Terminal's IT Support, Products & Services Blog


Windows Restore Virus


This week, I ran into a very aggressive piece of malware called Windows Restore. It tries to make you think that there is a problem with everything from the hardware to the software applications on your PC. The reason it was so difficult to remove is that it hides all your icons and prevents Internet Explorer from running.

From past experience, I know that it looks for certain security software, such as Malwarebytes or ComboFix, and disables it. If you need to run an anti-malware tool, your best bet is to rename the installer to something unrelated, like 123456. This will trick the virus and usually let you install your virus/malware removal programs. Below is a list of registry keys to check manually when trying to remove this virus. Also, remember to go into Folder Options and enable showing all files and folders.

Malicious Files Added by Windows Restore Virus:
%UserProfile%\Start Menu\Programs\Windows Restore\Windows Restore.lnk
%UserProfile%\Start Menu\Programs\Windows Restore\Uninstall Windows restore.lnk
%AppData%\Microsoft\[random].exe
%UserProfile%\Desktop\Windows Restore.lnk
%UserProfile%\Start Menu\Programs\Windows Restore\

Windows Restore Registry Entries:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "CheckExeSignatures" = 'no'
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Use FormSuggest" = 'yes'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "WarnonBadCertRecving" = '0'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableTaskMgr" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[random].exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[random]"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations "LowRiskFileTypes" = '{hq:/s`s:/ogn:/uyu:/dyd:/c`u:/bnl:/ble:/sdf:/lrh:/iul:/iulm:/fhg:/clq:/kqf:/`wh:/lqf:/lqdf:/lnw:/lq2:/l2t:/v`w:/rbs:'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments "SaveZoneInformation" = '1'

Dennis Foote – System Engineer


Give Us a Call 617-731-6319 and Ask a Professional IT Support Technician Any Questions You May Have!

Sincerely, Terminal We Serve All of Greater Boston and Cambridge, MA
We hope you have found this information helpful & if so...Please Follow Us on Twitter! or Like Us on Facebook!

Rebuilding Virus


A client this week had a virus that kept rebuilding itself. I have found through trial and error that the bad ones are best dealt with by removing the hard drive from the notebook. I removed the drive and hooked it up to my IDE/SATA reader to run a scan with Symantec Antivirus and Malwarebytes. Once the drive was fully scanned, I put it back into the notebook it came from and started it up without letting it boot normally.

I still wanted to make sure the drive was okay and that the virus would not rebuild itself. So when starting the notebook, I went straight into Safe Mode so I could run ComboFix to see whether the notebook was in fact clean of any and all malicious software. I suggest you run ComboFix more than once. It may report that it deleted something, but once the notebook is back up and running, the rootkit that was thought to be deleted can reinsert itself into Windows and leave you back where you started.

I suggest that you run all your anti-malware and antivirus software multiple times before declaring your hard drive clean of every last virus and piece of malware.

Dennis Foote - Systems Engineer

