Solved 213.163.89.105 virus - as well

Status
Not open for further replies.

us3r1

Posts: 17
Hi,

since yesterday I seem to be infected with this virus. My MBAM keeps on giving me notices that it is blocking attempts to access websites and my COMODO antivirus keeps on giving me virus alerts.

Now I've read the 8-step procedure and have tried to replicate it to provide you guys with the info you need, however some errors occurred (I will go through it per step):

Step 1: Antivirus scanning - Tried to do a full system scan using COMODO antivirus, however after it has done an extensive scan it hangs my whole system, so I guess it is not complete.

Step 3: Updates - cannot be done one way or the other. Never had any problems so far but I just tried to do a Windows update and it gave me the following error code: 80072EFE

Step 5: GMER - completed, but the file is too big to be attached to this message

Step 6: DDS - I see the cmd screen, it's running and scanning, however it just closes and doesn't show me the DDS.txt nor Attach.txt


All the other steps have been completed. I have attached the MBAM log and GMER log.

I really hope someone can help me out!

Thanks in advance!

Us3r1
 

Attachments

  • mbam-log-2010-05-15 (13-30-59).txt
    893 bytes
Sorry- I'm not going to an unknown website to open your log. You can use 2 replies here if you need to. There is nothing in the Mbam log.

Skip Steps 1 and 3, repeat Step 6.

The IP 213.163.89.105 belongs to a site in the Netherlands where searches are redirected. I can't help you until I see what's on the system.
 
Ok sorry about that.

Instead I've zipped the gmer.log (using 7zip), but in case you do not trust that either, I've also cut the whole gmer.log into 5 smaller bits and attached those.

I tried to repeat step 6 several times but the DDS just doesn't give me the DDS.txt nor the Attach.txt. I cancelled COMODO and MBAM to make it work, but that didn't change anything.

Hope you can help me out!
 

Attachments

  • gmer1.log
    195.2 KB
  • gmer2.log
    193.4 KB
  • gmer3.log
    184.8 KB
  • gmer4.log
    199.9 KB
  • gmer5.log
    98 KB
Thanks. We'll do this backwards:
Please download ComboFix from Here and save to your Desktop.

  1. Do NOT rename Combofix unless instructed.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Close any open browsers.
  4. Double click combofix.exe & follow the prompts to run.
     NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
  5. If Combofix asks you to install Recovery Console, please allow it.
  6. If Combofix asks you to update the program, always allow.
     Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  7. A report will be generated after the scan. Please post the C:\ComboFix.txt in next reply.
Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
Note: Make sure you re-enable your security programs, when you're done with Combofix.
===================================
Once Combofix has been installed: Run this:
Custom CFScript


  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the code below into it:
Code:
File::
Folder::
Registry::
Driver::

FCopy::
C:\WINDOWS\ServicePackFiles\i386\atapi.sys | C:\Windows\System32\drivers\atapi.sys
Save this as CFScript.txt, in the same location as ComboFix.exe
CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
====================
Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    Code:
    :filefind
    smb.*
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
============================
Please leave all logs in the next reply. Depending on what I see, I will likely have you try DDS again.
 
It seems like that has done something. I ran everything in safe mode, btw.

Even though there were some errors in the DOS-box, Combofix announced that it found a rootkit.

I managed to run SystemLook and also DDS this time.

Please see attached the logs.

Even though we probably have not finished yet - thanks for the help so far!


Edit: So far I haven't seen that message from MBAM that it blocked an attempt to access a website in the last 10 minutes. That's good I suppose.
It also seems that I can use Windows Update again!

Edit 2: MBAM just gave me another notice again; it had been about two hours or so since the last one. Maybe the rootkit got reactivated through a backdoor? Just speculating :)
 

Attachments

  • Attach.txt
    16.8 KB
  • DDS.txt
    15.3 KB
  • SystemLook.txt
    1.7 KB
  • ComboFix.txt
    1.1 KB
Did a full scan with updated Comodo, it still found presence of a rootkit. See attached log.
 

Attachments

  • comodo full scan log 2010-05-16.txt
    1,012 bytes
We're not finished yet. It is not appropriate to try and run Comodo at this point. I did just enough to get you into the system, using the information I had at the time.

