Author Topic: System restore not working. (Read 18951 times)

srtony1946 · « **on:** February 15, 2009, 11:08:32 AM »

My system restore Is not working, I have tried several restore points but it cannot restore to prevous dates. Any ideas?

Broni · « **Reply #1 on:** February 15, 2009, 11:53:28 AM »

Try Safe Mode.

srtony1946 · « **Reply #2 on:** February 15, 2009, 02:56:06 PM »

Ok I tried safe mode, No luck. Keep getting restoration incomplete for some reason.

evilfantasy · « **Reply #3 on:** February 15, 2009, 03:11:59 PM »

Try this.

Repair System Restore

Go to Start > Run and type notepad.exe then click OK

Copy and paste the text in the Quote box below to Notepad and save as fixme.reg to Your Desktop

Code: [Select]

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
"DisableConfig"=dword:00000000
"DisableSR"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoSaveSettings"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sr]
"Type"=dword:00000002
"Start"=dword:00000000
"ErrorControl"=dword:00000001
"Tag"=dword:00000004
"ImagePath"=hex(2):53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,\
  52,00,49,00,56,00,45,00,52,00,53,00,5c,00,73,00,72,00,2e,00,73,00,79,00,73,\
  00,00,00
"DisplayName"="System Restore Filter Driver"
"Group"="FSFilter System Recovery"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sr\Parameters]
"FirstRun"=dword:00000000
"DontBackup"=dword:00000000
"MachineGuid"="{EAAFAEEC-4AFE-42BE-83D9-C12FDD4942A6}"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sr\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
  00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
  00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
  05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
  20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\
  00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\
  00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sr\Enum]
"0"="Root\\LEGACY_SR\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\LocalMachine\Software\Policies\Microsoft\Windows NT\SystemRestore]
"DisableSR"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\LocalMachine\Software\Policies\Microsoft\Windows NT\SystemRestore]
"DisableConfig"=dword:00000000

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\LocalMachine\Software\Policies\Microsoft\Windows NT\SystemRestore]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\LocalMachine\Software\Policies\Microsoft\Windows NT\SystemRestore]

Locate fixme.reg on your Desktop and double-click it. Answer Yes when prompted to merge with the Registry.

Accept any warnings.

You will have to wait and see if it works, you won't be able to tell until a restore point is created.

If that doesn't work it could be malware.

srtony1946 · « **Reply #4 on:** February 15, 2009, 05:12:20 PM »

ok, I did what you said, But now system restore Is not working at all. It will not even try to restore to a prevous date.

evilfantasy · « **Reply #5 on:** February 15, 2009, 05:36:18 PM »

Quote

You will have to wait and see if it works, you won't be able to tell until a restore point is created.

If that doesn't work it could be malware.

JJ 3000 · « **Reply #6 on:** February 15, 2009, 10:25:32 PM »

If you have Norton antivirus or any symantec programs installed on your computer, you will have to disable protection for Norton products in order for system restore to work.

Don't disable Norton. In options you should see something like "PROTECTION FOR NORTON PRODUCTS".

It's been a while since I had to do this so it may say something slightly different on the newer versions.

srtony1946 · « **Reply #7 on:** February 16, 2009, 01:35:58 PM »

ok a new restore point was created, still not working. when It ask for confirm restore point selection, click next it does nothing.

evilfantasy · « **Reply #8 on:** February 16, 2009, 01:40:19 PM »

Do a quick scan with MBAM please and post the log.

If you already have MBAM be sure to update it before running the scan.

Download Malwarebytes' Anti-Malware (MBAM)

Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to the following:
Update Malwarebytes' Anti-Malware
Launch Malwarebytes' Anti-Malware

Then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform quick scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy and Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.

srtony1946 · « **Reply #9 on:** February 16, 2009, 02:14:29 PM »

ok It found a trojan virus I tried to post it but message timed out, But what I donot understand is I ran malwarebytes yesterday and it found nothing.Heres the new logg...Malwarebytes' Anti-Malware 1.34
Database version: 1766
Windows 5.1.2600 Service Pack 3

2/16/2009 3:13:25 PM
mbam-log-2009-02-16 (15-13-25).txt

Scan type: Quick Scan
Objects scanned: 56489
Time elapsed: 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected) also could you look at this hijack this logg....Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:14:24 PM, on 2/16/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Premium\sched.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ThreatFire\TFTray.exe
C:\Program Files\Avira\AntiVir PersonalEdition Premium\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Avira\AntiVir PersonalEdition Premium\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Premium\avesvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ThreatFire\TFService.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\NVIDIA Corporation\System Update\UpdateCenterService.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HP1006MC.EXE
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\Sniper.exe\Sniper.exe.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [ThreatFire] C:\Program Files\ThreatFire\TFTray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Premium\avgnt.exe" /min
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Chessmaster%20Challenge/Images/stg_drm.ocx
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} -
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Chessmaster%20Challenge/Images/armhelper.ocx
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Avira AntiVir Premium Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\sched.exe
O23 - Service: Avira AntiVir Premium Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\avguard.exe
O23 - Service: Avira AntiVir Premium MailGuard helper service (AVEService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\avesvc.exe
O23 - Service: CachemanXP (CachemanXPService) - Outertech - C:\PROGRA~1\CACHEM~1\CachemanXP.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: ForceWare IP service (nSvcIp) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: ThreatFire - PC Tools - C:\Program Files\ThreatFire\TFService.exe
O23 - Service: Update Center Service (UpdateCenterService) - NVIDIA - C:\Program Files\NVIDIA Corporation\System Update\UpdateCenterService.exe
O24 - Desktop Component 1: (no name) - http://mbox.personals.yahoo.com/mbox/mboxlist

--
End of file - 6753 bytes

srtony1946 · « **Reply #10 on:** February 16, 2009, 02:19:41 PM »

Also I tried to run system restore after I got rid of virus and it still will not work.

