Is this adware/malware?

[kyrcy]

When visiting a specific website with internet explorer (any version) a second website tries to open with a link something like this (I suggest you do not try to open):

http://ams1-ib.adnxs.com/it?e=wqT_3QLeBPBEXgIAAAMA1gAFAQi-1O68BRCSpu2G2JfahgoYh_KvvpyM...TYABo0J0VePrtA

I have blocked the above website as antivirus and adware/malware removal utilities do not detect anything suspicious.

The above link does not seem to open when using a different browser on the same website so it seems to be related to internet explorer only.

I have asked others using the specific website and they do not have this issue.

Can anyone offer any advice?

[hech54]

Just Google "ams1 popup", tons of info.

[kyrcy]

I have tried following the steps on some websites to remove this manually but I find nothing related to it.

[hech54]

I have tried following the steps on some websites to remove this manually but I find nothing related to it.

In 7 minutes?

[kyrcy]

No, I searched google before and found the information, searched hard disk, registry, internet explorer add-ons. Nothing suspicious found and still the links open.

[hech54]

No "one software" is going to get rid of that thing. Follow the procedures laid out in the instructions.
If the link keeps opening, it's(the infection, virus, malware, hijacker, etc etc) still there.

[kyrcy]

I find no traces of the infection by searching manually and every removal tool I tried did not find any trace either. Thinking about formattng and re-installing windows now.

[Cornucopia]

1. Backup your important data files (docs, pix, flix, tunes, ebooks, favorites/bookmarks, email...)
2. Try booting in safe mode with the various tools & methods.
3. If that doesn't work, boot from a different drive (CD/DVD live rescue disc, USB stick, external HDD/SSD...). If it never gets loaded into memory, it can be "active" and so becomes more visible & vulnerable. Then try using the various tools & methods.
4. If that doesn't work, THEN reformat & reinstall.

Scott

[october262]

When visiting a specific website with internet explorer (any version) a second website tries to open with a link something like this (I suggest you do not try to open):

http://ams1-ib.adnxs.com/it?e=wqT_3QLeBPBEXgIAAAMA1gAFAQi-1O68BRCSpu2G2JfahgoYh_KvvpyM...TYABo0J0VePrtA

I have blocked the above website as antivirus and adware/malware removal utilities do not detect anything suspicious.

The above link does not seem to open when using a different browser on the same website so it seems to be related to internet explorer only.

I have asked others using the specific website and they do not have this issue.

Can anyone offer any advice?

did you try clearing your Internet history & cookies ??

[kyrcy]

did you try clearing your Internet history & cookies ??

Yes.

[october262]

On your keyboard, press control - alt - delete and when task manager shows, click on
Processes tab, see if anything suspicious is running.

[johns0]

Also check internet explorer addons for any suspicious ones.

[aedipuss]

unfortunately even re-formatting isn't enough in some cases these days. there is malware that reprograms the hard drive’s firmware, creating hidden sectors on the drive that can only be accessed through a secret API (application programming interface). Once installed, the malware is impossible to remove: disk formatting and reinstalling the OS doesn’t affect it, and the hidden storage sector remains.

[kyrcy]

On your keyboard, press control - alt - delete and when task manager shows, click on
Processes tab, see if anything suspicious is running.

Nothing suspicious is running.

Also check internet explorer addons for any suspicious ones.

Already checked and no suspicious ones.

unfortunately even re-formatting isn't enough in some cases these days. there is malware that reprograms the hard drive’s firmware, creating hidden sectors on the drive that can only be accessed through a secret API (application programming interface). Once installed, the malware is impossible to remove: disk formatting and reinstalling the OS doesn’t affect it, and the hidden storage sector remains.

I did a new windows installation and I tried internet explorer without installing any updates (only Ethernet drivers) and the problem still insists. Could the infection be on the specific website and not on my PC?

[locotus]

Perhaps one these may get rid of your browserhacker: Adwcleaner, JRT(Junk Removal Tool) or the old Spybot Search and Destroy.

[kyrcy]

Perhaps one these may get rid of your browserhacker: Adwcleaner, JRT(Junk Removal Tool) or the old Spybot Search and Destroy.

Nothing suspicious is found.

[october262]

You could try this - https://youtu.be/9HgslhFDeeQ

[kyrcy]

You could try this - https://youtu.be/9HgslhFDeeQ

I try uninstalling and installing internet explorer with no luck.

[october262]

Does it do this on Firefox or Chrome ??
What version of Internet Explorer do you have ?

