BleepingComputer.com: System Restore Virus After Effects

I cleaned out the System Restore virus with Malwarebytes. THen the person complained later of slownes. It seemed to me to be mainly an issue with IE. So, I installed Firefox and update Win7-64 to SP1 and installed all other important updates. After the last reboot, all the sudden System Restore virus is back. This time I got the whole infection including the hidden folders and critical error pop-ups. I cleaned it out again with Malwarebytes with both a quick and full scan. I also ran SuperAntiSpyware. Now that I got it off again, certain things are not functioning properly even some that worked in the midst of the infection: pinned shortcut to Windows Update is completely gone from system, still only able to browse with Firefox, Windows Update is unable to check for updates, windows firewall won't turn, most exe files wont run( install fille for AVG, unhide.exe, rkill, iExplore, and one other from one of the system restore threads but I forget the name because I renamed file). Neither spyware program is finding anything and neither is TDSSKiller. I also get a webstie I think it was testendonline.com. I might have to check the removal guide for that one and see if that solves all my problems

This is a particularly invasive little nasty that I've just had the misfortune of becoming acquainted with a couple days ago. I too, seem to have gotten the full load from this thing in what appeard to be a string of hardware error popups, occuring over a couple days, referring to insufficient RAM or corrupt RAM or bad sectors on my primary drive. Then I got several "critical error" popups and then a whole string of them. After closing these windows using the red "x" a screen entitled System Restore popped up and began an unrequested scan that could not be stopped and the program could not be closed. Did a hard shutdown and went Google to see what I had.

Research led me to the necessary tools and warnings about not running cCleaner or it's like and not to delete any Temp files or folders because our friend removes files & links, storing backups of them in a Temp folder in Documents & Settings/Local Settings/..... Followed the instructions, ran the tools and, like you, only got some of my configuration back. Now, after a day of attempting to restore function it seems to have dug in like an Alabama tick and rebuffs all attempts to change things. I can get to my profile in Safe Mode and do all the things I've read about, but any normal reboot either logs on and then off or logs me on to a generic but bastardized desktop with only My Computer & Recycle Bin on the desktop.

I get a USB error when I try to run the Acronis True Image rescue CD and all attempts to use Windows System Restore utility from Safe Mode results in the generic desktop. My guess at this point is the Master Boot Record is trashed and need to be repaired, but I'm looking for some guidance (and guts) before I go down that path. Ideas ???

Hello,in both your cases we need a deeper look. Please go here....
Preparation Guide ,do steps 6 - 9.

Create a DDS log and post it in the new topic explained in step 9,which is here Virus, Trojan, Spyware, and Malware Removal Logs and not in this topic,thanks.
If Gmer won't run,skip it and move on.
Include a link back to this topic.

Let me know if that went well.

boopme, on 03 November 2011 - 01:07 PM, said:

Oh yeah forgot to post my logs

boopme, on 03 November 2011 - 01:07 PM, said:

Hello and thanks for your reply. I may have some difficulty following these instructions on the infected machine, but am willing to try whatever you suggest.

I have come to a point in this infection where I believe this thing has dug into the registry and replaced my system files with a mini-set of it's own that get's between me and the system on bootup. I seem to be able to access Safe Mode, but it doesn't behave right during the transition into Safe Mode offering an option to try System Restore. I took that option one time and went back 2 days prior to the infection,booted to Safe Mode, and ran Malwarebytes and removed 2 items. Rootkit.TDSS & MALWARE.PACKAGER.GEN. Then befor reboot ran rkill.exe and the kapersky tool and then unhide.exe. All ran and then I rebooted into Last Known Good and got the popup error,
"Isass.exe System Error
An I/O operation initiated by the Registry failed unrecoverably. The Registry could not read in, write out, or flush, one of the files that contains the system's image of the registry."
Then, behind this window appears a blue/grey MS box that gives the OS name and says Windows is starting up. This boots to a welcome screen with my account and the Administrator account shown. Administrator is PW protected and my account is not. I live alone and do not use passwords or the Welcome screen and Administrator is hidden. Can't access administrator and accessing my account brings up my desktop wallpaper, system tray and quicklaunch icons and then shuts down and reboots back to the welcome screen.

Can I follow your instructions in Safe Mode (if it is in fact Safe Mode)?

As an update to my problem, it seems what I have is some sort of ZeroAccess Trojan. I am now completely locked out of the system. A normal boot leads in reboot circles and now I cannot access Safe Mode. It will start to boot into Safe and then freeze and after many minutes (more than 10) puts up a blue screen with the message...
Stop: c0000218 {Registry File Failure}
The registry cannot load the hive (file)\Systemroot\System32\Config\SECURITY or it's log or alternate
It is corrupt, absent or not writable.

Is it worth trying to slave the drive to a laptop with all the tools installed and run the scanns to clean the drive that way?? Or dose the drive have to be bootable?

My alternative is to restore an image of the drive that is 4 months old. Not a tragedy, but perhaps a better alternative. I copied all my personal data from the drive to an external while in Safe Mode last night, so I can restore that after restoring the image and only lose some system configuration changes since then and updates.

Thoughts... advice ????

Yes, both options are plausible,in that order. The slave should work.

