My problem seems similar to that experienced by the user in thread https://www.bleepingcomputer.com/forums/t/646728/chrome-pop-unders-slow-and-tried-everything/
It started with crome, Clicking on text on any news website would result in a popup asking me to install toolbars/flash upgrades etc.
This problem started around the time I installed 3 applications (Mailbird, WakeOnLAN_184.108.40.206 and wakeonlangui) I uninstalled the applications but that did not change the situation, I then tried the following without any impact.
- Reset Chrome
- Unistall Chrome
- Install Malwarebytes and ran a full scan(mb3-setup-consumer-220.127.116.119-10103)
- The realtime monitoring was able to detect and block the websites launched but did not detect the PUP.
- Install and run Adaware
- Install and run SophosClean
- Install and run Zemana.AntiMalware
- Install and run kts18.104.22.1681en-in_full
- Install and run Sophos Virus Removal Tool
- Install and run JRT (Junk Removal Tool)
- Install and run adwcleaner_6.047
Some of these tools found and cleaned some PUP's but did not fix the problem.
I finally downloaded wireshark and tried to trace the websites used by the malware to load its advertisement and traced the following
A request was made to
- Which then redirected to http://engine.spotscenered.info/Redirect.eng?MediaSegmentId=30278&dcid=1_ctx_eb497f0e-14c9-48d3-96bd-0d1367f65b64&vmId=00000000-0000-0000-0000-000000000000&abr=false&timeZoneOffset=&v=WKZjqU3pCCXI2HVrbwhh6RLJm]
- Which then responded with <h2>Object moved to <a href="http://ap9ng.3sn.xyz/?noaudio=1&noalert=1&noexit=1&kw=5941&s2=54b87eaa-7d94-4245-9b5c-120a24d08f7e">here</a>.</h2>\r\n
- Which in turn requested <html><body><form id="rform" action="http://Ji4zz.exclusiverewards.keke.gdn/?sov=738369362&hid=bnjfpbnfjdnfbjl&noaudio=1&noalert=1&noexit=1&noaudio=1&noalert=1&noexit=1&redid=37806&gsid=68&campaign_id=29&p_id=8122&id=XNSX.%3A%3
- Which then send out a bunch of requests to load the css+js+images etc.