Manually Restore Hosed Registry?


#1 ontrack (Members, 7 posts)

Posted 15 August 2008 - 12:18 PM

I've got a computer that seems to have been infected by something called "Antivirus 2008". I used ComboFix, HijackThis, CleanUp! and SysClean. I believe I have it cleaned off, but it seems that the registry is all hosed up. All the restore points were deleted. I was able to undelete a couple of restore points (using GetDataBack for NTFS on a WinPE CD), but then the restore fails.

Symptoms at this point:

- Computer boots up and appears to load fine
- Desktop Cleanup Wizard is enabled. I try to disable it but it won't.
- Computer seems to reboot after everything is loaded from startup
- Can boot into Safe Mode
- Nothing notable in the Event Viewer
- No strange services

Windows XP Pro SP3
Norton 360 (useless)

Is there a way to manually copy the restore point back into the live system? I tried, from the WinPE environment, to copy the files from the restore point and rename them into the \windows\system32\config folder (such as SYSTEM and SOFTWARE; I backed up the broken ones), but that was a no-go.

Thanks for any advice.

-Ontrack
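The copy-and-rename step ontrack describes, written out as an added example; this is not from the original post or from any tool named in the thread. It maps the restore point's snapshot files to the live hive names (the mapping in Microsoft KB 307545) and, before copying each one, sanity-checks the hive's base block: the `regf` signature, the primary/secondary sequence numbers at offsets 4 and 8 (unequal means the hive was captured mid-write), and the XOR checksum at offset 508. A hive that fails the check is skipped rather than copied over a bootable one. The directory layout, the sample hive headers built by `build_hive_header()`, and the `demo()` function are constructed for this example; real hives would be read from `System Volume Information\_restore{GUID}\RPnnn\snapshot` on the offline disk.

```python
import os
import shutil
import struct
import tempfile

# Snapshot file name inside a restore point -> live hive it replaces in
# %SystemRoot%\system32\config (Microsoft KB 307545).
SNAPSHOT_TO_HIVE = {
    "_REGISTRY_MACHINE_SYSTEM": "SYSTEM",
    "_REGISTRY_MACHINE_SOFTWARE": "SOFTWARE",
    "_REGISTRY_MACHINE_SAM": "SAM",
    "_REGISTRY_MACHINE_SECURITY": "SECURITY",
    "_REGISTRY_USER_.DEFAULT": "DEFAULT",
}


def header_checksum(header: bytes) -> int:
    """XOR of the 127 little-endian DWORDs that precede the checksum at offset 508."""
    xor = 0
    for (dword,) in struct.iter_unpack("<I", header[:508]):
        xor ^= dword
    if xor == 0:            # Windows never stores 0 or 0xFFFFFFFF here
        return 1
    if xor == 0xFFFFFFFF:
        return 0xFFFFFFFE
    return xor


def inspect_hive_header(data: bytes) -> dict:
    """Sanity-check a regf hive's base block before trusting the file."""
    if len(data) < 512 or data[:4] != b"regf":
        return {"ok": False, "name": "", "problems": ["not a regf hive"]}
    primary_seq, secondary_seq = struct.unpack_from("<II", data, 4)
    stored = struct.unpack_from("<I", data, 508)[0]
    name = data[48:112].decode("utf-16-le", "replace").rstrip("\x00")
    problems = []
    if header_checksum(data) != stored:
        problems.append("base block checksum mismatch")
    if primary_seq != secondary_seq:
        # Primary is bumped before a write and secondary after it, so a
        # mismatch means the hive was captured mid-write (log not replayed).
        problems.append("dirty hive: sequence numbers %d != %d" % (primary_seq, secondary_seq))
    return {"ok": not problems, "name": name, "problems": problems}


def build_hive_header(name: str, primary_seq: int = 1, secondary_seq: int = 1,
                      corrupt_checksum: bool = False) -> bytes:
    """Constructed 4096-byte base block for testing; not a loadable hive."""
    block = bytearray(4096)
    block[0:4] = b"regf"
    struct.pack_into("<II", block, 4, primary_seq, secondary_seq)
    struct.pack_into("<IIII", block, 20, 1, 3, 0, 1)   # major, minor, type, format
    encoded = name.encode("utf-16-le")[:64]
    block[48:48 + len(encoded)] = encoded
    checksum = header_checksum(bytes(block))
    if corrupt_checksum:
        checksum ^= 0x5A5A5A5A                         # any non-zero flip breaks it
    struct.pack_into("<I", block, 508, checksum)
    return bytes(block)


def restore_hives_from_snapshot(snapshot_dir: str, config_dir: str, backup_dir: str):
    """Copy each usable snapshot hive over the live one, backing up the old file first."""
    restored, skipped = [], []
    for snap_name, hive_name in SNAPSHOT_TO_HIVE.items():
        src = os.path.join(snapshot_dir, snap_name)
        if not os.path.isfile(src):
            skipped.append((hive_name, "missing from snapshot"))
            continue
        with open(src, "rb") as fh:
            report = inspect_hive_header(fh.read(4096))
        if not report["ok"]:
            skipped.append((hive_name, "; ".join(report["problems"])))
            continue
        dst = os.path.join(config_dir, hive_name)
        if os.path.exists(dst):
            shutil.copy2(dst, os.path.join(backup_dir, hive_name + ".bak"))
        shutil.copy2(src, dst)
        restored.append(hive_name)
    return restored, skipped


def demo():
    """Run the procedure against constructed hives in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        snap, cfg, bak = (os.path.join(tmp, d) for d in ("snapshot", "config", "backup"))
        for d in (snap, cfg, bak):
            os.makedirs(d)
        samples = {   # one clean hive, one dirty hive, one with a bad checksum
            "_REGISTRY_MACHINE_SYSTEM": build_hive_header(r"m32\config\SYSTEM"),
            "_REGISTRY_MACHINE_SOFTWARE": build_hive_header(r"m32\config\SOFTWARE", 9, 8),
            "_REGISTRY_MACHINE_SAM": build_hive_header(r"m32\config\SAM", corrupt_checksum=True),
        }
        for fname, data in samples.items():
            with open(os.path.join(snap, fname), "wb") as fh:
                fh.write(data)
        with open(os.path.join(cfg, "SYSTEM"), "wb") as fh:
            fh.write(b"broken live hive")   # stands in for the damaged hive
        restored, skipped = restore_hives_from_snapshot(snap, cfg, bak)
        backed_up = os.path.isfile(os.path.join(bak, "SYSTEM.bak"))
        return restored, skipped, backed_up


if __name__ == "__main__":
    print(demo())
```

Two caveats go with this. The snapshot files are complete hive copies, so no `.LOG` needs to travel with them, but the restore point must predate the infection: a snapshot taken after "Antivirus 2008" installed itself carries its autostart entries straight back into a system that was just cleaned. And the check above only validates the base block; a hive with a sound header can still have damaged cells, which is why a repair install remains the fallback when the copied hives still fail to boot.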

#2 garmanma (Staff Emeritus, 27,809 posts; Cleveland, Ohio)

Posted 15 August 2008 - 01:47 PM

Did someone assist you with these tools on another forum, or did you run them yourself? There is a good chance that you are still infected.
Mark

#3 usasma (BSOD Kernel Dump Expert, 25,090 posts; Southeastern CT, USA)

Posted 15 August 2008 - 06:37 PM

IME a manual system restore only works about 50% of the time, and that's when you have relatively recent points to use for it.

I agree with garmanma in thinking that you may still be infected. Once you're sure that the infection is gone, I'd suggest a repair install of Windows to fix the registry issues (it should leave your programs and files intact): http://support.microsoft.com/kb/917964
- John



