
irritating virus


#21, 25th Oct 2011, 00:19
Chief Tardis Technician (Join Date: Jan 2001; Location: Western Australia S31.715 E115.737; Age: 71; Posts: 554)
Download and install HijackThis.
Run the prog, let it do a scan.
Tick any instances of domex,
then do the fix. It may fix the problem for you. Take the time to have a look at the information posted by the scan; there could be all sorts of strange stuff there.
Avtrician is offline  

#22, 25th Oct 2011, 07:37
Thread Starter (Join Date: Apr 2002; Location: In the circuit; Posts: 177)
Update on where I am so far.

This is a tricky little thing. I've run most of the cleaning measures on majorgeeks suggested by M Mouse. First good tip was that I found two items on the rogue list that I was able to uninstall via the Control Panel. Then I downloaded and ran SuperAntiSpyware. Despite the fact that I've been running Malwarebytes on a weekly basis, SaS found 242 suspect items, which I have removed.

Unfortunately the issue is still there. I have also downloaded ComboFix, which I am about to run. If this has no effect I'll move on to the rootkit versions. Majorgeeks pages are very good: clear instructions and simple to use.

GB
Groundbased is offline  

#23, 25th Oct 2011, 09:03
More bang for your buck (Join Date: Nov 2005; Location: land of the clanger; Age: 82; Posts: 3,512)
You may be going in circles, i.e. your home page is set to domdex.com, so every time you start your browser it goes there and re-infects. What browser are you using, by the way?
green granite is offline  

#24, 25th Oct 2011, 13:53
Per Ardua ad Astraeus (Join Date: Mar 2000; Location: UK; Posts: 18,579)
It is important to point out also that, as good as M Mouse's link to MG is, it does not call for a boot-time scan. Unlike some suggestions of running this in Safe Mode/Command Prompt, I am even more cynical and cautious and do not let ANY part of Windows near my machine for a boot-time scan. It needs to be run in DOS from a boot CD-ROM. Virii now are getting pretty clever at 'hiding' inside a Windows frame. I do not know of one which hides in DOS - yet...
BOAC is offline  

#25, 25th Oct 2011, 13:54
Thread Starter (Join Date: Apr 2002; Location: In the circuit; Posts: 177)
Well, I've run the other tools and the rootkit tools and they don't find any infection. I was running IE7, which I have upgraded to IE8. The homepage is set to Google in Internet Options, although I've changed that to another site to see if it helps, which it doesn't.

So am truly nonplussed now.
Groundbased is offline  

#26, 25th Oct 2011, 14:03
Per Ardua ad Astraeus (Join Date: Mar 2000; Location: UK; Posts: 18,579)
GB - Avira will download an ISO to burn a boot-time CD-ROM, or Avast has a setting which enables a DOS-run scan. If, as it seems, you probably have an infected Windows system file, a boot scan will ask you to delete infected files. You may well need then to restore them from your Windows XP CD-ROM. Be prepared!
BOAC is offline  

#27, 25th Oct 2011, 14:09
Join Date: Mar 2008; Location: Western USA; Posts: 555
Groundbased:

Try (free): www.superantispyware.com
Desert185 is offline  

#28, 25th Oct 2011, 14:10
Per Ardua ad Astraeus (Join Date: Mar 2000; Location: UK; Posts: 18,579)
Post #22? ........
BOAC is offline  

#29, 25th Oct 2011, 20:11
Join Date: Jun 2003; Location: EuroGA.org; Posts: 13,787
It is not so much "DOS" you need to run.

The key point is that you need to boot the machine from an O/S which is not loaded by the boot sector of the hard drive of the potentially infected machine.

What that O/S is is irrelevant. It could be a normal copy of WinXP, Unix, whatever. For example, the Micro$oft boot-CD virus scanner (which I have used successfully to detect really clever infections) actually loads a copy of Win7. This is no surprise, since you want that O/S to support peripherals like network controllers, USB, etc., and you want it to be able to get onto the internet and download the latest virus definitions. Plain DOS would be no good; apart from anything else, DOS 6.2 only supported hard drives up to 2GB.

Once the stuff has booted off the CD, everything on the HD is treated as passive data and can be freely scanned. Since nothing on the HD is executed (as program code) there is no way for anything on the HD to interfere with this virus scan.

You can achieve a similar result without a boot CD. For example if you suspect your drive C: has a virus, you can take the HD out of that machine and pop it into another machine as a secondary HD and virus scan it. Or, more cleverly, you can make a Trueimage (or some ISO) image of the whole drive, copy it to another machine (one guaranteed to be virus free) where you use TI to mount it as a logical drive, and virus scan that logical drive.

FWIW, I have seen many infected machines but nothing that I have sole access to has ever got infected. That's why I think people catch the nasties in particular ways.
IO540 is offline  

#30, 25th Oct 2011, 20:43
Per Ardua ad Astraeus (Join Date: Mar 2000; Location: UK; Posts: 18,579)
Just trying to keep it reasonably simple!
BOAC is offline  

#31, 26th Oct 2011, 11:39
Thread Starter (Join Date: Apr 2002; Location: In the circuit; Posts: 177)
Absolutely agree on the access. This PC has 5 user accounts on it. My laptop which I use for business has only myself, which I run as a standard user and an admin account that I log in to when I want to do admin type things. I don't generally get any problems on this one.

By restricting Domdex as a site within IE I've got rid of the irritating effect where it goes to a Domdex blank page whenever you try to access a site in IE.

That is a symptom rather than the problem, though, so I will now need to look at the boot methods as above.

I have the Windows XP CD so can restore files if necessary.
Groundbased is offline  

#32, 26th Oct 2011, 11:46
Join Date: Dec 2005; Location: Wellington, NZ; Age: 66; Posts: 1,678
HijackThis (suggested above) might well point to the entry that is causing the issue.
It hasn't been developed much since TM took over, but is still serviceable.

HijackThis - Trend Micro USA

Last edited by Tarq57; 26th Oct 2011 at 11:47. Reason: link added
Tarq57 is offline  
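An added example, not code from the thread or from the HijackThis project: a small Python parser for HijackThis-style log lines (R0/R1 browser start/search page entries and O4 autostart entries) that flags the hijacked start page green granite describes in #23 and any autostart launched from a Temp folder, the kind of entry Avtrician (#21) and Tarq57 (#32) suggest looking for. The log excerpt is constructed; the dmx.exe path and the allowed-host list are assumptions, not findings from the thread.

```python
import re
from urllib.parse import urlparse

# Constructed HijackThis-style log excerpt (not a log posted in the thread).
# The start page uses the domain the thread names; the Temp-folder launcher
# "dmx.exe" is an assumed example path, not a known indicator.
SAMPLE_LOG = """\
Logfile of Trend Micro HijackThis v2.0.4
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://domdex.com/
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Search Page = http://www.google.com/
O4 - HKLM\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O4 - HKCU\\..\\Run: [updater] C:\\Documents and Settings\\User\\Local Settings\\Temp\\dmx.exe
"""

# Every HijackThis entry line starts with a section code such as R0, O4, O17.
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.+)$")

# Autostarts that run from these locations deserve a close look.
TEMP_MARKERS = ("\\local settings\\temp\\", "\\appdata\\local\\temp\\", "\\windows\\temp\\")


def parse_hijackthis(log_text):
    """Return (section, body) pairs for every entry line, skipping the header."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def flag_entries(entries, allowed_hosts, suspect_domain):
    """Flag entries mentioning the suspect domain, start/search pages on hosts
    outside allowed_hosts, and O4 autostarts launched from a Temp folder."""
    findings = []
    for section, body in entries:
        low = body.lower()
        if suspect_domain in low:
            findings.append((section, "mentions suspect domain: " + body))
        elif section in ("R0", "R1"):
            url = body.partition("=")[2].strip()
            host = (urlparse(url).hostname or "").lower()
            if host and host not in allowed_hosts:
                findings.append((section, "browser page points at " + host))
        elif section == "O4" and any(t in low for t in TEMP_MARKERS):
            findings.append((section, "autostart runs from a Temp folder: " + body))
    return findings


if __name__ == "__main__":
    for section, note in flag_entries(parse_hijackthis(SAMPLE_LOG), {"www.google.com"}, "domdex.com"):
        print(section, "-", note)
```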