Ads by AdsAlert, Need an Expert! ;(

lethalshark

Honorable
Jan 18, 2014
25
0
10,590
1
About 2 weeks ago I first started getting Ads by Ads Alert. I reset my Chrome browser and it was gone for 3 days, then it came back. I cleared it again and it was gone for 3 days and came back. I checked my extensions, my installed programs, I ran multiple anti-malware programs such as Malwarebytes and AdwareCleaner but all of them came back with no results. I've even tried to check my computer's registry by using ctrl+f to search for things like Ads, Alert, AdsAlert, etc. but didn't come up with anything suspicious( I don't really know where a virus like this may reside inside the registry so I only did ctrl+f which probably isn't the best way to search for it). I need someone with experience with viruses similar to this or even someone who has resolved an issue like this before. I'm kind of desperate at this point as it seems to be getting a tiny bit worse every time it returns :(. Thanks for any help..
 

gangrel

Honorable
Jun 4, 2012
61
0
10,610
6
Was, perhaps, 7/17 the last time it reappeared? Regardless...it should not be a folder, and it should never be reported as 'not a valid file'. Windows 7 should not be using autoexec normally; IIRC, it might use it when you open up a command line terminal window, but that's all. So I believe it's safe to delete it. If you want to be extra-cautious, rename it first. (If you want more opinions, then create a new question, specifically focused on this, and see what others say.) But if you rename or delete right now...then go back through and repeat the removal steps. Control Panel, Programs, Uninstall; Chrome, Settings, Plugins...that sort of thing.
 

gangrel

Honorable
Jun 4, 2012
61
0
10,610
6
Found this:
http://howtoremove.guide/remove-ads-by-adsalert/

and this
http://www.virusresearch.org/remove-adsalert-ads-chrome-firefox-ie/

Hope that helps.
 

gangrel

Honorable
Jun 4, 2012
61
0
10,610
6
BTW, one *possible* reason it's coming back is a nasty email attachment. This was listed as one of the initial infection paths. And I do recall problems with certain messages with attachments, that would kick back up just when scrolling through the list, past that message. Don't remember the details, as I think that was a couple years ago.

Anyway, hope you can get rid of it.
 

lethalshark

Honorable
Jan 18, 2014
25
0
10,590
1


I have not, how would I go about doing that? Also, if this was the case, wouldn't it affect other computers connected?
 

gangrel

Honorable
Jun 4, 2012
61
0
10,610
6
On the router, that's in the connection stuff for the router. But you can also do that on the one computer by editing the properties of the network connection. An alternative to Google's servers is OpenDNS's servers:

https://www.opendns.com/home-internet-security/opendns-ip-addresses/


 

lethalshark

Honorable
Jan 18, 2014
25
0
10,590
1


Let me read try this and I'll get back to you.
 

gangrel

Honorable
Jun 4, 2012
61
0
10,610
6
It turns out, there are rather too many of these! DiscountBomb is another one. In reading a site's removal steps for this one, one of its last steps is to eliminate the byproducts. It gives the following...they're for DiscountBomb, but the point is, these would all be areas to look for files that don't belong. In most of these, check by date.

%Temp%\Discount Bomb.exe
%Appdata%\Discount Bomb.reg
%Homepath%\[Random].bat
%Allusersprofile%\[Random].ini
%Localappdata%\[Random].dll
%Windir%\SysWOW64\[Random].dll
%Systemroot%\Discount Bomb\[Random].exe
%CommonProgramFiles%\Discount Bomb.ini
%Homedrive%\Discount Bomb\[Random].exe
%Windir%\System32\[Random].dll
%Systemroot%\System32\[Random].dll
%Windir%\System32\drivers\[Random].sys
 

lethalshark

Honorable
Jan 18, 2014
25
0
10,590
1


Maybe this is the big break, I'll try it. I changed my internet settings. Although it seems faster, the virus is still not fixed. :/
 

lethalshark

Honorable
Jan 18, 2014
25
0
10,590
1


%Windir%\SysWOW64\[Random].dll has TONS of .dll that were last edited on the 15 and before. Not sure what I should do..
EDIT: Same with %Windir%\System32\[Random].dll
 

gangrel

Honorable
Jun 4, 2012
61
0
10,610
6
Start using Google to query what they are. If Google can't find any results that seem to fit, it's likely to be from the virus, particularly if the date is any time after you first noted the problem. Also, DLLs in that area should be linked to something you installed, so if you can't link it to something you did, that's another likely strike.
 

lethalshark

Honorable
Jan 18, 2014
25
0
10,590
1


Holy hell this might take a while, especially with the virus creating popups every 2 minutes
 

gangrel

Honorable
Jun 4, 2012
61
0
10,610
6
Hmm...something that might be worth doing in the meantime, would be to bring up Task Manager and see what's running there. (To make life simpler, shut down any other programs except chrome and your AV.)
 

lethalshark

Honorable
Jan 18, 2014
25
0
10,590
1


Yeah, checking processes doesn't give me any info. :(
 

lethalshark

Honorable
Jan 18, 2014
25
0
10,590
1


Oh my god, I may have found it.. Autoexec.bat was last edited the day the virus first appeared.... If I'm not wrong, the virus is set to run now whenever I boot my PC. But I'm not sure... My issue is that if this is the situation, how do I get rid of it without completely destroying my pc...
 

gangrel

Honorable
Jun 4, 2012
61
0
10,610
6
OK. One could hope.

I'm thinking now that maybe you also want to review all your Chrome plugins and extensions. I assume you've already removed any explicit AdsAlert plugin, as that's included in the removal instructions. In case, tho, another plugin is acting as the backdoor, try stripping Chrome down to its bare bones by disabling most stuff. If you already tried this as part of resetting Chrome, then it probably won't help. But it seems clear that there is SOME remnant...a DLL, an INI file, a BAT file...that resurrects the damned thing. A plugin that you don't explicitly remember adding, could be the culprit. Gods know, I've blasted through some software updates or installs without thinking about it, and seen them ram the Ask toolbar (Flash) down my throat, or a few other, similar things. I *hate* this. CNet and SoftPedia are both notorious for doing this; never, ever download from them. I'm just tossing out ideas, as I don't know what you've done...maybe if something rings a bell it'll help.
 

lethalshark

Honorable
Jan 18, 2014
25
0
10,590
1


It has to be autoexec.bat. It was edited the day the virus appeared and hasn't been edited since. I can confirm the virus appeared on 6/17/15 because on that day I went out of town for a month and the virus wasn't on the night before...

EDIT: Trying to open the file says: C:/Autoexec.bat is not a valid win32 file. Also it is hidden. Sorry but I have no idea on how to edit/open this file... :/
 

ASK THE COMMUNITY