
Split Doubleclick and zedo redirects



  • Support

    Hi I am having the same issue. Every time I delete then reboot the adaawarebp.exe appears and when I scan it's detected as a virus.


    Could someone pls possibly help me? Here are the frst.txt and addition.txt files.


    Specifically adwcleaner keeps finding an issue with these files and since they have popped up on my PC (see below screen print).


    I'm getting these doubleclick and zedo redirects endlessly from browsers because of this. Happened once before but using the JRT and adwcleaner fixed it.


    I'm using malware antibytes and Lavasoft virus protection but they don't seem to pick them up.


    Hi acesup,


    According to the screen shot, AdwCleaner thinks that Ad-Aware Browsing Protection is adware. When it removes the register posts and files (?), I assume that Ad-Aware restores them or blocks them from being deleted. Please attach the logfile of AdwCleaner. I don't think that Ad-Aware Browsing Protection is responsible for the redirects in the browsers, but some poker programs are. I don't know if using as a DNS server can cause redirect problems.


    When did this problem with doubleclick and zedo redirects start?

    Do you have the problem in all four browsers?


    Do you want to have something of McAfee installed or is it only left-overs from an old antivirus program that I see in the logs?



    You've a left-over of a very old version of Ad-Aware and the following script will remove it.

    Please, start Notepad.

    Copy all text that is in the box:


    R0 gfibto; C:\Windows\System32\drivers\gfibto.sys [14456 2015-09-13] (GFI Software)

    and paste in Notepad. Check that no files have been split on two lines.

    Save the file as fixlist.txt on the desktop.


    Exit all programs.

    Start FRST, please.

    Click the Fix button.

    Wait until the tool has finished.


    It creates a log file, called Fixlog.txt, on the desktop.

    Please, paste the content of that file in your reply.



    Since Al5000's problem was to remove adawarebp after an uninstallation of Ad-Aware, I'll move your posts to a new topic when you've replied.

  • Customer

    Thanks for that I ran the fix you said.

    So I had the same problem about 18 months ago and ran adwcleaner and JunkRemovalTool and it fixed it

    It came back a cpl of times and I didn't know why, then I realized it seemed to be whenever I connected my iPhone it would come back. I'm really strict with my PC because I use it for all my work but I did check a couple of unsavoury websites on my iPhone and I'm sure that has some sort of malware/trojan/virus.

    It's possible the 2 aren't related I guess since it doesn't seem to be an issue that has come up frequently, but I felt they were. Especially since last time my iPhone was connected (a cpl of weeks ago) the virus came back.

    However this time I can't seem to get rid of it. I heard sometimes these problems can be nested in the router so I reset that but had no luck. When I run chrome I can see redirects constantly shooting off in the url message window although the pages I'm viewing are unaffected. Also it only seems to happen at certain websites. Like youtube gets it quite bad and it gets to the point where videos get so bogged down they won't load and gradually things get worse to the point where I can't even type text in the search box (typing just stops working). The PC gets so slow after around 5 hours work that I need to restart it

    I've been using those poker programs for years they are a way of life for me. Although AmericasCardRoom I did only start using around 5 months ago. This is a program used by millions around the world though I'd be surprised if that could cause an issue?

    The redirects are things like adserver, doubleclick something, zedo etc. I didn't notice Edge (Explorer) doing it but I'm sure it was because youtube started slowing down to a halt last time I used it and became unusable. My PC is generally really fast otherwise.

    Any advice? Thanks very much for your assistance.

  • Support

    You're welcome


    Sorry that the forum changes "i Phone" (without space) to "##nospam", I'll inform the forum administrator.


    This Chrome extension:

    CHR Extension: (Chrome Media Router) - C:\Users\Kelvin\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2016-09-01]

    can be adware since I cannot find it in Chrome Web Store. Please uninstall Chrome Media Router:

    Restart the computer.


    If that didn't help:

    Turn off all programs, including browsers.
    Double-click on AdwCleaner to start the program.

    Click on the Scan button.
    Wait until the search has finished.

    Click on the Log file button.
    A report will be displayed, copy its content and paste into your reply.
    If the report isn't displayed, it's available as C:\AdwCleaner\AdwCleaner[sx].txt, where 'x' is the highest number.

  • Customer

    I really think you've nailed it. The file you mention was installed a month ago when the problems started again.


    This does not show up in the extensions. And the Chrome Cleaner didn't pick it up either. I went into the actual folder manually and deleted it... I'll run cleaners again and let you know the result.
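
The posts above turn on an extension folder that exists on disk but is not listed in the browser. The following is an added example, not part of the original thread and not code from any tool mentioned in it: it inventories a Chrome `Extensions` directory straight from disk and notes which entries request access to every site. The sample IDs and manifests are constructed, and the helper names are hypothetical.

```python
import json
import re
import tempfile
from pathlib import Path

ID_RE = re.compile(r"^[a-p]{32}$")   # extension IDs are 32 letters in the range a-p
BROAD = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def inventory(extensions_dir):
    """One row per <id>/<version>/manifest.json found under extensions_dir."""
    rows = []
    for ext_dir in sorted(Path(extensions_dir).iterdir()):
        if not ext_dir.is_dir():
            continue
        for manifest in sorted(ext_dir.glob("*/manifest.json")):
            try:
                data = json.loads(manifest.read_text(encoding="utf-8-sig"))
            except (OSError, ValueError):
                data = {}
            if not isinstance(data, dict):
                data = {}
            # Site access can be requested in three places in a manifest.
            patterns = list(data.get("permissions", []))
            patterns += data.get("host_permissions", [])
            for script in data.get("content_scripts", []):
                patterns += script.get("matches", [])
            patterns = {p for p in patterns if isinstance(p, str)}
            rows.append({
                "id": ext_dir.name,
                "valid_id": bool(ID_RE.match(ext_dir.name)),
                "version": manifest.parent.name,
                # Names such as "__MSG_appName__" are localisation placeholders.
                "name": data.get("name", "?"),
                "broad_access": sorted(patterns & BROAD),
            })
    return rows


def build_sample(root):
    """Constructed sample tree: two made-up extensions, one with all-site access."""
    samples = {
        "a" * 32: {"name": "Sample injector", "version": "1.0",
                   "content_scripts": [{"matches": ["<all_urls>"], "js": ["c.js"]}]},
        "b" * 32: {"name": "Sample notes", "version": "2.3",
                   "permissions": ["storage"]},
    }
    for ext_id, manifest in samples.items():
        version_dir = Path(root) / ext_id / (manifest["version"] + "_0")
        version_dir.mkdir(parents=True)
        (version_dir / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for row in inventory(tmp):
            print(row)
```

On a real machine the directory to pass is the profile's `Extensions` folder, as in the path quoted in the Support post.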

  • Customer

    Just incredible! After deleting the file you mentioned for the first time in a month when I run AdwCleaner it reports no threats!


    Thanks so much for your assistance with this, I really appreciate you taking the time to provide the level service you have it's helped me out so much.



  • Support

    You're welcome

    I'm glad that it's been resolved.


    Time to uninstall AdwCleaner and FRST:

    Please, turn off all programs, including browsers.
    Double-click on AdwCleaner to start the program.
    Click on the Uninstall button.

    Please, download OTC
    Close all programs.
    Start OTC program.
    Click the CleanUp! button.
    Select Yes when asked "Begin cleanup process".
    If you are asked to reboot, select Yes.

    If any logs remain on the computer you can remove them.

  • Customer

    Here is the file you requested to move forward with the issue last time. Thanks again!



  • Customer

    OMG it's back! Was gone for a day after we swatted it last time. I deleted skype it's not making any difference. And it doesn't appear in the folder where I thought I had located it previously (chrome extensions).


    It was actually on the second PC on the network a cpl of weeks ago btw. After running JRT and ADWcleaner it removed it (came up with the same adwarebp type threats and removing them completely fixed the problem).


    This is what it says when I run adwcleaner (after delete and reboot and after scan).


    What steps should I try next? Malware Bytes and AVG never seem to pick-up issues like this unfortunately :,,(

  • Support

    Registry entries with adawarebp aren't malicious, that is Ad-Aware.


    Please scan with FRST and attach the two log files.

  • Customer

    Here they are :,(


    Thank you!!




  • Support

    You are welcome


    Here are some of the folders and files that were added after the Windows updates September 14 and before you ran FRST:


    2016-09-17 14:23 - 2016-09-17 14:23 - 00000000 ____D C:\Users\Kelvin\Downloads\FRST-OlderVersion
    2016-09-17 06:51 - 2016-09-17 06:51 - 00000016 _____ C:\ProgramData\mntemp
    2016-09-17 06:35 - 2016-09-17 06:35 - 00001822 _____ C:\Users\Public\Desktop\iTunes.lnk
    2016-09-17 06:35 - 2016-09-17 06:35 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\iTunes
    2016-09-17 06:35 - 2016-09-17 06:35 - 00000000 ____D C:\Program Files\iTunes
    2016-09-17 06:35 - 2016-09-17 06:35 - 00000000 ____D C:\Program Files\iPod
    2016-09-16 14:29 - 2016-09-16 14:29 - 00000100 _____ C:\Users\Kelvin\Desktop\Poker Training - GTO confused -
    2016-09-16 13:46 - 2016-09-16 13:46 - 00002640 _____ C:\Users\Public\Desktop\Skype.lnk
    2016-09-16 13:46 - 2016-09-16 13:46 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Skype
    2016-09-16 13:43 - 2016-09-16 13:45 - 41604736 _____ (Skype Technologies S.A.) C:\Users\Kelvin\Downloads\SkypeSetupFull.exe
    2016-09-16 05:34 - 2016-09-16 05:34 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Dropbox
    2016-09-15 11:56 - 2016-09-15 11:56 - 03861056 _____ C:\Users\Kelvin\Downloads\adwcleaner_6.020.exe
    2016-09-14 16:06 - 2016-09-14 16:06 - 00000000 ____D C:\WINDOWS\PCHEALTH


    and these were modified:


    2016-09-17 14:23 - 2013-04-28 14:25 - 00000000 ___RD C:\Users\Kelvin\Google Drive
    2016-09-17 14:22 - 2015-10-14 05:01 - 00000000 ____D C:\Users\Kelvin\AppData\Local\PokerStars
    2016-09-17 13:59 - 2012-09-19 07:20 - 00000932 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-3048988333-292484833-2357698785-1000UA.job
    2016-09-17 13:52 - 2013-01-23 15:28 - 00000926 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
    2016-09-17 13:38 - 2012-09-16 18:52 - 00000000 ____D C:\Users\Kelvin\Documents\888poker
    2016-09-17 13:34 - 2012-09-16 18:46 - 00000830 _____ C:\WINDOWS\Tasks\Adobe Flash Player Updater.job
    2016-09-17 13:33 - 2016-07-11 22:28 - 00000928 _____ C:\WINDOWS\Tasks\DropboxUpdateTaskMachineUA.job
    2016-09-17 11:37 - 2015-10-08 11:36 - 00004156 _____ C:\WINDOWS\System32\Tasks\User_Feed_Synchronization-{36D79BA8-9DED-43E4-BC95-73A3C1609158}
    2016-09-17 11:16 - 2015-10-30 16:24 - 00000000 ____D C:\WINDOWS\AppReadiness
    2016-09-17 11:08 - 2016-07-11 22:28 - 00000924 _____ C:\WINDOWS\Tasks\DropboxUpdateTaskMachineCore.job
    2016-09-17 11:08 - 2016-02-13 21:24 - 00002409 _____ C:\Users\Public\Desktop\Ad-Aware Antivirus.lnk
    2016-09-17 11:08 - 2015-01-23 03:58 - 00192216 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
    2016-09-17 11:08 - 2013-01-23 15:28 - 00000922 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
    2016-09-17 11:07 - 2015-12-31 19:31 - 00000000 ____D C:\Users\postgres
    2016-09-17 11:07 - 2015-12-31 19:31 - 00000000 ____D C:\Users\Kelvin
    2016-09-17 11:06 - 2015-12-31 20:12 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
    2016-09-17 09:59 - 2012-09-19 07:21 - 00002497 _____ C:\Users\Kelvin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
    2016-09-17 09:59 - 2012-09-19 07:21 - 00002489 _____ C:\Users\Kelvin\Desktop\Google Chrome.lnk
    2016-09-17 07:59 - 2012-09-19 07:20 - 00000880 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-3048988333-292484833-2357698785-1000Core.job
    2016-09-17 07:46 - 2012-09-22 11:57 - 00000000 ____D C:\Users\Kelvin\AppData\Roaming\Audacity
    2016-09-17 06:35 - 2012-09-16 18:41 - 00000000 ____D C:\Program Files\Common Files\Apple
    2016-09-17 06:33 - 2015-10-30 16:21 - 00000000 ____D C:\WINDOWS\INF
    2016-09-17 02:00 - 2014-08-22 07:23 - 00000000 ____D C:\Users\Kelvin\AppData\Local\Adobe
    2016-09-16 14:29 - 2012-09-17 11:25 - 00000000 ____D C:\Users\Kelvin\AppData\Roaming\Skype
    2016-09-16 13:46 - 2012-09-17 11:25 - 00000000 ___RD C:\Program Files (x86)\Skype
    2016-09-16 13:46 - 2012-09-17 11:25 - 00000000 ____D C:\ProgramData\Skype
    2016-09-16 12:52 - 2015-01-23 05:18 - 00000000 ____D C:\AdwCleaner
    2016-09-16 12:42 - 2015-10-30 15:28 - 00786432 ___SH C:\WINDOWS\system32\config\BBI
    2016-09-16 11:48 - 2015-10-30 16:24 - 00000000 ___HD C:\Program Files\WindowsApps
    2016-09-16 07:24 - 2015-06-29 19:28 - 00004562 _____ C:\WINDOWS\System32\Tasks\Adobe Acrobat Update Task
    2016-09-16 05:34 - 2016-07-11 22:28 - 00000000 ____D C:\Program Files (x86)\Dropbox
    2016-09-15 17:02 - 2015-01-23 05:40 - 00000547 _____ C:\Users\Kelvin\Desktop\JRT.txt
    2016-09-15 11:48 - 2015-09-10 14:44 - 00000000 __RHD C:\Users\Public\AccountPictures


    Can you narrow down the time interval?


    What does C:\Users\Public\AccountPictures contain?

    A bit suspicious since it's a hidden folder.


    You should be able to delete these files since there shouldn't be any files in that folder:

    2012-09-17 11:54 - 2012-09-17 11:54 - 0000057 _____ () C:\ProgramData\Ament.ini
    2015-12-31 19:25 - 2015-12-31 19:25 - 0000000 ____H () C:\ProgramData\DP45977C.lfl
    2012-09-18 04:34 - 2012-09-18 04:34 - 0004934 _____ () C:\ProgramData\flwjycbm.bab
    2013-09-27 14:02 - 2013-09-27 14:02 - 0004142 _____ () C:\ProgramData\kmytnfun.aqy
    2012-11-05 06:28 - 2012-11-05 06:28 - 0004914 _____ () C:\ProgramData\lrbivjdu.eai
    2016-09-17 06:51 - 2016-09-17 06:51 - 0000016 _____ () C:\ProgramData\mntemp


    Run an online scan with Eset (easiest with Internet Explorer) by following the instruction on .
    To shorten the scanning time disable your antivirus program while scanning.

    Select Enable detection of potentially unwanted applications.
    Click Advanced Settings.

    Deselect Remove found threats (important due to false positives).

    Scan Archives
    Enable detection of potentially unsafe applications
    Enable detection of suspicious applications
    Enable Anti-Stealth Technology

    Click Start.

    When the scan is finished, click on List of found threats and then Export to text file. Copy the content of the text file and paste its content in your reply.
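
The post above asks to narrow down the time interval in the file listings. The following is an added example, not part of the original thread and not FRST's own code: it parses listing rows of the shape quoted above, keeps those whose leading timestamp falls in a chosen window, and marks the two traits the post calls out (hidden items and loose files directly under `C:\ProgramData`). The field layout is inferred from the quoted rows, and the function names are hypothetical.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from pathlib import PureWindowsPath

# Layout inferred from the listing rows in the thread (an assumption):
# <timestamp> - <timestamp> - <size> <5 attribute flags> [(company)] <path>
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(\d+) ([_A-Z]{5}) (?:\((.*?)\) )?(.+)$"
)
TS = "%Y-%m-%d %H:%M"
PROGRAMDATA = PureWindowsPath(r"C:\ProgramData")


@dataclass
class Entry:
    first: datetime      # leading timestamp, the one each listing is sorted by
    second: datetime
    size: int
    attrs: str           # e.g. "__RHD": R read-only, H hidden, S system, D directory
    company: str         # empty when the row shows none
    path: PureWindowsPath


def parse_line(line):
    """Return an Entry, or None for lines that are not listing rows."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    first, second, size, attrs, company, path = m.groups()
    return Entry(datetime.strptime(first, TS), datetime.strptime(second, TS),
                 int(size), attrs, company or "", PureWindowsPath(path))


def parse_log(text):
    return [e for e in map(parse_line, text.splitlines()) if e]


def in_window(entries, start, end):
    """Entries whose leading timestamp falls inside [start, end]."""
    return [e for e in entries if start <= e.first <= end]


def review_flags(e):
    out = []
    if "H" in e.attrs:
        out.append("hidden")
    if "D" not in e.attrs and e.path.parent == PROGRAMDATA:
        out.append("loose file in ProgramData")
    return out


# Rows copied from the listings quoted in the thread.
SAMPLE = r"""
2016-09-17 06:51 - 2016-09-17 06:51 - 00000016 _____ C:\ProgramData\mntemp
2016-09-17 06:35 - 2016-09-17 06:35 - 00000000 ____D C:\Program Files\iTunes
2016-09-16 13:43 - 2016-09-16 13:45 - 41604736 _____ (Skype Technologies S.A.) C:\Users\Kelvin\Downloads\SkypeSetupFull.exe
2016-09-16 13:46 - 2012-09-17 11:25 - 00000000 ___RD C:\Program Files (x86)\Skype
2016-09-14 16:06 - 2016-09-14 16:06 - 00000000 ____D C:\WINDOWS\PCHEALTH
2016-09-15 11:48 - 2015-09-10 14:44 - 00000000 __RHD C:\Users\Public\AccountPictures
2015-12-31 19:25 - 2015-12-31 19:25 - 0000000 ____H () C:\ProgramData\DP45977C.lfl
"""

if __name__ == "__main__":
    window = in_window(parse_log(SAMPLE), datetime(2016, 9, 16), datetime(2016, 9, 17, 23, 59))
    for e in window:
        print(e.first, e.path, review_flags(e))
```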

  • Customer

    This virus caused a fatality. It was locking up my PC and so I was unfortunately getting in the habit of turning the PC off by the switch and not shutting down correctly. This led to my main HD failing and it's been sent away to a special team to see if anything can be salvaged. It had a lot of my work and personal stuff on it. Including baby photos. This virus is literally ruining my life. I doubt I will even be able to afford the recovery if they can recover it, since it will cost upward of $1000.


    So I get the new HD in, and feeling miserable because lost all my data but then a little ray of sun shines as I realize at least that virus will be gone thank god! So after noticing fast boot times and great PC speed with my new HD today things start slowing down. Then I open chrome and BAM - double click, zedo redirects right back to where it started!


    I have not downloaded anything suspicious. Could it be in the router? How common is something getting into the router? The only other thing I can think of is something on my other drive which I call Z is hidden in there. I also keep some personal stuff on there and thankfully had a little bit of work stuff backed up in there too. Also I did download The Journal 7 yesterday and Winamax Poker today (just un-installed the latter)...


    For now, I'm running ESET.

  • Customer

    Hi Cecilia, thanks. I tried running ESET but it keeps crashing near the end of the search after it says 1 threat found. I shall keep trying it, for now (takes approx 1 hour to complete).


    For now here are the FRST results. Thanks again I appreciate the assistance with this.



  • Support

    I'm sorry that you have such problems, must be terrible to lose a lot of photos. But I hope that company can restore them and they usually can when it's more likely that it's a file system error and not a hardware fault.


    Do you have synchronization in Chrome?

    If yes, the synchronization process might have downloaded all settings and add-ons in the old installation of Chrome from Google's server.


    Routers can be hacked, and then usually all computers connected to it have the same problem and usually also all browsers in the computers. It's important to always keep the router firmware updated and change its login password.


    Please scan with FRST and attach the two logs.

  • Support

    You can do a factory reset of the router.

    1. I wonder if this Chrome setting can cause your problem:
    CHR Session Restore: Default -> is enabled.

    Please, check here:

    • Click the Chrome Menu (3 dots) in upper right corner

    • Go to Settings

    • Under On startup, select something that doesn't keep anything from your previous session.


    2. Or do you have synchronization in Chrome?

    3. Test if a new Chrome user profile also has the same problem:

    4. Download Junkware Removal Tool and save it on your desktop.

    • Run the tool.

    • The tool will open and start scanning your system.

    • Please be patient as this can take a while to complete.

    • On completion, a log is saved to your desktop and will automatically open.

    • Attach the JRT log file to your reply.


    5. Please, save RogueKiller on the Desktop:

    Turn off all running programs and remove any external drives and other devices connected with USB etc. except mouse and keyboard.

    Start RogueKiller.

    Wait until "Prescan" has finished.
    Click on "Scan" button in upper right corner.
    Wait until the scan has finished.
    Click on "Report" button.
    A report will be created.
    Please, post it in your reply.

  • Customer

    Also 1 more question, would purchasing a new router be a chance of fixing this at all? Because it just seems very odd that a new HD, fresh install of DELL setup and Windows 10 is having the exact same problem instantly? I've been researching a bit about routers and it does seem possible threats can get in there....?

  • Customer

    I tried the steps you mentioned and it did not work. JRT results.


    Junkware Removal Tool (JRT) by Malwarebytes

    Version: 8.0.8 (09.20.2016)

    Operating System: Windows 10 Home x64

    Ran by Kelvin Beattie (Administrator) on Sun 09/25/2016 at 18:02:33.15


    File System: 0

    Registry: 0


    Scan was completed on Sun 09/25/2016 at 18:03:47.34

    End of JRT log


  • Customer

    Didn't have time to run RogueKiller today it seemed like the scan would take a while will do it tomorrow. I ran adwcleaner today it found no threats.


    Thanks again for your assistance.

  • Customer

    Hi BWIN is not malicious. I have been using it for many years as have many people I know. 100% no problem.


    Yes I see what you are saying, and after running RogueKiller it obviously hasn't helped the problem.


    There's certain web pages that must trigger the redirects. Some pages load fine without any re-directs then others go crazy and about 10 different URLs are visited...


    Any thoughts on how to proceed? Think it's something in the router?

  • Customer

    Hi I apologise I did not run this as you instructed, because I've been constantly working and can't afford the time atm to disconnect everything and then wait a cpl of hours while it runs. However I did run it whilst using the PC and wanted to post the results because they seemed quite alarming to me! It directed me to this page and mentioned PUM Please advise ! THANKS!!


    RogueKiller V12.6.3.0 (x64) [sep 19 2016] (Free) by Adlice Software

    Operating System : Windows 10 (10.0.14393) 64 bits version

    Started in : Normal mode

    User : Kelvin Beattie [Administrator]

    Started from : C:\Program Files\RogueKiller\RogueKiller64.exe

    Mode : Scan -- Date : 09/27/2016 17:00:00 (Duration : 01:24:21)

    ¤¤¤ Processes : 1 ¤¤¤

    [VT.Unknown] bwincom.exe(19356) -- C:\Programs\bwincom\bwincom.exe[7] -> Found

    ¤¤¤ Registry : 2 ¤¤¤

    [PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-3299114979-1869389477-86646056-1000\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : -> Found

    [PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-3299114979-1869389477-86646056-1000\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : -> Found

    ¤¤¤ Tasks : 0 ¤¤¤

    ¤¤¤ Files : 0 ¤¤¤

    ¤¤¤ WMI : 0 ¤¤¤

    ¤¤¤ Hosts File : 0 ¤¤¤

    ¤¤¤ Antirootkit : 0 (Driver: Not loaded [0x20]) ¤¤¤

    ¤¤¤ Web browsers : 0 ¤¤¤


  • Support

    PUM is Potentially Unwanted Modification

    In your case it is that the web site of Dell is set as the default page of Internet Explorer. Not malicious.


    Upload this file to using the "Choose file" function (select reanalyze if asked) and post back the link to the scan report: C:\Programs\bwincom\bwincom.exe

  • Support

    Can you give some examples of web sites that work well and some that trigger the redirects?

    Usually when it's adware in the computer all web sites behave the same.


    Have you done a reset of the router?

  • Support

    Due to lack of feedback, this topic has been closed. If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic. Thank you!

