Jump to content

Persistent Adware


Recommended Posts

A week ago both of my computers got infected at the same time with adware on Google Chrome. Malwarebytes kept blocking outbound connections to vsg.clankfaraday.com:51604 and Chrome would redirect me to a page saying that my computer needed cleaning.

I used Malwarebytes and CCleaner to clean up my system. The adware still persisted, so I uninstalled Google Chrome and manually deleted everything in the Temp folder.

Now, a week later, I get popups from Malwarebytes about a blocked outbound connection to www.tradeadexchange.com:57951 periodically. This doesn't happen often anymore though.

Long story short, just want to make sure both my computers are adware/virus free 

Thanks!

Edited by azhang24
Link to post
Share on other sites

Hello azhang24 and welcome to Malwarebytes,

My screen name is kevinf80, i`m here to help clean up your system. Make sure to run all scans from accounts with Administrator status, continue as follows please:

Anyone other than the original starter of this thread please DO NOT follow the instructions and advice posted as replies here, my help and advice is NOT related to your system and will probably cause more harm than good...

Change the download folder setting in the Default Browser only. so all of the tools we may use are saved to the Desktop:

user posted imageGoogle Chrome - Click the "Customize and control Google Chrome" button in the upper right-corner of the browser. user posted image
Choose Settings. at the bottom of the screen click the
"Show advanced settings..." link. Scroll down to find the Downloads section and click the Change... button. Select your desktop and click OK.

user posted imageMozilla Firefox - Click the "Open Menu" button in the upper right-corner of the browser. user posted image Choose Options. In the downloads section, click the Browse button, click on the Desktop folder and the click the "Select Folder" button. Click OK to get out of the Options menu.

user posted imageInternet Explorer - Click the Tools menu in the upper right-corner of the browser. user posted image Select View downloads. Select the Options link in the lower left of the window. Click Browse and select the Desktop and then choose the Select Folder button. Click OK to get out of the download options screen and then click Close to get out of the View Downloads screen.
NOTE: IE8 Does not support changing download locations in this manner. You will need to download the tool(s) to the default folder, usually Downloads, then copy them to the desktop.

user posted imageChange default download folder location in Edge -Boot to a user account with admin status, select start > file explorer > right click on "Downloads" folder and select "Properties"

In the new window select "Location" tab > clear the text field box and type in or copy/paste %userprofile%\Desktop > select "Apply" then "OK"

Safari Select settings (looks like cog wheel, top r/h corner) from the list select "Preferences" in the new window with "General Tab" selected, expand dropdown from "save downloaded files to" box, then select "other" from the new window navigate to and select "Desktop"

Be aware you are not changing the Browser download folder location, you are changing the user’s download directory location.....

Next,

Follow the instructions in the following link to show hidden files:

http://www.howtogeek.com/howto/windows-vista/show-hidden-files-and-folders-in-windows-vista/

Next,

Go here: https://www.zemana.com/Download download and install Zemana Anti-malware. Allow a shortcut to be saved to your Desktop.. The tool will be active with a 15 day trial....

Right click on user posted image Zemana Antimalware and select "Run as Administrator"

From the GUI select "Settings"

user posted image

In the new window Select 1. Updates, when complete Select 2. Real Time Protection.

user posted image

In the next window make sure 1. all boxes are checkmarked and the action is "Quarantine" and then " 2. Select the home icon.

user posted image

In the new window select "Scan"

user posted image

When the scan completes check each found entry (if any). For "Suspicious Browser Settings" choose REPAIR for all other entries choose QUARANTINE then select the "Next" tab


The action complete window will open, from there select the "Back" tab. That will take you back to the home screen...

On that screen select the "Reports" tab. (Looks like 3 chimneys)

user posted image

On that screen select and highlite the scan details line, then select "Open Report"

user posted image

Copy and paste that log to your reply...

