I'm going crazy. Spent 2 full days on this now.
Not sure how much more i can take...
I think my daughter must have gotten on the pc at some point before screensaver logged me off and went about her business online.
Their accounts are not admin.
I was relying on MS security essentials on one pc she may have used and 2 others she didn't, avast on 2 others 1 she may have used.
So she could have touched 2 on my login, only 1 has Avast on it. I have 5 in all and all seem to be getting popups.
The popups are for adcash.net, jdjzz.playnow.dollfield.eu, onclickads.net, appimat.com, geolocations.net, maybe some others I haven't taken note of.
Some of the pages go straight and download a file immediately without prompting. This file was detected by kaspersky and later avast, but as far as i know was never executed.
Attached a pic of the dollfield page.
In my usual haphazard not taking any notes fashion I threw everything I could think of at the problem.
Trusty Malwarebytes scan was negative.
Avast scan negative, superantispyware negative, spybot negative, kaspersky rootkit scan negative.
It was still happening so I downloaded YAC (yet another cleaner) and Hitman, both did nothing but detect a few false positives and Hitman flagged all YAC's signatures...
Still got popups.
Tried kaspersky rescue cd scan and that was the first time I remember something detecting that executable named 'flashplayer.exe'. As I said I wasn't paying attention earlier.
Rebooted. Now I was looking for trouble. Went on bing and clicked on the news links, clicking clicking any link that wasn't clearly an ad, stuff like the 'Contact' links and About us etc...
Popups. All browsers, wtf.
I figured ok, it must be a damn extension propagating through firefox/chrome sync and maybe via Win 8.1 settings sync. I had already gone through disabling all addons/extensions/plugins. YAC said 'Java SSV' looked suspicious so I deleted that one along with some others.
Still popups.
Ok to heck with it I put in the Windows install cd, formatted the drive and reinstalled fresh.
From this point on making a point to NOT sync any settings through chrome or firefox. Went looking for trouble again on bing/msn.
Still popups by golly.
Reinstall Windows 8.1, logon with my hotmail as it advises, didn't allow it to restore settings from another pc as I had previously.
Popups.
Nuke time. Used Samsung 'secure erase' cd to erase the ssd since Hiren boot cd utility couldn't detect it for some reason.
On reinstall I unplugged the network cable and did not use my hotmail to create account.
Did NOT install chrome, firefox, or anything, just right out the door got on IE looking for trouble. All seemed to be fine but I had been fooled before.
I wasn't getting popups on all sites as I seemed to remember, can I remember? Not really, not the before-time. But still popups every once in awhile.
Maybe it's just certain sites? This site in particular was reliably a popupper, canadajournal.net/entertainment/mos-def-barred-from-returning-to-us-cancels-tour-8580-2014'
If you click on the center pic of mos def behind bars a popup every time.
It just must be some sites no way anything could have stuck around I had erased the boot sector and disconnected all other drives, during the install it was just the cd, ssd, and me.
Things seemed to be ok, must have been my imagination silly me, went ahead and connected account to my hotmail login and starting installing apps and so forth.
First thing I installed was avast and malwarebytes, did a scan, nada. Good to go. I installed chrome and firefox, being vewy careful this time disabled java in chrome and IE, and first off installed Web Of Trust and enabled that and the Avast addon/extensions.
But I couldn't leave well enough alone went looking for trouble again. avast/wot/java disable successfully blocking the ad site popups from loading, but the canadajournal site still giving me the popup hmmm.
It's just that site, can't be me.
Went to install my trusty roboform and clicked the download link on the roboform site (not the cnet, direct from roboform). ADCASH.NET .... GETLOCATION.NET ... WHY GOD WHY?
No way Siber Systems site would have a friggin ad script in their site right?
WHERE IS THIS SCRIPT COMING FROM I STILL HAVEN'T SYNCED MY FIREFOX/CHROME SETTINGS AND NOT INSTALLED ANY ADDONS??? I did use Ninite to batch-install the usual bunch, foxit, filezilla, etc...
So now I'm just loving life and I guess I don't care anymore HAHA I might as well go LICK A DoOrKnOb aT A CoMmUnItY CeNtEr and order up A LiFETIME sUpPlY Of VAlTREX froM An ONlInE PhArMaCy.
Silly script how did you get there? Why do you keep coming back do you love me?
Mezmerized at the roboform site I start examining every bit of html and do you know what? I went to the debug window and found this little gem:
- Code: Select all
'adcash': function() { var adcash = document.createElement('script'); adcash.type = 'text/javascript'; adcash.src = 'http://www.adcash.com/script/java.php?option=rotateur&r=274944'; document.body.appendChild(adcash); }, '1896743': function() { exoUrl = 'http://geolocations.net'; cookieName = 'splashWeb-896743'; exopop.init();
So how did it get there? IS IT JUST THe Sites? The bad lazy Sites that didn't update their Apache or something? Or did it get appended/injected by some Greasemonkey-like malware thing? Because I know these addons they revise the page and add their little functions and you have no clue is it there? Is it not there? My imagination? Am I just crazy?
How can I know where that friggin bit of script is coming from? Me or the site? I would get on another pc to check but ALL 5 PC'S IN THE HOUSE SEEM TO BE DOING IT.
I would go order 5 textbooks and read up until I knew enough to make my own web browser that would just tell you whether it was the site or it was you. And it would take all the addons/extensions/plugins/ and handy sync things it could find down to the basement and drown them in an iron washtub, but I have to work and stuff.
Thank you for listening.