Please run all scans in Normal Mode unless specifically instructed to use Safe Mode, or if you cannot get into Normal Mode.
==================================
  1. About the Combofix report:
     • There is much more to the report. I need it all.
     • Please use English.
     • All security is supposed to be disabled when running Combofix; all of yours shows as running.

     Please update Combofix and rescan. Include the new report in next reply.
     ===================================
  2. I also notice these entries in the DDS log:
     C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
     C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
     C:\Windows\system32\svchost.exe -k NetworkService
     C:\Windows\system32\svchost.exe -k LocalService
     C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
     C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

     S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-21 21504]

     And this Service is running: Is there a language difference here? I can't identify 'yeymuoqhb.'
     S2 yeymuoqh;Security Controller;c:\windows\system32\svchost.exe -k netsvcs [2008-1-21 21504]

     Have you or the Administrator set any of these restrictions?
     ========================================
  3. Do you recognize the name in this file? 2010-05-15 09:04:23 C:\uwddipoc.sys
     =========================================
  4. There are different homepage settings for the browsers:
     IE: Start Page = hxxp://www.asus.com
     Firefox: Start Page = www.nu.nl
     Since there is what appears to be Dutch in some log entries, it is possible that the IP for the site in the Netherlands is legitimate. Is this your homepage?
     ==========================================
  5. File Sharing/P2P Warning: Please uninstall or do not use StreamTorrent while I am helping you.
     =======================================
  6. It is important that I get a good scan with Combofix, in Normal Mode with all security disabled. You have the program on the system now. Just go offline to rerun it.
 
Hi Bobbye, thanks for your reply.

My comments to your post:

1. I did not leave out anything, nor did I change the language to Dutch in the ComboFix.txt. Even though I was running in Safe Mode I checked whether comodo was running, and I did not see any processes pointing to that fact.

2. I (I am also the administrator of this private system) did not set those restrictions.
Also, I do not know what 'yeymuoqhb' means/stands for. I am Dutch, but it is definitely not something written in my language.

3. No, I do not recognize the name of that file.

4. Those start pages are correct. The IE start page is the one that came standard with my laptop (ASUS). www.nu.nl is the start page of my firefox browser. Again, I am Dutch (if it makes any difference, I do not currently live in the Netherlands). And I can assure you that the IP which I mentioned in the header of this thread does not refer to that website.

5. I uninstalled StreamTorrent earlier today (because I never used it anyway). Hence I did not use it while you were helping me.

6. I managed to make Combofix run in Normal Mode, attached is the log. However the log was in Dutch (I did not set it to Dutch, and I downloaded Combofix from your link). Additionally I also ran SystemLook again, see attached text.
Also, to be absolutely sure that MBAM and Comodo were not interfering with combofix I uninstalled them temporarily.

Note that the added Combofix2.txt is the original logfile in Dutch even though my operating system is in English. The Combofix.txt is exactly the same, but I translated it from Dutch to English for your understanding. Only a few headers needed to be changed, I did not alter any of the key lines in the text.

Additionally, I managed to get DDS running in Normal Mode. I have attached the DDS.txt and Attach.txt for your reference.


I hope I made everything clear to you and that you can understand what I did. I am looking very much forward to your reply.
 

Attachments

  • Attach.txt
    6.1 KB
  • DDS.txt
    17.7 KB
  • Combofix.txt
    16.9 KB
  • Combofix2.txt
    17 KB
  • SystemLook.txt
    1 KB
Thanks for your help in the language department. I'm working between thunderstorms this morning and don't have much battery time, so I'll try to get as much up as possible.

I have to ask though: why did you think you should install Hitman Pro while I was helping you? That program is a bundle of other free programs on the internet, most being used without the permission of the authors. And it is possible that using it has altered some of the contents I see in the logs.

Please do not use any more cleaning programs or scans while I am helping you unless I instruct you to. Do not use a Registry cleaner or make any changes in the Registry.

