Jump to content

"Ads by TS" injected in Google search results


Recommended Posts

Hi, 

Everytime I do a Google search, it gives some fake results with a label 'Ads by TS X' in the right top corner as it can be seen in the screen capture below. This happens with all browsers, not only Chrome.

image.thumb.png.74284877dd3aae85c3fc5145f55ddf17.png

I tried Malwarebytes a many others, and no one can detect nor remove this adware.

I used Farbar scan tool and generated the files FIRST.txt and Addition.txt attached to this post

Could anyone please help me to get rid of this adware?

Thanx

 

image.png

Addition.txt

FRST.txt

Link to post
Share on other sites

Hello, Welcome to Malwarebytes.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Please download the attached Fixlist.txt file to  the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the FRST.txt log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Please let me know if the problem persists.

fixlist.txt

Link to post
Share on other sites

Hi,

--RogueKiller--

  • Download & SAVE to your Desktop Download RogueKiller
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or above, right-click the program file and select "Run as Administrator"
  • Accept the user agreements.
  • Execute the scan and wait until it has finished.
  • If a Windows opens to explain what [PUM's] are, read about it.
  • Click the RoguKiller icon on your taksbar to return to the report.
  • Click open the Report
  • Click Export TXT button
  • Save the file as ReportRogue.txt
  • Click the Remove button to delete the items in RED  
  • Click Finish and close the program.
  • Locate the ReportRogue.txt file on your Desktop and copy/paste the contents in your next.


=======

Scan the computer with Fabar again.
This time just check the box to create a Shortcut list.
Post the log for my review.


 

Link to post
Share on other sites
On 8/15/2018 at 11:50 AM, nasdaq said:

Hi,

--RogueKiller--

  • Download & SAVE to your Desktop Download RogueKiller
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or above, right-click the program file and select "Run as Administrator"
  • Accept the user agreements.
  • Execute the scan and wait until it has finished.
  • If a Windows opens to explain what [PUM's] are, read about it.
  • Click the RoguKiller icon on your taksbar to return to the report.
  • Click open the Report
  • Click Export TXT button
  • Save the file as ReportRogue.txt
  • Click the Remove button to delete the items in RED  
  • Click Finish and close the program.
  • Locate the ReportRogue.txt file on your Desktop and copy/paste the contents in your next.

 


=======

Scan the computer with Fabar again.
This time just check the box to create a Shortcut list.
Post the log for my review.


 

Hi again

I send you ReportRougue.txt and new Farbar files

 

Tank you for your help

 

 

ReportRogue.txt

FRST.txt

Shortcut.txt

Link to post
Share on other sites

Hi,

Is the last FRST.TXT log submitted in your post No. 8 is from the MAC?

The infection is not the same.

Please start a new topic in this forum and post fresh FRST.TXT and Addition.txt logs.

When done post the topic URL here and I will expedite the response.

 

As for the current problem on the first computer execute this.

Your copy of Chrome has been compromised

step1.gif Remove Chrome from your Computer and reinstall a fresh copy later.

step2.gif Before you remove Chrome Export your Bookmarks
Chrome will export your bookmarks as a HTML file, which you can then import into another browser.

How To: http://ccm.net/faq/31791-how-to-backup-your-google-chrome-bookmarks

step3.gifIf you sync you account you must remove it before you save your bookmarks etc...
Delete Your Google Chrome Browser Sync Data if you sync with other defices. <- Important ...
https://forums.malwarebytes.com/topic/214325-chrome-secure-preferences-detection-always-comes-back/

step4.gif Clear your Chrome cache and cookies
https://support.google.com/chromebook/answer/183083?hl=en

step5.gif Remove Chrome using the the instructions on this page.
https://support.google.com/chrome/answer/95319?hl=en

step6.gif Re-install Chrome and the Bookmarks.
<<<>>>

Keep me posted.

 

 

Link to post
Share on other sites
48 minutes ago, nasdaq said:

As for the current problem on the first computer execute this.

Hi, i'm the toppic starter, and the last FIRST.txt file on post #8 is from the same computer. It was generated after running RougeKiller as you recomended.

I already re-installed Chrome before starting this post, and the problem was not solved

Any further ideas?

Regards

Link to post
Share on other sites


Hi,

These 2 entries were not in your first log.
===

Press the Windows key + r on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and and click the OK key.

Please copy the entire contents of the code box below to a new file.

	Start
	CreateRestorePoint:
CloseProcesses:
	HKLM\...\Winlogon: [Shell] explorer.exe [3932672 2018-07-06] (Microsoft Corporation)
HKLM-x32\...\Winlogon: [Shell] explorer.exe [3611368 2018-07-06] (Microsoft Corporation)
	Reboot:
End


Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.

Please let me know what problem persists with this computer.
 

Link to post
Share on other sites

Hi,

From a previous post.

I already re-installed Chrome before starting this post, and the problem was not solved

Did you clean the cache as I suggested in post no 9.
The syncing is also important. The redirect may come from a connected device.

Link to post
Share on other sites
On 8/19/2018 at 10:31 AM, nasdaq said:

Hi,

From a previous post.

 

Did you clean the cache as I suggested in post no 9.
The syncing is also important. The redirect may come from a connected device.

The fact is that this problem is not limted only to Chrome, it also afects Edge and Internet Explorer

Link to post
Share on other sites
2 hours ago, nasdaq said:

Hi,

Are you syncing Chrome with other devices, phone, android etc...

It used to be synched before I uninstalled it, but I didn't resynched it after reinstallation

Remember this problem occurs not only in Chrome but also in Edge and Internet Explorer (I don't have Firefox)

Link to post
Share on other sites

Hi,

Lets start with this.

INTERNET EXPLORER - Microsoft

Reset Internet Explorer:
Menu > Tools > Internet Options > Advanced Tab.
Click the Reset button on the bottom of the pane.
Click the Apply button.
Close IE.


Clean the Internet Explorer Cache.
https://kb.wisc.edu/page.php?id=15141
===

Microsoft Edge: How to Clear Browser History and Cache
http://acer--uk.custhelp.com/app/answers/detail/a_id/38047/~/microsoft-edge%3A-how-to-clear-browser-history-and-cache

===

Check these ou and remove it applicable.

Inernet Explorer > Syncing issues.

https://support.microsoft.com/en-ca/help/4026102/windows-10-about-sync-settings
<<<>>>

Edge > Syncing issues.

https://www.tenforums.com/tutorials/36286-turn-off-sync-favorites-reading-list-microsoft-edge.html
===


If Syncing do not re-sync until the issue is solved.

Link to post
Share on other sites
  • 2 weeks later...
  • Root Admin

Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Thanks

 

Link to post
Share on other sites
Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    No registered users viewing this page.

Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.