louisng114 Posted March 16, 2016

As my morning routine, I was browsing YouTube. As I clicked post to post a reply, some ads started popping up. I closed them quickly and ran a scan with SUPERAntiSpyware, but it did not spot any major threat. I then opened my browser to check again. Sure enough, ads start popping up when I visit sites. Below are some pictures I took. Does anyone know what virus it is and how I can remove it?

https://imageshack.us/i/potnzmpGj that is how the normal page looks
https://imageshack.us/i/pmxe6WUDj now ads start showing up
https://imageshack.us/i/plabJmVVj a fake (most likely) update notice appears
GuiltySpark Posted March 16, 2016

Hi louisng114

It's a bit difficult to tell from those pics as to what particular browser hijacker it may be. Probably an unknown / unwanted download (check those boxes aren't ticked when installing things, and always select Custom install when offered). The fake flash player image is just that... a fake.

You should check in your browser's extensions for anything not needed and remove it. And to make sure, download adwcleaner and select Scan, uncheck what you want to keep and select Clean. After the machine reboots please attach the txt log back here; it may also help to see what the issue was and whether or not it can be incorporated in SAS in future.

https://toolslib.net/downloads/viewdownload/1-adwcleaner/
louisng114 Posted March 16, 2016

I do not see anything in the extension, unlike when my computer was affected by dnsunlocker before.

When I download adwcleaner, it says "windows smartscreen prevented an unrecognized app from starting. running this app might put your pc at risk". Is this normal? Did the virus redirect the download? Should I run the program anyway?
SUPERsupport Posted March 16, 2016

Hello. Smartscreen asking you if you want to run the software is normal, go ahead and run the program.
louisng114 Posted March 16, 2016

Yay! It worked! Thanks <3

# AdwCleaner v5.102 - Logfile created 16/03/2016 at 12:46:18
# Updated 13/03/2016 by Xplode
# Database : 2016-03-16.1 [server]
# Operating system : Windows 8.1 (x64)
# Username : Louis - LOUIS-PC
# Running from : C:\Users\Louis\Downloads\adwcleaner_5.102 (2).exe
# Option : Clean
# Support : http://toolslib.net/forum

***** [ Services ] *****

***** [ Folders ] *****

[-] Folder Deleted : C:\Program Files\amztab
[-] Folder Deleted : C:\Program Files (x86)\sushileads
[-] Folder Deleted : C:\ProgramData\sushileads
[-] Folder Deleted : C:\ProgramData\333a93e2-4eb3-1
[-] Folder Deleted : C:\ProgramData\333a93e2-5361-0
[-] Folder Deleted : C:\ProgramData\bd14958f-30e5-0
[-] Folder Deleted : C:\ProgramData\bd14958f-4a15-0
[-] Folder Deleted : C:\ProgramData\bd14958f-5501-0
[-] Folder Deleted : C:\ProgramData\bd14958f-5b05-0
[-] Folder Deleted : C:\ProgramData\bd14958f-5b41-0
[-] Folder Deleted : C:\ProgramData\bd14958f-7e85-1
[-] Folder Deleted : C:\ProgramData\{139aee63-612c-1}
[-] Folder Deleted : C:\ProgramData\{180aee92-312c-0}
[-] Folder Deleted : C:\Users\Louis\AppData\Roaming\Nosibay
[-] Folder Deleted : C:\Users\Louis\AppData\Roaming\Store
[-] Folder Deleted : C:\Users\Louis\AppData\Roaming\WTools
[-] Folder Deleted : C:\Users\Louis\Documents\DailyPCClean

