TechSpot

Host of viruses on my WinME C:\_RESTORE\TEMP - made sysrestore non-disableable

By Mammalian
May 18, 2009
  1. Someone put these on my computer months ago.

    I scanned with Avast and Kaspersky for Windows Workstations 6.0, and it discovered several viruses. Here's what Avast said.


    A0600588.CPY\nodhelp.exe\[RL-Pack] | Win32 PoisonIvy
    A0608957.1 | LordPatch
    A0009043.0\[PE-Pack] | Win.32 Wollf-C
    A0023711.1 | Win.32 DialerGen
    A0037817.1\{app}\passwds.exe | Win.32 Trojan-gen
    A0037821.1 Win.32 Trojan-gen
    A0048409.CPY\[RL-Pack] Win.32 PoisonIvy


    -------------------------------------------

    I also scanned with HijackThis. Since this is one of my first few posts I have to put it as an attachment (has url of my IE homepages in datadump).


    As you know with the Sysrestore exploit, these files can't be deleted. Every time I check the disable System Restore box, when I check it after restart the box is unchecked. I even went into safe mode and restarted in safe mode. Same thing. System Restore non disableable. Avast set them to be deleted at system start, but these viruses are being regenerated by something.


    I must also add that Malwarebytes and SUPERAntiSpyware will not install. Says I need Windows NT 5.0 or above.

    This pisses me off. Any ideas, guys?
     

    Attached Files:

  2. touch

    touch TS Rookie Posts: 978

    Hello

    You should be able to run SuperAntiSpyware on WinMe:
    http://www.superantispyware.com/supportfaqdisplay.html?faq=6

    Please download: http://www.superantispyware.com/downloadfile.html?productid=SUPERANTISPYWAREFREE (SAS)
    Install it and double-click the icon on your desktop to run it.
    It will ask if you want to update the program definitions, click Yes, Let it through your firewall!

    Under Configuration and Preferences, click the Preferences button.
    Click the Scanning Control tab.
    Under Scanner Options make sure the following are checked:
    Close browsers before scanning
    Scan for tracking cookies
    Terminate memory threats before quarantining.
    Please leave the others unchecked.
    Click the Close button to leave the control center screen.

    On the main screen, under Scan for Harmful Software click Scan your computer.
    On the left check C:\Fixed Drive.
    On the right, under Complete Scan, choose Perform Complete Scan.
    Click Next to start the scan. Please be patient while it scans your computer.
    After the scan is complete a summary box will appear. Click OK.
    Make sure everything in the white box has a check next to it, then click Next.
    It will quarantine what it found and if it asks if you want to reboot, click
    Yes.

    Reboot normally.
    After reboot, double-click the SUPERAntispyware icon on your desktop.
    Click Preferences . Click the Statistics/Logs tab .
    Under Scanner Logs , double-click SUPERAntiSpyware Scan Log .
    It will open in your default text editor (such as Notepad/Wordpad).
    Please highlight everything , then right-click and choose copy.
    Click close and close again to exit the program.

    Attach Superantispyware log
     
  3. Mammalian

    Mammalian TS Rookie Topic Starter

    Tried again, but again will not install. Says runsas.exe is linked to missing file, isn't there, expects a newer version of windows. Maybe it works on someone else's, but not mine. I've also used Spybot S&D and Ad-Aware, and actually, Avast was the only AV that could detect them. And Malwarebytes won't install either.

    There anything else I could use?
     
  4. touch

    touch TS Rookie Posts: 978

    Try DrWeb-

    Download Dr.Web CureIt to the desktop:
    ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
    Doubleclick the drweb-cureit.exe file and Allow to run the express scan.

    This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.

    Once the short scan has finished, move Dot to Complete scan.
    Click the green arrow at the right, and the scan will start.
    Click 'Yes to all' if it asks if you want to cure/move the file.

    When the scan has finished, in the menu, click file and choose save report list
    Save the report to your desktop. The report will be called DrWeb.csv
    Close Dr.Web Cureit.

    Please attach the Dr.Web report in your next reply.
     
  5. Mammalian

    Mammalian TS Rookie Topic Starter

    Amazing. This detected more viruses than any of the other AVs I've used put together. Here's the DrWeb report. Still wondering how to nudge open that _RESTORE folder since it's nondisableable.
     
  6. touch

    touch TS Rookie Posts: 978

    Yes, it is an effective scanner.
    Try this ->
    To completely remove the infected file or files in the _RESTORE folder,
    disable and re-enable the System Restore
    feature by following this procedure:

    1.Click Start, point to Settings, and then click Control Panel.
    2.Double-click System, and then click the Performance tab.
    3.Click File System button, and then click the Troubleshooting tab.
    4.Select the Disable System Restore check box, click Apply and Close.
    5.Restart the computer when you are prompted to do so. When the
    computer restarts, the Restore Utility will be disabled.

    To enable the System restore function, repeat steps 1-5 above,
    but remove the check mark next to Disable System Restore.
    After a restart of the computer the Restore Utility will be enabled.


    Also read this:
    http://support.microsoft.com/kb/290700/us
     
  7. Mammalian

    Mammalian TS Rookie Topic Starter

    Using your advice has done it. I installed the Windows System Restore fix from Microsoft's website and when I restarted SysRestore was disabled and DrWeb finished them off! These viruses are finally gone after a month of questing.

    I love you.
     
  8. touch

    touch TS Rookie Posts: 978

    That's good news :wave:
     
Topic Status:
Not open for further replies.
