Author Topic: Ad playing on browser startup  (Read 8866 times)


REDACTED

  • Guest
Ad playing on browser startup
« on: June 23, 2014, 05:11:26 PM »
For the past few days I have had a problem when I start up my browser after putting my laptop into hibernation or restarting it.

When I open Chrome a video ad for Myspace opens. I have run Avast, Malwarebytes, and Adwcleaner, and while they found a few things and I fixed the issues, this problem still remains. I checked to make sure there were no programs that had been installed or anything like that. I have no clue what this is and my Google searches have turned up very little and I have no idea how to fix this issue. Any help would be greatly appreciated.

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37582
  • Not a avast user
Re: Ad playing on browser startup
« Reply #1 on: June 23, 2014, 05:20:36 PM »
try this   https://support.google.com/chrome/answer/3296214?hl=en

did it work?

if not, follow instructions here and attach (not copy and paste) OTL diagnostic log   https://forum.avast.com/index.php?topic=53253.0


Offline TwinHeadedEagle

  • Malware Removal Expert
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 2987
    • Zemana
Re: Ad playing on browser startup
« Reply #2 on: June 23, 2014, 05:34:19 PM »
Monitoring...
My help is free, however if you'd like to show your appreciation by leaving a donation, it will be much appreciated ------> DONATE

REDACTED

  • Guest
Re: Ad playing on browser startup
« Reply #3 on: June 23, 2014, 06:21:25 PM »
Quote
try this   https://support.google.com/chrome/answer/3296214?hl=en

did it work?

if not, follow instructions here and attach (not copy and paste) OTL diagnostic log   https://forum.avast.com/index.php?topic=53253.0

I've restarted a couple of times and haven't had the issue. Is it possible that the scans got rid of the issue and the browser setting just needed to be reset? I had a similar issue a while ago with Spigot and I had to reset my browser settings as well.

I'm going to keep an eye on the issue and if it persists I will run the OTL scan. Thanks for your help, I appreciate it.

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37582
  • Not a avast user
Re: Ad playing on browser startup
« Reply #4 on: June 23, 2014, 06:47:35 PM »
Quote
Is it possible that the scans got rid of the issue and the browser setting just needed to be reset?
yes, Chrome sometimes needs to be reset after removal

REDACTED

  • Guest
Re: Ad playing on browser startup
« Reply #5 on: June 24, 2014, 03:58:35 PM »
The ad shows up again. I noticed that it pops up after the computer has been hibernated or turned off for a long time. So when I wake up in the morning and open my laptop and boot Chrome this ad pops up. I believe it is also messing up my bookmarks. Twice all my bookmarks have disappeared since these ads have started popping up.

I just ran the OTL diagnostic and have attached the OTL log.

Offline Michael (alan1998)

  • Massive Poster
  • ****
  • Posts: 2768
  • Volunteer
Re: Ad playing on browser startup
« Reply #6 on: June 24, 2014, 04:08:21 PM »
Your file is Chinese. Refer to this image and save it as ANSI.

Make sure you use Save As to get that.

If you still can't get it to work, run a fresh scan. Sounds like Blackbeard.

Edit: Compcav needs to teach me how to type: Fixed the spelling errors.
« Last Edit: June 24, 2014, 04:15:59 PM by Michael (alan1998) »
VOLUNTEER

Senior Security Analyst; Sys Admin (Linux); Forensics/Incident Response.

Security is a mindset, not an application. Think BEFORE you click.

REDACTED

  • Guest
Re: Ad playing on browser startup
« Reply #7 on: June 24, 2014, 04:17:05 PM »
Okay I saved it again.

What is Blackbeard? Is it serious?
« Last Edit: June 24, 2014, 04:19:23 PM by ZipSwitch »


Offline Michael (alan1998)

  • Massive Poster
  • ****
  • Posts: 2768
  • Volunteer
Re: Ad playing on browser startup
« Reply #9 on: June 24, 2014, 04:40:01 PM »
Serious, kind of. It can be very stealthy. I saw... this

Code: [Select]
MOD - [2014/06/23 11:42:19 | 000,805,888 | ---- | M] () -- C:\Users\John\AppData\Local\Temp\_MEI48202\wx._gdi_.pyd
MOD - [2014/06/23 11:42:19 | 000,027,136 | ---- | M] () -- C:\Users\John\AppData\Local\Temp\_MEI48202\_multiprocessing.pyd
MOD - [2014/06/23 11:42:19 | 000,007,168 | ---- | M] () -- C:\Users\John\AppData\Local\Temp\_MEI48202\hashobjs_ext.pyd
MOD - [2014/06/23 11:42:18 | 001,160,704 | ---- | M] () -- C:\Users\John\AppData\Local\Temp\_MEI48202\_ssl.pyd
MOD - [2014/06/23 11:42:18 | 000,811,008 | ---- | M] () -- C:\Users\John\AppData\Local\Temp\_MEI48202\wx._windows_.pyd
MOD - [2014/06/23 11:42:18 | 000,713,216 | ---- | M] () -- C:\Users\John\AppData\Local\Temp\_MEI48202\_hashlib.pyd
MOD - [2014/06/23 11:42:18 | 000,110,080 | ---- | M] () -- C:\Users\John\AppData\Local\Temp\_MEI48202\PyWinTypes27.dll
MOD - [2014/06/23 11:42:18 | 000,070,656 | ---- | M] () -- C:\Users\John\AppData\Local\Temp\_MEI48202\wx._html2.pyd
MOD - [2014/06/23 11:42:18 | 000,025,600 | ---- | M] () -- C:\Users\John\AppData\Local\Temp\_MEI48202\win32pdh.pyd
MOD - [2014/06/23 11:42:18 | 000,024,064 | ---- | M] () -- C:\Users\John\AppData\Local\Temp\_MEI48202\win32pipe.pyd
MOD - [2014/06/23 11:42:17 | 001,062,400 | ---- | M] () -- C:\Users\John\AppData\Local\Temp\_MEI48202\wx._controls_.pyd
MOD - [2014/06/23 11:42:16 | 000,686,080 | ---- | M] () -- C:\Users\John\AppData\Local\Temp\_MEI48202\unicodedata.pyd
MOD - [2014/06/23 11:42:16 | 000,525,640 | ---- | M] () -- C:\Users\John\AppData\Local\Temp\_MEI48202\windows._lib_cacheinvalidation.pyd
MOD - [2014/06/23 11:42:16 | 000,167,936 | ---- | M] () -- C:\Users\John\AppData\Local\Temp\_MEI48202\win32gui.pyd
MOD - [2014/06/23 11:42:16 | 000,128,512 | ---- | M] () -- C:\Users\John\AppData\Local\Temp\_MEI48202\_elementtree.pyd
MOD - [2014/06/23 11:42:16 | 000,127,488 | ---- | M] () -- C:\Users\John\AppData\Local\Temp\_MEI48202\pyexpat.pyd
MOD - [2014/06/23 11:42:16 | 000,119,808 | ---- | M] () -- C:\Users\John\AppData\Local\Temp\_MEI48202\win32file.pyd
MOD - [2014/06/23 11:42:16 | 000,108,544 | ---- | M] () -- C:\Users\John\AppData\Local\Temp\_MEI48202\win32security.pyd
MOD - [2014/06/23 11:42:16 | 000,087,552 | ---- | M] () -- C:\Users\John\AppData\Local\Temp\_MEI48202\_ctypes.pyd
MOD - [2014/06/23 11:42:16 | 000,038,912 | ---- | M] () -- C:\Users\John\AppData\Local\Temp\_MEI48202\win32inet.pyd
MOD - [2014/06/23 11:42:16 | 000,018,432 | ---- | M] () -- C:\Users\John\AppData\Local\Temp\_MEI48202\win32event.pyd
MOD - [2014/06/23 11:42:16 | 000,017,408 | ---- | M] () -- C:\Users\John\AppData\Local\Temp\_MEI48202\win32profile.pyd
MOD - [2014/06/23 11:42:16 | 000,010,240 | ---- | M] () -- C:\Users\John\AppData\Local\Temp\_MEI48202\select.pyd
MOD - [2014/06/23 11:42:15 | 000,557,056 | ---- | M] () -- C:\Users\John\AppData\Local\Temp\_MEI48202\pysqlite2._sqlite.pyd
MOD - [2014/06/23 11:42:15 | 000,320,512 | ---- | M] () -- C:\Users\John\AppData\Local\Temp\_MEI48202\win32com.shell.shell.pyd
MOD - [2014/06/23 11:42:15 | 000,098,816 | ---- | M] () -- C:\Users\John\AppData\Local\Temp\_MEI48202\win32api.pyd
MOD - [2014/06/23 11:42:15 | 000,045,568 | ---- | M] () -- C:\Users\John\AppData\Local\Temp\_MEI48202\_socket.pyd
MOD - [2014/06/23 11:42:15 | 000,022,528 | ---- | M] () -- C:\Users\John\AppData\Local\Temp\_MEI48202\win32ts.pyd
MOD - [2014/06/23 11:42:14 | 001,175,040 | ---- | M] () -- C:\Users\John\AppData\Local\Temp\_MEI48202\wx._core_.pyd
MOD - [2014/06/23 11:42:14 | 000,364,544 | ---- | M] () -- C:\Users\John\AppData\Local\Temp\_MEI48202\pythoncom27.dll
MOD - [2014/06/23 11:42:13 | 000,735,232 | ---- | M] () -- C:\Users\John\AppData\Local\Temp\_MEI48202\wx._misc_.pyd
MOD - [2014/06/23 11:42:13 | 000,078,336 | ---- | M] () -- C:\Users\John\AppData\Local\Temp\_MEI48202\wx._animate.pyd
MOD - [2014/06/23 11:42:12 | 000,122,368 | ---- | M] () -- C:\Users\John\AppData\Local\Temp\_MEI48202\wx._wizard.pyd
MOD - [2014/06/23 11:42:12 | 000,011,264 | ---- | M] () -- C:\Users\John\AppData\Local\Temp\_MEI48202\win32crypt.pyd
MOD - [2014/06/23 11:42:11 | 000,035,840 | ---- | M] () -- C:\Users\John\AppData\Local\Temp\_MEI48202\win32process.pyd

Now, it could be nothing. But that many Python files is rare, more so in AppData.

Take my word for this. I am no expert on OTL. That is why Twin will help you. It's also why I am in training.

Also, [2013/10/22 20:11:11 | 000,000,000 | ---D | M] -- C:\Users\John\AppData\Roaming\uTorrent

uTorrent is a bad idea.

My Canned Speech came in handy :)




Hello,

You have some P2P programs installed. These programs are not recommended here. Please read below so you can decide if you'd like to keep them.

Description:

These programs link directly from computer to computer, making you very easy to infect. While P2P used to be safe, it no longer is and any type of P2P network can be used to infect you, or others. P2P has also been linked to Cyber-Identity-Theft in a few cases, where settings were set wrong. While these programs seem like a great way to get free software/media, they usually come bundled with other files, such as adware, spyware, Trojans etc.

I would ask you to read the following articles on the dangers of P2P Usage:

Info World Article
FBI Article

If you continue the usage I cannot guarantee you will stay clean, so I recommend you remove them. If you decide to keep them, please refrain from using them until we are done.

Now, I shall shut up and let twin do his work :)
« Last Edit: June 24, 2014, 04:50:58 PM by Michael (alan1998) »
VOLUNTEER

Senior Security Analyst; Sys Admin (Linux); Forensics/Incident Response.

Security is a mindset, not an application. Think BEFORE you click.
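
As an added example (not part of the thread and not OTL's own code): a small Python triage script for `MOD` lines in the format quoted in the reply above. It groups modules loaded from a user's Temp folder by directory, flags folders named `_MEI<digits>` (the name PyInstaller one-file executables give their unpack folder), and lists bundled networking modules. The field layout is inferred from the quoted lines, and the function names and the `NETWORK_MODULES` set are assumptions made for this example.

```python
import ntpath
import re
from collections import defaultdict

# First four lines are copied from the log excerpt above; the last is constructed.
SAMPLE_LOG = r"""
MOD - [2014/06/23 11:42:18 | 001,160,704 | ---- | M] () -- C:\Users\John\AppData\Local\Temp\_MEI48202\_ssl.pyd
MOD - [2014/06/23 11:42:16 | 000,038,912 | ---- | M] () -- C:\Users\John\AppData\Local\Temp\_MEI48202\win32inet.pyd
MOD - [2014/06/23 11:42:15 | 000,045,568 | ---- | M] () -- C:\Users\John\AppData\Local\Temp\_MEI48202\_socket.pyd
MOD - [2014/06/23 11:42:14 | 001,175,040 | ---- | M] () -- C:\Users\John\AppData\Local\Temp\_MEI48202\wx._core_.pyd
MOD - [2014/06/20 09:00:00 | 000,100,000 | ---- | M] (Example Corp) -- C:\Program Files\Example\example.dll
"""

# Layout inferred from the quoted lines: timestamp | size | attributes | M] (company) -- path
MOD_RE = re.compile(
    r"^MOD - \[(?P<ts>[\d/]+ [\d:]+) \| (?P<size>[\d,]+) \| (?P<attrs>\S+) \| M\] "
    r"\((?P<company>.*?)\) -- (?P<path>.+)$"
)
UNPACK_DIR = re.compile(r"^_MEI\d+$")  # PyInstaller one-file unpack folder name
NETWORK_MODULES = {"_socket", "_ssl", "win32inet"}  # sockets, TLS, WinINet (assumed list)

def parse_mod_lines(text):
    """Return one dict per well-formed OTL 'MOD' line; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = MOD_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries

def summarize_temp_dirs(entries):
    """Group modules loaded from a user's Temp folder by directory."""
    dirs = defaultdict(list)
    for e in entries:
        folder = ntpath.dirname(e["path"])
        if "\\appdata\\local\\temp\\" in folder.lower() + "\\":
            dirs[folder].append(e)
    report = {}
    for folder, mods in dirs.items():
        stems = {ntpath.splitext(ntpath.basename(m["path"]))[0] for m in mods}
        report[folder] = {
            "count": len(mods),
            "no_company": sum(1 for m in mods if not m["company"]),
            "pyinstaller_unpack_dir": bool(UNPACK_DIR.match(ntpath.basename(folder))),
            "network_modules": sorted(stems & NETWORK_MODULES),
        }
    return report

if __name__ == "__main__":
    for folder, info in summarize_temp_dirs(parse_mod_lines(SAMPLE_LOG)).items():
        print(folder, info)
```

A flagged unpack folder only shows that some packaged Python program was running when the log was taken; the next step is to identify the executable that created it before treating it as malicious or benign.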

REDACTED

  • Guest
Re: Ad playing on browser startup
« Reply #10 on: June 24, 2014, 04:57:50 PM »
I didn't even know it was still installed. I assumed my roommate had uninstalled it after our little spigot problem. Uninstalling now, thanks for the heads up.
« Last Edit: June 24, 2014, 05:17:30 PM by ZipSwitch »

Offline Michael (alan1998)

  • Massive Poster
  • ****
  • Posts: 2768
  • Volunteer
Re: Ad playing on browser startup
« Reply #11 on: June 24, 2014, 05:09:44 PM »
No problem. You can thank Compcav for making me write that.

If I had to guess, an infection might've come through there. Regardless, I am sure Twin will try to help you.
VOLUNTEER

Senior Security Analyst; Sys Admin (Linux); Forensics/Incident Response.

Security is a mindset, not an application. Think BEFORE you click.

Offline TwinHeadedEagle

  • Malware Removal Expert
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 2987
    • Zemana
Re: Ad playing on browser startup
« Reply #12 on: June 24, 2014, 08:13:42 PM »
Hello,


Please download AdwCleaner by Xplode and save to your Desktop.

Double click on AdwCleaner.exe to run the tool.
  • Click on the Scan button.
  • After the scan has finished click on the Clean button.
Press OK when asked to close all programs and follow the onscreen prompts.
Press OK again to allow AdwCleaner to restart the computer and complete the removal process.

  • After rebooting, a logfile report (AdwCleaner[S0].txt) will open automatically.
  • The logfile will also be saved in the C:\AdwCleaner folder.
*****  NEXT  *****



Please download Farbar Recovery Scan Tool by Farbar and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them.
Only one of them will run on your system, that will be the right version.


  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Under Optional Scan ensure "List BCD" and "Driver MD5" are ticked.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.
My help is free, however if you'd like to show your appreciation by leaving a donation, it will be much appreciated ------> DONATE

REDACTED

  • Guest
Re: Ad playing on browser startup
« Reply #13 on: June 25, 2014, 12:18:52 AM »
Results of both scans are attached.

Offline TwinHeadedEagle

  • Malware Removal Expert
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 2987
    • Zemana
Re: Ad playing on browser startup
« Reply #14 on: June 25, 2014, 09:01:46 AM »
Please go to: VirusTotal
  •   Click the Choose File button.
  •   Please copy/paste the following text into the 'File name:' box:
Code: [Select]
C:\Windows\System32\GFNEXSrv.exe
  •   Click Open then click the Scan it! button just below.
  •   This will scan the file. Please be patient.
  •   If you get a message saying File already analyzed: click Reanalyse
  •   Once scanned, copy and paste the URL from your browser address bar in your next reply.
My help is free, however if you'd like to show your appreciation by leaving a donation, it will be much appreciated ------> DONATE