Monday, August 18, 2014

Optimizer Pro Virus Removal; iStart123 Virus Removal

How to: Remove Optimizer Pro; iStart123 Virus Removal

This article has been replaced.  See this improved Keyliner article:
Virus Cleanup Steps

> Historical

My daughter arrived at a website and got a popup, "A new version of Firefox is available.  Update now?".  She clicked yes and got two viruses - Optimizer Pro and iStart123.  If she were running IE or Chrome, the message would change to match that browser.  

Additionally, I suspect, but did not research or prove, that a new Video Plugin was also installed, known as "New Video Player", "Video Player", or "VPlay".  This is also a virus.

As I had warned her in the past, if you arrive at a website and an unexpected message appears, no matter how legitimate, immediately close your browser; do not click Yes or No or even "X". As soon as she clicked Yes/Install, she knew it was a mistake, but the damage was done.

This article discusses how to remove these two viruses.  The same steps are used for both, with a minor difference for iStart123.  You will find the steps tedious, with some redundancy, but this brings the best results.

1. Pre-Download files.
On a non-infected computer, download the following programs and burn them to a CD (steps on how to burn are not detailed here; if needed, ask a knowledgeable friend to help).

Ideally, burn downloaded files to a CD -- not a pen drive; the media should be read-only, which keeps some viruses from infecting the downloaded software and is a reasonable precaution.  If a second PC is not available, the download may or may not work on the infected machine.  Some viruses are able to block downloads and can replace them with their own infected copies.

A.  Download MalwareBytes: Malwarebytes
Choose the free edition.  Save to the CD.

B.  Download SuperAntiSpyware: superAntiSpyware
Choose the free edition; this is a legitimate program, despite its flaky name.   Save to the CD.

2. Disconnect the infected computer from the Internet.

* Important: Unplug the Cat-5 network cable or press your laptop's function key (or other key) to disable wireless (many viruses calm down when not active on the Internet).

3.  Install and run the MalwareBytes program.

Even though you downloaded the most recent version, there are database updates that should happen and the program will complain that it can't update (because you disconnected the workstation from the Internet).  This is OK.  Continue with a full system scan.

The scan will take an hour or more, depending on your data and disk.
Allow MalwareBytes to clean up anything it finds.  It will do a good job, but will miss some of the OptimizerPro on the first pass. 

4.  After the scan and cleanup, Reboot. 
If prompted to reboot (you likely will be asked), reboot, but leave the machine *off* the Internet.

5.  Open the Control Panel, "Programs and Features" (Add Remove Programs) and uninstall MalwareBytes (it conflicts with the next step). 

Reboot if prompted. 
Again, stay off the Internet.

6.  Install and launch SuperAntiSpyWare.
I always like to run multiple virus scans, from different (trusted) vendors.  Often, one company will find something the other does not.  In this case, SuperAntiSpyware (as of 2014.08) will find something missed by MalwareBytes.

It too will complain about not being able to update its database.  Ignore and run a full-scan.

When done, at least on my machine, it will find a few additional vestiges of OptimizerPro (and it may find other viruses that were missed by MalwareBytes). 

Allow it to clean all that it finds.

7.  Uninstall SuperAntiSpyWare.

8.  Enable your wireless or Internet connection.  Do not launch any browser sessions.

9.  Re-Install MalwareBytes.

This time, allow it to update its database/signatures. 
Do yet another Full-System Scan.  Yes, I know this is somewhat redundant and I did this out of an abundance of caution.  The previous steps likely killed the virus, but the newest database update may catch more of this (or other) viruses.

10.  After this final scan, I recommend un-installing MalwareBytes for a second time.

(I tend to use this program as a utility and have not allowed it to remain installed).  You should not leave this program and your other, normal anti-virus installed at the same time.  See the closing notes, below.

11.  If your browser's home page was hijacked to "iStart123" (see second illustration, "Quick Start", at the top of this article), continue with these next steps. 

If your browser was not hijacked, you are done and the Optimizer Pro virus should be removed -- Malwarebytes saves the day.

iStart123 Additional Steps

MalwareBytes and SuperAntiSpyware cleaned up the OptimizerPro and the iStart123 virus, but neither program completely cleaned the iStart123 hijack.  Follow these additional steps:

A.  On your Windows 7 or Windows 8 Desktop, locate all browser icons (if you have IE, Firefox, or Chrome, all three icons will be damaged).

B.  For each desktop *or* taskbar icon, "other-mouse-click" the icon and choose "Properties".  Note the end of the Target field.  After the ("... .exe") name and closing quote, if you find a bunch of "crap" (numbers, letters, punctuation, etc.), this is the hijack: the browser is launched with that appended text as a command-line argument, which is what forces the hijacked start page.

Remove the appendages, removing all text after the .exe's closing quote.
You will have to do this on every Start Menu, Task Bar, and desktop icon that launches the browser(s).

In Windows 8, some of these icons are hidden (such as on the Start Page).  From a Tile, select "Open File Location".  Then, within that folder, "other-mouse-click" the shortcut and select Properties, cleaning up from there.  Exact steps are not detailed in this article, but these are standard Windows icons and tiles.

C.  Alternately you can do the following -- and in many respects, this is easier than editing each icon.  Fix one icon for each type of program (IE, Firefox, Chrome), as described above (usually on the standard desktop).

D.  Then, fearlessly delete (unpin from Start Menu, Unpin from the Tile Menu) all other browser icons, leaving the one repaired icon.  Then, from the Repaired icon, "other-mouse-click" and choose "Pin to Start" and "Pin to TaskBar" -- rebuilding the icons.

This completes the cleanup for iStart123.
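As an added example (not part of the Keyliner article), the following PowerShell script audits the standard Desktop, Start Menu and pinned-taskbar shortcut folders for browser shortcuts that carry appended arguments, the symptom described in step B, and strips them when run with -Fix. It assumes Windows 7/8, that a clean browser shortcut has an empty Arguments field, and that the folder paths listed are the standard ones.

```powershell
# Added example, not from the Keyliner article: find browser shortcuts whose
# Target has extra text appended after the .exe (the iStart123 symptom) and,
# with -Fix, clear that text. Assumes Windows 7/8 standard shortcut folders.
param([switch]$Fix)

$browsers = 'iexplore.exe', 'firefox.exe', 'chrome.exe'
$folders = @(
    "$env:USERPROFILE\Desktop",
    "$env:PUBLIC\Desktop",
    "$env:APPDATA\Microsoft\Windows\Start Menu",
    "$env:ProgramData\Microsoft\Windows\Start Menu",
    # Quick Launch also holds "User Pinned\TaskBar" and "User Pinned\StartMenu"
    "$env:APPDATA\Microsoft\Internet Explorer\Quick Launch"
)

$shell = New-Object -ComObject WScript.Shell

foreach ($lnk in Get-ChildItem -Path $folders -Filter *.lnk -Recurse -ErrorAction SilentlyContinue) {
    # CreateShortcut on an existing .lnk loads its TargetPath and Arguments
    $sc  = $shell.CreateShortcut($lnk.FullName)
    $exe = [System.IO.Path]::GetFileName($sc.TargetPath).ToLower()
    if ($browsers -notcontains $exe) { continue }

    # Text after the .exe's closing quote in the Target field lands in Arguments;
    # a clean browser shortcut normally has none.
    if ([string]::IsNullOrWhiteSpace($sc.Arguments)) {
        Write-Output "OK      $($lnk.FullName)"
        continue
    }

    Write-Output "HIJACK  $($lnk.FullName)"
    Write-Output "        target:    $($sc.TargetPath)"
    Write-Output "        arguments: $($sc.Arguments)"

    if ($Fix) {
        # Same repair as deleting everything after the closing quote by hand
        $sc.Arguments = ''
        $sc.Save()
        Write-Output "        repaired"
    }
}
```

Run it once without -Fix and review the reported arguments before repairing, since a deliberately customised shortcut (a kiosk profile, for instance) would be flagged too.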

Additional Comments:

My daughter was running MSE (Microsoft Security Essentials - the free virus scanner for Windows).  It clearly failed to detect this virus -- but on the other hand, she did click "Yes" at the UAC approval prompt, allowing the virus to install -- giving it full, administrative access to the computer.

Not recorded in the steps above: a full MSE scan after the infection failed to detect either of these viruses.  This saddens me.

Once again, MalwareBytes deserves credit for fixing the computer.  And even if you do not leave the program installed, they deserve a donation for a fine product.

Your comments are welcome.
