Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Malwarebytes & Windows Defender (not responding) on same folder so ran rkill


  • This topic is locked This topic is locked
15 replies to this topic

#1 mich2394

mich2394

  • Members
  • 37 posts
  • OFFLINE
  •  
  • Local time:04:25 PM

Posted 16 January 2010 - 02:38 AM

Referred from here: http://www.bleepingcomputer.com/forums/t/287348/malwarebytes-windows-defender-freeze-on-files-in-same-folder/ ~ OB

Hi!

This 1st set of quoted text is what I had posted in the 'how did I get infected' forum. I do not know if is helpful so thought would copy it over just in case.

dds.txt and attachment below

In essence though malwarebytes freezes on a full scan at about one minute now. At first it stopped responding on one file (after 4 minutes) and then after running rkill it freezes on another file, same folder (after 1 minute) and so was directed to post here.

Windows Defender also stops responding on full scan at same first file folder malwarebytes first did.

QUOTE
from: http://www.bleepingcomputer.com/forums/t/287348/malwarebytes-windows-defender-freeze-on-files-in-same-folder/

I have vista sp1.

Tonight I tried to play a dvd in the pc as the dvd wasn't working on my dvd player. I never tried using the dvd player on the pc before and since it wasn't coming up in windows media I thought it may need a setting and I saw a dvd setting and while I'm very careful not to mess with things, this looked innocent, it said no region for dvd selected, so I chose united states.

The dvd did not play and then I noticed a 2nd dvd in the pack which said it was a digitized one. No clue what that was, but it had the same movie title, so I put that in, and got a message saying something about I can't watch this..something with legalities or licensing. I noticed it said blue ray, and then I realized that was why it wouldn't work in my player or the pc.

I had to use task manager to stop windows media as both of those dvd's caused the program to go into 'not responding' mode.

Windows defender then alerted me that some program was added which will autostart. The message vanished so quick I don't know what it was, but I did check the start up programs later and didn't find anything that seemed it could be a problem.

I then ran ccleaner which had normal stuff.

Then I ran a full scan of Malwarebytes.

Hours earlier I had run a quick scan of Malwarebytes and it ran fine and still does.

I have Malwarebytes 1.44; updated to database 3573; fingerprints loaded 178202 which was current a few hours ago.

On the full scan it stops at about 4 minutes into it on a file in program data\uninstall\(a lot of numbers in here)\setup.exe

I let it sit there a long time, until it said not responding then stopped the program using task manager.

I then ran a full scan of superantispyware which is current and up to date and that came back with no infections.

I then ran NIS2009 which came back no problems.

I then ran the file through virus total which came back with no results.

Then I ran malwarebytes full scan again, same problem.. freezes same place.

Then I ran windows defender which also froze in same folder but after the (number file portion) it was halted on a different sub folder.

I ran that through virus total as well, with no results or problems.

I ran malwarebytes one more time (I'm stubborn. lol) and still not getting past this file.




Then I was received help here at bleeping and told to run rkill which ran fine and I reran malwarebytes full scan.

This run it froze up on a different file, same folder: program data\symantec temporary files\nis09en.exe

Then I was directed to the:

QUOTE
Preparation Guide for use before posting about your potential Malware problem




Here is the DDS.txt file:



