Got the S.M.A.R.T. virus, not so smart on my part

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by jimpeel, May 10, 2012.

  1. jimpeel

    jimpeel Sergeant

    Okay, I got it. I was also able to get rid of it for the most part.

    I already know about READ & RUN ME FIRST Malware Removal Guide (incl. spyware, virus, trojan, hijacker) so that is not my problem.

    What I want to do is to get to the system restore to restore the unit back to a date before this debacle. Unfortunately, it seems to have disabled this function. :cry My question is "Is there any way to get to the system restore using other means besides selecting it on the infected unit?"

    My D: drive is the restore drive. Do I have to do anything to that drive to get the system restore to recognize it; or am I just screwed and all of the info is likely gone forever?

    Any help would be appreciated.

    j
     
  2. jimpeel

    jimpeel Sergeant

    I get the message "System Restore is not able to protect your computer. Please restart your computer, and then run System Restore again." when I try to use System Restore.

    I went to Start>Control Panel>System>System Restore and the drives are checked and "Turn off System restore on all drives" is not checked.

    I went to Start>Control Panel>Administrative Tools>Services>System Restore Service and it is stopped. When I tried to force a start, it said "Could not start the System Restore service service on Local Computer. Error 5: Access is denied."

    Went to Start>Run>msconfig>Services and it shows the service is stopped. The service is checked.

    I tried the tweak at THIS SITE #289 to no avail. The service still will not start and access is denied.

    There is a file rstrui.exe which is mentioned in the registry. It was mentioned at one site that if this is corrupted it will make the registry not work. The one I have on my unit that is in c:\Windows\System 32\Restore is dated prior to the infection (2008). The one in c:\I386 is dated from 2004. I have done nothing to this file.

    Is there something that I am missing or something that needs to be set in the registry or elsewhere that will allow me to access the System Restore?

    Should I set the Start>Control Panel>Administrative Tools>Services>System Restore Service>Log On to "This Account" with my password?
     
  3. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

  4. jimpeel

    jimpeel Sergeant

    I can do that but they need to be remade. I was able to restore the registry to an earlier date and everything is back to normal except the System Restore. This thing was a mess.

    Will get back to you.
     
  5. jimpeel

    jimpeel Sergeant

    Problem: I cannot uninstall Java 6 Update 29. It says the resource is unavailable. When trying to install the latest version it pukes because it cannot uninstall Java 6 Update 29. Catch 22.

    I was able to install Java 7 Update 4 from the Java webpage but not the file jre-6u32-windows-i586.exe which I was instructed to download, save, and install after all other versions were removed.
     
    Last edited: May 11, 2012
  6. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    TimW is away for a few days. Just post the logs when you are able to please.
     
  7. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    As you said in PM, if something does not work, just continue on with the next step.
     
  8. jimpeel

    jimpeel Sergeant

    I've kinda just given up on this. The fixes aren't running.

    MalwareBytes found problems and I clicked the fix button but it didn't save a log and there is no Logs folder.

    SuperAntiSpyware didn't make any logs either.

    ComboFix detects Avira Antivir is running on the system when Avira does not exist anywhere on my computer. I ran it anyway and after 25 hours it had done nothing at all. It did mirror my C:\ tree structure over, and over, and over under a folder called 32788R22FWJFW over, and over, and over. I stopped when I opened 42 iterations. They seem to be infinite. I don't know what will happen if I delete any of them. It also says that I do not have MS Restore Console loaded on this computer but it is there. I loaded it myself.

    RootRepeal will not extract to my desktop or anywhere else on my computer so it is impossible to run it. God knows what it would do if I was able to run it.

    My audio card no longer works.

    System restore doesn't work.

    I can't get back to where I started. The damage has compounded with every attempt to fix this mess.

    I was able to get a log file with MGTools. I am attaching it. As for the rest <shrug>.
     

  9. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Did you set this proxy yourself?


    Download and run OTM.

    Download OTM by Old Timer and save it to your Desktop.

    • Right-click OTM.exe And select " Run as administrator " to run it.
    • Paste the following code into the Paste List of Files/Folders to Move area. Do not include the word Code.
    Code:
    :reg
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
    "SearchSettings"=
    
    :files
    C:\WINDOWS\system32\REN1C.tmp
    C:\WINDOWS\system32\REN1D.tmp
    C:\WINDOWS\system32\REN20.tmp
    C:\WINDOWS\system32\REN21.tmp
    C:\WINDOWS\system32\REN22.tmp
    C:\WINDOWS\system32\REND3.tmp
    C:\WINDOWS\system32\REND4.tmp
    C:\WINDOWS\system32\REND5.tmp
    C:\Program Files\Common Files\Spigot
    
    :Commands
    [emptytemp]
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Push the large MoveIt! button.
    • OTM may ask to reboot the machine. Please do so if asked.
    • Copy everything in the Results window (under the green bar), and paste it into notepad, save it as something appropriate and attach it into your next reply.

    NOTE: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and attach the contents of that document back here in your next post.


    Please attach these logs.
    • C:\Documents and Settings\Ray\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-2012-05-09 (23-00-31).txt
    • C:\Documents and Settings\Ray\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-2012-05-11 (09-10-41).txt

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista or Windows7) Then attach the new C:\MGlogs.zip file that will be created by running this.
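    As an added example (not from the thread, from OTM or from MajorGeeks), the read-only PowerShell audit below lets a helper verify, before and after the OTM run, the same Run value, temp files and folder the script above targets, the state of the System Restore service the poster could not start, and the proxy setting asked about in this post. It assumes the Windows XP paths as listed, the service name srservice, and that nothing on the machine is to be changed.

```powershell
# Added example, not the thread's or OTM's code. Read-only audit; run elevated.
$runKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$tmpFiles = @(
    'C:\WINDOWS\system32\REN1C.tmp', 'C:\WINDOWS\system32\REN1D.tmp',
    'C:\WINDOWS\system32\REN20.tmp', 'C:\WINDOWS\system32\REN21.tmp',
    'C:\WINDOWS\system32\REN22.tmp', 'C:\WINDOWS\system32\REND3.tmp',
    'C:\WINDOWS\system32\REND4.tmp', 'C:\WINDOWS\system32\REND5.tmp'
)
$spigotDir = 'C:\Program Files\Common Files\Spigot'

# 1. Autostart entries: list every value under Run and flag the one the
#    OTM script removes, so the before/after difference is visible.
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run) {
    $run.PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |
        ForEach-Object {
            $flag = if ($_.Name -eq 'SearchSettings') { ' <-- targeted by OTM script' } else { '' }
            "Run: {0} = {1}{2}" -f $_.Name, $_.Value, $flag
        }
}

# 2. Files and folder named in the :files section: still present or gone?
foreach ($p in ($tmpFiles + $spigotDir)) {
    $state = if (Test-Path -LiteralPath $p) { 'PRESENT' } else { 'absent' }
    "{0,-8} {1}" -f $state, $p
}

# 3. System Restore service (srservice on XP) and the policy values that
#    switch System Restore off; a DisableSR of 1 means it is disabled by policy.
$svc = Get-WmiObject -Class Win32_Service -Filter "Name='srservice'"
if ($svc) { "srservice: State={0} StartMode={1}" -f $svc.State, $svc.StartMode }
else      { 'srservice: not found (not Windows XP?)' }
$pol = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore' `
                        -ErrorAction SilentlyContinue
"SystemRestore policy: DisableSR={0} DisableConfig={1}" -f $pol.DisableSR, $pol.DisableConfig

# 4. The proxy question: current user's WinINet proxy setting.
$inet = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
"Proxy: enabled={0} server={1}" -f $inet.ProxyEnable, $inet.ProxyServer
```

Empty values in the policy and proxy lines simply mean the key or value does not exist, which is the expected state on a machine where neither has been set.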
     
  10. jimpeel

    jimpeel Sergeant

    The proxy was mine. It is a leftover from the old Guidescope add-on which was a pop-up suppression program. That program is now defunct although a WEBPAGE still exists which now merely directs previous users to use Firefox with the AdBlockPlus plugin. The remnants of the program, blocklists, etc. are still on my unit but the .exe program file is gone. The shortcut is still on the unit but all of the Guidescope files will be deleted after tonight.

    Should I edit the registry to remove the proxy?

    Which begs the question ... is it possible that ComboFix is seeing remnants of Avira in the registry and that is why it pukes?

    Found the MalwareBytes files. There is one from 5-9-12 which is the day after I caught this bug. I ran it then. I am attaching both.
     

    Attached Files:

  11. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Not a topic for the malware forum, I'm afraid.


    1. Turn OFF System Restore.
    On the Desktop, right-click My Computer.
    Click Properties.
    Click the System Restore tab.
    Check Turn off System Restore.
    Click Apply, and then click OK.
    2. Reboot.
    3. Turn ON System Restore.
    On the Desktop, right-click My Computer.
    Click Properties.
    Click the System Restore tab.
    UN-Check Turn off System Restore.
    Click Apply, and then click OK.

    Has that helped?
     
  12. jimpeel

    jimpeel Sergeant

    Merely a lamentation of the result of this virus.

    This is actually what I was trying to avoid. When I do this all of the previous restore points -- which are invaluable to my getting back to square one -- will be deleted and will no longer be usable. I have been leaning toward doing this; but I have avoided doing so in the hope that there might come some way of using them through some type of computer trickery and sleight-of-hand.

    Any chances at all of that happening? Ever? Perhaps? Mayhaps?
     
  13. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    No need to be sarcastic. And don't say you are not being sarcastic because you are. I KNOW you are frustrated. I do not know why you would want to use any of those old restore points because for one they could be infected.

    It might be, but it's STILL not a topic for this forum, as I said already.

    Do you wish to try the below or are you determined to keep old restore points?

    Quickly reset all the System Restore points (Windows XP)
     
  14. jimpeel

    jimpeel Sergeant

    It was my cutesy way of hoping it might be possible, a hope which has now been dashed completely. I will reset the restore function.

    Thank you for all of your assistance. I hope your issues you mentioned in the PM had a positive outcome.
     
  15. jimpeel

    jimpeel Sergeant

    I tried both methods of killing the restore points; but I got the message "System Restore encountered an error trying to enable/disable one or more drives. Please restart your machine and try again."

    I rebooted and tried again with the same result.

    I have tried disabling each individual drive but got the same message for every one (D:, E:, F: ).

    The C: drive gave the message "XP (C: ) is the system drive. You cannot turn off System Restore on this drive without turning it off on all drives. ..."

    I then rebooted into Safe Mode as System Administrator and tried both methods again. The result was the same.
     
  16. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    OK, I am sorry, but I really think you will be better off posting in software forum regarding any remaining issues now. I am not seeing any malware in those logs.

    Do you happen to have your Win XP boot CD?
     
  17. jimpeel

    jimpeel Sergeant

    I solved the audio problem. It was the USB port that the audio device was attached to.

    That is always an ominous question. I have a boot disk. The unit originally came with Vista as the primary OS but my father-in-law had a legal copy of XP installed. He bought and downloaded it from the Internet. Vista is the secondary OS now.

    The XP copy I have is a Bittorrent download I used to recover a friend's unit. There was no way to get to the shadow copy of the OS restore partition so I loaded this copy and then reloaded the legal shadow copy from the HDD restore partition.
     
  18. jimpeel

    jimpeel Sergeant

    By the by, should I now reinstall Avira AntiVir antivirus? Right now I have no AV program installed.
     
  19. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Yes, go ahead. :)

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required.
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
     
  20. jimpeel

    jimpeel Sergeant

    All of that went smoothly with the exception of ComboFix, which never loaded, and System restore.

    You asked about the Win XP boot CD. Is there a way to non-destructively get the System Restore working again using the CD?
     
  21. jimpeel

    jimpeel Sergeant

    Actually, it would be better if I start a thread in another forum. Thanks for everything.

    j
     
  22. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Yes those software related questions will be better off addressed in another forum. :)
     
  23. jimpeel

    jimpeel Sergeant

    Thanks again for all of your help.

    PROBLEM SOLVED
     
    Last edited by a moderator: May 18, 2012
