Using System Restore to get rid of Virus
Old 10-20-2008, 1:28 AM       Post #1  
Urser
Contrary to my posts, I'm NOT an infant with Downs
 
Urser's Avatar
Since Aug 2006
Okay, so I just downloaded a .exe which after running infected my computer with trojan/malware. A lot of desktop icons are missing and now there are some new ones telling me to install anti-virus programs. And my desktop background has this window saying what I'm infected with or some crap.

This happened about 30 minutes ago so I know when I was infected with this virus. I googled to see if I can get rid of this by simply doing system restore to yesterday or something. But I'm getting a bunch of conflicting answers. Some people are saying to delete restore points, while others are saying I need them. They're also saying that using system restore won't get rid of the file.

So do I either...

a) Use system restore to go back to an earlier date to rid the system of the virus that I know I got today?

or

b) Use my antivirus to clean my system of the infection, and then delete my restore points?

I really don't want to do the second one as that means that I can't use system restore in case I stuff up. And the first option seems fool-proof. But I'm not so sure.

Halp!
__________________
Cory, you a busta.


Old 10-20-2008, 1:36 AM       Post #2  
opn4bzns
Posts way too much.
 
opn4bzns's Avatar
Since Jan 2007
I'd run screaming to my antivirus (which are you using?), do a deep scan, and wouldn't do anything with system restore, since I don't think it deletes files.


Old 10-20-2008, 3:02 AM       Post #3  
miimii
Since Apr 2008
1. Boot up in safe-mode and make sure networking is disabled then run a virus scan.
2. Google the file name of the trojan you downloaded, and if it is public then there will be other people that have had the same trouble as you or reports on AV sites telling you how to get rid of it.
3. Backup any important files onto another Hard-Drive, DVD's, Flash Drive, whatever.
4. Format the disk completely and reinstall Windows
5. Put back the important files.

That's the safe version I guess, the other version is to just run a virus scan, delete anything suspicious and forget about it.

Also yeah, system restore won't get rid of it, and could you upload the file somewhere please and PM me the link?



Last edited by miimii : 10-20-2008 at 3:08 AM.
Old 10-20-2008, 3:19 AM       Post #4  
Axidos
Regular
 
Axidos's Avatar
Since Feb 2006
Edit:
Quote:
Originally Posted by miimii
3. Backup any important files onto another Hard-Drive, DVD's, Flash Drive, whatever.
4. Format the disk completely and reinstall Windows
5. Put back the important files.

That's the safe version I guess, the other version is to just run a virus scan, delete anything suspicious and forget about it.

Also yeah, system restore won't get rid of it, and could you upload the file somewhere please and PM me the link?
FUCK NO!! It's just a fucking virus, a full system reformat is completely uncalled for. System Restore will get rid of any changes the virus made to any crucial or program files, which will effectively disable it if it isn't removed completely.
If the reformat is because you're worried the virus might have shoved infected files elsewhere like into his documents, he'll probably end up copying them over during the back-up process and then put them right back, achieving nothing.

Running the virus-scan in safe mode and googling information on whatever you downloaded is a good idea (that means just steps 1 and 2), but the rest of this post is trash.

The advice you just provided is a perfect example of why technical help should never ever be brought into private conversations. If you give him stupid advice - like you just did - in a private conversation, then there's nobody to tell him not to do it.

Now, back on track:
Quote:
Originally Posted by opn4bzns
I'd run screaming to my antivirus (which are you using?), do a deep scan, and wouldn't do anything with system restore, since I don't think it deletes files.
According to Microsoft, part of what System Restore does is this: when a program wants to modify crucial files (such as system files or the registry) or program files, it saves a copy of that file before it's changed. So if the virus changed any system files (which it probably did), system restore can remove them.

Regarding the deletion of restore points, Urser, the only time you'd want to remove a restore point is if you know it was infected. For example, you got a virus today, so after restoring to a past date you'd want to remove any restore points from today.


So Urser, you should definitely run a full virus-scan as well as Spybot if you have it.
Afterwards, use system restore to revert to a safe point prior to your infection. System Restore will also change your desktop to how it was at that time (that means deleting or creating files and shortcuts on it) so save a copy of any files from your desktop that you want to keep. It shouldn't affect your personal files though in places like My Documents.



Though I advise strongly against doing this, an MSDN article about antivirus & system restore interaction mentions the removal of infected files from the System Restore archive by completely destroying all system restore points, which in your case you would only do after restoring to an uninfected point. I will let Beefynick have the final say on whether you do this (but until then, don't).



Last edited by Axidos : 10-20-2008 at 3:34 AM.
Old 10-20-2008, 6:39 AM       Post #5  
Urser
Contrary to my posts, I'm NOT an infant with Downs
 
Urser's Avatar
Since Aug 2006
Okay, I've used System Restore (to yesterday's restore point) as a last ditch effort and everything seems okay. My desktop is back and everything. And since no errors are coming up, I think I'm in the clear.

Also, since my virus was downloaded today (October 20th), is it safe to say that it's completely gone? When I was using system restore, they said that there were no restore points for October 20th, so the last restore point was October 19th (which is what I'm using).

EDIT: Functions like the task bar and task manager have returned as well. (I couldn't use them before)


Old 10-20-2008, 7:27 AM       Post #6  
miimii
Since Apr 2008
Probably, where did you get it from in the first place?



Last edited by miimii : 10-20-2008 at 7:29 AM.
Old 10-20-2008, 7:55 AM       Post #7  
Antisaint
Explosmateer
 
Antisaint's Avatar
Since Jan 2008
Quote:
Originally Posted by Urser
Okay, I've used System Restore (to yesterday's restore point) as a last ditch effort and everything seems okay. My desktop is back and everything. And since no errors are coming up, I think I'm in the clear.

Also, since my virus was downloaded today (October 20th), is it safe to say that it's completely gone? When I was using system restore, they said that there were no restore points for October 20th, so the last restore point was October 19th (which is what I'm using).

EDIT: Functions like the task bar and task manager have returned as well. (I couldn't use them before)
Do a virus scan, Fox. What scanner are you using?

EDIT: For future reference, order of seriousness is:
Scan > Scan in safe mode > System restore > A real tech support hotline/forum with HijackThis > Format hard drive

Also HijackThis comes with a task manager built in if something blocks the Windows one.
__________________
Hamster Huey and the Gooey Kablooie



Last edited by Antisaint : 10-20-2008 at 8:05 AM.
Old 10-20-2008, 9:11 AM       Post #8  
Beefynick
Explosmateer
 
Beefynick's Avatar
Since Aug 2007
I would not say it is completely gone. System restore works to restore items to a previous date, such as system files, but that does not mean that the virus is gone. It may have not allowed system restore to overwrite the file it is residing in.

I would do a virus scan again and see if any results come up. If they do, then you need to work on removing the virus. If you give us the name we can give you instructions how. Then you would not have to delete all your system restore points, just those taken since you were infected with the virus.

Do a virus scan and spyware scan and if anything is found post the results here and we can take it from there.


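Axidos (post #4) and Beefynick (post #8) both land on the same rule: roll back to the newest restore point that predates the infection, then, once a scan comes back clean, remove only the restore points created after it. The script below is an added example written for this page, not something any poster provided. It assumes Windows PowerShell running as Administrator on a client Windows build with System Restore enabled; $InfectionTime is a placeholder you replace with the time you know the infection happened (the thread's "about 30 minutes ago" on 10-20-2008). Deletion is left commented out so the script is read-only unless you opt in.

```powershell
# Added example, not from the thread: report System Restore points relative to a
# known infection time, name the safe rollback target, and list the suspect points
# that should be removed after a clean scan.
# Assumptions: Windows PowerShell as Administrator, System Restore enabled.
param(
    # Placeholder constructed for this example; set it to your own infection time.
    [datetime]$InfectionTime = (Get-Date '2008-10-20 00:30')
)

function Get-RestorePointReport {
    param([datetime]$InfectionTime)

    Get-ComputerRestorePoint | ForEach-Object {
        # CreationTime is a WMI/DMTF timestamp string; convert it to a DateTime.
        $created = [System.Management.ManagementDateTimeConverter]::ToDateTime($_.CreationTime)
        $status = if ($created -lt $InfectionTime) { 'safe (pre-infection)' } else { 'suspect (post-infection)' }
        New-Object PSObject -Property @{
            SequenceNumber = $_.SequenceNumber
            Description    = $_.Description
            Created        = $created
            Status         = $status
        }
    } | Sort-Object Created
}

$report = Get-RestorePointReport -InfectionTime $InfectionTime
$report | Format-Table SequenceNumber, Created, Description, Status -AutoSize

# Newest point that predates the infection: the one to hand to Restore-Computer.
$target = $report | Where-Object { $_.Created -lt $InfectionTime } | Select-Object -Last 1
if ($target) {
    Write-Host "Roll back with: Restore-Computer -RestorePoint $($target.SequenceNumber)"
} else {
    Write-Host "No restore point predates $InfectionTime; System Restore cannot help here."
}

# After restoring and confirming a clean scan, remove only the post-infection points.
# SRRemoveRestorePoint is the WMI SystemRestore method that deletes one point by sequence number.
$suspect = $report | Where-Object { $_.Status -like 'suspect*' }
foreach ($rp in $suspect) {
    Write-Host "Would remove restore point $($rp.SequenceNumber) ($($rp.Description), created $($rp.Created))"
    # Uncomment to actually delete:
    # ([wmiclass]'\\.\root\default:SystemRestore').SRRemoveRestorePoint($rp.SequenceNumber) | Out-Null
}
```

Run it once before restoring to pick the target, and again after the scan to see which points are left to remove. Keeping the pre-infection points intact is the whole reason not to wipe System Restore wholesale, as Urser worried about in the opening post.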
Old 10-20-2008, 9:43 AM       Post #9  
miimii
Since Apr 2008
Quote:
Originally Posted by Antisaint
Do a virus scan, Fox. What scanner are you using?

EDIT: For future reference, order of seriousness is:
Scan > Scan in safe mode > System restore > A real tech support hotline/forum with HijackThis > Format hard drive
Scan in safe mode should always come first. When you boot up the computer normally, the virus/worm/trojan is going to become active; using safe mode it won't start up with Windows, and you need to minimize the time it has to do its dirty work.

Quote:
If the reformat is because you're worried the virus might have shoved infected files elsewhere like into his documents, he'll probably end up copying them over during the back-up process and then put them right back, achieving nothing.
If the virus has shoved infected files into his documents then they are still going to be there on a system restore... For complete removal, if he actually has any important files that he does not want to lose (I'm talking document files here that a virus would not actually be able to infect), then a format is the way to go. It may seem extreme but it's the only way to be completely sure, and who doesn't like a good format anyway?


Old 10-20-2008, 1:19 PM       Post #10  
Antisaint
Explosmateer
 
Antisaint's Avatar
Since Jan 2008
Quote:
Originally Posted by miimii
Scan in safe mode should always come first. When you boot up the computer normally, the virus/worm/trojan is going to become active; using safe mode it won't start up with Windows, and you need to minimize the time it has to do its dirty work.
It isn't "do this then this then this," it's "If you just visited a shady site, do this, if you have something fucking your shit up do this, etc."

Quote:
If the virus has shoved infected files into his documents then they are still going to be there on a system restore... For complete removal, if he actually has any important files that he does not want to lose (I'm talking document files here that a virus would not actually be able to infect), then a format is the way to go. It may seem extreme but it's the only way to be completely sure, and who doesn't like a good format anyway?
Formatting a drive is ALWAYS a last ditch effort. Fix it any other way first, not every last virus is going to fuck with your restores and other settings.
__________________
Hamster Huey and the Gooey Kablooie


Old 10-21-2008, 3:12 AM       Post #11  
Axidos
Regular
 
Axidos's Avatar
Since Feb 2006
Quote:
Originally Posted by miimii
who doesn't like a good format anyway?
People who want to install and configure their operating system and programs once and once only? I'm not sure what sort of advice you've run into, but for just about any situation short of "I put my hard drive in a pile of magnets" there is a better solution than reformatting.


Old 10-21-2008, 3:39 AM       Post #12  
Urser
Contrary to my posts, I'm NOT an infant with Downs
 
Urser's Avatar
Since Aug 2006
Well I do have a lot of crap on my computer and it does need a good formatting. And I have all of my stuff backed up on a separate computer from about a month ago, so it wouldn't be that bad if I needed to. But everything is fine now! Thanks everyone.


All times are GMT -6. The time now is 7:31 PM.