Windows Recovery fix did not work for me (not yet)


43 replies to this topic

#1 roymail

Posted 27 April 2011 - 10:27 AM

Hi guys,

Last Friday my pc was attacked by aliens who planted the so-called "Windows Recovery Virus". In Normal Mode the pc is useless due to all the crap that shows up when I boot up. However, in Safe Mode I have the limited options that Safe Mode provides. So I set up my old pc, slow but works, found this forum and the Windows Recovery Virus fix.

I downloaded RKill and Malwarebytes onto a thumbdrive and loaded them onto my infected pc via Safe Mode. I followed the instructions. RKill loaded and ran successfully after several attempts. The log indicated that no processes were addressed, and I still had the black background. Hmm. So, I did not reboot but proceeded to run Malwarebytes. I ran the full system scan and it found 1 infection (I should have written down the name) which I immediately quarantined.

At this point I did reboot, and to my dismay nothing was changed and the virus remains. I'm not sure what to do now or what my next move should be. Should I continue to run RKill or Malwarebytes multiple times or what?

I would really appreciate any suggestion or advice from you techs who know what to do. My last resort is to reformat and reload. I don't mind doing that, but I need to recover some valuable data which I can't do at this point without gaining further control of the pc.

Thanks to all. Great forum. This is my first post. I hope it's productive.


#2 roymail (Topic Starter)

Posted 27 April 2011 - 11:21 PM

I ran two more scans tonight with Malwarebytes, and both showed no infections. Yet the black background and Windows Recovery virus screens all remain. This was all done in Safe Mode, of course.

In my previous post, I mentioned that Malwarebytes found one infection the first time I ran it. I found it in Quarantine, and it's called *PUM.Hijack.Taskmanager*. I removed the infected file.

I'm not sure what I should do now to get rid of this thing. It's got to be hiding someplace.

#3 techextreme (Bleepin Tech, BC Advisor)

Posted 28 April 2011 - 10:53 AM

Hi roymail,

I see that you have gone through the instructions posted here. I just want to make sure you paid close attention to this line:

RKill Download Link - (Download page will open in a new tab or browser window.)

When at the download page, click on the Download Now button labeled iExplore.exe download link. When you are prompted where to save it, please save it on your desktop.



Also, please post your Malwarebytes log in your next post.

Techextreme

"Admire those who attempt great things, even though they fail."

-- Seneca

 


#4 roymail (Topic Starter)

Posted 28 April 2011 - 03:45 PM

Hi techextreme,

Thanks very much for your reply. Sorry for the delay, but I just got back to my pc.

Regarding RKill, I did not use iExplore.exe but probably rkill.exe or something like that. The reason was because I use Firefox exclusively and not Internet Explorer. I'm guessing from your question that may have been a mistake on my part. I thought the purpose of RKill was to free up certain processes in order to allow Malwarebytes to run. Since mwbam ran OK and found an infection, I thought that RKill had done its job. Anyway, should I download the iExplore.exe and run it instead?

I'll have to replace this pc with the infected one in order to run the mwbam log. I'll do this and get back to you asap. Thanks very much for your help.

Roy

#5 roymail (Topic Starter)

Posted 28 April 2011 - 06:46 PM

I just ran RKill with iExplore.exe, and it generated a short log which stated, c:\windows\system32\verclsid.exe processes terminated by RKill or while it was running.

Then without rebooting, I ran another Malwarebytes full system scan. Here is the log it generated in Notepad:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5363

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 7.0.5730.13

4/28/2011 4:55:24 PM
mbam-log-2011-04-28 (16-55-24).txt

Scan type: Full scan (C:\|)
Objects scanned: 166166
Time elapsed: 27 minute(s), 18 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Nothing has changed. The last reboot brought up all the same fake Windows Recovery screens with the full black desktop with assorted icons. What now? I can get around and generally carry out computer tasks as instructed, but I'm no tech. Please continue to help. I'm absolutely stuck without someone's help. I know it can be repaired, but I don't have a clue how to do it. Thanks for your assistance!

#6 techextreme (Bleepin Tech, BC Advisor)

Posted 29 April 2011 - 06:52 AM

Hi roymail,

You will need to use the iExplore.exe version of Rkill once again and re-run Malwarebytes after it is updated. From this information here:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5363

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 7.0.5730.13

4/28/2011 4:55:24 PM


Your Database version is out of date. Currently (as of 7:40 am EST) the Malwarebytes Database version is 6470.

If you are unable to update Malwarebytes from your infected computer after running the iExplore.exe version of rkill, you can manually download the Malwarebytes Database from here.

Techextreme



#7 roymail (Topic Starter)

Posted 29 April 2011 - 08:54 AM

I downloaded the Malwarebytes updates to my travel drive per this working pc and will install them on my infected pc asap. Then I will run the whole process again as per your instructions. Thanks again. Hoping this works. I'll post the results.

#8 techextreme (Bleepin Tech, BC Advisor)

Posted 29 April 2011 - 09:16 AM

Sounds good.

I will be available most of today and will be away for the weekend.

Techextreme



#9 roymail (Topic Starter)

Posted 29 April 2011 - 11:16 AM

Good news, it worked this time, and I'm free of that stinking virus. I can't thank you enough for all your help. I hope this thread will be able to help others, too.

I think I have an unrelated problem. For some reason I'm getting frequent script errors and I'm being redirected from Google to other websites. Any idea why or what to do about this one? Please let me know.

techextreme rocks!

#10 techextreme (Bleepin Tech, BC Advisor)

Posted 29 April 2011 - 12:03 PM

Please download GMER from one of the following locations and save it to your desktop:

* Main Mirror
This version will download a randomly named file (Recommended)
* Zipped Mirror
This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.

* Disconnect from the Internet and close all running programs.
* Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
* Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
* Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

* GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
* If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
* Now click the Scan button. If you see a rootkit warning window, click OK.
* When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
* Click the Copy button and paste the results into your next reply.
* Exit GMER and re-enable all active protection when done.

-- If you encounter any problems, try running GMER in Safe Mode.

Techextreme



#11 roymail (Topic Starter)

Posted 29 April 2011 - 01:14 PM

As you requested:

GMER 1.0.15.15572 - http://www.gmer.net
Rootkit quick scan 2011-04-29 13:07:44
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e ST340014AS rev.8.12
Running: jv8jkw55.exe; Driver: C:\DOCUME~1\User1\LOCALS~1\Temp\pxtdapob.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

---- Threads - GMER 1.0.15 ----

Thread System [4:124] 8A580E7A
Thread System [4:128] 8A583008

---- EOF - GMER 1.0.15 ----

#12 roymail (Topic Starter)

Posted 29 April 2011 - 01:16 PM

It seems I have temporarily lost access to "All Programs". Suggestion?

#13 roymail (Topic Starter)

Posted 29 April 2011 - 02:21 PM

The redirect seems to always go to some ad. I've also gotten a message to open a file named application/json a number of times. I just close the browser when that happens.

It does the same thing using Yahoo search. Sometimes you tell it to search for a particular topic and it just sits there and does nothing. I've never had this happen before.

#14 roymail (Topic Starter)

Posted 29 April 2011 - 03:14 PM

I just ran an update to Malwarebytes, and here are the results. Mbam shows to be up to date. All infections were removed.



Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6475

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

4/29/2011 3:04:13 PM
mbam-log-2011-04-29 (15-03-24).txt

Scan type: Quick scan
Objects scanned: 148289
Time elapsed: 3 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 1
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YnnAflICEeXU (Rogue.Agent.SA) -> Value: YnnAflICEeXU -> No action taken.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallPaper (PUM.Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
c:\documents and settings\User1\start menu\Programs\windows recovery (Trojan.FakeAV) -> No action taken.

Files Infected:
c:\documents and settings\User1\start menu\Programs\windows recovery\uninstall windows recovery.lnk (Trojan.FakeAV) -> No action taken.
c:\documents and settings\User1\start menu\Programs\windows recovery\windows recovery.lnk (Trojan.FakeAV) -> No action taken.
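
The log above names the three user-level persistence points this rogue used: a randomly named value under the HKCU Run key (the launcher), two policy DWORDs that disable Task Manager and lock the wallpaper (which is why the black desktop survived earlier scans), and a Start Menu folder of shortcuts. Every line reads "No action taken", which is what Malwarebytes 1.x writes when the log is produced before Remove Selected is clicked, so a second look at those locations is worthwhile either way. The following PowerShell script is an added example written for this thread; it is not code from BleepingComputer, Malwarebytes or the posters. It audits exactly those locations and, with `-Fix`, reverts only the two policy restrictions and the Start Menu folder. Run entries are only reported, never deleted, because the log does not show what `YnnAflICEeXU` pointed to. The script name, the "runs from a user-writable location" heuristic and the assumption that it runs in a PowerShell session as the affected user are all assumptions, not anything the thread states.

```powershell
# Audit-FakeAVPersistence.ps1  (hypothetical name; added example, not from the thread)
# Checks the persistence points named in the Malwarebytes log above.
# Run as the affected user (the entries are under HKCU). Without -Fix it only reports.
param([switch]$Fix)

# 1. Policy restrictions the log flagged ("Bad: (1) Good: (0)"). A clean profile has them absent or 0.
$policyChecks = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';       Name = 'DisableTaskMgr' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop'; Name = 'NoChangingWallPaper' }
)
foreach ($c in $policyChecks) {
    $val = $null
    if (Test-Path $c.Path) { $val = (Get-Item -Path $c.Path).GetValue($c.Name) }
    if ($val -eq 1) {
        Write-Warning ("{0}\{1} = 1 (restriction active)" -f $c.Path, $c.Name)
        if ($Fix) {
            Remove-ItemProperty -Path $c.Path -Name $c.Name
            Write-Host "  removed $($c.Name)"
        }
    } else {
        $shown = if ($null -eq $val) { 'absent' } else { $val }
        Write-Host ("OK   {0}\{1} = {2}" -f $c.Path, $c.Name, $shown)
    }
}

# 2. Run keys. The rogue's launcher was a randomly named value under HKCU; the log does not show
#    what it pointed to, so this section only reports. Heuristic (an assumption, not a signature):
#    an autorun whose executable lives under the user profile or Temp deserves a look, because
#    a user-level infection can only write there.
$userWritable = @(@($env:USERPROFILE, $env:TEMP, $env:APPDATA, $env:LOCALAPPDATA) | Where-Object { $_ })
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $k = Get-Item -Path $key
    foreach ($name in $k.GetValueNames()) {
        $data = [string]$k.GetValue($name)
        # First token of the command line, with or without surrounding quotes.
        $exe = if ($data -match '^"([^"]+)"') { $Matches[1] } elseif ($data -match '^(\S+)') { $Matches[1] } else { '' }
        $exe = [Environment]::ExpandEnvironmentVariables($exe)
        $flagged = $false
        foreach ($root in $userWritable) {
            if ($exe.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) { $flagged = $true }
        }
        if ($flagged) { Write-Warning ("{0}\{1} -> {2} (runs from a user-writable location)" -f $key, $name, $data) }
        else          { Write-Host    ("     {0}\{1} -> {2}" -f $key, $name, $data) }
    }
}

# 3. Start Menu shortcut folder the log flagged (resolves to Start Menu\Programs for this user).
$rogueFolder = Join-Path ([Environment]::GetFolderPath('Programs')) 'windows recovery'
if (Test-Path -LiteralPath $rogueFolder) {
    Write-Warning "rogue shortcut folder present: $rogueFolder"
    if ($Fix) {
        Remove-Item -LiteralPath $rogueFolder -Recurse -Force
        Write-Host '  removed'
    }
} else {
    Write-Host "OK   no '$rogueFolder'"
}
```

Run it once without arguments to see the report, then with `-Fix` to clear the two policy values and the shortcut folder. Any Run entry it flags should be checked by hand (what the file is, whether it is signed, whether it still exists) before being removed; a legitimate per-user updater can also live under the profile, which is why the script leaves that decision to the person reading the output.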

#15 roymail (Topic Starter)

Posted 30 April 2011 - 04:58 PM

Techextreme, I'm posting an update for when you return from your weekend.

The Windows Recovery virus issues are apparently gone. I'm very grateful for all your help. Thanks so much!

However, I'm left with the following problems: Google redirect, numerous script error popups, random audio, Windows "All Programs" (in the start menu) programs do not come up.

Can you please help me with these problems, too? Thank you again!



