The new forums will be named Coin Return (based on the most recent vote)! You can check on the status and timeline of the transition to the new forums here.
The Guiding Principles and New Rules document is now in effect.

searchqu, am I fucked?

CasualCasual Wiggle Wiggle Wiggle Flap Flap Flap Registered User regular
edited April 2011 in Help / Advice Forum
I booted up my PC just now, went into firefox and I noticed I have a new addition, a toolbar called searchqu its also now my default search engine and I can't seem to uninstall it from the program list.

Looking through my downloads I can see where I made my fuckup, I went to download some minecraft stuff last night and wasn't paying much attention to what I was doing. I think I clicked one of the adverts download links instead of the actual download link, a pretty major fuckup I know.

I have two questions.

1) How fucked am I?

2) How do I get rid of it?

Casual on

Posts

  • ThanatosThanatos Registered User regular
    edited April 2011
    Have you tried downloading and running MalwareBytes?

    Have you tried booting into Safe Mode and uninstalling it?

    What operating system are you running? What browsers are you using?

    Thanatos on
  • DaedalusDaedalus Registered User regular
    edited April 2011
    http://www.youtube.com/watch?v=aCbfMkh940Q

    Back up anything you value, wipe out everything on the drive, and reinstall Windows. If you don't, you'll never really trust the thing again. You don't know what other stuff came in with that thing.

    Daedalus on
  • CasualCasual Wiggle Wiggle Wiggle Flap Flap Flap Registered User regular
    edited April 2011
    Thanatos wrote: »
    Have you tried downloading and running MalwareBytes?

    Have you tried booting into Safe Mode and uninstalling it?

    What operating system are you running? What browsers are you using?

    The quick scan ended in two minutes and found nothing which I do not think bodes well even slightly. Trying a full scan now.

    No I haven't done that.

    OS is windows 7 64 bit. I use firefox 99% of the time and chrome the rest.

    Casual on
  • ThanatosThanatos Registered User regular
    edited April 2011
    You generally don't want to waste your time with a quick scan when you know you have an infection.

    Try Microsoft Security Essentials next. Then, SuperAntiSpyware.

    Thanatos on
  • CasualCasual Wiggle Wiggle Wiggle Flap Flap Flap Registered User regular
    edited April 2011
    Full scan found nothing. I believe I'm going to go with the nuking from orbit option, I have a mate coming round to do some work on a PC next week anyway. He can take care of this, am I stupid for waiting a week for this to be sorted?

    Casual on
  • Joe Camacho MKIIJoe Camacho MKII Registered User regular
    edited April 2011
    Casual wrote: »
    Full scan found nothing. I believe I'm going to go with the nuking from orbit option, I have a mate coming round to do some work on a PC next week anyway. He can take care of this, am I stupid for waiting a week for this to be sorted?

    Well... Last week I got one of those dumb fake antivirus programs installed on my laptop, and after several tries of trying to run MalwareBytes (Which according to the web it was the program that could get rid of "Win 7 Home Security 2011) so I nuked my windows installation from orbit.

    I would say that if you use your PC for sensitive stuff (Online Banking, using email, playing on Steam) I would just nuke it and change all of your passwords, just to be sure.

    And backing what Thanatos has already recommended, always try doing your scans on safe mode.

    Joe Camacho MKII on
    steam_sig.png I edit my posts a lot.
  • tarnoktarnok Registered User regular
    edited April 2011
    Casual wrote: »
    Full scan found nothing. I believe I'm going to go with the nuking from orbit option, I have a mate coming round to do some work on a PC next week anyway. He can take care of this, am I stupid for waiting a week for this to be sorted?

    Not necessarily, but I would recommend disconnecting it entirely from the internet (or just leaving it turned off) until it _is_ sorted. There really is no telling what a given piece of malware is going to do and it could do something to cause you headaches even if you're not typing in passwords or credit card numbers. For all we know your computer could now be part of a bot-net distributing child pornography.

    I am not an expert but I'd make sure the thing is disconnected from the network at least, and probably just keep it turned off till I could work on it.

    tarnok on
    Wii Code:
    0431-6094-6446-7088
  • Hahnsoo1Hahnsoo1 Make Ready. We Hunt.Registered User, Moderator, Administrator admin
    edited April 2011
    Nowadays, Malwarebytes doesn't really solve the problem unless you're running in safe mode. This is because the malware in question generally runs a program as a service which prevents you from changing the malware's contents or updating your registry. Try uninstalling the program in safe mode.

