System: WinXP home edition SP3. Main browser FF 3.16. AV: Avast! AntiVirus 6.0.1203; Others: MalwareBytes, SpyBot S&D latest version, definitions updated a week ago.
I'm not sure what I got infected with but the behavior I have been seeing is:
Redirects from Google searches; after a few times the browser (FF 3.16 IIRC) hangs entirely.
Tried launching Chrome instead; it will not start. Rebooted the system and came up with a BSOD: System error code 1000 008e, parameters C000 0005, 805ce 1cc7, f7b0 2c74, 0000 0000
HJT will not run, error msg: Windows cannot access the specified device, path, or file. You may not have appropriate permissions to access the item. Same message when attempting to run Malware Bytes. When attempting to rename the file, the result is an error that it is unable to rename the file; make sure the device is not write protected or the file is not already in use. Same behavior when logged in as admin or user account in safe mode.
However, from USB in safe mode, I am able to run HJT. Parsed the log through www.hijackthis.de and hjt.networktechs.com with no suspect entries found.
Have DDS logs, can upload if requested. I am using a laptop as infected PC is very unresponsive right now, screenshots will be difficult if not impossible to achieve.
GMER found nothing suspect.
Attempted system restore, after reboot got failure message stating that nothing was changed.
Avast! antivirus is disabled; attempts to start its services fail with a message about not being able to reach the endpoint. Haven't captured the exact text, but can try again in a while. Currently Avast will run a scan in safe mode, and I am running that now. It has already found one infected file. In the quick scan, it has already run for over 30 minutes and shows 99% complete, but it is in C:\program files\ right now so will not be done for some time.
While running DDS I got some messages from my firewall (PC Tools Firewall Plus) about something trying to access the MBR. I thought it was part of DDS scanning but I was concerned about the MBR part so I enabled the first alert but the second one raised my suspicions so I blocked subsequent attempts. I couldn't find a log file in the firewall program folder, but next time I reboot I will go into the firewall GUI and see if I can pull a log from there.
I can normally fix these by myself, but I get stumped when they disable my tools. I got Avast in part because it pops a warning when you try to change it, which made me think no rogue process or service could disable it w/o my knowledge. I'd really like to know what this is just so I can learn about it.
Thanks for any assistance.
Edited by Mike303, 08 October 2011 - 10:18 AM.