Yesterday I clicked some Google search results and got a page which was
obviously not what I wanted, but there was a popup with the usual junk
warning about "your system may be...etc". Usually I right click these
messages and choose 'close', but I inadvertently clicked the red X to close
it, and was bombarded with messages from Windows defender, firewall disabled
warning, and AVG free warnings about files. I shut down and rebooted to
safe mode, then proceeded to run Spybot S&D, AVG full scan, Windows
Defender, and after all this and some manual cleanup (and many found
spyware/trojans just from that minute or two it was on) ended up with clean
scans and all seemed OK.

One minor exception is that when the computer sits for a few minutes, the
broadband connection is lost and I get a message offering to fix it, which
it does. But it happens again after sitting. Virus and spyware scans all
remain fully clean. Other computers on the network are connected fine.

So I thought the best way would be to use system restore to restore to two
days ago, before the spyware bout. However, it failed, after rebooting
giving me a message that it "cannot be restored" to that date and to try a
different one (no further explanations). I disabled AVG free and tried that
and two other dates, as well as safe mode restores, and the same result.

It would be nice if there were some other explanation besides it "cannot be
restored", but there is none. A web search produces results for Norton AV
users, however I have no Norton anything except Ghost 2003.
Management/services shows system restore is running OK.

Any suggestions? I thought of disabling restore to get rid of all previous
points and start fresh, but if the connectivity issue continues I might kick
myself if I can't find a fix for that. Why would it fail and give no
explanation? I'm assuming the spyware must have done something to corrupt
the files, as it managed to disable the firewall (grumble grumble, for the
fact that it's even possible to do that!). Is there any way to get more
info out of the system restore to find out if it's failing because of
corrupted files or some other issue?

Thanks for any suggestions.

Gary

Dumb question: If you have Norton Ghost running, and assuming you do
incremental backups, why don't you just choose one of its latest restore
points and Restore that?

I think I've heard of arguements between Norton's GoBack and System
Restores, but not with Ghost, to my knowlege at least.
Since your System Restore Points are crapped, you would do well to turn
System Restore off and then back on: That will purge all the old System
Restore Points and start over again. That way you can't screw up inj a week
or so and revert to one of the corrupted points, should they start to work.

Inline:


Gary R. wrote:
> Yesterday I clicked some Google search results and got a page which
> was obviously not what I wanted, but there was a popup with the usual
> junk warning about "your system may be...etc". Usually I right click
> these messages and choose 'close', but I inadvertently clicked the
> red X to close it, and was bombarded with messages from Windows
> defender, firewall disabled warning, and AVG free warnings about
> files. I shut down and rebooted to safe mode, then proceeded to run
> Spybot S&D, AVG full scan, Windows Defender, and after all this and
> some manual cleanup (and many found spyware/trojans just from that
> minute or two it was on) ended up with clean scans and all seemed OK.

Did you update each of then before you did the scans? If not, update them
and run tham again; all of them.

>
> One minor exception is that when the computer sits for a few minutes,
> the broadband connection is lost and I get a message offering to fix
> it, which it does. But it happens again after sitting. Virus and
> spyware scans all remain fully clean. Other computers on the network
> are connected fine.

Sounds like file corruption somewhere; possibly multiple locations so one
fix isn't going to necessarily going to be all that's needed. It's not
unusual to fix one thing and either have it come back later or find
something else that borked.
>
> So I thought the best way would be to use system restore to restore
> to two days ago, before the spyware bout. However, it failed, after
> rebooting giving me a message that it "cannot be restored" to that
> date and to try a different one (no further explanations). I
> disabled AVG free and tried that and two other dates, as well as safe
> mode restores, and the same result.

Restore Points are trashed or the Restore mechanism is.
>
> It would be nice if there were some other explanation besides it
> "cannot be restored", but there is none. A web search produces
> results for Norton AV users, however I have no Norton anything except
> Ghost 2003. Management/services shows system restore is running OK.

