hermesalpha asked:
What is the best way to get rid of the malware or hijacker that my laptop is infected with?
Because I think the suspended response from the cursor when typing is a sign of my laptop having been hijacked.
What happens is that the cursor "stops up" for half a second when typing (no smooth, regular flow when typing) on a webpage (like when typing here at Experts Exchange).
I have already run a full scan with Microsoft Security Essentials 2 (which found nothing) and Malwarebytes PRO (which found 8 infections, among them one hijacker). I chose to let MB delete those 8 infections and thought the laptop would be like normal again (usually MB fixes everything and the laptop is like new again, but not this time). But I still have this suspended typing. So I am considering using Combofix now.
I never ever visit any sites that could have caused this. I translate every day and I'm so dependent on the laptop being completely clean every day, as I can get a new job any day. However, I do a lot of Google searches each day when I translate, and some of those contain words and phrases that get hits for dubious sites (although I never open these, of course). But a few days ago, I began to get these small windows with pretty girls asking for a chat with me popping up on completely legitimate sites. I think these chat requests have something to do with www.gmx.com (www.gmx.co.uk), because sometimes they pop up there also (and have done for a long time at GMX). So perhaps the source of my infections now comes from GMX, but I'm not sure.
ASKER
It's possible the infection came with a Chrome add-on I just installed (involuntarily, I couldn't deselect it when I installed another program I needed): Sidekick (something for saving websites I visit).
ASKER
What is the most probable infection: rootkit, hijacker or malware?
ASKER
I also opened an e-mail in GMX that was suspicious (it wasn't possible to judge from the subject that it was a fraud attempt e-mail) a few days ago; the virus could have come from that also.
ASKER
I tried RogueKiller and Kaspersky's rootkit scanner but they didn't find anything.
ASKER
The biggest problem now is that I have no installation CD for Windows 7, only the plastic case with the Windows Anytime Upgrade and product key, but all in Traditional Chinese.
ASKER
If I use GMER on this site, can someone here help me to interpret the results?:
http://www.techsupportalert.com/best-free-rootkit-scanner-remover.htm
ASKER
Here comes the latest logfile (from Dr Web CureIt). However, I shut off the laptop because the scanning froze twice on the same spot: C:\...er\Downloads\PPS_Net work_Setup .exe
(At this point in scanning, after only around 10 % scanned, the scanning froze on this particular file twice.)
One infected file was found among these 10 %: Trojan.KillProc.14170
I chose "Cure?"-"Yes", "...cannot be cured. Move? Yes. Incurable. Moved".
Results after 11 hours/73,752 scanned files (10 % scanned): 1 infection, 2 suspicious, 1 adware (I think the 2 suspicious are false alarms).
CureIt.log
ASKER
Logfile from RogueKiller, I don't know where it's saved to, which folder, couldn't find it. For the tab Proxy I got this FOUND result:
http://screencast.com/t/zR4BZozKT
(I use Astrill as VPN. My OS is Windows 7 Ultimate 64-bit.)
The scanning with RogueKiller only takes a few seconds, should it be like that?
ASKER
Here is the logfile from TDSSKiller (didn't find anything either).
TDSSKiller-log-report.txt
ASKER
Where can I find the logfile from Combofix?
ASKER
I received a warning when downloading The Killer ("This file seems to be harmful, throw it?").
And it's named exactly the same as the Trojan that was found by Dr Web CureIt!:
explorer.exe
What should I do with it?
ASKER
In this case, it should be safe shouldn't it?: http://www.neuber.com/taskmanager/process/explorer.exe.html
ASKER
It seems this could be a porno dialer: http://www.neuber.com/taskmanager/process/explorer.exe.html
I have had small popup windows with pretty girls asking for a chat on completely legitimate websites, completely randomly popping up during the last week. Not much, just a handful times.
ASKER
I found someone who had a problem with this explorer.exe on a Swedish forum (only in Swedish, but you can machine-translate it to view it):
http://eforum.idg.se/topic/132496-problem-med-explorerexe/
Actually, after following the advice his computer regained normal speed and the infections were killed.
ASKER
I downloaded HijackThis from MajorGeeks (I suppose it's safe to download from there), created a folder in Programs and installed it there. But I received this error message when trying to run a system scan and save the log file:
http://screencast.com/t/WdUDYXEh2uK
BTW, my laptop is getting worse and worse, can hardly use it anymore.
ASKER
Should I follow the advice and edit the Hosts file, and then save as " 'hosts.' " (including the two simple quotes ' ' and the full period . )?
Also, can I restart the laptop now, because every letter takes several seconds to type (laptop is extremely sluggish, can hardly type anything)?
ASKER
The only line in this hosts file is this:
127.0.0.1 localhost
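Added example (editor's code, not from the thread): a small Python script that reads a Windows hosts file and flags the two patterns a hijacker typically leaves behind, a real domain pinned to a remote address, and a security vendor's or update site mapped to loopback so the machine can no longer fetch signatures. The hosts file in the post above holds only the loopback line and would produce no findings; the sample content embedded below is constructed, the vendor list is an assumption, and the default path assumes %SystemRoot% is C:\Windows.

```python
"""Flag hijack-style entries in a Windows hosts file (added example, not from the thread)."""
import ipaddress
import sys

# Default location, assuming %SystemRoot% is C:\Windows (assumption for this example).
DEFAULT_HOSTS = r"C:\Windows\System32\drivers\etc\hosts"

# Addresses that make a name resolve to nothing useful (loopback / null route).
SINKHOLE_ADDRS = {"127.0.0.1", "0.0.0.0", "::1", "::"}

# Names that are harmless to see mapped to loopback.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

# Substrings of security-vendor and update domains that malware likes to blackhole.
# Illustrative list (assumption); extend it for your own AV and update vendors.
SECURITY_MARKERS = (
    "malwarebytes", "microsoft.com", "windowsupdate", "kaspersky", "drweb",
    "symantec", "mcafee", "avast", "avg.com", "eset", "sophos", "bitdefender",
)

# Constructed sample. The asker's file held only "127.0.0.1 localhost"; the
# remaining lines are invented to show what a hijack looks like
# (198.51.100.23 is an RFC 5737 documentation address).
SAMPLE_HOSTS = """
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example-tracker.invalid
198.51.100.23   www.google.com
127.0.0.1       www.malwarebytes.org   # blocks AV updates
"""


def parse_hosts(text):
    """Yield (line_no, address, hostname) for every mapping in hosts-file text.

    Comments (#) and blank lines are skipped; a line whose first field is not
    an IP address is yielded with address None so it is not silently ignored.
    """
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            addr = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            yield line_no, None, " ".join(fields)
            continue
        for host in fields[1:]:
            yield line_no, addr, host.lower()


def find_suspicious(text):
    """Return [(line_no, hostname, address, reason)] for entries worth a look."""
    findings = []
    for line_no, addr, host in parse_hosts(text):
        if addr is None:
            findings.append((line_no, host, None, "first field is not an IP address"))
        elif host in LOCAL_NAMES:
            continue
        elif addr not in SINKHOLE_ADDRS:
            # A real site pinned to some remote address: classic pharming/hijack.
            findings.append((line_no, host, addr, "redirected to a remote address"))
        elif any(marker in host for marker in SECURITY_MARKERS):
            # Vendor/update site blackholed so the machine cannot fetch signatures.
            findings.append((line_no, host, addr, "security vendor site blackholed"))
    return findings


if __name__ == "__main__":
    # Usage: python hosts_check.py [path-to-hosts]
    # With no path the constructed sample above is scanned instead of DEFAULT_HOSTS.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HOSTS
    for line_no, host, addr, reason in find_suspicious(text):
        print(f"line {line_no}: {host} -> {addr}: {reason}")
```

Run it as `python hosts_check.py C:\Windows\System32\drivers\etc\hosts` from an elevated prompt. One caveat: Windows locates the hosts file through the DataBasePath value under HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters, so a clean file at the default path proves little if that value has been pointed somewhere else; check the registry value and scan the file it names.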
ASKER
Here is the RogueKiller report.
RougeKiller-report.txt
ASKER
I just ran SpyBot which found iCrossRider in the Registry.
Run Spybot as Administrator and it should remove Icrossrider.
ASKER
I ran Trojan Remover now, which didn't find anything. Either the scans find something which is deleted and then the laptop is still as sluggish as before, or nothing is found at all. Is it possible it's something else than infections? Like a hardware issue?
ASKER
Isn't the most probable infection a Keylogger as the only problem I have now is extremely slow typing, nothing else (the popup windows only appeared a few times some days ago, nothing now)?
ASKER
Here are all active processes on my laptop:
http://screencast.com/t/D1YxRdzlC
http://screencast.com/t/YzlMwt3S36
http://screencast.com/t/TLX3Z9XFls1V
http://screencast.com/t/sbCmbzTO2JIn
http://screencast.com/t/TZX3pGyN
ASKER
Here are the results from SpyHunter:
http://screencast.com/t/5sNoQRFM7qMF
http://screencast.com/t/tj57zCzVzkx
http://screencast.com/t/Ko6jjKBq
Can any of these be real threats or are they fabricated to get me to buy SpyHunter?
ASKER
Or can't I just navigate to the folders and wipe these out with my fileshredder, without having to buy SpyHunter?
ASKER
Here is the HijackThis log.
hajja-detta.log
ASKER
Here is the dds log and attachment to dds (see http://forums.techguy.org/virus-other-malware-removal/943214-everyone-must-read-before-posting.html)
DDS.txt
Attachment-to-DDS.zip
ASKER
And some results from Emsisoft:
http://screencast.com/t/ynGah5Ukv56b
(the 4 high-risk objects are part of a Japanese dictionary, very old, JWPCE, and I think they are false alarms)
ASKER
I really would like to do a reinstall, is there any way to do this now without any installation CD (only the upgrade key from Windows 7 Home to Windows 7 Premium)?
ASKER
Thanks for the advice about doing the searches in XP Mode Nicolus, will do that. I was going to make an image this week with Acronis True Image, too bad I didn't do it in time. I still want to try to get rid of this whatever the infection is about, but it seems like the worst type if even MB and Combofix can't find it. I have a translation job until Monday I need to finish in time, so I want to try a few more hours, before I maybe do a wipe and reinstall.
rrjmin0, can I burn the Defender Offline on my second laptop (although I can't connect this second laptop to the internet)? Otherwise, I have no alternative but to burn the Defender Offline on my new, already infected laptop.