
tried the instructions



Printed the instructions from the forum topic "I'm infected - what do I do now". I had the Windows XP security virus, ran Malwarebytes quick and full scan and it seemed to go away. At that point realized that I had no menu of programs at start up and all my desktop icons were gone. Got on the internet and kept getting redirected. I used it for a few days like this because I was tired of dealing with it, just copied and pasted the web addresses, still doing all of this. Wanted to clean it up so I printed the instructions and started the process of defogging. I got through disabling the emulation drivers and moved on to downloading DDS, only one log came up. Moved on to the GMER rootkit scanner and started to scan. The first time it scanned for a little over an hour then stopped and the computer restarted on its own. When it booted back up I received a pop up saying Windows recovered from a serious problem. At that point I tried the scan again, walked away, came back 2 hours later and it was still scanning, walked away and returned to find that it had stopped and there was a problem with R66v.exe file. I shut it down and came here this morning, can you please help me. What do I do next? I have attached the 3 items I have on my desktop from starting this procedure, hope they help.


  • Staff

Hi and welcome to Malwarebytes.

Please download Unhide.exe by Grinler and save it to your Desktop.

Run it, then restart your computer.

Please update MBAM, run a Quick Scan, and post its log.

Next, download DDS by sUBs and save it to your Desktop.

Double-click on the DDS icon and let the scan run. When it has run two logs will be produced, please post only DDS.txt directly into your reply.


Thank you very much for your help.

Unhide was successful, I have my icons back.

At first I couldn't update Malwarebytes so re-downloaded it and it seemed to be OK. Found 3 issues and deleted them.

Here is the MBAM log file:

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 6688

Windows 5.1.2600 Service Pack 3 (Safe Mode)

Internet Explorer 8.0.6001.18702

5/26/2011 7:32:38 PM

mbam-log-2011-05-26 (19-32-38).txt

Scan type: Quick scan

Objects scanned: 207962

Time elapsed: 12 minute(s), 28 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 1

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Malware Protection (Trojan.Agent) -> Value: Malware Protection -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\documents and settings\all users.windows\application data\defender.exe (Trojan.Agent) -> Quarantined and deleted successfully.

c:\documents and settings\james\local settings\Temp\5A.tmp (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.

Here is the DDS file:

.

DDS (Ver_11-05-19.01) - NTFSx86 NETWORK

Internet Explorer: 8.0.6001.18702

Run by james at 19:37:35 on 2011-05-26

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2039.1598 [GMT -4:00]

.

AV: Malware Defense *Enabled/Outdated* {28e00e3b-806e-4533-925c-f4c3d79514b9}

AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Firewall *Enabled*

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe

C:\WINDOWS\system32\mfevtps.exe

C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\igfxsrvc.exe

c:\PROGRA~1\mcafee.com\agent\mcagent.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\james\Desktop\1st try\dds.com

C:\WINDOWS\system32\WSCRIPT.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.msnbc.com/

mStart Page = about:blank

uURLSearchHooks: IAOLTBSearch Class: {ea756889-2338-43db-8f07-d1ca6fb9c90d} - c:\program files\aol toolbar\aoltb.dll

uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

uURLSearchHooks: H - No File

mURLSearchHooks: IAOLTBSearch Class: {ea756889-2338-43db-8f07-d1ca6fb9c90d} - c:\program files\aol toolbar\aoltb.dll

BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL

BHO: AOL Toolbar Loader: {7c554162-8cb7-45a4-b8f4-8ea1c75885f9} - c:\program files\aol toolbar\aoltb.dll

BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20110124082348.dll

BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5612.1312\swg.dll

BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "c:\program files\microsoft\bingbar\BingExt.dll"

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

BHO: {fdd3b846-8d59-4ffb-8758-209b6ad74acc} - c:\program files\microsoft money\system\mnyviewer.dll

TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "c:\program files\microsoft\bingbar\BingExt.dll"

TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

TB: AOL Toolbar: {de9c389f-3316-41a7-809b-aa305ed9d922} - c:\program files\aol toolbar\aoltb.dll

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

mRun: [Mouse Suite 98 Daemon] ICO.EXE

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [PaperPort PTD] "c:\program files\scansoft\paperport\pptd40nt.exe"

mRun: [indexSearch] "c:\program files\scansoft\paperport\IndexSearch.exe"

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\mb\mbam.exe" /runcleanupscript

mRunOnce: [Malwarebytes' Anti-Malware] c:\mb\mbamgui.exe /install /silent

StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\status~1.lnk - c:\program files\brother\brmfcmon\BrMfcWnd.exe

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

DPF: {BEA7310D-06C4-4339-A784-DC3804819809} - hxxp://www.cvsphoto.com/upload/activex/v3_0_0_7/PhotoCenter_ActiveX_Control.cab

DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

Notify: igfxcui - igfxdev.dll

Notify: TPSvc - TPSvc.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

.

============= SERVICES / DRIVERS ===============

.

