Posted 02 September 2009 - 03:49 PM
System information (Toshiba laptop PC, Windows XP Home, XP firewall, Internet Explorer 7, AVG 8.5 Free Edition, ZyXEL wired router)
My Toshiba laptop PC has recently been attacked by one or more viruses. It started when I clicked on an apparently innocent forum page, a site which in the past has never posed a problem (not that I visit too often). I immediately received a notification that my XP firewall had been turned off. The hard disk started to get very busy and I knew something wasn't good. I immediately powered off my router to avoid further trouble but I guess by then it was too late. I went to do a System Restore but I noticed that all of my restore points had been deleted. At the time though, I could create new save points. I knew they would have been worthless as I had already been attacked but wanted to see if I could actually perform it.
I rebooted the PC and saw straight away, upon running Internet Explorer, that my Google searches had been hijacked. Like many others, I was starting to get redirects to Cliccker.cn, among others. Over the course of time, the redirects seem to have grown so the correct links become less and less common the first time I click on them.
This isn't the only problem though. My firewall defaults to Off every time I reboot and sometimes switches itself off while the PC is on. I have also noticed that the hard disk is gently and briefly accessed every ten seconds. It never did this before. I have tried using a program called Process Explorer to see what is accessing the disk and while I don't know the program's functionality very well, what graphs to look at and so on, I did see that there is always exactly 13.5 KB worth of data being accessed each time.
As time has gone on, System Restore no longer works at all. CheckDisk has stopped working too. Today I also saw, on bootup, an error saying there was a fault with Pad.exe (part of my laptop's functionality). I am guessing that without a mouse, I might not even be able to scroll around and click on things.
I also did a Windows file search to see what files had been created or modified on the day of the attack. I did catch two .tmp files. One was Serr.tmp and the other was Ocerxawmns.tmp (I can't remember if they started with capital letters). These were in the Temp folder (I'm afraid I cannot remember which one).
I looked up these in Google (when it can work). Serr.tmp was listed as a nasty looking virus and with some symptoms that are similar to what I am getting. There wasn't a lot of returned searches on this file though so it seems funny that not a lot of information is available outside the first returned search entry. The second file I mentioned didn't come up in Google at all.
I have also seen references to something called tmp.edb, which I cannot tell if it is a virus or not as webpages in Google couldn't give a confirmed answer.
Therefore, I don't know exactly how many viruses I have in my system and whether they are related (I believe Cliccker and Serr.tmp are, however).
I haven't taken any steps to remove anything yet, other than cleaning out the Temp folder (and deleting the above mentioned .tmp files). AVG detected nothing at all upon the attack and didn't even find anything wrong with Serr.tmp. I also ran Trend's online Housecall 7 Beta which found two trojans. These files were listed as 26C3.tmp (detected as TROJ GEN.0Z10 46) and ~TM27.tmp (TROJ BREDOLAB.EZ). However, it didn't find anything else after further searches.
I won't do anything else until I have received a response from you, judging by advice given in other forum threads. For the record though, it scares me how easily my PC has been thrown into disarray and whether it will happen all over again. I don't even know how the original website got infected. The other thing I am worried about is that I had my external hard drive connected at the time and I am concerned that the virus has got onto it (something Serr.tmp is supposed to look for). I don't run any programs on the external drive though. All I have are 3D image files, music, 3D movies and PDF documents.
Finally, is there any chance that my router could be infected? I didn't believe this was possible but some people say it is possible. I recently went into my router's configuration page (entering a password) to enable the router's firewall as a backup (I had it disabled while running tests for my Xbox 360). I see the DSL light flashing on it more often than it used to, even when the PC isn't on. I'm mentioning this just for the record.
I apologise about the length of this post but wanted to detail everything clearly so it could be beneficial, not only in helping me but also to increase further awareness of these apparently new viruses. I've recently downloaded HijackThis so I will be able to post a log if you require it at some point in the future.