Windows XP Restore Virus


6 replies to this topic

#1 kamerlet

  • Members
  • 79 posts
  • Gender: Female
  • Location: Virginia

Posted 15 June 2011 - 08:18 PM

Hello

I'm trying to fix an HP desktop running XP that has a Windows XP Restore virus that is not allowing me to get to my desktop, programs or the Internet. All I get is a black screen with the fake alert telling me my hard drive failed and a bunch of false error messages.

I am able to boot up in Safe Mode (blank desktop), and I was able to run Malwarebytes by going through My Computer. But upon rebooting the virus was still there. I'm trying to get the RKill download but I don't know how. Any suggestions?

Thank you,
If Jimmy cracks corn and nobody cares, why did they write a song about him?

#2 cryptodan

    Bleepin Madman

  • Members
  • 21,868 posts
  • Gender: Male
  • Location: Catonsville, Md

Posted 19 June 2011 - 02:42 PM

Can you post the logs from Malwarebytes?

Edited by cryptodan, 19 June 2011 - 02:47 PM.


#3 kamerlet
  • Topic Starter

  • Members
  • 79 posts
  • Gender: Female
  • Location: Virginia

Posted 20 June 2011 - 09:44 AM

Here is the log from the Malwarebytes scan. Additionally, I was able to run RKill and Unhide in Safe Mode. However, when I rebooted and went to a normal login, the Windows XP Restore was still there. I am not able to do anything in a regular login, only in Safe Mode.

Thanks.
Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6902

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702

6/20/2011 10:37:04 AM
mbam-log-2011-06-20 (10-37-04).txt

Scan type: Full scan (C:\|)
Objects scanned: 271565
Time elapsed: 2 hour(s), 26 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 14

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yxEebvTBWi (Trojan.FakeAlert) -> Value: yxEebvTBWi -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\all users\application data\yxeebvtbwi.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\documents and settings\all users\application data\18472740.exe (Trojan.FakeAV) -> Quarantined and deleted successfully.
c:\documents and settings\Owner\Desktop\unused desktop shortcuts\ymsgr_beta.exe (Heuristics.Shuriken) -> Quarantined and deleted successfully.
c:\documents and settings\Owner\local settings\Temp\226.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\documents and settings\Owner\local settings\Temp\227.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\documents and settings\Owner\local settings\Temp\e.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\system volume information\_restore{0a438c3b-a487-4c6d-850c-c76cc3327fd0}\RP3345\A0281240.DLL (PUP.FunWebProducts) -> Quarantined and deleted successfully.
c:\system volume information\_restore{0a438c3b-a487-4c6d-850c-c76cc3327fd0}\RP3345\A0281241.DLL (PUP.FunWebProducts) -> Quarantined and deleted successfully.
c:\system volume information\_restore{0a438c3b-a487-4c6d-850c-c76cc3327fd0}\RP3345\A0281242.DLL (PUP.FunWebProducts) -> Quarantined and deleted successfully.
c:\system volume information\_restore{0a438c3b-a487-4c6d-850c-c76cc3327fd0}\RP3345\A0281243.DLL (PUP.FunWebProducts) -> Quarantined and deleted successfully.
c:\system volume information\_restore{0a438c3b-a487-4c6d-850c-c76cc3327fd0}\RP3345\A0281249.DLL (PUP.FunWebProducts) -> Quarantined and deleted successfully.
c:\system volume information\_restore{0a438c3b-a487-4c6d-850c-c76cc3327fd0}\RP3345\A0281252.DLL (PUP.FunWebProducts) -> Quarantined and deleted successfully.
c:\system volume information\_restore{0a438c3b-a487-4c6d-850c-c76cc3327fd0}\RP3345\A0281253.DLL (PUP.FunWebProducts) -> Quarantined and deleted successfully.
c:\system volume information\_restore{0a438c3b-a487-4c6d-850c-c76cc3327fd0}\RP3345\A0281272.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
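The log above is the most useful artifact in this thread: it shows how the rogue got a foothold (a randomly named value under HKCU\...\Run that launches an .exe dropped in All Users\Application Data), the companion droppers in the user's Temp folder, and a set of older adware DLLs that live only inside System Restore points. Sorting detections into those classes is what decides the follow-up steps, so here is an added example (written for this thread, not a BleepingComputer or Malwarebytes tool) that parses a Malwarebytes 1.x log and reports which detections are active persistence, which are dropped executables in user-writable locations, and which are restore-point residue. The log excerpt is constructed from the entries posted above; the category names and the recommendation text are my own.

```python
"""Triage a Malwarebytes' Anti-Malware 1.x log.

Added example for this thread, not a BleepingComputer or Malwarebytes tool.
Pulls every detection line out of the log, classifies its location, and
says what each class means for cleanup.  SAMPLE_LOG is a constructed excerpt
in the 1.x layout built from the entries posted in the thread.
"""
import re
from collections import Counter

# Constructed excerpt: a section header line, then one detection per line in
# the form "<location> (<threat name>) -> [Value: <name> ->] <action>".
SAMPLE_LOG = r"""
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yxEebvTBWi (Trojan.FakeAlert) -> Value: yxEebvTBWi -> Quarantined and deleted successfully.

Files Infected:
c:\documents and settings\all users\application data\yxeebvtbwi.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\documents and settings\Owner\local settings\Temp\226.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\system volume information\_restore{0a438c3b-a487-4c6d-850c-c76cc3327fd0}\RP3345\A0281240.DLL (PUP.FunWebProducts) -> Quarantined and deleted successfully.
c:\system volume information\_restore{0a438c3b-a487-4c6d-850c-c76cc3327fd0}\RP3345\A0281272.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
"""

# One detection line: location, "(threat)", then the "->" chain ending in the action.
DETECTION_RE = re.compile(r"^(?P<loc>.+?) \((?P<threat>[^()]+)\) -> (?P<rest>.+)$")
# Autostart registry locations (the classic Run/RunOnce keys).
AUTORUN_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\", re.I)
# Files inside System Restore snapshots: dormant copies, not running code.
RESTORE_RE = re.compile(r"\\system volume information\\_restore\{", re.I)
# Locations a limited user can write to, where droppers typically land.
USER_WRITABLE_RE = re.compile(r"\\(local settings\\temp|application data)\\", re.I)


def parse_detections(text):
    """Return one dict per detection line: section, location, threat, action."""
    found, section = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.endswith("Infected:"):          # section header, e.g. "Files Infected:"
            section = line[:-1]
            continue
        m = DETECTION_RE.match(line)
        if m and section:
            action = m.group("rest").split(" -> ")[-1]   # last element is the action taken
            found.append({"section": section, "location": m.group("loc"),
                          "threat": m.group("threat"), "action": action})
    return found


def classify(det):
    """Map a detection to a cleanup class based on where it was found."""
    loc = det["location"]
    if AUTORUN_RE.search(loc):
        return "autorun-persistence"
    if RESTORE_RE.search(loc):
        return "restore-point-residue"
    if USER_WRITABLE_RE.search(loc):
        return "dropped-executable"
    return "other"


def triage(text):
    """Summarise a log: counts per class, autorun value names, and anything not removed."""
    dets = parse_detections(text)
    by_class = Counter(classify(d) for d in dets)
    autorun_names = [d["location"].rsplit("\\", 1)[-1]
                     for d in dets if classify(d) == "autorun-persistence"]
    not_removed = [d["location"] for d in dets
                   if not d["action"].lower().startswith("quarantined and deleted")]
    return {"total": len(dets), "by_class": dict(by_class),
            "threats": dict(Counter(d["threat"] for d in dets)),
            "autorun_value_names": autorun_names, "not_removed": not_removed}


def follow_up(summary):
    """Plain-language next steps derived from the classes present (my wording, an assumption)."""
    steps = []
    c = summary["by_class"]
    if c.get("autorun-persistence"):
        steps.append("Re-check the Run/RunOnce keys after a normal-mode reboot; "
                     "a surviving autorun value means the rogue will relaunch.")
    if c.get("dropped-executable"):
        steps.append("Clear Temp and Application Data droppers and confirm nothing "
                     "there is still scheduled or referenced from an autorun.")
    if c.get("restore-point-residue"):
        steps.append("Restore-point copies cannot run by themselves; purge old "
                     "System Restore points after cleanup so they cannot be restored.")
    if summary["not_removed"]:
        steps.append("Rescan: some detections were not quarantined and deleted.")
    return steps


if __name__ == "__main__":
    s = triage(SAMPLE_LOG)
    print(s)
    for step in follow_up(s):
        print("-", step)
```

Run against the full log from the post, the classifier puts the Run value and its target executable in the persistence and dropper classes and all eight RP3345 DLLs in the restore-point class, which matches what happened in the thread: the live rogue was the Run value plus the dropped .exe, and the restore-point hits were old FunWebProducts/MyWebSearch adware that was never running.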

#4 cryptodan

    Bleepin Madman

  • Members
  • 21,868 posts
  • Gender: Male
  • Location: Catonsville, Md

Posted 20 June 2011 - 01:34 PM

Try running the programs in normal mode.

#5 kamerlet
  • Topic Starter

  • Members
  • 79 posts
  • Gender: Female
  • Location: Virginia

Posted 20 June 2011 - 03:55 PM

As I mentioned I can't run them in normal mode. The virus takes over and keeps me from running anything. I don't know how to stop it.

Anyone have any ideas on how I can run RKill in normal mode?

Edited by kamerlet, 20 June 2011 - 05:06 PM.


#6 kamerlet
  • Topic Starter

  • Members
  • 79 posts
  • Gender: Female
  • Location: Virginia

Posted 21 June 2011 - 10:48 AM

OK, after some doing I got RKill and Malwarebytes running in normal mode. Did it twice and it looks like the XP Restore virus is gone.

Now my new problem is with Unhide.exe. I am following the info on

http://www.bleepingcomputer.com/forums/topic405109.html

But while I can see the programs, all the files read "empty". For example: Accessories, System Tools, Internet Explorer (no add-ons). All of my other programs just read "empty" too.

How can I get these back?

#7 cryptodan

    Bleepin Madman

  • Members
  • 21,868 posts
  • Gender: Male
  • Location: Catonsville, Md

Posted 21 June 2011 - 01:29 PM

Try this: http://download.bleepingcomputer.com/grinler/beta/unhide.exe