
AdAntiHS keeps coming back for more


  • This topic is locked
19 replies to this topic

#1 itomanpr

itomanpr

  • Members
  • 2 posts
  • OFFLINE
  • Local time:06:23 PM

Posted 11 October 2016 - 08:12 AM

I've run into a relentless little piece of malware called AdAntiHS which I have not been able to get rid of in a friend's computer. There's barely any information on it from credible sources online. It digs its claws into the startup programs on Windows (running Windows 7) and won't let go. Not sure what kind of damage it's doing either.

 

I've disabled it from startup using msconfig, manually deleted it, and even ran MalwareBytes from a USB using Hiren's BootCD and removed it. But after restarting the computer it shows back up at C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup. I've also deleted keys in the registry associated with AdAntiHS but to no avail upon restarting the computer. 

 

I noticed that upon deleting AdAntiHS from startup, a commonstartup file is created at C:\Windows\pss. I deleted that too. There is a registry key of appcompatCache which I understand is more like a reference or history of programs that have executed on the computer. Those are the only registry keys I have not deleted that make mention of AdAntiHS.

 

So far, I installed BitDefender on the computer which manages to catch AdAntiHS every time on startup, but even though I choose to delete the quarantined item, it comes back again on restart. So at best, I quarantine it on startup but I want to be able to permanently get rid of it.

 

Has anyone else encountered this piece of malware and been able to wipe it from their system?

 

Thanks in advance for your help.
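
To look for whatever re-creates the Startup entry described in the post above, the common autostart points can be inventoried in one pass and reviewed together. This is an added example, not code from any poster in this thread; the `$Pattern` default and the helper name `New-Entry` are assumptions, the scheduled-task column names assume an English-language Windows, and it should be run from an elevated PowerShell prompt.

```powershell
# Added example (not from the thread): inventory common Windows autostart points.
# $Pattern is an assumption based on the file name reported in the first post.
param([string]$Pattern = 'AdAnti')

# Hypothetical helper: one record per autostart entry, flagged if it matches $Pattern.
function New-Entry($Source, $Name, $Command) {
    New-Object PSObject -Property @{
        Source = $Source; Name = $Name; Command = [string]$Command
        Match  = ("$Name $Command" -match $Pattern)
    }
}
$entries = @()

# Startup folders: all users (the path named in the post) and the current user.
foreach ($dir in "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup",
                 "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup") {
    if (Test-Path $dir) {
        Get-ChildItem $dir -Force | ForEach-Object {
            $entries += New-Entry 'StartupFolder' $_.Name "$($_.FullName) [created $($_.CreationTime)]"
        }
    }
}

# Run / RunOnce registry keys, machine-wide and per-user.
foreach ($path in 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
                  'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
                  'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
                  'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                  'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce') {
    if (Test-Path $path) {
        $key = Get-Item $path
        foreach ($v in $key.GetValueNames()) {
            $entries += New-Entry "RunKey $path" $v ($key.GetValue($v))
        }
    }
}

# Scheduled tasks via schtasks.exe (available on Windows 7); skip repeated CSV header rows.
schtasks.exe /query /fo csv /v | ConvertFrom-Csv |
    Where-Object { $_.TaskName -ne 'TaskName' } |
    ForEach-Object { $entries += New-Entry 'ScheduledTask' $_.TaskName ($_.'Task To Run') }

# Services set to start automatically.
Get-WmiObject Win32_Service | Where-Object { $_.StartMode -eq 'Auto' } |
    ForEach-Object { $entries += New-Entry 'Service' $_.Name $_.PathName }

# Permanent WMI event consumers (usually few on a home PC, so each one merits a look).
Get-WmiObject -Namespace root\subscription -Class __EventConsumer -ErrorAction SilentlyContinue |
    ForEach-Object { $entries += New-Entry 'WmiConsumer' $_.Name "$($_.CommandLineTemplate)$($_.ScriptText)" }

# Name matches first, then everything else for manual review.
$entries | Sort-Object Match -Descending | Format-Table Match, Source, Name, Command -AutoSize -Wrap
```

Entries that do not match the pattern still matter here: the component that rewrites the Startup folder need not carry the same name as the file it drops.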




 


#2 guitarbruno

guitarbruno

  • Members
  • 78 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:23 AM

Posted 18 January 2017 - 07:22 AM

Hello,

 

I've got the same problem, AdAnti which comes back again and again...

 

I'm helped by a nice helper, he has been trying to fix it for 5 months! He created a soft "AntiAdanti" to hinder it from coming at each startup and a few cleaning softs were used with no good result...

 

No answer but...

 

Have you fixed the problem?

 

See my link http://www.forum-entraide-informatique.com/support/eliminer-tencent-demarrage-t21355.html, but I'm French! (no rooster as a good icon for me! ^^), if you'd like some translation, I can do it for you.

 

Thanks

 

Bruno



#3 buddy215

buddy215

  • Moderator
  • 13,419 posts
  • ONLINE
  • Gender:Male
  • Location:West Tennessee
  • Local time:04:23 PM

Posted 18 January 2017 - 08:40 AM

guitarbruno.....welcome to BC

 

You have posted in a topic that is a few months old. It somehow got overlooked..happens sometimes.

 

Use the programs below to clean, remove adware and to remove malware.

 

Use CCleaner to remove Temporary files, program caches, cookies, logs, etc. Use the Default settings. No need to use the Registry Cleaning Tool...risky. Pay close attention while installing and UNcheck offers of toolbars....especially Google.

After install, open CCleaner and run by clicking on the Run Cleaner button in the bottom right corner.

CCleaner - PC Optimization and Cleaning - Free Download

 

  • Download Malwarebytes to your desktop.
  • Double-click mb3-setup-1878.1878-3.5.1.2522.exe and follow the prompts to install the program.
  • Then click Finish.
  • Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu.
  • If another update of the definitions is available, it will be implemented before the rest of the scanning procedure.
  • When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
  • Restart your computer when prompted to do so.
  • The Scan log is available throughout History -> Application logs. Please post its contents in your next reply.

Download AdwCleaner by Xplode onto your desktop.

  • Close all open programs and internet browsers.
  • Double click on adwcleaner.exe to run the tool.
  • Click on Scan button.
  • When the scan has finished click on Clean button.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the contents of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.

  • Download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the esetonlinebtn.png button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
  • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
  • Double click on the esetsmartinstaller_enu.png icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.
  • NOTE: Sometimes if ESET finds no infections it will not create a log.

“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.” Lawrence M. Krauss
A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”

#4 guitarbruno

guitarbruno

  • Members
  • 78 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:23 AM

Posted 18 January 2017 - 09:21 AM

Thanks Buddy 215 but all or almost what you propose is done and nothing better!...



#5 buddy215

buddy215

  • Moderator
  • 13,419 posts
  • ONLINE
  • Gender:Male
  • Location:West Tennessee
  • Local time:04:23 PM

Posted 18 January 2017 - 10:23 AM

Those programs update regularly. They provide me with information that helps me to assist you. Up to you whether to post the results of the programs or not.



#6 itomanpr

itomanpr
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  • Local time:06:23 PM

Posted 18 January 2017 - 11:23 AM

In my case, I later contacted BitDefender and ran some diagnostic software they provided on the computer and sent the results back to them. They then updated their virus database and BitDefender (the antivirus) was able to automatically catch and delete AdAntiHS (not simply quarantine). Haven't seen it on my startup programs again.



#7 g3n-h@ckm@n

g3n-h@ckm@n

  • Members
  • 10 posts
  • OFFLINE
  • Gender:Male
  • Location:Valence
  • Local time:12:23 AM

Posted 18 January 2017 - 01:59 PM

hello :)

 

nothing was good.... we tried a lot of tools but it came back ( combofix , FRST , AdsFix, DrWeb, GMer, ZHPCleaner , OTL, QuickDiag, KVRT, etc...etc.... )

 

almost every tool exists but it comes back again, I coded a little tool waiting but it's not the solution..........no infection stays on the machine and even with that, it's again here.... I don't understand how it comes back.......I tried to read hexa sequences on certain executable files with Autoit, which could create this, but nothing.....


Edited by g3n-h@ckm@n, 18 January 2017 - 02:39 PM.


#8 guitarbruno

guitarbruno

  • Members
  • 78 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:23 AM

Posted 18 January 2017 - 02:12 PM

When I talked about a "nice helper", I meant  g3n-h@ckm@n!  :thumbup2:



#9 g3n-h@ckm@n

g3n-h@ckm@n

  • Members
  • 10 posts
  • OFFLINE
  • Gender:Male
  • Location:Valence
  • Local time:12:23 AM

Posted 18 January 2017 - 02:43 PM

it looks like this infection has never found a solution lol

 

Even if Malekal had a good chance to overcome it


Edited by g3n-h@ckm@n, 18 January 2017 - 02:49 PM.


#10 Havachat

Havachat

  • Members
  • 1,150 posts
  • OFFLINE
  • Gender:Male
  • Location:Sleepy Hollow - Geelong - Go Cats.
  • Local time:09:23 AM

Posted 19 January 2017 - 04:35 AM

Hello,

 

I've got the same problem, AdAnti which comes back again and again...

 

I'm helped by a nice helper, he has been trying to fix it for 5 months! He created a soft "AntiAdanti" to hinder it from coming at each startup and a few cleaning softs were used with no good result...

 

 

5 Mths to try and Fix ? ....Why 

Simply backup your Data Required and Format and Reinstall Windows { That doesn't take 5 Mths } more like 2 hrs.

 

Or have a Backup plan like an Image of the C:\ Drive and once running Ok and everything up to Date do the Image.

A Reinstall of an Image would take less than 20 Minutes { Also not 5 mths }.

 

Personally I might try for 1 - 2 Days to Fix a Corrupted PC, but these days I don't bother anymore.



#11 guitarbruno

guitarbruno

  • Members
  • 78 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:23 AM

Posted 19 January 2017 - 04:55 AM

Hello, you are so right, Havachat but....

 

Why? Because in fact, it doesn't cause damage to my system, I can use it with no bug, with all my sensible softs like Cakewalk or Vegas. No latency, no freeze...

 

You guess I didn't have a recent backup with all my optimized system to use my PC as a fine recording studio! And feel too lazy to reinstall all of it.



#12 g3n-h@ckm@n

g3n-h@ckm@n

  • Members
  • 10 posts
  • OFFLINE
  • Gender:Male
  • Location:Valence
  • Local time:12:23 AM

Posted 22 January 2017 - 06:40 AM

hello yes and it could be interesting to know how it comes back too ;)



#13 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,534 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:05:23 PM

Posted 23 January 2017 - 10:53 AM

Have you tried the Bitdefender scan that was successful above?

Please run a BitDefender Online Scan

Edited by boopme, 23 January 2017 - 10:54 AM.

How do I get help? Who is helping me?
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook

#14 guitarbruno

guitarbruno

  • Members
  • 78 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:23 AM

Posted 23 January 2017 - 12:36 PM

Have you tried the Bitdefender scan that was successful above?

Please run a BitDefender Online Scan

 

Yes, but it didn't catch the presence of AdAntiHS !!!!

 

So not efficient....



#15 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,534 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:05:23 PM

Posted 23 January 2017 - 12:46 PM

Ok, it was a try. As there are 5 unsafe files associated with this we need a deeper look to get them. Start at step 6. Please follow this Preparation Guide and post in a new topic.
Let me know if all went well.



