System Restore Help needed

[Peter S]

Alittle while ago the date on my computer was changed (kid not knowing what was going on??) the problems caused where horrendous. (50 years added)
I eventually sorted that out, but since then system restore no longer works.
Usually you get a calendar to select a restore point but all I get is a message stating no restore points for this date???? (no calendar showing at all!)
Does anyone know how to restore my system restore, or does it mean a reinstall of windows etc..

[Littlecoo]

If you don't mind starting system restore from afresh, you could try uninstalling/reinstalling the system restore component after deleteing/resetting it's cache (I hope you weren't relying on the restore points therein because this will delete them all...ouch!) I can't think of a better solution for this that doesn't require a lot of blood, sweat 'n tears. If your system is running ok at the moment this may be best and easiest option anyway...best of luck
oh btw...was this just in windows? or your BIOS? Hehehe...take away that Kid's administrative priveledges and asign him his own user profile

[Gary Richardson]

Could be caused by infected/corrupted files within System Restore.

Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: You will lose all previous restore points which are likely to be infected. Please note you need Administrator Access to clean the restore points.

• Turn off System Restore.
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • Check Turn off System Restore.
  • Click Apply, and then click OK.
• Reboot.
  
• Turn ON System Restore.
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • UN-Check *Turn off System Restore*.
  • Click Apply, and then click OK.

If this doesn't work, your computer may be infected with Malware. Post a HJT log and I'll have a look at it and let you know.

Download Hijack This to a location on your computer where you can find it. We recommend you create a New Folder C:\Hijack This

It is important you unzip it into this folder for the following reasons.

• If you run it from its Zip File, the program cannot create backups, which may be needed if mistakes are made.
• If you put it in a Temp File, HJT and the backups may get deleted if we need to clear out your Temp Files as part of the cure.

Once it is located, Navigate to the folder using Windows Explorer or My Computer, and double click on HijackThis.exe..

• When its opened for the first time you'll get a startup screen.
  • Click on Don't show this frame again when I start Hijack This.
  • Now click on None of the above just start the program.
  • Before your first scan, we need to check the configuration.
    
    Click on the Config button in the bottom right hand corner and confirm the following are checked.
    • Make backups before fixing items.
    • Confirm fixing & ignoring of items (safe mode).
    • Include list of running processes in logfiles.
    The other items should be unchecked.
• Click the Back button to return to the Scan page.
  
• Click on the Scan button, and wait for the scan to finish (this may take some time depending on the number of items in your log).
  
• When finished the Scan button will turn to a Save Log button, click on this and save the log (by default to the same folder that HijackThis.exe is in).

To paste it into a Forum, do the following.

• Navigate to your Hijack This folder.
• Double click on the hijackthis.log file, a text document will now be open on your screen.
• Click on Edit/ Select All, then Edit/Copy.
• Open the Posting Screen on the Forum.
• Right click in the screen, and click on Paste. The text should now be in the message.
• Press Submit.

[Peter S]

Gary
Thanks for the quick response.
I tried reseting Restore to off then back to on, no luck there. I have not yet tried removing it from windows components (yet?).

I have done a virus check with my scanner and with Trend on line scanner nothing found?
I have got Adaware it found nothing but some tracking cookies.

Below should be the Hijack log for you.

Thnk you for your time on this

Peter

Logfile of HijackThis v1.99.1
Scan saved at 22:08:40, on 29/05/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\Tablet.exe
C:\WINDOWS\system32\ctfmon.exe
F:\PopUp Killer\PopUpKiller.EXE
C:\Program Files\Browser Mouse\Browser Mouse\1.1\MOUSE32A.EXE
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
F:\Fine pix viewer\QuickDCF.exe
F:\Program Files\MS office\Office10\msoffice.exe
C:\WINDOWS\System32\dmadmin.exe
C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Mozilla Firefox\firefox.exe
F:\Downloads\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir...ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.btinternet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://home.microsoft.com/search/search.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.microsoft.com/search/lobby/search.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir...ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by US
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = <local>
O2 - BHO: ClickCatcher MSIE handler - {16664845-0E00-11D2-8059-000000000000} - C:\Program Files\Common Files\ReGet Shared\Catcher.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: ReGet Bar - {17939A30-18E2-471E-9D3A-56DD725F1215} - F:\ReGetDx\iebar.dll
O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [PopUpKiller] F:\PopUp Killer\PopUpKiller.EXE
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.1\MOUSE32A.EXE
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKLM\..\Run: [Ad-watch] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Exif Launcher.lnk = F:\Fine pix viewer\QuickDCF.exe
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\MS office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Do&wnload by ReGet Deluxe - C:\PROGRA~1\COMMON~1\REGETS~1\CC_Link.htm
O8 - Extra context menu item: Download A&ll by ReGet Deluxe - C:\PROGRA~1\COMMON~1\REGETS~1\CC_All.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - f:\program files\ms office\office\excel.exe
O9 - Extra button: (no name) - {237AA178-C3BC-4f67-A8BB-D8BC14BA0B89} - (no file) (HKCU)
O9 - Extra button: Microsoft® JavaScript® Console - {EC6DEC2D-3343-4A37-B527-520BCF3D16BD} - C:\WINDOWS\System32\comdlg32.ocx (HKCU)
O9 - Extra 'Tools' menuitem: JavaScript Console - {EC6DEC2D-3343-4A37-B527-520BCF3D16BD} - C:\WINDOWS\System32\comdlg32.ocx (HKCU)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.btinternet.com/
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/ado...nailFrame.html
O16 - DPF: {0A43D7AC-D6C1-4622-B309-BF975F427C0E} (FrontdoorFD Profile Manager Class) - https://internetbankingplus2.firstdi...rontdoorFD.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1120688334346
O18 - Protocol: stibo - {FFAD3420-6D61-44F6-BA25-293F17152D79} - C:\Program Files\Common Files\Stibo\RS_ProtocolHandler.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee Firewall - Unknown owner - C:\Program Files\McAfee\McAfee Firewall\CPD.EXE" /SERVICE (file missing)
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe

[Swampy]

When's the last time you changed your PRAM battery? This battery maintains your clock while the computer is turned off. Usually Lithium and easy to locate inside your computer case. There are different voltages available so pull yours and check it before you replace it. You should then just be able to reset your time control panel and be running smooth again. There may be a few minor things that will get "lost" while you are without a battery such as mouse speed setting, screen resolution etc. but they are also easy enuf to restore through the control panels.

[Gary Richardson]

Hi Peter,

Sorry I'm a bit slow getting back to you, I got a bit tied up.

OK, there's a few things on your log that need removing, but nothing that would be likely to cause the problems you have.

You'll have to disable Ad Aware's Adwatch, as it will replace anything you remove with HJT.
To Disable AdWatch

• Open AdAware SE.
• Go to AdWatch User Interface.
• Go to Tools and Preferences.
• At the bottom of the screen you will see 2 options Active and Automatic.
• Active: This will turn Ad-Watch On\Off without closing it.
• Automatic: Suspicious activity will be blocked automatically.
• Uncheck both options.

Similarly you'll have to turn of Spybot S&D Teatimer.
To disable Spybot S&D TeaTimer

• Run Spybot-S&D
• Go to the Mode menu, and make sure Advanced Mode is selected.
• On the left hand side, choose Tools -> Resident
• Uncheck Resident TeaTimer and OK any prompts.
• Restart your computer.

Download ATF Cleaner by Atribune and save it to your Desktop. (This is just a program for cleaning out your temp files).

Now run a scan with HJT, and check the following items for removal.

O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)

O9 - Extra button: (no name) - {237AA178-C3BC-4f67-A8BB-D8BC14BA0B89} - (no file) (HKCU)

O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/ad...bnailFrame.html



Close all windows except for the HJT window, and click the Fix Checked button.

Exit out of HijackThis.

Next we need to delete your Temporary Files.

• Double click ATF-Cleaner.exe to run the program.
• Check the following boxes:
  • Windows Temp
  • Current User Temp
  • All Users Temp
  • Temporary Internet Files
  • Prefetch
  • Recycle Bin
  • Java Cache
• The rest are optional - if you want to remove the lot, check Select All.
• Now click Empty Selected.
• When you get the Done Cleaning message, click OK.
  
• If you use Firefox browser.
  • Click Firefox at the top and choose: Select All
  • If you would like to keep your saved passwords, please click No at the prompt.
  • Click the Empty Selected button.
• If you use Opera browser.
  • Click Opera at the top and choose: Select All
  • If you would like to keep your saved passwords, please click No at the prompt.
  • Click the Empty Selected button.

Reboot, please.

Please download ewido anti-malware it is a free version of the program.

• Install ewido anti-malware.
• When installing, under "Additional Options" uncheck..
  • Install background guard
  • Install scan via context menu
• Launch ewido, there should be a big orange e icon on your desktop, double-click it.
• The program will now open to the main screen.
• When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
• You will need to update ewido to the latest definition files.
  • On the left hand side of the main screen click Update.
  • Then click on Start Update.
• The update will start and a progress bar will show the updates being installed
  the status bar at the bottom will display ("Update successful").

If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates

Once the updates are installed do the following:

• Click on Scanner
• Click on Complete System Scan and the scan will begin.
• You will be prompted to clean the first infection.
• Check make encrypted backups.
• Select "Perform action on all infections", then proceed.
• Once the scan has completed, there will be a button located on the bottom of the screen named Save report
• Click Save report.
• Save the report.txt file to your desktop or a location where you can find it easily.

Close ewido anti-malware.

Now can you send me the Ewido log and a new HJT log please.

Don't forget to re-enable Adwatch and Teatimer.

Finally, just a bit of info. System Restore needs at least 200M of disk space, if this is not available, XP will shut off System Restore. So check your disk space, (I once ran a filter by error on a large image which created an enormous temp file that wasn't removed after the filter had run, caused havoc with my system before I realised what the problem was and deleted the file).

[Peter S]

Quote:

Finally, just a bit of info. System Restore needs at least 200M of disk space, if this is not available, XP will shut off System Restore. So check your disk space, (I once ran a filter by error on a large image which created an enormous temp file that wasn't removed after the filter had run, caused havoc with my system before I realised what the problem was and deleted the file).

Gary have sent you the logs in a PM.

BTW I have got way more than 200M of free disk space, so thats not my prob, also System Restore does not appear as a Windows component that can be removed and then reinstalled. I think it must be an intergral part of XP, and can only be disabled or enabled as part of the core system!!!

I think I may have to look for a different method to restore in future???

[Gary Richardson]

Hi Peter,

Don't appear to have any PMs at the moment. As the logs are likely to be long, they probably exceeded the PM limit, this may have caused problems.

Found this page at M$, which seems to relate to your problem. Any problems with it and I'll be glad to help.

http://support.microsoft.com/default...;EN-US;q313853

[Peter S]

Gary

Thanks for the link to MS that has solved my problem. I sholud have searched there mself but just did not think

Let me know if you do not recieve the logs and I will re send them seprately to you.

Once again Thanks

[Peter S]

Logfile of HijackThis v1.99.1
Scan saved at 21:39:01, on 30/05/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\Tablet.exe
F:\PopUp Killer\PopUpKiller.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Browser Mouse\Browser Mouse\1.1\MOUSE32A.EXE
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
C:\WINDOWS\System32\dmadmin.exe
F:\Fine pix viewer\QuickDCF.exe
C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
F:\Program Files\MS office\Office10\msoffice.exe
C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
C:\WINDOWS\system32\wuauclt.exe
F:\Downloads\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir...ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.btinternet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://home.microsoft.com/search/search.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.microsoft.com/search/lobby/search.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir...ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by US
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = <local>
O2 - BHO: ClickCatcher MSIE handler - {16664845-0E00-11D2-8059-000000000000} - C:\Program Files\Common Files\ReGet Shared\Catcher.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll (file missing)
O3 - Toolbar: ReGet Bar - {17939A30-18E2-471E-9D3A-56DD725F1215} - F:\ReGetDx\iebar.dll
O4 - HKLM\..\Run: [PopUpKiller] F:\PopUp Killer\PopUpKiller.EXE
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.1\MOUSE32A.EXE
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKLM\..\Run: [Ad-watch] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Exif Launcher.lnk = F:\Fine pix viewer\QuickDCF.exe
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\MS office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Do&wnload by ReGet Deluxe - C:\PROGRA~1\COMMON~1\REGETS~1\CC_Link.htm
O8 - Extra context menu item: Download A&ll by ReGet Deluxe - C:\PROGRA~1\COMMON~1\REGETS~1\CC_All.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - f:\program files\ms office\office\excel.exe
O9 - Extra button: Microsoft® JavaScript® Console - {EC6DEC2D-3343-4A37-B527-520BCF3D16BD} - C:\WINDOWS\System32\comdlg32.ocx (HKCU)
O9 - Extra 'Tools' menuitem: JavaScript Console - {EC6DEC2D-3343-4A37-B527-520BCF3D16BD} - C:\WINDOWS\System32\comdlg32.ocx (HKCU)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.btinternet.com/
O16 - DPF: {0A43D7AC-D6C1-4622-B309-BF975F427C0E} (FrontdoorFD Profile Manager Class) - https://internetbankingplus2.firstdi...rontdoorFD.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1120688334346
O18 - Protocol: stibo - {FFAD3420-6D61-44F6-BA25-293F17152D79} - C:\Program Files\Common Files\Stibo\RS_ProtocolHandler.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee Firewall - Unknown owner - C:\Program Files\McAfee\McAfee Firewall\CPD.EXE" /SERVICE (file missing)
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe

[Peter S]

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 17:36:55, 30/05/2006
+ Report-Checksum: C130F5BB

+ Scan result:

:mozilla.47:C:\Documents and Settings\Peter\Application Data\Mozilla\Firefox\Profiles\ca2vlwg6.default\cookies-1.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.48:C:\Documents and Settings\Peter\Application Data\Mozilla\Firefox\Profiles\ca2vlwg6.default\cookies-1.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.49:C:\Documents and Settings\Peter\Application Data\Mozilla\Firefox\Profiles\ca2vlwg6.default\cookies-1.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.50:C:\Documents and Settings\Peter\Application Data\Mozilla\Firefox\Profiles\ca2vlwg6.default\cookies-1.txt -> TrackingCookie.Serving-sys : Cleaned with backup
:mozilla.51:C:\Documents and Settings\Peter\Application Data\Mozilla\Firefox\Profiles\ca2vlwg6.default\cookies-1.txt -> TrackingCookie.Serving-sys : Cleaned with backup
:mozilla.52:C:\Documents and Settings\Peter\Application Data\Mozilla\Firefox\Profiles\ca2vlwg6.default\cookies-1.txt -> TrackingCookie.Serving-sys : Cleaned with backup
:mozilla.53:C:\Documents and Settings\Peter\Application Data\Mozilla\Firefox\Profiles\ca2vlwg6.default\cookies-1.txt -> TrackingCookie.Serving-sys : Cleaned with backup
:mozilla.81:C:\Documents and Settings\Peter\Application Data\Mozilla\Firefox\Profiles\ca2vlwg6.default\cookies-1.txt -> TrackingCookie.Sitestat : Cleaned with backup
:mozilla.82:C:\Documents and Settings\Peter\Application Data\Mozilla\Firefox\Profiles\ca2vlwg6.default\cookies-1.txt -> TrackingCookie.Sitestat : Cleaned with backup
:mozilla.140:C:\Documents and Settings\Peter\Application Data\Mozilla\Firefox\Profiles\ca2vlwg6.default\cookies-1.txt -> TrackingCookie.Googleadservices : Cleaned with backup
:mozilla.157:C:\Documents and Settings\Peter\Application Data\Mozilla\Firefox\Profiles\ca2vlwg6.default\cookies-1.txt -> TrackingCookie.Yadro : Cleaned with backup
:mozilla.158:C:\Documents and Settings\Peter\Application Data\Mozilla\Firefox\Profiles\ca2vlwg6.default\cookies-1.txt -> TrackingCookie.Yadro : Cleaned with backup
:mozilla.159:C:\Documents and Settings\Peter\Application Data\Mozilla\Firefox\Profiles\ca2vlwg6.default\cookies-1.txt -> TrackingCookie.Googleadservices : Cleaned with backup
:mozilla.173:C:\Documents and Settings\Peter\Application Data\Mozilla\Firefox\Profiles\ca2vlwg6.default\cookies-1.txt -> TrackingCookie.Googleadservices : Cleaned with backup
:mozilla.211:C:\Documents and Settings\Peter\Application Data\Mozilla\Firefox\Profiles\ca2vlwg6.default\cookies-1.txt -> TrackingCookie.Googleadservices : Cleaned with backup
C:\System Volume Information\_restore{E586F1DC-746D-4864-A8B7-C2377D29433E}\RP4\A0001161.exe -> Adware.WinAD : Cleaned with backup


::Report End

[Peter S]

Gary you were right yet again the logs are too long for a PM so here they are.

