I recently had a remote laptop user that got infected with some type of fake malware FBI virus. The virus was pretty cool, at least from a technical perspective. The malware activated the web cam in the laptop and took a picture of the user demanding to be paid in some form of money called Moneypak in order to “decrypt” the hard drive’s files. The laptop would not boot into safe mode without blue screening and the task manager/start menu/desktop were all locked out in normal mode. However, we were magically able to login as another user and the FBI virus wasn’t loading for that user profile. How someone could spend so much time doing a good job locking down the computer and then have it be bypassed with another user login is quite baffling to me. Anyways, I tried a system restore and it wouldn’t go, saying something about it was interrupted and therefore all the changes were being rolled back.
I used regedit to load the user’s profile as a hive, cleaned the autostart entries and deleted all of the virus EXEs from the user’s profile folder, but the darn virus kept coming back. So I did something I never did before: I gave myself rights to C:\System Volume Information, which is where system restore “hides” its restore points, and then went looking in the RPXXX directories. Going by the dates, I was able to narrow down a “good” copy of the user’s profile. The ntuser.dat file will be in the format of something like _REGISTRY_USER_NTUSER_S-1-5-21-(long string of numbers that correspond to a particular SID). I compared the size of his current ntuser.dat to this file and voilà: we had a near match! I copied over this file as ntuser.dat into his profile directory, had him login and voilà: no more virus!
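The search described above (walk the RP directories, find the saved NTUSER hive for one SID, go by date and compare sizes) is easy to get wrong by hand across dozens of restore points. The following Python script is an added example, not part of the original post: it builds a constructed copy of the Windows XP layout (C:\System Volume Information\_restore{GUID}\RP###\snapshot\_REGISTRY_USER_NTUSER_<SID>) in a temp folder, then lists the snapshots for a SID and picks the newest one taken before the infection date, reporting how far its size is from the live ntuser.dat. Directory names, dates, sizes and the SID are all made up for the demo; on a real machine point `find_ntuser_snapshots` at the real System Volume Information folder (after granting yourself rights, as the post describes).

```python
import os
import re
import tempfile
from datetime import datetime

# Windows XP System Restore layout (assumed from the post):
#   <SVI>\_restore{GUID}\RP###\snapshot\_REGISTRY_USER_NTUSER_<SID>
NTUSER_SNAPSHOT_RE = re.compile(r"^_REGISTRY_USER_NTUSER_(S-1-5-21-[\d-]+)$", re.IGNORECASE)
RP_DIR_RE = re.compile(r"^RP\d+$", re.IGNORECASE)

# Constructed infection time for the demo (not from the post)
INFECTION_TIME = datetime(2013, 6, 13, 22, 0).timestamp()


def find_ntuser_snapshots(svi_root, sid):
    """Return every saved NTUSER hive for `sid` under the restore points, oldest first."""
    found = []
    for restore_dir in os.listdir(svi_root):
        restore_path = os.path.join(svi_root, restore_dir)
        if not (restore_dir.lower().startswith("_restore") and os.path.isdir(restore_path)):
            continue
        for rp in os.listdir(restore_path):
            snap = os.path.join(restore_path, rp, "snapshot")
            if not (RP_DIR_RE.match(rp) and os.path.isdir(snap)):
                continue
            for name in os.listdir(snap):
                m = NTUSER_SNAPSHOT_RE.match(name)
                if m and m.group(1).lower() == sid.lower():
                    path = os.path.join(snap, name)
                    st = os.stat(path)
                    found.append({"rp": rp, "path": path, "mtime": st.st_mtime, "size": st.st_size})
    found.sort(key=lambda e: e["mtime"])  # "going by the dates"
    return found


def pick_clean_candidate(snapshots, current_size, infection_time):
    """Newest snapshot taken before the infection, with its size delta to the live ntuser.dat.

    A hive saved after the infection may already carry the autostart entries, so it is skipped.
    """
    before = [s for s in snapshots if s["mtime"] < infection_time]
    if not before:
        return None
    best = dict(before[-1])
    best["size_delta"] = current_size - best["size"]
    return best


def build_demo_tree():
    """Create a constructed System Volume Information tree in a temp dir; returns (root, sid)."""
    root = tempfile.mkdtemp(prefix="svi_demo_")
    sid = "S-1-5-21-1111111111-2222222222-3333333333-1001"  # constructed SID
    restore = os.path.join(root, "_restore{00000000-0000-0000-0000-000000000000}")
    # (rp name, snapshot date, hive size in bytes): RP102 is after the infection
    points = [
        ("RP100", datetime(2013, 6, 1, 9, 0), 2_000_000),
        ("RP101", datetime(2013, 6, 10, 9, 0), 2_050_000),
        ("RP102", datetime(2013, 6, 14, 9, 0), 2_400_000),
    ]
    for rp, when, size in points:
        snap = os.path.join(restore, rp, "snapshot")
        os.makedirs(snap)
        hive = os.path.join(snap, "_REGISTRY_USER_NTUSER_" + sid)
        with open(hive, "wb") as f:
            f.write(b"\0" * size)
        t = when.timestamp()
        os.utime(hive, (t, t))
    return root, sid


if __name__ == "__main__":
    root, sid = build_demo_tree()
    snaps = find_ntuser_snapshots(root, sid)
    for s in snaps:
        print(f"{s['rp']:6} {datetime.fromtimestamp(s['mtime']):%Y-%m-%d} {s['size']:>10} bytes")
    best = pick_clean_candidate(snaps, current_size=2_420_000, infection_time=INFECTION_TIME)
    print("candidate:", best["rp"], "size delta:", best["size_delta"])
```

The size delta is only a sanity check, as in the post: a candidate that is wildly smaller than the live hive probably predates a lot of legitimate profile changes, so prefer the newest pre-infection point whose size is close.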
However, his profile was still trying to load EXE files that didn’t exist anymore, which meant he probably had some “sleeper” viruses that weren’t announcing their presence on his laptop. I cleaned these “dead” entries off with Autoruns. A full virus scan found a few more goodies on the laptop which were removed.
After doing all of this work, I found a good primer on working with system restore points manually here: http://wiki.lunarsoft.net/wiki/System_Volume_Information. Web sites can go down, so I’ve also published the file here as a PDF.
I looked at my Windows 8 C:\System Volume Information folder and yeah: completely different animal, so this would be a trick for Windows XP machines only.
Of course, after I wrote this witty entry, I got a Windows 7 laptop with the same virus. I did an offline scan with Windows Defender Offline which removed the virus and then it wouldn’t boot…in any mode and was getting critical failure BSOD. I tried booting to WinPE and doing a system restore, however, it told me system restore was disabled for this drive even though I could see the restore points! I unfortunately had to back up the user data from WinPE and wipe the drive and reinstall Windows. I might try a system restore from MS DaRT next time this happens.
Yet another laptop with this virus, although this one was nastier. It was popping up on all logins to the laptop. I had a copy of MS DaRT, but it didn’t have the right mass storage drivers for the Dell e6430 laptop I had, so I was getting a STOP 7B BSOD on boot and didn’t feel like messing around injecting drivers and re-burning a new CD. System Restore failed to complete on this laptop as well. I used Wondershare’s Liveboot 2012 and used the “Analyze System Offline” feature of Autoruns and found our little friend: a weirdly named DLL sitting in the user’s temp folder under their profile. This DLL file was referenced in practically every startup location in Windows, even in ContextMenuHandlers sections and some bizarro autorun feature of cmd.exe I never heard of before: HKEY_CURRENT_USER\Software\Microsoft\Command Processor. I removed all the entries with Autoruns and the malware screen was gone, however, after login, I would get a black cmd.exe window and that was it (no desktop). I could load explorer.exe from the task manager and get the desktop, but it wouldn’t autoload on its own and it looked like the shell was correctly defined. Anyways, I manually copied the system, software and user profile files out of the snapshots directory under C:\System Volume Information\RPXXX from Liveboot and again: the laptop was cured. Well, almost. The infection took off on the night of 6/13/13, but when I ran Norton Power Eraser, it found another naughty DLL dated 4 days earlier in the user’s profile directory (it was under Application Data under a Konica folder I believe). This means the first infection might have been a “sleeper” waiting to deliver a nasty payload at a later date or the virus skewed the time to hide.
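The pattern in this laptop (one DLL from the user’s temp folder referenced from the Run key, from the cmd.exe AutoRun value under HKEY_CURRENT_USER\Software\Microsoft\Command Processor, and from other startup locations) is the kind of thing that is worth checking on an exported copy of the hive before trusting a cleaned profile. The Python script below is an added example, not part of the original post or of Autoruns: it parses a .reg export (the sample text is constructed, including the DLL name and paths) and flags startup values that point into temp or application-data folders under a profile, any cmd.exe AutoRun value at all (the value does not exist on a clean machine), and a Winlogon Shell that is not explorer.exe. The key list and the “suspicious path” rule are my own assumptions about what a defender would want flagged, not a complete list of autostart locations.

```python
import re

# Autostart locations audited here; the Command Processor\AutoRun value runs a
# command on every cmd.exe start (the mechanism the post ran into).
WATCHED_KEYS = {
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Command Processor",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon",
}
# Folders under a profile that a startup entry normally has no business pointing into
SUSPICIOUS_PATH_RE = re.compile(r"\\(temp|application data|appdata\\(local|roaming))\\", re.IGNORECASE)

KEY_LINE_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_LINE_RE = re.compile(r'^"(?P<name>[^"]*)"="(?P<data>(?:[^"\\]|\\.)*)"$')


def parse_reg_export(text):
    """Minimal parser for REG_SZ values in a 'Windows Registry Editor Version 5.00' export.

    Returns {key: {value_name: data}}; hex/dword values are ignored for this audit.
    """
    hives, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_LINE_RE.match(line)
        if m:
            current = m.group("key")
            hives.setdefault(current, {})
            continue
        m = VALUE_LINE_RE.match(line)
        if m and current is not None:
            # undo .reg escaping: \\ -> \ and \" -> "
            data = re.sub(r"\\(.)", r"\1", m.group("data"))
            hives[current][m.group("name")] = data
    return hives


def audit_reg_export(text):
    """Return a list of {key, name, data, reasons} for suspicious startup values."""
    findings = []
    for key, values in parse_reg_export(text).items():
        if key not in WATCHED_KEYS:
            continue
        for name, data in values.items():
            reasons = []
            if key.endswith("Command Processor") and name.lower() == "autorun" and data.strip():
                reasons.append("cmd.exe AutoRun value is set")
            if key.endswith("Winlogon") and name.lower() == "shell" and data.strip().lower() != "explorer.exe":
                reasons.append("Winlogon Shell is not explorer.exe")
            if SUSPICIOUS_PATH_RE.search(data):
                reasons.append("points into a temp/profile data folder")
            if reasons:
                findings.append({"key": key, "name": name, "data": data, "reasons": reasons})
    return findings


# Constructed sample export: one benign updater entry, one DLL loaded from the
# user's temp folder via the Run key and via the cmd.exe AutoRun value.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Updater"="\"C:\\Program Files\\Vendor\\updater.exe\" /silent"
"xk8d2q"="rundll32.exe \"C:\\Documents and Settings\\user\\Local Settings\\Temp\\xk8d2q.dll\",Entry"

[HKEY_CURRENT_USER\Software\Microsoft\Command Processor]
"AutoRun"="rundll32.exe \"C:\\Documents and Settings\\user\\Local Settings\\Temp\\xk8d2q.dll\",Entry"

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
'''

if __name__ == "__main__":
    for f in audit_reg_export(SAMPLE_REG):
        print(f"{f['key']}\\{f['name']}: {'; '.join(f['reasons'])}\n    {f['data']}")
```

Run it against `reg export HKCU hkcu.reg` taken from the suspect profile (or from a hive loaded with regedit, as in the earlier laptop) before and after cleaning; an AutoRun value that survives the cleanup explains a black cmd.exe window at logon just as well as a broken Shell value does.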
Whatever the cause, this kind of malware is getting almost impossible to remove without a drive wipe. If I could figure out how it’s corrupting/attacking the system restore function, that would help a great deal.
I found a nifty program called the System Restore Explorer. This allows you to mount the restore points on Vista and later systems as a regular folder. I tried it on my VM and it works great (and yes, it works on Windows 8 too)! One little snag is that you will have to work from an elevated command prompt, since C:\windows\system32\config is a protected folder and the restore point is mounted read-only (i.e. you can’t change ACLs). You should be able to copy the SOFTWARE and SYSTEM out to a folder and replace the ones on the system from WinPE.
There’s also this utility that does nearly the same thing that I have not tested: http://sourceforge.net/projects/vistaprevrsrcvr/
There’s a better utility for exploring system restore points on Windows 7/8 called ShadowExplorer. It is available in a portable edition and if you run as administrator, you can export the file directly out without having to use the command console.
– Soli Deo Gloria