How can I find and remove hidden malware from my computer?

[nomadreid]

I have recently had some malware infect my Internet sites, of three types all at once
one, a webpage will disappear and in its place a page saying "And now a word from our sponsors... you will be redirected in a moment" (at which point I kill it);
two, words on the web page are double-underlined and a window appears for it, and
three, pop-ups).
I scanned and cleaned the computer with the (free versions of the ) following programs:
Malwarebytes
Super Anti-Spy
Adwcleaner
Junk Removal Tool
(I also then scanned it with HitmanPro, but no results were found, which is good because it won't fix anything unless you buy it.)
Of course even before that I looked for unwanted programs in Control Panel>Programs and Features, but naturally not all sneaky programs are listed.
I also read of Combofix, but it was advised not to use it unless I had considerable technical knowledge, which I don't.
Anyway, with all these attempts, the infections are still there. Well hidden. What else can I do?

 

[mfb]

Do you have them independent of the browser? They could be some sort of browser plugin.

 

[nomadreid]

Good question. So far I have been using only Firefox. I just tried Internet Explorer and Chrome, and the problem doesn't arise on a five-minute trial, but I shall try using only the other two browsers for a while to see what happens. So, let us assume that it is only Firefox. How do I go about getting rid of the plug-in or whatever it is?

 

[mathman]

(Firefox) Click on tools -> add-ons. Look at extensions and plugins to see if you have anything unusual.

 

[mfb]

And if they don't show up there, save your bookmarks and so on before if you want to keep them, deinstall Firefox, remove the folder (if still there) and reinstall.

 

[StevieTNZ]

You could try HijackThis - http://en.wikipedia.org/wiki/HijackThis - and check the log generated on http://www.hijackthis.de/

 

[nomadreid]

Thanks, mathman, mfb, and StevieTNZ. (Sorry for the delay in the reply: different time zone) I will try one thing at a time. First, mathman's suggestion: in "Add-ons" I have three items, two of which are disabled and known, but one of which is odd: it is listed as "S-Foxer 1.2" from "sfoxer", with a website listing email address, and installed last Sunday. I googled "S-foxer" but the search came up with nothing. For the moment I have disabled it, but before removing it altogether will wait to see if (a) that solves it, and (b) any of you helpful people can tell me whether it is something legit. Thanks!

 

[StevieTNZ]

I get the impression it wouldn't be an add-on in Firefox causing the page re-directs and links appearing with pop-up boxes, but I could be wrong.

 

[nomadreid]

I used Firefox for a whole day after I had disabled that add-on, and no more pop-ups and underlinings occurred; they also didn't occur in the other two browsers. So, apparently that was the problem. It's nice to have the other suggestions for the future, though. So, again many thanks to all three of you who responded!

 

[Routaran]

Malware rarely ever installs itself in isolation. If a toolbar/add-on managed to get on your system, it's likely there's other things on there too.
I would suggest running some scans on your computer in addition to just disabling add-ons. First do a full system scan with whatever antivirus software you are currently using. Fix/Clean/Quarantine if it finds things.

Then go get MalwareBytes anti-spyware, the free version
https://www.malwarebytes.org/bf3/

This is one of the best free tools available. Download>Install>Update>Scan>Clean>Reboot>Scan>Clean>Reboot.

Once you have done scanned and cleaned twice, you'll effectively have the system about as clean as it's going to get without getting help from someone trained in using tools like Hijackthis. In the majority of cases, just doing a Malwarebytes scan is good enough.

 

[nomadreid]

Thanks, Routaran. However, notice that in my original post I mentioned that I had scanned my system with Malwarebytes as well as a few other good cleaning programs that I listed. In fact, I scan with Malwarebytes and Super Anti-Spy regularly. As you say, good programs.

 

[Routaran]

Doh! I completely missed Malwarebytes in that list. My apologies. I was surprised that you hadn't used Malwarebytes when I read the thread but obviously I was mistaken.

