
Have Wander Burst adware and it keeps coming back.


  • This topic is locked
5 replies to this topic

#1 harryhh

harryhh

  • Members
  • 53 posts
  • OFFLINE
  • Gender:Male
  • Location:Princeton, ILL
  • Local time:08:30 PM

Posted 01 August 2015 - 01:33 AM

Win 7 Home 64bit

WD primary drive C: D: E: F:

Maxtor second drive G:

WD10EZEX new drive installed, but not formatted, and no drive letter

 

I am installing a new larger hard drive in my desktop to be my primary drive. In order to clone the drive I started to download the free Macrium Reflect, but didn't like all the stuff it wanted to add, and the things it wanted me to agree to, so I did not continue with the process. But, there is a Macrium folder on my C: drive.

 

Next, already having EaseUS on my machine, I decided to download the newer free version of Partition Master and Todo Backup. This I did.

 

Now I have Wander Burst adware on my computer and can't get rid of it. Adwcleaner will find it, and I tell it to delete it, but it comes back when I restart my computer. I disable it in FireFox Extensions, but it is enabled again upon restart. Adwcleaner doesn't find much, but I don't let it delete everything it finds because I'm not sure what some of it is.

 

I've also run Microsoft Malicious Software Tool and scanned with Bitdefender. Bitdefender has twice found and quarantined Gen:Variant.Adware.Graftor.205480 in what must be a hidden folder ProgramData.

 

I may now have other junk on my computer. I'm not sure.

 

Often, but not every time, when I restart the computer, Bitdefender says it is disinfecting.

 

Thanks,

Harry

 

Attached File  Addition.txt   44.88KB   6 downloads

Attached File  FRST.txt   260.01KB   6 downloads


Can't keep up with the computer stuff anymore. It's getting beyond me.  :mellow:



 


#2 nasdaq

nasdaq

  • Malware Response Team
  • 40,182 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:30 PM

Posted 02 August 2015 - 09:55 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Open Notepad (Start => All Programs => Accessories => Notepad). Please copy the entire contents of the code box below.


start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

() C:\Program Files (x86)\Common Files\fccb0821-00ee-466c-acb5-2a5cec258511\updater.exe
() C:\ProgramData\fccb0821-00ee-466c-acb5-2a5cec258511\PluginContainer.exe
URLSearchHook: HKU\S-1-5-21-4197695769-2084072578-523761739-1001 - (No Name) - {BC86E1AB-EDA5-4059-938F-CE307B0C6F0A} - No File
Handler: gcf - {9875BFAF-B04D-445E-8A69-BE36838CDE3E} -  No File
FF Plugin-x32: @videolan.org/vlc,version=2.0.5 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll No File
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\browser\plugins\npMozCouponPrinter.dll [2013-08-02] (Coupons, Inc.)
FF Extension: Block site - C:\Users\Harry\AppData\Roaming\Mozilla\Firefox\Profiles\2y67u4nl.default\Extensions\{dd3d7613-0246-469d-bc65-2a3cc1668adc} [2015-05-30]
FF Extension: Wander Burst - C:\Users\Harry\AppData\Roaming\Mozilla\Firefox\Profiles\2y67u4nl.default\Extensions\{5eeca95e-41fc-41a2-83b1-b1156bc20be4}.xpi [2015-07-31]
CHR HKLM-x32\...\Chrome\Extension: [fabcmochhfpldjekobfaaggijgohadih] - https://clients2.google.com/service/update2/crx
R2 Service Mgr WanderBurst; C:\ProgramData\fccb0821-00ee-466c-acb5-2a5cec258511\PluginContainer.exe [1098976 2015-07-30] ()
R2 Update Mgr WanderBurst; C:\Program Files (x86)\Common Files\fccb0821-00ee-466c-acb5-2a5cec258511\updater.exe [1067232 2015-07-31] ()
C:\Program Files (x86)\Common Files\fccb0821-00ee-466c-acb5-2a5cec258511\updater.exe
C:\ProgramData\fccb0821-00ee-466c-acb5-2a5cec258511\PluginContainer.exe
C:\Program Files (x86)\mozilla firefox\browser\plugins\npMozCouponPrinter.dll
C:\Users\Harry\AppData\Roaming\Mozilla\Firefox\Profiles\2y67u4nl.default\Extensions\{dd3d7613-0246-469d-bc65-2a3cc1668adc}
C:\Users\Harry\AppData\Roaming\Mozilla\Firefox\Profiles\2y67u4nl.default\Extensions\{5eeca95e-41fc-41a2-83b1-b1156bc20be4}.xpi
C:\ProgramData\fccb0821-00ee-466c-acb5-2a5cec258511
C:\Program Files (x86)\Common Files\fccb0821-00ee-466c-acb5-2a5cec258511
Task: {2A8D8BFF-67A2-4C42-97ED-7820E7048071} - \60823888 No Task File <==== ATTENTION
Task: {D80B194D-A304-45C8-B0D1-0F2DD7E87866} - System32\Tasks\winupd => C:\Users\Harry\AppData\Local\Temp:winupd.exe <==== ATTENTION
AlternateDataStreams: C:\Windows\SysWOW64\FlashPlayerInstaller.exe:BDU
C:\Users\Harry\AppData\Local\Temp:winupd.exe

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the Report button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, close the AdwCleaner windows.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button and follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Sn].txt (n is a number).
===

How is the computer running now?
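
Added example (not part of the thread, and not FRST's own logic): a small triage pass over lines copied from the fixlist above, flagging the persistence traits visible in them, namely services running from GUID-named directories, a scheduled task whose target is an NTFS alternate data stream, and entries whose target file is missing. The flag names and the `triage` function are hypothetical, and the service-line prefix is assumed from the `R2` entries shown above.

```python
import re

# Lines copied from the fixlist in the post above (FRST log format as shown there).
SAMPLE = r"""
R2 Service Mgr WanderBurst; C:\ProgramData\fccb0821-00ee-466c-acb5-2a5cec258511\PluginContainer.exe [1098976 2015-07-30] ()
R2 Update Mgr WanderBurst; C:\Program Files (x86)\Common Files\fccb0821-00ee-466c-acb5-2a5cec258511\updater.exe [1067232 2015-07-31] ()
Task: {2A8D8BFF-67A2-4C42-97ED-7820E7048071} - \60823888 No Task File <==== ATTENTION
Task: {D80B194D-A304-45C8-B0D1-0F2DD7E87866} - System32\Tasks\winupd => C:\Users\Harry\AppData\Local\Temp:winupd.exe <==== ATTENTION
FF Plugin-x32: @videolan.org/vlc,version=2.0.5 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll No File
FF Extension: Wander Burst - C:\Users\Harry\AppData\Roaming\Mozilla\Firefox\Profiles\2y67u4nl.default\Extensions\{5eeca95e-41fc-41a2-83b1-b1156bc20be4}.xpi [2015-07-31]
AlternateDataStreams: C:\Windows\SysWOW64\FlashPlayerInstaller.exe:BDU
"""

# A directory named as a bare GUID (no braces), as in the two service paths.
GUID_DIR = re.compile(r"\\[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\\", re.I)
# A second colon after the drive letter means an NTFS alternate data stream.
ADS = re.compile(r"[A-Za-z]:\\[^:\r\n]*:[^\\\s]+")
MISSING = re.compile(r"No (?:Task )?File\b")


def triage(text):
    """Return (kind, sorted flags, line) for each line that raises a flag."""
    findings = []
    for line in filter(None, map(str.strip, text.splitlines())):
        # Assumption: service lines start with a state code such as "R2".
        kind = "service" if re.match(r"[A-Z]\d ", line) else line.split(":", 1)[0]
        flags = set()
        if GUID_DIR.search(line):
            flags.add("guid-named-dir")
        if ADS.search(line):
            flags.add("alternate-data-stream")
        if MISSING.search(line):
            flags.add("missing-target")
        if "<==== ATTENTION" in line:
            flags.add("frst-attention")
        if flags:
            findings.append((kind, sorted(flags), line))
    return findings


if __name__ == "__main__":
    for kind, flags, line in triage(SAMPLE):
        print(f"{kind:22} {', '.join(flags):40} {line[:60]}")
```

The Wander Burst Firefox extension line raises none of these flags, so path heuristics like these only narrow the list; the extension still has to be matched by name against the flagged services.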

#3 harryhh

harryhh

Posted 02 August 2015 - 03:31 PM

Hello nasdaq, and thanks for coming to help.
 
Having to click off all those flashing advertisements is one thing, but seeing your hard drive light continuously going is something else. You wonder if something is stealing everything off of your computer.
 
I have followed your instructions, and things seem to be good. Wander Burst is no longer in my Firefox extensions. Neither Adwcleaner, Explorer search, nor Regedit search finds it.
 
I have restarted my computer three times and Bitdefender doesn't say it is disinfecting. I have gone to 15 or 20 web pages and there have been no unusual ads.

 

I had originally used Adwcleaner myself, but didn't allow it to delete everything it found. This time I deleted everything.

 

Attached File  Fixlog.txt   5.77KB   1 downloads

Attached File  AdwCleanerS5.txt   2.07KB   1 downloads

 

I will keep a close eye on my computer for the next few days, and if it seems to act up, I will post here. If it seems to be fine, I will post that here also.

 

Thanks,

Harry

 

 




#4 nasdaq

nasdaq


Posted 03 August 2015 - 06:55 AM

Looking good.

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/
===

#5 harryhh

harryhh

Posted 03 August 2015 - 12:59 PM

Hello nasdaq,

 

Everything does seem to be fine. I think we can call this solved. :bananas:

 

And thank you for the info on keeping my computer safe.

 

Harry




#6 nasdaq

nasdaq


Posted 03 August 2015 - 01:27 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.



