MRfMM – Safe Mode and System Restore – Win 7/Vista


System Restore

If you cannot access the internet, programs will not run, or too many popups appear, restore Windows to a point in time before these problems started.

By default Windows creates system restore points automatically at various times (for example, before Windows updates and driver installs). You can roll back to any of them with the System Restore utility.

Before you run System Restore, disable your antivirus software; a real-time scanner can block the files System Restore has to replace. In particular, AVG Free will cause restores to fail. Re-enable the antivirus once the restore has completed.

Here are the steps to take:

  1. Go to the Start menu and type “system restore” in the search box at the bottom.
  2. Click on “System Restore”.
  3. When the System Restore box pops up, click Next.
  4. In the bottom left, check “Show more restore points”.
  5. Click on a restore point prior to when you started having problems.
  6. Click Next.
  7. Click Finish. System Restore restarts the system and performs the restore before Windows comes back up.

After the restart, you should get a message saying System Restore completed successfully. If you get a message saying it failed, make certain you disabled your antivirus and try again.
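The same procedure from an elevated Windows PowerShell prompt, as an added example that is not part of the original guide. It uses only the System Restore cmdlets that ship with Windows 7 and Vista (Get-ComputerRestorePoint, Restore-Computer, Enable-ComputerRestore); the date on which the trouble started is an assumption you replace with your own, and the prompt must be opened with "Run as administrator".

```powershell
# Added example (not from the original guide): drive System Restore from an
# elevated Windows PowerShell prompt instead of the wizard.

# 1. Make sure protection is on for the system drive. It is on by default,
#    but some malware switches it off, which leaves you with no restore points.
Enable-ComputerRestore -Drive "C:\"

# 2. List every restore point, oldest first, with a readable date. This is the
#    same list the wizard reveals when you tick "Show more restore points".
$points = Get-ComputerRestorePoint |
    Select-Object SequenceNumber, Description, RestorePointType,
        @{Name = "Created"; Expression = { $_.ConvertToDateTime($_.CreationTime) }} |
    Sort-Object Created
$points | Format-Table -AutoSize

# 3. Pick the newest point created BEFORE the problems began.
#    ASSUMPTION: edit this date to match when your symptoms started.
$troubleStarted = Get-Date "2014-03-10"
$candidate = $points |
    Where-Object { $_.Created -lt $troubleStarted } |
    Select-Object -Last 1
if (-not $candidate) {
    Write-Warning "No restore point older than $troubleStarted exists; go on to the Safe Mode section."
    return
}
"Restoring to point #$($candidate.SequenceNumber): $($candidate.Description) ($($candidate.Created))"

# 4. Restore. Windows restarts as part of this, so have your antivirus
#    disabled first, as the guide says. -Confirm asks before it proceeds.
Restore-Computer -RestorePoint $candidate.SequenceNumber -Confirm

# After the reboot, run the line below: it reports whether the last restore
# succeeded, the same result the popup shows. A non-zero status is a failure.
# Get-ComputerRestorePoint -LastStatus
```

If the list is empty even after Enable-ComputerRestore, there is nothing to roll back to and System Restore cannot help; skip ahead to Safe Mode.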

If you can now access the internet and the popups have stopped or decreased, return to where you were in the main sections and continue.

Safe Mode

If System Restore failed or you are still having too many problems with the system, then it is time to try using Safe Mode.

Safe Mode is a diagnostics mode of Windows. Only basic drivers and services are started, which keeps most malware from loading and makes it easier to track down or fix problems.

To boot into Safe Mode using MSCONFIG, do the following:

  1. Go to the Start menu and type “msconfig.exe” in the search box at the bottom.
  2. Click on MSCONFIG.
  3. In the window that appears, click on the Boot tab.
  4. Check “Safe boot”.
  5. Select Network in the “Safe boot” section. You will need the network to download the required tools. Note that this setting persists: the system keeps booting into Safe Mode until you uncheck it (see Exiting Safe Mode below).
  6. Click Ok.
  7. Click Restart.

If you are unable to run MSCONFIG, you can force your system into Safe Mode by doing the following:

  1. Go to the Start menu and click on Shut down in the bottom right corner.
  2. As the system is shutting down, locate the F8 (Function 8) key at the top of the keyboard.
  3. Once the system is off, turn it on and immediately begin tapping the F8 key repeatedly.
  4. In a few seconds you should be at the Windows Advanced Boot Options screen.
  5. Using the up or down arrow keys, highlight the line that says “Safe Mode with Networking” and press Enter.
  6. If the system asks you which operating system to boot, pick the one you usually use and press Enter.
  7. If you see a stream of driver file names scroll by, you are starting in Safe Mode. Unlike the MSCONFIG method, the F8 choice applies to this boot only.

If your System Restore failed before, try it again now from Safe Mode.

If it still fails, stay in Safe Mode (or return to it, if the failed restore rebooted you into normal mode). You will need other tools to get at the malware.
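Two checks a practitioner would want at this point, as an added example that is not part of the original guide: confirm from inside Windows that you really are in Safe Mode with Networking, and, when MSCONFIG will not run but you can still open an elevated PowerShell prompt, set the same "Safe boot / Network" flag that MSCONFIG sets. bcdedit and the Win32_ComputerSystem class are standard on Windows 7 and Vista; the prompt must be run as administrator for the bcdedit call.

```powershell
# Added example (not from the original guide): verify the current boot state
# and, if needed, request Safe Mode with Networking without using MSCONFIG.

function Test-SafeMode {
    # Windows reports the state of the running session as one of:
    #   "Normal boot", "Fail-safe boot" (Safe Mode),
    #   "Fail-safe with network boot" (Safe Mode with Networking)
    $cs = Get-WmiObject -Class Win32_ComputerSystem
    $cs.BootupState
}

function Set-SafeBootNetwork {
    # Tell the boot loader to start the current Windows entry in Safe Mode
    # with Networking on every boot until the value is removed. This is
    # exactly what MSCONFIG's "Safe boot" + "Network" checkboxes write.
    bcdedit /set "{current}" safeboot network | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "bcdedit failed; is this prompt elevated?" }
    # Print the entry so you can see the 'safeboot  Network' line is present.
    bcdedit /enum "{current}"
}

"Current boot state: $(Test-SafeMode)"
# Inside Safe Mode this variable is also set, to MINIMAL or NETWORK.
"SAFEBOOT_OPTION: $($env:SAFEBOOT_OPTION)"

if ((Test-SafeMode) -ne "Fail-safe with network boot") {
    Set-SafeBootNetwork
    "Safe boot requested. Restart to apply: Restart-Computer -Force"
}
```

Run Test-SafeMode again after the reboot; if it still reports "Normal boot", the change did not take and you should fall back to the F8 method above.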

Rkill

Because your system is in such a bad state, you will need to use two tools now that I normally use later in the cleaning process. The first tool is Rkill.

Download Rkill

Some malware prevents you from running the tools that would remove it. Rkill is a program that terminates known malware processes so you can run the tools you need to clean. It does NOT remove malware. It only kills processes that are active in memory; the files stay on disk and the processes will return after a reboot, so run your cleaning tools before you restart.

Here’s how to use Rkill:

  1. Click the link above and download Rkill, choosing the iExplore.exe download. It is Rkill renamed, to get past malware smart enough to kill any program named Rkill.
  2. Find the downloaded iExplore.exe in your Downloads folder.
  3. Right-click over it and select “run as administrator”.
  4. It will take a few seconds to run. When it completes close the window and move on to the next step.
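A scripted version of those steps, as an added example that is not part of the original guide: it launches the renamed Rkill elevated, waits for it to finish, and shows which processes disappeared while it ran, which tells you what the malware is called and where its files live before you go on to the next tool. It assumes the file was saved to the Downloads folder under your profile, as the guide describes.

```powershell
# Added example (not from the original guide): run the renamed Rkill
# (iExplore.exe) as administrator and record what it terminated.
# ASSUMPTION: the download landed in %USERPROFILE%\Downloads.

$rkill = Join-Path $env:USERPROFILE "Downloads\iExplore.exe"
if (-not (Test-Path $rkill)) { throw "Rkill not found at $rkill" }

# Snapshot running processes by PID before Rkill runs. Path is the executable
# on disk; it is empty for protected system processes, which is fine.
$before = Get-Process | Select-Object Id, ProcessName, Path

# Equivalent of right-click > "Run as administrator"; -Wait blocks until
# Rkill's window closes.
Start-Process -FilePath $rkill -Verb RunAs -Wait

$after    = Get-Process | Select-Object Id, ProcessName, Path
$afterIds = $after | ForEach-Object { $_.Id }

# Anything whose PID is gone was either killed, or killed and immediately
# restarted under a new PID (a sign the malware has a watchdog process).
$gone = $before | Where-Object { $afterIds -notcontains $_.Id }

if ($gone) {
    "Processes no longer running after Rkill:"
    $gone | Format-Table Id, ProcessName, Path -AutoSize
    # Note the paths: those are the files your cleaning tools must deal with.
} else {
    "No processes were terminated, or the malware restarted them."
}

# Rkill also writes its own report, Rkill.txt, to the desktop; show it if present.
$log = Join-Path ([Environment]::GetFolderPath("Desktop")) "Rkill.txt"
if (Test-Path $log) { Get-Content $log }
```

Do not reboot between this and the next tool: as the guide notes, Rkill only clears memory, and the processes listed above will be back after a restart.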

Zoek

Download Zoek
Zoek script

Zoek is a very aggressive tool. It will most likely remove your malware, but it will most likely also damage some of your legitimate applications, which you may then need to reinstall. If you have reached this point, however, your infection is bad enough that you may have no other choice.

Use Zoek as a last resort and definitely at your own risk!

  1. Download the Zoek EXE file to your system using the link above.
  2. Before you run Zoek, disable your anti-virus software.
  3. Find the downloaded file, right-click over it and select “Run as administrator”. Zoek will take some time to start. Be patient and wait.
  4. Copy and paste the Zoek script listed above into the Zoek window.
  5. Check to make certain “Scan all users” is selected.
  6. Click “Run script”. As Zoek runs it displays what it is doing. It may take a bit to complete. Let it run until it has completed.
  7. When finished, Zoek will ask to restart the system. Do so.
  8. After restart, a log of what Zoek did is displayed. After reviewing, close the log.

If your problems are gone you can continue the cleaning process here. You do not need to run Rkill or Zoek again.

Exiting Safe Mode

If you entered Safe Mode using the F8 key, nothing persists: to boot normally, go to the Start menu, click the arrow to the right of Shut down and select Restart.

If you used MSCONFIG to select Safe Mode do the following:

  1. Go to the Start menu and type “msconfig.exe” in the search box at the bottom.
  2. Click on MSCONFIG.
  3. In the window that appears, click on the Boot tab.
  4. Uncheck “Safe boot”.
  5. Click Ok.
  6. Click Restart.
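The MSCONFIG route leaves a persistent "safeboot" value in the boot configuration, which is why the checkbox has to be cleared. As an added example that is not part of the original guide, this removes that value from an elevated PowerShell prompt and verifies it is gone before you restart; bcdedit is the standard tool on Windows 7 and Vista.

```powershell
# Added example (not from the original guide): clear the persistent Safe Boot
# flag that MSCONFIG set, confirm it is gone, then restart normally.
# Requires an elevated prompt.

function Get-SafeBootSetting {
    # Parse bcdedit's listing of the current Windows entry and return the
    # value of its 'safeboot' element ("Network" or "Minimal"), or $null
    # when the next boot will be a normal one.
    $hit = bcdedit /enum "{current}" |
        Select-String -Pattern '^safeboot\s+(\S+)' |
        Select-Object -First 1
    if ($hit) { $hit.Matches[0].Groups[1].Value } else { $null }
}

function Clear-SafeBoot {
    $current = Get-SafeBootSetting
    if (-not $current) {
        "Safe boot is not set; the next restart is already a normal boot."
        return
    }
    "Safe boot is currently '$current'; removing it."
    bcdedit /deletevalue "{current}" safeboot | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "bcdedit failed; is this prompt elevated?" }
    if (Get-SafeBootSetting) { throw "safeboot value is still present" }
    "Safe boot cleared; the next restart boots Windows normally."
}

Clear-SafeBoot
# Restart-Computer   # uncomment once you are ready to reboot
```

If Clear-SafeBoot reports that safe boot was never set, you got into Safe Mode via F8 and a plain Restart is all that is needed.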

Now What?

Download ComboFix

If you still have problems, here are some options:

ComboFix

ComboFix is a tool similar to Zoek. You can download it using the link above. Run it as administrator.

Search the Symptoms

Try searching on the symptoms you are experiencing. If the malware displays any kind of name, include it in your search. Detailed information like that narrows the search considerably and helps you find a solution.

Bleeping Computer Forums

You can also try posting your problems in the forums at Bleeping Computer.

Consider My Immediate Assistance Call

I can help you with my Immediate Assistance remote support call. It’s a very inexpensive way to get your system back running correctly.

If I can’t fix your problem, I’ll cheerfully refund your money while we are on the phone.

Reinstall Windows

If all this fails then a reinstall of Windows may be necessary.

Before the reinstall, back up your personal data to an external drive or flash drive.

Use Windows Easy Transfer to make one copy of your data. Then manually copy your profile as a second copy. Your profile is typically found in C:\Users\<your account name>.
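One way to make that second, manual copy, as an added example that is not part of the original guide. It uses robocopy, which ships with Windows 7 and Vista, and assumes your account is named "alice" and the external drive is E:; change both. Run it from an elevated prompt so every folder in the profile is readable.

```powershell
# Added example (not from the original guide): copy a user profile to an
# external drive with robocopy and check the result.
# ASSUMPTIONS: account "alice", external drive E:.

$account = "alice"
$source  = "C:\Users\$account"
$dest    = "E:\Backup\$account-$(Get-Date -Format yyyyMMdd)"
$logFile = "$dest-robocopy.log"

# Make sure the backup root exists so the log file can be created.
New-Item -ItemType Directory -Force -Path (Split-Path $dest) | Out-Null

# /E        copy subfolders, including empty ones
# /COPY:DAT data, attributes and timestamps only; ACLs refer to SIDs that
#           will not exist on the fresh install
# /XJ       do NOT follow junction points. Windows 7 profiles contain hidden
#           junctions such as "Application Data" -> AppData\Roaming; without
#           /XJ robocopy recurses through them until paths get too long.
# /XD       skip caches that are large, useless after a reinstall, and a
#           favourite hiding place for the files you are trying to get rid of
# /R:1 /W:1 retry once with a 1 second wait instead of the default million
# /LOG+ /TEE write a log and also show progress on screen
$opts = @(
    $source, $dest,
    "/E", "/COPY:DAT", "/XJ", "/R:1", "/W:1",
    "/XD", "$source\AppData\Local\Temp",
           "$source\AppData\Local\Microsoft\Windows\Temporary Internet Files",
    "/LOG+:$logFile", "/TEE"
)
robocopy @opts

# robocopy's exit code is a bit field: 0-7 mean success (files copied, extras
# or mismatches noted); 8 and above mean at least one file failed to copy.
if ($LASTEXITCODE -ge 8) {
    Write-Warning "Some files were not copied; review $logFile before wiping the disk."
} else {
    "Backup finished with robocopy status $LASTEXITCODE (0-7 = OK). Log: $logFile"
}
```

Treat the copy as data, not as a source of programs: after the reinstall, bring back documents, photos and mail, and reinstall applications from their original installers rather than copying executables out of the backup.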

After the reinstall, apply all Windows updates before you do anything else. You will also need to reinstall your applications and drivers (printers, scanners, cameras, etc.).
