I removed a malware (I think?)

[Jackson]

Win xp (mce) with all updates.

I saw an ad on TV about an ointment that is reported to
protect your cuts and scrapes against MRSA
(Methicillin-resistant Staphylococcus aureus) and looked it
up on the web. The page offers a three-dollar coupon. I
tried to download the coupon and was told by the ointment
vendor that I had to add a plugin first that would permit my
printer to display bar codes.

This I did, and the coupon printed out.

The next time I used the computer I could not connect with
the web in general. My Firefox 5.0 and IE would permit me
to connect with atomic clock, but when I tried to read
Drudge (and other pages) I got a msg saying the computer
could not connect with addresses starting with HTTP, and a
list of other Hxxx urls.

I thought maybe that somebody had screwed with my HOSTS
file, but could not find anything wrong there.

I thought something was wrong with my ISP, so I went online
with my wife's laptop, which connects through the same
router as my regular machine. The laptop worked perfectly,
so the problem was not at the ISP.

I took my desktop into safe mode and ran Spybot SD. It
found seven problem cookies all listed under the heading
"Coupon". Spybot removed six of them, reporting that it
could not remove the last one.

I ran Malwarebytes'antimalware program and it found one
problem item, evidently the one Spybot couldn't remove.
Malwarebytes could not remove it either, but told me how to
remove it myself.

Following instructions I navigated in the registry to:
currentuser\software\microsoft\windows\ ->
currentversion\ext\stats\ -.
[9522b3fb -7a2b -4646- 8af6 - 36e7f593073c}

The instructions were to close all applications before
removing that line, as it might cause running applications
to misbehave and screw something up.

This I did, and rebooting back into regular mode found that
my internet was now working normally.

I post this in case someone else has problems after printing
a coupon plugin for the ointment. A barcode plugin sounds
kind of fishy anway.

The ointment vender advertises his product on national TV,
so I doubt that he is intentionally spreading malware. But
I felt that this should be posted somewhere.

FWIW


Jack from Taxacola (formerly Pensacola), FL

 

[1PW]

Jackson wrote:

Major snip...

This I did, and rebooting back into regular mode found that
my internet was now working normally.

I post this in case someone else has problems after printing
a coupon plugin for the ointment. A barcode plugin sounds
kind of fishy anway.

The ointment vender advertises his product on national TV,
so I doubt that he is intentionally spreading malware. But
I felt that this should be posted somewhere.

FWIW


Jack from Taxacola (formerly Pensacola), FL

Good story! I hope this close call has you thinking about your backup
situation which you failed to mention.

You may wish to follow-up MBAM with a SAS run in Safe Mode:

<http://www.superantispyware.com/>

As you will undoubtedly notice, MBAM & SAS come in two flavors each
and although you will still see that we still like the major thrust of
Spybot-S&D, it isn't updated frequently enough for the likes of some.

By upgrading MBAM & SAS to their paid for versions, you upgrade to
real-time lifetime protection that's updated several times per day.

It might have been helpful to many if you had listed all the
infections and the URL (obfuscated) where you believe you downloaded
the infections for addition to the HOSTS file.

What are you doing for antivirus protection?

Congratulations on your self help adventure.

Best regards,

 

[Dustin Cook]

Jackson wrote:

Major snip...


Good story! I hope this close call has you thinking about your backup
situation which you failed to mention.

You may wish to follow-up MBAM with a SAS run in Safe Mode:

<http://www.superantispyware.com/>

As you will undoubtedly notice, MBAM & SAS come in two flavors each
and although you will still see that we still like the major thrust of
Spybot-S&D, it isn't updated frequently enough for the likes of some.

By upgrading MBAM & SAS to their paid for versions, you upgrade to
real-time lifetime protection that's updated several times per day.

It might have been helpful to many if you had listed all the
infections and the URL (obfuscated) where you believe you downloaded
the infections for addition to the HOSTS file.

What are you doing for antivirus protection?

Congratulations on your self help adventure.

Best regards,

Everything said above; times two. He did well.

 

[Jackson]

/../

It might have been helpful to many if you had listed all the
infections and the URL (obfuscated) where you believe you downloaded
the infections for addition to the HOSTS file.

What are you doing for antivirus protection?

Congratulations on your self help adventure.

Best regards,

Thanks for responding; I'll take your advice. Right now I
use Zonealarm fire wall and AVG free 8.0.

The product advertised is Staphaseptic. I believe they are
legit bacause so many large chains carry the product.

I googled the name and it led me to their page which was
given the little green check mark by Firefox, which I
thought means that the page is safe (?). Along with info
about their product was an offer of a three dollar coupon.

I clicked on the coupon was was told my printer needed a
plugin in order to be able to print the bar code. At the
time, this seemed plausible, but thinking about it, why in
the world would a Lexmark Z25 need a plugin to print a bar
code.

