URGENT HELP PLZ! DISK REPAIR VIRUS!

Discussion in 'Computer Games and General Discussion' started by Wizerzak, Dec 21, 2010.

Dec 21, 2010
  1. Wizerzak
    OP

    Member Wizerzak Because I'm a potato!

    Joined:
    May 30, 2010
    Messages:
    2,784
    Location:
    United Kingdom
    Country:
    United Kingdom
    First the facts: I was on GBAtemp forums which I know don't contain viruses, I am running McAfee Security Centre, with Windows Firewall off as it clashes, and I am using an account which is not an administrator account on Vista Home Premium x64. I noticed the little yellow triangle in the taskbar; I've seen it before, something to do with Windows security. So I clicked it and it came up with this 'Disk Repair' program which I immediately knew was a virus as I've seen similar things before.
    It came up with some scanning thing at the bottom and then came up with all these critical errors and other crap (see above). I tried closing it and it stayed as another icon in the taskbar. I've just opened Task Manager and managed to end process on both the triangle and the Disk Repair and am currently running a Malwarebytes Anti-Malware full scan. I also notice that on my desktop there is an icon for the program (which is in the screenshot) and it has a link in my start menu, neither of which were there about half an hour ago; and I haven't even typed in the administrator password today so I shouldn't have been able to install anything. I haven't downloaded anything dodgy recently and I can't understand how it got past my McAfee and installed itself without me knowing. One thing though, I have recently been using Chrome instead of IE as it has been crashing recently, so I have no McAfee SiteAdvisor bar.

    Also, a few giveaways that it is a virus:
    > It has a blue and yellow shield for 'run defragmentation' which I know is Windows 7, not Vista.
    > It has not got very crisp, sharp images for the links on the tabs and help and support etc.
    > It also, on right click of the taskbar icon, came up with:

    Minimize/restore
    Diagnostics
    Run defragmentation
    Setting
    Help support
    Buy Now!

    > The minimize in bold and being at the top, the Buy Now!, and the two spaces between help & support are all giveaways.

    So:
    > Is it a virus?
    > How did I get it?
    > Why wasn't it picked up by McAfee?
    > How should I remove it?

    P.S. NVgT5Kv7Y6tq.exe *32 is its image name in Task Manager.
    P.P.S. There is an 'Uninstall Disk Repair' exe in the taskbar folder but I don't trust that.

    EDIT: I've also noticed, cleverly, it has disguised itself as Windows' disk defragmenter which does actually defragment your system.
     


  2. Minox

    Supervisor Minox Spytech Employee

    Joined:
    Aug 27, 2007
    Messages:
    5,617
    Country:
    Sweden
    This site should cover the removal of it.
     
  3. Wizerzak
    OP

    Member Wizerzak Because I'm a potato!

    kk thanks, I'll try that in a sec. I've just done a full search on my PC and it is only located in C:\Users\Isaac\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\, nowhere else (and I've got about 5 other users). This implies that it is not actually installed... shall I restart my PC and see if it's still there?
     
  4. Wizerzak
    OP

    Member Wizerzak Because I'm a potato!

    I don't really want to install another program so can someone plz explain what this means?

    Disk Repair manual removal guide:

    Delete Disk Repair files:
    %TempDir%\[random]
    %TempDir%\[random].exe
    %TempDir%\[random].dll
    %TempDir%\dfrg
    %TempDir%\dfrgr
    %TempDir%\Windows Update.exe
    %Desktop%\Disk Repair.lnk
    %Programs%\Disk Repair
    %Programs%\Disk Repair\Disk Repair.lnk
    %Programs%\Disk Repair\Uninstall Disk Repair.lnk
    Delete Disk Repair registry entries:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run “[random]”
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run “[random].exe”

    I sorta get it but where is TempDir located on Vista?
     
  5. GH0ST

    Member GH0ST Your Hero is a Ghost

    Joined:
    Dec 17, 2006
    Messages:
    924
    Location:
    I was here... before...
    Country:
    France
    No. Close any open browsers but do not reboot before you clean it first with a malware removal tool and run tools like CCleaner or Clean after me.


    % marks a Windows variable name; %Temp%, for example, usually refers to something like C:\Windows\Temp. [Random].exe means the name is something like NVgT5Kv7Y6tq.exe
     
  6. Wizerzak
    OP

    Member Wizerzak Because I'm a potato!

    What about Malwarebytes Anti-Malware? (which is currently scanning, so far nothing picked up)
     
  7. GH0ST

    Member GH0ST Your Hero is a Ghost

    http://www.mywot.com/en/scorecard/gridinsoft.com gridinsoft is ok
    Malwarebytes Anti-Malware is fine but not perfect. You can try some other checks with free tools like CureIt.

    Be careful since there are a lot of fake tools. Always check twice from recommended lists or from security sites.

    Don't panic, it doesn't look that bad, but take your time to clean your computer (and the IE cache) and use a better browser (than IE) & a good firewall.
     
  8. Wizerzak
    OP

    Member Wizerzak Because I'm a potato!

    Malwarebytes Anti-Malware scan just finished - didn't pick up anything. Any help with that manual removing?

     
  9. GH0ST

    Member GH0ST Your Hero is a Ghost

    TempDir located on Vista? There are many; the first is something like C:\Windows\Temp

    Unless you turn off UAC or disable Protected Mode for IE, in Windows Vista most of the cache, temporary files, cookies and history will be stored in special Low versions of the locations:

    Cache: %userprofile%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low
    Temp: %userprofile%\AppData\Local\Temp\Low
    Cookies: %userprofile%\AppData\Roaming\Microsoft\Windows\Cookies\Low
    History: %userprofile%\AppData\Local\Microsoft\Windows\History\Low

    %userprofile% refers to C:\Users\Isaac\ I guess ;-)

    Tools like those mentioned before (CCleaner...) should help you to clean them. CureIt itself will download as a random-looking file like r6blnt22.exe to avoid detection.

    HKCU\Software\Microsoft\Windows\CurrentVersion\Run “[random]”
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run “[random].exe”

    are registry keys; you can access them by running regedit.exe, or you can try to uninstall the tool with a third-party tool like Revo Uninstaller free version (developed by the VS Revo Group, it is a software utility for Microsoft Windows designed to be an alternative to the built-in Windows "Add/Remove Programs" control panel applet).
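    An added defender-side example (mine, not from any poster and not from the removal guide quoted above) that turns the persistence locations named in the guide and in this post into a read-only audit: it walks HKCU ...\Run and the per-user Start Menu Programs folder and flags any entry whose executable resolves into %TEMP%, the IE Protected Mode Temp\Low folder, or %APPDATA%. The directory list comes from the thread; the "random name" heuristic is deliberately left out, so legitimate per-user software under %APPDATA% will also be listed and needs a human to review it.

```powershell
# Audit per-user autostart points for executables living in temp/profile-data dirs.
# Read-only: it reports findings, it deletes nothing. Run as the affected user.
$runKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$programs = [Environment]::GetFolderPath('Programs')   # %Programs% = Start Menu\Programs
# Drop locations mentioned in the thread; Temp\Low is the IE Protected Mode temp dir.
$suspectDirs = @(
    $env:TEMP,
    (Join-Path $env:LOCALAPPDATA 'Temp\Low'),
    $env:APPDATA
) | ForEach-Object { $_.TrimEnd('\').ToLowerInvariant() }

function Get-CommandPath([string]$cmd) {
    # Pull the executable path out of a Run value such as "C:\x\y.exe" /flag or C:\x\y.exe
    if ($cmd -match '^\s*"([^"]+)"')    { return $Matches[1] }
    if ($cmd -match '^\s*(\S+\.exe)')   { return $Matches[1] }
    return $cmd.Trim()
}

function Test-SuspectPath([string]$path) {
    $expanded = [Environment]::ExpandEnvironmentVariables($path).ToLowerInvariant()
    foreach ($d in $suspectDirs) { if ($expanded.StartsWith($d + '\')) { return $true } }
    return $false
}

$findings = @()
# 1. HKCU Run values: autostart for this user only, no admin rights needed to create them.
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run) {
    foreach ($p in $run.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }       # skip PSPath, PSParentPath, ... metadata
        $exe = Get-CommandPath $p.Value
        if (Test-SuspectPath $exe) {
            $findings += [pscustomobject]@{ Where = "Run\$($p.Name)"; Target = $exe }
        }
    }
}
# 2. Start Menu shortcuts (where Disk Repair.lnk was found) whose target resolves into those dirs.
$shell = New-Object -ComObject WScript.Shell
Get-ChildItem -Path $programs -Filter *.lnk -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
    $target = $shell.CreateShortcut($_.FullName).TargetPath
    if ($target -and (Test-SuspectPath $target)) {
        $findings += [pscustomobject]@{ Where = $_.FullName; Target = $target }
    }
}
$findings | Format-Table -AutoSize
```

    Each line of output is a candidate to verify (publisher, install date, whether you recognise it), not a verdict; the HKCU Run key is the same one the guide above says the rogue registers itself under.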
     
  10. Minox

    Supervisor Minox Spytech Employee

    I'd say it's likely to be in either %temp% (C:\Users\USERNAME\AppData\Local\Temp) or %appdata% (C:\Users\USERNAME\AppData\Roaming).
     
  11. raulpica

    Supervisor raulpica With your drill, thrust to the sky!

    Joined:
    Oct 23, 2007
    Messages:
    10,674
    Location:
    _____________ PowerLevel: 9001
    Country:
    Italy
    Have you tried Combofix (download here)?

    It should get rid of it automatically. Or at least, in most cases it does.
     
  12. GH0ST

    Member GH0ST Your Hero is a Ghost

    Combofix is really fine but dangerous too, be careful (read the warnings).

    Since we don't know how it started ( read this about "rogueware") I would like to recommend 2 things :

    * A list of good tools for reference : http://www.spywarewarrior.com/uiuc/soft6.htm

    * Wilderssecurity.com, a trusty site that can help you after you send a full check log of your computer. If you want to fully clean your computer look at http://www.wilderssecurity.com/showthread.php?t=252253 (not to mention their live assistance and lists of various tools)

    Last update :
    * A recent and possible cause of your infection http://news.yahoo.com/s/pcworld/20101211/t...itbywithmalware
    * Some solutions in a linked article : http://answers.yahoo.com/question/index?qi...08204045AAPivmU

    Keep cool & good luck ;-)
     
  13. Wizerzak
    OP

    Member Wizerzak Because I'm a potato!

    It's all right, I've fixed it now, System Restore. Thanks for your help anyway though; any mods, feel free to lock this.

    Wizzerzak
     
  14. Rydian

    Member Rydian Resident Furvert™

    Joined:
    Feb 4, 2010
    Messages:
    27,883
    Location:
    Cave Entrance, Watching Cyan Write Letters
    Country:
    United States
    System restore doesn't remove infections (at least not those that make themselves persistent in user data), at the most it temporarily disables it. Run through the sticky's basic removal steps, then run through the "future prevention" to close the hole that the infection came through, because unless you fix it something else will exploit it.

    I mean honestly, why do I bother fucking making guides...
     
  15. Slyakin

    Member Slyakin See ya suckers

    Joined:
    Oct 15, 2008
    Messages:
    4,450
    Location:
    Soviet Slyakin
    Country:
    United States
    Well, maybe the guy panicked. No need to whine. :/

    Anyway, you really should listen to Rydian and check the guide. I used to believe in System Restore... For about 5 minutes.
     
  16. Rydian

    Member Rydian Resident Furvert™

    I mean two mods came in and didn't even mention it. What's the point of stickying any user guides?
     
  17. raulpica

    Supervisor raulpica With your drill, thrust to the sky!

    Sorry Rydian. This is not my section, so I actually forgot there was your guide there.
     
  18. Rydian

    Member Rydian Resident Furvert™

    The only time it really gets mentioned is by me. But fuck, there have been threads where I went in and REPEATEDLY mentioned it, only to have everybody ignore my posts for two pages or so.

    I'm just going to start posting shit like this.
     
  19. Mazor

    Member Mazor Z80 master arch

    Joined:
    Feb 14, 2008
    Messages:
    547
    Country:
    Sweden
    Speaking of ignoring relevant posts.

     
  20. GH0ST

    Member GH0ST Your Hero is a Ghost

    Roger ;-)
     