Malware has hijacked system restore


Guest

I'm on a bug hunt and decided it would be easier just to do a system restore.
Searching the restore calendar, I had lots of points to choose from and it
correctly identified the addition of apps. However, when I try to use it, it
always comes back and states restore is incomplete. No changes to your
system. Hence, the bug has protected itself. Is there a way to reload the
system restore function without compromising the data file that contains the
system information? I presume it is intact since it lists things correctly.
Restore, I believe, is being told that there are no changes. Can I do this,
and if so, what do I need to do?
 

David H. Lipman

From: "wscott rowan" <wscott (e-mail address removed)>

| I'm on a bug hunt and decided it would be easier just to do a system restore.
| Searching the restore calendar, I had lots of points to choose from and it
| correctly identified the addition of apps. However, when I try to use it, it
| always comes back and states restore is incomplete. No changes to your
| system. Hence, the bug has protected itself. Is there a way to reload the
| system restore function without compromising the data file that contains the
| system information? I presume it is intact since it lists things correctly.
| Restore, I believe, is being told that there are no changes. Can I do this,
| and if so, what do I need to do?



Dump the contents of the IE Temporary Internet Folder cache (TIF)

start --> settings --> control panel --> internet options --> delete files

1) Download the following four items...

McAfee Stinger
http://vil.nai.com/vil/stinger/

Trend Sysclean Package
http://www.trendmicro.com/download/dcs.asp

Latest Trend Pattern File.
http://www.trendmicro.com/download/pattern.asp

Ad-aware SE (free personal version v1.05)
http://www.lavasoftusa.com/

Create a directory.
On drive "C:\"
(e.g., "c:\New Folder")
or the desktop
(e.g., "C:\Documents and Settings\lipman\Desktop\New Folder")

Download SYSCLEAN.COM and place it in that directory.
Download the Trend Pattern File by obtaining the ZIP file.
For example, lpt480.zip

Extract the contents of the ZIP file and place the contents in the same directory as
SYSCLEAN.COM.

2) Update Ad-aware with the latest definitions.
3) Disable System Restore
http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
4) Reboot your PC into Safe Mode [F8 key during boot]
and shut down as many applications as possible.
5) Using Trend Sysclean, Stinger and Ad-aware, perform a Full Scan of your
platform and clean/delete any infectors/parasites found.
(a few cycles may be needed)
6) Restart your PC and perform a "final" Full Scan of your platform using the three
utilities: Trend Sysclean, Stinger and Ad-aware.
7) Re-enable System Restore and re-apply any System Restore preferences
(e.g. HD space to use, suggested 400 ~ 600MB).
8) Reboot your PC.
9) Create a new Restore Point.

* * Please report your results ! * *
 

Guest

David,

Thanks for the detailed instruction. Will try this, this evening. One
question, right towards the end of your description you said to "create a
new restore point". The wording struck me as odd; won't I merely be picking one of
my former restore points, say 01 Feb, 2005?

FTR, I've hit it with Ad-aware and the beta version of the Microsoft product.
Found some stuff, particularly the MS product, but not this particular bug.

Scott

 

David H. Lipman

From: "wscott rowan" <wscott (e-mail address removed)>

| David,
|
| Thanks for the detailed instruction. Will try this, this evening. One
| question, right towards the end of your description you said to "create a
| new restore point". The wording struck me as odd; won't I merely be picking one of
| my former restore points, say 01 Feb, 2005?
|
| FTR, I've hit it with Ad-aware and the beta version of the Microsoft product.
| Found some stuff, particularly the MS product, but not this particular bug.
|
| Scott
|


Scott:

I hope that was Ad-Aware SE v1.05. Note the latest update was 3/8/05.

Instruction #3 will remove all Restore Points. The reason being old Restore Points would
be vectors to get reinfected.

The objective:

Disable System Restore, which flushes the cache.

Scan and clean the system

Re-enable the System Restore cache.

Manually create a new Restore Point that captures a CLEAN system.
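The disable / scan / re-enable / checkpoint sequence David lays out above (steps 3, 7 and 9 of his list, and the "objective" summary here) can be scripted on later Windows versions with the built-in System Restore cmdlets. This is an added example, not part of the original thread or of any tool named in it; it assumes an elevated Windows PowerShell 5.x session on a modern Windows client whose system drive is C:, and it leaves the Safe Mode scans (steps 4 to 6) to whatever scanner the reader uses.

```powershell
# Added example: scripts steps 3, 7 and 9 of the procedure above on a modern
# Windows client (Windows PowerShell 5.x, run as Administrator). The system
# drive is assumed to be C:.
#Requires -RunAsAdministrator

$Drive = "C:\"

function Get-RestorePointSummary {
    # Lists the restore points currently on disk. An empty result right after
    # the disable/enable cycle confirms the possibly infected points are gone.
    Get-ComputerRestorePoint |
        Select-Object SequenceNumber, Description, RestorePointType,
            @{ Name = "Created"; Expression = { $_.ConvertToDateTime($_.CreationTime) } }
}

Write-Host "Restore points before cleanup:"
Get-RestorePointSummary | Format-Table -AutoSize

# Step 3: turning System Restore off discards every existing restore point,
# so nothing the scanner removes can come back from an old point later.
Disable-ComputerRestore -Drive $Drive

# Steps 4 to 6 (Safe Mode full scans with the chosen tools) happen here,
# outside this script; the prompt just marks where they belong.
Read-Host "Run the full scans now, then press Enter to re-enable System Restore"

# Step 7: re-enable protection on the system drive.
Enable-ComputerRestore -Drive $Drive

# Step 9: capture a restore point that represents the cleaned system.
Checkpoint-Computer -Description "Clean system after malware removal" `
                    -RestorePointType MODIFY_SETTINGS

Write-Host "Restore points after cleanup (only the new clean point should remain):"
Get-RestorePointSummary | Format-Table -AutoSize
```

On Windows 8 and later, Checkpoint-Computer declines to create a second restore point within 24 hours of the previous one by default, so run this once the scans are genuinely finished rather than after each cycle.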
 

Guest

David,

Thanks for clearing that up. Fair enough, old restore points will be
history. Your comment regarding Ad-aware did strike a bell with me. No, I'm not
running 1.05, but rather 1.03. The reason it strikes a bell is that every time
I updated the signature file it reminded me that I have an older version,
1.03. Did I want to update? I ALWAYS clicked yes, but it has NEVER updated.
Think that was due to a pesky little bugger.
I've downloaded 1.05 fresh and will install it tonight.

Again, thanks.

Scott
 
