Britannia Malware

26-11-2009, 11:52 AM
I suspect I will get a friend's computer with what sounds like the Britannia search redirect trojan in it. It sounds really nasty so am not looking forward to this one. Won't let you run msconfig or regedit etc.

Anyone had to deal with this one?

26-11-2009, 12:04 PM
Not specifically, but boot into safe mode with networking if possible, disable system restore, install Trojan Remover, update and run it, as well as running all the tools in the Options menu, and then post a Hijackthis log here.

26-11-2009, 01:35 PM
Thanks. Will do this but more drastic action seems to be needed. Combofix has been used I note. Main thing is to get data off it and hope my friend has the XP CD (or restore partition) if all else fails!

Anyway, I haven't got the machine yet so no panic at this stage.

Speedy Gonzales
26-11-2009, 01:43 PM
Or boot into safe mode / networking and do a full scan with Malwarebytes.

26-11-2009, 02:54 PM
Yeah, Malwarebytes was going to be my starting point.


26-11-2009, 04:35 PM
You might need to rename the Malwarebytes exe; some of these nasties block it from running.

28-11-2009, 04:42 PM
Thanks for the tip. This one does seem to block exes.

28-11-2009, 05:09 PM
If it blocks every exe (cleaning software), it may be more of a problem than you think - just finished reinstalling a customer's PC, had a virut.56 virus, stopped EVERY cleaner out there, Malwarebytes, Comodo etc., even in safe mode, nothing would run.

Hope you don't have this (http://www.computer-juice.com/forums/f49/virut-pe-win32-virut-56-polymorphic-virus-rise-22233/) - only way to fix it was to drag the data from the drive via a Linux Live CD (couldn't use Windows, as originally it infected the workshop PC as well) and reinstall -- real nasty piece of work.

Here's an example: when I copied the driver folder to a flash drive (the exe files from Compaq), then scanned with Nod32, it found 45 infected files - guess what? Didn't use those drivers :)

Speedy Gonzales
28-11-2009, 05:12 PM
Could be similar to this post (http://pressf1.co.nz/showthread.php?t=105316); the link on the last post is a virut variant. It's in the HJT log that was posted.