Broni · « **Reply #11 on:** February 16, 2009, 02:21:53 PM »

Quote

Scan type: Quick Scan

You need to run full scan.

srtony1946 · « **Reply #12 on:** February 16, 2009, 02:45:39 PM »

Full scann results....Malwarebytes' Anti-Malware 1.34
Database version: 1766
Windows 5.1.2600 Service Pack 3

2/16/2009 3:44:49 PM
mbam-log-2009-02-16 (15-44-49).txt

Scan type: Full Scan (C:\|)
Objects scanned: 105780
Time elapsed: 18 minute(s), 36 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

evilfantasy · « **Reply #13 on:** February 16, 2009, 02:54:24 PM »

Full scan only looks for orphaned keys. Doesn't find anything new the the quick scan won't see.

Download ComboFix© by sUBs from one of the below links. Be sure top save it to the Desktop.

Link #1
Link #2

**Note: It is important that it is saved directly to your Desktop

Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting ComboFix.

Temporarily disable your antivirus, and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

Double click combofix.exe & follow the prompts.
When finished ComboFix will produce a log for you.
Post the ComboFix log in your next reply.

Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

If you have problems with ComboFix usage, see How to use ComboFix

srtony1946 · « **Reply #14 on:** February 16, 2009, 03:31:44 PM »

I am having problems with combo fix, I disabled anti virus, and spyware, downloaded to desktop and click on it , it said could not download all the files and reboot. But that did not help. I tried to delete it but it would not let me. and it was not in add and remove.

evilfantasy · « **Reply #15 on:** February 16, 2009, 03:50:12 PM »

Try renaming it to Combo-Fix and then run it.

srtony1946 · « **Reply #16 on:** February 16, 2009, 04:49:47 PM »

I disabled all virus protection and spyware that I could find, as well as Windows Firewall. I thought I had deleted Comodo Pro Firewall...did a search and got rid of all files, but it stills shows in Security that I have it and that it is enabled.

I downloaded ComboFix and renamed it to Combo-Fix, then ran it and I get the following message:

"Some files could not be created.
Please close all applications, reboot Windows and restart this installation".

After rebooting, tried running ComboFix again and I get the same message above. What am I doing wrong?

evilfantasy · « **Reply #17 on:** February 16, 2009, 04:54:44 PM »

Quote

I thought I had deleted Comodo Pro Firewall...did a search and got rid of all files, but it stills shows in Security that I have it and that it is enabled.

Comodo is notorious for that. It's gone but the Security Center still says it's there.

Delete ComboFix and also the C:\combofix folder, if it's there.

Download Lop S&D by Eric_71 and save it to your Desktop. Lop S&D will only run on Windows XP and Windows Vista

Disable your antivirus and antimalware programs so they do not interfere with the running of Lop S&D. If needed see: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

If you are using Windows Vista, right-click on LopSD.exe icon and select 'Run as administrator' to perform this scan.

Double-click Lop S&D.exe
Choose the language by typing of the corresponding letter and press Enter
Click OK at the informative window
Type 1, to choose Option 1 (Search) then press Enter
Wait until the end of the scan
A report will be generated, post the contents of it in your next reply.

A copy of the report can be found at this location: %systemdrive%\lopR.txt, in most cases C:\lopR.txt

srtony1946 · « **Reply #18 on:** February 16, 2009, 06:01:24 PM »

Before I post the lop report, I wanted to let you know that the trojan is in my boot files:

Trojan.Agent \boot.ini Malware bytes quarantined the file.

Here is the lop report:'

--------------------\\ Lop S&D 4.2.5-0 XP/Vista

Microsoft Windows XP Home Edition ( v5.1.2600 ) Service Pack 3
X86-based PC ( Multiprocessor Free : Intel Pentium III processor )
BIOS : Phoenix - AwardBIOS v6.00PG
USER : Tony ( Administrator )
BOOT : Normal boot
Antivirus : ThreatFire 4.0.0.10 (Not Activated)
Firewall : COMODO Firewall Pro 3.0 (Activated)
C:\ (Local Disk) - NTFS - Total:465 Go (Free:430 Go)
D:\ (CD or DVD)

"C:\Lop SD" ( MAJ : 19-12-2008|23:40 )
Option : [1] ( Mon 02/16/2009|18:54 )

--------------------\\ Listing folders in APPLIC~1

[02/15/2009|03:52] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Adobe
[08/04/2008|06:20] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Avira
[09/01/2008|08:14] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> AVS4YOU
[09/30/2008|07:51] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> BigFishGamesCache
[10/20/2008|03:23] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Citrix
[09/29/2008|06:58] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Enkord
[06/06/2008|12:00] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Hewlett-Packard
[06/05/2008|10:03] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> HPSSUPPLY
[10/01/2008|01:42] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> MAGIX
[07/18/2008|12:36] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Malwarebytes
[01/07/2009|10:15] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> McAfee
[06/02/2008|06:08] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Microsoft
[09/29/2008|06:35] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> n7-89-o9-3r-4t-r9
[02/15/2009|11:43] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> NOS
[09/16/2008|08:45] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> nView_Profiles
[07/03/2008|04:22] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> PC Tools
[08/18/2008|11:39] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> PCPitstop
[08/06/2008|05:11] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> SiteAdvisor
[01/31/2009|01:12] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> SpeedBit
[09/29/2008|07:39] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> SUPERAntiSpyware.com
[11/09/2008|01:52] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Sync App Settings
[06/10/2008|09:23] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Windows Genuine Advantage
[06/14/2008|06:09] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Yahoo!
[01/01/2009|12:46] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Zylom

[05/27/2008|04:17] C:\DOCUME~1\DEFAUL~1\APPLIC~1\<DIR> Microsoft

[01/01/2009|09:00] C:\DOCUME~1\LOCALS~1\APPLIC~1\<DIR> GameTracker
[05/27/2008|04:17] C:\DOCUME~1\LOCALS~1\APPLIC~1\<DIR> Microsoft
[02/15/2009|04:38] C:\DOCUME~1\LOCALS~1\APPLIC~1\<DIR> SACore
[12/02/2008|01:17] C:\DOCUME~1\LOCALS~1\APPLIC~1\<DIR> Yahoo!

