I think I have malware

skeptikaltruth

Distinguished
Jun 7, 2010
14
0
18,560
Once again, I turn to the good people of TomsHardware for help. I think my computer has malware but I am unable to find it.

When I search on Yahoo or Google, almost every link brings me to an incorrect site, mostly spammy sites. It does this on both Mozilla Firefox and Internet Explorer.

I tried scanning with MalwareBytes, AVG, Spyware Terminator and CCleaner. Nothing has come up.

I'm not sure how to fix my problem. I'm worried that these links have downloaded additional malware and/or viruses which are also not coming up. I hope my programs haven't been compromised.

I have Windows XP SP2.

Thanks in advance for any and all help!
 

skeptikaltruth

Sorry I took so long to respond. It's been a crazy day at work.

Thank you both for your responses.

Hawkeye, my computer already has proxies disabled.

Area51, I followed your link and what a great page of information. I will be keeping that link in my bookmarks.

After starting my computer in Safe Mode with Networking, I ran MalwareBytes, ComboFix, CCleaner, AVG Antivirus, and CWShredder. I also ran Spy-Bot.

MalwareBytes and Spy-Bot found and quarantined 4 trojans.

ComboFix, AVG, CWShredder, CCleaner found nothing.

My computer is now running faster. When I search on Yahoo, it is still being hijacked.... just not as often.

Also, my Mozilla Firefox keeps freezing. When it freezes, I can't even kill the process using Ctrl-Alt-Delete. I have to restart my computer just to turn off Mozilla.

Is there anything else I can try?

Thanks again!

 

skeptikaltruth

Hawk, Thank you for your response.

I installed and scanned my hosts with your link to Microsoft FixIt.... It restarted my computer but then did nothing. I went onto Mozilla and it still gets hijacked.

I tried Process Explorer and it can't kill the process for Mozilla Firefox or for Internet Explorer.

I tried to uninstall Mozilla and reinstall it but because I can't kill the process, it won't let me uninstall it.
 

Hawkeye22

Distinguished
Moderator


Wow, it's rare that Process Explorer can't kill something. If you right-click on the process, you will see an option for "kill process" and "kill process tree". Most times I use "kill process tree".

Anyhow, at this point I think I'd have to start considering a clean install of the OS.
 

skeptikaltruth

I'm sorry that it took me so long to respond, again.

I am still having problems. Seems like when I run my scanning programs, they fix things but only temporarily. MalwareBytes occasionally finds a trojan in a Google Chrome folder. Thing is, I've never had Google Chrome on my computer before.

My Yahoo searching rarely gets hijacked now. However, Firefox keeps freezing up on me. I uninstalled and re-installed it and it gives me the same problem. I installed an older version instead and it still locks up. It mostly locks up when I try to check my mail on Yahoo and the website loads those ridiculous flash advertisements.

Grumpy and Aford, I will try both your programs and let you know if they worked.

If they don't work, I'm just gonna bite the bullet, back up my files and do a clean install of Windows.

Thanks again for everyone's help!
 

nikorr

Distinguished
Moderator
Can u try also Trojan Remover if u can install and enable boot scan.

************************
Trojan Remover is designed specifically to disable/remove Malware without the user having to manually edit system files or the Registry. The program also removes the additional system modifications some Malware carries out which are ignored by standard antivirus and trojan scanners.

Trojan Remover scans ALL the files loaded at boot time for Adware, Spyware, Remote Access Trojans, Internet Worms and other malware. Trojan Remover also checks to see if Windows loads Files/Services which are hidden by Rootkit techniques and warns you if it finds any.

http://www.simplysup.com/
 

skeptikaltruth

Grumpy and aford, I tried all 3 programs and still no luck. TDSS and rrkill both reported no errors. However, superspyware found 8 trojans and several other things that none of the other programs found. However, it still has not fixed my problems.

Nikorr, Trojan Remover looks like an excellent program to keep in my arsenal. However, it reported no errors. The scan only took 27 seconds which did seem awfully fast. Is that normal?

Pyree, there is only one thing written in the hosts 'document' which is

127.0.0.1 localhost


However, I also see a hosts.old file which I checked and the first two lines start as follows:

127.0.0.1 localhost
# Start of entries inserted by Spybot - Search & Destroy

and then loads of malware urls are listed.

Not sure if this is normal or not. Also, I ran a Yahoo search which hijacked my link and brought me to a url which was not in that Spybot list.


It's getting frustrating. It seems like my problem should be easily fixable but I just can't grasp where the problem lies.
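
An added example, not part of any post in this thread: one way to tell the two kinds of hosts entries apart. Blocklist lines such as Spybot's sink unwanted names to a loopback address, while a hijacking entry would point a legitimate name at a routable address. The sample file contents, the example hostnames and the 203.0.113.10 address are constructed for illustration.

```python
import ipaddress

# Constructed sample: the localhost line and the Spybot marker are as quoted in
# the post; every other hostname and the 203.0.113.10 address are made up.
SAMPLE_HOSTS = """\
127.0.0.1 localhost
# Start of entries inserted by Spybot - Search & Destroy
127.0.0.1 ads.badsite.example
0.0.0.0 tracker.badsite.example   # trailing comment
203.0.113.10 en.wikipedia.org www.wikipedia.org
not-an-ip search.yahoo.com
"""

def audit_hosts(text):
    """Classify hosts-file entries.

    Returns (blocked, redirected, malformed):
      blocked    - names sunk to a loopback/unspecified address (blocklist style)
      redirected - (name, ip) pairs that point a name at any other address
      malformed  - lines that do not parse as "<ip> <name> [<name>...]"
    """
    blocked, redirected, malformed = [], [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            malformed.append(raw.strip())
            continue
        if len(fields) < 2:
            malformed.append(raw.strip())
            continue
        sink = ip.is_loopback or ip.is_unspecified
        for name in (f.lower() for f in fields[1:]):
            if name == "localhost" and ip.is_loopback:
                continue                       # expected default entry
            if sink:
                blocked.append(name)
            else:
                redirected.append((name, str(ip)))
    return blocked, redirected, malformed

if __name__ == "__main__":
    blocked, redirected, malformed = audit_hosts(SAMPLE_HOSTS)
    print(f"{len(blocked)} blocklist entries")
    for name, ip in redirected:
        print(f"REVIEW: {name} -> {ip}")
    for bad in malformed:
        print(f"MALFORMED: {bad}")
```

An empty `redirected` list only clears the hosts file itself; it says nothing about redirection happening elsewhere on the machine.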
 

skeptikaltruth

When I try to run as admin, it is asking for a password. I've never set up a password for an admin account.

I decided to log out and try to get into admin from there. However, when I log out, there is no admin. Just my one account.

However, when I logged back in, AVG all of a sudden decided to find a Malware, some rundll.exe which I knew I had problems with but didn't know it was Malware. However, my Yahoo searches are still hijacked.
 

skeptikaltruth

That's ok. I ended up going into safe mode with networking which allows me to enter as an admin.

Either way, I ran Spybot and I applied immunization. Mozilla is now running slightly slower and the links are still hijacked.

Not sure if it matters but I just realized something. Not every link is hijacked, only some of them. I thought it was just random but it seems to not be. For example, every Wikipedia link seems to be hijacked as opposed to an uncommon but legitimate website.