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2011-1-24 386840]

R1 BpCdrVsd;BpCdrVsd;c:\windows\system32\drivers\BPCDRVSD.SYS [2008-3-16 8736]

R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2011-1-24 84072]

R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2011-1-24 271480]

R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2011-1-24 188136]

R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2011-1-24 141792]

R3 bpflt;BACKPACK Filter;c:\windows\system32\drivers\bpflt.sys [2008-3-16 4538]

R3 bpusbflt;BACKPACK USB Filter;c:\windows\system32\drivers\bpusbflt.sys [2008-3-16 9085]

R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2011-1-24 313288]

R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2011-1-24 88544]

S1 bpfinder;BACKPACK Finder;c:\windows\system32\drivers\bpfinder.sys [2008-3-16 62359]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-3 135664]

S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2008-10-1 88176]

S2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2011-1-24 271480]

S2 McProxy;McAfee Proxy Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2011-1-24 271480]

S2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2011-1-24 171168]

S3 BBSvc;Bing Bar Update Service;c:\program files\microsoft\bingbar\BBSvc.EXE [2011-2-28 183560]

S3 bppccard;BACKPACK PC Card;c:\windows\system32\drivers\bppccard.sys [2008-3-16 5493]

S3 bppnpdrv;BACKPACK Driver;c:\windows\system32\drivers\bppnpdrv.sys [2008-3-16 19670]

S3 bpusbdrv;BACKPACK USB 1 Cable;c:\windows\system32\drivers\bpusbdrv.sys [2008-3-16 96768]

S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2011-1-24 55840]

S3 cpuz132;cpuz132;\??\c:\docume~1\james\locals~1\temp\cpuz132\cpuz132_x32.sys --> c:\docume~1\james\locals~1\temp\cpuz132\cpuz132_x32.sys [?]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-1-3 135664]

S3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2011-1-24 152960]

S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2011-1-24 52104]

S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2011-1-24 88544]

S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2011-1-24 84264]

S3 pelps2m;PS/2 Mouse Filter Driver;c:\windows\system32\drivers\pelps2m.sys [2008-1-10 18048]

.

=============== File Associations ===============

.

.scr=DWGTrueViewScriptFile

.

=============== Created Last 30 ================

.

2011-05-26 23:32:59 54016 ----a-w- c:\windows\system32\drivers\vmqv.sys

2011-05-26 23:17:41 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-05-24 20:07:28 -------- d-----w- c:\documents and settings\james\application data\GetRightToGo

2011-05-23 20:50:21 -------- d-----w- c:\documents and settings\all users.windows\application data\PC Tools

2011-05-14 21:34:41 -------- d-----w- c:\documents and settings\all users.windows\application data\STOPzilla!

.

==================== Find3M ====================

.

2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll

2011-03-04 06:37:06 420864 ----a-w- c:\windows\system32\vbscript.dll

2011-03-03 13:21:11 1857920 ----a-w- c:\windows\system32\win32k.sys

.

============= FINISH: 19:38:46.35 ===============

Thanks again.


  • Staff

Hi,

I'm afraid I have bad news.

Your logs reveal an information stealing trojan.

I would counsel you to disconnect this PC from the Internet immediately, and only reconnect to download any tools that are required. If you do any banking or other financial transactions on the PC or if it contains any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

You will need to change your passwords, and all other sensitive information, but only once your system is deemed clean.

With that said, please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.

-screen317

Thank you again.

Generally, how bad of an info stealing virus is it?

Anyway, here are the logs you had requested.

ComboFix log:

ComboFix 11-05-29.01 - james 05/30/2011 11:28:52.1.2 - x86 NETWORK

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2039.1623 [GMT -4:00]

Running from: c:\documents and settings\james\Desktop\ComboFix.exe

AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Firewall *Disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\Jame\System

c:\documents and settings\Jame\System\win_qs8.jqx

c:\documents and settings\Jame\WINDOWS

c:\documents and settings\james\Application Data\Adobe\plugs

c:\documents and settings\james\Application Data\Adobe\shed

c:\documents and settings\james\Application Data\Adobe\shed\thr1.chm

c:\documents and settings\Max\WINDOWS

.

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

-------\Legacy_SSHNAS

.

.

((((((((((((((((((((((((( Files Created from 2011-04-28 to 2011-05-30 )))))))))))))))))))))))))))))))

.

.

2011-05-24 20:07 . 2011-05-24 20:08 -------- d-----w- c:\documents and settings\james\Application Data\GetRightToGo

2011-05-23 20:50 . 2011-05-23 20:50 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\PC Tools

2011-05-14 21:34 . 2011-05-15 12:57 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\STOPzilla!

