Virus, System Restore Issue (SOLVED!)

The Crowing One Registered User regular
edited August 2009 in Help / Advice Forum
So the inevitable finally happened, and I picked up a nasty trojan on my main machine. It snuck past my anti-virus and malware screen. I'm running Vista Basic, and I tried repairing my OS, but with no luck.

It seems that the virus did some real damage. I can boot in safe mode, and have done so. Ran my anti-virus, and ad-aware. Ad-aware picks up a trojan, but when it tries to clean house the file doesn't exist.

I have a great system restore point, but I can't seem to get it to work as I'm being told that there are problems with the disk, "file system corruption", and that I need to run chkdsk to fix those up. When I reboot my machine for the check, I'm told that my disk is FAT and cannot be checked with the utility.

Any idea for how I can salvage this mess? I've come to terms with the fact that my drive may be beyond repair, but I have a fantastic restore point that I'd love to do if there were any way to fix the problems with the drive, itself.

Everything is backed up, and the infected drive is actually really just hosting "My Documents" and the OS. Everything important is on my other 1TB.

Thank you!


Posts

  • ronya Arrrrrf. the ivory tower's basement Registered User regular
    edited August 2009
    Hosing and reinstalling is nowadays much easier than trying to pick through all the numerous and possible ways viruses can hide themselves.

    So just format and reinstall from scratch. You may want to move your documents off to your other 1TB first, of course.

  • The Crowing One Registered User regular
    edited August 2009
    ronya wrote: »
    Hosing and reinstalling is nowadays much easier than trying to pick through all the numerous and possible ways viruses can hide themselves.

    So just format and reinstall from scratch. You may want to move your documents off to your other 1TB first, of course.

    This is my last option. I'm attempting to get the chkdsk to run, but it doesn't seem to load after a reboot even after I schedule the action.

  • LaCabra Melbourne Registered User regular
    edited August 2009
    You should probably not be rollin' with FAT rather than NTFS.

  • The Crowing One Registered User regular
    edited August 2009
    LaCabra wrote: »
    You should probably not be rollin' with FAT rather than NTFS.

    I just got chkdsk to actually run by booting off CD. Apparently, it is NTFS. Chkdsk is running, though, which is a huge step forward.

  • ronya Arrrrrf. the ivory tower's basement Registered User regular
    edited August 2009
    With some branded computers (Lenovo, for instance), I've found that scheduling chkdsk-on-boot doesn't work due to some proprietary setting on boot. And no, there's no warning. Sucks, but that's how they roll. Could that be happening?

    You could always run convert C: /fs:ntfs to change your hard drive to NTFS. No reason to use FAT nowadays, unless you dualboot hackintosh or something.

    edit: late'd. Good luck with chkdsk, then.

  • underdonk __BANNED USERS regular
    edited August 2009
    This is my last option.

    It really should be your first in this case, especially with a virus that made it past what countermeasures you had in place.

    Back in the day, bucko, we just had an A and a B button... and we liked it.
  • The Crowing One Registered User regular
    edited August 2009
    underdonk wrote: »
    This is my last option.

    It really should be your first in this case, especially with a virus that made it past what countermeasures you had in place.

    Are you saying that a system restore before the point of infection won't work? I'd like to at least attempt to avoid a reformat if possible. If the system restore doesn't work I'll gladly reformat. Call me hopeful, but while I'm prepared to reformat and reinstall, I'd rather try to get an alternate solution first.

  • RBach Registered User regular
    edited August 2009
    Look at it this way. Even if you remove this particular virus/trojan/whatever you'll never be sure there isn't also something else that it brought along with it and is successfully hiding. The only way to be sure you're clean is to erase everything* and start over.

    *OK, maybe not everything. You're probably OK backing up media and such.

    Also, many viruses et al will attempt to also infect System Restore's backups. It really isn't that reliable in these situations (or at all IMO, but that's another issue).

  • The Crowing One Registered User regular
    edited August 2009
    RBach wrote: »
    Look at it this way. Even if you remove this particular virus/trojan/whatever you'll never be sure there isn't also something else that it brought along with it and is successfully hiding. The only way to be sure you're clean is to erase everything* and start over.

