Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Advare virus


  • This topic is locked This topic is locked
22 replies to this topic

#1 puneetblog

puneetblog

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:11:59 AM

Posted 02 July 2017 - 07:37 AM

Can anybody help me with a difficult to remove Trojan?



BC AdBot (Login to Remove)

 


#2 Jo*

Jo*

  • Malware Response Team
  • 3,444 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Germany
  • Local time:08:29 AM

Posted 02 July 2017 - 07:44 AM

:welcome: to BleepingComputer.

Hi there,

my name is Jo and I will help you with your computer problems.


Please follow these guidelines:
  • Read and follow the instructions in the sequence they are posted.
  • print or copy & save instructions.
  • back up all your private data / music / important files on another (external) drive before using our tools.
  • Do not install / uninstall any applications, unless otherwise instructed.
  • Use only that tools you have been instructed to use.
  • Copy and Paste the log files inside your post, unless otherwise instructed.
  • Ask for clarification, if you have any questions.
  • Stay with this topic til you get the all clean post.
  • My first language is not english. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

***


:step1: Please download Security Analysis by Rocket Grannie from here
  • Save it to your Desktop.
  • Close your security software to avoid potential conflicts.
  • Double click RGSA.exe
  • Click OK on the copyright-disclaimer
  • When finished, a Notepad window will open with the results of the scan.
  • The log named SALog.txt can also be found on the Desktop or in the same folder from where the tool is run if installed elsewhere.
  • Please copy and paste the contents of that log in this topic.
  • Note:
If you get a Warning from Windows about running the program, click on More info and then click Run Anyway to run it even though Windows says it might put your PC at risk.
 

***


:step2: Please download Malwarebytes Anti-Rootkit and save it to your desktop.
  • Be sure to print out and follow the instructions provided on that same page.
  • Caution: This is a beta version so please be sure to read the disclaimer and back up all your data before using.
  • Double click on downloaded file. OK self extracting prompt.
  • MBAR will start. Click in the introduction screen "next" to continue.
  • Click in the following screen "Update" to obtain the latest malware definitions.
  • Once the update is complete select "Next" and click "Scan".
With some infections, you may see two messages boxes.
  • 'Could not load protection driver'. Click 'OK'.
  • 'Could not load DDA driver'. Click 'Yes' to this message, to allow the driver to load after a restart. Allow the computer to restart. Continue with the rest of these instructions.
  • If malware is found - do not press the Clean up button, please go to the MBAR folder and then copy/paste the contents of the MBAR-log-***.txt file to your next reply.
  • If there is no malware found, please let me know as well.

***


:step3: Please download AdwCleaner by Xplode and save to your Desktop.
Double-click AdwCleaner.exe
Vista / Windows 7/8/10 users right-click and select Run As Administrator.
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • After the scan has finished, click on the Logfile button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
  • The contents of the log file may be confusing. Unless you see a program name that you know should not be removed, don't worry about it.
    If you see an entry you want to keep, let me know about it.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of all logfiles are saved in the C:\AdwCleaner folder which was created when running the tool.

***


:step4: Please download Farbar Recovery Scan Tool and save it to your Desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system, that will be the right version.
  • Right-click FRST then click "Run as administrator" (XP users: click run after receipt of Windows Security Warning - Open File).
  • When the tool opens, click Yes to disclaimer.
  • Press the Scan button.
  • When finished, it will produce a log called FRST.txt in the same directory the tool was run from.
  • Please copy and paste the log in your next reply.
Note 2: The first time the tool is run it generates another log (Addition.txt - also located in the same directory the tool was run from). Please also paste that, along with the FRST.txt into your next reply.

Graduate of the WTT Classroom
Cheers,
Jo
If I have been helping you, and I have not replied to your latest post in 36 hours please send me a PM.


#3 puneetblog

puneetblog
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:11:59 AM

Posted 02 July 2017 - 08:35 AM

attached log files

Attached Files



#4 puneetblog

puneetblog
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:11:59 AM

Posted 02 July 2017 - 08:38 AM

however i am facing difficulties with root scan 

on which it shows dda driver not installed

immediately following:

could not install driver on boot scan can't continue 

:)


Edited by puneetblog, 02 July 2017 - 08:38 AM.


#5 Jo*

Jo*

  • Malware Response Team
  • 3,444 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Germany
  • Local time:08:29 AM

Posted 02 July 2017 - 08:42 AM

OK, skip the rootkit scan.

