Annoying pop-ups in all browsers in bottom right/left corner

[OCD]

Hi anton_ego,

Still a few steps to be sure we have gotten all of the malware. :bigthumb:

=========================

1. Malwarebytes' Anti-Malware

Locate Malwarebytes' Anti-Malware (it should be on your desktop).
If not, download it here

• Right click and select "Run as Administrator" mbam-setup.exe and follow the prompts to run the program..
• Once the program has loaded, select the Update tab to get the latest updates before performing the scan.
• Select Perform quick scan, then click Scan.
  
  
  
  
  
  
• When the scan is complete, click OK, then Show Results to view the results.
• Be sure that everything is checked, and click Remove Selected .
• When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
• Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.

=========================

2. ESET Online Scanner

*Note:

• It is recommended to disable on-board antivirus program and anti-spyware programs while performing scans so there are no conflicts and it will speed up scan time.
• Please don't go surfing while your resident protection is disabled!
• Once the scan is finished remember to re-enable your antivirus along with your anti-spyware programs.

** You need to run your browser with Administrator Rights, to do so right click your browsers short cut and select "Run as Administrator".

= = = = = = = = = = = = = = = = = = = =

Go here to run ESET Online Scanner

(Note: You can use Internet Explorer or FireFox for this scan. If you use FireFox you will be asked to install an additional component. Please allow this.)

• Tick the box next to YES, I accept the Terms of Use.
• Click Start
• When asked, allow the activex control to install
• Disable your Antivirus software. You can usually do this with its Notfication Tray icon near the clock
• Click Start
• Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is Checked.
• Click Scan.
• Wait for the scan to finish.
• When the scan completes, click List of found threats
• click Export to Text file and save the file to your desktop using a unique name, such as ESETScan.
• Include the contents of this report in your next reply
  
  Note - when ESET doesn't find any threats, no report will be created.
  
• Push the back button.
• Push Finish
• Re-enable your Antivirus software.

=========================

In your next post please provide the following:

• MBAM log
• ESET's log.txt
• Any remaining issues?

 

[anton_ego]

Hi OCD.

It seems like there is no big threat anymore. I am attaching the files you asked for.

MBAM.txt

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.06.03.08

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 10.0.9200.16576
Sundhar :: SUNDHAR-PC [administrator]

03-06-2013 22:33:39
mbam-log-2013-06-03 (22-33-39).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 275224
Time elapsed: 4 minute(s), 32 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

---

ESETScan.txt

C:\Users\Sundhar\Downloads\cbsidlm-cbsi5_3_0_96-KMPlayer-BP-10659939.exe probably a variant of Win32/CNETInstaller.A application
C:\Users\Sundhar\Downloads\cbsidlm-tr1_11-Desktop_Richie-SEO-10382006.exe Win32/DownloadAdmin.G application
C:\Users\Sundhar\Downloads\cbsidlm-tr1_6-LiveCricket-10912597.exe Win32/DownloadAdmin.G application

---

Those are some apps I downloaded, which I don't need anymore. Thanks a lot anyway. I hope we are finally done. System seems to be clean now. Booting is a little faster than earlier.

If there is anymore check up needed, let me know.

BR,
SS

 

[OCD]

Hi anton_ego,

1. Run OTL.exe

Windows Vista and Windows 7 users Right Click and select "Run as Administrator"

• Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL
  
  

  :Files
  C:\Users\Sundhar\Downloads\cbsidlm-cbsi5_3_0_96-KMPlayer-BP-10659939.exe
  C:\Users\Sundhar\Downloads\cbsidlm-tr1_11-Desktop_Richie-SEO-10382006.exe
  C:\Users\Sundhar\Downloads\cbsidlm-tr1_6-LiveCricket-10912597.exe
  
  :Commands
  [purity]
  [createrestorepoint]
  [emptyjava]
  [emptyflash]
  [emptytemp]
  [Reboot]

• Then click the Run Fix button at the top
• Let the program run unhindered, reboot when it is done
• Then re-run OTL and post a new OTL log ( don't check the boxes beside LOP Check or Purity this time )

=========================

In your next post please provide the following:

• OTL fix log

 

[anton_ego]

Hi OCD.

Pardon my late reply. Here are the new log file from OTL.

---

OTL.txt

All processes killed
========== FILES ==========
File\Folder C:\Users\Sundhar\Downloads\cbsidlm-cbsi5_3_0_96-KMPlayer-BP-10659939.exe not found.
File\Folder C:\Users\Sundhar\Downloads\cbsidlm-tr1_11-Desktop_Richie-SEO-10382006.exe not found.
File\Folder C:\Users\Sundhar\Downloads\cbsidlm-tr1_6-LiveCricket-10912597.exe not found.
========== COMMANDS ==========
Restore point Set: OTL Restore Point

[EMPTYJAVA]

User: All Users

User: Default

User: Default User

User: Guest

User: Public

User: Sundhar
->Java cache emptied: 5198183 bytes

User: UpdatusUser

Total Java Files Cleaned = 5.00 mb


[EMPTYFLASH]

User: All Users

User: Default

User: Default User

User: Guest

User: Public

User: Sundhar
->Flash cache emptied: 6448 bytes

User: UpdatusUser

Total Flash Files Cleaned = 0.00 mb


[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Guest
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Google Chrome cache emptied: 0 bytes

User: Public
->Temp folder emptied: 0 bytes

User: Sundhar
->Temp folder emptied: 2181523 bytes
->Temporary Internet Files folder emptied: 4804504 bytes
->Java cache emptied: 0 bytes
->Google Chrome cache emptied: 8259164 bytes
->Flash cache emptied: 0 bytes

User: UpdatusUser
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 3894 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 3142041 bytes

Total Files Cleaned = 18.00 mb


OTL by OldTimer - Version 3.2.69.0 log created on 06052013_193642

Files\Folders moved on Reboot...
C:\Users\Sundhar\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
C:\Users\Sundhar\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{98E5BDEB-4376-4547-BE41-4D0EADF6D557}.tmp moved successfully.
C:\Users\Sundhar\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat moved successfully.

