Author Topic: Url:Mal pop-ups from seemly sound sources  (Read 38136 times)

jeffce

  • Guest
Re: Url:Mal pop-ups from seemly sound sources
« Reply #45 on: June 08, 2012, 03:47:46 AM »
Hi,

Could you visit VirusTotal found here >> https://www.virustotal.com

When you get to the page there will be a link under the Scan It! button named Scan a URL.  Please select that and then copy/paste the URL that you are getting the popups with there and select Scan It!  Attach the results to your next reply.  :)

Sprey

  • Guest
Re: Url:Mal pop-ups from seemly sound sources
« Reply #46 on: June 08, 2012, 11:16:39 AM »
Ok I've done a scan of the URL on the last pop-up I received. You must understand, though, that a variety of links are blocked, and with a few different programs as sources, though they are often along similar lines to each other (in this example, other certificates from Microsoft are blocked not just this one). Results were as expected, all show "clean site"...

https://www.virustotal.com/url/bfe2db86d6a31e2106fe6b8f8f33b8450d62aa1ed10a530c3ca8d20d14142c67/analysis/1339146922/


jeffce

  • Guest
Re: Url:Mal pop-ups from seemly sound sources
« Reply #47 on: June 08, 2012, 01:47:03 PM »
Hi,

I just wanted to verify it.... :)

Please download MBRCheck.exe to your desktop.
  • Be sure to disable your security programs
  • Double click on the file to run it (Vista and Windows 7 users will have to confirm the UAC prompt)
  • A window will open on your desktop
  • If an unknown bootcode is found you will have further options available to you; at this time press N then press Enter twice.
  • If nothing unusual is found just press Enter
  • A .txt file named MBRCheck_mm.dd.yy_hh.mm.ss should appear on your desktop.
  • Please post the contents of that file.

Sprey

  • Guest
Re: Url:Mal pop-ups from seemly sound sources
« Reply #48 on: June 08, 2012, 03:36:36 PM »
here you go :)

jeffce

  • Guest
Re: Url:Mal pop-ups from seemly sound sources
« Reply #49 on: June 08, 2012, 04:27:49 PM »
Please delete the copy of OTL that you have and then download a fresh copy and attach the new log that is created.

Are you using a specific browser when the popups occur?  If so which one(s)?

Sprey

  • Guest
Re: Url:Mal pop-ups from seemly sound sources
« Reply #50 on: June 08, 2012, 07:28:42 PM »
Attached is the quick scan log with purity and lop not checked.

And... Well I use Chrome, but I've had popups when using Internet Explorer as well, and we've already re-installed Chrome as a possible fix, remember :)

jeffce

  • Guest
Re: Url:Mal pop-ups from seemly sound sources
« Reply #51 on: June 08, 2012, 07:33:38 PM »
Quote
we've already re-installed chrome as a possible fix remember
:)  Yep...  Let me look this over and I will return as quickly as I can. 

jeffce

  • Guest
Re: Url:Mal pop-ups from seemly sound sources
« Reply #52 on: June 08, 2012, 07:56:07 PM »
Hi,

I need some information on some unidentified files. We will use VirusTotal. Please submit these files for analysis.

To submit a file to VirusTotal, please click VirusTotal

Press Choose File and then browse to the following file: (one at a time if more than one file is listed)

C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\OFFICEVIRT.EXE

Once you locate the file, select it and press Open. Now press Scan it!

Now Copy/Paste the link to the results showing in the web browser bar to your next reply so that I can take a look at the results.

Please note that sometimes the scans take a few minutes. Please ensure that the scan has completed and the results are complete before submitting the next sample. Also please make sure each result is clearly identified as to which sample they belong to.
----------


jeffce

  • Guest
Re: Url:Mal pop-ups from seemly sound sources
« Reply #54 on: June 08, 2012, 11:01:08 PM »
Hi,

Please run ERUNT to get a new back up of your registry. 

Next

Run OTL.exe
  • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL

Code:
:Services

:OTL
IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {E0BC8645-5242-49F3-A1E6-B9C966A70D75}
IE:64bit: - HKLM\..\SearchScopes\{E0BC8645-5242-49F3-A1E6-B9C966A70D75}: "URL" = http://www.bing.com/search?q={searchTerms}&form=DLCDF8&pc=MDDC&src=IE-SearchBox
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
IE - HKLM\..\SearchScopes,DefaultScope = {E0BC8645-5242-49F3-A1E6-B9C966A70D75}
IE - HKLM\..\SearchScopes\{E0BC8645-5242-49F3-A1E6-B9C966A70D75}: "URL" = http://www.bing.com/search?q={searchTerms}&form=DLCDF8&pc=MDDC&src=IE-SearchBox
IE - HKU\S-1-5-21-326096136-1704205804-531090515-1002\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://uk.msn.com/?ocid=iehp
IE - HKU\S-1-5-21-326096136-1704205804-531090515-1002\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-GB
IE - HKU\S-1-5-21-326096136-1704205804-531090515-1002\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 9B 03 17 84 F5 3F CD 01  [binary data]
IE - HKU\S-1-5-21-326096136-1704205804-531090515-1002\..\SearchScopes,DefaultScope = {E0BC8645-5242-49F3-A1E6-B9C966A70D75}
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O16:64bit: - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)
O16:64bit: - DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)
O16:64bit: - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 129.234.4.13 129.234.4.9
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{BF406FD8-6BC1-41D2-96A0-8E6AE001EA64}: DhcpNameServer = 129.234.4.13 129.234.4.9

:Files
dir C:\Windows\AxInstSV /s /c
ipconfig /flushdns /c

:Commands
[purity]
[emptytemp]
[resethosts]
[start explorer]
[Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • Then run a new scan and post a new OTL log (don't check the boxes beside LOP Check or Purity this time)

Sprey

  • Guest
Re: Url:Mal pop-ups from seemly sound sources
« Reply #55 on: June 08, 2012, 11:20:52 PM »
Ok, I've attached the log for you. [-]For the first time in a while I haven't had a popup when opening my internet for the first time[/-] (though that by no means means that the problem is gone, I know...) :P

EDIT: I'm getting popups again, but it was nice to have five minutes respite!!
« Last Edit: June 08, 2012, 11:28:08 PM by Sprey »

jeffce

  • Guest
Re: Url:Mal pop-ups from seemly sound sources
« Reply #56 on: June 09, 2012, 02:28:20 AM »
Please run a fresh scan with OTL 

Under the Custom Scan box paste this in and then press Quick Scan

netsvcs
%systemroot%\*. /rp /s
%SYSTEMDRIVE%\*.exe
/md5start
consrv.dll
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop


Attach the new log.  :)
« Last Edit: June 09, 2012, 03:57:52 AM by jeffce »
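
The custom scan in the reply above lists five system files between /md5start and /md5stop so that their MD5 hashes appear in the OTL log. As an added example (not part of the original thread and not OTL's own code), the Python below performs the same kind of check by hand: it hashes every copy of those files under a directory tree and flags any copy whose hash is not in a known-good list. The function names and the `known_good` dictionary are assumptions made for illustration; the known-good hashes would have to come from a clean machine running the same Windows build.

```python
import hashlib
import os

# File names taken from the /md5start ... /md5stop list in the post above.
TARGETS = {"consrv.dll", "explorer.exe", "winlogon.exe", "userinit.exe", "svchost.exe"}

def file_md5(path, chunk=1 << 20):
    """MD5 of a file, read in chunks so large binaries are not loaded whole.
    MD5 is used only so the values can be compared with the hashes in the log."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def hash_named_files(root, names=TARGETS):
    """Return {lowercase name: [(path, md5), ...]} for every copy under root.
    Windows file names are case-insensitive, so names are matched in lowercase."""
    wanted = {n.lower() for n in names}
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn.lower() in wanted:
                path = os.path.join(dirpath, fn)
                try:
                    digest = file_md5(path)
                except OSError:
                    digest = None  # unreadable: locked or access denied
                found.setdefault(fn.lower(), []).append((path, digest))
    return found

def unknown_copies(found, known_good):
    """Return (path, md5) pairs that are unreadable or whose hash is not in
    known_good[name], a hypothetical {name: [md5, ...]} reference list."""
    flagged = []
    for name, copies in sorted(found.items()):
        allowed = {h.lower() for h in known_good.get(name, ())}
        flagged += [(p, d) for p, d in sorted(copies) if d is None or d not in allowed]
    return flagged

if __name__ == "__main__":
    root = os.environ.get("SystemRoot", r"C:\Windows")
    for name, copies in sorted(hash_named_files(root).items()):
        for path, digest in copies:
            print(f"{digest}  {path}")
```

Several legitimate copies of the same file name normally exist (for example 32-bit and 64-bit builds), so a differing hash is a reason to look closer, not proof of tampering.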

Sprey

  • Guest
Re: Url:Mal pop-ups from seemly sound sources
« Reply #57 on: June 09, 2012, 12:47:59 PM »
Attached the log for you.

jeffce

  • Guest
Re: Url:Mal pop-ups from seemly sound sources
« Reply #58 on: June 10, 2012, 02:35:25 AM »
Hi,

When you ran OTL the very first time there should have been a log named Extras.txt created.  Could you attach that please?

If you don't have it please do the following...

Please open OTL.
  • Make sure all other windows are closed and let it run uninterrupted.
  • When the window appears, click the None button near the top (it may look greyed out)
  • In the Extra Registry section change it to All
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
When the scan completes, it will open 2 notepad windows, OTL.Txt and Extra.txt. Please attach the Extra.txt.
----------

Sprey

  • Guest
Re: Url:Mal pop-ups from seemly sound sources
« Reply #59 on: June 10, 2012, 04:43:27 AM »
Ok, so first time round no extras.txt was generated, so I followed your advice and now an extras.txt and otl.txt file are attached for you...