Farbar Recovery Scan Tool:
The first time the tool is run it generates another log (Addition.txt - also located in the same directory the tool was run from). Please also paste that log!


Graduate of the WTT Classroom
Cheers,
Jo
If I have been helping you, and I have not replied to your latest post in 36 hours please send me a PM.


#6 puneetblog

puneetblog
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:11:59 AM

Posted 02 July 2017 - 08:43 AM

this is a series of adw cleaner logs 

Included: Addition.txt :)

Attached Files


Edited by puneetblog, 02 July 2017 - 08:46 AM.


#7 Jo*

Jo*

  • Malware Response Team
  • 3,444 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Germany
  • Local time:08:29 AM

Posted 02 July 2017 - 08:54 AM

Why do you think your pc is infected?

Did you create ping.bat and the task for it?
Task: {C1959666-201B-457E-96BA-5C6EF341C6D1} - System32\Tasks\Ping => C:\Users\anil\Desktop\ping.bat [2017-04-23] () <==== ATTENTION


Graduate of the WTT Classroom
Cheers,
Jo
If I have been helping you, and I have not replied to your latest post in 36 hours please send me a PM.


#8 puneetblog

puneetblog
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:11:59 AM

Posted 02 July 2017 - 08:55 AM

My PC webpage opens when i surf some website

 

like buy iphone etc. 

 

Yes, I created these 



#9 puneetblog

puneetblog
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:11:59 AM

Posted 02 July 2017 - 08:57 AM

Eg. 
 
WARNING! I AM POSTING ADWARE LINKS
 
THE WEB ADDRESS IT REDIRECTS DO NOT CLICK!!
 
{
 
*-hxxp://www.easypdfcombine.com/index.jhtml?partner=^BSB^xpt001&s1=1220488&s2=339680261232&s3=&s4=&s5=&rt=1
hxxp://secure.digiup.online/swp/au/i6s/q/gt/ini7quizgg.html?brand=Desktop&volid=aps478&src=b2o&model=Desktop&os=Windows&xyz=1220488&ckk=n&ld=IN&ip=59.182.5.178&browser=Chrome&city=Mumbai&isp=Mahanagar%20Telephone%20Nigam%20Ltd.&dt=y&voluumdata=BASE64dmlkLi4wMDAwMDAwMi1lMGUyLTQ2ZmUtODAwMC0wMDAwMDAwMDAwMDBfX3ZwaWQuLjViMWI0ODAwLTVmMjYtMTFlNy04ODk3LWM1NTE2YWNlN2FkZV9fY2FpZC4uZGIwYjVlMmYtZTIzNS00MGM4LTk5ZWYtNDQ0ZDVlODg0N2E0X19ydC4uUl9fbGlkLi5kNzM4MGMwOS01ZmFmLTQzYzEtYjJhZC04YmUxODhkNTFiZjdfX29pZDEuLmI4NjYwYjAxLTVjYmItNGIwYi1hYjZjLTIyMzk2MWUyNDgxOF9fdmFyMS4uMTIyMDQ4OF9fdmFyMi4ue3J9X19yZC4uZ29cLlxkZWxpdmVyeW1vZG9cLlxjb21fX2FpZC4uX19hYi4uX19zaWQuLl9fY3JpLi5fX3B1Yi4uX19kaWQuLl9fZGl0Li5fX3BpZC4uX19pdC4uX192dC4uMTQ5OTAwMzg4ODgwMw&zoneid=1220488&r={r}&subid=338561450563
*-hxxp://go.deliverymodo.com/afu.php?zoneid=1220488
 
}
It happens when I go, for instance, to abcnews.com 
 
Does not happen when to other websites.

Edited by Jo*, 02 July 2017 - 09:30 AM.


#10 puneetblog

puneetblog
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:11:59 AM

Posted 02 July 2017 - 09:03 AM

Following up, 

 

For your info I have also tried Google chrome cleanup tool 

I have run a full system scan with Norton Which neutralised 3 threats.. 

But the problem remains

All my browsers are infected!



#11 puneetblog

puneetblog
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:11:59 AM

Posted 02 July 2017 - 09:07 AM

I have noticed something quite interesting 

one of the links directs me to official website of sony liv tv but i doubt 

that 

also the ctrl shortcuts disabled on such websites

 

it was on these websites that an extension cajoled me to downloading 

a chrome extension called 'discount machine' 

and the problem is since then 

it also gave a sincere dialog confirmation which comes from the google webstore 

 

:love4u:



#12 Jo*

Jo*

  • Malware Response Team
  • 3,444 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Germany
  • Local time:08:29 AM

Posted 02 July 2017 - 09:31 AM

please do not post such links again, thx.

