Manually removing a malware program

ElJeffe

So my mom decided to install a bunch of malware on her computer because she fails at the internet. I am trying to eliminate it.

The source of it all, apparently, is a program called ViewPlay. Uninstalling it using Uninstall Programs didn't work, because of course it didn't (it just hangs in perpetuity and won't allow you to try uninstalling anything else until you reboot, as best I can tell). I located the program files, and tried manually deleting them. Some could be removed, but several of them said I didn't have permission to do that. (I'm using an administrator account, btw.)

So okay, go in there and change the permissions to grant myself full access, right? Except even when I ostensibly grant myself all permissions, it still says I don't have permission. I thought maybe it was a "program is currently running" sort of thing, so I tried manually ending the process from the task manager and then trying to delete the file I've isolated as the culprit in the few seconds before it starts running again. (It's one of those things where one file is spawning other files, and the one that's spawning all the others is the one that's resisting deletion.) Anyway, that doesn't work either. I also tried removing the system's permissions from the file, wondering if maybe that would keep it from running itself, but that didn't work, either.

I'm not exactly a computer guru, so I'm hesitant to go too much deeper without understanding what I'm doing, lest I break something I can't unbreak. So how can I get rid of this fucking thing?

The Ender

Modern malware - if it's half decent at what it does - gets everywhere. Your registry, your user profile, various subfolders within Windows, etc.

Even the best malware removal software usually can't get it all.


To be rid of it, you'll have to format the drive. Are your mother's essential files backed-up, by chance?

Dark Raven X

Your best bet is to reformat, as much as it sucks. Actually thoroughly getting rid of something once it takes root is Tough Times. Tried running MalwareBytes and HitmanPro?

To save sentimental/important stuff, burn yourself a Ubuntu installation disk (freeware Linux OS which is similar enough to OSX and Windows for anyone to use) and boot the trial; this will let you access the files on the computer without the malware dicking with your non-Windows control. Copy anything you need off, then reformat with Windows. Or Ubuntu if you like it! :P

The Ender

...As a related aside, as much of a pain in the ass it is for Ubuntu to constantly prompt you for passwords to do anything, this is why.


Shame that most software isn't ported to Linux.


EDIT: Also, to be fair to your mom Jeffe, ViewPlay is a sneaky sonofabitch. You only need to accidentally click on a banner or visit an ad running page that's been infected with a malicious ad to get it on your system.

Lots of people with plenty of computer knowledge have been hosed by ViewPlay.

ElJeffe

Don't feel too bad for my mom. Her justification for letting ViewPlay install stuff on her system was "I knew it was probably bad, but it just kept popping up so I gave in."

Anyway, thanks for the tips guys. I'll break the news to her.

mastman

you can give it a fight at least.

boot into safemode
disable it from booting via msconfig
delete it's .exe files
- or -
if it keeps saying you can't delete it cause it's running (your msconfig changes didn't help)
close it via taskbar then quickly rename it's .exe files
then now (or next reboot) you can delete them

but yeah, like they said some are irreparable, but some can be killed with some effort.

Creagan

If you need to shut down the program, you may be able to go into the Task Manager, click on "processes" and then end the process of the offending program without actually shutting down your computer.

Also, I second the Malwarebytes recommendation. That's how I got the crapload of malware & spyware off my Mom and younger sister's computers. My sister incorrectly followed my brother's instructions to "uninstall Norton anti-virus and install free anti-virus software," leaving her computer vulnerable. My mom clicked on basically every single "your computer has viruses! download this program which obviously isn't malicious software to get rid of them!" add.

JaysonFour

Maybe you ought to toss in some kind of ad-blocking software on there after you reformat, too- like a browser add-on?

Can't click on what doesn't come up... Ad-Block Plus on Firefox seems to block most everything I run into.

Psychotic One

Google seemed to return this

http://www.fixyourbrowser.com/removal-instructions/remove-viewplay-adware-virus/

Might help in your situation before going scorched earth on the installation.

Tofystedeth

If you're getting access denied trying to remove a file while an administrator, there's a couple things I'd try. First, is try taking ownership of the file. If you right click on the file/directory and go to properties -> security tab -> advanced -> owner tab you can change the owner of the files to your current account which is sometimes sufficient. Normally that's just a problem if it's say a file on a hard drive from another computer that you just popped in.

The other thing you can try is to use the SysInternals tool movefile which schedules file deletions for the next reboot so it deletes it before it can be opened and locked.

breton-brawler

So I recently ran into some malware trouble, and went to a forum called malwareremoval.com ... so far so good, seemed very helpful and legit, it takes some time, but at least I can try to fix it without a complete re-format. Although if there is no real data that you need to have, I think the re-format is the quickest and easiest way (not really an option for me as I'm away from home for an extended period and no access to system disks, a re-format for me would involve a new OS, and possibly a new HD)

Greggy88

Is there a reason why you wouldn't just buy her a Mac?

ceres

Greggy88 wrote: »

Is there a reason why you wouldn't just buy her a Mac?

This is not really relevant to the question. He is not asking what computer to buy, he is asking how to fix a problem with the one available.

PedroAsani

Greggy88 wrote: »

Is there a reason why you wouldn't just buy her a Mac?

Because Macs get viruses too. This isn't 1986, when they were limited to those who wield coloured pencils. An OSX virus is now worth creating, particularly when so many Mac users don't run AV "because Macs don't get viruses". As someone who had to disinfect a whole editing suite of them, yes. Yes they do.

