Windows 7 System Restore Virus/Rootkit and browser redirect

Posted on 2011-10-24
Medium Priority
Last Modified: 2013-11-22
One of the machines on the small network that I maintain was infected by the System Restore malware/scamware. It is a Windows 7 32 bit Dell Optiplex 380 connected to a Windows 2003 R2 network. I have run Malwarebytes, Radix, Combofix, and several others. Malwarebytes is my usual go to, and it did catch quite a bit of stuff, but it hasn't resolved everything... the one thing that still hasn't been resolved is the browser redirect. I have not been able to find anything that will help with the redirect issue. Can anyone help?
Question by:Roger Bailey

Author Comment

by:Roger Bailey
ID: 37020656
The machine does not have any vital information on it, so I am very close to simply reformatting... will this eliminate the rootkit?
LVL 14

Expert Comment

ID: 37020671
Browser redirects are usually fixable with hijackthis.  However, if you are able to do a re-install, that's your safest bet.
LVL 12

Assisted Solution

by:Gary Coltharp
Gary Coltharp earned 400 total points
ID: 37020674
Yes, at about 2 hours of effort on malware removal, it is time to wipe and reload.

LVL 17

Expert Comment

by:Chris Millard
ID: 37020697
Before doing that, however, you could use a program such as ROOTALYZER to check for rootkits. There is some malware that is HIDDEN from Windows. If Rootalyzer finds anything (use the deep scan option), then you could boot from a Linux LiveCD and remove the offending files...

Author Comment

by:Roger Bailey
ID: 37020836
I am at about 4-6 hours of fighting with this at this point... mostly because I have never run into something this tenacious, and was curious to see what it would take to beat it. Typically I run a few scans, run a fix and it's done. I did run ROOTALYZER and it did not give me anything to work with. I ran Malwarebytes first, and after it was done nothing else has been flagged, but I know something is still not right, and the browsers randomly redirect. I ran GMER and it came back with much more info than usual, but I really don't know what I am looking for in all of that. I have not run HijackThis yet. But it sounds like you guys think that if a wipe and reload is possible that is the best bet?
LVL 14

Accepted Solution

sentner earned 800 total points
ID: 37020865
Yep, reload is always the safest bet.  Back up any important data, and re-install from scratch.  

If you're just curious though, run hijackthis real quick, and you can paste the logfile here.  


Author Comment

by:Roger Bailey
ID: 37020981
Sentner, the attached txt file is the HijackThis log that you requested. I saw a BHO (the second O2) that had no designation and looked out of place, but other than that everything looked good to me. Any help is appreciated.

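The poster's instinct above (an O2 BHO line with no name looks out of place) is the right one, and it generalizes: the HijackThis sections that most often explain a browser redirect are O1 (hosts-file entries pointing real domains at a non-loopback address), O2 (BHOs with no name, no file, or a DLL loaded from a temp directory), O4 (autoruns from temp directories), O17 (NameServer entries pointing at a resolver the LAN does not use) and R0/R1 (Start/Search Page overrides). The following is an added example, not code from the thread or from HijackThis itself, that triages a log for exactly those patterns. The sample log it reads is constructed here for illustration, with placeholder GUIDs, paths and addresses; it is not the log the poster attached.

```python
"""Triage a HijackThis log for entries that commonly explain browser redirects.

Added example. SAMPLE_LOG is a constructed log in HijackThis format; its GUIDs,
paths and IP addresses are placeholders, not data from any real machine.
"""
import ipaddress
import re

SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.example-redirect.test/?q=
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 203.0.113.7 www.google.com
O2 - BHO: Adobe PDF Link Helper - {11111111-2222-3333-4444-555555555555} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {66666666-7777-8888-9999-000000000000} - C:\Users\user\AppData\Local\Temp\xyqwe.dll
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [svchost] C:\Users\user\AppData\Local\Temp\svchost.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}: NameServer = 198.51.100.23,198.51.100.24
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 192.168.1.1
"""

# One regex per HijackThis section we care about.
HOSTS_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
BHO_RE = re.compile(r"^O2 - BHO:\s+(.*?)\s+-\s+(\{[0-9A-Fa-f-]+\})\s+-\s+(.*)$")
RUN_RE = re.compile(r"^O4 - .*?Run:\s+\[(.*?)\]\s+(.*)$")
DNS_RE = re.compile(r"^O17 - .*NameServer\s*=\s*(.*)$")
PAGE_RE = re.compile(r"^R[01] - .*(Start Page|Search Page|Default_Page_URL|Default_Search_URL)\s*=\s*(\S+)")
TEMP_DIR_RE = re.compile(r"\\(Temp|Temporary Internet Files)\\", re.IGNORECASE)

# Resolvers on a small LAN are normally RFC 1918 addresses (the DC, the router).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _benign_hosts_target(ip_text):
    """127.x/::1 (local override) and 0.0.0.0 (blocklist) are normal hosts-file targets."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified


def _trusted_resolver(ip_text, trusted_dns):
    """A resolver is trusted if explicitly listed, loopback, or on a private network."""
    if ip_text in trusted_dns:
        return True
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return ip.is_loopback or any(ip in net for net in RFC1918)


def triage(log_text, trusted_dns=frozenset()):
    """Return (log line, reason) pairs for entries worth inspecting before a wipe."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := HOSTS_RE.match(line):
            ip, host = m.groups()
            if not _benign_hosts_target(ip):
                findings.append((line, f"hosts file sends {host} to {ip}"))
        elif m := BHO_RE.match(line):
            name, _guid, path = m.groups()
            reasons = []
            if name == "(no name)":
                reasons.append("BHO with no name")
            if path == "(no file)":
                reasons.append("BHO DLL missing on disk")
            if TEMP_DIR_RE.search(path):
                reasons.append("BHO loaded from a temp directory")
            if reasons:
                findings.append((line, "; ".join(reasons)))
        elif m := RUN_RE.match(line):
            _label, command = m.groups()
            if TEMP_DIR_RE.search(command):
                findings.append((line, "autorun from a temp directory"))
        elif m := DNS_RE.match(line):
            servers = [s.strip() for s in m.group(1).split(",") if s.strip()]
            rogue = [s for s in servers if not _trusted_resolver(s, trusted_dns)]
            if rogue:
                findings.append((line, "DNS resolver not in trusted set: " + ", ".join(rogue)))
        elif m := PAGE_RE.match(line):
            setting, url = m.groups()
            findings.append((line, f"{setting} is {url}; confirm the user chose it"))
    return findings


if __name__ == "__main__":
    for entry, reason in triage(SAMPLE_LOG, trusted_dns={"192.168.1.1"}):
        print(f"{reason}\n    {entry}")
```

Two caveats for anyone using this on a real log. First, the O17 check flags any resolver that is not private or explicitly trusted, so a legitimate public resolver (the ISP's, or 8.8.8.8) will show up until you pass it in `trusted_dns`; that is deliberate, since a redirecting machine on a Windows 2003 domain should be pointing at the domain controller, not at an outside address. Second, HijackThis reads the registry and hosts file from user mode, so a kernel rootkit can hide its entries from it; a triage that finds nothing supports, but does not prove, a clean box, which is why the rootkit scan and the wipe-and-reload advice in the rest of this thread still stand.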
LVL 23

Assisted Solution

edbedb earned 400 total points
ID: 37021365
LVL 38

Assisted Solution

younghv earned 400 total points
ID: 37021464
Please read through the entire guide for repairing your system found here:

Note that there are several applications that you are going to have to use, but you can get your system back to normal. The guides written by "Grinler" (MS MVP) are among the most detailed and accurate available.

Where he mentions "RKill", you can substitute "RogueKiller" as described in this EE Article:

With many current variants of malware, you MUST run a rogue process stopper before you can do any other scans.

Author Comment

by:Roger Bailey
ID: 37030225
Hey, I have been out of the office...will try to get back to this later on today.

Author Closing Comment

by:Roger Bailey
ID: 37034248
Well folks, I had tried everything that everyone has posted before you all posted, and I have a functional computer, but there are still things that are off, like certain programs not running in certain profiles, etc. At this point, I am chalking this up to my first run-in with a rootkit. I learned a lot about what is available out there. I appreciate your input. My main takeaway is that backups are important, and after a couple of hours of fighting with it, just wipe and reload. Thanks for your help. I tried to spread the points around to the different ones that had input.