[05/31/2008|10:59] C:\DOCUME~1\NETWOR~1\APPLIC~1\<DIR> Microsoft

[02/15/2009|09:33] C:\DOCUME~1\Tony\APPLIC~1\<DIR> Adobe
[07/15/2008|02:34] C:\DOCUME~1\Tony\APPLIC~1\<DIR> Ahead
[09/01/2008|08:14] C:\DOCUME~1\Tony\APPLIC~1\<DIR> AVS4YOU
[12/31/2008|04:59] C:\DOCUME~1\Tony\APPLIC~1\<DIR> Chessmaster Challenge
[08/17/2008|10:37] C:\DOCUME~1\Tony\APPLIC~1\<DIR> Codessentials
[09/01/2008|08:14] C:\DOCUME~1\Tony\APPLIC~1\<DIR> DivX
[01/01/2009|08:37] C:\DOCUME~1\Tony\APPLIC~1\<DIR> Gaijin Ent
[09/29/2008|06:35] C:\DOCUME~1\Tony\APPLIC~1\<DIR> GameHouse
[08/12/2008|07:44] C:\DOCUME~1\Tony\APPLIC~1\<DIR> GlarySoft
[01/01/2009|12:46] C:\DOCUME~1\Tony\APPLIC~1\<DIR> Identities
[01/21/2009|05:45] C:\DOCUME~1\Tony\APPLIC~1\<DIR> IObit
[08/30/2008|10:58] C:\DOCUME~1\Tony\APPLIC~1\<DIR> IrfanView
[08/06/2008|08:41] C:\DOCUME~1\Tony\APPLIC~1\<DIR> Leadertech
[10/25/2008|12:55] C:\DOCUME~1\Tony\APPLIC~1\<DIR> LimeWire
[12/20/2008|02:13] C:\DOCUME~1\Tony\APPLIC~1\<DIR> Macromedia
[07/18/2008|12:36] C:\DOCUME~1\Tony\APPLIC~1\<DIR> Malwarebytes
[11/02/2008|11:36] C:\DOCUME~1\Tony\APPLIC~1\<DIR> Map Maker
[10/20/2008|03:10] C:\DOCUME~1\Tony\APPLIC~1\<DIR> McAfee
[07/06/2008|07:45] C:\DOCUME~1\Tony\APPLIC~1\<DIR> Microsoft
[11/01/2008|02:44] C:\DOCUME~1\Tony\APPLIC~1\<DIR> Move Networks
[09/30/2008|05:36] C:\DOCUME~1\Tony\APPLIC~1\<DIR> NetMedia Providers
[07/13/2008|10:29] C:\DOCUME~1\Tony\APPLIC~1\<DIR> OpenOffice.org2
[01/01/2009|10:50] C:\DOCUME~1\Tony\APPLIC~1\<DIR> PlayFirst
[09/30/2008|04:43] C:\DOCUME~1\Tony\APPLIC~1\<DIR> Publish Providers
[07/13/2008|09:54] C:\DOCUME~1\Tony\APPLIC~1\<DIR> RapidBackup 2
[05/29/2008|02:28] C:\DOCUME~1\Tony\APPLIC~1\<DIR> SecuROM
[09/30/2008|04:43] C:\DOCUME~1\Tony\APPLIC~1\<DIR> Sony
[12/31/2008|04:58] C:\DOCUME~1\Tony\APPLIC~1\<DIR> SpinTop
[06/11/2008|09:42] C:\DOCUME~1\Tony\APPLIC~1\<DIR> Sun
[09/29/2008|07:39] C:\DOCUME~1\Tony\APPLIC~1\<DIR> SUPERAntiSpyware.com
[10/19/2008|11:16] C:\DOCUME~1\Tony\APPLIC~1\<DIR> Thinking Minds Budiling Bytes
[01/25/2009|03:19] C:\DOCUME~1\Tony\APPLIC~1\<DIR> U3
[12/14/2008|05:00] C:\DOCUME~1\Tony\APPLIC~1\<DIR> Yahoo!
[01/01/2009|12:46] C:\DOCUME~1\Tony\APPLIC~1\<DIR> Zylom

--------------------\\ Scheduled Tasks located in C:\windows\Tasks

[02/08/2009 10:13 PM][--a------] C:\windows\tasks\SmartDefrag.job
[02/16/2009 05:52 PM][--ah-c---] C:\windows\tasks\SA.DAT
[02/28/2006 06:00 AM][-r-h-c---] C:\windows\tasks\desktop.ini

