Posted 06 November 2009 - 03:45 AM
rootkits - My Documents for administrator & other users changed into files marked as archives
Windows XP Media Center Edition 2005 - SP3, standard HP 7570n tower
Was helping my dad's cousin out with his computer; seemed like a fairly regular malware removal.
- Safe mode BSOD 7b
- chkdsk /r, makes some changes
- Boot into normal XP, can't execute anything, desktop icons covered up/disabled, Explorer worked. Damaged Avast install (Avast says that; had attempted to remove something before it got to me).
- Boot WinPE, remove some obvious infections in C:\Program Files, temps, etc., reboot. Now have desktop icons, can execute Autoruns/msconfig, clean out startup items/services/etc.
- Reboot, starts up much better. Downloaded ComboFix, start that, running, picks up a rootkit, reboots, BSOD.
- Go back and replace the files it removed using the WinPE disc; didn't remove any registry stuff so I didn't add any of that back.
- BSOD 7e in safe mode, normal, recovery console.
- WinPE disc, remove some obvious infections, run Malwarebytes and Kaspersky AV over the drive. Removes portions of Vundo, a few trojans, & 2 or 3 rootkits.
- Now BSOD 7e; recovery console off the system does the same.
- Frustrated, I force an attempted System Restore back to around the end of October (stupid).
- Boot XP disc, doesn't detect HDD due to disc not having the RAID driver; HP's site doesn't have it. Switch SATA from RAID to IDE hoping.
- Boot XP disc, detects HDD. Recovery console picks up the HP recovery partition installs, doesn't see the MCE install.
- Repair install with XP MCE 05 not picking up; XP disc's recovery console doesn't see the actual OS installation to do a repair.
- Try fixboot to get the install to show up for a repair install, no luck (wrong version of discs possible; using MCE 2005 media, sticker says MCE 2005).
- No luck; sacrifice goat, boot.
- Same thing, 7e BSOD or a message saying "system needs to load dlls" - new one for me at least.
I realize the system is probably both virus-free and toasted right now; my issue has become more what happened to the data in My Documents; this might not be the right forum for this also.
At this point I realize I'm going to wipe the system (time), so I go back and look to back up the My Documents (I should have originally, along with an image of the whole system, I know!), but thinking back I don't remember anything being in his My Docs when I got his desktop back. Looking in the Documents and Settings folder I find Local Service, Network Service, Administrator, HP_Administrator have been turned into extensionless files and marked as archived.
Also looking for some clarification as to whether the System Restore, or the virus, or hard disk (chkdsk did some rearranging) stupidity, or my own did this.
I poked around with TestDisk/PhotoRec, Recuva, and GetDataBack a little, to no real luck.