L corner pop up / ad.yieldmanager and fhserve

[parkmano]

Hi SuperDave,

I am getting continual pop ups that is a square in the L hand corner and when I scroll over it the link it shows either says ad.yieldmanager or fhserve, or nothing at all.  And now I am also getting a white rectangle in the R hand corner that also pops up on certain pages.   Most of the time they both pop up. 

Attached is my log/

Many thanks! I have no idea how to get this blasted thing off of my computer!

[recovering disk space, attachment deleted by admin]

[SuperDave]

Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer.

1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
2. The fixes are specific to your problem and should only be used for this issue on this machine.
3. If you don't know or understand something, please don't hesitate to ask.
4. Please DO NOT run any other tools or scans while I am helping you.
5. It is important that you reply to this thread. Do not start a new topic.
6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
7. Absence of symptoms does not mean that everything is clear.

If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.
*************************************************************************
Please download AdwCleaner by Xplode onto your Desktop.

• Double click on AdwCleaner.exe to run the tool.
  
• Click on Search.
  
• A logfile will automatically open after the scan has finished.
• Please post the content of that logfile in your reply.
• You can find the logfile at C:\AdwCleaner[Rn].txt as well - n is the order number.

*********************************************
Please download Malwarebytes Anti-Malware from here.
Double Click mbam-setup.exe to install the application.

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select "Perform Full Scan", then click Scan.
  
• The scan may take some time to finish,so please be patient.
• When the scan is complete, click OK, then Show Results to view the results.
• Make sure that everything is checked, and click Remove Selected.
  
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
• Please save the log to a location you will remember.
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
• Copy and paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
*************************************************
Update Your Java (JRE)

Old versions of Java have vulnerabilities that malware can use to infect your system.

First Verify your Java Version

If there are any other version(s) installed then update now.

Get the new version (if needed)

If your version is out of date install the newest version of the Sun Java Runtime Environment.

Note: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

Be sure to close ALL open web browsers before starting the installation.

Remove any old versions

1. Download JavaRa and unzip the file to your Desktop.
2. Open JavaRA.exe and choose Remove Older Versions
3. Once complete exit JavaRA.

Additional Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and reboot your computer.

[parkmano]

Step 1 reply ::
Copy and pasted (and also attached)/ Will post Malwarebytes read once finished.

# AdwCleaner v2.115 - Logfile created 03/19/2013 at 18:12:35
# Updated 17/03/2013 by Xplode
# Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)
# User : MP - MP-PC
# Boot Mode : Normal
# Running from : C:\Users\MP\Downloads\adwcleaner.exe
# Option [Search]


***** [Services] *****


***** [Files / Folders] *****

File Found : C:\Users\MP\AppData\Roaming\Mozilla\Firefox\Profiles\w2q8psc8.default\searchplugins\search.xml

***** [Registry] *****

Key Found : HKCU\Software\Zugo

***** [Internet Browsers] *****

-\\ Internet Explorer v10.0.9200.16521

[OK] Registry is clean.

-\\ Mozilla Firefox v19.0.2 (en-US)

File : C:\Users\MP\AppData\Roaming\Mozilla\Firefox\Profiles\w2q8psc8.default\prefs.js

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [801 octets] - [19/03/2013 18:12:35]

########## EOF - C:\AdwCleaner[R1].txt - [860 octets] ##########

[recovering disk space, attachment deleted by admin]

[parkmano]

Hi,

This is the code after my scan.  There was nothing detected to delete. 

Still hopeful! Now on to the extra steps.
Start log (also attached)/

Malwarebytes Anti-Malware 1.70.0.1100
www.malwarebytes.org

Database version: v2013.03.20.01

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 10.0.9200.16521
MP :: MP-PC [administrator]

3/19/2013 6:20:58 PM
mbam-log-2013-03-19 (18-20-58).txt

Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 395608
Time elapsed: 1 hour(s), 22 minute(s), 40 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)


[recovering disk space, attachment deleted by admin]

[SuperDave]

Download Security Check by screen317 from one of the following links and save it to your desktop.

Link 1
Link 2

* Double-click Security Check.bat
* Follow the on-screen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt
* Post the contents of that document in your next reply.

Note: If a security program requests permission from dig.exe to access the Internet, allow it to do so.
*************************************************************************
Download Combofix from any of the links below, and save it to your DESKTOP. 
If your version of Windows defaults to you download folder you will need to copy it to your desktop.

Link 1
Link 2
Link 3

To prevent your anti-virus application interfering with  ComboFix we need to disable it. See here for a tutorial regarding how to do so if you are unsure.

