Problem: adware and possibly other malware

lehtv

Elite Member
Dec 8, 2010
11,900
74
91
I get ads inserted on various websites (including this very page) that do not belong there, as well as redirections to some less honorable sites when clicking completely normal links. I've noticed no pattern which link might be "infected", it seems random to me.

I've tried Spybot S&D, MSE virus scan, Malwarebytes scan, and Bitdefender adware removal tool. Spybot and Malwarebytes found some unrelated tracking cookies and such.

I do use AdBlock most of the time, which replaces the inserted ads with blank space, and a text with two hyperlinks: "Ad by DiscountSmasher | Close". Clicking "Close" closes the ad. The hyperlink on the text "Ad by DiscountSmasher" is always the same:
Code:
http://advertising-support.com/why.php?type=3&zone=38463281&pid=1748&ext=DiscountSmasher

As a possibly related problem, I have an entry called "HemiListener" from publisher "HemiListener" in Programs and Features. It was installed on 4/9, which is right about when the ad spam began. Attempting to uninstall it, an error message appears:
[screenshot: lw36V2V.png]


Here's the registry entry for this:
[screenshot: 5WAHGrT.png]

rundll32.exe does exist but the date modified is 07/14/2009. But there's no such path as "C:\PROGRA~2\INDEPT~1..." nor is there anything beginning with "INDEPT" in C:\Program Files\ and C:\Program Files (x86)\.

How do I get this HemiListener removed from Programs and Features, and how to proceed with removing the ad spam? Thanks
 

denis280

Diamond Member
Jan 16, 2011
3,434
9
81
In folder options, show hidden files and folders, and look for a folder under that name. Then open Task Manager and stop the service for it. After making a restore point, remove all HemiListener entries in the registry. Restart and do a sfc /scannow.
 

Ketchup

Elite Member
Sep 1, 2002
14,545
236
106
Crap like this usually doesn't uninstall. As long as the uninstaller is still showing, REVO uninstaller may offer some success:
http://www.majorgeeks.com/files/details/revo_uninstaller.html

If you need to go manual:
MSConfig can be a big helper here. It should make it pretty obvious where the app is starting from. Stop it from the Processes tab, then remove the folder in which it resides. Now is also an excellent time to remove anything from the %currentuser%\app data\local\temp folder. A lot of this stuff starts off in, if not still resides in, this folder, if it was not installed (accidentally) with another freeware program.
A lot of times, once you get the program to stop running, programs like Malwarebytes and Superantispyware (I do recommend you try this one) will be able to more easily find it.

If it has made it pretty far into your browser, you may need to create a new identity and delete your current one (assuming the browser you are using supports this).

Once it feels gone, a registry cleaning with CCleaner (the ONLY registry cleaner I recommend, with caution) and deleting old restore points should make sure it doesn't come back.
 

lehtv

Elite Member
Dec 8, 2010
11,900
74
91
Thanks for the replies so far.

In folder options, show hidden files and folders, and look for a folder under that name. Then open Task Manager and stop the service for it. After making a restore point, remove all HemiListener entries in the registry. Restart and do a sfc /scannow.

Couldn't find anything with hidden files visible. Also couldn't find any HemiListener service running. It might be the Programs and Features entry is obsolete and has nothing to do with the ad spam? Maybe I should just delete that registry entry?

Here are all non-Microsoft services from msconfig:
[screenshots: L89Xcci.png, k9P5hFr.png, zMZacMX.png]


Crap like this usually doesn't uninstall. As long as the uninstaller is still showing, REVO uninstaller may offer some success:
http://www.majorgeeks.com/files/details/revo_uninstaller.html

Didn't work :( Same error

If you need to go manual:
MSConfig can be a big helper here. It should make it pretty obvious where the app is starting from. Stop it from the Processes tab, then remove the folder in which it resides. Now is also an excellent time to remove anything from the %currentuser%\app data\local\temp folder. A lot of this stuff starts off in, if not still resides in, this folder, if it was not installed (accidentally) with another freeware program.

Can't find anything suspicious in msconfig

A lot of times, once you get the program to stop running, programs like Malwarebytes and Superantispyware (I do recommend you try this one) will be able to more easily find it.

SuperAntispyware found a DeltaToolbar PUP which "hijacks search and home page and may cause browser redirection". Also found 90 Adware.Tracking Cookie items in chrome and firefox appdata combined.

However, the problem persists.

If it has made it pretty far into your browser, you may need to create a new identity and delete your current one (assuming the browser you are using supports this).

I hope it doesn't come to that :<

Use FreeFixer, and nuke it from orbit.

After the SuperAntispyware scan, FreeFixer found: a toolbar in IE and two Firefox extensions: SpaceeCouuPonApp, CoupMania. But nothing in Chrome and nothing else that seemed suspicious to me.

Next I might try booting up in safe mode and scanning for malware then with only actual OS processes running. Good idea?

How do I enable processes, services, etc. manually to narrow down the culprit? Not sure if this even makes sense with nothing suspicious in msconfig.
 

Charlie98

Diamond Member
Nov 6, 2011
6,292
62
91
FWIW, I just debugged a friend's PC. I had to run about 5 loops of SAS/MBAM/SpyBot to finally cull everything out... one pass just didn't do it.
 

daveybrat

Elite Member
Super Moderator
Jan 31, 2000
5,732
949
126
What you have is considered 'junkware' infections. The standard programs like Malwarebytes, SAS, and spybot won't remove them completely.

These are the 3 programs to run that will fix your issues:

ADWCleaner: http://www.majorgeeks.com/files/details/adwcleaner.html

Junkware Removal Tool (JRT): http://www.majorgeeks.com/files/details/junkware_removal_tool.html

Ultra Adware Killer: http://www.majorgeeks.com/files/details/ultra_adware_killer.html


And IF you still have the problem after running those programs above, then you'll also need to run this:

Roguekiller: http://www.majorgeeks.com/files/details/roguekiller.html
 

Ketchup

Elite Member
Sep 1, 2002
14,545
236
106
Ohhh... interesting. Will give that a try

Let us know what happens. Did you try removing the contents of the user temp folder or checking for rogue running processes?

If you create a new profile in Chrome, do you still see the error?
 

lehtv

Elite Member
Dec 8, 2010
11,900
74
91
Thanks for those, daveybrat.

The problem is now tentatively solved, but there may still be more malware and I should run a few scans just to be sure.

I didn't run the multi pass scans yet, instead I ran those junkware scans. I don't think they found anything related to my problem, just some obsolete program files folders, registry keys left over from a ZoneAlarm install, etc. However, I deleted Chrome's secure preferences file with Ultra Adware Killer. After logging into my chrome account, I went to chrome::addons and interestingly, there was an extension called "Ads by DiscountSmasher" (IIRC, I didn't write it down). I removed it, and voila, no more ad spam. At least so far.

I'm still a bit skeptical though, there could be some files or registry keys left that need cleaning so the problem doesn't resurface. And for some reason, I can't install any addons from Chrome web store, and I read that this might have something to do with hidden malware. Hopefully doing more scans will fix this, but if you know there's another solution to this, let me know!

Did you try removing the contents of the user temp folder or checking for rogue running processes?

I did remove the temp folder. No idea if that had any effect on anything. What killed the ads was removing the relevant addon after deleting Chrome's secure preferences.

I checked for rogue processes using RogueKiller just now, it didn't find anything apart from a false alarm (HyperDesktop which I use for screenshots).
 
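The fix above came down to finding where an extension had been planted in Chrome. The following PowerShell script is an added example (not code from the thread or from any of the tools named in it) that makes that triage repeatable: it lists every extension recorded in each profile's Secure Preferences / Preferences, the registry keys Chrome reads for sideloaded extensions, and the install policies that can force an extension in or block Web Store installs. It assumes Chrome's default profile location under %LOCALAPPDATA% and is read-only.

```powershell
# Added example, not code from the thread. Read-only triage of where Chrome
# extensions on this machine came from; assumes Chrome's default profile
# location under %LOCALAPPDATA%. It reports and deletes nothing.
$userData = Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data'

# 1. Extensions recorded in each profile's Secure Preferences / Preferences.
#    A path outside <profile>\Extensions or FromWebstore = False marks an
#    extension that was sideloaded rather than installed from the Web Store.
Get-ChildItem $userData -Directory |
  Where-Object { $_.Name -eq 'Default' -or $_.Name -like 'Profile *' } |
  ForEach-Object {
    $profileName = $_.Name
    foreach ($file in 'Secure Preferences', 'Preferences') {
      $prefPath = Join-Path $_.FullName $file
      if (-not (Test-Path $prefPath)) { continue }
      $settings = (Get-Content $prefPath -Raw | ConvertFrom-Json).extensions.settings
      if (-not $settings) { continue }
      foreach ($id in $settings.PSObject.Properties.Name) {
        $ext = $settings.$id
        [pscustomobject]@{
          Profile      = $profileName
          Id           = $id
          Name         = $ext.manifest.name
          Version      = $ext.manifest.version
          FromWebstore = [bool]$ext.from_webstore
          Path         = $ext.path
        }
      }
    }
  } | Format-Table -AutoSize

# 2. Registry keys Chrome reads to sideload extensions (path or update_url).
$sideload = 'HKLM:\SOFTWARE\Google\Chrome\Extensions',
            'HKLM:\SOFTWARE\Wow6432Node\Google\Chrome\Extensions',
            'HKCU:\SOFTWARE\Google\Chrome\Extensions'
foreach ($key in $sideload) {
  if (-not (Test-Path $key)) { continue }
  Write-Host "== $key"
  Get-ChildItem $key | Get-ItemProperty |
    Select-Object PSChildName, update_url, path, version | Format-Table -AutoSize
}

# 3. Policies that force-install extensions or block Web Store installs
#    (a blacklist entry of "*" is one reason new add-ons refuse to install).
$policyRoot = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
foreach ($name in 'ExtensionInstallForcelist', 'ExtensionInstallBlacklist') {
  $key = Join-Path $policyRoot $name
  if (Test-Path $key) { Write-Host "== $key"; Get-ItemProperty $key | Format-List }
}
```

Run it from an elevated PowerShell prompt so the HKLM keys are readable; anything it lists that was not installed on purpose is a candidate for removal, after which the profile's extension list should be re-checked.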

inachu

Platinum Member
Aug 22, 2014
2,387
2
41
My advice:
Grab some wine or beer, as you will sit for a long while doing this.
Open your registry: click Start, Run, and type in regedit.

Visit the following locations and delete the stuff if you find strange stuff like random file names:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects


Hijack Points
These registry keys and files can be used to redirect the desktop, network and Internet Explorer:

Item  [O/S]
 1. HKCU\Software\Microsoft\Internet Explorer\Desktop\Components\  [W9x/NTx]
 2. HKCU\Software\Microsoft\Internet Explorer\Main\  [All (4)]
 3. HKCU\Software\Microsoft\Internet Explorer\SearchURL\  [All (4)]
 4. HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\  [All]
 5. HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState  [W9x/NTx]
 6. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\  [All]
 7. HKCU\Software\Policies\Microsoft\Internet Explorer\  [All]
 8. HKCU\Software\Policies\Microsoft\Windows\  [All]
 9. HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\  [W2K+]
10. HKLM\Software\Microsoft\Internet Explorer\Main\  [All (4)]
11. HKLM\Software\Microsoft\Internet Explorer\Search\  [All (4)]
12. HKLM\Software\Microsoft\Internet Explorer\AboutURLs\  [All]
13. HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\  [All]
14. HKLM\Software\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix\  [All]
15. HKLM\Software\Microsoft\Windows\CurrentVersion\URL\Prefixes\  [All]
16. HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore\  [WXP+]
17. HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DataBasePath  [NT4+]
18. %WINDIR%\HOSTS  [W9x]
    %WINDIR%\System32\drivers\etc\HOSTS  [NT4+]
19. %WINDIR%\INF\IERESET.INF  [Note 5]

W9x: Windows 95, Windows 98 (Standard Edition), Windows 98 SE (Second Edition), and Windows Me (Millennium Edition)
NTx: Windows NT 4.0, Windows 2000, and Windows XP
NT4+: Windows NT 4.0, Windows 2000, Windows XP, Windows Vista, and Windows 7
W2K+: Windows 2000, Windows XP, Windows Vista, and Windows 7
WXP+: Windows XP, Windows Vista, and Windows 7
WVa+: Windows Vista and Windows 7
(1): launch point checked by answering "No" at the script's first message box and "Yes" at the message box that follows it, or with the "-supp" or "-all" command line parameters
(2): excluding Windows Me
(3): excluding Windows Me, Windows XP SP2/SP3, Windows Vista, and Windows 7
(4): not checked by Silent Runners; reset by IERESET.INF (except Windows Vista and Windows 7)
(5): Internet Explorer 5.01, 5.5 & 6.0 only
(6): only active if UtilMan service running
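Reading the hijack points above by hand in regedit is slow and error-prone. The PowerShell script below is an added example (not from the post, and not part of the Silent Runners script the table comes from) that dumps the IE and Explorer keys from the list, resolves each Browser Helper Object CLSID to the DLL it loads, and prints any HOSTS entry that is not a comment or loopback line. It assumes 64-bit Windows (hence the Wow6432Node paths) and only reads; nothing is deleted until a human has looked at the output.

```powershell
# Added example, not from the post. Read-only dump of the IE/Explorer hijack
# points listed above; assumes 64-bit Windows. Top-level values only.
$keys = @(
  'HKCU:\Software\Microsoft\Internet Explorer\Main',
  'HKLM:\Software\Microsoft\Internet Explorer\Main',
  'HKCU:\Software\Microsoft\Internet Explorer\SearchURL',
  'HKLM:\Software\Microsoft\Internet Explorer\Search',
  'HKCU:\Software\Microsoft\Internet Explorer\URLSearchHooks',
  'HKLM:\Software\Microsoft\Internet Explorer\AboutURLs',
  'HKLM:\Software\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix',
  'HKLM:\Software\Microsoft\Windows\CurrentVersion\URL\Prefixes',
  'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies',
  'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies',
  'HKCU:\Software\Policies\Microsoft\Internet Explorer'
)
foreach ($key in $keys) {
  if (-not (Test-Path $key)) { continue }
  Write-Host "== $key"
  # Skip the PS* bookkeeping properties so only real registry values are shown
  (Get-ItemProperty $key).PSObject.Properties |
    Where-Object { $_.Name -notlike 'PS*' } |
    ForEach-Object { '  {0} = {1}' -f $_.Name, $_.Value }
}

# Browser Helper Objects: each subkey is a CLSID; resolve it to the DLL it loads.
$bhoKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
           'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
foreach ($bho in $bhoKeys) {
  if (-not (Test-Path $bho)) { continue }
  Write-Host "== $bho"
  foreach ($sub in Get-ChildItem $bho) {
    $clsid = $sub.PSChildName
    $dll = $null
    foreach ($hive in 'HKLM:\SOFTWARE\Classes\CLSID', 'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID') {
      $srv = Join-Path $hive "$clsid\InprocServer32"
      if (Test-Path $srv) { $dll = (Get-ItemProperty $srv).'(default)'; break }
    }
    '  {0} -> {1}' -f $clsid, $(if ($dll) { $dll } else { '<no InprocServer32>' })
  }
}

# HOSTS file: any line that is neither a comment nor a loopback entry deserves a look.
$hosts = Join-Path $env:WINDIR 'System32\drivers\etc\hosts'
Write-Host "== $hosts"
Get-Content $hosts | Where-Object { $_ -match '^\s*[^#\s]' -and $_ -notmatch '^\s*(127\.0\.0\.1|::1)\s' }
```

A BHO whose DLL sits in a temp or random-named folder, a Start Page or SearchURL pointing somewhere unexpected, or a HOSTS line redirecting a well-known domain are the entries to investigate first.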