This thread provides information on malware removal, links to malware removal tools, and recommendations & links to anti-virus software. The intention of this thread is to provide quick and accurate support for malware-related issues and questions.
Many people here are willing to provide assistance if you're having computer problems, and this thread is not meant to discourage people from asking for help.... but, please read the information provided first, or else there's a good chance you'll be sent here, here, or here . We aren't Geek Squad, so while we won't grossly overcharge you for information and advice, we also aren't responsible for anything you do to your computer.
Also, feel free to make suggestions on the content of this post, and I'll try to keep it up to date.
Research
A lot of information can be found at this EliteKiller link, including...
Step 3 unzip the Kit, read the instruction file and run the tools in the order given.
Step 4 Thank me in about 3 hours for fixing your shit.
The Rogue Removal Kit is is a zipped file that includes malwarebytes, CCleaner (a registry cleaner that will also delete temporary files), Combofix, Hitman Pro, and HiJackThis (HiJackThis is optional, see below). The instructions guide you through running these tools in Safe Mode With Networking; then running malwarebytes and an online scanner in Normal Mode.
Some people don't recommend running Combofix unless you're fairly certain you need to use it, but I've never heard of people having major problems with it. Here's a list of symptoms to Vundo infections, which may help determine if you need to run Combofix. You can also look here to see instructions with screenshots on how to use Combofix.
Taken from the readme in the Rogue Removal Kit:
Quality Online Virus Scanners: (all scanners offer detection and removal)
My two cents on downloading anti-malware software...
Download it from another computer if possible, or from Safe Mode With Networking on the infected machine.
Verify you are downloading from a legit source and are not being redirected to a site where you'll end up downloading more malware. If you click on any links above, verify the link in the bottom left before clicking on it, then after clicking the link verify that's where you were taken in the address bar.
The elitekiller article mentions downloading the software to a USB drive. Do not download the software to a USB drive on the infected machine if you're not in Safe Mode, or else you risk infecting the USB drive and other computers you connect the drive to in the future.
Other Helpful Tips & Tools
Rkill will kill processes that may be preventing scanners from completely removing malware.
To get into Safe Mode With Networking, press F8 every couple of seconds while the computer is starting (before the Windows splash screen). If you see the Windows splash screen, you will need to try again. The safe thing to do is log into Windows, restart, and try pressing F8 several times before seeing the Windows splash screen. Alternatively, my advice that falls into the category of “what I'd do if it was my own computer, but wouldn't tell someone to do it if I worked in tech support” would be, if you didn't get into Safe Mode the first time and you're at the Windows splash screen, hold down the power button until the computer turns off. When you start the computer again, it should automatically ask you if you want to go into Safe Mode With Networking.
Still infected, or just want to make sure everything is okay?
HiJackThis is a tool that will create a log file that can be analyzed by geeks to see what is running on your computer. Install and run HiJackThis (preferably in Safe Mode With Networking), and select 'Do a system scan and save a log file'. You can then copy/paste the output to this thread, and with any luck, someone will stop by and let you know what you can delete. You can then checkmark the items in HiJackThis and click 'Fixed checked'.
If you don't get a quick response here or would rather do it yourself, you can also go to http://hijackthis.de/, which is an online analyzer for your HiJackThis log. Simply copy and paste the log into the text box and click the Analyze button. During my testing of the site, I found it wasn't perfect, especially when a proxy was setup (the visitor rating would be 'extremely nasty', but the site itself would say it was safe)... but, it's at least a good tool that can significantly shorten the time it takes to analyze the log, and it gives you an idea of which entries you can delete or at least Google/post here for further research.
You can also look at the responses to HiJackThis posts in this thread to get an idea of what is safe and what should be removed.
Windows Performance
A good starting point to knowing what processes and services are running on your computer is a HiJackThis log. There's also a lot of information that's only a Google search away.
To manage the process that start when Windows starts, use msconfig (Start button -> Run... -> msconfig -> Startup tab). This is a good resource on startup processes, and it includes a large database of startup processes with information on whether they're required to run Windows or if it's okay to uncheck them. You basically want processes that are in c:\Windows checked, and you can generally uncheck processes in c:\program files (but there are exceptions, like your antivirus), but do some research (Google, the provided links, this thread) if you're not sure. Adobe, Apple (including qttask, Boujour, AppleUpdater, etc), and any messenger program (unless you have it sign you in at startup) are always the first ones to get unchecked on my computer.
Services can be a little tougher to manage, because it's usually a much longer list, and it's not as simple as flipping them on or off. This is a great resource for managing Windows services (Start button -> Run... -> services.msc). Simply choose your version of Windows and then click on the Service Configuration link. It presents the default setup, a safe setup (what most people can use without any consequences), a tweaked setup for faster startup, and a bare bones setup for the super geek. There's also a Tweaks page for stuff like Adding/Removing programs and System Restore. [Reply]
I don't see anything malicious. Lots and lots of clutter. But nothing malicious. You could improve performance by turning off a bunch of stuff that's autostarting when it doesn't need to. But I don't see any bugs... [Reply]
Originally Posted by Fish:
I don't see anything malicious. Lots and lots of clutter. But nothing malicious. You could improve performance by turning off a bunch of stuff that's autostarting when it doesn't need to. But I don't see any bugs...
Like?
Remember, I'm as green as it gets when it comes to these things. [Reply]
These locations are what correspond with the "HKLM\..\Run:" entries in your HijackThis log. Navigate to these folder locations. The following are what you can safely delete to increase performance without losing any functionality:
This is a list of all services running on your system. Most entries have explanations. Different options for Autostart, Manual. Go through the list and see what you recognize as not necessary for loading auto.
