Ads by AdsAlert, Need an Expert! ;(

Status
Not open for further replies.

lethalshark

About 2 weeks ago I first started getting Ads by Ads Alert. I reset my Chrome browser and it was gone for 3 days, then it came back. I cleared it again and it was gone for 3 days and came back. I checked my extensions, my installed programs, I ran multiple anti-malware programs such as Malwarebytes and AdwareCleaner but all of them came back with no results. I've even tried to check my computer's registry by using ctrl+f to search for things like Ads, Alert, AdsAlert, etc. but didn't come up with anything suspicious (I don't really know where a virus like this may reside inside the registry so I only did ctrl+f which probably isn't the best way to search for it). I need someone with experience with viruses similar to this or even someone who has resolved an issue like this before. I'm kind of desperate at this point as it seems to be getting a tiny bit worse every time it returns :(. Thanks for any help.
 
Solution
Was, perhaps, 7/17 the last time it reappeared? Regardless...it should not be a folder, and it should never be reported as 'not a valid file'. Windows 7 should not be using autoexec normally; IIRC, it might use it when you open up a command line terminal window, but that's all. So I believe it's safe to delete it. If you want to be extra-cautious, rename it first. (If you want more opinions, then create a new question, specifically focused on this, and see what others say.) But if you rename or delete right now...then go back through and repeat the removal steps. Control Panel, Programs, Uninstall; Chrome, Settings, Plugins...that sort of thing.

gangrel

BTW, one *possible* reason it's coming back is a nasty email attachment. This was listed as one of the initial infection paths. And I do recall problems with certain messages with attachments, that would kick back up just when scrolling through the list, past that message. Don't remember the details, as I think that was a couple years ago.

Anyway, hope you can get rid of it.
 

lethalshark



I have not, how would I go about doing that? Also, if this was the case, wouldn't it affect other computers connected?
 

gangrel

On the router, that's in the connection stuff for the router. But you can also do that on the one computer by editing the properties of the network connection. An alternative to Google's servers is OpenDNS's servers:

https://www.opendns.com/home-internet-security/opendns-ip-addresses/


 

lethalshark



Let me read and try this and I'll get back to you.
 

gangrel

It turns out, there are rather too many of these! DiscountBomb is another one. In reading a site's removal steps for this one, one of its last steps is to eliminate the byproducts. It gives the following...they're for DiscountBomb, but the point is, these would all be areas to look for files that don't belong. In most of these, check by date.

%Temp%\Discount Bomb.exe
%Appdata%\Discount Bomb.reg
%Homepath%\[Random].bat
%Allusersprofile%\[Random].ini
%Localappdata%\[Random].dll
%Windir%\SysWOW64\[Random].dll
%Systemroot%\Discount Bomb\[Random].exe
%CommonProgramFiles%\Discount Bomb.ini
%Homedrive%\Discount Bomb\[Random].exe
%Windir%\System32\[Random].dll
%Systemroot%\System32\[Random].dll
%Windir%\System32\drivers\[Random].sys
 

lethalshark



Maybe this is the big break, I'll try it. I changed my internet settings. Although it seems faster, the virus is still not fixed. :/
 

lethalshark



%Windir%\SysWOW64\[Random].dll has TONS of .dll that were last edited on the 15th and before. Not sure what I should do..
EDIT: Same with %Windir%\System32\[Random].dll
 

gangrel

Start using Google to query what they are. If Google can't find any results that seem to fit, it's likely to be from the virus, particularly if the date is any time after you first noted the problem. Also, DLLs in that area should be linked to something you installed, so if you can't link it to something you did, that's another likely strike.
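
An added example (not part of either poster's replies): a PowerShell script that automates the "check by date" pass over the locations listed above and shows, for each recent file, whether it is signed and which company it claims to come from, which is the "can you link it to something you installed" question. It assumes PowerShell 3.0 or later, saved as a .ps1 file; `$Since` and the extension list are illustrative choices, and `%Homepath%` is approximated by the user profile folder.

```powershell
# Added example: list recently changed files in the folders named in the thread.
# $Since is an assumption: set it to shortly before the pop-ups first appeared.
param(
    [datetime]$Since = (Get-Date).AddDays(-45)
)

# Folders from the removal guide quoted above, plus the system drive root
# (where autoexec.bat would sit). Missing folders are skipped.
$roots = @(
    $env:TEMP, $env:APPDATA, $env:LOCALAPPDATA, $env:ALLUSERSPROFILE,
    $env:USERPROFILE, $env:CommonProgramFiles, "$env:SystemDrive\",
    (Join-Path $env:windir 'System32'),
    (Join-Path $env:windir 'SysWOW64'),
    (Join-Path $env:windir 'System32\drivers')
) | Where-Object { $_ -and (Test-Path -LiteralPath $_) } | Select-Object -Unique

$watched  = '.exe', '.dll', '.sys', '.bat', '.ini', '.reg'
$binaries = '.exe', '.dll', '.sys'

$findings = foreach ($root in $roots) {
    # -Force includes hidden and system files. No -Recurse: the guide lists
    # files sitting directly in these folders.
    Get-ChildItem -LiteralPath $root -File -Force -ErrorAction SilentlyContinue |
        Where-Object {
            ($watched -contains $_.Extension.ToLower()) -and
            ($_.LastWriteTime -ge $Since -or $_.CreationTime -ge $Since)
        } |
        ForEach-Object {
            $status = $null
            if ($binaries -contains $_.Extension.ToLower()) {
                # Status is Valid, NotSigned, HashMismatch, and so on.
                $status = (Get-AuthenticodeSignature -LiteralPath $_.FullName).Status
            }
            [pscustomobject]@{
                Path      = $_.FullName
                Created   = $_.CreationTime
                Modified  = $_.LastWriteTime
                Attribs   = $_.Attributes
                Signature = $status
                Company   = $_.VersionInfo.CompanyName
            }
        }
}

# Newest first; unsigned binaries with no company name deserve the first look.
$findings | Sort-Object Modified -Descending | Format-Table -AutoSize -Wrap
```

A `NotSigned` result is a reason to look closer, not a verdict: many legitimate Windows files are signed through a catalog rather than in the file itself, and older PowerShell versions do not check catalogs.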
 

lethalshark



Holy hell this might take a while, especially with the virus creating popups every 2 minutes
 

gangrel

Hmm...something that might be worth doing in the meantime, would be to bring up Task Manager and see what's running there. (To make life simpler, shut down any other programs except chrome and your AV.)
 

lethalshark



Yeah, checking processes doesn't give me any info. :(
 

lethalshark



Oh my god, I may have found it.. Autoexec.bat was last edited the day the virus first appeared.... If I'm not wrong, the virus is set to run now whenever I boot my PC. But I'm not sure... My issue is that if this is the situation, how do I get rid of it without completely destroying my pc...
 

gangrel

OK. One could hope.

I'm thinking now that maybe you also want to review all your Chrome plugins and extensions. I assume you've already removed any explicit AdsAlert plugin, as that's included in the removal instructions. In case, tho, another plugin is acting as the backdoor, try stripping Chrome down to its bare bones by disabling most stuff. If you already tried this as part of resetting Chrome, then it probably won't help. But it seems clear that there is SOME remnant...a DLL, an INI file, a BAT file...that resurrects the damned thing. A plugin that you don't explicitly remember adding, could be the culprit. Gods know, I've blasted through some software updates or installs without thinking about it, and seen them ram the Ask toolbar (Flash) down my throat, or a few other, similar things. I *hate* this. CNet and SoftPedia are both notorious for doing this; never, ever download from them. I'm just tossing out ideas, as I don't know what you've done...maybe if something rings a bell it'll help.
 

lethalshark



It has to be autoexec.bat. It was edited the day the virus appeared and hasn't been edited since. I can confirm the virus appeared on 6/17/15 because on that day I went out of town for a month and the virus wasn't on the night before...

EDIT: Trying to open the file says: C:/Autoexec.bat is not a valid win32 file. Also it is hidden. Sorry but I have no idea on how to edit/open this file... :/
 

lethalshark



Well it seems it was just a coincidence, nothing is happening in autoexec.bat. D: Back to the drawing board for me...
 

gangrel

In Explorer, open a window at your C: drive level. Click on Organize, view folder options, then View. There's a few things to change: you want to show hidden files, and show protected operating system files.

The fact that it's saying it's not a valid win32 file is damning. So is this: I did as I mentioned above, and I don't even *see* an autoexec.bat. When you combine all these points together...it's proof beyond a reasonable doubt that this is the culprit.
 

gangrel

BTW: in explorer, right-click on the file, then select Properties. You should see the Hidden box checked, near the bottom of the dialog. Uncheck that and it should be visible. Click OK. Now, right-click again. A legit BAT file is a text file, straight ASCII. Windows, in the right-click menu, should have an Edit File menu entry. Try that. That uses Notepad. If you get random crap, it's code.
 

lethalshark



Well, the date was incorrect :/ it was changed 7/17/15 not 6/17. If you still believe that it may be the culprit then that's fine. I already have show hidden files on, when I go to Computer/Local Disk (C:) I see autoexec.bat as a hidden folder. When I click on it, it tells me it's not a valid win32 file.

EDIT: Although the file is hidden, it is not checked as hidden. My mind is blown...
DOUBLE EDIT: When I edit the file as a notepad, it is COMPLETELY 100% EMPTY.
 