I'm running Windows XP, SP3.
I recently got a pretty nasty virus/trojan/something that installed some Security Centre program on my computer and caused havoc. Aside from causing constant pop ups trying to get me to pay for and install a virus scanner, it disabled use of the Task Manager, disabled System Restore and wouldn't let me run or open any programs.
The first thing I tried to do was boot into safe mode to see if I could use a System Restore, but safe mode didn't work. When I try to boot safe mode, I get a message saying "Pres esc to cancel loading of sptd.exe". If I press esc the computer reboots into normal windows, if I don't press esc after a few seconds it still reboots into normal windows.
Eventually I managed to run some programs from an alternate account before the virus/trojan stopped me. I did the standard Adaware, Spybot, AVG and some other malware programs. These seemed to fix the problem for the most part. Windows loads normally, I can run all programs and task manager is working again.
The problem is, I still can't open System Restore. When I try to open it from System Tools, I get a message saying that it's been disabled by the Domain Administrator. I'm the Admin of this computer and have full Admin access to the network. If I try to access it from Control Panel -> System, there is simply no System Restore tab.
On top of that, I still can't boot into Safe Mode, getting the same error message as before.
My anti-virus/firewall has been picking up and blocking various things about twice a day, way more than it used to, so I'm certain my computer is still somehow infected but I'm at a loss of how to fix it.
Suggestions? I appreciate any help anyone can provide.
A Virus/Trojan + System Restore problem. Help?
Moderator: Thanas
Re: A Virus/Trojan + System Restore problem. Help?
Sounds a bit similar to something I got a few months ago (named System Security 2009). Yours might be different, but I'll tell you how I did it.
The good news is that I could solve it without formatting the whole bunch.
The bad news is that it took ages to clean up, and that it had the nasty habit of coming back after a few days of a false feeling of safety.
How I got rid of it was
- startup normally,
- press Control+shift+escape asap to get into task manager.
- Find the program and end the process (it was called something like SystemSecurity.exe, 9912121.exe or 11215544.exe or something else random). If you're too late (as in, your system is hijacked again), simply log out/log in and rinse & repeat until you're fast enough
- locate and delete any related files (Documents and Settings%\All Users\Application Data\suspicious folder)
- do a basic search on the virus name and the random numbers you might have seen in task manager, delete any related files.
- do the same in regedit
- check startup in msconfig. Uncheck the related boxes
- unleash all the antispyware and antivirus scanners you can find and pray to Zeus. And then scan some more.
- Perseid
- Padawan Learner
- Posts: 357
- Joined: 2005-03-10 09:10am
- Location: Somewhere between Here and There
Re: A Virus/Trojan + System Restore problem. Help?
I deal with these quite regularly on a side business. Your best bet, if wautd's method didn't work, is to search for the exact name of the Security Centre that was installed and follow the removal instructions to the letter. System Restore won't do you any good, and neither will installed security apps. Hope you get it off your system as they are bastards on your resources.
Re: A Virus/Trojan + System Restore problem. Help?
Damn, that shit hit me about a week ago, too. Fortunately, this computer has a restore function that can be accessed right when you turn it on. Unfortunately, it goes all the way back to the initial configuration.
Not an armored Jigglypuff
"I salute your genetic superiority, now Get off my planet!!" -- Adam Stiener, 1st Somerset Strikers
Re: A Virus/Trojan + System Restore problem. Help?
Can you run msconfig? If you can run msconfig you have hope. There are six variants of Security Center Pro which are all based along the fake anti-virus method that's been popular the last year. You'll also run across Antivirus2009 and the worst of the lot, Police Pro-Antivirus 2009, which corrupts Windows files needed for safe mode but still lets Windows work normally and of course disables regedit, msconfig, task manager and installs all of its programs under the system label to make finding them hard, as they will look like Windows components.
But if you can get into MSconfig then lovely. What you do is get to there, go to the startup tab and turn off everything. Then restart Windows and start your anti-virus manually and do scans (with your net connection off/unplugged). And you should be fine.
(FYI The Police Pro method of corrupting safe mode is genius, as what it does is corrupt the safe mode logon screen. Safe mode works fine but you can't progress past the login screen, which has all of its buttons disabled)
"A cult is a religion with no political power." -Tom Wolfe
Pardon me for sounding like a dick, but I'm playing the tiniest violin in the world right now-Dalton
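The startup and registry checks suggested in the replies above, as an added example that is not from any poster in the thread: a Python triage over (key, value, data) rows copied out of regedit, flagging digit-named startup executables, startup entries under All Users\Application Data, and the policy values that lock out Task Manager, regedit and System Restore. The sample rows are constructed, and the policy value names (DisableTaskMgr, DisableRegistryTools, DisableSR, DisableConfig) are standard Windows policy values, not quoted from the thread.

```python
import ntpath
import re

# Policy values that, when set non-zero, produce the lockouts described above.
POLICY_LOCKS = {
    "disabletaskmgr": "Task Manager blocked by policy",
    "disableregistrytools": "regedit blocked by policy",
    "disablesr": "System Restore turned off by policy",
    "disableconfig": "System Restore settings tab hidden by policy",
}
APPDATA = "\\all users\\application data\\"

# Constructed sample rows (key, value name, data); none come from the thread.
SAMPLE = [
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "AVG8_TRAY",
     r'"C:\Program Files\AVG\AVG8\avgtray.exe"'),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "11215544",
     r"C:\Documents and Settings\All Users\Application Data\11215544\11215544.exe"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System",
     "DisableTaskMgr", "1"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System",
     "DisableRegistryTools", "0"),
    (r"HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore", "DisableSR", "1"),
]

def exe_path(data):
    """Pull the executable path out of a Run-key command line."""
    data = data.strip()
    if data.startswith('"'):
        return data[1:].split('"', 1)[0]
    m = re.match(r"(.+?\.exe)\b", data, re.I)
    return m.group(1) if m else data

def triage(rows):
    """Return (value name, reason) for every row worth a closer look."""
    findings = []
    for key, name, data in rows:
        k = key.lower()
        if "\\policies\\" in k and name.lower() in POLICY_LOCKS:
            if data.strip() not in ("0", ""):
                findings.append((name, POLICY_LOCKS[name.lower()]))
        elif k.endswith("\\run") or k.endswith("\\runonce"):
            path = exe_path(data)
            stem = ntpath.splitext(ntpath.basename(path))[0]
            if stem.isdigit():
                findings.append((name, "all-digit executable name"))
            elif APPDATA in path.lower():
                findings.append((name, "starts from All Users\\Application Data"))
    return findings
```

A flagged row is a lead to check by hand, not proof of infection; a clean result does not mean the machine is clean.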
- Redshirt
- Posts: 3
- Joined: 2009-11-12 02:52am
Re: A Virus/Trojan + System Restore problem. Help?
Hi Superboy,
I had the same problem as you have, can access the whole computer and every time it pops up. I thought of formatting the whole hard disk, as it also resides in the System Restore point, but then I tried the solution provided by “wautd” and it works well. After finishing with that, try the technique provided by “Mr Bean”. The process is very long, but we have to do this if we want the virus out of our computer. It will be better if you use an antivirus that has features like antivirus, spyware, firewall and others.