What might cause System Restore to fail (3 times)?

Ken90630

Hey, All,

Other than malware, can anyone think of a reason why 3 separate attempts to use System Restore would fail? We're talking 3 different dates, over a 2-month span, as restore points. Restoration appears to work, then the machine reboots and a "restoration failed" message comes up each time.

If it matters, the machine is a custom PC (built by me in 2005) with an Athlon XP2800, 1GB of Kingston RAM, a Seagate Barracuda HD, high-end ATI vid card (for its time), and just very basic software. Security is handled by NOD32 A-V and Spyware Doctor. The user is a friend and is not high-risk at all.

Without going into a long story, I have reason to suspect malware, but I could also be dealing with a "false positive" and thus no malware infection. But System Restore won't work at all (and yes, I'm trying with the Administrator account), so that's suspicious. Unless I'm missing something.
 

bruceb

System restore can get wacky at times. One way to fix it (so they say) is to Turn Off System Restore, then shut down. Restart and then re-enable it. System restore should then work from that point.
 

RebateMonger

Have any standard XP services been turned off (either manually or by leaving them out of XP via NLite)?
 

bruceb

Yes, they would. But if system restore says it can't restore to a specific date or dates, then they don't work anyway.
 

Ken90630

bruceb and tcsenter:

Yeah, that's exactly what I ended up doing. I turned it off -- thinking (like bruceb says) what the heck, it doesn't work anyway -- rebooted and turned it back on. I then set a restore point, made a slight change to a Word Perfect document, and used SR. It worked.

Of course, I wasn't able to use it to get back to an older time, which is what I really needed it for.

What's bizarre is that NOD32 registered a hit on a file -- heuristically, I think, 'cuz the description says, "probably a variant of Win32/AgentTrojan" -- and it wasn't during a scan. It popped up while the machine was idle, which I suspect means it was something trying to run itself and NOD32 said, "Uh, no, I'm not allowing that." And -- get this -- when I look at the quarantined file, its location is C:\System Volume Information\_restore{83951F40-5FEB .... (The rest of the string is a mile long, so I won't retype it here.) So maybe that crashed SR?

But when I try to navigate to C:\System Volume Information manually, there is no such folder (and yes, I have "show hidden folders" enabled within the View menu). So what the heck's goin' on here? Where is the System Restore folder typically located? Is that it -- C:\System Volume Information -- and if so, why can't I see that folder?

NOD32 'hit' on two files it didn't like, and both had the same "probably a variant of Win32/AgentTrojan" description, but they're in different file locations. And the file descriptions both have "WT" in their names, with "updater" in one of them, which leads me to think they're false positives on a Wild Tangent game update. Only prob with that is that while there were some WT games bundled with the ATI software for her video card, when I built her machine 3 1/2 years ago, the user says she's never played them and never plays games online. And the startup tab in msconfig showed no WT update service running at startup.

Any ideas? :confused: :p

PS: RebateMonger: No nLite being used, and the only thing I might have turned off would have been Windows Messenger. I might have disabled that with services.msc -- I don't remember for certain. I also killed the GoogleToolbarNotifier that way, but that's not a standard Windows process.