Audio ads playing in the background - malware?

Hey,

For last couple of days (5-7) I'm experiencing some kind of a virus. It's playing audio ads on various websites (for example it can play an ad in listenonrepeat but it has never happened on facebook). There is no apparent schedule to this, it can be silent for 4 hours and then play the ad or play ads one by one after closing the page. Also, when I'm trying to close the page ad is playing on I get the message "Do you really want to close this tab?". I haven't downloaded anything fishy lately nor have been on fishy websites so I don't know where it came from. The only explanation is a pendrive I connected to my PC from a video guy that is going to film my wedding. I tried scanning my PC with various apps recommended and supposed-to-be-good in fighting malware and nothing. I'm not an IT guy so I don't know what to do next and need help. I need to format my system yesterday due to my mistake so I'm on fresh Windows 7 installation.

I know that there are sentences not in English but FRST chose my native language as default and I have no idea how to change it to English. If this scan is not good, just let me know.

@edit I found out how to change language so here is the new log.

Edited by JamarDracken, 15 September 2016 - 04:58 AM.

Hi JamarDracken & Welcome to the forums ^_^,


I would be helping you with your computer problems. Right now, I am a trainee at the Bleeping Computer Malware Removal Study Hall.
I am Pranav and now that we are friends, I would like to call you by your first name if that is fine with you  

All of my proposed fixes and suggestions must be approved by a fully-qualified Malware Removal Instructor. This will delay response times somewhat, but I will endeavor to respond within a reasonable time, normally 48 hours after your last post.

I will need some time to review your FRST logs and consult with the Malware Response Instructor (MRI) who will be assigned to supervise this topic. That could take a few days. Once I have reviewed my proposed response with the assigned MRI, I will reply to you with initial instructions.

While you wait for further instructions, kindly do not run any additional tools as that might complicate the process of fixing your computer and cause delays.

Have a nice day!

Regards,
Pranav 

Edited by blueelvis, 17 September 2016 - 09:11 AM.

Thanks for a rather fast respond

Since my post I haven't run any additional tools. I have only removed most of chrome's additions since I don't need them. I have left only Youtube app and Flashcontrol + Adguard extensions. 

Today I haven't heard any ads yet but they are not playing on all websites so I'm pretty sure the problem still exists unless it disappeared by itself.

Looking forward to your response,

Kamil

Greetings JamarDracken,

Since the scan is quite old and you have made some changes to the system, I think it would be best if you follow the below procedure again and reply back with the fresh logs -

Kindly delete Addition.txt before proceeding ahead.

Edited by blueelvis, 17 September 2016 - 03:33 PM.

I can't put FRST log into my post because it got extremely large with those new created files after format. I attached it to the post in a file. If you want me to post it in another way, let me know.

Hey Kamil ^_^,

Before we start dealing with the problems you are experiencing, I would ask that you to take note of the following points:

• I am a Bleeping Computer volunteer, so I ask you to be patient. I know it is frustrating when your computer is not working properly, but malware removal takes time.
• Please also remember that I only dedicate a limited number of hours a day to helping people. We may live in different time zones, which may cause delays in responding.
• If I have not responded to you within 48 hours, please send me a personal message. Likewise, I expect you to respond within 48 hours, and sooner is better because we can fix your computer faster.
• If I have not heard from you in three days, I will "bump" your post. After five days of no response, I will consider that you no longer need my assistance and this thread will be closed.
• Logs can take a while to research, so please be patient.
• Some issues just cannot be solved so you must be prepared for this.
• Please read and follow the instructions in the exact sequence that they are posted to avoid making a bad situation worse.
• Please print or copy and save the instructions.
• Back up all your data and important files on another (external) drive before starting to run malware removal tools.
• You should try to limit your browsing with this computer until you are given the "All Clear." Some malware applications steal passwords.
• Please do not install or uninstall any applications, unless directed. Don't run any scripts or tools on your own because unsupervised usage may cause more harm than good.
• Please use only that tools you have been instructed to use.
• If you are using CD/DVD emulation software, this should be uninstalled or disabled as it can interfere with the removal of some malware. It can be turned off with Defogger and then turned back on when you get the "All Clear."
• Please copy and paste the requested log files inside your post, unless otherwise instructed.
• There are no silly questions. Ask for clarification, if you have any questions or concerns.
• Bleeping Computer does not support any piracy. Evidence of illegal OS, software, cracks/keygens, etc., will be revealed by scan logs, and if found, further assistance may be suspended. Uninstall such software before proceeding!
• Any P2P software such as uTorrent, BitTorrent, Kazaa, etc. must be uninstalled or completely disabled. P2P software is a major security risk to your computer and that may have been the route the malware used to infect your computer. Do not use any P2P software until we conclude your topic.
• Failure to follow these guidelines may result in assistance being withdrawn and your thread being closed.
• I am volunteering my time to help you, and I will need you to help me. Together, we can, hopefully, disinfect your computer and get if functioning properly again. That is my only aim.

