Refreshing Windows Directories XP from a Recovery

Posted on 2011-05-06
Last Modified: 2013-12-09
I have a computer which is infected with malware. Combofix will not run on it. It seems the desktop and various files are executing through a proxy application. Some time ago I recall executing a program from the windows recovery environment which recopied all files in I386 to the associated windows directories. Am running XP SP3. I would greatly appreciate any recovery advice restoring the system files back to original images... After which, will reinstall the AV and clean the system.

Thanks again.
Question by:TimPeer
    LVL 38

    Accepted Solution

    You may need one of the rogue process tools to allow your scans to start.
    I would not start with ComboFix, rather with Malwarebytes.

    Use "Rogue Killer" first - using any of the additional Menu Items needed - then immediately install (and update) Malwarebytes and scan.

    Details here: (Stop-the-Bleeding-First-Aid-for-Malware) (Rogue-Killer-What-a-great-name)
    LVL 10

    Expert Comment

    You may have to install from safe mode, before the rogue has an opportunity to start. Younghv is correct. Combofix would require a 'trust' similar to the activity of the malware.
    LVL 11

    Expert Comment

    What was inappropriate??

    Author Closing Comment

    Thanks Younghv,

    The process of removing the %$#ware was very tedious and long. I used a number of the other tools also which, when combined with yours, seemed to catch everything.

    Lastly, updated the AV and ran it. 21 Issues caught and corrected. Let's see how long this will last before the next round of "catch me if you can" %$#ware.

    FWIW:  The posting was located on EE. I didn't catch the link but have the other tools for references.

    1. Try Vundofix.
    Please download VundoFix.exe to your desktop.
    * Double-click VundoFix.exe to run it.
    * Click the "Scan for Vundo" button.
    * Once it's done scanning, click the "Remove Vundo" button.
    * You will receive a prompt asking if you want to remove the files, click YES
    * Once you click yes, your desktop will go blank as it starts removing Vundo.
    * When completed, it will prompt that it will reboot your computer, click OK.
    * Please post the contents of C:\vundofix.txt.

    Note: It is possible that VundoFix encounters a file it could not remove.
    In this case, VundoFix will run on reboot, simply follow the above
    instructions starting from "Click the Scan for Vundo button." when
    VundoFix appears at reboot.

    2. Or Combofix.
    Please download ComboFix by sUBs from either of these locations:

    You must download it to and run it from your Desktop
    Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
    Double click combofix.exe & follow the prompts.
    When finished, it will produce a log. Please save that log to post in your next reply along with a fresh HJT log.
    Re-enable all the programs that were disabled during the running of ComboFix.

    Do not mouse-click combofix's window while it is running. That may cause it to stall.

    CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    LVL 38

    Expert Comment

    Hi Tim,
    Glad you were able to resolve this.
    I've always said that there is a special place in hell for malware writers.

    "ComboFix" remains a current tool for us to use and is constantly updated by the creator. I sometimes think he is like the little Dutch boy in the story about plugging holes in the dikes.

    "VundoFix" (to my knowledge) hasn't been updated for several years. I will try to confirm that for you, but when fighting malware we should all be using tools that are current.

    If you did use ComboFix, please be sure to uninstall it now that you are done:

    To uninstall Combofix:
    Go to Start > Run and copy and paste the next command in the field:

    ComboFix /Uninstall

    The Virus & Spyware Zone Advisors keep an open question going about the proper use of ComboFix and Malwarebytes.

    Please feel free to subscribe and/or post any comments.