For you, all of the following you can safely turned from autostart to manual start without losing any functionality:
O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: AMD External Events Utility - AMD - C:\Windows\system32\atiesrxx.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Canon Inkjet Printer/Scanner/Fax Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe
I think my kid's computer is infected with the ME IE Zero Day virus. I guess MS is working on a patch, but I think the computer is already infected. The machine will only start in "safe mode," and multiple attempts to restore in safe mode have not been successful.
Any suggestions short of reinstalling Windows 7 Home Premium? If I do need to reinstall...in the restore and recovery ap...can I use the "fix" option, or do I need to reinstall everything? Will I need to reload the personal files from backup after I re-install Windows?
Again, any help would be greatly appreciated. And no, I'm not considering self-immolation, anti-freeze, an AIDS tree, or a rusty razor blade. At least not yet. Thanks, in advance for your concerns though.
Would mikey's EliteKiller link be the best route to remove it? I'm mildly tech savvy, but certainly no wizard or geeksquad guy. I'm just looking for the quickest and easiest fix--as time is at a premium for our family for the next couple weeks. If the EliteKiller thing is it, then so be it. Otherwise, any suggestions to help me remove the virus instead of starting over, would be greatly appreciated...
I'm guessing it's what they are talking about in these articles:
Originally Posted by Mr. Kotter:
I think my kid's computer is infected with the ME IE Zero Day virus. I guess MS is working on a patch, but I think the computer is already infected. The machine will only start in "safe mode," and multiple attempts to restore in safe mode have not been successful.
Any suggestions short of reinstalling Windows 7 Home Premium? If I do need to reinstall...in the restore and recovery ap...can I use the "fix" option, or do I need to reinstall everything? Will I need to reload the personal files from backup after I re-install Windows?
Again, any help would be greatly appreciated. And no, I'm not considering self-immolation, anti-freeze, an AIDS tree, or a rusty razor blade. At least not yet. Thanks, in advance for your concerns though.
Would mikey's EliteKiller link be the best route to remove it? I'm mildly tech savvy, but certainly no wizard or geeksquad guy. I'm just looking for the quickest and easiest fix--as time is at a premium for our family for the next couple weeks. If the EliteKiller thing is it, then so be it. Otherwise, any suggestions to help me remove the virus instead of starting over, would be greatly appreciated...
I'm guessing it's what they are talking about in these articles:
The IE thing isn't really a virus, it's an exploit that could give someone control of your system. It's probably not the cause. I'd start by assuming it's just a run of the mill virus and follow the usual steps. [Reply]
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 8:40:29 AM, on 6/24/2014
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v9.00 (9.00.8112.16555)
Boot mode: Normal
Are you in a managed corporate environment or something? You've also got a program called DesktopAuthority running. It's a pretty powerful IT Admin app that can give the admin pretty much complete control of your computer. It can even monitor keystrokes and shit if the admin chose to use it that way. If you're in a corporate managed environment, it's probably OK. But if not, that could be serious trouble. I notice it's an Alienware with lots of normal consumer stuff, but also some admin stuff and Papercut client.
Regardless, your system need to be cleaned ASAP. I'd recommend a complete reimage or reinstall if possible. It might already be too far gone. But you might be able to resuscitate it. I'd run the malware cleaners listed in the OP. I'd also include Malwarebytes Anti-malware.
Considering all the unnecessary stuff running in the background, your system would feel like a new machine if you would format and reinstall. If you're in a corp environment, tell your IT to backup and reimage that mofo. [Reply]
Are you in a managed corporate environment or something? You've also got a program called DesktopAuthority running. It's a pretty powerful IT Admin app that can give the admin pretty much complete control of your computer. It can even monitor keystrokes and shit if the admin chose to use it that way. If you're in a corporate managed environment, it's probably OK. But if not, that could be serious trouble. I notice it's an Alienware with lots of normal consumer stuff, but also some admin stuff and Papercut client.
Regardless, your system need to be cleaned ASAP. I'd recommend a complete reimage or reinstall if possible. It might already be too far gone. But you might be able to resuscitate it. I'd run the malware cleaners listed in the OP. I'd also include Malwarebytes Anti-malware.
Considering all the unnecessary stuff running in the background, your system would feel like a new machine if you would format and reinstall. If you're in a corp environment, tell your IT to backup and reimage that mofo.
Yeah....work environment. I ran Malwarebytes and removed around 20 different fucking things. I've now run it two more times just to make sure it didn't miss anything. Desktop Authority and Papercut are mandated by my work....so they aren't going anywhere. [Reply]
I'd run EliteKiller as well. Or Spybot/Superantispyware. Just to be sure.
You might also consider deleting your old restore points. Shit can reinfect a system that way.
Originally Posted by :
To delete all restore points
Open System by clicking the Start button Picture of the Start button, right-clicking Computer, and then clicking Properties.
In the left pane, click System protection. Administrator permission required If you're prompted for an administrator password or confirmation, type the password or provide confirmation.
Under Protection Settings, click Configure.
Under Disk Space Usage, click Delete.
Click Continue, and then click OK.
Tell your IT to get a real antivirus client that can prevent that shit. McAfee sucks goat balls. [Reply]
My file extensions are trying to be sent as a Pepper Zip now ? I have scanned the pc, found the uninstall icon, done that but there is still an intact file attachment somewhere. I can not compress a file to email out to a client.