Fake Windows Restore Recovery Virus

22-10-2011, 03:23 PM
I can't remember the last time I was troubled by a virus - 6-7 years at least. But now...

Somehow a fake Windows Restore Recovery (it has other names too) virus got running and all desktop icons and Start programs disappeared.

Safe mode didn't help and the real Windows Restore would not run.

Using another pc I saved RKill, Malwarebytes, and Unhide to a flash drive and used them. My grateful thanks to Bleepingcomputer.com. http://www.bleepingcomputer.com/virus-removal/remove-windows-recovery

The repairs have mostly worked although I'm not confident everything is fixed.

My problem: I cannot access the internet. Plus Windows Firewall cannot be turned on despite running Fix It from Microsoft. http://support.microsoft.com/kb/914230

Got the ethernet cable plugged in, wireless is also trying but no connection. I cannot see any yellow question marks on the hardware. Tried turning the firewall on in Services but no go.


22-10-2011, 04:33 PM
Personally I'd do a clean format and reinstall Windows if I were you.
What version of Windows are you using? Do you have any 3rd party firewalls installed?

22-10-2011, 06:23 PM
You'll find either settings have been corrupted, or Malwarebytes has not got everything. Sometimes it does miss a lot.

Two things to try -- available links from my sig - download and run in this order --- SUPERAntiSpyware, then Spybot. Make sure with Super you do a full scan, not a quick one.

What AV do you have installed ?

If it's still not going, then run ComboFix (http://www.bleepingcomputer.com/combofix/how-to-use-combofix); the download links are under the title of Using ComboFix.

Two warnings -- under NO circumstances stop it once you start, it can cause problems if you do.

Second -- On the rare occasion it will make the system worse - hence the suggestion to try the other antimalware programs first.

Finally what's the OS ???? ----- the TCP/IP stack may need to be rebuilt, or it may need a repair install, or a full reinstall.

23-10-2011, 07:08 PM
Thanks Wainui, I've followed your suggestions but unfortunately no luck. The good news is the laptop is running well and all of the data is there. Just will not connect to the net.

I think it's a TCP/IP problem although Fix It should have solved that.

I'm probably at the point where I'll have to take it to an expert.

23-10-2011, 07:15 PM
Not just yet -- rebuilding the TCP/IP stack may fix it ---- What's the OS ???

Also look under Internet Options (in Control Panel) / Connections tab, LAN settings - make sure Proxy Server is NOT ticked.

23-10-2011, 07:22 PM
Open command prompt and type in - netsh winsock reset catalog
Enter and you should get a message saying it was successful
Restart the computer.

23-10-2011, 07:30 PM
Open command prompt and type in - netsh winsock reset catalog
Enter and you should get a message saying it was successful
Restart the computer.

That's only half the fix; to rebuild it fully it's (assuming it's Windows 7):
Winsock entries tell Windows 7 how to access your network services. Additionally, your TCP/IP protocol can be corrupted. The TCP/IP protocol is a stack of 4 layers that includes several transport layers, but when this stack is corrupt you will constantly have connectivity issues.

netsh int ip reset reset.log

Check the setting I mentioned previously first, under Internet Connections; from memory it often does tick "use proxy server", which will stuff things up.

23-10-2011, 07:42 PM
netsh winsock reset catalog is the fix for corrupted winsock files, which 9 times out of 10 is the problem, especially after running all those spyware removal programs.
netsh int ip reset reset.log resets the TCP/IP
No harm doing both at the same time though while the command prompt is open.

23-10-2011, 08:05 PM
Completely true :)

Some of those infections change the proxy setting as well, so hopefully one of the fixes will sort it.
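The two things the posts above tell the original poster to look at (a proxy server ticked under Internet Options, and a Winsock catalog left broken after the malware's removal) can be checked before running the netsh resets. The script below is an added example, not code from the thread or from any of the tools mentioned in it. It works offline on text captured from two stock Windows commands, `netsh winsock show catalog` and `reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings"`; both samples here are constructed, the catalog output is abridged to the fields the check reads, and the "provider DLL should live under %SystemRoot%\system32" rule is an assumption of the example rather than anything Windows enforces.

```python
"""Triage the two post-infection symptoms the thread keeps returning to: a
proxy server silently ticked under Internet Options, and a damaged Winsock
catalog. Added example, not from the thread; it works offline on captured
command output rather than on the live registry or catalog."""
import re

# Constructed sample of `netsh winsock show catalog` output, abridged to the
# fields the check reads. Two Microsoft base providers, then a layered provider
# whose DLL sits outside %SystemRoot%\system32 (the shape an injected LSP has).
SAMPLE_CATALOG = """\
Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Base Service Provider
Description:                        MSAFD Tcpip [TCP/IP]
Provider Path:                      %SystemRoot%\\system32\\mswsock.dll
Catalog Entry ID:                   1001
Protocol Chain Length:              1

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Base Service Provider
Description:                        MSAFD Tcpip [UDP/IP]
Provider Path:                      %SystemRoot%\\system32\\mswsock.dll
Catalog Entry ID:                   1002
Protocol Chain Length:              1

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Service Provider
Description:                        Example LSP over [TCP/IP]
Provider Path:                      C:\\Documents and Settings\\All Users\\Application Data\\example\\lsphook.dll
Catalog Entry ID:                   1003
Protocol Chain Length:              2
"""

# Constructed sample of `reg query` on the Internet Settings key.
SAMPLE_REG_QUERY = """\

HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings
    ProxyEnable    REG_DWORD    0x1
    ProxyServer    REG_SZ    http=127.0.0.1:50370
    AutoConfigURL    REG_SZ    http://example.invalid/proxy.pac
"""

ENTRY_SPLIT = re.compile(r"Winsock Catalog Provider Entry\s*\n-+\n")
FIELD = re.compile(r"^([A-Za-z ]+?):\s+(.*\S)\s*$")
# Assumption for the example: a stock provider loads from %SystemRoot%\system32.
TRUSTED_PATH = re.compile(r"^(%SystemRoot%|C:\\Windows)\\system32\\[^\\]+\.dll$", re.IGNORECASE)


def parse_winsock_catalog(text):
    """Split `netsh winsock show catalog` output into one {field: value} dict per entry."""
    entries = []
    for block in ENTRY_SPLIT.split(text):
        fields = {}
        for line in block.splitlines():
            m = FIELD.match(line)
            if m:
                fields[m.group(1)] = m.group(2)
        if fields:
            entries.append(fields)
    return entries


def suspicious_providers(entries):
    """Entries whose provider DLL is not a file under %SystemRoot%\\system32.

    A provider left pointing at a removed or non-system DLL is what
    `netsh winsock reset catalog` clears; this only reports, it changes nothing.
    """
    return [e for e in entries if not TRUSTED_PATH.match(e.get("Provider Path", ""))]


def parse_reg_query(text):
    """Parse `reg query` value lines into {name: (type, data)}."""
    values = {}
    for line in text.splitlines():
        m = re.match(r"^\s+(\S+)\s+(REG_[A-Z_]+)\s+(.*)$", line)
        if m:
            values[m.group(1)] = (m.group(2), m.group(3).strip())
    return values


def proxy_findings(values):
    """Describe proxy settings that would stop a browser reaching the internet."""
    findings = []
    enable = values.get("ProxyEnable", ("REG_DWORD", "0x0"))[1]
    if int(enable, 16) != 0:
        server = values.get("ProxyServer", ("REG_SZ", "<none>"))[1]
        findings.append("'Use a proxy server' is ticked (ProxyEnable=%s, ProxyServer=%s)" % (enable, server))
    pac = values.get("AutoConfigURL", ("REG_SZ", ""))[1]
    if pac:
        findings.append("automatic configuration script set: %s (applies even with ProxyEnable off)" % pac)
    return findings


if __name__ == "__main__":
    for e in suspicious_providers(parse_winsock_catalog(SAMPLE_CATALOG)):
        print("suspicious Winsock entry %s: %s -> %s" % (e["Catalog Entry ID"], e["Description"], e["Provider Path"]))
    for f in proxy_findings(parse_reg_query(SAMPLE_REG_QUERY)):
        print("proxy:", f)
```

Run the two commands on the affected machine (Safe Mode with Command Prompt is enough), save their output to text files, and pass the contents to `parse_winsock_catalog` and `parse_reg_query`. A flagged catalog entry is the case `netsh winsock reset catalog` exists for; a flagged proxy value is the LAN settings box Wainui describes, and the AutoConfigURL line is included because a proxy set through an automatic configuration script is not visible from the ProxyEnable tick alone.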

23-10-2011, 08:44 PM
Apologies, thought I'd posted OS earlier: Windows XP professional

I'll do as you suggest but right now am watching the Cup. Go Blu..er Noirs!!

23-10-2011, 09:12 PM
I can not understand why people do not make an Image of their systems. If I ever have a similar problem I just restore from the Image. Only takes as long as a cup of Coffee to do!

23-10-2011, 11:37 PM
I encountered that a couple of days ago. It uses an MBR rootkit to restore itself. Need to boot into the Recovery Console from a Windows CD & run fixmbr, then clean out the virus in Safe Mode.

I was reading an interesting article today talking about the changes ESET have discovered in what I assume is a version of the same virus. If the boot drive doesn't already have 4 primary partitions, it creates a hidden boot partition at the end of the disk & sets it as the active partition so it has the same effect as an MBR rootkit, but without modifying the MBR.
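The hidden-partition variant described in that post is something you can check for from a dump of the disk's first sector, since the partition table (and the active flag) lives in the MBR even when the boot code has not been touched. The script below is an added example, not code from the thread or from ESET's write-up. It builds two constructed MBR sectors, a normal single-partition Windows layout and the same layout with a small partition appended and marked active, then parses the partition table and flags an active partition that is both last on disk and tiny. The 64 MiB threshold and the partition type byte used for the appended partition are assumptions of the example.

```python
"""Inspect an MBR partition table for the 'hidden active partition' variant
described above: the MBR code is untouched, but a small extra partition at the
end of the disk is marked active so it gets control before Windows.

Added example, not from the thread or from ESET's analysis. The two sectors are
constructed: the boot-code area is zeroed and only the 64-byte partition table
and the 0xAA55 signature are meaningful."""
import struct

SECTOR_SIZE = 512
TABLE_OFFSET = 446           # partition table follows 446 bytes of boot code
ENTRY_FMT = "<B3sB3sII"      # flag, CHS start, type, CHS end, LBA start, sector count
ENTRY_SIZE = struct.calcsize(ENTRY_FMT)   # 16 bytes per entry
BOOT_SIGNATURE = 0xAA55
ACTIVE_FLAG = 0x80


def build_entry(active, ptype, lba_start, sectors):
    """One 16-byte partition entry; CHS fields zeroed since the checks use LBA."""
    flag = ACTIVE_FLAG if active else 0x00
    return struct.pack(ENTRY_FMT, flag, b"\0\0\0", ptype, b"\0\0\0", lba_start, sectors)


def build_sector(entries):
    """Assemble a 512-byte MBR from up to four entries (unused slots zeroed)."""
    table = b"".join(entries) + b"\0" * (ENTRY_SIZE * (4 - len(entries)))
    return b"\0" * TABLE_OFFSET + table + struct.pack("<H", BOOT_SIGNATURE)


# Constructed layouts for a 512-byte-sector disk.
NTFS = 0x07
WINDOWS_PART = (NTFS, 63, 41_942_977)          # ~20 GiB, XP-style start at sector 63
CLEAN_SECTOR = build_sector([build_entry(True, *WINDOWS_PART)])
SUSPECT_SECTOR = build_sector([
    build_entry(False, *WINDOWS_PART),                  # Windows partition, no longer active
    build_entry(True, NTFS, 63 + 41_942_977, 16_384),   # 8 MiB appended and made active
])


def parse_mbr(sector):
    """Return the non-empty partition entries as dicts; reject anything without the MBR signature."""
    if len(sector) != SECTOR_SIZE or struct.unpack_from("<H", sector, 510)[0] != BOOT_SIGNATURE:
        raise ValueError("not a 512-byte sector with an MBR signature")
    parts = []
    for i in range(4):
        flag, _, ptype, _, start, count = struct.unpack_from(ENTRY_FMT, sector, TABLE_OFFSET + i * ENTRY_SIZE)
        if ptype == 0:
            continue                                    # empty slot
        parts.append({"slot": i, "active": flag == ACTIVE_FLAG, "type": ptype,
                      "start": start, "sectors": count})
    return parts


def hidden_boot_findings(parts, small_mib=64):
    """Flag an active partition that is both the last on the disk and suspiciously small.

    The threshold is an assumption for the example: OS partitions are GiB-sized,
    a partition that only has to hold boot code needs a few MiB.
    """
    findings = []
    active = [p for p in parts if p["active"]]
    if len(active) != 1:
        findings.append("%d active partitions (expected exactly 1)" % len(active))
    if not parts:
        return findings
    last = max(parts, key=lambda p: p["start"])
    for p in active:
        mib = p["sectors"] * SECTOR_SIZE // (1024 * 1024)
        if p is last and len(parts) > 1 and mib <= small_mib:
            findings.append("active slot %d is the last partition on disk and only %d MiB (LBA %d, %d sectors)"
                            % (p["slot"], mib, p["start"], p["sectors"]))
    return findings


if __name__ == "__main__":
    for name, sector in (("clean", CLEAN_SECTOR), ("suspect", SUSPECT_SECTOR)):
        print(name, hidden_boot_findings(parse_mbr(sector)) or ["no findings"])
```

Feed `parse_mbr` the first 512 bytes of the physical disk (a sector dump from a disk imager or a boot CD, since reading it from the running OS is platform-specific). One point worth knowing when following the fixmbr advice: fixmbr rewrites the boot code only and leaves the partition table alone, so it would undo the classic MBR-rootkit variant but not this one; here the active flag has to be moved back to the Windows partition and the extra partition removed.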

23-10-2011, 11:45 PM
Feeling a bit wrung out after that match. Got to admire the French for playing out of their socks. It's a relief the All Blacks won and the emotion displayed by them afterwards was heart warming.

So on with the problem. I have run the two command lines and restarted but still no connection. Ping and ipconfig do not show anything being sent or received. I've tried the network diagnostics which says there is a winsock problem which will be reset. But no dice.

24-10-2011, 12:27 AM
Did you access the recovery console through a windows install CD? If you don't boot from CD, the computer boots the virus, then the virus boots windows.

The game was a lot closer than I expected. France really stepped it up a notch for the final & we were still worn down from beating Aussie.

24-10-2011, 02:45 AM
No, this is one of those pcs with Windows on a partition. No discs.

Yes I think the ABs were stuffed after the remarkable effort against the Aussies. Still a win is a win. :D

24-10-2011, 09:36 AM
Try WinsockFix (http://www.softpedia.com/dyn-postdownload.php?p=15337&t=4&i=1)

24-10-2011, 10:08 PM
No further progress unfortunately.

I ran Superantispyware again, then Combofix in Safe Mode which did find a rootkit problem (not that I understand that). I've run Combo again and then WinsockFix but still cannot connect. The taskbar icons detect a connection (wired and wireless) but cannot connect.

Combofix said the Microsoft Recovery Console (or something like that) was not installed or not up to date. Odd because the pc generally updates automatically all the time.

I'm running MSSE and Windows Defender, plus I use Advanced SystemCare 4 which has proven to be reliable.

Speedy Gonzales
24-10-2011, 10:19 PM
Try Trojan Remover, update it, then scan. Then select all the options under Utils, so it'll reset everything. I would also disable System Restore if it's still enabled.

25-10-2011, 08:09 PM
What version of windows are you running?

26-10-2011, 01:50 PM
Windows XP.

I'm about ready to take it to an expert. However out of curiosity, what is a Windows Repair? Is it beyond my pretty basic knowledge? I do not have an XP disc because it's on a partition, and don't recall ever seeing a key.

26-10-2011, 02:37 PM
If you are meaning a Windows Repair install, in its real basic form, it replaces all the Windows main system/operating files, leaving all your data and programs intact. Sometimes this works for whatever is causing problems, other times it can actually make things worse or have no effect at all.

Taking it to someone (a tech, so-called expert) is sometimes the best bet; while lots of help is offered here, sometimes it's simply a lot easier to have a problem PC in front of you to sort out its problem. There've been many times over the years I have gone to people's places, seen the problems, and known what is required, simply because it can be seen.

I get this all the time -- some people know a little bit and actually can cause more problems than they fix. Like at the moment, got 2 Vista Computers with screwed OS's -- someone who "knows all about computers" ;) had to fiddle -- now both require a full reinstall from scratch.

26-10-2011, 02:54 PM
LOL Wainui, yes well said. A little knowledge can be a dangerous thing. :D That's why I am only looking for advice and directions to go in. At least I understand the problem in a rudimentary way.

Speedy Gonzales
26-10-2011, 03:33 PM
Put teamviewer on it and I'll check it

26-10-2011, 06:26 PM
Put teamviewer on it and I'll check it
That may be a little difficult with broken networking.

Speedy Gonzales
26-10-2011, 07:20 PM
Have you tried safe mode / networking, to see if it works?

26-10-2011, 08:49 PM
I talked to another tech about this who deals with infections a lot more than I do & it would seem what I encountered was not the real deal - what you have inserts itself in the TCP/IP stack & completely borks it as well as installing an MBR trojan. Even a Windows repair didn't fix it.

26-10-2011, 09:22 PM
what you have inserts itself in the TCP/IP stack & completely borks it
That's why I suggested rebuilding it, BUT sometimes that doesn't work either.

These days if things start going wrong I'll save all the data if I haven't done so already, wipe the drive and reinstall.

Had to do that the other day, spent 1 1/2 days trying to fix a PC, got it going, all appeared to be running sweet after removing the infections, and even a repair install, humming along very nicely, then all of a sudden out of the blue -- bam-- crashed again :badpc: < insert plenty of swear words > :D, reinstalled it and now its going fine.

26-10-2011, 10:08 PM
Most of the scans and Winsock Fix etc I've tried have been in Safe Mode.

ComboFix is scarily deep and did find and remove a rootkit. Second scan found nothing which should be good news but still no connection.

I have to thank all of you for your patience and help. This will be the first time in 10 years I've encountered a completely insoluble problem - usually PF1 wins every time. Indeed I've solved problems that even techs haven't known about through the help on this valuable forum.

Wainui mentioned having the pc in front of you which made me chuckle: recently on the same laptop I suddenly lost wireless access. Repaired the connection, fiddled with hardware settings, tried to ping the router, all to no avail. Googled on another pc and found pages of suggestions to read until eventually I chanced upon one small comment...check the wireless switch. What switch??? Ohhh...you mean that wee blue light on the keyboard? Duh thud!

Speedy Gonzales
26-10-2011, 10:14 PM
Run this on it (http://www.tweaking.com/content/page/windows_repair_all_in_one.html)

28-10-2011, 05:16 PM
Thanks Speedy, that Windows Repair is impressive. Sadly it didn't work but that's life.

I've taken this laptop to Jensen Technical Services here in Invercargill, whom I've dealt with for years. They are good guy geeks. As suspected, they've seen this before but couldn't cure the problem (which I think was a blow to their pride :D) and are doing a complete reinstall.

Thank you everyone for all your help.

28-10-2011, 10:31 PM
Thanks for the update.

Sometimes "When infections attack" ( almost a movie title there :D ) the only option is to wipe drive, and reinstall again from fresh.