RSTRUI – Six letters you’ll learn to love
Here’s a tip you won’t remember until you need it. But this little tip can pull you out of some serious problems. There are several new rogue security programs on the Web, and they all follow the same M.O.
First you see a warning that looks for all the world like a genuine Windows warning. The crooks are making so much money now, they can afford to hire top-notch graphic artists that can and do design very Microsoft-looking graphics, like these:
All 4 of the pictures above are actual examples of rogue security programs. They’ll try to get you to purchase them in order to clean the problems they find – but the problems they find aren’t real. Purchasing one of these rogues is, in essence, equivalent to buying spyware – and you may be offering up your credit card number, phone number and/or home address to the crooks behind these scams. It’s like a triple whammy.
The four examples above are just a few of the many rogues which are currently being distributed on the web. There are new ones appearing every day, and most of the time the new ones are simply old ones with new names and updated user interfaces. Some of these rogues spawn full-page alerts (or popups) that always stay on top of all other windows, no matter what you do. This kind is particularly annoying because you can’t access your browser, Windows Explorer or any other program while the rogue window is always on top. Some of these full-page alerts and popups have no “X” in the top-right corner with which to close them, some do but the “X” does not work, while some work but only close the alert or popup window momentarily. The above photos were taken from Microsoft Security Essentials after it detected a rogue trying to install itself on my Windows 7 laptop.
You can get these rogue popups simply by visiting a web site. We wish we could give you a list of these sites but there isn’t any way to do that. The sites distributing these rogues may be legitimate sites which have been duped into “selling” these rogues, they may be sites which are owned by less-than-honest business people who are trying to make a quick buck by partnering with the crooks who make these rogue security products, or they may be sites created by the crooks themselves. And even if we could give you a list of sites – it would change and grow every day – there’s just no way to keep up with them.
But you don’t need to know the sites, all you need to know is this: When a warning appears telling you that a virus or Trojan has been detected on your computer – DO NOT PANIC. Take a deep breath. Look carefully at the warning. Pay no attention to fancy Windows-like graphics. Look to see if the name of your security program(s) appears anywhere on that warning. If you use Avast – does it say Avast? If you use Microsoft Security Essentials, does it say that? If you use SUPERAntiSpyware – does it say SUPERAntiSpyware? You get the picture. If it’s a rogue – it won’t know what security software you have installed, but the alert usually will have a legitimate-sounding name on it – like Windows Internet Security 2011 or similar. You’re going to have to reach down and hold on – take a deep breath and use all your willpower so you don’t click the “Scan and clean my computer now” button. Remember, if you do click the scan and clean button on one of these rogues, you’ll be installing it. And if you do actually install one of these rogues, you’re going to have a lot more problems.
If you make a mistake and become infected or click a link that causes you to be infected, it’s important that you don’t panic. You can recover from this type of attack, but you need to stay calm and not do anything crazy like click “Purchase ….. now”, or “Clean your computer now”, or “Activate now”.
A number of these newer rogues are ingenious in their design. Their popups cover your entire screen when you start your computer. And you’ll have no way to minimize or close them – they give you one easy choice. The choice you’ll have is to buy the rogue security program by clicking the button on the popup which says “Buy now and clean your computer”, or similar. It can be very frustrating to users – many of whom don’t know how to get this popup off their screens. You can’t use ALT+F4 to close it. There is no X in the top right corner, there is no icon on your taskbar to right-click and close – and sometimes you can’t see your taskbar at all anyway.
If this happens to you – and it will happen to some of you sooner-or-later – there is a very simple solution. But you have to remember it and you have to remember not to panic. Here is the simple solution:
1. Shut your computer down. The only way you’ll be able to shut down is by turning off your computer using the power switch. You won’t be able to shut down normally because your start button will be covered by the popup. (Some of the rogues cover everything but the taskbar and the start button – but when you click anything on the taskbar, the rogue popup reappears as soon as you click “Start” or anything else.)
2. Turn the power button on and keep tapping the F8 key while Windows is booting. This will open your Safe Mode options. Choose “Safe Mode with Command Prompt”. This is the only option you should use in this scenario. The reason? Because it doesn’t start Windows Explorer – it opens a Windows CMD window – the black and spooky “DOS window”. Have no fear.
3. When the command window opens – and this can take some time, so be patient – you’ll see something like C:\Windows\System32>
When you see C:\Windows\System32> type rstrui.exe and press the Enter key.
Sit back, grab some coffee – or if you’re really nervous, grab a double shot of Irish whiskey – and wait. It may take 5 or 6 minutes before you see anything change. But take heart, it will change. You’ll see the Windows System Restore dialog appear. And when it does, you’re almost home. Choose a restore point at least 48 hours prior to the time you started having problems and initiate a System Restore. It will take a few minutes and then your computer will reboot. When Windows boots, your rogue security program will be gone, no more popups, no more trouble – it will be like nothing ever happened.
And the best thing is – you won’t lose any emails, photos, music files, or documents, etc. The only thing you’ll lose is any program(s) you’ve installed since the restore point you chose.
This tip can be used for many other problems too. Safe Mode with Command Prompt does not even load the Windows shell – but it does load the Windows system files. The key is RSTRUI.EXE, which you can access from Safe Mode with Command Prompt to go back in time as if the problem you had never even happened.
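The recovery above only works if a restore point from at least 48 hours earlier exists, and spotting a fake alert depends on knowing which security product is really installed. The following Windows PowerShell script is an added example, not part of the original article, that checks both ahead of time on a healthy machine; the 48-hour threshold comes from the article, while the parameter name `$MinAgeHours` and the function name `Get-RestorePointAge` are assumptions of the example.

```powershell
# Added example. Run in Windows PowerShell (elevated) on a healthy system.
param([int]$MinAgeHours = 48)   # the article's "at least 48 hours prior"

function Get-RestorePointAge {
    # Return each restore point with a real DateTime and its age in hours.
    foreach ($p in @(Get-ComputerRestorePoint -ErrorAction SilentlyContinue)) {
        $created = $p.ConvertToDateTime($p.CreationTime)  # WMI string -> DateTime
        New-Object PSObject -Property @{
            Sequence    = $p.SequenceNumber
            Description = $p.Description
            Created     = $created
            AgeHours    = [math]::Round(((Get-Date) - $created).TotalHours, 1)
        }
    }
}

# 1. Which product names would a genuine alert carry on this machine?
$av = @(Get-WmiObject -Namespace 'root\SecurityCenter2' -Class AntiVirusProduct `
        -ErrorAction SilentlyContinue)
if ($av.Count -eq 0) {
    Write-Warning 'No antivirus product is registered with Windows Security Center.'
} else {
    'Registered security products (a real alert names one of these):'
    $av | ForEach-Object { '  ' + $_.displayName }
}

# 2. Is there a restore point old enough to roll back to?
$all    = @(Get-RestorePointAge | Sort-Object Created -Descending)
$usable = @($all | Where-Object { $_.AgeHours -ge $MinAgeHours })

if ($all.Count -eq 0) {
    Write-Warning 'No restore points found (or not run elevated); rstrui.exe would have nothing to restore.'
} elseif ($usable.Count -eq 0) {
    Write-Warning "All restore points are younger than $MinAgeHours hours."
} else {
    "Restore points at least $MinAgeHours hours old (newest first):"
    $usable | Select-Object -First 5 Sequence, Created, AgeHours, Description |
        Format-Table -AutoSize
}
```

Both cmdlets used here ship with Windows PowerShell only, not PowerShell 7, and the Security Center namespace is present on client editions of Windows.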