Help! Malwarebytes failed to find and remove adware!

[RoroPanda]

PLEASE CORRECT ME OR MOVE ME IF IM POSTING IN THE WRONG SECTION!First time posting on these forums,

 

Ok so I found out that I had this malware or adware on my recently updated win10 laptop that pops up in most of my applications that use internet (google, origin, games, etc.) and so I ran windows defender but it could not find any PUP or PUM or Adware or malware viruses on my pc, so I ran googles fix  tool but that also failed. I noticed that the adware is possibly named "ads by jabuticaba" but I couldnt find any programs named like that or similar to that installed on my pc(I used uninstall from control panel) or in task manager. I had uninstalled chrome about 5 times to reinstall it and disabled IE to reenable it along with restarting my pc. I came across malwarebytes and downloaded it and ran it, it had found 305 viruses or PUP/PUM on my computer and had deleted them all but I still am having jabuticaba pop up on my browsers and other programs, Its like it is hidden and wont leave. Please help me uninstall this program, I cant afford to loose 300GB worth of stuff from doing system restore or a full blown recovery. (Sorry this was rushed, im in a hotel and the wifi sucks so I was battling with this all day and night, so tired) My kapersky protection disk is broken and the program was uninstalled during a system restore I had done 5 months ago.

 

 

Heres the scan details Malwarebytes scan#1.txt

 

[kevinf80]

Hello and welcome to Malwarebytes.org

P2P/Piracy Warning:

If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar you must either fully uninstall them or completely disable them from running while being assisted here. Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.If you have illegal/cracked software, cracks, keygens etc. on the system, please remove or uninstall them now and read the policy on Piracy.

Next,

Change the download folder setting in the default Browser so all tools we may use are saved to the Desktop:

Google Chrome - Click the "Customize and control Google Chrome" button in the upper right-corner of the browser.
Choose Settings. at the bottom of the screen click the
"Show advanced settings..." link. Scroll down to find the Downloads section and click the Change... button. Select your desktop and click OK.

Mozilla Firefox - Click the "Open Menu" button in the upper right-corner of the browser. Choose Options. In the downloads section, click the Browse button, click on the Desktop folder and the click the "Select Folder" button. Click OK to get out of the Options menu.

Internet Explorer - Click the Tools menu in the upper right-corner of the browser. Select View downloads. Select the Options link in the lower left of the window. Click Browse and select the Desktop and then choose the Select Folder button. Click OK to get out of the download options screen and then click Close to get out of the View Downloads screen.
NOTE: IE8 Does not support changing download locations in this manner. You will need to download the tool(s) to the default folder, usually Downloads, then copy them to the desktop.

Next,

Follow the instructions in the following link to show hidden files:

http://www.bleepingcomputer.com/tutorials/how-to-see-hidden-files-in-windows/

Next,

Please open Malwarebytes Anti-Malware.

• On the Settings tab > Detection and Protection sub tab, Detection Options, tick the box "Scan for rootkits".
• Under Non-Malware Protection sub tab Change PUP and PUM entries to Treat detections as Malware
• Click on the Scan tab, then click on Scan Now >> . If an update is available, click the Update Now button.
• A Threat Scan will begin.
• With some infections, you may or may not see this message box.
  
          'Could not load DDA driver'
• Click 'Yes' to this message, to allow the driver to load after a restart.
• Allow the computer to restart. Continue with the rest of these instructions.
• When the scan is complete, click Apply Actions.
• Wait for the prompt to restart the computer to appear, then click on Yes.
• After the restart once you are back at your desktop, open MBAM once more.
  

To get the log from Malwarebytes do the following:

• Click on the History tab > Application Logs.
• Double click on the scan log which shows the Date and time of the scan just performed.
• Click Export > From export you have three options:
  
    Copy to Clipboard - if seleted right click to your reply and select "Paste" log will be pasted to your reply
    Text file (*.txt)        - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply
    XML file (*.xml)      - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply
• Recommend you use "Copy to Clipboard, then Right click to your reply > select "Paste" that will copy the log to your reply…
  

If Malwarebytes is not installed follow these instructions first:

Download Malwarebytes Anti-Malware to your desktop.