2011-05-14 01:47 . 2011-05-14 01:47 -------- d-----w- c:\documents and settings\james\Application Data\MSN6

2011-05-14 01:47 . 2011-05-14 01:47 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\MSN6

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-03-07 05:33 . 2008-01-10 23:27 692736 ----a-w- c:\windows\system32\inetcomm.dll

2011-03-04 06:37 . 2001-08-23 12:00 420864 ----a-w- c:\windows\system32\vbscript.dll

2011-03-03 13:21 . 2001-08-23 12:00 1857920 ----a-w- c:\windows\system32\win32k.sys

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-05-14 68856]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Mouse Suite 98 Daemon"="ICO.EXE" [2007-04-26 49152]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-04-05 94208]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-04-05 77824]

"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-10-06 122940]

"Persistence"="c:\windows\system32\igfxpers.exe" [2005-04-05 114688]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2007-10-12 29984]

"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2007-10-12 46368]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-12-14 47904]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-12-13 421160]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]

.

c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\

Status Monitor.lnk - c:\program files\Brother\Brmfcmon\BrMfcWnd.exe [2008-11-25 1085440]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]

"Taskman"=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]

@="Service"

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ControlCenter3]

2007-12-21 22:57 86016 ------w- c:\program files\Brother\ControlCenter3\BrCtrCen.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]

2008-11-06 17:33 41264 ----a-w- c:\program files\Common Files\aol\1237842951\ee\aolsoftware.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

2010-12-13 22:16 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyStartUp10.0]

2001-07-25 14:00 241714 ----a-w- c:\program files\Microsoft Money\System\Activation.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Common Files\\aol\\acs\\AOLDial.exe"=

"c:\\Program Files\\Common Files\\aol\\acs\\AOLacsd.exe"=

"c:\\Program Files\\Common Files\\aol\\1237842951\\ee\\aolsoftware.exe"=

"c:\\Program Files\\AOL 9.5\\waol.exe"=

"c:\\Program Files\\Common Files\\aol\\TopSpeed\\3.0\\aoltpsd3.exe"=

"c:\\Program Files\\Common Files\\aol\\Loader\\aolload.exe"=

"c:\\Program Files\\Common Files\\aol\\System Information\\sinf.exe"=

"c:\\Documents and Settings\\james\\Application Data\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"=

.

R1 BpCdrVsd;BpCdrVsd;c:\windows\system32\drivers\BPCDRVSD.SYS [3/16/2008 3:18 PM 8736]

R1 bpfinder;BACKPACK Finder;c:\windows\system32\drivers\bpfinder.sys [3/16/2008 3:19 PM 62359]

R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [1/24/2011 9:23 AM 84072]

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [10/1/2008 6:40 AM 88176]

R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [1/24/2011 9:22 AM 271480]

R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [1/24/2011 9:22 AM 271480]

R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [1/24/2011 9:23 AM 188136]

R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [1/24/2011 9:23 AM 141792]

R3 bpflt;BACKPACK Filter;c:\windows\system32\drivers\bpflt.sys [3/16/2008 3:19 PM 4538]

R3 bpusbflt;BACKPACK USB Filter;c:\windows\system32\drivers\bpusbflt.sys [3/16/2008 3:19 PM 9085]

R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [1/24/2011 9:23 AM 55840]

R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [1/24/2011 9:23 AM 313288]

R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [1/24/2011 9:23 AM 88544]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/3/2010 11:01 PM 135664]

S3 BBSvc;Bing Bar Update Service;c:\program files\Microsoft\BingBar\BBSvc.EXE [2/28/2011 6:44 PM 183560]

S3 bppccard;BACKPACK PC Card;c:\windows\system32\drivers\bppccard.sys [3/16/2008 3:19 PM 5493]

S3 bppnpdrv;BACKPACK Driver;c:\windows\system32\drivers\bppnpdrv.sys [3/16/2008 3:19 PM 19670]

S3 bpusbdrv;BACKPACK USB 1 Cable;c:\windows\system32\drivers\bpusbdrv.sys [3/16/2008 3:19 PM 96768]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [1/3/2010 11:01 PM 135664]

S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [1/24/2011 9:23 AM 88544]

S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [1/24/2011 9:23 AM 84264]

S3 pelps2m;PS/2 Mouse Filter Driver;c:\windows\system32\drivers\pelps2m.sys [1/10/2008 10:48 PM 18048]

.

--- Other Services/Drivers In Memory ---

.

*Deregistered* - mfeavfk01

.

Contents of the 'Scheduled Tasks' folder

.

2011-05-19 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

.

2011-05-30 c:\windows\Tasks\Google Software Updater.job

- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-05-09 19:51]

.

2011-05-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore1cc051a6ee9b3c0.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-04 03:00]

.

2011-05-30 c:\windows\Tasks\SDMsgUpdate (TE).job

- c:\progra~1\SMARTD~1\Messages\SDNotify.exe [2008-09-17 11:29]

.

2011-05-30 c:\windows\Tasks\User_Feed_Synchronization-{FF9790FC-6E0C-49C7-9CF5-B50702C94121}.job

- c:\windows\system32\msfeedssync.exe [2007-08-13 09:31]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.msnbc.com/

mStart Page = about:blank

TCP: DhcpNameServer = 68.105.28.11 68.105.29.11 68.105.28.12

.

