"Windows 7 Recovery" SpyWare

[cah]

Last night (05/24/2011) while browsing some web sites, I unknowingly clicked on a pop-up window (I think) and got the nasty spyware.

It fakes itself as a disk fragmentation program and says my HD is damaged along with memory issue.
I knew immediately it is a virus, Trojan horse or spyware.

After searching on the internet with the other computer, I confirmed it is a spyware.
Found the information from:

http://www.wiki-security.com/wiki/Paras ... y_manually

I manually removed all registry entries mentioned on the page but I was unable to find the process, dll and exe files on my HD.

Registry Keys

Code: Select all

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Use FormSuggest" = 'yes'
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "CheckExeSignatures" = 'no'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "ShowSuperHidden" = 0'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "Hidden" = '0'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "WarnonBadCertRecving" = '0'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "CertificateRevocation" = '0'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop "NoChangingWallPaper" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments "SaveZoneInformation" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableTaskMgr" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations "LowRiskFileTypes" = '/{hq:/s's:/ogn:/uyu:/dyd:/c'u:/bnl:/ble:/sdf:/lrh:/iul:/iulm:/fhg:/clq:/kqf:/'wh:/lqf:/lqdf:/lnw:/lq2:/l2t:/v'w:/rbs:'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[RANDOM CHARACTERS]"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[RANDOM CHARACTERS].exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system "DisableTaskMgr" = '1'

Processes (Couldn't find)

Code: Select all

%AllUsersProfile%\[RANDOM CHARACTERS].exe

DLLs (Couldn't find)

Code: Select all

%AllUsersProfile%\[RANDOM CHARACTERS].dll

Other Files (Couldn't find)

Code: Select all

%AllUsersProfile%\~[RANDOM CHARACTERS]
%AllUsersProfile%\~[RANDOM CHARACTERS]r
%UserProfile%\Desktop\Windows 7 Recovery.lnk
%UserProfile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows 7 Recovery
%UserProfile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows 7 Recovery\Uninstall Windows 7 Recovery.lnk
%UserProfile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows 7 Recovery\Windows 7 Recovery.lnk

One think I didn't do is I forgot to jot down the random characters associated with the program when I was removing the registry keys in:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[RANDOM CHARACTERS]"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[RANDOM CHARACTERS].exe"


I downloaded SpyHunter trying to scan and detect any malicious files still exist on my computer but the computer had become so slow and it took forever to scan the system. I stayed up a little after 2 AM and it was just 20% done. I left it run over night and I found the scanning program disappeared when I woke up in the morning. Instead, it was complaining about not finding Adobe source media.

When coming to office, I did more searches and found some potential helpful links and tools:

Windows 7 Recovery (Spyware)

http://www.bvainc.com/blog/2011/05/wind ... y-spyware/

Microsoft Autoruns (This could be very helpful listing all autoruns!!)

http://technet.microsoft.com/en-us/sysi ... s/bb963902

Remove Windows 7 Recovery bad optimizer

http://removal-tool.blogspot.com/2011/0 ... mizer.html

I will try the autoruns tool first to see what the autoruns are on my computer. Then, hopefully, I can pin point to the malicious files and remove them.

I am just curious about why the computer becomes so slow. Booting up and opening any programs take an awfully long time while memory and CPU utilization are very low.

Hopefully, I will have some progress tonight. Otherwise, I will bring the laptop to office and work on it until it is fixed.

[cah]

The above attempts all failed.....

The computer is still very slow!!

[cah]

Coworker Danny recommended me to try F-secure online scanner.
I tried and the process stopped at 30+%.
My guess is it was intercepted by the spyware and stopped it.

I tried malwarebytes the other night but it didn't help either.
I thought it could be very straightforward but it turned out to waste me much time.
I followed some instructions I found on the internet to remove the programs and registry entries but didn't work.

The computer was just very slow in responding to anything.
Booting up took over 20 minutes. Starting any programs will take 3 to 5 minutes.
Most of time is spent waiting.
I am not that patient.

One interesting thing is, this spyware (Windows 7 Recovery) somehow manages to launch iexplore.exe in the background without browser popping up but showing in task manager. Then, the advertisement/commercial will be heard on the computer. Windows just has too many processes that aren't known. I was unable to tell which process was the real one. All processes look to be legitimate.

If I were to start from scratch in the beginning, the system should have come back to working mode a couple of days ago.

Right before I was trying to do the system recovery, HP offered to back up files. Since it didn't harm anything, I selected to back up files before the recovery.
What I didn't know was it scans all directories and files to look for files to back up. I don't know what criteria it uses to back up. Nor do I know what files have been backed up. The progress was really slow. For about 3 hours, the progress was just 10%, 11%.

By the time I woke up in the morning, it completed.
I let it reinstall from system recovery at home.
I will see if it completes when I get home today.

[cah]

Vista was successfully installed when I got home last Friday evening.
I then installed Windows 7 on top of Vista.

After Windows 7 was installed, no application was there.
I had to go to HP's web site and download needed software packages and install them individually.
Then, I started application by application. Some aren't needed right now so I leave them for future installation.

The hard part is to get files restored from the backups.
I had backup from ArcSoft and HP TotalCare.
I first applied the backup from ArcSoft (last backed up on 04/22). It was straightforward. However, there's a month gap between now and then.
So, I restored the backup by HP TotalCare. It restored to C:\System Recovery Files.
Once they were both done, I had to do a comparison between system recovery files\ and the real location. It was time consuming because I have to first compare file/folder size and number of files/folders. If different, I had to go into each location and compare what were missing. It took a long time to accomplish.

The current state is as I expected. Perhaps 80 ~ 90% done. The rest 10 ~ 20% can be done later when needed.

[cah]

This may be a tool that can be used to clean up rootkits.

http://connect.microsoft.com/systemsweeper

Thank you for contacting Microsoft Support. You have been directed here to download and install the beta version of Microsoft Standalone System Sweeper Beta, a recovery tool that can help you start an infected PC and perform an offline scan to help identify and remove rootkits and other advanced malware. In addition, Microsoft Standalone System Sweeper Beta can be used if you cannot install or start an antivirus solution on your PC, or if the installed solution can’t detect or remove malware on your PC.

Microsoft Standalone System Sweeper Beta is not a replacement for a full antivirus solution providing ongoing protection; it is meant to be used in situations where you cannot start your PC due to a virus or other malware infection. For no-cost, real-time protection that helps guard your home or small business PCs against viruses, spyware, and other malicious software, download Microsoft Security Essentials*.

To get started, please make sure that you have a blank CD, DVD, or USB drive with at least 250 MB of space. Next, download and run the tool – the tool will help you to create the bootable media required to run the software on your PC.

[The extension zip has been deactivated and can no longer be displayed.]

Should I download the 32-bit or 64-bit version?

1. Whether you download the 32-bit or the 64-bit version of the Microsoft Standalone System Sweeper Beta depends on the architecture (32-bit or 64-bit) of the Windows operating system of the computer infected with a virus or malware. See the Microsoft Help and Support article for instructions on how to determine whether a computer is running a 32-bit version or 64-bit architecture of the Windows operating system.

2. Ordinarily, the bootable media is created on a computer that is not infected. The architecture of Microsoft Standalone System Sweeper Beta does not have to be the same as the Windows operating system of the computer used to create the bootable media. It does need to be the same architecture (32-bit or the 64-bit) as the Windows operating system of the computer infected with a virus or malware.

* Your PC must run genuine Windows to install Microsoft Security Essentials. Learn more about genuine Windows. Internet access fees may apply.

Read the Microsoft Standalone System Sweeper Beta Privacy Statement and License Agreement.