I've made a huge mistake.
May 18, 2009 9:00 AM

Thinkpad T61 (Vista) doing scary things. Extremely naive about computer matters. Any help appreciated.

This morning I woke up and noticed that Avira had failed to update, but stupidly didn't think anything of it. Throughout the day, Opera kept crashing. I didn't think too hard on it, but I did run a system scan using Avira and it came up clean. Then this evening, I was innocently going about my business when suddenly all my programs closed on their own volition and I realized, "Oh, crap! I bet I have something bad on my computer!"

Since that reboot, I have been unable to access Avira, Adaware, Spybot, and Windows Defender. I was able to download Malwarebytes, though, and a few things came up on the scan. One was a Trojan, the name of which I did not catch, and the other was "rootkit.bagle." Oh no!

After I typed that last paragraph, my computer crashed again, flashing me the blue screen of death before it went. Eek. I apologize if there are millions of posts like this, but I have not been able to answer my questions from reading them. I looked at the advice from this post and plan on doing those things as soon as I can (unless you tell me otherwise). Here are my questions:
1. Do I need to say my goodbyes to all the movies, music, etc. on my external hard drive?
2. What should I do if I need to start from scratch? I just realized that I don't have the discs with me (I'm in China... I was sure I had brought the discs with me... Ugh.). Should I/Will I be able to use the "restore to factory settings" the Thinkvantage button gives me?

Please forgive me if I'm saying stupid things/leaving out important details/whatever. I'm typing fast so I can post this before my computer unexpectedly shuts down again. Oh, I just remembered, all these things are still true when I'm in safe mode. Ok. It's bedtime here, but I'll check on this thread as soon as I am able. Thank you, metafilter!
posted by mustard seeds to Technology (12 answers total)
 
OK, before you do anything else, copy any important data on your laptop hard drive to your external hard drive and disconnect it. That will probably secure your data, which is the hardest thing to replace.
posted by Busy Old Fool at 9:07 AM on May 18, 2009


Do you know how to burn a CD image? People have reported success with the free F-Secure rescue CD, which can be downloaded here. You can find a free utility for burning CD images here.

Don't be scared. If you are persistent in attacking the malware using a variety of tools you'll hit on a combination that works. You won't have to delete movies.

Avoid logging on to any important accounts (online banking, etc.) until the computer is completely clean.
posted by limon at 9:13 AM on May 18, 2009


I should say, people have reported success specifically in removing rootkit.bagle, which is why I'm recommending it.

Mmm. Bagle.
posted by limon at 9:14 AM on May 18, 2009


Do I need to say my goodbyes to all the movies, music, etc. on my external hard drive?

No, those should be fine. You'll want to scan that drive for any malware when you get everything back up and running, but these days trojans mainly affect the system drive and don't go around corrupting or infecting a ton of files. If you have any important stuff on your system drive and can burn a CD then you can boot from a Live CD (a linux distro like Ubuntu or a specialized rescue cd like System Rescue) and safely copy them to your external drive.

What should I do if I need to start from scratch? I just realized that I don't have the discs with me (I'm in China... I was sure I had brought the discs with me... Ugh.). Should I/Will I be able to use the "restore to factory settings" the Thinkvantage button gives me?

If you have a rootkit and you don't have much luck with specific removal instructions then I would just suggest nuking everything and starting over. I always just restore from the standard Windows OS discs. Does your laptop have a sticker on it with your Vista license number? If so you can just get the install CDs from someone else (a friend or from certain *ahem* websites) and use your license key with it. One issue you might have is if you need any special drivers that aren't included in the normal Vista install, in that case you would need to have your original CDs or you would need to download them from the manufacturer's website.
posted by burnmp3s at 9:34 AM on May 18, 2009


Yeah, as limon says, don't log into anything while this problem persists and change the passwords of anything you've logged into in the past day or so. (Or, if you want to be 100% secure, change all your passwords.)

The other thread contains excellent instructions. Let us know how they go.

If you have access to a friendly geek, especially one with plenty of spare time, ask her/him to do it for you. You might not believe it, but some people enjoy cleaning up infected computers.
posted by Busy Old Fool at 9:38 AM on May 18, 2009


Some people have been successful at removing bagle with ComboFix. Download link and usage instructions here. You might have to rename the file after you download it (right-click on the file, click rename) into something else for it to run, because bagle might be checking for ComboFix.exe.

Free web-based virus scanners for you to try:
Trend Micro Housecall
Dr. Web CureIt
Kaspersky Online Scanner
F-Secure Online Scanner
posted by limon at 10:21 AM on May 18, 2009


nthing backing up your data first. Can you log into Safe Mode successfully? If you haven't tried, press F8 as your computer boots and select Safe Mode. This may allow you to get your files moved before it crashes again.

Once you get everything back up, make sure to run an Anti Virus/Defender scan on your external hard drive as well. You don't want files on there to re-infect your system.

What should I do if I need to start from scratch? I just realized that I don't have the discs with me (I'm in China... I was sure I had brought the discs with me... Ugh.). Should I/Will I be able to use the "restore to factory settings" the Thinkvantage button gives me?

Definitely worth a try, but use it only as a last resort. Keep in mind that it'll go back to factory settings, so if you've installed software that wasn't included at that point (MS Office, Photoshop, etc.), you're going to be without that as well.
posted by JuiceBoxHero at 10:56 AM on May 18, 2009
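The "boot from a Live CD and copy your files to the external drive" step that burnmp3s and JuiceBoxHero describe, written out as an added example that is not part of any poster's answer. It is a POSIX shell function meant to be run from a Linux rescue CD after the Windows drive has been mounted read-only (for instance `mount -o ro /dev/sda2 /mnt/win`; the device name and mount point are assumptions, as are the sample paths). It copies a user profile to the external drive while refusing executable file types that could carry the infection across, and writes a SHA-256 manifest so the copy can be checked for integrity, and later re-scanned, once the laptop has been rebuilt.

```shell
#!/bin/sh
# Added example, not from the thread. Run from a Linux live/rescue CD.
# Assumed layout (placeholders): suspect Windows drive mounted read-only at
# /mnt/win, external drive mounted read-write at /mnt/usb.
#
# backup_profile SRC DST
#   Copies every regular file under SRC into DST, preserving the relative
#   path and timestamps, but skips Windows executable types (Bagle-style
#   malware spreads as .exe/.scr/.pif and friends). Writes DST/MANIFEST.sha256
#   in "sha256sum -c" format and prints the number of files copied.
backup_profile() {
    src="$1"
    dst="$2"
    mkdir -p "$dst"
    : > "$dst/MANIFEST.sha256"
    find "$src" -type f -print | sort | while IFS= read -r f; do
        rel="${f#"$src/"}"
        # Windows filenames are case-insensitive, so lower-case before matching.
        lower=$(printf '%s' "$rel" | tr 'A-Z' 'a-z')
        case "$lower" in
            *.exe|*.dll|*.scr|*.com|*.pif|*.bat|*.cmd|*.vbs|*.js|*.lnk)
                printf 'skipped executable: %s\n' "$rel" >&2
                continue ;;
        esac
        mkdir -p "$dst/$(dirname "$rel")"
        cp -p "$f" "$dst/$rel"
        # Record the hash relative to DST so the manifest verifies from there.
        (cd "$dst" && sha256sum "$rel") >> "$dst/MANIFEST.sha256"
    done
    wc -l < "$dst/MANIFEST.sha256" | tr -d ' '
}

# verify_backup DST -> exit 0 if every file still matches the manifest,
# non-zero if anything is missing or has changed since the copy.
verify_backup() {
    (cd "$1" && sha256sum -c --quiet MANIFEST.sha256) >/dev/null 2>&1
}

# Typical use from the rescue CD (paths are placeholders):
#   backup_profile /mnt/win/Users/mustard /mnt/usb/backup-2009-05-18
#   verify_backup /mnt/usb/backup-2009-05-18
```

The executable-extension list is deliberately conservative: a document or media file that a trojan cannot execute is far less risky to carry over than a stray .exe in Downloads, and the manifest gives you a fixed list of exactly what was copied, which is what you want to hand to the scanner when you check the external drive later, as JuiceBoxHero suggests.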


Restore to factory settings from ThinkVantage should reinstall the OS from a disk image on a hidden partition of your hard drive. So, it should be clean.
posted by geos at 12:41 PM on May 18, 2009


Response by poster: Update: Thanks for the advice, everyone (if you're still here...). The day after I posted this, the internet was down at work, too, so sorry I wasn't able to thank you earlier. After running Combofix (which identified the rootkit, but didn't seem to be able to get rid of it) and a few other programs, I decided to call it a day and chose the "restore to factory settings" option in the Thinkvantage menu. Does everyone agree that this should be fine? I ran Combofix and scanned with AVG, and neither detected any programs this time around. I also had my external drives scanned at a friend's house, so that should be ok. I feel paranoid that my computer may have come back wrong (like in Pet Sematary) because it seems a bit sluggish and my downloads keep pooping out (although this could be because of the lameo internet connection here).

Finally, if it turns out that I need to start over from discs, you're saying I can probably find them online?
posted by mustard seeds at 1:04 AM on May 20, 2009


Finally, if it turns out that I need to start over from discs, you're saying I can probably find them online?

I'm not sure exactly how that Thinkvantage feature that you used works, but according to IBM as long as your system is working you can burn your own recovery discs that are equivalent to the ones that came with your system. If your computer still doesn't work properly after that, you should probably just talk to IBM support directly because installing a non-IBM version of Vista most likely won't help.
posted by burnmp3s at 6:53 AM on May 20, 2009


I believe (but could be wrong) that Thinkvantage Restore to Factory Settings basically reimages the drive from a hidden partition. If I'm right, then you can be pretty confident that your laptop is cured.

mustard seeds, after you ran Restore to Factory Settings what state was the computer in? Were any of your files still there? How about bookmarks, wallpaper and other settings? Was it essentially exactly the same as when you turned it on for the first time?
posted by Busy Old Fool at 8:33 PM on May 20, 2009


Response by poster: Overdue update: I chose the "restore to factory settings" option and I've been happy since then. Thanks for your help, everybody!
posted by mustard seeds at 4:54 PM on July 2, 2009

