Trying to help a friend

[FD]

I might just install Eaz-fix 9.0 and call it a day!  Not exactly the right way out, but after disabling the Firewall and AV Software, trying it in Safe Mode I'm about to toss in the towel.

FD

[Hoov]

Have you run a chkdsk on the harddrive?  How about a defrag?

[1972vet]

The only thing Microsoft has to say about your error message number is detailed Here...but that only applies to the exchange server 2003. If that's what you have there, then this should ring the bell. Windows 7 is something entirely different.

Have you made any system changes on that thing relating to the page file or amount of disk space that system restore uses to create restore points?
Were there any system services that you may have tweaked? Stopped some, or perhaps changed the "startup type" on some? System restore needs only the volume shadow copy service but by default it is set to manual. You could try setting it to automatic.

Something else that you can check is installed software. There are some programs out there that will interfere with system restore, and for obvious reasons. Software such as Acronis true image for example. That program is one that wants complete control of the volume shadow copy service and related stuff that it needs. If you have something like this installed, it could account for your system error messages relating to system restore.

Do you have the service pack installed? If not, install it...if so, re-install it. No need to uninstall it first, just download a copy and install it directly over itself.

Other than these few suggestions, I'm drawing a blank...and if it were mine, I would consider a repair install.

[FD]

Hoov check disk is fine and the drive is defragmented.

1972Vet-  I'll have to check into it.

Thanks!

[FD]

I went back to my Virgin Image, system restore works.  I installed CCleaner, system restore works.  I install MSFT patches, use CCleaner system restore works.  There are more patches, since I can't DL them all at once, then at some point system restore stops working.

It might be one of the patches conflicting with CCleaner? Any CCleaner users notice this issue? Or is the problem with one of the MSFT patches?

FD

[Hoov]

I have been using Ccleaner a while and not noticed a problem. I know this is not a malware removal post, but could you use the instructions below and run DDS. I am going to try and duplicate the system as close as I can and see if I can use system restore.


We need to see some information about what is happening in your machine.  Please perform the following scan:

• Download DDS by sUBs from one of the following links.  Save it to your desktop.
  • DDS.scr
    
• Double click on the DDS icon, allow it to run.
  
• A small box will open, with an explaination about the tool.  No input is needed, the scan is running.
• Notepad will open with the results.
• Please copy and paste both logs into your next response. You may need more than one response.
• Close the program window, and delete the program from your desktop.

Please note:  You may have to disable any script protection running if the scan fails to run.  After downloading the tool, disconnect from the internet and disable all antivirus protection.  Run the scan, enable your A/V and reconnect to the internet. 

Information on A/V control HERE

[FD]

This is everything from DDS.  I had to disable Comodo as it causing issues with running DDS.

