Chrome windows opening automatically with spam sites


8 replies to this topic

#1 freestud

freestud

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:05:53 AM

Posted 24 August 2014 - 12:16 AM

Hey all, I've got a serious issue that I can't seem to find an answer for. I've done a lot of virus & malware removal in the past, but this one has got me stumped. I'm not sure if I should be posting here or in the Troubleshooting forum, so please feel free to move it if need be.

 

Last Wednesday evening I was watching a movie file when spam websites began popping up on my screen every 10-30 seconds. They open in Google Chrome, but they do not show a Chrome icon on the taskbar and when trying to open the settings in-browser, the menu just goes away in 1 second. The sites it shows are almost always different, ranging from searchacity.com (most often), younghollywood.com, workingmothertv.com, nickmom.com, gameshok.com and many more. They will often close themselves after a few seconds if there is no internet connection, or they have been minimized. They can be closed, but new ones always pop back up again. When they are minimized, they show as a small bar in the bottom left corner.

 

In Task Manager, the open windows show up as browser32.exe & can be ended from there. I've also noticed a few strange processes (csrss.exe, atieclxx.exe, etc), but most have legitimate causes. In MSConfig, I found one process in startup called UIHumble (I, not a lowercase L) that has no Google results for it. I've stopped that startup item, so we'll see if it makes a difference next startup.

 

Scans with Malwarebytes, AdwCleaner, Kaspersky, ESET, Avast, and others have found nothing. I've searched my add/remove programs, I've gone through all Google Chrome extensions, and the only one I wasn't sure of was Adblock, which I turned off with no results. I also completely uninstalled Google Chrome, but this didn't stop the issue. It's almost as if the popup browser is a Chrome look-alike.

 




#2 noknojon

noknojon

  • Banned
  • 10,871 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:10:53 PM

Posted 24 August 2014 - 01:20 AM

Hello freestud -

 

We would normally start with a clean copy of RKill by Grinler, and follow with a fresh updated version of AdwCleaner, then Junkware Removal Tool and Malwarebytes Anti-Malware, but you say that these have been used so far.

 

Remove all of the downloaded programs Malwarebytes (can be updated), AdwCleaner (open the program and hit Uninstall), Junkware Removal Tool (can be installed) and we will also run ESET onLine Scanner -

 

Now, quietman7 from here has also put his 3 step pop-up remover diagnostics, and you have attempted a few of these, but they often work, along with resetting your home page -

 

NOTE: These are the most common solutions to eliminating the pop-up ads.

1. Go to Add/Remove Programs in Control Panel or Programs and Features if using Vista/Windows 7/8. From within Add/Remove Programs look for anything that is odd and select Remove.

2. Open your browser and disable (uncheck) all extensions. Make a list, then one by one, re-enable each extension to see if the pop-ups start appearing again with that particular extension. Once you identify the responsible extension...permanently remove it but let me know which one it was so I can update the above list.
* How to Disable Extensions in Google Chrome - How to Uninstall Extensions in Google Chrome
* How To Disable Individual Plug-ins in Google Chrome <- try only if the above does not work
* How to Disable Extensions and Plugins in Firefox - How to Remove Extensions/Uninstall Plugins in Firefox
* How to Disable Extensions in Internet Explorer
* How to Disable Add-ons/Extensions in Internet Explorer, Firefox and Google Chrome
* How to Disable all add-ons in Firefox, Internet Explorer

3. If the above did not resolve the problem, then create a new browser user profile.
* How to Create a new browser user profile in Google Chrome
* How to Create a new browser user profile in Firefox
* How to Create a new browser user profile in Opera, Internet Explorer, Firefox, Chrome

 

 

 

Temporarily Disable your Antivirus

Run ESET Online Scanner for Internet Explorer users = ...

  • Hold down Control and click on This Link to open ESET OnlineScan in a new window.
  • Click the ESET Online button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
  • Click on esetsmartinstaller_enu. to download the ESET Smart Installer. Save it to your desktop.
  • Double click on the esetsmartinstaller_enu icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives and Remove Threats"
  • Click Advanced settings and select the following:
    Scan potentially unwanted applications
     Scan for potentially unsafe applications
     Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this will take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.

NOTE: Sometimes if ESET finds no infections it will not create a log.

 

If all of these steps have been completed, the Malware Removal Forum area may be the best place to ask.

 

We will guide you there - Thank You -



#3 freestud

freestud
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:05:53 AM

Posted 25 August 2014 - 08:20 AM

Thanks for the reply, noknojon.
 
I've done most of what you said, with a few exceptions. As I mentioned in my first post, I have uninstalled Google Chrome, so I no longer have access to the extension list. Although I can tell you that there were only 3, one being "Adblock" and the others being Norton & Avast. I even checked for developer extensions and there were none showing. After having uninstalled Chrome & restarted my system, the popups are no longer showing, but an error keeps coming up like this:
GoogleChromeerror.jpg
 
I had started running ESET before starting this thread & it found 12 threats, most of which were false positives from NCH Software, but 2 of which were suspicious items I had noticed before. One of them was that UIHumble.dll & another I can't remember, both with a name like Trojan.Kryptic. Unfortunately, ESET had completed its scan, but when I went to finish the process, it gave an error having timed out. I had to close out of the page in order to re-run ESET and didn't write down what it had found.
 
Hopefully I didn't screw up the process too much. I'll let you know what ESET finds when it's done. Thanks!

Edited by freestud, 25 August 2014 - 10:49 AM.


#4 noknojon

noknojon

  • Banned
  • 10,871 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:10:53 PM

Posted 25 August 2014 - 08:13 PM

Thanks for your reply (a bit unexpected) and I do hope you find something.

 

**I have not said this** - Only if you are a qualified Malware Removal person (only), then try Combofix, if not please post to our Malware removal area as below.

 

 

Please follow the instructions in ==>This Prep Guide<== starting at Step 6.

Once the proper logs are created, then make a NEW TOPIC and post it ==>HERE<==

NOTES : If you cannot produce any of the logs, then please create the new topic anyway, include the information that you were unable to produce the logs and why along with a description of your computer issues.
Please do not ever run ComboFix unless a Malware Response Team Member instructs you to do so.

 

Keep us updated -

Regards -



#5 freestud

freestud
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:05:53 AM

Posted 27 August 2014 - 10:30 AM

I could work with ComboFix, as I believe I've used it once before, but I'm not sure what it means to be qualified in regards to it.

 

ESET took 3 days to complete the scan and I'm posting the log below. It found some false positives with NCH Software & a few others, so I went to restore those by clicking on "Manage Quarantine List", choosing them, & clicking "Restore". But as soon as I did, the page became unresponsive & when I went to restore it, it took me back to the beginning. I'm not sure I can live with my computer being slowed down dramatically for another 3 days while the scan runs again. I also have noticed that I'm not getting the popups or the error message that I was getting before. However, I'm not sure that ESET ever completed its work in quarantining the bad stuff.

 

Here's the log:

C:\Users\John Michael\AppData\Local\Temp\NODA382.tmp a variant of Win32/Kryptik.CJGL trojan cleaned by deleting - quarantined
E:\Users\John Michael\Downloads\Software\ccsetup413.exe Win32/Bundled.Toolbar.Google.D potentially unsafe application deleted - quarantined
E:\Users\John Michael\Downloads\Software\PhotoScape_V3.6.5.exe Win32/OpenCandy potentially unsafe application deleted - quarantined
F:\downloads\Software\Troubleshooting\ccsetup416.exe Win32/Bundled.Toolbar.Google.D potentially unsafe application deleted - quarantined

 

There were others that showed on the list, but didn't appear in the log. They must have been from the other scans I had that stopped working. I am running ESET again from the app.exe that installed in my Program Files.

 

Let me know if you or someone else can walk me through what to do with ComboFix after the prep guide.

 

Thanks again!
 



#6 noknojon

noknojon

  • Banned
  • 10,871 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:10:53 PM

Posted 27 August 2014 - 05:31 PM

I could work with ComboFix, as I believe I've used it once before, but I'm not sure what it means to be qualified in regards to it.

Do NOT touch or even look at the program, as I confused you with another case I had at the same time - My fault 100% -

You may make the wrong call, and your computer will freeze and lock up - (again sorry) -

 

I do believe that your computer needs better attention than what I am providing, so please follow Post #4 and ignore all others.

The only program you can run and post back a log on is this >>

 

Please download Rkill (courtesy of BleepingComputer.com) to your desktop.
There are 2 different versions. If one of them won't run then download and try to run the other one.
You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

rKill.exe: http://www.bleepingcomputer.com/download/rkill/dl/10/
iExplore.exe (renamed rKill.exe): http://www.bleepingcomputer.com/download/rkill/dl/11/

* Double-click on the Rkill desktop icon to run the tool.
* If using Vista or Windows 7 right-click on it and choose Run As Administrator.
* A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
* If not, delete the file, then download and use the one provided in Link 2.
* Do not reboot until instructed.<< If there is no reply after 1 hour, ignore this
* If the tool does not run from any of the links provided, please let us know.

If normal mode still doesn't work, run the tool from safe mode.

When the scan is done Notepad will open with rKill log.
Post it in your next reply.

NOTE. rKill.txt log will also be present on your desktop.



#7 freestud

freestud
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:05:53 AM

Posted 28 August 2014 - 05:24 PM

No worries, I didn't run Combofix.

After running Rkill, this is what I got:

Rkill 2.6.8 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2014 BleepingComputer.com
More Information about Rkill can be found at this link:
http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 08/28/2014 04:18:46 PM in x64 mode.
Windows Version: Windows 7 Ultimate Service Pack 1

Checking for Windows services to stop:

* No malware services found to stop.

Checking for processes to terminate:

* No malware processes found to kill.

Checking Registry for malware related settings:

* No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

* No issues found.

Checking Windows Service Integrity:

* No issues found.

Searching for Missing Digital Signatures:

* C:\Windows\System32\user32.dll : 1,008,640 : 04/18/2013 05:13 PM : 2c353b6ce0c8d03225caa2af33b68d79 [NoSig]
+-> C:\Windows\SysWOW64\user32.dll : 833,024 : 04/18/2013 05:13 PM : 861c4346f9281dc0380de72c8d55d6be [Pos Repl]
+-> C:\Windows\winsxs\amd64_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_2b5e71b083fc0973\user32.dll : 1,008,128 : 11/20/2010 09:24 PM : fe70103391a64039a921dbfff9c7ab1b [Pos Repl]
+-> C:\Windows\winsxs\wow64_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_35b31c02b85ccb6e\user32.dll : 833,024 : 11/20/2010 09:24 PM : 5e0db2d8b2750543cd2ebb9ea8e6cdd3 [Pos Repl]

Checking HOSTS File:

* HOSTS file entries found:

127.0.0.1 activation.cloud.techsmith.com
127.0.0.1 store-esellerate-net.wip.digitalrivercontent.net
127.0.0.1 store6.esellerate.net
127.0.0.1 store.esellerate.net
127.0.0.1 dynamic.telestream.net
127.0.0.1 dynlb.telestream.net


Program finished at: 08/28/2014 04:19:15 PM
Execution time: 0 hours(s), 0 minute(s), and 28 seconds(s)
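
For anyone triaging a log like the one in the post above, this added example (not part of the original post and not BleepingComputer's code) parses the two sections of an Rkill log that list findings: files without a digital signature, with the copies listed under them, and HOSTS file entries. The function names and the section matching are assumptions based only on the log layout shown in this thread.

```python
import re

# Excerpt of the Rkill log posted above, embedded so the example runs offline.
SAMPLE_LOG = r"""Searching for Missing Digital Signatures:
* C:\Windows\System32\user32.dll : 1,008,640 : 04/18/2013 05:13 PM : 2c353b6ce0c8d03225caa2af33b68d79 [NoSig]
+-> C:\Windows\SysWOW64\user32.dll : 833,024 : 04/18/2013 05:13 PM : 861c4346f9281dc0380de72c8d55d6be [Pos Repl]

Checking HOSTS File:
* HOSTS file entries found:
127.0.0.1 activation.cloud.techsmith.com
127.0.0.1 store.esellerate.net
"""

# "<marker> <path> : <size> : <timestamp> : <md5> [<tag>]"
FILE_RE = re.compile(r"^(\*|\+->) (.+?) : ([\d,]+) : (.+?) : ([0-9a-f]{32}) \[(.+)\]$")
HOST_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)$")

def parse_rkill(text):
    """Collect unsigned files (with the copies listed under them) and HOSTS entries."""
    report, section = {"unsigned": [], "hosts": []}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(("Searching for", "Checking", "Performing")) and line.endswith(":"):
            section = line.rstrip(":")          # remember which check we are in
            continue
        m = FILE_RE.match(line)
        if m and section == "Searching for Missing Digital Signatures":
            marker, path, size, stamp, md5, tag = m.groups()
            entry = {"path": path, "size": int(size.replace(",", "")),
                     "modified": stamp, "md5": md5, "tag": tag}
            if marker == "*":                   # the flagged file itself
                entry["candidates"] = []
                report["unsigned"].append(entry)
            elif report["unsigned"]:            # "+->" line belongs to the last flagged file
                report["unsigned"][-1]["candidates"].append(entry)
            continue
        m = HOST_RE.match(line)
        if m and section == "Checking HOSTS File":
            report["hosts"].append(m.groups())
    return report

def loopback_hosts(report):
    """Hostnames the HOSTS file maps to a loopback address."""
    return sorted(h for ip, h in report["hosts"] if ip.startswith("127."))
```

Feeding it the full rKill.txt from the desktop gives a structured list that can be diffed between runs or checked against hashes of known-good system files.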

#8 noknojon

noknojon

  • Banned
  • 10,871 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:10:53 PM

Posted 28 August 2014 - 07:27 PM

Thanks for that, it *saved my bacon*.

 

Little else we can do in this area of the forum, so please upgrade your request for help to Malware Removal Area.

Just follow Post #4 and be patient for a reply, since they are VERY busy at the moment. 2 to 3 days is the average wait.

 

Regards -



#9 PankDavid

PankDavid

  • Members
  • 1 posts
  • OFFLINE
  •  

Posted 26 February 2017 - 04:49 AM

If you are using Microsoft security essentials, just go to settings in Microsoft security essentials and click "I do not want to join SpyNet." And you are done. Problem solved.





