Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Browser popunder infection


  • Please log in to reply
4 replies to this topic

#1 vijayvithal

vijayvithal

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:10:22 PM

Posted 22 May 2017 - 05:19 AM

My problem seems similar to that experienced by the user in thread https://www.bleepingcomputer.com/forums/t/646728/chrome-pop-unders-slow-and-tried-everything/

 

It started with crome, Clicking on text on any news website would result in a popup asking me to install toolbars/flash upgrades etc.

 

This problem started around the time I installed 3 applications (Mailbird, WakeOnLAN_2.11.16.0 and wakeonlangui) I uninstalled the applications but that did not change the situation, I then tried the following without any impact.

  1. Reset Chrome
  2. Unistall Chrome
  3. Install Malwarebytes and ran a full scan(mb3-setup-consumer-3.0.6.1469-10103)
    1. The realtime monitoring was able to detect and block the websites launched but did not detect the PUP.
  4. Install and run Adaware
  5. Install and run SophosClean
  6. Install and run Zemana.AntiMalware
  7. Install and run kts17.0.0.611en-in_full
  8. Install and run Sophos Virus Removal Tool
  9. Install and run JRT (Junk Removal Tool)
  10. Install and run adwcleaner_6.047

Some of these tools found and cleaned some PUP's but did not fix the problem.

 

I finally downloaded wireshark and tried to trace the websites used by the malware to load its advertisement and traced the following

 

While viewing http://www.catchnews.com/india-news/jean-dreze-writes-letter-about-his-partner-bela-bhatia-1459103212.html

A request was made to

  1. http://engine.spotscenered.info/link.engine?guid=edfc8266-ad5d-4135-8e8c-bf220f334f44&Hardlink=true&time=0&keyw=%5B%22jean%22%2C%22dreze%22%2C%22writes%22%2C%22letter%22%2C%22about%22%2C%22his%22%2C%22partner%]
  2. Which then redirected to  http://engine.spotscenered.info/Redirect.eng?MediaSegmentId=30278&dcid=1_ctx_eb497f0e-14c9-48d3-96bd-0d1367f65b64&vmId=00000000-0000-0000-0000-000000000000&abr=false&timeZoneOffset=&v=WKZjqU3pCCXI2HVrbwhh6RLJm]
  3. Which then responded with <h2>Object moved to <a href="http://ap9ng.3sn.xyz/?noaudio=1&amp;noalert=1&amp;noexit=1&amp;kw=5941&amp;s2=54b87eaa-7d94-4245-9b5c-120a24d08f7e">here</a>.</h2>\r\n
  4. Which in turn requested  <html><body><form id="rform" action="http://Ji4zz.exclusiverewards.keke.gdn/?sov=738369362&hid=bnjfpbnfjdnfbjl&noaudio=1&noalert=1&noexit=1&noaudio=1&noalert=1&noexit=1&redid=37806&gsid=68&campaign_id=29&p_id=8122&id=XNSX.%3A%3
  5. Which then send out a bunch of requests to load the css+js+images etc.

 

 



BC AdBot (Login to Remove)

 


#2 vijayvithal

vijayvithal
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:10:22 PM

Posted 22 May 2017 - 05:45 AM

The reports from various Checkers are as follows

 

Security Check Report

 

Results of screen317's Security Check version 1.014 --- 12/23/15  
   x64 (UAC is enabled)  
 Internet Explorer 11  
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled!  
adaware antivirus          
Kaspersky Total Security   
Windows Defender           
 Antivirus up to date!   
`````````Anti-malware/Other Utilities Check:`````````
 Zemana AntiMalware    
 Java version 32-bit out of Date!
 Mozilla Firefox (53.0.3)
 Mozilla Thunderbird (52.1.0)
````````Process Check: objlist.exe by Laurent````````  
 adaware antivirus adaware antivirus 12.0.649.11190 AdAwareService.exe
 adaware antivirus adaware antivirus 12.0.649.11190 AdAwareTray.exe
 Zemana AntiMalware ZAM.exe   
 Kaspersky Lab Kaspersky Total Security 17.0.0 avp.exe  
 Kaspersky Lab Kaspersky Total Security 17.0.0 avpui.exe  
 Kaspersky Lab Kaspersky Secure Connection 1.0 ksde.exe  
 Kaspersky Lab Kaspersky Secure Connection 1.0 ksdeui.exe  
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C:  %
````````````````````End of Log``````````````````````
 



#3 vijayvithal

vijayvithal
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:10:22 PM

Posted 22 May 2017 - 06:10 AM

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.1.3 (04.10.2017)
Operating System: Windows 8.1 Single Language x64
Ran by soumya (Administrator) on Mon 05/22/2017 at 16:28:12.92
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




File System: 0




Registry: 0





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Mon 05/22/2017 at 16:36:24.80
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 



#4 vijayvithal

vijayvithal
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:10:22 PM

Posted 22 May 2017 - 06:17 AM

Farbar Service Scanner Version: 27-01-2016
Ran by soumya (administrator) on 22-05-2017 at 16:45:28
Running from "C:\Users\soumya\Downloads"
Microsoft Windows 8.1 Single Language  (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Policy:
========================


Action Center:
============


Windows Update:
============
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is set to Demand. The default start type is Auto.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv service is OK.


Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend: ""%ProgramFiles%\Windows Defender\MsMpEng.exe"".


Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1


Other Services:
==============


File Check:
========
C:\Windows\System32\nsisvc.dll => File is digitally signed
C:\Windows\System32\drivers\nsiproxy.sys => File is digitally signed
C:\Windows\System32\dhcpcore.dll => File is digitally signed
C:\Windows\System32\drivers\afd.sys => File is digitally signed
C:\Windows\System32\drivers\tdx.sys => File is digitally signed
C:\Windows\System32\Drivers\tcpip.sys => File is digitally signed
C:\Windows\System32\dnsrslvr.dll => File is digitally signed
C:\Windows\System32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\System32\mpssvc.dll => File is digitally signed
C:\Windows\System32\bfe.dll => File is digitally signed
C:\Windows\System32\drivers\mpsdrv.sys => File is digitally signed
C:\Windows\System32\wscsvc.dll => File is digitally signed
C:\Windows\System32\wbem\WMIsvc.dll => File is digitally signed
C:\Windows\System32\wuaueng.dll => File is digitally signed
C:\Windows\System32\qmgr.dll => File is digitally signed
C:\Windows\System32\es.dll => File is digitally signed
C:\Windows\System32\cryptsvc.dll => File is digitally signed
C:\Program Files\Windows Defender\MpSvc.dll => File is digitally signed
C:\Program Files\Windows Defender\MsMpEng.exe => File is digitally signed
C:\Windows\System32\ipnathlp.dll => File is digitally signed
C:\Windows\System32\iphlpsvc.dll => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed


**** End of log ****



#5 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,493 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:12:52 PM

Posted 09 June 2017 - 10:24 AM

Time for a deeper look.
Please follow this Preparation Guide and post in a new topic.
Let me know if all went well.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users