Unable to restore after cleaning trojan

Hi, I would be grateful for your help.
HP desktop XP Pro SP3 with McAfee TP2011

Was infected by fake alert trojan, used safe mode and Malwares anti malware to detect and quarantine - 7 trojans found in scan. Have log.

Rebooted but no programs shown in start menu and no files on C drive accessible. Control panel can still find all programs if I click "add remove programs tab" and My Computer still shows drive exists, correct size, file system and correct size and used/free space - just cannot explore it or access it.

Tried numerous times to restore system in both safe mode and normal - but restore fails and get error message - "unable to restore no changes made". Have run chkdsk in auto fix mode but still no joy.

Please advise on what I might try next. The malware log lists registry keys changed - is this something that might be of use to a non-techie?


Comments
update

Found all folders and files had been set to hidden so can now view them and save to external HDD, just got to find the programs now. Advice still welcome please.

Unhide Them Like This

First, see the link below and you'll note there are instructions for using an "unhide.exe" program at the end. A number of the current malware types are "hiding" your personal files. The unhide.exe program should help.

http://www.bleepingcomputer.com/virus-removal/remove-windows-recovery

It might be a good idea to follow ALL of the instructions there to make sure all things are clean.

_____________________________

And after all that, if you still can't run some of the programs in your system, try these steps:

Go to the link below and scroll down to line 12 (left column). RIGHT click on "EXE (lnk and regfile) Fix for Windows XP", choose "Save Target As" or "Save Link As", to download a reg file fix. Save the REG File to your hard disk. Double click it or right click it and choose "merge" and answer yes to the import prompt.

http://www.kellys-korner-xp.com/xp_tweaks.htm


Hope this helps.

Grif

Great link

Many thanks for your very helpful advice. Yes the windows xp recovery was exactly the unwanted program I was infected with.

Unhide worked a treat but a number of links still broken and some programs not running correctly or at all.

I followed the instruction and followed the bleeping computer instructions, running the anti malware for the 3rd time discovered another malware object in the registry.

What beats me is there was a windows xp recovery icon on the desktop and windows recovery program in the all programs list and even when I ran the McAfee and antimalware scans they still did not find them - I deleted manually because I assumed that the uninstall option was probably a catch. Don't know if I did right in doing this.

I installed secunia but it did not run as described- the welcome screen flashed up but then disappeared after a second or so.

I also had no luck with kellys korner - 404 not found error. Is this the malware again or is the site really no longer there?

Meanwhile system restore still not working. Will run another scan now.
Best regards


Many thanks for your advice - I would be lost without your help.

Download The Kellys Korner File On A Separate Computer...

...then transfer it over to the problem machine. Although the removal tools mentioned will work great, they aren't always perfect, especially if you have multiple malware infections on the machine. Frequently, you'll need to download some of the tools on a separate computer, copy them to a CD or flash drive, then transfer them to the infected computer.

And to get a "second opinion" on the topic, be sure to download, install, update, then run a full system scan using the second removal program below. As before, you may want to start the computer into "Safe Mode with Networking" to download, install, update, and run the full system scan:

SUPERAntispyware Removal Tool

Hope this helps.

Grif

Superantispyware found a couple more issues

Thanks again, superantispyware found a couple more issues, the pc appears to be running fine now, some of the program folders in the list (those I never use like hardware utilities and games) are empty but they seem to return if I go into control panel, search for installed programs and use the repair option where there is one.

There's a few things not quite right such as several icons missing from the notifications area of the task bar - network connections only show up if I disconnect then reconnect (the boxes are checked in properties).

I have not been able to download the registry fix from kellys korner on any PC; there does seem to be a problem with the link. Is there any other recommendation you can give?

I still cannot use system restore to go to the condition prior to the infection but the restore program does work in that I can set a new restore point now and use it.

I am considering checking to see if I am offered the option to repair windows if I put in the original OS disk. Would this be a good idea do you think?

Thanks once again for your help. I could not have resolved this without your advice and support.

Let's vote on these 2 question/items.

1. I still cannot use system restore to go to the condition prior to the
infection but the restore program does work in that I can set a new
restore point now and use it.

Here's my vote: Turn off System Restore then turn it back on. It will dump the old unusable restore points and give SR a fresh start. REMEMBER THAT NORTON can block SR. Symantec writes about that on their site.

2. I am considering checking to see
if I am offered the option to repair windows if I put in the original
OS disk. Would this be a good idea do you think?

I don't suggest this. Most folk are not prepared for the usual vanishing of their files in the usual ONE USER ACCOUNT they have. Without backup, the XP CD, and sometimes the loss of that XP CD KEY many make matters worse (and more expensive to fix) by doing this.

-> HERE'S WHAT I SUGGEST: Go get BELARC ADVISOR, run its report and PRINT IT OUT! That report is GOLD because it has those missing details such as CD KEYS and more.
Bob

Thanks for the tips.

Will follow them up.

The trouble with trojans is

That the damage they can do is "unknown." Many are remote control things so it's not possible to write a "do this" to cure the installed OS. Yes it is possible to write "backup your stuff and reinstall the OS" but many already know that answer.

Recovery of the installed OS is rarely possible for the non-tech. I suggest you re-think the idea of fixing this OS.
Bob
