Need Help w/Browser Ad Problem

SOHOtechRob

Situation:
Customer and his wife each have laptops. One is Win7, the other Win8 (maybe 8.1, didn't check).

Symptoms:
When using IE or Chrome (the only browsers installed), getting pop-under and other additional tab ads/scary notices about video player not being compatible, need to update this or that or sometimes just a blatant garbage site like $lutroulette. Wife accesses her AOL.com email account from both laptop and iPhone.

Unsuccessful Efforts:
On both machines customer already has MBAM premium which scanned and found nothing. On both machines, customer already has SuperAntiSpyware which has scanned and found nothing. On both machines, in a combination of SAFE and NORMAL modes, I have run ComboFix, CCleaner, TDSS Killer, ADW Cleaner, RevoUninstaller (to remove obvious junk), System Ninja and RogueKiller. Either no items found or minor items found which I removed. No extensions/add-ons are in the browsers besides Norton 360. I disabled a few suspicious scheduled tasks. But the problem persists when performing a Google search or just entering data on web sites (like entering travel dates on Kayak.com).

Compounding Problem:
Wife uses Safari on her iPhone and performing a browse causes a warning prompt to appear that something is out of date and she needs to update. This looks like a typical fake warning that would appear on a computer browser, but this is on her iPhone.

I'm at a loss here. Not only is the problem software not showing up on these scanner/cleaner tools, but it's on both systems AND her iPhone. I don't trust a System Restore since I don't know how long this problem has been present. At this point, my only safe suggestion is to back up data, note installed software so they can gather installation media/keys, and then perform a full pave nuke.

Does anybody have any suggestions???

Many thanks!

Update: Thanks to trevm999. It was indeed malicious DNS entries on the router. I set to Google and now husband and wife are all good!
 
If it was ME, I'd enable administrator account, reboot in safe mode using administrator account, still run something like killemall/rkill/whatever nick's new dWhatever that kills processes is called. Then check scheduled tasks, clear gpo's, run TFC, then run mbar/bitdefender antirootkit/rogue killer/jrt/adwcleaner in that order, and maybe MAYBE finish with MBAM but it's been nearly useless for me since the new version.
 
Are you talking about (simple) browser redirects? Do a google for browser redirects chrome & IE, and you will see how to remove them. Not sure about the pop unders, but I'd start w/ the redirects first.

Also, you could create a new profile and see if it happens there.
 
> If it was ME, I'd enable administrator account, reboot in safe mode using administrator account, still run something like killemall/rkill/whatever nick's new dWhatever that kills processes is called. Then check scheduled tasks, clear gpo's, run TFC, then run mbar/bitdefender antirootkit/rogue killer/jrt/adwcleaner in that order, and maybe MAYBE finish with MBAM but it's been nearly useless for me since the new version.

I've tried most of those, in both safe and normal modes. I haven't tried d7ii nor the rootkit tools. TDSS scanned and found nothing.
 
> Are you talking about (simple) browser redirects? Do a google for browser redirects chrome & IE, and you will see how to remove them. Not sure about the pop unders, but I'd start w/ the redirects first.
>
> Also, you could create a new profile and see if it happens there.

They're not redirects. They're pop-under/over/new tabs. I can try creating a new user profile. Thanks.
 
Check proxy and hosts? And...if you ran just about anything after the system was fully on and active processes weren't terminated, then whatever is there can already have cloaked/gone memory resident/moved.

There's a somewhat new breed of nastyware that's using system-established GPO's to do its thing, and they can be...problematic...to remove.
 
> Check proxy and hosts? And...if you ran just about anything after the system was fully on and active processes weren't terminated, then whatever is there can already have cloaked/gone memory resident/moved.
>
> There's a somewhat new breed of nastyware that's using system-established GPO's to do its thing, and they can be...problematic...to remove.

Yes, forgot to mention that I already checked proxy settings for IE: none present.
 
Something else to try if you haven't already is HitmanPro, also the browser add-ons hmpalert25 and Malwarebytes Anti-Exploit.
 
If it's coming up on her iPhone as well, check the router. Infections on a PC wouldn't be affecting another device.
As far as the PC goes, check the actual shortcuts used to launch them.
 
> When using IE or Chrome (the only browsers installed), getting pop-under and other additional tab ads/scary notices about video player not being compatible, need to update this or that or sometimes just a blatant garbage site like $lutroulette.

So additional tabs are opening when you launch IE? Did you check Tools, Internet Options, General tab "Home Page": are there links to multiple sites listed? Did you try resetting the browser settings back to default?
 
> If it's coming up on her iPhone as well, check the router. Infections on a PC wouldn't be affecting another device.
> As far as the PC goes, check the actual shortcuts used to launch them.

^^^ This
Sounds like something has set some nasty DNS servers or futzed with some other settings in the router.
 
I saw this yesterday. The Windows network proxy settings had been set to point to a weird port on localhost. I switched off the proxy setting and the internet started working normally again, but I got the phone call not much later that it was playing up again. The customer has evidently picked up a virus that has installed a service and set the network proxy settings to direct all internet traffic through that service.

Hmmm, it could be the anti-virus whose name escapes me, not one I come across every day. Does anyone know of an anti-virus that does this kind of thing?
 
Check DNS settings on router, if nothing found, swap router and test.

Ding ding ding, this was it! Thank you so much. Their router had 107.170.189.30 and 104.131.182.211 as DNS servers, so all the clients on the network were getting these. The computers were actually clean, it was the router which was the culprit. I set to Google DNS and the client is all good now.
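An added example, not code from this thread or any of its posters: a small Python audit of the two settings the replies point at, the DNS servers a client receives and the Windows proxy setting. The `ipconfig /all` sample is constructed (it carries the two resolver addresses reported above) and the trusted-resolver list is an assumption; in practice you would feed in real `ipconfig /all` output and the ProxyEnable/ProxyServer values from HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings.

```python
import ipaddress
import re

# Trusted resolvers for this check (Google DNS, which the thread set the router to);
# add the ISP's resolvers here. Anything else that is not on the LAN is flagged.
TRUSTED_RESOLVERS = {"8.8.8.8", "8.8.4.4"}

# Constructed sample of `ipconfig /all` output for one adapter; the two DNS
# addresses are the ones the thread reports finding on the customer's router.
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:

   DHCP Enabled. . . . . . . . . . . : Yes
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 107.170.189.30
                                       104.131.182.211
"""

def parse_dns_servers(ipconfig_text):
    """DNS servers from `ipconfig /all` text: the 'DNS Servers' value plus
    the deeply indented continuation lines that follow it."""
    servers, collecting = [], False
    for line in ipconfig_text.splitlines():
        first = re.match(r"\s*DNS Servers[ .]*: (\S+)", line)
        cont = re.match(r"\s{20,}(\S+)$", line)
        if first:
            servers.append(first.group(1))
            collecting = True
        elif collecting and cont:
            servers.append(cont.group(1))
        else:
            collecting = False
    return servers

def audit_dns(servers, trusted=TRUSTED_RESOLVERS):
    """Flag resolvers that are neither trusted nor on a private (LAN) range:
    clients normally get the router itself or the ISP's resolvers."""
    return [f"untrusted DNS server {s}" for s in servers
            if s not in trusted and not ipaddress.ip_address(s).is_private]

def audit_proxy(proxy_enable, proxy_server):
    """Flag an enabled proxy pointing at the local machine (the 'weird port on
    localhost' symptom); proxy_server is the registry-style value, e.g.
    '127.0.0.1:49152' (constructed port) or 'http=127.0.0.1:49152;https=...'."""
    if not proxy_enable or not proxy_server:
        return []
    hosts = [e.split("=")[-1].rsplit(":", 1)[0] for e in proxy_server.split(";")]
    if any(h in ("localhost", "127.0.0.1", "[::1]") for h in hosts):
        return [f"proxy points at local host: {proxy_server}"]
    return []
```

A finding from `audit_dns` on a DHCP client means the router (or whatever hands out DHCP) is the thing to inspect, exactly as the thread concluded.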
 