Recovering after ransomware, restored backup but computer unstable

  • Question

  • Restored from backup but computer is not stable, doesn't open most programs, end task doesn't show any overwhelming processes but it's like it can't open anything. Used Symantec System Recovery server edition. Any idea?
    Thursday, May 21, 2020 5:06 AM

All replies

  • Hello, one of my client's servers got infected with ransomware. We had backup using Symantec/Veritas System Recovery server edition. I started the recovery process and it showed hours needed to restore, but after running about 7 hours or so it finished and booted to Windows. I could log in and see everything but programs don't seem to open. Like I click on start menu, but the programs don't click, or if I click something on desktop it doesn't open but I can see it in task manager. Please advise? Veritas technical support is simply awful and pointless; I solved some of the problems without their help, which they didn't have an answer for about their software. Maybe someone here has some experience.
    Thursday, May 21, 2020 4:06 AM
  • Hi,

    If possible, it is recommended to restore the system from another available backup.

    If the system is not stable after the system restore, we can try some general system repair methods, such as:
    1. Run SFC.EXE with admin permission and check the result.
    2. Create a new user account which has admin permission and log on to the system using the new account; it would be helpful to identify whether it is a user profile related problem.
    3. Restart the system in Clean Boot with all 3rd party processes disabled, to identify whether it is a 3rd party process related problem.
    4. Restart the system in Safe Mode to identify whether it is a driver related problem.
    5. Check current resource usage and Event Viewer for related events; it may provide more helpful information.

    Best Regards,
    Eve Wang

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, May 21, 2020 8:03 AM
  • Thanks for response. I restored to prior restore point/date. Strangely it's less problems and all programs seem to open but Exchange doesn't seem to work. Microsoft Information Store and other related services seem to not start and are stuck on "Starting" state. Any idea?

    Does this sound like backup media is damaged or the backup program didn't restore properly?

    I don't think any third party programs are causing it as nothing changed meaning no programs were added at the time. I tried running sfc but it says "There is a system repair pending which requires reboot to complete. Restart Windows and run sfc again." I'm not sure what that's about? I don't think I started any repairs, possibly something from backup program?
    Friday, May 22, 2020 4:57 AM
  • Hi,

    It may cause specific problems (such as applications not functioning, etc.) if the backup file is crashing/damaged.

    Have you tried SFC.exe?

    About the service in starting status, try to change its startup type to delayed start, or manually restart it to check the result. If it fails, we can check Event Viewer for the detailed error about this failure.

    About the Exchange, what is the problem? Please provide a more detailed description of it.

    Best Regards,
    Eve Wang

    Friday, May 22, 2020 8:36 AM
  • Trying the scan now, had to restart to do it a prior wait for some copying files to finish.

    Yeah, but my point is it's a bare-metal restore and we had no issues before or during those dates. I'm removing startup items though.

    I can't update the settings on services because it's constantly restarting them; I can't click on properties.

    Event log is showing as such:

    The Microsoft Exchange Information Store service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 5000 milliseconds: Restart the service.

    and:

    The description for Event ID 7024 from source Service Control Manager cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

    If the event originated on another computer, the display information had to be saved with the event.

    The following information was included with the event: 

    Microsoft Exchange Information Store
    %%2415

    The resource loader failed to find MUI file


    and:

    The Microsoft Exchange Transport service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 5000 milliseconds: Restart the service.


    and:

    The Microsoft Exchange Throttling service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 5000 milliseconds: Restart the service.
    Friday, May 22, 2020 4:36 PM
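
The Service Control Manager entries quoted in the post above can be tallied per service rather than read one at a time in Event Viewer. The PowerShell below is an added example, not part of the original thread or any poster's own code. `$Since` is an assumed cut-off to be set to the first boot after the restore, and event IDs 7031 and 7034 are the standard Service Control Manager IDs for unexpected termination, added alongside the 7024 quoted above.

```powershell
# Added example: triage services that fail or hang after a restore.
# Written to also run on PowerShell 2.0 (Windows Server 2008 R2).

# Assumption: look back two days; set this to the first boot after the restore.
$Since = (Get-Date).AddDays(-2)

# 1. Services currently stuck in a pending state ("Starting" / "Stopping").
Get-Service |
    Where-Object { $_.Status -eq 'StartPending' -or $_.Status -eq 'StopPending' } |
    Format-Table Name, DisplayName, Status -AutoSize

# 2. Service Control Manager failure events from the System log.
#    7024 = service terminated with a service-specific error
#    7031 = terminated unexpectedly, recovery action scheduled
#    7034 = terminated unexpectedly, no recovery action
$filter = @{
    LogName      = 'System'
    ProviderName = 'Service Control Manager'
    Id           = 7024, 7031, 7034
    StartTime    = $Since
}
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

if ($events.Count -eq 0) {
    Write-Output "No Service Control Manager failure events since $Since."
}
else {
    $events |
        # The first event parameter is the service display name,
        # e.g. "Microsoft Exchange Information Store" in the 7024 event.
        Group-Object { $_.Properties[0].Value } |
        ForEach-Object {
            $sorted = @($_.Group | Sort-Object TimeCreated)
            $ids    = $sorted | ForEach-Object { $_.Id } | Sort-Object -Unique
            New-Object PSObject -Property @{
                Service   = $_.Name
                Failures  = $_.Count
                EventIds  = ($ids -join ',')
                FirstSeen = $sorted[0].TimeCreated
                LastSeen  = $sorted[-1].TimeCreated
            }
        } |
        Sort-Object Failures -Descending |
        Format-Table Service, Failures, EventIds, FirstSeen, LastSeen -AutoSize
}
```

Run it from an elevated PowerShell prompt; services with the highest failure count and the earliest `FirstSeen` are the ones to look up in the Application log next.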
  • Application part of event viewer is showing as such:

    Process MSEXCHANGEADTOPOLOGYSERVICE.EXE (PID=3064). Topology discovery failed, error 0x80040931 (LDAP_INVALID_CREDENTIALS). Look up the Lightweight Directory Access Protocol (LDAP) error code specified in the event description. To do this, use Microsoft Knowledge Base article 218185, "Microsoft LDAP Error Codes." Use the information in that article to learn more about the cause and resolution to this error. Use the Ping or PathPing command-line tools to test network connectivity to local domain controllers.

    and:

    Product: Microsoft Exchange Server - Update 'Update Rollup 30 for Exchange Server 2010 Service Pack 3 (KB4536989) 14.3.496.0' could not be installed. Error code 1603. Windows Installer can create logs to help troubleshoot issues with installing software packages. Use the following link for instructions on turning on logging support: http://go.microsoft.com/fwlink/?LinkId=23127

    Basically seems like Exchange is messed up for whatever reason. 
    Friday, May 22, 2020 4:37 PM
  • Microsoft Windows [Version 6.1.7601]
    Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

    C:\Windows\system32>sfc /scannow

    Beginning system scan.  This process will take some time.

    Beginning verification phase of system scan.
    Verification 100% complete.

    Windows Resource Protection did not find any integrity violations.

    C:\Windows\system32>

    So sfc seems good.
    Friday, May 22, 2020 4:43 PM