I cannot Restore XP after using eset2.7

Discussion in 'NOD32 version 2 Forum' started by mdidier573, Jan 2, 2007.

Thread Status:
Not open for further replies.
  1. mdidier573

    mdidier573 Registered Member

    Joined:
    Jan 2, 2007
    Posts:
    8
    As soon as I installed eset 2.7 this came up soon:

    1/1/2007 11:00:00 AM AMON file C:\System Volume Information\_restore{4468E795-142C-48E0-AE51-FBE0A0654E7E}\RP112\A0033708.exe probably a variant of Win32/Agent.NFM trojan quarantined - deleted NT AUTHORITY\SYSTEM Event occurred on a file modified by the application: C:\WINDOWS\System32\svchost.exe. The file was moved to quarantine. You may close this window.
    12/31/2006 15:03:15 PM Kernel file C:\WINDOWS\repair\explorer.exe probably a variant of Win32/Agent.NFM trojan
    12/31/2006 15:02:56 PM Kernel file c:\windows\repair\explorer.exe probably a variant of Win32/Agent.NFM trojan

    I deleted this file along with another file:

    Time Module Object Name Threat Action User Information
    1/1/2007 19:45:27 PM AMON file C:\Program Files\eMule\Temp\067.part Win32/PSW.Small.BS trojan deleted (after the next restart) MIKE-82HDFHA1B8\Mike Event occurred at an attempt to access the file by the application: C:\Program Files\eMule\emule.exe.

    Then tonight I had a spontaneous reboot, so I looked into msconfig under "services" and noted a lot of Microsoft "services" were checked but also "stopped". I went back and saw the C:\System\VolumeInformation\_restore{4468E795-142C-48E0-AE51-FBE0A0654E7E}\RP112\A0033708.exe comment that had been deleted earlier, so I tried System Restore, but it would not rebuild even 7 days ago. XP seems OK, but no restore capabilities are not good. Did this software in fact give me a false positive, or was it sabotaged already? Who knows. How do I get back to restore capabilities? Eset was notified, but this is trial software so I am not sure what they will help with.
    Happy New Year + helppp
     
  2. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    I would make sure you have the latest virus signature, which as of writing is 1951 dated 01 Jan 07 (20070101).

    Then turn off system restore, reboot and then turn on system restore.

    Let us know how you go...

    Cheers :D
     
  3. DVD+R

    DVD+R Registered Member

    Joined:
    Aug 2, 2006
    Posts:
    1,979
    Location:
    The Antipodes
    Hello mdidier573 :) That sucks! Unfortunately Windows System Restore is Notorious for failing just when you need it most, and again Unfortunately when this happens you have lost All your restore points from the beginning. Turning On System Restore will only Start a Restore Point from when you Again enable it, and the likelihood of it failing again is High! To turn Restore back on, Right Click on My Computer, Choose Properties, click on the System Restore Tab, and Untick Turn Off System Restore. Windows will Again be monitoring the Restore function, and all installs etc., but as I said, once it has failed, It almost certainly will do so again :(

    May I offer you a piece of Friendly Advice? :) I would consider purchasing Rollback Rx Professional from http://horizondatasys.com/169614.ihtml I highly recommend this, and I am using it now, and It has saved me once or twice already :D This is Similar to NortonGoBack, but is more highly Configurable, and has more features included :cool: One small drawback, which is not really an issue, is that your System may take an extra 30 seconds maximum to reboot with Restore Rx installed. This is because it starts before Windows does, but this is minimal considering the Great Protection it gives :) Whatever method you Choose, Windows Restore or Rollback Rx, I hope this has helped ;)
     
  4. mdidier573

    mdidier573 Registered Member

    Joined:
    Jan 2, 2007
    Posts:
    8
    Time Module Object Name Threat Action User Information
    1/1/2007 19:45:27 PM AMON file C:\Program Files\eMule\Temp\067.part Win32/PSW.Small.BS trojan deleted (after the next restart) MIKE-82HDFHA1\Mike Event occurred at an attempt to access the file by the application: C:\Program Files\eMule\emule.exe.
    1/1/2007 12:36:14 PM IMON file hxxp://installare.net/e/t/ads_nl1.php?b=3020 probably a variant of HTML/Exploit.VMLFill trojan MIKE-82HDFHA1\Mike
    1/1/2007 12:36:06 PM IMON file hxxp://installare.net/e/t/ads_nl1.php?b=3020 probably a variant of HTML/Exploit.VMLFill trojan MIKE-82HDFHA1\Mike
    1/1/2007 11:00:00 AM AMON file C:\System Volume Information\_restore{4468E795-142C-48E0-AE51-FBE0A0654E7E}\RP112\A0033708.exe probably a variant of Win32/Agent.NFM trojan quarantined - deleted NT AUTHORITY\SYSTEM Event occurred on a file modified by the application: C:\WINDOWS\System32\svchost.exe. The file was moved to quarantine. You may close this window.
    12/31/2006 15:03:15 PM Kernel file C:\WINDOWS\repair\explorer.exe probably a variant of Win32/Agent.NFM trojan
    12/31/2006 15:02:56 PM Kernel file c:\windows\repair\explorer.exe probably a variant of Win32/Agent.NFM trojan

    Eset decided Windows had a virus in System Volume and needed to be disinfected as well. I decided, erringly, it should clean the problem, but it went farther. Funny thing is, my restore does not work to an earlier time and shows zero files in that volume folder; however, they ARE there, so it seems my restore engine is corrupted or missing something now. It reboots OK, and under msconfig many Microsoft services are checked but not running, so what got nixed that I can restore things back? I shut System Restore off last night to edit the System Volume folder and unhid the folder, but no luck.
     
    Last edited by a moderator: Jan 2, 2007
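
The log entries posted above can be sorted by where each detected file lives, which is the distinction this thread turns on: a hit under `System Volume Information\_restore{...}\RPnnn` is a copy held in the System Restore store, not a file in a live path. The following is an added example, not part of any post and not ESET code; the field names, the `triage`/`classify` helpers and the assumption that every threat name is followed by the word "trojan" are illustrative only.

```python
import re

# Entries copied from the NOD32 threat log pasted in this thread (columns are
# space-flattened, so the parse below is a heuristic, not a format spec).
SAMPLE_LOG = r"""
Time Module Object Name Threat Action User Information
1/1/2007 19:45:27 PM AMON file C:\Program Files\eMule\Temp\067.part Win32/PSW.Small.BS trojan deleted (after the next restart) MIKE-82HDFHA1\Mike
1/1/2007 11:00:00 AM AMON file C:\System Volume Information\_restore{4468E795-142C-48E0-AE51-FBE0A0654E7E}\RP112\A0033708.exe probably a variant of Win32/Agent.NFM trojan quarantined - deleted NT AUTHORITY\SYSTEM
12/31/2006 15:03:15 PM Kernel file C:\WINDOWS\repair\explorer.exe probably a variant of Win32/Agent.NFM trojan
"""

# Assumption: every threat name looks like Family/Name and is followed by
# "trojan", as in the entries above.
ENTRY = re.compile(
    r"^(?P<date>\d{1,2}/\d{1,2}/\d{4}) (?P<time>\d{2}:\d{2}:\d{2}) [AP]M "
    r"(?P<module>\w+) (?P<kind>\w+) (?P<object>.+?) "
    r"(?P<heuristic>probably a variant of )?"
    r"(?P<threat>\w+/[\w.]+) trojan ?(?P<rest>.*)$"
)
RESTORE_STORE = re.compile(
    r"\\System Volume Information\\_restore\{[0-9A-F-]{36}\}\\RP(\d+)\\", re.I)
REPAIR_DIR = re.compile(r"^[a-z]:\\windows\\repair\\", re.I)

def classify(path):
    """Return (location, restore_point_number_or_None) for a detected object."""
    m = RESTORE_STORE.search(path)
    if m:
        return "restore_point", int(m.group(1))
    if REPAIR_DIR.match(path):
        return "windows_repair", None
    return "other", None

def triage(log):
    """Parse flattened threat-log lines; skip the header and unrecognised rows."""
    rows = []
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        location, rp = classify(m["object"])
        rows.append({"when": f'{m["date"]} {m["time"]}', "module": m["module"],
                     "object": m["object"], "threat": m["threat"],
                     "heuristic": m["heuristic"] is not None,
                     "location": location, "restore_point": rp,
                     "rest": m["rest"]})  # action and user columns, not separable
    return rows

if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        print(row["location"], row["restore_point"], row["threat"], row["object"])
```
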
  5. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    What number is your virus signature database?

    Cheers :D
     
  6. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Please post an expanded screenshot of the NOD32 Information.

    Cheers :D
     

  7. mdidier573

    mdidier573 Registered Member

    Joined:
    Jan 2, 2007
    Posts:
    8
    I forgot to thank DVD+R on his software suggestion. I cannot Ghost a thing, and the problem I am having now could have been cured already with the many things out there, but I HAVE heard there are caveats with some of these things that you restore from an image... won't mention any names but I have been researching... this one is new to me and comes recommended, hmmm. Does appear easy.
     
  8. jayt

    jayt Registered Member

    Joined:
    Aug 30, 2004
    Posts:
    345
    Location:
    PA - USA
    You may have to re-install System Restore. It is a fairly painless process, but it will delete ALL existing restore points--but since you can't access them anyway, it seems to be a moot point.

    To re-install System Restore- Go to Start-Run and type
    %Windir%\INF then press Enter

    In Windows Explorer (My Computer) go to Tools-Folder Options -View Tab and uncheck "Hide extensions for known file types"

    Find the sr.inf file, right click on it and select Install

    If the Files Needed dialog box appears, click Browse and point to the i386 folder on the Windows XP CD or the i386 folder on the hard drive, if it exists, or for systems updated with a Service Pack 2 CD or download from Microsoft, browse to the C:\Windows\ServicePackFiles\i386 folder.
     
  9. mdidier573

    mdidier573 Registered Member

    Joined:
    Jan 2, 2007
    Posts:
    8
    8687 on virus signatures
     
  10. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    As requested, please post a screenshot like what I have provided, or click on "copy to clipboard" and paste here like this:

    NOD32 antivirus system information
    Virus signature database version: 1953 (20070102)
    Dated: Tuesday, 2 January 2007
    Virus signature database build: 8686

    Information on other scanner support parts
    Advanced heuristics module version: 1.043 (20061209)
    Advanced heuristics module build: 1131
    Internet filter version: 1.002 (20040708 )
    Internet filter build: 1013
    Archive support module version: 1.050 (20060926)
    Archive support module build version: 1176

    Information about installed components
    NOD32 For Windows NT/2000/XP/2003/Vista/x64 - Base
    Version: 2.70.23
    NOD32 For Windows NT/2000/XP/2003/Vista/x64 - Internet support
    Version: 2.70.23
    NOD32 for Windows NT/2000/XP/2003/Vista/x64 - Standard component
    Version: 2.70.23

    Operating system information
    Platform: Microsoft Windows XP
    Version: 5.1.2600 Service Pack 2
    Version of common control components: 5.82.2900
    RAM: 1016 MB
    Processor: Intel(R) Core(TM)2 CPU 6300 @ 1.86GHz (1861 MHz)

    Blackspear.
     
  11. mdidier573

    mdidier573 Registered Member

    Joined:
    Jan 2, 2007
    Posts:
    8
    If I turn off System Restore, update the virus scanner, and reboot, am I not using System Restore to boot up every time, or is that some other function.... I ponder the booting up with restore off... I thought, well, I cannot go back to an earlier date, but it is, or.. well.... picking up the last time it booted up OK, or a shut down scenario, it picking that to use for the next bootup... is that not part of System Restore? :doubt:
     
  12. mdidier573

    mdidier573 Registered Member

    Joined:
    Jan 2, 2007
    Posts:
    8
    Trial version
    Days left: 27

    NOD32 antivirus system information
    Virus signature database version: 1953 (20070102)
    Dated: Tuesday, January 02, 2007
    Virus signature database build: 8687

    Information on other scanner support parts
    Advanced heuristics module version: 1.043 (20061209)
    Advanced heuristics module build: 1131
    Internet filter version: 1.002 (20040708)
    Internet filter build: 1013
    Archive support module version: 1.050 (20060926)
    Archive support module build version: 1176

    Information about installed components
    NOD32 For Windows NT/2000/XP/2003/Vista/x64 - Base
    Version: 2.70.23
    NOD32 For Windows NT/2000/XP/2003/Vista/x64 - Internet support
    Version: 2.70.23
    NOD32 for Windows NT/2000/XP/2003/Vista/x64 - Standard component
    Version: 2.70.23

    Operating system information
    Platform: Microsoft Windows XP
    Version: 5.1.2600 Service Pack 2
    Version of common control components: 5.82.2900
    RAM: 768 MB
    Processor: Intel(R) Pentium(R) 4 CPU 2.40GHz (2424 MHz)
     
  13. hartoch

    hartoch Registered Member

    Joined:
    Jan 2, 2007
    Posts:
    28
    Location:
    queensland australia
    I have just finished updating NOD32 to 2.7 and then followed painfully all the adjustments supplied by B S, checked my restore and all dates have been removed, ran a test restore, only took 10 mins, and it seems that worked OK o_O
     
  14. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Hi hartoch, welcome to Wilders.

    By design NOD32 does not affect this area at all.

    This would be expected.

    Cheers :D
     
  15. hartoch

    hartoch Registered Member

    Joined:
    Jan 2, 2007
    Posts:
    28
    Location:
    queensland australia
    thanks B S happy new year joined today bazza o_O
     
  16. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    You are welcome.

    Cheers :D
     
  17. mdidier573

    mdidier573 Registered Member

    Joined:
    Jan 2, 2007
    Posts:
    8
    Well, it seems a rebuild of System Restore may be in order, as Jayt suggested, but is that it, I am wondering..
     
  18. DVD+R

    DVD+R Registered Member

    Joined:
    Aug 2, 2006
    Posts:
    1,979
    Location:
    The Antipodes
    OK! There's much confusion running rampant in this post. Let me make things perfectly clear About Windows System Restore:

    1. Turning Off / Disabling System Restore Permanently Deletes ALL Restore Points.
    2. Rebooting while Restore is Turned Off will Not use the System Restore to Bootup, As Windows No longer has to preload this function.
    3. Updating Virus Applications does not get implemented into a restore point. Virus Definitions have to be updated whether System Restore is on or Not; going back to a previous Restore point will only load the Virus Definitions for that time, you still have to update or you'll be behind with definitions, and your system will report they are out of date, or update Automatically regardless.
    4. Turning System Restore Back on Will create a New Set of Baseline Restore Points, from the time you turn it back on. All previous points are not recoverable.
    5. Unlike Third Party Restore Software such as Rollback Rx/RestoreIT/First Defense Etc., Windows XP System Restore Does NOT! restore your complete hard drive including data, All That is Lost.
    6. Third Party Restore Software Has Seamless Integration with Anti Virus signature updates, and Windows Critical Updates.
    7. RollBack Rx is designed to protect both the user and PC from accidental user errors and day-zero attacks. Without restricting the users’ activities, RollBack Rx will transparently take system snapshots on a schedule that you configure for your system. If a virus, malware or even *BSoD occurs – You can restore your system up-to-the-minute of the system crash. With no data loss.

    Hope this Clarifies what Windows XP System Restore does and does not do, and The Advantages of a Third Party System Restore Software.

    Hope this clarifies what Windows XP System Restore will, and will not do.
     
  19. mdidier573

    mdidier573 Registered Member

    Joined:
    Jan 2, 2007
    Posts:
    8
    That helped.......a lot........:rolleyes: and I still would like to get my restore up and running first, then I will look at your suggestion on software fix, but hey, this does not address all my Microsoft stopped services :doubt:
     
  20. jayt

    jayt Registered Member

    Joined:
    Aug 30, 2004
    Posts:
    345
    Location:
    PA - USA
  21. DVD+R

    DVD+R Registered Member

    Joined:
    Aug 2, 2006
    Posts:
    1,979
    Location:
    The Antipodes
    Sorry mdidier573 ;) Here are instructions to restart ALL recommended Windows services, and the action to disable the ones NOT needed. Firstly go to this website: http://www.theeldergeek.com/alerter.htm

    I have directed you to the First service we need to check to make it easier to find. To go to each service in turn, click on the blue next.

    Ok, We have the first service page, which starts with Alerter Service.
    Now Click on Start/Run and in the run box type in services.msc. The Services window will open on your desktop. Expand this to maximize to full screen so you can see everything clearly. You can expand the Name and description by dragging the sections to the left so you can read them more clearly. The Webpage displays the default and the recommended settings for each service. Click through each one, and check it corresponds with the recommended setting.

    As an example only, The First Setting, Alerter Services, by Default is set at Manual, as you can see in the Startup Type Tab in the Services Window, and The recommended Setting is Also Manual. If, as an example, this was not Set at recommended in your Services Window, you would double click On the Word in Alerter Services, Startup Type, and a window with a drop down box will appear; you would scroll down to manual, and click Apply.

    Then Click next to go to the next service in the List, and Change each setting to the recommended, and so on, till all changes have been made in that List.

    If you come across something that is Not in the List, For example NOD32 Kernel service, which is set to Automatic, Do not touch this.

    When you have completed the list, Close everything down, and reboot your computer. All your Windows Services will now be active again, Including System Restore.

    This is a painless and very simple procedure, If you Follow all the recommendations.

    Good Luck, and I'll check back a little later to see how everything went :)
     