
Adware refuses to go away



Hi, I'm having trouble with some stupid adware that has been on Chrome for two days now, and it won't go away. I don't even know how I got it since I haven't installed anything since March 26th (excluding Malwarebytes), and that was Rainmeter.

I've tried many different things to eliminate this adware spanning from scanning my PC with Malwarebytes four times, quarantining the threats it did end up finding, using AdwCleaner twice, using HitmanPro, System Restore, Farbar Recovery Scan Tool, Junk Removal Tool, until finally I completely removed Chrome from my computer and reinstalled it. It came right back a day later.

I'm at the point where I don't know what to do and I'm worried I'll have to reformat my computer, which is frustrating because I don't have the disc with my OS anymore.

Any help would be much appreciated because I'm about to throw my computer out on the road. Thanks in advance.

 

**EDIT** I should mention Malwarebytes is blocking many of the popups I'm getting. Sites such as these are trying to come up (putting spaces between dots to avoid linking, just to be safe):

pixel . uprise . website

zcx . herdatrocious . com

There's more than that, I'll update as I see them.

There's also the fact that sometimes when I try to search something, a thing at the top of the results will appear, labeled "RocketTab, powered by addonjet."

Edited by alternates300

Hi alternates300 :)

My name is Aura and I'll be assisting you with your malware issue. Since we'll be working together, you can call me Aura or Yoan, which is my real name, it's up to you! Now that we've broken the ice, I'll just ask you a few things during the time we'll be working together to clean your system and get it back to an operational state.

  • As you'll notice, the logs we are asking for here are quite lengthy, so it's normal for me to not reply exactly after you post them. This is because I need some time to analyse them and then act accordingly. However, I'll always reply within 24 hours, 48 hours at most if something unexpected happens;
  • As long as I'm assisting you on Malwarebytes Forums, in this thread, I'll ask you to not seek assistance anywhere else for any issue related to the system we are working on. If you have an issue, question, etc. about your computer, please ask it in this thread and I'll assist you;
  • The same principle applies to any modifications you make to your system, I would like you to ask me before you do any manipulations that aren't in the instructions I posted. This is to ensure that we are operating in sync and I know exactly what's happening on your system;
  • If you aren't sure about an instruction I'm giving you, ask me about it. This is to ensure that the clean-up process goes without any issue. I'll answer you and even give you more precise instructions/explanations if you need. There's no shame in asking questions here, better be safe than sorry!;
  • If you don't reply to your thread within 3 days, I'll bump this thread to let you know that I'm waiting for you. If you don't reply after 5 days, it'll be closed. If you return after that period, you can send me a PM to get it unlocked and we'll continue where we left off;
  • Since malware can work quickly, we want to get rid of them as fast as we can, before they make unknown changes to the system. This being said, I would appreciate if you could reply to this thread within 24 hours of me posting. This way, we'll have a good clean-up rhythm and the chances of complications will be reduced;
  • I'm against any form of pirated, illegal and counterfeit software and material. So if you have any installed on your system, I'll ask you to uninstall them right now. You don't have to tell me if you indeed had some or not, I'll give you the benefit of the doubt. Plus, this would be against Malwarebytes Forums's rules;
  • In the end, you are the one asking for assistance here. So if you wish to go a different way during the clean-up, like format and reinstall Windows, you are free to do so. I would appreciate it if you let me know about it first, and if you need, I can also assist you in the process;
  • I would appreciate if you were to stay with me until the end, which means, until I declare your system clean. Just because your system isn't behaving weirdly anymore, or is running better than before, it doesn't mean that the infection is completely gone;
    This being said, I have a full time job so sometimes it'll take longer for me to reply to you. Don't worry, you'll be my first priority as soon as I get home and have time to look at your thread;


This being said, it's time to clean-up some malware, so let's get started, shall we? :)

Follow the instructions in the thread below, and provide me both the FRST.txt and Addition.txt logs please.

https://forums.malwarebytes.com/topic/9573-im-infected-what-do-i-do-now/

 


I got Ad-Aware after the viruses started appearing because I've used it before, so I trust it. It came from a site called lavasoft.com. I need to renew the license though so I uninstalled it.

As for those logs, I'm not sure I still have them. What would they be called?

Edited by alternates300

From your FRST.txt logs, I can see the following:

C:\Users\Trent\Desktop\JRT.txt
C:\Users\Trent\Desktop\Fixlog.txt

And the logs from Malwarebytes can be obtained straight from the program. I can provide further instructions once I get home if needed.

The logs from AdwCleaner can be found in C:\AdwCleaner (I think there's a folder called "logs" inside). Just take the latest log (you can order them by "Modified" date) and copy/paste it here. For HitmanPro, I would have to look around. See if you can find them from within the program.


Alright. Sorry I'm replying slowly, I'm doing a lot right now.

I'm not quite sure which one would be most important in regards to AdwCleaner so I just included both of the latest documents, "[C2]" was modified at 10:16 PM and "[S1]" was modified at 10:13 PM, both on April 20th.

I can't find the HitmanPro one. I'm not sure I have it anymore. Should I try that again?

 

**EDIT** Added the date the documents were modified.

JRT.txt

Fixlog.txt

AdwCleaner[C2].txt

AdwCleaner[S1].txt

Edited by alternates300

I'll try it out and let you know soon after if this worked. I stopped getting the ads for a couple days but they came back yesterday, so I'm gonna install that extension and see how it goes.

 

EDIT: Rephrased my first sentence to "soon after" rather than "in a couple days."

Edited by alternates300

It took about 6 hours but I'm still getting them even having installed that extension. The same ones from before, plus more:

nan . mashfsttest . com

lsi . fightostler . com

There's also a thing at the bottom right of some pages that says "Interstitial Information?" that starts appearing every time the virus starts coming up.

Edited by alternates300

Sorry, it seems like I missed your post last week. I suspect that one of your Google Chrome extensions is causing these ads. Do you know the extensions listed below?

Quest
Fun Switcher
Realm of the Mad God
Photo Zoom for Twitter
The Weather Channel for Chrome
Social Fixer for Facebook
https://twitter.com/account/authentic...

I cannot find anything on these extensions, or they come up as being suspicious in my Google searches (one of them is also flagged as a PUP by McAfee).

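One way to check what is installed in the Chrome profile, as an added example that is not part of the original thread: this Python script reads each extension's manifest.json under the profile's Extensions folder (on Windows typically `%LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions`), resolves localized names, and reports which extensions request access to every page, the access an extension needs to inject ads into arbitrary sites. The function names and the two sample extensions built by `demo()` are constructed for illustration.

```python
import json
import tempfile
from pathlib import Path

BROAD = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}  # match every page

def display_name(ext_dir, manifest):
    """Resolve a __MSG_key__ name via _locales/<default_locale>/messages.json."""
    name = manifest.get("name", "")
    if name.startswith("__MSG_") and name.endswith("__"):
        key = name[6:-2].lower()
        path = ext_dir / "_locales" / manifest.get("default_locale", "en") / "messages.json"
        try:
            msgs = json.loads(path.read_text(encoding="utf-8-sig"))
            name = next((v["message"] for k, v in msgs.items() if k.lower() == key), name)
        except (OSError, ValueError, KeyError, TypeError, AttributeError):
            pass  # keep the raw placeholder if the locale file is unusable
    return name

def audit_extensions(ext_root):
    """One record per <extension id>/<version>/manifest.json under ext_root."""
    report = []
    for mf in sorted(Path(ext_root).glob("*/*/manifest.json")):
        try:
            m = json.loads(mf.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable manifest: skip it, keep auditing the rest
        hosts = {p for p in m.get("permissions", []) if isinstance(p, str)}
        hosts |= set(m.get("host_permissions", []))
        for script in m.get("content_scripts", []):
            hosts |= set(script.get("matches", []))
        report.append({"id": mf.parts[-3], "name": display_name(mf.parent, m),
                       "version": m.get("version"), "broad": sorted(hosts & BROAD)})
    return report

def demo():
    """Audit two constructed extensions written to a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        a, b = Path(tmp, "a" * 32, "1.0_0"), Path(tmp, "b" * 32, "2.3_0")
        (a / "_locales" / "en").mkdir(parents=True)
        b.mkdir(parents=True)
        (a / "_locales" / "en" / "messages.json").write_text(
            json.dumps({"appName": {"message": "Constructed Photo Helper"}}))
        (a / "manifest.json").write_text(json.dumps({
            "name": "__MSG_appName__", "version": "1.0", "default_locale": "en",
            "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}]}))
        (b / "manifest.json").write_text(json.dumps({
            "name": "Constructed Weather", "version": "2.3", "permissions": ["storage"]}))
        return audit_extensions(tmp)
```

Point `audit_extensions()` at the real Extensions folder; the `id` field is the folder name, which can be matched against the ID shown on chrome://extensions.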

I remember installing all of those except the last Twitter one. Quest, I installed a couple years ago and all it is is a text adventure thing, Fun Switcher I forgot what that is, don't know why I installed it but I'll uninstall because it looks dumb, Realm of the Mad God is just a game that's also on Steam, Photo Zoom for Twitter just enlarges photos on Twitter by hovering the mouse over it, The Weather Channel is just The Weather Channel, Social Fixer I use.

Which one is coming up as a PUP? If it just so happens to be that twitter.com one then yeah, that's extremely suspicious because I don't know what it is.

EDIT: Also I think I just found something that I don't remember installing, it was called "Click&Clean App." I just now deleted it, but yeah, I don't exactly remember getting that.

Edited by alternates300

You can remove the Twitter one (last one listed in my previous post).

Also, it looks like "Photo Zoom for Twitter" has an Adware module.

https://malwaretips.com/blogs/ads-by-photo-zoom-for-twitter-removal/
https://www.reddit.com/r/chrome_extensions/comments/678nuu/malware_alert_extension_photo_zoom_for_twitter/

And it's the extension flagged as PUP by McAfee.

https://home.mcafee.com/VirusInfo/VirusProfile.aspx?key=9534134

 


Alright. There are programs, extensions, etc. that start legitimately (in a clean state) and, as time passes, end up adding adware features in order to have an income for some reason (maybe for the dev's own profit, maybe to get funding to keep the project going, etc.). AceStream is a good example.
