PUP.Optional.Komodia, PUP.Optional.PCSpeedUp, and similar


  • This topic is locked
23 replies to this topic

#1 GionnyX

GionnyX

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:09:29 AM

Posted 25 January 2017 - 01:43 PM

Hello!

I'm trying to remove this adware from this PC. It was showing ads in Google search results and it modified the default search engine.

I ran MalwareBytes AntiMalware and AdwCleaner a few times, and they removed a lot of files related to this adware. The problem is that they keep finding malicious files.

Can you please give me some suggestions on how to remove this adware permanently?

 

 

Thank you very much :)

Attached Files

  • Attached File  FRST.txt   63.42KB   6 downloads




#2 nasdaq

nasdaq

  • Malware Response Team
  • 40,213 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:04:29 AM

Posted 26 January 2017 - 10:27 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.
Please copy the entire contents of the code box below to a new file.
 
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKLM-x32\...\Run: [] => [X]
HKLM\...\Policies\Explorer: [EnableShellExecuteHooks] 1
HKU\S-1-5-21-3267981941-2736852452-938076776-1001\...\Run: [AdobeBridge] => [X]
HKU\S-1-5-21-3267981941-2736852452-938076776-1001\...\Run: [] => [X]
HKU\S-1-5-21-3267981941-2736852452-938076776-1003\...\Run: [AdobeBridge] => [X]
HKU\S-1-5-21-3267981941-2736852452-938076776-1003\...\Run: [] => [X]
HKU\S-1-5-21-3267981941-2736852452-938076776-1003\...\RunOnce: [Report] => \AdwCleaner\AdwCleaner[C3].txt
ShellExecuteHooks: No Name - {D1CD7500-DE3D-11E6-8016-64006A5CFC23} - C:\Users\Ammin\AppData\Roaming\Jevush\Pafght.dll -> No File
ShellIconOverlayIdentifiers: [DropboxExt1] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Giovanni\AppData\Roaming\Dropbox\bin\DropboxExt64.22.dll -> No File
ShellIconOverlayIdentifiers: [DropboxExt2] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Giovanni\AppData\Roaming\Dropbox\bin\DropboxExt64.22.dll -> No File
ShellIconOverlayIdentifiers: [DropboxExt3] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Giovanni\AppData\Roaming\Dropbox\bin\DropboxExt64.22.dll -> No File
ShellIconOverlayIdentifiers: [DropboxExt4] -> {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Giovanni\AppData\Roaming\Dropbox\bin\DropboxExt64.22.dll -> No File
ShellIconOverlayIdentifiers-x32: [DropboxExt1] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} =>  -> No File
ShellIconOverlayIdentifiers-x32: [DropboxExt2] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} =>  -> No File
ShellIconOverlayIdentifiers-x32: [DropboxExt3] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} =>  -> No File
ShortcutTarget: Dropbox.lnk -> C:\Users\Ammin\AppData\Roaming\Dropbox\bin\Dropbox.exe (No File)
Startup: C:\Users\Giovanni\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EvernoteClipper.lnk [2014-03-19]
ShortcutTarget: EvernoteClipper.lnk -> D:\Program Files\Evernote\EvernoteClipper.exe (No File)
Startup: C:\Users\Giovanni\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EvernoteTray.lnk [2014-03-19]
ShortcutTarget: EvernoteTray.lnk -> D:\Program Files\Evernote\EvernoteTray.exe (No File)
GroupPolicy: Restriction <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
CHR Profile: C:\Users\Ammin\AppData\Local\Google\Chrome\User Data\ChromeDefaultData [2017-01-25] <==== ATTENTION
CHR Extension: (Pagamenti Chrome Web Store) - C:\Users\Ammin\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-01-25]
CHR Extension: (Chrome Media Router) - C:\Users\Ammin\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-01-25]
R2 Bisawardtusocult; C:\Program Files (x86)\Lafetqilse\Jwocultmonitor.dll [150016 2017-01-25] () [File not signed]
S2 GTFAVENUE Updater; C:\Program Files (x86)\GTFAVENUE Updater\GTFAVENUE Updater.exe [X]
S2 MEmusvc; D:\Program Files\Microvirt\MEmu\MemuService.exe [X]
R2 WinDivert1.2; C:\Windows\system32\drivers\WinDivert64.sys [37552 2017-01-25] (Basil)
S3 ALSysIO; \??\C:\Users\Ammin\AppData\Local\Temp\ALSysIO64.sys [X]
S3 gdrv; \??\C:\Windows\gdrv.sys [X]
U0 SR; no ImagePath
U2 srservice; no ImagePath
S3 VBoxNetFlt; \SystemRoot\system32\DRIVERS\VBoxNetFlt.sys [X]
C:\Users\Giovanni\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EvernoteClipper.lnk
C:\Users\Giovanni\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EvernoteTray.lnk
C:\Windows\system32\drivers\WinDivert64.sys

Reboot:


End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

Please post the Fixlog.txt and let me know what problem persists.

P.S.
Include for my review the Addition.txt file that was created by the Farbar tool.

#3 GionnyX

Posted 27 January 2017 - 10:20 AM

Hello!

I ran FRST, but I had to force-close it because it froze up.

 

I've attached the files you've requested. Thank you!

Attached Files



#4 nasdaq

Posted 27 January 2017 - 11:25 AM

Error: (0) Failed to create a restore point.

This error is documented in the Fixlog. It might be the reason you had to restart the computer.
Investigate the system restore status.


Remove these programs via the Control Panel > Programs > Programs and Features.
Online.io Application (HKLM-x32\...\{4C6314F6-2DE8-4354-856A-787679AEF407}) (Version: 1.15.0 - Microleaves) <==== ATTENTION
Traffic Exchange (x32 Version: 1.15.3 - Microleaves) Hidden <==== ATTENTION
===

Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.

Please copy the entire contents of the code box below to a new file.
 
Start

CreateRestorePoint:
CloseProcesses:

CustomCLSID: HKU\S-1-5-21-3267981941-2736852452-938076776-1003_Classes\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Giovanni\AppData\Roaming\Dropbox\bin\DropboxExt64.22.dll => No File
CustomCLSID: HKU\S-1-5-21-3267981941-2736852452-938076776-1003_Classes\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Giovanni\AppData\Roaming\Dropbox\bin\DropboxExt64.22.dll => No File
CustomCLSID: HKU\S-1-5-21-3267981941-2736852452-938076776-1003_Classes\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Giovanni\AppData\Roaming\Dropbox\bin\DropboxExt64.22.dll => No File
CustomCLSID: HKU\S-1-5-21-3267981941-2736852452-938076776-1003_Classes\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Giovanni\AppData\Roaming\Dropbox\bin\DropboxExt64.22.dll => No File
Task: {1CDBE66C-736E-4521-9EBE-8658E17D0A98} - System32\Tasks\Ckerbulemahitain Provider => C:\Program Files (x86)\Lafetqilse\atuhesy.exe
Task: {B6B2C737-2769-4E3A-828D-165E9B74172F} - System32\Tasks\Traffic Exchange Debug => C:\Program Files (x86)\Microleaves\Traffic Exchange\nc.exe <==== ATTENTION
Task: {D323185E-62C2-430F-9D71-873B688689D4} - System32\Tasks\GTFAVENUE => gtfavenue.exe
HKU\.DEFAULT\Software\Classes\exefile: "%1" %* <===== ATTENTION
HKU\.DEFAULT\Software\Classes\.exe: exefile => "%1" %* <===== ATTENTION
HKU\S-1-5-21-3267981941-2736852452-938076776-1001\Software\Classes\exefile: "%1" %* <===== ATTENTION
HKU\S-1-5-21-3267981941-2736852452-938076776-1001\Software\Classes\.exe: exefile => "%1" %* <===== ATTENTION
HKU\S-1-5-21-3267981941-2736852452-938076776-1003\Software\Classes\exefile: "%1" %* <===== ATTENTION
HKU\S-1-5-21-3267981941-2736852452-938076776-1003\Software\Classes\.exe: exefile => "%1" %* <===== ATTENTION
C:\Program Files (x86)\Lafetqilse
C:\Program Files (x86)\Microleaves

Reboot:

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

ADOBE AIR

Navigate to this page and follow the instructions and get the latest version.
https://get.adobe.com/air/


ADOBE READER
http://get.adobe.com/reader/
Before your download I suggest you uncheck the box on the top right "Yes, install McAfee Security Scan Plus - optional"; this is not required if you are not a McAfee subscriber. While the installation is in progress you can also deny the installation of any other programs that may be suggested.
<<<>>>


Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.

You can manually check your present version and update as recommended.
https://www.java.com/en/download/installed.jsp

Be careful not to install malware posing as a Java update!
Important: read this blog.
http://blog.trendmicro.com/trendlabs-security-intelligence/malware-poses-as-an-update-for-java-0-day-fix/

Quoted from the page.
"In light of the recent events surrounding Java, users must seriously consider their use of Java. Do they really need it? If yes, make sure that users follow the steps we recommended and get the security update directly from the official oracle website." at:
http://www.oracle.com/technetwork/java/javase/downloads/index.html

How to disable Java in your browsers
http://www.infoworld.com/t/web-browsers/how-disable-java-in-your-browsers-210882

If still present after these updates remove the old version(s) via the Control Panel > Programs > Programs and Features.
Adobe AIR (HKLM-x32\...\Adobe AIR) (Version: 20.0.0.204 - Adobe Systems Incorporated)
Adobe Reader XI (11.0.18) - Italiano (HKLM-x32\...\{AC76BA86-7AD7-1040-7B44-AB0000000001}) (Version: 11.0.18 - Adobe Systems Incorporated)
Java 8 Update 31 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83218031F0}) (Version: 8.0.310 - Oracle Corporation)

Please let me know what problem persists with this computer.

#5 GionnyX

Posted 27 January 2017 - 12:30 PM

In Programs and Features I can't find "Traffic Exchange".
 
I've updated Adobe AIR, Adobe Reader XI, and Java 8 Update 31.
 
If I go to https://www.java.com/en/download/installed.jsp, it says "The Chrome browser does not support NPAPI plug-ins and therefore will not run all Java content. Switch to a different browser (Firefox, Internet Explorer or Safari on Mac) to run the Java plug-in. More info". What should I do? Should I update Java anyway?
 
I did a scan with Malwarebytes AntiMalware, and it found over 5000 threats!!! How is this possible?!
I've attached the scan log.

Attached Files



#6 nasdaq

Posted 27 January 2017 - 01:16 PM

The Chrome browser does not support NPAPI plug-ins


If you use a program that needs that plug-in then you will have to update Java using another browser, your call.

===

Yes, remove them; Adware.Elex must be removed.
The entries are all unwanted items in the registry.

===

How is the computer running?

#7 GionnyX

Posted 28 January 2017 - 03:36 AM

The computer seems to be working fine, however Malwarebytes keeps finding malicious items. It found the following:

Chiavi di registro: 3
Adware.VidSquare.BrwsrFlsh, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\GTFAVENUE Updater_is1, , [90b661201a8e43f39d78fee41ce41be5], 
PUP.Optional.VidSquare.BrwsrFlsh, HKLM\SOFTWARE\WOW6432NODE\GTFAVENUE Updater, , [86c0f78a7137f54100b28c5558a8a25e], 
PUP.Optional.OnlineIO, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{57629D30-3D4C-4BA3-9EE2-D38E56D7221E}, , [b78fe49dfeaa063019dc94e23ac6e51b], 


Valori di registro: 2
PUP.Optional.OnlineIO, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{57629D30-3D4C-4BA3-9EE2-D38E56D7221E}|Contact, contact@online.io, , [2521f98812962a0c7be576ea32ce2cd4]
PUP.Optional.OnlineIO, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{57629D30-3D4C-4BA3-9EE2-D38E56D7221E}|URLInfoAbout, http://traffic.io/, , [b78fe49dfeaa063019dc94e23ac6e51b]


Dati di registro: 0
(Nessun elemento nocivo rilevato)


Cartelle: 1
PUP.Optional.OnlineIO, C:\Windows\SysWOW64\glogs, , [9caacbb693152a0c7a353998748c41bf], 


File: 7
PUP.Optional.AshampooRegistryCleaner, C:\ProgramData\Ashampoo\ico_ashampoo_marketplace.ico, , [56f04140e9bf39fd88b76464e719b54b], 
PUP.Optional.OnlineIO, C:\Windows\SysWOW64\glogs\4911381E-B523-4DCE-BC72-00CAA66AEAF1.txt, , [9caacbb693152a0c7a353998748c41bf], 
PUP.Optional.OnlineIO, C:\Windows\SysWOW64\glogs\581DC629-8445-4351-8007-253E5A827F3C.txt, , [9caacbb693152a0c7a353998748c41bf], 
PUP.Optional.OnlineIO, C:\Windows\SysWOW64\glogs\768D74B8-8F7C-4CF8-BFFB-33EFDFCB5116.txt, , [9caacbb693152a0c7a353998748c41bf], 
PUP.Optional.OnlineIO, C:\Windows\SysWOW64\glogs\99AAFBCB-BFBD-4F33-9213-0E283DF8397A.txt, , [9caacbb693152a0c7a353998748c41bf], 
PUP.Optional.OnlineIO, C:\Windows\SysWOW64\glogs\ED2266BA-4690-4751-A13B-CBC372ECC652.txt, , [9caacbb693152a0c7a353998748c41bf], 
PUP.Optional.OnlineIO, C:\Windows\SysWOW64\glogs\FD581933-6C82-45D0-8FB6-20C50ED66778.txt, , [9caacbb693152a0c7a353998748c41bf], 


#8 nasdaq

Posted 28 January 2017 - 09:19 AM

Clean everything then restart the computer normally.

Run the Malwarebytes program and if not clean please post the new log for my review.

#9 GionnyX

Posted 30 January 2017 - 03:35 AM

Hello!

I've attached the new scan.

 

Thank you very much for your help!

Attached Files



#10 nasdaq

Posted 30 January 2017 - 08:07 AM

Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.
Please copy the entire contents of the code box below to a new file.
 
start


CreateRestorePoint:
CloseProcesses:

DeleteKey: HKLM\SOFTWARE\WOW6432NODE\GTFAVENUE Updater
DeleteKey: HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{57629D30-3D4C-4BA3-9EE2-D38E56D7221E}
C:\ProgramData\Ashampoo\ico_ashampoo_marketplace.ico
C:\Windows\SysWOW64\glogs

Reboot:

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

Run the MBAM program and post the log for my review.

#11 GionnyX

Posted 31 January 2017 - 03:37 AM

Here are the logs.

Attached Files



#12 nasdaq

Posted 31 January 2017 - 09:44 AM

Download this tool to your desktop.
Select the one needed for your Operating System.

SystemLook.exe
SystemLook_x64.exe
  • Double-click SystemLook.exe/SystemLook_x64.exe, or the SystemLook.txt to run it.
  • Copy and paste the content of the following bold text into the main textfield:
    :regfind
    GTFAVENUE
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
  • Note: The log can also be found on your Desktop entitled SystemLook.txt.
===

Edited by nasdaq, 31 January 2017 - 09:46 AM.


#13 GionnyX

Posted 31 January 2017 - 01:23 PM

It's attached!

Attached Files



#14 nasdaq

Posted 31 January 2017 - 02:00 PM

This should take care of the last item.

Copy the text IN THE QUOTE BOX below to Notepad. Save it as fixme.reg to your desktop.
Be sure the "Save as" type is set to "all files". Once you have saved, right-click the .reg file and allow it to merge with the registry.
 

Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\GTFAVENUE Updater_is1]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{D323185E-62C2-430F-9D71-873B688689D4}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\GTFAVENUE]
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\WRData\Journal]
"24393"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\WRData\Threats\Active]
"3"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\WRData\Threats\Active]
"5"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\WRData\Threats\Active]
"6"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\WRData\Threats\History]
"169"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\WRData\Threats\History]
"172"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\WRData\Threats\History]
"173"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\WRData\Threats\History]
"182"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\WRData\Threats\History]
"191"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\WRData\Threats\History]
"193"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\WRData\Threats\History]
"194"=-
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\GTFAVENUE Updater]


Restart the computer when completed.

You can delete the fixme.reg file when done.
===

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/
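
A check that can be run over a delete-only .reg file, such as the fixme.reg in the post above, before merging it. This is an added example, not part of the original thread or of any tool named in it. It accepts only the two deletion forms of the version 5.00 format (`[-KEY]` and `"name"=-`) and reports every other line; the function name, key paths and sample text are constructed for illustration.

```python
import re

HEADER = "Windows Registry Editor Version 5.00"
KEY_DELETE = re.compile(r'^\[-(HKEY_[A-Z_]+(?:\\.+)?)\]$')    # [-HKEY_...\Key]
KEY_OPEN = re.compile(r'^\[(HKEY_[A-Z_]+(?:\\.+)?)\]$')       # [HKEY_...\Key]
VALUE_DELETE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=-$')       # "name"=-  or  @=-

# Constructed sample (not from the thread): one well-formed key deletion,
# one well-formed value deletion, and two lines that are not deletions.
SAMPLE = r'''Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\SOFTWARE\Example\Leftover Updater_is1]
[HKEY_LOCAL_MACHINE\SOFTWARE\Example\Journal]
"101"=-
"102"="-
"103"="keep"
'''


def lint_reg(text):
    """Return (actions, problems) for a .reg script meant to delete only.

    actions:  ("delete_key", key) or ("delete_value", key, name) tuples
    problems: (line_number, message) tuples for every other line
    """
    actions, problems = [], []
    lines = text.lstrip("\ufeff").splitlines()
    # Without the version header the file is not a 5.00 script; stop here.
    if not lines or lines[0].strip() != HEADER:
        return actions, [(1, "missing version header")]
    current_key = None
    for number, raw in enumerate(lines[1:], start=2):
        line = raw.strip()
        if not line or line.startswith(";"):          # blank line or comment
            continue
        if m := KEY_DELETE.match(line):
            actions.append(("delete_key", m.group(1)))
            current_key = None
        elif m := KEY_OPEN.match(line):
            current_key = m.group(1)                   # later values belong here
        elif m := VALUE_DELETE.match(line):
            if current_key is None:
                problems.append((number, "value line outside any key"))
            else:
                actions.append(("delete_value", current_key, m.group(1).strip('"')))
        elif line.startswith('"') and line.count('"') % 2 == 1:
            # Odd number of quotes, e.g. "name"="-  (stray quote before the dash)
            problems.append((number, "unbalanced quote: " + line))
        else:
            problems.append((number, "not a deletion, would write data: " + line))
    return actions, problems


if __name__ == "__main__":
    found, issues = lint_reg(SAMPLE)
    for action in found:
        print("OK  ", action)
    for number, message in issues:
        print(f"LINE {number}: {message}")
```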

#15 GionnyX

Posted 04 February 2017 - 04:16 AM

Hello, sorry for the late reply.

This is the result of the latest scan.

Attached Files





