Registry keys infected and system restore disabled

Hi,

I ran a malwarebytes scan on my son’s laptop and the results showed registry keys and values infected. I have attached the log. Malwarebytes seems to have corrected the entries. I ran another scan to make sure and no more malicious items were detected.
I am wondering if I need to do anything else. I ran an OTL scan and have attached the log. It shows that system restore has been disabled.
I am trying to run a GMER scan but I get a blue screen after it runs and therefore no log is given.

Any help is greatly appreciated.

Thank you in advance

Malwarebytes log.
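Added example (mine, not from this thread and not how OTL or Malwarebytes do their check): a PowerShell script that reports the registry settings most often responsible for a "System Restore disabled" finding on Windows XP, counts the restore points still on disk, and, with -Repair, removes the disabling policy values. It assumes the documented policy values DisableSR and DisableConfig, the XP service names sr and srservice, and the WMI SystemRestore class in root\default; run it in an elevated PowerShell 2.0 or later.

```powershell
# Added example, not from the original thread. Reports why System Restore may be
# off on Windows XP and optionally removes the policy values that disable it.
# Assumptions: the Group Policy key/values below (DisableSR, DisableConfig), the
# XP driver/service names 'sr' and 'srservice', and the root\default SystemRestore
# WMI class used to count restore points.
param([switch]$Repair)   # -Repair deletes DisableSR/DisableConfig from the policy key

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore'
$findings  = @()

# 1. Policy values: malware commonly sets DisableSR = 1 to stop restore points.
if (Test-Path $policyKey) {
    $p = Get-ItemProperty -Path $policyKey
    foreach ($name in 'DisableSR', 'DisableConfig') {
        $v = $p.PSObject.Properties[$name]
        if ($v -and $v.Value -eq 1) {
            $findings += "$name = 1 under $policyKey (policy disables System Restore)"
        }
    }
}

# 2. Service start type: 4 = Disabled for the SR filter driver and the SR service.
foreach ($svc in 'sr', 'srservice') {
    $svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
    if (Test-Path $svcKey) {
        $start = (Get-ItemProperty -Path $svcKey).Start
        if ($start -eq 4) { $findings += "$svc service Start = 4 (disabled)" }
    }
}

# 3. Restore points currently on disk (empty when SR has been off for a while).
$rp = Get-WmiObject -Namespace 'root\default' -Class SystemRestore -ErrorAction SilentlyContinue
"Restore points on disk: $(@($rp).Count)"

if ($findings.Count -eq 0) {
    'No registry setting found that disables System Restore.'
} else {
    $findings
    if ($Repair -and (Test-Path $policyKey)) {
        # Only the policy values are removed; a disabled service start type is left
        # for you to inspect, since a disabled 'sr' driver may be a deliberate choice.
        Remove-ItemProperty -Path $policyKey -Name 'DisableSR', 'DisableConfig' -ErrorAction SilentlyContinue
        'Policy values removed; reboot, then turn System Restore back on in System Properties.'
    }
}
```

Run it once read-only to see what is set, and only then with -Repair. If the policy values come back after a reboot, something still running on the machine is re-applying them, which is worth knowing before trusting a "clean" scan.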

You could run SuperAntiSpyware to get a second opinion: http://www.filehippo.com/download_superantispyware/.

Let's wait for someone else to check that OTL log.

But if the computer runs fine after you cleaned it with Malwarebytes, you should be OK for now.

Hope this will do for you. Good luck and welcome to the forum.

I notice from your MBAM log that it detected a lot of registry entries for avast 4.8, see image. For me that could well be a bunch of false positives.

However, since I don't use 4.8 any longer I can't check this out. Are you using avast 4.8 currently?
Or have you updated to avast 5.0 and, if so, how did you update (install over 4.8 or clean install of 5.0)?

Hi,
Thank you for your reply.
I am using Avast 5.0.545.
If I remember correctly I upgraded but I am not 100% sure…

Looks like some registry keys weren't completely removed then, though I don't know why MBAM would consider them a security.hijack. Perhaps because there is no associated file or location, but to me that isn't a security.hijack, rather a redundant registry key.

I ran superantispyware and it showed nothing.
I can’t get GMER to work.
I run Malwarebytes scans very often and it's never shown anything like this. However, I noticed something strange yesterday. The time on the computer clock was wrong.

Thanks again for your reply.

Did you try GMER in safe mode?

Hi,
Thank you for your reply.

I am trying to run in safe mode. The scan takes over 2 hours to complete but there is no save button in this mode for some reason.
I tried with different user accounts. On one scan I was able to read rootkit-like presence and MBR behaviour or something like that…
I will try again and see if I can write down what it says.

After the scan the computer freezes and I can’t shut it down properly.

Thanks again.

With the MBR report you have one of two infections - let's see which.

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

[*]Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

[*]Double click on ComboFix.exe & follow the prompts.

[*]As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

[*]Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[screenshot of the ComboFix "continue scanning?" prompt omitted]

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Hi,

Thank you for your help.

I have attached the ComboFix log file. I got a warning about Norton running but I know I uninstalled it when I installed Avast. I checked Program Files and I don't see Norton installed. When I check the Windows Security Center it says that 2 antivirus programs are running but I can't see where Norton is hiding.
Could it be a false alarm?

Norton is notorious for leaving remnants behind.

A link worth looking at, which is a program removal tool that can remove the remnants of a number of different Norton Programs:
Removing your Norton program using SymNRT
Or ftp://ftp.symantec.com/public/english_us_canada/removal_tools/Norton_Removal_Tool.exe
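Added example (mine, not from this thread, and not a substitute for the Norton Removal Tool linked above): a PowerShell script that lists the antivirus products Security Center actually has registered, which is what the "2 antivirus programs" message is based on, and then looks for typical Symantec/Norton leftovers in the registry, Program Files and the service list. It assumes the WMI AntiVirusProduct class in root\SecurityCenter (XP SP2/SP3 and Vista) and root\SecurityCenter2 (Windows 7 and later), and the remnant paths named in the code are common examples, not a complete list.

```powershell
# Added example, not from the original thread. Shows what Security Center thinks is
# installed and hunts for Norton/Symantec remnants that keep a stale registration alive.
# Assumptions: AntiVirusProduct lives in root\SecurityCenter on XP/Vista and in
# root\SecurityCenter2 on Windows 7+; the remnant paths below are typical, not exhaustive.

function Get-RegisteredAntiVirus {
    $found = @()
    foreach ($ns in 'root\SecurityCenter', 'root\SecurityCenter2') {
        # A namespace that does not exist on this Windows version is simply skipped.
        $products = Get-WmiObject -Namespace $ns -Class AntiVirusProduct -ErrorAction SilentlyContinue
        foreach ($p in @($products)) {
            if ($null -eq $p) { continue }
            $obj = New-Object PSObject -Property @{
                Namespace = $ns
                Name      = $p.displayName
                Guid      = $p.instanceGuid
            }
            # SecurityCenter2 also records the registered executable; if that file is
            # gone, the registration is a leftover of an uninstalled product.
            $exe = $p.pathToSignedProductExe
            if ($exe) { $obj | Add-Member NoteProperty ExeExists (Test-Path $exe) }
            $found += $obj
        }
    }
    $found
}

function Get-NortonRemnants {
    $hits = @()
    foreach ($path in 'HKLM:\SOFTWARE\Symantec',
                      'HKLM:\SOFTWARE\Norton',
                      "${env:ProgramFiles}\Symantec",
                      "${env:ProgramFiles}\Norton Internet Security",
                      "${env:ProgramFiles}\Common Files\Symantec Shared") {
        if (Test-Path $path) { $hits += $path }
    }
    # Services whose image path still points at a Symantec/Norton binary.
    Get-WmiObject Win32_Service | Where-Object { $_.PathName -match 'Symantec|Norton' } |
        ForEach-Object { $hits += "service $($_.Name): $($_.PathName)" }
    $hits
}

'Antivirus products registered with Security Center:'
Get-RegisteredAntiVirus | Format-Table -AutoSize
'Norton/Symantec leftovers:'
$remnants = Get-NortonRemnants
if ($remnants) { $remnants } else { 'none found' }
```

If the first table shows Norton next to Avast while the file and service checks come back empty, the only thing left is the Security Center registration itself; the Norton Removal Tool clears that, which is why the thread points you at it rather than at hand-editing the WMI repository.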

OK, that looked good. What problems remain?

Thank you for your reply.
I am glad to hear that.
I tried running GMER again in normal mode. It completed after a few hours but when I hit save it just froze and wouldn't respond.
I don't know if the log is necessary anymore but I'm just wondering why it's not working. It worked a few weeks ago.
Are you able to see from the log what infection it was and how it got through?
I have installed Avast 5.0.545, SuperAntiSpyware, SpywareBlaster, the Malwarebytes free version and the Windows XP firewall.

Thanks again.

Thank you!

You’re welcome.

It was a generic trojan downloader that never got a good grip on your system.

Please download Malwarebytes’ Anti-Malware from Here.

Double Click mbam-setup.exe to install the application.

[*]Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
[*]If an update is found, it will download and install the latest version.
[*]Once the program has loaded, select "Perform Quick Scan", then click Scan.
[*]The scan may take some time to finish, so please be patient.
[*]When the scan is complete, click OK, then Show Results to view the results.
[*]Make sure that everything is checked, and click Remove Selected.
[*]When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
[*]The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
[*]Copy & paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Hi,
Thank you.
Here is the log attached.

Nice and clean - what problems remain?

Hi,
Thank you. It’s working fine.
The only thing I suspect is that my son used his laptop to download a game onto his flash drive. He then put the flash drive in my desktop. When I turned on the desktop Avast would not start. I had to reinstall.
I ran OTL and GMER on the desktop and attached the logs. Can you see anything suspicious here?

Thanks again.