
Fake windows activation screen variant


10 replies to this topic

#1 lourocky

  • Members
  • 4 posts

Posted 28 July 2010 - 10:11 AM

Hi, I have been infected with the fake Windows activation virus. I have not been able to find a solution, as all the fixes posted everywhere so far are for the credit card version (randome.exe, mtl.dll), and the version I have simply keeps booting me off (the internet doesn't work and telephone numbers are listed only as xxx-xxx-xxxx).

I cannot logon at all anymore unless in Safe Mode (without networking).
- Have run Malwarebytes, Spybot, Super Anti-Spyware, etc - all of them have found infections and removed them, but as soon as I reboot and try to get in to Normal mode, the activation screen is back.
- Tried doing a Windows system restore but there are no available dates other than July 22 (which I assume is the date I became infected)
- Have gone through the registries but cannot find any of the files mentioned by people fixing the credit card version of this virus

Has anyone else experienced this and can you help?!

Thanks



#2 urobolus

  • Members
  • 9 posts

Posted 28 July 2010 - 11:28 AM

EXACT same situation I am in (minus the fact that it shows no phone number at all). Would love to hear the fix.

Uro

#3 lourocky

  • Topic Starter
  • Members
  • 4 posts

Posted 28 July 2010 - 11:48 AM

Likewise... also I noticed that my Add/Remove Programs option has disappeared (not sure if this is a Safe Mode issue or virus related).

#4 urobolus

  • Members
  • 9 posts

Posted 28 July 2010 - 12:13 PM

I'll have to check that out when I get home, but I noticed I can't get into my Network Connections even in safe mode. Same problem when I actually could log into the computer normally.

#5 urobolus

  • Members
  • 9 posts

Posted 28 July 2010 - 05:59 PM

It looks like I am able to access both the Add/Remove and now my Network Connections, but yep, still keep getting activation screen if I boot anything other than safe mode w/o networking.

Here is a link to my thread about it since it sounds like we are dealing with pretty much the same thing:

http://www.bleepingcomputer.com/forums/t/335432/fake-windows-activation/

Thanks,

Uro

I guess if no one has a fix for it in the next few days, I'm probably just going to format it. Hate to have some low-lifes with nothing better to do get the best of me, but oh well.

#6 lourocky

  • Topic Starter
  • Members
  • 4 posts

Posted 29 July 2010 - 12:59 PM

Okay, so I ran the Microsoft Malicious Software Removal Tool and it found the virus Win32.Alureon.H in C:\System Volume Information. Tried to delete it but it won't allow me to, so I googled that and followed the instructions to remove it using TDSSKiller and then a registry fixer. After 7 consecutive hours of scans and updates it seemed like the virus was gone, but of course when I rebooted into Normal mode the fake Windows activation was still there. AAAARgh! I am out of ideas now...

Someone please help!!

#7 dellrick

  • Members
  • 6 posts

Posted 29 July 2010 - 01:22 PM

My computer is in far worse shape, but a way to get past that is to run sysprep in Safe Mode. That will give you 30 days, but you should be able to activate it then.

#8 lourocky

  • Topic Starter
  • Members
  • 4 posts

Posted 29 July 2010 - 03:48 PM

My computer says it cannot find "sysprep". Is this a run command or some kind of program?
Also, that will not remove the virus but just allow me to get around it temporarily?

#9 urobolus

  • Members
  • 9 posts

Posted 29 July 2010 - 04:04 PM

Hey, I got a reply in my thread so you might want to check it out (like 4th or 5th post is a link). Running it right now and it has found 112 threats so far. Might want to give it a try; should know in the next few hours if it works or not. Not getting my hopes up.

#10 urobolus

  • Members
  • 9 posts

Posted 29 July 2010 - 04:06 PM

My computer says it cannot find "sysprep". Is this a run command or some kind of program?
Also, that will not remove the virus but just allow me to get around it temporarily?


Here is a link to Microsoft's explanation of it: http://support.microsoft.com/kb/302577

I might give it a try if nothing else works.

Uro

#11 boopme

  • Global Moderator
  • 72,759 posts
  • Location:NJ USA

Posted 29 July 2010 - 09:11 PM

lourocky

If you cannot use the Internet, you will need access to another computer that has a connection.
From there, save mbam-setup.exe to a flash/USB/jump drive or CD. Now transfer it to the infected machine, then install and run the program.
If you cannot transfer to or install on the infected machine, try running the setup (installation) file directly from the flash drive or CD by double-clicking on mbam-setup.exe so it will install on the hard drive.
***
Manually Downloading Updates:
Manually download them from HERE and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a USB stick or CD, and then copy it to the infected machine.


Also add this to the drive and run it off of it.
Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
If you have a problem downloading, installing or getting SAS to run, try downloading and using the SUPERAntiSpyware Portable Scanner instead. Save the randomly named file (i.e. SAS_1710895.COM) to a usb drive or CD and transfer to the infected computer. Then double-click on it to launch and scan. The file is randomly named to help keep malware from blocking the scanner.


This is also a possibility with "sysprep".
It's not unusual to receive such an error after using specialized fix tools.

A "Cannot find...", "Could not run...", "Error loading..." or "specific module could not be found" message is usually related to malware that was set to run at startup but has been deleted. Windows is trying to load this file but cannot locate it, since the file was most likely removed during an anti-virus or anti-malware scan. However, an associated orphaned registry entry remains and is telling Windows to load the file when you boot up. Since the file no longer exists, Windows will display an error message. You need to remove this registry entry so Windows stops searching for the file when it loads.

To resolve this, download Autoruns, search for the related entry and then delete it.

Create a new folder on your hard drive called AutoRuns (C:\AutoRuns) and extract (unzip) the file there. (click here if you're not sure how to do this.)
Open the folder and double-click on autoruns.exe to launch it.
Please be patient as it scans and populates the entries.
When done scanning, it will say Ready at the bottom.
Scroll through the list and look for a startup entry related to the file(s) in the error message.
Right-click on the entry and choose delete.
Reboot your computer and see if the startup error returns.
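The orphaned-startup-entry situation boopme describes (a Run value still pointing at a file a scanner has already deleted) can be checked from PowerShell before opening Autoruns. The script below is an added example for this thread; it is not code from the thread, from Autoruns, or from BleepingComputer. It assumes PowerShell is available on the affected machine, it looks only at the standard Run/RunOnce keys listed at the top (the key paths are the well-known Windows ones), and its command-line parsing is a heuristic. It is read-only: it lists entries whose target file is missing, so the matching rows can be found in Autoruns and deleted there as the post recommends.

```powershell
# Added example (not from the thread or from Autoruns): report Run/RunOnce
# autostart values whose target executable or DLL no longer exists on disk.
# Such orphaned values are what produce "Cannot find..." / "Could not run..." /
# "Error loading..." messages at logon after a cleanup tool removed the file.
# Read-only: nothing is deleted.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-FirstToken {
    # Split a command line into its first token and the remainder,
    # honouring "quoted paths with spaces".
    param([string]$CommandLine)
    $cmd = $CommandLine.Trim()
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 1) {
            return @($cmd.Substring(1, $end - 1), $cmd.Substring($end + 1).Trim())
        }
        return @($cmd.Trim('"'), '')
    }
    # Unquoted paths may still contain spaces (C:\Program Files\x.exe /arg):
    # stop at the first known executable extension, else at whitespace.
    $m = [regex]::Match($cmd, '^(.+?\.(exe|dll|com|bat|cmd|scr))(\s+(.*))?$', 'IgnoreCase')
    if ($m.Success) { return @($m.Groups[1].Value, $m.Groups[4].Value) }
    $parts = $cmd -split '\s+', 2
    if ($parts.Count -eq 2) { return @($parts[0], $parts[1]) }
    return @($parts[0], '')
}

function Get-TargetPath {
    # Work out which file Windows will actually try to load for this value.
    param([string]$CommandLine)
    $expanded = [Environment]::ExpandEnvironmentVariables($CommandLine)
    $tok = Get-FirstToken $expanded
    $exe = $tok[0]; $rest = $tok[1]
    # rundll32.exe <dll>,<entry>: the DLL is the file that matters; a missing
    # DLL is what yields an "Error loading <dll>" message.
    if (([System.IO.Path]::GetFileName($exe) -ieq 'rundll32.exe') -and $rest) {
        $dll = (Get-FirstToken $rest)[0]
        return ($dll -split ',')[0].Trim()
    }
    return $exe
}

function Resolve-TargetPath {
    # Bare names ("foo.exe", "bar.dll") are resolved the way the loader would:
    # via PATH for applications, then the Windows and system32 directories.
    param([string]$Path)
    if ([System.IO.Path]::IsPathRooted($Path)) { return $Path }
    $found = @(Get-Command -Name $Path -CommandType Application -ErrorAction SilentlyContinue)
    if ($found.Count -gt 0) { return $found[0].Path }
    foreach ($dir in @("$env:SystemRoot\system32", $env:SystemRoot)) {
        $candidate = Join-Path $dir $Path
        if (Test-Path -LiteralPath $candidate -PathType Leaf) { return $candidate }
    }
    return $Path
}

function Get-OrphanedRunEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        foreach ($prop in $item.PSObject.Properties) {
            # Get-ItemProperty adds PSPath/PSParentPath/... bookkeeping; skip it.
            if ($prop.Name -like 'PS*') { continue }
            $cmd = [string]$prop.Value
            if (-not $cmd.Trim()) { continue }
            $target = Resolve-TargetPath (Get-TargetPath $cmd)
            if (-not (Test-Path -LiteralPath $target -PathType Leaf)) {
                New-Object PSObject -Property @{
                    Key       = $key
                    ValueName = $prop.Name
                    Command   = $cmd
                    Target    = $target
                }
            }
        }
    }
}

$orphans = @(Get-OrphanedRunEntries)
if ($orphans.Count -eq 0) {
    'No orphaned Run/RunOnce entries found.'
} else {
    $orphans | Format-List Key, ValueName, Command, Target
}
```

Run it from a normal or elevated PowerShell prompt (HKLM values are readable without elevation, so it works in Safe Mode as well). Treat the output as a list of candidates to look up in Autoruns, not as proof of infection: a legitimate program that was uninstalled carelessly leaves exactly the same kind of orphaned value, and an entry whose file still exists is outside this script's scope.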



