
Really Difficult Virus, DDE Server Error When Login Off/Memory Error/Ad-Redirect


  • This topic is locked
13 replies to this topic

#1 AndyFieldsMS

AndyFieldsMS

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:03:30 AM

Posted 16 June 2015 - 02:30 PM

I recently got infected by a very well made virus. Reinstalled the OS (Windows 10 Pro Insider) and the virus is still there, even though I clicked on Format the drive when reinstalling the OS. (Does it make any difference if I format the hard drive from an external source like sata-to-usb? I mean will the virus go away?) Anyway I've run several scanners including Hitman, Eset, Vipre, Adware Cleaner, Adware Removal Tool, Malwarebytes Antimalware, Malwarebytes Anti-Rootkit, Norton Anti-Rootkit, Emsisoft Emergency Kit, Junkware Removal Tool and Windows Defender (meaning nothing). But they don't detect anything. The virus redirects me all the time to sites like Aliexpress, Alibaba, Adcash, casino88 and so on, this is so complex that the site is always changing. The worst part is that it was affecting my BlackBerry phone, doing the same thing, when I'm connected to the same network. I was so upset that I reset both my cellphone and computer, also internet modem/router back to its original defaults, even modem had to be reconfigured. That didn't work. I can try to eliminate this virus if I'm able to, but I'm needing serious help here, I also don't think that a local repair shop can take care of this. I can try to recreate MBR file if the virus is there with external tools and programs or even make a custom configuration on my ISP modem, I'm open to all suggestions here, and it would be highly appreciated.

Attached Files




#2 HelpBot

HelpBot

    Bleepin' Binary Bot


  • Bots
  • 12,549 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:30 AM

Posted 21 June 2015 - 02:35 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

Step 1: In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/579669 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

Step 2: If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new FRST log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download FRST by Farbar from the following link if you no longer have it available and save it to your desktop.

    FRST Download Link

  • When you go to the above page, there will be 32-bit and 64-bit downloads available. Please click on the appropriate one for your version of Windows. If you are unsure as to whether your Windows is 32-bit or 64-bit, please see this tutorial.
  • Double click on the FRST icon and allow it to run.
  • Agree to the usage agreement and FRST will open. Do not make any changes and click on the Scan button.
  • Notepad will open with the results.
  • Post the new logs as explained in the prep guide.
  • Close the program window, and delete the program from your desktop.


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 AndyFieldsMS

AndyFieldsMS
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:03:30 AM

Posted 22 June 2015 - 12:47 AM

Thanks for the help.

I have media available to reinstall with Windows image if required.

Steps taken so far:

 

-Fresh Installation of Windows/Custom/Hard Drive was formatted.

-Run Several Scanners: Hitman Pro, Eset, Vipre, Adware Cleaner, Adware Removal Tool, Malwarebytes Antimalware, Malwarebytes Anti-Rootkit, Norton Anti-Rootkit, Emsisoft Emergency Kit, TDSS Killer, Junkware Removal Tool

-Reset modem to its original settings.

-Reset Cellphone

-SVCHOST Process with no primary name running, I can END it and nothing happens, somehow that doesn't do nothing. System would not allow me to remove the file associated with SVCHOST-NONAME.

Issues:

-Ad-redirect when clicking on website links, photos.

-When using Adblocker, browser gets stuck when opening a link or a photo. Adblocker was removed.

-Ads popping up also happening on cellphone browser when connected to the same network, dolphin browser and BlackBerry browser.

-Server/Memory Error when Logging Off /DDE Server Error

-Internet slow sometimes not even reaching half of my connection.

 

Any help provided will be highly appreciated. 

 

 

 

Attached Files



#4 StanFF

StanFF

  • Malware Response Team
  • 1,172 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:30 PM

Posted 22 June 2015 - 01:19 PM

Hello AndyFieldsMS,
 

I'm Stan and I will be helping you for this problem.

