why do my Restore Points keep disappearing?

[sassofalco]

herd Protect - Log of 1st Scan - 2014-05-18

Log of first scan attached;

View attachment herdProtect 1st Scan_2014-5-18-11-36.txt

...advice from herdProtect window, is to do a further scan in 1 hour 15 minutes. Wilco.

 

[andrew129260]

Got your log

You have got quite some nasties there. Conduit came for a visit. None of the items I have found so far are known to mess with restore points though. But lets get you cleaned up first and move on then from there.

Remove the following items when you scan again with herdprotect. Click the entry, then choose action - remove:

1.)

File path: 		c:\users\tony\downloads\cbsidlm-tr1_9-networx-org2-10155904.exe
Publisher: 		
Signer: 		CBS Interactive
MD5: 			b7d4020819dc6b923e5fe9d88231dd08
SHA-1: 			600a0295369f89c300038d770e5e114f2e25a3af
Created: 		20/12/2012 21:58:02
Detections: 		4
Determination: 		Adware
			- Dr.Web as Adware.Downware.762 (Adware)
			- ESET NOD32 as Win32/DownloadAdmin (Undefined malware)
			- Rising Antivirus as PE:Malware.XPACK/RDM!5.1 (Ignore)
			- Reason Heuristics as Bundler.PPI.CBSInteractive.AA (Undefined malware)

2.)

File path: 		c:\program files (x86)\conduit\community alerts\alert.dll
Publisher: 		Conduit Ltd.
Signer: 		Conduit Ltd.
MD5: 			6796f6e449f90a543dc3345538acc46f
SHA-1: 			97bccd25561f44e9b13f05f6eef083c9ce9ba529
Created: 		23/06/2011 23:20:46
Detections: 		6
Determination: 		Adware
			- Boost by Reason as Adware.Alert.Conduit.F
			- VIPRE Antivirus as Conduit (Undefined malware)
			- Reason Heuristics as PUP.Alert.Conduit.F (Adware)
			- Malwarebytes as PUP.Optional.Conduit (Adware)
			- Panda Antivirus as PUP/Conduit.A (Adware)
			- ESET NOD32 as Win32/Toolbar.Conduit (Adware

3.) I also advise you to uninstall dvdvideosoft. I know that program, and while it is not technically malicious, they do track everything you do, and it uses opencandy. It is classified as spyware in the security community. If you use the software and are fine with it, you may choose to keep it. But I recommend using/finding another Utility that does the same thing.


4.) 1.) Download AdwCleaner by Xplode and save to your Desktop.

• Double click on AdwCleaner.exe to run the tool

• Vista/Windows 7/8 users right-click and select Run As Administrator.
• Click on the Scan button.
• AdwCleaner will begin...be patient as the scan may take some time to complete.
• After the scan has finished, click on the Report button...a logfile (AdwCleaner[R#].txt) will open in Notepad for review (where the largest value of # represents the most recent report).
• The contents of the log file may be confusing. Unless you see a program name that you know should not be removed, don't worry about it. If you see an entry you want to keep, let me know about it.
• Copy and paste the contents of that logfile in your next reply.
• A copy of all logfiles are saved in the C:\AdwCleaner folder which was created when running the tool.

2.) Using AdwCleaner v3: Scan & Clean:

Double click on AdwCleaner.exe to run the tool again.
Click on the Scan button.
AdwCleaner will begin to scan your computer like it did before.
After the scan has finished...

This time click on the Clean button.
Press OK when asked to close all programs and follow the onscreen prompts.
Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
After rebooting, a logfile report (AdwCleaner[S#].txt) will open automatically (where the largest value of # represents the most recent report).
Copy and paste the contents of that logfile in your next reply.


3.) Please download Junkware Removal Tool to your desktop.

• Shutdown your antivirus to avoid any conflicts.
• Right click over JRT.exe and select Run as administrator on Windows Vista or Windows 7, double-click on XP.
• The tool will open and start scanning your system.
• Please be patient as this can take a while to complete.
• On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
• Post the contents of JRT.txt into your next reply message
• When completed make sure to re-enable your antivirus

 

[sassofalco]

Thanks for all so far Andrew,

Currently, just started 2nd scan, and have noted all the above.

I'll wait-out until the 2nd finished, and post that log as well.

In the meantime, I'm logging off from here until the scan is done

View attachment herdProtect 2nd Scan_2014-5-18-13-5.txt

...done with 2nd scan

AdwClearer scan attached, however, I was not certain about the selection of Tabs,
before the scan. Should I have selected the 'Registry' Tab, before selecting 'Scan',
or does it not matter?