Custom CFScript


  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the code below into it:
Code:
File::
c:\windows\system32\drivers\hitmanpro35.sys
c:\windows\system32\bootdelete.exe
C:\uwddipoc.sys
c:\windows\system32\DRIVERS\ewusbfake.sys

Folder::
c:\programdata\Hitman Pro
c:\program files\Hitman Pro 3.5
c:\users\Matthijs\AppData\Local\temp
c:\users\Default\AppData\Local\temp

NetSvc::
yeymuoqh

Registry::
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost  - NetSvcs
"yeymuoqh"

Driver::
hwusbfake
yeymuoqh
Save this as CFScript.txt, in the same location as ComboFix.exe
CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
============================
Run Eset NOD32 Online AntiVirus Scanner HERE
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the Active X control to install
  • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  • Click Start
  • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  • Click Scan
  • Wait for the scan to finish
  • Re-enable your Antivirus software.
  • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

Please include both logs in next reply.
 
The only reason I ran HitmanPro is because of my own impatience and someone (who I perceive as very knowledgeable about computers) recommended it to me. And I thought it wouldn't be such a big deal. So sorry if that messed up our progress.

I've been away the whole day so I'll run Combofix first thing tomorrow and post the logs.
 
Pass this on to the person who recommended Hitman:
Is there a particular reason you don't recommend the Hitman program?

Yes, a few. Based on what I read and the cleaning programs I run. Others may think differently. The publisher's description is:
Anti-spyware program combines up to six popular engines to maximize removal effectiveness.
Part is personal preference, wanting to maintain control over my system. Hitman is also different in the versions. One main objection is the use of multiple programs that are free on the internet. Depending on the program, it should prevent and/or remove. While the scans with Hitman are free, removal of the malware can only be done within the 30-day trial.

Hitman Pro (version 1 and 2) automatically downloads, installs and runs third party anti-spyware and anti-adware programs that are freely available on the Internet:

  • Eset NOD32 antivirus system (trial, expires in 30 days)
  • Webroot Spy Sweeper (trial, expires in 7 days)
  • PC tools Spyware doctor (demo, will not clean anything)
  • Lavasoft AdAware SE (freeware)
  • Safer Networking Spybot - Search & Destroy (freeware)
  • TrendMicro CWShredder (freeware)
  • JavaCool Software SpywareBlaster (freeware)
  • McAfee VirusScan SuperDAT (virus signature definition updates, McAfee PrimeSupport license required for qualifying product)
  • Ewido Micro Scanner (freeware)(AVG)

The scan time was very long, the program used many system resources and errors in the used third party programs could cause system instability.

Hitman Pro is using other people's knowledge without their permission. NOD32 has granted permission to use their software. Software producer Lavasoft is in discussion with Mr. Loman over changes to the program before granting any official permission to implement their software and McAfee says they did not grant permission and claim no knowledge at all of the program with no further comment.

Hitman Pro 3 uses a white list that includes Windows system files and other (safe) files that are present on most PCs. Hitman Pro 3 also requires a license key to remove malware found on a user's computer, however it does offer a free 30-day trial.

The new version of Hitman Pro, version 3, uses:
  • NOD32 Antivirus
  • Avira AntiVir
  • Prevx
  • G DATA Anti-Virus
  • a-squared Anti-Malware
Virus scanners are not installed on the local computer, but in the scan cloud on Internet
Unlimited free scanning and free 30-day version to remove detected malware

None of these programs- alone or together have the power of a program like Combofix- or other 'intensive' programs. While Hitman may resolve one problem, that does not mean all of the malware has been removed.

Most of the logs I see have multiple malware infections. Some, like the DNS Changer malware, will require a DNS flush and a router reset. If that isn't done, the resolution to the problem is only temporary.

Just leave your logs when ready.
 
Hey thanks for your detailed report on Hitman, I understand it is not wise to run it.

I just ran Combofix and here is the log. Again, I translated it from Dutch to English for your understanding. I will run the ESET online scan later today.

Thanks again for your help so far.

Edit: I was thinking about upgrading my system from Windows Vista to Windows 7 after we have cleaned my system by doing a clean install. Do you think there could be any issues with regard to the current infection on my system?
 

Attachments

  • Combofix.txt
    37.7 KB
  • ComboFix1.txt
    37.8 KB
And here is the ESET Online Scan. Looking forward to your reply.
 

