Solved Malware Sponsored Content

[Lee Ewell]

About a week? ago I noticed that on the many news/current events websites (FOX/CNN) some additional "Sponsored Content" has appeared. Usually below the standard ads and clickbait, ads with larger than usual photos appeared advertising mostly dating sites and semi-pornographic video games. They are different in appearance and content than what I usually see. These appear in both Edge and Chrome browsers.


I have clicked on a couple of them. My browser window briefly displays mgid.com before taking me a gaming site. I also right-clicked in Chrome, which displays some technical information I am totally unfamiliar with. One panel in the Chrome analysis said that several things had failed to load and that it was "sandbagged." It sounds like the malware blocking the Sponsored Content intended to be uploaded and it replacing it with its own.

jAnd now the las three days I keep getting the "Warning your computer is infected . . . harddrive will be wiped unless you call this number . . ." pop up. And on a couple of occasions, clicking on a blog post to "read more below the fold" redirects me to gaming site.

The only site where I remember attempting a download was DC Leaks. My download failed--unless the malware is what I got.

Thanks for your help.
Lee

 

[TwinHeadedEagle]

Hello,

Scan with Farbar Recovery Scan Tool

Please re-run Farbar Recovery Scan Tool to give me a fresh look at your system.

• Right-click on
  
  icon and select
  
  Run as Administrator to start the tool.
  (XP users click run after receipt of Windows Security Warning - Open File).
• Make sure that Addition.txt option is checked.
  
  
  
  
  
• Press Scan button and wait.
• The tool will produce two logfiles on your desktop: FRST.txt and Addition.txt.

Please attach report into your next reply.

 

[Lee Ewell]

Attached is the most recent report.

I also noticed that on some websites the malware loads its own "Sponsored Content" right over the top of blog text, sometimes in addition to loading it with the other legit Sponsored Content.

Thanks for your response and your interest.

Lee

 

[TwinHeadedEagle]

You're not following my instructions correctly. I need two reports.

 

[Lee Ewell]

Sorry . . . misunderstood. This one?

 

[TwinHeadedEagle]

Fix with Farbar Recovery Scan Tool

This fix was created for this user for use on that particular machine.

Running it on another one may cause damage and render the system unstable.

​

Download attached fixlist.txt file and save it to the Desktop:

Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!

• Right-click on
  
  icon and select
  
  Run as Administrator to start the tool.
  (XP users click run after receipt of Windows Security Warning - Open File).
• Press the Fix button just once and wait.
• If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
• When finishes FRST will generate a log on the Desktop, called Fixlog.txt.

Please attach it to your reply.

 

[Lee Ewell]

I ran the program and attached the log. Both FRST and fixlist.txt are on my desktop. Is that what you mean by the same location?

 

[TwinHeadedEagle]

Yes, it is correct. How is your PC behaving now?

 

[Lee Ewell]

No change--the same "Sponsored Content" and the same redirects whenever I click on "read more" or "comments" on someone's blog page.

 

[TwinHeadedEagle]

Can you make a picture how this looks like?

 

[Lee Ewell]

I just logged on this evening and now everything seems to be working normal. Interestingly, I noticed my Windows Action Center notified me that Defender removed something called rogue js tech brolo A. on Oct. 7 But I have experienced the problems that this malware causes as recently as this morning.

But it looks as if your fix took care of the problem of the "Sponsored Content." I checked both Edge and Chrome browsers and things look fine. I anticipated having to reset my computer to factory settings. I do not have that many programs and files to reload, but it still would have been a pain in the ass. I cannot thank you enough for your assistance.

 

[Lee Ewell]

Well, now things have returned. I have attempted a screen capture. This is the bottom of a page at the Patheos "Friendly Atheist" blog . . .

 

[Lee Ewell]

A second look . . . the file above came from FOX news. At Patheos I started experiencing the redirection whenever I clicked on comments. Here is a second capture from CNN. This is only the top two photos. There are five or six more running down the left side of the page . . .

 

[TwinHeadedEagle]

Is this happening no matter which browser you use? Do you have home router/modem?

 

[Lee Ewell]

yes. I use a Linksys E1200 wireless router. Your question prompted me to check out my wife's laptop. She complained a couple of days ago about the "warnings" about a viral infection. I told her they were fake and to close the window. But I just now went on her computer and when to a news/opinion mag. via chrome and saw the same ads now on her computer.

 

[TwinHeadedEagle]

Yes, it seems your router is infected. Manual below explains how to reset your router to factory settings:

Linksys Official Support - Linksys E1200 N300 Wireless Router

Page 61

 

[Lee Ewell]

I "confirmed" the router was the problem when I plugged my desktop directly into my modem and the problem disappears. I reset I, reinstalled the software, and even called Linksys (who proved no help at all.) I finally read at some other maleware help site about checking the DNS server address. (This was a learning experience--I know nothing of router settings.) Anyway, sure enough one of them differed from the others. I changed it to a google server address and the problem has been solved. I once again thank you for the attention you devoted to my problem and alerting me to the direction of a problem with my router.

 

[TwinHeadedEagle]

Since there are no more problems, we can declare this PC clean

Now, we can proceed with post-cleanup procedures. Let's remove my tools and create a new, non infected restore point concurrently deleting old ones.


Step 1. - Creation of system restore point and tools removal.


Download DelFix by Xplode and save it to your desktop.

• Run the tool by right click on the
  
  icon and Run as administrator option.
• Make sure that these ones are checked:
  • Remove disinfection tools
  • Purge system restore
  • Reset system settings
• Push Run and wait until the tool completes his work.
• All tools we used should be gone. Tool will create an report for you (C:\DelFix.txt). I don't need it for review.

Tool deletes old system restore points and creates a fresh system restore point after cleaning.


Step 2. - Tips and tricks to keep your computer clean, safe and in a good shape.


Security tips - highly recommended reading:

• Simple and easy ways to keep your computer safe and secure on the Internet

Maintenance tips:

• Optimize Windows for better performance

Additional software that I personally use and install on all my clients devices:

• Zemana AntiMalware (paid version highly recommended) - to work as a supplement for your antivirus but with excellent remediation and protection
• Zemana AntiLogger - keep everything you type on keyboard out of sight of bad guys trying to steal your credantials
• Malwarebytes' Anti-Exploit - to prevent plenty of mostly exploited vulnerabilities.
• McShield - to prevent infections spread by removable media.
• Unchecky - to prevent from installing additional foistware, implemented in legitimate installations.
• CryptoPrevent - tool for protection against Cryptolocker and similar ransomware infections.
• Adblock - to surf the web without annoying ads!
• Qualys BrowserCheck - cloud service that scans your browsers and plugins to see if they’re all up-to-date.

My help is free for everybody.
If you're happy with the help provided and/or wish to show your appreciaton, please consider a donation:
Thank you!​

Stay safe,
TwinHeadedEagle