Stone Esquire
Geordieclare
Posts: 4
Registered: ‎05-04-2012
Accepted Solution

serw.clicksor.com popups and unusual image on TrendMicro site

Hi, I came to this site to check my computer over after starting to get a lot of popups from http://serw.clicksor.com.  They started right after I installed a Firefox extension (which I believed was a new Pinterest toolbar).

I've run Housecall and RUBotted and found nothing so far.  I also have Avast doing a full system scan right now.  What is concerning me most is the unusual image that appears on http://housecall.trendmicro.com/uk/index.html when I click the START SCAN button.  It looks suspicious and I thought I'd check if this is normal or if there is some sort of hijacking going on?

Here is a screen capture of what I get when I click on start scan:

housecallscreencap.PNG

As well as the image appearing, the only links on the page that appear to function are the "Tweetern" (odd that it's foreign), "Like" and "inShare" buttons.  I can't even click on any of the links at the top for support as they become disabled.

The only way I was able to run Housecall without this appearing was to right-click and open in new tab.

Can someone please tell me if this is normal for the site and if not, could it be related to my sudden clicksor popups problem?  Also, how should I go about fixing this?

Many thanks,

Clare

Epic Talent
malwarekiller
Posts: 3,835
Registered: ‎08-08-2011

Re: serw.clicksor.com popups and unusual image on TrendMicro site

Welcome aboard!

Please download GooredFix from the link below and save it to your Desktop.
GooredFix

  • Ensure all Firefox windows are closed.
  • To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista/Win 7).
  • When prompted to run the scan, click Yes.
  • GooredFix will check for infections, and then a log will appear.
  • Please attach the Goored.txt log to your next reply (it can be found on your desktop).

NEXT

Please download Malwarebytes' Anti-Malware from Here

Double-click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

FINALLY

As an additional step it's recommended that you download other free anti-malware software from the list below and run a full system scan:

—————
Was this post helpful? Say “thanks” by giving me a “Kudo”!
Was your question answered or issue solved? Mark that post as an “Accepted Solution”!
Stone Esquire
Geordieclare
Posts: 4
Registered: ‎05-04-2012

Re: serw.clicksor.com popups and unusual image on TrendMicro site

Thank you very much for your help.  I've done as you suggested and here are the log files attached.  Unfortunately Malwarebytes didn't detect anything malicious.

Malwarebytes Anti-Malware (Trial) 1.61.0.1400
www.malwarebytes.org

Database version: v2012.05.04.03

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 8.0.7601.17514
Clare :: CLARE-TOSH [administrator]

Protection: Enabled

04/05/2012 16:01:45
mbam-log-2012-05-04 (16-01-45).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 220761
Time elapsed: 6 minute(s), 5 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

GooredFix by jpshortstuff (03.07.10.1)
Log created at 15:56 on 04/05/2012 (Clare)
Firefox version 11.0 (en-GB)

========== GooredScan ==========


========== GooredLog ==========

C:\Program Files (x86)\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [11:09 08/07/2011]

C:\Users\Clare\Application Data\Mozilla\Firefox\Profiles\1pwpd5do.default\extensions\
ext@sprng.me [14:52 02/03/2012]
{b9db16a4-6edc-47ec-a1f4-b86292ed211d} [07:51 30/03/2012]
{d91a2be6-3b56-4dfb-97f5-5e48fe3ed473} [17:53 19/07/2011]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"wrc@avast.com"="C:\Program Files\AVAST Software\Avast\WebRep\FF" [05:24 10/08/2011]
"web2pdfextension@web2pdf.adobedotcom"="C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Browser\WCFirefoxExtn" [15:44 09/12/2011]

-=E.O.F=-
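
An added example, not part of the original thread: a small Python parser for the GooredFix log format posted above that lists each extension entry by how long before the log its bracketed stamp falls, which is a quick way to check a report that popups began right after an extension was installed. It assumes the stamps are HH:MM DD/MM/YYYY (consistent with the log header and the Malwarebytes log date) and that a stamp reflects when the entry was added or last changed; the function names are hypothetical.

```python
import re
from datetime import datetime

# Sample input: entries copied from the GooredFix log in the post above,
# with banner and blank lines dropped.
SAMPLE_LOG = r"""Log created at 15:56 on 04/05/2012 (Clare)
C:\Program Files (x86)\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [11:09 08/07/2011]
C:\Users\Clare\Application Data\Mozilla\Firefox\Profiles\1pwpd5do.default\extensions\
ext@sprng.me [14:52 02/03/2012]
{b9db16a4-6edc-47ec-a1f4-b86292ed211d} [07:51 30/03/2012]
{d91a2be6-3b56-4dfb-97f5-5e48fe3ed473} [17:53 19/07/2011]
[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"wrc@avast.com"="C:\Program Files\AVAST Software\Avast\WebRep\FF" [05:24 10/08/2011]
"web2pdfextension@web2pdf.adobedotcom"="C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Browser\WCFirefoxExtn" [15:44 09/12/2011]
"""

FMT = "%H:%M %d/%m/%Y"  # assumption: stamps are HH:MM DD/MM/YYYY
STAMP = re.compile(r"^(?P<entry>.+?) \[(?P<t>\d{2}:\d{2} \d{2}/\d{2}/\d{4})\]$")
CREATED = re.compile(r"^Log created at (\d{2}:\d{2}) on (\d{2}/\d{2}/\d{4})")

def parse_goored(text):
    """Return (log_created, rows); rows are (stamp, location, ext_id), newest first."""
    created, location, rows = None, None, []
    for line in map(str.strip, text.splitlines()):
        if m := CREATED.match(line):
            created = datetime.strptime(f"{m[1]} {m[2]}", FMT)
        elif m := STAMP.match(line):
            # Registry entries are "id"="path"; folder entries are the bare id.
            ext_id = m["entry"].split('"="')[0].strip('"')
            rows.append((datetime.strptime(m["t"], FMT), location, ext_id))
        elif line.endswith("\\") or line.startswith("[HKEY_"):
            location = line  # section header: extensions folder or registry key
    return created, sorted(rows, key=lambda r: r[0], reverse=True)

def stamped_within(text, days):
    """Entries whose stamp is at most `days` days older than the log itself."""
    created, rows = parse_goored(text)
    if created is None:
        raise ValueError("no 'Log created at' line found")
    return [(ext_id, (created - ts).days) for ts, _, ext_id in rows
            if (created - ts).days <= days]

if __name__ == "__main__":
    for ext_id, age in stamped_within(SAMPLE_LOG, 90):
        print(f"{age:3d} days before the log: {ext_id}")
```

A recent stamp only narrows down which entries to look at first; it does not by itself show that an extension is unwanted.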

Epic Talent
malwarekiller
Posts: 3,835
Registered: ‎08-08-2011

Re: serw.clicksor.com popups and unusual image on TrendMicro site

As an additional step it's recommended that you download other free anti-malware software from the list below and run a full system scan:

Stone Esquire
Geordieclare
Posts: 4
Registered: ‎05-04-2012

Re: serw.clicksor.com popups and unusual image on TrendMicro site

Thank you for that.  I ran the first two programs and ESET found a few threats which it removed.  So far it seems to have stopped the popups, but there is still the unusual image on the Housecall page that I mentioned in my original post.  Is this normal?

For your reference, this is what ESET found:

C:\Users\Clare\AppData\Local\Mozilla\Firefox\Profiles\1pwpd5do.default\Cache\2\E1\BF5F2d01    HTML/ScrInject.B.Gen virus    deleted - quarantined
C:\Users\Clare\AppData\Local\Mozilla\Firefox\Profiles\1pwpd5do.default\Cache\B\E0\02882d01    HTML/ScrInject.B.Gen virus    deleted - quarantined
C:\Users\Clare\AppData\Local\Mozilla\Firefox\Profiles\1pwpd5do.default\Cache\D\D7\FBBECd01    HTML/ScrInject.B.Gen virus    deleted - quarantined

Epic Talent
malwarekiller
Posts: 3,835
Registered: ‎08-08-2011

Re: serw.clicksor.com popups and unusual image on TrendMicro site

Go ahead and download and run a full scan with SuperAntiSpyware. The Housecall issue is normal.

Stone Esquire
Geordieclare
Posts: 4
Registered: ‎05-04-2012

Re: serw.clicksor.com popups and unusual image on TrendMicro site

Thank you for all your help, I think ESET fixed the problem.  Superantispyware only found cookies.

Epic Talent
malwarekiller
Posts: 3,835
Registered: ‎08-08-2011

Re: serw.clicksor.com popups and unusual image on TrendMicro site

You're welcome! Keep safe.
