Help me remove an IE-only browser hijack (not your usual problem)
8 replies, posted
So, there's this website. Take note of it, it's called [B]windowsxlive.net[/B] and it's a real bad one; here's why:
- The (supposedly) three creators are slinging modded windows dlls, themes and such
- Their dlls (though they work) contain malware - it hijacks a lot of your browser stuff (including homepage, etc) at every startup through their patched uxtheme.dll, replaces your Flash/ActiveX Flash installations, etc
- Not too many people have been affected by the site's seemingly useful, yet malicious software - NO ANTIVIRUS DATABASES HAVE THEIR FILE SIGNATURES YET
I have managed to remove the active viruses (so I think). I did this by looking at my system files, which had been replaced on the date that I had installed their UXPatcher shit (I can't believe that these cunts put malware into this one, I've seen perfectly clean UXTheme patches before, and thought I was downloading the same one). Reverting the UXTheme DLL did a lot (at least stopped the recurring homepage hijacks), replacing flash with the original, deleting the spawned umonitor and uxtheme exe files, etc. But there's one problem: my google.ca for only Internet Explorer (again, so I think) still seems to be hijacked. And the worst part: I can't find how.
Basically, every time I fire up google.* through Internet Explorer 7, I'm getting 'Certificate Error'. This only applies to google.* (any TLD that google is on) and opening it in IE7. My Firefox seems to still have a verified cert from Kaspersky (although I get the exclamation mark on Firefox sometimes as well). Is this a hijack? It's driving me crazy! My other computer opens google.ca just fine on the same IE version, service pack, and update. I already tried checking:
- Proxy settings (IE)
- Hosts file
- IPv4 and IPv6 DNS configs for Wi-Fi and Wired
- CCleaner'd the hell out of my computer multiple times
- Pretty sure there's nothing in the registry regarding google.ca
- Reset my FF and IE settings the way I had been instructed.
- No dumb plugins remaining
- Swept left and right with KIS 2015. Using an outside boot (live CD) as well. No rootkits that KAV knows about...
Also, to all of your antivirus using folk: spam the fuck out of report this site for windowsxlive.net
They have disappointed me greatly. Let their reputation sink into the cesspool of all the other corrupted, malicious, low-life-authored bytes.
[editline]2nd March 2015[/editline]
Oh yeah, let it be noted that the symptoms of their virus(es) are the following:
- Homepages on all browsers set to windowsxlive.net [b]after every reboot[/b]
- Running any browser spawns a suspicious amount of flash plugin instances (for FF, it's plugin-containers)
- Certificate issues (especially with Google)
- Replaced Flash player files in System32 and SysWOW64
- UMonitor or Umonit executable popping up in System32 and SysWOW64
- Other small spy-related crap sprinkled left and right. Used ccleaner/hijackthis for most of it.
[editline]2nd March 2015[/editline]
Also, I may not have deleted the virus fully; I just realized that my browsers still automatically fire up FlashPlayerPlugins and plugin-containers in groups of two/three when no pages are open. Fuck.
Can this really be happening? I need a new Win7 installation only after a few months. I hope the guys behind windowsxlive.net rot in hell -.-
Tried using Malwarebytes in safe mode yet?
I'm sure there's a good reason, but could I ask why you're using IE7?
[QUOTE=voltlight;47241743]I'm sure there's a good reason, but could I ask why you're using IE7?[/QUOTE]
I was about to ask the same. Also to OP, check the targets for your browser shortcuts as well. Make sure there aren't any modifier strings after the .exe location forcing the homepage.
[QUOTE=wickedplayer494;47241741]Tried using Malwarebytes in safe mode yet?[/QUOTE]
No, but wasn't a Kaspersky scan without Win7 booting better? Safe-mode, and even boot-up scans are still very prone to rootkits. I'm sure there are not more kits left on my computer, however. The problem is with what the virus already managed to do. Windows repair didn't seem to find anything wrong. Hell, it never even pointed out that my UXTheme was different, let alone fixing it.
[QUOTE=voltlight;47241743]I'm sure there's a good reason, but could I ask why you're using IE7?[/QUOTE]
Well, I don't really use IE. It's just that this symptom has been eating away at my conscience. I mean, any problem with IE could actually be much deeper down within windows, say an infected winsock, no?
[QUOTE=crowbarb;47241759]No, but wasn't a Kaspersky scan without Win7 booting better? Safe-mode, and even boot-up scans are still very prone to rootkits. I'm sure there are not more kits left on my computer, however. The problem is with what the virus already managed to do. Windows repair didn't seem to find anything wrong. Hell, it never even pointed out that my UXTheme was different, let alone fixing it.[/QUOTE]
Yeah, but it never hurts. Malwarebytes is the go-to for most enthusiasts, as it could be covered by them. They've covered some Steam phishing files in the past, so maybe they've covered this obscure pile of shite.
Give it some hitmanpro, ADWcleaner, super anti spyware, MBAM and some revo uninstaller.
Not sure, but I might have done MBAM already as well, just not with the system unloaded. It's too late anyways, the status update on my machine is now this:
I launched windows recovery CMD from the installation disc, and robocopied the whole C:\Windows folder from the disc onto my HDD. I seemed to have forgotten about the SAM file and the registry and such. Basically, I just nuked my Win7 by mistake. After a double boot loop, the Windows booted into 800x600 graphics mode that won't stop saying 'Please wait...' on the login screen.
I've already backed up my crap off the drive, so oh well, off to do a fresh reinstall. Yeah, lesson learned, no sketchy system mods installed before I set up an anti-virus. The sad part is that KAV would have detected the virus only upon install. According to some guy in the comments section on that shitty site, the virus changes some protocol settings in a place. Interesting part is that the admin kept managing to calm people down every time a commenter said "it's a virus" by claiming "false positive, nothing to see here".
You can all check out the site, the viruses start pouring in only once you run their software. I would still recommend a no-script, just to be safe. You never know with these fuckers >:(
[editline]2nd March 2015[/editline]
Lol, at least this was a learning experience on how [i]not[/i] to repair windows files manually.
Had the same problem, registered just to contribute here.
It is those arseholes from [url]http://www.cleodesktop.com/[/url]
When Win10 10586 disabled the previous theme patch, they provided a 'UXtheme patch' where they instruct you to use their own themeui.dll.
EDIT: reinstating the original themeui.dll does not solve the hijacking.
EDIT 2: Booting into Safe Mode and deleting the hosts file did it!
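Two posts in this thread point at the hosts file: the OP lists it among the things checked, and the last reply reports that deleting it removed the hijack. A redirect in that file is exactly what produces the symptom described (a certificate error on google.* while other sites work: the name is being resolved to a host that cannot present a certificate for it). Below is an added hosts-file audit, written for this thread and not taken from any poster or from the malware being discussed. It parses a hosts file, keeps the standard localhost lines, and flags two things that deserve a look: well-known names pinned to a fixed external address (a redirect) and real hostnames pinned to loopback (a sinkhole, which is how hijackers block update servers). The sample hosts content is constructed; the 203.0.113.45 address and the `.invalid` hostname are placeholders, not indicators from the page. The Windows path in `audit_file` is the standard location of the file.

```python
"""Audit a hosts file for entries that would redirect or sinkhole a hostname.

Added example for this thread; the sample data below is constructed.
"""
import ipaddress
from pathlib import Path
from typing import Dict, List

# Standard location on Windows; pass another path to audit_file() if needed.
WINDOWS_HOSTS = Path(r"C:\Windows\System32\drivers\etc\hosts")

# Names that legitimately map to loopback / unspecified addresses.
LOOPBACK_NAMES = {
    "localhost", "localhost.localdomain", "broadcasthost",
    "ip6-localhost", "ip6-loopback", "ip6-allnodes", "ip6-allrouters",
}

# Explicit RFC 1918 / ULA ranges. We do NOT rely on ipaddress.is_private,
# because it also covers documentation ranges such as 203.0.113.0/24.
LAN_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("fc00::/7"),
]

# Constructed sample: default Windows header, a legitimate LAN override,
# a hijack-style redirect of Google names, and a sinkholed update host.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
# localhost name resolution is handled within DNS itself.
#	127.0.0.1       localhost
#	::1             localhost
127.0.0.1       localhost
::1             localhost
192.168.1.20    fileserver.lan                       # constructed: LAN override
203.0.113.45    www.google.ca google.ca www.google.com   # constructed: redirect
127.0.0.1       updates.example-av.invalid           # constructed: sinkhole
"""


def parse_hosts(text: str) -> List[Dict[str, str]]:
    """Return one record per (address, hostname) pair, ignoring comments."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue                           # address with no names
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                           # not a valid address field
        for name in parts[1:]:
            entries.append({"line": lineno, "ip": str(ip),
                            "name": name.lower(), "raw": raw.rstrip()})
    return entries


def classify(entry: Dict[str, str]) -> str:
    """Label an entry: ok, lan-override, sinkhole or redirect."""
    ip = ipaddress.ip_address(entry["ip"])
    name = entry["name"]
    if ip.is_loopback or ip.is_unspecified:
        # loopback for 'localhost' is normal; for any other name it blocks that site
        return "ok" if name in LOOPBACK_NAMES else "sinkhole"
    if ip.is_link_local or any(ip in net for net in LAN_NETWORKS):
        return "lan-override"                  # common in homes/offices; review, not alarm
    # A public hostname forced to a fixed external address: the browser will
    # connect there and the certificate will not match -> 'Certificate Error'.
    return "redirect"


def audit_hosts(text: str) -> List[Dict[str, str]]:
    """Parse and classify every entry in hosts-file text."""
    return [dict(e, verdict=classify(e)) for e in parse_hosts(text)]


def suspicious(text: str) -> List[Dict[str, str]]:
    """Only the entries that redirect or sinkhole a hostname."""
    return [f for f in audit_hosts(text) if f["verdict"] in ("sinkhole", "redirect")]


def audit_file(path: Path = WINDOWS_HOSTS) -> List[Dict[str, str]]:
    """Audit a real hosts file on disk (the default is the Windows location)."""
    return suspicious(path.read_text(encoding="utf-8", errors="replace"))


if __name__ == "__main__":
    for f in suspicious(SAMPLE_HOSTS):
        print(f"line {f['line']:>3} {f['verdict']:<9} {f['name']:<28} -> {f['ip']}")
```

Run it against the live file with `audit_file()` from an elevated prompt; on a clean Windows 7 machine the result is an empty list, because the default file contains only comments. Anything it reports for a name you did not add yourself is worth restoring from a known-good copy, which matches what the last reply found.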