Fake Windows XP Restore Virus

Discussion in 'Computer Information' started by John, Jun 8, 2011.

  1. John

    John Guest

    I just wondered if anyone else has ever had the following on their
    computer:
    http://i41.photobucket.com/albums/e259/john10001/sec/fake_xp_restore_virus.jpg

    I believe it is some sort of malware or virus that tries to imitate
    Windows XP Restore. It appears as though it is scanning your hard
    drives and returns a load of messages saying there are critical errors
    even though there is not and there's nothing wrong with your hard
    drive, well apart from this bit of nastiness. I think it's possible
    that by naming itself as Windows XP Restore it gets around the
    Microsoft Security Essentials running on my computer.

    I've had this thing the last few nights. CCleaner doesn't help to rid
    it. Neither does EmsiSoft AntiMalware. It reappears some point later
    the next day or day after that and I go through the whole process
    again of rebooting in safe mode and restoring to a previous point.
    From what I can tell it seems to disable Microsoft Security Essentials
    once you have finally restored using the correct restore program not
    the fake one (you have to watch out for this but it is easy to tell
    which is which). Show Desktop goes missing from left of task bar
    (quick launch), and it also messes with the Normal.dot template file
    of Microsoft Word.

    Anyone experienced this before, and how do you get rid of it? Are
    there any anti-virus/anti-malware programs that account for this tricky
    customer? I'd also be grateful for any recommendations at the moment
    for an AV or AM program to deal with nasties, even if it is a pay one.
    I have been reasonably happy with MSS until now but it appears I am
    going to keep having this particular issue as this problem seems to
    have a way around MSS.

    Thanks for any help,

    John
     
    John, Jun 8, 2011
    #1

  2. John

    Paul Guest

    John wrote:
    > I just wondered if anyone else has ever had the following on their
    > computer:
    > http://i41.photobucket.com/albums/e259/john10001/sec/fake_xp_restore_virus.jpg
    >
    > I believe it is some sort of malware or virus that tries to imitate
    > Windows XP Restore. It appears as though it is scanning your hard
    > drives and returns a load of messages saying there are critical errors
    > even though there is not and there's nothing wrong with your hard
    > drive, well apart from this bit of nastiness. I think it's possible
    > that by naming itself as Windows XP Restore it gets around the
    > Microsoft Security Essentials running on my computer.
    >
    > I've had this thing the last few nights. CCleaner doesn't help to rid
    > it. Neither does EmsiSoft AntiMalware. It reappears some point later
    > the next day or day after that and I go through the whole process
    > again of rebooting in safe mode and restoring to a previous point.
    > From what I can tell it seems to disable Microsoft Security Essentials
    > once you have finally restored using the correct restore program not
    > the fake one (you have to watch out for this but it is easy to tell
    > which is which). Show Desktop goes missing from left of task bar
    > (quick launch), and it also messes with the Normal.dot template file
    > of Microsoft Word.
    >
    > Anyone experienced this before, and how do you get rid of it? Are
    > there any anti-virus/anti-malware programs that account for this tricky
    > customer? I'd also be grateful for any recommendations at the moment
    > for an AV or AM program to deal with nasties, even if it is a pay one.
    > I have been reasonably happy with MSS until now but it appears I am
    > going to keep having this particular issue as this problem seems to
    > have a way around MSS.
    >
    > Thanks for any help,
    >
    > John


    For rogue software, you can try MBAM.

    http://en.wikipedia.org/wiki/Malwarebytes

    The free version is like a "morning after" pill, for cleaning out the rogue.
    Their commercial version, is as much for prevention as for removal. The free
    version should be sufficient to help you out. It all depends on how recent this
    rogue is, as to whether definitions exist for it. In some cases, if you've
    got a "freshly minted" piece of malware, it can take as much as a couple
    weeks for the good guys to figure it out.

    One problem with tools like MBAM, is the person who wrote the malware,
    knows sooner or later, you're going to use it. Perhaps they'll block
    your browser, so it can't reach malwarebytes.org . Or, maybe you download
    the code, and it has a particular "name.exe" which the malware
    recognizes. Every time you double click it, the launch of the program
    is blocked. So there can be problems getting MBAM to start.

    MBAM is recommended for usage in normal system mode. But if you want,
    you can boot into Safe Mode (press F8 early in the boot process),
    and in Safe Mode, a little less of the malware will be active.

    Another option, is a tool like RKILL, which is for kicking the malware
    in the nuts, so you can try and get tools like MBAM to run.

    http://www.bleepingcomputer.com/download/anti-virus/rkill

    Hmmm. This looks like trouble. You can see already, all my
    suggestions aren't going to work...

    http://www.bleepingcomputer.com/forums/topic401198.html

    There is another person suffering here.

    http://www.bleepingcomputer.com/forums/topic400337.html

    One of the steps, involves turning off a proxy the malware sets up.

    http://www.bleepingcomputer.com/virus-removal/remove-system-tool

    Either post to that site for help (which could take days),
    or keep looking for a recipe. A rogue isn't going to give
    up easily. Some will attempt to hide all your files (by
    changing a file attribute). There is a program to undo that (unhide.exe ?).
    But it's still going to be not a lot of fun to clean up.

    Since there is good money to be made, writing programs like that,
    the variants are never-ending.

    Paul
     
    Paul, Jun 8, 2011
    #2

  3. John banged his head on his keyboard to write:
    > I just wondered if anyone else has ever had the following on their
    > computer:
    > http://i41.photobucket.com/albums/e259/john10001/sec/fake_xp_restore_virus.jpg
    >
    > I believe it is some sort of malware or virus that tries to imitate
    > Windows XP Restore. It appears as though it is scanning your hard
    > drives and returns a load of messages saying there are critical errors
    > even though there is not and there's nothing wrong with your hard
    > drive, well apart from this bit of nastiness. I think it's possible
    > that by naming itself as Windows XP Restore it gets around the
    > Microsoft Security Essentials running on my computer.
    >
    > I've had this thing the last few nights. CCleaner doesn't help to rid
    > it. Neither does EmsiSoft AntiMalware. It reappears some point later
    > the next day or day after that and I go through the whole process
    > again of rebooting in safe mode and restoring to a previous point.
    > From what I can tell it seems to disable Microsoft Security Essentials
    > once you have finally restored using the correct restore program not
    > the fake one (you have to watch out for this but it is easy to tell
    > which is which). Show Desktop goes missing from left of task bar
    > (quick launch), and it also messes with the Normal.dot template file
    > of Microsoft Word.
    >
    > Anyone experienced this before, and how do you get rid of it? Are
    > there any anti-virus/anti-malware programs that account for this tricky
    > customer? I'd also be grateful for any recommendations at the moment
    > for an AV or AM program to deal with nasties, even if it is a pay one.
    > I have been reasonably happy with MSS until now but it appears I am
    > going to keep having this particular issue as this problem seems to
    > have a way around MSS.
    >
    > Thanks for any help,
    >
    > John


    This puppy is a common one.
    For cleaning your system, the following links found by searching Google,
    MyPoints, and Microsoft are directed specifically at the Windows XP
    Restore virus:

    http://www.bleepingcomputer.com/virus-removal/remove-windows-recovery

    and

    http://www.bleepingcomputer.com/forums/topic400955.html

    Bleepingcomputer is a well known and respected site.
    ----------------------------------------------------------------
    http://blog.teesupport.com/remove-f...us-fake-windows-restore-manual-removal-guide/

    Additional Tech support is available. It's probably not free.
    ---------------------------------------------------------------
    http://www.virusremovalguru.com/?p=7538

    Suggests how to go about removing the problem. Note the recommended
    removal tool is commercial software, but it suggests how to manually
    remove the virus. Use at your own risk.
    -------------------------------------------------------------
    http://news.loaris.com/windows-xp-r...-windows-xp-restore-fake-system-defragmenter/

    Offers a removal tool and gives manual instructions (use at your own
    risk). Don't know if it's freeware or commercial, but downloads free.
    ----------------------------------------------------------------
    The MS forum has a couple links that might help:

    http://answers.microsoft.com/en-us/...re-virus/3640846f-d963-e011-8dfc-68b599b31bf5

    Note that a lot of people recommend using Malwarebytes. I'll get to
    that later.

    -----------------------------------------------------------------
    There is also a freeware program called Remove Fake Antivirus that may
    or may not catch the bad guy.
    http://www.freewarefiles.com/downloads_counter.php?programid=53247
    --------------------------------------------------------------

    Personally, I believe MS antivirus products to be bloated and sometimes
    next to useless. It's good to keep the basic Firewall under the MS XP
    Security Center, though, just as an extra layer.

    I recommend 2 antivirus programs for web shields and virus scans.

    1) Avast Antivirus. There is a free version and a paid version. The
    free version is great, the paid gives you more features. Run Avast as
    a real-time shield and you'll be amazed at how much it stops.

    You should run the (right click) scan feature on any item you download
    from any source (music, pictures, movies, programs, files, etc.).

    You should also run full system scans on a frequent and regular basis
    with this program.

    With this 3-tiered approach, you catch a lot of stuff.

    2) Malwarebytes. I use Malwarebytes as a backup. After doing a quick
    scan of all my downloads with Avast, I then do another quick scan with
    Malwarebytes. I also do additional full system scans with Malwarebytes
    after running full Avast scans on my regular scan schedule.

    Only one program should be kept as a real-time shield or the programs
    might conflict (varies by system and program), but with multiple
    scanners, you can sometimes catch something with one system that the
    other system missed. That a program doesn't catch every bug that gets
    through doesn't necessarily mean the program is bad; it means they just
    haven't gotten hold of and fixed this virus yet. Remember, you can't
    stop a virus that you don't know has been invented yet.

    I also used to use a 3rd scanner, AdAware, which primarily targets
    adware and spyware but sometimes catches other things. I had to stop
    using this one because I couldn't read the small gray font they
    switched to in the newer release. Otherwise, it was a helpful program.

    Many people prefer to use AVG Antivirus Free or Avira AntiVir Personal
    for their antivirus needs.

    There is no shortage of antivirus scanners you can try out that can be
    found on any freeware site. Some only target specific viruses, but
    most are versatile. One that operates outside Windows (such as in a
    temporary Linux environment) might be useful.

    I suggest you steer clear of Norton (Symantec).
    ------------------------------------------------------------------

    My favorite freeware site is www.freewarefiles.com - different people
    have different favorites. There is no shortage of freeware sites,
    either.

    --
    -There are some who call me...
    Jim


    "Distrust any enterprise that requires new clothes."
    - Henry David Thoreau (1817-1862)
     
    James D Andrews, Jun 8, 2011
    #3
  4. John

    stbann Guest

    The "Windows-XP-Restore" virus ...

    Don't worry, don't freak out, your computer and files are okay, but prepare
    to spend time cleaning up your computer. Don't buy the program, it's a scam.

    I just got rid of this virus myself. Don't waste your time downloading
    antivirus programs, I did, and most of them didn't find anything related to
    this virus. One even stated it found serious threats, but it turned out to
    find only cookies.

    You are most likely seeing ...
    No desktop icons (need to delete registry "NoDesktop")
    Task Manager blocked (need to delete registry "DisableTaskMgr")
    Nothing on C: drive (need to remove the "Hidden" attributes)

    The frightening thing was ...
    Internet Explorer was not running but every minute I would see the Windows
    pointer hour-glass flicker then iexplore task show up in Task Manager. I
    would end the task and a minute later, back again.

    I downloaded a program that shows network activity (cports.exe) and set it to
    a 1 second Auto Refresh. YIKES !!! Coming from a Process Name "unknown", my
    computer was connecting to IP addresses, such as noname.inferno.name, and I
    had no idea what was being transmitted or received. (Maybe personal
    information, who knows !)

    I spent 2 days cleaning things up, MANUALLY. Most of the time was from
    downloading and trying every program that claims to be "The Best". Later on,
    I found a website that had pretty good directions:
    http://deletemalware.blogspot.com/2011/06/remove-windows-xp-restore-uninstall.html

    One thing I learned, if you try to run the tdsskiller.exe program, and it
    doesn't start, chances are, it's being blocked by the virus. I moved the
    program to a flash drive, renamed it to iexplore.exe and it started.

    It found the volsnap.sys file infected, fixed it and the problem was solved.
    You can verify by running the original tdsskiller.exe, it should no longer be
    blocked. Also, cports.exe was quiet, no internet connection activity.
     
    stbann, Jun 18, 2011
    #4
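Added example, not posted by anyone in this thread: a report-only (or, with -Fix, remediating) PowerShell audit of the lockdown artefacts the posts above name. Paul's reply mentions the rogue configuring a browser proxy and hiding files by flipping an attribute; stbann's reply names the NoDesktop and DisableTaskMgr registry values and the Hidden attribute on user files. The registry paths below are the standard per-user Explorer, System-policy and Internet Settings keys; the rogue's own process name, file locations and proxy address are not known from the thread and are deliberately not hard-coded. It assumes PowerShell 3.0 or later and that it is run as the affected user (Safe Mode is fine).

```powershell
# Added example (not from the thread): audit the lockdown artefacts the
# "Windows XP Restore" rogue is described as leaving, and optionally undo them.
# Assumes PowerShell 3.0+ and that it runs as the affected user. Only the
# registry keys and value names below are known-real locations; nothing
# about the rogue's own binary is assumed here.

param(
    [switch]$Fix,                         # apply remediation instead of report-only
    [string]$ScanRoot = $env:USERPROFILE  # where to look for mass-hidden user files
)

# Policy values named in stbann's post; a DWORD value of 1 is the lockdown.
$policies = @(
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoDesktop' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableTaskMgr' }
)
$inetKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

$findings = @()

foreach ($p in $policies) {
    $v = Get-ItemProperty -Path $p.Key -Name $p.Name -ErrorAction SilentlyContinue
    if ($null -ne $v -and $v.($p.Name) -eq 1) {
        $findings += "$($p.Name)=1 under $($p.Key)"
        if ($Fix) { Remove-ItemProperty -Path $p.Key -Name $p.Name }
    }
}

# Proxy hijack: Paul's post notes the rogue sets a proxy so the browser cannot
# reach removal sites. Report whatever is configured; clear it only on -Fix.
$inet = Get-ItemProperty -Path $inetKey -ErrorAction SilentlyContinue
if ($null -ne $inet -and $inet.ProxyEnable -eq 1) {
    $findings += "ProxyEnable=1 ProxyServer='$($inet.ProxyServer)'"
    if ($Fix) {
        Set-ItemProperty -Path $inetKey -Name ProxyEnable -Value 0
        Remove-ItemProperty -Path $inetKey -Name ProxyServer -ErrorAction SilentlyContinue
    }
}

# Mass-hidden files: the rogue sets Hidden on ordinary user files. Files that
# Windows itself hides (desktop.ini, NTUSER.DAT) also carry the System
# attribute, so only Hidden-but-not-System *files* are counted and, on -Fix,
# unhidden; hidden directories are left for manual review to avoid touching
# profile folders that are hidden by design.
$hidden = @(Get-ChildItem -Path $ScanRoot -Recurse -Force -File -ErrorAction SilentlyContinue |
    Where-Object {
        ($_.Attributes -band [IO.FileAttributes]::Hidden) -and
        -not ($_.Attributes -band [IO.FileAttributes]::System)
    })
if ($hidden.Count -gt 0) {
    $findings += "$($hidden.Count) hidden (non-system) files under $ScanRoot"
    if ($Fix) {
        foreach ($item in $hidden) {
            # Hidden is known to be set here, so XOR clears exactly that bit.
            $item.Attributes = $item.Attributes -bxor [IO.FileAttributes]::Hidden
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No indicators from the thread were found.'
} else {
    $suffix = if ($Fix) { ' (remediated)' } else { '' }
    Write-Output ("Indicators found${suffix}:")
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```

Run it once without -Fix to see what is set, and only run with -Fix after the rogue's process has been stopped (as stbann did with the renamed TDSSKiller), since a live rogue simply re-applies the values. Clearing these artefacts restores the desktop, Task Manager, browser connectivity and the files, but it does not remove the rogue itself; that still needs the removal steps linked in the earlier replies.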
