Title: Virus on this Site ???
Description: Are you experiencing the same?
Kenshin - June 6, 2005 01:41 PM (GMT)
Every time I open or refresh this site, my antivirus software detects the following virus:
Virus name : Win32.WinAd.G
Virus type : Trojan/Worm
File Infected: MediaAccx.dll
It's not a big deal since the antivirus deletes it automatically, but I'm just wondering whether you have experienced this too and whether you know of a way to avoid it.
Sorry I'm only posting this now; I thought at first the problem was only on my computer.
Thanks.
Aes Sedai - June 6, 2005 02:16 PM (GMT)
Hmmmmm. I've never experienced this before. Has anybody else experienced this?
What antivirus are you using, pal, and when did you experience this?
Kenshin - June 6, 2005 02:39 PM (GMT)
Just to be on the safe side, try to check your PC for viruses. By the way, here is some info regarding the virus/worm I mentioned earlier:
<start>
Explanation :
Win32.WinAd is a family of trojans that direct users to ad-related sites and download a number of files.
How you get Infected :
When executed, WinAd variants modify the registry so that they can execute at each Windows start. These modifications differ depending on the variant; listed below are the registry values that may be set by WinAd variants:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\<value name> = <path>\<filename.exe>
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\<value name> = %Program Files%\<value name>\<filename.exe>
Notes:
- <value name> can be one of the following depending on the variant:
Windows AdService
Media Access
Media Pass
AdTools Service
- <filename.exe> is the trojan executable name
- %Program Files% is a variable location. The malware determines the location of the current Program Files folder by querying the operating system. A typical location for this folder would be "C:\Program Files".
WinAd variants also create a mutex so that multiple copies of themselves do not execute at the same time. Example mutex names created by the trojan include:
WinAdServ
WinComm
MediaAccess
MediaPass
Some WinAd variants create a folder in the %Program Files% directory and copy themselves to this location. Folders that WinAd may create include:
%Program Files%\Media Access
%Program Files%\Media Pass
%Program Files%\AdTools Service
The trojan drops the file "ide21201.vxd" (4720 bytes) into the %System% folder. This file may be detected by Anti-spyware products as DeskAd.Service.
Note: '%System%' is a variable location. The malware determines the location of the current System folder by querying the operating system. The default installation location for the System directory for Windows 2000 and NT is C:\Winnt\System32; for 95,98 and ME is C:\Windows\System; and for XP is C:\Windows\System32.
The trojan also contains code that allows it to uninstall itself.
Payload :
Redirects Users to Sites
WinAd variants may open the default browser and redirect users to a site on the "windupdates.com" domain. The site displays advertisements for anti-adware and anti-spam products.
Downloads and Executes Files
Some WinAd variants download and execute files from a specific domain. Files are usually downloaded from the "windupdates.com" domain and saved to a folder that the trojan creates. The trojan usually downloads DLLs and executables, which are also detected as WinAd variants. Depending on the variant, files are usually saved to the folder locations mentioned in the Method of Infection section. Examples of the filenames these files are saved under include:
MediaAccess.exe
MediaAcck.exe
MediaAccC.dll
info.txt (a text file containing a user agreement)
Some WinAd variants drop these files instead of downloading them. The following files are dropped into the "%Program Files%\AdTools Service" folder.
AdTool.exe
AdToolsComm.dll
AdToolsKeep.exe
DLLs that are downloaded onto the infected machine are also used to download WinAd variants. Files are downloaded to the same locations as previously mentioned. WinAd DLL components usually set a number of registry values so that they can install themselves onto the system. For example, WinAd.G sets the following registry values:
HKCR\MediaAccX.Installer\(Default) = "MediaAccX.Installer"
HKCR\MediaAccX.Installer\CLSID\(Default) = {unique_id}
HKCR\CLSID\{unique_id}\InprocServer32\(Default) = <path\filename.dll>
HKCR\CLSID\{unique_id}\InprocServer32\ThreadingModel = "Apartment"
Deletes Files
WinAd may delete the following files:
%Windows%\autoexec.bat
%System%\autoexec.nt
Additional Info:
The trojan also creates the following registry key for its own use:
HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\<key name>
Where <key name> can be one of the following depending on the variant:
Windows AdService
Media Access
Media Pass
AdTools Service
<end>
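The quoted write-up lists the persistence points a defender can check on a machine: the Run-key value names the trojan uses, the folder and file names it drops or downloads, and the mutex names it creates. The script below is an added example, written for this thread rather than taken from the post or from any antivirus vendor: it checks a set of Run values, file paths and mutex names against those indicators (plus MediaAccx.dll from the first post). The `SAMPLE_*` data, including the benign "SoundTray" entry, is constructed so the checks run offline; the `winreg` collector is an assumption about how a practitioner would gather live Run values and is only used when the script runs on Windows.

```python
import os
import re
from typing import Dict, Iterable, List, Tuple

# Indicators copied from the write-up quoted above (MediaAccX.dll from the first post).
RUN_VALUE_NAMES = {"Windows AdService", "Media Access", "Media Pass", "AdTools Service"}
DROPPED_FILES = {
    "mediaaccess.exe", "mediaacck.exe", "mediaaccc.dll", "mediaaccx.dll",
    "adtool.exe", "adtoolscomm.dll", "adtoolskeep.exe", "ide21201.vxd",
}
MUTEX_NAMES = {"WinAdServ", "WinComm", "MediaAccess", "MediaPass"}
RUN_SUBKEY = r"Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed sample data so the checks run without a Windows registry.
SAMPLE_RUN_VALUES = {
    "Media Access": r'"C:\Program Files\Media Access\MediaAccess.exe"',
    "Updater": r'"C:\Program Files\AdTools Service\AdTool.exe" /quiet',
    "SoundTray": r"C:\WINDOWS\system32\soundtray.exe /startup",  # constructed benign entry
}
SAMPLE_FILES = [
    r"C:\WINDOWS\system32\ide21201.vxd",
    r"C:\WINDOWS\system32\kernel32.dll",
    r"C:\Program Files\Media Pass\MediaAccX.dll",
]
SAMPLE_MUTEXES = ["MediaPass", "ConstructedBenignMutex"]

# First token of a Run command: either a quoted path or a bare path.
_FIRST_TOKEN = re.compile(r'^\s*(?:"([^"]+)"|(\S+))')


def exe_basename(command: str) -> str:
    """Return the lower-cased file name of the program a Run value launches."""
    m = _FIRST_TOKEN.match(command)
    if not m:
        return ""
    path = m.group(1) or m.group(2)
    # Normalise backslashes so basename() also works when run on non-Windows hosts.
    return os.path.basename(path.replace("\\", "/")).lower()


def scan_run_values(values: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Flag Run values whose name, launched file or folder matches a WinAd indicator.

    Returns (reason, value_name, command) tuples; a clean value yields nothing."""
    hits = []
    for name, command in values.items():
        if name in RUN_VALUE_NAMES:
            hits.append(("value name", name, command))
        elif exe_basename(command) in DROPPED_FILES:
            hits.append(("launched file", name, command))
        elif any(folder.lower() in command.lower() for folder in RUN_VALUE_NAMES):
            hits.append(("folder", name, command))
    return hits


def scan_files(paths: Iterable[str]) -> List[str]:
    """Return the paths whose file name is one of the dropped/downloaded components."""
    return [p for p in paths
            if os.path.basename(p.replace("\\", "/")).lower() in DROPPED_FILES]


def scan_mutexes(names: Iterable[str]) -> List[str]:
    """Return mutex names that match the ones the write-up lists."""
    return [n for n in names if n in MUTEX_NAMES]


def collect_live_run_values() -> Dict[str, str]:
    """On Windows, read the HKLM Run key via winreg; elsewhere return an empty dict."""
    try:
        import winreg  # only available on Windows
    except ImportError:
        return {}
    values: Dict[str, str] = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_SUBKEY) as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:  # no more values under the key
                break
            values[name] = str(data)
            index += 1
    return values


if __name__ == "__main__":
    run_values = collect_live_run_values() or SAMPLE_RUN_VALUES
    for hit in scan_run_values(run_values):
        print("Run value hit (%s): %s = %s" % hit)
    for path in scan_files(SAMPLE_FILES):
        print("Dropped file:", path)
    for mutex in scan_mutexes(SAMPLE_MUTEXES):
        print("Mutex:", mutex)
```

The value-name check is exact because the write-up gives the names verbatim, while the file check keys on the launched executable rather than the value name, since a variant can register under any name but still launches one of the listed components; the folder check catches the `%Program Files%` directories the write-up says the trojan creates. On a live Windows host the Run values come from the registry and the file and mutex lists would be filled from a directory walk and a handle listing respectively.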
The KG - June 6, 2005 02:59 PM (GMT)
To me it looks like spyware that's installing itself on your computer... since this site already has ads, that's possibly the cause... it's probably not really a virus... just make sure you have Ad-Aware and delete your cookies after surfing, just to be safe...
Roi, when did you experience this??? Has it been a while, or just last week? Because we installed a script here last week... I don't know if that was the cause... well, I'll try to remove the script maybe tomorrow... then try again the next day and see if it's still showing the same message about the virus...
If it's still there, Roi, that means the site itself is the problem...
arnskie - June 7, 2005 01:57 AM (GMT)
Huh! A virus on the computer? Is there really such a thing?
Kenshin - June 7, 2005 03:50 AM (GMT)
| QUOTE (The KG @ Jun 6 2005, 11:59 PM) |
To me it looks like spyware that's installing itself on your computer... since this site already has ads, that's possibly the cause... it's probably not really a virus... just make sure you have Ad-Aware and delete your cookies after surfing, just to be safe...
Roi, when did you experience this??? Has it been a while, or just last week? Because we installed a script here last week... I don't know if that was the cause... well, I'll try to remove the script maybe tomorrow... then try again the next day and see if it's still showing the same message about the virus...
If it's still there, Roi, that means the site itself is the problem... |
I've been experiencing this for a long time now, since the first time I accessed this site.
You're probably right, KG; it's probably spyware, since there are a lot of ads here on the site.
But it doesn't seem to have much of an impact on the computer...
The KG - June 7, 2005 11:35 AM (GMT)
Most likely... there's no impact on the computer; its only effect is that it takes information from your cookies, then grabs the email addresses from your address book and sends them spam mail...