Question


bad virus?

By joshfoxxx
I cannot get my system to restore.


All Answers


To start the System Restore tool from a Command Prompt

by Jacky Howe In reply to bad virus?

Restart your computer, and then press F8 during the initial startup to start your computer in Safe Mode with a Command Prompt.

Log on to your computer with an administrator account or with an account that has administrator credentials.

Type the following command at a command prompt, and then press ENTER:

%systemroot%\system32\restore\rstrui.exe

Follow the instructions that appear on the screen to restore your computer to an earlier state.


If you can't enter Safe Mode try this.

Boot the system using the Windows XP CD-ROM. On the first screen when Setup begins, read the instructions and press "R" to enter the Recovery Console.

1: C:\WINDOWS

Which Windows Installation would you like to log on to (To cancel, press ENTER)?

After you enter the number for the appropriate Windows installation, Windows will then prompt you to enter the Administrator account password.

Note: If you use an incorrect password three times, the Windows Recovery Console closes. Also, if the Security Accounts Manager (SAM) database is missing or damaged, you cannot use the Windows Recovery Console because you cannot have correct authentication. After you enter your password and the Windows Recovery Console starts, type exit to restart the computer.

Type the following commands, pressing Enter after each one.

Type CD\ then Enter

Then type cd system~1\_resto~1 then Enter

Type dir then Enter

When you hit Enter it will list all the restore point folders like rp1, rp2 ... If the restore points take more than one page you will have to keep hitting the <Enter> key to view the last restore point folder. You will have to choose the second-to-last folder.

Type cd rp{the second-to-last restore point no.} (Note: for example, cd rp9, if rp9 is the second-to-last restore point and the last restore point no. is 10.)

Then type cd snapshot

Now the command prompt will look like this c:\system~1\_resto~1\rp9\snapshot

Type: copy _registry_machine_system c:\windows\system32\config\system

Press enter

Then type: copy _registry_machine_software c:\windows\system32\config\software

Then type exit

TIP!

If you get an access denied error when doing the above, then do the following at the recovery console:

Type CD\ then press Enter

Type cd windows\system32\config then press Enter

Type ren system system.bak then press Enter

Type exit and press Enter

Your PC will reboot, go back into the Recovery Console and then you have access.

<i>Keep us informed as to your progress if you require further assistance.</i>

<HR>
<i>If you think that any of the posts that have been made by all TR Members, have solved or contributed to solving the problem, please Mark them as <b>Helpful</b> so that others may benefit from the outcome. </i> :-bd
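As an added illustration of the Recovery Console steps above (not part of the original post), this Python helper reads a constructed `dir` listing of the _restore folder, picks the second-to-last restore point by number, and lists the two hive copies the post performs. The folder names, dates and the `HIVES` mapping are assumptions built from the post; the listing itself is made up, not captured from a real machine.

```python
import re

# Constructed sample of a Recovery Console `dir` listing of c:\system~1\_resto~1
# (System Volume Information\_restore{...}); dates and sizes are made up.
SAMPLE_DIR_LISTING = """\
 Directory of c:\\system~1\\_resto~1

03/01/09  09:14a        <DIR>          .
03/01/09  09:14a        <DIR>          ..
02/20/09  08:02p        <DIR>          RP8
02/25/09  11:30a        <DIR>          RP9
03/01/09  09:14a        <DIR>          RP10
02/15/09  10:00a             1,024     change.log
"""

# Snapshot hive file -> live hive it overwrites (the two copies made in the post)
HIVES = {
    "_registry_machine_system": r"c:\windows\system32\config\system",
    "_registry_machine_software": r"c:\windows\system32\config\software",
}

def restore_point_numbers(listing):
    """Return the RPn folder numbers found in a dir listing, sorted numerically."""
    nums = []
    for line in listing.splitlines():
        m = re.search(r"<DIR>\s+rp(\d+)\s*$", line, re.IGNORECASE)
        if m:
            nums.append(int(m.group(1)))
    return sorted(nums)

def choose_restore_point(listing):
    """Pick the second-to-last restore point, as the post advises.
    Sorting by number matters: as text, 'RP9' would sort after 'RP10'."""
    nums = restore_point_numbers(listing)
    if len(nums) < 2:
        raise ValueError("need at least two restore points to pick the second-to-last")
    return nums[-2]

def plan_hive_restore(listing):
    """Return (snapshot folder, [(source, destination), ...]) for the copy commands."""
    rp = choose_restore_point(listing)
    snapshot = rf"c:\system~1\_resto~1\rp{rp}\snapshot"
    copies = [(f"{snapshot}\\{src}", dst) for src, dst in HIVES.items()]
    return snapshot, copies
```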


To test for Virus activity

by Jacky Howe In reply to To start the System Resto ...

Follow the steps below with the System started and restarted in Safe Mode with Networking. Running in Safe Mode loads a minimal set of drivers for the Operating System. You can use these options to start Windows so that you can modify the registry or load or remove drivers.

Removing malware from System Restore points
To remove the malware, you must first disable System Restore, then scan the system with up-to-date antivirus software - allowing it to clean, delete, or quarantine any viruses found. After the system has been disinfected, you may then re-enable System Restore. The steps for disabling System Restore vary, depending on whether the default Start Menu or the Classic Start Menu is being used.

Default Start Menu XP
If using the default Start Menu, click Start | Control Panel | Performance and Maintenance | System. Select the System Restore tab and check "Turn off System Restore".

Classic Start Menu XP
If using the Classic Start Menu, click Start | Settings | Control Panel and double-click the System icon. Select the System Restore tab and check "Turn off System Restore".

Vista
Click Start, right-click Computer and select Properties. Select Advanced System Properties, click Continue and then System Protection. Untick the box next to Local Disk C: and click Turn System Restore off.


After scanning the system and removing the offending malware, re-enable System Restore by repeating the steps, this time removing the check from "Turn off System Restore".

Click Start, Run type msconfig and press Enter.

Now, with the Configuration Utility open:
Configure selective startup options
In the System Configuration Utility dialog box, click the General tab, and then click Selective Startup.
Click to clear the Process SYSTEM.INI File check box.
Click to clear the Process WIN.INI File check box.
Click to clear the Load Startup Items check box. Verify that Load System Services and Use Original BOOT.INI are checked.
Click the Services tab.
Click to select the Hide All Microsoft Services check box.
Click Disable All, and then click OK.
When you are prompted, save the settings and restart the PC.
When the System is disinfected re-run the Configuration Utility and in the System Configuration Utility dialog box, click the General tab, and then click Normal Startup.

Download Malwarebytes Anti-Malware, install it and update it.

<a href="http://download.bleepingcomputer.com/malwarebytes/mbam-setup.exe" target="_blank"><u>Malwarebytes</u></a>

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform Quick Scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.

If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
<a href="http://malwarebytes.gt500.org/mbam-rules.exe" target="_blank"><u>mbam-rules</u></a>

I would keep scanning with it until it is clean by closing out and rebooting and running it again.


From another PC download and install Spybot, update it and copy the installed folders to a USB stick.

Restart the PC in Safe Mode, navigate to the USB stick and run Spybot.

Download Spybot - Search & Destroy and install it. Update it. http://www.safer-networking.org/en/download/index.html

With the new strains of virus that have been created you may find it necessary to rename the executable files so that they will work. Rename mbam-setup.exe and then navigate to the install folder and rename mbam.exe. Do not change the file extension from .exe. Do the same with Spybot.

Also run this rootkit revealer, GMER
<a href="http://www.gmer.net/index.php" target="_blank"><u>Gmer</u></a>

FAQ
<a href="http://www.gmer.net/faq.php" target="_blank"><u>FAQ</u></a>

BleepingComputer
<a href="http://www.bleepingcomputer.com/malware-removal/" target="_blank"><u>bleepingcomputer</u></a>

How to check the hosts file

Step 1: Click the Start button and select Run. Now type the following text in that Run box and press Enter:

notepad c:\WINDOWS\system32\drivers\etc\hosts

Step 2: You will see a new notepad window on your screen containing some information. You should have a single entry of 127.0.0.1 localhost. If there are any other entries in there it means that those sites are being blocked and it is probably due to an infection. Unless you made the extra entries delete them all but 127.0.0.1 localhost.

If it is the DNS changer fixwareout will remove this.

<a href="http://download.bleepingcomputer.com/lonny/Fixwareout.exe" target="_blank"><u>Fixwareout</u></a>

The DNSChanger trojan is usually a small file (about 1.5 kilobytes) that is designed to change the 'NameServer' Registry key value to a custom IP address. This IP address is usually encrypted in the body of a trojan. As a result of this change a victim's computer will contact the newly assigned DNS server to resolve names of different webservers. And some of the resolved names will not point to legitimate websites - they will point to fake websites that look like real ones, but are created to steal sensitive information (like credit card numbers, logins and passwords).

VARIANT: Trojan.Win32.DNSChanger.al

Update your Antivirus software.


If TaskManager has been disabled this will enable TaskManager to allow access to the Registry.

Command line removal
Click Start Run and type cmd and then press Enter.

Execute the following commands in the command line in order to activate the Registry Editor and Task Manager: answer "y" and press Enter.

reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr

reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools

Just to be on the safe side when you finish do an online scan with Bitdefender. Or Google for an online scanner.

<a href="http://www.bitdefender.com/scan8/ie.html" target="_blank"><u>bitdefender</u></a>
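As an added example for the hosts file check above (my code, not from the post), this Python snippet parses a constructed hosts file and classifies every entry other than the default loopback line: names pinned to a loopback address are "blocked" (the site silently becomes unreachable), names pointed elsewhere are "hijacked". The sample file and the `.test` domain names are made up for illustration.

```python
import ipaddress

# Constructed sample hosts file; the extra entries are invented to show what a
# tampered file looks like and are not taken from a real infection.
SAMPLE_HOSTS = """\
# hosts file header (constructed sample)

127.0.0.1       localhost
127.0.0.1       www.example-av-vendor.test
127.0.0.1       update.example-av-vendor.test   # AV update site pinned to loopback
203.0.113.7     www.example-bank.test
"""

# The only entries expected on a clean machine (::1 on Vista and later).
EXPECTED = {("127.0.0.1", "localhost"), ("::1", "localhost")}

def parse_hosts(text):
    """Return (ip, hostname) pairs, ignoring comments and blank lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop full-line and inline comments
        parts = line.split()
        if len(parts) < 2:
            continue                          # blank or malformed line maps nothing
        ip = parts[0]
        for name in parts[1:]:                # one IP may list several names
            entries.append((ip, name.lower()))
    return entries

def audit_hosts(text):
    """Return (kind, ip, name) for every non-default entry:
    'blocked' = loopback address, 'hijacked' = any other address, 'invalid' = bad IP."""
    findings = []
    for ip, name in parse_hosts(text):
        if (ip, name) in EXPECTED:
            continue
        try:
            kind = "blocked" if ipaddress.ip_address(ip).is_loopback else "hijacked"
        except ValueError:
            kind = "invalid"
        findings.append((kind, ip, name))
    return findings

def clean_hosts(text):
    """Keep only the default loopback entries, as the post tells the user to do."""
    kept = [f"{ip}\t{name}" for ip, name in parse_hosts(text) if (ip, name) in EXPECTED]
    return "\n".join(kept) + "\n"
```

Run `audit_hosts` against the content of notepad's hosts window before deleting anything; an empty result means the file is in its default state.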


Maybe...

by Jay217 In reply to bad virus?

But more importantly what type of restore are you trying to do and why?

Are you trying a windows system restore? Are you trying to use the restore/recovery cd's that came with your system?

If you did have an infection then the windows system restore may have been damaged.


Well with the dearth of information provided

by OH Smeg In reply to bad virus?

it must be a really nasty Virus to so adversely affect your Mac.

OSX is remarkably resilient to Virus Attacks but that by no means means that the OS is immune to them. You should use a Standard AV Product and keep it up to date.

If this is a Windows System, Virus Attacks are to be expected and a System Restore is pointless; you need to clean the infection. If you have tried the usual things you need to wipe the HDD with a Utility like Boot & Nuke

http://www.dban.org/download

Then use the Disc supplied with the computer to reload the OS and any associated software, then install an AV Product and some Malware scanners to keep the system clean.

AVG Free is a good AV Product and it is available here

http://free.avg.com/download-avg-anti-virus-free-edition

Malware Bytes is one of the better malware Scanners available from here

http://www.download.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html?tag=mncol&cdlPid=11004434

and Spybot S&D is the last thing that should be installed; it is available here

http://www.safer-networking.org/en/download/index.html

Between these 3 free Products you should be able to keep any home Windows system clean.

Col
