
Resolved backup problems and corrupted system files

Discussion in 'Windows XP' started by ravn87, 2011/04/05.

  1. 2011/04/05
    ravn87

    ravn87 Inactive Thread Starter

    Joined:
    2010/03/10
    Messages:
    85
    Likes Received:
    0
    I've got a lot of questions, most of which I really hope are easy for you to answer. The malware thing I can take care of, however this is more of a System re-install and backup matter. :)

    The Scenario:
    So Recently a HIGHLY infected laptop came into my possession that had Windows XP Professional SP2 PRE-INSTALLED, but upgraded to SP3 via MS updates into the system with NO EXTERNAL BACKUP Software-and-driver system install CD made, nor any backups for that matter. Unfortunately it came infected with an infection identifying itself as the "W32.Blaster.worm" - officially named the MSBlaster Worm (GOOD THING IT DID IT FOR ME! LOL) - which popped up as some random generic anti-spyware interface module, except without anything useful to clean with, and tabs that were basically just useless props, asking to buy the program to get everything cleaned off (you know the usual scam). It had locked the user out of ANY *.EXE's whatsoever on there: No Run command, no command prompt, no Regedit, not even the solitaire games. It was insane. Worse off, the owner started to panic as it proceeded to scan his system again and again, mimicking a normal anti-spyware, and started "turning up" very concerning, suggestive, and potentially compromising files associated with incriminating activity.....NOT that kind of user. I SWEAR! lol


    The Fix (for those with the same problem): (Don't need to read unless necessary)
    Now following procedure that I was given from prior infestations on my own system, I proceeded to first look for specialized removal tools for it, along with other usual anti-malware progs: all the usual anti-virus/-malware scanners, and sysinternals tools, autorun lockdowns, and WindowsBBS tools from my own prior infestation instructions (all updated of course). I found tools galore all over the web and downloaded them all to run just in case, including the discovery of a few new ones: rkill, appremover, TDSS, FreeFixer, McAfee Stinger, Norton Power Eraser, all awesome and lifesaving! :D I used my computer to download and transferred the corrective files via USB (complete with its own protection: NO AUTORUN, and USB WRITE PROTECT to prevent the virus from jumping ship). Lucky for me (and the worm's biggest self-defeating mistake, aside from revealing itself in the scan, and purposely blowing its own cover, which is curious... o.0) the worm allowed me continued access to windows explorer. I can still open folders like normal and dig around (AWESOME!!). I snuck the RKILL.EXE (renamed) counter-bug into the startup folder to deploy before the worm's bootup-lockdown procedures kicked in and ran most of the tools and specialty scanners/removers from Bleeping computer, Symantec virus removal chest, McAfee stinger, FreeFixer, etc. in safe mode (at least the ones that would allow me to unless specified otherwise from the progs themselves). I also found Malware removal manuals from Norton, and BleepingComputer has the list of associated files and associated registry keys with this specific bug, found and cleaned them out, and got it to boot normally. The bug is finally slain! YES! But then I proceeded to scan the computer for whatever other random infestations and bad files that could still be lingering, along with looking for bad system settings alterations. Aaaand the trouble grows deeper.....

    The Minor Warning: (Spybot Portable Scam)
    I don't currently have any anti-anything installed on the system while I'm using different programs to scan it. I UNFORTUNATELY installed a wrong version of Spybot S&D. So I think I made the problem worse. I INTENDED to use a portable version of the anti-spyware via USB to scan it. Then I found out it put so much **** into the registry with random URL addys and it evaded add/remove progs, Revo uninstaller, AND the appremover prog from uninstalling it. I looked it up and the internet confirmed several false scam-links perpetrating as Spybot S&D in both full and portable versions. I just happened to click on a bad link to one on "portableapps.com"! I NEARLY had a heart attack. I didn't trace the install at all, and I don't have REVO uninstaller pro. HOW THE HELL am I going to manually search the ENTIRE system for this to get it uninstalled? and then the registry???!! noooo, forget it.... Lucky for me somehow System Restore was turned back on somewhere in all the scanners running through (happy camper) so I reversed it back, and the problem LOOKS like it was fixed. I don't find any viewable access to that fake prog, but considering it was once installed, I'm assuming it's still sitting on the computer. Lesson learned: Find a good program or ritual and TRACE EVERY INSTALL!! Use RegUndo to help uninstall and reverse the effects if you have to. Plus, Reg backups before any installation whatsoever. It's measures that are lifesavers! I got lucky.


