0

Recently we got a user who had some malware on his machine -- we've run our McAfee VirusScan Enterprise software, Malwarebytes Anti-Malware, ComboFix, AdwCleaner and HijackThis, just to name a few applications. I've also combed through his installed programs, browser extensions/add-ons, reset browser settings, etc., but it seems that even after the malware was "removed" from his system (according to the anti-virus/anti-malware apps), random ads still seem to show up within the browser window and off to the right side of the window, with "ads by jabuticaba" written on the bottom of the ads.

I checked for suspicious processes and locations, e.g. AppData directories, ProgramData, temp, etc., but couldn't seem to locate anything. Also tried re-profiling/other Windows profiles, but the issue still re-occurs there.

Is there any way to maybe pinpoint how and from where these ads are loading into the browsers via tools/utilities?

SomeITGuy
  • 17
  • 1

2 Answers

2

Check the properties of two files, C:\Windows\System32\dnsapi.dll and C:\Windows\SysWOW64\dnsapi.dll. If you find they have a "Date modified" around about the time you got the infection, then those files are infected and you need to replace them with uninfected versions. The infection does not change other properties like file size and version; you can only tell they are infected by the Date modified. That means you can use the infected files to find out what version of the uninfected files you need, because the version numbers are unchanged. Once you know the version numbers, go and find those uninfected files on a different, uninfected system, making sure that the Modified dates look correct, e.g. compare to other system DLLs.

These were the full steps I used to disinfect a Windows 8.1 system manually. It was also suffering from not being able to print because the print spooler would not start, and Windows Update and anti-virus update programs would not update, saying there was no Internet connection. Also, Ads by Jabuticaba was occasionally replaced by Ads by Shopperz and Ads by LaSuperba, but all in the same format. As you will observe, fixing this took considerable time - a couple of days - perhaps some of these steps can be shortcut, but this is how I eventually fixed the problem.

  1. Uninstalled all obvious adware type programs

  2. Removed all obvious adware type toolbars from Internet Explorer (I am not using Chrome or Firefox)

  3. Download and run free editions of the following anti-virus/anti-malware programs, run them repeatedly until they all find nothing (none of the updaters will work first time):
     3.1 AVG
     3.2 Malwarebytes
     3.3 Spybot Search and Destroy

  4. Reset the TCP stack to cure printing and updating:
     4.1 Type CMD in the Windows search function, right-click the Command Prompt item found, and click Run as administrator
     4.2 Type and hit enter for these two commands:
         netsh int ipv4 reset
         netsh int ipv6 reset

  5. Re-run the above listed free editions of anti-virus/anti-malware programs; this time they should update. Re-run them repeatedly until they find nothing

  6. Run the free edition of the ESET online scanner (it found a few more threats)

  7. Replace the two dnsapi.dll files listed above in the introduction to this reply

  8. Flush DNS in another elevated command prompt using command: ipconfig /flushdns

  9. Re-start Windows

colinp_1
  • 21
  • 3
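The "Date modified" test from the answer above, as an added PowerShell example (not code from the original answer or its author). It applies the check to both dnsapi.dll copies and adds two things the answer does not spell out: a count of how many other System32 DLLs changed in the same window (a genuine Windows Update touches many files at once, so a lone dnsapi.dll change stands out) and the file's Authenticode status. The script name, the $InfectionDate default and the "fewer than 5 peer DLLs" threshold are assumptions; set $InfectionDate to when the ads first appeared.

```powershell
# Check-DnsApi.ps1 -- added example, not part of the original answer.
# Flags dnsapi.dll copies whose "Date modified" falls near the infection date
# while few other System32 DLLs changed, and reports version + signature.
param(
    [datetime]$InfectionDate = (Get-Date).AddDays(-14),   # placeholder: date the ads appeared
    [int]$WindowDays = 3                                    # +/- days around that date
)

$windowStart = $InfectionDate.AddDays(-$WindowDays)
$windowEnd   = $InfectionDate.AddDays($WindowDays)

# The two files the answer tells you to inspect.
$targets = @(
    "$env:SystemRoot\System32\dnsapi.dll",
    "$env:SystemRoot\SysWOW64\dnsapi.dll"
)

# Baseline for "compare to other system DLLs": how many System32 DLLs were
# modified inside the same window. This count includes dnsapi.dll itself.
$peersInWindow = @(Get-ChildItem "$env:SystemRoot\System32\*.dll" -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -ge $windowStart -and $_.LastWriteTime -le $windowEnd }).Count

foreach ($path in $targets) {
    if (-not (Test-Path $path)) {
        Write-Warning "$path not found"
        continue
    }
    $file = Get-Item $path
    $sig  = Get-AuthenticodeSignature -FilePath $path
    $modifiedInWindow = ($file.LastWriteTime -ge $windowStart) -and ($file.LastWriteTime -le $windowEnd)

    [pscustomobject]@{
        Path             = $path
        DateModified     = $file.LastWriteTime
        # Version and size are unchanged by the infection; use the version to
        # locate a clean copy of the same build.
        FileVersion      = $file.VersionInfo.FileVersion
        SizeBytes        = $file.Length
        ModifiedInWindow = $modifiedInWindow
        PeerDllsInWindow = $peersInWindow
        SignatureStatus  = $sig.Status
        Signer           = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        # Assumed heuristic: a signature that no longer validates, or a change
        # in the window that fewer than 5 other DLLs share, is worth a closer look.
        Suspicious       = ($sig.Status -ne 'Valid') -or ($modifiedInWindow -and $peersInWindow -lt 5)
    }
}
```

Run it from an elevated PowerShell prompt as `.\Check-DnsApi.ps1 -InfectionDate '2015-06-01'` (date is a placeholder). System DLLs are catalog-signed rather than carrying an embedded signature, so a tampered copy usually reports NotSigned rather than HashMismatch, and on Windows versions older than 8 a clean catalog-signed file can also report NotSigned; in that case treat the signature column as advisory and confirm with `sfc /verifyfile=C:\Windows\System32\dnsapi.dll`, which checks the file against the component store.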
1

I know the other answer is very detailed and well thought out, but your best bet is sincerely just reimaging the machine. It's standard practice at most places when an infection is suspected.

Michael Bailey
  • 462
  • 2
  • 12