System Restore Virus After Effects

Doc Watson
4StarLounger
Posts: 412
Joined: 25 Jan 2010, 06:46
Location: New Jersey

System Restore Virus After Effects

Post by Doc Watson »

I've just had the misfortune of becoming acquainted with the System Restore Virus a couple of days ago. I, too, seem to have gotten the full load from this thing in what appeared to be a string of hardware error popups, occurring over a couple of days, referring to insufficient RAM or corrupt RAM or bad sectors on my primary drive. Then I got several "critical error" popups and then a whole string of them. After closing these windows using the red "x" a screen entitled System Restore popped up and began an unrequested scan that could not be stopped and the program could not be closed. Did a hard shutdown and went to Google to see what I had.

Research led me to the necessary tools and warnings about not running CCleaner or its like and not to delete any Temp files or folders because our friend removes files & links, storing backups of them in a Temp folder in Documents & Settings/Local Settings/..... Followed the instructions, ran the tools and, like you, only got some of my configuration back. Now, after a day of attempting to restore function, it seems to have dug in like an Alabama tick and rebuffs all attempts to change things. I can get to my profile in Safe Mode and do all the things I've read about, but any normal reboot either logs on and then off or logs me on to a generic but bastardized desktop with only My Computer & Recycle Bin on the desktop.

I get a USB error when I try to run the Acronis True Image rescue CD, and all attempts to use the Windows System Restore utility from Safe Mode result in the generic desktop. My guess at this point is the Master Boot Record is trashed and needs to be repaired, but I'm looking for some guidance (and guts) before I go down that path. Ideas ???
If life gives you melons,
You may be dyslexic.

Argus
GoldLounger
Posts: 3081
Joined: 24 Jan 2010, 19:07

Re: System Restore Virus After Effects

Post by Argus »

Doc Watson wrote:I can get to my profile in Safe Mode and do all the things I've read about, but any normal reboot either logs on and then off or logs me on to a generic ...
The generic desktop, when there's a successful normal log on, could be a result of a new, temp, profile being created, i.e. without the tweaks one usually has done over the years, and could perhaps be seen if one takes a look at the profiles under Documents and Settings. (I had one such experience when trying to solve a transfer mode problem, UDMA/PIO etc. I got a complete new temp profile, but that was solved with restarts etc. The cause was probably difficulties reading some reg files related to the profile, in my case.)

Haven't read much about this particular one, yet; but what are your experiences using different antimalware software (such as Malwarebytes') in Safe Mode, what do they report?
Byelingual    When you speak two languages but start losing vocabulary in both of them.

Doc Watson
4StarLounger
Posts: 412
Joined: 25 Jan 2010, 06:46
Location: New Jersey

Re: System Restore Virus After Effects

Post by Doc Watson »

Thanks for the reply Argus. I just had my "Duh !!!" moment a few minutes after posting here and at bleepingcomputer.com and realized that I had run Malwarebytes initially when the problem began and it cleaned 3 or 4 issues. Then ran rkill.exe or something and another cleanup program designed for this nasty and then rebooted to finish up Malwarebytes' work, but not into Safe Mode to run MBAM again. Doing so now. Pardon my old age moment. I'll report the results.
If life gives you melons,
You may be dyslexic.

Argus
GoldLounger
Posts: 3081
Joined: 24 Jan 2010, 19:07

Re: System Restore Virus After Effects

Post by Argus »

No problem. These things are quite nasty nowadays, and I realised afterwards, although I was reading a bit at the time, that several things might be hidden in some way. But I still wanted to mention the possibility of a new profile causing a "generic look"; but then one should also get the whole "out of the box" experience as with a new user, and that is clearly not the case here. Things are hidden.

With nasty I meant having to use several tools and techniques; some mention rkill, as you did, others mention other tool combinations, and in the end there might be a need for some manual changes. I saw some video on the net using other tools, some may not be free, instead of using the fake "system restore" as part of the solution to unhide folders as mentioned at the other site you mentioned.

Then I don't know about the step using msconfig (System Configuration tool); but as a quick test it might be OK; we can't remove things with that one, only disable start-up entries; so for a clean look in msconfig, later, one has to go and remove the disabled entries (in the registry), or use another tool to remove the "msconfig orphans", or use another start-up manager from the beginning. But it's good since it's already there on the PC.
Byelingual    When you speak two languages but start losing vocabulary in both of them.
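A way to see the leftovers Argus describes, as an added example (not from this thread or any of its posters): the script below inventories the active Run/RunOnce entries next to the items msconfig has disabled but left in the registry, and flags commands that point into temp or profile folders or at files a cleanup tool has already removed. It assumes the XP/Vista/7 layout, where msconfig records disabled items under HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg with values named hkey, key, item and command (as observed on those versions), and is written for PowerShell 2.0.

```powershell
# Added example, not from the thread. Lists active Run/RunOnce entries plus the
# entries msconfig disabled but left behind ("msconfig orphans"), read-only.
# Assumption: XP/Vista/7 msconfig stores disabled items under the startupreg key
# with values 'hkey', 'key', 'item' and 'command'. PowerShell 2.0 syntax.

function New-StartupRecord($State, $Key, $Name, $Command) {
    New-Object PSObject -Property @{ State = $State; Key = $Key; Name = $Name; Command = $Command }
}

function Get-ActiveRunEntries {
    $runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($k in $runKeys) {
        if (-not (Test-Path $k)) { continue }
        foreach ($p in (Get-ItemProperty -Path $k).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip the provider's PSPath/PSParentPath metadata
            New-StartupRecord 'Active' $k $p.Name $p.Value
        }
    }
}

function Get-MsconfigOrphans {
    $base = 'HKLM:\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg'
    if (-not (Test-Path $base)) { return }
    foreach ($sub in Get-ChildItem -Path $base) {
        $v = Get-ItemProperty -Path $sub.PSPath
        New-StartupRecord 'Disabled by msconfig' ("{0}\{1}" -f $v.hkey, $v.key) $v.item $v.command
    }
}

# Extract the executable path from a command line: "C:\some dir\a.exe" /q  or  C:\a.exe /q
function Get-CommandPath([string]$Command) {
    if ($Command -match '^\s*"([^"]+)"') { $raw = $Matches[1] } else { $raw = ($Command -split '\s+')[0] }
    return [Environment]::ExpandEnvironmentVariables($raw)
}

# Flag what the thread describes: payloads dropped in temp/profile folders, or entries whose
# target has already been removed by a cleanup tool. Bare names (rundll32.exe) resolve via PATH
# and are not flagged here.
function Test-SuspiciousEntry($Entry) {
    $path = Get-CommandPath $Entry.Command
    if (-not $path -or $path -notmatch '\\') { return $false }
    if ($path -match '\\(Temp|Local Settings|Application Data)\\') { return $true }
    return -not (Test-Path -LiteralPath $path)
}

$all = @(Get-ActiveRunEntries) + @(Get-MsconfigOrphans)
$all | Select-Object State, Name, Command, @{n='Suspicious'; e={ Test-SuspiciousEntry $_ }} | Format-Table -AutoSize
```

Run it from an elevated Safe Mode prompt; it only reads the registry, so deciding what to remove stays a manual step.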

StuartR
Administrator
Posts: 12577
Joined: 16 Jan 2010, 15:49
Location: London, Europe

Re: System Restore Virus After Effects

Post by StuartR »

It would be interesting to know why you can't boot from your TrueImage rescue CD. This should be independent of what is on your hard drive. Do you have a recent backup that you could restore if you are able to boot the CD?
StuartR


Doc Watson
4StarLounger
Posts: 412
Joined: 25 Jan 2010, 06:46
Location: New Jersey

Re: System Restore Virus After Effects

Post by Doc Watson »

I'm beginning to suspect that this thing has put up some barrier between me and the "real" registry and has created its own little install of Windows that runs in a loop.

What I've done is use what I believe is Windows System Restore to revert to 2 days prior to the infection and then booted into Safe Mode. There I ran Malwarebytes and removed 2 items:
Rootkit.TDSS
MALWARE.PACKER.GEN
Then ran rKill.exe and the Kaspersky tool (name escapes me) and the unhide.exe tool and allowed it to reboot. No joy. Then I tried Last Known Good.... I got an error window that said
"lsass.exe System error
An I/O operation initiated by the registry failed unrecoverably. The registry could not read in, write out, or flush, one of the files that contains the system's image of the registry."

Then, behind this window, appears the default blue and grey MS box that gives OS Name and Version and says "Windows is starting up...."

At this point I knew that I was back in the "loop" of reboots and did a hard shutdown.

I'm thinking Safe Mode with a command prompt and do fixmbr ?? or perhaps find a registry backup somewhere in my stuff (bad option at best) ??

Stuart... TI gave an error message about a system file being corrupt and to contact my system administrator. It named the file, but I hadn't written it down or have misplaced that note. Now when I try to use the disk it stays in the TI screen but states, "Usb Device not accepting new address." The TI forums say this is a USB keyboard issue and to replace it with a PCI board. If I can't fix it I'm gonna first work towards getting TI up and restoring a 2 month old image. I backed up my data today from Safe Mode before I started working and can restore most of the way things were if need be, or reinstall XP and then restore the image. But that's a lot of work.
If life gives you melons,
You may be dyslexic.

StuartR
Administrator
Posts: 12577
Joined: 16 Jan 2010, 15:49
Location: London, Europe

Re: System Restore Virus After Effects

Post by StuartR »

Last time I had a major infection I found restoring the backup a lot easier than the work it would have taken to never quite be sure the computer was completely clean.
StuartR


Doc Watson
4StarLounger
Posts: 412
Joined: 25 Jan 2010, 06:46
Location: New Jersey

Re: System Restore Virus After Effects

Post by Doc Watson »

Would that I could. <sigh>
If life gives you melons,
You may be dyslexic.

Bigaldoc
PlatinumLounger
Posts: 3757
Joined: 24 Jan 2010, 11:00
Location: Lexington, KY, USA

Re: System Restore Virus After Effects

Post by Bigaldoc »

Doc, I've never done this, but could you use the Win XP disk to FORMAT the drive, as if it were a new install. Then try to boot from the TI boot disk?

I'm like Stuart, I can't understand why TI's recovery CD won't work since it's independent of Windows OR what's on the drive to start with. VERY puzzling indeed. Good luck.

Doc Watson
4StarLounger
Posts: 412
Joined: 25 Jan 2010, 06:46
Location: New Jersey

Re: System Restore Virus After Effects

Post by Doc Watson »

Al & Stuart.....

I've been playing with this damn thing all day and finally, out of frustration, pulled all the USB cords out of the damn machine. Voila !!! True Image then booted and offered me my drives to choose an image from. Unfortunately, I'm not on top of things as I once was and the latest backup is June of this year.

So, I'm gonna wait and see if I get anything useful from bleepingcomputer that gives me some hope of restoring things to just prior to the infection. I'm not holding out a lot of hope given the way things have deteriorated with this damn thing today. It's gonna require the right tools used in the correct order and some expert advice interpreting logs and such. So, I may just bite the bullet and restore the image tonight.

I'm gettin' too old for this *@#%$* !!!
If life gives you melons,
You may be dyslexic.

Doc Watson
4StarLounger
Posts: 412
Joined: 25 Jan 2010, 06:46
Location: New Jersey

Re: System Restore Virus After Effects

Post by Doc Watson »

To update this, I got info from bleepingcomputer that I could slave the drive to another system and run the tools from there on the infected drive. But, given the extent of the infection and an uncertainty that the system could be cleaned and restored without some unknown thingy left behind or the setup damaged in some way, I opted to restore the 4 month old image. That accomplished, I am now scanning my data for infection and restoring it when it comes back clean.

Tedious, but better than running scans and waiting for posted log files to be read and interpreted. Just don't have the patience for that stuff these days.
If life gives you melons,
You may be dyslexic.

viking33
PlatinumLounger
Posts: 5685
Joined: 24 Jan 2010, 19:16
Location: Cape Cod, Massachusetts,USA

Re: System Restore Virus After Effects

Post by viking33 »

Make sure you check for MS updates after the system is back and running OK.
I'm sure you know that but just a heads up, Doc.
BOB

If I agreed with you we'd both be wrong.

Doc Watson
4StarLounger
Posts: 412
Joined: 25 Jan 2010, 06:46
Location: New Jersey

Re: System Restore Virus After Effects

Post by Doc Watson »

Thanks Bob. Just got the system back up and running, scanned my data before and after restoring and then booted into Safe Mode and ran a full scan with MBAM (updated before restoring data) before doing a normal boot.

Now I'm gonna shut it down and have a fun Friday night and see what else is screwed up after this fiasco tomorrow.
If life gives you melons,
You may be dyslexic.