cllocc
asked on
I have a heavily infected system that can no longer access the internet
We have a client machine that was heavily infected with trojans. I ran Malwarebytes, SUPERAntiSpyware and Trend Micro antivirus scans, which found viruses and showed that the viruses were quarantined and removed. However, the Trend Micro security console on our server continued to point to the affected client machine as problematic. After running the virus scans, the client machine lost network connectivity and was receiving a 169 address. I attempted to give the client machine a static IP following the scheme from our DNS server; however, even after the static IP settings were configured, the client machine was still unable to get online or connect to our network. I attempted to run Trend Micro again but noticed that it would no longer start. I decided to perform a system restore and booted in safe mode; however, after two attempts with two different restore points, I received the message: System Restore did not complete successfully.
I then booted into Windows regularly and after logging in I noticed the color scheme was similar to safe mode and the Start button had the classic look to it. However, "Safe Mode" was not displayed in the four corners of the screen. I nonetheless ran System Restore in this state and after two attempts (with two different restore points) I had the same problem as before: Windows reported that System Restore did not complete successfully. System Restore displayed the following details:
System restore failed to extract the file (D:\Windows\$NtUninstallKB 236603$\40 13077249) from the restore point. The restore point was damaged or was deleted during the restore.
I'm puzzled as to why system restore is looking to the D: drive, since our client machines have the OS loaded on the C: drive and the D: drive is reserved for the HP recovery partition for the machine.
Also, I ran a netsh int ip reset and netsh winsock reset and restarted but was still experiencing network issues.
Anyway, I am stuck and not sure how to proceed further; any help would be greatly appreciated.
Thanks.
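A read-only triage script for the situation described in the question, added here as an example; it is not the asker's code and not from Trend Micro, Malwarebytes or HP. It assumes a Windows XP SP3 / 7 or later host with PowerShell 2.0 or newer and an elevated prompt. It collects the facts a responder wants before choosing between further cleaning and reimaging: which adapters hold a 169.254.x.x (APIPA) address, whether the DHCP Client service is running, whether the Winsock catalog contains provider DLLs outside the system directory (the chain that "netsh winsock reset" rebuilds), whether the hosts file or the user's proxy settings have been altered, and whether the security product's services are running. The service names for the security product are vendor-specific and are left for the operator to supply.

```powershell
# Added triage script; it is not the asker's code and not from Trend Micro, Malwarebytes or HP.
# Assumes Windows XP SP3 / 7 or later with PowerShell 2.0+, run from an elevated prompt.
# It reads state and reports findings; it changes nothing, so it can be run before and after
# the 'netsh int ip reset' / 'netsh winsock reset' steps from the question to compare results.

function Get-ApipaTriage {
    param(
        # Service names of the installed security product (vendor-specific; left empty here).
        [string[]]$SecurityServiceNames = @()
    )
    $findings = @()

    # 1. Adapters holding a 169.254.x.x address: DHCP was requested but no lease arrived.
    $nics = Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled }
    foreach ($nic in $nics) {
        foreach ($ip in @($nic.IPAddress)) {
            if ($ip -like '169.254.*') {
                $findings += "APIPA address $ip on '$($nic.Description)' (DHCPEnabled=$($nic.DHCPEnabled), DHCPServer='$($nic.DHCPServer)')"
            }
        }
    }

    # 2. The DHCP Client service must be running for any lease to be obtained at all.
    $dhcp = Get-Service -Name Dhcp -ErrorAction SilentlyContinue
    if ($null -eq $dhcp) { $findings += 'DHCP Client service (Dhcp) not found' }
    elseif ($dhcp.Status -ne 'Running') { $findings += "DHCP Client service is $($dhcp.Status)" }

    # 3. Winsock catalog: a provider DLL outside the system directory deserves a second look,
    #    because a broken or hijacked provider chain is what 'netsh winsock reset' rebuilds.
    $catalog = netsh winsock show catalog | Out-String
    $sysRoot = [regex]::Escape($env:SystemRoot)
    $paths = [regex]::Matches($catalog, 'Provider Path:\s*(.+)') | ForEach-Object { $_.Groups[1].Value.Trim() }
    foreach ($p in @($paths | Select-Object -Unique)) {
        if ($p -notmatch '^%SystemRoot%\\' -and $p -notmatch "^$sysRoot\\") {
            $findings += "Winsock provider outside the system directory: $p"
        }
    }

    # 4. hosts file: entries beyond comments and the loopback names can redirect AV update
    #    traffic, one reason a scanner may stop starting or updating after a cleanup.
    $hostsFile = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    if (Test-Path $hostsFile) {
        foreach ($raw in @(Get-Content $hostsFile)) {
            $line = $raw.Trim()
            if ($line -and -not $line.StartsWith('#') -and $line -notmatch '^(127\.0\.0\.1|::1)\s+localhost$') {
                $findings += "Non-default hosts entry: $line"
            }
        }
    }

    # 5. A proxy configured for the logged-on user breaks browsing even with a good address.
    $inet = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' -ErrorAction SilentlyContinue
    if ($inet -and $inet.ProxyEnable -eq 1) { $findings += "User proxy enabled: $($inet.ProxyServer)" }

    # 6. Security product services that are stopped or disabled (names supplied by the operator).
    foreach ($name in $SecurityServiceNames) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if ($null -eq $svc) { $findings += "Security service '$name' not present" }
        elseif ($svc.Status -ne 'Running') { $findings += "Security service '$name' is $($svc.Status)" }
    }

    return $findings
}

$result = @(Get-ApipaTriage)
if ($result.Count -eq 0) { 'No findings: address, DHCP, Winsock, hosts and proxy state look normal' }
else { $result | ForEach-Object { "FINDING: $_" } }
```

Run it once before and once after the netsh resets and compare the two finding lists. A host that keeps an APIPA address with the DHCP Client service running, no odd Winsock providers, a clean hosts file and no proxy points at the network path (cable, switch port, DHCP scope) rather than the local stack; persistent findings in items 3 to 6 after the resets are the usual signal that reimaging, as the thread eventually concludes, is the faster route.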
ASKER
Yes, that is a good point. I was hoping there might be something I was overlooking before having to resort to system recovery, and maybe there was someone out there who could point me in the right direction. However, if the consensus is to reformat and restore, then I'll be hard pressed to go that route.
ASKER
Thanks for the excellent suggestions. I followed the guides posted by users on this question; however, it seemed that even the rootkit scans may not have been enough. I was still getting a 169 address, system repair was not working, and Windows was still booting up with a strange color scheme and classic Start menu.
I decided that it would be much faster to reformat and recover the machine, so I backed up the user's critical files after consultation and started the HP factory recovery mode using the F11 key from the BIOS. It was quicker than I expected and it brought the computer back to its original state with full network connectivity. I will be reinstalling the user's required applications shortly.
One thing I definitely learned from this whole experience: these rootkits sure are a nightmare to deal with.
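For the backup-then-recover step the asker describes, here is an added example of how to copy the user's data off an infected machine without carrying the infection onto the rebuilt one; it is not the asker's script and not HP's recovery tooling. It assumes Windows 7 or later (robocopy ships with it), PowerShell 2.0 or newer, an elevated prompt, and that the caller supplies the profile folder and an external or network destination; the paths in the usage line are placeholders. Only data folders are copied, executable and script file types are excluded, and a SHA-256 manifest is written so the restored files can be checked later.

```powershell
# Added example for the backup-then-recover step above; not the asker's script and not HP's.
# Assumes Windows 7 or later (robocopy in the box, PowerShell 2.0+), an elevated prompt, and
# that the caller supplies the user's profile folder and an external or network destination.

function Backup-UserData {
    param(
        [Parameter(Mandatory=$true)][string]$Source,       # e.g. C:\Users\<name> (placeholder)
        [Parameter(Mandatory=$true)][string]$Destination   # e.g. E:\Backup\<name> (placeholder)
    )
    # Data folders only: AppData, temp and browser caches are where the infection lives,
    # and none of that belongs on the freshly recovered system.
    $folders = 'Desktop', 'Documents', 'Pictures', 'Music', 'Videos', 'Favorites'
    # Executable and script types are excluded so the backup cannot carry the malware back.
    $excluded = '*.exe', '*.dll', '*.scr', '*.com', '*.pif', '*.bat', '*.cmd', '*.vbs', '*.js', '*.lnk'

    New-Item -ItemType Directory -Path $Destination -Force | Out-Null
    $log = Join-Path $Destination 'robocopy.log'

    foreach ($f in $folders) {
        $src = Join-Path $Source $f
        if (-not (Test-Path $src)) { continue }
        $dst = Join-Path $Destination $f
        # /E copy subfolders, /XJ skip junctions (profiles contain loops), /R:1 /W:1 do not
        # stall on locked files, /NP no progress noise, /LOG+ append to one log for the run.
        & robocopy $src $dst /E /XJ /R:1 /W:1 /NP /XF $excluded "/LOG+:$log" | Out-Null
        # robocopy exit codes below 8 mean success (bit 1 = files copied); 8 and above mean failures.
        if ($LASTEXITCODE -ge 8) { Write-Warning "robocopy reported failures in $f (exit code $LASTEXITCODE)" }
    }

    # SHA-256 manifest of what was copied: lets the restore be verified later, and if AV flags
    # a file on the rebuilt machine the manifest shows whether it came from this backup.
    $manifest = Join-Path $Destination 'manifest.sha256'
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $lines = @()
    foreach ($file in @(Get-ChildItem -Path $Destination -Recurse | Where-Object { -not $_.PSIsContainer })) {
        if ($file.FullName -eq $log -or $file.FullName -eq $manifest) { continue }
        $stream = [System.IO.File]::OpenRead($file.FullName)
        try { $hex = [BitConverter]::ToString($sha.ComputeHash($stream)).Replace('-', '') }
        finally { $stream.Close() }
        $lines += "$hex  $($file.FullName)"
    }
    Set-Content -Path $manifest -Value $lines
    return $lines.Count
}

# Usage (placeholders): Backup-UserData -Source 'C:\Users\ExampleUser' -Destination 'E:\Backup\ExampleUser'
```

The function returns the number of files recorded in the manifest, and the robocopy log shows anything skipped because it was locked. Scan the backup destination with an up-to-date engine from a clean machine before copying anything back onto the recovered system.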