I recently fixed a problem on my computer involving an infection by a rogue software called "Windows Vista Restore" (Version June 12, 2011), and eight infections including Rootkit.TDSS. After restoring the visibility on my hard drive, my files were visible but still in "hidden" format. Now that I've unhidden them, I get an "Access Denied" message whenever I click on them but I can still access MS Word documents directly through Word, images directly through Paint, etc.
The following is a list of procedures I went through. You may skip this section and go directly to helping resolve the problem if you wish.
When I was browsing the Internet, one of my windows suddenly displayed a rogue error message saying that my computer had suffered a "Hard Drive Failure". I left my Internet on for 30 minutes not realizing there was a problem, before I came back and shut off the computer. Next, I went to a different computer in hopes of finding a solution.
The infection itself tried to lead me to the website by windows-vista-restore.com, and the company claimed to be SecurePay, INC. However no other websites were accessible.
Getting back to the infected computer, the screen was black and half my files were hidden away, and the computer tried to restart itself. Error messages and the typical "11 infections" kept popping up. I tried to restart my computer myself and switch to safe mode, which was unsuccessful because of an existing screen display setting. So, I bypassed the recommended Safe Mode and worked on the problem in regular mode.
First, I unplugged my Internet, and went to the Registry Editor as indicated on multiple websites (a risky procedure), and deleted items including ...\Advanced "Hidden"='0' (which resurfaced), and ...\Advanced "ShowSuperHidden='0', which remained deleted. After restarting my computer again, I turned on Windows Task Manager, which was unaffected by the malware. I shut off a few running programs, including one with the name "SwPGvtLdJxoV", which later turned out to have an associated symbol identical to one used by the rogue software. After discovering this, I deleted this file from the RegEdit, which temporarily solved some problems. It turns out that online instructions asked to delete Run "Windows_Vista_Restore.exe", but in the same location the random-character file was found. There is not much info available, but it looks like the new version of the program used a new name to hide its identity.
I ran MalwareBytes on my computer, which took 14 minutes for a quick scan and discovered Rootkit.TDSS. I quarantined that infection, then restarted my computer. Upon doing this, however, I ran another scan and this one took two hours. It discovered seven infected items, which I again quarantined, and later deleted.
Afterwards, I ran the in-built Vista System Restore feature, which had a name similar to the rogue software. After backing up the system to a previous date, my files appeared to all be deleted, yet they were accessible from the program itself (i.e. Word). The System Restore stated that my documents were unaffected.
Browsing through my files again, I discovered a folder that had a strange alphanumeric name and contained the file "spclite". This was created during a previous infection by a rogue software named "Vista Total Security", which I had removed the month before. After searching through the Internet, I deleted this folder.
After changing a few configurations, all my files were now visible, but in a faded-color "hidden" form. I could open them easily, but they were hidden. Several more scans using MalwareBytes revealed no problems.
I used a cmd script (attrib -h "C:\*.*" /s /d) to unhide my files, which worked in that they now all had a normal color. However, this is when the "Access Denied" error message kept showing up, even though I was fully able to access my documents through Word.
Now that I've resolved the other issues, I'd like help on how I can fix this access problem. I have tried going through folder properties and changing the permissions, but to no avail, so I'd like further help on this problem.
Finally, after the infection another problem in MS Word occurred, but is not currently of much concern. Whenever I try to close a Word document, it asks me to save a new version of the Template "Normal", which I have to close twice in order not to do. How do I stop this from occurring?
Many thanks for any input.
P.S. Some websites have recently shown rogue files. Is it worth reporting the websites that activated malware on my computer to a clearinghouse site for malware, or could the sites be unrelated to the viruses?
Edited by hamluis, 15 June 2011 - 08:28 AM.
Edited for clarity.
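The post above touches three things a cleanup after this kind of rogue software has to check: the Explorer "Hidden" / "ShowSuperHidden" registry values the malware flipped, the file attributes that attrib -h was used to clear, and the file permissions behind the "Access Denied" message. The following PowerShell script is an added diagnostic example, not the poster's own cmd script and not part of the thread; it reads those registry values, lists files under a folder that still carry the Hidden or System attribute, and reports files whose ACL has a Deny entry, an unexpected owner, or cannot be read at all. The $Root path is a placeholder, the owner check is a heuristic, and the optional takeown/icacls repair only runs when -Repair is passed.

```powershell
# Added example (not the poster's own script): audit Explorer hidden-file
# settings, file attributes and ACLs after a rogue-software cleanup.
# Run from an elevated Windows PowerShell prompt. $Root is a placeholder.
param(
    [string]$Root = "$env:USERPROFILE\Documents",  # placeholder folder to audit
    [switch]$Repair                                # opt in to takeown/icacls reset
)

$advanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

# 1. Explorer view settings the rogue software changed. Hidden: 1 = show hidden
#    items, 2 = do not show. ShowSuperHidden: 1 = show protected OS files, 0 = hide.
$view = Get-ItemProperty -Path $advanced -ErrorAction SilentlyContinue
'Explorer Hidden={0} ShowSuperHidden={1}' -f $view.Hidden, $view.ShowSuperHidden

# 2. Files still carrying the Hidden or System attribute. "attrib -h" clears only
#    Hidden; a file left with System set is still treated as protected by Explorer.
$mask = [IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System
$flagged = Get-ChildItem -Path $Root -Recurse -Force -File -ErrorAction SilentlyContinue |
    Where-Object { ($_.Attributes -band $mask) -ne 0 }
'{0} file(s) under {1} still have Hidden or System set' -f @($flagged).Count, $Root
$flagged | Select-Object -First 20 FullName, Attributes | Format-Table -AutoSize

# 3. ACL conditions that produce "Access Denied" in Explorer: an explicit Deny
#    entry, an owner other than the current user (heuristic), or a file whose
#    ACL the current user cannot even read.
$me = [Security.Principal.WindowsIdentity]::GetCurrent().Name
$problems = foreach ($f in Get-ChildItem -Path $Root -Recurse -Force -File -ErrorAction SilentlyContinue) {
    try {
        $acl = Get-Acl -LiteralPath $f.FullName -ErrorAction Stop
    } catch {
        [pscustomobject]@{ Path = $f.FullName; Issue = 'ACL unreadable' }
        continue
    }
    $deny = $acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' }
    if ($deny) {
        [pscustomobject]@{ Path = $f.FullName; Issue = 'Deny ACE for ' + ($deny.IdentityReference -join ',') }
    } elseif ($acl.Owner -ne $me) {
        [pscustomobject]@{ Path = $f.FullName; Issue = 'Owner is ' + $acl.Owner }
    }
}
'{0} file(s) with ACL issues' -f @($problems).Count
$problems | Select-Object -First 20 | Format-Table -AutoSize

# 4. Optional repair: take ownership of the tree and reset every ACL to what
#    the parent folder inherits. Only runs with -Repair; review the report first.
if ($Repair) {
    takeown /F $Root /R /D Y | Out-Null
    icacls $Root /reset /T /C /Q
}
```

Run it once without -Repair to see which of the three categories the affected files fall into; a file that opens in Word but not from Explorer and shows no ACL issue here points away from permissions and toward the remaining Hidden/System attribute or the Explorer settings in step 1.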