Windows System Restore Virus

In the past two months I've seen this virus crop up on two completely separate Windows 7 systems, both running the latest updated version of MSE and Windows Update. This virus/trojan/malware is extremely problematic and messes with the system so severely that even after sucessful removal, one needs to clean install Windows to get it back to its native state.

For those of you who haven't yet encountered this virus, it appears to tell you that your hard drive is failing via a fake Windows 7 hard drive failure prompt. Clicking the repair button causes the viruses' program to activate and basically crash your computer and make it unusable (opening many windows, freezing, disable access to explorer, etc). It can be removed by utilizing safe mode and deleting various specific files. However, it makes changes, I'm guessing via the registry to Windows Explorer. It does things like empty your Program Files folder in the start menu as well as other ridiculous things. Removing the virus does not fix the damage already done.

So my question to you guys it, this virus seems to have been around for sometime already and it is extremely effective on systems running W7 with MSE and all the latest updates. Why hasn't Microsoft stopped this virus with some sort of update for Windows and MSE? And how does this virus mainly spread? I was never able to find the source of the virus on both systems. While removal is quite easy, the damage it does is annoying and time consuming to repair. Has anyone else encountered this virus?

Remove System Restore (Uninstall Guide)

 

Most new viruses do similar damages to the system. They spread through Java exploits, most free AV's would let them in without a hint.

I got infected by the Win 7 antivirus infection just by visiting the laptopvideo2go site once. The Java icon appeared in the taskbar, then I noticed the pop from Win7 antivirus. Fortunately running the system restore from the recovery mode saved me.

 

Trojans like this are rewritten and repacked all the time in order to evade detection by AV's.
While some AV's might pick up such a trojan and prevent harm, AV's usually play catch up, hoping to have a signature/detection fast enough to protect the user.
-edit; Read this article for instance for more information on how malware tries to evade AV's; link
First I'd advice to keep all your software up-to-date with a program like Secunia PSI/OSI, to especially have the latest versions of Java and Flash.
Make sure to remove ANY old versions still lingering around, use JavaRa to remove (an) old java version(s); JavaRa link
To completely remove the chance of having such a trojan mess with your OS and files, I'd recommend to browse the web using a program like Sandboxie (aka SBIE).
Sandboxie will contain your browser in a secluded space and thus shield your OS and files; a trojan might popup and try to do it's malicious work but it is inside the shielded sandbox where it can't do any harm.
You can simply close your browser with SBIE (whether it's IE or FF or Chrome) when you see a popup from some fake AV (or any popup you don't trust) and the sandbox will be wiped/emptied, and no harm has been done to your OS/files.
See sig for SBIE link.

 

First off, I wouldn't put any faith in MSE. Yes, I know it's free, it's better than nothing and it's even better than the worst paid anti-malware suites. It's not good enough. I also don't place complete faith in Microsoft's ability to patch new exploits.

Second, any user need to use selective script blocking. Or to put it another way, users need to STOP using IE! I'm talking about using NoScript with Firefox/Seamonkey or Notscripts with Chrome/Chromium. Basically, IE is just fundimentally unsafe.

I'd wager that in both instances, the users in question weren't using browsers with selective script blocking and didn't decent paid internet security suites. Probably IE and MSE?

 

Internet Security Suites are way overrated and unnecessary.
As for MSE, I'm using it myself and hadn't had issues.
Granted, some people did experience an occasional problem, but that was remedied with MSE itself pretty fast once they knew how to approach the issue.

Then again I also use Chrome with adblock... and I have had no need for 'no-script' - because most of the websites I visit actually need them to display properly (otherwise, they go bonkers).

Aside from that, no paid av program or internet security suite will offer 100% protection.
Viruses get updated to exploit variety of safety issues, and as such until the companies making antivirus programs update their database, people are 'in danger' either way.

 

Again, the issue is that Windows PCs still can succumb to malware even with fully patched Windows 7 and fully updated MSE.

First off, "no-script is a Mozilla add-on, not for Chrome. "Notscripts" is the Chrome/Chromium add-on with similar functionality.

