Windows 7 Recovery Virus Help


  • This topic is locked
27 replies to this topic

#1 Claytronic
Posted 03 June 2011 - 04:23 PM

Hello, I'm new here. I created this topic just so I could get some help for that dreaded Windows 7 Recovery virus.

Yesterday I was browsing the internet [on what I thought were safe sites.. I literally got the Avast notices popping up while looking for recipes] and then the fake Windows warnings started coming up. My friend told me this was the Windows 7 Recovery virus. I immediately started scanning with Malwarebytes but the virus restarted my computer after about 10 minutes or so.
I got onto my dad's laptop [which is the one I'm on right now] and booted my own laptop in Safe-Mode hoping I could catch the virus. I believe I originally "caught" it and deleted it out of quarantine but the virus icon remained on the desktop and the fake scareware ad pops up whenever I restart.
Then I found BleepingComputer's solution to this virus and downloaded RKill onto my computer [in safe-mode, just to be sure I could even download anything] and then rebooted out of safe-mode to try and use RKill. Avast blocked it and wouldn't let me open it no matter what setting I chose on its popup [Open normally, for example] and that's where I'm stuck.

Any help getting me rid of this virus would be extremely appreciated, thank you!!

EDIT: I should also mention that whenever I start MalwareBytes, it wants to update but I get a "Malwarebytes update error 5, 0, Createfile" error, and the update fails. I found this solution here: http://forums.malwarebytes.org/index.php?showtopic=69083 but didn't want to try it right away because I didn't want to uninstall my anti-malware only to have the virus tell me I can't re-download it... so I thought it would be best for me to ask you first.

EDIT EDIT: I think I need to mention that I'm no computer expert by any means, but I will try my best to follow the instructions/supply any information needed.

Thanks!

Edited by Claytronic, 04 June 2011 - 02:46 AM.



#2 cryptodan

Posted 06 June 2011 - 08:22 PM

Have you been able to run Malwarebytes?

#3 Claytronic (Topic Starter)
Posted 06 June 2011 - 08:55 PM

> Have you been able to run Malwarebytes?

I've run it in Safe-Mode and it did catch something one of the first times I scanned but that didn't get rid of the problem.

#4 cryptodan

Posted 06 June 2011 - 09:30 PM

Can you post the log of what it did find?

#5 Claytronic (Topic Starter)

Posted 06 June 2011 - 09:41 PM

> Can you post the log of what it did find?

I will try to get on the forums in safe mode and post the logs tonight [I'm not on my own computer right now]

#6 Claytronic (Topic Starter)

Posted 06 June 2011 - 10:12 PM

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5363

Windows 6.1.7600 (Safe Mode)
Internet Explorer 8.0.7600.16385

6/03/11 2:18:26 AM
mbam-log-2011-06-03 (02-18-26).txt

Scan type: Quick scan
Objects scanned: 154982
Time elapsed: 3 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (PUM.Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Users\Clayton\AppData\Local\Temp\0.07506300300614721.exe (Trojan.Dropper) -> Quarantined and deleted successfully.


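The log above shows the rogue's footprint in the registry: two per-user policy values (NoChangingWallpaper and DisableTaskMgr) set to 1, which is what Malwarebytes reports as "Bad: (1) Good: (0)", plus a dropper executed from the user's Temp directory. The following PowerShell script is an added example for re-checking a machine after cleanup; it is not part of this thread and not Malwarebytes' or BleepingComputer's code. The two policy paths and value names are taken from the log; DisableRegistryTools and NoDesktop are added as assumptions about related lockdown values, and the Temp-directory heuristic for Run entries is likewise an assumption, not something the log shows. It is written to run under the PowerShell 2.0 that ships with Windows 7, as the affected user, since the keys live under HKCU.

```powershell
# Added example, not code from the thread. Audits the HKCU policy values that
# the Malwarebytes log flagged and lists Run entries that launch from Temp.

$checks = @(
    # Taken from the log:
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop'; Name = 'NoChangingWallpaper' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';        Name = 'DisableTaskMgr' },
    # Assumption: related lockdown values not present in the log, included for completeness.
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';        Name = 'DisableRegistryTools' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer';      Name = 'NoDesktop' }
)

function Get-PolicyLockdown {
    # Report each value; Bad mirrors Malwarebytes' "Bad: (1) Good: (0)" convention.
    foreach ($c in $checks) {
        $value = $null
        if (Test-Path $c.Path) {
            $value = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        }
        New-Object PSObject -Property @{
            Path  = $c.Path
            Name  = $c.Name
            Value = $value
            Bad   = ($value -eq 1)
        } | Select-Object Path, Name, Value, Bad
    }
}

function Clear-PolicyLockdown {
    # Remove any value still set to 1; absent means the policy is not enforced.
    param([switch]$WhatIf)
    Get-PolicyLockdown | Where-Object { $_.Bad } | ForEach-Object {
        if ($WhatIf) {
            "Would remove $($_.Path)\$($_.Name)"
        } else {
            Remove-ItemProperty -Path $_.Path -Name $_.Name
            "Removed $($_.Path)\$($_.Name)"
        }
    }
}

function Get-SuspiciousRunEntries {
    # Assumption: the dropper in the log ran from %LOCALAPPDATA%\Temp, so flag
    # any Run entry whose command line points into a Temp directory.
    $runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    foreach ($k in $runKeys) {
        if (-not (Test-Path $k)) { continue }
        $props = Get-ItemProperty -Path $k
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, etc.
            if ($p.Value -match '\\AppData\\Local\\Temp\\|\\Temp\\') {
                New-Object PSObject -Property @{ Key = $k; Name = $p.Name; Command = $p.Value } |
                    Select-Object Key, Name, Command
            }
        }
    }
}

Get-PolicyLockdown | Format-Table -AutoSize
Get-SuspiciousRunEntries | Format-Table -AutoSize
# Clear-PolicyLockdown -WhatIf   # preview; run without -WhatIf to reset the values
```

Run the audit once after Malwarebytes reports the values removed and again after the reboot it asks for: a value that comes back to 1 means something still running is re-applying the policy, and the Run entries are the first place to look for what that is.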

#7 cryptodan

Posted 06 June 2011 - 10:13 PM

Can you try the scan in Normal Mode?

#8 Claytronic (Topic Starter)

Posted 06 June 2011 - 10:19 PM

> Can you try the scan in Normal Mode?

I'm trying but the computer is really slow, to the point that Malwarebytes isn't responding and I keep getting "RAM usage is critically high" warnings [which is probably the virus].

EDIT: It's quick-scanning but the virus keeps popping up those annoying warnings

Edited by Claytronic, 06 June 2011 - 10:21 PM.


#9 Claytronic (Topic Starter)

Posted 06 June 2011 - 10:42 PM

PUM.Hijack.DisplayProperties Registry Data HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\A


Then a DELAYED WRITE FAILED or something popped up and I had to restart my computer in safe-mode because it was slowing my computer down way too much that I couldn't see the rest of "Policies\A"

So now I'm in Safe-Mode scanning to see if I can see it again.

EDIT: I caught it again, but my computer isn't wide enough to see the name of it. Should I click "Remove Selected" to see if a log will be created?

Edited by Claytronic, 06 June 2011 - 10:47 PM.


#10 cryptodan

Posted 06 June 2011 - 10:54 PM

Have you tried downloading rkill from this site?

#11 Claytronic (Topic Starter)

Posted 06 June 2011 - 10:55 PM

> Have you tried downloading rkill from this site?

Yes, I have RKill

#12 Claytronic (Topic Starter)

Posted 06 June 2011 - 11:45 PM

Alright, I removed that warning I caught in Safe-Mode and this is the log I got:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5363

Windows 6.1.7600 (Safe Mode)
Internet Explorer 8.0.7600.16385

6/07/11 12:39:23 AM
mbam-log-2011-06-07 (00-39-23).txt

Scan type: Quick scan
Objects scanned: 155053
Time elapsed: 3 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (PUM.Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


And then it told me to restart to finish deleting whatever it caught but I haven't restarted yet because I don't know if you want me to.

#13 cryptodan

Posted 06 June 2011 - 11:51 PM

Reboot and go into normal mode then run rkill.

#14 Claytronic (Topic Starter)

Posted 06 June 2011 - 11:55 PM

Avast! won't let me open it. Should I disable Avast? I don't want to potentially let any more viruses in, even though I have disconnected my wireless internet.
[I'm kind of paranoid]

Edited by Claytronic, 07 June 2011 - 02:04 AM.


#15 cryptodan

Posted 07 June 2011 - 06:54 AM

Disable Avast to allow rkill to run.



