WinXP system restore question

PhantomOG
PhantomOG Posts: 2,409
edited August 2009 in The Clubhouse
Quick question. One of my computers was infected with a nasty virus this morning that will not allow anything to run. Can't run process explorer, notepad, you name it. Because of the nature of the virus I know for a fact that it happened this morning.

I got the infected computer to boot in safe mode and have system restore points for the past week or two. Will system restore work to remove this?

Comments

  • heiney9
    heiney9 Posts: 25,197
    edited August 2009
    Probably not. A friend of mine had a very nasty virus and we were able to system restore in safe mode and it didn't help one bit. She ended up having her entire HD wiped and we reloaded everything.

    Ironically, I use Vipre for virus protection and I had an attack yesterday and while Vipre caught it before it did any real damage I am having a few aftereffects. My firewall no longer allows traffic in or out, so it's currently disabled. Also I have full computer functions back but every time I do a Google search and click on a result I am redirected to a bunch of different random commercial websites. All my favorites and saved tabs work fine however.

    The big thing is my system restore function has been disabled as in there are no longer any restore points. Luckily my brother works in IT and he's always willing to help me and we are figuring it out.

    If I hadn't had Vipre it would have been much worse. Your situation sounds almost exactly like my friend's situation and she lost everything and had to start over.

    Good luck

    H9
    "Appreciation of audio is a completely subjective human experience. Measurements can provide a measure of insight, but are no substitute for human judgment. Why are we looking to reduce a subjective experience to objective criteria anyway? The subtleties of music and audio reproduction are for those who appreciate it. Differentiation by numbers is for those who do not".--Nelson Pass Pass Labs XA25 | EE Avant Pre | EE Mini Max Supreme DAC | MIT Shotgun S1 | Pangea AC14SE MKII | Legend L600 | BlueSound Node 3 - Tubes add soul!
  • PhantomOG
    PhantomOG Posts: 2,409
    edited August 2009
    hmm... this virus seems so up-to-date I'm thinking it was probably smart enough to infect my restore checkpoints. Damn.
  • PhantomOG
    PhantomOG Posts: 2,409
    edited August 2009
    I wonder how far reaching this is. The computer has two hard drives on it, with most of my important data on the non-system drive.

    I'm in safe mode now, and wonder if I can turn on my external hard drive and let it run backup on my data. It's a FreeAgent external drive that I have set to only backup data--no system stuff. If so, I will do that and just re-install Windows.
  • PhantomOG
    PhantomOG Posts: 2,409
    edited August 2009
    and furthermore if any of that data could propagate the virus again
  • heiney9
    heiney9 Posts: 25,197
    edited August 2009
    PhantomOG wrote: »
    I wonder how far reaching this is. The computer has two hard drives on it, with most of my important data on the non-system drive.

    I'm in safe mode now, and wonder if I can turn on my external hard drive and let it run backup on my data. It's a FreeAgent external drive that I have set to only backup data--no system stuff. If so, I will do that and just re-install Windows.
    PhantomOG wrote: »
    and furthermore if any of that data could propagate the virus again

    Those are good questions. In my friend's case I referenced above she has a laptop and has just a single drive for everything. You're probably OK with the 2nd drive, but with viruses you never know.
  • PhantomOG
    PhantomOG Posts: 2,409
    edited August 2009
    yeah... on second thought I don't really think I have anything important between now and my last backup so I think I might just re-install windows on the system drive and go from there.
  • billbillw
    billbillw Posts: 6,815
    edited August 2009
    This is why everyone needs to run full system backups (via Norton Ghost or similar) on a monthly (or weekly) basis. You never know when your system is going to get fracked!
    For rig details, see my profile. Nothing here anymore...
  • heiney9
    heiney9 Posts: 25,197
    edited August 2009
    billbillw wrote: »
    This is why everyone needs to run full system backups (via Norton Ghost or similar) on a monthly (or weekly) basis. You never know when your system is going to get fracked!

    I know after this episode I will be buying Acronis True Image and doing frequent backups.

    Luckily for me I just put a new HD in (strictly for system files) and used the free version of Acronis to transfer the image from the old drive to the new drive and I still have the old drive. This was less than a month ago so I can just use that as a starting point if I need to go that far with it.