• Close any open windows and double click ComboFix.exe to run it.
  
  You will see the following image:
  

Click I Agree to start the program.

ComboFix will then extract the necessary files and you will see this:



As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to  have this pre-installed on your machine before doing any malware  removal. This will not occur in Windows Vista and 7

It will allow you to boot up into a special recovery/repair  mode that will allow us to more easily help you should your computer  have a problem after an attempted removal of malware.

If you did not have it installed, you will see the prompt below. Choose YES.



Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).

Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

Note: Please Do NOT mouseclick combofix's window while its running because it may cause it to stall.

[parkmano]

Hey SuperDave,

Here is the log from Security Check.bat/ and further below is the log from Combo Fix/  I have also attached both log files (.txt).
Start log/
Results of screen317's Security Check version 0.99.61 
 Windows 7 Service Pack 1 x64 (UAC is enabled) 
 Internet Explorer 9 
``````````````Antivirus/Firewall Check:``````````````[/u]
 Windows Firewall Enabled! 
Microsoft Security Essentials   
 Antivirus up to date! 
`````````Anti-malware/Other Utilities Check:`````````[/u]
 Malwarebytes Anti-Malware version 1.70.0.1100 
 Adobe Flash Player 11.6.602.180 
 Adobe Reader 9 
 Adobe Reader XI 
 Mozilla Firefox (19.0.2)
````````Process Check: objlist.exe by Laurent````````[/u] 
 Microsoft Security Essentials MSMpEng.exe
 Microsoft Security Essentials msseces.exe
`````````````````System Health check`````````````````[/u]
 Total Fragmentation on Drive C: 0%
````````````````````End of Log``````````````````````[/u]

Combo Fix log/
Start log/
ComboFix 13-03-20.02 - MP 03/20/2013  21:16:48.1.2 - x64
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.3032.1351 [GMT -7:00]
Running from: c:\users\MP\Downloads\ComboFix.exe
AV: Microsoft Security Essentials *Enabled/Updated* {3F839487-C7A2-C958-E30C-E2825BA31FB5}
SP: Microsoft Security Essentials *Enabled/Updated* {84E27563-E198-C6D6-D9BC-D9F020245508}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\MP\AppData\Roaming\Mozilla\Firefox\Profiles\w2q8psc8.default\searchplugins\bing-zugo.xml
.
.
(((((((((((((((((((((((((   Files Created from 2013-02-21 to 2013-03-21  )))))))))))))))))))))))))))))))
.
.
2013-03-21 05:05 . 2013-03-21 05:05   --------   d-----w-   c:\users\Default\AppData\Local\temp
2013-03-21 03:52 . 2013-02-14 05:51   972264   ----a-w-   c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{4A164E8B-C5D6-4C01-AEF5-C8342410F1FB}\gapaengine.dll
2013-03-21 03:52 . 2013-03-15 06:28   9311288   ----a-w-   c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{3ED3BF2C-F00C-4406-BFC1-D64B78D31E04}\mpengine.dll
2013-03-20 05:57 . 2013-03-20 05:57   193968   ----a-w-   c:\windows\system32\javaws.exe
2013-03-20 05:57 . 2013-03-20 05:57   172976   ----a-w-   c:\windows\system32\javaw.exe
2013-03-20 05:57 . 2013-03-20 05:57   172976   ----a-w-   c:\windows\system32\java.exe
2013-03-20 05:57 . 2013-03-20 05:57   544688   ----a-w-   c:\windows\system32\npdeployJava1.dll
2013-03-20 05:57 . 2013-03-20 05:57   526256   ----a-w-   c:\windows\system32\deployJava1.dll
2013-03-20 05:57 . 2013-03-20 05:57   --------   d-----w-   c:\program files\Java
2013-03-20 01:20 . 2013-03-20 01:20   --------   d-----w-   c:\users\MP\AppData\Roaming\Malwarebytes
2013-03-20 01:19 . 2013-03-20 01:19   --------   d-----w-   c:\programdata\Malwarebytes
2013-03-20 01:19 . 2013-03-20 01:19   --------   d-----w-   c:\program files (x86)\Malwarebytes' Anti-Malware
2013-03-20 01:19 . 2012-12-14 23:49   24176   ----a-w-   c:\windows\system32\drivers\mbam.sys
2013-03-20 01:18 . 2013-03-20 01:18   --------   d-----w-   c:\users\MP\AppData\Local\Programs
2013-03-19 10:15 . 2013-02-08 00:28   9162192   ----a-w-   c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2013-03-14 10:01 . 2013-03-14 10:01   --------   d-----w-   c:\program files\Microsoft Silverlight
2013-03-14 10:01 . 2013-03-14 10:01   --------   d-----w-   c:\program files (x86)\Microsoft Silverlight
