01 Apr
Google Installer Virus Removal – Updated!
Update – Download Link Fixed
Well, along with Conficker, the Google Installer Virus is still at large. I just removed this virus from a friend’s computer. The information here is collected from multiple sources across the Internet, thanks to everyone’s favorite… Google.
Technically, Google Installer Virus is actually malware, not a “virus”. This form of malware is a tricky one, known as a RootKit. A RootKit is a virus that embeds itself (either through hardware or software) in the system, and doesn’t come out with your usual anti-virus/anti-spyware. It also blocks almost every anti-spyware, anti-virus and the like.
Through a combination of ComboFix, MalwareBytes Anti-Malware, Spybot S&D (mentioned here) and Ad-Aware Free, we’ll remove the virus (and anything else that’s hiding on your computer.) I have all of these applications in a convenient zip folder for you. Download here.
If you are on a Windows Machine:
Disconnect from the Internet
1. First things first. We’ll run ComboFix first. ComboFix is an excellent RootKit remover. But, before we proceed, ComboFix requires all Anti-virus to be shut off. Visit here for help on that.
Disabled your anti-everything software? Read on.
Note: Before running ComboFix, close ALL applications and DO NOT, DO NOT, click on ComboFix’s window while it is running. Just let it run its course.
Run ComboFix.exe. Uh oh! It won’t run! The RootKit has an advanced detection system that won’t allow certain executables to run, such as ComboFix.exe. It’s ok, there’s a solution.
Right-click on ComboFix.exe, and rename it to something like “Ieexplore.exe” (without quotes). Then run it. Once again, do not click on the ComboFix window. ComboFix may take a while, and may ask you to restart. It may also request you to write down some information. Write it down, restart, and let ComboFix work its magic. This may take 45 min. - 1 hour. If it’s less, good… let’s move on.
After ComboFix finishes the scan, it brings up a log. Read it if you like, then close it down. It’ll look like nothing’s happening… nothing is. Press Ctrl+Alt+Del, hit New Task, and type explorer.exe. You should find that Explorer runs faster, at least a little.
2. MalwareBytes Anti-Malware. Run a quick scan. This will remove some other malware that ComboFix didn’t catch… it should find 13 things. Click Remove Selected Items. You can also run a full scan, but it didn’t find anything else for me with a full scan. Done so soon? Who’s next?
3. Now we’re to my old favorite, Spybot Search and Destroy, something I would recommend running once every two weeks (at least). For more info on running Spybot S&D, visit my Essential Security Toolbox post.
4. Ad-Aware. Once again, as in the post mentioned right above, something to keep and install on every computer you get.
5. Run an online scan from ESET.
Run a free scan with ESET Online Scanner
I know it’s not everyone’s favorite, but you will need to use Internet Explorer for this scan.
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the ActiveX control to install
Click Start
Make sure that the options Remove found threats and Scan unwanted applications are checked
Click Scan
Wait for the scan to finish! Once it’s done, it should fix/delete the items.
6. You most likely still won’t have it completely removed. If, when you start Windows (regular mode), you get all of these command prompt windows (including command.com), then follow these directions. If not, go ahead and skip down below these instructions.
Download Killbox. Boot into Safe Mode. Do this by restarting the computer; when you hear a beep, and before the Windows logo appears, hit F8, and select Safe Mode from the options.
From Safe Mode, run KillBox, and select the “delete on reboot” option.
Click the All Files button.
Enter these, one by one, into KillBox. After each one, click the button with the red circle and white x, and select no when the reboot option is given, until the last one. Then reboot.
C:\WINDOWS\System32\x3cqp0.dll
C:\Program Files\MsConfigs\MsConfigs.exe
C:\Windows\system32\p2pnetwork.exe
C:\Windows\system32\CMD.COM
C:\Windows\system32\netstat.com
C:\Windows\system32\ping.com
C:\Windows\system32\regedit.com
C:\Windows\system32\tasklist.com
C:\Windows\system32\taskkill.com
C:\Windows\system32\taskmgr.com
C:\Windows\system32\tracert.com
C:\Windows\system32\bt.exe
C:\Windows\system32\z.tmp
C:\Windows\system32\bszip.dll
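Many of the paths above are .com files named after built-in tools (ping, netstat, taskmgr, …), and the default Windows PATHEXT tries .COM before .EXE, so a bare command name resolves to the .com copy. The following check is an added example, not part of the original post or of any tool it mentions: it lists names that exist under more than one executable extension in a directory. The function names and the sample directory are constructed for illustration, and the stock PATHEXT order is assumed.

```python
import os
import tempfile

# Assumption: the stock Windows PATHEXT order (.COM is tried before .EXE).
DEFAULT_PATHEXT = (".com", ".exe", ".bat", ".cmd")


def find_shadowed_commands(directory, pathext=DEFAULT_PATHEXT):
    """Return {stem: (winner, [shadowed, ...])} for every command name that
    exists with more than one executable extension in `directory`.
    A lone .com file (more.com, mode.com, ...) is normal and is not reported."""
    rank = {ext: i for i, ext in enumerate(pathext)}
    by_stem = {}
    for entry in os.scandir(directory):
        if not entry.is_file():
            continue
        stem, ext = os.path.splitext(entry.name)
        ext = ext.lower()
        if ext in rank:
            by_stem.setdefault(stem.lower(), []).append((rank[ext], entry.name))
    findings = {}
    for stem, hits in by_stem.items():
        if len(hits) > 1:
            hits.sort()  # lowest rank first: the file that actually runs
            findings[stem] = (hits[0][1], [name for _, name in hits[1:]])
    return findings


def build_sample_dir():
    """Constructed sample directory (empty files): three shadowed tools taken
    from the list above, plus files that must not be flagged."""
    d = tempfile.mkdtemp(prefix="sys32_sample_")
    names = ("ping.exe", "PING.COM", "netstat.exe", "netstat.com",
             "taskmgr.exe", "taskmgr.com", "more.com", "notepad.exe",
             "readme.txt")
    for name in names:
        open(os.path.join(d, name), "wb").close()
    return d


if __name__ == "__main__":
    # Point this at a real directory on the affected machine when using it.
    sample = build_sample_dir()
    for stem, (winner, shadowed) in sorted(find_shadowed_commands(sample).items()):
        print(f"{stem}: {winner} runs instead of {', '.join(shadowed)}")
```

The check looks at one directory at a time, so a .com copy that shadows a tool living in a different PATH directory needs each directory scanned and the results compared by name.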
EDIT: Run ComboFix, Spybot S&D, Your Anti-virus, and Ad-Aware again after following the above steps
Then enjoy your cleaned computer!!!
If you have a Mac

Happy Malware-Killing!
Ben
Feel free to comment, or shoot us an e-mail with your problem, if this didn’t solve it, and we’ll try our best to help you!
Disclaimer: The intent of this post is for aiding in the removal of malware/spyware/viruses. By following the steps detailed above, you take full responsibility for any damage you cause your computer, you, or anyone around you.
Thank you thank you thank you Ben!!
Ben,
I would love to provide you with a complimentary SUPERAntiSpyware Professional Lifetime Edition license. Is there an email address that I may send a license registration/activation code to directly?
Thank you very much for your time and consideration,
Mike
SUPERAntiSpyware
@Mike Duncan,
I’d love to give it a try with that license and give it a review on my blog.. I have e-mailed you from aol.
Thanks,
Ben
Nice Mac logo Ben(jo)! Could you send it to me? Thx.
My laptop has this problem. I’m trying to follow your guide, but the machine crashes or freezes before I can run the scans all the way through. I did manage to use MalwareBytes Anti-Malware, which as you said found 13 things, but no luck removing the virus. I also was able to run killbox, but no effect.
Any suggestions for people with this problem?
Just wanted to thank you very much for these instructions. I had to run them twice, but it looks like I was able to clean my system of this pernicious malware thanks to your detailed instructions. Please accept my sincere appreciation!
SUPERAntiSpyware alone seemed to take care of my conficker symptoms: “Google Installer” popups, applications freezing, etc.
Thanks so much for posting this article and thank you, SUPERAntiSpyware!!
I renamed Combofix and ran, and immediately a message pops up that says c:\windows\system32\msiefiu is trying to attach itself to Combofix. I clicked ok, but now it just hangs up with the message, “ComboFix is preparing to run.” It’s been stuck for about 15 mins. Should I keep waiting or restart?
hi
you were a great help to me in getting rid of the ‘google installer’ virus, so i’m asking you for more advice. my friend has a virus that is sending emails to me and everyone on her mail list. the email subject line always is numbers in a format of ’28/09′.
i never opened the email, thankfully, but the emails are still coming and it’s been over a week. i told her that her virus scanner is probably never going to find it now (mcafee). have you heard of this virus? any help?
Hi Leisa,
It looks like your friend has what is called an “Address Book Worm”. There are so many of them out there, and it might only be a portion of the problem that she has, that without any other information, it would be impossible to identify the exact problem she is facing. All I can offer is what I would recommend someone do with any virus. The first thing she should do is disconnect from the internet and back up all of her data to either CD or External Hard Drive just to be safe. After that, she should run a full McAfee scan, as well as Spybot Search and Destroy. What I would do next would depend on other symptoms and what Spybot found.
I’d be happy to help troubleshoot the problem if you would like. Please email me a report to jack@tonysgeektips.com of what McAfee and Spybot find if you are interested.
Thanks,
Jack
jack@tonysgeektips.com
Note: Please remember that everything I suggest is only my opinion and that I am not responsible for what anyone who follows my advice does.
i will recommend the spybot search and destroy for her. i’ll let you know what happens. thanks.
Thank you very much for your help getting rid of this malware !!!!
Love your work, typical tech expert when looking at this rootkit was complete overhaul and hard drive re-format… your advice saved my business computer
Thank you, thank you, thank you for your help! Your steps did the job!
hello…me again
sorry to put this here and not in a new thread. (not sure how to start a new one)
I am trying to rename pictures on my computer. it tells me if i rename, the pic may become unusable (which does indeed happen, cause i tried)
any ideas. Both my computers tell me this.
I want to burn these pics onto disc, but i really want them renamed first.
thanks
Hi Leisa,
Sorry about the delayed response. When you are renaming the files, are you ensuring that the extensions are preserved?
For example, let’s say that you have a file: mypicture.jpg. If you wanted to call it “golf-with-friends”, instead, you would need to make sure to call it “golf-with-friends.jpg”.
The important part is the “.jpg”. If you leave that out, the file will be unusable. Of course, if your picture ends in “.png”, etc., you would need to make sure that you used that instead.
Let me know how it goes.
Thanks,
Jack
tonysgeektips.com
My computer won’t even let me open up Spybot S&D or install any new malware/virus removal software. Is there any way to force start this stuff??
Hi Brad,
Please try booting your computer into safe mode (hold the F8 key on bootup, and select “Safe mode” from the list). Try installing it again.
Let me know how it goes. If it doesn’t work, we may be able to try some other things.
Thanks,
Jack
tonysgeektips.com
I’m trying to follow the instructions above and I’m getting an error when I execute ComboFix that says:
Windows cannot find NircmdB.exe. Make sure you typed the name correctly and try again….
I’m on Windows Server 2003 which has posed some problems with running some other malware removers I’ve tried in the course of trying to resolve this problem. They aren’t compatible. Any suggestions?
Thank you in advance!