WinXP system restore question
PhantomOG
Posts: 2,409
Quick question. One of my computers was infected with a nasty virus this morning that will not allow anything to run. Can't run process explorer, notepad, you name it. Because of the nature of the virus I know for a fact that it happened this morning.
I got the infected computer to boot in safe mode and have system restore points for the past week or two. Will system restore work to remove this?
Comments
-
Probably not. A friend of mine had a very nasty virus and we were able to system restore in safe mode and it didn't help one bit. She ended up having her entire HD wiped and we reloaded everything.
Ironically, I use Vipre for virus protection and I had an attack yesterday and while Vipre caught it before it did any real damage I am having a few after-effects. My firewall no longer allows traffic in or out, so it's currently disabled. Also I have full computer functions back but every time I do a Google search and click on a result I am redirected to a bunch of different random commercial websites. All my favorites and saved tabs work fine however.
The big thing is my system restore function has been disabled as in there are no longer any restore points. Luckily my brother works in IT and he's always willing to help me and we are figuring it out.
If I hadn't had Vipre it would have been much worse. Your situation sounds almost exactly like my friend's situation and she lost everything and had to start over.
Good luck
H9 -
hmm... this virus seems so up-to-date I'm thinking it was probably smart enough to infect my restore checkpoints. Damn.
-
I wonder how far reaching this is. The computer has two hard drives on it, with most of my important data on the non-system drive.
I'm in safe mode now, and wonder if I can turn on my external hard drive and let it run backup on my data. It's a FreeAgent external drive that I have set to only backup data--no system stuff. If so, I will do that and just re-install Windows.
And furthermore if any of that data could propagate the virus again -
-
I wonder how far reaching this is. The computer has two hard drives on it, with most of my important data on the non-system drive.
I'm in safe mode now, and wonder if I can turn on my external hard drive and let it run backup on my data. It's a FreeAgent external drive that I have set to only backup data--no system stuff. If so, I will do that and just re-install Windows. And furthermore if any of that data could propagate the virus again
Those are good questions. In my friend's case I referenced above she has a laptop and has just a single drive for everything. You're probably OK with the 2nd drive, but with viruses you never know.
H9 -
yeah... on second thought I don't really think I have anything important between now and my last backup so I think I might just re-install windows on the system drive and go from there.
-
This is why everyone needs to run full system backups (via Norton Ghost or similar) on a monthly (or weekly) basis. You never know when your system is going to get fracked!
-
This is why everyone needs to run full system backups (via Norton Ghost or similar) on a monthly (or weekly) basis. You never know when your system is going to get fracked!
I know after this episode I will be buying Acronis True Image and doing frequent backups.
Luckily for me I just put a new HD in (strictly for system files) and used the free version of Acronis to transfer the image from the old drive to the new drive and I still have the old drive. This was less than a month ago so I can just use that as a starting point if I need to go that far with it.
H9 -
what a PITA. I was all stoked because I'm getting my new receiver today, but now I'm just pissed about having to re-install windows on a computer.
-
I have had much success with this kind of virus in the past by removing the infected drive(s), putting them in another computer as secondary drives and running a virus scan/cleaner. When the infected drive is clean re-install into computer and 8/10 times the problem is fixed. But not always. Good luck.
-
damn, that's a good idea. I'm right in the middle of running the "repair" Windows XP from the OS disc I have. I'm not really sure what that is going to do as I've always done full blown re-installs. If that doesn't work I will try your idea next. Should be very easy to do as I have another computer right here.
-
what a PITA. I was all stoked because I'm getting my new receiver today, but now I'm just pissed about having to re-install windows on a computer.
Once upon a time when computers had floppy drives, you could use a bootable AV floppy to clean the hard drive. If the virus hasn't locked you out of safe mode, it's not that mean. Check here for an alternative to a wipe/install, or for future virus disasters-
http://www.askvg.com/download-free-bootable-rescue-cds-from-kaspersky-bitdefender-avira-f-secure-and-others/ -
what a PITA. I was all stoked because I'm getting my new receiver today, but now I'm just pissed about having to re-install windows on a computer.
In most cases there is no need to reinstall, although the cleaning process can take more time than basic reinstall. It does however save you time and effort by saving your settings and installed programs.
Boot the system with a live CD and clean it up. Here are some options for a live CD:
http://www.ubcd4win.com/
http://www.nu2.nu/pebuilder/
http://www.ubuntu.com/getubuntu/download
Once your system gets infected, DO NOT try to clean it from inside the system, always boot something else to clean it. -
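The advice above (boot something else, never clean from inside the infected OS) and the earlier "pull the drive and scan it in a clean PC" suggestion both come down to the same thing: read the infected file system while none of its code is running. A signature scanner is one thing to run over the offline drive; another, which helps precisely when the scanner is not up to date, is to use what the poster already knows (the infection happened this morning) and list executables written since then, plus whatever sits in the Startup folders. The script below is an added example, not code from the thread. It assumes the pulled XP drive is mounted read-only at some path on the clean machine; the sample tree it builds, and the file name `hgfdsa.exe`, are constructed for the example.

```python
import os
import tempfile
import time
from pathlib import Path

# Extensions worth listing; XP malware of this era hid as .exe/.dll/.sys and
# occasionally .scr/.pif/.cmd/.vbs droppers.
EXEC_EXTS = {".exe", ".dll", ".sys", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs"}

# XP Startup folders, relative to the drive root (all-users and per-user).
STARTUP_DIRS = (
    "Documents and Settings/All Users/Start Menu/Programs/Startup",
    "Documents and Settings/*/Start Menu/Programs/Startup",
)


def recent_executables(root, since, exts=EXEC_EXTS):
    """Executables under `root` with mtime >= `since` (Unix timestamp), newest first.

    Caveat: mtime is trivially forged, so this is a triage list, not proof.
    Anything it finds still needs scanning/hashing; anything it misses may
    still be malicious (timestomped), which is why the Startup check is separate.
    """
    root = Path(root)
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if Path(name).suffix.lower() not in exts:
                continue
            path = Path(dirpath, name)
            try:
                mtime = path.stat().st_mtime
            except OSError:
                continue
            if mtime >= since:
                hits.append((path.relative_to(root).as_posix(), mtime))
    hits.sort(key=lambda h: h[1], reverse=True)
    return hits


def startup_entries(root):
    """Everything in the Startup folders of the mounted drive (runs at logon)."""
    root = Path(root)
    found = []
    for pattern in STARTUP_DIRS:
        for folder in root.glob(pattern):
            found.extend(p.relative_to(root).as_posix() for p in folder.iterdir())
    return sorted(found)


def build_sample_drive():
    """Constructed stand-in for the pulled system drive: a few old system files
    plus one dropper written 'this morning' with a Startup shortcut (invented)."""
    root = Path(tempfile.mkdtemp(prefix="xp_drive_"))
    now = time.time()
    old = now - 30 * 86400
    files = {
        "WINDOWS/system32/kernel32.dll": old,
        "WINDOWS/system32/notepad.exe": old,
        "WINDOWS/system32/drivers/etc/hosts": old,
        "Documents and Settings/phantom/Local Settings/Temp/hgfdsa.exe": now,
        "Documents and Settings/phantom/Start Menu/Programs/Startup/hgfdsa.lnk": now,
    }
    for rel, mtime in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"MZ")  # placeholder content, not a real PE
        os.utime(p, (mtime, mtime))
    return root


if __name__ == "__main__":
    # Real use: recent_executables("/mnt/infected", since=<timestamp of this morning>)
    drive = build_sample_drive()
    since = time.time() - 6 * 3600
    for rel, mtime in recent_executables(drive, since):
        print(time.strftime("%Y-%m-%d %H:%M", time.localtime(mtime)), rel)
    print("Startup:", startup_entries(drive))
```

On a real drive the list will also contain legitimate files (Windows Update, installers), so the point is to shorten the set you then hash or submit to a scanner, not to delete everything it prints.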
Why not just remove and repair? (Not repair install).
That's what I do. My roommate dumped some nasties on my pc because he's ignorant and I had to do a full remove...even malwarebytes wouldn't run.
-
Why not just remove and repair? (Not repair install).
What do you mean? I booted from the Windows disc and chose repair. What is the "remove" step? Thanks. Good ideas here. -
Also I have full computer functions back but everytime I do a Google search and click on a result I am redirected to a bunch of different random commercial websites. All my favorites and saved tabs work fine however.
H9
Everyone else has already covered the virus issue, but regarding what I'm quoting you should run checks for malware. Unlike adware that'll constantly open ads and the sort, malware will do just as you describe, it'll redirect you to different pages such as cruise/travel ads/etc. Get something like Malwarebytes' Anti-Malware, it's free.
-
Remove the virus/malware and repair the OS..... Usually just a remove is fine.
Try Malwarebytes antimalware. If it doesn't run, rename the executable.
Hijackthis works wonders too
The only thing that fixed my last issue was a program called Trojan Remover....odd off brand but it worked. Normally i don't trust off brand programs.
-
Lol just said that regarding malware, but like nguyendot said get rid of what you can before repairing the OS.
-
yeah, my first step was to try malwarebytes. however, this thing knows every single thing I tried. It basically won't let you run any programs at all, not even notepad. So I was basically hosed from inside windows.
I'm thinking this repair installation won't really fix anything. I wish I had read/thought of pulling the drive and putting it into another computer before I started this. It looks hung... -
You need to rename the executable....
That's how it knows, it just stops that specific name from running.
Rename Malwarebytes.exe to Malwarebytes1.exe
rename hijackthis.exe to hijackthis1.exe
Same thing I got.
-
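The rename trick works against malware that blocks tools by file name. One common way XP-era rogue software did that was the Image File Execution Options "Debugger" value, which makes Windows launch a different program whenever an executable with that name is started; renaming the tool sidesteps the entry. Whether this particular infection uses that mechanism is not known from the thread (the OP reports that renaming did not help), but it is cheap to check once the drive is in a clean PC. The script below is an added example, not code from the thread or from any tool named here. It assumes you load the offline SOFTWARE hive and export the IFEO key with the built-in `reg` command, then parse the export; the sample export text and the path `hgfdsa.exe` in it are constructed.

```python
import re

# On the clean PC (Administrator prompt), with the infected drive as E:, the
# offline hive is loaded and the IFEO key exported like this (assumed workflow):
#   reg load HKLM\Infected E:\WINDOWS\system32\config\software
#   reg export "HKLM\Infected\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg
#   reg unload HKLM\Infected
# `reg export` writes UTF-16LE text; read it with encoding="utf-16".

# Constructed sample of that export. The redirect target is invented.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Infected\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

[HKEY_LOCAL_MACHINE\Infected\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbam.exe]
"Debugger"="C:\\WINDOWS\\system32\\hgfdsa.exe"

[HKEY_LOCAL_MACHINE\Infected\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe]
"Debugger"="C:\\WINDOWS\\system32\\hgfdsa.exe"

[HKEY_LOCAL_MACHINE\Infected\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe]
"DisableHeapLookaside"=dword:00000001
"""

# Debuggers that legitimately appear here (e.g. Process Explorer's
# "Replace Task Manager" option sets taskmgr.exe -> procexp.exe).
KNOWN_DEBUGGERS = {"procexp.exe", "windbg.exe", "ntsd.exe"}

_DEBUGGER_RE = re.compile(r'^"Debugger"="(.*)"$')


def ifeo_debuggers(reg_text):
    """Return [(image_name, debugger_path)] for every Debugger value in the export.

    Only string (REG_SZ) values are handled; .reg escapes backslashes as '\\\\'.
    """
    hijacks = []
    current_key = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            continue
        m = _DEBUGGER_RE.match(line)
        if m and current_key is not None:
            image = current_key.rsplit("\\", 1)[-1].lower()
            debugger = m.group(1).replace("\\\\", "\\")
            hijacks.append((image, debugger))
    return hijacks


def suspicious_hijacks(hijacks, known=KNOWN_DEBUGGERS):
    """Entries whose debugger is not a known debugging tool.

    Also flags the case where several images share one debugger, which is the
    'block every tool by name' pattern rather than a developer's own setting.
    """
    return [
        (image, dbg)
        for image, dbg in hijacks
        if dbg.replace("/", "\\").rsplit("\\", 1)[-1].lower() not in known
    ]


def load_export(path):
    """Read a real `reg export` file (UTF-16LE with BOM) and parse it."""
    with open(path, encoding="utf-16") as f:
        return ifeo_debuggers(f.read())


if __name__ == "__main__":
    for image, dbg in suspicious_hijacks(ifeo_debuggers(SAMPLE_REG)):
        print(f"{image} is redirected to {dbg}")
```

A hit means the named program never runs; Windows starts the "debugger" instead, which is exactly the "it kills Task Manager automatically" behaviour described above. Deleting the `Debugger` value (with the hive still loaded, `reg delete` on the subkey) restores the tool, but since the OP found renaming did not help, this infection is most likely hooking process creation some other way as well, so the offline scan is still the right path.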
yeah, tried that too. renaming doesn't work. It seems to stop EVERY program from running. CTRL+ALT+DEL and it kills the task manager automatically.
Anyways, the "repair" by itself didn't work, as expected. I pulled the drive, stuck it in a clean computer and I'm running malwarebytes on the drive. I'm hopeful but not confident. This virus seems pretty smart/recent, so I'm not sure Malwarebytes might be up to date enough to catch it. -
now, assuming malwarebytes finds stuff and deletes it, do I immediately go back to another "repair" again?
-
Phantom, my wife got the same thing on her laptop. Like you, I couldn't get IE/firefox to open at all so I couldn't even download malwarebytes. I restarted her laptop in safe mode with networking, downloaded it and ran it as user admin. Afterward I ran it and it cleaned out almost all of her malware/etc and all that was left to do was a restart. Before that I went ahead and checked out the registry for affiliated files and got rid of them myself. After a restart, logging on her user and rerunning malware bytes everything worked out great.
-
good to hear. I'm hopeful.
-
I ran mine in combination with Symantec Corporate, that's probably why mine wasn't as bad off as yours.
I'd msconfig it and kill everything.
-
do you mean trying to run "msconfig"? tried that, it blocked that as well. This one pretty much makes windows unusable.
I was trying all kinds of different programs that kill processes. It really does seem to block almost every action within Windows. -
DAMN. Malwarebytes couldn't find anything on that drive. Anyone know any other really up to date scanners I can try?
-
If you had a spare hard drive or another PC you could run the infected drive as a slave and get to it like that. I've done that in the past and it works.
-
yeah, that's what I'm doing right now. However, the current version of malwarebytes and AVG don't find anything so this must be pretty new. Screw it, I'm just going to re-install XP. I have my data on a separate hard disk, and I also have backup data of anything important on the system disk.
Man, I should be making love to my new Denon AVR-989 that the FedEx guy just dropped off. Instead I'm installing Windows