First off, I'm happy to have found such a forum as this. I've read a lot from it in the past few days.
Let me tell you about my machine -- I built it entirely from scratch and have been using it nicely for almost 2 years now without any problems.
My OS is Windows XP with SP3.
My internet browser is Firefox 3.6.9.
The problems began late Sunday night (13 SEP 2010) or early Monday morning, when I clicked on what I thought would be a hilarious "FAIL" video from within the Facebook wall. Instead, it took me to another site that I didn't recognize.
The problems mimic the Google Redirect Virus and its closely related "waiting for www.google-analytics.com" issue. I read articles both here and in other places on how to deal with that.
I've used HijackThis, MalwareBytes, TDSSKiller and attempted also to run ComboFix at the advice of an IT professional (a friend of mine) but was unable to run it due to an error that said the computer was infected with "Virut". I've tracked down registry keys and values, looked at processes, services and other things to try to solve this.
I'll tell you what I SEE and experience right now:
1. I see a mysterious file called "2008.exe" in the root of C:\ and when I delete it, it stays away until I reboot, and then it's back again.
2. I see a folder created also in the root of C:\ which has a long name suffixed with .tmp, which contains but a single file, "iexplore.exe".
3. A mysterious process from C:\WINDOWS\ called svc2.exe kept starting until I edited my MSConfig settings in the Startup tab and unchecked it. SOMETHING, however, occasionally brings it back!
4. Every time I restart, whether in regular or Safe Mode, IEXPLORE.EXE pops up as a process, even though I'm not (ever) running Internet Explorer, and it starts usually within 10 seconds of logging in. This process starts also regardless of whether I'm logged in as myself, Administrator, or anyone else (there's only one other active profile on my machine, belonging to my brother).
5. Upon restart, my hosts file gets rewritten exactly as follows:
#/IP for Windows.
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
# For example:
# 22.214.171.124 rhino.acme.com # source server
# 126.96.36.199 x.acme.com # x client host
...that is, until I made the hosts file read-only, and it hasn't been hacked since.
6. As far as the "google redirect" issue goes, when I go to www.google.com and use the search engine that way, I can click on any result I find without problem. However, when I use the Google search tool built in (I do not have the Google Toolbar installed), I get the same search results, but clicking on any of the links redirects me to random ads.
I have not heard any follow-up on the issue of Virut and whether or not there is a legitimate and permanent fix to it. It seemed that the consensus from more than a year ago was that if you had Virut, you were simply hosed. Is this still the case one year later?
I'll be ready to provide any other info and results/logs from new attempts to fix this upon request.
Edited by hamluis, 16 September 2010 - 05:19 PM.
Moved from XP to Am I Infected ~ Hamluis.