7201 Adware On Install ?

detoxa · Jun 4, 2009

I just did a clean install of 7201 and am going through the process of setting up my toys just the way i like them

.

Unfortunately after running a Malwarebytes scan i have found 6 reg keys infected with ad-ware , So after deleting them i ran a scan with Spy-Bot and found another item of ad-ware on my w7 partition.

See attachments below for full details.

Seems very odd that i should have them on my notebook as its a "clean install". I did use IE8 briefly to set it up the way i like but all my security was inplace before hand.

Do you think these could be false positives/possible bug Ive inherited from the the shortcuts i transfered from 7137 ? Seems unlikely because i do regular scans and i always get a clean bill of health. (Hence why its so odd to me)
Any help/suggestions much appreciated as I'm curious as to whats happened please ?

Malwarebytes log :

Malwarebytes' Anti-Malware 1.37
Database version: 2227
Windows 6.1.7201
04/06/2009 04:34:25
mbam-log-2009-06-04 (04-34-25).txt
Scan type: Quick Scan
Objects scanned: 68661
Time elapsed: 2 minute(s), 50 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\bfast.com (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\commission-junction.com (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\fastclick.com (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\fastclick.net (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\kqzyfj.com (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\linksynergy.com (Adware.BHO) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)

Captain Zero · Jun 4, 2009

That's not on the 7201 build. You got nailed running IE somehow. Confirmed using a fresh x64 build.

detoxa · Jun 4, 2009

Wasnt suggesting its in the build , just wondering how i got 7 lots of adware setting up IE 8 ?

Captain Zero · Jun 4, 2009

IE was your first mistake. Sorry, run Firefox and use AdBlock Plus.

detoxa · Jun 4, 2009

Thanks for the advice lol.

aussiegreen · Jun 4, 2009

that a good idea cap zero i'll use the advice too

Airbot · Jun 4, 2009

Hi detoxa,

I have these too on a clean 7201 x64 install. I confirmed my hashes. Do you perhaps have Spywareblaster installed as well? I don't think it's from setting up IE8, and there's nothing wrong with running IE :sarc:. I'm thinking it might be false positives from some recent Malwarebytes updates and Spywareblaster entries. I'm running further scans with other scanners, I'll post back if I find anything more. This is the first build I've encountered this with.

jimbo45 · Jun 4, 2009

Hi all
Sorry to disappoint you -- it's not so much the browser itself as to what you run in it.

Also NEVER EVER run those programs that offer to scan your registry or fix your drivers from a Browser.

This is the EASIEST way ever of getting an infected system. If you must run these wretched type of programs (they are usually sneakware -- you get things like problems found but you need to "upgrade" to a PRO (i.e PAY) version to use the feature you want) run then stand alone first (i.e from an .EXE file having scanned it carefully first).

Switch off all things like accelerators etc etc in Browsers -- ideally have as few plugins as possible -- with the speed of the Internet these days it doesn't take much longer to download a file such as a PDF / HTML or wahtever and run it in stand alone mode on your PC in a dedicated application.

Same (or especially true) for multi media files -- run these also from within a dedicated application and not within a browser.

Cheers
jimbo

Captain Zero · Jun 4, 2009

These entries don't appear in my reg. But... I also haven't run IE, not once, since a clean install. My point earlier is that it doesn't appear to have come with the OS unless it's something that's installed on first-run or something that's loaded from MSN.com when it loads. No other ideas on this one.

Generator · Jun 4, 2009

Someone from MajorGeeks forums claims they are false-positives. Apparently if you check the reg keys and they have the data value of 5 then everythings ok.

Block-Checker [Archive] - MajorGeeks Support Forums

Airbot · Jun 4, 2009

Here is an entry on Malwarebytes support forum. I'm betting these are false positives from a recent Malwarebytes update. Probably malwarebytes/Spywareblaster entry FPs. Some others reporting it, no mention of them using Win 7 at all.

Are These FP's? - Malwarebytes Forum

Generator · Jun 4, 2009

Its SpywareBlaster causing it, just found this..

SpywareBlaster and Spyware Doctor conflict - Wilders Security Forums

Airbot · Jun 4, 2009

What I suspected. FP's with Spywareblaster entries.

Airbot · Jun 4, 2009

Just an update.

The false positives have been fixed in the latest Malwarebytes update. if you update MB, you can scan again and it won't pick it up.

zigzag3143 · Jun 4, 2009

ad-ware

did you import anything from the previous installation? sometimes things look like shortcuts but really are either java or a disguised exe.

Good Luck

Ken

Airbot · Jun 4, 2009

They're just Spywareblaster entries being picked up as false positives. No danger.

ambientmf · Jun 4, 2009

jimbo45 said:
Also NEVER EVER run those programs that offer to scan your registry or fix your drivers from a Browser.

This is the EASIEST way ever of getting an infected system. If you must run these wretched type of programs (they are usually sneakware -- you get things like problems found but you need to "upgrade" to a PRO (i.e PAY) version to use the feature you want) run then stand alone first (i.e from an .EXE file having scanned it carefully first).

I wholeheartedly concur.
Almost every 'warning' of that kind is usually a Trojan in disguise.
Spyware Warrior: Rogue/Suspect Anti-Spyware Products & Web Sites

detoxa · Jun 5, 2009

ambientmf said:
I wholeheartedly concur.
Almost every 'warning' of that kind is usually a Trojan in disguise.
Spyware Warrior: Rogue/Suspect Anti-Spyware Products & Web Sites

Thanks for all the advice as it really annoyed me that i got infected for no good reason . I have learnt the hard way over the years and i kinda pride myself by not getting any nasties on my system. Ive installed various leaks from this forum and they have all been as "clean as a whistle" and i know that the sources are trusted by the more experienced users that use this forum.

Ive just read my original post again and if it came across that i was blaming the build or the original source (Sukonka) i apologise.

Thanks again

Sean.

7201 Adware On Install ?

New member

Attachments

My Computer

Ragdoll Impersonator

My Computer

New member

My Computer

Ragdoll Impersonator

My Computer

New member

My Computer

New member

My Computer

----------------------

My Computer

New member

My Computer

Ragdoll Impersonator

My Computer

- Reboot Initiated -

My Computer

----------------------

My Computer

- Reboot Initiated -

My Computer

----------------------

My Computer

----------------------

My Computer

New member

My Computer

----------------------

My Computer

New member

My Computer

New member

My Computer