hermesalpha (Paraguay) asked:

What is the best way to get rid of the malware or hijacker that my laptop is infected with?

I ask because I think the suspended cursor response when typing is a sign that my laptop has been hijacked.

What happens is that the cursor "stops up" for half a second when typing (no smooth, regular flow when typing) on a webpage (like when typing here at Experts Exchange).

I have already run a full scan with Microsoft Security Essentials 2 (which found nothing) and Malwarebytes PRO (which found 8 infections, among them one hijacker). I chose to let MB delete those 8 infections and thought the laptop would be back to normal again (usually MB fixes everything and the laptop is like new again, but not this time). But I still have this suspended typing. So I am considering using Combofix now.

I never ever visit any sites that could have caused this. I translate every day and I'm dependent on the laptop being completely clean every day, as I can get a new job any day. However, I do a lot of Google searches each day when I translate, and some of those contain words and phrases that get hits for dubious sites (although I never open these, of course). But a few days ago, I began to get these small windows with pretty girls asking for a chat with me popping up on completely legitimate sites. I think these chat requests have something to do with www.gmx.com (www.gmx.co.uk), because sometimes they pop up there also (they have done so for a long time at GMX). So perhaps the source of my infections now comes from GMX, but I'm not sure.
ASKER CERTIFIED SOLUTION by Rob Miners (Australia): solution text only available to members.
SOLUTION by Steve Smith (United Kingdom): solution text only available to members.
hermesalpha (asker):

I just ran Combofix and afterwards it's still the same.

Thanks for the advice about doing the searches in XP Mode, Nicolus; I will do that. I was going to make an image this week with Acronis True Image, too bad I didn't do it in time. I still want to try to get rid of this, whatever the infection is, but it seems like the worst type if even MB and Combofix can't find it. I have a translation job until Monday that I need to finish in time, so I want to try a few more hours before I maybe do a wipe and reinstall.

rrjmin0, can I burn Defender Offline on my second laptop (although I can't connect this second laptop to the internet)? Otherwise, I have no alternative but to burn Defender Offline on my new, already infected laptop.
It's possible the infection came with a Chrome add-on I just installed (involuntarily; I couldn't deselect it when I installed another piece of software I needed): Sidekick (something for saving websites I visit).
What is the most probable infection: rootkit, hijacker or malware?
I also opened an e-mail in GMX a few days ago that was suspicious (it wasn't possible to judge from the subject that it was a fraud attempt); the virus could have come from that also.
I tried RogueKiller and Kaspersky's rootkit scanner, but they didn't find anything.
The biggest problem now is that I have no installation CD for Windows 7, only the plastic case with the Windows Anytime Upgrade and product key, but all in Traditional Chinese.
If I use GMER from this site, can someone here help me interpret the results?

http://www.techsupportalert.com/best-free-rootkit-scanner-remover.htm
Here comes the latest logfile (from Dr Web CureIt). However, I shut off the laptop because the scan froze twice on the same spot: C:\...er\Downloads\PPS_Network_Setup.exe
(At this point in the scan, after only around 10% scanned, the scan froze on this particular file twice.)

One infected file was found among these 10 %: Trojan.KillProc.14170

I chose "Cure?"-"Yes", "...cannot be cured. Move? Yes. Incurable. Moved".

Results after 11 hours/73,752 scanned files (10% scanned): 1 infection, 2 suspicious, 1 adware (I think the 2 suspicious are false alarms).
CureIt.log
Logfile from RogueKiller: I don't know which folder it's saved to; I couldn't find it. For the Proxy tab I got this FOUND result:

http://screencast.com/t/zR4BZozKT

(I use Astrill as VPN. My OS is Windows 7 Ultimate 64-bit.)

The scan with RogueKiller only takes a few seconds; should it be like that?
Here is the logfile from TDSSKiller (didn't find anything either).
TDSSKiller-log-report.txt
Where can I find the logfile from Combofix?
I received a warning when downloading The Killer ("This file seems to be harmful, throw it away?").
And it's named exactly the same as the Trojan that was found by Dr Web CureIt!:
explorer.exe

What should I do with it?
In this case, it should be safe shouldn't it?: http://www.neuber.com/taskmanager/process/explorer.exe.html
It seems this could be a porno dialer: http://www.neuber.com/taskmanager/process/explorer.exe.html

I have had small popup windows with pretty girls asking for a chat on completely legitimate websites, popping up completely randomly during the last week. Not much, just a handful of times.
I found someone who had a problem with this explorer.exe on a Swedish forum (only in Swedish, but you can machine-translate it to view it):

http://eforum.idg.se/topic/132496-problem-med-explorerexe/

Actually, after following the advice, his computer regained normal speed and the infections were killed.
I downloaded HijackThis from MajorGeeks (I suppose it's safe to download from there), created a folder in Programs and installed it there. But I received this error message when trying to do a system scan and save the log file:

http://screencast.com/t/WdUDYXEh2uK

BTW, my laptop is getting worse and worse, can hardly use it anymore.
Should I follow the advice and edit the Hosts file, and then save it as " 'hosts.' " (including the two single quotes ' ' and the full stop .)?

Also, can I restart the laptop now, because every letter takes several seconds to type (laptop is extremely sluggish, can hardly type anything)?
The only line in this hosts file is this:

127.0.0.1       localhost
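An added example (not part of the thread, and not something any of the experts posted) of checking a Windows hosts file before editing it: it parses the file and flags entries that redirect a hostname to some other address, or that map a non-localhost name to the loopback address, which is the usual way a hijacker blocks security-vendor sites. A file containing only the `127.0.0.1 localhost` line shown above gives no findings. The hosts path, the sample entries and the `.invalid` domain are assumptions/constructed for the example.

```python
"""Audit a Windows hosts file for entries that a browser hijacker typically adds.

Added example; not from the Experts Exchange thread. Assumptions: the hosts file
is in the standard format (address, then one or more hostnames, '#' comments), and
the only entries expected on a clean machine are loopback mappings of 'localhost'.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from pathlib import Path

# Loopback/unspecified mappings of these names are normal on a clean machine.
EXPECTED_LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


@dataclass(frozen=True)
class HostsEntry:
    lineno: int
    address: str
    names: tuple[str, ...]


def parse_hosts(text: str) -> list[HostsEntry]:
    """Parse hosts-file text into entries, ignoring blank lines and '#' comments."""
    entries: list[HostsEntry] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comment
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue  # malformed line; not an address/name pair
        entries.append(HostsEntry(lineno, parts[0], tuple(n.lower() for n in parts[1:])))
    return entries


def audit_hosts(text: str) -> list[str]:
    """Return human-readable findings for entries that look like tampering.

    Flags (1) a hostname mapped to a non-loopback address (redirection) and
    (2) a non-localhost name mapped to loopback/unspecified (blocking, e.g. of
    antivirus update sites). An empty list means only expected entries exist.
    """
    findings: list[str] = []
    for e in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(e.address)
        except ValueError:
            findings.append(f"line {e.lineno}: unparsable address {e.address!r}")
            continue
        for name in e.names:
            if addr.is_loopback or addr.is_unspecified:
                if name not in EXPECTED_LOCAL_NAMES:
                    findings.append(f"line {e.lineno}: {name} blocked via {e.address}")
            else:
                findings.append(f"line {e.lineno}: {name} redirected to {e.address}")
    return findings


def audit_windows_hosts_file(path: str = r"C:\Windows\System32\drivers\etc\hosts") -> list[str]:
    """Read the live hosts file (assumed default Windows path) and audit it."""
    return audit_hosts(Path(path).read_text(encoding="utf-8", errors="replace"))


# Constructed samples: the clean one-line file from the thread, and a tampered file.
CLEAN_HOSTS = "127.0.0.1       localhost\n"
TAMPERED_HOSTS = (
    "# Copyright (c) 1993-2009 Microsoft Corp.\n"
    "127.0.0.1       localhost\n"
    "::1             localhost\n"
    "127.0.0.1       update.example-av.invalid   # constructed: blocks an update site\n"
    "203.0.113.7     www.example.com             # constructed: redirects a site\n"
)

if __name__ == "__main__":
    for label, content in (("clean", CLEAN_HOSTS), ("tampered", TAMPERED_HOSTS)):
        print(label, audit_hosts(content) or ["no findings"])
```

Run it as-is to see both samples audited; call `audit_windows_hosts_file()` from an elevated prompt to check the real file. Comment lines and IPv6 loopback (`::1`) are handled, so the stock Microsoft header and the `::1 localhost` line do not produce false findings.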
Here is the RogueKiller report.
RougeKiller-report.txt
I just ran SpyBot which found iCrossRider in the Registry.
Run Spybot as Administrator and it should remove Icrossrider.
I ran Trojan Remover now, which didn't find anything. Either the scans find something which is deleted and then the laptop is still as sluggish as before, or nothing is found at all. Is it possible it's something other than infections? Like a hardware issue?
Isn't the most probable infection a keylogger, as the only problem I have now is extremely slow typing, nothing else (the popup windows only appeared a few times some days ago, nothing now)?
Here are the results from SpyHunter:

http://screencast.com/t/5sNoQRFM7qMF
http://screencast.com/t/tj57zCzVzkx
http://screencast.com/t/Ko6jjKBq

Can any of these be real threats or are they fabricated to get me to buy SpyHunter?
Or can't I just navigate to the folders and wipe these out with my file shredder, without having to buy SpyHunter?
Here is the HijackThis log.
hajja-detta.log
And some results from Emsisoft:

http://screencast.com/t/ynGah5Ukv56b

(the 4 high-risk objects are part of a very old Japanese dictionary, JWPCE, and I think they are false alarms)
I really would like to do a reinstall; is there any way to do this now without an installation CD (only the upgrade key from Windows 7 Home to Windows 7 Premium)?