
Cannot DISABLE System Restore


  • This topic is locked
5 replies to this topic

#1 RayS

  • Malware Response Team
  • 2,442 posts
  • Location:USA

Posted 02 June 2010 - 03:53 AM

To All,

Running WinXP Pro SP3.

The long message below tells you how I got to this point, but the most recent problem is that I get the following when I try to DISABLE System Restore: "...error trying to enable/disable one or more drives. Reboot and try again". Needless to say, I have tried rebooting multiple times. The Registry tweak at http://www.kellys-korner-xp.com/xp_tweaks.htm on line 278 called "Restore/Enable system restore" is no help. This is a new problem that started tonight.


On May 15th, I unintentionally allowed an EXE file to download, and then mistakenly launched it. WinPatrol alerted me right away that a BHO was trying to install on one of my browsers. MSIE v8.0 and Firefox v3.6.3 were both running, and I didn't notice which browser was being targeted. I denied access to the BHO via WinPatrol but a different WinPatrol warning popped up immediately. I quickly deleted the EXE file, but the damage had already been done.

I ran scans with AVG Free and Malwarebytes. The following were found:

1886083054.EXE Trojan horse SHEUR3.WHA Process name BSQMCL.EXE all in \Local Settings\Temp

Win32\ALVREON Trojan generic17.cafo

Also identified Windows\Temp\00003a18 and Windows\Temp\00007392

Also suspicious in Startup Programs RHQQF in C:\Program Files\Windows Services\SVCHOST.EXE and an un-named MSIE helper in C:\Windows\System32\JE126U3.DLL This same DLL is listed as an entry in the Registry in HKLM\Software... (I can give you the exact key location if you need it).

I allowed AVG Free and Malwarebytes to quarantine these threats. Then I deleted the quarantined items and rebooted.

A short time later, AVG Resident Shield quarantined Windows\system32\msihost.exe labeled as Trojan SHEUR3XZ0 and www1.cosmosave1.com threat analysis type 1007

I deleted the quarantined items and rebooted.

The next day, AVG said the following accessed file is infected and it said "Threat was blocked": www1.zoneofsafe29-pr.net/?
The process name was Svchost.exe and Process ID was 1280.

During another whole system scan with both AVG Free and Malwarebytes, MBAM quarantined the following Registry Key: HKEY_Current.USER\Software\fouked-U

I deleted the quarantined items, disabled System Restore, and rebooted into Safe Mode.

While in Safe Mode, during another whole system scan, MBAM quarantined the following:
HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\explorer\IDSTRF and it identified the vendor as malware.trace

On May 18, I consulted several sources including this forum. Then I disabled System Restore, ran TFC.EXE (temporary file cleaner), installed SUPERAntiSpyware Free and, in Safe Mode, ran a whole system scan. SAS quarantined TROJAN/AGENT/Gen-FakeAV.

I deleted that threat, and the PC appeared to run normally until May 19, when SAS quarantined the same trojan.

A second SAS scan on 5/19 quarantined TROJAN/AGENT/Gen-FakeAlert

A third SAS whole system scan on 5/19 quarantined TROJAN.Dropper/sys-NV

In all cases, I deleted quarantined items.

Subsequent scans on 5/19 using SAS, MBAM, and AVG found nothing.

On 5/23 while the PC was idle with both browsers open to well-known astronomy websites, AVG Resident Shield said it had blocked www2.userguardzz1.com? in Svchost.exe Process ID was 1280.

Again, I ran TFC.EXE in Safe Mode with System Restore OFF. I ran all three scanners again but they found nothing.

All appeared normal until 5/29, when AVG Resident Shield blocked VIP-1127.com. Threat name is Exploit Neosploit Toolkit (Type 1109) in Windows Explorer; Process ID is 4572.

All three scanners still find nothing.

On June 1, with both browsers running but idle, WinPatrol said Microsoft Bookmark Manager wanted to install itself. I denied access, but the pop-up kept returning. I closed both browsers, but Bookmark Manager pop-up continued. I ran TFC.EXE again but after re-boot, I have lost all internet connectivity on that PC. (I'm using a different PC now.)

Device Manager says NVIDIA nForce Networking Controller is working normally, but in DOS Mode, IPCONFIG cannot see the router. When I try IPCONFIG /renew it returns error, "RPC server unavailable". The monitor light on the network adapter card is steady green, and I swapped the cable from PC to router with a cable that had been running normally. Two other desktop PCs are connected to the router by Ethernet cable. A laptop is connected wirelessly. Those computers have normal internet connections.

