Cannot get rid of Maleware

[jyeh74]

Help! I keep getting malware and even after I uninstall it from "UNINSTALL a PROGRAM" under the Control Panel, random programs keep coming back after I restart my Win7 computer. These annoying popup adds won't go away!!!!! It's like they come back under a different name.

I also use the following programs, run full scan and remove but it keeps randomly coming back with different program names.
I use these: CCleaner, Malwarebytes AntiMalware, SUPERAntispyware, AdwCleaner and Hitman Pro.

I just went to Uninstall a program and I see installed on 6/27 (I didn't install these and have no recollection of it being installed)

1) MaxComputerCleaner Maintenance
2) Microsoft Visual C++ 2013 Redistributable (x86)
3) Solid YouTube Downloader and Converter 6.2.0.1
4) NinjaLoader
5) KNCTR
6) Infonaut 1.10.0.14

I also go to Tools --> Extensions --> in my Chrome and Firefox browser to delete anything that looks funky, but its not getting rid of everything completely. Am I missing something?
Help!

[Bjs]

The root cause is Infonaut

Infonaut removal guide

[jyeh74]

I even did a MSCONFIG and go to "startup" tab. I disabled this funky item called itibiti.exe. It was the KNCTR that I removed from the control panel. It says the location C:Program Files (x86)/Itibiti Soft Phone/itibit.exe

However, when I go to that folder on my C drive, I cannot even find it. I deleted it from the Uninstall Program in the Control Panel, but why is it showing up in the "Startup" tab in MSCONFIG?

I am guessing this is the malware that is causing it to install all these other strange programs like NinjaLoader and MAxComputerCleaner Maintenance and Infonaut 1.10.0.14

[jyeh74]

The root cause is Infonaut

Infonaut removal guide

I ran Rkill and it couldn't find any malware service to stop or malware processes to kill.
I already ran Malwarebytes 2.1.6.1022 (trial version) also.

[roma_turok]

Malwarebytes is not antivirus
Try run NOD32 online scan http://download.eset.com/special/eos/esetsmartinstaller_enu.exe

[jyeh74]

Isn't Infonaut a malware, not a virus? I ran Microsoft Security Essential and nothing is found.

[roma_turok]

Antivirus can find malware also
Not all antiviruses equal on finding

[hech54]

Dont forget HiJackThis:
http://download.cnet.com/Trend-Micro-HijackThis/3000-8022_4-10227353.html

and hijackthis.de (analyzer)

[Cauptain]

For Windows 7 x86 or X64, just run COMBOFIX.

Link: http://www.bleepingcomputer.com/download/combofix/


1 - Restart in safe mode/security mode (F8 at power button to select this before start Windows)

2 - Disable any antivirus.

3 - Run it and enjoy.

Sometimes, run twice.



Claudio

[newpball]

My general suggestion is that if a system is infected or compromised to restore a system(image) backup.

[jyeh74]

Thanks all.

I already ran all these programs. I don't understand why itibiti.exe (KNCTR) is still found under my "startup" tab under Msconfig? Why is it still there?
I unchecked it. But why does it still show up?

[Krispy Kritter]

Run MalwareBytes (or your favorite malware tool) from Safe Mode.


It could still be listed in the Registry even if it's uninstalled. Just because you see it listed in MSConfig does not mean it's still present and/or running. Manually remove it from the registry.

[roma_turok]

Why is it still there?
I unchecked it. But why does it still show up?

Some times when you accidentally disable important startup program
and you want start run again
So on Msconfig use fail safe, its disable program from running
but not remove from the list

In others programs you have option to remove from list:

[Cauptain]

If use CCLEANER (any version), try this:






Claudio

[aedipuss]

"disable" only leaves them set to not run. "delete" would remove them from the start up list.

[Bjs]

The problem tends to be two side.

1: Removal by any means to succeed ... 50/50

2: Removal by adhering to a set of rules and applications in a particular order to succeed

Your in 2 ... Where some applications will fail to detect due to other scanners removing key elements already.

---------------------------------------

Hopefully you kept logs and notes to identify problematic files.

