AdClicker-FC and Ultimate Defender, PCCleaner, etc
>>> For several days leading up to today, I had the following symptoms...
- Fake "Spyware Alert" and "Windows Security Alert".
- IE Homepage that I attempted to set was overridden by ...softwarereferral.com... URL that was redirected to Ultimate Defender, Ultimate PCCleaner sites and the like.
- I detected a registry Start Page pointer to softwarereferral.com.
- I have not knowingly chosen to install any of these software offers.
- I found no evidence that Ultimate Defender, etc was "installed", i.e. no presence in "Add/Remove Programs" and no obvious evidence in "Program Files" directory.
- These Ultimate web pages say they're running a scan but there is never any listing of findings such as are shown in the bleepingcomputer doc about Ultimate Defender, PCCleaner.
- McAfee AntiVirus 10.0 w/latest engine, dat files (from late last week) did not detect.
- It was annoying but I kept the problem at bay and kept my PC usable by minimizing the fake alerts and bogus website windows ... waiting until I had some time to work on it.
>>> Today the VirusScan DAT file was updated to version 5122 (Build: 10.0.27 Engine 5100). Symptoms have changed...
- McAfee detects AdClicker-FC infection in "Documents and Settings ... \local settings\temp\ac8zt2\nsduo.dll"
- McAfee deletes nsduo.dll and all other files in the ac8zt2 folder, terminates all IE instances, and refreshes the desktop and screen.
- I confirmed that the files have in fact been deleted.
- Some minutes later this scenario is repeated, presumably because there is a program running that is rewriting those files. IE is rendered essentially unusable.
- There are now no Fake alerts or Ultimate Defender, PCCleaner web pages shown, but, I suppose that may simply be due to the repeated detection/deletion of files described above.
- The registry Start Page pointer to softwarereferral.com no longer exists.
Friends have recommended SPYBOT and I've seen the SmitfraudFix recommendations in these forums. I'm not that jazzed about using freeware and am kind of wondering why McAfee and/or Norton haven't provided such tools.
At any rate I'm looking for guidance specific to my problem and will then decide whether to attempt to remedy myself or hire an expert :-).
RE: AdClicker-FC and Ultimate Defender, PCCleaner, etc
BTW, I have a System Restore point from the day before I first experienced the infection. Would restoring to that point be at all likely to solve the problem? The reason I haven't already tried that is that there have been a couple Windows Updates completed since then and I'm not sure what will happen to them.
On 09/20, the day after my previous append, the Fake alerts and Ultimate Defender, PCCleaner web page symptoms resumed. I used the following techniques to reduce the impact/annoyance and to buy some time.
1. Used Task Manager to minimize those Fake Alert and Ultimate Defender, PCCleaner Web Page windows.
2. Created a desktop icon pointing to my desired homepage to bypass the overwritten home page in Internet Options.
3. Stopped the repeating AdClicker-FC detection and file deletions that were breaking IE by blocking the IP address 18.104.22.168 that an instance of SVC Host was connecting to.
I ran Adaware somewhere along the way. It found a few things but did not fix any of the viruses I have reported.
The symptoms persisted until somewhere around the end of the first week of October. It seems that around that time, McAfee began to "catch up" with the particular versions of virus that had infected my machine. For the last 2-3 weeks I have seen no evidence/symptoms of these or any other viruses active on my machine.
From what you have said I do not believe the infection is gone, only hiding.
You have not removed files/folders and registry entries; as for the DNS address, that belongs to somewhere in Russia (most likely fake). They can use more than one IP address even though you have blocked 22.214.171.124. At best what you have described is a workaround and those infections are still onboard.
If you had followed my advice on the 19-9 you would have been sure you were clean; I would advise you to follow those steps.