I just rebooted the sick PC into Safe Mode and ran TFC.EXE again. I then rebooted into Safe Mode and ran MBAM and SAS on the whole PC again, but, this time, I did not close System Restore. SAS quarantined the following: Trojan.Agent/Gen-Nullo[Short]
C:\SYSTEM VOLUME INFORMATION\_RESTORE{17A0D303-F1F7-4B27-ADB1-E577D7A89A15}\RP1\A0000040.DLL

I deleted the threat, and rebooted normally. The PC still has no connectivity.

I used WinPatrol v17.0.2010 to examine all the IE Helpers. I found an un-named helper at HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar. I deleted that helper and rebooted but no joy.

I doubt this is a hardware problem because I had perfect connectivity right up until I rebooted for the first time tonight. Three other PCs are still connected to each other via the LAN, and they have good internet connections.

What do you recommend as my next step?

Thanks for your help,

RayS

I don't accept payment for my help, but it would please me if you perform a kindness for your neighbor. You might also contact your local animal shelter. They can always use a bag of kibble or a few cans of pet food. Who knows... you might even find a life-long furry friend there.


#2 Orange Blossom

  • OBleepin Investigator
  • Moderator
  • 37,111 posts
  • Location:Bloomington, IN

Posted 02 June 2010 - 08:13 PM

Hello,

You've got a bad one aboard that requires specialized tools to remove. Please follow the instructions in ==>This Guide<== starting at Step 6.

Once the proper logs are created, then make a NEW TOPIC and post it ==>HERE<== Please include a description of your computer issues and what you have done to try to resolve them.

If you can produce at least some of the logs, then please create the new topic and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the topic and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Internet Security, NoScript Firefox ext.



#3 RayS (Topic Starter)

Posted 03 June 2010 - 05:19 AM

Hello OB

Thanks for your quick reply.

I followed all the instructions in your guide through step 8, but at the completion of the GMER scan, when I pressed the Save button, no screen opened to allow me to say where to save. Instead, I saw the hourglass which is still onscreen. It took over six hours to complete the scan, so I'm reluctant to abort GMER.

The scan produced twenty lines of output. I copied some of it by hand, and will post that.

If I do abort and press the copy button, maybe I can paste the next scan results into Notepad. I'm not sure what "bump" means, but if I post partial results now and follow with a completed scan later, will that be considered a bump?

Thanks again,

RayS



#4 Orange Blossom

Posted 03 June 2010 - 12:55 PM

If you manage to get a complete log, go ahead and post it and I'll merge it to the original topic. However, if you can't get the log, don't worry about it.

Orange Blossom :thumbsup:

#5 RayS (Topic Starter)

Posted 03 June 2010 - 02:47 PM

Hi Orange Blossom,

Thanks for offering to merge scan results to my topic.

Please tell me what "bumping" means. If I post a reply to my own original request for help on the Virus Log forum, is that considered a bump?

I ran the GMER scan again. After another six hours, the scan completed with 20 lines of output. This time I pressed the "Copy" button instead of "Save". I was able to paste the result into Notepad, but the PC froze up again before I could save the file. Not even Task Manager would launch.

I didn't write down any of the output this time, but after the first scan, the GMER log showed 20 lines of text labeled as follows:

.rsc (1 instance)
.TEXT (5 instances)
Attached D... (2 instances)
Device (1 instance)
Attached D... (3 instances)
REG (5 instances)
File (2 instances)

Here is some of the GMER log that I copied by hand:

c:\windows\system32\drivers\DMIO.SYS
c:\windows\system32\drivers\ATAPI.SYS
c:\windows\system32\drivers\nv4_mini.sys
c:\windows\system32\drivers\searchindexer.exe[2220]kernel32.dll\writefile
c:\windows\explorer.exe[3180]ntdll.dll!ntprotectvirtualmemory
c:\windows\explorer.exe[3180]ntdll.dll!writevirtualmemory
c:\windows\explorer.exe[3180]ntdll,dll!kiuserexceptionsdispatcher

I already reported these partial results with my initial post on the Virus Log forum.

BTW, after cycling the power OFF/ON, the PC appears to boot up normally with limited functionality. For example, Windows Explorer can navigate through my files and folders, and applications like Notepad operate normally. I still cannot turn off System Restore, and the PC does not see my router when I execute IPCONFIG in the DOS screen.

Thanks again

RayS



#6 Orange Blossom

Posted 03 June 2010 - 06:19 PM

Bumping a post means self-responding to your topic. There are various kinds of bumps. Some posts add additional information that was left out of the original post. Others are posted simply to bring the topic to the "top" of the topic list. It is the latter that we don't want happening.

I see that you posted that handwritten portion in your other topic. At this point, please don't bother running GMER again.

Now that you have posted a log here: http://www.bleepingcomputer.com/forums/t/321254/access-to-router-blocked-system-restore-inop/ you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a MRT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the MRT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the MRT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the MRT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another MRT Team member is already assisting you and not open the thread to respond.

Please be patient. It may take several days to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom :thumbsup: