Urgent Fire Fox Update Notice
I keep getting a screen popping up that says "Urgent Firefox Update". My protection software is blocking it, saying it's a Trojan. When I go to Mozilla, it says my Firefox is up to date. Is there an Urget Update or not?
Chosen solution
Hi
We are aware of this issue are are working to resolve it. From what you are saying this is almost certainly malware.
Firefox will always update from within the browser and not from a random web page. If you ever unsure of whether you are using the most recent version, this page will walk you through how to check.
Comment added by a forum moderator Please also see our help article
If you do see one of these fake updates please as a reply to this thread post the web address of the fake orange page and if possible the address of the genuine website it appears to have come from - the back arrow on the address bar of the orange page may sometimes help find that.
Read this answer in context 👍 236All Replies (20)
I have been seeing this spoof on twincitiesgasprices.com for I think over a month now. Two weeks ago, after trying their website feedback option, I ended up emailing the moderator. I forwarded them the URLs and screenshots for 2 weeks. Yesterday, they emailed me that they had concluded that the problem was on my end (suggesting that I was infected). I am so far unable to convince them.
Yesterday, in preparing a response back to them, I encountered another page hijack to a different spoof however, I suspect it is the same group distributing the Firefox spoofs.
This is not the Urgent Firefox Update, but the Firefox spoof download is the predominate one that their malware infection(s0 redirects to.
URL that it came from:
http://www.twincitiesgasprices.com/forum_msg.aspx?category=1162&topic=96836&page=1&page_size=30
(incidentally, that is a tread discussing the occurrences of the 'Urgent Firefox Update' happening to members on twincitiesgasprices.com)
URL that did the redirecting (middle step):
http://engine.spotscenered.info/Redirect.eng?MediaSegmentId=30262&dcid=1_ctx_ea43df8d-b7cf-4685-8a8d-bfa9fbc2bf7b&vmId=5fb6670f-2ffe-4ba0-9697-1a0158d5a769&abr=false&timeZoneOffset=
URLs it redirects to (get different target pages when I used 'back'):
(Microsoft spoof download to 'fix' your computer, tailored to look like a legitimate Microsoft page,)
[www.adsupplyads.com/... URL I would have to dig up from email sent]
(advertising and with links to 'luminosity.com')
I may have mixed up the sequence; the luminosity spamvertisement might have been linked with only one URL jump.
I don't know if this URL is related to the one serving all the 'Urgent Firefox Update' that are coming from twincitiesgasprices.
I will post (to this thread) the list of source URL and 'Urgent Firefox Update' URLs (and a sample screenshot) when I have time and retrieve them from the emails I sent to twincitiesgasprices support.
(I don't know if it is helpful if they are up to 2 weeks old, but the infection [Urgent Firefox Update] appears to be still active on twincitiesgasprices currently).
Thank you for the great forum resource! Mr KL
Not sure if it's coincidence or not, but I haven't had the page displayed for over 2 weeks now. I cleaned some stuff off my computer, but I can't remember everything I removed. I had two Jusched.exe (java updater), deleted both. Deleted flvga tray (came with a usb to vga monitor adapter I have), and also got rid of unified remote (server on pc that allows android phone to be a mouse/keyboard/mc remote). I probably removed more stuff, but that's all I can remember. I'll give it more time to see if it comes back or not, but this is way longer than I've gone before without getting the fake page. Oh, also updated flash and haven't allowed it to display on most pages yet.
alwaysbroke said
Not sure if it's coincidence or not, but I haven't had the page displayed for over 2 weeks now. I cleaned some stuff off my computer, but I can't remember everything I removed. I had two Jusched.exe (java updater), deleted both. Deleted flvga tray (came with a usb to vga monitor adapter I have), and also got rid of unified remote (server on pc that allows android phone to be a mouse/keyboard/mc remote). I probably removed more stuff, but that's all I can remember. I'll give it more time to see if it comes back or not, but this is way longer than I've gone before without getting the fake page. Oh, also updated flash and haven't allowed it to display on most pages yet.
so funny you should post this....I was gonna do the same....I have not seen it for 2 weeks either....looks like it stopped after 49.1 update if I was gonna take a wild guess.....It was popping up on ebay for me 3 times a day...
