BleepingComputer.com: Small Box On Top Left Coner On Start Up

I have no idea what is happening. This happened about 2 weeks ago. So once i start up my computer this small box appears and i cant do anything to it except right clicking it and moving it around. All i hear from the box is click sounds ( you know on internet explore when you click a link it makes a click sound) After, many pop-up starts popping up and its always this new1.adultworld one. On the small box when i right click and click view source i sometimes get www.jeeran.com or www.ahmedriad75.jeeran.com. Oh sometimes i get this internet explore error script thing that gives you a yes or no button. When i look at the task manager i see iexplore.exe when i end that process the box is gone and so are the ads but will re apear when i start the computer up again. Ever since i got this box thing my computer seems slow and seem to act up sometimes like error messages saying the program crashed or something. I have used many virus program, spyware program, etc but no of them seem to remove that box and i don't really want to reformat my computer. Is there anyone that has this similar problem and can help me remove it? I searched about this some people had the same problem but it didn't help me.

Please Help!!

Heres a screenshot

 virus.jpg (383.97K)
Number of downloads: 24

hi,,,, it looks like you have a hijacker and by the looks of it the security is trying to block the site from loading, and the site keeps trying to load again,, this is the clicking noise,,,
download this scanner,,,, blue tab free version,,,
http://www.malwarebytes.org/
and how to use it
http://www.udel.edu/topics/spyware/malwarebytes.html
also download this cleaner to flush out the browser,,, instructions on use are on the download page just below the download link,,,,
http://www.atribune.org/index.php?option=c...5&Itemid=25
if this does not get it then repost in the security section in the "am i infected" forum and also post a link this thread
good luck.

superantispyware at http://www.superantispyware.com is another great malware remover u can try and http://www.avira.com has a good antivirus thats free and awesome too.

Hello ,please post your Malwarebytes and SUPER A logs after the scan.
I am moving this from Vista to the Am I Infected forum.

We Need to check for Rootkits with RootRepeal

• Download RootRepeal from the following location and save it to your desktop.
  • Direct Download (Recommended)
    • Primary Mirror
      
    • Secondary Mirror
      
    • Secondary Mirror
      
    • Secondary Mirror
    
    
  • Zip Mirrors (Recommended if you have a slower connection or if the Direct Download mirror is down)
    
    • Primary Mirror
      
      
    • Secondary Mirror
      
      
    • Secondary Mirror
    
    
  • Rar Mirrors - Only if you know what a RAR is and can extract it.
    
    • Primary Mirror
      
      
    • Secondary Mirror
      
      
    • Secondary Mirror
  
  
• Extract RootRepeal.exe from the archive (If you did not use the "Direct Download" mirror).
  
• Open on your desktop.
  
• Click the tab.
  
• Click the button.
  
• Check all seven boxes:
  
• Push Ok
  
• Check the box for your main system drive (Usually C:), and press Ok.
  
• Allow RootRepeal to run a scan of your system. This may take some time.
  
• Once the scan completes, push the button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

I downloaded RootRepeal but when i opened the program i got an error saying this does not support 64 bit OS

This one does.

Please download Sophos Anti-rootkit & save it to your desktop.
alternate download link
Note: If using the vendor's download site you will be asked to register with MySophos so an email containing an activation link can be sent to your email address.

Be sure to print out and read the Sophos Anti-Rookit User Manual and Release Notes.

• Double-click sar_15_sfx.exe to begin the installation, read the license agreement and click Accept.
  
• Allow the default location of C:\Program Files\Sophos\Sophos Anti-Rootkit and click Install.
  
• A message will appear "Sophos Anti-Rootkit was successfully installed. Click 'yes' to start it now".
  
• Click Yes and allow the driver and its randomly named .tmp file (i.e. F.tmp) to load if asked.
  
• If the scan did not start automatically, make sure the following are checked:
  
  
  • Running processes
    
  • Windows Registry
    
  • Local Hard Drives
  
  
• Click Start scan.
  
• Sophos Anti-Rootkit will scan the selected areas and display any suspicious files in the upper panel.
  
• When the scan is complete, a pop-up screen will appear with "Rootkit Scan Results". Click OK to continue.
  
• Click on the suspicious file to display more information about it in the lower panel which also includes whether the item is recommended for removal.
  • Files tagged as Removable: No are not marked for removal and cannot be removed.
    
  • Files tagged as Removable: Yes (clean up recommended) are marked for removal by default.
    
  • Files tagged as Removable: Yes (but clean up not recommended) are not marked for removal because Sophos did not recognize them. These files will require further investigation.
  
  
• Select only items recommended for removal, then click "Clean up checked items". You will be asked to confirm, click Yes.
  
