I have a heavily infected system that can no longer access the internet

We have a client machine that was heavily infected with trojans.  I ran Malwarebytes, SuperAntiSpyware and Trend Micro antivirus scans, which found viruses and showed that the viruses were quarantined and removed.  However, the Trend Micro security console on our server continued to point to the affected client machine as problematic.  After running the virus scans, the client machine lost network connectivity and was receiving a 169 address.  I attempted to give the client machine a static IP following the scheme from our DNS server; however, even after the static IP settings were configured, the client machine was still unable to get online or connect to our network.  I attempted to run Trend Micro again but noticed that it would no longer start.  I decided to perform a system restore and booted in safe mode; however, after two attempts with two different restore points, I received the message: System Restore did not complete successfully.

I then booted into Windows normally and after logging in I noticed the color scheme was similar to safe mode and the Start button had the classic look to it.  However, "Safe Mode" was not displayed in the four corners of the screen.  I nonetheless ran System Restore in this state and after two attempts (with 2 different restore points) I had the same problem as before: Windows reported System Restore did not complete successfully.  System Restore displayed the following details:

System restore failed to extract the file (D:\Windows\$NtUninstallKB236603$\4013077249) from the restore point.  The restore point was damaged or was deleted during the restore.

I'm puzzled as to why system restore is looking to the D: drive, since our client machines have the OS loaded on the C: drive and the D: drive is reserved for the HP recovery partition for the machine.

Also, I ran a netsh int ip reset and netsh winsock reset and restarted but was still experiencing network issues.

Anyway, I am stuck and not sure how to proceed further; any help would be greatly appreciated.

clloccAuthor Commented:
Also, I tried running Startup Repair through F8 and it keeps reporting that there is no problem detected.
Not that this is a solution that fixes the issue, but wouldn't it be a better idea to wipe out this machine and reload Windows?  If it is "heavily infected" you may not clean everything up.  Reloading would probably take longer than fixing, but at least you have pretty good confidence that the machine is clean.

clloccAuthor Commented:
Yes, that is a good point. I was hoping there may be something I was overlooking before having to resort to system recovery, and maybe there was someone out there who might point me in the right direction.  However, if the consensus is to reformat and restore, then I'll be hard pressed to go that route.
I agree with Homer - at this time rather than taking a chance in your production environment, wipe and reload this guy. It is MUCH SAFER!
I would be concerned with rootkits.  At least try to scan for those if you can.  They may be present even after a reformat.  I am no expert in rootkits, but I think this would be a valid concern.
Thomas Zucker-ScharffSolution GuideCommented:
I also agree with Homer.  But if you want to check for rootkits, please check out my article first:


Also check out younghv's article on rogue killer.
Fred MarshallPrincipalCommented:
Since I do this quite often, here are some observations:

If you have everything you need then reloading is usually more time-efficient than cleaning up.  The trades are:
- is the investment in system configuration great enough that cleanup will be a real benefit?  This is true of workstations with lots of important apps with lots of tailored setups.  It's true for many home systems with unskilled users.  It isn't the case for simple configurations such as office "dumb terminal" situations.  Only you can decide.
- still, reloading often requires:
  .. finding and installing drivers.
  .. bringing the OS fully up to date
  .. installing common tools like Adobe Reader, internet security, etc.
  .. backing up data; making sure the data is "clean"; restoring the data.  Sometimes this is more time-consuming than you think it would be.  (You cannot rely on the users to tell you what to back up and you can't and don't want to use blanket backups without ending up dealing with restore problems of one kind or another).
But, it does give confidence.

Cleanup can be time consuming (certainly wall-clock time!) as the scans take hours and there can be many of them done before one is finished.  Assuring that a cleanup has been fully/reasonably successful can be tricky.  That said, I've not often been fooled - but I do it all the time.  You want to have some tests to run to reach a level of assurance.  For example, will www.windowsupdate.com work on the system?  Can you reach sites that have parasite removal tools?  Do there continue to be misdirects with the browsers?  Do there continue to be popups of strange origin?

I'm generally biased to do the cleanup because the users are going to be able to be "back in business" without a lot of their own effort.  That has value.  But, if they won't know the difference then I will be earlier motivated to rebuild.   The risks of a cleanup, which have some similarity to the risks of cloning a failing hard drive, are:
- some programs may be damaged and have to be reinstalled
- the OS may be damaged.  I would definitely run the System File Check with an OS disk in an optical drive.  You may want or need to do a Repair Install - but in truth I almost never need to do this.  Your mileage may vary.

I find that cleanups start showing improvement gradually.
Safe mode *without* a network connection is a good place to start.  Have some concern that a network connection can be a source of new problems - as well as a threat to the network.  So, I use an isolated network when I feel there's a need for a connection.  Up to some point you may want to introduce everything using CDs or DVDs - including manual signature updates.

At this stage I'd suspect a root kit.  By design they are harder to find and eradicate.  Using some drastic tools is likely in order now.  And I'd start in Safe Mode without a connection .. as above.
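Added example, not part of this thread and not one of the tools the commenters link to: a read-only PowerShell triage script that covers the symptom in the original question (a 169.254 address after the scans, even with DHCP enabled) and the assurance checks Fred Marshall lists above (does Windows Update resolve, is the browser being redirected). It assumes PowerShell 2.0 or later on the XP/7-era host discussed here, an elevated prompt, English `netsh` output, and that the machine has already been moved to an isolated network. The service names, watched domains and test hostnames are illustrative choices of mine, not from the thread, and the script changes nothing; it only reports.

```powershell
# Added triage example (not from the original thread). Assumes PowerShell 2.0+
# on an XP/7-era host, run elevated, English netsh output, isolated network.
# Read-only: every check only reads state and adds a line to the findings.
function Get-NetworkTriage {
    $findings = @()

    # 1. APIPA check. A 169.254.x.x address with DHCPEnabled = True means the
    #    DHCP client never obtained a lease; a damaged stack or a stopped
    #    DHCP service are the usual causes on a freshly cleaned machine.
    $nics = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = TRUE"
    foreach ($nic in $nics) {
        $v4 = @($nic.IPAddress) | Where-Object { $_ -match '^\d+\.\d+\.\d+\.\d+$' }
        foreach ($ip in $v4) {
            if ($ip -like '169.254.*') {
                $findings += "APIPA address $ip on '$($nic.Description)' (DHCP enabled: $($nic.DHCPEnabled))"
            }
        }
    }

    # 2. Services that must be running for DHCP, DNS and Windows Update to work.
    #    (Illustrative list; a missing Dhcp service alone explains a 169.254 address.)
    foreach ($name in 'Dhcp', 'Dnscache', 'BITS', 'wuauserv') {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if ($null -eq $svc)                  { $findings += "Service $name is MISSING" }
        elseif ($svc.Status -ne 'Running')   { $findings += "Service $name is $($svc.Status)" }
    }

    # 3. hosts file. Entries for update or AV-vendor domains are a classic way
    #    to produce the "can't reach removal-tool sites" symptom.
    $hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    $watch = 'windowsupdate', 'microsoft.com', 'malwarebytes', 'trendmicro', 'superantispyware'
    foreach ($line in (Get-Content $hostsPath -ErrorAction SilentlyContinue)) {
        if ($line -match '^\s*#' -or $line.Trim() -eq '') { continue }
        foreach ($w in $watch) {
            if ($line -match $w) { $findings += "hosts file entry: $line" }
        }
    }

    # 4. Winsock catalog. After 'netsh winsock reset' every provider path should
    #    sit under system32; anything else is a layered service provider to inspect.
    $sysDir  = [regex]::Escape($env:SystemRoot)
    foreach ($line in (netsh winsock show catalog)) {
        if ($line -match '^\s*Provider Path:\s*(.+)$') {
            $p = $matches[1].Trim()
            if ($p -notmatch '^%SystemRoot%\\system32\\' -and $p -notmatch "^$sysDir\\system32\\") {
                $findings += "Winsock provider outside system32: $p"
            }
        }
    }

    # 5. Proxy or PAC script injected into the user's Internet Settings
    #    (a common cause of browser misdirects that survive AV scans).
    $inet = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' -ErrorAction SilentlyContinue
    if ($inet -and $inet.ProxyEnable -eq 1) { $findings += "Proxy enabled: $($inet.ProxyServer)" }
    if ($inet -and $inet.AutoConfigURL)     { $findings += "PAC script configured: $($inet.AutoConfigURL)" }

    # 6. Name resolution for the kind of sites the comment above suggests testing.
    #    On an isolated network this will fail; the point is to compare the
    #    answer with what a known-good machine returns once you reconnect.
    foreach ($h in 'www.windowsupdate.com', 'www.malwarebytes.org') {
        try {
            $ips = [System.Net.Dns]::GetHostAddresses($h) | ForEach-Object { $_.ToString() }
            $findings += "$h resolves to $($ips -join ', ')"
        } catch {
            $findings += "$h does NOT resolve: $($_.Exception.Message)"
        }
    }

    return $findings
}

$result = Get-NetworkTriage
if ($result.Count -eq 0) { 'No findings.' } else { $result | ForEach-Object { "[!] $_" } }
```

Run it before and after each cleanup pass and diff the two outputs: a 169.254 address that persists while the Dhcp service is running and the Winsock catalog is clean points at the TCP/IP stack itself, which is the point at which a repair install or a rebuild, as the other commenters suggest, becomes the faster route.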
The symptoms you are describing are fairly typical of current malware infections and this can probably be repaired without the obvious "format/reinstall" decision.

If by "client" you mean that this is part of a network, the first step is to isolate (disconnect) it from your network and make sure that your corporate policy allows you to attempt a repair.

The basic steps in proper repair are contained in the EE Articles listed below. The 'rogue process stoppers' both have either menu options to repair the symptoms you describe or will auto-fix them (connectivity).

Please be sure to post all of the logs from the tools/scanners you use so that we can analyze them.

Malware Fighting – Best Practices

You can substitute "TheKiller" for "RogueKiller" - in my experience the efficacy is quite similar.

Download TheKiller to your Desktop

Note that TheKiller is renamed as explorer.exe
Run it by double click
Press OK button after program finish
Do not restart your system after this step, but immediately run the next scan: MalwareBytes, TDSSKiller, ComboFix
Please do not try to perform any "Safe Mode" scans with any of the automated malware tools. Windows File Protection service is NOT running and you can inadvertently delete critical system files - without the replacement being made...leading to a BSOD.

This advice is too often posted in many forums and it is always wrong.
cllocc--Once you have deleted all the malware the various scans can, you might consider a Repair Install of the operating system.
This should not affect your personal data or installed programs, but it never hurts to back them up.
clloccAuthor Commented:
Thanks for the excellent suggestions.  I followed the guides posted by users on this question; however, it seemed that even the rootkit scans may not have been enough.  I was still getting a 169 address, system repair was not working, and Windows was still booting up with a strange color scheme and classic Start menu.

I decided that it would be much faster to reformat and recover the machine, so I backed up the user's critical files after consultation and started the HP factory recovery mode using the F11 key from the BIOS.  It was quicker than I expected and it brought the computer back to its original state with full network connectivity.  I will be reinstalling the user's required applications shortly.

One thing I definitely learned from this whole experience: these rootkits sure are a nightmare to deal with.