As mentioned in a previous post, I have been attacked by malware.


I cleared my cache and deleted all my cookies, and I thought it might have fixed things, but it didn't.

I ran a full virus scan, AVG says my computer is clean. I have now seen the problem on other websites (Amazon, eBay).

To be more specific about the problem: web pages will have random words highlighted in yellow and underscored, and if my mouse cursor touches the highlight, I get what you see in the attached screenshot. In this case, it is the word "Total" (after File Manager) that triggered the popup. Sometimes the trigger is a word that I have typed, other times (as in the attached example) it is in the "boilerplate" of the page.

I really, really, don't want to nuke and repave to get rid of this thing. What should I do?

tanstaafl.

What browser are you using ?

Have you tried installed and running Malware Bytes ?

http://www.malwarebytes.org/

I see from your other post that you have a selection of browsers installed.

Does the same problem occur in all browsers or just in one of them ?

In Chrome, check that you don't have any extensions you don't expect (menu -> Tools -> Extensions).

In IE, check that you don't have any plugins that you don't expect (Cog -> Manage Add-ons).

I don't have Firefox installed on this PC.

Also, use SysInternals Autoruns, which will display a list of stuff loaded at startup. In particular, since this is affecting your browser (if it's IE), look in the Internet Explorer tab.

Note that most of this stuff is benign, so don't go disabling or uninstalling it without checking first.

Remember when Ad-Aware wasn't a huge bloated mess? Might still be worth a try (free edition) if nothing else turns up the solution.

Hopefully it's just a browser-level plugin. If it affects all browsers it could be something installed as a proxy and might even show up in Windows Internet prefs.

Doug, are you still running Windows XP? Windows 7 should in theory spot stuff like this with its malware "stuff" - I can't remember if it's Defender or the other thing I can't remember the name of right now.

You should try Ubuntu.

+1 for Malwarebytes

Or get a log from HijackThis and post it here. I'm sure we can pick out the dodgy one.

Microsoft Security Essentials is what used to be Defender (although it's coming back in Windows 8 I think).

+1 for Malwarebytes. It's always the first thing I run on any of my clients' machines.

+1 for MSE, which I've recommended several times but AVG keeps winning for Doug **

I'd boot into safe mode and run Malwarebytes. That takes care of most of these things. Also try running TDSSKiller to look for rootkits, and look at Hijack This as recommended above for any odd items (but don't remove things indiscrimenantly, it's a tough program to read).

IF all else fails, then I have one more suggestion. I hesitate to suggest it because it's a much bigger hammer and some bad things could happen if used improperly. But if we're talking about really hitting a virus hard, Combofix is the tool. Again, this one can eff your system up as easily as fixing it. Please try all the other solutions here before using it.


**Doug, I'm just giving you a hard time about your love of AVG (which, admittedly, I used to love before it started looking like Norton). The fact is, a perfect antivirus does not exist in any way shape or form, aside from pulling out the network jack and never plugging any hardware or media into your computer. User behavior is still the best protection.

Yep. I also remember when using a separate application for "adware" was actually necessary, and even the people writing viruses and adware/spyware still made a distinction between the two. Now most stuff finds both because the lines have been erased.


Could be. Also, the hosts file could have been changed. Some antivirus tools will check for that (like HiJack This if it has administrative permissions), or you could go edit it manually to make sure it hasn't been changed. [url=Here]Here[/url] are the locations.


Windows 7 started installing Microsoft Security Essentials with Windows Update a good long while after the OS was first released. At least, that's what I've seen anecdotally. But I'm pretty sure it'll only install if you don't already have an antivirus installed. It certainly won't enable it as a second antivirus, which would be bad.[/quote]


It's a little more amorphous. Defender has been built into Windows since XP, and is a separate program from MSE. When you install MSE, Defender is disabled. It is in fact an antivirus program, though, so I'm a little unclear what the differences between it and MSE are, aside from the addition of scheduled virus scans...

Also, in my research to confirm the above info, I was surprised to see I was wrong about something I keep telling my clients. I thought MSE was the former Giant Antispyware. Turns out that Defender is. I have no idea where MSE came from. Maybe they built it in-house? Maybe with the Giant team?

My primary browser is Firefox. I also have Chrome and Internet Explorer available. Firefox and Chrome both show the unwanted popups; Internet Explorer [apparently] does not.

On your recommendation I have now done so.

Now if my computer catches on fire and burns down my house, it'll be all your fault!

Attached is a screenshot of the Malware Bytes log taken (I think) before I clicked the Remove Malware button. After I did that, I re-ran the program and got the message that there was no malware found.

Incidentally, I found out why you recommend running Malware Bytes in safe mode... I ran it in "normal" mode the second time (when it found no malware) and on my next reboot Malware Bytes had enabled every single item in my Startup menu. I went through it and disabled all the things I want to keep but not have loaded on boot. Attached is a screenshot of my startup menu.

If anybody wants to look through those two screen shots (right-click and choose "View Image" to make them readable) and advise me of anything that doesn't look right, I'd appreciate it.

At this point I don't know if my unwanted popups are gone, but hope springs eternal. Meanwhile, what am I going to do with all those free iPads I have won?

tanstaafl.

The TSearch thing is probably your problem.

Have a look in Add/Remove programs - it may be a simple case to remove it just there. Sometimes these uninstall nicely.

Also there's a number of Browser helper objects that look a bit dodgy.

Looks like about 3 or 4 different bits of malware (or just unwanted items) there. It's been a while since I've had to remove this sort of stuff, but AdAware was the tool I last used I think to automatically remove. I'm not sure what the best is these days. Just deleting the files and registry keys will probably be OK.

Let Malwarebytes do a clean up would be my recommendation. I'd remove basically most of the stuff. All of the registry keys I don't like. All but the first file look dodgy. The first looks like you're not running a genuine windows? That's a key server to bypass the windows authentication.

The "startup" screenshot looks OK.

PS: next time just copy/paste the log into the forum

That's what I did, then I ran it again and it reported no malware found.

Since that time I haven't seen the unwanted popup, but the night is young, so to speak. If I go a couple of days without it, I'll believe that it is gone.

Oh, sure, but where's the fun in that? The log was in plain text using a non-proportional spaced font (Courier New?) and was really ugly. I didn't want to subject you people to that!

BTW, be impressed with the startup screenshot. You can't actually make Windows display it like that...

tanstaafl.

FWIW, I don't recall ever seeing Malwarebytes find a false-positive. I wouldn't worry about telling it to remove whatever it found.


I'm pretty sure Malwarebytes just launches Notepad to display its log. Don't worry, that won't retain any formatting if you copy/paste it here.


Yeah, msconfig is obnoxious that way. I have no idea why that window isn't resizable. I like using CCleaner to look at startup items because it lets me delete (instead of just disable), but I can also maximize the window and see everything at once Anyway, sorry you had to go to all that trouble with the photoshopping

You gotta be kidding me! That's the sort of thing I live for!

tanstaafl.

I tried to get it made a rule at Rio that if there was a scrollbar anywhere inside a window, then the top-level window must be made resizeable so that people with big screens can eliminate the scrollbar. Roger groused about it, 'cos MFC dialogs don't work like that out of the box, but eventually implemented it. Later someone who didn't want the hassle of maintaining it quietly removed it

Peter

The problem with the msconfig window is due to the resizable columns, one of which (in Windows 7, at least) contains the registry key for each item. If you fully expand each column to fit the widest entry, usually you end up having to scroll at least three times the width of the window. It's just dumb.

Non-resizable windows, in general, should be punished by law.

Agreed completely: A pet peeve of mine is any non-resizable window that requires scrolling to read its contents.