Saturday, January 3, 2015
SharePoint Server 2013 client machine is infected with CTB locker virus.
Issue: System Restore failed while restoring Windows 8.1 after the machine was infected by the virus.
Background: My Windows 8.1 client machine for SharePoint Server 2013 was infected by a virus called CTB-Locker (Curve-Tor-Bitcoin Locker), a ransomware family that encrypts the victim's files and demands payment for the key.
More details for the virus can be found here: http://securelist.com/analysis/publications/64608/a-new-generation-of-ransomware.
My machine became very slow whenever I tried to do anything, such as opening the SharePoint sites from the 8.1 client machine.
I was not sure how my client was infected; antivirus was installed and fully updated. That is still an open question and I will come back to it later. For now, let's discuss the restore issue and how I recovered my machine.
All system and configuration files were encrypted and damaged.
Every time I restarted the machine, all the memory was taken by an unknown program, Eamnraem Vireti Dtudaa 2021 (I am not sure what it was).
In short, my machine was totally wrecked, and after trying every possible way of removing the malware I had only one option left: restore it from the last known good System Restore point.
My luck was not good, though: both of my restore points were damaged and threw the errors below. The first one:
System Restore failed to extract the file. The restore point was damaged or was deleted during the restore.
The second restore point gave a different error:
System Restore failed while copying the registry from the restore point.
An unspecified error occurred during System Restore. (0x80070571)
The code is not as unspecified as the dialog suggests: 0x80070571 wraps Win32 error 1393, ERROR_DISK_CORRUPT ("The disk structure is corrupted and unreadable"), which points at the volume holding the restore points rather than at System Restore itself.
I did try to remove the virus using Malwarebytes and some other online tools, but there was no go.
I updated the antivirus and scanned with it, but the virus had infected the AV as well.
I booted the machine in Safe Mode and tried the restore from there: same issue.
I tried to recover the machine from 'Repair your computer' (the Windows Recovery Environment): no luck.
I tried the steps given in http://support.microsoft.com/kb/2695585: no luck.
Reading some forums online, I found claims that Automatic Updates will delete all restore points (which means that you cannot go back if the update goes bad). Perhaps one of those updates corrupted my restore points. (In practice, restore points live in VSS shadow storage, which has a size quota; when it fills up, the oldest shadow copies are dropped, so a restore point created by an update can push older ones out.)
Either way, it was very disappointing.
The same forum also outlined restoring the registry manually, which I preferred not to do.
I also tried running sfc /scannow and chkdsk /f /r as outlined here:
http://www.thewindowsclub.com/system-restore-not-working-windows, but again no luck.
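The checks I would run before giving up on System Restore, as an added PowerShell example that is not part of the original post and not the steps the author ran. It wraps the sfc and chkdsk commands mentioned above with checks that show why a restore point is unusable. It assumes an elevated Windows PowerShell prompt on the 8.1 machine (Safe Mode with Command Prompt is enough), that the system drive is C:, and the 0x80070571 code from the dialog above; the event ID and quota details are standard Windows behaviour, not something taken from the post. Nothing here removes the malware.

```powershell
#Requires -RunAsAdministrator
# Added triage for a failing System Restore on Windows 8.1. Not the article's
# own steps; it wraps the commands the article mentions (sfc, chkdsk) with
# checks that show *why* a restore point is unusable. Assumptions: the system
# drive is C:, the dialog showed 0x80070571, and the box still boots (Safe
# Mode is fine). Nothing here removes the malware.

$SystemDrive = 'C:'
$ErrorCode   = 0x80070571      # taken from the dialog quoted in the article

# 1. Decode the HRESULT. 0x8007xxxx is FACILITY_WIN32, so the low 16 bits are
#    a plain Win32 error code whose text .NET can look up for us.
function Get-Win32ErrorText {
    param([int]$HResult)
    $win32 = $HResult -band 0xFFFF
    $ex = New-Object -TypeName System.ComponentModel.Win32Exception -ArgumentList $win32
    [pscustomobject]@{
        HResult   = '0x{0:X8}' -f $HResult
        Win32Code = $win32
        Message   = $ex.Message
    }
}
Get-Win32ErrorText -HResult $ErrorCode | Format-List

# 2. What System Restore believes it has. CreationTime comes back as a DMTF
#    timestamp string, hence the converter.
$points = @(Get-ComputerRestorePoint)
$points |
    Select-Object SequenceNumber, Description, RestorePointType,
        @{ n = 'Created'; e = { [System.Management.ManagementDateTimeConverter]::ToDateTime($_.CreationTime) } } |
    Format-Table -AutoSize

# 3. Restore points on Vista and later are stored inside VSS shadow copies. A
#    listed restore point with no backing shadow copy is exactly the "damaged
#    or deleted" case in the first error message.
$shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy)
'{0} restore point(s) listed, {1} shadow copies present' -f $points.Count, $shadows.Count
vssadmin list shadowstorage          # when the quota is full, the oldest copies are dropped

# 4. 0x80070571 is ERROR_DISK_CORRUPT: the volume holding the shadow copies is
#    the suspect, not the restore point. NTFS logs event 55 in the System log
#    when it finds corruption, and the dirty bit tells you whether chkdsk is
#    already queued for the next boot.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Ntfs'; Id = 55 } `
    -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
fsutil dirty query $SystemDrive

# 5. The repairs the article ran. chkdsk cannot lock the live system drive, so
#    it offers to schedule itself for the next boot; answer Y and reboot.
sfc /scannow
chkdsk $SystemDrive /f /r

# 6. After a clean rebuild: keep protection on, give VSS enough room so a
#    Windows Update restore point does not evict the older ones, and take a
#    known-good baseline straight away.
Enable-ComputerRestore -Drive "$SystemDrive\"
vssadmin resize shadowstorage /for=$SystemDrive /on=$SystemDrive /maxsize=10%
Checkpoint-Computer -Description 'Clean rebuild baseline' -RestorePointType MODIFY_SETTINGS
```

For the code on this page, step 1 reports Win32 error 1393 (ERROR_DISK_CORRUPT). Steps 2 and 3 are the useful comparison: a restore point listed in step 2 whose shadow copy is missing in step 3 cannot be restored no matter which mode you boot into. Note that Windows 8 and later refuse to create a second restore point within 24 hours of the previous one unless the SystemRestorePointCreationFrequency registry value is lowered, so step 6 may silently skip the checkpoint if Windows Update has just made one.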
Finally I gave up and had to rebuild my machine with a fresh install from the Windows 8.1 setup media.
You can also restore from a previous system image if you have one.
My machine is working like a charm now.
On recovering your files and stopping this virus from spreading, my research is still ongoing; I will keep you posted on the findings.
If you have any suggestions for preventing this in future, please drop them in the comment box below.
Applies to: Windows 8.1, SharePoint Server 2013.