Viral problems....again



Ninjahedge
05-29-2009, 09:05 AM
Hey guys.

My wife's machine seems to be having some problems. Her clicks on web addresses from a Yahoo search seem to go to places she does not want them to. This may or may not be related to an infection.

Also, Avira seems to have its update connection blocked. I keep hitting update and I keep getting a 403 (or is it 405?) error (cannot connect).

I ran Hijack and it SEEMED OK (although there was a lot of crap on there), and I ran Housecall on Safe mode (although there were a lot of "cannot write anything" kind of errors when it was finished last night).

I am running MalwareBytes on it now (and it has found 5 infections, but there is no way to see what they are until it is finished, and I had to get to work).

Any other suggestions? She seems to be getting a lot of crap just by surfing around. Could there be something that isn't detected opening a doorway for easy infection?

shifty
05-29-2009, 11:58 AM
Avira - HOSTS file for Windows was probably hijacked. This will show up in a HijackThis log/scan.

The search redirection is an infection.

Stick with Malware Bytes for now; it will kill malware, rootkits, redirectors, etc. and ... if you've got that, that's not all she has, I bet you of that! Probably has a Vundo variant to boot.

Let it fix everything.

Reboot and dump your System Restore points (turn off SR/apply, turn on SR/apply).

Complete/Full scan again.

If more crap pops up, fix, reboot, and run Malware Bytes in SAFE mode.

If problem STILL persists, consider getting a copy of Rootkit Revealer. Run it. You *WILL* have a few keys pop up as "hidden", but ... If you take a screencap, I can help.

Meanwhile, as if you're too stupid to make a mistake like this ... DISCONNECT the computer from the internet.

HTH

Ninjahedge
05-29-2009, 03:03 PM
Ah, me is too stoopid.

I connected it to run in safe mode w/internet and connect to Trend Micro Housecall.

I also did it to get MalB. I think I have the rootkit revealer, but if not I will look for it on another machine (I know I have it on my main machine because Antivir thought it was a virus).

I do not doubt that Vundo came up. I have no idea how she gets this, she is not a complete dummy, but every machine she touches gets it! I will have to see how you can get it (she surfs more).

Thanks for the help!

BTW, is there an easy way to save a screencap in safe mode? And what prefix am I looking for in the HOSTS file? Also, would it be a good or bad idea to roll back the machine to a restore point WAY back when or does the rootkit/Vundo or other just infect the existing restore points? (or does it stay resident during restore and just re-install itself?)

TIA!

shifty
05-29-2009, 06:47 PM
Some of the new variants of Vundo turn off the Network DDE service and other associated services which are required to start Clipbook, which is basically what lets you have the clipboard ready to take screenshots. So depending on what you're infected with, you may not be able to do anything to take screenshots.

HOSTS: Look for a file of the same name in C:\windows\system32\drivers\etc\

The only entry in there should be 127.0.0.1 on a stock system. Anything else is 99%+ of the time totally bogus.

Do not bother with Housecall. It's outdated. Scan with SuperAntiSpyware and MalwareBytes ("full scan"), preferably in SAFE mode.

After you can run a successful scan with nothing coming up, run RootkitRevealer. Expect to see 3-5 entries by default. Some keys are hidden in the registry by a clean system.

After that is good, download and install CrapCleaner (aka CCleaner, www.ccleaner.com ) and run it to clean out all of the temp files generated.

Next, turn OFF system restore to kill the bad files that are now saved in your restore points. Then turn it back ON again.



DO NOT plug USB devices into it. Many malware entities are wising up, and infecting USB sticks because some versions of Windows (XP being a big one) will autorun a USB stick when you insert it - we're reliving the floppy-virus days in the USB era.

FYI, with most new infections, there is a 90% or greater chance that you CANNOT use system restore. Most "aware" malware will either corrupt, disable, or nuke old restore points, or just kill system restore from running. They caught on to that little trick really quick. Most of the new stuff runs a "monitor" process in the background that will automatically undo changes you make to registry keys to kill it, re-generate files you delete with new random names, it will automatically reverse the "unhide system files" setting, and even go so far as to download new software when you kill a part of the infection (which is why it's imperative to unplug from the internet at all costs when trying to clean, and why Housecall is SUCH a BAD option!)

They're getting damned smart - to the point that prevention is the best cure.

Hell, this new WinAntivirus2009 crap almost got me the other day. It got one of my neighbors too. It's a real ass-kicker!
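The HOSTS-file check shifty describes (look in C:\windows\system32\drivers\etc\, and treat anything beyond the stock loopback entry as suspect) is easy to automate. The script below is an added example for this thread, not code from any post or from any of the tools named here. It parses a HOSTS file, skips the one mapping a stock system carries (127.0.0.1 localhost, plus ::1 localhost on Vista and later, which goes slightly beyond the XP case in the post), and reports everything else, calling out separately any security-vendor or update domain that has been pinned to an address, since that is the pattern that produces the blocked-updater symptom from the first post. The vendor watch-list and the sample file contents are constructed for the example.

```python
"""Audit a Windows HOSTS file for mappings a stock system should not carry.

Added example for this thread; not part of any post, HijackThis, Avira or
Malwarebytes. The default path is the one shifty gives above. The watch-list
and SAMPLE_HOSTS are constructed for illustration.
"""
import ipaddress

STOCK_NAMES = {"localhost"}  # stock XP: "127.0.0.1 localhost"; Vista+ add "::1 localhost"

# Constructed watch-list of vendor/update domains (products mentioned in the
# thread). A HOSTS entry pinning one of these explains "cannot connect" updaters.
WATCH_DOMAINS = (
    "avira.com", "malwarebytes.com", "trendmicro.com",
    "microsoft.com", "windowsupdate.com",
)


def parse_hosts(text):
    """Yield (lineno, address, [hostnames]) for each active mapping line."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue  # malformed line, nothing resolvable
        yield lineno, parts[0], parts[1:]


def audit_hosts(text):
    """Return a list of (lineno, address, hostname, reason) findings."""
    findings = []
    for lineno, ip, names in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((lineno, ip, " ".join(names), "unparseable address"))
            continue
        for name in names:
            lname = name.lower()
            if lname in STOCK_NAMES and addr.is_loopback:
                continue  # the only mapping a stock system has
            if any(lname == d or lname.endswith("." + d) for d in WATCH_DOMAINS):
                findings.append((lineno, ip, name, "security/update vendor domain redirected"))
            elif addr.is_loopback or ip == "0.0.0.0":
                findings.append((lineno, ip, name, "name pinned to loopback/null (lookup blocked)"))
            else:
                findings.append((lineno, ip, name, "name pinned to a fixed address"))
    return findings


def audit_hosts_file(path=r"C:\windows\system32\drivers\etc\hosts"):
    """Read the live HOSTS file (works even if malware set it hidden/read-only)."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return audit_hosts(fh.read())


# Constructed sample, not a capture from the machine in the thread.
SAMPLE_HOSTS = """\
# hosts file - constructed sample
127.0.0.1       localhost
::1             localhost
127.0.0.1       update.avira.com
0.0.0.0         www.malwarebytes.com   # updater blocked
10.0.0.5        www.google.com
"""

if __name__ == "__main__":
    for lineno, ip, name, reason in audit_hosts(SAMPLE_HOSTS):
        print(f"line {lineno}: {ip} {name}  <- {reason}")
```

Run it as-is to see the sample findings, or call `audit_hosts_file()` on the infected machine (copy the output by hand if the clipboard is disabled, as shifty notes it may be). One caveat: machines using an ad-blocking HOSTS list legitimately pin hundreds of names to 127.0.0.1 or 0.0.0.0, so the "pinned to loopback" finding is noisy there; the vendor-domain finding is the one that matters for a blocked updater.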

=A!M=OakWind
05-29-2009, 07:23 PM
Is there win-antivir/ anti-malware?

I had it pop up twice looking very official with a yellow shield in system tray. Looked like a windows update to me.

Ninjahedge
05-29-2009, 09:33 PM
Hijack This:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:31:13 PM, on 5/29/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2M1.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Adobe Version Cue CS2] "C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [EPSON Stylus Photo RX600] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2M1.EXE /P24 "EPSON Stylus Photo RX600" /O6 "USB001" /M "Stylus Photo RX600"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater\AdobeUpdater.exe
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishActivia.cab
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {4CC35DAD-40EA-4640-ACC2-A1A3B6FB3E06} -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1134958401128
O16 - DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} (View22RTE Class) - http://onlinedesigner.hgtv.com/images/app/view22rte.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O18 - Filter hijack: text/html - {1c189b71-4833-4008-a3f7-114fa93f66f5} - C:\WINDOWS\system32\mst122.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Adobe Systems Incorporated - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 12081 bytes

shifty
05-30-2009, 11:56 PM
O18 - Filter hijack: text/html - {1c189b71-4833-4008-a3f7-114fa93f66f5} - C:\WINDOWS\system32\mst122.dll

That line is bad ^^

Fix it in HJT, then use HJT's add'l tools ("misc tools" section) to "delete on reboot" (paste the file path into the "Open" box and have it delete on reboot.)
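A small triage script for HijackThis logs, added here as an example for this thread and not part of HijackThis or of any post. It picks out the entry types this thread actually acted on: O18 "Filter hijack" lines (a MIME filter registered under HKCR\PROTOCOLS\Filter, which is how mst122.dll was getting every text/html page), "(no file)" references (orphaned entries, harmless to fix but not proof of infection on their own), and O16 ActiveX download entries with no name or source URL. It also pulls the DLL path out of each hijack line so it can be pasted into HJT's delete-on-reboot box. The three rules are the author's heuristics, not HijackThis's own logic; the sample lines are copied from the log posted above plus one benign entry.

```python
"""Triage a HijackThis 2.x log for the entry types handled in this thread.

Added example; not HijackThis code and not from any post. The rules below
are simple heuristics chosen for the example. SAMPLE_LOG reuses lines from
the log posted in the thread.
"""
import re

# "O18 - Filter hijack: text/html - {clsid} - C:\path\file.dll"
ENTRY_RE = re.compile(r"^(O\d+|R\d+)\s+-\s+(.*)$")


def triage_hjt(log_text):
    """Return (section, line, verdict) for each log line a reviewer should act on."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header, process list, footer
        section, body = m.groups()
        if section == "O18" and body.startswith("Filter hijack:"):
            findings.append((section, line,
                             "MIME filter hijack: fix in HJT, then delete the DLL on reboot"))
        elif body.endswith("(no file)"):
            findings.append((section, line,
                             "orphaned reference: file missing, safe to fix, not proof of infection"))
        elif section == "O16" and body.rstrip().endswith("-"):
            findings.append((section, line,
                             "ActiveX download entry with no name or source URL: verify the CLSID"))
    return findings


def hijack_paths(log_text):
    """File paths from O18 filter-hijack lines, ready for HJT's delete-on-reboot box."""
    return [line.rsplit(" - ", 1)[1]
            for section, line, _ in triage_hjt(log_text)
            if section == "O18"]


# Lines taken from the log posted above, plus one benign O23 entry; the
# O2 SDHelper line is the Spybot entry from the same log.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {4CC35DAD-40EA-4640-ACC2-A1A3B6FB3E06} -
O18 - Filter hijack: text/html - {1c189b71-4833-4008-a3f7-114fa93f66f5} - C:\WINDOWS\system32\mst122.dll
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
"""

if __name__ == "__main__":
    for section, line, verdict in triage_hjt(SAMPLE_LOG):
        print(f"[{section}] {verdict}\n    {line}")
    print("delete on reboot:", hijack_paths(SAMPLE_LOG))
```

Feed it the whole saved log (`triage_hjt(open("hijackthis.log").read())`); everything it does not flag still deserves a human look, since the O4 run keys and O23 services are where a well-named dropper hides, and the script only encodes the three patterns above.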

Ninjahedge
05-31-2009, 09:37 PM
Thanks, a lot of other things seem to have gone away now. Avira can update, and some mismatched data that Rootkit found on some files is not there anymore.

I am deleting and running what you said, as you have said it.

shifty
05-31-2009, 11:07 PM
Again - when all is complete...turn off/on system restore (applying between on/off settings) to flush out all that nasty stuff.

lilith
05-31-2009, 11:40 PM
She seems to be getting a lot of crap just by surfing around. Could there be something that isn't detected opening a doorway for easy infection?
For a while I was following a few stories like Natalee Holloway and the Jennifer/Angelina saga. I wanted to read anything I could find! Links would lead me to "news" sites and I almost completely destroyed one of my computers at work! Viruses like you wouldn't believe!!! It took our IT guy several days to get rid of all of them! (good thing he has a great sense of humor...:p bet he's still laughing about it now... hahahaha :D) If your wife is following any current stories like that, she may be running into the same type of stuff. :o

5150
06-12-2009, 03:02 AM
How Do You Guys Get That Stuff--I Surf Stupid And Look For That Stuff.
I'm Moderately Capable Of Fixing This Stuff - actually inviting this type of behaviour.
Now That I Have Asked For It -Bring It On

shifty
06-12-2009, 11:52 AM
I'll tell you a quick way to get infected.

go to Pirate Bay with no protection on.

Sit on any given page for 10 minutes. If not infected, I am surprised. Repeat the process at least 5-6 times (refresh and wait) and you should have several infestations on your computer. For whatever reason, the adverts and banners almost all have some kind of malicious script (or the site itself) which attempts several different kinds of exploits to infect you.

Usually AntiVir will pick them up, but, for example, there was a new variant of WinAntiSpy2009 or WinAntivirus2009 (nasty bastard) that Antivir didn't have yet (I upped it to them, it's in the latest definitions now) and that joker infected me. Fortunately, not even a week before, one of my neighbors got popped by a similar variant (PersonalAntiVirus 2009), so I knew 100% how to remove it and quickly.

Radiation Burns
06-12-2009, 12:18 PM
Does smitrem still work best for that? or is there a better safer way?

Ninjahedge
06-12-2009, 01:30 PM
TPB explains a bit. I never trusted that site...


You think Ad-Blockers would work?

Slayer
06-12-2009, 03:01 PM
I'll tell you a quick way to get infected.

go to Pirate Bay with no protection on.

Sit on any given page for 10 minutes. If not infected, I am surprised. Repeat the process at least 5-6 times (refresh and wait) and you should have several infestations on your computer. For whatever reason, the adverts and banners almost all have some kind of malicious script (or the site itself) which attempts several different kinds of exploits to infect you.

Usually AntiVir will pick them up, but, for example, there was a new variant of WinAntiSpy2009 or WinAntivirus2009 (nasty bastard) that Antivir didn't have yet (I upped it to them, it's in the latest definitions now) and that joker infected me. Fortunately, not even a week before, one of my neighbors got popped by a similar variant (PersonalAntiVirus 2009), so I knew 100% how to remove it and quickly.

Turn off all your protection and go to facebook and go to the game they have called special forces. A friend got his computer infected and that is where he got it from. I joined to play the game with him and webroot spysweeper and Avira was going nutz. I emailed the game makers and facebook that the ad banners are infected, including that AntiVirus Pro2009 biatch!

shifty
06-12-2009, 05:05 PM
Does smitrem still work best for that? or is there a better safer way?

smitrem is waaaay outdated.

I strap up with Antivir and MalwareBytes. For removal, MalwareBytes and SuperAntiSpyware for most infection removal and RootkitRevealer to detect anything they may miss, although, in the right hands and against the correct stuff, ComboFix is useful as well.

lilith
06-12-2009, 06:58 PM
make sure you dump spybot if you use malwarebytes. I found out this week they don't play nice together... :(

shifty
06-13-2009, 09:10 AM
Spybot S&D is also terribly outdated.

lilith
06-13-2009, 04:28 PM
Yeah, I forgot I still had it. I hadn't run it on purpose for a very long time and it hadn't popped up as finding anything either. That is, until malwarebytes wanted to update itself. :p Popups galore!!! :o

Radiation Burns
06-15-2009, 08:04 AM
Thanks Shifty, I will grab malware bytes asap. I already run avira, and other than the popups at startup it's great. And for free antivirus I won't complain at all :)