Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Adware.Elex/Adware.Ghowska

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Adware.Elex/Adware.Ghowska

Unread postby logo » May 19th, 2017, 1:04 pm

Hi all,

I've been trying to get rid of Adware.Elex/Adware.Ghowska malwares for some time now, but no success so far.

I've ran a bunch of anti-malware tools (including Malware Bytes, Rogue Killer, Sophos, Junkware Removal, Kaspersky, ADWCleaner, GMER, Farbar Recovery, Zemana, Delfix), but these malwares spread again a couple of days after cleaning up the system.

I'm attaching the latest FRST & Addition logs.

Can anyone suggest a way to get rid of these malwares for good? Thank you!
You do not have the required permissions to view the files attached to this post.
logo
Active Member
 
Posts: 7
Joined: May 19th, 2017, 12:47 pm
Advertisement
Register to Remove

Re: Adware.Elex/Adware.Ghowska

Unread postby mAL_rEm018 » May 19th, 2017, 3:17 pm

Please note that all instructions given are customised for this computer only, the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post a log in the Malware Removal forum and wait for help.

Failure to post replies within 3 days will result in this thread being closed.


Hello logo,

Welcome to Malware Removal! My name is mAL_rEm018, but feel free to call me mAL. I will be helping you with your malware related problems :)

Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.


Because of this, I advise you to backup any personal files and folders before you start.

To make sure everything goes smoothly, I would like you to observe the following rules:
  • You must have Administrator rights, permissions for this computer.
  • Please reply to this thread. Do not start another topic.
  • Perform all actions in the order given.
  • If you don't know, stop and ask!
  • DO NOT run any other fix or removal tools unless instructed to do so!
  • Don't attempt to install any new software (other than those I ask you to) until your computer is clean.
  • DO NOT post for help at any other forum. Applying fixes from multiple help sites can cause problems.
  • I advise you to print the instructions if possible, since your internet connection might not be available during some of the fixes.
  • Absence of symptoms does not mean that everything is clear, therefore stick with this topic until I give you the "all clear".

I am currently reviewing your logs and will return as soon as possible, with additional instructions. In the meantime I would like you to read and get acquainted with the following topic: HOW TO GET HELP IN THIS FORUM - everyone must read this, where the conditions for receiving help here are explained.
User avatar
mAL_rEm018
MRU Master
MRU Master
 
Posts: 1061
Joined: November 11th, 2013, 6:26 pm
Location: Canada

Re: Adware.Elex/Adware.Ghowska

Unread postby logo » May 19th, 2017, 4:13 pm

Hi mAL,
Thank you for your reply! I'll be waiting for your advice. Please let me know if you need more info about my system.
Cheers
logo
Active Member
 
Posts: 7
Joined: May 19th, 2017, 12:47 pm

Re: Adware.Elex/Adware.Ghowska

Unread postby mAL_rEm018 » May 20th, 2017, 4:39 am

Hello logo,


It is clear from the logs that you've supplied that you have made several attempts at self-help prior to coming here to Malware Removal. It appears you've run a number of tools, and I need to see the logs that those tools created.

That does not mean I want you to run those tools again, it means I need to see the logs that were created when you ran them earlier.

Each will have created a report, and unless you have deleted them, or moved them, then they should be in the following locations ....

  • C:\Users\logo\Desktop\JRT.txt
  • C:\AdwCleaner\AdwCleaner[C*] * being the number of times your ran the tool.

.... if they are not in those locations, then please run a search for them to see if they are present somewhere else on your machine.

If you can't find them, then please let me know.



Malwarebytes log retrieval..
  • Open Malwarebytes Anti-Malware and click on Reports.
  • Double-click on the Scan Report by looking at the timestamp (it should be in the following order: Day/Month/Year Time)
  • Click Export and select Text file (*.txt).
  • In the File name: box, please write MBAM Log and save it to your desktop.
  • Once the process is over, a message will appear stating that the file has been successfully exported. Click OK.
  • Please post the contents of MBAM Log.txt in your next reply.