    *OK, maybe not everything. You're probably OK backing up media and such.

    Call me crazy, but since I have everything backed up (in multiple places, now) I'm going to try to get the system up and running without the reformat. I have a sneaking suspicion that it probably won't fix everything, but I'd like to try it, regardless.

    At the moment the chkdsk is running, and I'll be performing a memory check as well after.

    I understand that the reformat is the best option. If you could humor me I'll reformat after an attempt to get the system restore back up.

    So my question is simply, since system restore has an issue with the actual disk, is running the chkdsk/memory check the correct course of action to fix this issue?
    RBach wrote: »
    Also, many viruses et al will attempt to also infect System Restore's backups. It really isn't that reliable in these situations (or at all IMO, but that's another issue).

    This answers my question! Thanks!

    So there's a good chance that system restore will be as infected as my computer is now, right? So (please excuse my hardheadedness) I'll see if that's the case assuming I can get the restore going.

  • RBach Registered User regular
    edited August 2009
    Go for it. I figure there's no harm in experimenting. :)

  • underdonk __BANNED USERS regular
    edited August 2009
    RBach wrote: »
    Go for it. I figure there's no harm in experimenting. :)

    Definitely no harm in that, just remember the end-game is rebuilding and restoring data. Also, for fuck's sake, don't do anything important (log in to email accounts, online banking, etc.) on the machine before you rebuild it.

  • The Crowing One Registered User regular
    edited August 2009
    underdonk wrote: »
    RBach wrote: »
    Go for it. I figure there's no harm in experimenting. :)

    Definitely no harm in that, just remember the end-game is rebuilding and restoring data. Also, for fuck's sake, don't do anything important (log in to email accounts, online banking, etc.) on the machine before you rebuild it.

    I'm on the other computer for anything sensitive until I get this resolved. If I can get my system up and running, I'll be running ad-aware and anti-virus before anything else. I know that I'll end up having to wipe/reinstall, but if I can get the system functioning again I'll have an easier time with some sensitive back-up onto DVDs for the sake of being compulsive about keeping my actually important stuff safe.

    Disk Check ran fine (finally) and fixed some issues. System restore started (it didn't lock me out as before) but comes across a memory issue which prevents it from completing. I'm running the memory diagnostic now, which seems like my last chance to actually get the restore working, right?

  • The Crowing One Registered User regular
    edited August 2009
    So, chkdsk finds and fixes a bunch of "orphaned" dll and exe files each time I run it. I still can't system restore due to a memory issue. I'm running the memory check again, but it has come back clean previous to this already.

    Is this the end of my road, or is there anything else I can try to resolve this issue? Is there a command prompt "memory check" I can run that I am unaware of? Is there a better way to run chkdsk other than by booting from CD and going to the prompt which allows me to unmount the drive to perform the check?

    Thanks!

  • ronya Arrrrrf. the ivory tower's basement Registered User regular
    edited August 2009
    System Restore is pretty hackish and unstable when used with anything that doesn't entirely conform to a clean install or uninstall, never mind viruses. And, yes, the restore information is often infected, especially on XP.

    Remember to run chkdsk with the /R switch.

    If you're running it repeatedly and there are new or persistent corrupted files popping up, something's not working. Either total failure is imminent, or chkdsk just isn't fixing it.

    You need to tell us exactly what error message System Restore is telling you, or we can't help much. The entire message, verbatim.

  • The Crowing One Registered User regular
    edited August 2009
    /R switch is all I've been running. It keeps finding (the same) "orphaned" files to fix. When I boot to install CD I can run chkdsk /r no problem. I have run the memory diagnostic 3-4 times and it comes back clean.

    When I try to system restore I'm told that:

    "The disk (C:) has errors.

    Windows has detected file system corruption on (C:). You must check the disk for errors before it can be restored."

    In addition, after "repairing" or running "chkdsk /r" the System Restore seems to work fine, but as soon as I click "go!" it spits out:

    "rstrui.exe - Application Error

    The instruction at 0x74252738 referenced memory at 0x00000004. The memory could not be read.

    Click OK to terminate the program."

    When I check for memory errors, there are none.

