Recent Virus WindowsRepair

On my step-dad’s computer there is a virus I’ve never encountered before called WindowsRepair. It provides fake alerts that the computer is corrupted and requires some special software support. I didn’t bother following the links, but I’m sure there is a prompt to send them money eventually.

Looks like the virus does the following:
Redirects internet searches
Removes the option to use task manager (at least on Vista)
Blocks attempts to delete files associated with virus
Also blocks system recovery

When I run safe mode I no longer can find an option for system recovery, and downloads of antivirus software are blocked no matter what I try. I was able to find a program, Process Explorer, that allowed me to access the same functions as task manager, but I wasn’t sure what programs to terminate.
Any suggestions?

I’d tell you to start by searching the forums. This topic has come up a few times in the past months, and you’ll find lots of good info.

That being said…

What browser is he using? Is the virus preventing you from running .exe files? Can you get into safe mode?

This (or these) virus can be pretty sophisticated and nasty, so before doing anything, understand that I’m only relaying info that has worked for me in the past. YMMV. I’ve heard stories of some people trying to remove the virus and it’s resulted in boot loops, catastrophic edits/deletions to the registry and all around Bad Things.

Reboot and enter safe mode.

If IE is the browser, go into Tools>Internet Options>Connections. At the bottom of the tab, there should be a button marked “LAN settings.” Click that button, and at the bottom of the next window you should see a box labeled as “Use a proxy server for your LAN.” That box should be UNchecked. If it’s checked, click it to uncheck it, and then see if that solves your browser redirect problem. If it does, do a Google search for Malwarebytes Anti-Malware, download it and run it.

If that doesn’t fix your redirect problem, find a thumbdrive and another computer, and download Malwarebytes on the thumbdrive and then transfer it onto the infected computer.

Sometimes these viruses prevent you from running .exe (or any other) files. You’ll get a bogus error message that says something is infected or corrupted. If this is the case, download Rkill.exe onto the thumbdrive, and copy it to the desktop of the infected machine. Click it to run. The virus may give you a message that says you can’t run it, but keep clicking it until a window opens that tells you it was successful.

Sometimes the virus is smart enough not to let Rkill run. So you can rename it to something random to get it to work (16hr2.exe or something).

Rkill does NOT remove viruses or malware. It simply stops the process that is preventing you from running .exe files (like anti-virus software, getting updates, etc.). You’ll still need to download Malwarebytes (or similar) to scrub the virus.

Hope that helps, but I’m far from an expert. Here’s hoping someone else joins this thread to give you better info.

Most viruses hide from the Task Manager these days, so that’s no help. It probably didn’t actually block System Recovery, but rather erased all the restore points so there’s nothing to recover.

You can sometimes get software to run by renaming them from “program.exe” to “program.com.”
I’d suggest downloading Malwarebytes onto a flash drive (using another computer). Also, there’s a way to download the latest definitions. Do that, too. Rename the programs so that the file extension is “.com.”

Install Malwarebytes. Then go into the folder it creates and change the “.exe” version to “.com”. Install the definitions, then run Malwarebytes. You may have luck with that.

If not, then it could be a rootkit. The best solution I’ve found to that is to create a BartPE or WindowsPE boot disk and boot your computer from it. Then go into the hard drive and look for suspicious files – usually in C:\windows\system32. They’ll be time stamped at about the time you got the virus. You can delete these (or just rename them in case they’re not the virus), reboot, and then see if Malwarebytes will work.
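
The timestamp check described in the post above, as an added example that is not part of the original thread: it lists files created or modified within a window around a chosen time and renames a suspect instead of deleting it. The function names, the `.suspect` suffix, the demo folder and the sample date are assumptions, and it needs PowerShell 4 or later (in the boot environment, or on a clean machine with the infected drive attached).

```powershell
# Added example: Find-FilesNearTime and Rename-Suspect are hypothetical helper names.
function Find-FilesNearTime {
    param(
        [Parameter(Mandatory)] [string]   $Path,    # e.g. the offline disk's Windows\System32
        [Parameter(Mandatory)] [datetime] $Around,  # roughly when the problem first appeared
        [int] $WindowHours = 6
    )
    $from = $Around.AddHours(-$WindowHours)
    $to   = $Around.AddHours($WindowHours)

    # -Force includes hidden and system files, which a normal listing skips.
    Get-ChildItem -LiteralPath $Path -File -Force -ErrorAction SilentlyContinue |
        Where-Object {
            ($_.CreationTime  -ge $from -and $_.CreationTime  -le $to) -or
            ($_.LastWriteTime -ge $from -and $_.LastWriteTime -le $to)
        } |
        Sort-Object CreationTime |
        Select-Object FullName, Length, CreationTime, LastWriteTime,
            @{ Name = 'SHA256'
               Expression = { (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash } }
}

function Rename-Suspect {
    # Rename rather than delete, so a wrong guess can be undone by renaming back.
    param([Parameter(Mandatory)] [string] $FullName)
    $newName = (Split-Path -Leaf $FullName) + '.suspect'
    Rename-Item -LiteralPath $FullName -NewName $newName -PassThru
}

# Constructed demo: two files in a temp folder, one stamped near the chosen time.
$demo = Join-Path ([IO.Path]::GetTempPath()) 'triage-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
$when = Get-Date '2011-05-14 20:30'          # constructed sample date
$samples = @{ 'old.dll' = $when.AddDays(-90); 'new.exe' = $when.AddMinutes(10) }
foreach ($s in $samples.GetEnumerator()) {
    $p = Join-Path $demo $s.Key
    Set-Content -LiteralPath $p -Value 'constructed sample'
    $item = Get-Item -LiteralPath $p
    $item.CreationTime  = $s.Value
    $item.LastWriteTime = $s.Value
}

# Only new.exe falls inside the window; review the list before renaming anything.
$hits = Find-FilesNearTime -Path $demo -Around $when
$hits | Format-List
# Rename-Suspect -FullName $hits[0].FullName
```

File timestamps can be changed by malware, so a match is a lead to check (for example by looking up the SHA256) and a miss does not clear a file.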

Have you a problem accessing the sites of the anti-virus providers, or is it the download itself which is blocked?

If the former, you could try to access foreign internet sites of the provider. I once had a virus that blocked my access to the English sites of AVG, etc… but not to the French ones.