RogueKiller log retrieval..
  • Open RogueKiller and select History.
  • Click on Scan Reports, on the left-side panel.
  • Double-click on the Report by looking at the timestamp (it should be in the following order: Year/Month/Day Time)
  • Select Export TXT and save the file as RKiller.txt to your desktop.
  • Post the contents of RKiller.txt in your next reply.

Next..

Backup your registry using TCRB
  • Please download TCRB to your Desktop.
  • Open Tweaking.com Registry Backup.
  • Click on the Backup Registry tab and ensure that all options are checked.
  • Press on Backup Now.
  • Wait until the backup is complete and exit the program.

CKScanner
  • Please download CKScanner from Here
  • Save it to your Desktop.
  • Right-Click on CKScanner.exe and select Run as Administrator.
  • Select Search For Files
  • When the scan in finished, click on Save List To File.
  • Open CKFiles.txt on your desktop and post the contents in your next reply.
    Only run CKScanner.exe once.


-----------------------------------------
In your next reply, I would like to see..
  • Did you encounter any problems while following my instructions?
  • JRT.txt
  • AdwCleaner report
  • MBAM Log.txt
  • RKiller.txt
  • CKFiles.txt

Please post each log separately to prevent it being cut off by the forum post size limiter.
Check each after you've posted it to make sure it's all present, if any log is cut off you'll have to post it in sections....
User avatar
mAL_rEm018
MRU Master
MRU Master
 
Posts: 1061
Joined: November 11th, 2013, 6:26 pm
Location: Canada

Re: Adware.Elex/Adware.Ghowska

Unread postby logo » May 20th, 2017, 5:56 am

Hi mAL,

Thank you.
I was able to retrieve those logs & to successfully run TCRB & CKSCanner.

JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.1.3 (04.10.2017)
Operating System: Windows 10 Home x64
Ran by logo (Administrator) on 06/05/2017 at 11:23:28.46
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




File System: 0




Registry: 0





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 06/05/2017 at 11:30:44.20
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
logo
Active Member
 
Posts: 7
Joined: May 19th, 2017, 12:47 pm

Re: Adware.Elex/Adware.Ghowska

Unread postby logo » May 20th, 2017, 5:56 am

AdCleaner Report

# AdwCleaner v6.046 - Logfile created 06/05/2017 at 11:19:57
# Updated on 24/04/2017 by Malwarebytes
# Database : 2017-05-05.1 [Server]
# Operating System : Windows 10 Home (X64)
# Username : logo - PHO090161
# Running from : C:\Users\logo\Desktop\adwcleaner_6.046.exe
# Mode: Clean
# Support : https://www.malwarebytes.com/support



***** [ Services ] *****

[-] Service deleted: Update service


***** [ Folders ] *****

[-] Folder deleted: C:\Users\logo\AppData\Roaming\Mozilla\Firefox\Profiles\kassdnkr.default-1488552594971\adblocker
[-] Folder deleted: C:\Program Files (x86)\Bernither


***** [ Files ] *****



***** [ DLL ] *****



***** [ WMI ] *****



***** [ Shortcuts ] *****



***** [ Scheduled Tasks ] *****



***** [ Registry ] *****

[-] Key deleted: HKLM\SOFTWARE\ScreenShot
[-] Value deleted: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost [WinSAPSvc]


***** [ Web browsers ] *****



*************************

:: "Tracing" keys deleted
:: Winsock settings cleared

*************************

C:\AdwCleaner\AdwCleaner[C0].txt - [1090 Bytes] - [06/05/2017 11:19:57]
C:\AdwCleaner\AdwCleaner[S0].txt - [1360 Bytes] - [06/05/2017 11:19:10]

########## EOF - C:\AdwCleaner\AdwCleaner[C0].txt - [1236 Bytes] ##########
logo
Active Member
 
Posts: 7
Joined: May 19th, 2017, 12:47 pm

Re: Adware.Elex/Adware.Ghowska

Unread postby logo » May 20th, 2017, 5:58 am

MalwareBytes Log

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 5/9/17
Scan Time: 9:03 AM
Logfile: MB.txt
Administrator: Yes

-Software Information-
Version: 3.0.6.1469
Components Version: 1.0.103
Update Package Version: 1.0.1900
License: Free