Attachments

  • ESET Online Scan 2010-05-19.txt
    930 bytes
Okay- that one entry in Eset is for Qoobox. That's where Combofix puts the quarantined files. It is not active in the system and will be removed when Combofix is uninstalled.

Custom CFScript


  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the code below into it:
Code:
KillAll:
File::
c:\windows\system32\DRIVERS\ewusbfake.sys
c:\windows\system32\Drivers\usbaapl.sys
Folder::
C:\ProgramData\Alwil Software
C:\Program Files\Alwil Software

Registry::
RegLock::
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]

Driver::
hwusbfake
USBAAPL
Save this as CFScript.txt, in the same location as ComboFix.exe
CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
==============================
Please go ahead and run the Eset online scan now. Please tell me how the system is running and what, if any, problems from malware still exists.
 
Hi Bobbye,

hereby the Combofix log (again translated to Dutch, and the original one).
During the translation process I noticed Combofix found a potential rootkit, as you can see in the log as well. Quite the bugger eh?!

I currently do not perceive any problems with malware, but there seems to be something interfering with my MBAM as it cannot start its protection service and hence I cannot really specify if I am not still having my original problem. Do you think there is still some malware/virus/rootkit on my system that blocks MBAM perhaps?

I will update this post later on when ESET is done. I just wanted to provide you asap with the combofix log.

Looking forward to your next reply!

Edit: added ESET online scan log.
 

Attachments

  • ComboFix.txt
    36.6 KB
  • ComboFix1.txt
    36.6 KB
  • ESET Online Scan log 2010-05-19.txt
    1.8 KB
There has been a problem showing with one of the Mbam drivers. I tried to remove it, but it did not move. This is the driver/Service:
R2 MBAMService;MBAMService;c:\program files\Malwarebytes Anti-Malware\mbamservice.exe [x]

This is a valid Service and should be running, but it has shown up this way in all the logs listing the Services. Check>

Click on Start> Run> type in services.msc> double click on MBAMService> Set Startup Type to Automatic> Start the Service.
Exit Services.
You may need to reboot. Let me know if this resolves the problem.

There is no new malware in the Eset log. Qoobox is the Combofix folder. It is not active in your system and will be removed when I have you drop the old restore points.
===============================
The 2 files that showed up in the original GMER look to be okay now. Please rescan with GMER to see if there is something new or if a file didn't get moved.

Go ahead and delete all the GMER logs you have now. I don't need a translation in this log.
 
The MBAM solution you suggested did not help. It still kept on giving problems. However by simply reinstalling the program the problem was solved. It's running smoothly now. I haven't been on my system for such a long time so I cannot yet tell you if the original problem (MBAM blocking access to some website) still prevails.

I've added the new GMER log for your information.

Edit: MBAM just gave me a notification of a potentially malicious website that has been blocked. Seems like the problem still exists?!
 

Attachments

  • gmer.log
    29.1 KB
(MBAM blocking access to some website)
My MBAM keeps on giving me notices that it is blocking attempts to access websites
MBAM just gave me another notice again

Edit: MBAM just gave me a notification of a potentially malicious website that has been blocked. Seems like the problem still exists?!

Why do you think this is a problem? And do you know that Firefox has a feature built in that will warn of a bad site and not load it? Being warned about a bad site is a good thing, not a problem!

Is this one website or random websites?
==================================================================
System Restore Points> No restore point in system.

Did you turn off the system Restore feature?
=========================
Please run the following in the order listed. You don't need to translate unless all of the content is in Dutch:

1. Update and scan with Mbam. Leave new log.
2. Download the HijackThis Installer HERE and save to the desktop:
  1. Double-click on HJTInstall.exe to run the program.
  2. By default it will install to C:\Program Files\Trend Micro\HijackThis.
  3. Accept the license agreement by clicking the "I Accept" button.
  4. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
  5. Click "Save log" to save the log file and then the log will open in notepad.
  6. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  7. Come back here to this thread and paste (Ctrl+V) the log in your next reply.

NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

Question: the following appeared in DDS> have you set any restrictions?
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
 
Why do you think this is a problem? And do you know that Firefox has a feature built in that will warn of a bad site and not load it? Being warned about a bad site is a good thing, not a problem!

Is this one website or random websites?

I think this is a problem because of two reasons:
1. It pops up when I am not trying to access a particular website. It even happens when I don't have IE or Firefox open at all. Sometimes MBAM does not block the website access and then Firefox just opens another tab and tries to open a website (often Firefox blocks the website as well, and I have WOT running).

2. This symptom - the MBAM pop ups - is where all my indications to a virus/rootkit started. As soon as I saw them popping up two times every 15 min or so I came to this forum to ask for help as I thought that indicated a potential virus.

It is a random website it tries to open. Whenever the pop ups show, it says something like: 'MBAM has blocked access to a potentially malicious website' and then shows the IP address of the website.

However I will try to monitor the pop ups as in when they show up and try to understand why. Hopefully later today I can tell you a bit more about the situation.

Did you turn off the system Restore feature?

Not that I am aware of.

Question: the following appeared in DDS> have you set any restrictions?
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

Not that I am aware of. I have never given that command but can understand that perhaps a firewall has done so? But I am just speculating on this :)

==============================================

Regarding the MBAM and HiJackThis scans: both done and see attached the logs.
 

Attachments

  • hijackthis 2010-05-21.txt
    7.6 KB
  • mbam-log-2010-05-21 (10-40-43).txt
    1.4 KB
Mbam shows No action taken. Please update and run again, taking care to follow this:

Be sure that everything is checked, and click Remove Selected.

I'll be back to check the logs. But please give me a couple of the site URLs that are getting these 'blocks.'

NOTE: I don't want the URL to be a link, so please put it in like this, with the < > and hxxp:

<hxxp:// sitedomain name.com>
 
Ok, I rescanned with MBAM and it cleaned through Remove Selected. See attached the log.

I don't have exactly the URLs that MBAM tries to block. This is because MBAM even gives me the pop up while I am not trying to access a website. It randomly pops up without me taking any action.

For instance this morning MBAM 'blocked' access to the following websites (it only shows IP addresses, no exact urls):
95.211.19.28
95.211.27.137
66.150.14.65

I tried to find some info on these IP addresses so I first just entered them in Firefox, but then the site does not open because Firefox recognizes it as an untrustworthy website. Then second, I simply googled the IP addresses and found the following: (this is just a website that trace-routes IPs)

<hxxp://www.robtex.com/ip/95.211.19.28.html>
<hxxp://www.robtex.com/ip/95.211.27.137.html>
<hxxp://www.robtex.com/ip/66.150.14.65.html>

I cannot seem to figure out when/why I get these pop ups. They come up randomly without me having performed any browsing action.

Then also, could you give me an estimation of how 'clean' my system is right now. Are we almost ready, or do we still have to perform several actions? Just as a little FYI for me :) Thanks.
 

Attachments

  • mbam-log-2010-05-22 (12-30-25).txt
    1.5 KB
Whether it's Firefox or Mbam, they are trying to protect you:

IP 95.211.19.28
inetnum: 95.211.0.0 - 95.211.255.255
org: ORG-OB3-RIPE
admin-c: LSW1-RIPE
tech-c: LSW1-RIPE
netname: NL-LEASEWEB-20080724
descr: LeaseWeb B.V.
country: NL

LeaseWeb B.V. is a web hosting site
Ocom B.V.
P.O. Box 93054
1090 BB Amsterdam
NETHERLANDS

You can view the type of web sites it hosts here:
http://www.websitetrafficspy.com/isp/37823/leaseweb b.v.

For one, there was an infected ad on the foxnews site for Rogue.VirusSweeper. Users with ad blockers wouldn't have seen the ad. Attempts to scam users used a name 'onlineproantispywarescannerv2'.

IP 66.150.14.65
CustName: Pinball Corp.
Address: 3600 136th PL SE
City: Bellevue
StateProv: WA
Assets from the controversial online media company Zango was acquired by the Blinkx video search engine. Pinball is the new name for former domain Zango. Zango was formerly known as 180solutions, found to have "used unfair and deceptive methods to download adware and obstruct consumers from removing it."

