System Restore Fails - Only Works In Safe Mode

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by momofbaby949597, Mar 10, 2007.

  1. momofbaby949597

    momofbaby949597 Private E-2

    Hi everyone. My computer is causing me trouble. My system restore fails every time I use it, although if I get into safe mode it works fine. I know this is not supposed to be that way. Also, when I try to get into safe mode, sometimes I have to reboot the computer a couple of times because my keyboard fails to operate to put in the password. I went through the READ & RUN ME guide and I'm including my scans.
     

  2. momofbaby949597

    momofbaby949597 Private E-2

    Here's the others.
     

  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  4. momofbaby949597

    momofbaby949597 Private E-2

    Thanks Chaslang for responding. I ran the rustbfix.exe. It did not find the Rustock.b Rootkit. It only gave me one log which I've attached.
     

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay let's be sure about that! Please run this AVG Anti-Rootkit and attach a log from it.
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    After attaching the log from AVG AntiRootkit, do the below too.

    Uninstall the below old versions of software:
    Java 2 Runtime Environment, SE v1.4.2_03

    Also delete the below folder:
    C:\Documents and Settings\Tracy Raczak\Local Settings\Application Data\Viewpoint

    Now copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.

    Now let's run an additional scanning tool:
    1. Download this file - combofix.exe
    2. Double click combofix.exe & follow the prompts.
    3. When finished, it will produce a log for you. Attach this log to your next reply.
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    Now attach the below new logs and tell me how the above steps went.
    1. ComboFix log
    2. GetRunKey
    3. ShowNew
    4. HJT
    Make sure you tell me how things are working now!

    Is there a reason why you did not attach the log from PandaActiveScan?
     
  7. momofbaby949597

    momofbaby949597 Private E-2

    OK Sorry it took me so long to get back to you and thank you again for your time!

    Anyway, I

    1. ran the AVG Anti rootkit and it found nothing. I'd send the log you asked for but I didn't see where it saved a log.

    2. Uninstalled Java 2 Runtime Environment, SE v1.4.2_03 and deleted C:\Documents and Settings\Tracy Raczak\Local Settings\Application Data\Viewpoint

    3. I did the FixME.reg

    4. I did the combofix.exe

    Attached are the new logs. I will try to post the PandaActive Scan again if I can but it says that it is already attached to another post I made about the portscan issue.
     

  8. momofbaby949597

    momofbaby949597 Private E-2

    Here's the HJT log.
     

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    How are things working? Are you having any malware problems?
     
  10. momofbaby949597

    momofbaby949597 Private E-2

    If you want to know if my system restore works...I haven't tried it yet because I was waiting to hear back from you. Do you want me to see if it works?
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No! First do the below! Your problem with System Restore may not be malware.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0\bin\jusched.exe
    O4 - Startup: PowerReg Scheduler.exe

    After clicking Fix, exit HJT.

    You can now delete the below files on your Desktop!
    avgarkt-beta-1.1.0.29.exe
    ComboFix.exe
    fixME.reg
    rustbfix.exe

    Also delete the below folder:
    C:\Program Files\Common Files\Viewpoint

    Now attach the below new logs and tell me how the above steps went.

    1. ShowNew
    2. HJT


    Make sure you tell me how things are working now!
     
  12. momofbaby949597

    momofbaby949597 Private E-2

    OK, I ran HijackThis and had it fix the lines you told me. I removed the files from my desktop and I deleted the Viewpoint folder. Here are my logs.
     

  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your logs are clean. If you are not having any other malware problems, it is time to do our final steps given below. When you get to step 8 we may know more about System Restore.
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    5. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    6. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    7. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created.
    8. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work through the below link:
     
  14. momofbaby949597

    momofbaby949597 Private E-2

    Ok Its good to know I'm clean. Is it possible to use the system restore now just to see if it works?
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you follow all of the steps given in my previous message, including step 8? If so, did step 8 work without any error messages?

    If it did you should only have one restore point from the last reboot of today.
     
  16. momofbaby949597

    momofbaby949597 Private E-2

    Yes I did all your steps and I only have one restore point. Does that mean I have to wait till like say tomorrow when I have another restore point to see if it works? Cause if it still doesn't work will you throw me over to the software people to help fix it?
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes and yes! ;) But when you tried to use it previously, how far did you get before you realized it was not working?
     
  18. momofbaby949597

    momofbaby949597 Private E-2

    I would get all the way till the computer rebooted and it would give me the error that my system cannot be restored to that point. I tried that on all the restore points and all give me the same error message. I could however restore in safe mode.
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! Give it another try after another reboot and see what happens. If you get an error message, you should write down the EXACT error message to give to the people in the Software Forum.
     
  20. momofbaby949597

    momofbaby949597 Private E-2

    Chaslang, I have two other accounts on this computer for my kids. Could the problem be in their accounts? Do those need to be looked at separately?
     
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Not for your System Restore problems! Did you actually already verify that you still have problems? Did you get an error message?

    As far as malware checking is concerned, yes, each account must be checked separately. You don't need to re-run BitDefender and PandaActive on the other accounts though. Only the other tools would need to be run.
     
  22. momofbaby949597

    momofbaby949597 Private E-2

    I'm going to wait until tomorrow morning to see if the system restore will work. I would like to see if my 13-year-old's account is fine, but I will also work on that tomorrow. My troubles began a few weeks ago when the 13-year-old was on the computer. I started getting portscan warnings from my Norton. I realized too, after a few days, when I tried a system restore to solve my issue, that it gave me the error and wouldn't restore the computer back to any of the old restore points. When I posted here then about the portscans I got a few responses but no step by step instructions that I understood to solve the issue. I thank you again for your help and your step by step instructions. Hope to see you here again tomorrow.
     
  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Let me know your results with System Restore but you may have to work them in the Software Forum if it still fails to work.
     
  24. momofbaby949597

    momofbaby949597 Private E-2

    Chaslang..HELP!!! After my last message I got off the computer last night. Got back on this morning to see if you had responded. Shut it back down to go to work and now as I try to get on I can only get on in Safe Mode and that is running really SLOOOOOOOOW! The computer hangs up at the Windows XP screen. I'm at a loss of what to do now!!!! I will do nothing until I hear from you.
     
  25. momofbaby949597

    momofbaby949597 Private E-2

    Chaslang I'm back with bigger problems!
     
  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    What has been done on the PC since around message #22?

    Did you experiment with System Restore?

    You may be looking at a reinstall or possibly a repair. It is possible that somehow your registry was corrupted and that it is the reason for your boot up problems.

    Have you tried logging into different user accounts in normal boot mode?

    Since your PC was clean at message #13, I don't believe your problems are due to malware. That is, unless old restore points were never removed and you restored to a point in time where your PC was infected.
     
  27. momofbaby949597

    momofbaby949597 Private E-2

    No I did not play around with the system restore since I still only have the restore point that was created after we went through my logs. The only thing that was done on the computer before I had problems was I printed something for work from Microsoft Publisher. I'm starting to agree that my problems are with the Operating System and not malware. Can anyone here help me with that?
     
  28. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Have you tried to do a System Restore to that single point now? If not, give it a try and see if it helps (or if System Restore even works at all).
     
  29. momofbaby949597

    momofbaby949597 Private E-2

    I'm back. I booted up the computer and I can now get onto my account although it is extremely slow. I also get the following alert:

    NotifyAlert.exe-Common Language Runtime Debugging Service
    Application has generated an exception that could not be handled.
    Process id = 0xb0(176)
    Thread id = 0xbc(188)
    Click OK to terminate application
    Click Cancel to debug the application

    When I clicked Cancel I got another Alert:

    NotifyAlert.exe - No debugger found
    Registered JIT debugger is not available. An attempt to launch a JIT debugger with the following command resulted in error code of 0x2(2). Please check computer settings
    cordbg.exe !a 0xb0
    Click on Retry to have the process wait while attaching a debugger manually
    Click on Cancel to abort the JIT debug request

    I tried to restore from safe mode. It went through the restore motions and rebooted the computer on its own. But when I got back into my account I got the following message:

    Restoration Incomplete
    Your computer cannot be restored to: Sunday, March 11, 2007 System Checkpoint
    No changes have been made to your computer. To choose another restore point, restart System Restore.

    Is any of this making sense? If it is my operating system I'd like to try a repair before I have to do a reinstall.
     
  30. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    None of this is malware related so you will have to continue in the Software Forum. I do suggest that you have HJT fix the below two unnecessary items from Dell which may remove the problems with notify-alert.


    O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe


    You may also want to see the below since Norton could be the cause of your problem with System Restore:

    http://service1.symantec.com/SUPPORT/sharedtech.nsf/pfdocs/2005113009323013
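The HijackThis lines chaslang has the poster fix in messages #11 and #30 are all triaged the same way: an O2 BHO reported as "(no file)" is a registration whose DLL is already gone, and an O4 Run entry is judged by whether the executable it points at still exists and is something the user needs. The script below is an added example (not a MajorGeeks or HijackThis tool) that parses those O2/O4 lines and applies that rule. The disk lookup is a constructed table (KNOWN_FILES) standing in for the real file system so it runs anywhere; on a live Windows machine you would pass `os.path.exists` as the `exists` argument instead.

```python
"""Triage HijackThis-style O2 (BHO) and O4 (autorun) log lines.

Added example for this thread; not a MajorGeeks or HijackThis tool.
Rule applied: a BHO listed as "(no file)" or whose DLL is missing is an
orphaned registration, and a Run entry whose target is missing from disk is
dead weight.  KNOWN_FILES is a constructed stand-in for the disk.
"""
import re
from dataclasses import dataclass
from typing import Callable, List, Optional

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>.+?): (?:\[(?P<name>[^\]]+)\] )?(?P<cmd>.*)$")

# Constructed inventory of files "present on disk" for this demo (lower-cased,
# because Windows paths are case-insensitive).
KNOWN_FILES = {
    r"c:\program files\quicktime\qttask.exe",
    r"c:\program files\java\jre1.6.0\bin\jusched.exe",
    r"c:\program files\dell\media experience\dmxlauncher.exe",
    r"c:\program files\common files\dell\eusw\support.exe",
}


def demo_exists(path: str) -> bool:
    """Stand-in for os.path.exists: case-insensitive lookup in KNOWN_FILES."""
    return path.lower() in KNOWN_FILES


@dataclass
class Entry:
    kind: str      # "O2" or "O4"
    hive: str      # "BHO", "HKLM\..\Run", "Startup", ...
    name: str
    clsid: str     # only meaningful for O2; "" otherwise
    target: str    # DLL path (O2) or executable path (O4)
    verdict: str   # "orphaned", "present" or "unknown"


def exe_from_cmd(cmd: str) -> str:
    """Pull the executable path out of a Run-key command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                      # quoted path, maybe followed by arguments
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(?i)(.+?\.exe)(?:\s|$)", cmd)  # unquoted path that may contain spaces
    return m.group(1) if m else cmd.split()[0]


def parse_line(line: str, exists: Callable[[str], bool] = demo_exists) -> Optional[Entry]:
    """Parse one O2/O4 line; other HJT sections return None."""
    line = line.strip()
    m = O2_RE.match(line)
    if m:
        path = m.group("path")
        verdict = "orphaned" if path == "(no file)" or not exists(path) else "present"
        return Entry("O2", "BHO", m.group("name"), m.group("clsid"), path, verdict)
    m = O4_RE.match(line)
    if m:
        hive = m.group("hive")
        exe = exe_from_cmd(m.group("cmd"))
        if hive == "Startup":
            # HJT lists Startup-folder items by file name only, so there is no path to check.
            verdict = "unknown"
        else:
            verdict = "present" if exists(exe) else "orphaned"
        return Entry("O4", hive, m.group("name") or exe, "", exe, verdict)
    return None


def triage(lines, exists: Callable[[str], bool] = demo_exists) -> List[Entry]:
    return [e for e in (parse_line(l, exists) for l in lines) if e is not None]


def removal_candidates(entries) -> List[str]:
    """Entries a cleanup would normally have HJT fix: orphaned registrations."""
    return [e.clsid or e.name for e in entries if e.verdict == "orphaned"]


# The lines quoted in messages #11 and #30 of this thread.
SAMPLE_LINES = [
    r"O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)",
    r"O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)",
    r'O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime',
    r"O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0\bin\jusched.exe",
    r"O4 - Startup: PowerReg Scheduler.exe",
    r"O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe",
    r"O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe",
]

if __name__ == "__main__":
    entries = triage(SAMPLE_LINES)
    for e in entries:
        print(f"{e.kind} {e.verdict:9} {e.name!r:24} -> {e.target}")
    print("orphaned, fix with HJT:", removal_candidates(entries))
```

Only the two "(no file)" BHOs come out as orphaned; the QuickTime, Java and Dell items are present on the constructed disk, so whether to remove them is a judgement about whether the software needs to start at boot (which is exactly the call chaslang makes above), not something the script decides for you.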
     
  31. momofbaby949597

    momofbaby949597 Private E-2

    I have no idea what went on yesterday morning with the computer, but as the day progressed it seems to be back to where we left it after checking the logs. I think I'm going to remove my Norton since I feel these issues began with it giving me portscan issues from my modem. You gave some steps for removing Norton to Amandalynn on another post:

    "Norton can often be just as bad as malware to get removed. Here is what I would suggest:
    Reboot just before doing the below but DO NOT run anything other than these steps
    shut down all other applications (every thing in the tray ...etc) including antispyware tools
    goto add/remove programs and uninstall all Symantec and Norton software
    reboot and take a quick peek at your HJT log for anything left over from Symantec or Norton.
    if there are left overs run this: Norton Removal Tool (SymNRT)
    then reboot and check another HJT log. If you still have things from Symantec or Norton you may need help from us to remove because often times they are services which must be stopped and disabled before they can be deleted."

    My only question would be: what would you suggest I use to replace it?
     
  32. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    What I gave you in message #13 in the How to Protect yourself from malware! link are our suggestions.

    You should download (but not install) the tools you plan on using before you uninstall Norton. Then uninstall Norton while not connected to the internet. Once it is completely removed (and make sure you look at your HJT log and even look at the uninstall list at the end of a ShowNew log for Symantec and Norton items) then you can install your new tools (like AVG Free and ZoneAlarm are two good choices for antivirus and firewall). Once your protection is back in place, you can reconnect to the internet.
     
