I’m looking for some advice on dealing with some after-effects of a malware attack that I have been able to rectify using the tools and techniques from the good folks on this site. Don’t worry, I won’t post any HijackThis etc. logs; I have a clue about what I’m doing, but would like an opinion on the best way to proceed. I am running Win XP Pro SP3.
First of all, I do run a slate of anti-virus programs, so it is very unusual for me to get a problem, but some sneaky thing did somehow get through. It showed no signs of immediate infection, but it did latch onto my boot routine. I normally put my machine on standby, so it is possible that I was infected for quite some time before the gremlin was activated.
Before I did the reboot, I cloned my C drive to my D drive, so I have a perfect snapshot of my system before infection. The infection appears to be of the rogue type that deletes files in various applications, including anti-virus software, though they don’t appear to be renamed or put into temp folders like some I have read about here. It also completely mucked up my user profile. I was soon able to figure out which program files had been hit, plus a whack of DLLs missing from the \windows\system32 folder.
I was able to sync the affected folders from my D drive and recovered around 1500 files, then scrubbed the system using tools recommended on this website. All went well and I am satisfied that the infection has been purged. I figured I would run the system for a while and see if I missed anything or if there were any other problems. Everything has been fine, with two exceptions. I am no longer able to perform any Windows updates. They run for a while, then hang and finally simply say “Some updates could not be installed”. I am also unable to print anything to my network printer. I tried stopping and restarting the spooler, then I tried to reinstall the drivers; I was able to uninstall, but the reinstall blew up with an unhelpful error message.
Evidently some Windows configuration files and/or the registry have been compromised. At this point I see two avenues of attack. First, I could try doing an XP repair install. I’m somewhat reluctant; I haven’t done one of those in many years, and I’m afraid that if it fails it might leave my system unusable. Perhaps I’m being unduly pessimistic.
The other option is to back up my data to a stick, purge the malware from my mirror D drive, swap drives, reboot, restore my data, and in theory I should be exactly where I left off; even my user profile should be faithfully restored. The problem is that if I have unsuccessfully removed the malware, then the moment I reboot it will again trash my files, and this time I will have lost my good backup forever. I have no idea if booting in safe mode would make a difference or not.
Which of these approaches do you prefer, or perhaps you have a third way that I haven’t thought of?
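The post describes recovering about 1500 files by syncing affected folders from the pre-infection clone, then finding that Windows Update and the print spooler still fail. Before choosing between a repair install and a drive swap, it is worth knowing exactly what still differs between the live system and the clone. The script below is an added example, not code from the original poster; it compares a live directory tree against the same tree on the clone and reports files that are missing, modified, or newly present on the live side. The default paths (C:\WINDOWS\system32 on the live drive, D:\WINDOWS\system32 on the clone) and the report location are assumptions. It avoids Get-FileHash and the -File switch so that it runs on PowerShell 2.0, which is what Windows XP SP3 can install.

```powershell
# Added example (not from the original post): diff a live Windows tree against the
# pre-infection clone to list files the infection removed or altered.
# Default paths are assumptions; adjust them to the actual drive letters.
param(
    [string]$Live   = 'C:\WINDOWS\system32',
    [string]$Clone  = 'D:\WINDOWS\system32',
    [string]$Report = "$env:USERPROFILE\Desktop\system32-diff.csv"
)

# SHA-256 via .NET so this works on PowerShell 2.0 (no Get-FileHash on XP).
# Share mode ReadWrite lets us hash files other processes hold open.
function Get-Sha256([string]$Path) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::Open($Path, 'Open', 'Read', 'ReadWrite')
    try     { return [BitConverter]::ToString($sha.ComputeHash($fs)).Replace('-', '') }
    finally { $fs.Close(); $sha.Clear() }
}

# Map lower-cased relative path -> full path for every file under a root
# (PS 2.0 has no -File switch, so filter on PSIsContainer).
function Get-FileMap([string]$Root) {
    $map    = @{}
    $prefix = $Root.TrimEnd('\') + '\'
    Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object { $map[$_.FullName.Substring($prefix.Length).ToLower()] = $_.FullName }
    return $map
}

function Add-Result([string]$File, [string]$Status) {
    $script:results += New-Object PSObject -Property @{ File = $File; Status = $Status }
}

$liveMap  = Get-FileMap $Live
$cloneMap = Get-FileMap $Clone
$results  = @()

# Everything on the clone is the known-good reference: missing or changed on live is suspect.
foreach ($rel in $cloneMap.Keys) {
    if (-not $liveMap.ContainsKey($rel)) { Add-Result $rel 'MISSING_ON_LIVE'; continue }
    try {
        if ((Get-Sha256 $cloneMap[$rel]) -ne (Get-Sha256 $liveMap[$rel])) { Add-Result $rel 'MODIFIED' }
    } catch {
        Add-Result $rel 'UNREADABLE'   # locked or permission-denied; inspect by hand
    }
}

# Files present only on the live side are where dropped malware components would show up.
foreach ($rel in $liveMap.Keys) {
    if (-not $cloneMap.ContainsKey($rel)) { Add-Result $rel 'NEW_ON_LIVE' }
}

$results | Sort-Object Status, File | Export-Csv -NoTypeInformation -Path $Report
$results | Group-Object Status | Select-Object Name, Count
Write-Host "Full report written to $Report"
```

Run it from an elevated PowerShell prompt on the live system with the clone mounted as D:. A MODIFIED entry is not automatically malware: any hotfix or driver installed between taking the clone and now would differ legitimately, so check dates and signatures before restoring over it. The MISSING_ON_LIVE list is the one to read first for the two symptoms described, since the spooler service (spoolsv.exe and the print-processor DLLs) and the Windows Update engine both live under system32 and a single absent DLL is enough to make a service fail with an unhelpful error. Running the same comparison over \windows\system32\drivers and \windows\inf catches the printer driver files the reinstall would need.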