Malware acquired. :(

Last Thursday a highly suspect pop-up popped up on my computer which had been idling for a few hours and I found the pop-up when I came back. It gave me some natter about updates but I found it suspicious because of the look of the thing and because of some weird typos. I didn't want to click anything on it because it seemed super iffy.

A bit of googling on my phone led me to believe it was a so-called browser-hijacker which wanted me to install it so that any searches I made would be done through 'web search'.

What I found was that it may have been related to the Pokki start menu (I'm on Windows :cool:) so I uninstalled that (it was ****e to use anyway), removed every trace of it, and uninstalled some other programmes (I refuse to call them apps) that I wasn't using for good measure as well and sent CCleaner over it to empty the trash can, delete empty registry things and so on. Had McAfee scan for viruses and malware as well and it came up empty.

And that, I thought, was that.

However, this morning I did some actual updates (Comodo asked for the umptillionth time so I allowed it) and it wanted me to restart the computer.

I did so but when it was finished the original pop-up was back! I shut down the process via task manager but I can't find the villain behind it!

Anyone any idea?

Looking at Task Manager there are always a ridiculous number of processes going on, often an immense number of duplicates as well. The biggest issue is that I do not know which processes are legit and which are not and how many processes one program actually needs.
 
No, but I think I can find a picture of a similar one on the internet. That's how I recognised this one after all, although this one was also in Dutch.



Hmpf, no I can't. I had originally searched on my phone but I don't know what I searched on it and I'm now a bit wary about searching and opening anything on my laptop.  :ohdear:
 
Best bet is to backup all your necessary data and reinstall Windows after a clean wipe. Viruses that have already infected your computer are extremely difficult to get rid of without really knowing exactly what it is and where it hides.
 
You could try a minimal startup to see if it stops doing the bad thing. Then slowly enable things until it starts doing the bad thing again. At least then you might be able to get some info on it by knowing the service or process name.

You could also post screenshots of your startup items, running processes and services. Might be able to spot something.
 
A quick and easy method which hasn't failed me yet:
J said:
1. Get HijackThis!
2. Run (might need to do this in admin mode), scan, save log
3. Copy/paste log here

The page on 3. does give good hints on what might be right/wrong, but if still unsure, paste the log 'ere in a spoiler or something.

AWdeV said:
I did so but when it was finished the original pop-up was back! I shut down the process via task manager but I can't find the villain behind it!
You should be able to right-click on a process and check its properties. That should give you the folder location too.
 
My method is to install Malwarebytes portal and boot to safe mode.
 
My method is to wipe everything off the face of the world the hard drive. If you don't have backups of your personal files yet (which you really, really, really should have done), back them up using a live disk or USB and search your backup storage separately with one of those free "rescue disks" all antivirus providers offer.

Takes you half a day at most, which is probably less time than you have spent on the problem, by now.
 
I have not spent half a day because I don't have a clue what I could/should have done. All I did do, I mentioned in the OP.

I have some USB sticks lying around but could I not accidentally transfer this thing to there?

I should've done a wipe and complete install when I got it in the first place (it was a show model) but didn't know how and I'm a lazy bum anyway.

I'm running a scan now and I'll reboot it later, if the popup is back, I can take a screenshot of that and of my start-up processes.

edit; scan's empty.
 
After that scan I rebooted again and the pop-up was there.

[screenshot of the pop-up]

App store update yadda yadda yadda, the little checked box in the bottom says "set starting page and search function of my web browser to Web Search, by clicking OK you agree with the terms & conditions and this privacy policy".

Checked via Task Manager, found where it came from, it was as I surmised the Pokki start menu and apparently I hadn't removed it completely (at all?).

[screenshot of Task Manager showing the process and its path]

I deleted it at the specified path, deleted the whole Pokki folder, saw a separate Pokki folder nearby, got rid of that, emptied the trash can, ran CCleaner, Comodo scan, McAfee scan, etc.

Rebooted it, no pop-up this time! It looks to be gone now and I'd like to keep it that way.

 
You can also always google the process name to get more information on what it does. Disabling services that you don't need, or at least preventing them from being automatically started at boot-up, is a good way to reduce stress on the PC and minimise the amount of background stuff that's happening.
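Two of the tips in this thread, checking where a running process lives on disk (J's right-click suggestion above) and reviewing what is set to start automatically at boot (the post just above), can be done in one pass from PowerShell. This is an added example, not code posted by anyone in the thread; it assumes Windows PowerShell 5.1 or later, run from an elevated prompt so every process reports its path.

```powershell
# Added example (not from the thread): list running processes with their
# on-disk path and code-signing status, then the usual auto-start locations,
# so an unexpected pop-up can be traced back to its executable and start-up entry.

function Get-ProcessOrigin {
    Get-Process | Where-Object { $_.Path } | ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.Path
        [pscustomobject]@{
            Name      = $_.ProcessName
            Id        = $_.Id
            Path      = $_.Path
            Publisher = $sig.SignerCertificate.Subject   # null when unsigned
            Signature = $sig.Status                      # 'Valid' for a good signature
        }
    }
}

function Get-AutoStartEntries {
    # Registry Run/RunOnce keys for the current user and the machine.
    $runKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -notlike 'PS*') {   # skip the provider's own PS* properties
                [pscustomobject]@{ Source = $key; Name = $p.Name; Command = $p.Value }
            }
        }
    }
    # Start-up folder shortcuts (and Run keys again, as WMI sees them).
    Get-CimInstance Win32_StartupCommand | ForEach-Object {
        [pscustomobject]@{ Source = $_.Location; Name = $_.Name; Command = $_.Command }
    }
    # Enabled scheduled tasks that launch an executable.
    Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' } | ForEach-Object {
        $task = $_
        foreach ($a in $task.Actions) {
            if ($a.Execute) {
                [pscustomobject]@{ Source = 'ScheduledTask'; Name = $task.TaskName
                                   Command = "$($a.Execute) $($a.Arguments)" }
            }
        }
    }
}

# Unsigned processes and start-up entries pointing into user-profile folders
# are the first things to look at; each Command column tells you where to delete from.
Get-ProcessOrigin | Where-Object { $_.Signature -ne 'Valid' } | Format-Table -AutoSize
Get-AutoStartEntries | Sort-Object Source | Format-Table -AutoSize -Wrap
```

To narrow the second list to one suspect, pipe it through `Where-Object { $_.Command -match 'pokki' }` (or whatever name Task Manager showed); the Source column then tells you which key, folder or task to remove the entry from.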
 
Thanks for the ideas but it seems to be fixed, mostly based on J's help and my realising I hadn't looked at where it came from properly.



Issue resolved!
 