[SOLVED] Recurring Adware

S

scottay

Member
Reaction score
10
Location
Reno, NV
Hi all,

A few weeks ago I got a call from a client saying they're getting popups/redirects. I went out and pull some obvious adware off, but nothing more serious than that. A week later he calls me and says they're back. After investigating and talking to him he mentioned he may have clicked on something. Another week goes by, another call. This time he knows exactly what site he was on when it started, I was unable to determine whether he was click happy. Today, yet another call, this time he's adamant he didn't click on anything. Knowing this client, I believe him. He's not the typical "click happy" person we're all familiar with. He's somewhat computer savvy.

Normally I wouldn't post on an issue like this because I'm sure I can get rid of the stuff; however, I now have 3-4 other people that seem to be having a similar situation. I've had occurrences where something would come back, or a user would blindly click something that would bring it back, but this seems different. I'm stating to see a pattern and was just curious if anyone has seen this issue recently, and whether they've discovered a hard-to-detect rootkit or something hiding. I figure I could save myself, and the client, hours of scanning with various tools if someone has seen something similar and has a suggestion on where to start looking.

The symptoms are more of an annoyance than anything. I've yet to discover a trojan or anything too nasty, just basic adware. If it as a nasty rootkit I would suspect much more severe symptoms.

Here's a quick overview on what I've done:
- numerous MBAM threat scans (running a full scan now, not complete yet).
- TDSSKiller scan - clean.
- nothing in the run entries in the event viewer (HKCU or HKLM)
- no scheduled tasks found.
- msconfig programs and services clean.
- numreous SAS scans.
- DNS setting fine.
- no proxy set.
- IE/Firefox addons clean.
- HOSTS file clean.

Any thoughts? I'm running a few deeper scans on this guys machine, and I'll update this thread with any findings.
 
Check his browser plugins. :)

I once pulled all my hair out on scans to discover it was a plugin.

Other than that I have seen some root kits do this and they are quite hidden/hard to get rid of.

Restore point? Take it back and see if you are still having issues.


coffee
 
Thanks for the reply.

No plugins. Like you, I've been there, done that...

I'll look and see what restore points are available. The first time I worked on his computer was months ago, so it may be resulting from before that. Don't really want to take him back that far.

Have you seen any of these spread through the network? I get asked this frequently, and my answer is generally "not usually." Again, like before, the ones that spread through the network tend to be much more serious that just throwing popup ads... But at this point I want to make sure I'm not missing something.

Thanks again!
 
scottay said:
Thanks for the reply.

No plugins. Like you, I've been there, done that...

I'll look and see what restore points are available. The first time I worked on his computer was months ago, so it may be resulting from before that. Don't really want to take him back that far.

Have you seen any of these spread through the network? I get asked this frequently, and my answer is generally "not usually." Again, like before, the ones that spread through the network tend to be much more serious that just throwing popup ads... But at this point I want to make sure I'm not missing something.

Thanks again!
Click to expand...

I have never seen any adware travel the network. Now I did watch about 5 workstations loaded with avast freak out over a worm that got on the network (lol)..

Have you checked the partitions on the drive? Take a look and see if you can see a suspicious partition of about 1 meg or so. That would be one type of rootkit.

Right now Im loading win10 preview and working on a laptop but did you say you were able to reproduce the problem on his computer yourself?

coffee
 
Totally spaced checking for a rogue partition! I'll check it out.

No, I'm not able to reproduce the issue, but it seems like every week or so it will just randomly start throwing popups. It usually as simple as uninstalling 1 or 2 programs in add/remove programs (obviously it goes deeper than that, but uninstalling those resolves the issue).
 
If you are not already doing it you must add roguekiller, JRT, adwcleaner to your kit.

Also be sure to check installed programs, some of these "download managers" or other helpers will periodically bring new things in on their own.

Of course always update java and flash.

blah, blah, blah....
 
Thanks! I've used all those tools at one time or another, but they're not part of my "routine" kit.

What types of scan times do you usually see on those? For example, MBAM usually takes 15-25 min for me. Assuming that, where would you expect those others to fall?

