Persistant adware

hRc · November 29, 2020

My computer recently was infected by an adware from a program downloaded from the internet. The adware constantly opens new tabs in google chrome and either opens up ad sites or adds junk to google calendar. I have since deleted the original program file and have run scans using Mcafee, Malwarebytes and Adwcleaner but they have all failed to solve this issue. I am able to provide the original file which the adware came from. Is there a way to remove it and also to find out why it is not being detected by my antivirus softwares?

Edited November 29, 2020 by hRc

CeciliaB · November 29, 2020

Hi hRC,

Have you gone through all settings in Chrome to check if they're correct?
Have you tried to disable all add-ons to make sure that none of them is the culprit?

Note that adware aren't virus or a malicious program since they don't destroy Windows and you've selected to install it. Therefore adware are seldom detected by antivirus programs.

Pierre67 · November 30, 2020

Just a thought - do you have 'SYNC' switched 'on'? If so , this may be your problem.

hRc · November 30, 2020

19 hours ago, CeciliaB said:

Hi hRC,

Have you gone through all settings in Chrome to check if they're correct?
Have you tried to disable all add-ons to make sure that none of them is the culprit?

Note that adware aren't virus or a malicious program since they don't destroy Windows and you've selected to install it. Therefore adware are seldom detected by antivirus programs.

Yes, all add-ons are disabled. The problem started after i downloaded and ran a file from the internet that probably has it. I deleted the original program but the problem still persists.

CeciliaB · November 30, 2020

Please see this topic: https://forum.adaware.com/index.php?/topic/30823-read-this-before-you-post/

hRc · November 30, 2020

9 minutes ago, CeciliaB said:

Please see this topic: https://forum.adaware.com/index.php?/topic/30823-read-this-before-you-post/

Addition.txt FRST.txt

CeciliaB · November 30, 2020

I can see that you're using Norton. Can't they help you?

But I'll continue to go through the log files.

CeciliaB · November 30, 2020

You've firewalls from Norton and McAfee according to Addition.txt. The recommendation is to have only one firewall and one antivirusprogram. Having two can cause conflicts and lower security. Which program do you want to use?

Quote

AV: Norton Security (Enabled - Up to date) {A2708B76-6835-6565-CB96-694212954A75}
AV: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AV: McAfee VirusScan (Disabled - Up to date) {9D4501E6-72F6-2877-C789-89AF6F535B2C}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: Norton Security (Enabled) {9A4B0A53-225A-643D-E0C9-C077EC460D0E}
FW: McAfee Firewall (Enabled) {A57E80C3-3899-292F-ECD6-209A91801C57}

Are there any problems with adware in Edge or Firefox?

Which program do you think installed the adware and when did that happen?

Edited November 30, 2020 by CeciliaB

hRc · November 30, 2020

2 minutes ago, CeciliaB said:

You've firewalls from Norton and McAfee according to Addition.txt. The recommendation is to have only one firewall and one antivirusprogram. Having two can cause conflicts and lower security. Which program do you want to use?

Are there any problems with adware in Edge or Firefox?

Norton should have already expired. I dont use it anymore.

CeciliaB · November 30, 2020

8 minutes ago, hRc said:

Norton should have already expired. I dont use it anymore.

You've to uninstall more of it. Follow this: https://support.norton.com/sp/en/us/home/current/solutions/v15972972

Restart the computer.
Run FRST and upload new log files.

Edited November 30, 2020 by CeciliaB

hRc · November 30, 2020

26 minutes ago, CeciliaB said:

You've to uninstall more of it. Follow this: https://support.norton.com/sp/en/us/home/current/solutions/v15972972

Restart the computer.
Run FRST and upload new log files.

FRST.txt Addition.txt

CeciliaB · November 30, 2020

That isn't the complete FRST.txt, please try again.

CeciliaB · November 30, 2020

49 minutes ago, CeciliaB said:

Are there any problems with adware in Edge or Firefox?

Which program do you think installed the adware and when did that happen?

hRc · November 30, 2020

7 minutes ago, CeciliaB said:

There are no problems with my microsoft edge. The program should be one called data.exe which i ran.

Addition.txt FRST.txt

CeciliaB · November 30, 2020

Thanks.

Sorry, still only the last part of FRST.txt. Do you get any error messages while running FRST?

Try to delete FRST.txt and Addition.txt before running FRST again.

CeciliaB · November 30, 2020

6 hours ago, Pierre67 said:

Just a thought - do you have 'SYNC' switched 'on'? If so , this may be your problem.

