Coupon spyware? Not sure what this is...

4 replies to this topic

#1 Sanaki (Full Member, 2 posts)

Posted 30 January 2012 - 06:35 PM

I can't quite figure out what's going on here, but I'm getting these popups on any site vaguely resembling a shopping site, with generally outdated coupon codes. Originally I thought it was the newest irritating ad agency's ploy, now I think otherwise. Anyone know what this is and how to get rid of it? It doesn't seem to be tied into the pages themselves, rather it appears to just be responding. Only suspect processes I see are two instances of plugin-container.exe, but that shouldn't be it (newest version of Firefox, that's a standard, I'm just not familiar with what all it does). Panda Cloud Antivirus and Spybot both fail to detect anything. See the image below. This seems to happen in Firefox only, though for reasons not important here I'm unable to test this in IE as well.

[Screenshot: couponware.png]


Edit: Please read the Forum FAQ and post the requested logs. We need the information in order to help you.

EDIT:
Information requested as follows:

Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org

Database version: v2012.01.30.04

Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 9.0.8112.16421
Sanaki :: EEEBRICK [administrator]

1/30/2012 3:54:47 PM
mbam-log-2012-01-30 (15-54-47).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 290783
Time elapsed: 2 hour(s), 48 minute(s), 41 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)



.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 10.1.0
Run by Sanaki at 21:05:17 on 2012-01-30
Microsoft Windows 7 Starter 6.1.7601.1.1252.1.1033.18.1014.83 [GMT -8:00]
.
AV: Panda Cloud Antivirus *Enabled/Updated* {86971480-9989-6750-B122-681A86518D59}
SP: Panda Cloud Antivirus *Enabled/Updated* {3DF6F564-BFB3-68DE-8B92-5368FDD6C7E4}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Windows\system32\taskhost.exe
C:\Windows\System32\AsusService.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\asus\SystemSetting\WallPaperAgent.exe
C:\Program Files\GNU\GnuPG\dirmngr.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\Explorer.exe
C:\Program Files\Panda Security\Panda Cloud Antivirus\PSANHost.exe
C:\Program Files\Asus\Game Park\GameConsole\OberonGameConsoleService.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
C:\Program Files\Elantech\ETDCtrl.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Program Files\EeePC\HotkeyService\HotKeyMon.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\EeePC\HotkeyService\HotkeyService.exe
C:\Program Files\EeePC\SHE\SuperHybridEngine.exe
C:\Program Files\Asus\LiveUpdate\LiveUpdate.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Panda Security\Panda Cloud Antivirus\PSUNMain.exe
C:\ProgramData\Panda Security URL Filtering\Panda_URL_Filtering.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Elantech\ETDCtrlHelper.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files\GNU\GnuPG\gpg-agent.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Bluefish\bluefish.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://asus.msn.com
uDefault_Page_URL = hxxp://asus.msn.com
uInternet Settings,ProxyOverride = *.local
uWinlogon: Shell=c:\program files\asus\systemsetting\WallPaperAgent.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Panda Security Toolbar: {b821bf60-5c2d-41eb-92dc-3e4ccd3a22e4} - c:\program files\panda security\panda security toolbar\PandaSecurityDx.dll
BHO: ASUS Windows 7 Starter Helper: {d381ff29-7cfb-4d4e-b92a-c4eddc696614} - c:\program files\asus\systemsetting\StarterHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre7\bin\jp2ssv.dll
TB: Panda Security Toolbar: {b821bf60-5c2d-41eb-92dc-3e4ccd3a22e4} - c:\program files\panda security\panda security toolbar\PandaSecurityDx.dll
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [Google Update] "c:\users\sanaki\appdata\local\google\update\GoogleUpdate.exe" /c
mRun: [HotkeyMon] AsusSender.exe c:\program files\eeepc\hotkeyservice\HotKeyMon.exe
mRun: [HotkeyService] AsusSender.exe c:\program files\eeepc\hotkeyservice\HotkeyService.exe
mRun: [Eee Docking] c:\program files\asus\eee docking\Eee Docking.exe autorun
mRun: [LiveUpdate] AsusSender.exe c:\program files\asus\liveupdate\LiveUpdate.exe auto
mRun: [SuperHybridEngine] AsusSender.exe c:\program files\eeepc\she\SuperHybridEngine.exe
mRun: [OOBESetup] c:\program files\asus\ooberegbackup\ooberegbackup.exe /restore -"c:\program files\asus\ooberegbackup\OOBEReg.ini"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [SynAsusAcpi] %ProgramFiles%\Synaptics\SynTP\SynAsusAcpi.exe
mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe -s
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [IAStorIcon] c:\program files\intel\intel® rapid storage technology\IAStorIcon.exe
mRun: [ETDCtrl] %ProgramFiles%\Elantech\ETDCtrl.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [PSUNMain] "c:\program files\panda security\panda cloud antivirus\PSUNMain.exe" /Traybar
mRun: [Panda Security URL Filtering] "c:\programdata\panda security url filtering\Panda_URL_Filtering.exe"
mRunOnce: [Malwarebytes Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_01-windows-i586.cab
DPF: {CAFEEFAC-0017-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_01-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_01-windows-i586.cab
TCP: DhcpNameServer = 172.18.64.215 172.18.64.215
TCP: Interfaces\{5EA79718-E4E0-412D-A847-5D9E947E7D12} : DhcpNameServer = 172.16.0.1 216.163.195.101 8.8.8.8 172.16.0.1
TCP: Interfaces\{B7B55FCF-A18E-4F0E-BE7F-63166DB1A397} : DhcpNameServer = 172.18.64.215 172.18.64.215
TCP: Interfaces\{C9CCF4C0-EFC3-4E1B-A64D-1A3C9C17CFEE} : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{C9CCF4C0-EFC3-4E1B-A64D-1A3C9C17CFEE}\0514452594349414D20534F5E4564777F627B6 : DhcpNameServer = 68.87.71.230 68.87.73.246
TCP: Interfaces\{C9CCF4C0-EFC3-4E1B-A64D-1A3C9C17CFEE}\2375942554235313 : DhcpNameServer = 172.16.0.1 216.163.195.101 8.8.8.8 172.16.0.1
TCP: Interfaces\{C9CCF4C0-EFC3-4E1B-A64D-1A3C9C17CFEE}\4656661657C647 : DhcpNameServer = 192.168.0.1
TCP: Interfaces\{C9CCF4C0-EFC3-4E1B-A64D-1A3C9C17CFEE}\54143545D414E483 : DhcpNameServer = 192.168.1.1
Notify: igfxcui - igfxdev.dll
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\sanaki\appdata\roaming\mozilla\firefox\profiles\1tgo330n.default\
FF - prefs.js: browser.search.selectedEngine - DuckDuckGo (SSL)
FF - prefs.js: browser.startup.homepage - hxxp://www.geeksaresexy.net/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=panda&type=PCAFSI1190&p=
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\java\jre7\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre7\bin\new_plugin\npjp2.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: c:\users\sanaki\appdata\local\google\update\1.3.21.93\npGoogleUpdate3.dll
FF - plugin: c:\users\sanaki\appdata\roaming\mozilla\firefox\profiles\1tgo330n.default\extensions\{1bc9ba34-1eed-42ca-a505-6d2f1a935bbb}\plugins\npietab2.dll
.
============= SERVICES / DRIVERS ===============
.
R1 AsUpIO;AsUpIO;c:\windows\system32\drivers\AsUpIO.sys [2009-7-5 11448]
R1 PSINKNC;PSINKNC;c:\windows\system32\drivers\PSINKNC.sys [2011-4-28 126024]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]
R2 AsusService;Asus Launcher Service;c:\windows\system32\AsusService.exe [2010-12-30 219136]
R2 DirMngr;DirMngr;c:\program files\gnu\gnupg\dirmngr.exe [2011-3-2 224256]
R2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files\intel\intel® rapid storage technology\IAStorDataMgrSvc.exe [2011-12-30 13336]
R2 PSINAflt;PSINAflt;c:\windows\system32\drivers\PSINAflt.sys [2011-8-1 143624]
R2 PSINFile;PSINFile;c:\windows\system32\drivers\PSINFile.sys [2011-4-28 99400]
R2 PSINProc;PSINProc;c:\windows\system32\drivers\PSINProc.sys [2011-4-28 111176]
R2 PSINProt;PSINProt;c:\windows\system32\drivers\PSINProt.sys [2011-4-28 112712]
R3 ETD;ELAN PS/2 Port Input Device;c:\windows\system32\drivers\ETD.sys [2011-4-13 119592]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\drivers\vwifimp.sys [2009-7-13 14336]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 btmhsf;btmhsf;c:\windows\system32\drivers\btmhsf.sys [2011-7-19 225280]
S3 iBtFltCoex;iBtFltCoex;c:\windows\system32\drivers\iBtFltCoex.sys [2011-7-20 47104]
S3 L1C;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller (NDIS 6.20);c:\windows\system32\drivers\L1C62x86.sys [2010-12-30 51712]
S3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\drivers\netaapl.sys [2011-8-2 18432]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-12-4 52224]
S3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\drivers\WSDPrint.sys [2009-7-13 17920]
.
=============== File Associations ===============
.
.txt=bftxtfile
.
=============== Created Last 30 ================
.
2012-01-30 23:40:54 -------- d-----w- c:\users\sanaki\appdata\roaming\Malwarebytes
2012-01-30 23:40:28 -------- d-----w- c:\programdata\Malwarebytes
2012-01-30 23:40:27 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-01-30 23:40:26 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-01-30 20:49:03 56200 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{dda050fe-5f64-4ccb-aace-21909d51a8c1}\offreg.dll
2012-01-27 21:58:37 6557240 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{dda050fe-5f64-4ccb-aace-21909d51a8c1}\mpengine.dll
2012-01-27 01:54:16 -------- d-----w- c:\users\sanaki\appdata\roaming\Wings3D
2012-01-26 23:11:25 -------- d-----w- c:\program files\Geeks3D
2012-01-26 23:08:31 -------- d-----w- c:\program files\wings3d_1.4.1
2012-01-26 22:51:36 -------- d-----w- c:\program files\KiCad
2012-01-23 03:38:17 -------- d-----w- c:\program files\Elantech
2012-01-21 03:00:01 -------- d-----w- c:\users\sanaki\appdata\local\Diagnostics
2012-01-17 19:54:17 -------- d-----w- c:\users\sanaki\appdata\local\panda2_0dn
2012-01-17 19:51:46 -------- d-----w- C:\temp
2012-01-12 00:31:52 1006360 ----a-w- c:\windows\system32\igxpun.exe
2012-01-11 19:05:44 224768 ----a-w- c:\windows\system32\schannel.dll
2012-01-11 19:05:44 134000 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2012-01-11 19:05:44 1038848 ----a-w- c:\windows\system32\lsasrv.dll
2012-01-11 19:05:43 67440 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-01-11 19:05:43 369352 ----a-w- c:\windows\system32\drivers\cng.sys
2012-01-11 19:05:43 314880 ----a-w- c:\windows\system32\webio.dll
2012-01-11 19:05:43 22528 ----a-w- c:\windows\system32\lsass.exe
2012-01-11 19:05:43 100352 ----a-w- c:\windows\system32\sspicli.dll
2012-01-11 19:05:42 22016 ----a-w- c:\windows\system32\secur32.dll
2012-01-11 19:05:42 15872 ----a-w- c:\windows\system32\sspisrv.dll
2012-01-11 01:04:01 1288472 ----a-w- c:\windows\system32\ntdll.dll
2012-01-11 01:03:57 67072 ----a-w- c:\windows\system32\packager.dll
2012-01-11 01:03:52 1328128 ----a-w- c:\windows\system32\quartz.dll
2012-01-11 01:03:51 514560 ----a-w- c:\windows\system32\qdvd.dll
2012-01-07 21:24:34 -------- d-----w- c:\users\sanaki\appdata\roaming\Arduino
2012-01-07 09:01:45 -------- d-----w- c:\program files\arduino-1.0
2012-01-07 08:29:34 -------- d-----w- c:\users\sanaki\Code
2012-01-05 20:55:00 -------- d-----w- c:\users\sanaki\appdata\roaming\.purple
.
==================== Find3M ====================
.
2011-12-31 04:05:23 4881704 ----a-w- c:\windows\system32\ETDUI.cpl
2011-12-31 04:05:16 119592 ----a-w- c:\windows\system32\drivers\ETD.sys
2011-12-31 04:02:04 16896 ----a-w- c:\windows\AsTaskSched.dll
2011-12-31 03:57:06 53248 ----a-w- c:\windows\system32\CSVer.dll
2011-12-31 02:56:02 253208 ----a-w- c:\windows\system32\igfxsrvc.exe
2011-12-31 02:56:02 150808 ----a-w- c:\windows\system32\igfxpers.exe
2011-12-31 02:56:02 142104 ----a-w- c:\windows\system32\igfxtray.exe
2011-12-31 02:56:01 673048 ----a-w- c:\windows\system32\igfxcfg.exe
2011-12-31 02:56:01 173336 ----a-w- c:\windows\system32\igfxext.exe
2011-12-31 02:56:00 59392 ----a-w- c:\windows\system32\oemdspif.dll
2011-12-31 02:56:00 174360 ----a-w- c:\windows\system32\hkcmd.exe
2011-12-31 02:56:00 155648 ----a-w- c:\windows\system32\igfxCoIn_v2364.dll
2011-12-07 18:08:58 236576 ------w- c:\windows\system32\MpSigStub.exe
2011-12-07 02:39:18 544656 ----a-w- c:\windows\system32\deployJava1.dll
2011-12-05 19:37:50 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-12-04 22:06:42 152576 ----a-w- c:\windows\system32\msclmd.dll
2011-11-24 04:25:27 2342912 ----a-w- c:\windows\system32\win32k.sys
2011-11-05 04:26:03 2048 ----a-w- c:\windows\system32\tzres.dll
2011-11-03 22:47:42 1798144 ----a-w- c:\windows\system32\jscript9.dll
2011-11-03 22:40:21 1427456 ----a-w- c:\windows\system32\inetcpl.cpl
2011-11-03 22:39:47 1127424 ----a-w- c:\windows\system32\wininet.dll
2011-11-03 22:31:57 2382848 ----a-w- c:\windows\system32\mshtml.tlb
.
============= FINISH: 21:08:36.48 ===============


Results of screen317's Security Check version 0.99.30
Windows 7 Service Pack 1 x86 (UAC is enabled)
Internet Explorer 9
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
Panda Cloud Antivirus
WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:

MVPS Hosts File
Spybot - Search & Destroy
Toolbar Cleaner 1.0
Java™ 7 Update 1
Java™ SE Development Kit 7 Update 1
Java version out of date!
Adobe Flash Player 11.1.102.55
Adobe Reader 9 Adobe Reader out of date!
Mozilla Firefox (9.0.1)
Mozilla Thunderbird (x86 en-US..)
````````````````````````````````
Process Check:
objlist.exe by Laurent

Panda Security Panda Cloud Antivirus PSANHost.exe
Panda Security Panda Cloud Antivirus PSUNMain.exe
``````````End of Log````````````

Edited by Sanaki, 31 January 2012 - 12:18 AM.
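The DDS log above is where a bundled browser add-on shows up: the IE entries tagged BHO: and TB:, the Firefox prefs.js lines and the FF - plugin: paths. As an added example that is not part of the original post and not something the DDS tool does, here is a small Python triage script that pulls those entries out of a DDS-style log and applies three checks a responder would otherwise do by eye: a CLSID registered both as a BHO and as a toolbar, a keyword.URL address-bar search override together with its fr= partner tag, and a Firefox NPAPI plugin that lives under an extension directory inside the user profile. The sample lines are copied from the log posted above; the three checks are the editor's own heuristics, and what they flag are leads to look at, not verdicts.

```python
"""Triage browser add-on entries from a DDS-style log (added example, not from the thread)."""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# Constructed sample: lines copied from the DDS log posted in this thread.
SAMPLE_LOG = r"""
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Panda Security Toolbar: {b821bf60-5c2d-41eb-92dc-3e4ccd3a22e4} - c:\program files\panda security\panda security toolbar\PandaSecurityDx.dll
TB: Panda Security Toolbar: {b821bf60-5c2d-41eb-92dc-3e4ccd3a22e4} - c:\program files\panda security\panda security toolbar\PandaSecurityDx.dll
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=panda&type=PCAFSI1190&p=
FF - plugin: c:\program files\java\jre7\bin\new_plugin\npjp2.dll
FF - plugin: c:\users\sanaki\appdata\roaming\mozilla\firefox\profiles\1tgo330n.default\extensions\{1bc9ba34-1eed-42ca-a505-6d2f1a935bbb}\plugins\npietab2.dll
"""

ADDON_RE = re.compile(r"^(BHO|TB): (.+?): (\{[0-9a-fA-F-]+\}) - (.+)$")
FF_PLUGIN_RE = re.compile(r"^FF - plugin: (.+)$")
FF_PREF_RE = re.compile(r"^FF - prefs\.js: (\S+) - (.+)$")


def parse_addons(text):
    """Return (add-on entries, Firefox prefs) found in DDS log text."""
    addons, prefs = [], {}
    for line in text.splitlines():
        line = line.strip()
        m = ADDON_RE.match(line)
        if m:
            kind, name, clsid, path = m.groups()
            addons.append({"kind": kind, "name": name, "clsid": clsid.lower(), "path": path.lower()})
            continue
        m = FF_PLUGIN_RE.match(line)
        if m:
            path = m.group(1)
            addons.append({"kind": "FF-plugin", "name": path.rsplit("\\", 1)[-1], "clsid": None, "path": path.lower()})
            continue
        m = FF_PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = m.group(2)
    return addons, prefs


def shared_clsids(addons):
    """CLSIDs registered under more than one IE hook type (e.g. both BHO and TB)."""
    kinds = defaultdict(set)
    for a in addons:
        if a["clsid"]:
            kinds[a["clsid"]].add(a["kind"])
    return {c: sorted(k) for c, k in kinds.items() if len(k) > 1}


def refang(url):
    """DDS writes hxxp:// so the URL is not clickable; restore the scheme for parsing."""
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)


def search_override(prefs):
    """Host and 'fr' partner tag of the address-bar search URL, if keyword.URL is set."""
    raw = prefs.get("keyword.URL")
    if not raw:
        return None
    u = urlparse(refang(raw))
    partner = parse_qs(u.query).get("fr", [None])[0]
    return {"host": u.hostname, "partner": partner}


def plugins_in_profile_extensions(addons):
    """Firefox NPAPI plugins shipped inside an extension directory of the user profile."""
    return [a["path"] for a in addons if a["kind"] == "FF-plugin" and "\\extensions\\" in a["path"]]


def triage(text):
    """Run all three checks over one log and return the findings."""
    addons, prefs = parse_addons(text)
    return {
        "addons": addons,
        "shared_clsids": shared_clsids(addons),
        "search_override": search_override(prefs),
        "plugins_in_profile_extensions": plugins_in_profile_extensions(addons),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```

Run it against a whole DDS log (read the file and pass its text to triage) rather than the excerpt; the regexes only look at line prefixes, so the other sections are ignored.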


#2 lance_yien (Malware Support Mod, 2,442 posts)

Posted 31 January 2012 - 10:17 AM

Hello Sanaki and welcome to SWI.

I'm lance_yien and will be helping you.

Very Important!

>>> Please do immediately:
  • In the upper right hand corner of the topic you will see a button called "Watch this topic"; by clicking on this => "Immediate E-Mail notification" => "Proceed" you will be advised when we respond to your topic and facilitate the cleaning of your machine.
  • Back up your personal documents by copying them to a location of your choice (other than your system drive).
  • Spybot's TeaTimer may interfere with our tools. Please disable it (if running on your computer): Run Spybot S&D => "Mode" => "Advanced..." => "Tools" => "Resident" and uncheck "Resident TeaTimer" and OK any prompts.
    Close Spybot S&D.

>>> During this cleanup,
Please DO NOT run, install and/or uninstall any tools/programs other than those I suggest to you because some programs can interfere with others and/or can cause some problems to your system.

>>> When you receive new instructions,
  • Please read the whole message.
  • All our tools must be downloaded to the Desktop and launched from there (unless otherwise specified).
  • Please perform all steps in the received order and DO NOT proceed if you need clarification.
  • Please DO NOT re-run any program I suggest. If you encounter problems please stop and tell me about it.

>>> When replying,
  • Please use the "Add Reply" button. I do not need to see my previous instructions. Thank you!
  • Please copy and paste your logs into your post unless specifically asked to attach one.

Please print out these instructions or copy them to a Notepad file for an easier reading.

>>> Use RogueKiller: Please download to your Desktop, RogueKiller (by Tigzy) from here.
Close all running programs and right-click on "RogueKiller.exe" => "Run as administrator".
Type 1 and hit "Enter" and let it run uninterrupted.
If the program is blocked, do not hesitate to try several times. If it really does not work (it could happen), rename it to winlogon.exe.
A log "RKreport[x].txt" will be saved at the same location as RogueKiller.exe, please copy and paste its contents in your next reply.


>>> OTL scan: Please download to your Desktop OTL (by OldTimer) from here or here.
Insert all your removable drives/pendrives/memory cards and close all open windows.
Right-click on OTL.exe => "Run as administrator" and paste the following (starting with netsvcs) in the "Custom Scans/Fixes" window:

netsvcs
drivers32
%SYSTEMDRIVE%\*.* /90
%systemroot%\*. /mp /s
%systemroot%\system32\*.dll /90
%systemroot%\Tasks\*.job
%systemroot%\system32\drivers\*.sys /90
CREATERESTOREPOINT
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
SAVEMBR:0

Click the Run Scan button and let the program run uninterrupted.
When the scan completes, it will open two Notepad windows - "OTL.txt" (opened) and "Extras.txt" (minimized). These are saved in the same location as OTL.
Please copy and paste the contents of these files in your next reply (please post only one at a time).


>>> In your next reply, please include the following (you may need to use two posts to get it all in):
  • RKreport[x].txt
  • OTL.txt
  • Extras.txt

EI | SWI | ZEBULON

My help is free, but if you wish to help keep these forums running please consider a donation. Please, see here for details.

#3 Sanaki (Full Member, 2 posts)

Posted 07 February 2012 - 05:18 PM

Apologies for the delay. Work's been taking most of my time. I found the cause with a quick wireshark log and a bit of trial and error, and though I didn't take the exact line of steps you suggested, I appreciate the help.

Cause:
Panda Security Toolbar 2.0
Installed with Panda Cloud Antivirus Free

It seems Panda Cloud Antivirus, when using the free version, has a few little "extras" to help pay for the free software. One is clearly disclosed: your browser's address bar search engine will be automatically and repeatedly changed to their sponsored Yahoo search. Not a biggie, solvable or ignorable. In my case solved with a line in my hosts file. What I didn't realize is that the Panda Security Toolbar has "Coupons\Shopping", as the wiki puts it here. This may have been clearly disclosed, but if so I didn't see it. Either way, no spyware, no malware, nothing of that nature to worry about, just classic bloatware.

For anyone curious, the coupons seem to originate from couponwinner.com and couponcamp.com.
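The poster found the source with a Wireshark capture and then used a hosts-file line to cut off the unwanted traffic. As an added example, not code from the original post, the following Python script does that triage on a text export of HTTP requests (tab-separated host, request URI and referer, the columns that tshark -T fields -e http.host -e http.request.uri -e http.referer prints for a capture) taken while one shopping page loads, separates first-party hosts from third-party ones, and appends idempotent hosts-file entries for the hosts you decide to sinkhole. The request rows and the hosts file are constructed; the two coupon domains are the ones named in the post. Two simplifications are assumptions: the first request in the capture is treated as the page the user opened, and the registrable domain is guessed from the last two labels, which is wrong for multi-part suffixes such as co.uk.

```python
"""Find third-party hosts in a page load and sinkhole them via the hosts file (added example)."""
from collections import Counter

# Constructed sample: what `tshark -r capture.pcap -Y http.request -T fields
# -e http.host -e http.request.uri -e http.referer` would print for one page
# load. Hosts are the two named in the thread plus generic first-party names.
SAMPLE_REQUESTS = (
    "shop.example\t/product/123\t\n"
    "shop.example\t/static/app.js\thttp://shop.example/product/123\n"
    "cdn.shop.example\t/img/hero.jpg\thttp://shop.example/product/123\n"
    "couponwinner.com\t/api/offers?site=shop.example\t\n"
    "couponcamp.com\t/deals.js?ref=shop.example\t\n"
    "couponwinner.com\t/api/offers?site=shop.example\t\n"
)

# Constructed hosts file; the spywareinfo line mirrors the MVPS entry in the DDS log.
SAMPLE_HOSTS = "127.0.0.1 localhost\n127.0.0.1 www.spywareinfo.com # MVPS hosts entry\n"


def parse_requests(text):
    """Parse tab-separated (host, uri, referer) rows; missing trailing columns become ''."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("\t")
        parts += [""] * (3 - len(parts))
        rows.append((parts[0].strip().lower(), parts[1], parts[2]))
    return rows


def registrable(host):
    """Assumed simplification: registrable domain = last two labels (wrong for co.uk etc.)."""
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:])


def infer_first_party(rows):
    """Assumption: the first request in the capture is the page the user navigated to."""
    return rows[0][0]


def third_party_hosts(rows, first_party=None):
    """Count requests per host whose registrable domain differs from the page's."""
    first_party = first_party or infer_first_party(rows)
    own = registrable(first_party)
    counts = Counter()
    for host, _uri, _referer in rows:
        if registrable(host) != own:
            counts[host] += 1
    return counts


def blocked_names(hosts_text):
    """Names already mapped in a hosts file; comments and blank lines are skipped."""
    names = set()
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2:
            names.update(n.lower() for n in fields[1:])
    return names


def merge_hosts_file(hosts_text, to_block, sink="127.0.0.1"):
    """Return (new hosts text, names added); names already present are not duplicated."""
    present = blocked_names(hosts_text)
    added = [h for h in sorted(to_block) if h.lower() not in present]
    if not added:
        return hosts_text, []
    body = hosts_text if (not hosts_text or hosts_text.endswith("\n")) else hosts_text + "\n"
    body += "".join(f"{sink} {h}\n" for h in added)
    return body, added


if __name__ == "__main__":
    rows = parse_requests(SAMPLE_REQUESTS)
    print("first party:", infer_first_party(rows))
    for host, n in third_party_hosts(rows).most_common():
        print(f"third party: {host} ({n} requests)")
    new_hosts, added = merge_hosts_file(SAMPLE_HOSTS, third_party_hosts(rows))
    print("added:", added)
    print(new_hosts)
```

A hosts-file entry only affects names resolved on that one machine and does nothing about the component generating the requests, so the script's output is best used to confirm which hosts the popups talk to before deciding what to remove; the merge step is idempotent so it can be re-run after each capture without piling up duplicate lines.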

#4 lance_yien (Malware Support Mod, 2,442 posts)

Posted 08 February 2012 - 03:26 AM

Hi Sanaki,

Good to know that your problem seems to have been fixed.

>>> Very important: Any program out of date may contain some vulnerabilities exploited by hackers to infect your computer.
Your versions of these programs are out of date.
  • Adobe Acrobat Reader: Please uninstall this program and install the latest version from here (make sure to uncheck the install McAfee Security Scan option).
  • Java: I recommend you download to your Desktop the newest version from here or here.
    It's important that you uninstall older versions of Java because they can leave holes and vulnerabilities on your computer.
    Please, go to "Start" => "Control Panel" and double-click on the "Software" icon => "Add or Remove programs".
    Search in the list for all previous installed versions of Java (J2SE Runtime Environment.... ).
    They should have the Java icon next to them.
    Select each in turn and click Remove.
    Now install the newest version.

>>> Protect your computer:
  • Enable Automatic Updates for your Windows under "Start" => "Control Panel" => Automatic Updates. These updates address known issues and will strengthen your protection against known security threats. Without these updates I can almost guarantee that you will get infected again.
  • Make sure ALL your programs are up to date - because older versions may contain Security Leaks.
    To find out what programs need to be updated, please run the Secunia Software Inspector Scan or Update Checker.
  • Use:
    - Autorun Protector to prevent your PC from being infected with autorun worms and also protecting your removable devices from being infected from other sources (Make sure to insert all your removable drives/pendrives/memory cards, etc before running the tool).
    - SpywareBlaster to protect your computer from spyware, hijackers... A tutorial on using SpywareBlaster may be found here.
  • Nowadays, most malware is developed only to steal personal information and/or various passwords. I recommend you change all your passwords - make sure you create strong passwords and use a different password for every site (you can keep them in KeePass).
  • Back up your Registry using ERUNT. It can help you especially if the System Restore is disabled by malware or corrupted for some reasons.
  • Please, note that there are a lot of rogue programs out there that want to scare you into giving them your money and some malware actually claims to be security programs. If you get a pop-up for a security program that you did not install yourself, do NOT click on it and ask for help immediately. It is very important to run an antivirus and firewall, but you can't always rely on reviews and ads for information. Ask in a security forum that you trust if you are not sure. If you are unsure and looking for anti-spyware programs, you may be able to find out if it is a rogue here.

>>> Recommended reading:

Hopefully this should take care of your problems!

Safe surfing! :)

#5 lance_yien (Malware Support Mod, 2,442 posts)

Posted 16 February 2012 - 06:43 AM

Since the issue appears to be resolved this Topic is closed.

If you need this topic reopened, please tell the moderating team by replying here with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.