 

First of all I want to clear some things about the malware removal process:

  • Do not run any tools on your own. This may affect the process of removal and may cause both slowdown and additional problems.
  • Read carefully the steps that I suggest you to do. Any mismatch will prolong this case.
  • Copy any scripts carefully so they stay exactly the same with the original. Otherwise the script may not work and we will need to rerun/recreate it.
  • Feel free to copy all the steps in offline environment. They may be easier to read and follow in this way.
  • Feel free to ask any questions about the malware removal process. I'm here to help you so nothing must be hidden or misunderstood.
  • Share with me any problems/changes you experience while working with the current system.
  • Please, do not use any quotes or code boxes when you post logs.

I want to inform you that I will be able to respond in the evenings - 07:00 P.M - 11:00 P.M. (UTC + 02:00) - since I'm working during most of the daytime. If I haven't posted anything for 48 hours straight, please, feel free to send me a personal message. I will bump the topic if there is no response from you for 3 days. After 5 days of inactivity, the topic will be closed.

 

I want to inform you that I'm still in my training program so my posts must be reviewed by an instructor. This may lead to a slight delay in my answers.

 

*******************

 

Thank you for the provided logs. I will inspect them as fast as I can and will be back with instructions for further actions. Based on your explanation of the current situation, it looks like there is a possibility that the problem is located "outside" of the current system. Meanwhile, did you try to use another router? Also, are there any other computers connected to the current network? When reinstalling the operating system, did you format the partition only or the whole drive?

While waiting for my response, please, start your system in Safe Mode with Networking and try to browse the Internet from there. To access Safe Mode on Windows 10, please, read the following article. It's highly possible that the problem will be present there too, but I want to check the option so I can be sure.


Regards,

Stan

 

"There isn't a person anywhere who isn't capable of doing more than he thinks he can." - Henry Ford

 

 

 

 

 


#5 AndyFieldsMS

AndyFieldsMS
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:03:30 AM

Posted 22 June 2015 - 11:36 PM

I'm currently in Safe Mode with Networking and as you mentioned the issue is still happening in this mode. 
 
did you try to use another router?  
No
  
Also, are there any other computers connected to the current network?
Yes, I brought my friend's computer today and the issue is not happening in Internet Explorer, even if it's connected to the same network.
 
When reinstalling the operating system, did you format the partition only or the whole drive?
 
The whole drive.
 
Thanks for the help Stan! I will follow your instructions carefully.


#6 StanFF

StanFF

  • Malware Response Team
  • 1,172 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:30 PM

Posted 23 June 2015 - 11:50 PM

Hello AndyFieldsMS and sorry for the delay.

 

Thank you for the provided information. Please, follow the steps below:

 

Please, download MiniToolBox.

  • Save the file on your desktop.
  • Double-click the executable to start the application.
  • In the main window of the program, please, check the checkboxes in front of the following lines:
    • Report IE Proxy Settings
    • Report FF Proxy Settings
    • List IP Configuration
    • List Winsock Entries
  • When ready, push GO button to generate the report.

A file named Result.txt should appear in the same directory where MiniToolBox is located. Please, copy and paste the content of the file in your next reply.


Regards,

Stan

 

 

 

 

 


#7 AndyFieldsMS

AndyFieldsMS
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:03:30 AM

Posted 25 June 2015 - 01:06 AM

Here's the file.

Thank you very much. 

Attached Files


Edited by AndyFieldsMS, 25 June 2015 - 01:06 AM.


#8 StanFF

StanFF

  • Malware Response Team
  • 1,172 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:30 PM

Posted 25 June 2015 - 11:36 PM

Hello AndyFieldsMS,

 

Things do look interesting since there are not any obvious reasons for the behavior present. However, we will try some options which, if not successful, may give us precious information about the case. Please, follow the steps described here to temporarily set the used DNS addresses to Google ones. When ready, browse the Internet for a while and see if there is any change in the system's behavior.

Did the problem appear right after the reinstallation of the operating system or was it noticed at a later stage (it was not there at the beginning after the installation)? Also, what is the actual model of the router you are using? This will give me more options to consider.


Regards,

Stan

 

 

 

 

 


#9 AndyFieldsMS

AndyFieldsMS
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:03:30 AM

Posted 28 June 2015 - 01:04 AM

Thank you again for all the help, is highly appreciated always. 

