system restore



#1 hopkintonma (Members, 6 posts)

Posted 07 January 2010 - 11:12 AM

I had a virus and wanted to restore my system to a previous state. When selecting the 'System Restore' option under the Accessories menu pulldowns, the reply is that "system restore has been turned off by group policy. To turn on system restore, contact your domain administrator." All users of the computer are listed as administrators in the administrator group. Also, when going to the Control Panel and double-clicking on System, I don't have a System Restore tab (which I thought I should). How do I enable the 'System Restore' capability?


#2 Papakid (Malware Response Team, 6,663 posts)

Posted 07 January 2010 - 12:42 PM

The Group Policy has been edited to deny you permission to control System Restore. Even any accounts with Administrator rights can be denied permission by group policy to do certain tasks. For more information on what Group Policy is:
http://en.wikipedia.org/wiki/Group_Policy

Group Policy is a set of rules which control the working environment of user accounts and computer accounts. Group Policy provides the centralized management and configuration of operating systems, applications and users' settings in an Active Directory environment. In other words, Group Policy in part controls what users can and can't do on a computer system.

It could well be that the infection you have or had has edited your system's Group Policy (GP) as someone had a similar question recently--that has yet to be resolved. One thing I can tell you is that even if you fix System Restore you won't be able to use it to return to a previous state because it has been turned off so your restore points are all gone.

We can try to fix SR but I need answers to some questions first.

1. Are you running XP Home or Pro?
2. Are you using any Norton or Symantec antivirus or security suite?

Also what was the name given to the virus/malware and are you sure it's gone?

We always did feel the same

We just started from a different point of view

Tangled up in blue--Bob Dylan


#3 hopkintonma (Topic Starter, 6 posts)

Posted 07 January 2010 - 01:01 PM

I am running XP Pro. I have Webroot Anti-Virus and Webroot Anti-Spyware running and I also loaded a free version of AVG to try to find the virus. I have since uninstalled that. The virus is not gone (at least not completely) as I still have the browser redirect problem that I have seen in various forums/threads. I wanted to get my System Restore working before I tried the ComboFix solution that I saw advertised as fixing the problem.

#4 Papakid (Malware Response Team, 6,663 posts)

Posted 07 January 2010 - 01:46 PM

OK, try following the instructions on the following page:
http://www.theeldergeek.com/re-enable_system_restore.htm

If successful, you will have a new restore point when SR is re-enabled. Test SR by restoring to that Restore Point just to see if SR is functioning and please let us know the results either way.

It is good you want to get SR working again but please do not use Combofix on your own. The author only wants it used by malware removal specialists that work forums like BC's here:
http://www.bleepingcomputer.com/forums/f/22/virus-trojan-spyware-and-malware-removal-logs/

Any advertisement of Combofix is bogus and if you have gotten advice elsewhere about running it unsupervised it's misguided. I do admire the desire to handle this on your own, but there are many reasons for the restrictions of its use. For one thing, it may or may not fix the malware--today's malware morphs so quickly that automatic removal tools get outdated quickly--and if you have what I think you do then it probably won't remove all elements anyway. It's very sophisticated and makes it a high risk that removing it could result in catastrophic failure--that even a working System Restore could not help you with. Also CF has many amazing capabilities, among them manual removal, that only people trained to use it are aware of--and if they run into problems they can contact the author to resolve it.

So please check your logs and let me know what name was given to the infection/s. I may have the time to guide you through the use of combofix or whatever is necessary--but not in this subforum--with or without SR working. In the malware removal process, other backups are made if recovery is needed, but let's see if you can re-enable SR in the normal way first.



#5 hopkintonma (Topic Starter, 6 posts)

Posted 07 January 2010 - 02:11 PM

I will try the System Restore fix tonight; it is on my home PC. I actually found the ComboFix mentioned on a Google support forum page that referred to it as coming from the BleepingComputer site, which is how I ended up posting here. I will hold off on the ComboFix. I will check my Webroot log file tonight. I can't check the AVG as the program was uninstalled. I ended up doing my web browsing here as my home web browsing was compromised.

#6 hopkintonma (Topic Starter, 6 posts)

Posted 07 January 2010 - 09:34 PM

I went through the procedure twice to no avail. I still have no System Restore tab in the System Properties pop-up box and I still have the Group Policy warning when I try to run it. When I clicked the Start button on the System Restore Service pop-up box, a message "Windows is attempting to start the following service . . . " followed by "System Restore Service service on Local Computer started and then stopped. . . ." So, I'm not sure if the service should have stayed on or if it was fine that it started and then stopped. Anyway, I appreciate the directions but they don't seem to have solved my missing System Restore.

I think these are the last 2 viruses found by Webroot:
Found Troj/Fortn-A: Troj/Fortn-A
Found App/Punkbust-B: App/Punkbust-B
AVG also found one virus before I uninstalled it but I don't remember what it was.

#7 Papakid (Malware Response Team, 6,663 posts)

Posted 09 January 2010 - 12:40 AM

My apologies for your long wait. I've been away from malware removal for a while and trying to bone up on the latest--even though it doesn't seem Webroot has caught it, you probably have the fairly new and very complex and nasty malware that may have locked you out of System Restore so you may have to do the malware removal without it. As mentioned before other backups are made and malware removal specialists are trained to recover from any complications. Even so, you should consider that a reformat and reinstall of Windows may be easier and in any event I would advise you begin backing up your important data now if you haven't done so already.

Let's try another fix by editing the registry, but you may be locked out of that as well.

Open Notepad and copy the text in the quotebox below and paste it into Notepad:

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore]
"DisableConfig"=-
"DisableSR"=-

Don't copy the word "quote" and make sure the top line is REGEDIT4 and that there is a blank line below that. Turn off word wrap in Notepad from the Format menu. Save the file and name it FixSRP.reg. Be sure to change the "Save as Type:" to All Files, then save it to your desktop. Now doubleclick on FixSRP.reg and allow it to merge with your registry.

Reboot and then go back and try to start the System Restore service again. If it won't stay started--which it needs to be running in order to work--then you won't have a SR tab in System Properties so you're still locked out.

Let me know, but at this point I suggest you follow all the relevant instructions in the following thread:
http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/

When you have your logs ready to post come back here and post the link to your thread. If you have any questions or anything else to discuss, post that before posting the link as this thread will be closed as once you have your logs posted.

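The .reg file in the post above deletes the two policy values, but it gives no feedback if the delete is refused and it does not check the service. The cmd.exe script below is an added example, not code from Papakid's post or from BleepingComputer, that does the same job with the stock XP tools reg.exe, sc.exe, net.exe and find.exe and then performs the two checks a practitioner wants: are the values really gone, and does srservice stay in the RUNNING state. The policy key path and the srservice name are the ones the thread itself uses; the second key, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\DisableSR, is the non-policy switch behind the "Turn off System Restore" checkbox and is included here as an extra check.

```batch
@echo off
REM Added example, not code from the thread: clear the System Restore policy
REM lock with reg.exe and check that the srservice service stays running.
REM Run from an Administrator account on Windows XP. Every tool used
REM (reg, sc, net, find) ships with XP.
setlocal

set POLKEY=HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
set SRKEY=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore

echo == 1. Policy values behind "turned off by group policy"
for %%V in (DisableSR DisableConfig) do (
    reg query "%POLKEY%" /v %%V >nul 2>&1
    if not errorlevel 1 (
        echo    %POLKEY%\%%V is set, deleting it
        reg delete "%POLKEY%" /v %%V /f >nul 2>&1
        if errorlevel 1 echo    could not delete %%V: key ACL was changed, or a domain GPO owns it
    )
)
reg query "%POLKEY%" >nul 2>&1 && echo    policy key still exists, inspect it with: reg query "%POLKEY%"

echo == 2. Non-policy switch set by the System Properties checkbox
reg query "%SRKEY%" /v DisableSR 2>nul | find /i "0x1" >nul
if not errorlevel 1 (
    echo    DisableSR=1 under CurrentVersion, resetting it to 0
    reg add "%SRKEY%" /v DisableSR /t REG_DWORD /d 0 /f >nul
)

echo == 3. Service must be Automatic and remain RUNNING after a start
sc config srservice start= auto >nul
net start srservice >nul 2>&1
sc query srservice | find "STATE"
sc query srservice | find "RUNNING" >nul
if errorlevel 1 (
    echo    srservice is not running: it started and stopped, or was refused; SR files need repair
) else (
    echo    srservice RUNNING: System Properties should now show the System Restore tab
)
endlocal
```

Two caveats the script reports but cannot fix: if reg delete answers "Access is denied" for an administrator, the key's permissions have been altered and must be restored (regedit's Permissions dialog, taking ownership as Administrators) before the values can go; and on a domain-joined machine a real GPO will simply write the values back at the next policy refresh, which is why the original error message says to contact the domain administrator.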


#8 OldGrumpyBastard (Members, 781 posts)

Posted 09 January 2010 - 08:19 AM

Information from Trend Micro:

http://threatinfo.trendmicro.com/vinfo/vir...ES&VSect=Sn

You will probably do yourself a big favor and follow Papakid's advice and follow the link for preparing a HijackThis log...This may just be the tip of the iceberg, IMO...
Does this look like an OldGrumpyBastard or what?

#9 joseibarra (Members, 1,305 posts)

Posted 09 January 2010 - 08:20 AM

IMHO - when you see that started/stopped message trying to start the SR service, it is time to reinstall SR from the sr.inf file.

You can mess around trying to fix it for a long time and consume many otherwise productive time cycles.

I would run MBAM and SAS until they run clean, then just reinstall SR and be done with it.

Reinstalling System Restore will delete all existing Restore Points.

Click Start, Run and type %Windir%\INF or browse to c:\windows\inf

Locate the SR.INF file.

If you have configured Windows Explorer to hide known file extensions, the file may show up as just SR.
To see the file extensions for all file types on the Tools menu click Folder Options.

Click the View tab.

Clear the Hide extensions for known file types check box.

Right-click the SR.INF file, and then click Install

Windows will now attempt to reinstall System Restore, and may prompt you for the Windows installation source path.

The desired files are already installed on your system but the installation would like to use the XP installation CD which you may not have. While the install is waiting for a file, you can search for it and point the installation there or point the installation here:

%Windir%\ServicePackFiles

Or insert your slipstreamed Windows XP (matching the Service Pack level of your system).

System Restore core files will be reinstalled. Restart Windows when prompted.

Test SR by making a new RP, reboot, immediately restore the system using the new RP and be sure it works.

Get the service running again first and if it still won't launch, fix that next.

Resolve any remaining issues.


The mediocre teacher tells. The good teacher explains. The superior teacher demonstrates.
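The right-click > Install step above can also be driven from the command line, which makes it easier to repeat and to verify. The script below is an added example, not code from joseibarra's post or from BleepingComputer. It assumes that DefaultInstall is the install section in sr.inf (the section the Install context-menu verb uses), that the service-pack copies of the files live in %windir%\ServicePackFiles\i386, and that wmic.exe is available (it is on XP Professional). After the reinstall it creates a restore point through the SystemRestore WMI class and lists the points on the machine, which is the "make a new RP" half of the test described above; the restore itself is still done from the System Restore wizard.

```batch
@echo off
REM Added example, not code from the thread: reinstall System Restore from
REM sr.inf from the command line, then verify by creating and listing a
REM restore point through the SystemRestore WMI class (namespace root\default).
REM Assumptions: DefaultInstall is the install section in sr.inf, the SP file
REM source is %windir%\ServicePackFiles\i386, and wmic.exe exists (XP Pro).
setlocal
set INF=%windir%\inf\sr.inf
set SRC=%windir%\ServicePackFiles\i386

if not exist "%INF%" (
    echo %INF% is missing, System Restore cannot be reinstalled from it
    exit /b 1
)
if not exist "%SRC%\sr.sys" echo note: %SRC% has no sr.sys, keep the XP CD at hand if prompted

echo == Reinstalling System Restore from %INF% (a source-path or reboot prompt may appear)
REM 132 = 128 (take the source path from the INF's own directory) plus the
REM reboot-mode bits used in the usual InstallHinfSection invocation.
rundll32.exe setupapi,InstallHinfSection DefaultInstall 132 %INF%

echo == Service state after the reinstall
sc config srservice start= auto >nul
net start srservice >nul 2>&1
sc query srservice | find "STATE"

echo == Create a test restore point (type 0 = APPLICATION_INSTALL, event 100 = BEGIN_SYSTEM_CHANGE)
wmic /namespace:\\root\default path SystemRestore call CreateRestorePoint "SR reinstall test", 0, 100

echo == Restore points now on this machine
wmic /namespace:\\root\default path SystemRestore get SequenceNumber,CreationTime,Description
endlocal
```

If the wmic call returns a non-zero ReturnValue or the listing stays empty while srservice reports RUNNING, the service is up but the SR filter driver or its data store is not, which is the "fix that next" case in the post above. Note that any restore point created here captures the machine as it is, malware included, so the test point should be deleted once the cleanup is done.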


#10 Papakid (Malware Response Team, 6,663 posts)

Posted 09 January 2010 - 11:12 AM

> IMHO - when you see that started/stopped message trying to start the SR service, it is time to reinstall SR from the sr.inf file.

I considered recommending a reinstall of SR but the reg fix would be much quicker and if it doesn't work, then it is likely a reinstall would fail as well as long as the malware is still present and/or the permissions to alter that reg key is denied.

> You can mess around trying to fix it for a long time and consume many otherwise productive time cycles.
>
> I would run MBAM and SAS until they run clean, then just reinstall SR and be done with it.

I agree, get rid of the malware first, then look to repair SR. That is why I recommended a quick fix and if that doesn't work go to malware removal forum. It seems to me trying to reinstall SR before removing the malware would be a bigger waste of time. hopkintonma may want to try running MBAM and SAS but it is doubtful that will remove the malware I suspect is there--a rootkit installed to the Master Boot Record that won't be detected by most AV's. The logs will give an idea--and proof--of what is actually present and tools like CF can deal with it and even unlock the registry and help with other repairs.

Although running SAS is not a bad idea at all. After removing what it finds, you can go to the Repairs section and have it try to fix policy restrictions and the SR service. I just never see this section used and don't know how well it works.

But the bottom line is that the folks at aumha.org, who have a whole forum dedicated to System Restore, don't try to fix SR if there is any hint that an infection is involved and will refer people to their own malware removal forum. Aumha's SR forum is recommended by Bert Kinney, the recognized expert on System Restore.
http://bertk.mvps.org/html/srfail.html
Following are examples of aumha's policy:
http://aumha.net/viewtopic.php?f=54&t=41979
http://aumha.net/viewtopic.php?f=54&t=42609
http://aumha.net/viewtopic.php?f=54&t=42916

> Reinstalling System Restore will delete all existing Restore Points.

True, but in hopkintonma's case, with SR already off, there are no Restore Points there to delete.

> Information from Trend Micro:
>
> http://threatinfo.trendmicro.com/vinfo/vir...ES&VSect=Sn
>
> You will probably do yourself a big favor and follow Papakid's advice and follow the link for preparing a HijackThis log...This may just be the tip of the iceberg, IMO...

Thanks, OGB--yes, it does look like the tip of an iceberg. Byte Verify sounds worse than it usually is, not really an infection but a vulnerability, but is still an indication that an infection may have gotten in through the vulnerability in a really old version of Java. It can be fixed by installing the latest version of Sun's Java runtime environment, deleting all old versions and using CCleaner to clear the Java cache--for some reason CCleaner does a better job at this than other methods/software. Getting Java updated is also standard procedure in the malware removal forums so another reason to go there.



#11 OldGrumpyBastard (Members, 781 posts)

Posted 09 January 2010 - 12:19 PM

Papakid,

I agree with you completely about old versions of Java as I have experienced similar problems with Java in the past. That being said, great care should be used with running CCleaner (I know I'm being a little paranoid here) but I have seen instances where running it improperly could cause more harm than good ie: resulting in a very expensive door stop. I have used it in the past (but very carefully going over the descriptions of every item that it found to correct and made a decision on whether or not to let it clean them one by one)...a more novice user may not be that patient.

By running HijackThis the O/P will have a log that will show you what version of Java (as you well know) along with all of the BHO's and other processes that may be running (that shouldn't be running)...That is the route that I would take as I am sure that you would also...

#12 Papakid (Malware Response Team, 6,663 posts)

Posted 09 January 2010 - 01:24 PM

OGB,
Yes, I agree about CCleaner--what you describe can happen when the registry Issues section is used. The cleanup of junk files like browser cache is usually pretty safe, although they give the option to clean up some things that really aren't necessary or that you might need later--like Wipe Free Space and Windows debug logs. For quick cleanup of normal Java and browser cache I like ATF Cleaner by Attribune, which is mostly what is used in the malware removal forum. But there are a couple of things that CCleaner does that ATF doesn't that causes me to recommend CCleaner in certain circumstances:

1. The old Java cache that can result in the detection of Java Byte Verify. I am a little sketchy on the details ATM, but I have some notes documenting what I am about to say somewhere. Version 4 something of Sun's Java stored its cache in a different folder than later versions. Even with the older versions uninstalled, that cache folder would remain on someone's system. So a person could get a detection of byte verify or similar and using ATF Cleaner or even the newer version of Sun Java's interface to clean out the Java cache doesn't touch that old folder. CCleaner will get rid of it though. It may also deal with the cache of the old Microsoft Java Virtual Machine cache but I don't know that for sure.

2. Index.dat. CCleaner will delete the buggy Index.dat file from the Internet Explorer cache and other Windows history folders (when the system is rebooted)--ATF Cleaner and many other junk file cleaners won't.

> By running HijackThis the O/P will have a log that will show you what version of Java (as you well know) along with all of the BHO's and other processes that may be running (that shouldn't be running)...That is the route that I would take as I am sure that you would also...

Just FYI, other enumeration programs are used now that have even more detailed information. HJT is still useful but the malware authors know what areas of the registry it looks in and uses other areas to avoid detection. For example it won't see rootkits because most kernel level rootkits are basically drivers that aren't listed in the services console. Also a normal scan with HJT will show you if the current version of Java is outdated, but it won't show if and how many older versions of Java are installed--DDS and some of the other newer enumerating programs will.

But the point remains that such logs are good solid evidence that takes much of the guesswork out of the malware analysis and removal process.



#13 OldGrumpyBastard (Members, 781 posts)

Posted 09 January 2010 - 02:05 PM

That is the problem with novice usage (cleaning the registry)....A lot of the problems with that tool is just that....Letting it remove what it wants is not always a good practice....selecting what you want it to clean is entirely different as you suggest...Not all users are as knowledgeable about what to save and what to get rid of so they just remove everything...and that was my point....I knew that my original response was going to open up a can of worms!!! It always does when CCleaner comes up...

For the same reason unsupervised usage of ComboFix causes more bad issues than good...You need to have a really sound knowledge of what you are trying to accomplish before you plunge in...


#14 Papakid (Malware Response Team, 6,663 posts)

Posted 10 January 2010 - 10:33 AM

No can of worms, unless there is a bit of a misunderstanding involved. I am not a fanboy of CCleaner and so use it grudgingly. I agree completely with what you've expressed about newbie usage. In fact, when CCleaner first came out it was being used a lot by some helpers in the malware removal forum. I posted in a staff forum questioning whether it should be used because of the Issues tab and how some newbies won't know to be cautious with it. If used in malware removal forum, it should be with specific instructions. I was called ridiculous for that. :thumbsup:

Perhaps I was a bit lax in an earlier post--my apologies for that. I didn't intend to instruct anyone to use CCleaner--instead the intent was to give an overview of how to clear a java byte verify detection. Even though I'm not a CCleaner fan, I don't blanket condemn it either. When I do ask people to use it I tell them to leave the Issues section alone and which other categories to clean up. Plus CCleaner has removed the Issues tab (that used to be next to the junk files tabs) and put that function in the sidebar so it is not as easy for newbies and the uninformed to mistake it for something that should always be used. On the other hand, they keep adding irritating functions like wipe free space and a System Restore manager that are mostly useless and can cause problems.

So it's a mixed feelings kind of thing for me. One other thing on the positive side is that, if you have a computer with multiple user accounts (like me), you can set CCleaner to clear IE's cache, including the index.dat, from each account while logged into just one account.



#15 hopkintonma (Topic Starter, 6 posts)

Posted 14 January 2010 - 10:50 AM

I think I'm going to go with the reformat and reinstall option once I save any files I want. Any advice on how to avoid copying anything virus related when I save some files?