Then WHY aren't you using Ghost to go back to an earlier time?!?
>
> Any suggestions? I thought of disabling restore to get rid of all
> previous points and start fresh,

You should do that. All they're doing right now is wasting space.

but if the connectivity issue
> continues I might kick myself if I can't find a fix for that. Why
> would it fail and give no explanation?

That's all the "explanation" it ever gives in my experience.

I'm assuming the spyware must
> have done something to corrupt the files, as it managed to disable
> the firewall (grumble grumble, for the fact that it's even possible
> to do that!). Is there any way to get more info out of the system
> restore to find out if it's failing because of corrupted files or
> some other issue?
>
> Thanks for any suggestions.
>
> Gary

Something below might help. Sorry, don't have the links or that's all I
would have posted:
How do I reinstall System Restore?



Warning: This will delete ALL existing restore points.



Go to Start - Run and type %Windir%\INF then press enter.



In Windows Explorer go to Tools - Folder Options - View Tab and uncheck
“Hide extensions for known file types”.



Find the sr.inf file, right click on it and select Install.



Or simply type or paste the following command into the Start - Run box and
press enter.



rundll32.exe advpack.dll,LaunchINFSection C:\Windows\Inf\sr.inf



If the Files Needed dialog box appears, click Browse and point to the i386
folder on the Windows XP CD or to the i386 folder on the hard drive, if it
exists, of for systems updated with the Service Pack 2 CD or Download from
Microsoft, browse to the C:\Windows\ServicePackFiles\i386 folder.




Troubleshoot System Restore “Restore Point Failures” in Windows XP



At any point during this troubleshoot procedure you feel
uncomfortable, help is a click away on the Microsoft Newsgroups and on the
AumHa Forums

If Real Player is installed on the system click HERE and update to the
latest version.

IBM Rescue and Recovery with Rapid Restore - Microsoft System Restore
"Restore Points" are not preserved or System Restore errors are logged in
Event Viewer.
System Restore's Restore Points are not saved in IBM Rapid Restore
Ultra's backup. When restoring using Rapid Restore Ultra, System Restore
will log an error message in the Windows Event Viewer and if you start
System Restore, any prior System Restore Points are not available.

For systems that have Norton 2006 applications installed click here.

For Systems shipped with a Recovery Partition, such as HP, Compaq and
Dell, to name a few, DO NOT let system restore monitor these partitions. See
Disable Monitored Drives.

Scan for Virus and Spyware infection.

If the system will not boot, here’s a list of Disaster Recovery Tools
within WindowsXP.

Make note of any error messages produced by System Restore or any low
Free Disk space warnings, exactly as they appear.

Use the Event Viewer to investigate System Restore service errors. To
do this, follow these steps:

Go to Start - Run and type eventvwr.msc and press enter.

In the left pane click on System.

Click the gray title “Source” at the top of the source name column in
the right pane to sort by source name, look for "sr" and "srservice."
Double-click each of these services, and evaluate the event description for
any indication of the cause of the problem. Make note of the Description,
EventID and Source of these Event Properties that show an Error or Warning.

If you would like assistance in examining the "sr" and "srservice"
events, double click on each event then, click on the button below the two
arrows in the upper right corner. This will copy the event information to
the clipboard. Paste the information for each event to a post in either the
AumHa Forums or to this Microsoft Newsgroup along with any other error
messages received. Please use a appropriate subject line (including “System
Restore”) when creating the post.

Install the latest Service Pack (SP) for WindowsXP. SP1 (fixes the
locked files issue) and SP2 include bug fixes for System Restore that may
fix the problem.

From Windows Update

Order WindowsXP Service Pack 2 on CD

Download WindowsXP from Microsoft - 272mb’s

Confirm that the “Task Scheduler” and “System Restore Service” are
running:

Click Start, click Run, and then type cmd /k net start then press
enter. Check to make sure that the Task Scheduler and System Restore
Services are running.

To start the “Task Scheduler” Service.

Go to Start - Run and type Services.msc then press enter.

Double click on “Task Scheduler”.

Set ‘Startup type’ to Automatic then press Start and Wait for the
Service Control progress indicator to close.

Do the same if the “System Restore Service” was missing. Close the
Services window.

