Games changed, any new helpful ideas/tools?
So, just to state this, I am no infosec expert. I work as a sysadmin (windows obviously). I've been dealing with malware for a long time and a few years ago I noticed the game has definitely changed. They run in Safe mode, start up in new places, encrypt themselves, block known tools from running, redirect websites etc. I That and other resources helped me see why malware was changing, and being on the frontline, I getto see it everyday.(ugh)
So today I'm dealing with a fake AV product. WIndows_*_ AntiVirus200Whatever. So this malware is really trixie, I can't get it to die, I'm having to rename tools to run them (I.E. HijackThis, ComboFix, ProcExplorere, etc). I am going to beat this one, but the question I have is, are there any other tools or places to look in the OS to fix this, other than Malware Bytes, SuperAnti-Spyware, Hijack This, ComboFix, and all major AV software, etc that will not be brought down by things like this new baddy?
More importantly, since I like to learn where things live, how in the hell is it redirecting every browser that I install? I see no proxies set in any browser. Is there a hidden, proprietary proxy these things run, or am I missing something in the OS that can be changed to beat this thing blocking ALL access to anti-malware websites, which is pissing me off. That is a big one, since I want to know where is it redirecting the sites from? It is reminiscent of WindwosAntiVirus2008, but fresher and better written.
I couldn't even run certain EXEs until I ran a registry fix for EXEs that... well, I've had to do that before, someone wrote and published that, I got that reg file last year, sorry author don't remember your name. I am pretty fluent in WMI/VBS scripting, and the registry so if someone can point in the direction of where this thing is blocking sites from, I'll write my own tool. I used Autoruns to check and could find nothing out of the ordinary, I also pulled a BHO from Hijakc this, but that hasn't stopped it. Nothing in AppInit, Run Runonce, Winlogin, Startup, etc. I checked the HOSTS file too, no joy.
Tried SDFix, Fix Wlechia, FixVundo, FixVirtumonde, ConfikerFix, etc.
I plan on slaving the drive to get rid of the thing tomorrow, so I am not worried about beating it, I just want any help pointing me towards real time tools that I might be missing, whether they are written tools or just some part of the OS/Registry that I can edit/hack to stop this crap in the future I don't care, either would be great, but I would prefer a whole understanding of how this is happening.