My daughter's Acer Aspire One netbook has a virus - a root kit, I think (TROJAN HORSE AGENT_R.XJ). I made the mistake of shutting it down before the root kit was eliminated. Now it boots as far as the screen with the status bar showing that Windows XP is loading but goes no further. SAFE MODE does not work nor does Last Known Good Config.
I'd like to save her files if possible so here's what I'm thinking of doing:
--Change BIOS to boot first from USB
--Get a new HDD and external enclosure - will cost me around $75 total
--Place the new HDD in the PC
--Install Windows XP on new HDD using thumb drive
--Perform all Windows updates
--Install Avast Antivirus
--Move new HDD to external enclosure and old HDD to PC
--Boot from new HDD which is in the external enclosure
--Access files from old HDD and copy important files to new HDD (scan them with Avast)
--Put new HDD back in PC
--Install and use a root kit remover first on the new drive (in the PC) and then the old drive (in the external case)
--Scan and rescan using at least two antivirus programs until certain PC and old drive are clean
--Format the old HDD in the external enclosure and use it as a backup drive
Here are some elements of the plan that worry me:
--Will I be able to run XP on the external drive since I did the install on the PC while the same HDD was internal?
--Will I be able to access files on the old, infected drive and copy them to the new drive?
--What did I fail to consider?
Was her old XP User Account password protected? If so, you won't easily gain access to her files and may have to take Ownership of them or involve L:iunux in the recovery.
Secondly, I can't see the point in moving the drives around once the new installation is in place. You can heal the old HDD while it remains in its enclosure and after you've deleted all the Windows and Programme files as well as all the temporary folders where nasties hide. Might save you a few moments. Once it's connected and part of the system, ComboFix can be run and it will include the external in its examination but read the CF tutorials at http://www.bleepingcomputer.com thoroughly first.
Yes, Windows XP was protected by a password. I presume you meant to type "Linux" rather than "L:inux". If I need to do a Linux install - I presume on the new HDD - it sounds like the road to recovery may be reaching the point of diminishing returns. If there is a way I can "take Ownership of them" (what do you mean by "them" - the files?), I'd rather do that. I do have the password. But I have no idea how to take ownership and, what's more, how to do that without being able to load Windows XP.
I would prefer to be able to heal the old HDD without having to swap drives around so much. If I understand correctly, I install Windows XP on the new drive mounted in the PC and then heal the old drive while it is in the external case. Then move the files to the new HDD and leave it in the PC. Is that right? If so, that definitely sounds better than my original plan.
Another option you have, if you know how to use WinRAR and an ISO program, is to download UBCD4Win and burn the ISO to a disc. You can then boot off that disc into a preboot environment in which you can do file transfers so you can save her data. Once done, you can then format and restore your OS, which is the best idea if you have a rootkit.
It also has multiple AV scanners for you to use to scan the USB drive to verify it is clean.
Yep - I confess - Linux is spelt without a colon. I recommended that route because I believe the password will get in the way in any Windows environment, including UBCD4Win, unless it's changed since last I used it, and knowing the password won't help where there's nowhere to input it. Taking ownership remains a possibility - even using that UBCD4Win - but I maintain the Linux route has a better chance of success. I'm doing one now with the other hand and, using an old Ubuntu disk, can rescue files from a disk Windows can't even mount.
TDSS Killer deals with some Rootkits - ComboFix deals with most. Either way, always use the most up-to-date version and follow the instructions. When ComboFix says wait, do just that however long it takes. It will get there in the end.
Your interpretation of my suggestion regarding the hard disks is correct - much quicker and easier.
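The Linux rescue route described in the replies above (boot a live disk, mount the infected drive, copy the data out), as an added example that is not from any poster in this thread. It assumes the old NTFS volume has already been mounted read-only with ntfs-3g (for example `mount -t ntfs-3g -o ro /dev/sda1 /mnt/olddisk`), so nothing on the infected disk is executed or altered, and it copies only data files, skipping extensions that can carry executable code so those never reach the clean drive unscanned. The skip list, function name and paths are the example's own choices, not anything the thread specifies.

```shell
#!/bin/sh
# Added example, not from the thread: pull a user's data files off an
# infected Windows volume that is mounted READ-ONLY under a Linux live disk.
# Assumed (constructed) layout:
#   source:      /mnt/olddisk/Documents and Settings/<user>   (ntfs-3g, -o ro)
#   destination: /mnt/newdisk/rescued/<user>                  (the clean drive)
# Extensions on the skip list are file types that can execute code; they are
# left behind on the infected disk rather than copied for later scanning.

rescue_copy() {
    src="$1"
    dst="$2"
    mkdir -p "$dst"
    # Walk the profile and copy every regular file whose name does not end
    # in an executable-type extension, preserving the relative folder layout.
    find "$src" -type f \
        ! -iname '*.exe' ! -iname '*.dll' ! -iname '*.scr' \
        ! -iname '*.com' ! -iname '*.sys' ! -iname '*.bat' \
        ! -iname '*.cmd' ! -iname '*.vbs' ! -iname '*.pif' \
        -print | while IFS= read -r f; do
        rel="${f#"$src"/}"                 # path relative to the profile root
        mkdir -p "$dst/$(dirname "$rel")"  # recreate the sub-folder on the clean disk
        cp -p "$f" "$dst/$rel"             # -p keeps timestamps for the user
    done
}

# Stand-alone use: rescue_copy.sh <mounted-profile-dir> <destination-dir>
if [ "$#" -eq 2 ]; then
    rescue_copy "$1" "$2"
fi
```

Because the source mount is read-only, the copy cannot trigger or spread anything on the old disk; the files that do arrive on the new drive are still worth a scan, as the original plan in this thread already says.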
Thanks, saga lout and alaskan IT. I'm exploring some other options right now including having the tech dudes at my wife's office give it a go. But I may need to order the recovery CDs from Acer. While there is an "eRecovery" partition (ostensibly) on the HDD which should be accessible via Alt+F10 on power-up, I've not been successful in accessing it. It's also known as "D2D". I read online that I might need to do a BIOS update to make eRecovery accessible but have been unable even to flash the BIOS using the new BIOS files and a BIOS flash program using the Fn+Esc buttons per numerous instructions I found on the web.
Whoa! While typing this it dawned on me that I had read that it's important to change the HDD controller to IDE mode. I've done that in the BIOS setup utility, pressed Alt+F10 on power-up and have accessed the eRecovery utility. Am running it now in one of two optional modes - the one that allows user files to be saved to a new backup folder on C: rather than the option that completely wipes the partition and installs XP.
I'll report the results. The key, if this works, will be getting rid of the root kit. I'll also need to remember to bring the BIOS back to the default settings.
I was so close....I ran eRecovery, was able to load Windows XP, went back through the initial setup process (language, time zone, etc), used the root kit remover, successfully, I believe. Then, on reboot (which the root kit remover requires), I decided to go into the BIOS setup and change back to AHCI mode (from IDE). After saving and exiting BIOS setup, I thought Windows would load and I'd be back in business. Instead, got a blinking cursor in the upper left of a black screen. After 10 minutes, did a hard stop and tried to reboot.
White letters on black screen read:
For Atheros PCIE Ethernet Controller v22.214.171.124(2008/10/15)
Check cable connection..!
PXE-M0F: Exiting Intel PXE ROM
No bootable device -- insert boot disk and press any key
I've tried going back into the BIOS and changing settings back to IDE and changing the boot order (not all at once) and even tried setting the BIOS back to factory defaults. No dice. Same message on reboot.
I don't know what went wrong but, perhaps I should have rebooted after the virus removal WITHOUT resetting the BIOS and then, after a successful reboot, shutting down and doing the BIOS reset.
Try reverting the BIOS setting you altered after it worked the first time. It's only trying to boot from your networking devices because it can't see the hard disk. It could before you made that change to AHCI from IDE. Are there no SATA options in BIOS?
I did revert (back and forth) between AHCI and IDE and even tried using the option to revert to default BIOS settings. Nothing worked. Here's what I think the problem is - TDSS Killer stated that atapi.sys was infected - that's the file that it "cured". I did some reading on atapi.sys. I think it's a key file for the system to be able to see the HDD. My guess is that it is gone or corrupted. Not sure if there is any way to replace it without being able to boot into Windows.
I can't think how Windows could start without atapi.sys so there must be a version of it. Rootkits are dangerous but their developers have little to gain from disabling a system completely - they usually want the system to work but work for them as much as for you.
I think it's back to basics time for you - get the files out and format completely, or bin that disk and buy a new one.
Disk arrived today so I'm going to give her a try. But just for your reference, atapi.sys was working when I was able to get into XP. I ran TDSS Killer and probably made a mistake when I selected "Quarantine" when the infected file was found. I later "cured" atapi.sys with the software but never took it back out of quarantine before shutting down and trying to reboot.
Now to see if I can do anything with the recovery disk that enables access to the current XP install by repairing it in place so I can save my daughter's files. If not, bye bye files and settings.
So I was about to press the Enter button to do a full restore (wiping out all user files) when my wife told me she would rather bring the PC in to her office and have their contractor tech support guys take a look at it. It's now been nearly two weeks and no PC. The wife doesn't do a particularly good job of relating what they tell her each time she asks what's going on so I'm not sure how to update this topic quite yet.