    H9
  • PhantomOG
    PhantomOG Posts: 2,409
    edited August 2009
    what a PITA. I was all stoked because I'm getting my new receiver today, but now I'm just pissed about having to re-install windows on a computer.
  • Fongolio
    Fongolio Posts: 3,516
    edited August 2009
    I have had much success with this kind of virus in the past by removing the infected drive(s), putting them in another computer as secondary drives and running a virus scan/cleaner. When the infected drive is clean re-install into computer and 8/10 times the problem is fixed. But not always. Good luck.
    SDA-1C (full mods)
    Carver TFM-55
    NAD 1130 Pre-amp
    Rega Planar 3 TT/Shelter 501 MkII
    The Clamp
    Revox A77 Mk IV Dolby reel to reel
    Thorens TD160/Mission 774 arm/Stanton 881S Shibata
    Nakamichi CR7 Cassette Deck
    Rotel RCD-855 with modified tube output stage
    Cambridge Audio DACmagic Plus
    ADC Soundshaper 3 EQ
    Ben's IC's
    Nitty Gritty 1.5FI RCM
  • PhantomOG
    PhantomOG Posts: 2,409
    edited August 2009
    damn, that's a good idea. I'm right in the middle of running the "repair" Windows XP from the OS disc I have. I'm not really sure what that is going to do as I've always done full blown re-installs. If that doesn't work I will try your idea next. Should be very easy to do as I have another computer right here.
  • John30_30
    John30_30 Posts: 1,024
    edited August 2009
    PhantomOG wrote: »
    what a PITA. I was all stoked because I'm getting my new receiver today, but now I'm just pissed about having to re-install windows on a computer.

    Once upon a time when computers had floppy drives, you could use a bootable AV floppy to clean the hard drive. If the virus hasn't locked you out of safe mode, it's not that mean. Check here for an alternative to a wipe/install, or for future virii disasters-
    http://www.askvg.com/download-free-bootable-rescue-cds-from-kaspersky-bitdefender-avira-f-secure-and-others/
  • Sami
    Sami Posts: 4,634
    edited August 2009
    PhantomOG wrote: »
    what a PITA. I was all stoked because I'm getting my new receiver today, but now I'm just pissed about having to re-install windows on a computer.

    In most cases there is no need to reinstall, although the cleaning process can take more time than basic reinstall. It does however save you time and effort by saving your settings and installed programs.

    Boot the system with a live CD and clean it up. Here are some options for a live CD:

    http://www.ubcd4win.com/
    http://www.nu2.nu/pebuilder/
    http://www.ubuntu.com/getubuntu/download

    Once your system gets infected, DO NOT try to clean it from inside the system, always boot something else to clean it.
  • nguyendot
    nguyendot Posts: 3,594
    edited August 2009
    Why not just remove and repair? (Not repair install).

    That's what I do. My roommate dumped some nasties on my pc because he's ignorant and I had to do a full remove...even malwarebytes wouldn't run.
    Main Surround -
    Epson 8350 Projector/ Elite Screens 120" / Pioneer Elite SC-35 / Sunfire Signature / Focal Chorus 716s / Focal Chorus CC / Polk MC80 / Polk PSW150 sub

    Bedroom - Sharp Aquos 70" 650 / Pioneer SC-1222k / Polk RT-55 / Polk CS-250

    Den - Rotel RSP-1068 / Threshold CAS-2 / Boston VR-M60 / BDP-05FD
  • PhantomOG
    PhantomOG Posts: 2,409
    edited August 2009
    nguyendot wrote: »
    Why not just remove and repair? (Not repair install).

    What do you mean? I booted from the Windows disc and chose repair. What is the "remove" step? Thanks. Good ideas here.
  • kawizx9r
    kawizx9r Posts: 5,150
    edited August 2009
    heiney9 wrote: »
    Also I have full computer functions back but everytime I do a Google search and click on a result I am redirected to a bunch of different random commercial websites. All my favorites and saved tabs work fine however.

    H9

    Everyone else has already covered the virus issue, but regarding what I'm quoting you should run checks for malware. Unlike adware that'll constantly open ads and the sort, malware will do just as you describe: it'll redirect you to different pages such as cruise/travel ads/etc. Get something like Malwarebytes' Anti-Malware, it's free.
    Truck setup
    Alpine 9856
    Phoenix Gold RSD65CS

    For Sale
    Polk SR6500
    Polk SR5250
    Polk SR104


    heiney9 wrote: »
    Any clue how to use the internet? Found it in about 10 sec.
  • nguyendot
    nguyendot Posts: 3,594
    edited August 2009
    Remove the virus/malware and repair the OS..... Usually just a remove is fine.