***** [ Files ] *****

[-] File Deleted : C:\END
[-] File Deleted : C:\Users\Louis\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxps_cdncache-a.akamaihd.net_0.localstorage
[-] File Deleted : C:\Users\Louis\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxps_cdncache-a.akamaihd.net_0.localstorage-journal
[-] File Deleted : C:\Users\Louis\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxps_nps.pastaleads.com_0.localstorage
[-] File Deleted : C:\Users\Louis\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxps_nps.pastaleads.com_0.localstorage-journal
[-] File Deleted : C:\Users\Louis\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxps_pstatic.bestpriceninja.com_0.localstorage
[-] File Deleted : C:\Users\Louis\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxps_pstatic.bestpriceninja.com_0.localstorage-journal
[-] File Deleted : C:\Users\Louis\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxps_pstatic.eshopcomp.com_0.localstorage
[-] File Deleted : C:\Users\Louis\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxps_pstatic.eshopcomp.com_0.localstorage-journal
[-] File Deleted : C:\Users\Louis\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxps_static.re-markit00.re-markit.co_0.localstorage
[-] File Deleted : C:\Users\Louis\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxps_static.re-markit00.re-markit.co_0.localstorage-journal
[-] File Deleted : C:\Users\Louis\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_nps.pastaleads.com_0.localstorage
[-] File Deleted : C:\Users\Louis\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_nps.pastaleads.com_0.localstorage-journal
[-] File Deleted : C:\Users\Louis\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_pstatic.bestpriceninja.com_0.localstorage
[-] File Deleted : C:\Users\Louis\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_pstatic.bestpriceninja.com_0.localstorage-journal
[-] File Deleted : C:\Users\Louis\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_pstatic.eshopcomp.com_0.localstorage
[-] File Deleted : C:\Users\Louis\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_pstatic.eshopcomp.com_0.localstorage-journal
[-] File Deleted : C:\Users\Louis\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_static.re-markable00.re-markable.net_0.localstorage
[-] File Deleted : C:\Users\Louis\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_static.re-markable00.re-markable.net_0.localstorage-journal
[-] File Deleted : C:\Users\Louis\AppData\Roaming\Bubble Dock.boostrap.log
[-] File Deleted : C:\Users\Louis\AppData\Roaming\Bubble Dock.installation.log
[-] File Deleted : C:\Users\Louis\AppData\Roaming\Selection Tools.installation.log
[-] File Deleted : C:\Users\Louis\AppData\Roaming\WindApp.boostrap.log
[-] File Deleted : C:\Users\Louis\AppData\Roaming\WindApp.installation.log

***** [ DLLs ] *****

***** [ Shortcuts ] *****

***** [ Scheduled tasks ] *****

***** [ Registry ] *****

[-] Key Deleted : HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES\26D9E607FFF0C58C7844B47FF8B6E079E5A2220E
[-] Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E1527582-8509-4011-B922-29E3FB548882}_is1
[-] Data Restored : HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{0435A820-C65F-448A-B282-B0BA9396FFE5} [NameServer]
[-] Data Restored : HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{33E343A9-2349-4E23-A09E-3CFCC72E4B5C} [NameServer]
[-] Data Restored : HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{372276FC-17CB-4C37-A9D4-87B5D95C0E23} [NameServer]
[-] Data Restored : HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{8468D42A-356C-4032-B246-9C28206ADDB0} [NameServer]
[-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\bestpriceninja.com
[-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\nps.pastaleads.com
[-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\pastaleads.com
[-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\pstatic.bestpriceninja.com

***** [ Web browsers ] *****

[-] [C:\Users\Louis\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] [startup_URLs] Deleted : hxxp://searchinterneat-a.akamaihd.net/h?eq=U0EeCFZVBB8SRggSJQkPVw1JRBhFJFgPTA1AR1MOeAAOWBRDFgwUIQhbUQEUQwEFIk0FA1oDB0VXfV5bFElXTwhqNEpqBEoETUFQCExa

*************************

:: "Tracing" keys removed
:: Winsock settings cleared

*************************

C:\Program Files (x86)\AdwCleaner\AdwCleaner[C1].txt - [6116 bytes] - [16/03/2016 12:46:18]
C:\Program Files (x86)\AdwCleaner\AdwCleaner[s1].txt - [6027 bytes] - [16/03/2016 12:43:24]

########## EOF - C:\Program Files (x86)\AdwCleaner\AdwCleaner[C1].txt - [6302 bytes] ##########
louisng114 Posted March 16, 2016

For some reason, after cleaning the computer, I am not able to post comments on YouTube as the comment box does not expand upon clicking, even though the cursor still turns into a finger when hovering over the box.

EDIT: the problem is gone after I reset my browser settings a second time.
GuiltySpark Posted March 16, 2016

Try a different browser as it may be an issue with IE.

You should also do a clean up with CCleaner free version
https://www.piriform.com/ccleaner/download

You may also want to run Farbar Scan & Recovery tool
http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/
Select Scan and post the txt log back here (if you wish).
GuiltySpark Posted April 1, 2016

Closed due to lack of response.