
Wonderlandads.com 'Google Chrome' tabs popping up randomly


  • This topic is locked
8 replies to this topic

#1 spriggamortis

  • Members
  • 7 posts
  • Gender:Male
  • Location:Perth, Western Australia

Posted 02 February 2017 - 06:00 AM

Hi,

 

Another Wonderlandads.com infected PC here :(    The infected PC is my boy's gaming PC.  He believes the pop-ups started about 1 week or so ago. 

Malwarebytes Premium started blocking outgoing requests that are opening up random Google Chrome tabs for wonderlandads.com (I have attached 1 example Malwarebytes log of this block).

Chrome does not have to be open for the wonderlandads pop-ups to appear in a Chrome window/tab.

I have run the usual programs in an attempt to remove it.  Malwarebytes, Adwcleaner, Spybot, Junkware removal etc.  It found a few small things, but nothing that I could link to wonderlandads.

 

As required, I have attached the FRST64 logs files.

 

Big thanks in advance.

 

Cheers

Spriggy

 

 

Attached Files




#2 nasdaq

  • Malware Response Team
  • 39,508 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 02 February 2017 - 09:43 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Press the Windows key + R on your keyboard at the same time. This will open the Run box.
Type Notepad and click the OK key.

Please copy the entire contents of the code box below to a new file.


Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  -> No File
GroupPolicy: Restriction <======= ATTENTION
GroupPolicy\User: Restriction <======= ATTENTION
CHR Extension: (Rainbow Six Siege [FVD]) - C:\Users\thras\AppData\Local\Google\Chrome\User Data\Default\Extensions\ilckagbmhjbmigdhnmgfchnaipebhohc [2017-02-02]
CHR Extension: (Chrome Web Store Payments) - C:\Users\thras\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-01-19]
CHR Extension: (Chrome Media Router) - C:\Users\thras\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-02-01]
S2 amdacpksd; \??\C:\WINDOWS\system32\drivers\amdacpksd.sys [X]
U0 aswVmm; no ImagePath
AlternateDataStreams: C:\Users\thras:Heroes & Generals [38]

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

--RogueKiller--
  • Download RogueKiller & SAVE it to your Desktop.
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or above, right-click the program file and select "Run as Administrator"
  • Accept the user agreements.
  • Execute the scan and wait until it has finished.
  • If a window opens to explain what PUMs are, read about it.
  • Click the RogueKiller icon on your taskbar to return to the report.
  • Click open the Report
  • Click Export TXT button
  • Save the file as ReportRogue.txt
  • Click the Remove button to delete the items in RED
  • Click Finish and close the program.
  • Locate the ReportRogue.txt file on your Desktop and copy/paste the contents in your next reply.
=======

Please let me know if the problem persists with this computer.
===

#3 spriggamortis
  • Topic Starter

  • Members
  • 7 posts
  • Gender:Male
  • Location:Perth, Western Australia

Posted 02 February 2017 - 10:43 AM

Thank you very much for the prompt reply nasdaq. :)

 

I'm currently at work on nightshift.  Will follow through with your above instructions as soon as I can.

 

Cheers


Edited by spriggamortis, 02 February 2017 - 10:44 AM.


#4 spriggamortis
  • Topic Starter

  • Members
  • 7 posts
  • Gender:Male
  • Location:Perth, Western Australia

Posted 02 February 2017 - 06:28 PM

nasdaq,

 

Got home this morning and followed your FRST instructions.  Installed RogueKiller (free) and it found x2 items.

Both FRST and RogueKiller logs are attached.

 

Thanks again for your time and help!!

 

Going to bed now, so will leave the boy's PC on and Chrome open.  I'll clear Malwarebytes logs and hope ....... :)

 

Will keep you updated.

 

Cheers

 

Attached Files



#5 spriggamortis
  • Topic Starter

  • Members
  • 7 posts
  • Gender:Male
  • Location:Perth, Western Australia

Posted 03 February 2017 - 12:41 AM

Unfortunately still happening.  Checked MWB log and found multiple entries.  However, noticed something interesting that I obviously didn't notice initially.  The outbound connections are happening every 30 mins.

I have attached a screenshot snip of the log.

 

Also of note: after I completed your above task requests, the PC was restarted; however, I did not restart/reset the router.  Not sure if this would make any difference in this case.  For your information.

 

Cheers

Attached Files



#6 spriggamortis
  • Topic Starter

  • Members
  • 7 posts
  • Gender:Male
  • Location:Perth, Western Australia

Posted 03 February 2017 - 01:43 AM

Just quickly.  Restarted modem (not reset).  Pop-up event still occurred, at the same time period (i.e. 1419hrs).

Took some kwik snip screenies of Chrome history, showing the websites blocked.  Probably won't help, but just in case.

 

Also, I re-ran RogueKiller out of curiosity.  Both the registry entries that were previously removed had returned.

 

 

Attached Files


Edited by spriggamortis, 03 February 2017 - 01:51 AM.
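The 30-minute cadence spriggamortis spots in the Malwarebytes log (posts #5 and #6), together with the registry entries that come back after removal, is the kind of fixed-interval pattern worth checking for automatically, since it points at something scheduled or resident rather than a browser extension. The following is an added example, not code from this thread or from Malwarebytes; its log lines are constructed in a simplified format, and `parse()` would need adapting to a real log layout.

```python
"""Flag domains whose outbound blocks recur at a fixed interval.
Added example, not from the thread. The log lines below are CONSTRUCTED
in a simplified "timestamp, action, domain" form, not Malwarebytes'
real log layout; adapt parse() to the format you actually have.
"""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample: one domain blocked every ~30 minutes (a few seconds
# of jitter) plus a one-off block of another domain as noise.
SAMPLE_LOG = """\
2017-02-03 12:19:02, Website blocked, wonderlandads.com
2017-02-03 12:49:05, Website blocked, wonderlandads.com
2017-02-03 13:02:41, Website blocked, example-tracker.test
2017-02-03 13:19:01, Website blocked, wonderlandads.com
2017-02-03 13:49:03, Website blocked, wonderlandads.com
2017-02-03 14:19:00, Website blocked, wonderlandads.com
"""


def parse(text):
    """Group block timestamps by domain."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, _action, domain = (f.strip() for f in line.split(",", 2))
        events[domain].append(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"))
    return events


def find_beacons(events, min_hits=3, tolerance_s=60):
    """Return {domain: interval_minutes} for domains whose consecutive
    blocks are spaced by a near-constant gap (beacon-like behaviour)."""
    beacons = {}
    for domain, times in events.items():
        times = sorted(times)
        if len(times) < min_hits:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        # Dominant gap, rounded to whole minutes.
        interval, _ = Counter(round(g / 60) for g in gaps).most_common(1)[0]
        agree = sum(1 for g in gaps if abs(g - interval * 60) <= tolerance_s)
        # Require the dominant gap to explain at least 80% of the gaps.
        if interval > 0 and agree >= max(1, round(0.8 * len(gaps))):
            beacons[domain] = interval
    return beacons


if __name__ == "__main__":
    for domain, minutes in find_beacons(parse(SAMPLE_LOG)).items():
        print(f"{domain}: blocked every {minutes} min; check scheduled tasks/services")
```

A domain that shows up here with a steady interval is a lead for the next step: look for a scheduled task, service or Run key that fires on that period, which is also what would explain entries reappearing after removal.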


#7 nasdaq

  • Malware Response Team
  • 39,508 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 03 February 2017 - 08:46 AM


It's coming from this site, puklisi.ru, as seen in your images.

Please run the Farbar Recovery Scan Tool. Enter puklisi.ru in the Search Box.
Click the Search Registry button, post the content of the Search.txt file in your next reply.

#8 spriggamortis
  • Topic Starter

  • Members
  • 7 posts
  • Gender:Male
  • Location:Perth, Western Australia

Posted 03 February 2017 - 07:00 PM

Followed your last instructions.  Nothing found. (see attached)

Attached Files



#9 spriggamortis
  • Topic Starter

  • Members
  • 7 posts
  • Gender:Male
  • Location:Perth, Western Australia

Posted 04 February 2017 - 01:52 AM

nasdaq,

 

I've done further rooting around on the boy's PC, and found other problems, not related to this query.  I think the safest and easiest thing to do will be a clean install, so I'm 100% confident in my mind everything is sorted.

 

Massive thank you for your help!!  Sorry if I've wasted your time.  Gr8 to see an online community willing to help others in my situation.

 

Of note, I'm going to reset the router to factory settings and start from scratch there as well.

 

Regards

Spriggy :)