2013-03-13 01:18 . 2013-02-14 05:51   972264   ----a-w-   c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
2013-03-13 01:18 . 2013-02-14 05:51   972264   ------w-   c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{AED5F436-D4B4-4F07-BF78-DA450CAFB275}\gapaengine.dll
2013-02-28 05:28 . 2013-03-20 05:54   --------   d-----w-   c:\programdata\Spybot - Search & Destroy
2013-02-28 05:28 . 2013-03-20 05:54   --------   d-----w-   c:\program files (x86)\Spybot - Search & Destroy
2013-02-27 11:00 . 2013-01-13 20:09   249856   ----a-w-   c:\windows\SysWow64\d3d10_1core.dll
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-03-14 10:03 . 2010-05-07 05:00   72013344   ----a-w-   c:\windows\system32\MRT.exe
2013-03-14 03:19 . 2012-08-05 23:24   693976   ----a-w-   c:\windows\SysWow64\FlashPlayerApp.exe
2013-03-14 03:19 . 2011-09-10 18:03   73432   ----a-w-   c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-02-12 05:45 . 2013-03-13 05:25   135168   ----a-w-   c:\windows\apppatch\AppPatch64\AcXtrnal.dll
2013-02-12 05:45 . 2013-03-13 05:25   308736   ----a-w-   c:\windows\apppatch\AppPatch64\AcGenral.dll
2013-02-12 05:45 . 2013-03-13 05:25   350208   ----a-w-   c:\windows\apppatch\AppPatch64\AcLayers.dll
2013-02-12 05:45 . 2013-03-13 05:25   111104   ----a-w-   c:\windows\apppatch\AppPatch64\acspecfc.dll
2013-02-12 04:48 . 2013-03-13 05:25   474112   ----a-w-   c:\windows\apppatch\AcSpecfc.dll
2013-02-12 04:48 . 2013-03-13 05:25   2176512   ----a-w-   c:\windows\apppatch\AcGenral.dll
2013-01-20 23:59 . 2013-01-20 23:59   230320   ----a-w-   c:\windows\system32\drivers\MpFilter.sys
2013-01-20 23:59 . 2012-08-31 06:03   130008   ----a-w-   c:\windows\system32\drivers\NisDrvWFP.sys
2013-01-17 09:28 . 2010-07-01 02:09   273840   ------w-   c:\windows\system32\MpSigStub.exe
2013-01-08 05:32 . 2013-02-14 03:08   9161176   ----a-w-   c:\programdata\Microsoft\Windows Defender\Definition Updates\{B5CB9964-D7E3-44DB-9856-86FFC4E61EE0}\mpengine.dll
2013-01-05 05:53 . 2013-02-14 03:14   5553512   ----a-w-   c:\windows\system32\ntoskrnl.exe
2013-01-05 05:00 . 2013-02-14 03:14   3967848   ----a-w-   c:\windows\SysWow64\ntkrnlpa.exe
2013-01-05 05:00 . 2013-02-14 03:14   3913064   ----a-w-   c:\windows\SysWow64\ntoskrnl.exe
2013-01-04 05:46 . 2013-02-14 03:14   215040   ----a-w-   c:\windows\system32\winsrv.dll
2013-01-04 04:51 . 2013-02-14 03:14   5120   ----a-w-   c:\windows\SysWow64\wow32.dll
2013-01-04 04:43 . 2013-02-14 03:14   44032   ----a-w-   c:\windows\apppatch\acwow64.dll
2013-01-04 03:26 . 2013-02-14 03:14   3153408   ----a-w-   c:\windows\system32\win32k.sys
2013-01-04 02:47 . 2013-02-14 03:14   25600   ----a-w-   c:\windows\SysWow64\setup16.exe
2013-01-04 02:47 . 2013-02-14 03:14   7680   ----a-w-   c:\windows\SysWow64\instnm.exe
2013-01-04 02:47 . 2013-02-14 03:14   2048   ----a-w-   c:\windows\SysWow64\user.exe
2013-01-04 02:47 . 2013-02-14 03:14   14336   ----a-w-   c:\windows\SysWow64\ntvdm64.dll
2013-01-03 06:00 . 2013-02-14 03:14   1913192   ----a-w-   c:\windows\system32\drivers\tcpip.sys
2013-01-03 06:00 . 2013-02-14 03:14   288088   ----a-w-   c:\windows\system32\drivers\FWPKCLNT.SYS
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files (x86)\Skype\Phone\Skype.exe" [2012-07-13 17418928]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1475584]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Dell DataSafe Online"="c:\program files (x86)\Dell DataSafe Online\DataSafeOnline.exe" [2009-11-13 1807600]
"PDVDDXSrv"="c:\program files (x86)\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2009-12-29 140520]
"Dell Webcam Central"="c:\program files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" [2009-06-24 409744]
"Desktop Disc Tool"="c:\program files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe" [2009-10-15 498160]
"DellSupportCenter"="c:\program files (x86)\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-11-28 59280]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-18 946352]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2012-10-25 421888]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-12-12 152544]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
"c:\program files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe"="c:\program files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe" [2011-10-05 559616]
