
searchqu, am I fucked?

Casual (Revolver Ocelot) Registered User regular
edited April 2011 in Help / Advice Forum
I booted up my PC just now, went into Firefox and I noticed I have a new addition, a toolbar called searchqu. It's also now my default search engine and I can't seem to uninstall it from the program list.

Looking through my downloads I can see where I made my fuckup, I went to download some Minecraft stuff last night and wasn't paying much attention to what I was doing. I think I clicked one of the advert download links instead of the actual download link, a pretty major fuckup I know.

I have two questions.

1) How fucked am I?

2) How do I get rid of it?

Revolver Ocelot
i write amazing erotic fiction

its all about anthropomorphic dicks doing everyday things like buying shoes for their scrotum-feet

Posts

  • Thanatos Registered User regular
    edited April 2011
    Have you tried downloading and running MalwareBytes?

    Have you tried booting into Safe Mode and uninstalling it?

    What operating system are you running? What browsers are you using?

  • Daedalus Registered User regular
    edited April 2011
    http://www.youtube.com/watch?v=aCbfMkh940Q

    Back up anything you value, wipe out everything on the drive, and reinstall Windows. If you don't, you'll never really trust the thing again. You don't know what other stuff came in with that thing.

  • Casual (Revolver Ocelot) Registered User regular
    edited April 2011
    Thanatos wrote: »
    Have you tried downloading and running MalwareBytes?

    Have you tried booting into Safe Mode and uninstalling it?

    What operating system are you running? What browsers are you using?

    The quick scan ended in two minutes and found nothing which I do not think bodes well even slightly. Trying a full scan now.

    No I haven't done that.

    OS is Windows 7 64-bit. I use Firefox 99% of the time and Chrome the rest.

  • Thanatos Registered User regular
    edited April 2011
    You generally don't want to waste your time with a quick scan when you know you have an infection.

    Try Microsoft Security Essentials next. Then, SuperAntiSpyware.

  • Casual (Revolver Ocelot) Registered User regular
    edited April 2011
    Full scan found nothing. I believe I'm going to go with the nuking from orbit option, I have a mate coming round to do some work on a PC next week anyway. He can take care of this, am I stupid for waiting a week for this to be sorted?

  • Joe Camacho MKII Registered User regular
    edited April 2011
    Casual wrote: »
    Full scan found nothing. I believe I'm going to go with the nuking from orbit option, I have a mate coming round to do some work on a PC next week anyway. He can take care of this, am I stupid for waiting a week for this to be sorted?

    Well... Last week I got one of those dumb fake antivirus programs installed on my laptop, and after several tries at running MalwareBytes (which according to the web was the program that could get rid of "Win 7 Home Security 2011"), I nuked my Windows installation from orbit.

    I would say that if you use your PC for sensitive stuff (Online Banking, using email, playing on Steam) I would just nuke it and change all of your passwords, just to be sure.

    And backing what Thanatos has already recommended, always try doing your scans on safe mode.

  • tarnok Registered User regular
    edited April 2011
    Casual wrote: »
    Full scan found nothing. I believe I'm going to go with the nuking from orbit option, I have a mate coming round to do some work on a PC next week anyway. He can take care of this, am I stupid for waiting a week for this to be sorted?

    Not necessarily, but I would recommend disconnecting it entirely from the internet (or just leaving it turned off) until it _is_ sorted. There really is no telling what a given piece of malware is going to do and it could do something to cause you headaches even if you're not typing in passwords or credit card numbers. For all we know your computer could now be part of a bot-net distributing child pornography.

    I am not an expert but I'd make sure the thing is disconnected from the network at least, and probably just keep it turned off till I could work on it.

  • Hahnsoo1 Registered User regular
    edited April 2011
    Nowadays, Malwarebytes doesn't really solve the problem unless you're running in safe mode. This is because the malware in question generally runs a program as a service which prevents you from changing the malware's contents or updating your registry. Try uninstalling the program in safe mode.

  • Derrick Registered User regular
    edited April 2011
    Process Explorer is also a really handy tool. You can surgically remove processes that are attempting to hide under other common processes. I'd recommend safe mode. Then go into Process Explorer and start the surgery. Finish by throwing every scanning program you know to not be malware at it.

    If that fails, nuke from orbit.

    After nuking (because honestly cleaning an already dirty machine is really annoying and difficult), you want to get a firewall, and the NoScript Firefox add-on. Also, since you clicked an advert, you may want to pick up Adblock for Firefox as well.

  • DrFrylock Registered User regular
    edited April 2011
    Some Google searches indicate that others have removed this with a combination of high-power tools including ComboFix. They all required several passes of ComboFix with manual, system-specific instructions to the tool on a couple passes. That is, a person with experience with these tools could probably clean this up, but it's not an automatic process.

  • Casual (Revolver Ocelot) Registered User regular
    edited April 2011
    DrFrylock wrote: »
    Some Google searches indicate that others have removed this with a combination of high-power tools including ComboFix. They all required several passes of ComboFix with manual, system-specific instructions to the tool on a couple passes. That is, a person with experience with these tools could probably clean this up, but it's not an automatic process.

    *sigh*

    I guess this computer is due a wipe anyway, it's just with LANs coming up now is not a great time. Backing up Steam is so tedious and time consuming.

    For what it's worth a full scan in safe mode still found nothing, the toolbar still showed up in the browser in safe mode too.

    Well thanks for the advice guys, I'm just going to keep it offline until next week and then nuke it. This thread can close.

  • TetraNitroCubane Registered User regular
    edited April 2011
    I certainly agree with nuking from orbit - I'll note, though, that it's important that you completely reformat the drive. Don't just reinstall Windows over the top of the previous installation. You want to clear the entire drive, including (most importantly) the Master Boot Record. Some malware can live in the MBR and survive reinstallation.
    Hahnsoo1 wrote: »
    Nowadays, Malwarebytes doesn't really solve the problem unless you're running in safe mode. This is because the malware in question generally runs a program as a service which prevents you from changing the malware's contents or updating your registry. Try uninstalling the program in safe mode.

    Just wanted to comment on this, since I see it a lot. Malwarebytes sometimes does need to do its thing from safe mode, but the developers themselves have commented that it's not designed to work that way:
    MBAM works from safe mode but it is not designed to work that way.

    MBAM will work better from regular mode both in terms of what it detects and what it can remove.

    Doing a safe mode scan with MBAM should only be done when a regular mode scan fails.

  • TeaSpoon Registered User regular
    edited April 2011
    Maybe it's installed as a Firefox Add-on. I suggest trying to uninstall through Firefox before the nuclear option.
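    The symptom the original poster describes, a changed default search engine, is recorded in the profile's prefs.js, so a look there is cheaper than a full wipe as a first check. The following script is an added example, not code from the thread or from Mozilla: it parses user_pref() lines and flags the home-page and search prefs whose value points outside an allowlist. The sample prefs.js lines, the TRUSTED_HOSTS and KNOWN_ENGINES sets are constructed for the example; the pref names (browser.startup.homepage, keyword.URL, browser.search.defaultenginename, browser.search.selectedEngine) are real Firefox 3.x/4 preference keys.

```python
import re

# Constructed sample of user_pref() lines in the shape Firefox writes to prefs.js.
# These are not taken from the thread or from any real profile.
SAMPLE_PREFS = '''
user_pref("browser.startup.homepage", "http://www.searchqu.com/");
user_pref("keyword.URL", "http://www.searchqu.com/web?q=");
user_pref("browser.search.defaultenginename", "Web Search");
user_pref("browser.search.selectedEngine", "Web Search");
user_pref("extensions.lastAppVersion", "3.6.16");
user_pref("network.cookie.cookieBehavior", 1);
'''

# Prefs that decide where the home page and address-bar searches go.
URL_PREFS = {"browser.startup.homepage", "keyword.URL"}
ENGINE_PREFS = {"browser.search.defaultenginename", "browser.search.selectedEngine"}

# Assumed allowlists for this example; the machine's owner fills in what they use.
TRUSTED_HOSTS = {"google.com", "bing.com", "duckduckgo.com"}
KNOWN_ENGINES = {"Google", "Bing", "Yahoo", "DuckDuckGo"}

PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')


def parse_prefs(text):
    """Return {name: value} for every user_pref() line; values keep their JS type."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue
        name, raw = m.group(1), m.group(2).strip()
        if raw.startswith('"') and raw.endswith('"'):
            value = raw[1:-1]
        elif raw in ("true", "false"):
            value = raw == "true"
        else:
            try:
                value = int(raw)
            except ValueError:
                value = raw
        prefs[name] = value
    return prefs


def host_trusted(url, trusted=TRUSTED_HOSTS):
    """True if the URL's host is a trusted domain or a subdomain of one."""
    m = re.match(r"https?://([^/:?#]+)", str(url))
    if not m:
        return False
    host = m.group(1).lower()
    return any(host == d or host.endswith("." + d) for d in trusted)


def find_hijacked(prefs, trusted=TRUSTED_HOSTS, engines=KNOWN_ENGINES):
    """List (pref, value) pairs whose home-page or search setting is unexpected."""
    findings = []
    for name, value in prefs.items():
        if name in URL_PREFS and not host_trusted(value, trusted):
            findings.append((name, value))
        elif name in ENGINE_PREFS and value not in engines:
            findings.append((name, value))
    return findings


if __name__ == "__main__":
    # Real use: text = open(profile_dir + "/prefs.js").read()
    for pref, value in find_hijacked(parse_prefs(SAMPLE_PREFS)):
        print(f"suspicious: {pref} = {value!r}")
```

    A hit on keyword.URL or the engine prefs shows that the toolbar rewrote the profile; it says nothing about whether anything else came in with it, which is why the thread still ends at a reinstall.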

  • Casual (Revolver Ocelot) Registered User regular
    edited April 2011
    Apparently it's useless either way, I did full scans in both safe and regular and it found nothing. A little research reveals it's some kind of rootkit, is the drive really going to need a full format?

  • TetraNitroCubane Registered User regular
    edited April 2011
    Casual wrote: »
    Apparently it's useless either way, I did full scans in both safe and regular and it found nothing. A little research reveals it's some kind of rootkit, is the drive really going to need a full format?

    If it is a rootkit, absolutely and without question. The nature of a rootkit makes it impossible for you to have any confidence that you've removed the infection without a reformat, and also explains why you're not able to see it while scanning. Rootkits are seriously bad news. Full stop. Reformat. Change all passwords.

    If reformatting is positively not an option there are alternatives, but none will give you the assurance of a reformat and reinstall, and I wouldn't recommend them.

  • Casual (Revolver Ocelot) Registered User regular
    edited April 2011
    Well I've removed the wireless aerial and it's remaining switched off until I can deal with it. Can I even salvage files from it? Or is it not worth the risk?

  • TetraNitroCubane Registered User regular
    edited April 2011
    Casual wrote: »
    Well I've removed the wireless aerial and it's remaining switched off until I can deal with it. Can I even salvage files from it? Or is it not worth the risk?

    You can certainly salvage files if you're careful. The main issue here is that the rootkit now owns your computer. Think of your system as a building with a series of floors, each of which is separated by a one-way mirror. Stuff on the upper floors can see all the way down, but no one can see up. The rootkit now lives on the top floor, so your operating system and antivirus can't see it. In addition, it can issue orders to your operating system, antivirus scanners, and anything else it wants. To those programs, the orders are transparent and legitimate. So if the rootkit says "Ignore this trojan I'm installing right now", everything in the system says "What trojan?". That's a gross oversimplification, but the point is that once the rootkit is in place, you can't trust the system.

    Copying your files to some variety of removable media, then reformatting and reinstalling the operating system will restore a trustworthy environment. Before you put your files back, you should update the operating system completely, and then install and update security software (antivirus and Malwarebytes). Since you'll be backing up from an infected machine, there's a high likelihood that the removable media will become infected in this process. USB media get infected just by plugging them into other infected machines, and I'm pretty sure burned DVDs can be tainted the same way. Actually, you ought to scan the backup files regardless, just to be sure none of the nasty stuff carried over.

    To get around this, I recommend using a Linux LiveCD or some other bootCD to access your machine and backup your files. The infection ought to be toothless in a Linux environment. If this isn't to your liking, you can always backup to the removable media, disable autorun/autoplay on the newly installed OS, and then scan the media before restoring files. Actually, you ought to scan the backup files regardless, just to be sure you're not carrying over anything nasty. Most files you'd want to preserve are probably not infected themselves, though. It's the media and executables you want to be wary of. I rambled on too long about the specifics of such an operation over here recently, in terms of backups from infected machines and file types.

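    The selective restore TetraNitroCubane describes (copy files off from a LiveCD, then be wary of media and executables before putting them back) can be made mechanical. The script below is an added example, not code from the thread: it walks a backup tree, separates files that are executables by extension or by the PE "MZ" header into a quarantine list, and writes sha256sum-compatible manifests so the restore set can be scanned and later verified. The extension list and the sample files it builds are constructed for the example.

```python
import hashlib
import os
import tempfile

# Types the thread singles out as risky to carry back from an infected machine.
# Assumed list for this example; checked by content as well, because a renamed
# .exe is still an executable.
RISKY_EXT = {".exe", ".dll", ".scr", ".com", ".pif", ".bat", ".cmd",
             ".vbs", ".js", ".msi", ".lnk"}
PE_MAGIC = b"MZ"  # first two bytes of every Windows PE executable


def looks_executable(path):
    """True if the file is an executable by extension or by its PE header."""
    if os.path.splitext(path)[1].lower() in RISKY_EXT:
        return True
    with open(path, "rb") as f:
        return f.read(2) == PE_MAGIC


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def triage_backup(root):
    """Walk the backup; return sorted (restore, quarantine) lists of (relpath, sha256)."""
    restore, quarantine = [], []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            entry = (rel, sha256_of(path))
            (quarantine if looks_executable(path) else restore).append(entry)
    return sorted(restore), sorted(quarantine)


def write_manifest(entries, out_path):
    """sha256sum-style manifest: feed it to 'sha256sum -c' after the restore."""
    with open(out_path, "w") as f:
        for rel, digest in entries:
            f.write(f"{digest}  {rel}\n")
    return out_path


def build_sample_backup():
    """Constructed stand-in for the user's copied files; not real data."""
    root = tempfile.mkdtemp(prefix="backup_")
    docs = os.path.join(root, "Documents")
    os.makedirs(docs)
    with open(os.path.join(docs, "notes.txt"), "w") as f:
        f.write("lan party packing list\n")
    with open(os.path.join(docs, "photo.jpg"), "wb") as f:
        f.write(b"\xff\xd8\xff\xe0" + b"\x00" * 16)      # JPEG header
    with open(os.path.join(root, "setup.exe"), "wb") as f:
        f.write(PE_MAGIC + b"\x90" * 64)                 # executable by extension
    with open(os.path.join(docs, "save.dat"), "wb") as f:
        f.write(PE_MAGIC + b"\x00" * 64)                 # executable hiding as .dat
    return root


if __name__ == "__main__":
    root = build_sample_backup()
    restore, quarantine = triage_backup(root)
    write_manifest(restore, os.path.join(root, "restore.sha256"))
    write_manifest(quarantine, os.path.join(root, "quarantine.sha256"))
    print("restore:", [p for p, _ in restore])
    print("quarantine:", [p for p, _ in quarantine])
```

    The quarantine list is what gets scanned (or simply not restored) on the freshly installed system; the restore manifest lets you confirm later that nothing on the media changed between the LiveCD copy and the restore.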
  • Marty81 Registered User regular
    edited April 2011
    TetraNitroCubane wrote: »
    I certainly agree with nuking from orbit - I'll note, though, that it's important that you completely reformat the drive. Don't just reinstall Windows over the top of the previous installation. You want to clear the entire drive, including (most importantly) the Master Boot Record. Some malware can live in the MBR and survive reinstallation.

    Just out of general curiosity, how do you do this? Is there an option to reset the MBR when reinstalling Windows or something?

  • TetraNitroCubane Registered User regular
    edited April 2011
    Marty81 wrote: »
    I certainly agree with nuking from orbit - I'll note, though, that it's important that you completely reformat the drive. Don't just reinstall Windows over the top of the previous installation. You want to clear the entire drive, including (most importantly) the Master Boot Record. Some malware can live in the MBR and survive reinstallation.

    Just out of general curiosity, how do you do this? Is there an option to reset the MBR when reinstalling Windows or something?

    When reinstalling Windows, just be sure to format the HDD you'll be installing the OS to. Delete all existing partitions, and create new ones, rather than selecting existing partitions.

    If you want something a bit more extreme, there's always Darik's Boot and Nuke. Burn the image to a disk, boot from it, and let it do its thing. Then you can boot from your OS installation disk, repartition, and reinstall. DBAN is more of a method to wipe out data you don't want others recovering, so it might be a little overkill, but it'll destroy anything living on the HDD including malware.

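    Marty81's question was how you know the MBR really has been reset. A deleted-and-recreated partition table or a DBAN pass rewrites the first sector, and the check is to read that sector back from a LiveCD and look at it. The script below is an added example, not code from the thread: it parses a 512-byte MBR (446 bytes of bootstrap code, four 16-byte partition entries, the 0x55AA signature), hashes the bootstrap code so it can be compared against a baseline taken from a clean install, and shows what the sector looks like after zeroing. The sample sector and the baseline hash set are constructed; the dd command in the comment is the standard way to read sector 0 on Linux.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446        # bootstrap code occupies bytes 0..445
PART_TABLE_OFF = 446       # four 16-byte partition entries follow
SIGNATURE = b"\x55\xAA"    # bytes 510..511 of a valid MBR


def parse_mbr(sector):
    """Decode bootstrap hash, partition table and signature of one MBR sector."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    boot_code = sector[:BOOT_CODE_LEN]
    partitions = []
    for i in range(4):
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, ptype, lba_start, count = struct.unpack_from(
            "<B3xB3xII", sector, PART_TABLE_OFF + 16 * i)
        if ptype != 0:  # type 0 marks an unused slot
            partitions.append({"index": i, "bootable": status == 0x80,
                               "type": ptype, "lba_start": lba_start,
                               "sectors": count})
    return {
        "boot_code_sha256": hashlib.sha256(boot_code).hexdigest(),
        "boot_code_empty": boot_code == b"\x00" * BOOT_CODE_LEN,
        "partitions": partitions,
        "valid_signature": sector[510:512] == SIGNATURE,
    }


def check_boot_code(sector, known_good_hashes):
    """Classify the bootstrap code as 'empty', 'known-good' or 'unknown'."""
    info = parse_mbr(sector)
    if info["boot_code_empty"]:
        return "empty"
    return "known-good" if info["boot_code_sha256"] in known_good_hashes else "unknown"


def wipe_mbr(sector):
    """Zeroed replacement for the first sector: code, table and signature all gone."""
    return b"\x00" * len(sector)


def build_sample_mbr():
    """Constructed stand-in for a disk's first sector; not from any real machine."""
    boot_code = bytes([0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C])  # x86 prologue
    boot_code += b"\x90" * (BOOT_CODE_LEN - len(boot_code))
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00",
                        2048, 204800)  # bootable NTFS (type 7) partition at LBA 2048
    table = entry + b"\x00" * (16 * 3)
    return boot_code + table + SIGNATURE


if __name__ == "__main__":
    # From a LiveCD the real sector is captured with
    #   dd if=/dev/sda bs=512 count=1 of=mbr.bin
    # and read here as open("mbr.bin", "rb").read().
    mbr = build_sample_mbr()
    print(parse_mbr(mbr))
    print(check_boot_code(mbr, known_good_hashes=set()))  # no baseline: 'unknown'
    print(parse_mbr(wipe_mbr(mbr)))
```

    The baseline hash set is the bootstrap hash taken from the same Windows version on a machine you trust; without one, "unknown" only tells you the sector is not empty. Once the reinstall has been done the sector should hash to the baseline and list only the partitions you just created.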
  • tarnok Registered User regular
    edited April 2011
    A thought occurs to me; may not be relevant here but I'm curious. A lot of computers don't come with windows disks anymore. Instead they'll have a recovery partition. Would it even be possible for someone in that situation to clean the MBR and reinstall or would one have to spring for the windows cds?

    I guess what I'm asking is, would it be possible to be sure the disk is clean but leave behind the recovery partition?

  • TychoCelchuuu (San Diego, CA) Registered User regular
    edited April 2011
    Often computers with a recovery partition have an option to burn a recovery CD when you've booted into the partition. Otherwise you can always make an image of the partition and store it somewhere.

  • corky842 Registered User regular
    edited April 2011
    TychoCelchuuu wrote: »
    Often computers with a recovery partition have an option to burn a recovery CD when you've booted into the partition. Otherwise you can always make an image of the partition and store it somewhere.

    It's available straight from Microsoft.

  • TychoCelchuuu (San Diego, CA) Registered User regular
    edited April 2011
    corky842 wrote: »
    Often computers with a recovery partition have an option to burn a recovery CD when you've booted into the partition. Otherwise you can always make an image of the partition and store it somewhere.

    It's available straight from Microsoft.

    Typically the computer that comes with an OS installed will have an OEM key of Windows 7 that won't activate any of the copies you can download on that website.
