I recently was assisted in removing malware/spyware from my computer. When I was instructed to turn off system restore and reset a new start point I found that System Restore was already Off and not monitoring any of my drives. I was unable to untick the box, receiving the following message:
"System Restore encountered an error trying to enable/disable one or more drives. Please restart your machine and try again."
I restarted 3 times and still could not change the setting.
I launched Super Anti Spyware and tried to fix the issue through that program but it was unsuccessful.
I then checked services.msc to see if it was set to automatic, and it was. When I clicked start I received the following message:
"The System Restore Service service on local computer started and then stopped. Some services stop automatically if they have no work to do, for example, the Performance Logs and Alerts service"
I only have my original Win XP CD with no service packs. I have updated to SP3 via Windows Update.
I have 2 hard drives: 1st is 160gig with over 80% free (Drive C) 2nd is 40gig partitioned into 2 20gig sectors (D & E) D has 20% free and E has 50% free.
Any assistance with this issue would be appreciated. I hope I have included enough info to get started.
Zaxdad
Unable to turn on System Restore Multiple error messages when trying to fix
#2
Posted 09 August 2009 - 05:35 PM
The power of accurate observation is commonly called cynicism by those who haven't got it.
—George Bernard Shaw
#3
Posted 10 August 2009 - 05:58 PM
Budapest, I have run the scan and the logs are below. I now do not have System Restore on a Tab in My Computer\properties. It is still in my start up menu and when I click it the following error is shown:
"System Restore is unable to protect your computer. Please restart your computer, and run System Restore again."
I have done this twice; this message keeps occurring.
LOGS:
catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-11 08:39:02
Windows 5.1.2600 Service Pack 3 NTFS
detected NTDLL code modification:
ZwClose, ZwOpenFile
scanning hidden processes ...
scanning hidden services & system hive ...
scanning hidden registry entries ...
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher]
"TracesProcessed"=dword:00000045
scanning hidden files ...
C:\WINDOWS\Temp\SEP5.tmp 0 bytes
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 1
SDFix: Version 1.240
Run by Stuart
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix
Checking Services :
Restoring Default Security Values
Restoring Default Hosts File
Rebooting
Checking Files :
No Trojan Files Found
Removing Temp Files
ADS Check :
Final Check :
catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-11 08:39:02
Windows 5.1.2600 Service Pack 3 NTFS
detected NTDLL code modification:
ZwClose, ZwOpenFile
scanning hidden processes ...
scanning hidden services & system hive ...
scanning hidden registry entries ...
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher]
"TracesProcessed"=dword:00000045
scanning hidden files ...
C:\WINDOWS\Temp\SEP5.tmp 0 bytes
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 1
Remaining Services :
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"="C:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe:*:Enabled:Windows Live Call"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"="C:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe:*:Enabled:Windows Live Sync"
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"="C:\\Program Files\\Microsoft LifeCam\\LifeCam.exe:*:Enabled:LifeCam.exe"
"C:\\Program Files\\Microsoft LifeCam\\LifeEnC2.exe"="C:\\Program Files\\Microsoft LifeCam\\LifeEnC2.exe:*:Enabled:LifeEnC2.exe"
"C:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"="C:\\Program Files\\Microsoft LifeCam\\LifeExp.exe:*:Enabled:LifeExp.exe"
"C:\\Program Files\\Microsoft LifeCam\\LifeTray.exe"="C:\\Program Files\\Microsoft LifeCam\\LifeTray.exe:*:Enabled:LifeTray.exe"
"C:\\WINDOWS\\system32\\dpvsetup.exe"="C:\\WINDOWS\\system32\\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test"
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"="C:\\Program Files\\AVG\\AVG8\\avgemc.exe:*:Enabled:avgemc.exe"
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"="C:\\Program Files\\AVG\\AVG8\\avgupd.exe:*:Enabled:avgupd.exe"
"C:\\Program Files\\AVG\\AVG8\\avgnsx.exe"="C:\\Program Files\\AVG\\AVG8\\avgnsx.exe:*:Enabled:avgnsx.exe"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"="C:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe:*:Enabled:Windows Live Call"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"="C:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe:*:Enabled:Windows Live Sync"
Remaining Files :
Files with Hidden Attributes :
Wed 22 Oct 2008 949,072 A.SHR --- "C:\Program Files\File Scanner Library (Spybot - Search & Destroy)\advcheck.dll"
Wed 22 Oct 2008 962,896 A.SHR --- "C:\Program Files\Misc. Support Library (Spybot - Search & Destroy)\Tools.dll"
Mon 15 Sep 2008 1,562,960 A.SHR --- "C:\Program Files\SDHelper (Spybot - Search & Destroy)\SDHelper.dll"
Thu 5 Mar 2009 2,260,480 A.SHR --- "C:\Program Files\TeaTimer (Spybot - Search & Destroy)\TeaTimer.exe"
Mon 4 May 2009 0 A.SH. --- "C:\Documents and Settings\All Users.WINDOWS\DRM\Cache\Indiv01.tmp"
Finished!
Thanks Zaxdad
#4
Posted 10 August 2009 - 06:00 PM
Run scans with AVG and Spybot and let us know if anything is found.
#5
Posted 10 August 2009 - 06:44 PM
You have an XP installation CD? Wow! That's pretty good!
Running an up to date MBAM won't hurt either:
Malwarebytes (MBAM): http://malwarebytes.org/
If the scanning doesn't resolve the issue, I am thinking to reinstall SR by locating the sr.inf file, right clicking, Install. Should be in the c:\windows\inf folder or search for it.
You may be prompted for a couple files along the way on reinstalling SR, so locate them on your HDD with a Search window, fill in the proper location to satisfy the install and continue until completed.
This will delete any RPs but if SR is/was turned off/on, you don't have any RPs anyway.
What a good opportunity to create an XP installation CD with a slip streamed SP3 already on it. Stow your original for a rainy day.
There is a good BC tutorial on the process here:
http://www.bleepingcomputer.com/tutorials/slipstreaming-windows-xp-to-create-bootable-cd/
Worked first time for me
Jose
#6
Posted 10 August 2009 - 07:04 PM
Budapest, I ran both scans and they were both clear.
Thanks
#7
Posted 10 August 2009 - 07:08 PM
Try the fix at Kelly's Korner.
Restore/Enable System Restore - Undo - #278 on the left.
Right click on it and save the .reg file to your desktop. Then, double click on the file icon (on your desktop) to merge it into your registry. You may need to reboot your computer for the changes to take effect.
With any fix like this you should create a new restore point and back up the registry first. For backing up the registry I like to use ERUNT.
#8
Posted 10 August 2009 - 07:44 PM
Budapest, my System Restore is now monitoring all my drives. Guess all I need to do is manually set a Restore Point and create a Win XP SP3 Slipstream Installation Disk as suggested by joseibarra.
Thanks for your help.
I do have one other issue regarding Win XP. Should I start a new post?
Zaxdad
#9
Posted 10 August 2009 - 07:52 PM
If it is not related it is probably better to start a new topic.