Solved Blank Web site loads every morning

Spunk · Sunday at 6:53 PM

My computer specs are up to date on my profile.
Every morning, I am greeted with a blank web site window., After I close my screensaver and before I open a browser.
I am using the Brave Browser. I have cleared the browser cache, there are no extensions that relate to this. I have Synced Brave with other devices on my network and I do not get this pop up on any other device. My other browsers do not have this issue
There is nothing in Task Scheduler that I can find. I also don't find anything in Autoruns.
I have searched Windows and the Windows Registry. Finding nothing. I always clear Temp files, and remove unwanted extensions
I have scanned with Windows Security (Defender) Malwarebytes, ADW Cleaner, Esset Online TrendMicro Online etc

this started when I got a couple of Gmail's from some Russian "Women" who sent photos in a zipped file, once I unzipped them to save the pictures, this started, as far as I can remember. I never saw this when I was saving their pictures from Email individually. Searching for this web site in Gmail also brings up nothing.
Also accessing Gmail on any other device does not bring this up. Anybody got any ideas what I can try next?

Josey Wales · Sunday at 7:06 PM

You can try to run an offline scan with Defender.

Marcus Vinicus · Sunday at 7:17 PM

Put that website url into VirusTotal and it looks dodgy.

VirusTotal

www.virustotal.com

garlin · Sunday at 7:19 PM

If you can't find anything obvious, and it happens every morning, it's probably a scheduled task with a specific trigger.

1. Enable the Windows auditing policy for process creation:

Code:

auditpol /set /subcategory:"Process Creation" /success:enable
wevtutil set-log Microsoft-Windows-TaskScheduler/Operational /enabled:true

It's best to enable logging right before you leave the PC at night, in order to minimize the event log size.

2. Wait for the pop-up. Open Event Viewer, and search for Event ID 4688 (A new process has been created). You should get the name of the process, command line arguments, and the process owner.

3. When you're done with logging, disable auditing so your event log doesn't grow so fast.

Code:

auditpol /set /subcategory:"Process Creation" /success:disable
wevtutil set-log Microsoft-Windows-TaskScheduler/Operational /enabled:false

Rollback_Jockey · Sunday at 7:25 PM

I think you should be looking for infections, looks like you suffered a drive-by.

antspants · Sunday at 7:33 PM

~~Did you visit (accidentally or on purposely) a piracy site and download something?~~

Spunk said:
this started when I got a couple of Gmail's from some Russian "Women" who sent photos in a zipped file, once I unzipped them to save the pictures, this started, as far as I can remember.

ZIP Exploit via 7-Zip: Russian cybercrime groups have recently used a vulnerability in 7-Zip (CVE-2025-0411) to deliver malware that evades Windows security warnings B C. If the zipped photos were double-archived, the inner files may have executed without triggering SmartScreen or Defender.
Homoglyph Trickery: The malware may have disguised executable files using Cyrillic characters that resemble Latin ones (e.g., “С” vs “C”), making them appear like harmless `.doc` or `.pdf` files C.
Browser Hijack via Startup Trigger: The blank Brave window loading `https://xxxxxx.ru/update.app` suggests a hidden startup script or scheduled task that launches Brave with a specific URL — possibly injected via a rogue shortcut, registry key, or hidden script.

antspants · Sunday at 7:37 PM

Might be a good idea to code or remove that link from the thread?

garlin · Sunday at 7:41 PM

antspants said:
Might be a good idea to code or remove that link from the thread?

Why? The point is to better educate other folks, so they don't make the same mistakes. If you clearly said it's malware, are they tempted to click on it?

Marcus Vinicus · Sunday at 7:41 PM

Bitdefender have a whole webpage warning about the dodgy activities that domain name owners are getting up to.

antspants · Sunday at 7:43 PM

garlin said:
Why? The point is to better educate other folks, so they don't make the same mistakes. If you clearly said it's malware, are they tempted to click on it?

You obviously don’t know people very well. Not surprising.

Spunk · Sunday at 7:44 PM

I know it's dodgy. I am trying to get rid of it. If you Read my post you can see that I scanned for infections with several Malware Amt\i-Virus Scanners with no results.

Using the Code in Post #4,
I pasted it into Terminal (As Admin) which was successful, but I have searched for the Event 4668 in Event Viewer, but I can't find it?
I will see if I can see it next time I see this pop up, unless you can tell me what part EV I can look for it?

antspants · Sunday at 7:45 PM

People don’t need to see a malicious link. People need to be educated about downloading archives contained in an email sent via alleged Russian women offering photos, in an email, Garlin.

