
Manually removing a malware program

ElJeffe, Moderator, ClubPA mod
So my mom decided to install a bunch of malware on her computer because she fails at the internet. I am trying to eliminate it.

The source of it all, apparently, is a program called ViewPlay. Uninstalling it using Uninstall Programs didn't work, because of course it didn't (it just hangs in perpetuity and won't allow you to try uninstalling anything else until you reboot, as best I can tell). I located the program files, and tried manually deleting them. Some could be removed, but several of them said I didn't have permission to do that. (I'm using an administrator account, btw.)

So okay, go in there and change the permissions to grant myself full access, right? Except even when I ostensibly grant myself all permissions, it still says I don't have permission. I thought maybe it was a "program is currently running" sort of thing, so I tried manually ending the process from the task manager and then trying to delete the file I've isolated as the culprit in the few seconds before it starts running again. (It's one of those things where one file is spawning other files, and the one that's spawning all the others is the one that's resisting deletion.) Anyway, that doesn't work either. I also tried removing the system's permissions from the file, wondering if maybe that would keep it from running itself, but that didn't work, either.

I'm not exactly a computer guru, so I'm hesitant to go too much deeper without understanding what I'm doing, lest I break something I can't unbreak. So how can I get rid of this fucking thing?

I submitted an entry to Lego Ideas, and if 10,000 people support me, it'll be turned into an actual Lego set! If you'd like to see and support my submission, follow this link.

Posts

  • The Ender, Registered User regular
    Modern malware - if it's half decent at what it does - gets everywhere. Your registry, your user profile, various subfolders within Windows, etc.

    Even the best malware removal software usually can't get it all.


    To be rid of it, you'll have to format the drive. Are your mother's essential files backed-up, by chance?

    With Love and Courage
  • Dark Raven X (Laugh hard, run fast, be kind), Registered User regular
    Your best bet is to reformat, as much as it sucks. Actually thoroughly getting rid of something once it takes root is Tough Times. Tried running MalwareBytes and HitmanPro?

    To save sentimental/important stuff, burn yourself a Ubuntu installation disk (freeware Linux OS which is similar enough to OSX and Windows for anyone to use) and boot the trial; this will let you access the files on the computer without the malware dicking with your non-Windows control. Copy anything you need off, then reformat with Windows. Or Ubuntu if you like it! :P

    Oh brilliant
  • The Ender, Registered User regular
    edited June 2014
    ...As a related aside, as much of a pain in the ass it is for Ubuntu to constantly prompt you for passwords to do anything, this is why.


    Shame that most software isn't ported to Linux. :|


    EDIT: Also, to be fair to your mom Jeffe, ViewPlay is a sneaky sonofabitch. You only need to accidentally click on a banner or visit an ad running page that's been infected with a malicious ad to get it on your system.

    Lots of people with plenty of computer knowledge have been hosed by ViewPlay.

  • ElJeffe, Moderator, ClubPA mod
    Don't feel too bad for my mom. Her justification for letting ViewPlay install stuff on her system was "I knew it was probably bad, but it just kept popping up so I gave in."

    Anyway, thanks for the tips guys. I'll break the news to her.

  • mastman, Registered User regular
    edited June 2014
    you can give it a fight at least.

    boot into safemode
    disable it from booting via msconfig
    delete its .exe files
    - or -
    if it keeps saying you can't delete it cause it's running (your msconfig changes didn't help)
    close it via taskbar then quickly rename its .exe files
    then now (or next reboot) you can delete them

    but yeah, like they said some are irreparable, but some can be killed with some effort.

    B.net: Kusanku
  • Creagan, Registered User regular
    If you need to shut down the program, you may be able to go into the Task Manager, click on "processes" and then end the process of the offending program without actually shutting down your computer.

    Also, I second the Malwarebytes recommendation. That's how I got the crapload of malware & spyware off my Mom and younger sister's computers. My sister incorrectly followed my brother's instructions to "uninstall Norton anti-virus and install free anti-virus software," leaving her computer vulnerable. My mom clicked on basically every single "your computer has viruses! download this program which obviously isn't malicious software to get rid of them!" ad.

  • JaysonFour (Classy Monster Kitteh), Registered User regular
    edited June 2014
    Maybe you ought to toss in some kind of ad-blocking software on there after you reformat, too- like a browser add-on?

    Can't click on what doesn't come up... Ad-Block Plus on Firefox seems to block most everything I run into.

    I can has cheezburger, yes?
  • Psychotic One (The Lord of No Pants, Parts Unknown), Registered User regular
    Google seemed to return this

    http://www.fixyourbrowser.com/removal-instructions/remove-viewplay-adware-virus/

    Might help in your situation before going scorched earth on the installation.

  • Tofystedeth, Registered User regular
    If you're getting access denied trying to remove a file while an administrator, there's a couple of things I'd try. First, try taking ownership of the file. If you right click on the file/directory and go to properties -> security tab -> advanced -> owner tab, you can change the owner of the files to your current account, which is sometimes sufficient. Normally that's just a problem if it's, say, a file on a hard drive from another computer that you just popped in.

    The other thing you can try is to use the SysInternals tool movefile which schedules file deletions for the next reboot so it deletes it before it can be opened and locked.

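Tofystedeth's two suggestions, scripted, as an added example that is not from the thread: take ownership of the file and grant yourself Full Control, retry the delete, and if the file is still locked, schedule it for deletion at the next reboot through the Win32 MoveFileEx call with MOVEFILE_DELAY_UNTIL_REBOOT, which is the call the Sysinternals movefile tool makes. It assumes an elevated PowerShell prompt on the affected machine and that takeown.exe and icacls.exe are present (they ship with Windows); the $Path parameter is mine.

```powershell
# Added example (not from the thread): take ownership, grant Full Control,
# retry the delete, and fall back to a delete-at-reboot request.
# Run from an elevated PowerShell prompt; $Path is the locked file.
param([Parameter(Mandatory = $true)][string]$Path)

if (-not (Test-Path -LiteralPath $Path)) { throw "Not found: $Path" }
$full = (Resolve-Path -LiteralPath $Path).ProviderPath

# Step 1: take ownership (Properties > Security > Advanced > Owner in the GUI)
& takeown.exe /F $full | Out-Null
# Step 2: grant the current account Full Control on the object
& icacls.exe $full /grant "$($env:USERNAME):F" | Out-Null

# Step 3: try the delete now; a file that is open and locked will still fail
try {
    Remove-Item -LiteralPath $full -Force -ErrorAction Stop
    Write-Output "Deleted: $full"
    return
} catch {
    Write-Output "Still cannot delete now ($($_.Exception.Message)); scheduling for reboot."
}

# Step 4: ask the kernel to delete it during the next boot, before anything can open it.
# MoveFileEx with a null destination and MOVEFILE_DELAY_UNTIL_REBOOT (4) is what movefile.exe does.
if (-not ('Win32.Native' -as [type])) {
    Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool MoveFileEx(string lpExistingFileName, string lpNewFileName, int dwFlags);
'@
}
$MOVEFILE_DELAY_UNTIL_REBOOT = 4
if ([Win32.Native]::MoveFileEx($full, $null, $MOVEFILE_DELAY_UNTIL_REBOOT)) {
    Write-Output "Scheduled for deletion at next reboot: $full"
} else {
    $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
    throw "MoveFileEx failed with Win32 error $err (is the prompt elevated?)"
}
```

The reboot request is recorded under the PendingFileRenameOperations value that Session Manager processes at boot, so it only takes effect after a restart.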
  • breton-brawler, Registered User regular
    So I recently ran into some malware trouble and went to a forum called malwareremoval.com ... so far so good; it seemed very helpful and legit. It takes some time, but at least I can try to fix it without a complete re-format. Although if there is no real data that you need to have, I think the re-format is the quickest and easiest way (not really an option for me, as I'm away from home for an extended period with no access to system disks; a re-format for me would involve a new OS, and possibly a new HD).

  • Greggy88, Registered User regular
    Is there a reason why you wouldn't just buy her a Mac?

  • ceres (When the last moon is cast over the last star of morning And the future has past without even a last desperate warning), Registered User, Moderator mod
    Greggy88 wrote: »
    Is there a reason why you wouldn't just buy her a Mac?

    This is not really relevant to the question. He is not asking what computer to buy, he is asking how to fix a problem with the one available.

    And it seems like all is dying, and would leave the world to mourn
  • PedroAsani (Brotherhood of the Squirrel [Prime]), Registered User regular
    Greggy88 wrote: »
    Is there a reason why you wouldn't just buy her a Mac?

    Because Macs get viruses too. This isn't 1986, when they were limited to those who wield coloured pencils. An OSX virus is now worth creating, particularly when so many Mac users don't run AV "because Macs don't get viruses". As someone who had to disinfect a whole editing suite of them, yes. Yes they do.

    OP, just format the drive and reinstall. If you want to, you can swap out the hard drive for a fresh one, then once it has an up to date AV scanner attach the other hard drive and retrieve any important files.

  • mcdermott, Registered User regular
    ElJeffe wrote: »
    Don't feel too bad for my mom. Her justification for letting ViewPlay install stuff on her system was "I knew it was probably bad, but it just kept popping up so I gave in."

    Jesus. I'm not sure I'd even help somebody in that case. Not even my mom. I'd not be rude about it, mind you, I'd do the blank stare, head shake, and "I don't know..." and just pretend I have no idea how to fix it. Though I guess that can be hard to get away with.

    I'll second or third the whole "wipe the drive after copying what you can off under Ubuntu or some other OS." Maybe even buy a new drive, just to be sure.

  • Greggy88, Registered User regular
    edited June 2014
    ceres wrote: »
    Greggy88 wrote: »
    Is there a reason why you wouldn't just buy her a Mac?

    This is not really relevant to the question. He is not asking what computer to buy, he is asking how to fix a problem with the one available.
    Sure - but the long term solution is to get a computer that doesn't have the same issues with drive-by infections and viruses. Answering the question of 'how do I remove this particular PC virus?' will simply result in the same issue some weeks down the line. The solution to the problem is to give his parents a machine that is easier to secure.

    - Pedro - actually, Macs don't get viruses - I think what you may mean is that it is possible to get infected with malware - while that's true - it is MUCH more difficult on a Mac - you actually have to manually install it with your admin password. With parents the solution is just to tell them only to use the app store to install anything unless you do it for them, or even don't give them the admin password - then you're done - there's nothing in the wild that will infect a Mac without the user entering the admin password.

  • Hevach, Registered User regular
    edited June 2014
    I hate seeing people say, "Just reformat, it's easier." Reformatting is almost always overkill: my shop has done nearly a thousand malware removals this year; we've had one reformat (which I'm not convinced was necessary, but was by request) and only two warranty repeats (both of which were new infections, but we generally cover it anyway). Several sites, like enigmasoftware.com, have some very nice in-depth file and registry key lists for more stubborn examples. Viewplay isn't too bad; I've been seeing it a lot since around December.

    A lot of elements of a piece of malware are inert when you get the important parts: they can get everywhere, and ideally you remove them everywhere, but it's not always necessary; registry keys that aren't actually being used by anything are just database clutter.

    Reboot in safe mode with networking - this way you won't be fighting a live program as you describe in the OP, you'll be murdering a sleeping victim. First, run internet explorer with addons disabled, and in manage addons, find Viewplay, right click>more information, and save the ClassID someplace. You can disable viewplay here if it'll let you, but it probably won't help and after the rest you won't need to.

    First, the automated stuff: Run TDSSkiller (in settings, enable "Detect TDLFS file system" - see spoiler), Hijackthis and delete its BHOs (don't blindly "fix" everything hijackthis throws at you, the bulk of stuff there is for informational purposes), then malwarebytes and spybot S&D (I do recommend running both as overkill).
    Spoiler: TDLFS file system isn't related to Viewplay, but it's a good smoking gun for the really big bads. If it's present but nothing else is, you'll only get a warning. In this case, it's not a problem; the system itself isn't a virus but a trick some use to hide themselves. Having it or not having it doesn't make it any easier or harder for a new one to use it. If it's there, they'll use it, but if it's not, they'll just make it again.

    From there, check file locations and registry settings via:
    http://www.enigmasoftware.com/adwareviewplay-removal/
    Start by nuking the Viewplay folders in C:\Program Files and/or C:\Program Files(x86), and any under c:\Users\(user names)\AppData (they can be quite buried in the various hidden folders). In safe mode you should be able to do this without issue. When you get to the registry settings, substitute the classID you saved earlier for the {6336AAF8-3481-495B-BB79-70DEB1F1590D} you see repeated several times.
    Lastly, disable any related entries in services.msc and msconfig.

    If that all looks clear, reboot back to normal. Check the Task Scheduler for some final residuals, and rerun scans. All said and done, create a new restore point - existing ones during the infection are suspect.

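Hevach's checklist above, turned into a read-only enumeration script (an added example, not from the thread or from any of the tools it names): given the ClassID saved from Manage Add-ons and a name fragment, it lists the BHO and CLSID registrations, the Run-key autostarts msconfig shows, services, scheduled tasks, and Program Files/AppData folders that match, deleting nothing, so each removal step can be verified before and after. It assumes PowerShell 5 or later in an elevated prompt on the affected machine; the $ClassId and $Name parameters are mine, and the default CLSID is the placeholder value quoted in the post.

```powershell
# Added example (not from the thread): read-only enumeration of the persistence
# locations the post walks through. Run elevated; PowerShell 5+ assumed.
# The default CLSID is the placeholder quoted in the post; pass the one you saved.
param(
    [string]$ClassId = '{6336AAF8-3481-495B-BB79-70DEB1F1590D}',
    [string]$Name    = 'ViewPlay'
)
$findings = @()
# 1. BHO registration (what HijackThis lists as BHOs) and the CLSID's own server DLL
foreach ($hive in 'HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\Wow6432Node') {
    $bho = "$hive\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$ClassId"
    if (Test-Path $bho) { $findings += "BHO registration: $bho" }
}
foreach ($root in 'HKLM:\SOFTWARE\Classes\CLSID', 'HKCU:\SOFTWARE\Classes\CLSID') {
    $srv = "$root\$ClassId\InprocServer32"
    if (Test-Path $srv) { $findings += "CLSID server DLL: " + (Get-ItemProperty $srv).'(default)' }
}
# 2. Run-key autostarts (the entries msconfig shows), matched on name or command line
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
foreach ($k in ($runKeys | Where-Object { Test-Path $_ })) {
    foreach ($p in (Get-ItemProperty $k).PSObject.Properties) {
        if ($p.Name -notlike 'PS*' -and "$($p.Name) $($p.Value)" -match $Name) {
            $findings += "Run entry: $k\$($p.Name) = $($p.Value)"
        }
    }
}
# 3. Services and scheduled tasks (services.msc and Task Scheduler residuals)
foreach ($s in Get-CimInstance Win32_Service) {
    if ($s.Name -match $Name -or $s.PathName -match $Name) { $findings += "Service: $($s.Name) -> $($s.PathName)" }
}
foreach ($t in Get-ScheduledTask) {
    if ($t.TaskName -match $Name -or (@($t.Actions.Execute) -join ' ') -match $Name) {
        $findings += "Scheduled task: $($t.TaskPath)$($t.TaskName)"
    }
}
# 4. Program folders, including the hidden per-user AppData trees
$dirs = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) +
        @(Get-ChildItem 'C:\Users' -Directory | ForEach-Object { Join-Path $_.FullName 'AppData' })
foreach ($d in ($dirs | Where-Object { $_ -and (Test-Path $_) })) {
    foreach ($f in Get-ChildItem $d -Directory -Recurse -Force -Depth 3 -ErrorAction SilentlyContinue) {
        if ($f.Name -match $Name) { $findings += "Folder: $($f.FullName)" }
    }
}
if ($findings) { $findings } else { "No $Name / $ClassId artifacts found in the checked locations." }
```

Running it once in safe mode before the manual cleanup and again after the normal-mode reboot gives a concrete list of what survived, which is the check the "rerun scans" step relies on.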
  • ElJeffe, Moderator, ClubPA mod
    Greggy88 wrote: »
    ceres wrote: »
    Greggy88 wrote: »
    Is there a reason why you wouldn't just buy her a Mac?

    This is not really relevant to the question. He is not asking what computer to buy, he is asking how to fix a problem with the one available.
    Sure - but the long term solution is to get a computer that doesn't have the same issues with drive-by infections and viruses. Answering the question of 'how do I remove this particular PC virus?' will simply result in the same issue some weeks down the line. The solution to the problem is to give his parents a machine that is easier to secure.

    - Pedro - actually, Macs don't get viruses - I think what you may mean is that it is possible to get infected with malware - while that's true - it is MUCH more difficult on a Mac - you actually have to manually install it with your admin password. With parents the solution is just to tell them only to use the app store to install anything unless you do it for them, or even don't give them the admin password - then you're done - there's nothing in the wild that will infect a Mac without the user entering the admin password.

    My mom could find a way to get a virus on her goddamn coffee machine. I'm sure she could wreak havoc on a Mac.

    Anyway, thanks for the tips, guys. I tried several of the solutions presented, but ultimately I said fuck it and did a clean install. It might take a little bit more effort in the end, but everything past getting the actual fresh install of Vista and updating a few drivers is her problem. At this point, I don't feel too bad about her doing a little unnecessary work.

  • Greggy88, Registered User regular
    edited June 2014
    Greggy88 was warned for this.
    Is there a reason why you wouldn't just buy her a Mac?
    My mom could find a way to get a virus on her goddamn coffee machine. I'm sure she could wreak havoc on a Mac.

    Don't bet on it - seriously, as the person who does technical assistance for the extended family, I support Macs, PCs and iPads of various relatives on an informal basis. I just never get calls from the ones on Macs like I do with PCs, and it's always the same "I clicked on this banner ad and now my computer is acting up" rubbish. Macs are MUCH more secure out of the box, and for the worst offenders there are the parental controls, which can be used to limit what can be installed or changed. Good luck!

This discussion has been closed.