If this post looks too long to read, scroll down to the bottom where it says "Why I think I'm infected"
Here's my story:
I'm not really that smart when it comes to malware and infections, so I don't even really know when I first got infected. I know that for a while now I've been getting pop-ups in Firefox whenever I go to "questionable" sites (best way I can describe it, meaning I don't get pop-ups from YouTube, but I do get pop-ups from sites like entensity and even imageshack, for example). I'm pretty sure that I'm not supposed to be getting pop-ups, because my friends don't get them, and we all use Firefox. Also, I keep getting this "dumb test" pop-up, but that's the only recurring one I can think of (I never really paid attention to the pop-ups because I didn't realize they weren't normal until last night).
This was the first event that I can recall:
I think a couple months ago was the first time I knew I was infected and had to take action. I got a series of pop-ups which immediately sent my computer into a clicking/crunching frenzy, and then it started shutting itself down and restarting. When it started itself back up, the task manager was "disabled by an administrator" and I was getting an obviously planted bubble message telling me I'm infected and I should get their product. Unfortunately I don't remember what the product was, because I've never been through this kind of thing before and didn't think to remember.
All I had as "protection" at the time was Spybot S&D and Ad-Aware, but I couldn't run them because the infections were blocking them. I think I solved that problem by going into safe mode, and I think by doing a system restore, and/or I may have had to change the Spybot exe to have a "1" at the end to stop it from being blocked. After running those two programs, I seemed to have gotten rid of everything at the time.
I think during those scans I remember it recognizing and removing Smitfraud.C (At least I think it had the .C at the end) and *maybe* Virtumonde, but I can't remember.
I think it was about a week after the first event, pretty much the same exact thing happened, but this time I had Spybot's TeaTimer, and it recognized Smitfraud trying to do something, and I was able to block it. Then, I think a day later it happened again, but this time much worse. I don't remember details very well at all, but I remember finding a file called bratsk.exe in my c:\windows\ folder, and I used Google to find someone offering the suggestion of running Spybot S&D, Malwarebytes' Anti-Malware, SUPERAntiSpyware, SpywareBlaster, and CCleaner in that order.
I ran all of those in safe mode I think, including Ad-Aware too, and it seemed to fix my computer again.
Fast forward to December 2nd, 2008:
This is when I went to entensity, and I'm pretty sure I got 2 or 3 blank pop-ups behind the main Firefox window, and my computer started clicking/crunching heavily, and I looked at task manager. There were about 10 different processes I've never seen before, all presumably installing themselves. My freaked-out panic reaction caused me to hit the restart button on the front of my computer. I'm pretty sure my computer crashed about 3 times in a row trying to start up, and although safe mode worked, I couldn't for the life of me get any of the aforementioned anti-virus scanners to even load. I don't recall exactly how I got the computer to start up normally, but somehow I did get back into normal mode without a crash.
TeaTimer immediately gave me about 20 warnings in a row of different programs trying to change start-up settings and registry settings. At this point, I tried to scan with Spybot, and it gave me some kind of warning about "scanner manually disabled by user," and then showed a bunch of errors for every single item it tried to scan.
So, I went back into safe mode, and did a system restore to Nov 30th, and that got the scanners working again, so I did all 4 of my scans in safe mode overnight. At the time I didn't know that you can set SUPERAntiSpyware to scan the entire computer, instead of just the default setting of "only known files" or something like that.
So, after that, I did all 4 scans again (Spybot, Ad-Aware, Malwarebytes', SUPERAntiSpyware) in normal mode, and it found some more things in the System Volume Information folder.
This is where I may have done some stupid things, although I don't see any bad signs, so maybe not. After all those scans, I still didn't feel clean, so I inspected the c:\windows\ folder and the c:\windows\system32\ folder and sorted by recently modified. There were some .exe files all created at the time of infection, so I looked them up on Google to make sure they were spyware, then deleted them manually. I wish I could tell you what they were, but they seemed like random letters. I think I remember seeing "_32" on the end of most of them.
Again, I remind you I pretty much have no experience in dealing with this except for what I've told you. At this point, I did a system search for any files created on that day, and deleted any files that were created within 2 minutes of the time of infection. The only two files I didn't delete were ones that came with a warning that it potentially could be the death of my computer if I deleted them.
The two files are still on my computer, and I'll post where they're located. The first one was created at 5:00 am (time of infection), and the second was created at 5:26 am, which I guess is when I logged onto Administrator in safe mode:
C:\Documents and Settings\Noah Nelson\Application Data\Microsoft\Crypto\RSA\S-1-5-21-789336058-1123561945-839522115-1003\e0e842231b38cecaa50a1eaeb44b3f22_c52aa906-a33a-44ad-bec8-f23254680db5
C:\Documents and Settings\Administrator\Application Data\Microsoft\Crypto\RSA\S-1-5-21-789336058-1123561945-839522115-500\e0e842231b38cecaa50a1eaeb44b3f22_c52aa906-a33a-44ad-bec8-f23254680db5
I think it was at this point where, in a search about the System Volume Information folder, which showed up two scans in a row by the same scanner, I found information that turning off system restore and turning it back on would delete any viruses in there, at the cost of all system restores. And I did that. I made a new system restore right after that.
After all that, basically everything else I've done has been re-running scans, restarting, running them again to see if anything popped up again, finding 1 or two infections every once in a while. And, on the side, I've been searching Google for possible solutions. That's how I ended up here, but unfortunately I tried to take matters into my own hands again after reading a similar problem on these forums (I hadn't read the warning about it being potentially harmful to follow instructions meant for others). Hopefully I didn't do anything stupid.
The thread I saw was someone complaining about a "dumb test" pop-up, which is what I searched for to find the thread in the first place. They were told to get ATF-Cleaner, and SUPERAntiSpyware and run both in safe mode. So, I did that.
Then they were told to run VundoFix in normal mode and VirtumundoBeGone in safe mode, and I did both, following the instructions. VundoFix found and removed 2 files, and as far as I can tell VirtumundoBeGone didn't have any negative effects.
Then they were told their Java was out of date, and that's how they probably got infected and they should update. So, I uninstalled all my Java and updated it with the most recent.
They were also told to run an online scanner "like bitdefender," which I tried to run but it wouldn't update, so I couldn't. Then, I tried a different one called Trend Micro HouseCall, and it reported finding 106 infections, 101 of those being referred to as "adware_memwatcher".
But, for some reason when it started the removal process, my cpu usage went to 100% and iexplorer was running at 99 in the process list, and it didn't move. I let it sit for about an hour, but it never made any progress. I gave up and decided to try again, since it had scanned the first time while I was at work, and I thought maybe if I acted sooner it would work properly. Again, it had the same problem after scanning, and I gave up and took a screenshot of what it reported to find so that I would at least have the file names. I couldn't figure out how to delete any of them manually, and I'll upload the screenshot if it'll help.
Here's what the file names/locations are from what it found:
First section, I forget what it was titled and it's not in the screenshot: "1 Infection"
Second section, ADWARE_MEMWATCHER: "101 Infections"
Third section, HTTP cookies: "4 Detected"
Internet Explorer Cache\atwola.com
Internet Explorer Cache\did-it.com
Internet Explorer Cache\revsci.net
Internet Explorer Cache\server iad liveperson.net
(I can't see the bottom of the last URL in the screenshot, so I don't know if the spaces are dots, underscores or what)
I cleared Internet Explorer's "temporary internet files" after that, but I don't know if that got rid of anything.
Where I am now:
After this failed, I tried running it in Firefox instead, but it wouldn't install/update properly and I couldn't get it to work. So, I saw somewhere else an instruction to run Kaspersky Online Scanner, but then I realized it only creates a log file. It's still running in the background, but it is taking incredibly long, as it seems to be taking about 5 minutes to get through each part of a rar that has 50 parts so far.
At this point, I realized I've exhausted every single idea I've had so far, and my brain has turned to mush. I have no energy because I've been working on this for pretty much 41 hours, the only exceptions being some naps and work. I really need help from someone who knows what they're doing, and I hope I didn't make it immensely difficult or impossible to fix. I'm sorry I didn't come here sooner, and I'll appreciate any help you can offer, even if it's just help in reformatting my hard drive.
Why I think I'm infected, a quick summary:
The reason I think I'm infected is because, even after all my attempts at scanning and cleaning my computer, I'm still seeing pop-ups that I'm pretty sure shouldn't be there. Although I haven't seen any pop-ups since before using VundoFix, I also haven't gone to any sites that would generally cause my pop-ups. What I have seen since then, though, is when a site is pretty much blank with text on it, I see certain key words turned into links, and when I scroll over those links it brings up a small pop-up that chases my cursor, and I don't think that's normal for an uninfected computer.
I also think I'm infected because I ran Trend Micro's HouseCall web scanner, and it reported that it found 106 infections, and it only managed to quarantine 1 of them before it froze up and wasn't able to clean anything. I manually deleted the quarantined item after Kaspersky found it and showed me where it was being held (which is still running as I type, and that rar is up to part 71).
I would be extremely surprised to find out I'm somehow not infected after all this, but I have no idea what to do at all anymore, and I need help... Thank you to anyone who reads this or tries to help..
Just adding that during a restart I got some kind of warning telling me dw20.exe couldn't initialize because the system was shutting down. I've never seen that before, but I thought any information would be helpful. Also, during startup I was watching the processes and saw something called imapi.exe for the first time. Looking up what they are, they seem to be normal windows processes, but I've never seen either of these until today. But, maybe I'm just being more paranoid and watchful than I've ever been.
Edited by Noah N, 04 December 2008 - 05:08 AM.
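The triage the poster did by hand (sorting the Windows and system32 folders by date and looking for files created within a couple of minutes of the suspected infection time) is easier to repeat and share with a helper when it is scripted. The following is an added example and not code from the post or from any tool it names. It assumes a suspected infection time of 05:00 on 2 Dec 2008 as the poster described, a window of 2 minutes, and a set of constructed sample records standing in for a real directory walk; the file names, the skip list and the directory roots are all assumptions. Hits are hashed with SHA-256 so a file can be looked up by content rather than by its random-looking name, which is more reliable than searching for the name alone.

```python
"""Creation-time triage for a suspected infection window.

Added example (not code from the post or from any tool it names). Given a
suspected infection time, list files created within +/- N minutes of it,
optionally skipping directories already reviewed, and hash each hit so it can
be looked up by content rather than by its (often random) file name.
Sample records, times and paths below are constructed for illustration.
"""
import hashlib
import os
from datetime import datetime, timedelta
from typing import Iterable, Iterator, List, Optional, Sequence, Tuple

Record = Tuple[str, datetime]  # (path, creation time)

# Assumed infection time, taken from the post's own account (05:00, 2 Dec 2008).
SUSPECTED_TIME = datetime(2008, 12, 2, 5, 0)

# Constructed sample records standing in for a real directory walk.
# File names are invented; only the timestamps matter for the demo.
SAMPLE_RECORDS: List[Record] = [
    (r"C:\WINDOWS\system32\kqzvbn_32.exe", datetime(2008, 12, 2, 5, 0, 40)),
    (r"C:\WINDOWS\xprtlm_32.exe", datetime(2008, 12, 2, 5, 1, 15)),
    (r"C:\WINDOWS\system32\drivers\etc\hosts", datetime(2008, 12, 2, 3, 0, 0)),
    (r"C:\WINDOWS\system32\oldlib.dll", datetime(2008, 11, 30, 12, 0, 0)),
    (r"C:\WINDOWS\Prefetch\SPYBOTSD.EXE-1A2B3C4D.pf", datetime(2008, 12, 2, 5, 26, 0)),
]

# Assumed exclusions: directories that churn on every boot or scan and would
# swamp the list with noise. Adjust to whatever has already been reviewed.
DEFAULT_SKIP_PREFIXES: Tuple[str, ...] = (
    r"C:\WINDOWS\Prefetch",
    r"C:\WINDOWS\Temp",
)


def within_window(created: datetime, center: datetime, minutes: int) -> bool:
    """True if `created` lies within +/- `minutes` of `center` (inclusive)."""
    delta = timedelta(minutes=minutes)
    return center - delta <= created <= center + delta


def files_near_time(
    records: Iterable[Record],
    infection_time: datetime,
    window_minutes: int = 2,
    skip_prefixes: Sequence[str] = (),
) -> List[Record]:
    """Return records created inside the window, oldest first, minus skipped paths."""
    skips = tuple(p.lower() for p in skip_prefixes)  # startswith accepts a tuple
    hits = [
        (path, created)
        for path, created in records
        if within_window(created, infection_time, window_minutes)
        and not path.lower().startswith(skips)
    ]
    return sorted(hits, key=lambda rec: rec[1])


def sha256_hex(data: bytes) -> str:
    """SHA-256 of a byte string as a lowercase hex digest."""
    return hashlib.sha256(data).hexdigest()


def sha256_of(path: str) -> Optional[str]:
    """Hash a file's contents; None if it cannot be read (locked, missing, no rights)."""
    try:
        with open(path, "rb") as fh:
            return sha256_hex(fh.read())
    except OSError:
        return None


def walk_creation_times(root: str) -> Iterator[Record]:
    """Yield (path, creation time) for every file under `root`.

    os.stat().st_ctime is the creation time on Windows (on POSIX it is the
    inode change time), so run this on the affected Windows system or a copy.
    """
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path)
            except OSError:
                continue  # unreadable entries are skipped, not fatal
            yield path, datetime.fromtimestamp(st.st_ctime)


def format_hits(hits: Iterable[Record], with_hash: bool = False) -> List[str]:
    """Render hits as 'time  sha256  path' lines (hash shown only on request)."""
    lines = []
    for path, created in hits:
        digest = (sha256_of(path) or "unreadable") if with_hash else "-"
        lines.append(f"{created:%Y-%m-%d %H:%M:%S}  {digest}  {path}")
    return lines


if __name__ == "__main__":
    # Offline demo on the constructed records:
    for line in format_hits(files_near_time(SAMPLE_RECORDS, SUSPECTED_TIME, 2)):
        print(line)
    # On the affected machine you would walk the real directories instead, e.g.:
    #   records = list(walk_creation_times(r"C:\WINDOWS"))
    #   for line in format_hits(files_near_time(records, SUSPECTED_TIME, 2,
    #                                           DEFAULT_SKIP_PREFIXES), True):
    #       print(line)
```

The output is a list to review, not a list to delete: the window catches anything created at that moment, including files legitimately written by the system or by the scanners that were launched right afterwards, so each hit should be checked by hash before anything is removed.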