Confirm and make note of the amount of the Free Disk Space on all of
the drives System Restore is monitoring.

To check for Free Disk Space go to Start - Run and type diskmgmt.msc
then press enter. Look at each drive System Restore is monitoring for free
space.

If the free space on any partition system restore is monitoring falls
below 50MB, System Restore will SUSPEND & PURGE all restore points to free
up disk space. You should have already receive a low free disk space message
by now. System Restore will resume monitoring when free disk space reaches
200MB’s.

In most cases it is not necessary to have System Restore monitor
Partitions/drives other than the one Windows is installed on. System Restore
does not monitor data files. Monitored File Extensions.

How to disable a monitored drive in System Restore.

Adjust the Disk Space Used by System Restore. By default System
Restore will use 12% disk space for most size drives. With larger drives the
data store can get quite large, which has been know to cause problems in
System Restore. Setting the data store to just under 1GB should be adequate.
Click here for more System Restore Health tips. Note: Reducing the data
store size will purge the oldest restore points on a FIFO (first in first
out) bases and leave as many recent restore points as the new size will
allow.

Test System Restore to confirm it is functioning correctly.

Create a new restore point named TEST.

Create a new folder on the desktop an name it TEST.

Now restore to the Test restore point.

You will receive a message if the restore was successful, and the Test
folder on the desktop will be gone.

The above test can also be performed in Safe Mode.

If this fails, that would indicate there is a corrupt restore point
and all restore points should be purged.

How to purge the System Restore Store.

To do so Turn off System Restore follow these steps:

Click Start, right-click My Computer, and then click Properties.

Click the System Restore tab.

Put a check next to ‘Turn off System Restore on all drives’, then
click OK.

Click Yes when you receive the prompt to the turn off System Restore.

Reboot the system.

Turn System Restore back on by following the previous steps and
uncheck ‘Turn off System Restore on all drives’. A new restore point will be
automatically created at that time.

As suggested earlier it is not necessary to have System Restore
monitor Partitions/drives that Windows is not installed on.

Test System Restore as previously described.

If System Restore fails at this point, reinstall System Restore.

If all else fails perform a Repair Install.











Home






Support








FeedbackFeedback (antispam email encoder used)








Site Map








Site Last updated


Sunday, June 11, 2006








Start Date 2/27/05



View My Stats













Copyright © 2005 - 2006 Bert Kinney





View an image of the Event Viewer utility
















Symantec Document ID:2005113009323013
Last Modified:12/01/2005

Message: "Restoration Incomplete . . . " when running Windows System
Restore

Situation:

You have installed a 2006 version of a Norton program, such as Norton
AntiVirus 2006, Norton Internet Security 2006, Norton Personal Firewall
2006, or Norton SystemWorks 2006. You run the Windows System Restore to
restore your computer to a previous point. When you do, you see the message:
"Restoration Incomplete. Your computer cannot be restored . . "

Solution:
To fix this problem, follow the steps in this section. You will
disable the Symantec Resource Protection feature, run Windows System Restore
again, and then turn on Symantec Resource Protection.

To turn off Symantec Resource Protection and run Windows System
Restore again

Start your Norton program.
Click Options.
If you see a menu, click Norton AntiVirus.
In the left pane, click Miscellaneous.
In the right pane, uncheck Turn protection on for my Symantec protect.
Click OK.
Run Windows System Restore again.
When the system is restored, go on to the next section.

To turn on Symantec Resource Protection
Start your Norton program.
Click Options.
If you see a menu, click Norton AntiVirus.
In the left pane, click Miscellaneous.
In the right pane, check Turn protection on for my Symantec protect.
Click OK.

You must repeat each of these procedures any time that you run Windows
System Restore.

Product(s): Norton AntiVirus 2006, Norton Internet Security 2006,
Norton SystemWorks 2006, SYMPROTECT
Operating System(s): Windows 2000, Windows XP
Date Created: 11/30/2005




















Home






Support








FeedbackFeedback (antispam email encoder used)








Site Map








Site Last updated


Sunday, June 11, 2006








Start Date 2/27/05



View My Stats













Copyright © 2005 - 2006 Bert Kinney





How do I Test System Restore’s functionality?



