BleepingComputer.com: Daily 7 News and other Pop Ups issue


Daily 7 News and other Pop Ups issue

#1 AndyRobbb

  • New Member
  • Group: Members
  • Posts: 5
  • Joined: 28-January 12

Posted 29 January 2012 - 03:24 AM

Hello,

I'm having an issue where I get Daily 7 News pop ups (along with a handful of other suspicious sites) at seemingly random times when I'm online. Their appearance doesn't seem obviously keyed to any specific website or action on my part. This issue appeared around the same time as a Google redirect virus, and with the help of Malwarebytes and CCleaner, I appear to have dealt with that aspect for good. However, Malwarebytes and Symantec both now read clean, and the pop ups continue. Any advice would be greatly appreciated. Here's my DDS log:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421
Run by Ady1 at 19:05:02 on 2012-01-28
Microsoft Windows 7 Professional 6.1.7600.0.1252.1.1033.18.894.173 [GMT -10:00]
.
AV: Symantec Endpoint Protection *Enabled/Updated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Symantec Endpoint Protection *Enabled/Updated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\Ati2evxx.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\OpenOffice.org 3\program\swriter.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil11e_ActiveX.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\taskmgr.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Ask.com\UpdateTask.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
StartupFolder: c:\users\ady1\appdata\roaming\micros~1\windows\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
LSP: mswsock.dll
Trusted Zone: phoenix.edu
Trusted Zone: phoenix.edu\classroom
DPF: {4AB16005-E995-4A60-89DE-8B8A3E6EB5B0} - hxxp://www.worldwinner.com/games/v56/trivialpursuit/trivialpursuit.cab
DPF: {64CD313F-F079-4D93-959F-4D28B5519449} - hxxp://www.worldwinner.com/games/v56/jeopardy/jeopardy.cab
DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - hxxp://www.worldwinner.com/games/shared/wwlaunch.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {94299420-321F-4FF9-A247-62A23EBB640B} - hxxp://www.worldwinner.com/games/v46/wordmojo/wordmojo.cab
DPF: {A52FBD2B-7AB3-4F6B-90E3-91C772C5D00F} - hxxp://www.worldwinner.com/games/v57/wof/wof.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://juniper.net/dana-cached/sc/JuniperSetupClient.cab
TCP: DhcpNameServer = 24.25.227.55 209.18.47.61 24.25.227.53
TCP: Interfaces\{BA4D6EA3-855B-4B53-A456-2CC5770D3831} : DhcpNameServer = 4.2.2.2 4.2.2.3 4.2.2.4
TCP: Interfaces\{C3B7A911-1DE9-4489-A7AE-A9F467687CEA} : DhcpNameServer = 24.25.227.55 209.18.47.61 24.25.227.53
TCP: Interfaces\{C3B7A911-1DE9-4489-A7AE-A9F467687CEA}\16474777966696 : DhcpNameServer = 192.168.6.1 64.134.255.2 64.134.255.10
TCP: Interfaces\{C3B7A911-1DE9-4489-A7AE-A9F467687CEA}\4586560284F657375602F6E602458656028496C6C6 : DhcpNameServer = 192.168.2.1
TCP: Interfaces\{C3B7A911-1DE9-4489-A7AE-A9F467687CEA}\75169707F62747F5143636563737 : DhcpNameServer = 192.168.5.1 64.134.255.2 64.134.255.10
.
============= SERVICES / DRIVERS ===============
.
.
=============== Created Last 30 ================
.
2012-01-29 02:46:33 -------- d-----w- c:\programdata\PC Tools
2012-01-28 06:07:13 -------- d--h--w- c:\windows\msdownld.tmp
2012-01-28 06:03:00 748336 ----a-w- c:\program files\internet explorer\iexplore.exe
2012-01-28 06:03:00 74752 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
2012-01-28 04:14:57 -------- d-----w- c:\program files\CCleaner
2012-01-22 01:52:10 1037312 ----a-w- c:\windows\system32\lsasrv.dll
2012-01-22 01:52:09 224768 ----a-w- c:\windows\system32\schannel.dll
2012-01-22 01:52:08 369352 ----a-w- c:\windows\system32\drivers\cng.sys
2012-01-22 01:52:08 134000 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2012-01-22 01:52:06 67440 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-01-22 01:52:05 99840 ----a-w- c:\windows\system32\sspicli.dll
2012-01-22 01:52:05 314368 ----a-w- c:\windows\system32\webio.dll
2012-01-22 01:52:05 22528 ----a-w- c:\windows\system32\lsass.exe
2012-01-22 01:52:05 22016 ----a-w- c:\windows\system32\secur32.dll
2012-01-22 01:52:05 15360 ----a-w- c:\windows\system32\sspisrv.dll
2012-01-12 04:02:36 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-01-11 07:51:21 67072 ----a-w- c:\windows\system32\packager.dll
2012-01-11 07:51:16 1288984 ----a-w- c:\windows\system32\ntdll.dll
2012-01-11 07:51:03 1328640 ----a-w- c:\windows\system32\quartz.dll
2012-01-11 07:51:02 514560 ----a-w- c:\windows\system32\qdvd.dll
.
==================== Find3M ====================
.
2012-01-28 06:03:00 161792 ----a-w- c:\windows\system32\msls31.dll
2011-12-11 01:24:06 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-24 04:23:31 2340352 ----a-w- c:\windows\system32\win32k.sys
2011-11-05 04:30:11 2048 ----a-w- c:\windows\system32\tzres.dll
.
============= FINISH: 19:09:13.20 ===============

Attached File(s)

  • Gmer.log (26.18K)
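As an added triage aid (example code written for this page, not part of the thread and not code from the DDS tool), the script below parses the "Pseudo HJT Report" section of a DDS log like the one posted above into structured records and reports what a responder reviews first: the browser add-on entry points (BHO and TB lines), the ActiveX download hosts (DPF lines), and any network interface whose DHCP-assigned resolvers differ from the global DhcpNameServer list. The embedded sample is a trimmed copy of lines from the posted log; the regular expressions are assumptions about the DDS line format inferred from those lines.

```python
import ipaddress
import re

# Constructed sample: a trimmed excerpt of the "Pseudo HJT Report" section from the
# DDS log posted above. DDS writes URLs as hxxp:// so they are not clickable.
SAMPLE_DDS = r"""
============== Pseudo HJT Report ===============
.
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - hxxp://www.worldwinner.com/games/shared/wwlaunch.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
TCP: DhcpNameServer = 24.25.227.55 209.18.47.61 24.25.227.53
TCP: Interfaces\{BA4D6EA3-855B-4B53-A456-2CC5770D3831} : DhcpNameServer = 4.2.2.2 4.2.2.3 4.2.2.4
TCP: Interfaces\{C3B7A911-1DE9-4489-A7AE-A9F467687CEA}\4586560284F657375602F6E602458656028496C6C6 : DhcpNameServer = 192.168.2.1
.
============= SERVICES / DRIVERS ===============
"""

# Line patterns are assumptions based on the lines shown in the posted log.
ADDON_RE = re.compile(r"^(?P<kind>BHO|TB): (?P<name>.*?): \{(?P<clsid>[^}]+)\} - (?P<path>.*)$")
RUN_RE = re.compile(r"^(?P<kind>[mu]Run): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
DPF_RE = re.compile(r"^DPF: \{(?P<clsid>[^}]+)\} - (?P<url>\S+)$")
DNS_RE = re.compile(r"^TCP: (?:Interfaces\\(?P<iface>\S+) : )?DhcpNameServer = (?P<servers>.+)$")


def hjt_lines(dds_text):
    """Yield only the entry lines of the Pseudo HJT Report section."""
    inside = False
    for line in dds_text.splitlines():
        if line.startswith("=") and "Pseudo HJT Report" in line:
            inside = True
            continue
        if inside and line.startswith("="):
            return  # next section header: stop
        if inside and line.strip() and line.strip() != ".":
            yield line.rstrip()


def parse_hjt(dds_text):
    """Parse the section into lists of records keyed by entry kind."""
    out = {"addons": [], "run": [], "dpf": [], "dns": []}
    for line in hjt_lines(dds_text):
        if m := ADDON_RE.match(line):
            out["addons"].append(m.groupdict())
        elif m := RUN_RE.match(line):
            out["run"].append(m.groupdict())
        elif m := DPF_RE.match(line):
            d = m.groupdict()
            # Recover the host from the defanged URL for reporting; keep the URL itself as-is.
            d["host"] = re.sub(r"^hxxps?://", "", d["url"]).split("/")[0]
            out["dpf"].append(d)
        elif m := DNS_RE.match(line):
            d = m.groupdict()
            d["servers"] = d["servers"].split()
            out["dns"].append(d)
    return out


def addon_inventory(parsed):
    """Distinct add-ons by CLSID, with the entry points (BHO, TB) each one occupies."""
    inv = {}
    for a in parsed["addons"]:
        rec = inv.setdefault(a["clsid"], {"name": a["name"], "kinds": set(), "path": a["path"]})
        rec["kinds"].add(a["kind"])
    return inv


def dns_findings(parsed):
    """Flag per-interface resolvers that are public and absent from the global list.

    A changed resolver is one way search redirects are produced, so a public
    resolver that differs from the global (ISP-assigned) set is worth verifying.
    Private (RFC 1918) addresses are usually the local gateway and are skipped."""
    primary = next((set(e["servers"]) for e in parsed["dns"] if e["iface"] is None), set())
    findings = []
    for e in parsed["dns"]:
        if e["iface"] is None:
            continue
        verify = [s for s in e["servers"]
                  if s not in primary and not ipaddress.ip_address(s).is_private]
        if verify:
            findings.append({"iface": e["iface"], "verify": verify})
    return findings


if __name__ == "__main__":
    parsed = parse_hjt(SAMPLE_DDS)
    for clsid, rec in addon_inventory(parsed).items():
        print(f"add-on {rec['name']} [{'/'.join(sorted(rec['kinds']))}] {clsid} -> {rec['path']}")
    print("DPF hosts:", sorted({d['host'] for d in parsed['dpf']}))
    for f in dns_findings(parsed):
        print(f"interface {f['iface']}: verify resolvers {f['verify']}")
```

The output is an inventory for review, not a verdict: the script lists every add-on and ActiveX host so each can be checked, and it flags the 4.2.2.x resolvers on one interface only because they differ from the global list and are not private addresses (they are widely used public resolvers, which is exactly why a responder confirms the source of the setting rather than assuming either way).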


#2 CatByte

  • Bleepin' curls!
  • Group: Malware Response Team
  • Posts: 7,857
  • Joined: 09-November 08
  • Gender: Not Telling
  • Location: Canada

Posted 29 January 2012 - 10:12 AM

Hi,

Please do the following:

Please download TDSSKiller.zip
  • Extract it to your desktop
  • Double click TDSSKiller.exe
  • Press Start Scan
    • Only if Malicious objects are found then ensure Cure is selected
    • Then click Continue > Reboot now

  • Copy and paste the log in your next reply
    • A copy of the log will be saved automatically to the root of the drive (typically C:\)



NEXT



Refer to the ComboFix User's Guide

  • Download ComboFix from one of these locations:

    Link 1
    Link 2

    * IMPORTANT !!! Place ComboFix.exe on your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here

  • Double click on ComboFix.exe & follow the prompts.
  • Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  • When finished, it shall produce a log for you. Post that log in your next reply

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


    ---------------------------------------------------------------------------------------------

  • Ensure your AntiVirus and AntiSpyware applications are re-enabled.

    ---------------------------------------------------------------------------------------------


NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.
The help you receive here is free.
Microsoft MVP - 2010, 2011

#3 AndyRobbb

  • New Member
  • Group: Members
  • Posts: 5
  • Joined: 28-January 12

Posted 30 January 2012 - 06:46 AM

Hi,

TDSSKiller had an update today that found and took care of it. I suppose there are no guarantees, but it found and took care of a file (one of the Zero Access ones) that seems to be tied to this problem elsewhere. Some quick browser exercise reveals no traces of the issue remain. If there's something I'm not aware of that I should be, I'll post those logs, but otherwise, it looks good now.

Thanks for your help!

#4 CatByte

  • Bleepin' curls!
  • Group: Malware Response Team
  • Posts: 7,857
  • Joined: 09-November 08
  • Gender: Not Telling
  • Location: Canada

Posted 30 January 2012 - 05:19 PM

it's entirely up to you

#5 AndyRobbb

  • New Member
  • Group: Members
  • Posts: 5
  • Joined: 28-January 12

Posted 30 January 2012 - 11:47 PM

Well, I'm good then. Thanks again.

#6 CatByte

  • Bleepin' curls!
  • Group: Malware Response Team
  • Posts: 7,857
  • Joined: 09-November 08
  • Gender: Not Telling
  • Location: Canada

Posted 31 January 2012 - 06:49 PM

OK

I will close this topic, if you find you need further assistance then please start a new topic

thank-you

#7 CatByte

  • Bleepin' curls!
  • Group: Malware Response Team
  • Posts: 7,857
  • Joined: 09-November 08
  • Gender: Not Telling
  • Location: Canada

Posted 31 January 2012 - 06:50 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.