I just ran the Kaspersky recovery cd from the first link, How to Use the Kaspersky Rescue Disk to Clean Your Infected PC - Linux Geek
Very easy to set up, but it didn't find anything and I still have the problem.
Ok I'll run through some more...

Just tried F-Secure Rescue CD, again nothing. Although it did say one file was not scanned.. kind of odd.
Think I'm going to have a closer look at recent installs and program files and see if I can find some more stuff to strip out, maybe I'll come across something in the process.
Very impressed with this ImgBurn http://www.imgburn.com/ to mount the ISO files, I use Daemon but thought I'd give it a go, no virtual mounting but very quick and thorough.
Last edited by Neo; 15-07-2011 at 02:29 AM.
OK so now tell us what Browser you are using.
Have you cleared out all the temp files? Have you looked to see what add-ons and toolbars you have installed?

FF5. I cleared the temp files, cookies, registry keys, etc with Ccleaner.
I'm pretty sure I got this virus when browsing images as I had several trojan alerts going off and then it was there, not even mucky pictures, mostly it's the most innocuous that are trojans.
I've just got up and having a cuppa, so I'll have a look in a bit, I'll dust off IE8 and see if that has the same prob, maybe it is specific to the browser.
An odd thing with it is, at the moment I can see it's hyperlinking the word 'date' under my av on one of my posts, no doubt a link to a dubious dating site, but that is the only hyperlink on the page, it doesn't hyperlink any of the other 'date' words.
It usually only highlights one word per screen, or two if there is a city name on there. If it was to highlight all the words of the same type then I'd be inclined to think it was some word recognition/adlink add on, but I've checked for something like that and can't find anything.
Last edited by Neo; 15-07-2011 at 03:13 PM.
I'd say install IE9 but I'm guessing you're on XP.
Try Google Chrome.
Also, you may want to see what Browser Helper Objects you have installed.
Use something like this

Yes I'm on XP. I just fired up IE8 and didn't have the same problem there.
Didn't have it up for long, and cleared cookies before closing it down again.
Perhaps not enough time for the virus to spread to IE or just that it is specific to FF. I think I'll take a browse through Mozilla files, plug ins etc again, but I might try to uninstall FF, give it a scan and then re-install. What do you think?
It might be hiding in an extension - could try going to Tools, Add-ons etc
and disable the lot, then restart
see if it's still a problem

Good call! I've just disabled all extensions and the hyperlinks have gone.
Now to switch them on systematically to see which one is the problem.

Ok now we're really getting somewhere. It is, or it is in, the Shockwave Flash extension (10.3.181.14). I've disabled it and that has stopped the hyperlinks.
Now.. what to do, remove the file is obviously the best option but Shockwave is probably quite well embedded.
I shall investigate...

Mmmm... system restore point done.
It's not giving me the option to remove the add on via the FF browser.
I'll hang fire and wait for suggestions.

Sod it I'll just take the whole lot out!
Ok.. I uninstalled the extension and reinstalled the new version
Shockwave Flash (10.3.181.34) and the hyperlinks are back, so I guess the virus is in the flash player program files...
Last edited by Neo; 15-07-2011 at 06:45 PM.

Try:
Smithfraudfix
hijackthis
....both highly recommended for nasty malware. Cleaning, maintenance, prevention, etc. Works well with most systems and browsers.

Uninstalled Flash player, rebooted, reinstalled Flash player.. hyperlinks are back.
Ok stuck now, will wait for ideas.. meanwhile will try RS's scans.
CCleaner helps uninstall and delete any other files left behind. When you do uninstall something that might have a virus usually you have to turn system restore off then do it. After that I run the ccleaner and maybe even MS disk cleanup to get any possible crap left behind. When you are done you can turn system restore back on.
I've used real versions of windows and the paid versions of ESET NOD32 and never had a serious problem. I do tend to just reinstall windows if I have any type of problem. And I generally reinstall fairly often just in case there might be something I don't want going on going on.
=========
When you say "Hyperlinks", what is/are the underlying URL(s)?

Good thinking.
http://www.textsrv.com
/click.php?v=R0I6OTQ0ODo0OmRhdGluZyBzaXRlOjFhNGNhM2 I5YjgwOTljOGY2NGFhYmNjNmNjODY3Zjc2OnotNS05MzQ2
http://www.textsrv.com/click.php?v=R...ei01LTkzNDY%3D
textsrv no decent info on it so must be recent.. searching...
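
Added example, not part of the original posts: the `v` parameter in the click URL quoted above is plain Base64, so it can be decoded offline to see what the injected link carries without visiting it. The function names and the split on `:` are assumptions; the page does not document the format.

```python
import base64
import binascii
from urllib.parse import urlsplit, unquote

# Click URL as posted in the thread, joined from its two lines; the space in
# the middle of the value is a forum line-wrap artifact.
POSTED_URL = ("http://www.textsrv.com/click.php?v="
              "R0I6OTQ0ODo0OmRhdGluZyBzaXRlOjFhNGNhM2 "
              "I5YjgwOTljOGY2NGFhYmNjNmNjODY3Zjc2OnotNS05MzQ2")
# The forum-shortened form of a link; the "..." hides most of the value.
TRUNCATED_URL = "http://www.textsrv.com/click.php?v=R...ei01LTkzNDY%3D"


def decode_click_param(url, param="v"):
    """Return the decoded text of a Base64 query parameter, or None."""
    url = "".join(url.split())                 # drop wrap/whitespace artifacts
    for pair in urlsplit(url).query.split("&"):
        name, _, value = pair.partition("=")
        if name != param:
            continue
        raw = unquote(value)                   # %3D -> "="; "+" is left alone
        raw += "=" * (-len(raw) % 4)           # restore stripped padding
        try:
            return base64.b64decode(raw, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            return None                        # truncated or not Base64
    return None


def click_fields(url):
    """Split the decoded value on ':' (assumed separator); [] if undecodable."""
    decoded = decode_click_param(url)
    return decoded.split(":") if decoded else []


if __name__ == "__main__":
    print(urlsplit(POSTED_URL).hostname, click_fields(POSTED_URL))
    print(click_fields(TRUNCATED_URL))
```

On the posted URL the fourth field decodes to `dating site`, which lines up with the single hyperlinked word 'date' described earlier in the thread; the shortened link cannot be decoded because the forum elided most of its value.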

The url http://www.textsrv.com leads to a blank page.
Only one thread on it on the Kaspersky forum a few days ago that's not resolved.
Looks like I'll have to wait for a fix.

I'm away for three weeks from Sunday so I'll have to get back to this when I can, perhaps there will be a fix by then. Cheers for all your help, I'm sure we'll get it sorted in the end.
Try Revo uninstaller
It gets rid of all the registry files and more that add/remove program doesn't
Revo Uninstaller - Free software downloads and software reviews - CNET Downloads
Shockwave Player
And if he reinstalls his browser, won't that sort it out?
I was thinking if he deleted his add ons first, then did a thorough uninstall and reinstall then he may be ok
I'm still using Aurora, had no problems whatsoever