    Try Malwarebytes antimalware. If it doesn't run, rename the executable.
    Hijackthis works wonders too
    The only thing that fixed my last issue was a program called Trojan Remover....odd off brand but it worked. Normally i don't trust off brand programs.
  • kawizx9r
    kawizx9r Posts: 5,150
    edited August 2009
    Lol just said that regarding malware, but like nguyendot said get rid of what you can before repairing the OS. :D
  • PhantomOG
    PhantomOG Posts: 2,409
    edited August 2009
    yeah, my first step was to try malwarebytes. however, this thing knows every single thing I tried. It basically won't let you run any programs at all, not even notepad. So I was basically hosed from inside windows.

    I'm thinking this repair installation won't really fix anything. I wish I had read/thought of pulling the drive and putting it into another computer before I started this. It looks hung...
  • nguyendot
    nguyendot Posts: 3,594
    edited August 2009
    You need to rename the executable....
    That's how it knows, it just stops that specific name from running.
    Rename Malwarebytes.exe to Malwarebytes1.exe
    rename hijackthis.exe to hijackthis1.exe

    Same thing I got.
  • PhantomOG
    PhantomOG Posts: 2,409
    edited August 2009
    yeah, tried that too. renaming doesn't work. It seems to stop EVERY program from running. CTRL+ALT+DEL and it kills the task manager automatically.

    Anyways, the "repair" by itself didn't work, as expected. I pulled the drive, stuck it in a clean computer and I'm running malwarebytes on the drive. I'm hopeful but not confident. This virus seems pretty smart/recent, so I'm not sure malwarebytes might be up to date enough to catch it.
  • PhantomOG
    PhantomOG Posts: 2,409
    edited August 2009
    now, assuming malwarebytes finds stuff and deletes it, do I immediately go back to another "repair" again?
  • kawizx9r
    kawizx9r Posts: 5,150
    edited August 2009
    Phantom, my wife got the same thing on her laptop. Like you, I couldn't get IE/firefox to open at all so I couldn't even download malwarebytes. I restarted her laptop in safe mode with net., downloaded it and ran it as user admin. Afterward I ran it and it cleaned out almost all of her malware/etc and all that was left to do was a restart. Before that I went ahead and checked out the registry for affiliated files and got rid of them myself. After a restart, logging on her user and rerunning malwarebytes everything worked out great.
  • PhantomOG
    PhantomOG Posts: 2,409
    edited August 2009
    good to hear. I'm hopeful.
  • nguyendot
    nguyendot Posts: 3,594
    edited August 2009
    I ran mine in combination with Symantec Corporate, that's probably why mine wasn't as bad off as yours.

    I'd msconfig it and kill everything.
  • PhantomOG
    PhantomOG Posts: 2,409
    edited August 2009
    do you mean trying to run "msconfig"? tried that, it blocked that as well. This one pretty much makes windows unusable.

    I was trying all kinds of different programs that kill processes. It really does seem to block almost every action within Windows.
  • PhantomOG
    PhantomOG Posts: 2,409
    edited August 2009
    DAMN. Malwarebytes couldn't find anything on that drive. Anyone know any other really up to date scanners I can try?
  • Sherardp
    Sherardp Posts: 8,038
    edited August 2009
    If you had a spare hard drive or another PC you could run the infected drive as a slave and get to it like that. I've done that in the past and it works.
    Shoot the jumper.....................BALLIN.............!!!!!

    Home Theater Pics in the Showcase :cool:

    http://www.polkaudio.com/forums/showcase/view.php?userid=73580
  • PhantomOG
    PhantomOG Posts: 2,409
    edited August 2009
    yeah, that's what I'm doing right now. However, the current version of malwarebytes and AVG don't find anything so this must be pretty new. Screw it, I'm just going to re-install XP. I have my data on a separate hard disk, and I also have backup data of anything important on the system disk.

    Man, I should be making love to my new Denon AVR-989 that the FedEx guy just dropped off. Instead I'm installing Windows :(