Pesky Ad Bug - Need Assistance Killing It!

KTreu42

Honorable
Apr 13, 2012
14
0
10,560
Hey folks, so after I've exhausted myself on any tech-related issue I always turn here and I'm never let down. So, here's what I've got...

First off for the record, I use Chrome, and I have not tested other browsers to see if the issue occurs there.

I have some sort of malware that I cannot stamp out. It is a redirecting/ad popup. After I click a link, or sometimes just click somewhere on a page, the page redirects momentarily to a blank page with the tab title "sup," and then after a moment redirects to a number of various spam websites. I apologize that I don't have any screenshots to show, but I figured it would be out there. I did lots of googling, and when I found some info on "suptab" it didn't quite seem to be what my issue is.

I've run Malwarebytes A-M many times, I've run AVG scans, and also Kaspersky antivirus. There are no visible Chrome extensions causing it, and I've fully reinstalled Chrome since the problem. Nothing has resolved the issue.

The issue MAY have begun when I copied over old files from a laptop hard drive (the last issue I was on these forums for, ironically). However, I didn't copy any system files over, and I wiped that hard drive once I had everything I needed from it. But that's just a possible issue I wanted to note.

Does anyone have ideas on what I can do next? If it would be helpful for me to run any specific diagnostics and copy the results here, I can do that.

Thanks all!
 

ingtar33

Honorable
Dec 17, 2012
249
0
10,910
Try adwcleaner; download it from bleepingcomputers.com. If that doesn't work you can also try roguekiller, but usually adwcleaner will get those. Also, check your program file list to make sure your bug isn't installed as a "legit" program, and check your Internet Options in your Control Panel to make sure you're not set to use some shady malware proxy to connect to the internet. Some adware works that way too.
 
Solution
It may be a trojan/adware. First try opening msconfig, look at the Startup tab, and look for any toolbars, anti-spyware or search bars. Turn everything off but anti-virus and malware. Then look at Add/Remove Programs for any new program you don't know about that was installed about the time the issue started. From another PC, download Hitman Pro and Avast or another rescue ISO disk and make a boot CD or USB stick. With Hitman Pro, boot into safe mode and then run it and your anti-virus to see if it picks up any hidden trojan. If your profile file is infected in Chrome you won't be able to clean it unless you delete the Chrome folder and your profile folder and start fresh. If you don't, and you get your old tabs and stuff back, then you did not clean out Chrome. You may have to use a third-party tool to remove all of Chrome.
 

Lutfij

Splendid
Moderator
The issue MAY have begun when I copied over old files from a laptop hard drive (the last issue I was on these forums for, ironically). However, I didn't copy any system files over, and I wiped that hard drive once I had everything I needed from it. But that's just a possible issue I wanted to note.
Is it possible to divulge what sort of files you tried copying over from your old laptop?

Would you mind saying that again?!
Adblock Plus is the most popular browser extension available for Mozilla Firefox, Google Chrome, Opera and Android. Its primary purpose is to remove all intrusive advertisements from your browsing experience: YouTube video ads, Facebook ads, banners, pop-ups, pop-unders, background ads etc.
courtesy of Google search

...and you're suggesting he/she disable it? :lol:
 

KTreu42



Heh, I think they meant to be sure to use Adblock Plus (I use Adblock already), and look to see if there are unauthorized extensions causing the issue (though I also mentioned that I checked that already).

As for file types from the laptop, it was mostly documents, videos, and pictures. I used the laptop primarily during a study abroad trip to Australia and wanted to save stuff from that.

I'll try that adwcleaner and see if that picks up anything.
 

Lutfij

I've been using Adblock Plus for a while and they are very good at blocking ads from neverland.

Are you sure the files you transferred weren't infected to begin with...? :)

* Unless you tried moving the roaming data files (which are quintessential for Chrome to function and tend to retain your bookmarks), you're probably seeing the pop-up windows due to adware, i.e. if all you did was copy the My Documents folder and not the user folder.
 

KTreu42

I ran adwcleaner, and here's what it managed (I redacted my name from some folder names):

***** [ Services ] *****

Service Deleted : vToolbarUpdater3.2.0

***** [ Files / Folders ] *****

Folder Deleted : C:\ProgramData\AVG Secure Search
Folder Deleted : C:\ProgramData\AVG Security Toolbar
Folder Deleted : C:\ProgramData\NCH Software
Folder Deleted : C:\ProgramData\ParetoLogic
Folder Deleted : C:\ProgramData\DealaEEXpreSs
Folder Deleted : C:\ProgramData\FunDEals
Folder Deleted : C:\ProgramData\SohopDrop
Folder Deleted : C:\ProgramData\1b1a3a4b0dee5d1a
[!] Folder Deleted : C:\Program Files (x86)\GS_x64.Enabler
Folder Deleted : C:\Program Files (x86)\NCH Software
Folder Deleted : C:\Program Files (x86)\Common Files\AVG Secure Search
Folder Deleted : C:\Users\<MyName>\AppData\LocalLow\HPAppData
Folder Deleted : C:\Users\<MyName>\AppData\Roaming\DriverCure
Folder Deleted : C:\Users\<MyName>\AppData\Roaming\NCH Software
Folder Deleted : C:\Users\<MyName>\AppData\Roaming\ParetoLogic
File Deleted : C:\Users\<MyName>\AppData\Roaming\regsvr32.exe_log.txt

***** [ Scheduled Tasks ] *****

Task Deleted : YourFile DownloaderUpdate

***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKCU\Software\Microsoft\Internet Explorer\DOMStorage\www.superfish.com
Key Deleted : HKLM\SOFTWARE\Classes\AppID\ViProtocol.DLL
Key Deleted : HKLM\SOFTWARE\Classes\protocols\handler\viprotocol
Key Deleted : HKLM\SOFTWARE\Classes\ScriptHelper.ScriptHelperApi
Key Deleted : HKLM\SOFTWARE\Classes\ScriptHelper.ScriptHelperApi.1
Key Deleted : HKLM\SOFTWARE\Classes\ViProtocol.ViProtocolOLE
Key Deleted : HKLM\SOFTWARE\Classes\ViProtocol.ViProtocolOLE.1
Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [vProt]
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{EC068F00-599F-4F6E-96CD-41C3884E5D2C}
Key Deleted : HKCU\Software\ParetoLogic
Key Deleted : HKCU\Software\AppDataLow\Software\adawarebp
Key Deleted : HKLM\SOFTWARE\AVG SafeGuard toolbar
Key Deleted : HKLM\SOFTWARE\ParetoLogic

***** [ Browsers ] *****

-\\ Internet Explorer v11.0.9600.17496


-\\ Google Chrome v37.0.2062.94

[C:\Users\<MyName>\AppData\Local\Google\Chrome\User Data\Default\preferences] - Deleted [Startup_URLs] : hxxp://search.gboxapp.com/

-\\ Chromium v"
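
When popups return after a cleanup, as they do later in this thread, the log is worth re-reading for the entries that start something automatically. The sketch below is an added example, not part of any post and not AdwCleaner's own code: it parses the log layout shown above and lists services, scheduled tasks, Run values and browser startup URLs. The function names and the choice of what counts as persistence are assumptions.

```python
import re
from collections import defaultdict

# Excerpt of the log posted above, shortened; layout unchanged.
SAMPLE_LOG = r"""
***** [ Services ] *****
Service Deleted : vToolbarUpdater3.2.0
***** [ Files / Folders ] *****
Folder Deleted : C:\ProgramData\AVG Secure Search
[!] Folder Deleted : C:\Program Files (x86)\GS_x64.Enabler
***** [ Scheduled Tasks ] *****
Task Deleted : YourFile DownloaderUpdate
***** [ Registry ] *****
Key Deleted : HKCU\Software\ParetoLogic
Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [vProt]
***** [ Browsers ] *****
-\\ Google Chrome v37.0.2062.94
[C:\Users\<MyName>\AppData\Local\Google\Chrome\User Data\Default\preferences] - Deleted [Startup_URLs] : hxxp://search.gboxapp.com/
"""

SECTION = re.compile(r"^\*{5} \[ (.+?) \] \*{5}$")
ENTRY = re.compile(r"^(?:\[!\] )?(Service|Folder|File|Task|Key|Value) Deleted : (.+)$")
BROWSER = re.compile(r"^\[(.+?)\] - Deleted \[(.+?)\] : (.+)$")

def parse(log):
    """Return {section name: [(kind, target), ...]} for every 'Deleted' entry."""
    sections, current = defaultdict(list), None
    for line in map(str.strip, log.splitlines()):
        if m := SECTION.match(line):
            current = m.group(1)
        elif m := ENTRY.match(line):
            sections[current].append((m.group(1), m.group(2)))
        elif m := BROWSER.match(line):  # [prefs file] - Deleted [setting] : value
            sections[current].append((m.group(2), m.group(3)))
    return dict(sections)

def persistence(sections):
    """Entries that launch code or pages automatically; re-check these first."""
    hits = [("service", t) for _, t in sections.get("Services", [])]
    hits += [("scheduled task", t) for _, t in sections.get("Scheduled Tasks", [])]
    hits += [("autorun value", t) for _, t in sections.get("Registry", [])
             if re.search(r"\\CurrentVersion\\Run(Once)?\b", t, re.I)]
    hits += [("browser startup URL", t) for k, t in sections.get("Browsers", [])
             if k.lower() == "startup_urls"]
    return hits

if __name__ == "__main__":
    for kind, target in persistence(parse(SAMPLE_LOG)):
        print(f"{kind:20} {target}")
```

Folder and plain key deletions are left out of the persistence list on purpose: they are leftovers, while the four listed kinds are what would bring the adware back after a reboot or browser restart.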
 

ingtar33



Most adware triggers at shopping sites or when you search for products you can buy. Try going to some sites like Amazon or eBay, search a product or two through Google... if no popups come up you're probably clean.


 

KTreu42



That sounds accurate. And thus far I can say I have not seen the popup, so *knock on wood* we may be in the clear!

Thanks everyone, if anything shows up I'll try some other suggestions but for now I think we can say it's resolved :)
 

KTreu42

Hey gang,

So today I ran into another annoying popup after thinking the issue was resolved. One of those big long Chrome notifications that keeps reappearing forcing you to restart the whole browser. I have a screenshot but I don't see any image upload options.

Looks like adwcleaner didn't finish the job like I thought it did. So what next?
 

KTreu42

I've gotten like 8 popups since my last post - they just came back out of nowhere with a vengeance. Mostly on Amazon, but even clicking the link in my email to come to this site I got one. They are all a little different, but generally they are of the "you're infected, call this number and give us all your money" variety.

dxcknr.jpg
 

KTreu42

Thanks for the display. The full OS install sounds like a huge pain. It seems like such a silly thing as some popups would not be that hard to get rid of. I'm currently running 2 full scans, and I'll run adwcleaner once again. There has to be something I'm missing...
 

Lutfij

You're welcome :)

You brought over files that might've introduced bloatware.

In terms of Windows, the easiest solution is to perform a clean install unless you know exactly what file(s) you introduced to create the issue. Given you've spent a week frustrated and confused looking for a solution, and this has taken up some time on your end, I'm suggesting a clean start; otherwise the scanning and troubleshooting will take a couple more days :/