Next,

user posted imageEmsisoft Emergency Kit
  • Click Here to download Emsisoft Emergency Kit. The download will automatically start after a moment.
  • Save EmsisoftEmergencyKit.exe to your Desktop.
  • Double click on EmsisoftEmergencyKit.exe (Windows Vista/7/8/10 users: Accept UAC warning if it is enabled). A screen like this will appear:
    user posted image
     
  • Leave everything as it is, then click Extract. This will unpack Emsisoft Emergency Kit to the EEK folder located in the root drive (usually C:\).
  • Once the extraction is done, an icon will appear on your Desktop. Double click it to start Emsisoft Emergency Kit.
    user posted image
     
  • Wait for Emsisoft Emergency Kit to finish loading signatures. A screen like this should appear:
    user posted image
     
  • Choose Yes, then wait for EEK to finish updating.
  • Choose Malware Scan under the Scan button. When EEK asks to activate PUP detection, choose Yes.
  • Wait for the scan to finish.
    user posted image
     
  • If EEK detects something, all detected items will be displayed. Place a checkmark before everything, then choose Quarantine Selected.
  • If Emsisoft Emergency Kit asks to reboot, please do so immediately.
  • The scan log is located in Logs -> Scan Logs. Click on the entry of the latest scan, choose Export and save the report on your Desktop.
    user posted image
     
  • Please Copy and Paste the contents of the scan log in your next reply.[/LIST

    Next,

    Download Farbar Recovery Scan Tool and save it to your desktop.

    Alternative download option: http://www.techspot.com/downloads/6731-farbar-recovery-scan-tool.html

    Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

    If your security alerts to FRST either, accept the alert or turn your security off to allow FRST to run. It is not malicious or infected in any way...

    Be aware FRST must be run from an account with Administrator status...

    • Double-click to run it. When the tool opens click Yes to disclaimer.(Windows 8/10 users will be prompted about Windows SmartScreen protection - click More information and Run.)
    • Make sure Addition.txt is checkmarked under "Optional scans"
    • Press Scan button to run the tool....
    • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
    • The tool will also make a log named (Addition.txt) Please attach that log to your reply.

      Let me see those logs in your next reply....

      Thank you,

      Kevin.
Link to post
Share on other sites

Here is the requested information for Computer 1

Zemana AntiMalware 2.72.2.388 (Installed)

-------------------------------------------------------
Scan Result            : Completed
Scan Date              : 2017/5/20
Operating System       : Windows 10 64-bit
Processor              : 4X Intel(R) Core(TM) i5-4570T CPU @ 2.90GHz
BIOS Mode              : UEFI
CUID                   : 12AB5FF9AB04EF5D6A944C
Scan Type              : System Scan
Duration               : 2m 2s
Scanned Objects        : 115335
Detected Objects       : 1
Excluded Objects       : 0
Read Level             : Normal
Auto Upload            : Enabled
Detect All Extensions  : Disabled
Scan Documents         : Disabled
Domain Info            : WORKGROUP,0,2

Detected Objects
-------------------------------------------------------

Chrome Startup Url
Status             : Scanned
Object             : https://www.outlook.com/owa/
MD5                : -
Publisher          : -
Size               : -
Version            : -
Detection          : Suspicious Browser Setting
Cleaning Action    : Repair
Related Objects    :
                Browser Setting - Chrome Startup Url


Cleaning Result
-------------------------------------------------------
Cleaned               : 1
Reported as safe      : 0
Failed                : 0

 

Emsisoft Emergency Kit - Version 2017.4
Last update: 20/05/2017 13:50:23
User account: LENOVO-M93P\AARON
Computer name: LENOVO-M93P
OS version: Windows 10x64 

Scan settings:

Scan type: Malware Scan
Objects: Rootkits, Memory, Traces, Files

Detect PUPs: On
Scan archives: Off
ADS Scan: On
File extension filter: Off
Direct disk access: Off

