
Thread: unwanted windows poping up

  1. #21
    Member
    Join Date
    Sep 2008
    Location
    portsmouth
    Posts
    61


    OK, just finished the ESET scan.

    C:\Users\bob\AppData\Roaming\QY JS/Toolbar.Crossrider.C potentially unwanted application
    C:\Users\bob\AppData\Roaming\XZQE JS/Toolbar.Crossrider.C potentially unwanted application
    C:\Users\bob\Downloads\cbsidlm-cbsi213-Winmail_Opener-SEO-10469892.exe a variant of Win32/CNETInstaller.B potentially unwanted application
    Operating memory a variant of Win32/AdWare.Pirrit.H application

    Malwarebytes Anti-Malware
    www.malwarebytes.org

    Scan Date: 10/18/2014
    Scan Time: 10:28:59 PM
    Logfile: scanlog mwb.txt
    Administrator: Yes

    Version: 2.00.2.1012
    Malware Database: v2014.10.18.06
    Rootkit Database: v2014.10.17.01
    License: Free
    Malware Protection: Disabled
    Malicious Website Protection: Disabled
    Self-protection: Disabled

    OS: Windows 7 Service Pack 1
    CPU: x64
    File System: NTFS
    User: bob

    Scan Type: Threat Scan
    Result: Completed
    Objects Scanned: 312707
    Time Elapsed: 7 min, 16 sec

    Memory: Enabled
    Startup: Enabled
    Filesystem: Enabled
    Archives: Enabled
    Rootkits: Disabled
    Heuristics: Enabled
    PUP: Enabled
    PUM: Enabled

    Processes: 0
    (No malicious items detected)

    Modules: 0
    (No malicious items detected)

    Registry Keys: 0
    (No malicious items detected)

    Registry Values: 0
    (No malicious items detected)

    Registry Data: 0
    (No malicious items detected)

    Folders: 0
    (No malicious items detected)

    Files: 0
    (No malicious items detected)

    Physical Sectors: 0
    (No malicious items detected)


    (end)

    Well, well past my bed time; will look out for you tomorrow.

    Thanks

  2. #22
    Security Expert-emeritus Juliet
    Join Date
    Feb 2007
    Location
    Deep South
    Posts
    4,084


    Let's throw this scan in as well. After I see the results from this scan I'll add file deletions.

    Also, please make sure your antivirus is enabled.


    Please download Malwarebytes Anti-Rootkit and save it to your desktop.
    • Be sure to print out and follow the instructions provided on that same page for performing a scan.
    • Caution: This is a beta version so also read the disclaimer and back up all your data before using.
    • When the scan completes, click on the Cleanup button to remove any threats found and reboot the computer if prompted to do so.
    • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
    • If there are problems with Internet access, Windows Update, Windows Firewall or other system issues, run the fixdamage tool located in the folder Malwarebytes Anti-Rootkit was run from and reboot your computer.
    • Two files (mbar-log-YYYY-MM-DD, system-log.txt) will be created and saved within that same folder.
    • Copy and paste the contents of these two log files in your next reply.
    Note: Further documentation can be found in the ReadMe.rtf file which is located in the Malwarebytes Anti-Rootkit folder.
    Last edited by Juliet; 2014-10-19 at 03:22.
    Windows Insider MVP Consumer Security 2009 - 2017
    Please do not PM me for Malware help, we all benefit from posting on the open board.

  3. #23
    Member
    Join Date
    Sep 2008
    Location
    portsmouth
    Posts
    61


    Hi
    Good morning

    I have run the Malwarebytes Anti-Rootkit twice, "No Malware Found" both times.

    I have checked on another computer in the house; this computer does not need to use proxies, which is probably one or all of the problems.

    When you go to "connections" on this computer all choices are grayed out; on the other computer they are clear.

    Still getting unwanted windows.

  4. #24
    Member
    Join Date
    Sep 2008
    Location
    portsmouth
    Posts
    61


    Hi,
    I have just looked into the registry on this machine. Below are the entries picked up by RogueKiller.

    HKEY_USERS\S-1-5-21-2632905467-853276935-2808178832-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings

    ProxyEnable REG_DWORD 0x0000001 (1)
    ProxyHttp1.1 REG_DWORD 0x0000001 (1)
    ProxyOverride REG_SZ <local>;*origin.com;*ea.com;*akamaihd.net
    ProxyServer REG_SZ http=127.0.0.1.15498

    I presume the first two lines should read 0x0000000 (1) or something similar; I will look at my other computer to see what it is like.

    Hope this helps.

  5. #25
    Member
    Join Date
    Sep 2008
    Location
    portsmouth
    Posts
    61


    OK, on my other computer there is only

    ProxyEnable REG_DWORD 0x0000000 (0)

    Does this help?

  6. #26
    Security Expert-emeritus Juliet
    Join Date
    Feb 2007
    Location
    Deep South
    Posts
    4,084


    Morning.

    Let's try to remove the infections found by Eset first.


    Open Notepad. Please copy the contents of the quote box below. To do this, highlight the contents of the box, right click on it and select Copy.
    Paste this into the open Notepad and save it to the Desktop as fixlist.txt.
    NOTE: It's important that both files, FRST/FRST64 and fixlist.txt, are in the same location or the fix will not work.
    It needs to be saved next to the "Farbar Recovery Scan Tool" (if asked to overwrite the existing one, please allow).

    start
    CloseProcesses:
    C:\Users\bob\Downloads\cbsidlm-cbsi213-Winmail_Opener-SEO-10469892.exe
    uInternet Settings,ProxyServer = http=127.0.0.1:34484
    uInternet Settings,ProxyOverride = <local>;*origin.com;*ea.com;*akamaihd.net
    Folder:
    C:\Users\bob\AppData\Roaming\QY
    C:\Users\bob\AppData\Roaming\XZQE
    CMD: ipconfig /flushdns
    CMD: netsh winsock reset all
    CMD: netsh int ipv4 reset
    CMD: netsh int ipv6 reset
    CMD: bitsadmin /reset /allusers
    End
    Open FRST/FRST64 and press the Fix button just once and wait.
    If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
    When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.




    ~~~~~~~~~~~~~~~~~~~~~~~

    From here I want you to download and scan with Hitman Pro.
    After you download and install please boot into safe mode to run the scan.

    http://www.bleepingcomputer.com/tuto...-in-safe-mode/

    HitmanPro

    • Please download HitmanPro.
    • Launch the program by double clicking on the icon. (Windows Vista/7 users right click on the HitmanPro icon and select run as administrator).
    • Click on the next button. You must agree with the terms of EULA.
    • Check the box beside "No, I only want to perform a one-time scan to check this computer".
    • Click on the next button.
    • The program will start to scan the computer. The scan will typically take no more than 2-3 minutes.
    • When the scan is done click on drop-down menu of the found entries (if any) and choose - Apply to all => Ignore <= IMPORTANT!!!
    • Click on the next button.
    • Click on the "Export scan results to XML file".
    • Save that file to your desktop and zip and attach it in your next reply.



    Check proxy connections after running this fix.


    IF the proxy has set itself back, also save these instructions in case they need to be reversed.

    Do you feel comfortable in the registry?

    Click Start > type regedit in the search field and press Enter.

    Expand the HKEY_CURRENT_USER hive by clicking on the "+" sign next to it. Continue expanding "Software," "Microsoft," "Windows" and "CurrentVersion," then click on the "Internet Settings" subkey or folder.
    View the contents of the Internet Settings folder on the right pane. Double-click on the "ProxyEnable" DWORD value to open the "Edit DWORD Value" window. Change "Value data" to "1" and press "OK" to confirm.
    Double-click on the "ProxyServer" string value.
    Reboot the machine.
    Has it gone now?
    Last edited by Juliet; 2014-10-19 at 14:57.

  7. #27
    Member
    Join Date
    Sep 2008
    Location
    portsmouth
    Posts
    61


    Hi,
    OK, here are the 2 reports.


    Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 16-10-2014
    Ran by bob at 2014-10-19 14:01:36 Run:3
    Running from C:\Users\bob\Desktop
    Loaded Profiles: bob (Available profiles: bob)
    Boot Mode: Normal
    ==============================================

    Content of fixlist:
    *****************
    start
    CloseProcesses:
    C:\Users\bob\Downloads\cbsidlm-cbsi213-Winmail_Opener-SEO-10469892.exe
    uInternet Settings,ProxyServer = http=127.0.0.1:34484
    uInternet Settings,ProxyOverride = <local>;*origin.com;*ea.com;*akamaihd.net
    Folder:
    C:\Users\bob\AppData\Roaming\QY
    C:\Users\bob\AppData\Roaming\XZQE
    CMD: ipconfig /flushdns
    CMD: netsh winsock reset all
    CMD: netsh int ipv4 reset
    CMD: netsh int ipv6 reset
    CMD: bitsadmin /reset /allusers
    End
    *****************

    Processes closed successfully.
    C:\Users\bob\Downloads\cbsidlm-cbsi213-Winmail_Opener-SEO-10469892.exe => Moved successfully.
    uInternet Settings,ProxyServer = http=127.0.0.1:34484 => Error: No automatic fix found for this entry.
    uInternet Settings,ProxyOverride = <local>;*origin.com;*ea.com;*akamaihd.net => Error: No automatic fix found for this entry.

    ========================= Folder: ========================

    Directory Not Found
    C:\Users\bob\AppData\Roaming\QY => Moved successfully.
    C:\Users\bob\AppData\Roaming\XZQE => Moved successfully.

    ========= ipconfig /flushdns =========


    ========= End of CMD: =========


    ========= netsh winsock reset all =========


    ========= End of CMD: =========


    ========= netsh int ipv4 reset =========


    ========= End of CMD: =========


    ========= netsh int ipv6 reset =========


    ========= End of CMD: =========


    ========= bitsadmin /reset /allusers =========


    ========= End of CMD: =========



    The system needed a reboot.

    ==== End of Fixlog ====




    <?xml version="1.0"?>
    <Log filesProcessed="20196" timeSpentInSecs="59" date="2014-10-19T14:14:57" version="3.7.9.225" scan="Normal" windows="6.1.1.7601.X64/2" computer="BOB-PC">
    <Item status="None" score="0.0" type="Cookie">
    <File path="C:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\finki56m.default-1413643555328\cookies.sqlite:ad.360yield.com"/>
    </Item>
    <Item status="None" score="0.0" type="Cookie">
    <File path="C:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\finki56m.default-1413643555328\cookies.sqlite:ad.mlnadvertising.com"/>
    </Item>
    <Item status="None" score="0.0" type="Cookie">
    <File path="C:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\finki56m.default-1413643555328\cookies.sqlite:ads.audience2media.com"/>
    </Item>
    <Item status="None" score="0.0" type="Cookie">
    <File path="C:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\finki56m.default-1413643555328\cookies.sqlite:ads.creative-serving.com"/>
    </Item>
    <Item status="None" score="0.0" type="Cookie">
    <File path="C:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\finki56m.default-1413643555328\cookies.sqlite:ads.pubmatic.com"/>
    </Item>
    <Item status="None" score="0.0" type="Cookie">
    <File path="C:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\finki56m.default-1413643555328\cookies.sqlite:ads.stickyadstv.com"/>
    </Item>
    <Item status="None" score="0.0" type="Cookie">
    <File path="C:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\finki56m.default-1413643555328\cookies.sqlite:ads.undertone.com"/>
    </Item>
    <Item status="None" score="0.0" type="Cookie">
    <File path="C:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\finki56m.default-1413643555328\cookies.sqlite:ads.yahoo.com"/>
    </Item>
    <Item status="None" score="0.0" type="Cookie">
    <File path="C:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\finki56m.default-1413643555328\cookies.sqlite:adtech.de"/>
    </Item>
    <Item status="None" score="0.0" type="Cookie">
    <File path="C:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\finki56m.default-1413643555328\cookies.sqlite:adtechus.com"/>
    </Item>
    <Item status="None" score="0.0" type="Cookie">
    <File path="C:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\finki56m.default-1413643555328\cookies.sqlite:advertising.com"/>
    </Item>
    <Item status="None" score="0.0" type="Cookie">
    <File path="C:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\finki56m.default-1413643555328\cookies.sqlite:at.atwola.com"/>
    </Item>
    <Item status="None" score="0.0" type="Cookie">
    <File path="C:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\finki56m.default-1413643555328\cookies.sqlite:atdmt.com"/>
    </Item>
    <Item status="None" score="0.0" type="Cookie">
    <File path="C:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\finki56m.default-1413643555328\cookies.sqlite:bs.serving-sys.com"/>
    </Item>
    <Item status="None" score="0.0" type="Cookie">
    <File path="C:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\finki56m.default-1413643555328\cookies.sqlite:burstnet.com"/>
    </Item>
    <Item status="None" score="0.0" type="Cookie">
    <File path="C:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\finki56m.default-1413643555328\cookies.sqlite:casalemedia.com"/>
    </Item>
    <Item status="None" score="0.0" type="Cookie">
    <File path="C:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\finki56m.default-1413643555328\cookies.sqlite:collective-media.net"/>
    </Item>
    <Item status="None" score="0.0" type="Cookie">
    <File path="C:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\finki56m.default-1413643555328\cookies.sqlite:doubleclick.net"/>
    </Item>
    <Item status="None" score="0.0" type="Cookie">
    <File path="C:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\finki56m.default-1413643555328\cookies.sqlite:engine.phn.doublepimp.com"/>
    </Item>
    <Item status="None" score="0.0" type="Cookie">
    <File path="C:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\finki56m.default-1413643555328\cookies.sqlite:livejasmin.com"/>
    </Item>
    <Item status="None" score="0.0" type="Cookie">
    <File path="C:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\finki56m.default-1413643555328\cookies.sqlite:media6degrees.com"/>
    </Item>
    <Item status="None" score="0.0" type="Cookie">
    <File path="C:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\finki56m.default-1413643555328\cookies.sqlite:mediaplex.com"/>
    </Item>
    <Item status="None" score="0.0" type="Cookie">
    <File path="C:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\finki56m.default-1413643555328\cookies.sqlite:pd0.imp.revsci.net"/>
    </Item>
    <Item status="None" score="0.0" type="Cookie">
    <File path="C:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\finki56m.default-1413643555328\cookies.sqlite:questionmarket.com"/>
    </Item>
    <Item status="None" score="0.0" type="Cookie">
    <File path="C:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\finki56m.default-1413643555328\cookies.sqlite:revsci.net"/>
    </Item>
    <Item status="None" score="0.0" type="Cookie">
    <File path="C:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\finki56m.default-1413643555328\cookies.sqlite:ru4.com"/>
    </Item>
    <Item status="None" score="0.0" type="Cookie">
    <File path="C:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\finki56m.default-1413643555328\cookies.sqlite:serving-sys.com"/>
    </Item>
    <Item status="None" score="0.0" type="Cookie">
    <File path="C:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\finki56m.default-1413643555328\cookies.sqlite:smartadserver.com"/>
    </Item>
    <Item status="None" score="0.0" type="Cookie">
    <File path="C:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\finki56m.default-1413643555328\cookies.sqlite:statse.webtrendslive.com"/>
    </Item>
    <Item status="None" score="24.0" type="Suspicious">
    <File path="C:\Users\bob\Desktop\FRST-OlderVersion\FRST64.exe" hash="9E08075333C377229E2763BC669558FC99F9BD3AB1FE14882E581D2F74E9A5BC"/>
    </Item>
    <Item status="None" score="24.0" type="Suspicious">
    <File path="C:\Users\bob\Desktop\FRST64.exe" hash="88DAA88F206F6E230A885CD4FD6F165D3042C459C6A7AAF3EFACB11C7577EE70"/>
    </Item>
    <Item status="None" score="27.0" type="Suspicious">
    <File path="C:\Windows\SysWOW64\Direct3dTextWin32\Direct3dTextWin32.exe" hash="0FF64DCE66D4C4412C52B933133B7ED63E195286238437AD873E1AA29DD0BF2A"/>
    <Startup>
    <Key path="HKLM\SYSTEM\CurrentControlSet\Services\Direct3dTextWin32\"/>
    </Startup>
    </Item>
    <Item status="None" score="0.0" type="PUP">
    <File path="HKLM\SOFTWARE\RST\"/>
    </Item>
    <Item status="None" score="0.0" type="PUP">
    <File path="HKLM\SOFTWARE\SI-App\"/>
    </Item>
    <Item status="None" score="0.0" type="PUP">
    <File path="HKLM\SOFTWARE\Upt\"/>
    </Item>
    <Item status="None" score="0.0" type="PUP">
    <File path="HKLM\SOFTWARE\WinUpd\"/>
    </Item>
    <Item status="None" score="0.0" type="PUP">
    <File path="HKLM\SOFTWARE\Wow6432Node\RST\"/>
    </Item>
    <Item status="None" score="0.0" type="PUP">
    <File path="HKLM\SOFTWARE\Wow6432Node\SI-App\"/>
    </Item>
    <Item status="None" score="0.0" type="PUP">
    <File path="HKLM\SOFTWARE\Wow6432Node\Upt\"/>
    </Item>
    <Item status="None" score="0.0" type="PUP">
    <File path="HKLM\SOFTWARE\Wow6432Node\WinUpd\"/>
    </Item>
    <Item status="None" score="0.0" type="PUP">
    <File path="HKU\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\"/>
    </Item>
    <Item status="None" score="0.0" type="PUP">
    <File path="HKU\S-1-5-18\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\"/>
    </Item>
    <Item status="None" score="0.0" type="PUP">
    <File path="HKU\S-1-5-21-2632905467-853276935-2808178832-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\superfish.com\"/>
    </Item>
    <Item status="None" score="0.0" type="Repair">
    <File path="HKU\S-1-5-21-2632905467-853276935-2808178832-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings"/>
    </Item>
    </Log>



    In your regedit instructions you specified to change the "Value data" to "1"; as it was already a "1", I changed it to "0" like my other computer.
    For the next line, "Double-click on the "ProxyServer" string value.", you gave no info as to what to do; I deleted the string value.

    I did all the above in safe mode.

    Checking the proxy settings when the computer is run up normally, they are still reverting to "use proxy" and the page is grayed out.

    A quick check on the registry sees the edits reverted back as they were. I have just edited all four, the first two to "0" and the last two to blank.
    I will post this, then reboot to see if the registry is still reverting back.

  8. #28
    Member
    Join Date
    Sep 2008
    Location
    portsmouth
    Posts
    61


    OK, so I have just rebooted. The registry entries for the proxy are all still there as before. They must have something hidden somewhere else to put it all back.
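    A read-only audit script, added here as an example and not from the thread or from any of the tools it names: it reads the same WinINet proxy values bob posted in #24 for every loaded user hive, flags the loopback-proxy pattern (ProxyEnable=1 with ProxyServer on 127.0.0.1), and lists services whose executable sits outside the usual directories, the kind of component that would put the values back after a reboot as described in #27 and #28. Assumes Windows 7 or later and an elevated PowerShell; the loopback check and the service-path heuristic are assumptions of this example, not output of any tool in the thread.

```powershell
# Added example (not part of the thread): audit WinINet proxy values per user
# hive and list services running from unusual paths. Read-only; changes nothing.
# Assumed: Windows 7 or later, run from an elevated PowerShell prompt.

$ProxyKeySuffix = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings'

function Get-ProxyAudit {
    $results = @()
    # Every loaded user hive (SIDs and .DEFAULT); *_Classes hives carry no proxy data.
    $hives = Get-ChildItem 'Registry::HKEY_USERS' | Where-Object { $_.PSChildName -notlike '*_Classes' }
    foreach ($hive in $hives) {
        $keyPath = "Registry::HKEY_USERS\$($hive.PSChildName)\$ProxyKeySuffix"
        if (-not (Test-Path $keyPath)) { continue }
        $k = Get-ItemProperty -Path $keyPath -ErrorAction SilentlyContinue
        $enable = [int]$k.ProxyEnable          # a missing value reads as 0 (clean baseline in #25)
        $server = [string]$k.ProxyServer
        $reasons = @()
        # A proxy on the loopback adapter is the pattern in this thread (http=127.0.0.1:<port>):
        # browser traffic is routed through a local process that injects the pop-ups.
        if ($enable -eq 1 -and $server -match '(^|=)(127\.0\.0\.1|localhost)(:|$)') {
            $reasons += 'proxy enabled and pointed at loopback'
        } elseif ($enable -eq 1) {
            $reasons += 'proxy enabled (verify this is expected on this network)'
        }
        if ($k.AutoConfigURL) { $reasons += 'AutoConfigURL (PAC script) set' }
        $results += New-Object PSObject -Property @{
            Hive          = $hive.PSChildName
            ProxyEnable   = $enable
            ProxyServer   = $server
            ProxyOverride = [string]$k.ProxyOverride
            AutoConfigURL = [string]$k.AutoConfigURL
            Suspicious    = ($reasons -join '; ')
        }
    }
    $results
}

function Get-UnusualServices {
    # Heuristic only: services whose .exe is not directly in System32/SysWOW64 and not
    # under Program Files. A binary in a subfolder of SysWOW64, like the one Hitman
    # reported in #27, shows up here; review every hit by hand before acting on it.
    $win = $env:SystemRoot
    $ok = @("$win\System32", "$win\SysWOW64")
    Get-WmiObject Win32_Service | ForEach-Object {
        if ($_.PathName -match '^\s*"?([^"]+?\.exe)') {
            $exe = $Matches[1]
            $dir = Split-Path -Parent $exe
            $inProgramFiles = ($dir -like "$env:ProgramFiles*") -or ($dir -like "${env:ProgramFiles(x86)}*")
            if (-not $inProgramFiles -and ($ok -notcontains $dir)) {
                New-Object PSObject -Property @{
                    Name = $_.Name; State = $_.State; StartMode = $_.StartMode; Path = $exe
                }
            }
        }
    }
}

Get-ProxyAudit | Format-Table Hive, ProxyEnable, ProxyServer, Suspicious -AutoSize
Get-UnusualServices | Format-Table Name, State, StartMode, Path -AutoSize
```

Run it once before and once after a fix and compare the two outputs; a proxy entry that reappears with the same service still listed points at the service rather than at the registry value itself.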

  9. #29
    Security Expert-emeritus Juliet
    Join Date
    Feb 2007
    Location
    Deep South
    Posts
    4,084


    Hitman found this
    C:\Windows\SysWOW64\Direct3dTextWin32\Direct3dTextWin32.exe

    Is this something you downloaded?

    It also found FRST as suspicious...just look over that.

    Also please download Windows Repair (all in one) from here


    Install the program then go to step 4 and create a new system restore point and new registry backup.

    Go to Step 2 and allow it to run CheckDisk by clicking on the Do It button.

    NEXT
    On the Start Repairs tab => Click the Start.

    Please ensure that ONLY items seen in the image below are ticked as indicated (they're all checked by default):

    Click on the box next to Restart System when Finished. Then click on Start.

    ~~~~~~~~~~~~~~~~~~~~~~~

    Please download MiniToolBox http://www.bleepingcomputer.com/download/minitoolbox/
    save it to your desktop and run it.

    Checkmark the following check-boxes:

    Flush DNS
    Report IE Proxy Settings
    Reset IE Proxy Settings
    Report FF Proxy Settings
    Reset FF Proxy Settings
    List content of Hosts
    List IP configuration
    List Winsock Entries
    List last 10 Event Viewer log
    List Installed Programs
    List Devices
    List Users, Partitions and Memory size.
    List Minidump Files

    Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.

    Note: When using Reset FF Proxy Settings option Firefox should be closed.

  10. #30
    Security Expert-emeritus Juliet
    Join Date
    Feb 2007
    Location
    Deep South
    Posts
    4,084


    Also, since your reading and editing won't work, let's give this a try.

    Go to the Google Chrome icon, right click and open it with "Run as Administrator."
    Click the 3 horizontal lines with the left button, go down to Settings, then go to Advanced Settings towards the bottom to CHANGE PROXY SETTINGS. This brings up the same Settings box as in Internet Explorer.

    A. If you have Internet Explorer, go to your icon for Internet Explorer on the Start Menu. Click with your right mouse button and on the drop down menu, open it with "Run as Administrator."

    B. When you do this, a box opens and asks if you want this program to make changes to your computer. Click Yes. Then it opens Explorer.

    C. Go up to the menu (If you don't see one, then click on gray bar just under the dark blue Internet Explorer Bar with your right mouse and check menu). On the Menu bar, go to Tools and then at the drop down menu, click on Internet Options.

    D. Then select the tab, Connections, then LAN settings and REMOVE THE CHECK from USE PROXY SERVER and now CHECK AUTOMATICALLY DETECT SETTINGS. CLICK OK in LAN Setting Box and then OK in the final window. NOW IT WILL STAY since it now recognizes you as the Administrator.