Lots of trojan problems

Discussion in 'Malware Help (A Specialist Will Reply)' started by dfoster67, Sep 23, 2006.

  1. dfoster67

    dfoster67 Private E-2

    Okay, I've now spent the past 24 hrs going through the entire Read This process, and tried to follow it to the letter. A bunch of stuff still seems to be sticking around, so here are all the log files.

    Just FYI, I'm running a Gateway Tablet PC. The problem seems to have started in a small way on the 19th, but I got majorly slammed on the 21st around 11am. I had already cleaned out about 1000 files before going through this whole process clean.

    I've attached all the logs, plus my notes from the result of Spybot Search and Destroy, please let me know what I should do next.

    Thanks,

    Doug
     


  2. dfoster67

    dfoster67 Private E-2

    Here are the remaining log files
     


  3. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Download
    - Pocket Killbox
    - ExplorerXP

    Follow the directions for:
    - Look2Me VX2 Removal
    - Qoologic Removal Procedure

    Copy the contents of the below quote box to Notepad; Save As FixReg.reg to your Desktop. DO NOT run it at this time; we will do that later in Safe Mode.
    Close Notepad.

    Run HijackThis. Click the 'Do a system scan only' button. Place a checkmark in the box next to the following lines:
    Click on the 'Fix checked' button. Wait for HijackThis to finish; close HijackThis.

    Now run Pocket Killbox:

    Choose Tools -> Delete Temp Files and click Delete Selected Temp Files

    Then after it deletes the files click the Exit (Save Settings) button.

    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    Now boot into SAFE MODE

    Locate FixReg.reg on your Desktop. Double-click on it and answer 'Yes' when asked if you want to merge with the registry.

    Open ExplorerXP navigate to and DELETE the following: (Some of these may have already been deleted by Pocket Killbox)
    Now run CCleaner. If you have Windows XP delete the contents of C:\WINDOWS\Prefetch.

    Then, as an added precaution, Go to Start -> Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    REBOOT to Normal Mode.

    Post a fresh HijackThis log.

    Be sure to tell me how your computer is running.
     
  4. dfoster67

    dfoster67 Private E-2

    That seems to have done it.
    I'll spend more time tomorrow running a few scans to see what they find.

    I had already done a couple scans and fixed one or two things so some of the files listed weren't there to delete, but other than that it all worked.

    Here is an updated HJT log.

    I did not fix one of the trusted sites, because it is a known site that I need for a Microsoft CRM project I am working on with a client.

    Web browsing seems to be fine with no pop-ups so far, my home page is back now as my default, and it is fast again.

    The only question I have at this point is that I had just run a BitDefender scan before I got your post (logfile attached). It was still showing two trojans in my system restore directories. Do I need to worry about that? Or, will that be fixed once we reset the system restore points?

    BD also showed some weird stuff in an old Outlook archive I have. I never go in there, but don't want to kill the file if possible. Should I be concerned about that? It just has some old e-mails that I might need in the future.

    Thanks a ton for all the help. I'll play with things a bit more tomorrow and make sure everything is working.

    Doug
     


  5. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Your HijackThis log is clean.

    If you need that site in the Trusted Zone, then yes, keep it there. Normally you don't want sites in the Trusted Zone, since malware can take advantage of the Trusted Zone.

    The stuff in your archived Outlook PST cannot be activated unless you access the email and open the infected attachment. BD identifies it as Exploit.Iframe.Vulnerability, which is not an infection, but an informational alert to a vulnerability.

    Let's flush all your restore points and create a new clean one for your system.

    Disable And Enable System Restore
    How to Protect yourself from malware!

    Safe surfing.
     
  6. dfoster67

    dfoster67 Private E-2

    Got it all. System seems to be running fine. Yahoo! Thanks a ton!

    It has some problems shutting down, though. Like an error saying that ccApp failed to close, and then one "system beep" type of sound as it is shutting down. Probably not malware, but just some junky pre-loaded stuff that's gone bad. Any ideas how I start tracking that down, or is there a different forum for that? I don't want to take up bandwidth in the wrong spot.

    This was a HUGE help, thanks so much. I'm going through the process of reading up on what I need to do to protect my system a bit better, and will probably be adding a better firewall/AV software package to help.
     
  7. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Sometimes Windows has a hard time shutting things down. Norton can hang quite often at shut down. If Norton continues to hang you may have to uninstall it and then install Norton again after a reboot.

    Yes, it would be best to post this sort of issue in the Software Forum. There are several smart people there who can help you sort out problems with software.
     
