Windows Restore - Malware Virus

[gtd2000]

My mother has reliably informed me that her computer has the "Windows Restore" virus - I've been trying to help her remotely after reading some solutions on the net which generaly include downloading a program called RKill and once it's done its magic running Malwarebytes.

Per this link:
http://www.bleepingcomputer.com/virus-removal/remove-windows-restore

So far nothing seems to be working to get rid of this bloody problem - have any of you guys come across this virus/malware and a solution?

Cheers in advance

 

[BoomerD]

http://www.techvts.com/fake-windows-restore-removal

http://www.virusremovalguru.com/?p=7103


I haven't checked to see if it's listed in the "list viruses" for Stinger, but it's worth a try:
http://www.mcafee.com/us/downloads/free-tools/stinger.aspx

Also, I found a few more things for you:

http://security.symantec.com/nbrt/npe.asp?lcid=1033&origin=default

http://www.myantispyware.com/2011/03/26/how-to-remove-windows-repair-virus/

http://www.symantec.com/connect/forums/windows-repair-virus

http://remove-malwares.blogspot.com/2011/04/how-do-i-get-rid-of-windows-restore.html

(windows repair virus is very similar to windows restore virus)

 

[Matt1970]

All those sites tell you to run MalwareBytes but none of them tell you how you need to run it. 99% of the time you can't run it in normal mode, you need to reboot in safe mode. 99% of the infections will be blocked from running in safe mode. If they are running in safe mode, you need to kill the associated process, download Malwarebytes but you need to rename it as it saves, then run it as administarator. I usually rename it something like "Lappy"

Nopw reboot in normal mode and remove any proxy settings for your LAN. Then run Spybot and then Super Anti-Spyware.

 

[gtd2000]

Yeah we took the safe mode route from the beginning but the virus still runs.

It seems to block out desktop icons and if you go to the programs via the start button nothing is listed.

I did manage to get malwarebytes running by telling my mother to browse for it through My Computer, however, it appears that this virus has now learned this technique and she can't do it any more

Unfortunately, my mother is not particularly good with PC's and you need to tell her everything about 10 times before she actually does it and then continually wants to read everything back to me.....groan!!!

Fortunately this is a PC that has more than one user account and the virus seems to have only infected her account.

Thanks for the suggestions - I'll do some reading over lunch

 

[lowrider69]

Worse comes to worse pull the drive out of her machine and hook it up to another machine, take ownership of the drive and scan from there. Fortunately I haven't had to do that in a while because the removal tools have gotten better over the years. But years ago I had to do it all of the time.

 

[gtd2000]

Well so far it appears that the virus has been killed - the often ignored step to getting the thing killed is to make sure you turn off the real System Restore on all drives, otherwise it just keeps coming back.

Now that the virus has been removed there is still a problem to view the contents of the start/programs menu as it's now all blank.

I've told my mother to make sure the view all hidden files option has been selected but she still has virtually all of her desktop icons missing.

Looks like further reading is required over the weekend after work.

 

[Matt1970]

1. Right click on the Start Button
2. Click Properties
3. In the Start Menu Properties window click “customize”
4. Click on the “Use Default Settings” button
5. Click “Ok”
6. Click “Apply”

If the programs in start menu are still missing and only missing in your mom's account, just create a new accound and transfer doc&pics.

 

[gtd2000]

1. Right click on the Start Button
2. Click Properties
3. In the Start Menu Properties window click “customize”
4. Click on the “Use Default Settings” button
5. Click “Ok”
6. Click “Apply”

If the programs in start menu are still missing and only missing in your mom's account, just create a new accound and transfer doc&pics.

Cheers for the advise Matt but in XP the options appeared to be different without the USE Default Settings button - at least that's what my mum said anyway

I got her to download a program called Unhide.exe and fortunately all is now well with her account again.


Thanks for all the help and suggestions guys

 

[Matt1970]

Oh good.