Pop ups won't stop

Discussion in 'Malware Help (A Specialist Will Reply)' started by krisisme, Jan 9, 2008.

  1. krisisme

    krisisme Private E-2

    So I normally get pop-ups coming from Speed Monitor or something like that, and it normally pops up on my IE. I used to have a lot of pop-ups, then I did some scans and remember seeing Virtumonde? I tried to get rid of it, but I'm not sure if I did or not. I used Spybot S&D, CCleaner, and McAfee and I still get the pop-ups. Not as bad, but I still do. Here is my log.
     

    Attached Files:

  2. abri

    abri MajorGeek

    Hi krisisme!
    Welcome to Major Geeks!

    Yes, you have that infection and you need to go through a special set of cleaning instructions and get help to remove it. The first part of the instructions, which you will find in the READ & RUN ME FIRST will produce 3 logs for you to attach with your next post. One of us will look at them and get back to you with a follow-up set of instructions that will allow you to remove it. The less you do on your computer and the less you reboot while we remove this infection, the faster the removal process will be completed.

    abri
     
  3. krisisme

    krisisme Private E-2

    I'm lost at the MGTools part. I double clicked it in the C:\ drive and it created a folder, but nothing else is happening.
     
  4. krisisme

    krisisme Private E-2

    I think I got this down. Here are the files.
     

    Attached Files:

  5. abri

    abri MajorGeek

    Hi krisisme!

    You do have an infection in your computer and it is not very bad yet. Do the following:

    Go back to the READ & RUN ME FIRST and find CCleaner and make sure you installed it and ran it correctly. AVG Antispyware picked up a lot of cookies that should have been gotten rid of by CCleaner. (If you already installed this, just run it again as per the instructions in the READ & RUN ME)

    Also, while you're in the READ & RUN ME, please make sure that your startup type is set to normal system start. If you're not sure how to do this, please click on the Start button and then click on Run. In the box that opens up, type in msconfig.
    A window will open up where you can see a box that says normal system start. Make sure that box is checked. If not, please check it and then click on Apply and OK.

    After you finish both of the above, go to the MGTools folder you found under C:\

    Open the MGTools folder and look for the file called GetLogs.bat.
    Double click on GetLogs.bat and allow it to run. It takes a couple of minutes and when it's finished, it says to press any key to produce a log or to close the window.

    It will produce a log that will be located in another place.

    Go back to C:\ and look directly under C:\ for a file (not a folder) called MGlogs.zip. Please attach that file to your next post.

    Thanks.
    abri

     
  6. krisisme

    krisisme Private E-2

    Here you go.
     

    Attached Files:

  7. abri

    abri MajorGeek

    Hi krisisme!

    Please do the following:

    1) We'll begin by stopping a service.
    • Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    • On the page that opens, scroll down to Symantec Core LC
    • then right click the entry, select Properties and press Stop Service.
    • When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
    • Click OK until you get back to Windows.
    • Next, run HJT (it will now be called analyse.exe and you will find it inside the MGTools folder of your root drive), but instead of scanning, click on the None of the above, just start the program button at the bottom of the choices.
    • At the lower right, click on the Config button
    • Then click the Misc tools button
    • Select Delete an NT Service
    • Copy/paste Symantec Core LC into the box that opens, and press OK
    • If you receive any error messages just ignore them and continue.
    • Now exit HJT but do not reboot when it tells you it needs to. We will do that further down after running HJT again to fix some other items.
    2) Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: BndShell3 BHO Class - {875A1348-7674-42aa-ADAC-B4F36A004A2D} - C:\Program Files\QdrDrive\QdrDrive8.dll (file missing)
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKCU\..\Run: [QdrModule9] "C:\Program Files\QdrModule\QdrModule9.exe"
    O4 - HKCU\..\Run: [QdrPack10] "C:\Program Files\QdrPack\QdrPack10.exe"
    O20 - Winlogon Notify: cbxwwvu - cbxwwvu.dll (file missing)
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

    After you click fix, just close hijackthis.


    3) If you do not use Windows Messenger (not to be confused with MSN Messenger!!) I would like you to run Disable/Remove Windows Messenger

    4) Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    5) Now run CCleaner in the default setting with the Windows tab as the active one. Do not check anything which is not already checked. After you hit the Run Cleaner button, there will be a warning that all the files will be permanently deleted. Click on ok and allow it to run. When it's finished, just close it.

    6) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip it generates along with the Avenger log.


    Let me know how things are running now.

    abri
     
  8. krisisme

    krisisme Private E-2

    When you told me to click and check the ones on HJT, this one wasn't on the list:
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

    I went ahead and did without since it wasn't on the list.

    Also, while using Avenger, there was an error:
    "Syntax error in line --- does not appear to be a valid registry path. Line will be ignored."
    "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | QdrModule9"
    "The instruction at "0x00acabb2" referenced memory at "0x00451000". The memory could not be "read"."

    And after all that it exits the program.




     
  9. abri

    abri MajorGeek

    Hi krisisme!

    Did Avenger produce a log? If so, please post it to me along with the new MGlogs.zip so I can see which things got taken care of which things not.

    Thanks.
    abri
     
  10. krisisme

    krisisme Private E-2

    No it did not produce a log, because it keeps showing up the syntax error window about qdr 9 and 10 and it exits the program without finishing.
     
  11. abri

    abri MajorGeek

    krisisme!

    1) Download and install Erunt. Use it to create a backup of your registry.

    2) Copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixme.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the fixme.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to Add in to the registry, say yes.
    3) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip it generates along with the Avenger log.


    Let me know how things are running now.

    abri
     
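The two fixes abri walked through above, the HijackThis (HJT) lines in post 7 and the fixme.reg registry script in post 11 (whose contents are not reproduced on this page), both come down to the same thing: reading what HJT reports and turning the unwanted entries into registry deletions. The script below is an added example written for this thread, not MajorGeeks' tooling and not abri's fixme.reg. It parses the O2, O4, O20 and O23 lines from post 7 (embedded as constructed sample input), flags the entries HJT marks as "(no file)" or "(file missing)" (a registration whose DLL is already gone), and emits a regedit 5.00 script that deletes the analyst-chosen HKCU Run values plus every orphaned BHO and Winlogon Notify registration. The registry paths it expands ("HKCU\..\Run" to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, which matches the path Avenger printed in post 8, the Browser Helper Objects key, and the Winlogon\Notify key) are the standard locations for those HJT sections; the function names and the choice of which Run values to remove are this example's own.

```python
import re
from typing import Dict, Iterable, List

# Constructed sample input: the HijackThis lines abri listed in post 7.
SAMPLE_HJT = r"""
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: BndShell3 BHO Class - {875A1348-7674-42aa-ADAC-B4F36A004A2D} - C:\Program Files\QdrDrive\QdrDrive8.dll (file missing)
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [QdrModule9] "C:\Program Files\QdrModule\QdrModule9.exe"
O4 - HKCU\..\Run: [QdrPack10] "C:\Program Files\QdrPack\QdrPack10.exe"
O20 - Winlogon Notify: cbxwwvu - cbxwwvu.dll (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
"""

# Full registry locations behind HJT's abbreviated section names.
HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
BHO_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"

# One regex per HJT section handled here (other sections are skipped).
PATTERNS = {
    "O2": re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$"),
    "O4": re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<value>[^\]]+)\] (?P<cmd>.*)$"),
    "O20": re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$"),
    "O23": re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<vendor>.*?) - (?P<path>.*)$"),
}

# HJT appends these when the file an entry points at no longer exists.
ORPHAN_MARKERS = ("(no file)", "(file missing)")


def parse_hjt(text: str) -> List[Dict[str, str]]:
    """Turn HJT log lines into dicts keyed by section plus the regex groups."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        section = line.split(" ", 1)[0]
        pat = PATTERNS.get(section)
        if pat is None:
            continue
        m = pat.match(line)
        if m is None:
            continue
        entry = {"section": section, "raw": line}
        entry.update(m.groupdict())
        entries.append(entry)
    return entries


def is_orphan(entry: Dict[str, str]) -> bool:
    """True when HJT reports the entry's file as missing: dead registration."""
    path = entry.get("path", "")
    return any(path.endswith(marker) for marker in ORPHAN_MARKERS)


def build_reg(entries: List[Dict[str, str]], remove_run_values: Iterable[str]) -> str:
    """Emit a regedit 5.00 script: '"name"=-' deletes a value, '[-key]' deletes a key."""
    wanted = set(remove_run_values)
    lines = ["Windows Registry Editor Version 5.00", ""]
    run_by_hive: Dict[str, List[str]] = {}
    for e in entries:
        if e["section"] == "O4" and e["value"] in wanted:
            run_by_hive.setdefault(e["hive"], []).append(e["value"])
        elif e["section"] == "O2" and is_orphan(e):
            lines += [f"[-{BHO_KEY}\\{e['clsid']}]", ""]
        elif e["section"] == "O20" and is_orphan(e):
            lines += [f"[-{NOTIFY_KEY}\\{e['name']}]", ""]
    for hive, values in run_by_hive.items():
        lines.append(f"[{HIVES[hive]}\\{RUN_KEY}]")
        lines += [f'"{v}"=-' for v in values]
        lines.append("")
    return "\r\n".join(lines)  # regedit expects CRLF line endings


if __name__ == "__main__":
    parsed = parse_hjt(SAMPLE_HJT)
    for e in parsed:
        print(("ORPHAN " if is_orphan(e) else "       ") + e["raw"])
    # Analyst's choice: the two HKCU Run values Avenger choked on in post 8.
    print(build_reg(parsed, {"QdrModule9", "QdrPack10"}))
```

Save the printed script with a .reg extension (Save as type: All Files, as abri describes) and double-click it to merge. Two points a practitioner would check first: a `[-key]` line deletes the whole key, so only orphaned registrations are handled that way here, and the HKLM Run entries for the RealPlayer and QuickTime updaters, which abri also listed for HJT to fix, are left alone by this selection; add their value names to the set passed to `build_reg` if you want them gone too.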
  12. krisisme

    krisisme Private E-2

    so far I haven't encountered any popups from IE.
     

    Attached Files:

  13. abri

    abri MajorGeek

    Hi krisisme!

    Except for the following (which I recommend) I don't see anything further wrong in your logs. We recommend taking out the Windows Messenger, because very few people use it and it is a place where malware gets into people's computers. The Microsoft messengers which are all different have such similar names, that many people confuse them.
    If you do not use Windows Messenger (not to be confused with MSN Messenger!!) please do the following: Disable/Remove Windows Messenger

    Other than that, if you're not having any further symptoms, please do our final clean-up instructions:
    abri
     
  14. krisisme

    krisisme Private E-2

    Just wanted to say thank you for taking your time to help me out.
     
  15. abri

    abri MajorGeek

    You're welcome!
    Enjoy your computer!
     
  16. krisisme

    krisisme Private E-2

    One last question. Would my problem have been solved if I had restored my computer to factory settings? Or would the infection have attached itself regardless?
     
  17. abri

    abri MajorGeek

    Hi krisisme,
    This wasn't as easy a question as expected. If you return your computer to the factory settings, yes, it would have gotten rid of all the problems. It's not clear, though, if it would have also gotten rid of everything else on your computer that you put on it as well. I'm not sure if your manufacturer offers returning the computer to the original factory settings as a solution in which your data is still protected. Normally, that will only occur if you use system restore.
    abri
     
