Today when I started browsing I got the following pop-up over and over:
"Your PC is infected by trojan win32/Qoologic
It's dangerous for your system (Critical files can be lost!)
Click OK to download the antispyware programs to clean
your system (Recommended)!"
I believe that my son may have allowed an install of an active-x to try to view a video on the internet last night - then got the pop-up and just shut down the computer -
I closed the pop-up and tried to scan with Norton security (free install on this computer) - found only some cookies which were removed (they come back all the time)
Pop ups would not stop appearing - found this site and followed the instructions - attaching the logs - note that AVG found lots of stuff, but no log file was created - I may have repaired before saving the log
So far after rebooting from the CCleaner step I have seen no further pop ups.
Did this clean the system? If not, what is the next step?
Thanks
David
#1
Bronze Member
Join Date: Dec 2007
Posts: 10 PC Experience: Experienced
#2
Senior Security Analyst
Join Date: Jun 2006
Location: Victoria, Australia
Posts: 6,867 PC Experience: Elite PC Guru
You are using an outdated version of HijackThis. Please uninstall from Add/Remove programs, and delete your current version.
Please download HijackThis to your desktop.
http://www.trendsecure.com/portal/en...HJTInstall.exe
Alternate link: http://download.bleepingcomputer.com...HJTInstall.exe

This program will help us determine if there is any spyware/malware on your computer.

Double-click on the file you just downloaded. Click on the "Unzip" button to install. It will by default install to the directory C:\Program Files\Trend Micro\HijackThis

Upon install, HijackThis should open for you. Should it not open, navigate to C:\Program Files\Trend Micro\HijackThis and double click on HijackThis.exe

1. If it gives you an intro screen, just choose 'Do a system scan and save a logfile'.
2. If you don't get the intro screen, just hit Scan and then click on Save log.
3. Post the hijackthis.log file here.

Do not fix anything in HijackThis since they may be harmless.

===================================

Download SDFix from here and save it to your desktop.

Please then reboot your computer in Safe Mode by doing the following:
Restart your computer;
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter";
Choose your usual account.

In Safe Mode, right click the SDFix.zip folder and choose Extract All. Open the extracted folder and double click RunThis.bat to start the script. Type Y to begin the script.

It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot. Press any Key and it will restart the PC.

Your system will take longer than normal to restart as the fixtool will be running and removing files. When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.

Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt (Report.txt will also be copied to Clipboard ready for posting back on the forum). Finally paste the contents of the Report.txt back on the forum.

=========================================

This will help to identify malware on your system. Please download Combofix from any of these locations: Here or Here

Save ComboFix to the desktop and please ensure that you disable realtime security/virus programs that monitor your PC while CF is running.

1. Double click on combo.exe & follow the prompts.
2. When finished, it will produce a logfile located at C:\ComboFix.txt.
3. Copy and Paste the contents of that log in your next reply with a new hijackthis log. Do not use Code or html unless asked for.

Note: Do not mouseclick combofix's window while it is running. That may cause your system to stall/hang.

Caution...Never run and remove files using ComboFix without being supervised by a security analyst.
__________________
My real name is Eddy
#3
Bronze Member
Join Date: Dec 2007
Posts: 10 PC Experience: Experienced
Thanks for the reply Pancake - Here is an updated HJT log -
I have not taken the other steps recommended because after doing the initial steps previously described, the outward indications of the malware have completely disappeared - I know this does not necessarily mean I am clean, but am concerned about loading more and more things.
Can you determine from the HJT log if I need further work on this issue?
Thanks in advance for your reply
David
#4
Senior Security Analyst
Join Date: Jun 2006
Location: Victoria, Australia
Posts: 6,867 PC Experience: Elite PC Guru
Ok. It's not a wise choice but it is your decision. My personal knowledge of this virus is that it still leaves active files on your system and would advise continuing on with the cleanup.
__________________
My real name is Eddy
#5
Tech Member
Join Date: Feb 2006
Location: coastal Rhode Island
Posts: 4,633 PC Experience: More Stubborn than any PC
Originally Posted by DrD
Dr.D--that is a nasty little bug--
I second that you should follow up on cleanup... Pancake is very good-- he will remove all traces without further problems.
If you'll notice ... the ASAP and Unite links at the bottom of his posts-- these are respected Certifications in Malware removal circles.
Just My 2 Cents worth.
__________________
Friedrich Nietzsche
Last edited by ih8bills; 12-31-2007 at 12:45 AM.
#6
Bronze Member
Join Date: Dec 2007
Posts: 10 PC Experience: Experienced
I downloaded and extracted SDFix and rebooted in safe mode. When I try to execute the RunThis.bat I get a very quick blue background window popping up and then disappearing.
I know a bit about scripting and .bat files, so I made a copy and edited the script to print some test text when exiting and pause for input. It looks like the beginning part of the script is jumping right to exit. Could this be because I am running Vista, and the OS checks at the start of the script are failing?
Thanks in advance
#7
Senior Security Analyst
Join Date: Jun 2006
Location: Victoria, Australia
Posts: 6,867 PC Experience: Elite PC Guru
Can you just run Combofix instead..?
__________________
My real name is Eddy