"Windows Restore" malware/virus

Hello to all
Running Windows XP Pro SP3 on a woek PC and picked up a beauty called "windows restore"
Can't get to System Restore, ran AVG in "Safe Mode" but it's still with me.
I'm using my laptop now to post this.
Help.
thanks in advance and best regards
Morey G

Hi,

Please download ComboFix from BleepingComputer.com

Alternate link: GeeksToGo.com

Rename ComboFix.exe to commy.exe before you save it to your Desktop

• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools A guide to do this can be found here
  
• Click Start>Run then copy paste the following command into the Run box & click OK "%userprofile%\desktop\commy.exe" /stepdel
  
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console

Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

• Click on Yes, to continue scanning for malware.
  
• When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.
  

i am getting a message to uninstall avg antivirus - "it will be dangerous to contnue uninstall avg or use another tool"
i disabled AVG and i still get this message?
i then ran malwarebytes anitmalware removal which seems to have removed the virus but now i have NOTHING in my programs on the strat menu
i can't find system restore to restore the system.
what a mess!

Hi,

So now nothing works after running malwarebytes? Or just the Start Menu>All Programs is blank?

We need to uninstall AVG for ComboFix to work.

Please download Revo Uninstall from here: Revo Uinstaller

1. Download and run the setup file for Revo Uninstaller.
   
2. Once setup, run Revo Uninstaller.
   
3. Select the following item for removal by clicking on it once.
   
   AVG
   
   
4. Then hit the "Uninstall" button at the top.
   
5. Close Revo Uninstaller.
   

OK - so here's where i'm at now.
i guess the fact that combofix terminated all processes allowed me to run AMB and it appears that it found and removed the virus.
i then found system restore in the sys32 folder, ran it from there, and restored to an earlier point.
it appears that the PC is ok now but my IE Favorites folder is EMPTY.
is there a back-up of that somewhere?
Thanks in advance and regards
mg

Hi,

Can you post the malwarebytes log please? Try running ComboFix once more as well and post that log. We'll deal with the other issue after we confirm the malware is gone. I have a tool in mind that will fix it

i can't locate the AMB log file. when i try to run malwarebytes i get this error message now:
MBAM_ERROR_LOAD_DATABASE(0, 53)

and an IE update - the favorites folder is there, it's got everything in it, but it will not display when i click on "Favorites" on either the start menu OR the Favorites link on the IE toolbar.

Can you open My Computer?

Try navigating to C:\Program Files\Malwarebytes Anti-Malware\Logs

and tell me if the log is there

i looked in the program folder and there is no sub-folder "logs" or any text files anywhere in the ABM folder. i can't recall if it's a ".txt" file extension to do a complete search.

Hmm. Is it at C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\

i used the revo and uninstalled the remanants of the non-fucntioning AMB and ran it again. i still have issues with IE8 and the "Favorites" but for now AMB found 2 issues, i deleted them and here is the log from that scan:
(and thanks!)

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6343

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

4/12/2011 1:35:46 PM
mbam-log-2011-04-12 (13-35-46).txt

Scan type: Quick scan
Objects scanned: 187618
Time elapsed: 22 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer (PUM.Bad.Proxy) -> Value: ProxyServer -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Hi,

This will fix the issue.

• Please download and run UnHide.exe by Grinler.
  
• Once finished let me know how things are running after this.
  

Crush
Thanks! That did it.
IE favorites restored and the system appears to be running malware-free (at the moment, anyway)
Thanks again for all your help and regards
MoreyG

Fantastic. Can you try running ComboFix again. Let's see if it will run this time

Crush
since combofix is pretty invasive, do you think i need to run it?
the pc seems to be running just fine, i did spybot, amb, and avg scans and nothing was detected.
i await your reply and thanks again
morey

I would run ComboFix just to be sure everything is gone, yes