.
c:\users\MP\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-12-15 1324384]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
McAfee Security Scan Plus.lnk - c:\program files (x86)\McAfee Security Scan\3.0.318\SSScheduler.exe [2013-2-5 272248]
.
c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-12-15 1324384]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"mixer"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2012-07-13 160944]
R3 Detect3SYS;Detect3SYS;c:\users\MP\AppData\Local\Temp\Temp2-Fg7e4-Hostscan\detect3SYS.sys

R3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files (x86)\McAfee Security Scan\3.0.318\McCHSvc.exe [2013-02-05 235216]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2012-02-15 52736]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-04-30 1255736]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [2009-07-09 55280]
S2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [2009-06-09 155648]
S2 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2013-01-20 130008]
S2 SftService;SoftThinks Agent Service;c:\program files (x86)\Dell DataSafe Local Backup\sftservice.EXE [2011-08-18 1692480]
S2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [2009-12-17 497856]
S3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\DRIVERS\CtClsFlt.sys [2009-06-15 172704]
S3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [2013-01-27 379360]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [2009-05-08 215552]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys [2009-05-20 393728]
.
.
Contents of the 'Scheduled Tasks' folder
.
2013-03-21 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-08-05 03:19]
.
2013-02-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3047106280-4143791459-3762946256-1001Core1ce0c84a0e84ecc.job
- c:\users\MP\AppData\Local\Google\Update\GoogleUpdate.exe [2010-04-21 03:36]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2009-01-23 305664]
"SysTrayApp"="c:\program files\IDT\WDM\sttray64.exe" [2009-06-29 444416]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-06-30 165912]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-06-30 385560]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-06-30 365080]
"Broadcom Wireless Manager UI"="c:\program files\Dell\Dell Wireless WLAN Card\WLTRAY.exe" [2009-07-17 4968960]
"IAAnotif"="c:\program files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-06-05 186904]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2013-01-27 1281512]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost  - LocalService
FontCache
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\MP\AppData\Roaming\Mozilla\Firefox\Profiles\w2q8psc8.default\
FF - prefs.js: browser.startup.homepage - hxxps://www.google.com/accounts/ServiceLogin?service=mail&passive=true&rm=false&continue=https%3A%2F%2Fmail.google.com%2Fmail%2F%3Fui%3Dhtml%26zy%3Dl&bsv=1eic6yu9oa4y3&ss=1&scc=1&ltmpl=default&ltmplcache=2&hl=en|http://www.govolsxtra.com/|http://www.tennessee.rivals.com/|http://espn.go.com/
FF - prefs.js: keyword.URL - hxxp://www.oovoostart.com/s/?src=FF-Address&site=Bing&cfg=2-201-0-0&engine_id=1&provider_id=1&product_id=201&country=US&q=
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
Wow6432Node-HKCU-Run-RESTART_STICKY_NOTES - c:\windows\System32\StikyNot.exe
Wow6432Node-HKCU-Run-MobileDocuments - c:\program files (x86)\Common Files\Apple\Internet Services\ubd.exe
SafeBoot-mcmscsvc
SafeBoot-MCODS
Toolbar-Locked - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-3047106280-4143791459-3762946256-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eml\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.Email.1"
.
[HKEY_USERS\S-1-5-21-3047106280-4143791459-3762946256-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vcf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.VCard.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_6_602_180_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_6_602_180_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_180.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_180.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_180.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_180.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2013-03-20  22:08:51
