How to get rid of "Memory Optimizer" virus

Last night my laptop at home got infected with a trojan calling itself “Memory Optimizer”. Somehow it got past Avast, and I remember seeing a Java 6 splash screen appear after visiting a web site and thinking that was odd, and then things started to get a bit weird.

All of a sudden I started getting popups saying Windows couldn’t find the hard disk, RAM was critically low, files were getting corrupted and a reboot was required. In fact it rebooted automatically and then this thing called “Memory Optimizer” presented itself as a kind of “scan/fix your PC utility”, but it wouldn’t actually fix anything unless I bought an advanced version. According to Google it actually seems to be known by various different names, but the screen looks the same:

[image: the Memory Optimizer scan screen]

It took me to a web site asking for my credit card details that covered the whole window; there were no forward or back buttons, and I couldn’t close it.

I was immediately suspicious because I never installed this utility in the first place, then I figured it must have installed itself when the Java screen appeared earlier. Just to make sure, I rebooted Windows into recovery mode and ran a full chkdsk /r on my Windows partition – it took a while but no problems were found, so I knew the messages I was getting were bogus.

Now I had to figure out how to get rid of it. Fortunately Google provided the answer, although none of the blogs I found were complete. These steps are a good start though:

Delete Memory Optimizer files:
%TempDir%\[random]
%TempDir%\[random].exe
%TempDir%\dfrg
%TempDir%\dfrgr
%Desktop%\Memory Optimizer.lnk
%Programs%\Memory Optimizer
%Programs%\Memory Optimizer\Memory Optimizer.lnk
%Programs%\Memory Optimizer\Uninstall Memory Optimizer.lnk
Delete Memory Optimizer registry entries:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run “[random]”
HKCU\Software\Microsoft\Windows\CurrentVersion\Run “[random].exe”

After doing this, and rebooting, the damn thing still came back to haunt me. It re-instated the shortcut links on the start menu and desktop, and looking at the destination of the shortcut it was pointing to a random .exe file name in c:\program data (not program files!). I couldn’t delete it because it was actually running, so I killed it in task manager, deleted all files in c:\program data that had the same file creation/modification date as the random file name, and deleted everything in %TEMP%. Curiously there was nothing in the registry or startup menu, so not sure how it managed to start itself. Anyway, after rebooting again it’s finally gone.
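The manual checks above (Run keys, shortcut targets, a running process in ProgramData, and files sharing a creation date) can be done in one pass from PowerShell. The script below is an added example, not something from the original post; it only reports and never deletes anything, so the output has to be reviewed before removing files by hand. The one-day lookback window for recently created files is an assumption and can be changed with $since.

```powershell
# Added example (not from the original post): inventory the persistence points the post
# describes -- Run keys and Desktop/Start Menu shortcuts -- and flag anything that resolves
# to an executable under %TEMP% or C:\ProgramData, where this scareware put itself.
# Reporting only; nothing is deleted.

$suspectRoots = @(
    $env:TEMP,
    [Environment]::GetFolderPath('CommonApplicationData')   # C:\ProgramData
) | ForEach-Object { $_.TrimEnd('\') }

function Test-SuspectPath {
    param([string]$Path)
    if ([string]::IsNullOrWhiteSpace($Path)) { return $false }
    foreach ($root in $suspectRoots) {
        if ($Path.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

# 1. Run keys for the current user and the machine (the post lists the HKCU one).
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip the registry provider's own properties
        $value = [string]$p.Value
        # Strip surrounding quotes and any arguments so only the executable path is tested.
        $exe = ($value -replace '^"([^"]+)".*$', '$1') -replace '^(\S+\.exe).*$', '$1'
        $exe = [Environment]::ExpandEnvironmentVariables($exe)
        $status = if (Test-SuspectPath $exe) { 'SUSPECT' } else { 'ok' }
        [PSCustomObject]@{ Source = $key; Name = $p.Name; Target = $value; Status = $status }
    }
}

# 2. Shortcuts on the Desktop and in the Start Menu: resolve each .lnk to its target,
#    which is how the random .exe in C:\ProgramData was found by hand.
$shell = New-Object -ComObject WScript.Shell
$lnkRoots = @(
    [Environment]::GetFolderPath('Desktop'),
    [Environment]::GetFolderPath('Programs'),          # this user's Start Menu\Programs
    [Environment]::GetFolderPath('CommonPrograms')     # all-users Start Menu\Programs
)
Get-ChildItem -Path $lnkRoots -Filter *.lnk -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
    $target = $shell.CreateShortcut($_.FullName).TargetPath
    $status = if (Test-SuspectPath $target) { 'SUSPECT' } else { 'ok' }
    [PSCustomObject]@{ Source = 'shortcut'; Name = $_.FullName; Target = $target; Status = $status }
}

# 3. Any process currently running from one of the suspect roots; the post had to stop
#    the process in Task Manager before the file could be deleted.
Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -and (Test-SuspectPath $_.Path) } |
    Select-Object Id, ProcessName, Path, StartTime

# 4. Files created recently under the suspect roots, mirroring the "same creation date"
#    check in the post. $since is an assumed lookback window; adjust as needed.
$since = (Get-Date).AddDays(-1)
Get-ChildItem -Path $suspectRoots -File -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.CreationTime -gt $since } |
    Select-Object FullName, CreationTime, LastWriteTime, Length
```

Run it in an elevated PowerShell prompt so the HKLM Run key and all-users Start Menu are readable. Anything marked SUSPECT, or any process listed in step 3, is worth checking against the files and creation dates in step 4 before deciding what to stop and delete.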

This entry was posted in Computers and Internet.
