hRc, posted November 29, 2020 (edited)

My computer was recently infected by adware from a program downloaded from the internet. The adware constantly opens new tabs in Google Chrome and either opens up ad sites or adds junk to Google Calendar. I have since deleted the original program file and have run scans using McAfee, Malwarebytes and AdwCleaner, but they have all failed to solve this issue. I am able to provide the original file which the adware came from. Is there a way to remove it and also to find out why it is not being detected by my antivirus software?

Edited November 29, 2020 by hRc

CeciliaB, posted November 29, 2020

Hi hRC,

Have you gone through all settings in Chrome to check if they're correct? Have you tried to disable all add-ons to make sure that none of them is the culprit?

Note that adware isn't a virus or a malicious program, since it doesn't destroy Windows and you've selected to install it. Therefore adware is seldom detected by antivirus programs.

Pierre67, posted November 30, 2020

Just a thought - do you have 'SYNC' switched 'on'? If so, this may be your problem.

hRc, posted November 30, 2020

19 hours ago, CeciliaB said:
> Hi hRC,
> Have you gone through all settings in Chrome to check if they're correct? Have you tried to disable all add-ons to make sure that none of them is the culprit?
> Note that adware isn't a virus or a malicious program, since it doesn't destroy Windows and you've selected to install it. Therefore adware is seldom detected by antivirus programs.

Yes, all add-ons are disabled. The problem started after I downloaded and ran a file from the internet that probably has it. I deleted the original program but the problem still persists.

CeciliaB, posted November 30, 2020

Please see this topic: https://forum.adaware.com/index.php?/topic/30823-read-this-before-you-post/

hRc, posted November 30, 2020

9 minutes ago, CeciliaB said:
> Please see this topic: https://forum.adaware.com/index.php?/topic/30823-read-this-before-you-post/

Addition.txt
FRST.txt

CeciliaB, posted November 30, 2020

I can see that you're using Norton. Can't they help you? But I'll continue to go through the log files.

CeciliaB, posted November 30, 2020 (edited)

You have firewalls from Norton and McAfee according to Addition.txt. The recommendation is to have only one firewall and one antivirus program. Having two can cause conflicts and lower security. Which program do you want to use?

> AV: Norton Security (Enabled - Up to date) {A2708B76-6835-6565-CB96-694212954A75}
> AV: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
> AV: McAfee VirusScan (Disabled - Up to date) {9D4501E6-72F6-2877-C789-89AF6F535B2C}
> AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
> FW: Norton Security (Enabled) {9A4B0A53-225A-643D-E0C9-C077EC460D0E}
> FW: McAfee Firewall (Enabled) {A57E80C3-3899-292F-ECD6-209A91801C57}

Are there any problems with adware in Edge or Firefox? Which program do you think installed the adware and when did that happen?

Edited November 30, 2020 by CeciliaB

hRc, posted November 30, 2020

2 minutes ago, CeciliaB said:
> You have firewalls from Norton and McAfee according to Addition.txt. The recommendation is to have only one firewall and one antivirus program. Having two can cause conflicts and lower security. Which program do you want to use?
> Are there any problems with adware in Edge or Firefox?

Norton should have already expired. I don't use it anymore.

CeciliaB, posted November 30, 2020 (edited)

8 minutes ago, hRc said:
> Norton should have already expired. I don't use it anymore.

You have to uninstall more of it. Follow this: https://support.norton.com/sp/en/us/home/current/solutions/v15972972

Restart the computer. Run FRST and upload new log files.

Edited November 30, 2020 by CeciliaB

hRc, posted November 30, 2020

26 minutes ago, CeciliaB said:
> You have to uninstall more of it. Follow this: https://support.norton.com/sp/en/us/home/current/solutions/v15972972
> Restart the computer. Run FRST and upload new log files.

FRST.txt
Addition.txt

CeciliaB, posted November 30, 2020

That isn't the complete FRST.txt, please try again.

CeciliaB, posted November 30, 2020

49 minutes ago, CeciliaB said:
> Are there any problems with adware in Edge or Firefox? Which program do you think installed the adware and when did that happen?

hRc, posted November 30, 2020

There are no problems with my Microsoft Edge. The program should be one called data.exe which I ran.

Addition.txt
FRST.txt

CeciliaB, posted November 30, 2020

Thanks. Sorry, still only the last part of FRST.txt. Do you get any error messages while running FRST? Try to delete FRST.txt and Addition.txt before running FRST again.

CeciliaB, posted November 30, 2020

6 hours ago, Pierre67 said:
> Just a thought - do you have 'SYNC' switched 'on'? If so, this may be your problem.

Sync in Chrome?

hRc, posted November 30, 2020

Addition.txt
FRST.txt

CeciliaB, posted November 30, 2020

Are you using the synchronization feature in Chrome?
Have you installed nProtect Online Security by INCA Internet yourself?
Are you using Norton Online Backup (program) or Norton Studio (app from Microsoft Store)? If not, please uninstall.
Which antivirus program are you using?
Did you install the adware November 18th (strange .bat files are created at that date as well as the folder C:\Users\micecom\Documents\VlcpVideoV1.0.1)?

hRc, posted November 30, 2020

2 hours ago, CeciliaB said:
> Are you using the synchronization feature in Chrome?
> Have you installed nProtect Online Security by INCA Internet yourself?
> Are you using Norton Online Backup (program) or Norton Studio (app from Microsoft Store)? If not, please uninstall.
> Which antivirus program are you using?
> Did you install the adware November 18th (strange .bat files are created at that date as well as the folder C:\Users\micecom\Documents\VlcpVideoV1.0.1)?

Yes, I'm using the sync feature in Chrome.
No, I have not installed it.
I have uninstalled both.
I'm currently using McAfee.
Yes, it was created on November 18th.

CeciliaB, posted November 30, 2020

Can you disable the sync feature in Chrome? It's possible that something you do in Chrome to prevent e.g. add-ons is changed back by the sync feature.

McAfee hasn't registered in Windows as an antivirus program, only as a firewall. Can you see that the antivirus part is working?

Can you uninstall nProtect Online Security? Please restart the computer afterwards.

Please upload new FRST logs since you've uninstalled the Norton programs and hopefully nProtect.

hRc, posted November 30, 2020

My McAfee's scanning is disabled as it keeps interfering with my synpos program even after whitelisting it.

Addition.txt
FRST.txt

CeciliaB, posted November 30, 2020

1. You should change to another antivirus program since it's important to always have the realtime scanning running. But not now.

2. Please, start Notepad. Copy all text that is in the box:

CreateRestorePoint:
CloseProcesses:
AV: Norton Security (Enabled - Up to date) {A2708B76-6835-6565-CB96-694212954A75}
FW: Norton Security (Enabled) {9A4B0A53-225A-643D-E0C9-C077EC460D0E}
Norton Online Backup (HKLM-x32\...\NARA) (Version: 4.6.0.12 - Symantec Corporation) Hidden
ShellIconOverlayIdentifiers: [00avg] -> {472083B0-C522-11CF-8763-00608CC02F24} => -> No File
BHO-x32: No Name -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> No File
HKLM-x32\...\Run: [] => [X]
HKLM\SOFTWARE\Policies\Mozilla\Firefox: Restriction <==== ATTENTION
HKLM\SOFTWARE\Policies\Google: Restriction <==== ATTENTION
S3 np_ck64s; C:\WINDOWS\syswow64\np_ck64s.sys [108976 2019-07-01] (INCA Internet Co.,Ltd. -> INCA Internet Co.,Ltd.)
S3 TKCtrl; C:\WINDOWS\SysWOW64\TKCtrl2k64.sys [147240 2019-01-15] (INCA Internet Co.,Ltd. -> INCA Internet Co., Ltd.) <==== ATTENTION
S3 TKFsAvM; C:\WINDOWS\SysWOW64\TKFsAv64.sys [198808 2019-01-15] (INCA Internet Co.,Ltd. -> INCA Internet Co., Ltd.) <==== ATTENTION
S3 TKFsFtM; C:\WINDOWS\SysWOW64\TKFsFt64.sys [28824 2019-01-15] (INCA Internet Co.,Ltd. -> INCA Internet Co., Ltd.) <==== ATTENTION
S3 TKPcFt; C:\WINDOWS\SysWOW64\TKPcFtCb64.sys [54504 2019-01-15] (INCA Internet Co.,Ltd. -> INCA Internet Co., Ltd.) <==== ATTENTION
S3 TKRgAc; C:\WINDOWS\SysWOW64\TKRgAc2k64.sys [115760 2019-01-15] (INCA Internet Co.,Ltd. -> INCA Internet Co., Ltd.) <==== ATTENTION
S3 TKRgFt; C:\WINDOWS\SysWOW64\TKRgFtXp64.sys [68968 2019-01-15] (INCA Internet Co.,Ltd. -> INCA Internet Co., Ltd.) <==== ATTENTION
S3 TKTool; C:\WINDOWS\system32\TKTool2k64.sys [32496 2019-01-15] (INCA Internet Co.,Ltd. -> INCA Internet Co., Ltd.) <==== ATTENTION
U1 avgbdisk; no ImagePath
Reboot:

and paste in Notepad. Check that no files have been split on two lines. Save the file as fixlist.txt on the desktop.

Exit all programs.
Start FRST, please.
Click the Fix button. Wait until the tool has finished.
It creates a log file, called Fixlog.txt, on the desktop. Please, paste the content of that file in your reply.

3. Please, locate these files or folders and change their names, e.g. by adding the text _bad.

2020-11-18 14:32 - 2020-11-18 14:32 - 000000024 _____ C:\ProgramData\33764.bat
2020-11-18 14:29 - 2020-11-18 22:03 - 000000000 ___HD C:\ProgramData\Windows Host
2020-11-18 14:29 - 2020-11-18 14:29 - 000000024 _____ C:\ProgramData\64657.bat
2020-11-18 14:28 - 2020-11-29 17:39 - 000000000 ____D C:\Users\micecom\Documents\VlcpVideoV1.0.1
2020-12-01 02:07 - 2019-04-20 10:24 - 000000000 ____D C:\Program Files (x86)\INCAInternet
CHR Extension: (Google Translate) - C:\Users\micecom\AppData\Local\Google\Chrome\User Data\Default\Extensions\fnfhfpkmpnmlmlgfeabpegnfpdnmokco [2020-11-18]
CHR Extension: (Chrome Media Router) - C:\Users\micecom\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2020-11-18]

Some of these files and folders are hidden and you need to change a setting to be able to see them: https://support.microsoft.com/en-us/windows/view-hidden-files-and-folders-in-windows-10-97fbc472-c603-9d90-91d0-1166d1d9f4b5

I suggest a name change since it's difficult to know if something will stop working or give you a lot of error messages when the files/folders get a new name or are deleted. If you get any such problems you can change the names back to the original names. Please tell me if something happens.

Restart the computer and check how Chrome works.

4. I'll soon leave the computer for maybe 14 hours.

Pierre67, posted November 30, 2020

10 hours ago, CeciliaB said:
> Sync in Chrome?

Cecilia, sorry my bad - I should have mentioned SYNC in CHROME.

hRc, posted December 1, 2020

The problem seemed to have stopped. I will continue to check for awhile. Thanks for the help!

Fix result of Farbar Recovery Scan Tool (x64) Version: 29-11-2020
Ran by micecom (01-12-2020 14:11:11) Run:1
Running from C:\Users\micecom\Downloads
Loaded Profiles: micecom
Boot Mode: Normal
==============================================

fixlist content:
*****************
CreateRestorePoint:
CloseProcesses:
AV: Norton Security (Enabled - Up to date) {A2708B76-6835-6565-CB96-694212954A75}
FW: Norton Security (Enabled) {9A4B0A53-225A-643D-E0C9-C077EC460D0E}
Norton Online Backup (HKLM-x32\...\NARA) (Version: 4.6.0.12 - Symantec Corporation) Hidden
ShellIconOverlayIdentifiers: [00avg] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  -> No File
BHO-x32: No Name -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> No File
HKLM-x32\...\Run: [] => [X]
HKLM\SOFTWARE\Policies\Mozilla\Firefox: Restriction <==== ATTENTION
HKLM\SOFTWARE\Policies\Google: Restriction <==== ATTENTION
S3 np_ck64s; C:\WINDOWS\syswow64\np_ck64s.sys [108976 2019-07-01] (INCA Internet Co.,Ltd. -> INCA Internet Co.,Ltd.)
S3 TKCtrl; C:\WINDOWS\SysWOW64\TKCtrl2k64.sys [147240 2019-01-15] (INCA Internet Co.,Ltd. -> INCA Internet Co., Ltd.) <==== ATTENTION
S3 TKFsAvM; C:\WINDOWS\SysWOW64\TKFsAv64.sys [198808 2019-01-15] (INCA Internet Co.,Ltd. -> INCA Internet Co., Ltd.) <==== ATTENTION
S3 TKFsFtM; C:\WINDOWS\SysWOW64\TKFsFt64.sys [28824 2019-01-15] (INCA Internet Co.,Ltd. -> INCA Internet Co., Ltd.) <==== ATTENTION
S3 TKPcFt; C:\WINDOWS\SysWOW64\TKPcFtCb64.sys [54504 2019-01-15] (INCA Internet Co.,Ltd. -> INCA Internet Co., Ltd.) <==== ATTENTION
S3 TKRgAc; C:\WINDOWS\SysWOW64\TKRgAc2k64.sys [115760 2019-01-15] (INCA Internet Co.,Ltd. -> INCA Internet Co., Ltd.) <==== ATTENTION
S3 TKRgFt; C:\WINDOWS\SysWOW64\TKRgFtXp64.sys [68968 2019-01-15] (INCA Internet Co.,Ltd. -> INCA Internet Co., Ltd.) <==== ATTENTION
S3 TKTool; C:\WINDOWS\system32\TKTool2k64.sys [32496 2019-01-15] (INCA Internet Co.,Ltd. -> INCA Internet Co., Ltd.) <==== ATTENTION
U1 avgbdisk; no ImagePath
Reboot:
*****************

Restore point was successfully created.
Processes closed successfully.
"AV: Norton Security (Enabled - Up to date) {A2708B76-6835-6565-CB96-694212954A75}" => removed successfully
"FW: Norton Security (Enabled) {9A4B0A53-225A-643D-E0C9-C077EC460D0E}" => removed successfully
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\NARA\\SystemComponent" => removed successfully
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\00avg => removed successfully
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF} => removed successfully
HKLM\Software\Wow6432Node\Classes\CLSID\{B4F3A835-0E21-4959-BA22-42B3008E02FF} => removed successfully
"HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\" => removed successfully
HKLM\SOFTWARE\Policies\Mozilla => removed successfully
HKLM\SOFTWARE\Policies\Google => removed successfully
HKLM\System\CurrentControlSet\Services\np_ck64s => removed successfully
np_ck64s => service removed successfully
HKLM\System\CurrentControlSet\Services\TKCtrl => removed successfully
TKCtrl => service removed successfully
HKLM\System\CurrentControlSet\Services\TKFsAvM => removed successfully
TKFsAvM => service removed successfully
HKLM\System\CurrentControlSet\Services\TKFsFtM => removed successfully
TKFsFtM => service removed successfully
HKLM\System\CurrentControlSet\Services\TKPcFt => removed successfully
TKPcFt => service removed successfully
HKLM\System\CurrentControlSet\Services\TKRgAc => removed successfully
TKRgAc => service removed successfully
HKLM\System\CurrentControlSet\Services\TKRgFt => removed successfully
TKRgFt => service removed successfully
HKLM\System\CurrentControlSet\Services\TKTool => removed successfully
TKTool => service removed successfully
HKLM\System\CurrentControlSet\Services\avgbdisk => removed successfully
avgbdisk => service removed successfully

The system needed a reboot.

==== End of Fixlog 14:11:24 ====

CeciliaB, posted December 1, 2020

2 hours ago, hRc said:
> The problem seemed to have stopped. I will continue to check for awhile. Thanks for the help!

You're welcome and I'm glad the problem is gone.

You renamed two Chrome Extensions called Google Translate and Chrome Media Router since they were changed during the same day as your problem started. It's common to have those extensions but in your case they might have been changed in a bad way. If you have another computer you can copy those two folders from the other computer. You can also ask a friend to send them to you.

At the end of the week you can delete those renamed files and folders and uninstall FRST in this way: Rename FRST/FRST64.exe to uninstall.exe and run it.

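The two checks applied to the logs in this thread (more than one firewall registered as enabled, and files, folders and Chrome extensions dated the day the problem started), as an added Python example that is not part of the thread or of FRST. The function names are hypothetical, the line shapes are assumed from the excerpts quoted in the posts, and the sample lines are copied from those excerpts.

```python
import re

# Sample lines copied from the FRST excerpts quoted in the posts above.
SAMPLE = r"""
AV: Norton Security (Enabled - Up to date) {A2708B76-6835-6565-CB96-694212954A75}
AV: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AV: McAfee VirusScan (Disabled - Up to date) {9D4501E6-72F6-2877-C789-89AF6F535B2C}
FW: Norton Security (Enabled) {9A4B0A53-225A-643D-E0C9-C077EC460D0E}
FW: McAfee Firewall (Enabled) {A57E80C3-3899-292F-ECD6-209A91801C57}
2020-11-18 14:32 - 2020-11-18 14:32 - 000000024 _____ C:\ProgramData\33764.bat
2020-11-18 14:29 - 2020-11-18 22:03 - 000000000 ___HD C:\ProgramData\Windows Host
2020-11-18 14:28 - 2020-11-29 17:39 - 000000000 ____D C:\Users\micecom\Documents\VlcpVideoV1.0.1
2020-12-01 02:07 - 2019-04-20 10:24 - 000000000 ____D C:\Program Files (x86)\INCAInternet
CHR Extension: (Google Translate) - C:\Users\micecom\AppData\Local\Google\Chrome\User Data\Default\Extensions\fnfhfpkmpnmlmlgfeabpegnfpdnmokco [2020-11-18]
"""

# Line shapes assumed from those excerpts, not from any FRST specification.
PRODUCT = re.compile(
    r"^(AV|AS|FW): (.+?) \((Enabled|Disabled)[^)]*\) \{[0-9A-Fa-f-]+\}$")
FILE = re.compile(
    r"^(\d{4}-\d\d-\d\d) \d\d:\d\d - (\d{4}-\d\d-\d\d) \d\d:\d\d - \d+ (\S+) (.+)$")
EXTENSION = re.compile(
    r"^CHR Extension: \((.+?)\) - (.+) \[(\d{4}-\d\d-\d\d)\]$")


def enabled_products(log, kind):
    """Names of registered products of one kind (AV, AS or FW) marked Enabled."""
    names = []
    for line in log.splitlines():
        m = PRODUCT.match(line.strip())
        if m and m.group(1) == kind and m.group(3) == "Enabled":
            names.append(m.group(2))
    return names


def dated(log, day):
    """(path, hidden) for every file, folder or extension line dated `day`.

    A file line counts when either of its two timestamps falls on that day.
    """
    hits = []
    for line in log.splitlines():
        line = line.strip()
        m = FILE.match(line)
        if m:
            if day in (m.group(1), m.group(2)):
                hits.append((m.group(4), "H" in m.group(3)))
            continue
        m = EXTENSION.match(line)
        if m and m.group(3) == day:
            hits.append((m.group(2), False))
    return hits


if __name__ == "__main__":
    firewalls = enabled_products(SAMPLE, "FW")
    if len(firewalls) > 1:
        print("More than one firewall enabled:", ", ".join(firewalls))
    for path, hidden in dated(SAMPLE, "2020-11-18"):
        print("2020-11-18", "(hidden)" if hidden else "        ", path)
```
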