Author |
Topic: Virus, Crash, Restore & No Windows |
J W Alexander
From: Reynoldsburg, Ohio, USA
|
Posted 17 May 2009 4:37 am
|
|
Saturday morning about 6:30am EST I got what was a false security alert which suggested I do a security scan after which I could clean, disinfect and otherwise rid myself of the threat. Not recognizing the icon I attempted to use my Symantec Client anti-virus which seemed to have been disabled along with the warning. Running Windows XP Pro, dial up ISP with Symantec firewall and anti-virus software I thought had been updated automatically or frequently.
After a few attempts to also run the SuperAntivirus software it too was disabled. Nearly every function which required an internet connection received an error message to the effect all .exe programs failed, were infected with yet another suggestion I do the scan using the unknown anti-virus program that seemed to have self installed.
I did NOT at any time click on an unknown link or pop-up as I believed those had been blocked. After a while my entire desktop background image along with all desktop icons were replaced with a black screen, large red letters warning me of the infection etc. At this point I enlisted the help of a trusted friend who found and deleted the suspected virus. After this we could not get Windows to load in---wouldn't reboot fully, only had the original desktop original background photo provided by Microsoft as an option, NOT a downloaded image.
Today I have a few internet icons/shortcuts which do allow internet access where I can navigate and visit as before however none of the Windows programs are displayed onscreen. I am signed on presently and creating this topic on that very computer. My system tray is not visible; shortcuts to MS MediaPlayer and Control Panel are visible however they don't bring up anything when double-clicked.
Most of the Windows functions seem to be accessible in the safe mode if that needs to be known.
Naturally I have a ton of information and semi-valuable stuff but nothing so vitally important or irreplaceable. Any suggestions what to do or try would be greatly appreciated. I live in the Columbus, Ohio area and will gladly take my computer anywhere in order to fix this without a clean reinstallation unless that is the only option.
Thanks all---once again Steelers to the rescue!
J W |
|
|
|
John Roche
From: England
|
Posted 17 May 2009 5:40 am
|
|
If you are running XP do a system restore to a time before this happened |
|
|
|
J W Alexander
From: Reynoldsburg, Ohio, USA
|
Posted 17 May 2009 5:48 am
|
|
A system restore might be the trick however I don't know how to do that---not competently anyway.
Windows won't display but perhaps the restore function could be accessed in the safe mode?
J W |
|
|
|
Jon Light (deceased)
From: Saugerties, NY
|
Posted 17 May 2009 5:54 am
|
|
I had an XP virus last year that sounds somewhat similar and among other things it did, it disabled system restore---I tried to restore and there were no saved restore points. However I agree that this is the first thing you should try.
Try safe mode boot, go into Start menu>>Accessories>>System Tools (this is from memory--I'm on Vista now.)
Finally my only option with the XP situation was to reinstall Windows. |
|
|
|
J W Alexander
From: Reynoldsburg, Ohio, USA
|
Posted 17 May 2009 6:04 am
|
|
My current problem is I can't access or see any Windows icons---nothing. The system tray is also missing.
Thanks so far! |
|
|
|
Earnest Bovine
From: Los Angeles CA USA
|
Posted 17 May 2009 8:07 am
|
|
Maybe the Windows key will bring up the start menu, whence you can go to Programs -> Accessories -> System Tools -> System Restore. |
|
|
|
John Roche
From: England
|
Posted 17 May 2009 9:10 am
|
|
Restart in safe mode, that will give you the option to restore. |
|
|
|
John Roche
From: England
|
Posted 17 May 2009 9:18 am
|
|
Try this. Go to Task Manager and start a new process called explorer.exe and it should show up |
|
|
|
Wiz Feinberg
From: Mid-Michigan, USA
|
Posted 17 May 2009 9:51 am
|
|
If all of the other suggestions fail to restore Windows and if you possess the XP Pro CD, insert it and reboot. When asked to boot from the CD, press any key. When activity stops select the option to run Setup. When the Setup options screen appears choose the option to Repair an existing installation of Windows, highlight your Windows installation (usually C:\Windows) and proceed. Note, this is not the same Repair as the Recovery Console repair. This one is also known as an in-place re-installation. It will restore system files that were corrupted by the virus/malware.
After you finish the repair setup and are able to enter normal Windows you will have to go straight to Windows Update manually and re-download all updates released since that CD was published. Do not browse to any other website than Windows Update. Get there via the link in Internet Explorer, on the Tools or Safety menu item.
Note, that Automatic Updates will not function until a code fix is applied, as shown below the next paragraph.
Be sure you reboot when requested, then return to Windows Update until there are no more patches available. Once you have gotten every available Windows Update you will need to re-register your new Automatic Updates file, which will have been replaced by the original file during the repair reinstallation. Follow these directions to fix this:
1. Open a Command Window by going to Run and typing in CMD, then pressing Enter.
2. Type: net stop wuauserv
3. Press Enter
4. Type: regsvr32 %windir%\system32\wups2.dll
5. Press Enter
6. Click OK on each verification message that you receive.
7. Type: net start wuauserv
8. Press Enter
9. Type Exit and press Enter to close the Command Window.
_________________ "Wiz" Feinberg, Moderator SGF Computers Forum
Security Consultant
Twitter: @Wizcrafts
Main web pages: Wiztunes Steel Guitar website | Wiz's Security Blog | My Webmaster Services | Wiz's Security Blog |
|
|
|
J W Alexander
From: Reynoldsburg, Ohio, USA
|
Posted 17 May 2009 10:41 am
|
|
Hey Wiz-----thanks for your input as always!
Question though---if I do the re-installation does that wipe out my existing files, settings and so on? If so how can I first back them up or save to a disc on the affected computer?
Thanks again guys----
J W |
|
|
|
Alan Brookes
From: Brummy living in Southern California
|
Posted 17 May 2009 11:07 am
|
|
Go into DOS, the Command Interpreter, and copy the files onto an external drive, or second internal drive if you have one, then disconnect the second drive before you re-install Windows. The problem here is that your drivers may not be working, so you may not have access to an external disk. Is your CD Drive still working? Maybe you could copy files onto CD-Rs or DVD-Rs.
I've had to re-install Windows XP Pro on both of my machines in recent months. On both of them my other data was unaffected, but on one of the machines my internet stopped working and I haven't been able to figure out why. Unfortunately, sometimes those evil people who write viruses anticipate what you're going to have to do to restore your system and they create batch files, etc., which will operate when you try to restore and prevent it. They also write code which operates when you remove the virus and move the virus somewhere else, timed to return in the future.
I often wonder if the manufacturers of anti-virus products create the viruses in order to keep themselves in business.  |
|
|
|
Wiz Feinberg
From: Mid-Michigan, USA
|
Posted 17 May 2009 11:39 am
|
|
J W Alexander wrote: |
Hey Wiz-----thanks for your input as always!
Question though---if I do the re-installation does that wipe out my existing files, settings and so on? If so how can I first back them up or save to a disc on the affected computer?
J W |
You're Welcome J.W.
A re-installation install does not delete data files or settings. It replaces Windows files with the unaltered versions found on the CD, in the i386 directory. Those files are dispersed into the Windows and System32 directories, as well as some Program Files locations where OS files may reside (e.g: MSIE).
Your accounts and identities remain intact, as well as passwords and settings. You will have to reinstall your anti-virus and anti-spyware programs, possibly using a repair installation if it is an option. |
|
|
|
Wiz Feinberg
From: Mid-Michigan, USA
|
Posted 17 May 2009 12:02 pm
|
|
I didn't mention anything about backing up your files because you stated that you cannot log into Windows anymore. Any solution for backing up files will involve a bootable CD or DVD that contains a Linux operating system and system backup and repair utilities. If you wish to pursue that route you should use another PC, which has a CD recorder, to learn about the BartPE and the Ultimate Boot CD recovery tools. These are professional level tools that can be used to repair a corrupted operating system, or to back up data files to a USB drive or memory stick.
I often recommend Acronis True Image for backing up your entire PC. When stuff like this happens and you can't boot into Windows at all, a recovery CD made during the installation of True Image can be used to recover the entire computer, using the most recent backup image, hopefully saved to another disk. |
|
|
|
Alan Brookes
From: Brummy living in Southern California
|
Posted 17 May 2009 4:44 pm
|
|
If the worst happens, and you lose data, remember that unless you do a hard reformat on your disk all that happens to deletions is that they're renamed in the File Allocation Table. There are several programs available which will find deleted files for you. |
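What the post above describes, shown for a FAT volume as an added example that is not part of the original post: deleting a file overwrites the first byte of its directory entry with 0xE5 and frees its clusters, while the rest of the name, the start cluster and the size stay readable until the space is reused. The sample directory bytes and the helper names are constructed for illustration; NTFS volumes, which XP commonly uses, keep this information in a different structure.

```python
import struct

ENTRY_SIZE = 32        # every FAT directory entry is 32 bytes
DELETED = 0xE5         # first name byte of a deleted entry
END_OF_DIR = 0x00      # first name byte of the first never-used entry
ATTR_VOLUME_ID = 0x08  # set on volume labels and long-name entries (0x0F)
ATTR_DIRECTORY = 0x10


def make_entry(name, ext, first_cluster, size, attr=0x20, deleted=False):
    """Build one constructed short-name (8.3) entry for the sample data."""
    raw = bytearray(ENTRY_SIZE)
    raw[0:8] = name.ljust(8).encode("ascii")
    raw[8:11] = ext.ljust(3).encode("ascii")
    raw[11] = attr
    struct.pack_into("<H", raw, 20, first_cluster >> 16)     # high word (FAT32)
    struct.pack_into("<H", raw, 26, first_cluster & 0xFFFF)  # low word
    struct.pack_into("<I", raw, 28, size)
    if deleted:
        raw[0] = DELETED  # deletion marks the entry by replacing this byte
    return bytes(raw)


def find_deleted(directory):
    """List (name, first_cluster, size, is_dir) for deleted 8.3 entries."""
    found = []
    for off in range(0, len(directory) - ENTRY_SIZE + 1, ENTRY_SIZE):
        entry = directory[off:off + ENTRY_SIZE]
        if entry[0] == END_OF_DIR:
            break  # no slot after this one was ever used
        attr = entry[11]
        if entry[0] != DELETED or attr & ATTR_VOLUME_ID:
            continue  # live entry, volume label or long-name fragment
        # The first character of the name is gone; show it as '?'.
        stem = "?" + entry[1:8].decode("ascii", "replace").rstrip()
        ext = entry[8:11].decode("ascii", "replace").rstrip()
        high, = struct.unpack_from("<H", entry, 20)
        low, = struct.unpack_from("<H", entry, 26)
        size, = struct.unpack_from("<I", entry, 28)
        name = stem + ("." + ext if ext else "")
        found.append((name, (high << 16) | low, size,
                      bool(attr & ATTR_DIRECTORY)))
    return found


# Constructed sample directory: one live file, three deleted entries, the
# end-of-directory marker, then a slot past the marker that must be ignored.
SAMPLE_DIR = b"".join([
    make_entry("REPORT", "DOC", 5, 20480),
    make_entry("PHOTO", "JPG", 9, 153600, deleted=True),
    make_entry("OLDDOCS", "", 12, 0, attr=ATTR_DIRECTORY, deleted=True),
    make_entry("NOTES", "TXT", 0x10002, 812, deleted=True),
    bytes(ENTRY_SIZE),
    make_entry("STALE", "TMP", 40, 10, deleted=True),
])

if __name__ == "__main__":
    for name, cluster, size, is_dir in find_deleted(SAMPLE_DIR):
        kind = "dir " if is_dir else "file"
        print(f"{kind} {name:<12} start cluster {cluster:>6}  {size} bytes")
```

Recovery tools start from entries like these; whether the contents are still intact depends on the freed clusters not having been overwritten since.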
|
|
|
John Cipriano
From: San Francisco
|
Posted 17 May 2009 6:56 pm
|
|
A repair installation is a good idea in this situation. If that doesn't work, do a regular reinstall. First use Safe Mode to move your data to a CD-R if possible or a USB key. I'm not sure if you can access external discs or burn CDs in Safe Mode, but if not you can use a Linux live CD.
You can also try the ClamAV live CD here:
http://www.volatileminds.net/projects/clamav/
It's an offline virus scanner. I don't think it checks for other kinds of malware.
Building a BartPE disc is one way to check for malware offline, but in my opinion it is not the best use of your time. It can take hours on a slow machine and if you're only going to use it once you're better off spending that time backing up your data and reinstalling Windows. Just do the repair install and optionally use a ClamAV disc to scan for viruses. Then, if you determine it to be necessary (it's usually the best and safest thing anyway), do a regular reinstall of Windows, which will wipe the old copy.
If you are using IE to browse the web, you should consider using Firefox or Chrome or Opera in the future. I don't really have anything against IE but in most of the cases where someone asks me to look at the computer, the cause of the infection was either a trojan horse (careful with those screensavers) or a pop-up that IE let through. At the very least turn on the pop-up blocker and put your security settings to medium-high or high. _________________ MSA Semi-Classic S10 w/ 4P+4L and some shiny new tuners |
|
|
|
J W Alexander
From: Reynoldsburg, Ohio, USA
|
Posted 18 May 2009 7:04 am
|
|
One more question Wiz before I begin your suggestion about the in-place reinstall........
You say Note, that Automatic Updates will not function until a code is applied, as shown below the next paragraph..
Would I be in error thinking your steps 1>9 will apply that code and allow for Updates, Automatic or prompted?
Thanks------
J W |
|
|
|
Wiz Feinberg
From: Mid-Michigan, USA
|
Posted 18 May 2009 7:15 am
|
|
J.W.;
By any chance, was the bogus security alert from Spyware Protect 2009? If so, MalwareBytes AntiMalware (MBAM) would have fixed the problem without damaging your system files. Should you succeed in restoring normal operation please consider installing MBAM to protect against a re-infestation (paid version has realtime protection and auto-updating).
MBAM is one of the premier tools used in fighting off rogue security alert malware infections. The other tools that J.W. has were "taken out" by a Trojan, rendering them ineffective. SAS and Symantec CS failed to protect themselves from unauthorized termination, in violation of the third law of robotics. |
|
|
|
Wiz Feinberg
From: Mid-Michigan, USA
|
Posted 18 May 2009 7:21 am
|
|
J W Alexander wrote: |
One more question Wiz before I begin your suggestion about the in-place reinstall........
You say Note, that Automatic Updates will not function until a code is applied, as shown below the next paragraph..
Would I be in error thinking your steps 1>9 will apply that code and allow for Updates, Automatic or prompted?
Thanks------
J W |
Following my steps 1 - 9 will restore Automatic Windows Updates after a repair re-installation. Manual updates are still available via Internet Explorer. |
|
|
|
J W Alexander
From: Reynoldsburg, Ohio, USA
|
Posted 18 May 2009 10:24 am
|
|
Wiz I do believe you have the name correct Spyware Protect 2009. Naturally I will heed your advice regarding the MBAM---having visited their site it seems to be a great product. I will access it through your site for whatever benefit that affords you.
I will say an icon appeared in my system tray that closely resembled the Symantec symbol, the difference being it was black and yellowed stripes running at about 45 degrees whereas Symantec is a solid red with a symbol in its field.
My next step will be to purchase an authorized copy of Windows XP Pro and go about the in-place installation. I hope I can't do much more damage than already experienced yet it will be what it will be.
Any advice for this next phase for me apart from what's here already would be greatly appreciated. The patience here is amazing--wish I had just a smidgen of it!
J W |
|
|
|
Wiz Feinberg
From: Mid-Michigan, USA
|
Posted 18 May 2009 10:30 am
|
|
J.W.;
Why don't you take the PC to a local computer shop and have them do this, saving you from searching for an unsold, never before licensed copy of XP Pro? They are hard to find anymore as Microsoft has pulled XP from distribution channels.
Bleeping Computers forums have trained volunteers who can help people remove these rogue anti-spyware Trojans and rootkits from their computers, without reinstalling the OS. MBAM is one of the tools they have you use, under their guidance, among others. |
|
|
|
John Roche
From: England
|
|
|
|
J W Alexander
From: Reynoldsburg, Ohio, USA
|
Posted 18 May 2009 2:00 pm
|
|
Wiz the only problem I'd have taking this to a local shop is I really have no idea who's truly knowledgeable and who's simply in business. Just as appears here more than a few ideas are forwarded yet none (save your own) really, really addresses my issue. A few I've already spoken to simply suggest wiping the IDE clean, reinstalling XP Pro and being done with it. Seems similar to removing the hand because we have a splinter----both sooooooo NOT what I hope to accomplish.
Would it be possible to find a live person in my area to help via the Bleeping Computers site or are they 100% virtual? I'm guessing obtaining a copy of XP Pro is important regardless as it is required even for the in-place reinstallation? |
|
|
|
Wiz Feinberg
From: Mid-Michigan, USA
|
Posted 18 May 2009 9:06 pm
|
|
J W Alexander wrote: |
Would it be possible to find a live person in my area to help via the Bleeping Computers site or are they 100% virtual? I'm guessing obtaining a copy of XP Pro is important regardless as it is required even for the in-place reinstallation? |
Bleeping Computers volunteers are located around the World and are highly trained in malware identification and removal tactics. You cannot simply find somebody nearby that is a BC member. You place a call for help, describing the problem and wait for a helper to respond. Then, you stick with that person and follow all of his/her instructions to the T, until the job is done.
You should obtain your own copy of an XP Professional CD, with Service Pack 3. You can still get a copy from Tiger Direct, via my website links. Choose an OEM copy with SP3. |
|
|
|
John Cipriano
From: San Francisco
|
Posted 21 May 2009 8:21 pm
|
|
J W Alexander wrote: |
Seems similar to removing the hand because we have a splinter |
I know it can seem that way but often in these cases a reinstall is the fastest and least painful approach. It's more like growing a new hand.
Obviously the money changes the equation somewhat though. Whether it's having to buy XP again or taking it to a repair shop, or both. I feel your pain.
Yes, an XP CD is required for both a repair install and a regular install. System restore does not require the CD, but I think you said you'd tried system restore already.
Any PC shop you go to should be capable of backing up your old data for you. The Windows installation is easy enough to do yourself if you don't trust the shop (though again this is basic stuff for them) or just want to save some money.
If you have the inkling to play around with it some more and want to avoid spending the money on having a shop back up your data, you could download a Linux live CD (any flavor...Ubuntu is popular) and give backing up your own data a shot. But if you don't want to waste more time on it then a repair shop is the way to go, and anybody that's been in business for more than a week should know how to back up documents and reinstall Windows.
Maybe somebody on Bleeping Computer actually is a tech in your area, or can recommend one? |
|
|
|
J W Alexander
From: Reynoldsburg, Ohio, USA
|
Posted 22 May 2009 3:26 am
|
|
Here’s an update on this saga........
Finally decided and committed to letting the pros do what was needed since their original estimate was reasonable, all things considered. Immediately upon arriving at their shop the price had doubled from $150 to 300. I understood their reasoning behind that increase but their attitude and impatience made me uneasy so I thought to regroup and try one more avenue before turning them loose on my gear. With some limited use still on the affected computer I thought to go back online and possibly buy the XP Pro disc and attempt my own in place re-installation. After returning home and reconnecting everything upon first starting EVERYTHING was “fixed” and running as before! Not a thing had been lost so it seems.
Taking Wiz’s advice I updated everything I could: Windows, Symantec, SuperAntiVirus and scanned all files. Next I installed the demo version of Malwarebytes’ Anti-Malware and scanned once again. I have to say that is one very impressive program as it found 6 or 7 infections the other in-place anti-virus functions had missed. I will buy the full edition as the $25 is insignificant compared to the aggravation this has caused to date. If it can augment my other protection it’s worth much much more.
So it would seem in this case doing essentially nothing for a while paid off in that my original data is secure. I will look into the back up systems and software suggested here because I’m sure this isn’t the last time I’ll be in danger or vulnerable. Thanks to all who helped---I knew this would be a great resource for advice NOT motivated by profit!!
Thanks to you especially Wiz------a true asset to the SGF!!
J W |
|
|
|