locked
off topic - Malware removes all System Restore points RRS feed

  • General discussion

  • The following is what the malware does:

     

    1. Somehow it gets past McAfee's Firewall and Virus protection.

     

    2. Removes all System Restore points preventing you from going back to a time before the malware was installed.

     

    3. Removes your Desktop images and replaces it with a desktop showing bugs eating your screen until you press a key and then there is a Large message in the center of your desktop Stating:

     

                                 Warning!                            

             Spyware Detected on your Computer    !

        Install an Antivirus or Spyware remover     

                         to clean your computer.              

     

    You can add another desktop image but rebooting returns the images of the bugs and the malware desktop.

     

    4. Installs a program with links taking you to their website to buy there removal software for $49.95. I was able to remove that program and the links.

     

    5. I did a search of and removed all files created just prior to installation of the malware. However, the program to keep changing the desktop images as described in #3 above remains

     

    Other than the above it appears to do no harm. However, without the System Restore points, I know of no way to remove what remains of the malware and restore my original Windows Desktop image so that it is not removed and replaced upon rebooting. My only solution is to format and reinstall Windows XP and my programs. That takes six hours.

     

    Thursday, June 5, 2008 5:03 PM

All replies

  • You can get help with your McAfee product and malware removal here - http://service.mcafee.com/Default.aspx

     

    Tuesday, June 10, 2008 3:55 PM
    Moderator
  • mcafee, norton or avg cannot stop this one and the only fix, is... reformat

    on my personal machines at home, when i see the initial pop up, i use the task manager to shut it down before it installs

    once it places that yellow/blue image on your desktop, its over

     

    can someone just follow the money (the 49.95 they are trying to extort) and shut them down?

     

    i have seen it now twice in my office, and i have concluded that people are hijacking possible landing pages on web servers. it seems to come in from google and yahoo search results pages and i have seen it on myspace pages

    Monday, July 28, 2008 2:23 PM
  • You do NOT need to reformat your system to get rid of this issue. However, you'll need some tools. I'd start off by going to a working non-infected computer and downloading BART (a bootable cd), super antispyware (or adaware and Spybot if you prefer). You'll also need hijack this and I'd suggest CCleaner also.

    Once you have the tools, boot with the CD and check under C:\program files and also C:\windows\system32 folders for odd-named files, you can sort the files by date to show files that have changed since you got the spyware. Also, delete the files inside the temp and temp internet files folders for each user.

    If you are comfortable dabbling in the registry, you can use BART's remote registry to view and modify the registry and removing the most obvious junk that is in the run section under HKLM and/or each user.

    Now, reboot in safe mode and again try to kill as many items by using Hijack this. Hopefully you'll have gotten the bulk of the spyware removed by this point so reboot in standard mode and install Super antispyware, update it, then run it.

     

    Also, on a side-note about the desktop images, often you will need to go to control panel\display and hit the customize desktop button, then web and delete any websites listed.

     

    One last ditch idea if you are simply trying to run windows long enough to back everything up, there are 5 registry items in the C:\windows\repair that you can copy to C:\windows\system32\config (I'd suggest renaming those files here before over-writing them). Even just to do this however, you'll need either the BART CD previously mentioned, a different computer to set this drive as slave, or you'll have to work from XP's recovery console which isn't very friendly.

     

     

    If this is too far above your head, then you might check out one of the many sites that have a free community of spyware experts that are glad to help. Or, you could also take it in to a trusted computer shop to clean it up for you. Most cases you'll be up and running within a day or two without having to reinstall every piece of software you need...

     

    Monday, August 4, 2008 9:25 PM