View attachment AdwCleaner[R0].txt

Similarly, I haven't a clue what I'm looking at in these logs

I've not done the second AdwCleaner scan, and will hold off until I get your commennts
and suggestions about this lot

 

[andrew129260]

Wow. adwcleaner found a lot.

Remove those items with the directions above. Basically hit scan then clean. The tabs do not matter. It selects everything by default.

1.) Herdprotect shows you did not remove those items I stated above. Do so now when the scan completes. Then restart the pc.

2.) Scan again with adwcleaner. Clean all threats found by adwcleaner. (Just click clean)

3.) Restart.

3.) I also advise you to uninstall dvdvideosoft. I know that program, and while it is not technically malicious, they do track everything you do, and it uses opencandy. It is classified as spyware in the security community. If you use the software and are fine with it, you may choose to keep it. But I recommend using/finding another Utility that does the same thing.

4.) Also in step 3 above, are you going to uninstall dvdvideosoft? Or are you deciding to keep it? Reason I ask is they seem to be the distributor of conduit now...since you got conduit from them.

 

[sassofalco]

Wow. adwcleaner found a lot.

Remove those items with the directions above. Basically hit scan then clean. The tabs do not matter. It selects everything by default.

1.) Herdprotect shows you did not remove those items I stated above. Do so now when the scan completes. Then restart the pc. As I understand your advice here - I run herdProtect again, and when complete, select the above two items at 1.) and 2.) Click the entry, then choose action - remove.

2.) Scan again with adwcleaner. Clean all threats found by adwcleaner. (Just click clean)

3.) Restart.

3.) I also advise you to uninstall dvdvideosoft. I know that program, and while it is not technically malicious, they do track everything you do, and it uses opencandy. It is classified as spyware in the security community. If you use the software and are fine with it, you may choose to keep it. But I recommend using/finding another Utility that does the same thing.

Used very rarely, then only Video-flip for files received from folks who haven't a clue which way is up on a VidCam! It's now a goner!

4.) Also in step 3 above, are you going to uninstall dvdvideosoft? Or are you deciding to keep it? Reason I ask is they seem to be the distributor of conduit now...since you got conduit from them.

NOT keeping! It came in it's own Folder with an Uninstall, so I ran that as Admin. Seems to be no visible evidence of it any more.

Thanks for your patience and advice Andrew ... I hope that my interpretation of your advice is correct.

Until I get confirmation, I will leave System Protection ON for my Drives, and go to OFF when I start the scanning and cleaning again. Is that a correct assumption?

 

[andrew129260]

No, keep system protection off! as I stated here:

**Let's disable system protection on all drives right now, as this will remove all restore points. Even the latest one that typically cannot be removed. Keep it disabled while we look at your machine. This way the malware (if it exists) has no where to go.....

We will turn it on once we are sure the malware is all gone. You have all the other stuff correct in your thinking except the above.

Yes, when you run herdprotect click the entry and then choose action remove.

I am glad you uninstalled dvdvideosoft.

Please follow post 24 exactly as instructed.

 

[sassofalco]

DO you not mean your advice at your Post #23?

 

[andrew129260]

DO you not mean your advice at your Post #23?

huh?


Yes do everything as instructed in post 22. Remove the items with herdprotect, and then restart. Then run adwlcleaner and clean threats. Then restart again. Like I stated again in post 24. Also please note what I said in post 26 about system protection.

 

[sassofalco]

System Protection is OFF until ALL is done to your advice

Is it in this window at scan finish that I click and remove?
If so, I presume that all in Adware/PUPs should be removed?

View attachment 318328

 

[andrew129260]

You are doing fine, no need to be embarrassed. When you finish with the other items, report back and let me know how it went. Post new logs after everything is cleared out so I can verify the infections are gone.

When you are up for it, here is another thing I would like you to do. Take your time when doing steps and do not feel rushed. If you have questions ask. Take one step at a time.


1.) Do a disk check using option 1:

http://www.sevenforums.com/tutorials/433-disk-check.html

2.) Please Run sfc /scan now using option 2 in this tutorial: SFC /SCANNOW Command - System File Checker

Please post back the results.

 

[sassofalco]

You are doing fine, no need to be embarrassed. When you finish with the other items, report back and let me know how it went. Post new logs after everything is cleared out so I can verify the infections are gone.

When you are up for it, here is another thing I would like you to do. Take your time when doing steps and do not feel rushed. If you have questions ask. Take one step at a time.


1.) Do a disk check using option 1:

http://www.sevenforums.com/tutorials/433-disk-check.html

2.) Please Run sfc /scan now using option 2 in this tutorial: SFC /SCANNOW Command - System File Checker

Please post back the results.

Results of herdProtect and AdwCleaner are here.

