missing system restore tab

[Sumo Wrestler (or just ate too much)]

Hello everyone. I've been to google and the microsoft
web sites, and everything I've tried to fix this problem
hasn't worked.

I have WinXP Pro, and I've recently removed malware
from my PC. My System Restore tab is missing.

Editing the registry doesn't work because "HKLM\Software\
Policies\Microsoft\Windows NT\SystemRestore" does not exist.
(The SystemRestore key does not exist under Windows NT).

Using GEDIT.MSC and going into Computer Configuration/
Administrative Templates/System/System Restore reveals
that both Turn Off System Restore and Turn Off Configuration
are set to Not Configured.

Starting and stopping the System Restore service in the
Control Panel does not help, and, from within CMD.EXE,
NET START says that the System Restore Service is running.

Evidently rstrui.exe has something to do with System Restore,
but when I try to run rstrui.exe from within CMD.EXE the
file cannot be found.

What do I do to get the System Restore tab back?

 

[David H. Lipman]

From: "Sumo Wrestler (or just ate too much)" <[email protected]>

| Hello everyone. I've been to google and the microsoft
| web sites, and everything I've tried to fix this problem
| hasn't worked.
|
| I have WinXP Pro, and I've recently removed malware
| from my PC. My System Restore tab is missing.
|
| Editing the registry doesn't work because "HKLM\Software\
| Policies\Microsoft\Windows NT\SystemRestore" does not exist.
| (The SystemRestore key does not exist under Windows NT).
|
| Using GEDIT.MSC and going into Computer Configuration/
| Administrative Templates/System/System Restore reveals
| that both Turn Off System Restore and Turn Off Configuration
| are set to Not Configured.
|
| Starting and stopping the System Restore service in the
| Control Panel does not help, and, from within CMD.EXE,
| NET START says that the System Restore Service is running.
|
| Evidently rstrui.exe has something to do with System Restore,
| but when I try to run rstrui.exe from within CMD.EXE the
| file cannot be found.
|
| What do I do to get the System Restore tab back?

This may have been the side effect of a virus.

Download the following REG file (stored in a ZIP file).
http://www.ik-cs.com/programs/virtools/WinXP-Restore_Cache_Fix.zip

Extract WinXP-Restore_Cache_Fix.reg file to the desktop. Double-Click on the .REG file to
fix the system.


Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

It is a self-extracting ZIP file that contains the Kixtart Script Interpreter {
http://kixtart.org Kixtart is CareWare } 4 batch files, 6 Kixtart scripts, one Link
(.LNK) file, a PDF instruction file and two utilities; UNZIP.EXE and WGET.EXE. It will
simplify the process of using; Sophos, Trend, Kasperski and McAfee Anti Virus Command Line
Scanners to
remove viruses, Trojans and various other malware.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode. This
way all the components can be downloaded from each AV vendor’s web site. The choices are;
Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file.

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

* * * Please report back your results * * *

 

[Sumo Wrestler (or just ate too much)]

From: "Sumo Wrestler (or just ate too much)" <[email protected]>

| I have WinXP Pro, and I've recently removed malware
| from my PC. My System Restore tab is missing.
[...]
Download the following REG file (stored in a ZIP file).
http://www.ik-cs.com/programs/virtools/WinXP-Restore_Cache_Fix.zip

Extract WinXP-Restore_Cache_Fix.reg file to the desktop. Double-Click on the .REG file to
fix the system.
[...]

Do I have to reboot afterward?

 

[Sumo Wrestler (or just ate too much)]

From: "Sumo Wrestler (or just ate too much)" <[email protected]>

| I have WinXP Pro, and I've recently removed malware
| from my PC. My System Restore tab is missing.
|

Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

Thanks David for the link. I do suspect that the malware
stole my System Restore tab, and I downloaded multi_av.exe.

Earlier today, I checked my system with Spybot Search and
Destroy (found Simfraud-C, WinAntiSpyware2005), AdAware
(found Alexa), Avast! (found Win32-Trojano [I haven't
been able to find out what this does]), and AVG (found
nothing).

