Help with Windows Restore Virus on Win 7

Hello, I'm a newbie at this forum, but I suddenly encountered the windows restore virus earlier today. Upon seeing messages of hard drive failure, I contacted Dell (still in Warranty) and the chap, after much ado, indicated that it truly was a hardware failure, despite my initial description of Mcafee catching and disabling a trojan just prior to failure. After this diagnoses (and the possible loss of a lot of data), I started surfing and came upon a couple of sites that described this virus--exactly what i saw. The first site on Youtube showed how to remove the virus--which I did (involving deleting some files with strange names). Afterwards, I saw your threads and decided to follow your instructions (with the exception of two steps). I tried to follow closely all of the instructions in READ & RUN...The only steps that I had trouble with were Combofix--when I tried to install it(after disabling Mcafee), I got a message that the program was not for Win 7, so I skipped it. The other step was one that I forgot--I forgot to disable CD Emulation using Defrogger.
I was able to run successfully (at least to me) SuperAntiSpyware, Malwarebytes, and MGTOOLS (seemed a bunch of errors in MGTOOLS).
SuperAnti---found 4 instances of a virus and 360+ cookies--I quarantined them. Malware... didn't find anything and MGTOOLS went to the indicated end. I will tag the log files for the 3 programs I ran. I also Toggled system restore. Several Questions:

1) I seem to have successfully gotten rid of the virus. However, there are a bunch of programs on the Start menu - Programs that Indicate empty files--however I can call up the program--ie, Microsoft Word--I can't see the program, but when I click on a doc file, it opens up in word... I also ran Unhide but this didn't help.

2) Several directories are protected from me--I cannot get into them even when logged in as an Administrator---I fear the virus screwed around with protections. Is there any way to run a system restore to say 1 month ago--would that help?

3) Finally, When I toggled System Restore, I saw the C drive and a Recovery Partition--I clicked on that and it was already toggled off. After rebooting, I restored the use of system restore to that partition. Was that correct or should I have designated the C: drive?

I'm sorry that this is long and didn't follow completely your instructions. Any guidance to my cleanup problems would be welcomed. I'm seriously considering backing up all of my data and reinitializing the whole system--it is only one year old and not much was on it. I'd prefer not to, given i would lose some programs...

Thanks for your help. Regards, Eric L.

 

Hi TimW,

Sorry it took a couple of days to respond, but I tried to follow your instructions:

1) When I clicked on your Avenger link (after allowing download to my system), I got a blank screen. I then googled the avenger by swandog469 website and downloaded it directly from there.

2) I then ran analyse and looked for the line you wrote out--with
reference to UYhaQsSEGdkYay but it was not there--i searched thoroughly.

3) I exited HJT and then created fixme.reg and ran it successfully. it added the script to the registry.

4) Then ran Avenger and copied and executed the script u wrote. It ran successfully and asked for a reboot. Upon reboot, i searched the entire c drive for avenger.txt and couldn't find it. it was not in the root directory.
NOTE-- my Mcafee software popped up and said they had removed a trojan.

5) I the ran getlogs.bat and created the mglogs.zip. I have enclosed.

6) I don't seem to have the virus. However, as before, a lot of programs on the start menu show as empty (although I can run them by clicking on a file with correct extension. I have unhidden everything i can. My last resort is that Dell is coming with a new hard drive with a factory image and i will start over, having backed up all files. Only thing is I must reinstall the programs that I added to this machine. Not so worried about doing this, but it is a pain. Have others experienced the same degradation in accessing programs?

Regards, Eric L.

 

Hi TimW,

I performed the following steps:

1) I ran Unhide (actually ended up running it 2). I did notice that some programs ended up on my desktop--they had been there before the virus and then had disappeared.

2) I then ran OTM as suggested. I did not get to copy the results before the reboot and cannot find them. I have attached the log and the mgtools log.

3) Upon reboot, 2 things (possibly unrelated) were noticed: When I clicked on Explorer on my toolbar, came back with a message that program had been removed and asked me if i wanted to remove it?? I pressed no, but the icon on the toolbar then disappeared. Also, noticed a message from Malwarebytes that something from Skype had been blocked --is it possible that this was the original source of the Malware? I don't remember seeing such a message from Macafee.

4) Although I can pretty much run the programs on my pc, when i click on Start>All programs--when i click on numerous programs previously installed, they are indicated as EMPTY. Programs (such as Malwarebytes and SuperAntispyware ) that were installed after ridding myself of the virus are ok and visible. My best bet is a reinstall--that is going to be done today. I sincerely thank you for your efforts--I hope that some of the information I've given u helps in diagnosis for others.

Regards,

eric l.