
"System Restore" not a solution to remove sudden new infec..

July 23, 2005 1:28:03 AM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

At approx. 6:30 pm yesterday, I realized suddenly, my system had become
infected with something ... I now once again keep getting those "Only the
Best" darn things popping up. (I've been through this before a year ago ...
it was much worse then ... had to completely overhaul the entire hard drive)

Well, anyhow, what I tried to do this time is simply create a restore point
and revert back to that. Surprisingly, that did not eradicate the presence of
this pop-up thing; I'm sure the restore point predates the pop-up
reappearance.

Wow, what's up with that?

Anyhow, am still trying my Spybot, Ad-Aware, and my up-to-date Norton ...

I would greatly appreciate any suggestions on the System Restore process,
since strangely, that did not preserve my set-up (apparently?) to what I had
before.

Thanks greatly,

Michael


--
Michael
July 23, 2005 2:36:11 PM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

Trojans and viruses often infect the system restore repository (the system
volume information directory tree). Running system restore sometimes makes a
parasite problem worse by actually restoring some items you may have
cleaned. In general, it's best to clean the system, test it with a few
reboots (to make sure the cleaning process didn't impact major system files
and cause problems), and then delete all restore points by disabling and
then re-enabling SR.
--

"Michael" <Michael@discussions.microsoft.com> wrote in message
news:7606B952-21D7-4158-BB86-E647BD58DD05@microsoft.com...
> At approx. 6:30 pm yesterday, I realized suddenly, my system had become
> infected with something ... I now once again keep getting those "Only the
> Best" darn things popping up. (I've been through this before a year ago
> ...
> it was much worse then ... had to completely overhaul the entire hard
> drive)
>
> Well, anyhow, what I tried to do this time is simply create a restore point
> and revert back to that. Surprisingly, that did not eradicate the presence
> of
> this pop-up thing; I'm sure the restore point predates the pop-up
> reappearance.
>
> Wow, what's up with that?
>
> Anyhow, am still trying my Spybot, Ad-Aware, and my up-to-date Norton ...
>
> I would greatly appreciate any suggestions on the System Restore process,
> since strangely, that did not preserve my set-up (apparently?) to what I
> had
> before.
>
> Thanks greatly,
>
> Michael
>
>
> --
> Michael
July 23, 2005 2:36:12 PM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

Thanks for both replies.

I did a Norton full scan last night in Safe mode; rebooted this morning;
problem's still there; then went and did the system restore disable; and then
re-enable.

Hmm, still there.

Is there some specific procedure you can share or direct me to, to get into
whatever files/paths/scripts that I may tinker with to dissect and remove the
invading virus?

Norton's online info reference library is not specific about this particular
virus ... or at least I have not found it.

Again, the pop-up I am getting is that "Only the Best" ... which is hardly
an apt description of the thing (!)

Thanks much, Michael


--
Michael


"GTS" wrote:

> Trojans and viruses often infect the system restore repository (the system
> volume information directory tree). Running system restore sometimes makes a
> parasite problem worse by actually restoring some items you may have
> cleaned. In general, it's best to clean the system, test it with a few
> reboots (to make sure the cleaning process didn't impact major system files
> and cause problems), and then delete all restore points by disabling and
> then re-enabling SR.
> --
>
> "Michael" <Michael@discussions.microsoft.com> wrote in message
> news:7606B952-21D7-4158-BB86-E647BD58DD05@microsoft.com...
> > At approx. 6:30 pm yesterday, I realized suddenly, my system had become
> > infected with something ... I now once again keep getting those "Only the
> > Best" darn things popping up. (I've been through this before a year ago
> > ...
> > it was much worse then ... had to completely overhaul the entire hard
> > drive)
> >
> > Well, anyhow, what I tried to do this time is simply create a restore point
> > and revert back to that. Surprisingly, that did not eradicate the presence
> > of
> > this pop-up thing; I'm sure the restore point predates the pop-up
> > reappearance.
> >
> > Wow, what's up with that?
> >
> > Anyhow, am still trying my Spybot, Ad-Aware, and my up-to-date Norton ...
> >
> > I would greatly appreciate any suggestions on the System Restore process,
> > since strangely, that did not preserve my set-up (apparently?) to what I
> > had
> > before.
> >
> > Thanks greatly,
> >
> > Michael
> >
> >
> > --
> > Michael
>
>
>
July 23, 2005 2:36:13 PM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

Michael wrote:

> Thanks for both replies.
>
> I did a Norton full scan last night in Safe mode; rebooted this
> morning; problem's still there; then went and did the system restore
> disable; and then re-enable.
>
> Hmm, still there.
>
> Is there some specific procedure you can share or direct me to, to get
> into whatever files/paths/scripts that I may tinker with to dissect and
> remove the invading virus?
>
> Norton's online info reference library is not specific about this
> particular virus ... or at least I have not found it.
>
> Again, the pop-up I am getting is that "Only the Best" ... which is
> hardly an apt description of the thing (!)
>
> Thanks much, Michael
>
>
Michael, you'll need to go through these malware removal steps
systematically. It is crucial to do everything with updated tools in
Safe Mode. You may need to go as far as to run HijackThis and there are
instructions and links to forums where you can post those logs (not
here, please).

http://www.elephantboycomputers.com/page2.html#Removing...

Malke
--
MS-MVP Windows User/Shell
Elephant Boy Computers
www.elephantboycomputers.com
"Don't Panic"
July 23, 2005 7:46:01 PM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

You seem to have misunderstood my post. I was answering your specific
question about System restore and my advice was to clear it AFTER removal of
parasites and testing. Emptying SR in itself will not clean your system.
Spyware has gotten increasingly sophisticated and Spybot and Ad-aware,
though excellent, are often not sufficient to remove it. See
http://www.pchell.com/support/onlythebest.shtml for some specific info. re.
the 'only the best' pop up. Also, see the links Malke and others provided.
--

"Michael" <Michael@discussions.microsoft.com> wrote in message
news:33944CA3-4312-4F4B-ADD0-BCCFE447AA1C@microsoft.com...
> Thanks for both replies.
>
> I did a Norton full scan last night in Safe mode; rebooted this morning;
> problem's still there; then went and did the system restore disable; and
> then
> re-enable.
>
> Hmm, still there.
>
> Is there some specific procedure you can share or direct me to, to get
> into
> whatever files/paths/scripts that I may tinker with to dissect and remove
> the
> invading virus?
>
> Norton's online info reference library is not specific about this
> particular
> virus ... or at least I have not found it.
>
> Again, the pop-up I am getting is that "Only the Best" ... which is hardly
> an apt description of the thing (!)
>
> Thanks much, Michael
>
>
> --
> Michael
>
>
> "GTS" wrote:
>
>> Trojans and viruses often infect the system restore repository (the
>> system
>> volume information directory tree). Running system restore sometimes
>> makes a
>> parasite problem worse by actually restoring some items you may have
>> cleaned. In general, it's best to clean the system, test it with a few
>> reboots (to make sure the cleaning process didn't impact major system
>> files
>> and cause problems), and then delete all restore points by disabling and
>> then re-enabling SR.
>> --
>>
>> "Michael" <Michael@discussions.microsoft.com> wrote in message
>> news:7606B952-21D7-4158-BB86-E647BD58DD05@microsoft.com...
>> > At approx. 6:30 pm yesterday, I realized suddenly, my system had become
>> > infected with something ... I now once again keep getting those "Only
>> > the
>> > Best" darn things popping up. (I've been through this before a year ago
>> > ...
>> > it was much worse then ... had to completely overhaul the entire hard
>> > drive)
>> >
>> > Well, anyhow, what I tried to do this time is simply create a restore
>> > point
>> > and revert back to that. Surprisingly, that did not eradicate the
>> > presence
>> > of
>> > this pop-up thing; I'm sure the restore point predates the pop-up
>> > reappearance.
>> >
>> > Wow, what's up with that?
>> >
>> > Anyhow, am still trying my Spybot, Ad-Aware, and my up-to-date Norton
>> > ...
>> >
>> > I would greatly appreciate any suggestions on the System Restore
>> > process,
>> > since strangely, that did not preserve my set-up (apparently?) to what
>> > I
>> > had
>> > before.
>> >
>> > Thanks greatly,
>> >
>> > Michael
>> >
>> >
>> > --
>> > Michael
>>
>>
>>
Anonymous
July 23, 2005 8:15:08 PM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

In article <7606B952-21D7-4158-BB86-E647BD58DD05@microsoft.com>,
Michael@discussions.microsoft.com says...
> At approx. 6:30 pm yesterday, I realized suddenly, my system had become
> infected with something ... I now once again keep getting those "Only the
> Best" darn things popping up. (I've been through this before a year ago ...
> it was much worse then ... had to completely overhaul the entire hard drive)
>
> Well, anyhow, what I tried to do this time is simply create a restore point
> and revert back to that. Surprisingly, that did not eradicate the presence of
> this pop-up thing; I'm sure the restore point predates the pop-up
> reappearance.
>
> Wow, what's up with that?
>
> Anyhow, am still trying my Spybot, Ad-Aware, and my up-to-date Norton ...
>
> I would greatly appreciate any suggestions on the System Restore process,
> since strangely, that did not preserve my set-up (apparently?) to what I had
> before.

In general, if you reboot in safe mode, remove the bad RUN / RUN ONCE
entries in the registry and run AV and Ad-Aware SE, then reboot and
you're still compromised, then it's time to do a wipe and fresh/clean
install.

There are many ways to clean a machine without wiping it, but if you've
already got yourself compromised, twice, then you are better off
learning to wipe/reinstall and then to secure your machine before going
on-line again - there are a number of MS articles that explain how to
secure your computer before you go on-line.

If you have DSL or Cable, start by getting a NAT router.

--

spam999free@rrohio.com
remove 999 in order to email me
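
Added example, not part of any post in this thread: one way to review the Run / RunOnce entries mentioned above before deleting anything, by parsing saved `reg query` output and flagging values that are missing from a known-good baseline or that launch from a temp directory. The sample output, the baseline and the temp-path heuristic are assumptions made for illustration.

```python
import re

# Constructed sample of `reg query` output for the Run / RunOnce keys;
# the value names and paths are made up for illustration.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    ccApp    REG_SZ    "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    SysUpd    REG_SZ    C:\DOCUME~1\user\LOCALS~1\Temp\sysupd32.exe /s

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
    Web Helper    REG_SZ    rundll32.exe "C:\WINDOWS\wbhlp.dll",Start
"""

# Known-good (key, value name) pairs recorded while the machine was clean (assumed).
BASELINE = {
    (r"hkey_local_machine\software\microsoft\windows\currentversion\run", "ccapp"),
    (r"hkey_current_user\software\microsoft\windows\currentversion\run", "ctfmon.exe"),
}

ENTRY = re.compile(r"^\s+(?P<name>.+?)\s+(?P<type>REG_\w+)\s+(?P<data>.*)$")
TEMP_HINTS = ("\\temp\\", "\\temporary internet files\\")  # heuristic, not exhaustive

def parse_reg_query(text):
    """Return (key, value_name, command) tuples from `reg query` output."""
    key, entries = None, []
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()          # unindented line names the current key
        else:
            m = ENTRY.match(line)       # indented line: name, type, data
            if m and key:
                entries.append((key, m["name"], m["data"].strip()))
    return entries

def review(entries, baseline):
    """Flag entries absent from the baseline or launching from a temp directory."""
    findings = []
    for key, name, command in entries:
        reasons = []
        if (key.lower(), name.lower()) not in baseline:
            reasons.append("not in baseline")
        if any(hint in command.lower() for hint in TEMP_HINTS):
            reasons.append("runs from a temp directory")
        if reasons:
            findings.append((key, name, command, reasons))
    return findings
```

Calling `review(parse_reg_query(SAMPLE), BASELINE)` returns the two constructed entries that need a closer look; a flagged entry is a prompt to inspect the file it points to, not proof of infection.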
July 23, 2005 8:15:09 PM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

many thanks for directing me everyone ... ....sigh .... I got a feeling
strong coffee better start brewing ... though presently after a few more
reboots, I am no longer seeing the beast .. but I'm scarcely ready to wave the
checkered flag ....

,,, thanks everyone .... (Who's behind this "Only the Best" thing
anyhow????? geez, ought to run 'em outta town!)
--
Michael


"Leythos" wrote:

> In article <7606B952-21D7-4158-BB86-E647BD58DD05@microsoft.com>,
> Michael@discussions.microsoft.com says...
> > At approx. 6:30 pm yesterday, I realized suddenly, my system had become
> > infected with something ... I now once again keep getting those "Only the
> > Best" darn things popping up. (I've been through this before a year ago ...
> > it was much worse then ... had to completely overhaul the entire hard drive)
> >
> > Well, anyhow, what I tried to do this time is simply create a restore point
> > and revert back to that. Surprisingly, that did not eradicate the presence of
> > this pop-up thing; I'm sure the restore point predates the pop-up
> > reappearance.
> >
> > Wow, what's up with that?
> >
> > Anyhow, am still trying my Spybot, Ad-Aware, and my up-to-date Norton ...
> >
> > I would greatly appreciate any suggestions on the System Restore process,
> > since strangely, that did not preserve my set-up (apparently?) to what I had
> > before.
>
> In general, if you reboot in safe mode, remove the bad RUN / RUN ONCE
> entries in the registry and run AV and Ad-Aware SE, then reboot and
> you're still compromised, then it's time to do a wipe and fresh/clean
> install.
>
> There are many ways to clean a machine without wiping it, but if you've
> already got yourself compromised, twice, then you are better off
> learning to wipe/reinstall and then to secure your machine before going
> on-line again - there are a number of MS articles that explain how to
> secure your computer before you go on-line.
>
> If you have DSL or Cable, start by getting a NAT router.
>
> --
>
> spam999free@rrohio.com
> remove 999 in order to email me
>
Anonymous
July 23, 2005 9:53:08 PM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

System Restore FAQ:
http://www.microsoft.com/technet/community/newsgroups/f...

How antivirus software and System Restore work together
http://support.microsoft.com/default.aspx?scid=kb;en-us;831829



"Michael" <Michael@discussions.microsoft.com> wrote in message
news:7606B952-21D7-4158-BB86-E647BD58DD05@microsoft.com...
> At approx. 6:30 pm yesterday, I realized suddenly, my system had become
> infected with something ... I now once again keep getting those "Only the
> Best" darn things popping up. (I've been through this before a year ago ...
> it was much worse then ... had to completely overhaul the entire hard drive)
>
> Well, anyhow, what I tried to do this time is simply create a restore point
> and revert back to that. Surprisingly, that did not eradicate the presence of
> this pop-up thing; I'm sure the restore point predates the pop-up
> reappearance.
>
> Wow, what's up with that?
>
> Anyhow, am still trying my Spybot, Ad-Aware, and my up-to-date Norton ...
>
> I would greatly appreciate any suggestions on the System Restore process,
> since strangely, that did not preserve my set-up (apparently?) to what I had
> before.
>
> Thanks greatly,
>
> Michael
>
>
> --
> Michael