System Restore - major problem

[teckneeculler]

W7 Ultimate 64-bit installed on 1-year-old Apacer 250GB SSD.

Every few days or so, I set a Restore Point. This normally takes about 15 seconds. I ordered one just now and went for a coffee. When I came back about 15 minutes later, the System Restore app was still running.

Odd, I thought.

Button pushes wouldn't stop it so I did Crtl\Alt\Del and stopped it that way.

Tried to set another Restore Point but all the app buttons were greyed out and only returned after I rebooted. So I opened System Restore, intending to revert to the last Restore point, but was told that the system wasn't running and there were no Restore Points anyway!

(Incidentally, I'd had SR limited to about 30GB. But my Apacer 250GB SSD C: drive has plenty of space - 87GB used with 135GB free)

After a few more fruitless attempts I went into Services and changed Volume Shadow Copy from Manual to Auto and did the same with Microsoft Volume Shadow Copy Provider, Windows Installer and a couple of others that I'd read about, along with all their dependencies. Still no joy.

I went into Event Viewer and found that the Volume Shadow Copier had been throwing up an error every 24 hrs since 11th January 2017. Which reminded me that, months ago, I'd set Task Scheduler to run System Restore at midnight.

So I went into Task Scheduler and removed the entry. Rebooted but still no System Restore.

Without going into details, I tried another dozen or so 'fixes' I found here and on other boards, but nothing has changed.

Oh, and I ran the 'vssadmin list writers' command and that found no errors in the 11 or so listed writers.

Plus I've done a full virus check, ran Malwarebytes (full version) twice with no errors, downloaded and ran adwcleaner and rkill with no errors.

I've run sfc /scannow and chkdsk /r twice each. I tried setting an SRP in Safe Mode but the program won't run at all in Safe.

And it couldn't have been a Windows update that caused the problem because Updates has been disabled for eight months.

So I'm kinda stymied. Short of a Windows reinstall I can't think of anything else to do.

Any fresh ideas, guys?

Later: Thought I'd try creating a Restore Point in Safe Mode one more time, so in msconfig I checked 'Start in Safe Mode' and walked away for a while. When I came back, the screen was showing the "Failure configuring Windows updates. Reverting changes. Do not turn off your computer" continuous loop message. And this when I don't even have Windows Updates turned on!

I'm starting to think it's either an as-yet-unknown bug or my SSD C: drive has developed faults.

 

[MeOnMine]

Hi, I would be running a RootKit scanner if I were you.
Kaspersky TDSSKiller.exe is my recommendation.
Virus can and will stop restore points from working.
An added piece of advice.
Don't use restore or Windows backup.
Notoriously unreliable.
Learn Image technologies, Macrium Reflect Free is always recommended here.

Good Luck

 

[ICIT2LOL]

I agree mate with Meonmine and there are some more you can try if you like from this listing
Best Free Rootkit Scanner and Remover | Gizmo's Freeware there are soem pretty heavy weight ones in there and as I don't know how comfortable you are using that sort of software.

 

[Layback Bear]

What anti virus program do you use?

Please list all security programs you have installed.

Do you have any programs by IObit?

Jack

 

[teckneeculler]

Thanks guys. Yeah, I'd better run some heavier stuff.

I have a full version of Malwarebytes and ran that several times, but it came up clean. However, if this actually is a bug, it's possible that it's a recent one and might take a while for the fixes to catch up.

I ran RKill and Adwcleaner but they found nil. I'll try TDSSKiller, MeOnMine - used it a few times over the years on customer's machines. Re System Restore, I know that it seems to have an unreliable reputation but I've used it for over 20 years without a problem. Plus, I've taught many customers how to use it and it's got them out of holes. Imaging I think is a PIA. Installed several brands from time to time but never had any success with recovery. I think the best value of apps like Acronis TI (which I just dumped) is the reassurance factor.

Actually, just backing up and restoring the registry is easy and fast. But every now and then you just have to do a reinstall, and I think that's where I'm heading.

Anyway, I'll try a few more bug-fixes first. If I find anything I'll come back.

Oh, and Jack - no, I'm not running any IObit software. Is there a problem with some of their stuff?

 

[teckneeculler]

Heads-up: TDSSKiller found nothing. ComboFix stalled because it couldn't set a Restore Point. Which is kind of ironic

 

[ICIT2LOL]

Have you tried the GMER (it's in the link I posted) yet tecknee it is fairly heavy weight as you may know and it has found nasties on my machines before - not very often I will admit because things have never been that desperate.

 

[teckneeculler]

Thanks. Yep, just ran GMER and I'm not sure if what it found is actually a problem.

There was only one entry under the 'Rootkit/Malware' tab:

Type - Thread
Name - C:\Windows\SysWOW64\ntdll.dll[3132:3428]
Value - 0000000000fbe72

Windows Properties show the file to be a Microsoft file, 1.25MB, dated 10Feb16 which is about when I installed W7 last.

Thing that makes me skeptical is that my wife's PC has an identical file. Similar date, I built hers about the same time.

What do you think?

Later: The same file is in my several laptops, too. But none of them are having problems with System Restore.

 

[MeOnMine]

Just change the name of the file and see.
If no change put the name back,

 

[ICIT2LOL]

Just change the name of the file and see.
If no change put the name back,

Worth a try.

 

[teckneeculler]

Hmm. Getting a bit complicated. Says I need permission from 'Trusted Installer'. And changing permissions for Admins and Users is also blocked. Guess I could do it in DOS, but I might just add the task to my list of fixes and try it later.

BTW, there's an 'ntdll.dll.mui' file, which is probably the installer. GMER didn't mention that one. But if it is the installer, and I rename the child file, mightn't the installer try to rebuild it?