remove corrupted backups

tomiso · November 2, 2012

I ve recently joined the site and had some difficulty using the search engine. On the plus site i ve read some interesting threads. Today I downloaded and used MBAM, removing 102 problems incl 2 exe files.

However I think the advice on one thread was to follow this up by making new backups of both files and system ( which I think i ve done) followed by removing/deleting the old corrupted backups (cannot find the original thread)

Going through Computer I get D(data) which has 26GB used and loads spare however all the sub files add up to approx 0 and clicking on D opens the sub files.

Some assistance with the next steps would be appreciated

Starbuck · November 2, 2012

Hi tomiso and welcome to FPCH.

However I think the advice on one thread was to follow this up by making new backups of both files and system

Are you reffering to clearing the old restore points and creating a new one?

Is this what you are reffering to:

Now you should set a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

Click on Start... Control Panel... System and Maintenance... System
Click on System Protection in the left-hand task list.
Uncheck the checkboxes next to each hard drive listed under the Create restore points automatically on the selected disks: section.

When you uncheck a disk you will be presented with a screen.
You should click on the Turn System Protection Off button.
Click Apply and then OK.

Reboot your computer.

Now:
Click on Start... Control Panel... System and Maintenance... System
Click on System Protection in the left-hand task list.
Put a checkmark in the checkboxes next to each hard drive listed under the Create restore points automatically on the selected disks: section.
Click Apply and then OK.

Your System restore will now be active again... starting with a new restore point.

tomiso · November 2, 2012

Hi Starbuck

This looks like the very dab, thanks for quick reply, will try to repeat.

Tom

Starbuck · November 2, 2012

I downloaded and used MBAM, removing 102 problems incl 2 exe files.

To be honest, if i were you i'd post the MBAM report here and we'll advise you if any further action may be required.

It will all depend on what the 102 problems were!

Start Malwarebytes AntiMalware.

Click on the logs tab.

The logs are date stamped ... double click on the log that showed the infection items.

http://img.photobucket.com/albums/v708/starbuck50/new/mbamlog.png

It'll open in notepad.

Please copy/paste the report in your next reply.

Thanks

tomiso · November 2, 2012

hi Starbuck

will look out log next.

re prev peply i followed instructions , at unchecking boxes I have three options PQservice ???? disc C which was ticked and disc D. Neither D nor PQ were ticked. This was surprising as files backup was supposed to be saved to D.

After reboot while accessing system and maintenance the computer frose , but i chose normal start and finished.

I then checked disk usage disk C had fallen by 14Gb while disc D was unchanged.

What is PQservice disc?

What is the reduction in usage of disc C?

what is the 26 GB in disc D and how do I see it?

tomiso · November 2, 2012

hi starbuck

1st log

alwarebytes Anti-Malware (Trial) 1.65.1.1000

www.malwarebytes.org

Database version: v2012.11.02.06

Windows Vista Service Pack 2 x86 NTFS

Internet Explorer 9.0.8112.16421

tom :: TOM-PC [administrator]

Protection: Enabled

02/11/2012 12:13:00

mbam-log-2012-11-02 (12-13-00).txt

Scan type: Quick scan

Scan options disabled: P2P

Objects scanned: 216957

Time elapsed: 5 minute(s), 8 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 99

HKCR\CLSID\{147A976F-EEE1-4377-8EA7-4716E4CDD239} (PUP.MyWebSearch) -> Quarantined and deleted successfully.

HKCR\CLSID\{1E0DE227-5CE4-4ea3-AB0C-8B03E1AA76BC} (PUP.MyWebSearch) -> Quarantined and deleted successfully.

HKCR\CLSID\{A4730EBE-43A6-443e-9776-36915D323AD3} (PUP.MyWebSearch) -> Quarantined and deleted successfully.

HKCR\Typelib\{07B18EA0-A523-4961-B6BB-170DE4475CCA} (PUP.MyWebSearch) -> Quarantined and deleted successfully.

HKCR\Interface\{07B18EAA-A523-4961-B6BB-170DE4475CCA} (PUP.MyWebSearch) -> Quarantined and deleted successfully.

HKCR\Typelib\{0D26BC71-A633-4E71-AD31-EADC3A1B6A3A} (PUP.MyWebSearch) -> Quarantined and deleted successfully.

HKCR\Interface\{E342AF55-B78A-4CD0-A2BB-DA7F52D9D25E} (PUP.MyWebSearch) -> Quarantined and deleted successfully.

HKCR\Typelib\{29D67D3C-509A-4544-903F-C8C1B8236554} (PUP.MyWebSearch) -> Quarantined and deleted successfully.

HKCR\Interface\{2E3537FC-CF2F-4F56-AF54-5A6A3DD375CC} (PUP.MyWebSearch) -> Quarantined and deleted successfully.

HKCR\Typelib\{3E720450-B472-4954-B7AA-33069EB53906} (PUP.MyWebSearch) -> Quarantined and deleted successfully.

HKCR\Interface\{3E720451-B472-4954-B7AA-33069EB53906} (PUP.MyWebSearch) -> Quarantined and deleted successfully.

HKCR\Typelib\{7473D290-B7BB-4F24-AE82-7E2CE94BB6A9} (PUP.MyWebSearch) -> Quarantined and deleted successfully.

HKCR\Interface\{7473D291-B7BB-4F24-AE82-7E2CE94BB6A9} (PUP.MyWebSearch) -> Quarantined and deleted successfully.

HKCR\Typelib\{8CA01F0E-987C-49C3-B852-2F1AC4A7094C} (PUP.MyWebSearch) -> Quarantined and deleted successfully.

HKCR\Interface\{1093995A-BA37-41D2-836E-091067C4AD17} (PUP.MyWebSearch) -> Quarantined and deleted successfully.

HKCR\Typelib\{8E6F1830-9607-4440-8530-13BE7C4B1D14} (PUP.MyWebSearch) -> Quarantined and deleted successfully.

HKCR\Interface\{63D0ED2B-B45B-4458-8B3B-60C69BBBD83C} (PUP.MyWebSearch) -> Quarantined and deleted successfully.

HKCR\Typelib\{C8CECDE3-1AE1-4C4A-AD82-6D5B00212144} (PUP.MyWebSearch) -> Quarantined and deleted successfully.