[aedipuss]

I did a new windows installation and I tried internet explorer without installing any updates (only Ethernet drivers) and the problem still insists. Could the infection be on the specific website and not on my PC?

sure of course a specific website can be infected themselves and host malware they try to install whenever someone visits. if it doesn't happen anywhere else that's what i would assume is going on.

[kyrcy]

Does it do this on Firefox or Chrome ??
What version of Internet Explorer do you have ?

The problem happens with a flash website and only with (all versions of) internet explorer.

[october262]

Does it do this on Firefox or Chrome ??
What version of Internet Explorer do you have ?

The problem happens with a flash website and only with (all versions of) internet explorer.

update your adobe flash player.

[kyrcy]

Does it do this on Firefox or Chrome ??
What version of Internet Explorer do you have ?

The problem happens with a flash website and only with (all versions of) internet explorer.

update your adobe flash player.

Did that too.

[october262]

Try running Internet Explorer in safe mode.

[kyrcy]

Try running Internet Explorer in safe mode.

I am unable to enter safe mode with networking or without. Windows reboot at safe mode login screen. Windows repair finds no problems. This seems to be an unrelated problem, but still a problem that needs to be solved.

[jollyjohn]

Reformat

[kyrcy]

This is a new windows installation and I spent days applying patches. The windows reboot at safe mode login screen seem to be a known issue (other posts exist about it) but I did not find a solution yet.

[ranchhand]

There is one program that you haven't used yet- Combofix. To be honest, I hesitate to recommend it, not because it is ineffective, but you really have to be careful because you can brick your operating system if you don't follow directions exactly. Been there, done that.
Rather than type lengthy instructions, I will post the instructions courtesy of Broni, an expert AV removal tech at Suggest-A-Fix. I will just add a couple of things that I have experienced (for emphasis).
> Once Combofix is running, do not move the mouse, touch the keyboard or stop it. It can stall, and that could cause damage to the OS.
> Disable any antivirus program or tool you might have running; if Combofix messages you that it detects a certain program is running and it will interfere, take it seriously. If you must, totally delete any program it messages you about. If you force it to run anyway, you can damage your OS or even brick it. I had that happen once.
> Combofix will appear like it is doing nothing sometimes; do not get impatient, it is working. This is not a fast fix, it takes time. Rather than sit and stare at it, go do something else and come back
I strongly suggest that you make an image backup of your partition before doing this; at least if disaster strikes you can re-image and be back to square one.

Ok, that being said, here is the post:

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
• Never rename Combofix unless instructed.
• Close any open browsers.
• Very Important! Temporarily disable your anti-virus and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
• Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
• Close any open browsers.
• WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
• Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
• If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
If the connection is not there use restore point you created prior to running Combofix.
• Double click on combofix.exe & follow the prompts.


NOTE1. If Combofix asks you to install Recovery Console, please allow it.
NOTE 2. If Combofix asks you to update the program, always do so.
• When finished, it will produce a report for you.

**Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
**Note 2 for AVG and CA Internet Security (Total Defense Internet Security) users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
Use AppRemover to uninstall it: http://www.appremover.com/
We can reinstall it when we're done with CF.
**Note 3: If you receive an error Illegal operation attempted on a registery key that has been marked for deletion, restart computer to fix the issue.
**Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.

Make sure, you re-enable your security programs, when you're done with Combofix.


NOTE.
If, for some reason, Combofix refuses to run, try the following...

Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
Do NOT run it yet.

Download Rkill (courtesy of BleepingComputer.com) to your desktop.
There are 2 different versions. If one of them won't run then download and try to run the other one.
You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

rKill.exe: http://www.bleepingc...ad/rkill/dl/10/
iExplore.exe (renamed rKill.exe): http://www.bleepingc...ad/rkill/dl/11/

Restart computer in safe mode
• Double-click on the Rkill desktop icon to run the tool.
• If using Windows Vista, 7 or 8 right-click on it and choose Run As Administrator.
• A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
• If not, delete the file, then download and use the one provided in Link 2.
• Do not reboot until instructed.

When the scan is done Notepad will open with rKill.txt log.
NOTE. rKill.txt log will also be present on your desktop.

Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

[kyrcy]

I tried Combofix but nothing was found.

[october262]

This is a new windows installation and I spent days applying patches. The windows reboot at safe mode login screen seem to be a known issue (other posts exist about it) but I did not find a solution yet.

Try this- turn off computer- unplug power cord - open computer
And remove the button cell battery on the motherboard and wait an hour, replace battery
and retry rebooting in safe mode.