5 Replies Latest reply on Dec 29, 2011 6:19 AM by exbrit

    Windows XP Repair Virus Left Computer a Mess

      My computer had the Windows XP repair virus. I shut off System Restore, and ran both McAffee full scan and Malwarebytes full scan with Windows in Safe Mode. The programs reported removing the virus, but it seems to be back, or to have re-infected somehow. What am I doing wrong?

       

      Message was edited by: SamSwift moving to Top Threats and adding category on 11/07/11 18:57:15 IST
        • 1. Re: Windows XP Repair Virus Left Computer a Mess
          Hayton

          Either you are being re-infected or the original infection was not cleared properly. Malwarebytes is said to perform best when run in normal mode (ie in Windows, not Safe Mode).

           

          I would like you to try the McAfee Fake AV Stinger, which is just being rolled out. The instructions for it are at

          http://www.mcafee.com/us/downloads/free-tools/fake-alert-stinger.aspx.

          There is a fair chance that it will catch XP Repair, since it's a slightly-modified version of a rogue program called XP Recovery which was around a little while back. Try it and let us know if it clears the infection (if not, the techs will take the new variant apart to see what's so different about it).  Then run Malwarebytes again, but in Normal Mode (Windows) and tell us what it found that the Stinger didn't.

           

          Two other things to note : other posters in other forums have said that XP Repair hides files and folders. That's easy to fix : just open Explorer, select Tools-->Folder Options-->View, and select 'Show Hidden Files and Folders'. One or two have said that some Start Menu shortcuts vanish, but these are just moved into a folder called 'smtmp'  in your user's Temp directory.

           

          All this is assuming that you have a straightforward fake AV infection. Some people are getting infected by a rootkit, which is much, much worse.

          To make matters worse, recent variants of this family have been installing the TDSS rootkit as well. This rootkit will perform redirects when visiting search links in Google, play strange audio advertisements, and make it so that you are unable to update your security programs. If you are infected with WindowsXPRecovery and are unable to update your Malwarebytes's Anti-Malware definitions then you most likely have this rootkit installed

           

          In which case read - carefully - the instructions given on the BleepingComputer diagnosis page HERE. You may need specialist help to clear the infection.

           

          For future reference, Ex_Brit has brought together a list of anti-malware solutions which covers just about all the angles : it's in https://community.mcafee.com/docs/DOC-2168.

           

          Message was edited by: Hayton on 28/06/11 04:52:08 IST
          1 of 1 people found this helpful
          • 2. Re: Windows XP Repair Virus Left Computer a Mess

            Thanks for this. Despite the fact that I seem to have the rootkit version (Google redirects, strange internet radio transmissions) I did go ahead and run Stinger, both on Low and Medium sensitivity; in both cases it reported all files clean.

             

            My problem now: the system will not let me transfer any of the various names of RKill to the hard drive. I get a message that the hard drive is full or write-protected. This happens regardless of whether I try to load it from a CD or USB drive. Any ideas? Would attempting to unzip the files from a USB drive to the hard drive have better success?

             

            -- Scott K

            • 3. Re: Windows XP Repair Virus Left Computer a Mess

              Yes, despite having a full Mcafee subscription service on my wife's computer I've just paid our local expert £65 to clear off the "XP Repair Virus" that she's picked up. 

               

              Mcafee didn't stop it infecting her PC and couldn't fix it once it was on the machine - despite apparently everyone on the Internet knowing all about it?  Not impressed.....

              • 4. Re: Windows XP Repair Virus Left Computer a Mess

                If one compuiter is infected with System Repair, WinXPRecovery, XP Security, XP Repair in most of the cases we are losing the Start menu Shortcuts and the infection is hiding all of our personal as well the system files. Please go through the below steps so that we can fix that issues.

                 

                 

                Please select the Tools menu and click Folder Options.

                After the new window appears select the View tab.

                Put a checkmark in the checkbox labeled Display the contents of system folders.

                Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.

                Remove the checkmark from the checkbox labeled Hide file extensions for known file types.

                Remove the checkmark from the checkbox labeled Hide protected operating system files.

                After this please press the Apply button and then the OK

                 

                Press on the key Alt+Crtl+Delete key on the keyboard. Now you will get a new window called Task Manager.  Now hold the Ctrl key on the key board and click on File, New Task on the Task Manager.  Now you will get a new black window.

                Inside that black window type CD/ and hit on enter.

                Now type ATTRIB –H –R –S /S /D and hit on enter.

                 

                Associated System Restore Files:

                 

                 

                %LocalAppData%\<random>

                %LocalAppData%\<random>.exe

                %LocalAppData%\~<random>

                %LocalAppData%\~<random>

                %StartMenu%\Programs\System Restore\

                %StartMenu%\Programs\System Restore\System Restore.lnk

                %StartMenu%\Programs\System Restore\Uninstall System Restore.lnk

                %Temp%\smtmp\

                %Temp%\smtmp\1

                %Temp%\smtmp\1

                %Temp%\smtmp\2

                %Temp%\smtmp\3

                %Temp%\smtmp\4

                %UserProfile%\Desktop\System Restore.lnk

                 

                Don't delete the folder

                %Temp%\smtmp\

                %Temp%\smtmp\1

                %Temp%\smtmp\1

                %Temp%\smtmp\2

                %Temp%\smtmp\3

                %Temp%\smtmp\4

                 

                These are the shortcuts in your start Menu.

                If you delete these folders you will lose all of the shortcuts in the start menu. First take a back up of these folder

                 

                %Temp%\smtmp\

                • 5. Re: Windows XP Repair Virus Left Computer a Mess
                  exbrit

                  Old thread, locking.