Anyway they sent me seven infections. According to Spybot SD
they consisted of three ID class, one library class, two
interface class and one root class. I don't really know
what all that means.

Malwarebytes identified their one item as Adware.Coupon
registry key.

Do you happen to know what adware.coupon does? Is it just a
tracking cookie? It was on my computer overnight before I
discovered it so it had time to do a lot altho the isp is
shut down most of the night.

I visited the web site again today and could not fine the
offer of a coupon. They must have removed it, or possibly
their legitimate site was hacked.

Would it be smart to change all my passwords?

Thanks for any info.


Jack from Taxacola (formerly Pensacola), FL

 

[FromTheRafters]

Thanks for any info.

http://www.malwarebytes.org/malwarenet.php?name=Adware.Coupons

 

[1PW]

/../

Thanks for responding; I'll take your advice. Right now I
use ZoneAlarm fire wall and AVG free 8.0.

The product advertised is Staphaseptic. I believe they are
legit because so many large chains carry the product.

I googled the name and it led me to their page which was
given the little green check mark by Firefox, which I
thought means that the page is safe (?). Along with info
about their product was an offer of a three dollar coupon.

You would do well to upgrade/update your browser's security and
reputation plugins.

I clicked on the coupon was was told my printer needed a
plugin in order to be able to print the bar code. At the
time, this seemed plausible, but thinking about it, why in
the world would a Lexmark Z25 need a plugin to print a bar
code.

That's where you should have re-thought the process again.

Anyway they sent me seven infections. According to Spybot SD
they consisted of three ID class, one library class, two
interface class and one root class. I don't really know
what all that means.

If you have any logs kept from Spybot-S&D, it would be good to
reproduce them in an abbreviate but useful form here.

Malwarebytes identified their one item as Adware.Coupon
registry key.

Are you sure it wasn't plural?

Do you happen to know what adware.coupon does? Is it just a
tracking cookie? It was on my computer overnight before I
discovered it so it had time to do a lot altho the isp is
shut down most of the night.

By themselves, cookies don't /usually/ render harm.

I visited the web site again today and could not fine the
offer of a coupon. They must have removed it, or possibly
their legitimate site was hacked.

The coupon offer /is/ there.

hXXp://bricks.coupons.com/ and/or hXXp://www.staphaseptic.com/may have
been compromised.

Would it be smart to change all my passwords?

Since you haven't given us all the information requested about the
exact infections you experienced, yes. Of course!

I'd even change the date and place of your birth...

In all seriousness, some would have had you flatten & rebuild your
system - still.

Thanks for any info.

I'm sure we all wish you would rethink your whole antimalware strategy
now.

Jack from Taxacola (formerly Pensacola), FL

Regards,

 

[Beauregard T. Shagnasty]

The product advertised is Staphaseptic. I believe they are
legit bacause so many large chains carry the product.

I googled the name and it led me to their page which was

http://www. staphaseptic. com/ ?

given the little green check mark by Firefox, which I
thought means that the page is safe (?). Along with info
about their product was an offer of a three dollar coupon.

I clicked on the coupon was was told my printer needed a
plugin in order to be able to print the bar code.

I clicked on the coupon and was told I was using an unsupported browser,
and that I might borrow someone else's computer who had "Win2K and newer
operating systems running: Internet Explorer 5.5 or newer, Firefox,
Netscape 7 or newer, and most recent AOL or MSN browsers. [or] Macintosh
OSX 10.3 or newer running Safari."

I used Firefox 3.0.13 and an operating system a good deal newer than
Win2K: Linux Ubuntu... No coupon (or malware) for me!

Oh, the coupon is not offered by the site above; it comes from
http://bricks. coupons. com/

Later, just for kicks, I switched my UA string to read IE6.0 on WinXP,
and went back to the coupon page.
"The system cannot find the file specified."

I'd suggest Mercurochrome.

 

[1PW]

The file is couponprinter.exe. VirusTotal gives it a 4 out of 32.
http://www.virustotal.com/analisis/...059e959a2bac6929aa402859544eaa51dd-1250619919

Outstanding! May I please interest you in uploading the file to:

<http://www.uploadmalware.com/>

That is the URL to an international group that will see to it that the
file's fingerprint gets into the databases of much more than the four.

If you do, I can't tell you that the process is quick and you may not
see good movement immediately because the pipeline is long and slow.

Well done!

Thank you.

 

[Duh_OZ]

Ahhh yes, the old plugin download to print a coupon. If anyone was
in the KFC fiasco, a few were complaining that the plugin screwed up
their computer. I think it is just some trojan wannabe? I didn't
google it. For the KFC one, a few vendors flagged it, 'K wouldn't
even let me install it.

Never hurts to rid it after you use it and it looks like you(Jack from
Tax) did a good job on doing so.


BTW, me thinks Jack meant Mozilla 5.0, not Firefox 5.0 :0)