ComboFix and Vista SP1 disagree on Windows Defender's enable/disable status

2 replies to this topic

#1 SanDiegan11
Posted 14 July 2009 - 10:48 PM

1. My two attempts at using ComboFix.exe (instructed by ESET based on a NOD32 Safe Mode scan) were not successful. Both times only three stages were carried out, and I got in ComboFix.txt the statement
"Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}."

The first time I was ignorant of Windows Defender being *enabled* because of its absence in the systray. The second time I first followed the instructions from http://www.mydigitallife.info/2008/02/22/h...ender-in-vista/ to disable it. I also changed the name of the file ComboFix.exe just in case this is needed. When I got the same complaint I immediately rechecked Windows Defender's status and I got the following window:

"Windows Defender is turned off. Windows Defender won't provide protection against harmful or potentially unwanted software and it won't send you alerts because it is off. To help protect your computer against harmful or potentially unwanted software, Turn on and open windows Defender."

2. I am not sure whether the ComboFix.txt being partially in Chinese would cause a problem later. My Vista Home Premium SP1 is an English version with Chinese chosen as a second language using Microsoft AppLocale. But this uninvited choice (or consideration) by ComboFix.exe to use partial Chinese may complicate the later interpretation job. (I need to guess around the Chinese computer lingo myself.) I hope the layout of the report enables helpers to guess around some non-English too.

3. Now some background on my PC's problem. I have been observing strange things about my Vista SP1 for the past 2-3 weeks, like slowdowns and window freezing, such that I had to resort to using the power-off button daily. Furthermore, maybe a week ago I let an unknown driver be installed (I thought it was a ritual during one of the restarts).

------------------------------------- NOD32 Safe Mode Scan
ECLS Command-line scanner, version 4.0.437.0,
Scan completed at: 07/14/09 01:20:45
Scan time: 17550 sec (4:52:30)
Total: files - 188964, objects 1633554
Infected: files - 9, objects 14
Cleaned: files - 0, objects 0
-------------------------------------

MBAM and SAS have been silent on these infections but I haven't tried using them in Safe Mode scan either as ESET just suggested.

Thank you for reading this post. Any comments will be appreciated.

SanDiegan11
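The disagreement described in this post is worth understanding: Vista and later keep Windows Defender's state in more than one place, and a tool that reads one source can report "enabled" while the Defender UI, reading another, says "turned off". The PowerShell below is an added example, not part of the thread and not code from ComboFix, ESET or Microsoft. It reads the three sources side by side: the WinDefend service, the DisableAntiSpyware registry value the Defender UI and Group Policy use, and the Security Center WMI provider (root\SecurityCenter2). The assumption that ComboFix's "{GUID}" line comes from Security Center, and the common decoding of the packed productState field, are both labelled as assumptions in the comments; the script only reads state and changes nothing.

```powershell
# Added example (not from the thread or from any tool it mentions).
# Reads Windows Defender's state from three independent sources so that a
# disagreement like the one in this thread can be pinned to a specific source.
# Works on Windows PowerShell 2.0 and later; run from an elevated prompt.

function Get-DefenderStatusSources {
    $result = @{}

    # Source 1: the Defender engine service itself (service name WinDefend).
    $svc = Get-Service -Name WinDefend -ErrorAction SilentlyContinue
    if ($svc) {
        $result['ServiceStatus'] = $svc.Status.ToString()
        $wmiSvc = Get-WmiObject -Class Win32_Service -Filter "Name='WinDefend'"
        $result['ServiceStartMode'] = $wmiSvc.StartMode
    } else {
        $result['ServiceStatus'] = 'NotInstalled'
        $result['ServiceStartMode'] = 'n/a'
    }

    # Source 2: the on/off switch the Defender UI and Group Policy write.
    # A value of 1 here means "turned off" even if the service binary is present.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows Defender'
    $reg = Get-ItemProperty -Path $key -Name DisableAntiSpyware -ErrorAction SilentlyContinue
    if ($reg -ne $null) {
        $result['DisableAntiSpyware'] = [int]$reg.DisableAntiSpyware
    } else {
        $result['DisableAntiSpyware'] = 0   # value absent: Defender is not disabled by this switch
    }

    # Source 3: Security Center's registration of anti-spyware products.
    # ASSUMPTION: third-party scanners that print "<product> *enabled* {GUID}"
    # read this provider; the thread does not confirm which source ComboFix uses.
    $asp = Get-WmiObject -Namespace 'root\SecurityCenter2' -Class AntiSpywareProduct `
               -ErrorAction SilentlyContinue |
           Where-Object { $_.displayName -like '*Defender*' }
    if ($asp) {
        $result['SecurityCenterName'] = $asp.displayName
        $result['SecurityCenterGuid'] = $asp.instanceGuid
        $result['SecurityCenterProductState'] = ('0x{0:X6}' -f [int]$asp.productState)
        # ASSUMPTION (widely used, not an official Microsoft spec): productState is a
        # packed value whose middle byte is 0x10 when the product is enabled and
        # 0x00 when it is disabled. Extract that byte without the -shr operator so
        # the script still runs on PowerShell 2.0.
        $middleByte = ([int]$asp.productState -band 0xFF00) / 256
        $result['SecurityCenterEnabled'] = ($middleByte -eq 0x10)
    } else {
        $result['SecurityCenterName'] = 'not registered'
        $result['SecurityCenterEnabled'] = $false
    }

    # Summarise: the sources agree only when all three say the same thing.
    $engineOn = ($result['ServiceStatus'] -eq 'Running') -and ($result['DisableAntiSpyware'] -eq 0)
    $result['SourcesAgree'] = ($engineOn -eq $result['SecurityCenterEnabled'])

    New-Object PSObject -Property $result
}

# Usage: print all fields; a SourcesAgree of False shows which view is stale.
Get-DefenderStatusSources | Format-List
```

If SourcesAgree comes back False, the stale side is usually Security Center: it caches product registrations and may keep reporting "enabled" for some time after the service has been stopped or the DisableAntiSpyware switch set, which is consistent with a scanner and the Defender UI giving opposite answers minutes apart. Rerunning the check after a reboot (which also restarts the Security Center service) is the cheapest way to tell a cache lag from a real configuration problem.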


#2 D_N_M
Posted 14 July 2009 - 11:08 PM

Hello SanDiegan11
Quote (Papakid @ Mar 1 2009, 09:30 PM):

Running ComboFix by yourself is like performing open heart surgery on yourself--the scalpel and other surgical tools that ComboFix is are meant to be wielded by a highly trained surgeon only in emergencies or dire circumstances. When the surgeon is through, s/he leaves the room. So ComboFix should be removed from a system once it has accomplished its job, unlike an AV that is there to protect you from future infections.

. . . CF does make some alterations to your system if you run it. Even if you had no malware removed and run the uninstall command, some things may be different now on your system. I can tell you that one thing is that all your restore points will be flushed out and a new one created. There is a good reason to do that when you have a severe infection--but if you aren't infected you might need those restore points.

Read and abide by the disclaimer people. It's there for a reason. Stick to running and protecting yourself with a good AV and firewall and an anti-malware scanner or two.

Please try this and post a log back to this thread: http://www.malwarebytes.org/mbam.php

Thank you

D_N_M

#3 SanDiegan11
Posted 15 July 2009 - 09:58 AM

Hi D_N_M,

Thank you for your advice. I am not sure whether I interpreted your final instruction correctly. I ran a Safe Mode Full Scan of MBAM, and it gave me a clean bill of health (see below) like the earlier Full Scan run under Normal Mode, and its daily quick scans.

BTW, in between the last two MBAM full scans I manually allowed 3 Vista KB updates announced by MS yesterday. In between the two ComboFix runs several hours apart, there was a ComboFix update too. To a layman, it is puzzling to see the disagreement between ComboFix and Vista SP1 on Windows Defender's enable/disable status, and the disagreement between NOD32 and MBAM about my PC's health.

While NOD32 reported "Infected: files - 9, objects 14" after the Safe Mode Full Scan, some of them might be duplicates, as the scan includes an external drive which has 3 image backups (of the primary partition) and the July daily incremental file backup.

Regarding your advice "Stick to running and protecting yourself with a good AV and firewall and an anti-malware scanner or two," the only thing I have not mentioned is that I do have a router as a hardware firewall. Just a few weeks ago I uninstalled Online Armor after only 3 months into a two-year subscription, as it gave me more problems than it was worth. So right now maybe Windows Defender has resumed its role as the software firewall.

So it seems that you suggest I not try ComboFix, but I was not running ComboFix by myself, as I was told by ESET to use it.

I have some wishful idea that the latest MS updates will solve all the confusing state (which might be of its own making).

Thank you for reading this post.

SanDiegan11

-----------------------------------------------------------------------------------

Malwarebytes' Anti-Malware 1.38
Database version: 2412
Windows 6.0.6001 Service Pack 1

7/15/2009 6:42:57 AM
mbam-log-2009-07-15 (06-42-57).txt

Scan type: Full Scan (C:\|E:\|L:\|U:\|V:\|)
Objects scanned: 283883
Time elapsed: 44 minute(s), 25 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