    Now The Questions:
    1. The progs I've tried to use are SAS, MBAM, and a fake SPYBOT. I'm throwing everything in the book at this computer, because I'm not sure if there are some files that some scanners will miss, that others will catch, to be sure it's thoroughly cleaned. But with each one, it keeps finding the same adware files and cleaning the same ones over again. I use Safe mode with networking so as to download all of the updates for each program on install before running its scanner. However considering I don't have any protection on it for concern of prog interference, anytime I connect to the internet without using the browser at all, is it STILL vulnerable to attacks and random malware installs while just being connected at all? And the only firewall enabled is the basic windows firewall with default settings, nothing's been altered. Is there any way I can configure the firewall and/or Network connections and ports to block all access to the internet and downloads EXCEPT to the server that the anti-malware prog is downloading updates from to avoid pointless reinfection?

    2. Before I did anything else, I thought it would be a good idea to make a system backup CD for him since laptops tend to have their own Vendor-Brand name Rescue and Recovery Programs. (I wish Desktops came with these!) And since this computer has Win XP pro as previously mentioned, there's also the ASR feature available. But first logically, I need to make sure that each file is windows validated as uncorrupted. So I researched SFC.exe and rerouted the Reg-key target to the DLL CACHE folder, and found out that if it keeps asking for the installation CD (which it does), that the DLL CACHE folder has ALSO been compromised. (which I think it has).
    A. Using SFC /purgecache - does it COMPLETELY wipe the entire folder and refill ("rebuild the library") it with confirmed copies of the system files already installed and in use on the computer automatically? Or does it ask for user confirmation to do so before it looks to refill it? In other words, can I throw it out since it's basically useless and kept empty until I can get a hold of another XP-Pro SP2 hardware disk? Will it let me do that and is it wise?
    B. If it can't complete the folder via the system components on file which could also be compromised, does it lock down the system until it gets the request fulfilled once it's empty? (pop ups galore asking for the disk for each file I mean? I've never needed to do this.)
    C. I found a thread concerning the discontinued support service on all versions Win-XP: http://www.windowsbbs.com/windows-xp/93479-end-support-windows-xp-sp2.html , which has a link to download Win-XP SP3 on ISO image. I looked up the Whitepaper and it's titled "WIN-XP PRofessional SP3". Can I download and use this as a replacement install hardware CD to reinstall the OS files back to normal and restore system stability? Or is this just a Service Pack upgrade? (I feel like this is a redundant question) Do I still need to get a hold of a XP PRO sp2/3 installation disk?
    D. And considering that it's already an SP3 upgrade, if I get a hold of an SP2 disk, do I need to uninstall the upgrade to do the system file reinstatement, or will the SP3 be compatible with the SP2 disk?
    E. Concerning making a System backup restore disk: Can I rely on the rescue and recovery software installed from the computer vendor, or do I need another specialized type of software to make a Recovery System re-install CD (different from a normal .BKF backup which can't technically be used to reinstall anything from scratch if it ends up wiped out right??) And does the ASR feature do that exact same function? (I've never used it, I have XP HOME on my system.) *unfortunately, this computer has never had any kind of backup made. But for future knowledge... :)
    F. I've tried getting the SFC command to output a text log file on what Files need to be replaced, but it just returned an empty file. I know you can find the results in Event viewer, but is there any way to get a logfile that's easier to analyze out of SFC command?
    G. Trying to make a backup System restore/install CD, does it do install backups of every single program you have currently installed on that system at the time of creation, including external third party programs downloaded from elsewhere, or does it just concentrate on Windows Verified and signed files? Do systems that come with OS's preinstalled get THE ENTIRE DISK backed up into the harddrive itself with every single file on an original OS disk as if you bought it right out of the box? Or is there a lot missed by having it pre-installed? Because I've examined my XP HOME disk, and there's a lot of hidden files on there. And will creating the backup System install CD on an infected system result in creating an INFECTED backup disk? Will it save the viruses as well, or is it only the .BKF backups that save viruses and 3rd party progs as it saves the entire system SETTINGS/configuration state? I think it'll only be an infected disk if it copies corrupted system files, which the system currently has, correct?


