TechSpot

Malware warning from google (adnetserver.com)

By emmandgr81
Jul 10, 2008
  1. a malware warning from google automatically pops-out when i use the internet which says that i am being redirected to this site... adnetserver.com... can anyone help me on how to remove this?
     
  2. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    This is a sign that you have Coolwebsearch infection - let's start with you getting me a hijackthis log

    HijackThis Instructions
    • Make sure you have the LATEST version of HJT (currently v2.0.0.2) it can be downloaded from HERE
    • Run the HijackThis Installer and it will automatically place HJT in C:\Program Files\TrendMicro\HijackThis\HijackThis.exe. Please don't change the directory.
    • After installing, the program launches automatically, select Scan now and save a log
    • After the scan is complete please attach your log onto the forums using the paper clip icon above your reply.
     
  3. emmandgr81

    emmandgr81 TS Rookie Topic Starter Posts: 41

    here's the log, i attached it... thanks
     
  4. emmandgr81

    emmandgr81 TS Rookie Topic Starter Posts: 41

    can anyone help me with this? i already attached the log.
     
  5. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Remove bad HijackThis entries
    • Run HijackThis
    • Click on the System Scan Only button
    • Put a check beside all of the items listed below (if present):

      R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
      R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
      R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
      R3 - URLSearchHook: Yahoo! ¤u¨ã¦C - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
      O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\emman\AppData\Local\Temp\efcASlJY.dll,#1
      O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\emman\AppData\Local\Temp\urQgFwTL.dll,c
      O4 - HKCU\..\Run: [b803feb1] rundll32.exe "C:\Users\emman\AppData\Local\Temp\vtnufntb.dll",b
      O4 - HKCU\..\Run: [BMbb30cd2d] Rundll32.exe "C:\Users\emman\AppData\Local\Temp\guytnqxd.dll",s

    • Close all open windows and browsers/email, etc...
    • Click on the "Fix Checked" button
    • When completed, close the application.

    -------------------------------------------------------------------------------

    OTMoveit2 by OldTimer
    Please download the OTMoveIt2 by OldTimer.
    • Save it to your desktop.
    • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

      Code:
      C:\Users\emman\AppData\Local\Temp\efcASlJY.dll
      C:\Users\emman\AppData\Local\Temp\urQgFwTL.dll
      C:\Users\emman\AppData\Local\Temp\vtnufntb.dll
      C:\Users\emman\AppData\Local\Temp\guytnqxd.dll
    • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt2
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

    ------------------------------------------------------------------------------

    Malwarebytes' Anti-Malware

    • Please download Malwarebytes' Anti-Malware to your desktop.
    • Double-click mbam-setup.exe and follow the prompts to install the program.
    • At the end, be sure a checkmark is placed next to
      • Update Malwarebytes' Anti-Malware
      • and Launch Malwarebytes' Anti-Malware
    • then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select Perform full scan, then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Be sure that everything is checked, and click Remove Selected.
    • When completed, a log will open in Notepad. Please attach this log with your reply
      • If you accidentally close it, the log file is saved here and will be named like this:
      • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt


    Attach:

    1)OTMoveit2 log
    2)MBAM log
    3) fresh hijackthis ran after the others
     
  6. emmandgr81

    emmandgr81 TS Rookie Topic Starter Posts: 41

    File/Folder not found.
    File/Folder C:\Users\emman\AppData\Local\Temp\efcASlJY.dll not found.
    File/Folder C:\Users\emman\AppData\Local\Temp\urQgFwTL.dll not found.
    DllUnregisterServer procedure not found in C:\Users\emman\AppData\Local\Temp\vtnufntb.dll
    C:\Users\emman\AppData\Local\Temp\vtnufntb.dll NOT unregistered.
    C:\Users\emman\AppData\Local\Temp\vtnufntb.dll moved successfully.
    DllUnregisterServer procedure not found in C:\Users\emman\AppData\Local\Temp\guytnqxd.dll
    C:\Users\emman\AppData\Local\Temp\guytnqxd.dll NOT unregistered.
    C:\Users\emman\AppData\Local\Temp\guytnqxd.dll moved successfully.

    OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 07122008_015131
     
  7. emmandgr81

    emmandgr81 TS Rookie Topic Starter Posts: 41

    here are the logs... thanks
     
  8. emmandgr81

    emmandgr81 TS Rookie Topic Starter Posts: 41

    is there still anything for me to do?
     
  9. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Have hijackthis fix these just like before

    O3 - Toolbar: Yahoo! ¤u¨ã¦C - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKCU\..\Run: [BMbb30cd2d] Rundll32.exe "C:\Users\emman\AppData\Local\Temp\spoivywe.dll",s
    O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\emman\AppData\Local\Temp\vtUkhfgH.dll,c



    -----------------------------------------------------------------

    Paste these into OTMoveit2 just like before and select Moveit!
    Code:
    C:\Users\emman\AppData\Local\Temp\spoivywe.dll
    C:\Users\emman\AppData\Local\Temp\vtUkhfgH.dll
    -------------------------------------------------------------------

    Update your Java Runtime Environment
    • Click the following link
      Java Runtime Environment 6 Update 6
    • The 5th option down is the one you want (click Download)
    • Check the box to agree to terms of service
    • Check the box for your operating system and click 'Download selected' at the bottom
    • After the install Go to Start-> Control Panel-> add/remove programs (Programs and features), and uninstall any old versions
    • Navigate to C:\programfiles\Java -> delete any subfolders except the jre1.6.0_06 folder

    --------------------------------------------------------------------------

    Download and Run ATF Cleaner
    Download ATF Cleaner by Atribune to your desktop.

    Double-click ATF Cleaner.exe to open it.

    Under Main choose:
    Windows Temp
    Current User Temp
    All Users Temp
    Cookies
    Temporary Internet Files
    Prefetch
    Java Cache

    *The other boxes are optional*
    Then click the Empty Selected button.

    Firefox or Opera:
    Click Firefox or Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

    Click Exit on the Main menu to close the program.

    ------------------------------------------------------------------

    attach a new hijackthis with the OTMoveit log
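
    As an added example (not part of the original thread or of any tool named in it), this Python sketch parses the O4 autostart lines from the two fix lists above, flags rundll32 entries that load a DLL from a Temp directory, and reports which Run values reappeared with a different DLL name between scans. The function names and the `ExampleUpdater` line are constructed for illustration.

```python
import ntpath
import re

# O4 lines from the first fix list in this thread.
SCAN_1 = r'''
O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\emman\AppData\Local\Temp\efcASlJY.dll,#1
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\emman\AppData\Local\Temp\urQgFwTL.dll,c
O4 - HKCU\..\Run: [b803feb1] rundll32.exe "C:\Users\emman\AppData\Local\Temp\vtnufntb.dll",b
O4 - HKCU\..\Run: [BMbb30cd2d] Rundll32.exe "C:\Users\emman\AppData\Local\Temp\guytnqxd.dll",s
'''
# O4 lines from the second fix list, plus one constructed benign line (ExampleUpdater).
SCAN_2 = r'''
O4 - HKLM\..\Run: [ExampleUpdater] "C:\Program Files\Example\updater.exe" /background
O4 - HKCU\..\Run: [BMbb30cd2d] Rundll32.exe "C:\Users\emman\AppData\Local\Temp\spoivywe.dll",s
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\emman\AppData\Local\Temp\vtUkhfgH.dll,c
'''

O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$')
RUNDLL_RE = re.compile(r'^"?rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+)"?,(?P<export>\S+)', re.I)
TEMP_RE = re.compile(r'\\(?:AppData\\Local\\Temp|Local Settings\\Temp|Windows\\Temp)\\', re.I)


def parse_o4(log):
    """Return {run_value_name: details} for every O4 autostart line in a HijackThis log."""
    entries = {}
    for line in log.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue  # not an O4 line (other sections, blank lines)
        r = RUNDLL_RE.match(m['cmd'])
        dll = r['dll'] if r else None
        entries[m['name']] = {
            'hive': m['hive'],
            'cmd': m['cmd'],
            'dll': dll,
            'export': r['export'] if r else None,
            # rundll32 loading a DLL out of a Temp directory at logon
            'suspicious': bool(dll and TEMP_RE.search(dll)),
        }
    return entries


def reregistered(before, after):
    """Run values flagged in both scans whose DLL file name changed in between."""
    changed = {}
    for name, new in after.items():
        old = before.get(name)
        if (old and old['suspicious'] and new['suspicious']
                and old['dll'].lower() != new['dll'].lower()):
            changed[name] = (ntpath.basename(old['dll']), ntpath.basename(new['dll']))
    return changed


if __name__ == '__main__':
    first, second = parse_o4(SCAN_1), parse_o4(SCAN_2)
    for name, e in first.items():
        print('flagged' if e['suspicious'] else 'ok     ', name, e['dll'])
    for name, (old, new) in reregistered(first, second).items():
        print(f'Run value [{name}] came back: {old} -> {new}')
```

    A Run value that returns under the same name with a new random DLL suggests the autostart entry is being rewritten after cleanup, so moving the DLL file alone does not clear it.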
     
  10. emmandgr81

    emmandgr81 TS Rookie Topic Starter Posts: 41

    in the atf cleaner, i was not able to choose prefetch in the main because it says that it is disabled... the options for firefox and opera are not available so i was not able to empty them... i attached the logs in this reply for hijackthis and OTMoveit
     
  11. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Good job.

    one more to see if anything left

    Run Kaspersky Online AV Scanner

    In order to use it you have to use Internet Explorer.
    Go to Kaspersky and click the Accept button at the end of the page.

    Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license is accepted, reset to 100%.
    • Read the Requirements and limitations before you click Accept.
    • Allow the ActiveX download if necessary.
    • Once the database has downloaded, click Next.
    • Click on "My Computer"
    • When the scan has completed, click Save Report As...
    • Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
    • Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.
    Attach the report into your next reply
     
  12. emmandgr81

    emmandgr81 TS Rookie Topic Starter Posts: 41

    im having a hard time downloading kaspersky because my internet connection is too slow... anyway, how do i remove the script error which appears everytime i open my computer?
     
  13. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    you don't download kaspersky - it is an online scanner

    -------------------------------------

    What script error are you getting - screen shots or exact wording would help
     
  14. emmandgr81

    emmandgr81 TS Rookie Topic Starter Posts: 41

    oh, i see... i'll just run the kaspersky and send the report...

    here's the error that im receiving...

    an error has occured in the script on this page
    line:1
    char:1
    error: object expected
    code: 0
    URL: file:///C:/ProgramData/Yahoo!/YOP/yop.html
     
  15. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    much better - let's try this - i think your security is blocking it which is ok


    Panda Online Scan
    • Please visit Panda Online Scanner
    • Click on "Scan your PC".
    • A new browser window will open with Panda ActiveScan.
    • Click the big "Check Now" button
    • Enter your Country, State/Province, e-mail address and click send
    • Select either Home User or Company
    • Click the big Scan Now button
    • If it wants to install an ActiveX component allow it
    Note: If this is the first time you scanned your PC, you'll have to download the ActiveX controls (8 MB). The time it takes to download these can vary depending on your connection
    • Click on "Local Disks" to start the scan
    • Save the log file to your desktop to attach it here
     
  16. emmandgr81

    emmandgr81 TS Rookie Topic Starter Posts: 41

    sorry for the late reply... i attached the logs from active scan and kaspersky... thanks
     
  17. emmandgr81

    emmandgr81 TS Rookie Topic Starter Posts: 41

    what should i do next?
     
  18. Habylab

    Habylab TS Rookie Posts: 263

    You need to open up Explorer, not internet explorer and delete the following files



    Also, run a new Hijackthis! scan.

    It seems that you are not running any (decent) firewall. You may be running Windows Firewall but that is not good enough
    So you can either choose between:
    Zone alarm
    or
    Comodo
    I personally use Comodo, so i am biased, but it is your choice
     
  19. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Paste this into OTMoveit2! then hit the green cleanup button

    Code:
    C:\Users\emman\AppData\Local\Temp\tmp0000e1f5
    C:\Users\emman\AppData\Local\Temp\tmp0000e233
    C:\Users\emman\AppData\Local\Temp\tmp0000e771
    C:\Users\emman\AppData\Local\Temp\tmp0000eaab
    C:\Users\emman\AppData\Local\Temp\tmp0000ebf3
    C:\Users\emman\AppData\Local\Temp\tmp0000ec7f
    C:\Users\emman\AppData\Local\Temp\tmp0000f333
    C:\Users\emman\AppData\Local\Temp\tmp0000f362
    C:\Users\emman\AppData\Local\Temp\tmp0000f44c
    C:\Users\emman\AppData\Local\Temp\tmp0000f797
    C:\Users\emman\AppData\Local\Temp\tmp0000fa26
    C:\Users\emman\AppData\Local\Temp\tmp0000fa93
    C:\Users\emman\AppData\Local\Temp\tmp0000faa3
    C:\Users\emman\AppData\Local\Temp\tmp0001032b
    C:\Users\emman\AppData\Local\Temp\tmp0001079e
    C:\Users\emman\AppData\Local\Temp\tmp00010f0d
    C:\Users\emman\AppData\Local\Temp\tmp00011016
    C:\Users\emman\AppData\Local\Temp\tmp000116e9
    C:\Users\emman\AppData\Local\Temp\tmp00011ddc
    C:\Users\emman\AppData\Local\Temp\tmp00012b53
    C:\Users\emman\AppData\Local\Temp\tmp00014a67
    C:\Users\emman\AppData\Local\Temp\tmp000154e2
    C:\Users\emman\AppData\Local\Temp\tmp000156b6
    C:\Users\emman\AppData\Local\Temp\tmp0001a90a
    C:\Users\emman\AppData\Local\Temp\tmp00037efe
    C:\Users\emman\AppData\Local\Temp\tmp00067628
    C:\Users\emman\Documents\LimeWire\Saved\ImTOO iPod Computer Transfer 2.0.86.0201+Keygen(Full-New).rar
    C:\Users\emman\Documents\LimeWire\Saved\LimeWire_pro_4.18.2\utorrent-acceleration-tool-free.exe
    C:\Users\emman\Documents\LimeWire\Saved\Xilisoft - All 2008 Products (DVD Tools,Ipod,etc) + Keygen \s
    It may ask you to reboot to remove something - say yes then post me the log after - It will be in the OTMoveit folder
     
  20. emmandgr81

    emmandgr81 TS Rookie Topic Starter Posts: 41

    i didn't know that it was the imtoo program that was causing the problem so i used it again... i think my computer got infected again... safepctool and winanonymous.com keeps on popping out... i attached the hijackthis log...
     
  21. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    That wasn't your main problem - but I see something now, we need to run this tool

    Combofix
    • Download Combofix to your desktop.
    • Double click combofix.exe & follow the prompts.
    • A window will open with a warning.
    • When the scan completes it will open a text window. Please attach that log back here together with a fresh HJT log.
    Caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Combofix is a very powerful tool so please do NOT do anything without instruction

    Combofix will automatically save the log file to C:\combofix.txt
     
  22. emmandgr81

    emmandgr81 TS Rookie Topic Starter Posts: 41

    i can't clean up using OTmoveit... it says file access denied... i deleted the folders of imtoo and xilisoft already... and the temp folder says that its empty
     
  23. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    You would need to right click the program and select run as administrator -> Then I meant click the Red Moveit! button

    Also that won't remove the registry entries so please see my last post
     
  24. emmandgr81

    emmandgr81 TS Rookie Topic Starter Posts: 41

    i attached the otmoveit log...
     
  25. emmandgr81

    emmandgr81 TS Rookie Topic Starter Posts: 41

    here's the combofix log
     
Topic Status:
Not open for further replies.
