Windows 8 Premier Opinion malware: how to completely nuke?
May 19, 2015 11:28 PM

My brand new Windows 8 installation somehow picked up Premier Opinion, which seems to be an old piece of malware making a comeback. I've started a cleanup but want to make sure I'm completely thorough.

I restarted my computer shortly after midnight tonight after Windows Update, and the first time I ran Firefox (fitted with NoScript) it asked whether I wanted to give Premier Opinion permission to run. I didn't allow this, of course, and went to the control panel for a look. Premier Opinion showed up as an installed program, with an installation date of today (May 20), but I couldn't find anything dodgy in my browser history for today or late yesterday, so I don't know how it was delivered.

So from Control Panel, I formally uninstalled it (as advised here).

I don't see any suspicious processes in Task Manager.

There is still a PremierOpinion folder, holding pmropn.exe, in my Program Files (x86) folder. I'm ready to just delete this completely (and clean out Recycle), but is there a better option? I don't know if there's a payload hiding somewhere else that will just reinstall itself. I've searched "opinion" and various permutations of possible file names but haven't found anything on my drives.

I ran a quick scan with Microsoft Malicious Software Removal Tool (no hits, even though the bloody EXE file is right where I said it is), so I'm running a full scan right now, but should I just cancel and use Malwarebytes instead? The most recent discussion I can find on the MS support site here recommends those tools, but it's weird that I can't find any discussion more recent than 2010. Is there anything better that I should try?

If necessary, I can just nuke from orbit. This is a brand new install and it will be pretty straightforward to bring my data back onto this machine.

(And OH SHIT -- I got a prompt to install Chromium earlier tonight and stupidly did so. It looked like a Windows 8 update of Chrome. THAT is probably the culprit.)

Forget everything else, full format/reinstall of Windows 8.1 instead?
posted by maudlin to Computers & Internet (6 answers total) 1 user marked this as a favorite
 
MSRT only targets a few common trojans. It's not intended to be a full anti-malware package and in general it won't touch commercial spyware.

Comscore variants aren't usually hard to remove; if there is still a leftover EXE after reboot you can likely delete it just fine.

But if this came from a bogus Chrome download, I would expect you to have some other more stealthy remote-install component which may bring more friends with it. If you can't account for the Comscore infection from some more benign source, I would personally format/reinstall. (You could try scanning it with anti-malware, but be aware that these tools are of limited and decreasing usefulness today.)
posted by BobInce at 3:19 AM on May 20, 2015


Malware/spyware are like cockroaches, there is never just one and dealing with this stuff can take days. Format and reinstall is your quickest option.
posted by epo at 3:25 AM on May 20, 2015


Thanks. I cleaned out pretty well with Malwarebytes, which did detect the Premier Opinion EXE and a couple of associated DLLs in the system files. It also found quite a bit of stuff re PUP.Optional.RelevantKnowledge.A in C:\Users\[MyProfile]\AppData\Local\Google\Chrome\User Data\Default\Extensions\.

After rebooting:

1) Premier Opinion stuff was gone.
2) Relevant.Knowledge A files were still in that Chrome path. Malwarebytes identified them but didn't touch them.
3) The Chromium browser launched on reboot every time. I disabled it from StartUp and confirmed that its folder with chromium.exe and associated files was still in C:\Users\[My Profile]\AppData\Local (nothing in Roaming or LocalLow). I'm looking at Chromium like it's malware right now.

I uninstalled Chrome and all its user files, so the Relevant.Knowledge.A crap was gone (Malwarebytes didn't clean it out). Re-installed Chrome and it asked what I wanted for my default browser, and it listed Chromium as an option (I chose Firefox.) Aaaand -- all those suspicious folders and files are back in the "new" C:\Users\[MyProfile]\AppData\Local\Google\Chrome\User Data\Default\Extensions\

I have to run out soon, but there may be a nuking in my near future.
posted by maudlin at 8:07 AM on May 20, 2015
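
An added example (not part of the thread, and not any poster's code): a read-only PowerShell inventory of what the comment above checks by hand, namely the contents of the Chrome `Extensions` folder, the programs registered to start at logon, and the registry locations Chrome reads for externally installed or policy-forced extensions. It assumes the default Chrome profile path quoted in the comment; the thread does not establish that the registry locations were involved here, they are simply further places to look when extension folders come back after a reinstall.

```powershell
# Added example: read-only inventory. Nothing here deletes or changes anything.
# Assumes the default Chrome profile path quoted in the comment above.
$extRoot = Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data\Default\Extensions'

# On-disk layout: Extensions\<extension id>\<version>\manifest.json
$extensions = foreach ($idDir in Get-ChildItem -LiteralPath $extRoot -Directory -ErrorAction SilentlyContinue) {
    foreach ($verDir in Get-ChildItem -LiteralPath $idDir.FullName -Directory) {
        $manifestPath = Join-Path $verDir.FullName 'manifest.json'
        if (-not (Test-Path -LiteralPath $manifestPath)) { continue }
        try {
            $m = Get-Content -LiteralPath $manifestPath -Raw -ErrorAction Stop | ConvertFrom-Json
            $name  = $m.name                      # may be a "__MSG_...__" locale placeholder
            $perms = @($m.permissions) -join ', '
        } catch {
            $name  = '<manifest did not parse>'
            $perms = ''
        }
        [pscustomobject]@{
            Id          = $idDir.Name
            Version     = $verDir.Name
            Name        = $name
            Permissions = $perms
            Created     = $verDir.CreationTime    # compare with the reinstall time
        }
    }
}
$extensions | Sort-Object Created | Format-Table -AutoSize -Wrap

# Everything registered to launch at logon (Run keys and Startup folders).
Get-CimInstance -ClassName Win32_StartupCommand |
    Select-Object Name, Command, Location, User |
    Format-Table -AutoSize -Wrap

# Registry locations Chrome reads for external or policy-forced extensions.
$keys = 'HKLM:\SOFTWARE\Google\Chrome\Extensions',
        'HKLM:\SOFTWARE\WOW6432Node\Google\Chrome\Extensions',
        'HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist'
foreach ($key in $keys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $k = Get-Item -LiteralPath $key
    # Subkeys are extension ids; values under the policy key are "id;update_url".
    $k.GetSubKeyNames() | ForEach-Object { "{0}\{1}" -f $key, $_ }
    $k.GetValueNames()  | ForEach-Object { "{0} : {1} = {2}" -f $key, $_, $k.GetValue($_) }
}
```

Running it before and after reinstalling Chrome and comparing the `Id` and `Created` columns shows which extension folders were recreated and when.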


Another vote for format and reinstall.

Trying to remove the malware any other way will expend the same amount of time (as a format and reinstall) but leave you with a computer that still might be infected.

Not to mention that one of the main points of malware is to avoid being easily removed.

You can get free apps to back up drivers, back up and restore Windows activation tokens and quickly reinstall the most common software. It needn't take too much effort.
posted by mr_silver at 2:43 PM on May 20, 2015


Nuked from orbit, folks, just as advised. The reinstall didn't go quite as smoothly as I expected. Installing from scratch with the DVD was hell, but an ISO downloaded from Microsoft and my software key finally achieved a clean install after a few hours of head clutching and some outside help.

Oh, and I found the source for the Premier Opinion adware: it was installed along with FileZilla earlier this week. I saw and rejected the option to make Yahoo my default browser, etc. when I first installed FileZilla, but there must have been some fine print on the EULA screen about Premier Opinion (they've done this before). Today's install at least had the decency to make a big, clear splash screen saying I could opt out of Premier Opinion -- which I did -- but it still left some files in my User profile Temp folder that I deleted with a vengeful flourish. Bastards. I really should have used the installer files at Ninite.
posted by maudlin at 6:36 PM on May 21, 2015 [2 favorites]


maudlin: "Nuked from orbit, folks, just as advised. The reinstall didn't go quite as smoothly as I expected. Installing from scratch with the DVD was hell, but an ISO downloaded from Microsoft and my software key finally achieved a clean install after a few hours of head clutching and some outside help.

Oh, and I found the source for the Premier Opinion adware: it was installed along with FileZilla earlier this week. I saw and rejected the option to make Yahoo my default browser, etc. when I first installed FileZilla, but there must have been some fine print on the EULA screen about Premier Opinion (they've done this before). Today's install at least had the decency to make a big, clear splash screen saying I could opt out of Premier Opinion -- which I did -- but it still left some files in my User profile Temp folder that I deleted with a vengeful flourish. Bastards. I really should have used the installer files at Ninite."

Just a note to any reinstallers. Ninite, Ninite, and, oh Ninite. (Even if they never pick any of my suggestions of programs to add.)
posted by Samizdata at 7:27 PM on May 30, 2015