Does this help?? 184.97.223.64
about 10 min old Unfortunately, it is not redirecting to the Urgent Firefox Update; it went to an 'ISP survey/$70 offer' (http://www.wpvsurveys.com/)
It is on the same site that I was getting literally dozens of Firefox spoofs, so possibly it might be the same source?
Tell me what to look for; I have the page up and Page info
I found references to an intermediate URL:
I pulled the IP off the Page source, which shows 'data source' as the URL that page info also says is 'Referring URL' and then gives the IP of the data source.
from page source (of final page): "data-referer="engine.spotscenered.info" data-ip="184.97.223.64""
and from 'page info' (...I have seen this domain before): "Referring URL: http://engine.spotscenered.info/Redirect.eng?MediaSegmentId=30262&dcid=1_ctx_18f63c08-9215-4924-b625-60db928d4777&vmId=d78eeffd-4241-4d31-aaef-cff806be0b56&abr=false&timeZoneOffset=
Is this (following code) possibly how the page opens without user input? From page source (of final page): lines 30 thru 53: </head> <body data-sid="isp.opt.3a6x" data-ow="us.ao96ho9gbr467d49" data-isp="your ISP" data-browser="Firefox" data-os="Windows" data-region="Minnesota" data-city="Minneapolis" data-ip="184.97.223.64" data-countryname="United States" data-device="DESKTOP" data-brand="Desktop" data-model="Desktop" data-country="US" data-track="www.boltedsurvey.com" data-tid="0ba6f51c-279d-4a68-82c0-dc5e8b9e9e67" data-caid="3fc624b7-4074-4b7f-aa2a-a68cbc6a0c97" data-pool="selxb" data-did="4484" data-voluumdata="BASE64dmlkLi4wMDAwMDAwNS00ZThmLTRlMTgtODAwMC0wMDAwMDAwMDAwMDBfX3ZwaWQuLmE5Y2JkODAwLThjNWItMTFlNi04MjdiLTdiZDk4MDZkODQ4NF9fY2FpZC4uM2ZjNjI0YjctNDA3NC00YjdmLWFhMmEtYTY4Y2JjNmEwYzk3X19ydC4uSEpfX2xpZC4uMmQ0NzA5NjAtN2ZmYi00NDI5LTk5NmUtMTVmNWI1ZDBjZmU5X19vaWQxLi5mMjQyZmIwOC05OWY5LTRiOTUtYTY5Yi00ODA4ZmY4MTE2OTlfX29pZDIuLmNmOTIwMWRiLWYyZjEtNGExYS1hZDI4LWRlYmVlNWI2ZDYxMF9fb2lkMy4uMTliZThlOTMtYzZiYS00M2FhLTgzY2UtZDYxZjhhNzE3ZDBlX19vaWQ0Li5kMjg3Y2ZlZS1jZDkzLTRkNDctOTMyZS1iY2ViM2ZlYjJjNTVfX29pZDUuLjFiY2RlMTI0LTEwYWQtNGEwNC04YWE5LTUxNzk0N2YzYjNhZV9fb2lkNi4uMjVlYzUyMGItNjc2YS00Y2Q4LWE0ZGMtMjg3M2MwMzIyMjA5X19vaWQ3Li42NDIzMGVjYy1jMTRiLTQwMTItOTI3Mi0wNzYyNTgzZjVmZDBfX29pZDguLmU0NWIxNjMyLWM3MGUtNGVjYi04YzE0LWIwYmM1NjE4MzhhMV9fb2lkOS4uNzA2NjY2MTItMTc1ZC00ZjVjLWFlZDQtOTFiMzFlOWI3YTg4X19vaWQxMC4uNGFiNTk5MjctMmU5OC00MDIwLTk0OGItZTI3NGZhN2E2ZGM3X19vaWQxMS4uMTUyZTBkYjktNTNkMy00NTkwLThlMmItMmM0N2JkNTY3NjJkX19vaWQxMi4uZjgyZmQwYTktYzQzZi00ZjY5LTgwMzQtMjNmZGNkMjJlZjE5X19vaWQxMy4uMzhkMWY0MzktMGE0NC00MzBlLWI0NGQtZTZmNWZiMjM5NDZlX192YXIxLi40NDg0X192YXIyLi4xMzAzMV9fdmFyMy4uNDU0MTRfX3ZhcjQuLlVTX192YXI1Li5NaW5uZWFwb2xpc19fdmFyNi4uRmlyZWZveF9fcmQuLmVuZ2luZVwuXHNwb3RzY2VuZXJlZFwuXGluZm9fX2FpZC4uX19hYi4uX19zaWQuLg" data-c1="4484" data-c2="13031" data-c3="45414" data-c4="US" data-c5="Minneapolis" data-c6="Firefox" data-serverhash="191135" data-clickhash="rlw6j640e70z1dov" data-referer="engine.spotscenered.info" data-ip="184.97.223.64" data-pixel="" > <script>
(function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){ (i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o), m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m) })(window,document,'script','//www.google-analytics.com/analytics.js','ga');
ga('create', 'UA-54004102-5', 'auto');
ga('require', 'displayfeatures');
sid = $( "body" ).data( "sid" );
ga('set', 'dimension1', sid);
fclick = true;
$(document).mousedown(function(){ if(fclick) {
ga('send', 'event', 'Page Clicks', 'Click', 'Click');
fclick = false; } });
</script>
I have the whole thing (page source).
I can screenshot what you need. Maybe this is not relevant to the Firefox problem...
I include it because I figure the same influence is behind all the page hijacks happening on this (original) site, including the Firefox ones...
Mr KL PS, the back history does not show the (intermediate) "http://engine.spotscenered.info/Redirect.eng?"... URL, only the originating and final spam sites.
The starting URL is "http://www.twincitiesgasprices.com/index.aspx?mss=263700" The ending URL is "http://www.wpvsurveys.com/"
(however, that is my saved personal page, so you won't see it without being signed in on my account, so "http://www.twincitiesgasprices.com" should suffice, since it seems to occur on any of their pages that have ads.)
info and IP are now about 30 min old.
Edit: what I meant to say is that the Page Info shows a domain that I encountered before when investigating these redirects; and the the final page's 'page source' also had references to the same. (I mean, I don't know if this is a clue, or simply where the page info gets the 'referring URL' from).
Edit: clarified grammar and added final URL that I forgot to include.
Modified
Hijack is very active right now on my gasbuddy website: I just got another page hijack as I opened another (new) tab with the (originating) site to prepared the above post!
It is yet another (different) possible trojan, offering software to repair Vista.
Website is twincitiesgasprices.com I will now look if there are similarities in the code/page info...
Mr KL
Update: Referring URL: http://engine.spotscenered.info/Redirect.eng?MediaSegmentId=30646&dcid=1_ctx_8d672e29-38cc-46ad-afd6-1f0bf4cf684c&vmId=2deefac0-26a2-40f0-b0ef-310f7eb52d41&abr=false&timeZoneOffset=
interesting, this one does not have the referring URL (from the page info) showing up in the page source...
Oh, final URL: http://www.reimageplus.com/lp/sqh/index.php?tracking=ReimageNetworkCon&banner=RNadsu&adgroup=4484&ads_name=45443&keyword=US-WL
starting URL (in a new tab) was still: http://www.twincitiesgasprices.com/index.aspx?mss=263700
Modified
Fresh occurrence (about an hour ago):
Starting URL: https://web.mail.comcast.net/zimbra/mail?app=mail#1
Page Info (looks the same as 'Final URL' to me): Referring URL: https://hahghpixelstores.net/6891229018401/663d19d87ed8abe307aca4df3d1161c7/4257860852ba9df43696a689e2fcdc1b.html
It is on my screen right now...
Attached, screenshot and saved page. (not sure why other member says save both ways; isn't complete include the HTML only file? [convenience?] -anyway...)