    Hahnsoo1 on
    8i1dt37buh2m.png
  • DerrickDerrick Registered User regular
    edited April 2011
    Process Explorer is also a really handy tool. You can surgically remove processes that are attempting to hide under other common processes. I'd recommend safe mode. Then go into Process Explorer and start the surgery. Finish by throwing every scanning program you know to not be malware at it.

    If that fails, nuke from orbit.

    After nuking (because honestly cleaning an already dirty machine is really annoying and difficult), you want to get a firewall, and the noscript firefox add-on. Also, since you clicked an advert, you may want to pick up adblock for firefox as well.

    Derrick on
    Steam and CFN: Enexemander
  • DrFrylockDrFrylock Registered User regular
    edited April 2011
    Some Google searches indicate that others have removed this with a combination of high-power tools including ComboFix. They all required several passes of ComboFix with manual, system-specific instructions to the tool on a couple passes. That is, a person with experience with these tools could probably clean this up, but it's not an automatic process.

    DrFrylock on
  • CasualCasual Wiggle Wiggle Wiggle Flap Flap Flap Registered User regular
    edited April 2011
    DrFrylock wrote: »
    Some Google searches indicate that others have removed this with a combination of high-power tools including ComboFix. They all required several passes of ComboFix with manual, system-specific instructions to the tool on a couple passes. That is, a person with experience with these tools could probably clean this up, but it's not an automatic process.

    *sigh*

    I guess this computer is due a wipe anyway, its just with lans coming up now is not a great time. Backing up steam is so tedious and time consuming.

    For what it's worth a full scan in safe mode still found nothing, the toolbar still showed up in the browser in safe mode too.

    Well thanks for the advice guys, I'm just going to keep it offline untill next week and then nuke it. This thread can close.

    Casual on
  • TetraNitroCubaneTetraNitroCubane Not Angry... Just VERY Disappointed...Registered User regular
    edited April 2011
    I certainly agree with nuking from orbit - I'll note, though, that it's important that you completely reformat the drive. Don't just reinstall Windows over the top of the previous installation. You want to clear the entire drive, including (most importantly) the Master Boot Record. Some malware can live in the MBR and survive reinstallation.
    Hahnsoo1 wrote: »
    Nowadays, Malwarebytes doesn't really solve the problem unless you're running in safe mode. This is because the malware in question generally runs a program as a service which prevents you from changing the malware's contents or updating your registry. Try uninstalling the program in safe mode.

    Just wanted to comment on this, since I see it a lot. Malwarebytes sometimes does need to do its thing from safe mode, but the developers themself have commented that it's not designed to work that way
    MBAM works from safemore but it is not designed to work that way .

    MBAM will work better from regular mode both in terms of what it detects and what it can remove .

    Doing a safemode scan with MBAM should only be done when a regular mode scan fails .

    TetraNitroCubane on
  • TeaSpoonTeaSpoon Registered User regular
    edited April 2011
    Maybe it's installed as a Firefox Add-on. I suggest trying to uninstall through Firefox before the nuclear option.

    TeaSpoon on
  • CasualCasual Wiggle Wiggle Wiggle Flap Flap Flap Registered User regular
    edited April 2011
    Apparenty it's usless either way, I did full scans in both safe and regular and it found nothing. A little research reveals it's some kind of rootkit, is the drive really going to need a full format?

    Casual on
  • TetraNitroCubaneTetraNitroCubane Not Angry... Just VERY Disappointed...Registered User regular
    edited April 2011
    Casual wrote: »
    Apparenty it's usless either way, I did full scans in both safe and regular and it found nothing. A little research reveals it's some kind of rootkit, is the drive really going to need a full format?

    If it is a rootkit, absolutely and without question. The nature of a rootkit makes it impossible for you to have any confidence that you've removed the infection without a reformat, and also explains why you're not able to see it while scanning. Rootkits are seriously bad news. Full stop. Reformat. Change all passwords.

    If reformatting is positively not an option there are alternatives, but none will give you the assurance of a reformat and reinstall, and I wouldn't recommend them.

    TetraNitroCubane on
  • CasualCasual Wiggle Wiggle Wiggle Flap Flap Flap Registered User regular
    edited April 2011
    Well I've removed the wireless ariel and it's remaining switched off untill I can deal with it. Can I even salvage files from it? Or is it not worth the risk?

    Casual on
  • TetraNitroCubaneTetraNitroCubane Not Angry... Just VERY Disappointed...Registered User regular
    edited April 2011
    Casual wrote: »
    Well I've removed the wireless ariel and it's remaining switched off untill I can deal with it. Can I even salvage files from it? Or is it not worth the risk?

