Stubborn adware


This topic is locked
52 replies to this topic

#46 deeprybka (Malware Response Team, 5,198 posts, Germany)

Posted 04 September 2015 - 09:48 AM

Please do the following:

Step 1


Press the Windows key + R on your keyboard at the same time. Type notepad and click OK.
  • Copy the entire content of the codebox below and paste into the notepad document:
    CloseProcesses:
    cmd: sfc /scanfile=C:\Windows\system32\dnsapi.dll
    cmd: sfc /scanfile=C:\Windows\SysWOW64\dnsapi.dll
    
  • Click File, Save As and type fixlist.txt as the File Name.
Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!
  • Right-click on the FRST icon and select Run as Administrator to start the tool.
    (XP users click run after receipt of Windows Security Warning - Open File).
  • Press the Fix button just once and wait.
  • If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
  • When finished FRST will generate a log on the Desktop, called Fixlog.txt.
Please post it to your reply.

Edited by deeprybka, 04 September 2015 - 10:37 AM.

regards,
deeprybka

Neminem laede, immo omnes, quantum potes, iuva. (Harm no one; rather, help everyone as much as you can.) Arthur Schopenhauer


#47 toggleon (Topic Starter, Members, 34 posts)

Posted 05 September 2015 - 08:58 AM

Hi. I ran this yesterday afternoon, but I forgot to post the log afterwards.

 

Fix result of Farbar Recovery Scan Tool (x64) Version:31-08-2015
Ran by Eva1 (2015-09-04 15:48:10) Run:5
Running from C:\Users\Eva1\Desktop\Malware protection
Loaded Profiles: Eva1 (Available Profiles: Eva1)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
CloseProcesses:
cmd: sfc /scanfile=C:\Windows\system32\dnsapi.dll
cmd: sfc /scanfile=C:\Windows\SysWOW64\dnsapi.dll
*****************
 
Processes closed successfully.
 
=========  sfc /scanfile=C:\Windows\system32\dnsapi.dll =========

Windows Resource Protection found corrupt files and successfully repaired them. Details are included in the CBS.Log windir\Logs\CBS\CBS.log. For example C:\Windows\Logs\CBS\CBS.log. Note that logging is currently not supported in offline servicing scenarios.

The system file repair changes will take effect after the next reboot.

========= End of CMD: =========
 
 
=========  sfc /scanfile=C:\Windows\SysWOW64\dnsapi.dll =========

There is a system repair pending which requires reboot to complete. Restart Windows and run sfc again.

========= End of CMD: =========
 
 
 
The system needed a reboot.. 
 
==== End of Fixlog 15:48:20 ====
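
The sfc messages in a Fixlog like the one above come out letter-spaced ("W i n d o w s   R e s o u r c e ...") because sfc.exe writes its output as UTF-16LE and the captured bytes are evidently copied straight into the 8-bit log: every second byte is a NUL, which a browser renders as a space. The helper below is an added example, written for this thread and not part of FRST or of anyone's post, that undoes that interleave on a pasted fragment and, for a capture you make yourself with `sfc /scannow > out.txt`, decodes the raw bytes properly. The sample text is a constructed copy of the first sfc block from the posted Fixlog.

```python
# Added example, not from the original thread or from FRST: undo the
# letter-spacing that sfc.exe output acquires when its UTF-16LE text is
# copied byte-for-byte into an 8-bit log ("W i n d o w s").  In the raw log
# every second byte is a NUL; pasted into a browser the NULs become spaces.

def decode_sfc_line(line: str) -> str:
    """Return the readable text for one interleaved line, or the line itself.

    Heuristic: if every character at odd positions (after an optional leading
    pad) is a NUL or a space, keep only the even positions.  Ordinary log
    lines ("Processes closed successfully.") fail that test and pass through.
    """
    line = line.rstrip("\r\n")
    for offset in (0, 1):            # leading pad byte/space may or may not be there
        body = line[offset:]
        if len(body) < 4:
            continue
        if all(c in (" ", "\x00") for c in body[1::2]):
            return body[0::2]
    return line


def recover_sfc_output(text: str) -> str:
    """Decode every line of a pasted Fixlog fragment and join the non-empty ones."""
    pieces = (decode_sfc_line(l).strip() for l in text.splitlines())
    return " ".join(p for p in pieces if p)


def decode_sfc_capture(raw: bytes) -> str:
    """For your own `sfc /scannow > out.txt` capture: decode the raw bytes as UTF-16LE."""
    if raw.startswith(b"\xff\xfe"):      # byte-order mark, present on some captures
        raw = raw[2:]
    return raw.decode("utf-16-le")


# Constructed sample: the first sfc block of the Fixlog posted above, as pasted.
SAMPLE = (
    " W i n d o w s   R e s o u r c e   P r o t e c t i o n   f o u n d   c o r r u p t   f i l e s   a n d   s u c c e s s f u l l y   r e p a i r e d   \n"
    " \n"
    " t h e m .   D e t a i l s   a r e   i n c l u d e d   i n   t h e   C B S . L o g   w i n d i r \\ L o g s \\ C B S \\ C B S . l o g .   F o r   \n"
    " \n"
    " e x a m p l e   C : \\ W i n d o w s \\ L o g s \\ C B S \\ C B S . l o g .   N o t e   t h a t   l o g g i n g   i s   c u r r e n t l y   n o t   \n"
    " \n"
    " s u p p o r t e d   i n   o f f l i n e   s e r v i c i n g   s c e n a r i o s . \n"
    " \n"
    " T h e   s y s t e m   f i l e   r e p a i r   c h a n g e s   w i l l   t a k e   e f f e c t   a f t e r   t h e   n e x t   r e b o o t . \n"
)

if __name__ == "__main__":
    print(recover_sfc_output(SAMPLE))
```

The odd-position test is deliberately strict: a line passes only if every second character is blank, so genuine log lines are left alone even when they contain runs of spaces.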


#48 deeprybka (Malware Response Team)

Posted 05 September 2015 - 09:00 AM

No problem. :)

Last check:

Step 1

  • Start FRST with Administrator privileges.
  • Write the following text into the Search textbox:
dnsapi.dll
  • Click on the Search Files button.
  • When finished, a log file (Search.txt) pops up and is saved to the same location the tool was run from.
  • Please copy and paste its contents in your next reply.
Are there any problems left?
regards,
deeprybka

#49 toggleon (Topic Starter)

Posted 05 September 2015 - 10:14 AM

So far things seem to be going well. Chrome is much faster when I use it and neither I nor my daughter have seen any of the pop-ups.
 
My one question is regarding the cookies. Obviously every time you go to a site you are more or less granting permission to have a cookie placed on your computer, but the virus was also injecting cookies into the browser. In scanning the cookie list I see some names that seem somewhat suspicious, but also could be put there by a legit source. So my question is what is the best way to verify that the cookies are safe.
 
 
Farbar Recovery Scan Tool (x64) Version:31-08-2015
Ran by Eva1 (2015-09-05 10:00:18)
Running from C:\Users\Eva1\Desktop\Malware protection
Boot Mode: Normal
 
================== Search Files: "dnsapi.dll" =============
 
C:\Windows\WinSxS\wow64_microsoft-windows-dns-client-minwin_31bf3856ad364e35_6.3.9600.17415_none_90eb58f92b43cedd\dnsapi.dll
[2015-05-25 12:20][2015-07-20 16:50] 0498688 ____A (Microsoft Corporation) A2B1D4C7F59AE928B042A098BAFF8914 [File not signed]
 
C:\Windows\WinSxS\wow64_microsoft-windows-dns-client-minwin_31bf3856ad364e35_6.3.9600.17039_none_90d9b2b12b50777f\dnsapi.dll
[2014-09-24 11:05][2015-05-30 19:48] 0106819 ____A () 8352637D2731E59DD15E7D8DA9E2A1A0 [File not signed]
 
C:\Windows\WinSxS\amd64_microsoft-windows-dns-client-minwin_31bf3856ad364e35_6.3.9600.17415_none_8696aea6f6e30ce2\dnsapi.dll
[2015-05-25 12:20][2015-09-04 15:48] 0657920 ____A (Microsoft Corporation) A5675939CF0F99B20B5A3CFCC3C1B46A [File is digitally signed]
 
C:\Windows\WinSxS\amd64_microsoft-windows-dns-client-minwin_31bf3856ad364e35_6.3.9600.17039_none_8685085ef6efb584\dnsapi.dll
[2014-09-24 11:05][2015-05-30 18:41] 0150063 ____A () 317AD768649A884ADF8325B18CD77A15 [File not signed]
 
C:\Windows\SysWOW64\dnsapi.dll
[2015-05-25 12:20][2015-09-03 14:01] 0498688 ____A (Microsoft Corporation) 205BDB00F4C032AF45A6BFD18EA7886C [File not signed]
 
C:\Windows\System32\dnsapi.dll
[2015-05-25 12:20][2015-09-04 15:48] 0657920 ____A (Microsoft Corporation) A5675939CF0F99B20B5A3CFCC3C1B46A [File is digitally signed]
 
C:\Users\Eva1\Desktop\Malware protection\replacement for syswow64\dnsapi.dll
[2014-11-05 03:20][2015-09-03 14:01] 0498688 ____A (Microsoft Corporation) 205BDB00F4C032AF45A6BFD18EA7886C [File not signed]
 
C:\Users\Eva1\Desktop\Malware protection\replace for system 32 folder\dnsapi.dll
[2014-11-05 03:44][2015-09-03 14:01] 0657920 ____A (Microsoft Corporation) 0B082D6D7A53D91678E7409DD145E89C [File not signed]
 
C:\$Windows.~BT\Sources\SafeOS\SafeOS.Mount\Windows\WinSxS\amd64_microsoft-windows-dns-client-minwin_31bf3856ad364e35_10.0.10240.16384_none_9d8c256ebdd2e48a\dnsapi.dll
[2015-07-10 05:30][2015-07-10 05:30] 0680256 ___AL () D41D8CD98F00B204E9800998ECF8427E [File not signed]
 
C:\$Windows.~BT\Sources\SafeOS\SafeOS.Mount\Windows\System32\dnsapi.dll
[2015-07-10 05:30][2015-07-10 05:30] 0680256 ___AL () D41D8CD98F00B204E9800998ECF8427E [File not signed]
 
====== End of Search ======
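
A way to read a listing like the one above mechanically, as an added example that is not FRST's code and not part of the original thread. It parses the Search.txt entry format shown above (a path line followed by `[created][modified] size attributes (company) MD5 [signature status]`; that layout is an assumption taken from this log, not a documented format) and flags the copies a responder should look at: a copy in System32 or SysWOW64 that FRST reports as unsigned and whose hash matches no signed copy in the listing, together with every other location holding the identical bytes, and any entry whose MD5 is D41D8CD98F00B204E9800998ECF8427E, the hash of zero bytes, which means nothing was actually hashed. The sample data is a subset of the listing above with paths, sizes and hashes unchanged. Keep in mind that many Windows binaries are signed through catalog files rather than with an embedded signature, so "File not signed" on its own is weak evidence; on the live machine, confirm with PowerShell's Get-AuthenticodeSignature, which also consults the catalogs.

```python
import re
from hashlib import md5

# Added example, not part of the original thread: triage an FRST
# "Search Files" listing for a system DLL.  The sample below is a subset
# of the Search.txt posted above (paths, sizes and hashes unchanged).
SEARCH_LOG = r"""
================== Search Files: "dnsapi.dll" =============

C:\Windows\WinSxS\amd64_microsoft-windows-dns-client-minwin_31bf3856ad364e35_6.3.9600.17415_none_8696aea6f6e30ce2\dnsapi.dll
[2015-05-25 12:20][2015-09-04 15:48] 0657920 ____A (Microsoft Corporation) A5675939CF0F99B20B5A3CFCC3C1B46A [File is digitally signed]

C:\Windows\SysWOW64\dnsapi.dll
[2015-05-25 12:20][2015-09-03 14:01] 0498688 ____A (Microsoft Corporation) 205BDB00F4C032AF45A6BFD18EA7886C [File not signed]

C:\Windows\System32\dnsapi.dll
[2015-05-25 12:20][2015-09-04 15:48] 0657920 ____A (Microsoft Corporation) A5675939CF0F99B20B5A3CFCC3C1B46A [File is digitally signed]

C:\Users\Eva1\Desktop\Malware protection\replacement for syswow64\dnsapi.dll
[2014-11-05 03:20][2015-09-03 14:01] 0498688 ____A (Microsoft Corporation) 205BDB00F4C032AF45A6BFD18EA7886C [File not signed]

C:\$Windows.~BT\Sources\SafeOS\SafeOS.Mount\Windows\System32\dnsapi.dll
[2015-07-10 05:30][2015-07-10 05:30] 0680256 ___AL () D41D8CD98F00B204E9800998ECF8427E [File not signed]

====== End of Search ======
"""

# One FRST entry: a path line, then "[created][modified] size attrs (company) MD5 [signature]".
# This layout is inferred from the posted log, not taken from FRST documentation.
ENTRY_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+)\r?\n"
    r"\[(?P<created>[^\]]+)\]\[(?P<modified>[^\]]+)\] "
    r"(?P<size>\d+) (?P<attrs>\S+) \((?P<company>[^)]*)\) "
    r"(?P<md5>[0-9A-Fa-f]{32}) \[(?P<sig>[^\]]+)\]$",
    re.MULTILINE,
)

# Directories from which the running OS actually loads the DLL.
LIVE_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# MD5 of zero bytes: an entry reporting it was not really read, so its hash proves nothing.
EMPTY_MD5 = md5(b"").hexdigest().upper()


def parse_search(text):
    """Return one dict per listed file, in listing order."""
    entries = []
    for m in ENTRY_RE.finditer(text):
        e = m.groupdict()
        e["size"] = int(e["size"])
        e["md5"] = e["md5"].upper()
        e["signed"] = e["sig"] == "File is digitally signed"
        entries.append(e)
    return entries


def triage(entries):
    """Map path -> reason for every copy a responder should look at."""
    by_md5 = {}
    for e in entries:
        by_md5.setdefault(e["md5"], []).append(e["path"])
    signed_hashes = {e["md5"] for e in entries if e["signed"]}

    findings = {}
    for e in entries:
        if e["md5"] == EMPTY_MD5:
            findings[e["path"]] = "hash is MD5 of zero bytes: placeholder, not a real copy"
            continue
        live = any(e["path"].lower().startswith(d) for d in LIVE_DIRS)
        if not live or e["signed"]:
            continue
        reason = "unsigned copy in a live system directory"
        if e["md5"] not in signed_hashes:
            reason += "; no signed copy with this hash anywhere in the listing"
        twins = [p for p in by_md5[e["md5"]] if p != e["path"]]
        if twins:
            reason += "; identical bytes also at " + ", ".join(twins)
        findings[e["path"]] = reason
    return findings


if __name__ == "__main__":
    for path, why in triage(parse_search(SEARCH_LOG)).items():
        print(f"{path}\n    {why}")
```

Run against the sample it reports two entries: the SysWOW64 copy (unsigned, hash 205BDB00F4C032AF45A6BFD18EA7886C, identical only to the desktop "replacement for syswow64" file, i.e. bytes that did not come from the component store, which is the copy the helper re-ran sfc /scanfile against) and the SafeOS mount entry with the empty-input hash. The repaired System32 copy passes, since its hash A5675939CF0F99B20B5A3CFCC3C1B46A is the signed WinSxS 6.3.9600.17415 component.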


#50 deeprybka (Malware Response Team)

Posted 05 September 2015 - 10:35 AM

Cookies are only text files from visited sites.

 

Step 1


Press the Windows key + R on your keyboard at the same time. Type notepad and click OK.

  • Copy the entire content of the codebox below and paste into the notepad document:
    CloseProcesses:
    cmd: sfc /scanfile=C:\Windows\SysWOW64\dnsapi.dll
    
  • Click File, Save As and type fixlist.txt as the File Name.

Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!

  • Right-click on the FRST icon and select Run as Administrator to start the tool.
    (XP users click run after receipt of Windows Security Warning - Open File).
  • Press the Fix button just once and wait.
  • If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
  • When finished FRST will generate a log on the Desktop, called Fixlog.txt.

Please post it to your reply.



That's it!
Your logs look clean to me at the moment.
We're gonna clean up everything now, close security holes on your computer and in the end I'll provide you with a list of security tips so you hopefully will not need our help anymore in the future.


My help is free for everybody, however...
If I have helped you fix your PC, then please consider donating to continue the fight against malware.
Thank you!


Clean Up

Now we remove all the tools we used (including their logs and quarantine folders), restore your settings and delete old and infected system restorepoints:

  • You can uninstall programs that you had to install (e.g. MBAM or ESET Onlinescanner) in the control panel if you so wish.
  • Download DelFix (by Xplode) and save it to your Desktop.
    • Close all running programs and start delfix.exe.
    • Make sure that all available options are checked.
    • Click on Run
    • DelFix should remove all our tools and delete itself afterwards. I don't need the log file.
  • If there is still something left you can delete it manually.

Closing security holes

Many infections happen via drive-by downloads that run unnoticed in the background while the user visits an infected website. To achieve this, malware exploits security holes in installed software (e.g. the browser or its plugins). Older versions of such software often have lots of known exploitable holes. Therefore it is very important to always keep your software up to date.

Tips

I recommend to read and follow the "16 simple and easy ways to keep your computer safe and secure on the Internet" (Link) by Lawrence Abrams.


regards,
deeprybka

#51 toggleon (Topic Starter)

Posted 05 September 2015 - 10:40 AM

I think I understand, so the cookies from the adware appeared because we were getting sent to those sites.

 

Here's the fixlog

 

Fix result of Farbar Recovery Scan Tool (x64) Version:31-08-2015
Ran by Eva1 (2015-09-05 10:38:50) Run:6
Running from C:\Users\Eva1\Desktop\Malware protection
Loaded Profiles: Eva1 (Available Profiles: Eva1)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
cmd: sfc /scanfile=C:\Windows\SysWOW64\dnsapi.dll
*****************
 
 
=========  sfc /scanfile=C:\Windows\SysWOW64\dnsapi.dll =========

Windows Resource Protection found corrupt files and successfully repaired them. Details are included in the CBS.Log windir\Logs\CBS\CBS.log. For example C:\Windows\Logs\CBS\CBS.log. Note that logging is currently not supported in offline servicing scenarios.

The system file repair changes will take effect after the next reboot.

========= End of CMD: =========
 
 
==== End of Fixlog 10:38:55 ====
 
I will run delfix now


#52 deeprybka (Malware Response Team)

Posted 05 September 2015 - 10:43 AM

fixlist content:
*****************
cmd: sfc /scanfile=C:\Windows\SysWOW64\dnsapi.dll

CloseProcesses: directive is missing! Please reboot your computer first!

 

Cookie-Information:

http://www.avgthreatlabs.com/virus-and-malware-information/content/tracking-cookies/


Edited by deeprybka, 05 September 2015 - 10:47 AM.

regards,
deeprybka

#53 deeprybka (Malware Response Team)

Posted 06 September 2015 - 10:26 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
regards,
deeprybka