    3. If I continue with protocol to completely purge the computer based on the instructions given here from my malware problems, and set up a makeshift security suite, would it matter if the system files are compromised? And If I tried to do the Windows updates, would they be able to ID the corrupted files and replace them through the MS windows updates? or just append the Windows updates like normal and leave the corrupted system files untouched?

    4. Most importantly, If I do get the main install CD and get the system cleaned up, updated and protected, make all kinds of backups of all sorts, restore points etc., the DLL CACHE folder keeps copies of all sys files INCLUDING the Windows file and system updates right? Is it JUST the DLL CACHE folder that's used for backup copies or is it the I386 folder, or is the whole Windows directory with various locations used as a resource vault for backup copies?
    I need to know because I intend to keep backups of these folders consistently, but I need to know I'm going to get it all and not miss files that are in other locations. Furthermore, is it possible to completely lockdown these "cache folders" with restricted password access and/or write-protect so as not to risk getting these files/folders overwritten again by malware progs or even other legitimate progs? Or is it necessary to let legit progs have write-access to these? Will Restricted Password access prevent legit progs from accessing these system files to run? Basically What can I do to keep and protect these important folders/files from being overwritten by anything EXCEPT MS updates? And is there a way I can specify access to those particular folders from a specific website like MS without anything else getting through?

    Thank you so much for your support!! :D:D
     
  2. 2011/04/05
    PeteC

    PeteC SuperGeek Staff

    Joined:
    2002/05/10
    Messages:
    28,896
    Likes Received:
    389
    Before you do anything else head over to the Malware & Virus Removal forum .....

    Please read this as indicated at the head of the forum and post the logs requested in a new thread referencing this thread..
     

  4. 2011/04/05
    ravn87

    ravn87 Inactive Thread Starter

    Hi Pete!

    I was just going to follow the same instructions I was given from my malware infection. It's all basically minor stuff now, as I've already taken care of the BLASTER WORM. Nothing a few scan/removals can't deal with. At least I hope not. Right now I'm just facing corrupted System Files. And researching needed answers to some of these questions before I move forward with anything. But if you still insist on the scans, I'll post straight away. :)

    Questions Answered:
    - Is there any way I can configure the firewall and/or Network connections and ports to block all access to the internet and downloads EXCEPT to the server that the anti-malware prog is downloading updates from to avoid pointless reinfection?
    Basically, Internet connection control goes through the Firewall. So get a better one, hehe. You can block all incoming and outgoing traffic, and stipulate exceptions that can gain access for immediate needs. Like Updates. Otherwise, just pull the cord from the wall. Unless there's additional tips going amiss? :)
    - Can I download and use this as a replacement install hardware CD to reinstall the OS files back to normal and restore system stability? Or is this just a Service Pack upgrade? (I feel like this is a redundant question) Do I still need to get a hold of a XP PRO sp2/3 installation disk?
    I wouldn't think you can as it would be like putting the entire WINDOWS OS up for free download and make making revenue off its sales completely pointless. So I think it answers itself. It can't be used, can it? It can be PARTIALLY used, at least what's available in that file to refreshen the SP3 upgrade but not other sys files, right?


    Questions Remaining:

    1. The progs I've tried to use are SAS, MBAM, and a fake SPYBOT. I'm throwing everything in the book at this computer, because I'm not sure if there are some files that some scanners will miss, that others will catch, to be sure it's thoroughly cleaned. But with each one, it keeps finding the same adware files and cleaning the same ones over again. I use Safe mode with networking so as to download all of the updates for each program on install before running its scanner. However considering I don't have any protection on it for concern of prog interference, anytime I connect to the internet without using the browser at all, is it STILL vulnerable to attacks and random malware installs while just being connected at all? And the only firewall enabled is the basic windows firewall with default settings, nothing's been altered.

    2. Before I did anything else, I thought it would be a good idea to make a system backup CD for him since laptops tend to have their own Vendor-Brand name Rescue and Recovery Programs. (I wish Desktops came with these!) And since this computer has Win XP pro as previously mentioned, there's also the ASR feature available. But first logically, I need to make sure that each file is windows validated as uncorrupted. So I researched SFC.exe and rerouted the Reg-key target to the DLL CACHE folder, and found out that if it keeps asking for the installation CD (which it does), that the DLL CACHE folder has ALSO been compromised. (which I think it has).
    A. Using SFC /purgecache - does it COMPLETELY wipe the entire folder and refill ("rebuild the library") it with confirmed copies of the system files already installed and in use on the computer automatically? Or does it ask for user confirmation to do so before it looks to refill it? In other words, can I throw it out since it's basically useless and kept empty until I can get a hold of another XP-Pro SP2 hardware disk? Will it let me do that and is it wise?

