Got rid of a virus, but need to undo some damage

auric

New member
Local time
12:07 AM
Messages
7
I contracted the "system cleaner" ransomware, probably due to having java plugin enabled in firefox. I think i've gotten it off of my system now by hard-deleting the files in safe mode while logged in as administrator.

However, I am unable to login my other user profile that I was logged in with when I contracted the virus. Once it starts logging in instead of going to desktop it immediately shuts the system down (with or without safe-mode). If someone knows and can tell me what registry keys might be suspect then I should be able to fix this...
 

My Computer My Computer

At a glance

windows 7 home premium 64 bit
OS
windows 7 home premium 64 bit
Run SFC /SCANNOW Run in Command Prompt at Boot if necessary from the DVD or Repair CD.

You may still be infected so need to run a bootable AV scan from Troubleshooting Windows 7 Failure to Start.

Google the exact name of the infection to learn about any specialized removal tools.

Serious infection often requires a Clean Reinstall - Factory OEM Windows 7 (same for retail) after backing up your files to quarantine and then scanning them thoroughly with Malwarebytes, your AV and the removal tools specified for the virus.
 
Thanks, but I'm satisfied the virus is gone (I'll spare you the details as to why) and i'm willing to run the risk of being wrong.

There is some kind of crude command line script running on that particular user. I say crude because I can manage to login by logging in with administrator first, so that when I come to login the other user it gives me a warning that other users are logged in and do I wish to shut down? I click cancel and then i'm on with no further obstacle. taskmgr doesn't show any suspicious processes (this is in safe mode).

I'm just wondering what would be the likely key in the registry that would cause this. I've checked startup folder in the start menu (looks fine), and HKCU/blah/blah/Windows/CurrentVersion/Run (looks fine). I did a search of the registry on 'shutdown' without luck. In other words, what are all the registry keys that can cause an event where the computer attempts to shut down? Can event logger be used to reveal this info? I don't know how to use it.
 

My Computer My Computer

At a glance

windows 7 home premium 64 bit
OS
windows 7 home premium 64 bit
I'll ask a Security expert to have a look.

My own specialty is Installation so perhaps biased but if ever I've seen the need for a reinstall it's here.
 
Last edited:
I'm quite cavalier with my own system I suppose. I've had an infection last year and dealt with it similarly and was fine afterward. I didn't notice the security subforum or I would have posted there first. Thanks for the help.
 

My Computer My Computer

At a glance

windows 7 home premium 64 bit
OS
windows 7 home premium 64 bit
You may still have 'left over' temp files ... download TFC by Old Timer TFC - Temp File Cleaner by OldTimer - Geeks to Go Forums and save it to your desktop.
Save any unsaved work. TFC will close ALL open programs including your browser!
Double-click on TFC.exe to run it. If you are using Vista/Windows 7 right-click on the file and choose Run As Administrator.
Click the Start button to begin the cleaning process and let it run uninterrupted to completion.
Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway to ensure a complete clean.
 

My Computer My Computer

At a glance

Windows 7 Ultimate 32bit SP1Intel(R) Core(TM)2 Quad CPU @ 2.40GHz, 2400 MHz4 GBATI Radeon HD 2600 Pro
Computer type
PC/Desktop
Computer Manufacturer/Model Number
Bruce ... somewhere in his 40's
OS
Windows 7 Ultimate 32bit SP1
CPU
Intel(R) Core(TM)2 Quad CPU @ 2.40GHz, 2400 MHz
Motherboard
INTEL/D975XBX2
Memory
4 GB
Graphics Card(s)
ATI Radeon HD 2600 Pro
Monitor(s) Displays
Samsung SyncMaster 914v
Screen Resolution
1280 x 1024
Hard Drives
2/500GB each ... ST3500630AS ATA Device.
One is not connected
PSU
Rocketfish 700 W
Case
G.Skill Gigabyte Chassis
Keyboard
Standard PS/2 Keyboard
Mouse
Microsoft PS/2 Mouse
Internet Speed
DSL
Antivirus
Avira Internet Security
Browser
IE 11
Other Info
ATI HDMI Audio
Sure, I'll do that and see if it pulls anything out, when I'm done running MSE (already done symantec online scan and avg 2013 scan so far).

The way I got rid of it by hand was to login to administrator in safe mode and search my harddrive with * wildcard, sort by date, and I was able to pinpoint a collection of files at the time of infection (including the scare html file that took over my display, which I viewed in a text editor). But I wonder if viruses are able to manipulate the system clock so that this is not always reliable?