• Double-click mbam-setup and follow the prompts to install the program.
• At the end, be sure a checkmark is placed next to the following:
• Launch Malwarebytes Anti-Malware
• A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.
• Click Finish. Follow the instructions above....
  

Next,

Download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

If your security alerts to FRST either accept the alert or disable your security and allow FRST to run...

• Double-click to run it. When the tool opens click Yes to disclaimer.
• Press Scan button.
• It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
• The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.
  

Next,

Please download RogueKiller and save it to your desktop from the following link: http://www.bleepingcomputer.com/download/roguekiller/

• Quit all running programs.
• For Windows XP, double-click to start.
• For Vista,Windows 7/8, Right-click on the program and select Run as Administrator to start and when prompted allow it to run.
• Read and accept the EULA (End User Licene Agreement)
• Click Scan to scan the system.
• When the scan completes select "Report", log will open. Close the program > Don't Fix anything!
• Post back the report which should also be located here:
  

C:\Programdata\RogueKiller\Logs <-------- W7/8
C:\Documents and Settings\All Users\Application Data\RogueKiller\Logs <------XP


Let me see those logs in your reply....

Thank you,

Kevin...
 

[RoroPanda]

Ok I followed all of your steps and here are the files

 

Malwarebytes scan- Malwarebytes scan#2.txt

FRST files- FRST.txt ,, Addition.txt

RougeKiller files- RogueKillerScan#1.txt

 

Also I am not the only one to have used this laptop, I had lended it to my younger brother for a while and when I got it back I saw the adware Jabuticaba on it, Ive managed to lessen(stop some ads from showing up) it using some chrome extentions, Website blocker and Adblock though they do not block all adds and I rather not use them since im not a fan of chromes extensions.

 

So now what are the next steps?

[kevinf80]

Upload Files to Virustotal

Go to http://www.virustotal.com/

• Click the Choose file button
• Navigate to the file C:\WINDOWS\system32\dnsapi.dll
• Click the Scan it tab
• If you get a message saying File has already been analyzed: click Reanalyze file now
• Copy and paste the results back here please.
• Repeat the above steps for the following file
  

C:\WINDOWS\SysWOW64\dnsapi.dll
 
Next,
 
Please download SystemLook from the following link below and save it to your Desktop. Use the correct version 32bit or 64bit.

http://jpshortstuff.247fixes.com/SystemLook_x64.exe     <<-   64 bit….

http://images.malwareremoval.com/jpshortstuff/SystemLook.exe   <<-  32 bit

• Double-click SystemLook.exe to run it.
• Copy the content of the following codebox into the main textfield:
  
  

  :filefinddnsapi.dll

• Click the Look button to start the scan.
• When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
  

Note: The log can also be found on your Desktop entitled SystemLook.txt
 

Post those logs...

 

Thank you,

 

Kevin...

[RoroPanda]

Upload Files to Virustotal

Go to http://www.virustotal.com/

 

• Click the Choose file button
• Navigate to the file C:\WINDOWS\system32\dnsapi.dll
• Click the Scan it tab
• If you get a message saying File has already been analyzed: click Reanalyze file now
• Copy and paste the results back here please.
• Repeat the above steps for the following file

C:\WINDOWS\SysWOW64\dnsapi.dll

 

 

Next,

 

Please download SystemLook from the following link below and save it to your Desktop. Use the correct version 32bit or 64bit.

http://jpshortstuff.247fixes.com/SystemLook_x64.exe     <<-   64 bit….

http://images.malwareremoval.com/jpshortstuff/SystemLook.exe   <<-  32 bit

 

• Double-click SystemLook.exe to run it.
• Copy the content of the following codebox into the main textfield:

  :filefinddnsapi.dll

• Click the Look button to start the scan.
• When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

 

Post those logs...

 

Thank you,

 

Kevin...

Ok heres the files/logs-

 

Virustotal- Virustotal scan 1.txt ,, Virustotal scan 2.txt

 

Systemlook- SystemLook.txt

 

Now whats next? 