--------------------\\ Listing Folders in C:\Program Files

[11/14/2008|05:49] C:\Program Files\<DIR> Activision
[02/15/2009|04:38] C:\Program Files\<DIR> ACW
[02/16/2009|03:48] C:\Program Files\<DIR> Adobe
[12/13/2008|04:06] C:\Program Files\<DIR> AGEIA Technologies
[06/05/2008|09:43] C:\Program Files\<DIR> Avago-HP
[08/04/2008|04:56] C:\Program Files\<DIR> Avira
[07/06/2008|07:30] C:\Program Files\<DIR> CachemanXP
[12/27/2008|12:21] C:\Program Files\<DIR> CCleaner
[07/19/2008|12:09] C:\Program Files\<DIR> Chess
[11/22/2008|11:38] C:\Program Files\<DIR> Codemasters
[08/17/2008|10:37] C:\Program Files\<DIR> Codessentials
[02/15/2009|04:38] C:\Program Files\<DIR> Common Files
[01/31/2009|01:14] C:\Program Files\<DIR> DAP
[09/23/2008|04:41] C:\Program Files\<DIR> Free Hide Folder
[08/17/2008|08:34] C:\Program Files\<DIR> GameGain
[09/29/2008|06:35] C:\Program Files\<DIR> GameHouse
[06/05/2008|09:46] C:\Program Files\<DIR> HP
[01/22/2009|07:46] C:\Program Files\<DIR> InstallShield Installation Information
[02/15/2009|09:43] C:\Program Files\<DIR> Internet Explorer
[01/21/2009|05:45] C:\Program Files\<DIR> IObit
[08/25/2008|01:41] C:\Program Files\<DIR> IrfanView
[12/13/2008|04:21] C:\Program Files\<DIR> Java
[10/01/2008|02:01] C:\Program Files\<DIR> MAGIX
[02/15/2009|07:13] C:\Program Files\<DIR> Malwarebytes' Anti-Malware
[11/02/2008|11:36] C:\Program Files\<DIR> Map Maker
[01/07/2009|01:07] C:\Program Files\<DIR> McAfee
[08/14/2008|07:15] C:\Program Files\<DIR> Messenger
[07/06/2008|07:57] C:\Program Files\<DIR> Microsoft Bootvis
[10/19/2008|07:01] C:\Program Files\<DIR> Microsoft CAPICOM 2.1.0.2
[05/27/2008|04:18] C:\Program Files\<DIR> microsoft frontpage
[10/21/2008|09:49] C:\Program Files\<DIR> Microsoft Silverlight
[11/23/2008|05:06] C:\Program Files\<DIR> Microsoft Xbox 360 Accessories
[07/14/2008|12:03] C:\Program Files\<DIR> Moffsoft FreeCalc
[06/10/2008|10:32] C:\Program Files\<DIR> Movie Maker
[05/26/2008|10:28] C:\Program Files\<DIR> MSN
[09/30/2008|07:23] C:\Program Files\<DIR> MSN Games
[05/27/2008|04:14] C:\Program Files\<DIR> MSN Gaming Zone
[11/12/2008|04:22] C:\Program Files\<DIR> MSXML 4.0
[07/19/2008|10:29] C:\Program Files\<DIR> Nero
[06/10/2008|10:31] C:\Program Files\<DIR> NetMeeting
[02/15/2009|04:38] C:\Program Files\<DIR> NOS
[10/08/2008|04:50] C:\Program Files\<DIR> NVIDIA Corporation
[05/27/2008|04:14] C:\Program Files\<DIR> Online Services
[08/17/2008|10:49] C:\Program Files\<DIR> OpenOffice.org 2.4
[06/10/2008|10:30] C:\Program Files\<DIR> Outlook Express
[11/09/2008|04:16] C:\Program Files\<DIR> Paint.NET
[01/01/2009|10:49] C:\Program Files\<DIR> PlayFirst
[05/26/2008|10:07] C:\Program Files\<DIR> Realtek
[07/13/2008|09:05] C:\Program Files\<DIR> ReflexiveArcade
[12/21/2008|11:12] C:\Program Files\<DIR> Ricochet Infinity
[11/02/2008|12:10] C:\Program Files\<DIR> ScrollWall
[12/13/2008|04:25] C:\Program Files\<DIR> Secunia
[11/22/2008|10:24] C:\Program Files\<DIR> SEGA
[09/30/2008|05:50] C:\Program Files\<DIR> Sony
[09/30/2008|04:40] C:\Program Files\<DIR> Sony Setup
[01/11/2009|05:52] C:\Program Files\<DIR> SpeedBit Video Accelerator
[09/10/2008|10:07] C:\Program Files\<DIR> SpeedFan
[02/15/2009|07:13] C:\Program Files\<DIR> SpywareBlaster
[01/21/2009|05:46] C:\Program Files\<DIR> SUPERAntiSpyware
[05/28/2008|10:15] C:\Program Files\<DIR> SystemRequirementsLab
[11/26/2008|01:15] C:\Program Files\<DIR> ThreatFire
[05/30/2008|04:20] C:\Program Files\<DIR> Trend Micro
[01/01/2009|12:32] C:\Program Files\<DIR> Tropico Jong
[08/20/2008|01:16] C:\Program Files\<DIR> Tweak-XP Pro 4
[01/23/2009|11:13] C:\Program Files\<DIR> VideoLAN
[08/12/2008|07:50] C:\Program Files\<DIR> Windows Media Player
[06/10/2008|10:30] C:\Program Files\<DIR> Windows NT
[11/23/2008|03:08] C:\Program Files\<DIR> XBox 360 Controller for Windows Software
[05/27/2008|04:18] C:\Program Files\<DIR> xerox
[10/19/2008|06:54] C:\Program Files\<DIR> Yamicsoft

--------------------\\ Listing Folders in C:\Program Files\Common Files

[02/16/2009|03:48] C:\Program Files\Common Files\<DIR> Adobe
[02/15/2009|04:38] C:\Program Files\Common Files\<DIR> Adobe AIR
[07/19/2008|10:29] C:\Program Files\Common Files\<DIR> Ahead
[09/01/2008|08:17] C:\Program Files\Common Files\<DIR> AVSMedia
[05/27/2008|06:30] C:\Program Files\Common Files\<DIR> Cisco Systems
[08/10/2008|10:14] C:\Program Files\Common Files\<DIR> InstallShield
[07/27/2008|04:20] C:\Program Files\Common Files\<DIR> Java
[01/07/2009|10:15] C:\Program Files\Common Files\<DIR> McAfee
[08/17/2008|10:35] C:\Program Files\Common Files\<DIR> Microsoft Shared
[05/27/2008|04:16] C:\Program Files\Common Files\<DIR> MSSoap
[01/01/2009|08:36] C:\Program Files\Common Files\<DIR> Oberon Media
[05/26/2008|11:07] C:\Program Files\Common Files\<DIR> ODBC
[05/27/2008|04:16] C:\Program Files\Common Files\<DIR> Services
[05/26/2008|11:07] C:\Program Files\Common Files\<DIR> SpeechEngines
[06/10/2008|10:30] C:\Program Files\Common Files\<DIR> System
[12/13/2008|04:06] C:\Program Files\Common Files\<DIR> Wise Installation Wizard

--------------------\\ Process

( 40 Processes )

... OK !

--------------------\\ Searching with S_Lop

No Lop folder found !

--------------------\\ Searching for Lop Files - Folders

No Lop folder found !