What has me worried is how a java plugin got turned on again in the first place... I thought I turned it off the last time I got an infection. Don't they ever release a secure version of java browser plugins?

Anyway, assuming I am rid of the infection, is there a way to trace what's causing the shut down when logging in to my normal user account?

I've found the following events but they don't tell me much:

- System

- Provider


[ Name] Microsoft-Windows-Winlogon


[ Guid] {DBE9B383-7CF3-4331-91CC-A3CB16A3B538}



EventID 7001


Version 0


Level 4


Task 1101


Opcode 0


Keywords 0x2000000000000000

- TimeCreated


[ SystemTime] 2012-12-03T22:20:20.302069100Z



EventRecordID 274529


Correlation

- Execution


[ ProcessID] 2380


[ ThreadID] 2096



Channel System


Computer Contuter

- Security


[ UserID] S-1-5-18

- EventData

TSId 2

UserSid S-1-5-21-3021841014-1162341245-2895752552-1000

- System

- Provider


[ Name] Application Popup


- EventID 26


[ Qualifiers] 16384



Level 4


Task 0


Keywords 0x80000000000000

- TimeCreated


[ SystemTime] 2012-12-03T22:20:21.000000000Z



EventRecordID 274530


Channel System


Computer Contuter


Security
- EventData


Windows


Other people are logged on to this computer. Restarting Windows might cause them to lose data. Do you want to continue restarting?
 

My Computer My Computer

At a glance

windows 7 home premium 64 bit
OS
windows 7 home premium 64 bit
I ran that app for deleting temporary files as you suggested. I still get the attempts to shut down when logging in. I'm not convinced it's a script, just some way the registry has been abused to make it behave in this way.

Is it within anyone's knowledge to tell me what I might need to look for?
 

My Computer My Computer

At a glance

windows 7 home premium 64 bit
OS
windows 7 home premium 64 bit
Hmm, at the speed this is going maybe I would have saved time just reinstalling... to me though that's like a retailer throwing a fridge in a landfill because it has a scratch on it. It's a huge PITA waiting for windows to reinstall, then you have to reinstall every single app you had before, then you have to import the old settings (where possible), and reinstall all your steam games, which will still happily lose all your save game config unless you take precautions, etc etc. and then still something isn't quite the same as before.

I'll look around the web and see if there is such a thing as an expert on the windows registry... although if someone can help me here in the meantime, all the better. :)
 

My Computer My Computer

At a glance

windows 7 home premium 64 bit
OS
windows 7 home premium 64 bit
I don't know if it would be helpful to point out that the shutdown attempt occurs if I login with safemode & networking, but if I login with safemode & command prompt this does not happen, even after launching explorer manually from the shell...
 

My Computer My Computer

At a glance

windows 7 home premium 64 bit
OS
windows 7 home premium 64 bit
Have you added any new hardware?
 

My Computer My Computer

At a glance

Windows 7 Ultimate 32bit SP1Intel(R) Core(TM)2 Quad CPU @ 2.40GHz, 2400 MHz4 GBATI Radeon HD 2600 Pro
Computer type
PC/Desktop
Computer Manufacturer/Model Number
Bruce ... somewhere in his 40's
OS
Windows 7 Ultimate 32bit SP1
CPU
Intel(R) Core(TM)2 Quad CPU @ 2.40GHz, 2400 MHz
Motherboard
INTEL/D975XBX2
Memory
4 GB
Graphics Card(s)
ATI Radeon HD 2600 Pro
Monitor(s) Displays
Samsung SyncMaster 914v
Screen Resolution
1280 x 1024
Hard Drives
2/500GB each ... ST3500630AS ATA Device.
One is not connected
PSU
Rocketfish 700 W
Case
G.Skill Gigabyte Chassis
Keyboard
Standard PS/2 Keyboard
Mouse
Microsoft PS/2 Mouse
Internet Speed
DSL
Antivirus
Avira Internet Security
Browser
IE 11
Other Info
ATI HDMI Audio
Another way to look at it is that getting a perfect Clean Reinstall - Factory OEM Windows 7 is really better than getting a new PC since most come larded with sponsored bloatware and duplicate utilities that corrupt and throttle Win7.

We are also the top resource on the web for this so you are assured of getting it perfect if you apply yourself. Then the modern way to proceed is to save a backup image once it's setup and running perfectly so you never have to reinstall again, just reimage the HD or its replacement in 20 minutes.
 
Back
Top