
Exceptionally annoying adware that won't get removed!


This topic is locked
6 replies to this topic

#1 pc_vs_virus

  • Members
  • 3 posts

Posted 01 August 2018 - 10:31 PM

As far as I know the adware in question is that of a "Wajam" or something, at least that's what it read when I supposedly removed it. Even after removing the aforementioned files, the adware is still there. The weird folder where it originates from, named some gibberish mishmash of lowercase and uppercase letters and numbers, keeps coming back even after deleting it, in the location of c:\programfiles. There's also another thing that it still keeps on doing, and that is running 2 Windows host process (rundll32) files every minute or so after deleting them from the task manager. If I'm correct these 2 files keep trying to redirect me to really weird sites, to no avail since Malwarebytes is blocking them. The dll programs are being run from syswow64\rundll32.exe. I'm really clueless at this point, and going to need some help to get rid of it.


#2 pc_vs_virus (Topic Starter)

  • Members
  • 3 posts

Posted 01 August 2018 - 11:19 PM

OK, so I had failed a little bit before doing that post. I ran the adware removal software by Malwarebytes and the main Malwarebytes scan at the same time, so the main scan didn't go through. I did it again and it removed like 15 infected files. One file, though, could not be deleted for some reason.


Malwarebytes
www.malwarebytes.com

-Lokitiedot-
Skannauksen päivämäärä: 2.8.2018
Skannauksen kellonaika: 6.32
Lokitiedosto: 213c932d-960d-11e8-b744-0000cb93b09a.json
Ylläpitäjä: Kyllä

-Ohjelmiston tiedot-
Versio: 3.5.1.2522
Osien versio: 1.0.365
Päivityspaketin versio: 1.0.6165
Lisenssi: Kokeiluversio

-Järjestelmän tiedot-
OS: Windows 8.1
CPU: x64
Tiedostojärjestelmä: NTFS
Käyttäjä: Miika\Miika01

-Skannauksen yhteenveto-
Skannauksen tyyppi: Uhkien skannaus
Skannauksen käynnistys: Manuaalinen
Tulos: Valmis
Skannatut kohteet: 638921
Havaitut uhkatekijät: 16
Karanteeniin asetetut uhkatekijät: 15
Kulunut aika: 32 min, 47 s

-Skannausasetukset-
Muisti: Käytössä
Käynnistys: Käytössä
Tiedostojärjestelmä: Käytössä
Arkistot: Käytössä
Piilohaittaohjelmat: Käytössä
Heuristiikka: Käytössä
PUP: Havaitse
PUM: Havaitse

-Skannauksen tiedot-
Prosessi: 0
(Haitallisia kohteita ei havaittu)

Moduuli: 0
(Haitallisia kohteita ei havaittu)

Rekisteröintiavain: 5
Adware.Wajam, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\NLASVC\PARAMETERS\INTERNET\MANUALPROXIES, Karanteenissa, [453], [-1],0.0.0
Adware.SearchAwesome, HKLM\SOFTWARE\SrcAAAesom Browser Enhancer, Karanteenissa, [7296], [509886],1.0.6165
PUP.Optional.Wajam, HKU\S-1-5-21-3172332038-4269891482-14992881-1001\SOFTWARE\WajIEnhance, Karanteenissa, [209], [244670],1.0.6165
Adware.Wajam.Generic, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\NmMyY2NjODA, Karanteenissa, [4864], [530292],1.0.6165
Adware.SearchAwesome, HKLM\SOFTWARE\WOW6432NODE\SrcAAAesom Browser Enhancer, Karanteenissa, [7296], [509886],1.0.6165

Rekisteröintiarvo: 4
Adware.Wajam, HKU\S-1-5-18\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|PROXYENABLE, Karanteenissa, [453], [-1],0.0.0
Adware.Wajam, HKU\S-1-5-21-3172332038-4269891482-14992881-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|PROXYENABLE, Karanteenissa, [453], [-1],0.0.0
Adware.Wajam, HKU\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|PROXYENABLE, Poistaminen epäonnistui, [453], [-1],0.0.0
Adware.Wajam.Generic, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\NmMyY2NjODA|IMAGEPATH, Karanteenissa, [4864], [530292],1.0.6165

Rekisteröintitiedot: 0
(Haitallisia kohteita ei havaittu)

Datavirta: 0
(Haitallisia kohteita ei havaittu)

Kansio: 1
Adware.Wajam, C:\WINDOWS\TEMP\wjmC5D0.tmp, Karanteenissa, [453], [511084],1.0.6165

Tiedosto: 5
Adware.Wajam, C:\Windows\System32\drivers\ZTY5MWUyN2YwNTg5MWE.sys, Karanteenissa, [453], [536673],0.0.0
Adware.Wajam, C:\WINDOWS\TEMP\wjmC5D0.tmp\update.exe, Karanteenissa, [453], [511084],1.0.6165
Adware.Wajam.Generic, C:\WINDOWS\ACYVLVPZGLBZBCPV.ACY, Karanteenissa, [4864], [530292],1.0.6165
MachineLearning/Anomalous.100%, C:\WINDOWS\YJBKZJI0OTA0NDE2.EXE, Karanteenissa, [0], [392687],1.0.6165
MachineLearning/Anomalous.100%, C:\WINDOWS\YJBKZJI0OTA0NDE2.EXE, Karanteenissa, [0], [392687],1.0.6165

Fyysinen sektori: 0
(Haitallisia kohteita ei havaittu)

WMI: 0
(Haitallisia kohteita ei havaittu)


(end)


The one that is highlighted in bold is the file that was denied removal. I'm scanning a second time at the moment. How should I go about deleting that one?


Edited by pc_vs_virus, 01 August 2018 - 11:21 PM.
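The poster asks which entry was denied removal (the bold highlighting was lost when the log was pasted) and, in the opening post, describes a recurring folder with a gibberish mixed-case name. As an added example that is not part of this thread or of Malwarebytes, here is a small Python parser for the report format shown above. It lists every entry whose status is anything other than quarantined, counts hits per detection name, and applies a heuristic that checks whether a case-preserved file or service name is unpadded base64 that decodes to a string of hex digits. That heuristic is an assumption of this example, not a documented property of the adware; it does fire on NmMyY2NjODA and ZTY5MWUyN2YwNTg5MWE.sys from the log above, and it does not fire on YJBKZJI0OTA0NDE2.EXE because the report upper-cases file paths, which is why case matters. The sample lines are copied from the log; the English "Quarantined" status string is assumed so the parser also reads English-language reports.

```python
import base64
import binascii
import re
from collections import Counter

# Constructed sample: detection lines copied from the Malwarebytes report in the
# post above, in the report's own field order:
#   <detection>, <target>, <status>, [<id>], [<id>],<version>
SAMPLE_REPORT = r"""
Rekisteröintiavain: 5
Adware.Wajam, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\NLASVC\PARAMETERS\INTERNET\MANUALPROXIES, Karanteenissa, [453], [-1],0.0.0
Adware.Wajam.Generic, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\NmMyY2NjODA, Karanteenissa, [4864], [530292],1.0.6165

Rekisteröintiarvo: 4
Adware.Wajam, HKU\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|PROXYENABLE, Poistaminen epäonnistui, [453], [-1],0.0.0

Tiedosto: 5
Adware.Wajam, C:\Windows\System32\drivers\ZTY5MWUyN2YwNTg5MWE.sys, Karanteenissa, [453], [536673],0.0.0
MachineLearning/Anomalous.100%, C:\WINDOWS\YJBKZJI0OTA0NDE2.EXE, Karanteenissa, [0], [392687],1.0.6165
"""

# Section headings look like "Tiedosto: 5"; detection lines carry five comma-separated fields.
SECTION_RE = re.compile(r"^(?P<section>[^:,]+): (?P<count>\d+)$")
ENTRY_RE = re.compile(
    r"^(?P<detection>[^,]+), (?P<target>.+), (?P<status>[^,\[\]]+), "
    r"\[(?P<id1>-?\d+)\], \[(?P<id2>-?\d+)\],(?P<version>[\d.]+)$"
)

# Status strings meaning the item was neutralised. The report above is Finnish
# ("Karanteenissa" = quarantined); the English string is an assumption.
QUARANTINED = {"Karanteenissa", "Quarantined"}


def parse_report(text):
    """Return one dict per detection line, tagged with the section heading it sits under."""
    entries, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group("section")
            continue
        m = ENTRY_RE.match(line)
        if m:
            entry = m.groupdict()
            entry["section"] = section
            entries.append(entry)
    return entries


def failed_removals(entries):
    """Entries whose status is not quarantined, e.g. 'Poistaminen epäonnistui' (removal failed)."""
    return [e for e in entries if e["status"] not in QUARANTINED]


def count_by_detection(entries):
    """How many hits each detection name produced."""
    return Counter(e["detection"] for e in entries)


def base64_hex_name(name):
    """Heuristic (an assumption of this example): if a case-preserved file or service
    name is unpadded base64 that decodes to hex digits, return the decoded text, else None.
    Upper-cased paths in the report (YJBKZJI0OTA0NDE2.EXE) no longer decode, so case matters."""
    stem = name.rsplit(".", 1)[0]  # drop a file extension if present
    if len(stem) < 8 or len(stem) % 4 == 1 or not re.fullmatch(r"[A-Za-z0-9+/]+", stem):
        return None
    padded = stem + "=" * (-len(stem) % 4)
    try:
        decoded = base64.b64decode(padded, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return decoded if re.fullmatch(r"[0-9a-fA-F]+", decoded) else None


def suspicious_names(entries):
    """(last path component, decoded hex) for each target whose final component trips the heuristic."""
    hits = []
    for e in entries:
        # Last backslash component; for registry values drop the "|VALUENAME" suffix.
        last = e["target"].rsplit("\\", 1)[-1].split("|", 1)[0]
        decoded = base64_hex_name(last)
        if decoded:
            hits.append((last, decoded))
    return hits


if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    for name, n in count_by_detection(found).items():
        print(f"{n:3d}  {name}")
    for e in failed_removals(found):
        print("NOT REMOVED:", e["section"], e["target"], "->", e["status"])
    for last, decoded in suspicious_names(found):
        print(f"base64-of-hex name: {last} -> {decoded}")
```

Run against the full report, the NOT REMOVED line is the answer to the question in the post: the ProxyEnable value under HKU\.DEFAULT is the only entry Malwarebytes could not quarantine, and the two decoded names show why the folder and service names look like random mixed-case strings.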


#3 satchfan

  • Malware Response Team
  • 2,913 posts
  • Gender: Female
  • Location: Devon, UK

Posted 02 August 2018 - 03:16 AM

Hello pc_vs_virus and welcome to the Bleeping Computer forum.

My name is Satchfan and I would be glad to help you with your computer problem.

Please read the following guidelines which will help to make cleaning your machine easier:

  • please follow all instructions in the order posted
  • please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear
  • all logs/reports, etc. must be posted in Notepad. Please ensure that word wrap is unchecked. In Notepad click Format, uncheck Word wrap if it is checked
  • if you don't understand something, please don't hesitate to ask for clarification before proceeding
  • the fixes are specific to your problem and should only be used for this issue on this machine.
  • please reply within 3 days. If you do not reply within this period I will post a reminder but topics with no reply in 4 days will be closed!

IMPORTANT:

Please DO NOT install/uninstall any programs unless asked to.
Please DO NOT run any scans other than those requested

===================================================

Run RogueKiller

IMPORTANT: Please remove any usb or external drives from the computer before you run this scan!

Close all running programs.


Download RogueKiller to your desktop

  • close all running programs
  • for Windows Vista/Seven, right click -> run as administrator, for XP simply double-click on RogueKiller.exe
  • when the pre-scan is finished, click on Scan
  • click on Report and copy/paste the content in your next post
  • NOTE: DO NOT attempt to remove anything that the scan detects – everything that is reported is not necessarily bad

If the program is blocked, continue to try it several times. If it still doesn’t work, (it could happen), rename it to winlogon.exe.

Please post the contents of the RKreport.txt in your next reply.

Thanks

Satchfan



My help is always free of charge. If you are happy with the help provided, if you wish you can make a donation to buy me a beer.


#4 pc_vs_virus (Topic Starter)

  • Members
  • 3 posts

Posted 02 August 2018 - 10:33 AM

It's this one right?


RogueKiller V12.12.29.0 (x64) [Jul 30 2018] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : https://forum.adlice.com
Website : http://www.adlice.com/download/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 8.1 (6.3.9600) 64 bits version
Started in : Normal mode
User : Miika01 [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Mode : Scan -- Date : 08/02/2018 16:57:59 (Duration : 01:19:11)
Switches : -refid

¤¤¤ Processes : 1 ¤¤¤
[VT.Unknown] Gaming Mouse.exe(8512) -- C:\Program Files (x86)\ADX\AFPH0216 Configuration\Gaming Mouse.exe[7] -> Found

¤¤¤ Registry : 11 ¤¤¤
[PUP.Gen1] (X64) HKEY_CLASSES_ROOT\CLSID\{1B0B843D-C03F-4C32-AAB4-3B2B936444B3} (C:\Program Files (x86)\TNT2\2.0.0.1950\IEToolbar64.dll) -> Found
[PUP.Gen1] (X64) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar | {1B0B843D-C03F-4C32-AAB4-3B2B936444B3} :  (C:\Program Files (x86)\TNT2\2.0.0.1950\IEToolbar64.dll) [x] -> Found
[PUP.Gen1] (X86) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar | {1B0B843D-C03F-4C32-AAB4-3B2B936444B3} :  (C:\Program Files (x86)\TNT2\2.0.0.1950\IEToolbar64.dll) [x] -> Found
[VT.Unknown] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | AFPH0216 Configuration : "C:\Program Files (x86)\ADX\AFPH0216 Configuration\Gaming Mouse.exe" /hide [7] -> Found
[Suspicious.Path] (X64) HKEY_USERS\S-1-5-21-3172332038-4269891482-14992881-1001\Software\Microsoft\Windows\CurrentVersion\Run | MurGee.com Auto Clicker : C:\Users\Miika01\AppData\Roaming\Auto Clicker\AutoClicker.exe :silent [x] -> Found
[Suspicious.Path] (X86) HKEY_USERS\S-1-5-21-3172332038-4269891482-14992881-1001\Software\Microsoft\Windows\CurrentVersion\Run | MurGee.com Auto Clicker : C:\Users\Miika01\AppData\Roaming\Auto Clicker\AutoClicker.exe :silent [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\FairplayKD (\??\C:\ProgramData\MTA San Andreas All\Common\temp\FairplayKD.sys) -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-3172332038-4269891482-14992881-1001\Software\Microsoft\Internet Explorer\Main | Default_Page_URL :
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-3172332038-4269891482-14992881-1001\Software\Microsoft\Internet Explorer\Main | Default_Page_URL :
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {B1219C3C-5EDB-4DE0-9DA8-71EC49983A84} : v2.22|Action=Allow|Active=TRUE|Dir=Out|App=C:\Users\Miika01\AppData\Local\Temp\nsn15B.tmp\CnetInstaller-10778842.exe|Name=proinstaller71| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {600A3E08-D929-4342-B6A1-BB6B31FC7DD8} : v2.22|Action=Allow|Active=TRUE|Dir=In|App=C:\Users\Miika01\AppData\Local\Temp\nsn15B.tmp\CnetInstaller-10778842.exe|Name=proinstaller71| [x] -> Found

¤¤¤ Tasks : 3 ¤¤¤
[Hj.Shortcut] \{3DDB9C0D-5321-45AC-9D5A-518051895D09} -- "c:\program files (x86)\google\chrome\application\chrome.exe" (http://ui.skype.com/ui/0/7.4.0.102/fi/abandoninstall?page=tsProgressBar) -> Found
[Hj.Shortcut] \{82B04A72-3808-45B7-BA4B-31D326ED3FED} -- "c:\program files (x86)\google\chrome\application\chrome.exe" (http://ui.skype.com/ui/0/7.17.85.105/fi/abandoninstall?page=tsProgressBar) -> Found
[Hj.Shortcut] \{B94E0681-0A84-4295-9A10-B39D0A135990} -- "c:\program files (x86)\google\chrome\application\chrome.exe" (http://ui.skype.com/ui/0/7.4.0.102/fi/abandoninstall?page=tsProgressBar) -> Found

¤¤¤ Files : 4 ¤¤¤
[Hidden.ADS][Stream] C:\Users\Miika01\AppData\Roaming:NT -> Found
[Hidden.ADS][Stream] C:\Users\Miika01\AppData\Roaming:NT2 -> Found
[Hidden.ADS][Stream] C:\ProgramData:NT -> Found
[Hidden.ADS][Stream] C:\ProgramData:NT2 -> Found

¤¤¤ WMI : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 1 ¤¤¤
[PUM.HomePage][Chrome:Config] Default [SecurePrefs] : homepage [http://reddit.com/] -> Found

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: TOSHIBA DT01ACA100 +++++
--- User ---
[MBR] 350dbc94bb393f51ea31362239bb7627
[BSP] e588d8a693808c5c67d35f1c25bd89ce : Empty MBR Code
Partition table:
0 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 2048 | Size: 800 MB
1 - [MAN-MOUNT] EFI system partition | Offset (sectors): 1640448 | Size: 260 MB
2 - [MAN-MOUNT] Microsoft reserved partition | Offset (sectors): 2172928 | Size: 128 MB
3 - Basic data partition | Offset (sectors): 2435072 | Size: 153600 MB
4 - Basic data partition | Offset (sectors): 317007872 | Size: 780744 MB
5 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 1915971584 | Size: 18336 MB
User = LL1 ... OK
User = LL2 ... OK




#5 satchfan

  • Malware Response Team
  • 2,913 posts
  • Gender: Female
  • Location: Devon, UK

Posted 02 August 2018 - 10:53 AM

OK let’s clear up what was found.

Run RogueKiller

IMPORTANT: Do not reboot your computer if at all possible otherwise the malware will reactivate and you will have to run RogueKiller again

  • close all programs
  • double-click RogueKiller.exe - Windows 7/8/10: right-click the program and select Run as Administrator
  • after it has completed its pre-scan, click on Scan
  • when the scan is finished press Remove Selected and post the log it produces.

Please then run it again and send the new log

Satchfan



#6 satchfan

  • Malware Response Team
  • 2,913 posts
  • Gender: Female
  • Location: Devon, UK

Posted 05 August 2018 - 05:32 PM

Hi pc_vs_virus

It has been several days since I sent my last reply about your computer problem.

Please let me know if you are having problems and still need help.

Thanks

Satchfan




#7 satchfan

  • Malware Response Team
  • 2,913 posts
  • Gender: Female
  • Location: Devon, UK

Posted 07 August 2018 - 04:42 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.
