Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Unable to remove Data Restore virus

  • This topic is locked This topic is locked
2 replies to this topic

#1 Rothbart


  • Members
  • 1 posts
  • Local time:09:24 AM

Posted 19 October 2011 - 02:27 AM

Hello, I'm a first-time poster.

An Internet-connected system running Windows XP SP3 has become infected with the Data Restore virus.

The system runs Avira AntiVir, whose definitions were updated every three days or so. Windows Automatic Updates were turned on, and updates occurred regularly. I know that these settings had not changed recently, and I have no reason to believe that the definitions were not current. Nonetheless, the infection occurred.

The machine is capable of doing anything whatever (albeit nothing of any productive use) only if run in Safe Mode with Adminstrator privileges.
- If not in Safe Mode, then the virus is the only thing that runs.
- If in Safe Mode without Adminstrator privileges, then it seems that, while there's no evidence of the virus, nothing at all can be done (for example, it's impossible to run Windows Task Manager because its use has been "prohibited by ... Administrator").

Multiple attempts on different days to remove the virus using the then-current build of Avira's Rescue System (apparently updated several times per day--certainly the file sizes differ) on CD-R have all been unsuccessful. It's not that the rescue system is defeated by this virus. Rather, it's that, long before reaching that point, the Linux GUI program ends with the message "Self check failed! The file failed the check. Press OK to shutdown." The name of the file is absent. 'Web searches show that this is not an uncommon situation, but fail to suggest any solution. (The Avira web site is mute on the issue.)

Enter this forum. I have tried to follow the instructions at http://www.bleepingcomputer.com/virus-removal/remove-data-restore and http://www.bleepingcomputer.com/forums/topic34773.html, but the virus remains. Here are some details.

1. DDS.SCR produced no output. Its white-on-black CMD screen showed the expected preamble, but neither of the two NOTEPAD windows opened. I repeated it with the same result. To the limited availability afforded by Windows Explorer in the circumstances (e.g., no FIND command), I failed to find such files. (FWIW, DDS.SCR worked fine on a non-infected system.)

2. GMER was unsuccessful. I doubt that the virus had anything to do with its failure. Rather, it failed with the following message in white on blue: "NEL_DATA_INPAGE_ERROR". The message was offset to the left, so that the first few characters were invisible.

3. Defogger was uneventful.

4. RKILL.COM seemed to find nothing to do. The list of "Processes terminated by Rkill or while it was running" was empty.

5. TDSSKILL.EXE found one problem: \Device\Harddisk0\DR0 ( Rootkit.Root.Pihar.a )

6. MBAM reported that its definitions were 45 days old. Networking being unavailable, it was impossible to update its definitions, but I ran the program anyway. It finished after scanning for something over two hours, having processed 300k+ objects and finding 16 errors (six registry keys, three registry values, two folders and five files). All were moved to quarantine.

Hoping that the problem had been fixed, I rebooted the machine not in Safe Mode, only to find the virus extant.

I repeated the sequence some 12 hours later with the following results.

1. Again no results were available from DDS.

2. GMER was not run.

3. Again Defogger was uneventful.

4. Again RKILL.COM seemed to find nothing to do. The list of "Processes terminated by Rkill or while it was running" was empty.

5. TDSSKILL.EXE found nothing: 216 objects, 0 threats.

6. MBAM reported that its definitions were 47 days old. (Given that it had been less than 12 hours since I had first run it, I had expected it to say either 45 or 46 days.) This time Networking was available, but the update failed with the following two messages.

PROGRAM_ERROR_UPDATING (11004, 0, No address found)

The requested name is valid and was found in the database, but it does not have the current associated data being resolved for.

This time MBAM ran for just over one hour (about half as long), processed 300K+ objects, and found no errors.

Even though the virus remains extant (less surprisingly this time), it was inconvenient to have to continue to ask to show hidden files, so I ran UNHIDE.EXE, but without success. The program reported the following.

' PEV VOLUME ' is not recognized as an internal or external command, operable program or batch file.

Can't find script engine "VBScript" for script "C:\DOCUM~1\ADMIN~1\LOCALS~1\Temp\info.vbs"

I have spent over five days working on this now, and seem have run out of options other than either (a) trusting to a packaged solution, or else (B) reinstalling Windows. I'd prefer to do neither, and would much appreciate any suggestions this forum can offer.



BC AdBot (Login to Remove)


#2 HelpBot


    Bleepin' Binary Bot

  • Bots
  • 12,743 posts
  • Gender:Male
  • Local time:01:24 PM

Posted 24 October 2011 - 02:30 AM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:


Posted Image In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/424122 <<< CLICK THIS LINK

If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.


Posted Image If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.


We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log

As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 HelpBot


    Bleepin' Binary Bot

  • Bots
  • 12,743 posts
  • Gender:Male
  • Local time:01:24 PM

Posted 25 October 2011 - 05:12 PM

You have stated that you no longer need help with this issue, therefore I am closing this topic. If that is not the case and you need or wish to continue with this topic, please send any Moderator a Personal Message (PM) that you would like this topic re-opened.

As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users