Ad playing on browser startup

For the past few days I have had a problem when I start up my browser after putting my laptop into hibernation or restarting it.

When I open Chrome a video ad for Myspace opens. I have run Avast, Malwarebytes, and AdwCleaner, and while they found a few things and I fixed the issues, this problem still remains. I checked to make sure there were no programs that had been installed or anything like that. I have no clue what this is and my Google searches have turned up very little and I have no idea how to fix this issue. Any help would be greatly appreciated.

try this https://support.google.com/chrome/answer/3296214?hl=en

did it work?

if not, follow instructions here and attach (not copy and paste) OTL diagnostic log https://forum.avast.com/index.php?topic=53253.0

Monitoring…

I’ve restarted a couple of times and haven’t had the issue. Is it possible that the scans got rid of the issue and the browser setting just needed to be reset? I had a similar issue a while ago with Spigot and I had to reset my browser settings as well.

I’m going to keep an eye on the issue and if it persists I will run the OTL scan. Thanks for your help, I appreciate it.

Is it possible that the scans got rid of the issue and the browser setting just needed to be reset?
Yes, Chrome sometimes needs to be reset after removal.

The ad shows up again. I noticed that it pops up after the computer is hibernated or turned off for a long time. So when I wake up in the morning and open my laptop and boot Chrome this ad pops up. I believe it is also messing up my bookmarks. Twice all my bookmarks have disappeared since these ads have started popping up.

I just ran the OTL diagnostic and have attached the OTL log.

Your file is Chinese. Refer to this image and save it as ANSI

http://i.imgur.com/LhlCUFT.png

Make sure you use Save As to get that.

If you still can’t get it to work, run a fresh scan. Sounds like Blackbeard.

Edit: Compcav needs to teach me how to type: Fixed the spelling errors.

Okay I saved it again.

What is Blackbeard? Is it serious?

Blackbeard
http://blog.avast.com/2014/01/15/win3264blackbeard-pigeon-stealthiness-techniques-in-64-bit-windows-part-1/
https://blog.avast.com/2014/01/22/win3264blackbeard-pigeon-stealthiness-techniques-in-64-bit-windows-part-2/

Serious, kind of. It can be very stealthy. I saw… this


MOD - [2014/06/23 11:42:19 | 000,805,888 | ---- | M] () -- C:\Users\John\AppData\Local\Temp\_MEI48202\wx._gdi_.pyd
MOD - [2014/06/23 11:42:19 | 000,027,136 | ---- | M] () -- C:\Users\John\AppData\Local\Temp\_MEI48202\_multiprocessing.pyd
MOD - [2014/06/23 11:42:19 | 000,007,168 | ---- | M] () -- C:\Users\John\AppData\Local\Temp\_MEI48202\hashobjs_ext.pyd
MOD - [2014/06/23 11:42:18 | 001,160,704 | ---- | M] () -- C:\Users\John\AppData\Local\Temp\_MEI48202\_ssl.pyd
MOD - [2014/06/23 11:42:18 | 000,811,008 | ---- | M] () -- C:\Users\John\AppData\Local\Temp\_MEI48202\wx._windows_.pyd
MOD - [2014/06/23 11:42:18 | 000,713,216 | ---- | M] () -- C:\Users\John\AppData\Local\Temp\_MEI48202\_hashlib.pyd
MOD - [2014/06/23 11:42:18 | 000,110,080 | ---- | M] () -- C:\Users\John\AppData\Local\Temp\_MEI48202\PyWinTypes27.dll
MOD - [2014/06/23 11:42:18 | 000,070,656 | ---- | M] () -- C:\Users\John\AppData\Local\Temp\_MEI48202\wx._html2.pyd
MOD - [2014/06/23 11:42:18 | 000,025,600 | ---- | M] () -- C:\Users\John\AppData\Local\Temp\_MEI48202\win32pdh.pyd
MOD - [2014/06/23 11:42:18 | 000,024,064 | ---- | M] () -- C:\Users\John\AppData\Local\Temp\_MEI48202\win32pipe.pyd
MOD - [2014/06/23 11:42:17 | 001,062,400 | ---- | M] () -- C:\Users\John\AppData\Local\Temp\_MEI48202\wx._controls_.pyd
MOD - [2014/06/23 11:42:16 | 000,686,080 | ---- | M] () -- C:\Users\John\AppData\Local\Temp\_MEI48202\unicodedata.pyd
MOD - [2014/06/23 11:42:16 | 000,525,640 | ---- | M] () -- C:\Users\John\AppData\Local\Temp\_MEI48202\windows._lib_cacheinvalidation.pyd
MOD - [2014/06/23 11:42:16 | 000,167,936 | ---- | M] () -- C:\Users\John\AppData\Local\Temp\_MEI48202\win32gui.pyd
MOD - [2014/06/23 11:42:16 | 000,128,512 | ---- | M] () -- C:\Users\John\AppData\Local\Temp\_MEI48202\_elementtree.pyd
MOD - [2014/06/23 11:42:16 | 000,127,488 | ---- | M] () -- C:\Users\John\AppData\Local\Temp\_MEI48202\pyexpat.pyd
MOD - [2014/06/23 11:42:16 | 000,119,808 | ---- | M] () -- C:\Users\John\AppData\Local\Temp\_MEI48202\win32file.pyd
MOD - [2014/06/23 11:42:16 | 000,108,544 | ---- | M] () -- C:\Users\John\AppData\Local\Temp\_MEI48202\win32security.pyd
MOD - [2014/06/23 11:42:16 | 000,087,552 | ---- | M] () -- C:\Users\John\AppData\Local\Temp\_MEI48202\_ctypes.pyd
MOD - [2014/06/23 11:42:16 | 000,038,912 | ---- | M] () -- C:\Users\John\AppData\Local\Temp\_MEI48202\win32inet.pyd
MOD - [2014/06/23 11:42:16 | 000,018,432 | ---- | M] () -- C:\Users\John\AppData\Local\Temp\_MEI48202\win32event.pyd
MOD - [2014/06/23 11:42:16 | 000,017,408 | ---- | M] () -- C:\Users\John\AppData\Local\Temp\_MEI48202\win32profile.pyd
MOD - [2014/06/23 11:42:16 | 000,010,240 | ---- | M] () -- C:\Users\John\AppData\Local\Temp\_MEI48202\select.pyd
MOD - [2014/06/23 11:42:15 | 000,557,056 | ---- | M] () -- C:\Users\John\AppData\Local\Temp\_MEI48202\pysqlite2._sqlite.pyd
MOD - [2014/06/23 11:42:15 | 000,320,512 | ---- | M] () -- C:\Users\John\AppData\Local\Temp\_MEI48202\win32com.shell.shell.pyd
MOD - [2014/06/23 11:42:15 | 000,098,816 | ---- | M] () -- C:\Users\John\AppData\Local\Temp\_MEI48202\win32api.pyd
MOD - [2014/06/23 11:42:15 | 000,045,568 | ---- | M] () -- C:\Users\John\AppData\Local\Temp\_MEI48202\_socket.pyd
MOD - [2014/06/23 11:42:15 | 000,022,528 | ---- | M] () -- C:\Users\John\AppData\Local\Temp\_MEI48202\win32ts.pyd
MOD - [2014/06/23 11:42:14 | 001,175,040 | ---- | M] () -- C:\Users\John\AppData\Local\Temp\_MEI48202\wx._core_.pyd
MOD - [2014/06/23 11:42:14 | 000,364,544 | ---- | M] () -- C:\Users\John\AppData\Local\Temp\_MEI48202\pythoncom27.dll
MOD - [2014/06/23 11:42:13 | 000,735,232 | ---- | M] () -- C:\Users\John\AppData\Local\Temp\_MEI48202\wx._misc_.pyd
MOD - [2014/06/23 11:42:13 | 000,078,336 | ---- | M] () -- C:\Users\John\AppData\Local\Temp\_MEI48202\wx._animate.pyd
MOD - [2014/06/23 11:42:12 | 000,122,368 | ---- | M] () -- C:\Users\John\AppData\Local\Temp\_MEI48202\wx._wizard.pyd
MOD - [2014/06/23 11:42:12 | 000,011,264 | ---- | M] () -- C:\Users\John\AppData\Local\Temp\_MEI48202\win32crypt.pyd
MOD - [2014/06/23 11:42:11 | 000,035,840 | ---- | M] () -- C:\Users\John\AppData\Local\Temp\_MEI48202\win32process.pyd

Now, it could be nothing. But that many Python files is rare, more so in AppData.

Take my word for this. I am no expert on OTL. That is why Twin will help you. It’s also why I am in training.

Also, [2013/10/22 20:11:11 | 000,000,000 | ---D | M] -- C:\Users\John\AppData\Roaming\uTorrent

uTorrent is a bad idea.

My Canned Speech came in handy :)

Hello,

You have some P2P programs installed. These programs are not recommended here. Please read below so you can decide if you’d like to keep them.

Description:

These programs link directly from computer to computer, making you very easy to infect. While P2P used to be safe, it no longer is and any type of P2P network can be used to infect you, or others. P2P has also been linked to Cyber-Identity-Theft in a few cases, where settings were set wrong. While these programs seem like a great way to get free software/media, they usually come bundled with other files, such as adware, spyware, Trojans etc.

I would ask you to read the following articles on the dangers of P2P Usage:

Info World Article
FBI Article

If you continue the usage I cannot guarantee you will stay clean, so I recommend you remove them. If you decide to keep them, please refrain from using them until we are done.

Now, I shall shut up and let Twin do his work :)
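
The check made by eye on the OTL log above (many loaded modules sitting under a Temp folder) can be scripted. This is an added example, not part of the thread and not OTL's own code; the function names, the reading of the parenthesised field as a vendor name, and the last sample line are assumptions made for illustration.

```python
import ntpath
import re
from collections import defaultdict

# Three MOD lines in the layout quoted in the thread, plus one constructed line.
SAMPLE = r"""
MOD - [2014/06/23 11:42:19 | 000,805,888 | ---- | M] () -- C:\Users\John\AppData\Local\Temp\_MEI48202\wx._gdi_.pyd
MOD - [2014/06/23 11:42:18 | 001,160,704 | ---- | M] () -- C:\Users\John\AppData\Local\Temp\_MEI48202\_ssl.pyd
MOD - [2014/06/23 11:42:18 | 000,110,080 | ---- | M] () -- C:\Users\John\AppData\Local\Temp\_MEI48202\PyWinTypes27.dll
MOD - [2014/06/20 09:00:00 | 000,200,000 | ---- | M] (Example Corp) -- C:\Program Files\Example\example.dll
"""

MOD_RE = re.compile(
    r"^MOD - \[(?P<ts>[\d/]+ [\d:]+) \| (?P<size>[\d,]+) \| (?P<attr>\S+) \| \w\] "
    r"\((?P<vendor>.*?)\) -- (?P<path>.+)$"
)
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
# PyInstaller one-file programs unpack into a Temp folder named _MEI<digits>.
MEI_RE = re.compile(r"^_MEI\d+$")


def parse_mod_lines(text):
    """Return one dict per well-formed MOD line; other lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = MOD_RE.match(line.strip())
        if m:
            rows.append({
                "size": int(m["size"].replace(",", "")),
                "vendor": m["vendor"].strip(),  # assumed to be the vendor name
                "path": m["path"].strip(),
            })
    return rows


def temp_module_groups(rows):
    """Group modules loaded from a user Temp directory by containing folder."""
    groups = defaultdict(list)
    for row in rows:
        if TEMP_RE.search(row["path"]):
            groups[ntpath.dirname(row["path"])].append(row)
    return [{
        "folder": folder,
        "count": len(mods),
        "no_vendor": sum(1 for mod in mods if not mod["vendor"]),
        "total_bytes": sum(mod["size"] for mod in mods),
        "pyinstaller_style": bool(MEI_RE.match(ntpath.basename(folder))),
    } for folder, mods in sorted(groups.items())]
```

A folder reported with `pyinstaller_style` set only says a bundled Python program was running from Temp; the executable that unpacked it still has to be identified and checked.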

I didn’t even know it was still installed. I assumed my roommate had uninstalled after our little spigot problem. Uninstalling now, thanks for the heads up.

No problem. You can thank Compcav for making me write that.

If I had to guess, an infection might’ve come through there. Regardless, I am sure Twin will try to help you.

Hello,

Please download AdwCleaner by Xplode and save to your Desktop.

Double click on AdwCleaner.exe to run the tool.

- Click on the Scan button.
- After the scan has finished click on the Clean button.

Press OK when asked to close all programs and follow the onscreen prompts.
Press OK again to allow AdwCleaner to restart the computer and complete the removal process.

- After rebooting, a logfile report (AdwCleaner[S0].txt) will open automatically.
- Post logfile will also be saved in the C:\AdwCleaner folder.

***** NEXT *****

Please download Farbar Recovery Scan Tool by Farbar and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them.
Only one of them will run on your system, that will be the right version.

- Double-click to run it. When the tool opens click Yes to disclaimer.
- Under Optional Scan ensure “List BCD” and “Driver MD5” are ticked.
- Press Scan button.
- It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
- The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

Results of both scans are attached.

Please go to: VirusTotal

- Click the Choose File button.
- Please copy/paste the following text into the ‘File name:’ box:

C:\Windows\System32\GFNEXSrv.exe

- Click Open then click the Scan it! button just below.
- This will scan the file. Please be patient.
- If you get a message saying File already analyzed: click Reanalyse
- Once scanned, copy and paste the URL from your browser address bar in your next reply.

Pasted C:\Windows\System32\GFNEXSrv.exe into the file name box and got this message:

“GFNEXSrv.exe
File not found.
Check the file name and try again.”

Can you try to find it manually?

I found it manually, however when I click ‘choose file’ and go to the same folder the only thing that shows up is GFNEX.dll, not GFNEXSrv.exe

Can you copy it manually to the desktop and then upload it to VirusTotal?

That worked, here is the url

https://www.virustotal.com/en/file/ead6b6c4d0c2f27c91d3494dd71b549c47104733cd8c8af77104d4f7f41c18e5/analysis/1403718892/