Please Help System Restore


ÐïÅßö¥ø§©

I was trying to remove the Virtumonde spyware from my system. On the
Symantec site step 1 was to disable system restore. Done. Now I'm trying
to reenable it but it won't allow it. It says it encountered an error
trying to enable one or more drives, reboot and try again. Reboot didn't do
anything. I'm running XP Pro SP2. Does anyone know how to get it going
again?
 
ÐïÅßö¥ø§© said:
I was trying to remove the Virtumonde spyware from my system. On the
Symantec site step 1 was to disable system restore. Done. Now I'm trying
to reenable it but it won't allow it. It says it encountered an error
trying to enable one or more drives, reboot and try again. Reboot didn't do
anything. I'm running XP Pro SP2. Does anyone know how to get it going
again?

Reinstall System Restore:
1. Click Start, Run, In the Run box, type "C:\windows\inf" without the quotes and press enter.
2. Look for SR.INF and RightClick on it, then select "Install"

Follow the prompts, Reboot, and System Restore will be ready to use.
NOTE: If it asks for the Windows CD, point it to C:\WINDOWS\ServicePackFiles\i386
NOTE: If it asks for "srframe.mmf", point it to C:\WINDOWS\system32\dllcache
 
ÐïÅßö¥ø§© said:
I was trying to remove the Virtumonde spyware from my system. On the
Symantec site step 1 was to disable system restore. Done. Now I'm trying
to reenable it but it won't allow it. It says it encountered an error
trying to enable one or more drives, reboot and try again. Reboot didn't do
anything. I'm running XP Pro SP2. Does anyone know how to get it going
again?

See MVP Bert Kinney's System Restore pages:
http://bertk.mvps.org/index.html


For future reference: never, repeat never, repeat never disable System
Restore as part of the removal process for viruses or spyware. While
the restore archive may contain infected files these are totally
encapsulated there and cannot spread or reinfect the system unless and
until System Restore is actually used to set the system back to an
earlier, but still infected, time.

Once the infestation has been cleaned up and the system is operating
normally then it is prudent to purge the System Restore archive of the
restore points that contain infected files. However there is a safer
method of doing this. Rather than turning off System Restore you
should launch it and create a new manual restore point. Then run
Disk Cleanup and use the advanced options to delete all but the most
recent system restore point.

Disabling system restore, even for a short period, leaves you exposed
to avoidable risks. A usable system, even one that is infected with
a virus or spyware, is generally preferable to one that is unusable.

Good luck

Ron Martell Duncan B.C. Canada
--
Microsoft MVP (1997 - 2006)
On-Line Help Computer Service
http://onlinehelp.bc.ca

"Anyone who thinks that they are too small to make a difference
has never been in bed with a mosquito."
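
The sequence described in the post above (confirm System Restore is running, create a fresh manual restore point, and only then purge older points with Disk Cleanup) can be checked from a script. This is an added example, not part of the original thread; it assumes Windows PowerShell is installed on the XP machine and run as an administrator, and the restore point description is a constructed sample value.

```powershell
# Added example, not from the thread. Assumes Windows XP with PowerShell installed.
$ErrorActionPreference = 'Stop'

# 1. Confirm System Restore is on. On XP the on/off state is the DisableSR
#    registry value (1 = off) and the worker is the "srservice" service.
$key       = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore'
$disableSR = (Get-ItemProperty -Path $key).DisableSR
$svc       = Get-WmiObject -Class Win32_Service -Filter "Name='srservice'"
if ($disableSR -eq 1 -or $svc -eq $null -or $svc.State -ne 'Running') {
    throw "System Restore is not active (DisableSR=$disableSR, service state=$($svc.State)). Do not purge restore points."
}

# 2. Helper: highest restore point sequence number currently in the archive.
function Get-NewestSequence {
    $points = @(Get-WmiObject -Namespace root\default -Class SystemRestore)
    if ($points.Count -eq 0) { return 0 }
    ($points | Measure-Object -Property SequenceNumber -Maximum).Maximum
}

# 3. Create a manual restore point of the cleaned system.
#    Arguments: description, RestorePointType 0 (APPLICATION_INSTALL),
#    EventType 100 (BEGIN_SYSTEM_CHANGE).
$before = Get-NewestSequence
$sr     = [wmiclass]'\\.\root\default:SystemRestore'
$result = $sr.CreateRestorePoint('Post-cleanup baseline', 0, 100)
if ($result.ReturnValue -ne 0) {
    throw "CreateRestorePoint failed with code $($result.ReturnValue)."
}

# 4. Verify the new point really exists before anything older is deleted.
$after = Get-NewestSequence
if ($after -le $before) {
    throw 'No new restore point appeared in the archive. Keep the old ones.'
}

# 5. Show the archive; the last row is the point Disk Cleanup will keep.
Get-WmiObject -Namespace root\default -Class SystemRestore |
    Sort-Object SequenceNumber |
    Select-Object SequenceNumber, CreationTime, Description
```

Only after the new point shows up in the list is it safe to run Disk Cleanup's "delete all but the most recent restore point" option.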
 
Unk said:
Reinstall System Restore:
1. Click Start, Run, In the Run box, type "C:\windows\inf" without the
quotes and press enter.
2. Look for SR.INF and RightClick on it, then select "Install"

Follow the prompts, Reboot, and System Restore will be ready to use.
NOTE: If it asks for the Windows CD, point it to
C:\WINDOWS\ServicePackFiles\i386
NOTE: If it asks for "srframe.mmf", point it to
C:\WINDOWS\system32\dllcache

I want to send a warm thank you to Symantec for advising the customer to
disable system restore as step 1 in removing this particular spyware. Not
only did their removal tool not work, the registry entries they specify for
manual removal are non-existent, and upon another scan the spyware is still
alive and well. And to make it even better system restore is still down.
I went to sr.inf and did install. It asked for sr.sys and I pointed to
the i386 folder. Then it asked for srclient.dll. I had to search for this
one and found 6 different ones. Five of them were retry looped and didn't
work, the one that did was in the ServicePackUninstall folder. It warned me
that the one currently used was newer than the one I was trying to replace
it with OK or Cancel. No real choice so I hit OK...Install Failed
message...returned to desktop.
Got 3 popups just while I was typing this message. Still infected and
no restore now. Looks like the next time a restore is needed it'll be
format time again. Good thing I partition.
No chance a chkdsk /r after booting from the disc will help huh?
 
|> I was trying to remove the Virtumonde spyware from my system. On the
|>Symantec site step 1 was to disable system restore. Done. Now I'm trying
|>to reenable it but it won't allow it. It says it encountered an error
|>trying to enable one or more drives, reboot and try again. Reboot didn't do
|>anything. I'm running XP Pro SP2. Does anyone know how to get it going
|>again?

Read of your problem; you might think of using ERUNT:
http://www.larshederer.homepage.t-online.de/erunt/

If not alone then as a backup to restore. ERUNT only saves the
registry entries. How to use:
http://www.pcug.org.au/~boesen/ERUNT/ERUNT.htm

Now as to your malware problem (canned response):

Download and run Process Explorer:
http://www.sysinternals.com/Utilities/ProcessExplorer.html

Double-click on the process(es); reading its image and command line
will tell you where to find them. Stop the process and delete the
file/directory.

Run Regedit and search for the file name(s), deleting them as you find
them.

If you have questions about what a process is, right-click on the process
and select Google.
 
ÐïÅßö¥ø§© said:
I want to send a warm thank you to Symantec for advising the customer to
disable system restore as step 1 in removing this particular spyware. Not
only did their removal tool not work, the registry entries they specify for
manual removal are non-existent, and upon another scan the spyware is still
alive and well. And to make it even better system restore is still down.
I went to sr.inf and did install. It asked for sr.sys and I pointed to
the i386 folder. Then it asked for srclient.dll. I had to search for this
one and found 6 different ones. Five of them were retry looped and didn't
work, the one that did was in the ServicePackUninstall folder. It warned me
that the one currently used was newer than the one I was trying to replace
it with OK or Cancel. No real choice so I hit OK...Install Failed
message...returned to desktop.
Got 3 popups just while I was typing this message. Still infected and
no restore now. Looks like the next time a restore is needed it'll be
format time again. Good thing I partition.
No chance a chkdsk /r after booting from the disc will help huh?

An example of why Symantec products are fast becoming the most
uninstalled software in the history of computers.
 