• A pop up window will appear advising the cleanup will finish when you restart your computer. Click Restart Now.
  
• After reboot, a dialog box displays the files you selected for removal and the action taken.
  
• Click Empty list and then click Continue to re-scan your computer a second time to ensure everything was cleaned.
  
• When done, go to Start > Run and type or copy/paste: %temp%\sarscan.log
  
• This should open the log from the rootkit scan. Please post this log in your next reply. If you have a problem, you can find sarscan.log in C:\Documents and Settings\<username>\Local Settings\Temp\.

Before performing an ARK scan it is recommended to do the following to ensure more accurate results and avoid common issues that may cause false detections.

• Disconnect from the Internet or physically unplug you Internet cable connection.
  
• Clean out your temporary files.
  
• Close all open programs, scheduling/updating tasks and background processes that might activate during the scan including the screensaver.
  
• Temporarily disable your anti-virus and real-time anti-spyware protection.
  
• After starting the scan, do not use the computer until the scan has completed.
  
• When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.

Sophos Anti-Rootkit Version 1.5.0 © 2009 Sophos Plc
Started logging on 26/11/2009 at 22:51:18 PM
User "Anthony" on computer "ANTHONY-PC"
Windows version 6.0 SP 2.0 Service Pack 2 build 6002 SM=0x100 PT=0x1 WOW64
Info: Starting registry scan.
Hidden: registry item \HKEY_USERS\S-1-5-21-367350868-1995089442-3628444069-1000\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{9B1F01C7-96F0-18D5-E8BD-18C5EBE098C6}\bbmpipgemijacfbcgecidoigeblpmphcbego
Info: Starting disk scan of C: (NTFS).
Hidden: file C:\Windows\System32\config\RegBack\COMPONENTS.LOG1
Hidden: file C:\Windows\Temp\TMP0000000650EE1B079E09AC60
Hidden: file C:\Windows\Temp\TMP00000098C99F4B26A8739094
Hidden: file C:\Windows\System32\drivers\sptd.sys
Hidden: file C:\Users\Anthony\AppData\Local\Microsoft\Messenger\@hotmail.com\SharingMetadata\st@hotmail.com\DFSR\Staging\CS{02394ADA-C443-4385-9891-E087BE189A07}\01\10-{02394ADA-C443-4385-9891-E087BE189A07}-v1-{DC177EA2-66AB-457D-A0FA-72F8D6DD2137}-v10-Downloaded.frx
Hidden: file C:\Users\Anthony\AppData\Local\Microsoft\Messenger\hotmail.com\SharingMetadata\s@hotmail.com\DFSR\Staging\CS{02394ADA-C443-4385-9891-E087BE189A07}\11\11-{DC177EA2-66AB-457D-A0FA-72F8D6DD2137}-v11-{DC177EA2-66AB-457D-A0FA-72F8D6DD2137}-v11-Downloaded.frx
Hidden: file C:\Users\Anthony\AppData\Local\Microsoft\Messenger\@hotmail.com\SharingMetadata\@hotmail.com\DFSR\Staging\CS{02394ADA-C443-4385-9891-E087BE189A07}\12\12-{DC177EA2-66AB-457D-A0FA-72F8D6DD2137}-v12-{DC177EA2-66AB-457D-A0FA-72F8D6DD2137}-v12-Downloaded.frx
Hidden: file C:\Users\Anthony\AppData\Local\Microsoft\Messenger\.com\SharingMetadata\s@hotmail.com\DFSR\Staging\CS{02394ADA-C443-4385-9891-E087BE189A07}\14\14-{DC177EA2-66AB-457D-A0FA-72F8D6DD2137}-v14-{DC177EA2-66AB-457D-A0FA-72F8D6DD2137}-v14-Downloaded.frx
Hidden: file C:\Users\Anthony\AppData\Local\Microsoft\Messenger\.com\SharingMetadata\s@hotmail.com\DFSR\Staging\CS{02394ADA-C443-4385-9891-E087BE189A07}\12\12-{DC177EA2-66AB-457D-A0FA-72F8D6DD2137}-v12-{DC177EA2-66AB-457D-A0FA-72F8D6DD2137}-v12-Downloaded.frx
Hidden: file C:\Program Files (x86)\rcv4\winwood\87\ROCKWELL.wav
Hidden: file C:\Windows\Temp\TMP000000012DC2E2DAC8041FA1
Stopped logging on 27/11/2009 at 0:45:32 AM


