Solved

Restore Points Being Deleted !

Posted on 2009-02-23
Last Modified: 2012-05-06
Something is happening... Constantly, all my restore points, INCLUDING those that I set myself, are being deleted when my computer reboots. I have Windows XP SP2 and use SuperAntiSpyware resident and VIPRE. I also have other anti-spyware. SuperAntiSpyware support said it does NOT do this. Please help me resolve the problem that is causing my restore points to go.

The computer dealer said that the hard drive or a virus are possibilities, but I am coming out clean with VIPRE and SAS... so...

Question by:4ubest
22 Comments
 
LVL 30

Expert Comment

by:flubbster
ID: 23711432
Check the available disk space. XP will delete the restore points if the drive is running out of space.

Also check the settings in the Disk Cleanup utility. It has a check box for deleting restore points. Make sure it is not selected.
 

Author Comment

by:4ubest
ID: 23711666
Plenty of space, so that is not an issue. In the Disk Cleanup utility I cannot see where the check box for deleting restore points is, as it always asks me if I want to...
 
LVL 30

Assisted Solution

by:flubbster
flubbster earned 160 total points
ID: 23711706
Verify that ALL monitored drives/partitions have enough space. If ANY of them do not, then the restore points will be deleted automatically to make room.

Here is an excellent page for missing restore points:
http://bertk.mvps.org/html/missingrps.html

Also, you can look at event viewer for any messages related to the restore service. This will help:

http://bertk.mvps.org/html/source.html
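An added example, not part of the thread and not flubbster's own procedure: a PowerShell 2.0 script that gathers on one screen what the two comments above say to check, namely the restore points currently present, System Restore's own limits, free space on every fixed drive, and the System Restore entries in the System event log. It assumes PowerShell 2.0 has been installed on the XP machine (it is not part of XP SP2 as shipped), an Administrators account, and that the registry value names, the `root\default` WMI classes and the event sources `sr` and `srservice` are the XP ones; the defaults quoted in the comments are the XP values as I know them, so verify them on the machine if they differ.

```powershell
# Added example: gather what the comments above say to check, in one pass.
# Requires PowerShell 2.0 on the XP machine and an Administrators account.
# The WMI classes SystemRestore and SystemRestoreConfig live in root\default on XP.

# 1. Restore points that exist right now. Run this before and after a reboot: if the
#    list is full before and empty after, the purge happens at boot, not on a timer.
"=== Restore points ==="
Get-WmiObject -Namespace root\default -Class SystemRestore |
    Sort-Object SequenceNumber |
    Format-Table SequenceNumber, CreationTime, RestorePointType, Description -AutoSize

# 2. System Restore's own limits. RPLifeInterval is the maximum age of a point in
#    seconds (XP default 7776000 = 90 days); DiskPercent is the share of each monitored
#    drive the store may use (XP default 12). A tiny RPLifeInterval expires points by itself.
"=== SystemRestoreConfig ==="
Get-WmiObject -Namespace root\default -Class SystemRestoreConfig |
    Format-List RPSessionInterval, RPGlobalInterval, RPLifeInterval, DiskPercent

# 3. The registry values behind it: the global off switch (DisableSR = 1) and DSMin,
#    the free space in MB System Restore needs before it will run (XP default 200).
"=== Registry ==="
$srKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore'
Get-ItemProperty -Path $srKey | Format-List DisableSR, RPLifeInterval, DiskPercent, DSMin

# 4. Free space on every fixed drive. XP monitors every local fixed drive unless it was
#    turned off per drive in System Properties, and a drive that runs low on space makes
#    System Restore discard points, so the check has to cover all drives, not just C:.
"=== Fixed drives ==="
Get-WmiObject -Class Win32_LogicalDisk -Filter "DriveType=3" |
    Select-Object DeviceID, VolumeName,
        @{n='SizeGB';  e={[math]::Round($_.Size / 1GB, 1)}},
        @{n='FreeGB';  e={[math]::Round($_.FreeSpace / 1GB, 1)}},
        @{n='FreePct'; e={[math]::Round(100 * $_.FreeSpace / $_.Size, 1)}} |
    Format-Table -AutoSize

# 5. What System Restore itself logged. On XP the System log sources are 'srservice'
#    (the service) and 'sr' (its file system filter driver).
"=== System Restore events (newest 50) ==="
Get-EventLog -LogName System -Source srservice, sr -Newest 50 -ErrorAction SilentlyContinue |
    Sort-Object TimeGenerated |
    Format-Table TimeGenerated, Source, EventID, EntryType, Message -AutoSize -Wrap
```

Save the output from a run before the reboot and one after; the difference between the two restore-point lists, read against the event log entries in between, tells you whether the points expired, were purged for space, or vanished with no entry from System Restore at all, which is the case that points at something else deleting them.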
 

Author Comment

by:4ubest
ID: 23711889
Thanks, but none of these apply except Uninstall IS components, but I never had that problem before since 2002, so I did not choose that option...
 
LVL 27

Accepted Solution

by:Jonvee
Jonvee earned 1840 total points
ID: 23713180
Even though the machine appears clean, I recommend downloading, then updating, Malwarebytes' Anti-Malware:
http://www.malwarebytes.org/mbam.php
When updated, reboot into Safe Mode by pressing F8 at bootup, and run a scan.
Full instructions are available, if you require.

If you'd like to run another virus scan, these two are excellent>

"Trend Micro's FREE online virus scanner":            
http://housecall.trendmicro.com/uk/

Kaspersky free online virus scanner, which is a good way to find out if you have any viruses or spyware without having to uninstall your existing antivirus software>
http://www.kaspersky.co.uk/virusscanner


When you're pretty sure the computer is clean, take a look at this link (to turn on System Restore) to at least see if it's been enabled>
http://www.pchell.com/virus/systemrestore.shtml

If ok, one option could be>
"The System Restore Utility May Be Suspended on a System Drive Even Though There Is Enough Disk Space":
http://support.microsoft.com/kb/299904/

Failing that, you could try this repair>
http://windowsxp.mvps.org/repairsr.htm

 
LVL 27

Expert Comment

by:Jonvee
ID: 23713432
Incidentally, have you tried deleting all restore points, which will automatically include viruses that may be backed up there? Then turn System Restore on again, and recreate a new Restore point:
http://www.pchell.com/virus/systemrestore.shtml

This previous question may help although MS KB309531 appears unavailable at this time>
"System Restore cannot successfully restore to a point":
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Windows/XP/Q__23205649.html

Further help>
http://wiki.answers.com/Q/How_do_you_delete_the_virus_on_C_System_Volume_Information_restore_EXE

If still unresolved, you may find appropriate information in this link >>
About System Restore:
http://www.pcug.org.au/16bits(catalogue)/16b2006/PCUG16b200603/system_restore.htm
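An added example, not part of the thread and not Jonvee's own steps: the "delete all restore points, turn System Restore back on, create a fresh point" sequence from the comment above, done through the System Restore WMI provider (class `SystemRestore` in `root\default`, present on XP) from PowerShell 2.0 instead of the System Properties dialog. The description string is this example's own; it acts on the system drive because on XP turning System Restore off there turns it off everywhere and discards every existing point, and it assumes that re-enabling the system drive is enough for a default setup (a drive that was configured individually may need its own `Enable` call).

```powershell
# Added example: flush the restore point store and start over via WMI.
# Only run this after you are satisfied the machine is clean: disabling System Restore
# on the system drive deletes every restore point on every monitored drive.
# Requires PowerShell 2.0 and an Administrators account on the XP machine.

$sr = [wmiclass]'\\.\root\default:SystemRestore'
$systemDrive = $env:SystemDrive + '\'      # e.g. 'C:\'

# Disable(Drive): on the system drive this turns SR off everywhere and purges the store.
$rc = $sr.Disable($systemDrive).ReturnValue
if ($rc -ne 0) { throw "Disable failed with return code $rc" }

# Enable(Drive, WaitTillEnabled): bring the service back with an empty store.
$rc = $sr.Enable($systemDrive, $true).ReturnValue
if ($rc -ne 0) { throw "Enable failed with return code $rc" }

# CreateRestorePoint(Description, RestorePointType, EventType):
# RestorePointType 12 = MODIFY_SETTINGS, EventType 100 = BEGIN_SYSTEM_CHANGE.
$rc = $sr.CreateRestorePoint('Manual checkpoint after cleanup', 12, 100).ReturnValue
if ($rc -ne 0) { throw "CreateRestorePoint failed with return code $rc" }

# Confirm exactly one point exists now; reboot and run this query again. If the point
# is gone after the reboot, whatever deletes them is acting at boot time.
Get-WmiObject -Namespace root\default -Class SystemRestore |
    Format-Table SequenceNumber, CreationTime, RestorePointType, Description -AutoSize
```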
 

Author Comment

by:4ubest
ID: 23713510
Hi, I also have Malwarebytes, and that too on the latest quick scan was clean. I ran Trend AV free and it found nothing. As far as deleting all the restore points, that was done automatically for me except for the last time, which could have viruses in it, although I have not had a virus since the computer was rebuilt in Jan. Perhaps there is one that VIPRE and the others are not detecting???
 
LVL 27

Expert Comment

by:Jonvee
ID: 23713593
>Perhaps there is one that VIPRE and others are not detecting ?<
It's quite possible, because there is no one virus scanner that can guarantee detecting & removing every known infection.
Another possibility although probably less likely, is a rootkit.
 

Author Comment

by:4ubest
ID: 23713692
I also ran BitDefender free a while back, but it too found nothing, so I will try that as well, but first Kaspersky...
 

Author Comment

by:4ubest
ID: 23714159
Using the Kaspersky critical area scan, it found... mejiyolo.dll.tmp. How is it removed? I am now scanning the rest of C...
 
LVL 27

Assisted Solution

by:Jonvee
Jonvee earned 1840 total points
ID: 23714402
> mejiyolo.dll.tmp <
You could install and run Trend HijackThis 2.02 to see if it will spot & then remove the nasty:
http://majorgeeks.com/Trend_Micro_HijackThis_d5554.html

Create a folder where you would like the HijackThis file to reside and run it from there, not from the Desktop or a temporary folder.
Run the scan & save the logfile.  Then click the "Attach Code Snippet" box, paste the logfile into the "Code Snippet" page and then it can be analysed.  


But in all probability you'll need to run Combofix to remove the infection(s).
Download ComboFix and save to your Desktop >
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Before using ComboFix please disable any realtime Anti-virus, Anti-spyware, Shields, etc. that you may have running, and remember to re-enable them later, upon completion.

Before using ComboFix it may be necessary to rename it before saving it to your desktop.  If you have difficulties downloading it, try downloading to another machine, then into a USB memory stick (or equivalent).  Rename it and connect to the problematic machine.

Double click "combofix.exe" and follow the prompts.
When it's finished it will have produced a Logfile, probably at C:\ComboFix.txt.
You could post that log together with a HijackThis log, in a reply for us.
Please do not mouse-click ComboFix's window while it is running, because it may stall.  It is absolutely normal for you to see a blue screen with a flashing cursor, and this can last for up to 30 mins.  Just let it run.

Incidentally, ComboFix works well in normal mode or safe mode, but first try the former please.
 

Author Comment

by:4ubest
ID: 23717415
HijackThis log


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:11:22 PM, on 2/23/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
 
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\WINDOWS\system32\ctfmon.exe
Y:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\TechSmith\Jing\Jing.exe
Y:\Program Files\Innovative Solutions\Advanced Uninstaller PRO - Version 9\monitor.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Raxco\PerfectDisk10\PDAgent.exe
C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\Program Files\Sunbelt Software\VIPRE\SBAMSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\Sunbelt Software\VIPRE\SBAMTray.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
G:\EUDORA~1.0\Eudora.exe
Y:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\PPKent\Desktop\HiJackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
F:\~~ahijackthis\HiJackThis.exe
 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://toolbar.ask.com/toolbarv/askRedirect?o=10168&gct=&gc=1&q=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://toolbar.ask.com/toolbarv/askRedirect?o=10168&gct=&gc=1&q=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://toolbar.ask.com/toolbarv/askRedirect?o=10168&gct=&gc=1&q=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R3 - URLSearchHook: DefaultSearchHook Class - {C94E154B-1459-4A47-966B-4B843BEFC7DB} - C:\Program Files\AskSearch\bin\DefaultSearch.dll
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - Y:\Program Files\TechSmith\Snagit 9\SnagitBHO.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - Y:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O3 - Toolbar: Snagit - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - Y:\Program Files\TechSmith\Snagit 9\SnagitIEAddin.dll
O4 - HKLM\..\Run: [SBAMTray] C:\Program Files\Sunbelt Software\VIPRE\SBAMTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "Y:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] Y:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Jing] C:\Program Files\TechSmith\Jing\Jing.exe
O4 - HKCU\..\Run: [Advanced Uninstaller PRO Installation Monitor] "Y:\Program Files\Innovative Solutions\Advanced Uninstaller PRO - Version 9\monitor.exe"
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] Y:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - Y:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - Y:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://utilities.pcpitstop.com/da/PCPitStop.CAB
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/optimize2/pcpitstop2.dll
O16 - DPF: {FFD85DC8-5261-4D11-B728-F7C59D911691} (iolo.ProductDetector) - http://www.iolo.com/app/ocx/UpgradeVerify.cab
O20 - Winlogon Notify: !SASWinLogon - Y:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk10\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk10\PDEngine.exe
O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
O23 - Service: VIPRE Antivirus + Antispyware (SBAMSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\VIPRE\SBAMSvc.exe
 
--
End of file - 8822 bytes


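An added example that is not part of the thread: a PowerShell 2.0 triage pass over a HijackThis 2.x log like the one above. It judges nothing (no line is called malicious); it parses each `R`/`O` finding into its section code, CLSID, file path and URL, counts entries per section, and prints the groups a reviewer reads first: autostarts (O4), ActiveX downloads (O16), Winlogon notify DLLs (O20), services HijackThis could not attribute to a vendor (O23 "Unknown owner"), and IE start/search entries whose URL carries query parameters. The eight lines in `$sample` are copied from the log above to make the script self-contained; set `$LogPath` to a saved log to run it on a full file. `$LogPath` and the property names are this example's own.

```powershell
# Added example: structured triage of a HijackThis 2.x log (PowerShell 2.0 compatible).

$sample = @'
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://toolbar.ask.com/toolbarv/askRedirect?o=10168&gct=&gc=1&q=
R3 - URLSearchHook: DefaultSearchHook Class - {C94E154B-1459-4A47-966B-4B843BEFC7DB} - C:\Program Files\AskSearch\bin\DefaultSearch.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] Y:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://utilities.pcpitstop.com/da/PCPitStop.CAB
O20 - Winlogon Notify: !SASWinLogon - Y:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
'@

$LogPath = $null   # set to a saved log, e.g. 'C:\!!hijackthis\hijackthis.log', to scan a real file
$lines = if ($LogPath) { Get-Content $LogPath } else { $sample -split "`r?`n" }

$entries = foreach ($line in $lines) {
    # Every HijackThis finding starts with a section code: R0-R3 (IE URLs and hooks) or O1-O24.
    if (-not ($line -match '^(?<code>[RO]\d+) - (?<body>.+)$')) { continue }
    $code = $Matches['code']
    $body = $Matches['body']
    # A failed -match leaves $Matches untouched, so each field is taken only on success.
    New-Object PSObject -Property @{
        Code    = $code
        Clsid   = if ($body -match '\{[0-9A-Fa-f-]{36}\}') { $Matches[0] } else { '' }
        Url     = if ($body -match 'https?://\S+') { $Matches[0] } else { '' }
        Path    = if ($body -match '(?i)[A-Z]:\\[^"\r\n]*?\.(exe|dll|sys|ocx|cab)\b') { $Matches[0] } else { '' }
        NoOwner = [bool]($body -match 'Unknown owner')
        Body    = $body
    }
}

"Entries per section:"
$entries | Group-Object Code | Sort-Object Name | Format-Table Name, Count -AutoSize

"Read-first groups: O4 autostarts, O16 ActiveX downloads, O20 Winlogon notify, O23 services with no vendor name:"
$entries |
    Where-Object { @('O4', 'O16', 'O20') -contains $_.Code -or ($_.Code -eq 'O23' -and $_.NoOwner) } |
    Format-Table Code, Path, Url -AutoSize -Wrap

"IE start/search entries whose target URL carries query parameters (R0-R3):"
$entries |
    Where-Object { $_.Code -like 'R*' -and $_.Url -match '\?' } |
    Format-Table Code, Url -AutoSize -Wrap

"CLSIDs to look up before deciding anything about a BHO, toolbar or hook:"
$entries | Where-Object { $_.Clsid } | Format-Table Code, Clsid, Path -AutoSize
```

The point of the grouping is that a HijackThis log is a list of load points, not a list of infections: an O4 entry is only a program that starts at logon, and an O23 "Unknown owner" only means the binary carries no company name in its version information. The CLSIDs and file paths the script pulls out are what you check against a BHO/CLSID reference and the file's digital signature before removing anything.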
 

Author Comment

by:4ubest
ID: 23717516
ComboFix log
ComboFix 09-02-21.01 - PPKent 2009-02-23 20:25:31.2 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.3583.2986 [GMT -5:00]
Running from: c:\documents and settings\PPKent\Desktop\ComboFix.exe
AV: Sunbelt VIPRE *On-access scanning disabled* (Updated)
FW: ActiveArmor Firewall *enabled*
.
 
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
 
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\IE4 Error Log.txt
c:\windows\wiaserviv.log
O:\D.COM
R:\D.COM
 
----- BITS: Possible infected sites -----
 
hxxp://www.hhdsoftware.com
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.
 
-------\Service_seneka
 
 
(((((((((((((((((((((((((   Files Created from 2009-01-24 to 2009-02-24  )))))))))))))))))))))))))))))))
.
 
2009-02-23 20:04 . 2009-02-23 20:04	<DIR>	d--------	C:\!!hijackthis
2009-02-23 09:17 . 2009-02-23 09:17	<DIR>	d--------	c:\windows\0E6ED660498C42F79EF4FB0C96DFC01A.TMP
2009-02-20 08:36 . 2009-02-20 08:42	6,790,436,864	--a------	C:\022009eudoraDrive G and MCI Flat Drive Y newer.bkf
2009-02-16 11:28 . 2009-02-18 09:05	<DIR>	d--------	c:\program files\K-Lite Codec Pack
2009-02-16 11:28 . 2002-07-07 17:14	1,294,336	--a------	c:\windows\system32\vorbis.acm
2009-02-16 11:28 . 2008-09-24 13:41	839,680	--a------	c:\windows\system32\lameACM.acm
2009-02-16 11:28 . 2001-02-24 20:19	287,744	--a------	c:\windows\system32\divxa32.acm
2009-02-16 11:28 . 2006-10-18 13:05	232,448	--a------	c:\windows\system32\mp3fhg.acm
2009-02-16 11:28 . 2007-09-20 19:52	118,784	--a------	c:\windows\system32\ac3acm.acm
2009-02-16 11:28 . 2008-10-03 07:30	414	--a------	c:\windows\system32\lame_acm.xml
2009-02-16 10:59 . 2009-02-16 10:59	<DIR>	d--------	c:\program files\AVS4YOU
2009-02-16 10:59 . 2009-02-16 10:59	<DIR>	d--------	c:\documents and settings\PPKent\Application Data\AVS4YOU
2009-02-16 10:59 . 2009-02-16 10:59	<DIR>	d--------	c:\documents and settings\All Users\Application Data\AVS4YOU
2009-02-16 10:58 . 2009-02-16 10:59	<DIR>	d--------	c:\program files\Common Files\AVSMedia
2009-02-16 10:58 . 2002-01-05 15:48	974,848	--a------	c:\windows\system32\mfc70.dll
2009-02-16 10:58 . 2002-01-05 14:40	487,424	--a------	c:\windows\system32\msvcp70.dll
2009-02-16 10:58 . 2002-01-05 02:37	344,064	--a------	c:\windows\system32\msvcr70.dll
2009-02-16 10:58 . 2003-05-21 12:50	24,576	--a------	c:\windows\system32\msxml3a.dll
2009-02-13 17:47 . 2009-02-13 17:47	<DIR>	d--------	c:\documents and settings\PPKent\Application Data\InstallShield Installation Information
2009-02-13 17:08 . 2009-02-13 17:08	<DIR>	d--------	c:\windows\system32\AGEIA
2009-02-13 17:08 . 2009-02-13 17:08	<DIR>	d--------	c:\program files\AGEIA Technologies
2009-02-13 14:44 . 2009-02-13 14:45	<DIR>	d--------	C:\021309apyramdair
2009-02-13 13:00 . 2009-02-13 13:00	<DIR>	d--------	c:\program files\DIFX
2009-02-13 12:50 . 2009-02-13 12:50	<DIR>	d--------	c:\documents and settings\All Users\Application Data\nView_Profiles
2009-02-13 12:49 . 2009-02-13 12:49	<DIR>	d--------	c:\documents and settings\All Users\Application Data\NVIDIA
2009-02-10 09:44 . 2009-02-10 09:44	<DIR>	d--------	c:\program files\AskSearch
2009-02-03 14:59 . 2009-02-03 14:59	<DIR>	d--------	c:\documents and settings\PPKent\Application Data\Scooter Software
2009-02-03 09:31 . 2009-02-03 09:31	<DIR>	d--------	c:\documents and settings\PPKent\Application Data\Ulead Systems
2009-02-03 09:29 . 2009-02-03 09:30	<DIR>	d--------	c:\program files\Common Files\Ulead Systems
2009-02-03 09:29 . 2009-02-03 09:30	<DIR>	d--------	c:\documents and settings\All Users\Application Data\Ulead Systems
2009-02-03 09:25 . 2009-02-03 09:25	<DIR>	d--------	c:\windows\Downloaded Installations
2009-02-02 07:24 . 2009-02-08 07:48	3,452	--ahs----	c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2009-02-02 07:24 . 2009-02-08 07:48	88	-r-hs----	c:\documents and settings\All Users\Application Data\1F80204B4F.sys
2009-02-02 07:23 . 2009-02-02 07:23	<DIR>	d--------	c:\program files\Common Files\Protexis
2009-02-02 07:23 . 2009-02-02 07:23	<DIR>	d--------	c:\program files\Common Files\Corel
2009-02-02 07:23 . 2009-02-02 07:24	<DIR>	d--------	c:\documents and settings\PPKent\Application Data\Corel
2009-02-02 07:23 . 2009-02-02 07:23	<DIR>	d--------	c:\documents and settings\All Users\Application Data\Corel
2009-02-02 07:21 . 2009-02-02 07:21	<DIR>	d--------	c:\program files\Corel
2009-02-02 07:11 . 2009-02-02 07:11	51,124	--ah-----	c:\windows\system32\mlfcache.dat
2009-02-01 14:14 . 2009-02-01 14:14	<DIR>	d--------	c:\program files\Apple Software Update
2009-02-01 14:14 . 2009-02-01 14:14	<DIR>	d--------	c:\documents and settings\All Users\Application Data\Apple
2009-01-30 09:55 . 2009-01-30 09:55	<DIR>	d--------	c:\documents and settings\PPKent\Application Data\DeskView
2009-01-29 11:11 . 2009-01-29 11:11	<DIR>	d--------	c:\documents and settings\PPKent\Application Data\NCH Software
2009-01-29 11:09 . 2009-01-29 11:11	<DIR>	d--------	c:\program files\NCH Software
2009-01-29 11:09 . 2009-01-29 11:09	<DIR>	d--------	c:\documents and settings\All Users\Application Data\NCH Software
2009-01-27 11:46 . 2009-01-28 05:39	<DIR>	d--------	c:\documents and settings\PPKent\Application Data\Nvu
 
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-23 14:02	---------	d-----w	c:\program files\Common Files\Wise Installation Wizard
2009-02-11 15:19	38,496	----a-w	c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 15:19	15,504	----a-w	c:\windows\system32\drivers\mbam.sys
2009-02-10 01:28	---------	d-----w	c:\program files\TC Web Conferencing
2009-02-05 14:13	---------	d-----w	c:\documents and settings\PPKent\Application Data\Key Metric Software
2009-02-03 14:30	---------	d--h--w	c:\program files\InstallShield Installation Information
2009-02-01 19:14	---------	d-----w	c:\documents and settings\PPKent\Application Data\Apple Computer
2009-01-25 01:32	---------	d-----w	c:\documents and settings\PPKent\Application Data\ZoomBrowser EX
2009-01-20 18:04	---------	d-----w	c:\program files\Raxco
2009-01-20 18:04	---------	d-----w	c:\documents and settings\All Users\Application Data\Raxco
2009-01-18 13:10	---------	d-----w	c:\documents and settings\PPKent\Application Data\Desktopicon
2009-01-17 00:12	---------	d-----w	c:\program files\Hunting Unlimited 2009
2009-01-17 00:12	---------	d-----w	c:\documents and settings\All Users\Application Data\Trymedia
2009-01-17 00:03	---------	d-----w	c:\program files\Gigabyte
2009-01-15 12:42	516,096	----a-w	c:\windows\iwexec.exe
2009-01-15 01:11	---------	d-----w	c:\program files\Opera
2009-01-13 00:14	---------	d-----w	c:\program files\TechSmith
2009-01-13 00:14	---------	d-----w	c:\program files\Common Files\TechSmith Shared
2009-01-13 00:14	---------	d-----w	c:\documents and settings\All Users\Application Data\TechSmith
2009-01-09 20:02	---------	d-----w	c:\documents and settings\PPKent\Application Data\Media Player Classic
2009-01-09 19:52	---------	d-----w	c:\program files\Ashampoo
2009-01-09 15:49	71,184	----a-w	c:\windows\system32\drivers\DefragFs.sys
2009-01-09 01:27	---------	d-----w	c:\program files\Mythicsoft
2009-01-08 22:42	---------	d-----w	c:\documents and settings\PPKent\Application Data\Canon
2009-01-07 18:42	---------	dc-h--w	c:\documents and settings\All Users\Application Data\{92E7A367-8E12-4830-AA70-29C32E331A81}
2009-01-07 18:42	---------	d-----w	c:\documents and settings\All Users\Application Data\Apple Computer
2009-01-07 18:41	---------	dc-h--w	c:\documents and settings\All Users\Application Data\{752EA1EF-1744-4EC4-BC85-85F7632FCEFB}
2009-01-07 18:41	---------	d-----w	c:\program files\Common Files\Key Metric Software
2009-01-07 18:41	---------	d-----w	c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-01-07 18:41	---------	d-----w	c:\documents and settings\All Users\Application Data\PCPitstop
2009-01-07 18:36	---------	d-----w	c:\program files\Common Files\ArcSoft
2009-01-05 20:17	4,501	----a-w	c:\windows\gdrv.sys
2009-01-05 03:37	---------	d-----w	c:\program files\NVIDIA Corporation
2009-01-03 14:29	---------	d-----w	c:\documents and settings\PPKent\Application Data\Panasonic
2009-01-03 14:01	---------	d-----w	c:\program files\ISL
2009-01-03 13:59	---------	d-----w	c:\program files\Panasonic
2009-01-03 13:30	---------	d-----w	c:\documents and settings\PPKent\Application Data\SCATE
2009-01-03 13:30	---------	d-----w	c:\documents and settings\All Users\Application Data\SCATE
2009-01-03 11:27	---------	d-----w	c:\documents and settings\All Users\Application Data\ZoomBrowser
2008-12-31 23:17	---------	d-----w	c:\documents and settings\PPKent\Application Data\Any Video Converter
2008-12-31 20:25	---------	d-----w	c:\documents and settings\PPKent\Application Data\Ashampoo
2008-12-28 19:56	---------	d-----w	c:\documents and settings\PPKent\Application Data\Systweak
2008-12-28 01:34	---------	d-----w	c:\documents and settings\PPKent\Application Data\SUPERAntiSpyware.com
2008-12-27 20:06	---------	d-----w	c:\program files\Java
2008-12-27 14:25	---------	d-----w	c:\documents and settings\PPKent\Application Data\Malwarebytes
2008-12-27 14:25	---------	d-----w	c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-27 03:45	---------	d-----w	c:\documents and settings\PPKent\Application Data\iolo
2008-12-27 03:45	---------	d-----w	c:\documents and settings\All Users\Application Data\iolo
2008-12-27 03:16	---------	d-----w	c:\program files\Common Files\Download Manager
2008-12-27 02:43	---------	d-----w	c:\program files\SpyZooka
2008-12-27 02:28	---------	d-----w	c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-27 00:38	---------	d-----w	c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-26 19:17	---------	dc----w	c:\documents and settings\All Users\Application Data\{D5ABFFAD-D592-4F98-B02B-587125B4801F}
2008-12-24 01:39	---------	d-----w	c:\documents and settings\PPKent\Application Data\Uniblue
2008-12-24 00:41	---------	d-----w	c:\documents and settings\All Users\Application Data\PIXELA
2008-12-24 00:34	---------	d-----w	c:\program files\Canon
2008-12-24 00:32	---------	d-----w	c:\program files\Common Files\Canon
2008-12-24 00:22	---------	d-----w	c:\documents and settings\PPKent\Application Data\ArcSoft
2008-12-24 00:15	---------	d-----w	c:\program files\Common Files\ScanSoft Shared
2008-12-24 00:15	---------	d-----w	c:\documents and settings\PPKent\Application Data\ScanSoft
2008-12-24 00:15	---------	d-----w	c:\documents and settings\All Users\Application Data\SSScanWizard
2008-12-24 00:15	---------	d-----w	c:\documents and settings\All Users\Application Data\SSScanAppDataDir
.
 
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
 
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"SUPERAntiSpyware"="y:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-01-20 1830128]
"Jing"="c:\program files\TechSmith\Jing\Jing.exe" [2009-01-06 2495752]
"Advanced Uninstaller PRO Installation Monitor"="y:\program files\Innovative Solutions\Advanced Uninstaller PRO - Version 9\monitor.exe" [2008-10-31 1153936]
"Uniblue RegistryBooster 2"="y:\program files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [2007-10-22 1885464]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SBAMTray"="c:\program files\Sunbelt Software\VIPRE\SBAMTray.exe" [2008-10-28 955688]
"QuickTime Task"="y:\program files\QuickTime\qttask.exe" [2006-09-01 282624]
"NvMediaCenter"="c:\windows\System32\NvMcTray.dll" [2006-10-22 86016]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2006-10-22 7700480]
"Jet Detection"="c:\program files\Creative\SBLive\PROGRAM\ADGJDet.exe" [2001-11-29 28672]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2007-06-06 64256]
"nwiz"="nwiz.exe" [2006-10-22 c:\windows\system32\nwiz.exe]
 
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "g:\eudorapro 3.0\EuShlExt.dll" [2005-11-14 86016]
"{D468BCE5-D18E-49A4-8EA7-34BD583659D5}"= "c:\progra~1\SpyZooka\spyguard.dll" [2005-05-07 173568]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "y:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-31 05:07 356352 y:\program files\SUPERAntiSpyware\SASWINLO.DLL
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux3"= wdmaud.sys
 
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute	REG_MULTI_SZ   	PDBoot.exe\0autocheck autochk *
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]
@="Service"
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""
 
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ImageMixer 3 SE Camera Monitor for SD.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\ImageMixer 3 SE Camera Monitor for SD.lnk
backup=c:\windows\pss\ImageMixer 3 SE Camera Monitor for SD.lnkCommon Startup
 
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup
 
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^LUMIX Simple Viewer.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\LUMIX Simple Viewer.lnk
backup=c:\windows\pss\LUMIX Simple Viewer.lnkCommon Startup
 
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Snagit 9.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Snagit 9.lnk
backup=c:\windows\pss\Snagit 9.lnkCommon Startup
 
[HKLM\~\startupfolder\C:^Documents and Settings^PPKent^Start Menu^Programs^Startup^Product Registration.lnk]
backup=c:\windows\pss\Product Registration.lnkStartup
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GBB36X Configure]
-r------- 2006-06-02 03:46 385024 c:\windows\system32\JMRaidTool.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVRaidService]
--a------ 2006-04-07 10:37 135168 c:\windows\system32\nvraidservice.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OPSE reminder]
-ra------ 2003-07-07 10:29 729088 f:\program files\ScanSoft\OmniPageSE2.0\EregEng\Ereg.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE2]
--a------ 2003-05-08 12:00 49152 f:\program files\ScanSoft\OmniPageSE2.0\opwareSE2.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpyZooka]
--a------ 2008-08-15 19:20 60408 c:\program files\SpyZooka\SpyZookaLdr.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue RegistryBooster 2]
--a------ 2007-10-22 08:58 1885464 y:\program files\Uniblue\RegistryBooster 2\RegistryBooster.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue RegistryBooster 2009]
--a------ 2008-08-26 11:48 2019624 f:\program files\Uniblue\RegistryBooster\RegistryBooster.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
 
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
 
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Common Files\\Microsoft Shared\\VS7DEBUG\\MDM.EXE"=
"c:\\WINDOWS\\system32\\nvsvc32.exe"=
"H:8\\Program Files\\Raxco\\PerfectDisk2008\\PD91Agent.exe"=
"c:\\Program Files\\Common Files\\Logitech\\KhalShared\\KHALMNPR.exe"=
"H:8\\Program Files\\Spybot - Search & Destroy\\SpybotSD.exe"=
"c:\\Program Files\\NVIDIA Corporation\\NetworkAccessManager\\Apache Group\\Apache2\\bin\\Apache.exe"=
"q:\\Program Files\\Unreal Tournament 3 Demo\\Binaries\\UT3Demo.exe"=
 
R1 SASDIFSV;SASDIFSV;y:\program files\SUPERAntiSpyware\sasdifsv.sys [2008-12-04 8944]
R1 SASKUTIL;SASKUTIL;y:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2008-12-04 55024]
R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [2008-12-27 13360]
R1 sbtis;sbtis;c:\windows\system32\drivers\sbtis.sys [2008-12-27 202928]
R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [2008-12-27 69168]
R3 hhdusbh;USB Monitor Filter Driver;c:\windows\system32\drivers\hhdusbh.sys [2008-12-30 35968]
R3 SASENUM;SASENUM;y:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-12-04 7408]
S2 SBAMSvc;VIPRE Antivirus + Antispyware;c:\program files\Sunbelt Software\VIPRE\SBAMSvc.exe [2008-10-28 886056]
S3 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [2008-10-23 92464]
 
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{25f721b3-dcf7-11dd-a0ea-0016e6858a5a}]
\Shell\AutoRun\command - S:\LaunchU3.exe
 
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{25f721b4-dcf7-11dd-a0ea-0016e6858a5a}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL G:\m.exe /s
 
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7d61d736-cb77-11dd-a066-0016e6858a5a}]
\Shell\AutoRun\command - B:\InstallTomTomHOME.exe
.
Contents of the 'Scheduled Tasks' folder
 
2009-02-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
 
2009-02-24 c:\windows\Tasks\GlaryInitialize.job
- c:\local disk (y)\Glary Utilities\initialize.exe [2009-01-10 17:02]
 
2009-02-24 c:\windows\Tasks\XoftSpySE 2.job
- y:\program files\XoftSpySE\XoftSpy.exe [2007-07-13 14:44]
.
- - - - ORPHANS REMOVED - - - -
 
WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)
HKLM-Run-Logitech Hardware Abstraction Layer - KHALMNPR.EXE
MSConfigStartUp-dotNetInstallerBoot - c:\docume~1\PPKent\LOCALS~1\Temp\RarSFX0\Ignite_Home.exe
 
 
.
------- Supplementary Scan -------
.
uLocal Page = \blank.htm
uStart Page = hxxp://yahoo.com
mStart Page = hxxp://yahoo.com
uSearchURL,(Default) = hxxp://toolbar.ask.com/toolbarv/askRedirect?o=10168&gct=&gc=1&q=%s
IE: E&xport to Microsoft Excel - f:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
LSP: %SYSTEMROOT%\system32\nvappfilter.dll
DPF: {FFD85DC8-5261-4D11-B728-F7C59D911691} - hxxp://www.iolo.com/app/ocx/UpgradeVerify.cab
FF - ProfilePath - c:\documents and settings\PPKent\Application Data\Mozilla\Firefox\Profiles\fiytr45r.default\
FF - prefs.js: browser.startup.homepage - hxxp://yahoo.com/
FF - plugin: y:\program files\Mozilla Firefox\plugins\npatgpc.dll
FF - plugin: y:\program files\Mozilla Firefox\plugins\nppsynth.dll
FF - plugin: y:\program files\QuickTime\Plugins\npqtplugin.dll
FF - plugin: y:\program files\QuickTime\Plugins\npqtplugin2.dll
FF - plugin: y:\program files\QuickTime\Plugins\npqtplugin3.dll
FF - plugin: y:\program files\QuickTime\Plugins\npqtplugin4.dll
FF - plugin: y:\program files\QuickTime\Plugins\npqtplugin5.dll
FF - plugin: y:\program files\QuickTime\Plugins\npqtplugin6.dll
FF - plugin: y:\program files\QuickTime\Plugins\npqtplugin7.dll
 
---- FIREFOX POLICIES ----
ÿFF - user.js: network.http.pipelining - true
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: content.notify.backoffcount - 5
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
FF - user.js: content.interrupt.parsing - true
FF - user.js: content.max.tokenizing.time - 2250000
FF - user.js: content.notify.interval - 750000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 750000
FF - user.js: nglayout.initialpaint.delay - 0
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 16
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 8
FF - user.js: browser.cache.memory.capacity - 65536.
 
**************************************************************************
 
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-23 20:29:58
Windows 5.1.2600 Service Pack 2 NTFS
 
scanning hidden processes ...  
 
scanning hidden autostart entries ... 
 
scanning hidden files ...  
 
scan completed successfully
hidden files: 0
 
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
 
[HKEY_USERS\S-1-5-21-839522115-152049171-2147200963-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
 
- - - - - - - > 'winlogon.exe'(940)
y:\program files\SUPERAntiSpyware\SASWINLO.DLL
 
- - - - - - - > 'lsass.exe'(996)
c:\windows\system32\nvappfilter.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\rundll32.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\Apache.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\Apache.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Raxco\PerfectDisk10\PDAgent.exe
c:\program files\Common Files\Protexis\License Service\PsiService_2.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-02-23 20:30:52 - machine was rebooted [PPKent]
ComboFix-quarantined-files.txt  2009-02-24 01:30:50
ComboFix2.txt  2008-12-27 19:39:17
 
Pre-Run: 346,827,358,208 bytes free
Post-Run: 347,080,310,784 bytes free
 
--- E O F ---	2008-12-12 19:15:11


0
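A small triage pass over the kind of ComboFix log posted above, as an added example that is not part of the thread and not ComboFix's own code: it walks the `[registry key]` sections and flags the firewall and Security Center settings and the removable-drive AutoRun commands a reviewer would check first. The excerpt it runs on is constructed in the log's format; the GUIDs and executable names in it are placeholders, not values from the log.

```python
import re

# Constructed excerpt in ComboFix log format; GUIDs and exe names are placeholders.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{00000000-0000-0000-0000-000000000001}]
\Shell\AutoRun\command - S:\VendorLauncher.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{00000000-0000-0000-0000-000000000002}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL G:\example.exe /s
"""

AUTORUN_RE = re.compile(r"^\\Shell\\AutoRun\\command - (.+)$", re.I)


def triage(log_text):
    """Return (severity, finding) tuples for settings a reviewer should check."""
    findings = []
    section = ""  # lower-cased text of the most recent [registry key] header
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            section = line.lower()
            continue
        # Windows Firewall switched off for the standard (non-domain) profile.
        if "firewallpolicy\\standardprofile" in section and \
                re.match(r'"EnableFirewall"\s*=\s*0\b', line):
            findings.append(("high", "Windows Firewall disabled (standard profile)"))
        # Security Center told not to alert when Automatic Updates is off.
        if "security center" in section and \
                re.match(r'"UpdatesDisableNotify"=dword:0*1$', line):
            findings.append(("medium", "Security Center update alerts suppressed"))
        m = AUTORUN_RE.match(line)
        if m and "mountpoints2" in section:
            cmd = m.group(1)
            # AutoRun routed through rundll32/ShellExec_RunDLL hides the real
            # target behind an indirection; rate it above a plain launcher path.
            sev = "high" if "shellexec_rundll" in cmd.lower() else "low"
            findings.append((sev, "Removable-drive AutoRun command: " + cmd))
    return findings


if __name__ == "__main__":
    for sev, text in triage(SAMPLE_LOG):
        print(sev.upper(), text)
```

Point `triage` at a saved ComboFix.txt to get the same list for a real log; the flags are prompts for review, not verdicts.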
 
LVL 27

Expert Comment

by:Jonvee
ID: 23719194
HijackThis results:
This entry may well be your IE local page, I'm still checking >
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm

These three entries can be "Fixed" but they may well regenerate.  Caused possibly by a Trojan downloader >
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://toolbar.ask.com/toolbarv/askRedirect?o=10168&gct=&gc=1&q=

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://toolbar.ask.com/toolbarv/askRedirect?o=10168&gct=&gc=1&q=

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://toolbar.ask.com/toolbarv/askRedirect?o=10168&gct=&gc=1&q=%s

From your ComboFix results there have been a number of "other deletions", which is good ... will continue systematically analysing these entries & get back to you later in the day ..

As System Restore was not working previously (constant loss of restore points), nothing would be lost if you disabled SR, then re-enabled it, thus removing any ~possible~ infection within its folder.   Then recreate a new restore point, & monitor the machine.
0
 

Author Comment

by:4ubest
ID: 23720119
Turned off System Restore, but before I did I checked and all the points were deleted again. Turned it back on.
0
 
LVL 27

Expert Comment

by:Jonvee
ID: 23725136
Apologies for delay .. from your ComboFix log, there's an entry here that's a problem >
 C:\021309apyramdair

Also not yet sure about this one>
c:\documents and settings\PPKent\Application Data\NCH Software

So there appears to be an infection still, which may well be the Trojan (Vundo).  If it is, Housecall will find and remove it >>
Trend Micro's FREE online virus scanner:
http://housecall.trendmicro.com/uk/

Failing that, try VundoFix 7.0.6 >>
http://www.softpedia.com/get/Antivirus/VundoFix.shtml
To use VundoFix follow the instructions written below:
<quote>
· Please download VundoFix.exe to your desktop.
· Double-click VundoFix.exe to run it.
· Put a check next to Run VundoFix as a task.
· You will receive a message saying vundofix will close and re-open in a minute or less. Click OK
· When VundoFix re-opens, click the Scan for Vundo button.
· Once it's done scanning, click the Remove Vundo button.
· You will receive a prompt asking if you want to remove the files, click YES
· Once you click yes, your desktop will go blank as it starts removing Vundo.
· When completed, it will prompt that it will shutdown your computer, click OK.
· Turn your computer back on.
<unquote>

0
 
LVL 27

Expert Comment

by:Jonvee
ID: 23725426
Have re-read your comments & note that you ran Trend AV free and it found nothing.
0
 

Author Comment

by:4ubest
ID: 23726095
Yes, and the Kaspersky full scan only found files that I had in my archives and essentially nothing on the OS drive or associated files. Also, the pyramdair file is a folder of JPGs.

http://screencast.com/t/0IMfUQmej

0
 
LVL 27

Assisted Solution

by:Jonvee
Jonvee earned 1840 total points
ID: 23726395
>   C:\021309apyramdair  <
I agree with you, it looks like a false positive.

.. and this Combo entry is also ok >>
c:\documents and settings\PPKent\Application Data\NCH Software

Right now the HJT and Combo logs appear clean, and I'm left contemplating ...
0
 
LVL 27

Expert Comment

by:Jonvee
ID: 23726502
Wondering if it could be a corrupted file that can be handled by the System File Checker ...
Start>Run       .. and then type SFC /scannow
http://www.updatexp.com/scannow-sfc.html
0
 
LVL 27

Expert Comment

by:Jonvee
ID: 23726700
Another possible cause perhaps >
"The System Restore Utility May Be Suspended on a System Drive Even Though There Is Enough Disk Space":
http://support.microsoft.com/kb/299904/

Or if you have a corrupted SR file, you could try this reinstall >
http://windowsxp.mvps.org/repairsr.htm
0
 

Author Comment

by:4ubest
ID: 23765771
Restore points are still here after 3 days now. It is certainly not a space issue. I cannot run SFC at all as files are missing.
0
