[Resolved] Pop ups, Pop up blocker doesn't block
grave
post Jan 29 2010, 01:22 AM
Post #1


Authentic Member
**

Group: Authentic Member
Posts: 43
Joined: 21-August 07
Member No.: 72,314
Operating System: windows xp



Having annoying pop ups when I open my browser(s). Using IE8 and Firefox. Malwarebytes' Anti-Malware program stopped working, so I can't scan for malware. Problem started soon after ZoneAlarm alerted me to "n.exn". Please help!
JonTom
post Jan 29 2010, 01:50 PM
Post #2


Advanced Member
Group Icon

Group: Senior Class
Posts: 640
Joined: 5-February 09
From: UK
Member No.: 84,008
Operating System: Vista Home Premium, 64-bit, SP2



Hello grave and welcome.

My name is JonTom.

  • Malware Logs can sometimes take a lot of time to research and interpret.
  • Please be patient while I try to assist with your problem. If at any time you do not understand what is required, please ask for further explanation.
  • Please note that there is no "Quick Fix" to modern malware infections and we may need to use several different approaches to get your system clean.
  • Read every reply you receive carefully and thoroughly before carrying out the instructions. You may also find it helpful to print out the instructions you receive, as in some instances you may have to disconnect your computer from the Internet.

  • Please be aware that I am still in training, and all of my replies to you will be checked for accuracy by one of our experts to ensure that I am giving you the best possible advice.
  • This may cause a delay in response time, but I will do my best to keep it as short as possible.
  • I will post back shortly with instructions.


grave
post Jan 29 2010, 05:00 PM
Post #3

QUOTE (JonTom @ Jan 29 2010, 02:50 PM) *
Hello grave and welcome.

My name is JonTom.

  • Malware Logs can sometimes take a lot of time to research and interpret.
  • Please be patient while I try to assist with your problem. If at any time you do not understand what is required, please ask for further explanation.
  • Please note that there is no "Quick Fix" to modern malware infections and we may need to use several different approaches to get your system clean.
  • Read every reply you receive carefully and thoroughly before carrying out the instructions. You may also find it helpful to print out the instructions you receive, as in some instances you may have to disconnect your computer from the Internet.

  • Please be aware that I am still in training, and all of my replies to you will be checked for accuracy by one of our experts to ensure that I am giving you the best possible advice.
  • This may cause a delay in response time, but I will do my best to keep it as short as possible.
  • I will post back shortly with instructions.


Thanks

grave
post Jan 30 2010, 01:52 AM
Post #4

My problem has been getting worse: the internet has been running slower and pages won't load. I have also been watching what's going on in the task manager when I'm on IE8 and noticed that iexplorer.exe multiplies itself up to 6 times. Pop ups are happening more often, and when they are opened they stop task manager and other programs from working.

JonTom
post Jan 30 2010, 05:21 AM
Post #5

Hello grave

  1. Please perform the following scan


    • Please download DDS from here or here and save it to your desktop.
    • Disable any script blocking protection (How to Disable your Security Programs)
    • Double click on the DDS icon to run the tool (may take up to 3 minutes to run).
    • When done, DDS.txt will open.
    • After a few moments, attach.txt will open in a second window.
    • Save both reports to your desktop.
    • Please post the contents of the DDS.txt and Attach.txt logs in your next reply.

  2. Please scan your system with GMER


    • Please download GMER from here and unzip the file (called gmer.zip) to your desktop.
    • Before scanning, please make sure that all other running programs are closed and that no other actions (such as a scheduled antivirus scan) will occur while the scan is being performed. Do not use your computer for anything else during the scan.
    • Double-click gmer.exe. The program will begin to run.


    **Caution**
    These types of scans can produce false positives. Do NOT take any action on any
    "<--- ROOKIT" entries unless advised!
    • If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
    • Click on "NO".
    • In the right panel, you will see a number of boxes that have check marks placed next to them.
    • Leave these boxes as they are, but please ensure that the "Show all" box is un-checked.
    • Now click the "Scan" button.
    • Once the scan is complete, you may receive another notice about rootkit activity. This is normal.
    • Click on "OK".
    • GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt".
    • Save the file where you can easily find it, such as your desktop.
    • Post the contents of GMER.txt in your next reply.


    In your next reply please provide the DDS logs and the GMER log.

grave
post Jan 31 2010, 07:58 AM
Post #6

I can't attach the GMER.txt because after running gmer.exe the computer froze up and wouldn't allow me to save the txt or do anything else. Is there anything else you know of that might work?
Attached File(s)
Attached File  Attach.txt ( 14.08K ) Number of downloads: 53
Attached File  DDS.txt ( 16.82K ) Number of downloads: 33
 
JonTom
post Feb 1 2010, 12:23 AM
Post #7

Hello grave

Thank you for the logs.

Please copy and paste the logs you receive directly into your reply, there is no need to attach them. Please work your way through the following steps:

  1. Foistware


    • I can see from your log that you have Viewpoint Media Player installed.
    • Viewpoint Media Player is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad".
    • It is recommended that you remove Viewpoint products. However, this choice is up to you.
    • To remove these programs, click "Start" and then on "Control Panel" and then on "Add or Remove Programs".
    • Select "Viewpoint Media Player" and click on "Remove".


  2. P2P Programs:

    • P2P programs are a major source of Malware infections.
    • From your log I see you have µTorrent. We do not pass judgment on file-sharing, however we must inform you that engaging in this activity and having this kind of software installed on your system will always make you more susceptible to Malware infections.
    • The use of P2P programs may be contributing to your current situation, and you would certainly be doing yourself a favour by removing them.
    • If you wish to keep the program(s), please do not use them until your computer is cleaned.
    • Information regarding the risk of using these programs can be found from here and here.
    • It is strongly recommended that you uninstall any P2P programs you have on your system.
    • To do this, Click on "Start" then on "Control Panel" and then on "Add or remove programs".
    • A list of currently installed programs will be displayed.
    • Find the "µTorrent" program, click on it once and then click on the "Remove" button.
    • If you are prompted to re-boot your computer to complete the uninstall please do so.


      PLEASE NOTE:
    • Even if you are using a P2P program that is deemed safe, it is only the program that is safe. Any files that you receive using a "safe" P2P program may be infected with Malware. The malware writers use P2P file-sharing as a major conduit to spread infected files.

  3. Download Combofix and RE-NAME it BEFORE saving


    • Download Combofix from any of the links below but rename it to weaponofchoice.exe before saving it to your desktop.

      Link 1
      Link 2






    • Double click on the renamed ComboFix.exe & follow the prompts.
    • When finished, it will produce a report for you.
    • Please post the C:\ComboFix.txt log so we can continue cleaning the system.


  4. Please scan your system with GMER


    • Are you able to open GMER and perform a scan now?
    • If so, please provide the GMER log.
    • If GMER fails to scan please let me know.


    In your next reply, please provide the Combofix log, the GMER log and an indication of how your computer is acting now. Are you still receiving popups?

grave
post Feb 1 2010, 06:48 AM
Post #8

Thank you very much, the pop up ads have stopped and the internet is a lot faster. I still have a problem with Malwarebytes' Anti-Malware not working. What is the best firewall program for me to use?
Attached File(s)
Attached File  CComboFix.txt ( 22.08K ) Number of downloads: 36
Attached File  Copy_of_gmer.txt ( 29.94K ) Number of downloads: 61
 
grave
post Feb 1 2010, 10:03 AM
Post #9

QUOTE (grave @ Feb 1 2010, 07:48 AM) *
Thank you very much, the pop up ads have stopped and the internet is a lot faster. I still have a problem with Malwarebytes' Anti-Malware not working. What is the best firewall program for me to use?



I take that back about the pop ups, they are still popping up.

JonTom
post Feb 2 2010, 12:40 AM
Post #10

Hello grave

Please do not attach the logs unless requested.


QUOTE
What is the best firewall program for me to use?


I can see you have Zonealarm installed. I suggest we leave Zonealarm where it is for the time being and concentrate on cleaning your machine. I will provide links to Firewalls later on in the fix.
Please Note: You must only have ONE Firewall installed on your system. Multiple Firewalls will create system instability and weaken the overall security of your machine.

You have some drivers that may interfere with our tools. We will need to temporarily disable them. We will re-enable them when we are done.

  1. DeFogger


    • Please download DeFogger to your desktop.
    • Double click DeFogger to run the tool.

    • The application window will appear
    • Click the Disable button to disable your CD Emulation drivers
    • Click Yes to continue
    • A 'Finished!' message will appear
    • Click OK
    • DeFogger will now ask to reboot the machine - click OK

    IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

    Do not re-enable these drivers until otherwise instructed.

  2. Please work through the following steps



    • Open Notepad (Click on "Start", then on "Run" and type "notepad" (without quotations) in the Open field, then click on "OK").
    • NOTE: Do not Use Wordpad or any other text editor except Notepad or the script will fail.
    • Copy and Paste the text in the quotebox below into the open Notepad window:

      QUOTE
      DDS::
      uInternet Settings,ProxyServer = http=127.0.0.1:5555
      uInternet Settings,ProxyOverride = <local>

      File::
      c:\windows\system32\levewani.dll
      c:\windows\system32\mizukobe.dll
      c:\windows\system32\negokofi.dll
      c:\windows\system32\zayitala.dll
      c:\windows\system32\zesifimi.dll

      Registry::
      [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e8493ad5-5602-4b28-9164-7fdbdfecd765}]

    • Save this as "CFScript.txt" (including the quotation marks), change the "Save as type" to "All Files" and save it to your desktop.
    • Close any open browsers.
    • Disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Referring to the picture below, drag CFScript.txt into ComboFix.exe



    • When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
    • Once the log is produced, re-engage your resident anti virus.


    In your next reply please provide the Combofix log, along with an indication of how your computer is behaving.

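Added example, not part of JonTom's post and not code from any tool named in the thread: the DDS:: lines in the script above name a per-user Internet Settings ProxyServer value of http=127.0.0.1:5555, meaning the browser's HTTP traffic was pointed at a listener on the machine itself. The Python sketch below parses that value format and flags loopback proxies in DDS-style log text; the second ProxyServer line in the sample is constructed, and the function names are this example's own.

```python
import ipaddress
import re

# Matches DDS-style lines such as "uInternet Settings,ProxyServer = <value>".
SETTING = re.compile(
    r"^\s*\w?Internet Settings,(?P<name>\w+)\s*=\s*(?P<value>.*?)\s*$"
)


def parse_proxy_server(value):
    """Split a WinINET ProxyServer string into {protocol: (host, port)}.

    Two forms exist: "host:port" (applies to all protocols) and a
    semicolon-separated list of "protocol=host:port" entries.
    """
    entries = {}
    for part in (p.strip() for p in value.split(";")):
        if not part:
            continue
        proto, sep, endpoint = part.partition("=")
        if not sep:  # bare "host:port"
            proto, endpoint = "all", part
        endpoint = endpoint.split("://", 1)[-1]  # tolerate "http=http://host:port"
        host, colon, port = endpoint.rpartition(":")
        if not colon:  # no port given
            host, port = endpoint, ""
        port_num = int(port) if port.isdigit() else None
        entries[proto.strip().lower()] = (host.strip("[]"), port_num)
    return entries


def is_loopback(host):
    """True for 'localhost' and any loopback IPv4/IPv6 literal."""
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:  # an ordinary hostname
        return False


def loopback_proxies(log_text):
    """Return (protocol, host, port) for every loopback proxy in the log."""
    findings = []
    for line in log_text.splitlines():
        m = SETTING.match(line)
        if not m or m.group("name") != "ProxyServer":
            continue
        for proto, (host, port) in parse_proxy_server(m.group("value")).items():
            if is_loopback(host):
                findings.append((proto, host, port))
    return findings


# First two lines are the ones quoted in the post; the third is constructed.
SAMPLE_LOG = """\
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = proxy.example.net:8080
"""

if __name__ == "__main__":
    for proto, host, port in loopback_proxies(SAMPLE_LOG):
        print(f"review: {proto} traffic is proxied to {host}:{port}")
```

Legitimate software (some antivirus web shields, debugging proxies) also registers a loopback proxy, so a hit is a prompt to check what is listening on that port rather than proof of infection.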
grave
post Feb 2 2010, 01:53 PM
Post #11


I have no problems with the pop ups, but I now get an error message whenever I start up the computer (see attached picture).
Attached thumbnail(s)
Attached Image
 

Attached File(s)
Attached File  Combofix.txt ( 22.15K ) Number of downloads: 26
 
JonTom
post Feb 3 2010, 12:25 AM
Post #12

Hello grave

QUOTE
I have no problems with the pop ups, but I now get an error message whenever I start up the computer


Please stay with me until I give you the all clear. I can still see malware on your system. I believe that the error message you are receiving may be related to the presence of the infection.


  1. Please work through the following steps



    • Open Notepad (Click on "Start", then on "Run" and type "notepad" (without quotations) in the Open field, then click on "OK").
    • NOTE: Do not Use Wordpad or any other text editor except Notepad or the script will fail.
    • Copy and Paste the text in the quotebox below into the open Notepad window:

      QUOTE
      File::
      c:\windows\system32\nirotona.dll
      c:\windows\system32\govegomu.dll
      c:\windows\system32\guyugadu.dll
      c:\windows\Internet Logs\xDB2C.tmp
      c:\windows\Internet Logs\xDB2B.tmp
      c:\windows\Internet Logs\xDB2A.tmp
      c:\windows\Internet Logs\xDB29.tmp
      c:\windows\Internet Logs\xDB27.tmp
      c:\windows\Internet Logs\xDB28.tmp
      c:\windows\Internet Logs\xDB26.tmp
      c:\windows\Internet Logs\xDB25.tmp
      c:\windows\Internet Logs\xDB24.tmp

      Registry::
      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      "nuruselib"=-

    • Save this as "CFScript.txt" (including the quotation marks), change the "Save as type" to "All Files" and save it to your desktop.
    • Close any open browsers.
    • Disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Referring to the picture below, drag CFScript.txt into ComboFix.exe



    • When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
    • Once the log is produced, re-engage your resident anti virus.


  2. MalwareBytes AntiMalware


    • Are you able to open MBAM now?
    • If so, double click on your MalwareBytes AntiMalware icon to launch the program.
    • A screen will appear. It will look like this:





    • Click on the "Update" tab and then on "Check for Updates".
    • The program will now install the latest Malware definition files.
    • Once complete, click on the "Scanner" tab, select "Perform full scan" and then click on "Scan".
    • Once the program has scanned your computer, a log file will be created in Notepad.
    • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.



    • If the scan detects any Malware-related objects, make sure that everything is checked, and click "Remove Selected" <– Very Important.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to restart your computer.
    • The log is automatically saved by MBAM and can be viewed by clicking the "Logs" tab.
    • Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process. If asked to restart your computer, please do so immediately.


    In your next reply, please provide the Combofix log and the MBAM log (if it runs).
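Added example, not part of the original post and not ComboFix's own code: a Python reader for the CFScript.txt bodies quoted in posts #10 and #12, so a helper or reviewer can list what a script names before it is run. It assumes section headers end in `::` as shown in the thread and that the Registry:: block uses standard .reg syntax, where `[-KEY]` removes a whole key and `"name"=-` removes a single value; the relative path in the sample is constructed to show a flagged entry.

```python
import ntpath
import re

SECTION = re.compile(r"^(\w+)::$")         # e.g. "File::", "Registry::"
KEY_LINE = re.compile(r"^\[(-?)(.+)\]$")   # "[KEY]" or "[-KEY]"
VALUE_LINE = re.compile(r'^"(.+)"=(.*)$')  # '"name"=data' or '"name"=-'


def summarize_cfscript(text):
    """Return a list of (kind, target, note) tuples, one per script line."""
    actions, section, key = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION.match(line)
        if header:
            section, key = header.group(1), None
            continue
        if section == "File":
            # A full path with no ".." component leaves no doubt about the target.
            safe = ntpath.isabs(line) and ".." not in line.split("\\")
            actions.append(("file", line, "ok" if safe else "check path"))
        elif section == "Registry":
            k, v = KEY_LINE.match(line), VALUE_LINE.match(line)
            if k and k.group(1):            # leading "-" : whole key removed
                key = None
                actions.append(("delete-key", k.group(2), "whole key and subkeys"))
            elif k:                         # plain key: context for value lines
                key = k.group(2)
            elif v and key:
                kind = "delete-value" if v.group(2) == "-" else "set-value"
                actions.append((kind, key + "\\" + v.group(1), v.group(2)))
            else:
                actions.append(("unparsed", line, section))
        else:
            actions.append(("other", line, section))
    return actions


# Lines taken from the scripts in posts #10 and #12, except
# "system32\example.dll", which is constructed for this example.
SAMPLE_SCRIPT = r"""
File::
c:\windows\system32\nirotona.dll
c:\windows\Internet Logs\xDB2C.tmp
system32\example.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e8493ad5-5602-4b28-9164-7fdbdfecd765}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nuruselib"=-
"""

if __name__ == "__main__":
    for kind, target, note in summarize_cfscript(SAMPLE_SCRIPT):
        print(f"{kind:13} {target}  [{note}]")
```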
grave
post Feb 3 2010, 05:35 AM
Post #13


Here are the two logs. While I was running MBAM, Avast antivirus alerted me to some infections; in the attached picture are the files that were detected. I'm not quite sure you need it, but if it helps in cleaning up my pc.
Attached thumbnail(s)
Attached Image
 

Attached File(s)
Attached File  combofix.txt ( 19.48K ) Number of downloads: 16
Attached File  Malwarebytes_log.txt ( 1.17K ) Number of downloads: 10
 
JonTom
post Feb 4 2010, 07:29 AM
Post #14

Hello grave

Thank you for the logs.

QUOTE
While I was running MBAM, Avast antivirus alerted me to some infections; in the attached picture are the files that were detected. I'm not quite sure you need it, but if it helps in cleaning up my pc.


What AVAST has detected are infected system restore points and infected files that we have removed with Combofix. These items are nothing to worry about at the moment as we will deal with them in due course.

However, that being said, DO NOT perform a system restore, or else you will become re-infected. Before we deal with the quarantined items and restore points, I would like you to run an online scan of your system to check for anything that we may have missed.

Please work your way through the following steps:


  1. Please update your Java


    • You currently have Java™ 6 Update 15 installed. Update 18 is the latest version.
    • To update your Java, Click on "Start" then on "Control Panel" and then on the Java icon (looks like a coffee cup).
    • In the window that opens, click on the "Update" tab, and then on "Update Now".
    • Your Java should begin to update. Please follow any prompts that you receive.


  2. Please delete your outdated versions of Java


    • Older versions of Java have vulnerabilities that are exploitable by malware.
    • To remove these older versions:
    • Click on "Start" and then on "Control Panel" and then on "Add or Remove Programs".
    • Select "J2SE Runtime Environment 5.0 Update 3" and click on "Remove".
    • Repeat this procedure for "Java 2 Runtime Environment, SE v1.4.2_03".
    • NOTE: DO NOT delete Java™ 6 Update 18!


  3. Please perform the following scan:


    • This is a very deep scan that can take several hours. Please be patient.
    • It is recommended that you disable your onboard antivirus program and antispyware programs while performing scans to eliminate software conflicts and to speed up scan time.
    • DO NOT surf the net while your resident protection is disabled!
    • Once the scan is finished remember to re-enable your resident antivirus protection along with whatever antispyware applications you use.


    Please perform a Kaspersky Online Scan of your computer by clicking here.
    An alternative link to the Kaspersky Online Scan Tool can be found here.

    You will be taken to a web page. It will look like this:

    • Click on the Accept button and install any components it needs.
    • The program will install and then begin downloading the latest definition files.
    • After the files have been downloaded on the left side of the page in the Scan section select My Computer.
    • This will start the program and scan your system.
    • The scan will take a while, so be patient and let it run (at times it may appear to stall).
    • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
    • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
    • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.


    • Once the scan is complete, click on View scan report. To obtain the report:
    • Click on: Save Report As
    • Next, in the Save as prompt, Save in area, select: Desktop
    • In the File name area, use KScan, or something similar.
    • In Save as type, click the drop arrow and select: Text file [*.txt]
    • Then, click: Save
    • Please post the Kaspersky Online Scanner Report in your reply.



    If you need help performing the above steps, an animated tutorial can be found here.

  4. Please download and run Rooter


    • Download Rooter by clicking here, and save the file (called Rooter.exe) to your desktop.
    • Double click on the desktop icon to start the scan.
    • When Rooter has completed its scan, a Notepad file containing the scan report will open (this report can also be found at %systemdrive%\Rooter.txt).
    • Please post the Rooter log in your next reply.


  5. DDS


    • Please perform another DDS scan.



    In your next reply, please provide the Kaspersky Online Scan Log, Rooter log and the new DDS log along with an indication of how your machine is now. Are you experiencing any more problems?

grave
post Feb 4 2010, 11:51 PM
Post #15

I have been pop up free and every program that wasn't working is now working.
Attached File(s)
Attached File  Attach.txt ( 16.47K ) Number of downloads: 8
Attached File  DDS.txt ( 13.47K ) Number of downloads: 8
Attached File  kscan.txt ( 3.01K ) Number of downloads: 5
Attached File  Rooter_1.txt ( 3.35K ) Number of downloads: 13
 