--------------------\\ Searching within the Registry

..... OK !

--------------------\\ Checking the Hosts file

Hosts file CLEAN

--------------------\\ Searching for hidden files with Catchme

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-16 18:56:10
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden files: 0

--------------------\\ Searching for other infections

No other infections found !

[F:108][D:3]-> C:\DOCUME~1\Tony\LOCALS~1\Temp
[F:24][D:0]-> C:\DOCUME~1\Tony\Cookies
[F:261][D:4]-> C:\DOCUME~1\Tony\LOCALS~1\TEMPOR~1\content.IE5

1 - "C:\Lop SD\LopR_1.txt" - Mon 02/16/2009|18:56 - Option : [1]

--------------------\\ Scan completed at 18:56:46

srtony1946 · « **Reply #19 on:** February 16, 2009, 06:21:35 PM »

PS: When booting the computer while in bios it says:

invalid boot.ini

evilfantasy · « **Reply #20 on:** February 16, 2009, 07:32:45 PM »

Yes that's very useful information

Download the MBR Rootkit Detector to your desktop.

Doubleclick mbr.exe and follow prompts.
A black DOS window will quickly appear then disappear.
When mbr.exe is finished it will create a log on your desktop.
Copy and paste contents of that log file to your next reply.

srtony1946 · « **Reply #21 on:** February 16, 2009, 07:40:53 PM »

Stealth MBR rootkit detector 0.2.4 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK

evilfantasy · « **Reply #22 on:** February 16, 2009, 07:43:13 PM »

Not a rootkit.

Have you looked at the solution portion on this page? http://support.microsoft.com/kb/330184

Also this http://support.microsoft.com/kb/289022

srtony1946 · « **Reply #23 on:** February 16, 2009, 07:51:41 PM »

ok, My girlfriend suggested that I may have to do just that, Boot from the windows cd. So I will have to try it tomorrow as I have to go into work tonight. Will keep you updated, thanks for your help.

evilfantasy · « **Reply #24 on:** February 16, 2009, 07:56:58 PM »

I would like to see the MBAM entry that was reported. The logs save under the Logs tab in MBAM.

srtony1946 · « **Reply #25 on:** February 16, 2009, 08:45:52 PM »

It will not let me copy and paste, so I took a screenshot of the logg but it fills the whole message page, any ideas?

evilfantasy · « **Reply #26 on:** February 16, 2009, 08:50:06 PM »

Upload the file to File Dropper

Click Upload
Locate the file and double click it.
Copy the download link and post it back here.

srtony1946 · « **Reply #27 on:** February 17, 2009, 06:24:42 AM »

http://www.filedropper.com/malwarebyteslogs....<a href=http://www.filedropper.com/malwarebyteslogs.... not sure which one you needed so I pasted both. Man your the coolest dude on here, lol.

evilfantasy · « **Reply #28 on:** February 17, 2009, 10:50:22 AM »

I need the log itself. Double click on the log that has the infection and post it.

srtony1946 · « **Reply #29 on:** February 17, 2009, 12:23:22 PM »

The Infection was quarantined 2-16-09, there where several logs that day but this was the full scan log...Malwarebytes' Anti-Malware 1.34
Database version: 1766
Windows 5.1.2600 Service Pack 3

2/16/2009 3:44:49 PM
mbam-log-2009-02-16 (15-44-49).txt

Scan type: Full Scan (C:\|)
Objects scanned: 105780
Time elapsed: 18 minute(s), 36 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected) The quarantine tab has a reference number do you need that?(46658). none off the logs show an infection, I do not understand that. But this one did, on quick scan......Malwarebytes' Anti-Malware 1.34
Database version: 1766
Windows 5.1.2600 Service Pack 3

2/16/2009 3:02:20 PM
mbam-log-2009-02-16 (15-02-20).txt

Scan type: Quick Scan
Objects scanned: 44030
Time elapsed: 1 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
\boot.ini (Trojan.Agent) -> Quarantined and deleted successfully.

evilfantasy · « **Reply #30 on:** February 17, 2009, 12:46:54 PM »

Yes that's what I needed.

Delete ComboFix and download a new copy and try running it again.

Link #1
Link #2

If it won't run:

Launch Task Manager by pressing Ctrl + Alt + Delete

End Process on these file names (if found)

- FindStr
- Vfind
- SED
- GREP
- or any file that has the extension *.cfexe

End each only once. Now try to run it again.

srtony1946 · « **Reply #31 on:** February 17, 2009, 01:07:58 PM »

Ok, followed your directions, found none of the processes running in task manager, still same problem as before with combofix.

evilfantasy · « **Reply #32 on:** February 17, 2009, 01:32:51 PM »

One more try.

Go to Start > Run and copy/paste in the following:

"%userprofile%\desktop\combofix.exe" /killall

Press Enter and Combofix should begin to run.

evilfantasy · « **Reply #33 on:** February 17, 2009, 01:34:45 PM »

Also try booting into safe mode to run it.

srtony1946 · « **Reply #34 on:** February 17, 2009, 02:00:39 PM »

Combo fix IS working in safe mode, BUT It asked me.... strongly recommmend downloading WINDOWS RECOVERY CONSOLE. Said I needed to be hooked up to internet. How do I acess internet from safe mode?.

evilfantasy · « **Reply #35 on:** February 17, 2009, 02:12:53 PM »

You don't need the recovery console at this point. Just let it run.

srtony1946 · « **Reply #36 on:** February 17, 2009, 02:32:50 PM »

ok I ran combofix in safe mode It ran thru a checklist than gave me a log. I copy it but after I got out of the log a black sceen came up with safe mode In eack corner. I could not get out of this, so I had to manually turn my computer off. upon reboot I saw the boot.ini come up In my bios again.

evilfantasy · « **Reply #37 on:** February 17, 2009, 02:38:30 PM »

The log should be in c:\combofix.txt

srtony1946 · « **Reply #38 on:** February 17, 2009, 03:02:02 PM »

Got it.....ComboFix 09-02-15.01 - Tony 2009-02-17 15:18:52.1 - NTFSx86 MINIMAL
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2814.2570 [GMT -6:00]
Running from: c:\documents and settings\Tony\Desktop\ComboFix.exe
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated)
AV: ThreatFire *On-access scanning disabled* (Updated)
FW: COMODO Firewall Pro *enabled*

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\install.exe
c:\windows\system32\dllcache\http.sys

.
((((((((((((((((((((((((( Files Created from 2009-01-17 to 2009-02-17 )))))))))))))))))))))))))))))))
.

