System Restore SVC Not Available and Shortcuts Gone After Infection

By palouse · 16 replies
May 9, 2011
  1. (I want to restore shortcuts, regain System Restore function, fix unknown damage, AND avoid reinstalling applications.)

    Clicked on a Google link, it started installing a "system checker". Attempted Ctrl-Alt-Del on IE session, but damage done. Avast was running, out of date by 8 days, XP Security Updates out of date 2 months, System Restore was running, but monitoring 4 partitions; 40Gb or better for each part; many Restore Points over last couple months. Spybot S&D disabled the day before. System: AMD, WinXP Pro SP3, IE7. Latest Acronis image is from last October.

    Damage Results:
    -All non-system files set to "Hidden", some also set to "Read Only",
    -Most Start Menu shortcuts gone inside application folders ("C:\Doc&Set\All Users\Startup\Programs\<prog>\shortcut")
    -Desktop settings changed to hide icons,
    -Desktop w/ no "Right Mouseclick" context menu,
    -Can't turn off/change System Restore (SR) in System Cntr Panel, ("Access is denied"); SR shown as "On" in Registry ("DisableSR"="0"),
    -Unable to Start SR in Services Cntr Panel ("Could not start the [SR] Service service on Local Computer. Error 5: Access is denied."),
    -EXE files seem to work if fired from C:/Program Files/...
    -No other errors in Event Log/System, or any other Event log.

    Ran TrendMicro HouseCall, Avast, SuperAntiSpyWr, MalwareBytes, Spybot. I attempted to find answers on internet. Ran Nirsoft's ShellXMgr. Restored functionality to Desktop. Desktop icons returned. "Un-hid" and "read any" every folder I could find. Tried Update of SP3 Security Patches, no joy. Tried to find way to force System Restore; attempted via Microsoft KB 307545, no joy. Attempted Install of sr.ini, resulting in new SVI and probable loss of Restore Points. Install of sr.ini will not work, "Access denied" when attempting to "copy" srclient.dll; more likely unable to write to target. Found, took first “8 steps” to fix.

    Boots fine, I can use most apps and IE. QuickStart, Desktop, working.

    Assuming some sort of security or link reset prevents SR from firing, and removed links to apps, causing ICONs to disappear. Assuming damage and instability I have not yet discovered. Assuming XP "Repair" likely to hose many apps worse than loss of shortcuts. Assuming SR will not be as worthless next time as it was this time.

    Logs follow:
  2. palouse

    palouse TS Rookie Topic Starter

    .text C:\WINDOWS\system32\svchost.exe[1312] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP
  3. palouse

    palouse TS Rookie Topic Starter

    DDS (Ver_11-03-05.01) - NTFSx86
    Run by t at 16:48:37.98 on Mon 05/09/2011
    Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_22
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1487 [GMT -7:00]
    AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
    ============== Running Processes ===============
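The opener describes the rogue "system checker" flipping every non-system file to Hidden (some to Read Only as well), which is what the later UnHide step reverses. The following PowerShell script is an added example, not something posted in the thread or part of any tool mentioned in it: it audits a profile tree for files and folders that carry Hidden without System (the distinction that separates user data from desktop.ini and NTFS housekeeping files), summarises the hits by extension so a wholesale flip stands out from the handful of legitimately hidden files, and only clears the attributes when run with -Fix. The default root path and the elevated-shell requirement are assumptions.

```powershell
# Added example, not from the thread: audit (and optionally clear) the Hidden
# attribute that this kind of rogue "system checker" sets on user files.
# Assumptions: run from an elevated PowerShell on the affected machine; $Root
# defaults to the XP profile tree the poster mentions. Entries that are also
# flagged System (desktop.ini, NTFS metadata) are left alone.
param(
    [string]$Root = 'C:\Documents and Settings',
    [switch]$Fix
)

$HIDDEN   = [int][IO.FileAttributes]::Hidden      # 2
$READONLY = [int][IO.FileAttributes]::ReadOnly    # 1
$SYSTEM   = [int][IO.FileAttributes]::System      # 4

# Collect files and folders that carry Hidden but not System.
$suspect = @(Get-ChildItem -Path $Root -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object {
        (([int]$_.Attributes -band $HIDDEN) -ne 0) -and
        (([int]$_.Attributes -band $SYSTEM) -eq 0)
    })

Write-Output ("Hidden non-system entries under {0}: {1}" -f $Root, $suspect.Count)

# Summarise by extension: a blanket hit across .doc/.jpg/.lnk and whole folders
# is the signature of this attack; a few .ini or .dat files usually is not.
$suspect |
    Group-Object { if ($_.PSIsContainer) { '<folder>' } else { $_.Extension.ToLower() } } |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

if ($Fix) {
    $mask = -bnot ($HIDDEN -bor $READONLY)
    foreach ($f in $suspect) {
        # Clear Hidden and ReadOnly; every other attribute bit is kept intact.
        $f.Attributes = [IO.FileAttributes]([int]$f.Attributes -band $mask)
        Write-Verbose ("Cleared Hidden/ReadOnly on {0}" -f $f.FullName)
    }
    Write-Output ("Cleared attributes on {0} entr(y/ies)." -f $suspect.Count)
}
```

Run it once without -Fix and read the per-extension table before clearing anything: on a clean machine the list is short and dominated by application caches, whereas the pattern described in this thread shows up as hundreds of ordinary documents and shortcut files.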
  4. Broni

    Broni Malware Annihilator Posts: 54,262   +383

    Welcome aboard

    Please, observe following rules:
    • Read all of my instructions very carefully. Your mistakes during cleaning process may have very serious consequences, like unbootable computer.
    • If you're stuck, or you're not sure about certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.


    To solve the issue better...
    Download and run UnHide


    Download Bootkit Remover to your Desktop.

    • You then need to extract the remover.exe file from the RAR using a program capable of extracting RAR compressed files. If you don't have an extraction program, you can use 7-Zip:
    • After extracting remover.exe to your Desktop, double-click on remover.exe to run the program (Vista/7 users, right-click on remover.exe and click Run As Administrator).
    • It will show a Black screen with some data on it.
    • Right click on the screen and click Select All.
    • Press CTRL+C
    • Open a Notepad and press CTRL+V
    • Post the output back here.


    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
    **Note 2 for AVG users: ComboFix will not run until AVG is uninstalled as a protective measure against the anti-virus. This is because AVG "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG first.
    Use AppRemover to uninstall it:
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.

    Make sure, you re-enable your security programs, when you're done with Combofix.


    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode.

    2. Delete Combofix file, download fresh one, but rename combofix.exe to yourname.exe BEFORE saving it to your desktop.
    Do NOT run it yet.

    Please download and run the below tool named Rkill (courtesy of which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right click Rkill and choose Run as Administrator

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
  5. palouse

    palouse TS Rookie Topic Starter

    Unhide, Bootkit Remover, ComboFix, rkill

    Results of instructions:
    1) Unhide: Upon completion. System Restore fully functional with all Restore Points available. What a temptation to just take a shortcut...

    2) Bootkit Remover: It ran. Said it found something. (Did it clean the MBR copy?)

    3) ComboFix: Installed Recovery Console. Blue screened at about "step 29". "Plug&Play detected an error most likely caused by a faulty driver." Another temptation to just stop there. After reboot, reset Avast from "disable 1 hour" to "disable permanent". Second run of ComboFix completed without errors.

    4) rkill completed.

    Bootkit Remover:
    ComboFix 11-05-09.02 - t 05/09/2011 21:43:26.2.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1593 [GMT -7:00]
    Running from: c:\documents and settings\t\Desktop\ComboFix.exe
    AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
  6. palouse

    palouse TS Rookie Topic Starter

    more first instruction results

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    Rkill completed on 05/09/2011 at 21:59:05.
  7. Broni

    Broni Malware Annihilator Posts: 54,262   +383

    I'm glad to hear good news :)

    Combofix log looks good as well.

    Any current issues?

    Download OTL to your Desktop.

    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • Click the Scan All Users checkbox.
    • Under the Custom Scan box paste this in:

    %systemroot%\*. /mp /s
    %PROGRAMFILES%\bak. /s
    %systemroot%\system32\bak. /s
    %ALLUSERSPROFILE%\Start Menu\*.lnk /x
    %systemroot%\system32\config\systemprofile\*.dat /x
    %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
    %PROGRAMFILES%\Common Files\*.*
    %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
    %PROGRAMFILES%\Internet Explorer\*.tmp
    %PROGRAMFILES%\Internet Explorer\*.dat
    %USERPROFILE%\My Documents\*.exe
    %systemroot%\SECURITY\Database\*.sdb /x
    %systemroot%\Driver Cache\*.*
    %PROGRAMFILES%\Mozilla Firefox\0*.exe
    %ProgramFiles%\Microsoft Common\*.*
    %USERPROFILE%\Favorites\*.url /x
    %ALLUSERSPROFILE%\*.dat /x
    dir /b "%systemroot%\system32\*.exe" | find /i " " /c
    dir /b "%systemroot%\*.exe" | find /i " " /c
    %PROGRAMFILES%\Mozilla Firefox\*.dat
    %USERPROFILE%\Cookies\*.txt /x
    %systemroot%\pchealth\helpctr\System\*.exe /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs

    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
  8. palouse

    palouse TS Rookie Topic Starter

    OTL Response 1 of 3

    No current issues, other than Start/Programs is essentially useless until I re-stock the folders with shortcuts. Thank you for your help.

    The results of the OTL execution follow, as 2 log files.

    OTL logfile created on: 5/10/2011 6:37:56 PM - Run 1
  9. palouse

    palouse TS Rookie Topic Starter

    OTL Response 2 of 3

    < %ProgramFiles%\Messenger\*.* >
  10. palouse

    palouse TS Rookie Topic Starter

    OTL Response 3 of 3

    < End of report >
  11. Broni

    Broni Malware Annihilator Posts: 54,262   +383

    What exactly is missing?


    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
      O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - No CLSID value found.
      O3 - HKLM\..\Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - No CLSID value found.
      O3 - HKU\S-1-5-21-1177238915-1682526488-725345543-1004\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
      O3 - HKU\S-1-5-21-1177238915-1682526488-725345543-1004\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
      O3 - HKU\S-1-5-21-1177238915-1682526488-725345543-1004\..\Toolbar\WebBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
      O15 - HKU\S-1-5-21-1177238915-1682526488-725345543-1004\..Trusted Domains: ([]msn in My Computer)
      O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (Reg Error: Key error.)
      [2010/10/30 01:55:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\t\Application Data\Uniblue
      @Alternate Data Stream - 127 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:ED24AC45
      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
      "DisableMonitoring" = -
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • You will get a log that shows the results of the fix. Please post it.


    Last scans....

    1. Download Security Check from HERE, and save it to your Desktop.
    • Double-click SecurityCheck.exe
    • Follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

      NOTE SecurityCheck may produce some false warning(s), so leave the results reading to me.

    2. Download Temp File Cleaner (TFC)
    • Double click on TFC.exe to run the program.
    • Click on Start button to begin cleaning process.
    • TFC will close all running programs, and it may ask you to restart computer.

    3. Please run a free online scan with the ESET Online Scanner

    • Disable your antivirus program
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • IMPORTANT! UN-check Remove found threats
    • Accept any security warnings from your browser.
    • Check Scan archives
    • Click Start
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    • When the scan completes, push List of found threats
    • Click on Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    • NOTE. If Eset won't find any threats, it won't produce any log.
  12. palouse

    palouse TS Rookie Topic Starter

    Eset scan

    What is missing are the link files (shortcuts) from Start/Programs folders. All of the files are missing under C:\Docs&Set\All Users\Start Menu\Programs\<various applications>. Refer to following URL for a screen shot; example is MS Office Tools. Applications are still present, registered, and functional, just no convenient Start Menu shortcuts.

    I suppose it could have been a disk error, but the odds are remote. I read a blurb on internet about what happens to a shortcut when it is "hidden", that it may be removed by the system; which I can't confirm or find the article again. I assume that the links were moved or deleted, and I could not find files with Modified Date at the time of problem to indicate a move. (From previous infections, adware moved executables to another directory to avoid "file delete" detection by security software, replace them with adware files of same name.) Recycle was emptied before I could check for shortcuts.
    Screen shot of Windows Explorer and Start

    OBTW, the monitoring of non-OS drives will stop after we finish here, and new clean data backup and image taken.

    All processes killed
    ========== OTL ==========
  13. Broni

    Broni Malware Annihilator Posts: 54,262   +383

  14. palouse

    palouse TS Rookie Topic Starter


    Thank you for your help.

    I came across these suggestions in previous research. I tested or ran all again. Unfortunately, the issue is not with the Group Policies blocking the .../All Users/Start Menu/Programs/... directory. The actual shortcut files are missing from each application's Program folder, as in the following example:

    - C:\Documents and Settings\All Users\Start Menu\Programs\Google Earth\<null> .

    My question: Is it possible to "regenerate" the shortcuts with a utility, or do I need to cut-n-paste every application's .exe file shortcut back into the application's "All Users/Start Menu/Programs/" folder?

    Creating .exe shortcuts, then cut-n-paste is a lot of manual work. However, as part of a project last year, I put the install's image from last October on the "G:" drive. From G:\D&S\All Users\Start Menu\Programs\*, I could cut-n-paste most of the shortcuts that were available prior to last Saturday's C: drive infection.

    Shortcuts in C:\D&S\t\Start Menu\Programs and "Default User" were not deleted.

    FINALLY, Did the shortcuts get deleted by the infection, or because files were hidden by the infection, and the system deleted the "orphaned" shortcuts?
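The poster asks whether the missing Start Menu shortcuts can be regenerated rather than rebuilt by hand, and mentions an intact copy of the same tree on the G: image. The script below is an added example, not from the thread or from any tool it uses: it walks the backup copy of All Users\Start Menu\Programs, copies only the .lnk files that are absent from the live tree, and skips any shortcut whose target program no longer exists on the live system, so it does not recreate orphaned links. Without -Apply it only reports what it would restore. The two paths are assumptions based on the poster's description.

```powershell
# Added example, not from the thread: re-populate the All Users Start Menu from
# an intact copy of the same tree (the poster's October image on G:), copying
# only the .lnk files missing from the live system and only where the program
# the shortcut points at is still installed. Both paths are assumptions.
param(
    [string]$Live   = 'C:\Documents and Settings\All Users\Start Menu\Programs',
    [string]$Backup = 'G:\Documents and Settings\All Users\Start Menu\Programs',
    [switch]$Apply
)

$shell   = New-Object -ComObject WScript.Shell   # resolves .lnk targets
$pending = 0

foreach ($lnk in Get-ChildItem -Path $Backup -Recurse -Force -Filter *.lnk) {
    # Same relative path under the live tree.
    $relative = $lnk.FullName.Substring($Backup.TrimEnd('\').Length).TrimStart('\')
    $target   = Join-Path $Live $relative
    if (Test-Path -LiteralPath $target) { continue }

    # Skip links whose program is gone: restoring them only recreates orphans.
    $exe = $shell.CreateShortcut($lnk.FullName).TargetPath
    if ($exe -and -not (Test-Path -LiteralPath $exe)) {
        Write-Warning ("Skipping {0}: target {1} not present" -f $relative, $exe)
        continue
    }

    $pending++
    if (-not $Apply) { Write-Output ("Would restore {0}" -f $relative); continue }

    $dir = Split-Path -Parent $target
    if (-not (Test-Path -LiteralPath $dir)) {
        New-Item -ItemType Directory -Path $dir | Out-Null
    }
    Copy-Item -LiteralPath $lnk.FullName -Destination $target
    Write-Output ("Restored {0}" -f $relative)
}

if ($Apply) { Write-Output ("{0} shortcut(s) restored." -f $pending) }
else        { Write-Output ("{0} shortcut(s) would be restored; re-run with -Apply." -f $pending) }
```

Because the backup is older than the infection, anything installed after the image date will not be covered and still needs a hand-made shortcut; the warnings for missing targets also give a quick list of programs that were removed between the image and the cleanup.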
  15. Broni

    Broni Malware Annihilator Posts: 54,262   +383

    You may try to give it a shot.

    There is really no way to establish that.

    Now, onto final steps....

    1. Update your Java version here:

    Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

    Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

    2. Now, we need to remove old Java version and its remnants...

    Download JavaRa to your desktop and unzip it to its own folder
    • Run JavaRa.exe (Vista users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
    • Accept any prompts.


    Update Adobe Reader

    You can download it from
    After installing the latest Adobe Reader, uninstall all previous versions.
    Note. If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

    Alternatively, you can uninstall Adobe Reader (33.5 MB), download and install Foxit PDF Reader (3.5 MB) from HERE.
    It's a much smaller file to download and uses a lot less resources than Adobe Reader.
    Note: When installing FoxitReader, make sure to UN-check any pre-checked toolbar, or any other garbage.


    Update Firefox to the latest 4.0 version.


    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      C:\Program Files\OGPlanet\CABAL Online\launcher\gateway\imgrepository.dll 
      E:\backup 10-10-10\backup 10-10-10.rar 
      G:\Program Files\OGPlanet\CABAL Online\launcher\gateway\imgrepository.dll
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • You will get a log that shows the results of the fix. Please post it.


    Your computer is clean

    1. We need to reset system restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create a fresh, clean restore point, using the following OTL script:

    Run OTL

    • Under the Custom Scans/Fixes box at the bottom, paste in the following:

    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • Post resulting log.

    2. Now, we'll remove all tools, we used during our cleaning process

    Clean up with OTL:

    • Double-click OTL.exe to start the program.
    • Close all other programs apart from OTL as this step will require a reboot
    • On the OTL main screen, press the CLEANUP button
    • Say Yes to the prompt and then allow the program to reboot your computer.

    If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

    3. Make sure, Windows Updates are current.

    4. If any Trojan was listed among your infection(s), make sure, you change all of your on-line important passwords (bank account(s), secured web sites, etc.) immediately!

    5. Download, and install WOT (Web OF Trust): It'll warn you (in most cases) about dangerous web sites.

    6. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.

    7. Run Temporary File Cleaner (TFC) weekly.

    8. Download and install Secunia Personal Software Inspector (PSI): The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Run it weekly.

    9. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
    The Update Checker will scan your computer for installed software, check the versions and then send this information to to see if there are any newer releases.

    10. Run defrag at your convenience.

    11. Read How did I get infected?, With steps so it does not happen again!:

    12. Please, let me know, how your computer is doing.
  16. palouse

    palouse TS Rookie Topic Starter


    Thank you for your help. Cut and paste of shortcut Programs file from G:\...\All Users worked well enough. I will update OS. I deleted the .rar file.

    OTL logs:

    All processes killed
    ========== OTL ==========
    ========== SERVICES/DRIVERS ==========
    ========== REGISTRY ==========
    ========== FILES ==========
    File\Folder C:\Program Files\OGPlanet\CABAL Online\launcher\gateway\imgrepository.dll not found.
    G:\Program Files\OGPlanet\CABAL Online\launcher\gateway\imgrepository.dll moved successfully.
    ========== COMMANDS ==========


    Registry entries deleted on Reboot...
  17. Broni

    Broni Malware Annihilator Posts: 54,262   +383

    Yes!!
    Good luck and stay safe :)