After clicking “something”, the fake software installed itself, and then dialog boxes and windows kept coming again and again. Clicking any program produced that window, saying that the computer was infected and destroyed and that I should run the program named “Windows Restore”. The horrible warning window came non-stop. It disabled Task Manager and hid all programs and files. My favorite tool, Malwarebytes Antimalware, couldn’t run. From experience, I didn’t click the “Cancel” button, but clicked the cross sign in the top-right corner.
These are the steps I took to solve the problem:
- Using HijackThis, I found two .exe files of the virus. They were in C:\Documents and Settings\All Users\Application Data\Microsoft; I couldn’t easily delete them. I used Unlocker to delete them (deleted after reboot).
- After the reboot, the “Windows Restore” windows didn’t come up anymore, but all files & programs were still hidden. After startup, an error message came up saying it failed to find C:\WINDOWS\iS-2REFT.exe. The computer couldn’t shut down; it hung at “Windows is shutting down”.
- At that point, I could run Malwarebytes, so I ran a full scan. It caught 9 infected registry entries and files. But it didn’t solve the symptoms: all files on the desktop were hidden. Finally, I changed the attributes of the files manually.
- Symantec Endpoint AV caught Bloodhound.MalPE; after it was quarantined, the next day it caught it again.
- I downloaded and installed the newest version of CCleaner and cleaned files and the registry. The registry cleaning solved the error message at startup. But suddenly, I couldn’t open Add/Remove Software.
- I ran Malwarebytes once more; this time it repaired the registry to enable Task Manager.
- For the shutdown problem, I solved it using Regedit (Start -> Run -> Regedit), then searched the registry (using menu Edit -> Find) for “WaitToKill” and set the value to 2000 (originally 20000).
- Finally, I chose “Turn off System Restore”. This is set by right-clicking “My Computer”, clicking Properties, then the “System Restore” tab.
After those steps, the computer works normally and Symantec Endpoint finds no virus anymore. I will come back after several days to turn System Restore back on if there are no more problems.
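
The post does not say how the hidden files were un-hidden by hand. As an added example (not from the original post), this PowerShell function clears the Hidden attribute across a folder tree; the function name `Restore-HiddenItems` and the rule of skipping items that are both Hidden and System are assumptions made here, and it requires PowerShell to be installed.

```powershell
# Added example: clear the Hidden attribute on everything under a folder.
# Assumption: items flagged Hidden+System (desktop.ini, Thumbs.db, ...) are
# OS-protected and are left alone unless -IncludeSystem is given.
function Restore-HiddenItems {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [switch]$IncludeSystem
    )
    $hidden  = [int][System.IO.FileAttributes]::Hidden
    $system  = [int][System.IO.FileAttributes]::System
    $changed = 0

    # -Force is required; without it hidden items are not enumerated at all.
    Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $item  = $_
            $attrs = [int]$item.Attributes

            # Not hidden: nothing to do ('return' moves on to the next item).
            if (($attrs -band $hidden) -eq 0) { return }
            # Hidden and System: skip unless explicitly requested.
            if ((($attrs -band $system) -ne 0) -and -not $IncludeSystem) { return }

            # Honors -WhatIf / -Confirm so the change can be previewed first.
            if ($PSCmdlet.ShouldProcess($item.FullName, 'Clear Hidden attribute')) {
                try {
                    # Remove only the Hidden bit; every other attribute is kept.
                    $item.Attributes =
                        [System.IO.FileAttributes]($attrs -band (-bnot $hidden))
                    $changed++
                } catch {
                    Write-Warning "Could not change $($item.FullName): $_"
                }
            }
        }
    Write-Output "$changed item(s) un-hidden under $Path"
}
```

Run it first with `-WhatIf` (for example `Restore-HiddenItems -Path "$env:USERPROFILE\Desktop" -WhatIf`) to list what would change, then again without it once the list looks right.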