MR APP Rootkit - how can I remove it?

Jo4

johndough wrote: »

Hi

I would try sysinternals (but it may not suit your OS), the link may help...

http://technet.microsoft.com/en-gb/sysinternals/bb897445

I am using Vista and it doesn't seem to suit my OS. Do you know if this is available for Vista?

Jo4

paddyrg wrote: »

Rootkits are hardcore - effectively they're more in control of your computer than you are. They've hidden deep inside for a reason. They may have held the doors open for other malware (remember antivirus are far, far from complete protection.

Personally, I'd be inclined to flatten and rebuild so at least you know it's good, otherwise it's like catching your Mrs cheating - trust is gone and you're never truly certain whether or not you can rebuild a relationship involving online banking with that niggling doubt

I haven't got s clue about computers. How do I do what you suggest? (Sorry I need simple step by step instructions)

paddyrg

It means to backup the files you need, then format the hard drive and reinstall the operating system from scratch. You then reinstall the OS patches and programmes you use (Office, etc) from the installation CD's/downloads. It's an afternoon's work. The upside is the machine will usually run faster after doing this as it won't have all the cruft installed (games trials/hooky codecs/whatever caused the rootkit installation to begin with).

There will be plenty of guides online for 'full reinstall step by step' or similar searches - this one http://windows.microsoft.com/en-gb/windows-8/clean-install came up on the first page, there are others.

Personally, I'd invest the afternoon in doing it as it's easy to end up playing whack-a-mole putting right the damage from strong malware - and chasing and fixing niggles which takes longer overall - your mileage may vary!!

waddler_8

I have my doubts it is a rootkit due to the location.

A bit of research shows some files in that folder aren't digitally signed & run as services (eg: mrapp.event.service.exe) - this may be enough for Avast to throw up the warning.

What's the detection? Win32:Evo-gen [Susp]. If it is, it's a generic detection so could be a false positive.

bluesnake

if it buries itself and is locked in, it could be very difficult to remove the normal way.

I would use a windows boot PXE cd, and these often run in memory locking no HDD files. Then i would install a virus checker that does not reboot after installation (often fat chance, but malware bytes did in the past work for me this way), and run a few online ones like trend etc.

If the virus is a stand-alone process, rather embedding itself into ie, or FF, a really fantastic tool is the free Process Explorer, as this will display the location, and often you can kill the process too. Then delete the files.

Jo4

When I searched my laptop "MR APP" shows up 4 times

Name Date Modified Type Folder

MR APP 23/11/2014 22:42 File Folder Program Files (C:)

MR APP 17/07/2014 22:23 File Folder System32 (C:\Windows)

MR APP 14/07/2014 22:44 File Folder Local (C:\Users\User2\AppData)

MR APP 03/07/2014 11:49 File Folder Local (C:\Users\User1\AppData)

Does this mean it should be on my laptop?

waddler_8

I'm just going over your logs now and it looks to be related to this in your programs list:

YouGovPulse

https://yougov.co.uk/find-solutions/profiles/pulse/

Jo4

waddler_8 wrote: »

I'm just going over your logs now and it looks to be related to this in your programs list:

YouGovPulse

Thank you!! What do I need to remove or how can I sort this?

waddler_8

Uninstall it.

http://windows.microsoft.com/en-us/windows/uninstall-change-program#uninstall-change-program=windows-vista

It looks as though it has something to do with online surveys etc

Jo4

waddler_8 wrote: »

Uninstall it.

http://windows.microsoft.com/en-us/windows/uninstall-change-program#uninstall-change-program=windows-vista

It looks as though it has something to do with online surveys etc

If I uninstall YouGovPulse will that resolve the issue? How will I know my laptop is safe again to do my online banking again?