
Pornographic Adware on websites in the Chrome Browser


6 replies to this topic

#1 m33wrat

m33wrat

  • Members
  • 3 posts

Posted 23 February 2017 - 01:08 PM

Hello!

 

This is weird because when I scan my computer for any viruses with Malwarebytes, it says there are 0 viruses, but I still get this pornographic adware on legitimate websites in the Chrome browser. And by legitimate websites I mean the League of Legends website, as an example, and numerous other sites that I visit. I believe this isn't an issue on their end but mine. Here is an image for clarification. Any help would be appreciated.

Thank you,

m33wrat


#2 nasdaq

nasdaq

  • Malware Response Team
  • 39,963 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 24 February 2017 - 10:41 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it into your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

How to attach a file to your reply:
In the Reply section at the bottom of the topic, click the "More Reply Options" button.

Attach the file.
Click "Choose a File" and navigate to the location of the file.
Click the file you wish to attach.

Click the Add Reply button.
===

Please post the logs.

Wait for further instructions.

#3 m33wrat

m33wrat
  • Topic Starter

  • Members
  • 3 posts

Posted 24 February 2017 - 11:55 AM

Here you go! I hope it's correct.

And thank you in advance for helping out :)

 

EDIT: It gave almost everything about my computer's information and network. Hopefully this cannot be used against me. x.x



Edited by m33wrat, 24 February 2017 - 12:00 PM.


#4 nasdaq

nasdaq

  • Malware Response Team
  • 39,963 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 25 February 2017 - 08:35 AM

Remove this Rogue program in bold via the Control Panel > Programs > Programs and Features.
REOptimizer (HKU\S-1-5-21-177065037-2016520416-3364678728-1001\...\REOptimizer) (Version: - AltoCloud) <==== ATTENTION
===

Press the Windows key + R on your keyboard at the same time. This will open the Run box.
Type Notepad and click OK.

Please copy the entire contents of the code box below to a new file.
 
Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKU\S-1-5-21-177065037-2016520416-3364678728-1001\...\Run: [DCL1P69EG2] => "C:\Program Files\DTX6S69HO0\DTX6S69HO.exe"
HKU\S-1-5-21-177065037-2016520416-3364678728-1001\...\Run: [HWVD7OKX9R] => "C:\Program Files\1ON37L2BTY\1ON37L2BT.exe"
HKU\S-1-5-21-177065037-2016520416-3364678728-1001\...\Run: [IV0XCCXNMS] => "C:\Program Files\MM2FBOS9PF\MM2FBOS9P.exe"
HKU\S-1-5-21-177065037-2016520416-3364678728-1001\...\Run: [wyipyt] => rundll32.exe "C:\Users\ILmurat Ownuk\AppData\Local\wyipyt.dll",wyipyt <===== ATTENTION
HKU\S-1-5-21-177065037-2016520416-3364678728-1001\...\Run: [NHYKY79Y61] => "C:\Program Files\BNO7XGCF3Y\BNO7XGCF3.exe"
CHR HomePage: Default -> hxxps://%66%65%65%64.%68%65%6C%70%65%72%62%61%72.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBFnYN5R-SRTQR4zPSPkN6vAMNHn-tEaq5HGqheUv9UWJI4mVWYHvKZ2IobWIjMTXHEnhzJZvzuWHr9hSpp-AWOKnpSxxhxN1hSnDEf_hR7w5tqZjdo_P7D-lkucbY75FnMXaV_J8EFL2L8sVnjqkZBlbssujONBfADeOfPcjrA6Nz2_m15wKXwtf_x
CHR StartupUrls: Default -> "hxxp://www-searching.com/?pid=s&s=H22ztrmbl10AU,1fe72b85-a063-4c70-b0fc-7f3d029e25df,&vp=ch&prd=set_ch"
CHR Extension: (Chrome Web Store Payments) - C:\Users\ILmurat Ownuk\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-02-01]
CHR Extension: (Chrome Media Router) - C:\Users\ILmurat Ownuk\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-02-11]
S2 serverss; C:\WINDOWS\Temp\1516.tmp [X]
Task: {7F76C6B2-F9EA-411E-8D9F-8CAD173ACC9F} - System32\Tasks\HJ4z7pbjt0 => C:\Program Files (x86)\m9vA5lSADw\updengine.exe  <==== ATTENTION
Task: {CBBFB225-B22A-4735-A90F-A6BE85BDA49F} - \{0A0F0C47-7808-0C79-0E11-0F047E0B110F} -> No File <==== ATTENTION
Task: {CDD0D0A4-9FB1-4467-B81C-408654DCD5A1} - System32\Tasks\AutoKMS => C:\Windows\AutoKMS\AutoKMS.exe [2016-09-24] ()
92.53.119.169 d134l0cdryxgwa.cloudfront.net
92.53.119.169 d2oh4tlt9mrke9.cloudfront.net
FirewallRules: [{0A94A3D2-F4C4-4760-915D-45AF876C13D9}] => (Allow) C:\Users\ILmurat Ownuk\AppData\Local\BrowserAir\Application\BrowserairExec.exe
C:\Windows\AutoKMS
C:\Users\ILmurat Ownuk\AppData\Local\BrowserAir
C:\Program Files\DTX6S69HO0\DTX6S69HO.exe
C:\Program Files\1ON37L2BTY\1ON37L2BT.exe
C:\Program Files\MM2FBOS9PF\MM2FBOS9P.exe
C:\Users\ILmurat Ownuk\AppData\Local\wyipyt.dll
C:\Program Files\BNO7XGCF3Y\BNO7XGCF3.exe

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt); please post it in your reply.

Please let me know what problem persists with this computer.
---

Reset Chrome...
Open Google Chrome and click on the menu icon, which is located at the top right side of the Google Chrome window.
 
Click "Settings" then "Show advanced settings" at the bottom of the screen.
 
Click "Reset browser settings" button.
 
Restart Chrome.
===

p.s.
Your Hosts file has been reset to the Windows default value.
You can re-install the 3rd party hosts file you were using.

Edited by nasdaq, 03 March 2017 - 08:00 AM.


#5 m33wrat

m33wrat
  • Topic Starter

  • Members
  • 3 posts

Posted 02 March 2017 - 02:21 PM

Hey, sorry for the late reply.

I did delete REOptimizer.

I do not want to alter my hosts file if that's what the script does.

Progress: I haven't seen the ads in a while. But there was a problem where Windows PowerShell would pop up quickly and disappear and I would get the following Malwarebytes notification.




#6 nasdaq

nasdaq

  • Malware Response Team
  • 39,963 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 03 March 2017 - 08:09 AM

I do not want to alter my hosts file if that's what the script does.


The script resets the Hosts file to the default Microsoft value.

I have no problems with these entries.
 

127.0.0.1 down.baidu2016.com
127.0.0.1 123.sogou.com
127.0.0.1 www.czzsyzgm.com
127.0.0.1 www.czzsyzxl.com
127.0.0.1 union.baidu2019.com
127.0.0.1 down.baidu2016.com
127.0.0.1 123.sogou.com
127.0.0.1 www.czzsyzgm.com
127.0.0.1 www.czzsyzxl.com
127.0.0.1 union.baidu2019.com


I do, however, feel that all the rest of the entries referencing
92.53.119.169 ...

are bad. Unless you have set them, I suggest you edit the Hosts file.

Information on Hosts file.
http://winhelp2002.mvps.org/hosts.htm
===

I have edited my script to remove the Hosts resetting.
I suggest you execute it.

===

Malwarebytes is doing what it should.
If you wish to disable the notifications follow the instructions on this page.
https://support.malwarebytes.com/customer/portal/articles/1835324-how-do-i-disable-notifications-when-malwarebytes-anti-malware-blocks-a-file-or-website-?b_id=6438
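As an added illustration (not code from this thread, from FRST, or from Malwarebytes) of what the fixlist in #4 and the hosts-file remarks in #6 are keying on: a small Python triage helper that flags the same three patterns in FRST-style lines, i.e. autorun entries whose value name or parent folder is a random upper-case token, a Chrome home page whose host is hidden behind percent-encoding, and hosts lines that redirect a name somewhere other than loopback. The regular expressions, the randomness heuristic and the sample lines are constructed here; the SID in the sample is a placeholder.

```python
import re
from urllib.parse import unquote

# Constructed sample input modelled on the FRST lines quoted in this thread:
# a randomly named autorun, a benign autorun for contrast, the percent-encoded
# Chrome home page, a loopback hosts entry and a hosts redirect. Placeholder SID.
SAMPLE_LINES = [
    r'HKU\S-1-5-21-<sid>-1001\...\Run: [DCL1P69EG2] => "C:\Program Files\DTX6S69HO0\DTX6S69HO.exe"',
    r'HKU\S-1-5-21-<sid>-1001\...\Run: [OneDrive] => "C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe"',
    'CHR HomePage: Default -> hxxps://%66%65%65%64.%68%65%6C%70%65%72%62%61%72.%63%6F%6D/?p=mKO_Aw',
    '127.0.0.1 down.baidu2016.com',
    '92.53.119.169 d134l0cdryxgwa.cloudfront.net',
]
RANDOM_TOKEN = re.compile(r'^[A-Z0-9]{8,12}$')
RUN_LINE = re.compile(r'\\Run: \[(?P<name>[^\]]+)\] => (?P<path>.+?)\s*(<=+\s*ATTENTION)?$')
CHR_LINE = re.compile(r'^CHR (HomePage|StartupUrls): \S+ -> "?(?P<url>hxxps?://\S+?)"?$')
HOSTS_LINE = re.compile(r'^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<host>\S+)$')


def decode_obfuscated_url(value: str) -> str:
    """Undo FRST's hxxp defanging and the percent-encoding that hides the real host name."""
    return unquote(value.replace('hxxp', 'http', 1))


def looks_random(token: str) -> bool:
    """Heuristic (ours): 8-12 upper-case characters mixing letters and digits, e.g. DTX6S69HO0."""
    return bool(RANDOM_TOKEN.match(token)) and any(c.isdigit() for c in token) \
        and any(c.isalpha() for c in token)


def triage_line(line: str):
    """Return (category, detail) for a line that deserves a second look, else None."""
    m = RUN_LINE.search(line)
    if m:
        path = m.group('path').strip('"')
        folders = path.split('\\')[1:-1]  # parent folders only: drop drive and file name
        if looks_random(m.group('name')) or any(looks_random(f) for f in folders):
            return ('autorun', path)
        return None
    m = CHR_LINE.match(line)
    if m and '%' in m.group('url'):  # a normal home page has no reason to encode its host
        return ('browser', decode_obfuscated_url(m.group('url')))
    m = HOSTS_LINE.match(line)
    if m and not m.group('ip').startswith('127.') and m.group('ip') != '0.0.0.0':
        return ('hosts', f"{m.group('host')} -> {m.group('ip')}")  # blocking entries use loopback
    return None


def triage(lines):
    """Collect (line, category, detail) for every line triage_line flags."""
    return [(ln, *hit) for ln in lines if (hit := triage_line(ln))]
```

Run against the sample it reports the random autorun, the decoded home page (feed.helperbar.com) and the cloudfront redirect, and stays silent on the OneDrive autorun and the loopback entry.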

#7 nasdaq

nasdaq

  • Malware Response Team
  • 39,963 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 09 March 2017 - 08:41 AM

Are you still with me?



