
XP System Restore Fails After Trojan Removal


15 replies to this topic

#1 Theo7


Posted 28 December 2015 - 04:28 PM

Dear All, 

After Avast removed TrojanDownloader:Win32/Wysotot.A from my system, I used a guide to help remove all traces.

I used TDSSKiller, RKill, Malwarebytes AntiMalware, RogueKiller, HitmanPro, Emsisoft Emergency Kit and AdwCleaner.

After running AdwCleaner a restart was required, after which a report was going to be generated. When the system booted, many of my computer functions were gone and there was no report. 

I tried to Restore to one of the many System Restore Points I had generated, but System Restore was failing to run.

I located and renamed a Wininit.ini file and manually restarted the System Restore Service. After performing the Restore I was told that no changes were made to my files. 

I tried to run System Restore in Safe Mode and using a Clean Boot, several times, without any different result. 

I would greatly appreciate any advice or ideas on how I could proceed with restoring my system to a functional state. 

I am running Windows XP Pro SP3.

Thank you for your time!




 


#2 JohnC_21


Posted 28 December 2015 - 04:47 PM

Sometimes avast can prevent a System Restore. In avast settings make sure Self Protection is disabled. If disabling Self Protection does not work then uninstall avast and try System Restore.



#3 Theo7


Posted 28 December 2015 - 08:36 PM

Thank you very much JohnC_21. 
Indeed, Avast is reported to prevent System Restore. (I never knew)
Uninstalling Avast has proven tricky, as not even the dedicated uninstaller, suggested by Avast, worked in Safe Mode. It is the early hours of the morning here, so I will try this angle with other uninstallers tomorrow. I think I will try to find my OS discs to try a system fix too. (I do not have any other ideas beyond that)



#4 JohnC_21


Posted 28 December 2015 - 08:51 PM

Yes, avast can have issues uninstalling. You can try Revo Uninstaller Pro. This is a full 30 day trial. I am surprised avast's standalone uninstaller did not work. Did you use it in safe mode?



#5 Theo7


Posted 28 December 2015 - 10:07 PM

Again, thank you for the suggestion JohnC_21. Yes, I tried running avastclear.exe in safe mode, as per avast's instructions. Like in normal boot, an avast animation icon appears and nothing happens after that. (I double-checked the file was the exact size and version, as available on avast's website, so not a corrupted download) I will try your suggestion first chance I get after some sleep. I appreciate it.



#6 TheITGUI


Posted 29 December 2015 - 09:12 AM

Real lesson here is two-fold. One is that you have to nuke it from orbit. It's the only way to be sure.

Secondly, you need to replace WSR. It never works. If it died I think Microsoft would do a victory lap. Look into Rollback Rx Home Edition. It's free and will work a lot better for you, I am very certain of this!

Best of luck!



#7 Theo7


Posted 29 December 2015 - 02:07 PM

Thank you TheITGUI! As you can imagine I am all for trying different restore solutions in the future, however this still does not restore my device to a functional state.

JohnC_21 I was now able to uninstall all traces of Avast with Revo Uninstaller. Now curiously when I enable the System Restore Service and run it, the window pops up void.

So I think I now need to find a way to fix System Restore. The tricky part would be to do it, without losing my existing Restore Points.

Any ideas welcome!



#8 JohnC_21


Posted 29 December 2015 - 02:24 PM

Is the Windows System Restore Window blank in Safe Mode? Avast also used System Restore for its NG module but I don't know if that has been changed.

 

If you create a new user, is System Restore available?

 

Edit: If the above does not work see this Microsoft kb article.

 

https://support.microsoft.com/en-us/kb/831430


Edited by JohnC_21, 29 December 2015 - 02:26 PM.


#9 Theo7


Posted 29 December 2015 - 02:38 PM

Yes I am afraid it is still blank in Safe Mode. I did try to create a new user but that window is blank too (apart from "back" "home"). 
Thank you very much for pointing me to the article. I will study it now.



