Windows 7: Got rid of a virus, but need to undo some damage


03 Dec 2012   #1

windows 7 home premium 64 bit
 
 
Got rid of a virus, but need to undo some damage

I contracted the "system cleaner" ransomware, probably due to having the Java plugin enabled in Firefox. I think I've gotten it off of my system now by hard-deleting the files in safe mode while logged in as administrator.

However, I am unable to log in to my other user profile, the one I was logged in with when I contracted the virus. Once it starts logging in, instead of going to the desktop it immediately shuts the system down (with or without safe mode). If someone knows and can tell me what registry keys might be suspect then I should be able to fix this...


03 Dec 2012   #2
Microsoft MVP

 

Run SFC /SCANNOW. Run it in the Command Prompt at Boot if necessary, from the DVD or Repair CD.

You may still be infected so need to run a bootable AV scan from Troubleshooting Windows 7 Failure to Start.

Google the exact name of the infection to learn about any specialized removal tools.

Serious infection often requires a Clean Reinstall - Factory OEM Windows 7 (same for retail) after backing up your files to quarantine and then scanning them thoroughly with Malwarebytes, your AV and the removal tools specified for the virus.
03 Dec 2012   #3

windows 7 home premium 64 bit
 
 

Thanks, but I'm satisfied the virus is gone (I'll spare you the details as to why) and I'm willing to run the risk of being wrong.

There is some kind of crude command line script running on that particular user. I say crude because I can manage to log in by logging in as administrator first, so that when I come to log in as the other user it gives me a warning that other users are logged in and asks whether I wish to shut down. I click cancel and then I'm on with no further obstacle. taskmgr doesn't show any suspicious processes (this is in safe mode).

I'm just wondering what would be the likely key in the registry that would cause this. I've checked the startup folder in the start menu (looks fine), and HKCU/blah/blah/Windows/CurrentVersion/Run (looks fine). I did a search of the registry for 'shutdown' without luck. In other words, what are all the registry keys that can cause an event where the computer attempts to shut down? Can the event logger be used to reveal this info? I don't know how to use it.


03 Dec 2012   #4
Microsoft MVP

 

I'll ask a Security expert to have a look.

My own specialty is Installation so perhaps biased but if ever I've seen the need for a reinstall it's here.
03 Dec 2012   #5

windows 7 home premium 64 bit
 
 

I'm quite cavalier with my own system I suppose. I've had an infection last year and dealt with it similarly and was fine afterward. I didn't notice the security subforum or I would have posted there first. Thanks for the help.
03 Dec 2012   #6
Microsoft MVP

Windows 7 Ultimate 32bit SP1
 
 

You may still have 'left over' temp files ... download TFC by OldTimer (TFC - Temp File Cleaner by OldTimer - Geeks to Go Forums) and save it to your desktop.
- Save any unsaved work. TFC will close ALL open programs including your browser!
- Double-click on TFC.exe to run it. If you are using Vista/Windows 7, right-click on the file and choose Run As Administrator.
- Click the Start button to begin the cleaning process and let it run uninterrupted to completion.
- Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway to ensure a complete clean.
03 Dec 2012   #7

windows 7 home premium 64 bit
 
 

Sure, I'll do that and see if it pulls anything out, when I'm done running MSE (already done the Symantec online scan and an AVG 2013 scan so far).

The way I got rid of it by hand was to log in as administrator in safe mode and search my hard drive with the * wildcard, sort by date, and I was able to pinpoint a collection of files at the time of infection (including the scare HTML file that took over my display, which I viewed in a text editor). But I wonder if viruses are able to manipulate the system clock so that this is not always reliable?

What has me worried is how a Java plugin got turned on again in the first place... I thought I turned it off the last time I got an infection. Don't they ever release a secure version of the Java browser plugins?

Anyway, assuming I am rid of the infection, is there a way to trace what's causing the shut down when logging in to my normal user account?

I've found the following events but they don't tell me much:

Quote:
- System
  - Provider
    [ Name]  Microsoft-Windows-Winlogon
    [ Guid]  {DBE9B383-7CF3-4331-91CC-A3CB16A3B538}
  EventID 7001
  Version 0
  Level 4
  Task 1101
  Opcode 0
  Keywords 0x2000000000000000
  - TimeCreated
    [ SystemTime]  2012-12-03T22:20:20.302069100Z
  EventRecordID 274529
  Correlation
  - Execution
    [ ProcessID]  2380
    [ ThreadID]  2096
  Channel System
  Computer Contuter
  - Security
    [ UserID]  S-1-5-18
- EventData
  TSId 2
  UserSid S-1-5-21-3021841014-1162341245-2895752552-1000

Quote:
- System
  - Provider
    [ Name]  Application Popup
  - EventID 26
    [ Qualifiers]  16384
  Level 4
  Task 0
  Keywords 0x80000000000000
  - TimeCreated
    [ SystemTime]  2012-12-03T22:20:21.000000000Z
  EventRecordID 274530
  Channel System
  Computer Contuter
  Security
- EventData
  Windows
  Other people are logged on to this computer. Restarting Windows might cause them to lose data. Do you want to continue restarting?
04 Dec 2012   #8

windows 7 home premium 64 bit
 
 

I ran that app for deleting temporary files as you suggested. I still get the attempts to shut down when logging in. I'm not convinced it's a script, just some way the registry has been abused to make it behave in this way.

Is it within anyone's knowledge to tell me what I might need to look for?
04 Dec 2012   #9

windows 7 home premium 64 bit
 
 

Hmm, at the speed this is going maybe I would have saved time just reinstalling... to me though that's like a retailer throwing a fridge in a landfill because it has a scratch on it. It's a huge PITA waiting for Windows to reinstall, then you have to reinstall every single app you had before, then you have to import the old settings (where possible), and reinstall all your Steam games, which will still happily lose all your save game config unless you take precautions, etc. etc., and then still something isn't quite the same as before.

I'll look around the web and see if there is such a thing as an expert on the windows registry... although if someone can help me here in the meantime, all the better.
04 Dec 2012   #10

windows 7 home premium 64 bit
 
 

I don't know if it would be helpful to point out that the shutdown attempt occurs if I log in with safe mode & networking, but if I log in with safe mode & command prompt this does not happen, even after launching explorer manually from the shell...
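An added example, not code from the thread, written from the defender's side of the question in posts #3, #7 and #10: it pairs the Winlogon 7001 logon events for the affected account with the Application Popup 26 restart prompt quoted above, then dumps the autostart locations Windows reads when that account's shell starts (the part safe mode with command prompt skips), plus logon-triggered scheduled tasks. It assumes an elevated PowerShell on the affected machine, the user SID quoted in the thread, a 30-second pairing window, and that the affected profile's hive is loaded under HKEY_USERS (it is once that account has logged on).

```powershell
# Added example, not from the thread. Run elevated on the affected machine.
$UserSid = 'S-1-5-21-3021841014-1162341245-2895752552-1000'   # SID quoted in post #7
$Since   = (Get-Date).AddDays(-7)                              # assumed look-back window

# 1. Winlogon 7001 for that SID followed within 30 s by Application Popup 26
#    ("Other people are logged on ... Do you want to continue restarting?").
$filter = @{ LogName = 'System'; StartTime = $Since }
$logons = Get-WinEvent -FilterHashtable ($filter + @{ ProviderName = 'Microsoft-Windows-Winlogon'; Id = 7001 }) -ErrorAction SilentlyContinue |
          Where-Object { $_.ToXml() -match $UserSid }       # UserSid lives in EventData, not the message text
$popups = Get-WinEvent -FilterHashtable ($filter + @{ ProviderName = 'Application Popup'; Id = 26 }) -ErrorAction SilentlyContinue
foreach ($l in $logons) {
    $p = $popups | Where-Object { $_.TimeCreated -ge $l.TimeCreated -and $_.TimeCreated -le $l.TimeCreated.AddSeconds(30) } |
         Select-Object -First 1
    if ($p) { '{0}: logon for {1}, restart prompt {2:N0}s later' -f $l.TimeCreated, $UserSid, ($p.TimeCreated - $l.TimeCreated).TotalSeconds }
}

# 2. Autostart locations processed when the user's shell starts. HKU is mapped so
#    the affected profile's hive can be read from the administrator's session.
New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS -ErrorAction SilentlyContinue | Out-Null
$roots   = @('HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\Wow6432Node', "HKU:\$UserSid\Software")
$subkeys = @('Microsoft\Windows\CurrentVersion\Run',
             'Microsoft\Windows\CurrentVersion\RunOnce',
             'Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
             'Microsoft\Windows NT\CurrentVersion\Winlogon',      # Shell / Userinit
             'Microsoft\Windows NT\CurrentVersion\Windows')       # Load / Run
foreach ($r in $roots) {
    foreach ($s in $subkeys) {
        $key = Join-Path $r $s
        if (-not (Test-Path $key)) { continue }
        (Get-ItemProperty -Path $key).PSObject.Properties |
            Where-Object { $_.Name -notmatch '^PS' } |        # drop the PSPath/PSDrive metadata
            ForEach-Object { '{0}  {1} = {2}' -f $key, $_.Name, $_.Value }
    }
}
# Compare against the Windows 7 defaults: under HKLM ...\Winlogon, Shell is
# "explorer.exe" and Userinit is "C:\Windows\system32\userinit.exe,"; a per-user
# Winlogon\Shell value, or Load/Run values under ...\Windows NT\CurrentVersion\Windows,
# are rarely legitimate. Anything unfamiliar in a Run key deserves a look.

# 3. Logon-triggered scheduled tasks: a persistence point a registry search misses.
schtasks /query /v /fo CSV | ConvertFrom-Csv |
    Where-Object { $_.'Schedule Type' -like '*logon*' } |
    Select-Object TaskName, 'Task To Run', 'Run As User'
```

Event 26 records the prompt, not the process that asked for the restart; to capture that, enable Audit Process Creation (Security log event 4688, which on Windows 7 carries the new process name and the creator process ID) and log the account on once more.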