Possible adware infection



Hi,

 

I started a topic yesterday about adware suddenly taking over my browser, half an hour after installing Malwarebytes (Free version, from the official site). The pesky ads (provided by PriceMinus and Browser Shop) were removed after the scan, and everything seems to be normal again. But Daledoc advised me to seek help from experts in this section of the forums and I figured that might be a good plan. :)

 

I have disabled my P2P client (Deluge, which wasn't running at the time of the problems) and performed a scan with the Farbar Recovery Scan Tool.

 

Thanks in advance!

FRST.txt

Addition.txt

Link to post

Welcome to the forum.

When we're done you have to reinstall Chrome, it has been compromised:

 

CHR dev: Chrome dev build detected! <======= ATTENTION

https://support.google.com/chrome/answer/95319?hl=en <--- re-install Chrome

 

============================================

Make sure you have created a restore point before you continue

============================

Download the attached fixlist.txt to the same folder as FRST.exe/FRST64.exe.

Run FRST.exe/FRST64.exe and click Fix only once and wait

The tool will create a log (Fixlog.txt) in the folder, please post it to your reply.

==========================

Let's check for any adware/spyware now:

Please download AdwCleaner from HERE or HERE to your desktop.

  • Double click on AdwCleaner.exe to run the tool.

    Vista/Windows 7/8 users right-click and select Run As Administrator

  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • When it's done you'll see: Pending: Please uncheck elements you don't want removed.
  • Now click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
  • Look over the log especially under Files/Folders for any program that may have been targeted by mistake.
  • If there's a program you may want to save, just uncheck it from AdwCleaner.
  • If you're not sure, post the log for review. (all items found are either adware/spyware/foistware)
  • If you're ready to clean it all up.....click the Clean button.
  • After rebooting, a logfile report (AdwCleaner[s0].txt) will open automatically.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of that logfile will also be saved in the C:\AdwCleaner folder.
  • Items that are deleted are moved to the Quarantine Folder: C:\AdwCleaner\Quarantine
  • To restore an item that has been deleted:
  • Go to Tools > Quarantine Manager > check what you want restored > now click on Restore.
Next..................

Please download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.
Next.........

Please Update and run a Threat Scan (Malwarebytes)

Click on settings > Detection and Protection > Non-Malware Protection > PUP (Potentially Unwanted Program) detections > Make sure it's set to Treat detections as malware

Same for PUM (Potentially Unwanted Modifications)

Quarantine All that's found

MrC

fixlist.txt

Link to post

Hello Charlie,

 

I have uninstalled Chrome, created a restore point and used your fixlist. Here's the log:

Fix result of Farbar Recovery Scan Tool (x64) Version: 29-05-2015
Ran by Reinier at 2015-06-02 22:54:33 Run:1
Running from D:\Reinier\Downloads
Loaded Profiles: Reinier (Available Profiles: Reinier)
Boot Mode: Normal
==============================================

fixlist content:
*****************
HKU\S-1-5-21-785127952-170756034-2261666444-1002\...\RunOnce: [] => [X]
HKU\S-1-5-21-785127952-170756034-2261666444-1002\...\RunOnce: [{775f6e79-d513-41b1-8397-84959fd7c3c2}] => C:\Users\Reinier\AppData\Local\Temp\delete_{81919a22-d5e1-4a75-9e2d-9f48fa068eea}.vbs [913 2015-04-27] () <===== ATTENTION
HKU\S-1-5-21-785127952-170756034-2261666444-1002\...\RunOnce: [{712f56b9-b72c-4bc5-8ced-7fc2412855b8}] => C:\Users\Reinier\AppData\Local\Temp\delete_{9e2cd3c1-f72d-4f17-a663-2e6182e93e81}.vbs [913 2015-04-27] () <===== ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
CHR HKU\S-1-5-21-785127952-170756034-2261666444-1002\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [lmjegmlicamnimmfhcmpkclmigmmcbeh] - https://clients2.google.com/service/update2/crx
C:\Users\Reinier\AppData\Local\Temp\delete_{81919a22-d5e1-4a75-9e2d-9f48fa068eea}.vbs
C:\Users\Reinier\AppData\Local\Temp\delete_{9e2cd3c1-f72d-4f17-a663-2e6182e93e81}.vbs
C:\ProgramData\dbfdbm.dll
C:\ProgramData\SetStretch.exe
C:\ProgramData\SetStretch.VBS
C:\Users\Reinier\AppData\Local\Temp\BullseyeCoverage-2-x86.dll
C:\Users\Reinier\AppData\Local\Temp\i4jdel0.exe
C:\Users\Reinier\AppData\Local\Temp\SpotifyUninstall.exe
C:\Users\Reinier\AppData\Local\Temp\utils.dll
AlternateDataStreams: C:\Users\Reinier\SkyDrive:ms-properties

*****************

HKU\S-1-5-21-785127952-170756034-2261666444-1002\Software\Microsoft\Windows\CurrentVersion\RunOnce\\ => value Removed successfully
HKU\S-1-5-21-785127952-170756034-2261666444-1002\Software\Microsoft\Windows\CurrentVersion\RunOnce\\{775f6e79-d513-41b1-8397-84959fd7c3c2} => value Removed successfully
HKU\S-1-5-21-785127952-170756034-2261666444-1002\Software\Microsoft\Windows\CurrentVersion\RunOnce\\{712f56b9-b72c-4bc5-8ced-7fc2412855b8} => value Removed successfully
"HKLM\SOFTWARE\Policies\Google" => key Removed successfully
"HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer" => key Removed successfully
"HKU\S-1-5-21-785127952-170756034-2261666444-1002\SOFTWARE\Google\Chrome\Extensions\lmjegmlicamnimmfhcmpkclmigmmcbeh" => key Removed successfully
C:\Users\Reinier\AppData\Local\Temp\delete_{81919a22-d5e1-4a75-9e2d-9f48fa068eea}.vbs => Moved successfully.
C:\Users\Reinier\AppData\Local\Temp\delete_{9e2cd3c1-f72d-4f17-a663-2e6182e93e81}.vbs => Moved successfully.
C:\ProgramData\dbfdbm.dll => Moved successfully.
C:\ProgramData\SetStretch.exe => Moved successfully.
C:\ProgramData\SetStretch.VBS => Moved successfully.
C:\Users\Reinier\AppData\Local\Temp\BullseyeCoverage-2-x86.dll => Moved successfully.
C:\Users\Reinier\AppData\Local\Temp\i4jdel0.exe => Moved successfully.
C:\Users\Reinier\AppData\Local\Temp\SpotifyUninstall.exe => Moved successfully.
C:\Users\Reinier\AppData\Local\Temp\utils.dll => Moved successfully.
C:\Users\Reinier\SkyDrive => ":ms-properties" ADS Removed successfully.

==== End of Fixlog 22:54:36 ====

 

I just completed the scan with AdwCleaner, so I'll be right back after a reboot.

Link to post
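An added example, not part of the original posts and not FRST's own code: a short Python check that reads the result section of a Fixlog like the one posted above and lists every entry whose outcome is not a recognised success message. The category names, the function names and the failure line in the sample are assumptions made for illustration.

```python
from collections import Counter

# Constructed sample: lines copied from the Fixlog posted above, plus one
# made-up failure line (not real FRST wording) to exercise the review path.
SAMPLE_FIXLOG = r'''fixlist content:
*****************
HKU\S-1-5-21-785127952-170756034-2261666444-1002\...\RunOnce: [] => [X]
C:\ProgramData\dbfdbm.dll
*****************
HKU\S-1-5-21-785127952-170756034-2261666444-1002\Software\Microsoft\Windows\CurrentVersion\RunOnce\\ => value Removed successfully
"HKLM\SOFTWARE\Policies\Google" => key Removed successfully
C:\ProgramData\dbfdbm.dll => Moved successfully.
C:\Users\Reinier\SkyDrive => ":ms-properties" ADS Removed successfully.
C:\ProgramData\placeholder-example.bin => CONSTRUCTED FAILURE TEXT
==== End of Fixlog 22:54:36 ====
'''

# Category names are this example's own labels, not FRST terminology.
KINDS = (("ADS Removed", "ads_removed"), ("value Removed", "value_removed"),
         ("key Removed", "key_removed"), ("Moved", "file_moved"))

def classify(outcome):
    """Map an outcome string to a category; anything unrecognised needs review."""
    text = outcome.rstrip(".")
    if text.endswith("successfully"):
        for marker, kind in KINDS:
            if marker in text:
                return kind
    return "review"

def parse_fixlog(text):
    """Return (target, category) pairs from the result section only."""
    results, star_rows = [], 0
    for line in map(str.strip, text.splitlines()):
        if line and set(line) == {"*"}:
            star_rows += 1          # rows of asterisks frame the fixlist echo
        elif line.startswith("==== End of Fixlog"):
            break
        elif star_rows >= 2 and " => " in line:   # skip the echoed fixlist
            target, _, outcome = line.partition(" => ")
            results.append((target.strip('"'), classify(outcome)))
    return results

def summarize(text):
    """Count outcomes and list the targets that were not confirmed handled."""
    results = parse_fixlog(text)
    counts = Counter(kind for _, kind in results)
    return counts, [t for t, kind in results if kind == "review"]

if __name__ == "__main__":
    print(summarize(SAMPLE_FIXLOG))
```

Run against a saved Fixlog.txt, an empty review list means every fixlist entry was reported as removed or moved.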

Alright, my notebook has rebooted and AdwCleaner[s0].txt has shown up:

# AdwCleaner v4.206 - Logbestand aangemaakt 02/06/2015 op 23:33:00
# Laatste update 01/06/2015 door Xplode
# Database : 2015-06-01.1 [server]
# Besturingssysteem : Windows 8.1  (x64)
# Gebruikersnaam : Reinier - LAPPIE
# Gestart vanuit : D:\Reinier\Bureaublad\AdwCleaner.exe
# Optie : Verwijderen

***** [ Services ] *****


***** [ Bestanden / Mappen ] *****

Map Verwijderd : C:\ProgramData\{1cec4107-c5c1-894d-1cec-c4107c5c041f}
[x] Niet Verwijderd : D:\Reinier\Bureaublad\Inbox
Bestand Verwijderd : C:\Users\Reinier\AppData\Roaming\AdobeWLCMCache.dat

***** [ Geplande taken ] *****


***** [ Snelkoppelingen ] *****


***** [ Register ] *****

Sleutel Verwijderd : HKLM\SOFTWARE\Classes\TypeLib\{A63C49A5-6CC1-4579-A883-AE6B3E91108D}
Sleutel Verwijderd : HKCU\Software\Conduit
Sleutel Verwijderd : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4820778D-AB0D-6D18-C316-52A6A0E1D507}
Sleutel Verwijderd : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AD11DADE-C597-45D9-D8C5-1D2EB0B89613}
Gegevens Verwijderd : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings [ProxyOverride] - *.local

***** [ Webbrowsers ] *****

-\\ Internet Explorer v11.0.9600.17416


-\\ Mozilla Firefox v28.0 (nl)

[4owj6p1w.default\prefs.js] - Regel Verwijderd : user_pref("extensions.G7XAJMdZ0eK1xmgP.scode", "(function(){try{if(window.location.href.indexOf(\"rjs6rHr7rdw6qda8rdn5rTY5pds\")>-1){return;}}catch(e){}try{var d=[[\"investkingdom.com\",\"www.viracure[...]
[4owj6p1w.default\prefs.js] - Regel Verwijderd : user_pref("extensions.Xb8n5wvSqTxj0tag.scode", "(function(){try{if(window.location.href.indexOf(\"rjs6rHr7rdw6qda8rdn5rTY5pds\")>-1){return;}}catch(e){}try{var d=[[\"investkingdom.com\",\"www.viracure[...]

-\\ Chrome Canary v

[C:\Users\Reinier\AppData\Local\Google\Chrome SxS\User Data\Default\Web Data] - Verwijderd [search Provider] : hxxp://nl.softonic.com/s/{searchTerms}
[C:\Users\Reinier\AppData\Local\Google\Chrome SxS\User Data\Default\Web Data] - Verwijderd [search Provider] : hxxp://en.softonic.com/s/{searchTerms}
[C:\Users\Reinier\AppData\Local\Google\Chrome SxS\User Data\Default\Web Data] - Verwijderd [search Provider] : hxxp://nl.softonic.com/s/{searchTerms}

*************************

AdwCleaner[R0].txt - [2540 bytes] - [02/06/2015 23:05:33]
AdwCleaner[s0].txt - [2350 bytes] - [02/06/2015 23:33:00]

########## EOF - C:\AdwCleaner\AdwCleaner[s0].txt - [2409  bytes] ##########

 

And the JRT log:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.8.7 (06.01.2015:1)
OS: Windows 8.1 x64
Ran by Reinier on di 02-06-2015 at 23:43:57,83
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Tasks



~~~ Registry Values



~~~ Registry Keys



~~~ Files



~~~ Folders

Successfully deleted: [Folder] C:\Users\Reinier\appdata\local\tempdir
Successfully deleted: [Folder] C:\WINDOWS\syswow64\ai_recyclebin
Successfully deleted: [Folder] C:\ProgramData\18190886005015235548





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on di 02-06-2015 at 23:48:24,84
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

I'm starting the scan with Malwarebytes now (database is updated, settings are as you said) and I'll come back when it's completed.

Link to post

The scan has finished, 0 items detected :) Thanks a lot for the help!

 

I'm going to install Chrome tomorrow. Luckily all my bookmarks, extensions, saved passwords etc. are synced. There's one thing I've been wondering about: How could Chrome have become compromised? Was it caused by the adware or other malicious software?

Link to post

OK......

A little clean up to do....

Please Uninstall ComboFix: (------->if you used it<-------)

Press the Windows logo key + R to bring up the "run box"

Copy and paste next command in the field:

ComboFix /uninstall

Make sure there's a space between Combofix and /

Then hit enter. (it may look like CF is re-installing but it's not)

This will uninstall Combofix, delete its related folders and files, hide file extensions, hide the system/hidden files, clear the System Restore cache and create a new restore point.

(If that doesn't work.....you can simply rename ComboFix.exe to Uninstall.exe and double click it to complete the uninstall or download and run the uninstaller)

---------------------------------

Download Delfix from here and save it to your desktop. (you may already have this)

  • Ensure Remove disinfection tools is checked.
  • Click the Run button.
  • Reboot
Any other programs or logs that are still remaining, you can manually delete. (right click.....Delete)

-------------------------------

Any questions...please post back.

If you think I've helped you, please leave a comment > click on my avatar picture > click Profile Feed.

Take a look at My Preventive Maintenance to avoid being infected again.

Good Luck and Thanks for using the forum, MrC

Link to post

  • Root Admin

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post

This topic is now closed to further replies.