Need help with pop-up ads in IE and blank windows in Chrome
Jaekus
I'm the matchstick that you'll never lose
+957|5436|Sydney
Been having this issue for over a week now and it's getting worse.

I've scanned with:

MBAM
Avira
Ad-Aware

I've got "enable phishing and malware protection" enabled in Chrome, search results came up with nothing and certain (most) sites will keep getting this fkn pop-up in IE. In Chrome it will simply load a blank page and if I click the blank page the same pop-up I get in Chrome appears.

It's driving me nuts and I don't know what to do about it. Scans all came up clean, except for Ad-Aware, which deleted a few tracking cookies.

This is the URL for the pop-up I get, I've made it so no one can click it accidentally:

http://your-review (dot) net/a/adframe.php


E: Here's a screenie of the pop-up

https://static.bf2s.com/files/user/52172/temp.jpg

Last edited by Jaekus (2010-07-22 00:07:29)

steelie34
pub hero!
+603|6639|the land of bourbon
run hijack-this and post the logfile results
Jaekus
I'm the matchstick that you'll never lose
+957|5436|Sydney
Totally forgot about hijack-this, doing it now...
Jaekus
I'm the matchstick that you'll never lose
+957|5436|Sydney
Well I posted the logfile here and it seems fine - http://www.hijackthis.de/

Here's the logfile anyway

Code:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:06:27 PM, on 22/07/2010
Platform: Unknown Windows (WinNT 6.01.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
D:\Games\Fraps\fraps.exe
D:\Programs\Steam\Steam.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe
C:\Users\Jake\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWTray.exe
C:\Users\Jake\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Jake\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Jake\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Jake\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\IVT Corporation\BlueSoleil\BtTray.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Jake\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [ATICustomerCare] "C:\Program Files (x86)\ATI\ATICustomerCare\ATICustomerCare.exe"
O4 - HKLM\..\Run: [NBAgent] "C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe" /WinStart
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Users\Jake\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [Steam] "d:\programs\steam\steam.exe" -silent
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL
O13 - Gopher Prefix: 
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Windows\SysWOW64\skype4com.dll
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: AMD External Events Utility - Unknown owner - C:\Windows\system32\atiesrxx.exe (file missing)
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe
O23 - Service: BlueSoleilCS - Unknown owner - C:\Program Files (x86)\IVT Corporation\BlueSoleil\BlueSoleilCS.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files (x86)\Bonjour\mDNSResponder.exe
O23 - Service: BsHelpCS - Unknown owner - C:\Program Files (x86)\IVT Corporation\BlueSoleil\BsHelpCS.exe
O23 - Service: BsMobileCS - Unknown owner - C:\Program Files (x86)\IVT Corporation\BlueSoleil\BsMobileCS.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files (x86)\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\LogiShrd\Bluetooth\lbtserv.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @C:\Program Files (x86)\Nero\Update\NASvc.exe,-200 (NAUpdate) - Nero AG - C:\Program Files (x86)\Nero\Update\NASvc.exe
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files (x86)\Common Files\Steam\SteamService.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: Volume Shadow Copy (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 9663 bytes

Last edited by Jaekus (2010-07-21 20:12:49)
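A first-pass triage over HijackThis log lines like the ones posted above, added here as an example (not the thread's or Trend Micro's code). The sample is excerpted from the posted log plus one O4 line constructed and marked as such so the output is not empty; the trusted-host list and user-writable directory list are my own assumptions.

```python
import re
from typing import List, Tuple

# Constructed sample: lines excerpted from the HijackThis 2.0.2 log posted
# above, plus one O4 line invented for this example (marked CONSTRUCTED).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [CONSTRUCTED] "C:\Users\Jake\AppData\Roaming\constructed\upd.exe"
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
"""

TRUSTED_PAGE_HOSTS = ("go.microsoft.com", "www.microsoft.com")   # assumption
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\")  # assumption

Finding = Tuple[str, str, str]  # (severity, HJT entry type, note)

def triage_line(line: str) -> List[Finding]:
    """Return findings for one HijackThis log line (empty list if benign/unknown)."""
    m = re.match(r"^(R[0-3]|F[0-3]|O\d+) - (.*)$", line.strip())
    if not m:
        return []
    kind, body = m.group(1), m.group(2)
    lower = body.lower()
    out: List[Finding] = []
    if kind in ("R0", "R1") and ("page" in lower or "url" in lower):
        # Start/search page values: anything not on a trusted host is a hijack candidate.
        url = body.split("=", 1)[1].strip() if "=" in body else ""
        host = re.sub(r"^https?://", "", url).split("/")[0].lower()
        if host and not host.endswith(TRUSTED_PAGE_HOSTS):
            out.append(("medium", kind, f"IE page/search setting points at {host}"))
    elif kind == "O2" and lower.endswith("(no file)"):
        # BHO still registered but its DLL is gone: leftover entry, removable, low risk.
        out.append(("low", kind, "orphaned BHO registration (no DLL on disk)"))
    elif kind == "O4":
        # Autorun target path: quoted or bare, first token after the [name].
        pm = re.search(r'\]\s+"?([A-Za-z]:\\[^"]+?\.exe)', body, re.IGNORECASE)
        path = pm.group(1).lower() if pm else ""
        if any(d in path for d in USER_WRITABLE):
            out.append(("high", kind, f"autorun from user-writable location: {path}"))
    elif kind == "O23":
        if "(file missing)" in lower and "\\windows\\" in lower:
            # Windows-owned services reported missing: low signal, as the thread notes.
            out.append(("info", kind, "system service reported missing; low signal"))
        elif "unknown owner" in lower:
            out.append(("low", kind, "service with unknown publisher: look up the binary"))
    return out

def triage_log(text: str) -> List[Finding]:
    """Triage a whole log; findings keep the log's line order."""
    return [f for line in text.splitlines() for f in triage_line(line)]
```

Run `triage_log` over a full log and review the high and medium findings first; the info entries exist only so the Windows services the log reports as missing are not mistaken for findings.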

steelie34
pub hero!
+603|6639|the land of bourbon
ugh.. at first glance your log looks clean.  this might be a newer adware that isn't being detected yet, but its ability to run without showing some trace in the hijackthis log is a bit unsettling. 

your next step is to either a) reformat or b) start more in-depth scanning using the various Sysinternals tools to watch what's going on in the background when the pop-up appears.  it's not easy though if you don't have some pretty advanced knowledge of process hooking and what to look for, but it could also be a good learning experience if you want to give it a shot.

the first tool you want is process explorer.  it will give you real-time info of what's going on when the pop-up appears.

alexb wrote:

Those Microsoft services that say "Unknown Owner" and "(file missing)" shouldn't show up in your log; they seem suspicious to me.
those aren't necessarily bad.  windows doesn't always statically link DLLs to calling processes, and all the referenced DLLs and processes are legitimate.

Last edited by steelie34 (2010-07-21 20:26:46)

Jaekus
I'm the matchstick that you'll never lose
+957|5436|Sydney
Ok, so I'm downloading now and installing/unzipping/whateves. Once I run it, what's the next step?
steelie34
pub hero!
+603|6639|the land of bourbon
well that's going to be the hard part.  you'll have to watch what processes and/or DLLs are being loaded when the pop-up shows up.  while it's running, make the pop-up appear, and see if you notice what process ran immediately before it happens.  also try dll mode to see if any hidden dll files are being referenced.  if it looks sketchy, google it to see if it's a legit program.

make sure you give this one a shot as well:

listdlls

same as before, google anything you don't recognize.

Last edited by steelie34 (2010-07-21 20:43:12)

Jaekus
I'm the matchstick that you'll never lose
+957|5436|Sydney
Ok, so I did it with the first one about a dozen times, both checking the processes and the dlls. Nothing changed whilst the popup was appearing. Maybe I should try it before I open IE? Problem is now Chrome is getting two pop-ups instead of one.
Jaekus
I'm the matchstick that you'll never lose
+957|5436|Sydney
I ran listdlls and it runs a whole bunch of text in a DOS window, then closes straight after it's finished
steelie34
pub hero!
+603|6639|the land of bourbon
you'll have to run the listdlls from the command prompt to keep the window open, and yes definitely use IE when running the process explorer...
Jaekus
I'm the matchstick that you'll never lose
+957|5436|Sydney
Hmmm, I may have a little something.

In process explorer, when I open Chrome, it has chrome.exe and then one more instance in the folder tree for each page. HOWEVER, when I open a page that loads, goes blank and when I click the blank window the pop-up appears, when it goes blank (but before the pop-up appears) there appears to be 2 instances of chrome.exe for that page (so if I have bf2s open and talkbass.com open, there's 3 pages loaded, but if I close talkbass.com there's only 1 page).

When I have 2 pop-ups appear, the second one is not registered anywhere in process explorer from what I can see.

This is far from solving the problem, but at least it's better than showing no result at all I guess...
steelie34
pub hero!
+603|6639|the land of bourbon
try rootkit revealer as well.  however, this program is a little hard to understand if you haven't used it before.  definitely read the help file and good luck.
Jaekus
I'm the matchstick that you'll never lose
+957|5436|Sydney
The other thing is, it has never ever done this for BF2s, Facebook, Yahoo Mail, my bank and credit card login, only really does it on sites that have advertising.

Could it be something on their end? I noticed on geekstogo (where it was also doing it) they're currently closed due to repeated hack attempts -- http://www.geekstogo.com/forum/forums.html
Dilbert_X
The X stands for
+1,815|6364|eXtreme to the maX
Put the computer away for a few weeks, let the virus definitions catch up with the threats, scan, done.
I'm still dubious about this since there could still be a keylogger buried somewhere as part of the attack.

Or

Total reformat and rebuild. I put in a new HD at this point and put the old one away for future scanning or wiping.
Fuck Israel
tazz.
oz.
+1,338|6432|Sydney | ♥

Chrome opens a process per page, so as not to crash all your pages if one crashes.


Sounds to me like your comp is simply slowing down and becoming buggy, not filled with viruses. It is Windows after all.

Backup, and Re-format.
everything i write is a ramble and should not be taken seriously.... seriously.
Jaekus
I'm the matchstick that you'll never lose
+957|5436|Sydney
Ergh, I really hate going through the reformat process, and I don't have the time for the next week or two to do it because it'll take me ages to backup, reinstall windows, reinstall the programs and get everything back to the way I like it.

I might just give it a couple weeks and see if a solution appears. If it doesn't by a fortnight I'll have enough time to do it over the weekend then.

E: My comp is only about 4 months old, surely it shouldn't become buggy already?

Last edited by Jaekus (2010-07-21 21:31:44)

Jaekus
I'm the matchstick that you'll never lose
+957|5436|Sydney

steelie34 wrote:

try rootkit revealer as well.  however, this program is a little hard to understand if you haven't used it before.  definitely read the help file and good luck.
For some reason the app won't open, I tried it in safe mode too just in case. Is it compatible with 64 bit systems?

Gotta go to work soon too.
Dilbert_X
The X stands for
+1,815|6364|eXtreme to the maX

Jaekus wrote:

E: My comp is only about 4 months old, surely it shouldn't become buggy already?
A virus doesn't care.

Take out current HD.
Find a blank HD.
Do a minimum install to keep you going.

Swap them back and rescan in a few weeks/months. Maybe you'll be lucky.

I checked some data backup DVDs a few weeks ago and found viruses on them which hadn't been detected at the time.
Fuck Israel
Jaekus
I'm the matchstick that you'll never lose
+957|5436|Sydney
Can't really afford a new HD at the moment as I just paid $1500+ for my car this week, have a flight to pay today, another one next week and a filmclip due to be paid next week too... plus 4 birthdays in 3 weeks. Fun times.
tazz.
oz.
+1,338|6432|Sydney | ♥

I love my setup

Linux PC: All my files go here, everything. 3.5TB of space

my normal PC: 1x 500GB HD for OS.. 1x 500GB HD for Steam Games

The only reason I'm not reformatting at the moment is because I'm halfway through GTA4, and backing that up through App Data is a mofo.
everything i write is a ramble and should not be taken seriously.... seriously.
Jaekus
I'm the matchstick that you'll never lose
+957|5436|Sydney
Well just as I was leaving for work I decided to once more run MBAW, and checked the updates, it had only been updated till May, so I ran the update and left it to do a full scan. Hopefully something turns up/fixes.
Dilbert_X
The X stands for
+1,815|6364|eXtreme to the maX
MBAW or MBAM?
MBAM gets updated multiple times/day.
Fuck Israel
Jaekus
I'm the matchstick that you'll never lose
+957|5436|Sydney
Sorry, I meant MBAM.
Jaekus
I'm the matchstick that you'll never lose
+957|5436|Sydney
Updated, full scan with MBAM, no infections
steelie34
pub hero!
+603|6639|the land of bourbon
that's interesting you say it only happens on sites that have advertising pop-ups... is it the same pop-up window (same website), even for different sites?  or is it just that one particular site that causes that particular pop-up?  you should install firefox with the ad-block plus plug-in and see if the problem goes away.  it might not be spyware at all, just the other websites sending that pop-up... in which case we should all /facepalm 

and no i don't think rootkit revealer works on x64 systems.