Malware Pop-Ups Can't Get Rid Of

ghamilton

New Member
Thread author
Sep 7, 2013
12
I am getting a ton of pop-ups that always occur in the lower left-hand corner of my browser, which is IE v8. I have run Malware Bytes.com full scan and boot scan multiple times and then removed all identified objects, but still when I open up Internet Explorer, those persistent pop-ups prevail. I even found 2 threats on my memory stick which I removed, one of them was a Trojan. I have listed the specific pop-ups that I am seeing if that helps any, and I have included the OTL & aswMBR logs in addition to screen shots of some of the pop-ups I am seeing. Also, I noticed a couple of times I was getting this message saying my disk space was running low. I looked and found my C: drive had 0 bytes free space. I got to looking and found a text file on my C: drive root directory called Avenger.txt that was 4.67 GB which just happened to be exactly how much space I had left on my hard drive. I also found an empty folder called Avenger on my C: drive. I deleted both of these, but I have no idea where they came from.

Thanks in advance for all your help.

-------------------------------------------------------------------
Pop-ups:
-System Warning!! Your PC is about to crash! Click OK to fix it.
-Browser Update Available.
-Please install HD player, message important, update now.
-Test center - Congratulations, you are the 999,999 visitor in Carrollton! You've been selected to test a new Galaxy S4! Accept or decline.
-Health care reform has passed in TX, save up to 90% now, InsuranceQuotesfor1.com, get quote.
-You have (1) new message! Click here to get it! Michael
-------------------------------------------------------------

That's all for now.

Thanks,
Greg
 

Fiery

Level 1
Jan 11, 2011
2,007
Hi and welcome to MalwareTips! :)

I'm Fiery and I would gladly assist you in removing the malware on your computer.

PLEASE NOTE: The first 3 posts of ALL new members require approval by mods/admins. Please be patient if you don't see your post immediately after submitting it.

Before we start:
  • Note that the removal process is not immediate. Depending on the severity of your infection, it could take a long time.
  • Malware removal can be dangerous. I cannot guarantee the safety of your system as malware can be unpredictable. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system. Therefore, I would advise you to backup all your important files before we start.
  • Please be patient and stay with me until I give you the green light and inform you that your PC is clean.
  • Some tools may be flagged by your antivirus as harmful. Rest assured that ALL the tools we use are safe, the detections are false positives.
  • The absence of symptoms does not mean your PC is fully disinfected.
  • If you are unclear about the instructions, please stop and ask. Following the steps in the order that I post them in is vital.
  • Lastly, if you have requested help on other sites, that will delay and hinder the removal process. Please only stick to one site.

<hr>
Open OTL. Under custom scan/fixes, copy and paste the following:

:OTL
SRV - (‮etadpug) -- C:\Program Files\Google\Desktop\Install\{0afb2e91-d2ea-a870-dcad-d539de9fa7e2}\ \ \‮ﯹ๛\{0afb2e91-d2ea-a870-dcad-d539de9fa7e2}\GoogleUpdate.exe < [WARNING: C:\Program Files\Google\Desktop\Install\{0afb2e91-d2ea-a870-dcad-d539de9fa7e2}\ \ \???\{0afb2e91-d2ea-a870-dcad-d539de9fa7e2}\GoogleUpdate.exe <] File not found
SRV - (BrowserDefendert) -- C:\Documents and Settings\All Users\Application Data\BrowserDefender\2.6.1519.190\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}\BrowserDefender.exe File not found
IE - HKLM\..\SearchScopes\{EEE6C360-6118-11DC-9C72-001320C79847}: "URL" = http://start.sweetpacks.com/?src=6&q={searchTerms}&st=12&crg=3.5000006.10042&barid={8FF3A7F1-E0EC-11E2-B878-001B788C864E}
IE - HKCU\..\SearchScopes\{4C91286A-0887-42AE-BFDA-A6BBFF5556EB}: "URL" = http://search.conduit.com/Results.aspx?ctid=CT3300033&SearchSource=45&q={searchTerms}
O4 - HKLM..\Run: [wuione] "C:\WINDOWS\system32\rundll32.exe" "C:\Documents and Settings\Greg\Application Data\wuione.dll",level File not found
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 209.18.47.61 209.18.47.62
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{6D7FE56B-EE93-4A2C-8CBF-DD01BBDC90EC}: DhcpNameServer = 209.18.47.61 209.18.47.62
[2013/09/01 12:42:54 | 000,465,280 | R--- | C] (Coupons, Inc.) -- C:\WINDOWS\System32\cpnprt2win32.cid
[2013/09/01 12:42:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Coupons
[2013/09/07 15:37:11 | 000,116,635 | ---- | M] () -- C:\System Warning, Your PC Is About To Crash Pop-Up.JPG
[2013/09/07 15:33:05 | 000,171,430 | ---- | M] () -- C:\Browser Update Available Pop-Up.JPG
[2013/09/07 12:25:04 | 000,000,410 | ---- | M] () -- C:\WINDOWS\tasks\At1.job
[2013/03/04 21:30:21 | 000,002,048 | -HS- | M] () -- C:\RECYCLER\S-1-5-18\$0afb2e91d2eaa870dcadd539de9fa7e2\@
[2013/03/04 21:30:21 | 000,000,000 | -HSD | M] -- C:\RECYCLER\S-1-5-18\$0afb2e91d2eaa870dcadd539de9fa7e2\L
[2013/03/26 10:56:39 | 000,000,000 | -HSD | M] -- C:\RECYCLER\S-1-5-18\$0afb2e91d2eaa870dcadd539de9fa7e2\U
[2013/08/01 12:25:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Babylon
[2013/08/12 11:57:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\BrowserDefender

:Commands
[EMPTYTEMP]
[RESETHOSTS]

Then click Run Fix. Let your PC reboot to normal mode. A new log will be created automatically, post the content in the next reply.

Download TDSSkiller from here
  • Double-Click on TDSSKiller.exe to run the application
  • When TDSSkiller opens, click Change parameters, check the box next to Loaded modules. A reboot will be required.
  • After reboot, TDSSKiller will run again. Click Change parameters again and make sure everything is checked.
  • click Start scan .
  • If a suspicious object is detected, the default action will be Skip, click on Continue. (If it says TDL4/TDSS file system, select delete)
  • If malicious objects are found, ensure Cure (default) is selected, then click Continue and Reboot now to finish the cleaning process.

Post the log after (usually in the C:\ folder, in the form of TDSSKiller.[Version]_[Date]_[Time]_log.txt)

Download Malwarebytes Anti-Rootkit from here to your Desktop
  • Unzip the contents to a folder on your Desktop.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Make sure there is a check next to Create Restore Point and click the Cleanup button to remove any threats. Reboot if prompted to do so.
  • After the reboot, perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If there are threats, click Cleanup once more and reboot.
  • When done, please post the two logs in the MBAR folder(mbar-log.txt and system-log.txt)
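As an added example (not from this thread, from OldTimer's OTL, or from MalwareTips), here is a Python parser for the three line shapes in the OTL script above (SRV service entries, O4 Run keys and the timestamped file listing) that flags the things a helper checks before running such a fix: names carrying a Unicode bidi control character (the service listed as etadpug above is stored with U+202E RIGHT-TO-LEFT OVERRIDE in front of it, so a right-to-left rendering shows it as gupdate), hidden+system objects under C:\RECYCLER, and a Run key that hands rundll32 a DLL from a user profile folder. The sample lines are constructed from the script above with shortened paths; the flagging heuristics are mine, not OTL's.

```python
import re
import unicodedata

# Unicode bidi control characters: they change how a name is drawn without changing it.
BIDI_CONTROLS = frozenset("\u200e\u200f\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069")

# Line shapes taken from the OTL fix script (service, Run key, file listing).
SRV_RE = re.compile(r"^SRV - \((?P<name>[^)]*)\) -- (?P<path>.*?)(?: File not found)?$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
FILE_RE = re.compile(
    r"^\[(?P<ts>[\d/]+ [\d:]+) \| (?P<size>[\d,]+) \| (?P<attrs>[-A-Z]{4}) \| (?P<op>[CM])\] "
    r"(?:\((?P<vendor>[^)]*)\) )?-- (?P<path>.+)$"
)

# Constructed sample: lines modelled on the thread's script, paths shortened.
SAMPLE_SCRIPT = [
    ":OTL",
    # Service name stored as U+202E followed by "etadpug"; the override draws it as "gupdate".
    "SRV - (\u202eetadpug) -- C:\\Program Files\\Google\\Desktop\\Install\\{0afb2e91-d2ea-a870-dcad-d539de9fa7e2}\\ \\ \\\u202e\ufbf9\u0e5b\\{0afb2e91-d2ea-a870-dcad-d539de9fa7e2}\\GoogleUpdate.exe File not found",
    "SRV - (BrowserDefendert) -- C:\\Documents and Settings\\All Users\\Application Data\\BrowserDefender\\2.6.1519.190\\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}\\BrowserDefender.exe File not found",
    "O4 - HKLM..\\Run: [wuione] \"C:\\WINDOWS\\system32\\rundll32.exe\" \"C:\\Documents and Settings\\Greg\\Application Data\\wuione.dll\",level File not found",
    "[2013/09/01 12:42:54 | 000,465,280 | R--- | C] (Coupons, Inc.) -- C:\\WINDOWS\\System32\\cpnprt2win32.cid",
    "[2013/03/04 21:30:21 | 000,002,048 | -HS- | M] () -- C:\\RECYCLER\\S-1-5-18\\$0afb2e91d2eaa870dcadd539de9fa7e2\\@",
    "[2013/03/04 21:30:21 | 000,000,000 | -HSD | M] -- C:\\RECYCLER\\S-1-5-18\\$0afb2e91d2eaa870dcadd539de9fa7e2\\L",
    ":Commands",
    "[EMPTYTEMP]",
]


def bidi_controls_in(text):
    """Names of the bidi control characters present in text (empty list if none)."""
    return [unicodedata.name(ch) for ch in text if ch in BIDI_CONTROLS]


def displayed_as(name):
    """Approximate rendering: text after a RIGHT-TO-LEFT OVERRIDE is drawn reversed."""
    head, rlo, tail = name.partition("\u202e")
    return head + tail[::-1] if rlo else name


def parse_otl_script(lines):
    """Parse OTL fix-script lines into dicts; section headers such as ':OTL' are skipped."""
    entries = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith(":"):
            continue
        m = SRV_RE.match(line)
        if m:
            entries.append({"kind": "service", "name": m["name"], "path": m["path"]})
            continue
        m = O4_RE.match(line)
        if m:
            entries.append({"kind": "run", "name": m["name"], "path": m["cmd"]})
            continue
        m = FILE_RE.match(line)
        if m:
            entries.append({"kind": "file", "name": m["path"].rsplit("\\", 1)[-1],
                            "path": m["path"], "attrs": m["attrs"],
                            "size": int(m["size"].replace(",", ""))})
            continue
        entries.append({"kind": "other", "name": "", "path": line})
    return entries


def flag_entries(entries):
    """Return (kind, name, reason) tuples for entries a helper should look at twice."""
    findings = []
    for e in entries:
        controls = bidi_controls_in(e["name"] + e["path"])
        if controls:
            findings.append((e["kind"], e["name"], "bidi control in name/path: "
                             + ", ".join(sorted(set(controls)))
                             + " (renders as %r)" % displayed_as(e["name"])))
        if e["kind"] == "file" and {"H", "S"} <= set(e["attrs"]) and "\\RECYCLER\\" in e["path"].upper():
            findings.append((e["kind"], e["name"], "hidden+system object under RECYCLER"))
        if e["kind"] == "run" and "rundll32" in e["path"].lower() and "application data" in e["path"].lower():
            findings.append((e["kind"], e["name"], "rundll32 loading a DLL from a user profile folder"))
    return findings


if __name__ == "__main__":
    for kind, name, reason in flag_entries(parse_otl_script(SAMPLE_SCRIPT)):
        print(f"{kind:8} {name!r:20} {reason}")
```

The parser deliberately keeps the raw name as stored (with the control character) and computes the rendered form separately, so the two can be compared side by side; a reviewer who only sees the rendered text would read "gupdate" and take it for a Google updater.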
 

ghamilton

New Member
Thread author
Sep 7, 2013
12
Hello Fiery,

I apologize, but after I made my initial posting I found on your malwaretips.com website the link listed below which recommended a total of seven steps of cleaning the computer of malware & viruses with the 7th step actually being two separate steps. I have completed these 8 steps and have all of the logs that were created by each program during the process of removal of the viruses, malware & adware. I have attached all of the logs if that will help any. I just wanted to find out if you wanted to look at these logs before I did what you said in your posting below. For instance, I have already done the TDSSKiller.exe, but the previous procedure did not say to check the box for "verify the digital signature", so I did not check it. Also, I already did something with Malwarebytes by completing step #2 (Remove Trojan Horses, rogue security software and other malicious files from your computer with Malwarebytes Anti-Malware Free), but this sounds different from what you said about Malwarebytes Anti-Rootkit. Also, I have not done the customized OTL scan yet either. I had to zip up the Hitman Pro text file, I guess because it was 40KB whereas all the others were much smaller. Please let me know what you want me to do next. Thanks.
 

Fiery

Level 1
Jan 11, 2011
2,007
Hi,

The steps I suggested are different from the guide as this is a more customized approach for your specific case. The Malwarebytes program that I suggested is different from the guide, and the TDSSkiller scan setting is different so it scans additional items. Lastly, the OTL script is specifically for your PC as there are some entries that need to be removed.

As for the next step, please follow the instructions in my previous post.
 

ghamilton

New Member
Thread author
Sep 7, 2013
12
Okay, thanks. That makes sense.

I ran the OTL program with the stuff you asked me to cut and paste into it. I'm not 100% sure it ran correctly because each time I tried it, the program appeared to lock up where my start bar at the bottom of my screen would be gone along with that whole ~3/8" portion of the screen at the very bottom of the screen which normally shows all open programs. Anyway, on my last attempt to run the program, I noticed it created a text log file, so I tried to send it to you along with the ones it created on my previous attempts in case you were able to look at these and tell me if I needed to rerun it. Unfortunately, when I tried to send the two text file OTL logs, MWBytes gave the error "please correct the following errors before continuing: the type of file that you attached is not allowed, please remove the attachment or choose a different type". Like I said, both of these OTL log files were .txt files totalling 24KB. I did notice that OTL created its own directory on my C: drive which includes several additional directories & files to include the screen shots I attached previously of the pop-ups I was experiencing. I tried saving the two OTL logs as .doc files and it made no difference. I made screen shots, but of course that made the files very large. I ended up having to delete all of my previous log files I had attached in my previous posts to be able to get under the size limit so I could send these screen shots. Please let me know if you need me to resend any of those previous files.

When I ran the TDSSKiller, it detected 6 threats, but all were suspicious with medium risk as opposed to malicious, so as Skip was already selected by default, I hit Continue as requested. I also ran the Malware Anti-Rootkit program which appeared to run okay, except at the end it did come up and say scan aborted, not sure if that is a normal part of the scan, or if I hit the wrong key. It did say no threats were detected.

Now, all of the attachments associated with this thread were created during the process of running the 3 programs that you suggested. Please let me know if you need any of the previously attached files that I had to delete so I could send these. I don't know if it is possible to get the 1MB limit increased. Thanks.
 

ghamilton

New Member
Thread author
Sep 7, 2013
12
Oh, great! I just realized that when I resized the 4 screen shots, it made them unusable as you can't even read them. Any ideas on why MWB would not let me send the two OTL log files I was trying to send? Also, on what you said to cut/paste into the OTL file, would I include Quote: or just start at :OTL? I'm pretty sure when I originally ran it, I started with :OTL. Thanks.
 

Fiery

Level 1
Jan 11, 2011
2,007
Hi,

The OTL script contained a command to kill all the running processes in the background so any malware processes would get killed also. That's why part of your screen disappeared.

I'm not too sure why MWB isn't allowing you to post the OTL log. You can try copying the entire log and pasting it directly in your next reply rather than sending it as an attachment since they aren't too long.

For the next logs, you can just post them in the reply if your 1MB quota is exceeded or MWB is giving you that error.

Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool (For Vista or Windows 7, right-click and select Run as Administrator to start)
  • Click delete
  • Please post the content of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[S1].txt

Download & SAVE to your Desktop RogueKiller or from here
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select Run as Administrator to start
  • Wait until Prescan has finished, then click on "Scan" button
  • Wait until the Status box shows "Scan Finished"
  • Click delete and wait until it says deleting finished
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop
  • Exit/Close RogueKiller
 

ghamilton

New Member
Thread author
Sep 7, 2013
12
Okay, here are the OTL logs pasted directly into the thread:

I ran it twice, I guess because the first time it did not seem to run correctly; the one below had the filename 09082013_202247:
----------------------------------------------------------------------
Files\Folders moved on Reboot...
C:\Documents and Settings\Gracie\Local Settings\Temp\JavaDeployReg.log moved successfully.
C:\Documents and Settings\Gracie\Local Settings\Temp\~DFE46A.tmp moved successfully.
C:\Documents and Settings\Gracie\Local Settings\Temp\~DFE482.tmp moved successfully.
C:\Documents and Settings\Gracie\Local Settings\Temp\~DFE5DC.tmp moved successfully.
C:\Documents and Settings\Gracie\Local Settings\Temp\~DFE5EF.tmp moved successfully.
C:\Documents and Settings\Gracie\Local Settings\Temp\~DFE69E.tmp moved successfully.
C:\Documents and Settings\Gracie\Local Settings\Temp\~DFE6B1.tmp moved successfully.
C:\Documents and Settings\Gracie\Local Settings\Temporary Internet Files\Content.IE5\RXB9IL7E\embed[1].htm moved successfully.
C:\Documents and Settings\Gracie\Local Settings\Temporary Internet Files\Content.IE5\RXB9IL7E\lisd_net[1].htm moved successfully.
C:\Documents and Settings\Gracie\Local Settings\Temporary Internet Files\Content.IE5\RXB9IL7E\lisd_net[2].htm moved successfully.
C:\Documents and Settings\Gracie\Local Settings\Temporary Internet Files\Content.IE5\RXB9IL7E\YDAoLskQQ5MOAgvHUQCcLbcQawGFB1zaa2VYh64hVv8[1].eot moved successfully.
C:\Documents and Settings\Gracie\Local Settings\Temporary Internet Files\Content.IE5\931ZDHX1\iepngfix[1].htc moved successfully.
C:\Documents and Settings\Gracie\Local Settings\Temporary Internet Files\Content.IE5\7RLFDA5E\embed[1].htm moved successfully.
C:\Documents and Settings\Gracie\Local Settings\Temporary Internet Files\Content.IE5\7RLFDA5E\view[4].htm moved successfully.
C:\Documents and Settings\Gracie\Local Settings\Temporary Internet Files\Content.IE5\6P49VWGN\rzvoOTOZcQfVDoKuaB7mVvesZW2xOQ-xsNqO47m55DA[1].eot moved successfully.
C:\Documents and Settings\Gracie\Local Settings\Temporary Internet Files\Content.IE5\6P49VWGN\S1YQx4pVZa17uu0HWQd2fA[1].eot moved successfully.
File move failed. C:\Documents and Settings\Greg\Local Settings\Temp\JavaDeployReg.log scheduled to be moved on reboot.
C:\Documents and Settings\Greg\Local Settings\Temporary Internet Files\Content.IE5\YAJ321T1\default[1].htm moved successfully.
C:\Documents and Settings\Greg\Local Settings\Temporary Internet Files\Content.IE5\YAJ321T1\Thread-Malware-Pop-Ups-Can-t-Get-Rid-Of[1].htm moved successfully.
C:\Documents and Settings\Greg\Local Settings\Temporary Internet Files\Content.IE5\XKQ1KN15\Messenger[1].htm moved successfully.
C:\Documents and Settings\Greg\Local Settings\Temporary Internet Files\Content.IE5\XKQ1KN15\outlook[1].htm moved successfully.
C:\Documents and Settings\Greg\Local Settings\Temporary Internet Files\Content.IE5\XKQ1KN15\xmlProxy[1].htm moved successfully.
C:\Documents and Settings\Greg\Local Settings\Temporary Internet Files\Content.IE5\SVWXWEF5\regular[1].eot moved successfully.
C:\Documents and Settings\Greg\Local Settings\Temporary Internet Files\Content.IE5\SVWXWEF5\resourcespreload[1].htm moved successfully.
C:\Documents and Settings\Greg\Local Settings\Temporary Internet Files\Content.IE5\SVWXWEF5\xmlProxy[3].htm moved successfully.
C:\Documents and Settings\Greg\Local Settings\Temporary Internet Files\Content.IE5\RP3HHNUV\LocalStorage[1].htm moved successfully.
C:\Documents and Settings\Greg\Local Settings\Temporary Internet Files\Content.IE5\RP3HHNUV\semibold[1].eot moved successfully.
C:\Documents and Settings\Greg\Local Settings\Temporary Internet Files\Content.IE5\RP3HHNUV\xmlProxy[4].htm moved successfully.
C:\Documents and Settings\Greg\Local Settings\Temporary Internet Files\Content.IE5\O3G5B83O\GFXHasherVerification[1].htm moved successfully.
C:\Documents and Settings\Greg\Local Settings\Temporary Internet Files\Content.IE5\O3G5B83O\skypedomaincheck[1].htm moved successfully.
C:\Documents and Settings\Greg\Local Settings\Temporary Internet Files\Content.IE5\HP3051RE\flextag[1].htm moved successfully.
C:\Documents and Settings\Greg\Local Settings\Temporary Internet Files\Content.IE5\HP3051RE\RteFrameResources[1].htm moved successfully.
C:\Documents and Settings\Greg\Local Settings\Temporary Internet Files\Content.IE5\B3P01ETE\GFXHasherAjaxIFrame_e8u3OtQonFhEjc0Yi_3RCA2[3].htm moved successfully.
C:\Documents and Settings\Greg\Local Settings\Temporary Internet Files\Content.IE5\41V8KAAG\light[1].eot moved successfully.
C:\Documents and Settings\Greg\Local Settings\Temporary Internet Files\Content.IE5\41V8KAAG\xmlProxy[2].htm moved successfully.

PendingFileRenameOperations files...

Registry entries deleted on Reboot...
----------------------------------------------------------------------
The next time I ran OTL, it had the filename of 09092013_051505:

All processes killed
========== OTL ==========
Error: No service named ‮etadpug was found to stop!
Service\Driver key ‮etadpug not found.
File C:\Program Files\Google\Desktop\Install\{0afb2e91-d2ea-a870-dcad-d539de9fa7e2}\ \ \‮ﯹ๛\{0afb2e91-d2ea-a870-dcad-d539de9fa7e2}\GoogleUpdate.exe < [WARNING: C:\Program Files\Google\Desktop\Install\{0afb2e91-d2ea-a870-dcad-d539de9fa7e2}\ \ \???\{0afb2e91-d2ea-a870-dcad-d539de9fa7e2}\GoogleUpdate.exe <] File not found not found.
Error: No service named BrowserDefendert was found to stop!
Service\Driver key BrowserDefendert not found.
File C:\Documents and Settings\All Users\Application Data\BrowserDefender\2.6.1519.190\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}\BrowserDefender.exe File not found not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{EEE6C360-6118-11DC-9C72-001320C79847}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EEE6C360-6118-11DC-9C72-001320C79847}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{4C91286A-0887-42AE-BFDA-A6BBFF5556EB}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4C91286A-0887-42AE-BFDA-A6BBFF5556EB}\ not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\wuione not found.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\\DhcpNameServer| /E : value set successfully!
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{6D7FE56B-EE93-4A2C-8CBF-DD01BBDC90EC}\\DhcpNameServer| /E : value set successfully!
File C:\WINDOWS\System32\cpnprt2win32.cid not found.
Folder C:\Documents and Settings\All Users\Start Menu\Programs\Coupons\ not found.
File C:\System Warning, Your PC Is About To Crash Pop-Up.JPG not found.
File C:\Browser Update Available Pop-Up.JPG not found.
File C:\WINDOWS\tasks\At1.job not found.
File C:\RECYCLER\S-1-5-18\$0afb2e91d2eaa870dcadd539de9fa7e2\@ not found.
Folder C:\RECYCLER\S-1-5-18\$0afb2e91d2eaa870dcadd539de9fa7e2\L\ not found.
Folder C:\RECYCLER\S-1-5-18\$0afb2e91d2eaa870dcadd539de9fa7e2\U\ not found.
Folder C:\Documents and Settings\All Users\Application Data\Babylon\ not found.
Folder C:\Documents and Settings\All Users\Application Data\BrowserDefender\ not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Charlie

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Gracie
->Temp folder emptied: 32768 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Greg
->Temp folder emptied: 639518 bytes
->Temporary Internet Files folder emptied: 5957748 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Mommy
->Temp folder emptied: 593099 bytes
->Temporary Internet Files folder emptied: 93277017 bytes
->Java cache emptied: 279544 bytes
->Google Chrome cache emptied: 111824468 bytes
->Flash cache emptied: 856 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 238092058 bytes
->Java cache emptied: 1527 bytes
->Flash cache emptied: 16500 bytes

User: New User
->Temp folder emptied: 21428538 bytes
->Temporary Internet Files folder emptied: 180652126 bytes
->Java cache emptied: 161958 bytes
->Flash cache emptied: 3158 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 6480609 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 58205489 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 494141405 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 1,156.00 mb

C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

OTL by OldTimer - Version 3.2.69.0 log created on 09092013_051505

Files\Folders moved on Reboot...
File move failed. C:\Documents and Settings\Greg\Local Settings\Temp\JavaDeployReg.log scheduled to be moved on reboot.
C:\Documents and Settings\Greg\Local Settings\Temporary Internet Files\Content.IE5\YBQUJIUI\GFXHasherAjaxIFrame_e8u3OtQonFhEjc0Yi_3RCA2[1].htm moved successfully.
C:\Documents and Settings\Greg\Local Settings\Temporary Internet Files\Content.IE5\YBQUJIUI\xmlProxy[1].htm moved successfully.
C:\Documents and Settings\Greg\Local Settings\Temporary Internet Files\Content.IE5\YBQUJIUI\xmlProxy[2].htm moved successfully.
C:\Documents and Settings\Greg\Local Settings\Temporary Internet Files\Content.IE5\YBQUJIUI\xmlProxy[3].htm moved successfully.
C:\Documents and Settings\Greg\Local Settings\Temporary Internet Files\Content.IE5\WUT6BBE1\regular[1].eot moved successfully.
File\Folder C:\Documents and Settings\Greg\Local Settings\Temporary Internet Files\Content.IE5\WUT6BBE1\skypedomaincheck[1].htm not found!
C:\Documents and Settings\Greg\Local Settings\Temporary Internet Files\Content.IE5\WUT6BBE1\Thread-Malware-Pop-Ups-Can-t-Get-Rid-Of[1].htm moved successfully.
File\Folder C:\Documents and Settings\Greg\Local Settings\Temporary Internet Files\Content.IE5\NSA33AHP\default[1].htm not found!
C:\Documents and Settings\Greg\Local Settings\Temporary Internet Files\Content.IE5\NSA33AHP\light[1].eot moved successfully.
C:\Documents and Settings\Greg\Local Settings\Temporary Internet Files\Content.IE5\NSA33AHP\semibold[1].eot moved successfully.
C:\Documents and Settings\Greg\Local Settings\Temporary Internet Files\Content.IE5\NSA33AHP\xmlProxy[1].htm moved successfully.
File\Folder C:\Documents and Settings\Greg\Local Settings\Temporary Internet Files\Content.IE5\2L384F5F\flextag[1].htm not found!
File\Folder C:\Documents and Settings\Greg\Local Settings\Temporary Internet Files\Content.IE5\2L384F5F\GFXHasherVerification[1].htm not found!
C:\Documents and Settings\Greg\Local Settings\Temporary Internet Files\Content.IE5\2L384F5F\LocalStorage[1].htm moved successfully.
C:\Documents and Settings\Greg\Local Settings\Temporary Internet Files\Content.IE5\2L384F5F\Messenger[1].htm moved successfully.
C:\Documents and Settings\Greg\Local Settings\Temporary Internet Files\Content.IE5\2L384F5F\outlook[1].htm moved successfully.
C:\Documents and Settings\Greg\Local Settings\Temporary Internet Files\Content.IE5\2L384F5F\resourcespreload[1].htm moved successfully.
C:\Documents and Settings\Greg\Local Settings\Temporary Internet Files\Content.IE5\2L384F5F\RteFrameResources[1].htm moved successfully.
File move failed. C:\WINDOWS\temp\_avast_\Webshlock.txt scheduled to be moved on reboot.

PendingFileRenameOperations files...

Registry entries deleted on Reboot...
---------------------------------------------------------------------

Okay, the next thing I did was run AdwCleaner.exe and I have attached the two files that were created during that process.

The next thing I did was run Rogue Killer and I have attached those logs as well. Thanks.
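As an added example (not from this thread or from OldTimer's OTL), here is a Python triage of the OTL fix-log format pasted above: it counts what was moved and what was not found, lists the files OTL deferred to reboot (the "File move failed ... scheduled to be moved on reboot" lines, which are the ones a helper re-checks after the restart), sums the per-folder byte counts under [EMPTYTEMP], and compares that sum with the "Total Files Cleaned" line. The sample log is constructed from a few of the lines above with smaller byte totals; the 1 MB tolerance is my choice, because OTL's total in the thread (1,156.00 mb) is a rounded figure for the byte counts it lists, which sum to roughly 1,155.7 MiB.

```python
import re

# Line shapes from an OTL fix log.
MOVED_RE = re.compile(r"^(?P<path>.+) moved successfully\.$")
PENDING_RE = re.compile(r"^File move failed\. (?P<path>.+) scheduled to be moved on reboot\.$")
NOT_FOUND_RE = re.compile(r" not found[.!]$")
BYTES_RE = re.compile(r"(?:emptied|removed): (?P<n>\d+) bytes$")
TOTAL_RE = re.compile(r"^Total Files Cleaned = (?P<mb>[\d,]+\.\d+) mb$")

# Constructed sample log: a handful of lines modelled on the thread's second OTL log.
SAMPLE_LOG = r"""
All processes killed
========== OTL ==========
Error: No service named BrowserDefendert was found to stop!
Service\Driver key BrowserDefendert not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\wuione not found.
File C:\WINDOWS\tasks\At1.job not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: Greg
->Temp folder emptied: 639518 bytes
->Temporary Internet Files folder emptied: 5957748 bytes
->Java cache emptied: 0 bytes

%systemroot% .tmp files removed: 6480609 bytes
Windows Temp folder emptied: 58205489 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 68.00 mb

C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

Files\Folders moved on Reboot...
File move failed. C:\Documents and Settings\Greg\Local Settings\Temp\JavaDeployReg.log scheduled to be moved on reboot.
C:\Documents and Settings\Greg\Local Settings\Temporary Internet Files\Content.IE5\YBQUJIUI\xmlProxy[1].htm moved successfully.
File\Folder C:\Documents and Settings\Greg\Local Settings\Temporary Internet Files\Content.IE5\NSA33AHP\default[1].htm not found!
File move failed. C:\WINDOWS\temp\_avast_\Webshlock.txt scheduled to be moved on reboot.
"""


def triage_otl_log(text):
    """Summarise an OTL fix log: counts, deferred moves, bytes cleaned, reported total."""
    result = {"moved": 0, "not_found": 0, "pending_reboot": [],
              "bytes_cleaned": 0, "reported_mb": None, "hosts_reset": False}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = PENDING_RE.match(line)
        if m:
            result["pending_reboot"].append(m["path"])
            continue
        if MOVED_RE.match(line):
            result["moved"] += 1
            continue
        if NOT_FOUND_RE.search(line):
            result["not_found"] += 1
            continue
        m = BYTES_RE.search(line)
        if m:
            result["bytes_cleaned"] += int(m["n"])
            continue
        m = TOTAL_RE.match(line)
        if m:
            result["reported_mb"] = float(m["mb"].replace(",", ""))
            continue
        if line == "HOSTS file reset successfully":
            result["hosts_reset"] = True
    return result


def totals_agree(result, tolerance_mb=1.0):
    """True if the summed byte counts match OTL's own 'Total Files Cleaned' (1024-based MB)."""
    if result["reported_mb"] is None:
        return False
    return abs(result["bytes_cleaned"] / 2 ** 20 - result["reported_mb"]) <= tolerance_mb


if __name__ == "__main__":
    summary = triage_otl_log(SAMPLE_LOG)
    print(summary)
    print("pending after reboot:", *summary["pending_reboot"], sep="\n  ")
    print("totals agree:", totals_agree(summary))
```

The "not found" count is useful on its own: in the thread's second run every entry in the fix script came back as not found, which is what you expect when the first run (the one whose log was cut short) had already removed them.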
 

Fiery

Level 1
Jan 11, 2011
2,007
Ok, please update your Malwarebytes Antimalware and perform a quick scan.

Do you still get the Pop-ups?
 

ghamilton

New Member
Thread author
Sep 7, 2013
12
Okay, I updated to the latest definitions on Malware Bytes Anti Malware and ran the quick scan as you requested. Please see log attached. Somehow, it came up with 8 threats which I deleted. I'm not sure how I'm still picking up stuff after I have run all of these cleaners over and over. Also, I noticed in my previous post that somehow one of the logs I pasted into the thread got converted to a different language or something although I'm 99% sure I looked at that log before I sent it and I could read it fine. Let me know if you want me to run that one again. No, I am not getting the aggressive pop-ups anymore that were in the lower left corner anytime I had my IE browser open. Thanks.
 

Fiery

Level 1
Jan 11, 2011
2,007
Hi,

There are still some rootkit leftovers on your PC. It may have been there originally. Let's run a more powerful tool. Please backup any important data you may have prior to running this program.

Please download ComboFix from one of these locations:

Link 1: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Link 2: http://www.infospyware.net/antimalware/combofix/

* IMPORTANT !!! Save ComboFix to your Desktop as ComboFix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. See http://www.bleepingcomputer.com/forums/topic114351.html for help.
  • Double click on Combo-Fix & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: (This applies to Windows XP systems only) If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, ComboFix will produce a log.

Note:
1. Do not mouseclick combofix's window while it's running. That may cause it to stall!
2. Remember to re-enable your anti-virus and anti-spyware before reconnecting to the Internet.
 

ghamilton

New Member
Thread author
Sep 7, 2013
12
I had a couple of problems initially trying to download the Combo Fix. The 1st site, Bleeping Computers, wanted to load me up with a lot of extra stuff, so I tried the 2nd link, but then I got a message saying I needed to validate the certificate of the software provider or something. I went back to the 1st link and just took my lumps. They loaded me up with white smoke toolbar, changed my search home page, added browser cleaner, price gong, a whole bunch of stuff. I went through and added/removed programs on everything they gave me plus went and manually deleted all Program Files that I got at that same time. Anyway, I might have some extra adware now, but it could be from when I downloaded Combo Fix from Bleeping Computer when I had my virus protection turned off. We will see.

I have attached all of the logs I could find that were generated by Combo Fix. I appreciate your help. Please let me know what to do next.
 

Fiery

Level 1
Jan 11, 2011
2,007
Hi,

I think you clicked on some advertisements that downloaded unwanted applications. You can run adwcleaner again and click delete to get rid of the adware.

Afterwards, please download Junkware Removal Tool to your desktop from here
  • Turn off your antivirus software now to avoid potential conflicts
  • Double-click to run the tool. For Windows Vista or 7 users, right-click the file and select Run as Administrator
  • The tool will open and start scanning your system
  • Please be patient as this can take a while to complete depending on your system's specifications
  • On completion, a log (JRT.txt) will be saved to your desktop and will automatically open
  • Post the contents of JRT.txt into your next reply

Next, open up Notepad and paste the following:

Folder::
c:\documents and settings\All Users\Application Data\Conduit
c:\documents and settings\Greg\Local Settings\Application Data\Conduit

Driver::
oehqhixy

File::
c:\windows\system32\drivers\htgfbkl.sys

DDS::
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"BrowserDefendert"=-
  • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
  • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
  • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
  • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
  • Follow the prompts.
  • When it finishes, a log will be produced named c:\combofix.txt
  • I will ask for this log below

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
:filefind
*Browserdefender*

:folderfind
*Browserdefender*

:Regfind
Browserdefender
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt
 

ghamilton

New Member
Thread author
Sep 7, 2013
12
Okay, I re-ran Adwcleaner again and deleted what was found. I also ran the other 3 programs you requested with the applicable scripts. Please see attached logs. Thanks.
 

Attachments

  • ComboFix.txt
  • JRT.txt
  • SystemLook.txt
  • AdwCleaner[R1].txt
  • AdwCleaner[S1].txt

Fiery

Level 1
Jan 11, 2011
2,007
Looks good. Any other adware that got installed that wasn't removed in the previous scans? How is your PC running?

Please update Malwarebytes Anti-Malware and do a quick scan. Then,

Run Eset NOD32 Online AntiVirus here

Note: You will need to use Internet Explorer for this scan.
Vista / 7 users: You will need to right-click on the Internet Explorer icon and select Run as Administrator
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Disable your current antivirus software. You can usually do this with its Notification Tray icon near the clock.
  • Make sure that the option "Remove found threats" is unchecked, and the following Advanced Settings are checked
    • Scan unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Click Scan
  • Wait for the scan to finish
  • When the scan is done, if it shows a screen that says "Threats found!", then click "List of found threats", and then click "Export to text file..."
  • Save that text file on your desktop. Copy and paste the contents of that log in your next reply to this topic.
  • The log can also be found in the logfile located at C:\Program Files\ESET\Eset Online Scanner\log.txt
 

ghamilton

New Member
Thread author
Sep 7, 2013
12
Yeah, looks good. Haven't had any pop-ups for a long time now, although as we keep running these various adware cleaners, it seems like these cleaners are still picking things up. They must not be nearly as aggressive & bad as what was on there originally though.

I updated Malware Bytes Anti-Malware and ran a scan. Here is the log that was created.

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.09.18.01

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Greg :: GX280-11DEF53E3 [administrator]

9/17/2013 8:47:58 PM
mbam-log-2013-09-17 (20-47-58).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 286904
Time elapsed: 15 minute(s), 18 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 4
C:\Documents and Settings\Greg\Application Data\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\{0113D088-8ED1-468C-B225-585A9C53B5E3} (PUP.Optional.TopArcadeHits.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\Greg\Application Data\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\{0113D088-8ED1-468C-B225-585A9C53B5E3}\chrome (PUP.Optional.TopArcadeHits.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\Greg\Application Data\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\{0113D088-8ED1-468C-B225-585A9C53B5E3}\chrome\content (PUP.Optional.TopArcadeHits.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\Greg\Application Data\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\{0113D088-8ED1-468C-B225-585A9C53B5E3}\skin (PUP.Optional.TopArcadeHits.A) -> Quarantined and deleted successfully.

Files Detected: 6
C:\Documents and Settings\Greg\Application Data\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\{0113D088-8ED1-468C-B225-585A9C53B5E3}\chrome.manifest (PUP.Optional.TopArcadeHits.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\Greg\Application Data\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\{0113D088-8ED1-468C-B225-585A9C53B5E3}\icon.png (PUP.Optional.TopArcadeHits.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\Greg\Application Data\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\{0113D088-8ED1-468C-B225-585A9C53B5E3}\install.rdf (PUP.Optional.TopArcadeHits.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\Greg\Application Data\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\{0113D088-8ED1-468C-B225-585A9C53B5E3}\chrome\content\browser.xul (PUP.Optional.TopArcadeHits.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\Greg\Application Data\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\{0113D088-8ED1-468C-B225-585A9C53B5E3}\chrome\content\toparcadehits.js (PUP.Optional.TopArcadeHits.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\Greg\Application Data\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\{0113D088-8ED1-468C-B225-585A9C53B5E3}\skin\style.css (PUP.Optional.TopArcadeHits.A) -> Quarantined and deleted successfully.

(end)

---------------------------------------------------------------------------------------------------------

One thing I may have forgotten to mention earlier. I use a memory stick for my backup, so throughout the course of the day or week, I will have it in there every now and then. Sometime at the beginning of this ordeal, I ran a scan on it and detected several items and deleted them. I wonder if stuff keeps jumping off of the memory stick onto my hard drive.

I ran the ESET cleaner and here is what it found. Thanks.

C:\ADWCLEANER\QUARANTINE\C\PROGRAM FILES\WAJAM\UPDATER\WAJAMUPDATER.EXE.VIR WIN32/WAJAM.A APPLICATION
C:\DOCUMENTS AND SETTINGS\GRACIE\APPLICATION DATA\PDF WRITER PACKAGES\UNINSTALLER.EXE A VARIANT OF WIN32/INSTALLCORE.AZ APPLICATION
C:\DOCUMENTS AND SETTINGS\GREG\DESKTOP\CBSIDLM-TR1_15-ADWCLEANER-SEO-75851221.EXE WIN32/DOWNLOADADMIN.G APPLICATION
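The Malwarebytes logs posted in this thread share one layout: a header, then "Section Detected: N" blocks, each followed by one line per item carrying the path, the detection name in parentheses and the action taken. As an added example (not from the thread, the poster, or Malwarebytes), here is a small Python parser for that layout that also does the triage Fiery applies by hand: separating PUP/PUM entries from real malware, listing anything MBAM did not quarantine, and checking that each block's declared count matches the lines under it. The sample log below is constructed in that layout, with a shortened GUID folder and an invented .sys entry.

```python
import re
from collections import Counter
# Constructed sample in the layout of the Malwarebytes 1.75 logs posted above
# (GUID folder shortened, the .sys entry invented); not the poster's real log.
SAMPLE_LOG = r"""Scan type: Quick scan

Registry Keys Detected: 0
(No malicious items detected)

Folders Detected: 1
C:\Documents and Settings\Greg\Application Data\Mozilla\Extensions\{GUID}\chrome (PUP.Optional.TopArcadeHits.A) -> Quarantined and deleted successfully.

Files Detected: 2
C:\Documents and Settings\Greg\Application Data\Mozilla\Extensions\{GUID}\install.rdf (PUP.Optional.TopArcadeHits.A) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\example.sys (Trojan.Agent) -> No action taken.

(end)
"""

SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+) Detected: (?P<count>\d+)$")
ITEM_RE = re.compile(r"^(?P<path>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")

def parse_mbam_log(text):
    """Return {section: {"declared": N, "items": [{"path", "family", "action"}, ...]}}."""
    sections, current = {}, None
    for line in (ln.strip() for ln in text.splitlines()):
        header = SECTION_RE.match(line)
        if header:
            current = header.group("section")
            sections[current] = {"declared": int(header.group("count")), "items": []}
        elif current and line and not line.startswith("("):  # skips "(No malicious...)" and "(end)"
            item = ITEM_RE.match(line)
            if item:
                sections[current]["items"].append(item.groupdict())
    return sections

def summarize(sections):
    """Triage: detections per family, PUP/PUM (unwanted programs) vs malware counts,
    items MBAM did not quarantine, and sections whose header count mismatches."""
    out = {"families": Counter(), "unwanted": 0, "malware": 0, "pending": [], "mismatched": []}
    for name, sec in sections.items():
        if sec["declared"] != len(sec["items"]):
            out["mismatched"].append(name)
        for it in sec["items"]:
            out["families"][it["family"]] += 1
            out["unwanted" if it["family"].split(".")[0] in ("PUP", "PUM") else "malware"] += 1
            if not it["action"].startswith("Quarantined"):
                out["pending"].append(it["path"])
    return out
```

A non-empty "pending" list or a "mismatched" section is the thing worth a second look in a posted log; a block of PUP.Optional entries that were all quarantined is the benign case Fiery describes.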
 

Fiery

Level 1
Jan 11, 2011
2,007
Hi,

The things malwarebytes and ESET detected are not really "threats." They are unwanted applications and already quarantined items.

If you suspect there are things on your USB, you can perform a Full Scan with Malwarebytes Antimalware and you will have the choice to scan the USB. Let me know the results. If all is good, then we will clean up the tools we used and reset some settings on your PC.
 

ghamilton

New Member
Thread author
Sep 7, 2013
12
I scanned my memory stick with MWB. It found nothing suspicious. See below. Thanks.

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.09.20.04

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Greg :: GX280-11DEF53E3 [administrator]

9/20/2013 7:38:15 AM
mbam-log-2013-09-20 (07-38-15).txt

Scan type: Full scan (G:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 276777
Time elapsed: 6 minute(s), 4 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
 

Fiery

Level 1
Jan 11, 2011
2,007
Ok that's good. I don't think your USB is infected, nor is malware jumping on and off your USB. The things malwarebytes detected were not the original malware that caused all the nuisance and pop-ups.

If you are no longer experiencing any other issues, your PC should be clean!

Double click on OTL to run it
  • Click on the Cleanup button at the top.
  • You will be asked to reboot the machine to finish the Cleanup process. Choose Yes
  • This will remove itself and other tools we may have used.

Also, open adwCleaner and click Uninstall

Now that your PC is clean, I recommend you create a new System Restore point and then purge the old ones.

For XP
How to create a Restore Point in XP
Delete all restore points except the most recent one

Keeping your programs (especially Adobe and Java products) updated is essential. Outdated programs make your PC more vulnerable to future malware threats. To help you:
  • Download and install Update Checker. It will notify you if any of your programs require an update.
  • Microsoft releases patches for Windows and Office products regularly to patch up Windows and Office product bugs and vulnerabilities.
  • Please ensure you update your system regularly and have automatic updates on. You can learn how to turn Automatic Updates on here

In addition to your antivirus, you need additional protection such as a firewall and behavioural blocker. However, adding one of these programs may slow down performance. It is for you to decide the trade-off between more security and a faster PC.

Other steps that you may want to do to further protect your system/files:
  • Sandboxie - "Quarantines" your browser so anything that you do in it will be isolated from your system.
  • Back up important files regularly to an external hard drive or USB

Here are only a few suggestions that will improve your system security. Should you wish to allow us to make full recommendations and set your PC up with maximum security, please start a thread here. Our community of PC enthusiasts and experts will give you feedback and help you secure your system from future malware infections.

Should you want to try a product but don't know how it performs, here is a list of current reviews to help you decide.

Internet Explorer may be the most popular browser but it's definitely not the most secure browser. Consider using other browsers with additional add-ons to safeguard your system while browsing the internet.

Firefox is a more secure, faster browser than Internet Explorer. Firefox contains fewer vulnerabilities, reducing the risk of drive-by downloads. In addition, you can add the following add-ons to increase security.
  • KeyScrambler - Encrypts your keystrokes to protect you against keyloggers that steal personal & banking information
  • AdBlock - Disables/blocks advertisements on websites so you won't accidentally click on a malicious ad.
  • NoScript - Disables Flash & Java content to avoid exploits or drive-by attacks
  • Web of Trust - Shows the website rating by other users and blocks dangerous and poor-rated sites

Google Chrome is another good browser that is faster and more secure than Internet Explorer by having a sandbox feature. Additionally, you can add the following add-on to Chrome to heighten security.

Lastly, it is important to perform system maintenance on a regular basis. Here are a few tools and on-demand scanners that you should keep & use every 1-2 weeks to keep your system healthy.

Other than that, stay safe out there! If you have any other questions or concerns, feel free to ask :)

My virus removal help is always free. Should you wish to show your appreciation via a donation, it will be much appreciated.
 