Anyone read this B4 7PM CST today, let me know what steps I should do to provide best help here! ie, cookies? page source? try reloading? etc.
Anyone tell me about the wireshark program, and how I can do that? It still appears repeatable here on my Gasbuddy local area site.
Mr KL (OK-How do I attach a folder; or a file? -couldn't attach the saved webpage) Update: browser crashed, so don't have hijack page active anymore...) Edit: Just remembered I saw something in the 7 pages long thread; do I zip it and it will attach?
Modified
Another 'Urgent Firefox Update' just came in... (~5:40PM CST) -still on my screen...
Starting URL: http://www.twincitiesgasprices.com/index.aspx?mss=263700
Trojan download is: firefox-patch.js
Screenshot attached:
Mr Kim Lindstrom (my hyperlinks don't appear to be linked?) edit: OK - they turned blue (linked) after it is posted - threw me for a moment there...
Modified
TS, you are a unique individual. Two "left turns" in the same day to the same URL. But twincitiesgas was the starting point only once, so I jokinhly say you are just unlucky yesterday. :) Unfortunately, due to the long lag-time till the emails went out, the whois and trace/routing to the download site were not available. If you looked, my guess is that PublicDomainRegistry did the registering.
Comodo gives/sells their version of FF. So far, they have been the issuser of the security certificates for the httpS. But, like everyone else, they have not been helpful at all in this quest.
My duckduckgo search months ago produced this item, as something to read, to understand more:
http://deletemalware.blogspot.com/2013/06/fake-flash-player-update-virus-removal.html
Unfortunately, I'd have to dig too much in my computer to find the really really good article which preidicted these types of events in 2013.
(Big smile) So glad to hear back from you! I was thinking this thread died in the two days it took me to read it all! (thought maybe you were occupied with your roof!)
I don't think I was unlucky; I have had about 20++ in the last 2-3 weeks, and 90% are the Firefox spoof. [EDIT: I just reread you reply, the (spoof) URLs are different each time, er, oops, what?] [EDIT: OK, I just re-reread it; Which URLs? If you mean the spoof, they are different every time, but the starting URL(s) is the same always (and the members are seeing the same)] Also, on their forum, a user brought it up, and several others agreed they were/are experiencing it too. One was a moderator had seen them too and thought nothing of it, until participating in that thread and realizing that she only experienced them when on Gasbuddy. (that thread is where a member linked to this thread here!) Gasbuddy forum discussion: http://www.twincitiesgasprices.com/forum_msg.aspx?category=1162&topic=96836&page=1&page_size=30 (you don't need to read it, gives indication of prevalence and time frame) Looks like it has been noticed for the last 3 months.
It seems this malware has found a happy home on this site for a while now. Sometimes it goes a day or so with none, and once it was so frequent, I could not work on another task. Usually it occurs once, maybe twice or more each day.
This might be a good test bed to trace this operation (at least this particular group).
I reported it to their support, and they asked me to include screenshots and URLs. After 2 weeks of accepting these, they returned a single response stating - that they concluded they had no problem, and that my computer must have a virus... o.O Interestingly, their forum has participating volunteers or staff, who KNOW about the problem; but they don't know that support and admin DON'T know about it! (anyway, I let admin know, and awaiting to see what they do now...)
If you tell me what to do, maybe I can capture some useful information. (I have not yet read the link you sent, but will do so). If there isn't info about 'wireshark' in the link, tell me if it is relevant to my capturing this (or is it something only the website can do?) I used to trace spam back to it's ISP, so know some of the tools and tricks, however, websites and email are two different entities, and I am a novice to website structure/functions. [Electronics, microcomputer technician]
I believe if you go to any Gasbuddy website, you will see them occur too. (what city are you in? I will try it)
The Gasbuddy forum said UBlock addon was effective stopping it, so you may have to disable ad-blockers or pop-up blockers to see them happen.
My Gasbuddy site that is affected: http://www.twincitiesgasprices.com/index.aspx?mss=263700 or try: http://www.twincitiesgasprices.com
You can tell by the tab name when it has been redirected. Also, sometimes it would steal focus if I was on another tab/page (but it seems to have quit that).