-System Information-
OS: Windows 10
CPU: x64
File System: NTFS
User: PHO090161\logo

-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 365381
Time Elapsed: 16 min, 33 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 3
PUP.Optional.UCBrowser, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\UCBrowser.exe, No Action By User, [1330], [396224],1.0.1900
PUP.Optional.UCBrowser, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\UCBrowser.exe, No Action By User, [1330], [396224],1.0.1900
Adware.Elex, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\EVENTLOG\APPLICATION\WANARE, No Action By User, [2], [396496],1.0.1900

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 0
(No malicious items detected)

Physical Sector: 0
(No malicious items detected)


(end)
logo
Active Member
 
Posts: 7
Joined: May 19th, 2017, 12:47 pm

Re: Adware.Elex/Adware.Ghowska

Unread postby logo » May 20th, 2017, 5:58 am

RogueKiller log

RogueKiller V12.10.7.0 (x64) [May 1 2017] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : https://forum.adlice.com
Website : http://www.adlice.com/download/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 10 (10.0.14393) 64 bits version
Started in : Normal mode
User : logo [Administrator]
Started from : C:\Users\logo\Desktop\RogueKillerX64(1).exe
Mode : Delete -- Date : 05/06/2017 10:31:05 (Duration : 00:26:29)

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 19 ¤¤¤
[Adw.Elex] (X64) HKEY_LOCAL_MACHINE\Software\InterSect Alliance -> Deleted
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost | WANARE : (C:\Users\logo\AppData\Local\WANARE\Snare.dll) [-] -> Deleted
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WANARE (C:\Users\logo\AppData\Local\WANARE\Snare.dll) -> Deleted
[PUP.Gen1] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | UDP Query User{2F37166D-05D6-4629-9D15-7986FEA8AFE0}C:\program files (x86)\popcorn time\chromecast\node.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\program files (x86)\popcorn time\chromecast\node.exe|Name=node.exe|Desc=Evented I/O for V8 JavaScript|Defer=User| [x] -> Deleted
[PUP.Gen1] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | TCP Query User{F1498064-CA1A-487E-9B7A-5904C322B179}C:\program files (x86)\popcorn time\chromecast\node.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\program files (x86)\popcorn time\chromecast\node.exe|Name=node.exe|Desc=Evented I/O for V8 JavaScript|Defer=User| [x] -> Deleted
[PUP.Gen1] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | UDP Query User{5954D41F-071E-4449-B339-983E49B688B9}C:\program files (x86)\popcorn time\popcorntimedesktop.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\program files (x86)\popcorn time\popcorntimedesktop.exe|Name=Popcorn Time|Desc=popcorntimedesktop|Edge=TRUE|Defer=App| [x] -> Deleted
[PUP.Gen1] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | TCP Query User{19EA2853-B959-4525-AD83-E1F49843557A}C:\program files (x86)\popcorn time\popcorntimedesktop.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\program files (x86)\popcorn time\popcorntimedesktop.exe|Name=Popcorn Time|Desc=popcorntimedesktop|Edge=TRUE|Defer=App| [x] -> Deleted
[PUP.Gen1] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {1046166E-079C-404D-9228-E0BC9AAF387C} : v2.25|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\Program Files (x86)\Popcorn Time\Updater.exe|Name=Updater.exe| [x] -> Deleted
[PUP.Gen1] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {BF4EBAEA-27CA-4EA9-B774-BE5A76ABD927} : v2.25|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\Program Files (x86)\Popcorn Time\Updater.exe|Name=Updater.exe| [x] -> Deleted
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | TCP Query User{4DB47A16-354C-46D0-9FA2-629A6099DF13}C:\users\logo\appdata\local\popcorn-time\popcorn-time.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\users\logo\appdata\local\popcorn-time\popcorn-time.exe|Name=popcorn-time.exe|Desc=popcorn-time.exe|Defer=User| [x] -> Deleted
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | UDP Query User{7C95D467-9D7C-42AE-98A9-0989778AC831}C:\users\logo\appdata\local\popcorn-time\popcorn-time.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\users\logo\appdata\local\popcorn-time\popcorn-time.exe|Name=popcorn-time.exe|Desc=popcorn-time.exe|Defer=User| [x] -> Deleted
[PUP.Gen1] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {61B07F92-9BDC-4E0A-AAE4-F95CF91DC2BF} : v2.26|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\Program Files (x86)\Popcorn Time\Updater.exe|Name=Updater.exe| [x] -> Deleted
[PUP.Gen1] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {C5F7B803-9198-4B99-A1FC-512D5AAE3EB2} : v2.26|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:\Program Files (x86)\Popcorn Time\Updater.exe|Name=Updater.exe| [x] -> Deleted
[PUP.Gen1] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | TCP Query User{71BA7F4B-5A0D-4277-B9C4-B5A8B6A0E97C}C:\program files (x86)\popcorn time\popcorntimedesktop.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\program files (x86)\popcorn time\popcorntimedesktop.exe|Name=Popcorn Time|Desc=popcorntimedesktop|Edge=TRUE|Defer=App| [x] -> Deleted
[PUP.Gen1] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | UDP Query User{45435A2A-A585-44F4-B9BD-9F745E02F74F}C:\program files (x86)\popcorn time\popcorntimedesktop.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:\program files (x86)\popcorn time\popcorntimedesktop.exe|Name=Popcorn Time|Desc=popcorntimedesktop|Edge=TRUE|Defer=App| [x] -> Deleted
[PUP.Gen1] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | TCP Query User{ACAE303E-B049-456B-89D2-71A7E92348B3}C:\program files (x86)\popcorn time\chromecast\node.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\program files (x86)\popcorn time\chromecast\node.exe|Name=node.exe|Desc=Evented I/O for V8 JavaScript|Defer=User| [x] -> Deleted
[PUP.Gen1] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | UDP Query User{FF800A58-8812-411B-94A7-45CB1DF2FD36}C:\program files (x86)\popcorn time\chromecast\node.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:\program files (x86)\popcorn time\chromecast\node.exe|Name=node.exe|Desc=Evented I/O for V8 JavaScript|Defer=User| [x] -> Deleted
[PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0 -> Not selected
[PUM.Policies] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0 -> Not selected