Sync in Chrome?

hRc · November 30, 2020

Addition.txt FRST.txt

CeciliaB · November 30, 2020

Are you using the synchronization feature in Chrome?

Have you installed nProtect Online Security by INCA Internet yourself?

Are you using Norton Online Backup (program) or Norton Studio (app from Microsoft Store?
If not, please uninstall.

Which antivirusprogram are you using?

Did you install the adware November 18th (strange .bat files are created at that date as well as the folder C:\Users\micecom\Documents\VlcpVideoV1.0.1)?

hRc · November 30, 2020

2 hours ago, CeciliaB said:

Are you using the synchronization feature in Chrome?

Have you installed nProtect Online Security by INCA Internet yourself?

Are you using Norton Online Backup (program) or Norton Studio (app from Microsoft Store?
If not, please uninstall.

Which antivirusprogram are you using?

Did you install the adware November 18th (strange .bat files are created at that date as well as the folder C:\Users\micecom\Documents\VlcpVideoV1.0.1)?

Yes im using the sync feature in Chrome.
No i have not installed it
I have uninstalled both
Im currently using Mcafee
Yes it was created on November 18th

CeciliaB · November 30, 2020

Can you disable the sync feature in Chrome?
It's possible that something you do in Chrome to prevent e.g. addons is changed back by the sync feature.

McAfee hasn't registered in Windows as an antivirus program, only as a firewall. Can you see that the antivirus part is working?

Can you uninstall nProtect Online Security?
Please restart the computer afterwards.

Please upload new FRST logs since you've uninstalled the Norton programs and hopefully nProtect.

hRc · November 30, 2020

My Mcafee's scanning is disabled as it keeps intefering with my synpos program even after whitelisting it.

Addition.txt FRST.txt

CeciliaB · November 30, 2020

1. You should change to another antivirus program since it's important to always have the realtime scanning running. But not now.

2. Please, start Notepad.
Copy all text that is in the box:

CreateRestorePoint:
CloseProcesses:
AV: Norton Security (Enabled - Up to date) {A2708B76-6835-6565-CB96-694212954A75}
FW: Norton Security (Enabled) {9A4B0A53-225A-643D-E0C9-C077EC460D0E}
Norton Online Backup (HKLM-x32\...\NARA) (Version: 4.6.0.12 - Symantec Corporation) Hidden
ShellIconOverlayIdentifiers: [00avg] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  -> No File
BHO-x32: No Name -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> No File
HKLM-x32\...\Run: [] => [X]
HKLM\SOFTWARE\Policies\Mozilla\Firefox: Restriction <==== ATTENTION
HKLM\SOFTWARE\Policies\Google: Restriction <==== ATTENTION
S3 np_ck64s; C:\WINDOWS\syswow64\np_ck64s.sys [108976 2019-07-01] (INCA Internet Co.,Ltd. -> INCA Internet Co.,Ltd.)
S3 TKCtrl; C:\WINDOWS\SysWOW64\TKCtrl2k64.sys [147240 2019-01-15] (INCA Internet Co.,Ltd. -> INCA Internet Co., Ltd.) <==== ATTENTION
S3 TKFsAvM; C:\WINDOWS\SysWOW64\TKFsAv64.sys [198808 2019-01-15] (INCA Internet Co.,Ltd. -> INCA Internet Co., Ltd.) <==== ATTENTION
S3 TKFsFtM; C:\WINDOWS\SysWOW64\TKFsFt64.sys [28824 2019-01-15] (INCA Internet Co.,Ltd. -> INCA Internet Co., Ltd.) <==== ATTENTION
S3 TKPcFt; C:\WINDOWS\SysWOW64\TKPcFtCb64.sys [54504 2019-01-15] (INCA Internet Co.,Ltd. -> INCA Internet Co., Ltd.) <==== ATTENTION
S3 TKRgAc; C:\WINDOWS\SysWOW64\TKRgAc2k64.sys [115760 2019-01-15] (INCA Internet Co.,Ltd. -> INCA Internet Co., Ltd.) <==== ATTENTION
S3 TKRgFt; C:\WINDOWS\SysWOW64\TKRgFtXp64.sys [68968 2019-01-15] (INCA Internet Co.,Ltd. -> INCA Internet Co., Ltd.) <==== ATTENTION
S3 TKTool; C:\WINDOWS\system32\TKTool2k64.sys [32496 2019-01-15] (INCA Internet Co.,Ltd. -> INCA Internet Co., Ltd.) <==== ATTENTION
U1 avgbdisk; no ImagePath
Reboot:

and paste in Notepad. Check that no files have been split on two lines.
Save the file as fixlist.txt on the desktop.

Exit all programs.
Start FRST, please.
Click the Fix button.
Wait until the tool has finished.

It creates a log file, called Fixlog.txt, on the desktop.
Please, paste the content of that file in your reply.

3. Please, locate these files or folders and change their names, e.g. by adding the text _bad.

2020-11-18 14:32 - 2020-11-18 14:32 - 000000024 _____ C:\ProgramData\33764.bat
2020-11-18 14:29 - 2020-11-18 22:03 - 000000000 ___HD C:\ProgramData\Windows Host
2020-11-18 14:29 - 2020-11-18 14:29 - 000000024 _____ C:\ProgramData\64657.bat
2020-11-18 14:28 - 2020-11-29 17:39 - 000000000 ____D C:\Users\micecom\Documents\VlcpVideoV1.0.1
2020-12-01 02:07 - 2019-04-20 10:24 - 000000000 ____D C:\Program Files (x86)\INCAInternet
CHR Extension: (Google Translate) - C:\Users\micecom\AppData\Local\Google\Chrome\User Data\Default\Extensions\fnfhfpkmpnmlmlgfeabpegnfpdnmokco [2020-11-18]
CHR Extension: (Chrome Media Router) - C:\Users\micecom\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2020-11-18]

Some of these files and folders are hidden and you need to change a setting to be able to see them: https://support.microsoft.com/en-us/windows/view-hidden-files-and-folders-in-windows-10-97fbc472-c603-9d90-91d0-1166d1d9f4b5

I suggest a name change since it's difficult to know if something will stop working or give you a lot of error messages when the files/folders get a new name or are deleted. If you get any such problems you can change the names back to the original names. Please tell me if something happens.

Restart the computer and check how Chrome works.

4. I'll soon leave the computer for maybe 14 hours.

Pierre67 · November 30, 2020

10 hours ago, CeciliaB said:

Sync in Chrome?

Cecilia, sorry my bad - I should have mentioned SYNC in CHROME.

hRc · December 1, 2020

11 hours ago, CeciliaB said:
1. You should change to another antivirus program since it's important to always have the realtime scanning running. But not now.

2. Please, start Notepad.
Copy all text that is in the box:
CreateRestorePoint:
CloseProcesses:
AV: Norton Security (Enabled - Up to date) {A2708B76-6835-6565-CB96-694212954A75}
FW: Norton Security (Enabled) {9A4B0A53-225A-643D-E0C9-C077EC460D0E}
Norton Online Backup (HKLM-x32\...\NARA) (Version: 4.6.0.12 - Symantec Corporation) Hidden
ShellIconOverlayIdentifiers: [00avg] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  -> No File
BHO-x32: No Name -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> No File
HKLM-x32\...\Run: [] => [X]
HKLM\SOFTWARE\Policies\Mozilla\Firefox: Restriction <==== ATTENTION
HKLM\SOFTWARE\Policies\Google: Restriction <==== ATTENTION
S3 np_ck64s; C:\WINDOWS\syswow64\np_ck64s.sys [108976 2019-07-01] (INCA Internet Co.,Ltd. -> INCA Internet Co.,Ltd.)
S3 TKCtrl; C:\WINDOWS\SysWOW64\TKCtrl2k64.sys [147240 2019-01-15] (INCA Internet Co.,Ltd. -> INCA Internet Co., Ltd.) <==== ATTENTION
S3 TKFsAvM; C:\WINDOWS\SysWOW64\TKFsAv64.sys [198808 2019-01-15] (INCA Internet Co.,Ltd. -> INCA Internet Co., Ltd.) <==== ATTENTION
S3 TKFsFtM; C:\WINDOWS\SysWOW64\TKFsFt64.sys [28824 2019-01-15] (INCA Internet Co.,Ltd. -> INCA Internet Co., Ltd.) <==== ATTENTION
S3 TKPcFt; C:\WINDOWS\SysWOW64\TKPcFtCb64.sys [54504 2019-01-15] (INCA Internet Co.,Ltd. -> INCA Internet Co., Ltd.) <==== ATTENTION
S3 TKRgAc; C:\WINDOWS\SysWOW64\TKRgAc2k64.sys [115760 2019-01-15] (INCA Internet Co.,Ltd. -> INCA Internet Co., Ltd.) <==== ATTENTION
S3 TKRgFt; C:\WINDOWS\SysWOW64\TKRgFtXp64.sys [68968 2019-01-15] (INCA Internet Co.,Ltd. -> INCA Internet Co., Ltd.) <==== ATTENTION
S3 TKTool; C:\WINDOWS\system32\TKTool2k64.sys [32496 2019-01-15] (INCA Internet Co.,Ltd. -> INCA Internet Co., Ltd.) <==== ATTENTION
U1 avgbdisk; no ImagePath
Reboot:
and paste in Notepad. Check that no files have been split on two lines.
Save the file as fixlist.txt on the desktop.

Exit all programs.
Start FRST, please.
Click the Fix button.
Wait until the tool has finished.

It creates a log file, called Fixlog.txt, on the desktop.
Please, paste the content of that file in your reply.

3. Please, locate these files or folders and change their names, e.g. by adding the text _bad.

2020-11-18 14:32 - 2020-11-18 14:32 - 000000024 _____ C:\ProgramData\33764.bat
2020-11-18 14:29 - 2020-11-18 22:03 - 000000000 ___HD C:\ProgramData\Windows Host
2020-11-18 14:29 - 2020-11-18 14:29 - 000000024 _____ C:\ProgramData\64657.bat
2020-11-18 14:28 - 2020-11-29 17:39 - 000000000 ____D C:\Users\micecom\Documents\VlcpVideoV1.0.1
2020-12-01 02:07 - 2019-04-20 10:24 - 000000000 ____D C:\Program Files (x86)\INCAInternet
CHR Extension: (Google Translate) - C:\Users\micecom\AppData\Local\Google\Chrome\User Data\Default\Extensions\fnfhfpkmpnmlmlgfeabpegnfpdnmokco [2020-11-18]
CHR Extension: (Chrome Media Router) - C:\Users\micecom\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2020-11-18]

Some of these files and folders are hidden and you need to change a setting to be able to see them: https://support.microsoft.com/en-us/windows/view-hidden-files-and-folders-in-windows-10-97fbc472-c603-9d90-91d0-1166d1d9f4b5

I suggest a name change since it's difficult to know if something will stop working or give you a lot of error messages when the files/folders get a new name or are deleted. If you get any such problems you can change the names back to the original names. Please tell me if something happens.

Restart the computer and check how Chrome works.

4. I'll soon leave the computer for maybe 14 hours.

The problem seemed to have stopped. I will continue to check for awhile. Thanks for the help!

Fix result of Farbar Recovery Scan Tool (x64) Version: 29-11-2020
Ran by micecom (01-12-2020 14:11:11) Run:1
Running from C:\Users\micecom\Downloads
Loaded Profiles: micecom
Boot Mode: Normal
==============================================

fixlist content:
*****************
CreateRestorePoint:
CloseProcesses:
AV: Norton Security (Enabled - Up to date) {A2708B76-6835-6565-CB96-694212954A75}
FW: Norton Security (Enabled) {9A4B0A53-225A-643D-E0C9-C077EC460D0E}
Norton Online Backup (HKLM-x32\...\NARA) (Version: 4.6.0.12 - Symantec Corporation) Hidden
ShellIconOverlayIdentifiers: [00avg] -> {472083B0-C522-11CF-8763-00608CC02F24} => -> No File
BHO-x32: No Name -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> No File
HKLM-x32\...\Run: [] => [X]
HKLM\SOFTWARE\Policies\Mozilla\Firefox: Restriction <==== ATTENTION
HKLM\SOFTWARE\Policies\Google: Restriction <==== ATTENTION
S3 np_ck64s; C:\WINDOWS\syswow64\np_ck64s.sys [108976 2019-07-01] (INCA Internet Co.,Ltd. -> INCA Internet Co.,Ltd.)
S3 TKCtrl; C:\WINDOWS\SysWOW64\TKCtrl2k64.sys [147240 2019-01-15] (INCA Internet Co.,Ltd. -> INCA Internet Co., Ltd.) <==== ATTENTION
S3 TKFsAvM; C:\WINDOWS\SysWOW64\TKFsAv64.sys [198808 2019-01-15] (INCA Internet Co.,Ltd. -> INCA Internet Co., Ltd.) <==== ATTENTION
S3 TKFsFtM; C:\WINDOWS\SysWOW64\TKFsFt64.sys [28824 2019-01-15] (INCA Internet Co.,Ltd. -> INCA Internet Co., Ltd.) <==== ATTENTION
S3 TKPcFt; C:\WINDOWS\SysWOW64\TKPcFtCb64.sys [54504 2019-01-15] (INCA Internet Co.,Ltd. -> INCA Internet Co., Ltd.) <==== ATTENTION
S3 TKRgAc; C:\WINDOWS\SysWOW64\TKRgAc2k64.sys [115760 2019-01-15] (INCA Internet Co.,Ltd. -> INCA Internet Co., Ltd.) <==== ATTENTION
S3 TKRgFt; C:\WINDOWS\SysWOW64\TKRgFtXp64.sys [68968 2019-01-15] (INCA Internet Co.,Ltd. -> INCA Internet Co., Ltd.) <==== ATTENTION
S3 TKTool; C:\WINDOWS\system32\TKTool2k64.sys [32496 2019-01-15] (INCA Internet Co.,Ltd. -> INCA Internet Co., Ltd.) <==== ATTENTION
U1 avgbdisk; no ImagePath
Reboot:
*****************