Scan start:    20/05/2017 13:50:44
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{95B7759C-8C7F-4BF1-B163-73684A933233}     detected: Application.AdReg (A) [271424]
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\INTERFACE\{C401D2CE-DC27-45C7-BC0C-8E6EA7F085D6}     detected: Application.AdReg (A) [272128]
Key: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{95B7759C-8C7F-4BF1-B163-73684A933233}     detected: Application.BHO (A) [274104]

Scanned    83382
Found    3

Scan end:    20/05/2017 13:52:01
Scan time:    0:01:17

Key: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{95B7759C-8C7F-4BF1-B163-73684A933233}     Application.BHO (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\INTERFACE\{C401D2CE-DC27-45C7-BC0C-8E6EA7F085D6}     Application.AdReg (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{95B7759C-8C7F-4BF1-B163-73684A933233}     Application.AdReg (A)

Quarantined    3
 

Edited by azhang24
Link to post
Share on other sites

Here is the requested information for Computer 2

Zemana AntiMalware 2.72.2.388 (Installed)

-------------------------------------------------------
Scan Result            : Completed
Scan Date              : 2017/5/20
Operating System       : Windows 10 64-bit
Processor              : 4X Intel(R) Core(TM) i5-6200U CPU @ 2.30GHz
BIOS Mode              : Legacy
CUID                   : 120A04479B4F95D2D8DC65
Scan Type              : System Scan
Duration               : 2m 0s
Scanned Objects        : 59729
Detected Objects       : 1
Excluded Objects       : 0
Read Level             : SCSI
Auto Upload            : Enabled
Detect All Extensions  : Disabled
Scan Documents         : Disabled
Domain Info            : WORKGROUP,0,2

Detected Objects
-------------------------------------------------------

Chrome Startup Url
Status             : Scanned
Object             : https://www.outlook.com/owa/
MD5                : -
Publisher          : -
Size               : -
Version            : -
Detection          : Suspicious Browser Setting
Cleaning Action    : Repair
Related Objects    :
                Browser Setting - Chrome Startup Url


Cleaning Result
-------------------------------------------------------
Cleaned               : 1
Reported as safe      : 0
Failed                : 0
 

Emsisoft Emergency Kit - Version 2017.4
Last update: 20/05/2017 14:03:42
User account: LENOVO-X1Y\aaron
Computer name: LENOVO-X1Y
OS version: Windows 10x64 

Scan settings:

Scan type: Malware Scan
Objects: Rootkits, Memory, Traces, Files

Detect PUPs: On
Scan archives: Off
ADS Scan: On
File extension filter: Off
Direct disk access: Off

Scan start:    20/05/2017 14:04:33

Scanned    79007
Found    0

Scan end:    20/05/2017 14:06:10
Scan time:    0:01:37
 

Addition.txt

FRST.txt

Edited by azhang24
Link to post
Share on other sites

17 minutes ago, azhang24 said:

Here is the requested information for Computer 1

Zemana AntiMalware 2.72.2.388 (Installed)

-------------------------------------------------------
Scan Result            : Completed
Scan Date              : 2017/5/20
Operating System       : Windows 10 64-bit
Processor              : 4X Intel(R) Core(TM) i5-4570T CPU @ 2.90GHz
BIOS Mode              : UEFI
CUID                   : 12AB5FF9AB04EF5D6A944C
Scan Type              : System Scan
Duration               : 2m 2s
Scanned Objects        : 115335
Detected Objects       : 1
Excluded Objects       : 0
Read Level             : Normal
Auto Upload            : Enabled
Detect All Extensions  : Disabled
Scan Documents         : Disabled
Domain Info            : WORKGROUP,0,2

Detected Objects
-------------------------------------------------------

Chrome Startup Url
Status             : Scanned
Object             : https://www.outlook.com/owa/
MD5                : -
Publisher          : -
Size               : -
Version            : -
Detection          : Suspicious Browser Setting
Cleaning Action    : Repair
Related Objects    :
                Browser Setting - Chrome Startup Url


