System restore problem


17 replies to this topic

#1 q11


Posted 06 November 2009 - 03:22 PM

Help please,

My laptop will not restore to earlier restore points. I've tried 2 different restore dates and the results are the same: "Incomplete Restoration."

Additionally, I have run the following: Malwarebytes Anti-Malware, Bitdefender and Kaspersky online scans. All scans resulted clean; however, I am concerned about what is contained in the wbemess log:

(Thu Nov 05 00:02:33 2009.10237218) : NT Event Log Consumer: could not retrieve sid, 0x80041002
(Thu Nov 05 00:04:28 2009.10351921) : Unable to register event source 'Service Control Manager' on server ''. Error code: 6B5
(Thu Nov 05 00:04:28 2009.10351937) : Event consumer provider is unable to instantiate event consumer NTEventLogEventConsumer="SCM Event Log Consumer": error code 0x80041001
(Thu Nov 05 00:04:28 2009.10352031) : Failed the first attempt to retrieve the sink to deliver an event to event consumer NTEventLogEventConsumer="SCM Event Log Consumer" with error code 80041001.
WMI will reload and retry.
(Thu Nov 05 07:23:13 2009.63531) : NT Event Log Consumer: could not retrieve sid, 0x80041002
(Thu Nov 05 07:23:13 2009.63531) : NT Event Log Consumer: could not retrieve sid, 0x80041002
(Thu Nov 05 07:23:13 2009.63531) : NT Event Log Consumer: could not retrieve sid, 0x80041002
(Thu Nov 05 07:23:13 2009.63531) : NT Event Log Consumer: could not retrieve sid, 0x80041002
(Thu Nov 05 07:23:13 2009.63531) : NT Event Log Consumer: could not retrieve sid, 0x80041002
(Thu Nov 05 07:23:13 2009.63531) : NT Event Log Consumer: could not retrieve sid, 0x80041002
(Thu Nov 05 07:23:13 2009.63531) : NT Event Log Consumer: could not retrieve sid, 0x80041002
(Thu Nov 05 07:23:13 2009.63531) : NT Event Log Consumer: could not retrieve sid, 0x80041002
(Thu Nov 05 07:23:13 2009.63531) : NT Event Log Consumer: could not retrieve sid, 0x80041002
(Thu Nov 05 07:23:13 2009.63531) : NT Event Log Consumer: could not retrieve sid, 0x80041002
(Thu Nov 05 07:23:18 2009.67671) : NT Event Log Consumer: could not retrieve sid, 0x80041002
(Thu Nov 05 07:23:25 2009.74703) : NT Event Log Consumer: could not retrieve sid, 0x80041002
(Thu Nov 05 07:46:35 2009.1465406) : NT Event Log Consumer: could not retrieve sid, 0x80041002
(Thu Nov 05 08:39:55 2009.4665296) : NT Event Log Consumer: could not retrieve sid, 0x80041002
(Thu Nov 05 09:18:00 2009.6949734) : NT Event Log Consumer: could not retrieve sid, 0x80041002

-------------------------------------------------------

What is the function of wbemess and is the computer trying to communicate? Is the laptop infected?
What should I do?

And why can't the computer system restore to another restore point? Are there any corrupted files?

Thanks in advance,

Q11
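A log like the one quoted above is easier to judge once repeats are collapsed and the error codes are named. The following Python sketch is an added example, not part of the original post or of any Windows tool: it parses the `(timestamp.number) : message` format seen above, folds continuation lines into the previous entry, and groups identical messages. The field names are assumptions, the number after the year is kept as an opaque string, and the three code names are the standard Windows SDK constants for those values.

```python
import re
from datetime import datetime

# Sample input: lines copied from the wbemess log quoted in the post above.
SAMPLE = """\
(Thu Nov 05 00:02:33 2009.10237218) : NT Event Log Consumer: could not retrieve sid, 0x80041002
(Thu Nov 05 00:04:28 2009.10351921) : Unable to register event source 'Service Control Manager' on server ''. Error code: 6B5
(Thu Nov 05 00:04:28 2009.10352031) : Failed the first attempt to retrieve the sink to deliver an event to event consumer NTEventLogEventConsumer="SCM Event Log Consumer" with error code 80041001.
WMI will reload and retry.
(Thu Nov 05 07:23:13 2009.63531) : NT Event Log Consumer: could not retrieve sid, 0x80041002
(Thu Nov 05 07:23:13 2009.63531) : NT Event Log Consumer: could not retrieve sid, 0x80041002
"""

ENTRY = re.compile(r"^\((\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2} \d{4})\.(\d+)\) : (.*)$")
# Codes appear as "0x80041002", "error code 80041001" or "Error code: 6B5".
CODE = re.compile(r"(?:0x|error code:? )([0-9a-f]{3,8})\b", re.IGNORECASE)
KNOWN = {
    0x80041001: "WBEM_E_FAILED",
    0x80041002: "WBEM_E_NOT_FOUND",
    0x000006B5: "RPC_S_UNKNOWN_IF",  # Win32 error 1717
}

def parse(text):
    """Return one dict per log entry; untimestamped lines extend the previous entry."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            when = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
            entries.append({"when": when, "field": m.group(2), "msg": m.group(3).strip()})
        elif line.strip() and entries:
            entries[-1]["msg"] += " " + line.strip()
    return entries

def summarize(entries):
    """Group identical messages: count, first/last time seen, named error codes."""
    groups = {}
    for e in entries:
        g = groups.setdefault(e["msg"], {"msg": e["msg"], "count": 0,
                                         "first": e["when"], "last": e["when"]})
        g["count"] += 1
        g["first"] = min(g["first"], e["when"])
        g["last"] = max(g["last"], e["when"])
    for g in groups.values():
        g["codes"] = ["0x%08X %s" % (int(h, 16), KNOWN.get(int(h, 16), "(not in table)"))
                      for h in CODE.findall(g["msg"])]
    # Most frequent first; ties keep first-seen order because sorted() is stable.
    return sorted(groups.values(), key=lambda g: -g["count"])

if __name__ == "__main__":
    for g in summarize(parse(SAMPLE)):
        print(g["count"], g["first"], g["last"], g["codes"], g["msg"][:60])
```
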



#2 q11


Posted 06 November 2009 - 07:35 PM

Does anyone have any advice to the above restoration and wbemess problems?

Thanks,
q11

#3 joseibarra


Posted 06 November 2009 - 10:21 PM

Does the message really read something like "Restoration Incomplete..." and does your attempt at restoring to an earlier date with SR look okay and you just see that message on a reboot? When do you see this message and what does it say exactly?

Do you now or have you ever had any Norton products installed? Norton products tend to protect themselves and can thwart SR - it looks good until you reboot and then you get the Restoration Incomplete message, but this can be fixed.

Some more details about the message and your system will help.

Click Start, Run and in the box enter:

msinfo32

Click OK, and when the System Summary info appears, click Edit, Select All, Copy and then paste
the information back here.

There will be some personal information (like System Name and User Name), and whatever appears to
be private information to you, just delete from the pasted information.

This will minimize back and forth Q&A and eliminate guesswork and assumptions.

I am not sure about the wbemess log file - I have similar messages in mine when I reboot and read that it is part of the Windows Management Instrumentation process. I don't have any known problems, so I never paid attention to it, and might not pay attention to it.

I don't think the messages are related to your SR issue though.

Not everything in a log file is an error - there are informational messages as well. It is curious though. Perhaps somebody else will know about that.

Edited by joseibarra, 07 November 2009 - 09:07 AM.

The mediocre teacher tells. The good teacher explains. The superior teacher demonstrates.


#4 Stang777


Posted 07 November 2009 - 02:07 AM

I would just keep trying different restore points. I recently tried to restore my system to several different dates, with it telling me afterwards that it could not restore my system and that it made no changes to it, but I kept trying different dates and finally one worked.

#5 jsmart7


Posted 07 November 2009 - 11:09 AM

Check whether your System Restore setting is disabled or enabled. If disabled, then first enable it, and try. Otherwise you will need a repair installation. You can also try System Restore in Safe Mode, or in the last best config mode.

#6 q11


Posted 07 November 2009 - 02:18 PM

Hi All,

Thanks for the replies. I tried 5 different restore point dates (both at Normal and Safe Modes) and the same message appears: "Incomplete Restoration," the computer could not restore at the specific date, and to try a different restore date.

Below is the info requested re: msinfo32. I have also included a current Hijackthis log.

Any and all help is GREATLY appreciated,
q11

OS Name Microsoft Windows XP Home Edition
Version 5.1.2600 Service Pack 2 Build 2600
OS Manufacturer Microsoft Corporation
System Name YOUR-410587B6
System Manufacturer Hewlett-Packard
System Model HP Pavilion dv1000 (PR42A#ABA)
System Type X86-based PC
Processor x86 Family 6 Model 13 Stepping 6 GenuineIntel ~1695 Mhz
BIOS Version/Date Hewlett-Packard F.13, 12/17/2004
SMBIOS Version 2.31
Windows Directory C:\WINDOWS
System Directory C:\WINDOWS\system32
Boot Device \Device\HarddiskVolume1
Locale United States
Hardware Abstraction Layer Version = "5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)"
Time Zone US Mountain Standard Time
Total Physical Memory 512.00 MB
Available Physical Memory 170.22 MB
Total Virtual Memory 2.00 GB
Available Virtual Memory 1.96 GB
Page File Space 1.09 GB
Page File C:\pagefile.sys


Logfile of HijackThis v1.99.1
Scan saved at 11:45:35 AM, on 11/7/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4254E07D-1B18-446C-BA07-20A70E629F88} - C:\PROGRA~1\AEVITA~1\SAVEFL~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &AEVITA Save Flash - {33973600-925A-11D9-A1F6-9234C84D2622} - C:\PROGRA~1\AEVITA~1\SAVEFL~1.DLL
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AEVITA Save Flash - {0C4D904C-697B-4F51-B82F-D5D8D8D36405} - C:\PROGRA~1\AEVITA~1\SAVEFL~1.DLL
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=pavilion&pf=laptop
O16 - DPF: {14C1B87C-3342-445F-9B5E-365FF330A3AC} (Hewlett-Packard Online Support Services) - http://h50203.www5.hp.com/HPISWeb/Customer...DataManager.CAB
O16 - DPF: {5ACAA414-FCF1-468F-9442-71A7B6D2079E} (CitrixActivator Control) - https://www.myswa.com/maestroap_if/CitrixActivator.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/...can8/oscan8.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe

#7 joseibarra


Posted 07 November 2009 - 02:29 PM

So you do now or have had Norton installed...

See here how Norton can interfere with SR and what to do about it.

http://service1.symantec.com/SUPPORT/share...005113009323013

You may want to edit and remove the Hijackthis info from your last post since they go in a different forum here at BC. Leave the msinfo32 stuff.

Otherwise, you may find yourself "moved", and I think you are almost done.

BTW - you are behind in your XP Service Packs and your Hijackthis is an old version :thumbsup:



#8 q11


Posted 07 November 2009 - 03:52 PM

joseibarra,

I deleted the Norton Anti-virus 2005 and tried System Restore, but it failed again. System restore goes through the whole process and the resultant message displays:

"Incomplete Restoration"

Your computer cannot be restored to: Saturday October 17, 2009
System Checkpoint

No changes have been made to your computer

----------------------------------

I am lost as to what to do next.

Thanks,
q11

#9 q11


Posted 07 November 2009 - 03:53 PM

How do I remove the Hijackthis log?

Thanks,
q11

#10 joseibarra


Posted 07 November 2009 - 04:26 PM

You can edit any post you made and delete the HJ log, or you can attach it as a separate file. Maybe somebody else will spot something.

Do you see this SR message after you go through the entire SR process and only see it on reboot or is it before you reboot?

I would have thought Norton was the culprit at first, but if you are sure it is gone and rebooted and still no luck with SR, then I think Safe Mode would be next. Boot in Safe Mode, do your SR process, reboot normally. Here is a good SR article from MS that suggests Safe Mode.

http://www.microsoft.com/windowsxp/using/h...ew_03may19.mspx

It may take considerable troubleshooting to try to get it to work on a normal boot, but it is suggested in a MS sponsored article and I have read some posts where SR will only work when run from Safe Mode. Can't hurt!

It is curious... I do not have this problem though.



#11 q11


Posted 07 November 2009 - 05:12 PM

I've tried several RS points in both Normal & Safe Modes. The RS goes through the process completely with no hang ups or errors; however, the same message appears after every process.

I have in the past restored the computer to a past point successfully; it has been a while, though.

I do appreciate your help,
q11

#12 joseibarra


Posted 07 November 2009 - 07:11 PM

I am still not sure exactly when you see the message.

Perhaps your RPs are all corrupted somehow - malicious software maybe. This can happen and you may have removed some malicious software in the past, but it lingers in your RPs. Sometimes you just have to whack all your suspicious RPs and start fresh. They don't seem to want to work anyway.

Since none of them work and unless anybody else has a better idea you can delete them all, make a brand new one and make sure at least the SR mechanism works properly for the future.

You would right click My Computer, Properties, System Restore, check the box for Turn off System Restore on all drives (which will automatically delete all the RPs), turn SR back on, make a brand new RP for today (I would reboot at this point) and immediately restore and be sure everything looks good.



#13 q11


Posted 07 November 2009 - 07:35 PM

I see the message after the computer reboots itself from the SR process.

Should I delete all RPs or can I create one first to see if it will work? How would I do that?

Thanks,
q11

#14 joseibarra


Posted 07 November 2009 - 10:17 PM

You do not have to delete anything. When you turn off SR, all the old RPs will automatically be deleted, then turn SR back on, etc.



#15 q11


Posted 08 November 2009 - 02:27 AM

Thanks joseibarra! I will do your recommendation in the morning.

If other members have any ideas I welcome them.

Thanks,
q11



