
How can we delete a single chosen restore point without deleting all?


Arlen Holder

Sep 28, 2020, 5:01:42 AM
I can't believe I made the sophomoric mistake of installing DriverPack!
o (https://drp.su/en) <== don't install this!

You gotta admit it's sneaky of DriverPack to not only make themselves not
be in the add-remove-programs list but to _also_ add themselves as a
restore point that you can't easily just click on to summarily delete.

I can figure out how to manually delete driver pack, so this question is
more generic to restore points, than it is to a specific restore point.

If we want to delete a given restore point, how could we do that?
o How can we delete a single chosen restore point without deleting all?
--
On Usenet you can get good answers to the strangest questions sometimes.

Arlen Holder

Sep 28, 2020, 5:51:29 AM
On Mon, 28 Sep 2020 09:01:41 -0000 (UTC), Arlen Holder wrote:

> How can we delete a single chosen restore point without deleting all?

For example, here's what I tried, but failed:
o <https://i.postimg.cc/NfKgqJWP/deleterestorepoint01.jpg>

Note that it's not intuitive that the Windows GUI gives completely
_different_ names & times than does the "vssadmin" command when used
for restore points.

o Win+R > systempropertiesprotection > [System Restore]
(_)Recommended restore
(o)Choose a different restore point
[Next]

Manually note the date, time, & description
o Date and Time = 9/26/2020 10:29:17 PM
o Description = Driver Booster : Standard Dual Channel PCI IDE Controller
o Type = Install

Important note: For whatever reason, those are NOT the description, and
times reported in the vssadmin command, even when run moments later!

Even so, I attempted to delete the _last_ restore point, whose time in the
vssadmin command was only a few seconds off from what is in the GUI.
o <https://i.postimg.cc/NfKgqJWP/deleterestorepoint01.jpg>

o Win+R > cmd {control+shift+enter}
vssadmin list shadows
vssadmin delete shadows /Shadow={5d53f007-fdcc-4a66-8c2f-0b12d08621f5}

That reported:
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2013 Microsoft Corp.
No items found that satisfy the query.

Note that I copied exactly what the "Contents of shadow copy set ID" was.
o And yet, it failed.

All I want, in this case, is to delete the last restore point.

Arlen Holder

Sep 28, 2020, 6:39:31 AM
On Mon, 28 Sep 2020 09:51:29 -0000 (UTC), Arlen Holder wrote:

> Even so, I attempted to delete the _last_ restore point, whose time in the
> vssadmin command was only a few seconds off from what is in the GUI.
> o <https://i.postimg.cc/NfKgqJWP/deleterestorepoint01.jpg>
>
> o Win+R > cmd {control+shift+enter}
> vssadmin list shadows
> vssadmin delete shadows /Shadow={5d53f007-fdcc-4a66-8c2f-0b12d08621f5}

SOLVED

There are _two_ of those squiggly-bracketed IDs for each restore point!
o <https://i.postimg.cc/NfKgqJWP/deleterestorepoint01.jpg>
o <https://i.postimg.cc/3Rv6dgr1/deleterestorepoint02.jpg>
o <https://i.postimg.cc/0NcmD3j2/deleterestorepoint03.jpg>

Roughly identify by time stamp or order the restore point to be deleted:
o Win+R > systempropertiesprotection > [System Restore]
(_)Recommended restore
(o)Choose a different restore point
[Next]

Manually note the date, time, & description
o Date and Time = 9/26/2020 10:29:17 PM
o Description = Driver Booster : Standard Dual Channel PCI IDE Controller
o Type = Install

Important note: For whatever reason, those are NOT the description and
times reported in the vssadmin command, even when run moments later!

o Win+R > cmd {control+shift+enter}
vssadmin list shadows
...
Contents of shadow copy set ID: {5d53f007-fdcc-4a66-8c2f-0b12d08621f5}
Contained 1 shadow copies at creation time: 9/26/2020 10:29:44 PM
Shadow Copy ID: {41e23906-ad53-4697-b51c-6d219224f753}
Original Volume: (C:)\\?\Volume{7a136a2d-0000-0000-0000-300300000000}\
Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy13
Originating Machine: pcname
Service Machine: pcname
Provider: 'Microsoft Software Shadow Copy provider 1.0'
Type: ClientAccessibleWriters
Attributes: Persistent, Client-accessible, No auto release, Differential, Auto recovered
...
vssadmin delete shadows /Shadow={41e23906-ad53-4697-b51c-6d219224f753}

vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2013 Microsoft Corp.
Do you really want to delete 1 shadow copies (Y/N): [N]? y

Successfully deleted 1 shadow copies.

Note that the vssadmin command doesn't list what's in the GUI,
so you kind of sort of have to guess a wee little bit on the ID.
o <https://i.postimg.cc/3Rv6dgr1/deleterestorepoint02.jpg>

Luckily, for me, the time stamps were only 27 seconds off, and,
luckily, it was the last restore point that I wanted to delete.
o <https://i.postimg.cc/0NcmD3j2/deleterestorepoint03.jpg>

See also:
o How to Delete System Restore Points in Windows 10
<https://www.tenforums.com/tutorials/33593-delete-system-restore-points-windows-10-a.html>

o How to Delete System Restore Points in Windows 10
<https://thegeekpage.com/delete-system-restore-points-in-windows-10/>

o Delete a System Restore Point in Windows 10
<https://winaero.com/delete-system-restore-point-windows-10/>
--
Usenet is a wonderful archive of useful real-world questions & solutions.
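Added example, not code from the thread: a small Python parser for "vssadmin list shadows" output that picks the Shadow Copy ID (not the shadow copy set ID) whose creation time is nearest the timestamp shown in the System Restore dialog, and refuses to answer when the match is ambiguous. It covers the step-by-step procedure above and the three-step summary later in the thread; the first listing in the sample output is constructed, the second reproduces the thread's own IDs and times.

```python
"""Map a System Restore GUI timestamp to the vssadmin Shadow Copy ID."""
import re
from datetime import datetime, timedelta

# Constructed sample of 'vssadmin list shadows' output (trimmed to the lines
# that matter). The second entry uses the IDs/times posted in the thread;
# the first entry is made up to give the matcher something to choose from.
SAMPLE = r"""
Contents of shadow copy set ID: {11111111-2222-3333-4444-555555555555}
   Contained 1 shadow copies at creation time: 9/20/2020 8:00:10 AM
      Shadow Copy ID: {aaaaaaaa-0000-0000-0000-000000000001}
      Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy12

Contents of shadow copy set ID: {5d53f007-fdcc-4a66-8c2f-0b12d08621f5}
   Contained 1 shadow copies at creation time: 9/26/2020 10:29:44 PM
      Shadow Copy ID: {41e23906-ad53-4697-b51c-6d219224f753}
      Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy13
"""

SET_RE = re.compile(r"Contents of shadow copy set ID:\s*(\{[0-9a-fA-F-]+\})")
TIME_RE = re.compile(r"creation time:\s*(.+)$")
COPY_RE = re.compile(r"Shadow Copy ID:\s*(\{[0-9a-fA-F-]+\})")
TIME_FMT = "%m/%d/%Y %I:%M:%S %p"  # format used by both vssadmin and the GUI

def parse_shadows(text):
    """Return one dict per shadow copy: set_id, created (datetime), shadow_id."""
    shadows, current = [], {}
    for line in text.splitlines():
        line = line.strip()
        m = SET_RE.match(line)
        if m:
            current = {"set_id": m.group(1)}
            continue
        m = TIME_RE.search(line)
        if m:
            current["created"] = datetime.strptime(m.group(1).strip(), TIME_FMT)
            continue
        m = COPY_RE.match(line)
        if m:  # this is the ID that 'vssadmin delete shadows /Shadow=' accepts
            shadows.append(dict(current, shadow_id=m.group(1)))
    return shadows

def find_shadow_for_gui_time(text, gui_time_str, tolerance=timedelta(minutes=2)):
    """Nearest Shadow Copy ID to the GUI timestamp, or None if none/ambiguous.

    The GUI and vssadmin disagree by tens of seconds (27 s in the thread), so
    match by nearest time within a tolerance; if a second shadow also falls
    inside the tolerance, return None rather than risk deleting the wrong one.
    """
    gui_time = datetime.strptime(gui_time_str, TIME_FMT)
    ranked = sorted(parse_shadows(text), key=lambda s: abs(s["created"] - gui_time))
    if not ranked or abs(ranked[0]["created"] - gui_time) > tolerance:
        return None
    if len(ranked) > 1 and abs(ranked[1]["created"] - gui_time) <= tolerance:
        return None
    return ranked[0]["shadow_id"]

if __name__ == "__main__":
    sid = find_shadow_for_gui_time(SAMPLE, "9/26/2020 10:29:17 PM")
    print("vssadmin delete shadows /Shadow=" + sid)
```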

Arlen Holder

Sep 28, 2020, 10:23:15 AM
On Mon, 28 Sep 2020 09:01:41 -0000 (UTC), Arlen Holder wrote:

> I can't believe I made the sophomoric mistake of installing DriverPack!
> o (https://drp.su/en) <== don't install this!

This might be a good starter for a tutorial on manual malware deletion!

I think I've "mostly" maybe hopefully deleted the driverpack software.
a. I manually wiped out the last system restore point it created
b. I manually wiped out the registry keys (I think) it created
c. I manually wiped out the directories (I think) it created

As per these instructions:
o DriverPack - virus
<https://www.bleepingcomputer.com/forums/t/692661/driverpack-virus/>

o Driver Updaters: Digital Snake Oil, Part 2
<https://blog.malwarebytes.com/cybercrime/2015/06/driver-updaters-digital-snake-oil-part-2/>

o Never Download a Driver-Updating Utility; They're Worse Than Useless
<https://www.howtogeek.com/198758/never-download-a-driver-updating-utility-theyre-worse-than-useless/>

In summary, I wiped out the system restore point using these commands:
o Win+R > cmd {control+shift+enter}
vssadmin list shadows
vssadmin delete shadows /Shadow={41e23906-ad53-4697-b51c-6d219224f753}

I wiped out the DriverPack registry keys using these registry favorites:
o Favorites = Uninstall locations 1of4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\]
(which didn't seem to have any driverpack related keyvalue pairs)
o Favorites = Uninstall locations 2of4
[HKEY_CURRENT_USER\Software\]
Which had the following seemingly driverpack related keys:
Computer\HKEY_CURRENT_USER\SOFTWARE\drpsu
Computer\HKEY_CURRENT_USER\SOFTWARE\DRP
o Favorites = Uninstall locations 3of4
[HKEY_LOCAL_MACHINE\SOFTWARE\]
(which didn't seem to have any driverpack related keyvalue pairs)
o Favorites = Uninstall locations 4of4
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\]
(which didn't seem to have any driverpack related keyvalue pairs)

I wiped out these two directories which (I think) are DriverPack created:
%appdata%\DriverPackCloud\
%appdata%\iDRPSu\

C:\Users\x\AppData\Local\Temp\DriverPack-20200926225216

And this directory seemed to contain (somehow) the driverpack installer:
%programfiles%\DIFX\01D44FC288378CAC\dpinst64.exe
Name: dpinst64.exe
Size: 686968 bytes (670 KiB)
SHA256: A1BC71AA06E133C76D05C2B0068C3FBA278DC2494CB47CE6065BBAC72893E857

And the tasks in the Windows task directory:
%windir%\Tasks\At1.job

Doublechecking in the Task Scheduler:
o Win+R > taskschd.msc /s

In addition, I ran a few scans:
o Spybot didn't find anything

But Malwarebytes found seven items I had manually missed!
o MalwareBytes <https://blog.malwarebytes.com/detections/pup-optional-driverpack/>

-Log Details-
Objects Scanned: 277639
Threats Detected: 7

Registry Key: 2
PUP.Optional.DriverPack, HKU\S-1-5-21-1978554282-384915032-812892281-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP\DOMAINS\drp.su, No Action By User, 632, 472299, 1.0.30520, , ame, , ,
PUP.Optional.DriverPack, HKLM\SOFTWARE\WOW6432NODE\DRPSU, No Action By User, 632, 472300, 1.0.30520, , ame, , ,

Registry Value: 3
PUP.Optional.DriverPack.BITSRST, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\FIREWALLRULES|{78CE9FF6-3182-4B5A-AE5D-7CF5EA3EDF5C}, No Action By User, 5941, 820524, 1.0.30520, , ame, , ,
PUP.Optional.DriverPack.BITSRST, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\FIREWALLRULES|{A4BC7F29-AC10-416F-9BF0-5A53F8E82FD8}, No Action By User, 5941, 820531, 1.0.30520, , ame, , ,
PUP.Optional.DriverPack, HKLM\SOFTWARE\WOW6432NODE\DRPSU|CLIENTID, No Action By User, 632, 472300, 1.0.30520, , ame, , ,

Folder: 1
PUP.Optional.DriverPack.BITSRST, C:\USERS\%USERNAME%\APPDATA\LOCAL\TEMP\DriverPack-20200926225216, No Action By User, 5941, 820525, 1.0.30520, , ame, , ,

File: 1
PUP.Optional.DriverPack.BITSRST, C:\USERS\%USERNAME%\APPDATA\LOCAL\TEMP\DriverPack-20200926225216\drp.css, No Action By User, 5941, 820525, 1.0.30520, , ame, , D576AACE1958756A57D402D546F1EC87, F6D7D4DDC2991B52EB6FFC9404DABF853E60DA92EEABEC0F18F5C5736B16C0D0

In summary, these are some of the steps that one could use for malware
deletion when the normal methods don't work.

Paul

Sep 28, 2020, 5:00:12 PM
Arlen Holder wrote:
> On Mon, 28 Sep 2020 09:01:41 -0000 (UTC), Arlen Holder wrote:
>
>> I can't believe I made the sophomoric mistake of installing DriverPack!
>> o (https://drp.su/en) <== don't install this!
>
> This might be a good starter for a tutorial on manual malware deletion!

Malware is supposed to attack all SR points. The Black Hats
are thorough. This is why your average AV product, one of
the first things it does, is switch off SR on you. To
flush the SR point.

Paul

Arlen Holder

Sep 28, 2020, 5:17:24 PM
On Mon, 28 Sep 2020 17:00:05 -0400, Paul wrote:

>>> I can't believe I made the sophomoric mistake of installing DriverPack!
>>> o (https://drp.su/en) <== don't install this!
>>
>> This might be a good starter for a tutorial on manual malware deletion!
>
> Malware is supposed to attack all SR points. The Black Hats
> are thorough. This is why your average AV product, one of
> the first things it does, is switch off SR on you. To
> flush the SR point.

Hi Paul,

For "true malware", probably... but this DriverPack isn't true malware.
o All the articles I cited said it was simply a PUP more so than malware.

That is, it didn't do anything it didn't say it would do.
o It was just obnoxious about doing it.

What it did do, was some "questionable" activities, such as:
o It didn't show up in the Add-Remove-Programs
o It didn't have an easily found installer (I never found it anyway)
o It put files in various places (as do many other programs)
o It put keys in various place in the registry (as do others)
o And, it created its own system restore point

While I wanted to delete only the last System Restore Point, when I
searched for how to do it, there was every option EXCEPT the last!
o You could delete all
o Or you could delete all but the last
But you couldn't easily delete just the last one.

Luckily, the vssadmin command allows you to delete any select one.

1. Identify in the GUI the "order" (if not the name & time)
2. Identify in vssadmin the "order" (if not the name & time)
3. Delete the offending system restore point in vssadmin

Works like a charm... if you know what I know now! :)
--
Knowledge of Windows is one thing... experience of Windows is another.

Arlen Holder

Dec 31, 2020, 2:42:56 PM
On 30 Dec 2020 16:20:26 GMT, Frank Slootweg wrote:

> If the Restore Points are included in the SVI, then nearly all is
> Restore Points, because the 'Current Usage:' of the Restore Points is
> 12.35 GB (according to the System Protection tab of the System
> Properties control panel applet).

Hi Frank,

By way of providing another helpful datapoint, my RPs are about 16GB:
o Win+R > systempropertiesprotection > [Configure]

Unlike the trolls on Usenet, I don't bullshit (I prove what I claim):
o <https://i.postimg.cc/FKkC2YjZ/app06.jpg> ~16 GB restore point

In my case, that's only five restore points, which is odd, as I don't
remember deleting any, where I've noticed that whatever is labeled as:
o Windows Module Installer
is, perhaps, deleting all prior restore points (it may be one of my
cleaner programs, e.g., Revo, AdvancedUninstall, iOBit, ZSoft, etc.).
o Win+R > systempropertiesprotection > [System Restore] > [Next]
o [x]Show more restore points

Whatever "Windows Modules Installer" is I don't know though...
o <https://i.postimg.cc/hhFVQGJS/app07.jpg> Something deleted my RPs!

In summary, I'm glad you brought up this system restore point space
o As I just noticed "something" is auto-deleting my many restore points!
--
Posted to learn from others and to disseminate knowledge to all who care.