The entire point of selective script blocking is that its selective. Perfectly legitimate websites can have scripts from up nearly a dozen different domains, while at most, only one or two need to be enabled to enjoy the full functionality of the site.

No, but it's clear that MSE and other free alternatives, while better than some paid options, are worse than the best paid options.

The real message for posters is to update Windows, use the best Internet Security suite you can afford, and use selective script blocking to protect yourself against the treats that aren't patched by Microsoft or detected by Microsoft's MSE or other security software.

In short, don't place absolute trust in Microsoft. You'd think that would have been universally understood 5 or even 10 years ago, but we're still having to educate Windows users today.

 

Whoever said about placing 'absolute trust' into anything?
And actually, I've seen the so-called 'best paid internet suites' do more damage to the OS than a 'worse' free solution.
Besides, what people will consider 'better' or 'worse' is entirely subjective and individual - because various solutions will work differently for people.

Windows for that matter can be run without an AV of any kind and be virus-free at the same time.
And yes, an OS of any kind with all the latest updates for that matter can succumb to malware (Windows is hardly exclusive to this).

As for 'no-script'... I am aware it's Firefox only, and I was merely writing down my experience with it.

 

I'd say that 'the best security suite one can afford' can actually be had for free.
With options to combine a free AV like MSE, Avast or Panda with a free FW+HIPS like from Online Armor and the free version of Sandboxie, a 'paid-for suite' isn't necessary imo.
With an approach like from Sandboxie, selective script blocking isn't even necessary as all a malicious script can do, is muck about in the sandbox.
I like Noscript though, I use it myself so to be clear, I don't consider selective script blocking bad advice.
Windows 7 itself also offers a plethora of options to secure the OS with integrity levels, UAC levels, Parental Control/SRP, SUA, (EMET) etc. but that's a different story alltogether.

 

The computers that I've run into with this virus were not used by me although they were both using MSE. I've been running MSE on my desktop and notebook without encountering this virus. It's also worth noting that the two of the three computers I have seen with the virus were running FireFox instead of IE. The third one was running IE9 which in my impression was supposed to be a lot safer than older IE's.

I'm guessing this virus spreads through some Java exploit most likely. I'm using Chrome now as my primary browser on all my systems and I have not had any problems. All I use is AdBlock and have not tried any script blocking add-ons for Chrome because they are kinda a pain in the rear every time you visit a new website and have to figure out what scripts from where to block.

I think in the end though anti-virus and anti-malware isn't gonna protect you as well as decent Internet smarts. Of course, the majority of users don't have these and fall victim to lousy and annoying viruses like the system restore virus which requires a full reinstall to fix all the damage, although it doesn't seem to harm user data so it can be recovered before reinstall, it just has to be "unhidden".

 

Not a big surprise. If Microsoft isn't quick or bright enough to have it patched, why would anyone believe that they'd have it in their latest MSE definitions. With MSE, you get what you paid for. Nothing.

That's not proof positive of invulnerability.

Selective script blocking is more of an issue when it comes to unpatched Java exploits than the browser itself. If IE supported selective script blocking, I'd change my advice. As it stands, I'd advise any user to stop using IE9, since the lack of selective script blocking leaves users vulnerable. Moreover, a lot users don't realize that it's important to keep any browser updated.

You just create your whitelist once. Besides, you can always temporarily allow every script on a page. It's not a big deal. It just takes a little more effort.

I think that even novice users can be taught decent habits. The real issue is that we do these people a disservice when we tell that IE 9 is "good enough" and MSE is "good enough." I think all advice should reflect "best practices," not just "good enough."

That's why I advise a selective script blocking add-on in a Mozilla browser or Chrome/Chromium and actually spending money on an Internet Security suite.

I'm not specifically recommending Firefox/Seamonkey with NoScript over Chrome/Chromium with NotScripts. I'm also not advising a specific paid Internet Security suite, mostly because users are better off looking at the annual rankings in Consumer Reports, or doing their own research.

I do advise all users to STOP using Internet Explorer. That bit of advice rang true back in 2004 and its still true to day. MSE is better than nothing and better than the worst paid software, but there are better paid options - and I think it's wrong to think solely in terms of "free."