QUOTE
DDS (Ver_09-12-01.01) - NTFSx86
Run by michelle at 1:33:05.63 on Sat 01/16/2010
Internet Explorer: 8.0.6001.18865 BrowserJavaVersion: 1.6.0_17
Microsoft Windows Vista‚ššššž Home Premium 6.0.6001.1.1252.1.1033.18.3060.1704 [GMT -5:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Microsoft Works\WkCalRem.exe
C:\Windows\system32\AERTSrv.exe
C:\Program Files\Norton Internet Security\Engine\16.7.2.11\ccSvcHst.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\DllHost.exe
C:\Program Files\Norton Internet Security\Engine\16.7.2.11\ccSvcHst.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\explorer.exe
C:\Users\michelle\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = about:blank
uWindow Title = Internet Explorer provided by Dell
uDefault_Page_URL = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=5080428
BHO: KeyScramblerBHO Class: {2b9f5787-88a5-4945-90e7-c4b18563bc5e} - c:\program files\keyscrambler\KeyScramblerIE.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\16.7.2.11\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\16.7.2.11\IPSBHO.DLL
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\16.7.2.11\coIEPlg.dll
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [RtHDVCpl] "c:\windows\RtHDVCpl.exe"
mRun: [IgfxTray] "c:\windows\system32\igfxtray.exe"
mRun: [HotKeysCmds] "c:\windows\system32\hkcmd.exe"
mRun: [Persistence] "c:\windows\system32\igfxpers.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\users\michelle\appdata\roaming\micros~1\windows\startm~1\programs\startup\wkcalrem.lnk - c:\program files\microsoft works\WkCalRem.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - {B745F984-EF2E-40D6-A9AC-D8CED7230E61} - c:\program files\keyscrambler\KeyScramblerIE.dll
DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/en-us/wlscctrl2.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\norton internet security\engine\16.7.2.11\CoIEPlg.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxdev.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\users\michelle\appdata\roaming\mozilla\firefox\profiles\t4nhf9kc.default\
FF - component: c:\users\michelle\appdata\roaming\mozilla\firefox\profiles\t4nhf9kc.default\extensions\keyscrambler@qfx.software.corporation\components\KeyScramblerIE.dll
FF - plugin: c:\users\michelle\appdata\roaming\move networks\plugins\npqmp071500000347.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1007020.00b\SymEFA.sys [2009-9-9 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\nis\1007020.00b\BHDrvx86.sys [2009-9-9 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nis\1007020.00b\cchpx86.sys [2009-9-9 482432]
R1 IDSVix86;IDSVix86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20100112.001\IDSvix86.sys [2010-1-14 343088]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2009-1-15 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-1-15 74480]
R2 AERTFilters;Andrea RT Filters Service;c:\windows\system32\AERTSrv.exe [2007-12-5 77824]
R2 Norton Internet Security;Norton Internet Security;c:\program files\norton internet security\engine\16.7.2.11\ccSvcHst.exe [2009-9-9 117640]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-10-28 102448]
R3 KeyScrambler;KeyScrambler;c:\windows\system32\drivers\keyscrambler.sys [2008-9-8 115312]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2008-11-28 38224]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-1-15 7408]
R3 SYMNDISV;Symantec Network Filter Driver;c:\windows\system32\drivers\nis\1007020.00b\symndisv.sys [2009-9-9 48688]

============== File Associations ===============

regfile=regedit.exe "%1" %*

=============== Created Last 30 ================

2010-01-13 04:55:30 72704 ----a-w- c:\windows\system32\fontsub.dll
2010-01-13 04:55:30 156672 ----a-w- c:\windows\system32\t2embed.dll

==================== Find3M ====================

2010-01-15 13:48:16 1632 ----a-w- c:\users\michelle\appdata\roaming\wklnhst.dat
2010-01-07 21:07:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 21:07:04 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-21 06:40:20 916480 ----a-w- c:\windows\system32\wininet.dll
2009-11-21 06:34:39 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-11-21 06:34:39 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-11-21 04:59:58 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-11-11 08:03:45 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-11-09 13:22:34 24064 ----a-w- c:\windows\system32\nshhttp.dll
2009-11-09 13:20:16 31232 ----a-w- c:\windows\system32\httpapi.dll
2009-11-03 01:42:06 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-29 09:41:23 2048 ----a-w- c:\windows\system32\tzres.dll
2009-08-19 06:07:22 86016 ----a-w- c:\windows\inf\infstor.dat
2009-08-19 06:07:22 51200 ----a-w- c:\windows\inf\infpub.dat
2009-08-19 06:07:22 143360 ----a-w- c:\windows\inf\infstrng.dat
2008-07-01 21:39:44 665600 ----a-w- c:\windows\inf\drvindex.dat
2008-01-21 02:43:21 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-10-14 18:35:11 245760 --sha-w- c:\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\ietldcache\index.dat

============= FINISH: 1:33:41.56 ===============


Thank you Boopme for your help and directing me here with what to do.

Also thanks to you and anyone else who works on this problem here now as well.

Edited by Orange Blossom, 16 January 2010 - 10:12 PM.


BC AdBot (Login to Remove)

 


#2 Blind Faith

Blind Faith

  • Malware Response Team
  • 4,101 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:11:25 PM

Posted 22 January 2010 - 04:10 PM

Hello and welcome to Bleeping Computer! welcome.gif

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explaination about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE



Elle
Can you hear it?It's all around!

Tomar ki man acch?
Yadi thak, tahal
Ki kshama kart paro
?



If I haven't replied in 48 hours, please feel free to send me a PM.



Posted Image

#3 mich2394

mich2394
  • Topic Starter

  • Members
  • 37 posts
  • OFFLINE
  •  
  • Local time:04:25 PM

Posted 25 January 2010 - 08:11 AM

Hi and thanks for writing back!