2009-02-16 21:37 . 2009-02-16 21:37   151   --a------   c:\windows\PhotoSnapViewer.INI
2009-02-16 18:53 . 2009-02-16 18:56   <DIR>   d--------   C:\Lop SD
2009-02-15 21:45 . 2009-02-15 21:46   <DIR>   d--------   c:\windows\SxsCaPendDel
2009-02-15 21:45 . 2009-02-15 21:45   <DIR>   d--------   C:\6d804651361dc4891455f2209848
2009-02-15 21:39 . 2009-02-15 21:39   <DIR>   d--------   C:\a9b0b6c8bd9517ae9595
2009-02-15 21:38 . 2009-02-15 21:38   <DIR>   dr-h-----   C:\AHCache
2009-02-15 21:38 . 2009-02-15 21:38   <DIR>   d--------   C:\503216bf65161d6d75
2009-02-15 12:11 . 2009-02-15 16:38   <DIR>   d--------   c:\program files\ACW
2009-02-15 11:49 . 2009-02-15 16:38   <DIR>   d--------   c:\program files\Common Files\Adobe AIR
2009-01-31 13:12 . 2009-01-31 13:12   2,560   --a------   c:\windows\_MSRSTRT.EXE
2009-01-25 15:18 . 2009-01-25 15:19   <DIR>   d--------   c:\documents and settings\Tony\Application Data\U3
2009-01-23 23:13 . 2009-01-23 23:13   <DIR>   d--------   c:\program files\VideoLAN
2009-01-21 17:45 . 2009-02-17 14:26   <DIR>   d--------   c:\program files\IObit
2009-01-21 17:45 . 2009-02-17 14:26   <DIR>   d--------   c:\documents and settings\Tony\Application Data\IObit

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-17 19:47   189,672   ----a-w   c:\windows\system32\PnkBstrB.exe
2009-02-17 19:47   138,584   -c--a-w   c:\windows\system32\drivers\PnkBstrK.sys
2009-02-16 21:48   ---------   d-----w   c:\program files\Common Files\Adobe
2009-02-15 22:38   ---------   d-----w   c:\program files\NOS
2009-02-15 22:38   ---------   d-----w   c:\documents and settings\LocalService\Application Data\SACore
2009-02-15 17:43   ---------   d-----w   c:\documents and settings\All Users\Application Data\NOS
2009-02-15 13:13   ---------   d-----w   c:\program files\SpywareBlaster
2009-02-15 13:13   ---------   d-----w   c:\program files\Malwarebytes' Anti-Malware
2009-02-11 16:19   38,496   ----a-w   c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 16:19   15,504   ----a-w   c:\windows\system32\drivers\mbam.sys
2009-02-11 02:46   70,968   ----a-w   c:\windows\system32\PnkBstrA.exe
2009-01-31 19:14   ---------   d-----w   c:\program files\DAP
2009-01-31 19:12   ---------   d-----w   c:\documents and settings\All Users\Application Data\SpeedBit
2009-01-23 01:46   ---------   d--h--w   c:\program files\InstallShield Installation Information
2009-01-21 23:46   ---------   d-----w   c:\program files\SUPERAntiSpyware
2009-01-11 23:52   ---------   d-----w   c:\program files\SpeedBit Video Accelerator
2009-01-07 19:07   ---------   d-----w   c:\program files\McAfee
2009-01-07 16:15   ---------   d-----w   c:\program files\Common Files\McAfee
2009-01-07 16:15   ---------   d-----w   c:\documents and settings\All Users\Application Data\McAfee
2009-01-02 02:37   ---------   d-----w   c:\documents and settings\Tony\Application Data\Gaijin Ent
2009-01-02 02:36   ---------   d-----w   c:\program files\Common Files\Oberon Media
2009-01-01 18:46   ---------   d-----w   c:\documents and settings\Tony\Application Data\Zylom
2009-01-01 18:46   ---------   d-----w   c:\documents and settings\All Users\Application Data\Zylom
2009-01-01 18:32   ---------   d-----w   c:\program files\Tropico Jong
2009-01-01 16:50   ---------   d-----w   c:\documents and settings\Tony\Application Data\PlayFirst
2009-01-01 16:49   ---------   d-----w   c:\program files\PlayFirst
2009-01-01 15:00   ---------   d-----w   c:\documents and settings\LocalService\Application Data\GameTracker
2008-12-31 22:59   ---------   d-----w   c:\documents and settings\Tony\Application Data\Chessmaster Challenge
2008-12-31 22:58   ---------   d-----w   c:\documents and settings\Tony\Application Data\SpinTop
2008-12-27 18:21   ---------   d-----w   c:\program files\CCleaner
2008-12-21 17:12   ---------   d-----w   c:\program files\Ricochet Infinity
2008-12-20 23:15   826,368   ----a-w   c:\windows\system32\wininet.dll
2008-12-13 10:21   410,984   ----a-w   c:\windows\system32\deploytk.dll
2008-11-14 23:59   22,328   ----a-w   c:\documents and settings\Tony\Application Data\PnkBstrK.sys
2008-10-20 21:15   61,224   ----a-w   c:\documents and settings\Tony\GoToAssistDownloadHelper.exe
2004-09-28 02:00   26,240   -c--a-w   c:\windows\inf\RAMDSK.SYS
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"Advanced SystemCare 3"="c:\program files\IObit\Advanced SystemCare 3\AWC.exe" [2009-01-09 2262352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ThreatFire"="c:\program files\ThreatFire\TFTray.exe" [2008-11-17 263456]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Premium\avgnt.exe" [2008-06-12 266497]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-11-12 13672448]
"RTHDCPL"="RTHDCPL.EXE" [2007-10-16 c:\windows\RTHDCPL.exe]
"nwiz"="nwiz.exe" [2008-11-12 c:\windows\system32\nwiz.exe]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-31 13:54 356352 c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKLM\~\startupfolder\C:^Documents and Settings^Tony^Start Menu^Programs^Startup^Secunia PSI.lnk]
backup=c:\windows\pss\Secunia PSI.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2008-11-12 14:54 13672448 c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2008-11-12 14:54 86016 c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-12-13 04:21 136600 c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\XboxStat]
--a------ 2007-09-26 18:05 734264 c:\program files\Microsoft Xbox 360 Accessories\XBoxStat.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
--a------ 2005-05-03 17:43 69632 c:\windows\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2008-11-12 14:54 1630208 c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"nwiz"=nwiz.exe /install
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
"hpbdfawep"=c:\program files\HP\Dfawep\bin\hpbdfawep.exe 1

