System Restore problems after rootkit virus issues


This topic is locked
14 replies to this topic

#1 wiggy

Posted 22 January 2009 - 02:09 PM

Hi All. I'm hoping someone has some ideas for me. Below is a recap of my issue:

Got infected with some malware including, but not limited to, a Google hijacker.
I was going to use System Restore to get back to a pre-infection state, but the utility would never advance with the 'NEXT' button after selecting a restore point.
After a couple of system reboots, all of my restore points were removed.
Read through the forums and tutorials and ran Malwarebytes and SUPERAnti, which cleaned up the offending malware issues.
System Restore still is not creating restore points and I cannot create one manually.
I get a dialogue box that states "System restore is not able to create a restore point. Please restart the computer, and then run System Restore again." That obviously doesn't work.
I have attempted to reinstall the utility by using the sr.inf install procedures outlined in the bertk.mvps.com instructions, but this has not fixed the Restore problem.

Not sure if this is even the right forum, but I don't think it is a malware issue any longer, so I'm trying here first. Any assistance would be greatly appreciated! Thanks.

#2 dc3

Posted 22 January 2009 - 03:04 PM

Have you tried to run Last Known Good Configuration?

When the computer is starting, repeatedly tap the F8 key. This should take you to the Windows Advanced Options Menu; once it opens, click on Last Known Good Configuration (your most recent settings that worked).

Family and loved ones will always be a priority in my daily life. You never know when one will leave you.

#3 wiggy

Posted 22 January 2009 - 03:08 PM

> Have you tried to run Last Known Good Configuration?
>
> When the computer is starting, repeatedly tap the F8 key. This should take you to the Windows Advanced Options Menu; once it opens, click on Last Known Good Configuration (your most recent settings that worked).

dc3, I did this yesterday, when the restore points were still available, but the utility wouldn't progress to the point of actually launching the restore. I have not done so, since the restore points completely disappeared. I can certainly give it a shot.

#4 dc3

Posted 22 January 2009 - 03:15 PM

The Last Known Good Configuration is not the same as System Restore.

#5 wiggy

Posted 22 January 2009 - 03:32 PM

Correct. I wasn't clear: when I was trying to address my System Restore issues, I did a Last Known Good Config boot.

I just did a new one (first one since removing the malware), and the system restore still gives me the same dialogue about not being able to create a restore point.

Thanks for spending some of your time on this dc3.

#6 dc3

Posted 22 January 2009 - 03:38 PM

Try running sfc.exe.

How to Use SFC.EXE to Repair System Files

Guide Overview

The purpose of this guide is to teach you how to use the System File Checker (SFC) to examine and repair corrupt operating system files.

In doing this, the SFC tool may replace some of your files that were updated by Windows Update. The only way to check this (and to update any of the files) is by visiting Windows Update and allowing it to check your system for updates and update as needed.

References

Description of Windows XP and Windows Server 2003 System File Checker (Sfc.exe)

Microsoft Windows XP - Repair overview

Instructions

1. Locate your Windows XP installation CD. If you don't have one, you'll need to locate a directory on your system that's named "i386" (without the quotes). This directory may be on a hidden partition on your hard drive.

2. Go to Start, then to Run, and type in "SFC.EXE /SCANNOW" (without the quotes, and with a space between the SFC.EXE and the /SCANNOW). Then press Enter. (For Vista, go to Start and type in the above information, then go to the top of the box, right click on SFC.EXE /SCANNOW and select "Run As Administrator".)

3. The program may (or may not) ask you for your Windows XP installation CD; please insert it at the prompt. If it doesn't ask you for the CD, this means that it wasn't necessary to replace any files.

4. In the event the system asks you for the CD, you must visit Windows Update immediately after the scan is completed. (Please note that there won't be any confirmation dialog; the program will just exit without telling you anything.)

5. If this doesn't repair the problem with your system, other troubleshooting procedures are required.

#7 wiggy

Posted 22 January 2009 - 03:54 PM

I do not have the installation CD. How do I locate and proceed via the "i386" directory? I'm not even sure where to look for the directory.

#8 I.T. Works

Posted 22 January 2009 - 07:20 PM

As for using the i386 directory, run the sfc and if it asks you for a cd, type "C:\i386" in the path bar and hit Retry or Ok. If that doesn't work, you might be able to use "C:\Windows\Options\Cabs".

Also, just double-check that System Restore is actually being allowed to monitor the drives. It's under the System icon in the Control Panel. You'll see a System Restore tab. Make sure that monitoring isn't turned off. I'm assuming you are running XP here?
-Nelson
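The two things the thread has asked wiggy to check by hand (whether System Restore is still allowed to monitor the drive, per Nelson's post, and whether Windows File Protection has a local copy of the install files to fall back on when sfc /scannow prompts for the CD, per dc3's guide) can be read off the machine directly. The script below is an added example and is not code from this thread or from BleepingComputer; it only reads and reports, changing nothing. The service name srservice, the DisableSR registry value under the Policies and CurrentVersion SystemRestore keys, and the SourcePath / ServicePackSourcePath values under the Setup key are not mentioned in the thread; they are assumed here as the XP-era locations of these settings. The two directories it tests are the ones Nelson named.

```powershell
# Added example (not from the thread): read-only checks for the System Restore
# and Windows File Protection conditions discussed above. Run from a PowerShell
# prompt on a Windows XP machine; nothing is modified.

# 1. The System Restore service. Malware that wipes restore points often also
#    stops or disables this service, which would explain "not able to create a
#    restore point". 'srservice' is assumed to be the XP service name.
$svc = Get-WmiObject Win32_Service -Filter "Name='srservice'"
if ($svc) {
    Write-Output ("srservice: state={0} startmode={1}" -f $svc.State, $svc.StartMode)
    if ($svc.StartMode -eq 'Disabled') {
        Write-Output "  -> service is disabled; System Restore cannot create restore points"
    }
} else {
    Write-Output "srservice not registered on this system"
}

# 2. Registry switches that turn System Restore off. The Policies key is the
#    Group Policy location (also a common malware target); the CurrentVersion key
#    is where the Control Panel "Turn off System Restore" checkbox is stored.
#    Both paths and the DisableSR value name are assumed, not taken from the thread.
$srKeys = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore'
)
foreach ($k in $srKeys) {
    $p = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
    if ($p -and $p.PSObject.Properties['DisableSR']) {
        Write-Output ("{0}\DisableSR = {1}" -f $k, $p.DisableSR)
        if ($p.DisableSR -ne 0) {
            Write-Output "  -> System Restore is turned off here; clear this before retrying"
        }
    } else {
        Write-Output ("{0}\DisableSR not set (OK)" -f $k)
    }
}

# 3. Where Windows File Protection looks for install files when sfc /scannow
#    needs to replace one. If these point at a missing CD drive and no local
#    i386 copy exists, the "Insert your Windows XP ... CD" loop from the thread
#    is the expected result. Key and value names are assumed.
$setupKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup'
$setup = Get-ItemProperty -Path $setupKey -ErrorAction SilentlyContinue
foreach ($name in 'SourcePath', 'ServicePackSourcePath') {
    if ($setup -and $setup.PSObject.Properties[$name]) {
        Write-Output ("Setup\{0} = {1}" -f $name, $setup.$name)
    } else {
        Write-Output ("Setup\{0} not set" -f $name)
    }
}

# Local copies of the install files suggested in the thread. If one of these is
# present, it is the path to give the WFP prompt (or to record as SourcePath).
foreach ($dir in 'C:\i386', 'C:\Windows\Options\Cabs') {
    Write-Output ("{0,-26} present={1}" -f $dir, (Test-Path $dir))
}
```

Reading the output against the thread: a disabled srservice or a non-zero DisableSR explains the failure to create restore points independently of sfc; a SourcePath pointing at a CD drive with neither local directory present explains why Windows File Protection offers only Retry and Cancel.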

#9 wiggy

Posted 22 January 2009 - 10:55 PM

> As for using the i386 directory, run the sfc and if it asks you for a cd, type "C:\i386" in the path bar and hit Retry or Ok. If that doesn't work, you might be able to use "C:\Windows\Options\Cabs".
>
> Also, just double-check that System Restore is actually being allowed to monitor the drives. It's under the System icon in the Control Panel. You'll see a System Restore tab. Make sure that monitoring isn't turned off. I'm assuming you are running XP here?

Thanks for chiming in...feeling a little stuck here.

Unfortunately, I don't get the option to direct to a drive or file. The Windows File Protection window pops up with the following: "Files that are required for Windows to run properly must be copied to the DLL Cache. Insert your Windows XP Professional Service Pack 2 CD now."

My only options are [retry] [more information] and [cancel]. My only option out of the loop is just to cancel it out.

#10 hamluis

Posted 23 January 2009 - 09:39 AM

System manufacturer and model?

Without a Microsoft XP install CD...a user is lacking various tools by which problems can be overcome. The two primary tools lacking would be the ability to run sfc /scannow...and the ability to do a repair install of XP (which leaves programs installed and data files intact).

Without those two tools, the options for repairing a system...are limited somewhat.

Louis

#11 wiggy

Posted 23 January 2009 - 12:07 PM

HP/Compaq 6910p

XP Pro 2002 SP2


As I alluded to in the OP, I was (am) having issues with a rootkit.seneka virus. The surface symptom of this is that it is hijacking my Google result links.

Q: could this virus corruption in the registry be affecting my System Restore? If they are directly related, I do have an issue open in the HJT forum and maybe I should just pursue it within that issue?

#12 hamluis

Posted 23 January 2009 - 12:44 PM

Actually...if you have an open HJT log, are you not supposed to take all suggestions, advice from them...as long as that log is open?

If you are talking about two different systems then that would not apply, of course.

Louis

#13 dc3

Posted 23 January 2009 - 01:01 PM

You posted a second HJT Log today. Because you have this log posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by a HJT Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

#14 wiggy

Posted 23 January 2009 - 02:35 PM

> You posted a second HJT Log today. Because you have this log posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by a HJT Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.
>
> From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Thank you dc3. This is what I thought should occur, just wanted to make sure.

I'll continue working with the HJT group, since that issue has been reopened.

#15 boopme

Posted 23 January 2009 - 02:41 PM

Now that your log is properly posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by a HJT Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

If after 5 days you still have received no response, then post a link to your HJT log in the thread titled "Post in this thread when you haven't received an answer in five days.".

To avoid confusion, I am closing this topic.
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook