Youradexchange Infection on Windows Vista Machine


  • This topic is locked
11 replies to this topic

#1 Stanae86

  • Members
  • 5 posts

Posted 12 September 2015 - 10:49 AM

Hello, my mom's computer appears to have been infected with Youradexchange. While using Firefox, new windows will open to various ad sites like tarot card reading, adult chats, and alleged programs for virus scanning and removal.

 

I have tried running Malwarebytes, Spybot, SpywareBlaster, and Windows Malicious Software Removal Tool without luck. I have subsequently installed Kaspersky, but this was after the infection. I see the Kaspersky icon on the Firefox toolbar showing it's working in the background and various things are being blocked, and under "Ad agencies" that Youradexchange.com is blocked, but random windows are still opening, so I don't know if there are other programs infecting my mom's computer as well.

 

Any help is greatly appreciated.

 

Attached are the FRST and ADDITION text files.

 

Thank you.

Attached Files




#2 nasdaq

  • Malware Response Team
  • 40,197 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 13 September 2015 - 08:27 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===


ATTENTION: System Restore is disabled

Turn System Restore on - Windows Help
http://windows.microsoft.com/en-ca/windows/turn-system-restore-on-off#1TC=windows-7
===


Please remove the program in bold using the Add/Remove Program applet.
Firefox Packages (HKU\S-1-5-21-363458255-1724009407-2421375920-1002\...\Firefox Packages) (Version: - ) <==== ATTENTION

===
 

Ran by Mom (ATTENTION: The user is not administrator) on MAIN (12-09-2015 08:33:18)
Running from C:\Users\Mom\Desktop\FRST
Loaded Profiles: Stanton & Mom (Available Profiles: Stanton & Amy & Mom)

Please run the FRST tool in an Administrator account.

Post a fresh FRST log for my review.

#4 Stanae86

  • Topic Starter
  • Members
  • 5 posts

Posted 13 September 2015 - 08:16 PM

Thanks nasdaq!

 

I went ahead and uninstalled Firefox Packages, system restore for the C drive is on, and I re-ran FRST from my administrator account.  The logs are attached.

 

I don't know if it makes a difference, but I had time to play around with the computer a little bit more.  It seems that when I'm using Firefox under my profile, there are no pop-ups but I see Kaspersky working and preventing things from happening at the little icon at the top right of my toolbar.  Once I try using Firefox under my mom's profile, the unwanted pop-up windows open despite Kaspersky still working away.

 

Thanks for your help!

 

-S

Attached Files


Edited by Stanae86, 13 September 2015 - 08:17 PM.


#5 nasdaq

  • Malware Response Team
  • 40,197 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 14 September 2015 - 07:36 AM


Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.
Please copy the entire contents of the code box below to a new file.


start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

Winlogon\Notify\SDWinLogon: SDWinLogon.dll [X]
HKU\S-1-5-21-363458255-1724009407-2421375920-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
FF Plugin: @viewpoint.com/VMP -> C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll [2004-02-20] ()
S4 blbdrive; \SystemRoot\system32\drivers\blbdrive.sys [X]
S3 IpInIp; system32\DRIVERS\ipinip.sys [X]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [X]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [X]
Task: {1A605918-5D31-4F06-9382-A7FC3348B4AB} - \LaunchPreSignup -> No File <==== ATTENTION
AlternateDataStreams: C:\ProgramData\TEMP:5C321E34
C:\Program Files\Viewpoint
C:\Users\Stanton\AppData\Local\Temp\ose00000.exe
C:\Users\Stanton\AppData\Local\Temp\_is1ADF.exe
C:\Users\Stanton\AppData\Local\Temp\_is35DE.exe
C:\Users\Stanton\AppData\Local\Temp\_is5179.exe

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the Report button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, close the AdwCleaner windows.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button and follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Sn].txt (n is a number).
===

Firefox:
Reset Default Browsing settings:
https://support.mozilla.org/en-US/kb/reset-firefox-easily-fix-problems?utm_expid=65912487-41.djHNRQY0RhaLvvtvcd0BQA.2&utm_referrer=https%3A%2F%2Fwww.google.ca%2F

Clean the Firefox Cache.
https://kb.wisc.edu/page.php?id=15141
===

How is the computer running now?

#6 Stanae86

  • Topic Starter
  • Members
  • 5 posts

Posted 14 September 2015 - 09:33 PM

Hi nasdaq,

 

I ran fixlist.txt and fixlog.txt is as follows:

 

Fix result of Farbar Recovery Scan Tool (x86) Version:13-09-2015 02
Ran by Stanton (2015-09-14 07:06:53) Run:1
Running from C:\Users\Stanton\Desktop\FRST
Loaded Profiles: Stanton (Available Profiles: Stanton & Amy & Mom)
Boot Mode: Normal

==============================================

fixlist content:
*****************
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

Winlogon\Notify\SDWinLogon: SDWinLogon.dll [X]
HKU\S-1-5-21-363458255-1724009407-2421375920-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
FF Plugin: @viewpoint.com/VMP -> C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll [2004-02-20] ()
S4 blbdrive; \SystemRoot\system32\drivers\blbdrive.sys [X]
S3 IpInIp; system32\DRIVERS\ipinip.sys [X]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [X]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [X]
Task: {1A605918-5D31-4F06-9382-A7FC3348B4AB} - \LaunchPreSignup -> No File <==== ATTENTION
AlternateDataStreams: C:\ProgramData\TEMP:5C321E34
C:\Program Files\Viewpoint
C:\Users\Stanton\AppData\Local\Temp\ose00000.exe
C:\Users\Stanton\AppData\Local\Temp\_is1ADF.exe
C:\Users\Stanton\AppData\Local\Temp\_is35DE.exe
C:\Users\Stanton\AppData\Local\Temp\_is5179.exe

End
*****************

Restore point was successfully created.
Processes closed successfully.
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SDWinLogon" => key removed successfully.
"HKU\S-1-5-21-363458255-1724009407-2421375920-1000\SOFTWARE\Policies\Microsoft\Internet Explorer" => key removed successfully.
"HKLM\Software\MozillaPlugins\@viewpoint.com/VMP" => key removed successfully.
C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll => moved successfully
blbdrive => service removed successfully.
IpInIp => service removed successfully.
NwlnkFlt => service removed successfully.
NwlnkFwd => service removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{1A605918-5D31-4F06-9382-A7FC3348B4AB}" => key removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{1A605918-5D31-4F06-9382-A7FC3348B4AB}" => key removed successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\LaunchPreSignup => key not found.
C:\ProgramData\TEMP => ":5C321E34" ADS removed successfully..
C:\Program Files\Viewpoint => moved successfully
C:\Users\Stanton\AppData\Local\Temp\ose00000.exe => moved successfully
C:\Users\Stanton\AppData\Local\Temp\_is1ADF.exe => moved successfully
C:\Users\Stanton\AppData\Local\Temp\_is35DE.exe => moved successfully
C:\Users\Stanton\AppData\Local\Temp\_is5179.exe => moved successfully
EmptyTemp: => 186.9 MB temporary data Removed.


The system needed a reboot.

==== End of Fixlog 07:08:35 ====

 

I downloaded and ran AdwCleaner by pressing <Scan> and it runs through the process of scanning, but then stops, and I do not see any option for clicking a "Report" button. I have attached a picture of what I see after letting AdwCleaner run.

 

At the moment, the pop-ups appear to have been resolved.  I see Kaspersky working to keep things from happening, but new windows are not popping open.

 

Am I not seeing something in AdwCleaner for creating the Report?

 

Thanks!

 

-S

 

 

Attached Files


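The fixlist posted by nasdaq and the Fixlog.txt posted in reply above are the two halves of one FRST fix: every directive in the fixlist should produce at least one result line in the log. As an added example (my own code, not FRST's and not from this thread), the Python script below pairs each fixlist directive with the Fixlog lines that report on it and lists any directive that has no confirmed result, which is the check a reader wants before declaring the fix complete. The sample fixlist and log are the ones posted above, trimmed, with one Temp file deliberately left out of the log so the unmatched case is visible; the matching rules (registry key by path suffix, service by name, scheduled task by GUID and tree name, ADS by stream name, everything else by exact path) are my reading of the Fixlog format shown in this thread, not a documented FRST API.

```python
"""Reconcile an FRST fixlist with the Fixlog.txt it produced (added example)."""
import re

# Constructed sample: the fixlist and Fixlog from this thread, trimmed, with
# _is1ADF.exe deliberately left out of the log to show an unmatched directive.
FIXLIST = r"""start
CreateRestorePoint:
EmptyTemp:
CloseProcesses:
HKU\S-1-5-21-363458255-1724009407-2421375920-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
FF Plugin: @viewpoint.com/VMP -> C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll [2004-02-20] ()
S4 blbdrive; \SystemRoot\system32\drivers\blbdrive.sys [X]
Task: {1A605918-5D31-4F06-9382-A7FC3348B4AB} - \LaunchPreSignup -> No File <==== ATTENTION
AlternateDataStreams: C:\ProgramData\TEMP:5C321E34
C:\Program Files\Viewpoint
C:\Users\Stanton\AppData\Local\Temp\ose00000.exe
C:\Users\Stanton\AppData\Local\Temp\_is1ADF.exe
End"""

FIXLOG = r"""Restore point was successfully created.
Processes closed successfully.
"HKU\S-1-5-21-363458255-1724009407-2421375920-1000\SOFTWARE\Policies\Microsoft\Internet Explorer" => key removed successfully.
"HKLM\Software\MozillaPlugins\@viewpoint.com/VMP" => key removed successfully.
C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll => moved successfully
blbdrive => service removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{1A605918-5D31-4F06-9382-A7FC3348B4AB}" => key removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{1A605918-5D31-4F06-9382-A7FC3348B4AB}" => key removed successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\LaunchPreSignup => key not found.
C:\ProgramData\TEMP => ":5C321E34" ADS removed successfully..
C:\Program Files\Viewpoint => moved successfully
C:\Users\Stanton\AppData\Local\Temp\ose00000.exe => moved successfully
EmptyTemp: => 186.9 MB temporary data Removed."""

# Fixlog lines without "=>" that report on a command directive (assumed format).
PLAIN_RESULTS = {"Restore point was successfully created.": "CreateRestorePoint:",
                 "Processes closed successfully.": "CloseProcesses:"}
RESULT_LINE = re.compile(r'^"?(?P<target>.+?)"? => (?P<outcome>.+)$')
SUCCESS = re.compile(r"successfully|removed", re.I)

def parse_fixlog(text):
    """Return [(target, outcome)] for every result line in a Fixlog."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = RESULT_LINE.match(line)
        if line in PLAIN_RESULTS:
            entries.append((PLAIN_RESULTS[line], line))
        elif m:
            entries.append((m["target"], m["outcome"]))
    return entries

def directive_idents(line):
    """Identifiers (registry or file path, service name, task GUID and name,
    ADS stream) that a Fixlog result for this directive would carry."""
    if line.startswith("FF Plugin: "):
        ident, _, rest = line[len("FF Plugin: "):].partition(" -> ")
        return [ident, rest.split(" [", 1)[0]]
    m = re.match(r"^[SRU]\d (\S+);", line)            # "S4 blbdrive; path [X]"
    if m:
        return [m.group(1)]
    m = re.match(r"^Task: (\{[0-9A-Fa-f-]+\}) - \\([^\s>]+)", line)
    if m:
        return [m.group(1), m.group(2)]
    if line.startswith("AlternateDataStreams: "):
        path, _, stream = line[len("AlternateDataStreams: "):].rpartition(":")
        return [path, ":" + stream]
    if line.startswith(("Winlogon\\", "HKU\\", "HKLM\\", "HKCU\\")):
        return [line.split(":", 1)[0]]              # key path before ": value"
    return [line]                                    # command or plain file path

def matches(ident, target, outcome):
    """True when a Fixlog entry reports on this identifier."""
    i, t = ident.lower(), target.lower()
    if t == i or t.endswith("\\" + i):
        return True
    # Task GUIDs and ADS stream names appear inside a longer target or outcome.
    return i.startswith(("{", ":")) and (i in t or i in outcome.lower())

def reconcile(fixlist_text, fixlog_text):
    """Return [(directive, status, outcomes)]: 'ok' when a result reports success,
    'not found' when FRST only reported a missing item, 'missing' when nothing."""
    entries = parse_fixlog(fixlog_text)
    report = []
    for line in fixlist_text.splitlines():
        line = line.strip()
        if not line or line.lower() in ("start", "end"):
            continue
        idents = directive_idents(line)
        outcomes = [o for t, o in entries if any(matches(i, t, o) for i in idents)]
        if any(SUCCESS.search(o) for o in outcomes):
            status = "ok"
        else:
            status = "not found" if outcomes else "missing"
        report.append((line, status, outcomes))
    return report

def unverified(report):
    """Directives to re-check: nothing in the log confirms they were done."""
    return [d for d, status, _ in report if status != "ok"]
```

Running `unverified(reconcile(FIXLIST, FIXLOG))` on the sample returns only the `_is1ADF.exe` path, since every other directive has at least one "removed" or "moved successfully" line; the scheduled task is reported as ok even though its Tree key came back "key not found", because the two TaskCache keys that hold the task were removed. A "missing" entry in a real log is the cue to re-run the scan rather than assume the item is gone.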

#7 nasdaq

  • Malware Response Team
  • 40,197 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 15 September 2015 - 08:09 AM


The button Report has been renamed LogFile.

When clicked, Notepad will open with the report.

In your case it seems that you do not have anything to clean.

p.s. I will change my canned speech to reflect the new button name.

==

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/
===

#8 Stanae86

  • Topic Starter
  • Members
  • 5 posts

Posted 15 September 2015 - 11:08 PM

Thanks nasdaq!

 

Here is the AdwCleaner log report:

 

# AdwCleaner v5.007 - Logfile created 15/09/2015 at 20:55:33
# Updated 08/09/2015 by Xplode
# Database : 2015-09-15.1 [Server]
# Operating system : Windows Vista ™ Home Premium Service Pack 1 (x86)
# Username : Stanton - MAIN
# Running from : C:\Users\Stanton\Desktop\adwcleaner_5.007.exe
# Option : Scan
# Support : http://toolslib.net/forum

***** [ Services ] *****


***** [ Folders ] *****

Folder Found : C:\ProgramData\Viewpoint
Folder Found : C:\ProgramData\37b8e60400000564
Folder Found : C:\Users\Mom\AppData\Roaming\Mozilla\Firefox\Profiles\0ynn7xye.default\Extensions\veggy@veggyAddon.com
Folder Found : C:\Users\Stanton\AppData\LocalLow\WebProtector

***** [ Files ] *****


***** [ Shortcuts ] *****


***** [ Scheduled tasks ] *****


***** [ Registry ] *****

Key Found : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtl
Key Found : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtl.1
Key Found : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtlSecondary
Key Found : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtlSecondary.1
Key Found : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{03F998B2-0E00-11D3-A498-00104B6EB52E}
Key Found : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{9522B3FB-7A2B-4646-8AF6-36E7F593073C}
Key Found : HKLM\SOFTWARE\909182bb-8dd9-9ab9-71ad-ec0b143b58c8
Key Found : HKLM\SOFTWARE\Classes\CLSID\{03F998B2-0E00-11D3-A498-00104B6EB52E}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
Key Found : HKCU\Software\AppDataLow\Software\Compete
Key Found : HKLM\SOFTWARE\{3A7D3E19-1B79-4E4E-BD96-5467DA2C4EF0}
Key Found : HKLM\SOFTWARE\MetaStream
Key Found : HKLM\SOFTWARE\Viewpoint
Key Found : HKLM\SOFTWARE\{12A61307-94CD-4F8E-94BC-918E511FAA81}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ViewpointMediaPlayer
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\LiveUpdateWPP
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\ViewpointMediaPlayer
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Setup Support for Consumer Input
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Consumer Input Installer
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\LiveUpdateWPP
Key Found : HKU\S-1-5-21-363458255-1724009407-2421375920-1000\Software\AppDataLow\Software\Compete

***** [ Web browsers ] *****


########## EOF - C:\AdwCleaner\AdwCleaner[S4].txt - [2639 bytes] ##########
 

Everything seems to be okay.  Kaspersky is stopping things and I have no more pop up window problems.  Please let me know if the above log looks okay. 

 

Thank you!


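The AdwCleaner log above is a scan-only report (note the `# Option : Scan` header and the `Found` verb on every item): it lists what the tool saw, not what it removed, which is the point nasdaq makes in the next reply. As an added example (my own code, not AdwCleaner's and not from this thread), the Python below parses the header and the `***** [ Section ] *****` blocks, tells a scan-only log with pending findings from a clean log, and groups the findings by the user profile they live in, which is useful here because the pop-ups were only reported under the Mom profile and the Firefox extension folder found is in that profile. The sample is the log posted above, trimmed; the verbs `Found`, `Deleted` and `Restored` and the section layout are assumptions drawn from this log rather than a documented format.

```python
"""Summarise an AdwCleaner log and tell a scan-only log from a clean log (added example)."""
import re

# Constructed sample: the AdwCleaner scan log posted in this thread, trimmed.
ADWCLEANER_LOG = r"""# AdwCleaner v5.007 - Logfile created 15/09/2015 at 20:55:33
# Updated 08/09/2015 by Xplode
# Database : 2015-09-15.1 [Server]
# Username : Stanton - MAIN
# Running from : C:\Users\Stanton\Desktop\adwcleaner_5.007.exe
# Option : Scan

***** [ Services ] *****


***** [ Folders ] *****

Folder Found : C:\ProgramData\Viewpoint
Folder Found : C:\Users\Mom\AppData\Roaming\Mozilla\Firefox\Profiles\0ynn7xye.default\Extensions\veggy@veggyAddon.com
Folder Found : C:\Users\Stanton\AppData\LocalLow\WebProtector

***** [ Registry ] *****

Key Found : HKLM\SOFTWARE\Viewpoint
Key Found : HKCU\Software\AppDataLow\Software\Compete
Key Found : HKU\S-1-5-21-363458255-1724009407-2421375920-1000\Software\AppDataLow\Software\Compete

***** [ Web browsers ] *****


########## EOF - C:\AdwCleaner\AdwCleaner[S4].txt - [2639 bytes] ##########"""

HEADER = re.compile(r"^# (?P<key>[^:]+?) : (?P<value>.+)$")
SECTION = re.compile(r"^\*{5} \[ (?P<name>.+?) \] \*{5}$")
FINDING = re.compile(r"^(?P<kind>\w+) (?P<verb>Found|Deleted|Restored) : (?P<item>.+)$")
USER_DIR = re.compile(r"^C:\\Users\\([^\\]+)\\", re.I)       # C:\Users\<name>\...
USER_HIVE = re.compile(r"^HKU\\(S-1-5-21-[\d-]+)\\", re.I)   # HKU\<SID>\...


def parse_adwcleaner_log(text):
    """Return (header dict, {section name: [(kind, verb, item), ...]})."""
    header, sections, current = {}, {}, None
    for line in text.splitlines():
        line = line.strip()
        h, s, f = HEADER.match(line), SECTION.match(line), FINDING.match(line)
        if h:
            header[h["key"]] = h["value"]
        elif s:
            current = s["name"]
            sections[current] = []
        elif f and current is not None:
            sections[current].append((f["kind"], f["verb"], f["item"]))
    return header, sections


def affected_profiles(sections):
    """Group findings by the user profile they live in (folder name or SID);
    machine-wide items go under 'system-wide', HKCU items under 'current user'."""
    by_profile = {}
    for items in sections.values():
        for _, _, item in items:
            m = USER_DIR.match(item) or USER_HIVE.match(item)
            if m:
                profile = m.group(1)
            elif item.upper().startswith("HKCU\\"):
                profile = "current user"
            else:
                profile = "system-wide"
            by_profile.setdefault(profile, []).append(item)
    return by_profile


def pending_findings(sections):
    """Items reported as Found: still present on disk or in the registry."""
    return [item for items in sections.values() for _, verb, item in items if verb == "Found"]


def needs_clean_pass(header, sections):
    """True for a scan-only log that still lists findings: the tool saw items
    but nothing has been removed yet, so a Clean run (or a reviewed one) is due."""
    return header.get("Option") == "Scan" and bool(pending_findings(sections))
```

On the sample, `needs_clean_pass` is true with six pending findings, and `affected_profiles` puts the `veggy@veggyAddon.com` extension folder under `Mom`, the `WebProtector` folder under `Stanton`, and the Viewpoint remnants under `system-wide`; the HKU entry is keyed by its SID, which is the same one FRST showed in the earlier log, so the reader can see that the `Compete` key sits in that account's hive as well as in the current user's HKCU.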

#9 nasdaq

  • Malware Response Team
  • 40,197 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 16 September 2015 - 07:52 AM

You posted the Scan log of the AdwCleaner tool.

I'm sure you cleaned everything that was identified.

#10 Stanae86

  • Topic Starter
  • Members
  • 5 posts

Posted 17 September 2015 - 01:03 AM

Thanks Nasdaq!

#11 nasdaq

  • Malware Response Team
  • 40,197 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 17 September 2015 - 09:25 AM

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/
===

#12 nasdaq

  • Malware Response Team
  • 40,197 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 23 September 2015 - 06:06 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.