So it seems that I had a dirty little group on my system

Also, thanks for the reg file. I'm looking at it with a text
editor, and when I get the courage to install it I'll try it
out.

 

[David H. Lipman]

From: "Sumo Wrestler (or just ate too much)" <[email protected]>


| Thanks David for the link. I do suspect that the malware
| stole my System Restore tab, and I downloaded multi_av.exe.
|
| Earlier today, I checked my system with Spybot Search and
| Destroy (found Simfraud-C, WinAntiSpyware2005), AdAware
| (found Alexa), Avast! (found Win32-Trojano [I haven't
| been able to find out what this does]), and AVG (found
| nothing).
|
| So it seems that I had a dirty little group on my system
|
| Also, thanks for the reg file. I'm looking at it with a text
| editor, and when I get the courage to install it I'll try it
| out.

I wish you stated this earlier !

I have a SmitFraud Removal tool. It is very comprehensive.

I do suggest rebooting after you merge the WinXP-Restore_Cache_Fix.reg file.

After you run the following, you do NOT need to run the McAfee module in the Multi AV
Scanning Tool as it would be redundant.



Download SmitFraud.exe from the URL -- http://www.ik-cs.com/programs/virtools/SmitFraud.exe

Execute; SmitFraud.exe { Note: You must accept the default of C:\McAfee }

Choose; Unzip
Choose; Close

NOTE: You may have to disable your software FireWall or allow FTP.EXE to go through your
FireWall to enable FTP.EXE to download the needed McAfee related files.

Execute; c:\mcafee\clean.bat

{ or Double-click on 'Clean Link' in c:\mcafee }

A final report in HTML format called C:\mcafee\ScanReport.HTML will be generated. At the end
of the scan, it will be displayed in your browser (Opera, FireFox or Internet Explorer). It
is suggested that you move the report out of c:\mcafee before performing another scan. It
would be a good idea to scan in Safe Mode and in Normal Mode and save a copy of the HTML
report for each session.

 

[Sumo Wrestler (or just ate too much)]

Download SmitFraud.exe from the URL --
http://www.ik-cs.com/programs/virtools/SmitFraud.exe

What does SmitFraud.exe do?

 

[Sumo Wrestler (or just ate too much)]

Download SmitFraud.exe from the URL -- http://www.ik-cs.com/programs/virtools/SmitFraud.exe

Execute; SmitFraud.exe { Note: You must accept the default of C:\McAfee }

Choose; Unzip
Choose; Close

NOTE: You may have to disable your software FireWall or allow FTP.EXE to go through your
FireWall to enable FTP.EXE to download the needed McAfee related files.

Execute; c:\mcafee\clean.bat

{ or Double-click on 'Clean Link' in c:\mcafee }

I got this response:

:: This computer is going to shut down. Close all applications ...
:: The mcaffe files were not found. The system is shutting down
:: so that you can restart in normal mode and use ??? to download
:: the mcaffe files.
(paraphrased)

This happened both when I clicked on 'Clean Link' in c:\mcaffe
and when I choose the 'Sophos' option from the C:\AV-CLS\STARTMENU.BAT.

 

[David H. Lipman]

From: "Sumo Wrestler (or just ate too much)" <[email protected]>


| I got this response:
|
| :: This computer is going to shut down. Close all applications ...
| :: The mcaffe files were not found. The system is shutting down
| :: so that you can restart in normal mode and use ??? to download
| :: the mcaffe files.
| (paraphrased)
|
| This happened both when I clicked on 'Clean Link' in c:\mcaffe
| and when I choose the 'Sophos' option from the C:\AV-CLS\STARTMENU.BAT.

NOTE: You may have to disable your software FireWall or allow FTP.EXE to go through your
FireWall to enable FTP.EXE to download the needed McAfee related files.

SmitFraud.exe removes the SmitFraud Trojan and its side installations.