Solved

Infected PC with System Restore Virus

Posted on 2011-10-13
Last Modified: 2013-11-22
Boss has a PC that came down with a virus today. PC is running WinXP SP3. I cannot access the drive or any programs. The only thing running is a system restore program, obviously a fake, that wants me to follow a link to pay for a restoral. There a many popups indicating a write failure to disk. Another popup shows that Windows cannot determine how much free space there is.

I tried starting up in Safe Mode. Problem persists. Command prompt is not available at normal boot up nor in safe mode.

I ran an AVG rescue CD and it only found issue with some cookies.

Looking for help on how to get this booted to load some tools to clean up the problem.

Thanks.
Question by:jh11
 
LVL 26

Expert Comment

by:pony10us
ID: 36963610
Have you tried the steps on this site: http://www.precisesecurity.com/rogue/windows-restore-virus
LVL 3

Expert Comment

by:MattyW
ID: 36963636
UBCD http://www.ubcd4win.com/contents.htm

That is the easiest tool for booting off a CD or memory stick and scanning a system.

Remember to disable Windows System Restore before booting Windows in normal mode. A virus that disguises itself as System Restore undoubtedly infected it.

I use a customized version of this tool on a bootable memory stick and scan with Malwarebytes, HitmanPro, Spybot, and AVG.
LVL 30

Expert Comment

by:Sudeep Sharma
ID: 36963698
I would recommend you get any of the Live Bootable CDs below and scan the system with it, since you are unable to boot into normal or safe mode.

My personal favourites are Kaspersky and Dr.Web CureIt!

Kaspersky Rescue Disk
http://support.kaspersky.com/viruses/rescuedisk

Dr.Web CureIt!
http://www.freedrweb.com/cureit/?lng=en

BitDefender Rescue CD
http://download.bitdefender.com/rescue_cd/

F-Secure Rescue CD
http://www.f-secure.com/en_EMEA-Labs/security-threats/tools/rescue-cd/

Avira AntiVir Rescue System
http://www.avira.com/en/support-download-avira-antivir-rescue-system

I hope that would help.

Sudeep
LVL 7

Accepted Solution

by:youngrmy
youngrmy earned 1200 total points
ID: 36963741
PCcleaningguide.com is a great place to guide you through step by step on removing viruses and spyware.

This particular infection is pretty simple to remove.

With this infection you should be able to click on Start - Then System Protection - Then Uninstall.

If that option is not there, then:

1.) hit CTRL+ALT+DEL
2.) Open Task Manager
3.) End the process on the files named like 6dss92c31apgjk.exe and HIalmcwgyd.exe, or 2 running processes named like that. Write the names of the files down before you end the processes
4.) do a search for the names of the files you just ended
5.) delete the files that you ended the process on
6.) run MSConfig and uncheck any box that may refer to the file names you deleted
7.) if comfortable, open regedit and search for those file names and remove the entries from the registry. 4 instances
8.) run Unhide.exe which can be found at pccleaningguide.com/downloads.html

When you are done it is best to scan your system with SuperAntiSpyware or Malwarebytes; you can find the download links and instructions here http://pccleaningguide.com/WIN7Guidestep5.html
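Steps 3 to 7 above come down to finding every autorun reference to the rogue's executable before deleting anything. As an added example that is not from this thread, the PowerShell function below (PowerShell 2.0 or later, run from an elevated prompt on the machine being cleaned) lists the Run/RunOnce values under HKCU and HKLM whose data mentions the given file names and removes them only when called with -Remove; the file names in the usage lines are the ones quoted in the answer and are assumed to stand in for whatever the infected machine actually shows.

```powershell
# Added example (not from the thread): enumerate the common autorun registry
# locations and report values that reference a given file name, e.g. the
# "6dss92c31apgjk.exe" process named in the accepted solution.
# The -Remove switch deletes the matching values and honours -WhatIf/-Confirm.

function Find-AutorunReference {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string[]] $FileName,
        [switch] $Remove
    )

    # Per-user and per-machine Run/RunOnce keys: the usual persistence points
    # that MSConfig's Startup tab also shows.
    $autorunKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )

    foreach ($key in $autorunKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        # Get-ItemProperty adds PSPath/PSParentPath/... bookkeeping properties;
        # skip those and inspect the data of every real registry value.
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }
            $data = [string]$p.Value
            foreach ($name in $FileName) {
                if ($data -notmatch [regex]::Escape($name)) { continue }
                # Emit a record the caller can review before touching anything.
                New-Object PSObject -Property @{
                    Key   = $key
                    Value = $p.Name
                    Data  = $data
                }
                if ($Remove -and $PSCmdlet.ShouldProcess("$key\$($p.Name)", 'Remove autorun value')) {
                    Remove-ItemProperty -Path $key -Name $p.Name
                }
            }
        }
    }
}

# Usage: list first, then remove after reviewing the output (file names assumed).
# Find-AutorunReference -FileName '6dss92c31apgjk.exe', 'HIalmcwgyd.exe'
# Find-AutorunReference -FileName '6dss92c31apgjk.exe' -Remove -WhatIf
```

Run the listing form first and compare the output against the process names written down in step 3; a value whose data points at a random-looking name in a temp or profile folder is the one to remove, while entries for known software stay.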
LVL 30

Expert Comment

by:Thomas Zucker-Scharff
ID: 36963789
There have been some good suggestions here, especially SSharma's.  My particular favorite is to use all of them.  I use SARDU to create an alternate bootable device (DVD, CD, USB).  SARDU lets you check the boxes of the things you want included and downloads those images (free stuff like UBCD).  It also has options to include an UBUNTU distro and some WIN PE distros.  There are some rescue disks in there for xp, vista and win7.  When you are done you click the button to create an ISO (which you then burn to disk) or create bootable USB button.  Take a gander at my article about SARDU version 1.x (it is now up to 2.x).

http://www.experts-exchange.com/Storage/Misc/A_3038-Boot-Disks-UBCD-UBCD4Win-and-SARDU.html
LVL 38

Assisted Solution

by:younghv
younghv earned 400 total points
ID: 36963799
You don't need a Command Prompt to run an application, you can start one from the "Task Manager".

Download RogueKiller and Malwarebytes from a clean computer to a USB/thumb drive and plug it into the infected one. You can run the installation .exe files from Task Manager by selecting "File-->Run", then navigating to the USB drive.

Please do not disable System Restore until after the computer is cleaned and running properly. There is NO danger of an infection from a System Restore point - unless you actually use the restore point.

I suggest that you hold off on using any Boot CD until you are sure that there is no other way to approach this from either Normal or Safe Mode.

The EE Articles below provide details on all of these comments:
Stop-the-Bleeding-First-Aid-for-Malware
IF YOU CAN'T RUN .EXES IN AN INFECTED SYSTEM:
Viruses in System Volume Information (System Restore)
Malware Fighting – Best Practices


Author Comment

by:jh11
ID: 36964126
All are great suggestions.

So far, I have removed the HD and booted up in another system and used that system to scan the infected HD. Malwarebytes has found trojan.fakealert. Cleaned.

I think I'll have to use the unhide utility as there is no access to any program files, explorer, msconfig, cmd.exe, etc.

I'll post an update after Spybot runs. I'll also read through some of the suggestions a little closer also.

Thank you.
Author Comment

by:jh11
ID: 36964738
Ended up running Malwarebytes and Spybot SD. Also ran the app called unhide.exe as I had no access to any program files, command prompt etc.

Upon booting to drive, I was able to get task manager to run. Killed the process 6dss92c31apgjk.exe , which had already begun its process of scanning the PC to show how infected it was.

Ran unhide again, but it is failing to change all the necessary files. I cannot start msconfig to kill any startups nor can I access regedit. These files should reside in system32, shouldn't they?
LVL 30

Assisted Solution

by:Sudeep Sharma
Sudeep Sharma earned 400 total points
ID: 36964769
If you are able to boot into Normal mode then I would recommend you to run Rogue Killer followed by MalwareBytes

These are the articles from Younghv which would help you
http://www.experts-exchange.com/A_4922.html (Rogue-Killer-What-a-great-name)

MalwareBytes:
http://www.malwarebytes.org/mbam-download.php

I hope that would help.

Sudeep
LVL 26

Expert Comment

by:pony10us
ID: 36964796
jh11:  If you can access task manager then you should be able to start regedit (or any program you know the name of) by clicking the "New Task" button and typing in the name of the program.

Author Comment

by:jh11
ID: 36965006
Thanks guys. Used Task Manager to run those programs.

I manually deleted anything in the registry for 6dss92c31apgjk.exe. The virus appears to be gone.

My main problem now is being able to see files under the folders in All Programs.
Unhide.exe has not been able to take care of all files that may have been hidden by the virus. Other things such as Start\Run is missing.

In the meantime, I'll follow the Rogue Killer link and see where it takes me.
LVL 30

Expert Comment

by:Sudeep Sharma
ID: 36965042
This might be helpful if All Programs in the start menu is missing:

Windows XP/Vista Recovery rogue - Desktop icons missing - Empty program files
http://www.experts-exchange.com/A_6209.html
LVL 7

Expert Comment

by:youngrmy
ID: 36965307
You need to download Unhide.exe from pccleaningguide.com/downloads.html; that will restore your missing icons and files.
Author Comment

by:jh11
ID: 36965578
@SSharma: I did review and use the utilities listed in the article. I should have gone there first. Well written.

Of note, I tried to run the batch file remotesm.bat, but it failed. However, looking over the file in notepad, I reviewed the directories it was trying to do an xcopy from. Using that information, I manually restored the shortcuts for program files and all is well.

I will leave this case open until Fri 10/14. I'll let the end-user be the judge if all is finished or not.

Thanks again.
LVL 3

Expert Comment

by:MattyW
ID: 36981756
Pretty sure that virus just changes the attributes of the files to hidden. You should be able to right click on the Program Files folder, go to Properties, uncheck Hidden and apply to sub files and folders. Do this for your user folder as well if Documents and Pictures are also missing.
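As an added example that is not part of this thread, the PowerShell function below does what MattyW describes for the Start Menu, Desktop and Program Files trees, which is also what the earlier unhide step was trying to achieve for the empty All Programs folders. It leaves anything that also carries the System attribute (desktop.ini and OS folders) hidden so legitimately hidden entries are not exposed; the XP profile paths are assumed from the standard environment variables and can be overridden with -Roots.

```powershell
# Added example (not from the thread): clear the Hidden attribute that the rogue
# sets on Start Menu shortcuts, desktop icons and Program Files entries, which is
# what leaves "All Programs" empty. Defaults assume Windows XP paths; pass -Roots
# for another profile or for Vista+ (e.g. C:\ProgramData\Microsoft\Windows\Start Menu).
# Items that also have the System attribute are skipped. Supports -WhatIf.

function Restore-HiddenStartMenuItems {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string[]] $Roots = @(
            "$env:ALLUSERSPROFILE\Start Menu",
            "$env:ALLUSERSPROFILE\Desktop",
            "$env:USERPROFILE\Start Menu",
            "$env:USERPROFILE\Desktop",
            "$env:ProgramFiles"
        )
    )

    $hiddenBit = [int][IO.FileAttributes]::Hidden
    $systemBit = [int][IO.FileAttributes]::System
    $restored  = @()

    foreach ($root in $Roots) {
        if (-not (Test-Path $root)) { continue }
        # -Force is required or hidden items would not be enumerated at all;
        # access-denied errors under Program Files are skipped rather than fatal.
        $items = Get-ChildItem -Path $root -Recurse -Force -ErrorAction SilentlyContinue
        foreach ($item in $items) {
            $attr = [int]$item.Attributes
            $isHidden = ($attr -band $hiddenBit) -ne 0
            $isSystem = ($attr -band $systemBit) -ne 0
            if ($isHidden -and -not $isSystem) {
                if ($PSCmdlet.ShouldProcess($item.FullName, 'Clear Hidden attribute')) {
                    $item.Attributes = $attr -band (-bnot $hiddenBit)
                    $restored += $item.FullName
                }
            }
        }
    }
    # Returns the paths that were changed so the run can be reviewed or logged.
    return $restored
}

# Dry run first, then apply and keep a record of what was touched:
# Restore-HiddenStartMenuItems -WhatIf
# Restore-HiddenStartMenuItems | Out-File "$env:USERPROFILE\unhide-log.txt"
```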