Restore point was successfully created.
Processes closed successfully.
"AV: Norton Security (Enabled - Up to date) {A2708B76-6835-6565-CB96-694212954A75}" => removed successfully
"FW: Norton Security (Enabled) {9A4B0A53-225A-643D-E0C9-C077EC460D0E}" => removed successfully
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\NARA\\SystemComponent" => removed successfully
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\00avg => removed successfully
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF} => removed successfully
HKLM\Software\Wow6432Node\Classes\CLSID\{B4F3A835-0E21-4959-BA22-42B3008E02FF} => removed successfully
"HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\" => removed successfully
HKLM\SOFTWARE\Policies\Mozilla => removed successfully
HKLM\SOFTWARE\Policies\Google => removed successfully
HKLM\System\CurrentControlSet\Services\np_ck64s => removed successfully
np_ck64s => service removed successfully
HKLM\System\CurrentControlSet\Services\TKCtrl => removed successfully
TKCtrl => service removed successfully
HKLM\System\CurrentControlSet\Services\TKFsAvM => removed successfully
TKFsAvM => service removed successfully
HKLM\System\CurrentControlSet\Services\TKFsFtM => removed successfully
TKFsFtM => service removed successfully
HKLM\System\CurrentControlSet\Services\TKPcFt => removed successfully
TKPcFt => service removed successfully
HKLM\System\CurrentControlSet\Services\TKRgAc => removed successfully
TKRgAc => service removed successfully
HKLM\System\CurrentControlSet\Services\TKRgFt => removed successfully
TKRgFt => service removed successfully
HKLM\System\CurrentControlSet\Services\TKTool => removed successfully
TKTool => service removed successfully
HKLM\System\CurrentControlSet\Services\avgbdisk => removed successfully
avgbdisk => service removed successfully

The system needed a reboot.

==== End of Fixlog 14:11:24 ====

CeciliaB · December 1, 2020

2 hours ago, hRc said:

The problem seemed to have stopped. I will continue to check for awhile. Thanks for the help!

You're welcome and I'm glad the problem is gone.

You renamed two Chrome Extensions called Google Translate and Chrome Media Router since they were changed during the same day as your problem started. It's common to have those extensions but in your case they might have been changed in a bad way. If you've another computer you can copy those two folders from the other computer. You can also ask a friend to send them to you.

At the end of the week you can delete those renamed files and folders and uninstall FRST in this way:

Rename FRST/FRST64.exe to uninstall.exe and run it.

Welcome to adaware forum

Persistant adware

Recommended Posts

hRc 0

Share this post

Link to post

Share on other sites

CeciliaB 470

Share this post

Link to post

Share on other sites

Pierre67 208

Share this post

Link to post

Share on other sites

hRc 0

Share this post

Link to post

Share on other sites

CeciliaB 470

Share this post

Link to post

Share on other sites

hRc 0

Share this post

Link to post

Share on other sites

CeciliaB 470

Share this post

Link to post

Share on other sites

CeciliaB 470

Share this post

Link to post

Share on other sites

hRc 0

Share this post

Link to post

Share on other sites

CeciliaB 470

Share this post

Link to post

Share on other sites

hRc 0

Share this post

Link to post

Share on other sites

CeciliaB 470

Share this post

Link to post

Share on other sites

CeciliaB 470

Share this post

Link to post

Share on other sites

hRc 0

Share this post

Link to post

Share on other sites

CeciliaB 470

Share this post

Link to post

Share on other sites

CeciliaB 470

Share this post

Link to post

Share on other sites

hRc 0

Share this post

Link to post

Share on other sites

CeciliaB 470

Share this post

Link to post

Share on other sites

hRc 0

Share this post

Link to post

Share on other sites

CeciliaB 470