this popup drops what im doing and opens webpage everyday

[RaginNoob]

DO NOT CLICK!!!http://web.tofushopnews.com/g/?ilmernzkvtazn=BCAEC5119C316547&pu=&s=D-firefox&nm=ilmernzkvtazn&t=(Not a link!!!!!)
This site engages my web browser every day. I suspect its a virus down load. But cant find a way to make it stop from opening my browser. No matter what im doing this happens. Can someone tell me how to block them? I have Malwarebytes as well as avast. I scanned after it happened a few times to make sure I was clean. And nothing showed up in scans.

[essexboy]

Could you follow the steps here http://forum.avast.com/index.php?topic=53253.0
And attach the generated logs in this thread

[Pondus]

report on that link.... click Picture in top right corner    http://urlquery.net/report.php?id=4500793

[Secondmineboy]

It has javascript malware on it: http://sitecheck.sucuri.net/results/web.tofushopnews.com/g/

The Hacker is detecting this on the downloaded file in Virustotal: JS/Feebs.gen@MM

[Secondmineboy]

The Website is downloading two files called SetStretch.exe and SetStretch.cmd.

Virustotal: https://www.virustotal.com/en/file/a84b5e69527a9f91dae964ed40022a2a77c1fe45b7a381a335202ec3927d140b/analysis/1376253695/
                 https://www.virustotal.com/en/file/656912e6b3deb9fd4b6f223e9056350a77253fbda1b66df867aeda08956af342/analysis/

The files can be found in the Program (32-Bit) Folder of Windows.

I will sent them to Avast for analysis.

[Secondmineboy]

The cmd file opens the exe file (Screenshot)

[Secondmineboy]

The files look clean. 1/45 is detecting the exe file on Virustotal as Virut-Virus (Jiagnmin).

It was first submitted 2009.

Please follow the Steps from Essexboy until he gives you a clean sheet, or he gives up.

[kruegerb]

I am also having the exact same problem.  Attached are my log files.  Malwarebytes didn't find anything.

[essexboy]

Does this occur only in firefox or is it in IE as well

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

• Under the Custom Scans/Fixes box at the bottom, paste in the following
  
  
  

Code: [Select]

:Commands
[CREATERESTOREPOINT]

:OTL
[2013/05/29 18:34:21 | 000,003,723 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\safeguard-secure-search.xml
O2 - BHO: (no name) - {56E4076B-A42B-4745-BA35-34DA8AC4C2F2} - No CLSID value found.
O3 - HKU\S-1-5-21-894513301-464839021-2148896484-1000\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
O4 - HKLM..\Run: [] File not found
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Reg Error: Value error.)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Key error.)

:Commands
[resethosts]
[emptytemp]
[Reboot]

• Then click the Run Fix button at the top
  
• Let the program run unhindered, reboot the PC when it is done
• Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

[Spacy]

I'm also having the same problem with Google Chrome, it happens every day.

[essexboy]

More to the point does it occur in IE as chrome and firefox share files

[kruegerb]

Received Microsoft windows message "OTL Stopped Working" during fix.  Rebooted and ran OTL quick scan.  Results attached.

[essexboy]

Are you still getting the same problem ?

[kruegerb]

So far it hasn't come up.  We will wait and see now.  THANKS for your help!

[essexboy]

Hmm the problem with firefox is that there are so many places for the malware to hide unseen

Could you run firefox in safe mode and see if the alerts restart https://support.mozilla.org/en-US/kb/troubleshoot-firefox-issues-using-safe-mode