Another I would suggest doing is just resetting your browser to it's factory defaults instead of disabling just an addon or two.
https://support.mozilla.org/en-US/kb/reset-firefox-easily-fix-most-problems

Reset IE also while you're at it.
http://windows.microsoft.com/en-ca/internet-explorer/reset-ie-settings#ie=ie-11

 

[nomadreid]

Thanks for the good suggestions and links, Routaran. Very good idea.

 

[B0b-A]

I used Firefox for a whole day after I had disabled that add-on, and no more pop-ups and underlinings occurred; they also didn't occur in the other two browsers. So, apparently that was the problem. It's nice to have the other suggestions for the future, though. So, again many thanks to all three of you who responded!

Installing the FireFox addon "NoScript" will dramatically lower your odds of getting this type of adware again ... http://en.wikipedia.org/wiki/NoScript [ it's free ]

 

[nomadreid]

Thanks, BOb-A. Sounds very good. I presume I can add to the whitelist, which is good, except that I would have to investigate which of the sites I use depend on JavaScript. What is your comment to the following notes in the link you sent?
"NoScript's default behavior is to block all scripts that are not whitelisted. This may prevent a large number of sites from automatically working due to their reliance on JavaScript technologies ... Users may find this behavior overkill, unnecessary, or tedious despite the additional security."

 

[B0b-A]

... What is your comment to the following notes in the link you sent? ...

There is always a trade-off between security and convenience : unlocked doors are more convenient than locked ones , but unlocked ones are not secure,

Without something like NoScript your doors are unlocked : and are vulnerable to driveby-downloads.

Once you've white-listed your frequently-visited trusted-websites , NoScript is not very intrusive ,
( it blocks animated-adverts that require adobe-flash which are intrusive , and use lots of internet bandwidth and CPU ).

I would not browse the internet without NoScript or an equivalent.

 

[nomadreid]

Thanks, BOb-A and Ross Franklin.
BOb-A: sounds good (I looked up other reviews): I will try it.
Ross Franklin: that link is about one particular Trojan (Hey, how did you know that I can read Russian? ), but it does give some general methods as well. Thanks, спасибо.

 

[ImperialThinker]

I use malwarebytes, It stores the threat in quarantine, so if u have not deleted it yet, then please do so.

 

[nomadreid]

Thanks for trying, ImperialThinker (avatar Dr. House), but if you go back to my original post, I explicitly mentioned that Malwarebytes did not catch the problem. I found the problem the way mathman (above) suggested. However, I appreciate the effort.

 

[ellipsis]

noma: Instead of Noscript (which I've used, and found tedious to use), I use Ghostery and AdBlock. I never get redirected anywhere, no ads to click on, and can watch 8-second videos without a 30 second advertisement.

 

[ImperialThinker]

Thanks for trying, ImperialThinker (avatar Dr. House), but if you go back to my original post, I explicitly mentioned that Malwarebytes did not catch the problem. I found the problem the way mathman (above) suggested. However, I appreciate the effort.

I assumed you were lying... Everybody lies.

 

[B0b-A]

Ross Franklin: that link is about one particular Trojan (Hey, how did you know that I can read Russian? ), but it does give some general methods as well. Thanks, спасибо.

You shouldn't have clicked on the "bitl.y" short URL from first-time-poster Ross Franklin.
In this case the short URL is apparently to a disreputable site , see ...
https://www.mywot.com/en/scorecard/www.delete-malware.com says "unsatisfactory site",
http://www.siteadvisor.com/sites/www.delete-malware.com says "dangerous site".

Shortened URLs can be used to disguise malware sites which would have otherwise been blocked by your browser ...

... The short URL can allow blacklisted URLs to be accessed ..."

http://en.wikipedia.org/wiki/Short_URL#Privacy_and_security

If you clicked on the Ross's Bitly link my suggestion would be do a "system restore" to a point in time prior to clicking on it , just in case visiting that webpage installed malware.

 

[syhprum1]

My last resort malware buster is Exterminate It I don't know if a legitimate free version is available but even a test version would tell you where the malware is hidden.
I only say last resort because it takes about 15 minutes to run and spills out the result at the last moment but it has never failed me