popups due to malware?

Discussion in 'Malware Help (A Specialist Will Reply)' started by kmccarthy, Dec 28, 2013.

  1. kmccarthy

    kmccarthy Private E-2

    Hi,
    I am running Windows 7, 64 bit. A couple days ago I noticed I was getting internet popups and immediately knew something was wrong and suspect malware. A family member has used this major geeks site before with great results, and sent me the link for the malware removal guide (http://forums.majorgeeks.com/showthread.php?t=35407)
I am at the "installing tools and running scans" step where I have downloaded everything and will run them one by one, but I am stuck on the first one: Rogue Killer has been stuck on "checking processes... -> dllhost.exe" for the past 20 mins and I need to shut my computer off (will try again tomorrow). Is this normal?
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    No. Next time you try, make sure that ALL protection software is disabled and also close all other applications including your browser while this runs. If that does not help then skip RogueKiller and continue.
     
  3. kmccarthy

    kmccarthy Private E-2

    Hi thank you.
I realized I had double clicked Rogue Killer rather than right clicking "run as administrator". Unfortunately, I didn't realize this till I had skipped ahead. So these were my steps:
    1) ran malware bytes as instructed
    2) ran TDSS killer as instructed
    3) realized mistake with Rogue Killer and ran as administrator
    4) ran hitman pro as instructed
    5) ran MGtools as instructed
    all logs attached

    I am not sure if my computer is "fixed" yet since I turned on my computer and mainly ran scans so it didn't have much opportunity to have any suspicious popups.
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Malwarebytes removed a lot of junk but there is some more to do.

    Please download OTM by Old Timer and save it to your Desktop.
    • Run OTM.exe by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select Run As Administrator).
    • Copy the lines from the below codebox to the clipboard by highlighting ALL of them and pressing CTRL + C
      (or, after highlighting, right-click and choose Copy): Do not include the word Code: which is just a title line of
      the code box
    Code:
    :Processes
    explorer.exe
    
    :Files
    C:\ProgramData\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}
    C:\Users\Basil\AppData\Local\Wajam
    C:\Users\Basil\AppData\Roaming\Mozilla\Firefox\Profiles\rf4qt2yt.default\extensions\plugin@yontoo.com
    C:\ProgramData\Wincert
    C:\Program Files (x86)\Search Results Toolbar
    C:\Windows\TEMP\*.*
    C:\Users\Basil\AppData\Local\Temp\*.*
    
    :Reg
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4AA46D49-459F-4358-B4D1-169048547C23}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\s]
    :Commands
    [purity]
    [EmptyTemp]
    [start explorer]
    [Reboot]
• Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Now click the large http://forums.majorgeeks.com/chaslang/images/MoveIt!.png button.
    • If OTM asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
    • Close OTM.
    Now navigate to the C:\_OTM\MovedFiles folder ( assuming your Windows drive is C). This is where your log will be
    saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach
    this log file to your next message.

    Now please download Junkware Removal Tool to your desktop.
    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
    • The tool will open and start scanning your system.
    • Note: That JRT may reset your home page to a google default so you will need to restore your home page setting if this happens.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Attach JRT.txt to your next message.
    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • the C:\_OTM\MovedFiles log
• the JRT.TXT log
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  5. kmccarthy

    kmccarthy Private E-2

    thank you.
    I did all the steps and attached the logs.
    I tried browsing the internet to see if I was still getting popups, and I am.
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

With which browsers? Chrome? Firefox? Internet Explorer? All of them (you need to check, but only open one at any given time)?

    Also please download OTL by OldTimer.
    • Save it to your desktop.
• Double-click on the OTL icon on your desktop to run it. (Note: if using Vista, Win7 or Win8 use right-click and select Run as Administrator)
    • Check the "Scan All Users" checkbox.
    • Check the "Standard Output".
    • Change the setting of "Drivers" and "Services" to "All"
    • Copy the text in the code box below and paste it into the http://img14.imageshack.us/img14/66/otlcustomfix.png text-field.
      Code:
      activex
      netsvcs
      drives
      
    • Now click the http://img171.imageshack.us/img171/2405/runscanotl.png button.
    • One report will be created:
      • OTL.txt <-- Will be opened
    • Attach OTL.txt to your next message. (How to attach)
     
  7. kmccarthy

    kmccarthy Private E-2

It's when I use Firefox (I only use Firefox).
Also, I had to click one of the other suggested links to download OTL since the browser would switch over to the Google homepage any time I tried to click download.
     

    Attached Files:

    • OTL.Txt
      File size:
      309.5 KB
      Views:
      2
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

My point was that I needed you to test all of them. ;) So I'm not sure if you tested all of them based on this answer. It will help me know whether your problem is simply that Firefox is corrupted and that it is not really a hiding malware issue. If all of them had the exact same problem then it would more likely be malware. But again only one should be running at any given time. I think your Chrome installation was also impacted but not IE which is quite common. IE has less issues than Chrome and Firefox.

    Uninstall the below program. If you do not find it or it will not uninstall, just keep going.
    BrowseSmart


    Now check for BrowseSmart addon in Firefox:

Open Mozilla Firefox. Go to Tools → Add-ons. Select Extensions. Choose the BrowseSmart toolbar, then click the Disable or Remove button to remove it.


    Now check for BrowseSmart extension in Google Chrome:

    Open Google Chrome, click on Chrome menu button. Go to Tools → Extensions, select BrowseSmart toolbar and click trashcan icon to remove it.



    Now shut down your protection software (antivirus, antispyware...etc) to avoid possible conflicts.
    Code:
    :OTL
    FF - prefs.js..extensions.enabledAddons: firefox%40browsesmart.net:1.0.0
    CHR - Extension: BrowseSmart = C:\Users\Basil\AppData\Local\Google\Chrome\User Data\Default\Extensions\ippenodjaoidmkkfdlmdhofiebnpjddb\1.0.0_0\
    [2013/12/06 15:59:04 | 000,007,355 | ---- | M] () (No name found) -- C:\Users\Basil\AppData\Roaming\mozilla\firefox\profiles\2z0tytho.default\extensions\firefox@browsesmart.net.xpi
    [2013/12/06 15:59:04 | 000,007,355 | ---- | M] () (No name found) -- C:\Users\Basil\AppData\Roaming\mozilla\firefox\profiles\rf4qt2yt.default\extensions\firefox@browsesmart.net.xpi
    [2012/08/08 22:05:35 | 000,001,234 | ---- | M] () -- C:\Users\Basil\AppData\Roaming\mozilla\firefox\profiles\2z0tytho.default\searchplugins\search-the-web.xml
    :Files
    C:\Program Files (x86)\BrowseSmart
    :Reg
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BrowseSmart]
    :Commands
    [PURITY]
    [EMPTYTEMP] 
    [EMPTYFLASH]
    
    [REBOOT]
    • Now click the http://img3.imageshack.us/img3/407/otlrunfix.png button.
    • If the fix needed a reboot please do it.
    • Click the OK button (upon reboot).
    • When OTL is finished, Notepad will open. Close Notepad.
    • A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    • Attach this log to your next message. (See: How to attach)
    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • the log from OTL
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!

    If the problem still occurs after doing the above then run the below:

    Reset Firefox to Defaults

    Then exit Firefox and reload to see if anything has changed.
     
    Last edited: Dec 31, 2013
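The OTL fix above removes BrowseSmart partly by clearing the Firefox `extensions.enabledAddons` preference entry `firefox%40browsesmart.net:1.0.0`. As an added illustration (not part of the thread or of OTL), the script below parses that preference out of a prefs.js file, URL-decodes the add-on IDs, and flags any ID that is not on an allow-list, which is a quick way to review a profile for leftover adware add-ons. The prefs.js text, the Yontoo version number and the allow-list are constructed for this example.

```python
import re
from urllib.parse import unquote

# Constructed prefs.js excerpt modelled on the thread's OTL entry
# (firefox%40browsesmart.net:1.0.0); the other entries are illustrative.
SAMPLE_PREFS_JS = r'''
user_pref("browser.startup.homepage", "http://www.google.com/");
user_pref("extensions.enabledAddons", "firefox%40browsesmart.net:1.0.0,plugin%40yontoo.com:1.20.02,%7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:26.0");
'''

# Assumed allow-list for this example: add-on IDs the profile owner recognises.
KNOWN_GOOD = {"{972ce4c6-7e08-4474-a285-3208198ce6fd}"}  # default Firefox theme

PREF_RE = re.compile(r'user_pref\("extensions\.enabledAddons",\s*"([^"]*)"\);')


def parse_enabled_addons(prefs_text):
    """Return [(addon_id, version), ...] from the extensions.enabledAddons pref.

    Entries are comma-separated and URL-encoded ('%40' is '@', '%7B' is '{'),
    with the version after the last ':'.  An absent or empty pref yields [].
    """
    m = PREF_RE.search(prefs_text)
    if not m or not m.group(1):
        return []
    result = []
    for entry in m.group(1).split(","):
        addon_id, sep, version = unquote(entry).rpartition(":")
        if not sep:                      # no version component present
            addon_id, version = version, ""
        result.append((addon_id, version))
    return result


def flag_unknown_addons(prefs_text, known_good=KNOWN_GOOD):
    """Return enabled add-on IDs that are not on the allow-list, for review."""
    return [aid for aid, _ in parse_enabled_addons(prefs_text)
            if aid not in known_good]


if __name__ == "__main__":
    for aid, ver in parse_enabled_addons(SAMPLE_PREFS_JS):
        status = "known" if aid in KNOWN_GOOD else "REVIEW"
        print(f"{status:6} {aid} {ver}")
```

On a real machine, read the profile's prefs.js (with Firefox closed) and pass its contents in place of the sample; each flagged ID corresponds to an .xpi or folder under the profile's extensions directory, as the OTL lines above show for BrowseSmart.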
  9. kmccarthy

    kmccarthy Private E-2

    thank you very much!! i think it's fixed!
You were right, I didn't check the other browsers. When I did though, IE and Chrome didn't have any pop-ups, so it must have been just Firefox that was corrupted.
    After uninstalling BrowseSmart, IE and Firefox did not show BrowseSmart to remove.
I realized the OTL file I had was actually called "OTL.com" and didn't have the option to run as administrator (perhaps because I had to download from a different link since the malware must have blocked the original link?). So I was able to download OTL.exe from the original link and run as administrator.
    I've attached the 2 files.
If my computer is fixed, is there anything I have to restore back to defaults?
     

    Attached Files:

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You did not run the Fix with OTL. You ran a scan. You need to finish the fix to remove more items related to BrowseSmart


    Also you did not attach the proper log that I requested from MGtools. Only MGlogs.zip should be attached and nothing from the C:\MGtools folder unless requested.
     
  11. kmccarthy

    kmccarthy Private E-2

Sorry about that. I hope this is what you were looking for.
     

    Attached Files:

  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay that's much better. Now things look good.


    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware.
2. Re-enable your Disk Emulation software with Defogger if you had disabled it in step 4 of the READ & RUN ME.
    3. Go to add/remove programs and uninstall HijackThis. If you don't see it or it will not uninstall, don't worry about it. Just move on to the next step.
4. If running Vista, Win 7 or Win 8, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
5. Now go to the C:\MGtools folder and find the MGclean.bat file. Double click (if running Vista, Win7, or Win 8, right click and Run As Administrator) on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    6. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    7. If you are running Win 8, Win 7, Vista, Windows XP or Windows ME, do the below to flush restore points:
• Refer to the instructions for your Windows version in this link: Disable And Enable System Restore
      • What we want you to do is to first disable System Restore to flush restore points some of which could be infected.
      • Then we want you to Enable System Restore to create a new clean Restore Point.
8. After doing the above, you should work through the below link:
     
  13. kmccarthy

    kmccarthy Private E-2

    all done, thank you so much!
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely!
     