Please download Junkware Removal Tool from HERE and save it to your desktop.
Shutdown your antivirus to avoid any potential conflicts.
Double click JRT.exe to run the tool.
Vista / Windows 7/8/10 users right-click and select Run As Administrator.
  • JRT will begin to backup your registry and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, the log JRT.txt is saved on your desktop and will automatically open.
Enable your antivirus!
Post the contents of JRT.txt into your next reply.


***



Open notepad. Please copy the contents of the code box below. To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
Save it in the same location as / FSRT / FSRT64 (usually your desktop) as fixlist.txt
 
Start
CreateRestorePoint:
CloseProcesses:
GroupPolicy\User: Restriction <==== ATTENTION
GroupPolicyUsers\S-1-5-21-395693985-1442103239-94539308-1003\User: Restriction <==== ATTENTION
SearchScopes: HKU\S-1-5-21-395693985-1442103239-94539308-1001 -> DefaultScope {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = 
SearchScopes: HKU\S-1-5-21-395693985-1442103239-94539308-1003 -> DefaultScope {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = 
SearchScopes: HKU\S-1-5-21-395693985-1442103239-94539308-501 -> DefaultScope {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = 
Toolbar: HKU\S-1-5-21-395693985-1442103239-94539308-1000 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
CHR Extension: (Chrome Media Router) - C:\Users\anil\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-06-30]
Task: {EA7E90F6-1BF9-46ED-8AE2-0FA564B0C81B} - \WiseCleaner\WASSkipUAC -> No File <==== ATTENTION
MSCONFIG\startupreg: BingSvc => C:\Users\anil\AppData\Local\Microsoft\BingSvc\BingSvc.exe
End

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Run FRST / FSRT64 again as Administrator like we did before but this time press the Fix button just once and wait.

The tool will make a log (Fixlog.txt) please post it to your reply.


How the computer is running now?

Graduate of the WTT Classroom
Cheers,
Jo
If I have been helping you, and I have not replied to your latest post in 36 hours please send me a PM.


#13 puneetblog

puneetblog
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:11:59 AM

Posted 02 July 2017 - 10:02 AM

Here 

 

JRT.txt

fixlog.txt

 

:) Thanks for the help (:

Attached Files


Edited by puneetblog, 02 July 2017 - 10:03 AM.


#14 Jo*

Jo*

  • Malware Response Team
  • 3,444 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Germany
  • Local time:08:29 AM

Posted 02 July 2017 - 10:26 AM

Run Zoek

Please temporarily disable your AV program.

Download zoek.exe to your Desktop:

Important: Disable your AntiVirus and AntiSpyware programs, so they do not interfere with the running of Zoek.exe. You can find instructions how to disable your security applications [url=[object Object]]here.
  • on Windows Vista, 7, 8 and 10, right-click Zoek.exe and select: Run as Administrator
  • give it a few seconds to appear
  • copy/paste the entire script inside the codebox below into the input field of Zoek:
    autoclean;
    emptyclsid;
    
  • close any open programs.
  • click the Run script button, and wait. It takes a few minutes to run.
  • when the tool finishes, the zoek-results.log is opened in Notepad: the log can also be found on the systemdrive, normally C:\
  • if a reboot is needed, the log will be opened after the reboot.
Can you tell me how your computer is running now and if there are any remaining problems.


---

FRST / FSRT64: run it again.
  • Right-click FRST / FSRT64 then click "Run as administrator" (XP users: click run after receipt of Windows Security Warning - Open File).
  • When the tool opens, click Yes to disclaimer.
  • Put a check into the boxes next to Addition.txt and Shortcut.txt. Then press the Scan button.
  • When finished, it will produce logs called FRST.txt, Shortcut.txt and Addition.txt in the same directory the tool was run from.
  • Please copy and paste both logs in your next reply.

Graduate of the WTT Classroom
Cheers,
Jo
If I have been helping you, and I have not replied to your latest post in 36 hours please send me a PM.


#15 puneetblog

puneetblog
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:11:59 AM

Posted 03 July 2017 - 03:01 AM

as soon as i ran this a program called Das21 stopped running 

in addition this program itself does not finish 

it gets stuck at firefox extensions 






0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users