Invisible audio ads pop-up windows and amazonaws pop-ups


  • This topic is locked
10 replies to this topic

#1 soso_sem

soso_sem

  • Members
  • 10 posts

Posted 29 September 2016 - 03:10 AM

Hi guys,

For almost two weeks I have been having these annoying audio pop-ups, and I have tried several things, but they always seem to come back.

 

The issue appears on some websites (e.g. 9gag.com), where when the site starts to load, the original ads are loaded and then almost immediately they are covered up by other ads. After some time audio starts playing and pop-ups appear with messages like "congratulations, we want to make you a millionaire" or something similar.

Additionally, when I am scrolling on the main page and there is a .gif post, it automatically redirects me to the post page.

 

I have been noticing these issues on my personal laptop, which runs on Windows 10, but also on my work laptop (runs Windows 7) only when connected to my home wireless network, to a much lesser extent.

 

Here is a summary of what I have tried so far.

- Fully scanned with McAfee

- Full system scan with Spybot Search & Destroy

- Checked Control panel for unwanted installed software: no unknown software found

- Reset all browsers (IE, Chrome, Firefox, Edge), deleted history, cookies, cache and website data

- Clean reset of Windows 10, deleting all user information

- Ran rkill.com

- Scan with Malwarebytes Anti-Malware

- Scan with ADWcleaner

- Scan with Malwarebytes Junk removal tool

- Scan with Hitman Pro

- Scan with NPE Symantec

- Scan with SpyHunter - 2 issues found (identified as dialer trojans): registry keys, created by Spybot at domains/zonemaps that correspond to restricted website

- Increased McAfee firewall security settings

- Took the laptop to the IT work department, they did several things (not sure exactly what though) but couldn't find any issues. Also during the time my laptop was connected to my company's wifi network, all these pop-ups and audio-ads did not appear.

 

All these scans (except the last one) either came up clean, or with minor issues which were fixed by the software.

Unfortunately I have no logs, as I reset Windows afterwards and all files were deleted.

All these steps temporarily fix the issues but it keeps coming back after 1-2 days and it is driving me crazy.

Is there any advice on more things to try?

Any advice would be really appreciated!

Thanks!


Edited by hamluis, 29 September 2016 - 03:59 AM.
Moved from MRL to Am I Infected - Hamluis.




#2 buddy215

buddy215

  • Moderator
  • 13,393 posts

Posted 29 September 2016 - 04:20 AM

Welcome to BC....

 

First....Uninstall SpyHunter using Download Revo Uninstaller Freeware

Then do a search for Enigma on your computer and delete what the search finds. If you purchased SpyHunter then be aware that they will charge you every 6 months. You may also have another program installed by Enigma....a registry cleaner. Uninstall that, too.

 

If you are having issues while using your home router/ wifi, etc. and not while using your job's router and wifi, etc. then it is likely that you need to reset your router and resecure it. Reset by simply holding in the Reset button for a few seconds.

 

If you have Spybot installed I suggest you uninstall it as it has lost the favor of security pros for several years now.

 

Once you have reset the router and secured it....run scans using MBAM, AdwCleaner and Junkware Removal Tool.


“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.”Lawrence M. Krauss
A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”

#3 soso_sem


Posted 29 September 2016 - 04:33 AM

Hi Buddy215,

 

Thanks for your reply.

Is there another Malware you would advise?

 

About the router: I live in an apartment building and I am sharing my internet connection, so I have connected my router to the "central" router to make my own wi-fi network. The problem is that when I try to log in to my router's admin page, I see the central one and not mine.


Edited by soso_sem, 29 September 2016 - 04:38 AM.


#4 buddy215


Posted 29 September 2016 - 04:46 AM

Then you need to report to whoever manages that router. Ask other tenants if they are experiencing the same. You can reset your router...right?

MBAM is very good. You may want to consider purchasing it so it will be actively running at all times...not just to scan with.

 

Have you experienced any problem uninstalling the programs?



#5 buddy215


Posted 29 September 2016 - 04:50 AM

Clean up the computer using CCleaner and post the three lists asked for after uninstalling SpyHunter and Spybot.

 

Use CCleaner to remove Temporary files, program caches, cookies, logs, etc. Use the Default settings. No need to use the Registry Cleaning Tool...risky. Pay close attention while installing and UNcheck offers of toolbars....especially Google.

