Audio Advertisement has taken over my PC

[RanchoMattPS]

Every 5 minutes a 30 second audio ad plays. It is an ad from some tech company about cyber security.
A process called nine is running a program called downslope.exe which is stored in my User/AppData/Local folder. i can delete this file a hundred times and it returns. When I disconnect from the internet the ad does not play. I have setup firewall rules blocking any inbound or outbouynd communication from this program and it does not help. Is there anything I can do short of a reinstall.

 

[Regedit32]

Hi RanchoMatPS,

From your post it appears you have picked up some form of adware infection, although I cannot say I've come across either the executable you listed or that particular process name either.

If it is adware then its likely it has installed a plugin or extension to your Default browser and possibly also to the Internet Explorer browser that sits there in the Windows 10 build.

If you go to each of these browsers Advanced options tab you should be able to click reset buttons that will remove all plugins/extensions.

It's possible that this is more than just adware though - you may have a trojan infection. From your claim the executable keeps restoring itself it seems likely that there may be some registry keys set to reload this.

The common keys affected in this way would be:

• HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  
• HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
  
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

They may contain a value calling this downslope.exe so it would be worth checking. If it exists here then delete that value.

It'd be worthwhile downloading and installing a adware scanner too and running a full scan to see if it picks up anything. A couple of options are:

• https://www.malwarebytes.com/mwb-download/
  
• http://www.bleepingcomputer.com/download/adwcleaner/

I'd also recommend running a thorough virus scan just in case.

 

[Tim Locke]

If you use Chrome you might have to go to about:config to find adware or malware. There was one like that a couple of years ago that was fiddly to remove. Every time you ran Chrome it replaced the item.

 

[BigFeet]

If I remember correctly, that was a nasty one. I cleaned that off a friends PC quite a while back. I don't remember what finely cleaned it. I believe I backed everything up, and just reinstalled windows. I'd start by running Malwarebytes, adwcleaner, and Emsisoft Emergency Kit.

 

[RanchoMattPS]

Ok so a scan of the registry found 10 instances of the downslope.exe, I deleted them all, as soon as I open any browser it returns. I uninstall and delete from registry all browsers except Microsoft Edge, I cant uninstall that. I was however able to Trap the offending downslope.exe and prevent it from running using Daphne, a process explorer program.

 

[Regedit32]

Have you checked registry for instances of Nine too? Nine may be the means for downslope.exe to effectively reinstall itself.

What other items are in those Run and RunOnce folders?

Also, given you found 10 instances in the registry what other keys were involved and were there any other items within their folders?

 

[Norton]

Try Malwarebytes (JRT) Junk removal tool. Make sure you check the log before deleting any .exe files that you use. You have an option to deselect what to delete.