Possible trojan, spyware etc on Vista

Status
Not open for further replies.
Regarding AVG8

my guess is that it was one of the 1000 downloads in the basic instructions I followed a couple of days ago.

It's not. I just checked: the link in the sticky points to AVG free 7.5.

Can you uninstall AVG8 and install AVG free 7.5?
I've actually removed two entries from the host file that I'm sure to be ok since I put them there myself

I need to know what they are.
 
now I remember... the avg thing... I had some trouble downloading the 7.5 from the link in the document so I cut down the url to http://free.grisoft.com/ , went to downloads (http://free.grisoft.com/doc/5390/us/frt/0) and got the 8.0... I never noticed that it wasn't the same version... should this really be a problem? it's not like I've downloaded some dirty cracked version... but I'll uninstall and try to get the 7.5 if you think I need it... otherwise I'll just uninstall it ;)
 
the removed entries are from the host file...
O1 - Hosts: 172.16.9.200 tandy1000
O1 - Hosts: 172.16.9.200 vulkan.valderas.local
 
or do you mean what they do? basically allows me to write "tandy1000" or "vulkan.valderas.local" instead of the ip when I want to access an internal development server when I'm at the office or using a vpn to the office...
 
to answer a previous question in this thread... here's a short sample of hijacked google links...

http://www.freelotto.com/register.asp?skin=EnglishFWinner&partner=1054775&affiliateid=46974
http://www.monstermarketplace.com/searchw53.asp?q=testar
http://partners.mamma.com/jred/Clic...438&cs=88463/2&jref=968e.DhgPCBMsGRsOAQ1DDg4y
http://www.paretologic.com/xoftspy/se/newlp/xray/?uid=14wcz
http://www.noadware.net/?hop=33380

from a couple of searches of phrases like "test", "new search" and "virus trojan popup"... just got them a minute ago, so I guess nothing so far has worked... well... I don't get the popups... and just a small part of the google links are hijacked... but still...
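The two `O1 - Hosts` entries quoted above map names to an RFC 1918 address, which is what a hosts entry for an internal office server looks like. As an added example (not part of the original posts), this sketch triages the O1 lines of a HijackThis log by address class; the third and fourth sample lines and the O4 line are constructed, and the verdict labels are this example's own.

```python
import ipaddress
import re

# RFC 1918 ranges: addresses that only make sense on an internal network or VPN.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# HijackThis reports each hosts-file line as "O1 - Hosts: <address> <name> [<name>...]".
O1_LINE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(.+)$")

def classify(address):
    """Return 'loopback', 'internal', 'review' or 'malformed' for one hosts address."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return "malformed"
    if ip.is_loopback or ip.is_unspecified:
        return "loopback"   # localhost entry or a sinkhole-style block
    if any(ip in net for net in RFC1918 if net.version == ip.version):
        return "internal"   # e.g. an office server reached over the VPN
    return "review"         # hosts file overrides DNS with a non-internal address

def triage_o1(log_text):
    """Return (address, hostname, verdict) for every O1 hosts entry in a HijackThis log."""
    results = []
    for line in log_text.splitlines():
        m = O1_LINE.match(line.strip())
        if not m:
            continue        # not an O1 line (O2, O4, ... sections are ignored)
        address = m.group(1)
        names = m.group(2).split("#")[0].split()   # drop a trailing comment, if any
        for name in names:
            results.append((address, name, classify(address)))
    return results

# Constructed sample: the two entries quoted in the thread plus made-up lines.
SAMPLE_LOG = """\
O1 - Hosts: 172.16.9.200 tandy1000
O1 - Hosts: 172.16.9.200 vulkan.valderas.local
O1 - Hosts: 203.0.113.10 search.example.com
O1 - Hosts: 127.0.0.1 localhost
O4 - HKLM\\..\\Run: [Example] C:\\example.exe
"""

if __name__ == "__main__":
    for address, name, verdict in triage_o1(SAMPLE_LOG):
        print(f"{verdict:9} {address:15} {name}")
```

Entries marked `review` are the ones worth asking about: a hosts line that pins a name to a non-internal address takes precedence over DNS for that name.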
 
tomrca said:
you seemed to have acquired 2 new entries in your hjt log. are you cleaning your pc between projects?

perhaps it may be best if you start again should kritius's instructions fail.

if so go HERE and follow these instructions. i must add that all instructions must be followed to the letter

should I do this step by step, or can I download and install all the software at once and then step through the process? if I shut the computer off somewhere along the process and pick it up again later, will it have the same effect? will this process take care of junk that reinstalls by itself on startup?
 
in no way do i intend or imply any disrespect to member tomrca but from my experience
  • kritius is quite good at this. I've seen him assist many people
  • It's difficult to follow (and effectively follow) step-by-step directions/plan when it comes from multiple directions. Suggest, for now, is best to continue with a single source for a step-by-step guidance. And understand delays in response can be due to big time zone difference between people (this is global site) and this is all volunteer work done in spare time
  • But always consider input from others (i'm sure kritius does as well)
 
LookinAround said:
kritius is quite good at this. I've seen him assist many people
I've helped some people, tomrca has helped more, a lot more.
should I do this step by step
yes, we need to eliminate all possibilities.
or do you mean what they do?
That's ok then, I just wanted to make sure they weren't malicious in any way.
it's not like I've downloaded some dirty cracked version
As long as it isn't cracked then that's ok.

-------------------------------------------------------------------------------------------------------

Download the ATF cleaner programme and save it to your desktop.

Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.

then let me know if that affects the redirects.
 
LookinAround said:
in no way do i intend or imply any disrespect to member tomrca but from my experience
  • kritius is quite good at this. I've seen him assist many people
  • It's difficult to follow (and effectively follow) step-by-step directions/plan when it comes from multiple directions. Suggest, for now, is best to continue with a single source for a step-by-step guidance. And understand delays in response can be due to big time zone difference between people (this is global site) and this is all volunteer work done in spare time
  • But always consider input from others (i'm sure kritius does as well)

I appreciate all the help I can get and I must say I'm surprised that I've got so quick responses.

------------

I'm gonna run off with the latest instructions and come back later...
 
create a clean restore point,

Turn off system restore. (Vista only) See how HERE.

Now, turn system restore back on. This will have deleted all your old restore points and any nasties that are in them. It will also have created a new, clean restore point.

Reboot the system and check again.
 
already restarted :/ but so far no more hijacked links and no popups... I'll clean it again and set a new restore point... just in case...
 
seems to come back every second time I reboot... if I turn off restore, clean, set a new restore point; google works fine, if I reboot; google works fine, if I reboot again, google is hijacked...
 