View Full Version : Help with computer virus


CATCH17
02-18-2012, 01:30 PM
I have a computer virus and I have no idea how to get it off.

I run Malwarebytes and Spybot. It detects and deletes what it finds but the virus is still there. I just can't get rid of it.


When I try to go to a website this pops up before it goes to some other random link


http://ninjaa.info


I would appreciate any help I could get because I can't figure this one out on my own.

Jenky
02-18-2012, 01:45 PM
Boot into safe mode. Turn off system restore, scan it, remove threats, reboot, turn system restore back on. Boot into Windows and see if anything is wrong.

CATCH17
02-18-2012, 02:19 PM
Boot into safe mode. Turn off system restore, scan it, remove threats, reboot, turn system restore back on. Boot into Windows and see if anything is wrong.

Alright. Thanks for responding. I know you know what you're talking about because you've helped silverbear before.

Going to try this...

cowboys#1
02-18-2012, 02:22 PM
combofix

CATCH17
02-18-2012, 02:41 PM
Alright, I tried turning off System Restore in safe mode and it didn't have an option to do that (Vista) that I could find.


Then I tried to turn it off in regular windows and it keeps searching for the disk.

CATCH17
02-18-2012, 03:32 PM
I got it turned off in normal windows, ran the scan in safe mode, found something with spybot, and it still has the problem.


I'm guessing it's a must to turn it off in safe mode....?

Sam I Am
02-18-2012, 03:34 PM
Open IE. Go into Tools->Internet Options->Connections->Local Area Network (LAN) Settings and make sure everything is unchecked. Especially the Proxy Server. (Even if you don't use IE, it's a Windows system-wide setting.)

Also note if the proxy server is selected. If it says localhost or 127.0.0.1 it means there is a proxy installed on your PC. If it has a remote address, then they just set it up to forward to their proxy.

Either way, change any passwords you've used since this started.
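The proxy check in the post above can be done without clicking through the dialog. The script below is an added example (not from the thread): it classifies the same three settings the LAN Settings dialog exposes, read from the per-user registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings (values ProxyEnable, ProxyServer and AutoConfigURL). The classification functions run on any OS; only `read_windows_settings()` needs Windows. The sample values in the tests are constructed.

```python
"""Triage WinINET proxy settings (the values behind IE's LAN Settings dialog).

Added example, not from the thread. Works anywhere; read_windows_settings()
is the only Windows-specific part.
"""
import ipaddress
from typing import Dict, List, Tuple

LOOPBACK_NAMES = {"localhost"}


def parse_proxy_server(value: str) -> Dict[str, str]:
    """Return {scheme: endpoint} from a ProxyServer string.

    Windows writes either "host:port" (one proxy for every protocol, keyed
    here as "*") or a per-protocol list like "http=h:80;https=h:443;socks=h:1080".
    """
    proxies: Dict[str, str] = {}
    for item in value.split(";"):
        item = item.strip()
        if not item:
            continue
        if "=" in item:
            scheme, _, endpoint = item.partition("=")
            proxies[scheme.strip().lower()] = endpoint.strip()
        else:
            proxies["*"] = item
    return proxies


def proxy_host(endpoint: str) -> str:
    """Strip scheme and port from an endpoint such as 'http://[::1]:8080'."""
    if "://" in endpoint:
        endpoint = endpoint.split("://", 1)[1]
    if endpoint.startswith("["):              # [ipv6]:port
        return endpoint[1:endpoint.index("]")]
    if endpoint.count(":") == 1:              # host:port
        return endpoint.rsplit(":", 1)[0]
    return endpoint                           # bare hostname or bare IPv6


def is_local_host(host: str) -> bool:
    """True when the proxy points back at this machine (localhost, 127.x, ::1)."""
    h = host.lower()
    if h in LOOPBACK_NAMES:
        return True
    try:
        return ipaddress.ip_address(h).is_loopback
    except ValueError:
        return False


def triage_proxy(proxy_enable: int, proxy_server: str,
                 auto_config_url: str) -> List[Tuple[str, str]]:
    """Return (kind, detail) findings.

    local_proxy  -> software on this PC is sitting in front of the browser
    remote_proxy -> traffic is being forwarded to another host
    pac_script   -> an automatic configuration script is set (the middle
                    checkbox in the dialog, easy to overlook)
    """
    findings: List[Tuple[str, str]] = []
    if auto_config_url:
        findings.append(("pac_script", auto_config_url))
    if proxy_enable:
        for scheme, endpoint in parse_proxy_server(proxy_server).items():
            kind = "local_proxy" if is_local_host(proxy_host(endpoint)) else "remote_proxy"
            findings.append((kind, f"{scheme} -> {endpoint}"))
    return findings


def read_windows_settings() -> Tuple[int, str, str]:
    """Read the live values on Windows (ProxyEnable, ProxyServer, AutoConfigURL)."""
    import winreg  # Windows only
    key = winreg.OpenKey(winreg.HKEY_CURRENT_USER,
                         r"Software\Microsoft\Windows\CurrentVersion\Internet Settings")

    def get(name, default):
        try:
            return winreg.QueryValueEx(key, name)[0]
        except FileNotFoundError:   # value absent means the box is unchecked
            return default

    return get("ProxyEnable", 0), get("ProxyServer", ""), get("AutoConfigURL", "")


if __name__ == "__main__":
    for kind, detail in triage_proxy(*read_windows_settings()) or [("clean", "no proxy configured")]:
        print(f"{kind:12} {detail}")
```

A local proxy finding is the case the post singles out: the process listening on that port is what to look for in Process Explorer. A remote finding means the address itself is the indicator worth keeping before you clear the setting.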

CATCH17
02-18-2012, 03:46 PM
Open IE. Go into Tools->Internet Options->Connections->Local Area Network (LAN) Settings and make sure everything is unchecked. Especially the Proxy Server. (Even if you don't use IE, it's a Windows system-wide setting.)

Also note if the proxy server is selected. If it says localhost or 127.0.0.1 it means there is a proxy installed on your PC. If it has a remote address, then they just set it up to forward to their proxy.

Either way, change any passwords you've used since this started.

Just looked and everything was already unchecked. Thank you.

Jenky
02-18-2012, 03:47 PM
In spybot, do you have the following checked?

http://img109.imageshack.us/img109/7767/sbot.jpg

CATCH17
02-18-2012, 03:52 PM
It's some kind of redirect virus.

CATCH17
02-18-2012, 03:53 PM
In spybot, do you have the following checked?

http://img109.imageshack.us/img109/7767/sbot.jpg

Let me look.

CATCH17
02-18-2012, 03:58 PM
Ok those were unchecked. Scanning again.. Do I need to turn off system restore again? Guess I do.

Jenky
02-18-2012, 04:00 PM
Ok those were unchecked. Scanning again.. Do I need to turn off system restore again? Guess I do.

I would, yes. When that's done go to this website (if you don't get redirected LOL) and download their rootkit scanner.

http://www.sophos.com/en-us/products/free-tools/sophos-anti-rootkit.aspx

Yeagermeister
02-18-2012, 04:02 PM
Ok those were unchecked. Scanning again.. Do I need to turn off system restore again? Guess I do.

If you have turned it off it stays off until you turn it back on.

Go here to download and run combofix

You may have to boot into safe mode with networking to get it to download.

http://www.bleepingcomputer.com/download/anti-virus/combofix

CATCH17
02-18-2012, 04:24 PM
If you have turned it off it stays off until you turn it back on.

Go here to download and run combofix

You may have to boot into safe mode with networking to get it to download.

http://www.bleepingcomputer.com/download/anti-virus/combofix

It runs the exe file then does NOTHING lol. Wow, I'm gonna restart and try again.

CATCH17
02-18-2012, 04:32 PM
I would, yes. When that's done go to this website (if you don't get redirected LOL) and download their rootkit scanner.

http://www.sophos.com/en-us/products/free-tools/sophos-anti-rootkit.aspx

Scan in safe mode?


It scans and then stops at hkey_local_machine.



The combofix wont even download for me :(

Jenky
02-18-2012, 04:45 PM
Scan in safe mode?


It scans and then stops at hkey_local_machine.



The combofix wont even download for me :(

How long does it scan for? Also is there a registry entry/key? Like is there a name attached to it?

Example: hkey_local_machine/location/location/location (depends how far in the hive you are)

CATCH17
02-18-2012, 04:46 PM
Yeah, Combofix just shows up nowhere after download.


After I try to download combofix it asks me if I want reduced functionality Yes/No. I've clicked on both and a blue screen that says administrator pops up and it's nowhere to be found again.

Jenky
02-18-2012, 04:46 PM
Combofix won't download for you? Something is blocking it then. I am able to download it. Can you put it on a USB stick from another computer?

CATCH17
02-18-2012, 04:46 PM
How long does it scan for? Also is there a registry entry/key? Like is there a name attached to it?

Example: hkey_local_machine/location/location/location (depends how far in the hive you are)

Ah, I gave up on it but maybe it's just really slow. Let me start it again.

couchscout
02-18-2012, 04:49 PM
If you have a second computer, or can go somewhere that has an extra computer, download the combofix there and put it on a flash drive. Then boot up the infected computer in safe mode, and run combofix off the flash drive. I've gotten rid of several viruses this way. McAfee Stinger is another good program you can run off of a flash drive that gets rid of most viruses, and it's free.

CATCH17
02-18-2012, 04:49 PM
Combofix won't download for you? Something is blocking it then. I am able to download it. Can you put it on a USB stick from another computer?

Good idea. I can do it but not till Monday :(.

Would trying to download it in Firefox help?

Jenky
02-18-2012, 04:54 PM
Good idea. I can do it but not till Monday :(.

Would trying to download it in Firefox help?

Yes, you can try that but you said you got to the blue screen where it's supposedly running.

Usually, when I am doing virus remediation I'll have process explorer running in the background so that I can see what the hell is running.

http://technet.microsoft.com/en-us/sysinternals/bb896653

You can sort by a variety of fields. I do it by process and cpu utilization to see what is happening LIVE. I bet there's something running on startup too. If you click on start -> run -> msconfig you can see what's loading on startup.

tupperware
02-18-2012, 05:05 PM
Also be sure that your hosts file is clean.

http://helpdeskgeek.com/windows-7/windows-7-hosts-file/

I could also email you combofix if you PM me your email address.

Normally you wouldn't just accept it from any person on a forum but I'd like to think I've been around here long enough to be somewhat trustworthy.

Jenky
02-18-2012, 05:11 PM
Also be sure that your hosts file is clean.

http://helpdeskgeek.com/windows-7/windows-7-hosts-file/

I could also email you combofix if you PM me your email address.

Normally you wouldn't just accept it from any person on a forum but I'd like to think I've been around here long enough to be somewhat trustworthy.

I had this posted but took it down after he saw it.

http://img252.imageshack.us/img252/7767/sbot.jpg

But yeah, you can check the hosts file manually too if you haven't done it.
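Checking the hosts file "manually", as tupperware and Jenky suggest above, means reading past the default `localhost` lines for two things: names pointed at an address that is not this machine (a redirect), and security or update sites pointed at loopback or 0.0.0.0 (which would explain a cleanup tool that refuses to download). The script below is an added example, not from the thread; the sample hosts text and its `203.0.113.x` address are constructed, and the vendor list is an assumption built from sites mentioned in this thread plus Spybot's and Windows Update's domains.

```python
"""Audit a Windows hosts file for redirects and blocked security sites.

Added example, not from the thread. parse_hosts() handles the real file
format (comments, blank lines, multiple names per line, a UTF-8 BOM);
audit_hosts() applies the two checks described in the thread.
"""
import ipaddress
from typing import Dict, Iterator, List, Tuple

# Assumed list for this example: sites whose blocking would hinder cleanup.
SECURITY_SITES = ("bleepingcomputer.com", "sophos.com", "malwarebytes.org",
                  "safer-networking.org", "windowsupdate.com", "update.microsoft.com")

# Constructed sample modelled on the default Windows hosts file layout.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# (constructed sample hosts file for this example)
#   102.54.94.97     rhino.acme.com          # source server
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.net             # ad-block style entry, not flagged
203.0.113.7     www.example.com search.example.com   # constructed redirect
127.0.0.1       www.bleepingcomputer.com    # constructed: blocks a cleanup-tool site
"""


def parse_hosts(text: str) -> Iterator[Tuple[int, ipaddress._BaseAddress, List[str]]]:
    """Yield (line number, address, [hostnames]) for every active mapping."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.lstrip("\ufeff").split("#", 1)[0].strip()   # drop BOM and comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue            # not an address, so not a hosts mapping
        yield lineno, ip, parts[1:]


def is_security_site(name: str) -> bool:
    """Suffix match against SECURITY_SITES (www.sophos.com matches sophos.com)."""
    return any(name == s or name.endswith("." + s) for s in SECURITY_SITES)


def audit_hosts(text: str) -> List[Dict]:
    """Return findings of kind 'redirect' or 'blocked_security_site'.

    Loopback/0.0.0.0 mappings of other names are left alone: that is how
    ad-blocking hosts lists work, so they are not evidence by themselves.
    """
    findings: List[Dict] = []
    for lineno, ip, names in parse_hosts(text):
        for name in names:
            n = name.lower().rstrip(".")
            if ip.is_loopback or ip.is_unspecified:
                if n == "localhost" or n.endswith(".localdomain"):
                    continue                                 # default entries
                if is_security_site(n):
                    findings.append({"line": lineno, "kind": "blocked_security_site",
                                     "ip": str(ip), "name": name})
            else:
                findings.append({"line": lineno, "kind": "redirect",
                                 "ip": str(ip), "name": name})
    return findings


if __name__ == "__main__":
    import sys
    # Real path of the Windows hosts file; falls back to the constructed sample.
    path = sys.argv[1] if len(sys.argv) > 1 else r"C:\Windows\System32\drivers\etc\hosts"
    try:
        with open(path, encoding="utf-8-sig") as fh:
            text = fh.read()
    except OSError:
        text = SAMPLE_HOSTS
    for f in audit_hosts(text):
        print(f"line {f['line']:>3}  {f['kind']:22} {f['ip']:>15}  {f['name']}")
```

Run against the constructed sample it reports the two redirected names on line 7 and the blocked download site on line 8, and nothing for the `localhost` or ad-block lines. A clean default Windows hosts file produces no findings at all, which is the state to restore before retrying the download.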

CATCH17
02-18-2012, 05:15 PM
Also be sure that your hosts file is clean.

http://helpdeskgeek.com/windows-7/windows-7-hosts-file/

I could also email you combofix if you PM me your email address.

Normally you wouldn't just accept it from any person on a forum but I'd like to think I've been around here long enough to be somewhat trustworthy.

Yeah I trust you tupperware.

I actually did get it to run and it just left me with a txt log.

Jenky
02-18-2012, 05:22 PM
What's the txt.log say? And do you get redirected in Firefox?

Wimbo
02-18-2012, 05:28 PM
Combofix is the best solution, usually. You may need to download it on another computer and run it off USB (as mentioned above) or CD. It takes a while to run, and does not give a lot of feedback. However, it is effective. There are instructions for how to use it on that link given above.

CATCH17
02-18-2012, 05:43 PM
What's the txt.log say? And do you get redirected in Firefox?

I can't even read this text log. It's just showing a bunch of file names.

It opened it up in a Notepad file so it's not like I can delete it or anything.


The antirootkit is still scanning though...

CATCH17
02-18-2012, 05:51 PM
Ok the Rootkit scan is complete. Now what do I do?

Jenky
02-18-2012, 06:11 PM
Ok the Rootkit scan is complete. Now what do I do?

What do you see in the dialog box? Unknown hidden files? Anything else? A lot of it is going to be cached internet stuff. You'll be able to see the full file path of detected items if you maximize the rootkit program and expand the location bar.

Look at the file locations and endings. Look for .exe or any suspicious registry keys (if found).

Highlight it. It should say if it recommends you removing it.

Jenky
02-18-2012, 06:12 PM
I can't even read this text log. It's just showing a bunch of file names.

It opened it up in a Notepad file so it's not like I can delete it or anything.


The antirootkit is still scanning though...

Yeah, that txt file should open in Notepad and you should see a log of what Combofix did.

Also, do you get redirected in Firefox? It better not be some simple toolbar... or your home page better not be set to that URL. Open up Control Panel -> Internet Options. Click the General tab and make sure you have the correct home page set. Clear everything in your browsing history, go to the Advanced tab and reset the Internet Explorer settings.

CATCH17
02-18-2012, 06:35 PM
It's fixed!

Thank you guys for all of your help!

JonJon
02-18-2012, 07:02 PM
Glad you got it fixed. I was just about to post because I had a similar virus last week. When you get redirect viruses like those, it's good to run the scan with your internet turned off. Some viruses use backdoor hacks with changes in your registry to re-download the same virus you are trying to rid yourself of if the internet is connected. Also, I would get AVG Anti-Virus 2012 free edition along with Malwarebytes. They work well together, and if one program lets a virus slip through the cracks during a scan, the other usually catches it.

Wimbo
02-18-2012, 09:28 PM
;)


http://i.imgur.com/Im7Y2.jpg