Originally I posted here as both malwarebytes and windows defender were freezing on the same folder in program data and after running rkill and then running malwarebytes it again froze on a program data folder but a different one, so was directed to post here at that time.

After restart the next day I updated malwarebytes out of habit and did a full scan and it ran fine. I then read was not to install or uninstall anything until after you here at bleeping looked at my dds log. When I noticed the other day a response here asking for a new log, I then updated windows defender as well and that scan worked as well also, so I am not having the problem that triggered this thread.

Even though I am not having that problem any longer, would it be possible that you might still look at the dds log to see if there is anything wrong with the system?

I sure would appreciate it. I've been so concerned about what could possibly be wrong and even though the original problem is cleared I am concerned that there is something going on to have caused such a problem.

Due to winds in my area today, I may not be able to get back on for a time later on in the day.

Thank you and here is the dds log ran today:




QUOTE
DDS (Ver_09-12-01.01) - NTFSx86
Run by michelle at 7:39:43.50 on Mon 01/25/2010
Internet Explorer: 8.0.6001.18882 BrowserJavaVersion: 1.6.0_17
Microsoft Windows Vista Home Premium 6.0.6001.1.1252.1.1033.18.3060.2062 [GMT -5:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\RtHDVCpl.exe
C:\Windows\system32\taskeng.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Microsoft Works\WkCalRem.exe
C:\Windows\system32\AERTSrv.exe
C:\Program Files\Norton Internet Security\Engine\16.7.2.11\ccSvcHst.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Norton Internet Security\Engine\16.7.2.11\ccSvcHst.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Windows\system32\wuauclt.exe
C:\Users\michelle\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = about:blank
uWindow Title = Internet Explorer provided by Dell
uDefault_Page_URL = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=5080428
BHO: KeyScramblerBHO Class: {2b9f5787-88a5-4945-90e7-c4b18563bc5e} - c:\program files\keyscrambler\KeyScramblerIE.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\16.7.2.11\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\16.7.2.11\IPSBHO.DLL
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\16.7.2.11\coIEPlg.dll
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [RtHDVCpl] "c:\windows\RtHDVCpl.exe"
mRun: [IgfxTray] "c:\windows\system32\igfxtray.exe"
mRun: [HotKeysCmds] "c:\windows\system32\hkcmd.exe"
mRun: [Persistence] "c:\windows\system32\igfxpers.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\users\michelle\appdata\roaming\micros~1\windows\startm~1\programs\startup\wkcalrem.lnk - c:\program files\microsoft works\WkCalRem.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - {B745F984-EF2E-40D6-A9AC-D8CED7230E61} - c:\program files\keyscrambler\KeyScramblerIE.dll
DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/en-us/wlscctrl2.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\norton internet security\engine\16.7.2.11\CoIEPlg.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxdev.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\users\michelle\appdata\roaming\mozilla\firefox\profiles\t4nhf9kc.default\
FF - component: c:\users\michelle\appdata\roaming\mozilla\firefox\profiles\t4nhf9kc.default\extensions\keyscrambler@qfx.software.corporation\components\KeyScramblerIE.dll
FF - plugin: c:\users\michelle\appdata\roaming\move networks\plugins\npqmp071500000347.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1007020.00b\SymEFA.sys [2009-9-9 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\nis\1007020.00b\BHDrvx86.sys [2009-9-9 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nis\1007020.00b\cchpx86.sys [2009-9-9 482432]
R1 IDSVix86;IDSVix86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20100119.001\IDSvix86.sys [2010-1-19 343088]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2009-1-15 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-1-15 74480]
R2 AERTFilters;Andrea RT Filters Service;c:\windows\system32\AERTSrv.exe [2007-12-5 77824]
R2 Norton Internet Security;Norton Internet Security;c:\program files\norton internet security\engine\16.7.2.11\ccSvcHst.exe [2009-9-9 117640]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-10-28 102448]
R3 KeyScrambler;KeyScrambler;c:\windows\system32\drivers\keyscrambler.sys [2008-9-8 115312]
R3 SYMNDISV;Symantec Network Filter Driver;c:\windows\system32\drivers\nis\1007020.00b\symndisv.sys [2009-9-9 48688]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-1-15 7408]

============== File Associations ===============

regfile=regedit.exe "%1" %*

=============== Created Last 30 ================

2010-01-13 04:55:30 72704 ----a-w- c:\windows\system32\fontsub.dll
2010-01-13 04:55:30 156672 ----a-w- c:\windows\system32\t2embed.dll

