
WindowsRepair or WindowsRecovery Malware



I posted my notes regarding WindowsRecovery malware on April 1. Today, the malware reappeared when I logged in in admin mode (this is my 3rd infection). This time, the screen had the name WindowsRepair. Same screens and messages. As described in the MBAM Self-Removal log, this malware hides most of your folders and programs. You can unhide the folders using the method described in the log, but I found out that the malware immediately hides the folders again. The problem is that you cannot update MBAM. In my case, I tried to update MBAM; it tried to download three times, and then gave an error message similar to "access denied, file could not be saved". It appears that MBAM tried to save the downloaded file, but since the MBAM folder was hidden, it could not update.

Also, since the MBAM folder was hidden again by the malware (after I "unhid" it), I could not see the MBAM folder and run MBAM. I got around the problem by opening My Computer, then right-clicking on the "C" drive and selecting Scan with MBAM. Since I had updated last night, I ran MBAM (active scan) and it found the infection. Then I re-booted and ran a full scan. More malware files were found (including one in the Temp folder named "internetexplorerupdate"). I hope the file that was bringing back the malware was finally found and destroyed.

I was lucky that I had an updated MBAM that was less than a day old. If you already have MBAM installed with an older version (I did not try this), you may try to boot in safe mode with networking, unhide the MBAM folder, run and update MBAM, boot in normal mode and run MBAM.

I am also requesting MBAM programmers for two refinements: (a) have MBAM save the downloaded update even if the MBAM folder is "hidden", "read only", etc., and (b) install MBAM in a folder under C:\, not under "program files" or with long file names. Then MBAM could also be run from Start Menu Run by typing run c:\mbam\mbam etc., instead of having to figure out the path name for long file names.

BTW - VSS Toolkit and RKUnhooker LE both reported "clean" after the last infection - this does not appear to be a rootkit virus.

Thanks and hope you all kill this malware.
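The post above describes the malware setting the Hidden attribute on user and program folders, and the poster having to unhide them by hand. The following PowerShell script is an added example, not code from the original post or from Malwarebytes: it lists top-level folders under a few roots that carry the Hidden attribute but are not hidden on a normal Windows install, and with `-Restore` clears the Hidden and System attributes from them. The root list and the allow-list of legitimately hidden folders are assumptions; adjust them to the affected system.

```powershell
# Added example (not from the original post or from Malwarebytes).
# Reports folders that carry the Hidden attribute but are not hidden by design,
# and with -Restore clears Hidden and System so they show up again.
# Run from an elevated PowerShell prompt; roots and allow-list are assumptions.
param(
    [string[]]$Roots = @('C:\', $env:ProgramFiles, $env:USERPROFILE),
    [switch]$Restore
)

# Folders that are legitimately hidden on a normal Windows install (assumed list).
$KnownHidden = @(
    '$Recycle.Bin', 'System Volume Information', 'Recovery', 'ProgramData',
    'Config.Msi', 'Documents and Settings', 'AppData', 'Application Data',
    'Local Settings', 'MSOCache', 'PerfLogs'
)

$Hidden       = [System.IO.FileAttributes]::Hidden
$Reparse      = [System.IO.FileAttributes]::ReparsePoint
$HiddenSystem = [int]([System.IO.FileAttributes]::Hidden -bor [System.IO.FileAttributes]::System)

function Get-SuspiciousHiddenFolder {
    param([string]$Root)
    # -Force is required, otherwise Get-ChildItem skips hidden entries entirely.
    Get-ChildItem -LiteralPath $Root -Directory -Force -ErrorAction SilentlyContinue |
        Where-Object {
            (($_.Attributes -band $Hidden) -ne 0) -and
            ($KnownHidden -notcontains $_.Name) -and
            (($_.Attributes -band $Reparse) -eq 0)   # skip junctions such as "Documents and Settings"
        }
}

$found = foreach ($root in $Roots) {
    if ($root -and (Test-Path -LiteralPath $root)) { Get-SuspiciousHiddenFolder -Root $root }
}

if (-not $found) {
    Write-Host "No unexpected hidden folders under: $($Roots -join ', ')"
    return
}

# Report before changing anything; LastWriteTime helps date when the attributes were flipped.
$found | Select-Object FullName, Attributes, LastWriteTime | Format-Table -AutoSize

if ($Restore) {
    foreach ($dir in $found) {
        # Clear only Hidden and System; ReadOnly and any other attributes are left as they were.
        $dir.Attributes = [System.IO.FileAttributes]([int]$dir.Attributes -band (-bnot $HiddenSystem))
        Write-Host "Restored: $($dir.FullName)"
    }
}
```

Run the script without switches first to see what it would touch, then with `-Restore` to clear the attributes (the same effect as `attrib -h -s` on each folder). As the post notes, the process that hides the folders sets them hidden again right away, so restoring attributes is only durable once that process has been removed; until then, launching the scanner through the drive's context menu, as the poster did, avoids needing the folder to be visible at all.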

Staff reply, 4 weeks later:

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
