TechSpot

System restore probs, am I still infected?

By daveki
Dec 6, 2009
Topic Status:
Not open for further replies.
  1. hi

    I followed your 8 steps for removal after being infected with a virus and this seemed to stop the fake alerts I was getting, but when I click on System Restore I immediately get this message in a box: "system restore is not able to protect your computer, please restart your computer then run system restore again." I followed what it said but keep getting the same. I've attached my logs from my scans, hope you can help.

    cheers
     

  2. kimsland

    kimsland Ex-TechSpotter Posts: 18,353

    You need to update the programs before scanning

    Please update Malwarebytes and run another Quick scan and provide the log

    Also, Bitdefender looks like it may have missed a few things too
    Please run an online scan with Eset: http://www.eset.com/onlinescan/
    But disable your installed Antivirus first

    Provide the new logs after doing so
     
  3. daveki

    daveki TS Rookie Topic Starter Posts: 18

    hi

    Thanks. The malware log was from a scan I did a couple of days ago when I was infected. The log from a scan I did today is attached but found no threats. I'm just doing the online scan now and will attach it when complete.
     
  4. daveki

    daveki TS Rookie Topic Starter Posts: 18

    hi again

    The scan is complete; this is what it found and deleted. I will now reboot and try System Restore.
     

  5. daveki

    daveki TS Rookie Topic Starter Posts: 18

    Just tried System Restore, still doing the same as before. Does that mean I'm still infected?
     
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    kimsland, do you mind if I intervene here?

    daveki, the main problem you are having is due to your Host files being hijacked: All of your searches are being sent to IP 82.98.231.89 which is for Cyber Technology BVBA/SPRL
    descr: Belgium
    country: NL

    They have nothing to do with Microsoft in spite of the microsoft.com entry.

    Much of the malware infection was found in files from oceans32. This is a legitimate file protection driver from Oreans Technology that, if disabled, will stop the correct operation of legitimate software. Unfortunately, this driver can also be installed by malware that is packed by it.

    Before proceeding any further, I would like you to do this:
    • Make sure to use Internet Explorer for this
    • Please go to VirSCAN.org FREE on-line scan service
    • Copy and paste the following file path into the "Suspicious files to scan" box on the top of the page:
      • c:\windows\system32\userinit.exe
    • Click on the Upload button
    • If a pop-up appears saying the file has been scanned already, please select the ReScan button.
    • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
    • Paste the contents of the Clipboard in your next reply.
    Also scan these,

    C:\WINDOWS\explorer.exe
    C:\WINDOWS\System32\svchost.exe


    Please attach that log to your next reply. The contents will determine what comes next.
    Are you in agreement kimsland?
     
  7. daveki

    daveki TS Rookie Topic Starter Posts: 18

    thanks bobbye

    I've scanned the files you requested and attached the results!

    What did you mean by my searches are being sent to another IP address in Belgium? And why would they do this?

    thanks for all your help!

    VirSCAN.org Scanned Report :
    Scanned time : 2009/12/06 17:55:25 (GMT)
    Scanner results: Scanners did not find malware!
    File Name : userinit.exe
    File Size : 26112 byte
    File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
    MD5 : a93aee1928a9d7ce3e16d24ec7380f89
    SHA1 : 513f8bdf67a5a9e09803cfb61f590b39f2683853
    Online report : http://virscan.org/report/478fbe1dbe65f783fb833eef2a555d65.html


    VirSCAN.org Scanned Report :
    Scanned time : 2009/12/06 17:59:37 (GMT)
    Scanner results: Scanners did not find malware!
    File Name : explorer.exe
    File Size : 1033728 byte
    File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
    MD5 : 12896823fb95bfb3dc9b46bcaedc9923
    SHA1 : 9d2bf84874abc5b6e9a2744b7865c193c08d362f
    Online report : http://virscan.org/report/6cb1385fdd78131422112f9550ac430d.html


    VirSCAN.org Scanned Report :
    Scanned time : 2009/12/06 17:27:13 (GMT)
    Scanner results: Scanners did not find malware!
    File Name : svchost.exe
    File Size : 14336 byte
    File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
    MD5 : 27c6d03bcdb8cfeb96b716f3d8be3e18
    SHA1 : 49083ae3725a0488e0a8fbbe1335c745f70c4667
    Online report : http://virscan.org/report/399cd3208fd60943834c6cb2db66e0a9.html

     
  8. daveki

    daveki TS Rookie Topic Starter Posts: 18

    hi bobbye

    I've posted the results twice but got a message saying a moderator needs to check them first.

    thanks for all your help
     
  9. daveki

    daveki TS Rookie Topic Starter Posts: 18

    I tried to PM you the results but it won't let me do that either. How can I get help if my results can't be posted?


    please help!

    thanks
     
  10. daveki

    daveki TS Rookie Topic Starter Posts: 18

    My results have been posted. Can you please tell me where I go from here? It will be much appreciated.
     
  11. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Not to worry Dave. The mods grumble if a post is too long. I got it all and am glad to say you do not have the malware I suspected- it would have required a reformat/reinstall right up front. So now we remove what you do have.

    Please do not attempt System Restore while we are cleaning. If the malware has gotten into any restore points and you happen to restore to that date, you will reinfect the system. I'll have you remove the old restore points when the system is clean and set a new, clean restore point.

    I mean that when you request a site, instead of taking you to that site, the malware takes you to a site in Belgium instead. Why? Because that's what some malware does!

    It appears that you have a pirated version of WinAVI Video Converter 8.0. It will have to be removed from the system to continue.

    Please reopen Hijackthis to 'do system scan only.' Check each of the following, if present:

    O1 - Hosts: 82.98.231.89 browser-security.microsoft.com
    O1 - Hosts: 82.98.231.89 best-click-scanner.info
    O1 - Hosts: 82.98.231.89 antivirus-xp-pro-2009.com
    O1 - Hosts: 82.98.231.89 microsoft.infosecuritycenter.com
    O1 - Hosts: 82.98.231.89 microsoft.softwaresecurityhelp.com
    O1 - Hosts: 82.98.231.89 onlinenotifyq.net
    O1 - Hosts: 82.98.231.89 antivirusxp-pro-2009.com
    O1 - Hosts: 82.98.231.89 microsoft.browser-security-center.com
    O4 - HKLM\..\Run: [msav] C:\WINDOWS\system32\~TM5F.TMP
    O4 - HKUS\S-1-5-19\..\Run: [fezoworepa] Rundll32.exe "C:\WINDOWS\system32\jopuhaya.dll",s (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [fezoworepa] Rundll32.exe "C:\WINDOWS\system32\jopuhaya.dll",s (User 'NETWORK SERVICE')


    Close all Windows except HJT and click on "Fix Checked."

    You also have malware called Spyware.Passwords. It is running and still active:

    Boot into Safe Mode
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

    Access Windows Explorer: Right click on Start> Explore:

    • First go up to Tools> Folder Options> View tab> Check 'show hidden files and folders'> Uncheck 'hide system and protected files'> Apply> OK
    • Continue by checking My Computer> Local Drive- usually C> Click on Windows> then System 32
    • Look for TM5F.TMP> do a right click> Delete.

    Go back and hide the files and folders.
    Empty the Recycle Bin Close.

    Some entries cannot be removed using HijackThis, so please do the following:

    Please download ComboFix HERE:
    • With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.
    • Please disable all security programs, such as antiviruses, antispywares, and firewalls. Also disable your internet connection.
    • Run Combo-Fix.exe and follow the prompts.
      (Understand that things like your system clock changing and your desktop disappearing might happen. Do not worry, because all will be restored later.)
    • Wait for the scan to be completed.
    • If it requires a reboot, please do it.
    • After the scan has completed entirely, please post the log here. The log will be located at C:\ComboFix(.txt)

    Notes:

    1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

    Attach new Combofix report to new reply.
    Rescan with HijackThis and attach new log.

    NOTE: I recommend that you change all of your passwords and monitor any online financial transactions you have.


    Remind me to tell you how to get control of the tracking Cookies.
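
The O1 (hosts file) and O4 (Run key) entries listed in the post above can be triaged mechanically. The following is an added example, not part of the original post and not HijackThis's own logic: the first eleven log lines are the ones quoted in the post, the last three are constructed benign entries, and the heuristics and the `WATCHED_BRANDS` list are assumptions chosen for illustration.

```python
import ipaddress
import ntpath
import re
from collections import defaultdict

# O1/O4 lines as quoted in the post; the last three lines are constructed
# benign entries so the triage has something to leave alone.
SAMPLE_LOG = r"""
O1 - Hosts: 82.98.231.89 browser-security.microsoft.com
O1 - Hosts: 82.98.231.89 best-click-scanner.info
O1 - Hosts: 82.98.231.89 antivirus-xp-pro-2009.com
O1 - Hosts: 82.98.231.89 microsoft.infosecuritycenter.com
O1 - Hosts: 82.98.231.89 microsoft.softwaresecurityhelp.com
O1 - Hosts: 82.98.231.89 onlinenotifyq.net
O1 - Hosts: 82.98.231.89 antivirusxp-pro-2009.com
O1 - Hosts: 82.98.231.89 microsoft.browser-security-center.com
O4 - HKLM\..\Run: [msav] C:\WINDOWS\system32\~TM5F.TMP
O4 - HKUS\S-1-5-19\..\Run: [fezoworepa] Rundll32.exe "C:\WINDOWS\system32\jopuhaya.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [fezoworepa] Rundll32.exe "C:\WINDOWS\system32\jopuhaya.dll",s (User 'NETWORK SERVICE')
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 192.168.0.10 nas.home
O4 - HKLM\..\Run: [ExampleTray] "C:\Program Files\Example\tray.exe"
"""

O1_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)\s*$")
O4_RE = re.compile(r"^O4 - (HK\w+)\\(?:(S-[\d-]+)\\)?\.\.\\Run: \[([^\]]+)\]\s+(.*)$")
WATCHED_BRANDS = ("microsoft",)  # assumption: vendor names worth watching
SERVICE_SIDS = {"S-1-5-19": "LOCAL SERVICE", "S-1-5-20": "NETWORK SERVICE"}


def suspicious_hosts(log):
    """Group O1 entries by address and explain why an address looks hijacked."""
    by_ip = defaultdict(list)
    for line in log.splitlines():
        m = O1_RE.match(line.strip())
        if m:
            by_ip[m.group(1)].append(m.group(2).lower())
    findings = {}
    for ip, names in by_ip.items():
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings[ip] = {"names": names, "reasons": ["unparseable address"]}
            continue
        if addr.is_loopback or addr.is_unspecified:
            continue  # 127.0.0.1 / 0.0.0.0 entries are the usual block-list form
        reasons = []
        if addr.is_global:
            reasons.append("public address")
        if len(names) >= 3:
            reasons.append(f"{len(names)} names share one address")
        for brand in WATCHED_BRANDS:
            if any(brand in n.split(".") for n in names):
                reasons.append(f"uses watched brand label: {brand}")
        if reasons:
            findings[ip] = {"names": names, "reasons": reasons}
    return findings


def launched_image(command):
    """Return the program an autostart command launches (quoted or bare)."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split(None, 1)[0]


def suspicious_run_entries(log):
    """Flag O4 Run entries that start a .tmp file or rundll32 as a service account."""
    findings = []
    for line in log.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        _hive, sid, name, command = m.groups()
        image = launched_image(command)
        reasons = []
        if ntpath.splitext(image)[1].lower() == ".tmp":
            reasons.append("autostart target is a .tmp file")
        if ntpath.basename(image).lower() == "rundll32.exe" and sid in SERVICE_SIDS:
            reasons.append(f"rundll32 autostart under {SERVICE_SIDS[sid]}")
        if reasons:
            findings.append({"name": name, "command": command, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for ip, info in suspicious_hosts(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(info["reasons"]))
    for entry in suspicious_run_entries(SAMPLE_LOG):
        print(entry["name"], "->", "; ".join(entry["reasons"]))
```
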
     
     
  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Dave, your thread is only 8 hours old. This is a busy forum. Please have patience. I was preparing my reply above when you said to 'hurry up'.
     
  13. kimsland

    kimsland Ex-TechSpotter Posts: 18,353

    Not to mention > We don't need 4 email replies from you in a row (as you have quadruple posted !)

    Yes it is a bad time when you are infected and you just want it solved right now
    But the members here are supplying their support freely at a rate that is way faster than most other online boards (actually I think we are the fastest)

    Instead of replying to yourself use EDIT to add to your post if your post is still the last post in the Topic (presently not)
     
  14. daveki

    daveki TS Rookie Topic Starter Posts: 18

    hi bobbye and kimsland

    I'm sorry for seeming so impatient and rude. I appreciate all your help and advice and cannot thank you enough. I followed your instructions and could not find any of the 01 entries on HijackThis. I found all the 04 entries though and deleted these as instructed. Everything went smoothly and I will attach the logs and await your replies patiently. Once again, thanks so very much for all your help.

    dave:grinthumb

    Forgot, I need to remind you to tell me how to get control of the tracking cookies. Thanks again.
     

  15. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    You did not address this:
    You are also using a hacking tool DHCP Sniffer.

    I'm going to ask someone else for help in reviewing the logs. I do not support either of the above..
     
  16. daveki

    daveki TS Rookie Topic Starter Posts: 18

    hi bobbye

    I'm sorry, I did remove WinAVI converter and will move DHCP Sniffer as I use neither of these programs. Sorry for not addressing these. Please continue, I appreciate the help.

    dave
     
  17. daveki

    daveki TS Rookie Topic Starter Posts: 18

    hi guys

    I'm sorry for having these 2 programs and I think I've deleted every trace of these off my system. To be honest, the WinAVI 8.0 I've never used and the DHCP Sniffer I didn't even know what that was. I had a friend from work a couple of years ago who modded modems; he asked me to run this program and give him the results. I hadn't a clue what it was for or what it did, just thought I was doing him a favour as I am not clued up on what he was doing. Please continue with your help as I am very grateful for the help so far and am definitely not into hacking...

    Sorry if I've offended you in any way having these programs!

    I await your response eagerly

    dave:(
     
  18. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Dave, it wasn't an offense- we just don't support pirated programs.

    I'd like you to run Combofix again- please delete the previous report for this on your desktop, then run it again. Include new report in next reply. Here are directions again:
    Please download ComboFix HERE:
    • With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.
    • Please disable all security programs, such as antiviruses, antispywares, and firewalls. Also disable your internet connection.
    • Run Combo-Fix.exe and follow the prompts.
      (Understand that things like your system clock changing and your desktop disappearing might happen. Do not worry, because all will be restored later.)
    • Wait for the scan to be completed.
    • If it requires a reboot, please do it.
    • After the scan has completed entirely, please post the log here. The log will be located at C:\ComboFix(.txt)

    Notes:

    1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    Then rescan with HijackThis and include that log also.
     
  19. daveki

    daveki TS Rookie Topic Starter Posts: 18

    hi bobbye

    Did the two scans as requested; the log files are attached.

    thanks once again!
     
  20. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Okay, looks good. But I'd like you to delete the Eset logs you currently have and scan again:
    Run Eset NOD32 Online AntiVirus Scanner HERE

    Note: You will need to use Internet Explorer for this scan.
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the Active X control to install
    • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    • Click Start
    • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    • Click Scan
    • Wait for the scan to finish
    • Re-enable your Antivirus software.
    • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
    I'd like to make sure the system isn't hiding anything. Please include the log in next reply. If that's clean we'll check system restore-not yet though.

    Here's some System Restore troubleshooting that you can read and check:

    Q. What should I do if System Restore does not work?
    A. Try these steps if System Restore does not appear to work:

    1. Ensure the System Restore service is running. For more information, see: How can I verify that the System Restore services are running on my machine? (see site)

    2. Verify that you have enough free space on all your drives as required by System Restore. If the free space on any partition system restore is monitoring falls below 50 MB, System Restore will suspend and purge out all restore points to free up disk space. It will automatically reactivate when 200 MB+ free space is available. For more information, see How the System Restore Tool Handles Hard-Disk Space Usage. (see site)

    3. Examine event logs for any system restore-related errors that could help you identify the problem.

    http://www.microsoft.com/technet/prodtechnol/winxppro/plan/faqsrwxp.mspx
     
  21. daveki

    daveki TS Rookie Topic Starter Posts: 18

    hi bobbye

    I did the online scan and have attached the log!
    In an earlier post you also told me to remind you how to get control of the tracking cookies.

    thanks for all your help

    dave
     
  22. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    About the Tracking Cookies (thanks): this needs to be done on accounts for both 'dave' and 'lee':

    Reset Cookies

    For Internet Explorer: Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> CHECK 'override automatic Cookie handling'> CHECK 'accept first party Cookies'> CHECK 'Block third party Cookies'> CHECK 'allow per session Cookies'> Apply> OK.

    Now you can remove the cleaning tools and old restore points:


    Uninstall ComboFix.exe And all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.

    Remove all of the tools we used and the files and folders they created
    • Download OTCleanIt by OldTimer
    • Save it to your Desktop.
    • Double click OTCleanIt.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    The tool will delete itself once it finishes.


    You should now set a new Restore Point to prevent infection from any previous Restore Points. The easiest and safest way to do this is:
    • Go to Start > All Programs > Accessories > System Tools and click "System Restore".
    • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the Restore Point a name then click "Create". The new Restore Point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
    • Go to "Disk Cleanup" which can be found by going to Start > All Programs > Accessories > System Tools.
    • Click "OK" to select the partition or drive you desire.
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.

    More details and screenshots for Disk Cleanup in Windows Vista can be found here.

    The system will set new restore points once in about every 24 hours if the computer is on. You can also set your own any time you want. Wait a few days, then set a restore point for the day before. Next day, try restoring to that date to make sure it's working okay.

    Let me know if I can be of further help.
     
  23. daveki

    daveki TS Rookie Topic Starter Posts: 18

    hi bobbye

    I followed your instructions, cleaned all the files and folders used, then had to reboot.
    Then I started to create a new restore point as you said by going to Start > All Programs > Accessories > System Tools and clicking "System Restore". At this point, as before, I get this message: "system restore is not able to protect your computer, please restart your computer then run system restore again". Why would this be the case? I thought it should run OK now. What could be the reason for this?

    Thanks for all your help

    dave
     
  24. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    System Restore Troubleshoot: Go through this please:

    Q. What should I do if System Restore does not work?
    A. Try these steps if System Restore does not appear to work:

    1. Ensure the System Restore service is running. For more information, see: How can I verify that the System Restore services are running on my machine? (see site)

    2. Verify that you have enough free space on all your drives as required by System Restore. If the free space on any partition system restore is monitoring falls below 50 MB, System Restore will suspend and purge out all restore points to free up disk space. It will automatically reactivate when 200 MB+ free space is available. For more information, see How the System Restore Tool Handles Hard-Disk Space Usage. (see site)

    3. Examine event logs for any system restore-related errors that could help you identify the problem.

    Start> Run> type in eventvwr

    Do this on each of the System and the Applications logs:
    [1]. Click to open the log>
    [2]. Look for the Error>
    [3]. Right click on the Error> Properties>
    [4]. Click on Copy button, top right, below the down arrow >
    [5]. Paste here (Ctrl V)
    [6]. NOTES
    • You can ignore Warnings and Information Events.
    • If you have a recurring Error with same ID#, same Source and same Description, only one copy is needed.
    • You don't need to include the lines of code in the box below the Description, if any.
    • Please do not copy the entire Event log.

    Errors are time coded.

    http://www.microsoft.com/technet/prodtechnol/winxppro/plan/faqsrwxp.mspx


    Try this and see what you get:
    Boot into Safe Mode: Start> Run> cmd> type in:
    C:\Windows\system32\Restore\rstrui.exe

    which is the Restore program, it will prompt with Create vs Restore and you can pick
    a Restore point.
     
  25. daveki

    daveki TS Rookie Topic Starter Posts: 18

    hi bobbye

    Here are my errors from the event log. Not sure what they mean, could do with your view if possible:

    Application log:

    Event Type: Error
    Event Source: Intel(R) AMT
    Event Category: UNS
    Event ID: 2002
    Date: 19/12/2009
    Time: 23:33:04
    User: N/A
    Computer: DAVESLAPTOP
    Description:
    [UNS] Failed to subscribe to local Intel(R) AMT.

    Event Type: Error
    Event Source: LMS
    Event Category: None
    Event ID: 2
    Date: 19/12/2009
    Time: 23:33:01
    User: NT AUTHORITY\SYSTEM
    Computer: DAVESLAPTOP
    Description:
    LMS Service cannot connect to HECI driver

    system:

    Event Type: Error
    Event Source: Service Control Manager
    Event Category: None
    Event ID: 7026
    Date: 19/12/2009
    Time: 23:33:07
    User: N/A
    Computer: DAVESLAPTOP
    Description:
    The following boot-start or system-start driver(s) failed to load:
    Beep

    Event Type: Error
    Event Source: Service Control Manager
    Event Category: None
    Event ID: 7026
    Date: 19/12/2009
    Time: 22:44:41
    User: N/A
    Computer: DAVESLAPTOP
    Description:
    The following boot-start or system-start driver(s) failed to load:
    Beep

    I'm going to try booting into Safe Mode as you said and will report back with the results.

    thanks once again! much appreciated

    dave

    hi bobbye

    I tried in Safe Mode like you suggested and still received the same message as before: "system restore is not able to protect your computer, please restart your computer then run system restore again". Have you any ideas what's causing this?

    dave
     