why do my Restore Points keep disappearing?

andrew129260 said:

You are doing fine, no need to be embarrassed. When you finish with the other items, report back and let me know how it went. Post new logs after everything is cleared out so I can verify the infections are gone.

When you are up for it, here is another thing I would like you to do. Take your time when doing steps and do not feel rushed. If you have questions ask. Take one step at a time.


1.) Do a disk check using option 1:

Disk Check

2.) Please Run sfc /scan now using option 2 in this tutorial: SFC /SCANNOW Command - System File Checker

Please post back the results.

Results of herdProtect and AdwCleaner are here.

herdProtect # 3 Scan_2014-5-19-2-28.txt

AdwCleaner[S0].txt

It's now 2:47am here, and time for me to get some sleep but I will be back in the morning to continue with running the Junkware Removal Tool.

It took two scans of herdProtect to get rid of the Candy malware, but in the meantime, the Laptop is noticibly faster at the reboot - or is it just my imagination?

Thanks for all the help so far Andrew - I'd be lost without it, or your guidance

andrew129260 said:

You have got quite some nasties there. Conduit came for a visit. None of the items I have found so far are known to mess with restore points though. But lets get you cleaned up first and move on then from there.


3.) Please download Junkware Removal Tool to your desktop.

• Shutdown your antivirus to avoid any conflicts.
• Right click over JRT.exe and select Run as administrator on Windows Vista or Windows 7, double-click on XP.
• The tool will open and start scanning your system.
• Please be patient as this can take a while to complete.
• On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
• Post the contents of JRT.txt into your next reply message
• When completed make sure to re-enable your antivirus

Junkware Removal Tool - Results Log;

JRT.txt

...and so on to CHKDSK

andrew129260 said:

Great job. keep going. jrt log looks good.

Layback Bear said:

Damn what a JRT log.

You two are gaining on this troubled computer.

At Option Two - I did SFC/SCANNOW, which gave me a CBS.log too large to upload here . Is there another way to link to the file to allow reading by a third party?

The message on the Manage Attachments window, is;

CBS.log:
Your file of 4.72 MB bytes exceeds the forum's limit of 2.00 MB for this filetype.

...further, the last line on Shawns Tutorial concerns me. This Laptop Windows 7 is an OEM setup - I do not have either an installation, or rescue disk for it.

The fact that I can't upload the CBS.log is a real hurdle. I do have a set of three (x3) DVD-R disks created on prompt when I first set-up the Laptop on 9 May 2011. But from my understanding, these are to be used as Recovery Disks to reset the Laptop to Acer Factory Default Settings. Does that make sense? From here on in, I'm lost in virtual space.

I'm presuming that I scroll through the CBS.log and look for all the 'FAILED' or 'CORRUPT' entries?

I can do a series of Snip.jpg files for those if you want.

'Integrity' violations?

andrew129260 said:

Ok, so you did the following:

You clicked then typed cmd. You then right clicked on command prompt and ran it as administrator. You then typed sfc /scannow and hit enter. When it completed you either get one of 3 things:

Windows resource protection found no integrity violations.
It found corrupt files and successfully repaired them.
It was unable to fix some of the files, details are in cbs log.

So I am wondering which one you got?


Btw did desk check complete okay?

See here:

Check Disk (chkdsk) - Read Event Viewer Log

1. Message was; It was unable to fix some of the files, details in the cbs.log

2. Check Disk seemed to go well ... no hitches and while I was away from the laptop, it rebooted successfully

Log Name: Application
Source: Microsoft-Windows-Wininit
Date: 19/05/2014 08:45:23
Event ID: 1001
Task Category: None
Level: Information
Keywords: Classic
User: N/A
Computer: Tony-PC
Description:


Checking file system on C:
The type of the file system is NTFS.
Volume label is Acer.


A disk check has been scheduled.
Windows will now check the disk.

CHKDSK is verifying files (stage 1 of 3)...
384512 file records processed.

File verification completed.
3141 large file records processed.

0 bad file records processed.

0 EA records processed.

76 reparse records processed.

CHKDSK is verifying indexes (stage 2 of 3)...
472684 index entries processed.

Index verification completed.
0 unindexed files scanned.

0 unindexed files recovered.

CHKDSK is verifying security descriptors (stage 3 of 3)...
384512 file SDs/SIDs processed.

Cleaning up 28 unused index entries from index $SII of file 0x9.
Cleaning up 28 unused index entries from index $SDH of file 0x9.
Cleaning up 28 unused security descriptors.
Security descriptor verification completed.
44087 data files processed.

CHKDSK is verifying Usn Journal...
34003000 USN bytes processed.

Usn Journal verification completed.
Windows has checked the file system and found no problems.

611883007 KB total disk space.
290212224 KB in 261038 files.
161000 KB in 44088 indexes.
16 KB in bad sectors.
506523 KB in use by the system.
65536 KB occupied by the log file.
321003244 KB available on disk.

4096 bytes in each allocation unit.
152970751 total allocation units on disk.
80250811 allocation units available on disk.

Internal Info:
00 de 05 00 f1 a7 04 00 97 50 08 00 00 00 00 00 .........P......
60 b8 00 00 4c 00 00 00 00 00 00 00 00 00 00 00 `...L...........
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................

Windows has finished checking your disk.
Please wait while your computer restarts.

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Wininit" Guid="{206f6dea-d3c5-4d10-bc72-989f03c8b84b}" EventSourceName="Wininit" />
<EventID Qualifiers="16384">1001</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2014-05-18T22:45:23.000000000Z" />
<EventRecordID>192074</EventRecordID>
<Correlation />
<Execution ProcessID="0" ThreadID="0" />
<Channel>Application</Channel>
<Computer>Tony-PC</Computer>
<Security />
</System>
<EventData>
<Data>

Checking file system on C:
The type of the file system is NTFS.
Volume label is Acer.


A disk check has been scheduled.
Windows will now check the disk.

CHKDSK is verifying files (stage 1 of 3)...
384512 file records processed.

File verification completed.
3141 large file records processed.

0 bad file records processed.

0 EA records processed.

76 reparse records processed.

CHKDSK is verifying indexes (stage 2 of 3)...
472684 index entries processed.

Index verification completed.
0 unindexed files scanned.

0 unindexed files recovered.

CHKDSK is verifying security descriptors (stage 3 of 3)...
384512 file SDs/SIDs processed.

Cleaning up 28 unused index entries from index $SII of file 0x9.
Cleaning up 28 unused index entries from index $SDH of file 0x9.
Cleaning up 28 unused security descriptors.
Security descriptor verification completed.
44087 data files processed.

CHKDSK is verifying Usn Journal...
34003000 USN bytes processed.

Usn Journal verification completed.
Windows has checked the file system and found no problems.

611883007 KB total disk space.
290212224 KB in 261038 files.
161000 KB in 44088 indexes.
16 KB in bad sectors.
506523 KB in use by the system.
65536 KB occupied by the log file.
321003244 KB available on disk.

4096 bytes in each allocation unit.
152970751 total allocation units on disk.
80250811 allocation units available on disk.

Internal Info:
00 de 05 00 f1 a7 04 00 97 50 08 00 00 00 00 00 .........P......
60 b8 00 00 4c 00 00 00 00 00 00 00 00 00 00 00 `...L...........
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................

Windows has finished checking your disk.
Please wait while your computer restarts.
</Data>
</EventData>
</Event>