
Something Is Eating Up My Hard Drive!


9 replies to this topic

#1 apeddle


Posted 15 October 2007 - 12:43 AM

I have done all the scans on my computer that this site recommended. I have also deleted pretty much everything off my computer that isn't needed, and still I end up this morning with the same amount of space, after removing some very large files and programs. I just can't figure this out.

Also, I read in the preparation guide that Windows XP shouldn't have SP 2. Well, I found out about that after I had already downloaded that I shouldn't have. My friend tried to remove it off HER computer and it crashed her computer so I never did remove it. Is there anything I can do in that respect?

So the major problem is I have 8.47 GB of storage on my hard drive, and am left now with 124 MB of available. I have been constantly removing programs over the last month or two, because the space has been quickly going down. I hope you can help me somehow.

The log is pasted below. It's also attached.

_______________________________________________________________________________________________________

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:04:04 AM, on 10/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\DJSNETCN.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Yahoo!\NAV\navapsvc.exe
C:\Program Files\Yahoo!\NAV\IWP\NPFMntor.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\mqsvc.exe
C:\WINDOWS\System32\mqtgsvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Yahoo!\YOP\secstat.exe
C:\Documents and Settings\Angela\Local Settings\Temporary Internet Files\Content.IE5\G1A74LIV\stinger[1].exe
C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.inbox.com/search/ie.aspx?tb_id=70001
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.inbox.com/support/sa_customize.aspx?TbId=70001
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ca.red.clientapps.yahoo.com/customi.../search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Yahoo!\NAV\NavShExt.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - (no file)
O3 - Toolbar: (no name) - {EE9DD090-902D-4623-9360-FB7D8666202B} - (no file)
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\RunServices: [DJSNetCN] C:\Program Files\Common Files\Symantec Shared\DJSNETCN.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet (User 'Default user')
O4 - Startup: High-Speed Connection Manager.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - {9B7E79AC-A646-4e45-A70F-1B3981FE370E} - file://C:\Program Files\iGive_Shopping_Window\iGivesShoppingWindow\iGivetShoppingWindow\igivC0.htm (file missing) (HKCU)
O15 - Trusted Zone: http://*.bravenet.com
O15 - Trusted Zone: *.Scouting.org
O15 - Trusted Zone: http://www.yahoo.ca
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstall...w.viewpoint.com
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1146488755186
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {F127B9BA-89EA-4B04-9C67-2074A9DF61FC} (PCUploader Class) - http://www.walmartphotocentre.ca/activex/PCAXSetup.cab?
O16 - DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://walmart.pnimedia.com/upload/activex...upv2.0.0.10.cab?
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://www.scn-chat.com/includes/MSNChat45.cab
O20 - Winlogon Notify: ccftil - ccftil.dll (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec Licensing Detect Internet Connection (DJSNETCN) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\DJSNETCN.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Yahoo!\NAV\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Yahoo!\NAV\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Yahoo!\NAV\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

--
End of file - 7803 bytes


#2 Guest_Cretemonster_*


Posted 17 October 2007 - 01:59 PM

Hi apeddle and Welcome to the Bleeping Computer!

Download ComboFix from Here or Here to your Desktop.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall.