View attachment herdProtect # 3 Scan_2014-5-19-2-28.txt

View attachment AdwCleaner[S0].txt

It's now 2:47am here, and time for me to get some sleep :shock: but I will be back in the morning to continue with running the Junkware Removal Tool.

It took two scans of herdProtect to get rid of the Candy malware, but in the meantime, the Laptop is noticibly faster at the reboot - or is it just my imagination?

Thanks for all the help so far Andrew - I'd be lost without it, or your guidance

 

[andrew129260]

You are doing fine, no need to be embarrassed. When you finish with the other items, report back and let me know how it went. Post new logs after everything is cleared out so I can verify the infections are gone.

When you are up for it, here is another thing I would like you to do. Take your time when doing steps and do not feel rushed. If you have questions ask. Take one step at a time.


1.) Do a disk check using option 1:

http://www.sevenforums.com/tutorials/433-disk-check.html

2.) Please Run sfc /scan now using option 2 in this tutorial: SFC /SCANNOW Command - System File Checker

Please post back the results.

Results of herdProtect and AdwCleaner are here.

View attachment 318342

View attachment 318343

It's now 2:47am here, and time for me to get some sleep :shock: but I will be back in the morning to continue with running the Junkware Removal Tool.

It took two scans of herdProtect to get rid of the Candy malware, but in the meantime, the Laptop is noticibly faster at the reboot - or is it just my imagination?

Thanks for all the help so far Andrew - I'd be lost without it, or your guidance

1.) I doubt its your imagination, multiple things were removed. I am not surprised performance is noticeably better.

2.) You did good. Herdprotect and adwcleaner logs show you are all good now.

3.) If the junkware removal tool fails for any reason or you cannot get it to work, let me know.

4.) Once that is done, continue with the disk check and the sfc scan. I should have mentioned the disk check could have ran overnight.

5.) What antivirus software do you use? I can give you some tips depending on your answer. We want to help you avoid this stuff in the future.

When that disk check and sfc scan completes, we will move on to a couple more things, and then we should be good to go to test the restore points. But again, do not enable system protection until I say so. Thank you.

 

[sassofalco]

You have got quite some nasties there. Conduit came for a visit. None of the items I have found so far are known to mess with restore points though. But lets get you cleaned up first and move on then from there.


3.) Please download Junkware Removal Tool to your desktop.

• Shutdown your antivirus to avoid any conflicts.
• Right click over JRT.exe and select Run as administrator on Windows Vista or Windows 7, double-click on XP.
• The tool will open and start scanning your system.
• Please be patient as this can take a while to complete.
• On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
• Post the contents of JRT.txt into your next reply message
• When completed make sure to re-enable your antivirus

Junkware Removal Tool - Results Log;

View attachment JRT.txt

...and so on to CHKDSK

 

[andrew129260]

Great job. keep going. jrt log looks good.

 

[Layback Bear]

Damn what a JRT log.

You two are gaining on this troubled computer.

 

[sassofalco]

The trouble is with the person sitting in front of the Laptop

Great job. keep going. jrt log looks good.

Damn what a JRT log.

You two are gaining on this troubled computer.

At Option Two - I did SFC/SCANNOW, which gave me a CBS.log too large to upload here :shock: . Is there another way to link to the file to allow reading by a third party?

The message on the Manage Attachments window, is;

CBS.log:
Your file of 4.72 MB bytes exceeds the forum's limit of 2.00 MB for this filetype.

...further, the last line on Shawns Tutorial concerns me. This Laptop Windows 7 is an OEM setup - I do not have either an installation, or rescue disk for it. :shock: :banghead:

The fact that I can't upload the CBS.log is a real hurdle. I do have a set of three (x3) DVD-R disks created on prompt when I first set-up the Laptop on 9 May 2011. But from my understanding, these are to be used as Recovery Disks to reset the Laptop to Acer Factory Default Settings. Does that make sense? From here on in, I'm lost in virtual space.

 

[andrew129260]

So I want to confirm something, it did find integrity violations?

And don't worry about not having an install disk. You will be surprised how easy getting that is.

 

[sassofalco]

I'm presuming that I scroll through the CBS.log and look for all the 'FAILED' or 'CORRUPT' entries?

I can do a series of Snip.jpg files for those if you want.

'Integrity' violations?

 

[andrew129260]

Ok, so you did the following:

You clicked rb: then typed cmd. You then right clicked on command prompt and ran it as administrator. You then typed sfc /scannow and hit enter. When it completed you either get one of 3 things:

Windows resource protection found no integrity violations.
It found corrupt files and successfully repaired them.
It was unable to fix some of the files, details are in cbs log.

So I am wondering which one you got?


Btw did desk check complete okay?