After install, open CCleaner and run by clicking on the Run Cleaner button in the bottom right corner.

CCleaner - PC Optimization and Cleaning - Free Download

 

Post the three lists mentioned below using CCleaner.

Open CCleaner and click on Tools. Choose Startups. On that page you will see a list of Windows Startups and, at the top, tabs for each browser and Scheduled Tasks. At the bottom right of that page you will see a button that, when clicked, will allow you to Copy and Paste the list of Windows Startups and Scheduled Tasks into your next post. Please do that.

Open CCleaner and click on Tools. Choose Uninstall. On that page you will see a list of programs installed on your computer, and at the bottom right of that page you will see a button that, when clicked, will allow you to Copy and Paste that list in your next post. Please do that.



#6 soso_sem


Posted 29 September 2016 - 05:02 AM

I have just finished uninstalling SpyHunter, and had to reboot. So now I started a junk file cleaner with Revo and cleaned all junk files.

As soon as I am done with that I will also install CCleaner and post again.

 

My neighbor who also connects to the same router has ad blockers on his browsers, so perhaps even if he would have these they are blocked by his add-ons.


Edited by soso_sem, 29 September 2016 - 05:03 AM.


#7 soso_sem


Posted 29 September 2016 - 05:11 AM

Here you have the lists from CCleaner:

 

START-UP

Yes    HKCU:Run    CCleaner Monitoring    Piriform Ltd    semel    "C:\Program Files\CCleaner\CCleaner64.exe" /MONITOR
Yes    HKCU:Run    OneDrive    Microsoft Corporation    semel    "C:\Users\semel\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
Yes    HKCU:Run    Skype    Skype Technologies S.A.    semel    "C:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized /regrun
Yes    HKLM:Run    AccelerometerSysTrayApplet    Hewlett-Packard Company    All users    C:\Program Files (x86)\Hewlett-Packard\HP 3D DriveGuard\AccelerometerST.exe
Yes    HKLM:Run    Dropbox    Dropbox, Inc.    All users    "C:\Program Files (x86)\Dropbox\Client\Dropbox.exe" /systemstartup
Yes    HKLM:Run    HPMessageService    Hewlett-Packard Development Company, L.P.    All users    C:\Program Files (x86)\HP\HP System Event\HPMSGSVC.exe
Yes    HKLM:Run    RTHDVCPL    Realtek Semiconductor    All users    "C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe" -s
No    HKLM:Run    SDTray    Safer-Networking Ltd.    All users    "C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe"

 

SCHEDULED TASKS

Yes    Task    CCleanerSkipUAC    Piriform Ltd    semel    "C:\Program Files\CCleaner\CCleaner.exe" $(Arg0)
Yes    Task    DropboxUpdateTaskMachineCore    Dropbox, Inc.    All users    C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe /c
Yes    Task    DropboxUpdateTaskMachineUA    Dropbox, Inc.    All users    C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe /ua /installsource scheduler
Yes    Task    GoogleUpdateTaskMachineCore    Google Inc.    All users    C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /c
Yes    Task    GoogleUpdateTaskMachineUA    Google Inc.    All users    C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /ua /installsource scheduler
Yes    Task    HPCeeScheduleForsemel    Hewlett-Packard    semel    C:\Program Files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe HPCeeScheduleForsemel (null)
Yes    Task    Intel Security DAT Reputation (AMCore) periodic endpoint safety pulse    McAfee, Inc.    All users    C:\Program Files\Common Files\McAfee\AMContent\scanners\x86_64\datrep\54.0\mcdatrep.exe /script=mcnrdhck.lua /periodicRunCount=6
Yes    Task    McAfeeLogon    McAfee, Inc.    All users    C:\PROGRA~1\COMMON~1\McAfee\Platform\McUICnt.exe /platui
Yes    Task    OneDrive Standalone Update Task    Microsoft Corporation    semel    C:\Users\semel\AppData\Local\Microsoft\OneDrive\17.3.6517.0809\OneDriveStandaloneUpdater.exe
 

UNINSTALL

3D Builder    Microsoft Corporation    21/09/2016        11.1.9.0    All users
Adobe Shockwave Player 12.1    Adobe Systems, Inc.    21/09/2016        12.1.7.157    All users
Alarms & Clock    Microsoft Corporation    21/09/2016        10.1608.2312.0    All users
Amazon    Amazon.com    21/09/2016        2016.815.1000.0    All users
App connector    Microsoft Corporation    21/09/2016        1.3.3.0    All users
Bonjour    Apple Inc.    25/11/2015    2.00 MB    3.0.0.10    All users
Calculator    Microsoft Corporation    21/09/2016        10.1608.2213.0    All users
Camera    Microsoft Corporation    21/09/2016        2016.816.20.0    All users
Candy Crush Soda Saga    king.com    21/09/2016        1.73.900.0    All users
CCleaner    Piriform    29/09/2016        5.22    All users
CyberLink PhotoDirector    CyberLink Corp.    21/09/2016    439 MB    5.0.5.6713    All users
CyberLink Power Media Player 14    CyberLink Corp.    23/09/2016    471 MB    14.0.4.6527    All users
CyberLink PowerDirector 12    CyberLink Corp.    21/09/2016    915 MB    12.0.4.4301    All users
CyberLink YouCam    CyberLink Corp.    21/09/2016    530 MB    6.0.1.4301    All users
Dropbox    Dropbox, Inc.    26/09/2016        10.4.26    All users
Energy Star    Hewlett-Packard Company    25/11/2015    3.39 MB    1.0.9    All users
Evernote v. 5.8.6    Evernote Corp.    25/11/2015    234 MB    5.8.6.7519    All users
Films & TV    Microsoft Corporation    21/09/2016        3.6.23941.0    All users
Get Office    Microsoft Corporation    21/09/2016        17.7319.23511.0    All users
Get Skype    Skype    21/09/2016        3.2.1.0    All users
Get Started    Microsoft Corporation    21/09/2016        4.0.12.0    All users
Google Chrome    Google Inc.    26/09/2016        53.0.2785.116    All users
Groove Music    Microsoft Corporation    26/09/2016        3.6.25021.0    All users
Hearts Deluxe    Random Salad Games LLC    26/09/2016        4.5.0.18    All users
HP 3D DriveGuard    Hewlett-Packard Company    04/08/2015    2.00 MB    6.0.28.1    All users
HP CoolSense    Hewlett-Packard Company    04/08/2015    12.0 MB    2.20.51    All users
HP Documentation    HP    21/09/2016            All users
HP Lounge    Universal Music Mobile    21/09/2016        1.7.4.0    All users
HP Registration Service    Hewlett-Packard    25/11/2015    33.1 MB    1.2.8293.5264    All users
HP Support Assistant    Hewlett-Packard Company    25/11/2015    68.4 MB    8.3.34.7    All users
HP Support Solutions Framework    Hewlett-Packard Company    25/11/2015    6.02 MB    12.5.32.37    All users
HP System Event Utility    Hewlett-Packard Company    25/11/2015    9.06 MB    1.4.1    All users
HP Welcome    Hewlett-Packard Company    21/09/2016        1.0    All users
HP Wireless Button Driver    Hewlett-Packard Company    25/11/2015    1.08 MB    1.1.5.1    All users
Intel Collaborative Processor Performance Control    Intel Corporation    21/09/2016        1.0.0.1018    All users
Intel® Dynamic Platform and Thermal Framework    Intel Corporation    21/09/2016        8.1.10600.147    All users
Intel® Management Engine Components    Intel Corporation    25/11/2015        11.0.0.1158    All users
Intel® Processor Graphics    Intel Corporation    21/09/2016        20.19.15.4331    All users
Intel® Rapid Storage Technology    Intel Corporation    23/09/2016        14.5.2.1088    All users
Intel® WiDi    Intel Corporation    25/11/2015    58.2 MB    6.0.40.0    All users



#8 buddy215


Posted 29 September 2016 - 06:06 AM

Suggest Disabling these Windows Startups: Use CCleaner by clicking on each item and choosing Disable on the right.

