I need computer help :(
J_Lynn
03-12-2012, 02:43 PM
I think I have a virus *sigh*
When I go to Google, it just says "Welcome to nginx!" Well, I did a Yahoo search (and holy hell, let me tell you .... it took me a second to think of how I was going to search for things since Google wasn't working....lol) and from what people said on the interwebz, I have a virus. Well, I've run Norton - it came up with not a damn thing (shocker...) I ran AdAware, Spybot .... it came up with files, I tried to delete them - it says I don't have administrative power to delete those files. This is on an HP desktop ... does anyone have any ideas on what I can do? This is pissing me off :(
47_MasoN_47
03-12-2012, 03:04 PM
http://www.bleepingcomputer.com/download/anti-virus/combofix
I have yet to run into a virus that can survive a good blast from combofix.
EDIT: and I work at an IT consulting firm, so I get to deal with these at least on a weekly basis.
J_Lynn
03-12-2012, 03:18 PM
Ahhh you're the best!!
Do I need to remove spybot or adaware?
J_Lynn
03-12-2012, 03:42 PM
I seriously owe you like a box of ammo or something, because IT WORKS. Ahhhh it got everything that no other anti-virus has been able to get. I don't even know what it was, because it just popped up with a notepad full of computer talk, and I said "Well - I hope that worked" and it did :) AHHH YEAHHH!!! Thank you!!
47_MasoN_47
03-12-2012, 04:03 PM
:D w00t!
J_Lynn
03-14-2012, 02:18 PM
It's back :( It's doing that stupid "Welcome to Nginx!" on Google and Youtube again.
I ran all the virus programs again, and the one you posted the link to - and it says there's nothing there, so I don't know.
I hate computers.
CTScott
03-14-2012, 02:35 PM
Go to the folder: c:\windows\system32\drivers\etc and open the file called "hosts". You can double click on it and then select notepad as the app to open it with.
If there are any lines beyond what you see below, then delete them, as they are acting as overrides:
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
127.0.0.1 localhost
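The manual check described in the post above can also be scripted. This is an added example, not part of the original thread: it parses hosts-file text and reports every active line that goes beyond the default `localhost` mapping. The function names and the sample entries are assumptions made up for illustration.

```python
import ipaddress

# Names the stock Windows hosts file maps to loopback.
DEFAULT_NAMES = {"localhost"}

def active_entries(text):
    """Yield (line_no, ip, [hostnames]) for every non-comment hosts line."""
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop full-line and trailing comments
        if line:
            fields = line.split()
            yield no, fields[0], fields[1:]

def find_overrides(text):
    """Return entries beyond the default 'localhost -> loopback' mapping."""
    findings = []
    for no, ip, names in active_entries(text):
        try:
            loopback = ipaddress.ip_address(ip).is_loopback
        except ValueError:
            loopback = None
        if loopback is None or not names:
            findings.append((no, ip, names, "malformed entry"))
            continue
        extra = [n for n in names if n.lower() not in DEFAULT_NAMES]
        if extra:
            reason = "blocked (mapped to loopback)" if loopback else "redirected"
            findings.append((no, ip, extra, reason))
        elif not loopback:
            findings.append((no, ip, names, "localhost remapped"))
    return findings

# Constructed sample: default lines plus two made-up overrides.
# 203.0.113.7 is a documentation-range address, not a value from the thread.
SAMPLE = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# 102.54.94.97 rhino.acme.com # source server
127.0.0.1 localhost
203.0.113.7 www.google.com google.com   # constructed override
127.0.0.1 blocked.example.test
"""

if __name__ == "__main__":
    # On a real machine, read C:\Windows\System32\drivers\etc\hosts instead of SAMPLE.
    for no, ip, names, reason in find_overrides(SAMPLE):
        print(f"line {no}: {ip} -> {' '.join(names)} ({reason})")
```

An empty result means the file holds no overrides, which is the situation reported later in the thread, so the redirect has to be coming from somewhere other than the hosts file.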
J_Lynn
03-14-2012, 11:34 PM
Hey lynn
You didn't tell me how you ran the anti-virus. The problem with these viruses is that they are not the same as they were a couple of years ago, the great majority now are able to hide themselves and generate random names for files that trick the antivirus software into deleting simply a clone file. You MUST boot your rig in safe mode, this limits what gets loaded and therefore the virus won't have the ability to clone itself. Also this sounds a lot like a browser hijack, what is your default browser?
Also Scott's idea with the host file, although a good one, is moot if the core of the virus is still intact since it will just modify the file again.
Once you clean your system, there is a host file I will post for you that basically protects you against a lot of known malware sites.
I did do it in safe mode :/ It didn't come up with anything there either :(
J_Lynn
03-14-2012, 11:35 PM
Doing that now :)
J_Lynn
03-15-2012, 11:34 AM
This is all that came up when I pulled up the notepad after going into that file:
127.0.0.1 localhost
that's it :/
it's a 1k file, so it's not big at all ... I have no idea why that's all that's there.
I hate computers, I really do.
J_Lynn
03-15-2012, 11:35 AM
OK, you mind telling me what software you have running for getting rid of stuff, and are you running them one at a time or together?
A very reliable piece of software is HiJackThis. It has two functions: one will scan your computer for unknown processes and attempt to kill them, and will provide you with a list of all the processes that are running, which you can then submit for analysis.
I have Spybot, AdAware, and Norton - and then I ran the above that Mason linked.
I'm going to look up the HiJackThis now.
I thank y'all SO much for helping with this!!
47_MasoN_47
03-15-2012, 12:49 PM
HiJackThis has caused me some problems before. I've accidentally a few client computers with that, that's why I switched to ComboFix.
You may have a rootkit. Try booting into safe mode and running TDSSKiller - link here (http://support.kaspersky.com/downloads/utils/tdsskiller.zip)
See if that picks anything up.
Do you have all of those installed at the same time? That alone can cause issues, and can make it harder for other programs to figure out what viruses you have.
47_MasoN_47
03-15-2012, 05:07 PM
Yeah Norton sucks. I liked the enterprise version of Kaspersky until this latest one. It's a POS. Version 6 was rock solid though. Norton is exactly as PK described though, a bloated pig.