Uh Oh...Problem in _restore...Help please?

Hello folks,
Sorry, but 'Problem Time' again! I am running Win XP Pro on a 2.1+ Athlon with 524Meg & 60 gig Hard drive.

My AVG 6.0 (updated 13/05/04 ) Resident Shield picks up on Win32/Hidrag virus when the system goes into power save mode. It identifies the location as
C:\System Volume Information\_restore{0020CE5C-D8FF-4F4B-8342-7FB9311B44DF}\RP27\A0005797.exe

It asks me to run the AVG Test but then it doesn't pick up on it.

B****y thing is blue screen crashing left right & centre too!

Anyone able to tell me what I need to do to fix this, please?

TIA

Klutz.

 

Hi Klutz
You need to disable system restore, reboot and then scan for viruses, once you are sure you are clean you can re-enable System restore

How to disable/enable System Restore
http://www.majorgeeks.com/vb/showthread.php?p=342176#post342176


Some info on that virus
http://www.viruslibrary.com/virusinfo/Win32.Hidrag.htm

 

Many thanks, General, for the prompt and concise reply.


Much appreciated.


Is it likely that this virus is causing the frequent blue screen STOP crashes?

TIA

Klutz

 

That we cant be sure about, the virus does attack and corrupt all EXE files it can find on your C: drive so yes this could cause the Blue screen behaviour, espicially if the BSODs are a recent event

First things first get that virus cleaned up and we can take it from there

If after cleaning the virus, you still expierence BSODs try to get as much information off the screen as possible as this can help locate and solve the problem, you could also check your event viewer for errors at the time of these crashes..
Start--Run--Type eventvwr.msc--ok

 

OK tried it....

Possibly from bad to worse!..........Disabled 'System Restore' OK.......Lost all restore points.

Rebooted.....Ran AVG 6.0........It didn't pick up anything!

Did a file search for svchost.exe & found it in 'System32'

It wouldn't let me delete it, but did let me change its name to 'svchosta'

Great.....Now it appears I have doubled my problem, as not only can I not delete the original file but also the new 'svchosta' I have created for myself.

I think I am getting deeper!

Klutz.

 

The General appears to be away atm, so...

Yes, you lost your restore points, but they were infected, so no loss there.

The svchost.exe associated with the virus would be in your C:\Windows folder, the one in C:\Windows\System32 is a valid windows file, so if you can't rename it back windows file protection has probably already replaced it. No biggie.

If there's not a svchost.exe in C:\Windows then that's a good thing, AVG may have already cleaned it from there. Do you have AVG updated to the latest definitions?

It wouldn't hurt to get a second opinion from this online scanner:
http://housecall.trendmicro.com

If they both don't find anything then I'd say you're clean. The next step is to wait for that BSOD to happen again and post the info displayed so we can figure that out.

Sound like a plan?


[Edit] Ok I just saw that you do have AVG updated. Good job

 

Ok Alan,

Thanks for your input. Much appreciated! :0)

I checked the C:\Windows folder.......No svchost.exe

I do have svchost & svchosta ( :0/ hmmmm) in \System32

AVG 6.0 ran again & picked up zero.

Did the Trend Housecall yesterday......It found 4 items in the Java file & zapped them. No reference to Hidrag from there though.

Do you reckon I am safe enough to re-enable system restore?

TIA

Klutz

 

Don't worry about that svchosta file, next time you reboot try Safe Mode (tap F8 while booting) and maybe you can delete it from there.

I'd try Housecall again before you enable System Restore, if it says you're clean then enable it and create a restore point for your peace of mind.

 

If housecall says youre clean hopefully that means you ARE clean. Another thing I'd recomend you do is to get the XP CD and do a "sfc /scannow" from the command prompt. That should overwrite any corrupted files that the virus created.

And the reason youve got 2 svhost files is that when you re-named it... it then wondered where the svhost file went and made a new one. Ahh yes, windows file protection.....

 

Very good suggestion, Goldy

Do that before you reboot Klutz.

 

Thanks very much for the help, Folks.......

This place is worth it's weight in chips...... ( Silicon...Gambling....Snacks.....Make your own choice! :0) )

Hmmm...OK, then...

Disk wasn't supplied with system..... :0(

Will that 'svchosta' I inadvisedly created in System32 do any harm if I leave it be? :0/

I have installed & run Reg First Aid & picked about 300 bad references. Hopefully that might sort the BSOD problem.......I'll let you know!

I ran HouseCall & it came up clean...

Should I re-enable System Restore now, do you think?

Thanks again for the help, Guys!

Klutz.

 

Well... if you re-enabled sys restore now, then did some reg-cleaning and other scanning etc... to get your machine back up to speed, you can always go back if one of those processes fails. Then i would make another restore point after youve optimised.

I really hate it when people dont supply at least the OEM cd with a system... grrrr...

 

OK...Many thanks for the help, Folks!

I got a 'Your System has recovered from a major fault', when I re-booted.

Klutz.

 

That'll happen after some BSODs. Thats quite normally really. Have you tried checking the event manager?
Run -> eventvwr.msc -> Ok.

Have a look in there for any red crossed with "Error" written next to them, and give us ones that you think might be relevant.

 

OK I have had a look in there......

There doesn't seem to be much in the way of errors listed since I , with a lot of help from my friends ;0) , managed to knock it back into some kind of decent shape.

It seems to be running a lot quicker again now :0)

More like when I first had it.

Can't see anything there that says.......'Hey I'm a big problem....Over here!!'

Thanks again,

I'll squawk if anything untoward rears it's head!

Klutz :0)

 

Hey..

I managed to delete that 'svchosta' file I inadvertantly created. I suppose after a reboot it wasn't using it so it let me delete it straight from Windows.

I thought I would let you know in case:

a) Another Klutz comes along with a similar problem.

or..

b) I forget & do it again............... & have to ask here! :0D

Thanks a Million, guys!

Klutz :0)

 

Thank you very much for the update !! I find that all too many problems here are left unresolved and the user finds the solution and neglets to post it.

Oh and congratz on the tuneup

 

Hi again, Folks!

Just had another BSOD :0(

DRIVER IRQL NOT LESS OR EQUAL

Any ideas, please?

TIA

Klutz.

 

Hi klutz
was there a driver listed with that BSOD at all?

cause that could be many things
http://www.microsoft.com/resources/...Windows/XP/all/reskit/en-us/prmd_stp_czgw.asp

ive evn seen that on a machine where the ram has gone bad

 

No, General, there wasn't...

Prior to our rescue attempts the usual error message was (IIRC)

IRQL NOT LESS THAN OR EQUAL

Which is of course, even less specific.

I am getting the full quota of memory read on boot up. (520 odd meg)

BTW On one of system analysis runs I found out that the memory on my GA-7VAX mother board is capped at one meg. How & why? :0/

TIA

Klutz.

 

i would suggest running a memory test to make sure its not failing espicially if you getting IRQL NOT LESS THAN OR EQUAL
get memtest here
http://www.majorgeeks.com/download4226.html

if you click on the authors name it will take you to his site with detailed instructions on how to use

 

Thanks very much, General.

I'll do that......

 

OK I ran one pass....

It came up error free :0)

Gotta be good news....Right?

Klutz.

 

Hmmm......

Another BSOD......

Not seen this error mesage before though.....

PAGE FAULT IN NON PAGED AREA

Anyone any further ideas, please?

Klutz