I think I have malware

September 14, 2011 12:47:14 AM

Once again, I turn to the good people of TomsHardware for help. I think my computer has malware but I am unable to find it.

When I search on Yahoo or Google, almost every link brings me to an incorrect site, mostly spammy sites. It does this on both Mozilla Firefox and Internet Explorer.

I tried scanning with MalwareBytes, AVG, Spyware Terminator and CCleaner. Nothing has come up.

I'm not sure how to fix my problem. I'm worried that these links have downloaded additional malware and/or viruses which are also not coming up. I hope my programs haven't been compromised.

I have Windows XP SP2.

Thanks in advance for any and all help!

September 14, 2011 6:43:40 PM

Check your internet proxy settings too. If this is a home computer it is very unlikely that you should be using a proxy.
September 15, 2011 3:53:01 PM

Sorry I took so long to respond. It's been a crazy day at work.

Thank you both for your responses.

Hawkeye, my computer already has proxies disabled.

Area51, I followed your link and what a great page of information. I will be keeping that link in my bookmarks.

After starting my computer in Safe Mode with Networking, I ran MalwareBytes, ComboFix, CCleaner, AVG Antivirus, and CWShredder. I also ran Spy-Bot.

MalwareBytes and Spy-Bot found and quarantined 4 trojans.

ComboFix, AVG, CWShredder, CCleaner found nothing.

My computer is now running faster. When I search on Yahoo, it is still being hijacked.... just not as often.

Also, my Mozilla Firefox keeps freezing. When it freezes, I can't even kill the process using Ctrl-Alt-Delete. I have to restart my computer just to turn off Mozilla.

Is there anything else I can try?

Thanks again!

September 15, 2011 11:03:17 PM

Hawk, Thank you for your response.

I installed and scanned my hosts with your link to Microsoft FixIt.... It restarted my computer but then did nothing. I went onto Mozilla and it still gets hijacked.

I tried Process Explorer and it can't kill the process for Mozilla Firefox or for Internet Explorer.

I tried to uninstall Mozilla and reinstall it but because I can't kill the process, it won't let me uninstall it.
September 16, 2011 6:53:24 AM

I'm having the same problem. Please help us out. Thanks
September 16, 2011 11:38:31 AM

skeptikaltruth said:
Hawk, Thank you for your response.

I installed and scanned my hosts with your link to Microsoft FixIt.... It restarted my computer but then did nothing. I went onto Mozilla and it still gets hijacked.

I tried Process Explorer and it can't kill the process for Mozilla Firefox or for Internet Explorer.

I tried to uninstall Mozilla and reinstall it but because I can't kill the process, it won't let me uninstall it.


Wow, it's rare that Process Explorer can't kill something. If you right-click on the process, you will see an option for "kill process" and "kill process tree". Most times I use "kill process tree".

Anyhow, at this point I think I'd have to start considering a clean install of the OS.
Anonymous
September 16, 2011 11:51:34 AM

Tdsskiller
October 4, 2011 8:21:04 PM

I'm sorry that it took me so long to respond, again.

I am still having problems. Seems like when I run my scanning programs, they fix things but only temporarily. MalwareBytes occasionally finds a trojan in a Google Chrome folder. Thing is, I've never had Google Chrome on my computer before.

My Yahoo searching rarely gets hijacked now. However, Firefox keeps freezing up on me. I uninstalled and re-installed it and it gives me the same problem. I installed an older version instead and it still locks up. It mostly locks up when I try to check my mail on Yahoo and the website loads those ridiculous flash advertisements.

Grumpy and Aford, I will try both your programs and let you know if they worked.

If they don't work, I'm just gonna bite the bullet, back up my files and do a clean install of windows.

Thanks again for everyone's help!
October 5, 2011 5:56:05 AM

Can you also try Trojan Remover, if you can install it and enable the boot scan.

************************
Trojan Remover is designed specifically to disable/remove Malware without the user having to manually edit system files or the Registry. The program also removes the additional system modifications some Malware carries out which are ignored by standard antivirus and trojan scanners.

Trojan Remover scans ALL the files loaded at boot time for Adware, Spyware, Remote Access Trojans, Internet Worms and other malware. Trojan Remover also checks to see if Windows loads Files/Services which are hidden by Rootkit techniques and warns you if it finds any.

http://www.simplysup.com/
October 5, 2011 1:15:34 PM

C:\Windows\System32\drivers\etc\hosts

Copy that file and give it a .txt extension.

Open it and see if there are any unusual domains in there.
October 6, 2011 7:33:08 AM

Grumpy and aford, I tried all 3 programs and still no luck. TDSS and rrkill both reported no errors. However, superspyware found 8 trojans and several other things that none of the other programs found. However, it still has not fixed my problems.

Nikorr, Trojan Remover looks like an excellent program to keep in my arsenal. However, it reported no errors. The scan only took 27 seconds which did seem awfully fast. Is that normal?

Pyree, there is only one thing written in the hosts 'document' which is

127.0.0.1 localhost


However, I also see a hosts.old file which I checked and the first two lines start as follows:

127.0.0.1 localhost
# Start of entries inserted by Spybot - Search & Destroy

and then loads of malware urls are listed.

Not sure if this is normal or not. Also, I ran a Yahoo search which hijacked my link and brought me to a url which was not in that Spybot list.


It's getting frustrating. It seems like my problem should be easily fixable but I just can't grasp where the problem lies.
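A small parser that performs Pyree's hosts-file check above and tells apart the two things the poster found: a Spybot - Search & Destroy immunisation block (known-bad names pointed at 127.0.0.1, which blocks rather than redirects) and a genuine redirect (a legitimate name mapped to a routable address). This is an added example, not code from the thread; the sample hosts content, including the 203.0.113.7 / www.wikipedia.org hijack line, is constructed.

```python
"""Classify Windows hosts-file entries: expected, blackhole (blocking), or redirect."""
import ipaddress

# Constructed sample modelled on the hosts.old described in the thread,
# plus one hypothetical hijack line using a TEST-NET address.
SAMPLE_HOSTS = """\
127.0.0.1 localhost
# Start of entries inserted by Spybot - Search & Destroy
127.0.0.1 bad-example-1.invalid
127.0.0.1 bad-example-2.invalid
0.0.0.0   ads.example.invalid
# End of entries inserted by Spybot - Search & Destroy
203.0.113.7 www.wikipedia.org   # hypothetical hijack line (constructed)
::1 localhost
"""


def parse_hosts(text):
    """Yield (ip, hostname) pairs; comments and blank lines are skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        ip, names = fields[0], fields[1:]
        for name in names:
            yield ip, name.lower()


def classify(ip, name):
    """Return 'expected', 'blackhole', 'redirect' or 'malformed' for one entry."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "malformed"
    if name == "localhost":
        # localhost must stay on loopback; anything else is a redirect.
        return "expected" if addr.is_loopback else "redirect"
    if addr.is_loopback or addr.is_unspecified:
        # 127.x / ::1 / 0.0.0.0: the name is blocked, which is what
        # Spybot immunisation entries do. Benign.
        return "blackhole"
    # A real name sent to a routable address: the pattern a search or
    # site hijack via the hosts file would show. Inspect these.
    return "redirect"


def audit_hosts(text):
    """Group every entry of a hosts file by its classification."""
    report = {"expected": [], "blackhole": [], "redirect": [], "malformed": []}
    for ip, name in parse_hosts(text):
        report[classify(ip, name)].append((ip, name))
    return report


if __name__ == "__main__":
    for kind, entries in audit_hosts(SAMPLE_HOSTS).items():
        print(f"{kind:9s} {len(entries):3d}  {entries}")
```

An empty "redirect" list while the redirects continue, which is what the poster reports, means the cause lies outside this file.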
October 6, 2011 7:36:58 AM

Update Spybot. Right-click Spybot and run as admin. Reapply immunisation in Spybot.
October 6, 2011 7:49:04 AM

When I try to run as admin, it is asking for a password. I've never set up a password for an admin account.

I decided to log out and try to get into admin from there. However, when I log out, there is no admin. Just my one account.

However, when I logged back in, AVG all of a sudden decided to find a Malware, some rundll.exe which I knew I had problems with but didn't know it was Malware. However, my yahoo searches are still hijacked.
October 6, 2011 7:57:20 AM

I forgot to check your OS. Applying immunisation as admin is required only for Vista/7 users, not XP. I am sorry. You can just run Spybot as normal and apply immunisation in XP.
October 6, 2011 8:20:55 AM

That's ok. I ended up going into safe mode with networking which allows me to enter as an admin.

Either way, I ran spybot and I applied immunization. Mozilla is now running slightly slower and the links are still hijacked.

Not sure if it matters but I just realized something. Not every link is hijacked, only some of them. I thought it was just random but it seems to not be. For example, every Wikipedia link seems to be hijacked as opposed to an uncommon but legitimate website.
October 6, 2011 8:24:42 AM

Ok, save all of the hosts files (hosts and its backup) in the etc folder into another folder and delete the original files. Restart the computer and reapply immunisation.
October 6, 2011 8:39:14 AM

I did what you said and it actually worked.... I decided to click the link a second time to verify the success and it got hijacked again :( 
October 6, 2011 8:44:51 AM

It looks like there is a very tough-to-remove malware redirecting all your traffic with the hosts entry. The root of the problem is still the malware. Unfortunately I do not have a better idea on how to remove malware than the other posts already suggested. I am sorry, but that is the best I can do apart from suggesting a fresh installation of Windows. Maybe someone with more knowledge can guide you to get rid of the malware. :( 
October 6, 2011 8:51:32 AM

skeptikaltruth, you can try to scan the boot drive too by selecting the drive (Trojan Remover); it takes about 20 min and will scan all the files.

-------------------
-It looks like a tough one-
October 6, 2011 8:51:53 AM

That's the conclusion I was starting to come to about the malware and you just verified it for me. I'll give it a few more days and hopefully someone else from TH can help me. I've made progress with clearing out some of the more malicious stuff. It seems to just be the hijacking that I need to be concerned about, I think.

Thank you so much for your time and effort; I really appreciate it. You've already taught me a few things which will not be forgotten.

By the way, Happy National Day!

Edit: Nikorr, thank you, I didn't realize I could do that. By boot drive, I assume you mean the main drive (C:/) I am scanning it now. However, it is almost 5 in the morning my time and I need to finally get some sleep. I will leave the scan to run and I will let you know the progress when I wake up. Wish me luck!
October 6, 2011 8:56:19 AM

Although I am not currently in Taiwan but in Australia, I thank you, skeptikaltruth. 10-10-2011 is truly a day for free Chinese to celebrate, as it marks the overthrow of the old imperial government and the establishment of the new democratic Republic of China, also the birthplace of Republic of Gamers (geek talk)!!
October 6, 2011 9:01:06 AM

skeptikaltruth said:
That's the conclusion I was starting to come to about the malware and you just verified it for me. I'll give it a few more days and hopefully someone else from TH can help me. I've made progress with clearing out some of the more malicious stuff. It seems to just be the hijacking that I need to be concerned about, I think.

Thank you so much for your time and effort; I really appreciate it. You've already taught me a few things which will not be forgotten.

By the way, Happy National Day!

Edit: Nikorr, thank you, I didn't realize I could do that. By boot drive, I assume you mean the main drive (C:/) I am scanning it now. However, it is almost 5 in the morning my time and I need to finally get some sleep. I will leave the scan to run and I will let you know the progress when I wake up. Wish me luck!

Good luck! 2AM here
Fingers crossed
October 6, 2011 12:33:50 PM

You can remove the drive, and slave it into another computer. You can then scan the drive, without it even being in use.

If you haven't already, you can create a rescue disc. You can boot off the rescue disc, and initiate a malware scan from there.
http://www.avg.com/us-en/avg-rescue-cd

You can also run a Hijackthis scan, and paste the log here.
http://free.antivirus.com/hijackthis/
October 7, 2011 12:13:51 AM

Pyree, you're very welcome. I am not Chinese but I have nothing but respect for Chinese culture. My daughter is also half Chinese so I have learned a great deal about culture through her grandparents. Even though I am not with my daughters mother anymore, I still follow many traditions. In fact, I will be giving my daughter's grandparents a red envelope with 8 quarters and a moon cake with 2 yolk. I love moon cakes!

Back to business, Nikorr, I have scanned my entire C drive (it's the only one I have) and it found just one error. It is a malware file for a program that I have downloaded from Cnet. However, being that I never actually installed the program yet, it can't be the problem. I deleted the file anyway and my searches are still being hijacked.

Aford, for obvious reasons, I will try the easiest one first. Here is the log from hijackthis. If this does not help, I will try the AVG rescue disk and then removing the hard drive if need be.

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 8:06:50 PM, on 10/6/2011
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\PROGRA~1\SPYWAR~1\SpywareTerminatorShield.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\DeviceVM\Browser Configuration Utility\BCU.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\issc\IS89C35\wwu.exe
C:\Program Files\AVG\AVG9\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\AVG\AVG9\avgfws9.exe
C:\Program Files\DeviceVM\Browser Configuration Utility\BCUService.exe
C:\Program Files\Gigabyte\EasySaver\ESSVR.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\Program Files\AVG\AVG9\avgam.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wbsecsvc.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Documents and Settings\Ian\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: SearchHook Class - {BC86E1AB-EDA5-4059-938F-CE307B0C6F0A} - C:\Program Files\DeviceVM\Browser Configuration Utility\AddressBarSearch.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SpywareTerminator] "C:\PROGRA~1\SPYWAR~1\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [BCU] "C:\Program Files\DeviceVM\Browser Configuration Utility\BCU.exe"
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe /boot
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\CCleaner.exe" /AUTO
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: WWU.lnk = C:\Program Files\issc\IS89C35\wwu.exe
O8 - Extra context menu item: Add to AVI Converter... - C:\Program Files\MP3 Player Utilities 5.09\AVIConverter\grab.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Co...
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: AVG Firewall (avgfws9) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgfws9.exe
O23 - Service: AVG9IDSAgent (AVGIDSAgent) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe
O23 - Service: Browser Configuration Utility Service (BCUService) - DeviceVM, Inc. - C:\Program Files\DeviceVM\Browser Configuration Utility\BCUService.exe
O23 - Service: ES lite Service for program management. (ES lite Service) - Unknown owner - C:\Program Files\Gigabyte\EasySaver\ESSVR.EXE
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: wbsecsvc - Integrated System Solution Corp. - C:\WINDOWS\system32\wbsecsvc.exe

--
End of file - 6543 bytes


Thanks again everyone!
October 7, 2011 12:42:12 AM

I would remove the following. The last 2 entries are likely the cause of your browser redirects.

O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)


O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll


O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll


October 7, 2011 1:55:53 AM

Nope, still being hijacked.

Not sure if it's related but right after I removed those 3 entries, I lost my internet connection (on two different computers) and had to restart my internet provider box. The other one now can't connect to Facebook for some reason.
October 7, 2011 2:06:15 AM

Removing local files wouldn't have any effect on a 2nd computer. And if restarting the router fixed the issue, then it was hardware/connection related.

One more time, try booting into safe mode with networking. Uninstall ComboFix. Reinstall ComboFix. Then run ComboFix.