I suspect I have a virus but nothing is turning up

A couple of days ago I was trying out programs that convert Flash video to other formats. I was downloading trial editions of software off download.com. One program, when I tried to install it, caused McAfee to freak out, so I aborted the install and had McAfee clean up what it thought was a threat. Did a scan, everything looked ok. However, since then I have had two popups that I couldn’t explain from websites that normally don’t give me popups. The window looked like a Windows Explorer box with a scan running saying that “MS antivirus has found a threat, click here to clean your system.” One of them happened while I was browsing here.

McAfee comes up clean.
Malware Bytes showed nothing
Hijackthis comes up with nothing unexpected
I tried Spybot just as an extra check.

I ran what I could in both normal and safe mode. I’m running Vista in the highest security mode. So if anything does try to install, the os stops everything and asks me repeatedly if I want to install anything.

So besides nuking it from orbit, what should I do?

You have rogue antispyware, probably a new strain if MBAM didn’t detect it. Try SuperAntiSpyware, and if that doesn’t work, try it again along with MBAM in a week or so.

If you are comfortable enough, download and try ComboFix. You may have to rename the executable to get it to run if you have a really crafty infection. I tend to ignore the bit about creating the recovery console. After rooting out rootkits, MalwareBytes and SuperAntiSpyware (both great products in their own right) may give you better results.

Check with Rootkit Revealer to see if you’ve got yourself a hider.

Receptionist just got this one today, even with regular nightly scans with Spybot and AVG. I installed the latest version of MBAM, flipped her machine over to safe mode, and did a scan: Came back positive for Vundo/Virtumonde.

That fucker. I hate it with the passion of a thousand suns. I’m also hating AVG more and more for not being able to see it.

Just bought another license for the protection-enabled version of MBAM, and I’m stripping out AVG from yet another machine.

And the follow-up to this is that Vundo may have gotten onto her machine via SmitFraud.

Her hosts file was locked down by Spybot, but HijackThis found a compromised entry in the registry.

You may want to check out http://www.bleepingcomputer.com/files/sdfix.php.

Rogue. Surprised that MBAM didn’t catch it. Also recommend SuperAntispyware and Avira Rescue CD (http://www.free-av.com/en/products/12/avira_antivir_rescue_system.html).

I’m having a hell of a time with something similar with my Vista machine at home.

I noticed that Windows Update, which is set to auto-download but apply when I tell it to, hasn’t done anything in a while. Windows Defender is giving me that little “hey you should update your definitions” icon. So I go to update Windows Defender’s definitions, and I get error 0x80072EFD. I go to Windows Update, same error. Hmm…

I do some searching, which leads me to check my HOSTS file. It’s full of junk! I have something! I nuke my hosts file, reboot, and start scanning…

MBAM: comes up clean
SuperAntiSpyware: comes up clean, save for 50 ad tracking cookies (not a big deal)
HiJackThis: nothing at all suspicious
BitDefender: I leave this running all the time and it has never warned me, but I did an update and scan and it came back clean.

Among all this I have also flushed my DNS cache and so on and so forth.

Windows Update hasn’t grabbed anything more recent than 2/20. Given that there seems to be a new Windows Defender definition update once or twice a week, if not more, that’s really weird. And I still can’t connect: I get error 0x80072EFD. That error code corresponds to the ever-useful “unable to connect” description.

With the exception of my HOSTS file being full of guff, which may have been there since the last time I got some kind of infection months ago for all I know, I show no other symptoms of being infected. I’m not getting unusual popups or ads in places where I don’t expect them, or experiencing any other behavior I wouldn’t expect to.

Still, I can’t connect to Windows Update, which is troubling to say the least.

Thoughts?
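The symptom described in this post (a HOSTS file "full of junk" that leaves Windows Update and Defender unable to connect) is easy to check for mechanically. The following script is an added example, not code from anyone in this thread: it parses HOSTS-file text, ignores the normal loopback and Spybot-style immunization entries, and reports two things a defender cares about: update or security-vendor hostnames pinned to a blocking address (which silently breaks updates), and any hostname redirected to a routable address. The watched-domain list and the sample HOSTS content are constructed for illustration; the 203.0.113.0/24 address is a documentation range, not a real server.

```python
"""Audit a Windows HOSTS file for tampering that blocks updates or redirects traffic.

Added example for this thread, not the original poster's code. Run as-is to
audit the constructed sample, or pass a path (e.g. the Windows HOSTS file at
%SystemRoot%\\System32\\drivers\\etc\\hosts) as the first argument.
"""
import ipaddress
import sys

# Hostnames that updates and definition downloads depend on. An entry that pins
# any of these to loopback/0.0.0.0 blocks them; an entry pointing them at a
# routable address redirects them. Illustrative list for this example.
WATCHED_SUFFIXES = (
    "windowsupdate.microsoft.com",
    "update.microsoft.com",
    "windowsupdate.com",
    "download.microsoft.com",
    "mcafee.com",
    "symantec.com",
    "malwarebytes.org",
)

# Addresses that "black-hole" a name rather than redirect it. Ad-blocking and
# Spybot immunization lists use these legitimately for unwatched hosts.
BLOCKING_ADDRESSES = {"127.0.0.1", "::1", "0.0.0.0"}

BLOCKED = "update/security host pinned to a blocking address"
REDIRECTED = "redirected to a routable address"


def parse_hosts(text):
    """Return (lineno, ip, hostname) for each active mapping in HOSTS text."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        ip, *names = parts
        try:
            ipaddress.ip_address(ip)  # skip malformed lines rather than guess
        except ValueError:
            continue
        for name in names:
            entries.append((lineno, ip, name.lower()))
    return entries


def is_watched(hostname):
    """True if hostname is one of the watched domains or a subdomain of one."""
    return any(hostname == s or hostname.endswith("." + s) for s in WATCHED_SUFFIXES)


def audit_hosts(text):
    """Return (lineno, hostname, ip, reason) for every suspicious mapping."""
    findings = []
    for lineno, ip, name in parse_hosts(text):
        if ip not in BLOCKING_ADDRESSES:
            # Any name sent to a real address is a redirect; HOSTS files have
            # no legitimate reason to do this on a typical end-user machine.
            findings.append((lineno, name, ip, REDIRECTED))
        elif is_watched(name):
            findings.append((lineno, name, ip, BLOCKED))
        # "127.0.0.1 localhost" and black-holed ad servers are normal: not flagged.
    return findings


# Constructed sample: a stock header, one immunization entry, then entries of
# the kind malware adds to stop updates and to redirect a popular site.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# Spybot-style immunization entry (expected, not flagged)
127.0.0.1       www.some-adserver.example
# Entries below are constructed to look like malware additions
127.0.0.1       windowsupdate.microsoft.com
127.0.0.1       update.microsoft.com
127.0.0.1       www.mcafee.com
203.0.113.7     www.google.com
"""


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HOSTS
    for lineno, name, ip, reason in audit_hosts(text):
        print(f"line {lineno}: {name} -> {ip}: {reason}")
```

Flagged entries should be compared against what the machine's update client actually needs before deleting them; a clean HOSTS file on Vista contains little beyond the localhost lines, so anything else that is not a deliberate ad-block entry deserves a look.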

Perhaps it’s PIFTS.exe?

Just kidding.

http://www.theinquirer.net/inquirer/news/353/1051353/african-executable-raises-symantec-hackles

http://voices.washingtonpost.com/securityfix/2009/03/symantec_users_complain_of_mys.html

Well that’s interesting and all, but the PIFTS.exe problem is Norton specific. It’s also a case of a warning popping up - both the OP and I have an issue where we have a symptom, but scans come back totally clean. :/

I had my Vista install go a little shenanigans a while ago, it did that among other things. You can download the Defender definitions from the MS site if you wish, but I don’t think it will find anything. I wasn’t able to connect this and other weird behavior with any virus/spyware, and I invested some time in it.

The pifts.exe “incident” smells a bit like 4chan.* I love that they included the post titles.

*Edit: The post deleting, not the file itself.

I’ve tried everyone’s suggestions and nothing has turned up yet. However, I haven’t seen the weird popup again either since posting the initial message.