Participant

Join Date: Feb 2009
Location: San Diego, CA
Posts: 4

Antivirus Software Hijacks My Computer

03/25/2009 6:22 AM

I was using a 2005 Dell computer with "the full package and up-to-date" 2008 McAfee firewall, antivirus, anti-spyware... but somehow the evil 2009 virus protection software/company/people highjacked my computer (I cannot open or see the file, the screen went blank). I was told I have two choices:

1. Buy the 2009 virus software and let that company blackmail me.

2. Pay a computer expert guy $120 to format the hard drive and reset up my computer to where I can reinstall programs that I used.

I do not know much about computers but this is what I am thinking:

1. I think it is wrong for the people who created the 2009 virus protection software/company to highjack my computer and I do not want to give in to this kind of blackmail.

2. This computer is 4+ years old (it is fine for writing and email communication, etc.). I do not want to pay $120 more to have someone fix it and have to deal with it again. It seems there are parasites who want to live off people by doing such acts.

Please let me know if there are other solutions or how to fix it myself?

Thank you,

TTkld

Guru
Engineering Fields - Marine Engineering - New Member

Join Date: May 2007
Location: Australia.
Posts: 1642
Good Answers: 81
#1

Re: How to deal with the 2009 antivirus highjacking my computer

03/25/2009 6:36 AM

Do you have a boot disk for the 'A' drive? Are there files you wish to save? I'm not familiar with the virus, but info might help others solve the problem.

Regards JD.

Participant

Join Date: Feb 2009
Location: San Diego, CA
Posts: 4
#3
In reply to #1

Re: How to deal with the 2009 antivirus highjacking my computer

03/25/2009 7:54 AM

Hi JD,

Thank you for helping. I misplaced the boot disk when I moved in 2005. I will try to request a boot disk from Dell.

There are files I would like to save but I am concerned that the spyware or .... may get saved with the files. I have a backup copy from 10 days before this 2009 thing happened so I may lose 10 days' work.

Guru
Hobbies - Car Customizing - Dances with Trees Canada - Member - because I can Hobbies - CNC - too much fun Hobbies - Target Shooting - paper shreader

Join Date: Mar 2008
Location: Ottawa, Ontario, Canada
Posts: 769
Good Answers: 10
#2

Re: How to deal with the 2009 antivirus highjacking my computer

03/25/2009 7:12 AM

Boot up in safe mode and uninstall the McAfee crap product, common problem.

Get AVG, it's free and works very well. CNET has it on their download site.

__________________
Kevin "Dances with Trees" Willey
Participant

Join Date: Feb 2009
Location: San Diego, CA
Posts: 4
#4
In reply to #2

Re: How to deal with the 2009 antivirus highjacking my computer

03/25/2009 7:58 AM

Thanks Dances with Trees,

Thank you for your help. Will you show me how to boot up in safe mode and uninstall McAfee? Will I be able to get on the internet to download the AVG software?

Guru
Hobbies - Car Customizing - Dances with Trees Canada - Member - because I can Hobbies - CNC - too much fun Hobbies - Target Shooting - paper shreader

Join Date: Mar 2008
Location: Ottawa, Ontario, Canada
Posts: 769
Good Answers: 10
#6
In reply to #4

Re: How to deal with the 2009 antivirus highjacking my computer

03/25/2009 5:41 PM

Just reboot and watch the screen. On mine I press F4 for safe mode; other brands differ.

__________________
Kevin "Dances with Trees" Willey
Power-User
United States - Member - New Member Engineering Fields - Biomedical Engineering - Radiation Oncology Engineering Hobbies - Fishing - New Member APIX Pilot Plant Design Project - Member - New Member Hobbies - Hunting - New Member Hobbies - DIY Welding - New Member Hobbies - Target Shooting - New Member Popular Science - Biology - New Member

Join Date: Sep 2006
Location: CT
Posts: 267
Good Answers: 1
#41
In reply to #4

Re: How to deal with the 2009 antivirus highjacking my computer

03/27/2009 7:55 AM

On a Dell, press F12 once the BIOS screen comes up, then select boot in safe mode.

__________________
“Sometimes we don't even realize what we really care about, because we get so distracted by the symbols.” - Tom Wolfe, The Electric Kool-Aid Acid Test
Anonymous Poster
#24
In reply to #2

Re: How to deal with the 2009 antivirus highjacking my computer

03/26/2009 11:01 AM

I had pretty good experience in the past with AVG but the last time I installed it on a computer with XP it "locked" my computer!! I haven't tried it again recently because then when I tried to uninstall it there was a stubborn file that had to be renamed to be able to remove it.

Guru

Join Date: Oct 2006
Location: New Jersey U.S.A.
Posts: 1114
Good Answers: 38
#5

Re: Antivirus Software Hijacks My Computer

03/25/2009 3:10 PM

Sounds like you have the "antivirusxp2009"? or whatever. If you have access to another computer, go on Google and type "how to remove (type virus name here)". Some removal tools are available, but the process may be long and tedious. Depending on which version you have and what's been written to remove it, it may be simple or complex. Once you get the directions or software, make sure you print out the directions and follow them to the letter. All should be well. Then download AVG.

__________________
The last fight was my fault. My wife asked "What's on the TV?" I said "Dust!"
Guru

Join Date: Feb 2006
Location: Piney Flats, Tennessee
Posts: 1740
Good Answers: 23
#7

Re: Antivirus Software Hijacks My Computer

03/25/2009 10:52 PM

Download the Malicious Software Removal Tool from the Microsoft Update page and the Windows Defender program.

Run the Malicious Software Removal Tool and then Windows Defender; they will remove the bugs.

__________________
If you never do anything you never have problems.
Score 1 for Good Answer
Guru
Popular Science - Weaponology - bwire Hobbies - Car Customizing - New Member

Join Date: Dec 2007
Location: Upper Mid-west USA
Posts: 7498
Good Answers: 97
#14
In reply to #7

Re: Antivirus Software Hijacks My Computer

03/26/2009 6:22 AM

GA this initiator file is known now by many anti-viral products and this you mention is fully capable from safe mode.

__________________
If death came with a warning there would be a whole lot less of it.
Guru
Canada - Member - New Member Hobbies - Musician - New Member

Join Date: Dec 2006
Location: Western Canada
Posts: 1863
Good Answers: 39
#8

Re: Antivirus Software Hijacks My Computer

03/25/2009 11:36 PM

GOOD LUCK!!

I also tangled with that virus. I did use the CNET written explanation. It was not enough.

I lost my computer and the back up. In retrospect $120 would have been cheap compared to losing two months of computer use and access. If the Cnet instructions do not work out, better get an expert soon.

__________________
Elnav
Guru

Join Date: Jun 2006
Location: Ottawa Canada
Posts: 1975
Good Answers: 117
#9

Re: Antivirus Software Hijacks My Computer

03/25/2009 11:48 PM

How weird is that...I just covered everything you need to know about getting rid of the 2009 anti-virus software in this thread... http://cr4.globalspec.com/thread/35160#comment366087

First of all.... don't use the removal tool on the web site that the pop up sends you to...that web site is too slick for words. It is NOT what it seems to be. Don't use it. Seriously...it is a re-director site which looks very real and good, but it is not real, and it is not going to do what it says it will do. The removal tool will install another trojan. Check on a few sites on Google...especially some of the forums which discuss this trojan.

Second. Don't dump McAfee. There is no reason to dump it. It is not broken.

The fellow who answered me in the above comment goes into depth on how to clean your computer. I won't repeat his excellent instructions here.

Thirdly, if you own a computer, you should know how to format your C drive. You can learn, it's not so hard. There is nothing quite like flushing the electronic toilet and seeing all the bad things go down the electronic drain. Providing you have backed up your data of course.

Fourth, don't blame Dell or Microsoft. As tempting as it may be.

good luck. You will need it.

__________________
If it was easy anybody could do it.
Score 1 for Good Answer
Anonymous Poster
#10
In reply to #9

Re: Antivirus Software Hijacks My Computer

03/26/2009 12:05 AM

I suggest contacting the McAfee Technical Center online with your problem. They are slow in reacting but they would give you a solution. It took a couple of weeks for their technical team to solve a similar problem with my system.

crm

Guru
Canada - Member - New Member Hobbies - Musician - New Member

Join Date: Dec 2006
Location: Western Canada
Posts: 1863
Good Answers: 39
#12
In reply to #9

Re: Antivirus Software Hijacks My Computer

03/26/2009 1:54 AM

"Thirdly, if you own a computer, you should know how to format your C drive."

REPLY: Any sage advice when the normal program methods cannot format the drive? BIOS start up says a drive of zero bytes and zero sectors is connected. Yet when you try to reformat the drive and reinstall an O/S the message comes back: "no readable drive installed" or words to that effect.

__________________
Elnav
Guru
Popular Science - Weaponology - bwire Hobbies - Car Customizing - New Member

Join Date: Dec 2007
Location: Upper Mid-west USA
Posts: 7498
Good Answers: 97
#15
In reply to #12

Re: Antivirus Software Hijacks My Computer

03/26/2009 6:29 AM

Hi elnav,

Reformatting is not necessary. I know you did but you were out of options at the time or so you thought.

Actually this bug is simple to eradicate if a few particular methods are deliberated upon meticulously.

__________________
If death came with a warning there would be a whole lot less of it.
Off Topic (Score 6)
Guru
Popular Science - Weaponology - New Member Safety - ESD - New Member Hobbies - Fishing - New Member

Join Date: Sep 2006
Location: Near Frankfurt am Main, Germany. 50.390866N, 8.884827E
Posts: 17996
Good Answers: 200
#17
In reply to #9

Re: Antivirus Software Hijacks My Computer

03/26/2009 6:56 AM

Further to your good comments, the OP should understand that he (or someone who uses this computer) actually downloaded this virus themselves.......going onto "dodgy" web sites is the normal reason.....don't do it again!!!

__________________
"What others say about you reveals more about them, than it does you." Anon.
Power-User
Hobbies - Musician - Jimmy Page Wanna be (Who isn't?) Popular Science - Weaponology - Navy Fire Controlman and LCAC Craftmaster United States - Member - Member

Join Date: Aug 2007
Location: San Diego, SoCal
Posts: 175
Good Answers: 2
#11

Re: Antivirus Software Hijacks My Computer

03/26/2009 1:07 AM

All good answers, these. I've had to tackle a few of these annoying "antivirus" trojans. Have to act quickly. I had one on the laptop and kept ignoring it. Bad idea. It got so bad I had to reformat and reinstall. The one that drove me closest to the edge though, was the one where I had rooted out every trace, but when I rebooted I had that stupid error screen. This screen wouldn't let me close or minimize. It just sat there, mocking me. I searched high and low, no trace of the trojan, but there was the screen, laughing at me. Turns out the trojan had replaced my wallpaper with a picture of the error screen. I decided then that the death penalty would be just fine for those that write these things.

__________________
Science does not know its debt to imagination. ~Ralph Waldo Emerson
Anonymous Poster
#13

Re: Antivirus Software Hijacks My Computer

03/26/2009 5:42 AM

Go to this site

www.bleepingcomputer.com

They are a mine of information and support.

Anonymous Poster
#81
In reply to #13

Re: Antivirus Software Hijacks My Computer

05/13/2009 3:14 PM

I went to the website and scanned my PC but the virus still remains.

Guru
Popular Science - Weaponology - bwire Hobbies - Car Customizing - New Member

Join Date: Dec 2007
Location: Upper Mid-west USA
Posts: 7498
Good Answers: 97
#82
In reply to #81

Re: Antivirus Software Hijacks My Computer

05/14/2009 2:00 AM

Sign in and log on and then we can help....

__________________
If death came with a warning there would be a whole lot less of it.
Guru
Popular Science - Weaponology - bwire Hobbies - Car Customizing - New Member

Join Date: Dec 2007
Location: Upper Mid-west USA
Posts: 7498
Good Answers: 97
#16

Re: Antivirus Software Hijacks My Computer

03/26/2009 6:52 AM

That's terrible, I know how the feeling is having experienced it on several occasions.

What has invaded your computer actually is not a virus; what has occurred is a nasty malware piggy-backed in with a legitimate program then installed itself without asking permission. Then it authorized the "Anti-virus" program to download onto your computer's hard drive; after that all manner of debilitating events are ongoing.

Good news, on another computer go here and download to disc the 'anti-virus rescue system' tool, antivirus bootsektor repair tool and follow the directions to rescue your machine and processes so you can retrieve your data and resume use of it.

__________________
If death came with a warning there would be a whole lot less of it.
Power-User
Canada - Member - BC Born, Alberta Raised, Quebec (poutine) crazed... Engineering Fields - Aerospace Engineering - An airplane is just a bunch of beams... Hobbies - Model Rocketry - Had fun as a kid...fun stuff Hobbies - CNC - dreaming of cutting Engineering Fields - Control Engineering - PID ME!

Join Date: Aug 2006
Location: Montreal, CANADA
Posts: 368
Good Answers: 10
#18

Re: Antivirus Software Hijacks My Computer

03/26/2009 7:44 AM

As painful and annoying as it may be, getting nailed with a sneaky virus, trojan or malware is a good reminder about the importance of keeping a vigilant backup of your data. Some of these bugs are easy to remove (automatically if your security software is updated and worth its snuff) while others are quite persistent and take considerable effort and time to get rid of (the domain where an expert is needed).

While not being a professional I've never paid anyone to fix my computer. I have an external hard-drive that is ONLY used for important backups of basically everything in "My Documents". By putting everything truly important here it makes doing a backup MUCH easier. If you have other important projects you can create other directories but just keep track of which need to be backed up when the time comes. I don't backup software since it's generally a 'cleaner' approach to reinstall it and apply any updates that are necessary.

Definition of a backup: Having an intact copy of your important stuff in TWO places at the same time. Making a copy to a second drive and then wiping the first to reinstall windows ISN'T a real backup since you'll lose everything if that other drive dies, is stolen, lost or eaten by the dog. A backup is TWO copies in TWO different places (an internal drive and an external, or two external).

To avoid having to buy a second external drive I keep two partitions on my main hard-drive C: (for windows and software ONLY) and D: (for files files and more files). Moving "My Documents" to D: is very easy and windows does all the work...right click on it and select "Properties". Under "Target folder Location" you'll see "C:\Documents and Settings\<yourusername>"...changing this (and moving all the contents to the new destination D:) is as easy as clicking the "Move..." button, selecting drive D and "Make a New Directory" called "MyDocs" and hitting OK. It will then ask you if you want to move the contents of your old My Documents location to the new one..."yes" and everything gets moved for you and selecting, opening from or saving to "My Documents" now automatically works with this new directory instead of the old one. THIS IS THE DIRECTORY I BACK UP...

The external drive must be at least as big as drive D: to be sure to have space to keep a full backup of everything. This two partition method allows me to dump drive C and reinstall windows and my software while leaving everything on D. One copy on D + one on the external usb drive = two intact copies in two different places so my files are safe and I have reassurance my files are all ok.

When that time comes: Making a backup doesn't need to be anything complicated. You can simply drag and drop the contents of your My Documents folder to another drive. Doing this multiple times results in duplicates so if you have 100GB of important stuff, the first backup takes 100GB of space on your backup drive...a second copy takes another 100GB. To avoid duplication of the backup I use a free tool called Capivara. It's free, is a graphical java program and will synchronize two folders together. I do this between my d:\MyDocs folder and a backup folder in the external drive. This program scans the two drives/locations, creates a list of differences (additions, modifications and deletions) and lets you choose to either "Make Identical" which may take a while but guarantees your backup is the same thing. Other choices include backing up single files, only the new files or backwards syncing the directories in case you accidentally erased something. A regular backup is very fast since there are only a few differences.

The moral of the story: Learn to do backups of your important, cherished and irreplaceable stuff OFTEN (I do it once a week). Keep the external drive somewhere safe like one of those lockable fire boxes tucked away somewhere. I have too many stories of friends and family losing their only copy of important pictures and videos to fried computers, accidentally erased directories, and carrying the backup external drive around in their laptop case (both got stolen at the same time). TWO copies in TWO different places. Wiping and reinstalling windows once a year is a good way to learn about your computer, put out the trash and make your machine run the way it was supposed to.

best of luck!

kkjensen

__________________
kkjensen
Good Answer (Score 3)
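The difference list described in the backup post above (additions, modifications and deletions between a working folder and its backup), as an added example that is not part of the original thread and is not Capivara's code. The folder names, the sample files and the 10% threshold in `safe_to_mirror` are assumptions made for the illustration; the check exists because a "make identical" sync run from a damaged or infected source overwrites and removes the good copies in the backup.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def file_digest(path, chunk_size=1 << 20):
    """SHA-256 of a file, read in chunks so large files do not fill memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map every file under root (relative path) to its content digest."""
    root = Path(root)
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = Path(dirpath) / name
            result[full.relative_to(root).as_posix()] = file_digest(full)
    return result


def diff_snapshots(src, bak):
    """Dry-run report: what a source -> backup mirror would change."""
    common = src.keys() & bak.keys()
    return {
        "added": sorted(src.keys() - bak.keys()),      # new in source
        "modified": sorted(p for p in common if src[p] != bak[p]),
        "deleted": sorted(bak.keys() - src.keys()),    # gone from source
    }


def safe_to_mirror(diff, backup_count, max_loss_ratio=0.10):
    """Return False when too large a share of the existing backup would be
    overwritten or removed. The 10% default is an assumed threshold."""
    if backup_count == 0:
        return True  # nothing in the backup to lose
    at_risk = len(diff["modified"]) + len(diff["deleted"])
    return at_risk / backup_count <= max_loss_ratio


def demo():
    """Build two small constructed trees and compare them."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "MyDocs"   # stands in for d:\MyDocs
        bak = Path(tmp) / "Backup"   # stands in for the external drive
        (src / "photos").mkdir(parents=True)
        (bak / "photos").mkdir(parents=True)

        # Constructed sample data.
        (src / "report.doc").write_text("version 2")
        (bak / "report.doc").write_text("version 1")   # differs -> modified
        (src / "photos" / "a.jpg").write_text("image bytes")
        (bak / "photos" / "a.jpg").write_text("image bytes")  # identical
        (src / "new.txt").write_text("written this week")     # added
        (bak / "old.txt").write_text("missing from source")   # deleted

        src_snap, bak_snap = snapshot(src), snapshot(bak)
        diff = diff_snapshots(src_snap, bak_snap)
        return diff, safe_to_mirror(diff, len(bak_snap))


if __name__ == "__main__":
    report, ok = demo()
    for kind, paths in report.items():
        print(f"{kind}: {paths}")
    print("mirror allowed" if ok else "review the report before mirroring")
```

Comparing by content hash rather than by timestamp also catches files whose contents changed while size and date stayed the same.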
Guru
Popular Science - Weaponology - New Member Safety - ESD - New Member Hobbies - Fishing - New Member

Join Date: Sep 2006
Location: Near Frankfurt am Main, Germany. 50.390866N, 8.884827E
Posts: 17996
Good Answers: 200
#20
In reply to #18

Re: Antivirus Software Hijacks My Computer

03/26/2009 9:24 AM

Really good post. GA for that!

My one and only quibble is that the D Disk should be a physically separate disk inside your PC. It's the only safe way.....a partition on the same disk is only a few % safer than a single partition...not worth the trouble to make......get a second disk built in! Buy one that is really reliable, speed is nice but less important...

Obviously this is not quite so easy on a Laptop......and not always possible......but on a PC, a second hard disk is really really easy.......

__________________
"What others say about you reveals more about them, than it does you." Anon.
Power-User
Canada - Member - BC Born, Alberta Raised, Quebec (poutine) crazed... Engineering Fields - Aerospace Engineering - An airplane is just a bunch of beams... Hobbies - Model Rocketry - Had fun as a kid...fun stuff Hobbies - CNC - dreaming of cutting Engineering Fields - Control Engineering - PID ME!

Join Date: Aug 2006
Location: Montreal, CANADA
Posts: 368
Good Answers: 10
#22
In reply to #20

Re: Antivirus Software Hijacks My Computer

03/26/2009 9:52 AM

My drive D approach started when I was a broke student with no chance of buying a second drive. I kept it a primary partition (so it wouldn't get erased along with C like extended partitions do) and crossed my fingers, toes and offered sacrifice to the hard-drive gods whenever I was absolutely forced to reinstall windows.

The habit has stuck since drives are so big now it seems wasteful to give windows and software 200+GB let alone even 100GB...windows programs are fat but nowhere near THAT fat!

Storage space is so cheap now there really isn't much excuse to not have space...

__________________
kkjensen
Guru
Popular Science - Weaponology - New Member Safety - ESD - New Member Hobbies - Fishing - New Member

Join Date: Sep 2006
Location: Near Frankfurt am Main, Germany. 50.390866N, 8.884827E
Posts: 17996
Good Answers: 200
#33
In reply to #22

Re: Antivirus Software Hijacks My Computer

03/26/2009 4:55 PM

It is still, with XP, far too easy to lose the whole physical disk to a fresh install (seen it, done it and not got the T-Shirt!). Don't do it!!! It's simply too dangerous for many who are not computer professionals (and some who are!!).

Whereas with a separate disk drive, you just pull the power lead on it, install XP again on the C drive (or the Windows of your choice), wait till the install does the final boot, power down safely, install power cable to drive D, power on and "VOILA", your data drive is there the same as it ever was....(seen it, done it and still not got the T-Shirt!).

__________________
"What others say about you reveals more about them, than it does you." Anon.
Power-User
Canada - Member - BC Born, Alberta Raised, Quebec (poutine) crazed... Engineering Fields - Aerospace Engineering - An airplane is just a bunch of beams... Hobbies - Model Rocketry - Had fun as a kid...fun stuff Hobbies - CNC - dreaming of cutting Engineering Fields - Control Engineering - PID ME!

Join Date: Aug 2006
Location: Montreal, CANADA
Posts: 368
Good Answers: 10
#35
In reply to #33

Re: Antivirus Software Hijacks My Computer

03/26/2009 4:59 PM

agreed...best keep it simple for the unaware. It does take a few mistakes to get the hang of partitions and one mistake can be too many when your wife's family pictures are at stake.

__________________
kkjensen
Guru
Popular Science - Weaponology - bwire Hobbies - Car Customizing - New Member

Join Date: Dec 2007
Location: Upper Mid-west USA
Posts: 7498
Good Answers: 97
#30
In reply to #20

Re: Antivirus Software Hijacks My Computer

03/26/2009 4:09 PM

Hi Andy,

Good points and an external HD is an easy solution too. Pulling the plug is the best firewall

__________________
If death came with a warning there would be a whole lot less of it.
Power-User
United States - Member - New Member Engineering Fields - Biomedical Engineering - Radiation Oncology Engineering Hobbies - Fishing - New Member APIX Pilot Plant Design Project - Member - New Member Hobbies - Hunting - New Member Hobbies - DIY Welding - New Member Hobbies - Target Shooting - New Member Popular Science - Biology - New Member

Join Date: Sep 2006
Location: CT
Posts: 267
Good Answers: 1
#42
In reply to #18

Re: Antivirus Software Hijacks My Computer

03/27/2009 8:02 AM

I agree with most of your post. The only issue with two partitions is if for some reason the disk fails you still have lost your data; this happened to me years ago. I prefer an external device whether it be copies on CD, external drive, other PC. Lately with the cost of memory sticks going down I have a few of these that I alternate to back up my "cherished" data. The last stick I bought at Wally Mart was 8 GB for 19 bucks.

Keep the mantra going " Back Up Often, Back Up Often, Back Up Often"

Bob

__________________
“Sometimes we don't even realize what we really care about, because we get so distracted by the symbols.” - Tom Wolfe, The Electric Kool-Aid Acid Test
Power-User
Canada - Member - BC Born, Alberta Raised, Quebec (poutine) crazed... Engineering Fields - Aerospace Engineering - An airplane is just a bunch of beams... Hobbies - Model Rocketry - Had fun as a kid...fun stuff Hobbies - CNC - dreaming of cutting Engineering Fields - Control Engineering - PID ME!

Join Date: Aug 2006
Location: Montreal, CANADA
Posts: 368
Good Answers: 10
#74
In reply to #42

Re: Antivirus Software Hijacks My Computer

03/30/2009 10:29 AM

My epistle must have missed the mark since my other partition was just to put the originals on...not a backup. Keeping original files on a separate partition keeps program files from becoming so fragmented as more files are added and programs upgraded. It also allows the possibility of reinstalling windows on C without having to restore a backup when you're finished.

Any backup you want to survive should always be on another drive and stored in another place.

Memory sticks are very convenient but a touch small if you're into taking a lot of pictures...my last trip added about 12GB to my collection. I have an 80GB drive for the backups and it's about full. I'm looking at the 1TB iocell drive ($169) since I really like the product reliability (my current drive is also made by them) and I like to have the backup drive just plugged into the network somewhere. It's easy to tuck it away on a shelf by the router or run a dedicated line somewhere physically safe from theft or fire.

__________________
kkjensen
Guru
Popular Science - Weaponology - New Member Safety - ESD - New Member Hobbies - Fishing - New Member

Join Date: Sep 2006
Location: Near Frankfurt am Main, Germany. 50.390866N, 8.884827E
Posts: 17996
Good Answers: 200
#75
In reply to #74

Re: Antivirus Software Hijacks My Computer

03/30/2009 12:26 PM

What he said was true.....having your data on one partition of the same drive where the system is, is still dangerous.....I personally would not recommend it.

If a system disk clone is made, there is no need for it to be on the same physical disk, in fact most people would NOT recommend it!!

If your system disk goes down, you can restore to a new drive from the other hard disk where your data is stored.

Data should also be on a USB drive (not a stick!) as well.

If the data/system clone drive goes down, you have the system still to copy to the replacement drive and the data is on the USB drive as well = very safe......

Even better is to have a copy of both in another location as well......because of fire, flood and theft!!

__________________
"What others say about you reveals more about them, than it does you." Anon.
Guru
Popular Science - Weaponology - bwire Hobbies - Car Customizing - New Member

Join Date: Dec 2007
Location: Upper Mid-west USA
Posts: 7498
Good Answers: 97
#76
In reply to #74

Re: Antivirus Software Hijacks My Computer

03/30/2009 1:32 PM

It's a cool box, pun intended, but all things being equal (bandwidth) RAID 1 configuration throughput capabilities exceed this configuration for less...money and with SATA 6GB's around the bend...see where this is going eh?

__________________
If death came with a warning there would be a whole lot less of it.
Guru

Join Date: Jun 2006
Location: Ottawa Canada
Posts: 1975
Good Answers: 117
#19

Re: Antivirus Software Hijacks My Computer

03/26/2009 8:55 AM

I think what bothers me most is that there is a whole family of trojans which call themselves anti-virus, when of course, they are not. After a short while, one wonders what is real and what is not! Any advice you receive can so easily become garbled or misinterpreted...which of course makes them a good trojan, I guess. This one likes to hide in your screensaver files as well as in brand new registry files it creates. I also hear that it mutates, but I saw no evidence of that...it is possible what looks like mutations are just different facets of the same glittering crystal which is embedded in the heel of your shoe.

It cost me 99 bucks from Symantec to scrub my wife's (newer XP) computer and remove the infestation. To me, it was worth every penny since she had data which was too important to lose. Took the pro 5 hours and about 5 reboots. Most techs here say it is much the same. If there really IS a removal tool, I think the local techs (at Future Shop) would like to know of it. My 'puter of course, is a bulletproof Windows 98. Nobody writes virii for it anymore. And it is really easy to wipe clean and re-install for the odd time the poor old thing stumbles. The downside is that the vintage IBM processor is clocked too low to run YouTube videos. Hmm...that's a downside?

Oh, and I really liked Adaware. I believe the free version is no longer offered, but it is a stunning program. I run "spy hunter" every night, and "Norton" once a week. (Don't install McAfee on a system which is running Norton, or vice versa.)

Anyway, I'm NOT a computer tech, just a guy who is trying to use the "new" technology...the driver, not the mechanic. So I hear ya man! Remember, the trojans are just trying to scare you! They are not really quite as bad as all that.

And would it be off topic to ask if anybody has evaluated the REAL Microsoft protection system?

__________________
If it was easy anybody could do it.
Guru
Panama - Member - New Member Hobbies - CNC - New Member Engineering Fields - Marine Engineering - New Member Engineering Fields - Retired Engineers / Mentors - New Member

Join Date: Dec 2006
Location: Panama
Posts: 4273
Good Answers: 213
#21

Re: Antivirus Software Hijacks My Computer

03/26/2009 9:30 AM

You may want to consider installing Linux in a dual-boot configuration. You should be able to install Linux even with a contaminated Windows sector, since the installation is booted from a CD. Then, you can examine the Windows partitions and extract the important stuff. If you know what you are doing, you may be able to find the offending application and identify it- you can see things from Linux on the Windows partition that are not visible to the Windows operating system. Also, there is much less chance of getting attacked when surfing the net with a Linux system (at least at present- eventually the bad guys are going to start attacking Linux as well...)

Power-User
Canada - Member - BC Born, Alberta Raised, Quebec (poutine) crazed... Engineering Fields - Aerospace Engineering - An airplane is just a bunch of beams... Hobbies - Model Rocketry - Had fun as a kid...fun stuff Hobbies - CNC - dreaming of cutting Engineering Fields - Control Engineering - PID ME!

Join Date: Aug 2006
Location: Montreal, CANADA
Posts: 368
Good Answers: 10
#23
In reply to #21

Re: Antivirus Software Hijacks My Computer

03/26/2009 10:07 AM

Even downloading a Linux live-CD and learning a thing or two about it can be a HUGE help. Even if Windows won't boot at all you can still start the machine with the live-CD, connect to the hard drive and copy files from it to DVD or some USB connected storage.

HUGE help. I would recommend everyone keep one of these live-CDs squirreled away somewhere for a rainy day. The only other option is to remove the drive and plug it into another functioning computer to be able to get the data off of it.

Burn this to a cd, boot off it and play. You'll likely be surprised how easy it can be to use linux. Connecting to the drive is a 'bit' more complicated but just ask questions at www.fedoraforum.org and you'll get plenty of answers.

__________________
kkjensen
Guru
Canada - Member - New Member Hobbies - Musician - New Member

Join Date: Dec 2006
Location: Western Canada
Posts: 1863
Good Answers: 39
#27
In reply to #23

Re: Antivirus Software Hijacks My Computer

03/26/2009 2:21 PM

All of the previous answers are based on making the eradication attempt during the very early stages just after infection takes place. That may very well work. For several good reasons I kept trying to combat this trojan or malware instead of just erasing the drive and starting over. As a result I ended up with a vastly different version than what people experience in the early stages.

Based on my observations, this program does call home every time you boot up. Other people have noticed the same thing. Presumably this is to get additional stuff downloaded or to report on what it has found. One person told me they discovered the malware included a keystroke logger.

When the extortion attempt of trying to get you to buy a "fix" does not work, stage two kicks in. If you are on a high speed link the malware starts to use your computer for spewing out spam. I was fortunate in that my ISP was already aware of my having a problem. So when the spam cops enforced a total block of my address world wide and notified my ISP to take punitive action, they contacted me first. With my only link to the world cut off I continued to fight the trojan but I had to go over to the church and use the minister's computer to download "alleged fixes" to a thumb drive and then take it home to try. Needless to say by now the trojan had mutated to a point these Cnet fixes failed to eradicate the monster.

Because download speed here is so slow I had to get a LINUX CD from elsewhere. I had by now got a spare computer going and installed Linux on it. I think it was Andy who recommended that I install the infected Hard drive as a slave in this other (linux) computer. Although Linux had worked perfectly on the computer, as soon as I booted up with the infected drive installed I got an error message saying no bootable drive found. Experimentation over several weeks of nearly full time effort revealed that the infection can jump across to another computer as soon as the computer boots.

It can erase or damage or alter the boot sector. I also installed the infected drive into a shell for an external hard drive with a USB link. Booted up a working computer with Linux, then plugged in the infected drive. Clicking on the "MY COMPUTER" icon showed the external drive. Thinking I could now copy out My Document directory I clicked on the icon for the external drive. It literally disappeared before my eyes. Suddenly no icon. All attempts to read it met with failure. It was as if the malware had somehow changed the external drive to HIDDEN FILE or equivalent so I could no longer read it. Remember; I am at this point using a Linux computer. Supposedly this cannot happen. But it did.

I also discovered that the drive in the cobbled together LINUX machine was no longer usable. I attempted to reinstall UBUNTU from the CD. No joy! But this time I had collected a number of drives, chassis etc. At this time I have six unusable drives and two complete computers that I cannot get to start up. Probably the drives inside are also infected. Two of the drives are in fact Western digital laptop types from USB pocket books. I downloaded the specific program from Western digital to reformat these drives. Didn't work. Whatever was done to the drives by the malware defied the ability of the reformatting software to recover the WD drives. The local computer store is stumped.

I'm told by computer guys who have tangled with AntivirusXP 2010, it is much nastier than the variant that I tangled with. Furthermore there is now a new variant that has not been activated. There is a strong suspicion this particular nasty is going to be activated on April 01. Look Out!! Be warned.

__________________
Elnav
Register to Reply
Power-User
Canada - Member - BC Born, Alberta Raised, Quebec (poutine) crazed... Engineering Fields - Aerospace Engineering - An airplane is just a bunch of beams... Hobbies - Model Rocketry - Had fun as a kid...fun stuff Hobbies - CNC - dreaming of cutting Engineering Fields - Control Engineering - PID ME!

Join Date: Aug 2006
Location: Montreal, CANADA
Posts: 368
Good Answers: 10
#28
In reply to #27

Re: Antivirus Software Hijacks My Computer

03/26/2009 2:41 PM

I dread those days when my wife calls and says "I think we have a virus! ...a webpage said the computer was infected so I clicked on it" <*GASP*>

There are so many viruses out there it's practically impossible to know about all of them from first hand experience and, unfortunately, there are always infections between when a new one comes out and the patches are downloaded and running on individual computers. My PC at home has windows XP pro (64bit edition) so I was forced by default to use AVAST antivirus since it was the only company that made a 64bit compatible anti-virus at the time...all the others waited for the Vista cash cow to come to town before doing anything. This move by AVAST won a loyal customer (for the free version) and it has done a very good job over the last few years at saving the computer, in spite of the wrong thing getting clicked.

Both my wife (NOT a computer guru) and I have laptops that run linux. They're fast, secure, and a breeze to install...each takes only about 20min and there's no drivers to install afterward and especially nice since viruses and trojans aren't a problem. Even if I download something I have to make it executable before it would ever run and then type in an admin password before the program could ever get access to any system files...

Viruses CAN hide in the Master Boot Record and resurface on a newly installed (but unformatted) windows machine. I prefer to wipe the drive at least once a year. The windows registry gets bloated with time and it's nice to trim the fat and have the machine's power available to do what I want it to...not juggle old files and try to maintain patches around problems long forgotten.

__________________
kkjensen
Register to Reply
Guru
Popular Science - Weaponology - bwire Hobbies - Car Customizing - New Member

Join Date: Dec 2007
Location: Upper Mid-west USA
Posts: 7498
Good Answers: 97
#34
In reply to #27

Re: Antivirus Software Hijacks My Computer

03/26/2009 4:56 PM

Hi elnav,

I got to hand it to you 'cause you've been hopping through hoops way more than anyone should ever expect to.

Yeah, it overwhelmed your computers and made changes to the registry which prevented you from correcting the situation. But the systems are not unusable; the malware can and so can you, through some synergistic warfare tactics on your part.

But will elnav bite is the operative word? Okay, here's a hint: it's done with both DOS and Windows.

__________________
If death came with a warning there would be a whole lot less of it.
Register to Reply Off Topic (Score 5)
Guru
Canada - Member - New Member Hobbies - Musician - New Member

Join Date: Dec 2006
Location: Western Canada
Posts: 1863
Good Answers: 39
#37
In reply to #34

Re: Antivirus Software Hijacks My Computer

03/26/2009 5:31 PM

Are you speaking of a low level format? I thought that was what I tried with the Western Digital software. If it wasn't, then where do I go to get formatting software that can handle the latest large drives? What software I do have available can only format up to 2.4 GB. Obviously it exists since new drives are coming out daily. But where do you go to download it (hopefully for free)?

__________________
Elnav
Register to Reply Off Topic (Score 5)
Guru
Popular Science - Weaponology - New Member Safety - ESD - New Member Hobbies - Fishing - New Member

Join Date: Sep 2006
Location: Near Frankfurt am Main, Germany. 50.390866N, 8.884827E
Posts: 17996
Good Answers: 200
#32
In reply to #21

Re: Antivirus Software Hijacks My Computer

03/26/2009 4:49 PM

I use Knoppix......it's pretty easy to use and no install needed, as you pointed out...

__________________
"What others say about you reveals more about them, than it does you." Anon.
Register to Reply
Participant

Join Date: Feb 2009
Location: San Diego, CA
Posts: 4
#25

Re: Antivirus Software Hijacks My Computer

03/26/2009 1:34 PM

Thank you all for spending your time to give me advice. I will follow your advice and do it myself. What I do not understand is how did it get in to my computer?????

I do not open any unfamiliar emails or go to unfamiliar websites.

How does McAfee compare to AVG? Should I keep both programs running?

Again, thank you all for your help.

TTKLD

Register to Reply
Power-User
Canada - Member - BC Born, Alberta Raised, Quebec (poutine) crazed... Engineering Fields - Aerospace Engineering - An airplane is just a bunch of beams... Hobbies - Model Rocketry - Had fun as a kid...fun stuff Hobbies - CNC - dreaming of cutting Engineering Fields - Control Engineering - PID ME!

Join Date: Aug 2006
Location: Montreal, CANADA
Posts: 368
Good Answers: 10
#26
In reply to #25

Re: Antivirus Software Hijacks My Computer

03/26/2009 1:51 PM

Don't use two anti-virus programs...it will really slow down your computer and cause problems since each will think that it's the boss.

AVG is a pretty good program considering it's free. McAfee is something you have to pay an annual subscription to use.

To protect your computer a bit more, install things with an administrator account but then create yourself a normal (non-administrator) account for normal use. This will prevent any accidents...any process started by you in an administrator account gets administrator privileges (meaning FULL access to system stuff)

Good luck!

__________________
kkjensen
Register to Reply
Power-User
United States - Member - New Member Engineering Fields - Biomedical Engineering - Radiation Oncology Engineering Hobbies - Fishing - New Member APIX Pilot Plant Design Project - Member - New Member Hobbies - Hunting - New Member Hobbies - DIY Welding - New Member Hobbies - Target Shooting - New Member Popular Science - Biology - New Member

Join Date: Sep 2006
Location: CT
Posts: 267
Good Answers: 1
#43
In reply to #25

Re: Antivirus Software Hijacks My Computer

03/27/2009 8:05 AM

Check with your ISP. Mine offers "free" Mcafee with access. Maybe yours does as well.

Bob

__________________
“Sometimes we don't even realize what we really care about, because we get so distracted by the symbols.” - Tom Wolfe, The Electric Kool-Aid Acid Test
Register to Reply
Guru
Popular Science - Cosmology - New Member

Join Date: Feb 2009
Location: Halcottsville, NY
Posts: 665
Good Answers: 16
#29

Re: Antivirus Software Hijacks My Computer

03/26/2009 2:58 PM

I'm barely functional with these damn machines, and have run into many of the same problems as have been discussed here. The Vista on this new Compaq was giving me a lot of problems from day one. I finally bit the bullet and contacted HP Help and after explaining what the problems were, and what I had done to correct them, I got an updated operating system to replace the corrupted one in D drive. It took about 40 minutes with a courteous and verrry patient technician from Delhi. Whew! What a relief when it worked. I could then go about doing all the clean-up and maintenance that was needed.

One trick I learned along the way was to reboot the D drive. This may help if you have startup problems: As soon as you turn on your computer, hit the f11 key repeatedly until you get 'System Reboot', or 'Reinstall D' or some such, then follow instructions. Let it work, because on this system it doesn't tell you it's working or when it's finished. What it does is re-ask one of the first questions, if you want to go through with the reboot. Close this, you're done, and get back to reinstalling whatever you didn't back up, including passwords. You will have to reupdate everything that you previously updated. Do this right away, especially for security.

This thread has so much good advice I would like to save it. Can anyone help me there?

Thanks to all.

Carl

__________________
De gustibus non est disputandum.
Register to Reply
Guru
Popular Science - Weaponology - bwire Hobbies - Car Customizing - New Member

Join Date: Dec 2007
Location: Upper Mid-west USA
Posts: 7498
Good Answers: 97
#31

Re: Antivirus Software Hijacks My Computer

03/26/2009 4:18 PM

One of the more effective approaches to controlling and eradicating this cretin is to eliminate and reassign the changed registry keys. At present your system is likely overwhelmed and any attempt to resolve it is inadequate because the registry is corrupted.

The following article will provide the steps to restore your system to the state prior to this trouble with all files intact.

Manual steps to recover a corrupted registry that prevents Windows XP from starting

The procedure that this article describes uses Recovery Console and System Restore. This article also lists all the required steps in specific order to make sure that the process is fully completed. When you finish this procedure, the system returns to a state very close to the state before the problem occurred. If you have ever run NTBackup and completed a system state backup, you do not have to follow the procedures in parts two and three. You can go to part four.

Part one

In part one, you start the Recovery Console, create a temporary folder, back up the existing registry files to a new location, delete the registry files at their existing location, and then copy the registry files from the repair folder to the System32\Config folder. When you have finished this procedure, a registry is created that you can use to start Windows XP. This registry was created and saved during the initial setup of Windows XP. Therefore any changes and settings that occurred after the Setup program was finished are lost.

To complete part one, follow these steps:

1. Insert the Windows XP startup disk into the floppy disk drive, or insert the Windows XP CD-ROM into the CD-ROM drive, and then restart the computer.
Click to select any options that are required to start the computer from the CD-ROM drive if you are prompted to do so.

2. When the "Welcome to Setup" screen appears, press R to start the Recovery Console.

3. If you have a dual-boot or multiple-boot computer, select the installation that you want to access from the Recovery Console.

4. When you are prompted to do so, type the Administrator password. If the administrator password is blank, just press ENTER.

5. At the Recovery Console command prompt, type the following lines, pressing ENTER after you type each line:

md tmp
copy c:\windows\system32\config\system c:\windows\tmp\system.bak
copy c:\windows\system32\config\software c:\windows\tmp\software.bak
copy c:\windows\system32\config\sam c:\windows\tmp\sam.bak
copy c:\windows\system32\config\security c:\windows\tmp\security.bak
copy c:\windows\system32\config\default c:\windows\tmp\default.bak

delete c:\windows\system32\config\system
delete c:\windows\system32\config\software
delete c:\windows\system32\config\sam
delete c:\windows\system32\config\security
delete c:\windows\system32\config\default

copy c:\windows\repair\system c:\windows\system32\config\system
copy c:\windows\repair\software c:\windows\system32\config\software
copy c:\windows\repair\sam c:\windows\system32\config\sam
copy c:\windows\repair\security c:\windows\system32\config\security
copy c:\windows\repair\default c:\windows\system32\config\default

6. Type exit to quit Recovery Console. Your computer will restart.

Note This procedure assumes that Windows XP is installed to the C:\Windows folder. Make sure to change C:\Windows to the appropriate windows_folder if it is a different location.

If you have access to another computer, to save time, you can copy the text in step five, and then create a text file called "Regcopy1.txt" (for example). To use this file, run the following command when you start in Recovery Console:

batch regcopy1.txt

With the batch command in Recovery Console, you can process all the commands in a text file sequentially. When you use the batch command, you do not have to manually type as many commands.

Part two

To complete the procedure described in this section, you must be logged on as an administrator, or an administrative user (a user who has an account in the Administrators group). If you are using Windows XP Home Edition, you can log on as an administrative user. If you log on as an administrator, you must first start Windows XP Home Edition in Safe mode. To start the Windows XP Home Edition computer in Safe mode, follow these steps.

Note Print these instructions before you continue. You cannot view these instructions after you restart the computer in Safe Mode. If you use the NTFS file system, also print the instructions from Knowledge Base article KB309531. Step 7 contains a reference to the article.

1. Click Start, click Shut Down (or click Turn Off Computer), click Restart, and then click OK (or click Restart).

2. Press the F8 key.

On a computer that is configured to start to multiple operating systems, you can press F8 when you see the Startup menu.

3. Use the arrow keys to select the appropriate Safe mode option, and then press ENTER.

4. If you have a dual-boot or multiple-boot system, use the arrow keys to select the installation that you want to access, and then press ENTER.

In part two, you copy the registry files from their backed up location by using System Restore. This folder is not available in Recovery Console and is generally not visible during typical usage. Before you start this procedure, you must change several settings to make the folder visible:

1. Start Windows Explorer.

2. On the Tools menu, click Folder options.

3. Click the View tab.

4. Under Hidden files and folders, click to select Show hidden files and folders, and then click to clear the Hide protected operating system files (Recommended) check box.

5. Click Yes when the dialog box that confirms that you want to display these files appears.

6. Double-click the drive where you installed Windows XP to display a list of the folders. It is important to click the correct drive.

7. Open the System Volume Information folder. This folder is unavailable and appears dimmed because it is set as a super-hidden folder.

Note This folder contains one or more _restore {GUID} folders such as "_restore{87BD3667-3246-476B-923F-F86E30B3E7F8}".

Note You may receive the following error message:

C:\System Volume Information is not accessible. Access is denied.

If you receive this message, see the following Microsoft Knowledge Base article to gain access to this folder and continue with the procedure:

309531 (http://support.microsoft.com/kb/309531/ ) How to gain access to the System Volume Information folder

8. Open a folder that was not created at the current time. You may have to click Details on the View menu to see when these folders were created. There may be one or more folders starting with "RPx" under this folder. These are restore points.

9. Open one of these folders to locate a Snapshot subfolder. The following path is an example of a folder path to the Snapshot folder:

C:\System Volume Information\_restore{D86480E3-73EF-47BC-A0EB-A81BE6EE3ED8}\RP1\Snapshot

10. From the Snapshot folder, copy the following files to the C:\Windows\Tmp folder:

o _REGISTRY_USER_.DEFAULT

o _REGISTRY_MACHINE_SECURITY

o _REGISTRY_MACHINE_SOFTWARE

o _REGISTRY_MACHINE_SYSTEM

o _REGISTRY_MACHINE_SAM

11. Rename the files in the C:\Windows\Tmp folder as follows:

o Rename _REGISTRY_USER_.DEFAULT to DEFAULT

o Rename _REGISTRY_MACHINE_SECURITY to SECURITY

o Rename _REGISTRY_MACHINE_SOFTWARE to SOFTWARE

o Rename _REGISTRY_MACHINE_SYSTEM to SYSTEM

o Rename _REGISTRY_MACHINE_SAM to SAM

These files are the backed up registry files from System Restore. Because you used the registry file that the Setup program created, this registry does not know that these restore points exist and are available. A new folder is created with a new GUID under System Volume Information and a restore point is created that includes a copy of the registry files that were copied during part one. Therefore, it is important not to use the most current folder, especially if the time stamp on the folder is the same as the current time.

The current system configuration is not aware of the previous restore points. You must have a previous copy of the registry from a previous restore point to make the previous restore points available again.

The registry files that were copied to the Tmp folder in the C:\Windows folder are moved to make sure that the files are available under Recovery Console. You must use these files to replace the registry files currently in the C:\Windows\System32\Config folder. By default, Recovery Console has limited folder access and cannot copy files from the System Volume folder.

Note The procedure described in this section assumes that you are running your computer with the FAT32 file system. For more information about how to access the System Volume Information Folder with the NTFS file system, click the following article number to view the article in the Microsoft Knowledge Base:

309531 (http://support.microsoft.com/kb/309531/ ) How to gain access to the System Volume Information folder

Part Three

In part three, you delete the existing registry files, and then copy the System Restore Registry files to the C:\Windows\System32\Config folder:

1. Start Recovery Console.

2. At the command prompt, type the following lines, pressing ENTER after you type each line:

del c:\windows\system32\config\sam

del c:\windows\system32\config\security

del c:\windows\system32\config\software

del c:\windows\system32\config\default

del c:\windows\system32\config\system

copy c:\windows\tmp\software c:\windows\system32\config\software

copy c:\windows\tmp\system c:\windows\system32\config\system

copy c:\windows\tmp\sam c:\windows\system32\config\sam

copy c:\windows\tmp\security c:\windows\system32\config\security

copy c:\windows\tmp\default c:\windows\system32\config\default

Note Some of these command lines may be wrapped for readability.

3. Type exit to quit Recovery Console. Your computer restarts.

Note This procedure assumes that Windows XP is installed to the C:\Windows folder. Make sure to change C:\Windows to the appropriate windows_folder if it is a different location.

If you have access to another computer, to save time, you can copy the text in step two, and then create a text file called "Regcopy2.txt" (for example). To use this file, run the following command when you start in Recovery Console:

batch regcopy2.txt

Part Four

1. Click Start, and then click All Programs.

2. Click Accessories, and then click System Tools.

3. Click System Restore, and then click Restore to a previous RestorePoint.

REFERENCES

For more information about using Recovery Console, click the following article numbers to view the articles in the Microsoft Knowledge Base:

307654 (http://support.microsoft.com/kb/307654/ ) How to install and use the Recovery Console in Windows XP

216417 (http://support.microsoft.com/kb/216417/ ) How to install the Windows Recovery Console

240831 (http://support.microsoft.com/kb/240831/ ) How to copy files from Recovery Console to removable media

314058 (http://support.microsoft.com/kb/314058/ ) Description of the Windows XP Recovery Console

For more information about System Restore, click the following article numbers to view the articles in the Microsoft Knowledge Base:

306084 (http://support.microsoft.com/kb/306084/ ) How to restore the operating system to a previous state in Windows XP

261716 (http://support.microsoft.com/kb/261716/ ) System Restore removes files during a restore procedure

__________________
If death came with a warning there would be a whole lot less of it.
Register to Reply Score 1 for Good Answer
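Added example, not part of the post or of the Microsoft article it quotes: a check that the five hive files taken from a Snapshot folder in part two are structurally intact before part three uses them to replace the live registry. It is meant to be run from a Linux live CD or a second machine with Python; the header offsets come from public descriptions of the "regf" hive format rather than from the article, and make_hive() builds a constructed stand-in, not a real registry.

```python
import struct
import sys
import tempfile
from pathlib import Path

# Snapshot file name -> name it is given in C:\Windows\Tmp (step 11 of part two).
HIVES = {
    "_REGISTRY_USER_.DEFAULT": "DEFAULT",
    "_REGISTRY_MACHINE_SECURITY": "SECURITY",
    "_REGISTRY_MACHINE_SOFTWARE": "SOFTWARE",
    "_REGISTRY_MACHINE_SYSTEM": "SYSTEM",
    "_REGISTRY_MACHINE_SAM": "SAM",
}
BASE_BLOCK = 4096  # size of the "regf" header block that starts every hive


def header_checksum(block: bytes) -> int:
    """XOR of the first 127 little-endian dwords, with the two reserved results remapped."""
    value = 0
    for (dword,) in struct.iter_unpack("<I", block[:508]):
        value ^= dword
    if value == 0xFFFFFFFF:
        return 0xFFFFFFFE
    return value or 1


def check_hive(data: bytes) -> list:
    """Return the problems found in a hive image; an empty list means the header is sane."""
    if len(data) < BASE_BLOCK + 4:
        return ["too short to hold a base block and a hive bin"]
    if data[:4] != b"regf":
        return ["missing 'regf' signature"]
    problems = []
    seq1, seq2 = struct.unpack_from("<II", data, 4)
    if seq1 != seq2:
        problems.append("sequence numbers differ (%d/%d): last write did not complete"
                        % (seq1, seq2))
    (stored,) = struct.unpack_from("<I", data, 508)
    if stored != header_checksum(data):
        problems.append("header checksum mismatch")
    if data[BASE_BLOCK:BASE_BLOCK + 4] != b"hbin":
        problems.append("first hive bin does not start with 'hbin'")
    return problems


def check_snapshot(folder) -> dict:
    """Check the five hives of one Snapshot folder; maps target name -> problem list."""
    folder = Path(folder)
    report = {}
    for source, target in HIVES.items():
        path = folder / source
        report[target] = check_hive(path.read_bytes()) if path.is_file() else ["file missing"]
    return report


def make_hive(seq1=7, seq2=7) -> bytes:
    """Constructed minimal hive image for the demonstration."""
    header = bytearray(BASE_BLOCK)
    header[:4] = b"regf"
    struct.pack_into("<II", header, 4, seq1, seq2)
    struct.pack_into("<II", header, 20, 1, 3)            # format version 1.3
    struct.pack_into("<I", header, 508, header_checksum(bytes(header)))
    return bytes(header) + b"hbin" + bytes(4092)


if __name__ == "__main__":
    # Usage: script.py <path to a Snapshot folder>; with no argument a constructed set is used.
    if len(sys.argv) > 1:
        results = check_snapshot(sys.argv[1])
    else:
        with tempfile.TemporaryDirectory() as tmp:
            for name in HIVES:
                Path(tmp, name).write_bytes(make_hive())
            Path(tmp, "_REGISTRY_MACHINE_SAM").write_bytes(make_hive(8, 7))
            results = check_snapshot(tmp)
    for target, found in results.items():
        print(target.ljust(9), "OK" if not found else "; ".join(found))
```

A restore point whose hives fail this check is a poor candidate for part three; an older RPx folder that passes is the safer source.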
Guru
Canada - Member - New Member Hobbies - Musician - New Member

Join Date: Dec 2006
Location: Western Canada
Posts: 1863
Good Answers: 39
#36
In reply to #31

Re: Antivirus Software Hijacks My Computer

03/26/2009 5:25 PM

Bwire; the malware I dealt with disabled the RESTORE Function right off the bat. I normally have daily restore points. My version of malware erased ALL restore points and replaced it with one only. Namely the time of boot up. Successive boot ups proved it also erased its own RESTORE points. Naturally the registry is similarly affected. One and only one RESTORE point could be found. Always it coincided with the boot up time. All of this advice we have seen is based on what we knew from before. The Stanford link provided by one poster led to a nice article covering how virus detectors worked etc. Good stuff. But it pointed out the weak point in virus defense. ALL of it is reactive. A virus cannot be detected or defeated until it has been executed and then a sample captured and analyzed. What we are dealing with today has never been seen before. It is not a variant of some old bogeyman that was simply an annoyance virus. The latest virus goes right for the jugular.

__________________
Elnav
Register to Reply
Guru
Popular Science - Weaponology - bwire Hobbies - Car Customizing - New Member

Join Date: Dec 2007
Location: Upper Mid-west USA
Posts: 7498
Good Answers: 97
#38
In reply to #36

Re: Antivirus Software Hijacks My Computer

03/26/2009 10:33 PM

That's not the type of restore I was referring to; refer to post #31

__________________
If death came with a warning there would be a whole lot less of it.
Register to Reply
Guru
Canada - Member - New Member Hobbies - Musician - New Member

Join Date: Dec 2006
Location: Western Canada
Posts: 1863
Good Answers: 39
#39
In reply to #38

Re: Antivirus Software Hijacks My Computer

03/26/2009 11:42 PM

Bwire, how would you go about doing this to a drive which the computer cannot read?

__________________
Elnav
Register to Reply
Guru
Popular Science - Weaponology - New Member Safety - ESD - New Member Hobbies - Fishing - New Member

Join Date: Sep 2006
Location: Near Frankfurt am Main, Germany. 50.390866N, 8.884827E
Posts: 17996
Good Answers: 200
#40
In reply to #39

Re: Antivirus Software Hijacks My Computer

03/27/2009 7:07 AM

I have 2 ideas, both of which might be totally useless, see what you think:-

1) Have you loaded up a Linux from CD like Knoppix and looked to see if the disk is then visible? If yes, format to FAT32 (there is a reason for that!). Then remake MBR from Unix.

If that does not work then:-

2) Ask the disk manufacturer to take a look at one drive and tip you what is REALLY wrong. I personally cannot believe that there is anything electronically wrong, what may have happened is that the basic format is gone or damaged, the OEM must be able to supply a software utility to remake that......(I know that you have a low level formatter, but is it "low" enough?)

__________________
"What others say about you reveals more about them, than it does you." Anon.
Register to Reply
Guru
Canada - Member - New Member Hobbies - Musician - New Member

Join Date: Dec 2006
Location: Western Canada
Posts: 1863
Good Answers: 39
#47
In reply to #40

Re: Antivirus Software Hijacks My Computer

03/27/2009 11:08 AM

As described earlier I did install Linux from a CD. Machine ran perfectly. Then I connected the infected CD. After booting up I got a message saying no bootable drive in machine. Removed infected drive thinking it was just interference. Rebooted. Still no go. Then attempted to reinstall Linux. Could not do so. Installed another of my older drives. Linux installed just fine. Repeated process. Result another drive rendered useless. Total collection at this point is now six unusable drives. Suggestion to get Mfg to look at it. Mfg is overseas in Japan. Data recovery company far away and wants min $300 to look at it. Shipping alone is $30 each way. In today's disposable society no one wants to actually "repair" anything. I have two working computers which I am not going to risk with tinkering to trouble shoot. However, I have by now also collected a bunch of discards and managed to cobble something together that does work. With Microsoft's policy of requiring validation before they will activate a copy of XP I am unable to get a windows machine to run. My only choices are Linux. So far I have not found a lot of tools to work with. I have a copy of UBUNTU but was unable to download a working copy of knoppix. I have one from 2003 but it doesn't have a lot of useful stuff.

__________________
Elnav
Register to Reply
Guru
Popular Science - Weaponology - New Member Safety - ESD - New Member Hobbies - Fishing - New Member

Join Date: Sep 2006
Location: Near Frankfurt am Main, Germany. 50.390866N, 8.884827E
Posts: 17996
Good Answers: 200
#55
In reply to #47

Re: Antivirus Software Hijacks My Computer

03/28/2009 7:45 AM

This sentence is confusing me:-

Then I connected the infected CD.

Please explain.

__________________
"What others say about you reveals more about them, than it does you." Anon.
Register to Reply
Guru
Canada - Member - New Member Hobbies - Musician - New Member

Join Date: Dec 2006
Location: Western Canada
Posts: 1863
Good Answers: 39
#56
In reply to #55

Re: Antivirus Software Hijacks My Computer

03/28/2009 3:14 PM

Sorry, typo. Should be HD hard drive in an external drive housing and connected by a USB cord. Up to that point I was under the impression virus and malware stayed resident in the infected C:/ drive or propagated itself as a kernel but stayed dormant until it was activated with the next boot up in a main drive. I had never heard of a virus that immediately destroyed or corrupted the MBR as soon as the computer tried to read the drive. The result was; as soon as the BIOS sequence was completed and you should normally see the O/S being loaded, instead there was some read/write activity and then the message came up saying no bootable drive found. Since I had just verified that a bootable drive was in fact present and it did run Linux prior to connecting the infected drive as an external drive, I can only conclude something went active and immediately caused changes to the normal routine.

__________________
Elnav
Register to Reply
Guru
Popular Science - Weaponology - New Member Safety - ESD - New Member Hobbies - Fishing - New Member

Join Date: Sep 2006
Location: Near Frankfurt am Main, Germany. 50.390866N, 8.884827E
Posts: 17996
Good Answers: 200
#57
In reply to #56

Re: Antivirus Software Hijacks My Computer

03/28/2009 4:12 PM

Most BIOSs can protect the MBR from being changed, have you set this correctly? Assuming it's available on your PC......

__________________
"What others say about you reveals more about them, than it does you." Anon.
Register to Reply
Guru
Canada - Member - New Member Hobbies - Musician - New Member

Join Date: Dec 2006
Location: Western Canada
Posts: 1863
Good Answers: 39
#58
In reply to #57

Re: Antivirus Software Hijacks My Computer

03/28/2009 4:19 PM

It is not an option on what I have.

__________________
Elnav
Register to Reply
Guru
Popular Science - Weaponology - New Member Safety - ESD - New Member Hobbies - Fishing - New Member

Join Date: Sep 2006
Location: Near Frankfurt am Main, Germany. 50.390866N, 8.884827E
Posts: 17996
Good Answers: 200
#59
In reply to #58

Re: Antivirus Software Hijacks My Computer

03/28/2009 6:21 PM

It's been a BIOS option on all the PCs I have had since Win98 days. I cannot remember if it was in the PC for Win95 or not!!! I never specifically bought for that, just lucky I guess.

Are you sure you know what I mean?

__________________
"What others say about you reveals more about them, than it does you." Anon.
Register to Reply
Guru
Canada - Member - New Member Hobbies - Musician - New Member

Join Date: Dec 2006
Location: Western Canada
Posts: 1863
Good Answers: 39
#61
In reply to #59

Re: Antivirus Software Hijacks My Computer

03/29/2009 12:55 AM

Maybe not! Kindly enlighten me. I am always willing to learn new things.

__________________
Elnav
Register to Reply
Guru
Popular Science - Weaponology - New Member Safety - ESD - New Member Hobbies - Fishing - New Member

Join Date: Sep 2006
Location: Near Frankfurt am Main, Germany. 50.390866N, 8.884827E
Posts: 17996
Good Answers: 200
#64
In reply to #61

Re: Antivirus Software Hijacks My Computer

03/29/2009 8:10 AM

Go into the BIOS after switch on, look for something like the following (it depends upon the company that built the BIOS and you haven't told us yet what you have!):-

Boot Virus Detection

Detect Boot Virus by Trend

Virus Warning

Read your manual as well....

Knoppix can re write the MBR in Windows format......should help.

__________________
"What others say about you reveals more about them, than it does you." Anon.
Register to Reply
Guru
Canada - Member - New Member Hobbies - Musician - New Member

Join Date: Dec 2006
Location: Western Canada
Posts: 1863
Good Answers: 39
#66
In reply to #64

Re: Antivirus Software Hijacks My Computer

03/29/2009 9:45 PM

Looks like I have a BIOS by Award copyright 2000. Anti virus protection is enabled. First boot device is CDROM and MPS version is 1.4 There is no other mention of any virus or boot in either the standard or advanced CMOS setup facility.

__________________
Elnav
Register to Reply
Guru
Popular Science - Weaponology - New Member Safety - ESD - New Member Hobbies - Fishing - New Member

Join Date: Sep 2006
Location: Near Frankfurt am Main, Germany. 50.390866N, 8.884827E
Posts: 17996
Good Answers: 200
#69
In reply to #66

Re: Antivirus Software Hijacks My Computer

03/30/2009 3:40 AM

Your PC appears to be quite old and the only Award BIOS info that I found, supports your thoughts that there is no way of stopping a virus changing the MBR. By the way, this is a common way (or was at one time) for a virus to take over a PC....

I personally have had no experience (been lucky!) of such viruses, I just read about them in the press....

Most of the press I found with Googling "MBR Virus" was in German, I can read the language, but can you.....but Google knows I live in Germany, so if you search, you might find more infos in English....

The web page I found is at:-

http://www.buildeasypc.com/sw/bios_setup.htm

May I suggest that if you are unable to save the disk drives with Knoppix as I previously mentioned, that a good idea might be to get a new PC as your present one appears to be always open to attacks in this manner.....

Furthermore, I personally (rightly or wrongly) believe that with the right method (Knoppix is what I would have first tried), you could at least recover the disk drives for further use, although all data will probably be lost.....

I do feel that the most likely problem is that the MBR has been rewritten by a virus.....

A German magazine recommends a partition repair tool like:-

Ranish Partition Manager 2.43 (Freeware for DOS, 172 KB)

for example.

Also booting a DOS floppy and using the command "fdisk /MBR", but whether that would work properly on an NTFS disk I could not say personally. I have used the Knoppix way on a friend's PC some years ago, that does have promise...it might allow re-formatting at least....

Also a software called "MBRCLEAN.EXE" might help you, search on the web.

MBR Rootkits seem also to be almost perfect (!! Wrong word I know) and exceedingly difficult to clean off....

Here are some interesting tools and reading for you:

http://www.ntfs.com/mbr-virus.htm

What appears to be general, the problems are some years old and mainly affect older PCs, or that is at least my impression as many links are not dated, but those that are, are all old.....

Best wishes.

AG

PS Never buy an Award BIOS PC again, make sure it has "Boot Sector Security", ASK!

__________________
"What others say about you reveals more about them, than it does you." Anon.
Register to Reply
Guru
Canada - Member - New Member Hobbies - Musician - New Member

Join Date: Dec 2006
Location: Western Canada
Posts: 1863
Good Answers: 39
#70
In reply to #69

Re: Antivirus Software Hijacks My Computer

03/30/2009 3:54 AM

I am going to check out the links you posted. Sounds promising.

As for never buying an AWARD BIOS again, beggars can't be choosers.

What I have I scrounge. All of my computers have been cobbled together from scrap. Hey It's all I can afford!

It's hard enough to pay the household bills. If I want something I either make it myself or scrounge for it in the scrap heaps. Even got my truck that way. It had been abandoned for three years. So I fixed it up and drove it away with the owner's blessing. Otherwise he would have had to pay $100 to get rid of it.

__________________
Elnav
Register to Reply
Guru
Popular Science - Weaponology - bwire Hobbies - Car Customizing - New Member

Join Date: Dec 2007
Location: Upper Mid-west USA
Posts: 7498
Good Answers: 97
#60
In reply to #56

Re: Antivirus Software Hijacks My Computer

03/28/2009 8:02 PM

Hey elnav,

It may not be associated with a virus, I've experienced that effect too. I determined it as the result of having two MBRs; i.e. your external HD has an MBR, though corrupted it is there yet. It may cause confusion resulting in a default message 'no boot record found.'

__________________
If death came with a warning there would be a whole lot less of it.
Register to Reply
Guru
Canada - Member - New Member Hobbies - Musician - New Member

Join Date: Dec 2006
Location: Western Canada
Posts: 1863
Good Answers: 39
#62
In reply to #60

Re: Antivirus Software Hijacks My Computer

03/29/2009 1:00 AM

Quite possible. But in that case would the removal of the second drive not clear the conflict? In which case the computer with only one drive should then be able to restart. I was also under the impression that when you select SLAVE on the jumpers on a hard drive this disables the MBR for that drive. And that being so it would not present a conflict during start up. However remember in my initial description I mentioned that the computer was booted up as stand-alone and then the second drive was added as a USB drive plugged in to a Linux computer. People keep telling me that a hot plug in to a Linux computer is perfectly safe.

__________________
Elnav
Register to Reply
Guru
Popular Science - Weaponology - bwire Hobbies - Car Customizing - New Member

Join Date: Dec 2007
Location: Upper Mid-west USA
Posts: 7498
Good Answers: 97
#63
In reply to #62

Re: Antivirus Software Hijacks My Computer

03/29/2009 4:13 AM

No, selecting slave does not disable the MBR, and I don't know what complications the conflict may have caused in a Linux O/S. Suggest bench testing to post for reference.

a hot plug in to a Linux computer is perfectly safe.

Whoa up there!

In linux, you need to mount** a storage device. this can be done very easily as long as you know the device names.

to mount you do ...

mount <device driver> <folder to link to the device> //Now this is the easy mount, but if linux doesn't know what type of file format it is, you have to specify it manually, like so...

mount -t<format> <dev. driver> <folder to link>

I.E. mount -t vfat /dev/hda /mnt/harddrive

There is a dir(folder) that you should use to linux, it's called either the /mnt or new linux versions have it as /media, in there you should create a folder that you will link to the device, I.E. /mnt/harddrive. This Will Be the folder to which you go into to look at the folders on the device.

in linux, there is a Dir(Folder) that contains most of the device drivers you would need. it's called /dev and under it is about 200 device files. so, the question is, which is for your device?

**

mount

mount [options] [[device] directory]

System administration command. Mount a file structure. The file structure on device is mounted on directory. If no device is specified, mount looks for an entry in /etc/fstab to find out what device is associated with the given directory. The directory, which must already exist and should be empty, becomes the name of the root of the newly mounted file structure. If mount is invoked with no arguments, it displays the name of each mounted device, the directory on which it is mounted, its filesystem type, and any mount options associated with the device.

Options

-a

Mount all filesystems listed in /etc/fstab. Use -t to limit this to all filesystems of a particular type.

--bind olddirectory newdirectory

Bind a mounted subtree to a new location. The tree will be available from both the old and new directory. This binding does not include any volumes mounted below the specified directory.

-f

Fake mount. Go through the motions of checking the device and directory, but do not actually mount the filesystem.

-F

When used with -a, fork a new process to mount each system.

-h

Print help message, then exit.

-l

When reporting on mounted filesystems, show filesystem labels for filesystems that have them.

-L label

Mount filesystem with the specified label.

--move olddirectory newdirectory

Move a mounted device to a new location. Keep in place any options and submounts.

-n

Do not record the mount in /etc/mtab.

-o option

Qualify the mount with a mount option. Many filesystem types have their own options. The following are common to most filesystems:

async

Read input and output to the device asynchronously.

atime

Update inode access time for each access. This is the default behavior.

auto

Allow mounting with the -a option.

defaults

Use all options' default values (async, auto, dev, exec, nouser, rw, suid).

dev

Interpret any special devices that exist on the filesystem.

dirsync

Perform all directory updates to the filesystem synchronously.

exec

Allow binaries to be executed.

_netdev

Filesystem is a network device requiring network access.

noatime

Do not update inode access time for each access.

noauto

Do not allow mounting via the -a option.

nodev

Do not interpret any special devices that exist on the filesystem.

noexec

Do not allow the execution of binaries on the filesystem.

nosuid

Do not acknowledge any suid or sgid bits.

nouser

Only privileged users will have access to the filesystem.

remount

Expect the filesystem to have already been mounted, and remount it.

ro

Allow read-only access to the filesystem.

rw

Allow read/write access to the filesystem.

suid

Acknowledge suid and sgid bits.

sync

Read input and output to the device synchronously.

user

Allow unprivileged users to mount or unmount the filesystem. The defaults on such a system will be nodev, noexec, and nosuid, unless otherwise specified.

users

Allow any user to mount or unmount the filesystem. The defaults on such a system will be nodev, noexec, and nosuid, unless otherwise specified.

-O option

Limit systems mounted with -a by -O's filesystem options (as used with -o). Use a comma-separated list to specify more than one option, and prefix an option with no to exclude filesystems with that option. Options -t and -O are cumulative.

-r

Mount filesystem read-only.

--rbind olddirectory newdirectory

Bind a mounted subtree to a new location. The tree will be available from both the old and new directory. Include any volumes mounted below the specified directory.

-s

Where possible, ignore mount options specified by -o that are not supported by the filesystem.

-t type

Specify the filesystem type. Possible values include adfs, affs, autofs, coda, cramfs, devpts, efs, ext2, ext3, hfs, hpfs, iso9660, jfs, minix, msdos, ncpfs, nfs, nfs4, ntfs, proc, qnx4, reiserfs, romfs, smbfs, sysv, tmpfs, udf, ufs, umsdos, vfat, xfs, and xiafs. The default type is iso9660. The type auto may also be used to set mount to autodetect the filesystem. When used with -a, this option can limit the types mounted. Use a comma-separated list to specify more than one type to mount. Prefix a list (or type) with no to exclude those types.

-U uuid

Mount filesystem with the specified uuid.

-v

Display mount information verbosely.

-V

Print version, then exit.

-w

Mount filesystem read/write. This is the default.

Files

/etc/fstab

List of filesystems to be mounted and options to use when mounting them.

/etc/mtab

List of filesystems currently mounted and the options with which they were mounted.

/proc/partitions

Used to find filesystems by label and uuid.

Not quite plug'n play eh?

__________________
If death came with a warning there would be a whole lot less of it.
Register to Reply
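An added example, not part of the post above: the option list includes four settings (ro, noexec, nosuid, nodev) that restrict what the contents of a mounted drive can do, and this sketch audits mount-table lines in the /etc/mtab format for external-drive mounts that lack them. The sample lines are constructed, and treating /mnt/ and /media/ as the external-drive locations is an assumption taken from the directories named in the post.

```python
import re

# Options from the mount option list that restrict a mounted filesystem:
# no writes, no executing binaries, no suid/sgid, no device nodes.
HARDENING = ("ro", "noexec", "nosuid", "nodev")

# Assumption: external drives are mounted under the directories the post names.
REMOVABLE_PREFIXES = ("/mnt/", "/media/")

# Constructed sample in /etc/mtab format (device, directory, type, options).
SAMPLE_MTAB = """\
/dev/sda1 / ext3 rw,errors=remount-ro 0 0
/dev/sdb1 /media/disk vfat rw,nosuid,nodev,uid=1000 0 0
/dev/sdc1 /mnt/suspect\\040drive ntfs ro,noexec,nosuid,nodev 0 0
/dev/sdd1 /mnt/harddrive ext3 rw,errors=remount-ro 0 0
"""


def unescape(field):
    """mtab writes space, tab, newline and backslash as 3-digit octal escapes."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def parse_mtab(text):
    """Parse mtab-style text into a list of mount entries."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0].startswith("#"):
            continue
        entries.append({
            "device": unescape(fields[0]),
            "mountpoint": unescape(fields[1]),
            "fstype": fields[2],
            # A set gives exact matching, so "errors=remount-ro" is not
            # mistaken for the "ro" option.
            "options": set(fields[3].split(",")),
        })
    return entries


def audit_removable(text):
    """Map each external-drive mount point to the hardening options it lacks."""
    report = {}
    for entry in parse_mtab(text):
        if not entry["mountpoint"].startswith(REMOVABLE_PREFIXES):
            continue
        missing = [opt for opt in HARDENING if opt not in entry["options"]]
        if missing:
            report[entry["mountpoint"]] = missing
    return report


def hardened_mount_command(device, directory, fstype="auto"):
    """Argument list for mounting a suspect drive with all four restrictions."""
    return ["mount", "-t", fstype, "-o", ",".join(HARDENING), device, directory]


if __name__ == "__main__":
    for mountpoint, missing in audit_removable(SAMPLE_MTAB).items():
        print("%s is missing: %s" % (mountpoint, ", ".join(missing)))
    # /dev/sdX1 is a placeholder device name.
    print(" ".join(hardened_mount_command("/dev/sdX1", "/mnt/harddrive", "vfat")))
```

Desktop automounters such as the one described in the next post choose their own options, so the audit is the way to see what a given system actually applied.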
Guru
Canada - Member - New Member Hobbies - Musician - New Member

Join Date: Dec 2006
Location: Western Canada
Posts: 1863
Good Answers: 39
#65
In reply to #63

Re: Antivirus Software Hijacks My Computer

03/29/2009 9:34 PM

"Whoa up there! In linux, you need to mount** a storage device. this can be done very easily as long as you know the device names."

REPLY: Not in UBUNTU I don't. Plug in a USB thumb drive and it instantly shows up as a drive icon. Plug in a second thumb drive and I get two icons. Plug in my camera and the computer comes up displaying what is on my camera storage disk. Click on either thumb drive icon and it immediately displays the directories and folders contained on that drive.

__________________
Elnav
Register to Reply
Guru
Popular Science - Weaponology - bwire Hobbies - Car Customizing - New Member

Join Date: Dec 2007
Location: Upper Mid-west USA
Posts: 7498
Good Answers: 97
#67
In reply to #65

Re: Antivirus Software Hijacks My Computer

03/30/2009 1:14 AM

What does clicking the icon display when you plug in the external HD?

__________________
If death came with a warning there would be a whole lot less of it.
Register to Reply
Guru
Canada - Member - New Member Hobbies - Musician - New Member

Join Date: Dec 2006
Location: Western Canada
Posts: 1863
Good Answers: 39
#68
In reply to #67

Re: Antivirus Software Hijacks My Computer

03/30/2009 2:31 AM

Ubuntu behaves pretty much like Windows. Click on the icon and you immediately get a display of folders and files contained on the external drive. However in the case of examining the infected drive; while still displaying content of the whole Linux computer, it showed the drive icon only. As soon as I clicked on the icon there was a pause, then the screen dissolved and an error message appeared. Since I did not understand exactly what the error message was referring to I tried to back track. Clicking on the left pointing arrow (back one page) I got back to the view of entire computer. Only difference being the external drive icon was no longer shown. Subsequent attempts also failed to show an external drive.

Thinking there was a fault with the USB interface, I later on attempted to plug the infected drive in as a D:/ drive in slave mode. This is when the Linux computer died. Having verified that the Linux would boot up on its own, I then connected the infected drive internally with the IDE ribbon cable. Now the computer booted up and I got a message of "no bootable drive found". Unplugged the infected drive and attempted to reboot. Same result. "no bootable drive found". At that point I attempted to reinstall Linux from the same CD I had used originally. No joy! Although the install process seemed to take place when I removed the CD, I was not able to get the computer to boot up in Linux. I went through this process several more times. Final body count; six drives rendered unusable.

I tried to go back to an earlier version of Windows to try and format the drive that way. W2K I think it was. No luck! I could not format the disk. Tried an old Disk Manager from Maxtor. In the past it has always been able to reformat a drive and install partitions etc. Not this time. At this point I am stumped as to what to try next. One of the infected drives was my external Western Digital passport USB I was using for my back ups. I found and downloaded the correct software for re-formatting this particular drive. I could not format the drive. Even the computer guys I have contacted are stumped as to what to try next. Their advice is to toss it and forget it. Just buy new. Well that doesn't do anything about learning why and how the virus works does it?

__________________
Elnav
Register to Reply
Guru
Popular Science - Weaponology - bwire Hobbies - Car Customizing - New Member

Join Date: Dec 2007
Location: Upper Mid-west USA
Posts: 7498
Good Answers: 97
#71
In reply to #68

Re: Antivirus Software Hijacks My Computer

03/30/2009 5:34 AM

elnav,

Thanks for the explanation. A couple of questions: in what way did you try to connect the external drive as D:\ in slave mode? I am assuming you have the ribbon cable with twin connectors; which of the ribbon cable connectors did you connect to the infected drive?

When you attempted to reinstall Linux did you reboot with the CD still in the drive?

It is possible the trouble is not related to a virus at all but to a conflict of drive assignments and connections, wouldn't that be rosy. Except that your old unit is no longer supported and is exceptionally vulnerable in the environment we currently endure, Linux or not.

If nothing else as a last resort you could http://www.support.microsoft.com/kb/330184 and repair the infected drive; remember if the virus can use the system so can you

__________________
If death came with a warning there would be a whole lot less of it.
Register to Reply Score 1 for Good Answer
Guru
Popular Science - Weaponology - New Member Safety - ESD - New Member Hobbies - Fishing - New Member

Join Date: Sep 2006
Location: Near Frankfurt am Main, Germany. 50.390866N, 8.884827E
Posts: 17996
Good Answers: 200
#72
In reply to #71

Re: Antivirus Software Hijacks My Computer

03/30/2009 6:58 AM

Brilliant!! GA from me, just for that one part sentence:-

"remember if the virus can use the system so can you "

Absolutely perfectly put!!!!

__________________
"What others say about you reveals more about them, than it does you." Anon.
Register to Reply
Guru
Popular Science - Weaponology - bwire Hobbies - Car Customizing - New Member

Join Date: Dec 2007
Location: Upper Mid-west USA
Posts: 7498
Good Answers: 97
#73
In reply to #72

Re: Antivirus Software Hijacks My Computer

03/30/2009 7:16 AM

Thanks Andy

__________________
If death came with a warning there would be a whole lot less of it.
Register to Reply Off Topic (Score 5)
Guru
Canada - Member - New Member Hobbies - Musician - New Member

Join Date: Dec 2006
Location: Western Canada
Posts: 1863
Good Answers: 39
#77
In reply to #71

Re: Antivirus Software Hijacks My Computer

03/30/2009 2:34 PM

When I connected the infected drive as an external drive I used the USB port. When I connected it as an internal D:/ drive I used the extra connector. I assumed the end connector was for the C:/ drive, since that is where it was originally connected. Isn't it only the 80 wire ribbon cable that has the cable select feature enabled? When the infected drive was the only drive in the box I used the end connector.

__________________
Elnav
Register to Reply
Guru
Popular Science - Weaponology - bwire Hobbies - Car Customizing - New Member

Join Date: Dec 2007
Location: Upper Mid-west USA
Posts: 7498
Good Answers: 97
#78
In reply to #77

Re: Antivirus Software Hijacks My Computer

03/30/2009 3:51 PM

Yes 80 conductor cable is cable select (CSEL) capable and connections appear correct.

Have you checked continuity pin to pin of the ribbon cable?

Is the red stripe aligned with pin 1?

You checked the BIOS utility and verified that it recognizes the drive and positioned it correctly in the drive hierarchy? Auto detect is selected? Give the infected drive boot priority over any other drive if the option is available.

Could be the partition table that is missing; try TestDisk for Windows or whatever is applicable. Here is the Windows guide.

Unzip the downloaded file to your C: drive.
Open C:\testdisk-6.10\win > double click the "testdisk_win" icon

The program runs in a command window and doesn't have to be installed.

Each of the steps (A, B, C etc) below corresponds to a new TestDisk window.
Use the keyboard's arrow keys to navigate.


A. At the first window, select "No Log" and press the <Enter> key.
B. Select which drive to analyse, choose "Proceed" and <Enter>.
C. Select partition type – Intel then <Enter>.

D. Select "Analyse" then <Enter>. The drive will be analysed.
E. Select "Quick Search" at the next screen, then <Enter>.

F. Press "Y" if the partitions were created under Vista – "N" if not.
G. TestDisk should say "Structure OK". If so, press <Enter>.

H. Select "Write" and press <Enter>.
I. Press "Y" to confirm.
J. Press <Enter>.

Exit and restart
The drive/partition should now be fixed and your data available again.

__________________
If death came with a warning there would be a whole lot less of it.
Register to Reply
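An added example, not code from any poster in this thread: a read-only check of the first sector of a drive or disk image for the two faults raised above, a rewritten MBR (#69) and a missing partition table (#78). The sample sector and the baseline hash are constructed here; on a real drive the baseline has to be recorded while the machine is known to be healthy.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440       # bytes 0..439: boot loader code
TABLE_OFFSET = 446        # four 16-byte partition entries start here
SIGNATURE_OFFSET = 510    # a valid MBR ends with the bytes 55 AA


def read_first_sector(path):
    """Read sector 0 of a disk image or block device, opened read-only."""
    with open(path, "rb") as handle:
        return handle.read(SECTOR_SIZE)


def boot_code_sha256(sector):
    """Hash of the boot code area, for comparison with a known-good baseline."""
    return hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest()


def parse_partitions(sector):
    """Return the non-empty partition entries as dictionaries."""
    partitions = []
    for index in range(4):
        start = TABLE_OFFSET + 16 * index
        # status, 3 CHS bytes (skipped), type, 3 CHS bytes (skipped),
        # first LBA and sector count as little-endian 32-bit values
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", sector, start)
        if ptype == 0 and count == 0:
            continue
        partitions.append({"index": index, "status": status, "type": ptype,
                           "first_lba": lba, "sectors": count})
    return partitions


def inspect_mbr(sector, baseline_sha256=None):
    """Return a list of findings; an empty list means nothing looked wrong."""
    if len(sector) != SECTOR_SIZE:
        return ["short read: expected 512 bytes, got %d" % len(sector)]
    findings = []
    if sector[SIGNATURE_OFFSET:] != b"\x55\xaa":
        findings.append("boot signature 55 AA missing")
    partitions = parse_partitions(sector)
    if not partitions:
        findings.append("partition table is empty")
    for part in partitions:
        if part["status"] not in (0x00, 0x80):
            findings.append("entry %d: invalid status byte 0x%02x"
                            % (part["index"], part["status"]))
        if part["first_lba"] == 0:
            findings.append("entry %d: starts at LBA 0, on top of the MBR"
                            % part["index"])
    if len([p for p in partitions if p["status"] == 0x80]) > 1:
        findings.append("more than one active partition")
    ordered = sorted(partitions, key=lambda p: p["first_lba"])
    for left, right in zip(ordered, ordered[1:]):
        if left["first_lba"] + left["sectors"] > right["first_lba"]:
            findings.append("entries %d and %d overlap"
                            % (left["index"], right["index"]))
    if baseline_sha256 and boot_code_sha256(sector) != baseline_sha256:
        findings.append("boot code differs from baseline")
    return findings


def build_sample_mbr():
    """Constructed sample: placeholder boot bytes, one active NTFS partition."""
    sector = bytearray(SECTOR_SIZE)
    sector[0:4] = b"\xeb\x3c\x90\x00"      # placeholder, not real boot code
    struct.pack_into("<B3xB3xII", sector, TABLE_OFFSET, 0x80, 0x07, 63, 2048000)
    sector[SIGNATURE_OFFSET:] = b"\x55\xaa"
    return bytes(sector)


if __name__ == "__main__":
    clean = build_sample_mbr()
    baseline = boot_code_sha256(clean)
    wiped = clean[:TABLE_OFFSET] + bytes(66)   # table and signature zeroed
    for label, sector in (("clean", clean), ("wiped", wiped)):
        print(label, inspect_mbr(sector, baseline) or "no findings")
```

On Linux, `read_first_sector("/dev/sdX")` (placeholder device name, root needed) reads the sector without mounting the drive or writing to it.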
Guru
Canada - Member - New Member Hobbies - Musician - New Member

Join Date: Dec 2006
Location: Western Canada
Posts: 1863
Good Answers: 39
#79
In reply to #78

Re: Antivirus Software Hijacks My Computer

03/30/2009 4:30 PM

Thanks Bwire

Can this TestDisk be run from a CD?

Would I have to do something additional to make a CD bootable.

I do not wish to risk my only working windows machine. I was wondering if I could assemble some hardware and then select Boot from CD and just run the testdisk program. That way it might recover a non functional hard drive.

Or is it a case of TestDisk needing a lot of essential files from the O/S in order to function?

__________________
Elnav
Register to Reply
Guru
Popular Science - Weaponology - bwire Hobbies - Car Customizing - New Member

Join Date: Dec 2007
Location: Upper Mid-west USA
Posts: 7498
Good Answers: 97
#80
In reply to #79

Re: Antivirus Software Hijacks My Computer

03/30/2009 4:49 PM

I was thinking you'd use it on the Linux machine to rectify that boot error or assign the infected HD master and go thru the steps.

Here is how to create a "TestDisk FreeDos LiveCD"

ubuntu-rescue-remix-8.10.iso

rescue-remix-8.10.gz

To write the image to a usb drive, insert the usb drive, determine the device's name and run the following command:

zcat rescue-remix-8.10.gz | sudo tee /dev/sdXx >/dev/null

Where "Xx" is the appropriate device (for example /dev/sdc1). Be careful since it will erase the filesystem on the device's partition! You can partition the device any way you like. The rescue-remix USB version occupies 200 Megabytes of disk space on the drive. The partition to which you write it should be set as bootable and an MBR should be written to the device.

Alternatively, the image can be written to the entire USB drive (Example /dev/sdc) for simplicity. This avoids having to partition the drive or set up an MBR. However, you will not be able to use the remaining space on the drive.

__________________
If death came with a warning there would be a whole lot less of it.
Register to Reply
Guru
Popular Science - Weaponology - bwire Hobbies - Car Customizing - New Member

Join Date: Dec 2007
Location: Upper Mid-west USA
Posts: 7498
Good Answers: 97
#49
In reply to #39

Re: Antivirus Software Hijacks My Computer

03/27/2009 5:37 PM

Follow the directions

__________________
If death came with a warning there would be a whole lot less of it.
Register to Reply
Power-User
United States - Member - New Member Engineering Fields - Biomedical Engineering - Radiation Oncology Engineering Hobbies - Fishing - New Member APIX Pilot Plant Design Project - Member - New Member Hobbies - Hunting - New Member Hobbies - DIY Welding - New Member Hobbies - Target Shooting - New Member Popular Science - Biology - New Member

Join Date: Sep 2006
Location: CT
Posts: 267
Good Answers: 1
#44
In reply to #36

Re: Antivirus Software Hijacks My Computer

03/27/2009 8:53 AM

You can also download Spybot. There are functions in it that tell you when a registry change is being requested. If you are just plinking away at keys you can deny the changes. If you are installing or modifying programs you can allow changes to be made. The program will also eradicate many spyware, ad ware type programs. The drawback is it takes longer to boot and shut down. The scans take forever. But safety sometimes requires loss of speed.

Bob

__________________
“Sometimes we don't even realize what we really care about, because we get so distracted by the symbols.” - Tom Wolfe, The Electric Kool-Aid Acid Test
Register to Reply
Guru
Popular Science - Weaponology - New Member Safety - ESD - New Member Hobbies - Fishing - New Member

Join Date: Sep 2006
Location: Near Frankfurt am Main, Germany. 50.390866N, 8.884827E
Posts: 17996
Good Answers: 200
#45
In reply to #44

Re: Antivirus Software Hijacks My Computer

03/27/2009 9:11 AM

I made some tests recently and the end effect was that I removed Spybot Search and destroy because it found only a very limited number of Malware on my PC. I saw a test in a very good German magazine that supported this completely, SpyBot was the LEAST effective program they tested....

Also I recently removed AdAware, as the latest version puts a continuously running "Scanner" in place that slowed down my PC dramatically, as well as seemingly not finding anything to remove!!!

I now use A-squared-free and Dr Web (also free), both of which found Malware on my PC that the other two mentioned had simply ignored......combined with my software firewall and anti virus software from Kaspersky.

The magazine emphatically recommended the use of A-S-F and Kaspersky together as giving the best all-round safety, so that's exactly what I have......

__________________
"What others say about you reveals more about them, than it does you." Anon.
Register to Reply
Power-User
United States - Member - New Member Engineering Fields - Biomedical Engineering - Radiation Oncology Engineering Hobbies - Fishing - New Member APIX Pilot Plant Design Project - Member - New Member Hobbies - Hunting - New Member Hobbies - DIY Welding - New Member Hobbies - Target Shooting - New Member Popular Science - Biology - New Member

Join Date: Sep 2006
Location: CT
Posts: 267
Good Answers: 1
#46
In reply to #45

Re: Antivirus Software Hijacks My Computer

03/27/2009 9:19 AM

I am aware that Spybot, AdAware and others do not necessarily catch all pests. So running different ones is probably wise.

Does A-squared-free or Dr Web also indicate changes to the registry??

__________________
“Sometimes we don't even realize what we really care about, because we get so distracted by the symbols.” - Tom Wolfe, The Electric Kool-Aid Acid Test
Register to Reply
Guru
Canada - Member - New Member Hobbies - Musician - New Member

Join Date: Dec 2006
Location: Western Canada
Posts: 1863
Good Answers: 39
#48
In reply to #46

Re: Antivirus Software Hijacks My Computer

03/27/2009 11:20 AM

I gave up on running multiple programs like that. Too many conflicts and as Andy indicated it slows the machine down to a crawl. It now takes more than one working day to complete a scan of the whole disk. If I try to do it overnight I sometimes wake up with the machine halted asking for a decision requiring a key stroke input. Meanwhile the computer is locked up. Any attempt to abort the scan before it completes a cycle is blocked. I can only assume it has to do with virus protection to stop a virus from blocking the scan before the virus is detected. Kaspersky or Eset seem to be the only companies with effective protection these days. That is if you run Windows. I have to for my CAD work. For the rest I now use Linux. But it really pisses me off that some worm can defeat me and ruin my hard drives. Grrr!!

__________________
Elnav
Register to Reply
Guru
Popular Science - Weaponology - New Member Safety - ESD - New Member Hobbies - Fishing - New Member

Join Date: Sep 2006
Location: Near Frankfurt am Main, Germany. 50.390866N, 8.884827E
Posts: 17996
Good Answers: 200
#54
In reply to #46

Re: Antivirus Software Hijacks My Computer

03/28/2009 7:41 AM

Dr Web does not, I am not sure about ASF.....

It simply works very well, and I also have a good registry cleaner that I use weekly.....weakly?

__________________
"What others say about you reveals more about them, than it does you." Anon.
Register to Reply
Guru
Popular Science - Weaponology - bwire Hobbies - Car Customizing - New Member

Join Date: Dec 2007
Location: Upper Mid-west USA
Posts: 7498
Good Answers: 97
#50
In reply to #44

Re: Antivirus Software Hijacks My Computer

03/27/2009 5:42 PM

I'm a long time advocate of spybot S&D but SuperAntiSpyware rules!

__________________
If death came with a warning there would be a whole lot less of it.
Register to Reply
Guru
Canada - Member - New Member Hobbies - Musician - New Member

Join Date: Dec 2006
Location: Western Canada
Posts: 1863
Good Answers: 39
#51
In reply to #50

Re: Antivirus Software Hijacks My Computer

03/27/2009 8:39 PM

Like Andy I found Spybot much too slow. Running a scan took all day. It totally ruins work. It really destroys productivity.

I could not find a way to run it in background during scan. And for some reason it took my normal use as a constant change to registry. So every minute I locked things up to tell me a parameter was being changed did I allow or not. Impossible to work with?

Now I suppose you are going to tell me superantispyware is soooo much better as to be invisible? Only thing is there seems to be a clash with my paid for NOD32 protection program.

__________________
Elnav
Register to Reply
Guru
Popular Science - Weaponology - bwire Hobbies - Car Customizing - New Member

Join Date: Dec 2007
Location: Upper Mid-west USA
Posts: 7498
Good Answers: 97
#52
In reply to #51

Re: Antivirus Software Hijacks My Computer

03/28/2009 1:48 AM

Well I didn't get the malware you

__________________
If death came with a warning there would be a whole lot less of it.
Register to Reply Off Topic (Score 5)
Guru
Popular Science - Weaponology - bwire Hobbies - Car Customizing - New Member

Join Date: Dec 2007
Location: Upper Mid-west USA
Posts: 7498
Good Answers: 97
#53
In reply to #51

Re: Antivirus Software Hijacks My Computer

03/28/2009 2:00 AM

Only thing is there seems to be a clash with my paid for NOD32 protection program.

Tell superantispyware that NOD32 protection program is an exception.

__________________
If death came with a warning there would be a whole lot less of it.
Register to Reply

Users who posted comments:

Andy Germany (14); Anonymous Poster (4); bwire (20); charsley99 (1); cwarner7_11 (1); dadw5boys (1); Dances with Trees (2); elnav (19); jdretired (1); kkjensen (7); LCAC32 (1); rlindey (5); Tippycanoe (1); ttkld (3); Yusef1 (2)
