Author Topic: System restore not working. (Read 17414 times)

evilfantasy · « **Reply #30 on:** February 17, 2009, 12:46:54 PM »

Yes that's what I needed.

Delete ComboFix and download a new copy and try running it again.

Link #1
Link #2

If it won't run:

Launch Task Manager by pressing Ctrl + Alt + Delete

End Process on these file names (if found)

- FindStr
- Vfind
- SED
- GREP
- or any file that has the extension *.cfexe

End each only once. Now try to run it again.

srtony1946 · « **Reply #31 on:** February 17, 2009, 01:07:58 PM »

Ok, followed your directions, found none of the processes running in task manager, still same problem as before with combofix.

evilfantasy · « **Reply #32 on:** February 17, 2009, 01:32:51 PM »

One more try.

Go to Start > Run and copy/paste in the following:

"%userprofile%\desktop\combofix.exe" /killall

Press Enter and Combofix should begin to run.

evilfantasy · « **Reply #33 on:** February 17, 2009, 01:34:45 PM »

Also try booting into safe mode to run it.

srtony1946 · « **Reply #34 on:** February 17, 2009, 02:00:39 PM »

Combo fix IS working in safe mode, BUT It asked me.... strongly recommmend downloading WINDOWS RECOVERY CONSOLE. Said I needed to be hooked up to internet. How do I acess internet from safe mode?.

evilfantasy · « **Reply #35 on:** February 17, 2009, 02:12:53 PM »

You don't need the recovery console at this point. Just let it run.

srtony1946 · « **Reply #36 on:** February 17, 2009, 02:32:50 PM »

ok I ran combofix in safe mode It ran thru a checklist than gave me a log. I copy it but after I got out of the log a black sceen came up with safe mode In eack corner. I could not get out of this, so I had to manually turn my computer off. upon reboot I saw the boot.ini come up In my bios again.

evilfantasy · « **Reply #37 on:** February 17, 2009, 02:38:30 PM »

The log should be in c:\combofix.txt

srtony1946 · « **Reply #38 on:** February 17, 2009, 03:02:02 PM »

Got it.....ComboFix 09-02-15.01 - Tony 2009-02-17 15:18:52.1 - NTFSx86 MINIMAL
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2814.2570 [GMT -6:00]
Running from: c:\documents and settings\Tony\Desktop\ComboFix.exe
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated)
AV: ThreatFire *On-access scanning disabled* (Updated)
FW: COMODO Firewall Pro *enabled*

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\install.exe
c:\windows\system32\dllcache\http.sys

.
((((((((((((((((((((((((( Files Created from 2009-01-17 to 2009-02-17 )))))))))))))))))))))))))))))))
.

2009-02-16 21:37 . 2009-02-16 21:37   151   --a------   c:\windows\PhotoSnapViewer.INI
2009-02-16 18:53 . 2009-02-16 18:56   <DIR>   d--------   C:\Lop SD
2009-02-15 21:45 . 2009-02-15 21:46   <DIR>   d--------   c:\windows\SxsCaPendDel
2009-02-15 21:45 . 2009-02-15 21:45   <DIR>   d--------   C:\6d804651361dc4891455f2209848
2009-02-15 21:39 . 2009-02-15 21:39   <DIR>   d--------   C:\a9b0b6c8bd9517ae9595
2009-02-15 21:38 . 2009-02-15 21:38   <DIR>   dr-h-----   C:\AHCache
2009-02-15 21:38 . 2009-02-15 21:38   <DIR>   d--------   C:\503216bf65161d6d75
2009-02-15 12:11 . 2009-02-15 16:38   <DIR>   d--------   c:\program files\ACW
2009-02-15 11:49 . 2009-02-15 16:38   <DIR>   d--------   c:\program files\Common Files\Adobe AIR
2009-01-31 13:12 . 2009-01-31 13:12   2,560   --a------   c:\windows\_MSRSTRT.EXE
2009-01-25 15:18 . 2009-01-25 15:19   <DIR>   d--------   c:\documents and settings\Tony\Application Data\U3
2009-01-23 23:13 . 2009-01-23 23:13   <DIR>   d--------   c:\program files\VideoLAN
2009-01-21 17:45 . 2009-02-17 14:26   <DIR>   d--------   c:\program files\IObit
2009-01-21 17:45 . 2009-02-17 14:26   <DIR>   d--------   c:\documents and settings\Tony\Application Data\IObit