I'll also ensure that the latest Flash/Java are installed. Will probably end up just removing and installing fresh to rule out a hijack.
 
Good tip on Autoruns, thanks!

scottay said:
Here's a quick overview on what I've done:
- numerous MBAM threat scans (running a full scan now, not complete yet).
- TDSSKiller scan - clean.
- nothing in the run entries in the event viewer (HKCU or HKLM)
- no scheduled tasks found.
- msconfig programs and services clean.
- numreous SAS scans.
- DNS setting fine.
- no proxy set.
- IE/Firefox addons clean.
- HOSTS file clean.
Click to expand...

Thanks anyway :D
 
This happened to me a couple of times. Every time its a little embarrassing, don't like missing stuff at all.

The first time I basically hand scoured the registry and found the culprit - I don't remember specifically what that one was at this point. After that I changed my process and added some tools to my standard line up. Like Jimbo says, the big three are the roguekiller, jrt, and adwcleaner, but I also run through a complete uninstall and re-install of java and all the adobe's. Delete any useless addons and check the search engine settings, etc. A quick force delete any stupidware I can find with geekuninstaller, and a last go through with malwarebytes.

Typing that all out makes it seem like a pretty long affair, but I've got the process pretty streamlined at this point. I used to run combofix on a pretty regular basis, but I don't anymore. Seems a little too unstable to me.
 
'putertutor said:
This happened to me a couple of times. Every time its a little embarrassing, don't like missing stuff at all.

The first time I basically hand scoured the registry and found the culprit - I don't remember specifically what that one was at this point. After that I changed my process and added some tools to my standard line up. Like Jimbo says, the big three are the roguekiller, jrt, and adwcleaner, but I also run through a complete uninstall and re-install of java and all the adobe's. Delete any useless addons and check the search engine settings, etc. A quick force delete any stupidware I can find with geekuninstaller, and a last go through with malwarebytes.

Typing that all out makes it seem like a pretty long affair, but I've got the process pretty streamlined at this point. I used to run combofix on a pretty regular basis, but I don't anymore. Seems a little too unstable to me.
Click to expand...

You might also check the icons he uses to start his browser...I've seen them changed recently as well.

Rick
 
Instead of going to various locations all over the computer hoping to find a needle in a stack of needles.

Run PROCMON, identify the malicious activity and rip it out.
 
DBA said:
Instead of going to various locations all over the computer hoping to find a needle in a stack of needles.

Run PROCMON, identify the malicious activity and rip it out.
Click to expand...

That's if you assume the process that causes this issue is running at the exact time you are doing your repair.
 
just wondering what browser are they using, if IE ditch for firefox, chrome or other alternative.
End user may be the problem, even if they say they have not "clicked on anything" it may be an app they are installing, have you checked apps to uninstall with Revo Uninstaller?

Dont forget to remove Restore points.
 
Last edited:
Thanks all for you very helpful replies!

Here are my results:
- Installed clean Adobe/Java stuff.
- AdwCleaner found many remnants left over.
- JRT found pretty much the same.
- RogueKiller, again, the same.
- I scoured the system with AutoRuns and found a few things myself, but the big one was an IE image hijack. I think this may have been the true culprit behind why it all kept coming back. All the other stuff found by the other tools seemed to be just left overs from previous removals and didn't look like anything that could actually run on its own.

Thank you all again.
 
Also another thing I'd recommend is get in the habit of installing Google chrome or Firefox and install adblock plus and activate it's anti malware tools as well so hopefully there is less exposure on user's parts.
 
You must log in or register to reply here.

Similar threads

lan101
Am I the only one that doesn't trust nvme drives?
Replies
15
Views
572
lan101
lan101
thecomputerguy
Family friends son died unexpectedly and is out of options right?
Replies
15
Views
285
fincoder
fincoder
Appletax
[REQUEST] Client's iTunes not working right
Replies
7
Views
434
dcomp12
D
Appletax
[REQUEST] How to supersize picture thumbnails?
Replies
5
Views
243
GTP
GTP
thecomputerguy
Client basically told me he's dying and I really didn't know how to respond. How would you?
Replies
9
Views
497
Mike McCall
Mike McCall
Back
Top