Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Windows XP Recovery Virus + Possible Redirect Problem


  • Please log in to reply
2 replies to this topic

#1 richard7116

richard7116

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:07:59 AM

Posted 30 April 2012 - 09:45 AM

My friend is running XP Professional and Firefox. I think it possible his PC was infected with Windows XP Recovery. It also appears there is some kind of redirect problem.

Here is what I see is the basics of removing Windows XP Recovery:

* Start Windows in Safe Mode.

* Run RKill (iExplore, RKill.com, etc, etc)

* Run tdsskiller

* Install (mbam-setup) and run Malwarebytes to remove infections.

* Reeboot and start Windows in Normal Mode.

* Run Unhide.exe

* Add back menu items in Windows Start Menu.
-------
After obtaining the files, using another PC and putting them on a USB stick, I tried to follow the above process.

I ran iExplore.exe.

Running tdsskiller found "Rootkit.Boot.wistler.a" (which required a reboot to remove).

I installed and then tried to run Malwarebytes. I believe I got a "cannot run in Safe Mode" message.

So, I then rebooted into Normal Mode.

Then I ran Malwarebytes. Then ran Unhide.exe, then rebooted.

I've also run AVG. (In fact I had both Malwarebytes and AVG running- not good). Okay, I don't know how far I've got in removing viruses, but I do see the following in AVG vault:

FakeAV_r.DD
IDP.Program.D1B0A5C0
Unknown
IDP.Trojan.4C70E441
IDP.Trojan.85B05343

I would have said the Windows XP Recovery virus was removed. Because the menu associated with that malware no longer appears.

However, there is some kind of redirection problem. When in Google, clicking a search result produces no change in page. I think the address in the address bar just stays the same. Not in every instance, but many.

Question: Did I run through the process sufficently correctly? I did a reboot after running Rkill, and I ran Malwarebytes in Normal Mode without having run Rkill beforehand. But, tdsskiller ought to have removed the rootkit on reboot.

I think possibly my main problem now is the redirect problem. Is there a slight error in the process as given? Because I could not start Malwarebytes in Safe Mode? Thanks.

Edited by richard7116, 30 April 2012 - 09:46 AM.


BC AdBot (Login to Remove)

 


#2 richard7116

richard7116
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:07:59 AM

Posted 30 April 2012 - 11:19 AM

Here is the article I have been trying to follow:

Removal Windows XP Recovery

The issue is whether one has to run an antivirus program right after RKill, but before tdsskiller has removed a rootkit (on a reboot) or whether it is okay to run an antivirus program after tdsskiller has removed a rootkit, but without again running RKill.

The process given, shows running antivirus Malwarebytes in a state where malevalent processes are killed (by RKill) and after tdsskiller has run (but before a rootkit is removed, which occurs on a reboot). The process given is running an antivirus program without removal of the rootkit yet, but while those virus processess are stopped.

As I say, I was forced to run Malwarebytes after a reboot. Which removed the rootkit, but after that I did not start from scratch, that is, running RKill, before I ran Malwarebytes in Normal Mode. I hope this makes sense.

Edited by richard7116, 30 April 2012 - 11:20 AM.


#3 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 34,236 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Daly City, CA
  • Local time:04:59 AM

Posted 30 April 2012 - 08:46 PM

Welcome aboard Posted Image

Download Security Check from HERE, and save it to your Desktop.

* Double-click SecurityCheck.exe
* Follow the onscreen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt; please post the contents of that document.

=============================================================================

Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center/Action Center
    • Windows Update
    • Windows Defender
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

====================================================================================

Please download MiniToolBox and run it.

Checkmark following boxes:
  • Report IE Proxy Settings
  • Report FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Devices (do NOT change any settings here)
  • List Users, Partitions and Memory size
Click Go and post the result.

=============================================================================

Download Malwarebytes' Anti-Malware (aka MBAM): http://www.malwarebytes.org/products/malwarebytes_free to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

Be sure to restart the computer.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

=============================================================================

Download aswMBR to your desktop.
Double click the aswMBR.exe to run it.
If you see this question: Would you like to download latest Avast! virus definitions?" say "Yes".
Click the "Scan" button to start scan.
On completion of the scan click "Save log", save it to your desktop and post in your next reply.

NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.

My Website

p4433470.gif

My help doesn't cost a penny, but if you'd like to consider a donation, click p22001735.gif







0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users