#3 apeddle


Posted 17 October 2007 - 04:30 PM

Here is the HijackThis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:50, on 2007-10-17
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\DJSNETCN.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Yahoo!\NAV\navapsvc.exe
C:\Program Files\Yahoo!\NAV\IWP\NPFMntor.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\mqsvc.exe
C:\WINDOWS\System32\mqtgsvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\PROGRA~1\Yahoo!\YOP\secstat.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\cleanmgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\cmd.exe
C:\ComboFix\vfind.cfexe
C:\ComboFix\mtee.cfexe
C:\WINDOWS\system32\findstr.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.inbox.com/search/ie.aspx?tb_id=70001
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.inbox.com/support/sa_customize.aspx?TbId=70001
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ca.red.clientapps.yahoo.com/customi.../search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Yahoo!\NAV\NavShExt.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - (no file)
O3 - Toolbar: (no name) - {EE9DD090-902D-4623-9360-FB7D8666202B} - (no file)
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\RunServices: [DJSNetCN] C:\Program Files\Common Files\Symantec Shared\DJSNETCN.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet (User 'Default user')
O4 - Startup: High-Speed Connection Manager.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - {9B7E79AC-A646-4e45-A70F-1B3981FE370E} - file://C:\Program Files\iGive_Shopping_Window\iGivesShoppingWindow\iGivetShoppingWindow\igivC0.htm (file missing) (HKCU)
O15 - Trusted Zone: http://*.bravenet.com
O15 - Trusted Zone: *.Scouting.org
O15 - Trusted Zone: http://www.yahoo.ca
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstall...w.viewpoint.com
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1146488755186
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {F127B9BA-89EA-4B04-9C67-2074A9DF61FC} (PCUploader Class) - http://www.walmartphotocentre.ca/activex/PCAXSetup.cab?
O16 - DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://walmart.pnimedia.com/upload/activex...upv2.0.0.10.cab?
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://www.scn-chat.com/includes/MSNChat45.cab
O20 - Winlogon Notify: ccftil - ccftil.dll (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec Licensing Detect Internet Connection (DJSNETCN) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\DJSNETCN.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Yahoo!\NAV\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Yahoo!\NAV\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Yahoo!\NAV\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

--
End of file - 7863 bytes


This is the ComboFix file

ComboFix 07-10-17.8@ - Angela 2007-10-17 18:40:54.3 - NTFSx86
Script execution time was exceeded on script "C:\ComboFix\osid.vbs".
Script execution was terminated.
Running from: C:\Documents and Settings\Angela\Local Settings\Temporary Internet Files\Content.IE5\3PMB8DYR\ComboFix[1].exe
.

((((((((((((((((((((((((( Files Created from 2007-09-17 to 2007-10-17 )))))))))))))))))))))))))))))))
.

2007-10-15 03:02 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-14 20:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-14 18:41 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-12 00:55 <DIR> d-------- C:\Documents and Settings\Angela\Application Data\Uniblue
2007-10-10 09:40 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-10-09 17:19 <DIR> d-------- C:\Documents and Settings\Angela\.housecall6.6
2007-10-07 18:26 <DIR> d-------- C:\Program Files\Java
2007-10-07 18:21 <DIR> d-------- C:\Program Files\Common Files\Java
2007-10-07 11:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sonic
2007-10-05 18:56 <DIR> d-------- C:\Program Files\HP RecordNow
2007-09-23 19:02 89,600 --a------ C:\SIGNER.DLL
2007-09-23 18:59 45,056 --a------ C:\MAKECERT.EXE
2007-09-23 18:57 69,632 --a------ C:\SELFCERT.EXE

