When Windows reloaded, I found that searching Google/Bing/Yahoo for any queries and clicking the result links opened random advertising and other search engine pages. I normally use Firefox, but found the same happened in IE as well. I get occasional popup windows opening with no user activity. These sometimes open when no browser was already open too.
Testing further with Firefox, I found that if I typed the result URL directly, I got the correct page, but if I clicked the link I got the hijacked page.
I also found that dragging the result link to the tab bar opens the correct page. Not all results get hijacked - it seems to be random.
Also, I am unable to get to Windows Update by any method I know. Both IE and Firefox give a 'connection reset' message for windowsupdate.microsoft.com.
I uninstalled and got the latest Firefox - no change (didn't expect one, but worth a try).
I noticed some new services got installed. Can't remember what they were, but I removed them. No change to system.
I have run the latest AVG, found a couple of trojans, but they were in old game files I haven't used in months. Deleted them anyway. Listed as TrojanHorseDropper.Generic.BVNA
Have run RootkitRevealer, found a heap of registry keys dated 25/05, the date of the infection.
A bunch of them have swearware in the path, and appear to be backups of Winsock settings.
Also a lot of files dated today (27/05) that are hidden from windows API, but these appear to be temporary internet files from IE and firefox.
Have attached the complete log.
I used the Windows CD to run the recovery console and ran fixmbr. This seems to have slowed the rate of browser pages that get hijacked, but some still do.
I still get the odd random browser window that opens by itself, but these are also less common.
Have also run DDS and GMER as per instructions on this site. Logs attached.
So, hope one of you good folk can help. Otherwise I'll have to reinstall everything I guess. Out of interest, does this even fix rootkits?
Don't know if this is related, but even though I can browse these forums on my PC I am unable to create a post. I have had to post this from another PC.
I think I have fixed this infection. I installed MS Security Essentials. It found win32/alureon.h and win32/ertfor.b and was able to remove them both.
I also rebuilt the TCP/IP stack and reset the DNS addresses to the correct ones, as these had been modified.
System appears to be working normally - I can now run Windows updates just fine, web searches are no longer being hijacked, and random popups appear to be gone as well.
Edited by Budapest, 29 May 2010 - 07:51 PM.
Posts merged ~BP