.

------- File Associations -------

.

.scr=DWGTrueViewScriptFile

.

- - - - ORPHANS REMOVED - - - -

.

Notify-TPSvc - TPSvc.dll

MSConfigStartUp-AppleSyncNotifier - c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-05-30 11:54

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (LocalSystem)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,a1,13,06,bf,cc,7b,2d,47,b6,fb,ef,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,a1,13,06,bf,cc,7b,2d,47,b6,fb,ef,\

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'explorer.exe'(912)

c:\windows\system32\WININET.dll

c:\progra~1\mcafee\SITEAD~1\saHook.dll

c:\windows\system32\AcSignIcon.dll

c:\program files\Common Files\Autodesk Shared\AcSignCore16.dll

c:\windows\system32\msi.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Common Files\AOL\ACS\AOLAcsd.exe

c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\windows\system32\crypserv.exe

c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

c:\program files\Microsoft\BingBar\SeaPort.EXE

c:\windows\system32\UAService7.exe

c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

c:\program files\Common Files\McAfee\SystemCore\mcshield.exe

c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

c:\windows\system32\rundll32.exe

c:\progra~1\mcafee.com\agent\mcagent.exe

c:\windows\system32\ICO.EXE

c:\program files\Brother\Brmfcmon\BrMfcmon.exe

c:\program files\iPod\bin\iPodService.exe

c:\program files\Common Files\Java\Java Update\jucheck.exe

c:\progra~1\mcafee\msc\mcupdmgr.exe

c:\program files\Internet Explorer\IEXPLORE.EXE

c:\program files\Internet Explorer\IEXPLORE.EXE

.

**************************************************************************

.

Completion time: 2011-05-30 12:15:36 - machine was rebooted

ComboFix-quarantined-files.txt 2011-05-30 16:15

.

Pre-Run: 17,413,599,232 bytes free

Post-Run: 18,673,577,984 bytes free

.

Current=3 Default=3 Failed=1 LastKnownGood=4 Sets=1,2,3,4

- - End Of File - - F2F7F60C6DAAE774606FB1E615347278

And here is the DDS log:

.

DDS (Ver_11-05-19.01) - NTFSx86

Internet Explorer: 8.0.6001.18702

Run by james at 13:45:13 on 2011-05-30

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2039.1378 [GMT -4:00]

.

AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Outdated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Firewall *Enabled*

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost.exe -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\system32\crypserv.exe

C:\Program Files\Google\Update\GoogleUpdate.exe

C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\system32\mfevtps.exe

C:\Program Files\Microsoft\BingBar\SeaPort.EXE

C:\WINDOWS\System32\svchost.exe -k imgsvc

C:\WINDOWS\system32\UAService7.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe

C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\system32\ctfmon.exe

c:\PROGRA~1\mcafee.com\agent\mcagent.exe

C:\WINDOWS\system32\ICO.EXE

C:\WINDOWS\System32\DLA\DLACTRLW.EXE

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe

C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Common Files\Java\Java Update\jucheck.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\notepad.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Microsoft Money\System\urlmap.exe

C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32Info.exe

C:\Documents and Settings\james\Desktop\1st try\dds.com

C:\WINDOWS\system32\WSCRIPT.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.msnbc.com/

mStart Page = about:blank

uURLSearchHooks: IAOLTBSearch Class: {ea756889-2338-43db-8f07-d1ca6fb9c90d} - c:\program files\aol toolbar\aoltb.dll

uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

uURLSearchHooks: H - No File

mURLSearchHooks: IAOLTBSearch Class: {ea756889-2338-43db-8f07-d1ca6fb9c90d} - c:\program files\aol toolbar\aoltb.dll

BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL

BHO: AOL Toolbar Loader: {7c554162-8cb7-45a4-b8f4-8ea1c75885f9} - c:\program files\aol toolbar\aoltb.dll

BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20110124082348.dll

BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5612.1312\swg.dll

BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "c:\program files\microsoft\bingbar\BingExt.dll"

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

BHO: {fdd3b846-8d59-4ffb-8758-209b6ad74acc} - c:\program files\microsoft money\system\mnyviewer.dll

TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "c:\program files\microsoft\bingbar\BingExt.dll"

TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

TB: AOL Toolbar: {de9c389f-3316-41a7-809b-aa305ed9d922} - c:\program files\aol toolbar\aoltb.dll

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

mRun: [Mouse Suite 98 Daemon] ICO.EXE

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE

Thanks.

  • Staff

Generally, how bad of an info stealing virus is it?

In reality, information stealing trojans are bad.

Next, please run a free online scan with the ESET Online Scanner

Note: You will need to use Internet Explorer for this scan.

  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the ActiveX control to install
  4. Click Start
  5. Make sure that the options Remove found threats and Scan unwanted applications are checked
  6. Click Scan
    Wait for the scan to finish
  7. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  8. Copy and paste that log as a reply to this topic

Next, download my Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how things are running now and what issues remain.

-screen317

Thanks again for your help.

It's really not any better. Still getting redirected. In fact, previously when I did a search using Bing (I switched to it after Google) I could just copy and paste the search result address into the web address bar and go to a site that way. This time I typed in 'malawarebytes.org' 8 times before it finally went to your site. The main address bar was getting redirected, that's never happened before.

Also, I have McAfee and 'real time scanning' will not stay on. I have an exclamation point over the 'M' shield in the task bar on the bottom right of the screen and when I click on it to see why, it pops open and tells me that real time scanning is off, so I click to turn it on and almost immediately it switches off.

I am unplugging the internet connection whenever I shut the computer down and I always am running in safe mode to do this work.

After the scan today using ESET it said that 12 (I think) trojans were found and removed. I'm starting to think it is producing offspring in my computer.

Anyway, thanks for your help and I hope we can get this figured out.

Here are the logs you asked for.

ESET log:

ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

# version=7

# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)

# OnlineScanner.ocx=1.0.0.6522

# api_version=3.0.2

# EOSSerial=dab6add005a5584684675b6999d33aa5

# end=finished

# remove_checked=true

# archives_checked=false

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=false

# utc_time=2011-06-01 04:08:09

# local_time=2011-06-01 12:08:09 (-0500, Eastern Daylight Time)

# country="United States"

# lang=9

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=5121 16777190 100 75 9881859 19513822 0 0

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# scanned=114733

# found=13

# cleaned=13

# scan_time=7401

C:\Documents and Settings\james\James' Documents\My Music\black label\black label society (unplugged version).mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan (cleaned - quarantined) 65EA4F7A32C856603F60F29F2B80CFEC C

C:\Documents and Settings\Lara\My Documents\LimeWire\Saved\Gloria Estefan - You'll be mine (party time) - greatest hits.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan (cleaned - quarantined) 5B8091DF80CB38D956BC1D2723E5FFF0 C

C:\Documents and Settings\Lara\My Documents\LimeWire\Saved\hairspray [cd rip].mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan (cleaned - quarantined) 0C6DCEA8A74AB98D9FF36882ED310CAD C

C:\Documents and Settings\Lara\My Documents\LimeWire\Saved\hard to handle (new remix).au a variant of WMA/TrojanDownloader.GetCodec.gen trojan (cleaned - quarantined) 198AEF88256790CF18445C43CFFED274 C

C:\Documents and Settings\Lara\My Documents\LimeWire\Saved\NSync and Gloria Estafan - Music of My Heart.wma WMA/TrojanDownloader.Wimad.NAA trojan (cleaned by deleting - quarantined) F8240ECF37C3F1D3A15AA0EFD31323C7 C

C:\Documents and Settings\Lara\My Documents\LimeWire\Saved\party time gloria estefan extended version.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan (cleaned - quarantined) CD37F1580BE3A9BE561A2D3712D19464 C

C:\Documents and Settings\Lara\My Documents\LimeWire\Saved\party time gloria estefan greatest hit 2009.wma WMA/TrojanDownloader.Wimad.NAD trojan (cleaned by deleting - quarantined) AEFF0ABAF96D4336264BB0C586E6319E C

C:\Documents and Settings\Lara\My Documents\LimeWire\Saved\party time gloria estefan.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan (cleaned - quarantined) F08D1D989C49C0608EB16EF1475A3027 C

C:\Documents and Settings\Lara\My Documents\My Music\LARA SANSA\2.15.09\hairspray [cd rip].mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan (cleaned - quarantined) 0C6DCEA8A74AB98D9FF36882ED310CAD C

C:\Documents and Settings\Lara\My Documents\My Music\LARA SANSA\New Folder\NSync and Gloria Estafan - Music of My Heart.wma WMA/TrojanDownloader.Wimad.NAA trojan (cleaned by deleting - quarantined) F8240ECF37C3F1D3A15AA0EFD31323C7 C

C:\System Volume Information\_restore{4D9994AD-508E-49F8-BEEC-9CC8F4AAEE0B}\RP102\A0024098.exe a variant of Win32/Kryptik.OCM trojan (cleaned by deleting - quarantined) 19115892716267925682C8FFE0B0AC3F C

C:\System Volume Information\_restore{4D9994AD-508E-49F8-BEEC-9CC8F4AAEE0B}\RP102\A0024164.exe a variant of Win32/Kryptik.OCM trojan (cleaned by deleting - quarantined) 61E4D572709A29B27D1FA174B827C99D C

C:\System Volume Information\_restore{4D9994AD-508E-49F8-BEEC-9CC8F4AAEE0B}\RP102\A0024186.exe a variant of Win32/Kryptik.OCM trojan (cleaned by deleting - quarantined) 19115892716267925682C8FFE0B0AC3F C

Security check log:

Results of screen317's Security Check version 0.99.12

Windows XP Service Pack 3

Internet Explorer 8

``````````````````````````````

Antivirus/Firewall Check:

Windows Security Center service is not running! This report may not be accurate!

Windows Firewall Disabled!

ESET Online Scanner v3

McAfee SecurityCenter

Antivirus out of date! (On Access scanning disabled!)

```````````````````````````````

Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware

Java 6 Update 21

Java 6 Update 4

Java 6 Update 5

Out of date Java installed!

Adobe Flash Player 9 (Out of date Flash Player installed!)

Adobe Flash Player

Adobe Reader 9.1.1

Out of date Adobe Reader installed!

````````````````````````````````

Process Check:

objlist.exe by Laurent

``````````End of Log````````````

  • Staff

Hi,

Please see:

HijackThis Forum Policy

We will not be party to obvious use of key gens, cracks, warez or other illegal means of downloading software, music, videos etc. This means no P2P evidence will be supported. Logs that show these in them will be given the option to remove the P2P items. Keygens, cracks, warez and similar will have the thread closed, period. It's theft and against the law.

This goes for Limewire and anything else installed.

Hi,

I understand about the use of illegal downloading. We had limewire and once we found out it was wrong, my wife and I stopped using it and it is no longer on our system. It hasn't been for years. I guess some of the music may still be on here somewhere, but limewire itself has been gone for a long time.

Nothing illegal is done with this computer and I really need your assistance here. I would really appreciate it if you would continue to help me out.

Thank you.

Nothing illegal is done with this computer.

  • Staff

Hi,

That's fine. Always better to clarify.

Delete this folder please:

C:\Documents and Settings\Lara\My Documents\LimeWire

Navigate to Start --> Run, and type Combofix /uninstall in the box that appears. Click OK afterward. Notice the space between the X and the /uninstall

This uninstalls all of ComboFix's components.

Delete SecurityCheck.

After that, navigate to Start --> Control Panel --> Add or Remove Programs, and uninstall the following program (if present):

Java

screen317, glad to hear from you.

I got through everything you had instructed. Just for your information though, when I first ran the uninstall of the combofix the computer shut down on its own.

I tried it again, it asked me to shut off mcafee, which I did. It then found a rootkit and attempted to disinfect it. The computer then asked to be rebooted and when it did it said that combofix was uninstalled. I left it at that, not sure what the hubbub about the rootkit was.

I did see this txt file on my desktop though, not sure when it got there but I'm pretty positive it came up after the combofix uninstall and the reboot. I remember when it was booting up that there was a window with 'C:' and a flashing cursor in it just like when combofix was getting ready to show its log after the original scan. It is named "catchme"

File "C:\WINDOWS\system32\drivers\volsnap.sys" added successfully

File list cleared

There are a few PTN files and a windows recovery- executable file in my desktop now as well.

Not sure what they mean either.

I then uninstalled the Java, Adobe Reader and Adobe Flash Player and the ESET. And reinstalled without an issue. I also updated my McAfee.

I went on to the internet and tried a Google search and clicked on a link about 10 separate times and had no issues with the redirect.

The computer seems to be running well. I don't see any mcafee pop ups and the real time scanning is running.

Thanks, James

Hi James,

Can you please grab a fresh copy of ComboFix, run it, and post its log? I'd like to be 100% sure before sending you on your way.

Hey Chris,

Thanks again. Since I last sent a reply everything seems to be running great.

Here is the combofix log you asked for.

ComboFix 11-06-13.01 - james 06/14/2011 19:52:55.2.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2039.1560 [GMT -4:00]

Running from: c:\documents and settings\james\Desktop\ComboFix.exe

AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Firewall *Disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\james\Desktop\Windows XP Recovery.lnk

c:\documents and settings\james\Start Menu\Programs\Windows XP Recovery

c:\documents and settings\james\Start Menu\Programs\Windows XP Recovery\Uninstall Windows XP Recovery.lnk

c:\documents and settings\james\Start Menu\Programs\Windows XP Recovery\Windows XP Recovery.lnk

.

.

((((((((((((((((((((((((( Files Created from 2011-05-15 to 2011-06-15 )))))))))))))))))))))))))))))))

.

.

2011-06-14 00:32 . 2011-06-14 00:32 -------- d-----w- c:\documents and settings\Lara\Local Settings\Application Data\Temp

2011-06-10 22:44 . 2011-06-10 22:44 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-06-10 22:19 . 2011-06-10 22:19 -------- d-----w- c:\program files\Common Files\Java

2011-06-10 22:19 . 2011-06-10 22:18 73728 ----a-w- c:\windows\system32\javacpl.cpl

2011-05-24 20:07 . 2011-05-24 20:08 -------- d-----w- c:\documents and settings\james\Application Data\GetRightToGo

2011-05-23 20:50 . 2011-05-23 20:50 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\PC Tools

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-06-10 22:18 . 2010-08-30 10:50 472808 ----a-w- c:\windows\system32\deployJava1.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-05-14 68856]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Mouse Suite 98 Daemon"="ICO.EXE" [2007-04-26 49152]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-04-05 94208]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-04-05 77824]

"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-10-06 122940]

"Persistence"="c:\windows\system32\igfxpers.exe" [2005-04-05 114688]

"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2007-10-12 29984]

"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2007-10-12 46368]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-12-14 47904]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-12-13 421160]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]

.

c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\

Status Monitor.lnk - c:\program files\Brother\Brmfcmon\BrMfcWnd.exe [2008-11-25 1085440]

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]

@="Service"

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ControlCenter3]

2007-12-21 22:57 86016 ------w- c:\program files\Brother\ControlCenter3\BrCtrCen.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]

2008-11-06 17:33 41264 ----a-w- c:\program files\Common Files\aol\1237842951\ee\aolsoftware.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

2010-12-13 22:16 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyStartUp10.0]

2001-07-25 14:00 241714 ----a-w- c:\program files\Microsoft Money\System\Activation.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Common Files\\aol\\acs\\AOLDial.exe"=

"c:\\Program Files\\Common Files\\aol\\acs\\AOLacsd.exe"=

"c:\\Program Files\\Common Files\\aol\\1237842951\\ee\\aolsoftware.exe"=

"c:\\Program Files\\AOL 9.5\\waol.exe"=

"c:\\Program Files\\Common Files\\aol\\TopSpeed\\3.0\\aoltpsd3.exe"=

"c:\\Program Files\\Common Files\\aol\\Loader\\aolload.exe"=

"c:\\Program Files\\Common Files\\aol\\System Information\\sinf.exe"=

"c:\\Documents and Settings\\james\\Application Data\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"=

.

R1 BpCdrVsd;BpCdrVsd;c:\windows\system32\drivers\BPCDRVSD.SYS [3/16/2008 3:18 PM 8736]

R1 bpfinder;BACKPACK Finder;c:\windows\system32\drivers\bpfinder.sys [3/16/2008 3:19 PM 62359]

R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [1/24/2011 9:23 AM 84072]

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [10/1/2008 6:40 AM 88176]

R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [1/24/2011 9:22 AM 271480]

R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [1/24/2011 9:22 AM 271480]

R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [1/24/2011 9:23 AM 188136]

R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [1/24/2011 9:23 AM 141792]

R3 bpflt;BACKPACK Filter;c:\windows\system32\drivers\bpflt.sys [3/16/2008 3:19 PM 4538]

R3 bpusbflt;BACKPACK USB Filter;c:\windows\system32\drivers\bpusbflt.sys [3/16/2008 3:19 PM 9085]

R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [1/24/2011 9:23 AM 55840]

R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [1/24/2011 9:23 AM 313288]

R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [1/24/2011 9:23 AM 88544]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/3/2010 11:01 PM 135664]

S3 BBSvc;Bing Bar Update Service;c:\program files\Microsoft\BingBar\BBSvc.EXE [2/28/2011 6:44 PM 183560]

S3 bppccard;BACKPACK PC Card;c:\windows\system32\drivers\bppccard.sys [3/16/2008 3:19 PM 5493]

S3 bppnpdrv;BACKPACK Driver;c:\windows\system32\drivers\bppnpdrv.sys [3/16/2008 3:19 PM 19670]

S3 bpusbdrv;BACKPACK USB 1 Cable;c:\windows\system32\drivers\bpusbdrv.sys [3/16/2008 3:19 PM 96768]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [1/3/2010 11:01 PM 135664]

S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [1/24/2011 9:23 AM 88544]

S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [1/24/2011 9:23 AM 84264]

S3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [8/23/2001 8:00 AM 14336]

S3 pelps2m;PS/2 Mouse Filter Driver;c:\windows\system32\drivers\pelps2m.sys [1/10/2008 10:48 PM 18048]

.

--- Other Services/Drivers In Memory ---

.

*Deregistered* - mfeavfk01

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper

.

Contents of the 'Scheduled Tasks' folder

.

2011-05-19 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

.

2011-06-14 c:\windows\Tasks\Google Software Updater.job

- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-05-09 19:51]

.

2011-06-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore1cc27bd564e79ac.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-04 03:00]

.

2011-06-14 c:\windows\Tasks\SDMsgUpdate (TE).job

- c:\progra~1\SMARTD~1\Messages\SDNotify.exe [2008-09-17 11:29]

.

2011-06-14 c:\windows\Tasks\User_Feed_Synchronization-{FF9790FC-6E0C-49C7-9CF5-B50702C94121}.job

- c:\windows\system32\msfeedssync.exe [2007-08-13 09:31]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.msnbc.com/

mStart Page = about:blank

TCP: DhcpNameServer = 68.105.28.11 68.105.29.11 68.105.28.12

.

.

------- File Associations -------

.

.scr=DWGTrueViewScriptFile

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-06-14 20:07

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (LocalSystem)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,a1,13,06,bf,cc,7b,2d,47,b6,fb,ef,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,a1,13,06,bf,cc,7b,2d,47,b6,fb,ef,\

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(1076)

c:\windows\system32\igfxdev.dll

.

Completion time: 2011-06-14 20:12:15

ComboFix-quarantined-files.txt 2011-06-15 00:12

ComboFix2.txt 2011-05-30 16:15

.

Pre-Run: 22,043,348,992 bytes free

Post-Run: 22,214,537,216 bytes free

.

Current=3 Default=3 Failed=1 LastKnownGood=4 Sets=1,2,3,4

- - End Of File - - 37C55E2095D0F8AEDEA0E22843CAE8DB

  • Staff

Great!

Let's check for any leftovers.

Next, please run a free online scan with the ESET Online Scanner

Note: You will need to use Internet Explorer for this scan.

  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the ActiveX control to install
  4. Click Start
  5. Make sure that the options Remove found threats and Scan unwanted applications are checked
  6. Click Scan
    Wait for the scan to finish
  7. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  8. Copy and paste that log as a reply to this topic

Next, download my Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how things are running now and what issues remain.

-screen317

  • 2 weeks later...

Hey Chris,

Sorry for the delay, I was out of town for a while.

Just so you know, the computer seems to be running great.

Here are the logs you have requested:

ESET log;

ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

# version=7

# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)

# OnlineScanner.ocx=1.0.0.6427

# api_version=3.0.2

# EOSSerial=dab6add005a5584684675b6999d33aa5

# end=finished

# remove_checked=true

# archives_checked=false

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=false

# utc_time=2011-06-28 03:09:16

# local_time=2011-06-27 11:09:16 (-0500, Eastern Daylight Time)

# country="United States"

# lang=9

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=5121 16777177 100 75 12162964 21794927 0 0

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# scanned=111582

# found=0

# cleaned=0

SECURITY CHECK log;

Results of screen317's Security Check version 0.99.17

Windows XP Service Pack 3

Internet Explorer 8

``````````````````````````````

Antivirus/Firewall Check:

Windows Firewall Disabled!

ESET Online Scanner v3

McAfee SecurityCenter

Antivirus up to date!

```````````````````````````````

Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware

Java 6 Update 26

Adobe Flash Player

````````````````````````````````

Process Check:

objlist.exe by Laurent

``````````End of Log````````````

Thanks again, you were absolutely an enormous help.

James

  • Staff

Hi,

Navigate to Start --> Run, and type Combofix /uninstall in the box that appears. Click OK afterward. Notice the space between the X and the /uninstall

This uninstalls all of ComboFix's components.

Delete SecurityCheck.

After that, navigate to Start --> Control Panel --> Add or Remove Programs, and uninstall the following program (if present):

Adobe Flash Player

Restart your computer.

Get the latest version of Adobe Flash Player.

Let me know what issues remain.

-screen317

  • Staff

Hi,

Next, please run the PCPitstop Full Tests here (NOT the PCMatic scan or any other scan; simply register with the box on the left and you will be taken to the Full Tests/Overdrive Test). When the tests are complete, a results page will pop up. Copy and paste the URL of the Results screen and post it here for me.

  • Staff

Hi James,

Not surprised that things are running slow. Your hardware is very old.

PCPitStop noted several things that you can do to improve the shape your computer is in.

Pay particular attention to these items:

• Delete Temporary Files:

Please download CCleaner and save it to your desktop.

  • Run the CCleaner installer.
  • During installation process, please UNCHECK "Add CCleaner Yahoo! Toolbar".
  • Please do NOT run a scan yet!

Now, open CCleaner:

  • Click the "Windows" tab.
  • Select the following:
    • Check everything under the "Internet Explorer" section.
    • Check everything under the "Windows Explorer" section.
    • Check everything under the "System" section.
    • Check ONLY "Old Prefetch data" under the "Advanced" section.
  • Then, click the "Applications" tab:
    • CHECK everything there.
  • Next, click the "Options" button in the left pane, then click the "Advanced" button:
    • CHECK : "Only delete files in Windows Temp folders older than 48 hours".
  • Next, click the "Cleaner" button in the left pane, then click the "Run Cleaner" button (bottom right), click "OK" at the prompt.
  • When done, please exit CCleaner.

CAUTION: Please do NOT use the "Issues" button in the left pane. This is a built-in registry cleaner. If you don’t know how to use it, you may cause irreparable damage to your system.

• Reduce System Restore space (Drive C):

Right click My Computer and click Properties. Select the System Restore tab, and move the slider to 3%. You're pretty much wasting disk space otherwise.

Also take the time to take a look at the other tips PCPitStop reported. I've just highlighted some of the more important ones.

  • 3 weeks later...
  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