Cleaning Result
-------------------------------------------------------
Cleaned               : 1
Reported as safe      : 0
Failed                : 0

 

Emsisoft Emergency Kit - Version 2017.4
Last update: 20/05/2017 13:50:23
User account: LENOVO-M93P\AARON
Computer name: LENOVO-M93P
OS version: Windows 10x64 

Scan settings:

Scan type: Malware Scan
Objects: Rootkits, Memory, Traces, Files

Detect PUPs: On
Scan archives: Off
ADS Scan: On
File extension filter: Off
Direct disk access: Off

Scan start:    20/05/2017 13:50:44
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{95B7759C-8C7F-4BF1-B163-73684A933233}     detected: Application.AdReg (A) [271424]
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\INTERFACE\{C401D2CE-DC27-45C7-BC0C-8E6EA7F085D6}     detected: Application.AdReg (A) [272128]
Key: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{95B7759C-8C7F-4BF1-B163-73684A933233}     detected: Application.BHO (A) [274104]

Scanned    83382
Found    3

Scan end:    20/05/2017 13:52:01
Scan time:    0:01:17

Key: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{95B7759C-8C7F-4BF1-B163-73684A933233}     Application.BHO (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\INTERFACE\{C401D2CE-DC27-45C7-BC0C-8E6EA7F085D6}     Application.AdReg (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{95B7759C-8C7F-4BF1-B163-73684A933233}     Application.AdReg (A)

Quarantined    3
 

... and the logs from the farbar scan for computer 1

Addition.txt

FRST.txt

Edited by azhang24
Link to post
Share on other sites

We cannot work two PC`s together in one thread, this will cause confusion.. Stick with "Computer 1" when we have this one clean then move to "Computer 2" If these PC`s are networked together please disconnect... Continue with the following for Computer 1

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file"
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or the folder it was ran from. Please post it to your reply.

Next,

Download AdwCleaner by Xplode onto your Desktop.

Or from this Mirror
 
  • Double click on Adwcleaner.exe to run the tool
  • Click on the Scan in the Actions box
  • Please wait fot the scan to finish..
  • When "Waiting for action.Please uncheck elements you want to keep" shows in top line..
  • Click on the Cleaning box.
  • Next click OK on the "Closing Programs" pop up box.
  • Click OK on the Information box & again OK to allow the necessary reboot
  • After restart the AdwCleaner(C*)-Notepad log will appear, please copy/paste it in your next reply. Where * is the number relative to list of scans completed...


Next,

Download Microsoft's " Malicious Software Removal Tool" and save direct to the desktop

Ensure to get the correct version for your system....

32 Bit version:
https://www.microsoft.com/downloads/en/confirmation.aspx?FamilyId=AD724AE0-E72D-4F54-9AB3-75B8EB148356&displaylang=en

64 Bit version:
https://www.microsoft.com/downloads/en/confirmation.aspx?FamilyId=585D2BDE-367F-495E-94E7-6349F4EFFC74&displaylang=en

Right click on the Tool, select “Run as Administrator” the tool will expand to the options Window
In the "Scan Type" window, select Quick Scan
Perform a scan and Click Finish when the scan is done.

Retrieve the MSRT log as follows, and post it in your next reply:

1) Select the Windows key and R key together to open the "Run" function
2) Type or Copy/Paste the following command to the "Run Line" and Press Enter:

notepad c:\windows\debug\mrt.log

The log will include log details for each time MSRT has run, we only need the most recent log by date and time....

Post those logs, also tell me if this PC (computer 1) has any remaining issues or concerns...

Thank you,

Kevin...

fixlist.txt

Link to post
Share on other sites

Here are the logs.

Forgot to attach my first AdwCleaner one to my original post, so I've attached it here. It's the AdwCleaner[C0] one.