Sophos Anti-Rootkit Version 1.5.0 © 2009 Sophos Plc
Started logging on 28/11/2009 at 10:28:31 AM
User "Anthony" on computer "ANTHONY-PC"
Windows version 6.0 SP 2.0 Service Pack 2 build 6002 SM=0x100 PT=0x1 WOW64
Info: Starting registry scan.
Hidden: registry item \HKEY_USERS\S-1-5-21-367350868-1995089442-3628444069-1000\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{9B1F01C7-96F0-18D5-E8BD-18C5EBE098C6}\bbmpipgemijacfbcgecidoigeblpmphcbego
Info: Starting disk scan of C: (NTFS).
Hidden: file C:\Windows\System32\config\RegBack\COMPONENTS.LOG1
Hidden: file C:\Windows\Temp\TMP0000000650EE1B079E09AC60
Hidden: file C:\Windows\Temp\TMP00000098C99F4B26A8739094
Hidden: file C:\Users\Anthony\AppData\Local\Microsoft\Windows Live Contacts\{25c5c49f-fca0-4a38-bee0-8e985eebe2dd}\DBStore\tempedb.edb
Hidden: file C:\Windows\System32\drivers\sptd.sys
Hidden: file C:\Users\Anthony\Desktop\ALL FOLDERS\canon\2008_08_08\IMG_0015.JPG
Hidden: file C:\Users\Anthony\Desktop\ALL FOLDERS\canon\2008_08_08\IMG_0016.JPG
Hidden: file C:\Users\Anthony\Desktop\ALL FOLDERS\canon\2008_08_08\IMG_0020.JPG
Hidden: file C:\Users\Anthony\Desktop\ALL FOLDERS\canon\2008_08_08\IMG_0021.JPG
Hidden: file C:\Users\Anthony\Desktop\ALL FOLDERS\canon\2008_08_08\IMG_0022.JPG
Hidden: file C:\Users\Anthony\Desktop\ALL FOLDERS\canon\2008_08_08\IMG_0023.JPG
Hidden: file C:\Users\Anthony\Desktop\ALL FOLDERS\canon\2008_08_08\IMG_0024.JPG
Hidden: file C:\Users\Anthony\Desktop\ALL FOLDERS\canon\2008_08_08\IMG_0025.JPG
Hidden: file C:\Users\Anthony\Desktop\ALL FOLDERS\canon\2008_08_08\IMG_0026.JPG
Hidden: file C:\Users\Anthony\Desktop\ALL FOLDERS\canon\2008_08_08\IMG_0027.JPG
Hidden: file C:\Users\Anthony\Desktop\ALL FOLDERS\canon\2008_08_08\IMG_0028.JPG
Hidden: file C:\Users\Anthony\Desktop\ALL FOLDERS\canon\2008_08_08\IMG_0029.JPG
Hidden: file C:\Users\Anthony\Desktop\ALL FOLDERS\canon\2008_08_08\IMG_0030.JPG
Hidden: file C:\Users\Anthony\Desktop\ALL FOLDERS\canon\2008_08_08\IMG_0031.JPG
Hidden: file C:\Users\Anthony\Desktop\ALL FOLDERS\canon\2008_08_08\IMG_0032.JPG
Hidden: file C:\Users\Anthony\AppData\Local\Microsoft\Messenger\@hotmail.com\SharingMetadata\steven900917@hotmail.com\DFSR\Staging\CS{02394ADA-C443-4385-9891-E087BE189A07}\01\10-{02394ADA-C443-4385-9891-E087BE189A07}-v1-{DC177EA2-66AB-457D-A0FA-72F8D6DD2137}-v10-Downloaded.frx
Hidden: file C:\Users\Anthony\AppData\Local\Microsoft\Messenger\hotmail.com\SharingMetadata\st@hotmail.com\DFSR\Staging\CS{02394ADA-C443-4385-9891-E087BE189A07}\11\11-{DC177EA2-66AB-457D-A0FA-72F8D6DD2137}-v11-{DC177EA2-66AB-457D-A0FA-72F8D6DD2137}-v11-Downloaded.frx
Hidden: file C:\Users\Anthony\AppData\Local\Microsoft\Messenger\@hotmail.com\SharingMetadata\steven900917@hotmail.com\DFSR\Staging\CS{02394ADA-C443-4385-9891-E087BE189A07}\12\12-{DC177EA2-66AB-457D-A0FA-72F8D6DD2137}-v12-{DC177EA2-66AB-457D-A0FA-72F8D6DD2137}-v12-Downloaded.frx
Hidden: file C:\Users\Anthony\AppData\Local\Microsoft\Messenger\@hotmail.com\SharingMetadata\s7@hotmail.com\DFSR\Staging\CS{02394ADA-C443-4385-9891-E087BE189A07}\14\14-{DC177EA2-66AB-457D-A0FA-72F8D6DD2137}-v14-{DC177EA2-66AB-457D-A0FA-72F8D6DD2137}-v14-Downloaded.frx
Hidden: file C:\Users\Anthony\AppData\Local\Microsoft\Messenger\@hotmail.com\SharingMetadata\@hotmail.com\DFSR\Staging\CS{02394ADA-C443-4385-9891-E087BE189A07}\12\12-{DC177EA2-66AB-457D-A0FA-72F8D6DD2137}-v12-{DC177EA2-66AB-457D-A0FA-72F8D6DD2137}-v12-Downloaded.frx
Hidden: file C:\Windows\Temp\TMP000000012DC2E2DAC8041FA1
Stopped logging on 28/11/2009 at 12:32:37 PM

