
Need assistance with unusual XP restore point issue..

Travler Member Posts: 61
I've inherited a machine that a local repair shop screwed up. I am working on a hard drive that has had Windows XP removed from it. It no longer has any OS, but the old XP file system remains. (The new OS is Windows98se that has been installed on a new hard drive.) This system has been infected heavily with Spyware and I am trying to remove a trojan from the old drive (which is now drive D). The problem is that when I reboot after deleting the old infected XP files, they all reappear. I am sure this is due to the restore point files. I've tried deleting the entire systemrestore folder but it simply reappears after a reboot too. Therefore, I'm guessing there is something in the registry that I need to delete. Am I on the right track?

Any ideas?

Thanks!

Comments

  • RussS Member Posts: 2,068
    If it is booting to Win98 it won't have any restore points as per Windows, but if it is a system that uses GoBack or something similar that is possible.
    I would suggest using MSCONFIG to stop assorted startups until you have cleansed the system.
    www.supercross.com
    FIM website of the year 2007
  • Travler Member Posts: 61
    I have the C: drive cleaned up. There is nothing in Startup (the Registry's RUN items which show up in MSCONFIG) that is causing these files to reappear. There do not appear to be any programs like GoBack either. The problem is a file located at d:\windows\isrvs\edmond.exe. This file is certainly a trojan, but with the remains of XP's system restore I can't get it to stay gone.

    More Googling has led me to attempt deleting the d:\windows\system32\config directory but to no avail. Anything deleted from D: returns upon reboot.
  • RussS Member Posts: 2,068
    The solution is ..........

    fdisk ;)


    OK, edmond.exe is spyware - since you have W98 on your boot drive you won't be able to use Microsoft AntiSpy or Ewido - try Pest Patrol.
    Another suggestion would be to go to http://housecall.trendmicro.com/ and run their new Beta - does a pretty good job of removing spyware. AntiVir can be installed to run alongside your existing AV system if you set it not to load at startup and not to register shell extensions.