Help !!! System Restore

Chip

I have been running malware, virus, register cleans, etc and after I ran all
these programs, I wanted to do a new System Restore. I clicked on
Accessories, System Tools, System Restore and nothing happened. I did it
several times and it doesn't seem like it's there.

BTW I also changed some settings in msconfig, but didn't change any
Microsoft settings.

Any help? Thanks !!!
 
Don Phillipson

I have been running malware, virus, register cleans, etc and after I ran all
these programs, I wanted to do a new System Restore. I clicked on
Accessories, System Tools, System Restore and nothing happened. I did it
several times and it doesn't seem like it's there.

Some 3d-party malware shields disable MS System Restore
(see archives of this newsgroup.) There are workarounds
for some such software but not all.
 
Jim

I have been running malware, virus, register cleans, etc and after I ran all
these programs, I wanted to do a new System Restore. I clicked on
Accessories, System Tools, System Restore and nothing happened. I did it
several times and it doesn't seem like it's there.

BTW I also changed some settings in msconfig, but didn't change any
Microsoft settings.

Any help? Thanks !!!

Norton will also knock system restore out.
 
Jose

I have been running malware, virus, register cleans, etc and after I ran all
these programs, I wanted to do a new System Restore.  I clicked on
Accessories, System Tools, System Restore and nothing happened.  I did it
several times and it doesn't seem like it's there.

BTW I also changed some settings in msconfig, but didn't change any
Microsoft settings.  

Any help?     Thanks !!!

Start here to figure out what it isn't:

Download, install, update and do a full scan with these free malware
detection programs:

Malwarebytes (MBAM): http://malwarebytes.org/
SUPERAntiSpyware: (SAS): http://www.superantispyware.com/

They can be uninstalled later if desired.



Then, you can determine if the shortcut or the program is broken and
react accordingly.

When you click the SR shortcut it runs: %SystemRoot%\system32\restore\rstrui.exe

So, click Start, Run and paste that command in the box, click OK and
see what happens.

"Nothing happens" as a description won't get you too far (unless
nothing really happens). Please try to do better if possible.

A fairly common and generally easy to fix SR issue after a malware
attack is an empty white box where SR should be.
 
Tim Meddick

Check that the 'System Restore Service' is active (started) and that its 'start-up
type' is set to 'Automatic'

Check this by starting "Local Services" on your 'Administrative Tools' menu on the
'Start Menu' or type the following into the "Run" box on the 'Start menu' :

mmc.exe c:\windows\system32\services.msc

Down the list to the 'System Restore Service', and double-click on it to bring up
its properties.

Also, it may be worth checking that both the executable (.exe) file is present, and
that the shortcut to it you tried to use is correctly pointing to it.

The 'System Restore' program location is: c:\windows\system32\restore\rstrui.exe

==

Cheers, Tim Meddick, Peckham, London. :)
 
Chip

Here is a better description of the problem: I go to Start, Accessories,
System Tools, and System Restore. The name 'System Restore' is there, but I
double-click on it and it does nothing.

I checked to see if the path was there and I followed it through. The icon
you suggested is still there, but I click on the .exe program and nothing
happens. Just seems like nothing is there except the icon.

Thanks.
 
Ken Blake, MVP

I have been running malware, virus,


Running malware and viruses is a very bad thing to do. What you should
run is *anti*-malware and *anti*-virus programs. <g>

Assuming that you meant *anti*-malware and *anti*-virus programs,
please tell exactly which ones you ran.

Did those programs find any malware on your system?

register cleans, etc


Leaving aside any attempt at humor, as in the first paragraph above,
this *is* a very bad thing to do. Registry cleaning programs are *all*
snake oil. Cleaning of the registry isn't needed and is dangerous.
Leave the registry alone and don't use any registry cleaner. Despite
what many people think, and what vendors of registry cleaning software
try to convince you of, having unused registry entries doesn't really
hurt you.

The risk of a serious problem caused by a registry cleaner erroneously
removing an entry you need is far greater than any potential benefit
it may have.

Read http://www.edbott.com/weblog/archives/000643.html


and after I ran all
these programs, I wanted to do a new System Restore.



Why? Doing so doesn't seem to mesh with running the other programs.
Are you having a problem? System Restore should only be run when you
are having a problem that you expect to respond to going back a few
days with System Restore.

I clicked on
Accessories, System Tools, System Restore and nothing happened. I did it
several times and it doesn't seem like it's there.


Do you run Norton Anti-virus? If so, that's likely the reason.


BTW I also changed some settings in msconfig, but didn't change any
Microsoft settings.



Exactly what did you change? Why?
 
Steve Winograd [MS-MVP]

Norton will also knock system restore out.

I don't know of any Norton product that prevents System Restore from
creating a restore point. If you do, please give us details.

Some Norton products have a feature called "Norton Product Tamper
Protection" that you have to disable before restoring your computer to
a previous time. Details here:

http://service1.symantec.com/SUPPORT/sharedtech.nsf/pfdocs/2005113009323013
--
Best Wishes,
Steve Winograd, MS-MVP (Windows Desktop Experience)

Microsoft Most Valuable Professional Program
http://mvp.support.microsoft.com
 
PA Bear [MS MVP]

There is a very good chance that you are seeing the effects of a hijackware
infection!

NB: If you had no anti-virus application installed or the subscription had
expired *when the machine first got infected* and/or your subscription has
since expired and/or the machine's not been kept fully-patched at Windows
Update, don't waste your time with any of the below: Format & reinstall
Windows. A Repair Install will NOT help!

1. See if you can download/run the MSRT manually:
http://www.microsoft.com/security/malwareremove/default.mspx

NB: Run the FULL scan, not the QUICK scan! You may need to download the
MSRT on a non-infected machine, then transfer MRT.EXE to the infected
machine and rename it to SCAN.EXE before running it.

2. [WinXP ONLY!! =>] Run the Windows Live Safety Center's 'Protection' scan
(only!) in Safe Mode with Networking, if need be:
http://onecare.live.com/site/en-us/center/howsafe.htm

3. Run a /thorough/ check for hijackware, including posting the requested
logs in an appropriate forum, not here.

Checking for/Help with Hijackware
http://aumha.net/viewtopic.php?f=30&t=4075
http://mvps.org/winhelp2002/unwanted.htm
http://inetexplorer.mvps.org/data/prevention.htm
http://inetexplorer.mvps.org/tshoot.html
http://www.mvps.org/sramesh2k/Malware_Defence.htm
http://www.elephantboycomputers.com/page2.html#Removing_Malware

**Chances are you will need to seek expert assistance in
http://spywarehammer.com/simplemachinesforum/index.php?board=10.0,
http://www.spywarewarrior.com/viewforum.php?f=5,
http://www.dslreports.com/forum/cleanup,
http://www.bluetack.co.uk/forums/index.php,
http://aumha.net/viewforum.php?f=30 or other appropriate forums as well.**

If these procedures look too complex - and there is no shame in admitting
this isn't your cup of tea - take the machine to a local, reputable and
independent (i.e., not BigBoxStoreUSA) computer repair shop.
 
Chip

I noted your humor...and you are correct.

I did not run Norton. I have ESET anti-virus. I ran Ad-aware and
Malwarebytes and they found nothing.

The reason I wanted to go to System Restore was to set a new restore point
as of now - after everything is working faster and CPU performance is great.

In msconfig I unchecked most of the Startup programs and a few of the
Services, but I did not touch any of the Windows services.

As I said, I have even taken the path to actual .exe program in System32
and nothing happens when I double-click it.
 
PA Bear [MS MVP]

PS: If you think your Registry needs to be "cleaned" or "repaired," read
http://aumha.net/viewtopic.php?t=28099 and draw your own conclusions.
There is a very good chance that you are seeing the effects of a
hijackware
infection!

NB: If you had no anti-virus application installed or the subscription had
expired *when the machine first got infected* and/or your subscription has
since expired and/or the machine's not been kept fully-patched at Windows
Update, don't waste your time with any of the below: Format & reinstall
Windows. A Repair Install will NOT help!

1. See if you can download/run the MSRT manually:
http://www.microsoft.com/security/malwareremove/default.mspx

NB: Run the FULL scan, not the QUICK scan! You may need to download the
MSRT on a non-infected machine, then transfer MRT.EXE to the infected
machine and rename it to SCAN.EXE before running it.

2. [WinXP ONLY!! =>] Run the Windows Live Safety Center's 'Protection'
scan
(only!) in Safe Mode with Networking, if need be:
http://onecare.live.com/site/en-us/center/howsafe.htm

3. Run a /thorough/ check for hijackware, including posting the requested
logs in an appropriate forum, not here.

Checking for/Help with Hijackware
http://aumha.net/viewtopic.php?f=30&t=4075
http://mvps.org/winhelp2002/unwanted.htm
http://inetexplorer.mvps.org/data/prevention.htm
http://inetexplorer.mvps.org/tshoot.html
http://www.mvps.org/sramesh2k/Malware_Defence.htm
http://www.elephantboycomputers.com/page2.html#Removing_Malware

**Chances are you will need to seek expert assistance in
http://spywarehammer.com/simplemachinesforum/index.php?board=10.0,
http://www.spywarewarrior.com/viewforum.php?f=5,
http://www.dslreports.com/forum/cleanup,
http://www.bluetack.co.uk/forums/index.php,
http://aumha.net/viewforum.php?f=30 or other appropriate forums as well.**

If these procedures look too complex - and there is no shame in admitting
this isn't your cup of tea - take the machine to a local, reputable and
independent (i.e., not BigBoxStoreUSA) computer repair shop.
I have been running malware, virus, register cleans, etc and after I ran
all
these programs, I wanted to do a new System Restore. I clicked on
Accessories, System Tools, System Restore and nothing happened. I did it
several times and it doesn't seem like it's there.

BTW I also changed some settings in msconfig, but didn't change any
Microsoft settings.

Any help? Thanks !!!
 
Jose

I noted your humor...and you are correct.

I did not run Norton.  I have ESET anti-virus.  I ran Ad-aware and
Malwarebytes and they found nothing.

The reason I wanted to go to System Restore was to set a new restore point
as of now - after everything is working faster and CPU performance is great.

In  msconfig  I unchecked most of the Startup programs and a few of the
Services, but I did not touch any of the Windows services.

As I said, I have even taken the path to actual  .exe   program in System32
and nothing happens when I double-click it.



Ken Blake said:
On Fri, 7 Aug 2009 08:21:01 -0700, Chip
Running malware and viruses is a very bad thing to do. What you should
run is *anti*-malware and *anti*-virus programs. <g>
Assuming that you meant *anti*-malware and *anti*-virus programs,
please tell exactly which ones you ran.
Did those programs find any malware on your system?
Leaving aside any attempt at humor, as in the first paragraph above,
this *is* a very bad thing to do. Registry cleaning programs are *all*
snake oil. Cleaning of the registry isn't needed and is dangerous.
Leave the registry alone and don't use any registry cleaner. Despite
what many people think, and what vendors of registry cleaning software
try to convince you of, having unused registry entries doesn't really
hurt you.
The risk of a serious problem caused by a registry cleaner erroneously
removing an entry you need is far greater than any potential benefit
it may have.
Why? Doing so doesn't seem to mesh with running the other programs.
Are you having a problem? System Restore should only be run when you
are having a problem that you expect to respond to going back a few
days with System Restore.
Do you run Norton Anti-virus? If so, that's likely the reason.
Exactly what did you change? Why?

If c:\windows\system32\restore\rstrui.exe will not run, COPY (not
rename) it to something else - chip09.exe or something like that and
then see if chip09.exe will launch when double clicked, a Start, Run,
or from a command window. This does not change the shortcut of
course.

If chip09.exe launches SR, you are still infected and rstrui.exe is
not being allowed to run.

If chip09.exe does not launch, the executable may be compromised so
search for another copy of rstrui.exe on your system and copy it into
c:\windows\system32\restore. Try again. Copy and try chip09.exe (it
must run in that folder).

Likely spots are:

c:\windows\servicepackfiles\i386
c:\windows\system32\dllcache
 
Chip

I have looked in all the locations you mentioned - didn't find any such
file. Can I get it from another PC? Should I repair Windows?


Jose said:
I noted your humor...and you are correct.

I did not run Norton. I have ESET anti-virus. I ran Ad-aware and
Malwarebytes and they found nothing.

The reason I wanted to go to System Restore was to set a new restore point
as of now - after everything is working faster and CPU performance is great.

In msconfig I unchecked most of the Startup programs and a few of the
Services, but I did not touch any of the Windows services.

As I said, I have even taken the path to actual .exe program in System32
and nothing happens when I double-click it.



Ken Blake said:
I have been running malware, virus,
Running malware and viruses is a very bad thing to do. What you should
run is *anti*-malware and *anti*-virus programs. <g>
Assuming that you meant *anti*-malware and *anti*-virus programs,
please tell exactly which ones you ran.
Did those programs find any malware on your system?
register cleans, etc
Leaving aside any attempt at humor, as in the first paragraph above,
this *is* a very bad thing to do. Registry cleaning programs are *all*
snake oil. Cleaning of the registry isn't needed and is dangerous.
Leave the registry alone and don't use any registry cleaner. Despite
what many people think, and what vendors of registry cleaning software
try to convince you of, having unused registry entries doesn't really
hurt you.
The risk of a serious problem caused by a registry cleaner erroneously
removing an entry you need is far greater than any potential benefit
it may have.

and after I ran all
these programs, I wanted to do a new System Restore.
Why? Doing so doesn't seem to mesh with running the other programs.
Are you having a problem? System Restore should only be run when you
are having a problem that you expect to respond to going back a few
days with System Restore.
I clicked on
Accessories, System Tools, System Restore and nothing happened. I did it
several times and it doesn't seem like it's there.
Do you run Norton Anti-virus? If so, that's likely the reason.
BTW I also changed some settings in msconfig, but didn't change any
Microsoft settings.
Exactly what did you change? Why?

If c:\windows\system32\restore\rstrui.exe will not run, COPY (not
rename) it to something else - chip09.exe or something like that and
then see if chip09.exe will launch when double clicked, a Start, Run,
or from a command window. This does not change the shortcut of
course.

If chip09.exe launches SR, you are still infected and rstrui.exe is
not being allowed to run.

If chip09.exe does not launch, the executable may be compromised so
search for another copy of rstrui.exe on your system and copy it into
c:\windows\system32\restore. Try again. Copy and try chip09.exe (it
must run in that folder).

Likely spots are:

c:\windows\servicepackfiles\i386
c:\windows\system32\dllcache
 
Tim Meddick

Jose,
I concur with your logic to test the file integrity of "rstrui.exe" by
copying and renaming.

However, it is not amongst the files covered by Windows File Protection and so would
not appear in the folder :

c:\windows\system32\dllcache

....But, could be copied (expanded) from the i386 folder on the XP installation cd-rom
(no extra service packs installed) :


expand x:\i386\rstrui.ex_ c:\windows\system32\restore\rstrui.exe


(where [x:] is replaced for your cd/dvd drive letter)

....or copied (directly) from the i386 folder within c:\windows\ServicePackFiles
folder (if a service pack has been installed after the original installation) :


copy c:\windows\ServicePackFiles\i386\rstrui.exe c:\windows\system32\restore


....then rename it from there.

==

Cheers, Tim Meddick, Peckham, London. :)




On Aug 7, 2:55 pm,
 
Newsgroup Honesty

Chip wrote:
| I have been running malware, virus, register cleans, etc and after I
| ran all these programs, I wanted to do a new System Restore. I
| clicked on Accessories, System Tools, System Restore and nothing
| happened. I did it several times and it doesn't seem like it's there.
|
| BTW I also changed some settings in msconfig, but didn't change any
| Microsoft settings.
|
| Any help? Thanks !!!

Jim wrote:
| Norton will also knock system restore out.

Steve Winograd [MS-MVP] wrote:
| I don't know of any Norton product that prevents System Restore from
| creating a restore point. If you do, please give us details.
|
| Some Norton products have a feature called "Norton Product Tamper
| Protection" that you have to disable before restoring your computer to
| a previous time. Details here:
|
|
http://service1.symantec.com/SUPPORT/sharedtech.nsf/pfdocs/2005113009323013


Would the following web page,
http://bertk.mvps.org/html/symantecdoc1.html, be something worth looking
at in reference to Symantec and System Restore issues?

--
Newsgroup Honesty
(e-mail address removed)

* People who are brutally honest get more
satisfaction out of the brutality than
out of the honesty. *
--
 
BillW50

In Steve Winograd [MS-MVP] typed on Fri, 07 Aug 2009 12:41:36 -0600:
I don't know of any Norton product that prevents System Restore from
creating a restore point. If you do, please give us details.

Hahaha, you are a gas Steve! You just started to use computers I see.
Well here is a tip, point your browser to http://www.google.com and
enter 'Norton System Restore problems' and see over 900,000 hits.
 
Jose

Jose,
        I concur with your logic to test the file integrity of "rstrui.exe" by
copying and renaming.

However, it is not amongst the files covered by Windows File Protection and so would
not appear in the folder :

c:\windows\system32\dllcache

...But, could be copied (expanded) from the i386 folder on the XP installation cd-rom
(no extra service packs installed) :

expand x:\i386\rstrui.ex_ c:\windows\system32\restore\rstrui.exe

(where [x:] is replaced for your cd/dvd drive letter)

...or copied (directly) from the i386 folder within c:\windows\ServicePackFiles
folder (if a service pack has been installed after the original installation) :

copy c:\windows\ServicePackFiles\i386\rstrui.exe c:\windows\system32\restore

...then rename it from there.

==

Cheers,    Tim Meddick,    Peckham, London.    :)


On Aug 7, 2:55 pm,




If c:\windows\system32\restore\rstrui.exe will not run, COPY (not
rename) it to something else - chip09.exe or something like that and
then see if chip09.exe will launch when double clicked, a Start, Run,
or from a command window.  This does not change the shortcut of
course.
If chip09.exe launches SR, you are still infected and rstrui.exe is
not being allowed to run.
If chip09.exe does not launch, the executable may be compromised so
search for another copy of rstrui.exe on your system and copy it into
c:\windows\system32\restore.  Try again.  Copy and try chip09.exe (it
must run in that folder).
Likely spots are:
c:\windows\servicepackfiles\i386
c:\windows\system32\dllcache

Acknowledged. Likely is the operative word!

It is here on my computer, but not on another - huh... It is for sure
in the servicepackfiles\i386 on all computers I checked.

Before embarking on more time consuming methods, you know my goal is
just to determine if the rstrui.exe is not allowed to run by name
alone or if the executable has been compromised. It must run from the
restore folder of course.

Troubleshooting time for this operation should be very quick and based
on the results, next steps taken.

If the OP has an XP CD, it can be expanded as you indicated. OPs
rarely seem to have this luxury, so I propose options that will not
require it. Expanding will result of course in rstrui.exe which still
may not run because of the name and then copying to a different name
will still need to be done.

Copying rstrui from another PC of the same type would achieve the same
results, but more efficient methods should be tried first.

Your:

copy c:\windows\ServicePackFiles\i386\rstrui.exe c:\windows\system32\restore
....then rename it from there.

is indeed an efficient method. Shades of regedit not launching
(nothing happens!) but a copy works just fine, easy to fix.

The OP has also not reported any results from running chip09.exe
either.

The association to Norton is a different issue altogether. In the
Norton scenario, SR at least launches, SR is executed but then says
restoration is incomplete... I have not read where Norton prevents SR
from launching or creating a new RP.

Here it sounds like SR doesn't even launch, so for the moment, I am
ruling out at least that particular Norton anomaly (which the OP also
says is not installed) - it is not the same symptom and it is not this
problem - provided the problem is being reported accurately...
 
Jose

Jose,
        I concur with your logic to test the file integrity of "rstrui.exe" by
copying and renaming.

However, it is not amongst the files covered by Windows File Protection and so would
not appear in the folder :

c:\windows\system32\dllcache

...But, could be copied (expanded) from the i386 folder on the XP installation cd-rom
(no extra service packs installed) :

expand x:\i386\rstrui.ex_ c:\windows\system32\restore\rstrui.exe

(where [x:] is replaced for your cd/dvd drive letter)

...or copied (directly) from the i386 folder within c:\windows\ServicePackFiles
folder (if a service pack has been installed after the original installation) :

copy c:\windows\ServicePackFiles\i386\rstrui.exe c:\windows\system32\restore

...then rename it from there.

==

Cheers,    Tim Meddick,    Peckham, London.    :)

Well, here is something...

I found rstrui.exe on my computer in c:\windows\system32\dllcache but
not on a fairly new one. WTH?

My computer has 400+ executables in c:\windows\system32\dllcache, the
other only had 28.

I have run sfc /scannow on my computer in the past (just to test it)
but never on the new one. I ran sfc /scannow on the new computer and
now the c:\windows\system32\dllcache folders match for executables -
including rstrui.exe - not there before.

According to a sort of old-by-date MS article http://www.microsoft.com/whdc/archive/wfp.mspx
covering 2000 and XP:

All SYS, DLL, EXE, and OCX files that ship on the Windows CD are
protected. True Type fonts--Micross.ttf, Tahoma.ttf, and Tahomabd.ttf--
are also protected.

What do you see on your system for executables in c:\windows\system32\dllcache
and have you ever run sfc /scannow on it?
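
The checks proposed across the thread (service state, file presence, comparison with the on-disk reference copies, and the copy-and-rename test), collected into one batch file. This is an added example, not part of any post; the service short name `srservice`, the Image File Execution Options lookup in step 4 and the label names are assumptions that go beyond what the posters wrote.

```batch
@echo off
rem Added triage example for the checks discussed in this thread (Windows XP paths
rem as quoted in the posts). Not written by any of the posters.
setlocal
set "SRDIR=%SystemRoot%\system32\restore"
set "SRBIN=%SRDIR%\rstrui.exe"
set "SPCOPY=%SystemRoot%\ServicePackFiles\i386\rstrui.exe"
set "CACHECOPY=%SystemRoot%\system32\dllcache\rstrui.exe"
rem Arbitrary test name taken from the thread; any unused name works.
set "TESTNAME=chip09.exe"

echo [1] System Restore Service state and start-up type
rem Assumption: the service short name on XP is srservice.
sc query srservice | find "STATE" || echo     service not found or not queryable
sc qc srservice | find "START_TYPE"

echo [2] Is the executable present?
if not exist "%SRBIN%" (
    echo     MISSING: %SRBIN%
    goto :sources
)
echo     present: %SRBIN%

echo [3] Byte-compare against reference copies already on disk
call :compare "%SPCOPY%"
call :compare "%CACHECOPY%"

echo [4] Is anything registered against the file NAME?
rem Assumption beyond the thread: a Debugger value under this key redirects every
rem launch of rstrui.exe, which matches "blocked by name, copy runs fine".
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe" /v Debugger >nul 2>&1
if errorlevel 1 (echo     no Debugger value for rstrui.exe) else (echo     Debugger value set for rstrui.exe: inspect it)

echo [5] Copy-and-rename test, run from the restore folder
copy /y "%SRBIN%" "%SRDIR%\%TESTNAME%" >nul
if errorlevel 1 (
    echo     copy failed
    goto :sources
)
start "" /d "%SRDIR%" "%SRDIR%\%TESTNAME%"
echo     If System Restore opened: the file is usable and is being blocked by name.
echo     If nothing opened: treat the file as damaged and use a copy listed below.

:sources
echo [6] Candidate replacement copies
if exist "%SPCOPY%" echo     %SPCOPY%
if exist "%CACHECOPY%" echo     %CACHECOPY%
echo     or expand rstrui.ex_ from the i386 folder of the XP CD
endlocal
goto :eof

:compare
rem Reports whether the live rstrui.exe matches the reference copy given as %1.
if not exist "%~1" (
    echo     no reference copy at %~1
    goto :eof
)
fc /b "%SRBIN%" "%~1" >nul
if errorlevel 1 (echo     DIFFERS from %~1) else (echo     identical to %~1)
goto :eof
```

Run it from a command prompt under an administrator account, and delete the test copy from the restore folder when finished.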
 
Peter Foldes

BillW50

Gas or no gas Steve's answer was correct. Norton does not stop system restore points
from being created. It only stops them from being accessed. Read and understand the
issue correctly before saying what you said along with the other answers in this
thread.

http://bertk.mvps.org/html/srfail.html
http://service1.symantec.com/SUPPORT/sharedtech.nsf/pfdocs/2005113009323013



--
Peter

Please Reply to Newsgroup for the benefit of others
Requests for assistance by email can not and will not be acknowledged.

BillW50 said:
In Steve Winograd [MS-MVP] typed on Fri, 07 Aug 2009 12:41:36 -0600:
I don't know of any Norton product that prevents System Restore from
creating a restore point. If you do, please give us details.

Hahaha, you are a gas Steve! You just started to use computers I see.
Well here is a tip, point your browser to http://www.google.com and
enter 'Norton System Restore problems' and see over 900,000 hits.
 
