Getting Pop-ups and New tabs opening

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by vantheman, Mar 16, 2014.

  1. vantheman

    vantheman Private E-2

    Sometimes when opening Firefox I get the untrusted connection message even though I am just opening my home page (https://www.google.com/).
    Logs are attached. Thanks in advance for your help.
     

    Attached Files:

  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Not finding much in the way of malware, however, let's do this:

    Download OTM by Old Timer and save it to your Desktop.

    • Right-click OTM.exe and select "Run as administrator" to run it.
    • Paste the following code under the Paste List of Files/Folders to Move area. Do not include the word Code.

    Code:
    :Processes
    explorer.exe
    
    :Files
    C:\WINDOWS\Tasks\At1.job
    C:\WINDOWS\Tasks\at2.job
    C:\WINDOWS\Tasks\at3.job
    C:\WINDOWS\Tasks\at4.job
    C:\Documents and Settings\Compaq_Owner.HOME\Local Settings\Temp\*.*
    C:\WINDOWS\Temp\*.*
    
    :Commands
    [purity]
    [ResetHosts]
    [emptytemp]
    [start explorer]
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Push the large [IMG] button.
    • OTM may ask to reboot the machine. Please do so if asked.
    • Copy everything in the Results window (under the green bar), and paste it in your next reply.

    Now navigate to the C:\_OTM\MovedFiles folder ( assuming your Windows drive is C). This is where your log will be saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach this log file to your next message.

    Be sure to tell me how things are running.
     
  3. vantheman

    vantheman Private E-2

    Thanks Tim,
    Here is the copy from the results window:

    Log file is also attached.
    Really appreciated your help!
     

    Attached Files:

    Last edited by a moderator: Mar 22, 2014
  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Let's do the following:

    SaveDailyDeals <<< This needs to be uninstalled.

    Now rerun RogueKiller and have it fix these items:
    Code:
    ¤¤¤ Registry Entries : ¤¤¤ 
    [RUN][SUSP PATH] HKCU\[...]\Run : ContentExplorer ("C:\Documents and Settings\Compaq_Owner.HOME\Application Data\ContentExplorer\ContentExplorer.exe" [7]) -> FOUND 
    [RUN][SUSP PATH] HKCU\[...]\Run : LVMaintenance (C:\Documents and Settings\Compaq_Owner.HOME\Application Data\LVMaintenance\LVMaintenance.exe [7]) -> FOUND 
    [RUN][SUSP PATH] HKUS\S-1-5-21-326230193-3217102083-1583786809-1008\[...]\Run : ContentExplorer ("C:\Documents and Settings\Compaq_Owner.HOME\Application Data\ContentExplorer\ContentExplorer.exe" [7]) -> FOUND 
    [RUN][SUSP PATH] HKUS\S-1-5-21-326230193-3217102083-1583786809-1008\[...]\Run : LVMaintenance (C:\Documents and Settings\Compaq_Owner.HOME\Application Data\LVMaintenance\LVMaintenance.exe [7]) -> FOUND 
    Rerun OTM.
    • Right-click OTM.exe and select "Run as administrator" to run it.
    • Paste the following code under the Paste List of Files/Folders to Move area. Do not include the word Code.
    Code:
    :Processes
    explorer.exe
    :files
    C:\Documents and Settings\All Users\Start Menu\Programs\SaveDailyDeals
    C:\Program Files\SaveDailyDeals Updater
    C:\Program Files\SaveDailyDeals
    C:\Documents and Settings\Compaq_Owner.HOME\Application Data\ContentExplorer
    C:\Documents and Settings\Compaq_Owner.HOME\Application Data\LVMaintenance
    C:\WINDOWS\Tasks\SaveDailyDeals updater.job
    :Commands
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Push the large [IMG] button.
    • OTM may ask to reboot the machine. Please do so if asked.
    • Copy everything in the Results window (under the green bar), and paste it in your next reply.
    Now navigate to the C:\_OTM\MovedFiles folder ( assuming your Windows drive is C). This is where your log will be saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach this log file to your next message.

    Now to make sure, copy just the bold text below to Notepad (do not include any space above the word REGEDIT). Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above to the registry. If you do not get a success message, it definitely did not work.


    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click; use right click and select Run As Administrator). Make sure that you watch for the license agreement for TrendMicro HijackThis and click on the Accept button TWICE to accept (yes, twice).
    Then attach the below logs:
    * C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
    Last edited by a moderator: Mar 22, 2014
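As an added example (not part of the thread, and not code from OTM, RogueKiller or MGtools), the PowerShell script below does a read-only triage of the three things the fixes in posts 2 and 4 act on: the hosts file that [ResetHosts] replaces, the legacy .job files under C:\WINDOWS\Tasks that the first OTM script moved, and the per-user Run keys whose targets RogueKiller tagged [SUSP PATH] because they sit under Application Data instead of Program Files or Windows. It assumes PowerShell 2.0 or later on the affected machine and that the Windows drive is C:; the function names and the "trusted roots" heuristic are this example's own, not RogueKiller's. Nothing here modifies the system, so it can be run before and after a cleanup to confirm what changed.

```powershell
# Added example: read-only triage of hosts file, legacy .job tasks and Run keys.
# Assumes PowerShell 2.0+; nothing below modifies the system.

# 1. Hosts file: report active lines other than the loopback defaults. A stock
#    hosts file has no other active entries, so anything listed deserves a look.
function Get-NonDefaultHostsEntries {
    param([string]$Path = (Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'))
    $results = @()
    foreach ($line in (Get-Content -Path $Path -ErrorAction Stop)) {
        $text = ($line -split '#')[0].Trim()            # strip comments
        if ($text -match '^(\S+)\s+(.+)$') {
            $address = $Matches[1]; $names = $Matches[2]
            $isLoopback = @('127.0.0.1', '::1') -contains $address
            if (-not ($isLoopback -and $names -match '^localhost(\s|$)')) {
                $results += New-Object PSObject -Property @{ Address = $address; Names = $names }
            }
        }
    }
    return $results
}

# 2. Legacy scheduled tasks: every .job file in the Tasks folder with timestamps.
#    At1.job..At4.job are the generic names the AT command assigns, which is
#    worth noticing when the owner never scheduled anything.
function Get-LegacyJobFiles {
    param([string]$Path = (Join-Path $env:SystemRoot 'Tasks'))
    Get-ChildItem -Path $Path -Filter '*.job' -ErrorAction SilentlyContinue |
        Select-Object Name, Length, CreationTime, LastWriteTime
}

# 3. Run keys: flag entries whose executable lives outside Program Files / Windows
#    (the kind of entry RogueKiller reports as [SUSP PATH]). Covers HKCU, HKLM and
#    the per-SID copies under HKEY_USERS that RogueKiller lists as HKUS\S-1-5-21-...
function Get-RunEntriesWithPathCheck {
    $trustedRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:SystemRoot) | Where-Object { $_ }
    if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }
    $runKeys = @('HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run')
    $runKeys += Get-ChildItem -Path 'HKU:\' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -like 'S-1-5-21-*' -and $_.PSChildName -notlike '*_Classes' } |
        ForEach-Object { "HKU:\$($_.PSChildName)\Software\Microsoft\Windows\CurrentVersion\Run" }

    foreach ($key in $runKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($prop in $props.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }     # provider metadata, not a Run value
            $command = [string]$prop.Value
            # The executable is the quoted first token, or else the first whitespace-delimited token.
            if ($command -match '^\s*"([^"]+)"') { $exe = $Matches[1] }
            else { $exe = ($command.Trim() -split '\s+')[0] }
            $exe = [Environment]::ExpandEnvironmentVariables($exe)
            $trusted = $false
            foreach ($root in $trustedRoots) {
                if ($exe.StartsWith($root + '\', [StringComparison]::OrdinalIgnoreCase)) { $trusted = $true }
            }
            $exists = $false
            if ($exe) { $exists = Test-Path -LiteralPath $exe -ErrorAction SilentlyContinue }
            New-Object PSObject -Property @{
                Key            = $key
                Name           = $prop.Name
                Target         = $exe
                TargetExists   = $exists
                SuspiciousPath = (-not $trusted)
            }
        }
    }
}

'--- Non-default hosts entries ---'
Get-NonDefaultHostsEntries | Format-Table -AutoSize
'--- .job files in the Tasks folder ---'
Get-LegacyJobFiles | Format-Table -AutoSize
'--- Run entries (SuspiciousPath = target outside Program Files / Windows) ---'
Get-RunEntriesWithPathCheck | Sort-Object SuspiciousPath -Descending |
    Format-Table Key, Name, Target, TargetExists, SuspiciousPath -AutoSize
```

A Run entry with SuspiciousPath set to True is not proof of anything on its own, since some legitimate updaters install under the profile; it is the same prompt for a closer look that the [SUSP PATH] tag gives, and after the OTM fix above runs, the same entries should show TargetExists as False or disappear from the Run key entirely.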
  5. vantheman

    vantheman Private E-2

    Hi Tim,

    My 1st reply (I see) did not show the results you had asked for, so here they are again (hopefully):

    All processes killed
    ========== PROCESSES ==========
    No active process named explorer.exe was found!
    ========== FILES ==========
    C:\WINDOWS\Tasks\At1.job moved successfully.
    C:\WINDOWS\Tasks\At2.job moved successfully.
    C:\WINDOWS\Tasks\At3.job moved successfully.
    C:\WINDOWS\Tasks\At4.job moved successfully.
    Unable to locate HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce key.
    DllUnregisterServer procedure not found in C:\Documents and Settings\Compaq_Owner.HOME\Local Settings\Temp\IadHide5.dll
    DllUnregisterServer procedure not found in C:\Documents and Settings\Compaq_Owner.HOME\Local Settings\Temp\ntdll_dump.dll
    Unable to locate HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce key.
    C:\Documents and Settings\Compaq_Owner.HOME\Local Settings\Temp\AdobeARM.log moved successfully.
    C:\Documents and Settings\Compaq_Owner.HOME\Local Settings\Temp\Arabic.bin moved successfully.
    C:\Documents and Settings\Compaq_Owner.HOME\Local Settings\Temp\cepatch.zip moved successfully.
    C:\Documents and Settings\Compaq_Owner.HOME\Local Settings\Temp\ce_update.exe moved successfully.
    C:\Documents and Settings\Compaq_Owner.HOME\Local Settings\Temp\ct_2001.exe moved successfully.
    C:\Documents and Settings\Compaq_Owner.HOME\Local Settings\Temp\Czech.bin moved successfully.
    C:\Documents and Settings\Compaq_Owner.HOME\Local Settings\Temp\Danish.bin moved successfully.
    C:\Documents and Settings\Compaq_Owner.HOME\Local Settings\Temp\DIO10.tmp moved successfully.
    C:\Documents and Settings\Compaq_Owner.HOME\Local Settings\Temp\DIO11.tmp moved successfully.
    C:\Documents and Settings\Compaq_Owner.HOME\Local Settings\Temp\DIOD.tmp moved successfully.
    C:\Documents and Settings\Compaq_Owner.HOME\Local Settings\Temp\DIOE.tmp moved successfully.
    C:\Documents and Settings\Compaq_Owner.HOME\Local Settings\Temp\Dutch.bin moved successfully.
    C:\Documents and Settings\Compaq_Owner.HOME\Local Settings\Temp\English.bin moved successfully.
    C:\Documents and Settings\Compaq_Owner.HOME\Local Settings\Temp\Finnish.bin moved successfully.
    C:\Documents and Settings\Compaq_Owner.HOME\Local Settings\Temp\French.bin moved successfully.
    C:\Documents and Settings\Compaq_Owner.HOME\Local Settings\Temp\German.bin moved successfully.
    C:\Documents and Settings\Compaq_Owner.HOME\Local Settings\Temp\Greek.bin moved successfully.
    C:\Documents and Settings\Compaq_Owner.HOME\Local Settings\Temp\Hebrew.bin moved successfully.
    File move failed. C:\Documents and Settings\Compaq_Owner.HOME\Local Settings\Temp\hpodvd09.log scheduled to be moved on reboot.
    C:\Documents and Settings\Compaq_Owner.HOME\Local Settings\Temp\hpqddusr.log moved successfully.
    C:\Documents and Settings\Compaq_Owner.HOME\Local Settings\Temp\HPWUCl000.log moved successfully.
    C:\Documents and Settings\Compaq_Owner.HOME\Local Settings\Temp\Hungarian.bin moved successfully.
    C:\Documents and Settings\Compaq_Owner.HOME\Local Settings\Temp\IadHide5.dll moved successfully.
    C:\Documents and Settings\Compaq_Owner.HOME\Local Settings\Temp\Italian.bin moved successfully.
    C:\Documents and Settings\Compaq_Owner.HOME\Local Settings\Temp\Japanese.bin moved successfully.
    C:\Documents and Settings\Compaq_Owner.HOME\Local Settings\Temp\Korean.bin moved successfully.
    C:\Documents and Settings\Compaq_Owner.HOME\Local Settings\Temp\Lithuanian.bin moved successfully.
    C:\Documents and Settings\Compaq_Owner.HOME\Local Settings\Temp\MAR7.tmp moved successfully.
    C:\Documents and Settings\Compaq_Owner.HOME\Local Settings\Temp\MAR8.tmp moved successfully.
    C:\Documents and Settings\Compaq_Owner.HOME\Local Settings\Temp\MAR9.tmp moved successfully.
    C:\Documents and Settings\Compaq_Owner.HOME\Local Settings\Temp\MARB.tmp moved successfully.
    C:\Documents and Settings\Compaq_Owner.HOME\Local Settings\Temp\Norwegian.bin moved successfully.
    C:\Documents and Settings\Compaq_Owner.HOME\Local Settings\Temp\ntdll_dump.dll moved successfully.
    File move failed. C:\Documents and Settings\Compaq_Owner.HOME\Local Settings\Temp\Perflib_Perfdata_c08.dat scheduled to be moved on reboot.
    C:\Documents and Settings\Compaq_Owner.HOME\Local Settings\Temp\Polish.bin moved successfully.
    C:\Documents and Settings\Compaq_Owner.HOME\Local Settings\Temp\Portuguese(Brazil).bin moved successfully.
    C:\Documents and Settings\Compaq_Owner.HOME\Local Settings\Temp\Portuguese.bin moved successfully.
    C:\Documents and Settings\Compaq_Owner.HOME\Local Settings\Temp\RedboxLog.txt moved successfully.
    C:\Documents and Settings\Compaq_Owner.HOME\Local Settings\Temp\Russian.bin moved successfully.
    C:\Documents and Settings\Compaq_Owner.HOME\Local Settings\Temp\SimChin.bin moved successfully.
    C:\Documents and Settings\Compaq_Owner.HOME\Local Settings\Temp\Slovenian.bin moved successfully.
    C:\Documents and Settings\Compaq_Owner.HOME\Local Settings\Temp\Spanish.bin moved successfully.
    C:\Documents and Settings\Compaq_Owner.HOME\Local Settings\Temp\SWEDISH.bin moved successfully.
    C:\Documents and Settings\Compaq_Owner.HOME\Local Settings\Temp\Thai.bin moved successfully.
    C:\Documents and Settings\Compaq_Owner.HOME\Local Settings\Temp\TradChin.bin moved successfully.
    C:\Documents and Settings\Compaq_Owner.HOME\Local Settings\Temp\Turkish.bin moved successfully.
    C:\WINDOWS\Temp\hpqddsvc.log moved successfully.
    C:\WINDOWS\Temp\MpCmdRun.log moved successfully.
    C:\WINDOWS\Temp\MpSigStub.log moved successfully.
    C:\WINDOWS\Temp\wuredist.cab moved successfully.
    ========== COMMANDS ==========
    C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
    HOSTS file reset successfully

    [EMPTYTEMP]

    User: All Users

    User: Compaq_Owner

    • I don't know if they're still relevant at this point.
    • I have uninstalled SaveDailyDeals using the program uninstaller, did not get any type of confirmation message but I checked the Programs file and it was gone.
    It wasn't clear to me about using RogueKiller, I clicked on Fix Host, Fix Proxy and Fix DNS buttons. There were more entries in the Registry area, PUM ones that I deselected.
    Arrrggh... too literal in following the instructions so I clicked the reboot button before copying the results window:-o
    • OTM Log is attached.
    • I did get a confirmation that the FixMe info. has been successfully entered into registry
    • C:\MGlogs.zip is attached

    I'll use the computer for a couple of days and post anything I find odd.

    Thanks for your continuing help and patience!
     

    Attached Files:

  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Just let me know how things are running.
     