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-16 01:38 --------- d--h--r C:\Documents and Settings\Angela\Application Data\yahoo!
2007-10-15 01:45 --------- d-----w C:\Program Files\MSECACHE
2007-10-14 21:43 --------- d-----w C:\Program Files\Messenger Plus! Live
2007-10-14 21:39 --------- d-----w C:\Program Files\WS_FTP Pro
2007-10-14 17:38 --------- d-----w C:\Program Files\Hewlett-Packard
2007-10-13 13:00 --------- d-----w C:\Program Files\Google
2007-10-12 11:53 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-10-10 00:16 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-10-10 00:14 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-05 21:07 --------- d-----w C:\Program Files\Viewpoint
2007-10-05 21:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-10-05 20:58 --------- d-----w C:\Program Files\Common Files\Adobe
2007-10-05 20:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2007-10-05 19:21 --------- d-----w C:\Program Files\Inbox
2007-09-18 18:31 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-09-18 18:31 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2007-09-18 18:31 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-09-18 18:31 10,676 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-09-18 18:31 --------- d-----w C:\Program Files\Symantec
2007-09-15 16:53 --------- d-----w C:\Documents and Settings\Angela\Application Data\Share-to-Web Upload Folder
2007-09-02 23:54 --------- d-----w C:\Program Files\Yahoo!
2007-09-02 23:04 --------- d-----w C:\Program Files\R-Wipe&Clean
2007-09-02 14:57 --------- d-----w C:\Documents and Settings\Angela\Application Data\R-Wipe&Clean
2007-08-27 19:43 97,672 ----a-w C:\WINDOWS\system32\drivers\symfw.sys
2007-08-27 19:43 537,992 ----a-w C:\WINDOWS\system32\SymNeti.dll
2007-08-27 19:43 31,624 ----a-w C:\WINDOWS\system32\drivers\symids.sys
2007-08-27 19:43 28,040 ----a-w C:\WINDOWS\system32\drivers\symndis.sys
2007-08-27 19:43 23,944 ----a-w C:\WINDOWS\system32\drivers\symredrv.sys
2007-08-27 19:43 189,320 ----a-w C:\WINDOWS\system32\drivers\symtdi.sys
2007-08-27 19:43 161,160 ----a-w C:\WINDOWS\system32\SymRedir.dll
2007-08-27 19:43 12,680 ----a-w C:\WINDOWS\system32\drivers\symdns.sys
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-07-30 21:49 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-07-30 21:49 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-07-30 21:49 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-07-30 21:49 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-07-30 21:49 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-07-30 21:49 271,224 ----a-w C:\WINDOWS\system32\mucltui.dll
2007-07-30 21:49 207,736 ----a-w C:\WINDOWS\system32\muweb.dll
2007-07-30 21:49 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-07-30 21:49 1,712,984 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-07-30 21:48 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-07-03 22:07 209,528 -c--a-w C:\Documents and Settings\Angela\Application Data\GDIPFONTCACHEV1.DAT
2006-10-27 23:09 53,248 -csha-w C:\Program Files\Thumbs.db
2006-08-10 18:40 14,336 -csha-w C:\Program Files\Common Files\Thumbs.db
2001-08-23 12:00:00 94,784 -csh--w C:\WINDOWS\twain.dll
2004-08-04 04:26:48 50,688 --sh--w C:\WINDOWS\twain_32.dll
2004-08-04 04:26:44 1,028,096 --sh--w C:\WINDOWS\system32\mfc42.dll
2004-08-04 04:26:44 54,784 --sh--w C:\WINDOWS\system32\msvcirt.dll
2004-08-04 04:26:44 413,696 --sh--w C:\WINDOWS\system32\msvcp60.dll
2004-08-04 04:26:44 343,040 --sh--w C:\WINDOWS\system32\msvcrt.dll
2007-05-17 11:28:05 549,376 --sh--w C:\WINDOWS\system32\oleaut32.dll
2004-08-04 04:26:46 83,456 --sh--w C:\WINDOWS\system32\olepro32.dll
2004-08-04 04:26:56 11,776 --sh--w C:\WINDOWS\system32\regsvr32.exe
.

((((((((((((((((((((((((((((( snapshot@2007-10-14_19.18.30.92 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-10-14 21:45:34 210,190 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
+ 2007-10-17 12:41:17 210,195 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
- 2007-10-05 12:37:31 279,552 ----a-w C:\WINDOWS\system32\swreg.exe
+ 2007-04-02 16:51:27 139,776 ----a-w C:\WINDOWS\system32\swreg.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsmqIntCert"="regsvr32 /s mqrt.dll" []
"YOP"="C:\PROGRA~1\Yahoo!\YOP\yop.exe" [2006-08-31 17:01]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-22 22:19]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 02:41]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"DJSNetCN"=C:\Program Files\Common Files\Symantec Shared\DJSNETCN.exe

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ccftil]
ccftil.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, msnsspc.dll, digest.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
???

