hRc

Persistent adware


My computer was recently infected by adware from a program downloaded from the internet. The adware constantly opens new tabs in Google Chrome and either opens ad sites or adds junk to Google Calendar. I have since deleted the original program file and have run scans using McAfee, Malwarebytes and AdwCleaner, but they have all failed to solve this issue. I am able to provide the original file which the adware came from. Is there a way to remove it, and also to find out why it is not being detected by my antivirus software?



Hi hRc,

Have you gone through all settings in Chrome to check if they're correct?
Have you tried to disable all add-ons to make sure that none of them is the culprit?

Note that adware isn't a virus or a malicious program, since it doesn't destroy Windows and you chose to install it. Therefore adware is seldom detected by antivirus programs.


Just a thought - do you have 'SYNC' switched 'on'? If so, this may be your problem.

 

19 hours ago, CeciliaB said:

Hi hRc,

Have you gone through all settings in Chrome to check if they're correct?
Have you tried to disable all add-ons to make sure that none of them is the culprit?

Note that adware isn't a virus or a malicious program, since it doesn't destroy Windows and you chose to install it. Therefore adware is seldom detected by antivirus programs.

Yes, all add-ons are disabled. The problem started after I downloaded and ran a file from the internet that probably has it. I deleted the original program but the problem still persists.


I can see that you're using Norton. Can't they help you?

But I'll continue to go through the log files.


You have firewalls from both Norton and McAfee according to Addition.txt. The recommendation is to have only one firewall and one antivirus program. Having two can cause conflicts and lower security. Which program do you want to use?

Quote

AV: Norton Security (Enabled - Up to date) {A2708B76-6835-6565-CB96-694212954A75}
AV: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AV: McAfee VirusScan (Disabled - Up to date) {9D4501E6-72F6-2877-C789-89AF6F535B2C}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: Norton Security (Enabled) {9A4B0A53-225A-643D-E0C9-C077EC460D0E}
FW: McAfee Firewall (Enabled) {A57E80C3-3899-292F-ECD6-209A91801C57}

Are there any problems with adware in Edge or Firefox?

Which program do you think installed the adware and when did that happen?

2 minutes ago, CeciliaB said:

You have firewalls from both Norton and McAfee according to Addition.txt. The recommendation is to have only one firewall and one antivirus program. Having two can cause conflicts and lower security. Which program do you want to use?

Are there any problems with adware in Edge or Firefox?

Norton should have already expired. I don't use it anymore.

8 minutes ago, hRc said:

Norton should have already expired. I don't use it anymore.

You have to uninstall more of it. Follow this: https://support.norton.com/sp/en/us/home/current/solutions/v15972972

Restart the computer.
Run FRST and upload new log files.


Thanks.

Sorry, still only the last part of FRST.txt. Do you get any error messages while running FRST?

Try to delete FRST.txt and Addition.txt before running FRST again.

6 hours ago, Pierre67 said:

Just a thought - do you have 'SYNC' switched 'on'? If so, this may be your problem.

 

Sync in Chrome?


Are you using the synchronization feature in Chrome?

Have you installed nProtect Online Security by INCA Internet yourself?

Are you using Norton Online Backup (program) or Norton Studio (app from the Microsoft Store)?
If not, please uninstall them.

Which antivirus program are you using?

Did you install the adware November 18th (strange .bat files are created at that date as well as the folder C:\Users\micecom\Documents\VlcpVideoV1.0.1)?

2 hours ago, CeciliaB said:

Are you using the synchronization feature in Chrome?

Have you installed nProtect Online Security by INCA Internet yourself?

Are you using Norton Online Backup (program) or Norton Studio (app from the Microsoft Store)?
If not, please uninstall them.

Which antivirus program are you using?

Did you install the adware November 18th (strange .bat files are created at that date as well as the folder C:\Users\micecom\Documents\VlcpVideoV1.0.1)?

Yes, I'm using the sync feature in Chrome.
No, I have not installed it.
I have uninstalled both.
I'm currently using McAfee.
Yes, it was created on November 18th.


Can you disable the sync feature in Chrome?
It's possible that something you do in Chrome to prevent e.g. add-ons is changed back by the sync feature.

McAfee hasn't registered in Windows as an antivirus program, only as a firewall. Can you see that the antivirus part is working?

Can you uninstall nProtect Online Security?
Please restart the computer afterwards.

Please upload new FRST logs since you've uninstalled the Norton programs and hopefully nProtect.


1. You should change to another antivirus program, since it's important to always have real-time scanning running. But not now.

2. Please, start Notepad.
Copy all text that is in the box:

CreateRestorePoint:
CloseProcesses:
AV: Norton Security (Enabled - Up to date) {A2708B76-6835-6565-CB96-694212954A75}
FW: Norton Security (Enabled) {9A4B0A53-225A-643D-E0C9-C077EC460D0E}
Norton Online Backup (HKLM-x32\...\NARA) (Version: 4.6.0.12 - Symantec Corporation) Hidden
ShellIconOverlayIdentifiers: [00avg] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  -> No File
BHO-x32: No Name -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> No File
HKLM-x32\...\Run: [] => [X]
HKLM\SOFTWARE\Policies\Mozilla\Firefox: Restriction <==== ATTENTION
HKLM\SOFTWARE\Policies\Google: Restriction <==== ATTENTION
S3 np_ck64s; C:\WINDOWS\syswow64\np_ck64s.sys [108976 2019-07-01] (INCA Internet Co.,Ltd. -> INCA Internet Co.,Ltd.)
S3 TKCtrl; C:\WINDOWS\SysWOW64\TKCtrl2k64.sys [147240 2019-01-15] (INCA Internet Co.,Ltd. -> INCA Internet Co., Ltd.) <==== ATTENTION
S3 TKFsAvM; C:\WINDOWS\SysWOW64\TKFsAv64.sys [198808 2019-01-15] (INCA Internet Co.,Ltd. -> INCA Internet Co., Ltd.) <==== ATTENTION
S3 TKFsFtM; C:\WINDOWS\SysWOW64\TKFsFt64.sys [28824 2019-01-15] (INCA Internet Co.,Ltd. -> INCA Internet Co., Ltd.) <==== ATTENTION
S3 TKPcFt; C:\WINDOWS\SysWOW64\TKPcFtCb64.sys [54504 2019-01-15] (INCA Internet Co.,Ltd. -> INCA Internet Co., Ltd.) <==== ATTENTION
S3 TKRgAc; C:\WINDOWS\SysWOW64\TKRgAc2k64.sys [115760 2019-01-15] (INCA Internet Co.,Ltd. -> INCA Internet Co., Ltd.) <==== ATTENTION
S3 TKRgFt; C:\WINDOWS\SysWOW64\TKRgFtXp64.sys [68968 2019-01-15] (INCA Internet Co.,Ltd. -> INCA Internet Co., Ltd.) <==== ATTENTION
S3 TKTool; C:\WINDOWS\system32\TKTool2k64.sys [32496 2019-01-15] (INCA Internet Co.,Ltd. -> INCA Internet Co., Ltd.) <==== ATTENTION
U1 avgbdisk; no ImagePath
Reboot:

and paste it into Notepad. Check that no lines have been split across two lines.
Save the file as fixlist.txt on the desktop.

Exit all programs.
Start FRST, please.
Click the Fix button.
Wait until the tool has finished.

It creates a log file, called Fixlog.txt, on the desktop.
Please, paste the content of that file in your reply.

3. Please, locate these files or folders and change their names, e.g. by adding the text _bad.

2020-11-18 14:32 - 2020-11-18 14:32 - 000000024 _____ C:\ProgramData\33764.bat
2020-11-18 14:29 - 2020-11-18 22:03 - 000000000 ___HD C:\ProgramData\Windows Host
2020-11-18 14:29 - 2020-11-18 14:29 - 000000024 _____ C:\ProgramData\64657.bat
2020-11-18 14:28 - 2020-11-29 17:39 - 000000000 ____D C:\Users\micecom\Documents\VlcpVideoV1.0.1
2020-12-01 02:07 - 2019-04-20 10:24 - 000000000 ____D C:\Program Files (x86)\INCAInternet
CHR Extension: (Google Translate) - C:\Users\micecom\AppData\Local\Google\Chrome\User Data\Default\Extensions\fnfhfpkmpnmlmlgfeabpegnfpdnmokco [2020-11-18]
CHR Extension: (Chrome Media Router) - C:\Users\micecom\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2020-11-18]

Some of these files and folders are hidden and you need to change a setting to be able to see them: https://support.microsoft.com/en-us/windows/view-hidden-files-and-folders-in-windows-10-97fbc472-c603-9d90-91d0-1166d1d9f4b5

I suggest a name change since it's difficult to know if something will stop working or give you a lot of error messages when the files/folders get a new name or are deleted. If you get any such problems you can change the names back to the original names. Please tell me if something happens.

Restart the computer and check how Chrome works.

4. I'll soon leave the computer for maybe 14 hours.

 

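The triage CeciliaB did by hand in the post above (picking out the files, folders and Chrome extension directories whose timestamps cluster on 18 November, the day the adware was installed, while leaving older items such as the INCAInternet folder alone) can be automated against an FRST log. The script below is an added example, not code from this thread or from FRST. It parses the two FRST line formats quoted in the post (the two-timestamp file listing and the "CHR Extension:" line), locates the densest burst of timestamps to guess the install time, flags everything written in a window around it, and produces the same rename-with-_bad plan the post asks for. It goes slightly beyond the post in finding the burst itself rather than taking the date as given. The window sizes are assumptions, and the SoftwareDistribution folder and uBlock Origin extension in the sample are constructed benign lines so the script has something to leave alone.

```python
"""Timeline triage of FRST listing lines (added example, not FRST's own code)."""
import re
from datetime import datetime, timedelta

# FRST two-timestamp listing line, e.g.
#   2020-11-18 14:32 - 2020-11-18 14:32 - 000000024 _____ C:\ProgramData\33764.bat
# In FRST's "created" section the first stamp is the creation time, in the
# "modified" section it is the modification time, so both stamps are kept as
# evidence instead of guessing which section a line came from.
FILE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(\d{9}) (\S{5}) (.+)$"
)
# Chrome extension line (carries a date only), e.g.
#   CHR Extension: (Google Translate) - C:\...\Extensions\fnfhf... [2020-11-18]
EXT_RE = re.compile(r"^CHR Extension: \((.+?)\) - (.+?) \[(\d{4}-\d{2}-\d{2})\]$")


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M")


def parse_line(line):
    """Return an entry dict for a recognised FRST line, or None."""
    line = line.strip()
    m = FILE_RE.match(line)
    if m:
        d1, d2, _size, attrs, path = m.groups()
        # "H" in the attribute column means the item is hidden, which is why the
        # post tells the user to enable "show hidden files" before renaming.
        return {"path": path, "stamps": [_ts(d1), _ts(d2)],
                "date_only": False, "hidden": "H" in attrs}
    m = EXT_RE.match(line)
    if m:
        name, path, day = m.groups()
        return {"path": path, "name": name, "stamps": [_ts(day + " 00:00")],
                "date_only": True, "hidden": False}
    return None


def parse_lines(text):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def find_burst(entries, window=timedelta(hours=1)):
    """Start of the window holding the most first-timestamps (likely install time).

    A dropper writes several files within minutes; the densest burst is the best
    guess for when it ran. Date-only extension entries are too coarse to vote.
    """
    firsts = sorted(e["stamps"][0] for e in entries if not e["date_only"])
    best_start, best_count = None, 0
    for i, start in enumerate(firsts):
        count = sum(1 for t in firsts[i:] if t - start <= window)
        if count > best_count:
            best_start, best_count = start, count
    return best_start, best_count


def flag_entries(entries, anchor, before=timedelta(minutes=5), after=timedelta(hours=12)):
    """Entries with any stamp in [anchor - before, anchor + after] (assumed window).

    Date-only entries are flagged when they fall on the anchor's calendar day.
    """
    lo, hi = anchor - before, anchor + after
    flagged = []
    for e in entries:
        if e["date_only"]:
            hit = e["stamps"][0].date() == anchor.date()
        else:
            hit = any(lo <= t <= hi for t in e["stamps"])
        if hit:
            flagged.append(e)
    return flagged


def rename_plan(flagged, suffix="_bad"):
    """(old, new) pairs following the post's rename-instead-of-delete approach."""
    return [(e["path"], e["path"] + suffix) for e in flagged]


def triage(text):
    entries = parse_lines(text)
    anchor, count = find_burst(entries)
    flagged = flag_entries(entries, anchor) if anchor else []
    return anchor, count, flagged


# Lines quoted from the post above, plus two constructed benign entries
# (the SoftwareDistribution folder and the uBlock Origin extension).
SAMPLE_LOG = r"""
2020-11-18 14:32 - 2020-11-18 14:32 - 000000024 _____ C:\ProgramData\33764.bat
2020-11-18 14:29 - 2020-11-18 22:03 - 000000000 ___HD C:\ProgramData\Windows Host
2020-11-18 14:29 - 2020-11-18 14:29 - 000000024 _____ C:\ProgramData\64657.bat
2020-11-18 14:28 - 2020-11-29 17:39 - 000000000 ____D C:\Users\micecom\Documents\VlcpVideoV1.0.1
2020-12-01 02:07 - 2019-04-20 10:24 - 000000000 ____D C:\Program Files (x86)\INCAInternet
CHR Extension: (Google Translate) - C:\Users\micecom\AppData\Local\Google\Chrome\User Data\Default\Extensions\fnfhfpkmpnmlmlgfeabpegnfpdnmokco [2020-11-18]
CHR Extension: (Chrome Media Router) - C:\Users\micecom\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2020-11-18]
2020-11-25 09:10 - 2020-11-25 09:10 - 000000000 ____D C:\Windows\SoftwareDistribution\Download\constructed
CHR Extension: (uBlock Origin) - C:\Users\micecom\AppData\Local\Google\Chrome\User Data\Default\Extensions\cjpalhdlnbpafiamejdnhcphjbkeiagm [2020-09-03]
"""

if __name__ == "__main__":
    anchor, count, flagged = triage(SAMPLE_LOG)
    print(f"install burst: {count} entries starting {anchor}")
    for old, new in rename_plan(flagged):
        print(f"rename {old} -> {new}")
```

On the sample, the burst starts at 2020-11-18 14:28 with four entries, and the six flagged items are exactly the two .bat files, the hidden "Windows Host" folder, the VlcpVideoV1.0.1 folder and the two extension directories dated 18 November; the INCAInternet folder and the two constructed entries are left alone. The script only prints the rename plan; carrying it out is a matter of os.rename on the target machine, ideally after the FRST fix has removed the services and policy keys that would otherwise recreate the files.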
10 hours ago, CeciliaB said:

Sync in Chrome?

Cecilia, sorry my bad - I should have mentioned SYNC in CHROME.

 

11 hours ago, CeciliaB said:

1. You should change to another antivirus program, since it's important to always have real-time scanning running. But not now.

[...]

The problem seems to have stopped. I will continue to check for a while. Thanks for the help!

 

Fix result of Farbar Recovery Scan Tool (x64) Version: 29-11-2020
Ran by micecom (01-12-2020 14:11:11) Run:1
Running from C:\Users\micecom\Downloads
Loaded Profiles: micecom
Boot Mode: Normal
==============================================

fixlist content:
*****************
CreateRestorePoint:
CloseProcesses:
AV: Norton Security (Enabled - Up to date) {A2708B76-6835-6565-CB96-694212954A75}
FW: Norton Security (Enabled) {9A4B0A53-225A-643D-E0C9-C077EC460D0E}
Norton Online Backup (HKLM-x32\...\NARA) (Version: 4.6.0.12 - Symantec Corporation) Hidden
ShellIconOverlayIdentifiers: [00avg] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  -> No File
BHO-x32: No Name -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> No File
HKLM-x32\...\Run: [] => [X]
HKLM\SOFTWARE\Policies\Mozilla\Firefox: Restriction <==== ATTENTION
HKLM\SOFTWARE\Policies\Google: Restriction <==== ATTENTION
S3 np_ck64s; C:\WINDOWS\syswow64\np_ck64s.sys [108976 2019-07-01] (INCA Internet Co.,Ltd. -> INCA Internet Co.,Ltd.)
S3 TKCtrl; C:\WINDOWS\SysWOW64\TKCtrl2k64.sys [147240 2019-01-15] (INCA Internet Co.,Ltd. -> INCA Internet Co., Ltd.) <==== ATTENTION
S3 TKFsAvM; C:\WINDOWS\SysWOW64\TKFsAv64.sys [198808 2019-01-15] (INCA Internet Co.,Ltd. -> INCA Internet Co., Ltd.) <==== ATTENTION
S3 TKFsFtM; C:\WINDOWS\SysWOW64\TKFsFt64.sys [28824 2019-01-15] (INCA Internet Co.,Ltd. -> INCA Internet Co., Ltd.) <==== ATTENTION
S3 TKPcFt; C:\WINDOWS\SysWOW64\TKPcFtCb64.sys [54504 2019-01-15] (INCA Internet Co.,Ltd. -> INCA Internet Co., Ltd.) <==== ATTENTION
S3 TKRgAc; C:\WINDOWS\SysWOW64\TKRgAc2k64.sys [115760 2019-01-15] (INCA Internet Co.,Ltd. -> INCA Internet Co., Ltd.) <==== ATTENTION
S3 TKRgFt; C:\WINDOWS\SysWOW64\TKRgFtXp64.sys [68968 2019-01-15] (INCA Internet Co.,Ltd. -> INCA Internet Co., Ltd.) <==== ATTENTION
S3 TKTool; C:\WINDOWS\system32\TKTool2k64.sys [32496 2019-01-15] (INCA Internet Co.,Ltd. -> INCA Internet Co., Ltd.) <==== ATTENTION
U1 avgbdisk; no ImagePath
Reboot:
*****************

Restore point was successfully created.
Processes closed successfully.
"AV: Norton Security (Enabled - Up to date) {A2708B76-6835-6565-CB96-694212954A75}" => removed successfully
"FW: Norton Security (Enabled) {9A4B0A53-225A-643D-E0C9-C077EC460D0E}" => removed successfully
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\NARA\\SystemComponent" => removed successfully
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\00avg => removed successfully
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF} => removed successfully
HKLM\Software\Wow6432Node\Classes\CLSID\{B4F3A835-0E21-4959-BA22-42B3008E02FF} => removed successfully
"HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\" => removed successfully
HKLM\SOFTWARE\Policies\Mozilla => removed successfully
HKLM\SOFTWARE\Policies\Google => removed successfully
HKLM\System\CurrentControlSet\Services\np_ck64s => removed successfully
np_ck64s => service removed successfully
HKLM\System\CurrentControlSet\Services\TKCtrl => removed successfully
TKCtrl => service removed successfully
HKLM\System\CurrentControlSet\Services\TKFsAvM => removed successfully
TKFsAvM => service removed successfully
HKLM\System\CurrentControlSet\Services\TKFsFtM => removed successfully
TKFsFtM => service removed successfully
HKLM\System\CurrentControlSet\Services\TKPcFt => removed successfully
TKPcFt => service removed successfully
HKLM\System\CurrentControlSet\Services\TKRgAc => removed successfully
TKRgAc => service removed successfully
HKLM\System\CurrentControlSet\Services\TKRgFt => removed successfully
TKRgFt => service removed successfully
HKLM\System\CurrentControlSet\Services\TKTool => removed successfully
TKTool => service removed successfully
HKLM\System\CurrentControlSet\Services\avgbdisk => removed successfully
avgbdisk => service removed successfully


The system needed a reboot.

==== End of Fixlog 14:11:24 ====

2 hours ago, hRc said:

The problem seems to have stopped. I will continue to check for a while. Thanks for the help!

You're welcome and I'm glad the problem is gone.

You renamed two Chrome Extensions called Google Translate and Chrome Media Router since they were changed during the same day as your problem started. It's common to have those extensions but in your case they might have been changed in a bad way. If you've another computer you can copy those two folders from the other computer. You can also ask a friend to send them to you.

At the end of the week you can delete those renamed files and folders and uninstall FRST in this way:

Rename FRST/FRST64.exe to uninstall.exe and run it.

