Help me get rid of virus PLEASE!!
so, here's the deal
I recently got a virus. The first problem was that my computer just sat at a black screen and would not startup after a restart. So i did a windows xp repair install. The next symptom was that it slowed wayyyyyyyyyy down. Then I noticed that if i go to google.com and try to click any link from my search I get redirected to 1 of 2 websites every single time. It mainly redirects to a site called flurrysearch.com so i either have to type in the url bar the website or view it through google cache. The main problem is the slow comp. my cpu usage (as viewed in task manager) is always at 100% even if I'm not doing anything. which makes me sick.
As far as the redirect problem, I've tried running avg free, avast, spy bot search and destroy, and still nothing. I need help getting this mother fucker off my computer… I've looked at the host file, cleared the dns cache and searched my computer for the urls that my google searches are redirected to. It found a couple items in my system32 folder which i deleted but it did not fix the problem.
Right now I'm running avast and it is constantly popping up and saying malicious url blocked, well not constantly but like every 5-10 minutes. it's a lot of different urls not just a couple. The virus is using the process names of scvhost.exe and DJS.exe. The DJS.exe i believe has been removed, that was that annoying little fucker that is the fake windows security virus scanner shit. i believe that avast has removed that from my computer as the icon isn't there anymore and i haven't seen the process in a while. there are 5 scvhost.exe processes and the one that I believe is the virus takes up the most mem usage out of any other process.. But when i remove it it doesn't change too much. I have a few viruses I'm sure. windows memory too low is popping up all the time also, obviously..
Oh, come to think of it there is another odd problem that this virus is causing, it's actually causing my dick to shrink. I dunno wtf but i used to be an average 8-9'', but ever since this virus I'm only 5.5''… This isn't just affecting me anymore…. no but for real it's causing my computer to stop playing sound. Unless i double click the speaker icon very first thing upon startup i cannot get it to come up and even after i get it up (so i can change the volume levels and such) sometimes my comp won't play any video or youtube or flash or whatever with sound. but if i click the volume button it beeps on the speakers so i know they are still working. but still i can't get volume on youtube or vlc or divx etc. Sometimes i can and sometimes i can't.. it's really weird…
Any ways if anyone knows of a good virus scanner (free or torrented) I would really appreciate the help. Or maybe if someone else has had experience with a similar virus they could guide me in the right direction. I know this was a long post and i thank you for reading it.
Thanks.
EDIT: Yes how stupid of me… I'm on windows xp pro SP2. I'm using a dell computer. every piece of hardware i have in that comp was ordered through dell, except the cd-rom because the dell cd-rom i had stopped opening.
Reinstall windows (not repair install). Probably the easiest solution.
If you don't want to do that you could check out http://www.malwarebytes.org/ and http://www.superantispyware.com/
apescanfly223 wrote: Oh, come to think of it there is another odd problem that this virus is causing, its actually causing my dick to shrink. …
cool thanks a lot for the help ill download those right now. I cant realistically reformat at the moment because i don't have any way to backup my files, some of which are actually very important (school and what not.). Any way thanks again ill check those out.
EDIT: I just noticed another problem these viruses are causing… When my speakers stop working and i cant hear any movie or show i play there is a weird like ticking/cracking sound and in the background is white noise. anyway just thought i would add that in case it matters.
In the future, start by posting your OS and system information. Example: Win7 sp1 64-bit. Don't format. Anyone who suggests that immediately for any malware simply hasn't seen the football since kick off. Nothing personal, just I see that suggested every time.
Start with running combo fix. It may take a while for it to do its thing, but hopefully it will solve your problem. http://download.bleepingcomputer.com/sUBs/ComboFix.exe/
If you would like to narrow down what process is causing the problem, you can use process explorer. You're going to be looking for a misspelling of svchost.exe, or svchost.exe that isn't a child process of services.exe (for example svchost.exe as a child of explorer.exe as a child of cmd.exe). If you see anything obvious, you can right-click and kill the process tree. Any changes will be undone on reboot. http://technet.microsoft.com/en-us/sysinternals/bb896653
Edit: Does this sound like you? I still would start with ComboFix. http://fixredirectvirus.org/?hop=iamtheceo1
Quoting from that last link "I used combofix about 10 days ago to solve the google redirect problem…no more redirects. Thank you for the help.Sincerely…J. Gheta"
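The two Process Explorer checks described in the post above (a misspelled svchost.exe, or an svchost.exe whose parent is not services.exe), as an added example that is not part of the original thread: it runs both checks over a process snapshot. The `pid`/`ppid`/`name` record layout, the two-edit threshold and the sample snapshot are assumptions constructed for illustration.

```python
LEGIT = "svchost.exe"
EXPECTED_PARENT = "services.exe"

def osa_distance(a, b):
    """Edit distance where swapping two adjacent characters counts as one edit."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            # adjacent transposition, e.g. "sc" <-> "cs"
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def audit(processes):
    """Return (pid, name, reason) for each process that fails either check."""
    by_pid = {p["pid"]: p for p in processes}
    findings = []
    for p in processes:
        name = p["name"].lower()  # Windows image names are case-insensitive
        if name == LEGIT:
            # Check 1: a genuine svchost.exe is started by services.exe
            parent = by_pid.get(p["ppid"])
            parent_name = parent["name"].lower() if parent else "<not running>"
            if parent_name != EXPECTED_PARENT:
                findings.append((p["pid"], p["name"], "parent is " + parent_name))
        elif osa_distance(name, LEGIT) <= 2:
            # Check 2: a name within two edits of svchost.exe is a look-alike
            findings.append((p["pid"], p["name"], "look-alike name"))
    return findings

# Constructed sample snapshot; not taken from a real machine.
SAMPLE = [
    {"pid": 4,    "ppid": 0,    "name": "System"},
    {"pid": 700,  "ppid": 620,  "name": "winlogon.exe"},
    {"pid": 744,  "ppid": 700,  "name": "services.exe"},
    {"pid": 920,  "ppid": 744,  "name": "svchost.exe"},
    {"pid": 980,  "ppid": 744,  "name": "svchost.exe"},
    {"pid": 1500, "ppid": 1400, "name": "explorer.exe"},
    {"pid": 1620, "ppid": 1500, "name": "scvhost.exe"},
    {"pid": 1764, "ppid": 1500, "name": "svchost.exe"},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Several svchost.exe processes running at once is normal; the count alone is not a finding, which is why the check looks at the name and the parent.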
starofale wrote: Why not? It requires less effort than manually removing malware and is more likely to get rid of it as well.
uggh. And then he has to re-install all the applications, has to re-update everything, and he also has to completely backup all his files before the reformat, so there's a chance that the malware is still there.
Time is the issue. It should take a max of 1 hour to run combofix - and it may take 2 hours just to format. Then you have to deal with drivers, software, software settings… And then I'll have a customer calling me back 2 weeks later wondering how to get some obscure Windows setting back the way it was.
Sometimes I do format though. Usually those computers were bought used, or they haven't been formatted 5 years or so. They're always painfully slow, and there's just so many things that can cause those kind of problems. If I format in that situation, then the next time I see that customer I'll know what their computer should be acting like too.
On my own machines, I format all the time. I have everything backed up, so it's real easy.
May I add to maug's excellent advice?
I would absolutely back up his suggestion and suggest a second to process explorer with Security Task Manager - which is quite useful for identifying DLLs / EXEs which use perceptually more "dangerous" Windows API calls.
It's a more general tool for finding malware and malicious modules that are attached to any process - things that an Anti-virus or malware scanner may not necessarily pick up if it doesn't have a signature/footprint whatever they call it (sorry for loose terminology here). The advantage being, once it's in memory and executing, attached to another process, it's often then been unpacked and thus can be easily spotted between driver DLLs and safe EXEs.
Often the problem is that once things appear to have been "cleared" by malware scanners they can't always get to the root of it and find the self replicator - sometimes lying dormant in Temp directories or common Windows directories (even FS directories you strictly have limited access to).
They often have two levels too, the malware annoying the hell out of the user is really just to maximise the time that other stuff takes up all the resources and keeps them occupied trying to solve symptoms rather than the cause. This may be a chain of things but underneath there is often something more serious which can be anything from "botnets", key logging or even in places distributed computing - but the specifics lie in what the attackers want and what it's programmed to do.
Another set of tools I've found useful to clear this up, would be applications like:
>> Dr Delete [http://www.docsdownloads.com/Tier1/dr-delete.htm] Which allows you to schedule files to be deleted on the next system start BEFORE the rest of windows kicks in. Bear in mind this may not always do the trick but allows one to monitor if anything replicates under new names and possibly reveal where it originates from…
If all else fails in removing files, get a Linux distribution and install NTFS-3g to enable write access to your Window partition/HDD and remove files manually or conduct any scans possible from Linux - that way nothing is interfering with what the scanner can/can't read on the disc which Windows may restrict.
>> Generally any disassembler that will give you quick and easy access to a string table helps you to narrow down Class IDs/File paths/URLs etc that the malware may be using. PE Explorer / W32DASM might do.
>> A malware scanner isn't the best but helps to clear up once you've got rid of the replicator and any other backdoors/trojans/(possibly rootkits) associated. I found A squared did a good job for obscure crap.
Hope this helps, best of luck sorting it out.
Jim,
i don't have much to say, in my past experiences when my antiviruses don't detect, or can't remove the malware, i run msconfig to see what processes are being started at boot, i note where the location is and then do a regedit to modify my registry keys, if it gives me a hard time to do so, i boot up in safe mode and do the above mentioned. once i have deleted them, i run adaware, spybot search and destroy, and my anti virus, i prefer NOD32.
sometimes the little bugger is inside your application data folder with some weird name or inside a long nonsense named folder like: "kji&%$&(jjnghs". u need to delete that one also, or else you did everything in vain.
wow, thanks for all the very helpful replies. I had a bit of a family emergency so i actually forgot about my computer for a while. That is why it took me so long to respond. I did all that was suggested and im happy to report that my computer seems to be back to normal! Thanks lots. seriously…….
For future reference what is the best anti-virus/malware/firewall (free or otherwise) to use? I want to keep this from happening again if possible.
For any future readers of this thread pay attention to j4m32's suggestion about using a linux distro. This will enable you to delete/edit/copy/replace/scan files you wouldn't be able to with windows running. This will save a lot of time and headaches, at least if you know how to use a linux shell a little. Plus you can scan files for malware or viruses etc. that a virus scanner couldn't check when running windows. I actually did this before i made this thread to backup and replace a few registry entries and a bunch of important files that i thought were corrupt.
Just to make people's lives easier here are the approximate commands to use to mount a file system with read/write privs. I use backtrack 2 distro, so if you use BT2 these commands should work exactly, of course you need to change the drive name and what not. (I may mis-spell a command or an option but i think this is correct.)
df -h
use the df command to find out which partition windows is using. lets say you find out it is sda2 then you would use:
umount /dev/sda2
this will un-mount the drive so you can re-mount it with writing privs.
then:
mkdir /mnt/windows
mount -t ntfs-3g -o force /dev/sda2 /mnt/windows
It may say something about it can't mount the drive without a clean something or other… it will give you a command to use, use it. then try the command above 1 more time.
The df -h command will tell you what partitions are on the hard drive and how much space is used and how much is available. the '-h' option is for human readable results.
After you mount it as the type ntfs-3g you now have full read/write/execute privs. This is a HUGE help because usually when you're using windows you cannot access certain important files because they are being used by the operating system. This will give you complete access to all the files. You can now repair any damaged files by getting them off your windows install disc or from the net. You can also change the local admin account password to whatever you want by mounting like this as well. Using bkhive and samdump2 you can change the password to anything you want.
To find your files use
cd /mnt/windows
then you can change directories into like system32 or w.e. remember though linux is CASE SENSITIVE. so cd /mnt/WinDows will not work, that directory doesn't exist. /mnt/windows exists… you can use the tab key to auto detect a directory. for example type "cd /mnt/w" then hit the tab key and it will either complete the rest of the directory for you or (if there is more than 1 directory starting with w) it will display all options. If, let's say, there are 3 directories named /mnt/windows /mnt/windmills /mnt/windfalls, if you type "cd /mnt/w" and hit tab it will complete as much as possible and will now look like "cd /mnt/wind". It will list the possible options and you can add an "o" "m" or "f" and hit tab again to have it auto complete the directory for you. this is a great feature especially for long directory names or dirs with weird spelling or capitalization. i don't know why the fuck i'm going on about linux commands rofl……… lack of sleep probably has my mind all fucked up.
Anyway just thought i would contribute for future readers. And thank the people who have helped, much appreciated :happy: