Windows XP System Restore

ggalv

Right now, I am thinking of "maybe" doing a system restore to August 15,
which is before I got this: Trojan Horse Dropper.Agent.JOC in AVG Anti-Virus.
I have been doing some research and I am not sure if it's a "false positive"
and restore the file OR if it's an actual virus and delete the file from the
vault.

If I do a system restore to August 15 (which is pre SP3) do you know
approximately how long it would take?

THANKS.
 
ggalv

Yes, that restore point is available. Actually, I really didn't use my
computer for about two weeks or so. I am a little hesitant to do a
restore to that date because if it takes something like 2 hours or so, then I
feel there is the possibility of something going wrong. Does that make sense?

Right now that "knlwrap.exe" is in the Vault of AVG. Is there a way to
scan it with an online anti-virus software while in the Vault? THANKS
 
Unknown

Never heard of a restore taking two hours.
ggalv said:
Yes, that restore point is available. Actually, I really didn't use my
computer for about two weeks or so. I am a little hesitant to do a
restore to that date because if it takes something like 2 hours or so, then I
feel there is the possibility of something going wrong. Does that make sense?

Right now that "knlwrap.exe" is in the Vault of AVG. Is there a way to
scan it with an online anti-virus software while in the Vault? THANKS
 
Lem

ggalv said:
Yes, that restore point is available. Actually, I really didn't use my
computer for about two weeks or so. I am a little hesitant to do a
restore to that date because if it takes something like 2 hours or so, then I
feel there is the possibility of something going wrong. Does that make sense?

Right now that "knlwrap.exe" is in the Vault of AVG. Is there a way to
scan it with an online anti-virus software while in the Vault? THANKS

What is the actual name of the "infected" file? Why do you think it's a
false positive or want to restore the file? Have you been experiencing
any strange behavior since AVG "cleaned" this file?

The simplest way to re-scan the file, either by an online scanner or
another local a/v application, is to just use AVG to restore it. As long
as you don't actually let it *run*, it won't do anything to you just
sitting there.

You should also be able to point an online scanner at it even if it's in
the AVG vault. Different a/v apps deal differently with "quarantining"
infected files. Some put them in zip files and others rename them,
keeping the actual name and path in some database. I don't know where
AVG keeps its "vault". Try looking in "Documents and Settings\All
Users\Application Data\AVG" or something similar.


--
Lem -- MS-MVP

To the moon and back with 2K words of RAM and 36K words of ROM.
http://en.wikipedia.org/wiki/Apollo_Guidance_Computer
http://history.nasa.gov/afj/compessay.htm
 
ggalv

I did a restore on my other xp system, which did not have sp3 installed yet.
Basically I was trying to see if going back to August 11th would resolve some
of my advertisements showing the "The Page Cannot Be Displayed" instead of
the advertisement being displayed - BUT that is another story.

When I did the restore it renamed and also kept the original files:
mscms.dll to mscms(2).dll, es.dll to es(2).dll, shlwapi.dll to
shlwapi(2).dll, urlmon.dll to urlmon(2).dll and wininet.dll to
wininet(2).dll. So basically I have two files of each with different names.
Do you know why the files would be renamed? Wouldn't there be some confusion
with having for example mscms.dll and mscms(2).dll files? Which one is being
used?

Also, I did a restore to August 11th, this took about 25 minutes. After my
computer was restored I thought I would turn off my other computer and
restored the computer again to August 11th BUT this time it took about an
hour and twenty minutes. The computer was successfully restored both times. Do
you know why the second restore would take much longer? THANKS
 
Daave

Is the location C:\WINDOWS\system32 by any chance?

Check the properties of these .dll files. Are the ones with the (2)s
older files? If so, System Restore merely restored those old files.
Since the newer versions of those files all have the original names, the
newly restored older versions of these files get the (2)s added to their
names (since they're in the same folder and you can't have identical
file names in the same folder). I'm sure the older .dlls are safe to
delete.

But if I were you, I would just undo the System Restore(s) (which never
should have been done in the first place) -- especially if you made
significant changes (like installing programs or updates).
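An added check, not code from the thread, that does in PowerShell what Daave suggests: for each "name(2).dll" left in System32 it compares the file with its same-named sibling, reports which copy is older, and confirms whether any running process has either copy loaded. It assumes the duplicates follow the "(2)" naming pattern described above.

```powershell
# Added example, not from the thread: compare each "name(2).dll" that a
# System Restore left in System32 with its same-named sibling. Assumes the
# duplicates follow the "(2)" naming pattern described in the posts above.

$sys32 = Join-Path $env:SystemRoot 'system32'

function Get-DllPair {
    param([string]$DuplicatePath)
    $dup = Get-Item -LiteralPath $DuplicatePath
    # Strip the "(2)" suffix to get the name Windows actually resolves on load.
    $origName = $dup.Name -replace '\(2\)\.dll$', '.dll'
    $origPath = Join-Path $dup.DirectoryName $origName
    if (-not (Test-Path -LiteralPath $origPath)) { return $null }
    $orig = Get-Item -LiteralPath $origPath
    [pscustomobject]@{
        Original         = $orig.Name
        OriginalVersion  = $orig.VersionInfo.FileVersion
        OriginalWritten  = $orig.LastWriteTime
        Duplicate        = $dup.Name
        DuplicateVersion = $dup.VersionInfo.FileVersion
        DuplicateWritten = $dup.LastWriteTime
        # True in the situation Daave describes: the "(2)" copy is the older,
        # restored file and the original name still carries the newer version.
        DuplicateIsOlder = $dup.LastWriteTime -lt $orig.LastWriteTime
    }
}

function Test-ModuleLoaded {
    # DLLs are located by file name, so a "(2)" copy is never loaded in place
    # of the original; this confirms it by scanning live processes' module lists.
    param([string]$ModuleName)
    foreach ($p in Get-Process) {
        try {
            if ($p.Modules | Where-Object { $_.ModuleName -ieq $ModuleName }) { return $true }
        } catch { }   # protected processes refuse module enumeration; skip them
    }
    return $false
}

Get-ChildItem -LiteralPath $sys32 -Filter '*(2).dll' |
    ForEach-Object { Get-DllPair -DuplicatePath $_.FullName } |
    Where-Object { $_ -ne $null } |
    ForEach-Object {
        $_ | Format-List | Out-Host
        Write-Host ("Loaded by a running process: {0} -> {1}; {2} -> {3}" -f
            $_.Original, (Test-ModuleLoaded $_.Original),
            $_.Duplicate, (Test-ModuleLoaded $_.Duplicate))
    }
```

The LastWriteTime comparison is a heuristic; the FileVersion fields give the authoritative ordering when both copies carry version resources.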
 
ggalv

Yes, the files are in C:\Windows\system32. I checked all the files and yes
the ones with (2) after them are older files.

So you think I should undo the System Restore? How do I undo Both System
Restores that I did today? THANKS
 
ggalv

Today - In system restore, I went to "Undo Last Restoration" and the
system successfully reversed the Restore Operation that I performed at 5:55
yesterday (which was to August 11th). Then I tried to undo the first system
Restore that I did at 5:15 yesterday (which was to August 11th), but that was not
an option. The only available Restoration to Undo was the one I performed
today.

So, I tried to Restore my Computer To September 05, 2008 - System
Checkpoint, which was the day before I restored my computer twice to August
11th.

However I got a "Restoration Incomplete" when the computer booted up. It
said that the computer cannot be restored to Friday, September 05, 2008.
That No Changes Have Been Made To Your System. I had the option to Restart
System Restore by Pressing "Home". But I just pressed "OK" - And The
computer seems to be working fine.

Also I noticed that when I go to System Restore, only the month of September
is Available for restoration points (when I try to go back to August - It
does not go back).

Do you know why I got the "Restoration Incomplete"? Should I try to
Restore to September 05, 2008 (which was the day before I did the two system
restores to August 11th), BUT I got a "Restoration Incomplete" already?

Really Appreciate Your Help.
 
PA Bear [MS MVP]

[Please stop beginning new thread about your problems!]

Your machine is still infected! System Restore won't fix the problem, even
if it were working.
 
ggalv

This System Restore question is for what happened in my "other" computer. I
don't think it's right to say that my system is infected. One of my systems
did have the Trojan Horse Dropper.Agent.JOC - But it was a false positive. I
am just trying my best to work with what I see and some support from you
guys. I am not trying to inconvenience anyone. I really appreciate getting
advice from you guys.

PA Bear said:
[Please stop beginning new thread about your problems!]

Your machine is still infected! System Restore won't fix the problem, even
if it were working.
--
~Robear Dyer (PA Bear)
MS MVP-IE, Mail, Security, Windows Desktop Experience - since 2002
AumHa VSOP & Admin http://aumha.net
DTS-L http://dts-l.net/

Today - In system restore, I went to "Undo Last Restoration" and the
system successfully reversed the Restore Operation that I performed at 5:55
yesterday (which was to August 11th). Then I tried to undo the first system
Restore that I did at 5:15 yesterday (which was to August 11th), but that was not
an option. The only available Restoration to Undo was the one I performed
today.

So, I tried to Restore my Computer To September 05, 2008 - System
Checkpoint, which was the day before I restored my computer twice to August
11th.

However I got a "Restoration Incomplete" when the computer booted up. It
said that the computer cannot be restored to Friday, September 05, 2008.
That No Changes Have Been Made To Your System. I had the option to Restart
System Restore by Pressing "Home". But I just pressed "OK" - And The
computer seems to be working fine.

Also I noticed that when I go to System Restore, only the month of September
is Available for restoration points (when I try to go back to August - It
does not go back).

Do you know why I got the "Restoration Incomplete"? Should I try to
Restore to September 05, 2008 (which was the day before I did the two system
restores to August 11th), BUT I got a "Restoration Incomplete" already?

Really Appreciate Your Help.
 
Daave

ggalv said:
Today - In system restore, I went to "Undo Last Restoration" and the
system successfully reversed the Restore Operation that I performed at 5:55
yesterday (which was to August 11th). Then I tried to undo the first system
Restore that I did at 5:15 yesterday (which was to August 11th), but that was not
an option. The only available Restoration to Undo was the one I performed
today.

So, I tried to Restore my Computer To September 05, 2008 - System
Checkpoint, which was the day before I restored my computer twice to August
11th.

If you had successfully restored Windows back to how it was September 6,
you really should have just left it alone. But instead you tried to go
*backwards* to September 5!

Just leave well enough alone!

However I got a "Restoration Incomplete" when the computer booted up. It
said that the computer cannot be restored to Friday, September 05, 2008.
That No Changes Have Been Made To Your System. I had the option to Restart
System Restore by Pressing "Home". But I just pressed "OK" - And The
computer seems to be working fine.

Good. Leave it that way!

Also I noticed that when I go to System Restore, only the month of September
is Available for restoration points (when I try to go back to August - It
does not go back).

Don't worry about it.
 
ggalv

I just want to say that I really appreciate your time and advice.

Yesterday (September 6th) I did two restorations to August 11th, and I was
trying to undo both. The first one I did by doing the Undo Last
Restoration. The Undo Last Restoration is not available for the other one,
so that is why I tried to Restore to September 5th - I thought by doing that
it would serve the same purpose as undoing my two restores to August 11th.

My main concern is if I should try once more to restore my system to Sep 5th
(which was before I restored my computer to August 11th twice) OR If I should
keep what I have right now (which I did an "Undo Last Restoration" of one of
the Restores to August 11th BUT There was a "Restoration Incomplete" when I
tried to restore to September 5th AND I got the following message "the
computer cannot be restored to Friday, September 05, 2008. No Changes Have
Been Made To Your System"). Should I assume in my current state my system is
stable because "No Changes were Made To My System" BUT "The Restoration Was
Incomplete" kind of bugs me.

Thanks for your help.
 
Daave

Once more...

Although you had restored Windows back to August 11 *for no good
reason*, at least you have *successfully* restored Windows back to where
it was yesterday (September 6).

Don't do anything else. (There is *no logical reason* to go back
earlier -- even to the 5th.)

And stop worrying about it!
 
ggalv

Daave, PROMISE these will be my last questions for this topic, I just want to
get some clarification and knowledge. And promise I will not worry about
this anymore.

1. Yesterday, I did a Restoration at 5:15 to August 11th, I then did
another restoration at 5:55 to August 11th again. Today, I did an "Undo my
last restoration". So my system is restored to how it was before 5:15 -
meaning that my system is currently similar to August 11th, instead of
yesterday (Sep 6th).

2. In Sept 06, my system restore has the following: 5:55 PM Restore
Operation and then 5:15 PM Restore Operation. If I wanted to undo both
Restorations that I did yesterday, I should have "Restored my computer to an
earlier time" and selected 5:15 PM Restore Operation. Is that right? Does
the computer get restored to before the 5:15 Restore Operation occurred or
after?

3. When I got the "Restoration Incomplete" when the computer booted up, it
said that "No Changes Have Been Made To Your System". However, during the
Restore Process (which took about 1 hour), I am sure files were being
renamed, copied, moved etc. So is my system the same as it was prior to the
Restoration Attempt - meaning nothing was modified and all that stuff that was
going on for about an hour never really happened?

THANKS FOR ALL YOUR HELP.
 
Daave

ggalv said:
Daave, PROMISE these will be my last questions for this topic, I just
want to get some clarification and knowledge. And promise I will not
worry about this anymore.

1. Yesterday, I did a Restoration at 5:15 to August 11th, I then did
another restoration at 5:55 to August 11th again. Today, I did an
"Undo my last restoration". So my system is restored to how it was
before 5:15 - meaning that my system is currently similar to August
11th, instead of yesterday (Sep 6th).

2. In Sept 06, my system restore has the following: 5:55 PM Restore
Operation and then 5:15 PM Restore Operation. If I wanted to undo
both Restorations that I did yesterday, I should have "Restored my
computer to an earlier time" and selected 5:15 PM Restore Operation.
Is that right? Does the computer get restored to before the 5:15
Restore Operation occurred or after?

3. When I got the "Restoration Incomplete" when the computer booted
up, it said that "No Changes Have Been Made To Your System". However,
during the Restore Process (which took about 1 hour), I am sure files
were being renamed, copied, moved etc. So is my system the same as
it was prior to the Restoration Attempt - meaning nothing was modified
and all that stuff that was going on for about an hour never really
happened?

Since I can't see your PC, there is no way of knowing for sure. But it
sounds like you are back to that point.

THANKS FOR ALL YOUR HELP.

YW. (Now stop worrying!)
 
Plato

ggalv said:
Right now, I am thinking of "maybe" doing a system restore to August 15,
which is before I got this: Trojan Horse Dropper.Agent.JOC in AVG Anti-Virus.
I have been doing some research and I am not sure if it's a "false positive"
and restore the file OR if it's an actual virus and delete the file from the
vault.

Personally, I never save any "virus/trojan" to a "vault". Why save a
nasty???
 
Daave

Plato said:
Personally, I never save any "virus/trojan" to a "vault". Why save a
nasty???

You're assuming that *every* file that is identified as a trojan *is* a
trojan. That is a faulty assumption. If you have been following ggalv's
other thread, you would have seen that it has been confirmed that the
file he is referring to -- knlwrap.exe -- is *not* Trojan Horse
Dropper.Agent.JOC, even though AVG initially identified it as such. It
was a false positive. Saving this file to AVG's vault was the wise thing
to do. If ggalv ever needs this program, it will not have been deleted.
 