AdwCleaner on Desktop Showing Root of Problems, Downloaded from BP


  • This topic is locked
8 replies to this topic

#1 JDK1

  • Members
  • 7 posts
  • Gender:Not Telling
  • Local time:12:52 PM

Posted 03 April 2014 - 02:18 PM

Running Windows 8 x64

 

I downloaded AdwCleaner from your site Feb 2, 2014 to my desktop. 

 

My registry was all screwed up from something.  Stopped using the computer for about a month because I was having so many problems. 

Three days ago I did a System Refresh in Safe Mode which removed ALL programs that I ever installed EXCEPT AdwCleaner.  I thought this very strange because it should have been removed with the refresh, so I started looking into the program.

I just uploaded AdwCleaner to Virus Total.  The results are shown below.

 

Please advise as to if I should ignore or can I continue to 8.1....

Thank you.

JDK

 

SHA256: 211cbcc220312224429ac386c567140b746dbff43d98a3860db66b934a174097
File name: AdwCleaner.exe
Detection ratio: 2 / 51
Analysis date: 2014-04-03 18:47:05 UTC ( 0 minutes ago )

 

Antiy-AVL  Worm[IM]/Win32.Sohanad  20140403
CMC  Trojan.Win32.Generic!O  20140331

 

The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
Authenticode signature block
File version 3.0.1.8
Packers identified
F-PROT AutoIt, UTF-8, AutoIt, AutoIt, AutoIt, AutoIt, AutoIt, AutoIt, AutoIt, AutoIt, AutoIt, UTF-8, AutoIt, AutoIt, AutoIt, AutoIt, AutoIt, UPX, AutoIt, UPX
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2012-01-29 21:32:28
Entry Point 0x000CFE90
Number of sections 3
PE sections
Name Virtual address Virtual size Raw size Entropy MD5
UPX0 4096 577536 0 0.00 d41d8cd98f00b204e9800998ecf8427e
UPX1 581632 274432 270848 7.93 585d939fc528c6bf144f116356426739
.rsrc 856064 126976 125440 5.05 4baa09012a30ee4d811333312ec2dfa9
PE imports
Number of PE resources by type
RT_ICON 9
RT_STRING 7
RT_GROUP_ICON 4
RT_DIALOG 1
RT_MANIFEST 1
RT_MENU 1
RT_VERSION 1
Number of PE resources by language
ENGLISH UK 21
FRENCH 2
ENGLISH US 1
ExifTool file metadata
UninitializedDataSize 577536
LinkerVersion 10.0
ImageVersion 0.0
FileVersionNumber 3.0.1.8
LanguageCode French
FileFlagsMask 0x0000
CharacterSet Unicode
InitializedDataSize 126976
MIMEType application/octet-stream
FileVersion 3.0.1.8
TimeStamp 2012:01:29 22:32:28+01:00
FileType Win32 EXE
PEType PE32
FileAccessDate 2014:04:03 19:47:14+01:00
SubsystemVersion 5.0
OSVersion 5.0
FileCreateDate 2014:04:03 19:47:14+01:00
FileOS Win32
Subsystem Windows GUI
MachineType Intel 386 or later, and compatibles
CodeSize 274432
FileSubtype 0
ProductVersionNumber 3.3.8.1
EntryPoint 0xcfe90
ObjectFileType Unknown
File identification
MD5 54db2b8c60f04c5ade6d711d47eaba75
SHA1 de7df3ff47cc606e16f515abe7bca086f3b84f0b
SHA256 211cbcc220312224429ac386c567140b746dbff43d98a3860db66b934a174097
ssdeep 24576:WthEVaPqLLddnxgk8pY1C2IsIt9ws7GkyIs6/zV5:eEVUcLddt1wq367
imphash 890e522b31701e079a367b89393329e6
File size 1.1 MB ( 1166132 bytes )
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID UPX compressed Win32 Executable (42.3%)
     Win32 EXE Yoda's Crypter (36.7%)
     Win32 Dynamic Link Library (generic) (9.1%)
     Win32 Executable (generic) (6.2%)
     Generic Win/DOS Executable (2.7%)
Tags peexe upx
VirusTotal metadata
First submission 2014-01-28 16:31:09 UTC ( 2 months ago )
Last submission 2014-04-03 18:47:05 UTC ( 25 minutes ago )
File names adwcleaner_2.exe
Apache_OpenOffice_incubating_3.4.1_Win_x86_install_pt-BR.exe
adwcleaner 6.exe
AdwCleaner.exe
704-adwcleaner.exe
adwcleaner 222.exe
19973392
virus.exe
adwcleaner-011.exe
adwcleaner.exe..exe
AdwCleaner v3.018.exe
adwcleaner.exe
AdwCleaner 3.0 (3).exe
211cbcc220312224429ac386c567140b746dbff43d98a3860db66b934a174097.exe
AdwCleaner 3.0.exe
AdwCleaner - Copy.exe
output.19973392.txt
adwcleaner (3).exe
54DB2B8C60F04C5ADE6D711D47EABA75_adwcleaner.exe
AdwCleaner (1).exe
nw_33201_adwcleanerexe.exe
adwcleaner(1).exe
adwcleaner.exe
vti-rescan
adwcleaner-3.018.exe
Advanced heuristic and reputation engines
ClamAV PUA
Possibly Unwanted Application. While not necessarily malicious, the scanned file presents certain characteristics which depending on the user policies and environment may or may not represent a threat. For full details see: http://www.clamav.net/index.php?s=pua&lang=en .
Symantec reputation Suspicious.Insight
Behaviour characterization
Zemana
keylogger
dll-injection
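Two checks a responder would actually make on a download like the one above, as an added example that is not from this thread, from AdwCleaner or from VirusTotal: compute the file's SHA256 and compare it with a published value (the VirusTotal report gives one for the copy it scanned), then walk the PE section table and compute each section's raw size, entropy and MD5, the same columns the report shows. A UPX-packed binary typically has an empty UPX0 section (raw size 0; the MD5 of empty input is d41d8cd98f00b204e9800998ecf8427e, exactly as in the report) and a UPX1 section close to 8 bits per byte of entropy, which is what packed data looks like and is one reason heuristic engines flag packed AutoIt tools. The PE image below is a constructed stand-in with that section layout, not the real AdwCleaner.exe, and the 7.0 entropy threshold is an assumed heuristic.

```python
# Added example (not code from the thread, AdwCleaner or VirusTotal): hash check plus
# per-section entropy/MD5 for a PE file, mirroring the VirusTotal "PE sections" table.
import hashlib
import math
import random
import struct
from collections import Counter

# Assumed heuristic: compressed or encrypted bytes approach 8 bits/byte; the report's
# UPX1 section scores 7.93, which is typical for a packer's compressed payload.
PACKED_ENTROPY_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or constant data, at most 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_pe_sections(blob: bytes) -> list:
    """Walk the PE section table and return the columns VirusTotal shows per section."""
    if blob[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes)
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", blob, coff)
    table = coff + 20 + opt_size
    sections = []
    for i in range(nsections):
        # Section header: Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, ...
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", blob, table + 40 * i)
        raw = blob[rawptr:rawptr + rawsize]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_address": vaddr,
            "virtual_size": vsize,
            "raw_size": rawsize,
            "entropy": round(shannon_entropy(raw), 2),
            "md5": hashlib.md5(raw).hexdigest(),
        })
    return sections


def assess(blob: bytes, expected_sha256: str) -> dict:
    """Hash match tells you this is the file that was scanned; high entropy tells you
    'packed', not 'malicious'. Both are inputs to a decision, not the decision."""
    sections = parse_pe_sections(blob)
    digest = sha256_hex(blob)
    return {
        "sha256": digest,
        "hash_matches": digest == expected_sha256.lower(),
        "sections": sections,
        "high_entropy": [s["name"] for s in sections if s["entropy"] >= PACKED_ENTROPY_THRESHOLD],
        "upx_named": any(s["name"].startswith("UPX") for s in sections),
    }


def build_sample_pe() -> bytes:
    """Constructed stand-in for a UPX-packed executable (headers only, not runnable code):
    empty UPX0, random-filled UPX1, repetitive .rsrc, with the report's virtual layout."""
    rng = random.Random(1)
    upx1 = bytes(rng.getrandbits(8) for _ in range(4096))
    rsrc = b"RESOURCE" * 64
    nsections, opt_size, e_lfanew = 3, 0, 0x40
    data_start = e_lfanew + 4 + 20 + opt_size + 40 * nsections

    def section(name, vsize, vaddr, raw, rawptr):
        return struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, len(raw), rawptr, 0, 0, 0, 0, 0x60000020)

    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, nsections, 0, 0, 0, opt_size, 0)
    table = (section(b"UPX0", 0x8D000, 0x1000, b"", 0)
             + section(b"UPX1", 0x43000, 0x8E000, upx1, data_start)
             + section(b".rsrc", 0x1F000, 0xD1000, rsrc, data_start + len(upx1)))
    return dos + b"PE\0\0" + coff + table + upx1 + rsrc


if __name__ == "__main__":
    sample = build_sample_pe()
    EXPECTED = "<paste the publisher's or VirusTotal SHA256 here>"  # placeholder
    report = assess(sample, EXPECTED)
    for s in report["sections"]:
        print(f'{s["name"]:<6} raw={s["raw_size"]:>6} entropy={s["entropy"]:.2f} md5={s["md5"]}')
    print("hash matches:", report["hash_matches"], "high-entropy sections:", report["high_entropy"])
```

Run it as-is to print the section table for the constructed sample; to check a real download, read the file's bytes and pass the publisher's hash as `expected_sha256`. A match only confirms you hold the same bytes that were scanned, and a high-entropy section only says the file is packed; the Authenticode signature the report mentions is the check that ties the file to its publisher.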
 



#2 Jo*

  • Malware Response Team
  • 3,304 posts
  • Gender:Male
  • Location:Germany
  • Local time:06:52 PM

Posted 03 April 2014 - 02:39 PM

Hi,

AdwCleaner is portable software; that's why it was not removed.

  • Right-click AdwCleaner.exe and select Run As Administrator.
  • Click on the Uninstall button.
  • A window will open, press the Confirm button.
  • AdwCleaner will uninstall now.

Edited by Jo*, 03 April 2014 - 02:40 PM.

Graduate of the WTT Classroom
Cheers,
Jo
If I have been helping you, and I have not replied to your latest post in 36 hours please send me a PM.


#3 JDK1
  • Topic Starter

  • Members
  • 7 posts
  • Gender:Not Telling
  • Local time:12:52 PM

Posted 03 April 2014 - 02:47 PM

Please explain that.  In addition, is it a virus????

Thank you.



#4 Jo*

  • Malware Response Team
  • 3,304 posts
  • Gender:Male
  • Location:Germany
  • Local time:06:52 PM

Posted 03 April 2014 - 02:52 PM

Hi again,

It's no virus, but some AV software may detect malware removal tools.

Portable_application



#5 JDK1
  • Topic Starter

  • Members
  • 7 posts
  • Gender:Not Telling
  • Local time:12:52 PM

Posted 03 April 2014 - 02:59 PM

Yes, thank you for the link. I was looking into it. I had other "portable software" on my laptop, and it was removed with the system refresh, so I don't follow your reasoning. This was the only program left. I had to reinstall all my Microsoft Office, virus protection, browsers, Windows updates from the time I have owned the product. I need to understand how a random program from you all is still there, but all the Windows updates, HP updates had to be reinstalled.

Thanks.



#6 Jo*

  • Malware Response Team
  • 3,304 posts
  • Gender:Male
  • Location:Germany
  • Local time:06:52 PM

Posted 03 April 2014 - 03:15 PM

Hi,

We remove malware in this forum section.
The tools we use are safe, but AdwCleaner is not my tool or from BC.
It's a 3rd-party tool that millions of people use.

We cannot explain why a Microsoft system refresh leaves AdwCleaner behind but no other portable software.
You may ask that at an MS forum.

You got instructions from me on how to remove it; that's all we can do here.



#7 JDK1
  • Topic Starter

  • Members
  • 7 posts
  • Gender:Not Telling
  • Local time:12:52 PM

Posted 03 April 2014 - 03:18 PM

You are very dismissive.  You didn't even ask me to run a log to double check or anything.  What if the program was infected after it was downloaded?  Wow.  I hope you never need help.



#8 Jo*

  • Malware Response Team
  • 3,304 posts
  • Gender:Male
  • Location:Germany
  • Local time:06:52 PM

Posted 03 April 2014 - 03:54 PM

Hello,

1. Download Security Check by screen317 from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
    Vista / Windows 7/8 users right-click and select Run As Administrator.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

***


2. Download OTL to your desktop.
  • Double click on the icon to run it.
    Vista / Windows 7/8 users right-click and select Run As Administrator.
  • Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt.
    Note: These logs can be located in the OTL folder on your C:\ drive if they fail to open automatically.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them both in.



#9 Jo*

  • Malware Response Team
  • 3,304 posts
  • Gender:Male
  • Location:Germany
  • Local time:06:52 PM

Posted 08 April 2014 - 02:55 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.
