"Windows Restore" malware/virus


Post by moreyag on 11th April 2011, 6:26 pm

Hello to all
Running Windows XP Pro SP3 on a work PC and picked up a beauty called "windows restore".
Can't get to System Restore, ran AVG in "Safe Mode" but it's still with me.
I'm using my laptop now to post this.
Help.
thanks in advance and best regards
Morey G

moreyag
Intermediate

Posts : 95
Joined : 2009-12-05
OS : windows xp & xp pro
Points : 26929
# Likes : 0


Re: "Windows Restore" malware/virus

Post by Crush on 11th April 2011, 7:11 pm

Hi,

Please download ComboFix from [You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.]

Rename ComboFix.exe to commy.exe before you save it to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. A guide to do this can be found [You must be registered and logged in to see this link.]
  • Click Start>Run, then copy and paste the following command into the Run box and click OK: "%userprofile%\desktop\commy.exe" /stepdel
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


  • Click on Yes, to continue scanning for malware.
  • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.

Crush
Master

Posts : 3889
Joined : 2010-01-27
Gender : Male
Points : 42148
# Likes : 0


Re: "Windows Restore" malware/virus

Post by moreyag on 11th April 2011, 7:24 pm

I am getting a message to uninstall AVG antivirus - "it will be dangerous to continue uninstall avg or use another tool".
I disabled AVG and I still get this message?
I then ran Malwarebytes Anti-Malware removal, which seems to have removed the virus, but now I have NOTHING in my programs on the Start menu.
I can't find System Restore to restore the system.
What a mess!


Re: "Windows Restore" malware/virus

Post by Crush on 11th April 2011, 8:24 pm

Hi,

So now nothing works after running malwarebytes? Or just the Start Menu>All Programs is blank?

We need to uninstall AVG for ComboFix to work.

Please download Revo Uninstall from here: [You must be registered and logged in to see this link.]

  1. Download and run the setup file for Revo Uninstaller.
  2. Once setup, run Revo Uninstaller.
  3. Select the following item for removal by clicking on it once.

    AVG

  4. Then hit the "Uninstall" button at the top.
  5. Close Revo Uninstaller.


Re: "Windows Restore" malware/virus

Post by moreyag on 11th April 2011, 8:35 pm

OK - so here's where I'm at now.
I guess the fact that ComboFix terminated all processes allowed me to run AMB, and it appears that it found and removed the virus.
I then found System Restore in the sys32 folder, ran it from there, and restored to an earlier point.
It appears that the PC is OK now, but my IE Favorites folder is EMPTY.
Is there a back-up of that somewhere?
Thanks in advance and regards
mg


Re: "Windows Restore" malware/virus

Post by Crush on 11th April 2011, 9:05 pm

Hi,

Can you post the Malwarebytes log please? Try running ComboFix once more as well and post that log. We'll deal with the other issue after we confirm the malware is gone. I have a tool in mind that will fix it.


Re: "Windows Restore" malware/virus

Post by moreyag on 11th April 2011, 9:20 pm

I can't locate the AMB log file. When I try to run Malwarebytes I get this error message now:
MBAM_ERROR_LOAD_DATABASE(0, 53)

And an IE update - the Favorites folder is there, it's got everything in it, but it will not display when I click on "Favorites" on either the Start menu OR the Favorites link on the IE toolbar.


Re: "Windows Restore" malware/virus

Post by Crush on 11th April 2011, 9:25 pm

Can you open My Computer?

Try navigating to C:\Program Files\Malwarebytes Anti-Malware\Logs

and tell me if the log is there


Re: "Windows Restore" malware/virus

Post by moreyag on 12th April 2011, 3:39 pm

I looked in the program folder and there is no sub-folder "Logs" or any text files anywhere in the ABM folder. I can't recall if it's a ".txt" file extension to do a complete search.


Re: "Windows Restore" malware/virus

Post by Crush on 12th April 2011, 4:21 pm

Hmm. Is it at C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\ ?


Re: "Windows Restore" malware/virus

Post by moreyag on 12th April 2011, 6:47 pm

I used Revo and uninstalled the remnants of the non-functioning AMB and ran it again. I still have issues with IE8 and the "Favorites", but for now AMB found 2 issues, I deleted them, and here is the log from that scan:
(and thanks!)

Malwarebytes' Anti-Malware 1.50.1.1100
[You must be registered and logged in to see this link.]

Database version: 6343

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

4/12/2011 1:35:46 PM
mbam-log-2011-04-12 (13-35-46).txt

Scan type: Quick scan
Objects scanned: 187618
Time elapsed: 22 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer (PUM.Bad.Proxy) -> Value: ProxyServer -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

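The Malwarebytes log above has a fixed layout: a product/header block, one summary count per category ("Registry Values Infected: 1"), then one section per category listing each item as `<path> (<detection name>) -> <detail> -> <action>.`. The Python below is an added example, not code from the thread or from Malwarebytes, that parses that layout, cross-checks the summary counts against the items actually listed (a truncated or hand-edited log fails that check), and pulls out the `PUM.*` entries, which are modified user settings rather than malware files. `SAMPLE_LOG` is the log posted above with blank lines removed so the script runs offline; the function and class names are the example's own.

```python
"""Parse a Malwarebytes' Anti-Malware 1.50-era text log and sanity-check it.
Added example, not code from the thread or from Malwarebytes. SAMPLE_LOG is
the log posted in the thread with blank lines removed, so this runs offline."""
import re
from dataclasses import dataclass, field

SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.50.1.1100
Database version: 6343
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
4/12/2011 1:35:46 PM
mbam-log-2011-04-12 (13-35-46).txt
Scan type: Quick scan
Objects scanned: 187618
Time elapsed: 22 minute(s), 30 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer (PUM.Bad.Proxy) -> Value: ProxyServer -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
"""

COUNT_RE = re.compile(r"^(?P<cat>[A-Za-z ]+ Infected): (?P<n>\d+)$")  # summary "<Category> Infected: <n>"
SECTION_RE = re.compile(r"^(?P<cat>[A-Za-z ]+ Infected):$")            # section header "<Category> Infected:"
KV_RE = re.compile(r"^(?P<key>Database version|Scan type|Objects scanned|Time elapsed): (?P<val>.+)$")
# item line: "<path> (<detection name>) -> <detail> [-> <detail>] -> <action>."
DETECTION_RE = re.compile(r"^(?P<item>.+?) \((?P<name>[^()]+)\) -> (?P<rest>.+)$")

@dataclass
class Detection:
    category: str   # "Registry Values Infected", "Files Infected", ...
    item: str       # registry path, file path or process name
    name: str       # detection name, e.g. PUM.Bad.Proxy
    details: list   # middle "->" fields, e.g. ["Value: ProxyServer"]
    action: str     # last "->" field with the trailing period removed

@dataclass
class MbamReport:
    product: str = ""
    metadata: dict = field(default_factory=dict)
    summary: dict = field(default_factory=dict)     # category -> declared count
    detections: list = field(default_factory=list)

def parse_mbam_log(text):
    """Parse the log text into an MbamReport."""
    report, section = MbamReport(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not report.product and line.startswith("Malwarebytes"):
            report.product = line
        elif m := KV_RE.match(line):
            report.metadata[m["key"]] = m["val"]
        elif m := COUNT_RE.match(line):
            report.summary[m["cat"]] = int(m["n"])
        elif m := SECTION_RE.match(line):
            section = m["cat"]  # item lines that follow belong to this category
        elif section and not line.startswith("(No malicious") and (m := DETECTION_RE.match(line)):
            parts = [p.strip() for p in m["rest"].split(" -> ")]
            report.detections.append(
                Detection(section, m["item"], m["name"], parts[:-1], parts[-1].rstrip(".")))
    return report

def count_mismatches(report):
    """{category: (declared, listed)} where the summary count and the listed items disagree.
    A truncated or hand-edited log shows up here; a consistent log returns {}."""
    out = {}
    for cat, declared in report.summary.items():
        listed = sum(1 for d in report.detections if d.category == cat)
        if listed != declared:
            out[cat] = (declared, listed)
    return out

def pum_detections(report):
    """PUM.* entries: potentially unwanted modifications of settings, not malware files."""
    return [d for d in report.detections if d.name.startswith("PUM.")]

if __name__ == "__main__":
    rep = parse_mbam_log(SAMPLE_LOG)
    for d in pum_detections(rep):
        print(f"{d.name}: {d.item} {d.details} -> {d.action}")
    print("summary/listing mismatches:", count_mismatches(rep) or "none")
```

On this log the two findings are worth reading as settings rather than as files: the `ProxyServer` value under `Internet Settings` is Internet Explorer's proxy configuration, so an unexpected value there means the browser's traffic was being sent through a host the user did not choose, and `Start_ShowHelp` under `Explorer\Advanced` is a Start menu display option that the scan shows being reset from 0 to 1. Neither entry says anything about where the original dropper went, which is why the helper in the thread still wants a second scan after the cleanup.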

Re: "Windows Restore" malware/virus

Post by Crush on 12th April 2011, 9:03 pm

Hi,

This will fix the issue.


  • Please download and run [You must be registered and logged in to see this link.] by Grinler.
  • Once finished let me know how things are running after this.


Re: "Windows Restore" malware/virus

Post by moreyag on 13th April 2011, 1:06 pm

Crush
Thanks! That did it.
IE favorites restored and the system appears to be running malware-free (at the moment, anyway)
Thanks again for all your help and regards
MoreyG


Re: "Windows Restore" malware/virus

Post by Crush on 13th April 2011, 7:57 pm

Fantastic. Can you try running ComboFix again? Let's see if it will run this time.


Re: "Windows Restore" malware/virus

Post by moreyag on 14th April 2011, 3:26 pm

Crush
Since ComboFix is pretty invasive, do you think I need to run it?
The PC seems to be running just fine; I did Spybot, AMB, and AVG scans and nothing was detected.
I await your reply, and thanks again.
morey


Re: "Windows Restore" malware/virus

Post by Crush on 14th April 2011, 4:34 pm

I would run ComboFix just to be sure everything is gone, yes