==================== Find3M ====================

2010-01-22 15:22:36 1632 ----a-w- c:\users\michelle\appdata\roaming\wklnhst.dat
2010-01-14 16:12:06 181120 ------w- c:\windows\system32\MpSigStub.exe
2010-01-07 21:07:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 21:07:04 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-02 06:38:20 916480 ----a-w- c:\windows\system32\wininet.dll
2010-01-02 06:32:33 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-01-02 06:32:33 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-01-02 04:57:00 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-11-11 08:03:45 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-11-09 13:22:34 24064 ----a-w- c:\windows\system32\nshhttp.dll
2009-11-09 13:20:16 31232 ----a-w- c:\windows\system32\httpapi.dll
2009-10-29 09:41:23 2048 ----a-w- c:\windows\system32\tzres.dll
2009-08-19 06:07:22 86016 ----a-w- c:\windows\inf\infstor.dat
2009-08-19 06:07:22 51200 ----a-w- c:\windows\inf\infpub.dat
2009-08-19 06:07:22 143360 ----a-w- c:\windows\inf\infstrng.dat
2008-07-01 21:39:44 665600 ----a-w- c:\windows\inf\drvindex.dat
2008-01-21 02:43:21 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-10-14 18:35:11 245760 --sha-w- c:\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\ietldcache\index.dat

============= FINISH: 7:40:32.13 ===============





#4 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,771 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:10:25 PM

Posted 25 January 2010 - 12:53 PM

Hi,

your log is looking pretty fine, please run a scan with gmer as well:

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

The folder Malwarebytes is freezing on belongs to your anti virus program. It may very well be the self protection mechanism of Norton that prevented the runs.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#5 mich2394

mich2394
  • Topic Starter

  • Members
  • 37 posts
  • OFFLINE
  •  
  • Local time:04:25 PM

Posted 26 January 2010 - 02:02 PM

Hi Myrti!

Thank you for helping me! When the scan stopped it didn't say finished or anything so I just waited a moment but looks like it ran all the way.

Here is the gmer log. Looks scary to me!! I sure hope it's normal looking to you! smile.gif

Thanks again for your help!


QUOTE
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-01-26 13:45:42
Windows 6.0.6001 Service Pack 1
Running: fveslxds.exe; Driver: C:\Users\michelle\AppData\Local\Temp\uwlcqkow.sys


---- System - GMER 1.0.15 ----

SSDT 88042048 ZwAlertResumeThread
SSDT 8805B140 ZwAlertThread
SSDT 88083B58 ZwAllocateVirtualMemory
SSDT 87F43B48 ZwAlpcConnectPort
SSDT 88090048 ZwAssignProcessToJobObject
SSDT 88090A00 ZwCreateMutant
SSDT 88095118 ZwCreateSymbolicLinkObject
SSDT 880AC850 ZwCreateThread
SSDT 88086048 ZwDebugActiveProcess
SSDT 88083D70 ZwDuplicateObject
SSDT 88083438 ZwFreeVirtualMemory
SSDT 88069438 ZwImpersonateAnonymousToken
SSDT 88054610 ZwImpersonateThread
SSDT 87F261A0 ZwLoadDriver
SSDT 880832D8 ZwMapViewOfSection
SSDT 88C40048 ZwOpenEvent
SSDT 880810D8 ZwOpenProcess
SSDT 87FFF110 ZwOpenProcessToken
SSDT 8807D048 ZwOpenSection
SSDT 88083EC0 ZwOpenThread
SSDT 88095008 ZwProtectVirtualMemory
SSDT 8813DD58 ZwResumeThread
SSDT 87FE2108 ZwSetContextThread
SSDT 88083100 ZwSetInformationProcess
SSDT 88085048 ZwSetSystemInformation
SSDT 880E8090 ZwSuspendProcess
SSDT 88058068 ZwSuspendThread
SSDT 87FFE118 ZwTerminateProcess
SSDT 88018068 ZwTerminateThread
SSDT 87FE7780 ZwUnmapViewOfSection
SSDT 880837C8 ZwWriteVirtualMemory
SSDT 880956E8 ZwCreateThreadEx

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!KeSetTimerEx + 350 82AFC914 8 Bytes [48, 20, 04, 88, 40, B1, 05, ...]
.text ntkrnlpa.exe!KeSetTimerEx + 364 82AFC928 4 Bytes [58, 3B, 08, 88]
.text ntkrnlpa.exe!KeSetTimerEx + 370 82AFC934 4 Bytes [48, 3B, F4, 87]
.text ntkrnlpa.exe!KeSetTimerEx + 3C4 82AFC988 4 Bytes [48, 00, 09, 88]
.text ntkrnlpa.exe!KeSetTimerEx + 428 82AFC9EC 4 Bytes [00, 0A, 09, 88]
.text ...

