Synthetic Transaction Monitoring that you need for the day to day, which ensures your business website keeps running optimally, and that there is no downtime to impact your customer experience.
Course Of The Month
7 days, 16 hours left to enrollBecome a Premium Member and unlock a new, free course in leading technologies each month.
Solved
adware removal
Posted on 2015-02-11
This is a laptop running Windows 8.1 and IE11. Following some downloads of free games by grandchildren I was left with some unwanted adware and BHOs on the machine. In particular it was impossible to search or visit websites without unwanted pages, ads, videos and sponsored links appearing. I ran a scan with Malwarebytes Anti-Malware which cleared most of it but there were two enabled entries left in the Manage Addons section of IE which looked very suspicious as they were obviously misspelt words. When I tried to disable these I found that the Enable and Disable buttons were grayed out. I subsequently did some Googling and found that I could right click the entries, choose "More Information" and then copy the information there. By pasting the info into Notepad I could copy the Class ID and use this in the registry to delete any entries referring to the addons.
I did this for both entries and they did indeed disappear from IE. For a couple of days everything was fine until suddenly today the ads and unwanted web pages started popping up again. I knew I had not downloaded anything in the meantime but when I looked in the Manage Addons window again there were two new entries, both misspelt but different words to the ones before and once again it is not possible to disable them as the buttons for this are grayed out.
The names of the current suspect Addons are 'loWrrate' and 'offErapP' but I suspect the names mean nothing as the previous ones which I removed had different but similarly unintelligible names. The names appear to refer to marketing terms, Low Rate and Offer App, and the previous ones were of a similar nature. I imagine the misspelling is to confuse adware removal programmes.
Again I have done a full scan with Malwarebytes and also Spybot S&D but nothing is detected. I am currently running a full scan with Windows Defender but nothing to see at this point. Quite obviously there must be something left on the computer that is reinstating these BHOs even when they have been removed and generating new names each time. The only indication I have of what it might be are a few entries in the quarantine section of Windows Defender referring to "adware:win32/saverextensi
I would be very grateful for any expert help so that I can put a stop to this.
I did this for both entries and they did indeed disappear from IE. For a couple of days everything was fine until suddenly today the ads and unwanted web pages started popping up again. I knew I had not downloaded anything in the meantime but when I looked in the Manage Addons window again there were two new entries, both misspelt but different words to the ones before and once again it is not possible to disable them as the buttons for this are grayed out.
The names of the current suspect Addons are 'loWrrate' and 'offErapP' but I suspect the names mean nothing as the previous ones which I removed had different but similarly unintelligible names. The names appear to refer to marketing terms, Low Rate and Offer App, and the previous ones were of a similar nature. I imagine the misspelling is to confuse adware removal programmes.
Again I have done a full scan with Malwarebytes and also Spybot S&D but nothing is detected. I am currently running a full scan with Windows Defender but nothing to see at this point. Quite obviously there must be something left on the computer that is reinstating these BHOs even when they have been removed and generating new names each time. The only indication I have of what it might be are a few entries in the quarantine section of Windows Defender referring to "adware:win32/saverextensi
I would be very grateful for any expert help so that I can put a stop to this.
[X]
Welcome to Experts Exchange
Add your voice to the tech community where 5M+ people just like you are talking about what matters.
- Help others & share knowledge
- Earn cash & points
- Learn & ask questions
2-
2
4 Comments
Active 5 days ago
Hi grigorovsky,
Please run the following and post the logs for further analysis of your system.
I would recommend to scan the system with the tools mentioned below and in the sequence they are mentioned and post the logs
Make sure you DO NOT REBOOT the system after running tools in point 1 & 2.
1. RogueKiller/TheKiller
2. Adwcleaner
3. TDSSKIller
RogueKiller:
http://www.adlice.com/softwares/roguekiller/
Adwcleaner
http://www.bleepingcomputer.com/download/adwcleaner/dl/125/
TDSSKiller
http://media.kaspersky.com/utilities/VirusUtilities/EN/tdsskiller.exe
I would also recommend you to go through the articles from Younghv and RPG for the future reference
Basic Malware Troubleshooting
http://www.experts-exchange.com/A_1940.html
Rogue-Killer-What-a-great-
http://www.experts-exchange.com/A_4922.html
Stop-the-Bleeding-First-Ai
http://www.experts-exchange.com/A_5124.html
So in your next reply post the RogueKiller logs, Adwcleaner and TDSSKIller Logs
Sudeep
Please run the following and post the logs for further analysis of your system.
I would recommend to scan the system with the tools mentioned below and in the sequence they are mentioned and post the logs
Make sure you DO NOT REBOOT the system after running tools in point 1 & 2.
1. RogueKiller/TheKiller
2. Adwcleaner
3. TDSSKIller
RogueKiller:
http://www.adlice.com/softwares/roguekiller/
Adwcleaner
http://www.bleepingcomputer.com/download/adwcleaner/dl/125/
TDSSKiller
http://media.kaspersky.com/utilities/VirusUtilities/EN/tdsskiller.exe
I would also recommend you to go through the articles from Younghv and RPG for the future reference
Basic Malware Troubleshooting
http://www.experts-exchange.com/A_1940.html
Rogue-Killer-What-a-great-
http://www.experts-exchange.com/A_4922.html
Stop-the-Bleeding-First-Ai
http://www.experts-exchange.com/A_5124.html
So in your next reply post the RogueKiller logs, Adwcleaner and TDSSKIller Logs
Sudeep
Ok but in the meantime how can I un-grey the disable button for these two BHOs there must be a registry entry that controls whether the enable\disable buttons can be used or not?
Active 5 days ago
The tools mentioned above would take care of it.
Please run them and let us know how does it look.
Thanks,
Sudeep
Please run them and let us know how does it look.
Thanks,
Sudeep
I used Sysinternals Autoruns to remove the BHOs. I have also scanned again with Malwarebytes and Spybot S&D and installed Kaspersky Internet Security and run a full system scan. A few things came up which have been removed. I also found some rogue folders in the Programme Files folder. All of them had odd misspelt names and included two which had the same name as the rogue BHOs. I have deleted them all and all seems well. I think the greying out of the enable/disable buttons is achieved by adding the CLSID of the BHO to the registry key: HKEY_LOCAL_MACHINE\SOFTWAR
Things are running fine at the moment. I have accepted Sudeep's solution as I am sure this would have worked also.
Things are running fine at the moment. I have accepted Sudeep's solution as I am sure this would have worked also.
Featured Post
Question has a verified solution.
If you are experiencing a similar issue, please ask a related question
When it comes to security, close monitoring is a must. According to WhiteHat Security annual report, a substantial number of all web applications are vulnerable always. Monitis offers a new product - fully-featured Website security monitoring and pr…
- Web Development
- Ransomware
- Cybersecurity
- Security
- Monitis
- Web Servers
Ready for our next Course of the Month? Here's what's on tap for June.
In this video, we discuss why the need for additional vertical screen space has become more important in recent years, namely, due to the transition in the marketplace of 4x3 computer screens to 16x9 and 16x10 screens (so-called widescreen format). …
- Microsoft Legacy OS
- Windows 10
- Windows 8
- Windows OS
- Windows 7
- Windows Vista, Windows XP, Windows 2000
In this Micro Tutorial viewers will learn how to use Boot Corrector from Paragon Rescue Kit Free to identify and fix the boot problems of Windows 7/8/2012R2 etc. As an example is used Windows 2012R2 which lost its active partition flag (often happen…
Suggested Courses
Course of the Month7 days, 16 hours left to enroll
Earn Certification
Cisco CCNP Security: SIMOS
$197.00$177.30
729 members asked questions and received personalized solutions in the past 7 days.
Join the community of 500,000 technology professionals and ask your questions.