ackthbbft Posted February 17, 2010 ID:201483

On Monday, I performed a simple search for a kitchen appliance review: "foodsaver v3840 v3860". The top Google search result was for "retrevo.com", which actually took me to "mytrevo", after which I saw an odd "Updating" message appear in my taskbar, followed by a rogue antivirus app suddenly appearing over my already-running AVG window. Going back to the page caused it to reload with a Canadian Pharmacy site. (This really pisses me off, because we know companies pay Google to be rated at the top of searches, so basically retrevo paid Google to infect me.)

I suspect a Flash exploit caused it to load simply by inadvertently mousing over it, without even clicking anything, but I really can't be sure. I know I didn't click anything, though.

Here's the interesting part. I was using a Guest account (named simply "Bill") running Firefox at the time of infection, but after running MalwareBytes to clean the infection (which at the time showed 8 hits, but the log only shows 1), Firefox still works, but IE and Chrome do not (they load, but can't connect to any sites I try to access). This is only on the Guest account, however. My admin account has no problems connecting to any sites using IE or Chrome.

Here are the important parts of the log file:

Malwarebytes' Anti-Malware 1.44
Database version: 3741
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

2/15/2010 11:40:04 AM
mbam-log-2010-02-15 (11-40-04).txt

Scan type: Full Scan (C:\|)
Objects scanned: 223383
Time elapsed: 1 hour(s), 27 minute(s), 0 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 8

Files Infected:
C:\Documents and Settings\Bill\Local Settings\Application Data\mcxpmw\bwinsftav.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bill\Local Settings\Temp\2C.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bill\Local Settings\Temp\2D.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bill\Local Settings\Temp\30.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bill\Local Settings\Temp\uJpC.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bill\Local Settings\Temp\ktLL.dll (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bill\Local Settings\Temporary Internet Files\Content.IE5\2XCDIHAD\eHfffd8b5cV0100f036002R8bf228e3102Tb48401f6Q00000000901801F002a000aJ11000601l0409Ke5aea8d230dP000001080 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bill\Local Settings\Temporary Internet Files\Content.IE5\2XCDIHAD\eU230d9c2eHfffd8b5cV0100f036002Rc4d61207102Tb484011dQ00000000901801F002a000aJ11000601l0409K70987d2730dP000001080 (Trojan.Dropper) -> Quarantined and deleted successfully.

Did MalwareBytes somehow kill IE and Chrome on the Guest account when it cleaned the infection?

My next question may be off-topic, but still related to the overall trojan/rogueAV subject. My coworker (a top-notch IT genius and MENSA member) said he just had to format 26 PCs at his home (don't ask why he has so many, because I didn't ask), because he got hit with a rogue app again, as well (unknown if it is the same one I was hit with), and he is under the impression that the latest rogues will actually rewrite MalwareBytes to download fake definition updates, making you think you are clean but actually still infected. Is there any weight behind this? Should I reformat/reimage? If not, should I just delete the existing Guest account and create a new one to get IE and Chrome working again?
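Added check, not part of this post or any reply to it: the failure described above is confined to one user account and to the two browsers that honour the per-user Windows Internet Settings (IE and Chrome), while Firefox keeps its own proxy configuration. Before deleting the account, a responder would therefore inspect that user's WinINET proxy values and the user's Run key for leftovers pointing at the same Temp and Local Settings\Application Data directories the scan log lists. The PowerShell below is an editor-written example; it assumes it is run while logged on as the affected user (the keys live under HKEY_CURRENT_USER), and the -Fix switch is an assumed remedy that only clears a proxy or PAC setting.

```powershell
# Added example (not from the original post or Malwarebytes): inspect the
# per-user WinINET proxy settings that Internet Explorer and Chrome use on
# Windows, and list per-user autostart entries that point into the
# directories named in the scan log. Run as the affected user, because both
# keys live under HKEY_CURRENT_USER. The -Fix switch is an assumption about
# the remedy (clear proxy/PAC); it does not touch the Run key.
param([switch]$Fix)

$inetKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$runKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'

# --- 1. Per-user proxy / PAC settings -------------------------------------
$p = Get-ItemProperty -Path $inetKey
$findings = @()
if ($p.ProxyEnable -eq 1) { $findings += "ProxyEnable=1, ProxyServer='$($p.ProxyServer)'" }
if ($p.AutoConfigURL)     { $findings += "AutoConfigURL='$($p.AutoConfigURL)'" }

if ($findings.Count -eq 0) {
    Write-Host "No per-user proxy or PAC setting under $inetKey"
} else {
    Write-Host "Per-user proxy settings present (IE and Chrome will use these):"
    $findings | ForEach-Object { Write-Host "  $_" }
    if ($Fix) {
        Set-ItemProperty    -Path $inetKey -Name ProxyEnable   -Value 0 -Type DWord
        Remove-ItemProperty -Path $inetKey -Name ProxyServer   -ErrorAction SilentlyContinue
        Remove-ItemProperty -Path $inetKey -Name AutoConfigURL -ErrorAction SilentlyContinue
        Write-Host "Cleared proxy/PAC values; restart IE and Chrome and retest."
    }
}

# --- 2. Per-user autostart entries in suspicious locations ------------------
# The scan log above quarantined files under Local Settings\Temp and
# Local Settings\Application Data; a Run value still pointing there would
# mean a launcher survived the cleanup (or points at a now-missing file).
$suspectDirs = @('\Local Settings\Temp\', '\Local Settings\Application Data\')
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run) {
    foreach ($prop in $run.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }          # skip PSPath etc.
        $cmd = [string]$prop.Value
        foreach ($d in $suspectDirs) {
            if ($cmd -like "*$d*") {
                Write-Host "Run entry '$($prop.Name)' -> $cmd  (points into $d)"
            }
        }
    }
} else {
    Write-Host "No per-user Run key found."
}
```

Run it once without -Fix to see what is set; if ProxyEnable or AutoConfigURL is populated on the Guest account but not on the admin account, that difference matches the symptom of IE and Chrome failing while Firefox works. A Run entry whose target no longer exists is also worth noting, since an autostart pointing at a quarantined file explains nothing by itself but shows which launcher the rogue used.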