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\tdx \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\tdx \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\tdx \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----

Edited by mich2394, 26 January 2010 - 02:03 PM.


#6 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,771 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:10:25 PM

Posted 27 January 2010 - 07:37 AM

Hi,

the log is clean as well. smile.gif I don't think there is an infection present on your PC. Just to be safe I would like you to urn an online scan with Eset as well:

I'd like us to scan your machine with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#7 mich2394

mich2394
  • Topic Starter

  • Members
  • 37 posts
  • OFFLINE
  •  
  • Local time:04:25 PM

Posted 28 January 2010 - 05:28 PM

Hi Myrti!

Eset scanned for about 15 minutes, scanning about 90,000 files and found no threats. I had scan archives selected as you had written to do. I was surprised it only scanned that many files as windows defender scans over 400,000 and malwarebytes over 190,000 at full scan.

But yayyyy on the clean Eset scan!!!

I wanted to tell you something that I thought of. Back in December, Malwarebytes caught trojan.fakealert on my system and quarantined it. I posted something here about a bsod about it at that time, but there was no replies as probably none was needed.

But after the quarantine was done, and restart and full scan and clean, I then took the file that the trojan.fakealert was found on and ran it through virustotal.

One scanner in the list, clamav found a result. I put the name of that result in google and got only two hits and neither were tech sites or anything I would trust to go into. I think one wasn't in english and neither looked safe at all.

So, I just deleted that folder which I had not used in a year. It was a program file.

I wish I saved that virustotal scan to know what the resultant virus or trojan or whatever it was called, but I didn't. I surely shouldn't have just deleted a program like that without coming here for help, but I can't recall why I did that at the time.

I don't know if this information is helpful to know but I thought I would post it in case it is.

Thank you so much for all your help Myrti! I sure appreciate it!

blessings,
michelle

Edited by mich2394, 29 January 2010 - 09:13 AM.


#8 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,771 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:10:25 PM

Posted 29 January 2010 - 02:11 PM

Hi,

this may be because you have more than one partition, but only scanned the system drive. I read up on your trojan.fakealert, this may well have been a false positive. A legit file that was mistakenly identified as malicious. Since you do not use the program and have since uninstalled it, I think there is no damage done.

Since your log look clean, I woul like you to update java as a next step please.
Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "Java Runtime Environment (JRE)" JRE 6 Update 18.
  • Click the Download button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u18-windows-i586.exe to install the newest version.
-- If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
-- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
-- The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#9 mich2394

mich2394
  • Topic Starter

  • Members
  • 37 posts
  • OFFLINE
  •  
  • Local time:04:25 PM

Posted 29 January 2010 - 08:33 PM

Hi!

Thank you for letting me know about the Java. Wow, I had no idea I missed out on that update. The step by step directions were awesome too!

Also, thank you for looking into the trojan fake alert. I appreciate you taking the time to do that, and glad to know it could very well have been a false positive.

After reading that, I had to laugh at myself thinking of the panic I was going through after running it through virustotal and all and the quick knee jerk reaction I had to just delete the program. hysterical.gif

Here are the files I've used for scanning and one other. Is it alright to delete them?

I have - DDS, rkill, rootrepeal, the gmer one, and then a settings.dat with zero kb which was created on my desktop when I was running one of those as well.

Thank you so much Myrti! thumbup.gif Breathing much better now! Oh wow, when I saw that rootkit scan result, how scary looking that was.. lol

ttys,
Michelle cold.gif



#10 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,771 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:10:25 PM

Posted 29 January 2010 - 08:37 PM

Hi,

yeah, rootkit scans nowadays usually look scary. That's because anti virus programs have to use the same or similar methods as rootkit to survive malware attacks. The entries you see in the gmer log are all caused by Norton.

