pop-ups, trojans, virus; requesting help

Like others in this forum, my machine has been compromised. It appears that trojan.dropper and trojan.vundo (spelling?) have been causing problems, as well as a program called outerinfo (and probably others???). I have attempted to follow the READ & RUN ME FIRST sticky instructions, but have had some problems that I feel warrant an immediate post. I have followed all instructions listed in step one of the sticky, except for the very last part (run CCleaner on each account). At first, I just had pop-up problems. Then Symantec's autoprotect function became permanently disabled. Then a missing DLL file error window started popping up at boot-up. Now, as I try to run CCleaner on all accounts, some of my user accounts will boot up, but no icons (or start menu) will be visible--just wallpaper and a mouse pointer. Since I cannot run CCleaner on these accounts, I thought maybe I should just post my problem and politely request some help. Some other obvious symptoms include: very, very slow running computer, apparently high CPU usage, and no matter how many times I run Symantec and SpyBot, the viruses always seem to come back. I downloaded a vundo fix program from Symantec, which helped temporarily. The computer is now disconnected from the internet (and my network); my attempt to isolate the machine and stop the infections. I can reconnect anytime if necessary. Any suggestions?

 

Thank you for the reply. I trudged through the process today, having to reboot many times (when I had no icons or when system just locked up).

Okay, here is what I have done:
1) I think that all house cleaning and setup has been performed on at least one user account. Some items on the list I was able to perform on all user accounts, others I was not not.
2) Downloaded and/or ran the following tools in this order:
CCleaner, SpyBot-S&D, Symantec (AV program that was already installed on the machine), Virtumonde aka Trojan Vundo Removal tool, combofix.exe, and MGtools.exe.

Results:
1) SpyBot and Symantec both identified Vundo on the machine I deleted the files that these programs isolated as associated with Vundo.
2) Ran Virtumonde aka Trojan Vundo Removal. Apparently removed problem files (VundoFix.txt attached).
3) Ran combofix.exe and MGtools.exe; associated files attached (ComboFix.txt and MGlogs.zip). An error window popped up while MGtools ran, but I didn't make note of what it said and MGtools appeared to finish its processes.
4) Most of the problems listed in my original thread seem to be fixed. However, the Autoprotect funtion on Symantec is still disabled and cannot be enabled. When I attempt to enable Autoprotect, the error messgae reads "Symantec AntiVirus Autoprotect failed to load".

Forgive me for being paranoid, but I'm not convinved I'm in the clear yet, especially since Symantec is not functioning properly. Please let me know what you think after reading over the attached files. Problems began to manifest about two weeks ago (Thanksgiving week).

Thanks in advance!

 

Thanks for your quick and helpful reply!

I have followed the steps that you lsited in your previous post:
1) Uninstalled Java - no apparent problems.
2) Ran HJT as suggested. However, I could not select the two lines that begin with 09 because I didn't see them. The other lines I found, selected, and fixed.
3) Ran Disable/Remove Windows Messenger - selected option to remove from machine, no apparent problems.
4) Downloaded/ran Avenger as instructed - no apparent problems (log file attached).
5) Installed current version of Sun Java. I forgot to install this after running Avenger (as instructed). In fact, I did this step last. Is that OK? No apparent problems.
6) Run Ccleaner - no apparent problems.
7) Run GetLogs.bat - (log file(s) attached). An error message came up again when running. This time I wrote it down: It said: "ProcessDLL.exe - Application Error. The application failed to initialize properly (0xc0000135). Click on OK to terminate application." I don't know what this means exactly, but thought I should include it.
8) Norton still cannot load Autoprotect. I will uninstall and reinstall as instructed ... or I may switch to a better AV program, as suggested. I can take care of this on my own - I just didn't know if it was the work of some kind of Malware.

I am back online and things seeme to be going well so far. However, I will cautiously wait for your response after you have time to look things over.

Thanks again!

 

My computer appears to be back to normal -- I no longer hesitate to connect the network cable! I have already been working on the "How to Protect Yourself ...." link that you supplied.

I do have one quick quesiton:
In your original post you mentioned that I may have to clear out the other accounts on the computer separately. The other accounts seem to be working properly now, but you are the expert: Since the logs were clean, does that mean the whole computer is clean or just the one account that I've been working in? I'm just trying to be thorough.

Once again, Thank you!

 

Alright, I ran GetLogs.bat and attached the MGlogs.zip file ... and actually, I noticed one pop-up while navigating to the MG website. So I suspect that this computer may still be compromised. Please let me know what you find when you have a chance to look the logs over.
Thank you.

 

I ran combofix and getlogs. The log files are attached. Things seem better for this account -- no more pop-ups. Please let me know how the logs look when you have time.
Assuming that the logs are now clean, I'd like to do the same for the last two user accounts on this machine. Is that alright?
Thanks.

 

I have carried out the steps you listed, with no apparent problems. I have attached the MGlogs from the current account that we have been working in, but titled it MGlogsOLD to reduce confusion. This account now appears to be working properly.

Then, I went to the next account and followed the steps listed in post #10, as instructed. I attached the combofix log as well as the new MGlogs file that resulted from running GetLogs.bat. The logs for this new account are titled MGlogsNEW.

So, to recap:
1) MGlogsOLD is from the current account that we have been working in.
2) MGlogsNEW and the combofix log are from the new account that we have not yet worked in.
I renamed the MGlog.zip files to reduce confusion and because I thought the new file might overwrite the old file if I didn't change its name.

I look forward to your analysis of the log files. Thank you.

 

One more account that was having trouble. I ran combofix and GetLogs.bat. Files attached. Let me know how they look when you have time.

 

Awesome!
No more issues.
You have been so incredibly helpful! Thank you for seeing me through to the end. I registered with MG to fix my problem, but I'm a fan ... I think I'll stick around!

thankyouthankyouthankyouthankyouthankyouthankyou....