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-17 19:47   189,672   ----a-w   c:\windows\system32\PnkBstrB.exe
2009-02-17 19:47   138,584   -c--a-w   c:\windows\system32\drivers\PnkBstrK.sys
2009-02-16 21:48   ---------   d-----w   c:\program files\Common Files\Adobe
2009-02-15 22:38   ---------   d-----w   c:\program files\NOS
2009-02-15 22:38   ---------   d-----w   c:\documents and settings\LocalService\Application Data\SACore
2009-02-15 17:43   ---------   d-----w   c:\documents and settings\All Users\Application Data\NOS
2009-02-15 13:13   ---------   d-----w   c:\program files\SpywareBlaster
2009-02-15 13:13   ---------   d-----w   c:\program files\Malwarebytes' Anti-Malware
2009-02-11 16:19   38,496   ----a-w   c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 16:19   15,504   ----a-w   c:\windows\system32\drivers\mbam.sys
2009-02-11 02:46   70,968   ----a-w   c:\windows\system32\PnkBstrA.exe
2009-01-31 19:14   ---------   d-----w   c:\program files\DAP
2009-01-31 19:12   ---------   d-----w   c:\documents and settings\All Users\Application Data\SpeedBit
2009-01-23 01:46   ---------   d--h--w   c:\program files\InstallShield Installation Information
2009-01-21 23:46   ---------   d-----w   c:\program files\SUPERAntiSpyware
2009-01-11 23:52   ---------   d-----w   c:\program files\SpeedBit Video Accelerator
2009-01-07 19:07   ---------   d-----w   c:\program files\McAfee
2009-01-07 16:15   ---------   d-----w   c:\program files\Common Files\McAfee
2009-01-07 16:15   ---------   d-----w   c:\documents and settings\All Users\Application Data\McAfee
2009-01-02 02:37   ---------   d-----w   c:\documents and settings\Tony\Application Data\Gaijin Ent
2009-01-02 02:36   ---------   d-----w   c:\program files\Common Files\Oberon Media
2009-01-01 18:46   ---------   d-----w   c:\documents and settings\Tony\Application Data\Zylom
2009-01-01 18:46   ---------   d-----w   c:\documents and settings\All Users\Application Data\Zylom
2009-01-01 18:32   ---------   d-----w   c:\program files\Tropico Jong
2009-01-01 16:50   ---------   d-----w   c:\documents and settings\Tony\Application Data\PlayFirst
2009-01-01 16:49   ---------   d-----w   c:\program files\PlayFirst
2009-01-01 15:00   ---------   d-----w   c:\documents and settings\LocalService\Application Data\GameTracker
2008-12-31 22:59   ---------   d-----w   c:\documents and settings\Tony\Application Data\Chessmaster Challenge
2008-12-31 22:58   ---------   d-----w   c:\documents and settings\Tony\Application Data\SpinTop
2008-12-27 18:21   ---------   d-----w   c:\program files\CCleaner
2008-12-21 17:12   ---------   d-----w   c:\program files\Ricochet Infinity
2008-12-20 23:15   826,368   ----a-w   c:\windows\system32\wininet.dll
2008-12-13 10:21   410,984   ----a-w   c:\windows\system32\deploytk.dll
2008-11-14 23:59   22,328   ----a-w   c:\documents and settings\Tony\Application Data\PnkBstrK.sys
2008-10-20 21:15   61,224   ----a-w   c:\documents and settings\Tony\GoToAssistDownloadHelper.exe
2004-09-28 02:00   26,240   -c--a-w   c:\windows\inf\RAMDSK.SYS
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"Advanced SystemCare 3"="c:\program files\IObit\Advanced SystemCare 3\AWC.exe" [2009-01-09 2262352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ThreatFire"="c:\program files\ThreatFire\TFTray.exe" [2008-11-17 263456]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Premium\avgnt.exe" [2008-06-12 266497]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-11-12 13672448]
"RTHDCPL"="RTHDCPL.EXE" [2007-10-16 c:\windows\RTHDCPL.exe]
"nwiz"="nwiz.exe" [2008-11-12 c:\windows\system32\nwiz.exe]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-31 13:54 356352 c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKLM\~\startupfolder\C:^Documents and Settings^Tony^Start Menu^Programs^Startup^Secunia PSI.lnk]
backup=c:\windows\pss\Secunia PSI.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2008-11-12 14:54 13672448 c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2008-11-12 14:54 86016 c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-12-13 04:21 136600 c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\XboxStat]
--a------ 2007-09-26 18:05 734264 c:\program files\Microsoft Xbox 360 Accessories\XBoxStat.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
--a------ 2005-05-03 17:43 69632 c:\windows\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2008-11-12 14:54 1630208 c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"nwiz"=nwiz.exe /install
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
"hpbdfawep"=c:\program files\HP\Dfawep\bin\hpbdfawep.exe 1

