Is this virus still on my computer?

#1 UpNDown

Posted 17 April 2011 - 08:43 PM

Hello, I was just wondering if anyone could help. Today, I contracted a virus called 'Windows Recovery' and I think it was from visiting a bad website. Anyway, I encountered Windows Recovery a few weeks ago but got rid of it quite easily but this time it was quite stubborn. Anyway, I already have Malwarebytes' Anti-Malware installed, so I used rkill and I quickly ran a full scan and after two hours it found four rogues and restarted. But Windows Recovery then popped back up again and so I went to Task Manager and ended the process. It then did not pop back up again (like it usually does) and so I ran two Quick Scans on Malwarebytes' Anti-Malware but it found nothing each time. So I then tried using the Internet and here I am... It's working fine at the moment. The only problem is that all my files are hidden, but I know I can unhide them with unhide.exe (but will this unhide OS files like 'desktop.ini'?).

So is Windows Recovery still on my computer? Is it safe to turn off the computer?

Thanks to anyone who can help...

#2 UpNDown

Posted 17 April 2011 - 08:52 PM

I'm using Windows Vista if this helps...

#3 boopme

Posted 17 April 2011 - 09:03 PM

I take it you did not have its issue of when it hides your files.
You did also update MBAM before you ran it and downloaded a new copy of RKill as it's updated often.

Let's run an online scan and see if it finds anything.

ESET Online Scanner:

Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You will however need to disable your current installed Anti-Virus, how to do so can be read here.

Vista/Windows 7 users: You will need to right-click on either the IE or FF icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.

  • Please go here to run the scan.

    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.

  • Select the option YES, I accept the Terms of Use then click on: [image]
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on: [image]
  • The virus signature database... will begin to download. Be patient; this may take some time depending on the speed of your Internet Connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
  • Now click on: [image]
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.
Note: Do not forget to re-enable your Anti-Virus application after running the above scan!
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#4 UpNDown

Posted 18 April 2011 - 02:14 PM

It won't finish; it keeps on stalling. However, I did try another Full Scan on MBAM and it found 10 threats, so I removed them. I restarted it, and Windows Recovery hasn't popped up again... My files are still hidden however.

#5 boopme

Posted 18 April 2011 - 02:24 PM

Can you post the infected log so we can get an idea of what we are dealing with?
The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.

#6 UpNDown

Posted 18 April 2011 - 03:14 PM

Here it is:

--------------------------------------------------------------------------

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6389

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.19048

18/04/2011 17:20:21
mbam-log-2011-04-18 (17-20-21).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 357076
Time elapsed: 2 hour(s), 22 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 9

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FpoJEykxWu (Trojan.Agent) -> Value: FpoJEykxWu -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\programdata\fpojeykxwu.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\programdata\42196744.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\Users\Admin\AppData\Local\put.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Users\Admin\AppData\Local\microsoft\Windows\temporary internet files\Content.IE5\WGSF7T2E\rlmfz_62[1].exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Users\Admin\AppData\LocalLow\Sun\Java\deployment\cache\6.0\52\44d78734-42175d29 (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Users\Admin\AppData\LocalLow\Sun\Java\deployment\cache\6.0\6\412d8346-3313cda8 (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Users\Admin\AppData\Roaming\thinstall\CSDATA\10000006e00002i\searchindexer.exe (Rootkit.Dropper) -> Quarantined and deleted successfully.
c:\Users\Admin\AppData\Roaming\thinstall\CSDATA\1000000800002i\svchost.exe (Rootkit.Dropper) -> Quarantined and deleted successfully.
c:\Users\Admin\AppData\Roaming\thinstall\CSDATA\1000000e00002i\rundll32.exe (Rootkit.Dropper) -> Quarantined and deleted successfully.

--------------------------------------------------------------------------

Thanks again!
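The log above shows the pattern this rogue uses to survive a reboot: a randomly named value under HKCU\...\Run pointing at an executable dropped in a user-writable folder (ProgramData). The following is an added example, not part of the thread or of MBAM: a read-only PowerShell listing of the Run/RunOnce autostart entries that flags commands launching from user-writable locations and values whose target file no longer exists (what a quarantine leaves behind). It assumes PowerShell 2 or later; the list of user-writable folders is an assumption.

```powershell
# Added example: read-only autostart check for the persistence pattern in the MBAM log.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Assumption: folders a standard user can write to; a legitimate autostart rarely lives here.
$userWritable  = @($env:ProgramData, $env:APPDATA, $env:LOCALAPPDATA, $env:TEMP) | Where-Object { $_ }
# Properties Get-ItemProperty adds about the key itself, not registry values.
$providerProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Get-ExecutablePath([string]$command) {
    # "C:\dir with spaces\x.exe" /arg -> C:\dir with spaces\x.exe ; c:\x.exe /arg -> c:\x.exe
    $exe = if ($command -match '^\s*"([^"]+)"') { $Matches[1] } else { ($command -split '\s+')[0] }
    return [Environment]::ExpandEnvironmentVariables($exe)
}

foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $entry = Get-ItemProperty -Path $key
    foreach ($prop in $entry.PSObject.Properties) {
        if ($providerProps -contains $prop.Name) { continue }
        $cmd = [string]$prop.Value
        $exe = Get-ExecutablePath $cmd
        if (-not $exe) { continue }
        $flags = @()
        foreach ($root in $userWritable) {
            if ($exe.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) {
                $flags += 'USER-WRITABLE'; break
            }
        }
        # Only a full path can be checked for existence; bare names resolve through PATH.
        if ([IO.Path]::IsPathRooted($exe) -and -not (Test-Path -LiteralPath $exe)) {
            $flags += 'TARGET-MISSING'
        }
        New-Object PSObject -Property @{
            Key = $key; Name = $prop.Name; Command = $cmd; Flags = ($flags -join ',')
        }
    }
}
```

Run it in a normal (non-elevated) PowerShell window; it changes nothing, so a flagged entry is something to look at, not something the script removes.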

#7 boopme

Posted 18 April 2011 - 06:41 PM

OK thanks
Let's run another tool first..
Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
Be sure to download TDSSKiller.exe (v2.4.0.0) from Kaspersky's website and not TDSSKiller.zip which appears to be an older version 2.3.2.2 of the tool.
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.07.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.


Now do this to see your files...
How to see hidden files in Windows

If that failed....
This infection family will also hide all the files on your computer from being seen. To make your files visible again, please download the following program to your desktop:

Unhide.exe

Once the program has been downloaded, double-click on the Unhide.exe icon on your desktop and allow the program to run. This program will remove the +H, or hidden, attribute from all the files on your hard drives. If there are any files that were purposely hidden by you, you will need to hide them again after this tool is run.

#8 UpNDown

Posted 19 April 2011 - 08:42 AM

Windows Recovery hasn't been popping up, but I'll still run it?

#9 UpNDown

Posted 19 April 2011 - 08:47 AM

Wow, it only took 35 seconds! And it didn't find anything! What now?

#10 boopme

Posted 19 April 2011 - 03:31 PM

Looks good...
If there are no more problems or signs of infection, you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok". Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" tab, then click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
Vista Users can refer to these links: Create a New Restore Point and Disk Cleanup.

Tips to protect yourself against malware and reduce the potential for re-infection:

Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs. They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites. Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users. The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications. Read P2P Software User Advisories and Risks of File-Sharing Technology.

Keeping Autorun enabled on USB and other removable drives has become a significant security risk due to the increasing number of malware variants that can infect them and transfer the infection to your computer. To learn more about this risk, please read:

#11 UpNDown

Posted 19 April 2011 - 03:55 PM

Ah, thank you boopme!

Just a few questions, my desktop background is all black, can I just reset it by right click and Properties (after unhiding the wallpapers)?

And that leads me to my next question, 'unhide.exe'. Will it remove the hidden attribute on all files or just my personal files? Will it unhide files (e.g. system files like desktop.ini) which were hidden before Windows Recovery hid all my files or just reverse what Windows Recovery did?

#12 boopme

Posted 19 April 2011 - 06:51 PM

Yes, that should work. If it fails, run SFC

Please run SFC (System File Checker)
Please run System File Checker sfc /scannow... For more information on this tool see How To Use Sfc.exe To Repair System Files

NOTE for Vista/WIN 7 users.. The command needs to be run from an Elevated Command Prompt. Click Start, type cmd into the Start/Search box,
right-click cmd.exe in the list above and select 'Run as Administrator'


You will need your operating system CD handy.

Open Windows Task Manager....by pressing CTRL+SHIFT+ESC

Then click File.. then New Task(Run)

In the box that opens type sfc /scannow ......There is a space between c and /

Click OK
Let it run and insert the CD when asked.


To Re Hide files
Go to How to see hidden files in Windows
http://www.bleepingcomputer.com/tutorials/how-to-see-hidden-files-in-windows/#vista
Under Vista, ADD the checkmarks in steps 6 and 7.
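The question in #11 is whether clearing the hidden attribute will also expose files Windows itself keeps hidden, such as desktop.ini. Those are normally flagged System (+S) as well as Hidden (+H), which is what distinguishes them from user files the rogue hid. The following is an added example, not BleepingComputer's Unhide.exe and not part of the thread: it removes +H only from items that are not also +S, so OS-managed files stay hidden and there is nothing to re-hide afterwards. Assumptions: PowerShell 2 or later, run as Administrator, and the user's files live under the roots given (the defaults are an assumption).

```powershell
# Added example: clear Hidden (+H) on user files while leaving Hidden+System (+S) files alone.
param(
    [string[]]$Roots = @("$env:SystemDrive\Users"),   # assumption: where the hidden user files are
    [switch]$WhatIf                                   # list what would change, touch nothing
)

$hidden  = [int][IO.FileAttributes]::Hidden
$system  = [int][IO.FileAttributes]::System
$reparse = [int][IO.FileAttributes]::ReparsePoint
$normal  = [int][IO.FileAttributes]::Normal
$count   = 0

foreach ($root in $Roots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    # -Force is required; without it Get-ChildItem does not return hidden items at all.
    Get-ChildItem -LiteralPath $root -Recurse -Force -ErrorAction SilentlyContinue |
      ForEach-Object {
        $attr = [int]$_.Attributes
        # Leave junctions alone (Vista profiles contain hidden compatibility junctions).
        if (($attr -band $reparse) -ne 0) { return }
        # Not hidden, or hidden AND system (desktop.ini and friends): skip.
        if (($attr -band $hidden) -eq 0 -or ($attr -band $system) -ne 0) { return }
        $new = $attr -band (-bnot $hidden)
        if ($new -eq 0) { $new = $normal }   # 0 is not a valid set; Normal means "no attributes"
        if ($WhatIf) {
            Write-Output "would unhide: $($_.FullName)"
        } else {
            $_.Attributes = [IO.FileAttributes]$new
            Write-Output "unhidden: $($_.FullName)"
        }
        $count++
      }
}
Write-Output "$count item(s) processed"
```

Run it once with -WhatIf to review the list before letting it change anything; files you hid on purpose will be unhidden too, since nothing on disk distinguishes them from files the rogue hid.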
