Posted 01 December 2010 - 03:55 PM
This is my first post; I hope I've chosen the correct forum. You can guess from the title what this is about, but I'll give you a brief history and some background.
I'm an IT professional, albeit not too knowledgeable about PC/Windows technology, and the malware discussed below infected my 'work' laptop, which is running XP Professional, SP3. I have another machine at home that I use for 'doubtful' surfing (YouTube, Facebook, random web links etc.), so I was surprised that it was my work machine that got infected, especially as we run Kaspersky Anti-Virus 18.104.22.1682, with daily updates. However, I believe Kaspersky class the first item mentioned below as malware, not a virus (!).
Anyway. I picked up the Rogue Security Tool first (no idea how - can you get it from opening emails?). Did some reading on the BC forums, then downloaded RKill, MalwareBytes and SuperAntiSpyware, with which I managed to get rid of it.
Then I noticed that links from Google searches on Firefox (version 3.6.12) were intermittently redirecting; plus I started getting virus alerts from Kaspersky, warning me about the creation of a file called 123.js. Each time the warning popped up, I chose to delete the 123.js file, but it would re-occur soon afterwards.
At this point, I ran Trend Micro's Housecall (quick scan), which told me I had the trojan Bamital!inf and another virus, PE_PATCHED.SMC, that had infected winlogon.exe and explorer.exe.
TM Housecall gave me the option to fix these (after a reboot), and sure enough, Bamital disappeared from the scans, and the warnings from Kaspersky stopped. However, according to TM Housecall, PE_PATCHED.SMC remained (is this a false positive?) and the redirects have continued.
I've tried using IExplore 6.0, and have seen no evidence of redirection, but that may be because it is intermittent. Needless to say, a proportion of the Firefox redirects are to what Mozilla refers to as 'attack sites', which are blocked. Sometimes, the click-through will arrive on the correct website, but within a few seconds I get an error screen with the message: 'Content Encoding Error. The page you are trying to view cannot be shown because it uses an invalid or unsupported form of compression'.
Apart from the TM Housecall results, no other scan is currently reporting any malware (Kaspersky, MBAM, SAS).
That's all for now, sincerely hope the cavalry can ride in and rescue me.