    B. If it can't complete the folder via the system components on file which could also be compromised, does it lock down the system until it gets the request fulfilled once it's empty? (pop ups galore asking for the disk for each file I mean? I've never needed to do this.)

    C. I found a thread concerning the discontinued support service on all versions Win-XP: End of Support for Windows XP SP2, which has a link to download Win-XP SP3 on ISO image. I looked up the Whitepaper and it's titled "WIN-XP PRofessional SP3".

    D. And considering that it's already an SP3 upgrade, if I get a hold of an SP2 disk, do I need to uninstall the upgrade to do the system file reinstatement, or will the SP3 be compatible with the SP2 disk?

    E. Concerning making a System backup restore disk: Can I rely on the rescue and recovery software installed from the computer vendor, or do I need another specialized type of software to make a Recovery System re-install CD (different from a normal .BKF backup which can't technically be used to reinstall anything from scratch if it ends up wiped out right??) And does the ASR feature do that exact same function?
    (I've never used it, I have XP HOME on my system.) *unfortunately, this computer has never had any kind of backup made. But for future knowledge...
    F. I've tried getting the SFC command to output a text log file on what Files need to be replaced, but it just returned an empty file. I know you can find the results in Event viewer, but is there any way to get a logfile that's easier to analyze out of SFC command?

    G. Trying to make a backup System restore/install CD, does it do install backups of every single program you have currently installed on that system at the time of creation, including external third party programs downloaded from elsewhere, or does it just concentrate on Windows Verified and signed files? Do systems that come with OS's preinstalled get THE ENTIRE DISK backed up into the harddrive itself with every single file on an original OS disk as if you bought it right out of the box? Or is there a lot missed by having it pre-installed? Because I've examined my XP HOME disk, and there's a lot of hidden files on there. And will creating the backup System install CD on an infected system result in creating an INFECTED backup disk? Will it save the viruses as well, or is it only the .BKF backups that save viruses and 3rd party progs as it saves the entire system SETTINGS/configuration state? I think it'll only be an infected disk if it copies corrupted system files, which the system currently has, correct?

    3. If I continue with protocol to completely purge the computer based on the instructions given here from my malware problems, and set up a makeshift security suite, would it matter if the system files are compromised? And If I tried to do the Windows updates, would they be able to ID the corrupted files and replace them through the MS windows updates? or just append the Windows updates like normal and leave the corrupted system files untouched?


    4. Most importantly, If I do get the main install CD and get the system cleaned up, updated and protected, make all kinds of backups of all sorts, restore points etc., the DLL CACHE folder keeps copies of all sys files INCLUDING the Windows file and system updates right? Is it JUST the DLL CACHE folder that's used for backup copies or is it the I386 folder, or is the whole Windows directory with various locations used as a resource vault for backup copies? I need to know because I intend to keep backups of these folders consistently, but I need to know I'm going to get it all and not miss files that are in other locations. Furthermore, is it possible to completely lockdown these "cache folders" with restricted password access and/or write-protect so as not to risk getting these files/folders overwritten again by malware progs or even other legitimate progs? Or is it necessary to let legit progs have write-access to these? Will Restricted Password access prevent legit progs from accessing these system files to run? Basically What can I do to keep and protect these important folders/files from being overwritten by anything EXCEPT MS updates? And is there a way I can specify access to those particular folders from a specific website like MS without anything else getting through?
     
  5. 2011/04/05
    PeteC

    PeteC SuperGeek Staff

    I would advise you to post the scans as requested - removal of some malware involves more than just running a few simple scans and our Malware analyst has sophisticated tools at his disposal which should only be used under his supervision as each infected computer is different.

    Re. System file corruption - are you sure there is corruption? You have several options ....

    Run System File Checker for which you will need an installation CD at the same Service Pack level as the installed OS. If yours is not you will need to slipstream the Service Pack into your CD .....

    Slipstreaming Windows XP Service Pack 2 and Create Bootable CD

    Slipstreaming Windows XP Service Pack 3 and Create Bootable CD

    a link for the download is in the article and you require a retail, not OEM XP installation CD.

