Ads by BlockandSurf

MobileTechie

I'm struggling with an adware removal which I'm doing remotely. The computer was overrun with fake warnings and download offerings and the usual driver updaters, PC cleaners and so on.

I've got rid of a ton but keep getting ads and popups in IE and FF.

I've run:

MBAM
SAS
Hitman Pro
ADW Cleaner
JRT
RogueKiller
Bitdefender

I've reset both browsers, gone through the registry Run areas, removed directories of suspicious apps that are not showing up as installed but can be seen running (e.g. youtubeserv.exe). Removed browser extensions/add-ons. Checked the DNS settings. Checked the hosts file. Checked for proxy servers. Reset IE.

Nothing is coming up with anything yet the ads are still there.
 
I would say do an autoruns... but being on remote may make that difficult. msconfig may have to do...

Check the shortcuts, they hide entries on the target sometimes, though it usually just affects the start page.
 
Sadly that tool didn't work and couldn't see anything in Autoruns either.

A fresh Chrome install has the same problems.

Ran ComboFix which didn't fix it either.
 
If you know what you're looking for then Process Monitor and Process Explorer are worth a go.
 
Try a bootable scan like Kaspersky Rescue Disk etc. in case your scans are missing something. Worked on one the other day: ran my routine on it and it still was not running right, did a boot scan on it and there were still like 4000+ items on it.
 
Under the IE heading, I saw this.

IE - HKCU\..\SearchScopes,DefaultScope = {67C334C0-408D-4E6D-B5A7-0ADD6AFFA252}
IE - HKCU\..\SearchScopes\{67C334C0-408D-4E6D-B5A7-0ADD6AFFA252}: "URL" = https://www.google.com/search?q={searchTerms}

May have something called SearchScopes still loaded. Seems like I've pulled that off before.

Under Chrome I see an entry for Viewpoint Media Player, not sure what that is.

Under things created in last 30 days, what is this?

C:\Users\Stuart\AppData\Local\speed browser

and this

C:\Windows\SysNative\.crusader


Maybe I've flagged a couple of things wrong, not sure, but I think if it were me, I'd look over that carefully, and also think I'd run a bootable scan. Maybe Kaspersky Rescue Disc, etc., to try and hit it from outside the system.
 
Hi, here is a partial solution and a request for help.

I booted Win 8.1 with Gandolf and ran an offline scan to locate the other elements of blockandsurf. On reboot the ads popping up in IE are gone. Good news. However, each time IE starts MBAM blocks this site "ubd.app-makr.com" and the source process is iexplore.exe. I checked the shortcut and there are no modifications, and starting the 64-bit IE from its directory the same popup occurs. Any help is appreciated. Thanks.
 
Here's some additional information:

The MBAM protection log reads "Malicious Website Protection, IP, 5.153.38.134, ubd.app-makr.com, 49181, Outbound, C:\Program Files (x86)\Internet Explorer\iexplore.exe"

The OTL logs exceed the 19.5 size limit so I'll copy items here:

========== Internet Explorer ==========

IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://toshiba13.msn.com
IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = http://www.google.com
IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = http://www.google.com
IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://toshiba13.msn.com
IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE:64bit: - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/p/?LinkId=255141
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/p/?LinkId=255141
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{00F46C61-9ECD-4389-9135-B8677C8B0A38}: "URL" = http://www.bing.com/search?q={searchTerms}&form=IE10TR&src=IE10TR&pc=MATBJS
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = Preserve
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://toshiba13.msn.com/
IE - HKCU\..\URLSearchHook: {CFBFAE00-17A6-11D0-99CB-00C04FD64497} - C:\Windows\SysWOW64\ieframe.dll (Microsoft Corporation)
IE - HKCU\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


========== FireFox ==========

FF:64bit: - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\windows\system32\Macromed\Flash\NPSWF64_11_9_900_152.dll File not found
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\windows\SysWOW64\Macromed\Flash\NPSWF32_11_9_900_152.dll ()
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=16.4.3503.0728: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@WildTangent.com/GamesAppPresenceDetector,Version=1.0: C:\Program Files (x86)\WildTangent Games\App\BrowserIntegration\Registered\1\NP_wtapp.dll ()
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
 
From the Extras file:

Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
htmlfile [edit] -- Reg Error: Key error.
htmlfile [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\OpenWith.exe "%1" (Microsoft Corporation)
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- Reg Error: Value error.
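The SearchScopes lines in OTL output like the above are where a hijacked default search engine shows up, so here is an added example (not part of this post or of OTL) that parses those lines per hive and view, resolves the DefaultScope GUID to its URL, and flags any scope whose host is not on a small allowlist. The allowlist and the HKCU sample pair pointing at a placeholder domain are assumptions constructed for the demo; the HKLM lines are copied from the log above.

```python
import re
from urllib.parse import urlparse

# The two OTL line shapes seen in the post: an optional ":64bit:" view marker, the hive,
# then either the DefaultScope GUID or a per-GUID "URL" value.
DEFAULT_RE = re.compile(
    r'^IE(?P<arch>:64bit:)? - (?P<hive>HKLM|HKCU)\\\.\.\\SearchScopes,DefaultScope = '
    r'(?P<guid>\{[0-9A-Fa-f-]+\})$')
URL_RE = re.compile(
    r'^IE(?P<arch>:64bit:)? - (?P<hive>HKLM|HKCU)\\\.\.\\SearchScopes\\'
    r'(?P<guid>\{[0-9A-Fa-f-]+\}): "URL" = (?P<url>\S+)$')

# Assumed allowlist: search hosts a stock IE install points at; anything else deserves a look.
KNOWN_HOSTS = {"www.bing.com", "www.google.com", "search.yahoo.com"}

def parse_search_scopes(lines):
    """Return {(hive, view): {"default": guid, "scopes": {guid: url}}} from OTL IE lines."""
    views = {}
    for line in lines:
        m = DEFAULT_RE.match(line.strip()) or URL_RE.match(line.strip())
        if not m:
            continue  # not a SearchScopes line; ignore Main,* and proxy lines
        key = (m.group("hive"), "64bit" if m.group("arch") else "32bit")
        view = views.setdefault(key, {"default": None, "scopes": {}})
        if m.re is URL_RE:
            view["scopes"][m.group("guid").upper()] = m.group("url")
        else:
            view["default"] = m.group("guid").upper()
    return views

def audit_search_scopes(lines):
    """List findings: a default GUID with no URL line in its view, or a scope on an unknown host."""
    findings = []
    for (hive, arch), view in parse_search_scopes(lines).items():
        default = view["default"]
        if default and default not in view["scopes"]:
            findings.append(f"{hive} {arch}: DefaultScope {default} has no URL line in this view")
        for guid, url in view["scopes"].items():
            host = urlparse(url).hostname or ""
            if host not in KNOWN_HOSTS:
                tag = " (DEFAULT)" if guid == default else ""
                findings.append(f"{hive} {arch}: scope {guid}{tag} -> {host}")
    return findings

# Constructed sample: HKLM lines from the post's OTL log, plus a made-up hijacked HKCU scope.
SAMPLE_OTL = r"""
IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKCU\..\SearchScopes,DefaultScope = {11111111-2222-3333-4444-555555555555}
IE - HKCU\..\SearchScopes\{11111111-2222-3333-4444-555555555555}: "URL" = http://search.adware-placeholder.invalid/?q={searchTerms}
""".strip().splitlines()

if __name__ == "__main__":
    for finding in audit_search_scopes(SAMPLE_OTL):
        print(finding)
```

A clean log produces an empty list; the matching registry keys can then be inspected under both hives and, on 64-bit Windows, both the native and Wow6432Node views.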
 
1. Try this: http://hijackthis.nl/smeenk/
2. Right-click on the Zoek icon and select "Run as Administrator" to start the tool.
Wait patiently until the main console appears; it may take a minute or two.
3. In the main box please paste in the following script (between the lines):
-----------------------------------------------------
createsrpoint;
autoclean;
emptyalltemp;
ipconfig /flushdns;b
-------------------------------------------------------
4. Make sure that the Scan All Users option is checked.
5. Push Run Script and wait patiently. The scan may take a couple of minutes.
 
I just tried this on a machine with the same problem as you and it fixed it :D
It's working great; best of all you can make restore points and it has a detailed log at the end of the scan.
I tried everything but nothing would remove it, not even Emsisoft Anti-Malware.
It was made by smeenk for removal of malware on the HijackThis forums; it's been around for years, I only use it on stubborn machines.
It has many zero-day or up-to-date variants of malware removal scripts. What bugs me is that ComboFix could not remove it, although the HijackThis forums are the most used spyware cleaning help site on the web.
I believe the guy is Dutch so English instructions would be hard to find.
 
I can't tell if we are talking about the same virus/adware or not but here is my experience.

I have had about 10 computers in the past week with this type of problem. The solution for each of them was slightly different because the adware on each was slightly different. Seems like an intelligent morphing virus? But the common theme among them was Malwarebytes Premium (or trial) blocking bad websites after thorough sweeps with all the usual programs (you name it, I tried it). On about 5 out of the 10 PCs MWB was blocking the bad URL "fff5ee dot com" (don't go to that site!).

Finally yesterday I noticed that MWB was not blocking anything on another user's profile. So now I simply: 1) sweep the PC clean with AV, adwCleaner, and MWB, 2) uninstall Chrome (because it triggers MWB blocking), 3) reset IE, and 4) create a new user profile and move all user data over to it, then delete the affected user profile and reinstall Chrome. That has worked well for me on the last few cleanups.
 