Marcus Vinicus · Sunday at 7:54 PM

Spunk said:
I know it's dodgy. I am trying to get rid of it. If you Read my post you can see that I scanned for infections with several Malware Amt\i-Virus Scanners with no results.

Using the Code in Post #4,
I pasted it into Terminal (As Admin) which was successful, but I have searched for the Event 4668 in Event Viewer, but I can't find it?
I will see if I can see it next time I see this pop up, unless you can tell me what part EV I can look for it?

Well bud I did read your post right through BEFORE I posted on this thread.

Over and out.

garlin · Sunday at 7:58 PM

Spunk said:
I know it's dodgy. I am trying to get rid of it. If you Read my post you can see that I scanned for infections with several Malware Amt\i-Virus Scanners with no results.

Using the Code in Post #4,
I pasted it into Terminal (As Admin) which was successful, but I have searched for the Event 4668 in Event Viewer, but I can't find it?
I will see if I can see it next time I see this pop up, unless you can tell me what part EV I can look for it?

Windows Logs / Security

You should open a new process, like run Notepad or launch another browser instance from the Start Menu.

Spunk · Sunday at 8:09 PM

The pop up hasn't appeared when I am using the computer.
I have opened a new Duck Duck Go Browser windows
Went to EV/Windows Logs/Security/Find typed Event 4668
get the Results Searching for selected event to the end of the list , there is no event that contains the specified string

When I search for just the number 4668 n Windows Logs/Security , it comes up with
Audit success: Event 5379, User Account Management in Windows Security Auditing . the Event occurs when a user performs a Read operation on Stored credentials in Credential Manager

Nothing with Event 4668. I will try Event Viewer the next time I see the popup.

garlin · Sunday at 8:12 PM

4-6-8-8

Spunk · Sunday at 8:31 PM

@antspants typing the code in post # 13 in PS as Admin comes up with

TaskName State Actions -------- ----- ------- BraveSoftwareUpdateTaskMachineCore Ready {MSFT_TaskExecAction} BraveSoftwareUpdateTaskMachineUA Ready {MSFT_TaskExecAction}
nothing on the desktop

Attached is a screenshot of the Startup Registry folder

antspants · Sunday at 8:40 PM

I removed the script. I could feel smirking eyes gazing on me.
Run this same way.

Powershell:

$Output = @()

# User Run Entries
$Output += "`r`n=== HKCU Run Entries ==="
$Output += (Get-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" | Select-Object PSChildName, Value | Out-String)

# Machine Run Entries
$Output += "`r`n=== HKLM Run Entries ==="
$Output += (Get-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run" | Select-Object PSChildName, Value | Out-String)

# Scheduled Tasks - All Tasks with Key Info
$Output += "`r`n=== ALL Scheduled Tasks ==="

$AllTasks = Get-ScheduledTask | ForEach-Object {
    $Task = $_
    $Info = New-Object PSObject -Property @{
        TaskName      = $Task.TaskName
        Author        = $Task.Principal.UserId
        State         = $Task.State
        LastRunTime   = ($Task | Get-ScheduledTaskInfo).LastRunTime
        Actions       = ($Task.Actions | ForEach-Object { $_.Execute + " " + $_.Arguments }) -join "; "
        Triggers      = ($Task.Triggers | ForEach-Object { $_.StartBoundary }) -join "; "
    }
    $Info
}

$Output += ($AllTasks | Sort-Object TaskName | Format-Table -AutoSize | Out-String)

# Save to the current user's Desktop
$FilePath = [System.IO.Path]::Combine($env:USERPROFILE, "Desktop", "Startup_Check_Full.txt")
$Output | Out-File -FilePath $FilePath -Encoding UTF8

Write-Host "`nFull startup and task info saved to: $FilePath" -ForegroundColor Green

Sorry about the txt file.

antspants · Sunday at 8:41 PM

Do you not have a system image saved, Spunk?

Spunk · Sunday at 8:44 PM

I just restored the image, but it included this popup.
It is more annoying then it is causing any harm. If no one has any ideas, I can live with it.

Solved Blank Web site loads every morning

Well-known member

My Computer

Endeavor to Persevere

My Computers

Semper paratus

My Computers

Well-known member

My Computer

Well-known member

My Computer

Like a rolling drone.

My Computers

Like a rolling drone.

My Computers

Well-known member

My Computer

Semper paratus

My Computers

Like a rolling drone.

My Computers

Well-known member

My Computer

Like a rolling drone.

My Computers

Semper paratus

My Computers

Well-known member

My Computer

Well-known member

My Computer

Well-known member

My Computer

Well-known member

Attachments

My Computer

Like a rolling drone.

My Computers

Like a rolling drone.

My Computers

Well-known member

My Computer