---------------------------------------------------------------------------------------
Microsoft Windows Malicious Software Removal Tool v5.48, May 2017 (build 5.48.13801.0)
Started On Tue May 23 11:55:55 2017

Engine: 1.1.13701.0
Signatures: 1.241.491.0
Run Mode: Interactive Graphical Mode

Results Summary:
----------------
No infection found.
Successfully Submitted MAPS Report
Successfully Submitted Heartbeat Report
Microsoft Windows Malicious Software Removal Tool Finished On Tue May 23 12:00:06 2017


Return code: 0 (0x0)
 

Thanks Kevin; don't have any remaining concerns. Haven't seen any popups for a few days.

Fixlog.txt

AdwCleaner[C2].txt

AdwCleaner[C0].txt

Link to post
Share on other sites

Run the following on PC no 2..

Download Farbar Recovery Scan Tool and save it to your desktop.

Alternative download option: http://www.techspot.com/downloads/6731-farbar-recovery-scan-tool.html

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

If your security alerts to FRST either, accept the alert or turn your security off to allow FRST to run. It is not malicious or infected in any way...

Be aware FRST must be run from an account with Administrator status...
 
  • Double-click to run it. When the tool opens click Yes to disclaimer.(Windows 8/10 users will be prompted about Windows SmartScreen protection - click More information and Run.)
  • Make sure Addition.txt is checkmarked under "Optional scans"
  • Press Scan button to run the tool....
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The tool will also make a log named (Addition.txt) Please attach that log to your reply.

Thank you,

Kevin....

Link to post
Share on other sites

Do not see any malware or infection in those logs... Run the following:

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file"
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or the folder it was ran from. Please post it to your reply.

Next,

Download AdwCleaner by Xplode onto your Desktop.

Or from this Mirror
 
  • Double click on Adwcleaner.exe to run the tool
  • Click on the Scan in the Actions box
  • Please wait fot the scan to finish..
  • When "Waiting for action.Please uncheck elements you want to keep" shows in top line..
  • Click on the Cleaning box.
  • Next click OK on the "Closing Programs" pop up box.
  • Click OK on the Information box & again OK to allow the necessary reboot
  • After restart the AdwCleaner(C*)-Notepad log will appear, please copy/paste it in your next reply. Where * is the number relative to list of scans completed...



Next,

user posted imageEmsisoft Emergency Kit
  • Click Here to download Emsisoft Emergency Kit. The download will automatically start after a moment.
  • Save EmsisoftEmergencyKit.exe to your Desktop.
  • Double click on EmsisoftEmergencyKit.exe (Windows Vista/7/8/10 users: Accept UAC warning if it is enabled). A screen like this will appear:
    user posted image
     
  • Leave everything as it is, then click Extract. This will unpack Emsisoft Emergency Kit to the EEK folder located in the root drive (usually C:\).
  • Once the extraction is done, an icon will appear on your Desktop. Double click it to start Emsisoft Emergency Kit.
    user posted image
     
  • Wait for Emsisoft Emergency Kit to finish loading signatures. A screen like this should appear:
    user posted image
     
  • Choose Yes, then wait for EEK to finish updating.
  • Choose Malware Scan under the Scan button. When EEK asks to activate PUP detection, choose Yes.
  • Wait for the scan to finish.
    user posted image
     
  • If EEK detects something, all detected items will be displayed. Place a checkmark before everything, then choose Quarantine Selected.
  • If Emsisoft Emergency Kit asks to reboot, please do so immediately.
  • The scan log is located in Logs -> Scan Logs. Click on the entry of the latest scan, choose Export and save the report on your Desktop.
    user posted image
     
  • Please Copy and Paste the contents of the scan log in your next reply.

Let me see those logs, also tell me if there are any remaining issues or concerns...

Thank you,

Kevi

Link to post
Share on other sites

  • 2 months later...
  • Root Admin

We're sorry. It looks like your topic was somehow overlooked. Due to the length of time we'll go ahead and close this topic now but if you still actually need help please send a private message to one of the Moderators and we'll assist you.Thank you and sorry we missed your topic.

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.