system restore is not able to create a restore point
Customer had some strange problems with one of his PCs
System Restore could not create or restore “restore points”.
And the internet was not working (it actually was working, but seemed intermittent)
Creating a restore point would result in the message: system restore is not able to create a restore point
Restoring from a restore point would just get to the “Confirm restore point selection” screen, then pressing the NEXT button did nothing.
I tried disabling and enabling sys restore, but no luck.
I tried line 278 from kellys-korner-xp.com/xp_tweaks.htm, but no go.
At some point I also noticed that disk defragment also didn’t work… very strange symptoms
Next I tried sfc /scannow
That seemed to work… but after a few minutes, system restore stopped working again… curious!
I was starting to suspect that Spyware Doctor (paid version) might have been interfering somehow. It would occasionally say that an internet computer was trying to connect (which we blocked). The customer swore it was a great program (but I’ve had some difficulties with Spyware Doctor in the past).
Looking at Spyware Doctor closely, I noticed it would appear to do its normal update, but the status screen showed that it was several weeks since the last successful update.
I disabled Spyware Doctor, but that didn’t change things
But then telling an antivirus/antispyware to disable itself doesn’t always mean it’s really disabled.
So I totally uninstalled it… and installed antiVir, windows defender… but neither would update…
I then tried SuperAntiSpyware… and it also wouldn’t update.
I tried scanning with Superantispyware (even though it was out of date by a few weeks), and it detected a trojan infection.
The infected file was a backup from the customer’s main PC… So now I widened my work to the main PC as well.
In the end, both PCs were infected with trojans and rootkits.
I was able to fix the main PC, as it wasn’t showing any sign of being infected (so I could update antivir/defender/superantispyware and remove all nasties)
But the other PC had so many files on it, that the scan process was incredibly slow.
So in the end, I took it back to the office, scanned the HDD from my main PC (and removed some infections).
But that was still not enough to allow any updates.
In the end I downloaded the latest version of SAS, installed it, and it managed to clear up everything.
I must say that in cases like this, SuperAntiSpyware has a huge advantage over many of its competitors: Downloading the latest version also downloads the latest malware definitions.
Most other security software seems to be a few months out of date, and relies on the user to perform an update once the software is installed.
That’s crazy, as nowadays, a lot of malware targets security updates first, such that the anti-malware program is virtually useless unless it can do an update.
I had a similar case recently where the customer’s computer was showing all the signs of bad malware infestation. After removing 65 trojan files with superantispyware, I found that there’s a class of trojan which leaves regedit, Folder view options, and Taskbar disabled. You feel horribly powerless when none of those functions is working. There seems no obvious way to restore them without a registry edit.
Fortunately there’s a neat little free utility called RRT (Remove Restrictions) at http://www.sergiwa.com which, with one click, restores those functions. Works like magic off a floppy if need be.
Maybe there’s another class of trojans which disables System Restore functions. There might be a tool for restoring that, too.
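A way to see which of these restrictions are still set after cleanup, as an added example that is not part of the comment above or of any tool named on this page: the Python below audits a `reg export` text dump for policy values that lock out Registry Editor, Folder Options, Task Manager and System Restore. The value names are standard Windows policy values assumed to be the ones involved (the page does not name them), and the function name and sample export are constructed for illustration.

```python
import re

# Standard Windows policy values that lock out repair tools when non-zero.
# Assumption: the page names no registry values; these are the usual ones.
WATCHLIST = {
    "disableregistrytools": (r"\policies\system", "Registry Editor blocked"),
    "disabletaskmgr": (r"\policies\system", "Task Manager blocked"),
    "nofolderoptions": (r"\policies\explorer", "Folder Options hidden"),
    "disablesr": (r"\windows nt\systemrestore", "System Restore turned off"),
    "disableconfig": (r"\windows nt\systemrestore", "System Restore settings locked"),
}
SECTION = re.compile(r"^\[(HKEY_[^\]]+)\]$")
DWORD = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')

def audit_reg_export(text):
    """Return (key, value, meaning) for each active restriction in a .reg export."""
    findings, key = [], None
    for line in map(str.strip, text.splitlines()):
        section = SECTION.match(line)
        if section:
            key = section.group(1)
            continue
        value = DWORD.match(line)
        if not (value and key):
            continue
        suffix, meaning = WATCHLIST.get(value.group(1).lower(), (None, None))
        # Match on the key suffix so HKCU, HKLM and HKEY_USERS\<SID> all count.
        if suffix and key.lower().endswith(suffix) and int(value.group(2), 16):
            findings.append((key, value.group(1), meaning))
    return findings

# Constructed sample, shaped like `reg export` output (real exports are UTF-16).
SAMPLE = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
"DisableTaskMgr"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoFolderOptions"=dword:00000001
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
"DisableSR"=dword:00000001
"""

if __name__ == "__main__":
    for key, name, meaning in audit_reg_export(SAMPLE):
        print(f"{meaning}: {key}\\{name}")
```

For a real export, read the file with `encoding="utf-16"` before passing its text in; a finding only means the value is set, which is also what a legitimate administrator policy looks like.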
Was there a virus on the computer that caused this to happen? If so, which virus?
Beau71: It was one of the countless Vundo variants.
Vundo seems to be a particularly “efficient” vehicle… it’s been around for a long time, yet it keeps evolving into nastier and more difficult to remove versions…
There must be hundreds of different Vundo variants out there :-O
Have you ever run malwarebytes? Great tool.
I had this same problem a few years ago. It also manifested itself with dual icons in the control panel. Very strange. I ended up wiping the hard drive and reloading everything from scratch.
No, MalwareBytes is not a great tool. It is no good at all for tough jobs like this one. First of all, it requires to update itself and what if there is no net connection like this virus does?? AND.. this virus actually edits the registry to prevent certain executables.. the popular malware and anti-virus programs. Yep.. anything else will run… but the tools to fix this thing. Sure, there is internet connection in some cases… but the virus blocks access to the websites for anti-virus sites… like PCTOOLS.COM and MalwareBytes.. those websites are blocked along with umpteen others including windows update. For some reason Malwarebyte people didn’t think it would be good idea to publish a way to manually update it.. meaning let you download the update on another computer and then update the installation on the target machine. So don’t waste your time with malwarebytes. The one thing I found that works is to download the windows Malicious Software Removal tool on another computer and bring it over and it does run… and cleans up the infection pretty darn good. But there is so much damage left behind. I tried the RRT mentioned earlier.. but it is garbage. I wasted my money on it..it is a scam.. won’t even run. It is disappointing none of the super geeks can tell us how to fix the Windows Restore function.. it shouldn’t be hard to do once someone figures it out. But the main thing is.. the dud who said to try MalwareBytes is smoking something.. ain’t no good on this one folks…. and PCtools product sucks too and isn’t worth it.
Jaybird says:
“I tried the RRT mentioned earlier.. but it is garbage. I wasted my money on it..it is a scam.. won’t even run.”
Must be a different RRT to the one I have. It’s free, and while it doesn’t profess to succeed in all cases, it’s worked on the few occasions I’ve tried it. It should only be used after the infection has been removed, to clear up some of the mess left behind. If it won’t run, presumably the computer is still infected by self-replicating malware.
Malwarebytes is excellent for removing some of those difficult infections others won’t touch, provided of course you are aware of the limitations mentioned by Jaybird, which apply to practically all defences. Once the nasty is in, it puts a protective shell around itself by disabling database updates.
So, yes, I’d agree that all those anti programs have limitations. Nevertheless, they are very effective if used in the way in which they are intended, and should not be written off as garbage. They are best used by hooking the bad hard drive into another clean computer, then scanning.
Well I spent the last few hours trying to re-enable restore after AVG spotted some dodgy trojans just after a proggy install that didn’t seem to be working – I’d quit it. I followed all the stuff that’s been mentioned before from other places and it was only when I tried SUPERAntiSpyware that the problem was solved – I must admit I didn’t expect it to after a bunch of disappointments but it picked up 3 things the others didn’t, and now all seems well again. Oh and I was not able to download any antispyware software …(guess I wasn’t supposed to) – I grabbed ’em on another machine and moved ’em over but SAS did update online once installed.
Nice article anyway – saved me more angst 😉
Really good sharing this.