Thanks for you help, I will help if I can, Mr. KL
Modified
forget my post from a few days ago...just popped up on EBAY after not seeing it for 2 weeks...
OK, so I read the link. (and thank you!) I'm not sure what the relevance is; I did see one of those months back, but don't recall seeing any spoof Flash Updates in this current issue.
So if I understand; you are trying to get the whois on the spoof URL, right?
I am a bit rusty (and never proficient anyway): (I don't remember which gives which information)
-first I take the URL on the active spoof, and put in whois, right? -then what do I do with traceroute?
don't need step-by-step; it should come back to me as I do it... (hopefully! haha)
Mr KL
The phony Flashplayer is a variation, that's all. The phony FF update (I call the "orange screen" or OS) is the topic here, and has been in at least one other forum thread (if you want to read more about the effort put into research.) One thread was closed/locked, and the other just doesn't have activity lately.
The whois info, for Your Info only) I use mostly is: http://cqcounter.com/search because of the whois AND the routing. The routing was interesting to me for a pattern (always chicago and always ending in NJ) and the wonderment IF a network computer/server was involved.
Other owner info sites are: drwhois/whois publicdomainregistry.com (use the 2nd box for whois.) Note it does no good asking them for help. They just cancel the registration.
The whois info was interesting for its consistancy, but has been of no use so far. As for one guy that said he reported the malware situation to the FBI, etc., it just did not SOUND legitimate. No history either. Nevermind.
The spoof site URL is all you enter into the box, such as: hahghpixelstores.net
Because the site wants to know the folder and subfolder, or folder and program (thats the long first and 2nd numbers in the long URL), anyone visiting the main page is not going to see the orange screen, or be able to look at the program which has the pop-up which downloads the malware. And thus companies which will check for malware give the site a clean bill of health.
I think you will find that going to the OS site with the same LONG URL will also not give another orange screen.
As for the 'it's not our fault - its your machine' responses, it might be true, even if true for hundreds of others, OR it means the web site people could not duplicate your results.
If the bad guys are using the targetted-ads programs, you know, only jump to the orange screen if user is located in TwinCities and has FF browser and has ordered a book titled "mating rituals of american earthworms', they could also decide to block out a visitor with the same zip code as the origin web site. Hence eBay would not get the OS if they tried.
I'm isolating myself into why web sites are downloading new ads for the space an existing ad occupies. Why do I have to endur the downloads. And why one ad-agency can cause the physical ad to come from another computer. This is a 'featur' but dan also facilitate the ";eft turn to the orange screen" while the origin web site (gasbuddy) is noe the wiser.
Web sites don't really know what abuses can happen, and customer service even less so. Advertisers (home-depot for example) may not know there ad is only on for 10 or 30 seconds or that one person technically has seen their ad twenty times. They pay for 1000 insertions. Why have morals been replaced by greed in America? And my computer runs like I'm connected to a 56K dialup modem. (huh?)
Fresh on, active right now:
Starting URL I was on at the time: http://www.twincitiesgasprices.com/index.aspx?mss=263700
(think that only works when logged into my account) try: www.twincitiesgasprices.com
Interestingly, there is only one media entry in page info: https://eixuvtrf5.net/PR1-2/img/bg.jpg
Also, 'Referring URL' looks to be identical to the 'Address' (URL).
EDIT: Is this any help?:
Domain Name: EIXUVTRF5.NET Registry Domain ID: 2064901534_DOMAIN_NET-VRSN Registrar WHOIS Server: whois.publicdomainregistry.com Registrar URL: www.publicdomainregistry.com Updated Date: 2016-10-10T11:00:00Z Creation Date: 2016-10-10T11:00:00Z Registrar Registration Expiration Date: 2017-10-10T11:00:00Z Registrar: PDR Ltd. d/b/a PublicDomainRegistry.com Registrar IANA ID: 303 Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited Registry Registrant ID: Not Available From Registry Registrant Name: Chad N. Wessels Registrant Organization: Registrant Street: 4145 Diane Street Registrant City: Atascadero Registrant State/Province: California Registrant Postal Code: 93422 Registrant Country: US Registrant Phone: +1.8054618382 Registrant Phone Ext: Registrant Fax: Registrant Fax Ext: Registrant Email:
Name Server: ns1.europedns.net Name Server: ns2.europedns.net DNSSEC:Unsigned Registrar Abuse Contact Email: Registrar Abuse Contact Phone: +1.2013775952 URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/ >>> Last update of WHOIS database: 2016-10-10T22:52:07Z <<<
- There was more contacts, but it duplicated same info for all contacts...