    Get your system files up to speed before doing anything else

    Rather than try to configure the Windows firewall, which in early versions of XP gave inbound protection only, use a good freebie such as Comodo - firewall only.

    Install a good av - Microsoft Security Essentials is highly recommended and includes anti spyware.

    There is free imaging software available - all it needs is a Google - I use Acronis which is not free. Imaging software creates an image of the entire partition/drive. Forget ASR which needs a floppy drive to function - it works, but is not to be recommended.

    If you have an image to fall back on that is all you need given that you keep it up to date - I image my C:\ drive weekly.

    The .DLL cache is the backup for your OS .dll files - there is absolutely no need to back up the cache - your image will do that anyway. I think you are a little paranoid over some issues :)

    Good av + good firewall + sensible surfing and you are as safe as you can be - I have not had any issues with malware of any type in 18+ years of computing :)

    And the bottom line is - check your hard drive using the drive manufacturer's disk diagnostic software (DOS version from a bootable CD). Your computer is no longer a spring chicken and a check is advisable .....

    Disk Diagnostic Software ....

    ExcelStore

    Hitachi/IBM

    Samsung

    Seagate, Maxtor, Quantum

    Western Digital

    Toshiba
     
  6. 2011/04/09
    ravn87

    ravn87 Inactive Thread Starter

    HI pete... you win. This computer isn't cooperating. hehe. I'm sorry I took so long to post. I didn't abandon. :) I'm gonna post to Broni but I'm trying to get all the scans together first, and it's giving me a really rough start. Most everything I've done is in Safe Mode w/ networking unless required otherwise.

     
  7. 2011/04/09
    ravn87

    ravn87 Inactive Thread Starter

    The xp-pro sp1 .bkf I speak of is mine. I had it at one point installed on my computer before my legitimate copy of XP home sp2 that I have now got installed. I used to make a ton of .BKF's when my computer came back from getting freshly fixed. But it never crossed my mind to do a boot install CD.
     
  8. 2011/04/09
    PeteC

    PeteC SuperGeek Staff

    The search for knowledge is highly commendable, but don't assume that members of the BBS know 'everything' - we rely on Google as no doubt you do as a source of information, etc.
    Not exactly - if you look at My System you will see that I have 4 internal hard drives; these are divided into 17 partitions - effectively 17 drives. I use Acronis to image my C:\ drive incrementally to another internal hard drive on a weekly schedule - that image is backed up weekly to 2 external hard drives. I do not burn ISO - not necessary. In addition I run Windows 7 backup to create a system image to another internal hard drive on a weekly basis. All my other data is backed up to other internal hard drives either hourly, daily or weekly and to an external drive weekly. At any one time I have 3 copies of all my important data on independent drives.
    Forget any thought of installing 7 Home Basic - it is useless :) - see our article ....

    Windows 7: Which Edition Should You Choose?
    Get a clean bill of health for the computer first. You cannot download a copy of XP legitimately from anywhere - even MS has dumped it. However you can make a Repair install using a borrowed install CD of the same version and at the same Service Pack level as the installed OS using the original COA. You may need to slipstream SP3 into the install CD .....

    Slipstreaming Windows XP Service Pack 3 and Create Bootable CD
    Any update or patch which includes .dll files will place those files in the cache and the system. Thus when running SFC this must be done with an install CD at the same SP level as the installed OS. The CD is requested if the .dll cache file is corrupted or not present in the cache - that's my understanding.
     
  9. 2011/04/09
    ravn87

    ravn87 Inactive Thread Starter

    HI Pete. I'm sorry, I do bombard this site a lot. My whole strategy is to post all the questions that I have, in addition to looking for the answers on my own. That way, there's a chance for me to find somebody that could understand the answer better than I can to reply to however many they can. I usually get a few people that contribute while just randomly browsing through these threads looking for other answers. I figured with that kind of traffic, I may strike some luck. I don't expect to get them ALL answered, but maybe a few, while I research in the mean time. Then to be fair, once it's found, to post those answers back here for anybody else that needs them. It's publicly available. :)

    So I'm looking through the windows 7 table you posted, and I noticed that on the RAM requirements, it states home premium needs a max RAM of 16 gb for 64-bit computers? Now whenever I browse the specs at bestbuy, most new computers are 64-bit but only come stock with 4-8 gigs of RAM, and WIN-7 Home Premium, w/ maybe a couple with multiple cores, and different speed processors. Does that mean those computers are actually RAM deficient for that OS? Or would a multi-core and fast processor offset the lack of RAM space since it'll execute commands that much faster, and decrease the likelihood of circumstances for the need of MAX RAM? Or are there other reasons for an OS to need max RAM that's unavoidable by a fast processor with multiple cores? Also, on one system, the HP PAVILION ELITE, we noticed a spec that said 512 MB of RESERVED RAM out of 8 GB of RAM. What is that for?