PendingFileRenameOperations files...

Registry entries deleted on Reboot...

---

BR,
SS

 

[OCD]

Hi anton_ego,

Your log appears to be clean. :bigthumb:

We have a few items to take care of before we get to the All Clean Speech.

=========================

1. Uninstall Combofix

The following will implement important cleanup procedures as well as reset System Restore points:

Click on the Start button and then in the Search field enter combofix /uninstall, as shown in the image below with the blue arrow.
Please note that there is a space between combofix and /uninstall.



Once you have typed this in, press Enter on your keyboard. A Open File security warning will appear asking if you are sure you want to run ComboFix. Please click on the Run button to start the program.

ComboFix will now uninstall itself from your computer and remove any backups and quarantined files. When it has finished you will be greeted by a dialog box stating that ComboFix has been uninstalled.

=========================

2. Clean up with OTL:

• Right-click OTL.exe select "Run as Administrator" to start the program.
• Close all other programs apart from OTL as this step will require a reboot
• On the OTL main screen, press the CLEANUP button
• Say Yes to the prompt and then allow the program to reboot your computer.

=========================

3. You can now delete any tools and/or logs remaining on your desktop.

=========================

4. Disable Java in Web Browsers

There is a vulnerability with regards to Java and web browsers. Therefore, we recommend to disable java in web browsers.
More information can be found here: http://www.techsupportforum.com/forums/f50/disable-java-in-browsers-683721.html

• Click on the Start button and then click on the Control Panel option.
• In the Control Panel Search enter Java Control Panel.
• Click on the Java icon to open the Java Control Panel.

Disable Java through the Java Control Panel

• In the Java Control Panel, click on the Security tab.
• Deselect the check box for Enable Java content in the browser. This will disable the Java plug-in in the browser.
• Click Apply. When the Windows User Account Control (UAC) dialog appears, allow permissions to make the changes.
• Click OK in the Java Plug-in confirmation window.
• Restart the browser for changes to take effect.

=========================

With the above items taken care of let's move on to the All Clean part of the process.

This infection appears to have been cleaned, but I can not give you any absolute guarantees. As a precaution, I would go ahead and change all of your passwords as this is especially important after an infection.

Any of the logs that you created for use in the forums or remaining tools that have not yet been removed can be deleted so they aren't cluttering up your desktop.

Here are some tips to reduce the potential for spyware infection in the future:

Make your Internet Explorer more secure - This can be done by following these simple instructions:

• From within Internet Explorer click on the Tools menu and then click on Options.
• Click once on the Security tab
• Click once on the Internet icon so it becomes highlighted.
• Click once on the Custom Level button.
• Change the Download signed ActiveX controls to Prompt
• Change the Download unsigned ActiveX controls to Disable
• Change the Initialize and script ActiveX controls not marked as safe to Disable
• Change the Installation of desktop items to Prompt
• Change the Launching programs and files in an IFRAME to Prompt
• Change the Navigate sub-frames across different domains to Prompt
• When all these settings have been made, click on the OK button.
• If it prompts you as to whether or not you want to save the settings, press the Yes button.
• Next press the Apply button and then the OK to exit the Internet Properties page.

Make your Mozilla Firefox more secure - This can be done by adding these add-ons:

• NoScript
• AdBlockPlus

Use and update an anti-virus software - I can not overemphasize the need for you to use and update your anti-virus application on a regular basis. With the ever increasing number of new variants of malware arriving on the scene daily, you become very susceptible to an attack without updated protection.

Free Anti-Virus

• Avast Free Antivirus
• Avira Free Antivirus 2013
• PC Tools AntiVirus Free
• Ad-Aware Free Antivirus +

Free Firewall
Using a third-party firewall will allow you to give/deny access for applications that want to go online. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a firewall in its default configuration can lower your risk greatly. A tutorial on firewalls can be found here.

• Online Armor Free
• Agnitum Outpost Firewall Free
• Comodo Firewall

Make sure you keep your Windows OS current. Windows XP users can visit Windows update regularly to download and install any critical updates and service packs. Windows Vista/7 users can open the Start menu > All Programs > Windows Update > Check for Updates (in left hand task pane) to update these systems. Without these you are leaving the back door open.

Consider a custom hosts file such as MVPS HOSTS. This custom hosts file effectively blocks a wide range of unwanted ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and many hijackers. For information on how to download and install, please read this tutorial by WinHelp2002
Note: Be sure to follow the instructions to disable the DNS Client service before installing a custom hosts file.

WOT (Web of Trust) As "Googling" is such an integral part of internet life, this free browser add on warns you about risky websites that try to scam visitors, deliver malware or send spam. It is especially helpful when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites. WOT has an add-on available for Firefox, Internet Explorer as well as Google Chrome.

Finally, I strongly recommend that you read TonyKlein's good advice So how did I get infected in the first place?

Please reply to this thread once more if you are satisfied so that we can mark the problem as resolved.

 

[anton_ego]

Hi OCD.

The issues seem to have resolved. Thanks a lot and I am extremely grateful to you and all other contributors for helping us. You rock!

I have completed the recommendations as suggested by you. Thanks a lot again. Peace out!

BR,
SS

 

[OCD]

Hi anton_ego,

You're very welcome. Glad I was able to help. :bigthumb: Have a great day.