Anyone who tell's you to turn of your av shield should be avoided

If the av product has be compromised then do not waste time ... backup files and either reload a system backup image or reinstall the os again.

----------------------------------------

1: Enter safe mode
2: Head to users account folder in windows explorer
3: Enable hidden files and folders to display
4: Head into users application data folder
5: Check for remnants here of the offend application by folder / file name and remove them
6: Clear out all temp folder ... temporary internet files, etc.
7: Repeat this search under "program files" and remove folders and contents of these folders if found
8: Clean out windows/temp and windows/precache (only a few files should remain in temp as these are being currently used by the system)

9: Run regedit and search for remnants and delete them

This guide includes info on where startup items are found in registry and under startup programs group

10: Suggest you now make a system backup image pre disabling system restore

Reboot ... if no more popups etc then success

If not then

1: Restore system image, or
2: Backup user files and perform clean os reinstall

---------------------

Combofix should only be used under guidance ... not for the inexperienced.

[sophisticles]

At this point I would just do a clean install.

[Cauptain]

At this point I would just do a clean install.

Once again, try COMBOFIX. Its a 3 clicks only.




Claudio

[fritzi93]

My general suggestion is that if a system is infected or compromised to restore a system(image) backup.

Yeah. But something tells me the OP has neglected to provide himself with that option.

The first time you get a really screwed system, man you'll be glad you made a system image. Better than fighting to clean it up and maybe having to do a clean install anyway. Even if you only image once, after install, updates and program install/configuration.

[jyeh74]

My general suggestion is that if a system is infected or compromised to restore a system(image) backup.

Yeah. But something tells me the OP has neglected to provide himself with that option.

The first time you get a really screwed system, man you'll be glad you made a system image. Better than fighting to clean it up and maybe having to do a clean install anyway. Even if you only image once, after install, updates and program install/configuration.

Not the most system savvy person so not sure how to backup everything and do an image and completely reinstall everything. If can clean out, then its easier. I haven't run the Malwarebytes in safe mode, only in normal mode.

[fritzi93]

Well, I hope you're able to fix it. Follow the suggestions already given

Once you've squared things away, either by killing the malware or a clean install, think seriously about making a backup image.

It doesn't help you at this moment, but imaging your OS drive is very easy.
Get the free version of Acronis available from Seagate or WD.
All you need is a drive in or attached to your computer from one of those two makers and the matching version of Acronis.
And of course a separate drive from the OS with enough space for the image. From within Acronis, you make a rescue CD to boot from.
Imaging takes a few clicks and then 10 minutes or so, depending. Restore takes about the same time.

Good luck.

[WazaKrash]

Strange, normally MalwaresBytes or Adwcleaner should help you to eradicate all malwares

To uninstall completely something and be sure that no component doesn't stay on your computer, you can use Revo Uninstaller.

[jyeh74]

Revo could not find it.

Arg....this spyware cannot be removed. It keeps coming back after I delete extensions and reset settings and run all these programs in safe mode.
I can't even find it in control panel -> uninstall programs. It's hiding!

[roma_turok]

Run HiJackThis
click on Scan
after Scan click on Save log
attach log file to you next replay
I will try to see, what keep virus running

[lovingit]

Run HiJackThis
click on Scan
after Scan click on Save log
attach log file to you next replay
I will try to see, what keep virus running

Roma, here you go.

[roma_turok]

Can you attach HOST file by
In HiJackThis click on Main menu -> Open misc tools -> Open host file manager -> Open in Notepad
save the file by Save as...

[lovingit]

This one? Doesn't seem to say anything.

[roma_turok]

This one? Doesn't seem to say anything.

Yes its nothing right now
but sometimes virus using HOST file to download

[roma_turok]

What is on line 20?
O20 - AppInit_DLLs: c:\progra~3\{a2af4~1\1173~1.1\siso.dll

[lovingit]

What is on line 20?
O20 - AppInit_DLLs: c:\progra~3\{a2af4~1\1173~1.1\siso.dll

Hmm, I have no idea what that is. I tried a search for "AppInit" but nothing shows up.