Yes    HKCU:Run    CCleaner Monitoring    Piriform Ltd    semel    "C:\Program Files\CCleaner\CCleaner64.exe" /MONITOR
Yes    HKCU:Run    OneDrive    Microsoft Corporation    semel    "C:\Users\semel\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
Yes    HKCU:Run    Skype    Skype Technologies S.A.    semel    "C:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized /regrun

Yes    HKLM:Run    Dropbox    Dropbox, Inc.    All users    "C:\Program Files (x86)\Dropbox\Client\Dropbox.exe" /systemstartup
Yes    HKLM:Run    HPMessageService    Hewlett-Packard Development Company, L.P.    All users    C:\Program Files (x86)\HP\HP System Event\HPMSGSVC.exe

 

Disable these Tasks: Use CCleaner by clicking on each item and choosing Disable on the right.

Yes    Task    CCleanerSkipUAC    Piriform Ltd    semel    "C:\Program Files\CCleaner\CCleaner.exe" $(Arg0)
Yes    Task    DropboxUpdateTaskMachineCore    Dropbox, Inc.    All users    C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe /c
Yes    Task    DropboxUpdateTaskMachineUA    Dropbox, Inc.    All users    C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe /ua /installsource scheduler

Yes    Task    GoogleUpdateTaskMachineUA    Google Inc.    All users    C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /ua /installsource scheduler
Yes    Task    HPCeeScheduleForsemel    Hewlett-Packard    semel    C:\Program Files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe HPCeeScheduleForsemel (null)

Yes    Task    OneDrive Standalone Update Task    Microsoft Corporation    semel    C:\Users\semel\AppData\Local\Microsoft\OneDrive\17.3.6517.0809\OneDriveStandaloneUpdater.exe
 

Uninstall these programs:

Amazon    Amazon.com    21/09/2016        2016.815.1000.0    All users

Candy Crush Soda Saga    king.com    21/09/2016        1.73.900.0    All users

 

I suggest you block Third party cookies...aka...ad/ tracking cookies from installing in your browsers. Once you have done that run CCleaner to remove the existing ones. How to disable third-party cookies in all major web browsers

 

If you don't have an ad blocker installed I would recommend using Adblock Plus. One that I have used for years.

Adblock Plus :: Add-ons for Firefox

Adblock Plus - Chrome Web Store



#9 soso_sem


Posted 29 September 2016 - 06:36 AM

Hi Buddy215,

 

First of all thanks again for all your help and looking into it!

I did the actions you proposed, restarted and the ads and re-directs are still there!

 

I can install the adblocks, but I would also really like to understand why this is happening.

 

I mean, it's really strange: I have two PCs, one next to the other, at exactly the same website, and one is going crazy with pop-up windows!

 

Is there anything else worth trying or repeating?



#10 buddy215


Posted 29 September 2016 - 07:18 AM

You can start a new topic for a deeper look. Follow the directions below.

 

Please follow the instructions in the Malware Removal and Log Section Preparation Guide starting at Step 6.

  • If you cannot complete a step, then skip it and continue with the next.
  • In Step 6 there are instructions for downloading and running FRST which will create two logs.

When you have done that, post your logs in the Virus, Trojan, Spyware, and Malware Removal Logs forum, NOT here, for assistance by the Malware Response Team.

Start a new topic, give it a relevant title and post your log(s) along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. If you cannot produce any of the required logs...start the new topic anyway. Explain that you followed the Prep. Guide, were unable to create the logs, and describe what happened when you tried to create them. A member of the Malware Removal Team will walk you through, step by step, on how to clean your computer.

After doing this, please reply back in this thread with a link to the new topic so we can close this one.

 

DO NOT bump your new topic. Wait for a response from one of the Team Members.



#11 Animal

Animal

    Bleepin' Animinion


  • Site Admin
  • 35,905 posts

Posted 29 September 2016 - 09:12 AM

Hello,

Now that you have posted a log here: http://www.bleepingcomputer.com/forums/t/628061/infected-with-s3-amazonawscom/ you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a MRT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the MRT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the MRT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the MRT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another MRT Team member is already assisting you and not open the thread to respond.

Please be patient. It may take several days to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.

To avoid confusion, I am closing this topic. Good luck with your log.

The Internet is so big, so powerful and pointless that for some people it is a complete substitute for life.
Andrew Brown (1938-1994)


A learning experience is one of those things that say, "You know that thing you just did? Don't do that." Douglas Adams (1952-2001)


"Imagination is more important than knowledge. Knowledge is limited. Imagination circles the world." Albert Einstein (1879-1955)