See here:

http://www.sevenforums.com/tutorials/96938-check-disk-chkdsk-read-event-viewer-log.html

 

[sassofalco]

Ok, so you did the following:

You clicked rb: then typed cmd. You then right clicked on command prompt and ran it as administrator. You then typed sfc /scannow and hit enter. When it completed you either get one of 3 things:

Windows resource protection found no integrity violations.
It found corrupt files and successfully repaired them.
It was unable to fix some of the files, details are in cbs log.

So I am wondering which one you got?


Btw did desk check complete okay?

See here:

http://www.sevenforums.com/tutorials/96938-check-disk-chkdsk-read-event-viewer-log.html

1. Message was; It was unable to fix some of the files, details in the cbs.log

2. Check Disk seemed to go well ... no hitches and while I was away from the laptop, it rebooted successfully

Log Name: Application
Source: Microsoft-Windows-Wininit
Date: 19/05/2014 08:45:23
Event ID: 1001
Task Category: None
Level: Information
Keywords: Classic
User: N/A
Computer: Tony-PC
Description:


Checking file system on C:
The type of the file system is NTFS.
Volume label is Acer.


A disk check has been scheduled.
Windows will now check the disk.

CHKDSK is verifying files (stage 1 of 3)...
384512 file records processed.

File verification completed.
3141 large file records processed.

0 bad file records processed.

0 EA records processed.

76 reparse records processed.

CHKDSK is verifying indexes (stage 2 of 3)...
472684 index entries processed.

Index verification completed.
0 unindexed files scanned.

0 unindexed files recovered.

CHKDSK is verifying security descriptors (stage 3 of 3)...
384512 file SDs/SIDs processed.

Cleaning up 28 unused index entries from index $SII of file 0x9.
Cleaning up 28 unused index entries from index $SDH of file 0x9.
Cleaning up 28 unused security descriptors.
Security descriptor verification completed.
44087 data files processed.

CHKDSK is verifying Usn Journal...
34003000 USN bytes processed.

Usn Journal verification completed.
Windows has checked the file system and found no problems.

611883007 KB total disk space.
290212224 KB in 261038 files.
161000 KB in 44088 indexes.
16 KB in bad sectors.
506523 KB in use by the system.
65536 KB occupied by the log file.
321003244 KB available on disk.

4096 bytes in each allocation unit.
152970751 total allocation units on disk.
80250811 allocation units available on disk.

Internal Info:
00 de 05 00 f1 a7 04 00 97 50 08 00 00 00 00 00 .........P......
60 b8 00 00 4c 00 00 00 00 00 00 00 00 00 00 00 `...L...........
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................

Windows has finished checking your disk.
Please wait while your computer restarts.

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Wininit" Guid="{206f6dea-d3c5-4d10-bc72-989f03c8b84b}" EventSourceName="Wininit" />
<EventID Qualifiers="16384">1001</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2014-05-18T22:45:23.000000000Z" />
<EventRecordID>192074</EventRecordID>
<Correlation />
<Execution ProcessID="0" ThreadID="0" />
<Channel>Application</Channel>
<Computer>Tony-PC</Computer>
<Security />
</System>
<EventData>
<Data>

Checking file system on C:
The type of the file system is NTFS.
Volume label is Acer.


A disk check has been scheduled.
Windows will now check the disk.

CHKDSK is verifying files (stage 1 of 3)...
384512 file records processed.

File verification completed.
3141 large file records processed.

0 bad file records processed.

0 EA records processed.

76 reparse records processed.

CHKDSK is verifying indexes (stage 2 of 3)...
472684 index entries processed.

Index verification completed.
0 unindexed files scanned.

0 unindexed files recovered.

CHKDSK is verifying security descriptors (stage 3 of 3)...
384512 file SDs/SIDs processed.

Cleaning up 28 unused index entries from index $SII of file 0x9.
Cleaning up 28 unused index entries from index $SDH of file 0x9.
Cleaning up 28 unused security descriptors.
Security descriptor verification completed.
44087 data files processed.

CHKDSK is verifying Usn Journal...
34003000 USN bytes processed.

Usn Journal verification completed.
Windows has checked the file system and found no problems.

611883007 KB total disk space.
290212224 KB in 261038 files.
161000 KB in 44088 indexes.
16 KB in bad sectors.
506523 KB in use by the system.
65536 KB occupied by the log file.
321003244 KB available on disk.

4096 bytes in each allocation unit.
152970751 total allocation units on disk.
80250811 allocation units available on disk.

Internal Info:
00 de 05 00 f1 a7 04 00 97 50 08 00 00 00 00 00 .........P......
60 b8 00 00 4c 00 00 00 00 00 00 00 00 00 00 00 `...L...........
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................

Windows has finished checking your disk.
Please wait while your computer restarts.
</Data>
</EventData>
</Event>