Stubborn Adware Popups in Chrome (constant refreshing)


8 replies to this topic

#1 gaalla

gaalla

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:11:34 AM

Posted 15 December 2015 - 11:53 AM

Hi.

 

My issue:

 

When searching a webpage I'll get really slow performance and extra windows open (not many but they're constantly refreshing and I can see links such as prod.vsearch.com, com-compsupport365.com). I'm also getting occasional "Virgin Media Customer Warning Call this 0800 number" and fake BSOD backgrounds. 

 

 

My system: 

 

Windows 7

Samsung Slate 7 Tablet (http://www.pcadvisor.co.uk/review/windows-tablets/samsung-series-7-slate-review-3362947/)

Chrome

 

 

What I've tried:

 

I've tried running the latest versions of SpyBot, Avast, Malwarebytes and HijackThis. Malwarebytes found a Backdoor.Agent.WD in AppData\Local\Temp\hp_u2_1309.exe. 


Edited by gaalla, 15 December 2015 - 11:55 AM.



 


#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,040 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:07:34 AM

Posted 15 December 2015 - 12:40 PM

Hello gaalla, do these next please.

MiniToolBox
  • Please download MiniToolBox, save it to your desktop and run it.
  • Checkmark the following checkboxes:
    • Flush DNS
    • Report IE Proxy Settings
    • Reset IE Proxy Settings
    • Report FF Proxy Settings
    • Reset FF Proxy Settings
    • List content of Hosts
    • List IP configuration
    • List Winsock Entries
    • List last 10 Event Viewer log
    • List Installed Programs
    • List Users, Partitions and Memory size.
  • Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run. Note: When using "Reset FF Proxy Settings" option Firefox should be closed.
TDSSKiller
  • Download TDSSKiller and save it to your desktop.
  • Extract (unzip) its contents to your desktop.
  • Open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.
AdwCleaner
  • Please download AdwCleaner by Xplode and save to your Desktop.
  • Double click on AdwCleaner.exe to run the tool. Vista/Windows 7/8 users right-click and select Run As Administrator
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • After the scan has finished, click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
  • The contents of the log file may be confusing. Unless you see a program name that you know should not be removed, don't worry about it. If you see an entry you want to keep, let me know about it.
  • Copy and paste the contents of that logfile in your next reply.
  • Copies of all logfiles are saved in the C:\AdwCleaner folder which was created when running the tool.
Junkware Removal Tool
  • Please download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.
ESET Online Scanner
  • Click here to download the installer for ESET Online Scanner and save it to your Desktop.
  • Disable all your antivirus and antimalware software - see how to do that here.
  • Right click on esetsmartinstaller_enu.exe and select Run as Administrator.
  • Place a checkmark in YES, I accept the Terms of Use, then click Start. Wait for ESET Online Scanner to load its components.
  • Select Enable detection of potentially unwanted applications.
  • Click Advanced Settings, then place a checkmark in the following:
    • Remove found threats
    • Scan archives
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • Click Start to begin scanning.
  • ESET Online Scanner will start downloading signatures and scan. Please be patient, as this scan can take quite some time.
  • When the scan is done, click List threats (only available if ESET Online Scanner found something).
  • Click Export, then save the file to your desktop.
  • Click Back, then Finish to exit ESET Online Scanner.

How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#3 gaalla

gaalla
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:11:34 AM

Posted 15 December 2015 - 06:08 PM

Thank you boopme for your fast response. I'm downloading and will follow your instructions now. As a quick update to earlier: the backdoor removal by Malwarebytes seemed to improve things (though I didn't get a chance to test much), but though I didn't get any popups, I still saw links being continually referenced in the bottom left hand corner of Chrome. It's getting late here, so I may have to post the results tomorrow.



#4 gaalla

gaalla
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:11:34 AM

Posted 15 December 2015 - 07:18 PM

Thanks, it looks like we found some stuff. cdncache1-a-akamaihd malware to BrowseFox.H etc. It surprises me that all the ones I ran already missed these. I'm not sure what I installed that this horrible stuff came bundled with. Perhaps below gives some indication? I'm usually pretty good at checking for bundled rubbish but I must've missed it. Do you recommend I change my realtime anti-virus? (I'm using vanilla MSE since I tend to use this tablet for artwork occasionally.)

 

Logs (I uploaded them to my Dropbox for clarity in this thread):

 

Mini Toolbox Log: https://dl.dropboxusercontent.com/u/137479361/bleep/MTB.txt

 

TDSS Killer: https://dl.dropboxusercontent.com/u/137479361/bleep/TDSSKiller.3.1.0.9_15.12.2015_23.32.32_log.txt

 

AdwCleaner: https://dl.dropboxusercontent.com/u/137479361/bleep/AdwCleaner%5BS2%5D.txt

 

Junkware: https://dl.dropboxusercontent.com/u/137479361/bleep/JRT.txt

 

Eset: https://dl.dropboxusercontent.com/u/137479361/bleep/eset.txt


Edited by gaalla, 15 December 2015 - 08:18 PM.


#5 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,040 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:07:34 AM

Posted 15 December 2015 - 08:59 PM

While I review the other logs, remove what ADWCleaner found.
Double click on AdwCleaner.exe to run the tool again. Vista/Windows 7/8 users right-click and select Run As Administrator
  • The tool will start to update the database, please wait a bit.
  • Click on the Scan button.
  • AdwCleaner will begin to scan your computer like it did before.
  • After the scan has finished...
  • <-insert any special instructions here for what to uncheck OR remove this line if there are none->
  • This time click on the Cleaning button.
  • Press OK when asked to close all programs and follow the onscreen prompts.
  • Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
  • After rebooting, a logfile report (AdwCleaner[C#].txt) will open automatically (where the largest value of # represents the most recent report).
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of that logfile will also be saved in the C:\AdwCleaner folder.


#6 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,040 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:07:34 AM

Posted 15 December 2015 - 09:24 PM

Fix this error
Error: (12/15/2015 05:38:18 PM) (Source: Service Control Manager) (User: )
Description: The Computer Browser service depends on the Server service which failed to start because of the following error:
%%1068

1.Open Device Manager.
2.On the View menu, click to select the Show hidden devices check box.
3.Double-click Non-Plug and Play Drivers.
4.Double-click NetBIOS over Tcpip.
5.In the Device usage box, click Use this device (enable)

credit James Butcher


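Added example (not part of the thread, and not code from MiniToolBox or any tool named in it): a small parser for Service Control Manager dependency errors in the format quoted in post #6, which follows each "A depends on B" record down to the service worth inspecting first. The second sample record, the `Example Driver` name and all function names are constructed for illustration; 1068 and 1058 are the standard Win32 codes ERROR_SERVICE_DEPENDENCY_FAIL and ERROR_SERVICE_DISABLED.

```python
import re

# Win32 error codes that Service Control Manager events print as %%NNNN.
SCM_ERRORS = {
    1058: "service is disabled or has no enabled devices",
    1068: "the dependency service or group failed to start",
}
# One record: header line, Description line, then the %%code line.
EVENT_RE = re.compile(
    r"Error: \((?P<when>[^)]*)\) \(Source: Service Control Manager\).*?\n"
    r"Description: The (?P<dependent>.+?) service depends on the "
    r"(?P<dependency>.+?) service which failed to start because of the "
    r"following error:\s*\n%%(?P<code>\d+)"
)
# First record is the one quoted in the thread; the second is constructed.
SAMPLE = """Error: (12/15/2015 05:38:18 PM) (Source: Service Control Manager) (User: )
Description: The Computer Browser service depends on the Server service which failed to start because of the following error:
%%1068

Error: (12/15/2015 05:38:18 PM) (Source: Service Control Manager) (User: )
Description: The Server service depends on the Example Driver service which failed to start because of the following error:
%%1058
"""

def dependency_failures(text):
    """Return (dependent, dependency, code) for each SCM dependency error."""
    return [(m["dependent"], m["dependency"], int(m["code"]))
            for m in EVENT_RE.finditer(text)]

def root_causes(failures):
    """Follow 'A depends on B' records down to the deepest failed service."""
    failed_on = {dep: (need, code) for dep, need, code in failures}
    roots = set()
    for dependent in failed_on:
        seen, current = set(), dependent
        while current in failed_on and current not in seen:  # guard cycles
            seen.add(current)
            current, code = failed_on[current]
        roots.add((current, code))
    return sorted(roots)

def explain(service, code):
    """One-line triage hint; 1068 means the real fault is further down."""
    reason = SCM_ERRORS.get(code, "unrecognized code")
    hint = " (its own dependency failed; look further down)" if code == 1068 else ""
    return f"{service}: %%{code} {reason}{hint}"

if __name__ == "__main__":
    for svc, code in root_causes(dependency_failures(SAMPLE)):
        print(explain(svc, code))
```

Run against only the record from the thread, the result is `Server` with code 1068, which says the Server service itself was blocked by one of its own dependencies rather than being the faulty component.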

#7 gaalla

gaalla
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:11:34 AM

Posted 16 December 2015 - 08:52 AM

Thank you

 

AdwCleaner: https://dl.dropboxusercontent.com/u/137479361/bleep/AdwCleaner%5BC3%5D.txt

 

In Device Manager I don't have 'NetBIOS over Tcpip' in 'Non-Plug and Play' (with hidden shown). The closest I have is NETBT

 

I get an error that a file couldn't be loaded on G: but I think that's another issue as I have a VHD mounted via F: using VHDAttach at startup. I had to mount it so that I could get Dropbox onto it (F is a micro SD card which has limitations). After running some of the software above I got errors about Dropbox unlinking and I think this new error (gives very few / no details) is related.



#8 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,040 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:07:34 AM

Posted 17 December 2015 - 01:51 PM

Are the pop ups gone?
Reboot machine and see how it is.

#9 gaalla

gaalla
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:11:34 AM

Posted 18 December 2015 - 11:44 AM

Thanks boopme it seems better :) :thumbsup





