Fake SYSTEM RESTORE virus


I have a fake SYSTEM RESTORE virus on my computer and have been trying to get rid of it for five days now. I have run Malwarebytes at least six times and it removes the virus until I reboot. The virus then affects the computer again! As long as I don't turn off the computer after running anti-virus programs, I can get back all my programs, though the computer runs very slowly. If I turn it off, it's over. Don't know what to do anymore. Thinking about pitching the computer through the nearest window. PLEASE HELP.


Hi and Welcome to Malwarebytes' Forum,

Download DDS and save it to your desktop from HERE or HERE.

Disable any script blocking programs you may have active (such as Norton script blocking), and then double-click dds.scr to run the tool.

  • When done, DDS will open two (2) logs:
    • DDS.txt
    • Attach.txt
  • Save both reports to your desktop.
  • Please copy and paste dds.txt into your next reply and hold on to attach.txt for now.

Please perform the "Automated Removal Instructions for System Restore using Malwarebytes' Anti-Malware" in this Bleeping Computer Guide (exactly as written):

http://www.bleepingcomputer.com/virus-removal/remove-system-restore

Please let me know how things went and post DDS.txt


Please run rkill again to kill all processes associated with the Infected System Restore Rogue Program.

This is the one that is showing up in DDS.txt:

C:\ProgramData\mpdonxRWd2Yvlz.exe

Please Run ComboFix by following the steps provided in exactly this sequence:

Here is a tutorial that describes how to download, install and run Combofix. Please thoroughly review it before proceeding:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Very Important! BEFORE downloading Combofix, temporarily disable your antivirus and antimalware real-time protection and any script blocking components of them or your firewall before performing a scan. They can interfere with ComboFix and even remove onboard components so it is rendered ineffective:

http://www.bleepingcomputer.com/forums/topic114351.html

Note: The above tutorial does not tell you to rename Combofix as I am about to instruct you to do in the following instructions, so make sure you complete the renaming step before launching Combofix.

Using ComboFix ->

Please download Combofix from one of these locations:

HERE or HERE

I want you to rename Combofix.exe as you download it to winlogon.exe

Notes:

  • It is very important that you save the newly renamed EXE file to your desktop.
  • You must rename Combofix.exe as you download it and not after it is on your computer.
    You may have to modify your browser settings if you use Firefox, so you can rename Combofix.exe as you download it. To do that:
    • Open Firefox
    • Click Tools -> Options -> Main
    • Under the downloads section check the button that says "Always ask me where to save files".
    • Click OK
  • For Internet Explorer:
    • Choose to save, not open the file
    • When prompted, save the file to your desktop, and rename it winlogon.exe.

Running Combofix

In the event you already have Combofix, please delete it as this is a new version.

  • Close any open browsers and programs.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  • If Combofix asks to update, please allow it to do so. If it renames itself back to Combofix.exe - this is normal!!

To Launch Combofix

1. Right-Click the renamed Combofix Desktop Icon, and select the option to Run as Administrator

2. When Combofix is finished running, it will produce a logfile located at C:\ComboFix.txt

3. Post the contents of that log in your next reply.

Note: Do not mouse-click ComboFix's window while it is running. That may cause your system to stall/hang.

Please post C:\ComboFix.txt in your next reply.

If you have problems running Combofix, then try running it in "Safe Mode with Networking" as follows:

  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading normally, the Advanced Options Menu should appear;
  • Select the option, to run Windows in "Safe Mode with Networking", then press Enter.
  • Choose your usual account, and launch Combofix as directed above.

=============

NOTE: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.

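As an added example (not part of the thread or of any tool mentioned in it), a small Python check that flags, in DDS-style process lines, executables dropped directly under C:\ProgramData or carrying random-looking names like the rogue's. The rogue path is the one quoted above; the other sample lines and the heuristic thresholds are constructed assumptions for this example.

```python
import re

# Constructed sample lines in the style of a DDS.txt "Running Processes" section.
# Only the C:\ProgramData\mpdonxRWd2Yvlz.exe entry comes from the thread above;
# the remaining entries are made up for this example.
SAMPLE_LINES = [
    r"C:\Windows\system32\winlogon.exe",
    r"C:\Windows\system32\svchost.exe -k netsvcs",
    r"C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe",
    r"C:\ProgramData\mpdonxRWd2Yvlz.exe",
    r"C:\ProgramData\Microsoft\Windows Defender\MsMpEng.exe",
    r"C:\Users\Owner\AppData\Local\Temp\xKq9pLmZ.exe",
]

# A drive-letter path ending in .exe, optionally quoted, possibly followed by arguments.
PATH_RE = re.compile(r'^\s*"?([A-Za-z]:\\.+?\.exe)(?=\s|"|$)', re.IGNORECASE)
# An .exe sitting directly in the ProgramData root (no vendor subfolder).
PROGRAMDATA_ROOT_RE = re.compile(r'^[A-Za-z]:\\ProgramData\\[^\\]+\.exe$', re.IGNORECASE)


def looks_random(stem: str) -> bool:
    """Heuristic (assumed thresholds): a long stem with many case flips or few vowels."""
    if len(stem) < 8:
        return False
    letters = [c for c in stem if c.isalpha()]
    if not letters:
        return False
    flips = sum(1 for a, b in zip(letters, letters[1:]) if a.isupper() != b.isupper())
    vowel_ratio = sum(c.lower() in "aeiou" for c in letters) / len(letters)
    return flips >= 3 or vowel_ratio < 0.2


def flag_suspicious(lines):
    """Return [(path, [reasons])] for lines whose executable matches the rogue's pattern."""
    findings = []
    for line in lines:
        m = PATH_RE.match(line)
        if not m:
            continue
        path = m.group(1)
        stem = path.rsplit("\\", 1)[-1][:-4]  # file name without ".exe"
        reasons = []
        if PROGRAMDATA_ROOT_RE.match(path):
            reasons.append("exe placed directly in C:\\ProgramData")
        if looks_random(stem):
            reasons.append("random-looking file name")
        if reasons:
            findings.append((path, reasons))
    return findings


if __name__ == "__main__":
    for path, reasons in flag_suspicious(SAMPLE_LINES):
        print(path, "->", "; ".join(reasons))
```

Such a flag is a prompt to look closer (signature, timestamp, autorun entries), not proof of infection; legitimate software rarely drops an unbranded executable in the ProgramData root.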


Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