Since everything is great now, all that is left to do is to remove the programs we used. And we actually have a tool for that too smile.gif

Read those last few lines, in order to keep your pc safe and clean:
Please do the following to clean up your PC:
  1. Delete the tools used during the disinfection:
    • Download OTC from the following mirrors and save it to your desktop:
    • Double click on
    • Push the large "Cleanup" button.
    • Allow your system to reboot.
  2. If OTC faild to remove all programs from your Desktop, please delete the rest manually.
  3. Disable and Enable System Restore.
    You can find instructions on how to disable and reenable system restore here:
    Windows ME System Restore Guide
    Windows XP System Restore Guide
    Windows Vista System Restore Guide

    Note: You should only do this once, not on a regular basis!
    You will not be able to restore computer to any earlier than today!

Please read these advices, in order to prevent reinfecting your PC:
  1. Install and update the following programs regularly:
    • an outbound firewall
      A comprehensive tutorial and a list of possible firewalls can be found here.
    • an AntiVirus Software
      It is imperative that you update your AntiVirus Software on regular basis.If you do not update your AntiVirus Software then it will not be able to catch the latest threats.
    • an Anti-Spyware program
      Malware Byte's Anti Malware is an excellent Anti-Spyware scanner. It's scan times are usually under ten minutes, and has excellent detection and removal rates.
      SUPERAntiSpyware is another good scanner with high detection and removal rates.
      Both programs are free for non commercial home use but provide a resident and do not nag if you purchase the paid versions.
    • Spyware Blaster
      A tutorial for Spywareblaster can be found here. If you wish, the commercial version provides automatic updating.
    • MVPs hosts file
      A tutorial for MVPs hosts file can be found here. If you would like automatic updates you might want to take a look at HostMan host file manager. For more information on thehosts file, and what it can do for you,please consult the Tutorial on the Hosts file
  2. Keep Windows (and your other Microsoft software) up to date!
    I cannot stress how important this is enough. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holeswill allow an attacker unrestricted access to your computer.
    Therefore, please, visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!
  3. Keep your other software up to date as well
    Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out of date software on yourmachine.
  4. Stay up to date!
    The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variantsevery single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing sad.gif.
Some more links you might find of interest:Have a nice day
myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#11 mich2394

mich2394
  • Topic Starter

  • Members
  • 37 posts
  • OFFLINE
  •  
  • Local time:04:25 PM

Posted 29 January 2010 - 10:24 PM

Hi!

I may have messed up the disable and turn back on system restore. I have windows vista.

I disabled fine.

But when I went to put it back on I think I messed up.

I put the check mark in the two drives, and it showed 'create a restore point'? I said yes, and gave it a name, it then took about 10 seconds which didn't seem a long time for making a restore point for the pc.

But then I read the directions again, and it didn't say to do it like that. It says put the check marks next to the drives and then hit apply. I hadn't done that, as I hit create instead.

So I don't know if it is on or not.

When I go in there it shows the 2 drives with check marks in them, the most recent restore point date and time I had done, but do you think it is on?

And don't you think 10 seconds to create a restore point for c drive and recovery drive d is sort of short?

I did search on google for how to know was on, but saw nothing showing.

Thanks!

Edited by mich2394, 29 January 2010 - 10:26 PM.


#12 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,771 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:10:25 PM

Posted 29 January 2010 - 10:41 PM

Hi,

system restore does not make a full backup, it only backsup some essential files and settings. Hence it is not unusual for it to only take a very short time. It also only takes up a fraction of the space it is running a backup of.

System Restore needs to be running to be able to create a system restore point. Since you were able to create a restore point and it was still present when you checked again, I would think, that the service is running fine.


If you want to do a full backup of your system and files, I would suggest you take a look at the link for cobian backup I gave in my previous post.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#13 mich2394

mich2394
  • Topic Starter

  • Members
  • 37 posts
  • OFFLINE
  •  
  • Local time:04:25 PM

Posted 29 January 2010 - 11:28 PM

Oh wow, thank you Mryti! Phew!

Thank you again for all your help and care in all this and for all your help on the site to others as well.

You're so very kind! smile.gif

blessings and take care,
Michelle

Edited by mich2394, 29 January 2010 - 11:29 PM.


#14 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,771 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:10:25 PM

Posted 30 January 2010 - 09:11 AM

Hi,

you're very welcome! smile.gif

If you don't have any further questions, I'll close this topic.

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#15 mich2394

mich2394
  • Topic Starter

  • Members
  • 37 posts
  • OFFLINE
  •  
  • Local time:04:25 PM

Posted 30 January 2010 - 09:49 AM

Hi!

You surely have cleared up everything for me on this problem I had! I can't think of any more questions on this. I feel so very relieved knowing things are okay and confident because you are so very thorough.

Thank you Myrti for everything! You're awesome! clapping.gif thumbup.gif thumbup2.gif






0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users