Daily 7 News and other Pop Ups issue

6 replies to this topic

#1 AndyRobbb

  • Members
  • 5 posts
  • Local time:12:04 AM

Posted 29 January 2012 - 03:24 AM

Hello,

I'm having an issue where I get Daily 7 News pop ups (along with a handful of other suspicious sites) at seemingly random times when I'm online. Their appearance doesn't seem obviously keyed to any specific website or action on my part. This issue appeared around the same time as a Google redirect virus, and with the help of Malwarebytes and CCleaner, I appear to have dealt with that aspect for good. However, Malwarebytes and Symantec both now read clean, and the pop ups continue. Any advice would be greatly appreciated. Here's my DDS log:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421
Run by Ady1 at 19:05:02 on 2012-01-28
Microsoft Windows 7 Professional 6.1.7600.0.1252.1.1033.18.894.173 [GMT -10:00]
.
AV: Symantec Endpoint Protection *Enabled/Updated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Symantec Endpoint Protection *Enabled/Updated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\Ati2evxx.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\OpenOffice.org 3\program\swriter.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil11e_ActiveX.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\taskmgr.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Ask.com\UpdateTask.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
StartupFolder: c:\users\ady1\appdata\roaming\micros~1\windows\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
LSP: mswsock.dll
Trusted Zone: phoenix.edu
Trusted Zone: phoenix.edu\classroom
DPF: {4AB16005-E995-4A60-89DE-8B8A3E6EB5B0} - hxxp://www.worldwinner.com/games/v56/trivialpursuit/trivialpursuit.cab
DPF: {64CD313F-F079-4D93-959F-4D28B5519449} - hxxp://www.worldwinner.com/games/v56/jeopardy/jeopardy.cab
DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - hxxp://www.worldwinner.com/games/shared/wwlaunch.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {94299420-321F-4FF9-A247-62A23EBB640B} - hxxp://www.worldwinner.com/games/v46/wordmojo/wordmojo.cab
DPF: {A52FBD2B-7AB3-4F6B-90E3-91C772C5D00F} - hxxp://www.worldwinner.com/games/v57/wof/wof.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://juniper.net/dana-cached/sc/JuniperSetupClient.cab
TCP: DhcpNameServer = 24.25.227.55 209.18.47.61 24.25.227.53
TCP: Interfaces\{BA4D6EA3-855B-4B53-A456-2CC5770D3831} : DhcpNameServer = 4.2.2.2 4.2.2.3 4.2.2.4
TCP: Interfaces\{C3B7A911-1DE9-4489-A7AE-A9F467687CEA} : DhcpNameServer = 24.25.227.55 209.18.47.61 24.25.227.53
TCP: Interfaces\{C3B7A911-1DE9-4489-A7AE-A9F467687CEA}\16474777966696 : DhcpNameServer = 192.168.6.1 64.134.255.2 64.134.255.10
TCP: Interfaces\{C3B7A911-1DE9-4489-A7AE-A9F467687CEA}\4586560284F657375602F6E602458656028496C6C6 : DhcpNameServer = 192.168.2.1
TCP: Interfaces\{C3B7A911-1DE9-4489-A7AE-A9F467687CEA}\75169707F62747F5143636563737 : DhcpNameServer = 192.168.5.1 64.134.255.2 64.134.255.10
.
============= SERVICES / DRIVERS ===============
.
.
=============== Created Last 30 ================
.
2012-01-29 02:46:33 -------- d-----w- c:\programdata\PC Tools
2012-01-28 06:07:13 -------- d--h--w- c:\windows\msdownld.tmp
2012-01-28 06:03:00 748336 ----a-w- c:\program files\internet explorer\iexplore.exe
2012-01-28 06:03:00 74752 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
2012-01-28 04:14:57 -------- d-----w- c:\program files\CCleaner
2012-01-22 01:52:10 1037312 ----a-w- c:\windows\system32\lsasrv.dll
2012-01-22 01:52:09 224768 ----a-w- c:\windows\system32\schannel.dll
2012-01-22 01:52:08 369352 ----a-w- c:\windows\system32\drivers\cng.sys
2012-01-22 01:52:08 134000 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2012-01-22 01:52:06 67440 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-01-22 01:52:05 99840 ----a-w- c:\windows\system32\sspicli.dll
2012-01-22 01:52:05 314368 ----a-w- c:\windows\system32\webio.dll
2012-01-22 01:52:05 22528 ----a-w- c:\windows\system32\lsass.exe
2012-01-22 01:52:05 22016 ----a-w- c:\windows\system32\secur32.dll
2012-01-22 01:52:05 15360 ----a-w- c:\windows\system32\sspisrv.dll
2012-01-12 04:02:36 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-01-11 07:51:21 67072 ----a-w- c:\windows\system32\packager.dll
2012-01-11 07:51:16 1288984 ----a-w- c:\windows\system32\ntdll.dll
2012-01-11 07:51:03 1328640 ----a-w- c:\windows\system32\quartz.dll
2012-01-11 07:51:02 514560 ----a-w- c:\windows\system32\qdvd.dll
.
==================== Find3M ====================
.
2012-01-28 06:03:00 161792 ----a-w- c:\windows\system32\msls31.dll
2011-12-11 01:24:06 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-24 04:23:31 2340352 ----a-w- c:\windows\system32\win32k.sys
2011-11-05 04:30:11 2048 ----a-w- c:\windows\system32\tzres.dll
.
============= FINISH: 19:09:13.20 ===============

Attached file: Gmer.log (26.18KB)
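The "Pseudo HJT Report" section of a DDS log is where a responder looks first: browser add-ons (BHO/TB), ActiveX downloads (DPF) and the DHCP-assigned DNS servers per interface. The parser below is an added example written for this thread, not a BleepingComputer or DDS tool; it assumes only the line shapes visible in the log above, and the embedded sample is a constructed excerpt built from those lines.

```python
import re

# Constructed excerpt in the DDS "Pseudo HJT Report" layout, embedded so this runs offline.
SAMPLE = """\
BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\\program files\\ask.com\\GenericAskToolbar.dll
TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\\program files\\ask.com\\GenericAskToolbar.dll
DPF: {4AB16005-E995-4A60-89DE-8B8A3E6EB5B0} - hxxp://www.worldwinner.com/games/v56/trivialpursuit/trivialpursuit.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://juniper.net/dana-cached/sc/JuniperSetupClient.cab
TCP: DhcpNameServer = 24.25.227.55 209.18.47.61 24.25.227.53
TCP: Interfaces\\{BA4D6EA3-855B-4B53-A456-2CC5770D3831} : DhcpNameServer = 4.2.2.2 4.2.2.3 4.2.2.4
TCP: Interfaces\\{C3B7A911-1DE9-4489-A7AE-A9F467687CEA} : DhcpNameServer = 24.25.227.55 209.18.47.61 24.25.227.53
"""

# Line shapes assumed from the log: "KIND: name: {CLSID} - path", "DPF: {CLSID} - url",
# and "TCP: [Interfaces\<key> : ]DhcpNameServer = ip ip ...".
ADDON_RE = re.compile(r"^(BHO|TB): (.+?): (\{[0-9A-Fa-f-]{36}\}) - (.+)$")
DPF_RE = re.compile(r"^DPF: (\{[0-9A-Fa-f-]{36}\}) - (\S+)$")
DNS_RE = re.compile(r"^TCP: (?:Interfaces\\(\S+) : )?DhcpNameServer = (.+)$")


def parse_dds(text):
    """Turn the Pseudo HJT section into structured records: add-ons, DPF downloads, DNS per interface."""
    out = {"addons": [], "dpf": [], "dns": {}}
    for line in text.splitlines():
        if m := ADDON_RE.match(line):
            out["addons"].append({"kind": m[1], "name": m[2], "clsid": m[3].lower(), "path": m[4]})
        elif m := DPF_RE.match(line):
            out["dpf"].append({"clsid": m[1].upper(), "url": m[2]})
        elif m := DNS_RE.match(line):
            out["dns"][m[1] or "global"] = m[2].split()
    return out


def dpf_hosts(parsed):
    """Hosts ActiveX controls were fetched from; DDS defangs http(s) as hxxp(s)."""
    return sorted({re.sub(r"^hxxps?://", "", d["url"]).split("/")[0] for d in parsed["dpf"]})


def dns_mismatches(parsed):
    """Interfaces whose DNS servers differ from the global set: the quick DNS-changer check."""
    base = set(parsed["dns"].get("global", []))
    return sorted(k for k, v in parsed["dns"].items() if k != "global" and set(v) != base)


def addons_by_clsid(parsed):
    """Group add-on entries by CLSID so a toolbar registered as both BHO and TB is reviewed once."""
    groups = {}
    for a in parsed["addons"]:
        groups.setdefault(a["clsid"], set()).add(a["kind"])
    return groups
```

A mismatched interface is not proof of tampering (here it is a legitimate public resolver set), but it is the line a responder compares against what the user's ISP or router should be handing out.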



#2 CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada
  • Local time:07:04 AM

Posted 29 January 2012 - 10:12 AM

Hi,

Please do the following:

Please download TDSSKiller.zip
  • Extract it to your desktop
  • Double click TDSSKiller.exe
  • Press Start Scan
    • Only if Malicious objects are found then ensure Cure is selected
    • Then click Continue > Reboot now
  • Copy and paste the log in your next reply
    • A copy of the log will be saved automatically to the root of the drive (typically C:\)


NEXT



Refer to the ComboFix User's Guide

  • Download ComboFix from one of these locations:

    Link 1
    Link 2

    * IMPORTANT !!! Place ComboFix.exe on your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here
  • Double click on ComboFix.exe & follow the prompts.
  • Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  • When finished, it shall produce a log for you. Post that log in your next reply

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


    ---------------------------------------------------------------------------------------------
  • Ensure your AntiVirus and AntiSpyware applications are re-enabled.

    ---------------------------------------------------------------------------------------------

NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 AndyRobbb
  • Topic Starter

  • Members
  • 5 posts
  • Local time:12:04 AM

Posted 30 January 2012 - 06:46 AM

Hi,

TDSSKiller had an update today that found and took care of it. I suppose there are no guarantees, but it found and took care of a file (one of the Zero Access ones) that seems to be tied to this problem elsewhere. Some quick browser exercise reveals no traces of the issue remain. If there's something I'm not aware of that I should be, I'll post those logs, but otherwise, it looks good now.

Thanks for your help!

#4 CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada
  • Local time:07:04 AM

Posted 30 January 2012 - 05:19 PM

it's entirely up to you



#5 AndyRobbb
  • Topic Starter

  • Members
  • 5 posts
  • Local time:12:04 AM

Posted 30 January 2012 - 11:47 PM

Well, I'm good then. Thanks again.

#6 CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada
  • Local time:07:04 AM

Posted 31 January 2012 - 06:49 PM

OK

I will close this topic. If you find you need further assistance, then please start a new topic.

thank-you



#7 CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada
  • Local time:07:04 AM

Posted 31 January 2012 - 06:50 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
