Trouble with the instant savings app

tobs

New Member
Thread author
Jun 26, 2013
2
Hi all,
I'm new to this forum and also have pretty little knowledge of malware removal, that's why I ask for help.
Yesterday I tried to download VirtualDub from a page I didn't know, and got an alert from my Avira Free Antivirus. It found this infected file:
'ADWARE/InstallCore.Gen'

Actually, 3 days earlier it found this one as well, but I don't know in which context:
'ADWARE/GFilter.Gen2'

Avira put these files in quarantine, and later I deleted them (I don't know if this is the right way to remove malware).

After that I started to get advertising boxes on the Facebook page ('Ads by Instant Savings').
And all https:// pages gave me security warnings (connection is encoded with 128-bit encoding, and the page contains unsafe resources).

I followed the instructions of your blog: Remove Instant Saving App Adware.
I couldn't find the Instant Savings App in my Control Panel, but another suspicious application whose name I forgot (googled it and it said it was adware as well). I uninstalled every application I didn't know.

I couldn't find the Instant Savings App in my Google Chrome extensions.

After I used AdwCleaner the problem seemed solved.
Avira couldn't find any more malware.

That was yesterday.

Today the adware suddenly appeared again. :huh:
I used AdwCleaner again, but this time without effect.

Malwarebytes and Hitman Pro both couldn't find any malware.
This is the point where I need your advice.

Thank you, and excuse my English, I'm not a native speaker. :)

Attachments

  • OTL.Txt
    64.3 KB · Views: 113
  • aswMBR.txt
    1.6 KB · Views: 82

kuttus

Level 2
Verified
Oct 5, 2012
2,697
Hi and welcome to the malwaretips.com forums!

I'm Kuttus and I am going to try to assist you with your problem. Please take note of the below:
  • I will start working on your malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine!
  • The process is not instant. Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear.
  • If you don't know, stop and ask! Don't keep going on.
  • Please reply to this thread. Do not start a new topic.
  • Refrain from running self fixes as this will hinder the malware removal process.
  • It may prove beneficial if you print off the following instructions or save them to Notepad as I post them.
Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.


Before we start:
Please be aware that removing malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However, it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate taking your computer to a repair shop.

Because of this, I advise you to backup any personal files and folders before you start.
<hr />


STEP 1: Run the below OTL fix
<ol><li>Start <b>OTL.exe</b></li>
<li>Copy/paste the following text written <b>inside of the code box</b> into the <b>Custom Scans/Fixes</b> box located at the bottom of OTL
Code:
:OTL
[2013.06.25 12:59:13 | 000,000,000 | ---D | M] ("Plus-HD-2.3") -- C:\Users\Tobias\AppData\Roaming\mozilla\Firefox\Profiles\wokto3b8.default\extensions\7125a285-7e68-47aa-9d72-e81874f4d47e@d3fcdb92-135d-4a8a-8cf6-11e3b57c5fda.com
[2013.06.25 12:59:17 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Tobias\AppData\Roaming\mozilla\Firefox\Profiles\wokto3b8.default\extensions\7125a285-7e68-47aa-9d72-e81874f4d47e@d3fcdb92-135d-4a8a-8cf6-11e3b57c5fda.com\chrome\content\extensionCode
[2012.10.17 19:35:42 | 000,558,413 | ---- | M] () (No name found) -- C:\Users\Tobias\AppData\Roaming\mozilla\firefox\profiles\wokto3b8.default\extensions\toolbar@web.de.xpi
[2012.03.18 14:52:05 | 000,000,000 | ---D | M] (WEB.DE Toolbar) -- C:\Program Files\Mozilla Firefox\distribution\extensions\toolbar@web.de
File not found (No name found) -- C:\USERS\TOBIAS\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\WOKTO3B8.DEFAULT\EXTENSIONS\FFXTLBR@INCREDIBAR.COM
[2012.03.13 07:23:34 | 000,001,392 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom-de.xml
[2012.03.13 07:06:36 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2012.03.13 07:23:34 | 000,001,153 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay-de.xml
[2012.03.13 07:23:34 | 000,006,805 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\leo_ende_de.xml
[2012.03.13 07:23:34 | 000,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia-de.xml
[2012.03.13 07:23:34 | 000,001,105 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-de.xml
CHR - default_search_provider: search_url = {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:originalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}{google:searchClient}{google:sourceId}{google:instantExtendedEnabledParameter}ie={inputEncoding}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client=chrome&q={searchTerms}&{google:cursorPosition}sugkey={google:suggestAPIKeyParameter}
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} https://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1
O24 - Desktop WallPaper: C:\Users\Tobias\AppData\Roaming\Microsoft\Windows Photo Gallery\Hintergrundbild der Windows-Fotogalerie.jpg
O24 - Desktop BackupWallPaper: C:\Users\Tobias\AppData\Roaming\Microsoft\Windows Photo Gallery\Hintergrundbild der Windows-Fotogalerie.jpg
O33 - MountPoints2\{2af5a9b2-d447-11dd-beaf-001fc67d7d9f}\Shell\AutoRun\command - "" = C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe 218DELL08.vbs
O34 - HKLM BootExecute: (autocheck autochk *)
[2013.06.25 14:27:11 | 000,000,000 | ---D | C] -- C:\Users\Tobias\{148d896c-a18f-42df-89d3-c19ecd45064f}
[2013.06.25 21:27:32 | 000,097,280 | ---- | M] () -- C:\Users\Tobias\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2013.06.25 19:26:12 | 000,012,088 | ---- | M] () -- C:\Users\Tobias\Desktop\Unbenannt 1.odt
[2013.06.24 12:39:34 | 000,685,474 | ---- | M] () -- C:\Windows\System32\perfh007.dat
[2013.06.24 12:39:34 | 000,642,506 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2013.06.24 12:39:34 | 000,149,774 | ---- | M] () -- C:\Windows\System32\perfc007.dat
[2013.06.24 12:39:34 | 000,121,394 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2013.06.25 14:26:16 | 000,000,057 | ---- | C] () -- C:\ProgramData\Ament.ini
[2010.06.01 22:28:37 | 000,019,658 | ---- | C] () -- C:\Users\Tobias\AppData\Roaming\UserTile.png
[2010.02.19 13:47:23 | 000,000,680 | ---- | C] () -- C:\Users\Tobias\AppData\Local\d3d9caps.dat
[2008.12.27 21:00:18 | 000,097,280 | ---- | C] () -- C:\Users\Tobias\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini


:commands
[emptytemp]
[reboot]
<b>NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system</b></li>
<li>Then click the <b>Run Fix</b> button at the top</li>
<li>Let the program run unhindered, reboot when it is done</li>
<li>Attach the new log produced by OTL (C:\_OTL)</li>
</ol>

<hr />

tobs

New Member
Thread author
Jun 26, 2013
2
Hi,
thank you for your help!

I tried to run the OTL fix a couple of times, but after 2 seconds OTL said "no reply" (for more than an hour) and the computer locked up, so I had to reboot.
It got stuck on the process
Processing 034 - HKLM BootExecute: (autocheck autochk*)

Yesterday Avira detected 3 new infected files:
'TR/Dldr.VB.wps' in 'G:\x.exe'
'TR/ATRAPS.Gen2' in 'G:\zzz.dll'
'TR/Dldr.VB.wps' in 'G:\zjxon.exe'

Another odd thing:
Since yesterday I have started to get pop-up windows saying that the Recycle Bin on C: is damaged and asking if I want to delete it.

kuttus

Level 2
Verified
Oct 5, 2012
2,697
For the Recycle Bin error, click on Yes.
Step 1
Try OTL in Safe Mode also.

<h3>STEP 1 : Start your computer in Safe Mode with Networking</h3>
<ol><li>Remove all floppy disks, CDs, and DVDs from your computer, and then <b>restart your computer</b>.</li>
<li><b>Press and hold the F8 key as your computer restarts</b>. Please keep in mind that you need to press the F8 key <b>before the Windows start-up logo appears</b>.
<em>Note</em>: With some computers, if you press and hold a key as the computer is booting you will get a stuck key message. If this occurs, instead of pressing and holding the "F8 key", <b>tap the "F8 key" continuously</b> until you get the Advanced Boot Options screen.</li>
<li>On the Advanced Boot Options screen, use the arrow keys to <b>highlight Safe Mode with Networking</b>, and then <b>press ENTER</b>.
<img title="Safe Mode with Networking screen" src="http://malwaretips.com/images/removalguide/safemode.jpg" alt="[Image: Safemode.jpg]" width="539" height="292" border="0" /></li>
</ol>
<hr />


If Step 1 does not work, go for Step 2.
Step 2

Can you please try to run a scan with Farbar Recovery Scan Tool. You will need a USB (Flash) pendrive.

For x32 (x86) bit systems download Farbar Recovery Scan Tool and save it to a flash drive.
For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Click on Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt

  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the flash drive. Please copy and paste it to your reply.