Ta V much

[Gary Richardson]

Hi Peter,

Glad the fix at M$ worked for you.

Your logs look clean, is everything running OK now.

Below is a list of things to do to keep your system clean. (Its a canned speech I use at the HJT forums I advise on, a bit formal, pick out the bits that you haven't already done).

Quote:

Updating Windows and Internet Explorer

IMPORTANT: You need to update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the windows update site to get the critical updates.

If you're running Microsoft Office, or any portion thereof, go to Microsoft's Office Update site and make sure you have at least all the critical updates installed. (Free at Microsoft Office Update).

Make your Internet Explorer more secure

• From within Internet Explorer click on Tools > Options > Security > Internet > Custom Level.
• Make sure these options are set as follows:
  • Download signed ActiveX controls to Prompt
  • Download unsigned ActiveX controls to Disable
  • Initialize and script ActiveX controls not marked as safe to Disable
  • Installation of desktop items to Prompt
  • Launching programs and files in an IFRAME to Prompt
  • Navigate sub-frames across different domains to Prompt
• When all these settings have been made, click on the OK button.
• If it prompts you as to whether or not you want to save the settings, press the Yes button.
• Press the Apply button and then the OK to exit the Internet Properties page.

The following are free programs that are designed to keep your computer clean. A brief description is included with each item, click on name to go to download site.

• Adaware SE Personal
  Adaware is a free program. It scans for known spyware on your computer. These scans should be run at least once every two weeks. For more information, see this tutorial
  
• Spybot S & D
  Spybot is a scanner like Adaware. It scans for spyware and other malicious programs. It is important to have both Adaware and Spybot on your computer because each program provides unique detection and protection measures. Spybot has preventitive tools that stop programs from even installing on your computer.
  To see how to set this up as well as more spybot features, see here
  
• SpywareBlaster
  Spyware blaster is a program that stops known malicious activex controls from installing on your computer. It works by changing settings in your registry. It makes "kill bits" in the registry, so that certain activex controls can't install.
  If you don't know what activex controls are, see here
  
• IE Spyad
  It puts many bad webpages on your restricted zones LIST. This means that you can still view the "bad" webpages, but the webpages can't do certain things (such as use javascripts and cookies). Use IE Spyad for single account computers, and IE Spyad 2 for multi account computers.
  
• Hosts file:
  • Every version of windows has a hosts file as part of them.
  • In a very basic sense, they are used to locate webpages.
  • We can customize a hosts file so that it blocks certain webpages.
  • However, it can slow down certain computers.
  • This is why using a hosts file is optional!!
  • Make sure you read the instructions on how to install the hosts file, here.
• If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
  • Click the start button (at the lower left hand corner of your screen)
  • Click run
  • In the dialog box, type services.msc
  • hit enter, then locate dns client
  • Highlight it, then double-click it.
  • On the dropdown box, change the setting from automatic to manual.
  • Click ok
    

• Use an Anti Virus Software - It's very important that your computer has an anti-virus software running. This alone can save you a lot of trouble with malware in the future. See this link for a LISTing of some, on line & their stand-alone anti virus programs:
  Computer Safety On line - LIST of free Anti virus programs
  
• Use a Firewall - I cannot stress enough how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. For more info, check this webpage out.
  See here to choose one.
  
• Site Advisor This is a utility that can be downloaded and installed. It loads an icon to the taskbar of your browser (versions for IE and Firefox), indicating the trustworthiness of the site you are on. Green for safe, Red for suspicious. Click on the icon to access details that SiteAdvisor has about the site.

Just a final reminder for you.

• UPDATE UPDATE UPDATE!!! Make sure you do this about every 1-2 weeks.
• Run Spybot and Adaware regularly. (Once a week minimum)
• It is important that you visit http://www.windowsupdate.com regularly. This will ensure you always have the latest security updates installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.