Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Still getting popups Win8.1 after format can't stop scratchi

by Plasbot » May 24th, 2014, 2:19 am

So this is very long; if you don't want to hear this sad man's story, don't read it. I just need to tell my story before the men in white suits come and get me.

I'm going crazy. Spent 2 full days on this now.
Not sure how much more I can take...
I think my daughter must have gotten on the pc at some point before screensaver logged me off and went about her business online.
Their accounts are not admin.
I was relying on MS security essentials on one pc she may have used and 2 others she didn't, avast on 2 others 1 she may have used.
So she could have touched 2 on my login, only 1 has Avast on it. I have 5 in all and all seem to be getting popups.
The popups are for adcash.net, jdjzz.playnow.dollfield.eu, onclickads.net, appimat.com, geolocations.net, maybe some others I haven't taken note of.
Some of the pages go straight and download a file immediately without prompting. This file was detected by Kaspersky and later Avast, but as far as I know was never executed.
Attached a pic of the dollfield page.
In my usual haphazard not taking any notes fashion I threw everything I could think of at the problem.
Trusty Malwarebytes scan was negative.
Avast scan negative, superantispyware negative, spybot negative, kaspersky rootkit scan negative.
It was still happening so I downloaded YAC (yet another cleaner) and Hitman, both did nothing but detect a few false positives and Hitman flagged all YAC's signatures...
Still got popups.
Tried kaspersky rescue cd scan and that was the first time I remember something detecting that executable named 'flashplayer.exe'. As I said I wasn't paying attention earlier.
Rebooted. Now I was looking for trouble. Went on bing and clicked on the news links, clicking clicking any link that wasn't clearly an ad, stuff like the 'Contact' links and About us etc...
Popups. All browsers, wtf.
I figured ok, it must be a damn extension propagating through firefox/chrome sync and maybe via Win 8.1 settings sync. I had already gone through disabling all addons/extensions/plugins. YAC said 'Java SSV' looked suspicious so I deleted that one along with some others.
Still popups.
Ok to heck with it I put in the Windows install cd, formatted the drive and reinstalled fresh.
From this point on making a point to NOT sync any settings through chrome or firefox. Went looking for trouble again on bing/msn.
Still popups by golly.
Reinstall Windows 8.1, logon with my hotmail as it advises, didn't allow it to restore settings from another pc as I had previously.
Popups.
Nuke time. Used Samsung 'secure erase' cd to erase the ssd since Hiren boot cd utility couldn't detect it for some reason.
On reinstall I unplugged the network cable and did not use my hotmail to create account.
Did NOT install chrome, firefox, or anything, just right out the door got on IE looking for trouble. All seemed to be fine but I had been fooled before.
I wasn't getting popups on all sites as I seemed to remember, can I remember? Not really, not the before-time. But still popups every once in awhile.
Maybe it's just certain sites? This site in particular was reliably a popupper: canadajournal.net/entertainment/mos-def-barred-from-returning-to-us-cancels-tour-8580-2014
If you click on the center pic of mos def behind bars a popup every time.
It just must be some sites no way anything could have stuck around I had erased the boot sector and disconnected all other drives, during the install it was just the cd, ssd, and me.
Things seemed to be ok, must have been my imagination silly me, went ahead and connected account to my hotmail login and starting installing apps and so forth.
First thing I installed was avast and malwarebytes, did a scan, nada. Good to go. I installed chrome and firefox, being vewy careful this time disabled java in chrome and IE, and first off installed Web Of Trust and enabled that and the Avast addon/extensions.
But I couldn't leave well enough alone went looking for trouble again. avast/wot/java disable successfully blocking the ad site popups from loading, but the canadajournal site still giving me the popup hmmm.
It's just that site, can't be me.
Went to install my trusty roboform and clicked the download link on the roboform site (not the cnet, direct from roboform). ADCASH.NET .... GETLOCATION.NET ... WHY GOD WHY?
No way Siber Systems site would have a friggin ad script in their site right?
WHERE IS THIS SCRIPT COMING FROM I STILL HAVEN'T SYNCED MY FIREFOX/CHROME SETTINGS AND NOT INSTALLED ANY ADDONS??? I did use Ninite to batch-install the usual bunch, foxit, filezilla, etc...
So now I'm just loving life and I guess I don't care anymore HAHA I might as well go LICK A DoOrKnOb aT A CoMmUnItY CeNtEr and order up A LiFETIME sUpPlY Of VAlTREX froM An ONlInE PhArMaCy.
Silly script how did you get there? Why do you keep coming back do you love me?
Mesmerized at the roboform site I start examining every bit of html and do you know what? I went to the debug window and found this little gem:

Code:
                    'adcash': function() {
                        var adcash = document.createElement('script');
                        adcash.type = 'text/javascript';
                        adcash.src = 'http://www.adcash.com/script/java.php?option=rotateur&r=274944';
                        document.body.appendChild(adcash);
                    },
                    '1896743': function() {
                        exoUrl =  'http://geolocations.net';
                        cookieName = 'splashWeb-896743';
                        exopop.init();


So how did it get there? IS IT JUST THe Sites? The bad lazy Sites that didn't update their Apache or something? Or did it get appended/injected by some Greasemonkey-like malware thing? Because I know these addons they revise the page and add their little functions and you have no clue is it there? Is it not there? My imagination? Am I just crazy?

How can I know where that friggin bit of script is coming from? Me or the site? I would get on another pc to check but ALL 5 PC'S IN THE HOUSE SEEM TO BE DOING IT.
I would go order 5 textbooks and read up until I knew enough to make my own web browser that would just tell you whether it was the site or it was you. And it would take all the addons/extensions/plugins/ and handy sync things it could find down to the basement and drown them in an iron washtub, but I have to work and stuff.

Thank you for listening.
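Added example, not part of the original thread: one way to approach the "me or the site?" question from the post above is to save the same page twice, once over a path that bypasses the home network (assumed here: a phone's mobile connection) and once through it, and list the script hosts that appear only in the second copy. The sample pages and the cdn.example name are constructed; the two ad URLs are the ones quoted in the post.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

URL_RE = re.compile(r"""https?://[^\s'"<>)]+""")

class ScriptHosts(HTMLParser):
    """Collect hosts from <script src=...> and from URL literals in inline scripts."""
    def __init__(self):
        super().__init__()
        self.hosts = set()
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            self._add(dict(attrs).get("src") or "")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Inline code such as createElement('script') only shows its target as a string.
        if self._in_script:
            for url in URL_RE.findall(data):
                self._add(url)

    def _add(self, url):
        host = urlparse(url).hostname  # None for relative paths like /js/app.js
        if host:
            self.hosts.add(host.lower())

def script_hosts(html):
    parser = ScriptHosts()
    parser.feed(html)
    parser.close()
    return parser.hosts

def injected_hosts(trusted_html, suspect_html):
    """Script hosts present only in the copy fetched through the suspect network."""
    return sorted(script_hosts(suspect_html) - script_hosts(trusted_html))

# Constructed samples: same page saved over a trusted path and over the suspect network.
TRUSTED = ('<html><body><script src="/js/app.js"></script>'
           '<script src="https://cdn.example/lib.js"></script></body></html>')
SUSPECT = TRUSTED.replace("</body>", """<script>
var adcash = document.createElement('script');
adcash.src = 'http://www.adcash.com/script/java.php?option=rotateur&r=274944';
exoUrl = 'http://geolocations.net';
</script></body>""")

if __name__ == "__main__":
    print(injected_hosts(TRUSTED, SUSPECT))
```

Sites that rotate ad networks can differ between loads on their own, so hosts reported here are a lead to check against the router's DNS and admin settings, not proof by themselves.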

Re: Still getting popups Win8.1 after format can't stop scra

by Plasbot » May 25th, 2014, 1:56 am

NEVER MIND.
I had nuked the SSD again and was in the process of methodically installing one app at a time to figure out which one it was.
My son came over and asked if I could open a port for him on the router. I gave an exhausted sigh and told him maybe tomorrow, that was last night around 2am.
Today after more struggling he came up and asked again. Went to logon to the router and my password didn't work.
Tried the default password, tried old password, checked the caps lock, tried on another pc, couldn't log in.

My router had been hacked. This would explain all the negative scans, the continued popups even after nuking, popups after disabling all addons.
Oh lord.
Reset to factory default and spent all today setting all the options.
Went on the web looking for trouble, no popups.
Now I can click on Mos Def's picture on canadajournal.com and no popup.
No popup on Roboform site.

Huzzah!

However at some point, I think after I uninstalled YAC it set my homepages to trovi.com, sigh. Or was it when I updated to the new version of Avast???
Trust no one.

Re: Still getting popups Win8.1 after format can't stop scra

by Wingman » June 1st, 2014, 1:34 pm

As your problems appear to have been resolved, this topic is now closed.

We are pleased we could help you resolve your computer's issues.

If you would like to make a comment or leave a compliment regarding the help you have received, please see Feedback for Our Helpers - Say "Thanks" Here.