(single person info entered in all places)
UPDATE: Address (street) of registrar appears to be fictitious
Mr. KL
Modified
How to cleanse malware foolishly installed via fake urgent firefox update.
I got the urgent firefox update webpage. Half asleep I downloaded and installed it...this update looked different installing so I looked at the URL from where it came (as I said I was half asleep) and saw it looked strange.
https://geifiisango.net/410849213806/1476191156427735/firefox-patch.js
I then looked online to find out about such malware. I still have the .js file if someone knows how to inspect it to see what it will do. Is there a recommended action to remove the malware? Can I un-install Firefox? Or do a system restore point restore?
Thanks. UGH!!!
Hi pwgarcia, do not double-click .js files, as that will execute them. To view their contents, rename the file extension from .js to .txt (plain text).
By default, Windows hides these extensions. I recommend showing all file extensions. See: http://windows.microsoft.com/en-us/windows/show-hide-file-name-extensions
Then you can right-click the file and choose Rename, then change .js to .txt.
For cleaning up, see: Troubleshoot Firefox issues caused by malware (start with Malwarebytes Anti-Malware)
Another page hijack: ~6:50PM CST
my browser crashed (unrelated) so I lost it before I could get here...
spoof Firefox OS URL: https://ovorelike-interactive.net/8021229018401/80e4c443e3ddd5adff132cabe2f2d769/ee5057af3e4a9204a043e093689f23d6.html
Page I was on before it appeared: http://www.twincitiesgasprices.com/index.aspx?mss=263700
PS; is there a different thread ppl are posting these to? should I keep putting them here? (ie, is there anything we can accomplish with the URLs I am posting here?)
Mr KL
And again when I got home. Interesting, same domain, different URL hash...
Spoof Firefox OS URL: https://ovorelike-interactive.net/5551098952165/477ba42b8f955247ce25e9da72ad4ac5/55931535e9bde5b8e38d394c1708f561.html
Page I was on before it appeared: http://www.twincitiesgasprices.com/index.aspx?mss=263700
They must track who has been served the spoof, because it doesn't seem to refresh, even when the same domain serves the same spoof to another connection/computer ~3 hours later...
>cliffontheroad< UPDATE: I just looked at the page info; this certificate was verified by COMODO CA. Point is, this is the first one I've seen from COMODO; all my other ones were from AVAST Web/Mail something...
I didn't mention this earlier because I thought I was looking in the wrong place. Is this good? can we get more help from the AVAST group?
(so this domain, IIRC sent once with AVAST and once from COMODO,,, crap, I don't remember for sure, maybe was another one; OK, 'maybe' this one did send using two different certifiers...)
Mr KL
Modified
troubleshooter said
PS; is there a different thread ppl are posting these to? should I keep putting them here? (ie, is there anything we can accomplish with the URLs I am posting here?)
I am keeping track of many of these urgent Firefox update sites serving the fake firefox-patch that is reported on forum in https://support.mozilla.org/en-US/forums/contributors/712056 . I even had to make a archive thread for older stuff as there was a 10,000 characters limit.
Over the last year there has not really been any fake Firefox update sites and then this urgent update page came along in June or even May.
There was actually one new fake Firefox security update site concept today that I mentioned in https://support.mozilla.org/en-US/forums/contributors/712227 though discussion of that site would be off topic for this thread.
