
About a week ago I started being plastered by ads while browsing the internet.  I can't point to a specific location where I acquired the infection.  I've got Microsoft Security Essentials and Malwarebytes (Licensed Version) running and they never detect the "Ads By Salus" program.  I found the program in my programs list and it is never on a recent date.  While the date matches (It will say installed on 1/6) the year has been between 2012 and 2013.  The only way I can find it is by searching installed programs for "Salus" and uninstalling it.  It always asks me if I'd like to reconsider before uninstalling it.  I proceed with the removal and it remains gone until the next day.  I can reboot my computer multiple times and once it is gone it won't reappear until the next day.

 

Also about the same time my Firefox home page has been reset to http://www-search.info/?src=us. I've cleared out all cookies, reset the browser, uninstalled and reinstalled yet I can't get it to direct away from that page when I first open it.  If I open a new tab or click on the home button it goes to Google (behavior I have it set to do) or a blank page (behavior for a new tab).

 

Below are the requested scans as per the Pinned post at the top of this page.  I do use a P2P program, but it has been and will remain disabled until this issue is resolved.  Also I will not be making any registry changes or uninstalling anything unless told to do so.

 

The last thing I tried was a program called HitmanPro this morning right after my daily ritual of uninstalling Salus from the programs in Control Panel.  It did find a few entries titled "Salus" in my Program Files(x86) on my C drive and it said it deleted them.  Not positive that it corrected the problem though.

 

I've attached the requested files to this post to keep the message from being a "scroll fest".

 

Thank you for your time in reviewing them.

FRST.txt

Addition.txt

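The post above describes hunting for the "Salus" entry in the Control Panel programs list and noticing that its install date is implausible. The following PowerShell script is an added example, not part of the original thread and not one of the tools the helpers use: it enumerates the same uninstall entries Control Panel reads (64-bit, 32-bit/WOW6432Node and per-user hives), filters them by name, and puts the registry's self-reported InstallDate beside the real creation time of the install folder and the UninstallString that produced the "reconsider?" prompt. Only the default pattern `Salus` comes from the post; the hive list and everything else are assumptions about a standard Windows 7 x64 setup.

```powershell
# Added example, not from the original thread. Enumerates the uninstall entries
# that Control Panel reads (64-bit, 32-bit/WOW6432Node and per-user hives) and
# compares each entry's self-reported InstallDate with the real creation time of
# its install folder. The default pattern 'Salus' comes from the post; the rest
# of the script is an assumption about a standard Windows 7 x64 setup.
param([string]$Pattern = 'Salus')

$hives = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
)

$entries = foreach ($hive in $hives) {
    if (-not (Test-Path -Path $hive)) { continue }
    foreach ($key in Get-ChildItem -Path $hive -ErrorAction SilentlyContinue) {
        $p = Get-ItemProperty -Path $key.PSPath
        if (-not $p.DisplayName -or $p.DisplayName -notmatch $Pattern) { continue }

        # InstallDate is a free-form 'yyyyMMdd' string written by the installer,
        # so it can say anything; an implausible year is itself a warning sign.
        $claimed = $null
        if ($p.InstallDate -match '^\d{8}$') {
            try { $claimed = [datetime]::ParseExact($p.InstallDate, 'yyyyMMdd', $null) } catch { }
        }

        # The folder's creation time is harder to fake and shows when it really appeared.
        $folderCreated = $null
        if ($p.InstallLocation -and (Test-Path -LiteralPath $p.InstallLocation)) {
            $folderCreated = (Get-Item -LiteralPath $p.InstallLocation).CreationTime
        }

        [pscustomobject]@{
            Hive            = $hive
            Key             = $key.PSChildName
            DisplayName     = $p.DisplayName
            ClaimedInstall  = $claimed
            FolderCreated   = $folderCreated
            InstallLocation = $p.InstallLocation
            UninstallString = $p.UninstallString
        }
    }
}

if ($entries) { $entries | Format-List } else { "No uninstall entries match '$Pattern'." }
```

Save it as, for instance, Find-UninstallEntry.ps1 and run `.\Find-UninstallEntry.ps1 -Pattern Salus` from a PowerShell prompt. A large gap between ClaimedInstall and FolderCreated is the discrepancy the post noticed by hand, and the UninstallString and InstallLocation tell you which executable and folder to hand to a helper or submit for analysis rather than just clicking Uninstall again.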

Hi!

Welcome to Malwarebytes' Support Forums! I am Blackbird and I will help you remove any malware that might be present on your computer.

An important WARNING to all individuals reading this topic:
All advice in this topic was given specifically for this user and this computer!! Performing instructions given by me in this topic on other computers may harm your computer's infrastructure and can cause serious damage to them!!
Please don't perform the steps given by me or other Helpers in this topic when you are not the original Topic Starter, but start your own topic with a question for help. You will get help from a trained and qualified Helper to clean up your computer from any present malware when you do so.


General rules:
  • From now on, don't use this computer anymore to access your bank account or any other serious business that you have to log in to, until I've told you your computer is clean of malware.
  • Be patient waiting for my answer. I'm doing the best I can to answer to logs as soon as possible, but I'm handling multiple topics at the same time. Please feel free to remind me of your topic by sending a link to it by private message, when I didn't get back to you after 24 hours.
  • Don't change anything on your computer in the period I'm helping you, except when I tell you to do so. So don't add/remove any software (programs, drivers, etc.) and don't change any hardware. If you really need to change something that can't wait, please inform me directly, by posting it in this topic or - if private - send me a private message containing an explanation of the changes made by you. This gives me the possibility to give you good advice.


Rules about advices from me:
  • The Helpers active on this board first got a full training in removing malware and providing support to people who got infected. Also they were trained to resolve any problems caused by malware infections. Please use the programs I provide to you only when under supervision of a trained Helper. This is because using these programs without supervision can cause damage to your computer.
  • It's possible that your virus scanner, anti-spyware program or any other malware protection program or policy tries to block one or more of the programs provided by us. If that is the case, please always allow those programs to run and/or allow the provided changes to be made. If needed to run our tools properly, temporarily disable your anti-malware programs.
  • Always Save tools provided by me to your Desktop, unless I give you other instructions. Don't ever run tools directly from the internet, because this can stop them from working properly. Also never save tools to any other locations than your Desktop.
  • If you have any problems while following my instructions, stop there and tell me the exact nature of the issue.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • You can check here if you're not sure if your computer is 32-bit or 64-bit.



Rules about posting results:

  • Always copy/paste the logfiles in your replies completely. If a logfile doesn't fit into one post, please add the logfile as an attachment instead. If this still won't work, please inform me.
  • Never change something in the logfiles!! Include them in your posts as they were provided by the tools. This way I'll get a clear view on your system's situation. If you change the logfiles, it will take more time to clean up your computer.
  • Don't post logs using CODE, QUOTE or FONT tags. Just post them as direct text.


Things I want you to do before performing the steps below:
  • Please enable your system to show hidden files: How to see hidden files in Windows.
  • Make sure you're subscribed to this topic. Click on the Follow This Topic button at the top right of this page, make sure that the Receive Notification box is checked and that it is set to Instantly.
  • Even though we do the best we can to help you, removing malware includes risks. Therefore I advise you to back up all of your important files to a CD/DVD, external drive or flash drive. For instructions/help, take a look here.



-------------------------------------------------------------------------------------------------------------------------------------------------------
Thanks in advance for keeping above rules in mind. :)
Maybe they look like unnecessary rules, but practice teaches us they are needed to help.

Now, let's continue with the steps you need to do:
-------------------------------------------------------------------------------------------------------------------------------------------------------

1. We need to temporarily disable any cd-emulators active on your computer, as they can impede the interpretation of logfiles provided by our tools.

  • Download Defogger and save it to your Desktop.
  • Right-click Defogger.exe and select Run as Administrator.
  • When the program has opened, click the Disable button.
  • When Defogger asks for a confirmation, click Yes.
  • Wait until you get the "Finished" message. Click OK.
  • When Defogger asks you to restart the system, please allow the program to do so immediately.


  • If an error occurred while using Defogger, look for a file called "defogger_disable.txt", which should be located on your Desktop. Post the contents of this file into your next reply.
  • You can enable the cd-emulator software again by running Defogger again and clicking the "Re-enable" button. Only do this when I have told you your computer is clean again.


2. Download AdwCleaner and save it to your Desktop.
  • Close all open windows.
  • Right-click AdwCleaner.exe and select Run as Administrator.
  • Click the Scan button.
  • When the scan has finished, please click the Report button and save the logfile that opens to the Desktop.
  • Post the contents of this logfile into your next reply.



3. Download Malwarebytes' Anti-Malware and save it to your Desktop.
If you already have Malwarebytes' Anti-Malware installed on your computer, please go to step 3-A.



3-A. Start Malwarebytes' Anti-Malware.

  • On the Dashboard tab, click the Update Now button, to update the definitions to the latest version.
  • Then click the Scan tab. Select Custom Scan and click the Start Scan button.
  • In the window that appears, check the box next to Scan for Rootkits. Also, select all drives, except for CD/DVD-drives. After you have done this, click Start Scan.
  • Follow the instructions given by Malwarebytes' Anti-Malware.
  • If any items were found during the scan process, Malwarebytes' Anti-Malware will ask you what you want to do with those items. Please quarantine all items.
  • It's possible the program asks you for permission to restart the computer. If so, please allow MBAM to do so immediately.
  • Save the logfile in txt-format and copy/paste it in your next reply.
  • Note: If you can't find the logfile, look at the "History" tab. Select the most recent logfile (you can see the creation date in the log's title).
 
4. Start Farbar Recovery Scan Tool
  • If asked, click Yes at the Disclaimer window.
  • Click Scan once the program has opened.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.



5. Download GMER Rootkit Scanner and save it to your Desktop.
NOTE: Windows 8 users can skip this step. GMER Rootkit Scanner isn't compatible with Windows 8. Don't run it.

  • Right-click the GMER executable file (whose name will contain 8 random digits/characters) and select Run as Administrator.
  • If GMER warns you about possible rootkit activity and asks you to scan for rootkits, DON'T allow GMER to do so.
  • Under "Files", put a checkmark next to Quick Scan.
  • Remove the checkmark next to Show all.
  • Now, click the Scan button.
  • Note: This scan often provides False Positives in the scan results. Never fix anything found by Gmer, unless I instructed you to do so!
  • When the scan has finished, click Save and save the log to your Desktop.
  • Post GMER's logfile into your next reply.



6. Please provide me a detailed description of any computer problems you're facing, together with the logfiles mentioned in step 1 - 6.

Good luck! :)


Hello and thank you for looking at my issue.

 

In my previous post I had mentioned about "Ads by Salus" reappearing on my system day after day even after repeated uninstalling of the program.  It always had bogus install dates of various years from 2012-2014.  Yesterday before I had posted here and sent my FRST logs on my original post I had run a program called HitmanPro_x64 that I found by searching for Salus removal.  This program did find instances of Salus that Malwarebytes and Microsoft Security Essentials both never saw.  It cleaned them off and today for the first time in a long while I haven't had the "Ads by Salus" or the Salus program self install on my machine.  Not positive it is fixed, but hopefully you won't find anything in my logs you requested.

 

The Firefox hijack is still in place however.  Even uninstall/reinstall of Firefox didn't fix it.  My homepage shows it is set to google.com but it still loads  http://www-search.info/?src=us  instead.

 

I've followed the 6 steps you asked me to and hopefully didn't miss anything.  I've added them as attachments below.

 

One thing that I noticed about the same time that I started seeing the ads was a problem with a few of my drivers on this machine. 

 

1.  My scanner/printer:  In device manager it started showing me that the driver for my printer was not installed.   I was able to print/scan with no issues despite this.  Allowing windows to search for the proper driver always failed.  I uninstalled/reinstalled the printer/scanner software from HP and still I can print/scan with it but it still shows the yellow triangle in device manager.

 

2.  In Device Manager I have another yellow triangle on something called "Microsoft Teredo Tunneling Adapter" in the Network Adapters category.  I have 2 network adapters (The one built into my board is disabled because the Gigabit was acting flaky on it back when I built the system so I put an Intel Gigabit PCI card in it)  I've tried to let troubleshooter fix the problem but it is unable to because of an "Error 10".  I uninstalled my network card and reinstalled it and it came up again with the same error after reboot.

 

The Defogger didn't ask me to reboot (in fact none of the run programs/scans asked me to).  Also included the "Addition.txt" file from the FRST64 Scan.

defogger_disable.log

AdwCleanerR0.txt

MWBScan.txt

FRST.txt

Addition.txt

GMERScan.log


Sorry but I was just reviewing my logs and noticed that I had left "Scan for Rootkits" unchecked in the Malwarebytes scan.  I'm rescanning now (hopefully will take about an hour) and will edit the above post with the correct Malwarebytes log when it is available.


Hi,

 

General P2P/Piracy Warning:

If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar you must either fully uninstall them or completely disable them from running while being assisted here.
Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.
If you have illegal/cracked software, cracks, keygens etc. on the system, please remove or uninstall them now and read the policy on Piracy.

 

1. Download RKill and save it to your Desktop.

  • Right-click RKill.exe and select Run as Administrator....
  • If a Windows Security prompt shows up, please allow the program to start.
  • The program will start immediately with its tasks. When the program has finished, a logfile will appear.
    Please copy the contents of this logfile in your next reply.

 

2. Start AdwCleaner by right-clicking it and selecting Run as Administrator

  • When the program has started, click the Scan button and wait until the scan has finished.
  • Make sure everything (on all tabs) is selected, and click the Delete button.
  • It's possible that AdwCleaner asks you to restart the system. It's important that you agree with this.
  • After restart a logfile will appear. Please post the contents of that logfile in your next reply.

 
3. Please download fixlist.txt to your Desktop.
  • Please make sure to put fixlist.txt in the same location as where FRST.exe/FRST64.exe is located!

 

4. Start Farbar Recovery Scan Tool by right-clicking it and selecting Run as Administrator.

  • Press the Fix button just once and wait.
  • If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
  • When finished FRST will generate a log on the Desktop, called fixlog.txt. Please include this logfile in your next reply.

 
5. Delete fixlist.txt, if still present, from your computer. (Important!!)
 
6. Start Malwarebytes' Anti-Malware.
  • On the Dashboard tab, click the Update Now button, to update the definitions to the latest version.
  • Then click the Scan tab. Select Custom Scan and click the Start Scan button.
  • In the window that appears, check the box next to Scan for Rootkits. Also, select all drives, except for CD/DVD-drives. After you have done this, click Start Scan.
  • Follow the instructions given by Malwarebytes' Anti-Malware.
  • If any items were found during the scan process, Malwarebytes' Anti-Malware will ask you what you want to do with those items. Please quarantine all items.
  • It's possible the program asks you for permission to restart the computer. If so, please allow MBAM to do so immediately.
  • Save the logfile in txt-format and copy/paste it in your next reply.
  • Note: If you can't find the logfile, look at the "History" tab. Select the most recent logfile (you can see the creation date in the log's title).

 

7. Restart your computer, please. (This is important!!)

 

8. Start Farbar Recovery Scan Tool

  • If asked, click Yes at the Disclaimer window.
  • Click Scan once the program has opened.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.

 
9. Please give me an update on your PC problems and also please post the logfiles from:
  • RKill
  • AdwCleaner
  • Farbar Recovery Scan Tool - using fixlist.txt
  • Malwarebytes' Anti-Malware
  • Farbar Recovery Scan Tool - regular scan

 

Good luck! :)


I've run the scans you asked me to.  Log files are attached.

 

Firefox Still opens the weird search page from the shortcut on my desktop.

 

Microsoft Teredo Tunneling Adapter still shows the yellow mark in Device manager.  Check for drivers shows it is up to date, but it gives this error under properties: This device cannot start. (Code 10)

 

Still no sign of Salus on the system today (yay!)

 

Should I delete my Firefox Shortcut and recreate one?  Both the shortcut and the quicklaunch icon take me to the odd search page that loads in and redirects me to elsewhere (as I watch the address bar)

 

 

Rkill.txt

Fixlog.txt

MBAMLog.txt

FRST.txt

AdwCleanerS0.txt


I checked the properties of the shortcut for Firefox on my desktop.  It was set to go to the weird search website.  Same was true for the shortcut on the taskbar.  I deleted them and recreated the shortcut out of the main Firefox install folder and it no longer opens the search website as before.  I guess I should have looked at those properties earlier.

 

The only remaining concern I now have is the Microsoft Teredo Tunneling Adapter.  To be honest I'm not even sure what it is that it does, but I know there weren't any issues with my device manager up until I had the infection.  As for my printer showing there is an issue as well, I've got a new printer here and have just been waiting to get the Salus issue cleared up and make sure I'm not infected before I remove the HP Printer and install my new one.  Once I've got the all clear from you I'll get all the HP software off my system and begin to get my new Brother printer installed on my network.  Ever since I've had my HP Printer (I think I bought it back in 2003 or 2004) I don't think there has been a period of time more than 2 months where something goes wonky with the HP software that came with it and needs a fresh install.

 

Thanks again for your help.

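The post above explains why a Firefox reinstall did not clear the www-search.info "home page": the hijack lived in the Desktop and taskbar shortcuts, not in the browser profile. The following PowerShell script is an added example, not part of the original thread and not one of the tools the helpers use: it walks the folders a browser launcher normally lives in, reads each .lnk with the WScript.Shell COM object, and reports any shortcut whose arguments carry a URL. The folder list and the optional -Fix behaviour are assumptions; the thread itself fixed the shortcuts by deleting and recreating them.

```powershell
# Added example, not from the original thread. Inspects .lnk shortcuts in the
# places a browser launcher normally lives and reports any whose arguments carry
# a URL, which is the hijack the post found by hand in the Desktop and taskbar
# shortcuts. The folder list and the -Fix switch are assumptions, not anything
# the thread used. Run with -Fix to strip the injected URL and keep the target.
param([switch]$Fix)

$shell = New-Object -ComObject WScript.Shell

$locations = @(
    [Environment]::GetFolderPath('Desktop'),
    [Environment]::GetFolderPath('CommonDesktopDirectory'),
    [Environment]::GetFolderPath('StartMenu'),
    [Environment]::GetFolderPath('CommonStartMenu'),
    # Quick Launch also contains User Pinned\TaskBar, where taskbar pins are kept.
    (Join-Path $env:APPDATA 'Microsoft\Internet Explorer\Quick Launch')
) | Where-Object { $_ -and (Test-Path -LiteralPath $_) }

$findings = foreach ($dir in $locations) {
    foreach ($file in Get-ChildItem -LiteralPath $dir -Filter *.lnk -Recurse -ErrorAction SilentlyContinue) {
        $lnk = $shell.CreateShortcut($file.FullName)
        # A clean browser shortcut has no URL in its arguments. A hijacked one is
        # typically 'firefox.exe http://...', so the browser's own home page
        # setting still reads google.com while the shortcut opens something else.
        if ($lnk.Arguments -match 'https?://|\bwww[-.]') {
            [pscustomobject]@{
                Shortcut  = $file.FullName
                Target    = $lnk.TargetPath
                Arguments = $lnk.Arguments
            }
            if ($Fix) {
                $lnk.Arguments = ''   # drop the injected URL, leave TargetPath alone
                $lnk.Save()
            }
        }
    }
}

if ($findings) { $findings | Format-List } else { 'No shortcuts with URL arguments found.' }
```

Run it without -Fix first so the report can be compared with what the shortcut's Properties dialog shows. Checking Arguments separately from Target is the point: the Target field in the dialog concatenates both, which is why the modified entry is easy to miss at a glance, as the poster found.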

Hi,

 

Glad to hear that. I can tell you your logfiles already look much cleaner. But we're not done yet! :)

I understand the problem with the "Microsoft Teredo Tunneling Adapter". There's still malware present on your computer though, which makes me want to delete that first, before we're going to solve that hardware problem. I hope you agree with that?

 

1. Start RKill.exe by right-clicking it and selecting Run as Administrator.

  • If a Windows Security prompt shows up, please allow the program to start.
  • The program will start immediately with its tasks. When the program has finished, a logfile will appear.
    Please copy the contents of this logfile in your next reply.

 

2. Please download fixlist.txt to your Desktop.

  • Please make sure to put fixlist.txt in the same location as where FRST.exe/FRST64.exe is located!

 
3. Start Farbar Recovery Scan Tool by right-clicking it and selecting Run as Administrator.
  • Press the Fix button just once and wait.
  • If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
  • When finished FRST will generate a log on the Desktop, called fixlog.txt. Please include this logfile in your next reply.

 

4. Delete fixlist.txt, if still present, from your computer. (Important!!)

 

5. Restart your computer, please. (Important!!)

 

6. Start Farbar Recovery Scan Tool

  • If asked, click Yes at the Disclaimer window.
  • Click Scan once the program has opened.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.

 
7. Please give me an update about the malware problems. Do you still notice any suspicious behaviour? Please also post the logfiles from:
  • RKill
  • Farbar Recovery Scan Tool - using fixlist.txt
  • Farbar Recovery Scan Tool - regular scan

 

Good luck! :)


  • Root Admin

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!


Blackbird:

 

Sorry I did not get a message last time you responded.  I had figured it was cleaned and we were good to go.  I'd like to go ahead and run the scans and post the requested logs, however there are a couple changes to my system.  My wife needed to print for work and with the non-working HP printer I had to remove it and install my new printer.  The new printer has been working fine and I don't get any errors.  I also found a tutorial online to fix the teredo issue and it has not popped back up again.

 

The system has been running trouble free for the past few days, but I haven't been using it too much.  There are a couple of other programs I'd like to remove from it (Utorrent and Peerblock) but will wait until we're complete here.

 

I'll check the forums manually to see if there is a response instead of waiting for the email notification.

 

So am I clear to use the fixlog you sent or not because of the change in removing the HP printer and adding a new one?


Hi,

 

General P2P/Piracy Warning:

If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar you must either fully uninstall them or completely disable them from running while being assisted here.
Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.
If you have illegal/cracked software, cracks, keygens etc. on the system, please remove or uninstall them now and read the policy on Piracy.

 

All Clean!
Congratulations, your computer seems to be clean again! I don't see any more signs of malware on your system. I feel glad to tell you that we are done here! The steps below will remove the tools we have used, and reset any settings changed. I have also provided a list of resources and tools that you might find useful.

Download DelFix and save the file to your Desktop.

  • Double-click DelFix.exe to run the programme.
  • Place a checkmark next to the following items:
    • Activate UAC
    • Remove disinfection tools
    • Create registry backup
    • Purge system restore
    • Reset system settings

  • Click the Run button.


-- This will remove the specialised tools we used to disinfect your system. Any leftover logs, files, folders or tools remaining on your Desktop which were not removed can be deleted manually (right-click the file + Delete).

==============================================================

I have compiled below a list of resources you may find useful. The articles document information on computer security, common infection vectors and how you can stay safe on the Internet.



The following programmes come highly recommended in the security community.

  • AdBlock is a browser add-on that blocks annoying banners, pop-ups and video ads.
  • CryptoPrevent places policy restrictions on loading points for ransomware (eg. CryptoWall), helping prevent the execution of malware.
  • Malwarebytes' Anti-Exploit (MBAE) is designed to prevent zero-day malware from exploiting vulnerable software.
  • Malwarebytes Anti-Malware Premium (MBAM) works in real-time alongside your Anti-Virus to prevent malware execution.
  • NoScript is a Firefox add-on that blocks the actions of malicious scripts by using whitelisting and other technology.
  • Sandboxie isolates programmes of your choice, preventing files from being written to your HDD unless approved by you.
  • Secunia PSI will scan your computer for vulnerable software that is outdated, and automatically find the latest update for you.
  • SpywareBlaster is a form of passive protection, designed to block the actions of malicious websites and tracking cookies.
  • Web of Trust (WOT) is a browser add-on designed to alert you before interacting with a potentially malicious website.



My help will always be free! However, if you're happy with the help provided and/or want to buy me a drink, you can consider a donation:





==============================================================

Please confirm if you have no outstanding issues, and are happy with the state of your computer. Also please tell me if you got any questions left regarding the removal process we went through and the information I gave you in this post.


Everything looks great.  Thanks!  I'll be notifying my Father-in-Law of the forums here as I seem to be the go-to almost weekly for cleaning the junk off his computer.   I am never sure if I got it all from the phone conversations, but the instructions you provided were simple and quite easy to follow.  Hope I wasn't too difficult.  I've bought you a drink through the link below at PayPal.    Thank you so much!


Hi,

 

Thank you very much for that drink, it will taste better now! :)

I'm happy to hear your problems are solved. If he gets any other problems, of course he's welcome himself to post about it and he'll receive help from one of the Malware Analysts here, like myself. No problem at all!

 

I will inform a moderator about this topic, as your problems are solved.

 

Happy surfing again! :)


  • Root Admin

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

