
Windows XP Repair virus

shermans
Pro
Posts: 1,303
Thanks: 101
Fixes: 3
Registered: ‎07-09-2007

Windows XP Repair virus

I am pretty certain that I have been infected with a trojan called Windows XP Repair.  The symptoms are simply that I keep getting warnings that there are hard disk errors, RAM is fragmented, and on, and on and on.  I cannot do anything, because everything is blocked and I cannot close the Windows XP Repair.  When I restart, the same thing happens again.  I cannot access TaskManager either because it is blocked, nor can I get Avast! antivirus to scan or remove it.
When I Google for Windows XP repair, it is clearly identified as a trojan, with all the symptoms I have just described.
If I boot in Safe Mode, things appear to work normally, most of the time this Windows Repair immediately reboots into Normal Mode as soon as Safe Mode loads and I am back at square one.  But sometimes I do manage to get into Safe Mode, as I have at present.  However, it appears that I cannot run my Avast! anti-virus software in Safe Mode to do a scan either.
Does anyone have experience of this malware ?  What can I do to recover from it ?
HPsauce
Pro
Posts: 7,000
Thanks: 146
Fixes: 2
Registered: ‎02-02-2008

Re: Windows XP Repair virus

Sounds like a variation of a common "fake antivirus" that's been around a while.
Sometimes system restore can get you back in control.
Sometimes safe mode with networking will let you install Malwarebytes to gain control.
Sometimes you just have to take the disk out and connect it to a known clean system to scan it with multiple tools to clean it.
Rarely you need to save data and reinstall windows.
shermans
Pro
Posts: 1,303
Thanks: 101
Fixes: 3
Registered: ‎07-09-2007

Re: Windows XP Repair virus

I can confirm that it must be a virus.  Firstly, "Restore to an earlier setting" does not work, even in Safe Mode.
Secondly, all my files have had the "Hidden" attribute attached to them.
Can you recommend a Malware removal tool?  I can access the internet in Safe Mode.  But of course what I am now worried about is downloading a Malware removal tool which either is not up to date or, worse still, is itself another trojan.  That is why I would like to know of something on which I can rely.
Thanks
AlaricAdair
Champion
Posts: 5,658
Thanks: 647
Fixes: 1
Registered: ‎21-03-2011

Re: Windows XP Repair virus

Malwarebytes generally deals with this one.  Be sure to download it from www.malwarebytes.org only. I have once deleted it using a combination of taskmgr.exe and regedit on an XP machine, but it was tedious.
Now Zen, but a +Net residue.
ReedRichards
Seasoned Pro
Posts: 4,927
Thanks: 145
Fixes: 25
Registered: ‎14-07-2009

Re: Windows XP Repair virus

If you know what you are doing you can use a program like Autoruns to list all the programs that start automatically when Windows starts.  Malware is almost never digitally signed, is often located in the Documents and Settings or Users folder and often has a name that is just a random string of characters.  So it's easy to spot, in which case you can just turn it off then restart the computer.  After that, use security software to clean up the mess left behind.
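The three signals named in the post above (no digital signature, an image path under Documents and Settings or Users, a random-looking file name) can be combined into a simple triage score. This is an added example, not part of the original post and not Autoruns' own logic; the record field names and the sample entries are constructed for illustration, and the "random name" test is a rough heuristic.

```python
import ntpath
import re

# User-writable profile roots named in the post (XP and Vista/7 layouts).
PROFILE_RE = re.compile(r"^[a-z]:\\(documents and settings|users)\\", re.I)

def looks_random(stem: str) -> bool:
    """Rough heuristic: a long consonant run, or letters and digits interleaved."""
    s = stem.lower()
    run = max((len(m) for m in re.findall(r"[b-df-hj-np-tv-z]+", s)), default=0)
    switches = len(re.findall(r"(?<=[a-z])\d|(?<=\d)[a-z]", s))
    return len(s) >= 6 and (run >= 5 or switches >= 3)

def triage(entry: dict) -> list:
    """Return the reasons an autostart entry deserves a closer look."""
    reasons = []
    path = entry["image_path"]
    if not entry.get("signer"):
        reasons.append("unsigned")
    if PROFILE_RE.match(path):
        reasons.append("runs from user profile")
    stem = ntpath.splitext(ntpath.basename(path))[0]
    if looks_random(stem):
        reasons.append("random-looking name")
    return reasons

def suspicious(entries, threshold=3):
    """Names of entries that trip at least `threshold` signals."""
    return [e["name"] for e in entries if len(triage(e)) >= threshold]

# Constructed sample entries (hypothetical field names, not a real export format).
SAMPLE = [
    {"name": "ctfmon", "signer": "Microsoft Corporation",
     "image_path": r"C:\WINDOWS\system32\ctfmon.exe"},
    {"name": "updater", "signer": "",
     "image_path": r"C:\Documents and Settings\All Users\Application Data\qXkPzvRtLm.exe"},
    {"name": "notes", "signer": "",
     "image_path": r"C:\Users\sam\AppData\Local\Notes\notes.exe"},
]

if __name__ == "__main__":
    for e in SAMPLE:
        print(f"{e['name']:8} {triage(e)}")
    print("review first:", suspicious(SAMPLE))
```

Legitimate unsigned software installed per-user trips two of the three signals (the `notes` entry), so treat the output as an ordering for manual review rather than a verdict.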
shermans
Pro
Posts: 1,303
Thanks: 101
Fixes: 3
Registered: ‎07-09-2007

Re: Windows XP Repair virus

Thanks.  www.malwarebytes.org has largely sorted it out but I have lost all the shortcuts on my desktop - actually been deleted.  All my folders had been hidden and I have used attrib to unhide them.  No terminal damage but having difficulty using restore to restore to an earlier point.  I am now trying again in safe mode.  I will then run anti virus to make sure all of it is gone - www.malwarebytes.org found 6 of them, all identified as fake anti virus including of course the Taskmanager blocker.  I have wasted so far about five hours on it.
I do know how I got infected.  A member of the family asked me if I could open a photo taken off a mobile phone.  I identified it as an Apple format and I could read the header in Firefox which referred me to a Facebook page (don't use Facebook normally).  I opened the Facebook page.  In the process of trying to kill this trojan, I saw a reference to Facebook which surprised me as I don't use it, and then I remembered this photo business.  I am sure that is where the infection came from, although I am certain the request was genuine and innocent.
Thanks anyway for all the advice.
ReedRichards
Seasoned Pro
Posts: 4,927
Thanks: 145
Fixes: 25
Registered: ‎14-07-2009

Re: Windows XP Repair virus

If a web page infected your computer it probably exploited some out-of-date software with a known security hole that needs to be updated.  Make sure:

  • All Windows security updates are installed

  • You are running Java version 6.26

  • You have the latest version of Flash Player - see http://www.adobe.com/software/flash/about/

  • Same applies to Shockwave Player if you use it

  • Adobe Reader is up to date - version 10.1

  • Your web browsers are up to date

  • Real Player and Quicktime are up to date or any browser add-ons from them are disabled

shermans
Pro
Posts: 1,303
Thanks: 101
Fixes: 3
Registered: ‎07-09-2007

Re: Windows XP Repair virus

I think I am to blame because I turned off automatic updates for Windows because I got fed up with it trying to update the same .net framework update over and over again.  I reported it to MS security who made me reinstall .net framework but when it started happening again - always the same old update - I eventually turned it off and updated always manually.  To be honest, I have not updated for about two months.  So I only have myself to blame in view of what you have said!
I will now do as you say and check all the rest.  The avast! anti virus boot scanner also found something which was related to Java and removed it.  So I fear there were several loopholes.
Mav
Moderator
Moderator
Posts: 22,392
Thanks: 4,736
Fixes: 515
Registered: ‎06-04-2007

Re: Windows XP Repair virus

I've never set Automatic updates for windows as I like to check what is being installed but I do monitor the updates regularly (daily) and install them as soon as they are available.
As for any updates that fail or you don't want you can hide them so that you are not constantly nagged to do so.

Forum Moderator and Customer
Courage is resistance to fear, mastery of fear, not absence of fear - Mark Twain
He who feared he would not succeed sat still

pjemmanuel
Grafter
Posts: 354
Thanks: 2
Registered: ‎05-04-2007

Re: Windows XP Repair virus

Just had the pleasure of dealing with a variant of this, Windows 7 Repair on one of the kids' laptops. Malwarebytes took care of most of it but I had to change the read only setting on a large number of folders to "find" all the files again. One major annoyance of the Windows 7 variant was that it deleted - not hidden, but actually deleted all of the links from the start menu. Fortunately I have another identical Windows 7 machine here to copy them back over from.
Not sure how this machine got infected either. Automatic updating for Windows, Java and AVG, yet it still got on the machine.
VileReynard
Hero
Posts: 12,616
Thanks: 582
Fixes: 20
Registered: ‎01-09-2007

Re: Windows XP Repair virus

I stopped downloading ALL automatic updates for my Windows XP laptop - except for the virus checker (antivir).
AFAIK I have no malware.
It's generally used in a reasonably sensible way - e.g. ignore invitations to enter online banking details (or even use online banking).
However, it uses the default "run as administrator" mode and as such, all M$ files are to be considered suspect.

"In The Beginning Was The Word, And The Word Was Aardvark."

ReedRichards
Seasoned Pro
Posts: 4,927
Thanks: 145
Fixes: 25
Registered: ‎14-07-2009

Re: Windows XP Repair virus

Quote from: Phil_E
Not sure how this machine got infected either. Automatic updating for Windows, Java and AVG, yet it still got on the machine.

Flash Player?
Quote from: A
I stopped downloading ALL automatic updates for my Windows XP laptop...

Then you're living on borrowed time, Jeremy.  Except that you're such a fan of Linux I doubt that you use your XP machine a great deal.
shermans
Pro
Posts: 1,303
Thanks: 101
Fixes: 3
Registered: ‎07-09-2007

Re: Windows XP Repair virus

I have done as ReedRichards recommends and:
• All Windows security updates are now installed - several months out of date
• I am now running Java version 6.26 - at least three years out of date
• I now have the latest version of Flash Player - see http://www.adobe.com/software/flash/about/ - I posted elsewhere about the problems installing the latest version but got there eventually
• Same applies to Shockwave Player if I use it - Is there any need for this?  I installed the latest anyway
• Adobe Reader is up to date - version 10.1 - Done - very different look and feel to what I had before, so my old version must have been just that - old!
• Your web browsers are up to date - Only use IE as standard and I did already have the latest version
• Real Player and Quicktime are up to date or any browser add-ons from them are disabled - Done.
The damage was annoying but I recovered from most of it through back-ups.  But I shudder to think what is waiting for others who never back up anything, and I suspect that is the norm still.  Let this be a lesson to all who do not back up their data.
So again thanks are due for good and helpful advice.