Solved Persistent ad malware. Redirects. New tab/window opening. smartnewtab.com, onlickads.net, etc...

marcnathan88

Level 1
Thread author
Oct 25, 2016
13
I have this ad malware on my laptop. It opens up a new window that shows ads. Redirects also happen, wherein a new tab opens up. This happens when I click on something or a link on any webpage I'm browsing. It doesn't really happen all the time. Approximately it happens 15 to 30 minutes. The other problem I encounter is that when I open Chrome it doesn't show the homepage; instead it shows C//:file index of.

I've tried the solution I found here on malwaretips.com. I've tried adwcleaner, rkill, hitman pro, zemana anti-malware, tdss killer.

Adwcleaner kept showing the database corrupted error. I've downloaded and run adwcleaner 10 times but it still kept showing the database corrupted error. Rkill also didn't work. After double clicking it the cmd shows for a while and then it crashes. Hitman pro took a while before it worked. The first several times I downloaded it and tried to install it, nothing was happening. It only worked a couple of hours before I wrote this post. Zemana anti-malware also had an error when I tried to install it. It shows an error saying files are corrupted. I've also tried this in safe mode with networking but to no avail. Adwcleaner, rkill and zemana anti-malware still showed the same error. Tdss killer worked the first time I downloaded and installed it. I did a scan with it but it didn't find anything. I've also tried Rogue killer. I did a scan with it. It found some 37 threats. But I couldn't tell which ones were the ad malware. The files found were all from the registry so I didn't delete those files. I was afraid it might cause some problems on my laptop.

I have also downloaded FRST and I will be including the log file here. The logs by FRST are the latest. I did a scan with FRST just a couple of hours ago.

These are screenshots of the new window that opens. Some of them also open on a new tab after a redirect.

99tab. Opened on a new window
chrome-ad-malware-99tab.png

This one on the other hand had a search bar displayed.
chrome-malware.png

liveadexchanger. Opened on a new window
chrome-malware-liveadexchanger.png

optmz.online. Opened on a new window
chrome-malware-opening-new-window.png

smartnewtab.com. This opens on a new tab after a redirect or on a new window which this screenshot shows.
smartnewtabmalware.png

Thank you in advance for your help. I will be patiently waiting for answers.

Thank you again and regards.
 

Attachments

  • Addition.txt
    48.6 KB · Views: 3
  • FRST.txt
    60 KB · Views: 1

TwinHeadedEagle

Level 41
Verified
Mar 8, 2013
22,627
Hello,


Please download Zemana AntiMalware and save it to your Desktop.
  • Install the program and once the installation is complete it will start automatically.
  • Without changing any options, press Scan to begin.
  • After the short scan is finished, if threats are detected press Next to remove them.
Note: If restart is required to finish the cleaning process, you should click Reboot. If reboot isn't required, please restart your computer manually.
  • Open Zemana AntiMalware again.
  • Click on the icon (image: 4zu6vb.jpg) and double click the latest report.
  • Now click File > Save As and choose your Desktop before pressing Save.
  • The only thing left is to attach the saved report in your next message.
 

marcnathan88

Thank you sir. I have also tried Zemana AntiMalware but it's not installing on my laptop. Three times it showed an error. It says that the files are corrupted. I'll be downloading and installing it again. If the error persists I will get a screenshot and post it here. The same thing occurred with Hitman pro. The first several times I downloaded it nothing was happening but yesterday it finally installed and ran. I will try again with Zemana AntiMalware. I'm in the office so I'll be able to do it when I get home.

Thank you again sir.
 

marcnathan88

@TwinHeadedEagle. I forgot to mention sir. Apologies. After I've downloaded the portable version of Zemana I will be installing it and will also be running a scan then I will be posting the results here.

Thanks again sir.
 

marcnathan88

Zemana anti-malware finally worked this time sir. It installed properly with no error compared to the first few times I tried it. I ran the application and it was scanning my laptop. I went to do something for a while but when I came back my laptop was frozen. Zemana anti-malware stopped scanning. Basically my laptop halted and froze. It was stuck. I'm wondering now what caused it. I've restarted my laptop and I will be doing the scan again.

I would also like to post some screenshots of other problems in my laptop.

When I open chrome.
chrome-index-of.png


Same with firefox.
firefox-index-of.png

Another problem with chrome.
chrome-problem.png

Apologies for posting too many problems I'm encountering. After the scan with zemana anti-malware I will be posting the log here. I hope my laptop won't freeze again.
 

marcnathan88

After the scan with Zemana and rebooting my laptop the issue of browsers displaying "index of" was fixed on Chrome and Firefox but the ad malware still persists. A new window still opens. Just a while ago smartnewtab.com opened a new window again. The other problem that still persists is that two icons of Chrome are displaying in the taskbar.

Here is the log of Zemana anti-malware scan. Thank you in advance sir for your next reply.

Zemana AntiMalware 2.50.2.133 (Installed)

-------------------------------------------------------
Scan Result : Completed
Scan Date : 2016/10/27
Operating System : Windows 7 64-bit
Processor : 4X Intel(R) Core(TM) i3-4000M CPU @ 2.40GHz
BIOS Mode : Legacy
CUID : 127A3C1D04CA0973EAB607
Scan Type : Scheduled Scan
Duration : 34m 16s
Scanned Objects : 214919
Detected Objects : 23
Excluded Objects : 0
Read Level : SCSI
Auto Upload : Enabled
Detect All Extensions : Disabled
Scan Documents : Disabled
Domain Info : TECHNICAL,0,2

Detected Objects
-------------------------------------------------------

Opera Shortcut
Status : Scanned
Object : "
MD5 : -
Publisher : -
Size : -
Version : -
Detection : Suspicious Browser Setting
Cleaning Action : Repair
Related Objects :
Browser Setting - Opera Shortcut

Opera Shortcut
Status : Scanned
Object : "
MD5 : -
Publisher : -
Size : -
Version : -
Detection : Suspicious Browser Setting
Cleaning Action : Repair
Related Objects :
Browser Setting - Opera Shortcut

Opera Shortcut
Status : Scanned
Object : "
MD5 : -
Publisher : -
Size : -
Version : -
Detection : Suspicious Browser Setting
Cleaning Action : Repair
Related Objects :
Browser Setting - Opera Shortcut

Internet Explorer Shortcut
Status : Scanned
Object : "
MD5 : -
Publisher : -
Size : -
Version : -
Detection : Suspicious Browser Setting
Cleaning Action : Repair
Related Objects :
Browser Setting - Internet Explorer Shortcut

Internet Explorer Shortcut
Status : Scanned
Object : "
MD5 : -
Publisher : -
Size : -
Version : -
Detection : Suspicious Browser Setting
Cleaning Action : Repair
Related Objects :
Browser Setting - Internet Explorer Shortcut

Internet Explorer Shortcut
Status : Scanned
Object : "
MD5 : -
Publisher : -
Size : -
Version : -
Detection : Suspicious Browser Setting
Cleaning Action : Repair
Related Objects :
Browser Setting - Internet Explorer Shortcut

Internet Explorer Shortcut
Status : Scanned
Object : "
MD5 : -
Publisher : -
Size : -
Version : -
Detection : Suspicious Browser Setting
Cleaning Action : Repair
Related Objects :
Browser Setting - Internet Explorer Shortcut

Firefox Shortcut
Status : Scanned
Object : "
MD5 : -
Publisher : -
Size : -
Version : -
Detection : Suspicious Browser Setting
Cleaning Action : Repair
Related Objects :
Browser Setting - Firefox Shortcut

Firefox Shortcut
Status : Scanned
Object : "
MD5 : -
Publisher : -
Size : -
Version : -
Detection : Suspicious Browser Setting
Cleaning Action : Repair
Related Objects :
Browser Setting - Firefox Shortcut

Firefox Shortcut
Status : Scanned
Object : "
MD5 : -
Publisher : -
Size : -
Version : -
Detection : Suspicious Browser Setting
Cleaning Action : Repair
Related Objects :
Browser Setting - Firefox Shortcut

Firefox Search
Status : Scanned
Object : trotux - Trotux
MD5 : -
Publisher : -
Size : -
Version : -
Detection : Suspicious Browser Setting
Cleaning Action : Repair
Related Objects :
Browser Setting - Firefox Search

Firefox Search
Status : Scanned
Object : istartpageing - IStartPageing
MD5 : -
Publisher : -
Size : -
Version : -
Detection : Suspicious Browser Setting
Cleaning Action : Repair
Related Objects :
Browser Setting - Firefox Search

Firefox Search
Status : Scanned
Object : www.yessearches.com - YesSearches
MD5 : -
Publisher : -
Size : -
Version : -
Detection : Suspicious Browser Setting
Cleaning Action : Repair
Related Objects :
Browser Setting - Firefox Search

Firefox Search
Status : Scanned
Object : trotux - Trotux
MD5 : -
Publisher : -
Size : -
Version : -
Detection : Suspicious Browser Setting
Cleaning Action : Repair
Related Objects :
Browser Setting - Firefox Search

Chrome Shortcut
Status : Scanned
Object : "
MD5 : -
Publisher : -
Size : -
Version : -
Detection : Suspicious Browser Setting
Cleaning Action : Repair
Related Objects :
Browser Setting - Chrome Shortcut

Chrome Shortcut
Status : Scanned
Object : "
MD5 : -
Publisher : -
Size : -
Version : -
Detection : Suspicious Browser Setting
Cleaning Action : Repair
Related Objects :
Browser Setting - Chrome Shortcut

Chrome Shortcut
Status : Scanned
Object : "
MD5 : -
Publisher : -
Size : -
Version : -
Detection : Suspicious Browser Setting
Cleaning Action : Repair
Related Objects :
Browser Setting - Chrome Shortcut

Chrome Shortcut
Status : Scanned
Object : "
MD5 : -
Publisher : -
Size : -
Version : -
Detection : Suspicious Browser Setting
Cleaning Action : Repair
Related Objects :
Browser Setting - Chrome Shortcut

Chrome Startup Url
Status : Scanned
Object : IStartPageing
MD5 : -
Publisher : -
Size : -
Version : -
Detection : Suspicious Browser Setting
Cleaning Action : Repair
Related Objects :
Browser Setting - Chrome Startup Url

Chrome Homepage
Status : Scanned
Object : IStartPageing
MD5 : -
Publisher : -
Size : -
Version : -
Detection : Suspicious Browser Setting
Cleaning Action : Repair
Related Objects :
Browser Setting - Chrome Homepage

NlaSvc Manual Proxies
Status : Scanned
Object : HKLM\SYSTEM\CurrentControlSet\services\NlaSvc\Parameters\Internet\ManualProxies\@
MD5 : -
Publisher : -
Size : -
Version : -
Detection : Suspicious Setting
Cleaning Action : Delete
Related Objects :
Registry Entry - HKLM\SYSTEM\CurrentControlSet\services\NlaSvc\Parameters\Internet\ManualProxies\@ = 0http://nonestops.org/wpad.dat?1668f0c51748d6b5794ca9c4e881555918667326

pptprv.dll
Status : Scanned
Object : %programfiles%\nergose\pptprv.dll
MD5 : 2C4C3627E882AEA2AE2725807678C1BA
Publisher : -
Size : 273920
Version : -
Detection : Malware:Win32/Vorniac.A!Rkie
Cleaning Action : Delete
Related Objects :
File - %programfiles%\nergose\pptprv.dll
DLL - 2252 - C:\Windows\SysWOW64\svchost.exe
Registry Entry - HKLM\System\CurrentControlSet\Services\Cercither\Parameters\ServiceDll = C:\Program Files (x86)\Nergose\PptPrv.dll

tyav32.dll
Status : Scanned
Object : NE->c:\program files\common files\inca shared\onlineengine\tyav32.dll
MD5 : -
Publisher : -
Size : -
Version : -
Detection : Virus:Test/Eicar!Neng
Cleaning Action : Quarantine
Related Objects :
(null) - (null)


Cleaning Result
-------------------------------------------------------
Cleaned : 23
Reported as safe : 0
Failed : 0
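
A triage sketch for a report in the layout posted above, added here as an illustration and not part of the thread or of Zemana's own tooling: it collapses the repeated entries and lists system-level persistence (proxy auto-config, svchost ServiceDll) ahead of browser settings. The sample text, `example.dll`, `ExampleSvc` and the `example.invalid` URL are constructed, and the tag names are this example's own.

```python
import re
from collections import Counter

# Constructed, abbreviated sample in the report's layout (names and URL are made up).
SAMPLE = r"""
Chrome Shortcut
Object : "
Detection : Suspicious Browser Setting
Related Objects :
Browser Setting - Chrome Shortcut

Chrome Shortcut
Object : "
Detection : Suspicious Browser Setting
Related Objects :
Browser Setting - Chrome Shortcut

NlaSvc Manual Proxies
Detection : Suspicious Setting
Related Objects :
Registry Entry - HKLM\SYSTEM\CurrentControlSet\services\NlaSvc\Parameters\Internet\ManualProxies\@ = 0http://proxy.example.invalid/wpad.dat

example.dll
Detection : Malware:Win32/Example.A
Related Objects :
File - %programfiles%\example\example.dll
Registry Entry - HKLM\System\CurrentControlSet\Services\ExampleSvc\Parameters\ServiceDll = C:\Program Files (x86)\Example\example.dll
"""

def parse(report):
    """Yield (name, fields, related_objects) for each detection entry."""
    for block in re.split(r"\n\s*\n", report.strip()):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        if "Related Objects :" not in lines:
            continue  # report header or "Cleaning Result" summary
        cut = lines.index("Related Objects :")
        fields = dict(ln.split(" : ", 1) for ln in lines[1:cut] if " : " in ln)
        yield lines[0], fields, lines[cut + 1:]

def classify(related):
    text = " ".join(related).lower()
    if "wpad.dat" in text or r"\manualproxies" in text:
        return "proxy-autoconfig"   # proxy auto-config script set in the registry
    if r"\parameters\servicedll" in text:
        return "service-dll"        # DLL loaded by svchost.exe as a service
    if any(r.startswith("Browser Setting") for r in related):
        return "browser-setting"
    return "other"

def triage(report):
    """Collapse repeated entries; list system-level items before browser settings."""
    seen = Counter((n, f.get("Detection", "?"), classify(r)) for n, f, r in parse(report))
    rows = [(name, det, tag, count) for (name, det, tag), count in seen.items()]
    return sorted(rows, key=lambda row: row[2] == "browser-setting")
```

Calling `triage()` on the saved report text returns one row per distinct entry with its repeat count, so the proxy and service items are not buried under the shortcut repairs.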
 

marcnathan88

I'd like to consult you about something sir. My laptop has frozen three times already in the middle of a Zemana scan. The second time was in the middle of a deep scan. It was at 99%. Almost done but my laptop got frozen. It found 3 threats including a trojan but I wasn't able to delete it because my laptop got stuck. After my laptop opened again I ran Zemana but this time it didn't resume the deep scan. I wish to know why my laptop was freezing. I will be waiting for an answer sir. Thank you in advance.
 

TwinHeadedEagle

Scan with Farbar Recovery Scan Tool

Please re-run Farbar Recovery Scan Tool to give me a fresh look at your system.
  • Right-click on the FRST icon and select Run as Administrator to start the tool.
    (XP users click run after receipt of Windows Security Warning - Open File).
  • Make sure that Addition.txt option is checked.
  • Press Scan button and wait.
  • The tool will produce two logfiles on your desktop: FRST.txt and Addition.txt.
Please attach report into your next reply.
 

marcnathan88

Thank you sir. Should I close any or all running applications before I start the scan with FRST?

I will be posting the log on my next message after the scan.
 

marcnathan88

Here is the report sir. Just a few seconds ago Malwarebytes blocked five sites which I can clearly tell are adverts. This ad malware remains persistent. Thank you sir for your help.
 

Attachments

  • Addition.txt
    46 KB · Views: 2
  • FRST.txt
    61.2 KB · Views: 1

marcnathan88

Since my last post my laptop has been experiencing constant freezing. Last night it was in the middle of a Zemana scan. It happened three times. Now it happened again three times. One was in the middle of an FRST scan. The other was while I was browsing this site. Another freeze happened. I was typing this when it happened and then I came back here and was able to pick up where I left my typing. I was not running any scan when it froze. Just a while ago my laptop froze again when I was running a scan with Hitman pro. Apologies sir if I'm complaining too much about the problems I encounter. I simply want to put an update about what's happening on my laptop.

Thank you for your help sir.
 

marcnathan88

Another situation update sir. My laptop has frozen so many times already in the last couple of hours. No scans running. Just me browsing this website. Thank you in advance sir for your response.
 

TwinHeadedEagle

Fix with Farbar Recovery Scan Tool

This fix was created for this user for use on that particular machine.
Running it on another one may cause damage and render the system unstable.

Download attached fixlist.txt file and save it to the Desktop:

Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!

  • Right-click on the FRST icon and select Run as Administrator to start the tool.
    (XP users click run after receipt of Windows Security Warning - Open File).
  • Press the Fix button just once and wait.
  • If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
  • When finished, FRST will generate a log on the Desktop, called Fixlog.txt.

Please attach it to your reply.
 

Attachments

  • fixlist.txt
    9.6 KB · Views: 4

marcnathan88

Thank you for your response sir. I have resorted to a system restore and chose a point before my laptop was infected with the ad malware. I'm hoping this will work. My laptop is doing good so far. Can a system restore fix the ad malware issue?

I will be downloading Zemana anti-malware and FRST again and the other antivirus programs I've used as they were lost due to system restore. I will also be continuing with your advice for the fix and the other methods you have given me. But I would like to ask. Would you advise me to continue with the fix? I will be waiting to hear from you anytime sir.

Thanks for all the help you have given me.
 
