
Thread: A couple of problems

  1. #1
    Li'l Abner Guest

    A couple of problems

    I just cleaned up a computer that was infected with Antivirus8.
    MalwareBytes pretty well did the trick since SuperAntispyware only found a
    couple of cookies. I've checked IE and Firefox for redirects and am not
    getting any. But I've got two problems that I haven't figured out yet.
    One of them is that when the computer is first booted, both Internet
    Explorer and Firefox both automatically open to their home page (Google).
    I find nothing in msconfig that is starting the browsers.
    The second thing is that when searching from Internet Explorer certain
    items will bring up a popup from Amazon just above the system tray. See
    http://mewnlite.com/amazon.jpg for an example. This does not occur with
    Firefox.
    It's an Acer, Windows 7 32 bit Home Premium. He has AVG free as his AV.
    I have not yet run any rootkit detectors since I don't see any symptoms
    (like redirects) that usually accompany a rootkit. If anyone recognizes
    either of these behaviors and has a solution, feel free to tell me about
    it!
    Meanwhile, I'll keep Googling,
    Thanks.

    --
    --- Everybody has a right to my opinion. ---

  2. #2
    Whoever Guest

    Re: A couple of problems

    "Li'l Abner" <blvstk@dogpatch.com> wrote in
    news:Xns9E7481835892Bbutter@wefb973cbe498:
    >
    > I just cleaned up a computer that was infected with Antivirus8.
    > MalwareBytes pretty well did the trick since SuperAntispyware only
    > found a couple of cookies. I've checked IE and Firefox for redirects
    > and am not getting any. But I've got two problems that I haven't
    > figured out yet. One of them is that when the computer is first
    > booted, both Internet Explorer and Firefox both automatically open to
    > their home page (Google). I find nothing in msconfig that is starting
    > the browsers. The second thing is that when searching from Internet



    While MSCONFIG still has its uses I'd highly recommend using AUTORUNS
    instead. While there are ways to get around it as well, it has been far
    more useful in tracking down autostarting programs for me.

    http://technet.microsoft.com/en-us/s...rnals/bb963902


    > Explorer certain items will bring up a popup from Amazon just above
    > the system tray. See http://mewnlite.com/amazon.jpg for an example.
    > This does not occur with Firefox.
    > It's an Acer, Windows 7 32 bit Home Premium. He has AVG free as his
    > AV. I have not yet run any rootkit detectors since I don't see any
    > symptoms (like redirects) that usually accompany a rootkit. If anyone
    > recognizes either of these behaviors and has a solution, feel free to
    > tell me about it!



    Sounds like scanning for a rootkit is a good idea. TDSSKiller is pretty
    much standard procedure for me these days, along with more generic rootkit
    scanners. As far as the popups, I usually strip IE down to its basics when
    I run into things like that. Uninstalling all the toolbars, resetting all
    of the settings, etc. I just finished cleaning one up where I had to
    uninstall all of the search providers, then reinstall them in order to
    clean up a search results hijacking problem. Or at least it appears to have
    cleared up the problem. I need to keep running it for another day or so to
    make sure it doesn't come back.



    --
    Don't bother trying to
    contact me via email.

  3. #3
    Buffalo Guest

    Re: A couple of problems



    Li'l Abner wrote:
    > I just cleaned up a computer that was infected with Antivirus8.
    > MalwareBytes pretty well did the trick since SuperAntispyware only
    > found a couple of cookies. I've checked IE and Firefox for redirects
    > and am not getting any. But I've got two problems that I haven't
    > figured out yet. One of them is that when the computer is first
    > booted, both Internet Explorer and Firefox both automatically open to
    > their home page (Google). I find nothing in msconfig that is starting
    > the browsers.
    > The second thing is that when searching from Internet Explorer certain
    > items will bring up a popup from Amazon just above the system tray.
    > See http://mewnlite.com/amazon.jpg for an example. This does not
    > occur with Firefox.
    > It's an Acer, Windows 7 32 bit Home Premium. He has AVG free as his
    > AV.
    > I have not yet run any rootkit detectors since I don't see any
    > symptoms (like redirects) that usually accompany a rootkit. If anyone
    > recognizes either of these behaviors and has a solution, feel free to
    > tell me about it!
    > Meanwhile, I'll keep Googling,
    > Thanks.

    Try the latest def updates for SAS and scan it again. Same with MBAM.
    Do try a rootkit detector and also Lipman's programs.
    Buffalo



  4. #4
    David H. Lipman Guest

    Re: A couple of problems

    From: "Whoever" <whoever@wherever.invalid>

    | "Li'l Abner" <blvstk@dogpatch.com> wrote in
    | news:Xns9E7481835892Bbutter@wefb973cbe498:

    >> I just cleaned up a computer that was infected with Antivirus8.
    >> MalwareBytes pretty well did the trick since SuperAntispyware only
    >> found a couple of cookies. I've checked IE and Firefox for redirects
    >> and am not getting any. But I've got two problems that I haven't
    >> figured out yet. One of them is that when the computer is first
    >> booted, both Internet Explorer and Firefox both automatically open to
    >> their home page (Google). I find nothing in msconfig that is starting
    >> the browsers. The second thing is that when searching from Internet



    | While MSCONFIG still has its uses I'd highly recommend using AUTORUNS
    | instead. While there are ways to get around it as well, it has been far
    | more useful in tracking down autostarting programs for me.

    | http://technet.microsoft.com/en-us/s...rnals/bb963902


    >> Explorer certain items will bring up a popup from Amazon just above
    >> the system tray. See http://mewnlite.com/amazon.jpg for an example.
    >> This does not occur with Firefox.
    >> It's an Acer, Windows 7 32 bit Home Premium. He has AVG free as his
    >> AV. I have not yet run any rootkit detectors since I don't see any
    >> symptoms (like redirects) that usually accompany a rootkit. If anyone
    >> recognizes either of these behaviors and has a solution, feel free to
    >> tell me about it!



    | Sounds like scanning for a rootkit is a good idea. TDSSKiller is pretty
    | much standard procedure for me these days, along with more generic rootkit
    | scanners. As far as the popups, I usually strip IE down to its basics when
    | I run into things like that. Uninstalling all the toolbars, resetting all
    | of the settings, etc. I just finished cleaning one up where I had to
    | uninstall all of the search providers, then reinstall them in order to
    | clean up a search results hijacking problem. Or at least it appears to have
    | cleared up the problem. I need to keep running it for another day or so to
    | make sure it doesn't come back.



    I agree with the above assertions.


    --
    Dave
    Multi-AV Scanning Tool - http://www.pctipp.ch/downloads/dl/35905.asp



  5. #5
    David H. Lipman Guest

    Re: A couple of problems

    From: "Buffalo" <Eric@nada.com.invalid>



    | Li'l Abner wrote:
    >> I just cleaned up a computer that was infected with Antivirus8.
    >> MalwareBytes pretty well did the trick since SuperAntispyware only
    >> found a couple of cookies. I've checked IE and Firefox for redirects
    >> and am not getting any. But I've got two problems that I haven't
    >> figured out yet. One of them is that when the computer is first
    >> booted, both Internet Explorer and Firefox both automatically open to
    >> their home page (Google). I find nothing in msconfig that is starting
    >> the browsers.
    >> The second thing is that when searching from Internet Explorer certain
    >> items will bring up a popup from Amazon just above the system tray.
    >> See http://mewnlite.com/amazon.jpg for an example. This does not
    >> occur with Firefox.
    >> It's an Acer, Windows 7 32 bit Home Premium. He has AVG free as his
    >> AV.
    >> I have not yet run any rootkit detectors since I don't see any
    >> symptoms (like redirects) that usually accompany a rootkit. If anyone
    >> recognizes either of these behaviors and has a solution, feel free to
    >> tell me about it!
    >> Meanwhile, I'll keep Googling,
    >> Thanks.



    | Try the latest def updates for SAS and scan it again. Same with MBAM.
    | Do try a rootkit detector and also Lipman's programs.
    | Buffalo

    It wouldn't be a bad idea to use the Sophos and Trend Micro modules of my Multi-AV and, if
    Li'l Abner isn't using Avira, the Avira module.

    --
    Dave
    Multi-AV Scanning Tool - http://www.pctipp.ch/downloads/dl/35905.asp



  6. #6
    Li'l Abner Guest

    Re: A couple of problems

    "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in
    news:ihd20h028m1@news5.newsguy.com:

    > From: "Whoever" <whoever@wherever.invalid>
    >
    >| "Li'l Abner" <blvstk@dogpatch.com> wrote in
    >| news:Xns9E7481835892Bbutter@wefb973cbe498:
    >
    >>> I just cleaned up a computer that was infected with Antivirus8.
    >>> MalwareBytes pretty well did the trick since SuperAntispyware only
    >>> found a couple of cookies. I've checked IE and Firefox for redirects
    >>> and am not getting any. But I've got two problems that I haven't
    >>> figured out yet. One of them is that when the computer is first
    >>> booted, both Internet Explorer and Firefox both automatically open
    >>> to their home page (Google). I find nothing in msconfig that is
    >>> starting the browsers. The second thing is that when searching from
    >>> Internet

    >
    >
    >| While MSCONFIG still has its uses I'd highly recommend using
    >| AUTORUNS
    >| instead. While there are ways to get around it as well, it has been
    >| far more useful in tracking down autostarting programs for me.
    >
    >| http://technet.microsoft.com/en-us/s...rnals/bb963902
    >
    >
    >>> Explorer certain items will bring up a popup from Amazon just above
    >>> the system tray. See http://mewnlite.com/amazon.jpg for an example.
    >>> This does not occur with Firefox.
    >>> It's an Acer, Windows 7 32 bit Home Premium. He has AVG free as his
    >>> AV. I have not yet run any rootkit detectors since I don't see any
    >>> symptoms (like redirects) that usually accompany a rootkit. If
    >>> anyone recognizes either of these behaviors and has a solution, feel
    >>> free to tell me about it!

    >
    >
    >| Sounds like scanning for a rootkit is a good idea. TDSSKiller is
    >| pretty
    >| much standard procedure for me these days, along with more generic
    >| rootkit scanners. As far as the popups, I usually strip IE down to
    >| its basics when I run into things like that. Uninstalling all the
    >| toolbars, resetting all of the settings, etc. I just finished
    >| cleaning one up where I had to uninstall all of the search providers,
    >| then reinstall them in order to clean up a search results hijacking
    >| problem. Or at least it appears to have cleared up the problem. I
    >| need to keep running it for another day or so to make sure it doesn't
    >| come back.


    > I agree with the above assertions.


    Well, if YOU agree, he must be right! :-)

    But here is what the causes/solutions turned out to be:
    Acer SmartBoot (in startup) remembers (if you let it) your most often used
    programs and opens them automatically. IE and Firefox were on its list. I
    turned that feature off.
    "Powered" by PriceGong was in the bottom of that Amazon.com popup. I found
    PriceGong in the Add/Remove (or the Win 7 equivalent thereof) list.
    I can't believe that MBAM or SuperAntispyware wouldn't have tagged that.
    If I searched for MalwareBytes, the same popup came up but Amazon was
    asking $33.95 for it ($9 too much)

    Thanks, Bob, for the "assertions" and Dave for the Seal of Approval!

    --
    --- Everybody has a right to my opinion. ---

  7. #7
    Li'l Abner Guest

    Re: A couple of problems

    Whoever <whoever@wherever.invalid> wrote in
    news:Xns9E7490C1A84E7somewhere@69.16.185.247:

    > "Li'l Abner" <blvstk@dogpatch.com> wrote in
    > news:Xns9E7481835892Bbutter@wefb973cbe498:
    >>
    >> I just cleaned up a computer that was infected with Antivirus8.
    >> MalwareBytes pretty well did the trick since SuperAntispyware only
    >> found a couple of cookies. I've checked IE and Firefox for redirects
    >> and am not getting any. But I've got two problems that I haven't
    >> figured out yet. One of them is that when the computer is first
    >> booted, both Internet Explorer and Firefox both automatically open to
    >> their home page (Google). I find nothing in msconfig that is starting
    >> the browsers. The second thing is that when searching from Internet

    >
    >
    > While MSCONFIG still has its uses I'd highly recommend using AUTORUNS
    > instead. While there are ways to get around it as well, it has been
    > far more useful in tracking down autostarting programs for me.
    >
    > http://technet.microsoft.com/en-us/s...rnals/bb963902
    >
    >
    >> Explorer certain items will bring up a popup from Amazon just above
    >> the system tray. See http://mewnlite.com/amazon.jpg for an example.
    >> This does not occur with Firefox.
    >> It's an Acer, Windows 7 32 bit Home Premium. He has AVG free as his
    >> AV. I have not yet run any rootkit detectors since I don't see any
    >> symptoms (like redirects) that usually accompany a rootkit. If anyone
    >> recognizes either of these behaviors and has a solution, feel free to
    >> tell me about it!

    >
    >
    > Sounds like scanning for a rootkit is a good idea. TDSSKiller is
    > pretty
    > much standard procedure for me these days, along with more generic
    > rootkit scanners. As far as the popups, I usually strip IE down to its
    > basics when I run into things like that. Uninstalling all the
    > toolbars, resetting all of the settings, etc. I just finished cleaning
    > one up where I had to uninstall all of the search providers, then
    > reinstall them in order to clean up a search results hijacking
    > problem. Or at least it appears to have cleared up the problem. I need
    > to keep running it for another day or so to make sure it doesn't come
    > back.


    I did run TDSS at your suggestion and it found nothing.
    I didn't mention it before, but MBam had found over a hundred instances
    of PUP.dealio but it didn't checkmark them. I did though and got rid of
    them. His homepages had both been SweetIM before I changed them to
    Google. There were AVG, SweetIM, and Yahoo toolbars. I got rid of all of
    those. And then Google Chrome was installed. He didn't know how that got
    there. No doubt a drive-by by Adobe. I also set IE back to defaults as
    you suggested.
    See my reply to Dave's short reply to you. That explains what the real
    culprits turned out to be.
    And thanks!



    --
    --- Everybody has a right to my opinion. ---
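
Added example, not part of any post in this thread: a read-only PowerShell listing of the standard autostart locations (Run keys, Startup folders) and Internet Explorer Browser Helper Objects, a subset of what Autoruns inspects. That the startup entry and the IE-only add-on from this thread would appear in exactly these locations is an assumption, and the function names are hypothetical.

```powershell
# Added example: read-only inventory of common autostart points and IE add-ons.
# Run from an elevated prompt; written to work on PowerShell 2.0 (Windows 7).

function Get-RunKeyEntries {
    $keys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($key in $keys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $item = Get-Item -LiteralPath $key
        foreach ($name in $item.GetValueNames()) {
            New-Object PSObject -Property @{
                Source = $key; Name = $name; Command = $item.GetValue($name) }
        }
    }
}

function Get-StartupFolderEntries {
    # Per-user Startup folder plus the all-users one under ProgramData.
    $folders = [Environment]::GetFolderPath('Startup'),
               (Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs\Startup')
    foreach ($folder in $folders) {
        if (-not (Test-Path -LiteralPath $folder)) { continue }
        Get-ChildItem -LiteralPath $folder | ForEach-Object {
            New-Object PSObject -Property @{
                Source = $folder; Name = $_.Name; Command = $_.FullName }
        }
    }
}

function Get-IEBrowserHelperObjects {
    # BHOs load only inside Internet Explorer, which fits an IE-only symptom.
    $root = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    if (-not (Test-Path -LiteralPath $root)) { return }
    foreach ($sub in Get-ChildItem -LiteralPath $root) {
        $clsKey = "HKLM:\Software\Classes\CLSID\$($sub.PSChildName)"
        $label = $null; $dll = $null
        if (Test-Path -LiteralPath $clsKey) { $label = (Get-Item -LiteralPath $clsKey).GetValue('') }
        if (Test-Path -LiteralPath "$clsKey\InprocServer32") {
            $dll = (Get-Item -LiteralPath "$clsKey\InprocServer32").GetValue('') }
        New-Object PSObject -Property @{
            Source = 'IE BHO'; Name = "$label $($sub.PSChildName)"; Command = $dll }
    }
}

@(Get-RunKeyEntries) + @(Get-StartupFolderEntries) + @(Get-IEBrowserHelperObjects) |
    Select-Object Source, Name, Command | Format-Table -AutoSize -Wrap
```

Entries whose command path or publisher is unfamiliar are the ones to look up before disabling; scheduled tasks, services and IE toolbars or search providers are not covered here.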