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\HP1006MC.EXE"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaW.exe"=
"c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaWmp.exe"=

R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2008-07-03 51488]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2008-07-03 39200]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2008-09-03 8944]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2008-09-03 55024]
S2 AVEService;Avira AntiVir Premium MailGuard helper service;c:\program files\Avira\AntiVir PersonalEdition Premium\avesvc.exe [2008-08-04 41217]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2009-01-07 206096]
S2 NwSapAgent;SAP Agent;c:\windows\system32\svchost.exe -k netsvcs [2006-02-28 14336]
S2 ThreatFire;ThreatFire;c:\program files\ThreatFire\TFService.exe service --> c:\program files\ThreatFire\TFService.exe service [?]
S3 CachemanXPService;CachemanXP;c:\progra~1\CACHEM~1\CachemanXP.exe [2008-07-06 243200]
S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2009-02-15 33752]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2008-11-18 7808]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-09-03 7408]
S3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [2008-07-03 33056]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9ff2abc2-eb25-11dd-8086-00044b15f8d9}]
\Shell\AutoRun\command - E:\LaunchU3.exe
.
Contents of the 'Scheduled Tasks' folder

2009-02-09 c:\windows\Tasks\SmartDefrag.job
- c:\program files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe [2009-01-14 13:15]

2009-02-09 c:\windows\Tasks\SmartDefrag.job
- c:\program files\IObit\IObit SmartDefrag\ [2009-01-21 17:45]
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-Adobe Photo Downloader - c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe

.
------- Supplementary Scan -------
.
Trusted Zone: tube8.com\www
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-17 15:19:31
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1123561945-1592454029-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{6D57F757-F398-3A27-B800-878FEF5CF0DC}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"hafijbhpgokecfdc"=hex:61,61,00,7c
"jafijbhpgokecfdcippe"=hex:63,61,65,67,65,6a,00,7c
"panfaelidjiinaohponpmiajmhpkljna"=hex:64,61,61,67,70,6d,6b,65,00,00
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(192)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
Completion time: 2009-02-17 15:20:01
ComboFix-quarantined-files.txt 2009-02-17 21:19:58

Pre-Run: 462,205,263,872 bytes free
Post-Run: 462,217,445,376 bytes free

174   --- E O F ---   2009-02-11 19:26:00

evilfantasy · « **Reply #39 on:** February 17, 2009, 03:11:09 PM »

Do you have any idea what this might be?

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1123561945-1592454029-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{6D57F757-F398-3A27-B800-878FEF5CF0DC}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"hafijbhpgokecfdc"=hex:61,61,00,7c
"jafijbhpgokecfdcippe"=hex:63,61,65,67,65,6a,00,7c
"panfaelidjiinaohponpmiajmhpkljna"=hex:64,61,61,67,70,6d,6b,65,00,00

srtony1946 · « **Reply #40 on:** February 17, 2009, 03:25:58 PM »

No, How can we find out?

evilfantasy · « **Reply #41 on:** February 17, 2009, 03:33:39 PM »

I am fairly sure it's a malware file. It makes no sense and is just a bunch of random characters.

It's one of your Shell Extensions. Have you installed a custom Shell Extensions (right click menu maybe)?

srtony1946 · « **Reply #42 on:** February 17, 2009, 03:44:22 PM »

I am not sure, what do you mean by (rt clicl menu maybe?) I am not familar with shell extensions, I do not even know what they are, lol

evilfantasy · « **Reply #43 on:** February 17, 2009, 03:47:13 PM »

We can remove it but I'm not even sure what it is.

I think we should worry about the boot.ini file first. Are you still getting errors and if so what exactly does it say?

Do you have your Windows install CD?

evilfantasy · « **Reply #44 on:** February 17, 2009, 03:51:54 PM »

Also do this please.

Go to Start > Run and type maconfig then click OK.

Select the BOOT.INI tab and click Check All Boot Paths

What happens or what happens when you restart the computer?

srtony1946 · « **Reply #45 on:** February 17, 2009, 04:00:51 PM »

When I boot my computer I get this IN BIOS...Invalid boot-file boot.ini booting from C/windows. I have a windows CD. Did you mean msconfig in last post? I tried that but could not find boot. ini file.

evilfantasy · « **Reply #46 on:** February 17, 2009, 04:18:06 PM »

Get your Windows XP CD.

