Solved

Severe adware/popup problem in all browsers

Posted on 2014-09-10
Last Modified: 2014-10-21
Hi all,

It appeared that another request on EE to fix a similar problem was solved, but what if I say that I used AdwCleaner, MalwareBytes, AdsFix, JunkwareTool and HitmanPro, which I believe are all very alike, and that it did not do the trick? I even, as a workaround, installed AdBlock components in all browsers and that did not stop the popup ads from nagging users. I used SpyBot a while ago and kind of dropped it, but I am willing to give it a try again, as well as the other tools listed by others in this forum. But how many do I have to use? It seems to me that it's virtually infinite!

My situation is that I have an organization which has been plagued with this since last May and, despite all the effort I put in, I just can't get rid of this crap. I am desperate to get over this really frustrating problem, for them and for my reputation as an IT admin ;-)

Also, one troublesome thing I noticed: I just installed a new clean machine in the organization and yesterday, in another useless attempt to understand and fix the problem on other machines, that particular machine (which was totally clean) popped up an advertisement. Then I figured that maybe a machine on the network has been compromised and just keeps sending this crap to the networked workstations? Which tools could I use to find this out?

I have attached screen captures here for your convenience.
capture-mariejo-14-08-14.png
FauxLecteur.png
Question by: asusxtian

10 Comments
 
Accepted Solution
by: macarrillo1 (LVL 9), earned 500 total points
ID: 40314546
First, the new system: did you install the OS yourself?
If so, did you use an original copy of Windows or is this a burned copy of Windows?
What did you install on the new system? One of the applications that you installed could be infected.

Second, you described a number of anti-malware tools that you tried. However, you did not mention what antivirus you are using, if any. What antivirus are you using and is it up to date?

What browser(s) are you using on these systems?
How many systems are we talking about?

Expert Comment
by: Gabriel Clifton (LVL 13)
ID: 40314661
Also, use Wireshark to look for computers that are spitting out more traffic than they should be.

Expert Comment
by: Thomas Zucker-Scharff (LVL 26)
ID: 40314845
It looks, at least at first glance, to be coming up in browsers. A popup from a browser, as long as no one acts on it, is not as dangerous as malware. That being said, have you tried running the various apps from securityxploded.com?

At least try:

SpyDLLRemover
SpyBHORemover

Also, have you tried running Process Explorer from Microsoft to see if any processes are affected?

Expert Comment
by: jcimarron (LVL 50)
ID: 40315085
asusxtian --
I do not see that you have run an antivirus app.  ESET, Panda and BitDefender report they can block it.

Have you looked in Control Panel|Programs and Features to see if it is in the list and can be removed from there?

Expert Comment
by: macarrillo1 (LVL 9)
ID: 40317975
On one of your compromised systems, check Task Manager by right-clicking on the taskbar at the bottom of your screen and selecting 'Start Task Manager'. Then click the 'Processes' tab.
Take a snapshot (Ctrl + Print Screen) and post it here.
We might be able to identify the process causing the problem.
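For the process-list step above (Task Manager here, Process Explorer earlier in the thread), one triage that does not depend on recognising process names is to look at where each image lives: adware dropped by a user without admin rights usually runs from a user-writable folder. The following is an added example, not code from the thread or from any tool mentioned in it. It parses output in roughly the layout `wmic process get ProcessId,Name,ExecutablePath /format:csv` emits (column order is an assumption); the host name, paths and PIDs are constructed, and treating AppData, Temp, ProgramData and Users\Public as the places to look first is a heuristic of mine, not something the thread states.

```python
"""Triage a Windows process list for images running from user-writable
locations, a common trait of adware (constructed example)."""
import csv
import io

# Constructed sample in the shape of
#   wmic process get ProcessId,Name,ExecutablePath /format:csv
# (wmic prefixes each row with the node name). Host, paths and PIDs are made up.
SAMPLE_WMIC = """\
Node,ExecutablePath,Name,ProcessId
WS-07,C:\\Windows\\System32\\svchost.exe,svchost.exe,812
WS-07,C:\\Program Files\\Internet Explorer\\iexplore.exe,iexplore.exe,3120
WS-07,C:\\Users\\mariejo\\AppData\\Local\\Temp\\update_helper.exe,update_helper.exe,4412
WS-07,C:\\Users\\mariejo\\AppData\\Roaming\\BrowserHelper\\bhelper.exe,bhelper.exe,4470
WS-07,C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe,firefox.exe,5002
WS-07,,System,4
"""

# Roots an ordinary user cannot write to (assumed system drive C:).
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Folders a non-admin user can write to; heuristic, not an indicator by itself.
SUSPECT_MARKERS = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")


def parse_wmic_csv(text):
    """Yield one dict per process row of wmic's CSV output."""
    yield from csv.DictReader(io.StringIO(text))


def classify(path):
    """Return 'trusted', 'user-writable', 'other' or 'no-path' for an image path.
    User-writable markers win over trusted roots so C:\\Windows\\Temp is flagged."""
    if not path:
        return "no-path"
    p = path.lower()
    if any(m in p for m in SUSPECT_MARKERS):
        return "user-writable"
    if p.startswith(TRUSTED_ROOTS):
        return "trusted"
    return "other"


def suspicious_processes(text):
    """(pid, name, path, kind) for processes not running from a trusted root.
    Kernel/system pseudo-processes with no path are left out."""
    hits = []
    for row in parse_wmic_csv(text):
        path = row.get("ExecutablePath", "") or ""
        kind = classify(path)
        if kind in ("user-writable", "other"):
            hits.append((int(row["ProcessId"]), row["Name"], path, kind))
    return hits


if __name__ == "__main__":
    for pid, name, path, kind in suspicious_processes(SAMPLE_WMIC):
        print(f"PID {pid:>5} {name:<20} [{kind}] {path}")
```

Anything flagged is a candidate to check for a digital signature (Process Explorer's "Verified Signer" column) and for a matching Run key or scheduled task, not proof of infection on its own; legitimate updaters also live under AppData.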

Expert Comment
by: Merete (LVL 69)
ID: 40320775
In the background of your snapshot is listed a Trojan Fake Antivirus.
And
Spyware Banker
Download and install the free version of Malwarebytes for Spyware Banker etc. on each system and leave it there, as it will run in the background and auto-update / run a scan on each system.
https://www.malwarebytes.org/
How many computers are connected?
Reset the router and, if possible, disconnect everyone.
These popups and warnings could be the fake antivirus pulling you into this?
When I read up on cases similar to this one, they do exactly this: throw up this warning constantly to get you to buy into it.
Here is the removal tool:
Fake Antivirus (FakeAV) Removal Tool (Trend Micro)

Problem Description
Fake Antivirus (FakeAV) threats have been rampant in the past few years. Various FAKEAV variants have infected millions of PCs and are continuously spreading worldwide.
One reason why FAKEAV infections have become well-known to users is because they have visual payloads.
Variants of the malware family often display pop-up messages telling users that their machines have been infected.
This may cause panic among users, pressuring them to purchase rogue antivirus applications in the hope of resolving the issue. Users, however, should never purchase antivirus software from unknown sources.
Notes:
The FakeAV Removal Tool works for Windows XP, Vista, Windows 7 and Windows 8 (32-bit and 64-bit).

Solution
Using the ATTK FakeAV Removal Tool
To use the removal tool, do the following:
1. Download one of the following packages depending on your operating system:
   Graphical User Interface mode: this package provides a simple user interface and is recommended for home users. (For 32-bit / For 64-bit)
   Note: Clicking the link will open the Trend Micro License Agreement in another window. Read the License Agreement and click I Accept to download the Fake AV removal tool.
   Command Line Interface mode: this is recommended for advanced users who only want to see the CMD screen. (For 32-bit / For 64-bit)
2. Run the executable file.
   If you are having problems running the file because the Fake AV is blocking it, you can do the following:
   Rename the attk_far tool to svchost.exe or iexplore.exe.
   Change the file extension of the attk_far tool to .com. Renaming the tool will trick the Fake AV into thinking that you are running a critical Windows process.
   Note: If you are using Windows Vista/7, right-click the tool and select Run as Administrator to make sure that the application is not blocked from running.
3. Accept the license agreement.
4. Click Scan Now.
5. Tick the items that are associated with the FakeAV infection, then click Clean.
   Note: Restart your computer if you are prompted.
http://esupport.trendmicro.com.au/Pages/Fake-Antivirus-FakeAV-Removal-Tool.aspx
--------------------------------------------------------------------------------------------
Example
Remove SystemBrowsing.com pop-up virus (Fake Warning Removal)
http://malwaretips.com/blogs/systembrowsing-com-removal/

Do you have Norton installed?
Possibly Norton is the infected tool.
According to Trend Micro
Risk Level 1: Very Low
Trojan.FakeAV is a detection for Trojan horse programs that intentionally misrepresent the security status of a computer. These programs attempt to convince the user to purchase software in order to remove non-existent malware or security risks from the computer. The user is continually prompted to pay for the software using a credit card. Some programs employ tactics designed to annoy or disrupt the activities of the user until the software is purchased.
Read on:
http://www.symantec.com/security_response/writeup.jsp?docid=2007-101013-3606-99

All the best with it.
Merete

Author Comment
by: asusxtian
ID: 40320834
Thank you all for your answers. I was quite busy this week and I "hijacked" one of the infected machines to bring to my place and run extensive tests (among them those you suggested).

First of all, my machines are installed from a Windows 7 Enterprise image (.wim) which I maintain on a regular basis. I usually remove administrative credentials from all users in all the organisations that are under my responsibility, but for some reason I dropped that for a couple of users in this particular org. The infection appeared "suddenly" in May. I don't have many details as to how it came about, but someone in the office called me to notify me of the problem on a Monday when nothing was wrong the week before. What I vaguely recall is that some people were there on the weekend and used the workstations for some purposes, and that may well be where it all started...

All computers are equipped by default with MSE (I know it is not the best) for convenience and price. We are a not-for-profit IT consultancy which mainly deals with non-profit organisations, so money is an issue. The organisations purchase most of their software through TechSoup (TechSoup Canada here), which saves them a great deal of money and allows us to set up enterprise-level infrastructure to a certain extent (Windows 7 Enterprise, Office Pro Plus, Windows Server in some cases, etc.). MSE, with its own weaknesses, has been "sufficient" so far; I may have had some classic problems (always when administrative credentials were given to users) but they were quickly and easily dealt with (Malwarebytes among the clean-up solutions). But this time is different and so far I have been a total failure at getting rid of the crap. TechSoup is now offering organisations bundles of licences for BitDefender (although it is out of stock as of this writing), which most reviews consider the best AV, so I intend to offer this solution to the organisations.

Yes, it does happen with all browsers (and only in this context): IE, Firefox and Chrome. On one machine I installed BitDefender and scanned with Malwarebytes, AdwCleaner and HitmanPro: still the crap is popping up in my face. One tech told me to scan the HD in another machine (to cut short on running programs); he suggests ESET NOD32... Another one suggests Avira in safe mode. I will post some of my findings (ps list), thanks!

Author Comment
by: asusxtian
ID: 40322045
OK. I think I have a better clue now. The machine that I brought from the office to my place is not showing any adware behaviour at ALL. Even with the AdBlock, nothing shows up. On the other hand, my recently deployed machine is doing nothing but popping adware from any website...

Which, I believe, leads me (it has to) to conclude that the problem comes from / is triggered by the organization's network and/or, I presume, a compromised machine. Any suggestions at this point as to how I could/should track it?

Thanks!

Expert Comment
by: Merete (LVL 69)
ID: 40322322
Is it possible to switch off the router so that it's reset?
Also disconnect from the internet.
I find malware can lodge in the router. While the router is off, boot your computer to safe mode with networking.
Run the FakeAV removal tool I posted above; that should delete any registry keys.
http://esupport.trendmicro.com/Pages/Fake-Antivirus-FakeAV-Removal-Tool.aspx
http://esupport.trendmicro.com.au/Pages/Fake-Antivirus-FakeAV-Removal-Tool.aspx
Here are the steps:
How To Remove Antivirus Live – Fake Antivirus Malware Virus (Antivirus Live Trojan Removal)
http://botcrawl.com/how-to-remove-antivirus-live-fake-antivirus-malware-virus/

Author Closing Comment
by: asusxtian
ID: 40395557
The problem was not really solved, as I noticed for many questions on this forum related to spyware. I later found out by "accident" that one local machine could possibly be the cause, broadcasting ads through port 80, which in turn could explain why, once the machines were isolated from the faulty one(s), they did not exhibit the problem. But I never had time to investigate, nor were any hints given on the forum regarding possible broadcasting machines on a LAN. Everybody had antispyware in mind: I discovered some more and tried them, but they all pretty much failed. I decided to isolate the "faulty" machine and did extensive scanning with Malwarebytes and the like. I was kind of impressed, though, by HitmanPro among the tools I used. Finally I applied a hosts file (http://winhelp2002.mvps.org/hosts.htm) and so far the client has not called ;-)
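Gabriel Clifton's Wireshark suggestion and the closing comment's suspicion that a LAN machine was pushing the ads over port 80 point at the same check: which internal host are all the workstations opening HTTP connections to? The following is an added example, not code from the thread or from any tool mentioned in it. It reads connection attempts in the CSV layout tshark can export from a capture taken on a workstation while the popups occur; the office subnet (192.168.1.0/24), the thresholds and every address and count in the sample are constructed assumptions.

```python
"""Rank LAN hosts by how many workstations open HTTP connections to them,
to spot an internal machine serving the ads (constructed example)."""
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample in the column layout produced by
#   tshark -r office.pcap -Y "tcp.flags.syn==1 && tcp.flags.ack==0" \
#          -T fields -E separator=, -e ip.src -e ip.dst -e tcp.dstport
# i.e. one line per TCP connection attempt, client -> server.
# All addresses and counts below are made up for this example.
SAMPLE_SYNS = """\
192.168.1.21,93.184.216.34,80
192.168.1.21,192.168.1.77,80
192.168.1.22,192.168.1.77,80
192.168.1.23,192.168.1.77,80
192.168.1.23,192.168.1.10,445
192.168.1.24,192.168.1.77,80
192.168.1.24,93.184.216.34,443
192.168.1.25,192.168.1.77,80
192.168.1.77,198.41.0.4,80
192.168.1.77,198.41.0.4,80
192.168.1.10,192.168.1.21,3389
"""

# Assumed office subnet; set this to the site's real LAN.
LAN = ipaddress.ip_network("192.168.1.0/24")


def parse_syns(text):
    """Yield (src, dst, dport) from the CSV, skipping blank or malformed lines."""
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 3 or not row[2].isdigit():
            continue
        yield row[0], row[1], int(row[2])


def in_lan(addr, lan=LAN):
    return ipaddress.ip_address(addr) in lan


def lan_http_servers(text, port=80, lan=LAN):
    """Map each LAN host that received SYNs on `port` to the set of LAN clients."""
    clients = defaultdict(set)
    for src, dst, dport in parse_syns(text):
        if dport == port and in_lan(src, lan) and in_lan(dst, lan):
            clients[dst].add(src)
    return dict(clients)


def suspects(text, port=80, min_clients=3, lan=LAN):
    """LAN hosts serving HTTP to at least min_clients distinct workstations,
    most-connected first. A workstation nobody set up as a web server but
    that half the office talks to on port 80 is the one to pull off the wire."""
    servers = lan_http_servers(text, port, lan)
    ranked = sorted(servers.items(), key=lambda kv: len(kv[1]), reverse=True)
    return [(host, sorted(c)) for host, c in ranked if len(c) >= min_clients]


def top_talkers(text, port=80, lan=LAN):
    """Outbound connection attempts on `port` per LAN source, noisiest first."""
    counts = defaultdict(int)
    for src, _dst, dport in parse_syns(text):
        if dport == port and in_lan(src, lan):
            counts[src] += 1
    return sorted(counts.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    for host, c in suspects(SAMPLE_SYNS):
        print(f"{host} accepts HTTP from {len(c)} LAN clients: {', '.join(c)}")
    for src, n in top_talkers(SAMPLE_SYNS):
        print(f"{src}: {n} outbound port-80 SYNs")
```

A capture on one affected workstation is enough to see where its own browser is sending port-80 SYNs; a span/mirror port on the switch shows it for the whole office. If no LAN host stands out, check what DNS server and proxy the workstations actually received from DHCP, since ads injected by a rogue resolver or proxy would not show up as peer-to-peer HTTP.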
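The hosts-file fix the closing comment settled on only holds up if the blocklist never overrides names the organisation relies on (an intranet server, localhost) and is not appended a second time on the next update. The following is an added example, not code from the thread or from the MVPS project: the existing hosts file, the blocklist excerpt and every hostname in them are constructed, and the merge rule (skip any name the existing file already defines, accept only lines that sink to 0.0.0.0 or 127.0.0.1) is my own choice.

```python
"""Merge an ad-blocking hosts list into an existing Windows hosts file without
clobbering entries the organisation already relies on (constructed example)."""

# Sink addresses a blocklist is allowed to use; anything else is a real mapping.
BLOCK_SINKS = {"0.0.0.0", "127.0.0.1"}

# Constructed stand-in for C:\Windows\System32\drivers\etc\hosts.
EXISTING_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
# localhost name resolution is handled within DNS itself.
#	127.0.0.1       localhost
192.168.1.10    fileserver fileserver.office.local
"""

# Constructed excerpt in the style of the MVPS list (0.0.0.0 sink, inline comments).
BLOCKLIST = """\
# This MVPS HOSTS file is a free download from: http://winhelp2002.mvps.org/
0.0.0.0 localhost
0.0.0.0 ads.example.net
0.0.0.0 tracker.example.org   # [Adware]
0.0.0.0 fileserver.office.local
0.0.0.0 ads.example.net
"""


def parse_hosts(text):
    """Yield (ip, [hostnames]) for each non-comment line; hostnames lower-cased."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        yield fields[0], [h.lower() for h in fields[1:]]


def defined_names(text):
    """Every hostname the file already maps to something."""
    names = set()
    for _ip, hosts in parse_hosts(text):
        names.update(hosts)
    return names


def blocked_names(text):
    """Hostnames the file sinks to a blackhole address."""
    names = set()
    for ip, hosts in parse_hosts(text):
        if ip in BLOCK_SINKS:
            names.update(hosts)
    return names


def merge_blocklist(existing, blocklist, sink="0.0.0.0"):
    """Return `existing` plus the blocklist's sink entries, skipping names the
    existing file already defines (so intranet hosts and localhost are never
    overridden) and duplicates. Idempotent: merging twice adds nothing."""
    taken = defined_names(existing) | {"localhost"}
    added = []
    for ip, hosts in parse_hosts(blocklist):
        if ip not in BLOCK_SINKS:
            continue  # a "blocklist" line pointing at a real IP is a redirect, not a block
        for h in hosts:
            if h not in taken:
                taken.add(h)
                added.append(f"{sink} {h}")
    if not added:
        return existing
    return (existing.rstrip("\n") + "\n\n# --- ad-blocking entries ---\n"
            + "\n".join(added) + "\n")


if __name__ == "__main__":
    merged = merge_blocklist(EXISTING_HOSTS, BLOCKLIST)
    print(merged)
    print("blocked:", sorted(blocked_names(merged)))
```

Write the result over the hosts file from an elevated prompt (the file is ACL-protected) and run `ipconfig /flushdns`. Two caveats a practitioner should expect: Microsoft Security Essentials / Windows Defender has treated edited hosts files as SettingsModifier:Win32/HostsFileHijack and may revert them unless the file is excluded, and a hosts file only blocks by name, so ads served by a LAN machine that browsers reach by IP are untouched by it.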
