What's your go-to malware removal tool?
I managed to get the oh-so-fun srvtrck virus/malware. Any files I can think of that were downloaded that day have been removed. Malwarebytes has been run, updated, then run again. Extensions from browsers have been scoured.
I'm still getting the browser redirect hijack.
So uh, anybody have a kick-ass malware/junkware removal tool that doesn't just add more junk?
Malwarebytes has been our go-to backup; work uses Webroot as the primary these days, but it's a paid option.
We used to use McAfee Stinger as another option for already infected systems; I think it's still a free download, BUT it now includes a 'real-time' component (meaning it installs and stays, which is why we haven't used it at work for a while). I don't know if that is optional or not on the current product. May be worth a look though.
Good luck...
Hitman Pro and Combofix. You have to make sure to download Combofix from the bleepingcomputer site - there are some fake ones out there.
Seconded. My initial comment before reloading this thread is below:
Combofix has always been good to me. They caution to only run it at the request of a support advisor but I always found it to work well.
Another tool I had success with was Hitman Pro, for which there was a free trial.
Another one which fixed some tricky issues was Malwarebytes' Anti-Rootkit, available on Malwarebytes.org under Other Tools.
Back when I had a PC, Malwarebytes.
So you're getting website redirection - is it possible that your browser's DNS settings have been tampered with? Try changing your computer's DNS settings to Google.
https://developers.google.com/speed/public-dns/docs/using
http://www.howtogeek.com/164981/how-to-switch-to-opendns-or-google-dns-to-speed-up-web-browsing/
I've seen some malware that tampers with DNS settings in order to route all web traffic through a sniffer.
@Thumperchick @Collin1000 also check the browser's settings; they like to mess with search settings, homepages, and proxies where applicable.
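The two comments above (DNS tampering, and proxy/search/homepage tampering) are the checks a practitioner would script rather than click through. The following PowerShell is an added read-only triage script, not something posted in this thread or shipped by any of the tools mentioned; it dumps the per-interface DNS servers (the same data `ipconfig /all` shows), the WinINET and WinHTTP proxy settings, and any live entries in the hosts file, and flags what does not match an allow-list. The `$ExpectedDns` list is an assumption you must replace with your own router/ISP/public resolvers before trusting the WARN lines.

```powershell
# Added triage script (not from the thread): show the network-level settings a
# browser-redirect hijacker typically tampers with, and flag anything unexpected.
# Read-only; run from an elevated PowerShell prompt on Windows 8 / Server 2012 or later.
# ASSUMPTION: edit this allow-list to your own resolvers first.
$ExpectedDns = @('8.8.8.8', '8.8.4.4', '192.168.1.1')

Write-Host '== DNS servers per interface (what ipconfig /all reports) =='
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses.Count -gt 0 } |
    ForEach-Object {
        foreach ($srv in $_.ServerAddresses) {
            $flag = if ($ExpectedDns -contains $srv) { 'ok  ' } else { 'WARN' }
            '{0} {1,-30} {2}' -f $flag, $_.InterfaceAlias, $srv
        }
    }

Write-Host "`n== WinINET proxy (used by IE/Edge/Chrome unless overridden) =="
$inet = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
"ProxyEnable  : $($inet.ProxyEnable)"
"ProxyServer  : $($inet.ProxyServer)"
"AutoConfigURL: $($inet.AutoConfigURL)"
if ($inet.ProxyEnable -eq 1 -or $inet.AutoConfigURL) {
    # A proxy or PAC script is exactly how malware routes every request through its own box.
    Write-Host 'WARN a proxy or PAC URL is configured; verify it is one you set yourself'
}

Write-Host "`n== WinHTTP proxy (used by services and Windows Update) =="
netsh winhttp show proxy

Write-Host "`n== Non-comment lines in the hosts file =="
$hostsFile = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
Get-Content $hostsFile |
    Where-Object { $_ -match '^\s*[^#\s]' } |
    ForEach-Object { "WARN $_" }   # a stock hosts file has no active entries
```

If every DNS line is `ok`, ProxyEnable is 0 with no AutoConfigURL, WinHTTP reports "Direct access", and the hosts file prints nothing, the redirect is not coming from these settings and the browser itself (extensions, search provider, policy keys) is the next place to look.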
If Malwarebytes doesn't get it, Google the issue and remove manually - if that doesn't work, employ a hammer.
There's a couple of other online scanners you can try:
ESET's
Bitdefender's
Trend Micro's
Microsoft's
F-Secure's
I don't think any of them are truly online, but all of them are free, and usually just a single-scan type of thing.
If you want a recommendation to start with, I'd say Microsoft's, then F-Secure, then any order.
I'm sorta partial to EMSIsoft...
https://www.emsisoft.com/en/
Link to the EEK! (emsisoft emergency kit)
https://www.emsisoft.com/en/software/eek/
If you end up backing up your data and re-installing windows heed this advice: Backup, Backup, Backup
PS if you are looking for your next av here are the april results from av comparatives:
http://www.av-comparatives.org/real-world-protection-test-april-2016/
I recall using a free tool from Symantec once to remove a ransom lock from someone's computer when Microsoft's tool that insisted it could fix it repeatedly failed to. It basically boots into its own OS and removed it. You may need to find the specific tool for your virus. I was sufficiently impressed to try their antivirus software again, and they're not the resource hog on Windows anymore that they used to be. That's also when I stopped recommending Microsoft Security Essentials to people. It's been a few years so I don't know if they still offer those tools.
@jqubed I've used Microsoft security essentials a lot. It's my go to!
Backup scan on a clean machine wipe and reload Windows works for me. Every time!
Then slow down on the questionable porn sites. That seems to always be the culprit... ;)
@sohmageek that’s no fun.
HijackThis! Also various boot CDs that scan WITHOUT loading the OS. Kaspersky has one.
http://support.kaspersky.com/us/viruses/rescuedisk
Another vote for HitmanPro. When my PC got the Alureon rootkit, it was the only tool I found that detected AND fixed it.
Has anyone said “Fuck.” yet?
Fuck. Sorry to hear of this. Sorry I have no experience to offer help.
I’ve found the really tricky ones sometimes require rerunning the removal tools several times. I start with Malwarebytes. But I also sequentially run multiple tools since they all seem to miss something. Spybot is another oldie but goodie I didn’t see mentioned above.
If the bug resists letting you run the removal tools, pull the infected drive and let the removal tools loose from a second PC via a docking station or USB-SATA cable.
Another good lesson in backing up your key data regularly on removable or cloud media. Choose your backup frequency based upon the amount of data you’d feel comfortable losing. If a week’s stuff is the pain point, do it weekly, etc…
@RedOak oh man, I haven’t used SpyBot in years… It’s been that long since I’ve had an issue.
@Thumperchick old habits, old dog. It is still actively supported and updated. And it sometimes finds stuff that Malwarebytes misses.
@RedOak
Spybot and some of the others have portable versions. I keep a USB stick for when family members call me screaming about stuff.
Malwarebytes has been my go-to for quite a few years. One new tool I've been using for almost a year now and have had great results with is AdwCleaner. It's a nice little, powerful tool. I used to use and love Spybot, but when they released version 2 it didn't seem to work as well as it used to; too many false positives.
I have been a fan of tronscript recently
https://reddit.com/r/TronScript/comments/4jgoeu/tron_v910_20160516_aq_fix_caffeine_crash_improve/
It combines anti-malware, antivirus and browser add-on cleanup (it also deletes browser data, as some adware hides in the browser).
It also only takes 2 clicks and anywhere from 5-9 hours to run.
Any luck fixing your issue yet @Thumperchick?
If not, I’ve got some other things you can try.
@dashcloud I haven’t even had the chance to dive further into this yet. Luckily, I’m rarely on my laptop these days, so it’s not urgent.
Here’s something fun - it genuinely wasn’t me. Well, the first part was. Here’s what happened.
I dl’d a program from a site I’ve dealt with before, it had some nastygram that came with it. I only caught that because… Woot is using a really clunky reference tracker while they switch affiliate partners. To me, it looked like a tracking virus.
So woot made me double check, which was a damn good thing because I had indeed caught something. I thought it was still there because I was still seeing the clunky woot redirects. According to non-staffer-but-still-knows-everything-at-woot @lichme - that clunky mess should clear up soon.
Thank you all for your help, suggestions, and only 1 person mentioning porn.
@Thumperchick Actually, that clunky mess is here to stay as far as I know. The cut over that is supposed to happen by June 15th is to the new, crappy format with the crappy tracker. So it’s not while they switch affiliate partners, it’s how the new affiliate partner does things, and is the permanent structure.
Here is an example of the new format, which takes you to the deal on electronics.woot with my tracking on it. You can see the huge string at the end of the url, which may be offputting to a lot of people. I’ve managed to find a way to cut this down a lot on my site, but it still has the siteID section of it, which, while simple enough, is still a change that is inconvenient to the way I have to handle things to make it work like that.
@lichme boo
@Thumperchick soooo… tl;dr it’s @lichme’s fault?
Are you comfortable using regedit?
If so you might run some registry searches to see what you can find.
Regedit can do a lot of damage (like maybe a machine won't boot if someone screws up), please be cautious.
Also you might look at what’s loading on startup. Then disable the non-os (non-windows) stuff, temporarily, re-boot, check system for probs. re-enable them one by one. If still a prob, check some of the “date modified” filestamps on MS system files. See if anything looks “off”.
Also check if some of the stuff you disabled from auto-starting is starting up anyway.
Have you disabled all browser extensions on all browsers? If so, and if you reboot, do any of them come back enabled after the boot?
Does the problem happen in all browsers, or just one?
Open a DOS box and run
ipconfig /all <hit enter>
Copy the results and paste them here.
If I were infected, I would run several rootkit scanners from different companies, in addition to the regular antivirus and antimalware scans, also from several companies. Some of these will run portably or without full installation.
What is the exact re-direct you are seeing?
@f00l read one full comment up.
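The registry, startup-item, timestamp and extension checks suggested in the last few comments are one procedure, so here is one added PowerShell script that does them in a single read-only pass. It is not from the thread or from any tool named in it. It walks the Run/RunOnce keys and startup folders, lists non-Microsoft scheduled tasks, and for each launched binary prints its last-write date and Authenticode signer so "off"-looking entries stand out; it also reports browser extensions forced by policy keys, which is one reason an extension can come back enabled after a reboot. Paths and key names are the standard Windows ones; the helper function names are mine.

```powershell
# Added triage script (not from the thread): enumerate common persistence points
# a browser hijacker uses, then annotate each binary with its signer and mtime.
# Read-only; run elevated so HKLM and all users' scheduled tasks are readable.

$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-BinaryPath([string]$cmd) {
    # Extract the executable from  "C:\x\y.exe" /arg  or  C:\x\y.exe /arg  (helper name is mine).
    if ($cmd -match '^\s*"([^"]+)"')   { return $matches[1] }
    if ($cmd -match '^\s*(\S+\.exe)')  { return $matches[1] }
    return $null
}

function Get-BinaryInfo([string]$path) {
    # Last-write date plus signer; unsigned or missing files are the ones to look at first.
    if (-not $path -or -not (Test-Path $path)) { return 'MISSING-FILE' }
    $sig   = Get-AuthenticodeSignature -FilePath $path
    $mtime = (Get-Item $path).LastWriteTime.ToString('yyyy-MM-dd')
    $who   = if ($sig.Status -eq 'Valid') { $sig.SignerCertificate.Subject } else { "UNSIGNED/$($sig.Status)" }
    return "$mtime  $who"
}

Write-Host '== Run / RunOnce keys =='
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own provider metadata
        "{0}`n    {1} = {2}`n    {3}" -f $key, $p.Name, $p.Value, (Get-BinaryInfo (Get-BinaryPath $p.Value))
    }
}

Write-Host "`n== Startup folders =="
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)
Get-ChildItem $startupDirs -ErrorAction SilentlyContinue |
    ForEach-Object { "{0}  {1}" -f $_.FullName, $_.LastWriteTime }

Write-Host "`n== Scheduled tasks outside the \Microsoft\ tree =="
Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' } | ForEach-Object {
    foreach ($a in $_.Actions) {
        if ($a.Execute) {
            "{0}{1}: {2} {3}`n    {4}" -f $_.TaskPath, $_.TaskName, $a.Execute, $a.Arguments,
                (Get-BinaryInfo (Get-BinaryPath $a.Execute))
        }
    }
}

Write-Host "`n== Browser extensions forced by policy (re-enable themselves after removal) =="
$policyKeys = @(
    'HKLM:\Software\Policies\Google\Chrome\ExtensionInstallForcelist',
    'HKCU:\Software\Policies\Google\Chrome\ExtensionInstallForcelist',
    'HKLM:\Software\Policies\Mozilla\Firefox\Extensions\Install'
)
foreach ($pol in $policyKeys) {
    if (Test-Path $pol) {
        "WARN $pol"
        (Get-ItemProperty $pol).PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |
            ForEach-Object { "    $($_.Value)" }
    }
}
```

Read the output top to bottom: a Run entry whose binary is `MISSING-FILE` or `UNSIGNED`, a task that launches something from `%AppData%` or `%Temp%`, or any populated policy key on a home machine that is not domain-managed is worth investigating before running another scanner, and the policy keys in particular explain an extension that keeps coming back.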