recovery from virus

February 25, 2010 at 14:22:23
Specs: MS Windows XP Media Center 2005, AMD 64X2 DC 44+, 2046MB Ram, DX9.0c, NVidia GeF 7600 GS 256MB
I had a virus attack my system and I had to reload from the OS disk, but I had a system image backup on a WD My Book USB 2.0 drive. Once the OS disk wiped the drive and reloaded the OS I ran the backup through the wizard. The BK restore did not place ANY of the updates or settings back in as it should have, and my Outlook will not function. Outlook would not even install and I had to double check all Services settings and activate some of them before it would install. Now I click on the icon and it opens, but with the warning "The operation failed!" and then closes when I click OK. I tried a repair install for Outlook, but still no joy. I double checked Services again (under Manage, not msconfig), and everything appears to be in order and dependencies covered for everything I want/need to run (I was that thorough); still no joy. I've searched how to restore from a system image (MS) to see if I did something wrong (first time I've ever had this happen and done it myself), but the directions are for the MS7 Control Panel and I can't get where they tell me to go.

Two major problems are updates for my MS Office 2000 Pro, which is not serviced anymore and I cannot seem to download updates from the site - I keep getting 'the expected version of the product was not found on your system' - and Outlook not working. I thought a system image backup was supposed to keep everything for you! I did use the MS backup utility to do it and the resultant bk file was the same size as the drive(s), so I assumed it did! HELP! The only thing I did not reformat was the original OEM (Gateway) 'restore partition' to NTFS instead of the default FAT32; could that be causing my bk file restoration to go bad? I also noticed that the wizard for the restore has three check points that may be causing the problem: 1. leave existing files (recommended); 2. replace existing files if they are older than the backup files; and 3. replace existing files. I chose #3. Then it has three additional check points: 1. restore security settings; 2. restore junction points, but not the folders and file data they reference; and 3. preserve existing volume mount points. I left all three of those checked. Should I uncheck #2, and if I do, will it not restore the junction points, or will it simply restore everything (including the folders and file data they reference)? My system works, but even regular Windows Update cannot complete the .Net Framework 3.5 download and it won't complete installation of 2.0 or higher either (Add/Remove shows 1.1). I don't know what to do.

The virus blocked me from formatting the drive, turned my antivirus off, would not let me run S&D bot, or even Windows Defender (well, I started that, but it soon cut it off too), and would not let me disable my wireless internet card. I removed my external HD (it would not let me do a safe remove for that), and I turned the sys off and went back in to disable the wireless connection before the virus could stop me (success), but then it started blocking any attempts to access anything in the sys, including msconfig. Turned it off and went in through the OS disk under BIOS. I did not know at the time that it might have been possible to restore/recover directly from my external bk file, so that may have started all the problems -- you tell me, please!

Please note that the restore run on the bk file took less than 4 hours, but it took over 28 to back up (it contained the bkup for 2 internals, only 1 with OS - both WD's, 1TB and 300GB). I thought that really odd and soon found that the supposed recovered system did not recognize any hardware (2nd internal HD, external HD, TV tuner, GPU, 2 printers, wireless card, and on) and I had to go through each one under hardware and update drivers (they all had ? question marks by them) as well as suffer through endless hours of Windows updates (some of which will not complete). Thanks for any help.

February 26, 2010 at 01:22:46
COCO, I may be all wet, but sounds to me like you have a rootkit, worm/trojan at work. Some can be a real P.I.A. to clean. You might even have to clean in safe mode to get around it.
Be aware that a virus and a Trojan are similar, but not the same. Many times, an AV detects one it can't clean, other times, it gets missed entirely.
If you need to clean one, Superantispyware (info only. I'm not paid for the recommendation) can do the job and you can get it free @:
among other places. They have a Vista compatible version if needed. Dunno about Windows 7.
If it turns out that you need to use it, be sure to update Superantispyware prior to running and disable 'restore' (restart after cleaning) so the nasty doesn't get put back. They just released a new update recently and it changes all the time. Things are in a constant state of flux.
The restore thing is critical. May not be your deal at all, but won't hurt anything to try.
Ed in Texas.

February 26, 2010 at 10:45:48
Ed in Texas - my home land!

Thank you for your post. Makes sense that it is a worm/trojan. However, I'm not certain I completely understand your instruction to disable 'restore' (restart after cleaning)... so I would appreciate it if you would expound on that - I hate to appear dense, but my mom always said they can't kill you for asking, and I'd rather be humbled than foolish! FYI I'm running MS Media Center 2005 (not sure if it was based on XP Home or XP Pro because they released OEMs under both and never differentiated them to the common peon), so I'm assuming that the site will have something compatible for XP generally. I'll wait to visit the site though until I understand your instruction. Thanks in advance!

February 26, 2010 at 11:20:13
"....instruction to disable 'restore' (restart after cleaning)..."

means disable system restore before running any anti-virus/clean up utilities....

If you don't then system restore will note that possible nasties have gone - and restore them - thinking they are valid items... Once (and only when) system is clean then re-enable system restore...

Also before you re-enable system restore - if anything was quarantined... delete whatever is/was quarantined...

Ideally run a scan in safe-mode too if possible...

February 26, 2010 at 11:31:51

That is what I thought Ed in Texas meant, but I wanted to be sure. Thank you. I already disabled restore on my non-OS HDs just in case the little buggers tried to go and hide there, but will now do it for C:.

February 26, 2010 at 14:39:49
I tried to come in under safe mode (owner is listed as administrator, and I also have a separate administrator account, password protected). Under owner it will take me to the desktop where I saved the Superantispyware program; it loads and then warns me that the "administrator has set parameters that disallow this"...or something like that. Going in under the administrator password, My Computer, owner, desktop: does not give me access to any programs, files, etc. So, is it fairly safe to run this program in regular startup with 'restore' turned off on all drives?

I've never run this type of program in safe mode before (or any program other than a registry deal), so don't quite understand what the downfalls could be. Still learning though!

February 26, 2010 at 15:42:34
mmm I would think so... But before you go that path... run a freebie "housecall" scan - via Knoppix or Ubuntu boot up.

Booting with one of those Linux on CD/DVD disks means that nothing is installed on the system; the whole OS runs in RAM. The hard-drive is just a resource to that Linux OS; can be completely scanned etc without need to install anything onto the system - other than a few essential files to run the "housecall" scan (and I'm surmising they will also go into RAM...).

February 26, 2010 at 16:24:52

Both are open source OSs, so as I understand it, they do in fact load on-system (separately, of course) so that a boot option comes up with one of them in addition to the XP Media Center OS. It is also my understanding that both OSs have a lot of additional software that can be difficult to extricate - especially since it runs in its own OS. I don't really understand what benefits loading a separate OS, or for that matter running an AV program in safe mode, accomplishes. I really don't like the idea of loading an open source OS on my system and going well beyond my ability to understand. I would like to run in safe mode if someone can tell me how to change the Administrator parameters to run the program - I'm at a complete loss as to where to even look.

I currently use AVG 9.0 - that missed the attack but I loaded it back in afterwards and ran it again - and I also ran a separate TrendMicro housecall (not in safe mode) without any results from either on the... umph...restored system. I'm going to go ahead and just run the Superantispyware program that Ed in Texas suggested in regular start mode with 'restore' turned off on all drives and see what happens (I'm also going to scan the backup file even though that was done a full week before the attack and was pulled as quickly as I could after I realized my system was compromised). I'll run again in safe mode when and if I can do that.

Thank you both so much for your time in considering my problem, and thanks in advance for any further help you're willing to offer.

I have a sneaking suspicion my problems may be stemming from the backup file not doing what it was supposed to do and I would really appreciate it if you or Ed (or anyone else willing to help) take a look at my original questions on the restoration, running the bk selections.

February 26, 2010 at 17:04:47
Booting with a Linux variant off a CD/DVD (CD/DVDROM is set as first boot choice on power up) does not bring up or run anything other than its own system - and installs nothing onto the existing hard-drive. That is unless you choose to "install" it - somehow... I and many others too have run those variants more than once on assorted systems - and never have they installed themselves - or written anything to the drives... They run entirely within installed RAM; they do not affect/alter or otherwise affect the MBR or the existing boot-loader (if one exists) on the internal/installed hard-drive. And it is for those reasons alone that they are frequently recommended and used as suggested... To say nothing about the lower risk of infection with them overall - most pests are aimed at Windows products...; although a few may have popped up in the past trying to hit both Linux and MAC OSs...

When you ran Trend Housecall presumably you did disable System Restore before hand? Probably not an issue at this stage as if it found anything at all it would have told you regardless. It's just that running scans with System Restore active/enabled merely means that when you reboot... the pests are restored by System Restore; but if it isn't active (i.e. is disabled) before a scan and only re-enabled later then any pests found /removed etc. - stay removed... But I have a pheeling you know this already...

I'd be interested to learn what Ed's utility finds - if it does find anything... Useful item to know about if it does... Incidentally, you do have M$ Windows Defender installed and up to date too?

Will have another look shortly at your other (original) questions on the restoration, running the bk selections. And hopefully others will too...

February 26, 2010 at 18:18:20
Hi Trvlr,

Thank you for explaining the cd linux variant - just never did it before, so my comfort level button got pushed! If all else fails I'm more than happy to go try that.

I ran Ed's Superantispyware and all it came up with were some tracking cookies from sites that I've searched today for answers and a few existing allowed programs. So AVG, TrendMicro, and Super... all nothing. I even scanned my external HD with the bkup file separately in addition to whole system just in case.

The whole backup deal really bothers me because I've applied a backup before and it took just as long, or almost as long, as the original backup (28+ hours in this case). Yet, this application took less than four - it really freaked me out and should have been my first clue that it didn't work as I intended.

Yes, Windows Defender is loaded and UTD. Although AVG seems to turn it off, and I believe that is the only reason I was able to begin a Defender scan in the midst of the attack before it shut that down too, since it had already shut me out of Task Manager access. I usually run Defender when/if I have concerns over sites visited, programs installed, etc. And, of course, Windows Auto Update is on and runs that pretty much each time too. I usually have (but have not loaded back) Search&Destroy and only run that occasionally, as too much AV/ASPY stuff running at the same time causes problems. I am aware of HijackThis, but have never used it (never been hit with a virus before - lucky me) and would need someone to decipher the info (you?) if you would like me to do that. I really don't think that a Worm/Trojan is the issue at this point unless it affected my bkup somehow (I jerked it out really fast). And then there is the issue that the drive was wiped, reformatted and the OS installed clean.

Yes. "Restore" has been turned off since earlier today on all drives (C: was turned off after your first post). My other internal HD and the external were never on 'restore' before the attack (the restore partition is not large enough to handle all of my drives, especially my external backup HD - it's at the 1TB max - and I must clean down the other HDs before I back up each time to get it to fit (think there may be 3G or less available)), and I immediately removed them after the fresh install so that nothing on them would be affected or put strain on the partition allowance.

FYI, I've contacted Microsoft CS because, after searching the tech base articles, the Windows Installer may have an issue and may have been corrupted because the MCE OEM CD is old now - it could have caused the bk file to not reinstall properly, as well as any other Windows Installer dependent program (Outlook, Media Center, Nero, Hauppauge, Word, etc.). I did download their installer cleaner utility, but when I tried it, nothing came up in my system as the directions explained...sooooo. Just one more place to look and wait on.

Look forward to any other assistance, and can't thank you enough for taking the time!

February 27, 2010 at 16:14:11

has a useful range of tools; many will help reboot/rebuild a damaged system. Some are specific to data recovery too...

If you trawl via google/yahoo etc. for:

data recovery software

you will get a range of hits; and many offer a free download version to try out/test etc...

Also a trawl for:

get my data back

will bring that one up; and it does get good reviews...

Again avoid writing to the drive in question if at all possible. Either slave the drive to another working system - or usb it (via an adapter); or possibly run any third-party utils via a Knoppix/Ubuntu disk boot up? I'd be inclined to give the Ultimate boot disk a run first if you don't already have Knoppix/Ubuntu disk?

Incidentally, I have never personally come across a CD/DVD that failed due to age...; as in the software on it somehow no longer worked as it ought to... But I have had times (one or two) when RAM was a little flaky and consequently error messages arrived which gave the impression that all was not well with a CD/DVD containing a given OS or application...

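To make Trvlr's live-CD approach (and the "avoid writing to the drive" point) concrete, here is an added shell example; it is not from this thread or from any poster. It mounts a suspect NTFS volume read-only with no-exec options, refuses to scan unless /proc/mounts confirms the read-only flag actually took, counts the XP System Restore points stored under "System Volume Information" (the ones Ed and Trvlr say must be disabled before cleaning so that a pest is not put back), and then runs a ClamAV scan. It assumes the live CD carries ntfs-3g and clamscan; the device, mount point and log paths are placeholders.

```shell
#!/bin/sh
# Added example, not the thread's own procedure: inspect and scan a suspect
# Windows volume from a Linux live CD without writing to it.
# Assumptions: ntfs-3g and clamscan are available; /dev/sda1, /mnt/suspect
# and /tmp/scan.log below are placeholders.

# Mount options we insist on for a suspect volume: read-only so the scan
# cannot alter the drive, and nothing on it may be executed.
ro_mount_opts() {
    printf '%s' 'ro,noexec,nosuid,nodev'
}

# is_mounted_ro MOUNTS_TEXT MOUNTPOINT
# Given the text of /proc/mounts and a mount point, succeed only if that
# mount point is present and its option list (4th field) contains "ro".
is_mounted_ro() {
    mounts_text=$1
    mp=$2
    printf '%s\n' "$mounts_text" | awk -v mp="$mp" '
        $2 == mp {
            found = 1
            n = split($4, o, ",")
            for (i = 1; i <= n; i++) if (o[i] == "ro") ok = 1
        }
        END { exit (found && ok) ? 0 : 1 }'
}

# count_restore_points VOLUME_ROOT
# Count XP System Restore points: the RP<n> directories under
# "System Volume Information/_restore{GUID}/" on the mounted volume.
# Prints 0 when the folder is absent or the volume has none.
count_restore_points() {
    root=$1
    n=0
    for rp in "$root"/System\ Volume\ Information/_restore*/RP*; do
        [ -d "$rp" ] && n=$((n + 1))
    done
    echo "$n"
}

# scan_volume DEVICE MOUNTPOINT LOGFILE
# Mount read-only, verify the flag from /proc/mounts, report restore points,
# run a recursive ClamAV scan, unmount. Returns clamscan's exit status
# (0 clean, 1 infected files found, 2 error).
scan_volume() {
    dev=$1; mp=$2; log=$3
    mkdir -p "$mp"
    mount -t ntfs-3g -o "$(ro_mount_opts)" "$dev" "$mp" || return 1
    if ! is_mounted_ro "$(cat /proc/mounts)" "$mp"; then
        echo "refusing to scan: $mp is not mounted read-only" >&2
        umount "$mp"
        return 1
    fi
    echo "restore points on $dev: $(count_restore_points "$mp")"
    if clamscan -r --infected --log="$log" "$mp"; then
        rc=0
    else
        rc=$?
    fi
    umount "$mp"
    return $rc
}

# Usage from the live CD (placeholder paths):
#   sh scan_offline.sh --run /dev/sda1 /mnt/suspect /tmp/scan.log
if [ "${1-}" = "--run" ]; then
    scan_volume "$2" "$3" "$4"
fi
```

The read-only check matters because a typo in the options, or a driver that silently falls back to read-write, is exactly what turns a scan into a write to the evidence; checking /proc/mounts after mounting catches that. The restore-point count is only an inventory: it tells you what System Restore would put back, and whether the points are still there after you disabled restore in Windows.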

February 27, 2010 at 18:30:59
Hi Trvlr,

I'm so fed up with trying to figure this out -- and other OS items are not complete too. I could spend another week trying to figure it out and still not have it working, in addition to adding more stress and time constraints. I think I'm going to wipe the system, reformat the drive, do any critical updates, install Windows Installer 4.5 if needed, and then apply my bkup again. I'll make sure the OS is working properly before I apply the bkup even though it will once again cause more setup time. If the bkup causes things to go wonky, then I'll at least know where the prob is and can make decisions based on that. Likewise with the OS, of course. If it turns out my bkup file is the problem, then I'll go a-trawling, as suggested (good to know there are trial/test versions that I don't have to spend money on - big issue right now). If it's the OS, then I may have to just take it down to the local Geek Rescue and have them load from my license - yuck, yuck, yuck!!!! (out of work and little money to spend on this, but trying to earn some money via the computer), or I might just run Knoppix or Ubuntu if I can't afford it - and I have you to thank for that jewel! However, I really use my Media Center and have a lot of recorded programs that I wouldn't be able to watch.

BTW, the geniuses at Windows Update CS contacted me and wanted me to install a 3rd party tool to clean up .Net Framework 1.1, but the Readme file on that says that it specifically will not repair the 1.1 v that is part of the MCE 2005 OS system. The installer cleanup utility I downloaded also did not pull up .Net Framework 1.1 and other non-working OS applications due to the same reason. I will wait until Monday or Tuesday when Microsoft is supposed to get back to me again and see if they have a simple and useful program in mind before I do a reinstall.

I did not mean to say that any of the applications on the OS install disk are bad because of age...but that's what I wrote! DOH! I just meant to say that the Windows installer application may have been corrupted and that my OS cd is getting a little long in the tooth now (could have scratches or something).

I'll post back probably Tuesday or Wednesday to let you know what's going on - hopefully good news...or just progress.

Once again, I can't express how much I truly appreciate your knowledge, time and effort, Trvlr. Thanks!