[kevinf80]

Double-click RogueKiller.exe to run again. (Vista/7/8/8.1/10 right-click and select Run as Administrator)

When "initializing/pre-scan” completes  press the Scan button, this may take a few minutes to complete.

When the scan completes open the Tasks tab and locate the following detections:


[suspicious.Path] %WINDIR%\Tasks\UnliStorage.job -- c:\programdata\{064cf8d4-afe2-228b-064c-cf8d4afee352}\xemu360_bios.exe (--startup=1 --single) -> Found
[suspicious.Path] \UnliStorage -- c:\programdata\{064cf8d4-afe2-228b-064c-cf8d4afee352}\xemu360_bios.exe (--startup=1 --single) -> Found

Make sure those entries are Checkmarked (ticked) also ensure that all other entries in RK are not Checkmarked.

Hit the Delete button, when complete select "Report" post that log...

 

Next,

 

Run FRST one more time, ensure all boxes are checkmarked under "Whitelist" but only Addition.txt under "Optional scan" Select scan, when done post the two logs....
 

Thank you,

 

Kevin..

[RoroPanda]

Double-click RogueKiller.exe to run again. (Vista/7/8/8.1/10 right-click and select Run as Administrator)

When "initializing/pre-scan” completes  press the Scan button, this may take a few minutes to complete.

When the scan completes open the Tasks tab and locate the following detections:

[suspicious.Path] %WINDIR%\Tasks\UnliStorage.job -- c:\programdata\{064cf8d4-afe2-228b-064c-cf8d4afee352}\xemu360_bios.exe (--startup=1 --single) -> Found

[suspicious.Path] \UnliStorage -- c:\programdata\{064cf8d4-afe2-228b-064c-cf8d4afee352}\xemu360_bios.exe (--startup=1 --single) -> Found

Make sure those entries are Checkmarked (ticked) also ensure that all other entries in RK are not Checkmarked.

Hit the Delete button, when complete select "Report" post that log...

 

Next,

 

Run FRST one more time, ensure all boxes are checkmarked under "Whitelist" but only Addition.txt under "Optional scan" Select scan, when done post the two logs....

 

Thank you,

 

Kevin..

Ok I did these and here are the logs, also while doing the RK Scan, Malwarebytes popped up and had found 2 PUP, Ill post the log here also

 

Rougekiller- RogueKillerScan#2.txt

 

FRST- FRST#2.txt ,, Addition#2.txt

 

Malwarebytes- Malwarebytes scan#3.txt

 

 

Whats next?

[kevinf80]

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into.
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or the folder it was ran from. Please post it to your reply.

 

Next,

 

Download AdwCleaner by Xplode onto your Desktop.

• Double click on Adwcleaner.exe to run the tool.
• Click on the Scan in the Actions box
• Please wait fot the scan to finish..
• When "Waiting for action.Please uncheck elements you want to keep" shows in top line..
• Click on the Cleaning box.
• Next click OK on the "Closing Programs" pop up box.
• Click OK on the Information box & again OK to allow the necessary reboot
• After restart the AdwCleaner(C2)-Notepad log will appear, please copy/paste it in your next reply.
  

 

Next,

 

Download Microsoft's " Malicious Software Removal Tool" and save direct to the desktop

Ensure to get the correct version for your system....

32 Bit version:
https://www.microsoft.com/downloads/en/confirmation.aspx?FamilyId=AD724AE0-E72D-4F54-9AB3-75B8EB148356&displaylang=en

64 Bit version:
https://www.microsoft.com/downloads/en/confirmation.aspx?FamilyId=585D2BDE-367F-495E-94E7-6349F4EFFC74&displaylang=en

Right click on the Tool, select “Run as Administrator” the tool will expand to the options Window
In the "Scan Type" window, select Quick Scan
Perform a scan and  Click Finish when the scan is done.

Retrieve the MSRT log as follows, and post it in your next reply:

1) Select the Windows key and R key together to open the "Run" function
2) Type or Copy/Paste the following command to the "Run Line" and Press Enter:

notepad c:\windows\debug\mrt.log

 

Post those logs, also give an update on any remaining issues or concerns....

 

Thanks,

 

Kevin.
 

 

Fixlist.txt

[AdvancedSetup]

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!