Topic: Annoying startup problem


Buckshee Rounds
Annoying startup problem
Can't be arsed registering myself on a tech forum so I thought I'd post here. I recently had a spell with the Vista Total Security malware crap. After a day of cleaning my machine of viruses and the like I finally got things back to normal, except every time I start up the machine and log in Firefox starts up immediately, fixed on my homepage. It opens another two windows with my homepage a few seconds later. While it doesn't seem to be doing anything malicious it is really f*cking annoying.

I deleted Firefox in its entirety, including the script files that I couldn't (via McAfee file shredder). When I restarted the machine Internet Explorer started doing the exact same thing. Something somewhere is telling the default internet browser to pop up on startup and I've no idea what it is. To be sure, I deleted IE as well and when I restarted my machine everything was fine. When I reinstalled Firefox, same sh*t again. I've scanned my machine with all manner of anti-virus kit and I'm 78% sure there's nothing lurking around.

Can any of HLP's mighty tech gurus lend an opinion? Any help much appreciated, this is driving me insane.
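The symptom in the post (a browser launching by itself right after logon) almost always traces back to an autostart entry somewhere. The script below is an added example, not code from anyone in the thread: it lists the usual logon launch points read-only and pulls out the entries whose command line mentions a browser or a URL. It assumes PowerShell 3.0 or later running elevated on Vista/7; the browser name list and the English schtasks column names are assumptions.

```powershell
# Added example, not code from the thread: read-only inventory of the places
# Windows starts programs from at logon, with the entries that launch a browser
# or a URL pulled out separately. Assumptions: PowerShell 3.0+, run elevated
# on Vista/7; the browser name list below is a guess, extend it as needed.

$browserPattern = 'firefox|iexplore|chrome|opera|safari|https?://'

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)

$findings = New-Object System.Collections.ArrayList

function Add-Finding($source, $name, $command) {
    [void]$findings.Add([pscustomobject]@{ Source = $source; Name = $name; Command = [string]$command })
}

# Run / RunOnce values: every value under these keys is a command line.
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # provider bookkeeping, not registry values
        Add-Finding $key $p.Name $p.Value
    }
}

# Winlogon Shell and Userinit: the normal values are "explorer.exe" and
# "C:\Windows\system32\userinit.exe," (trailing comma). Anything appended
# after the comma runs at every logon before the desktop appears.
$winlogon = Get-ItemProperty 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
Add-Finding 'Winlogon' 'Shell'    $winlogon.Shell
Add-Finding 'Winlogon' 'Userinit' $winlogon.Userinit

# Startup folders (per-user and all-users). Shortcuts are resolved to their target.
$shell = New-Object -ComObject WScript.Shell
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    (Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs\Startup')  # Vista/7 layout
)
foreach ($dir in $startupDirs) {
    if (-not (Test-Path $dir)) { continue }
    foreach ($item in Get-ChildItem -Path $dir -Force) {
        $cmd = $item.FullName
        if ($item.Extension -eq '.lnk') {
            $lnk = $shell.CreateShortcut($item.FullName)
            $cmd = "$($lnk.TargetPath) $($lnk.Arguments)"
        }
        Add-Finding $dir $item.Name $cmd
    }
}

# Scheduled tasks through schtasks.exe, which exists on XP/Vista/7 where the
# ScheduledTasks cmdlets do not. Column names are the English ones; schtasks
# repeats its header line per task folder, so those rows are filtered out.
schtasks /query /fo CSV /v 2>$null | ConvertFrom-Csv |
    Where-Object { $_.TaskName -ne 'TaskName' -and $_.'Task To Run' } |
    ForEach-Object { Add-Finding ('Task ' + $_.TaskName) $_.'Scheduled Task State' $_.'Task To Run' }

'=== All autostart entries ==='
$findings | Format-Table -AutoSize -Wrap

'=== Entries that launch a browser or a URL (look at these first) ==='
$findings | Where-Object { $_.Command -match $browserPattern } | Format-Table -AutoSize -Wrap
```

The second table is the one to read: a Run value, a Winlogon Userinit suffix or a scheduled task pointing at firefox.exe with a URL argument explains the symptom directly, and the Source column says where to look. Reinstalling the browser does not touch any of these locations, which is why the behaviour came back.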

 

Fury
Re: Annoying startup problem
- Copy your personal files to other media using a Linux boot CD. Preferably something like a USB hard drive that has been reformatted while connected to a clean computer.
- Reformat your PC's hard drives.
- Reinstall OS, drivers, software.
- Run a virus scan on the media you copied your personal files to. If it checks out clean, you can copy them back to your hard drive(s).

Any other method will never guarantee you get rid of virii and malware. Some are tougher and not even a simple reformat gets rid of them; those are luckily rare.

 
 

Buckshee Rounds
Re: Annoying startup problem
Tried Autoruns, deleted a load of entries (including registry), still got it. I might take you up on your suggestion Fury, just as soon as I find time and money to buy some form of backup. Thanks for the replies.

 

Nuke
Re: Annoying startup problem
- Copy your personal files to other media using a Linux boot CD. Preferably something like a USB hard drive that has been reformatted while connected to a clean computer.
- Reformat your PC's hard drives.
- Reinstall OS, drivers, software.
- Run a virus scan on the media you copied your personal files to. If it checks out clean, you can copy them back to your hard drive(s).

Any other method will never guarantee you get rid of virii and malware. Some are tougher and not even a simple reformat gets rid of them; those are luckily rare.

If you're gonna reformat you might as well nuke your partitions. If I have reason to believe that the virus is still present, then I will do a zero write to the drive as well.
I can no longer sit back and allow communist infiltration, communist indoctrination, communist subversion, and the international communist conspiracy to sap and impurify all of our precious bodily fluids.

Nuke's Scripting SVN

 

Buckshee Rounds
Re: Annoying startup problem
- Copy your personal files to other media using a Linux boot CD. Preferably something like a USB hard drive that has been reformatted while connected to a clean computer.
- Reformat your PC's hard drives.
- Reinstall OS, drivers, software.
- Run a virus scan on the media you copied your personal files to. If it checks out clean, you can copy them back to your hard drive(s).

Any other method will never guarantee you get rid of virii and malware. Some are tougher and not even a simple reformat gets rid of them; those are luckily rare.

If you're gonna reformat you might as well nuke your partitions. If I have reason to believe that the virus is still present, then I will do a zero write to the drive as well.

Flew really neatly over my head. What do you mean by nuking partitions? Is it the only way to be sure? /pun

 
Re: Annoying startup problem
I think he means perform a total erasure of the hard drive, not just the C: drive. Completely blank slate, if you will.
"You need to believe in things that aren't true. How else can they become?" -DEATH, Discworld

 

jr2
Re: Annoying startup problem
You know you could always try loading up a live CD with an anti-virus. You see, a lot of newer viruses hide themselves by injecting themselves into a critical Windows system file (one tactic picks a random one; I've seen atapi.sys and a few others personally). When the Windows file loads, the virus loads too. The system file is running basically above all restrictions; it loads before the anti-virus. So, when the anti-virus loads and asks to scan the file, the virus is high enough in the OS to hand over a clean copy of the file to the AV scanner. The file passes detection and the virus continues on its way.

Get one of the following (or both) and burn them to CD (write the image file to disc, don't just burn the .iso file as a data file onto a data-mode disc), then boot from the CD while connected to the internet via an Ethernet cable (so the AV software can update itself before beginning the scan; you can unplug once the update completes).

http://download.bitdefender.com/rescue_cd/

and/or

http://www.avg.com/us-en/avg-rescue-cd

then load the OS normally and clean up with

http://www.malwarebytes.org/

- use the free version, you are just cleaning up the leftovers; however you can buy the full version if you want for a $30 something one-time fee; the full version has resident protection (it scans the memory and opened files for viruses) whilst the free version is pretty much only good for cleaning up after removing the main body of threat or for nuisance malwares. (That is because the nastier viruses will actually end the malwarebytes task and delete the program; that is how they make sure your normal anti-virus doesn't catch it if it gets updated)

This works in 90% of the cases; otherwise, you will have to do a nuke-and-pave, as Nuke said.  (This is also the only absolutely sure way you can get rid of the virus)

An alternative to the nuke and pave is to download a Windows live CD or a Linux live CD like Mint or Ubuntu, boot off the CD, make a new folder (maybe called "backup") in the root of your hard disk, copy all of your profile information (documents, music, downloads, the desktop, etc. --- XP: it will be driveletter:\Documents and Settings\username; Vista or 7: it will be driveletter:\Users\username) into that backup directory, delete all files from all other directories besides your backup directory, EDIT: including all of the files in the root directory (but not the backup folder; in other words, there should be one item on your hard disk, and that is just the backup folder) and then boot from a Windows install disk. NOT A FACTORY RECOVERY DISK FROM THE MANUFACTURER!!! The turds will wipe your hard disk, including the backup directory!

After you re-install the OS, install a good anti-virus. I'd recommend (free) AVG, or maybe Avast! or (non-free) BitDefender, maybe Trend Micro. You can also do a folder scan of the backup directory with Malwarebytes; the free version will work flawlessly for that. After your backup directory is scanned, then you can copy the files back to your regular user profile directories.

That method should pretty much be foolproof: you're booting from a clean disk, moving some files around, deleting anything where the new OS will be installed (name-wise, I mean; obviously it's not going to be the same physical location on the disk and no, that does not in fact matter), and your OS CD will install a new boot sector on the hard disk. However, you should definitely scan booting from a CD with an anti-virus on it as well as all of that.
« Last Edit: April 16, 2011, 08:33:38 pm by jr2 »
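The "copy the profile into \backup, wipe everything else, reinstall" procedure from the post above, scripted as an added example (not jr2's code, and not part of the thread). It is meant to be run from a Windows live CD / WinPE that has PowerShell and can write NTFS, with the infected disk mounted. Assumptions: the infected volume shows up as D:, the OS is Vista/7 (profiles under \Users), and the account to keep is passed as -UserName. Nothing is deleted unless -Commit is given, so the first run is a dry run that prints what would go.

```powershell
# Added example, not code from the thread: scripted "backup the profile, wipe the
# rest" step of the procedure described above. Run from a Windows live CD / WinPE
# PowerShell with the infected disk attached. Assumptions: infected volume is D:,
# Vista/7 profile layout, and nothing is removed without -Commit.
param(
    [string]$Volume   = 'D:',        # assumption: the infected disk as seen from the live CD
    [string]$UserName = 'buckshee',  # assumption: the account whose profile to keep
    [switch]$Commit                  # without this, the deletion is only reported
)

$profileDir = Join-Path $Volume "Users\$UserName"
$backupDir  = Join-Path $Volume 'backup'

if (-not (Test-Path $profileDir)) { throw "Profile not found: $profileDir" }
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

# /E copies subfolders, /XJ skips junction points. Vista/7 profiles contain
# compatibility junctions ("Application Data" -> AppData\Roaming and friends)
# that loop back into the profile; without /XJ a recursive copy follows them
# until the path-length limit. /R:1 /W:1 keeps one locked or damaged file from
# stalling the whole copy; the log records anything that was skipped.
$dest = Join-Path $backupDir $UserName
robocopy $profileDir $dest /E /XJ /R:1 /W:1 /NP /LOG+:"$backupDir\copy.log" | Out-Null
if ($LASTEXITCODE -ge 8) { throw "robocopy reported failures (exit code $LASTEXITCODE); see $backupDir\copy.log" }

# Everything in the root except the backup folder is slated for removal, so the
# old Windows, Program Files and whatever was dropped alongside them all go.
$doomed = Get-ChildItem -Path "$Volume\" -Force | Where-Object { $_.FullName -ne $backupDir }

"Would remove from $Volume\ :"
$doomed | ForEach-Object { '  ' + $_.FullName }

if ($Commit) {
    $doomed | Remove-Item -Recurse -Force -ErrorAction Continue
    "Done. Only $backupDir should remain on $Volume; boot the Windows install disc next."
} else {
    "Dry run only. Re-run with -Commit to delete the items listed above."
}
```

Check copy.log for skipped files before running with -Commit, since anything robocopy could not read (a file the malware held open will not be an issue from a live CD, but a damaged sector can be) is otherwise lost with the wipe. Scanning the backup folder with a scanner booted from clean media, as the post recommends, is still the step that decides whether the copied files go back.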

 

Buckshee Rounds
Re: Annoying startup problem
Okay, I'm still a little wobbly around some of the terminology but I'm pretty sure your message got through. I'm going to try the first method and see if it makes a difference. Thank you once again for all the replies!

 

Unknown Target
Re: Annoying startup problem
If you don't have anywhere to back the files up to, you can use Dropbox.com to get 2 gigs of online storage.

 

Stealth
Re: Annoying startup problem
You guys are ridiculous.

Hey bud, in this situation the best thing is to use System Restore. It takes 2 minutes, and 99.99% of the time... it works. Plain and simple. Start > Programs > Accessories > System Tools > System Restore. Pick a date before this happened. Restore to that date. Problem solved.

This whole "back up everything to a separate hard drive, do a low-level format, scan your files on the backup drives with 42 different virus scanners, and then restore it" is bull... that will take you an entire day... if you're lucky.

do the easy way first. worst case you go to plan B...

 

Fury
Re: Annoying startup problem
- Going with the easy way is no guarantee you get rid of everything related to virii and malware. In the worst-case scenario you won't notice anything, but you've still got a trojan or something on your PC.
- Low-level format is a bad idea. It will brick your hard drives. Low-level format is NOT the same thing as a regular format.
- Nobody told him to run a scan with 42 virus scanners; one good one is enough. Two if you want to be sure.

Sure, there are easy ways and there are hard ways. The amount of effort is directly proportional to the chances of getting rid of all the crap you may have on your PC. I say it again: not all virii and malware are readily visible to whoever uses the computer. If you've been infected once with a visible virii or malware, there's nothing to say you won't have a trojan hiding in there too.

 

jr2
Re: Annoying startup problem
See, usually (with all the virii I've been dealing with anyway) the first things they do (not necessarily all of them, but I have seen all of them used and it's quite possible to do all of them) are:

1) Disable your AV software if not delete it

2) Brick your safe mode.  Literally, if you try it, it will BSOD the machine (no big deal, just restart in normal mode and it works, albeit with the virus still running).  Basically, it deletes a registry key that contains a list instructing Windows which of the basic drivers should load in safe mode.  No drivers, no boot, so no erasing the virus from safe mode.

3) Deny even the hidden Administrator account (and any other accounts) access to:
   a) System Restore  (usually wiping all restore points from the system in the process - another tactic is to infect the System Restore files themselves)
   b) Registry Editor
   c) msconfig
   d) Internet Options

All of that can be fixed (e.g., with Malwarebytes and software like Re-Enable) once you have gotten rid of the virus by booting from a clean CD, and usually the virus doesn't do all of the things listed above.  But when it does, your only hope of saving the system without reformatting is to boot from a clean CD or other boot device that has AV software on it.

(Re-Enable enables access to the following, many of which virii disable):

Windows Registry
Command Line Tool
Windows Task Manager
System Restore Config
Folder Options
Run command
My Computer
Task Scheduler
Right Click Context menu
Ms-Config (Xp only)
Control Panel
Search

EDIT: Oh, and be sure to check that your DNS settings are set to automatic or to whatever DNS server you changed them to (if you did, if you don't know, set it to automatic) as some Virii change that setting to a DNS server that sends you to bad sites that have virii instead of real sites.

Also, be sure that your proxy settings are correct (Internet Options - Connections - LAN Settings -- by default, proxy is unchecked, if you have a proxy, make sure it is set to the one you actually use).  Virii also can change this value.

You can run this command to reset your TCP/IP stack (a lot of internet settings will get set to what Windows had in the beginning by default; you know, out of the box when it worked with everything you connected it to). Vista or 7: Start, type in cmd, right-click on the result and hit "Run as administrator". XP: just hit Start > Run, type cmd and hit Enter.

In the command prompt, type:

Code:
netsh int ip reset resetlog.txt
and hit Enter. Do NOT forget the resetlog.txt; if it doesn't have a logfile specified it fails for whatever obscure reason.

Then type

Code:
netsh winsock reset
and hit Enter.

Then

Code:
exit
and hit Enter.
« Last Edit: April 17, 2011, 03:53:53 pm by jr2 »
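The things the post above says malware likes to tamper with (the Safe Mode driver lists, the policy values that lock out Task Manager, regedit, msconfig and System Restore, the DNS servers, the proxy setting) are all readable from the registry, so a defender can check them in one pass before deciding whether a system restore or a live-CD scan is needed. The script below is an added example, not code from anyone in the thread. It is read-only, assumes PowerShell 3.0 or later run elevated on Vista/7, and reads DNS settings from the registry rather than newer cmdlets so the same script works on older machines; the set of policy values it looks at is my selection and not exhaustive.

```powershell
# Added example, not code from the thread: read-only audit of settings that the
# post above lists as malware targets. Assumptions: PowerShell 3.0+, elevated,
# Vista/7. Every finding is a row; SUSPECT means "look at this", not "infected".

$results = New-Object System.Collections.ArrayList

function Add-Result($check, $ok, $detail) {
    $status = if ($ok) { 'OK' } else { 'SUSPECT' }
    [void]$results.Add([pscustomobject]@{ Check = $check; Status = $status; Detail = $detail })
}

# 1. Safe Mode driver lists. If either key is missing or empty, safe mode will not boot.
foreach ($mode in 'Minimal', 'Network') {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$mode"
    $count = if (Test-Path $key) { @(Get-ChildItem $key).Count } else { 0 }
    Add-Result "SafeBoot\$mode" ($count -gt 0) "$count driver/service entries"
}

# 2. Policy values that lock the user out of repair tools. A value of 1 disables the tool.
$policies = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableTaskMgr';       Tool = 'Task Manager' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableRegistryTools'; Tool = 'Registry Editor' },
    @{ Path = 'HKCU:\Software\Policies\Microsoft\Windows\System';                  Name = 'DisableCMD';           Tool = 'Command Prompt' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoControlPanel';       Tool = 'Control Panel' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoRun';                Tool = 'Run command' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoFolderOptions';      Tool = 'Folder Options' },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore';        Name = 'DisableSR';            Tool = 'System Restore' },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore';        Name = 'DisableConfig';        Tool = 'System Restore config' }
)
foreach ($p in $policies) {
    $value = $null
    if (Test-Path $p.Path) {
        $value = (Get-ItemProperty -Path $p.Path -Name $p.Name -ErrorAction SilentlyContinue).($p.Name)
    }
    $detail = if ($null -eq $value) { 'not set' } else { "$($p.Name) = $value" }
    Add-Result ('Policy: ' + $p.Tool) ($value -ne 1) $detail
}

# 3. DNS servers per interface, straight from the registry. A static NameServer
#    on a machine that normally uses DHCP is the change the post warns about.
$ifaces = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'
foreach ($iface in Get-ChildItem $ifaces) {
    $props  = Get-ItemProperty $iface.PSPath
    $static = [string]$props.NameServer
    if ($static -ne '') {
        Add-Result "DNS on $($iface.PSChildName)" $false "static NameServer=$static (DHCP offered: $($props.DhcpNameServer))"
    }
}
if (@($results | Where-Object { $_.Check -like 'DNS on *' }).Count -eq 0) {
    Add-Result 'DNS' $true 'all interfaces use DHCP-assigned servers'
}

# 4. Proxy settings for the current user (Internet Options > Connections > LAN Settings).
$inet = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
Add-Result 'Proxy enabled'     ($inet.ProxyEnable -ne 1)               "ProxyEnable=$($inet.ProxyEnable) ProxyServer=$($inet.ProxyServer)"
Add-Result 'Proxy auto-config' ([string]$inet.AutoConfigURL -eq '')    "AutoConfigURL=$($inet.AutoConfigURL)"

# 5. hosts file: any live line other than the loopback entries redirects a name locally.
$hostsFile = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$extra = @(Get-Content $hostsFile | Where-Object {
    $_ -match '^\s*[^#\s]' -and $_ -notmatch '^\s*(127\.0\.0\.1|::1)\s+localhost\s*$'
})
Add-Result 'hosts file' ($extra.Count -eq 0) "$($extra.Count) non-default entries"

$results | Format-Table Check, Status, Detail -AutoSize -Wrap
```

A SUSPECT row on a policy value is exactly what tools like Re-Enable reverse; the point of listing them first is that a user who "cannot open Task Manager" after a clean-up still has the restriction in place even if the malware itself is gone. A static DNS server or an enabled proxy the user did not set is the network-level version of the same leftover, and both survive a browser reinstall, as the original poster found.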

 

Stealth
Re: Annoying startup problem
- Going with the easy way is no guarantee you get rid of everything related to virii and malware. In the worst-case scenario you won't notice anything, but you've still got a trojan or something on your PC.
See below. There's no guarantee, but why waste several hours/days doing the 'guaranteed' way if there's a chance the 5-minute solution will work just as well?
- Low-level format is a bad idea. It will brick your hard drives. Low-level format is NOT the same thing as a regular format.
It won't "brick your hard drive" unless you don't know what you're doing...
- Nobody told him to run a scan with 42 virus scanners; one good one is enough. Two if you want to be sure.

Sure, there are easy ways and there are hard ways. The amount of effort is directly proportional to the chances of getting rid of all the crap you may have on your PC. I say it again: not all virii and malware are readily visible to whoever uses the computer. If you've been infected once with a visible virii or malware, there's nothing to say you won't have a trojan hiding in there too.
Disagree. If doing something as simple and straightforward as a system restore will fix the problem 99% of the time, then why not give it a try. Worst case, it doesn't work, and you have to use a harder, more sure-fire method. READ: using an easier method is not going to damage your computer or the files any more than they already are/have been.

Trust me. I've been doing this on a corporate level for almost 10 years. I run an IT department with over 100 employees... I'm not talking out of my ass here, and I'm not just talking about one or two encounters I've had years ago. I've dealt with everything from a virus taking down a single desktop, to a virus taking a Fortune 500 company offline for half a day... And I'm telling you, all my technicians in desktop support know, the first thing you try is the most basic, because even if it works 1 out of 5 times... it is well worth the chance...

Also, for the love of God, please stop saying "virii". That is not a word. The singular is "virus". The plural is "viruses". There is no such thing as "virii"...
http://www.google.com/#sclient=psy&hl=en&safe=off&site=&source=hp&q=virii&aq=f&aqi=&aql=&oq=&pbx=1&bav=on.2,or.r_gc.r_pw.&fp=f5b1d5aa1ea1fb55

 

jr2
Re: Annoying startup problem
Also, for the love of God, please stop saying "virii". That is not a word. The singular is "virus". The plural is "viruses". There is no such thing as "virii"...

That's what I always thought, but actually, in the biological sense, I do believe it is "virii", I really don't know if it is in the IT world.  I've heard both.  Any definitive answer on this?


EDIT:

Never mind, I'll read the link, I didn't see it at first.  I need to slow down a bit here.  :lol:

 

Stealth
Re: Annoying startup problem
Also, for the love of God, please stop saying "virii". That is not a word. The singular is "virus". The plural is "viruses". There is no such thing as "virii"...

That's what I always thought, but actually, in the biological sense, I do believe it is "virii", I really don't know if it is in the IT world. I've heard both. Any definitive answer on this?

"Virii" is not a word, not in a biological sense, not in a religious sense, not in the English language, and definitely not referring to a computer virus.

Simply googling "virii" will clarify this.

Or typing "virus" into Merriam-Webster's website, the Dictionary of Modern English's website, etc...

 

Stealth
Re: Annoying startup problem
EDIT:

Never mind, I'll read the link, I didn't see it at first.  I need to slow down a bit here.  :lol:

LOL no worries. I actually edited my post to add that link, so you didn't miss it, it was my bad :)

 

jr2
Re: Annoying startup problem
Not a problem.  I just realized that somehow I've quoted myself a few times and double-posted the result??  I'm taking a break from this thread, lol.. hopefully a Mod will have mercy and clean up my mess.  ;)

 

Nuke
Re: Annoying startup problem
- Going with the easy way is no guarantee you get rid of everything related to virii and malware. In the worst-case scenario you won't notice anything, but you've still got a trojan or something on your PC.
- Low-level format is a bad idea. It will brick your hard drives. Low-level format is NOT the same thing as a regular format.
- Nobody told him to run a scan with 42 virus scanners; one good one is enough. Two if you want to be sure.

Sure, there are easy ways and there are hard ways. The amount of effort is directly proportional to the chances of getting rid of all the crap you may have on your PC. I say it again: not all virii and malware are readily visible to whoever uses the computer. If you've been infected once with a visible virii or malware, there's nothing to say you won't have a trojan hiding in there too.

Low-level format != zero write. A zero write is a secure delete of anything on the hard drive; it destroys the data and not just the entry in the file table.
Also, by nuking partitions I mainly just mean to delete them and create new ones. This is usually sufficient to eliminate a virus.

The only reason to do a low-level format is if your hard drive is loaded with bad sectors. These can be marked as bad and the drive can be restored to usable condition. This kind of thing should always be the last-ditch attempt to save a hard drive (not the contents).
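The distinction in the post above (deleting partitions or file-table entries removes the bookkeeping, a zero write removes the bytes) can be shown without touching a real drive. The function below is an added example, not Nuke's code: it builds an ordinary file as a stand-in "disk image" with a made-up 512-byte table at the front and a marker string in the data area, zeroes only the table, checks whether the marker is still there, then zeroes the whole image and checks again. The layout is invented for the demonstration and matches no real file system; the file is created in %TEMP% and deleted afterwards.

```powershell
# Added example, not code from the thread: simulates "delete the entry" versus
# "zero write" on a file that stands in for a disk image. Assumptions: the
# 512-byte "table" at the front and the data at 64 KB are a made-up layout,
# chosen only to make the two outcomes visible; no real disk is touched.

function Find-Marker([byte[]]$bytes, [string]$marker) {
    # Plain substring search over the raw bytes, the way a carving tool or
    # "grep -a" would find leftover data after the table is gone.
    [System.Text.Encoding]::ASCII.GetString($bytes).Contains($marker)
}

function Test-ZeroWrite {
    param([string]$ImagePath = (Join-Path $env:TEMP 'fake-disk.img'))

    $marker = 'SECRET-PAYLOAD-MARKER'
    $size   = 1MB
    $image  = New-Object byte[] $size

    # Fake "file table" entry at offset 0 pointing at the file's data at 64 KB.
    $entry = [System.Text.Encoding]::ASCII.GetBytes('payload.bin@65536')
    $data  = [System.Text.Encoding]::ASCII.GetBytes($marker)
    [Array]::Copy($entry, 0, $image, 0, $entry.Length)
    [Array]::Copy($data,  0, $image, 65536, $data.Length)
    [IO.File]::WriteAllBytes($ImagePath, $image)

    # Step 1: "delete the entry" / "nuke the partition": zero only the first 512 bytes.
    $fs = [IO.File]::Open($ImagePath, 'Open', 'ReadWrite')
    $fs.Write((New-Object byte[] 512), 0, 512)
    $fs.Close()
    $afterTableWipe = Find-Marker ([IO.File]::ReadAllBytes($ImagePath)) $marker

    # Step 2: zero write over the whole image, 64 KB at a time, as a full wipe
    # overwrites every sector regardless of what the table says is in use.
    $fs = [IO.File]::Open($ImagePath, 'Open', 'ReadWrite')
    $zeros = New-Object byte[] 65536
    for ($pos = 0; $pos -lt $size; $pos += $zeros.Length) { $fs.Write($zeros, 0, $zeros.Length) }
    $fs.Close()
    $afterZeroWrite = Find-Marker ([IO.File]::ReadAllBytes($ImagePath)) $marker

    Remove-Item $ImagePath -Force

    [pscustomobject]@{
        MarkerSurvivesTableWipe = $afterTableWipe
        MarkerSurvivesZeroWrite = $afterZeroWrite
    }
}

Test-ZeroWrite
```

Running it returns one object with MarkerSurvivesTableWipe true and MarkerSurvivesZeroWrite false: after step 1 the "file" is gone from the table but its bytes are still readable by anything that scans the raw image, which is the situation a reinstall over deleted-and-recreated partitions leaves behind; after step 2 there is nothing left to find. The same reasoning is why the post treats partition deletion as "usually sufficient" and the zero write as the option for when there is reason to believe something is still on the disk.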

 

Mongoose (Global Moderator)
Re: Annoying startup problem
I can attest to System Restore sometimes being a life-saver. I got hit by some sort of nasty drive-by attack (partially due to my own stupidity, as I had clicked on a link to a shady image-hosting site), and something nailed me that managed to dissociate all of my .exe files from being treated as executables by XP. As you can imagine, not good, as even going into Safe Mode presented the same problem. I knew I had fixed this same issue on my brother's Vista account in the past, but I didn't remember how, and it was really freaking late, so I didn't feel like starting up the family PC to look it up. So I take a quick trip to System Restore, select the most recent date, and boom, problem solved.