Astro’s advice is quite good. If you’re not familiar with the log file that Hijackthis will produce, there are websites available specifically to help you. I tend to like www.bleepingcomputer.com.
There are some NASTY trojans out there right now – I just had to do a wipe and reinstall this week. Some of the more sophisticated malware will actually recognize when the user is looking and hide.
Other than Astro’s advice, I offer the following:
From a clean system (at work, a friend’s house, library, etc.) download the following, besides Hijackthis:
Spybot Search and Destroy
AdAware 2008 Free
Malwarebytes’ Anti-Malware
SUPERAntispyware Free edition
SpywareGuard
There are other fairly specific tools available, such as ComboFix and MGTools, which are usually requested by the techs at self-help antimalware forums.
Let you in on something I discovered this week:
We generally don’t give much thought to our Java installation – websites seem to work fine and it’s basically forgotten. Bad move. There is malware out there that takes advantage of security gaps in older versions of Java and can do nasty things to your system. Whatever happens with this infection, when you’re clean (via cleanup or reinstall) you need to hit Sun’s website and get the latest version of their Java ASAP. It has gotten to the point where there are shady, fake antimalware programs out there that they con you into buying (via fake ‘alerts’ downloaded and installed by their own trojans.) They then use the revenue to purchase ad space on reputable websites, which can then exploit Java – even in Firefox – and cause more users to become infected, thus securing more sales of their fake ‘remover’.
If your desktop background changes to a scary looking warning about spyware/trojans, and you SEEM to be crashing to a blue Windows error screen, you’ve got one of these, probably a version of Virtumonde. It’s a nasty bastard. That blue screen of death? Just a screensaver to scare you into buying their product.
Otherwise, you probably have one or more trojans executing downloads/installs of other malware, which adds up fast. I suggest, as soon as possible but certainly when you have a clean system, that you put a firewall like ZoneAlarm on your system and make sure it asks about program access. Be very, very careful about allowing any .tmp file access to the web – these things hide in tmp files.
SpyBot has a tool called “Resident-TeaTimer” that can autorun on startup and will alert you to changes in your registry or startup list, where Malware likes to add entries. SpywareGuard can do the same. If you purchase the full versions of some programs, you get the same ‘realtime’ protection. Even with all that, though, no system is 100% safe 100% of the time.
Used to be if we downloaded the newest virus/malware/trojan definitions every couple of weeks or so, not much could get to us. Now, two weeks is an eternity, as the malware can change, drastically, from day to day. The bad guys are getting the updates and working around them, and the good guys are tweaking, and so on.
I feel for you…this is a hard process, especially once infection sets in and becomes noticed.
Once your system is pristine, do the Java update, make sure you’re using Firefox 3 (or whatever you prefer), make sure you have multiple scanners ready and updated, and make sure your scanners will update daily themselves, or do it manually NO LESS than once weekly. Scan NO LESS than once weekly with everything. Also, create a limited user account that does not have Administrator privileges on your computer, and use that. It isn’t perfect, but it gives you a bit of a leg up, since restricted users typically do not have access to critical files or folders.
Key places to look for malware:
Registry (particularly within the /Run tree)
C:/Windows
C:/Windows/System32
C:/Windows/Temp
And, of course, in your startup menu. Beware, these things can hide and not show in the startup menu in msconfig. Likewise, malware can hide in ‘real’ processes and be very difficult to remove. Some variants will altar all the .exe files it can find…and at that point I know no other way to get rid of it than a reformat/reinstall.
Good luck!