    You can certainly salvage files if you're careful. The main issue here is that the rootkit now owns your computer. Think of your system as a building with a series of floors, each of which is separated by a one-way mirror. Stuff on the upper floors can see all the way down, but no one can see up. The rootkit now lives on the top floor, so your operating system and antivirus can't see it. In addition, it can issue orders to your operating system, antivirus scanners, and anything else it wants. To those programs, the orders are transparent and legitimate. So if the rootkit says "Ignore this trojan I'm installing right now", everything in the system says "What trojan?". That's a gross oversimplification, but the point is that once the rootkit is in place, you can't trust the system.

    Copying your files to some variety of removable media, then reformatting and reinstalling the operating system will restore a trustworthy environment. Before you put your files back, you should update the operating system completely, and then install and update security software (antivirus and Malwarebytes). Since you'll be backing up from an infected machine, there's a high likelihood that the removable media will become infected in this process. USB media get infected just by plugging them into other infected machines, and I'm pretty sure burned DVDs can be tainted the same way. Actually, you ought to scan the backup files regardless, just to be sure none of the nasty stuff carried over.

    To get around this, I recommend using a Linux LiveCD or some other bootCD to access your machine and backup your files. The infection ought to be toothless in a Linux environment. If this isn't to your liking, you can always backup to the removable media, disable autorun/autoplay on the newly installed OS, and then scan the media before restoring files. Actually, you ought to scan the backup files regardless, just to be sure you're not carrying over anything nasty. Most files you'd want to preserve are probably not infected themselves, though. It's the media and executables you want to be wary of. I rambled on too long about the specifics of such an operation over here recently, in terms of backups from infected machines and file types.

    TetraNitroCubane on
  • Marty81Marty81 Registered User regular
    edited April 2011
    I certainly agree with nuking from orbit - I'll note, though, that it's important that you completely reformat the drive. Don't just reinstall Windows over the top of the previous installation. You want to clear the entire drive, including (most importantly) the Master Boot Record. Some malware can live in the MBR and survive reinstallation.

    Just out of general curiosity, how do you do this? Is there an option to reset the MBR when reinstalling Windows or something?

    Marty81 on
  • TetraNitroCubaneTetraNitroCubane Not Angry... Just VERY Disappointed...Registered User regular
    edited April 2011
    Marty81 wrote: »
    I certainly agree with nuking from orbit - I'll note, though, that it's important that you completely reformat the drive. Don't just reinstall Windows over the top of the previous installation. You want to clear the entire drive, including (most importantly) the Master Boot Record. Some malware can live in the MBR and survive reinstallation.

    Just out of general curiosity, how do you do this? Is there an option to reset the MBR when reinstalling Windows or something?

    When reinstalling Windows, just be sure to format the HDD you'll be installing the OS to. Delete all existing partitions, and create new ones, rather than selecting existing partitions.

    If you want something a bit more extreme, there's always Darik's Boot and Nuke. Burn the image to a disk, boot from it, and let it do its thing. Then you can boot from your OS installation disk, repartition, and reinstall. DBAN is more of a method to wipe out data you don't want others recovering, so it might be a little overkill, but it'll destroy anything living on the HDD including malware.

    TetraNitroCubane on
  • tarnoktarnok Registered User regular
    edited April 2011
    A thought occurs to me; may not be relevant here but I'm curious. A lot of computers don't come with windows disks anymore. Instead they'll have a recovery partition. Would it even be possible for someone in that situation to clean the MBR and reinstall or would one have to spring for the windows cds?

    I guess what I'm asking is, would it be possible to be sure the disk is clean but leave behind the recovery partition?

    tarnok on
    Wii Code:
    0431-6094-6446-7088
  • TychoCelchuuuTychoCelchuuu PIGEON Registered User regular
    edited April 2011
    Often computers with a recovery partition have an option to burn a recovery CD when you've booted into the partition. Otherwise you can always make an image of the partition and store it somewhere.

    TychoCelchuuu on
  • corky842corky842 Registered User regular
    edited April 2011
    Often computers with a recovery partition have an option to burn a recovery CD when you've booted into the partition. Otherwise you can always make an image of the partition and store it somewhere.

    It's available straight from Microsoft.

    corky842 on
  • TychoCelchuuuTychoCelchuuu PIGEON Registered User regular
    edited April 2011
    corky842 wrote: »
    Often computers with a recovery partition have an option to burn a recovery CD when you've booted into the partition. Otherwise you can always make an image of the partition and store it somewhere.

    It's available straight from Microsoft.

    Typically the computer that comes with an OS installed will have an OEM key of Windows 7 that won't activate any of the copies you can download on that website.

    TychoCelchuuu on
Sign In or Register to comment.