
How can I get rid of "PC Fix Speed", a particularly nasty PC malware infection.


SantaMufasa

Technical User
Jul 17, 2003
12,588
US
Saturday, my wife was using one of our PCs. During her session, she said that a window popped up that said the PC needed a Java update. She hit the [OK] button [Yikes!!!]

What got installed is a piece of **** malware named "PC Fix Speed". According to Google searches, the results seem to suggest that trying to remove "PC Fix Speed" manually is messy. They also generally say that I can download an automatic uninstall of "PC Fix Speed" if I click a link...(Yeah, right !!!)

I've done a full scan with my Microsoft Security Essentials (2.5 million files...took 6 hours). MS-SE says it found one malicious file, which I told MS-SE to remove. Unluckily, the PieceOfC is still there, with icons in both my QuickStart and Icon Tray areas. I get "helpful" pop-ups offering me new additions constantly and my PC is about 50% slower now. When I tried to [Preview] this post from the infected PC, it would not preview, and [Submit Post] was deactivated. (Pretty smart infection if you ask me.)

Any suggestions of how to get rid of this infection?

[santa]Mufasa
(aka Dave of Sandy, Utah, USA)
“People may forget what you say, but they will never forget how you made them feel.
 
Do a system restore to a date a couple of days (or however close you can get) before this happened. It should be gone.

Dave.
 

If the System Restore that DTracy suggested works, then don't forget to blow away all your restore points so that you don't inadvertently "restore" the malware at a later date.

Hope this helps.

Please help us help you. Read Tek-Tips posting policies before posting.
Canadian members check out Tek-Tips in Canada for socializing, networking, and anything non-technical.
 
Yeah, the manual is messy. A combination of msconfig, task manager, and regedit to halt stuff and remove stuff, hopefully without removing anything critical. If you are lucky you won't have one that reloads if you miss one small detail.

Pulling for your restore to work.

Ed Fair
Give the wrong symptoms, get the wrong solutions.
 
Why are we not trying some of the standard removal tools? We'll need to if the S.R. doesn't work. And, if it does work, I would remove all system restore points to flush out any bad stuff, then reboot and start system restore again.

I thought our little wild time had just begun.
 
Thanks to all who contributed. Since I got "cold feet" about doing the removals myself, I took my machine into my in-company tech support who kindly removed the problems from my machine.

Regards,

[santa]Mufasa
(aka Dave of Sandy, Utah, USA)
“People may forget what you say, but they will never forget how you made them feel.
 
How much did it cost you?

I thought our little wild time had just begun.
 
Goombawaho said:
How much did it cost you?

They are good guys...It just cost me a sincere "Thank you."

[santa]Mufasa
(aka Dave of Sandy, Utah, USA)
“People may forget what you say, but they will never forget how you made them feel.
 
A follow up on this:
Yesterday a friend asked me to take a look at his laptop because of some crappy "PC Speed fix" or the like...
Nasty piece this!
Did a system restore to before the installation (or so the restore point would make me believe) - it was still there!
Killed all processes and deactivated all startup entries of that piece of crap so it wouldn't start with the system, restarted & tried to deinstall. No cigar yet. For now it won't start anymore though (good).
Will have another go this evening using MBAM and a few other tools to rid him of this.

After that, I'll try to harden his OS, browser settings and hosts file a little so he won't catch it right away again.

“Knowledge is power. Information is liberating. Education is the premise of progress, in every society, in every family.” (Kofi Annan)
Oppose SOPA, PIPA, ACTA; measures to curb freedom of information under whatever name whatsoever.
 
If you can't get it running, you can do a manual system restore using BartPE.
See my procedure in this thread. It works, unless there is major carnage to the O.S. files.
Link

Then, to fix the malware problem, try combofix AFTER uninstalling the A-V and rebooting. That should root out almost anything. MBAM is to Combofix as a standard hammer is to a 20 lb sledge hammer.

I thought our little wild time had just begun.
 
MakeItSo and goombawaho,

I agree with you that "PC Fix Speed" is a lot more sinister than my tech-support people realized...There are still active artifacts from this piece-of-crap infection spoiling my web-browsing experience. I will show both of your follow-up posts to my tech-support folks on Monday.

Continued thanks for your on-going follow-ups. Once I can confirm that we have killed this Bad Boy, I'll post back with stars for the key posts that contributed to the resolution.

Thanks,

[santa]Mufasa
(aka Dave of Sandy, Utah, USA)
“People may forget what you say, but they will never forget how you made them feel.
 
I have never encountered that specific program/malware, so I can't say how evil it is. Could be that 15 minutes in my hands and it would be gone. It might also beat the pants off me. Like I said though, if Combofix doesn't fix it, then you have a big problem.

So, try MBAM, TDSSKiller, Rogue Killer and then Combofix. Even if you think it's gone, CF will likely find some leftover junk.

I thought our little wild time had just begun.
 
Goombawaho,

Thanks for the advice.

I figured that the best route was to go straight to the "giant killer" right off the bat. I attempted to download "Combofix", but each time I tried to download it from the recommended site (BleepingComputer.com), the download site changed to a completely different domain. For example, the most recent attempt changed from BleepingComputer.com to:


This continuing domain change-up has made my palms very sweaty. The download process looks nothing like the process that the "Combofix" tutorial led me to believe I should expect. (Could this domain jumping be yet another behavior of the "PC Fix Speed" virus?)

What do you recommend now?

Thanks again for your help.



[santa]Mufasa
(aka Dave of Sandy, Utah, USA)
“People may forget what you say, but they will never forget how you made them feel.
 
I can't recall that specific one either, But since Thursday I've done 2 money-paks and an unknown.
I put the money-paks on secondary SATA and let MBAM at them. First was the FBI version and MBAM catching them and MSE deleting them on the fly. Didn't think to disable MSE and once I saw the results just let it continue through the 84 infected files. Second was the Homeland Security version and MSE flagging, then removing, the 3 files. The unknown locked everything up so I did a nuke & pave.

I pull any required files off the net to a memory stick and install from there, figuring that anything downloaded to an infected machine stands a good chance of being infected also.


Ed Fair
Give the wrong symptoms, get the wrong solutions.
 
Great suggestion, Ed. I'll download from an uninfected machine to a thumb drive.

[santa]Mufasa
(aka Dave of Sandy, Utah, USA)
“People may forget what you say, but they will never forget how you made them feel.
 
Sound advice indeed, Ed. It's what I always do.
I always carry my "first-aid kit" on a USB drive with me. Used to have HJT, MBAM, Spybot & CCleaner on it.
But now, ComboFix is a mandatory one for me. It managed to get rid of that PC Fix Speed nicely. Some residual dead links remain in Start menu etc., but they do no damage and are easy to remove.

All that remains now is that darned son of a bee called "Ask toolbar". I'd bet non-vital parts of my anatomy on that having been the startoff-point of it all...
Hell, I'd PAY to see that piece of that crap removed permanently from the web [machinegun]

“Knowledge is power. Information is liberating. Education is the premise of progress, in every society, in every family.” (Kofi Annan)
Oppose SOPA, PIPA, ACTA; measures to curb freedom of information under whatever name whatsoever.
 
You have a DNS redirector malware and that's why you're getting the wrong page. You'll have to download the programs I mentioned on a different computer and transfer via flash drive.

I thought our little wild time had just begun.
 
I've found the "ASK" toolbar to be benign /w/r/t malware but one of a series of toolbars that seriously restrict browsing by reducing page size. Most seem to get installed during software updates where machine owners don't pay attention to what the upgrade is adding to their systems.

When I run across something with 3 or more toolbars I start questioning whether the owner really needs particular ones and suggest that the unused ones be removed.

So far as toolkits, I carry a couple of sticks with stuff ranging from the malware/spy stuff to browser downloaders to service packs to drivers for the systems I see most. Also have most of it burned on CD too. Never know what I'll need when I go out the door.

Ed Fair
Give the wrong symptoms, get the wrong solutions.
 
This is my highly technical solution: [image: PWNWAR_NUKE.jpg]


In other words, back up whatever data you need, wipe and restart from scratch. Though it takes a little time and effort, I usually get it done quicker this way than trying to battle with the bugs.

Then once installed, make sure you have these installed:
1. MBAM - good to have installed before an infection, so they have a harder time stopping it.
2. AV of choice, of course - I use MS Security Essentials, personally, as a general rule. Have used AVG, Avira, Avast (very short time) - I just like the simplicity of MSE
3. 3rd Party Firewall - I prefer Online Armor and Comodo (free versions) - I've used both, each has pros and cons over the other, but they generally work very well.
4. I use Google Chrome and Firefox most of the time for web browsing, with these addons/plugins/extensions: AdBlockPlus (or AdBlock on Chrome), NoScripts(Firefox) or ScriptNo(Chrome) - well, if I am remembering the names. If you search, the correct names will come up.

I know that sounds like a lot, but once you get used to it all, it makes for a much more impenetrable PC experience.

Other options to try to prevent infections:
1. Create virtual PC instances within your OS - and only operate from those. So if one is infected, you still have your files, but you simply delete the infected one, open a copy of a backup, and move on. This in theory would work well, though I've honestly not even bothered - started to test, but then got busy w/something else.

2. Set up your User Account as a "User level" account in security settings, not Admin - but make sure you have a separate Admin account first. Then whenever you need to make changes other than maybe Windows Update, make sure to change your account back to Admin (or use the Admin account if possible), make your changes, and back to the User account. Since the User account cannot change most system/program files, you are usually safer from infection than an admin-level account.

**side note that probably doesn't need to be mentioned, since you have more than one PC... use a firewalled router between your PC and your modem. Basically, if you pick up any wireless router, it'll have a decent enough firewall. Some will be better than others, but generally speaking, any should work.



"But thanks be to God, which giveth us the victory through our Lord Jesus Christ." 1 Corinthians 15:57
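A read-only triage script covering the items raised across this thread: the startup entries Ed Fair and MakeItSo went through by hand, the standard-user-not-admin recommendation above, the hosts file MakeItSo wanted to harden, and the DNS redirection goombawaho diagnosed. This is an added example, not code posted by anyone in the thread; it assumes Windows PowerShell on a Vista/7-era machine with WMI available, and it only reports so you can compare against what msconfig shows and what your ISP's DNS servers should be.

```powershell
# Added example (not from the thread). Read-only: reports, never removes.

# 1. Least privilege: is this session carrying an admin token? The post above
#    recommends daily use from a standard account, so this should print False.
$id        = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($id)
$isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
"Running as: $($id.Name)  (admin token: $isAdmin)"

# 2. Autostart entries (the same Run/RunOnce keys msconfig lists). Anything
#    pointing into a user profile or temp folder deserves a second look.
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    (Get-ItemProperty -Path $key).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |   # drop PSPath/PSParentPath etc.
        ForEach-Object { "autostart [$key] $($_.Name) = $($_.Value)" }
}

# 3. hosts file: a legitimate hosts file maps names to loopback only.
#    Any other address (e.g. a download site sent somewhere else) is flagged.
$hostsPath = "$env:SystemRoot\System32\drivers\etc\hosts"
Get-Content $hostsPath | ForEach-Object {
    $line = ($_ -split '#')[0].Trim()        # strip comments
    if ($line -eq '') { return }             # 'return' = next line here
    $parts = $line -split '\s+'
    if ($parts.Count -lt 2) { return }
    $ip = $parts[0]
    if (@('127.0.0.1', '::1') -notcontains $ip) {
        "hosts: $($parts[1..($parts.Count - 1)] -join ' ') -> $ip  (non-loopback, verify)"
    }
}

# 4. DNS servers on every IP-enabled adapter. A DNS redirector typically shows
#    up here as a server address you did not configure; compare with the router.
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    ForEach-Object { "DNS on $($_.Description): $($_.DNSServerSearchOrder -join ', ')" }
```

Run it from the uninfected machine's perspective first to learn what normal output looks like, then on the suspect PC; the differences are the leads worth handing to tech support.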
 