Malware warning from google (adnetserver.com)

Status
Not open for further replies.

emmandgr81

A malware warning from Google automatically pops out when I use the internet, which says that I am being redirected to this site... adnetserver.com... Can anyone help me on how to remove this?
 
This is a sign that you have a Coolwebsearch infection - let's start with you getting me a HijackThis log

HijackThis Instructions
  • Make sure you have the LATEST version of HJT (currently v2.0.0.2); it can be downloaded from HERE
  • Run the HijackThis Installer and it will automatically place HJT in C:\Program Files\TrendMicro\HijackThis\HijackThis.exe. Please don't change the directory.
  • After installing, the program launches automatically, select Scan now and save a log
  • After the scan is complete please attach your log onto the forums using the paper clip icon above your reply.
 
Remove bad HijackThis entries
  • Run HijackThis
  • Click on the System Scan Only button
  • Put a check beside all of the items listed below (if present):

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: Yahoo! ¤u¨ã¦C - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\emman\AppData\Local\Temp\efcASlJY.dll,#1
    O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\emman\AppData\Local\Temp\urQgFwTL.dll,c
    O4 - HKCU\..\Run: [b803feb1] rundll32.exe "C:\Users\emman\AppData\Local\Temp\vtnufntb.dll",b
    O4 - HKCU\..\Run: [BMbb30cd2d] Rundll32.exe "C:\Users\emman\AppData\Local\Temp\guytnqxd.dll",s

  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.

-------------------------------------------------------------------------------

OTMoveit2 by OldTimer
Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code:
    C:\Users\emman\AppData\Local\Temp\efcASlJY.dll
    C:\Users\emman\AppData\Local\Temp\urQgFwTL.dll
    C:\Users\emman\AppData\Local\Temp\vtnufntb.dll
    C:\Users\emman\AppData\Local\Temp\guytnqxd.dll
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

------------------------------------------------------------------------------

Malwarebytes' Anti-Malware

  • Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please attach this log with your reply
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt


Attach:

1) OTMoveIt2 log
2) MBAM log
3) Fresh HijackThis log, run after the others
 
File/Folder not found.
File/Folder C:\Users\emman\AppData\Local\Temp\efcASlJY.dll not found.
File/Folder C:\Users\emman\AppData\Local\Temp\urQgFwTL.dll not found.
DllUnregisterServer procedure not found in C:\Users\emman\AppData\Local\Temp\vtnufntb.dll
C:\Users\emman\AppData\Local\Temp\vtnufntb.dll NOT unregistered.
C:\Users\emman\AppData\Local\Temp\vtnufntb.dll moved successfully.
DllUnregisterServer procedure not found in C:\Users\emman\AppData\Local\Temp\guytnqxd.dll
C:\Users\emman\AppData\Local\Temp\guytnqxd.dll NOT unregistered.
C:\Users\emman\AppData\Local\Temp\guytnqxd.dll moved successfully.

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 07122008_015131
 
Have hijackthis fix these just like before

O3 - Toolbar: Yahoo! ¤u¨ã¦C - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKCU\..\Run: [BMbb30cd2d] Rundll32.exe "C:\Users\emman\AppData\Local\Temp\spoivywe.dll",s
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\emman\AppData\Local\Temp\vtUkhfgH.dll,c



-----------------------------------------------------------------

Paste these into OTMoveit2 just like before and select Moveit!
Code:
C:\Users\emman\AppData\Local\Temp\spoivywe.dll
C:\Users\emman\AppData\Local\Temp\vtUkhfgH.dll

-------------------------------------------------------------------

Update your Java Runtime Environment
  • Click the following link
    Java Runtime Environment 6 Update 6
  • The 5th option down is the one you want (click Download)
  • Check the box to agree to terms of service
  • Check the box for your operating system and click 'Download selected' at the bottom
  • After the install, go to Start -> Control Panel -> Add/Remove Programs (Programs and Features), and uninstall any old versions
  • Navigate to C:\Program Files\Java -> delete any subfolders except the jre1.6.0_06 folder

--------------------------------------------------------------------------

Download and Run ATF Cleaner
Download ATF Cleaner by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it.

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache

*The other boxes are optional*
Then click the Empty Selected button.

Firefox or Opera:
Click Firefox or Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.

------------------------------------------------------------------

Attach a new HijackThis log with the OTMoveIt log
 
In the ATF Cleaner, I was not able to choose Prefetch in the Main because it says that it is disabled... The options for Firefox and Opera are not available so I was not able to empty them... I attached the logs in this reply for HijackThis and OTMoveIt
 
Good job.

One more to see if anything is left

Run Kaspersky Online AV Scanner

In order to use it you have to use Internet Explorer.
Go to Kaspersky and click the Accept button at the end of the page.

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.
  • Read the Requirements and limitations before you click Accept.
  • Allow the ActiveX download if necessary.
  • Once the database has downloaded, click Next.
  • Click on "My Computer"
  • When the scan has completed, click Save Report As...
  • Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
  • Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.
Attach the report into your next reply
 
I'm having a hard time downloading Kaspersky because my internet connection is too slow... Anyway, how do I remove the script error which appears every time I open my computer?
 
You don't download Kaspersky - it is an online scanner

-------------------------------------

What script error are you getting - screen shots or exact wording would help
 
Oh, I see... I'll just run the Kaspersky and send the report...

Here's the error that I'm receiving...

an error has occured in the script on this page
line:1
char:1
error: object expected
code: 0
URL: file:///C:/ProgramData/Yahoo!/YOP/yop.html
 
Much better - let's try this - I think your security is blocking it, which is ok


Panda Online Scan
  • Please visit Panda Online Scanner
  • Click on "Scan your PC".
  • A new browser window will open with Panda ActiveScan.
  • Click the big "Check Now" button
  • Enter your Country, State/Province, e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
Note: If this is the first time you scanned your PC, you'll have to download the ActiveX controls (8 MB). The time it takes to download these can vary depending on your connection
  • Click on "Local Disks" to start the scan
  • Save the log file to your desktop to attach it here
 
You need to open up Explorer, not internet explorer and delete the following files



Also, run a new Hijackthis! scan.

It seems that you are not running any (decent) firewall. You may be running Windows Firewall but that is not good enough.
So you can choose between:
ZoneAlarm
or
Comodo
I personally use Comodo, so I am biased, but it is your choice
 
Paste this into OTMoveit2! then hit the green cleanup button

Code:
C:\Users\emman\AppData\Local\Temp\tmp0000e1f5
C:\Users\emman\AppData\Local\Temp\tmp0000e233
C:\Users\emman\AppData\Local\Temp\tmp0000e771
C:\Users\emman\AppData\Local\Temp\tmp0000eaab
C:\Users\emman\AppData\Local\Temp\tmp0000ebf3
C:\Users\emman\AppData\Local\Temp\tmp0000ec7f
C:\Users\emman\AppData\Local\Temp\tmp0000f333
C:\Users\emman\AppData\Local\Temp\tmp0000f362
C:\Users\emman\AppData\Local\Temp\tmp0000f44c
C:\Users\emman\AppData\Local\Temp\tmp0000f797
C:\Users\emman\AppData\Local\Temp\tmp0000fa26
C:\Users\emman\AppData\Local\Temp\tmp0000fa93
C:\Users\emman\AppData\Local\Temp\tmp0000faa3
C:\Users\emman\AppData\Local\Temp\tmp0001032b
C:\Users\emman\AppData\Local\Temp\tmp0001079e
C:\Users\emman\AppData\Local\Temp\tmp00010f0d
C:\Users\emman\AppData\Local\Temp\tmp00011016
C:\Users\emman\AppData\Local\Temp\tmp000116e9
C:\Users\emman\AppData\Local\Temp\tmp00011ddc
C:\Users\emman\AppData\Local\Temp\tmp00012b53
C:\Users\emman\AppData\Local\Temp\tmp00014a67
C:\Users\emman\AppData\Local\Temp\tmp000154e2
C:\Users\emman\AppData\Local\Temp\tmp000156b6
C:\Users\emman\AppData\Local\Temp\tmp0001a90a
C:\Users\emman\AppData\Local\Temp\tmp00037efe
C:\Users\emman\AppData\Local\Temp\tmp00067628
C:\Users\emman\Documents\LimeWire\Saved\ImTOO iPod Computer Transfer 2.0.86.0201+Keygen(Full-New).rar
C:\Users\emman\Documents\LimeWire\Saved\LimeWire_pro_4.18.2\utorrent-acceleration-tool-free.exe
C:\Users\emman\Documents\LimeWire\Saved\Xilisoft - All 2008 Products (DVD Tools,Ipod,etc) + Keygen \s

It may ask you to reboot to remove something - say yes then post me the log after - It will be in the OTMoveit folder
 
I didn't know that it was the ImTOO program that was causing the problem so I used it again... I think my computer got infected again... safepctool and winanonymous.com keep on popping out... I attached the HijackThis log...
 
That wasn't your main problem - but I see something now, we need to run this tool

Combofix
  • Download Combofix to your desktop.
  • Double click combofix.exe & follow the prompts.
  • A window will open with a warning.
  • When the scan completes it will open a text window. Please attach that log back here together with a fresh HJT log.
Caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Combofix is a very powerful tool so please do NOT do anything without instruction

Combofix will automatically save the log file to C:\combofix.txt
 
I can't clean up using OTMoveIt... It says file access denied... I deleted the folders of ImTOO and Xilisoft already... and the Temp folder says that it's empty
 
You would need to right click the program and select run as administrator -> Then I meant click the Red Moveit! button

Also that won't remove the registry entries so please see my last post
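
Added example, not part of the thread or of any tool named in it: a Python check over the O4 lines quoted in the posts above that flags `rundll32` autoruns loading a DLL from a Temp directory, then compares the two scans to find Run values that came back under the same name with a different DLL. The function names (`parse_o4`, `suspicious`, `respawned`) and the Temp-path patterns are choices made for this example.

```python
import re

# O4 autorun lines copied from the two HijackThis logs quoted in this thread.
SCAN_1 = r'''
O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\emman\AppData\Local\Temp\efcASlJY.dll,#1
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\emman\AppData\Local\Temp\urQgFwTL.dll,c
O4 - HKCU\..\Run: [b803feb1] rundll32.exe "C:\Users\emman\AppData\Local\Temp\vtnufntb.dll",b
O4 - HKCU\..\Run: [BMbb30cd2d] Rundll32.exe "C:\Users\emman\AppData\Local\Temp\guytnqxd.dll",s
'''
SCAN_2 = r'''
O4 - HKCU\..\Run: [BMbb30cd2d] Rundll32.exe "C:\Users\emman\AppData\Local\Temp\spoivywe.dll",s
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\emman\AppData\Local\Temp\vtUkhfgH.dll,c
'''

# "O4 - <hive>\..\<Run key>: [<value name>] <command line>"
O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$')
# rundll32 loading a DLL (optionally quoted) followed by ",<export>"
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?,(?P<export>\S+)', re.I)
# Temp locations treated as suspicious DLL homes (assumption of this example)
TEMP_RE = re.compile(r'\\(?:AppData\\Local\\Temp|Local Settings\\Temp|Windows\\Temp)\\', re.I)

def parse_o4(log):
    """Return one dict (hive, key, name, cmd) per O4 autorun line in a log."""
    entries = []
    for line in log.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries

def suspicious(entry):
    """True when the autorun is rundll32 loading a DLL out of a Temp directory."""
    m = RUNDLL_RE.match(entry["cmd"])
    return bool(m and TEMP_RE.search(m.group("dll")))

def respawned(before, after):
    """Run value names flagged in both scans whose DLL path changed in between."""
    def dll_of(e):
        return RUNDLL_RE.match(e["cmd"]).group("dll").lower()
    old = {e["name"]: dll_of(e) for e in parse_o4(before) if suspicious(e)}
    new = {e["name"]: dll_of(e) for e in parse_o4(after) if suspicious(e)}
    return {n: (old[n], new[n]) for n in sorted(old.keys() & new.keys()) if old[n] != new[n]}

if __name__ == "__main__":
    for name, (was, now) in respawned(SCAN_1, SCAN_2).items():
        print(f"[{name}] rewritten: {was} -> {now}")
```

A Run value that reappears under the same name with a new DLL path means the key was rewritten between scans, so fixing the entry and moving the file once does not hold.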
 