Hello, I'm a first-time poster.
An Internet-connected system running Windows XP SP3 has become infected with the Data Restore virus.
The system runs Avira AntiVir, whose definitions were updated every three days or so. Windows Automatic Updates were turned on, and updates occurred regularly. I know that these settings had not changed recently, and I have no reason to believe that the definitions were not current. Nonetheless, the infection occurred.
The machine is capable of doing anything whatever (albeit nothing of any productive use) only if run in Safe Mode with Administrator privileges.
- If not in Safe Mode, then the virus is the only thing that runs.
- If in Safe Mode without Administrator privileges, then it seems that, while there's no evidence of the virus, nothing at all can be done (for example, it's impossible to run Windows Task Manager because its use has been "prohibited by ... Administrator").
Multiple attempts on different days to remove the virus using the then-current build of Avira's Rescue System (apparently updated several times per day--certainly the file sizes differ) on CD-R have all been unsuccessful. It's not that the rescue system is defeated by this virus. Rather, it's that, long before reaching that point, the Linux GUI program ends with the message "Self check failed! The file failed the check. Press OK to shutdown." The name of the file is absent. Web searches show that this is not an uncommon situation, but fail to suggest any solution. (The Avira web site is mute on the issue.)
Enter this forum. I have tried to follow the instructions at http://www.bleepingcomputer.com/virus-removal/remove-data-restore, but the virus remains. Here are some details.
1. DDS.SCR produced no output. Its white-on-black CMD screen showed the expected preamble, but neither of the two NOTEPAD windows opened. I repeated it with the same result. To the limited availability afforded by Windows Explorer in the circumstances (e.g., no FIND command), I failed to find such files. (FWIW, DDS.SCR worked fine on a non-infected system.)
2. GMER was unsuccessful. I doubt that the virus had anything to do with its failure. Rather, it failed with the following message in white on blue: "NEL_DATA_INPAGE_ERROR". The message was offset to the left, so that the first few characters were invisible.
3. Defogger was uneventful.
4. RKILL.COM seemed to find nothing to do. The list of "Processes terminated by Rkill or while it was running" was empty.
5. TDSSKILL.EXE found one problem: \Device\Harddisk0\DR0 ( Rootkit.Root.Pihar.a )
6. MBAM reported that its definitions were 45 days old. Networking being unavailable, it was impossible to update its definitions, but I ran the program anyway. It finished after scanning for something over two hours, having processed 300k+ objects and finding 16 errors (six registry keys, three registry values, two folders and five files). All were moved to quarantine.
Hoping that the problem had been fixed, I rebooted the machine not in Safe Mode, only to find the virus extant.
I repeated the sequence some 12 hours later with the following results.
1. Again no results were available from DDS.
2. GMER was not run.
3. Again Defogger was uneventful.
4. Again RKILL.COM seemed to find nothing to do. The list of "Processes terminated by Rkill or while it was running" was empty.
5. TDSSKILL.EXE found nothing: 216 objects, 0 threats.
6. MBAM reported that its definitions were 47 days old. (Given that it had been less than 12 hours since I had first run it, I had expected it to say either 45 or 46 days.) This time Networking was available, but the update failed with the following two messages.
PROGRAM_ERROR_UPDATING (11004, 0, No address found)
The requested name is valid and was found in the database, but it does not have the current associated data being resolved for.
This time MBAM ran for just over one hour (about half as long), processed 300K+ objects, and found no errors.
Even though the virus remains extant (less surprisingly this time), it was inconvenient to have to continue to ask to show hidden files, so I ran UNHIDE.EXE, but without success. The program reported the following.
' PEV VOLUME ' is not recognized as an internal or external command, operable program or batch file.
Can't find script engine "VBScript" for script "C:\DOCUM~1\ADMIN~1\LOCALS~1\Temp\info.vbs"
I have spent over five days working on this now, and seem to have run out of options other than either (a) trusting to a packaged solution, or else (b) reinstalling Windows. I'd prefer to do neither, and would much appreciate any suggestions this forum can offer.