I’m running Windows XP Professional Edition with Security Pack 3. Online, I use Firefox 3.0 99% of the time, opening Internet Explorer less than once a month. I have Trend Micro PC-Cillin Internet Security 14 with automatic updates. I have automatic updates on Windows.
A little background, since my problem started earlier in March. I had three pop-ups all related to the same scam, Spyware Protect 2009 insisting I needed their product, plus a new icon in the tray. Trend Micro PC-Cillin’s scan found evidence of a virus, but its quarantine failed on C:\WINDOWS\svcho.exe and on C:\Documents and Settings\Mim\Local Settings\Temporary Internet Files\Content.IE5\DRFDHWHB\bok.gif. I contacted them and was advised to manually delete both.
However, both subverted the search function, changing the document name’s character string when I attempted a search from Explorer. Listing the files did not show either.
I did a fix based on the instructions at www.securitytango.com, which instructed me to delete all temporary internet files as best I was able, empty the recycle bin, delete all temp files, turn off system restore, reboot in safe mode, then download and/or update these programs:
AdAware, the free version
SpyBot Search & Destroy
My own antivirus software and firewall software (Trend Micro PC-Cillin 14, Windows)
Last, I was to run the programs in this order:
Trend Micro PC-Cillin 14
Spybot Search & Destroy
After a lot of hang-ups, frozen screens, etc., I ran everything and the pop-ups stopped. Success?
Somewhat paranoid, I started each day running Trend, AdAware, and Spybot. They found:
Redirect\.\le entry qty: 1 TAI: 4 (threat analysis index)
SpywareProtect2009 entry qty: 2 TAI: 3
Win32TrojanAgent entry qty: 2 TAI: 10 (highest level)
AdRevolver, 4 entries, Browser
Doubleclick, 1 entry, browser
Fastclick, 1 entry, browser
HitBox, 6 entries, browser
MediaPlex, 1 entry, browser
WebTrendsLive, 1 entry, browser
WildTangent, 108 entries, PUPS
Win32.Agent.pz, 3 entries, malware
Win32.Banker.xe, 2 entries, Trojans
Win32.TDSS.rtk, 6 entries, MalwareC (notice this one; a version comes up later)
WnSpywareProtect, 1 entry, MalwareC
Zedo, 5 entries, Browser
Okay, so the computer seems to be running okay in normal mode until a week later, when I had my home page (yahoo.com) and several Yahoo Answers tabs open, I started hearing an ad for Octane TV. It stopped when I closed yahoo.com without looking, but a minute later it started up again. I closed all the tabs, shutting down Firefox, but it continued. I closed Word (which had no open documents), so I was running nothing at all, and it still continued.
Windows Task Manager showed an .exe application (damn, I should have jotted it down; it mimicked internetexplorer.exe, which I did not have open) taking up 96,000 units, far more than any other application. When I ended it, the sound stopped. I immediately ran AdAware, which had done its automatic scan earlier in the day, and it found WIN32RootkitTDSS (plus some cookies) with a Threat Analysis Index of 10. It was able to quarantine it and said to reboot, which I did. The reboot got hung up. I used the on-off button to reboot again.
My second reboot seemed to work, but when I tried to run the full scan of AdAware, I got frozen again. I rebooted yet again, in safe mode this time, and the full scan of AdAware showed the same malware, WIN32RootkitTDSS. Again it was quarantined. Again I was told to reboot. Again the reboot started normally, then got hung up on a black screen. Using the on-off button, I did a manual reboot and I seem to be okay again.
But the next day (today), my PC can’t boot up in normal mode. First attempt gets me my usual wallpaper but no icons, no tray, and no quick launch. All subsequent attempts get me the wallpaper, icons, tray and quick launch, but double-clicking on icons does not open their applications, and the tray and quick launch icons seem to be on hourglass status indefinitely.
I am able to boot in safe mode with networking. And that’s how I got here.
I apologize for such a long post, but being less than knowledgeable about computers, I don’t know which detail(s) will provide the “Ah-hah!” for those attempting to help me out.
Speed Of Late
Edited by SpeedOfLate, 22 March 2009 - 09:53 AM.