
Malware? Spyware? Not sure what to do


  • This topic is locked
6 replies to this topic

#1 cmb11792 (Members, 6 posts)

Posted 30 July 2015 - 08:36 PM

Hey all,

I've got a problem that just started a few hours ago, and I'm not sure what is causing it. My best guess is that it is malware of some sort.

Since a few hours ago, my computer has started doing something odd. Some sites that I go on are acting rather strange. Ads are coming up in Spanish, even though I am using a computer that has its default language as English, as well as having my browsers set to English. Netflix, when I tell the computer to play, is showing the title in Spanish, but only after the play button is clicked. It doesn't matter what browser I use, with varying extensions between them, none the same.

I thought it may be my IP for some reason or another, but after an ipconfig /release /renew and /flushdns, it's proven to not be the cause. I also checked my IP on some "what's my IP" sites, using the IP from ipconfig, and it does show me in the correct place, not in a Spanish-speaking country.

I ran CCleaner thinking maybe a cookie I picked up was causing it or something, I ran Malwarebytes and Kaspersky full scans, and nothing was found. I tried doing a system restore to before it happened, and it didn't change anything.

Any help would be greatly appreciated, as I'd like to get rid of whatever is causing this.

 

FRST Log and Addition attached, as well as DDS (dds/attach) logs.

 


#2 TB-Psychotic (Malware Response Team, 6,349 posts)

Posted 31 July 2015 - 02:16 AM

Hi there,
my name is Marius and I will assist you with your malware related problems.

Before we move on, please read the following points carefully.

  • First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while following my instructions, Stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  • My first language is not English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.


Fix with FRST (normal mode)

WARNING: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system
 

  • Download the attached fixlist.txt and save it to the location where FRST is saved to.
  • Run FRST.exe (on 64bit, run FRST64.exe) and press the Fix button just once and wait.
  • The tool will make a log (Fixlog.txt) which you find where you saved FRST. Please post it to your reply.

Full System Scan with Malwarebytes Antimalware



  • If not existing, please download Malwarebytes Anti-Malware to your desktop.
  • Double-click the downloaded setup file and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:
    • Launch Malwarebytes Anti-Malware
    • A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.
  • Click Finish.

If the program is already installed:

  • Run Malwarebytes Antimalware
  • On the Dashboard, click the 'Update Now >>' link
  • After the update completes, click the 'Scan Now >>' button.
  • Or, on the Dashboard, click the Scan Now >> button.
  • If an update is available, click the Update Now button.
  • A Threat Scan will begin.
  • When the scan is complete, if there have been detections, click Apply Actions to allow MBAM to clean what was detected.
  • In most cases, a restart will be required.
  • Wait for the prompt to restart the computer to appear, then click on Yes.

  • After the restart once you are back at your desktop, open MBAM once more.
  • Click on the History tab > Application Logs.
  • Double click on the scan log which shows the Date and time of the scan just performed.
  • Click 'Copy to Clipboard'
  • Paste the contents of the clipboard into your reply.

Scan with ESET Online Scan

Please go here to run the online scanner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked
  • Click on Advanced Settings and ensure these options are ticked:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Click Scan
  • Wait for the scan to finish
  • If any threats were found, click the 'List of found threats', then click Export to text file...
  • Save it to your desktop, then please copy and paste that log as a reply to this topic.

 

Proud Member of UNITE & TB

My help is free, however, if you want to support my fight against malware, click here (no worries, every little bit helps)

#3 cmb11792 (Topic Starter, Members, 6 posts)

Posted 31 July 2015 - 03:13 AM

Fixlog:

Fix result of Farbar Recovery Scan Tool (x64) Version:30-07-2015
Ran by a (2015-07-31 17:21:26) Run:1
Running from C:\Users\a\Desktop
Loaded Profiles: a (Available Profiles: a)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
AlternateDataStreams: C:\3590F75ABA9E485486C100C1A9D4FF06ZZ.Z.Z..Z....ZZZ:1
AlternateDataStreams: C:\3590F75ABA9E485486C100C1A9D4FF06ZZ.ZZ..ZZZ..Z.ZZ:1
AlternateDataStreams: C:\3590F75ABA9E485486C100C1A9D4FF06ZZZ..Z.ZZ.ZZ.ZZZ:1
CHR Extension: (IBA Opt-out (by Google)) - C:\Users\a\AppData\Local\Google\Chrome\User Data\Default\Extensions\gbiekjoijknlhijdjbaadobpkdhmoebb [2015-06-03]
 
2015-07-31 03:01 - 2015-07-31 06:15 - 00000000 ____D C:\3590F75ABA9E485486C100C1A9D4FF06ZZ.Z.Z..Z....ZZZ
2015-07-31 10:03 - 2015-07-31 10:36 - 00000000 ____D C:\3590F75ABA9E485486C100C1A9D4FF06ZZZ..Z.ZZ.ZZ.ZZZ
2015-07-31 08:05 - 2015-07-31 10:03 - 00000000 ____D C:\3590F75ABA9E485486C100C1A9D4FF06ZZ.ZZ..ZZZ..Z.ZZ
2015-07-31 06:15 - 2015-07-31 08:04 - 00000000 ____D C:\3590F75ABA9E485486C100C1A9D4FF06ZZ...Z...ZZZZ..Z
 
EmptyTemp:
*****************
 
C:\3590F75ABA9E485486C100C1A9D4FF06ZZ.Z.Z..Z....ZZZ => ":1" ADS removed successfully.
C:\3590F75ABA9E485486C100C1A9D4FF06ZZ.ZZ..ZZZ..Z.ZZ => ":1" ADS removed successfully.
C:\3590F75ABA9E485486C100C1A9D4FF06ZZZ..Z.ZZ.ZZ.ZZZ => ":1" ADS removed successfully.
C:\Users\a\AppData\Local\Google\Chrome\User Data\Default\Extensions\gbiekjoijknlhijdjbaadobpkdhmoebb folder not found
C:\3590F75ABA9E485486C100C1A9D4FF06ZZ.Z.Z..Z....ZZZ => moved successfully.
C:\3590F75ABA9E485486C100C1A9D4FF06ZZZ..Z.ZZ.ZZ.ZZZ => moved successfully.
C:\3590F75ABA9E485486C100C1A9D4FF06ZZ.ZZ..ZZZ..Z.ZZ => moved successfully.
C:\3590F75ABA9E485486C100C1A9D4FF06ZZ...Z...ZZZZ..Z => moved successfully.
EmptyTemp: => 1.1 GB temporary data Removed.
 
 
The system needed a reboot.. 
 
==== End of Fixlog 17:21:41 ====
 
MalwareBytes:
 
Malwarebytes Anti-Malware
www.malwarebytes.org
 
Scan Date: 31/07/2015
Scan Time: 5:28 PM
Logfile: 
Administrator: Yes
 
Version: 2.1.8.1057
Malware Database: v2015.07.31.02
Rootkit Database: v2015.07.30.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled
 
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: a
 
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 338642
Time Elapsed: 28 min, 58 sec
 
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
 
Processes: 0
(No malicious items detected)
 
Modules: 0
(No malicious items detected)
 
Registry Keys: 0
(No malicious items detected)
 
Registry Values: 0
(No malicious items detected)
 
Registry Data: 0
(No malicious items detected)
 
Folders: 0
(No malicious items detected)
 
Files: 0
(No malicious items detected)
 
Physical Sectors: 0
(No malicious items detected)
 
 
(end)
 
ESET:
 
Keeps giving me an error that it could not download the virus definitions and asking if my proxy is configured, even though I'm not using a proxy at all. It is requiring me to download the program, not just run it.
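An added check, not part of this thread, for the kind of item the Fixlog above removed: directories directly under C:\ that carry a named NTFS alternate data stream (the ":1" streams FRST deleted). It assumes Windows PowerShell 3.0 or later, where Get-Item accepts -Stream; whether the build in use enumerates streams on directories (not just files) is an assumption, and the "odd name" regex is a constructed heuristic matching the 32-hex-character-plus-Z names in the log, flagging only, never deleting.

```powershell
# Added example, not from the thread. Lists directories under $Root that carry a
# named NTFS alternate data stream and flags names shaped like those in the Fixlog.
# Assumptions: Windows PowerShell 3.0+ (Get-Item -Stream), and that the build in
# use can enumerate streams on directories, not only files.
param(
    [string]$Root = 'C:\'
)

# Constructed heuristic: 32 hex chars followed only by 'Z' and '.' (e.g.
# 3590F75ABA9E485486C100C1A9D4FF06ZZ.Z.Z..Z....ZZZ in the Fixlog above).
$oddNamePattern = '^[0-9A-Fa-f]{32}[Z.]+$'

$findings = foreach ($dir in Get-ChildItem -LiteralPath $Root -Directory -Force -ErrorAction SilentlyContinue) {
    # ':$DATA' is the default unnamed stream; any other stream name is an ADS.
    $streams = Get-Item -LiteralPath $dir.FullName -Stream * -ErrorAction SilentlyContinue |
               Where-Object { $_.Stream -ne ':$DATA' }
    foreach ($s in $streams) {
        [pscustomobject]@{
            Path    = $dir.FullName
            Stream  = $s.Stream
            Bytes   = $s.Length
            OddName = ($dir.Name -match $oddNamePattern)
        }
    }
}

if ($findings) {
    # Review output by hand; nothing here is removed automatically.
    $findings | Sort-Object OddName -Descending | Format-Table -AutoSize
} else {
    "No named alternate data streams found on directories under $Root"
}
```

Run it from an elevated PowerShell prompt so hidden and system directories are readable; a directory that still shows a stream after a FRST fix is worth a second look rather than a manual delete.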


#4 cmb11792 (Topic Starter, Members, 6 posts)

Posted 31 July 2015 - 06:01 AM

I got ESET to run by opening the page in IE instead of Chrome.

 

Results:

 

C:\Users\a\Desktop\Downloads\BitTorrent.exe a variant of Win32/OpenCandy.C potentially unsafe application
C:\Users\a\Desktop\Downloads\ccsetup506.exe Win32/Bundled.Toolbar.Google.D potentially unsafe application
C:\Users\a\Desktop\reaction images\ccsetup505.exe Win32/Bundled.Toolbar.Google.D potentially unsafe application
C:\Users\a\Desktop\reaction images\dfsetup219.exe Win32/Bundled.Toolbar.Google.D potentially unsafe application
C:\Users\a\Desktop\reaction images\spsetup128.exe Win32/Bundled.Toolbar.Google.D potentially unsafe application
C:\Users\a\Downloads\ccsetup507.exe Win32/Bundled.Toolbar.Google.D potentially unsafe application
C:\Users\a\Downloads\ccsetup508.exe Win32/Bundled.Toolbar.Google.D potentially unsafe application


#5 cmb11792 (Topic Starter, Members, 6 posts)

Posted 03 August 2015 - 02:29 AM

I just tried a few different things. It appears to be only Chrome doing it. Internet Explorer isn't giving me the problems at all, including Netflix showing in English where it shows in French (I was mistaken about it being Spanish). I tried changing my IP with my VPN and it's definitely attached to Chrome somehow, as it didn't make a difference when I set it to other areas of Australia or with IPs that Chrome hasn't seen before; French was still being shown.

 

Before I got on the forum, I did do a full uninstall of Chrome using Geek Uninstaller and reinstalled it, so I didn't think it was something attached to Chrome.


Edited by cmb11792, 03 August 2015 - 02:30 AM.


#6 TB-Psychotic (Malware Response Team, 6,349 posts)

Posted 03 August 2015 - 07:58 AM

The problem is that Chrome is different from other browsers, and such malware can hide deeply within its configuration.

 

Try this guide: http://www.chromestory.com/2011/11/how-to-remove-google-chrome/

 

Then we can do the cleanup - if you are facing any issues, report that immediately.

Delete junk with adwCleaner


Please download AdwCleaner to your desktop.


  • Run adwcleaner.exe
  • Hit Scan and wait for the scan to finish.
  • Confirm the message but don't uncheck anything.
  • Hit Clean
  • When the run is finished, it will open up a text file
  • Please post its contents within your next reply
  • You'll find the log file at C:\AdwCleaner[S1].txt also




Delete junk with JRT

Please download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.




SecurityCheck

Reboot your system before starting!

Please download SecurityCheck: LINK1 LINK2

  • Save it to your desktop, start it and follow the instructions in the window.
  • After the scan finished the (checkup.txt) will open. Copy its content to your thread.



Tell me: Are any problems left now or may I post the final reply? :)



#7 TB-Psychotic (Malware Response Team, 6,349 posts)

Posted 26 August 2015 - 12:37 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.