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SHS]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\snpstd3]
C:\WINDOWS\vsnpstd3.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YOP]
C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart

R3 als4k;AOpen AW200/AS9200 Sound Driver (WDM);C:\WINDOWS\system32\drivers\als4000.sys
R3 ALS4KMF;ALS4KMF;C:\WINDOWS\system32\drivers\mf.sys
R3 alsgame;Gameport for AOpen AW200/AS9200;C:\WINDOWS\system32\drivers\alsgame.sys
R3 perm2;perm2;C:\WINDOWS\system32\DRIVERS\perm2.sys
S3 AvFlt;Antivirus Filter Driver;C:\WINDOWS\system32\drivers\av5flt.sys
S3 p2pgasvc;Peer Networking Group Authentication;C:\WINDOWS\System32\svchost.exe -k p2psvc
S3 p2pimsvc;Peer Networking Identity Manager;C:\WINDOWS\System32\svchost.exe -k p2psvc
S3 p2psvc;Peer Networking;C:\WINDOWS\System32\svchost.exe -k p2psvc
S3 PNRPSvc;Peer Name Resolution Protocol;C:\WINDOWS\System32\svchost.exe -k p2psvc

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc p2psvc p2pimsvc p2pgasvc PNRPSvc

.
Contents of the 'Scheduled Tasks' folder
"2007-10-12 22:44:47 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - Angela.job"
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-17 18:52:12
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-10-17 18:56:27
C:\ComboFix2.txt ... 2007-10-14 20:18
C:\ComboFix3.txt ... 2007-10-14 19:22
.
--- E O F ---



I also wanted to know if there is any way I can remove SP2. Someone told me that XP should have SP2 on their computer, that it causes problems. Any ideas?

Thank you!
Angela

#4 Guest_Cretemonster_*


Posted 17 October 2007 - 05:54 PM

Interesting, I don't see much of anything in there but I do need you to tell me about this PC.

What's it used for, how old is it, is it networked or accessed remotely... stuff like that.

Open HijackThis-> Click "Do a System Scan Only" and put a check by these but DO NOT hit the Fix Checked button yet

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ca.red.clientapps.yahoo.com/customi.../search/ie.html

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

O9 - Extra button: (no name) - {9B7E79AC-A646-4e45-A70F-1B3981FE370E} - file://C:\Program Files\iGive_Shopping_Window\iGivesShoppingWindow\iGivetShoppingWindow\igivC0.htm (file missing) (HKCU)

O15 - Trusted Zone: http://*.bravenet.com

O20 - Winlogon Notify: ccftil - ccftil.dll (file missing)

Now Make sure ALL WINDOWS and BROWSERS are CLOSED and hit the Fix Checked Button


Right-Click Here and Click "Save As" to download DelDomains.inf to your desktop.

Right Click DelDomains.inf on your desktop and select "Install"

It will perform a silent process--> Give it a few seconds to run.


Please run the F-Secure Online Scanner

Note: This Scanner is for Internet Explorer Only
  • Follow the instructions on the F-Secure page for proper installation.
  • Accept the License Agreement.
  • Once the ActiveX installs, click Full System Scan.
  • Once the download completes, the scan will begin automatically.
  • The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and Copy & Paste the entire report in your next reply.


#5 apeddle


Posted 18 October 2007 - 06:57 PM

I did the scan on HijackThis and checked the ones off you said and clicked fix. That's done. I ran DelDomains.inf, but nothing happened?? I guess nothing is supposed to happen if it's a silent process. I'm not able to run F-Secure because it needs 500 MB of free space, but I only have 94.5 MB left on my computer. I have now removed EVERYTHING from my computer, except the necessary things, or things that I have no idea of what they are. I've attached a clip of my add/remove page. If you see anything there I don't need (SP2?), please let me know!

My computer is very old. I bought it second hand about 4 years ago, but when I got it it had Windows 95 on it. It was upgraded to Windows XP. It had a SCZY hard drive when I first got it, but the hard drive was replaced about 2 years ago.

I mainly use it for photography, web design, and internet activities (games, chat, etc.). I'm not sure what you mean by networked or accessed remotely?

