Severe adware/popup problem in all browsers

Hi all,

It appeared that other requests on EE to fix a similar problem were solved, but what if I say that I used Adwcleaner, MalwareBytes, Adsfix, JunkWareTool and HitManpro, which I believe are all very much alike, and that it did not do the trick? I even, as a workaround, installed AdBlock components in all browsers and that did not stop the popup ads from nagging users. I used SpyBot a while ago and kind of dropped it, but I am willing to give it a try, as well as other tools listed by others in this forum. But how many do I have to use? It seems to me that it's virtually infinite!

My situation is I have an organization which has been plagued with this since last May, and despite all the efforts I put in I just can't get rid of this crap. I am desperate to get over with this really frustrating problem for them and for my reputation as an IT admin ;-)

Also, one troublesome thing I noticed is that I just installed a new clean machine in the organization, and yesterday, in another useless attempt to understand and fix the problem on other machines, that particular machine (which was totally clean) popped up an advertisement. Then I figured that maybe a machine in the network has been compromised and just keeps sending this crap to the networked workstations? Which tools could I use to find this out?

I have attached screen captures here for your convenience.

First, the new system: did you install the OS yourself?
If so, did you use an original copy of Windows or is this a burned copy of Windows?
What did you install on the new system? One of the applications that you installed could be infected.

Second, you described a number of anti-malware tools that you tried. However, you did not mention what antivirus you are using, if any. What antivirus are you using and is it up to date?

What Browser(s) are you using on these systems?
How many systems are we talking about?

Gabriel Clifton (Net Admin) Commented:
Also, use Wireshark to look for computers that are spitting out more traffic than they should be.
Thomas Zucker-Scharff (Solution Guide) Commented:
It looks, at least at first glance, to be coming up in browsers. A popup from a browser, as long as no one acts on it, is not as dangerous as malware. That being said, have you tried running the various apps from

At least try:


Also, have you tried running Process Explorer from Microsoft to see if any processes are affected?

asusxtian --
I do not see that you have run an antivirus app.  ESET, Panda and BitDefender report they can block it.

Have you looked in Control Panel|Programs and Features to see if it is in the list and can be removed from there?
On one of your compromised systems, check Task Manager by right-clicking on the taskbar at the bottom of your screen and selecting 'Start Task Manager'. Then click the 'Processes' tab.
Take a snapshot (Control + Print Screen) and post it here.
We might be able to identify the process causing the problem.
In the background of your snapshot is listed a Trojan Fake Antivirus.
Spyware banker
Download and install the free version of Malwarebytes for spyware banker etc. on each system and leave it there, as it will run in the background and auto update / run a scan on each system.
How many computers are connected?
Reset the router and, if possible, disconnect everyone.
These popups and warnings could be the fake antivirus pulling you into this?
When I read up on ones similar to this one, they do exactly this: constantly throw up this warning to get you to buy into it.
Here is the removal tool for
Fake Antivirus (FakeAV) Removal Tool (Trend Micro)
Problem Description
Fake Antivirus (FakeAV) threats have been rampant in the past few years. Various FAKEAV variants have infected millions of PCs and are continuously spreading worldwide.
One reason why FAKEAV infections have become well-known to users is because they have visual payloads.
Variants of the malware family often display pop-up messages telling users that their machines have been infected.
This may cause panic among users, pressuring them to purchase rogue antivirus applications in the hope of resolving the issue. Users, however, should never purchase antivirus software from unknown sources.
The FakeAV Removal Tool works for Windows XP, Vista, Windows 7 and Windows 8 (32-bit and 64-bit)
Using the ATTK FakeAV Removal Tool
To use the removal tool, do the following:
1. Download one of the following packages depending on your operating system:
   Graphical User Interface mode
   This package provides a simple user interface to use and is recommended for home users. For 32-bit / For 64-bit
   Note: Clicking the link will open the Trend Micro License Agreement in another window. Read the License Agreement and click I Accept to download the Fake AV removal tool.
   Command Line Interface mode
   This is recommended for advanced users who only want to see the CMD screen. For 32-bit / For 64-bit
2. Run the executable file.
   If you are having problems running the file because the Fake AV is blocking it, you can do the following:
   - Rename the attk_far tool to svchost.exe or iexplore.exe.
   - Change the file extension of the attk_far tool to .com. Renaming the tool will trick the Fake AV into thinking that you are running a critical Windows process.
   Note: If you are using Windows Vista/7, right-click the tool and select Run as Administrator to make sure that the application is not blocked from running.
3. Accept the license agreement.
4. Click Scan Now.
5. Tick the items that are associated with the FakeAV infection, then click Clean.
   Note: Restart your computer if you are prompted.
Remove pop-up virus (Fake Warning Removal)

Do you have Norton Installed?
Possibly Norton is the infected tool
According to Trend Micro
Risk Level 1: Very Low
Trojan.FakeAV is a detection for Trojan horse programs that intentionally misrepresent the security status of a computer. These programs attempt to convince the user to purchase software in order to remove non-existent malware or security risks from the computer. The user is continually prompted to pay for the software using a credit card. Some programs employ tactics designed to annoy or disrupt the activities of the user until the software is purchased.

All the Best with it.
asusxtian (Author) Commented:
Thank you all for your answers. I was quite busy this week and I "hijacked" one of the infected machines and took it to my place to run extensive tests (among those you suggested).

First of all, my machines are installed from a Windows 7 Enterprise image (.wim) which I maintained on a regular basis. I usually remove administrative credentials from all users for all the organisations that are under my responsibility, but for some reason I dropped it for a couple of users in this particular org. The infection appeared "suddenly" in May. I don't have much detail as to how it came about, but someone in the office called me to notify me of the problem on Monday when nothing was wrong the week before. What I vaguely recall is that some people were there on the weekend and used the workstations for some purposes, and that may well be where it all started...

All computers are equipped by default with MSE (I know it is not the best) for convenience and price. We are a not-for-profit IT consultant which mainly deals with non-profit organisations, so money is an issue. The organisations purchase most of their software through Techsoup (Techsoup Canada here), which saves them a great deal of money and allows us to set up enterprise-level infrastructure to a certain extent (Windows 7 Enterprise, Office Pro Plus, Windows Server in some cases, etc.). MSE, with its own weaknesses, has been "sufficient" so far. I may have had some classic problems (always when administrative credentials were given to users) but they were quickly and easily dealt with (Malwarebytes among the clean-up solutions). But this time is different, and so far I have been a total failure at getting rid of the crap. Techsoup is now offering organizations a bundle of licences for BitDefender (although it's out of stock as of this writing), which is considered by most reviews the best AV, so I intend to offer this solution to organisations.

Yes, it does happen with all browsers (and only in this context): IE, Firefox and Chrome. On one machine I installed BitDefender and scanned with Malwarebytes, AdwCleaner and HitmanPro: still the crap is popping up in my face. One tech told me to scan the HD in another machine (to cut short on running programs); he suggested Eset NOD32... Another one suggested Avira in safe mode. I will post some of my findings (ps list), thanks!
asusxtian (Author) Commented:
OK. I think I have a better clue now. The machine that I brought from the office to my place is not showing any adware behavior at ALL. Even with the Adblock, nothing shows up. On the other hand, my recently deployed machine is all but popping adware from any website...

Which, I believe, leads me to conclude (it has to) that the problem comes from/is triggered by the organization's network and/or, I presume, a compromised machine. Any suggestions at this point as to how I could/should track it?

Thanks !
Is it possible to switch off the router so that it's reset?
That also disconnects from the internet.
I find malware can lodge in the router. While the router is off, boot your computer to Safe Mode with Networking.
Run the Fake removal tool I posted above; that should delete any registry keys.
Here are the steps:
How To Remove Antivirus Live – Fake Antivirus Malware Virus (Antivirus Live Trojan Removal)
asusxtian (Author) Commented:
The problem was not really solved, as I have noticed for many questions on this forum related to spyware. I later found out by "accident" that one local machine could possibly be the cause, broadcasting ads through port 80, which in turn could explain why, once the machines were isolated from the faulty one(s), they did not exhibit the problem. But I never had time to investigate, nor were any hints given on the forum regarding possible broadcasting machines on a LAN. Everybody had antispyware in mind: I discovered some more and tried them but it all pretty much failed. I decided to isolate the "faulty" machine and did extensive scanning with Malwarebytes and the like. I was kind of impressed, though, by Hitman Pro among the tools I used. Finally I applied a host file ( and so far the client has not called ;-)
Question has a verified solution.