"Windows Restore" malware/virus

"Windows Restore" malware/virus

Post by moreyag on Tue 12 Apr 2011, 5:26 am

Hello to all
Running Windows XP Pro SP3 on a work PC and picked up a beauty called "windows restore"
Can't get to System Restore, ran AVG in "Safe Mode" but it's still with me.
I'm using my laptop now to post this.
Help.
thanks in advance and best regards
Morey G

moreyag
Rookie Surfer
Posts : 95
Joined : 2009-12-06
Operating System : windows xp & xp pro

Re: "Windows Restore" malware/virus

Post by Crush on Tue 12 Apr 2011, 6:11 am

Hi,

Please download ComboFix from BleepingComputer.com

Alternate link: GeeksToGo.com

Rename ComboFix.exe to commy.exe before you save it to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. A guide to do this can be found here
  • Click Start>Run then copy paste the following command into the Run box & click OK "%userprofile%\desktop\commy.exe" /stepdel
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


  • Click on Yes, to continue scanning for malware.
  • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.

Crush
Tech Officer
Posts : 3889
Joined : 2010-01-28

Re: "Windows Restore" malware/virus

Post by moreyag on Tue 12 Apr 2011, 6:24 am

i am getting a message to uninstall avg antivirus - "it will be dangerous to continue uninstall avg or use another tool"
i disabled AVG and i still get this message?
i then ran malwarebytes antimalware removal which seems to have removed the virus but now i have NOTHING in my programs on the start menu
i can't find system restore to restore the system.
what a mess!


Re: "Windows Restore" malware/virus

Post by Crush on Tue 12 Apr 2011, 7:24 am

Hi,

So now nothing works after running malwarebytes? Or just the Start Menu>All Programs is blank?

We need to uninstall AVG for ComboFix to work.

Please download Revo Uninstaller from here: Revo Uninstaller

  1. Download and run the setup file for Revo Uninstaller.
  2. Once setup, run Revo Uninstaller.
  3. Select the following item for removal by clicking on it once.

    AVG

  4. Then hit the "Uninstall" button at the top.
  5. Close Revo Uninstaller.


Re: "Windows Restore" malware/virus

Post by moreyag on Tue 12 Apr 2011, 7:35 am

OK - so here's where i'm at now.
i guess the fact that combofix terminated all processes allowed me to run AMB and it appears that it found and removed the virus.
i then found system restore in the sys32 folder, ran it from there, and restored to an earlier point.
it appears that the PC is ok now but my IE Favorites folder is EMPTY.
is there a back-up of that somewhere?
Thanks in advance and regards
mg


Re: "Windows Restore" malware/virus

Post by Crush on Tue 12 Apr 2011, 8:05 am

Hi,

Can you post the malwarebytes log please? Try running ComboFix once more as well and post that log. We'll deal with the other issue after we confirm the malware is gone. I have a tool in mind that will fix it


Re: "Windows Restore" malware/virus

Post by moreyag on Tue 12 Apr 2011, 8:20 am

i can't locate the AMB log file. when i try to run malwarebytes i get this error message now:
MBAM_ERROR_LOAD_DATABASE(0, 53)

and an IE update - the favorites folder is there, it's got everything in it, but it will not display when i click on "Favorites" on either the start menu OR the Favorites link on the IE toolbar.


Re: "Windows Restore" malware/virus

Post by Crush on Tue 12 Apr 2011, 8:25 am

Can you open My Computer?

Try navigating to C:\Program Files\Malwarebytes Anti-Malware\Logs

and tell me if the log is there


Re: "Windows Restore" malware/virus

Post by moreyag on Wed 13 Apr 2011, 2:39 am

i looked in the program folder and there is no sub-folder "logs" or any text files anywhere in the ABM folder. i can't recall if it's a ".txt" file extension to do a complete search.


Re: "Windows Restore" malware/virus

Post by Crush on Wed 13 Apr 2011, 3:21 am

Hmm. Is it at C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\


Re: "Windows Restore" malware/virus

Post by moreyag on Wed 13 Apr 2011, 5:47 am

i used the revo and uninstalled the remnants of the non-functioning AMB and ran it again. i still have issues with IE8 and the "Favorites" but for now AMB found 2 issues, i deleted them and here is the log from that scan:
(and thanks!)

Malwarebytes' Anti-Malware 1.50.1.1100

Database version: 6343

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

4/12/2011 1:35:46 PM
mbam-log-2011-04-12 (13-35-46).txt

Scan type: Quick scan
Objects scanned: 187618
Time elapsed: 22 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer (PUM.Bad.Proxy) -> Value: ProxyServer -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

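The log above records two PUM (potentially unwanted modification) registry hits: a ProxyServer value under the user's Internet Settings and Start_ShowHelp forced to 0 under Explorer\Advanced. As an added example, not code from this thread or from Malwarebytes, here is a small Python parser for this MBAM 1.x log layout. It pulls out the header fields, the per-section summary counts and each detection line, cross-checks the claimed counts against the detection lines actually present (a log that has been edited or truncated before posting fails that check), and tags the two registry indicators with what a defender should verify after cleanup. The embedded log is a constructed copy of the one posted; the regular expressions and field names are my own assumptions about the format, not a documented Malwarebytes schema.

```python
"""Parser for Malwarebytes' Anti-Malware 1.x scan logs (the layout posted in
this thread), with a count consistency check and indicator tagging.
Regexes and field names are assumptions about the format, not an official schema."""
import re
from dataclasses import dataclass, field

# Constructed sample with the same shape and values as the log posted above.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.50.1.1100

Database version: 6343

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

4/12/2011 1:35:46 PM
mbam-log-2011-04-12 (13-35-46).txt

Scan type: Quick scan
Objects scanned: 187618
Time elapsed: 22 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer (PUM.Bad.Proxy) -> Value: ProxyServer -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Files Infected:
(No malicious items detected)
"""

COUNT_RE = re.compile(r"^(?P<section>.+ Infected): (?P<n>\d+)$")   # summary line
SECTION_RE = re.compile(r"^(?P<section>.+ Infected):$")            # section header
# Detection line: <target> (<Threat.Name>) -> [<detail> -> ]<action>
DETECTION_RE = re.compile(
    r"^(?P<target>.+?) \((?P<threat>[^()]+)\) -> (?:(?P<detail>.+?) -> )?(?P<action>.+)$"
)

# Defender notes for the threat families seen in this thread (my wording).
INDICATOR_NOTES = {
    "PUM.Bad.Proxy": "HKCU ProxyServer was set: browser traffic may have been routed "
                     "through a third-party proxy; confirm ProxyEnable is 0 and "
                     "ProxyServer is empty after cleanup.",
    "PUM.Hijack.StartMenu": "Start_ShowHelp was forced to 0 (hides Help on the Start "
                            "menu); review the other values under Explorer\\Advanced.",
}

@dataclass
class Detection:
    section: str
    target: str
    threat: str
    detail: str
    action: str

@dataclass
class ScanReport:
    product: str = ""
    database_version: str = ""
    scan_type: str = ""
    objects_scanned: int = 0
    counts: dict = field(default_factory=dict)      # section -> claimed count
    detections: list = field(default_factory=list)  # Detection objects

def parse_mbam_log(text: str) -> ScanReport:
    """Walk the log line by line, tracking which 'X Infected:' section is open."""
    report = ScanReport()
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not report.product and line.startswith("Malwarebytes"):
            report.product = line
        elif line.startswith("Database version:"):
            report.database_version = line.split(":", 1)[1].strip()
        elif line.startswith("Scan type:"):
            report.scan_type = line.split(":", 1)[1].strip()
        elif line.startswith("Objects scanned:"):
            report.objects_scanned = int(line.split(":", 1)[1])
        elif (m := COUNT_RE.match(line)):
            report.counts[m["section"]] = int(m["n"])
        elif (m := SECTION_RE.match(line)):
            section = m["section"]
        elif section and line != "(No malicious items detected)":
            m = DETECTION_RE.match(line)
            if m:  # unrecognised lines inside a section are skipped, not fatal
                report.detections.append(Detection(
                    section, m["target"], m["threat"], m["detail"] or "", m["action"]))
    return report

def verify_counts(report: ScanReport) -> dict:
    """Return {section: (claimed, parsed)} for every summary count that does not
    match the detection lines actually found under that section."""
    mismatches = {}
    for section, claimed in report.counts.items():
        parsed = sum(1 for d in report.detections if d.section == section)
        if parsed != claimed:
            mismatches[section] = (claimed, parsed)
    return mismatches

def tag_indicators(report: ScanReport) -> list:
    """Pair each detection with the follow-up note for its threat family."""
    return [(d.threat, d.target, INDICATOR_NOTES.get(d.threat, "unclassified"))
            for d in report.detections]

if __name__ == "__main__":
    rep = parse_mbam_log(SAMPLE_LOG)
    print(rep.product, "| db", rep.database_version, "| scanned", rep.objects_scanned)
    for threat, target, note in tag_indicators(rep):
        print(f"{threat}: {target}\n    {note}")
    print("count mismatches:", verify_counts(rep) or "none")
```

Run it on a saved mbam-log-*.txt by passing the file contents to parse_mbam_log; a non-empty result from verify_counts is the first thing to ask about when a poster has pasted only part of a log.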

Re: "Windows Restore" malware/virus

Post by Crush on Wed 13 Apr 2011, 8:03 am

Hi,

This will fix the issue.


  • Please download and run UnHide.exe by Grinler.
  • Once finished let me know how things are running after this.


Re: "Windows Restore" malware/virus

Post by moreyag on Thu 14 Apr 2011, 12:06 am

Crush
Thanks! That did it.
IE favorites restored and the system appears to be running malware-free (at the moment, anyway)
Thanks again for all your help and regards
MoreyG


Re: "Windows Restore" malware/virus

Post by Crush on Thu 14 Apr 2011, 6:57 am

Fantastic. Can you try running ComboFix again. Let's see if it will run this time


Re: "Windows Restore" malware/virus

Post by moreyag on Fri 15 Apr 2011, 2:26 am

Crush
since combofix is pretty invasive, do you think i need to run it?
the pc seems to be running just fine, i did spybot, amb, and avg scans and nothing was detected.
i await your reply and thanks again
morey


Re: "Windows Restore" malware/virus

Post by Crush on Fri 15 Apr 2011, 3:34 am

I would run ComboFix just to be sure everything is gone, yes