ComboFix-quarantined-files.txt  2013-03-21 05:08
.
Pre-Run: 143,554,187,264 bytes free
Post-Run: 143,939,014,656 bytes free
.
- - End Of File - - B92E410E21F92CD3BFFF980710EA8E39


[recovering disk space, attachment deleted by admin]

[SuperDave]

Are you still getting the pop-ups?

Please download Rooter and Save it to your desktop.

• Double click it to start the tool.Vista and Windows7 run as administrator.
• Click Scan.
  
• Eventually, a Notepad file containing the report will open, also found at C:\Rooter.txt. Post that log in your next reply.
  

***************************************

• Download RogueKiller on the desktop
  
• Close all the running programs
• Windows Vista/7 users: right click on RogueKiller.exe, click Run as Administrator
  
• Otherwise just double-click on RogueKiller.exe
  
• Pre-scan will start. Let it finish.
• Click on SCAN button.
  
• A report (RKreport.txt) should open. Post its content in your next reply. (RKreport could also be found on your desktop)
  
• If RogueKiller has been blocked, do not hesitate to try a few times more. If really won't run, rename it to winlogon.exe (or winlogon.com) and try again
  

[parkmano]

YES!!! The popups are no longer popping up. Thank you very much for all the detailed instructions.  I'll continue on with the next steps.

[parkmano]

SuperDave,

Here is the log to the Rooter_1 and then the RKreports 1 and 2.  I have also attached the .txt files, if needed.

Many thanks!

* Start Rooter_1 log/

Rooter.exe (v1.0.2) by Eric_71
.
The token does not have the SeDebugPrivilege privilege ! (error:1300)
Can not acquire SeDebugPrivilege !
Please run the tool as administrator ..
.
Windows 7 Home Edition (6.1.7601) Service Pack 1
[32_bits] - Intel64 Family 6 Model 23 Stepping 10, GenuineIntel
.
Error OpenService (wscsvc) : 6
Error OpenSCManager : 5
Error OpenService (MpsSvc) : 6
Windows Defender -> Enabled
User Account Control (UAC) -> Enabled
.
Internet Explorer 9.10.9200.16521
Mozilla Firefox 19.0.2 (en-US)
.
C:\  [Fixed-NTFS] .. ( Total:218 Go - Free:129 Go )
D:\  [CD_Rom]
.
Scan : 20:12.22
Path : C:\Users\MP\Downloads\Rooter.exe
User : MP ( Administrator -> YES )
.
----------------------\\ Processes
.
Locked [System Process] (0)
Locked System (4)
Locked smss.exe (312)
Locked csrss.exe (408)
Locked wininit.exe (476)
Locked csrss.exe (488)
Locked services.exe (536)
Locked winlogon.exe (560)
Locked lsass.exe (588)
Locked lsm.exe (600)
Locked svchost.exe (692)
Locked svchost.exe (768)
Locked MsMpEng.exe (852)
Locked svchost.exe (932)
Locked svchost.exe (968)
Locked svchost.exe (996)
Locked svchost.exe (112)
Locked stacsv64.exe (400)
Locked DockLogin.exe (1260)
Locked vpnagent.exe (1320)
Locked svchost.exe (1364)
Locked wlanext.exe (1456)
Locked conhost.exe (1464)
Locked WLTRYSVC.EXE (1488)
Locked BCMWLTRY.EXE (1540)
Locked spoolsv.exe (1608)
Locked svchost.exe (1636)
Locked armsvc.exe (1712)
Locked AppleMobileDeviceService.exe (1764)
Locked mDNSResponder.exe (1852)
Locked svchost.exe (1884)
Locked SeaPort.exe (2028)
Locked SftService.exe (1204)
Locked svchost.exe (1432)
Locked WLIDSVC.EXE (2056)
Locked IAANTmon.exe (2092)
Locked WLIDSVCM.EXE (2164)
Locked NisSrv.exe (2508)
______ ? (2840)
______ ? (2904)
______ ? (2936)
Locked Toaster.exe (2676)
Locked STService.exe (2772)
______ ? (2776)
______ ? (2784)
Locked DSUpd.exe (3144)
Locked ApMsgFwd.exe (3212)
______ ? (3432)
______ ? (3520)
______ ? (3528)
______ ? (3576)
______ ? (3624)
______ C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe (3640)
______ ? (3764)
______ ? (3788)
Locked SearchIndexer.exe (3836)
______ ? (3868)
______ ? (3280)
______ C:\Program Files (x86)\Skype\Phone\Skype.exe (3340)
______ ? (3356)
______ C:\Program Files (x86)\McAfee Security Scan\3.0.318\SSScheduler.exe (2236)
______ ? (2812)
______ ? (3756)
______ C:\Program Files (x86)\Dell DataSafe Online\DataSafeOnline.exe (3152)
______ C:\Program Files (x86)\CyberLink\PowerDVD DX\PDVDDXSrv.exe (3168)
______ C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe (4224)
______ C:\Program Files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe (4248)
______ C:\Program Files (x86)\Dell Support Center\bin\sprtcmd.exe (4304)
______ C:\Program Files (x86)\iTunes\iTunesHelper.exe (4372)
Locked iPodService.exe (4808)
Locked sprtsvc.exe (4460)
Locked wmpnetwk.exe (4644)
______ ? (3936)
Locked svchost.exe (3404)
______ C:\Program Files (x86)\Mozilla Firefox\firefox.exe (2216)
______ C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe (6148)
______ C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe (6192)
______ C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe (6212)
______ C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe (6544)
______ C:\Users\MP\AppData\Local\Google\Google Talk Plugin\googletalkplugin.exe (6572)
Locked WmiPrvSE.exe (5948)
Locked SearchProtocolHost.exe (3116)
Locked SearchFilterHost.exe (3208)
______ C:\Users\MP\Downloads\Rooter.exe (6540)
Locked taskhost.exe (6304)
.
----------------------\\ Device\Harddisk0\
.
\Device\Harddisk0 [Sectors : 63 x 512 Bytes]
.
\Device\Harddisk0\Partition1 (Start_Offset:32256 | Length:41094144)
\Device\Harddisk0\Partition2 --[ MBR ]-- (Start_Offset:41943040 | Length:15728640000)
\Device\Harddisk0\Partition3 (Start_Offset:15770583040 | Length:234287718400)
.
----------------------\\ Scheduled Tasks
.
C:\Windows\Tasks\Adobe Flash Player Updater.job
C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3047106280-4143791459-3762946256-1001Core1ce0c84a0e84ecc.job
C:\Windows\Tasks\SA.DAT
C:\Windows\Tasks\SCHEDLGU.TXT
.
----------------------\\ Registry
.
.
----------------------\\ Files & Folders
.
----------------------\\ Scan completed at 20:12.33
.
C:\Rooter$\Rooter_1.txt - (21/03/2013 | 20:12.33)


* End Rooter_1 log/

*Start RKreport [1] log/
RogueKiller V8.5.4 [Mar 18 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : MP [Admin rights]
Mode : Scan -- Date : 03/21/2013 20:16:08
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 5 ¤¤¤
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJPOL] HKLM\[...]\Wow6432Node\System : DisableRegistryTools (0) -> FOUND
[HJ DESK] HKCU\[...]\ClassicStartMenu : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts

127.0.0.1       localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST9250315AS +++++
--- User ---
[MBR] 6c909fcee3b7c7c8a34657c5292f3fca
[BSP] c23e3143548f958391da41bdc6837df3 : Windows Vista MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 39 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 81920 | Size: 15000 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 30801920 | Size: 223434 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[1]_S_03212013_02d2016.txt >>
RKreport[1]_S_03212013_02d2016.txt



* End RKreport [1] log/

* Start RKreport [2] log/
RogueKiller V8.5.4 [Mar 18 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : MP [Admin rights]
Mode : Remove -- Date : 03/21/2013 20:19:52
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 4 ¤¤¤
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> DELETED
[HJ DESK] HKCU\[...]\ClassicStartMenu : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts

127.0.0.1       localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST9250315AS +++++
--- User ---
[MBR] 6c909fcee3b7c7c8a34657c5292f3fca
[BSP] c23e3143548f958391da41bdc6837df3 : Windows Vista MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 39 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 81920 | Size: 15000 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 30801920 | Size: 223434 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[2]_D_03212013_02d2019.txt >>
RKreport[1]_S_03212013_02d2016.txt ; RKreport[2]_D_03212013_02d2019.txt



* End RKreport [2]/

THANKS!

[recovering disk space, attachment deleted by admin]

[SuperDave]

I'd like to scan your machine with ESET OnlineScan

•Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan

•Click the button.
•For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

• Click on to download the ESET Smart Installer. Save it to your desktop.
  
• Double click on the icon on your desktop.
  

•Check
•Click the button.
•Accept any security warnings from your browser.

• Leave the check mark next to Remove found threats.
  

•Check
•Push the Start button.
•ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
•When the scan completes, push
•Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
•Push the button.
•Push
A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt