
Internet Popups/ Adware?


  • Please log in to reply
8 replies to this topic

#1 Chivalry (Members, 45 posts)

Posted 11 May 2014 - 12:26 AM

I would like to vanquish the evil beings from my computer!

Recently I have found that every other link (or so) that I click on will open a pop-up in a new window on each web browser I use.

(this even happens in STEAM browser!!   [http://store.steampowered.com/about/] if you don't know what steam is)

 

Occasionally it happens when I don't click on a link (randomly while browsing).

Am I ACTUALLY infected?

 

Thank you!

 

Operating System: Windows 8.1

Browsers: Chrome, Opera, Firefox, IE (in preferred order)





#2 noknojon (Banned, 10,871 posts)

Posted 11 May 2014 - 12:53 AM

Hello Chivalry and Welcome -

 

If we could please look at your system, and run a few quick Fix Tools -

 

Download all programs to Desktop, Copy and Paste any logs, and Temporarily Disable Your Anti-virus if required

 

First

Download Security Check by Screen317 from HERE or HERE
* Save it to your Desktop.
* Double-click SecurityCheck.exe
* Follow the onscreen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt; please post the contents of that document.
Note: If a security program requests permission to access the Internet, allow it to do so.

 

Next -

Download MiniToolBox, Save it to your desktop and run it.
Close any Firefox browsers you may have open
Checkmark the following boxes:
• Flush DNS
• List last 10 Event Viewer log
• List Installed Programs
• List Users, Partitions and Memory size.
 Click Go and copy / paste the result (Result.txt) from your desktop.

 

 

Next -

Please download Rkill (courtesy of BleepingComputer.com) to your desktop.
There are 2 different versions. If one of them won't run then download and try to run the other one.
You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

rKill.exe: http://www.bleepingcomputer.com/download/rkill/dl/10/
iExplore.exe (renamed rKill.exe): http://www.bleepingcomputer.com/download/rkill/dl/11/

* Double-click on the Rkill desktop icon to run the tool.
* A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
* If not, delete the file, then download and use the one provided in Link 2.
* Do not reboot until instructed.
* If the tool does not run from any of the links provided, please let me know.

If normal mode still doesn't work, run the tool from safe mode.
When the scan is done Notepad will open with rKill log.
Post it in your next reply.

NOTE. rKill.txt log will also be present on your desktop.

 

Important - Do not reboot your system prior to running the next scan -

 

NOW :

Please download AdwCleaner by Xplode and save to your Desktop.
NOTE : Please close or save all work, as the computer will be Rebooted
* Double-click on AdwCleaner.exe to run the tool.
* Vista/Windows 7/8 users right-click and select Run As Administrator.
* Click on the Scan button. (only once)
* AdwCleaner will begin...be patient as the scan may take some time to complete.
* After the scan has finished, click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.

Check the listed programs it wants to remove and untick any that you do not agree with.
NOW :Click on the Clean button. (only once)
* Press OK when asked to close all programs and follow the onscreen prompts.
* Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
* After rebooting, a logfile report (AdwCleaner[S0].txt) will open automatically.

* Copy and paste the contents of that logfile in your next reply.
* A copy of all logfiles are saved in the C:\AdwCleaner folder which was created when running the tool.

 

 

Next -

I trust that anyone on Steam would have a Current Version of Malwarebytes Anti-Malware 2.0.1 installed.

Please Update this and run a scan,

Copy / Paste any log it produces.

If you do not, please ask for a Current link to the program -

 

EDIT for TYPO -


Edited by noknojon, 11 May 2014 - 12:55 AM.


#3 Chivalry (Topic Starter, Members, 45 posts)

Posted 11 May 2014 - 05:10 PM

And So it Begins!
 
======SECURITY CHECK======
Spoiler
======MINI TOOL BOX======
Spoiler
 
======RKILL LOG======
Spoiler
======ADWCleaner======
Spoiler
======MALWAREBYtes======
Spoiler

Edited by Chivalry, 11 May 2014 - 05:22 PM.


#4 noknojon (Banned, 10,871 posts)

Posted 11 May 2014 - 06:14 PM

Error : Task Scheduling Error: m->NextScheduledSPRetry 5438 :

Quite often it can mean that you have conflicting Updates at the same time (none found yet)

 

Those scans only pulled PUP.Optional.OptimumInstaller.
This can be a "redirecting program" if the infection is deep enough...

 

[Missing Service] from a RKill scan can mean it either Skipped over them, or a problem.

Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.

  • Make sure the following options are checked:
      • Internet Services
      • Windows Firewall
      • System Restore
      • Security Center/Action Center
      • Windows Update
      • Windows Defender
      • Other Services
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.
All 10 Application Errors read =
Error: (05/10/2014 00:21:06 AM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: Continuously busy for more than a second ..............

Your iTunes program needs to be changed to Manual startup and not Automatic, this is the meaning of the error.

 

Have you run any other scans prior to posting here ??

Meaning Rootkit or similar programs ??

When you use Spoiler it will often remove highlights from a post -

Mozilla Firefox (Firefox out of Date!) <= Typical example (please update your Firefox)
Old link of mine- Reset Firefox: https://support.mozilla.org/en-US/kb/reset-firefox-easily-fix-most-problems

Please try this Online Scanner from Sophos -
First read How To Temporarily Disable Your Anti-virus and follow any items you can.

Please download Sophos Virus Removal Tool and save it to your desktop.
Alternate download link If first link has problems ........
* It is a very large file so it may take some time to download.
* Be sure to read and follow the instructions on that same page for installing and performing a scan.
* If any threats are detected, they will show in the Scan Results with an option to click a Details... button for more information.
* Click on the Start clean up button to allow removal of all threats found and reboot the computer when done.
* A log file should have been created...copy and paste the results in your next reply.
Logs are automatically saved to the following locations:
-- XP: C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Virus Removal Tool\Logs\SophosVirusRemovalTool.log
-- Vista, Windows 7, 2008: C:\Program Data\Sophos\Sophos Virus Removal Tool\Logs\SophosVirusRemovalTool.log



#5 Chivalry (Topic Starter, Members, 45 posts)

Posted 13 May 2014 - 10:20 AM

Ok no spoilers this time...
 
 
Sorry for taking so long to respond. I was trying to find the time to scan for 6 hours uninterrupted (that's how long the Malwarebytes scan took) but I guess it didn't take that long this time...
Also, I'm kinda noob at computers so I might not catch everything you say.
 
How can I make iTunes manual and not automatic?
 
I have run a couple similar programs but it has been a long while...
 
I'm not the only one using this computer, there are other pc defilers o_O
 
 
 
 
Farbar Service Scanner Version: 03-05-2014
Ran by Michelle (administrator) on 11-05-2014 at 18:36:58
Running from "C:\Users\Michelle\Desktop"
Microsoft Windows 8.1  (X64)
Boot Mode: Normal
****************************************************************
 
Internet Services:
============
 
Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.
 
 
Windows Firewall:
=============
 
Firewall Disabled Policy: 
==================
 
 
System Restore:
============
 
System Restore Disabled Policy: 
========================
 
 
Action Center:
============
 
 
Windows Update:
============
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is set to Demand. The default start type is Auto.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv service is OK.
 
 
Windows Autoupdate Disabled Policy: 
============================
 
 
Windows Defender:
==============
 
Other Services:
==============
 
 
File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys
[2014-04-29 05:11] - [2014-03-04 05:15] - 2519384 ____A (Microsoft Corporation) FEEFE783D87C9063CDAC6DBDCF95F533
 
C:\Windows\System32\dnsrslvr.dll
[2014-04-29 05:11] - [2014-03-04 00:13] - 0254464 ____A (Microsoft Corporation) FE7656474448BE6A6C68E5C9BEB7CA94
 
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll
[2014-04-29 05:11] - [2014-03-08 00:01] - 0827392 ____A (Microsoft Corporation) BBE15881FE11BE37112F8320C41DAFB9
 
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\wscsvc.dll
[2014-04-29 05:05] - [2014-02-22 01:52] - 0134144 ____A (Microsoft Corporation) 515583507D3828E827FF6352C9ACCEFA
 
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll
[2014-04-29 05:09] - [2014-04-08 20:21] - 3408896 ____A (Microsoft Corporation) 779FB2F26E4339A4DD3EEF57E4E593FA
 
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll
[2014-03-12 00:53] - [2013-10-24 23:48] - 1571328 ____A (Microsoft Corporation) 8077537B1600AF493E7EE1A7A5C90799
 
C:\Program Files\Windows Defender\MsMpEng.exe
[2014-03-12 00:53] - [2013-10-30 17:29] - 0023824 ____A (Microsoft Corporation) 7CE5405B192AC912B9405F72386C7D4B
 
C:\Windows\System32\ipnathlp.dll => MD5 is legit
C:\Windows\System32\iphlpsvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll
[2014-04-29 05:06] - [2014-02-22 02:38] - 0753664 ____A (Microsoft Corporation) 81979817943D830BF24571B7C1B28A1A
 
 
 
**** End of log ****
 
 
 
 
 
2014-05-12 23:25:39 Sophos Virus Removal Tool version 2.5
2014-05-12 23:25:39 Copyright © 2009-2014 Sophos Limited. All rights reserved.
 
2014-05-12 23:25:39 This tool will scan your computer for viruses and other threats. If it finds any, it will give you the option to remove them.
 
2014-05-12 23:25:39 Windows version 6.2 SP 0.0  build 9200 SM=0x300 PT=0x1 WOW64
2014-05-12 23:25:39 Checking for updates...
2014-05-12 23:25:39 Update progress: proxy server not available
2014-05-12 23:25:45 Option all = no
2014-05-12 23:25:45 Option recurse = yes
2014-05-12 23:25:45 Option archive = no
2014-05-12 23:25:45 Option service = yes
2014-05-12 23:25:45 Option confirm = yes
2014-05-12 23:25:45 Option sxl = yes
2014-05-12 23:25:45 Option max-data-age = 35
2014-05-12 23:25:45 Option EnableSafeClean = yes
2014-05-12 23:25:48 Component SVRTcli.exe version 2.5
2014-05-12 23:25:48 Component control.dll version 2.5
2014-05-12 23:25:48 Component SVRTservice.exe version 2.5
2014-05-12 23:25:48 Component engine\osdp.dll version 1.44.1.2151
2014-05-12 23:25:48 Component engine\veex.dll version 3.52.0.2151
2014-05-12 23:25:48 Component engine\savi.dll version 8.1.0.2151
2014-05-12 23:25:48 Component rkdisk.dll version 1.5.30.0
2014-05-12 23:25:48 Version info: Product version 2.5
2014-05-12 23:25:48 Version info: Detection engine 3.52.0
2014-05-12 23:25:48 Version info: Detection data 4.99G
2014-05-12 23:25:48 Version info: Build date 3/12/2014
2014-05-12 23:25:48 Version info: Data files added 663
2014-05-12 23:25:48 Version info: Last successful update 5/11/2014 11:15:23 PM
2014-05-12 23:25:58 Downloading updates...
2014-05-12 23:25:58 Update progress: [I96736] Looking for package C1A903B2-E63E-483b-982D-04BB9C457C60 1.0 
2014-05-12 23:25:58 Update progress: [I49502] Found supplement SAVIW32 LATEST 4
2014-05-12 23:25:58 Update progress: [I49502] Found supplement IDE500 LATEST 
2014-05-12 23:25:58 Update progress: [I49502] Found supplement IDE501 LATEST 
2014-05-12 23:25:58 Update progress: [I49502] Found supplement IDE502 LATEST 
2014-05-12 23:25:58 Update progress: [I49502] Found supplement IDE503 LATEST 
2014-05-12 23:25:58 Update progress: [I49502] Found supplement IDE504 LATEST 
2014-05-12 23:25:58 Update progress: [I19463] Syncing product C1A903B2-E63E-483b-982D-04BB9C457C60 1
2014-05-12 23:25:58 Update progress: [I19463] Syncing product SAVIW32 39
2014-05-12 23:25:58 Update progress: [I19463] Syncing product IDE500 171
2014-05-12 23:25:58 Update progress: [I19463] Syncing product IDE501 233
2014-05-12 23:25:58 Update progress: [I19463] Syncing product IDE502 180
2014-05-12 23:25:58 Update progress: [I19463] Syncing product IDE503 95
2014-05-12 23:25:58 Installing updates...
2014-05-12 23:25:59 Update progress: [I19463] Syncing product IDE504 1
2014-05-12 23:25:59 Update successful
2014-05-12 23:26:05 Option all = no
2014-05-12 23:26:05 Option recurse = yes
2014-05-12 23:26:05 Option archive = no
2014-05-12 23:26:05 Option service = yes
2014-05-12 23:26:05 Option confirm = yes
2014-05-12 23:26:05 Option sxl = yes
2014-05-12 23:26:05 Option max-data-age = 35
2014-05-12 23:26:05 Option EnableSafeClean = yes
2014-05-12 23:26:05 Component SVRTcli.exe version 2.5
2014-05-12 23:26:05 Component control.dll version 2.5
2014-05-12 23:26:05 Component SVRTservice.exe version 2.5
2014-05-12 23:26:05 Component engine\osdp.dll version 1.44.1.2151
2014-05-12 23:26:05 Component engine\veex.dll version 3.52.0.2151
2014-05-12 23:26:05 Component engine\savi.dll version 8.1.0.2151
2014-05-12 23:26:05 Component rkdisk.dll version 1.5.30.0
2014-05-12 23:26:05 Version info: Product version 2.5
2014-05-12 23:26:05 Version info: Detection engine 3.52.0
2014-05-12 23:26:05 Version info: Detection data 4.99G
2014-05-12 23:26:05 Version info: Build date 3/12/2014
2014-05-12 23:26:05 Version info: Data files added 672
2014-05-12 23:26:05 Version info: Last successful update 5/12/2014 11:25:59 PM
 
2014-05-12 23:55:43 Could not open C:\hiberfil.sys
2014-05-13 00:06:38 Could not open C:\pagefile.sys
2014-05-13 00:32:49 Could not open C:\swapfile.sys
2014-05-13 00:32:49 Could not open C:\System Volume Information\{3808876b-c176-4e48-b7ae-04046e6cc752}
2014-05-13 00:32:49 Could not open C:\System Volume Information\{5a6bb19f-d921-11e3-beb8-50465d4756a3}{3808876b-c176-4e48-b7ae-04046e6cc752}
2014-05-13 00:32:49 Could not open C:\System Volume Information\{aea8c5bf-ca98-11e3-beb2-50465d4756a3}{3808876b-c176-4e48-b7ae-04046e6cc752}
2014-05-13 00:32:49 Could not open C:\System Volume Information\{b86f3bcf-d3bc-11e3-beb6-50465d4756a3}{3808876b-c176-4e48-b7ae-04046e6cc752}
2014-05-13 00:32:49 Could not open C:\System Volume Information\{e57f55d7-d1f1-11e3-beb6-50465d4756a3}{3808876b-c176-4e48-b7ae-04046e6cc752}
2014-05-13 00:32:49 Could not open C:\System Volume Information\{fc3c092c-cf2b-11e3-beb5-50465d4756a3}{3808876b-c176-4e48-b7ae-04046e6cc752}
2014-05-13 01:10:25 >>> Virus 'Mal/VMProtBad-A' found in file D:\Borderlands 2\Binaries\Win32\buddha.dll
2014-05-13 01:26:49 >>> Virus 'Mal/VMProtBad-A' found in file D:\PlagueInc\steam_api.dll
2014-05-13 01:31:20 The following items will be cleaned up:
2014-05-13 01:31:20 Mal/VMProtBad-A
2014-05-13 07:44:51 Threat 'Mal/VMProtBad-A' has been cleaned up.
2014-05-13 07:44:51 File "D:\Borderlands 2\Binaries\Win32\buddha.dll" belongs to malware 'Mal/VMProtBad-A'.
2014-05-13 07:44:51 File "D:\Borderlands 2\Binaries\Win32\buddha.dll" has been cleaned up.
2014-05-13 07:44:51 File "D:\PlagueInc\steam_api.dll" belongs to malware 'Mal/VMProtBad-A'.
2014-05-13 07:44:51 File "D:\PlagueInc\steam_api.dll" has been cleaned up.
2014-05-13 07:44:51 Removal successful
2014-05-13 07:44:51 Contents of SafeClean bin directory:
2014-05-13 07:44:51 {
2014-05-13 07:44:51    RecordID   : "0000000000000001",
2014-05-13 07:44:51    ItemType   : "1",
2014-05-13 07:44:51    Location   : "D:\Borderlands 2\Binaries\Win32\",
2014-05-13 07:44:51    FileName   : "buddha.dll",
2014-05-13 07:44:51    ThreatName : "Mal/VMProtBad-A",
2014-05-13 07:44:51    Checksum   : "0bc0b983f15810ccad87e1556f6ba74c041a95547e71a5208c86b2eaeeae6137",
2014-05-13 07:44:51    TimeStamp  : "Tue May 13 07:44:42 2014"
2014-05-13 07:44:51 }
2014-05-13 07:44:51 {
2014-05-13 07:44:51    RecordID   : "0000000000000002",
2014-05-13 07:44:51    ItemType   : "1",
2014-05-13 07:44:51    Location   : "D:\PlagueInc\",
2014-05-13 07:44:51    FileName   : "steam_api.dll",
2014-05-13 07:44:51    ThreatName : "Mal/VMProtBad-A",
2014-05-13 07:44:51    Checksum   : "f8beb068eb734cafef4de64ec2b2f5229f1dd8df93bf87ae12e338d04682ad63",
2014-05-13 07:44:51    TimeStamp  : "Tue May 13 07:44:42 2014"
2014-05-13 07:44:51 }
 
2014-05-13 08:09:05 Scan completed.
2014-05-13 08:09:05
 
------------------------------------------------------------

Edited by Chivalry, 13 May 2014 - 10:40 AM.
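The FSS log above reports the wuauserv (Windows Update) service set to Demand (Manual) where its default is Auto, and the earlier reply recommends switching the Bonjour Service that iTunes installs to Manual. The following PowerShell script is an added example, not code from the thread, from FSS or from any tool it mentions: it audits the start type of each named service against the value expected here and can apply the correction. It assumes PowerShell 3.0 or later (Windows 8.1 ships 4.0) and, for the repair step, an elevated prompt; the two service names and expected values are taken from the thread.

```powershell
# Added example (not code from the thread, FSS or any tool it mentions).
# Audits Windows service start types against expected values and can correct them.
# Assumes an elevated PowerShell 3.0+ prompt on Windows 8.1 or later.

# Expected start modes as reported by Win32_Service ('Auto', 'Manual', 'Disabled').
# wuauserv: the FSS log in the thread shows 'Demand' (Manual) but a default of Auto.
# 'Bonjour Service' (installed with iTunes): the thread recommends Manual startup.
$Expected = @{
    'wuauserv'        = 'Auto'
    'Bonjour Service' = 'Manual'
}

function Get-ServiceStartAudit {
    param([hashtable]$Expected)
    foreach ($name in $Expected.Keys) {
        # Look the service up by service name or display name; escape quotes for WQL.
        $safe = $name -replace "'", "''"
        $found = @(Get-CimInstance -ClassName Win32_Service `
                  -Filter "Name='$safe' OR DisplayName='$safe'")
        if ($found.Count -eq 0) {
            # Not installed: report it, but it is not a misconfiguration
            [pscustomobject]@{ Service = $name; Installed = $false; State = $null
                               Current = $null; Expected = $Expected[$name]; Compliant = $true }
            continue
        }
        foreach ($svc in $found) {
            [pscustomobject]@{
                Service   = $svc.Name
                Installed = $true
                State     = $svc.State
                Current   = $svc.StartMode
                Expected  = $Expected[$name]
                Compliant = ($svc.StartMode -eq $Expected[$name])
            }
        }
    }
}

function Repair-ServiceStartMode {
    # Applies the expected start type to every installed, non-compliant service
    param([Parameter(ValueFromPipeline = $true)]$Finding)
    process {
        if ($Finding.Installed -and -not $Finding.Compliant) {
            # Set-Service spells the automatic start type 'Automatic', not 'Auto'
            $type = if ($Finding.Expected -eq 'Auto') { 'Automatic' } else { $Finding.Expected }
            Set-Service -Name $Finding.Service -StartupType $type
            Write-Output "$($Finding.Service): $($Finding.Current) -> $type"
        }
    }
}

$report = Get-ServiceStartAudit -Expected $Expected
$report | Format-Table Service, Installed, State, Current, Expected, Compliant -AutoSize

# Uncomment to apply the corrections (requires an elevated prompt):
# $report | Repair-ServiceStartMode
```

The audit is read-only and safe to run first; the repair function is kept separate so that a finding can be reviewed before anything is changed, which matters because adware and unwanted programs commonly leave Windows Update or a security service set to Manual or Disabled, and a service that is simply not installed should not be flagged as a problem.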


#6 noknojon (Banned, 10,871 posts)

Posted 13 May 2014 - 05:49 PM

Hi -

>>> Virus 'Mal/VMProtBad-A' found in file D:\Borderlands 2\Binaries\Win32\buddha.dll

>>> Virus 'Mal/VMProtBad-A' found in file D:\PlagueInc\steam_api.dll

 

From this reading, it seems that at least one of the infections was in a Steam program.

 

Both of these have been cleaned up, and your computer should be running much better.

 

Please post a general report on your system.
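The reply above reads the two ">>> Virus ... found in file" lines out of a long Sophos log by hand. The PowerShell below is an added example, not code from the thread or from Sophos: it parses a log in the "date time message" layout shown in the post above, pairs each detection with its clean-up line and the SHA-256 checksum from the SafeClean record, and separates the "Could not open" entries for files that are always locked on a running system (hiberfil.sys, pagefile.sys, swapfile.sys, System Volume Information) from any others that would deserve a second look. The sample lines are constructed from the log posted in this thread; the regular expressions are an assumption about the log format based only on those lines.

```powershell
# Added example (not code from the thread or from Sophos): summarise a Sophos
# Virus Removal Tool log. Sample lines are constructed from the log posted above.

$SampleLog = @'
2014-05-12 23:55:43 Could not open C:\hiberfil.sys
2014-05-13 00:06:38 Could not open C:\pagefile.sys
2014-05-13 00:32:49 Could not open C:\System Volume Information\{3808876b-c176-4e48-b7ae-04046e6cc752}
2014-05-13 01:10:25 >>> Virus 'Mal/VMProtBad-A' found in file D:\Borderlands 2\Binaries\Win32\buddha.dll
2014-05-13 01:26:49 >>> Virus 'Mal/VMProtBad-A' found in file D:\PlagueInc\steam_api.dll
2014-05-13 07:44:51 File "D:\Borderlands 2\Binaries\Win32\buddha.dll" has been cleaned up.
2014-05-13 07:44:51 File "D:\PlagueInc\steam_api.dll" has been cleaned up.
2014-05-13 07:44:51 {
2014-05-13 07:44:51    Location   : "D:\Borderlands 2\Binaries\Win32\",
2014-05-13 07:44:51    FileName   : "buddha.dll",
2014-05-13 07:44:51    ThreatName : "Mal/VMProtBad-A",
2014-05-13 07:44:51    Checksum   : "0bc0b983f15810ccad87e1556f6ba74c041a95547e71a5208c86b2eaeeae6137",
2014-05-13 07:44:51 }
2014-05-13 08:09:05 Scan completed.
'@

function ConvertFrom-SophosLog {
    param([string[]]$Lines)
    # Paths a scanner can never open on a running system; these are not findings
    $expectedLocked = '^[A-Z]:\\(hiberfil|pagefile|swapfile)\.sys$',
                      '\\System Volume Information\\'
    $detections = @{}   # full path -> detection object
    $locked = @()
    $record = $null     # current "{ ... }" SafeClean record, if inside one
    foreach ($line in $Lines) {
        if ($line -match '^(?<ts>\S+ \S+) (?<msg>.*)$') {
            $ts, $msg = $Matches.ts, $Matches.msg
        } else { continue }
        switch -Regex ($msg) {
            "^>>> Virus '(?<threat>[^']+)' found in file (?<path>.+)$" {
                $detections[$Matches.path] = [pscustomobject]@{
                    Path = $Matches.path; Threat = $Matches.threat; Detected = $ts
                    CleanedUp = $false; Sha256 = $null }
            }
            '^File "(?<path>.+)" has been cleaned up\.$' {
                if ($detections.ContainsKey($Matches.path)) { $detections[$Matches.path].CleanedUp = $true }
            }
            '^Could not open (?<path>.+)$' {
                $p = $Matches.path
                $isExpected = @($expectedLocked | Where-Object { $p -match $_ }).Count -gt 0
                $locked += [pscustomobject]@{ Path = $p; Expected = $isExpected }
            }
            '^\{$' { $record = @{} }
            '^\s*(?<k>\w+)\s*:\s*"(?<v>[^"]*)",?$' {
                if ($null -ne $record) { $record[$Matches.k] = $Matches.v }
            }
            '^\}$' {
                if ($null -ne $record) {
                    # Location already ends with a backslash in the log, so concatenate directly
                    $full = $record.Location + $record.FileName
                    if ($detections.ContainsKey($full)) { $detections[$full].Sha256 = $record.Checksum }
                }
                $record = $null
            }
        }
    }
    [pscustomobject]@{
        Detections       = @($detections.Values)
        LockedFiles      = $locked
        UnexpectedLocked = @($locked | Where-Object { -not $_.Expected })
    }
}

$summary = ConvertFrom-SophosLog -Lines ($SampleLog -split "`r?`n")
$summary.Detections | Format-Table Path, Threat, CleanedUp, Sha256 -AutoSize
"Locked files other than the usual system files: $($summary.UnexpectedLocked.Count)"
```

To run it against a real log, replace the sample with `Get-Content` of the SophosVirusRemovalTool.log path given earlier in the thread. The SHA-256 checksum from the SafeClean record is worth keeping with the detection: it identifies the exact file that was quarantined, so it can be matched later against the file's original source even though the file itself is gone.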



#7 Chivalry (Topic Starter, Members, 45 posts)

Posted 13 May 2014 - 06:03 PM

The constant pop-ups have definitely been abated. :clapping: 

I believe your methoding has worked! :bananas: 

Steam is working great. All of the browsers are peachy! :bubbles: 

thank you very much!!!! :love4u: 

Now what to do about all of this infection-removal software on the computer...? :tophat:



#8 noknojon (Banned, 10,871 posts)

Posted 13 May 2014 - 06:43 PM

First keep Malwarebytes Anti-Malware and keep it updated and use it every few days if it is the Free Version.

Keep Temp File Cleaner and run it every day or so (saves needing to run CCleaner)

 

Please download Temp File Cleaner by Old Timer
Usage Instructions:

  • Download TFC from the download link above and save the file on your desktop.
  • Close ALL running applications as TFC will terminate them before attempting to clean up the temporary files.
  • Double-click on the TFC icon.
  • When the program opens, click on the Start button. 
  • NOTE :TFC will terminate the Explorer process and all running applications and then begin the process of cleaning out all of your temp folders.
  • When done, press Exit and reboot your computer and finish the cleanup.

 

All other reports and programs can just be Right click > Delete and empty the Recycle bin

 

I will keep an eye here for a day or 3 if you still have problems. After that, please start a fresh topic ......



#9 Chivalry (Topic Starter, Members, 45 posts)

Posted 14 May 2014 - 10:15 AM

Thank you so much!

I just wish I knew how to do all of this myself, that way I needn't bother anyone else with my troubles.

THANK YOU!!!!

 

:bowdown:





