Pop ups remain after scans

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by the7yearplan, May 30, 2007.

  1. the7yearplan

    the7yearplan Private E-2

    A user at work reported pop ups on her computer this morning. Every time an internet application is launched a deluge of pop ups come with it. I have run through all the scans and they found a variety of spyware/adware. Smitfraud-C.CoreService was the only one that Spybot could not remove even after multiple scans at startup. Included are all my log files.
     

    Attached Files:

  2. the7yearplan

    the7yearplan Private E-2

    More logs
     

    Attached Files:

  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    First uninstall the Sunbelt CounterSpy trial since we are finished with it now! Then delete the below two folders which may be left behind by the uninstall:
    C:\Documents and Settings\All Users\Application Data\Sunbelt Software
    C:\Program Files\Sunbelt Software

    Also uninstall Java 2 Runtime Environment, SE v1.4.2 which is an out of date version!

    Now please run this Virtumonde aka Trojan Vundo Removal but do not attach a log from VundoFix after the first run. I want you to run this procedure multiple times until the scan comes up clean. Then attach the final log from VundoFix.

    Then continue on to the below!

    1. Download this file - combofix.exe
    2. Double click combofix.exe & follow the prompts.
    3. When finished, it will produce a log for you. Attach this log to your next reply
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    Now attach the below new logs and tell me how the above steps went.

    1. VundoFix log from the final run
    2. ComboFix log
    3. GetRunKey
    4. ShowNew
    5. HJT
    Make sure you tell me how things are working now!
     
  4. the7yearplan

    the7yearplan Private E-2

    Should I run these tools in safe mode?
     
  5. the7yearplan

    the7yearplan Private E-2

    Here are the new logs. I haven't seen any pop ups yet so hopefully everything is clean. I do have an application error appearing on boot referring to dls0523pmw.exe.
     

    Attached Files:

    Last edited: May 31, 2007
  6. the7yearplan

    the7yearplan Private E-2

    More
     

    Attached Files:

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please go back and complete step 2 of the READ ME properly or you will not be able to do my next steps which I will be posting in a few minutes.

    Question: Why are you running with Zero protection? No Antivirus, no antispyware and no true software firewall?
     
  8. the7yearplan

    the7yearplan Private E-2

    Will do.

    As for the protection, that's the IT guy's domain. I'm helping out while he's gone for the next 2 weeks on vacation. We are behind a couple of hardware firewalls though so maybe that's why there is no software firewall.
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You should not be allowing the PC to be used without an antivirus and without antispyware programs. If your IT department is allowing this.......... well I just leave it at that! While a hardware firewall does help a lot, you should still have a software firewall.

    Please tell me what is in the below folders and also whether you know what these are for. If you don't know what they are for and if they are empty folders then delete them.
    Code:
    "C:\WINDOWS\SYSTEM32\"
    POG           May 30 2007              "pog"
    T1QASQ        May 30 2007              "T1QaSQ"
    T3            May 30 2007              "T3"
    T4            May 30 2007              "T4"
    T6            May 30 2007              "T6"
    TQ0           May 30 2007              "TQ0"
    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {00CEAA86-0070-4114-A4A2-3D80D9A4F6C5} - C:\Program Files\Microsoft SQL Server\hopecejys.dll
    O2 - BHO: 0 - {0205688B-55B0-4168-75B9-9CDDC5096F78} - C:\Program Files\Microsoft Works\labuv.dll (file missing)
    O2 - BHO: (no name) - {CBCAC715-5B87-48F9-A86C-27F4F385F382} - C:\WINDOWS\system32\jkhhg.dll (file missing)
    O2 - BHO: (no name) - {DCE0BD01-F5A1-470A-82C2-CAC7BC90E6ED} - \
    O2 - BHO: (no name) - {E6506E1E-D7AF-D60F-DA07-FFADD8E423B2} - C:\WINDOWS\system32\bvkh.dll
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
    O4 - HKCU\..\Run: [Ncao] "C:\DOCUME~1\spersyn\APPLIC~1\ICROSO~1.NET\winword.exe" -vt yazb
    O4 - HKCU\..\Run: [Zus] "C:\Program Files\??crosoft\??erinit.exe"

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\SYSTEM32\bvkh.dll
    C:\WINDOWS\SYSTEM32\qsmwnjqs.ini

    Now run Ccleaner

    Now reboot in normal mode

    Now attach the below new logs and tell me how the above steps went.

    1. GetRunKey
    2. ShowNew
    3. HJT


    Make sure you tell me how things are working now!
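    As an added illustration (not code from the thread, from HijackThis or from MajorGeeks), here is a small Python triage of the O2/O4 lines quoted above: it parses the HJT log format and flags the traits a malware helper reacts to in these lines, such as unnamed BHOs, "(file missing)" entries, 8.3 short paths and unprintable characters. The flag heuristics are my own assumptions, not rules HJT itself applies.

```python
import re
# HijackThis O2/O4 lines quoted in the post above (taken from the thread, not constructed).
HJT_LINES = [
    r'O2 - BHO: (no name) - {00CEAA86-0070-4114-A4A2-3D80D9A4F6C5} - C:\Program Files\Microsoft SQL Server\hopecejys.dll',
    r'O2 - BHO: 0 - {0205688B-55B0-4168-75B9-9CDDC5096F78} - C:\Program Files\Microsoft Works\labuv.dll (file missing)',
    'O2 - BHO: (no name) - {DCE0BD01-F5A1-470A-82C2-CAC7BC90E6ED} - \\',
    r'O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime',
    r'O4 - HKCU\..\Run: [Ncao] "C:\DOCUME~1\spersyn\APPLIC~1\ICROSO~1.NET\winword.exe" -vt yazb',
    r'O4 - HKCU\..\Run: [Zus] "C:\Program Files\??crosoft\??erinit.exe"',
]

O2_RE = re.compile(r'^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$')
O4_RE = re.compile(r'^O4 - (?P<hive>HK(?:LM|CU))\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')

def parse_hjt_line(line):
    """Parse one O2 (BHO) or O4 (Run key) line into a dict; other line kinds give None."""
    m = O2_RE.match(line)
    if m:
        return {'kind': 'O2', 'name': m['name'], 'key': m['clsid'], 'path': m['path']}
    m = O4_RE.match(line)
    if m:
        cmd = m['cmd']
        # The executable is the quoted token if there is one, else the first bare token.
        exe = cmd.split('"')[1] if cmd.startswith('"') else (cmd.split() or [''])[0]
        return {'kind': 'O4', 'name': m['name'], 'key': m['hive'] + r'\..\Run', 'path': exe}
    return None

def suspicious_flags(entry):
    """Reasons an entry deserves a closer look (heuristics assumed here); [] means nothing odd."""
    path, flags = entry['path'], []
    if path.endswith('(file missing)'):
        flags.append('file missing')               # orphaned registration left after removal
    if entry['kind'] == 'O2' and entry['name'] in ('(no name)', '0', ''):
        flags.append('unnamed BHO')                # legitimate BHOs nearly always carry a name
    if path.strip(' \\') == '':
        flags.append('empty path')
    if '?' in path:
        flags.append('unprintable chars in path') # '?' is illegal in a Windows path; HJT prints ?? for it
    if '~' in path:
        flags.append('8.3 short path')             # hides the real folder name (APPLIC~1, ICROSO~1.NET)
    if re.search(r'docume~1|documents and settings', path, re.I):
        flags.append('runs from user profile')     # Office binaries do not live under a user profile
    return flags

def triage(lines):
    """Parse every line and attach its flags; lines of other kinds are skipped."""
    parsed = [e for e in map(parse_hjt_line, lines) if e]
    for entry in parsed:
        entry['flags'] = suspicious_flags(entry)
    return parsed
```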
     
  10. the7yearplan

    the7yearplan Private E-2

    Those folders were all empty and are now deleted.

    Removed all the entries in HJT

    Rebooted in safe mode and those two files did not exist in the System32 folder

    CCleaner

    The application error is no longer appearing

    Here are the new logs.
     

    Attached Files:

  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes they do! You still did not do what I requested in message # 7. And I stated that you would not be able to do my next steps unless you did.
     
  12. the7yearplan

    the7yearplan Private E-2

    I thought that I had unchecked "hide system files". I must have misclicked.

    bvkh.dll was still not there however after I fixed that. I searched the entire drive and did not find that file anywhere.

    qsmwnjqs.ini was there and has now been deleted.

    No pop ups yet today.

    Here are the updated logs:
     

    Attached Files:

  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! That means HJT was able to delete the file when it fixed the O2 BHO line.


    Your logs are clean. If you are not having any other malware problems, it is time to do our final steps given below. You need to get this PC properly protected and that is covered in step 10 below.
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix, you can delete the ComboFix.exe file, C:\ComboFix folder, C:\QooBox folder, and the C:\combofix.txt log that was created.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    5. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    6. If we had you run Avenger, you can delete all files related to Avenger now.
    7. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    8. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created
    9. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
     
  14. the7yearplan

    the7yearplan Private E-2

    Thank you very much for all the help. I will talk to the IT guy when he returns to get these computers up to snuff security wise.
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. You should read the How to protect thread anyway for your own education!
     
