Host of viruses on my WinME C:\_RESTORE\TEMP - made sysrestore non-disableable

Status
Not open for further replies.
Someone put these on my computer months ago.

I scanned with Avast and Kaspersky for Windows Workstations 6.0, and it discovered several viruses. Here's what Avast said.


A0600588.CPY\nodhelp.exe\[RL-Pack] | Win32 PoisonIvy
A0608957.1 | LordPatch
A0009043.0\[PE-Pack] | Win.32 Wollf-C
A0023711.1 | Win.32 DialerGen
A0037817.1\{app}\passwds.exe | Win.32 Trojan-gen
A0037821.1 Win.32 Trojan-gen
A0048409.CPY\[RL-Pack] Win.32 PoisonIvy


-------------------------------------------

I also scanned with HijackThis. Since this is one of my first few posts I have to put it as an attachment (it has the URL of my IE homepage in the data dump).


As you know with the Sysrestore exploit, these files can't be deleted. Every time I check the disable System Restore box, when I check it after restart the box is unchecked. I even went into safe mode and restarted in safe mode. Same thing. System Restore is non-disableable. Avast set them to be deleted at system start, but these viruses are being regenerated by something.


I must also add that Malwarebytes and SuperAntiSpyware will not install. Says I need Windows NT 5.0 or above.

This pisses me off. Any ideas, guys?
 

Attachments

  • hijackthis.txt
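The Avast lines quoted above mix two layouts (with and without a ' | ' separator, with optional archive members and [packer] tags). The following parser, added here as an example and not something from the thread or from Avast, turns those lines into records so a defender can see at a glance that every hit is a System Restore copy (the A#######.* names Windows ME gives files under _RESTORE\TEMP) and how often each family recurs. The sample input is a copy of the lines posted above.

```python
import re
from collections import Counter

# Constructed sample: the Avast result lines quoted in the post above.
AVAST_REPORT = r"""
A0600588.CPY\nodhelp.exe\[RL-Pack] | Win32 PoisonIvy
A0608957.1 | LordPatch
A0009043.0\[PE-Pack] | Win.32 Wollf-C
A0023711.1 | Win.32 DialerGen
A0037817.1\{app}\passwds.exe | Win.32 Trojan-gen
A0037821.1 Win.32 Trojan-gen
A0048409.CPY\[RL-Pack] Win.32 PoisonIvy
"""

PACKER_RE = re.compile(r"^\[(.+)\]$")

def parse_line(line):
    """Split one Avast result line into its parts.

    The first whitespace-delimited token is the restore-point copy
    (A#######.ext), optionally followed by backslash-separated members of
    that file and a [packer] tag. The detection name follows, with or
    without a ' | ' separator (both forms appear in the post).
    """
    token, _, rest = line.strip().partition(" ")
    detection = rest.lstrip("| ").strip()
    parts = token.split("\\")
    packer, inner = None, []
    for p in parts[1:]:
        m = PACKER_RE.match(p)
        if m:
            packer = m.group(1)
        else:
            inner.append(p)
    # Avast prints both 'Win32' and 'Win.32'; fold them so families group together.
    detection = re.sub(r"^Win\.32\b", "Win32", detection)
    return {"restore_copy": parts[0], "inner_path": "\\".join(inner) or None,
            "packer": packer, "detection": detection}

def parse_report(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]

def families(records):
    """Count hits per detection name (PoisonIvy shows up twice in this report)."""
    return Counter(r["detection"] for r in records)

def all_restore_copies(records):
    """True when every hit lives in a System Restore copy (A#######.*), i.e. the
    scanner only ever sees the protected _RESTORE cache, as in this thread."""
    return all(re.fullmatch(r"A\d{7}\.\w+", r["restore_copy"]) for r in records)
```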
Hello

You should be able to run SuperAntiSpyware on WinMe:
http://www.superantispyware.com/supportfaqdisplay.html?faq=6

Please download: http://www.superantispyware.com/downloadfile.html?productid=SUPERANTISPYWAREFREE (SAS)
Install it and double-click the icon on your desktop to run it.
It will ask if you want to update the program definitions; click Yes. Let it through your firewall!

Under Configuration and Preferences, click the Preferences button.
Click the Scanning Control tab.
Under Scanner Options make sure the following are checked:
Close browsers before scanning
Scan for tracking cookies
Terminate memory threats before quarantining.
Please leave the others unchecked.
Click the Close button to leave the control center screen.

On the main screen, under Scan for Harmful Software click Scan your computer.
On the left check C:\Fixed Drive.
On the right, under Complete Scan, choose Perform Complete Scan.
Click Next to start the scan. Please be patient while it scans your computer.
After the scan is complete a summary box will appear. Click OK.
Make sure everything in the white box has a check next to it, then click Next.
It will quarantine what it found and if it asks if you want to reboot, click Yes.

Reboot normally.
After reboot, double-click the SUPERAntispyware icon on your desktop.
Click Preferences. Click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
It will open in your default text editor (such as Notepad/Wordpad).
Please highlight everything, then right-click and choose copy.
Click close and close again to exit the program.

Attach Superantispyware log
 
Tried again, but again it will not install. Says runsas.exe is linked to a missing file, isn't there, expects a newer version of Windows. Maybe it works on someone else's, but not mine. I've also used Spybot S&D and Ad-Aware, and actually, Avast was the only AV that could detect them. And Malwarebytes won't install either.

Is there anything else I could use?
 
Try DrWeb:

Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
Double-click the drweb-cureit.exe file and allow it to run the express scan.

This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.

Once the short scan has finished, move the dot to Complete scan.
Click the green arrow at the right, and the scan will start.
Click 'Yes to all' if it asks if you want to cure/move the file.

When the scan has finished, in the menu, click File and choose Save report list.
Save the report to your desktop. The report will be called DrWeb.csv
Close Dr.Web Cureit.

Please attach the Dr.Web report in your next reply.
 
Amazing. This detected more viruses than any of the other AVs I've used put together. Here's the DrWeb report. Still wondering how to nudge open that _RESTORE folder since it's nondisableable.
 
Yes, it is an effective scanner.
Try this ->
To completely remove the infected file or files in the _RESTORE folder, disable and re-enable the System Restore feature by following this procedure:

1. Click Start, point to Settings, and then click Control Panel.
2. Double-click System, and then click the Performance tab.
3. Click the File System button, and then click the Troubleshooting tab.
4. Select the Disable System Restore check box, click Apply and Close.
5. Restart the computer when you are prompted to do so. When the computer restarts, the Restore Utility will be disabled.

To enable the System Restore function, repeat steps 1-5 above, but remove the check mark next to Disable System Restore.
After a restart of the computer the Restore Utility will be enabled.


Also read this:
http://support.microsoft.com/kb/290700/us
 
Using your advice has done it. I installed the Windows System Restore fix from Microsoft's website and when I restarted SysRestore was disabled and DrWeb finished them off! These viruses are finally gone after a month of questing.

I love you.
 