    I was planning to upgrade the 8 gig's of RAM to 16 assuming that would be twice the sufficiency needed to run just the OS alone. Is that now just basically the fair minimum I would be installing? I wasn't aware you could install anything over 16 gigs. I'm trying to go for surplus RAM, and speed.

    ---

    Ok so basically, on a normal users computer, partition at least 2 other drive sections - one for data and one for backup - you use ACRONIS to append to the internal daily, and WIN 7 backup to save the final load to the EXTERNAL drive weekly. GOT it. I'm still comparing image software.
     
  10. 2011/04/09
    ravn87

    ravn87 Inactive Thread Starter

    problem update:

    Still no access to the XP pro disk. I was advised to just give it back to him and let him take it to the technicians at his work to see what they can do for him. But that's just me basically handing it back and leaving it up to him, which he may never take it in, and just start using it again like normal. It's why I asked what the fall-out would be if it's just virally cleaned, but not repatched. I even want to setup all the security "suites for him" - sandboxie browser, spyware blaster, spybot S&D (the correct legit version :p), adaware, Avira, Threat fire, Zone Alarm or Comodo firewall, SAS and MBAM, turn on auto win updates, you know the usual suspects. But will that guarantee him security even if it's unrestored? I'm gonna do a .BKF of his system after all of that, but should I even bother doing a boot install disk for him if the files are still corrupt?

    I'm still virally cleansing with BRONI.

    Still researching rescue boot disks, and customizing your own.
     
  11. 2011/04/10
    PeteC

    PeteC SuperGeek Staff

    You have misinterpreted the information given - 16 Gb is the maximum amount of RAM that Home Premium x64 will support not the minimum required to operate. Likewise Pro, Ultimate & Enterprise will support a maximum of 192 Gb. The stated minima are given here and in terms of RAM the minima should be doubled for reasonable performance .....

    Windows 7 system requirements

    For 32 bit systems the maximum RAM recognised is ~3.3 - 3.5 GB even though 4 Gb or more is installed - this is a limitation of the 32 bit system.

    Another point to bear in mind is that most programs are 32 bit and the RAM limitation applies to them too - with slight variations. Example .....

    Photoshop CS5 - on my computer with 12 Gb RAM - the 32 bit version sees only 3255 Gb RAM available to Photoshop whereas the 64 bit version sees 10958 Gb RAM available to Photoshop. The 64 bit version runs much faster, but requires 64 bit plug ins which are either not available or I have only the 32 bit versions.
    Almost certainly for the onboard graphics.

    Surplus/unused RAM is wasted RAM - check out RAM usage in Task Manager. Additional RAM is only beneficial if it is/can be used by the programs.
    Re-read what I posted .....

    I use both Acronis and Windows Backup to create incremental images of the C:\ drive which incidentally contains no regular data, not even emails in Outlook. I use 3rd party software - SynchbackSE to update the data backups on other internal drives and to an external drive on the basis I outlined.
     
  12. 2011/04/10
    PeteC

    PeteC SuperGeek Staff

    Re. update .....

    You must sort out the corrupted files - the computer will not function correctly otherwise and it must be updated to SP3 and all subsequent patches, etc.
    That is overkill - Spybot is considered to be past its sell-by date as is AdAware - I am not familiar with Threat Fire and Zone Alarm is best avoided IMHO - it causes too many problems.

    All you basically need is Microsoft Security Essentials for antivirus and antispyware, Comodo Firewall and Mbam to be run manually once a week after updating. I would also install WOT which will advise on the security/trustworthiness, etc. of websites.
     
  13. 2011/04/11
    ravn87

    ravn87 Inactive Thread Starter

    Joined:
    2010/03/10
    Messages:
    85
    Likes Received:
    0
    The Initial Plan:
    ---------------
    COMODO - Firewall
    AVIRA or MSE - Anti-virus
    MBAM / SAS - malware scanners
    Spybot S&D + tools - Side Malware defense
    Spyware Blaster + webguard - Main Malware defense + browser defense
    WOT - Web detect
    Sandboxie - guarded browser
    Adaware or pop-up blocker - pop up blocker
    Win updates - system patcher
    THREATFIRE or Winpatrol or Windows Defense - HIPS
    Spyware terminator tools - System Defense

    I read somewhere (can't remember where) it was smart to have at least a main defense and a side backup defense, hence the two malware detectors. Spyware Blaster has a browser guard, which used in combo with WOT & Adaware or maybe just a regular popup blocker, and sandboxie via Firefox should be Fort Knox, and threatfire and winpatrol are both HIPS defense (need only one). I actually might skip on the HIPS, I heard it makes your techie life a complete nightmare.

    ---

    So spybot and Ad-aware AREN'T as reliable as formerly trusted to be? If that's the case, maybe it is a good idea to install the backup scanners.

    I don't mean activate them ALL with real-time shields, it'll bury the poor guy in pop-ups. But just use one for real-time protection, and the other for tools, and scans. Been down that road before. It was a nightmare. Then again, I made the mistake of fencing off the whole WINDOWS folder with Spyware Terminator's "System Guard" and the pop-up marathon was excruciating. I was a wee beginner then at that time. I thought I was really protecting my system. I really wish somebody would write a mega-installer program that sorts through the active x's and taps into ALL the security software on your system so when you try and install something, it could easily just add the prog components on all the white lists, and bypass the pop-ups altogether as "this program is voluntary and safe." Then again, I sincerely wish even more they would write a Security prog system scanner that would scan all the other progs and system state/settings your system currently has on it and add it to each white list so it knows what's safe and what's not, and be updated with windows updates, and WFP/SFC scans and replacements. Plus save ALL of that to a few simple .ini's and EVERYBODY's life would be a heck of a lot easier. I wouldn't care if I had to pay for that. It would be freakin' worth it! If you're good at writing code, write one will ya? lol. I'm still practicing code to work CMD.

    ---

    Thank you for clearing up the RAM confusion. This computer is being shared with other members of the family, so we're trying to get our facts straight before we decide. We want to amp up our new system as best as we can to accommodate at least a few of the future advancements and upgrades to come so we're not blowing through computers every couple of years. Plus I'm updating the owner of the current "oldie" I'm trying to fix. I've got him shopping around for a new system as well. Might as well, if this thing is gonna be this much trouble. No way is this old IBM geezer going to handle windows 7 though.

    ---

    Update: so far the scans are mostly coming out clean, according to BRONI. A few glitches here and there, but nothing major. I'm pretty sure it's through the rough patch for now. It's about as good as it's going to get, for as much as I can do for it w/ what's available. At this point, patch it up with a **** load of bandage tape and send it off. Without a disk, what else is there to do? The owner informed me he found somebody that DOES have the disk, however, he wants to completely wipe out the system, and do a fresh install. I told him the dilemma in that: one, it'll undermine all the security I'll have set up for him (as of now, none yet), two, it'll erase all the computer settings he's used to (easy fix, do a backup), three, you have to repartition the disks which I doubt they know how to do correctly, four it takes forever, and most importantly FIVE: it'll erase the trace of legit Windows pre-installed that he has the Product key for, making his new copy of windows illegitimate and therefore impossible to update or connect with any perks given from MS through the WGA. So it's a bad idea to do a complete win-install. I told him to consider a repair install....but I'm not sure that's even right. I've only done it with my disk, but my disk is the genuine upgrade disk we bought when XP first dropped. SOOOOOO.....I dunno. That's the best and worst case scenarios at the moment. After 2 weeks of work on this puppy, I think it's best to just call it as is, set up the security progs, make a .BKF of system state, MAYBE still do a boot disk in case the other guy's "repair" goes awry, and just send it on its way. We did our best.

    THANK YOU, PETE for staying with me on this. I highly appreciate it again sir. All the info your expertise enlightened me with does a number. This can get crazy, but I actually enjoy learning this stuff, when it wants to cooperate. lol

    Don't close this thread yet. I did say I was going to update on ALL the millions of questions I had, and what answers I've dug up so far. For future reference. ;)

    ----

    PROBLEM: Blaster Worm infection, aftermath clean up, system file corruption

    SOLUTION: computer setup questions and info obtained, security progs to be set up, back ups, back ups, back ups, Viral cleansing with Broni, sys-file repair w/ disk.
     
