Refreshing Windows Directories XP from a Recovery

I have a computer which is infected with malware. Combofix will not run on it. It seems the desktop and various files are executing through a proxy application. Some time ago I recall executing a program from the windows recovery environment which recopied all files in I386 to the associated windows directories. Am running X:P SP3. I would greatly appreciate any recovery advise restoring the system files back to original images... Afterwhich, will reinstall the AV and clean the system.

Thanks again.
Who is Participating?
You may need one of the rogue process tools to allow your scans to start.
I would not start with ComboFix, rather with Malwarebytes.

Use "Rogue Killer" first - using any of the additional Menu Items needed - then immediately install (and update) Malwarebytes and scan.

Details here: (Stop-the-Bleeding-First-Aid-for-Malware) (Rogue-Killer-What-a-great-name)
You may have to install from safe mode. Before the rogue has an opportunity to start. Younghy is correct. Combofix would require a 'trust' similar to the activity of the malware.
What was inappropriate??
TimPeerAuthor Commented:
Thanks Younghv,

The process of removing the  %$#ware was very tedious and long. I used a number of the other tools also which, when combined with yours, seemed to catch everything.

Lastly, updated the AV and ran it. 21 Issues caught and corrected. Let see how long this will last before the next round of "catch me if you can" %$#ware.

FWIW:  The posting was located on EE. I didn't catch the link but have the other tools for references.

1. Try Vundofix.
Please download VundoFix.exe to your desktop.
* Double-click VundoFix.exe to run it.
* Click the "Scan for Vundo" button.
* Once it's done scanning, click the "Remove Vundo" button.
* You will receive a prompt asking if you want to remove the files, click YES
* Once you click yes, your desktop will go blank as it starts removing Vundo.
* When completed, it will prompt that it will reboot your computer, click OK.
* Please post the contents of C:\vundofix.txt.

Note: It is possible that VundoFix encounters a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above
instructions starting from "Click the Scan for Vundo button." when
VundoFix appears at reboot.

2.  Or Combofix.
Please download ComboFix by sUBs from either of these locations:

You must download it to and run it from your Desktop
Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log to post in your next reply along with a fresh HJT log
Re-enable all the programs that were disabled during the running of ComboFix..

Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
Hi Tim,
Glad you were able to resolve this.
I've always said that there is a special place in hell for malware writers.

"ComboFix" remains a current tool for us to use and is constantly updated by the creator. I sometimes think he is like the little Dutch boy in the story about plugging holes in the dikes.

"VundoFix" (to my knowledge) hasn't been updated for several years. I will try to confirm that for you, but when fighting malware we should all be using tools that are current.

If you did use ComboFix, please be sure to uninstall it now that you are done:

To uninstall Combofix:
Go to Start > Run and 'copy and paste' next command in the field:

ComboFix /Uninstall

The Virus & Spyware Zone Advisors keep an open question going about the proper use of ComboFix and Malwarebytes.

Please feel free to subscribe and/or post any comments.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.