
Windows 7 - system restore hung after PC got malware

FWeston asked:
My dad got some sort of malware on his office computer that was sending out spam and got his local exchange server blacklisted since both his computer and the exchange server are behind the same NAT IP address.  He has a small business so he doesn't have any IT support, so I try to do what I can for him.

I figured easiest thing to do would be to run system restore and restore to a point before the problem happened.  I tried that and it sat at "Windows is restoring..." for about 30 minutes.  My wife was with me and was unhappy that this was taking time away from our Xmas shopping, and since 30 mins is about 10x longer than I've ever had a system restore take, I figured it was hung and pressed the reset button to try something else.

So, long story short, I got what I figured would happen...now the system won't boot up.  In normal boot it sits with the Windows logo on the screen.  It continuously "pulsates" but never boots to a login prompt.  In safe mode it hangs at classpnp.sys.

There are a ton of programs installed on the computer, so if I formatted and reinstalled Windows, it would take 3-4 days to track down the install discs and product keys and reload them, so I would like to avoid doing so if at all possible.

I assume before making changes to the computer, system restore probably makes a backup copy of the files it is going to modify.  If that is the case, can I boot using a rescue CD and manually copy those files back, or is there some other trick I can use?

The PC is running Windows 7 x64, I believe it is SP1 but not sure and not sure how to verify that without being able to boot the OS.  Basically I am looking for any tricks that I could possibly use to restore the PC to a bootable state so I don't have to reinstall Windows.

John (Thinkpads_User) commented:
I don't know what may have happened when you cancelled the restore. My own Thinkpad thought it had a memory error in October (it didn't) and the Windows 7 repair took about two hours. And the Thinkpad has been splendid since. So it does take time.

Yes, you can boot with a bootable CD (Ultimate Boot CD) and back up files.

But you are probably going to have to re-install Windows, so get the data, track down the important disks and start in. You should be able to get back to basic operation inside of a day.

..... Thinkpads_User

Author commented:
thinkpads_user, that is very strange.  I am the IT guy for a small company, about 100 employees and I use system restore with Windows XP on a pretty regular basis, and it usually takes about 5 minutes total.  Maybe it is different with Windows 7.

The problem is that it isn't me that will be doing the reinstalling, it is my dad's secretary who is basically computer illiterate.  So if I reinstall, he, she and I will have to go through a lot of frustration and he will probably be without his PC for everything except basic e-mail for the better part of a week, and I'd like to avoid that if possible.

It seems like SR must create a backup of the registry files it is replacing, and if that is the case then I should be able to manually copy them back and end up right back where I started.  Or at least if it doesn't create backups, then it seems like I ought to be able to manually copy the files (basically do what system restore was trying to do).  I am very hesitant to format and spend 20-30 hours on this when I could possibly get out under 2-3 hours if I can just figure out how to recover from a failed system restore.
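The question above asks whether the registry files System Restore replaces can simply be copied back from a rescue environment. The restore-point snapshots themselves live in System Volume Information as VSS shadow copies and are not plain files you can copy, but Windows 7 also keeps a scheduled copy of the registry hives in Windows\System32\config\RegBack (written by the RegIdleBackup task). The script below is an added example, not something posted in the thread; it assumes you are at the WinRE command prompt (boot DVD, "Repair your computer", Command Prompt), that the offline Windows volume shows up there as D: (WinRE often shifts drive letters, so check with "dir D:\Windows" first), and that RegBack is populated. It saves the current hives before touching anything so the step can be reversed.

```batch
@echo off
rem Added example, not from the thread. Assumes the offline Windows 7
rem install is D: as seen from WinRE; adjust WINDRV after checking
rem "dir C:\Windows" / "dir D:\Windows".
set WINDRV=D:
set CFG=%WINDRV%\Windows\System32\config

rem 1. Refuse to proceed if any RegBack hive is missing or looks empty.
for %%H in (SYSTEM SOFTWARE SAM SECURITY DEFAULT) do (
    if not exist "%CFG%\RegBack\%%H" (
        echo RegBack\%%H is missing - do not continue & exit /b 1
    )
)
for %%H in (SYSTEM SOFTWARE SAM SECURITY DEFAULT) do (
    for %%S in ("%CFG%\RegBack\%%H") do if %%~zS LSS 8192 (
        echo RegBack\%%H is suspiciously small ^(%%~zS bytes^) & exit /b 1
    )
)

rem 2. Keep the current (broken) hives so the change is reversible.
if not exist "%CFG%\Broken" mkdir "%CFG%\Broken"
for %%H in (SYSTEM SOFTWARE SAM SECURITY DEFAULT) do (
    copy /y "%CFG%\%%H" "%CFG%\Broken\%%H" >nul
)

rem 3. Put the last scheduled backup of each hive in place, then reboot.
for %%H in (SYSTEM SOFTWARE SAM SECURITY DEFAULT) do (
    copy /y "%CFG%\RegBack\%%H" "%CFG%\%%H" >nul
)
echo Hives replaced; originals saved in %CFG%\Broken. Reboot and test.
```

Two caveats a practitioner would want: this rolls the registry back to whenever RegIdleBackup last ran (up to ten days earlier), not to the point System Restore was aiming for, and it does nothing about malware that lives in files rather than registry keys, so an offline scan is still needed afterwards. If the machine still fails to boot, copy the hives from the Broken folder back and you are exactly where you started.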
John (Thinkpads_User) commented:
I have not seen much success here in fixing a broken system restore. I do not know what copies System Restore would do. There is a huge (12 GB) store of restore-type data in the WinSxS folder, but I do not know how you would manually do the copying from it. Windows 7 is not XP in many major ways.

Let us see if anyone else can guide you, but you may wish to begin planning on how to rebuild the machine. Also, do not forget on top of all this that a virus may have hosed the computer anyway.

.... Thinkpads_User

Author commented:
Yes, a virus has definitely hosed the computer but I am betting that it will require far less effort to get rid of the virus than it will to rebuild the whole system.  Before I tried running system restore I found several utilities online that claim to remove it, but I figured it would be better to do SR to be certain that anything else that may be installed would be gone as well...

Author commented:
Also, I was looking at the option to do an in place upgrade or a repair install, as I believe that would retain the installed programs.  The problem is I'm not entirely certain what version or SP level of Windows 7 is installed.  Is there some way I can find out without booting into Windows?
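The edition and service pack level can be read without booting the installed OS, because they are stored in the offline SOFTWARE registry hive. The script below is an added example, not from the thread; it assumes the WinRE command prompt (boot DVD, "Repair your computer", Command Prompt) and that the offline Windows volume is D: there (check with "dir D:\Windows" first, since WinRE often assigns different letters). It mounts the hive under a temporary key, reads the version values, and unmounts it again.

```batch
@echo off
rem Added example, not from the thread. Run from the WinRE command prompt.
rem Assumes the offline Windows volume is D:; adjust WINDRV if needed.
set WINDRV=D:
set HIVE=%WINDRV%\Windows\System32\config\SOFTWARE
set KEY=HKLM\OfflineSW\Microsoft\Windows NT\CurrentVersion

rem Mount the offline SOFTWARE hive under a temporary key.
reg load HKLM\OfflineSW "%HIVE%" || (echo Could not load %HIVE% & exit /b 1)

rem Edition (e.g. "Windows 7 Professional") and build (7600 = RTM, 7601 = SP1).
reg query "%KEY%" /v ProductName
reg query "%KEY%" /v CurrentBuildNumber

rem CSDVersion only exists once a service pack is installed.
reg query "%KEY%" /v CSDVersion || echo No CSDVersion value: no service pack installed (RTM)

rem Always unmount, otherwise the hive stays locked until WinRE reboots.
reg unload HKLM\OfflineSW
```

The ProductName string tells you which install media (Home Premium, Professional, Ultimate) would be needed for a repair install, and CurrentBuildNumber 7601 together with CSDVersion "Service Pack 1" confirms SP1; a 7600 build with no CSDVersion is RTM. Architecture is not in this key, but a 64-bit install has a Windows\SysWOW64 folder on disk while a 32-bit one does not.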
Run5k commented:
At the same time, keep in mind that when you are fairly certain that the system is already clean, performing a System Restore could potentially inject the malware right back into the operating system, or at least some of the elements like registry changes.  As a result, it's typically better to leave the system as-is once your cleaning procedures are done.  Here is a very good article written by one of the EE community's top malware experts that explains the pros & cons:

Viruses in the System Volume Information (System Restore)

Author commented:
Run5k: I think you misunderstood what I was trying to say.  In place of running the removal utility, I ran system restore thinking that it would accomplish the same thing, and more, as the removal utility.
Run5k commented:
I see.  While that idea certainly sounds good on the surface, it's probably more prudent to follow some of the standard "best practices" for removing the malware rather than diving right into a System Restore.  As I mentioned above, you can't be certain that a System Restore would actually cleanse the machine.  And even though you obviously had the best of intentions, you never really want to power-off a Windows system in the middle of a System Restore unless you are ready & willing to perform some type of operating system reload.

For future reference, here is another comprehensive EE article that explains the best procedures to eliminate a malware infestation:

Stop the Bleeding: First Aid for Malware!

That being said, considering the overt malware problems and the recent obstacles after the cancelled System Restore, I would tend to agree with Thinkpads_user's assessment that it would be better to reinstall Windows.

Additionally, in the aftermath it may be a good idea to scrutinize that computer's security configuration.  These days, if a Windows 7 operating system is configured properly from the very beginning it's exceedingly difficult to get a virus or malware on your machine:

- What type of security application was installed?  Was it up-to-date?

- Were they using a login account that has full admin rights to access the Internet?

- Was Java RE installed?  If so, do they really have a compelling need to use it?

Author commented:
Run5k: thanks for your advice.  While I agree on principle about not using an admin account, in real life I have found that it just isn't practical, especially when IT support is not available to fix things that don't work without admin permissions, and especially when you're running older software or industry specific software where the publishers can pretty much do whatever they want because they know they won't lose your business.

If this were for a different type of user where all they're using is MS Office and webapps, then I would say it would be a lot more feasible.

UAC is great and all, but when you put it in front of a 65 year old guy that doesn't know much about computers, you start to realize that after they see the prompt a few times, they just train themselves to click the allow button.

All I'm saying is that I agree with you, but in this instance, even taking into account 10-15 hours to rebuild the machine, trying to lock the machine down would probably have caused more issues.
Run5k commented:
I understand your predicament.  If you feel that's the best way to proceed, once that machine is up and running properly again it may be wise to implement at least a semi-regular schedule of backing up the system image to an external hard drive using the built-in Windows 7 capabilities.  If a similar problem occurs in the future, it is relatively quick and easy (and much faster than 10-15 hours) to restore the entire computer with a reliable, stable, pre-configured operating system:

Windows 7 - Backup Complete Computer - Create an Image Backup

Windows 7 - System Image Recovery
John (Thinkpads_User) commented:
Getting back to basics a bit, you have a machine hosed by malware, and then a subsequent restore (good idea or not) interrupted.

So as uncomfortable as it is, you probably need to reinstall this machine.

I would lock it down a bit, for anyone, including a user. And please do not allow them to disable UAC. That helps keep malware at bay in the first place. ..... Thinkpads_User

Commented:
You cannot do a repair (upgrade) install of Vista or Win 7 on a PC that will not boot into normal mode, so that is not an option.

Have you tried booting from a Win 7 DVD and using the repair options? You may be able to re-run System Restore from the repair options menu.

Run5k gave you good advice on dealing with malware.

Author commented:
Well, I selected the repair my computer option from the f8 boot menu, then I tried running system restore twice more thinking that perhaps if the process completed it would undo the problem.  Both times (different dates) it said it failed, so I selected the "fix boot problems" (or similar) option and it said it couldn't fix the problems, but lo and behold I rebooted and it booted into Windows and it seems like the system restore did work because the malware is gone.

So it seems problem solved.

Thanks for the suggestions.

Author commented:
Thanks, found my own solution but I want to give you guys points for trying to help.
John (Thinkpads_User) commented:
Thank you. I was pleased to help, and thank you very much for the feedback. I am glad you got it up and running given the circumstances. .... Thinkpads_User
Run5k commented:
Agreed... thanks for the kind words, and I'm glad to hear that you were able to do a bit of juggling and boot into the operating system again.

As I mentioned earlier, amongst all the other things that we discussed you should give some serious consideration to the System Image backup solution.  It sounds like it may eventually save you a great deal of time & effort.
younghv commented:
FWeston & Experts,
I was watching this question develop, but didn't have any troubleshooting comments to add.

Knowing that some of us of the 'Older Generation' can indeed create problems for ourselves, I do have some thoughts on the whole imaging idea.

"garycase" gave me this advice about 3 years ago and I've been using it ever since.

As soon as the computer is 100% back the way you want it, capture a fully automated 'image' of the way you want it to be. The full discussion is here:

http://www.experts-exchange.com/Q_23528044.html

Keep the OS and applications loaded on one partition, data on another, and you are about one mouse click and 5 minutes of watching away from having your system - regardless of the infection - back to exactly what it was when you loaded it.

Creating a new image (good idea every month or so) is another one click + 5 minutes for Boot-IT to work its magic - and you can create a Desktop shortcut to make it even simpler.

After what you've just been through, having a flawless one-click re-imaging option that takes 5 minutes to implement would be a really great Christmas present for you to buy (yourself).

Author commented:
younghv: I agree wholeheartedly with your suggestion.  Unfortunately, the problem in my case is that the applications that are in use are frequently updated (my dad is a CPA, and they release updates several times a year, and an entire new version of the program comes out each year).  The programs are not enterprise / imaging friendly because they are primarily used by smaller businesses, and I guess they don't get a lot of push back like they would if they tried to do what they do in an enterprise IT environment.  I do actually have an image of these systems, but the problem is that it is 1.5 years out of date, so all of the line of business apps would likely need to be reinstalled.  Keeping the image up to date has been a low priority, because paying me to do stuff that doesn't produce any tangible benefit is low on their priority list.

I think Windows Home Server has some sort of network-enabled time machine equivalent where you don't need a USB drive for each PC.  Is there something similar available for Windows 7 PCs on a domain?  Their network server is running VMware and it has a fair amount of free space available so I could spin up another VM if necessary.
younghv commented:
Great question, but you just jumped way out of my comfort zone. We have any number of really solid Experts who can give you a lot of feedback though.

The best way to get them involved is to use the "ask a related question" link that appears just below this comment.

Doing that will link this question to your new one so that the Experts can get the background.

For "Zones", I would use Home Server (http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_Home_Server/), the primary Windows OS Zone, and the Hardware Zone.

We have a lot of very active and knowledgeable Experts in all 3.