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\HP1006MC.EXE"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaW.exe"=
"c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaWmp.exe"=

R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2008-07-03 51488]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2008-07-03 39200]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2008-09-03 8944]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2008-09-03 55024]
S2 AVEService;Avira AntiVir Premium MailGuard helper service;c:\program files\Avira\AntiVir PersonalEdition Premium\avesvc.exe [2008-08-04 41217]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2009-01-07 206096]
S2 NwSapAgent;SAP Agent;c:\windows\system32\svchost.exe -k netsvcs [2006-02-28 14336]
S2 ThreatFire;ThreatFire;c:\program files\ThreatFire\TFService.exe service --> c:\program files\ThreatFire\TFService.exe service [?]
S3 CachemanXPService;CachemanXP;c:\progra~1\CACHEM~1\CachemanXP.exe [2008-07-06 243200]
S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2009-02-15 33752]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2008-11-18 7808]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-09-03 7408]
S3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [2008-07-03 33056]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9ff2abc2-eb25-11dd-8086-00044b15f8d9}]
\Shell\AutoRun\command - E:\LaunchU3.exe
.
Contents of the 'Scheduled Tasks' folder

2009-02-09 c:\windows\Tasks\SmartDefrag.job
- c:\program files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe [2009-01-14 13:15]

2009-02-09 c:\windows\Tasks\SmartDefrag.job
- c:\program files\IObit\IObit SmartDefrag\ [2009-01-21 17:45]
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-Adobe Photo Downloader - c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe

.
------- Supplementary Scan -------
.
Trusted Zone: tube8.com\www
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-17 15:19:31
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1123561945-1592454029-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{6D57F757-F398-3A27-B800-878FEF5CF0DC}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"hafijbhpgokecfdc"=hex:61,61,00,7c
"jafijbhpgokecfdcippe"=hex:63,61,65,67,65,6a,00,7c
"panfaelidjiinaohponpmiajmhpkljna"=hex:64,61,61,67,70,6d,6b,65,00,00
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(192)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
Completion time: 2009-02-17 15:20:01
ComboFix-quarantined-files.txt 2009-02-17 21:19:58

Pre-Run: 462,205,263,872 bytes free
Post-Run: 462,217,445,376 bytes free

174   --- E O F ---   2009-02-11 19:26:00

evilfantasy · « **Reply #39 on:** February 17, 2009, 03:11:09 PM »

Do you have any idea what this might be?

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1123561945-1592454029-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{6D57F757-F398-3A27-B800-878FEF5CF0DC}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"hafijbhpgokecfdc"=hex:61,61,00,7c
"jafijbhpgokecfdcippe"=hex:63,61,65,67,65,6a,00,7c
"panfaelidjiinaohponpmiajmhpkljna"=hex:64,61,61,67,70,6d,6b,65,00,00

srtony1946 · « **Reply #40 on:** February 17, 2009, 03:25:58 PM »

No, How can we find out?

evilfantasy · « **Reply #41 on:** February 17, 2009, 03:33:39 PM »

I am fairly sure it's a malware file. It makes no sense and is just a bunch of random characters.

It's one of your Shell Extensions. Have you installed a custom Shell Extensions (right click menu maybe)?

srtony1946 · « **Reply #42 on:** February 17, 2009, 03:44:22 PM »

I am not sure, what do you mean by (rt clicl menu maybe?) I am not familar with shell extensions, I do not even know what they are, lol

evilfantasy · « **Reply #43 on:** February 17, 2009, 03:47:13 PM »

We can remove it but I'm not even sure what it is.

I think we should worry about the boot.ini file first. Are you still getting errors and if so what exactly does it say?

Do you have your Windows install CD?

evilfantasy · « **Reply #44 on:** February 17, 2009, 03:51:54 PM »

Also do this please.

Go to Start > Run and type maconfig then click OK.

Select the BOOT.INI tab and click Check All Boot Paths

What happens or what happens when you restart the computer?

Computer Hope Forum

News:

Author Topic: System restore not working. (Read 17414 times)

evilfantasy

Re: System restore not working.

srtony1946

Re: System restore not working.

evilfantasy

Re: System restore not working.

evilfantasy

Re: System restore not working.

srtony1946

Re: System restore not working.

evilfantasy

Re: System restore not working.

srtony1946

Re: System restore not working.

evilfantasy

Re: System restore not working.

srtony1946

Re: System restore not working.

evilfantasy

Re: System restore not working.

srtony1946

Re: System restore not working.

evilfantasy

Re: System restore not working.

srtony1946

Re: System restore not working.

evilfantasy

Re: System restore not working.

evilfantasy

Re: System restore not working.