(The quickest way to register)

Forum

Dear visitor! The webpage is only available in English. We're sorry for the inconvenience.
  1. User picture
    • paul g on Thu 04 Jun 2009
    • 09:29:00 AM UTC

    MBAM found adware infection.

    Hi,all.I have just updated MBAM and ran a full scan at the end it found 7 entries saying Adware BHO I have no idea how this happened can someone help please. heres the log. Also Winpatrol popped up 2 times saying ACTIVE X web browser xml HTTP wants to run and ACTIVE X msxml3.dll wants to run are they connected??

    Thankyou for your time...........p................

    Malwarebytes' Anti-Malware 1.37
    Database version: 2227
    Windows 6.0.6001 Service Pack 1

    04/06/2009 10:11:01
    mbam-log-2009-06-04 (10-10-57).txt

    Scan type: Full Scan (C:\|D:\|E:\|)
    Objects scanned: 172710
    Time elapsed: 43 minute(s), 2 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 7
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\bfast.com (Adware.BHO) -> No action taken.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\commission-junction.com (Adware.BHO) -> No action taken.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\fastclick.com (Adware.BHO) -> No action taken.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\fastclick.net (Adware.BHO) -> No action taken.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\kqzyfj.com (Adware.BHO) -> No action taken.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\linksynergy.com (Adware.BHO) -> No action taken.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\qksrv.net (Adware.BHO) -> No action taken.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

    i removed all of them........Thanks again........p.............

    If You Dont Ask You Will Never Know..

Comments:

  2. User picture
    • MysteryFCM on Thu 04 Jun 2009
    • 11:37:36 AM UTC

    ....

    Those aren't FP's, and can safely be removed ;o)

    Regards
    Steven Burn
    Ur I.T. Mate Group / hpHosts
    it-mate.co.uk / hosts-file.net
    • User picture
      • paul g on Thu 04 Jun 2009
      • 11:54:05 AM UTC

      MBAM F/Ps

      Hey MysteryFCM.Thanks for your quick reply i have just popped back to post that i have just done updates for MBAM and ran a full scan on my mums PC she is a very basic user just shops and looks at differant sites than me and she had exact same results so i thought something like F/Ps..Do you know how we both had the same results.Do you know how we got them please??

      Thanks for your time...........cheers...........p..............

      If You Dont Ask You Will Never Know..
      • User picture
        • MysteryFCM on Thu 04 Jun 2009
        • 12:11:44 PM UTC

        ...

        Chances are, the same sites were loaded on both machines (or sites related to each other).

        It's worth noting however, that those keys are not the results of a virus/worm/trojan etc. They're just cookies related to adware/spyware sites.

        See the following for reference;

        http://support.microsoft.com/kb/182569

        You'd get sites in the same reg hive if you used 2 of the extensions that I wrote for my AB Extension Pack (the two extensions allow you to dynamically add sites to the trusted or restricted sites listing).

        Regards
        Steven Burn
        Ur I.T. Mate Group / hpHosts
        it-mate.co.uk / hosts-file.net
        • User picture
          • paul g on Thu 04 Jun 2009
          • 12:31:12 PM UTC

          They're just cookies.

          Hi,again MysteryFCM Thanks i read the link you gave. We dont go to the same sites at all.But if i understand the page about security zones i can make them higher? Im sorry but i dont know anything about REG keys and tech stuff like that
          "It's worth noting however, that those keys are not the results of a virus/worm/trojan etc. They're just cookies related to adware/spyware sites."Thats good to know thanks for that. I will go through her bookmarks and see if we have any the same.

          Thanks for your time.........cheers...........p............

          If You Dont Ask You Will Never Know..
          • User picture
            • YoKenny on Thu 04 Jun 2009
            • 01:19:53 PM UTC

            They are registry keys

            They are registry keys that were not checked before for long since removed malware.

            See:
            http://www.malwarebytes.org/forums/index.php?showt...
            • User picture
              • paul g on Thu 04 Jun 2009
              • 01:41:34 PM UTC

              Traces.

              Hi,YoKenny.Thanks for that. i read the link that was there and it was a bit over my head too.I dont know what the infection might have been in the first place but good to know MBAM picked them up.

              Thanks for your time..........cheers.........p..........

              If You Dont Ask You Will Never Know..
          • User picture
            • MysteryFCM on Thu 04 Jun 2009
            • 01:26:45 PM UTC

            ...

            It's not the sites referenced themselves, that have been visited - it's sites that use their ad/tracking servers.

            As YoKenny mentioned, there was malware that put them on the machine too, but I am confident that this is not the case here.

            Regards
            Steven Burn
            Ur I.T. Mate Group / hpHosts
            it-mate.co.uk / hosts-file.net
  3. User picture
    • Anonymous on Thu 04 Jun 2009
    • 12:02:14 PM UTC

    Network

    Two machines on same network will share same viruses Paul.You and your wife will be on same connection so share the same viruses.Thats what love is,share everything.LOL.(G.O.M.with Honours).
  4. User picture
    • paul g on Thu 04 Jun 2009
    • 12:08:44 PM UTC

    Where on differant networks.

    Hey,cod head ,my MUM is on BT and im on VIRGIN so if im right? we are not sharing the same network so im a bit confused how we got the same results?

    Thanks for your time..........cheers.........p...............

    If You Dont Ask You Will Never Know..
  5. User picture
    • demonluo on Thu 04 Jun 2009
    • 01:58:20 PM UTC

    make sure this site r in ur

    make sure this site r in ur cookie, restricted zone & host blocklist...

    Registry Keys Infected:
    bfast.com (Adware.BHO) -> No action taken.
    commission-junction.com (Adware.BHO) -> No action taken.
    fastclick.com (Adware.BHO) -> No action taken.
    fastclick.net (Adware.BHO) -> No action taken.
    kqzyfj.com (Adware.BHO) -> No action taken.
    linksynergy.com (Adware.BHO) -> No action taken.
    qksrv.net (Adware.BHO) -> No action taken.
  6. User picture
    • paul g on Thu 04 Jun 2009
    • 02:14:44 PM UTC

    There back?

    Hi,demonluo Thanks i just scanned again and 6 were back so i just looked at SpywareBlaster it said 6 unprotected so i went back to previous host back up i have Hostsxpert to so i think if i clear back to windows then update this might help??
    I will reset Hostsxpert now do a scan and see what happens..

    Thanks for your time...........cheers..........p.............

    If You Dont Ask You Will Never Know..
    • User picture
      • MysteryFCM on Thu 04 Jun 2009
      • 02:16:10 PM UTC

      ....

      If I remember correctly, all of those domains are in hpHosts, and MVPS Hosts, so aslong as HE is downloading the updates for you, further access to the sites will be blocked anyway ;o)

      Regards
      Steven Burn
      Ur I.T. Mate Group / hpHosts
      it-mate.co.uk / hosts-file.net
  7. User picture
    • paul g on Thu 04 Jun 2009
    • 03:03:57 PM UTC

    hpHosts, and MVPS Hosts

    Hi, MysteryFCM. You got it i reset Hostsxpert to MVPS host file. Then after running round i reset SpywareBlaster on both PCs and all seems well again i will leave Hostxpert update from hphosts till tomorrow im gettin a headache.

    THANKYOU ALL FOR YOUR TIME AND HELP........cheers........p............

    If You Dont Ask You Will Never Know..
    • User picture
      • MysteryFCM on Thu 04 Jun 2009
      • 07:11:43 PM UTC

      ...

      No problem :o)

      Regards
      Steven Burn
      Ur I.T. Mate Group / hpHosts
      it-mate.co.uk / hosts-file.net