Travel Technology - I got a virus. How do I 'restore' my computer to the day before

dhammer53
Jul 8, 07, 3:12 pm
My wife was able to restore our Dell computer once, after a virus. She somehow managed to get the computer to go back to the day before.
It worked.

She doesn't remember how she did the restoration. I've been entrusted (as are you) to help solve this problem.

A search of restore/restoration didn't help. Can you?

Thanks.


MisterNice
Jul 8, 07, 3:30 pm
system > all programs > accessories > system tools > system restore, then pick your date from the calendar

MisterNice

SpaceBass
Jul 8, 07, 7:28 pm
It's likely the virus will still be present and that System Restore may not work at all... in fact it could leave you worse off.

I've said this before and it's often not what anyone wants to hear, but...
Your only real viable option is to backup all your files to an external or 2nd disk. Wipe the computer, re-install windows, install some good virus protection and then move the files back.

I did just this to a friend's box that was severely compromised just this week.

Specifically, here are the steps I recommend.

1) Download Blink from eEye, install it on the infected computer and do a full scan. (It's tempting to leave it at that and move on, but since you are infected, you can never trust the system again; you cannot even trust that Blink is reporting accurately.) The goal here is to try and clean the files before you back them up, as a cautionary measure against bringing them back over to the new system.
2) Copy your Documents and Settings to a 2nd drive or external USB drive. I actually like the built-in "transfer settings" wizard that is in the Accessories folder in the Start menu. It will do all the hard work, including copying in-use protected files.
3) Wipe the drive; format it during a fresh install of Windows.
4) Install the latest service packs and updates.
5) Install Blink from eEye again... this is the best virus/malware/intrusion detection software out there, period.
6) Bring your files back over... either through the transfer wizard again, or by manually copying.
7) Re-install programs.

It's not a fun process at all... it sucks, in fact. But it's the only way to know that your system is clean. Blink will do an amazing job of keeping you clean and safe going forward. But you might also take the time to change a few habits and processes... install Firefox, or use the VMware Player and a browsing appliance (www.vmware.com)... start making weekly backups, etc.

Good luck!


dhammer53
Jul 8, 07, 8:30 pm
We'll give it a go tomorrow. Wish me luck. Otherwise, iMac, here we come.

dh

redburgundy
Jul 8, 07, 8:34 pm
Do you have any idea which virus?
There are a bunch of specific tools here:
http://www.f-secure.com/security_center/malware_removal_tools.html
and you can download an evaluation version of their product here:
http://www.f-secure.com/home_user/support_and_downloads/evaluations/

Loren Pechtel
Jul 8, 07, 10:13 pm
And then get yourself some anti-virus software.

AVG still has a free version.

SpaceBass
Jul 9, 07, 7:18 am
The Blink product http://www.eeye.com/html/index.html that I mentioned above is free for the first year and then somewhere around $25/year.

I'm still blown away by how powerful yet lightweight it is... I'd recommend it over anything else that I've tried.

My second choice is ClamWin (free as in speech), followed by AVG's free version...

As we all know, Norton is a virus in and of itself ;)

mbreuer
Jul 9, 07, 9:31 am
One other approach - a bit safer.

Install a fresh copy of Windows (preferably to a different drive or partition). If the same drive/partition, choose to install into a different directory (like c:\safeboot). Not a bad time to purchase a second hard drive, IMHO. Do not access anything on the infected drive/partition (unless you install to the same drive, in which case you have no choice).

Install your virus scanner and update to current definitions.

Update Windows with all current security patches (windows update).

Scan & clean. Note: by booting to an alternate Windows, you can effectively clean system files.

Check the cleaned (or quarantined) files. If any seem to be critical windows files, copy a replacement from your safe windows to the "bad" one. (Alternatively, after cleaning, do an upgrade install of Windows on top of the "bad" install. As before, update with all security patches & make sure your virus scanner is installed and up to date).

This is why the TCO for Mac (or Linux) is probably way lower than for Windows.

nmenaker
Jul 9, 07, 10:07 am
I would run a virus scan; the online version of BitDefender works well, is free, and checks background processes and memory too. Then let it do its work, then download something like the AVG free product and run that.

Then, once all are done, do the restore if all things are clear. Then run BitDefender and AVG again.

Then, keep the AVG running forever!

sllevin
Jul 9, 07, 11:45 am
Not sure this helps in this situation, but I did want to mention backups again.

I'm a bit more geek than most, so this may not work for everyone -- but I dump an image of my HD to an external drive once a month -- and the drive can hold three images. Restoring an image will lose any new data you've saved -- but it will bring your machine back clean.

I had a laptop stolen last year on a Saturday; on Sunday I got another identical laptop we had at work -- Monday morning I walked into work with a fully operating machine. Since I don't store email on the laptop but on servers...I lost virtually nothing.

And as a mention for backups -- keep them separate from your computers for just those kinds of reasons. If the external drive had been inside my house, I am sure it would have gotten taken as well.

Steve

mbreuer
Jul 9, 07, 12:23 pm
Yes - backups are hugely important. But... if you're trying to recover from a virus, especially a new one, it's possible that the backups are infected. This typically happens when a signature update & subsequent scan (usually weekly) find the virus. The infection could be as old as the oldest useful backup. So, use the backup, but scan it from a clean machine before applying it.

Emma65
Jul 10, 07, 10:17 am
Start by TURNING OFF RESTORE! If you go back the virus is still present. You won't remove it that way.

So TURN OFF RESTORE!

Then download a trial of an antivirus software that you plan to eventually purchase. Burn that on a disk as well so you have a back up.

Close browser and mail and anything you can think of.

Install antivirus. Run the update and run a complete check of your system. Go away and have lunch/coffee and come back to see the results. If anything is moved to quarantine - delete.

Then go to symantec.com and download (for free) every conceivable virus removal tool you can find. Burn them on a disk.

Get your computer OFF LINE so it is not connected to the internet anymore.

Run ALL of the removal tools (even if you have a tool for a virus that didn't get flagged) one after another.

Run your antivirus software and see if it finds anything. If it does - see if you have the tool for it and run it again. If not - go online and find the removal tool.

If you go about it as above you will not have to do a complete install. However - Once your system is cleaned I'd recommend you back up your files, format the hard drive and reinstall everything including the antivirus.

Also make sure your firewall is activated and get anti-spyware while you're at it. Including pop-up blockers.

This is what I used to do when I was working for a small ISP and servicing client computers.

Just note that for removal tools to efficiently work RESTORE MUST BE TURNED OFF!!

Then leave it off. Restore is evil. It is much better to get a good back up software/workflow and stick with that than using restore.

Remember - Restore is EVIL!

:-)

Larrude
Jul 10, 07, 11:32 am
Come on, what do you really feel about RESTORE :D

Emma65
Jul 10, 07, 12:12 pm
Come on, what do you really feel about RESTORE :D

Restore is God's punishment to I.T. people. Restore is what virus makers count on as they know their virus will resurrect and do its evil things. Restore is a virus created by Microsoft and users are fooled to think it is not.

I really hate restore.

Apple is coming out with something similar in Leopard. Unless it is really really really good I am so not going to activate it on my mac.

Oh yeah - the best advice is actually follow my list of what to do, back up files, reinstall PC, sell PC, buy Mac, put files on Mac.

*ducking*
:p:p

mbreuer
Jul 10, 07, 1:20 pm
Actually, you should never count on the integrity of any part of the system you're trying to recover. Do NOT download and make disks of the anti-virus software on the infected machine. You'll likely end up with infected CDs. Also, you really want to boot from something clean. You could even install a minimal Windows partition onto a USB drive (if you can't boot from an external USB drive, you can install a new boot loader (GRUB, for example, or a multitude of commercial offerings) which redirects booting to the USB device).

You really want to do the scan from a clean system. That will, btw, usually detect infections in the RESTORE area. Doesn't make restore useful, but prevents re-infection.

cpx
Jul 10, 07, 1:25 pm
Restore is a virus created by microsoft and users are fooled to think it is not.


I thought that virus was called "windows" :p

SpaceBass
Jul 10, 07, 5:55 pm
Lots of great ideas in this thread.

I know I sound like a broken record but I want to reiterate two points:
1) a clean install is the only solution where you can be reasonably sure that you are clean... think about it like this: any virus has the potential to manipulate the results from any scanner or cleaner (including Blink, although they claim otherwise...so maybe not). Regardless, you can never be sure of the results of any scanners or cleaners until you are on a fresh system.

2) Blink by eEye is a new product to me, but I am totally blown away by it. I cannot say enough... I took a machine that was heavily botted and "owned" (to borrow the vernacular)... I could watch it try and make about 50 concurrent malicious connections (mostly to China)... I installed Blink and they dropped to zero... it also found and cleaned a lot more viruses than AVG and ClamWin (admittedly, ClamWin doesn't clean so well).

It was a find from Security Now (www.grc.com) and so far I'm really impressed. It's very lightweight for all the things it does, which may be my favorite part.
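The "50 concurrent malicious connections" observation above can be made systematically from a `netstat -ano` snapshot. The following is an added example written for this thread, not code from the original posts or from Blink: it parses the Windows `netstat -ano` row format, groups outbound TCP rows by owning PID, and flags a process that talks to IRC ports, fans out to many distinct external hosts, or leaves many half-open (SYN_SENT) connections. The sample snapshot, the port list and the thresholds are constructed assumptions.

```python
"""Triage a `netstat -ano` snapshot for bot-like outbound behaviour.

Added example; the sample output below is constructed, not a real capture.
Thresholds and the IRC port list are assumptions, not from the thread.
"""
import ipaddress
import re
from collections import defaultdict

# Ports classically used by IRC-controlled bots (assumption; tune per environment).
IRC_PORTS = set(range(6660, 6670)) | {7000}
# A single process talking to this many distinct external hosts is suspicious
# on a home PC (assumption; a browser with many tabs can approach it).
FANOUT_THRESHOLD = 20
HALF_OPEN_THRESHOLD = 10   # many SYN_SENT rows = scanning or dead C2 servers

# Address ranges treated as local; contacts to these never count as external.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fe80::/10", "fc00::/7")]

# One `netstat -ano` row: proto, local, remote, optional state (UDP has none), PID.
ROW_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<remote>\S+)"
    r"(?:\s+(?P<state>[A-Z_]+))?\s+(?P<pid>\d+)\s*$")


def split_endpoint(endpoint):
    """'203.0.113.15:6667' -> ('203.0.113.15', 6667); '[::1]:80' -> ('::1', 80)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), (int(port) if port.isdigit() else None)


def is_external(host):
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:          # '*' in UDP rows, or a hostname
        return False
    return not any(ip in net for net in LOCAL_NETS)


def parse_netstat(text):
    """Return one dict per connection row; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        rhost, rport = split_endpoint(m["remote"])
        rows.append({"proto": m["proto"], "remote_host": rhost, "remote_port": rport,
                     "state": m["state"] or "", "pid": int(m["pid"])})
    return rows


def triage(rows):
    """Group outbound TCP rows by PID and return {pid: [reasons]} for suspects."""
    per_pid = defaultdict(lambda: {"hosts": set(), "irc": set(), "half_open": 0})
    for r in rows:
        if r["proto"] != "TCP" or r["state"] not in ("ESTABLISHED", "SYN_SENT"):
            continue
        if not is_external(r["remote_host"]):
            continue
        p = per_pid[r["pid"]]
        p["hosts"].add(r["remote_host"])
        if r["remote_port"] in IRC_PORTS:
            p["irc"].add((r["remote_host"], r["remote_port"]))
        if r["state"] == "SYN_SENT":
            p["half_open"] += 1

    findings = {}
    for pid, p in per_pid.items():
        reasons = []
        if p["irc"]:
            reasons.append("%d connection(s) to IRC ports: %s" % (len(p["irc"]), sorted(p["irc"])))
        if len(p["hosts"]) >= FANOUT_THRESHOLD:
            reasons.append("%d distinct external hosts" % len(p["hosts"]))
        if p["half_open"] >= HALF_OPEN_THRESHOLD:
            reasons.append("%d half-open (SYN_SENT) connections" % p["half_open"])
        if reasons:
            findings[pid] = reasons
    return findings


def build_sample():
    """Constructed `netstat -ano` output: PID 1788 plays the bot, 2244 a browser."""
    lines = ["Active Connections", "",
             "  Proto  Local Address          Foreign Address        State           PID",
             "  TCP    192.168.1.20:1045      192.168.1.1:445        ESTABLISHED     4",
             "  TCP    192.168.1.20:1063      203.0.113.15:6667      ESTABLISHED     1788",
             "  TCP    192.168.1.20:1064      198.51.100.8:6667      SYN_SENT        1788"]
    for i in range(30):   # fan-out to 30 hosts, mostly half-open
        lines.append("  TCP    192.168.1.20:%d      203.0.113.%d:80      SYN_SENT        1788"
                     % (1100 + i, 100 + i))
    lines += ["  TCP    192.168.1.20:1120      198.51.100.50:443      ESTABLISHED     2244",
              "  UDP    0.0.0.0:137            *:*                                    4"]
    return "\n".join(lines)


if __name__ == "__main__":
    for pid, reasons in triage(parse_netstat(build_sample())).items():
        print("PID %d looks bot-like:" % pid)
        for why in reasons:
            print("  -", why)
```

To use it on a real box, save `netstat -ano` output to a file, feed the text to `parse_netstat`, and map the flagged PID to an image with `tasklist`. Keep the thread's own caveat in mind: a rootkit on the infected host can hide rows from `netstat`, so a clean result there proves nothing; the snapshot is worth more when corroborated from the router or gateway, or taken after booting the machine from clean media.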

TA
Jul 10, 07, 9:12 pm
This thread at a popular tech discussion site has a comprehensive set of links on how to remove all types of spyware, viruses, etc. from your computer. I've relied on this successfully when I stupidly downloaded a trojan and it refused to be cleaned by most of the removal programs I know:

http://forums.anandtech.com/messageview.aspx?catid=76&threadid=2004933&enterthread=y

I highly recommend this.

Emma65
Jul 11, 07, 2:51 am
Actually, you should never count on the integrity of any part of the system you're trying to recover. Do NOT download and make disks of the anti-virus software on the infected machine. You'll likely end up with infected CDs.


That is true. I used my work computer to download and burn and then go to client's.

However - those who don't have access to an uninfected comp may have to settle with burning off their own.

/E

Emma65
Jul 11, 07, 2:52 am
I thought that virus was called "windows" :p

Windows is the trojan that carried the virus.

:P

driftings
Jul 12, 07, 5:06 am
Lots of great ideas in this thread...

SpaceBass's first post provided an excellent way of ensuring a clean system after a virus - or after 6 months of regular use on any computer running Windows (whichever comes first.) Keep your data backed up on an external drive and DVDs - then wiping and reinstalling everything is much less of a hassle.

SpaceBass
Jul 12, 07, 9:15 am
must...resist...urge...to...promote OS X...
BUY A MAC

damn, I couldn't keep it in :D

mbreuer
Jul 12, 07, 10:16 am
SpaceBass's first post provided an excellent way of ensuring a clean system after a virus - or after 6 months of regular use on any computer running Windows (whichever comes first.) Keep your data backed up on an external drive and DVDs - then wiping and reinstalling everything is much less of a hassle.
Sadly, no. The issue with the external drive is that you're likely to back up the virus. If you got the virus, by definition your scanner missed it. It's likely it ended up on the last backup, and also infected the external drive.

DVD is better as already-written data won't be infected. But... it is reasonably likely that the most recent (most desirable) backup is infected.

So, back up (after all, you might not have a virus, but have a hard drive crash). But, update your virus scanner and scan the backup media & content before you restore. Also make sure autorun is disabled.
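SpaceBass's steps 1 and 2 (clean what you can, then copy Documents and Settings off to a second drive) and the warning just above (the backup itself may carry the infection, so scan it from a clean machine and keep autorun off) both come down to one question: what in the backup is data, and what is executable content that should never be copied back? The following is an added example for this thread, not code from any of the posters or from Blink. Run from the clean machine against the mounted backup, it inventories every file by SHA-256 and flags `autorun.inf`, executable or script extensions, document-looking double extensions such as `invoice.pdf.exe`, and files whose content starts with the Windows PE `MZ` header under a harmless extension. The extension list and the sample backup tree are constructed assumptions, and the script is a triage aid, not a replacement for the scanner the posts recommend.

```python
"""Triage a backup tree before restoring it onto a freshly installed system.

Added example; not a scanner and not a substitute for one. It inventories every
file (SHA-256) and flags the things a data-only restore should not carry over:
autorun.inf, executable/script extensions, document-looking double extensions,
and files whose content is a Windows PE ('MZ') hiding under a harmless extension.
The extension list and the sample backup are assumptions/constructed data.
"""
import hashlib
import tempfile
from pathlib import Path

# Extensions Windows will execute or that commonly carry droppers (assumption).
RISKY_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".vbe",
             ".js", ".jse", ".wsf", ".wsh", ".hta", ".dll", ".cpl", ".msi", ".lnk"}


def sha256_file(path, chunk=1 << 16):
    """Hash a file in chunks so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def classify(path):
    """Return the list of reasons this file should not be restored blindly."""
    reasons = []
    suffixes = [s.lower() for s in path.suffixes]
    last = suffixes[-1] if suffixes else ""
    if path.name.lower() == "autorun.inf":
        reasons.append("autorun.inf (autorun trigger)")
    if last in RISKY_EXT:
        reasons.append("executable extension %s" % last)
        if len(suffixes) >= 2:
            reasons.append("document-looking double extension %s" % "".join(suffixes[-2:]))
    with open(path, "rb") as f:
        head = f.read(2)
    if head == b"MZ" and last not in RISKY_EXT:
        reasons.append("PE header under non-executable extension %r" % last)
    return reasons


def triage_backup(root):
    """Walk root; return ({relpath: sha256}, {relpath: [reasons]}) for all files."""
    root = Path(root)
    inventory, findings = {}, {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        inventory[rel] = sha256_file(path)
        reasons = classify(path)
        if reasons:
            findings[rel] = reasons
    return inventory, findings


def make_sample_backup(root):
    """Constructed 'Documents and Settings' style tree with three bad apples."""
    root = Path(root)
    files = {
        "Documents/readme.txt": b"plain text, restore freely\n",
        "Documents/notes.doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 64,
        "Documents/invoice.pdf.exe": b"MZ\x90\x00" + b"\x00" * 60,   # dropper
        "Pictures/holiday.jpg": b"MZ\x90\x00" + b"\x00" * 60,        # spoofed PE
        "autorun.inf": b"[autorun]\r\nopen=setup.exe\r\n",
    }
    for rel, content in files.items():
        dest = root / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        dest.write_bytes(content)


def run_demo():
    """Build the sample tree in a temp dir and triage it; returns (inventory, findings)."""
    with tempfile.TemporaryDirectory() as d:
        make_sample_backup(d)
        return triage_backup(d)


if __name__ == "__main__":
    inventory, findings = run_demo()
    print("%d files inventoried, %d flagged" % (len(inventory), len(findings)))
    for rel, reasons in findings.items():
        print(rel, "->", "; ".join(reasons))
```

The inventory is worth keeping with the backup: the same hashes, recomputed on the restored files, tell you later whether anything on the new system changed underneath you, and they let a scanner's verdicts be tied to specific files rather than to "the backup". Flagged entries are not automatically malicious (a legitimate installer in Downloads has an `.exe` extension too); they are the files to reinstall from original media rather than copy back.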

SpaceBass
Jul 12, 07, 11:21 am
I understand where you are coming from. There is always the risk, even with DVD or write-once media, that the virus will be present on the backups.

That said, these days you are more likely to get a bot or trojan as the virus, and those are more likely to try and take over your system for malicious purposes than corrupt data. So more than likely a virus scanner missed it b/c of the use of a rootkit or by simply corrupting the scanner. If you do a fresh install, fully patch the system and then load some good virus and malware protection (not just scanning) software (like Blink, did I mention I'm a fan?) and THEN attach the external storage or mount your backup, you are more likely to be on the safe side. (One heck of a run-on sentence there... sorry.)

I get passionate about this subject b/c I spend several hours a month taking care of this very problem for friends and family. All it takes is one little exploit and the system is totally compromised and you've got 100 bots all logging into IRC servers around the world, waiting to be spam agents or DDOS drones. Then I have to go through this whole process of backing up, wiping the drive, reinstalling... which isn't really that hard. The hard part is explaining to the user why it happened and what they could have done to prevent it.

What really burns me up is that this is 2007; you shouldn't have to be a nerd to own a computer and use it safely. We don't have to be mechanics to drive cars or repairmen to own refrigerators... It shouldn't be this way... ok, I'm off the soapbox :D

mbreuer
Jul 12, 07, 12:19 pm
Yup.

Get a mac :)

Or, linux.

I solved the household cleaning issue by telling my kids, "Next time you click on something and say yes to the Spybot warning, you get Linux & OpenOffice. You'll be able to surf, IM and do school work, but sorry about those games."

They've been good ever since (and now are moving to Macs).

SpaceBass
Jul 12, 07, 12:29 pm
Linux as a threat?
That's a reward my friend!

I just sent a "cleaned" PC home with its owner yesterday. I tossed in an older 40GB drive I had laying around and set it to dual boot to Ubuntu... loaded OpenOffice, Picasa, Amarok and Thunderbird... set up his ~ to point to his Windows My Docs folder... he loved the setup. I said "you can use Windows, but you can also boot into Ubuntu and do everything you could do before"... I even burnt and re-ripped his (25 or so) purchased iTunes tracks to remove the DRM so Amarok would play and sync them.

mbreuer
Jul 12, 07, 8:03 pm
At the time, removal of The Sims was the real threat.

Emma65
Jul 13, 07, 9:38 am
I just sent a "cleaned" pc home with its owner yesterday.

I went to see a friend about a PC a few years ago. I couldn't even get in, that's how infected it was. I ended up taking the box back to my office and spent a week with removal tools to clean it before I got to the stage of backing up, formatting, reinstalling, installing antivirus, firewall etc., checking it again and bringing in that backup of files, checking again and again and again until I was certain it was clean. That box sat in my office for 2 weeks in total.

The funniest one was a call from an ad agency. I grabbed my rescue folder of discs and wandered over to their office. Inside I stood and looked around wondering what the h*ck I was doing there as all I saw was mac (before OS X days). The co-owner lured me in to a back office and there was the guilty PC. The guilty machine had spent the entire night spewing out thousands of infected e-mails to every person in the address book. I located the e-mail and the attachment that started it all only to realize the e-mail was internal.

I asked the co-owner whose email address that was and she came clean. It was hers. She had gotten the mail with the attachment on her Mac. Couldn't open the attachment, so sent it on to the PC. Clicked on it there and all that happened was that the screen flickered for a second and that was it. Thought it was nothing and left it at that.

A few hours and a lecture in internet security later I walked back to my office.

The other co-owner rang me at home later that night and thanked me.

/E

SpaceBass
Jul 13, 07, 10:30 am
I think we need to start a "technology nightmares" thread...
I was thinking last night about the time I shut down a server in Kentucky while I was in Virginia (far away from the KY side of VA)... that wasn't pretty...and I have more stories about trashed computers than I can even count.

Emma65
Jul 13, 07, 12:57 pm
My sysadmin has given me root to my machine but is contemplating setting up a different root with less privileges and himself as superroot. I think he's a bit tired of getting my calls in the middle of the night when I've done something and "apachectl restart" tells me to f*** off seconds before it dies.

I'm in UK the server is in Sweden and he's 30 miles/50 km from it.

I have got to stop doing stuff in the middle of the night.