So here's a recap: 

 

I set up a temporary DNS address with Google configuration and the issue was gone on regards of the ad-redirect, even though I changed DNS back to Normal and redirect issue on browsers is not happening either, not even in the cellphone.

 

The service that might be related to this issue if you think that since I don't really have the answer, is still running with no name and attached to the SVCHOST. Memory Error When logging off  is still present, but it has changed, now it doesn't say anything about DDE Server Error, that part is blank, but the memory error/iexplore is the same.

The issue started when I also had Windows 7 on the machine, running dual boot with Windows 10 Tech Preview. Windows 7 partition was formatted together with the whole hard drive, leaving only one partition, in which I later on reinstalled the operating system again using an external media and selecting the boot device from the boot menu.

My router model is ADB - P.DG A2100N

Any information that you might need will be provided within 2 days, once again I really appreciate the help. 


Edited by AndyFieldsMS, 28 June 2015 - 01:04 AM.


#10 StanFF

StanFF

  • Malware Response Team
  • 1,172 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:30 PM

Posted 28 June 2015 - 11:57 PM

Hello AndyFieldsMS,

 

I set up a temporary DNS address with Google configuration and the issue was gone on regards of the ad-redirect, even though I changed DNS back to Normal and redirect issue on browsers is not happening either, not even in the cellphone.

 

Does this mean that the problem with ad-redirection is no longer present?

The service that might be related to this issue if you think that since I don't really have the answer, is still running with no name and attached to the SVCHOST. Memory Error When logging off  is still present, but it has changed, now it doesn't say anything about DDE Server Error, that part is blank, but the memory error/iexplore is the same.

I see that you are running Windows 10 Insider Preview on the system. What is the exact build of the operating system installed? This can be checked either by looking at the bottom right corner of your Desktop or using the following steps:

  • Press Windows button + R simultaneously -> Type winver -> Press Enter.
  • A new window should pop-up giving information about the version of the operating system and the exact build number.

Regards,

Stan

 

 

 

 

 


#11 AndyFieldsMS

AndyFieldsMS
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:03:30 AM

Posted 29 June 2015 - 02:08 AM

Yes, issue with ad-redirection is no longer present, still sites like chatroulette would not allow me to send my webcam signal through the web. I'm really curious about discovering what made that issue with the ads disappear, but I guess we might know later.

The Windows 10 Build I'm running is 10130. I can try to install Windows 7 Professional on a different partition which I can create if you think that can lead us to something. I still have the product key. Thanks again for the help. 



#12 StanFF

StanFF

  • Malware Response Team
  • 1,172 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:30 PM

Posted 30 June 2015 - 11:42 PM

Hello Andy,

 

Yes, issue with ad-redirection is no longer present, still sites like chatroulette would not allow me to send my webcam signal through the web. I'm really curious about discovering what made that issue with the ads disappear, but I guess we might know later.

 

The issue was in fact related to your router. It was forcing the system to use its assigned DNS addresses, which caused the redirection problems you were experiencing both on your system and your phone. By manually setting new DNS servers, the behavior was overridden. To set certain DNS addresses to be used by the router, we must edit its configuration settings. Since I was unable to find a manual over the web for your router model, we can do two things:

  • If you are familiar with your router options, you can manually set the Google DNS servers mentioned in my previous posts by editing the related DNS setting.
  • If you are unfamiliar with your router options, you can find them following the steps described in this manual (page 27). When you access the main configuration page, you may take screenshots of the options present and post them here.

We will check the webcam problem after that, don't worry.

 

The errors you are experiencing during shut down are a known issue for the build you are using. The problem has been fixed in the next one (10147). This is one of the negative sides of using "beta" versions of the operating system.


Regards,

Stan

 

 

 

 

 


#13 StanFF

StanFF

  • Malware Response Team
  • 1,172 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:30 PM

Posted 04 July 2015 - 02:53 AM

Hello Andy, are you still with me? It has been three days since your last reply. Please, remember that the topic will be closed after two more days of inactivity.


Regards,

Stan

 

 

 

 

 


#14 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Munich,Germany
  • Local time:10:30 AM

Posted 06 July 2015 - 11:51 PM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.
regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware



