We help IT Professionals succeed at work.

Windows XP pro with redirect virus

I have a Windows XP pro SP3 on a domain that has a browser redirect virus I need help removing.
It started as a "Windows XP 2012 Viruse" in which I used these instructions to remove.
http://www.bleepingcomputer.com/virus-removal/remove-win-7-antispyware-2012 ". Since the then the "Windows XP 2012 Viruse" has been removed but now I still get the browser redirects and svchost.exe file is running out of control. I'll attach a Highjackthis log.
Comment
Watch Question

Author of the Year 2011
Top Expert 2006
Commented:
Please follow the directions in this EE Article about "2012" variants:
http://www.experts-exchange.com/A_6550.html (2012-Malware-Variants)

Post the logs from both RogueKiller and Malwarebytes when you are done.

You may also want to try TDSSKILLER found here:
http://support.kaspersky.com/downloads/utils/tdsskiller.zip

* Download the file TDSSKiller.zip and extract it into a folder on the infected (or potentially infected) PC.
* Execute the file TDSSKiller.exe.
* Wait for the scan and disinfection process to be over. You do not have to reboot the PC after the disinfection is over.

If the tool finds a hidden service it will prompt you to type "delete",  you can also just hit "Enter" without typing in and the scan will continue...
Please post the log to be analyzed.

Let us know the results and we can take the next steps.

Commented:
I would download and install malwarebytes.  I would also check your host file.  Navigate to C:\Windows\System32\drivers\etc, normally your host file should be only 1kb, open up notepad and just drag and drop the file in the notepad window.  It should look something like this:

# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

# localhost name resolution is handled within DNS itself.
#      127.0.0.1       localhost
#      ::1             localhost

Anything below ::1 or 127.0.0.1, remove it and resave.
Author of the Year 2011
Top Expert 2006

Commented:
@uescomp,
The full process (including downloading Malwarebytes) is included in the Article I referenced.

Please be aware that simply downloading (and using) MBAM will NOT repair this infection. There are several steps involved and they need to be followed in order.

Author

Commented:
Hmmm, Did either of you look at the link I posted?
I'll try again. Yes that is exactly what Host looks like.
I'll also try TDSSKILLER.

Commented:
I noticed 3 iexplorer.exe processes running.  By chance when you open internet explorer, does the page change or do new pages open etc.
Author of the Year 2011
Top Expert 2006

Commented:
zehren,
I am quite familiar with the link you posted and that is exactly why I posted a link to my article.

I've found that RogueKiller is much more effective than "RKill" (more Menu Options) and that is why we use it exclusively in my repair shop.

"Re-direct" malware symptoms will often be as a result of a TDSS infection, so that is why I included both recommendations.

You can also try FixTDSS.exe from Symantec

http://www.symantec.com/content/en/us/global/removal_tool/threat_writeups/FixTDSS.exe

Author

Commented:
Well, There you go
TDSSKILLER was the WINNER!
It unrooted the RootKit!

Thank you and as always you people have the answer I can't find.
Author of the Year 2011
Top Expert 2006

Commented:
Sweeet!
That is great to hear.
Thank you for letting me know.