Create a new restore point named TEST.

Create a new shortcut on the desktop and point it to My Computer or any
other file of your choice and name it TEST.

Now restore to the Test restore point.

The system will now reboot, and you will receive a message if the restore
was successful, and the Test shortcut on the desktop will be gone. If not,
follow these troubleshooting tips.



Note: This should be conducted on a regular basis. Once a month should do.
Or if the system has been subject to virus or malware/spyware infection but
only after the system has been fully cleaned.

"Gary R." <roberthaus******.com> wrote
> Yesterday I clicked some Google search results and got a page which was
> obviously not what I wanted, but there was a popup with the usual junk
> warning about "your system may be...etc". Usually I right click these
> messages and choose 'close', but I inadvertently clicked the red X to
> close it, and was bombarded with messages from Windows defender, firewall
> disabled warning, and AVG free warnings about files. I shut down and
> rebooted to safe mode, then proceeded to run Spybot S&D, AVG full scan,
> Windows Defender, and after all this and some manual cleanup (and many
> found spyware/trojans just from that minute or two it was on) ended up
> with clean scans and all seemed OK.
>
> One minor exception is that when the computer sits for a few minutes, the
> broadband connection is lost and I get a message offering to fix it, which
> it does. But it happens again after sitting. Virus and spyware scans all
> remain fully clean. Other computers on the network are connected fine.
>
> So I thought the best way would be to use system restore to restore to two
> days ago, before the spyware bout. However, it failed, after rebooting
> giving me a message that it "cannot be restored" to that date and to try a
> different one (no further explanations). I disabled AVG free and tried
> that and two other dates, as well as safe mode restores, and the same
> result.
>
> It would be nice if there were some other explanation besides it "cannot
> be restored", but there is none. A web search produces results for Norton
> AV users, however I have no Norton anything except Ghost 2003.
> Management/services shows system restore is running OK.
>
> Any suggestions? I thought of disabling restore to get rid of all
> previous points and start fresh, but if the connectivity issue continues I
> might kick myself if I can't find a fix for that. Why would it fail and
> give no explanation? I'm assuming the spyware must have done something to
> corrupt the files, as it managed to disable the firewall (grumble grumble,
> for the fact that it's even possible to do that!). Is there any way to
> get more info out of the system restore to find out if it's failing
> because of corrupted files or some other issue?

Take a look at the troubleshooting tips on MVP Bert Kinney's system restore
page.
http://bertk.mvps.org/html/srfail.html

As a side note, I also have system restore active. It is a useful tool, but
I suggest you look at disk imaging as another means to protect your system.
Acronis True Image Home, version 10 can create full, incremental or
differential, compressed images of drives or partitions. These can be saved
to an external hard drive. Restores can be done on a file, partition or
drive basis. Use ATI to regularly image the system, and then you have a
means to restore the complete system in cases such as this or where there is
hardware failure, like a drive dies. ATI also does file backup and drive
cloning.

External drives can be purchased pre assembled or you can easily put one
together for less money by installing a bare drive in an external drive
enclosure. Enclosures are in the $20 range. A 320 GB drive set up this was
can be done for under $100.

--
Rock [MS-MVP User/Shell]

Poprivet" <poprivet@devnull.spamcop.net> wrote in message
news:eAW069NkHHA.3816@TK2MSFTNGP02.phx.gbl...
> Dumb question: If you have Norton Ghost running, and assuming you do
> incremental backups, why don't you just choose one of its latest restore
> points and Restore that?

The Ghost was installed to make a hard-copy backup of the new system with
software and updates...and you're right, I could restore to that, but it's
been a while and I'd still have quite a bit of updating and installations to
do. I don't have Ghost set to constantly back up the system, but I do think
I'll make a more recent backup if this happens again. Thanks for the
suggestion.