Here's my info on reformatting.
Only back up your important documents, personal data files, photos to a CD or DVD drive, not a flash drive or external hard drive as they may become compromised in the process. The safest practice is not to backup any executable files (*.exe), screensavers (*.scr), autorun (.ini) or script files (.php, .asp, .htm, .html, .xml ) files because they may be infected by malware. Avoid backing up compressed files (.zip, .cab, .rar) that have executables inside them as some types of malware can penetrate compressed files and infect the .exe files within them. Other types of malware may even disguise itself by hiding a file extension or adding to the existing extension as shown here (click Figure 1 to enlarge) so be sure you look closely at the full file name. If you cannot see the file extension, you may need to reconfigure Windows to show file name extensions. Then make sure you scan the backed up data with your anti-virus prior to to copying it back to your hard drive.

If your CD/DVD drive is unusable, another word of caution if you are considering backing up to an external usb hard drive as your only alternative. External drives are more susceptible to infection and can become compromised in the process of backing up data. I'm not saying you should not try using such devices but I want to make you aware of all your options and associated risks so you can make an informed decision if its worth that risk.

• How and Where to backup your files in XP or Vista
  
• How to Backup and Restore in Windows 7
  
• How to use Ubuntu Live CD to Backup Files from your dead Windows Computer

Again, do not back up any files with the following file extensions: exe, .scr, .ini, .htm, .html, .php, .asp, .xml, .zip, .rar, .cab as they may be infected.

If you're not sure how to reformat or need help with reformatting, please review:

• How to partition and format a hard disk in Windows XP
  
• Prepping for a Clean Install Windows XP.

These links include step-by-step instructions with screenshots:

• XP Clean Install Interactive Setup
  
• How to reformat your computer in case of a severe malware infection
  
• Reformat & Clean Install Windows XP

Vista users can refer to these instructions:

• Windows Vista Clean Install
  
• How to Do a Clean Install and Setup with a Full Version of Vista
  
• How to Do a Clean Install with a Upgrade Version of Vista

Don't forget you will have to go to Microsoft Update and apply all Windows security patches after reformatting.

Note: If you're using an IBM, Sony, HP, Compaq or Dell machine, you may not have an original XP CD Disk. By policy Microsoft no longer allows OEM manufactures to include the original Windows XP CD-ROM on computers sold with Windows preinstalled. Instead, most computers manufactured and sold by OEM vendors come with a vendor-specific Recovery Disk or Recovery Partition for performing a clean "factory restore" that will reformat your hard drive, remove all data and restore the computer to the state it was in when you first purchased it. See Technology Advisory Recovery Media. If the recovery partition has become infected, you will need to contact the manufacturer, explain what happened and ask them to send full recovery disks to use instead..

If you need additional assistance with reformatting or partitioning, you can start a new topic in the Operating Systems Subforums forum.

Thank you for your advice and all of the useful information. As it's tired and I'm gettin late, here, I'll sleep on this, weigh my options in the morning and move forward.

If I slave the drive, I'll do a new backup after I view the files and structure on the slaved drive to another partition on the same drive. Then I'll go to work with the tools.

Again, thanks for your time and interest and for all you guys do here. I'll post back with my results.

~Doc

I remember now why didn't post logs. DDS wouldn't run and GMER didn't give me anything

If you can run DDS and want to post there run this and just skip the GMER for now. Downside is a 3-5 day reply wait.

If you cannot get DDS to work, please try this instead.

Please download OTL by OldTimer and save it to your Desktop.

• Close all other applications and windows so that you have nothing open.
  
• Double click on the icon on your desktop.
  
  Vista/Windows 7 users right-click and select Run As Administrator.
  If you receive a UAC prompt asking if you would like to continue running the program, you should press the Continue button.
  
  
• Under Output, ensure that Minimal Output is selected.
  
• Click the "Scan All Users" checkbox.
  Leave the remaining selections to the default settings.
  
  
• Click the button.
  
• Do not use the computer while the scan is in progress.
  
• When the scan is complete, two log files will open in Notepad:
  • OTListIt.txt <- (will be maximized)
    
  • Extras.txt <- (will be minimized in the Task Bar).
  
  
• Both logs are automatically saved to the Desktop.
  
• Please copy and paste the contents of OTListIt.txt and Extras.txt in your next reply.
  If the Extras.txt log is too long, you may need to add a second reply to your thread or upload it as an attachment.
  
• Click the red X in the upper right corner to exit OTL.

Important: Be sure to mention that you tried to follow the Prep Guide but were unable to get DDS to run. If OTL did not work, then reply back here.

To update this, I could slave the drive to another system and run the tools from there on the infected drive. But, given the extent of the infection and an uncertainty that the system could be cleaned and restored without the setup damaged in some way, I opted to restore the 4 month old image. That accomplished I am now scaning my data for infection and restoring it when it comes back clean.

Thanks again for your input.

Good choice.. you will need to go to windows Update. Also upate your AV,and any Java and Adobe reader.

boopme, on 04 November 2011 - 10:21 AM, said:

Forgot all about OTL. BTW is it normal for GMER to not let you check every box?

This post has been edited by Sonic98: 05 November 2011 - 12:01 PM

At times, I cannot explain why,only that I see it happen.

Hello,

Now that you have posted a log here: http://www.bleepingcomputer.com/forums/topic426513.html you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a MRT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the MRT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the MRT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the MRT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another MRT Team member is already assisting you and not open the thread to respond.

Please be patient. It may take several days to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom