Browser popup/redirect for one website only


5 replies to this topic

#1 Carnivore

Carnivore

  • Members
  • 3 posts

Posted 17 December 2014 - 02:45 AM

I've been getting browser redirects to a fake "Update Your Flash Player" page, but only when I visit the news website Reuters.com, a legitimate major news organization. It happens in both IE11 and the latest Firefox, but it doesn't happen every time, just randomly. It's been happening for quite a while but I've just been forcing the browser closed when it comes up.

 

I have:

- Cleared browser cache and cookies

- Cleared Java cache

- Reset IE11

- Flushed DNS

- Full system scan with AVG

 

I'm on Windows 7 Professional 64 bit.




 


#2 buddy215

buddy215

  • Moderator
  • 13,317 posts
  • Gender:Male
  • Location:West Tennessee

Posted 17 December 2014 - 09:27 AM

Welcome to BC !

 

You can block the third party/ ad/ tracking cookies from installing. Once you have blocked them you will need to remove the existing ones. Disable third-party cookies in IE, Firefox, and Google Chrome | How To - CNET

 

Use CCleaner to remove Temporary files, program caches, cookies, logs, etc. Use the Default settings. No need to use the Registry Cleaning Tool...risky. Pay close attention while installing and UNcheck offers of toolbars....especially Google. After install, open CCleaner and run by clicking on the Run Cleaner button in the bottom right corner.

CCleaner - PC Optimization and Cleaning - Free Download

 

Check for adware and malware using the programs below. Allow them to remove whatever they find.

 

  • Download AdwCleaner by Xplode and save to your Desktop.
  • Double-click on AdwCleaner.exe to run the tool.
    Vista/Windows 7/8 users right-click and select Run As Administrator.
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • After the scan has finished, click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
  • After reviewing the log, click on the Clean button.
  • Press OK when asked to close all programs and follow the onscreen prompts.
  • Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
  • After rebooting, a logfile report (AdwCleaner[S0].txt) will open automatically.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of all logfiles is saved in the C:\AdwCleaner folder which was created when running the tool.

Download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

 

Hold down Control and click on this link to open ESET OnlineScan in a new window.

  • Click the esetonlinebtn.png button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
  • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
  • Double click on the esetsmartinstaller_enu.png icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:
  • Scan potentially unwanted applications
  • Scan for potentially unsafe applications
  • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.
  • NOTE: Sometimes if ESET finds no infections it will not create a log.

 

If you don't have NoScript and Adblock Plus add-ons installed in Firefox....you should. Using Adblock Plus is a no-brainer. NoScript takes a bit of learning in how to use it properly but is the best prevention of many types of malware including getting infected by just opening a page at a website.....drive-by installs of malware.

NoScript Security Suite :: Add-ons for Firefox

Adblock Plus :: Add-ons for Firefox


“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.” Lawrence M. Krauss
A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”

#3 Carnivore

Carnivore
  • Topic Starter


Posted 21 December 2014 - 12:52 AM

AdwCleaner logfile contents: 

-------------------------------------

# AdwCleaner v4.105 - Report created 20/12/2014 at 17:06:48
# Updated 08/12/2014 by Xplode
# Database : 2014-12-16.1 [Live]
# Operating System : Windows 7 Professional Service Pack 1 (64 bits)
# Username : [REDACTED]
# Running from : C:\Users\[REDACTED]\Downloads\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****

***** [ Files / Folders ] *****

[x] Not Deleted : C:\Users\[REDACTED]\Favorites\Software
[x] Not Deleted : C:\Users\\[REDACTED]Favorites\Software
Folder Deleted : C:\Users\[REDACTED]\Documents\Updater
File Deleted : C:\Users\[REDACTED]\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxps_static.olark.com_0.localstorage-journal

***** [ Scheduled Tasks ] *****

***** [ Shortcuts ] *****

***** [ Registry ] *****

Key Deleted : [x64] HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472F-A0FF-E1416B8B2E3A}
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472F-A0FF-E1416B8B2E3A}
Key Deleted : HKCU\Software\AVG SafeGuard toolbar
Key Deleted : HKLM\SOFTWARE\AVG SafeGuard toolbar
Key Deleted : HKLM\SOFTWARE\AVG Security Toolbar

***** [ Browsers ] *****

-\\ Internet Explorer v11.0.9600.17496

-\\ Mozilla Firefox v34.0 (x86 en-US)

[1qf2kfvy.default\prefs.js] - Line Deleted : user_pref("extensions.wrc.SearchRules.ask.com.style", ".WRCN {display:none} #yui-main .tsrc_vnru .title + .WRCN, #yui-main #teoma-results .title + .WRCN {display:inline !important; background: url(\"I[...]
[1qf2kfvy.default\prefs.js] - Line Deleted : user_pref("extensions.wrc.SearchRules.ask.com.url", "^hxxp(s)?\\:\\/\\/(.+\\.)?ask\\.com\\/.*");
[1qf2kfvy.default\prefs.js] - Line Deleted : user_pref("extensions.wrc.SearchRules.rambler.ru.style", ".WRCN {display:none} .search-results .title + .WRCN {display:inline !important; background: url(\"IMAGE\") right no-repeat}");

-\\ Google Chrome v39.0.2171.95

[C:\Users\[REDACTED]\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://search.ask.com/web?q={searchterms}&l=dis&o=CMDTDF
[C:\Users\[REDACTED]\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://search.aol.com/aol/search?q={searchTerms}
[C:\Users\[REDACTED]\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://www.ask.com/web?q={searchTerms}

*************************

AdwCleaner[R0].txt - [2523 octets] - [20/12/2014 17:00:08]
AdwCleaner[S0].txt - [2440 octets] - [20/12/2014 17:06:48]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [2500 octets] ##########

 

-------------------------- 

JRT logfile contents

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.4.0 (11.29.2014:1)
OS: Windows 7 Professional x64
Ran by [REDACTED] on Sat 12/20/2014 at 17:13:33.35
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

~~~ Services

 

~~~ Registry Values

Successfully repaired: [Registry Value] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_USERS\S-1-5-19\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_USERS\S-1-5-20\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_USERS\S-1-5-21-2705875278-3786199224-3447265658-1001\Software\Microsoft\Internet Explorer\Main\\Start Page

 

~~~ Registry Keys

 

~~~ Files

 

~~~ Folders

 

~~~ FireFox

Emptied folder: C:\Users\[REDACTED]\AppData\Roaming\mozilla\firefox\profiles\1qf2kfvy.default\minidumps [163 files]

 

~~~ Event Viewer Logs were cleared

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Sat 12/20/2014 at 17:37:53.91
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  

 

 

ESET scan hung at 100% but I finally hit stop and manually copied the threats to clipboard.

Notes:

- epm.exe is the EaseUS Partition Master installer which was downloaded directly from manufacturer's site, and was never installed on this machine.

- EaseUS Backup Free and Toyota Techstream installers were also never installed on this machine.

- CCleaner and ImgBurn installers have both been run on this machine.

-------------------------------------

C:\Users\[REDACTED]\Downloads\ccsetup500.exe Win32/Bundled.Toolbar.Google.D potentially unsafe application
C:\Users\[REDACTED]\Downloads\epm.exe Win32/OpenCandy potentially unsafe application
C:\Users\[REDACTED]\Downloads\SetupImgBurn_2.5.7.0.exe a variant of Win32/Bundled.Toolbar.Ask.G potentially unsafe application
C:\Users\[REDACTED]\Downloads\Toyota Techstream 8.00.034.zip a variant of Win32/Packed.Themida.AAP trojan
C:\Users\[REDACTED]\Downloads\EaseUS Backup Free\tb_free.exe a variant of Win32/TFTPD32.A potentially unsafe application

 

----

Thanks for your help.
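Added example, not part of the original thread: the five ESET detection lines from the post above, parsed into file name, detection name and ESET's own category label, then combined with the poster's notes about which installers were actually run. The `EXECUTED` set and the follow-up action strings are assumptions made for illustration.

```python
import re
from ntpath import basename  # parses Windows paths on any OS

# Detection lines copied from the ESET list in the post above.
ESET_LINES = r"""
C:\Users\[REDACTED]\Downloads\ccsetup500.exe Win32/Bundled.Toolbar.Google.D potentially unsafe application
C:\Users\[REDACTED]\Downloads\epm.exe Win32/OpenCandy potentially unsafe application
C:\Users\[REDACTED]\Downloads\SetupImgBurn_2.5.7.0.exe a variant of Win32/Bundled.Toolbar.Ask.G potentially unsafe application
C:\Users\[REDACTED]\Downloads\Toyota Techstream 8.00.034.zip a variant of Win32/Packed.Themida.AAP trojan
C:\Users\[REDACTED]\Downloads\EaseUS Backup Free\tb_free.exe a variant of Win32/TFTPD32.A potentially unsafe application
""".strip().splitlines()

# From the poster's notes: the only flagged installers that were actually run.
EXECUTED = {"ccsetup500.exe", "SetupImgBurn_2.5.7.0.exe"}

# Paths contain spaces, so anchor on the detection name (the first token with
# a forward slash) and treat everything after it as ESET's category label.
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<variant>a variant of\s+)?"
    r"(?P<name>[A-Za-z0-9]+/\S+)\s+(?P<category>.+)$"
)

def parse(line):
    """Split one ESET export line into file, detection name and category."""
    m = LINE_RE.match(line.strip())
    if m is None:
        raise ValueError(f"unrecognised ESET line: {line!r}")
    return {
        "file": basename(m["path"]),
        "name": m["name"],
        "variant": m["variant"] is not None,
        "category": m["category"],
    }

def triage(lines, executed=EXECUTED):
    """Attach a follow-up action to each detection (hypothetical policy)."""
    rows = []
    for rec in map(parse, lines):
        if rec["category"] != "potentially unsafe application":
            action = "review separately"  # e.g. the 'trojan' label
        elif rec["file"] in executed:
            action = "installer was run: check for bundled extras"
        else:
            action = "not run: delete installer"
        rows.append((rec["file"], rec["name"], rec["category"], action))
    return rows

if __name__ == "__main__":
    for row in triage(ESET_LINES):
        print(" | ".join(row))
```

Anchoring on the detection name rather than splitting on whitespace is what keeps paths such as `Toyota Techstream 8.00.034.zip` and `EaseUS Backup Free\tb_free.exe` intact.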
 



#4 buddy215

buddy215


Posted 21 December 2014 - 07:55 AM

What Eset found was adware bundled with those installers. Did you allow it to remove what it found? If not, you should, or delete the installers yourself since you aren't using some of the programs or have some already installed.

 

Is the ad still popping up on that one site? Did you block the third party cookies from installing and remove the existing ones?

Did you install either of the add-ons for Firefox?

 

Two items you didn't allow AdwCleaner to delete from the Favorites folder....Software. Did you think it was going to delete all favorites?



#5 Carnivore

Carnivore
  • Topic Starter


Posted 21 December 2014 - 01:38 PM

I'll delete the installers, thanks.

 

I blocked third-party cookies. We'll see if it impacts features I use like Disqus on various sites.

 

I'm a longtime user of AdBlock Plus and I'm familiar with NoScript too.

 

The Software folder within my Favorites contains only links to popular shareware sites etc, one of which probably triggered AdwCleaner. But I'm careful with those sites and don't want to delete a whole folder full of favorites. It would have been more useful if AdwCleaner would have flagged a specific link(s) instead of recommending the deletion of the entire folder. 

 

So getting to the thing that really matters, no I have not seen that ad pop back up again yet so I think it's fixed. If it appears again though, I'll come back and update this thread. 

 

Really appreciate your help, thanks.



#6 buddy215

buddy215


Posted 21 December 2014 - 02:38 PM

You may occasionally run across a site that won't let you view something unless you allow the ad cookies. What I do is just move on to find another site that offers the same such as a news story, etc that doesn't do that. There are free game sites that will require the adware. Up to you to decide whether it is worth enabling the cookies or not. The ad cookies that get installed in Flash will not be blocked. Use CCleaner occasionally to clean that or go to Adobe - Flash Player : Settings Manager - Global Storage Settings Panel and change the settings on each tab. I just block everything and zero out the storage.

 

If Adblock Plus was active while seeing that popup then it could be one that they allow. It allows some ads but you can stop that by clicking on the icon and choosing filter preferences. Uncheck the box that allows some ads. You can also use Adblock Plus to block the ad if it shows up again. That can be a bit tricky in figuring out which one of the many things AP can block is the right one. But it is doable. Using NoScript would block it for sure.

 

You're welcome and happy surfin' !





