Popups in Windows 8.1


Post by DougSr » May 16th, 2014, 8:25 pm

My wife inadvertently downloaded some malware when she downloaded Open Office and now we are getting pop ups while using Chrome. I tried earlier viewtopic.php?f=11&t=62810&sid=6dd0d5ee067c9416ff6a1638095a0813#.U3ar0yhmmBr to get DDS and OTL to work but they are incompatible with Win 8. Gary asked me to run FRST and below are my logs;

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 15-05-2014
Ran by DougWendy (administrator) on FAMILYPC on 16-05-2014 20:18:25
Running from C:\Users\DougWendy\Downloads
Platform: Windows 8.1 (Update 1) (X64) OS Language: English(US)
Internet Explorer Version 11
Boot Mode: Normal

The only official download link for FRST:
Download link for 32-Bit version: http://www.bleepingcomputer.com/downloa ... ool/dl/81/
Download link for 64-Bit Version: http://www.bleepingcomputer.com/downloa ... ool/dl/82/
Download link from any site other than Bleeping Computer is unpermitted or outdated.
See tutorial for FRST: http://www.geekstogo.com/forum/topic/33 ... scan-tool/

Re: Popups in Windows 8.1

Post by wannabeageek » May 18th, 2014, 4:11 pm

Hello DougSr, and Welcome to MalWare Removal forums!

My name is wannabeageek and I'll be helping you with any malware problems.

Before we begin, please read and follow these important guidelines, so things will proceed smoothly.
  1. The instructions being given are for YOUR computer and system only!
    Using these instructions on a different computer can cause damage to that computer and possibly render it inoperable!
  2. You must have Administrator rights, permissions for this computer.
  3. DO NOT run any other fix or removal tools unless instructed to do so!
  4. DO NOT install any other software (or hardware) during the cleaning process. This adds more items to be researched.
  5. Only post your problem at (1) one help site. Applying fixes from multiple help sites can cause problems.
  6. Print each set of instructions if possible - your Internet connection will not be available during some fix processes.
  7. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
  8. Only reply to this thread, do not start another one. Please, continue responding, until I give you the "All Clean!"

    Absence of symptoms does not mean that everything is clear.

I am currently reviewing your logs and will return, as soon as possible, with additional instructions. In the meantime...

Note: If you haven't done so already, please read this topic ALL USERS OF THIS FORUM MUST READ THIS FIRST where the conditions for receiving help here are explained.

Please read all instructions carefully before executing and perform the steps, in the order given.
If you have any questions or problems executing these instructions, <<STOP>> do not proceed, post back with the question or problem.

Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

Because of this, I advise you to back up any personal files and folders before you start.
Re: Popups in Windows 8.1

Post by wannabeageek » May 19th, 2014, 1:02 am

Hi DougSr,

Please run the following:

Step 1.
  • Click Start
  • Type notepad.exe in the search programs and files box and click Enter.
  • A blank Notepad page should open.
    • Copy and Paste the following script into Notepad, Do not include the words Code: select all
    • (Click the select all button next to code to select the entire script).
    Code: Select all
    C:\Program Files (x86)\webget
    R1 {9edd0ea8-2819-47c2-8320-b007d5996f8a}Gw64; C:\Windows\System32\drivers\{9edd0ea8-2819-47c2-8320-b007d5996f8a}Gw64.sys [61112 2014-05-12] (StdLib)
    AlternateDataStreams: C:\Users\DougWendy\Downloads\adwcleaner_3.208.exe:BDU
    AlternateDataStreams: C:\Users\DougWendy\Downloads\Apache_OpenOffice_4.1.0_Win_x86_install_en-US.exe:BDU
    AlternateDataStreams: C:\Users\DougWendy\Downloads\ccsetup412.exe:BDU
    AlternateDataStreams: C:\Users\DougWendy\Downloads\CrashPlan-x64_3.6.3_Win.exe:BDU
    AlternateDataStreams: C:\Users\DougWendy\Downloads\CreativeCloudSet-Up.exe:BDU
    AlternateDataStreams: C:\Users\DougWendy\Downloads\CrucialScan.exe:BDU
    AlternateDataStreams: C:\Users\DougWendy\Downloads\dds(1).scr:BDU
    AlternateDataStreams: C:\Users\DougWendy\Downloads\dds(2).scr:BDU
    AlternateDataStreams: C:\Users\DougWendy\Downloads\dds.com:BDU
    AlternateDataStreams: C:\Users\DougWendy\Downloads\dds.scr:BDU
    AlternateDataStreams: C:\Users\DougWendy\Downloads\FRST64.exe:BDU
    AlternateDataStreams: C:\Users\DougWendy\Downloads\HitmanPro_x64.exe:BDU
    AlternateDataStreams: C:\Users\DougWendy\Downloads\JRT.exe:BDU
    AlternateDataStreams: C:\Users\DougWendy\Downloads\mbam-setup-
    AlternateDataStreams: C:\Users\DougWendy\Downloads\mp68-win-mp560-1_06-ea24.exe:BDU
    AlternateDataStreams: C:\Users\DougWendy\Downloads\OTL.exe:BDU
    AlternateDataStreams: C:\Users\DougWendy\Downloads\UnityWebPlayer.exe:BDU
  • Save it next to FRST.exe as filename fixlist.txt.
  • NOTE: It's important that both files, FRST/FRST64 and fixlist.txt are saved in the same location or the fix will not work.
  • Right-click FRST.exe and select " Run as administrator " to run it.
  • Press the Fix button just once. Then wait.
  • When finished, it will create a Fixlog.txt log on your Desktop.
  • Please post the content of the Fixlog.txt in your next reply.

Step 2.
As you have Malwarebytes' Anti-Malware installed on your computer, could you please do the following:
  • Launch the application.
  • One of 2 things will happen:
    • The program will be so outdated that it will automatically invoke a complete re-install; or
    • The program will check, update the database and then run.
    If it does a complete re-install, be sure to follow the prompts.
  • Perform Quick Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Check all items except items in the C:\System Volume Information folder... and click Remove Selected.
    Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
  • The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
Re: Popups in Windows 8.1

Post by DougSr » May 20th, 2014, 7:44 am

Save it next to FRST.exe as filename fixlist.txt.

I am not sure what you mean here. I will wait for clarification. How do I save it next to FRST.EXE?
Re: Popups in Windows 8.1

Post by wannabeageek » May 20th, 2014, 10:37 pm

Hello DougSr,

DougSr wrote: Save it next to FRST.exe as filename fixlist.txt.

I am not sure what you mean here. I will wait for clarification. How do I save it next to FRST.EXE?

What this means is wherever (folder, location) you saved and ran the program - FRST.exe - this is where you would save the file fixlist.txt.
Running from C:\Users\DougWendy\Downloads

You really need to move this file to the desktop as this is where the programs are designed to run from.

If you need assistance please ask.

Re: Popups in Windows 8.1

Post by DougSr » May 21st, 2014, 12:18 am

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 15-05-2014
Ran by DougWendy at 2014-05-20 23:49:34 Run:1
Running from C:\Users\DougWendy\Desktop
Boot Mode: Normal

Content of fixlist:
C:\Program Files (x86)\webget
R1 {9edd0ea8-2819-47c2-8320-b007d5996f8a}Gw64; C:\Windows\System32\drivers\{9edd0ea8-2819-47c2-8320-b007d5996f8a}Gw64.sys [61112 2014-05-12] (StdLib)
AlternateDataStreams: C:\Users\DougWendy\Downloads\adwcleaner_3.208.exe:BDU
AlternateDataStreams: C:\Users\DougWendy\Downloads\Apache_OpenOffice_4.1.0_Win_x86_install_en-US.exe:BDU
AlternateDataStreams: C:\Users\DougWendy\Downloads\ccsetup412.exe:BDU
AlternateDataStreams: C:\Users\DougWendy\Downloads\CrashPlan-x64_3.6.3_Win.exe:BDU
AlternateDataStreams: C:\Users\DougWendy\Downloads\CreativeCloudSet-Up.exe:BDU
AlternateDataStreams: C:\Users\DougWendy\Downloads\CrucialScan.exe:BDU
AlternateDataStreams: C:\Users\DougWendy\Downloads\dds(1).scr:BDU
AlternateDataStreams: C:\Users\DougWendy\Downloads\dds(2).scr:BDU
AlternateDataStreams: C:\Users\DougWendy\Downloads\dds.com:BDU
AlternateDataStreams: C:\Users\DougWendy\Downloads\dds.scr:BDU
AlternateDataStreams: C:\Users\DougWendy\Downloads\FRST64.exe:BDU
AlternateDataStreams: C:\Users\DougWendy\Downloads\HitmanPro_x64.exe:BDU
AlternateDataStreams: C:\Users\DougWendy\Downloads\JRT.exe:BDU
AlternateDataStreams: C:\Users\DougWendy\Downloads\mbam-setup-
AlternateDataStreams: C:\Users\DougWendy\Downloads\mp68-win-mp560-1_06-ea24.exe:BDU
AlternateDataStreams: C:\Users\DougWendy\Downloads\OTL.exe:BDU
AlternateDataStreams: C:\Users\DougWendy\Downloads\UnityWebPlayer.exe:BDU


C:\Program Files (x86)\webget => Moved successfully.
{9edd0ea8-2819-47c2-8320-b007d5996f8a}Gw64 => Unable to stop service
{9edd0ea8-2819-47c2-8320-b007d5996f8a}Gw64 => Service deleted successfully.
C:\Windows\System32\drivers\{9edd0ea8-2819-47c2-8320-b007d5996f8a}Gw64.sys => Moved successfully.
C:\Users\DougWendy\Downloads\adwcleaner_3.208.exe => ":BDU" ADS removed successfully.
C:\Users\DougWendy\Downloads\Apache_OpenOffice_4.1.0_Win_x86_install_en-US.exe => ":BDU" ADS removed successfully.
C:\Users\DougWendy\Downloads\ccsetup412.exe => ":BDU" ADS removed successfully.
C:\Users\DougWendy\Downloads\CrashPlan-x64_3.6.3_Win.exe => ":BDU" ADS removed successfully.
C:\Users\DougWendy\Downloads\CreativeCloudSet-Up.exe => ":BDU" ADS removed successfully.
C:\Users\DougWendy\Downloads\CrucialScan.exe => ":BDU" ADS removed successfully.
C:\Users\DougWendy\Downloads\dds(1).scr => ":BDU" ADS removed successfully.
C:\Users\DougWendy\Downloads\dds(2).scr => ":BDU" ADS removed successfully.
C:\Users\DougWendy\Downloads\dds.com => ":BDU" ADS removed successfully.
C:\Users\DougWendy\Downloads\dds.scr => ":BDU" ADS removed successfully.
C:\Users\DougWendy\Downloads\FRST64.exe => ":BDU" ADS removed successfully.
C:\Users\DougWendy\Downloads\HitmanPro_x64.exe => ":BDU" ADS removed successfully.
C:\Users\DougWendy\Downloads\JRT.exe => ":BDU" ADS removed successfully.
C:\Users\DougWendy\Downloads\mbam-setup- => ":BDU" ADS removed successfully.
C:\Users\DougWendy\Downloads\mp68-win-mp560-1_06-ea24.exe => ":BDU" ADS removed successfully.
C:\Users\DougWendy\Downloads\OTL.exe => ":BDU" ADS removed successfully.
"C:\Users\DougWendy\Downloads\UnityWebPlayer.exe" => ":BDU" ADS not found.

The system needed a reboot.

==== End of Fixlog ====
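
A helper reviewing a Fixlog like the one above mainly wants the lines that were not clean successes, plus whether a reboot is pending and whether the log was pasted in full. The parser below is an added example, not part of the original posts and not FRST's own code; the sample log is constructed, and the outcome wording it recognises is assumed from this thread's log only.

```python
import re
from collections import Counter

# Constructed sample in the "<target> => <outcome>" shape of the Fixlog above
# (paths shortened, the driver GUID replaced by a placeholder).
SAMPLE_FIXLOG = r'''
Content of fixlist:
C:\Program Files (x86)\webget
AlternateDataStreams: C:\Users\Example\Downloads\a.exe:BDU

C:\Program Files (x86)\webget => Moved successfully.
{PLACEHOLDER-GUID}Gw64 => Unable to stop service
{PLACEHOLDER-GUID}Gw64 => Service deleted successfully.
C:\Users\Example\Downloads\a.exe => ":BDU" ADS removed successfully.
"C:\Users\Example\Downloads\b.exe" => ":BDU" ADS not found.

The system needed a reboot.

==== End of Fixlog ====
'''

RESULT = re.compile(r'^(?P<target>.+?) => (?P<outcome>.+?)\.?$')

def classify(outcome):
    """Bucket an outcome using only the wording seen in this thread's log."""
    text = outcome.lower()
    if "not found" in text:
        return "missing"
    if "unable" in text:
        return "failed"
    return "ok" if "successfully" in text else "unknown"

def parse_fixlog(text):
    """Return per-line results plus reboot and end-marker flags."""
    results, reboot, complete = [], False, False
    for line in (raw.strip() for raw in text.splitlines()):
        m = RESULT.match(line)
        if m:
            outcome = m.group("outcome")
            results.append((m.group("target").strip('"'), classify(outcome), outcome))
        elif line.startswith("The system needed a reboot"):
            reboot = True
        elif line.startswith("==== End of Fixlog"):
            complete = True
    counts = Counter(status for _, status, _ in results)
    return {"results": results, "counts": counts,
            "reboot_needed": reboot, "complete": complete}

def needs_review(parsed):
    """Lines that were anything other than a clean success."""
    return [(t, o) for t, s, o in parsed["results"] if s != "ok"]
```

A log whose `complete` flag is false was cut off before the end marker and should be requested again before any conclusion is drawn from it.
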
Re: Popups in Windows 8.1

Post by DougSr » May 21st, 2014, 12:19 am

Malwarebytes Anti-Malware

Scan Date: 5/21/2014
Scan Time: 12:17:56 AM
Administrator: Yes

Malware Database: v2014.05.21.02
Rootkit Database: v2014.03.27.01
License: Trial
Malware Protection: Enabled
Malicious Website Protection: Enabled
Chameleon: Disabled

OS: Windows 8.1
CPU: x64
File System: NTFS
User: DougWendy

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 275430
Time Elapsed: 10 min, 41 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Shuriken: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)

Re: Popups in Windows 8.1

Post by DougSr » May 21st, 2014, 12:23 am

I have to let you know that Chrome was deleted and reinstalled in between my initial posting and these tests. I apologize for this.
Re: Popups in Windows 8.1

Post by wannabeageek » May 21st, 2014, 1:11 am

Hi DougSr,

When you downloaded and installed the Open Office suite, was the entry below part of the installation?
FRST flagged it as an issue to be dealt with.

Open Office Packages (HKCU\...\Open Office Packages) (Version: - ) <==== ATTENTION
Re: Popups in Windows 8.1

Post by DougSr » May 21st, 2014, 1:34 am

I do not know, I was not the one to install it. I am positive my wife did not notice it.
Re: Popups in Windows 8.1

Post by wannabeageek » May 21st, 2014, 9:33 pm

Hi DougSr,

If you or your wife are unable to determine the origin of this installed program, I highly recommend its removal.
Open Office Packages (HKCU\...\Open Office Packages) (Version: - ) <==== ATTENTION

Please post back the condition of the computer and whether or not this affected the Open Office Suite.

Re: Popups in Windows 8.1

Post by DougSr » May 21st, 2014, 10:44 pm

I have removed open office, is that what you mean? I certainly hope so, I am too scared of messing this up with Windows 8.
Re: Popups in Windows 8.1

Post by wannabeageek » May 21st, 2014, 11:04 pm


I apologize for the misunderstanding. There were 2 entries in the installed programs list:
1.) Open Office Packages (HKCU\...\Open Office Packages) (Version: - ) <==== ATTENTION
2.) OpenOffice 4.0.1 (HKLM-x32\...\{47F460DA-D1BE-4D85-8DF2-AA1F31D3445F}) (Version: 4.01.9714 - Apache Software Foundation)

The first entry is the one in question and possibly the source or part of the source of malware.
The second entry is legitimate and could have been left alone.

Did you remove both?

How is the computer behaving?

Re: Popups in Windows 8.1

Post by DougSr » May 21st, 2014, 11:13 pm

I am assuming that you mean remove them in regedit? I looked for the first one and could not find it. I shall respond and try to look for the second. I will say the computer has been operating fine but for MBAM finding an interesting tidbit, a pup I think it was. Let me find the latest log and copy it here.
Re: Popups in Windows 8.1

Post by DougSr » May 21st, 2014, 11:16 pm

Malwarebytes Anti-Malware

Scan Date: 5/21/2014
Scan Time: 11:15:54 PM
Administrator: Yes

Malware Database: v2014.05.21.10
Rootkit Database: v2014.05.21.01
License: Trial
Malware Protection: Enabled
Malicious Website Protection: Enabled
Chameleon: Disabled

OS: Windows 8.1
CPU: x64
File System: NTFS
User: DougWendy

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 275745
Time Elapsed: 2 hr, 0 min, 13 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Shuriken: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 1
PUP.Optional.Conduit.A, C:\Users\DougWendy\AppData\Local\Google\Chrome\User Data\Default\Preferences, Good: (), Bad: ( "startup_urls": [ "http://www.air1.com/", "http://www.google.com", "http://search.conduit.com/?ctid=CT3324790&octid=EB_ORIGINAL_CTID&SearchSource=55&CUI=&UM=4&UP=SP56641997-1825-47B8-B06F-13601646BDED&SSPV=" ],), ,[709e5df7f08b92a4f961d9a740c4d828]

Physical Sectors: 0
(No malicious items detected)
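
The PUP.Optional.Conduit.A entry in the log above points at the `startup_urls` list in Chrome's Preferences file. The check below is an added example, not part of the original posts and not Malwarebytes' detection logic: it reads a Preferences JSON document and reports every startup URL whose host is not on an allowlist the user supplies. The sample document is constructed, its `session` nesting and the `example.org` host are assumptions, and the search is recursive so the key is found wherever it sits.

```python
import json
from urllib.parse import urlsplit

# Constructed sample in the shape of a Chrome Preferences file; hosts are
# placeholders except search.conduit.com, the host MBAM reported above.
SAMPLE_PREFS = json.dumps({
    "homepage": "http://www.example.org/",
    "session": {
        "restore_on_startup": 4,
        "startup_urls": [
            "http://www.example.org/",
            "http://search.conduit.com/?ctid=PLACEHOLDER&SearchSource=55",
        ],
    },
})

def find_key(node, key, path=""):
    """Yield (json_path, value) for every occurrence of key at any depth."""
    if isinstance(node, dict):
        for k, v in node.items():
            here = f"{path}.{k}" if path else k
            if k == key:
                yield here, v
            yield from find_key(v, key, here)
    elif isinstance(node, list):
        for i, v in enumerate(node):
            yield from find_key(v, key, f"{path}[{i}]")

def host_allowed(host, allowed):
    """True if host equals an allowed domain or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in allowed)

def audit_startup_urls(prefs_text, allowed):
    """Return startup URLs whose host is not on the user's own allowlist."""
    findings = []
    for path, urls in find_key(json.loads(prefs_text), "startup_urls"):
        for url in urls if isinstance(urls, list) else [urls]:
            host = urlsplit(str(url)).hostname or ""
            if not host_allowed(host, allowed):
                findings.append({"path": path, "url": url, "host": host})
    return findings
```

Matching on the parsed hostname with a leading-dot suffix test, rather than on a substring of the URL, keeps a look-alike host such as `example.org.evil.test` from passing the allowlist.
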

