
Windows repair Virus

Created: 30 Mar 2011 | 9 comments

I have been working on the machine with the "windows repair virus" on it.

http://www.myantispyware.com/2011/03/26/how-to-remove-windows-repair-virus/ 

Symantec Norton 360 version 5 with the latest updates has no idea the machine is infected.

I can't find any tools to remove it from Symantec.

Does anyone know anything about this?


Thomas K's picture

The first thing I would do is run a full scan in safe mode with the latest definitions installed.

Boot into safe mode and run a Disk Cleanup (right-click the C drive, Properties, Disk Cleanup) - that will delete all the files that are in these temporary locations, as well as IE's temporary files, etc. Perform a full system scan in safe mode.

If that fails to detect and remove the threats, try running the Norton Power Eraser Tool.

http://security.symantec.com/nbrt/npe.asp?lcid=103...

Because the Norton Power Eraser uses aggressive methods to detect these threats, there is a risk that it can select some legitimate programs for removal. You should use this tool very carefully, and only after you have exhausted other options.

Another option is the Microsoft Malicious Software Removal Tool - http://www.microsoft.com/security/pc-security/malware-removal.aspx

In the future, you can visit the Norton Community for Norton product issues.

http://community.norton.com/norton/

 

Let me know if this was helpful for you.

 

Best,

Thomas

Lightlyblazin's picture

Well, I did most of that, Thomas. There are no program group icons. There are no files shown in Explorer. There is no internet thru IE, but I did delete the files. Currently it is booted off the 360v5 CD, scanning. 150k, nothing detected. The "Windows Repair" is not listed yet.

Thomas K's picture

If all the above fails, try running Malwarebytes to detect and remove this thing.

indigojojo's picture

Hi Lightlyblazin,

I've recently worked on a machine with this virus.  I followed these steps to remove it - http://www.myantispyware.com/2011/03/26/how-to-remove-windows-repair-virus/

In addition to those steps, I found the virus sets all the file properties on your hard drive to 'Hidden', and then changes your folder options to not show hidden files.

To resolve, in Windows Explorer, try going to Tools, Folder Options.  Select the View tab, then in Advanced Settings, find Files and Folders, Hidden Files and Folders, and select Show hidden files and folders.  Click OK.  You should now see all your files, however they will look kind of faded.

You should then change the file attributes for the folders - you can select them all and do as a group, or go through individually.  Whichever way you choose, right click on what you want to change the attributes for, and select Properties.  Unselect Hidden in the window that appears and click Apply.  A window will pop asking if you want to apply it to subfolders, select this option and click OK. If you get any error messages about being unable to change the attributes for a file, just skip that file and continue on.

I also ran a registry cleaning utility to tidy things up there as well - you can find a whole range of these, try searching cnet.com for reputable downloads.

Hope that helps,

J

 

edited:  wrong username

JohnManag3d's picture

Thanks. Folder properties AND start menu properties both had to be tweaked - huge waste of time searching for these solutions (on iPhone no less) and those mentioned above, but all in all no real damage done.

indigojojo's picture

Oh, and you may find your Internet Explorer security settings have been changed, particularly in regards to ActiveX settings.  Follow the prompts IE gives you to restore your security levels.

J

dmac10's picture

I worked on a machine with this virus just this afternoon. The virus changes the attributes of many of your files to hidden. Going into file/folder options and showing hidden files allows you to view the hidden files; once that is done you can simply change the attributes back. The only anti-virus program that actually detected the virus was SuperAntiSpyware. Once that was finished I followed it up with MBAM and Eset; after those were finished most of the hard work was done. On a side note, this virus seems to like hiding in system restore points. I would recommend, once the system is clean, deleting all the old restore points and creating a new clean one. Good luck,
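The attribute reset that indigojojo and dmac10 describe, written as a script. This is an added example, not part of either post; the starting folder, the `-Apply` switch and the choice to leave System-flagged items hidden are assumptions.

```powershell
# Added example: clear the Hidden attribute below a folder.
# Assumption: items that are also flagged System stay hidden, because
# Windows hides those itself (desktop.ini, pagefile.sys and similar).
param(
    [string]$Root = $env:USERPROFILE,   # assumed starting folder
    [switch]$Apply                      # without -Apply, report only
)

$hidden  = [System.IO.FileAttributes]::Hidden
$system  = [System.IO.FileAttributes]::System
$changed = 0; $skipped = 0; $failed = 0

# -Force makes Get-ChildItem return hidden items. Folders that cannot
# be read are passed over instead of stopping the run.
Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Attributes -band $hidden } |
    ForEach-Object {
        $item = $_                      # keep a handle; $_ changes inside catch
        if ($item.Attributes -band $system) { $skipped++; return }
        if (-not $Apply) {
            Write-Output "would unhide: $($item.FullName)"
            return
        }
        try {
            # Clear only the Hidden bit; read-only, archive etc. are kept.
            $item.Attributes = $item.Attributes -band (-bnot $hidden)
            $changed++
        } catch {
            # Locked or protected item: note it and carry on.
            $failed++
            Write-Warning "could not change: $($item.FullName)"
        }
    }

Write-Output "changed=$changed skipped_system=$skipped failed=$failed"
```

Run it once without `-Apply` to review the list, then again with `-Apply` from an elevated prompt.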

optdoug's picture

There are several products that will fix this virus. Unfortunately none of them are Symantec products. The ones that I have found that work are unhide.exe located here. http://download.bleepingcomputer.com/grinler/unhide.exe 

You will also need Combofix located here. http://download.bleepingcomputer.com/protected/0addf64e81b684e85bae3111415e485a/4d97c145/ComboFix.exe 

You can also download Malwarebytes here. http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html?tag=mncol;1 

You will need to reboot your computer in safe mode and run unhide.exe first. This will unhide all the files that the Windows Repair virus has hidden.

Then you can run Combofix to remove the malware and any rootkits that may have been installed on your computer. Once Combofix completes, you can reboot your computer. Keep your computer off the network when you do the first reboot. It may try to restart the malware once you have logged back in to your computer. You may also get an error loading a certain dll file after logging in. The dll will be a random name and you will have to open regedit to search for the dll. It will be in the run folder of the registry. Delete that key and reboot the computer.

You may need to re-run unhide.exe and Combofix after the computer restarts. After that the computer should be free of the Windows Repair virus.

Once your computer is free from running the malware, install Malwarebytes, run the update and do a full scan of your C:\ drive. This will find and remove any remnants of the malware.
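A report-only check for the leftover Run entry optdoug mentions, the one that produces the DLL load error at logon once the file itself has been removed. This is an added example, not part of the post; the helper name `Get-TargetPath` and its command-line parsing rules are assumptions, and only the two standard Run keys are read.

```powershell
# Added example: list Run-key values whose target file no longer exists.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)

# Hypothetical helper: pull the file a Run command line points at.
function Get-TargetPath([string]$Command) {
    $c = [Environment]::ExpandEnvironmentVariables($Command)
    # rundll32 entries: the DLL is the argument before the comma
    if ($c -match 'rundll32(\.exe)?"?\s+"?([^",]+\.dll)') { return $Matches[2] }
    # quoted program path
    if ($c -match '^\s*"([^"]+)"') { return $Matches[1] }
    # unquoted path, up to the first known extension
    if ($c -match '^\s*(.+?\.(exe|dll|com|bat|cmd))(\s|$)') { return $Matches[1] }
    return $null
}

$findings = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $reg = Get-Item -Path $key
    foreach ($name in $reg.GetValueNames()) {
        $command = [string]$reg.GetValue($name)
        $target  = Get-TargetPath $command
        $exists  = $false
        if ($target) {
            if ([System.IO.Path]::IsPathRooted($target)) {
                $exists = Test-Path -LiteralPath $target
            } else {
                # bare file name: resolved through PATH, as Windows would
                $exists = [bool](Get-Command $target -ErrorAction SilentlyContinue)
            }
        }
        New-Object PSObject -Property @{
            Key = $key; Name = $name; Command = $command
            Target = $target; TargetExists = $exists
        }
    }
}

# Entries with a missing or unparsed target are the ones to inspect in regedit.
$findings | Where-Object { -not $_.TargetExists } |
    Format-List Key, Name, Command, Target
```

The script changes nothing; deleting a listed value is still a manual decision in regedit.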

BoeingAH64's picture

How did you guys overcome the problem of the virus restarting the computer? Every time I tried to fix it, it would restart.

Going on the internet made things worse. I tried copying my documents to a hard drive but they too got hidden. So I had to format the hard drive, and format my computer hard drive and reinstall Windows. My computer works better now lol, but lucky I had most of my stuff on another hard drive. Pain in the ass reinstalling everything, but most was out of date…