Avast WEBforum

Other => Viruses and worms => Topic started by: REDACTED on September 13, 2017, 07:27:01 PM

Title: Malware Causes Pop-up Windows (oneclickrev.com) in Browsers
Post by: REDACTED on September 13, 2017, 07:27:01 PM
Hi, I have some malware on my system (Windows XP SP3). Sometimes, when I open an ordinary web page and click on some links there, pop-up windows appear with advertisements. Mainly, it first opens the web page called oneclickrev.com and then redirects to some other pages with advertisements.

I have two browsers, Firefox and Chrome. The same happens on both.

I have no idea where it comes from. Maybe it comes from some freeware I installed earlier, but I don't know which one. I suspected CCleaner, so I uninstalled it. It didn't help. :(
Title: Re: Malware Causes Pop-up Windows (oneclickrev.com) in Browsers
Post by: Pondus on September 13, 2017, 08:44:43 PM
Quote
I have no idea where it comes from.
Probably a website you visited.
Title: Re: Malware Causes Pop-up Windows (oneclickrev.com) in Browsers
Post by: REDACTED on September 13, 2017, 10:03:13 PM
The strange thing is... some websites showed pop-ups earlier but don't show them anymore... and some websites do it now as well.
Title: Re: Malware Causes Pop-up Windows (oneclickrev.com) in Browsers
Post by: Pondus on September 13, 2017, 10:34:28 PM
You may run Malwarebytes AdwCleaner.

Malware experts are notified.
Title: Re: Malware Causes Pop-up Windows (oneclickrev.com) in Browsers
Post by: polonus on September 13, 2017, 11:20:46 PM
In the meantime you can read here: https://malwaretips.com/threads/how-to-remove-save-by-click-adware-removal-guide.12955/

polonus
Title: Re: Malware Causes Pop-up Windows (oneclickrev.com) in Browsers
Post by: Sass Drake on September 14, 2017, 11:19:00 AM
Your DNS server settings have been hijacked.


Code:
Tcpip\Parameters: [DhcpNameServer] 87.117.234.36 8.8.8.8
Tcpip\..\Interfaces\{51412544-8CD5-4EDC-9744-DA6197C2CE12}: [DhcpNameServer] 87.117.234.36 8.8.8.8
Title: Re: Malware Causes Pop-up Windows (oneclickrev.com) in Browsers
Post by: REDACTED on September 14, 2017, 12:53:28 PM
Quote
You may run Malwarebytes AdwCleaner.

Malware experts are notified.
Thank you for the hint, but unfortunately it requires Windows 10 (32/64-bit), Windows 8 (32/64-bit), or Windows 7 (32/64-bit), and I have Windows XP.
Title: Re: Malware Causes Pop-up Windows (oneclickrev.com) in Browsers
Post by: REDACTED on September 14, 2017, 01:06:56 PM
Quote
Your DNS server settings have been hijacked.

  • Open Notepad (click Start button -> type notepad.exe -> press Enter)
  • Copy text from code block below and paste it into Notepad
Code:
Tcpip\Parameters: [DhcpNameServer] 87.117.234.36 8.8.8.8
Tcpip\..\Interfaces\{51412544-8CD5-4EDC-9744-DA6197C2CE12}: [DhcpNameServer] 87.117.234.36 8.8.8.8
  • Go to File -> Save As
  • Make sure that UTF-8 is selected as Encoding (left side of Save button)
  • Save it as fixlist.txt on Desktop
  • Open FRST again and click on the Fix button
  • Wait until FRST finishes
  • fixlog.txt should be generated and opened. Attach it to your post and wait for further instructions.
Thank you. I will do it when I get back home from work today.

Can you tell which software hijacked my server settings, so I could uninstall it and not use it again in the future? Could it happen without a software or add-on installation, just by accidentally clicking on some link?


Update:

What was hijacked, my PC or my router?

My mother's PC is using the same router and it has the same problem. I will upload its logs later today as well.
Title: Re: Malware Causes Pop-up Windows (oneclickrev.com) in Browsers
Post by: REDACTED on September 14, 2017, 05:26:24 PM
Quote
Your DNS server settings have been hijacked.

Here it is - a fixlog.txt of PC1.

Later I will upload logs (FRST.txt and Additions.txt ) of PC2 (my moms PC). It has similar problem.
Title: Re: Malware Causes Pop-up Windows (oneclickrev.com) in Browsers
Post by: REDACTED on September 14, 2017, 06:46:02 PM
PC Nr. 2:

Here are the logs of PC2. It is definitely infected. :( Or the router. It shows many more pop-up windows than my PC (PC1). :(

Title: Re: Malware Causes Pop-up Windows (oneclickrev.com) in Browsers
Post by: Sass Drake on September 14, 2017, 10:28:45 PM
Code:
Tcpip\Parameters: [DhcpNameServer] 87.117.234.36 8.8.8.8
Tcpip\..\Interfaces\{43782033-CBCE-4F77-9832-9494C06EF56D}: [DhcpNameServer] 87.117.234.36 8.8.8.8
GroupPolicy: Restriction ? <==== ATTENTION
cmd: ipconfig /flushdns
Title: Re: Malware Causes Pop-up Windows (oneclickrev.com) in Browsers
Post by: REDACTED on September 15, 2017, 08:59:02 AM
Quote
  • Open Notepad (click Start button -> type notepad.exe -> press Enter)
  • Copy text from code block below and paste it into Notepad
Code:
Tcpip\Parameters: [DhcpNameServer] 87.117.234.36 8.8.8.8
Tcpip\..\Interfaces\{43782033-CBCE-4F77-9832-9494C06EF56D}: [DhcpNameServer] 87.117.234.36 8.8.8.8
GroupPolicy: Restriction ? <==== ATTENTION
cmd: ipconfig /flushdns
  • Go to File -> Save As
  • Make sure that UTF-8 is selected as Encoding (left side of Save button)
  • Save it as fixlist.txt on Desktop
  • Open FRST again and click on the Fix button
  • Wait until FRST finishes
  • fixlog.txt should be generated and opened. Attach it to your post and wait for further instructions.

You mean on PC Nr. 2?
Title: Re: Malware Causes Pop-up Windows (oneclickrev.com) in Browsers
Post by: Sass Drake on September 15, 2017, 09:48:34 AM
Yes.
Title: Re: Malware Causes Pop-up Windows (oneclickrev.com) in Browsers
Post by: REDACTED on September 15, 2017, 06:04:31 PM
Quote
Yes.
Here is the fixlog of PC Nr. 2.

But the PC still has the same issue: every time I go to any web page and click on a link, a popup window appears.
Title: Re: Malware Causes Pop-up Windows (oneclickrev.com) in Browsers
Post by: Sass Drake on September 15, 2017, 09:33:01 PM
Even after system restart?
Title: Re: Malware Causes Pop-up Windows (oneclickrev.com) in Browsers
Post by: REDACTED on September 16, 2017, 01:27:56 AM
Quote
Even after system restart?
Unfortunately yes :( at least in Firefox.

I have scanned PC Nr. 2 with Farbar again and attached the logs.
Title: Re: Malware Causes Pop-up Windows (oneclickrev.com) in Browsers
Post by: Sass Drake on September 16, 2017, 12:01:28 PM
Let's clear this. What is the status of PC 1?
Title: Re: Malware Causes Pop-up Windows (oneclickrev.com) in Browsers
Post by: REDACTED on September 17, 2017, 05:29:35 PM
Quote
Let's clear this. What is the status of PC 1?
I still get some pop-up windows on some pages. Not as often as on PC 2, but nevertheless sometimes. Here are the logs of PC 1.
Title: Re: Malware Causes Pop-up Windows (oneclickrev.com) in Browsers
Post by: Sass Drake on September 17, 2017, 06:33:53 PM
Your router settings have been modified by malware. Log in to your router configuration page and find the DHCP server settings. There you will find "87.117.234.36" as primary DNS server. Remove it and set the router's local IP address as primary DNS server (the default gateway address and the primary DNS address should be the same).
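The check Sass Drake applied by eye, first on the FRST `DhcpNameServer` lines earlier in the thread and now on the router's DHCP settings, can be written down so it runs over any FRST log. The script below is an added example and is not code from the thread or from the FRST tool. It parses the `Tcpip\Parameters` and `Tcpip\..\Interfaces\{GUID}` lines exactly as FRST prints them, flags every resolver that is neither the gateway nor on a small allowlist, applies the rule that a DHCP-served primary resolver on a home LAN should be the router itself, and then emits a fixlist in the same shape the thread used (the flagged lines verbatim plus `ipconfig /flushdns`). The gateway `192.168.1.1`, the allowlist `TRUSTED_RESOLVERS`, the fourth all-zero interface GUID in the sample and all function names are assumptions for the example; the first three sample lines are the ones FRST printed for PC1 and PC2 in this thread.

```python
import re
from ipaddress import ip_address

# Assumptions for this example (not from the thread): the router/default
# gateway is 192.168.1.1 and Google's public resolvers are the only remote
# resolvers the owner knowingly configured.
GATEWAY = "192.168.1.1"
TRUSTED_RESOLVERS = {"8.8.8.8", "8.8.4.4"}

# Constructed sample: the three DhcpNameServer lines FRST printed in the
# thread (PC1 and PC2) plus one hypothetical clean interface for contrast.
SAMPLE_FRST_LINES = r"""
Tcpip\Parameters: [DhcpNameServer] 87.117.234.36 8.8.8.8
Tcpip\..\Interfaces\{51412544-8CD5-4EDC-9744-DA6197C2CE12}: [DhcpNameServer] 87.117.234.36 8.8.8.8
Tcpip\..\Interfaces\{43782033-CBCE-4F77-9832-9494C06EF56D}: [DhcpNameServer] 87.117.234.36 8.8.8.8
Tcpip\..\Interfaces\{00000000-0000-0000-0000-000000000000}: [DhcpNameServer] 192.168.1.1 8.8.8.8
"""

# FRST prints "Tcpip\Parameters:" for the global value and
# "Tcpip\..\Interfaces\{GUID}:" per adapter, then "[Key]" and the
# space-separated resolver list.
LINE_RE = re.compile(
    r"^(?P<scope>Tcpip\\(?:Parameters|\.\.\\Interfaces\\\{[0-9A-Fa-f-]+\})): "
    r"\[(?P<key>DhcpNameServer|NameServer)\] (?P<servers>.+)$"
)


def parse_nameserver_lines(text):
    """Return [(scope, key, [server, ...])] for every Tcpip DNS line in text."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            servers = [s for s in re.split(r"[\s,]+", m["servers"]) if s]
            entries.append((m["scope"], m["key"], servers))
    return entries


def audit_nameservers(entries, gateway=GATEWAY, trusted=TRUSTED_RESOLVERS):
    """Flag a scope if any resolver is outside {gateway} | trusted (or is not
    even a valid IP), or if the primary resolver is not the gateway, which is
    the rule Sass Drake gives for a DHCP-served lease on a home LAN."""
    allowed = set(trusted) | {gateway}
    findings = []
    for scope, key, servers in entries:
        rogue = []
        for s in servers:
            try:
                ip_address(s)
            except ValueError:
                rogue.append(s)  # garbage in the value is suspicious too
                continue
            if s not in allowed:
                rogue.append(s)
        primary_is_gateway = bool(servers) and servers[0] == gateway
        if rogue or not primary_is_gateway:
            findings.append({"scope": scope, "key": key, "rogue": rogue,
                             "primary_is_gateway": primary_is_gateway})
    return findings


def build_fixlist(text, findings):
    """Reproduce the shape of the thread's fixes: the flagged FRST lines
    verbatim in fixlist.txt, followed by a resolver-cache flush."""
    flagged = {f["scope"] for f in findings}
    lines = [raw.strip() for raw in text.splitlines()
             if any(raw.strip().startswith(scope + ":") for scope in flagged)]
    lines.append("cmd: ipconfig /flushdns")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = audit_nameservers(parse_nameserver_lines(SAMPLE_FRST_LINES))
    for f in found:
        print(f"{f['scope']}: rogue={f['rogue']} "
              f"primary_is_gateway={f['primary_is_gateway']}")
    print(build_fixlist(SAMPLE_FRST_LINES, found))
```

Because these are `DhcpNameServer` values, they are whatever the DHCP server on the LAN handed out, so the same rogue resolver on every interface of two different machines points at the router rather than at either PC, and a registry-only fix lasts only until the next lease renewal. That is what the thread shows: the FRST fix did not stick, the router change did.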
Title: Re: Malware Causes Pop-up Windows (oneclickrev.com) in Browsers
Post by: REDACTED on September 17, 2017, 07:55:07 PM
Quote
Your router settings have been modified by malware. Log in to your router configuration page and find the DHCP server settings. There you will find "87.117.234.36" as primary DNS server. Remove it and set the router's local IP address as primary DNS server (the default gateway address and the primary DNS address should be the same).

OK. I have found the DHCP settings on my router configuration page and changed the primary DNS as you told me. It seems to help. I cannot notice any popup windows now, but I will keep watching it over the next days and write here if I see something suspicious.

You wrote "router settings have been modified by malware". Is the malware still in the system? How could I find it? And more importantly, how do I prevent it in the future?

I have changed the default login and password of the router configuration page. Would it prevent the malware from making modifications in the future? Should I change anything else here?

Title: Re: Malware Causes Pop-up Windows (oneclickrev.com) in Browsers
Post by: Sass Drake on September 18, 2017, 01:42:07 AM
It wasn't present in your systems according to the FRST logs. Changing the default password for router configuration should prevent future attacks, and no additional action is required. However, XP SP3 no longer receives security updates, and PC2 is capable of running 7, 8.1 and 10, so you should consider installing one of them.


If there is no more adware popups:

The following will implement some post-cleanup procedures:

=> Please download DelFix (https://toolslib.net/downloads/finish/2-delfix/) by Xplode to your Desktop.
Run the tool and check the following boxes below:
[x] Remove disinfection tools
[x] Create registry backup
[x] Purge System Restore

Click the Run button and wait a few seconds for the program to complete its work.
At this point all the tools we used here should be gone. The tool will create a report for you (C:\DelFix.txt).

The tool will also record the healthy state of the registry and make a backup using the ERUNT program in %windir%\ERUNT\DelFix.
The tool deletes old system restore points and creates a fresh system restore point after cleaning.
Title: Re: Malware Causes Pop-up Windows (oneclickrev.com) in Browsers
Post by: REDACTED on October 02, 2017, 07:51:30 AM
Quote
It wasn't present in your systems according to FRST logs.

On PC Nr. 2 I sometimes still have the same issue. Not as often as earlier, but nevertheless on some pages it shows the same pop-up windows. :(
Title: Re: Malware Causes Pop-up Windows (oneclickrev.com) in Browsers
Post by: Sass Drake on October 02, 2017, 10:31:44 AM
Can you make a screenshot of that popup window and of the page on which it showed? Just to make sure whether the popup was caused by adware or by the web page you visited.
Title: Re: Malware Causes Pop-up Windows (oneclickrev.com) in Browsers
Post by: REDACTED on October 02, 2017, 12:28:32 PM
Quote
Can you make a screenshot of that popup window and of the page on which it showed? Just to make sure whether the popup was caused by adware or by the web page you visited.
Unfortunately today I have no access to PC Nr. 2. I will have it in two days and then I will make screenshots.

But I remember one web page where I got pop-up windows last time. Here it is, if it helps: http://sostavproduktov.ru/potrebitelyu/kak-izbavitsya-ot-pishchevoy-moli
Title: Re: Malware Causes Pop-up Windows (oneclickrev.com) in Browsers
Post by: REDACTED on October 04, 2017, 06:01:12 PM
Quote
Can you make a screenshot of that popup window and of the page on which it showed? Just to make sure whether the popup was caused by adware or by the web page you visited.
Here are the screenshots.

First page Nr. 1 (blank) appears, then it redirects to other (different) pages; one of them is on the second image.

See attachments.
Title: Re: Malware Causes Pop-up Windows (oneclickrev.com) in Browsers
Post by: Sass Drake on October 05, 2017, 12:20:47 AM
Attach fresh FRST logs from that PC.
Title: Re: Malware Causes Pop-up Windows (oneclickrev.com) in Browsers
Post by: REDACTED on October 07, 2017, 04:11:21 PM
Quote
Attach fresh FRST logs from that PC.
Here it is. Logs from PC Nr. 2 made today.
Title: Re: Malware Causes Pop-up Windows (oneclickrev.com) in Browsers
Post by: Sass Drake on October 07, 2017, 07:34:29 PM
Did you install Tampermonkey?
Title: Re: Malware Causes Pop-up Windows (oneclickrev.com) in Browsers
Post by: REDACTED on October 09, 2017, 07:39:03 AM
Quote
Did you install Tampermonkey?
I do not really remember. I think yes. It was together with some kind of Chrome add-on, as I remember. AdBlock or something similar.

Is it a dangerous addon? Should I remove it?
Title: Re: Malware Causes Pop-up Windows (oneclickrev.com) in Browsers
Post by: Sass Drake on October 09, 2017, 09:35:35 PM
It is not dangerous but it can be misused by adware. If you don't use it feel free to disable/remove it.
Title: Re: Malware Causes Pop-up Windows (oneclickrev.com) in Browsers
Post by: REDACTED on October 10, 2017, 07:39:38 AM
Quote
It is not dangerous but it can be misused by adware. If you don't use it feel free to disable/remove it.
OK. What else?
Title: Re: Malware Causes Pop-up Windows (oneclickrev.com) in Browsers
Post by: Sass Drake on October 10, 2017, 03:30:43 PM
If you removed it test if ads appear where they should not appear.