Recovery from Virus Infection

J. Lynn

My Anti Virus program notified that it had detected 8 viruses and
quarantined them. Then a box popped up on my screen which said: “Files
that are required for Windows to run properly have been replaced by
unrecognized versions. To maintain system stability, windows must restore
the original versions of these files. Insert your Windows XP Home Edition
Service Pack 3 CD now.”



I ran a virus scan and identified the 8 viruses and deleted them. I also
restored my system to an earlier day. My problem now is that I do not have
a Service Pack 3 CD, since I downloaded SP3 from the Microsoft site. I have
tried my SP2 CD and my original XP Operating System CD and neither work.
After I restarted my computer, the box requesting the SP3 CD had
disappeared. What should I do next?



Any help is appreciated.

J. Lynn
 
David H. Lipman

From: "J. Lynn" <[email protected]>

| My Anti Virus program notified that it had detected 8 viruses and
| quarantined them. Then a box popped up on my screen which said: “Files
| that are required for Windows to run properly have been replaced by
| unrecognized versions. To maintain system stability, windows must restore
| the original versions of these files. Insert your Windows XP Home Edition
| Service Pack 3 CD now.”



| I ran a virus scan and identified the 8 viruses and deleted them. I also
| restored my system to an earlier day. My problem now is that I do not have
| a Service Pack 3 CD, since I downloaded SP3 from the Microsoft site. I have
| tried my SP2 CD and my original XP Operating System CD and neither work.
| After I restarted my computer, the box requesting the SP3 CD had
| disappeared. What should I do next?



| Any help is appreciated.

| J. Lynn

I STRONGLY DOUBT you had "8 viruses". Malware in the form of trojans yes, but not
viruses.

Copy the i386 folder from the Windows SP2 CD to the root of C: such as c:\i386

Download the administrators WinXP SP3 EXE file
http://www.microsoft.com/downloads/...A8-5E76-401F-BE08-1E1555D4F3D4&displaylang=en

Rename the EXE file to; WinXP-SP3.exe

Run the following command line which will slipstream the C:\i386 folder to SP3 level...

WinXP-SP3.exe -u -s:c:\

Run; REGEDIT.EXE

go to...

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup

find; SourcePath

set; SourcePath to be; C:\

When the OS next determines "windows must restore the original versions of these files..."
it will find them in; c:\i386 and will NOT need to prompt you for the CD.
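
David's three steps as a single cmd batch file with existence checks, added here as an example and not part of the original post. It assumes the CD drive is D: and that the renamed WinXP-SP3.exe sits in the same folder as the script; run it from an administrator account.

```batch
@echo off
rem Added example, not from the thread. Assumed: CD drive letter D:, and
rem WinXP-SP3.exe (the renamed SP3 package) sitting next to this script.
setlocal
set "CDROM=D:"
set "SP3=%~dp0WinXP-SP3.exe"
set "KEY=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup"

rem Step 1: the installation CD (not the service-pack-only CD) carries \i386.
if exist C:\i386\ goto slipstream
if not exist "%CDROM%\i386\" (
    echo No i386 folder on %CDROM% - this is not the XP installation CD.
    exit /b 1
)
xcopy "%CDROM%\i386" C:\i386 /E /I /H /Y
if errorlevel 1 (
    echo Copy of i386 failed.
    exit /b 1
)

:slipstream
rem Step 2: bring C:\i386 to SP3 level, using the switches quoted in the post.
if not exist "%SP3%" (
    echo %SP3% not found.
    exit /b 1
)
start /wait "" "%SP3%" -u -s:c:\
if errorlevel 1 (
    echo Slipstream returned an error; SourcePath left unchanged.
    exit /b 1
)

rem Step 3: show the old SourcePath, then point it at C:\ (parent of i386).
echo Previous value:
reg query "%KEY%" /v SourcePath
reg add "%KEY%" /v SourcePath /t REG_SZ /d C:\ /f
if errorlevel 1 (
    echo Could not write SourcePath - run from an administrator account.
    exit /b 1
)
echo New value:
reg query "%KEY%" /v SourcePath
endlocal
```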
 
Leonard Grey

David's advice is good. I'm only presenting a different point of
view...just my opinion.

If my computer had 8 separate malware infections, I would probably not
try to remove them. That's a seriously compromised computer, and it's
possible that it will never be completely right again. Instead, I would
copy my user files and then erase my hard disk and start fresh. Of
course, it's easy for me to say that because I backup my system
partition daily (sometimes more often than that) so I can easily restore
a good backup.

Just one more reason to recommend regular backups.
 
Ken Blake, MVP

Leonard Grey said:
David's advice is good. I'm only presenting a different point of
view...just my opinion.

If my computer had 8 separate malware infections, I would probably not
try to remove them. That's a seriously compromised computer, and it's
possible that it will never be completely right again. Instead, I would
copy my user files and then erase my hard disk and start fresh.


J. Lynn, I strongly agree with Leonard's advice here.

Despite what many people think, the effect of malware is not
necessarily simply present until the malware is removed. Lots of
malware (viruses in particular) can do severe damage to your system
that can never be repaired. Sometimes the only solution is
reinstallation of Windows, and that's especially likely when there are
so many infections.
 
J. Lynn

Thanks for the help David and others. I inserted the Windows XP Home
Edition SP2 CD into the drive and it wants to "install", I presume the
entire SP2. How do I find the i386 folder to copy it? Sorry to be so
dense, but this is way above my knowledge base.
J. Lynn
 
Daave

Start | Search | All files and folders

All or part of the file name:
i386

Look in:
CD or DVD Drive

Search.

Or just use Windows Explorer. You'll find it eventually. :)
 
Serge

J. Lynn said:
My Anti Virus program notified that it had detected 8 viruses and
quarantined them. Then a box popped up on my screen which said: “Files
that are required for Windows to run properly have been replaced by
unrecognized versions. To maintain system stability, windows must restore
the original versions of these files. Insert your Windows XP Home Edition
Service Pack 3 CD now.”



I ran a virus scan and identified the 8 viruses and deleted them. I also
restored my system to an earlier day. My problem now is that I do not have
a Service Pack 3 CD, since I downloaded SP3 from the Microsoft site. I have
tried my SP2 CD and my original XP Operating System CD and neither work.
After I restarted my computer, the box requesting the SP3 CD had
disappeared. What should I do next?



Any help is appreciated.

J. Lynn

Are you using CA Anti-Virus by any chance? If yes, have a look at their
forum. You might have taken action too swiftly. I had the same problem. I
contacted Computer Associates by phone and was advised that they will have
an update to solve the problem in the next 24 hours.

Serge
 
David H. Lipman

From: "J. Lynn" <[email protected]>

| Thanks for the help David and others. I inserted the Windows XP Home
| Edition SP2 CD into the drive and it wants to "install", I presume the
| entire SP2. How do I find the i386 folder to copy it? Sorry to be so
| dense, but this is way above my knowledge base.
| J. Lynn

Browse the disk with Explorer just like you would browse any media.
 
Slider76

Ok, I have downloaded the administrators file
(WindowsXP-KB936929-SP3-x86-ENU.exe) to my computer. It is showing as a
self-extracting cab file. Do I rename it now or after the file self-extracts?
 
Slider76

Yes, I am in the same boat running CA. Unfortunately, I was overzealous and
deleted my quarantined files. Now attempting to restore as per David's advice
above.
 
Serge

Slider76 said:
Yes, I am in the same boat running CA. Unfortunately, I was overzealous and
deleted my quarantined files. Now attempting to restore as per David's advice
above.

I did not do anything rash as my computer seemed to be running normally.
This morning CA was updated and I restored the files.

Now I am keeping my fingers crossed.

Good Luck!

Serge
 
db

well, the main problem
you should worry about
before proceeding is:

how did the infections
get past your anti virus
protection?

the point of anti virus
programs is to prevent
infection.

however, once the computer
becomes infected and
corrupts those system files
it was intended for,

then it is too late.

another point is that I have
never heard of "windows
telling its user that it needs
a system restore point
initiated"

so this is likely more
evidence that your system
is still contaminated and
wants to trick you into
doing something,

perhaps so it can contaminate
your restore points with dormant
infections.

so what should you do now?

if the infection is that severe,
I would consider a disk format
and a re-installation of the o.s.

I don't think that installing and
using a different a.v. at this
time is reasonable "because"

you likely have corrupted system
files that can only be restored
with genuine ones from the cd.

you should begin moving all
your personal data/files off
the disk to prevent them from
being wiped out with the format.

and don't put them back onto
the disk, until you have a good
anti virus in place and it has
scanned your disk "because"
the infection may travel with
your personal data/files, including
pics and music files.

--

db·´¯`·...¸><)))º>
DatabaseBen, Retired Professional
- Systems Analyst
- Database Developer
- Accountancy
- Veteran of the Armed Forces
- Microsoft Partner
- @hotmail.com
~~~~~~~~~~"share the nirvana" - dbZen
 
David H. Lipman

From: "Slider76" <[email protected]>

| Ok, I have downloaded the administrators file
| (WindowsXP-KB936929-SP3-x86-ENU.exe) to my computer. It is showing as a
| self-extracting cab file. Do I rename it now or after the file self-extracts?

Rename it as my directions stated.
 
Scary Kitty

I followed these instructions exactly. According to the search results, there
is NO i386 folder on my SP2 CD. And yes, the CD is legit, I got it direct
from Microsoft.

Will someone please take pity on me and give me precisely detailed
instructions for how to find this thing? Like J. Lynn, this is way above my
knowledge base, and I'm on the verge of tears trying to figure this out so I
can get the files restored to my mom's laptop.

Help!
 
Daave

Scary Kitty, it is always best to start your *own* thread for best
results. Piggybacking on (or as others say, "hijacking") someone else's
thread tends to cause confusion and will not maximize your chances of
getting a useful solution.

That being said, it seems to me you are confusing the Windows XP
installation CD (that happens to contain SP2) with a CD consisting
*only* of Service Pack 2.

Furthermore, are you experiencing the same problem so many others have
seen regarding the CA Antivirus program detecting false positives and
causing legit Windows files to be quarantined? See:

http://news.cnet.com/8301-1009_3-10283199-83.html

http://homeofficeforum.ca.com/homeofficeforum/showthread.php?t=4881

http://homeofficeforum.ca.com/homeofficeforum/showthread.php?t=4831

If so, hopefully you didn't delete the quarantined files. Simply update
the signature file to 6066 or later and then restore the quarantined
files.
 
Scary Kitty

My problem is the same as the original poster's; seconding the prior request
for a clarification is hardly "confusing" or "hijacking." I was taught that
keeping it in the original thread maintains the context of the discussion.
There's no need to get snippy with me for it.

Now, to get back to the topic: According to the instructions given in David
H. Lipman's post above, I am supposed to use a "Windows SP2 CD." Logically,
one would assume that "SP2" refers to Service Pack 2 and thus that the CD in
question is supposed to be the Service Pack 2 (only) CD, which I have and
have tried (and failed) to find the required folder. If the instructions were
referring to something other than the Service Pack 2 only disc, then the
instructions should have specifically said that. They did not.

Yes, I am experiencing the same problem with the CA Anti-Virus program, and
yes, the quarantined files were deleted. A post made on the CA forum about
the problem is directing users who need to replace deleted files here for
help in replacing the files. That's why I'm here. But this has been more a
waste of my time than a help.
 
Jim

If you are using a "forum", your message is also being seen on the
WWW, so we are not seeing the above or below messages. In other
words, millions of people can see your message, literally.
 
Leonard Grey

I'll bet you're the type who interrupts a conversation at a party and
takes over the discussion.
 
Daave

Scary Kitty, you should not delete all that text like you just did if
you want others to know what you are talking about. Even though you are
using Microsoft's clunky and problematic Web interface, you are still
accessing a newsgroup in Usenet and most of the other people who are
accessing this same newsgroup (at least the ones who would be most
likely to help you) are using a news reader, which is the preferred
method. As a result, some of those people will have absolutely no idea
what you are talking about or who you are replying to. *Most* of them
will know, of course, because they can see the outline of the thread.
But the point is that *some* won't and if you want to maximize your
chances of success, you should use established Internet etiquette and
learn the rules and follow them. If you would rather not do this, that
is your choice (and that choice will have its consequences); I am merely
attempting to show you the best way to post so that you will have the
highest chance of success.

So if you plan on being a regular member in this newsgroup, I recommend
that you use proper netiquette. Don't snip all the text for starters. If
you want to judiciously snip the parts that are extraneous, that's fine,
but keep the relevant parts and attributions in. And don't hijack other
people's threads for the reasons I cited. And using a news reader will
be a much better experience:

http://michaelstevenstech.com/outlookexpressnewreader.htm

http://support.microsoft.com/default.aspx?kbid=171164

Scary said:
My problem is the same as the original poster's; seconding the prior
request for a clarification is hardly "confusing" or "hijacking." I
was taught that keeping it in the original thread maintains the
context of the discussion. There's no need to get snippy with me for
it.

I am puzzled why you thought I was snippy when I was politely guiding
you toward the correct, accepted behavior. If *you* start a thread and
wish to reply to someone else who replied to you or if you wish to add
extra information to *your* original post, that should always be done in
the same thread, yes. But you should never hijack someone else's thread
as it can cause confusion. If you wish to provide context, a link to the
other thread is sufficient.

Scary said:
Now, to get back to the topic: According to the instructions given in
David H. Lipman's post above, I am supposed to use a "Windows SP2
CD." Logically, one would assume that "SP2" refers to Service Pack 2
and thus that the CD in question is supposed to be the Service Pack 2
(only) CD, which I have and have tried (and failed) to find the
required folder. If the instructions were referring to something
other than the Service Pack 2 only disc, then the instructions should
have specifically said that. They did not.

One should never assume if they lack all the requisite understanding.
There's no shame in admitting this; I have no problem stating when I
don't understand something. David was clearly referring to (actually, he
seemed to be quoting someone else who was referring to) the installation
CD (Windows XP Home Edition *with* SP2), which definitely does contain
the i386 folder. J. Lynn understood this, too. Of course you will fail
in trying to find that same folder in the SP2 CD. It's not there!

Scary said:
Yes, I am experiencing the same problem with the CA Anti-Virus
program, and yes, the quarantined files were deleted. A post made on
the CA forum about the problem is directing users who need to replace
deleted files here for help in replacing the files. That's why I'm
here. But this has been more a waste of my time than a help.

It is only a waste of time if you make it so. Just take a deep breath
and read the advice. It is correct. And you will get your help if you
are open to it.

Did you delete the quarantined files? If not, simply restore them once
the antivirus definitions are up to date. If you emptied them, you will
either need to obtain the XP installation CD or if you are lucky, there
is already an i386 folder in your root drive.

This post should help you:

http://homeofficeforum.ca.com/homeofficeforum/showpost.php?p=15691&postcount=84

which gives you this link in the event you deleted the quarantined
files:

http://homeofficeforum.ca.com/homeofficeforum/showpost.php?p=15544&postcount=61

When you see this line:

Copy the i386 folder from the Windows SP2 CD to the root of C: such as
c:\i386

remember that this is referring to the *installation CD*! Also, if you
already have the i386 folder in your C: drive, there is no need to
perform this step.

Prior to this problem, were you running XP at Service Pack level 3?
 
