Scans (quick and full) stop at different times

[ickier]

I've already asked this through email and have basically been told I don't know what I'm talking about and my situation is impossible, but:

Full scans can at times take shorter than quick scans and both full and quick scans stop at different times.

Example: I just ran a full scan that took only 59 seconds. I ran a quick scan after that took 7 minutes.

The same quick scan right after took longer and the quick scan took a shorter amount of time.

Something is going on. Could somebody consider helping out?

[shadowwar]

Can you post logs for these scans please? It should be impossible but lets take a look. What antivirus are you running?

[ickier]

Can you post logs for these scans please? It should be impossible but lets take a look. What antivirus are you running?

I run Zone Alarm only. I wasn't sure how you wanted the logs so I attached them as files.

I notice when running the Quick scan that's when it looks at users' temporary internet files etc., and Full scan it skips right past them.

Clearly you can see Full scan took 47 seconds 156305 files and the Quick scan took 5 min 43 seconds 174072 files. Odd.

Now running the same two scans right behind the first two produces different numbers. Also odd.

Full scan 156263 files in 43 seconds and Quick scan 174033 files in 6 min 13 seconds.

mbam-log-2011-02-21 (09-18-16).txt

mbam-log-2011-02-21 (09-24-27).txt

mbam-log-2011-02-21 (09-27-05).txt

mbam-log-2011-02-21 (09-33-43).txt

[shadowwar]

Ok i am going to have the manager or support contact you. As far as the scans taking quicker on the same boot session after running a scan again. This is do to disk caching and is perfectly normal. The scan time issues you are having arent though.

[AdvancedSetup]

Hello ickier,

I reviewed your Help Desk ticket and the technician replied to ask more information but never heard back from you so they closed the ticket.

Please go ahead and run the following scans for me and post back the logs.

STEP 00

You may have corrupted files on your disk. Please try running the following.

First close ALL Applications as this routine will automatically restart your computer.

Click on START - RUN and copy / paste the following entry into the box and click OK

CMD /C ECHO Y|CHKDSK C: /R | SHUTDOWN /R /T 30

STEP 01

Please use TFC to clear temporary files:

Run TFC by OldTimer to clear temporary files:

• Please download TFC from here or here and save it to your desktop.
  
• Close any open programs and Internet browsers.
  
• Double click TFC.exe to run it and once it opens click on the Start button on the lower left of the program to allow it to begin cleaning.
  
• Please be patient as clearing out temp files may take a while.
  
• Once it completes you may be prompted to restart your computer, please do so.
  
• Once it's finished you may delete TFC.exe from your desktop or save it for later use for the cleaning of temporary files.
  

STEP 02

Restart the computer first

Please create a BOOTLOG

• Delete the following file if it exists. C:\Windows\ntbtlog.txt
  
• Restart the computer and press F8 when Windows starts booting. This will bring up the startup options.
  
• Select "Enable Boot Logging" option and press enter.
  
• Windows prompts you to select a Windows Installation (even if there is only one windows installation)
  
• This boots windows normally and creates a boot log named ntbtlog.txt and saves it to C:\Windows
  
• The file should not be very big, if it is then go back and delete the file and try again
  
• Now that the file is smaller you should be able to either post or attach it on your next reply

[ickier]

Step 00

Done. System rebooted quickly after completeing, didn't get a chance to read the results. AT one point though I did see "The volume is clean".

Step 01

Done. Removed 886mb. Nice.

Step 02

Done. File attached.

Step 03

Done. Not liking some of the entries where it says file can't be found. File attached.

Step 04

Done. Files attached.

ntbtlog.txt

AutoRuns.zip

DDS.txt

Attach.txt

[AdvancedSetup]

Please download and run the following scanner from Kaspersky and post back the logs.

If it asks to reboot please do so.

[AdvancedSetup]

Did you get a chance to run this yet?

[AdvancedSetup]

Please post an update so that I know you're still here otherwise I'll go ahead and close this topic soon.

[ickier]

Please post an update so that I know you're still here otherwise I'll go ahead and close this topic soon.

I'm sorry for the delay.

Nothing detected. One locked file though.

Believe it to be Daemon Tools virtual drive emulation.

Should I run Defogger and disable it?

TDSSKiller.2.4.18.0_26.02.2011_19.01.19_log.txt

[AdvancedSetup]

Please download the SPTD standalone installer from Duplex Secure.

Execute and choose to uninstall it at least temporarily.

Then run the following scanner.

1. Download ComboFix from below:
   Combofix download
   * IMPORTANT !!! Place combofix.exe on your Desktop
   
2. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
   You can get help on disabling your protection programs here
   
3. Double click on combofix.exe & follow the prompts.
   
4. As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
   Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
   
   The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.
   With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.
   Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement.
   ComboFix will now automatically install the Microsoft Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Microsoft Windows Recovery Console option when you start your computer unless requested to by a helper.
   Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message that says:
   The Recovery Console was successfully installed.
   
   Click on Yes, to continue scanning for malware.
   
5. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
   
6. When finished, it shall produce a log for you. Post that log in your next reply
   Note:
   Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
   ---------------------------------------------------------------------------------------------
   
7. Ensure your AntiVirus and AntiSpyware applications are re-enabled.
   ---------------------------------------------------------------------------------------------

[ickier]

I ran SPTD standalone installer and uninstalled.

First question, how do I get it back when we're done?

Defogger at least lets you disable and re-enable. Does this program?

I ran combofix. My log is attached.

I am a little troubled as it deleted a legit program. How do I get that back?

Do you see anything?

log.txt

[ickier]

Do you want any of the other logs created by combofix?

[AdvancedSetup]

No this log should be fine for now.

Don't worry, we can easily put back that driver when we're done.

Please run the following. If Combofix asks to update when you run it please allow it to.

Using your mouse, Highlight and then Right-click | Copy the entire contents of the Code box below, including blank lines

Driver::
mrtRate
sptd
File::
c:\windows\system32\Drivers\sptd.sys
RegNull::
[HKEY_USERS\S-1-5-21-1606980848-1958367476-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{BEE670E6-3627-52A6-8530-017E8C1C439D}*]
RegLock::
[HKEY_USERS\S-1-5-21-1606980848-1958367476-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
[HKEY_USERS\S-1-5-21-1606980848-1958367476-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{BEE670E6-3627-52A6-8530-017E8C1C439D}*]

Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled. Right-click | Paste the Code box contents from above into Notepad. Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt" .

Using your mouse, drag the new file CFscript.txt and drop it on the Combo-Fix.exe icon as shown:

• Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
  
• Disable your Antivirus software. If it has Script Blocking features, please disable these as well.
  
• A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix.
  When the scan completes Notepad will open with with your results log open. Do a File, Exit.

A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

Post back the Combofix log on your next reply.

[ickier]

OK, done.

Combofix asked to update - I allowed it.

Here's the resulting log file.

[ickier]

OK, done.

Combofix asked to update - I allowed it.

Here's the resulting log file.

(I forgot to mention...the first time I ran combofix, I got an error saying pev.exe failed, did I want to send a report. I did not. Once closed, combofix ran. Anything to be worried about? It did NOT do it when I just ran for the second time with the script file.)

log2.txt

[AdvancedSetup]

Okay now please temporarily disable ZoneAlarm and launch MBAM and check for Updates. Then run a Quick Scan and see how it works and post back the log.

Then reboot the computer and again temporarily disable ZoneAlarm and launch MBAM and run a Full Scan and post back that log as well.

Thanks

[ickier]

OK, quick scan actually took a shorter amount of time than it did when the topic started, but note about 100,000 less files.

161881 in 4 minutes 39 seconds.

Log is attached. Nothing detected.

I think we're back on track as I am an hour into the full scan (nothing detected yet) but I can't keep my eyes open.

I'll let it finish scanning and post back tomorrow.

Before we close this, after looking at the full scan log, can I 1. get an explanation on what we did and 2. help get the quarantined files back?

mbam-log-2011-03-01 (21-26-12).txt

[AdvancedSetup]

Please go ahead and remove Combofix now.

Click on START - RUN and type in combofix.exe /uninstall

Then let it remove itself.

We removed all the temporary files which alone should help to improve scan times.

We ran a disk check which almost certainly did fix things

We removed the SPTD driver which I think may possibly have been infected. I would not remove it from Quarantine. Since you now have the installer you can simply run the installer again and re-install the SPTD driver.

Re-enable your ZoneAlarm. If it is only a firewall and not the full Anti-Virus product then I highly suggest you obtain an Anti-Virus application and install it and keep it up to date.

At this time unless you have any other questions or issues we should be done here.

[ickier]

3 hours and 6 minutes. Wow. I was doing stuff while the scan was taking place n the background.

Yes, I think we are done. Thank you for the attention to my issue and the help to fix it.

I figured out how to move stuff from the Quarantine folder - the batch rename program.

Here's the full scan log just for the heck of it. (nothing found)

mbam-log-2011-03-02 (22-00-15).txt

[ickier]

3 hours and 6 minutes. Wow. I was doing stuff while the scan was taking place n the background.

Yes, I think we are done. Thank you for the attention to my issue and the help to fix it.

I figured out how to move stuff from the Quarantine folder - the batch rename program.

Here's the full scan log just for the heck of it. (nothing found)

What about the registry items that were reported locked? Do they need to be locked back up or is it OK?

[AdvancedSetup]

The locked file was the SPTD driver that I had you remove. By reinstalling the driver it will put back a clean copy.

We should be done and your computer should be okay now.

Cheers