

I have a heavily infected system that can no longer access the internet

Posted on 2012-04-04
Medium Priority
Last Modified: 2013-11-22
We have a client machine that was heavily infected with trojans. I ran Malwarebytes, SUPERAntiSpyware and Trend Micro antivirus scans, which found viruses and showed that the viruses were quarantined and removed. However, the Trend Micro security console on our server continued to point to the affected client machine as problematic. After running the virus scans, the client machine lost network connectivity and was receiving a 169 address. I attempted to give the client machine a static IP following the scheme from our DNS server; however, even after the static IP settings were configured, the client machine was still unable to get online or connect to our network. I attempted to run Trend Micro again but noticed that it would no longer start. I decided to perform a system restore and booted in safe mode; however, after two attempts with two different restore points, I received the message: System Restore did not complete successfully.

I then booted in Windows regularly and after logging in I noticed the color scheme was similar to safe mode and the start button had the classic look to it. However, safe mode was not displayed in the four corners of the screen. I nonetheless ran system restore in this state and after two attempts (with 2 different restore points) I had the same problem as before: Windows reported system restore did not complete successfully. The system restore displayed the following details:

System restore failed to extract the file (D:\Windows\$NtUninstallKB236603$\4013077249) from the restore point.  The restore point was damaged or was deleted during the restore.

I'm puzzled as to why system restore is looking to the D: drive, since our client machines have the OS loaded on the C: drive and the D: drive is reserved for the HP recovery partition for the machine.

Also, I ran a netsh int ip reset and netsh winsock reset and restarted but was still experiencing network issues.

Anyways, I am stuck and not sure how to proceed further, any help would be greatly appreciated.

Question by:cllocc

Author Comment

ID: 37807209
Also, I tried running Startup Repair through F8 and it keeps reporting that there is no problem detected.

Accepted Solution

HomerTNachoCheese earned 504 total points
ID: 37807217
Not that this is a solution that fixes the issue, but wouldn't it be a better idea to wipe out this machine and reload Windows?  If it is "heavily infected" you may not clean everything up.  Reloading would probably take longer than fixing, but at least you have pretty good confidence that the machine is clean.

Author Comment

ID: 37807246
Yes, that is a good point. I was hoping there may be something I was overlooking before having to resort to system recovery, and maybe there was someone out there who might point me in the right direction. However, if the consensus is to reformat and restore then I'll be hard pressed to go that route.


Assisted Solution

Geodash earned 252 total points
ID: 37807307
I agree with Homer - at this time rather than taking a chance in your production environment, wipe and reload this guy. It is MUCH SAFER!

Assisted Solution

HomerTNachoCheese earned 504 total points
ID: 37807327
I would be concerned with root kits.  At least try to scan for those if you can.  They may be present even after a reformat.  I am no expert in root-kits, but I think this would be a valid concern.

Assisted Solution

by:Thomas Zucker-Scharff
Thomas Zucker-Scharff earned 252 total points
ID: 37807355
I also agree with Homer.  But if you want to check for rootkits, please check out my article first:


Also check out younghv's article on rogue killer.

Assisted Solution

by:Fred Marshall
Fred Marshall earned 248 total points
ID: 37807378
Since I do this quite often, here are some observations:

If you have everything you need then reloading is usually more time-efficient than cleaning up.  The trades are:
- is the investment in system configuration great enough that cleanup will be a real benefit?  This is true of workstations with lots of important apps with lots of tailored setups.  It's true for many home systems with unskilled users.  It isn't the case for simple configurations such as office "dumb terminal" situations.  Only you can decide.
- still, reloading often requires:
  .. finding and installing drivers.
  .. bringing the OS fully up to date
  .. installing common tools like Adobe Reader, internet security, etc.
  .. backing up data; making sure the data is "clean"; restoring the data.  Sometimes this is more time-consuming than you think it would be.  (You cannot rely on the users to tell you what to back up and you can't and don't want to use blanket backups without ending up dealing with restore problems of one kind or another).
But, it does give confidence.

Cleanup can be time consuming (certainly wall-clock time!) as the scans take hours and there can be many of them done before one is finished.  Assuring that a cleanup has been fully/reasonably successful can be tricky.  That said, I've not often been fooled - but I do it all the time.  You want to have some tests to run to reach a level of assurance.  For example, will www.windowsupdate.com work on the system?  Can you reach sites that have parasite removal tools?  Do there continue to be misdirects with the browsers?  Do there continue to be popups of strange origin?

I'm generally biased to do the cleanup because the users are going to be able to be "back in business" without a lot of their own effort.  That has value.  But, if they won't know the difference then I will be earlier motivated to rebuild.  The risks of a cleanup, which have some similarity to the risks of cloning a failing hard drive, are:
- some programs may be damaged and have to be reinstalled
- the OS may be damaged.  I would definitely run the System File Check with an OS disk in an optical drive.  You may want or need to do a Repair Install - but in truth I almost never need to do this.  Your mileage may vary.

I find that cleanups start showing improvement gradually.
Safe mode *without* a network connection is a good place to start.  Have some concern that a network connection can be a source of new problems - as well as a threat to the network.  So, I use an isolated network when I feel there's a need for a connection.  Up to some point you may want to introduce everything using CDs or DVDs - including manual signature updates.

At this stage I'd suspect a root kit.  By design they are harder to find and eradicate.  Using some drastic tools is likely in order now.  And I'd start in Safe Mode without a connection .. as above.
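The assurance tests Fred describes (does the machine still get a 169 address, do update and vendor sites resolve correctly, are the browsers being misdirected) can be scripted so they are repeated the same way after every cleanup pass. The script below is an added example, not code from the thread or from any of the tools mentioned; it assumes Windows 7 or later with PowerShell, and the two hostnames are just sample sites of the kind the post mentions.

```powershell
# Added example (not from the original post): post-cleanup assurance checks.
# Run from an elevated PowerShell prompt on the cleaned machine. Assumes
# Windows 7+ with PowerShell 2.0 or later; the hostnames are sample values.
$findings = @()

# 1. A 169.254.x.x (APIPA) address means DHCP never answered or the IP
#    stack is still damaged, which matches the symptom in the question.
$nics = Get-WmiObject Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled }
foreach ($nic in $nics) {
    foreach ($ip in $nic.IPAddress) {
        if ($ip -like '169.254.*') {
            $findings += "APIPA address $ip on $($nic.Description): DHCP not reachable"
        }
    }
    if ($nic.DNSServerSearchOrder) {
        # Verify these against the DNS servers the network is supposed to use.
        $findings += "DNS servers on $($nic.Description): $($nic.DNSServerSearchOrder -join ', ')"
    }
}

# 2. Active hosts-file entries: a common way update and AV vendor names are
#    redirected. Only uncommented lines with an address are reported.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$active = Get-Content $hostsPath | Where-Object { $_ -match '^\s*[0-9a-fA-F:.]+\s+\S' }
if ($active) { $findings += "Active hosts-file entries: $($active -join '; ')" }

# 3. A proxy the user never configured is a classic source of "misdirects".
$inet = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
if ($inet.ProxyEnable -eq 1) { $findings += "Proxy enabled: $($inet.ProxyServer)" }

# 4. Do the update and removal-tool sites resolve, and is the host reachable?
#    Compare the resolved address with what a known-clean machine gets.
foreach ($site in 'www.windowsupdate.com', 'www.malwarebytes.org') {
    try {
        $addr = [System.Net.Dns]::GetHostAddresses($site) | Select-Object -First 1
        $reach = Test-Connection -ComputerName $site -Count 1 -Quiet -ErrorAction SilentlyContinue
        $findings += "$site resolves to $addr (reachable: $reach)"
    } catch {
        $findings += "$site failed to resolve: $($_.Exception.Message)"
    }
}

$findings
```

Run it once before the cleanup and after each pass; the goal is that the APIPA, hosts-file and proxy findings disappear and the resolved addresses match a known-clean machine (some sites block ping, so "reachable: False" alone is not a failure).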

Assisted Solution

younghv earned 496 total points
ID: 37807400
The symptoms you are describing are fairly typical of current malware infections and this can probably be repaired without the obvious "format/reinstall" decision.

If by "client" you mean that this is part of a network, the first step is to isolate (disconnect) it from your network and make sure that your corporate policy allows you to attempt a repair.

The basic steps in proper repair are contained in the EE Articles listed below. The 'rogue process stoppers' both have either menu options to repair the symptoms you describe or will auto-fix them (connectivity).

Please be sure to post all of the logs from the tools/scanners you use so that we can analyze them.

Malware Fighting – Best Practices

You can substitute "TheKiller" for "RogueKiller" - in my experience the efficacy is quite similar.

Download TheKiller to your Desktop

Note that TheKiller is renamed as explorer.exe
Run it by double-clicking it
Press the OK button after the program finishes
Do not restart your system after this step, but immediately run the next scan: MalwareBytes, TDSSKiller, ComboFix

Assisted Solution

younghv earned 496 total points
ID: 37807411
Please do not try to perform any "Safe Mode" scans with any of the automated malware tools. Windows File Protection service is NOT running and you can inadvertently delete critical system files - without the replacement being made...leading to a BSOD.

This advice is too often posted in many forums and it is always wrong.

Assisted Solution

jcimarron earned 248 total points
ID: 37807511
cllocc -- Once you have deleted all the malware the various scans can find, you might consider a Repair Install of the operating system.
This should not affect your personal data or installed programs, but it never hurts to back them up.

Author Closing Comment

ID: 37808557
Thanks for the excellent suggestions.  I followed the guides posted by users on this question; however, it seemed that even the root kit scans may not have been enough.  I was still getting a 169 address, system repair was not working, and Windows was still booting up with a strange color scheme and classic start menu.

I decided that it would be much faster to reformat and recover the machine, so I backed up the user's critical files after consultation and started the HP factory recovery mode using the F11 key from the BIOS.  It was quicker than I expected and it brought the computer back to its original state with full network connectivity.  I will be reinstalling the user's required applications shortly.

One thing I definitely learned from this whole experience... these root kits sure are a nightmare to deal with.
