Pesky adware

Thread starter: Jet Badger
So ever since younger relatives used the PC I can't get rid of this stuff. No anti-virus I tried fixed it and it's not a Firefox plugin. Any advice?


This happens on many images on any website.




Neither of those has ever been there, and they only seem to appear on GTP forums.

 
Did you check a different browser (IE)? If it is Firefox only, then that narrows it down.

Have you tried going over the internet history? It might get you an idea of what they got into.
 
Run ComboFix, which you can download from BleepingComputer.

It gets rid of most crap; then a final scan with a good anti-spyware program like Spybot will do.

Lastly, never let a child use the computer.
 
Thanks for the advice, I really appreciate it.
@DQuaN, SUPERAntiSpyware found a bunch of stuff after a 2h scan but the problem still persists. I checked the plugins/extensions and other than Java, Shockwave and the AdBlock add-on that I installed, nothing's there. With AdBlock turned on the stuff in the second pic goes away, but it's still not the solution I'm looking for. It seems to only happen on Firefox.

@neema_t, I don't seem to have that FLV player installed but I'll do those steps when I get back today, thanks :)
 
Thanks, I've already tried AdwCleaner and a bunch of other programs. The stuff just doesn't go away. AdBlock makes things much better but I think I'll end up just reinstalling Windows.
 
That's an interesting program, can't really figure out how it works though. I'll try to get more in depth with it, thanks :)

There's not much to it. Place it on the desktop and run it. Click OK and Yes to all prompts and let it do its thing. There is a 90% chance it will sort out your problem, 9% chance it won't, and 1% chance that it will BSOD and you'll have to do a repair. If you can't run any programs after running it, reboot again and it will be fine.

Once it's done, post the log here. If it hasn't helped, maybe post a HijackThis log here too. I'll give you instructions on that after we see what this does.
 
I think it just worked :D Thank you so much! 👍

Here's the log

Code:
ComboFix 14-02-05.02 - Namai 2014.02.07  23:24:46.1.1 - x86
Microsoft Windows 7 Ultimate  6.1.7601.1.1257.370.1033.18.1024.242 [GMT 2:00]
Running from: c:\users\Namai\Downloads\ComboFix.exe
AV: Microsoft Security Essentials *Enabled/Updated* {641105E6-77ED-3F35-A304-765193BCB75F}
SP: Microsoft Security Essentials *Enabled/Updated* {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((  Other Deletions  )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\VLC Player GPU+
c:\program files\VLC Player GPU+\path.inf
c:\users\Namai\AppData\Local\Microsoft\Windows\Temporary Internet Files\GreyGray_iels
c:\users\Namai\AppData\Roaming\D394D188-BAC7-4e03-8FAF-389A4D7EC6F4
c:\users\Namai\AppData\Roaming\D394D188-BAC7-4e03-8FAF-389A4D7EC6F4\{4e38134d-ba98-4066-b898-e296d8acc938}.xpi
c:\users\Namai\AppData\Roaming\D394D188-BAC7-4e03-8FAF-389A4D7EC6F4\{D394D188-BAC7-4e03-8FAF-389A4D7EC6F4}.xpi
c:\users\Namai\AppData\Roaming\D394D188-BAC7-4e03-8FAF-389A4D7EC6F4\ejbpjlaagejfakeobljhgplbgklgemll.crx
c:\users\Namai\AppData\Roaming\D394D188-BAC7-4e03-8FAF-389A4D7EC6F4\Shopping Suggestion.dll
c:\windows\Installer\{B85DDD77-4A6A-4811-B241-EDADBF996BD0}\NewShortcut2_F1630D75496847DD999177A077E0CA0F.exe
.
.
(((((((((((((((((((((((((  Files Created from 2014-01-07 to 2014-02-07  )))))))))))))))))))))))))))))))
.
.
2014-02-07 21:39 . 2014-02-07 21:40    --------    d-----w-    c:\users\Namai\AppData\Local\temp
2014-02-07 21:39 . 2014-02-07 21:39    --------    d-----w-    c:\users\Default\AppData\Local\temp
2014-02-07 21:24 . 2014-02-07 21:24    --------    d-----w-    c:\users\Namai\AppData\Local\Microsoft Games
2014-02-07 20:43 . 2014-02-07 20:43    40392    ----a-w-    c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{F5A4B827-05A7-43C9-BB69-61AD5AD3FF91}\MpKsl1221e435.sys
2014-02-07 16:31 . 2013-12-03 16:57    7760024    ----a-w-    c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{F5A4B827-05A7-43C9-BB69-61AD5AD3FF91}\mpengine.dll
2014-02-06 15:28 . 2013-12-03 16:57    7760024    ----a-w-    c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2014-01-31 10:43 . 2014-01-31 10:43    --------    d-----w-    c:\program files\Mozilla Maintenance Service
2014-01-30 17:21 . 2014-01-30 17:21    40776    ----a-w-    c:\windows\system32\drivers\mbamswissarmy.sys
2014-01-30 08:02 . 2014-02-07 20:13    --------    d-----w-    C:\AdwCleaner
2014-01-29 20:31 . 2014-01-29 20:31    --------    d-----w-    C:\SUPERDelete
2014-01-29 20:04 . 2014-01-29 20:04    --------    d-----w-    c:\users\Namai\AppData\Roaming\SUPERAntiSpyware.com
2014-01-29 20:03 . 2014-01-29 20:04    --------    d-----w-    c:\program files\SUPERAntiSpyware
2014-01-29 20:03 . 2014-01-29 20:03    --------    d-----w-    c:\programdata\SUPERAntiSpyware.com
2014-01-29 19:48 . 2013-12-18 19:10    94632    ----a-w-    c:\windows\system32\WindowsAccessBridge.dll
2014-01-23 07:35 . 2013-12-21 17:14    719224    ------w-    c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
2014-01-23 07:35 . 2013-12-21 17:14    719224    ------w-    c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{6D756C97-F75A-4B06-81CC-CB898040494D}\gapaengine.dll
2014-01-18 10:56 . 2014-01-18 10:56    --------    d-----w-    c:\users\Namai\AppData\Roaming\Malwarebytes
2014-01-18 10:55 . 2014-01-18 10:55    --------    d-----w-    c:\programdata\Malwarebytes
2014-01-18 10:55 . 2013-04-04 12:50    22856    ----a-w-    c:\windows\system32\drivers\mbam.sys
2014-01-18 10:55 . 2014-01-18 10:56    --------    d-----w-    c:\program files\Malwarebytes' Anti-Malware
2014-01-18 10:55 . 2014-01-18 10:55    --------    d-----w-    c:\users\Namai\AppData\Local\Programs
.
.
.
((((((((((((((((((((((((((((((((((((((((  Find3M Report  ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-02-04 19:10 . 2013-12-07 22:47    71048    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2014-02-04 19:10 . 2013-12-07 22:47    692616    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2014-01-19 07:32 . 2013-12-07 21:55    231584    ------w-    c:\windows\system32\MpSigStub.exe
2013-12-23 10:24 . 2013-12-23 10:24    640512    ----a-w-    c:\windows\system32\advapi32.dll
2013-12-23 10:24 . 2013-12-23 10:24    1289096    ----a-w-    c:\windows\system32\ntdll.dll
2013-12-23 10:24 . 2013-12-23 10:24    619520    ----a-w-    c:\windows\system32\tdh.dll
2013-12-23 10:24 . 2013-12-23 10:24    3969472    ----a-w-    c:\windows\system32\ntkrnlpa.exe
2013-12-23 10:24 . 2013-12-23 10:24    3914176    ----a-w-    c:\windows\system32\ntoskrnl.exe
2013-12-23 10:23 . 2013-12-23 10:23    338944    ----a-w-    c:\windows\system32\drivers\afd.sys
2013-12-23 10:23 . 2013-12-23 10:23    231424    ----a-w-    c:\windows\system32\mswsock.dll
2013-12-23 10:23 . 2013-12-23 10:23    1294272    ----a-w-    c:\windows\system32\drivers\tcpip.sys
2013-12-22 13:25 . 2013-12-22 13:25    745472    ----a-w-    c:\windows\system32\MsSpellCheckingFacility.exe
2013-12-22 13:25 . 2013-12-22 13:25    185344    ----a-w-    c:\windows\system32\elshyph.dll
2013-12-22 13:25 . 2013-12-22 13:25    71680    ----a-w-    c:\windows\system32\RegisterIEPKEYs.exe
2013-12-22 13:25 . 2013-12-22 13:25    1767936    ----a-w-    c:\windows\system32\wininet.dll
2013-12-22 13:25 . 2013-12-22 13:25    158720    ----a-w-    c:\windows\system32\msls31.dll
2013-12-22 13:25 . 2013-12-22 13:25    138752    ----a-w-    c:\windows\system32\wextract.exe
2013-12-22 13:25 . 2013-12-22 13:25    150528    ----a-w-    c:\windows\system32\iexpress.exe
2013-12-22 13:25 . 2013-12-22 13:25    523264    ----a-w-    c:\windows\system32\vbscript.dll
2013-12-22 13:25 . 2013-12-22 13:25    2706432    ----a-w-    c:\windows\system32\mshtml.tlb
2013-12-22 13:25 . 2013-12-22 13:25    137216    ----a-w-    c:\windows\system32\ieUnatt.exe
2013-12-22 13:25 . 2013-12-22 13:25    38400    ----a-w-    c:\windows\system32\imgutil.dll
2013-12-22 13:25 . 2013-12-22 13:25    12800    ----a-w-    c:\windows\system32\mshta.exe
2013-12-22 13:25 . 2013-12-22 13:25    73728    ----a-w-    c:\windows\system32\SetIEInstalledDate.exe
2013-12-22 13:25 . 2013-12-22 13:25    48640    ----a-w-    c:\windows\system32\mshtmler.dll
2013-12-22 13:25 . 2013-12-22 13:25    2877952    ----a-w-    c:\windows\system32\jscript9.dll
2013-12-22 13:25 . 2013-12-22 13:25    110592    ----a-w-    c:\windows\system32\IEAdvpack.dll
2013-12-22 13:25 . 2013-12-22 13:25    109056    ----a-w-    c:\windows\system32\iesysprep.dll
2013-12-22 13:25 . 2013-12-22 13:25    61952    ----a-w-    c:\windows\system32\tdc.ocx
2013-12-22 13:25 . 2013-12-22 13:25    719360    ----a-w-    c:\windows\system32\mshtmlmedia.dll
2013-12-22 13:25 . 2013-12-22 13:25    61440    ----a-w-    c:\windows\system32\iesetup.dll
2013-12-22 13:25 . 2013-12-22 13:25    361984    ----a-w-    c:\windows\system32\html.iec
2013-12-22 13:25 . 2013-12-22 13:25    1441280    ----a-w-    c:\windows\system32\inetcpl.cpl
2013-12-22 13:25 . 2013-12-22 13:25    23040    ----a-w-    c:\windows\system32\licmgr10.dll
2013-12-22 13:24 . 2013-12-22 13:24    49152    ----a-w-    c:\windows\system32\taskhost.exe
2013-12-22 13:20 . 2013-12-22 13:20    9728    ---ha-w-    c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
2013-12-22 13:20 . 2013-12-22 13:20    5632    ---ha-w-    c:\windows\system32\api-ms-win-downlevel-shlwapi-l2-1-0.dll
2013-12-22 13:20 . 2013-12-22 13:20    5632    ---ha-w-    c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
2013-12-22 13:20 . 2013-12-22 13:20    4096    ---ha-w-    c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
2013-12-22 13:20 . 2013-12-22 13:20    3584    ---ha-w-    c:\windows\system32\api-ms-win-downlevel-advapi32-l2-1-0.dll
2013-12-22 13:20 . 2013-12-22 13:20    3072    ---ha-w-    c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
2013-12-22 13:20 . 2013-12-22 13:20    3072    ---ha-w-    c:\windows\system32\api-ms-win-downlevel-shell32-l1-1-0.dll
2013-12-22 13:20 . 2013-12-22 13:20    2560    ---ha-w-    c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
2013-12-22 13:20 . 2013-12-22 13:20    10752    ---ha-w-    c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
2013-12-22 13:20 . 2013-12-22 13:20    906240    ----a-w-    c:\windows\system32\FntCache.dll
2013-12-22 13:20 . 2013-12-22 13:20    417792    ----a-w-    c:\windows\system32\WMPhoto.dll
2013-12-22 13:20 . 2013-12-22 13:20    364544    ----a-w-    c:\windows\system32\XpsGdiConverter.dll
2013-12-22 13:20 . 2013-12-22 13:20    2284544    ----a-w-    c:\windows\system32\msmpeg2vdec.dll
2013-12-22 13:20 . 2013-12-22 13:20    1247744    ----a-w-    c:\windows\system32\DWrite.dll
2013-12-22 13:20 . 2013-12-22 13:20    1158144    ----a-w-    c:\windows\system32\XpsPrint.dll
2013-12-22 13:20 . 2013-12-22 13:20    604160    ----a-w-    c:\windows\system32\d3d10level9.dll
2013-12-22 13:20 . 2013-12-22 13:20    3419136    ----a-w-    c:\windows\system32\d2d1.dll
2013-12-22 13:20 . 2013-12-22 13:20    293376    ----a-w-    c:\windows\system32\dxgi.dll
2013-12-22 13:20 . 2013-12-22 13:20    249856    ----a-w-    c:\windows\system32\d3d10_1core.dll
2013-12-22 13:20 . 2013-12-22 13:20    220160    ----a-w-    c:\windows\system32\d3d10core.dll
2013-12-22 13:20 . 2013-12-22 13:20    207872    ----a-w-    c:\windows\system32\WindowsCodecsExt.dll
2013-12-22 13:20 . 2013-12-22 13:20    1988096    ----a-w-    c:\windows\system32\d3d10warp.dll
2013-12-22 13:20 . 2013-12-22 13:20    187392    ----a-w-    c:\windows\system32\UIAnimation.dll
2013-12-22 13:20 . 2013-12-22 13:20    161792    ----a-w-    c:\windows\system32\d3d10_1.dll
2013-12-22 13:20 . 2013-12-22 13:20    1230336    ----a-w-    c:\windows\system32\WindowsCodecs.dll
2013-12-22 13:20 . 2013-12-22 13:20    1080832    ----a-w-    c:\windows\system32\d3d10.dll
2013-12-22 13:17 . 2013-12-22 13:17    1505280    ----a-w-    c:\windows\system32\d3d11.dll
2013-12-19 19:21 . 2013-12-19 19:21    62576    ----a-w-    c:\programdata\Microsoft\Windows Defender\Definition Updates\{E996E3E6-1824-41BE-9E81-63C9E8DF21C9}\offreg.dll
2013-12-07 21:36 . 2013-12-07 21:36    95    ----a-w-    c:\users\Namai\AppData\Roaming\die.bat
2013-11-18 09:28 . 2013-12-07 21:55    7772552    ----a-w-    c:\programdata\Microsoft\Windows Defender\Definition Updates\{E996E3E6-1824-41BE-9E81-63C9E8DF21C9}\mpengine.dll
2013-11-12 02:07 . 2013-12-22 09:16    2048    ----a-w-    c:\windows\system32\tzres.dll
2008-12-10 12:50 . 2008-12-10 12:50    118784    ----a-w-    c:\program files\internet explorer\plugins\LV86ActiveXControl.dll
2010-05-25 10:43 . 2010-05-25 10:43    158720    ----a-w-    c:\program files\internet explorer\plugins\LV90ActiveXControl.dll
.
.
(((((((((((((((((((((((((((((((((((((  Reg Loading Points  ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1174016]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2014-01-06 5625624]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2013-07-02 254336]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2006-10-10 90191]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-10 7741440]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-10-10 81920]
"NI Background Service"="c:\program files\National Instruments\Shared\Update Service\niupdate.exe" [2010-08-10 77824]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2013-10-23 948440]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-11-21 959904]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
SolidWorks Background Downloader.lnk - c:\program files\Common Files\SolidWorks Installation Manager\BackgroundDownloading\sldBgDwld.exe /launch_from 0 [2013-12-8 2737768]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 0 (0x0)
"EnableInstallerDetection"= 0 (0x0)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"HideSCAHealth"= 1 (0x1)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2013-05-07 115440]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2013-04-04 701512]
R2 Skype C2C Service;Skype C2C Service;c:\programdata\Skype\Toolbars\Skype C2C Service\c2c_service.exe [2013-10-09 3275136]
R2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [2013-10-23 172192]
R2 Util GreyGray;Util GreyGray;c:\program files\GreyGray\bin\utilGreyGray.exe [x]
R3 CoordinatorServiceHost;SW Distributed TS Coordinator Service;c:\program files\SolidWorks Corp\SolidWorks\swScheduler\DTSCoordinatorService.exe [2012-09-28 76904]
R3 cpuz136;cpuz136;c:\users\Namai\AppData\Local\Temp\cpuz136\cpuz136_x32.sys [x]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2010-11-20 62464]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2014-01-30 40776]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-20 15872]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [2010-11-20 77184]
R3 terminpt;Microsoft Remote Desktop Input Driver;c:\windows\system32\drivers\terminpt.sys [2010-11-20 25600]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-20 27264]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [2010-11-20 112640]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2013-12-22 1343400]
R4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [2005-09-23 2799808]
S1 MpKsl1221e435;MpKsl1221e435;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{F5A4B827-05A7-43C9-BB69-61AD5AD3FF91}\MpKsl1221e435.sys [2014-02-07 40392]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2011-07-22 12880]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2011-07-12 67664]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [2013-10-10 120088]
S2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [2013-04-04 418376]
S2 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2013-09-27 104768]
S2 PDMWorks Workgroup Server;SolidWorks Workgroup PDM Server;c:\program files\SolidWorks Corp\SolidWorks Workgroup PDM\Vault\pdmwService.exe [2012-09-28 3347968]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2013-04-04 22856]
S3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [2013-10-23 280288]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MPKSL1221E435
.
Contents of the 'Scheduled Tasks' folder
.
2014-02-07 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2013-12-07 19:10]
.
2014-02-07 c:\windows\Tasks\SUPERAntiSpyware Scheduled Task 347663b2-ec2f-4504-87e7-f7aee1d45254.job
- c:\program files\SUPERAntiSpyware\SASTask.exe [2013-11-07 20:08]
.
2014-02-02 c:\windows\Tasks\SUPERAntiSpyware Scheduled Task ea6efdf0-4d7f-429b-be0c-74b2a8407bb3.job
- c:\program files\SUPERAntiSpyware\SASTask.exe [2013-11-07 20:08]
.
.
------- Supplementary Scan -------
.
TCP: DhcpNameServer = 192.168.1.254
FF - ProfilePath - c:\users\Namai\AppData\Roaming\Mozilla\Firefox\Profiles\cwqxmtbu.default\
FF - ExtSQL: 2013-12-08 02:14; {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}; c:\users\Namai\AppData\Roaming\Mozilla\Firefox\Profiles\cwqxmtbu.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
.
- - - - ORPHANS REMOVED - - - -
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\SolidWorks 2013 Fast Start.lnk - c:\windows\Installer\{B85DDD77-4A6A-4811-B241-EDADBF996BD0}\NewShortcut2_F1630D75496847DD999177A077E0CA0F.exe
MSConfigStartUp-GPUTemp - c:\users\Namai\AppData\Local\Temp\GPUTemp.exe
MSConfigStartUp-mobilegeni daemon - c:\program files\Mobogenie\DaemonProcess.exe
MSConfigStartUp-NextLive - c:\users\Namai\AppData\Roaming\newnext.me\nengine.dll
MSConfigStartUp-NINITE LAUNCHER - c:\users\Namai\AppData\Roaming\NINITELAUNCHER.EXE
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2014-02-07  23:46:52
ComboFix-quarantined-files.txt  2014-02-07 21:46
.
Pre-Run: 23.374.516.224 bytes free
Post-Run: 23.418.769.408 bytes free
.
- - End Of File - - 7295F79B9885D32670E4BD21DEA5A170
A36C5E4F47E84449FF07ED3517B43A31




Edit: Aand nope, it came back on again after a few minutes.
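The log above already explains a lot of what went wrong: under the `policies\system` key both `EnableLUA` and `ConsentPromptBehaviorAdmin` are 0 (UAC fully off, so anything the relatives launched installed silently), two services point at binaries that no longer exist (`[x]`), an extension package and a `Shopping Suggestion.dll` were dropped in a GUID-named folder directly under `AppData\Roaming` rather than inside the Firefox profile, and `MSConfigStartUp` entries launch from the user profile. The following script is an added example, not ComboFix's own code or anything posted in this thread; it pulls those four classes of finding out of a ComboFix log so they are not lost in the noise of `Find3M` entries. The regular expressions are assumptions derived from the log format shown here, and `SAMPLE_LOG` is a constructed, abridged excerpt of the posted log.

```python
"""Triage a ComboFix log for the findings that explain recurring adware:
UAC switched off, autostarts living in the user profile, services whose
binary is missing, and extension packages dropped outside the browser profile.
Added example; the parsing rules are assumptions based on the posted log."""
import re

# Constructed excerpt of the log posted in this thread (abridged).
SAMPLE_LOG = r"""
(((((  Other Deletions  )))))
c:\program files\VLC Player GPU+\path.inf
c:\users\Namai\AppData\Roaming\D394D188-BAC7-4e03-8FAF-389A4D7EC6F4\{4e38134d-ba98-4066-b898-e296d8acc938}.xpi
c:\users\Namai\AppData\Roaming\D394D188-BAC7-4e03-8FAF-389A4D7EC6F4\ejbpjlaagejfakeobljhgplbgklgemll.crx
c:\users\Namai\AppData\Roaming\D394D188-BAC7-4e03-8FAF-389A4D7EC6F4\Shopping Suggestion.dll
(((((  Reg Loading Points  )))))
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2014-01-06 5625624]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"EnableLUA"= 0 (0x0)
R2 Util GreyGray;Util GreyGray;c:\program files\GreyGray\bin\utilGreyGray.exe [x]
R2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [2013-10-23 172192]
R3 cpuz136;cpuz136;c:\users\Namai\AppData\Local\Temp\cpuz136\cpuz136_x32.sys [x]
MSConfigStartUp-mobilegeni daemon - c:\program files\Mobogenie\DaemonProcess.exe
MSConfigStartUp-NextLive - c:\users\Namai\AppData\Roaming\newnext.me\nengine.dll
"""

GUID = r"[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}"
# UAC policy values printed under ...\policies\system; a value of 0 means "off".
UAC_RE = re.compile(r'^"(EnableLUA|ConsentPromptBehaviorAdmin|EnableInstallerDetection)"\s*=\s*(\d+)')
# Service/driver line whose binary ComboFix could not find: "R2 Name;Display;path [x]".
SERVICE_RE = re.compile(r"^[RS]\d\s+([^;]+);[^;]*;(.+?)\s+\[x\]\s*$")
# Extension package or DLL sitting in a GUID-named folder directly under Roaming.
EXT_RE = re.compile(r"(?i)\\appdata\\roaming\\" + GUID + r"\\[^\\]+\.(?:xpi|crx|dll)$")
# Two autostart formats in the log: Run-key values and MSConfig startup entries.
RUN_VALUE_RE = re.compile(r'^"([^"]+)"="([^"]+)"')
MSCONFIG_RE = re.compile(r"^MSConfigStartUp-(.+?) - (.+)$")


def uac_findings(log):
    """Return (setting, 0) for every UAC policy the log shows switched off."""
    out = []
    for line in log.splitlines():
        m = UAC_RE.match(line)
        if m and int(m.group(2)) == 0:
            out.append((m.group(1), 0))
    return out


def missing_service_binaries(log):
    """Return (service, path) for registered services whose binary is gone."""
    out = []
    for line in log.splitlines():
        m = SERVICE_RE.match(line)
        if m:
            out.append((m.group(1), m.group(2)))
    return out


def sideloaded_extensions(log):
    """Return extension packages/DLLs that live in GUID folders under Roaming."""
    return [ln.rstrip() for ln in log.splitlines() if EXT_RE.search(ln.rstrip())]


def user_profile_autostarts(log):
    """Return (name, path) autostart entries that launch from the user profile."""
    out = []
    for line in log.splitlines():
        m = RUN_VALUE_RE.match(line) or MSCONFIG_RE.match(line)
        if m and re.search(r"(?i)\\appdata\\", m.group(2)):
            out.append((m.group(1), m.group(2)))
    return out


def triage(log):
    """Bundle the four checks into one report keyed by finding type."""
    return {
        "uac_disabled": uac_findings(log),
        "missing_service_binaries": missing_service_binaries(log),
        "sideloaded_extensions": sideloaded_extensions(log),
        "user_profile_autostarts": user_profile_autostarts(log),
    }


if __name__ == "__main__":
    for kind, items in triage(SAMPLE_LOG).items():
        print(f"{kind}: {len(items)}")
        for item in items:
            print("   ", item)
```

Feed a full log to `triage()` in place of `SAMPLE_LOG`; the point of the exercise is that the UAC finding is the one to fix first, since with `EnableLUA` at 0 every cleanup is undone the next time a dropper runs.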
 
So it found quite a few things, including what looks like a fake VLC player.

Is it any better now?
 
The ads disappeared for a bit but came back after a few minutes; it seems it's reinstalling itself each time it's removed. :/
 
Delete all system restore points

Reset Firefox to default; there is no need to uninstall and reinstall.
Reset by doing the following:
Click on Help > Troubleshooting Information > Click on Reset Firefox

Go to C:\users\<profile name>\appdata\roaming and delete anything that looks like FLV player

Go to C:\users\<profile name>\appdata\local\temp and delete everything in here.

Run ComboFix again

This is what I have in my roaming directory, yours should be similar

22/01/2014 12:11 AM <DIR> Adobe
06/12/2013 08:37 PM <DIR> ArcSoft
07/02/2014 01:08 PM <DIR> Audacity
12/01/2014 04:03 PM <DIR> avidemux
08/02/2014 10:07 AM <DIR> BitTorrent
28/11/2013 01:32 AM <DIR> Bullzip
05/02/2014 06:18 PM <DIR> Dropbox
06/02/2014 10:39 PM <DIR> Free Download Manager
04/11/2013 12:14 AM <DIR> Identities
04/11/2013 12:33 AM <DIR> InstallShield
04/11/2013 01:16 AM <DIR> Macromedia
21/11/2010 06:16 PM <DIR> Media Center Programs
04/11/2013 07:39 PM <DIR> Mozilla
26/12/2013 10:20 PM <DIR> NVIDIA
23/01/2014 09:34 PM <DIR> vlc


If anything has the name of the malware, remove it.
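The "compare your Roaming folder against a known-good one" step above can be scripted. The following is an added example, not posted by anyone in this thread; it walks a Roaming directory and reports three things: top-level entries absent from a baseline list (the listing above is that baseline), directories whose name is a bare GUID (the pattern ComboFix deleted in the posted log), and `.xpi`/`.crx` extension packages that are not inside a Firefox or Chrome profile folder, which is how an add-on can load without appearing in the regular extensions menu. The `PROFILE_MARKERS` path components and the sample tree are assumptions constructed from the paths in this thread; the tree is built in a temporary directory so the script runs on any OS.

```python
"""Audit an AppData\\Roaming directory for adware persistence artefacts.
Added example, not from this thread; the constructed sample tree mirrors
the folder layout reported in the posted ComboFix log."""
import re
import tempfile
from pathlib import Path

GUID_DIR = re.compile(r"^\{?[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}\}?$")
EXTENSION_SUFFIXES = {".xpi", ".crx"}
# Path components under which a browser legitimately keeps installed extensions (assumed).
PROFILE_MARKERS = (("mozilla", "firefox", "profiles"), ("google", "chrome", "user data"))


def in_browser_profile(rel_parts):
    """True if the relative path passes through a known browser profile folder."""
    lowered = [p.lower() for p in rel_parts]
    for marker in PROFILE_MARKERS:
        n = len(marker)
        if any(tuple(lowered[i:i + n]) == marker for i in range(len(lowered) - n + 1)):
            return True
    return False


def audit_roaming(roaming, baseline):
    """Return (finding_type, path) pairs for a Roaming directory.

    baseline: names of top-level entries known to belong on this machine.
    """
    roaming = Path(roaming)
    baseline_lc = {b.lower() for b in baseline}
    findings = []
    for entry in sorted(roaming.iterdir()):
        if entry.name.lower() not in baseline_lc:
            findings.append(("not-in-baseline", entry.name))
        if entry.is_dir() and GUID_DIR.match(entry.name):
            findings.append(("guid-named-dir", entry.name))
    for f in sorted(roaming.rglob("*")):
        if f.is_file() and f.suffix.lower() in EXTENSION_SUFFIXES:
            rel = f.relative_to(roaming).parts
            if not in_browser_profile(rel):
                findings.append(("extension-outside-profile", "/".join(rel)))
    return findings


def build_sample_tree(root):
    """Constructed tree: two legitimate folders plus the layout from the log."""
    root = Path(root)
    files = [
        "Adobe/Flash Player/settings.sol",
        "Mozilla/Firefox/Profiles/cwqxmtbu.default/extensions/{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi",
        "D394D188-BAC7-4e03-8FAF-389A4D7EC6F4/{4e38134d-ba98-4066-b898-e296d8acc938}.xpi",
        "D394D188-BAC7-4e03-8FAF-389A4D7EC6F4/ejbpjlaagejfakeobljhgplbgklgemll.crx",
        "D394D188-BAC7-4e03-8FAF-389A4D7EC6F4/Shopping Suggestion.dll",
        "newnext.me/nengine.dll",
    ]
    for rel in files:
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"")
    return root


def run_demo():
    """Build the sample tree and audit it against a two-entry baseline."""
    with tempfile.TemporaryDirectory() as tmp:
        roaming = build_sample_tree(tmp)
        return audit_roaming(roaming, ["Adobe", "Mozilla"])


if __name__ == "__main__":
    for kind, path in run_demo():
        print(f"{kind:26} {path}")
```

On a real machine, call `audit_roaming(Path.home() / "AppData" / "Roaming", baseline)` with the baseline taken from a clean machine or from the listing above; anything it reports is a candidate for the manual check the post describes, not an automatic delete.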
 
OK, download HijackThis. Run it, do a system scan and post the log file.

To be honest, if ComboFix hasn't sorted it, I'd start preparing for a rebuild of your OS.
 
HijackThis shouldn't be used anymore; OTL from OldTimer is the better tool.
HJT doesn't recognize most newer threats.
 
It seems to have worked. There was this plugin called "shoppingsuggestions" on about:support that wasn't on the regular plugins/extensions menu. I did those steps, just didn't run combofix yet but it seems to have fixed it. I guess if it reappears I'll repeat the process. Thanks 👍
 