Porn ads in net clients


7 replies to this topic

#1 Tattorack

Tattorack

  • Members
  • 6 posts

Posted 13 October 2016 - 01:45 AM

OS: Win 10

Tech: MSI gaming laptop. Intel i5 CPU. Intel HD 530 GPU. nVidia GeForce 950m dGPU. 8GB RAM. 1TB HDD, 2 partitions.

 

I've been struggling with this problem for a whole month now.

Every program that has some kind of connection to the internet (with the exception of web browsers like Firefox and Chrome, or VoIP clients like Skype or Discord) gets overlaid with mostly pornographic advertisements.

Here you can see Steam, Arc Game Launcher and Vuze having these problems:

WARNING! GRAPHIC CONTENT!

https://drive.google.com/file/d/0B52yFFazFTCtS0Y2dHlZNkRwTzg/view?usp=sharing

 https://drive.google.com/open?id=0B52yFFazFTCtc1JaY1NPU1preE0

https://drive.google.com/open?id=0B52yFFazFTCtSlhNN1VUR2JldGM

 https://drive.google.com/open?id=0B52yFFazFTCtOTlzTnZ2d3d2LW8

 

Windows Defender, ADWCleaner, rKill, Malwarebytes, McAfee Rootkit Remover, Avast and AVG are all programs I've used to try to solve this problem (not all at the same time, mind you. I know how antivirus programs love to make war on each other).

Whether I do a full scan, in safe boot mode or not, none of them can find anything wrong.

There obviously is something very wrong.

 

I've been manually looking at all of my system processes and services at least 5 times and all checks out fine to my inspection. Whenever I did find something I thought was suspicious, a simple check on the internet would confirm it's an essential process of the OS.

I also manually looked in every %appdata% folder and also spent hours grovelling over my win32 and WOW64 folders, though I may have missed something amongst all the files.

 

This first occurred when I was on Reddit a little over a month ago. I clicked on a link there that redirected me through adfly. I had to leave the room to do something quickly and when I came back adfly had opened a dozen windows to very suspicious looking websites and my entire computer was covered in garbage.

I instantly rebooted my computer into safe boot mode and let the programs I had at the time (ADWCleaner, Windows Defender, Malwarebytes) do their job. They removed everything, except for the virus that is still currently bothering me.

 

FRST.txt:

Spoiler

 

Addition.txt:

Spoiler


Well.... I have no idea why the double post happened...




#2 Tattorack

Tattorack
  • Topic Starter

  • Members
  • 6 posts

Posted 13 October 2016 - 05:14 AM

Update:

Scanned with GMER.

It found nothing.

Log file is attached.

Attached Files

  • Attached File  01.log   1.72MB   1 downloads


#3 Tattorack

Tattorack
  • Topic Starter

  • Members
  • 6 posts

Posted 14 October 2016 - 02:19 AM

Just tried this; the Origin client and Ubisoft client also get these ads.


Edited by Tattorack, 14 October 2016 - 02:22 AM.


#4 nasdaq

nasdaq

  • Malware Response Team
  • 40,532 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 14 October 2016 - 10:47 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.
Please copy the entire contents of the code box below to a new file.
 
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

ShellIconOverlayIdentifiers: [.QMDeskTopGCIcon] -> {B7667919-3765-4815-A66D-98A09BE662D6} =>  No File
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  No File
GroupPolicy: Restriction - Windows Defender <======= ATTENTION
CHR HomePage: clacachthergidrigi -> hxxp://www.trotux.com/?z=919761d6870668ff192c424gaz6mcgcmcbeo9gbc3e&from=epf1&uid=WDCXWD10JPVX-22JC3T0_WD-WXF1E650X71E0X71E&type=hp
CHR StartupUrls: clacachthergidrigi -> "hxxp://www.trotux.com/?z=919761d6870668ff192c424gaz6mcgcmcbeo9gbc3e&from=epf1&uid=WDCXWD10JPVX-22JC3T0_WD-WXF1E650X71E0X71E&type=hp"
CHR DefaultSearchURL: clacachthergidrigi -> hxxp://www.trotux.com/search/?q={searchTerms}&z=919761d6870668ff192c424gaz6mcgcmcbeo9gbc3e&from=epf1&uid=WDCXWD10JPVX-22JC3T0_WD-WXF1E650X71E0X71E&type=sp
CHR DefaultSearchKeyword: clacachthergidrigi -> trotux
R2 ibtsiva; %SystemRoot%\system32\ibtsiva [X]
U0 ctpgdb; C:\Windows\System32\drivers\jlpu.sys [79064 2016-10-13] (Malwarebytes)
C:\Windows\System32\drivers\jlpu.sys

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

Reset Chrome...
Open Google Chrome and click on the menu icon, which is located at the top right side of Google Chrome.
 
Click "Settings" then "Show advanced settings" at the bottom of the screen.
 
Click "Reset browser settings" button.
 
Clear your cache and cookies
https://support.google.com/chromebook/answer/183083?hl=en

Restart Chrome.
===

Please post the Fixlog.txt file and let me know if the problem persists.

p.s.
I need to know if this profile clacachthergidrigi was set by you.
CHR Profile: C:\Users\Tattorack\AppData\Local\Google\Chrome\User Data\clacachthergidrigi [2016-09-11] <==== ATTENTION

If not and you still have issues please run the Farbar tool normally and post fresh FRST and Addition.txt files for my review.
===
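As an added example that is not part of this thread or of FRST itself: a small Python script that scans FRST-style log lines for the kinds of indicators nasdaq's fixlist targets (a Group Policy restriction on Windows Defender, Chrome profile settings pointing at an unfamiliar host, a service registered with a missing file, orphaned shell overlay entries, and lines FRST itself marked ATTENTION). The sample log is constructed from the entries quoted above with the drive serial and user name dropped; the allow-list of search domains and the function names are assumptions.

```python
"""Triage FRST (Farbar Recovery Scan Tool) log lines for browser-hijack indicators.

Added example for this thread; it is not part of FRST or of the original posts.
The sample log below is constructed from the fixlist entries quoted in the
thread (drive serial and user name dropped). KNOWN_GOOD_DOMAINS and the
function names are assumptions for illustration.
"""
from __future__ import annotations

import re
from urllib.parse import urlparse

# Assumption: search/home-page hosts a clean Chrome would plausibly point at.
KNOWN_GOOD_DOMAINS = {"www.google.com", "google.com", "www.bing.com", "duckduckgo.com"}

# FRST entry shapes, matched against the same line formats nasdaq quoted.
CHR_URL_RE = re.compile(r'^CHR (HomePage|StartupUrls|DefaultSearchURL): (\S+) -> "?(.+?)"?$')
MISSING_SERVICE_RE = re.compile(r'^[RSU]\d (?P<name>[^;]+); (?P<path>.+?) \[X\]$')
NO_FILE_OVERLAY_RE = re.compile(r'^ShellIconOverlayIdentifiers: \[(?P<name>[^\]]+)\].*=>\s+No File$')

# Constructed sample modelled on the thread's fixlist (not a real FRST capture).
SAMPLE_LOG = r"""
GroupPolicy: Restriction - Windows Defender <======= ATTENTION
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  No File
CHR HomePage: clacachthergidrigi -> hxxp://www.trotux.com/?z=919761d6870668ff192c424gaz6mcgcmcbeo9gbc3e&from=epf1&type=hp
CHR StartupUrls: clacachthergidrigi -> "hxxp://www.trotux.com/?z=919761d6870668ff192c424gaz6mcgcmcbeo9gbc3e&from=epf1&type=hp"
CHR DefaultSearchURL: clacachthergidrigi -> hxxp://www.trotux.com/search/?q={searchTerms}&type=sp
CHR DefaultSearchKeyword: clacachthergidrigi -> trotux
CHR DefaultSearchURL: Default -> hxxp://www.google.com/search?q={searchTerms}
CHR Profile: C:\Users\user\AppData\Local\Google\Chrome\User Data\clacachthergidrigi [2016-09-11] <==== ATTENTION
R2 ibtsiva; %SystemRoot%\system32\ibtsiva [X]
S2 Steam Client Service; C:\Program Files (x86)\Common Files\Steam\SteamService.exe [1234 2016-09-01] (Valve Corporation)
"""


def refang(url: str) -> str:
    """FRST defangs URLs as hxxp://; restore the scheme so urlparse sees a host."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)


def chrome_url_is_suspicious(url: str) -> bool:
    """True when the URL's host is not on the allow-list (case-insensitive)."""
    host = urlparse(refang(url)).netloc.lower()
    return host not in KNOWN_GOOD_DOMAINS


def triage_frst(log_text: str) -> list[tuple[str, str, str]]:
    """Return (severity, reason, line) for every line that matches an indicator.

    high   - a security product is restricted by policy, or a Chrome profile is
             pointed at a host outside the allow-list (home page, startup URL,
             default search), the pattern seen with the trotux hijack above
    medium - a service/driver is registered but its file is gone ([X]), or
             FRST itself marked the line ATTENTION
    low    - a shell-overlay registration whose file no longer exists
    """
    findings: list[tuple[str, str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("GroupPolicy: Restriction"):
            findings.append(("high", "Group Policy restricts a security product", line))
            continue
        m = CHR_URL_RE.match(line)
        if m:
            setting, profile, url = m.groups()
            if chrome_url_is_suspicious(url):
                host = urlparse(refang(url)).netloc
                findings.append(("high", f"Chrome {setting} in profile {profile!r} points at {host}", line))
            continue
        m = MISSING_SERVICE_RE.match(line)
        if m:
            findings.append(("medium", f"service {m['name']!r} registered but file missing", line))
            continue
        m = NO_FILE_OVERLAY_RE.match(line)
        if m:
            findings.append(("low", f"orphaned shell icon overlay {m['name']!r}", line))
            continue
        if "ATTENTION" in line:
            findings.append(("medium", "FRST flagged this line", line))
    return findings


def severity_counts(findings: list[tuple[str, str, str]]) -> dict[str, int]:
    """Count findings per severity so a quick summary can be printed or tested."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for severity, _, _ in findings:
        counts[severity] += 1
    return counts


if __name__ == "__main__":
    results = triage_frst(SAMPLE_LOG)
    for severity, reason, line in results:
        print(f"[{severity:6}] {reason}\n         {line}")
    print(severity_counts(results))
```

Running it on the constructed sample flags the Defender policy restriction, the three Chrome entries for the unknown profile, the profile line FRST marked ATTENTION, the `ibtsiva` service with no file, and the stale avast overlay, while the default Google search entry and the Steam service pass untouched. The point is only to make the triage nasdaq did by eye repeatable over a long log; the allow-list is the part you would tune for your own environment.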


#6 Tattorack

Tattorack
  • Topic Starter

  • Members
  • 6 posts

Posted 14 October 2016 - 11:53 AM

This actually seems to have solved the problem.

I logged into Steam and browsed about for at least 20 minutes, but I'm no longer seeing any pornographic ads.

 

Here is the Fixlog:

Spoiler

 

I have a question, though.

I haven't used Google Chrome since I first installed it multiple months ago. I did this to compare it to Firefox, the browser I use all the time. I had decided to stick with Firefox and I actually forgot I even had Chrome up until now.

So how did my Chrome browser get infected by the Trotux virus?

How did the Trotux virus affect every other internet-using client?

And why didn't AVs like Windows Defender or ADWCleaner detect it?



#7 nasdaq

nasdaq

  • Malware Response Team
  • 40,532 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 15 October 2016 - 09:07 AM

There are many ways to skin a cat.

Chrome was installed and the malware changed the settings.

Only your startup pages were compromised.
Unless the security program knows that the site hxxp://www.trotux.com is bogus it cannot detect it.

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/

#8 Tattorack

Tattorack
  • Topic Starter

  • Members
  • 6 posts

Posted 16 October 2016 - 04:33 AM

Right, and I guess Steam's (and other clients') front page also falls under some kind of startup page.

 

Hey, thanks for the assist! I really appreciate it!

And good luck against Spyhunter.





