"windows xp restore" virus--- dangerous — Parallax Forums


erco Posts: 20,260
edited 2011-06-16 03:48 in General Discussion
The wife clicked on a tricky popup window that launched a trojan into her computer. Now her computer is fairly useless; it restarts itself fairly regularly, the desktop is gone, windows restore doesn't work, and the main window seen is basically an ad to buy software to fix the problem.

Here are a few sites that offer info and "help"; they usually want you to download or buy something:

http://news.loaris.com/windows-xp-restore-virus-how-to-uninstall-windows-xp-restore-fake-system-defragmenter/

http://freeofvirus.blogspot.com/2011/06/windows-xp-restore-removal-guide.html

http://www.cleanpcguide.com/remove-windows-xp-restore-removal-guide-how-to-remove-windows-xp-restore-2



After some research, it looks like a free trial program called Malwarebytes will solve this particular problem. Hopefully without loading some other time bomb on her computer. Anyone use that program?

And it seems highly likely that the company that automatically pops up onscreen selling the solution is who caused the virus. It's been around for a while. How come nobody has "brought these criminals to justice" and why hasn't Microsoft updated their "Security Essentials" in all this time?

A complete system restore is likely required this weekend, but I'm hoping to get her computer running tonight. Any suggestions?

Comments

  • wjsteele Posts: 697
    edited 2011-06-09 09:38
    MalwareBytes is a great program to use. I'd also recommend installing Microsoft's Security Essentials which can monitor for malicious links and prevent you from executing bad code.

    Bill
  • erco Posts: 20,260
    edited 2011-06-09 09:40
    Thanks, Bill. She had MSE running and updated... it didn't provide any protection at all.
  • LoopyByteloose Posts: 12,537
    edited 2011-06-09 09:41
    Probably Russian mob malware. Sadly you likely have to buy something to clean it up and you obviously feel that trusting the vendor of the clean up is both costly and difficult to determine.

    The only reliable no cost solution is probably to install Linux, like Ubuntu Linux with Open Office and you won't have to ever buy a fix again. You might be able to save your Windows documents and use them in Linux by partitioning and installing in a dual boot arrangement as Linux will allow you to open Windows partitions and Open Office will read Windows Office and Excel documents.
  • Leon Posts: 7,620
    edited 2011-06-09 09:42
    I can't find that "windows xp restore" virus in the McAfee virus and trojan list.

    Were you running virus protection software?

    I disabled my virus protection once and deliberately infected my system with one that looked fairly safe to see what would happen. It immediately started sending out stuff over the internet at a tremendous rate. I disconnected it, ran the anti-virus software, and it fixed the problem. I've not had a problem since I started using such software. I think I got a harmless one in the early days of PCs. I use McAfee on my laptop, and AVG on the desktop PC.

    Our (rather unpopular) boss where I once worked threatened everyone in the group with instant dismissal if anyone introduced a virus into our network. He then put some dodgy software on his PC without checking it first, and infected it! Much hilarity ensued.
  • erco Posts: 20,260
    edited 2011-06-09 09:56
    Microsoft Security Essentials was the only thing running at the time. I had heard such good things about it...

    Have to see how MalwareBytes handles it tonight. Will advise.
  • Publison Posts: 12,366
    edited 2011-06-09 10:10
    erco,

    Just this week, I had a friend with a similar problem. Right clicked on an icon that had not been on his desktop before, and it launched a Trojan. Result was Blue Screen of Death.

    I downloaded a bootable "Bitdefender Rescue CD" .iso:

    http://download.bitdefender.com/rescue_cd/

    burned a CD and set his system to boot from the CD. After about an hour and a half scan, Bitdefender cleaned the offending Trojan and his system was back up and running.

    It's free, so worth a try.
  • RDL2004 Posts: 2,554
    edited 2011-06-09 10:21
    MalwareBytes is good.

    AVG is an excellent free anti-virus

    AVG Free

    Another thing you might want to use:

    Spybot - Search & Destroy

    Also, you might want to look at a Hosts file manager.

    http://www.abelhadigital.com/hostsman


    Last of all, hopefully you do not use Internet Explorer.
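The hosts-file approach RDL2004 mentions works by mapping unwanted hostnames to an address that goes nowhere, so the browser never reaches the site that serves the fake "scanner" page in the first place. The script below is an added example, not HostsMan's code and not something anyone in the thread used: it merges a blocklist into a hosts file while keeping every existing line, refusing to sinkhole localhost, dropping malformed names, and skipping names already mapped. The 0.0.0.0 sinkhole address, the NEVER_BLOCK set and the sample hosts content in the self-test are my choices, not anything from the page.

```python
"""Merge a domain blocklist into a hosts file without clobbering what is already there.
Added example: not HostsMan's code and not from the thread."""
import re
from ipaddress import ip_address

SINKHOLE = "0.0.0.0"   # unroutable target; 127.0.0.1 is the older convention but hits any local web server
# Names that must never be sinkholed, whatever a downloaded list claims (my assumption)
NEVER_BLOCK = {"localhost", "localhost.localdomain", "broadcasthost"}

# RFC 1123 style hostname: labels of 1-63 chars, letters/digits/hyphen, no leading/trailing hyphen
_HOST_RE = re.compile(
    r"^(?=.{1,253}$)[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
    r"(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*$"
)


def parse_hosts(text):
    """Return [(ip, [names...])] for each mapping line; comments and blanks are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip_address(parts[0])
        except ValueError:
            continue            # malformed line: leave it for a human, do not "fix" it
        entries.append((parts[0], [n.lower() for n in parts[1:]]))
    return entries


def sanitize_blocklist(names):
    """Lower-case, strip trailing dots, drop malformed names and anything in NEVER_BLOCK."""
    keep = set()
    for n in names:
        n = n.strip().lower().rstrip(".")
        if n and _HOST_RE.match(n) and n not in NEVER_BLOCK:
            keep.add(n)
    return keep


def merge_hosts(hosts_text, blocklist):
    """Append sinkhole lines for names not already mapped.
    Returns (new_text, added_names); existing lines are preserved byte for byte."""
    already = {name for _, names in parse_hosts(hosts_text) for name in names}
    to_add = sorted(sanitize_blocklist(blocklist) - already)
    if not to_add:
        return hosts_text, set()
    body = hosts_text if hosts_text.endswith("\n") else hosts_text + "\n"
    body += "\n# --- blocklist entries added by merge_hosts ---\n"
    body += "".join(f"{SINKHOLE} {name}\n" for name in to_add)
    return body, set(to_add)


def resolves_to(hosts_text, name):
    """First address the hosts file gives for name, or None (the way the resolver reads it)."""
    for ip, names in parse_hosts(hosts_text):
        if name.lower() in names:
            return ip
    return None


if __name__ == "__main__":
    # Constructed sample; on XP the real file is %SystemRoot%\system32\drivers\etc\hosts
    sample = "# constructed sample\n127.0.0.1       localhost\n0.0.0.0 already.blocked.example   # earlier run\n"
    text, added = merge_hosts(sample, ["Fake-AV.example", "localhost", "bad host", "new.example."])
    print(text)
    print("added:", sorted(added))
```

Editing the real file needs administrator rights, and a name that is already mapped (for any reason) is deliberately left alone rather than overwritten; review those by hand. Keep the list targeted: a hosts file with many thousands of lines is known to slow name lookups on Windows because the DNS Client service caches the whole file.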
  • erco Posts: 20,260
    edited 2011-06-09 10:47
    Great info guys, thanks much!
  • Microcontrolled Posts: 2,461
    edited 2011-06-09 10:58
    My dad got this virus or one similar to it about 1~2 years ago at his office. It got into the network and infected multiple computers. I think he used MalwareBytes (it sounds familiar) to get rid of it, but even AVG wasn't able to catch it.
  • Humanoido Posts: 5,770
    edited 2011-06-09 11:05
    The only reliable no cost solution is probably to install Linux, like Ubuntu Linux with Open Office and you won't have to ever buy a fix again. You might be able to save your Windows documents and use them in Linux by partitioning and installing in a dual boot arrangement as Linux will allow you to open Windows partitions and Open Office will read Windows Office and Excel documents.

    I'm with Loopy on this. You could also install Mac which can read PC drives and transfer data and the new OSX is nearly impervious to virus. I had to give up PCs for the same kind of problem discussed in this thread.
  • Humanoido Posts: 5,770
    edited 2011-06-09 11:08
    Another problem I ran into was the antivirus program itself was designed to destroy the hard drive. Once it destroyed the hard drive, the company was betting you'd go back to them and pay more moola to have your computer drive restored. It was a real scam! You can't be safe in the PC world.
  • kwinn Posts: 8,697
    edited 2011-06-09 11:08
    RDL2004 wrote: »
    MalwareBytes is good.

    AVG is an excellent free anti-virus

    AVG Free

    Another thing you might want to use:

    Spybot - Search & Destroy

    Also, you might want to look at a Hosts file manager.

    http://www.abelhadigital.com/hostsman


    Last of all, hopefully you do not use Internet Explorer.

    I have used all of the above except malwarebytes and they are good. You might want to consider taking the time to back up all the data on the hard drive, format the hard drive, reinstall windows and all your software, and at this point make a disk image. Once you have the disk image copy your data back.

    It's a lot of work but if you also take the time to organize and document everything you have a great backup and XP will boot and run faster.
  • Shawn Lowe Posts: 635
    edited 2011-06-09 11:14
    Humanoido wrote: »
    Another problem I ran into was the antivirus program itself was designed to destroy the hard drive. Once it destroyed the hard drive, the company was betting you'd go back to them and pay more moola to have your computer drive restored. It was a real scam! You can't be safe in the PC world.

    Just curious, how would it destroy the hard drive?
  • kwinn Posts: 8,697
    edited 2011-06-09 11:30
    Shawn Lowe wrote: »
    Just curious, how would it destroy the hard drive?

    Writing over or scrambling the boot sector/directories/files will make it unusable.
  • Tracy Allen Posts: 6,666
    edited 2011-06-09 11:30
    The PC we use for UPS shipping caught windows XP restore last week. Ouch.

    The desktop goes black and the one official looking window comes up, purports to scan the disk with very clever looking graphics, and reports fatal errors to the boot blocks and RAM. It offers a link to a web site where you can pay for a program that will "fix" the problem. Hehe. How can these parasites operate via the credit card networks anyway? The scan should be instantly suspect, because it reports a ridiculous number of problems. One insidious thing is that it hides all of the files on the desktop and start menus, so there is a lot of cleaning up to do.

    I found one recommendation that did clean things up completely and in the process took care of other ailments. (I'm mainly a Mac guy, and often feel lost on the PC). The combination of shareware or demo versions was,
    Malwarebytes
    Superantispyware
    Combofix
    CCleaner
    It was the final step with CCleaner that restored all the hidden files.
  • davejames Posts: 4,047
    edited 2011-06-09 11:37
    Erco - sorry to hear.

    Others have suggested MalwareBytes and I add my recommendation. It's caught things that MSE and McAfee haven't.
  • Chuckz
    edited 2011-06-09 12:10
    erco wrote: »
    After some research, it looks like a free trial program called malwarebytes will solve this particular program. Hopefully without loading some other time bomb on her computer. Anyone use that program?

    Erco,

    At this point in time, if you use Malwarebytes, it will delete Windows because Windows is now the Virus and your computer won't boot as a result of getting rid of the virus.

    I would take the hard drive out and put it in an external case and install another hard drive if you have a Windows installation CD and drivers.

    Install Windows on a new hard drive and then rescue the data on your old hard drive.

    I can't guarantee that clicking on any of the old files on your old hard drive will not cause re-infection.

    Malwarebytes would have prevented a lot of this nonsense.

    Chuck
  • propMaker Posts: 65
    edited 2011-06-09 12:14
    I caught it last year. I used it as an excuse to upgrade to windows 7. I found a solution after I had already wiped my drive. It hides some files in a folder, I forget where, and if you delete them it prevents it from blocking other programs from opening.

    I'm a PC, I caught a nasty virus and decided to make Windows 7 my idea. They should put me in their commercials.
  • Beau Schwabe Posts: 6,568
    edited 2011-06-09 12:16
    In general you want to use at least two independent anti-virus programs. The hope is that they both would be capable of converging on the problem, but if one fails the other would hopefully be able to take up the slack. Obviously the more the better because you are increasing your odds of preventing a future attack, but be warned, some anti-virus programs don't play nice with each other and see each other as a threat.
  • davejames Posts: 4,047
    edited 2011-06-09 12:29
    ...some anti-virus programs don't play nice with each other and see each other as a threat.

    A few years back, McAfee treated the Ad-Aware by Lavasoft as a problem. So far, it hasn't treated MalwareBytes as a threat.

    :innocent:
  • RDL2004 Posts: 2,554
    edited 2011-06-09 12:54
    I have been using the three software programs I mentioned in post #8 above for over 3 years and I have never gotten a single virus or any malware during that time. I've actually been using AVG a lot longer than that. However, when I need to buy online, check my 401k or do any online banking, I go to my other computer and boot up into Ubuntu Linux.

    Really, everyone should have at least one computer running Linux for exactly that reason. Setting up a dual boot system is not hard at all, but if that's too much trouble, just run it directly off the CD. I don't know about the latest version, but previous releases installed Firefox by default, making it no harder to get on the internet than it is in Windows, and it's way, way more secure.
  • LoopyByteloose Posts: 12,537
    edited 2011-06-09 12:56
    Very nasty stuff. I feel sorry for Erco and recall my own "Got the Windows Crashed" blues. I do get occasional attempts to install a Windows virus in my Firefox on Linux, but they always just leave a downloaded .exe file on my desktop. Since Linux doesn't run .exe files, I know what it is and move it to Trash.

    I went through years and years of making Ghost images, even having a second hard drive just for Ghost images in order to avoid problems with rebuilding my system from scratch (you have to dig out all the licenses and registrations). I finally quit after I paid good money for XP Professional and found it still never did quite run right.

    So now, all my computers (3 of them) are dual boot - Linux and M$. I have the XP, a Vista, and a Windows 7. For daily surfing and office work I use Ubuntu Linux. If I need Windows for microcontroller programming, I have it. I use Avast AV for the Windows side of these machines as it is FREE.

    End result - I am happier and get more done. Maintenance and repair of Windows is a huge waste of time and energy as well as needlessly costly.
  • erco Posts: 20,260
    edited 2011-06-09 13:20
    Chuckz wrote: »
    I would take the hard drive out and put it in an external case and install another hard drive if you have a Windows installation CD and drivers.

    Install Windows on a new hard drive and then rescue the data on your old hard drive.

    Good call. Ironically, the wife's computer (unlike mine) has very few files on it and is quite easy to restore, I've done it in about an hour. She deletes nearly everything in paranoid hopes to keep her computer operating fast and efficiently. Last time she deleted some system file (DOH!) and I just threw in a new $50 hard drive, did a clean windows install on that, and kept her old hard drive as a secondary. It was easy to move her small group of files onto the new HD.

    I'll do that dance one more time this weekend. But I'm hoping Malwarebytes works tonight to get her computer at least temporarily operational; for now, she's using my computer (ULP), and God only knows what she's clicking on...
  • Oldbitcollector (Jeff) Posts: 8,091
    edited 2011-06-09 13:42
    @erco,

    If it doesn't work, PM me. I've got some rather "sharp" tools that do a good job with these kinds of bugs. I deal with this stuff all the time in the computer business I run here in Orrville.

    OBC
  • Tracy Allen Posts: 6,666
    edited 2011-06-09 13:44
    When I encountered windows XP restore, it was on a computer we use for shipping, and it had no virus protection at all. (sorry!) People use it for other stuff too. I started it up in safe mode (F13 I think) with network access enabled. That came up fine with no evidence that the malware had dug into the recesses of windows. Then I downloaded all the programs listed in post #16, installed them, let them go out to get the latest definition and settings files, and then ran them one after another and took their various recommendations. Everything was normal after a reboot into the standard XP, but the desktop and start menu came back after running CCleaner as the final step.

    Now the lesson is learned and all 4 of those programs are ready for prophylactic use. They even found malware that was masquerading as a UPS worldship file.
  • sam_sam_sam Posts: 2,286
    edited 2011-06-09 14:14
    This is a good idea
    In general you want to use at least two independent anti-virus programs. The hope is that they both would be capable of converging on the problem, but if one fails the other would hopefully be able to take up the slack. Obviously the more the better because you are increasing your odds of preventing a future attack,
    This is not good
    but be warned, some anti-virus programs don't play nice with each other and see each other as a threat.
  • Phil Pilgrim (PhiPi) Posts: 23,514
    edited 2011-06-09 15:23
    Aside from tricky popup windows (which my browser blocks) which websites do I need to stay away from to avoid this nasty virus? I try to practice safe computing, but if erco's wife and Tracy can get hit by something like this, no one is immune.

    I've just gone through one complete Win XP rebuild due to a failed Windows Update to .NET, which toasted my system; and I don't want to spend another whole week doing it again. (Just say no to Windows automatic updates. If something works, don't screw with it or let Microsoft screw with it.)

    -Phil
  • localroger Posts: 3,452
    edited 2011-06-09 15:28
    I have had nothing but very poor results trying to clean up infected systems. I have ultimately had to reformat the hard drives of two computers in the last year because NONE of the tools I tried could get at all the places the trojan had hidden itself. (It would be clean until reboot, then magically show up the first time you ran the browser, even after deleting and reinstalling the browser software.)

    The best thing to do is to have a sector level restore image of your machine BEFORE it is infected. I went out and got a USB hard drive which is never plugged into a computer that is on the internet or wasn't booted from the PING CD. (PING is a Linux-based utility which packages up the Partimage utility; it stands for "Partimage Is Not Ghost," Ghost being Norton's non-free utility.) Whenever I install a major piece of software and at reasonable intervals I make a new PING backup. Now if something nasty hoses my drive, all I do is copy off any relatively new data, and restore from the air gapped USB. Since this is a perfect snapshot of your machine in a moment of working order, it avoids the need to redo 4 years of Windows updates, re-register your copy of Photoshop, and a day eating list of other things that have to be done to prep a "new" machine.

    The only problem is you can't use such a sector-level backup if you replace the machine because the drivers and hardware signatures won't match. But that's a different problem.
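localroger's air-gapped sector image is only as trustworthy as the bytes sitting on that USB drive, and a restore from a silently corrupted image is discovered at the worst possible moment. A checksum written when the image is taken lets you confirm it before relying on it. The Python below is an added example, independent of PING and Partimage (which keep their own formats) and not part of localroger's setup: it hashes an image in chunks so multi-gigabyte files are never read whole, writes a sha256sum-compatible manifest beside the image, and refuses a restore candidate whose digest or filename does not match. The `.sha256` sidecar naming is my convention, and `self_check` builds a constructed throw-away "image" in a temp directory rather than touching any real partition.

```python
"""Checksum a sector-level disk image when it is taken and verify it before a restore.
Added example, independent of PING/Partimage; the '.sha256' sidecar name is my convention."""
import hashlib
import hmac
import os
import tempfile

CHUNK = 1 << 20   # read 1 MiB at a time; images are many GB and must never be read whole


def sha256_file(path):
    """Hex SHA-256 of a file, streamed in CHUNK-sized reads."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def write_manifest(image_path):
    """Write '<hex>  <basename>' next to the image, the layout 'sha256sum -c' understands."""
    manifest = image_path + ".sha256"
    with open(manifest, "w") as f:
        f.write(f"{sha256_file(image_path)}  {os.path.basename(image_path)}\n")
    return manifest


def verify_image(image_path):
    """True only if the sidecar exists, names this exact file, and the digest matches."""
    manifest = image_path + ".sha256"
    if not os.path.isfile(manifest):
        return False
    with open(manifest) as f:
        expected, sep, name = f.readline().rstrip("\n").partition("  ")
    if not sep or name != os.path.basename(image_path) or len(expected) != 64:
        return False
    # constant-time comparison is a habit worth keeping even where timing is not an issue
    return hmac.compare_digest(expected.lower(), sha256_file(image_path))


def self_check(workdir=None):
    """Exercise the flow on a constructed 3 MiB image. Returns
    (verified_fresh, verified_after_one_flipped_byte, verified_without_manifest)."""
    workdir = workdir or tempfile.mkdtemp(prefix="imgcheck-")
    image = os.path.join(workdir, "sda1.img")
    with open(image, "wb") as f:
        for i in range(3):
            f.write(bytes([i]) * CHUNK)            # constructed filler, not real partition data
    write_manifest(image)
    fresh = verify_image(image)
    with open(image, "r+b") as f:                    # flip one byte in the middle
        f.seek(CHUNK + 12345)
        f.write(b"\xff")
    corrupted = verify_image(image)
    os.remove(image + ".sha256")
    missing = verify_image(image)
    return fresh, corrupted, missing


if __name__ == "__main__":
    print(self_check())   # (True, False, False)
```

Store the sidecar on the same air-gapped drive as the image, and run `verify_image` on the drive itself before starting a restore; a digest that matches the manifest written at backup time says nothing about whether the machine was already infected when the image was taken, which is why localroger's point about imaging a known-good state still stands.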
  • SSteve Posts: 808
    edited 2011-06-09 15:36
    Humanoido wrote: »
    I'm with Loopy on this. You could also install Mac which can read PC drives and transfer data and the new OSX is nearly impervious to virus. I had to give up PCs for the same kind of problem discussed in this thread.

    Erco's wife got a trojan horse, not a virus. The Mac is just as susceptible to trojan horses as Windows. There's one called Mac Defender that has gotten a lot of press in the last month. It does the exact same thing: uses a little social engineering to trick you into installing it, then "finds" lots of problems that it will fix if you give it your credit card info.
    How can these parasites operate via the credit card networks anyway?

    That's what I thought when I first read about the Mac Defender scam. But I don't think they charge your credit card for the purchase. They probably either use or sell the buyer's personal info for identity theft or fraudulent credit card use.
  • Ron Czapala Posts: 2,418
    edited 2011-06-09 15:37
    I have been frustrated several times by XP's inability to do System Restore. I wrote this batch file to backup the systemstate (registry, etc) and set up a scheduled task to run it daily.

    It creates a backup in a folder based on the day of the month e.g. F:\SystemState\Day01.. Day31 and creates a file name like: 110609-Thu.bkf

    It has saved me several times.
    -Ron

    @echo off
    rem Assumes the en-US short date "Thu 06/09/2011": chars 0-2 day name, 4-5 month, 7-8 day, 12-13 year
    set bkname=%date:~12,2%%date:~4,2%%date:~7,2%-%date:~0,3%
    set bkdir=F:\SystemState\Day%date:~7,2%
    rem One folder per day of the month; create it if missing, then drop last month's copy
    if not exist "%bkdir%" mkdir "%bkdir%"
    del /q "%bkdir%\*.bkf"
    ntbackup backup systemstate /f "%bkdir%\%bkname%.bkf"

    I have used Norton Internet Security for years and it has caught many viruses, trojans etc and is a top rated product by PC World magazine and others. You can get a three computer license.