Help! Unknown malware: Pop-ups, ads, etc

aeaism
Newbie Poster
22 posts since Jul 2010

Hi, I have some unknown malware on my computer. When browsing online, constant annoying pop-ups and ads come up, my homepage is constantly changed to AOL for some reason, and I absolutely can't remove it. I've tried MBAM (latest one included, totally clean), Avast, AVG, Lavasoft Ad-Aware, Spybot, etc., but nothing can get rid of it. I have attached all the following required information. Please help!
I didn't have any trouble running the required steps.
I am unable to post the DDS LOG or the DDS attach or the GMER One because I am getting the following error message when trying to post them: "The code snippet in your post is formatted incorrectly. Please use the Code button in the editor toolbar when posting whitespace-sensitive text or curly braces." Should I attach them?

GMER TWO
GMER 2.1.19163 - http://www.gmer.net
Rootkit scan 2013-07-13 15:57:24
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 TOSHIBA_ rev.LH00 465.76GB
Running: u63z8etr.exe; Driver: C:\Users\3yoosh\AppData\Local\Temp\kwdiqpog.sys

---- Threads - GMER 2.1 ----

Thread C:\Windows\system32\svchost.exe [1412:3940] 000007fef59e506c
Thread C:\Windows\system32\svchost.exe [1412:3944] 000007fef6301c20
Thread C:\Windows\system32\svchost.exe [1412:3948] 000007fef6301c20
Thread C:\Windows\system32\svchost.exe [1412:3480] 000007fef7095124
Thread C:\Windows\system32\svchost.exe [1412:5928] 000007fef5a884d8
Thread C:\Windows\system32\svchost.exe [1412:5992] 000007fee72823a8
Thread C:\Windows\system32\svchost.exe [1412:6756] 000007feeada0d00
Thread C:\Windows\system32\svchost.exe [1412:7636] 000007fee71f9498
Thread C:\Windows\system32\svchost.exe [1412:8664] 000007fef8cc4164
Thread C:\Windows\system32\svchost.exe [1412:8268] 000007fee6dacb70
Thread C:\Windows\system32\svchost.exe [1412:6676] 000007fef9f41ab0
Thread C:\Windows\System32\spoolsv.exe [1728:3252] 000007fef5f810c8
Thread C:\Windows\System32\spoolsv.exe [1728:3260] 000007fef5f46144
Thread C:\Windows\System32\spoolsv.exe [1728:3264] 000007fef72a5fd0
Thread C:\Windows\System32\spoolsv.exe [1728:3268] 000007fef5f23438
Thread C:\Windows\System32\spoolsv.exe [1728:3272] 000007fef72a63ec
Thread C:\Windows\System32\spoolsv.exe [1728:3280] 000007fef6025e5c
Thread C:\Windows\System32\spoolsv.exe [1728:3288] 000007fef6055074
Thread C:\Windows\System32\spoolsv.exe [1728:3728] 000007fef60c2288
Thread C:\Windows\system32\svchost.exe [2176:1404] 000007fef59a2888
Thread C:\Windows\system32\svchost.exe [2176:5752] 000007fef59a2a40
Thread C:\Windows\SysWOW64\ntdll.dll [2628:2632] 000000000041e9fa
Thread C:\Windows\SysWOW64\ntdll.dll [2628:2712] 0000000000483580
Thread C:\Windows\SysWOW64\ntdll.dll [3460:976] 000000000042e828
Thread C:\Windows\SysWOW64\ntdll.dll [4216:4220] 000000000041953a
Thread C:\Windows\SysWOW64\ntdll.dll [4396:4400] 0000000000401292
Thread C:\Windows\System32\svchost.exe [4368:11504] 000007fef7099874
Thread C:\Windows\SysWOW64\ntdll.dll [3536:4348] 000000000059f17c
Thread C:\Windows\SysWOW64\ntdll.dll [3536:5596] 00000000005a0828
Thread C:\Windows\SysWOW64\ntdll.dll [3536:4452] 00000000005a0828
Thread C:\Windows\SysWOW64\ntdll.dll [3536:5960] 00000000005a0828
Thread C:\Windows\SysWOW64\ntdll.dll [3536:3464] 00000000005a0828
Thread C:\Windows\SysWOW64\ntdll.dll [3536:6048] 00000000005a0828
Thread C:\Windows\SysWOW64\ntdll.dll [3536:3348] 00000000005a0828
Thread C:\Windows\SysWOW64\ntdll.dll [3536:4912] 00000000005a0828
Thread C:\Windows\SysWOW64\ntdll.dll [3536:4092] 00000000005a0828
Thread C:\Windows\SysWOW64\ntdll.dll [3536:1504] 00000000005a0828

---- Registry - GMER 2.1 ----

Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager@PendingFileRenameOperations ???y.2???????????-?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.??? ???y???????????????????????7?7?7?7?7?7?7?7?7?7?7?7?????Z?Z?Z???.?.?7?7?7?7?3?7?7?7?7?7?7?7?7?7???.???0?/?3?0?0?3?7??6???1???1???7?7?7?7?7?7?7?7?7?7?7?7?7?Z?Z???.?.?7?7?7?7?7?????7????????71804372-9596-47f6-97b1-7efa743??????/?/?3?/?7?/?/?7?/???0???h?k?k?k?k???k???0???&?&?&?&?&?&?-?-?-?&?-?-?-?-?-?-?-?-?-?-?-?-?-?-?-?-?-?-?-?-?-?-?-?-?-?-?-?-?-?,?-?-?-?-?-?-?-?-?-?-?-?-?-?-?-?-?-?.?-?.?-?-?-?-?-?-?.?-?.?.?-?.?.?.?.?.?-?-?.?.?-?.?.?0?-?8?8????8???.?.??.??.?.?.?.????.??;??????.????????????????????_?~?????-?-?-?-?????????.?-?.?.???????????-?-?-??????.???????????????(???ms_vwifi????????????????????(???ms_nativewifip??????????????????8???ms_ndiscap??????????????????????ms_pacer????????????????????????ms_server???????????????????(???ms_netbios??????????????????(???ms_wfplwf???????????????????(???ms_steelhead????????????????????8???ms_rassrv???????????????????(???ms_rasman???????????????????????ms_msclient?????????????????8??

---- Disk sectors - GMER 2.1 ----

Disk \Device\Harddisk0\DR0 unknown MBR code

---- EOF - GMER 2.1 ----
MBAM
Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.07.13.06

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 10.0.9200.16618
3yoosh :: 3YOOSH-PC [administrator]

7/13/2013 3:58:41 PM
mbam-log-2013-07-13 (15-58-41).txt

Scan type: Full scan (C:\|D:\|E:\|F:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 518947
Time elapsed: 1 hour(s), 31 minute(s), 26 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
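The PendingFileRenameOperations value that GMER dumped above is a REG_MULTI_SZ that Windows processes at the next boot (rename or delete a file before anything else can lock it), and the dump is unreadable because GMER prints the raw UTF-16 bytes. Installers and scanners legitimately queue entries there, so the value is a lead rather than proof. The helper below is an added example, not code from this thread, from GMER or from MBAM: it decodes a raw value (or the hex(7) line of a .reg export, which is how that type is written out) into (source, target) operations and flags the ones that move a file from a user-writable staging path into a system directory. SAMPLE_BLOB, the user name and every file name in it are constructed for the example.

```python
"""Decode a raw PendingFileRenameOperations value and flag entries worth a look.

Added triage helper; not code from the thread, GMER or MBAM. Assumed layout
(Windows REG_MULTI_SZ): UTF-16LE strings, each NUL-terminated, one extra NUL
closing the list. Entries come in (source, destination) pairs; an empty
destination means "delete at next boot", and a destination starting with '!'
records MOVEFILE_REPLACE_EXISTING. Paths use the NT form '\\??\\C:\\...'.
SAMPLE_BLOB and its file names are constructed for this example.
"""
from __future__ import annotations

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
STAGING_DIRS = ("\\temp\\", "\\appdata\\", "\\programdata\\")


def from_reg_hex7(line: str) -> bytes:
    """Convert the 'hex(7):5c,00,3f,00,...' form of a .reg export (with any
    backslash line continuations still present) into the raw value bytes."""
    _, _, hexpart = line.partition(":")
    cleaned = hexpart.replace("\\", "").replace("\r", "").replace("\n", "")
    return bytes(int(h, 16) for h in cleaned.split(",") if h.strip())


def decode_multi_sz(blob: bytes) -> list[str]:
    """Split a REG_MULTI_SZ blob into its strings, keeping empty strings (they are
    meaningful here) and tolerating a missing list terminator."""
    text = blob.decode("utf-16-le", errors="replace")
    if not text.strip("\x00"):
        return []
    if text.endswith("\x00\x00"):
        text = text[:-1]            # drop the list terminator, keep the last string's own NUL
    elif not text.endswith("\x00"):
        text += "\x00"              # unterminated final string
    return text.split("\x00")[:-1]  # the final split element is always the empty tail


def _nt_to_win(path: str) -> str:
    """'!\\??\\C:\\x' -> 'C:\\x': strip the replace flag and the object-manager prefix."""
    p = path[1:] if path.startswith("!") else path
    return p[4:] if p.startswith("\\??\\") else p


def parse_pending_renames(blob: bytes) -> list[dict]:
    strings = decode_multi_sz(blob)
    if len(strings) % 2:            # dangling source without a destination: treat as delete
        strings.append("")
    ops = []
    for src, dst in zip(strings[0::2], strings[1::2]):
        action = "delete" if dst == "" else ("replace" if dst.startswith("!") else "rename")
        ops.append({"source": _nt_to_win(src), "target": _nt_to_win(dst), "action": action})
    return ops


def flag_suspicious(ops: list[dict]) -> list[dict]:
    """Return the operations that drop a file into a system directory, with reasons.
    Deletions are not flagged: installers and scanners routinely queue removal of
    their own temporary files and drivers."""
    flagged = []
    for op in ops:
        src, dst = op["source"].lower(), op["target"].lower()
        why = []
        if op["action"] != "delete" and dst.startswith(SYSTEM_DIRS):
            if any(d in src for d in STAGING_DIRS):
                why.append("system file written from a user-writable staging path")
            if dst.endswith((".sys", ".dll", ".exe")):
                why.append("driver or executable in a system directory replaced at boot")
        if why:
            flagged.append({**op, "why": why})
    return flagged


# Constructed sample (hypothetical names): a temporary driver queued for deletion,
# the benign shape, followed by a Temp file queued to overwrite a driver in
# System32, the shape worth investigating.
SAMPLE_BLOB = (
    "\\??\\C:\\Users\\user\\AppData\\Local\\Temp\\scantmp.sys\x00"
    "\x00"                                                       # empty target: delete at boot
    "\\??\\C:\\Users\\user\\AppData\\Local\\Temp\\ld.tmp\x00"
    "!\\??\\C:\\Windows\\System32\\drivers\\netsvc64.sys\x00"   # '!' = replace existing
    "\x00"                                                       # end of list
).encode("utf-16-le")

if __name__ == "__main__":
    for op in parse_pending_renames(SAMPLE_BLOB):
        print(op["action"].upper().ljust(8), op["source"], "->", op["target"] or "(delete)")
    for hit in flag_suspicious(parse_pending_renames(SAMPLE_BLOB)):
        print("FLAG:", hit["target"], "|", "; ".join(hit["why"]))
```

To run it against a real machine, export HKLM\SYSTEM\CurrentControlSet\Control\Session Manager with regedit or reg.exe and pass the PendingFileRenameOperations line to from_reg_hex7; an offline hive parser that hands you the raw value bytes can feed parse_pending_renames directly.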

mmcdonald
Posting Pro in Training
473 posts since Sep 2012

  1. Have you run your scans whilst disconnected from the interweb?
  2. Have you run your scans in safe mode?
  3. Have you checked for extensions installed in your browser?

Keep me updated

gerbil
Industrious Poster
4,624 posts since May 2005

Please don't attach logs. As it says, do this: "The code snippet in your post is formatted incorrectly. Please use the Code button in the editor toolbar when posting whitespace-sensitive text or curly braces."
The code button is in the line right above where you type your response. A window will open; paste the logs into it.
Shooting in the dark here, but this line is probably germane:
---- Disk sectors - GMER 2.1 ----
Disk \Device\Harddisk0\DR0 unknown MBR code
Please run aswMBR and TDSSKiller.
==Download aswMBR from http://www.bleepingcomputer.com/download/aswmbr/
Start it, press Scan [it will download virus definitions from Avast], wait the 3 or 4 minutes until it says Scan completed, then press Save Log. Post that, please. Do NOT fix anything at this stage.
An MBR.dat file will appear on your desktop; it is a copy of your MBR. Do not delete it.
==Download TDSSKiller from this link, save it to your desktop:
http://support.kaspersky.com/downloads/utils/tdsskiller.exe - you may need to download it to a clean computer and then transfer it to the desktop using a USB flash drive.
=Start TDSSKiller,
-click Start scan;
-if TDSSKiller finds a rootkit and prompts a Cure then press Continue [a reboot may be required];
-press Continue also on any Skip prompt for suspicious files. Do not delete or quarantine any files.
Post the log from C:.
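The hunch above rests on GMER's "unknown MBR code" line, and the MBR.dat copy that aswMBR leaves on the desktop is the artifact to look at next. An MBR a scanner does not recognise is a lead, not proof of a bootkit: OEM recovery loaders and GRUB also look "unknown" to a signature check. The script below is an added example, not part of this thread and not code from aswMBR, GMER or TDSSKiller. It parses a 512-byte MBR dump, checks the boot signature and partition table, hashes the bootstrap code, looks for the error strings the standard Windows MBR carries, and, given a second dump from a known-clean machine, reports which byte ranges of the code differ. Both dumps in the block are constructed: CLEAN_MBR stands in for the known-good copy and TAMPERED_MBR for a suspect disk whose boot code was overwritten while its partition table was left alone.

```python
"""Parse and compare MBR dumps such as the MBR.dat file aswMBR saves to the desktop.

Added example; not part of the thread or of aswMBR/GMER. Assumed layout of a
classic 512-byte MBR: bootstrap code at 0x000-0x1B7, 4-byte disk signature at
0x1B8, two reserved bytes, four 16-byte partition entries at 0x1BE, and the
0x55 0xAA boot signature at 0x1FE. CLEAN_MBR and TAMPERED_MBR are constructed:
the first stands in for a dump taken from a known-good machine, the second for
the suspect disk's dump with its boot code overwritten.
"""
from __future__ import annotations

import hashlib
import struct
import sys

CODE_END = 0x1B8
TABLE_OFFSET = 0x1BE
# Error strings the standard Windows MBR (NT 5.x/6.x) carries in its code region.
WINDOWS_MBR_STRINGS = (b"Invalid partition table",
                       b"Error loading operating system",
                       b"Missing operating system")


def parse_mbr(mbr: bytes) -> dict:
    if len(mbr) < 512:
        raise ValueError("MBR dump must be at least 512 bytes")
    partitions = []
    for i in range(4):
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, TABLE_OFFSET + 16 * i)
        if ptype != 0:
            partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    code = mbr[:CODE_END]
    return {
        "boot_signature_ok": mbr[0x1FE:0x200] == b"\x55\xaa",
        "disk_signature": struct.unpack_from("<I", mbr, 0x1B8)[0],
        "partitions": partitions,
        "active_count": sum(1 for p in partitions if p["bootable"]),
        "code_sha256": hashlib.sha256(code).hexdigest(),
        "has_windows_strings": all(s in code for s in WINDOWS_MBR_STRINGS),
    }


def diff_code(reference: bytes, suspect: bytes) -> list[tuple[int, int]]:
    """Byte ranges [start, end) inside the bootstrap code where the dumps differ.
    Only the code is compared: disk signature and partition table legitimately
    differ from machine to machine."""
    ranges, start = [], None
    for off in range(CODE_END):
        if reference[off] != suspect[off]:
            if start is None:
                start = off
        elif start is not None:
            ranges.append((start, off))
            start = None
    if start is not None:
        ranges.append((start, CODE_END))
    return ranges


def assess(mbr: bytes, reference: bytes | None = None) -> list[str]:
    """Findings for a dump. A non-standard MBR is a lead, not proof: OEM recovery
    loaders and GRUB also fail the Windows-string check."""
    info = parse_mbr(mbr)
    findings = []
    if not info["boot_signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if info["active_count"] != 1:
        findings.append(f"{info['active_count']} active partitions (expected 1)")
    if not info["has_windows_strings"]:
        findings.append("bootstrap code lacks the standard Windows MBR error strings")
    if reference is not None:
        for a, b in diff_code(reference, mbr):
            findings.append(f"bootstrap code differs from reference at 0x{a:03X}-0x{b:03X}")
    return findings


def _build_mbr(code: bytes, disk_sig: int) -> bytes:
    """Assemble a constructed 512-byte MBR with one active NTFS partition and one data partition."""
    code = code.ljust(CODE_END, b"\x00")[:CODE_END]
    table = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800)         # active NTFS system partition
    table += struct.pack("<B3xB3xII", 0x00, 0x07, 206848, 976000000)   # NTFS data partition
    table += b"\x00" * 32                                               # two unused entries
    return code + struct.pack("<I", disk_sig) + b"\x00\x00" + table + b"\x55\xaa"


# Constructed "known good" code: a few plausible opening instructions, padding, and the
# standard error strings. Not a real Windows MBR image.
CLEAN_MBR = _build_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c\xfb" + b"\x90" * 200
                       + b"\x00".join(WINDOWS_MBR_STRINGS) + b"\x00", 0x1234ABCD)

# Constructed "suspect" dump: same disk signature and partition table, but the first
# 64 bytes of code and the string area have been overwritten (the shape of a bootkit
# that keeps the partition table so the machine still boots).
_t = bytearray(CLEAN_MBR)
_t[0x00:0x40] = b"\x41" * 0x40
_t[0xD0:0x120] = b"\x41" * 0x50
TAMPERED_MBR = bytes(_t)

if __name__ == "__main__":
    if len(sys.argv) >= 2:          # python mbr_check.py MBR.dat [clean_MBR.dat]
        data = open(sys.argv[1], "rb").read()
        ref = open(sys.argv[2], "rb").read() if len(sys.argv) > 2 else None
    else:
        data, ref = TAMPERED_MBR, CLEAN_MBR
    info = parse_mbr(data)
    print("code sha256:", info["code_sha256"])
    for p in info["partitions"]:
        print(f"partition {p['index']}: type 0x{p['type']:02X} lba {p['lba_start']} "
              f"sectors {p['sectors']} {'active' if p['bootable'] else ''}")
    for line in assess(data, ref) or ["no findings"]:
        print(line)
```

Only the code region is diffed on purpose: a bootkit that replaces the boot code usually leaves the partition table intact so the system still boots, and the disk signature and table differ between any two machines anyway, so comparing whole sectors would drown the signal. If the code differs from a clean copy and the Windows error strings are gone, that is the point at which the aswMBR and TDSSKiller logs deserve a close read rather than another antivirus scan.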

HenrryWhite
Newbie Poster
5 posts since Aug 2013

I know how to remove the virus and stop the pop-ups. Read the article and perform the instructions: How to stop pop ups in your browser

DM Galaxy
Junior Poster in Training
65 posts since Aug 2013

Just remove those viruses using Norton Internet Security, Panda Internet Security 2014, Quick Heal Total Security or AVG Internet Security.

Rik_
Posting Maven
2,556 posts since May 2009

1 - It's an oldish thread.
2 - Norton, Panda, and AVG absolutely will not remove anything that MBAM can't see. Especially Norton; it is the most useless security program out there, and I am having to fix the problems it causes on a daily basis.

Ranjit88
Light Poster
26 posts since Nov 2013

Use Avast Internet Security. It will help you.

Deep Modi
Posting Whiz in Training
256 posts since Nov 2013

Dude, I would like to say: use an Internet Security antivirus...
Norton, Quick Heal, Avast, etc. are useless for those errors.
Quick Heal Total Security may help you...
Avast Internet Security or Avira Internet Security may help you too...
When I have a problem like this I use Quick Heal Total Security and it removes all the bugs...

And now the reason for AOL as your default homepage/toolbar:
You have to uninstall it from the Uninstaller.
If you can't see this item in the uninstaller then it is a hidden object, so you can't uninstall it, but there are a few steps for this too, like:
Go to C:\ and check the cookies for all the files, etc.
And delete the AOL toolbar/cookies, etc...
If for some reason you can't delete them, then use Unlocker from FileHippo and delete them with Unlocker.

You must also reset your browser.
And then check for updates after resetting... (If you use skins for the browser then this may happen for that reason too.)

After resetting and scanning, you should restart your PC.
Then run CCleaner.
Also fix the registry with it; this will help you a lot...
And then restart again. (The restart is needed because some virus files can't be deleted until a restart has been done, so you need to restart.)

I use the same procedure and my PC has been clean since that time.

Note: Don't use a hacked serial/keygen for the antivirus.
Reason: they are already blocked, so you will see it as active but actually it's not active...
(A serial/keygen that you get from the internet may make your PC restart, slow down your PC, or show you a critical situation when you check for updates...)