HKCR\Interface\{17DE5E5E-BFE3-4E83-8E1F-8755795359EC} (PUP.MyWebSearch) -> Quarantined and deleted successfully.

HKCR\Typelib\{D518921A-4A03-425E-9873-B9A71756821E} (PUP.MyWebSearch) -> Quarantined and deleted successfully.

HKCR\Interface\{CF54BE1C-9359-4395-8533-1657CF209CFE} (PUP.MyWebSearch) -> Quarantined and deleted successfully.

HKCR\Typelib\{E47CAEE0-DEEA-464A-9326-3F2801535A4D} (PUP.MyWebSearch) -> Quarantined and deleted successfully.

HKCR\Interface\{3E1656ED-F60E-4597-B6AA-B6A58E171495} (PUP.MyWebSearch) -> Quarantined and deleted successfully.

HKCR\Typelib\{E79DFBC0-5697-4FBD-94E5-5B2A9C7C1612} (PUP.MyWebSearch) -> Quarantined and deleted successfully.

HKCR\Interface\{72EE7F04-15BD-4845-A005-D6711144D86A} (PUP.MyWebSearch) -> Quarantined and deleted successfully.

HKCR\Typelib\{F42228FB-E84E-479E-B922-FBBD096E792C} (PUP.MyWebSearch) -> Quarantined and deleted successfully.

HKCR\Interface\{6E74766C-4D93-4CC0-96D1-47B8E07FF9CA} (PUP.MyWebSearch) -> Quarantined and deleted successfully.

HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256A51-B582-467e-B8D4-7786EDA79AE0} (Trojan.Vundo) -> Quarantined and deleted successfully.

HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256A51-B582-467e-B8D4-7786EDA79AE0} (Trojan.Vundo) -> Quarantined and deleted successfully.

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{07B18EAB-A523-4961-B6BB-170DE4475CCA} (PUP.MyWebSearch) -> Quarantined and deleted successfully.

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07B18EAB-A523-4961-B6BB-170DE4475CCA} (PUP.MyWebSearch) -> Quarantined and deleted successfully.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{07B18EAB-A523-4961-B6BB-170DE4475CCA} (PUP.MyWebSearch) -> Quarantined and deleted successfully.

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{1E0DE227-5CE4-4EA3-AB0C-8B03E1AA76BC} (PUP.MyWebSearch) -> Quarantined and deleted successfully.

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{3DC201FB-E9C9-499C-A11F-23C360D7C3F8} (PUP.MyWebSearch) -> Quarantined and deleted successfully.

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3DC201FB-E9C9-499C-A11F-23C360D7C3F8} (PUP.MyWebSearch) -> Quarantined and deleted successfully.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{3DC201FB-E9C9-499C-A11F-23C360D7C3F8} (PUP.MyWebSearch) -> Quarantined and deleted successfully.

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{9FF05104-B030-46FC-94B8-81276E4E27DF} (PUP.MyWebSearch) -> Quarantined and deleted successfully.

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{9FF05104-B030-46FC-94B8-81276E4E27DF} (PUP.MyWebSearch) -> Quarantined and deleted successfully.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{9FF05104-B030-46FC-94B8-81276E4E27DF} (PUP.MyWebSearch) -> Quarantined and deleted successfully.

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00A6FAF6-072E-44CF-8957-5838F569A31D} (PUP.MyWebSearch) -> Quarantined and deleted successfully.

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (PUP.MyWebSearch) -> Quarantined and deleted successfully.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (PUP.MyWebSearch) -> Quarantined and deleted successfully.

HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59C7FC09-1C83-4648-B3E6-003D2BBC7481} (PUP.MyWebSearch) -> Quarantined and deleted successfully.

HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68AF847F-6E91-45dd-9B68-D6A12C30E5D7} (PUP.MyWebSearch) -> Quarantined and deleted successfully.

HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170B96C-28D4-4626-8358-27E6CAEEF907} (PUP.MyWebSearch) -> Quarantined and deleted successfully.

HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D1A71FA0-FF48-48dd-9B6D-7A13A3E42127} (PUP.MyWebSearch) -> Quarantined and deleted successfully.

HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{DDB1968E-EAD6-40fd-8DAE-FF14757F60C7} (PUP.MyWebSearch) -> Quarantined and deleted successfully.

HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F138D901-86F0-4383-99B6-9CDD406036DA} (PUP.MyWebSearch) -> Quarantined and deleted successfully.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{25560540-9571-4D7B-9389-0F166788785A} (PUP.MyWebSearch) -> Quarantined and deleted successfully.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{3E720452-B472-4954-B7AA-33069EB53906} (PUP.MyWebSearch) -> Quarantined and deleted successfully.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{63D0ED2C-B45B-4458-8B3B-60C69BBBD83C} (PUP.MyWebSearch) -> Quarantined and deleted successfully.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{7473D294-B7BB-4f24-AE82-7E2CE94BB6A9} (PUP.MyWebSearch) -> Quarantined and deleted successfully.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{98D9753D-D73B-42D5-8C85-4469CDA897AB} (PUP.MyWebSearch) -> Quarantined and deleted successfully.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{E79DFBCA-5697-4fbd-94E5-5B2A9C7C1612} (PUP.MyWebSearch) -> Quarantined and deleted successfully.

HKCR\FunWebProducts.DataControl (PUP.MyWebSearch) -> Quarantined and deleted successfully.

HKCR\FunWebProducts.DataControl.1 (PUP.MyWebSearch) -> Quarantined and deleted successfully.

HKCR\FunWebProducts.HistoryKillerScheduler (PUP.MyWebSearch) -> Quarantined and deleted successfully.

HKCR\FunWebProducts.HistoryKillerScheduler.1 (PUP.MyWebSearch) -> Quarantined and deleted successfully.

HKCR\FunWebProducts.HistorySwatterControlBar (PUP.MyWebSearch) -> Quarantined and deleted successfully.

HKCR\FunWebProducts.HistorySwatterControlBar.1 (PUP.MyWebSearch) -> Quarantined and deleted successfully.

HKCR\FunWebProducts.HTMLMenu (PUP.MyWebSearch) -> Quarantined and deleted successfully.

HKCR\FunWebProducts.HTMLMenu.1 (PUP.MyWebSearch) -> Quarantined and deleted successfully.

HKCR\FunWebProducts.HTMLMenu.2 (PUP.MyWebSearch) -> Quarantined and deleted successfully.

HKCR\FunWebProducts.IECookiesManager (PUP.MyWebSearch) -> Quarantined and deleted successfully.

HKCR\FunWebProducts.IECookiesManager.1 (PUP.MyWebSearch) -> Quarantined and deleted successfully.

HKCR\FunWebProducts.KillerObjManager (PUP.MyWebSearch) -> Quarantined and deleted successfully.

HKCR\FunWebProducts.KillerObjManager.1 (PUP.MyWebSearch) -> Quarantined and deleted successfully.

HKCR\FunWebProducts.PopSwatterBarButton (PUP.MyWebSearch) -> Quarantined and deleted successfully.

HKCR\FunWebProducts.PopSwatterBarButton.1 (PUP.MyWebSearch) -> Quarantined and deleted successfully.

HKCR\FunWebProducts.PopSwatterSettingsControl (PUP.MyWebSearch) -> Quarantined and deleted successfully.

HKCR\FunWebProducts.PopSwatterSettingsControl.1 (PUP.MyWebSearch) -> Quarantined and deleted successfully.

HKCR\MyWebSearch.ChatSessionPlugin (PUP.MyWebSearch) -> Quarantined and deleted successfully.

HKCR\MyWebSearch.ChatSessionPlugin.1 (PUP.MyWebSearch) -> Quarantined and deleted successfully.

HKCR\MyWebSearch.HTMLPanel (PUP.MyWebSearch) -> Quarantined and deleted successfully.

HKCR\MyWebSearch.HTMLPanel.1 (PUP.MyWebSearch) -> Quarantined and deleted successfully.

HKCR\MyWebSearch.MultipleButton (PUP.MyWebSearch) -> Quarantined and deleted successfully.

HKCR\MyWebSearch.MultipleButton.1 (PUP.MyWebSearch) -> Quarantined and deleted successfully.

HKCR\MyWebSearch.OutlookAddin (PUP.MyWebSearch) -> Quarantined and deleted successfully.

HKCR\MyWebSearch.OutlookAddin.1 (PUP.MyWebSearch) -> Quarantined and deleted successfully.

HKCR\MyWebSearch.PseudoTransparentPlugin (PUP.MyWebSearch) -> Quarantined and deleted successfully.

HKCR\MyWebSearch.PseudoTransparentPlugin.1 (PUP.MyWebSearch) -> Quarantined and deleted successfully.

HKCR\MyWebSearch.ThirdPartyInstaller (PUP.MyWebSearch) -> Quarantined and deleted successfully.

HKCR\MyWebSearch.ThirdPartyInstaller.1 (PUP.MyWebSearch) -> Quarantined and deleted successfully.

HKCR\MyWebSearch.UrlAlertButton (PUP.MyWebSearch) -> Quarantined and deleted successfully.

HKCR\MyWebSearch.UrlAlertButton.1 (PUP.MyWebSearch) -> Quarantined and deleted successfully.

HKCR\MyWebSearchToolBar.SettingsPlugin (PUP.MyWebSearch) -> Quarantined and deleted successfully.

HKCR\MyWebSearchToolBar.SettingsPlugin.1 (PUP.MyWebSearch) -> Quarantined and deleted successfully.

HKCR\MyWebSearchToolBar.ToolbarPlugin (PUP.MyWebSearch) -> Quarantined and deleted successfully.

HKCR\MyWebSearchToolBar.ToolbarPlugin.1 (PUP.MyWebSearch) -> Quarantined and deleted successfully.

HKCR\ScreenSaverControl.ScreenSaverInstaller (PUP.MyWebSearch) -> Quarantined and deleted successfully.

HKCR\ScreenSaverControl.ScreenSaverInstaller.1 (PUP.MyWebSearch) -> Quarantined and deleted successfully.

HKCU\SOFTWARE\MyWebSearch (PUP.MyWebSearch) -> Quarantined and deleted successfully.

HKLM\SOFTWARE\FocusInteractive (PUP.MyWebSearch) -> Quarantined and deleted successfully.

HKLM\SOFTWARE\Fun Web Products (PUP.MyWebSearch) -> Quarantined and deleted successfully.

HKLM\SOFTWARE\MyWebSearch (PUP.MyWebSearch) -> Quarantined and deleted successfully.

HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (PUP.MyWebSearch) -> Quarantined and deleted successfully.

HKLM\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (PUP.MyWebSearch) -> Quarantined and deleted successfully.

HKLM\SOFTWARE\Microsoft\Office\Outlook\Addins\MyWebSearch.OutlookAddin (PUP.MyWebSearch) -> Quarantined and deleted successfully.

HKLM\SOFTWARE\Microsoft\Office\Word\Addins\MyWebSearch.OutlookAddin (PUP.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Detected: 4

HKCU\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{07B18EA9-A523-4961-B6BB-170DE4475CCA} (PUP.MyWebSearch) -> Data: -> Quarantined and deleted successfully.

HKCU\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser|{07B18EA9-A523-4961-B6BB-170DE4475CCA} (PUP.MyWebSearch) -> Data: ©Ž±�#¥aI¶»�

äG\Ê -> Quarantined and deleted successfully.

HKLM\SOFTWARE\Microsoft\Windows Media\WMSDK\Sources|f3PopularScreensavers (PUP.MyWebSearch) -> Data: C:\Program Files\MyWebSearch\bar\3.bin\F3SCRCTR.DLL -> Quarantined and deleted successfully.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform|FunWebProducts (PUP.MyWebSearch) -> Data: -> Quarantined and deleted successfully.

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 2

C:\Windows\System32\f3PSSavr.scr (PUP.FunWebProducts) -> Quarantined and deleted successfully.

C:\Windows\System32\f3PSSavr.scr (Trojan.Agent) -> Quarantined and deleted successfully.

(end)

tomiso · November 2, 2012

2nd log

2012/11/02 11:35:53 GMT TOM-PC tom MESSAGE Starting protection

2012/11/02 11:35:53 GMT TOM-PC tom MESSAGE Protection started successfully

2012/11/02 11:35:53 GMT TOM-PC tom MESSAGE Starting IP protection

2012/11/02 11:35:58 GMT TOM-PC tom MESSAGE IP Protection started successfully

2012/11/02 11:36:09 GMT TOM-PC tom MESSAGE Starting database refresh

2012/11/02 11:36:09 GMT TOM-PC tom MESSAGE Stopping IP protection

2012/11/02 11:36:09 GMT TOM-PC tom MESSAGE IP Protection stopped successfully

2012/11/02 11:36:12 GMT TOM-PC tom MESSAGE Database refreshed successfully

2012/11/02 11:36:12 GMT TOM-PC tom MESSAGE Starting IP protection

2012/11/02 11:36:17 GMT TOM-PC tom MESSAGE IP Protection started successfully

2012/11/02 11:42:28 GMT TOM-PC tom MESSAGE Executing scheduled update: Daily

2012/11/02 11:42:30 GMT TOM-PC tom MESSAGE Database already up-to-date

2012/11/02 12:31:51 GMT TOM-PC tom MESSAGE Starting protection

2012/11/02 12:31:51 GMT TOM-PC tom MESSAGE Protection started successfully

2012/11/02 12:31:51 GMT TOM-PC tom MESSAGE Starting IP protection

2012/11/02 12:31:54 GMT TOM-PC tom MESSAGE IP Protection started successfully

2012/11/02 19:51:59 GMT TOM-PC tom MESSAGE Starting protection

2012/11/02 19:51:59 GMT TOM-PC tom MESSAGE Protection started successfully

2012/11/02 19:51:59 GMT TOM-PC tom MESSAGE Starting IP protection

2012/11/02 19:52:06 GMT TOM-PC tom MESSAGE IP Protection started successfully

2012/11/02 19:58:39 GMT TOM-PC tom MESSAGE Starting protection

2012/11/02 19:58:39 GMT TOM-PC tom MESSAGE Protection started successfully

2012/11/02 19:58:39 GMT TOM-PC tom MESSAGE Starting IP protection

2012/11/02 19:58:48 GMT TOM-PC tom MESSAGE IP Protection started successfully

Starbuck · November 2, 2012

Hi tomiso

First off, nothing to really worry about in the MBAM report.

Basically MBAM just got rid of 'Web Search' for you.

This normally gets installed as a by product of another program and isn't normally installed with your permission.

That's why it's rated 'PUP' (potentially unwanted program)

MBAM is very good at cleaning this sort of thing.

I have three options PQservice ???? disc C which was ticked and disc D. Neither D nor PQ were ticked. This was surprising as files backup was supposed to be saved to D.

A PQservice drive is a partition found most often on netbook and laptop hard drives that contains the operating system and drivers.

and is used to restore laptops when they crash or shut down unexpectedly due to a low battery.

so this won't be ticked.

As for the D drive.... it depends on whether this is a seperate partition or as is normal, the CD/DVD drive.

If the D drive is the CD/DVD drive... then it won't be ticked.

Only the 'Local' drives will be backed by system restore.

When you say that you backup to the d drive, do you mean that you backup onto a disc?

I then checked disk usage disk C had fallen by 14Gb while disc D was unchanged.

If the C drive is the main drive and the D drive is the CD/DVD drive... this is to be expected.

You will have removed all the old restore points ( which can be quite a large amount depending on how much you allow for them) from The C drive and feed up the space.

As the CD/DVD drive isn't backed up ... there's nothing to remove.

I see from the report that you are running a 32bit system.

If you want us to look at the drives and the structure used on your system, just follow the step below.

Download ListParts to your Desktop.

Double click ListParts.exe to launch the program.
Press the Scan button.
When finished scanning it will make a log Result.txt on your Desktop.
Please post me the contents of the log in your next reply.

Edited November 3, 2012 by Starbuck

tomiso · November 4, 2012

hi starbuck

In prev post I meant that I could not see the used content of drive D on the hard disc. When using the Back up and restore screen it is stated on the screen that backup files will go to D. Earlier today I unticked the box on drive SQservices and left drives C and D ticked. After a file back up C had an addition 4Gb and i think D has added 1Gb

How do I view Contents of SQ and D drives, in the longer term I may wih to move the partition?

ListParts by Farbar Version: 30-10-2012

Ran by tom (administrator) on 04-11-2012 at 17:02:25

Windows Vista (X86)

Running From: C:\Users\tom\Desktop\ListParts.exe

Language: 0409

************************************************************

========================= Memory info ======================

Percentage of memory in use: 55%

Total physical RAM: 2046.83 MB

Available physical RAM: 909.18 MB

Total Pagefile: 5994.04 MB

Available Pagefile: 4163 MB

Total Virtual: 2047.88 MB

Available Virtual: 1965 MB

======================= Partitions =========================

1 Drive c: (ACER) (Fixed) (Total:101.86 GB) (Free:47.57 GB) NTFS ==>[Drive with boot components (obtained from BCD)]

2 Drive d: (DATA) (Fixed) (Total:111.43 GB) (Free:83.96 GB) NTFS

Disk ### Status Size Free Dyn Gpt

-------- ---------- ------- ------- --- ---

Disk 0 Online 233 GB 10 GB

Disk 1 No Media 0 B 0 B

Disk 2 No Media 0 B 0 B

Disk 3 No Media 0 B 0 B

Disk 4 No Media 0 B 0 B

Disk 5 No Media 0 B 0 B

Partitions of Disk 0:

===============

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 OEM 10 GB 32 KB

Partition 2 Primary 102 GB 10 GB

Partition 3 Primary 111 GB 121 GB

======================================================================================================

Disk: 0

Partition 1

Type : 27

Hidden: Yes

Active: No

There is no volume associated with this partition.

======================================================================================================

Disk: 0

Partition 2

Type : 06

Hidden: No

Active: Yes

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 1 C ACER NTFS Partition 102 GB Healthy System (partition with boot components)

======================================================================================================

Disk: 0

Partition 3

Type : 07

Hidden: No

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 2 D DATA NTFS Partition 111 GB Healthy

======================================================================================================

****** End Of

Looking fwd to your reply and thanks in advance.

I have another problem with accessing BBc iplayer /flash/long scripts but as my original querie has been solved i'll open another thread.

tom

Starbuck · November 5, 2012

How do I view Contents of SQ and D drives, in the longer term I may wih to move the partition?

To be honest, these partitions are best left alone.

Disk: 0
Partition 1
Type : 27
Hidden: Yes
Active: No

This is obviously the PQservice drive and is set as 'Hidden' so the data can't be accidentally removed.

Disk: 0
Partition 2
Type : 06
Hidden: No
Active: Yes
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 C ACER NTFS Partition 102 GB Healthy System (partition with boot components)

Your main drive (C drive)

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 D DATA NTFS Partition 111 GB Healthy

Your D drive:

Is not set as active, so probably contains the data (programs etc) that was installed on the system when it was bought.

Always handy if you ever need to reinstall the system at some point.

Obviously this drive doesn't need to be activated for the system restore.

I'd like you to do an ESET OnlineScan

You may find it beneficial to close your resident AV program before running the scan.

Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan
Click the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetOnline.png button.
For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
- Click on http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetSmartInstall.png to download the ESET Smart Installer.
  Save it to your desktop.
- Double click on the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetSmartInstallDesktopIcon.png icon on your desktop.
[*]Check http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetAcceptTerms.png
[*]Click the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetStart.png button.
[*]Accept any security warnings from your browser.
[*]Check http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetScanArchives.png
[*] Make sure that the option Remove found threats is ticked, and the option Scan unwanted applications is checked
[*]Click the Start button.
[*]ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
[*]When the scan completes, push http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetListThreats.png
[*]Click http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetExport.png, and save the file to your desktop using a unique name, such as ESETScan.
Include the contents of this report in your next reply.
[*]Click the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetBack.png button.
[*]Click http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetFinish.png

A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt

Note:

It's been found that on some systems the Eset's Online Scan fails during the database download ( around 20% )

To prevent this happening:

When the Computer scan settings display shows, click the Advanced option, the place a check next to the following (if it is not already checked):

Enable Anti-Stealth technology

http://img.photobucket.com/albums/v708/starbuck50/eset.png

tomiso · November 5, 2012

Hi Starbuck

When I ran eset it detected Windows Defender which was/is turned off.

ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

esets_scanner_update returned -1 esets_gle=53251

During the run it identified 2 threats? in Win 32

Almost 50% of my hard drive is hidden or not active. Is moving the partition very difficult/ dangerous .

How do I view drive D?

I thought it was good practise to save restore point in a seperate drive?

Tom

Starbuck · November 6, 2012

Hi Tom

During the run it identified 2 threats? in Win 32

What threats did it find?

Was a report generated here:

C:\Program Files\ESET\ESET Online Scanner\log.txt

Almost 50% of my hard drive is hidden or not active. Is moving the partition very difficult/ dangerous .

It shouldn't be too bad as you are using Vista..... but there is always a danger that things could go wrong.

Maybe you would be better off transferring some of the space allocated to the D partition and adding it to your C partition.

This way you keep the D partition with the backed up data and still gain more free space on your C partition.

We can advise you on how to accomplish this.

I thought it was good practise to save restore point in a seperate drive?

It's good practise to keep your backups on a separate drive .... meaning an external drive, USB stick etc.

Restore points are better off on the main drive.

This way they are easier for the OS to find if needed.

Don't forget.... Although they are called the C drive and the D drive, they are really partitions of your main Hard drive.

So if the hard drive was to fail..... both partitions would go as well.

Do you see what i mean?

I kept all the old hard drives from my older systems.

Then bought an enclosure and fitted one of the hard drives in to the enclosure so that it worked like an external backup storage area.

I then take an image of my whole system once a week and store it on this external backup.

If i ever have a problem i can restore an image of the whole system and be back up and running in no time.

If you have a spare hard drive, we can explain this as well.

How do I view drive D?

Disk: 0

Partition 3

Type : 07

Hidden: No

Active: No

It's not showing as being hidden, so you should be able to access it from:

Start >> Computer

It should be showing as 'Local Disc D'

Right click on this and select 'Explore'.

Let me know about those threats found and when we've finished we can sort out any partition swapping or back up info for you.

tomiso · November 9, 2012

Hi Tom
hi Starbuck

What threats did it find?
Was a report generated here:
C:\Program Files\ESET\ESET Online Scanner\log.txt

see above for log.txt report. during the run some threat report/list was made which started as win 32 but I didn,t look too close as I expected a full txt report. In the event I think some windows stuff was seen as a threat as my windows icon on the toolbar disappeared, however it reappeared after I restarted. The only other Txt type file that i've located is a list of 5 NQF and NDF files but the copy function is greyed out. It does not look as if any threats were identifyed eset quick scan

Maybe you would be better off transferring some of the space allocated to the D partition and adding it to your C partition.

Sounds good.

It's good practise to keep your backups on a separate drive .... meaning an external drive, USB stick etc

Understood.

If you have a spare hard drive, we can explain this as well.

Not at present but I think I can source one and would be interested.

Start >> Computer
It should be showing as 'Local Disc D'
Right click on this and select 'Explore'.

I tried to explain this earlier, selecting explore brings up 5 sub folders with a total of say 12kb compared to 26 MB used in Drive D.

Tom

Edited November 9, 2012 by tomiso

Starbuck · November 10, 2012

Hi Tom,

Let's take a closer look at this and see if anything gets thrown up.

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1

Link 2

http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_FF.gif

http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_rename.gif

This is an example, you may rename ComboFix to anything you want.

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with the running of ComboFix.
For more information read:
How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

Then:

Double click on Combo-Fix.exe & follow the prompts.

Vista/Win7 users should right click on the icon and select Run as Administrator.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

If running Vista/Win7, you will not see the recovery console screens as they are Win XP related
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

http://img.photobucket.com/albums/v708/starbuck50/cf1.png

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/whatnext.png

Click on Yes, to continue scanning for malware.

Note:

Do not mouseclick combofix's window while it's running. That may cause it to stall

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Thanks

tomiso · November 11, 2012

Hi Starbuck

as requested ComboFix.txt

ComboFix 12-11-09.02 - tom 11/11/2012 10:29:37.1.2 - x86

Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.2047.903 [GMT 0:00]

Running from: c:\users\tom\Desktop\Com-boFix.exe

AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}

SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\programdata\AMMYY

c:\programdata\AMMYY\hr

c:\programdata\AMMYY\settings.bin

c:\users\tom\AppData\Local\.#

c:\users\tom\AppData\Local\.#\MBX@1210@1B31E58.###

c:\users\tom\AppData\Local\.#\MBX@1210@1B31F18.###

c:\users\tom\AppData\Local\.#\MBX@1210@1B31F38.###

c:\users\tom\AppData\Local\.#\MBX@166C@1BD1E58.###

c:\users\tom\AppData\Local\.#\MBX@166C@1BD1F18.###

c:\users\tom\AppData\Local\.#\MBX@166C@1BD1F38.###

c:\users\tom\AppData\Local\.#\MBX@19E0@1961E58.###

c:\users\tom\AppData\Local\.#\MBX@19E0@1961F18.###

c:\users\tom\AppData\Local\.#\MBX@19E0@1961F38.###

.

((((((((((((((((((((((((( Files Created from 2012-10-11 to 2012-11-11 )))))))))))))))))))))))))))))))

.

2012-11-05 22:18 . 2012-11-05 22:18 -------- d-----w- c:\program files\ESET

2012-11-04 20:55 . 2012-11-04 20:55 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-11-04 20:55 . 2012-11-04 20:55 696760 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2012-11-02 11:35 . 2012-11-02 11:35 -------- d-----w- c:\users\tom\AppData\Roaming\Malwarebytes

2012-11-02 11:35 . 2012-11-02 11:35 -------- d-----w- c:\programdata\Malwarebytes

2012-11-02 11:35 . 2012-11-02 11:35 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2012-11-02 11:35 . 2012-09-29 19:54 22856 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-11-02 07:45 . 2012-10-17 01:32 6918632 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{4832C1F6-E0B2-4DA8-A596-4CFE6CF7C23A}\mpengine.dll

2012-11-01 00:20 . 2012-09-20 04:35 181344 ----a-w- c:\windows\system32\drivers\ssudmdm.sys

2012-11-01 00:20 . 2012-09-20 04:35 83168 ----a-w- c:\windows\system32\drivers\ssudbus.sys

2012-11-01 00:16 . 2012-11-01 00:16 -------- d-----w- c:\program files\MarkAny

2012-11-01 00:16 . 2012-09-26 20:57 319456 ----a-w- c:\windows\system32\DIFxAPI.dll

2012-11-01 00:16 . 2012-09-26 20:57 821824 ----a-w- c:\windows\system32\dgderapi.dll

2012-11-01 00:16 . 2012-09-26 20:57 20032 ----a-w- c:\windows\system32\drivers\dgderdrv.sys

2012-10-31 13:42 . 2012-10-31 13:42 -------- d-----w- c:\users\tom\AppData\Local\FixItCenter

2012-10-31 13:33 . 2012-10-31 13:33 -------- d-----w- c:\windows\MATS

2012-10-31 13:33 . 2012-10-31 13:33 -------- d-----w- c:\program files\Microsoft Fix it Center

2012-10-29 22:14 . 2012-10-29 22:14 -------- d-----w- c:\users\tom\AppData\Local\ElevatedDiagnostics

2012-10-29 18:15 . 2012-10-29 18:15 -------- d-----w- c:\program files\MyFree Codec

2012-10-29 18:13 . 2012-10-29 18:13 -------- d-----w- C:\Temp

2012-10-29 17:34 . 2012-10-29 17:34 -------- d-----w- c:\program files\CCleaner

2012-10-29 17:20 . 2012-10-29 22:03 -------- d-----w- c:\users\tom\AppData\Local\LogMeIn Rescue Applet

2012-10-28 16:03 . 2012-10-28 16:03 -------- d-----w- c:\users\tom\AppData\Local\Samsung

2012-10-28 16:03 . 2012-11-01 00:21 -------- d-----w- c:\users\tom\AppData\Roaming\Samsung

2012-10-28 15:58 . 2012-09-26 20:57 4659712 ----a-w- c:\windows\system32\Redemption.dll

2012-10-28 15:56 . 2012-11-01 00:19 -------- d-----w- c:\program files\Samsung

2012-10-28 15:56 . 2012-11-01 00:15 -------- d-----w- c:\programdata\Samsung

2012-10-28 15:48 . 2012-10-28 15:48 -------- d-----w- c:\users\tom\AppData\Local\Downloaded Installations

2012-10-19 09:45 . 2012-10-19 09:45 93672 ----a-w- c:\windows\system32\WindowsAccessBridge.dll

2012-10-19 09:45 . 2012-10-19 09:45 -------- d-----w- c:\program files\Java

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-10-30 22:51 . 2011-03-15 21:53 738504 ----a-w- c:\windows\system32\drivers\aswSnx.sys

2012-10-30 22:51 . 2009-11-13 13:53 54232 ----a-w- c:\windows\system32\drivers\aswTdi.sys

2012-10-30 22:51 . 2009-11-13 13:53 35928 ----a-w- c:\windows\system32\drivers\aswRdr.sys

2012-10-30 22:51 . 2009-11-13 13:52 361032 ----a-w- c:\windows\system32\drivers\aswSP.sys

2012-10-30 22:51 . 2009-11-13 13:52 58680 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys

2012-10-30 22:51 . 2009-11-13 13:52 21256 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys

2012-10-30 22:51 . 2011-03-15 21:52 41224 ----a-w- c:\windows\avastSS.scr

2012-10-30 22:50 . 2009-11-13 13:52 227648 ----a-w- c:\windows\system32\aswBoot.exe

2012-10-19 09:45 . 2012-07-02 05:40 821736 ----a-w- c:\windows\system32\npDeployJava1.dll

2012-10-19 09:45 . 2011-05-22 11:43 746984 ----a-w- c:\windows\system32\deployJava1.dll

2012-09-26 20:57 . 2012-09-26 20:57 90112 ----a-w- c:\windows\MAMCityDownload.ocx

2012-09-26 20:57 . 2012-09-26 20:57 330240 ----a-w- c:\windows\MASetupCaller.dll

2012-09-26 20:57 . 2012-09-26 20:57 30568 ----a-w- c:\windows\MusiccityDownload.exe

2012-09-26 20:57 . 2012-09-26 20:57 974848 ----a-w- c:\windows\system32\cis-2.4.dll

2012-09-26 20:57 . 2012-09-26 20:57 81920 ----a-w- c:\windows\system32\issacapi_bs-2.3.dll

2012-09-26 20:57 . 2012-09-26 20:57 65536 ----a-w- c:\windows\system32\issacapi_pe-2.3.dll

2012-09-26 20:57 . 2012-09-26 20:57 57344 ----a-w- c:\windows\system32\MTXSYNCICON.dll