Source: http://www.techflash.com/seattle/2009/05/Zango_assets_reborn_as_Pinball.html

Fake Firefox site bundles undead adware (Zango, Hotbar) Web users taken in by the scam will wind up downloading browser software contaminated with the Hotbar toolbar from Pinball Corp, formerly Zango.
=====================================
Does the Comodo program you're using also have an antivirus program with it? I don't see any separate program running.

IF you are still getting the pop-ups, it means we haven't removed the source. When you got any pop-ups alerting you to an infection and telling you to 'click here' to remove, did you install anything?

Mbam, GMER and Eset any malware. Please verify that you are still getting these same pop-ups now. And also let me know about the antivirus program.
=================================
Run Kaspersky Online Scanner in Internet Explorer

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
  • Click Accept and the web scanner will begin to load
  • If a yellow warning bar appears at the top of the browser, click it and choose Install ActiveX Control
  • You will be prompted to install an ActiveX component from Kaspersky, click Install
  • If you are prompted about another ActiveX control called Kaspersky Online Scanner GUI part then allow it to be installed also.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT and then Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database> Extended (if available otherwise Standard)
    • Scan Options: Scan Archives> Scan Mail Bases
  • Click OK
  • Now under select a target to scan:
    • Select My Computer
  • The program will start to scan your system.
  • Once the scan is complete, click on the Save as Text button and save the file to your desktop
Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license is accepted, reset to 100%.
 
1. My Comodo application has both an antivirus and firewall

2. The pop ups from MBAM are still there, although much more rare than in the beginning. After observing it for a while it seems that MBAM is just blocking ads/pop ups from websites I am on. Does that make sense? I first had the feeling that there was a malicious programme on my system that made my browser open malicious websites.

3. Scanned with Kaspersky as you said and everything seems clean, attached is the log.

I guess based on the above findings, we can assume that my system is clean now?


Edit: I get your point about seeing these pop ups that say that malware/viruses have been found on my system and 'click here to remove'. But I have never in my life accepted/clicked on such a pop up. I know that is just a scam.
 

Attachments

  • kaspersky online scan.txt
    862 bytes
2. The pop ups from MBAM are still there, although much more rare than in the beginning. After observing it for a while it seems that MBAM is just blocking ads/pop ups from websites I am on. Does that make sense? I first had the feeling that there was a malicious programme on my system that made my browser open malicious websites.

Here is a comparison between the paid Mbam and free Mbam:
Malwarebytes' Anti-Malware (MBAM) is a computer application that finds and removes malware. It is available in a free version, which scans for and removes malware when started manually, and a paid version, which provides scheduled scans, real-time protection and a flash memory scanner.

From Mbam support:
The Protection Module has 2 main components:

  1. Execution Protection:
     This is the component that runs in the background to block and remove malicious processes when they attempt to run on your PC.
  2. IP Protection:
     This component is tied to your internet connections and works regardless of what browser you use. It prevents known malicious IP addresses and IP ranges from establishing connections with your PC, whether the connection is initiated from outside your PC (ie a web based attack or hacker) or from a program on your PC, such as an internet browser or any other program.

Obviously you have the paid version of Malwarebytes ($25), because it does not appear that the free version has blocking ability. If you find this level of security, disable the real time option.

Please see Post #7 beginning with Section G IP Protection Module for instructions and settings, with screenshots, for Mbam: Once you understand how and what the blocking is, you can determine how you want the program set:
FAQ about the IP Protection component located in the FAQ HERE

You have put a program on your system for security purposes. It's up to you to decide on how you want to configure it.
================================
Please run a scan with HijackThis to make sure no bad entries are listed:

Download the HijackThis Installer HERE and save to the desktop:
  1. Double-click on HJTInstall.exe to run the program.
  2. By default it will install to C:\Program Files\Trend Micro\HijackThis.
  3. Accept the license agreement by clicking the "I Accept" button.
  4. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
  5. Click "Save log" to save the log file and then the log will open in notepad.
  6. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  7. Come back here to this thread and paste (Ctrl+V) the log in your next reply.

NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
 