Bit torrent killed XP Pro explorer.exe

I'm going out to pick up a USB backup drive and am faced with a dilemma... How do I back up my working files, scattered throughout dozens of, maybe over a hundred, directories, without grabbing the infection source too?

 

I could search directory by directory, only copying working and data files (could take days with 2TB of files, and the result will have no organization).

 

Or, I could back up the entire drive(s), then search and delete all exe and dll files (that way maintaining the directory structure for easier use later). That sounds like a bad idea, but if I don't actually EXECUTE the exe's or dll's, maybe I'm ok? Any other file types or extensions to avoid? Like any kind of script or Java files (don't know file types)?

 

Working files (some intermediate and unknown in normal software use) have so many different file extensions, I'm afraid I will miss something critical.

 

Also, should I dis-infect the PC with all 3 drives connected, or just the C:\ drive? (that would seem smartest, but the risk is higher).

 

Don't want to screw this up, and to post to the whatthetech forum, they want you to start by adding the problem description and posting a text file of the "OTL program" output with it. So before I post, I guess I should do my backup, so I'm ready to roll.

 

This is horrendous...

 

Pay attention to what those here with experience of removing the malware suggest, but my suggestion would be, since this at this stage is a fail-safe source of the files if removing the malware should destroy your system, to make a total backup and not worry about whether it is infected at this stage.

 

It was suggested to ask at the site you go to for help in removing the malware about backing up before taking any action and see what they say.

 

But I defer to others with direct experience of your situation.

 

Hugh

Normally, in this situation, you would back up your "My Documents, music, videos, pictures." A screen print of your desktop could be useful in a worst case scenario, as could a copy of your address book and a copy of whatever emails you have saved in your email client. You should be able to archive those and save the archive.

 

As Huwyngr mentioned, this is a worst case scenario. Usually there is minimal damage, like losing the occasional audio or network drivers. You will not be able to save programs. Take the time to save a list of activation keys in case reloading should become necessary.

 

It is also a good time to take a look and see what you can clear out that you never use and don't need.

Followed all their (whatthetech) directions, ran their OTL diagnostic and posted it all at 1:30 Eastern (under the Madscien name there too, in case you're interested). Do some of you guys work those forums too?

 

I await instructions on the backup. Figure I should do what they think is best, having seen the diagnostic output. Looks like a lot of MSFT error reporting stuff isn't working correctly, but what do I know?

Backing up now is a big, and very important task, just in case bug removal goes bad. Decided for the cautious route. Hope they get to me soon!

Moved to own thread for better exposure.

madscien:

 

We can keep track of you on whatthetech. Follow their instructions only at this point. From one of your questions, and one of my responses earlier, I need to remind you that you have Norton Antivirus. It does not have a firewall. You would have been relying on the Windows firewall unless you had a separate stand-alone firewall.

One of you pros may want to advise Chubfrank, in whatever forum he is switched to (assuming he has XP), to put a copy of explorer.exe, copied from a PC with the same XP version running on it, on a flash disc and start it from program manager to at least get the screen up. You need that to do anything else.

 

Funny that I, who am still in it up to my eyeballs, can actually help someone else out!

Since he has his own thread now, feel free to post your advice on it. Experience is a wonderful teacher, isn't it???

2 files infected after seeing the latest "TDL3(+)" installer

 

 

Explorer.exe

 

http://www.virustotal.com/file-scan/report.html?id=578ebb273f07ec29152985294e4f0f482c4fd71574e5e6840fb13de6c414d32a-1282075880

 

Winlogon.exe

 

http://www.virustotal.com/file-scan/report.html?id=db82e795058e88b4434c25667d7cbefb7f5a845be29d188e8ddc6ba0e0521a2b-1282075736

 

 

Quads

 

 

madscien:

 

Please stay on your thread. We had chubbfrank moved for that purpose. It will take some time for them to assist you, plus apparently you have found something new and it may take them some time to figure it out. Patience will be required.

Quads has what looks like the installer for this new change, which is enough of a difference that tools to remove previous versions can't deal with this one.

 

Quads 

Delphinium

Sorry, that was an accident. I was following his thread too in another window, and posted to the wrong thread.

 

Re explorer.exe..... I AM able to run it, just not from its proper directory.

It works from the thumb drive. So if something is corrupting explorer, why doesn't it do that to the one on the thumb?

(That'll probably be in the next bug rev, eh?)

 

I'm backing up anything non-executable while I wait, the Seagate SmartAgent software is good for that. You can select drives and directories, it scans for all the extensions, then you select the extensions to back up. Pretty handy for this situation (though I have had some USB issues, possibly related to the bug).

 

Looking at what you guys (bug-hunters and slayers, in general) have to deal with, I sort of have to wonder why you do it?

Don't get me wrong, it's a truly wonderful thing, but you guys must need heavy medication!

 

If you guys solve this, I'm gonna be looking for someplace to send flowers (or maybe a bottle of Jack).
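Two things come up in the posts above: backing up only non-executable files while keeping the directory tree (the "delete all exe and dll files" idea and the SmartAgent extension filter), and comparing the explorer.exe in its proper directory with the copy on the thumb drive. The script below is an added example, not code from the thread or from any of the tools mentioned; it walks a source tree, copies data files into the backup while skipping extensions Windows treats as code, records a SHA-256 of every file (copied or skipped) so a suspect file can be checked against a known-good copy or looked up by hash on VirusTotal, and never executes anything. The extension list, the function names and the sample files built by `demo()` are constructed for illustration.

```python
"""Added example (not from the thread): selective backup that keeps the
directory tree but skips file types Windows can execute, plus SHA-256
hashing to compare a suspect system file with a known-good copy."""
import hashlib
import os
import shutil
import tempfile

# Extensions Windows treats as code or that commonly carry it.  Constructed
# starting list, not an exhaustive one; extend it for your own setup.
RISKY_EXTENSIONS = {
    ".exe", ".dll", ".sys", ".drv", ".ocx", ".cpl", ".scr", ".com", ".pif",
    ".bat", ".cmd", ".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta",
    ".msi", ".msp", ".jar", ".ps1", ".lnk", ".reg", ".inf",
}


def sha256_of(path, chunk=1 << 20):
    """Stream a file through SHA-256 so multi-GB files do not fill memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def is_risky(filename, risky=RISKY_EXTENSIONS):
    """True if ANY suffix is risky: 'report.pdf.exe' and 'setup.exe.bak'
    are both skipped (a plain endswith() check would miss the second)."""
    parts = filename.lower().split(".")
    return any("." + p in risky for p in parts[1:])


def selective_backup(src, dst, risky=RISKY_EXTENSIONS):
    """Copy data files from src into dst, keeping relative paths.
    Returns {"copied": {relpath: sha256}, "skipped": {relpath: sha256}}.
    Skipped files are still hashed so they can be identified later without
    touching the original drive again.  Nothing is executed."""
    manifest = {"copied": {}, "skipped": {}}
    for root, _dirs, files in os.walk(src):  # followlinks=False by default
        rel_root = os.path.relpath(root, src)
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.normpath(os.path.join(rel_root, name))
            digest = sha256_of(full)
            if is_risky(name, risky):
                manifest["skipped"][rel] = digest
                continue
            target = os.path.join(dst, rel)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            shutil.copy2(full, target)  # copies bytes and timestamps only
            manifest["copied"][rel] = digest
    return manifest


def same_binary(suspect_path, reference_path):
    """Compare a suspect system file with a known-good copy from the same
    Windows version and service pack; a mismatch means the bytes differ."""
    return sha256_of(suspect_path) == sha256_of(reference_path)


def write_manifest(manifest, path):
    """Plain-text manifest: one 'sha256 status relpath' line per file."""
    with open(path, "w", encoding="utf-8") as f:
        for status in ("copied", "skipped"):
            for rel, digest in sorted(manifest[status].items()):
                f.write(f"{digest} {status} {rel}\n")


def demo():
    """Build a constructed sample tree in a temp dir, back it up, and return
    (manifest, same_binary result) so the behaviour can be checked offline."""
    base = tempfile.mkdtemp(prefix="selbak_")
    src, dst = os.path.join(base, "src"), os.path.join(base, "dst")
    sample = {  # constructed sample data, not files from the thread
        "docs/report.txt": b"quarterly numbers",
        "docs/report.pdf.exe": b"MZ\x90\x00 fake dropper",
        "windows/explorer.exe": b"MZ patched explorer",
        "usb/explorer.exe": b"MZ clean explorer",
        "notes.doc": b"meeting notes",
    }
    for rel, data in sample.items():
        p = os.path.join(src, *rel.split("/"))
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "wb") as f:
            f.write(data)
    manifest = selective_backup(src, dst)
    write_manifest(manifest, os.path.join(base, "manifest.txt"))
    match = same_binary(os.path.join(src, "windows", "explorer.exe"),
                        os.path.join(src, "usb", "explorer.exe"))
    return manifest, match


if __name__ == "__main__":
    m, match = demo()
    print("copied :", sorted(m["copied"]))
    print("skipped:", sorted(m["skipped"]))
    print("explorer.exe matches thumb-drive copy:", match)
```

Extension filtering is a heuristic, not a guarantee: Office files with macros, PDFs with embedded scripts and archives containing executables all pass through as "data", so keep the backup drive unplugged from the infected machine once the copy is done and scan it from a clean system before restoring. The manifest is worth keeping regardless, because the hashes let you tell later which copied file changed and which skipped file was the one the forum helpers asked about.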

I infected my machine with the installer tonight and let the critter just go for it.

 

Good news, it is removable and tools should be updated for this shortly. I have been able to remove or swap the files involved on my PC, so that the driver, "explorer.exe" and "winlogon.exe" that the PC is using are no longer infected.

 

So all is not lost.

 

Quads 

Hey Quads,

I have to assume you're with whatthetech too if you're getting info on the details of my bug, and working on it.

Thanks a lot.

 

Lack of a response from me is by no means lack of interest.

Just being patient.

Anybody know if the whatthetech board automatically sends you an email when they post a reply?

And do they work on weekends?

 

I've, perhaps foolishly, been waiting here for the magic bullet (can't do much else), and it being late on a Friday, I'm thinking I may be out of luck for a while.

 

 

Not to be a pest, but I really am new to this, and the process I must go through.

I don't know what to expect.

Hello madscien

 

Here is some info from whatthetech Forum and their procedures.

 

http://forums.whatthetech.com/index.php?showtopic=85128

 


Every member automatically has email notification enabled. When your topic gets a reply, you'll automatically get an email at the address you used when registering. Additionally, you can check your subscribed topics by clicking on View Topic Subscriptions found within My Controls.


Copied from the faq page of that Forum.

 

Hope this helps.

The link that floplot kindly provided also provides a link for what to do if you have not been answered for three days. It is also explained that not all of the volunteers are at the same level of expertise, and you will require some pretty capable assistance. The link says 5 days, but the notice says 3 days.

 

The whole situation is unfortunate, but it will apparently take the same amount of time to save and reformat as it will to wait for assistance. 

 

http://forums.whatthetech.com/What_To_Do_If_You_Have_No_Response_In_5_Days_t83910.html

Hi Delphinium,

I had seen the 3 day action request. Not there yet, and I know I'm not the only one in line. But I have to wait.

I've given the alternative a lot of thought and I just can't lose all that software. Over several years I've moved, lost disks and keys, and even changed the email accounts I communicated with online stores and individual companies through. And the OS was on the drive when I got the beast. I can go back to Gateway for install discs... another delay, and get SP1, then have to deal with that too.

 

I guess everyone should use Ghost to back up everything to a second drive every month or so. That way you have a drop-in replacement. Did it for my laptop, but not my desktop, where all the hard work is done.

 

 

I do feel for you. I lost three hard drives, one after the other, to over-heating problems I wasn't aware of. It's maddening!! Imaging software has made that sort of thing quite painless. With your situation it just can't be handled that way.

 

Give some thought to different storage methods, so that you can limit the amount of damage and wasted time this kind of infection can cause. While it might be convenient to have all of your documents at your fingertips, it would be safer for them to be stored off the machine, with an external drive plugged in when needed to access the archive.

 

After the loss of the drives, I had to contact several software distributors to retrieve keys and activation information. They are quite cooperative. Now I keep a list of that necessary information.

 

It would still be a good idea to have recovery disks at hand, on the basis of Murphy's Law. If you are prepared for every eventuality, nothing will go wrong.

 


madscien wrote:

Hey Quads,

I have to assume you're with whatthetech too if you're getting info on the details of my bug, and working on it.

Thanks a lot.

 

Lack of a response from me is by no means lack of interest.

Just being patient.


 

No, I'm not with "whatthetech" or the other forums in malware removal. I got the sample(s) from somewhere else entirely and, when I had time last night, ran it in the real world (not VM or sandboxed), then set about breaking and cleaning the PC.

 

Quads