2012-09-26 20:57 . 2012-09-26 20:57 57344 ----a-w- c:\windows\system32\MK_Lyric.dll

2012-09-26 20:57 . 2012-09-26 20:57 57344 ----a-w- c:\windows\system32\issacapi_se-2.3.dll

2012-09-26 20:57 . 2012-09-26 20:57 569344 ----a-w- c:\windows\system32\muzdecode.ax

2012-09-26 20:57 . 2012-09-26 20:57 491520 ----a-w- c:\windows\system32\muzapp.dll

2012-09-26 20:57 . 2012-09-26 20:57 49152 ----a-w- c:\windows\system32\MaJGUILib.dll

2012-09-26 20:57 . 2012-09-26 20:57 45320 ----a-w- c:\windows\system32\MAMACExtract.dll

2012-09-26 20:57 . 2012-09-26 20:57 45056 ----a-w- c:\windows\system32\MaXMLProto.dll

2012-09-26 20:57 . 2012-09-26 20:57 45056 ----a-w- c:\windows\system32\MACXMLProto.dll

2012-09-26 20:57 . 2012-09-26 20:57 40960 ----a-w- c:\windows\system32\MTTELECHIP.dll

2012-09-26 20:57 . 2012-09-26 20:57 352256 ----a-w- c:\windows\system32\MSLUR71.dll

2012-09-26 20:57 . 2012-09-26 20:57 258048 ----a-w- c:\windows\system32\muzoggsp.ax

2012-09-26 20:57 . 2012-09-26 20:57 245760 ----a-w- c:\windows\system32\MSCLib.dll

2012-09-26 20:57 . 2012-09-26 20:57 24576 ----a-w- c:\windows\system32\MASetupCleaner.exe

2012-09-26 20:57 . 2012-09-26 20:57 200704 ----a-w- c:\windows\system32\muzwmts.dll

2012-09-26 20:57 . 2012-09-26 20:57 172032 ----a-w- c:\windows\system32\muzapp.exe

2012-09-26 20:57 . 2012-09-26 20:57 155648 ----a-w- c:\windows\system32\MSFLib.dll

2012-09-26 20:57 . 2012-09-26 20:57 143360 ----a-w- c:\windows\system32\3DAudio.ax

2012-09-26 20:57 . 2012-09-26 20:57 135168 ----a-w- c:\windows\system32\muzaf1.dll

2012-09-26 20:57 . 2012-09-26 20:57 131072 ----a-w- c:\windows\system32\muzmpgsp.ax

2012-09-26 20:57 . 2012-09-26 20:57 122880 ----a-w- c:\windows\system32\muzeffect.ax

2012-09-26 20:57 . 2012-09-26 20:57 118784 ----a-w- c:\windows\system32\MaDRM.dll

2012-09-26 20:57 . 2012-09-26 20:57 110592 ----a-w- c:\windows\system32\muzmp4sp.ax

2012-09-13 13:28 . 2012-10-10 11:15 2048 ----a-w- c:\windows\system32\tzres.dll

2012-08-29 11:27 . 2012-10-10 11:15 3602816 ----a-w- c:\windows\system32\ntkrnlpa.exe

2012-08-29 11:27 . 2012-10-10 11:15 3550080 ----a-w- c:\windows\system32\ntoskrnl.exe

2012-08-24 15:53 . 2012-10-10 11:15 172544 ----a-w- c:\windows\system32\wintrust.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{b9b97401-98e1-4942-930d-c36652dab7f2}"= "c:\program files\TranslatorBar_5\tbTran.dll" [2010-10-18 3908192]

.

[HKEY_CLASSES_ROOT\clsid\{b9b97401-98e1-4942-930d-c36652dab7f2}]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files\ConduitEngine\ConduitEngine.dll" [2010-10-18 3908192]

"{b9b97401-98e1-4942-930d-c36652dab7f2}"= "c:\program files\TranslatorBar_5\tbTran.dll" [2010-10-18 3908192]

.

[HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]

.

[HKEY_CLASSES_ROOT\clsid\{b9b97401-98e1-4942-930d-c36652dab7f2}]

.

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{B9B97401-98E1-4942-930D-C36652DAB7F2}"= "c:\program files\TranslatorBar_5\tbTran.dll" [2010-10-18 3908192]

.

[HKEY_CLASSES_ROOT\clsid\{b9b97401-98e1-4942-930d-c36652dab7f2}]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]

@="{472083B0-C522-11CF-8763-00608CC02F24}"

[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]

2012-10-30 22:50 121528 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]

"KiesPreload"="c:\program files\Samsung\Kies\Kies.exe" [2012-10-11 966072]

"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Skytel"="Skytel.exe" [2007-06-15 1826816]

"RtHDVCpl"="RtHDVCpl.exe" [2007-06-20 4493312]

"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-08-20 150016]

"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-10-30 4297136]

"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2011-02-18 49208]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-07-31 38872]

"KiesTrayAgent"="c:\program files\Samsung\Kies\KiesTrayAgent.exe" [2012-10-11 309688]

.

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

Exif Launcher S.lnk - c:\program files\FinePixViewerS\QuickDCF2.exe [2009-1-6 303104]

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

VPro530.lnk - c:\windows\VPro530.exe [2008-12-5 155648]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"aux1"=wdmaud.drv

.

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Empowering Technology Launcher.lnk]

path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Empowering Technology Launcher.lnk

backup=c:\windows\pss\Empowering Technology Launcher.lnk.CommonStartup

backupExtension=.CommonStartup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acer Empowering Technology Monitor]

2007-05-31 23:35 326440 ----a-w- c:\acer\Empowering Technology\SysMonitor.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acer Tour Reminder]

2007-05-22 22:49 151552 ----a-w- c:\acer\AcerTour\Reminder.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]

2012-07-11 19:00 919008 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eDataSecurity Loader]

2007-04-25 23:33 457216 ----a-w- c:\acer\Empowering Technology\eDataSecurity\eDSLoader.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PAC7302_Monitor]

2006-11-03 11:01 319488 ----a-w- c:\windows\Pixart\Pac7302\Monitor.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMMediaSharing]

2007-06-22 01:33 204908 ----a-w- c:\program files\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\PCMMediaSharing.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Philips Intelligent Agent]

2008-02-21 17:19 613792 ----a-w- c:\program files\Philips\Intelligent Agent\Philips Intelligent Agent.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\snpstd3]

2006-09-19 09:07 827392 ----a-w- c:\windows\vsnpstd3.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpeedTouch USB Diagnostics]

2007-06-11 06:06 901120 ----a-w- c:\program files\Thomson\SpeedTouch USB\DRAGDIAG.EXE

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2012-07-03 08:04 252848 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WarReg_PopUp]

2006-11-06 04:48 57344 ----a-w- c:\acer\WR_PopUp\WarReg_PopUp.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

.

