Plagued by Win32.Myzor.FK@yf

  #1  
Old 05-07-2006
Newcomer, in training
 
Member since: May 2006, 7 posts
Plagued by Win32.Myzor.FK@yf

My son managed to infect our desktop with this trojan-downloader and all that came with it. I have been battling it for two days without success. I followed the steps offered in a thread I saw and this is the result so far:
Scanned with e-trust - found no viruses
Scanned with bitdefender - found 2
Ran TrojanRemover and removed 2 trojan-downloader files and tracking cookies
Ran SpySweeper and found 140 traces and removed
Ran the Look2Me-Destroyer and removed
Ran the VundoFix and found nothing
Went to the how to remove Trojans, Begin2 and Coolwebsearch and found nothing when I ran AboutBuster, CWShredder, SmartKiller, AdAware and Spybot.
Followed RealBlackStuff's instructions about removing items in Safe Mode and ran Hijackthis log. Deleted items found on list and rebooted. Installed Firefox. System seemed to be okay and then "System Alert" popups returned telling me system was infected with spyware managing popups and several popups actually appeared.

Needless to say I am getting quite frustrated. Attached is my Hijackthis.txt file.
Attached Files
File Type: txt hijackthis.txt (5.9 KB, 9 views)
  #2  
Old 05-07-2006
Banned
 
Member since: Aug 2004, 25,945 posts
[B]Hello and welcome to Techspot.[/B]

[b]Boot into safe mode.[/b] See how HERE. [url]http://www.bleepingcomputer.com/forums/tutorial61.html[/url]

[b]Turn off system restore (XP/ME only).[/b] See how HERE. [url]http://www.bleepingcomputer.com/forums/tutorial56.html[/url]

[b]In Windows Explorer, turn on "Show all files and folders, including hidden and system".[/b] See how HERE. [url]http://www.bleepingcomputer.com/forums/tutorial62.html[/url]

Go to add remove programme in your control panel and uninstall anything to do with (if there).

The Weather Channel FW\Desktop Weather

Close control panel.


Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for (if there).

atmclk.exe
dcomcfg.exe
DesktopWeather.exe

Close task manager.

Run HJT with no other programmes open. Have HJT fix the following, by placing a tick in the little box next to (if there).

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

O2 - BHO: Nothing - {b0398eca-0bcd-4645-8261-5e9dc70248d0} - C:\WINDOWS\system32\hpE773.tmp

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)

O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"

Click on the fix checked button.

Close HJT.

Locate and delete the following bold files (if there).

C:\Program Files\[b]The Weather Channel FW\Desktop Weather\DesktopWeather.exe[/b]

C:\WINDOWS\system32\[b]hpE773.tmp[/b]

C:\WINDOWS\system32\[b]atmclk.exe[/b]

C:\WINDOWS\system32\[b]dcomcfg.exe[/b]

Reboot into normal mode and turn system restore back on.

Post a fresh HJT log.

Regards Howard
  #3  
Old 05-08-2006
Newcomer, in training
 
Member since: May 2006, 7 posts
Phase Two

Thanks for the welcome and the help. I followed your steps and am attaching the new HJT log. How will I be able to tell if I've cleaned every bit of this mess up? My computer seems to be running okay right now...but as you can imagine, I'm a little jittery.

Tir
Attached Files
File Type: txt hijackthissecond.txt (5.3 KB, 1 views)
  #4  
Old 05-08-2006
Banned
 
Member since: Aug 2004, 25,945 posts
Have HJT fix the following entries.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

Post a fresh HJT log please.

Regards Howard
  #5  
Old 05-08-2006
Newcomer, in training
 
Member since: May 2006, 7 posts
Phase Three

Okay had HJT fix the seven you had listed and attaching the newest log.

Tir
Attached Files
File Type: txt hijackthisthird.txt (4.9 KB, 2 views)
  #6  
Old 05-08-2006
Banned
 
Member since: Aug 2004, 25,945 posts
You still have these two entries in your HJT log.

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

Go and download these three programmes. Update them to the latest definitions and then run them in safe mode, with system restore turned off.

[url]http://www.intermute.com/products/cwshredder.html[/url]

[url]http://www.majorgeeks.com/download4113.html[/url]

[url]http://www.spychecker.com/program/aboutbuster.html[/url]

Run AboutBuster first.

Next run CWShredder.

Then run CoolWWWSearch.SmartKiller.

Run HJT and have HJT fix all R0 and R1 entries.

Reboot into normal mode and turn system restore back on.

Post a fresh HJT log.

Regards Howard

Last edited by howard_hopkinso; 05-08-2006 at 10:26 PM.
  #7  
Old 05-08-2006
Newcomer, in training
 
Member since: May 2006, 7 posts
And Yet Again

Okay, I ran About Buster, CWShredder and the CoolWWWSearch.SmartKiller and they found nothing on my system. I ran the HJT and checked all the R0 and R1 entries, rebooted and when I ran the new log, these were still there:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

Newest HJT log is attached.

Tir
Attached Files
File Type: txt hijackthisfourth.txt (4.9 KB, 2 views)
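
The log-to-log comparison done by eye in the posts above, as an added example that is not part of the original thread and not HijackThis's own code: it parses two HijackThis logs, lists the entries that survived a fix pass, and picks out the blank-valued R0/R1 registry entries. The sample logs are constructed from lines quoted in the posts, and the function names are illustrative.

```python
import re
from typing import NamedTuple

# A HijackThis scan line is "<section> - <body>", e.g. "R0 - HKLM\...,Name = data".
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")
# R0/R1 bodies are "<registry key>,<value name> = <data>"; data may be blank.
REG_RE = re.compile(r"^(?P<key>HK[A-Z]+\\[^,]+),(?P<name>.+?) =\s*(?P<data>.*)$")

class Entry(NamedTuple):
    section: str
    body: str

def parse_log(text):
    """Return the scan entries of a log, skipping header and process-list lines."""
    found = (ENTRY_RE.match(line.strip()) for line in text.splitlines())
    return [Entry(m["section"], m["body"].strip()) for m in found if m]

def persistent(before, after):
    """Entries present in both logs, i.e. ones the fix pass did not remove."""
    later = set(parse_log(after))
    return [e for e in parse_log(before) if e in later]

def blank_registry_values(entries):
    """(key, value name) pairs for R0/R1 entries whose data is empty."""
    out = []
    for e in entries:
        m = REG_RE.match(e.body) if e.section in ("R0", "R1") else None
        if m and m["data"] == "":
            out.append((m["key"], m["name"]))
    return out

# Constructed sample logs, assembled from entries quoted in the posts above;
# the attached log files themselves are not reproduced on the page.
LOG_BEFORE = r"""Running processes:
C:\WINDOWS\system32\atmclk.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: Nothing - {b0398eca-0bcd-4645-8261-5e9dc70248d0} - C:\WINDOWS\system32\hpE773.tmp
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
"""
LOG_AFTER = r"""R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
"""

if __name__ == "__main__":
    for key, name in blank_registry_values(persistent(LOG_BEFORE, LOG_AFTER)):
        print(f"still present after fix: {key} -> {name}")
```
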
  #8  
Old 05-08-2006
Banned
 
Member since: Aug 2004, 25,945 posts
You have a new variant of smitFraud.

I want you to click on this link. [url]http://www.atribune.org/ccount/click.php?id=10[/url]

It will download a file called SysProtect Remover.exe.

Simply download and run SysProtect Remover.exe. Once it is running click the "Remove Now" button and follow the on screen instructions.

Once done, please post a fresh HJT log.

I can't guarantee this will work. If it doesn't we'll have to try something else.

Regards Howard

Last edited by howard_hopkinso; 05-08-2006 at 11:41 PM.
  #9  
Old 05-08-2006
Newcomer, in training
 
Member since: May 2006, 7 posts
Again

Downloaded and ran this and these two lines are still there. New log attached.

Tir
Attached Files
File Type: txt hijackthisfive.txt (4.9 KB, 3 views)
  #10  
Old 05-09-2006
Banned
 
Member since: Aug 2004, 25,945 posts
Ok. I've just had someone fix this problem.

Go [URL=http://www.techspot.com/vb/topic47014.html]HERE[/URL] and follow the instructions in step 3 please. I have only just updated these instructions.

Post a fresh HJT after doing that.

Regards Howard
  #11  
Old 05-10-2006
Newcomer, in training
 
Member since: May 2006, 7 posts
Final I hope...

Okay, I followed the fix instructions and here is the latest HJT log. Am I clean? If so, you have my heartiest thanks! This has been an interesting learning experience. If not...what's my next step?
Attached Files
File Type: txt hijackthisfinal.txt (4.8 KB, 3 views)
  #12  
Old 05-10-2006
TechSpot Guru
 
Location: Bridgend
Member since: Nov 2003, 2,367 posts
You are completely clean. Congrats to you, and maybe a thank you to Howard would be nice.
  #13  
Old 05-10-2006
Newcomer, in training
 
Member since: May 2006, 7 posts
Thanks to all of you

Thanks, Spike, that's good to know. I was determined to try to work through this without having to wipe my hard drive. Howard made all that possible with precise and clear instructions and very timely responses to my posts. I am most favorably impressed with all of you here at TechSpot and will highly recommend this site to others who run into virus/trojan trouble. Thank you again.

Tir
  #14  
Old 05-10-2006
Banned
 
Member since: Aug 2004, 25,945 posts
I've just received your pm.

Thanks for your kind words.

Glad we could help.

Because the infection you had was a new variant, I had to do some research to find a fix that worked, hence the various instruction changes. It appears that Step 3 in my instructions finally did the trick.

I thank you for your feedback, as this will help many more members who are unfortunate enough to find themselves with the same infection.

Regards Howard
  #15  
Old 02-07-2009
Newcomer, in training
 
Member since: Feb 2009, 1 posts
Hi Howard,
I am having the same problem.
I followed the link you provided but I can't find the thread and an error message is displayed:
"No Thread specified. If you followed a valid link, please notify the administrator"
Can you please provide the steps?
Thanks a lot.

All times are GMT -4.