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ WMI : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: TOSHIBA MQ01ABD100 +++++
--- User ---
[MBR] a84dd93b5b19931ceaddbccc47850486
[BSP] df4f83c1f72e36823a12b0dfc7617313 : Empty MBR Code
Partition table:
0 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 2048 | Size: 1024 MB
1 - [MAN-MOUNT] Basic data partition | Offset (sectors): 2099200 | Size: 100 MB
2 - [MAN-MOUNT] Basic data partition | Offset (sectors): 2304000 | Size: 128 MB
3 - Basic data partition | Offset (sectors): 2566144 | Size: 941699 MB
4 - [SYSTEM][MAN-MOUNT] | Offset (sectors): 1931167744 | Size: 837 MB
5 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 1932881920 | Size: 10079 MB
User = LL1 ... OK
User = LL2 ... OK
logo
Active Member
 
Posts: 7
Joined: May 19th, 2017, 12:47 pm

Re: Adware.Elex/Adware.Ghowska

Unread postby logo » May 20th, 2017, 6:00 am

CKScanner log

CKScanner 2.5 - Additional Security Risks - These are not necessarily bad
scanner sequence 3.MN.11.VPLBW0
----- EOF -----

That's all, I believe. Thanks!
logo
Active Member
 
Posts: 7
Joined: May 19th, 2017, 12:47 pm

Re: Adware.Elex/Adware.Ghowska

Unread postby Cypher » May 20th, 2017, 6:24 am

Posting at multiple forums

You are already receiving help with this problem at another forum:

https://forums.malwarebytes.com/topic/2 ... lex-again/

May I draw your attention to the ALL USERS OF THIS FORUM MUST READ THIS FIRST topic, which you should have read before posting for help.
See the section here where we tell you why this is not a good idea.

This topic is now closed
User avatar
Cypher
Admin/Teacher
Admin/Teacher
 
Posts: 15049
Joined: October 29th, 2008, 12:49 pm
Location: Land Of The Leprechauns
Advertisement
Register to Remove


  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: JohnSmith11 and 49 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware