Question about suspicious files winpatrol detected

Dsmith148

New member
I opened up WinPatrol today to check for updates, then went through the various tabs and found the following suspicious files (the links are to VirusTotal analysis for the files that I uploaded)....

According to the WinPatrol hidden files tab they were first detected on 01/01/2010 12:20am and were last written to on 12/30/2009 3:24 and are type system. The recent tab lists the same first detected date and notes they are hidden and there is nothing under company.

I'm running my various security programs right now to see if anything is amiss. I have run avast and spybot s&d so far and have found nothing. On a possibly related note, spybot found a registry entry for something called Fraud.MalwareDefender on the 23rd of last month. In my c://programdata/spybot-search & destroy/recovery directory is a FraudMalwareDefense zip archive dated 12/23/2009 7:17am file size 1KB. No idea if they're related.

Anyway that's it for now. I'll let you know the results of my other scans and if you need any more info, just tell me what you need and I'll try and provide it to you. Thank you for your assistance!
 

My Computer

Computer Manufacturer/Model Number
Cyberpower PC
OS
Windows 7 Home Premium RTM 64-bit
CPU
Intel Core 2 Duo E8400 @3.00Ghz
Motherboard
Gigabyte EP45T-UD3P rev 1.0 BIOS F6
Memory
8 GB DDR3 RAM
Graphics Card(s)
ATI Radeon 4870 1GB catalyst 9.10
Sound Card
SB X-Fi XtremeGamer
Monitor(s) Displays
LG 24" W2452T
Screen Resolution
32Bpp 1920x1200
Hard Drives
Hitachi Deskstar 750GB
PSU
Apevia 750 Watt Warlock Power Supply
Case
Apevia X-Telstar Jr. G Type Case-Black
Cooling
Coolermaster Hyper TX2 CPU and 2 case fans
Keyboard
Saitek Eclipse
Mouse
Razer Copperhead
Internet Speed
12.0 Mbps
Other Info
Other Stuff attached to my computer either permanently or occasionally...

Lexmark X5470 AIO Printer
Logitech G51 Surround Sound Speakers
Logitech Extreme 3D Pro Joystick
Linksys Wired Router BEFSR41
Transcend 64 GB USB Flash Drive
Amazon Kindle 2
DSmith,

It's not uncommon to see .tmp files listed as Hidden files. Hidden files are common, which is why WinPatrol doesn't default to alerting you to every new hidden file.

If you right-click on the filename one of the WinPatrol options will be to View in Notepad. This might be helpful in finding out which program is creating these temp files.

btw... it was a great idea to use VirusTotal as a follow up to WinPatrol. I recommend it often.

Bill Pytlovany
BillP Studios
 

My Computer

OS
Win7
I opened Z@R7C7.tmp and got a bunch of junk as follows below. No idea what it means....
 
 

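Added example (not part of the original thread and not WinPatrol's code): when a hidden .tmp file shows only unreadable characters in Notepad, its leading bytes usually identify the format. This Python sketch checks a few common signatures and, for font files (recognisable by table names such as OS/2, cmap and glyf near the start), reads the table directory and the embedded name table. The sample font and its EXAMPLE.tmp name are constructed for the demonstration.

```python
import struct

# Leading-byte signatures worth checking before trusting a .tmp extension.
SIGNATURES = [
    (b"MZ", "Windows executable (MZ/PE)"),
    (b"PK\x03\x04", "ZIP container"),
    (b"%PDF", "PDF document"),
    (b"\x00\x01\x00\x00", "TrueType font"),
    (b"OTTO", "OpenType (CFF) font"),
]

def identify(data):
    """Return a format label based on the first bytes, or 'unknown'."""
    for magic, label in SIGNATURES:
        if data.startswith(magic):
            return label
    return "unknown"

def sfnt_tables(data):
    """Parse the sfnt table directory into {tag: (offset, length)}."""
    if len(data) < 12:
        raise ValueError("too short for an sfnt header")
    num_tables = struct.unpack_from(">H", data, 4)[0]
    tables = {}
    for i in range(num_tables):
        pos = 12 + 16 * i
        if pos + 16 > len(data):
            raise ValueError("truncated table directory")
        tag, _checksum, offset, length = struct.unpack_from(">4sLLL", data, pos)
        if offset + length > len(data):
            raise ValueError("table %r points outside the file" % tag)
        tables[tag.decode("latin-1")] = (offset, length)
    return tables

def sfnt_names(data, tables):
    """Decode the 'name' table into {nameID: text}."""
    if "name" not in tables:
        return {}
    base, length = tables["name"]
    table = data[base:base + length]
    _fmt, count, storage = struct.unpack_from(">HHH", table, 0)
    names = {}
    for i in range(count):
        rec = struct.unpack_from(">6H", table, 6 + 12 * i)
        platform, name_id, nlen, noff = rec[0], rec[3], rec[4], rec[5]
        raw = table[storage + noff:storage + noff + nlen]
        # Windows (3) and Unicode (0) names are UTF-16BE, which a text editor
        # shows as letters separated by gaps; Macintosh (1) names are 8-bit.
        codec = "utf-16-be" if platform in (0, 3) else "mac_roman"
        names.setdefault(name_id, raw.decode(codec, errors="replace"))
    return names

def build_sample_font(family="EXAMPLE.tmp"):
    """Constructed sample: a minimal sfnt holding only a 'name' table."""
    strings = [(1, family), (2, "Regular"), (5, "1.0")]
    records, storage = b"", b""
    for name_id, text in strings:
        raw = text.encode("utf-16-be")
        records += struct.pack(">6H", 3, 1, 0x0409, name_id, len(raw), len(storage))
        storage += raw
    name = struct.pack(">HHH", 0, len(strings), 6 + len(records)) + records + storage
    header = struct.pack(">LHHHH", 0x00010000, 1, 16, 0, 0)
    directory = struct.pack(">4sLLL", b"name", 0, 12 + 16, len(name))
    return header + directory + name

def triage(data):
    """Summarise a blob: format label plus font details when it is an sfnt."""
    report = {"kind": identify(data), "tables": [], "names": {}}
    if "font" in report["kind"]:
        try:
            tables = sfnt_tables(data)
            report["tables"] = sorted(tables)
            report["names"] = sfnt_names(data, tables)
        except (ValueError, struct.error) as exc:
            report["error"] = str(exc)
    return report

if __name__ == "__main__":
    print(triage(build_sample_font()))
```

To check a real file, pass its bytes to `triage()`, for example `triage(open(path, "rb").read())`.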
There you go, Dsmith148, the developer of WinPatrol responded to your post! Welcome to Seven Forums, Bill!

Malware Defense is a Rogue. It wouldn't hurt to scan with an anti-malware software such as MBAM. My standard instructions follow:

Please download Malwarebytes' Anti-Malware to your desktop.


  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, be sure Quick scan is selected, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, EXCEPT items in System Restore as shown in this sample:
    MBAM_SR.png
  • Click Remove Selected.
 

My Computer

OS
Windows 7 & Windows Vista Ultimate
I finished running avast, spybot s&d, threatfire, windows defender, malwarebytes, superantispyware, and a-squared free with all results negative. When I ran all my scanners on the 23rd last month only spybot found anything. It was a registry entry for fraud.malwaredefender and nothing else. I'll look for the files listed in the link Corrine gave me and see if I find any of them. I'll return with any results.
 

None of these files were found (I have the option checked in folder options to view hidden files) in the default or my own profile...
c:\Program Files\Malware Defense
c:\Program Files\Malware Defense\help.ico
c:\Program Files\Malware Defense\md.db
c:\Program Files\Malware Defense\mdefense.exe
c:\Program Files\Malware Defense\mdext.dll
c:\Program Files\Malware Defense\uninstall.exe
%UserProfile%\Desktop\Malware Defense Support.lnk
%UserProfile%\Desktop\Malware Defense.lnk

Don't have a start menu folder in the default or my profile....
%UserProfile%\Start Menu\Programs\Malware Defense
%UserProfile%\Start Menu\Programs\Malware Defense\Malware Defense Support.lnk
%UserProfile%\Start Menu\Programs\Malware Defense\Malware Defense.lnk
%UserProfile%\Start Menu\Programs\Malware Defense\Uninstall Malware Defense.lnk
I'll go check my registry and see if the registry entries listed are found.
 

Opened up my regedit and....

Didn't find this...
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\SimpleShlExt

Found this registry item that was mentioned as part of the malware defender, but don't see anything...
HKEY_CLASSES_ROOT\CLSID\{5E2121EE-0300-11D4-8D3B-444553540000}
REG_SZ SimpleShlExt Class

-inprocserver32 has 2 items-1.(default) REG_SZ C:\program files(x86)\ati technologies\ati.ace\core-static\atiacm64.dll

2.threadingmodel REG_SZ Apartment

-progid REG_SZ catalyst context menu

-programmable REG_SZ (value not set)

-typelib REG_SZ {5E2121EE-0300-11DA4-8D3B444553540000}

-versionindependentprogid REG_SZ catalyst context menu

Didn't find these...
HKEY_CLASSES_ROOT\Folder\shellex\ContextMenuHandlers\SimpleShlExt
HKEY_LOCAL_MACHINE\SOFTWARE\Malware Defense
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Malware Defense"
 

Dsmith148,

Based on your scans, it appears you do not have the rogue installed.

With WinPatrol, you can right-click the file and select "Explore Program Folder" and/or "Properties". I periodically have an etilqs_6KT6Gkn8JPCDK5thfAil hidden file in APPDATA\LOCAL\TEMP with zero bytes, which Bill told me is related to Firefox. I delete the file with WinPatrol. Should the file prove stubborn to delete, you can also right-click on the file and select "delete on reboot".

I love WinPatrol!
 

Hi!

Very nice to see Mr. WinPatrol here on sevenforums, welcome!

I really appreciate WinPatrol, I completely agree with Corinne, WinPatrol is a "must-have program".
I have used it for about a year on both Vista & W7, it works great together with the rest of my security. ↓↓↓↓↓
 

My Computer

Computer Manufacturer/Model Number
Dell
OS
W7-Enterprise + WS-2008 (Converted to Workstation)
CPU
P4 2,4GHz (at 1,8GHz, "slow" RDRAM, only 400MHz FSB...)
Motherboard
Intel 850E
Memory
2GB
Graphics Card(s)
NVIDIA QUADRO2 PRO 64MB
Sound Card
Yes
Monitor(s) Displays
Dell 1702FP
Screen Resolution
1280x1024
Hard Drives
Yes
PSU
Yes
Case
Yes
Cooling
Yes
Keyboard
Yes
Mouse
Yes, and i also have Cats...
Internet Speed
University: 100 MBit/s, Home: UMTS 7,2 MBit/s
Other Info
W7 on a DINOSAUR: P2 with 266MHz CPU & 160MB RAM
Hi BillP :D So nice to see you here!
 

My Computer

Computer type
PC/Desktop
Computer Manufacturer/Model Number
Bruce ... somewhere in his 40's
OS
Windows 7 Ultimate 32bit SP1
CPU
Intel(R) Core(TM)2 Quad CPU @ 2.40GHz, 2400 MHz
Motherboard
INTEL/D975XBX2
Memory
4 GB
Graphics Card(s)
ATI Radeon HD 2600 Pro
Monitor(s) Displays
Samsung SyncMaster 914v
Screen Resolution
1280 x 1024
Hard Drives
2/500GB each ... ST3500630AS ATA Device.
One is not connected
PSU
Rocketfish 700 W
Case
G.Skill Gigabyte Chassis
Keyboard
Standard PS/2 Keyboard
Mouse
Microsoft PS/2 Mouse
Internet Speed
DSL
Antivirus
Avira Internet Security
Browser
IE 11
Other Info
ATI HDMI Audio
Hi.
You know, I'm amazed. Are you monitoring all forums? :what:

Anyway, nice to see you here. :)
 

My Computer

OS
Windows 7 Ultimate x86 SP1
Scotty has an exceptional sense of smell and finds people needing help with WinPatrol.
 

Thanks for the Welcome

Thank you all for the warm welcome. I can't believe how many of you are so active on so many forums.

You can thank whoever has the SevenForums Twitter account for making me aware of all the fun here. I don't get the time to scour the forums for WinPatrol questions but I did see a reference on Twitter about this thread so I figured I should stop by.

Thanks again,
Bill
 

WinPatrol

I'm test driving WinPatrol. Does it slow down a scan by MSE?
 

My Computer

Computer Manufacturer/Model Number
BGC (Bob's Garage Crew)
OS
win 7 X64 Ultimate SP1
CPU
I3770K
Motherboard
Asus P8Z77-V Deluxe
Memory
G Skill F3-14900CL9-4GBXL x 4
Graphics Card(s)
NVIDIA GeForce GTX670 + Intel 4000
Sound Card
Realtek HD 5.1 (MOB)
Monitor(s) Displays
Asus VW224T (1)
Screen Resolution
1920 x 1080
Hard Drives
SATA Corsair Force GT 2.5" 180GB (System) Sata 3
OCZ Vertex3 120GB
OCZ Vertex 2 120GB 2.5" SATA II
ST31000524AS 1000.2GB
WD15EARS (External)
PSU
CoolerMaster 1000 Watt
Case
CoolerMaster HAF X
Cooling
CPU -- CoolerMaster 520N
Keyboard
MS Wireless 3000 V2
Mouse
MS Wireless 3000 V2
Internet Speed
Cable
Antivirus
Norton Internet Security
Browser
IE9
Other Info
AMI Bios 1805
OC'd 3%
WinPatrol shouldn't slow down any processes. Many WinPatrol features have the option to set the time between Scotty's patrols. Scotty will patrol in "real time" for WinPatrol Plus subscribers. This means that if there is a change to a monitored feature, immediate notification will be provided. With the free version of WinPatrol, it is up to the user to set the time between patrols. Depending on your settings in Windows 7 for system tray, you will notice some "movement" by Scotty when he is on patrol.
 

Corinne, I'm always trying to learn here. Can I ask why the System Volume\restore should remain unchecked (as you suggested) even though MWBytes has detected malware in said folder? Sorry if it's a naive question :o.
 

My Computer

OS
Windows XP - Now Windows 7 Home Premium (64-bit).
Of course you can ask. (Corrine considers whether she should answer the question . . . :devil:)

Ok, first a bit of a rant:

Much too frequently when a person has malware problems, the first solution offered is to clear System Restore. Let me assure you that is most definitely not a solution. The only way malware in System Restore can re-infect the computer is if the computer is restored to an infected point. That said, keep in mind that System Restore is not an endless repository. Old restore points are cycled out in favor of new restore points.

The reason, however, for not clearing System Restore is that should something go horribly wrong during the cleanup process, without a restore point, there may be no other option than a repair reinstall of the operating system. Certainly an infected restore point can be better in that case, particularly if the computer is an OEM install without a repair disk. Keep in mind that antivirus and anti-malware programs do occasionally have false positives. Also, many people seem to be of the opinion that willy-nilly registry edits are the way to clean an infected computer.

Note to self: finish that draft blog post on System Restore.

Now to answer your question:

Note also, please, that I also recommended a Quick scan. In a Full scan, MBAM (and A/V programs) scans System Restore. If it does not completely clean the file, the user may not have a good restore point. At a minimum, they will be returned to the state prior to the restore, which could be defective due to a f/p or incorrect user action.

Both Marcin Kleczynski and Bruce Harrison (MBAM developers) recommend a Quick scan. The first step should be to clear temporary files. (I recommend ATF Cleaner by Microsoft MVP Atribune, from ATF-Cleaner.exe - www.atribune.org followed by a shutdown/restart prior to scanning.)

After the computer is clean, create a fresh restore point and then use Disk Cleanup to delete all but the most recent restore point.

  • Click start, type Disk Cleanup in the search box
  • Right-Click Disk Cleanup and select "Run as Administrator" and accept the UAC elevation prompt.
  • Select the drive where Windows is installed (if you have more than one drive) and click "OK".
  • When the scan completes, check/uncheck desired boxes.
  • Next, please click the More Options tab at the top.
  • Click the "Clean up..." button under the "System Restore and Shadow Copies" section at the bottom.
  • Click Delete in response to the question "Are you sure you want to delete all but the most recent restore point?", click OK and answer Yes again.
  • The disk clean up utility will remove the selected items. When it completes, please restart the computer to properly record the changes made to the hard disk.
Perhaps more than you asked. I hope this helps.
 

Lol.

Interesting indeed. Something I was 'taught' (perhaps incorrectly) was that, prior to removing a virus/malware infection, it would be considered good practice to turn off system restore, remove the malicious files, and then turn back on system restore. I was then taught subsequently that, no, this did not matter and was incorrect practice. :confused:
Once again, thanks for such a quick and detailed reply. Very kind :)
 