R4 Acer HomeMedia Connect Service;Acer HomeMedia Connect Service;c:\program files\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\CLMSServer.exe [x]

.

--- Other Services/Drivers In Memory ---

.

*Deregistered* - RapportIaso

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache

.

Contents of the 'Scheduled Tasks' folder

.

2012-11-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-02 01:51]

.

2012-11-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-02 01:51]

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.bbc.co.uk/

uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7

mStart Page = hxxp://en.uk.acer.yahoo.com

uSearchURL,(Default) = hxxp://uk.rd.yahoo.com/customize/ycomp/defaults/su/*http://uk.yahoo.com

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_70C5B381380DB17F.dll/cmsidewiki.html

Trusted Zone: download.com

TCP: DhcpNameServer = 192.168.0.1

.

- - - - ORPHANS REMOVED - - - -

.

AddRemove-Adobe Flash Player ActiveX - c:\windows\system32\Macromed\Flash\FlashUtil32_11_4_402_287_ActiveX.exe

AddRemove-01_Simmental - c:\program files\Samsung\USB Drivers\01_Simmental\Uninstall.exe

AddRemove-02_Siberian - c:\program files\Samsung\USB Drivers\02_Siberian\Uninstall.exe

AddRemove-03_Swallowtail - c:\program files\Samsung\USB Drivers\03_Swallowtail\Uninstall.exe

AddRemove-04_semseyite - c:\program files\Samsung\USB Drivers\04_semseyite\Uninstall.exe

AddRemove-07_Schorl - c:\program files\Samsung\USB Drivers\07_Schorl\Uninstall.exe

AddRemove-09_Hsp - c:\program files\Samsung\USB Drivers\09_Hsp\Uninstall.exe

AddRemove-11_HSP_Plus_Default - c:\program files\Samsung\USB Drivers\11_HSP_Plus_Default\Uninstall.exe

AddRemove-16_Shrewsbury - c:\program files\Samsung\USB Drivers\16_Shrewsbury\Uninstall.exe

AddRemove-20_NXP_Driver - c:\program files\Samsung\USB Drivers\20_NXP_Driver\Uninstall.exe

AddRemove-24_flashusbdriver - c:\program files\Samsung\USB Drivers\24_flashusbdriver\Uninstall.exe

AddRemove-25_escape - c:\program files\Samsung\USB Drivers\25_escape\Uninstall.exe

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2012-11-11 10:39

Windows 6.0.6002 Service Pack 2 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

Completion time: 2012-11-11 10:42:10

ComboFix-quarantined-files.txt 2012-11-11 10:42

.

Pre-Run: 39,765,663,744 bytes free

Post-Run: 39,707,385,856 bytes free

.

- - End Of File - - 65CBF071C51D30809C739B9423EFF02F

tomiso · November 11, 2012

Hi Starbuck

When running Combo there was no mention of M W Recovery Console. I,ve had a look in -Start Seach- and my machine (windows Vista home premium)

only identtifys txt docs under 'microsoft windows recovery console'

Should I be visiting the microsoft site for a download??

Tom

Starbuck · November 11, 2012

Hi Tom,

When running Combo there was no mention of M W Recovery Console. I,ve had a look in -Start Seach- and my machine (windows Vista home premium)
only identtifys txt docs under 'microsoft windows recovery console'
Should I be visiting the microsoft site for a download??

It's ok, you can forget about the Recovery Console.

It's something that is related to Win XP.

You probably missed it in my combofix post:

If running Vista/Win7, you will not see the recovery console screens as they are Win XP related

Nice to see that Combofix cleaned up a few things for us.

We'll sort out a couple of locked files .... nothing else showing.

Close any open browsers.

Close/disable all anti virus, firewall and anti malware programs so they do not interfere with the running of ComboFix:

Open Notepad - it must be Notepad, not Wordpad.

Copy the text below in the code box by highlighting all the text and pressing Ctrl+C

RegLock::
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]

Go to the Notepad window and click Edit >> Paste

Then click File >> Save

Name the file "CFScript.txt" (including the quotes)

Save the file to your Desktop

The main ComboFix.exe program should be on your Desktop

Drag the file you just created... CFScript.txt and drop it on the main ComboFix.exe icon

as below.

http://i275.photobucket.com/albums/jj285/Bleeping/Combofix/cf.gif

Now please wait for ComboFix to finish running.

Please Note: Do not mouse click in the combofix window while it is running - this may cause your system to hang/crash

Post the new combofix.txt that's produced.

Once everything is clean and running ok, i'll get one of the other Mods to run through the procedure for transfering some space from the D drive to the C drive for you.

tomiso · November 11, 2012

Hi there

keep getting a message that ''CFScript.txt'' is incorrectly spelled. Had a problem when I first started, forgot the quote marks corrected it to ''CFScript.txt''.txt Subsequently deleted all and started again but still incorrectly spelled.

Tom

Starbuck · November 11, 2012

That's really odd, never had that happen before.

Try copying and pasteing the line below and use that as the title...... see if it makes a difference.

"CFScript.txt"

tomiso · November 12, 2012

hi Starbuck

That was a strange one, but it worked

ComboFix 12-11-12.02 - tom 12/11/2012 10:27:55.2.2 - x86

Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.2047.1041 [GMT 0:00]

Running from: c:\users\tom\Desktop\Com-boFix.exe

Command switches used :: c:\users\tom\Desktop\CFScript.txt

AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}

SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

((((((((((((((((((((((((( Files Created from 2012-10-12 to 2012-11-12 )))))))))))))))))))))))))))))))

.

2012-11-12 10:36 . 2012-11-12 10:37 -------- d-----w- c:\users\tom\AppData\Local\temp

2012-11-12 10:36 . 2012-11-12 10:36 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp

2012-11-12 10:36 . 2012-11-12 10:36 -------- d-----w- c:\users\Default\AppData\Local\temp