01-03-2009, 12:42 AM
#1
HP Pavilion Non-destructive system recovery lockup
My computer got infected with a particularly nasty virus, Antivirus xp 2008(9). I had no choice but to reformat, but unfortunately, something went wrong.
The system recovery process goes fine, but then at the finish, the system just locks up. As soon as I press the finish button, the system stops. I can't do anything, and the only thing I can do is to do a hard shutdown. I could just do a destructive recovery, but I have a lot of family pictures that I don't want to destroy. I really need help guys. The confuddling thing is that I was able to do the non-destructive system recovery before, without a problem, and the virus was gone utterly.
The first time, and the successful time, my OS was Windows XP SP2.
The second time, my OS is Windows XP SP3, and I think this may have to do with it.
Not entirely sure though, but I really need a solution here, and again, the last thing I want is to reformat everything and lose my family pictures.
HELP!
EDIT: What I mean is that at the end of the system recovery, as soon as I press the finish button, the system just stops. I stay at that "finish" step, and the system just locks up. No start menu, desktop, nada. Just that "Congratulations, you're done" screen at the end of the recovery process.
__________________
|TG-Irr|Adaxa
Active in: BF2142
"Jesus saves! He passes to Moses... SCOOORE!"
Last edited by Adaxa; 01-03-2009 at 10:21 AM.
Reason: Addt. info

01-03-2009, 01:04 AM
#2
This is after-the-fact, but that "rogue" program is easily removed. Here are the instructions to remove it from your system (for future reference).
Have you tried the Windows Repair again? Just because it locks up for the first time may not mean it'll lock up again the second time.
__________________
WRT54GL v1.1 + Tomato 1.23 / Logitech MX1100 / Bamboo RSS
AA1-ZG5 (Ubuntu 9.04) / 1000HE / Wants mini-BeBook / Cowon D2 + S9
"I'd go get bent honestly!" - Vulcan to Trooper
"NOBODY wants to hear you breathe." - CingularDuality
"I kill myself most of the time. I don't stop for buildings..." - BeSiege

01-03-2009, 01:30 PM
#3
My son's computer seems to have been hit by something very similar: "Antivirus 2009".
The removal instructions in the link above just have you run MalwareBytes (MBAM). Unfortunately, that won't run on that PC. Nothing happens when you try to launch the mbam setup. I can see it in the process list but no CPU usage and no change in memory usage. It seems like it is blocked somehow.
It somehow also blocks me from getting to the Windows Update site and prevents AVG from connecting to the update server.
Anyone know where to find some more aggressive instructions to try and remove this?

01-03-2009, 03:55 PM
#4
There might be a simpler workaround solution.
Try installing MBAM onto a USB flash drive from another computer. Then insert the USB flash drive into the infected system and run MBAM.
In the meantime, I'll look for a more effective solution other than a complete reformat.
Edit: It seems having MBAM run directly off of a USB flash drive is the only alternative.
I'm going to try to find the other anti-malware software I used to remove a similar rogue AV program from my old rig.
I found it. Ewido Anti-Malware. Apparently AVG/Grisoft bought over Ewido...so I'm guessing no more Ewido Anti-Malware.

01-03-2009, 05:52 PM
#5
Success!
But I can't honestly say how I eventually got around all the roadblocks.
I was using a flash drive to copy stuff from this PC to the infected one, but I didn't think to run directly from the flash drive...maybe that would have worked?
In my case, I could get mbam's setup onto the infected PC but it wouldn't run. I saw numerous suggestions on other forums about renaming it first etc. to hide it from the malware.
Anyway I tried so many different things...regedit deletes, cache cleaning, inside and outside of safe mode...that I am not sure what was the key. But at some point, all of a sudden, I was able to run the version of MBAM I had installed with the bogus name "asdf". Previously even the renamed version wouldn't run, so I don't know what I did that allowed it to run now???
Anyway, I was pessimistic because even though it would run, it couldn't connect to its update servers (just like AVG and Windows Update). I ran the scan anyway and it found and removed 42 different infections, most labeled as Trojans. After the restart, it could then update, which I did and scanned again. It removed a couple more things.
Now AVG update works, Windows Update works...I'm running an AVG scan now and it found something as well, but I think I'm pretty close to being clean again.
All the weird IE behavior, where every site shows up as "Possibly Infected...Don't you want to install Antivirus 2009?", is now gone.
Thanks for the input....this was a nasty one!

01-03-2009, 06:49 PM
#6
Quote:
Originally Posted by Nerd Ferguson
Success!
But I can't honestly say how I eventually got around all the roadblocks.
I was using a flash drive to copy stuff from this PC to the infected one, but I didn't think to run directly from the flash drive...maybe that would have worked?
In my case, I could get mbam's setup onto the infected PC but it wouldn't run. I saw numerous suggestions on other forums about renaming it first etc. to hide it from the malware.
Anyway I tried so many different things...regedit deletes, cache cleaning, inside and outside of safe mode...that I am not sure what was the key. But at some point, all of a sudden, I was able to run the version of MBAM I had installed with the bogus name "asdf". Previously even the renamed version wouldn't run, so I don't know what I did that allowed it to run now???
Anyway, I was pessimistic because even though it would run, it couldn't connect to its update servers (just like AVG and Windows Update). I ran the scan anyway and it found and removed 42 different infections, most labeled as Trojans. After the restart, it could then update, which I did and scanned again. It removed a couple more things.
Now AVG update works, Windows Update works...I'm running an AVG scan now and it found something as well, but I think I'm pretty close to being clean again.
All the weird IE behavior, where every site shows up as "Possibly Infected...Don't you want to install Antivirus 2009?", is now gone.
Thanks for the input....this was a nasty one!
|
Great to hear you got rid of it.
I was hit by the first one (the one before the 2008 one) a while ago (maybe 2007). It took me quite a bit of thinking and two days to get rid of it. Eventually it became a use of Ewido from a flash drive and HijackThis logs to determine if I had gotten rid of it.

01-03-2009, 07:52 PM
#7
Does Antivirus xp 2008 cause your desktop to display a blue screen as the screen saver?
Anyway, it took a VERY long time, but finally I got to the start menu. However, my computer displayed that my 224 or something hard drive had no free space. I mean no free space whatsoever. 0 bytes of free space. Any idea why?

01-03-2009, 11:16 PM
#8
Quote:
Originally Posted by Adaxa
Does Antivirus xp 2008 cause your desktop to display a blue screen as the screen saver?
Anyway, it took a VERY long time, but finally I got to the start menu. However, my computer displayed that my 224 or something hard drive had no free space. I mean no free space whatsoever. 0 bytes of free space. Any idea why?
|
As far as I remember, it shouldn't be messing around with free space since the "virus" isn't equipped to start replicating itself non-stop.
You might be infected with another virus that is constantly replicating and taking up free space on your hard drive.
Are you running any anti-virus software?