Infected with pop up ads


This topic is locked
10 replies to this topic

#1 spmeli (Members, 6 posts)

Posted 21 March 2015 - 02:05 AM

Greetings,
My name is Spiros and I have been infected with pop-up ads, as you can see in the picture below.
I have tried to scan my system with Panda Global Protection 2015, Malwarebytes and Spybot Search and Destroy; none of these applications seemed to find a solution to my problem.
Below I have listed the link that one of the ads directed me to.
 
htxxtp://news-207466-latest.dverser.ru/8v0n2hh3mzi50e0ngfryu05gxgctu5t6o5vcb8u74jkd939p4fu4niu9108smofxwf6994zkrbark59asdnuqmgx9c8q0vqx2qa79br7d2g9c95y6gexofnrc8bbocmatcep9bk8t85350e7xiics9ldu08nfhibhblem6h42o7g9g0m59fgd8cklxf614bmfhdtmw5s1dbfwajh37pzv4fmn9l55gz1yxnqve9932zmi8wwnt86i7roycrif8xsre3ns4mm509cjutzrqu5xht0b9fk008kmxxypy4oe8c7m7il9hzg5bkjxkb9bt86bja72ont3k8f3briy3shy991qm33sxzn6eu93kjrz1r8xir5nzsppa5n8agcqhqn0610fx7gxljl8jpsy1mye566uyv15lwemj6c1r9rx5hz6
 
 
 
[Attached image: 03c6d0e7f8.jpg]

Attached Files

Edited by nasdaq, 24 March 2015 - 08:28 AM.



#2 nasdaq (Malware Response Team, 39,519 posts)

Posted 24 March 2015 - 08:52 AM

Hello, welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Open Notepad (Start => All Programs => Accessories => Notepad). Please copy the entire contents of the code box below.


start

CloseProcesses:

HKLM-x32\...\Run: [] => [X]
HKU\S-1-5-21-1764373829-2308832716-692088465-1001\...\Policies\Explorer: []
GroupPolicy: Group Policy on Chrome detected <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
FF Extension: No Name - C:\Program Files (x86)\Mozilla Firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} [Not Found]
S0 nckkof; No ImagePath
R4 IOMap; \??\C:\windows\system32\drivers\IOMap64.sys [X]
S1 NNSSTRM; system32\DRIVERS\NNSStrm.sys [X]
Task: {71BD4903-ADC9-48C6-BB16-A748531D4525} - \LaunchSignup No Task File <==== ATTENTION
AlternateDataStreams: C:\Users\Spiros\OneDrive:ms-properties
AlternateDataStreams: C:\Users\Spiros\Downloads\ΦÎΡÎΠΣΥÎÎÎΤÎÎÎΣÎΣ.eml:OECustomProperty
C:\Windows\Tasks\{4A9D6D14-11C2-450E-A330-58D260E7206F}.job

End
Save the file as fixlist.txt into the same folder as FRST.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the Report button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, close the AdwCleaner window.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button and follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Sn].txt (n is a number).
===

How is the computer running now?

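The fixlist above is a removal recipe, and what it lists is also a useful catalogue of where adware hides on a Windows machine: Chrome "policy" keys that lock browser settings, Run entries with empty names or missing files, services whose driver is gone, and Task Scheduler entries whose task file no longer exists. The script below is an added example, not nasdaq's fixlist and not part of FRST: it is a read-only audit that looks for those same indicator classes and reports them without changing anything. It assumes Windows PowerShell 3 or later in an elevated 64-bit session and the standard Windows registry locations; every line it prints still needs a person to decide whether it is adware or a harmless leftover.

```powershell
# Added example (not nasdaq's fixlist, not a replacement for running FRST):
# a read-only audit for the same classes of indicator the fix above targets.
# It reports, it never removes. Assumptions: Windows PowerShell 3+ in an
# elevated 64-bit session; standard Windows registry locations.

function Resolve-ServiceBinary {
    # Normalise an ImagePath / Run value into a testable file path. Handles the
    # forms seen in the fix: "\??\C:\...", "\SystemRoot\...", "system32\..."
    # (relative to the Windows folder), quoted paths and trailing arguments.
    param([string]$ImagePath)
    $p = [Environment]::ExpandEnvironmentVariables($ImagePath).Trim()
    if ($p -eq '') { return '' }
    if ($p.StartsWith('"')) {
        $end = $p.IndexOf('"', 1)
        if ($end -gt 1) { $p = $p.Substring(1, $end - 1) }
    } else {
        $m = [regex]::Match($p, '^(.+?\.(exe|sys|dll))(\s|$)', 'IgnoreCase')
        if ($m.Success) { $p = $m.Groups[1].Value }
    }
    $p = $p -replace '^\\\?\?\\', ''                                # \??\C:\x      -> C:\x
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"          # \SystemRoot\x -> C:\Windows\x
    $p = $p -replace '^\\?system32\\', "$env:SystemRoot\System32\"  # system32\x    -> C:\Windows\System32\x
    if ($p -notmatch '^[A-Za-z]:\\') {
        $cmd = Get-Command $p -ErrorAction SilentlyContinue         # bare names such as rundll32.exe
        if ($cmd) { return $cmd.Path }
        $p = Join-Path $env:SystemRoot $p
    }
    return $p
}

function Get-PersistenceFindings {
    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding($Type, $Item, $Detail) {
        $findings.Add([pscustomobject]@{ Type = $Type; Item = $Item; Detail = [string]$Detail })
    }

    # 1. Chrome policy keys ("Group Policy on Chrome detected" in the fix). A home PC
    #    that is not domain-joined normally has none; adware plants them so that a
    #    browser reset does not stick.
    foreach ($key in 'HKLM:\SOFTWARE\Policies\Google', 'HKCU:\SOFTWARE\Policies\Google') {
        if (-not (Test-Path $key)) { continue }
        $detail = foreach ($k in @(Get-Item $key) + @(Get-ChildItem $key -Recurse)) {
            foreach ($v in $k.GetValueNames()) { "$($k.Name)\$v=$($k.GetValue($v))" }
        }
        Add-Finding 'ChromePolicy' $key ($detail -join '; ')
    }

    # 2. Run entries with an empty name ("[] => [X]") or pointing at a file that is
    #    gone: leftovers of something installed and then only half removed.
    foreach ($rk in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
                    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run') {
        if (-not (Test-Path $rk)) { continue }
        $k = Get-Item $rk
        foreach ($name in $k.GetValueNames()) {
            $data = [string]$k.GetValue($name)
            if ($name -eq '' -or $data -eq '') { Add-Finding 'RunEntryEmpty' "$rk\[$name]" $data; continue }
            if (-not (Test-Path -LiteralPath (Resolve-ServiceBinary $data))) { Add-Finding 'RunEntryMissingFile' "$rk\$name" $data }
        }
    }

    # 3. Services/drivers with no ImagePath ("S0 nckkof; No ImagePath") or whose
    #    binary is missing ("R4 IOMap; ... [X]"). Disabled entries (Start=4) are skipped.
    foreach ($svcKey in Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue) {
        $svc = Get-ItemProperty -Path $svcKey.PSPath -ErrorAction SilentlyContinue
        if ($null -eq $svc -or $null -eq $svc.Start -or $svc.Start -eq 4) { continue }
        if (-not $svc.ImagePath) { Add-Finding 'ServiceNoImagePath' $svcKey.PSChildName "Start=$($svc.Start)"; continue }
        $bin = Resolve-ServiceBinary ([string]$svc.ImagePath)
        if (-not (Test-Path -LiteralPath $bin)) { Add-Finding 'ServiceMissingBinary' $svcKey.PSChildName $svc.ImagePath }
    }

    # 4. Task Scheduler registrations whose XML task file is missing ("No Task File"),
    #    plus any legacy .job file in C:\Windows\Tasks (the last line of the fix).
    $taskCache = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks'
    $taskRoot  = Join-Path $env:SystemRoot 'System32\Tasks'
    foreach ($t in Get-ChildItem $taskCache -ErrorAction SilentlyContinue) {
        $path = (Get-ItemProperty -Path $t.PSPath).Path
        if ($path -and -not (Test-Path -LiteralPath (Join-Path $taskRoot $path.TrimStart('\')))) {
            Add-Finding 'TaskNoTaskFile' $t.PSChildName $path
        }
    }
    foreach ($job in Get-ChildItem (Join-Path $env:SystemRoot 'Tasks') -Filter *.job -ErrorAction SilentlyContinue) {
        Add-Finding 'LegacyJobFile' $job.FullName $job.LastWriteTime
    }
    return $findings
}

Get-PersistenceFindings | Format-Table -AutoSize -Wrap
```

Run it before and after a cleanup: the "before" run tells you whether the machine shows the same classes of leftover that the fixlist removes, and the "after" run confirms nothing came back on reboot. Findings in the ChromePolicy category on a non-domain PC, and any .job file in C:\Windows\Tasks, are the ones most worth explaining before declaring the machine clean.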
#3 spmeli (Topic Starter, Members, 6 posts)

Posted 25 March 2015 - 10:02 AM

Hey nasdaq, thank you for your response.

Well, I followed your instructions and I have to say that AdwCleaner didn't find anything abnormal.

I think it's getting worse, since I can no longer close the ads; Chrome will direct me to other sites, and yesterday I had a redirection in the Steam application.

As you asked, you will find the documents attached below.

Attached Files



#4 nasdaq (Malware Response Team, 39,519 posts)

Posted 25 March 2015 - 01:37 PM

Click the Start button. In the Search box, type Command Prompt, and then, in the list of results, double-click Command Prompt.

At the cursor type:
ipconfig /flushdns <-- (a space between g and / is needed)

ipconfig /release

Repeat with
ipconfig /renew

Then hit Enter, type Exit, hit the Enter key.

You may need to run CMD (Command Prompt) on Vista / Windows 7/8 with elevated privileges:
http://www.bleepingcomputer.com/tutorials/windows-elevated-command-prompt/
<<<>>>

Reset the browsers that have been compromised.

Reset Chrome...
Open Google Chrome and click on the menu icon located at the top right of the Google Chrome window.
 
Click "Settings" then "Show advanced settings" at the bottom of the screen.
 
Click "Reset browser settings" button.
 
Restart Chrome.
====

Firefox:
Reset Default Browsing settings:
https://support.mozilla.org/en-US/kb/reset-firefox-easily-fix-problems?utm_expid=65912487-41.djHNRQY0RhaLvvtvcd0BQA.2&utm_referrer=https%3A%2F%2Fwww.google.ca%2F
===

Reset Internet Explorer:
Menu > Tools > Internet Options > Advanced Tab.
Click the Reset button on the bottom of the pane.
Click the Apply button.
Close IE.

===

How is the computer running now?

#5 spmeli (Topic Starter, Members, 6 posts)

Posted 25 March 2015 - 11:13 PM

I think that did the job; currently no ads or redirects so far.

Thank you so much nasdaq, I really appreciate your help.

Can I ask what could possibly have caused that and what I can do to prevent it in the future?



#6 spmeli (Topic Starter, Members, 6 posts)

Posted 25 March 2015 - 11:18 PM

Well, although in Chrome the pop-ups and redirections stopped, I got an ad and a redirect again in the Steam application. Is it possible that I have to reset programs that have their own browsers?

Uhm, now I have ads again.


Edited by spmeli, 26 March 2015 - 01:23 AM.


#7 nasdaq (Malware Response Team, 39,519 posts)

Posted 26 March 2015 - 08:21 AM

[Quoting spmeli:] Well, although in Chrome the pop-ups and redirections stopped, I got an ad and a redirect again in the Steam application. Is it possible that I have to reset programs that have their own browsers?

Yes, if you can.

Run this tool to clean your Temporary files/Folders.

Download TFC to your desktop
  • Close any open windows.
  • Double click the TFC icon to run the program.
  • TFC will close all open programs itself in order to run.
  • Click the Start button to begin the process.
  • Allow TFC to run uninterrupted, it should not take long to finish.
  • Once it's finished, click OK to reboot.
  • If it does not reboot, reboot your system manually.
===

If you are using a router, it's possible that it may be compromised.

How to Reset a Router Back to the Factory Default Settings
http://www.ehow.com/how_2110924_reset-back-factory-default-settings.html

Then, please reconfigure it back to your preferred settings. Below is a list of default usernames and passwords, should you not know them ;)

http://www.routerpasswords.com/
http://www.phenoelit-us.org/dpl/dpl.html
===

Reset for Linksys, Netgear, D-Link and Belkin Routers
http://www.techsupportforum.com/2763-reset-for-linksys-netgear-d-link-and-belkin-routers/

====
How to tell if my Wireless is secure.
http://www.ehow.com/how_6775466_tell-wireless-secure_.html

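Ads appearing inside Steam as well as in every browser, surviving a browser reset, and easing after a DNS flush are the pattern of something rewriting DNS answers upstream of the PC, which is why nasdaq moves to the router. The script below is an added example, not part of nasdaq's post, showing how a practitioner can test that suspicion from the PC without touching the router: it lists the resolvers each adapter actually uses, checks the hosts file for active overrides, and asks the default resolution path and a public resolver the same question to see whether their answers agree. It assumes Windows 8 or later (the DnsClient cmdlets are not on Windows 7), and the resolver addresses and probe name in the parameters are my placeholders to be replaced with your own network's values.

```powershell
# Added example (not nasdaq's instructions): a read-only check for DNS tampering
# between this PC and the Internet. Assumptions: Windows 8+ with the DnsClient
# module; $ExpectedResolvers is the address your router hands out by DHCP (the
# default below is a placeholder); public reference resolvers and the probe name
# are my choices, not values from the thread.

function Get-DnsTrustReport {
    param(
        [string[]]$ExpectedResolvers  = @('192.168.1.1'),          # placeholder: your router's LAN address
        [string[]]$ReferenceResolvers = @('8.8.8.8', '1.1.1.1'),   # public resolvers, queried directly
        [string[]]$ProbeNames         = @('www.bleepingcomputer.com')
    )
    $report = New-Object System.Collections.Generic.List[object]
    function Add-Row($Check, $Item, $Status, $Detail) {
        $report.Add([pscustomobject]@{ Check = $Check; Item = $Item; Status = $Status; Detail = [string]$Detail })
    }

    # 1. Which resolvers do the adapters actually use? A changed router or a rogue
    #    DHCP server can point every machine on the LAN at a resolver that lies.
    foreach ($cfg in Get-DnsClientServerAddress -AddressFamily IPv4) {
        foreach ($srv in $cfg.ServerAddresses) {
            $status = if ($srv -in $ExpectedResolvers) { 'expected' } else { 'UNEXPECTED' }
            Add-Row 'AdapterResolver' $cfg.InterfaceAlias $status $srv
        }
    }

    # 2. The hosts file overrides DNS entirely; a clean home PC has no active entries.
    $hosts  = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    $active = Get-Content -LiteralPath $hosts | Where-Object { $_.Trim() -and -not $_.Trim().StartsWith('#') }
    if ($active) { foreach ($line in $active) { Add-Row 'HostsFile' $hosts 'CHECK' $line.Trim() } }
    else         { Add-Row 'HostsFile' $hosts 'clean' 'no active entries' }

    # 3. Ask the default path and a reference resolver the same question. If the
    #    router forwards to a rogue upstream, the answers diverge even though the
    #    adapter still lists the router as its resolver. A mismatch on a CDN-hosted
    #    name can be benign geo-routing, so treat it as a lead, not a verdict.
    foreach ($name in $ProbeNames) {
        try {
            $viaDefault = @(Resolve-DnsName -Name $name -Type A -DnsOnly -ErrorAction Stop |
                            Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress }) | Sort-Object -Unique
            $viaRef = foreach ($ref in $ReferenceResolvers) {
                Resolve-DnsName -Name $name -Type A -Server $ref -ErrorAction Stop |
                    Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress }
            }
            $viaRef  = @($viaRef) | Sort-Object -Unique
            $overlap = @($viaDefault | Where-Object { $_ -in $viaRef })
            $status  = if ($overlap.Count -gt 0) { 'consistent' } else { 'MISMATCH' }
            Add-Row 'ResolutionCompare' $name $status ("default: {0} | reference: {1}" -f ($viaDefault -join ','), ($viaRef -join ','))
        } catch {
            Add-Row 'ResolutionCompare' $name 'ERROR' $_.Exception.Message
        }
    }
    return $report
}

Get-DnsTrustReport | Format-Table -AutoSize -Wrap
```

Run it once before resetting the router and once after reconfiguring it. An UNEXPECTED adapter resolver, any CHECK line from the hosts file, or a MISMATCH that persists across several non-CDN probe names each point at the DNS path rather than at the PC's own software, which is the distinction this thread turns on: a browser reset cannot fix a router that has been reconfigured.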
#8 spmeli (Topic Starter, Members, 6 posts)

Posted 27 March 2015 - 12:34 AM

I think that may have caused my problem. Reading in other Greek forums about the router I have, one of the main issues my company has is that we, the customers, are unable to change the username AND the password, giving easy access to my router to everyone who has my IP, since the admin name and password are fixed for all customers.

Well, now I have to change company (hooray, I hate waiting).

What do you think, nasdaq?

After all these scans, can we say that this case is closed, or should we wait until I change company and see for ourselves?

I can't thank you enough though; you guided me step by step, making a noob like me fully understand what is happening and what I am doing. You are the best :)



#9 nasdaq (Malware Response Team, 39,519 posts)

Posted 27 March 2015 - 08:43 AM

I will close this topic in a week or so.

If you need to return please send me a Personal Message.

#10 spmeli (Topic Starter, Members, 6 posts)

Posted 27 March 2015 - 12:29 PM

Great, thanks for everything :)



#11 nasdaq (Malware Response Team, 39,519 posts)

Posted 02 April 2015 - 06:45 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.