I still don't know if the System Restore works, but I did find the culprit
for losing the connection, and it evaded Windows defender, the firewall,
Spybot S&D, and AVG antivirus, all current. For any interested, here's
what I found:

Looking at the log of the network troubleshooter, I did a search on 'tcp-ip
connect limit reached, which sounded suspicious and was the reason it gave
for the connection being lost. A cmd window with netstat -no typed in
yielded a process trying to connect and failing many times (which causes the
connection to be shut down for just that reason). The process was named
aspi66565.exe and originated in the system32 folder. In taskmgr, it was
identified as a Microsoft app for aspi management, but it is not. Checking
the file properties, I noted that it was created in the 2 minute window when
the spyware hit. I ended the process, deleted that and another similar
aspi....exe file, and did a registry search for any occurrences of that
file, which I got rid of.

Then I did another search for files created yesterday, and any of
consequence that were created in that 2-minute window I also deleted...there
were quite a few, and I left the AV's and Windows Defender's files alone.
Searched the registry for those files and found none, so maybe the AV etc.
had at least disabled them(?) After rebooting none of the files were
re-created, and the netstat command brings up just normal info (and the
phony aspi process is no longer there). The computer now stays connected.
I don't think I'll even try the system restore as I don't want to mess
anything up at this point, but I'll delete the old stuff and start fresh,
then give it a try (besides a more recent Ghost image). I do imagine that
the reason it wouldn't work is because of the spyware/trojan invasion.

Gary

"Rock" <Rock@nospam.net> wrote in message
news:%23e753XOkHHA.4516@TK2MSFTNGP03.phx.gbl...
> As a side note, I also have system restore active. It is a useful tool,
> but I suggest you look at disk imaging as another means to protect your
> system. Acronis True Image Home, version 10 can create full, incremental
> or differential, compressed images of drives or partitions. These can be
> saved to an external hard drive. Restores can be done on a file,
> partition or drive basis. Use ATI to regularly image the system, and then
> you have a means to restore the complete system in cases such as this or
> where there is hardware failure, like a drive dies. ATI also does file
> backup and drive cloning.
>
> External drives can be purchased pre assembled or you can easily put one
> together for less money by installing a bare drive in an external drive
> enclosure. Enclosures are in the $20 range. A 320 GB drive set up this
> was can be done for under $100.
>
> --
> Rock [MS-MVP User/Shell]

My backup strategy is from a few years back, when hard drives were a lot
smaller and not so cheap. As I said, I always do a Ghost backup once I have
the system and applications installed, working, and updated, but from there
have depended on system restore (and it's done very well overall since it
began with WinME).

But imaging 20-25 GB of a system drive uses so little space for
current-sized drives, that maybe it's time I revamped my backup strategy, to
not just photos and docs, to the whole system drive. I'll see if my Ghost
2003 does OK with that arrangement, if not maybe I'll try the Acronis you
mention, or the new Ghost 12 which surprisingly seems pretty good. Thanks
for the suggestions.

(incidentally, the system restore is now working, after having gotten rid of
the last of the aspi.... trojan files...and with today's update, AVG free
also recognizes them as bad guys...day late and a dollar short, I guess 8^)

Gary

"Gary R." <roberthaus******.com> wrote

<snip>

> My backup strategy is from a few years back, when hard drives were a lot
> smaller and not so cheap. As I said, I always do a Ghost backup once I
> have the system and applications installed, working, and updated, but from
> there have depended on system restore (and it's done very well overall
> since it began with WinME).
>
> But imaging 20-25 GB of a system drive uses so little space for
> current-sized drives, that maybe it's time I revamped my backup strategy,
> to not just photos and docs, to the whole system drive. I'll see if my
> Ghost 2003 does OK with that arrangement, if not maybe I'll try the
> Acronis you mention, or the new Ghost 12 which surprisingly seems pretty
> good. Thanks for the suggestions.
>
> (incidentally, the system restore is now working, after having gotten rid
> of the last of the aspi.... trojan files...and with today's update, AVG
> free also recognizes them as bad guys...day late and a dollar short, I
> guess 8^)

Gary, glad you got it fixed. Thanks for posting back.

--
Rock [MS-MVP User/Shell]