#10 Theo7


Posted 29 December 2015 - 08:34 PM

Thank you JohnC_21, reregistering Jscript.dll allowed me to create new users and make System Restore available.

Avast came back from the dead and it was discovered that Avast4 was removed but Avast5 was very much present.

While avastclear (current official suggestion) did not work, I discovered an older version that did! (aswClear)

Unfortunately, still I cannot successfully Restore to any date.

Any further suggestions/ideas on possible fixes?



#11 JohnC_21


Posted 29 December 2015 - 08:41 PM

When you try doing a System Restore does it give you an error? You may find a clue in Event Viewer.

 

The last resort option is to reinstall System Restore as shown here.  Other than that I am pretty much out of ideas. 

 

Edit: I do not know if this will delete your restore points.

 

Edit Edit: There is a way to manually do a System Restore using your Restore Points. See this page. It only replaces the registry so it is not a complete System Restore as what would be done through Windows. Do not delete the Hives as shown in step 6. Rename them with a .bak extension so you can revert if needed.


Edited by JohnC_21, 29 December 2015 - 08:48 PM.


#12 Theo7


Posted 30 December 2015 - 09:19 AM

Thank you for digging into this and I am sorry for my ambiguity. 

After System Restore and rebooting I get the following error

"Restoration Incomplete

Your computer cannot be restored to:
[Any]Date System Checkpoint

No changes have been made to your computer

To choose another restore point, restart System Restore.

To restart System Restore click Home"

This happens for any date, even with a Clean Boot.

Event Viewer Shows several errors but nothing I know to say it is directly linked with system restore. 

I am making a note of the manual system restore option, it is just that I cannot readily remove and encase the laptop workstation's hard drive. So maybe if all else fails... 

I am afraid that reinstalling System Restore would delete existing restore points. The idea is to repair the system. 

The only thing I can come up with now is trying to repair the windows installation. (I need to slipstream sata drivers for that)

Thank you for all your help and wishes for a good holiday!



#13 Theo7


Posted 30 December 2015 - 09:34 AM

Upon Rebooting I get 

"Microsoft Visual C++ Runtime Library
Runtime Error!

Program: C:\Program Files\Norton Ghost\Agent\VProSvc.exe

The Application has requested the Runtime to terminate in an unusual way."

So now I am thinking that maybe Norton Ghost is somehow conflicting with System Restore completing the restoration.



#14 JohnC_21


Posted 30 December 2015 - 09:52 AM

That is a possibility. By Clean Boot I am assuming you mean using msconfig to disable non-microsoft services and startup items. 

 

What is Ghost used for on the computer? Is it for creating System Images? I think Macrium Reflect Free or AOMEI Backupper Standard Free would be better suited for that.



#15 Theo7


Posted 01 January 2016 - 07:33 PM

Happy New Year! 

So eventually by a Clean Boot that did not process System.ini and Win.ini, at some point a Restore was successful! (although I was unable to achieve the same again!)

Still, the system was messed up and I had to uninstall Avast yet again. I started troubleshooting issues, restarted the sound service that was down. Then starting firewall and networking services failed with errors. (e.g. Error 1053)

Reading revealed that reinstalling Microsoft.NET Framework 1.1 Service Pack 1 should fix it...  Well it did not only fix this, but the rest of the system as well!
https://www.winhelp.us/non-destructive-reinstall-of-windows-xp.html
In the meantime, I found these articles helpful

https://www.winhelp.us/troubleshooting-windows.html#sfc
https://www.winhelp.us/non-destructive-reinstall-of-windows-xp.html

I have now reinstalled Avast (I know how to deal with it) and am beefing up the layers of protection with Malwarebytes Anti-Exploit and AdBlockPlus. (I already had Super Antispyware, Malwarebytes AntiMalware and Spybot)

I am using good old SygateFirewall in combination with the Windows one and wonder if there is a good reason to change it.

I will be looking into the System Image suites that you suggested.

Thank you for all your help JohnC_21 and all the best. I learned a lot through all this!