OP, just format the drive and reinstall. If you want to, you can swap out the hard drive for a fresh one, then once it has an up to date AV scanner attach the other hard drive and retrieve any important files.

Unknown

This content has been removed.

Greggy88

ceres wrote: »

Greggy88 wrote: »

Is there a reason why you wouldn't just buy her a Mac?

This is not really relevant to the question. He is not asking what computer to buy, he is asking how to fix a problem with the one available.

Sure - but the long term solution is to get a computer that doesn't have the same issues with drive-by infections and viruses. Answering the question of 'how do I remove this particular PC virus?' will simply result in the same issue some weeks down the line. The solution to the problem is to give his parents a machine that is easier to secure.

- Pedro - actually, Macs don't get viruses - I think what you may mean is that it is possible to get infected with malware - while that's true - it is MUCH more difficult on a Mac - you actually have to manually install it with your admin password. With parents the solution is just to tell them only to use the app store to install anything unless you do it for them, or even don't give them the admin password - then you're done - there's nothing in the wild that will infect a Mac without the user entering the admin password.

Hevach

I hate seeing people say, "Just reformat, it's easier." Reformatting is almost always overkill, my shop has done nearly a thousand malware removals this year, we've had one reformat (which I'm not convinced was necessary but was by request) and only two warranty repeats (both of which were new infections but we generally cover it anyway). Several sites, like enigmasoftware.com, have some very nice in depth file and registry key lists for more stubborn examples. Viewplay isn't too bad, I've been seeing it a lot since around December.

A lot of elements of a piece of malware are inert when you get important parts - they can get everywhere, and ideally you remove them everywhere, but it's not always necessary, registry keys that aren't actually being used by anything are just database clutter.

Reboot in safe mode with networking - this way you won't be fighting a live program as you describe in the OP, you'll be murdering a sleeping victim. First, run internet explorer with addons disabled, and in manage addons, find Viewplay, right click>more information, and save the ClassID someplace. You can disable viewplay here if it'll let you, but it probably won't help and after the rest you won't need to.

First, the automated stuff: Run TDSSkiller (in settings, enable "Detect TDLFS file system" - see spoiler), Hijackthis and delete its BHOs (don't blindly "fix" everything hijackthis throws at you, the bulk of stuff there is for informational purposes), then malwarebytes and spybot S&D (I do recommend running both as overkill).

TDLFS file system isn't related to Viewplay, but it's a good smoking gun for the really big bads. If it's present but nothing else is, you'll only get a warning. In this case, it's not a problem, the system itself isn't a virus but a trick some use to hide themselves. Having it or not having it doesn't make it any easier or harder for a new one to use it. If it's there, they'll use it, but if it's not, they'll just make it again.

From there, check file locations and registry settings via:
http://www.enigmasoftware.com/adwareviewplay-removal/
Start by nuking the Viewplay folders in C:\Program Files and/or C:\Program Files(x86), and any under c:\Users\(user names)\AppData (they can be quite buried in the various hidden folders). In safe mode you should be able to do this without issue. When you get to the registry settings, substitute the classID you saved earlier for the {6336AAF8-3481-495B-BB79-70DEB1F1590D} you see repeated several times.
Lastly, disable any related entries in services.msc and msconfig.

If that all looks clear, reboot back to normal. Check the Task Scheduler for some final residuals, and rerun scans. All said and done, create a new restore point - existing ones during the infection are suspect.

ElJeffe

Greggy88 wrote: »

ceres wrote: »

Greggy88 wrote: »

Is there a reason why you wouldn't just buy her a Mac?

This is not really relevant to the question. He is not asking what computer to buy, he is asking how to fix a problem with the one available.

Sure - but the long term solution is to get a computer that doesn't have the same issues with drive-by infections and viruses. Answering the question of 'how do I remove this particular PC virus?' will simply result in the same issue some weeks down the line. The solution to the problem is to give his parents a machine that is easier to secure.

- Pedro - actually, Macs don't get viruses - I think what you may mean is that it is possible to get infected with malware - while that's true - it is MUCH more difficult on a Mac - you actually have to manually install it with your admin password. With parents the solution is just to tell them only to use the app store to install anything unless you do it for them, or even don't give them the admin password - then you're done - there's nothing in the wild that will infect a Mac without the user entering the admin password.

My mom could find a way to get a virus on her goddamn coffee machine. I'm sure she could wreak havoc on a Mac.

Anyway, thanks for the tips, guys. I tried several of the solutions presented, but ultimately I said fuck it and did a clean install. It might take a little bit more effort in the end, but everything past getting the actual fresh install of Vista and updating a few drivers is her problem. At this point, I don't feel too bad about her doing a little unnecessary work.

Greggy88

Greggy88 was warned for this.

Is there a reason why you wouldn't just buy her a Mac?

My mom could find a way to get a virus on her goddamn coffee machine. I'm sure she could wreak havoc on a Mac.

Don't bet on it - seriously, as the person who does technical assistance for the extended family I support Macs, PCs and iPads of various relatives on an informal basis. I just never get calls from the ones on Macs like I do with PCs, and its always the same "I clicked on this banner ad and now my computer is acting up" rubbish. Macs are MUCH more secure out of the box, and for the worst offenders there are the parental controls which can be used to limit what can be installed or changed. Good luck!