I recently worked on a client's Windows XP computer that had multiple infections. I used several programs to clean it and spent a lot of time combing over logs to make sure it was virus-free. It came up clean on Malwarebytes Anti-Malware, Spybot Search and Destroy, Avira Antivirus, and SuperAntiSpyware. HijackThis logs looked clean as well. I uninstalled unnecessary programs and combed the logs for any services that looked suspicious. All looked good.
Despite all this, upon getting her computer back, her browser was hijacked and a rogue anti-spyware program tried to scare her into installing it. She didn't, thank goodness.
I took the computer back and tried to replicate the problem (I could not). I scanned it seven ways from Sunday, looking for anything and everything I could find that might be causing it. I returned the computer to her and asked her to take a picture if it came up again.
It finally happened last night. I was able to track down the problem as drlcleaner.info. The screen matches this one exactly:
http://www.2-spyware.com/remove-drlcleaner-info.html (not the popup, but the one behind it.)
What bothers me is that none of the tools I used even detected this thing! It flew under all of them! I've cleaned many viruses off of computers (and learned a ton from these forums) but have never found one like this. I thought I would share here and see if anyone else has had trouble dealing with this one or even seen this before.
Edited to add: Every single one of the programs I used was updated with the very latest antivirus/anti-spyware/anti-malware definitions. Both IE and Firefox were updated to the latest versions and inoculated with Spybot Search and Destroy. I had put Adblock Plus on Firefox to further protect in case of malicious ads. How this got by everything, I'm not sure. But it really bothers me!
Edited by llynara, 06 November 2009 - 12:38 PM.