Before we proceed further, I would need answers to the following questions to help you out better -

1. I see a user created on the system from the following entry where the first word is of the username -

   Gość (S-1-5-21-1797493665-689152161-215716262-501 - Limited - Disabled)

2. Did you set these DNS servers yourself? DNS Servers:

   46.28.68.226 - 8.8.8.8

Download attached fixlist.txt file and save it to the Desktop.

NOTE. It's important that both files, FRST/FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Run FRST/FRST64 and press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.

Have a nice day!

Let me know in case of any problem ^_^

-Pranav

1. It's a profile created by Windows by default. It means 'guest' in english

2. Not really sure about those DNS, it seems I have auto dns set up but maybe it's a dns from my internet provider.

Log:

• Double click on AdwCleaner.exe to run the tool.
  Vista/Windows 7/8 users right-click and select Run As Administrator
• The tool will start to update the database if one is required.
• Click on the Scan button.
• AdwCleaner will begin...be patient as the scan may take some time to complete.
• After the scan has finished, click on the Logfile button.
• A window will open which lists the logs of your scans.
• Click on the Scan tab.
• Double-click the most recent scan which will be at the top of the list....the log will appear.
• To open a Cleaning log, click on the Cleaning tab and double-click the log at the top of the list.
• Copy and paste the contents of that logfile in your next reply.
• A copy of all logfiles are saved to C:\AdwCleaner.
•  
  
  Please download Farbar Recovery Scan Tool and save it to your Desktop. Also, please make sure that you have deleted Addition.txt before proceeding ahead.
  
  Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.
  • Right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will produce a log called FRST.txt in the same directory the tool is run from.
  • Please copy and paste log back here.
  • The first time the tool is run it generates another log (Addition.txt - also located in the same directory as FRST.exe/FRST64.exe). Please also paste that along with the FRST.txt into your reply.
   
  
  
  Let me know in case of any problems ^_^,
  
  
  Regards,
  Pranav

Hey Kamil ^_^,

Your machine appears clean!

Are you having any additional problems at this point? If so, please let me know. Otherwise feel free to enjoy use of your repaired machine

Download Delfix from here and save it to your desktop.

• Ensure Remove disinfection tools is checked.
• Also place a checkmark next to:
  • Create registry backup
  • Purge system restore
  
• Click the Run button.

When the tool is finished, a log will open in notepad. Please copy and paste the log in your next reply.

The most common cause of an infected machine is the Trojan Horse, or programs which appear to be legitimate but which contain malicious payloads, or which are simply malicious in and of themselves. No antivirus, firewall, host-based intrusion prevention system (HIPS), or other security software can fully protect you against this kind of attack. The best way to project yourself is not to run email attachments from untrusted sources, and avoid software downloaded from the internet wherever possible. Remember, when you run an application, you are giving that application permission to do to your machine anything you can do to the machine, including create, modify, or destroy files or other data. In the Windows (and most other systems' such as Unix) security model, applications don't have privileges, users do.

The second most common cause of infection is out of date software. Leaving your system unpatched leaves holes through which attackers can execute code on your behalf without your consent. This goes for far more than common targets such as Windows and Internet Explorer. Most recent threats target other third party software, such as Adobe's Adobe Reader, Shockwave Player, or Flash Player, or Oracle's Java browser plugins. You can check your system for out of date software manually, or by using automated tools such as Secunia's Personal Software Inspector. This goes doubly for security applications such as antivirus and other antimalware products based on definition lists, where out of date lists mean no detection of newer malware.

Finally, occasionally you will be forced to run some potentially infected binary, or attackers will use a hole which is unpatched by software vendors, so a last line of defense is needed. That means turning on a firewall (Windows Firewall included with Windows XP SP2 or later is fine) and leaving it on, and using and keeping up to date an antivirus solution such as Norton AntiVirus. Antiviral solutions don't even have to cost money; for instance Microsoft Secuity Essentials provides perfectly acceptable protection for free. If for some reason you don't like MSE, there are other free products available as well:

• Avast (home use only)
• Avira (shows nag screen to purchase full product when updating, home use only)
• AVG (slightly poorer performance as of late)

That should be fine for the majority of users. However, if you absolutely want additional protection, consider one or more of the following products:

• DNS based website blacklists, such as OpenDNS, Google Public DNS, or the MSMVPs Hosts File
• An additional (non-antivirus) antimalware solution, such as MalwareBytes' Anti-Malware or SUPERAntiSpyware
• Internet Explorer zone blacklists such as those provided by SpywareBlaster

If you want more information on methods malware use to infect your computer, consider browsing our How did I get infected? topic.

Have a nice day!

Regards,

Pranav