11-17-2011, 04:13 PM | #1 | Gator Country Gold | Join Date: Apr 2007 | Posts: 15,035
Cannot figure out what this virus is, or where it's hiding
Symptoms:
Every few minutes IE opens with a link to some new website. This one I'm looking at appears to be a Stainmaster ad. Every now and then an outlook express email pops up pre addressed to something to do with Craig's List.
I have run MSE, Kaspersky Online Scanner, and SuperAntiSpyware. Each caught and supposedly disabled/erased threats but I still have the same problem.
It would be nice to know what I'm infected with so I can turn to google for a little help.
Thanks.
11-17-2011, 04:15 PM | #2 | Gator Country Diamond | Join Date: Apr 2007 | Posts: 47,254
__________________
GO GATORS
11-17-2011, 04:33 PM | #3 | VIP Member | Join Date: Apr 2007 | Posts: 4,634
As OBOB says, post your HijackThis log. For 90% of virii, the below will take care of the problem:
Boot in safe mode with networking, get yourself a copy of RKill, then run that, and run full scans of MSSE and Malwarebytes Anti-Malware while in safe mode.
11-17-2011, 04:58 PM | #4 | Gator Country Diamond | Join Date: Apr 2007 | Posts: 47,254
RKill is great for the really pesky ones, but helix brings up a good point:
have you booted into safe mode prior to a scan?
11-17-2011, 05:02 PM | #5 | Gator Country Gold | Join Date: Apr 2007 | Posts: 15,035
Feeling brilliant, helix; completely forgot to run MSE, etc., in safe mode.
So, downloaded RKill and HijackThis, will reboot in safe mode and run them.
Thanks.
11-17-2011, 06:01 PM | #6 | Gator Country Diamond | Join Date: Apr 2007 | Posts: 47,254
HijackThis gives insight into what programs & services are running, so don't run that in safe mode.
11-19-2011, 09:50 AM | #7 | Gator Country Gold | Join Date: Apr 2007 | Posts: 15,035
After running in safe mode twice, ran MSE, SUPERAntiSpyware, and Malwarebytes Anti-Malware, I still have the problem. It's not that bad: every few minutes Explorer opens with some kind of ad already queued up, a lot pointing to sites through search engine blinx(?). I'm just troubled that between MSE, SAS, and MBAM I couldn't get rid of it.
Thinking about doing a 30 day trial on Norton then running in safe mode again to see if it gets picked up. Any other programs I could try?
I may have to post my log files but never have had to before, always fixed viruses without so much work. This one is pretty subtle, not too annoying, and I guess well hidden.
11-19-2011, 11:14 AM | #8 | All SEC | Join Date: Apr 2007 | Location: Maryland | Posts: 1,017
Also try IE's no add-on mode and see if it keeps happening. If it doesn't happen again, go through your list of add-ons and uninstall the add-on.
http://blogs.msdn.com/b/ie/archive/2...25/678113.aspx
__________________
From recruiting to the road games to the Gator Nation, the passion is unmatched, and I’ve worked at Ohio State and Notre Dame.
-Urban Meyer
11-19-2011, 11:33 AM | #9 | VIP Member | Join Date: Apr 2007 | Posts: 4,634
Just a thought, but try setting your homepage for IE to about:blank and see if it loads up anything. It could just be pointed to some ad server. Also try running RKill as it will check your hosts and eliminate any proxies that the malware set up. Also, try doing a system restore to a date before the problems started happening.
If none of those anti-malware solutions you already tried found something, Norton is certainly not going to. I'd just go ahead and post your log.
11-28-2011, 12:17 PM | #10 | Gator Country Gold | Join Date: Apr 2007 | Posts: 15,035
So, I thought I had it taken care of with MSE, SUPERantispyware, and Malwarebytes in safe mode, plus MSE found a couple items out of safe mode and supposedly dealt with it. Then a couple days ago I got hijacked by one of those programs which tries to get you to purchase protection. No idea where this stuff is coming from but have the feeling I never got rid of the IE redirect bug and it eventually got me to a site that downloads code. I really have no idea what possible site I would have picked it up from. Was looking for some MMA rebroadcasts recently and some of those "justin.tv" type sites are suspicious.
So anyway, the hijack bug was even running in safe mode. What is that fake XPSecurity2012 virus, anyone have any experience?
So, from another computer I downloaded a copy of the Norton 2012 90-day trial onto a flash drive and installed that on my laptop, hoping it cleans this up.
I was surprised the hijack virus was running itself in safe mode. Yikes, hope I can get this nonsense to disappear.
11-28-2011, 12:19 PM | #11 | Gator Country Gold | Join Date: Apr 2007 | Posts: 15,035
Quote (Originally Posted by helix139):
> If none of those anti-malware solutions you already tried found something, Norton is certainly not going to. I'd just go ahead and post your log.
They found issues all right but couldn't clear them out. Trying Norton because it always worked for me before on these kinds of issues. OTOH, so has Kaspersky, and an online scan with it didn't cure it either. Next step if Norton fails is the log file post. However, I thought I ran the log file program and it didn't actually produce a log file like I've seen before, so we'll see on that.
Not too confident in Norton here because I'm about halfway through the scan and it hasn't registered a problem.
11-28-2011, 09:30 PM | #12 | Heisman Candidate | Join Date: Apr 2007 | Posts: 3,144
Maybe try ESET... they have an online scanner for free.
11-28-2011, 10:44 PM | #13 | All SEC | Join Date: Apr 2007 | Location: Maryland | Posts: 1,017
If you are using another browser other than IE, such as Firefox or Chrome, do you still have the same problems? You might want to narrow down whether the browser is hijacked or something else is going on.
11-29-2011, 11:05 AM | #14 | Gator Country Diamond | Join Date: Apr 2007 | Posts: 35,489
If I understand you correctly, you have both Security Essentials and Norton anti-virus installed at the same time. If this is true you need to take one of them off, as that can cause you additional problems. You may have a rootkit or another new strain of bug. You can post the log OBOB mentioned and someone may be able to find something, or you can go to a site that has forums dedicated to helping people. The problem with posting a log in this forum is you have too many varying suggestions as to what to do, and that can be confusing. Not that people are giving you bad advice necessarily, but it is much easier when you are on a forum where only the person helping you, or someone else he/she requests, can give directions.
11-29-2011, 11:13 AM | #15 | Gator Country Diamond | Join Date: Apr 2007 | Posts: 47,254
Based on what I'm reading, I don't believe it's a rootkit.
11-29-2011, 11:25 AM | #16 | Gator Country Diamond | Join Date: Apr 2007 | Posts: 35,489
It may not be; I haven't researched it at all. I was just throwing that out as a possibility of why he is having trouble getting rid of it. I am not as up to date on things as I was.
11-29-2011, 02:00 PM | #17 | Gator Country Gold | Join Date: Apr 2007 | Posts: 15,035
Right Hall, pretty sure I am only running one av/malware program at a time.
Well, I don't know what program initially took over, but it was redirecting and seems a bit harmless; my guess is it eventually hits a site that uploads something. I'm still dealing with it, running AV programs in safe mode, but it's going to take some help.
It has shut my internet down, so anything I do from here online means working between this one and my laptop with a zip drive. It would be interesting to know why it seems immune to discovery/inoculation.
I expect to try and clean it up with help from BleepingComputer, save all the files I need, then reload Windows.
Is it true that a Mac is much harder to hack and almost immune to viruses?
11-29-2011, 02:30 PM | #18 | VIP Member | Join Date: Apr 2007 | Posts: 4,634
My thought is that the AV/anti-malware solutions are removing the virus, but there is something in your internet or computing practices that brings it back (or something similar). It should not be running in safe mode, unless it is perhaps something that has altered your hosts file or some other system file. Have you tried RKill in safe mode? See if it turns up and kills anything, and then run your scans.
Macs have fewer viruses designed to operate on them at this point but are certainly not immune from hacking, phishing, malware, etc., and the trend is that Mac malware is on the rise as ownership has increased, and at this point Mac has fewer options for defense. If you really want something that is, and likely will remain, virtually free of malware, go with a Linux build.
The real key is simply using safe computing practices as your primary source of protection no matter what O/S you choose to use. My AV/Anti-malware software is my last line of defense. My eyes and brain are my first, and it is extremely rare that something gets through them. In the extremely rare event that it does (I can count the number of malware alerts I have gotten over the last 10 years on 1 hand), I'm stl
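As an added illustration of the hosts-file tampering helix139 raises in #9 and #18 (example code written for this thread, not a tool from any of the posts), the audit below parses a constructed Windows hosts file and flags cleanup-tool domains pinned to loopback (which would block downloading or updating a scanner) and any other name sent to a non-loopback address (a redirect); the vendor list and sample content are assumptions.

```python
# Added example for this thread (not a tool from the posts): audit a Windows
# hosts file for the kinds of entries malware adds. The sample content and the
# vendor list below are constructed/illustrative assumptions.
import ipaddress
import re

# Cleanup-tool sites malware often pins to loopback so they cannot be reached (assumed list).
PROTECTED_DOMAINS = {"www.malwarebytes.org", "www.superantispyware.com", "www.stopzilla.com"}

# Constructed sample: the stock Windows comment lines plus two malicious entries.
SAMPLE_HOSTS = """\
# localhost name resolution is handled within DNS itself.
#   127.0.0.1       localhost
127.0.0.1       localhost
::1             localhost
127.0.0.1  www.malwarebytes.org www.stopzilla.com
93.184.216.34  www.google.com  www.bing.com
"""

def parse_hosts(text: str) -> list[tuple[str, str]]:
    """Return (ip, hostname) pairs, ignoring comments, blanks and malformed lines."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        ip, *names = re.split(r"\s+", line)
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue                           # first field is not an address
        pairs.extend((ip, n.lower()) for n in names)
    return pairs

def audit_hosts(text: str) -> dict[str, list[str]]:
    """Flag pinned cleanup-tool sites and any other name sent off loopback."""
    findings: dict[str, list[str]] = {"blocked_vendor": [], "redirect": []}
    for ip, name in parse_hosts(text):
        if name == "localhost":
            continue                           # the only mapping a clean file needs
        if name in PROTECTED_DOMAINS:
            findings["blocked_vendor"].append(f"{name} -> {ip}")
        elif not ipaddress.ip_address(ip).is_loopback:
            findings["redirect"].append(f"{name} -> {ip}")
    return findings

if __name__ == "__main__":
    for kind, hits in audit_hosts(SAMPLE_HOSTS).items():
        print(f"{kind}: {hits or 'none'}")
```

To check a live machine, read C:\Windows\System32\drivers\etc\hosts into a string and pass it to audit_hosts; an empty result for both categories is what a clean file looks like.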
11-29-2011, 03:33 PM | #19 | Gator Country Gold | Join Date: Apr 2007 | Posts: 15,035
Quote (Originally Posted by helix139):
> My thought is that the AV/anti-malware solutions are removing the virus, but there is something in your internet or computing practices that brings it back (or something similar).
No, it has not been removed since infected, and all the AV/AM software has been unsuccessful.
Quote:
> It should not be running in safe mode, unless it is perhaps something that has altered your hosts file or some other system file. Have you tried RKill in safe mode? See if it turns up and kills anything, and then run your scans.
Yup, it is running in safe mode, but only on my account, not on the administrator account. Nonetheless, cannot remove it either way. Thought that was unusual. Maybe it did alter some files.
Interestingly, in either account it will let me run all AV/AM except StopZilla, which it blocks. Is that an indication it's "afraid" of SZ? I wish I could download onto a zip drive and then try to open it that way, but I imagine the hijack software will still just stop it from executing.
11-29-2011, 03:45 PM | #20 | VIP Member | Join Date: Apr 2007 | Posts: 4,634
Quote (Originally Posted by DieAGator):
> No, it has not been removed since infected, and all the AV/AM software has been unsuccessful.
> Yup, it is running in safe mode, but only on my account, not on the administrator account. Nonetheless, cannot remove it either way. Thought that was unusual. Maybe it did alter some files.
> Interestingly, in either account it will let me run all AV/AM except StopZilla, which it blocks. Is that an indication it's "afraid" of SZ? I wish I could download onto a zip drive and then try to open it that way, but I imagine the hijack software will still just stop it from executing.
You need to run safe mode and your AV/AM programs on the administrator account. That is a likely reason why the software is failing to remove the malware. If that isn't the reason, the fact that the MW is still running in safe mode is, and RKill will be able to terminate it. If for some reason RKill won't run, try downloading one of the alternately named versions. Boot into admin safe mode, run RKill to kill any malicious processes, services, etc. that are running, and then run your AV/AM. Let us know how that works.
Re: StopZilla, that could indeed be something that the MW is afraid of, and might be worth a shot in admin safe mode after running RKill if the above fails.