I removed a malware (I think?)



Win xp (mce) with all updates.

I saw an ad on TV about an ointment that is reported to
protect your cuts and scrapes against MRSA
(Methicillin-resistant Staphylococcus aureus) and looked it
up on the web.  The page offers a three-dollar coupon.  I
tried to download the coupon and was told by the ointment
vendor that I had to add a plugin first that would permit my
printer to display bar codes.

This I did, and the coupon printed out.

The next time I used the computer I could not connect with
the web in general.  My Firefox 5.0 and IE would permit me
to connect with atomic clock, but when I tried to read
Drudge (and other pages) I got a msg saying the computer
could not connect with addresses starting with HTTP, and a
list of other Hxxx urls.

I thought maybe that somebody had screwed with my HOSTS
file, but could not find anything wrong there.

I thought something was wrong with my ISP, so I went online
with my wife's laptop, which connects through the same
router as my regular machine.  The laptop worked perfectly,
so the problem was not at the ISP.

I took my desktop into safe mode and ran Spybot SD.  It
found seven problem cookies all listed under the heading
"Coupon".  Spybot removed six of them, reporting that it
could not remove the last one.

I ran Malwarebytes' antimalware program and it found one
problem item, evidently the one Spybot couldn't remove.
Malwarebytes could not remove it either, but told me how to
remove it myself.

Following instructions I navigated in the registry to:
currentuser\software\microsoft\windows\currentversion\ext\stats\{9522b3fb-7a2b-4646-8af6-36e7f593073c}

The instructions were to close all applications before
removing that line, as it might cause running applications
to misbehave and screw something up.

This I did, and rebooting back into regular mode found that
my internet was now working normally.

I post this in case someone else has problems after printing
a coupon plugin for the ointment. A barcode plugin sounds
kind of fishy anyway.

The ointment vendor advertises his product on national TV,
so I doubt that he is intentionally spreading malware.  But
I felt that this should be posted somewhere.

FWIW


Jack from Taxacola (formerly Pensacola), FL
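As an added example (not code from this thread, and not from Spybot or Malwarebytes), the PowerShell below does a read-only pass over the two places Jack looked: the per-add-on statistics key Internet Explorer keeps under HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats, where each subkey is a CLSID, and the HOSTS file. Each CLSID is resolved through HKEY_CLASSES_ROOT\CLSID so an entry can be matched to a registered name and DLL, and any HOSTS mapping that does not point at loopback is reported. It assumes Windows PowerShell 2.0 or later is installed (XP does not ship with it); nothing is deleted.

```powershell
# Added example, not from the thread or from any tool named in it.
# Read-only triage of the two places the original poster looked at:
#   1. HKCU\...\Ext\Stats, where Internet Explorer records per-add-on
#      statistics keyed by CLSID; each CLSID is resolved through
#      HKEY_CLASSES_ROOT\CLSID to a registered name and module.
#   2. The HOSTS file, reporting any mapping not pointing at loopback.
# Assumes Windows PowerShell 2.0 or later (XP needs it installed separately).

$ExtStatsPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Ext\Stats'
$HostsPath    = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

function Get-IEAddOnStatEntries {
    if (-not (Test-Path $ExtStatsPath)) { return @() }
    foreach ($key in Get-ChildItem $ExtStatsPath) {
        $clsid    = $key.PSChildName
        $clsidKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"
        $name     = $null
        $module   = $null
        if (Test-Path $clsidKey) {
            # The key's default value is the human-readable component name.
            $name = (Get-ItemProperty $clsidKey).'(default)'
            $serverKey = "$clsidKey\InprocServer32"
            if (Test-Path $serverKey) {
                # Default value of InprocServer32 is the DLL path.
                $module = (Get-ItemProperty $serverKey).'(default)'
            }
        }
        # A Stats entry whose CLSID is no longer registered is a leftover
        # (as in the thread); it is not proof of malware, but worth a look.
        New-Object PSObject -Property @{
            CLSID      = $clsid
            Name       = $name
            Module     = $module
            Registered = (Test-Path $clsidKey)
        }
    }
}

function Get-NonLoopbackHostsEntries {
    param([string]$Path = $HostsPath)
    if (-not (Test-Path $Path)) { return @() }
    foreach ($line in Get-Content $Path) {
        $text = ($line -split '#')[0].Trim()   # strip comments, skip blanks
        if (-not $text) { continue }
        $fields = $text -split '\s+'
        if ($fields.Count -lt 2) { continue }
        if (@('127.0.0.1', '::1') -contains $fields[0]) { continue }
        New-Object PSObject -Property @{
            Address  = $fields[0]
            HostName = $fields[1]
        }
    }
}

"IE add-on stats entries under $ExtStatsPath"
Get-IEAddOnStatEntries | Format-Table CLSID, Registered, Name, Module -AutoSize

"HOSTS entries not pointing at loopback"
Get-NonLoopbackHostsEntries | Format-Table Address, HostName -AutoSize
```

Both functions only read; the idea is to produce the list of CLSIDs and modules a scanner such as Spybot or MBAM can then be checked against, and to confirm whether the HOSTS file was actually touched, before anything is removed by hand.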

Re: I removed a malware (I think?)

Jackson wrote:

Major snip...


Good story!  I hope this close call has you thinking about your backup
situation which you failed to mention.

You may wish to follow-up MBAM with a SAS run in Safe Mode:

<http://www.superantispyware.com/>

As you will undoubtedly notice, MBAM & SAS come in two flavors each
and although you will still see that we still like the major thrust of
Spybot-S&D, it isn't updated frequently enough for the likes of some.

By upgrading MBAM & SAS to their paid for versions, you upgrade to
real-time lifetime protection that's updated several times per day.

It might have been helpful to many if you had listed all the
infections and the URL (obfuscated) where you believe you downloaded
the infections for addition to the HOSTS file.

What are you doing for antivirus protection?

Congratulations on your self help adventure.

Best regards,
--
Pete

Re: I removed a malware (I think?)



Everything said above; times two. He did well. :)


--
Dustin Cook [Malware Researcher]
MalwareBytes - http://www.malwarebytes.org
BugHunter - http://bughunter.it-mate.co.uk

Re: I removed a malware (I think?)

wrote:
/../

Thanks for responding; I'll take your advice. Right now I
use Zonealarm fire wall and AVG  free 8.0.

The product advertised is Staphaseptic.  I believe they are
legit because so many large chains carry the product.

I googled the name and it led me to their page which was
given the little green check mark by Firefox, which I
thought means that the page is safe (?).  Along with info
about their product was an offer of a three dollar coupon.

I clicked on the coupon and was told my printer needed a
plugin in order to be able to print the bar code.  At the
time, this seemed plausible, but thinking about it, why in
the world would a Lexmark Z25 need a plugin to print a bar
code.

Anyway they sent me seven infections. According to Spybot SD
they consisted of three ID class, one library class, two
interface class and one root class.  I don't really know
what all that means.

Malwarebytes identified their one item as Adware.Coupon
registry key.

Do you happen to know what adware.coupon does?  Is it just a
tracking cookie?  It was on my computer overnight before I
discovered it so it had time to do a lot although the isp is
shut down most of the night.

I visited the web site again today and could not find the
offer of a coupon.  They must have removed it, or possibly
their legitimate site was hacked.

Would it be smart to change all my passwords?

Thanks for any info.


Jack from Taxacola (formerly Pensacola), FL

Re: I removed a malware (I think?)



http://www.malwarebytes.org/malwarenet.php?name=Adware.Coupons



Re: I removed a malware (I think?)

Jackson wrote:

You would do well to upgrade/update your browser's security and
reputation plugins.


That's where you should have re-thought the process again.


If you have any logs kept from Spybot-S&D, it would be good to
reproduce them in an abbreviated but useful form here.


Are you sure it wasn't plural?

<http://www.malwarebytes.org/malwarenet.php?name=Adware.Coupons>


By themselves, cookies don't /usually/ render harm.


The coupon offer /is/ there.

hXXp://bricks.coupons.com/ and/or hXXp://www.staphaseptic.com/ may have
been compromised.


Since you haven't given us all the information requested about the
exact infections you experienced, yes.  Of course!

I'd even change the date and place of your birth...

In all seriousness, some would have had you flatten & rebuild your
system - still.


I'm sure we all wish you would rethink your whole antimalware strategy
now.


Regards,

--
1PW

Re: I removed a malware (I think?)

Jackson wrote:


http://www. staphaseptic. com/  ?


I clicked on the coupon and was told I was using an unsupported browser,
and that I might borrow someone else's computer who had "Win2K and newer
operating systems running:  Internet Explorer 5.5 or newer, Firefox,
Netscape 7 or newer, and most recent AOL or MSN browsers. [or] Macintosh
OSX 10.3 or newer running Safari."

I used Firefox 3.0.13 and an operating system a good deal newer than
Win2K:  Linux Ubuntu...   No coupon (or malware) for me!  :-)

Oh, the coupon is not offered by the site above; it comes from
http://bricks. coupons. com/

Later, just for kicks, I switched my UA string to read IE6.0 on WinXP,
and went back to the coupon page.  
"The system cannot find the file specified."

I'd suggest Mercurochrome.

--
   -bts
   -Friends don't let friends drive Windows
