Status
Not open for further replies.

briliant

New Member
Sep 16, 2017
13
Hello,

I already wrote all the text below in the requested spaces, but I can't create the thread unless I have a message here, so here is the text again:

September 10th, 2017: after installing Kaspersky (I'm not sure if this is related to the infection, but I'm pretty sure it started around that time frame), a panel of square ads started appearing in some specific websites (for example, FootyRoom - Football / Soccer Highlights and Live Scores and Record: Tudo sobre desporto. Futebol, mercado, modalidades, resultados e classificações). In the corner of the panel says "Sponsored" and, as an example, here is the list of names that appear below each ad in of the panels: "Brxfinance", "TodaysDiets"(x3), "Memory Repair Protocol".

The reason I quickly realized these panels were adwares is that my AdBlock extension wasn't blocking them, and even if I tried to block them manually, they would immediately return after the page was refreshed.

I've followed all the steps in the MalwareTips guide (How to remove a Trojan, Virus, Worm and Malware (Windows Help Guide)), including the optional ones. This included installing and running Rkill, Malwarebytes, HitmanPro, Zemana AntiMalware Portable and Emsisoft Emergency Kit, as well as resetting my browser ro default settings. Each new program that I ran detected and removed "malicious programs", but the panels keep appearing.
 

Attachments

  • FRST.txt
    60.1 KB · Views: 3
  • Addition.txt
    65.9 KB · Views: 1

TwinHeadedEagle

Level 41
Verified
Mar 8, 2013
22,632
Hello,


Please download Zemana AntiMalware and save it to your Desktop.
  • Install the program and once the installation is complete it will start automatically.
  • Without changing any options, press Scan to begin.
  • After the short scan is finished, if threats are detected press Next to remove them.
Note: If restart is required to finish the cleaning process, you should click Reboot. If reboot isn't required, please restart your computer manually.
  • Open Zemana AntiMalware again.
  • Click on
    4zu6vb.jpg
    icon and double click the latest report.
  • Now click File > Save As and choose your Desktop before pressing Save.
  • The only left thing is to attach saved report in your next message.



adwcleaner_new.png
Fix with AdwCleaner

Please download AdwCleaner by Xplode and save the file to your Desktop.
  • Right-click on
    adwcleaner_new.png
    icon and select
    RunAsAdmin.jpg
    Run as Administrator to start the tool.
  • Accept the Terms of use.
  • Wait until the database is updated.
  • Click Scan.
  • When finished, please click Clean.
  • Your PC should reboot now.
  • After reboot, logfile will be opened. Copy its content into your next reply.

Note: Reports will be saved in your system partition, usually at C:\Adwcleaner
 

briliant

New Member
Sep 16, 2017
13
Hi,

Thank you very much for your assistance. In attachment are the requested reports.
 

Attachments

  • 2017.09.17-23.07.13-i0-t92-d0.txt
    811 bytes · Views: 6
  • AdwCleaner[C0].txt
    6.3 KB · Views: 6

TwinHeadedEagle

Level 41
Verified
Mar 8, 2013
22,632
FRST.gif
Scan with Farbar Recovery Scan Tool

Please re-run Farbar Recovery Scan Tool to give me a fresh look at your system.
  • Right-click on
    FRST.gif
    icon and select
    RunAsAdmin.jpg
    Run as Administrator to start the tool.
    (XP users click run after receipt of Windows Security Warning - Open File).
  • Make sure that Addition.txt option is checked.

    2873ryc.png

  • Press Scan button and wait.
  • The tool will produce two logfiles on your desktop: FRST.txt and Addition.txt.
Please attach report into your next reply.
 

TwinHeadedEagle

Level 41
Verified
Mar 8, 2013
22,632
FRST.gif
Fix with Farbar Recovery Scan Tool

icon_exclaim.gif
This fix was created for this user for use on that particular machine.
icon_exclaim.gif

icon_exclaim.gif
Running it on another one may cause damage and render the system unstable.
icon_exclaim.gif

Download attached fixlist.txt file and save it to the Desktop:

Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!

  • Right-click on
    FRST.gif
    icon and select
    RunAsAdmin.jpg
    Run as Administrator to start the tool.
    (XP users click run after receipt of Windows Security Warning - Open File).
  • Press the Fix button just once and wait.
  • If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
  • When finishes FRST will generate a log on the Desktop, called Fixlog.txt.

Please attach it to your reply.



How is your computer behaving now?
 

Attachments

  • fixlist.txt
    5.2 KB · Views: 6

briliant

New Member
Sep 16, 2017
13
Hi, I ran it and the problem is still there. The fix did erase all my history and extensions though.
 