Look at this link to see how to repair your boot.ini file. http://tricks-collections.com/2008/12/how-to-repair-bootini-file-in-windows-xp/

srtony1946 · « **Reply #47 on:** February 17, 2009, 04:22:42 PM »

ok I will try this Tomorrow, I have to go into work. I will keep you posted.

evilfantasy · « **Reply #48 on:** February 17, 2009, 04:29:31 PM »

No problem.

srtony1946 · « **Reply #49 on:** February 18, 2009, 07:01:36 AM »

When I repair windows with xp cd, will It erase everything on my hardrive? should I back up files?

evilfantasy · « **Reply #50 on:** February 18, 2009, 09:40:10 AM »

No a repair is just that. Repairing damaged files.

srtony1946 · « **Reply #51 on:** February 18, 2009, 11:45:56 AM »

I am having problems with windows xp cd , when I get to the step where you have to type bootcfg/list It does nothing and I have to type exit to get out of it.

evilfantasy · « **Reply #52 on:** February 18, 2009, 12:05:03 PM »

You need a space between bootcfg and /list

srtony1946 · « **Reply #53 on:** February 18, 2009, 12:26:17 PM »

Ok the virus did not appear in bios, I think we got it YES!!!. But system restore still not working.

evilfantasy · « **Reply #54 on:** February 18, 2009, 12:55:14 PM »

OK let's see what might be hiding now.

Download DrWeb CureIt & save it to your desktop. Scan with DrWeb-CureIt as follows:

Double-click on drweb-cureit.exe and then click Start
An information notice will appear, click OK.
This starts a short scan that will scan the files currently running in memory.
If you get a prompt to buy the full version just exit out of the window. The scanner will still work without buying the full version
If or when something is found, click the Yes button when it asks you if you want to cure it.

Once the short scan has finished, Click Settings > Change Settings
Under the Scanning tab UNcheck Heuristic analysis and click OK
Back at the main window, select the Complete scan button and then click the Green Arrow Start Scanning button on the right and the scan will start.
- Click Yes to all if it asks if you want to cure/move any file(s).
When the scan is done.
In the Dr.Web CureIt menu on top left, click File and choose Save report list.
Save the DrWeb.csv report to your Desktop.
Exit Dr.Web Cureit.

Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.

[/COLOR]

After reboot, Right-click the Dr.Web log on the desktop and choose Open With > Notepad
Copy and paste that log in the next reply

[/list]

srtony1946 · « **Reply #55 on:** February 18, 2009, 12:59:36 PM »

Update..... I fixed system restore by doing this. rt clicked on my computer, properties, system restore tab, turn off system restore, ok, rebooted. Than turned system restore back on. Thanks for hanging in there for me and all your help evilfantasy,your awsome.

evilfantasy · « **Reply #56 on:** February 18, 2009, 01:03:00 PM »

Cool!!

You should probably run a virus check just to be safe. ComboFix found a few things so better safe than sorry.

srtony1946 · « **Reply #57 on:** February 18, 2009, 02:09:34 PM »

sens.dll;c:\windows\system32;Trojan.Starter.881;Cured.;
ComboFix.exe/data002\32788R22FWJFW\psexec.cfexe;C:\Documents and Settings\Tony\desktop\ComboFix.exe/data002;Program.PsExec.171;;
data002;C:\Documents and Settings\Tony\desktop;Archive contains infected objects;;
ComboFix.exe;C:\Documents and Settings\Tony\desktop;Container contains infected objects;Moved.;
A0000013.dll;C:\System Volume Information\_restore{785D763D-1628-4541-9037-095F39857DB9}\RP2;Trojan.Starter.881;Cured.;
A0000014.exe/data002\32788R22FWJFW\psexec.cfexe;C:\System Volume Information\_restore{785D763D-1628-4541-9037-095F39857DB9}\RP2\A0000014.exe/data002;Program.PsExec.171;;
data002;C:\System Volume Information\_restore{785D763D-1628-4541-9037-095F39857DB9}\RP2;Archive contains infected objects;;
A0000014.exe;C:\System Volume Information\_restore{785D763D-1628-4541-9037-095F39857DB9}\RP2;Container contains infected objects;Moved.; DR WEB FOUND ANOTHER VIRUS!!.

evilfantasy · « **Reply #58 on:** February 18, 2009, 03:51:56 PM »

Looks like Dr Web cured your sens.dll file, which is a library that contains functions used for System Event Notification Service.

Download OTCleanIt.exe and save it to your Desktop.

Double-click OTCleanIt.exe.
Click the CleanUp! button.
Select Yes when the "Begin cleanup Process?" prompt appears.
If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes, if not delete it yourself.

.
----------

Disable/Enable the System Restore Utility to flush old infected restore points

1) Right click the My Computer icon on the Desktop and click on Properties.
2) Click on the System Restore tab.
3) Put a check mark next to Turn off System Restore on All Drives
4) Click the OK button.
5) You will be prompted to restart the computer. Click the Yes button.

Now re-enable System Restore

To re-enable the System Restore Utility, follow steps one to five and on step three remove the check mark next to 'Turn off System Restore on All Drives'.

1) Right click the My Computer icon on the Desktop and click on Properties.
2) Click on the System Restore tab.
3) Remove the check mark next to Turn off System Restore on All Drives
4) Click the OK button.

----------

Use the Secunia Software Inspector to check for out of date software.

Click Start Now
Check the box next to Enable thorough system inspection.
Click Start
Allow the scan to finish and scroll down to see if any updates are needed.
Update anything listed.

.
----------

Go to Microsoft Windows Update and get all critical updates.

----------

I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

----------

Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smooth.

Computer Hope Forum

News:

Author Topic: System restore not working. (Read 18951 times)

srtony1946

Broni

srtony1946

evilfantasy

srtony1946

evilfantasy

JJ 3000

srtony1946

evilfantasy

srtony1946

srtony1946

Broni

srtony1946

evilfantasy

srtony1946

evilfantasy

srtony1946

evilfantasy

srtony1946

srtony1946

evilfantasy

srtony1946

evilfantasy

srtony1946

evilfantasy

srtony1946

evilfantasy

srtony1946

evilfantasy

srtony1946

evilfantasy

srtony1946

evilfantasy

evilfantasy

srtony1946

evilfantasy

srtony1946

evilfantasy

srtony1946

evilfantasy

srtony1946

evilfantasy

srtony1946

evilfantasy

evilfantasy

srtony1946

evilfantasy

srtony1946

evilfantasy

srtony1946

evilfantasy

srtony1946

evilfantasy

srtony1946

evilfantasy

srtony1946

evilfantasy

srtony1946

evilfantasy