IE Pop Up / Mute / Hidden Ad Issue

Discussion in 'Malware Help (A Specialist Will Reply)' started by JBFC, Jul 12, 2010.

  1. JBFC

    JBFC Private E-2

    Hi -- I'm having the same problems others are having -- WAVE volume goes to 0 every couple of minutes; random IE ads despite using Firefox; and hidden audio ads. Tried my usual spyware removal programs but they didn't work. I would have followed instructions in the other threads, but I've seen warnings against that. So, can someone help me out? I run XP, Dell Studio laptop. Thanks.
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!



    Your infection is in your Master Boot Record (MBR). We need to see the below log before creating a fix.
    • Download bootkit_remover.rar
    • Click the underlined DOWNLOAD text to download the file and save it to your Desktop.
    • You then need to extract the remover.exe file from the RAR using a program capable of extracting RAR compressed files. If you don't have an extraction program, you can use 7-Zip
    • After extracting remover.exe to your Desktop, double click the remover.exe file to run the program.
    • Attach or post inline here, the output from remover.exe
    NOTE: The Command Prompt window text can be copied to the clip board by right clicking on the top bar of the window and using the Edit commands to Mark, Copy, and Paste.


    Also I need to ask some questions:
    1. Do you have any drives that have a non-Windows installation on them?
    2. Are all drives NTFS formatted?
    3. Do you have any non-standard or special MBRs? These can occur from companies like Dell or HP, who frequently install additional partitions used for recovery in lieu of giving CD/DVDs.
    4. Is any program like Grub (see: http://www.gnu.org/software/grub/) being used?
    5. Is drive encryption being used?
    6. Are any external USB pen drives or external hard drives being used?
    7. VERY IMPORTANT: Do you have all important data backed up? You really should do this before continuing since we will need to rewrite your MBR to fix this and while most times this can be done without any problem, these infections can react badly and that could result in a PC not being bootable. You really don't have much choice though since these infections are too dangerous to your security to leave on a PC.
    Now follow the directions in the below link for running MGtools. It also explains possible reasons for not being able to run MGtools.
    Attach the requested MGlogs.zip file.
     
  3. JBFC

    JBFC Private E-2

    Thank you for the response. I apologize for being an idiot -- I downloaded the Bootkit.rar, then tried to use 7-Zip to extract the file, but I keep getting a prompt that says "incorrect command line" when I try to use 7-Zip to extract it. Thoughts?
     
  4. JBFC

    JBFC Private E-2

    I think I might have figured out the Bootkit thing, although I'm not sure. Is this what I'm supposed to post? Thanks:

    Bootkit Remover version 1.0.0.1
    (c) 2009 eSage Lab
    www.esagelab.com

    \\.\C: -> \\.\PhysicalDrive0
    MD5: b19ee33a0168d5f0bb9afbe12e2bc035

    Size Device Name MBR Status
    --------------------------------------------
    232 GB \\.\PhysicalDrive0 Unknown boot code

    Unknown boot code has been found on some of your physical disks.
    To inspect the boot code manually, dump the master boot sector:
    remover.exe dump <device_name> [output_file]
    To disinfect the master boot sector, use the following command:
    remover.exe fix <device_name>


    Press any key to quit...
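
    The remover.exe output above reports "Unknown boot code" because the executable part of the sector did not match any boot code the tool recognises, and it offers a dump command for manual inspection. As an added example that is not part of the original thread and not code from either tool, the Python script below does that inspection on a 512-byte MBR dump: it checks the 0x55AA boot signature, hashes the 440 bytes of boot code against a known-good allow-list (the general idea behind a "known" versus "unknown" boot code verdict), parses the four partition entries and flags overlapping partitions or a missing active partition. The sample sector, its JMP-stub boot code, the disk signature, the empty allow-list and the partition layout (a small type-0xDE utility partition sized to the 39.19 MB Dell partition mentioned later in the thread, and a 232 GB NTFS partition) are all constructed here for illustration; the MD5 printed in the real output above is not reused.

```python
"""Inspect a raw 512-byte Master Boot Record (MBR) dump.

Added example (not from bootkit_remover or MBRCheck): parses the partition
table, verifies the 0x55AA boot signature and compares an MD5 of the boot
code against an allow-list of known-good digests. The sample MBR built by
build_sample_mbr() is constructed for this example, not a real dump.
"""
from __future__ import annotations

import hashlib
import struct
from dataclasses import dataclass
from itertools import combinations

MBR_SIZE = 512
BOOT_CODE_LEN = 440           # bytes 0..439 hold the executable boot code
DISK_SIG_OFF = 440            # 4-byte NT disk signature, then 2 reserved bytes
PART_TABLE_OFF = 446          # four 16-byte partition entries follow
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511
PART_FMT = "<B3sB3sII"        # status, CHS start, type, CHS end, LBA start, sector count


@dataclass
class PartitionEntry:
    index: int
    bootable: bool      # status byte 0x80 marks the active partition
    type_id: int        # e.g. 0x07 NTFS, 0xDE Dell Utility
    lba_start: int
    sector_count: int

    @property
    def size_mb(self) -> float:
        return self.sector_count * 512 / (1024 * 1024)

    @property
    def lba_end(self) -> int:
        return self.lba_start + self.sector_count  # exclusive


def boot_code_md5(mbr: bytes) -> str:
    """Digest of the executable region only; the partition table is excluded."""
    return hashlib.md5(mbr[:BOOT_CODE_LEN]).hexdigest()


def parse_partition_table(mbr: bytes) -> list[PartitionEntry]:
    entries = []
    for i in range(4):
        status, _, type_id, _, lba_start, count = struct.unpack_from(
            PART_FMT, mbr, PART_TABLE_OFF + 16 * i)
        if type_id == 0 and count == 0:
            continue  # empty slot
        entries.append(PartitionEntry(i, status == 0x80, type_id, lba_start, count))
    return entries


def inspect_mbr(mbr: bytes, known_good_md5: set[str]) -> dict:
    """Return the boot-code verdict plus any structural findings."""
    if len(mbr) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(mbr)}")
    findings = []
    if mbr[510:512] != BOOT_SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    digest = boot_code_md5(mbr)
    status = "known boot code" if digest in known_good_md5 else "unknown boot code"
    if status == "unknown boot code":
        findings.append("boot code MD5 not in allow-list; dump and disassemble it")
    parts = parse_partition_table(mbr)
    if sum(p.bootable for p in parts) != 1:
        findings.append("expected exactly one active (0x80) partition")
    for a, b in combinations(parts, 2):
        if a.lba_start < b.lba_end and b.lba_start < a.lba_end:
            findings.append(f"partitions {a.index} and {b.index} overlap")
    return {"boot_code_md5": digest, "status": status,
            "partitions": parts, "findings": findings}


def build_sample_mbr(second_start: int = 80325) -> bytes:
    """Constructed sample sector: a 39.19 MB type-0xDE utility partition
    followed by a ~232 GB active NTFS partition. second_start lets a test
    move the NTFS partition back so that it overlaps the first one."""
    boot_code = b"\xeb\x3c\x90" + b"\x00" * (BOOT_CODE_LEN - 3)  # JMP stub, zero padded
    disk_sig = struct.pack("<I", 0x1234ABCD) + b"\x00\x00"       # arbitrary signature
    utility = struct.pack(PART_FMT, 0x00, b"\0" * 3, 0xDE, b"\0" * 3, 63, 80262)
    windows = struct.pack(PART_FMT, 0x80, b"\0" * 3, 0x07, b"\0" * 3, second_start, 486_000_000)
    return boot_code + disk_sig + utility + windows + b"\0" * 32 + BOOT_SIGNATURE


if __name__ == "__main__":
    sample = build_sample_mbr()
    report = inspect_mbr(sample, known_good_md5=set())
    print(report["status"], report["boot_code_md5"])
    for p in report["partitions"]:
        print(f"  #{p.index} type=0x{p.type_id:02X} active={p.bootable} {p.size_mb:.2f} MB")
    for f in report["findings"]:
        print("  !", f)
```

    To use it on a real machine, save the sector with the dump command the tool prints (remover.exe dump \\.\PhysicalDrive0 mbr.bin) and pass the file contents to inspect_mbr() together with an allow-list of MD5s collected from MBRs of clean machines running the same Windows version; with an empty allow-list every sector is reported as unknown, which is why the digest is only a hint and the boot code itself still has to be read. One caveat a practitioner should keep in mind: a bootkit that hooks disk reads can hand a clean-looking sector to any program running inside the infected OS, so a dump taken from a rescue medium is the one to trust when the two disagree.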
     
  5. JBFC

    JBFC Private E-2

    Sorry -- not a bump -- forgot to answer your questions; Bootkit report is in the prior post; as to your questions:

    (1) No
    (2) I don't know what NTFS formatting means; but this is a Dell Laptop Studio I got a year ago, haven't made any changes to the hardware or anything like that; has a CD-Rom drive and USB ports.
    (3) Not sure -- how would I find this out? As I said, this is a Dell Laptop and I'm not certain whether I received CDs when I got it.
    (4) No
    (5) Don't think so -- unless this is something that came with the computer
    (6) No -- I save stuff to a flash drive but that's really it.
    (7) No, but I will.
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Attach the log I requested from MGtools and we will likely be able to tell.


    You need to do this since as stated, there is always a risk of trouble even though our current success rate is about 99.8%. ;)
     
  7. JBFC

    JBFC Private E-2

    Sorry for my screw-up; I just ran MGLogs but I'm not finding a ZIP file in the MGtools root folder; I do, however, have a bunch of .txt logs. Can I attach those .txt logs? Or do you have guidance on where I look for the ZIP file? There's a file called zip.exe but I don't think that's what you want?
     
  8. JBFC

    JBFC Private E-2

    OK, I found it. Sorry. Attached (I think).
     

    Attached Files:

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I see the below information in your logs
    The 39.19 MB Partition Disk #0, Partition #0 is likely the factory partition that Dell installed instead of doing the correct thing and giving you all the CD/DVDs you need to maintain and fix your PC when problems like this arise.

    I cannot guarantee that fixing your infection will not break the factory recovery partition, so you have a choice to make.
    1. Do you want to try fixing the infection and avoid a reset to the state you received your PC in?
    2. Or do you want to reimage it back to the way it was shipped to you from the factory?
    Either way you still need to back up your own personal data somewhere first and not on this hard disk since you could lose it. You need to save it to another drive, USB drive, or to DVDs....etc.
     
  10. JBFC

    JBFC Private E-2

    Thanks as always for the response; I'll have to give thought to breaking the factory partition. Do you mind offering your own opinion as to what the better course is?

    Also, one more question -- and this is probably the most important one for me. I am scheduled to take a bar examination on this laptop in two weeks. I have downloaded software on which to take the exam, called EXAMSOFT. I'm not exactly sure how the download works, but I believe that as part of downloading the software, certain exam files were also downloaded (which I can access when taking the test). In any event, on the ExamSoft website FAQ, in response to a question about whether "System Restore" can be used after installing ExamSoft, the answer is this: "It is best not to do so. System Restore rolls back your registry, removing important data required by SofTest. Running System Restore may invalidate your SofTest install, forcing you to re-register and redownload any exam files."

    So, my question is this: if I were to not do the system restore, but instead tried to eradicate this virus using your method, would it have the same effect on ExamSoft -- namely, would it "roll back my registry and remove important data" -- or, if successful, would your method have no effect on that? This is important because, so late in the summer, I can no longer re-download the program to my laptop, meaning I would be required to take the test by hand (not by computer), which I do NOT want to do.

    Finally, I'm giving thought to just living with the virus for two weeks, until after I take the exam, and then trying to figure it out. Is this a really stupid idea -- that is, can the virus make things significantly worse? I can live with the Wave volume going down and the clicking sound for two weeks, but can't live with it, obviously, if it causes more severe problems.

    Again, thank you for your patience and assistance. I look forward to your response.
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    My personal opinion would be to fix it since it typically works okay, and I would never personally restore to a factory shipped state myself since I would reinstall from scratch and only install what I want. However you may not have the disks to install from scratch or the knowledge to set everything back up if you did a reinstall.

    Correct about a System Restore. But you appear to be confusing System Restore and Factory Restore. A factory restore would put your PC back to the same way you had it when you first took it out of the box. Everything you put on it up to now after the ship date would be gone!!!!! A System Restore just modifies various registry entries and files in an attempt to return you to how the registry was on a particular date. The System Restore would not delete your files for this program but it would make the program unusable since to the registry, it would not really be installed anymore.

    If we fix it by repairing the MBR, there would be no effect other than removing the infection. The risk you take though is that your PC could have boot problems. It is minimal risk but it could happen. The success rate right now is over 99%. This does not mean that fixing the MBR does not have ill effects on the usability of your Factory Recovery partition. It could impact this while still allowing your PC to boot okay. It would only be in the future if you ever tried to use the recovery partition that you would know that it was broken.

    You could wait but it is potentially dangerous if you are going to use this PC doing anything that allows private information, banking/financial,...etc to be available. MBR infections are quite frequently information and password stealers. Thus you need to be very selective on how you use the PC before you finish cleaning it.

    Just tell us what you would like to do.
     
    Last edited: Jul 16, 2010
  12. JBFC

    JBFC Private E-2

    Thanks, as always, for the response. One last note, and then I think I'd like to try your fix. I hunted around a few nights back and found some CDs from Dell -- one marked "operating system already installed on your computer;" another marked "drivers and utilities;" another marked "application already installed on your computer." Does that mean I have the proper CDs to reinstall if something went wrong?

    In any event, I'd like to go ahead and try your fix; I've seen it in other threads but I don't want to do anything until I read it in this thread, since I'm not sure if fixes are customized or not.

    As always, thanks for your help.
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes it looks that way. ;)



    Now if you have important data backup up and understand the above warning - please do the following:
    • Click Start, Run then copy and paste the below into the Run box and click OK.
    "%userprofile%\Desktop\bootkit_remover\remover.exe" fix \\.\PhysicalDrive0
    • Now reboot your PC and after reboot continue with the below instructions.
    • Disable System Restore on all drives.
    • Look for the below folder and if it still exists, delete it.
      • C:\System Volume Information\Microsoft
    • If you don't see this Microsoft folder or are denied access to the System Volume Information folder, just continue on
    • Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

      Then attach the below logs:
      • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  14. JBFC

    JBFC Private E-2

    Hi -- ran the procedure. Not seeing any pop-ups and no InternetExplore.exe running in my processes folder like before. I couldn't delete the Volume Folder; access was denied. But so far so good.

    The only problem now is that when I try to attach the MGLogs.zip file, it says I've already attached it in this thread. I double clicked on it and ran the .bat file but it won't let me attach it in this thread. Did I do something wrong?

    Please let me know what further steps I should take.

    Thank you kindly for all your help.
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    This means you did not create a new log. Let's do it this way so you can be sure to create a new log. Delete your current C:\MGlogs.zip file.


    Now run the C:\MGTools\GetLogs.bat file and attach the new log.
     
  16. JBFC

    JBFC Private E-2

    I'm not sure what's going on -- I deleted the old ZIP folder. Then I ran the getlogs.bat file, the command prompt comes up for about 1-2 seconds, then disappears; but no new Zip file.
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please click Start, Run, and enter cmd and click OK. This will open a command prompt window. Enter the below commands at the command prompt each followed by the enter key. The bold black are commands. The purple is merely informational.

    cd \MGtools <-- this changes to the MGtools folder and the prompt should change to C:\MGtools>
    GetRunKey <-- this will try to run one scan from MGtools. Tell me what error messages, if any, you see.
    ShowNew <-- this will try to run another scan from MGtools. Tell me what error messages, if any, you see.
     
  18. JBFC

    JBFC Private E-2

    Thanks for the reply.

    After entering "GetRunKey" I got this message: 'GetRunKey' is not recognized as an internal or external command, operable program or batch file.

    After entering ShowNew, got this message: 'ShowNew' is not recognized as an internal or external command, operable program, or batch file.

    Thank you; will wait for further instructions; just FYI, computer still seems to be running fine, no signs of the previous symptoms.
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Let's make sure the MBR infection is still gone.

    Please also download MBRCheck to your desktop
    • Double click MBRCheck.exe to run (vista and Win 7 right click and select Run as Administrator)
    • It will show a Black screen with some information that will contain either the below line if no problem is found:
      • Done! Press ENTER to exit...
    • Or you will see more information like below if a problem is found:
      • Found non-standard or infected MBR.
      • Enter 'Y' and hit ENTER for more options, or 'N' to exit:
    • Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
    • MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
    • Attach this log to your next message. (See: HOW TO: Attach Items To Your Post )


    Now please delete the below if they exist
    • C:\MGlogs.zip
    • C:\MGtools.exe
    • C:\MGtools << the whole folder
    Now download the below and save it directly onto your Desktop

    MGtools


    Now reboot your PC into Safe Boot Mode and do the below.

    Please click Start, Run, and enter cmd and click OK. This will open a command prompt window. Enter the below commands at the command prompt each followed by the enter key. The bold black are commands. The purple is merely informational.

    cd Desktop <-- this changes to your Desktop folder and the prompt should change to show the full path to your Desktop
    MGtools <-- this will try to run all of the scans from MGtools. Tell me what happens.

    Even if it appears to get error messages, look for the C:\MGlogs.zip file and attach it.
     
  20. JBFC

    JBFC Private E-2

    Thanks. I've attached the logs you asked for (I hope). Looking forward to your response.

    Two more quick questions:
    (1) I saved some of my files to a flash drive while the computer was infected, before running your fix; is that flash drive contaminated or can I keep using it?

    (2) Do you guys have a tip jar or anything like that, paypal? The services you provide are incredible and I'd like to show a small token of appreciation.
     

    Attached Files:

  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your logs are clean, but you do need to uninstall Viewpoint Media Player which is junk/foistware from AOL.

    Also delete all files and subfolders in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    C:\WINDOWS\Temp
    C:\Documents and Settings\Sean McGrane\Local Settings\Temp\

    Now run Ccleaner. Only use the Run Cleaner button. Do not run anything else on any other forms.

    It would not hurt to plug it in and then rerun the MBRCheck program scan and attach a new log just to check if it detects anything, but my guess is it may be okay.

    No formal process exists but some of us do have PayPal accounts but that is purely optional.

    I will hold off on final instructions until I see the next MBRcheck log. ;)
     
  22. JBFC

    JBFC Private E-2

    Thanks -- did all the steps, except I can't find MBR Check on my desktop anymore. Should I redownload and run it, or can you tell me where it is in my computer now?
     
  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re-download it from the below link as the original link is currently out of service:

    MBRCheck
     
  24. JBFC

    JBFC Private E-2

    Thanks. I ran the check with the flash drive in the USB port. I tried to attach the log but it says I already attached it in this thread -- but the log I just created has today's date and time, so not sure why it's saying that? In any event, log is posted here in-line since I can't attach it. Will await further instruction:

    MBRCheck, version 1.1.1
    (c) 2010, AD

    \\.\C: --> \\.\PhysicalDrive0

    Size Device Name MBR Status
    --------------------------------------------
    232 GB \\.\PhysicalDrive0 Windows XP MBR code detected

    Done! Press ENTER to exit...
     
  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay that looks fine. You should be okay.




    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders
      related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME
        for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
     
  26. JBFC

    JBFC Private E-2

    Thank you, again, for all the help. Please post or send private message containing PayPal link so I can send a small token of appreciation.
     
  27. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome and thanks. I sent you a PM with instructions. :)
     
