Folks,

PV1:

Correct. But I had to do some detective work before I knew what the problem was and what I needed to fix it.

A bit of background:

I have been tormented by this nasty bit of code for weeks. We had just suffered a fatal crash on my computer that was caused by a failed power supply. I had several prophylactic precautions installed on that box and I had never had an infection that was not immediately dealt with by one or the other. This computer I am now using was my son's and unfortunately it only had AVG and Adaware running on it. The AVG definitions were however up-to-date.

One of us apparently downloaded and opened something we shouldn't have. AVG failed to stop the malicious code from installing and then it refused to find and delete it. I suspect that it was blocked. Adaware was the same. I could not install and run Spybot Search & Destroy or go to many security related websites for help or for a scan. They were all blocked!

I could not even get online without resorting to clicking several times on my IE icon in the quick launch bar. I was unable to revert to a previous state in XP. None of my programs were allowed to update including the OS. When surfing the Internet we were being re-directed to other sites. Whatever it was it seemed to be sophisticated.

Since I could not get to any security sites for help I decided to call my friendly but costly local PC guru. Over the phone, he recommended a HDD wipe and a clean OS install. That would do the trick I reasoned but I did not especially fancy doing that. Relocating drivers and software registration codes and all the other stuff seemed way less than fun to me.

OK. First I tackled the aggravating problem of multi-clicking the IE icon to get online. This also prevented reputable software being able to access the Internet to update or to retrieve HTML help pages etc.

I began to use the task manager to see what processes were running. I was able to download Process XP which is a free program that gave me more info on what was running. I had noticed that once after a re-boot I could get online with but one click again and a particular file was missing from the Windows task manager. After a new re-boot that file was back and so was the problem.

I looked up the process online and then I used task manager to dump it. I no longer had that problem even without re-booting. The process was out of memory. I checked the startup file to see what was loading at boot time. I removed the problem process so that it would not return.

Now I began the painstaking process of checking every process in the start file and in task manager online. This took some time but one by one I removed several processes that were questionable or clearly unneeded. I also found that if I opened each web page in a different window twice most of the re-direction stopped. Not all.

At times I would get one of those fast multi-click situations that would have flooded my browser with pages had I not closed it with task manager. I began to associate this with spoolsv.exe. This is a normal process and it is used by Windows in the printing and certain other processes. It is OK to disable it because it will return after a re-boot. I did close that and the multi-click attacks stopped.

I found that I had CW Shredder already on the HDD so I ran that.... nothing.

All I was doing so far was denying the nasty code what it needed to run and I was having a little success in that. But it was not yet found or removed and there was a limit to what and how many processes I could safely close and keep Windows happy. I checked the Windows Firewall and found it had been mysteriously turned off and I removed several questionable exceptions.

I was now able to get to some security sites that I was previously denied access to. I started checking on AVG. I found that I could update its definitions file manually by downloading files from their website into the proper AVG directory. Then I simply directed AVG to update itself from that file. Now it worked better. It found and removed some tracking cookies. But it did not remove the problem code.

I checked the program settings and scan settings in AVG. All seemed as they should be but I noticed that the scan for Rootkits was grayed out. I didn't know what a rootkit was. I did not know if this feature was supposed to be unavailable in the AVG 8 free edition or if the infection had done it.

I looked up rootkits online and I was amazed when I found out what they were and what they can do. It sounded like my own particular variety of nasty beastie. I began to search the Internet for a freeware tool that specifically targeted rootkits. I tried several with no luck.

Then when I was about to give up I tried a little Sun Micro Systems program titled Rootkit Buster. That ran only a few minutes before it found and deleted my rootkit problem. After running that program everything has more or less fallen back into place. There is no more re-directing or difficulty getting on-line.

All my programs including XP and AVG are updating properly. AVG updated to ver. 8.5 automatically. XP downloaded a large backlog of security updates including IE 8. I have loaded SBS&D and I have run that. It found several additional registry problems and fixed them. I have removed Adaware and loaded Super-Anti-Spyware. I ran that. It found 130 questionable registry threats. I have now added Process Guard and Script Sentry to my defensive arsenal. I run CCleaner every day to remove trash and keep the registry clean. I defrag both my HDDs at least once a week. That had also been prevented. Perhaps it is overkill but I am paranoid now.

After successfully running Rootkit Buster I found PandaRootkit and I ran that. That is a highly praised freebie I understand but it found nothing. Hopefully all is now infection free and it will stay that way. For a novice I have done all that I could do. smile

DISCLAIMER:

No one in his right mind should read the above with the slightest intention of doing any part of it themselves unless they do not care if their PC locks up and melts. I was lucky. You might not be. Every system is different, every infection is therefore different. You might get an entirely different and disastrous result.
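The manual triage PV1 describes above (going through the startup entries and the task manager process list one by one, then checking whether the firewall is on and what exceptions it has) can be collected in one read-only pass. The script below is an added example for this thread, not something PV1 ran or any product's own tool: it lists Run/RunOnce autostart entries, running processes with their image paths, flags processes whose image lives outside the Windows and Program Files trees, and prints the firewall state. It assumes a modern Windows with PowerShell 3.0 or later and the `advfirewall` netsh context (on XP the equivalent commands were `netsh firewall show state` and `netsh firewall show config`); the "unusual location" check is a simple heuristic of mine, not a verdict, and the script changes nothing.

```powershell
# Added example, not from the original post: read-only startup, process and firewall triage.
# Assumes PowerShell 3.0+ (Get-CimInstance) and the advfirewall netsh context (Vista and later).

# The autostart locations the poster checked by hand ("the startup file").
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Properties Get-ItemProperty adds for its own bookkeeping; they are not registry values.
$providerNoise = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

Write-Host "== Autostart entries (Run/RunOnce) =="
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($providerNoise -contains $p.Name) { continue }
        '{0}\{1} = {2}' -f $key, $p.Name, $p.Value
    }
}

# Win32_Process gives the image path even for processes Get-Process cannot open.
$procs = Get-CimInstance -ClassName Win32_Process

Write-Host "`n== Running processes (name, PID, image path) =="
$procs |
    Select-Object Name, ProcessId, ExecutablePath |
    Sort-Object Name |
    Format-Table -AutoSize

# Heuristic (my assumption, not a rule): legitimate services and applications usually run
# from the Windows or Program Files trees, so anything else deserves a closer look.
Write-Host "`n== Processes running from outside Windows / Program Files (review, do not auto-kill) =="
$procs |
    Where-Object {
        $_.ExecutablePath -and
        $_.ExecutablePath -notlike "$env:SystemRoot\*" -and
        $_.ExecutablePath -notlike "$env:ProgramFiles\*" -and
        $_.ExecutablePath -notlike "${env:ProgramFiles(x86)}\*"
    } |
    Select-Object Name, ProcessId, ExecutablePath, CommandLine |
    Format-Table -AutoSize -Wrap

# The poster found the firewall silently turned off with extra exceptions added;
# the state per profile and the allowed-program list are worth capturing before touching anything.
Write-Host "`n== Windows Firewall state per profile =="
netsh advfirewall show allprofiles state

Write-Host "`n== Firewall rules that allow inbound traffic to a specific program =="
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Get-NetFirewallApplicationFilter |
    Where-Object { $_.Program -and $_.Program -ne 'Any' } |
    Select-Object -ExpandProperty Program -Unique
```

Run it from an elevated prompt so Win32_Process can report image paths for system processes, and save the output to a file so the lists from before and after a reboot can be compared; a process or Run entry that reappears after being removed, as spoolsv.exe and the poster's missing-then-returning file did, is exactly what the side-by-side view makes visible. The last section needs the NetSecurity module (Windows 8 / Server 2012 and later); on older systems use `netsh advfirewall firewall show rule name=all` instead.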

MG:

Let us hope that, like the lady who scheduled liposuction on her butt, your problems are all behind you now.

Dux:

Yikes! How long does it take to drive a truck laden with Olga and several heavy cases of Rocket Fuel Additive labeled Vodka across the Atlantic? No one but Olga could make it. I hope that you gave her the standard fake address? Yes, the very one C51 gave us for forwarding all his mail to when he moved back to Canada....


Originally Registered January, 2001 Member Number 3044

"Blessed are they who expect nothing, for they shall not be disappointed" - Edmond Gwenn, "The Trouble With Harry"

CELEBRATING EIGHTEEN YEARS and over 20 MILLION VIEWS on SNAFU's HWH thread- April 2019