This post has been edited by boopme: 28 November 2009 - 04:11 PM

still need help

Can you run SAS and MBAM?

boopme, on Nov 28 2009, 07:12 PM, said:

Whats SAS and MBAM?

Sorry,, Thought thaty was in an earlier post.
Next run MBAM (MalwareBytes):

NOTE: Before saving MBAM please rename it to zztoy.exe....now save it to your desktop.

Please download Malwarebytes Anti-Malware and save it to your desktop.

alternate download link

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

• Make sure you are connected to the Internet.
  
• Double-click on mbam-setup.exe to install the application.
  
• When the installation begins, follow the prompts and do not make any changes to default settings.
  
• When installation has finished, make sure you leave both of these checked:
  • Update Malwarebytes' Anti-Malware
    
  • Launch Malwarebytes' Anti-Malware
  
  
• Then click Finish.

MBAM will automatically start and you will be asked to update the program before performing a scan.

• If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  
• If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.

On the Scanner tab:

• Make sure the "Perform Quick Scan" option is selected.
  
• Then click on the Scan button.
  
• If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  
• The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  
• When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  
• Click OK to close the message box and continue with the removal process.

Back at the main Scanner screen:

• Click on the Show Results button to see a list of any malware that was found.
  
• Make sure that everything is checked, and click Remove Selected.
  
• When removal is completed, a log report will open in Notepad.
  
• The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  
• Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  
• Exit MBAM when done.

Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.



Next run MBAM (MalwareBytes):

NOTE: Before saving MBAM please rename it to zztoy.exe....now save it to your desktop.

Please download Malwarebytes Anti-Malware and save it to your desktop.

alternate download link

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

• Make sure you are connected to the Internet.
  
• Double-click on mbam-setup.exe to install the application.
  
• When the installation begins, follow the prompts and do not make any changes to default settings.
  
• When installation has finished, make sure you leave both of these checked:
  • Update Malwarebytes' Anti-Malware
    
  • Launch Malwarebytes' Anti-Malware
  
  
• Then click Finish.

MBAM will automatically start and you will be asked to update the program before performing a scan.

• If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  
• If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.

On the Scanner tab:

• Make sure the "Perform Quick Scan" option is selected.
  
• Then click on the Scan button.
  
• If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  
• The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  
• When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  
• Click OK to close the message box and continue with the removal process.

Back at the main Scanner screen:

• Click on the Show Results button to see a list of any malware that was found.
  
• Make sure that everything is checked, and click Remove Selected.
  
• When removal is completed, a log report will open in Notepad.
  
• The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  
• Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  
• Exit MBAM when done.

Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

Hmm.. It didn't find anything. Here is the log:



Malwarebytes' Anti-Malware 1.41
Database version: 3253
Windows 6.0.6002 Service Pack 2

28/11/2009 8:26:47 PM
mbam-log-2009-11-28 (20-26-47).txt

Scan type: Quick Scan
Objects scanned: 101550
Time elapsed: 4 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

As I cannot find anymore Malware we can do to things. First run SFC... If that doesn't change it poand HJT log.

SFC

Please run System File Checker sfc /scannow... For more information on this tool see How To Use Sfc.exe To Repair System Files

NOTE for Vista users..The command needs to be run from an elevated Command Prompt.
Click Start, type cmd into the Start/Search box,
right-click cmd.exe in the list above and select 'Run as Administrator'


You will need your operating system CD handy.

Open Windows Task Manager....by pressing CTRL+SHIFT+ESC

Then click File.. then New Task(Run)

In the box that opens type sfc /scannow ......There is a space between c and /

Click OK
Let it run and insert the XP CD when asked.



To run HJT/DDS.
Please follow this guide. go and do steps 6 thru 8 ,, Preparation Guide For Use Before Using Hijackthis. Then go here HijackThis Logs and Virus/Trojan/Spyware/Malware Removal ,click New Topic,give it a relevant Title and post that complete log.

Let me know if it went OK.

Hello,

Now that you have posted a log here: http://www.bleepingcomputer.com/forums/topic275291.html you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a HJT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

Please be patient. It may take several days, up to two weeks perhaps less, to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom