
unknown adware causes sluggish computer and pop ups


This topic is locked. 55 replies to this topic.

#1 Phil in USA (Members, 43 posts)

Posted 25 October 2014 - 01:10 PM

I was sent here after going through procedures in the Do I have a Virus forum and being unable to identify or fix a virus acquired around Mon, Oct 20 when I downloaded a program to restore deleted files. If you go to that forum you can find the history under "Problem: sluggish with pop ups" by Phil in USA. The problem is that my computer behaves sluggishly and I am getting hit with many ad popups and attempts to install programs. When I press the key for "computer" to see the drive information it takes as long as 8-10 seconds to see the drives, and I am getting frequent pop up ads along with attempts to make Bling my default browser, along with other attempted installs for programs. Malwarebytes catches the pop ups, which occur even when I am not browsing the internet, but cannot see the culprit. Here is the list of programs I have already used, but none can find the culprit:

Windows Defender

MS Security Essentials

Malwarebytes Anti-Malware Premium

AdwCleaner

JRT

ESET - although I did not quarantine any of the findings yet (see the dialog)

Security Check

 

Per instructions I have run DDS and attached the 2 files.

My suspicion is that this is a recently acquired bug caused by downloading from a bad site that is probably hiding in the registry or root system. Once I did try booting up in safe mode and then I ran Malwarebytes, but that didn't help either.

Thank you,

Phil

 

Attached Files





#2 Phil in USA (Topic Starter; Members, 43 posts)

Posted 28 October 2014 - 10:54 AM

Update. A frequent pop up that I am getting is from xmlka.com and a search on this shows it to be a hijacker/spyware. The symptoms I have are basically the same described in the virus's internet description: slow computer with lots of pop ups - and it seems to be getting slower. My protection doesn't see it.

Thanks

Phil

 



#3 TheShooter93 (Cody; Malware Response Team, 4,793 posts; Orlando, Florida)

Posted 28 October 2014 - 02:03 PM

Hello Phil in USA,

Welcome to Bleeping Computer!

My name is Cody and I'll be helping you clean up your computer. :)

I will reply to your posts as soon as possible -- typically within 24 hours. In turn, I ask that you please respond within 72 hours. If you know you will be away longer than that, I just ask for notice ahead of time.

Please do note any time differences between us. If I do not respond within 48 hours, feel free to send me a private message.

==========================================================================

Some points for you to keep in mind:

  • Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planned.
  • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not run any tools or take any steps other than those I will provide for you while we work on your computer together. I need to be certain about the state of your computer in order to provide appropriate and effective steps for you to take. Most often "well intentioned" (and usually panic driven!) independent efforts can make things much worse for both of us. If at any point you would prefer to take your own steps please let me know, I will not be offended. I would be happy to focus on the many others who are waiting in line for assistance.
  • Do not attach logs or use code boxes, just copy and paste the text.
  • In the upper right hand corner of the topic you will see the Follow topic button. Click on this, then choose Immediate E-Mail notification and then Proceed, and you will be sent an email once I have posted a response.
  • If you do not reply to your topic after 5 days we assume it has been abandoned and I will close it.
  • Once things seem to be working again, please do not abandon the thread. I will give an "all-clean" message at the very end with some additional information on how to stay malware-free.
  • Lastly, I would like to remind you that most members here are volunteers, and sometimes "real life" can get in the way of our malware hunt. I will notify you if I know I will need to be away for longer than 48 hours.

CCNA R&S | CCNA Security | Network+ | B.S. - Information Technology | Security Engineer

If I am helping you and have not replied within 48 hours, please send me a private message.


#4 Phil in USA (Topic Starter; Members, 43 posts)

Posted 29 October 2014 - 12:14 AM

Hi Cody

I appreciate your help! Did you see the later note I posted about the nature of the virus?

Thanks

Phil



#5 TheShooter93 (Cody; Malware Response Team, 4,793 posts; Orlando, Florida)

Posted 29 October 2014 - 12:47 AM

Yes, I did. I am currently analyzing your logs and will get back to you as soon as possible with our next steps. :)




#6 TheShooter93 (Cody; Malware Response Team, 4,793 posts; Orlando, Florida)

Posted 29 October 2014 - 09:37 AM

Hello Phil in USA,
 
Please do the following things.  :)

Farbar Recovery Scan Tool (FRST)

  • Download Farbar Recover Scan Tool for either 32 bit or 64 bit systems and save it to your desktop
  • If you are unsure if you have 32 bit or 64 bit simply download and try one. If that doesn't run properly the other one should
  • Double click the icon
  • Click Yes to the disclaimer
  • Make sure the Addition.txt box is checked
  • Click Scan and allow the program to run
  • Click OK on the Scan complete screen, then OK on the Addition.txt pop up screen.
  • 2 Notepad documents should now be open on your desktop.
  • Please copy and paste the contents of both in your reply

===========================================

ESET Log

A log file is created at the ESET log path (the file name and path were shown as images in the original post).

Copy and paste the content of this log file in your next reply.




#7 Phil in USA (Topic Starter; Members, 43 posts)

Posted 30 October 2014 - 12:27 AM

Here are the files you requested. Did you need a new ESET scan? I did this earlier for the prior helper in the forum called Do I have a virus? and I can do it again for you if you need it. Just let me know.

Thanks

Phil

Attached Files



#8 TheShooter93 (Cody; Malware Response Team, 4,793 posts; Orlando, Florida)

Posted 30 October 2014 - 01:07 PM

Phil wrote: "Did you need a new ESET scan?"

Not right now, no. I just wanted to see the results of the previous scan.

You can follow this filepath to retrieve it: (the ESET log path was shown as an image in the original post)

Copy and paste the content of this log file in your next reply.

Phil wrote: "Do I have a virus?"

It's hard to say right now, I will know more after I evaluate the FRST.txt, Addition.txt, and ESET log files.

I will post back with our next steps ASAP. :)




#9 Phil in USA (Topic Starter; Members, 43 posts)

Posted 30 October 2014 - 03:32 PM

OK. I appreciate it. By the way, I am pretty sure I do have a virus - the xmlka.com one I referred to earlier. Perhaps more, partly because this virus may open opportunities for others.

Thanks again for helping out,

Phil



#10 TheShooter93 (Cody; Malware Response Team, 4,793 posts; Orlando, Florida)

Posted 02 November 2014 - 11:19 AM

Hello Phil in USA,
 
Please do and consider the following.  :)
 
================================================
 
I do need to inform you that your logs show evidence of pirated software, specifically Adobe Creative Suite 6 Master Collection.
 
While I will continue to help you, I strongly encourage you to remove the software from your computer for a number of reasons.

  • Pirated software can contain backdoors, silently install malware on your system, and change your system's configuration without you knowing it.
  • Companies (like Adobe in this case) spend a lot of time, money, and energy to create, test, advertise, and produce software. It is unfair to them to acquire this software via pirated means.

Note that the existence of this pirated software on your machine may or may not be related to the problems you are experiencing.
 
================================================

Farbar's Recovery Scan Tool - Run Fix in Normal or Safe Mode

  • Press the Windows key + r on your keyboard at the same time. Type in notepad and press Enter.
  • Please copy and paste the contents of the below code box into the open notepad and save it to your desktop (<<<Important) as fixlist.txt

C:\Program Files\PCMeter\ 
C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8} 
C:\ProgramData\Microsoft:hBtX2CPWQ9fRwjdROWI 
C:\ProgramData\Microsoft:jwiPjbd8260kO91jTqbFsLpLs 
C:\ProgramData\Microsoft:wHTahYkllviS1pnP0apCk 
C:\ProgramData\TEMP:9638A27E 
C:\Users\User\Local Settings:ljawOxPSP1NplJ8NoFly2eGu 
C:\Users\User\AppData\Local:ljawOxPSP1NplJ8NoFly2eGu
  • Launch FRST and press the Fix button just once and wait, the program will automatically launch fixlist.txt.
  • The tool will create a log on the desktop called Fixlog.txt. Please copy and paste the contents of the file in your reply.
     

================================================

 

TDSS Killer Scan

Please read and follow these instructions carefully. We do not want it to fix anything yet (if found), we need to see a report first.

  • Download TDSSKiller.exe and save it to your desktop.
  • Execute TDSSKiller.exe by double-clicking on it.
  • Press Start Scan.
  • If Malicious objects are found, do NOT select Cure. Change the action to Skip, and save the log.
  • Once complete, a log will be produced at the root drive, which is typically C:\, for example, C:\TDSSKiller.<version_date_time>log.txt
  • Please post the contents of that log in your next reply.

================================================

 
Lastly, your computer shows a number of drives connected of varying sizes:


==== Disk Partitions ========================= 
C: is FIXED (NTFS) - 60 GiB total, 6.624 GiB free. 
D: is FIXED (NTFS) - 932 GiB total, 53.723 GiB free. 
E: is CDROM () 
F: is FIXED (NTFS) - 2795 GiB total, 2647.371 GiB free. 
G: is FIXED (NTFS) - 932 GiB total, 18.59 GiB free.

I see evidence of programs installed on both C:\ and D:\, and am unsure what F:\ and G:\ are.
 
Can you please explain what you know about these drives?
 
================================================
 
What I'd like to see in your next post:

  • fixlist.txt
  • TDSSKiller log
  • Information about drives.

Edited by TheShooter93, 02 November 2014 - 11:21 AM.

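The fixlist entries written as a path followed by a colon and a name, such as C:\ProgramData\Microsoft:hBtX2CPWQ9fRwjdROWI or C:\ProgramData\TEMP:9638A27E, are NTFS alternate data streams (ADS) attached to a directory. A normal directory listing does not display them, which is one way adware of this kind stays out of sight while the symptoms remain visible. The following script is an added example for readers of this thread; it is not part of the thread, of FRST, or of any BleepingComputer procedure. It enumerates the named streams on the host directories that appear in the fixlist above so a defender can see what is attached before a fix and confirm it is gone afterwards. It assumes Windows PowerShell 3.0 or later (Get-Item -Stream was introduced in 3.0), that the file system provider exposes streams on directories as well as files, and uses $env:LOCALAPPDATA in place of the fixlist's C:\Users\User\AppData\Local; the function name Get-SuspectStreams and the LooksRandom heuristic are this example's own.

```powershell
# Added example (not from the thread or FRST): list NTFS alternate data streams
# attached to the directories that hosted streams in the fixlist above.
# Assumes Windows PowerShell 3.0+ and that the provider exposes directory streams.

# Host paths taken from the fixlist. $env:LOCALAPPDATA resolves to
# C:\Users\<name>\AppData\Local for the logged-on user (assumed equivalent to
# the C:\Users\User\AppData\Local entry in the fixlist).
$hostPaths = @(
    'C:\ProgramData\Microsoft',
    'C:\ProgramData\TEMP',
    $env:LOCALAPPDATA
)

function Get-SuspectStreams {
    param([string[]]$Paths)

    foreach ($path in $Paths) {
        if (-not (Test-Path -LiteralPath $path)) {
            Write-Verbose "Skipping missing path: $path"
            continue
        }
        # -Force also returns hidden/system items. -Stream * lists every stream
        # on the item itself (not on its children). ':$DATA' is the ordinary
        # unnamed content stream of a file and is not of interest here.
        Get-Item -LiteralPath $path -Force -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' } |
            ForEach-Object {
                [pscustomobject]@{
                    HostPath    = $_.FileName
                    Stream      = $_.Stream
                    Bytes       = $_.Length
                    # Rough triage hint only (this example's own heuristic): a long
                    # stream name with no dot looks unlike the common, benign
                    # 'Zone.Identifier' stream that browsers add to downloads.
                    LooksRandom = ($_.Stream -notmatch '\.' -and $_.Stream.Length -ge 16)
                }
            }
    }
}

# Show what is attached right now; run again after the FRST fix to confirm removal.
Get-SuspectStreams -Paths $hostPaths | Format-Table -AutoSize

# To look at one stream's content as text without running anything from it,
# for example the stream named in the fixlist on C:\ProgramData\TEMP:
#   Get-Content -LiteralPath 'C:\ProgramData\TEMP' -Stream '9638A27E' -Raw
```

Run it from an elevated prompt so hidden and system directories are readable; a stream that is still listed after Fixlog.txt reports success is worth mentioning in the next reply rather than deleting by hand, since the helper wants to see the machine's state before any further changes.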


#11 Phil in USA (Topic Starter; Members, 43 posts)

Posted 02 November 2014 - 01:03 PM

I have attached the reports you requested. Regarding the drives, I have a 64 mb ssd drive that the operating system is located on (for speedy boot up) but it is too small for some of the other programs, so they are loaded on the d drive. The other drives are just file storage drives and are not relevant to the operating system. There are no exe programs on those other drives that I know of. 

I appreciate your help.

Phil

Attached Files



#12 Phil in USA (Topic Starter; Members, 43 posts)

Posted 02 November 2014 - 05:59 PM

Update: Since running the program you provided, the machine is behaving well. I have used it for maybe an hour and no pop ups have occurred. Also, it is no longer sluggish for simple commands like looking at the properties of a hard drive. I suspect you have eliminated the virus, but I probably need to use the machine more to be sure. I look forward to hearing back from you.

Thanks again,

Phil



#13 TheShooter93 (Cody; Malware Response Team, 4,793 posts; Orlando, Florida)

Posted 02 November 2014 - 10:41 PM

Phil wrote: "I suspect you have eliminated the virus, but I probably need to use the machine more to be sure. I look forward to hearing back from you."

I'm glad to hear your system is doing better. :)

While I review your logs, keep in mind that just because you do not see any symptoms does not mean your system is clear of malware. Please stick with me until I give you the "all-clean" at the end.

=========================

Also, unless specifically stated, just copy and paste the logs into your replies instead of attaching them -- it makes them easier to review. :)


Edited by TheShooter93, 02 November 2014 - 10:44 PM.



#14 Phil in USA (Topic Starter; Members, 43 posts)

Posted 03 November 2014 - 12:24 AM

Ok. I will wait for further instructions.

Thanks

Phil



#15 TheShooter93 (Cody; Malware Response Team, 4,793 posts; Orlando, Florida)

Posted 05 November 2014 - 10:49 AM

Hello Phil in USA,

 

Just wanted to apologize for the delay in responding, as my instructor and I have been discussing our next steps.

 

I should be able to post those steps before the end of today. :)

