
laubeyrietechnology Ads X not removed by MWB



I have "laubeyrietechnology Ads X" malware on Chrome, probably caused by installing FVD_Downloader_Module_1.0.8.msi for Chrome.
As a result, I see advertising blocks before and after Google search results in Chrome (not on Firefox).
After clicking on links in these ads, they redirect to
laubeyrietechnology.com
The advertising block disappears after clicking "x" next to Ads.

I tried all the usual things such as uninstalling and reinstalling Chrome, resetting Chrome, disabling Chrome extensions, looking for suspicious programs, and running Malwarebytes and adwcleaner_7.2.4.0.exe, all to no avail. Even if I boot in safe mode with networking, the ads still appear.

Attached are the Malwarebytes scan log, FRST.txt and Addition.txt.

MWB_Log.txt

FRST_25-11-2018 12.12.55.txt

Addition_25-11-2018 12.12.55.txt


Hello, Welcome to Malwarebytes.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Please download the attached Fixlist.txt file to the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the FRST.txt log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Let me know if the problem persists in Chrome.

fixlist.txt


Hi,

This could be a syncing issue if you are syncing Chrome with other devices.
To remove it you will have to reset the sync in Chrome.

Read this article and proceed.

Chrome Secure Preferences detection always comes back
https://forums.malwarebytes.com/topic/214325-chrome-secure-preferences-detection-always-comes-back/


Update: I just discovered something interesting. When I use ExpressVPN and change my IP to another country, the ads do not appear in Chrome.
Changing my IP to another IP in my country does not help. It only helps if I change to another country.
This is regardless of whether I am signed in or not.
Hope this new clue can help us track down this malware.


Touch wood, but for now it looks like it is gone, even without having to change my IP to another country.

The change-of-IP clue gave me the idea to have a look in C:\Windows\System32\drivers\etc\hosts
I saw that on the date of infection this was added to the hosts file:

5.149.253.143 www.gstatic.com
5.149.253.143 www.google-analytics.com
5.149.253.143 adservice.google.com

I removed them and rebooted, but I also needed to "Restore Settings to their Original Defaults" in Chrome for the ads to disappear.
I also deleted any cookies from the last few weeks, but I am not sure if this was necessary as I only tested after having done both the Restore Settings and clearing cookies.

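The hosts-file check described in the post above, as an added example (this is not the poster's or Malwarebytes' code). It parses hosts-file text, treats loopback and unspecified targets as ordinary blocking entries, and flags any name handed to a publicly routable address, grouped by that address. The sample hosts content is constructed: the IP 5.149.253.143 and the three Google hostnames are the ones quoted in the post, and the blocking entry for ads.example.net is made up. On Windows the script reads the live file under %SystemRoot%\System32\drivers\etc\hosts and prints its modification time, since that timestamp is what tied the entries to the infection date here.

```python
"""Audit a Windows hosts file for hijacked entries.

Added example; not code from the thread. SAMPLE_HOSTS is constructed: a stock
Windows header, one ordinary ad-blocking line, and the three lines the poster
found (address and hostnames taken from the post).
"""
from __future__ import annotations

import ipaddress
import os
import time
from collections import defaultdict
from dataclasses import dataclass

# Resolve the file via %SystemRoot%; on non-Windows hosts the path will not exist.
WINDOWS_HOSTS = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                             "System32", "drivers", "etc", "hosts")

SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#	127.0.0.1       localhost
#	::1             localhost
127.0.0.1    ads.example.net    # blocking an ad host: normal, harmless (made up)
5.149.253.143 www.gstatic.com
5.149.253.143 www.google-analytics.com
5.149.253.143 adservice.google.com
"""


@dataclass(frozen=True)
class HostsEntry:
    line_no: int
    address: str
    hostnames: tuple[str, ...]


def parse_hosts(text: str) -> list[HostsEntry]:
    """Parse hosts-file text: '<ip> <name> [<name> ...]'; '#' starts a comment."""
    entries: list[HostsEntry] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue                      # blank, comment-only or malformed
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue                      # not an address; Windows ignores it too
        entries.append(HostsEntry(line_no, fields[0], tuple(fields[1:])))
    return entries


def is_sinkhole(address: str) -> bool:
    """127.0.0.1, ::1 and 0.0.0.0 only *block* a name; they cannot redirect it."""
    ip = ipaddress.ip_address(address)
    return ip.is_loopback or ip.is_unspecified


def find_hijacks(text: str) -> list[HostsEntry]:
    """Entries that resolve a name to a publicly routable address.

    The browser still believes it is talking to e.g. www.gstatic.com, but the
    content it loads comes from whoever controls that address.
    """
    return [e for e in parse_hosts(text)
            if not is_sinkhole(e.address)
            and ipaddress.ip_address(e.address).is_global]


def hijacks_by_address(text: str) -> dict[str, list[str]]:
    """Group hijacked names by target; several unrelated names on one address
    is the pattern to look at first."""
    groups: dict[str, list[str]] = defaultdict(list)
    for entry in find_hijacks(text):
        groups[entry.address].extend(entry.hostnames)
    return dict(groups)


def report(text: str, label: str) -> None:
    print(f"== {label} ==")
    for address, names in hijacks_by_address(text).items():
        print(f"{address} is being handed the following names:")
        for name in names:
            print(f"    {name}")


if __name__ == "__main__":
    if os.path.exists(WINDOWS_HOSTS):
        with open(WINDOWS_HOSTS, encoding="utf-8", errors="replace") as fh:
            live = fh.read()
        stamp = time.strftime("%Y-%m-%d %H:%M",
                              time.localtime(os.path.getmtime(WINDOWS_HOSTS)))
        report(live, f"{WINDOWS_HOSTS} (last modified {stamp})")
    else:
        report(SAMPLE_HOSTS, "constructed sample")
```

Run it without arguments: on Windows it audits the live file, elsewhere it runs over the constructed sample and prints the three Google names under 5.149.253.143. One general caveat worth keeping in mind when reading such a result: for HTTPS-only domains a hosts redirect alone would produce certificate errors unless something else (a rogue root certificate, a proxy) is also in place, so checking the machine's trusted root store is the natural follow-up after cleaning the hosts file.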

No, I never used that IP before. I certainly did not add it to the hosts file. I am based in Asia, not in Canada, and never used a Canadian VPN. The date stamp of the hosts file corresponded with the date of the infection, so these three entries must have been made on that date because I only modified my hosts file many years ago.


Thank you for your assistance.

Do you think that just those entries in the hosts file were enough for Chrome to show those ads? Or do you think Chrome still needs to make use of remnant malware on my computer to do so?

I also wonder why changing my IP to another country also made them disappear. Possibly it checks the IP of the computer the redirect comes from? I wonder why it would do that.



You got me thinking, it happens at my age. 😃

It may be that your Internet Settings\ZoneMap\Domains were compromised.

Please download the attached Fixlist.txt file to the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the FRST.txt log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

How is the computer running now?

fixlist.txt

Edited by nasdaq

Haha... that makes two of us, this nasty virus definitely got me thinking as well 😃
The computer works fine now, no more ads, so in the spirit of "if it ain't broke, don't fix it", I am a bit reluctant to make changes because I wasted about 4 days on killing this virus.

I need to get my restore point working first as that apparently did not work with the previous FRST. Alternatively I could make a backup of the registry first.

So I have not run FRST yet. However, when having a quick look at the current registry, I observed the following:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
\Domains and \Ranges from your fixlist.txt are there,
but I also see \EscDomains and \ProtocolDefaults

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
only has \Protocols;
\Domains, \Ranges and \EscDomains from your fixlist.txt are missing

Not sure if that is normal.
 


Thank you. At least it is good to know this is an area to look for in case of future problems.

There does seem to be nothing suspicious in the ZoneMap area. Here and there I see a hexadecimal value like 0, 1, 2, or 3, except perhaps for this @ivt:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults]
@ivt    REG_DWORD    0x00000001 (1)

Safe to delete?

 


Hi,

Cannot find anything real about @ivt

This fix will change the Reg_DWORD 0x00000001 (1) value to 0.
Meaning it will be disabled.

Copy all the text IN THE QUOTE BOX below to Notepad. Save it as fixme.reg to your desktop.
Be sure the "Save as" type is set to "all files". Once you have saved it, right-click the .reg file and allow it to merge with the registry.


Windows Registry Editor Version 5.00

; Changes the @ivt value under ProtocolDefaults from 1 to 0.
; (A "[-KEY]" line would delete the whole ProtocolDefaults key, which is not wanted here.)
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults]
"@ivt"=dword:00000000

Restart the computer when completed.

You can delete the fixme.reg file when done.
===

Has your problem been solved?

p.s.
We can reset the value if needed.
 

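The ZoneMap review in the posts above (the Domains, Ranges and ProtocolDefaults sub-keys, and the @ivt value) as an added example that is not code from the thread, from FRST or from Malwarebytes. Rather than reading the keys by hand, export them once with `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap" zonemap.reg` and run the script over the .reg file, on any operating system. It lists every site-to-zone assignment, the per-protocol defaults, and singles out anything placed in a zone more trusting than Internet (3). The sample export is constructed: the sites trusted-example.test, www.example.com and 192.0.2.* are made up, and only the @ivt value of 1 mirrors what the poster reported; the other ProtocolDefaults values are assumed.

```python
"""Parse a 'reg export' dump of the ZoneMap key and report which sites have
been mapped into which Windows security zone.

Added example, not code from the thread. SAMPLE_EXPORT is constructed to look
like an export of the HKCU ZoneMap key; the sites in it are made up and only
the @ivt value (1) mirrors what the poster reported.
"""
from __future__ import annotations

import re

# Zone numbers used by ZoneMap.
ZONE_NAMES = {
    0: "My Computer",
    1: "Local intranet",
    2: "Trusted sites",
    3: "Internet",
    4: "Restricted sites",
}

SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\trusted-example.test]
"http"=dword:00000002
"https"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example.com\www]
"*"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range1]
":Range"="192.0.2.*"
"*"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults]
"@ivt"=dword:00000001
"http"=dword:00000003
"https"=dword:00000003
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
# "name"=dword:00000002   or   "name"="string value"
VALUE_RE = re.compile(r'^"([^"]+)"=(?:dword:([0-9A-Fa-f]{8})|"((?:[^"\\]|\\.)*)")$')


def load_export(path: str) -> str:
    """reg.exe writes UTF-16 with a BOM; the legacy REGEDIT4 format is ANSI."""
    with open(path, "rb") as fh:
        data = fh.read()
    if data.startswith((b"\xff\xfe", b"\xfe\xff")):
        return data.decode("utf-16")
    return data.decode("cp1252")


def _keys_under_zonemap(text: str) -> dict[str, dict[str, int | str]]:
    r"""Map each sub-key path (relative to ...\ZoneMap) to its values."""
    keys: dict[str, dict[str, int | str]] = {}
    current: str | None = None
    for raw in text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            path = key.group(1)
            idx = path.lower().find("\\zonemap\\")
            current = path[idx + len("\\zonemap\\"):] if idx >= 0 else None
            if current is not None:
                keys.setdefault(current, {})
            continue
        if current is None:
            continue
        value = VALUE_RE.match(line)
        if value:
            name, dword, string = value.groups()
            keys[current][name] = int(dword, 16) if dword is not None else string
    return keys


def parse_zonemap(text: str) -> list[tuple[str, str, int]]:
    r"""Return (site, protocol, zone) for every Domains\ and Ranges\ assignment.

    Domains\example.com       -> example.com and every host under it
    Domains\example.com\www   -> www.example.com only
    Ranges\RangeN (":Range")  -> an IP pattern such as 192.0.2.*
    """
    assignments: list[tuple[str, str, int]] = []
    for rel, values in _keys_under_zonemap(text).items():
        parts = rel.split("\\")
        kind = parts[0].lower()
        if kind == "domains" and len(parts) == 2:
            site = parts[1]
        elif kind == "domains" and len(parts) == 3:
            site = f"{parts[2]}.{parts[1]}"
        elif kind == "ranges" and len(parts) == 2 and isinstance(values.get(":Range"), str):
            site = values[":Range"]
        else:
            continue
        for proto, zone in values.items():
            if isinstance(zone, int):
                assignments.append((site, proto, zone))
    return assignments


def protocol_defaults(text: str) -> dict[str, int]:
    """Per-protocol fallback zone, used when no site entry matches a URL."""
    values = _keys_under_zonemap(text).get("ProtocolDefaults", {})
    return {k: v for k, v in values.items() if isinstance(v, int)}


def find_elevated(text: str) -> list[tuple[str, str, int]]:
    """Sites placed in a more trusting zone than Internet (3).

    Zone 4 entries only *restrict* a site (blocklists use ZoneMap that way);
    zones 0-2 grant extra privileges and are what to review.
    """
    return [a for a in parse_zonemap(text) if a[2] < 3]


if __name__ == "__main__":
    import sys
    text = load_export(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_EXPORT
    for site, proto, zone in find_elevated(text):
        print(f"{site:30} {proto:6} -> zone {zone} ({ZONE_NAMES.get(zone, '?')})")
    print("ProtocolDefaults:", protocol_defaults(text))
```

Run as `python zonemap_audit.py zonemap.reg`; without an argument it runs over the constructed sample. A domain sitting in zone 2 is the thing to investigate, because Trusted-sites settings are more permissive than Internet-zone settings; zone 4 entries are normally protective. The HKLM copy of ZoneMap uses the same layout, so the same export-and-parse step covers it.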

  • Root Admin

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Thanks

 

