
Strange Adultube.info malware isn't going even after several OS reinstalls


8 replies to this topic

#1 Sumit Das

  • Members
  • 5 posts

Posted 11 May 2015 - 10:25 AM

Hi, I am Sumit Das. Since the end of March I have been getting weird popups similar to the case here: http://www.bleepingcomputer.com/forums/t/573703/adultubeinfo-popup-in-chrome-and-ie/

So I thought it might be some random adware or spyware, so I reinstalled my OS a week after I finished with my ongoing project. My PC ran smoothly, but after a week this problem came back.

So I immediately reinstalled my OS, but to my surprise it came back as soon as it was connected to the internet. So I did it several times, but it didn't help. Then I thought it might be my modem which might be infected, so I took my PC to a friend of mine, reinstalled the OS and tried to connect to the internet. There was no sign of the popup there. So I brought my CPU back home, connected it here at my home, and it started to open those redirecting websites again. I know this indicates my modem is the culprit, or maybe my ISP somehow, but I am not fully convinced because I used my CPU for around 15 min at most with my friend's internet, and only twice. Whereas at home I sometimes don't get those redirecting sites. I am all confused. What should I do? And if it is in my modem, how do I confirm?




#2 nasdaq

  • Malware Response Team
  • 38,246 posts
  • Location:Montreal, QC. Canada

Posted 16 May 2015 - 07:50 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===


--RogueKiller--
  • Download & SAVE to your Desktop: Download RogueKiller
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator" to start.
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then click on the "Scan" button.
  • Wait until the Status box shows "Scan Finished".
  • Click on "Delete".
  • Wait until the Status box shows "Deleting Finished".
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop.
  • Exit/Close RogueKiller.
=======


Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the Report button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button, all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, close the AdwCleaner windows and run it again:
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button and follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Sn].txt (n is a number).
===

Wait for further instructions.

#3 Sumit Das

  • Topic Starter
  • Members
  • 5 posts

Posted 16 May 2015 - 11:56 AM

Hello,

Thank you very much for your reply.

Here are the results.

 

Rogue Killer

RogueKiller V10.6.3.0 (x64) [May 11 2015] by Adlice Software

 
Operating System : Windows 8.1 (6.3.9200 ) 64 bits version
Started in : Normal mode
User : Sumit Das [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller.exe
Mode : Delete -- Date : 05/16/2015  21:15:10
 
¤¤¤ Processes : 0 ¤¤¤
 
¤¤¤ Registry : 10 ¤¤¤
[Orphan] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | WebCheck : {E6FB5E20-DE35-11CF-9C87-00AA005127ED}  -> Not selected
[Orphan] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | WebCheck : {E6FB5E20-DE35-11CF-9C87-00AA005127ED}  -> Not selected
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 37.48.127.131 8.8.8.8 [(Unknown Country?) (XX)][-]  -> Not selected
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 37.48.127.131 8.8.8.8 [(Unknown Country?) (XX)][-]  -> Not selected
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{DAA20916-BD75-4E1D-B782-2C8533645936} | DhcpNameServer : 37.48.127.131 8.8.8.8 [(Unknown Country?) (XX)][-]  -> Not selected
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{DAA20916-BD75-4E1D-B782-2C8533645936} | DhcpNameServer : 37.48.127.131 8.8.8.8 [(Unknown Country?) (XX)][-]  -> Not selected
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Not selected
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Not selected
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Not selected
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Not selected
 
¤¤¤ Tasks : 0 ¤¤¤
 
¤¤¤ Files : 0 ¤¤¤
 
¤¤¤ Hosts File : 0 ¤¤¤
 
¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤
 
¤¤¤ Web browsers : 0 ¤¤¤
 
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: WDC WD5000AAKX-00U6AA0 +++++
--- User ---
[MBR] 9d0b22c36c0c07c57b3ce3f03c857b54
[BSP] 954b9c5be589e7ef4cfe67f45b0f08cf : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 105900 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 217090048 | Size: 161000 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
3 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 546818048 | Size: 209938 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK
 
 
============================================
RKreport_SCN_05132015_212711.log - RKreport_DEL_05132015_212746.log - RKreport_SCN_05162015_211413.log
 
 
 
AdwCleaner
 
# AdwCleaner v4.204 - Logfile created 16/05/2015 at 21:22:13
# Updated 12/05/2015 by Xplode
# Database : 2015-05-12.2 [Server]
# Operating system : Windows 8.1 Pro  (x64)
# Username : Sumit Das - SUMITDAS-PC
# Running from : C:\Users\Sumit Das\Downloads\adwcleaner_4.204.exe
# Option : Cleaning
 
***** [ Services ] *****
 
 
***** [ Files / Folders ] *****
 
Folder Deleted : C:\Users\Sumit Das\AppData\Local\PackageAware
Folder Deleted : C:\Users\Sumit Das\AppData\Roaming\OpenCandy
 
***** [ Scheduled tasks ] *****
 
 
***** [ Shortcuts ] *****
 
 
***** [ Registry ] *****
 
 
***** [ Web browsers ] *****
 
-\\ Internet Explorer v11.0.9600.16384
 
 
-\\ Google Chrome v42.0.2311.152
 
[C:\Users\Sumit Das\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://search.aol.com/aol/search?q={searchTerms}
[C:\Users\Sumit Das\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://isearch.omiga-plus.com/web/?type=ds&ts=1404199393&from=smt&uid=WDCXWD5000AAKX-00U6AA0_WD-WCC2EXA6025160251&q={searchTerms}
[C:\Users\Sumit Das\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://search.conduit.com/Results.aspx?q={searchTerms}&SearchSource=49&CUI=UN12557058091704730&ctid=CT2260173&UM=2
[C:\Users\Sumit Das\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://isearch.omiga-plus.com/web/?type=ds&ts=1404199393&from=smt&uid=WDCXWD5000AAKX-00U6AA0_WD-WCC2EXA6025160251&q={searchTerms}
[C:\Users\Sumit Das\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://websearch.ask.com/redirect?client=ie&tb=AVR-4&o=APN10267&src=crm&q={searchTerms}&locale=en_IN&apn_ptnrs=^AGY&apn_dtid=^YYYYYY^YY^IN&apn_uid=91AC68AD-B6A6-4DAF-9C1F-26AFF35B305A&apn_sauid=41F5C40B-3F35-4D31-A0A0-F5AE3D4DCCCB
[C:\Users\Sumit Das\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://isearch.omiga-plus.com/web/?type=ds&ts=1404199393&from=smt&uid=WDCXWD5000AAKX-00U6AA0_WD-WCC2EXA6025160251&q={searchTerms}
[C:\Users\Sumit Das\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://www.ask.com/web?q={searchTerms}
[C:\Users\Sumit Das\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://en.softonic.com/s/{searchTerms}
 
*************************
 
AdwCleaner[R0].txt - [2572 bytes] - [16/05/2015 21:19:27]
AdwCleaner[S0].txt - [2517 bytes] - [16/05/2015 21:22:13]
 
########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [2576  bytes] ##########
 


#4 nasdaq

  • Malware Response Team
  • 38,246 posts
  • Location:Montreal, QC. Canada

Posted 16 May 2015 - 12:32 PM

IP details for 37.48.127.131 show it is from the Netherlands. If you do not need it, run the RogueKiller tool and fix these.
The default value will be set.

[Orphan] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | WebCheck : {E6FB5E20-DE35-11CF-9C87-00AA005127ED} -> Not selected
[Orphan] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | WebCheck : {E6FB5E20-DE35-11CF-9C87-00AA005127ED} -> Not selected
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 37.48.127.131 8.8.8.8 [(Unknown Country?) (XX)][-] -> Not selected
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 37.48.127.131 8.8.8.8 [(Unknown Country?) (XX)][-] -> Not selected
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{DAA20916-BD75-4E1D-B782-2C8533645936} | DhcpNameServer : 37.48.127.131 8.8.8.8 [(Unknown Country?) (XX)][-] -> Not selected
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{DAA20916-BD75-4E1D-B782-2C8533645936} | DhcpNameServer : 37.48.127.131 8.8.8.8 [(Unknown Country?) (XX)][-] -> Not selected
[PUM.DesktopIcons] (X64)


I suspect also that your router has been compromised.

If the problem persists execute this.

How to Reset a Router Back to the Factory Default Settings
http://www.ehow.com/how_2110924_reset-back-factory-default-settings.html

Then, please reconfigure it back to your preferred settings. Below is the list of default usernames and passwords, should you not know them ;)

http://www.routerpasswords.com/
http://www.phenoelit-us.org/dpl/dpl.html
===

Reset for Linksys, Netgear, D-Link and Belkin Routers
http://www.techsupportforum.com/2763-reset-for-linksys-netgear-d-link-and-belkin-routers/

====
How to tell if my Wireless is secure.
http://www.ehow.com/how_6775466_tell-wireless-secure_.html

Keep me posted.
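As an added illustration (not part of this thread, and not nasdaq's or RogueKiller's code), a small Python check that parses the "[PUM.Dns]" lines from a RogueKiller report like the one quoted above and flags any resolver that is not in an allowlist. It also separates DhcpNameServer (handed out by the modem's DHCP) from NameServer (set on the PC), which is why the entries keep returning after a reinstall: the allowlist values and the NameServer sample line are constructed assumptions; 37.48.127.131 and 8.8.8.8 come from the log in the thread.

```python
import ipaddress
import re

# Sample input: the two DhcpNameServer lines are copied from the RogueKiller log quoted
# in this thread; the NameServer line (all-zero GUID, 192.168.1.1) is constructed.
SAMPLE_LOG = r"""
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 37.48.127.131 8.8.8.8 [(Unknown Country?) (XX)][-] -> Not selected
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{DAA20916-BD75-4E1D-B782-2C8533645936} | DhcpNameServer : 37.48.127.131 8.8.8.8 [(Unknown Country?) (XX)][-] -> Not selected
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{00000000-0000-0000-0000-000000000000} | NameServer : 192.168.1.1 [-] -> Not selected
"""

# Resolvers the owner expects (assumed for the example; 8.8.8.8 is from the thread).
EXPECTED_RESOLVERS = {"192.168.1.1", "8.8.8.8"}

# Registry key, DhcpNameServer (DHCP-assigned) vs NameServer (static), and the server list.
LINE_RE = re.compile(
    r"^\[PUM\.Dns\]\s+\((?:X64|X86)\)\s+(?P<key>\S+)\s+\|\s+"
    r"(?P<dhcp>Dhcp)?NameServer\s+:\s+(?P<servers>[0-9. ]+?)\s+\["
)

def parse_dns_entries(log_text):
    """Return (registry_key, dhcp_assigned, [server_ips]) for each PUM.Dns line."""
    entries = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a PUM.Dns line (other RogueKiller categories, headers)
        servers = []
        for token in m.group("servers").split():
            try:
                servers.append(str(ipaddress.ip_address(token)))
            except ValueError:
                pass  # ignore anything that is not a valid IP literal
        entries.append((m.group("key"), m.group("dhcp") is not None, servers))
    return entries

def find_rogue_resolvers(log_text, expected=EXPECTED_RESOLVERS):
    """Map each unexpected resolver to its (registry_key, dhcp_assigned) sightings.
    A rogue address under DhcpNameServer was handed out by the DHCP server (here the
    modem), so deleting it on the PC will not stop it returning on the next lease."""
    rogue = {}
    for key, dhcp, servers in parse_dns_entries(log_text):
        for ip in servers:
            if ip not in expected:
                rogue.setdefault(ip, []).append((key, dhcp))
    return rogue

if __name__ == "__main__":
    for ip, sightings in find_rogue_resolvers(SAMPLE_LOG).items():
        print(ip, len(sightings), "DHCP-assigned" if all(d for _, d in sightings) else "static")
```

If every sighting of a rogue resolver is DHCP-assigned, the fix belongs on the device issuing the lease (the modem or router), not on the PC.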

#5 Sumit Das

  • Topic Starter
  • Members
  • 5 posts

Posted 17 May 2015 - 07:59 AM

Hello,
I did as you said. I selected all the registry files you stated and pressed the delete button in RogueKiller, and it seems it didn't fix it.
And for the router, I actually don't have a router at my home. I only have a modem which my ISP, "MTNL", provided me.


#6 nasdaq

  • Malware Response Team
  • 38,246 posts
  • Location:Montreal, QC. Canada

Posted 17 May 2015 - 08:23 AM

I can only conclude that your modem is compromised. Using only RogueKiller to remove the bad IP will not work until the router/modem is corrected.

I suggest you start a new topic in the Networking forum as this is not my forte.

http://www.bleepingcomputer.com/forums/f/21/networking/

Have someone check your settings.
They will suggest other tools that I'm not familiar with.

I will leave this topic open. When the router/modem has been fixed, please return to this topic.

#7 Sumit Das

  • Topic Starter
  • Members
  • 5 posts

Posted 17 May 2015 - 11:07 AM

Should I change my ISP? Will that help?



#8 nasdaq

  • Malware Response Team
  • 38,246 posts
  • Location:Montreal, QC. Canada

Posted 17 May 2015 - 01:09 PM

I think it will since your modem may also be changed with the new provider.

Ask your current provider how you can reset the modem first.

#9 Sumit Das

  • Topic Starter
  • Members
  • 5 posts

Posted 20 May 2015 - 11:27 AM

Sorry my internet was down for a day. Okay I will ask them if they can reset my modem.





