Author Topic: Malware Causes Pop-up Windows (oneclickrev.com) in Browsers  (Read 9039 times)


REDACTED

  • Guest
Malware Causes Pop-up Windows (oneclickrev.com) in Browsers
« on: September 13, 2017, 07:27:01 PM »
Hi, I have some malware on my system (Windows XP SP3). Sometimes, when I open a usual web page and click on some links there, pop-up windows appear with advertisements. Mainly, it first opens the web page called oneclickrev.com and then it redirects to some other pages with advertisements.

I have two browsers, Firefox and Chrome. The same happens on both.

I have no idea where it comes from. Maybe it comes from some freeware I installed earlier, but I don't know which one. I suspected CCleaner, so I uninstalled it. It didn't help. :(

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37509
  • Not a avast user
« Reply #1 on: September 13, 2017, 08:44:43 PM »
Quote
I have no idea where it comes from.
Probably a website you visited

REDACTED

  • Guest
« Reply #2 on: September 13, 2017, 10:03:13 PM »
The strange thing is... Some websites showed pop-ups earlier, but now do not show them anymore... Some websites do it now as well.

Offline Pondus

« Reply #3 on: September 13, 2017, 10:34:28 PM »
You may run Malwarebytes Adwcleaner 

Malware experts are notified



Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33892
  • malware fighter
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline Sass Drake

  • MyCity AMF R2
  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 820
« Reply #5 on: September 14, 2017, 11:19:00 AM »
Your DNS server settings have been hijacked.


  • Open Notepad (click Start button -> type notepad.exe -> press Enter)
  • Copy text from code block below and paste it into Notepad
Code:
Tcpip\Parameters: [DhcpNameServer] 87.117.234.36 8.8.8.8
Tcpip\..\Interfaces\{51412544-8CD5-4EDC-9744-DA6197C2CE12}: [DhcpNameServer] 87.117.234.36 8.8.8.8
  • Go to File -> Save As
  • Make sure that UTF-8 is selected as Encoding (left side of Save button)
  • Save it as fixlist.txt on Desktop
  • Open FRST again and click on the Fix button
  • Wait until FRST finishes
  • fixlog.txt should be generated and opened. Attach it to your post and wait for further instructions.

REDACTED

  • Guest
« Reply #6 on: September 14, 2017, 12:53:28 PM »
Quote
You may run Malwarebytes Adwcleaner

Malware experts are notified

Thank you for the hint, but unfortunately it requires Windows 10 (32/64-bit), Windows 8 (32/64-bit), or Windows 7 (32/64-bit) and I have Win XP.

REDACTED

  • Guest
« Reply #7 on: September 14, 2017, 01:06:56 PM »
Thank you. I will do it when I go back home from work today.

Can you tell which software hijacked my server settings? So I could uninstall it and not use it again in the future. Could it happen without software or an add-on installation? Just by accidentally clicking on some link?


Update:

What was hijacked - my PC or my router?

My mother's PC is using the same router and it has the same problem. I will upload its logs later today as well.
« Last Edit: September 14, 2017, 03:44:13 PM by dafarulia »

REDACTED

  • Guest
« Reply #8 on: September 14, 2017, 05:26:24 PM »

Here it is - a fixlog.txt of PC1.

Later I will upload logs (FRST.txt and Additions.txt) of PC2 (my mom's PC). It has a similar problem.

REDACTED

  • Guest
« Reply #9 on: September 14, 2017, 06:46:02 PM »
PC Nr. 2:

Here are the logs of PC2. It is definitely infected. :( Or the router. It shows many more pop-up windows than my PC (PC1). :(




Offline Sass Drake

« Reply #10 on: September 14, 2017, 10:28:45 PM »
  • Open Notepad (click Start button -> type notepad.exe -> press Enter)
  • Copy text from code block below and paste it into Notepad
Code:
Tcpip\Parameters: [DhcpNameServer] 87.117.234.36 8.8.8.8
Tcpip\..\Interfaces\{43782033-CBCE-4F77-9832-9494C06EF56D}: [DhcpNameServer] 87.117.234.36 8.8.8.8
GroupPolicy: Restriction ? <==== ATTENTION
cmd: ipconfig /flushdns
  • Go to File -> Save As
  • Make sure that UTF-8 is selected as Encoding (left side of Save button)
  • Save it as fixlist.txt on Desktop
  • Open FRST again and click on the Fix button
  • Wait until FRST finishes
  • fixlog.txt should be generated and opened. Attach it to your post and wait for further instructions.
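
The `DhcpNameServer` lines from the two fixlists in this thread can also be checked with a script. The following is an added example, not part of the original posts and not FRST's own code: it parses FRST-style DNS lines, reports resolvers outside an expected set, and says where to look first. The `EXPECTED` set and the router address 192.168.1.1 are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# DhcpNameServer lines quoted in this thread, grouped by machine.
FRST_LINES = {
    "PC1": [
        r"Tcpip\Parameters: [DhcpNameServer] 87.117.234.36 8.8.8.8",
        r"Tcpip\..\Interfaces\{51412544-8CD5-4EDC-9744-DA6197C2CE12}: [DhcpNameServer] 87.117.234.36 8.8.8.8",
    ],
    "PC2": [
        r"Tcpip\Parameters: [DhcpNameServer] 87.117.234.36 8.8.8.8",
        r"Tcpip\..\Interfaces\{43782033-CBCE-4F77-9832-9494C06EF56D}: [DhcpNameServer] 87.117.234.36 8.8.8.8",
    ],
}
# Assumption: resolvers this LAN should use (192.168.1.1 is a hypothetical router address).
EXPECTED = {"192.168.1.1", "8.8.8.8"}
ENTRY = re.compile(r"^Tcpip\\(?P<key>.+?): \[(?P<name>(?:Dhcp)?NameServer)\] (?P<servers>.+)$")

def parse_entries(lines):
    """Yield (registry key, value name, resolver IP) for each DNS line in FRST-style output."""
    for line in lines:
        m = ENTRY.match(line.strip())
        if not m:
            continue
        for token in re.split(r"[,\s]+", m["servers"].strip()):
            try:
                yield m["key"], m["name"], str(ipaddress.ip_address(token))
            except ValueError:
                continue  # skip anything that is not an IP address

def assess(machines, expected):
    """Map each unexpected resolver to the machines showing it and where to look first."""
    seen = defaultdict(lambda: {"machines": set(), "values": set()})
    for machine, lines in machines.items():
        for _key, name, ip in parse_entries(lines):
            if ip not in expected:
                seen[ip]["machines"].add(machine)
                seen[ip]["values"].add(name)
    report = {}
    for ip, info in seen.items():
        # DhcpNameServer is normally written from the DHCP lease (usually the router);
        # NameServer holds servers configured statically on the host itself.
        via_dhcp = info["values"] == {"DhcpNameServer"}
        where = "router/DHCP server" if via_dhcp else "host settings"
        report[ip] = {"machines": sorted(info["machines"]), "check_first": where}
    return report
if __name__ == "__main__":
    print(assess(FRST_LINES, EXPECTED))
```

The `check_first` field is a starting point for the investigation, not a verdict: the same unexpected resolver arriving through `DhcpNameServer` on several machines is a reason to inspect the router's DNS settings as well as each host.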

REDACTED

  • Guest
« Reply #11 on: September 15, 2017, 08:59:02 AM »

You mean on PC Nr. 2?

Offline Sass Drake

« Reply #12 on: September 15, 2017, 09:48:34 AM »
Yes.

REDACTED

  • Guest
« Reply #13 on: September 15, 2017, 06:04:31 PM »
Quote
Yes.

Here is the fixlog of PC Nr. 2.

But the PC still has the same issue - every time I go to any web page and click on a link, a pop-up window appears.
« Last Edit: September 15, 2017, 09:15:39 PM by dafarulia »

Offline Sass Drake

« Reply #14 on: September 15, 2017, 09:33:01 PM »
Even after system restart?