Still Infected?

Discussion in 'Malware Help (A Specialist Will Reply)' started by ChrisA, Jan 26, 2010.

  1. ChrisA

    ChrisA Private E-2

    After over a month of problems, I am not certain whether or not my machine is clean.

    Problems began in mid-December when I became infected with something redirecting Google searches. I was running XP Home SP3 with all updates, AVG9 with daily updates and Zone Alarm. AVG 9 performed daily scans (in the middle of the night) but, apart from tracking cookies, had found nothing.

    The Google redirects only happened when I was browsing with IE8; Google behaved normally with FireFox.

    A scan with Malwarebytes Anti-Malware found, quarantined and deleted a number of items (which surprised me) but the problem continued. Further scans with SAS and SpyBot Search & Destroy only found tracking cookies.

    A few days later, without any intervention from me, the redirect problem disappeared. But it came back 24 hours later. A scan with MBAM once again found some items, quarantined and deleted them but the redirect problem continued. Other scans found only tracking cookies.

    Over the next few days the Google redirect issue disappeared and reappeared several times - more or less randomly as far as I could tell.

    Around Christmas, it disappeared again and, to date has not returned. However, IE 8 runs much more slowly than I would expect and programs take much too long to open. Repeating the various scans finds nothing (other than tracking cookies).

    One final clue - though this may be a total red herring - every time I reboot, there is intense disk activity for 45-50 minutes. During this period of activity, only about 4% of CPU is used (I have an AMD Phenom II 955 and 4GB of memory) but everything is unbelievably slow - e.g. 30 seconds to open IE then another 20 seconds to load Google's page, and programs take about four times as long as normal to load.

    However, just by accident, I discovered that if I physically unplug my internet connection during a re-boot and then leave it unplugged while Windows opens and all the start-up programs load before plugging it back in, then the PC does not go through the period of disk activity at all and everything seems much quicker.

    I have followed all the advice on what to do before using the tools you suggest and the various log files are now attached. I would just make the following observations which might be relevant: ComboFix did two restarts that were not mentioned in the Guidance - it restarted after installing Recovery Console (which I expected), then shortly after beginning its scan it found something and said it needed a restart. Foolishly I did not write down the details of what it found because I assumed it would go in the log but I am not sure if it did! I think it might have mentioned the word "Rootkit" (sorry not to be more helpful). Later, it deleted a whole lot of .dll files and some folders and then did another restart.

    I was also unable to run Rootrepeal - a copy of its crash report is available but there doesn't seem to be space to upload it.

    I apologise for the length of this but I have tried to be comprehensive in the hope that it will help.
     

  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Combo found a MBR infection and healed it. I am not seeing anything in your logs.

    However, I would like you to go to start / run / and type:
    services.msc

    Scroll down to IGRXTPCH. Right click and tell me what the properties are, as in signed and date.
     
  3. ChrisA

    ChrisA Private E-2

    Hi TimW

    Many thanks for assisting me.

    In the properties section of IGRXTPCH I found the following:

    On the "General" Tab:
    Service Name: IGRXTPCH
    Display Name: IGRXTPCH
    Description: (This box was blank)
    Path to Executable: C:\DOCUME~1\Chris\LOCALS~1\Temp\IGRXTPCH.exe
    Startup type: Disabled
    Service Status: Stopped

    On the "Log On" Tab:
    Local System account Radio Button - selected
    Allow service to interact with desktop - box checked
    Rest blank except: Hardware Profile 1 Service enabled

    On "Recovery" Tab:
    All three "failure" boxes: Take No Action
    Reset fail count after: 0 days
    Rest greyed out

    On "Dependencies" Tab:
    All greyed out

    Maybe I am missing something very obvious (or completely misunderstood your request) but I couldn't find any references to properties being signed or dated.

    Regards

    Chris
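    The manual check TimW asked for above (open services.msc, find the service, look at its executable path, signing and dates) and the properties Chris then reported (binary under a Temp folder, running as Local System, "Allow service to interact with desktop") can be gathered in one pass. The following is an added example, not part of the thread or of any MajorGeeks tool: a PowerShell function that lists every service whose executable lives under a Temp directory and reports the binary's Authenticode signature status and file timestamps. It assumes PowerShell 2.0 or later is available on the machine being checked; the only thread-specific value it uses is the `\Temp\` path pattern, and the `$TempPattern` parameter name is the example's own.

```powershell
# Added example (not from the thread): enumerate services whose executable
# runs from a Temp folder and report signing and timestamp details for each.
# Assumes PowerShell 2.0+; the Temp-path regex is the only page-specific value.

function Get-SuspiciousTempServices {
    param(
        # Regex for paths a legitimate service should not normally run from.
        # Matches both the short-name XP path (...\LOCALS~1\Temp\...) and
        # the modern ...\AppData\Local\Temp\... form.
        [string]$TempPattern = '\\Temp\\'
    )

    Get-WmiObject -Class Win32_Service | ForEach-Object {
        $svc = $_
        # PathName may be quoted and may carry arguments; keep the executable only.
        $exe = $svc.PathName
        if (-not $exe) { return }
        if ($exe -match '^"([^"]+)"')  { $exe = $matches[1] }
        elseif ($exe -match '^(\S+)') { $exe = $matches[1] }

        if ($exe -notmatch $TempPattern) { return }

        # Collect the same fields visible on the General / Log On tabs of
        # services.msc, plus the signature and dates TimW asked about.
        $info = New-Object PSObject -Property @{
            Name      = $svc.Name
            Display   = $svc.DisplayName
            StartMode = $svc.StartMode
            State     = $svc.State
            Account   = $svc.StartName
            Path      = $exe
            Exists    = (Test-Path -LiteralPath $exe)
            Signature = 'file missing'
            Created   = $null
            Modified  = $null
        }
        if ($info.Exists) {
            $f = Get-Item -LiteralPath $exe
            $info.Created   = $f.CreationTime
            $info.Modified  = $f.LastWriteTime
            # Status is Valid, NotSigned, HashMismatch, UnknownError, etc.
            $info.Signature = (Get-AuthenticodeSignature -FilePath $exe).Status
        }
        $info
    }
}

# Usage: print every matching service with all fields.
Get-SuspiciousTempServices | Format-List
```

    A service entry whose binary is gone (as Chris found later in the thread, most likely because ComboFix removed the file) shows up with `Exists = False` and `Signature = file missing`; that orphaned entry is still worth noting, because a Disabled/Stopped service with a missing binary is harmless, but the same name reappearing with an Automatic start mode would indicate the infection is back.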
     
  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You did fine. I just can not find anything on that service, so I don't know if it is good or bad. Let's leave it for a while and see if you have any issues. The other thing to do is to go to the C:\DOCUME~1\Chris\LOCALS~1\Temp\IGRXTPCH.exe file and rename it by just adding a .old to the end. If there are no issues that occur with your system, then after a while we can delete it.
     
  5. ChrisA

    ChrisA Private E-2

    Hi again

    Maybe it is just me, but I cannot find that file anywhere on my C:\ drive. I have looked myself and had Windows Explorer search for it - but nothing!

    Regards

    Chris
     
  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Good to know.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real-time protection. They are useful as backup scanners. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /u, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Go to add/remove programs and uninstall HijackThis.
    6. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    7. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures in step 3 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    8. After doing the above, you should work thru the below link:
     
  7. ChrisA

    ChrisA Private E-2

    Hi TimW

    Followed your "final steps" and everything here seems fine.

    Many thanks for your help - it is very much appreciated.

    Regards

    Chris.
     
  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You are most welcome. Safe surfing. :)
     