04-19-2012 01:21 PM
Sanyo2012
The script is not for your machine.
A lot of people who have this redirect also have zeroaccess but it has been removed already or it's hiding from AV software.
Quads
04-21-2012 04:53 AM
Quads,
Thank you for posting the information about OTI and your script. I used both and have removed the problem that was in the beginning of this thread. The popup was becoming very annoying. I have the log file that was created when I first installed OTI; I didn't know if that was relevant to you or anyone else, or would help in eliminating this problem.
Thanks again
04-21-2012 05:17 AM
04-21-2012 07:48 AM
Blocking this in Internet Explorer worked for me:
Go to My Computer, Control Panel, Internet Options, Content tab, click Enable under Content Advisor, click the Approved Sites tab, in "Allow this website" type http://www.google-analytics.com/ga.js, then click Never, and Apply.
04-21-2012 01:09 PM - edited 04-21-2012 01:11 PM
Marissa wrote: Blocking this in Internet Explorer worked for me:
Go to My Computer, Control Panel, Internet Options, Content tab, click Enable under Content Advisor, click the Approved Sites tab, in "Allow this website" type [REMOVED], then click Never, and Apply.
Except you are still basically infected. Blocking a problem does not fix it. Then again, some people don't mind still having the problem on their PC as long as they don't see it.
As long as users don't see your "fix" as a fix, because it is NOT. So ignore the above instructions!!!! Users doing so will still have the settings for the infection on their systems, let alone if you have zeroaccess in behind that.
Quads
04-21-2012 04:16 PM
Quads,
Can you help me get rid of this thing? It's back. I saw where you said that the script was specific to that particular machine. I have OTI installed on my machine. What can I do?
Thanks in advance
04-21-2012 06:15 PM
You need your own thread.
Quads
04-21-2012 07:57 PM - edited 04-21-2012 07:58 PM
Geez, scripts are for the system they are intended for, yet everyone is using it, even if they have zeroaccess in behind instead (or also), or a slightly different redirect. For instance, from one machine:
O1 HOSTS File: ([2012/03/15 01:20:56 | 000,001,395 | RHS- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O1 - Hosts: 149.5.18.172 xxx.google-analytics.com.
O1 - Hosts: 149.5.18.172 ad-emea.doubleclick.net.
O1 - Hosts: 149.5.18.172 xxx.statcounter.com.
O1 - Hosts: 108.163.215.51 xxx.google-analytics.com.
O1 - Hosts: 108.163.215.51 ad-emea.doubleclick.net.
O1 - Hosts: 108.163.215.51 xxx.statcounter.com.
but the system has also got:
aswMBR.txt:
aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-03-25 05:11:06
-----------------------------
05:11:06.004 OS Version: Windows x64 6.1.7601 Service Pack 1
05:11:06.004 Number of processors: 8 586 0x1E05
05:11:06.005 ComputerName: ALEX-NEW UserName: Alex
05:11:06.871 Initialize success
05:12:13.158 AVAST engine defs: 12032401
05:12:25.004 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
05:12:25.006 Disk 0 Vendor: Intel___ 1.0. Size: 1907734MB BusType: 8
05:12:25.008 Disk 1 \Device\Harddisk1\DR1 -> \Device\Ide\IAAStorageDevice-0
05:12:25.010 Disk 1 Vendor: WDC_WD64 01.0 Size: 610480MB BusType: 8
05:12:25.012 Disk 0 MBR read successfully
05:12:25.014 Disk 0 MBR scan
05:12:25.018 Disk 0 Windows 7 default MBR code
05:12:25.021 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048
05:12:25.023 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 1907632 MB offset 206848
05:12:25.074 Disk 0 scanning C:\Windows\system32\drivers
05:12:38.047 Service scanning
05:12:46.528 Service maxbackserviceint C:\Windows\system32\oracleorahome90agent.dll **INFECTED** Win64:Sirefef-E [Trj]
05:13:02.811 Modules scanning
05:13:02.825 Disk 0 trace - called modules:
05:13:02.900 ntoskrnl.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll
05:13:02.931 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa800c98f790]
05:13:02.935 3 CLASSPNP.SYS[fffff88001b7543f] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa800a93e050]
05:13:04.016 AVAST engine scan C:\Windows
05:13:06.689 AVAST engine scan C:\Windows\system32
05:13:08.499 File: C:\Windows\system32\amfilter.dll **INFECTED** Win64:Sirefef-E [Trj]
05:13:10.368 File: C:\Windows\system32\asc3350p.dll **INFECTED** Win64:Sirefef-E [Trj]
05:13:10.459 File: C:\Windows\system32\ASUSVRC.dll **INFECTED** Win64:Sirefef-E [Trj]
05:13:13.163 File: C:\Windows\system32\AVCamUSB20.dll **INFECTED** Win64:Sirefef-E [Trj]
05:13:13.210 File: C:\Windows\system32\avgfwsrv.dll **INFECTED** Win64:Sirefef-E [Trj]
05:13:13.734 File: C:\Windows\system32\bb-run.dll **INFECTED** Win64:Sirefef-E [Trj]
05:13:15.962 File: C:\Windows\system32\bwcsrv.dll **INFECTED** Win64:Sirefef-E [Trj]
05:13:20.788 File: C:\Windows\system32\consrv.dll **INFECTED** Win32:Sirefef-JQ [Trj]
05:13:22.067 File: C:\Windows\system32\CT20XUT.DLL.dll **INFECTED** Win64:Sirefef-E [Trj]
05:13:32.685 File: C:\Windows\system32\dlapoolm.dll **INFECTED** Win64:Sirefef-E [Trj]
05:13:32.957 File: C:\Windows\system32\dmload.dll **INFECTED** Win64:Sirefef-E [Trj]
05:13:37.027 File: C:\Windows\system32\EAWDMFD.dll **INFECTED** Win64:Sirefef-E [Trj]
05:13:43.720 File: C:\Windows\system32\hmonitor.dll **INFECTED** Win64:Sirefef-E [Trj]
05:13:48.119 File: C:\Windows\system32\ino_flpy.dll **INFECTED** Win64:Sirefef-E [Trj]
05:13:48.154 File: C:\Windows\system32\inport.dll **INFECTED** Win64:Sirefef-E [Trj]
05:13:48.372 File: C:\Windows\system32\iPassPeriodicUpdateApp.dll **INFECTED** Win64:Sirefef-E [Trj]
05:13:56.849 File: C:\Windows\system32\LXARScan.dll **INFECTED** Win64:Sirefef-E [Trj]
05:13:57.260 File: C:\Windows\system32\MaVctrl.dll **INFECTED** Win64:Sirefef-E [Trj]
05:13:57.714 File: C:\Windows\system32\mcafeeframework.dll **INFECTED** Win64:Sirefef-E [Trj]
05:14:02.352 File: C:\Windows\system32\MRESP50a64.dll **INFECTED** Win64:Sirefef-E [Trj]
05:14:09.124 File: C:\Windows\system32\mvwebserver.dll **INFECTED** Win64:Sirefef-E [Trj]
05:14:19.163 File: C:\Windows\system32\NWHOST.dll **INFECTED** Win64:Sirefef-E [Trj]
05:14:21.082 File: C:\Windows\system32\oracleorahome90agent.dll **INFECTED** Win64:Sirefef-E [Trj]
05:14:21.136 File: C:\Windows\system32\osaio.dll **INFECTED** Win64:Sirefef-E [Trj]
05:14:21.356 File: C:\Windows\system32\OVT511Plus.dll **INFECTED** Win64:Sirefef-E [Trj]
05:14:24.075 File: C:\Windows\system32\pmem.dll **INFECTED** Win64:Sirefef-E [Trj]
05:14:29.823 File: C:\Windows\system32\rchost.dll **INFECTED** Win64:Sirefef-E [Trj]
05:14:33.370 File: C:\Windows\system32\RTL8023xp.dll **INFECTED** Win64:Sirefef-E [Trj]
05:14:34.050 File: C:\Windows\system32\s116mgmt.dll **INFECTED** Win64:Sirefef-E [Trj]
05:14:36.077 File: C:\Windows\system32\se59nd5.dll **INFECTED** Win64:Sirefef-E [Trj]
05:14:38.812 File: C:\Windows\system32\slabser.dll **INFECTED** Win64:Sirefef-E [Trj]
05:14:39.325 File: C:\Windows\system32\smbusp.dll **INFECTED** Win64:Sirefef-E [Trj]
05:14:39.848 File: C:\Windows\system32\sony_ssm.sys.dll **INFECTED** Win64:Sirefef-E [Trj]
05:14:40.185 File: C:\Windows\system32\spcstb.dll **INFECTED** Win64:Sirefef-E [Trj]
05:14:42.707 File: C:\Windows\system32\sscdmdm.dll **INFECTED** Win64:Sirefef-E [Trj]
05:14:43.424 File: C:\Windows\system32\stylexphelper.dll **INFECTED** Win64:Sirefef-E [Trj]
05:14:43.637 File: C:\Windows\system32\SWNC8U51.dll **INFECTED** Win64:Sirefef-E [Trj]
05:14:43.923 File: C:\Windows\system32\symfw.dll **INFECTED** Win64:Sirefef-E [Trj]
05:14:43.968 File: C:\Windows\system32\symmpi.dll **INFECTED** Win64:Sirefef-E [Trj]
05:14:49.811 File: C:\Windows\system32\ulcdrhlp.dll **INFECTED** Win64:Sirefef-E [Trj]
05:14:50.976 File: C:\Windows\system32\usbvm321.dll **INFECTED** Win64:Sirefef-E [Trj]
05:14:52.640 File: C:\Windows\system32\vhidmini.dll **INFECTED** Win64:Sirefef-E [Trj]
05:14:53.836 File: C:\Windows\system32\w200bus.dll **INFECTED** Win64:Sirefef-E [Trj]
05:15:01.608 File: C:\Windows\system32\wmiaprpl.dll **INFECTED** Win64:Sirefef-E [Trj]
05:15:02.013 File: C:\Windows\system32\wmp54gssvc.dll **INFECTED** Win64:Sirefef-E [Trj]
05:15:02.565 File: C:\Windows\system32\wmpnetworksvc.dll **INFECTED** Win64:Sirefef-E [Trj]
05:15:19.333 File: C:\Windows\assembly\GAC_32\Desktop.ini **INFECTED** Win32:Sirefef-PL [Rtk]
05:15:22.955 File: C:\Windows\assembly\GAC_64\Desktop.ini **INFECTED** Win32:Sirefef-PL [Rtk]
05:18:09.361 File: C:\Windows\assembly\tmp\loader.tlb **SUSPICIOUS**
05:18:09.465 File: C:\Windows\assembly\tmp\U\00000001.@ **SUSPICIOUS**
05:18:09.579 File: C:\Windows\assembly\tmp\U\000000c0.@ **SUSPICIOUS**
05:18:09.659 File: C:\Windows\assembly\tmp\U\000000cb.@ **SUSPICIOUS**
05:18:09.723 File: C:\Windows\assembly\tmp\U\000000cb.@ **INFECTED** Other:Malware-gen
05:18:09.732 File: C:\Windows\assembly\tmp\U\000000cf.@ **SUSPICIOUS**
05:18:09.772 File: C:\Windows\assembly\tmp\U\80000000.@ **SUSPICIOUS**
05:18:09.859 File: C:\Windows\assembly\tmp\U\800000c0.@ **SUSPICIOUS**
05:18:09.878 File: C:\Windows\assembly\tmp\U\800000c0.@ **INFECTED** Win32:Sirefef-PL [Rtk]
05:18:09.931 File: C:\Windows\assembly\tmp\U\800000cb.@ **SUSPICIOUS**
05:18:09.941 File: C:\Windows\assembly\tmp\U\800000cb.@ **INFECTED** Win32:Malware-gen
05:18:09.954 File: C:\Windows\assembly\tmp\U\800000cf.@ **SUSPICIOUS**
05:18:09.973 File: C:\Windows\assembly\tmp\U\800000cf.@ **INFECTED** Win32:Malware-gen
05:18:09.985 File: C:\Windows\assembly\tmp\{1B372133-BFFA-4dba-9CCF-5
05:18:10.509 AVAST engine scan C:\Windows\system32\drivers
05:18:25.767 AVAST engine scan C:\Users\Alex
05:28:03.355 Disk 0 MBR has been saved successfully to "C:\Users\Alex\Desktop\MBR.dat"
05:28:03.697 The log file has been saved successfully to "C:\Users\Alex\Desktop\aswMBR.txt"
So for the standard user, using the browser to block the redirect works for that symptom only. "Yay, that fixed it for me," and users go away without completely checking their system for the likes of the above.
Quads
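As an added defender-side example (not something posted in this thread), a small Python check that parses a hosts file, or the OTL "O1 - Hosts:" lines quoted above, and flags hostnames that are pointed at public addresses the way google-analytics, doubleclick and statcounter are in Quads' listing. The sample input is constructed from the entries quoted above; the function names are my own.

```python
import ipaddress

# Constructed sample modelled on the OTL "O1 - Hosts" entries quoted in the thread.
SAMPLE_HOSTS = """\
127.0.0.1 localhost
::1 localhost
149.5.18.172 xxx.google-analytics.com.
149.5.18.172 ad-emea.doubleclick.net.
149.5.18.172 xxx.statcounter.com.
108.163.215.51 xxx.google-analytics.com.
108.163.215.51 ad-emea.doubleclick.net.
108.163.215.51 xxx.statcounter.com.
"""


def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file text.

    Comments and blank lines are skipped, and OTL-style lines prefixed with
    'O1 - Hosts:' are accepted as well as raw hosts-file lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("O1 - Hosts:"):
            line = line[len("O1 - Hosts:"):].strip()
        parts = line.split()
        if len(parts) < 2:
            continue
        for name in parts[1:]:
            entries.append((parts[0], name))
    return entries


def is_benign_target(ip):
    """Loopback, unspecified, private and link-local targets are the normal
    uses of a hosts file (blocking or LAN naming); anything else is routable."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # unparseable address: treat as not benign
    return addr.is_loopback or addr.is_unspecified or addr.is_private or addr.is_link_local


def find_hijacks(text):
    """Return entries that send a non-localhost name to a routable address.

    That is the redirect pattern in the thread: third-party domains mapped
    to a public IP, so the browser fetches the attacker's content instead."""
    suspicious = []
    for ip, name in parse_hosts(text):
        host = name.rstrip(".").lower()  # the hijacked entries carry a trailing dot
        if host == "localhost" or is_benign_target(ip):
            continue
        suspicious.append((ip, host))
    return suspicious
```

Run against a real hosts file, an empty result means no routable overrides, not a clean machine; as Quads points out, a hosts-file redirect often sits beside other components that this check cannot see.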
04-22-2012 02:04 AM
Quads, thanks for your help. Others seem to be using this even though the fix is custom, so I hope they will not damage their environment. Maybe Norton will wake up and realize a need to block these useless pain-in-the-butt "add-ons".
This Recommended for you pest is just that, a mosquito, it is not damaging.
Thanks again.
04-22-2012 02:46 AM
Hi TGS949,
Please understand that although your problem seems to be solved, Quads may have further instructions for you.
People who run scripts on their machines that are not written specifically for their system are asking for trouble and will be lucky to receive any help.
Cheers, Dave.
Windows 7 x64 SP1 N360v20.3.1.22 NU16 SSR 2013 Secunia PSI SpywareBlaster NoScript MBAM free SAS free
