My computer got hit by malware yesterday, which took all day to eliminate. Since there wasn't a lot of specific info online, I thought I'd post this in case it hits anyone else. Most of the web results point to 2012 recommendations that are out of date.
This particular redirect hijacks your address bar and search results (for all your browsers) to SearchMagnified or SearchingMagnified, obvious bogus domains that will no doubt take you to further exploit sites. It also redirected direct links and bookmarks to these sites.
I looked through the list of browser settings and add-ons (I don't run any), running processes, installed software, and even the hosts file and DNS settings, after dumping cache files and cookies in the browsers and refreshing them. Nothing obvious showed in the list of add-ons, processes, startup entries, or the Registry.
It went right through Avira Antivirus and Malwarebytes Anti-Malware – neither was able to detect anything wrong with a full scan. Windows Defender was, of course, useless.
First, I downloaded and installed (sequentially) a bunch of free antivirus apps, all of which have relatively good standing in their industry – Bitdefender, Avast, AVG, Kaspersky. I updated definitions and ran a full scan with each, which took all day and turned up nothing. I also uninstalled each app before trying the next one, which meant a lot of restarting.
I also used the following anti-malware apps – Malwarebytes AdwCleaner and Spybot Search & Destroy. No results there, either.
Eventually, I found a general help page on browser hijacks at the MalwareTips website (dodgy-sounding, I know, but I was at my wits' end by that point).
Going directly to the applications the page referenced (rather than clicking through their links), I followed their recommendations step by step:
1. Kaspersky TDSSKiller (rootkit detection and removal) – no results
2. RKill (process blocker removal) – no results
3. Malwarebytes Anti-Malware – no results
4. HitmanPro – we have a winner! HitmanPro listed a small number of tracking cookies (low threat), and removed 1 malware from a 2016 archive file. Deleting these fixed the browsers.
5. Zemana Anti-Malware – did not try
6. Reset browser to default settings – already tried. No effect
Takeaway lessons and reminders (most of these are pretty obvious):
1. Have up-to-date backups of your critical data as well as a system image
2. Make sure you know if System Restore is working if you have to revert Windows
3. Consider changing your user level down from Administrator
4. None of the browsers were safe. Modern hijacks are able to affect all of them. Windows 10 is obviously still vulnerable to drive-by website exploits
5. Have a second computing device, and at least a large flash drive or external hard drive to boot from in extremis
6. Hard drives are slow... the painful process of scanning the entire system (many hours) would have been much less painful on an SSD
8. Hybrid vigor: if you have the resources, experiment with multiple operating systems and virtualization to reduce your exposure
9. Keep a variety of these free anti-virus and anti-malware tools on an easily-accessible disk, and update them regularly. None of them are guaranteed to find all your viruses, spyware, adware, malware, and ransomware by themselves, so keep your options open. Paid security software (Norton, McAfee, premium versions of the vendors listed above) probably has the same pitfalls.
10. Update all your passwords and login information after an attack. Scan other volumes (e.g., external and networked drives) to ensure data security
11. Using cloud services reduces your reliance on a single device/system, but can introduce new weaknesses
12. Prepare for the worst-case scenario. Know what steps you would take if you lost all your data and possibly the entire computer (e.g., comparable to a theft, loss, or hardware failure)
Conclusions:
I suspected from the start that it was a simple browser hijack, but doing a thorough inspection with multiple programs confirmed the system and its data is essentially clean (I am running free Sophos Home now). I hadn't heard of a lot of the tools listed above, but they obviously vary in their effectiveness. In the end, I didn't lose any data and I only lost a day. It is important to act as quickly as possible against system security problems. You can't always rely on a previous set of security tools, so stay up to date and limit your vulnerabilities.
Good question – the version I downloaded (HitmanPro 3.7 x64) gave me an option to run the program as a one-shot deal or as a perpetual scanner. I chose the one-shot option and it seems to be completely gone from my system. The only thing it left was the scan log I saved on my desktop. I didn't realize it was a Sophos product, either. The screenshot on the MalwareTips site shows the SurfRight name, which Wikipedia says Sophos acquired in 2015. Maybe they realized the original product was too much like malware itself – they'll probably lose the questionable name as they incorporate the technology into their other products.
