joshkmartinez (author) Posted May 11, 2017: Ok, but from what I see, even when I opened an email (like from this forum) I used to get a pop-up ad.
joshkmartinez (author) Posted May 11, 2017 (edited): Even if my computer didn't have chrome open it would still do it on occasion. Edited May 11, 2017 by joshkmartinez: improper grammar.
Aura Posted May 11, 2017: You mean in other web browsers, like Internet Explorer and Mozilla Firefox? Which email client are you using?
joshkmartinez (author) Posted May 11, 2017: No, I only use chrome. So if the chrome application isn't even opened, like if I am playing a game or something, I would get a pop-up ad. Oh, would you look at that, I just got my first pop-up ad from 'quickprivacycheck.com' saying my computer is being tracked. I use chrome for my email, I just go to gmail.com.
joshkmartinez (author) Posted May 11, 2017: URL of ad: http://quickprivacycheck.com/siv9/?voluumdata=BASE64dmlkLi4wMDAwMDAwMS1hMTBjLTQ4NTgtODAwMC0wMDAwMDAwMDAwMDBfX3ZwaWQuLmJkYTA0ODAwLTM2NDktMTFlNy04M2MzLThmMzhjMjg4OTYwNF9fY2FpZC4uOWZjMWIxMTYtOGU3YS00NjI1LThhNDEtMmU2YWFlNGU4MmVlX19ydC4uREpfX2xpZC4uM2YzZGNkYTMtNDlhNC00MmY1LWJkYmEtMGU3MDI5NWMxMmFhX19vaWQxLi5kNWQwOTdiNS1iMjI0LTRkNDAtYTU1Ny1jNjBiZjJmMDk4NGNfX3ZhcjEuLjc0NTc1NTI3X19yZC4uX19haWQuLl9fYWIuLl9fc2lkLi5fX2NyaS4uX19wdWIuLl9fZGlkLi5fX2RpdC4uX19waWQuLl9faXQuLl9fdnQuLjE0OTQ1MTA1MzMyNDI&pubid=74575527
Pic of ad so you don't have to open it:
joshkmartinez (author) Posted May 11, 2017: Just got another ad. URL: https://softwaredownloadplayer.com/campaign/airmean4/?ID=ad2k1&sub=ad2k1&subid=74575527&S2=6efd7927-c623-4ab8-b17d-86117e4dd415
Pic:
Aura Posted May 11, 2017: This is weird indeed. Alright, follow the instructions below please.

Emsisoft Emergency Kit
Follow the instructions below to run a scan using the Emsisoft Emergency Kit.
1. Download the Emsisoft Emergency Kit and execute it. From there, click on the Extract button to extract the program in the EEK folder;
2. Once the extraction is complete, Emsisoft Emergency Kit will open, and suggest you run an online update before using the program. Click on Yes to launch it.
3. After the update, click on Malware Scan under 2. Scan and accept to let Emsisoft Emergency Kit detect PUPs (click on Yes).
4. Once the scan is complete, make sure that every item in the list is checked, and click on Quarantine selected;
5. If it asks you for a reboot to delete some items, click on Ok to reboot automatically;
6. After the restart, click on the Start Emsisoft Emergency Kit icon again on your desktop to open it;
7. This time, click on Logs;
8. From there, go under the Quarantine Log tab, and click on the Export button;
9. Save the log on your desktop, then open it, and copy/paste its content in your next reply;
joshkmartinez (author) Posted May 12, 2017: All of the stuff detected by EEK was the bitcoin miner that I use. Nothing else.
Aura Posted May 12, 2017: Alright. Next, I would like to see what RogueKiller can find.

RogueKiller
1. Download the right version of RogueKiller for your Windows version (32 or 64-bit);
2. Once done, move the executable file to your Desktop, right-click on it and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
3. Click on the Start Scan button in the right panel, which will bring you to another tab, and click on it again (this time it'll be in the bottom right corner);
4. Let the scan complete;
5. On completion, the results will be displayed. Click on the Open Report button in the bottom left corner, followed by the Open TXT button (also in the bottom left corner);
6. This will open the report in Notepad. Copy/paste its content in your next reply;
joshkmartinez (author) Posted May 12, 2017:

RogueKiller V12.10.8.0 (x64) [May 8 2017] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : https://forum.adlice.com
Website : http://www.adlice.com/download/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 10 (10.0.14393) 64 bits version
Started in : Normal mode
User : ckurl [Administrator]
Started from : C:\Users\ckurl\Desktop\RogueKiller_portable64.exe
Mode : Scan -- Date : 05/11/2017 19:01:57 (Duration : 00:54:41)

¤¤¤ Processes : 1 ¤¤¤
[VT.not-a-virus:RiskTool.MSIL.BitCoinMiner.ah] NiceHashMiner.exe(3520) -- C:\Users\ckurl\Desktop\NiceHashMiner_v1.7.5.10\NiceHashMiner.exe[7] -> Found *

¤¤¤ Registry : 11 ¤¤¤
[PUP.Gen0] (X64) HKEY_CLASSES_ROOT\CLSID\{4ABDD67C-44E3-42E0-816D-D7F0E54761DF} (C:\Program Files\BDServices\BDUpdateServiceCom.dll) -> Found
[PUP.Gen0] (X64) HKEY_CLASSES_ROOT\CLSID\{65416821-217D-44BD-9C61-F53398FB1B46} (C:\Program Files\BDServices\scan.dll) -> Found
[PUP.Gen0] (X64) HKEY_CLASSES_ROOT\CLSID\{6DFC0DC7-FDC5-44C2-8B80-5977BA8F8ACC} (C:\Program Files\BDServices\scan.dll) -> Found
[PUP.Gen0] (X64) HKEY_CLASSES_ROOT\CLSID\{94915A56-4D71-4F85-B59C-CC040F5AC6F0} (C:\Program Files\BDServices\BDUpdateServiceCom.dll) -> Found
[PUP.Gen0] (X64) HKEY_CLASSES_ROOT\CLSID\{E5AFF088-92F8-41a9-8CAB-E9CDCCE967AC} (C:\Program Files\BDServices\scan.dll) -> Found
[Suspicious.Path] (X64) HKEY_USERS\S-1-5-21-3379452668-3058411388-1845388906-1001\Software\Microsoft\Windows\CurrentVersion\Run | Gaijin.Net Agent : "C:\Users\ckurl\AppData\Local\Gaijin\Program Files (x86)\NetAgent\gjagent.exe" [7] -> Found *
[Suspicious.Path] (X86) HKEY_USERS\S-1-5-21-3379452668-3058411388-1845388906-1001\Software\Microsoft\Windows\CurrentVersion\Run | Gaijin.Net Agent : "C:\Users\ckurl\AppData\Local\Gaijin\Program Files (x86)\NetAgent\gjagent.exe" [7] -> Found *
[PUP.Gen0] (X64) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost | bdx : [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\klids (\??\C:\ProgramData\Kaspersky Lab\AVP16.0.1\Bases\klids.sys) -> Found *
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 10.0.1.1 ([]) -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{cfe21422-8cd3-41c5-9d18-19018f8541fe} | DhcpNameServer : 10.0.1.1 ([]) -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 1 ¤¤¤
[PUP.Filefinder][Folder] C:\Users\ckurl\AppData\Roaming\Pluto TV -> Found

¤¤¤ WMI : 0 ¤¤¤

¤¤¤ Hosts File : 0 [Too big!] ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: TOSHIBA MQ01ABD100 +++++
--- User ---
[MBR] 70b7a7f8df8e6d04800322b634f81da1
[BSP] c435b2756a98160cd71c93f623657a67 : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [MAN-MOUNT] EFI system partition | Offset (sectors): 2048 | Size: 260 MB
1 - [MAN-MOUNT] Microsoft reserved partition | Offset (sectors): 534528 | Size: 128 MB
2 - Basic data partition | Offset (sectors): 796672 | Size: 926584 MB
3 - [SYSTEM][MAN-MOUNT] | Offset (sectors): 1898442752 | Size: 849 MB
4 - [SYSTEM] Basic data partition | Offset (sectors): 1900181504 | Size: 26043 MB
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: PNY USB 2.0 FD USB Device +++++
--- User ---
[MBR] 0c85d70d5cec6b73c7768c62a5f422f4
[BSP] dd23538c0b876bd80f6d8290a33783c0 : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 8064 | Size: 30604 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
Error reading LL2 MBR! ([32] The request is not supported. )

*The lines where I have put the asterisk (*) are files that I know are safe. Please tell me if I should remove the selected threats.
joshkmartinez (author) Posted May 12, 2017: Just got another fake (but looks very real) facebook login popup ad.
Aura Posted May 12, 2017: Check the following threats, and remove them.

[PUP.Gen0] (X64) HKEY_CLASSES_ROOT\CLSID\{4ABDD67C-44E3-42E0-816D-D7F0E54761DF} (C:\Program Files\BDServices\BDUpdateServiceCom.dll) -> Found
[PUP.Gen0] (X64) HKEY_CLASSES_ROOT\CLSID\{65416821-217D-44BD-9C61-F53398FB1B46} (C:\Program Files\BDServices\scan.dll) -> Found
[PUP.Gen0] (X64) HKEY_CLASSES_ROOT\CLSID\{6DFC0DC7-FDC5-44C2-8B80-5977BA8F8ACC} (C:\Program Files\BDServices\scan.dll) -> Found
[PUP.Gen0] (X64) HKEY_CLASSES_ROOT\CLSID\{94915A56-4D71-4F85-B59C-CC040F5AC6F0} (C:\Program Files\BDServices\BDUpdateServiceCom.dll) -> Found
[PUP.Gen0] (X64) HKEY_CLASSES_ROOT\CLSID\{E5AFF088-92F8-41a9-8CAB-E9CDCCE967AC} (C:\Program Files\BDServices\scan.dll) -> Found
[PUP.Gen0] (X64) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost | bdx : [x] -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 10.0.1.1 ([]) -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{cfe21422-8cd3-41c5-9d18-19018f8541fe} | DhcpNameServer : 10.0.1.1 ([]) -> Found
[PUP.Filefinder][Folder] C:\Users\ckurl\AppData\Roaming\Pluto TV -> Found
joshkmartinez (author) Posted May 13, 2017: Just got another pop-up ad from quickprivacycheck.com again.
joshkmartinez (author) Posted May 15, 2017: Is there a way to block these ads directly from popping up? Like in the hosts file or something? Or in uBlock Origin?
Aura Posted May 15, 2017: There is, yes, but you need to add them one by one.

Quote: "No, I only use chrome. So if the chrome application isn't even opened, like if I am playing a game or something, would get a pop-up ad."

In which web browser would that ad open? Are you able to reproduce it? And which game(s) are you playing?
joshkmartinez (author) Posted May 15, 2017: All of the ads open in chrome. I am not able to reproduce it because the ads would pop up randomly, even if I wasn't playing a game.
joshkmartinez (author) Posted May 15, 2017: Got another ad: http://onlinewebsrvy.com/us/ron/back.php
Aura Posted May 15, 2017: Alright, let's try something. Download and execute procexp64.exe. Close all your programs, and wait for an ad to appear. Once done, take a screenshot of the procexp64.exe window, where I can see the chrome.exe process listed, and post it here. https://technet.microsoft.com/en-us/sysinternals/processexplorer.aspx
joshkmartinez (author) Posted May 15, 2017: Oh, of course, it's just my luck that an ad doesn't pop up when I want one to. This might take a while.
Aura Posted May 15, 2017: The idea here is that hopefully we'll see what process launched the chrome.exe process with the ad, and it'll give me ideas on where to look for it.
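The same parent-process check Aura wants from the Process Explorer screenshot can be captured as text with the added PowerShell script below (an editor's example, not something posted in the thread); it assumes Windows with PowerShell 3 or later and is meant to be run right after an ad window appears, before closing anything.

```powershell
# Added example, not from the thread: map every running chrome.exe to the
# process that launched it. A Chrome window started by something other than
# the user (explorer.exe) or Chrome itself is the lead the thread is after,
# and a URL passed to Chrome on launch shows up in its command line.
$all   = Get-CimInstance -ClassName Win32_Process
$byPid = @{}
foreach ($p in $all) { $byPid[[int]$p.ProcessId] = $p }

$rows = foreach ($c in ($all | Where-Object { $_.Name -ieq 'chrome.exe' })) {
    $parent = $byPid[[int]$c.ParentProcessId]
    # PIDs are reused: a "parent" that started after its child is a different
    # process that inherited the old PID, so treat it as unknown.
    if ($parent -and $parent.CreationDate -gt $c.CreationDate) { $parent = $null }

    # Renderer/GPU children are launched by chrome.exe and are expected; the
    # interesting entry is the top-level chrome.exe and whoever started it.
    $isTopLevel = (-not $parent) -or ($parent.Name -ine 'chrome.exe')

    [pscustomobject]@{
        Pid        = $c.ProcessId
        Started    = $c.CreationDate
        ParentPid  = $c.ParentProcessId
        Parent     = if ($parent) { $parent.Name } else { '<exited or unknown>' }
        ParentPath = if ($parent) { $parent.ExecutablePath } else { '' }
        TopLevel   = $isTopLevel
        CmdLine    = $c.CommandLine
    }
}

# Only top-level Chrome instances, oldest first; the newest one is the ad window.
$rows | Where-Object TopLevel | Sort-Object Started |
    Format-Table Pid, Started, ParentPid, Parent, ParentPath, CmdLine -AutoSize -Wrap
```

An "exited or unknown" parent means the launcher quit before the snapshot, which is itself worth noting; in that case Process Explorer's tree view, or a scheduled task / Run-key review like the RogueKiller output above, is the next place to look.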
joshkmartinez (author) Posted May 16, 2017 (edited): Finally, after like 24 hours. Note: I was working on my PC while the ad happened. I then closed all of my tabs and then took the pic of the processes. Ad URL: https://softwaredownloadplayer.com/campaign/sweetuncle6/?ID=ad2k1&sub=ad2k1&subid=74575527&S2=91ec0660-0789-49f4-b96d-1162062ef495
Edited May 16, 2017 by joshkmartinez.
joshkmartinez (author) Posted May 16, 2017: I got another.
Aura Posted May 16, 2017: Alright, please provide me a fresh set of FRST logs (FRST.txt and Addition.txt). Looks like I'll have to review them line by line. The chrome.exe processes seem to be normally invoked.
joshkmartinez (author) Posted May 16, 2017: I have taken everything off of the whitelist, so the logs are quite long, so I will just attach them. Attachments: Addition.txt, FRST.txt
Aura Posted May 16, 2017: Please, leave the whitelisting off. We only uncheck these in case of extreme need. I don't think it is necessary right now. Run a scan again with the default settings.