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421
Run by FD at 17:13:04 on 2012-05-01
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.8086.6786 [GMT -4:00]
.
AV: COMODO Antivirus *Disabled/Updated* {458BB331-2324-0753-3D5F-1472EB102AC0}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: COMODO Defense+ *Disabled/Updated* {FEEA52D5-051E-08DD-07EF-2F009097607D}
FW: COMODO Firewall *Disabled* {7DB03214-694B-060B-1600-BD4715C36DBB}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.dell.com
uDefault_Page_URL = hxxp://www.dell.com
mWinlogon: Userinit=userinit.exe
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - No File
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - C:\PROGRA~2\MICROS~1\Office14\URLREDIR.DLL
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} - hxxp://support.dell.com/systemprofiler/DellSystemLite.CAB
TCP: DhcpNameServer = 192.168.1.1 68.237.161.12
TCP: Interfaces\{5F9E8382-59F6-42B1-BC8E-106BC8066647} : DhcpNameServer = 192.168.1.1 68.237.161.12
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL
AppInit_DLLs: C:\Windows\SysWOW64\nvinit.dll  C:\Windows\SysWOW64\guard32.dll
BHO-X64: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - No File
BHO-X64: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MICROS~1\Office14\URLREDIR.DLL
BHO-X64:     URLRedirectionBHO - No File
BHO-X64: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
AppInit_DLLs-X64: C:\Windows\SysWOW64\nvinit.dll  C:\Windows\SysWOW64\guard32.dll
.
============= SERVICES / DRIVERS ===============
.
R0 nvpciflt;nvpciflt;C:\Windows\system32\DRIVERS\nvpciflt.sys --> C:\Windows\system32\DRIVERS\nvpciflt.sys [?]
R0 stdcfltn;Disk Class Filter Driver for Accelerometer;C:\Windows\system32\DRIVERS\stdcfltn.sys --> C:\Windows\system32\DRIVERS\stdcfltn.sys [?]
R1 cmderd;COMODO Internet Security Eradication Driver;C:\Windows\system32\DRIVERS\cmderd.sys --> C:\Windows\system32\DRIVERS\cmderd.sys [?]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;C:\Windows\system32\DRIVERS\cmdguard.sys --> C:\Windows\system32\DRIVERS\cmdguard.sys [?]
R1 cmdHlp;COMODO Internet Security Helper Driver;C:\Windows\system32\DRIVERS\cmdhlp.sys --> C:\Windows\system32\DRIVERS\cmdhlp.sys [?]
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
R2 AERTFilters;Andrea RT Filters Service;C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe [2011-12-6 98208]
R2 UNS;Intel(R) Management and Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [2011-12-15 2656280]
R3 Acceler;Accelerometer Service;C:\Windows\system32\DRIVERS\Accelern.sys --> C:\Windows\system32\DRIVERS\Accelern.sys [?]
R3 AVer7231_x64;AVerMedia 7231 capture service;C:\Windows\system32\DRIVERS\AVer7231_x64.sys --> C:\Windows\system32\DRIVERS\AVer7231_x64.sys [?]
R3 IntcDAud;Intel(R) Display Audio;C:\Windows\system32\DRIVERS\IntcDAud.sys --> C:\Windows\system32\DRIVERS\IntcDAud.sys [?]
R3 MEIx64;Intel(R) Management Engine Interface;C:\Windows\system32\DRIVERS\HECIx64.sys --> C:\Windows\system32\DRIVERS\HECIx64.sys [?]
R3 NETwNs64;___ Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;C:\Windows\system32\DRIVERS\NETwNs64.sys --> C:\Windows\system32\DRIVERS\NETwNs64.sys [?]
R3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;C:\Windows\system32\DRIVERS\nusb3hub.sys --> C:\Windows\system32\DRIVERS\nusb3hub.sys [?]
R3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;C:\Windows\system32\DRIVERS\nusb3xhc.sys --> C:\Windows\system32\DRIVERS\nusb3xhc.sys [?]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys --> C:\Windows\system32\DRIVERS\Rt64win7.sys [?]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-5-1 253088]
S3 Creative ALchemy AL6 Licensing Service;Creative ALchemy AL6 Licensing Service;C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\AL6Licensing.exe [2011-12-15 79360]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2011-12-15 79360]
S3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]
S3 Sound Blaster X-Fi MB Licensing Service;Sound Blaster X-Fi MB Licensing Service;C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\XMBLicensing.exe [2011-12-15 79360]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\system32\drivers\TsUsbGD.sys --> C:\Windows\system32\drivers\TsUsbGD.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
.
=============== Created Last 30 ================
.
2012-05-01 19:55:04   --------   d-----w-   C:\Windows\PCHEALTH
2012-05-01 19:52:52   --------   d-----w-   C:\Program Files (x86)\Microsoft Analysis Services
2012-05-01 19:52:40   --------   d-----w-   C:\Users\FD\AppData\Local\Microsoft Help
2012-05-01 19:08:30   --------   d-----w-   C:\Windows\SysWow64\Wat
