You will need to go through the process of turning off system restore, then enabling it again, in order to clean the restore points.
Do you notice anything in particular when you get re-infected?
No, I don't notice anything in particular. Will post a new clean MBA-M scan.
What about just keeping System Restore turned off? It hasn't done me a lot of good so far--often it can't fix what I want it to fix. I also have a good backup using Acronis. So do you think System Restore is more trouble than it's worth?
Also: should I delete the various programs you've had me install, and just reinstall them when/if I need them? Or just keep them on the computer?
thanks!
Malwarebytes' Anti-Malware 1.41
Database version: 3213
Windows 5.1.2600 Service Pack 3
11/22/2009 7:46:47 AM
mbam-log-2009-11-22 (07-46-47).txt
Scan type: Full Scan (C:\|D:\|)
Objects scanned: 305944
Time elapsed: 3 hour(s), 0 minute(s), 23 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
I turn System Restore off myself because I have a backup already. The problem here, though, is that the PC appears to be getting re-infected, and I do not think it is from System Restore, as we have already turned it off once.
Having said that, turn sys restore off and let's see how you go.
You may uninstall the programs I have suggested so far, although I would keep MBA-M.
Let's get rid of Combofix now that we are finished with it.
- Click START then RUN
- Now type Combofix /u in the Run box and click OK. Note the space between the X and the /; it needs to be there.
- https://discussions.virtualdr.com/im.../2010/01/1.png
ComboFix /u didn't do an uninstall; it ran the program. How do I uninstall? Anyway, here's the log it generated:
ComboFix 09-11-19.05 - Tenney Nathanson 11/22/2009 20:54.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.774 [GMT -7:00]
Running from: c:\documents and settings\Tenney Nathanson\Desktop\ComboFix.exe
Command switches used :: /u
AV: Norton 360 *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.
((((((((((((((((((((((((( Files Created from 2009-10-23 to 2009-11-23 )))))))))))))))))))))))))))))))
.
2009-11-23 00:50 . 2009-08-25 08:00 84912 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20091122.020\NAVENG.SYS
2009-11-23 00:50 . 2009-08-25 08:00 177520 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20091122.020\NAVENG32.DLL
2009-11-23 00:50 . 2009-08-25 08:00 1647984 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20091122.020\NAVEX32A.DLL
2009-11-23 00:50 . 2009-08-25 08:00 1323568 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20091122.020\NAVEX15.SYS
2009-11-23 00:50 . 2009-09-22 08:00 259440 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20091122.020\ECMSVR32.DLL
2009-11-23 00:50 . 2009-09-15 08:00 2747952 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20091122.020\CCERASER.DLL
2009-11-23 00:50 . 2009-08-26 08:00 371248 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20091122.020\EECTRL.SYS
2009-11-23 00:50 . 2009-08-26 08:00 102448 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20091122.020\ERASER.SYS
2009-11-22 17:04 . 2009-08-22 08:26 165240 ----a-r- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\IPSFFPlgn\components\IPSFFPl.dll
2009-11-13 01:44 . 2009-10-28 22:37 811896 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20091111.001\Scxpx86.dll
2009-11-13 01:44 . 2009-10-28 22:37 343088 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20091111.001\IDSvix86.sys
2009-11-13 01:44 . 2009-10-28 22:37 329592 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20091111.001\IDSXpx86.sys
2009-11-13 01:44 . 2009-10-28 22:37 488312 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20091111.001\IDSxpx86.dll
2009-11-13 01:44 . 2009-10-28 22:37 466992 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20091111.001\IDSviA64.sys
2009-11-11 21:04 . 2009-10-28 22:37 329592 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20091107.001\IDSXpx86.sys
2009-11-11 21:04 . 2009-10-28 22:37 811896 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20091107.001\Scxpx86.dll
2009-11-11 21:04 . 2009-10-28 22:37 488312 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20091107.001\IDSxpx86.dll
2009-11-11 21:04 . 2009-10-28 22:37 343088 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20091107.001\IDSvix86.sys
2009-11-11 21:04 . 2009-10-28 22:37 466992 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20091107.001\IDSviA64.sys
2009-11-11 19:44 . 2009-11-11 19:44 -------- d-----w- c:\documents and settings\Tenney Nathanson\Local Settings\Application Data\Amazon
2009-11-06 15:56 . 2009-10-13 17:20 669032 ----a-w- c:\documents and settings\Tenney Nathanson\Application Data\Microsoft\Internet Explorer\Quick Launch\autoruns.exe
2009-11-06 00:14 . 2009-11-06 00:14 -------- d-----w- c:\documents and settings\Tenney Nathanson\Application Data\Malwarebytes
2009-11-06 00:14 . 2009-09-10 21:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-06 00:14 . 2009-11-06 00:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-06 00:14 . 2009-11-06 00:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-06 00:14 . 2009-09-10 21:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-04 04:10 . 2009-11-04 04:10 152576 ----a-w- c:\documents and settings\Tenney Nathanson\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-11-02 04:55 . 2009-11-02 04:55 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-10-28 22:37 . 2009-10-28 22:37 343088 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\IDSvix86.sys
2009-10-28 22:37 . 2009-10-28 22:37 329592 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\IDSXpx86.sys
2009-10-28 22:37 . 2009-10-28 22:37 811896 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\Scxpx86.dll
2009-10-28 22:37 . 2009-10-28 22:37 488312 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\IDSxpx86.dll
2009-10-28 22:37 . 2009-10-28 22:37 466992 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\IDSviA64.sys
2009-10-25 22:46 . 2009-10-25 22:46 6729728 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\181625-18178.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-23 03:58 . 2009-05-17 18:28 -------- d-----w- c:\documents and settings\Tenney Nathanson\Application Data\CallingID
2009-11-22 21:05 . 2009-03-03 04:52 -------- d-----w- c:\program files\Cypherix PE
2009-11-22 20:21 . 2008-02-15 20:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-11-22 17:10 . 2009-03-31 07:19 256 ----a-w- c:\documents and settings\Tenney Nathanson\pool.bin
2009-11-22 17:02 . 2008-02-27 14:46 12 ----a-w- c:\windows\bthservsdp.dat
2009-11-17 03:56 . 2009-02-16 19:44 -------- d-----w- c:\program files\UnHackMe
2009-11-15 06:10 . 2009-09-21 07:08 -------- d-----w- c:\documents and settings\Tenney Nathanson\Application Data\SlimBrowser
2009-11-12 16:14 . 2009-05-17 18:25 -------- d-----w- c:\documents and settings\Tenney Nathanson\Application Data\comcasttb
2009-11-11 19:44 . 2008-06-13 04:52 -------- d-----w- c:\program files\Amazon
2009-11-11 06:11 . 2009-02-16 19:44 2 --shatr- c:\windows\winstart.bat
2009-11-04 04:12 . 2008-01-29 17:43 -------- d-----w- c:\program files\Java
2009-11-02 05:06 . 2008-10-13 23:54 -------- d-----w- c:\program files\iTunes
2009-11-02 05:04 . 2008-10-13 23:54 -------- d-----w- c:\program files\iPod
2009-10-27 00:56 . 2008-02-14 21:14 -------- d-----w- c:\documents and settings\Tenney Nathanson\Application Data\U3
2009-10-25 22:47 . 2008-02-18 03:23 -------- d-----w- c:\program files\Quicken
2009-10-25 22:43 . 2009-06-24 01:56 245760 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\QWPATCH.EXE
2009-10-23 21:03 . 2008-02-17 06:56 -------- d-----w- c:\documents and settings\Tenney Nathanson\Application Data\Apple Computer
2009-10-20 03:33 . 2008-04-06 06:01 139251 ----a-w- c:\windows\hpoins15.dat
2009-10-14 22:17 . 2008-01-28 23:24 -------- d-----w- c:\program files\Common Files\Adobe
2009-10-11 11:17 . 2009-01-09 19:37 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-06 08:08 . 2009-10-06 08:07 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-09-28 19:51 . 2009-09-28 19:51 -------- d-----w- c:\documents and settings\Administrator\Application Data\comcasttb
2009-09-28 19:42 . 2009-09-28 19:42 -------- d-----w- c:\documents and settings\Administrator\Application Data\Logitech
2009-09-11 14:18 . 2006-06-01 04:16 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-07 05:16 . 2009-06-09 18:52 2000000 ----atw- c:\windows\system32\HJSMEM.DAT
2009-09-04 21:03 . 2006-06-01 04:16 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08 . 2006-06-01 04:17 916480 ------w- c:\windows\system32\wininet.dll
2009-08-29 02:42 . 2009-03-17 16:17 2065696 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-08-29 02:42 . 2008-02-17 06:55 40448 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-08-26 08:00 . 2006-06-01 04:17 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-25 18:29 . 2009-08-25 18:13 19521 ----a-w- c:\windows\hpqins13.dat
2009-08-25 18:17 . 2008-02-15 12:47 32768 ----a-w- c:\windows\system32\drivers\tifsfilt.sys
2009-08-25 18:17 . 2009-05-27 06:56 392320 ----a-w- c:\windows\system32\drivers\timntr.sys
2009-08-25 18:17 . 2008-02-15 12:47 99776 ----a-w- c:\windows\system32\drivers\snapman.sys
2009-04-01 05:47 . 2009-04-07 05:56 324976 ----a-w- c:\program files\mozilla firefox\components\coFFPlgn.dll
2008-11-26 00:08 . 2008-08-21 02:03 61440 ----a-w- c:\program files\mozilla firefox\components\FFComm.dll
2009-10-30 17:48 . 2008-02-15 20:41 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.
((((((((((((((((((((((((((((( SnapShot@2009-11-11_17.23.40 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-11-22 17:04 . 2009-11-22 17:04 16384 c:\windows\Temp\Perflib_Perfdata_38c.dat
+ 2009-11-22 17:04 . 2009-11-22 17:04 16384 c:\windows\Temp\Perflib_Perfdata_1c8.dat
+ 2009-11-22 17:04 . 2009-11-22 17:04 16384 c:\windows\Temp\Perflib_Perfdata_198.dat
+ 2008-01-28 23:16 . 2009-08-07 02:24 44768 c:\windows\system32\wups2.dll
+ 2006-06-01 04:30 . 2009-08-07 02:24 35552 c:\windows\system32\wups.dll
+ 2006-06-01 04:16 . 2009-11-22 20:08 73668 c:\windows\system32\perfc009.dat
+ 2006-06-01 04:30 . 2009-08-07 02:24 35552 c:\windows\system32\dllcache\wups.dll
- 2008-10-15 23:18 . 2009-10-15 02:03 38240 c:\windows\Installer\{90120000-0020-0409-0000-0000000FF1CE}\O12ConvIcon.exe
+ 2008-10-15 23:18 . 2009-11-22 15:40 38240 c:\windows\Installer\{90120000-0020-0409-0000-0000000FF1CE}\O12ConvIcon.exe
+ 2008-01-28 23:29 . 2009-11-22 15:40 23040 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
- 2008-01-28 23:29 . 2009-10-15 02:07 23040 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
- 2008-01-28 23:29 . 2009-10-15 02:07 61440 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pubs.exe
+ 2008-01-28 23:29 . 2009-11-22 15:40 61440 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pubs.exe
- 2008-01-28 23:29 . 2009-10-15 02:07 27136 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
+ 2008-01-28 23:29 . 2009-11-22 15:40 27136 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
- 2008-01-28 23:29 . 2009-10-15 02:07 11264 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
+ 2008-01-28 23:29 . 2009-11-22 15:40 11264 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
+ 2008-01-28 23:29 . 2009-11-22 15:40 86016 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\inficon.exe
- 2008-01-28 23:29 . 2009-10-15 02:07 86016 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\inficon.exe
+ 2008-01-28 23:29 . 2009-11-22 15:40 12288 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
- 2008-01-28 23:29 . 2009-10-15 02:07 12288 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
+ 2008-01-28 23:29 . 2009-11-22 15:40 4096 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
- 2008-01-28 23:29 . 2009-10-15 02:07 4096 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
+ 2006-06-01 04:16 . 2009-11-22 20:08 448376 c:\windows\system32\perfh009.dat
+ 2007-07-31 02:18 . 2009-08-07 02:23 215904 c:\windows\system32\muweb.dll
+ 2008-01-29 17:27 . 2009-08-07 02:23 274288 c:\windows\system32\mucltui.dll
+ 2006-05-31 21:23 . 2009-11-22 16:27 338648 c:\windows\system32\FNTCACHE.DAT
- 2006-05-31 21:23 . 2009-06-23 18:53 338648 c:\windows\system32\FNTCACHE.DAT
- 2008-01-28 23:29 . 2009-10-15 02:07 409600 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
+ 2008-01-28 23:29 . 2009-11-22 15:40 409600 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
- 2008-01-28 23:29 . 2009-10-15 02:07 286720 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
+ 2008-01-28 23:29 . 2009-11-22 15:40 286720 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
+ 2008-01-28 23:29 . 2009-11-22 15:40 249856 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pptico.exe
- 2008-01-28 23:29 . 2009-10-15 02:07 249856 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pptico.exe
- 2008-01-28 23:29 . 2009-10-15 02:07 794624 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\outicon.exe
+ 2008-01-28 23:29 . 2009-11-22 15:40 794624 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\outicon.exe
- 2008-01-28 23:29 . 2009-10-15 02:07 135168 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\misc.exe
+ 2008-01-28 23:29 . 2009-11-22 15:40 135168 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\misc.exe
+ 2008-01-28 23:29 . 2009-11-22 15:40 593920 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\accicons.exe
- 2008-01-28 23:29 . 2009-10-15 02:07 593920 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\accicons.exe
+ 2009-11-22 15:44 . 2008-07-08 13:02 382840 c:\windows\ie8updates\KB976749-IE8\spuninst\updspapi.dll
+ 2009-11-22 15:44 . 2008-07-08 13:02 231288 c:\windows\ie8updates\KB976749-IE8\spuninst\spuninst.exe
+ 2009-11-22 16:50 . 2009-11-22 16:50 475136 c:\windows\ERDNT\11-22-2009\Users\00000002\UsrClass.dat
+ 2009-11-22 16:50 . 2005-10-20 19:02 163328 c:\windows\ERDNT\11-22-2009\ERDNT.EXE
+ 2006-06-01 04:17 . 2009-08-14 13:21 1850624 c:\windows\system32\win32k.sys
+ 2006-06-01 04:16 . 2009-10-22 09:19 5939712 c:\windows\system32\mshtml.dll
+ 2008-10-15 22:57 . 2009-08-14 13:21 1850624 c:\windows\system32\dllcache\win32k.sys
+ 2007-02-20 09:52 . 2009-10-22 09:19 5939712 c:\windows\system32\dllcache\mshtml.dll
+ 2009-08-18 19:58 . 2009-08-18 19:58 8301056 c:\windows\Installer\35e3ef7.msp
+ 2009-10-07 01:40 . 2009-10-07 01:40 7681024 c:\windows\Installer\35e3eee.msp
+ 2009-10-22 19:28 . 2009-10-22 19:28 5521408 c:\windows\Installer\35e3ed8.msp
+ 2009-10-22 19:46 . 2009-10-22 19:46 6821888 c:\windows\Installer\35e3ec2.msp
+ 2009-11-22 15:44 . 2009-08-29 08:08 5940224 c:\windows\ie8updates\KB976749-IE8\mshtml.dll
+ 2008-01-29 17:20 . 2009-11-05 17:36 26768832 c:\windows\system32\MRT.exe
+ 2009-11-22 16:50 . 2009-11-22 16:50 14020608 c:\windows\ERDNT\11-22-2009\Users\00000001\NTUSER.DAT
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Green]
@="{95A27763-F62A-4114-9072-E81D87DE3B68}"
[HKEY_CLASSES_ROOT\CLSID\{95A27763-F62A-4114-9072-E81D87DE3B68}]
2009-04-30 00:19 583312 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Partial]
@="{E300CD91-100F-4E67-9AF3-1384A6124015}"
[HKEY_CLASSES_ROOT\CLSID\{E300CD91-100F-4E67-9AF3-1384A6124015}]
2009-04-30 00:19 583312 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Yellow]
@="{5E529433-B50E-4bef-A63B-16A6B71B071A}"
[HKEY_CLASSES_ROOT\CLSID\{5E529433-B50E-4bef-A63B-16A6B71B071A}]
2009-04-30 00:19 583312 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-02-15 68856]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2007-08-30 205480]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-10-30 30192]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-29 141600]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-07-21 7581696]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-02-13 282624]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2008-02-29 76304]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-07-21 1519616]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 09:42 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\QWS3270 Secure\\QWS3287p.exe"=
"c:\\Program Files\\QWS3270 Secure\\QWS3270s.exe"=
"c:\\Program Files\\QWS3270 Secure\\lpd.exe"=
"c:\\Program Files\\QWS3270 Secure\\AutoUpdt.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Macromedia\\Dreamweaver MX\\Dreamweaver.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0305020.00B\SymEFA.sys [9/8/2009 8:19 PM 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\N360\0305020.00B\BHDrvx86.sys [9/8/2009 8:19 PM 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\N360\0305020.00B\cchpx86.sys [9/8/2009 8:19 PM 482432]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20091111.001\IDSXpx86.sys [11/12/2009 6:44 PM 329592]
R2 cypherixservice;Cypherix service;cypherixsrv.exe --> cypherixsrv.exe [?]
R2 cyphxdrv;cyphxdrv;c:\windows\system32\drivers\cyphxdrv.sys [3/2/2009 9:52 PM 100728]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [10/10/2008 5:45 AM 13088]
R2 N360;Norton 360;c:\program files\Norton 360\Engine\3.5.2.11\ccSvcHst.exe [9/8/2009 8:18 PM 117640]
R2 ssoftnt4;ssoftnt4;c:\windows\system32\drivers\ssoftnt4.sys [2/15/2008 1:16 PM 100728]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [11/19/2009 9:28 AM 102448]
S2 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe [10/4/2004 4:47 AM 98304]
S2 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe [10/4/2004 3:40 AM 118784]
S3 GoogleDesktopManager-093009-130223;Google Desktop Manager 5.9.909.30391;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2/15/2008 1:41 PM 30192]
S3 JTVNCProxy_10.0;JTVNCProxy;c:\program files\Freedom Scientific\JAWS\10.0\JTVNCProxy.exe [6/9/2009 12:28 PM 16152]
S4 AntiSpywareService;Comcast AntiSpyware;c:\program files\comcasttb\ComcastSpywareScan\ComcastAntiSpyService.exe [3/16/2009 2:37 PM 616408]
S4 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [9/2/2008 9:45 AM 18176]
S4 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [9/2/2008 9:45 AM 7680]
S4 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [9/2/2008 9:45 AM 23680]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
bdx REG_MULTI_SZ scan
.
Contents of the 'Scheduled Tasks' folder
2009-11-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-12 19:34]
2009-11-22 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-02-15 23:10]
2009-11-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3473810947-3136250097-2599601964-1007Core.job
- c:\documents and settings\Tenney Nathanson\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-17 03:12]
2009-11-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3473810947-3136250097-2599601964-1007UA.job
- c:\documents and settings\Tenney Nathanson\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-17 03:12]
2008-01-28 c:\windows\Tasks\ISP signup reminder 1.job
- c:\windows\system32\OOBE\oobebaln.exe [2006-06-01 00:12]
2008-01-28 c:\windows\Tasks\ISP signup reminder 2.job
- c:\windows\system32\OOBE\oobebaln.exe [2006-06-01 00:12]
2008-01-28 c:\windows\Tasks\ISP signup reminder 3.job
- c:\windows\system32\OOBE\oobebaln.exe [2006-06-01 00:12]
2009-11-23 c:\windows\Tasks\User_Feed_Synchronization-{75E32A0D-FB27-4BA9-A1FD-2B5426F5BAE9}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 11:31]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: {{02818a03-790c-4dc1-b92b-85a79d635dfa} - c:\windows\system32\telenav-ie.htm
Trusted Zone: turbotax.com
DPF: {9C0B28E0-FCF4-40B5-ABD2-D223EA7AF839} - hxxp://my.telenav.com/mytn/MyTN.CAB
FF - ProfilePath - c:\documents and settings\Tenney Nathanson\Application Data\Mozilla\Firefox\Profiles\q7vpbbf6.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/webhp?sourceid=navclient-ff
FF - prefs.js: keyword.URL - hxxp://errorpage.comcast.net/?cat=Web&con=dc&safe=on&q=
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\coFFPlgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\IPSFFPlgn\components\IPSFFPl.dll
FF - component: c:\program files\Mozilla Firefox\components\FFComm.dll
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - component: c:\program files\Mozilla Firefox\extensions\[email protected]\components\Shim.dll
FF - component: c:\program files\real\realplayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPInfotl.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npstrlnk.dll
FF - plugin: c:\program files\Picasa2\npPicasa2.dll
FF - plugin: c:\program files\Picasa2\npPicasa3.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-22 21:09
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\N360]
"ImagePath"="\"c:\program files\Norton 360\Engine\3.5.2.11\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\3.5.2.11\diMaster.dll\" /prefetch:1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(1552)
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll
c:\program files\CA\PPRT\bin\CACheck.dll
c:\program files\CA\PPRT\bin\CAHook.dll
c:\program files\CA\PPRT\bin\CAServer.dll
- - - - - - - > 'lsass.exe'(1608)
c:\windows\system32\relog_ap.dll
- - - - - - - > 'explorer.exe'(4984)
c:\windows\system32\WININET.dll
c:\program files\CA\PPRT\bin\CACheck.dll
c:\program files\CA\PPRT\bin\CAHook.dll
c:\program files\CA\PPRT\bin\CAServer.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-11-22 21:13
ComboFix-quarantined-files.txt 2009-11-23 04:13
ComboFix2.txt 2009-11-20 06:16
ComboFix3.txt 2009-11-20 03:31
ComboFix4.txt 2009-11-11 17:31
Pre-Run: 43,073,294,336 bytes free
Post-Run: 43,231,219,712 bytes free
- - End Of File - - 76BDF5AB48A774D762C9C2203C337161
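As an added example that is not part of the thread: a small Python script that pulls the security-posture indicators out of a ComboFix log of the kind posted above (the product-status header, the Security Center override values, the Windows Firewall state and its exception list, and the IE trusted-zone and DPF entries). The sample input is a trimmed excerpt copied from the log above. Two caveats a reviewer keeps in mind when reading the output: ComboFix asks for the resident AV and firewall to be switched off before it runs, so "*disabled*" in the header is expected for that run, and third-party suites commonly set the Security Center override values themselves so they can report status in place of Windows. The script lists these items so they can be checked against the installed product; it does not judge them.

```python
import re
from collections import Counter

# Constructed sample: a trimmed excerpt of the ComboFix log posted above,
# keeping only the lines this check reads.
COMBOFIX_EXCERPT = r"""
AV: Norton 360 *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.
REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
Trusted Zone: turbotax.com
DPF: {9C0B28E0-FCF4-40B5-ABD2-D223EA7AF839} - hxxp://my.telenav.com/mytn/MyTN.CAB
"""

REG_KEY = re.compile(r"^\[(?P<key>[^\]]+)\]$")
REG_VALUE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.*)$')


def parse_reg_dump(text):
    """Return (key, name, raw_value) triples from the REGEDIT4-style section.

    ComboFix prints one [key] line followed by its "name"=value lines; anything
    that is not under a [key] is ignored here.
    """
    entries, key = [], None
    for line in text.splitlines():
        line = line.strip()
        m = REG_KEY.match(line)
        if m:
            key = m.group("key")
            continue
        m = REG_VALUE.match(line)
        if m and key is not None:
            entries.append((key, m.group("name"), m.group("value")))
    return entries


def reg_int(raw):
    """Decode the two spellings ComboFix uses for a DWORD: 'dword:00000001' and '0 (0x0)'."""
    raw = raw.strip()
    if raw.lower().startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    m = re.match(r"^\d+", raw)
    return int(m.group(0)) if m else None


def security_findings(log_text):
    """List (category, detail) pairs for the posture indicators in a ComboFix log."""
    findings = []
    for line in log_text.splitlines():
        # Header lines: "AV: <product> *disabled*" / "*On-access scanning disabled*".
        if line.startswith(("AV:", "FW:")) and "disabled*" in line:
            findings.append(("product_disabled", line.strip()))
        elif line.startswith("Trusted Zone:"):
            findings.append(("ie_trusted_zone", line.split(":", 1)[1].strip()))
        elif line.startswith("DPF:"):  # ActiveX controls downloaded by IE
            findings.append(("activex_download", line[4:].strip()))
    for key, name, raw in parse_reg_dump(log_text):
        lkey = key.lower()
        if ("security center" in lkey
                and name in ("AntiVirusOverride", "FirewallOverride", "DisableMonitoring")
                and reg_int(raw) == 1):
            findings.append(("security_center_override", key + "\\" + name))
        elif "firewallpolicy" in lkey and name == "EnableFirewall" and reg_int(raw) == 0:
            # Normal when a third-party firewall is active; worth a look when it is not.
            findings.append(("windows_firewall_off", key))
        elif lkey.endswith("authorizedapplications\\list"):
            findings.append(("firewall_exception", name))
    return findings


def summarize(findings):
    """Count findings per category, e.g. {'security_center_override': 4, ...}."""
    return dict(Counter(category for category, _ in findings))


if __name__ == "__main__":
    for category, detail in security_findings(COMBOFIX_EXCERPT):
        print(f"{category:26} {detail}")
```

Run it against a full ComboFix log by reading the file into `security_findings`; the regex parser only looks at `[key]` / `"name"=value` pairs, so the Find3M and snapshot sections pass through untouched.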
You uninstall it how I showed it in my last post.
I have never seen it run when the uninstall command has been used.
Try it again and see how you go :).
Make sure to copy it exactly as written.
Crunchie
It did it again, a couple of times. The second time, I made sure to disable the Norton AV and Firewall BEFORE I ran the command, with the same result. And I did a cut/paste of the command you sent me, just to be doubly sure I had it exactly right. Still, ComboFix runs and generates a new log rather than uninstalling.
?
thanks!
Tenney
Try it this way instead;
Click Start > Run and copy/paste the following bolded text into the Run box and click OK:
ComboFix /Uninstall
That worked, thanks!
I have System Restore off and everything is working great right now--much faster shutdowns.
At some point I may experiment with turning System Restore back on and see what happens--or maybe not.
Are there other programs you had me install that should also be uninstalled?
thanks!
Tenney
Gmer, DDS, SystemLook and The Avenger can all go. Just check in Add/Remove first for them and uninstall, if there.
Safe surfing :).
Crunchie,
Thanks. I did not yet delete the other programs you list above (busy). Maybe just as well, since MBA-M found a trojan in three places on my system today. ??? Here's the log. Advice?
I'm thinking maybe delete the Kindle for the PC, which I never use anyway.
best,
Tenney
Malwarebytes' Anti-Malware 1.41
Database version: 3260
Windows 5.1.2600 Service Pack 3
11/30/2009 7:13:43 AM
mbam-log-2009-11-30 (07-13-43).txt
Scan type: Full Scan (C:\|D:\|)
Objects scanned: 309618
Time elapsed: 3 hour(s), 18 minute(s), 47 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\amazon kindle for pc (Trojan.Dropper) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\Program Files\Amazon\Kindle For PC\uninstall.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tenney Nathanson\My Documents\KindleForPC-installer.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
I am not confident that Kindle is a trojan. It could be a false positive from Malwarebytes.
If you go to the Malwarebytes forums, you can report the false positive, if that is what it is.
Doing a Google search for kindle reveals no negatives that I could see.
Crunchie,
I silly problem, of my own making. CDs will not autoplay anymore. It's not Auto Play options, I'm pretty sure, but a disabled Auto Run. I foolishly took PC Mag's advice and ran a macro to disable autorun, but I'd like to re-enable it. I've gone through the recommended steps (changing the registry key value from "0" back to "1" and so on) but it still doesn't work. I'm wondering if there's some log I could send you that would allow you to figure out what's blocking auto run from running.
thanks, and best,
Tenney in Tucson
I mean "a" silly problem, though since I made the silly problem I guess, yeah, I the silly problem too. :)
Try this from kellyskorner.
http://www.kellys-korner-xp.com/regs...bleautorun.reg
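The post above says the CD-ROM Autorun value was set back to 1 and CDs still do not AutoRun. On XP that value is only one of the inputs: the NoDriveTypeAutoRun policy (read from HKLM, or from HKCU when HKLM has no value) and the per-drive-letter NoDriveAutoRun mask can each block it on their own, and a typical "disable AutoRun" tweak sets NoDriveTypeAutoRun to 0xFF, which includes the CD-ROM bit. The script below is an added example in Python; it is not from the thread and does not reproduce the kellys-korner .reg file linked above. The key paths and bit meanings are Microsoft's documented ones, the sample values are constructed, and the live-registry read only works on Windows.

```python
import sys

# Bits of the NoDriveTypeAutoRun policy DWORD as documented by Microsoft: one bit
# per drive type, and a *set* bit disables AutoRun for that type.
DRIVE_TYPE_BITS = {
    0x01: "DRIVE_UNKNOWN",
    0x02: "DRIVE_NO_ROOT_DIR",
    0x04: "DRIVE_REMOVABLE",
    0x08: "DRIVE_FIXED",
    0x10: "DRIVE_REMOTE",
    0x20: "DRIVE_CDROM",
    0x40: "DRIVE_RAMDISK",
    0x80: "reserved",
}
XP_DEFAULT_MASK = 0x91    # stock XP value: unknown, network and reserved types only
DISABLE_ALL_MASK = 0xFF   # the usual "turn AutoRun off everywhere" setting
POLICY_PATH = r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
CDROM_SERVICE_PATH = r"SYSTEM\CurrentControlSet\Services\Cdrom"


def disabled_drive_types(mask):
    """Names of the drive types whose AutoRun the NoDriveTypeAutoRun mask turns off."""
    return {name for bit, name in DRIVE_TYPE_BITS.items() if mask & bit}


def _effective(hklm_value, hkcu_value):
    """Microsoft's documented precedence: a value present in HKLM is used and the
    HKCU copy is ignored; otherwise the HKCU value (if any) applies."""
    return ("HKLM", hklm_value) if hklm_value is not None else ("HKCU", hkcu_value)


def cdrom_autorun_blockers(hklm_policy, hkcu_policy, cdrom_autorun,
                           drive_letter="D", hklm_drive_mask=None, hkcu_drive_mask=None):
    """Explain why a CD in drive_letter does not AutoRun.

    hklm_policy / hkcu_policy       NoDriveTypeAutoRun under POLICY_PATH in each hive
    cdrom_autorun                   the Autorun DWORD under CDROM_SERVICE_PATH
    hklm_drive_mask / hkcu_drive_mask  NoDriveAutoRun (one bit per drive letter, A: = bit 0)
    Pass None for a value that is absent.  Returns a list of reasons; an empty
    list means none of these keys is blocking it.
    """
    reasons = []
    if cdrom_autorun == 0:
        reasons.append(f"{CDROM_SERVICE_PATH}\\Autorun is 0 (AutoRun off in the CD-ROM driver)")
    hive, mask = _effective(hklm_policy, hkcu_policy)
    if mask is not None and mask & 0x20:
        reasons.append(f"{hive} NoDriveTypeAutoRun=0x{mask:02X} disables "
                       + ", ".join(sorted(disabled_drive_types(mask))))
    hive, dmask = _effective(hklm_drive_mask, hkcu_drive_mask)
    letter_bit = 1 << (ord(drive_letter.upper()) - ord("A"))
    if dmask is not None and dmask & letter_bit:
        reasons.append(f"{hive} NoDriveAutoRun=0x{dmask:08X} disables drive {drive_letter.upper()}:")
    return reasons


def read_live_values():
    """Read the governing values from the live registry (Windows only)."""
    import winreg  # Windows-only module, hence the late import

    def dword(hive, path, name):
        try:
            with winreg.OpenKey(hive, path) as key:
                value, kind = winreg.QueryValueEx(key, name)
                return value if kind == winreg.REG_DWORD else None
        except OSError:  # key or value absent
            return None

    return dict(
        hklm_policy=dword(winreg.HKEY_LOCAL_MACHINE, POLICY_PATH, "NoDriveTypeAutoRun"),
        hkcu_policy=dword(winreg.HKEY_CURRENT_USER, POLICY_PATH, "NoDriveTypeAutoRun"),
        cdrom_autorun=dword(winreg.HKEY_LOCAL_MACHINE, CDROM_SERVICE_PATH, "Autorun"),
        hklm_drive_mask=dword(winreg.HKEY_LOCAL_MACHINE, POLICY_PATH, "NoDriveAutoRun"),
        hkcu_drive_mask=dword(winreg.HKEY_CURRENT_USER, POLICY_PATH, "NoDriveAutoRun"),
    )


if __name__ == "__main__":
    if sys.platform == "win32":
        values = read_live_values()
    else:
        # Constructed sample: Cdrom\Autorun put back to 1 but the policy mask left
        # at 0xFF, one state that produces the symptom described in the post.
        values = dict(hklm_policy=DISABLE_ALL_MASK, hkcu_policy=None, cdrom_autorun=1)
    for reason in cdrom_autorun_blockers(**values) or ["nothing in these keys blocks CD AutoRun"]:
        print(reason)
```

A reboot, or at least a fresh Explorer process, is needed before a policy change under HKLM takes effect, so check the output after restarting rather than immediately after editing.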