Virus hidden in restore folder in XP ..... how to remove

By Dusterman
Found a massive infection and removed it, only to find that it was also in the system restore :-(

Loaded a new [ older ] hard drive and rebooted the machine with the original as a slave ..... can access all pertinent info .... all is good [ may be ok ? ].

Works great ......... but can't stand to be beaten ....... any info about cleaning out the restore folder will be appreciated.

Thought about trying to delete the infected folder and replace it with the "new" one .... but in case it's needed it would only have the very basics and no old "important" info.

Thank you in advance.

Mike


All Answers

System Restore...

by scott_heath In reply to Virus hidden in restore f ...

Have you tried booting from the original drive and turning off system restore from safe mode then scanning for viruses again?

Disable system restore

by jamesatmaisonverre In reply to Virus hidden in restore f ...

Disable system restore and reboot your PC. Then do a disk clean, delete everything out of your temp folders and I mean everything. When you DISABLE SYSTEM RESTORE IT DELETES ALL PREVIOUSLY SAVED DATA ON THE COMPUTER.

Deletes All Data?

by PC_Techie, MCP In reply to Disable system restore

When system restore is turned off, it doesn't delete all data on the computer, just the system restore points. It will not delete data like important files, programs, etc.

System Restore does not monitor changes to or recover personal data files such as Word documents, graphics, e-mail, etc.

As System Restore monitors a core set of specified system and application file types, any downloaded or saved file which has an extension type monitored by System Restore (e.g. .exe, .dlls) and stored on a monitored drive will be lost if restoring to a point prior to the download or save. If you do not want to lose files with a monitored extension due to a restore, you should move these files to the My Documents folder or to a non-monitored partition not restored during a restore process. If you have unknowingly deleted some files due to a restore on your system, you can always recover them by undoing the restore process in question.

Possible solution for your situation!

by bijoy.y In reply to Virus hidden in restore f ...

We have been witnessing some strange incidents on some of the desktops of the users here at the Malad, Mumbai site. It is strange enough that our corporate antivirus is not able to find any of the worms, trojan variants and cloaked malware such as this case. I have put down some of my findings here for your perusal, which could be of some use as a reference by the time our antivirus team comes up with a possible solution or a patch for this existing situation.

SYMPTOMS:

1) User not able to access web pages.
2) Antivirus definitions too old on systems infected and are not able to detect any viruses.
3) System processing very slowly.
4) DNS address changes.

OBSERVATION:

1) Strange hidden folders like "SYSTEM"; "RESTORE" and a file named "autorun.ini" are found in all the drive partitions present in the PC. On deletion of the above-mentioned folders and files, they have been noticed to regenerate in a fraction of a second.

2) On isolating the autorun.ini file, it showed a reference to an exe within the restore folder called RanDll.exe which is triggered to execute when the user double-clicks the drive to access his/her files. Following is a sample of the malicious code found within the autorun.ini file.

[autorun]
open=RESTORE\k-1-3542-4232123213-7676767-8888886\RanDll.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
action=Open folder to view files
shell\open=Open
shell\open\command=RESTORE\k-1-3542-4232123213-7676767-8888886\RanDll.exe
shell\open\default=1

3) On zeroing in on the RanDll.exe file, it was found to be responsible for all the unusual activities on the system.
Follow link (FOR MORE DETAILS): http://www.prevx.com/filenames/895167598895702954-X1/RANDLL.EXE.html
Also please find attached a report received after submitting the file to www.virustotal.com .

REMOVAL:

Step 1> Disable System Restore on all drives.
Step 2> Disconnect the LAN cable.
Step 3> Reboot the system into Safe Mode.
Step 4> Go into the registry editor. Take a backup of the registry and search for the file named "randll.exe". Delete all entries found from the registry.
Step 5> Delete all the hidden "RESTORE" folders from all the drive partitions and the "autorun.ini" files carefully using Windows Explorer (Winkey+E). For a change, we did not find the folder options getting disabled here.
Step 6> Reboot the system to normal mode.
Step 7> Re-connect the LAN cable.
Step 8> Update your antivirus to the latest definitions and scan your system. Update antispyware to the latest definitions and scan your system thoroughly.
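An added example, not from this post or the thread: a small Python checker that parses an autorun file like the one quoted above and flags every entry that would launch something when the drive is opened, with a stronger warning when the target sits under a hidden RESTORE-style folder. The sample text is constructed from the fragment in the post; the folder and key lists are assumptions chosen for illustration.

```python
import re

# Constructed sample modelled on the autorun.ini fragment quoted in the post (not a real capture).
SAMPLE_AUTORUN = """[autorun]
open=RESTORE\\k-1-3542-4232123213-7676767-8888886\\RanDll.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
action=Open folder to view files
shell\\open=Open
shell\\open\\command=RESTORE\\k-1-3542-4232123213-7676767-8888886\\RanDll.exe
shell\\open\\default=1
"""

# Keys whose value Windows launches when the drive is opened or auto-played.
LAUNCH_KEYS = ("open", "shellexecute")
# shell\<verb>\command keys hijack the drive's context-menu verbs (Open, Explore, ...).
LAUNCH_KEY_RE = re.compile(r"^shell\\[^\\]+\\command$")
# Hidden/system folder names that should never host something a drive launches on open (assumed list).
SUSPICIOUS_DIRS = ("restore", "system volume information", "recycler", "recycled")
EXEC_EXT = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif")

def parse_autorun(text):
    """Return the [autorun] section as {key: value}; keys are lower-cased (INI keys are case-insensitive)."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries

def audit_autorun(text):
    """Return (key, target, reason) for every entry that launches something when the drive is opened."""
    findings = []
    for key, target in parse_autorun(text).items():
        if key not in LAUNCH_KEYS and not LAUNCH_KEY_RE.match(key):
            continue
        parts = [p.lower() for p in re.split(r"[\\/]+", target.strip('"')) if p]
        if not parts:
            continue
        if any(p in SUSPICIOUS_DIRS for p in parts[:-1]):
            findings.append((key, target, "executable parked under a hidden RESTORE-style folder"))
        elif parts[-1].endswith(EXEC_EXT):
            findings.append((key, target, "launches an executable when the drive is opened"))
    return findings
```

Run it over every autorun.inf/autorun.ini found at a partition root; any finding on a fixed data partition deserves a look, since only install media normally launch anything on open.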

>>> ZOMBIE ALERT!!! <<<

by OldER Mycroft In reply to Possible solution for you ...

You are by far the most prolific of Zombie Hunters !!

No less than 31 months ago, this thread was put to rest. Then two and a half years later, you come along and dig it all up again.

WOO HOO !!

maybe

by .Martin. In reply to >>> ZOMBIE ALERT!!! <<<

He saw this article two and a half years ago, and has been working on an answer ever since.

Certainly stoic if not stupid. { nt }

by OldER Mycroft In reply to maybe

While that may work

by OH Smeg In reply to can download file fix

I think you'll find you are about 4 years too late. This question was asked in 2006.

I very much doubt that the OP still wants an answer.

Col

Twice reanimated, no less...

by AnsuGisalas In reply to While that may work

*Peers at contributor list*
Well, isn't it so : that is not dead which may eternal lie?
