
System Restore Virus After Effects


  • This topic is locked
14 replies to this topic

#1 Sonic98

Sonic98

  • Members
  • 26 posts
  • OFFLINE
  • Local time:07:27 PM

Posted 03 November 2011 - 11:23 AM

I cleaned out the System Restore virus with Malwarebytes. Then the person complained later of slowness. It seemed to me to be mainly an issue with IE. So, I installed Firefox and updated Win7-64 to SP1 and installed all other important updates. After the last reboot, all of a sudden the System Restore virus is back. This time I got the whole infection including the hidden folders and critical error pop-ups. I cleaned it out again with Malwarebytes with both a quick and full scan. I also ran SuperAntiSpyware. Now that I got it off again, certain things are not functioning properly, even some that worked in the midst of the infection: the pinned shortcut to Windows Update is completely gone from the system, I am still only able to browse with Firefox, Windows Update is unable to check for updates, Windows Firewall won't turn on, most exe files won't run (install file for AVG, unhide.exe, rkill, iExplore, and one other from one of the System Restore threads, but I forget the name because I renamed the file). Neither spyware program is finding anything and neither is TDSSKiller. I also get a website; I think it was testendonline.com. I might have to check the removal guide for that one and see if that solves all my problems.


#2 Doc Watson

Doc Watson

  • Members
  • 14 posts
  • OFFLINE
  • Local time:08:27 PM

Posted 03 November 2011 - 12:27 PM

This is a particularly invasive little nasty that I've just had the misfortune of becoming acquainted with a couple of days ago. I too seem to have gotten the full load from this thing in what appeared to be a string of hardware error popups, occurring over a couple of days, referring to insufficient RAM or corrupt RAM or bad sectors on my primary drive. Then I got several "critical error" popups and then a whole string of them. After closing these windows using the red "x", a screen entitled System Restore popped up and began an unrequested scan that could not be stopped, and the program could not be closed. Did a hard shutdown and went to Google to see what I had.

Research led me to the necessary tools and warnings about not running CCleaner or its like and not to delete any Temp files or folders, because our friend removes files & links, storing backups of them in a Temp folder in Documents & Settings/Local Settings/..... Followed the instructions, ran the tools and, like you, only got some of my configuration back. Now, after a day of attempting to restore function, it seems to have dug in like an Alabama tick and rebuffs all attempts to change things. I can get to my profile in Safe Mode and do all the things I've read about, but any normal reboot either logs on and then off or logs me on to a generic but bastardized desktop with only My Computer & Recycle Bin on the desktop.

I get a USB error when I try to run the Acronis True Image rescue CD, and all attempts to use the Windows System Restore utility from Safe Mode result in the generic desktop. My guess at this point is the Master Boot Record is trashed and needs to be repaired, but I'm looking for some guidance (and guts) before I go down that path. Ideas ???

#3 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,917 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:09:27 PM

Posted 03 November 2011 - 01:07 PM

Hello, in both your cases we need a deeper look. Please go here....
Preparation Guide, do steps 6 - 9.

Create a DDS log and post it in the new topic explained in step 9, which is here: Virus, Trojan, Spyware, and Malware Removal Logs, and not in this topic, thanks.
If Gmer won't run, skip it and move on.
Include a link back to this topic.

Let me know if that went well.
How do I get help? Who is helping me?
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook

#4 Sonic98

Sonic98
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  • Local time:07:27 PM

Posted 03 November 2011 - 01:22 PM

Hello, in both your cases we need a deeper look. Please go here....
Preparation Guide, do steps 6 - 9.

Create a DDS log and post it in the new topic explained in step 9, which is here: Virus, Trojan, Spyware, and Malware Removal Logs, and not in this topic, thanks.
If Gmer won't run, skip it and move on.
Include a link back to this topic.

Let me know if that went well.


Oh yeah, forgot to post my logs.

#5 Doc Watson

Doc Watson

  • Members
  • 14 posts
  • OFFLINE
  • Local time:08:27 PM

Posted 03 November 2011 - 03:52 PM

Hello, in both your cases we need a deeper look. Please go here....
Preparation Guide, do steps 6 - 9.

Create a DDS log and post it in the new topic explained in step 9, which is here: Virus, Trojan, Spyware, and Malware Removal Logs, and not in this topic, thanks.
If Gmer won't run, skip it and move on.
Include a link back to this topic.

Let me know if that went well.

Hello and thanks for your reply. I may have some difficulty following these instructions on the infected machine, but am willing to try whatever you suggest.

I have come to a point in this infection where I believe this thing has dug into the registry and replaced my system files with a mini-set of its own that gets between me and the system on bootup. I seem to be able to access Safe Mode, but it doesn't behave right during the transition into Safe Mode, offering an option to try System Restore. I took that option one time and went back 2 days prior to the infection, booted to Safe Mode, and ran Malwarebytes and removed 2 items: Rootkit.TDSS & MALWARE.PACKAGER.GEN. Then before reboot I ran rkill.exe and the Kaspersky tool and then unhide.exe. All ran, and then I rebooted into Last Known Good and got the popup error,
"Isass.exe System Error
An I/O operation initiated by the Registry failed unrecoverably. The Registry could not read in, write out, or flush, one of the files that contains the system's image of the registry."
Then, behind this window appears a blue/grey MS box that gives the OS name and says Windows is starting up. This boots to a welcome screen with my account and the Administrator account shown. Administrator is PW protected and my account is not. I live alone and do not use passwords or the Welcome screen, and Administrator is hidden. Can't access Administrator, and accessing my account brings up my desktop wallpaper, system tray and quick launch icons and then shuts down and reboots back to the welcome screen.

Can I follow your instructions in Safe Mode (if it is in fact Safe Mode)?

#6 Doc Watson

Doc Watson

  • Members
  • 14 posts
  • OFFLINE
  • Local time:08:27 PM

Posted 03 November 2011 - 07:41 PM

As an update to my problem, it seems what I have is some sort of ZeroAccess Trojan. I am now completely locked out of the system. A normal boot leads to reboot circles, and now I cannot access Safe Mode. It will start to boot into Safe Mode and then freeze, and after many minutes (more than 10) puts up a blue screen with the message...
Stop: c0000218 {Registry File Failure}
The registry cannot load the hive (file)\Systemroot\System32\Config\SECURITY or it's log or alternate
It is corrupt, absent or not writable.

Is it worth trying to slave the drive to a laptop with all the tools installed and run the scans to clean the drive that way?? Or does the drive have to be bootable?

My alternative is to restore an image of the drive that is 4 months old. Not a tragedy, but perhaps a better alternative. I copied all my personal data from the drive to an external while in Safe Mode last night, so I can restore that after restoring the image and only lose some system configuration changes since then and updates.

Thoughts... advice ????

#7 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,917 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:09:27 PM

Posted 03 November 2011 - 08:46 PM

Yes, both options are plausible, in that order. The slave should work.

Here's my info on reformatting.
Only back up your important documents, personal data files and photos to a CD or DVD drive, not a flash drive or external hard drive, as they may become compromised in the process. The safest practice is not to back up any executable files (*.exe), screensavers (*.scr), autorun (.ini) or script files (.php, .asp, .htm, .html, .xml) because they may be infected by malware. Avoid backing up compressed files (.zip, .cab, .rar) that have executables inside them, as some types of malware can penetrate compressed files and infect the .exe files within them. Other types of malware may even disguise themselves by hiding a file extension or adding to the existing extension as shown here (click Figure 1 to enlarge), so be sure you look closely at the full file name. If you cannot see the file extension, you may need to reconfigure Windows to show file name extensions. Then make sure you scan the backed-up data with your anti-virus prior to copying it back to your hard drive.

If your CD/DVD drive is unusable, another word of caution if you are considering backing up to an external USB hard drive as your only alternative. External drives are more susceptible to infection and can become compromised in the process of backing up data. I'm not saying you should not try using such devices, but I want to make you aware of all your options and associated risks so you can make an informed decision if it's worth that risk. Again, do not back up any files with the following file extensions: .exe, .scr, .ini, .htm, .html, .php, .asp, .xml, .zip, .rar, .cab, as they may be infected.

If you're not sure how to reformat or need help with reformatting, please review:
These links include step-by-step instructions with screenshots:
Vista users can refer to these instructions:
Don't forget you will have to go to Microsoft Update and apply all Windows security patches after reformatting.

Note: If you're using an IBM, Sony, HP, Compaq or Dell machine, you may not have an original XP CD. By policy, Microsoft no longer allows OEM manufacturers to include the original Windows XP CD-ROM on computers sold with Windows preinstalled. Instead, most computers manufactured and sold by OEM vendors come with a vendor-specific Recovery Disk or Recovery Partition for performing a clean "factory restore" that will reformat your hard drive, remove all data and restore the computer to the state it was in when you first purchased it. See Technology Advisory Recovery Media. If the recovery partition has become infected, you will need to contact the manufacturer, explain what happened and ask them to send full recovery disks to use instead.

If you need additional assistance with reformatting or partitioning, you can start a new topic in the Operating Systems Subforums forum.
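Added example, not code from the thread or from BleepingComputer: a Python pre-flight check that applies the backup rules above to a folder before anything is copied. It flags the listed extensions, catches double extensions such as photo.jpg.exe, and opens .zip archives to see whether an executable is inside (.cab and .rar are only flagged for manual inspection). The folder layout it builds is constructed sample data.

```python
import os
import tempfile
import zipfile
from pathlib import Path

# Extensions the post above says to leave out of a backup.
BLOCKED_EXTS = {".exe", ".scr", ".ini", ".htm", ".html", ".php", ".asp", ".xml"}
ARCHIVE_EXTS = {".zip", ".cab", ".rar"}
# Executable types that a "double extension" such as photo.jpg.exe tries to hide.
EXEC_EXTS = {".exe", ".scr"}

def check_name(name: str):
    """Return why a file name should be kept out of the backup, or None if it looks fine."""
    suffixes = [s.lower() for s in Path(name).suffixes]
    last = suffixes[-1] if suffixes else ""
    if len(suffixes) > 1 and last in EXEC_EXTS:
        return "double extension hides executable: " + "".join(suffixes)
    if last in BLOCKED_EXTS:
        return "blocked extension " + last
    if last in ARCHIVE_EXTS:
        return "archive " + last + ": inspect contents"
    return None

def zip_has_executable(path: str) -> bool:
    """True if a .zip holds an executable member (cab/rar are only flagged, not parsed)."""
    if not zipfile.is_zipfile(path):
        return False
    with zipfile.ZipFile(path) as zf:
        return any(Path(m).suffix.lower() in EXEC_EXTS for m in zf.namelist())

def scan_tree(root: str):
    """Walk root; return (safe, flagged) where flagged maps relative path -> reason."""
    safe, flagged = [], {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            rel = Path(full).relative_to(root).as_posix()
            reason = check_name(fn)
            if reason and Path(fn).suffix.lower() == ".zip":
                # A zip of documents is acceptable; one carrying an .exe is not.
                reason = "zip contains executable member" if zip_has_executable(full) else None
            if reason:
                flagged[rel] = reason
            else:
                safe.append(rel)
    return sorted(safe), flagged

def build_sample_tree(root: str) -> None:
    """Constructed sample backup folder (not data from the thread)."""
    for rel in ("letters/resume.docx", "photos/holiday.jpg", "photos/holiday.jpg.exe",
                "tools/unhide.exe", "web/index.html", "settings/desktop.ini"):
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"sample")
    for zname, member in (("docs.zip", "report.pdf"), ("setup.zip", "installer/setup.exe")):
        with zipfile.ZipFile(Path(root, zname), "w") as zf:
            zf.writestr(member, b"sample")

def run_sample_check():
    """Build the sample tree in a temp dir and return scan_tree's verdict on it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_tree(tmp)

if __name__ == "__main__":
    print(run_sample_check())
```

Point scan_tree at a real folder to get the list of files that are safe to burn and the list to leave behind, with the reason for each.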

#8 Doc Watson

Doc Watson

  • Members
  • 14 posts
  • OFFLINE
  • Local time:08:27 PM

Posted 03 November 2011 - 09:36 PM

Thank you for your advice and all of the useful information. As it's tired and I'm gettin late, here, I'll sleep on this, weigh my options in the morning and move forward.

If I slave the drive, I'll do a new backup after I view the files and structure on the slaved drive to another partition on the same drive. Then I'll go to work with the tools.

Again, thanks for your time and interest and for all you guys do here. I'll post back with my results.

~Doc

#9 Sonic98

Sonic98
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  • Local time:07:27 PM

Posted 03 November 2011 - 10:22 PM

I remember now why I didn't post logs. DDS wouldn't run and GMER didn't give me anything.

#10 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,917 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:09:27 PM

Posted 04 November 2011 - 10:21 AM

If you can run DDS and want to post there, run this and just skip the GMER for now. Downside is a 3-5 day reply wait.

If you cannot get DDS to work, please try this instead.

Please download OTL by OldTimer and save it to your Desktop.
  • Close all other applications and windows so that you have nothing open.
  • Double click on the OTL icon on your desktop.

    Vista/Windows 7 users right-click and select Run As Administrator.
    If you receive a UAC prompt asking if you would like to continue running the program, you should press the Continue button.
  • Under Output, ensure that Minimal Output is selected.
  • Click the "Scan All Users" checkbox.
    Leave the remaining selections to the default settings.
  • Click the Run Scan button.
  • Do not use the computer while the scan is in progress.
  • When the scan is complete, two log files will open in Notepad:
    • OTListIt.txt <- (will be maximized)
    • Extras.txt <- (will be minimized in the Task Bar).
  • Both logs are automatically saved to the Desktop.
  • Please copy and paste the contents of OTListIt.txt and Extras.txt in your next reply.
    If the Extras.txt log is too long, you may need to add a second reply to your thread or upload it as an attachment.
  • Click the red X in the upper right corner to exit OTL.
Important: Be sure to mention that you tried to follow the Prep Guide but were unable to get DDS to run. If OTL did not work, then reply back here.

#11 Doc Watson

Doc Watson

  • Members
  • 14 posts
  • OFFLINE
  • Local time:08:27 PM

Posted 04 November 2011 - 11:10 AM

To update this, I could slave the drive to another system and run the tools from there on the infected drive. But, given the extent of the infection and an uncertainty that the system could be cleaned and restored without the setup being damaged in some way, I opted to restore the 4 month old image. That accomplished, I am now scanning my data for infection and restoring it when it comes back clean.

Thanks again for your input.

#12 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,917 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:09:27 PM

Posted 04 November 2011 - 07:41 PM

Good choice. You will need to go to Windows Update. Also update your AV, and any Java and Adobe Reader.

#13 Sonic98

Sonic98
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  • Local time:07:27 PM

Posted 05 November 2011 - 11:46 AM

If you can run DDS and want to post there, run this and just skip the GMER for now. Downside is a 3-5 day reply wait.

If you cannot get DDS to work, please try this instead.

Please download OTL by OldTimer and save it to your Desktop.

  • Close all other applications and windows so that you have nothing open.
  • Double click on the OTL icon on your desktop.

    Vista/Windows 7 users right-click and select Run As Administrator.
    If you receive a UAC prompt asking if you would like to continue running the program, you should press the Continue button.
  • Under Output, ensure that Minimal Output is selected.
  • Click the "Scan All Users" checkbox.
    Leave the remaining selections to the default settings.
  • Click the Run Scan button.
  • Do not use the computer while the scan is in progress.
  • When the scan is complete, two log files will open in Notepad:
    • OTListIt.txt <- (will be maximized)
    • Extras.txt <- (will be minimized in the Task Bar).
  • Both logs are automatically saved to the Desktop.
  • Please copy and paste the contents of OTListIt.txt and Extras.txt in your next reply.
    If the Extras.txt log is too long, you may need to add a second reply to your thread or upload it as an attachment.
  • Click the red X in the upper right corner to exit OTL.
Important: Be sure to mention that you tried to follow the Prep Guide but were unable to get DDS to run. If OTL did not work, then reply back here.


Forgot all about OTL. BTW is it normal for GMER to not let you check every box?

Edited by Sonic98, 05 November 2011 - 12:01 PM.


#14 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,917 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:09:27 PM

Posted 05 November 2011 - 07:51 PM

At times. I cannot explain why, only that I see it happen.

#15 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,851 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:09:27 PM

Posted 06 November 2011 - 04:57 PM

Hello,

Now that you have posted a log here: http://www.bleepingcomputer.com/forums/topic426513.html you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by an MRT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.

From this point on the MRT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the MRT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the MRT Team. Generally the staff checks the forum for postings that have 0 replies, as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member looking for a new log to work may assume another MRT Team member is already assisting you and not open the thread to respond.

Please be patient. It may take several days to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom :cherry:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript
