Malware Causes Pop-up Windows (oneclickrev.com) in Browsers

Hi, I have some malware on my system (Windows XP SP3). Sometimes, when I open a usual web page and click on some links there, pop-up windows appear with advertisements. Mainly, it first opens the web page called oneclickrev.com and then redirects to some other pages with advertisements.

I have two browsers, Firefox and Chrome. The same happens on both.

I have no idea where it comes from. Maybe it comes from some freeware I installed earlier, but I don’t know which one. I suspected CCleaner, so I uninstalled it. It didn’t help. :frowning:

I have no idea where it comes from.
Probably a website you visited.

The strange thing is… Some websites showed pop-ups earlier, but now do not show them anymore… Some websites do it now as well.

You may run Malwarebytes AdwCleaner.

Malware experts have been notified.

In the meantime you can read here: https://malwaretips.com/threads/how-to-remove-save-by-click-adware-removal-guide.12955/

polonus

Your DNS server settings have been hijacked.

  • Open Notepad (click Start button → type notepad.exe → press Enter)
  • Copy the text from the code block below and paste it into Notepad
    Tcpip\Parameters: [DhcpNameServer] 87.117.234.36 8.8.8.8
    Tcpip\..\Interfaces\{51412544-8CD5-4EDC-9744-DA6197C2CE12}: [DhcpNameServer] 87.117.234.36 8.8.8.8
  • Go to File → Save As
  • Make sure that UTF-8 is selected as Encoding (left side of the Save button)
  • Save it as fixlist.txt on the Desktop
  • Open FRST again and click on the Fix button
  • Wait until FRST finishes
  • fixlog.txt should be generated and opened. Attach it to your post and wait for further instructions.

Thank you for the hint, but unfortunately it requires Windows 10 (32/64-bit), Windows 8 (32/64-bit), or Windows 7 (32/64-bit) and I have Windows XP.

Thank you. I will do it when I go back home from work today.

Can you tell which software hijacked my server settings? So I could uninstall it and not use it again in the future. Could it happen without installing software or an add-on? Just by accidentally clicking on some link?

Update:

What was hijacked - my PC or my Router?

My mother’s PC is using the same router and it has the same problem. I will upload its logs later today as well.

Here it is: the fixlog.txt of PC1.

Later I will upload the logs (FRST.txt and Additions.txt) of PC2 (my mom’s PC). It has a similar problem.

PC Nr. 2:

Here are the logs of PC2. It is definitely infected. :frowning: Or the router is. It shows many more pop-up windows than my PC (PC1). :frowning:

  • Open Notepad (click Start button → type notepad.exe → press Enter)
  • Copy the text from the code block below and paste it into Notepad
    Tcpip\Parameters: [DhcpNameServer] 87.117.234.36 8.8.8.8
    Tcpip\..\Interfaces\{43782033-CBCE-4F77-9832-9494C06EF56D}: [DhcpNameServer] 87.117.234.36 8.8.8.8
    GroupPolicy: Restriction ? <==== ATTENTION
    cmd: ipconfig /flushdns
  • Go to File → Save As
  • Make sure that UTF-8 is selected as Encoding (left side of the Save button)
  • Save it as fixlist.txt on the Desktop
  • Open FRST again and click on the Fix button
  • Wait until FRST finishes
  • fixlog.txt should be generated and opened. Attach it to your post and wait for further instructions.

You mean on PC Nr. 2?

Yes.

Here is the fixlog of PC Nr. 2.

But the PC still has the same issue: every time I go to any web page and click on a link, a pop-up window appears.

Even after system restart?

Unfortunately yes :frowning: at least on Firefox.

I have scanned PC Nr. 2 with Farbar again and attached the logs.

Let’s clear this up. What is the status of PC 1?

I still get some pop-up windows on some pages. Not as often as on PC 2, but nevertheless sometimes. Here are the logs of PC 1.

Your router settings have been modified by malware. Log in to your router configuration page and find the DHCP server settings. There you will find “87.117.234.36” as the primary DNS server. Remove it and set the router’s local IP address as the primary DNS server (the default gateway address and the primary DNS address should be the same).
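As an added example (not part of this thread and not code from FRST or Farbar), here is a small Python script that applies the check described in the fixlist posts above and in this router advice: it parses DhcpNameServer lines of the kind FRST reports and flags any resolver that is neither the default gateway nor a private address nor on an explicit trusted list, and it also reports whether the primary DNS matches the gateway. The sample lines are constructed from this thread (the third line, with a made-up interface GUID, shows what a clean machine looks like); the gateway address 192.168.1.1 and the trusted-resolver set are assumptions for the demonstration.

```python
import ipaddress
import re
from typing import Dict, FrozenSet, List

# Constructed sample input: the first two lines mirror what FRST listed in this
# thread, the third is a made-up interface (placeholder GUID) whose router hands
# out only itself as DNS, i.e. the expected healthy state.
SAMPLE_FRST_LINES = r"""
Tcpip\Parameters: [DhcpNameServer] 87.117.234.36 8.8.8.8
Tcpip\..\Interfaces\{51412544-8CD5-4EDC-9744-DA6197C2CE12}: [DhcpNameServer] 87.117.234.36 8.8.8.8
Tcpip\..\Interfaces\{CONSTRUCTED-EXAMPLE-GUID}: [DhcpNameServer] 192.168.1.1
"""

# "<Tcpip scope>: [DhcpNameServer] <ip> <ip> ..." as FRST prints it.
LINE_RE = re.compile(r"^(?P<scope>Tcpip\\[^:]+):\s*\[DhcpNameServer\]\s*(?P<servers>.+)$")


def parse_dhcp_name_servers(text: str) -> Dict[str, List[str]]:
    """Map each Tcpip scope (global or per-interface) to its DHCP-assigned DNS list."""
    scopes: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        match = LINE_RE.match(raw.strip())
        if match:
            scopes[match.group("scope")] = match.group("servers").split()
    return scopes


def classify_resolver(server: str, gateway: str, trusted: FrozenSet[str]) -> str:
    """Label one resolver: gateway, trusted, private (LAN), unexpected, or unparseable."""
    try:
        addr = ipaddress.ip_address(server)
    except ValueError:
        return "unparseable"
    if server == gateway:
        return "gateway"
    if server in trusted:
        return "trusted"
    if addr.is_private:
        return "private"
    return "unexpected"


def audit(text: str, gateway: str, trusted: FrozenSet[str] = frozenset()) -> List[dict]:
    """Classify every resolver per scope and check the rule from the thread:
    the primary DNS handed out by DHCP should be the router (default gateway)."""
    findings = []
    for scope, servers in parse_dhcp_name_servers(text).items():
        findings.append({
            "scope": scope,
            "servers": servers,
            "verdicts": [classify_resolver(s, gateway, trusted) for s in servers],
            "primary_is_gateway": bool(servers) and servers[0] == gateway,
        })
    return findings


def suspicious_scopes(findings: List[dict]) -> List[str]:
    """Scopes worth reviewing: any unexpected resolver, or a primary DNS that is not the router."""
    return [
        f["scope"] for f in findings
        if "unexpected" in f["verdicts"] or not f["primary_is_gateway"]
    ]


if __name__ == "__main__":
    # Assumed values for the demonstration: the router's LAN address and one
    # public resolver the operator has deliberately chosen to trust.
    results = audit(SAMPLE_FRST_LINES, gateway="192.168.1.1", trusted=frozenset({"8.8.8.8"}))
    for f in results:
        print(f["scope"], f["servers"], f["verdicts"], "primary_is_gateway=%s" % f["primary_is_gateway"])
    print("review:", suspicious_scopes(results))
```

On the sample input the first two scopes are reported because 87.117.234.36 is a public address that is neither the router nor on the trusted list, and because it sits in the primary position; the third scope passes. Treating the router itself as the expected primary is the same rule the expert gives for the DHCP page, so the script can be rerun on fresh FRST output after the router change to confirm both PCs now receive only the gateway.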

OK. I have found the DHCP settings on my router configuration page and have changed the primary DNS as you told me. It seems to help. I cannot notice any pop-up windows now, but I will keep watching it over the next days and write here if I see something suspicious.

You wrote: “router settings have been modified by malware”. Is the malware still in the system? How could I find it? And, more importantly, how can I prevent it in the future?

I have changed the default login and password of the router configuration page. Would it prevent the malware from making modifications in the future? Should I change anything else here?