Something Causing IE Popups

So a few weeks ago I messed up and tried to install a torrented program that had a bogus keygen.  Setting aside the fact that I'm an idiot for falling into such an obvious trap, I now have something opening Internet Explorer windows to ad sites.  I've disabled access to IE from my firewall so it just pops up blank windows, but it still pops them up every minute or so -- but only after I navigate to a new page.  When my computer idles nothing gets opened; only when I'm already browsing.  It's also apparently causing Windows time to be ahead by 5 hours...

I've run HijackThis and ComboFix; neither is reporting anything that I can see as the source of the problem.  I've used process viewers to check out what's currently running, and nothing seems out of place.  AVG isn't finding any infected files after multiple scans, and Ad-Aware and Spybot both find nothing.  I'm at a loss now.

I've attached the HijackThis and ComboFix logs in case anyone wants to have a look at them.  I'm running XP Pro, SP2, etc...
hijackthis.log
combofix.txt
Harry_Truman Asked:
IndiGenus Commented:
Combofix couldn't delete the core.cache.dsk file because another driver is protecting it. This should get it hopefully.

1. Open Notepad.

2. Now copy/paste the text between the lines below into the Notepad window:

---------------------------------------------------------------------------------------------------------------

File::
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\ati1ttxxx.sys

Driver::
ati1ttxxx

---------------------------------------------------------------------------------------------------------------

3. Save the above as CFScript.txt on your desktop.

4. Then drag the CFScript.txt into ComboFix.exe. This will start ComboFix again.

5. After reboot, (in case it asks to reboot), please upload the following reports/logs.

-Combofix.txt
-A new HijackThis log
0
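A post-cleanup check for the CFScript procedure above, as an added example that is not part of the original thread or of ComboFix: it parses the script's `File::` and `Driver::` sections and reports which targets are still present, including a driver left half-removed. It assumes each `Driver::` entry corresponds to a key under `HKLM\SYSTEM\CurrentControlSet\Services` and to an image file named `<driver>.sys`; the function names are hypothetical.

```python
import ntpath
import os

# The CFScript from the post above, embedded verbatim.
CFSCRIPT = r"""File::
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\ati1ttxxx.sys

Driver::
ati1ttxxx
"""

def parse_cfscript(text):
    """Split a CFScript into {directive: [entries]}; directives end in '::'."""
    sections, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or set(line) == {"-"}:      # blank line or dashed separator
            continue
        if line.endswith("::"):
            current = sections.setdefault(line[:-2], [])
        elif current is None:
            raise ValueError(f"entry before any directive: {line!r}")
        else:
            current.append(line)
    return sections

def service_key_exists(name):
    """True if the Services registry key for this driver exists (Windows only)."""
    import winreg
    try:
        winreg.CloseKey(winreg.OpenKey(
            winreg.HKEY_LOCAL_MACHINE,
            "SYSTEM\\CurrentControlSet\\Services\\" + name))
        return True
    except FileNotFoundError:
        return False

def leftovers(sections, file_exists=os.path.exists, driver_exists=service_key_exists):
    """Return targets still present, plus drivers whose service key and
    <driver>.sys file disagree (assumed naming), i.e. a partial removal."""
    files = [f for f in sections.get("File", []) if file_exists(f)]
    drivers = [d for d in sections.get("Driver", []) if driver_exists(d)]
    present = {ntpath.basename(f).lower() for f in files}
    half = [d for d in sections.get("Driver", [])
            if (d in drivers) != ((d.lower() + ".sys") in present)]
    return {"files": files, "drivers": drivers, "half_removed": half}

if __name__ == "__main__":
    print(leftovers(parse_cfscript(CFSCRIPT)))
```

All three lists come back empty once the cleanup has fully succeeded.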

Hardi Commented:
Have you tried system restore?

ComboFix failed to delete something... what file is it?
0
DistinctiveIT Commented:
If you allow IE access, what is the content of the pop-ups? What version of IE? 6 or 7? You can try disabling all the IE add-ons to see if the pop-ups still occur.
0
kadadi_v (IT Admin) Commented:
Try to scan online with Trend Micro HouseCall or Panda antivirus, and upgrade your Spybot Search & Destroy application and run it in advanced mode.

Regards,
Vijay kadadi
0
Shanmuga Sundaram (Director of Software Engineering) Commented:
It may be the work of trojans disguising themselves as some exe's. For example, some trojans disguise themselves as crsss.exe. Try using a good spyware removal or trojan removal tool and run an online virus check (or a check with the latest antivirus update).

Check out:
http://www.sophos.com/virusinfo/analyses/w32rbotmx.html
0
Harry_Truman (Author) Commented:
I ran out of time to do anything else last night, though I ran Spybot one last time and it removed core.cache.dsk.  I'll rerun ComboFix when I get home later.  

System Restore is disabled on my machine to free HDD space.  I'd just as soon wipe it out and start over if I ever get myself into a situation that deep.

IE7, no addons since it never gets used.  I'll unblock it later this evening and list a few sites that it gets directed to.
0
Harry_Truman (Author) Commented:
Here's the new CF log after having run with CFScript.  I've been browsing around waiting for popups to...well, pop up.  So far nothing...mayhaps running CFScript fixed it?  Of course I'm not counting my chickens just yet, gonna see if I can make anything happen.
combofix-2.txt
0
IndiGenus Commented:
Looks like those files and driver are gone. A couple of other things I noticed that probably won't cause much harm but should be deleted. You should also run full system virus and spyware scans to make sure all is clean.

These...
C:\WINDOWS\{00000001-00000000-00000006-00001102-00000004-20021102}.BAK
C:\WINDOWS\system32\BMXStateBkp-{00000001-00000000-00000006-00001102-00000004-20021102}.rfx
C:\WINDOWS\system32\BMXState-{00000001-00000000-00000006-00001102-00000004-20021102}.rfx
C:\WINDOWS\system32\BMXCtrlState-{00000001-00000000-00000006-00001102-00000004-20021102}.rfx
C:\WINDOWS\system32\BMXBkpCtrlState-{00000001-00000000-00000006-00001102-00000004-20021102}.rfx
C:\WINDOWS\system32\DVCState-{00000001-00000000-00000006-00001102-00000004-20021102}.rfx
C:\WINDOWS\system32\settingsbkup.sfm
C:\WINDOWS\system32\settings.sfm
C:\WINDOWS\{00000001-00000000-00000006-00001102-00000004-20021102}.CDF

Can be deleted.

Good luck,
Dave
0
Harry_Truman (Author) Commented:
Everything ran fine for the remainder of the evening.  No popups, and I noticed that my boot speed and average load times for normal tasks were back to normal.  Thanks for the help!
0
Harry_Truman (Author) Commented:
You put an end to my anxiety.  Thanks again!
0
IndiGenus Commented:
You're welcome, and thank you for the points and grade.

Good luck in the future,
Dave
0