Last night my laptop at home got infected with a trojan calling itself “Memory Optimizer”. Somehow it got past Avast, and I remember seeing a Java 6 splash screen appear after visiting a web site and thinking that was odd, and then things started to get a bit weird.
All of a sudden I started getting popups saying Windows couldn’t find the hard disk, RAM was critically low, files were getting corrupted and a reboot was required. In fact it rebooted automatically and then this thing called “Memory Optimizer” presented itself as a kind of “scan/fix your PC utility”, but it wouldn’t actually fix anything unless I bought an advanced version. According to Google it actually seems to be known by various different names, but the screen looks the same:
It took me to a web site asking for my credit card details that covered the whole window; there were no forward and back buttons and I couldn’t close it.
I was immediately suspicious because I never installed this utility in the first place, then I figured it must have installed itself when the Java screen appeared earlier. Just to make sure, I rebooted Windows into recovery mode and ran a full chkdsk /r on my Windows partition – it took a while but no problems were found, so I knew the messages I was getting were bogus.
Now I had to figure out how to get rid of it. Fortunately Google provided the answer, although none of the blogs I found were complete. These steps are a good start though:
Delete Memory Optimizer files:
%Programs%\Memory Optimizer\Memory Optimizer.lnk
%Programs%\Memory Optimizer\Uninstall Memory Optimizer.lnk
Delete Memory Optimizer registry entries:
After doing this, and rebooting, the damn thing still came back to haunt me. It re-instated the shortcut links on the Start menu and desktop, and looking at the destination of the shortcut it was pointing to a random .exe file name in C:\ProgramData (not Program Files!). I couldn’t delete it because it was actually running, so I killed it in Task Manager, deleted all files in C:\ProgramData that had the same file creation/modification date as the random file name, and deleted everything in %TEMP%. Curiously there was nothing in the registry or startup menu, so I’m not sure how it managed to start itself. Anyway, after rebooting again it’s finally gone.
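The manual clean-up described above (follow the shortcut to the real executable, find the files dropped alongside it, kill the running process, then check where it could restart from) can be done in a repeatable way from an elevated PowerShell prompt. The script below is an added example and is not from the original post: the shortcut name, the 5-minute creation-time window and the list of autorun locations it inspects are my assumptions, and it only reports by default so the file list can be reviewed before anything is deleted.

```powershell
# Added example (not the original post's procedure): locate a rogue "system utility"
# via its Start Menu/desktop shortcut, list files created alongside it, show running
# instances and common autorun locations, and optionally kill/delete it.
# Run from an elevated PowerShell. Report-only unless -Remove is given.
param(
    [string]$ShortcutName = 'Memory Optimizer.lnk',   # assumed; matches the post's shortcut
    [int]$WindowMinutes   = 5,                        # assumed "dropped at the same time" tolerance
    [switch]$Remove                                   # actually kill/delete instead of reporting
)

# 1. Resolve the shortcut target. The post saw it pointing at a random .exe in C:\ProgramData.
$shell = New-Object -ComObject WScript.Shell
$lnk = Get-ChildItem -Path "$env:ProgramData\Microsoft\Windows\Start Menu\Programs",
                           "$env:APPDATA\Microsoft\Windows\Start Menu\Programs",
                           "$env:USERPROFILE\Desktop" `
                     -Filter $ShortcutName -Recurse -ErrorAction SilentlyContinue |
       Select-Object -First 1
if (-not $lnk) { Write-Warning "Shortcut '$ShortcutName' not found"; return }
$target = $shell.CreateShortcut($lnk.FullName).TargetPath
Write-Host "Shortcut $($lnk.FullName)`n  -> $target"
if (-not (Test-Path -LiteralPath $target)) { Write-Warning "Target no longer exists"; return }
$exe = Get-Item -LiteralPath $target

# 2. Files in the same directory created within the window (the post's heuristic).
#    Review this list: legitimate files installed at the same time would also match.
$siblings = Get-ChildItem -LiteralPath $exe.DirectoryName -File -Force |
    Where-Object { [math]::Abs(($_.CreationTime - $exe.CreationTime).TotalMinutes) -le $WindowMinutes }
Write-Host "`nFiles created within $WindowMinutes min of $($exe.Name):"
$siblings | Select-Object FullName, CreationTime, Length | Format-Table -AutoSize

# 3. Running instances, matched on full image path rather than on the (random) name.
$procs = Get-CimInstance Win32_Process | Where-Object { $_.ExecutablePath -eq $exe.FullName }
Write-Host "Running instances:"
$procs | Select-Object ProcessId, Name, CommandLine | Format-Table -AutoSize

# 4. Autorun locations that a quick look at msconfig/the Startup folder can miss.
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'   # Shell / Userinit values
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    (Get-ItemProperty -Path $key).PSObject.Properties |
        Where-Object { $_.Value -is [string] -and $_.Value -like "*$($exe.Name)*" } |
        ForEach-Object { Write-Host "Autorun reference: $key\$($_.Name) = $($_.Value)" }
}
if (Get-Command Get-ScheduledTask -ErrorAction SilentlyContinue) {
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        $task.Actions | Where-Object { $_.Execute -like "*$($exe.Name)*" } |
            ForEach-Object { Write-Host "Scheduled task: $($task.TaskPath)$($task.TaskName) -> $($_.Execute)" }
    }
}

# 5. Only act when explicitly asked, and only after the listing above has been checked.
if ($Remove) {
    $procs | ForEach-Object { Stop-Process -Id $_.ProcessId -Force }
    Start-Sleep -Seconds 1                                  # let the handles close before deleting
    $siblings | Remove-Item -Force -Verbose
    Remove-Item -LiteralPath $lnk.FullName -Force -Verbose
    Get-ChildItem -LiteralPath $env:TEMP -Recurse -Force -ErrorAction SilentlyContinue |
        Remove-Item -Recurse -Force -ErrorAction SilentlyContinue
}
```

Run it once without `-Remove` to see the shortcut target, the files that share its creation time and any Run/RunOnce, Winlogon or scheduled-task entries that point at it; if the listing looks right, run it again with `-Remove` and reboot. Matching on the executable's full path rather than its name is deliberate, since this family renames its binary on each install.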