    I also tried to run SFC /SCANNOW from the boot disk command prompt and am told:

    "Windows Recovery Protection could not perform the requested operation."

    Out of curiosity I ran the "repair" function from the install disk again and lo and behold, it has found errors and is repairing them. This is frustrating and points to a bigger issue considering I have fixed issues with repair and chkdsk /r many, many times now.

    SFC /SCANNOW not working is bothering me. Should I run it off safe mode instead of off the install cd command prompt?

    Thanks for all the help, everyone. I think I'll be reformatting and reinstalling tonight if I don't have luck before then.

  • ronya Arrrrrf. the ivory tower's basement Registered User regular
    edited August 2009
    From your description, I think your Master File Table is corrupted to a point where chkdsk doesn't know how to fix it. It is probably the error described here.

    It is probably manually fixable - see the link - but it is also probably easier to just wipe it and reinstall Windows.

  • The Crowing One Registered User regular
    edited August 2009
    I breezed through that thread, and it looks like a similar issue in that chkdsk /r keeps repairing the same thing. I'm finding that two different things are happening when I run chkdsk /r: 1) a three-step which recovers "orphaned" files, and 2) a five-step which takes a bunch longer.

    I'm not certain if there is a pattern, but I believe that after I use the install disk to "repair" it goes into the five-step chkdsk /r.

    So, I've been running myself in circles, and I think that a reformat/reinstall is closer than I thought. I've actually psyched myself into getting rid of all the crap that has accumulated over the past two years of use. So, my questions:

    1) I have two hard drives. One for files, one for my OS. Reformatting and reinstalling won't touch the second drive, right?

    2) What is the best way to reformat? Are there any weird things I should know other than that I'll have to do some work to reinstall and update everything?

  • RBach Registered User regular
    edited August 2009
    1) I have two hard drives. One for files, one for my OS. Reformatting and reinstalling won't touch the second drive, right?
    Correct.
    2) What is the best way to reformat? Are there any weird things I should know other than that I'll have to do some work to reinstall and update everything?

    The Windows installer will ask you where to install to. This will be the point where you can format the hard drive. It may give you the option of doing a "quick" format--this is perfectly fine and will be much faster than the non-quick option. :)

    Once Windows is installed head directly to Windows Update and install everything it wants. It'll take several reboots to get everything (and you'll have to go to Windows Update again each time). Once that long and arduous process is over go ahead and start installing your normal applications and such.

  • ronya Arrrrrf. the ivory tower's basement Registered User regular
    edited August 2009
    1) No, it won't. As long as you don't tell it to!

    2) Put your Windows 7 or Vista disc in, then just walk through the installation wizard.

  • The Crowing One Registered User regular
    edited August 2009
    Last question (hopefully)!

    I went to install, and there was an option in the Vista Install to "reformat" the drive. I clicked the option and nothing seemed to happen other than the machine working a little bit. Is this the "quick" reformat? I didn't get any confirmation or otherwise that anything had actually happened.

  • ronya Arrrrrf. the ivory tower's basement Registered User regular
    edited August 2009
    Yes, it's the "quick" reformat.

    You can read all about the differences here. The XP-era slow format just runs chkdsk on top of it. I think you've run it enough times today...

  • The Crowing One Registered User regular
    edited August 2009
    ronya wrote: »
    Yes, it's the "quick" reformat.

    You can read all about the differences here. The XP-era slow format just runs chkdsk on top of it. I think you've run it enough times today...

    Awesome.

    The new install is in process, and as I've said, I'm kind of now looking forward to a clean start with this machine. I have certainly run chkdsk far too many times today.

    Thanks a bunch!

  • The Crowing One Registered User regular
    edited August 2009
    Alright. Vista re-installed. No problem!

    Thanks a lot! This can now be safely locked.

  • SeñorAmor !!! Registered User regular
    edited August 2009
    If it hasn't been suggested (I may have missed it) and you haven't done it already, disable system restore. Horrible, horrible "feature" System Restore is.

  • underdonk __BANNED USERS regular
    edited August 2009
    SeñorAmor wrote: »
    If it hasn't been suggested (I may have missed it) and you haven't done it already, disable system restore. Horrible, horrible "feature" System Restore is.

This discussion has been closed.