
Help removing adcash, snapdo and possible others [Solved]

adcash snapdo pc + mobile devices infected


#1
celago


    New Member

  • Member
  • Pip
  • 8 posts

Hello,

I would like help removing malware from my father's computer (HP Desktop PC with Windows 7). I have already spent the last 48 hours scanning and cleaning using Malwarebytes, Sophos, AVG and Trend Micro (not at the same time), as well as manually removing things from the startup (via msconfig), browser extensions (for Chrome, Firefox, and IE) and program files (uninstalling known culprits). I have also run CCleaner as well as AVG and TuneUp Utilities several times and gone through several rounds of much needed updates for Windows 7.

The problem is not as bad as before (two days ago when I first saw the computer), but it is still creeping up every now and then. Basically, the internet browsing is interrupted by unwanted popups of extra tabs to ad sites or fake "mac keeper" or similar services that purport to identify a virus and provide a software download link. Some sites, including geekstogo, have part of their text highlighted in green with an arrow which points to unwanted links to similar ad sites or fake virus diagnostic reports.

The suspect URLs that keep showing up are adcash, snapdo, mackeeper, android appsync (or something similar sounding). There could be others, but I have deleted so many things over the last couple of days that I forget the names now.

Lastly, the virus seems to have infected other devices through the wifi. My father's iPhone and iPad as well as my Samsung S4 phone have constant popups show up when browsing the internet through them.

Here are the OTL logs.

Many thanks for all your help in advance.

Best,

CL


  • 0



#2
Essexboy


    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Hi there I would like to use a different scanner :)

Please download Farbar Recovery Scan Tool and save it to your Desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.
  • Right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
  • Select additions at the bottom
  • Press Scan button.
  • It will produce a log called FRST.txt in the same directory the tool is run from.
  • Please attach both logs generated.
THEN

Download aswMBR.exe (4.5 MB) to your desktop.
Double click the aswMBR.exe to run it.
You may be offered the option of using virtualisation; accept that.
When it offers to download the virus database, allow that as well.
Click the "Scan" button to start the scan.

On completion of the scan click save log, save it to your desktop and post it in your next reply.
  • 0

#3
celago


    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts

Thank you!


  • 0

#4
Essexboy


    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Could you let me know how the computer is behaving after this, please?

CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.

Open notepad and copy/paste the text in the quotebox below into it:

AppInit_DLLs: C:\Users\Jaun\AppData\Local\Smartbar\Application\Resources\crdlil64.dll => C:\Users\Jaun\AppData\Local\Smartbar\Application\Resources\crdlil64.dll File Not Found
AppInit_DLLs-x32: c:\users\jaun\appdata\local\smartbar\application\resources\crdlil.dll => "c:\users\jaun\appdata\local\smartbar\application\resources\crdlil.dll" File Not Found
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
ProxyEnable: [.DEFAULT] => Internet Explorer proxy is enabled.
ProxyServer: [.DEFAULT] => http=127.0.0.1:49423;https=127.0.0.1:49423
SearchScopes: HKU\S-1-5-21-1305129150-3733445347-2525841340-1000 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-1305129150-3733445347-2525841340-1000 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-1305129150-3733445347-2525841340-1000 -> {d43b3890-80c7-4010-a95d-1e77b5924dc3} URL =
SearchScopes: HKU\S-1-5-21-1305129150-3733445347-2525841340-1000 -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL =
Toolbar: HKU\S-1-5-21-1305129150-3733445347-2525841340-1000 -> No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
Handler: livecall - {828030A1-22C1-4009-854F-8E305202313F} - No File
Handler: msnim - {828030A1-22C1-4009-854F-8E305202313F} - No File
FF Extension: No Name - C:\Program Files (x86)\Mozilla Firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} [Not Found]
2014-12-14 07:04 - 2014-01-29 12:01 - 00000000 ____D () C:\Users\Jaun\AppData\Local\Conduit
2014-12-14 07:04 - 2014-01-29 12:01 - 00000000 ____D () C:\Program Files\Conduit
2014-12-14 07:04 - 2014-01-29 12:01 - 00000000 ____D () C:\Program Files (x86)\Conduit
2014-12-14 07:04 - 2013-12-14 20:17 - 00000000 ____D () C:\Users\Jaun\AppData\Roaming\Systweak
2014-12-13 07:35 - 2013-12-14 20:18 - 00000000 ____D () C:\Program Files (x86)\MyPC Backup
2014-12-13 07:33 - 2013-12-23 16:19 - 00000000 ____D () C:\Program Files (x86)\PCFixSpeed
2014-12-13 06:10 - 2014-01-09 21:55 - 00000000 ____D () C:\Users\Jaun\AppData\Local\StormAlerts
Task: {96610E0E-10D0-429B-8D40-97017B7A1402} - System32\Tasks\{99ED054F-F6DD-47E0-9BA2-C363C75E1A1A} => pcalua.exe -a C:\Users\Jaun\Downloads\sp48162.exe
C:\Users\Jaun\AppData\Local\Mobogenie
c:\users\jaun\appdata\local\smartbar
EmptyTemp:
CMD: bitsadmin /reset /allusers


Save this as fixlist.txt, in the same location as FRST.exe.
Run FRST and press Fix.
On completion a log will be generated; please post that.

THEN

Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Scan.
  • After the scan is complete click on "Clean"
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.

  • 0
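
An added example, not part of the original thread and not FRST's own code: a small Python triage pass over entries like those in the fixlist quoted in post #4, showing which hijack or persistence category each kind of line belongs to. The `classify` and `triage` helpers and the category names are hypothetical; the sample lines are copied from the post.

```python
import re

# Sample input: a subset of the fixlist entries quoted in post #4.
SAMPLE = r"""AppInit_DLLs: C:\Users\Jaun\AppData\Local\Smartbar\Application\Resources\crdlil64.dll => C:\Users\Jaun\AppData\Local\Smartbar\Application\Resources\crdlil64.dll File Not Found
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
ProxyEnable: [.DEFAULT] => Internet Explorer proxy is enabled.
ProxyServer: [.DEFAULT] => http=127.0.0.1:49423;https=127.0.0.1:49423
SearchScopes: HKU\S-1-5-21-1305129150-3733445347-2525841340-1000 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
Task: {96610E0E-10D0-429B-8D40-97017B7A1402} - System32\Tasks\{99ED054F-F6DD-47E0-9BA2-C363C75E1A1A} => pcalua.exe -a C:\Users\Jaun\Downloads\sp48162.exe
2014-12-14 07:04 - 2014-01-29 12:01 - 00000000 ____D () C:\Program Files\Conduit
EmptyTemp:
"""

USER_WRITABLE = re.compile(r"\\(Downloads|AppData|Temp)\\", re.I)
LOOPBACK = re.compile(r"=(?:127\.0\.0\.1|localhost):(\d+)", re.I)

def classify(line):
    """Map one FRST-style line to (category, reason); None if nothing is flagged."""
    key, _, rest = line.strip().partition(":")
    rest = rest.strip()
    if key.startswith("AppInit_DLLs"):
        # AppInit_DLLs entries are loaded into every process that loads user32.dll.
        missing = rest.endswith("File Not Found")
        return ("appinit_dll", "orphaned entry" if missing else "DLL injected at process start")
    if key == "ProxyServer":
        m = LOOPBACK.search(rest)
        if m:
            return ("loopback_proxy", "browser traffic routed to local port " + m.group(1))
    if key.startswith("CHR ") and "\\Policies\\" in key:
        return ("browser_policy", "Chrome policy key present")
    if key == "SearchScopes" and rest.endswith("URL ="):
        return ("search_scope", "search provider with empty URL")
    if key == "Task" and "=>" in rest:
        command = rest.split("=>", 1)[1].strip()
        if USER_WRITABLE.search(command):
            return ("scheduled_task", "runs from user-writable path: " + command)
    return None

def triage(text):
    """Return [(category, reason, line)] for every flagged line in a log excerpt."""
    flagged = ((classify(line), line) for line in text.splitlines())
    return [hit + (line,) for hit, line in flagged if hit]

if __name__ == "__main__":
    for category, reason, _ in triage(SAMPLE):
        print(f"{category:15} {reason}")
```
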

#5
celago


    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Will reply in the next couple of days. Thank you for your help. Please do not close the thread.
  • 0

#6
celago


    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts

Here are the logs... many thanks again...

I should say that I got an error message when running the script on FRST... I tried it a couple of times and rechecked it to make sure I hadn't made a mistake, but I am pretty sure I followed your steps to a T... the log still printed out, but I am also attaching a screengrab of the error message just in case (.pdf file)...

No obvious problems with AdwCleaner, however...


  • 0

#7
Essexboy


    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Thanks, I will pass that on to Farbar.

How is the computer behaving now?
  • 0

#8
celago


    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts

The computer is behaving a lot better since I downloaded all the usual cleaners and tuneup software programs a couple of days before I posted on GTG. No more unwanted popups or bogus Google-look-alike search engines. However, the mobile devices that are using the same wifi signal as the desktop still get unwanted prompts from adcash or other similar websites to download fishy "android cleaners". Alternatively, the Play Store on these devices pops up every now and then inviting us to download unwanted games and such.

When connected to other wifi networks, these mobile devices behave normally.

Many thanks!


  • 0

#9
Essexboy


    GeekU Moderator

  • Retired Staff
  • 69,964 posts
That would tend to suggest that there may be an infection in the router. Do you know how to reset it?
  • 0

#10
celago


    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts

I know how to reset it using an unbent paperclip... is that what you mean? Should I just do that and nothing else?

Thanks!


  • 0



#11
Essexboy


    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Yes, as the other devices connecting are experiencing popups, that would be the logical conclusion, especially as there are none when they use other routers.
  • 0

#12
celago


    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts

OK. Just reset it. Will be on the lookout for the mobile devices.

Otherwise, do the logs show any remaining malware?

Thanks!


  • 0

#13
Essexboy


    GeekU Moderator

  • Retired Staff
  • 69,964 posts
No, the logs look clean. Any further problems before I tidy up?
  • 0

#14
celago


    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts

Well... the main PC seems to be working fine then... and so do the mobile devices...

But there is one last remaining MacBook on the home network that is still showing similar symptoms... i.e. unwanted invitations to download software through the App Store...

Any help is much appreciated!


  • 0

#15
Essexboy


    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Unfortunately I know nothing about Macs; I have never even owned one. We do have a Mac forum here http://www.geekstogo.../176-apple-osx/ but I am not sure if anyone is qualified to clean them. There do not appear to be any forums that specialise in this that I can find, I am afraid.


Subject to no further problems :)

I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself, so the following will implement some cleanup procedures as well as reset System Restore points:

Remove tools

Download and run Delfix

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

CryptoPrevent: install this programme to lock down and prevent crypto ransomware

Malwarebytes.

Update and run weekly to keep your system clean

Unchecky

Click on the link above to be taken to Unchecky.com.
Click the very large Download button.
Click Save.
Click Open folder.
Right click on the Unchecky_setup and choose to Run as Administrator.
Once open, click the Install button.
Then click on Finish.
Unchecky is now installed and will help you keep unwanted check boxes unchecked; this is a fire and forget programme ;)

It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To learn more about how to protect yourself while on the internet, read this little guide: Best security practices. Keep safe :wave:
  • 0





