
There's a persistent browser pop-up affecting Mozilla Firefox which has evaded a number of security precautions and attempts to find and remove it. It's gone on for at least 3 months.

The pesky pop-up always advertises "super-resume.com" with an https://href.li/ link.

Here's the security that was in place during the original infection and every time the malware has popped up, without ever setting off any warning or alert:

  1. Symantec Endpoint Protection (Virus, Spyware, Proactive Threat and Network Threat Protection modules all enabled and updated)
  2. Daily anti-virus and anti-malware scan
  3. Corporate firewall

Here are the things that have been done off the top of my head to try to find/remove it:

  1. Uninstalled and reinstalled Mozilla Firefox
  2. Tried using different builds of Firefox, including Beta and Alpha releases (now back to the production release)
  3. Many Malware Bytes scans
  4. Removing all browser addons
  5. Using Ad Block Plus with pop-ups disabled
  6. Many Spybot Search and Destroy scans
  7. Audited the registry
  8. Many CCleaner runs

All failed miserably. Nothing ever detected a threat and nothing has prevented the pop-up from recurring. User has not visited an infected site since the original infection.

Any thoughts?

Hack-R

  • Nuke from orbit. Persistent infections need to be handled more seriously than a surgical remedy. – schroeder Jul 14 '15 at 18:41
  • Screenshots would really help. Also audit running processes and processes that run at boot using tools like autorun and Process Hacker. Also try to scan the OS from safe mode or even a live Linux OS – Freedo Jul 15 '15 at 06:42
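Following the suggestion above to audit what runs at boot, here is an added PowerShell snippet (not from the thread or either commenter) that lists the common Windows autostart locations and flags any entry whose command line references the two domains from the pop-up. It assumes Windows PowerShell 3 or later; the scheduled-task part needs the ScheduledTasks module (Windows 8 / Server 2012 and later) and is skipped where it is absent.

```powershell
# Added example: enumerate common autostart locations and flag entries that
# mention the domains advertised by the pop-up (both taken from the question).
$indicators = @('super-resume.com', 'href.li')
$entries = @()

# Startup folders and Run/RunOnce keys as WMI/CIM reports them (all users)
Get-CimInstance -ClassName Win32_StartupCommand | ForEach-Object {
    $entries += [pscustomobject]@{ Source = "Startup:$($_.Location)"; Name = $_.Name; Command = $_.Command }
}

# Run / RunOnce keys read directly, in case the CIM view misses a hive
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (Test-Path $key) {
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -notmatch '^PS') {   # skip PowerShell's own PSPath/PSParentPath etc.
                $entries += [pscustomobject]@{ Source = $key; Name = $p.Name; Command = [string]$p.Value }
            }
        }
    }
}

# Scheduled tasks: a periodic "open this URL" action would survive a Firefox reinstall
if (Get-Command Get-ScheduledTask -ErrorAction SilentlyContinue) {
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($a in $task.Actions) {
            $entries += [pscustomobject]@{ Source = "Task:$($task.TaskPath)"; Name = $task.TaskName; Command = "$($a.Execute) $($a.Arguments)" }
        }
    }
}

# Show the full inventory, then highlight anything matching the indicator strings
$entries | Sort-Object Source, Name | Format-Table -AutoSize
$hits = $entries | Where-Object { $cmd = $_.Command; $indicators | Where-Object { $cmd -like "*$_*" } }
if ($hits) {
    Write-Warning "Autostart entries referencing the pop-up domains:"
    $hits | Format-List
} else {
    Write-Host "No autostart entry references the pop-up domains; review the Firefox profile folder and installed extensions next."
}
```

An entry with no hit is not proof of a clean machine; the list only covers the locations queried above, which is why the comments still recommend a full reinstall from known-good media.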
  • @schroeder Nuke from orbit as in reinstall Windows? I see this is considered off topic (sorry) -- what's the appropriate Stack Exchange? Area 51? In Area 51 the hacking/virus related proposed Stack Exchange sites get shot down because this board is said to cover the same material... – Hack-R Jul 15 '15 at 15:21
  • @Freedo Yea, I took a screenshot months back and could hunt for it. I'd try to provide the requested detail but the post has been put on hold : / – Hack-R Jul 15 '15 at 15:22
  • "nuke from orbit" as in "reformat the drive and reinstall everything". This question is more of a tech support question than it is an InfoSec question. You aren't asking about hacking/viruses, you are trying to recover from one. I don't believe there is a malware recovery site on Stack Exchange, but there are multiple other forums dedicated to this topic, including on AV vendors' sites. – schroeder Jul 15 '15 at 15:26
  • @schroeder I see. I'd respectfully argue that dealing with infections is either a part of InfoSec or system administration and definitely something that SO should be able to handle. So, I will take it to Area 51. – Hack-R Jul 15 '15 at 17:08
  • FWIW, "Take off and nuke it from orbit" is a meme used to indicate that in general once malware has become resident on a machine, the only viable solution is to reinstall the system from known good installation media. The reason for this is that much malware uses rootkits and other techniques to evade A-V and other common removal mechanisms, so especially when commenting in the abstract (i.e. we can't see the system in question) that is the best advice to provide. – Rory McCune Jul 15 '15 at 19:21
  • ... and in the worst case even "reinstall OS from known good" doesn't help if the malware is (also) sitting in USB sticks (BadUSB), or in the HDD firmware (NSA did / does this) or in the BIOS / UEFI (many people do this) -> "Get a new computer from known goods"? BTW: If you want to ask if this kind of question is appropriate *here*, use [Meta InfoSec SE](http://meta.security.stackexchange.com/). You may want to ask there why the question got closed although reaching +5. – SEJPM Jul 15 '15 at 21:20