Attachments

  • Fixlog.txt
    12.6 KB · Views: 5

briliant

New Member
Sep 16, 2017
13
Like I said, the problem is still there (meaning, the "Sponsored" ads keep appearing in specifc websites, even with AdBlock activated), and, as far as I'm able to tell, the fix only erased my browser history and deleted the extensions.
 

briliant

New Member
Sep 16, 2017
13
Since the beginning I've only detected these ads in these two websites: FootyRoom - Football / Soccer Highlights and Live Scores (on the top of the main page), which is, as far as I'm concerned, one of the mainstream websites to watch highlights from football games; and on Record: Tudo sobre desporto. Futebol, mercado, modalidades, resultados e classificações (on the bottom of any page corresponding to a piece of news on this main page), which is one of the main sports websites in Portugal. Obviously, the limitation of the ads to only these two websites is relatively harmless and not much of a bother, but I was afraid it was the beginning of a virus, so I wanted to try to fix it right away.

For the sake of clarity, I send in attachment two print screens of these websites, as well as the respective links (this way you can even go yourself to them and compare the normal versions to the pics I send you).

The first is from the link I already wrote down above, FootyRoom - Football / Soccer Highlights and Live Scores (where the ads are both in portuguese and english) and the second is from Cirurgião de Ibrahimovic deixa aviso ao Manchester United (where the ads are only in portuguese; you can see the word "Patrocinado" in all of them, which is portuguese for "Sponsored"), where you can reach the spot on the picture by scrolling down until you see the subtitle "Pode gostar de ler" (meaning, "You may want to read"). In both cases the adware on the pics is immediately noticeable by the characteristic purple color. The latter link is just one example from that website, because, like I said, I see them in every piece of news from that website.

Also, you can see the AdBlock extension (which I reinstalled after the fixlist) activated on the top right corner of both pics. This was what denounced the adware in the first place to me (meaning, if they were regular ads, they would've been blocked normally).
 

Attachments

  • Footyroom.png
    Footyroom.png
    429.1 KB · Views: 11
  • Record.png
    Record.png
    596.1 KB · Views: 11

briliant

New Member
Sep 16, 2017
13
Hi, sorry for the delay in the response. I tried and it didn't work (like AdBlock, I'm able to filter the adware manually but once I refresh the page, they're back there).
 

briliant

New Member
Sep 16, 2017
13
There's an option on the Adblock/Ublock button (in the upper right corner of the browser) that allows me to manually select a portion of the page I'm currently at and "erase" that portion. Both extensions say that, in doing so, I'm "creating a new filter", but in reality this option is just a temporary patch that "blanks" out the ads because, when I refresh the page, this supposedly newly created "filter" is gone (meaning, the ads reappear on the page).
 

TwinHeadedEagle

Level 41
Verified
Mar 8, 2013
22,632
I see nothing wrong with this. Every website has ads, that's their revenue. I gave you uBlock to try out.
 

briliant

New Member
Sep 16, 2017
13
Well, that has been the point that I've tried to make since the very first post on this thread. I assumed these ads were adware (meaning, a virus) because, before I had noticed them, I hadn't detected a single ad (at least not as noticeable as these ones) from the moment I installed Adblock.

Of course every site has ads, but the ones I've been describing during this whole thread check every characteristic of an adware, namely not being able to be blocked by services like Adblock or Ublock and being easily recognizable (color, type of text and "brand" are all the same in the two different examples of websites I've sent).

I understand if there's nothing more you can think of to solve this problem, and, if that is the case, I just have to sincerely thank you for bearing with me during this whole month. Of course, if you know another place (or person) where I can further investigate how to solve this situation, I would very much appreciate that information.
 

briliant

New Member
Sep 16, 2017
13
Hi, first of all thanks for your help. It took a bit, but I eventually noticed that your Ublock is in fact different from the one I was using. Despite this, I revisited the webpage from record.com you mentioned and surprisingly these ads were now gone (just with Adblock and regular Ublock, which is new because before they couldn't filter these automatically; I've checked other news articles from the same site and the ads disappeared from all of them).

Regardless, I installed afterwards the Ublock Origin you're using, to send the image you requested and of course to check if the other website, footyroom.com was also ridden from the ads.

Unfortunately in this page they are still there. I tried the manual options of Ublock Origin that I could find, which were the lightning button and the pen button next to it. The pen, which is very similar to the manual option from Adblock and the regular Ublock, allowed me to select the section I wanted to erase, but unlike the other blocker extensions, for some reason it didn't erase it after I selected "Create" (this of course is not all that relevant, since the other extensions would only erase them temporarily, i.e. once I refreshed the page the ads were back there). The other button, the lightning one, did fulfill this (kind of pointless) task though.

Just for curiosity, I checked the list of links that Ublock Origin was blocking in this page and, sure enough, "engageya.com" wasn't there. I guess one solution would be adding in some way that domain manually?

upload_2017-10-17_23-11-9.png


upload_2017-10-17_23-14-1.png
 
Status
Not open for further replies.
Top