Ads by AdsAlert, Need an Expert! ;(

[lethalshark]

About 2 weeks ago I first started getting Ads by Ads Alert. I reset my Chrome browser and it was gone for 3 days, then it came back. I cleared it again and it was gone for 3 days and came back. I checked my extensions, my installed programs, I ran multiple anti-malware programs such as Malwarebytes and AdwareCleaner but all of them came back with no results. I've even tried to check my computer's registry by using ctrl+f to search for things like Ads, Alert, AdsAlert, etc. but didn't come up with anything suspicious( I don't really know where a virus like this may reside inside the registry so I only did ctrl+f which probably isn't the best way to search for it). I need someone with experience with viruses similar to this or even someone who has resolved an issue like this before. I'm kind of desperate at this point as it seems to be getting a tiny bit worse every time it returns . Thanks for any help..

 

[lethalshark]

WELL! OK, hold off on the plugins, and look at what the HECK is going on in autoexec.

Well it seems it was just a coincidence, nothing is happening in autoexec.bat. D: Back to the drawing board for me...

 

[gangrel]

In Explorer, open a window at your C: drive level. Click on Organize, view folder options, then View. There's a few things to change: you want to show hidden files, and show protected operating system files.

The fact that it's saying it's not a valid win32 file is damning. So is this: I did as I mentioned above, and I don't even *see* an autoexec.bat. When you combine all these points together...it's proof beyond a reasonable doubt that this is the culprit.

 

[gangrel]

BTW: in explorer, right-click on the file, then select Properties. You should see the Hidden box checked, near the bottom of the dialog. Uncheck that and it should be visible. Click OK. Now, right-click again. A legit BAT file is a text file, straight ASCII. Windows, in the right-click menu, should have an Edit File menu entry. Try that. That uses Notepad. If you get random crap, it's code.

 

[lethalshark]

In Explorer, open a window at your C: drive level. Click on Organize, view folder options, then View. There's a few things to change: you want to show hidden files, and show protected operating system files.

The fact that it's saying it's not a valid win32 file is damning. So is this: I did as I mentioned above, and I don't even *see* an autoexec.bat. When you combine all these points together...it's proof beyond a reasonable doubt that this is the culprit.

Well, the date was incorrect it was changed 7/17/15 not 6/17. If you still believe that it may be the culprit then that's fine. I already have show hidden files on, when I go to Computer/Local Disk (C I see autoexec.bat as a hidden folder. When I click on it, it tells me it's not a valid win32 file.

EDIT: Although the file is hidden, it is not checked as hidden. My mind is blow...
DOUBLE EDIT: When I edit the file as a notepad, it is COMPLETELY 100% EMPTY.

 

[lethalshark]

If this doesn't turn out to be it, I found another sketchy thing that might be an issue.

 

[gangrel]

Was, perhaps, 7/17 the last time it reappeared? Regardless...it should not be a folder, and it should never be reported as 'not a valid file'. Windows 7 should not be using autoexec normally; IIRC, it might use it when you open up a command line terminal window, but that's all. So I believe it's safe to delete it. If you want to be extra-cautious, rename it first. (If you want more opinions, then create a new question, specifically focused on this, and see what others say.) But if you rename or delete right now...then go back through and repeat the removal steps. Control Panel, Programs, Uninstall; Chrome, Settings, Plugins...that sort of thing.

 

[lethalshark]

Was, perhaps, 7/17 the last time it reappeared? Regardless...it should not be a folder, and it should never be reported as 'not a valid file'. Windows 7 should not be using autoexec normally; IIRC, it might use it when you open up a command line terminal window, but that's all. So I believe it's safe to delete it. If you want to be extra-cautious, rename it first. (If you want more opinions, then create a new question, specifically focused on this, and see what others say.) But if you rename or delete right now...then go back through and repeat the removal steps. Control Panel, Programs, Uninstall; Chrome, Settings, Plugins...that sort of thing.

I'll do more research on autoexec.bat and why it's invalid. Is it supposed to be empty? Also I found 3 files in System32 drivers all 3 related to malware-bytes and malware-bytes chameleon, unusual thing is, they were installed weeks before I actually installed malware-bytes and were edited a day after the virus first appeared. The files are mwac.sys, mbamchameleon.sys and mbam.sys. I'm gonna try deleting them since obviously if they are legitimate malwarebytes files, they aren't doing a good job anyways

 

[lethalshark]

autoexec.bat isn't a folder, it says its a legit batch file. But when I click it says it's not a valid win32 file, and when I open it with notepad, it is completely empty.

 

[lethalshark]

I'll give you the best answer, you've by faaaaaaaaaarrrr been the most helpful. I hope that I can still resolve this one.

 

[gangrel]

Thank you. The problem is that each of these infections has their own, individual infection characteristics and traces, so it's hard to get too specific. One has to follow general paths.

Gonna mention one last thing. I have too many ways to connect to the net for any sane person. I can use a Chromebox, an Ubuntu system, or Android...as well, of course, as Windows. And I have an Android Remix picked up through Kickstarter, just for grins. The attractive point, tho, is...unless my router got infected...I can strongly expect that I have a clean system. You noted that using Google to check the DLLs got to be tedious because of the popups...I wouldn't have that. And both the Chromebox and Linux system won't be prey to anything designed to infect Windows. So, while I haven't completely done this yet, I do intend to move basically all of my web activity off Windows platforms.

Is this a reason in and of itself to get one of these? No, but I think they're well worth considering. This whole conversation has been from my Linux box, which is my standard browsing system because it's just a little Zotac CI320 with 8 gig and an m.2 120 gig SSD. Monitor's mounted on a VESA mounting arm. Whole thing is right next to by lounger in the living room.

 

[lethalshark]

Thank you. The problem is that each of these infections has their own, individual infection characteristics and traces, so it's hard to get too specific. One has to follow general paths.

Gonna mention one last thing. I have too many ways to connect to the net for any sane person. I can use a Chromebox, an Ubuntu system, or Android...as well, of course, as Windows. And I have an Android Remix picked up through Kickstarter, just for grins. The attractive point, tho, is...unless my router got infected...I can strongly expect that I have a clean system. You noted that using Google to check the DLLs got to be tedious because of the popups...I wouldn't have that. And both the Chromebox and Linux system won't be prey to anything designed to infect Windows. So, while I haven't completely done this yet, I do intend to move basically all of my web activity off Windows platforms.

Is this a reason in and of itself to get one of these? No, but I think they're well worth considering. This whole conversation has been from my Linux box, which is my standard browsing system because it's just a little Zotac CI320 with 8 gig and an m.2 120 gig SSD. Monitor's mounted on a VESA mounting arm. Whole thing is right next to by lounger in the living room.

Well hell, contacted McAfee support and they went into my PC and cleared it up in an hour. It was really deep in the damn registry named a bunch of random characters.