Thermalsig
« on: October 14, 2010, 11:26:43 AM »

This is just a rant here folks. I visit exactly 4 sites on the web normally and use sandboxed if I'm off in the ether. However, I've got a son who uses this PC to go shit knows where. I've got this particularly nasty piece of shit that has evaded removal by Avast and Malwarebytes. It's been a long time since I hooked anything other than the typical BS that flushes easy. Oh well, time to dig in and do it the hard way. Damn, I'm such a whiner!
KingDazza
« Reply #1 on: October 14, 2010, 11:40:35 AM »

Sorry to hear that mate. I'm sure you've got a strategy in mind... safe mode / view start up registry / processes etc?
corroded
« Reply #2 on: October 14, 2010, 01:04:39 PM »

God Therm, whine a bit more already!!!!! We all of course get the irony here, right?
« Last Edit: October 14, 2010, 01:21:49 PM by corroded »
keasy
« Reply #3 on: October 14, 2010, 01:32:29 PM »

Have you done a HijackThis, mate, before you do anything drastic like?
"I just think most forums are populated by a rather high percentage of cocks ," - King Dazza.
Wooster
« Reply #4 on: October 14, 2010, 08:54:05 PM »

If you can get a handle on the process then you can suspend it using Procexp (killing them usually just invokes them to start up again), then get ripped into it with HJT as Keasy mentioned.
Trippynet
« Reply #5 on: October 14, 2010, 08:58:13 PM »

Blimey, it must be a nasty bit of shit if even Malwarebytes is flummoxed by it. 
Thermalsig
« Reply #6 on: October 14, 2010, 11:28:55 PM »

It's a browser hijacker. It has jumped twice already. Killing several suspected processes with HijackThis temporarily killed it, but it returned on reboot. I think I'm staring at a rootkit and a reformat. First to the pros though.
Wooster
« Reply #7 on: October 14, 2010, 11:40:34 PM »

Ahh, they're crafty bastards these days. 
Thermalsig
« Reply #8 on: October 14, 2010, 11:52:54 PM »

Quote from Wooster: Ahh, they're crafty bastards these days.

No shit. I looked down the barrel at some ugly things before, but this one seems determined to remain. There are about a billion other posts in the last 3 days about this same malware. I usually laugh at this, but I can't get out myself yet.
bashy
« Reply #9 on: October 14, 2010, 11:58:11 PM »

Give Spybot and Ad-Aware a shot too, you never know.
KingDazza
« Reply #10 on: October 15, 2010, 07:39:40 AM »

So it doesn't show in the start-up processes list? And when disabled via HijackThis or equivalent, it still reactivates at start-up in safe mode too?
Glamdring
« Reply #11 on: October 15, 2010, 09:08:49 AM »

You've obviously disabled Restore Points? It can hide in there.
I exist in a dark place where no light intrudes and none is promised. It's growing yet darker. I added this sig a year ago. It's a lot worse now...
keasy
« Reply #12 on: October 15, 2010, 09:10:31 AM »

Good point!
Thermalsig
« Reply #13 on: October 15, 2010, 10:37:37 AM »

Quote from KingDazza: So it doesn't show in the start-up processes list? And when disabled via HijackThis or equivalent, it still reactivates at start-up in safe mode too?

I wasn't able to actually point at one process as the culprit; I just removed all suspect non-needed entries with HijackThis in safe mode, but didn't restart in safe mode to check if it came back again. It popped back up on a normal restart. It's a browser hijacker, so its only effect is the redirect. I threw the log file up at HijackThis to see if they could spot it and they couldn't see anything either. Do you know somewhere else I could try that might be better?

Quote from Glamdring: You've obviously disabled Restore Points? It can hide in there.

No on the first try, yes on the second and third. Spybot S&D caught it (the only one to do so) and attempted to delete it. After the start-up scan and a clean scan (No Problems Found!), it promptly showed up again.
KingDazza
« Reply #14 on: October 15, 2010, 11:46:23 AM »

Not sure what else to suggest really, as tbh it's been literally years since I had any malware at all. The last one I had years ago, I just remember using the usual apps, establishing where it was rejuvenating itself from at start-up, then clearing the bugger out in safe mode. Usually for me in the past, they are always created from another location to where the actual live bugger is. Hence you delete it, but not the source/creator. That's why I was focusing on seeing what ran at start-up. I'd be inclined to install Avira personally as you can select on install for it to be a priority start-up app, i.e. it embeds and activates before nasties should get a chance to do their rejuvenating antics.
In short, try other AV/malware progs (start with Avira free) to see if any of them can detect the bastard at start-up, after just cleaning the live one with Spybot or whatever is succeeding with that part, before the reboot.
All the best with it - I know how infuriating these things can be. I take an image every 2 weeks, rather than running a mirror, just in case of this kind of malarkey.
« Last Edit: October 15, 2010, 11:47:57 AM by KingDazza »
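Since the approach in this thread is to find where the thing re-launches itself from at boot (the "source/creator" rather than the live copy), here is an added example, not from the thread or any of its posters, that lists the usual Windows autostart locations a browser hijacker uses and flags entries living in temp/profile paths or pointing at a file that no longer exists. It assumes Windows PowerShell 5 or later on the affected machine; every key and folder it reads is a standard one, and it only reads.

```powershell
# Added example (not from the thread): list common Windows autostart locations
# a browser hijacker can use to re-launch after reboot. Read-only queries.
$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding($loc, $name, $cmd) {
    $findings.Add([pscustomobject]@{ Location = $loc; Name = $name; Command = $cmd })
}

# Run/RunOnce keys (machine, user and 32-bit-on-64-bit view).
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own metadata
        Add-Finding $key $p.Name $p.Value
    }
}

# Winlogon Shell/Userinit: normally only explorer.exe and userinit.exe.
$wl = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
Add-Finding 'Winlogon' 'Shell' $wl.Shell
Add-Finding 'Winlogon' 'Userinit' $wl.Userinit

# Per-user and all-users Startup folders.
foreach ($d in [Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup')) {
    Get-ChildItem -Path $d -File -ErrorAction SilentlyContinue |
        ForEach-Object { Add-Finding $d $_.Name $_.FullName }
}

# Browser Helper Objects: each CLSID here loads a DLL into Internet Explorer.
$bho = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
Get-ChildItem $bho -ErrorAction SilentlyContinue | ForEach-Object {
    $srv = "Registry::HKEY_CLASSES_ROOT\CLSID\$($_.PSChildName)\InprocServer32"
    $dll = (Get-ItemProperty $srv -ErrorAction SilentlyContinue).'(default)'
    Add-Finding 'BHO' $_.PSChildName $dll
}

# Flag commands living in temp/profile paths or pointing at a file that is gone.
$findings | ForEach-Object {
    $exe = [string]$_.Command -replace '^"([^"]+)".*', '$1' -replace '^(\S+\.exe).*', '$1'
    $exe = [Environment]::ExpandEnvironmentVariables($exe)
    $suspect = ($exe -match '\\(AppData|Temp|ProgramData)\\') -or
               (($exe -match '^[A-Za-z]:\\') -and -not (Test-Path -LiteralPath $exe))
    $_ | Add-Member -NotePropertyName Suspect -NotePropertyValue $suspect -PassThru
} | Sort-Object Suspect -Descending | Format-Table -AutoSize
```

Run it before and again after a reboot; an entry that is gone after cleaning but back afterwards is the one being re-created, and its creator is somewhere else in the list.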