Fake System Restore Virus
I have had a number of instances of having to remove the virus Fake System Restore (and viruses like it). Here are my notes on removing it.
Overview
The fake System Restore falsely reports a number of system errors, prevents programs from running, redirects internet access via a TDSS infection, and hides files and the desktop.
Methods Tried
AVG Rescue CD - Failed to identify infection
Successful Method - See below
Removal Method
Stage 1 - Collect Virus Removal Tools on an uninfected PC and put on a USB/CD
unhide.exe - Changes the attributes of hidden files so that files and the desktop are shown again
Kaspersky Virus Removal Tool - Rename the downloaded file to iexplore.exe, as the infection blocks most programs from starting
TDSSKiller - You may also need to rename this to iexplore.exe after you have unzipped the file
Malwarebytes - The amazing Malwarebytes
Stage 2 - Start the infected PC in safe mode.
Restart the infected PC and press F8 during boot. Then choose Safe Mode with networking.
Stage 3 - Remove the TDSS infection
Without removing this component you will not be able to proceed.
Run the renamed TDSSKiller. This will scan the PC and remove the TDSS component of the virus.
Once the TDSS component is identified and removed, the rest is plain sailing.
Stage 4 - Remove all components of the virus
Run Kaspersky Virus Removal Tool. This will remove all the active components of the virus.
Stage 5 - Restart PC and restore Desktop and Files
Restart the PC and start in Normal Mode. Your machine should now run, but the desktop will be missing and files and applications will still be hidden.
Run unhide.exe on the PC. This should restore your machine to its original state.
Just to be safe, install Malwarebytes and run a full scan.
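As an added example for the unhide step (this is my own illustration, not unhide.exe and not part of the original notes), the following PowerShell clears the Hidden attribute that the malware sets on user files and folders while leaving items Windows hides by design (AppData, desktop.ini, System-flagged files) alone. It assumes the malware only hid items under the user profiles and the shared Start Menu; run it from an elevated prompt after Stage 4, first with -WhatIf to preview.

```powershell
# Added example, not unhide.exe: clear the Hidden attribute the fake AV sets on
# user files and folders while leaving items Windows hides on purpose untouched.
# Assumptions: the malware only hid items under the user profiles and the shared
# Start Menu; run from an elevated PowerShell prompt after Stage 4.

# Names Windows keeps hidden in a profile by design; never unhide these.
$script:KeepHidden = @('AppData', 'ntuser.dat', 'ntuser.ini', 'desktop.ini',
                       'NTUSER.DAT.LOG1', 'NTUSER.DAT.LOG2', 'Thumbs.db')

function Repair-HiddenItems {
    param([Parameter(Mandatory)][string]$Path, [switch]$WhatIf)
    $fixed = 0
    foreach ($item in Get-ChildItem -LiteralPath $Path -Force -ErrorAction SilentlyContinue) {
        $attrs = $item.Attributes
        # Skip junctions/symlinks (avoids loops) and the per-user AppData tree.
        if ($attrs.HasFlag([IO.FileAttributes]::ReparsePoint)) { continue }
        if ($item.PSIsContainer -and $item.Name -eq 'AppData') { continue }
        # System-flagged items are Windows housekeeping files, not user data.
        if ($attrs.HasFlag([IO.FileAttributes]::System)) { continue }
        if ($script:KeepHidden -contains $item.Name) { continue }

        if ($attrs.HasFlag([IO.FileAttributes]::Hidden)) {
            if ($WhatIf) { Write-Host "Would unhide: $($item.FullName)" }
            else { $item.Attributes = $attrs -bxor [IO.FileAttributes]::Hidden }
            $fixed++
        }
        if ($item.PSIsContainer) {
            $fixed += Repair-HiddenItems -Path $item.FullName -WhatIf:$WhatIf
        }
    }
    return $fixed
}

$roots = @(
    (Join-Path $env:SystemDrive 'Users'),
    (Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu')
)
$total = 0
foreach ($root in $roots) {
    if (Test-Path -LiteralPath $root) {
        # Preview first with -WhatIf; remove the switch to apply the change.
        $total += Repair-HiddenItems -Path $root -WhatIf
    }
}
Write-Host "Hidden attribute found on $total item(s)."
```

If the preview lists only the files and desktop shortcuts you expect, rerun without -WhatIf; anything under AppData or marked System is deliberately left as it is.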
Strathclyde Police UKash Virus
Overview
This is an updated guide, as I found recently (Mar 2012) that Malwarebytes failed to recover a customer's UKash-infected machine.
The UKash virus pretends to be a punitive police notice that demands the payment of a penalty.
Methods Tried
Malwarebytes - This no longer works
Removal Method
Stage 1 - Collect Virus Removal Tools on an uninfected PC and put on a USB/CD
Stage 2 - Start the infected PC in safe mode.
Restart the infected PC and press F8 during boot. Then choose Safe Mode with networking.
Stage 4 - Remove all components of the virus
Insert the USB/CD and run Kaspersky Virus Removal Tool. This will remove all the active components of the virus.
Stage 5 - Restart PC
Restart the PC and start in Normal Mode. Your machine should now run. A cmd box will open as Kaspersky Virus Removal Tool attempts to remove all remaining traces of the virus.
Just to be safe, check that your antivirus software is enabled, force it to update, and run a full scan.