Author Topic: Url:Mal pop-ups from seemly sound sources  (Read 37239 times)

0 Members and 1 Guest are viewing this topic.

jeffce

  • Guest
Re: Url:Mal pop-ups from seemly sound sources
« Reply #45 on: June 08, 2012, 03:47:46 AM »
Hi,

Could you visit VirusTotal found here >> https://www.virustotal.com

When you get to the page there will be a link under the Scan It! button named Scan a URL.  Please select that and then copy/paste the URL that you are getting the popups with there and select Scan It!  Attach the results to your next reply.  :)

Sprey

  • Guest
Re: Url:Mal pop-ups from seemly sound sources
« Reply #46 on: June 08, 2012, 11:16:39 AM »
Ok I've done a scan of the URL on the last pop-up I received. You must understand, though, that a variety of links are blocked, and with a few different programs as sources, though they are often along similar lines to each other (in this example, other certificates from Microsoft are blocked not just this one). Results were as expected, all show "clean site"...

https://www.virustotal.com/url/bfe2db86d6a31e2106fe6b8f8f33b8450d62aa1ed10a530c3ca8d20d14142c67/analysis/1339146922/


jeffce

  • Guest
Re: Url:Mal pop-ups from seemly sound sources
« Reply #47 on: June 08, 2012, 01:47:03 PM »
Hi,

I just wanted to verify it.... :)

Please download MBRCheck.exe to your desktop.
  • Be sure to disable your security programs
  • Double click on the file to run it (Vista and Windows 7 users will have to confirm the UAC prompt)
  • A window will open on your desktop
  • if an unknown bootcode is found you will have further options available to you, at this time press N then press Enter[/i] twice.
  • If nothing unusual is found just press Enter[/i]
  • A .txt file named MBRCheck_mm.dd.yy_hh.mm.ss should appear on your desktop. 
  • Please post the contents of that file.

Sprey

  • Guest
Re: Url:Mal pop-ups from seemly sound sources
« Reply #48 on: June 08, 2012, 03:36:36 PM »
here you go :)

jeffce

  • Guest
Re: Url:Mal pop-ups from seemly sound sources
« Reply #49 on: June 08, 2012, 04:27:49 PM »
Please delete the copy of OTL that you have and then download a fresh copy and attach the new log that is created.

Are you using a specific browser when the popups occur?  If so which one(s)?

Sprey

  • Guest
Re: Url:Mal pop-ups from seemly sound sources
« Reply #50 on: June 08, 2012, 07:28:42 PM »
Attached is the quick scan log with purity and lop not checked.

And... Well I use chrome, but I've had popups when using internet explorer as well, and we've already re-installed chrome as a possible fix remember :)

jeffce

  • Guest
Re: Url:Mal pop-ups from seemly sound sources
« Reply #51 on: June 08, 2012, 07:33:38 PM »
Quote
we've already re-installed chrome as a possible fix remember
:)  Yep...  Let me look this over and I will return as quickly as I can. 

jeffce

  • Guest
Re: Url:Mal pop-ups from seemly sound sources
« Reply #52 on: June 08, 2012, 07:56:07 PM »
Hi,

I need some information on some unidentified files. We will use Virustotal Please submit these files for analysis

To submit a file to virustotal, please click  VirusTotal

Press Choose File and then browse to the following file: (one at a time if more than one file is listed)

C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\OFFICEVIRT.EXE

Once you locate the file select it and press Open now press Scan it!.

Now Copy/Paste the link to the results showing in the web browser bar to your next reply so that I can take a look at the results.

Please note that sometimes the scans take a few minutes. Please ensure that the scan has completed and the results are complete before submitting the next sample. Also please make sure each result is clearly identified as to which sample they belong to.
----------


jeffce

  • Guest
Re: Url:Mal pop-ups from seemly sound sources
« Reply #54 on: June 08, 2012, 11:01:08 PM »
Hi,

Please run ERUNT to get a new back up of your registry. 

Next

Run OTL.exe
  • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL

Code: [Select]
:Services

:OTL
IE:[b]64bit:[/b] - HKLM\..\SearchScopes,DefaultScope = {E0BC8645-5242-49F3-A1E6-B9C966A70D75}
IE:[b]64bit:[/b] - HKLM\..\SearchScopes\{E0BC8645-5242-49F3-A1E6-B9C966A70D75}: "URL" = http://www.bing.com/search?q={searchTerms}&form=DLCDF8&pc=MDDC&src=IE-SearchBox
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
IE - HKLM\..\SearchScopes,DefaultScope = {E0BC8645-5242-49F3-A1E6-B9C966A70D75}
IE - HKLM\..\SearchScopes\{E0BC8645-5242-49F3-A1E6-B9C966A70D75}: "URL" = http://www.bing.com/search?q={searchTerms}&form=DLCDF8&pc=MDDC&src=IE-SearchBox
IE - HKU\S-1-5-21-326096136-1704205804-531090515-1002\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://uk.msn.com/?ocid=iehp
IE - HKU\S-1-5-21-326096136-1704205804-531090515-1002\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-GB
IE - HKU\S-1-5-21-326096136-1704205804-531090515-1002\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 9B 03 17 84 F5 3F CD 01  [binary data]
IE - HKU\S-1-5-21-326096136-1704205804-531090515-1002\..\SearchScopes,DefaultScope = {E0BC8645-5242-49F3-A1E6-B9C966A70D75}
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O16:[b]64bit:[/b] - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)
O16:[b]64bit:[/b] - DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)
O16:[b]64bit:[/b] - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 129.234.4.13 129.234.4.9
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{BF406FD8-6BC1-41D2-96A0-8E6AE001EA64}: DhcpNameServer = 129.234.4.13 129.234.4.9

:Files
dir C:\Windows\AxInstSV /s /c
ipconfig /flushdns /c

:Commands
[purity]
[emptytemp]
[resethosts]
[start explorer]
[Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • Then run a new scan and post a new OTL log ( don't check the boxes beside LOP Check or Purity this time )

Sprey

  • Guest
Re: Url:Mal pop-ups from seemly sound sources
« Reply #55 on: June 08, 2012, 11:20:52 PM »
Ok, I've attached the log for you. [-]For the first time in a while I haven't had a popup when opening my internet for the first time[/-] (though that by no means means that the problem is gone, I know...) :P

EDIT: I'm getting popups again, but it was nice to have five minutes respite!!
« Last Edit: June 08, 2012, 11:28:08 PM by Sprey »

jeffce

  • Guest
Re: Url:Mal pop-ups from seemly sound sources
« Reply #56 on: June 09, 2012, 02:28:20 AM »
Please run a fresh scan with OTL 

Under the Custom Scan box paste this in and then press Quick Scan

netsvcs
%systemroot%\*. /rp /s
%SYSTEMDRIVE%\*.exe
/md5start
consrv.dll
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop


Attach the new log.  :)
« Last Edit: June 09, 2012, 03:57:52 AM by jeffce »

Sprey

  • Guest
Re: Url:Mal pop-ups from seemly sound sources
« Reply #57 on: June 09, 2012, 12:47:59 PM »
Attached the log for you.

jeffce

  • Guest
Re: Url:Mal pop-ups from seemly sound sources
« Reply #58 on: June 10, 2012, 02:35:25 AM »
Hi,

When you ran OTL the very first time there should have been a log made Extras.txt created.  Could you attach that please? 

If you don't have it please do the following...

Please open OTL.
  • Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, click the None button near the top (it may looked greyed out)
  • In the Extra Registry section change it to All
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
When the scan completes, it will open 2 notepad windows, OTL.Txt and Extra.txt. Please attach the Extra.txt.
----------

Sprey

  • Guest
Re: Url:Mal pop-ups from seemly sound sources
« Reply #59 on: June 10, 2012, 04:43:27 AM »
Ok, so first time round no extras.txt was generated, so I followed your advice and now an extras.txt and otl.txt file are attached for you...