  1. #1 New Lounger, Sacramento, CA (joined Dec 2009)

    Trouble with malware and System Restore

    My son's laptop has recently been 'infected' with the "XP Home Security" malware. It takes over his system and doesn't allow internet access or use of anti-(virus/malware) programs.

    I've googled it and it seems fairly rampant with several suggestions for a method to remove it. Several claim success with removal.
    * Use System Restore to restore to a point prior to 'infection' or
    * An updated Malwarebytes can remove it but the 'infection' does not allow it to run so you have to play games to get it to run (rename mbam.exe) even if you can get an updated version of Malwarebytes' signatures.
    * plus some other very manually intensive methods.

    I liked the simplicity of the "use System Restore to return to a previous good restore point". Since this cropped up only the day before he had several potential good restore points. Because of this I felt rather confident on this method so I had him attempt it. Note: unfortunately I do not have the laptop in my hands and it is very remote... he in Spokane, WA, I in Sacramento, CA so this is being done over the phone.

    HOWEVER... after doing a restore and the system reboots, his laptop is not in full working order. Some programs will not run. But most importantly IE will not start, something about a proxy error. I had him reboot into SAFE mode to see what that would do. In SAFE mode he is able to use IE. While he was able to access the internet I had him update his Malwarebytes in hopes maybe we could use it should we get his machine working back to normal and should this nasty show up again.
    However, whenever he'd reboot into NORMAL Windows... again his laptop is not fully functional and IE gets this proxy error. The 'infection' seems to be gone but the laptop is not usable.

    I then instructed him to choose the "Undo my previous restore" in hopes of returning his laptop back to its original setup with the "infection" so we could attempt the Malwarebytes 'fix'. That UNDO option was not available (gone from the System Restore options list). Sigh.

    Questions
    Any insights on why his laptop would not be functional after the System Restore?
    (Note: I've not had him attempt any other restore points as yet, but it is on my list of next things to attempt.)
    Any other insights on this "XP Home Security" malware removal?

    Thanks
    Bill in Sac

  2. #2 Lounge VIP, Scotland (joined Apr 2011)
    Here's a thread where a very similar problem was discussed.

    Key thing is to remove the trojan that's at work. Boot into Safe Mode without Networking, run the System Restore (returning to Safe Mode Without Networking to complete the restore), then attack it with standard tools.

  3. #3 New Lounger, Sacramento, CA (joined Dec 2009)
    Thanks Tinto. I've had my son reboot to Safe Mode WITH Networking. I'll have him try your method.
    Do you think using Safe Mode with Networking could be his issue with his laptop not being fully functional after the restore? FYI: the restore was a restore point prior to the 'infection'.

    Thanks again.
    Bill
    Last edited by billgeo; 2011-05-30 at 16:20.

  4. #4 Lounge VIP, Scotland (joined Apr 2011)
    Do you think using Safe Mode with Networking could be his issue with his laptop not being fully functional after the restore? FYI: the restore was a restore point prior to the 'infection'.
    Depends on exactly what you mean by not fully functional.

    I'm assuming that your son did not click to follow the instructions to "register" or "clean me" or "Activate" or whatever the activation button is in that variant. If he did, then it's potentially a much more serious problem.

    So, if IE is complaining about a proxy error, then it is possible that the System Restore has been successful and disrupted the connection between the trojan and the browser. That being the case, what you're seeing is the aftermath of the problem - the browser complains because it can't find the hijack.

    He could check the network connection settings to see if the trojan has hijacked them by installing a proxy instead of using DHCP. He could also navigate to C:\Windows\System32\Drivers\Etc and check the date/time stamp on the hosts file. It should be the same as all the others in that folder. If it isn't the same, then it's likely the hosts file has been hijacked and needs cleaning.

    Anyway, if your son follows the route in the post I referred to above, he should have a stable platform to check. It's important to follow the whole process in that other post, not just the System Restore.
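    The two checks Tinto describes (a proxy forced into the settings IE uses, and a hosts file whose timestamp differs from its neighbours) can be done in one read-only script. This is an added example written for this thread, not something posted by Tinto or shipped with any tool; it assumes a Windows PowerShell prompt on the affected machine (run as Administrator, ideally from Safe Mode), reads the standard per-user WinINet "Internet Settings" registry key that Internet Explorer honours, and changes nothing.

```powershell
# Added example (not from the thread): read-only checks for the two hijack signs
# discussed above. Assumes Windows PowerShell on the affected laptop; it only
# reads registry values and file metadata, it does not modify anything.

$etcDir    = Join-Path $env:SystemRoot 'System32\drivers\etc'
$hostsPath = Join-Path $etcDir 'hosts'
$inetKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

# --- 1. Proxy settings Internet Explorer uses (per-user, under HKCU) ---
$inet = Get-ItemProperty -Path $inetKey -ErrorAction SilentlyContinue
Write-Host "ProxyEnable   : $($inet.ProxyEnable)"
Write-Host "ProxyServer   : $($inet.ProxyServer)"
Write-Host "AutoConfigURL : $($inet.AutoConfigURL)"

if ($inet.ProxyEnable -eq 1 -and $inet.ProxyServer) {
    # A home laptop with no corporate proxy should not have this set at all.
    # A loopback address (127.0.0.1:<port>) is the classic sign that a
    # local trojan was sitting between the browser and the network, and it
    # explains a "proxy error" once that trojan is gone.
    Write-Warning "IE is set to use proxy '$($inet.ProxyServer)'; verify this is one you configured."
}
if ($inet.AutoConfigURL) {
    # An automatic configuration (PAC) script can redirect traffic just as well.
    Write-Warning "An automatic configuration script is set: $($inet.AutoConfigURL)"
}

# --- 2. hosts file timestamp compared with the other files in the folder ---
# PSIsContainer is used instead of Get-ChildItem -File so this also works on
# PowerShell 2.0, which is the newest version available on Windows XP.
$files  = Get-ChildItem -Path $etcDir | Where-Object { -not $_.PSIsContainer }
$hosts  = $files | Where-Object { $_.Name -ieq 'hosts' }
$others = $files | Where-Object { $_.Name -ine 'hosts' }

if (-not $hosts) {
    Write-Warning "No hosts file found in $etcDir"
} else {
    Write-Host ""
    $files | ForEach-Object { Write-Host ("{0,-12} {1}" -f $_.Name, $_.LastWriteTime) }

    # Most common modification day among the sibling files (lmhosts.sam,
    # networks, protocol, services); on an untouched system hosts matches it.
    $referenceDay = ($others |
        Group-Object { $_.LastWriteTime.ToString('yyyy-MM-dd') } |
        Sort-Object Count -Descending |
        Select-Object -First 1).Name
    $hostsDay = $hosts.LastWriteTime.ToString('yyyy-MM-dd')

    if ($hostsDay -ne $referenceDay) {
        Write-Warning "hosts was last written on $hostsDay, the other files on $referenceDay; inspect it."
    } else {
        Write-Host "hosts timestamp matches its neighbours ($hostsDay)."
    }

    # Show every active (non-comment) entry so a hijacked file is obvious even
    # if the timestamp was tampered with. Only the default localhost lines are
    # expected on a clean machine.
    $active = Get-Content -Path $hostsPath | Where-Object {
        $line = $_.Trim()
        $line -ne '' -and -not $line.StartsWith('#') -and
        $line -notmatch '^(127\.0\.0\.1|::1)\s+localhost$'
    }
    if ($active) {
        Write-Warning "Non-default hosts entries found:"
        $active | ForEach-Object { Write-Host "    $_" }
    } else {
        Write-Host "No non-default hosts entries."
    }
}
```

    If the proxy values are set, clearing them is the same change as unticking "Use a proxy server for your LAN" under Internet Options > Connections > LAN settings; if the hosts file carries entries you did not add, it can be reset to just the localhost lines. Both are worth doing after, not instead of, the full clean-up route in the post Tinto linked, since a trojan that is still running will simply put its settings back.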

  5. #5 New Lounger, Sacramento, CA (joined Dec 2009)
    Thanks again. Good info!

    Bill

  6. #6 Super Moderator Deadeye81, North Carolina, USA (joined Dec 2009)
    Moderator Note: This thread was moved to the appropriate Forum, Security & Backups.
    Deadeye81
    Forum Moderator Staff
