Windows XP Restore

9 replies to this topic

#1 greg1952

greg1952

  • Members
  • 9 posts
  • OFFLINE

Posted 12 June 2011 - 04:05 PM

We had a window pop up called Windows XP Restore. It wants to scan our computer for problems. When we tried to "x" it out it froze. We turned it off and rebooted it and it popped up again. We didn't give it the go-ahead to scan, but it started scanning anyway. Is this a virus and what should we do?

Edited by hamluis, 12 June 2011 - 05:00 PM.
Moved from XP to Am I Infected.



#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,566 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA

Posted 12 June 2011 - 08:31 PM

Hello and welcome, yes it is.

Please follow our Removal Guide here Remove Windows Restore (Uninstall Guide).
After reading how the malware is misleading you ...
You will move to the Automated Removal Instructions

After you completed that, post your scan log here, let me know how things are.
The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#3 greg1952

greg1952
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE

Posted 15 June 2011 - 12:42 PM

First of all, I have to say how much I appreciate this website and the help it has been. I went from a completely unusable computer, to finally being able to get back on-line. After a lot of back-and-forth between my laptop and the infected desktop, using a USB to transfer downloads you suggested, and reading lots of other posts on this site about how to get rid of the virus, I am finally running again. The computer is still very slow and many of my files still say they are empty when I try to open them. Here is the MBAM log:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6858

Windows 5.1.2600 Service Pack 2 (Safe Mode)
Internet Explorer 8.0.6001.18702

6/15/2011 11:26:35 AM
mbam-log-2011-06-15 (11-26-35).txt

Scan type: Full scan (A:\|C:\|D:\|E:\|F:\|G:\|)
Objects scanned: 200613
Time elapsed: 1 hour(s), 18 minute(s), 38 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\matt gray\local settings\Temp\~dpzf.tmp\ibario-driverperformer-silent-us.exe (PUP.Zugo) -> Quarantined and deleted successfully.
c:\system volume information\_restore{6965f33d-b286-4727-b59c-2042d35b488a}\RP497\A0052929.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\system volume information\_restore{6965f33d-b286-4727-b59c-2042d35b488a}\RP497\A0052930.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.



Here is the Rootkit Unhooker Log:

RkU Version: 3.8.389.593, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 2)
Number of processors #1
==============================================
0x81AA0E7A Unknown thread object [ ETHREAD 0x81A1FDA8 ] TID: 120, 600 bytes
0x81AA3008 Unknown thread object [ ETHREAD 0x81A1FB30 ] TID: 124, 600 bytes
0x81A9C288 Unknown page with executable code, 3448 bytes
0x81A9DA91 Unknown page with executable code, 1391 bytes
0x81A9E191 Unknown page with executable code, 3695 bytes
0x81AA2CDC Unknown page with executable code, 804 bytes
0xF9281000 WARNING: Virus alike driver modification [VolSnap.sys], 53248 bytes

Thank you for looking at this. I appreciate any help you can give me in trying to get the folders back and the virus completely off my computer! Thanks again!
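As an added example (not code from this thread or from Malwarebytes), a small Python parser for the MBAM 1.50 log format pasted above. It pulls out the header fields the helper asked for (database version and the Windows line), cross-checks the summary counts against the entries actually listed so a truncated paste is caught, and flags detections that live under System Volume Information, which are snapshot copies held in System Restore points rather than live files. The sample log is a trimmed copy of the one in the post.

```python
import re
from collections import Counter
# Trimmed copy of the MBAM 1.50 log posted above (same layout, fewer lines).
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.50.1.1100
Database version: 6858
Windows 5.1.2600 Service Pack 2 (Safe Mode)
Scan type: Full scan (A:\|C:\|D:\|E:\|F:\|G:\|)

Files Infected: 3

Files Infected:
c:\documents and settings\matt gray\local settings\Temp\~dpzf.tmp\ibario-driverperformer-silent-us.exe (PUP.Zugo) -> Quarantined and deleted successfully.
c:\system volume information\_restore{6965f33d-b286-4727-b59c-2042d35b488a}\RP497\A0052929.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\system volume information\_restore{6965f33d-b286-4727-b59c-2042d35b488a}\RP497\A0052930.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
"""
# One entry: <path> (<detection name>) -> <action>; lazy path so "Program Files (x86)" still parses.
DETECTION_RE = re.compile(r"^(?P<path>.+?) \((?P<name>[^()]+)\) -> (?P<action>.+)$")
# Files under System Restore are snapshot copies, not the live infection.
RESTORE_POINT_RE = re.compile(r"\\system volume information\\_restore\{", re.IGNORECASE)

def parse_mbam_log(text):
    """Return (header fields, summary counts, detection entries) from an MBAM log."""
    header, counts, detections, section = {}, {}, [], None
    for line in (ln.strip() for ln in text.splitlines()):
        if not line:
            continue
        if line.startswith("Database version:"):
            header["database_version"] = line.split(":", 1)[1].strip()
        elif line.startswith("Windows "):
            header["os"] = line
        elif line.endswith(":"):            # section heading, e.g. "Files Infected:"
            section = line[:-1]
        elif " Infected: " in line:          # summary line, e.g. "Files Infected: 3"
            key, _, num = line.rpartition(": ")
            counts[key] = int(num)
        elif section and (m := DETECTION_RE.match(line)):
            detections.append({"section": section, **m.groupdict()})
    return header, counts, detections

def log_is_complete(counts, detections):
    """Summary counts must match the listed entries; a mismatch means a truncated paste."""
    listed = Counter(d["section"] for d in detections)
    return all(listed[k] == v for k, v in counts.items())

def triage(detections):
    """Tally detections per family and list the ones sitting inside restore points."""
    by_name = Counter(d["name"] for d in detections)
    restore_hits = [d["path"] for d in detections if RESTORE_POINT_RE.search(d["path"])]
    return by_name, restore_hits
```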

#4 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,770 posts
  • OFFLINE
  • Gender:Male
  • Location:Daly City, CA

Posted 15 June 2011 - 09:28 PM

It looks like you have an important system file (VolSnap.sys) rootkited.

With the information you have provided I believe you will need help from the malware removal team. I would like you to start a new thread and post a DDS log HERE and include a link to this thread. Please make sure that you read the information about getting started before you start your thread.

It would be helpful if you post a note here once you have completed the steps in the guide and have started your topic in malware removal. Good luck and be patient. Help is on the way!

My Website

My help doesn't cost a penny, but if you'd like to consider a donation, click DONATE

 


#5 greg1952

greg1952
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE

Posted 16 June 2011 - 09:34 AM

Unfortunately, now the XP Security 2012 virus is on our computer and I can't use it at all. Should I try using the RKill first (if it's even possible)?

#6 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,566 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA

Posted 16 June 2011 - 11:59 AM

Can you run from Safe Mode with Networking?

How to enter safe mode (XP/Vista)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode with Networking using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode.

#7 greg1952

greg1952
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE

Posted 23 June 2011 - 08:32 AM

I think I have the DDS log and can put it on a new thread, but I don't know how to include a link to this thread. How do I do that?

#8 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,566 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA

Posted 23 June 2011 - 11:50 AM

Copy and paste this

http://www.bleepingcomputer.com/forums/topic403382.html/page__pid__2304607#entry2304607

#9 greg1952

greg1952
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE

Posted 23 June 2011 - 07:40 PM

I thought I started a new thread with the DDS log on it, but I don't see it anywhere in this forum. Should I post the thread again? Also, I can't get the GMER to complete a scan. It freezes in the middle of the scan every time I try to run it. Any thoughts on that? Thanks so much.

#10 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,770 posts
  • OFFLINE
  • Gender:Male
  • Location:Daly City, CA

Posted 23 June 2011 - 07:45 PM

I can see your topic here: http://www.bleepingcomputer.com/forums/topic405728.html/page__p__2305312__fromsearch__1#entry2305312
