Random Browser Popups

Discussion in 'Malware Help (A Specialist Will Reply)' started by twurk1703, Dec 25, 2005.

  1. twurk1703

    twurk1703 Private E-2

    I have random browser popups and have tried many adaware programs and popup blockers to get rid of it. I also have adware.look2me... I have tried the kill2me tool to remove it but it says it can't find it. I just finally got rid of a surfersidekick3 adware... for some reason when I got on my computer this morning it was full of popups and adware... don't know how it got past my firewall, popup blocker etc. If you could tell me how to get rid of the random browser loads and all the adware (my antispyware picks it up and says it removes it but doesn't.) I will attach a hijack log file.
    I had a few errors while running the hijack program. Here is one of the errors below:

    An unexpected error has occurred at procedure: modMain_CheckOther1Item()
    Error #75 - Path/File access error

    Please email me at merijn@spywareinfo.com, reporting the following:
    * What you were trying to fix when the error occurred, if applicable
    * How you can reproduce the error
    * A complete HijackThis scan log, if possible

    Windows version: Windows NT 5.01.2600
    MSIE version: 6.0.2900.2180
    HijackThis version: 1.99.1

    This message has been copied to your clipboard.
    Click OK to continue the rest of the scan.
     


  2. twurk1703

    twurk1703 Private E-2

    Also I am getting runtime errors... it says C++ runtime errors and references winlogon.exe and explorer.exe, any suggestions?
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Majorgeeks!

    Please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, running, and posting HijackThis logs as attachments.

    - Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support

    Make sure you check version numbers and get all updates.

    - Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.


    If after doing ALL of the above you still have a problem, make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:

    Downloading, Installing, and Running HijackThis

     
  4. twurk1703

    twurk1703 Private E-2

    OK I did all the stuff you said... I had this error running HijackThis:
    An unexpected error has occurred at procedure: modMain_CheckOther1Item()
    Error #75 - Path/File access error

    Please email me at merijn@spywareinfo.com, reporting the following:
    * What you were trying to fix when the error occurred, if applicable
    * How you can reproduce the error
    * A complete HijackThis scan log, if possible

    Windows version: Windows NT 5.01.2600
    MSIE version: 6.0.2900.2180
    HijackThis version: 1.99.1

    This message has been copied to your clipboard.
    Click OK to continue the rest of the scan.

    Same original error... I was able to get rid of most of the problems but my Norton antivirus keeps coming up with random adware that I have gotten rid of 10000 times with adaware, spybot, ms antispyware, etc etc but it still says they are coming back, for example adware.spysheriff is one of them... is there a program that will wipe these out for good? I will attach my most recent HJT log. Thanks :)
     


  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please follow the directions of the READ & RUN ME. Step 6 indicates two online scanners that must be run and we also request the logs for them to be posted. These steps and these logs should be completed before using HijackThis.
    Do you have any idea what the below processes are for?

    C:\Program Files\Common Files\VCClient\VCClient.exe
    C:\Program Files\Common Files\VCClient\VCMain.exe
     
    Last edited: Dec 26, 2005
  6. twurk1703

    twurk1703 Private E-2

    Ok I ran the panda and the bit defender and will attach those, I must have accidentally skipped the step.
    When I ran HJT I got this error again:
    An unexpected error has occurred at procedure: modMain_CheckOther1Item()
    Error #75 - Path/File access error

    Please email me at merijn@spywareinfo.com, reporting the following:
    * What you were trying to fix when the error occurred, if applicable
    * How you can reproduce the error
    * A complete HijackThis scan log, if possible

    Windows version: Windows NT 5.01.2600
    MSIE version: 6.0.2900.2180
    HijackThis version: 1.99.1

    This message has been copied to your clipboard.
    Click OK to continue the rest of the scan.

    I saw that in my process I have a lot of svchost.exe. I heard those were bad and I have like 6 and I cannot stop the processes.

    Also... I have no clue what the VCClient.exe and VCmain.exe processes are for... I stopped them and it didn't seem to affect my computer.

    I have gotten the random browser popups to stop through running adaware etc... but I still keep getting adware and viruses and they keep reappearing on my computer. I think I got rid of the surfersidekick virus but I could be wrong.

    Please help. Thanks - Haley :)
     


  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You should look into changing all passwords for any financial institutions you connect to. Some of the trojans you have on your system may have compromised your security.

    Did you ever install a program called DeskWizz? You should see this: http://vil.nai.com/vil/content/v_137329.htm

    Empty your MS Antispyware Quarantine folder.

    c:\windows\system32\svchost.exe is a valid process that normally runs multiple times.

    We recommend uninstalling Viewpoint Manager or other Viewpoint software. It is a waste of system resources for most people because it is never used.
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

    Did you want your default and main pages set to about:blank?
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank

    The procedure for installing and running HJT requests that you not use msconfig to control startup so we can see all potential problems. You are running msconfig:
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

    Do you need to have the below items? Are they really necessary for stuff at school to work?
    O1 - Hosts: 137.99.107.146 sbvacuum
    O15 - Trusted Zone: *.uconn.edu

    Make sure you have enabled viewing of hidden and system files per the tutorial.
    Boot into safe mode and use Windows Explorer to locate below and delete if found:
    C:\secure32.html
    C:\PROGRAM FILES\QL <--- delete the QL folder
    C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll <--- see this too -->>: Malware - Bancos.LU
    C:\Documents and Settings\mobile student\Favorites\Cool Stuff <--- delete the Cool Stuff favorites
    C:\WINDOWS\drsmartload.dat
    C:\WINDOWS\kl.exe
    C:\WINDOWS\timessquare1.dat
    C:\WINDOWS\system32\0waop2rk.dll
    C:\WINDOWS\system32\mljgd.dll
    C:\WINDOWS\system32\wvurs.dll
    C:\WINDOWS\system32\wvusp.dll

    I see you did something with:
    O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe
    O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe

    Is that what you used msconfig for? If so, after selecting Normal Startup, just have HJT fix those two O4 lines to permanently remove them. Then locate the C:\Program Files\Common Files\VCClient folder and delete it. You may need to reboot into safe mode to delete the folder after stopping the processes from loading.
     
    Last edited: Dec 29, 2005
  8. twurk1703

    twurk1703 Private E-2

    I have never downloaded DeskWizz.
    I got rid of viewpoint manager.
    I want my main page to be www.students.uconn.edu as it is.
    I need to use MSconfig due to a problem I had previously with startup.
    The items O1 and O15 are there for connecting to wireless network etc at school which I need on a daily basis.
    I deleted what you told me to except for the cool stuff favorites because that is a folder I created myself. Also the last 3 items I could not find in the system32 folder.
    I deleted the VCclient folder in the common files... I did not see the processes in HJT to fix them when I ran it.
    The svchost.exe that are running in the processes are duplicated, there are 2 running for each of the system, local service and network service... I wasn't sure if there should be duplicates. Also I ran Xoftspy which just detects and won't remove unless you buy a reg code... but it was still finding cookies and reg keys that were infected... but other spyware detectors are not finding them?
    I changed my bank passwords... any other security issues I need to worry about password wise?
    My computer seems to be running pretty normal again... but programs are still finding that it is infected... do I need to get rid of anything else?
    Do you recommend any other free programs that detect and remove spyware?
    Here is my HJT log. :eek:
    Thanks for helping so much. - H
     


  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    As I said below multiple svchost.exe processes (if running from system32 as shown in an HJT log - Task Manager is useless) are normal. I have 5 running right now. Xoftspy is junk that you don't need especially since it won't fix anything. They are better than they used to be if you have a current version but they were noted for false positives. Uninstall it and refer to this link: How to Protect yourself from malware!

    If there are any other places you log into that you would be worried about stolen passwords or info, it would not hurt you to change them for your own peace of mind.

    You need to be more specific. This does not tell me anything useful. What programs? And exactly what and where are they finding it?

    Run HijackThis and have it fix the below lines:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank

    Now we need to Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to http://students.uconn.edu/ Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like http://students.uconn.edu/ Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    Now attach a new HJT log.
     
    Last edited: Dec 30, 2005
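Added example, not part of the thread and not any poster's or HijackThis's own code: a Python triage of the two checks chaslang's replies above describe, splitting HijackThis entry lines like those quoted in the thread into fields and listing any svchost.exe that runs from outside system32. The sample log is constructed from lines in the thread plus an invented `C:\WINDOWS\Temp\svchost.exe` path; the function names, the `Entry` tuple and the `C:\WINDOWS\system32` default are assumptions.

```python
import re
from collections import namedtuple

Entry = namedtuple("Entry", "code kind target data")

# Constructed sample: the thread's entry lines plus process paths (Temp path is invented).
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Temp\svchost.exe
C:\Program Files\Common Files\VCClient\VCClient.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
O1 - Hosts: 137.99.107.146 sbvacuum
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe
O15 - Trusted Zone: *.uconn.edu
"""

ENTRY_RE = re.compile(r"^([RO]\d+) - (.+)$")                   # "O4 - <body>"
RUN_RE = re.compile(r"^HK\w+\\\.\.\\\w+: \[([^\]]+)\] (.+)$")  # "HKLM\..\Run: [name] cmd"

def parse_entries(log):
    """Split R*/O* lines into (code, kind, target, data) tuples."""
    entries = []
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue                      # header, process path or blank line
        code, body = m.groups()
        run = RUN_RE.match(body)
        if code == "O4" and run:          # autorun: value name and command line
            entries.append(Entry(code, "autorun", run.group(1), run.group(2)))
        elif code.startswith("R") and " = " in body:   # IE page setting
            key, data = body.split(" = ", 1)
            entries.append(Entry(code, "ie-setting", key, data))
        elif ": " in body:                # e.g. "Hosts: ...", "Trusted Zone: ..."
            kind, data = body.split(": ", 1)
            entries.append(Entry(code, kind.lower(), "", data))
    return entries

def svchost_outside_system32(log, system32=r"C:\WINDOWS\system32"):
    """Return svchost.exe process paths whose folder is not system32."""
    flagged = []
    for path in map(str.strip, log.splitlines()):
        folder, _, name = path.rpartition("\\")
        if (re.match(r"^[A-Za-z]:\\", path) and name.lower() == "svchost.exe"
                and folder.lower() != system32.lower()):
            flagged.append(path)
    return flagged
```

Calling `parse_entries(SAMPLE_LOG)` gives one tuple per entry line, so the autoruns, Hosts additions and Trusted Zone sites can be reviewed separately.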
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

