
Cannot figure out what this virus is, or where it's hiding


DieAGator
11-17-2011, 04:13 PM
Symptoms:

Every few minutes IE opens with a link to some new website. This one I'm looking at appears to be a Stainmaster ad. Every now and then an outlook express email pops up pre addressed to something to do with Craig's List.

I have run MSE, Kaspersky Online Scanner, and SuperAntiSpyware. Each caught and supposedly disabled/erased threats but I still have the same problem.

It would be nice to know what I'm infected with so I can turn to google for a little help.

Thanks.

orangeblueorangeblue
11-17-2011, 04:15 PM
dl this:

http://download.cnet.com/Trend-Micro-HijackThis/3000-8022_4-10227353.html

Post the log here (or alternately http://www.bleepingcomputer.com/forums/forum22.html)

helix139
11-17-2011, 04:33 PM
As OBOB says, post your hijackthis log. For 90% of virii, the below will take care of the problem:

Boot in safe mode with networking, get yourself a copy of RKill, then run that, and full scans of MSSE and Malwarebytes Anti-Malware while in safe mode.

orangeblueorangeblue
11-17-2011, 04:58 PM
rKill is great for the really pesky ones, but helix brings up a good point:

have you booted into safe mode prior to a scan?

DieAGator
11-17-2011, 05:02 PM
Feeling brilliant helix, completely forgot to run MSE, etc in safe mode.

So, downloaded rkill and hijack this, will reboot in safe mode and run them.

Thanks.

orangeblueorangeblue
11-17-2011, 06:01 PM
HijackThis gives insight into what programs & services are running, so don't run that in safe mode.

DieAGator
11-19-2011, 09:50 AM
After running in safe mode twice, ran MSE, SUPERantispyware, and Malwarebytes anti malware, I still have the problem. It's not that bad, every few minutes Explorer opens with some kind of ad already cued up- a lot pointing to sites through search engine blinx(?). I'm just troubled that between MSE, SAS, MBAM I couldn't get rid of it.

Thinking about doing a 30 day trial on Norton then running in safe mode again to see if it gets picked up. Any other programs I could try?

I may have to post my log files but never have had to before, always fixed viruses without so much work. This one is pretty subtle, not too annoying, and I guess well hidden.

umcpgator
11-19-2011, 11:14 AM
Also try I.E.'s no add-on mode and see if it keeps happening. If it doesn't happen again, go through your list of add-ons and uninstall the add-on.

http://blogs.msdn.com/b/ie/archive/2006/07/25/678113.aspx

helix139
11-19-2011, 11:33 AM
Just a thought, but try setting your homepage for IE to about:blank and see if it loads up anything. It could just be pointed to some ad server. Also try running RKill as it will check your hosts and eliminate any proxies that the malware set up. Also, try doing a system restore to a date before the problems started happening.

If none of those anti-malware solutions you already tried found something, Norton is certainly not going to. I'd just go ahead and post your log.
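The hosts-file and proxy checks helix139 mentions can also be done by hand, offline, on a clean machine. The following is an added example, not code from the original thread and not part of RKill: copy C:\Windows\System32\drivers\etc\hosts off the infected laptop (a flash drive, as used elsewhere in this thread, works), export the IE proxy settings with `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" ie.reg`, and feed both files to the functions below. The sample hosts file and .reg export embedded here are constructed; the 203.0.113.x addresses and the proxy port are placeholders.

```python
"""Offline triage of a copied hosts file and a .reg export of IE's
Internet Settings key, looking for the redirect and proxy hijacks
described in the thread. Sample inputs below are constructed."""
import ipaddress
import re

# Constructed hosts file: two AV vendor sites blackholed, two search
# sites redirected. 203.0.113.0/24 is a documentation range.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.malwarebytes.org
127.0.0.1       superantispyware.com
203.0.113.7     www.google.com      # redirect to an attacker host
203.0.113.7     search.yahoo.com
"""

# Constructed .reg export of the per-user Internet Settings key.
SAMPLE_IE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000001
"ProxyServer"="http=127.0.0.1:8118"
"AutoConfigURL"="http://203.0.113.7/proxy.pac"
"ProxyOverride"="<local>"
"""

BENIGN_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Yield (address, hostname) pairs, skipping comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        address, *names = line.split()
        for name in names:
            yield address, name.lower()


def suspicious_hosts(text):
    """Flag every hosts entry that is not a plain localhost mapping.

    Two patterns are typical of this kind of infection: an AV/update site
    pointed at loopback so the tool cannot reach its server, and a popular
    site pointed at a non-loopback address so the browser lands on the
    attacker's server. Ad-blocking lists also add loopback entries, so
    review the hits rather than treating each one as malicious.
    """
    findings = []
    for address, name in parse_hosts(text):
        if name in BENIGN_NAMES:
            continue
        try:
            addr = ipaddress.ip_address(address)
        except ValueError:
            findings.append((address, name, "unparseable address"))
            continue
        reason = ("name blackholed to loopback" if addr.is_loopback
                  else "name redirected to non-loopback address")
        findings.append((address, name, reason))
    return findings


REG_VALUE = re.compile(r'^"(?P<name>[^"]+)"=(?P<val>.*)$')


def parse_reg_values(text):
    """Parse the "name"=value lines of a .reg export into a dict.

    dword values become ints and quoted strings are unescaped; any other
    type (hex:, expand strings) is kept as raw text.
    """
    values = {}
    for line in text.splitlines():
        m = REG_VALUE.match(line.strip())
        if not m:
            continue
        name, val = m.group("name"), m.group("val")
        if val.startswith("dword:"):
            values[name] = int(val[len("dword:"):], 16)
        elif len(val) >= 2 and val.startswith('"') and val.endswith('"'):
            values[name] = val[1:-1].replace('\\\\', '\\').replace('\\"', '"')
        else:
            values[name] = val
    return values


def suspicious_proxy(text):
    """Report an enabled proxy or a PAC URL that the user did not set up;
    either one lets malware route or rewrite every browser request."""
    v = parse_reg_values(text)
    findings = []
    if v.get("ProxyEnable") == 1 and v.get("ProxyServer"):
        findings.append("proxy enabled: " + v["ProxyServer"])
    if v.get("AutoConfigURL"):
        findings.append("PAC script configured: " + v["AutoConfigURL"])
    return findings


if __name__ == "__main__":
    for hit in suspicious_hosts(SAMPLE_HOSTS):
        print("hosts:", *hit)
    for hit in suspicious_proxy(SAMPLE_IE_REG):
        print("proxy:", hit)
```

To use it on real files, read the copied hosts file and the exported .reg (which `reg export` writes as UTF-16) and pass the text in place of the samples. A clean XP/7 hosts file contains only the localhost lines, and a home machine normally has ProxyEnable=0 and no AutoConfigURL, so anything this reports is worth explaining before the next scan.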

DieAGator
11-28-2011, 12:17 PM
So, I thought I had it taken care of with MSE, SUPERantispyware, and Malwarebytes in safe mode, plus MSE found a couple items out of safe mode and supposedly dealt with it. Then a couple days ago I got hijacked by one of those programs which tries to get you to purchase protection. No idea where this stuff is coming from but have the feeling I never got rid of the IE redirect bug and it eventually got me to a site that downloads code. I really have no idea what possible site I would have picked it up from. Was looking for some MMA rebroadcasts recently and some of those "justin.tv" type sites are suspicious.

So anyway, the hijack bug was even running in safe mode. What is that fake XPSecurity2012 virus, anyone have any experience?

So, from another computer I downloaded a copy of norton 2012 90 day trial onto a flash drive and installed that on my laptop and hoping it cleans this up.

I was surprised the hijack virus was running itself in safe mode. Yikes, hope I can get this nonsense to disappear.

DieAGator
11-28-2011, 12:19 PM
If none of those anti-malware solutions you already tried found something, Norton is certainly not going to. I'd just go ahead and post your log.

They found issues all right but couldn't clear them out. Trying Norton because it always worked for me before on these kind of issues. OTOH, so has Kaspersky and an online scan with it didn't cure it either. Next step if Norton fails is log file post. However, I thought I ran the log file program and it didn't actually produce a log file like I've seen before, so we'll see on that.

Not too confident in Norton here because I'm about half way through the scan and it hasn't registered a problem.

vaxcardinal
11-28-2011, 09:30 PM
Maybe try ESET...they have an online scanner for free

umcpgator
11-28-2011, 10:44 PM
If you are using a browser other than IE, such as Firefox or Chrome, do you still have the same problems? You might want to narrow down if the browser is hijacked or if something else is going on.

HALLGATOR
11-29-2011, 11:05 AM
If I understand you correctly you have both Security Essentials and Norton anti-virus installed at the same time. If this is true you need to take one of them off, as that can cause you additional problems. You may have a rootkit or another new strain of bug. You can post the log OBOB mentioned and someone may be able to find something, or you can go to a site that has forums dedicated to helping people. The problem with posting a log in this forum is you have too many varying suggestions as to what to do, and that can be confusing. Not that people are giving you bad advice necessarily, but it is much easier when you are on a forum where only the person helping you, or someone else he/she requests, can give directions.

orangeblueorangeblue
11-29-2011, 11:13 AM
Based on what I'm reading, I don't believe it's a rootkit.

HALLGATOR
11-29-2011, 11:25 AM
It may not be; I haven't researched it at all. I was just throwing that out as a possibility of why he is having trouble getting rid of it. I am not as up to date on things as I was.

DieAGator
11-29-2011, 02:00 PM
Right Hall, pretty sure I am only running one av/malware program at a time.

Well, I don't know what program initially took over but it was redirecting and seems a bit harmless but my guess is it eventually probably hits a site that uploads something. I'm still dealing with it, running AV programs in safe mode but it's going to take some help.

It has shut my internet down so anything I do from here online means working between this one and my laptop with a zip. It would be interesting to know why it seems immune to discovery/inoculation.

I expect to try and clean it up with help from bleepingcomputers, save all the files I need, then reload Windows.

Is it true that a Mac is much harder to hack and almost immune to viruses?

helix139
11-29-2011, 02:30 PM
My thought is that the AV/anti-malware solutions are removing the virus, but there is something in your internet or computing practices that brings it back (or something similar). It should not be running in safe mode, unless it is perhaps something that has altered your hosts file or some other system file. Have you tried RKill in safe mode? See if it turns up and kills anything, and then run your scans.

Macs have fewer viruses designed to operate on them at this point but are certainly not immune from hacking, phishing, malware, etc, and the trend is that Mac malware is on the rise as ownership has increased, and at this point Mac has fewer options for defense. If you really want something that is and likely will remain virtually free of malware, go with a Linux build.

The real key is simply using safe computing practices as your primary source of protection no matter what O/S you choose to use. My AV/Anti-malware software is my last line of defense. My eyes and brain are my first, and it is extremely rare that something gets through them. In the extremely rare event that it does (I can count the number of malware alerts I have gotten over the last 10 years on 1 hand), I'm stl

DieAGator
11-29-2011, 03:33 PM
My thought is that the AV/anti-malware solutions are removing the virus, but there is something in your internet or computing practices that brings it back (or something similar).

No, has not been removed since infected and all the AV/AM software has been unsuccessful.

It should not be running in safe mode, unless it is perhaps something that has altered your hosts file or some other system file. Have you tried RKill in safe mode? See if it turns up and kills anything, and then run your scans.

Yup, running in safe mode but only on my account, but not on the administrator account. Nonetheless, cannot remove either way. Thought that was unusual. Maybe it did alter some files.

Interestingly, in either account it will let me run all av/am except StopZilla, which it blocks. Is that an indication it's "afraid" of SZ? I wish I could download onto a zip drive then try and open that way but I imagine the hijack software will still just stop it from executing.

helix139
11-29-2011, 03:45 PM
No, has not been removed since infected and all the AV/AM software has been unsuccessful.

Yup, running in safe mode but only on my account, but not on the administrator account. Nonetheless, cannot remove either way. Thought that was unusual. Maybe it did alter some files.

Interestingly, in either account it will let me run all av/am except StopZilla, which it blocks. Is that an indication it's "afraid" of SZ? I wish I could download onto a zip drive then try and open that way but I imagine the hijack software will still just stop it from executing.

You need to run safe mode and your AV/AM programs on the administrator account. That is a likely reason why the software is failing to remove the malware. If that isn't the reason, the fact that the MW is still running in safe mode is, and RKill will be able to terminate it. If for some reason RKill won't run, try downloading one of the alternately named versions. Boot into admin safe mode, run RKill to kill any malicious processes, services, etc. that are running, and then run your AV/AM. Let us know how that works.

Re: stopzilla, that could indeed be something that the MW is afraid of, and might be worth a shot in admin safe mode after running RKill if the above fails.

orangeblueorangeblue
11-29-2011, 10:01 PM
I have seen and fixed this particular virus and I will say it was a bit more complicated than most.

RKill will get you there, take that advice. RKill + Malwarebytes IIRC handled this, and I rarely even have to go into safemode when delousing someone's machine.

orangeblueorangeblue
11-29-2011, 10:01 PM
- it was a variant, to be clear, not the exact virus.

gatormoe1
11-30-2011, 10:50 AM
Did you try backing up your data and doing system restore?

Or you may want to try backing up your data and just doing a clean install. You will get a fresh new system and you can start from scratch.

If what obob and helix says does not work for you, I would do one of the above. If system restore doesn't get rid of the problem, go for a clean install.

umcpgator
11-30-2011, 09:30 PM
Are you having problems similar to this?

http://www.tomshardware.com/forum/241642-44-delete-blinkx
http://answers.yahoo.com/question/index?qid=20110227200656AAMt8Sl

secgator
12-16-2011, 01:38 AM
I just posted in Swamp Gas about picking up what sounds similar to this virus, while visiting a Denver Bronco forum. First time a few days ago when I clicked a link posted in SG thread directing me to Denver forum--within minutes my browser was hijacked and it disabled both my Malwarebytes and MSSE. Couldn't do anything with either one. I kept getting those fake warnings about needing to purchase antivirus software because my system was infected, etc. Went to my wife's desktop to get more info and eventually had to boot up in safe mode--and downloaded Microsoft Security Scanner which picked it right up and cleaned it out with no problem.

Well, earlier tonight I went to a couple of different Denver forums and again--I caught essentially the same virus within a few minutes of being there. That is when it hit me about the common site both times--a Denver Bronco forum site. That was the ONLY site (outside of GC) I had been to both times I got hammered with this nasty virus. Took me quite a while tonight to finally be able to get into safe mode, but even then--this virus was working while in that too!! Tonight what saved me was doing a system restore and everything seemed to go away, as I was finally able to get back online with my browser and both MSSE and MalwareBytes were functional again.

Needless to say, once I was back up and running tonight--I still downloaded the Microsoft Security Scanner and ran it to be on the safe side--sure enough it found 3 infected files and cleaned them up. And of course, I ran both MSSE and MB again and found nothing so I think it is clean again. I am a firm believer in both MSSE and MB, and haven't had any problems up until this week. What I did learn the first time this week however was some of the reviews of the Security Scanner from Microsoft were very high on it being better than most at picking up things which most of the others DON'T pick up. Maybe just luck on my part, but for me--it DID pick things up my others didn't.

Oh yeah...no matter how great Tebow does the rest of this season or his friggin career--NO WAY I will ever go back to a Denver Bronco forum. Two nasty bugs on two visits are enough for me.

DieAGator
01-21-2012, 01:02 PM
Just getting back on this. Once I realized I was likely going to have to reload Windows I just put it down for a while and recently got around to restoring that laptop. I can't believe there's a company out there that presumably makes money hijacking computers. At any rate, appreciate the help, that one just got out of hand and I was unable to confidently remove via established procedures.

One thing I've noticed is that I've never been able to restore to previous configurations, not sure why. But now I try to set system restore points at the first of every month. Previously I had not set any restore points, thought the computer/software did that for me- my computer always showed restore points on the system restore calendar but always failed.

At any rate, I saved my files to an external drive, reloaded Windows, and back in business on that laptop.

HALLGATOR
01-22-2012, 11:21 PM
The business of distributing infections, hacking accounts, and the like is not limited to one company. It is a highly lucrative form of lowbrow business that is worldwide in scope. I have read in the past of people who make a stunning amount of money doing it.

orangeblueorangeblue
01-24-2012, 07:16 AM
It's all about volume and averages.

Spam converts at like .001%, but when it does it's lucrative and, of course, you have access to someone's credit card.

The fake anti-spyware software has an even higher conversion rate.

Given fake AV’s status as a reliable cash cow, the industry is likely to bounce back rapidly. Fake AV is extremely profitable, in large part because it is easily franchised.

Individual affiliates can quickly make a lot of money. Fake AV distribution networks pay affiliates between $25 and $35 each time a victim provides a credit card to pay for the junk software.

More importantly, fake AV affiliates can outsource the majority of their work. Damon McCoy, a researcher at the University of California, San Diego, has been studying the fake AV industry. He found that fake AV can be massively profitable when installed via pay-per-install (PPI) programs. PPI networks contract out the deployment of the malware to affiliates who get paid per one thousand installs (the payment rate varies with the geographic locations of the victim PCs).

McCoy said fake AV affiliates can purchase 10,000 installs of their scareware programs very cheaply. “For 10,000 installs, [the PPI networks] will charge you normally about $900, but if you squeeze them a bit they will go down to $750,” McCoy said.

In an analysis of the fake AV industry released last month, McCoy and other UCSD researchers discovered that fake AV affiliates can expect that one out of every 50 people who have fake AV installed on their systems will pay for the software.

The good news (from the same article), is the fake AV industry is getting squeezed:

http://krebsonsecurity.com/2011/08/fake-antivirus-industry-down-but-not-out/

biomedgator
01-27-2012, 09:10 PM
This forum is awesome. Helped me clean one of those fake virus protection malwares a couple of weeks ago.