As you can see in the Combofix log, the 2 entries you were concerned about were both deleted.
The following is based on the information I see in your original logs. Perhaps I wasn't clear: you should not be running other scans and/or deleting entries unless I instruct you to do so. Every time you do that, it changes the information on the logs I have to work with.
====================================
Your first log here is dated: mbam-log-2012-04-02 (21-06-35).txt
Before starting here, you had gone a round with the Comodo tech. In spite of having continued rootkit problems, you still added new programs from 3/14 through 4/1.
Please do not download, install, run or remove anything else while I'm helping you unless I instruct you to do so.
I did not ask you to run Kaspersky.
=======================================
Please run this Custom CFScript:
[1]. Close any open browsers.
[2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
[3]. Open Notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it:
Code:
File::
c:\program files\CheckPoint\ZAForceField\AK\icsak.sys
C:\Program Files (x86)\Hide The IP
c:\windows\system32\drivers\Diskdump.sys
Folder::
C:\Program Files (x86)\BitTorrent
c:\users\Default\AppData\Local\temp
C:\TDSSKiller_Quarantine
c:\users\Guest
DDS::
uSearchURL,(Default) = hxxp://www.forumswatcher.com/search.htm
BHO: ZoneAlarm Toolbar Registrar: {8a4a36c2-0535-4d2c-bd3d-496cb7eed6e3} - C:\Program Files\CheckPoint\ZAForceField\WOW64\TrustChecker\bin\TrustCheckerIEPlugin.dll
BHO: Logitech Flow Scroll: {e11db59d-5008-42ff-9069-535843bc0be1} - C:\Program Files\Logitech\FlowScroll\32-bit\LogiSmooth.dll
TB: ZoneAlarm Toolbar: {ee2ac4e5-b0b0-4ec6-88a9-bca1a32ab107} - C:\Program Files\CheckPoint\ZAForceField\WOW64\TrustChecker\bin\TrustCheckerIEPlugin.dll
BHO-X64: ZoneAlarm Toolbar Registrar: {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - C:\Program Files\CheckPoint\ZAForceField\WOW64\TrustChecker\bin\TrustCheckerIEPlugin.dll
BHO-X64: ZoneAlarm Toolbar Registrar - No File
BHO-X64: Logitech Flow Scroll: {E11DB59D-5008-42ff-9069-535843BC0BE1} - C:\Program Files\Logitech\FlowScroll\32-bit\LogiSmooth.dll
TB-X64: ZoneAlarm Toolbar: {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\WOW64\TrustChecker\bin\TrustCheckerIEPlugin.dll
C:\Program Files\CheckPoint
SubSystems: Windows = basesrv,1 winsrv:UserServerDllInitialization,3 consrv:ConServerDllInitialization,2 sxssrv,4
BHO-X64: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
Clearjavacache::
Driver::
icsak
FCopy::
Save this as CFScript.txt, in the same location as ComboFix.exe
Referring to the picture above, drag CFScript into ComboFix.exe
When finished, it will produce a log for you at C:\ComboFix.txt . Please paste it into your next reply.
====================
To properly uninstall a program:
1. If program has its own uninstaller, use that - this is first choice.
2. If program does not have an uninstaller, you use Add/Remove Programs
3. If program does not have an uninstaller or does not appear in Add/Remove, a program such as the Windows Installer Cleanup Utility can be used:
For any program that you uninstall, you must use Windows Explorer to access Computer> Local Drive(C)> Programs> Find the folder for the program and do a right click> Delete.
You are referring to "uninstalled way back", but this was only recently installed:
2012-03-25 01:55:21 -------- d-----w- C:\Program Files (x86)\Hide The IP
======================
What you don't know and should know about virus scanners:
1. If a virus scanner 'removes' an entry in the Qoobox, the entry has already been removed and is no longer active in the system. The Qoobox is where Combofix sends the quarantined files.
2. If a virus scanner 'removes' an entry in the System Volume, the entry has already been removed and is no longer active in the system. The System Volume is where the restore points are held. This will not infect the machine again unless you do System Restore and choose that restore point. All old restore points are removed at the end of cleaning and a new, clean restore point is set.
3. A virus scanner does not read "locations" such as above and isn't 'removing' anything.
Bottom line: If you ran Combofix and it quarantined files, then ran Eset or Kaspersky as you did, it will show the entry in the Qoobox and the scan won't be removing anything.
Do you understand?
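
The point above about Qoobox and System Volume detections, as an added example that is not part of the original post: a Python sketch that sorts scanner hits by location, so that only files outside the ComboFix quarantine and the restore points are treated as active. The log format, the sample lines, the detection names and the C: drive letter are constructed assumptions, not the output of Eset or Kaspersky.

```python
import ntpath

# Locations that hold inert copies, per the post: the ComboFix quarantine and
# the restore-point store. Drive letter C: is an assumption for this example.
INERT_ROOTS = {
    r"C:\Qoobox": "quarantine",
    r"C:\System Volume Information": "restore-point",
}

# Constructed sample lines in a made-up "path | detection" format.
SAMPLE_LOG = r"""
C:\Qoobox\Quarantine\C\Windows\System32\drivers\example.sys.vir | Constructed.Rootkit.A
C:\System Volume Information\_restore{0000}\RP12\A0001234.exe | Constructed.Trojan.B
c:/qoobox/../Users/Public/dropper.exe | Constructed.Trojan.C
C:\Qoobox2\payload.exe | Constructed.Trojan.D
"""

def _parts(path):
    # Resolve "..", unify separators and case, then split into path components.
    norm = ntpath.normcase(ntpath.normpath(path))
    return [p for p in norm.split("\\") if p]

def classify(path):
    """Return 'quarantine', 'restore-point' or 'live' for a detected file path."""
    parts = _parts(path)
    for root, label in INERT_ROOTS.items():
        root_parts = _parts(root)
        # Compare whole components, so C:\Qoobox2\x.exe is not taken for quarantine.
        if parts[:len(root_parts)] == root_parts:
            return label
    return "live"

def triage(log_text):
    """Map each detected path to its class; only 'live' hits need follow-up."""
    results = {}
    for line in log_text.strip().splitlines():
        path = line.partition("|")[0].strip()
        results[path] = classify(path)
    return results

if __name__ == "__main__":
    for path, label in triage(SAMPLE_LOG).items():
        print(f"{label:14} {path}")
```

Only the last two sample lines come back as live: one escapes the quarantine folder through "..", the other merely shares the "Qoobox" prefix in its folder name.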