Fake System Restore is a Virus

Fake PC Repair / System Restore software is a rogue program that is hard to remove: it hides your desktop icons and everything in the Start menu, marks all of your folders hidden and read-only, and kills Task Manager. It hits Windows XP, Vista and Windows 7.
The program has been called PC Repair, System Restore, PC Restore, and probably a few more names I haven't seen yet.


The pop-up tells you that your hard drive can't be read and your video card is overheating, and that this semi-legitimate-looking program (except for the Buy Now button) can fix the issue.
This virus is a bad one. It killed my computer at work. First I got a pop-up that looks like System Restore (kind of; I never really looked at it), except in the corner it says "Buy Now" and across from it is the Cancel button. Now, being a vet of these pop-ups, I assumed that by clicking the red X in the corner I had better odds than if I clicked either of the offered buttons.
Boom. All of my icons vanished and my Start menu was emptied, completely void of all options. Everything I had in my Quick Launch was deleted too. Not cool.
I tried the ol' 1-2 and rebooted. Nope: Blue Screen of Death. Safe Mode? Nope, Blue Screen of Death. I put another hard drive in, used it as the primary drive and scanned the first drive with its virus scanner, which was Windows Essentials. It found the rootkit right away. After the delete and another reboot, Blue Screen of Death.
But after about six hours of freaking out, hoping the boss did not see, I got my computer restored.
Here’s what I used.



RogueKiller.exe
ATF-Cleaner.exe helps clear out what's in the folders you got locked out of in the attack.
Spybot
Believe it or not, I used the ESET Online Virus Scanner to clear out the viruses this System Restore thing gave me (it worked great on the XP computer, did just okay on Windows 7).
Microsoft Essentials: not a bad free virus scanner. It works pretty well but makes the computer a bit slow, so I uninstalled it after I used it. This one finds the trojans left behind by the System Repair virus on Windows 7, and finds some for the System Restore virus on XP and Windows 7.
unhide.exe will get your icons back, and the files that disappeared when the virus hit you.

 

Then, to get my icons back in order on the desktop, I killed Explorer and restarted it. To get a usable desktop, press Windows+D repeatedly until you can right-click the desktop; it may take three tries or so. Once you can right-click, choose New > Shortcut. It asks what to name it and what to point it at: point it to "C:\Windows\System32\taskmgr.exe" and save. Double-click that shortcut (the virus blocks the normal ways of opening Task Manager, but the shortcut still works), end every instance of explorer.exe on the Processes tab, then go to the Applications tab, click the "New Task" button at the bottom and type explorer.exe.

Your folders are not gone; they are hidden and set to read-only. To see them again, open Folder Options (in XP: Tools > Folder Options in any Explorer window; in Windows 7: Organize > Folder and search options), go to the View tab, select "Show hidden files, folders, and drives" and click Apply. Now you can either go to each folder one by one (right-click > Properties and clear the Hidden and Read-only boxes), or just use that program I posted up there called unhide.exe, which does all of the unhiding of the folders for you.

Not sure which one, but one of those tools brings back all of your uninstalls and fills your Start menu again. It's not a perfect science, but it gets you closer with a ton less work. One of those programs looks like you have to register; don't fill anything in, just hit OK and it will work in trial mode. You're only going to use it once anyway.

I did it backward and started doing all of this manually while my friend looked up what to get. By then I was about 30% into it, so some of the stuff the programs were supposed to do, I had already done, and some of the stuff I did, I bet the programs don't do. So run all of those before you get too far into it; that way you can see for yourself what they fix. It should make a lot of this much easier once you've used the virus scanners and emptied all of that stuff out.
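As an added example (not code from the original post, and not unhide.exe itself), here is the unhide step as a Python script. It assumes what the post describes: the infection sets the Hidden and Read-only attributes on your folders and files. The one check it adds that the folder-by-folder route makes easy to forget: anything that also carries the System attribute (System Volume Information, $Recycle.Bin, desktop.ini files) is left alone, because Windows expects those to stay hidden and stripping them is not a repair. planned_attributes() is the decision rule and runs anywhere; the walk and the write-back only do something on Windows, and nothing is changed unless you pass --apply.

```python
# Added example (not from the original post, not unhide.exe): clear the Hidden
# and Read-only attributes the rogue "System Restore" program sets, skipping
# entries that carry the System attribute so genuine OS folders keep the
# attributes Windows expects. Assumption: the infection sets Hidden+Read-only.
import ctypes
import os
import stat
import sys
from typing import List, Optional, Tuple

HIDDEN = stat.FILE_ATTRIBUTE_HIDDEN        # 0x02
READONLY = stat.FILE_ATTRIBUTE_READONLY    # 0x01
SYSTEM = stat.FILE_ATTRIBUTE_SYSTEM        # 0x04


def planned_attributes(attrs: int) -> Optional[int]:
    """Return the attribute word to write back, or None if nothing should change.

    Entries with the System attribute are left untouched (Windows relies on
    Hidden+System for its own folders). Otherwise Hidden and Read-only are
    cleared and every other bit (Archive, etc.) is kept.
    """
    if attrs & SYSTEM:
        return None
    fixed = attrs & ~(HIDDEN | READONLY)
    return None if fixed == attrs else fixed


def unhide_tree(root: str, apply: bool = False) -> List[Tuple[str, int, int]]:
    """Walk `root` and return (path, old_attrs, new_attrs) for every entry that
    planned_attributes() would change. With apply=True (Windows only) the new
    attributes are written with SetFileAttributesW. On non-Windows systems
    os.stat() has no st_file_attributes, so nothing is reported."""
    if not os.path.isdir(root):
        raise FileNotFoundError(root)
    changes: List[Tuple[str, int, int]] = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            attrs = getattr(st, "st_file_attributes", None)
            if attrs is None:
                continue
            new = planned_attributes(attrs)
            if new is None:
                continue
            changes.append((path, attrs, new))
            if apply and sys.platform == "win32":
                if not ctypes.windll.kernel32.SetFileAttributesW(path, new):
                    raise ctypes.WinError()
    return changes


if __name__ == "__main__":
    # Dry run by default:  python unhide.py C:\ --apply  to actually fix.
    target = sys.argv[1] if len(sys.argv) > 1 else "C:\\"
    for path, old, new in unhide_tree(target, apply="--apply" in sys.argv):
        print(f"{path}: 0x{old:02x} -> 0x{new:02x}")
```

Run it once without --apply and read the list; if you see a path you recognise as part of Windows, it is worth checking why it lacks the System attribute before you touch it.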
ESET, I never liked them until this. They did quite a bit, and Microsoft Essentials found the rootkit.

That’s what did it for me.
Hope this works for you.

If this works for you, please share the link or comment below, let me know I am helping. If you need any ideas or tips or better understanding of anything, post below. I will do my best.

In the comments section of another post, someone made a connection between this virus and the software I noted there, netsession_win.exe.

PS… If you are here because of Reddit. Hook me up with some Karma. !

Free Online Virus Scan

BitDefender. Supposed to be the fastest scanner. I have no idea how accurate it is, and I think this one only works in Internet Explorer.

Emsisoft's a-squared online virus scanner.


Free online virus and malware scan. Feel free to use this, bookmark the page and share it with your friends on whatever social site you use. This is the strongest virus scanner I know of that is totally free. It removes the viruses, trojans and worm components it knows about; no scanner catches everything, but after a scan no currently known virus should still be active on your computer. The group behind it is fast at updating, and many virus-scanning companies contribute to their research and vice versa.
It will remove known trojans and malware from your computer, even suspicious cookies.
I am happy to have Emsisoft's a-squared on my website.

Online Malware Scans

If you are like me and do not like bloating your computer with virus scanners and antivirus programs that run the whole time your computer is on, then you at least need to scan every now and again to make sure you do not have a computer virus or some sort of spyware (most people just call it all malware). For you, the better bet is to use an online scanner to help locate and remove the virus or spyware you may pick up in a regular day's computer use.
I have a funny little phrase that describes using a search engine: it's like playing Minesweeper. Sometimes you get a nice good run, sometimes you get nailed left and right. BOOM: "You may be infected." I hate that dang fake virus scanner. So it's all about Ctrl+Alt+Delete and praying your web browser does not reopen the same dang page again.
In my years of computer repair and internet fun I have found a few sites that do not charge you to use their online virus scanner, and they are not a trap and have no special usage clause. Also, sometimes your installed virus scanner itself gets infected, with the virus attaching itself to the scanner, so now you can't remove the virus because the scanner will not remove its own files. (It would help if they kept a backup of themselves and repaired such damage on reboot.)
I now share these with the readers of the TruXtertech.Com Site.
Here is a list of online virus scanners that work, for free.
a-squared online scanner: a very good scanner that seems to be the strongest I know of. I also use the Emergency Kit; I keep that malware scanner on a thumb drive.

BitDefender: the longest-running online malware scanner I know of. This malware scanner has removed a virus from every single computer I have ever used or repaired. BitDefender also sells a copy of their virus scanner from their site, but it runs like all antivirus programs: constantly.

ESET Online Virus Scanner: has a menu to select the type of scan and the actions you would like it to take.

Panda– online scanner

CA: formerly InoculateIT, formerly eTrust, now just CA. I love their virus scanner and performance tools, but again they are constant, so I use the online scanner and that's plenty for me. Their virus scanner is worth buying though, so if you know someone who needs protection and they aren't as OCD as me about keeping the PC fast, get them CA for their birthday or Christmas or just for the heck of it.

Single-file virus scanners, for scanning something you just downloaded to make sure it doesn't have a trojan or any other type of malware in it.

Virus Chief: uses several other online single-file virus scanners, so you get a large number of virus scanners at one time.
VirusTotal: same as above, mostly the same virus scanners.

Jotti: this one has been around the longest. The guy used to list the "latest in the wild", which showed what cooties had recently been caught. It was fun to watch that page. I guess he got sick of the wasted bandwidth from people refreshing the page constantly.

VirScan.org: online single-file virus scanner. Scans with around 30 virus scanners at once like the others. It takes a bit longer, but you get it confirmed by 30 scanners whether or not you have a virus in your hands.

Try the list, go through it, scan for a virus and see what you get. You may or may not have malware.

I did a virus scanner comparison using a well-known virus and all of the scanners listed; come see how they scored. My test was just to see which virus scanners couldn't detect it. From that point on, I consider the virus scanners that did not detect it garbage and useless.

What is Google Analytics

If you have ever clicked into a website and noticed, down by your Start button, that your browser's status bar says it is waiting for some program from Google to start up, you may have said "Hmmm, should I be scared?"

If you are looking for a simple answer,

It's a program you link to with code on your website. The code in your website's pages sends information to Google, and the information gathered is really thorough. The data gathered is about the people surfing your website: point of origin, screen resolution, operating system, exact search query, time on site, exit location.

For me some of this information is pretty useful. It tells me what size of pictures I can put on my site to please the general public, and which browser and operating system I should target. It tells me what content people were looking for, whether I have exactly what they want, and whether I should cover that content too or link to someone who does.

Google’s Version of the story

Not to be super conspiracy-minded, but...

Um, that's too much info about me. I am not comfortable with that much data. I really wouldn't want the guys on the adopt-a-pet website seeing that I went straight to their site from an athlete's foot site, and that when I left I went to a site about people who like to eat with their feet.

Why is it that the Google urchin gathers personal info about us, kind of adware-type info? I mean, really, isn't it for advertisement purposes? Why don't my Spybot, a-squared and Ad-Aware find it? It is a JS file, so it does have beef.

Other than my personal dislike of the monitoring, I love being able to tweak my site with the info I gather.

How Can I Use A Hosts File To My Advantage?


A hosts file is a plain text file found on almost every operating system (with some exceptions): /etc/hosts on Unix-like systems and %SystemRoot%\System32\drivers\etc\hosts on Windows. Whenever a program asks the system to resolve a host name, whether you expect that program to go on the internet or not, the resolver checks the hosts file first and only asks DNS if the name is not listed there.

In your hosts file you can tell your computer which IP address a host name resolves to. By doing that you bypass the network lookup for those specific names. It is impossible to knock out every bad website there is, but you can knock out every site that has been submitted, reported and confirmed as a malware site.

You can also stop your kid from hitting sites you do not want her/him going to. Go to the bottom of the hosts file and add a line with the address you want the name to resolve to, followed by the name, like this:

127.0.0.1 a_site_you_do_not_want_to_go_to.com

This keeps that site from ever loading on your computer: the browser connects to your own machine instead of the real site. Many block lists use 0.0.0.0 instead of 127.0.0.1; either address keeps the name from resolving to the real site. One line covers one exact name, so www.example.com and example.com each need their own entry.

If a program contacts "a_site_you_do_not_want_to_go_to.com" by default, that program will no longer be able to update. That works to your advantage when the program is the virus, trojan, adware or spyware and the site is where it phones home: the program can no longer contact its owner, which hides you from the owner and improves your security. Some malware updates itself by connecting to its owner's domain, unless it is written to connect to a hard-coded IP address instead. That, of course, would be a mistake on the writer's part, because a fixed address is much easier to locate. Note that a hosts file only affects name lookups, so it cannot block a hard-coded address; for that you need a firewall rule, if you take the time.

I use the MVPS hosts file because he has a much larger list than I do. I just add my stuff to his when I download it and set up my hosts file. If you have a list of bad sites, do what I and a few others do: email it to the MVPS site. I do suggest that you read everything on the wiki and the MVPS site before you do anything to change your hosts file. Really, if you block yourself from the internet (God only knows how that could ever happen), you just clear out all the IP addresses and domain names in the list and you are back to the way it was.

If you have any questions related to this topic feel free to ask them.

TruXter

Owner and writer of :

iworkwithtech.com and iworkwithpeople.com

Re-Evaluation of Dr.Web

After years of not touching Dr.Web, I could not remember, in full, why I did not like it. I could not remember why I did not trust it. It has been at least five years since I tried it, and someone who I see is trusted by quite a few people recommends it, so I gave it a go. Well, the first download is 14 MB. Quite tiny, and it happens in a blink, although the file downloaded was actually just a tool to download the actual program. After the download was complete and the install was nearly finished, it asked for a verification key (I did not have one), so the program let me press a button and have a key automatically inserted. Why? Dunno. The scan seemed pretty smooth; I didn't see the scanner get hung up on anything. The list of files being scanned was pretty steady. Boots and reboots of the system were smooth and there was no delay or hang time from Dr.Web.

I consider any program that you have to find a program from a second party to remove to be malware. If the program does not allow me to see the size of the actual install until after it is finished installing (I had to navigate to the folder it was contained in), I consider it to be deceptive.

Granted, this is a workplace computer. I am not the first employee to use this computer and formatting it is not an option. I did find traces of Limewire once installed on this machine, so you should have a pretty good idea how beat down this machine is because of misuse. Since this program found nothing and ran smoothly, I decided to break out some of the tried and true programs: Ad-Aware, Spybot, and a-squared. All three found something, and no, it was not all cookies. Ad-Aware found what it labeled as W32.Novarg.A@mm (aka MyDoom). a-squared found a few hijackers, and Spybot found, like, 60 things.

Now here comes the issue. I decided I do not need this program to start when I start my computer. Since it never found anything, I was not impressed enough to leave it on the workplace computer throughout the trial period. I went to uninstall Dr.Web, but it wasn't happening. The uninstall actually tries to install the program again. I went through the whole process to see if it would say "before we can install you must uninstall; would you like to uninstall?" Never happened. Full install right over the current one.

So I did a Google search on it. The best information I found was sad and scary, all in one. Delete all registry entries and then go back to the directory of install and delete all signs of Dr.Web. I really do not suggest you do that. I mean, it did not damage this machine. I booted fine afterwards with no errors, but if you are new to ‘regedit,’ stay out. It is much safer that way.

After 14 years of doing this online and nine years on local networks (before the Internet), you would think I learned my lesson. Well, I have learned that sometimes you just have to try stuff and be prepared to put things back together. Good thing I do and can.

Here’s an alternative.


What to do when infected with spyware/adware


We have all had infestations: pop-ups that never go away, something that changes your home page, or something that redirects the site you typed to a totally different site. Even worse is a combination of those problems.

Well, I have some good news and some help for you.

Next time, you might want to consider this stuff first, before you even go anywhere on the internet.

For starters, I would begin by stopping most malware from even connecting to the net from your computer; this step keeps your computer from ever reaching the sites where malware is created, uploaded and/or updated. Fix your "hosts" file by going to the MVPS site and reading up on the subject. I actually just scroll down about 20 lines; he has a zipped file with five or so items in it. Extract the contents to the desktop, double-click the batch file, and in a blink I am protected from tons of malware servers. http://www.mvps.org/winhelp2002/hosts.htm

Please read the MVPS site to get a full understanding and to be on the same page as me. Yes, the hosts project started out as a way to block banner ads, but it was later found that you can do much more. PLEASE READ THE MVPS SITE.

Before installing the new "hosts" file, I open my existing "hosts" file, located at C:\WINDOWS\system32\drivers\etc\hosts, in Notepad to see whether any changes have been made to it.

There is a line that should read "127.0.0.1 localhost", which means localhost is YOU. (On Vista and Windows 7 that line may be commented out with a #, because those versions resolve localhost internally; that is normal.) If localhost maps to anything other than 127.0.0.1 (or ::1 for IPv6), something has tampered with the file. Just as important, look at every other line: an entry that points a site you use, your bank, Windows Update, an antivirus vendor, at an address that is not 127.0.0.1 or 0.0.0.0 means that site has been routed to someone else's server, and everything you do and type there passes through them first; an entry that points a vendor's update site at 127.0.0.1 silently stops that product from updating. If you have anything like that in there, please post it here as a comment so I, and others, can help take care of someone like this.
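Here is that check as a script, together with the merge step from the hosts-file post above, as an added example; it is not code from the original posts or from the MVPS project. The sample hosts file and blocklist are constructed for the demonstration (the addresses and the fileserver entry are made up), and the list of security and update domains it watches is an illustrative assumption, not a complete one. The two lines of real interest in the sample are the vendor site pointed at a foreign address, which routes you through someone else's server, and the vendor site pointed at 127.0.0.1, which silently kills updates. The audit does not delete anything; you decide which names go in the drop set, and the merge keeps your own entries (including both localhost lines) while adding the downloaded list.

```python
# Added example (not from the original posts and not the MVPS project's code).
# Step 1: audit the hosts file you already have for tampering.
# Step 2: merge a downloaded blocklist into it without losing your own entries.
# Sample input below is constructed; real files live at
# %SystemRoot%\System32\drivers\etc\hosts (Windows) or /etc/hosts (Unix-likes).
import ipaddress
from typing import FrozenSet, List, Tuple

LOCAL_SINKS = {"127.0.0.1", "0.0.0.0", "::1"}

# Illustrative (assumed) list of sites whose redirection is a classic sign of
# a hijack: blocked means updates silently stop; a foreign address means you
# are talking to someone else's server.
WATCHLIST = ("windowsupdate.com", "update.microsoft.com", "mvps.org",
             "emsisoft.com", "safer-networking.org", "eset.com", "bitdefender.com")


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs; comments and blank lines are skipped and
    a line naming several hosts yields one pair per host."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        pairs.extend((ip, name.lower()) for name in names)
    return pairs


def on_watchlist(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in WATCHLIST)


def audit_hosts(text: str) -> List[str]:
    """Describe every entry that deserves a look before you trust the file."""
    findings = []
    for ip, host in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append(f"{host}: unparseable address {ip!r}")
            continue
        if host == "localhost" and not addr.is_loopback:
            findings.append(f"localhost -> {ip}: should be 127.0.0.1 or ::1")
        elif on_watchlist(host):
            findings.append(f"{host} -> {ip}: security/update site blocked or redirected")
        elif ip not in LOCAL_SINKS and not addr.is_loopback:
            findings.append(f"{host} -> {ip}: non-local redirect, confirm you added it")
    return findings


def merge_blocklist(existing: str, blocklist: str,
                    drop: FrozenSet[str] = frozenset(), sink: str = "0.0.0.0") -> str:
    """Keep every entry of `existing` except hostnames in `drop` (the ones the
    audit told you to remove), then append each blocklist hostname that is not
    already present, pointed at `sink`. Entries are keyed by the (ip, host)
    pair, not by host alone, because localhost legitimately appears twice
    (IPv4 and IPv6)."""
    kept: List[Tuple[str, str]] = []
    seen = set()
    for ip, host in parse_hosts(existing):
        if host in drop or (ip, host) in seen:
            continue
        seen.add((ip, host))
        kept.append((ip, host))
    known = {host for _ip, host in kept}
    to_block = sorted({host for _ip, host in parse_hosts(blocklist)} - known)
    out = ["# localhost and your own entries"]
    out += [f"{ip} {host}" for ip, host in kept]
    out.append("# blocked names (merged from downloaded list)")
    out += [f"{sink} {host}" for host in to_block]
    return "\n".join(out) + "\n"


# Constructed sample: a Windows hosts file after tampering, plus a tiny
# blocklist in the same format the MVPS file uses (addresses are made up).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
192.168.1.50    fileserver.local          # added by the user, legitimate
203.0.113.7     www.update.microsoft.com  # redirect to a foreign address
127.0.0.1       www.emsisoft.com          # vendor site blocked: no updates
127.0.0.1       www.google-analytics.com  # the user's own block entry
"""
SAMPLE_BLOCKLIST = """\
0.0.0.0 www.google-analytics.com
0.0.0.0 ads.example.net
"""

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print("CHECK:", finding)
    hijacked = frozenset({"www.update.microsoft.com", "www.emsisoft.com"})
    print(merge_blocklist(SAMPLE_HOSTS, SAMPLE_BLOCKLIST, drop=hijacked))
```

The sink defaults to 0.0.0.0 because that is what current block lists ship with; pass sink="127.0.0.1" if you want the older style the post shows. Either way, run the audit on the merged result too: the only thing it should still report is whatever you deliberately pointed at a non-local address.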

Next, let's go scan your machine. If you can, install this: "http://www.emsisoft.com/en/software/download/", a-squared Free 3.1.

Run that program and remove anything and everything it finds. Let the scan finish before you start the next step; if two scanners try to remove the same files at once, it can cause problems.

Next, go get Spybot - Search & Destroy 1.5.2; you will find it here: "http://www.safer-networking.org/en/download/index.html"

Now go get Ad-Aware: "http://www.lavasoftusa.com/single/trialpay.php"

Run Ad-Aware after Spybot. The same rules apply.

If your issue persists, use HJT, which stands for HijackThis, found here: "http://www.spywareinfo.com/~merijn/programs.php"

You can join their forums "http://www.spywareinfo.com/~merijn/forums.php" and get help from people who spend all day, every day helping people decipher what HJT finds in its logs. They will tell you what to keep and what to kill. They are an excellent group.

In most cases you would have prevented this from ever happening if you had started with the MVPS "hosts" file. That is a very good practice. It would also be wise prevention not to install anything and everything you find on the internet. The first thing you must always do when you download anything is scan it with as many virus scanners as possible. I use Jotti's site for online single-file scanning. It scans with about 20 different virus scanners at one time and shows you a real-time results area at the bottom of the page. If you watch the scan results, you can see which scanners are worth a darn and which are worth being cup holders. AVG is garbage; see for yourself. "http://virusscan.jotti.org/"

If anyone has protection tips of the malware kind, drop a note here ..

Good free firewall to prevent this kind of thing:

Sygate firewall:

http://smb.sygate.com/products/spf_standard.htm

Trojan killers:

http://swatit.org/download.html

Trojan Hunter trial version:

http://www.misec.net/

Do this immediately:

Disabling system restore in Win Xp
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001012513122239?Open&src=sec_doc_nam&docid=2001111912274039&nsf=tsgeninfo.nsf&view=docid&dtype=&prod=&ver=&osv=&osv_lvl

More Xp resource:

XP resource info:

www.blackviper.com

http://grc.com/dos/xpsummary.htm

http://www.annoyances.org/exec/forum/winxp
If you do not have SpyBot and Adaware, do this:

Spybot:

Download and Read the SpyBot tutorial here:

http://s89223352.onlinehome.us/mirror/spybot/index1.php

Download it, unzip the program, and immediately check for updates; install the updates and then do the scan.

Let it fix everything marked in red. Reboot, but not with Restart: shut it down for two full minutes. You've got two measly minutes and it's worth it. Let Spybot run on startup if it indicates.

To add an item to your "Ignore List", click on the little "+" sign next to the item and left-click it to highlight it, then right-click it; a menu appears, select the function you want.

When you are done, reboot again the same way. A two-full-minute shutdown is best.

TeaTimer discussed by the designer here:

http://forums.net-integration.net/index.php?showtopic=13433

Also, go to the update page. Notice three icons across the top. Between "Search For Updates" and "Download Updates" there is an icon for the download mirror location. After you click on "Search for updates," the one in the middle will change. If it doesn't say "Spybot.US by Rootboxen.net USA", click on the dropbox arrows and click on Rootboxen, and use only that one. If you got a "checksum error" trying to download, that's why.

Ad-Aware:

Download AdAware from http://www.lavasoft.de/

check for updates at “webupdate”.

I use these settings (green check)

From main window click “Start” then make sure ” Activate in-depth scan” has a green check next to it.

Select the radio button next to "Use custom scanning options" and click "Customize" next to it, then green-check these options:
"Scan within archives", "Scan active processes", "Scan registry",
"Deep scan registry", "Scan my IE Favorites for banned URL",
"Scan my host-files"

At the top of the "STATUS" page notice the Tweak (gear) icon. Click on it.

The first setting is "Scanning Engine." Click on the little plus sign next to it, and in the drop-down green-check "Unload recognized processes during scanning" and "Include basic Ad-Aware settings in log file". Next click on the "+" next to "Cleaning Engine" and in the drop-down green-check "Let Windows remove files in use at next reboot" and "Delete quarantine objects after restoring".

Click “proceed”, that will save those settings.

Click “Scan”

When the scan finishes, mark everything for removal and delete it. Right-click the window and choose "Select all" from the drop-down menu, press "Next" and then "Yes" at the prompt "Remove all these entries".

However, if you have certain programs running that give a false indication of a browser hijack attempt, such as Script Sentry, which places a monitoring function in the registry and looks like a browser hijacker but is not, then you may want to add that to the ignore list, because you want to keep it there to do its job. To add an item to the ignore list, put the cursor on the file it reveals and left-click it to highlight it, then right-click it and a menu appears. Click on "Ignore list."

Shut down (a two-minute shutdown is best), and let Ad-Aware run on reboot if it indicates.
When you are done with all that, go into Safe Mode and run Ad-Aware, Spybot and your AV. Then go to "Search files and folders", search for the file name of the trojan and delete it in Safe Mode. If you are clean there, that's about it. Re-enable your System Restore.

I also use these:

Spyware Blaster

http://www.javacoolsoftware.com/spywareblaster.html

MRU Blaster

http://www.javacoolsoftware.com/mrublaster.html

and Script Sentry.

Run Ad-Aware, Spybot and your AV in normal mode. Clean? Good. Go here:

Jason's Browser Security Test:

http://www.jasons-toolbox.com/BrowserSecurity/

Gibson tests:

http://www.grc.com/default.htm

I use LeakTest, DCOMbobulator, ShieldsUP, and plugnpray.

Love for the tech community.

Is Norton better than free?

Let’s look at a free online virus scanner compared to Norton antivirus

[Screenshot: noton.PNG, the Norton scan result]

I scanned with Norton first and found nothing, then scanned again with the BitDefender online free virus scanner.

what do you think is the better choice?

Scanner                 Result
A-Squared               Found Riskware.PSWTool.Win32.Brutus
AntiVir                 Found SPR/Brutus
ArcaVir                 Found Trojan.Psw.Tool.Brutus
Avast                   Found Win32:PolyCrypt-ASO
AVG Antivirus           Found nothing
BitDefender             Found Application.PWCrack.Brutus.A
ClamAV                  Found Virtool.Brutus
CPsecure                Found PSWTool.W32.Brutus
Dr.Web                  Found Tool.BrutusPWS
F-Prot Antivirus        Found security risk or a "backdoor" program
F-Secure Anti-Virus     Found not-a-virus:PSWTool.Win32.Brutus (6, 2, 605)
Fortinet                Found HackerTool/PWCrack
Ikarus                  Found HackTool.Win32.Brutus
Kaspersky Anti-Virus    Found not-a-virus:PSWTool.Win32.Brutus
NOD32                   Found Win32/PSWTool.Brutus application
Norman Virus Control    Found nothing
Panda Antivirus         Found Application/Brutus.A
Rising Antivirus        Found nothing
Sophos Antivirus        Found nothing
VirusBuster             Found nothing
VBA32                   Found Win32.PSWTool.Brutus