2012-05-01 19:08:29   --------   d-----w-   C:\Windows\System32\Wat
2012-05-01 18:50:48   81408   ----a-w-   C:\Windows\System32\imagehlp.dll
2012-05-01 18:50:48   5120   ----a-w-   C:\Windows\SysWow64\wmi.dll
2012-05-01 18:50:48   5120   ----a-w-   C:\Windows\System32\wmi.dll
2012-05-01 18:50:48   23408   ----a-w-   C:\Windows\System32\drivers\fs_rec.sys
2012-05-01 18:50:48   220672   ----a-w-   C:\Windows\System32\wintrust.dll
2012-05-01 18:50:48   172544   ----a-w-   C:\Windows\SysWow64\wintrust.dll
2012-05-01 18:50:48   159232   ----a-w-   C:\Windows\SysWow64\imagehlp.dll
2012-05-01 18:48:44   723456   ----a-w-   C:\Windows\System32\EncDec.dll
2012-05-01 18:48:44   534528   ----a-w-   C:\Windows\SysWow64\EncDec.dll
2012-05-01 18:48:14   418464   ----a-w-   C:\Windows\SysWow64\FlashPlayerApp.exe
2012-05-01 18:47:10   1731920   ----a-w-   C:\Windows\System32\ntdll.dll
2012-05-01 18:47:10   1292080   ----a-w-   C:\Windows\SysWow64\ntdll.dll
2012-05-01 18:46:53   5561216   ----a-w-   C:\Windows\System32\ntoskrnl.exe
2012-05-01 18:46:53   3967872   ----a-w-   C:\Windows\SysWow64\ntkrnlpa.exe
2012-05-01 18:46:53   3912576   ----a-w-   C:\Windows\SysWow64\ntoskrnl.exe
2012-05-01 18:46:47   77312   ----a-w-   C:\Windows\System32\packager.dll
2012-05-01 18:46:47   67072   ----a-w-   C:\Windows\SysWow64\packager.dll
.
==================== Find3M  ====================
.
2012-05-01 18:48:14   70304   ----a-w-   C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2012-03-11 21:13:41   43248   ----a-w-   C:\Windows\System32\drivers\cmdhlp.sys
2012-03-11 21:13:40   577824   ----a-w-   C:\Windows\System32\drivers\cmdGuard.sys
2012-03-11 21:13:38   22696   ----a-w-   C:\Windows\System32\drivers\cmderd.sys
2012-03-11 21:13:20   41200   ----a-w-   C:\Windows\System32\cmdcsr.dll
2012-03-11 21:13:18   301224   ----a-w-   C:\Windows\SysWow64\guard32.dll
2012-03-11 21:13:17   389840   ----a-w-   C:\Windows\System32\guard64.dll
2012-02-28 06:56:48   2311168   ----a-w-   C:\Windows\System32\jscript9.dll
2012-02-28 06:49:56   1390080   ----a-w-   C:\Windows\System32\wininet.dll
2012-02-28 06:48:57   1493504   ----a-w-   C:\Windows\System32\inetcpl.cpl
2012-02-28 06:42:55   2382848   ----a-w-   C:\Windows\System32\mshtml.tlb
2012-02-28 01:18:55   1799168   ----a-w-   C:\Windows\SysWow64\jscript9.dll
2012-02-28 01:11:21   1427456   ----a-w-   C:\Windows\SysWow64\inetcpl.cpl
2012-02-28 01:11:07   1127424   ----a-w-   C:\Windows\SysWow64\wininet.dll
2012-02-28 01:03:16   2382848   ----a-w-   C:\Windows\SysWow64\mshtml.tlb
2012-02-17 06:38:26   1031680   ----a-w-   C:\Windows\System32\rdpcore.dll
2012-02-17 05:34:22   826880   ----a-w-   C:\Windows\SysWow64\rdpcore.dll
2012-02-17 04:58:24   210944   ----a-w-   C:\Windows\System32\drivers\rdpwd.sys
2012-02-17 04:57:32   23552   ----a-w-   C:\Windows\System32\drivers\tdtcp.sys
2012-02-10 06:36:07   1544192   ----a-w-   C:\Windows\System32\DWrite.dll
2012-02-10 05:38:43   1077248   ----a-w-   C:\Windows\SysWow64\DWrite.dll
2012-02-03 04:34:34   3145728   ----a-w-   C:\Windows\System32\win32k.sys
.
============= FINISH: 17:13:23.83 ===============

[Hoov]

I probably won't get this replicated until tomorrow afternoon. I will work on it though and let you know what I find.

[FD]

Thanks,

I'll check after work tomorrow.  Is there anything I can look at/do that will aid in my Malware removal training?

FD

[Hoov]

Well I just finished trying to duplicate the problem, but even with everything running, and an extra Antivirus running as well (forgot I had it installed) I was able to do a system restore. There were no snags or problems. I am not sure what is going on.

[FD]

Does my DDS report indicate any Malware?

[Hoov]

No, but that doesn't mean there is not any installed. There are some java entries that seem to have lost their files.

[FD]

I removed Java through add remove programs.  I hate the fact that windows doesn't remove everything. Some people will probably disagree, but I can pluck them from the registry.  I do have an Image of the hard drive to the exact point we're at right now if things go bad, although I doubt that will happen.

[FD]

I went ahead with a fresh install, downloaded all the patches, but missed a driver which I had to later install.  Is going out of sequence with the driver installation going matter?

[FD]

Seems the problem with system restore not restoring from a restore point is coming from CCleaner.  I tested it after each program I installed, and as soon as I installed CCleaner system restore wouldn't work.  I removed CCleaner, and hope to find a good alternative.