Modified
I'm sure the people who wrote the "Troubleshoot ... caused by malware" are smarter than me, but I would use a system restore point from prior to the phony update install. I'd also use the IE browser and download FF from the mozilla.org site. Then use Windows update to get any updates from Microsoft back into your system. Do note if this update functions. People have seen it sit there forever. Then you have a problem I can not help with.
The orange screen and pop-up box to download always have the same starting URL. Later in the day it happens, the URL registration gets cancelled. The person in Calif is always the same (and yes, one map web site, or 2, do have a problem with the address. The registration compand PDR doesn't give a crap and doesn't follow their own legal rewuirement of verifying anyone as real, so it is a waste of time ....
Submit the .js file you downloaded to a site which an check it out. Virus/malware/ or might it check out as innocent. That's a worry onto itself. Do not bother to submit the URL for several reasons.
My machine is currently having a problem with privledges. I get folders locked/unavailable, special privledges assigned, a user I don't understand, and on and on. Because I also fell for the phony orange screen in Feb, I can not be sure someone has not gained access and run some other program to create these weird things.
To: cliffontheroad
System restore doesn't help if your system has been compromised. That's because the people who write viruses usually infect the restore information and all you do is to restore the virus. The same can happen with the startup-repair sequence.
If you want to do things right you need to get an external hard drive that is big enough to hold several of your backups. Initially install your system BUT DO NOT GET ONLINE. Use a good backup program to back up your system to the external hard drive. Make sure you backup ALL of the OS. Find a good program that you can boot to in order to do a restore also. For Windows XP there was UBCD but that doesn't work with Windows Vista and beyond. Still, there are several ways in which you can make a bootable CD/DVD and put whatever program you used to create the backup onto that CD/DVD.
Once you have your CD/DVD created and your backup created, put both back into the box the disk drive came in. Mark it as your emergency restore disk.
Be sure to install all Antivirus software, anti-spyware software, anti-malware software on to your system before going online. Also any special firewall software you might use. THEN go online and do all updates.
Once you have gotten that far - get your backup disk drive, shut down the network again, and back up your system again. (Hopefully just doing this doesn't put anything onto your system that you do not want.) Afterwards unplug and put the disk drive back up again.
Next, install any/all other software you want on your system (like Office, Photoshop, etc...) - get the drive back out after you have finished with all of that and verified it is installed properly, running properly, and doesn't act weird in some way that would make you suspect you have a virus. Make your third backup.
Now you are pretty much set to do anything you want. Should you have a problem later on - boot off of the CD/DVD, wipe the hard drive - and restore from the last backup. Don't plug the backup disk drive in until after you have wiped the hard drive and rebooted to the CD/DVD again.
This will pretty much keep your system safe.
If you want though, you can get a second drive and start doing daily, weekly, or monthly backups. But not on the first disk drive. That is you golden boy backup. If the second drive gets corrupted - like a virus takes it over - you just first wipe your main hard drive again, then the second external hard drive, restore your system, and keep going.
It is unlikely though, if you protect your system before going online initially, that you will get a virus. It is possible - but unlikely.
My other advise is - use Avira as your main antivirus and if, for whatever reason you still get a virus, have the free Kaspersky antivirus handy. (Or the other way around.) Second opinions are always good for finding what ails your computer. Just don't leave the second Antivirus program on your computer - unless you just like to have it crawl along. Just pause the main antivirus, install and run the free one and then uninstall it immediately. I do the same with anti-spyware software.
For those who are interested: I use Avira but keep Kaspersky handy. I use SuperAntiSpyware but keep Malwarebytes handy.
I also suggest going in to the control panel->network area and disabling the File and Printer Sharing as well as uninstalling it. You don't need it if you aren't in a company. It is one of the things that hackers use. They set your hard drives up to be mounted automatically on their systems when your system boots. Don't need to hack in then. They just start downloading everything you have. Had it done to me once.
I also suggest turning off the "Client for Microsoft Networks". Again, unnessesary. Use TeamViewer or TightVNC or some other program. Works just as well and you can turn off both when you are through and not have to worry if someone's getting onto your system.
Stay safe everyone! :-)