I did a PC Pitstop scan and this is the info I got from that! I don't know what most of it means.
----------------------------------------------------------------------------------------------------------------
Description Drive C
Partition format NTFS
Cluster size 4 KB
Drive label No Label
Size 8675 MB
Free space 89 MB (1%)
Junk files 18 MB (0%)
System Restore Space 1041 MB (12%)
Data fragmentation 76%
File fragmentation 5%
Uncached speed 4 MB/s (30%)

Description Your Results
Brand/Model HP Kayak
Type Desktop
Serial Number Not available
BIOS PhoenixBIOS 4.0 Release 6.0.Z 01/22/99

Description Your Results
Brand/Model Intel Pentium II
Nominal Clock Speed 450 MHz
Measured Clock Speed 450 MHz
CPU Load 0%
Speed Rating 1250 (103% of 181 similar)

Description Your Results
Bandwidth Down 162 Kbits/sec
Bandwidth Up Not tested
Average Ping 101 ms
Ping Loss 0%
TCP Receive Window (default)
External IP Address 205.251.101.20
Internal IP Address 205.251.101.20
Browser MSIE 6.0; YPC 3.2.0; SV1; .NET CLR 1.1.4322
IE current cache 18 MB
IE max cache 200 MB

Description Your Results
Common Name Windows XP Pro SP2
Full Version Windows XP Pro SP2
First Install Thu Jan 6 2005
Free Resources 90%
Fonts Installed 545
Windows Scripting Version 5.6.0.8820
PCPitstop Version 179
CPU Load 0%



Name Vendor Complete File Name (it says the blue optional and the green are required)
Speech Microsoft Corporation C:\WINDOWS\system32\ctfmon.exe
HP software update Hewlett-Packard Development Company, L.P. C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
SBC Yahoo! Online Protection Yahoo! Inc. C:\PROGRA~1\Yahoo!\YOP\yop.exe
Debugger Microsoft Corporation C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
MSN Messenger Microsoft Corporation C:\Program Files\Messenger\msmsgs.exe
Microsoft Message Queue Microsoft Corporation C:\WINDOWS\System32\mqtgsvc.exe

Yahoo Messager Yahoo!, Inc. C:\PROGRA~1\Yahoo!\browser\ycommon.exe
Symantec Licensing Detect Symantec Corporation C:\Program Files\Common Files\Symantec Shared\DJSNETCN.exe
Norton Security Console Symantec Corporation C:\Program Files\Common Files\Symantec Shared ... \NSCSRVCE.EXE
Symantec products Symantec Corporation C:\Program Files\Common Files\Symantec Shared\ccApp.exe
Symantec products Symantec Corporation C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
Live Update Symantec Corporation C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
Norton Antivirus Symantec Corporation C:\Program Files\Yahoo!\NAV\navapsvc.exe
IIS Microsoft Corporation C:\WINDOWS\System32\inetsrv\inetinfo.exe
Print spooler Microsoft Corporation C:\WINDOWS\system32\spoolsv.exe
Windows Update Microsoft Corporation C:\WINDOWS\system32\wuauclt.exe
Status Helper Symantec Corporation C:\PROGRA~1\Yahoo!\YOP\secstat.exe
Symantec Common Symantec Corporation C:\Program Files\Common Files\Symantec Shared ... \symlcsvc.exe
Norton Internet Security Symantec Corporation C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
Symantec Common Symantec Corporation C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
Symantec Common Symantec Corporation C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
Norton Internet Security Symantec Corporation C:\Program Files\Yahoo!\NAV\IWP\NPFMntor.exe
Internet Explorer Microsoft Corporation C:\Program Files\internet explorer\iexplore.exe
Windows Explorer Microsoft Corporation C:\WINDOWS\Explorer.EXE
Message Queue Server Microsoft Corporation C:\WINDOWS\System32\mqsvc.exe
Local Security Authority Microsoft Corporation C:\WINDOWS\system32\lsass.exe
Service control process Microsoft Corporation C:\WINDOWS\system32\services.exe
Service host process Microsoft Corporation C:\WINDOWS\system32\svchost.exe


Setting name Value
Video acceleration disabled No
Paging of kernel disabled Yes
Screen saver running during tests No
NOIDE key found in registry No
Running 32-bit code on 64-bit Windows No
System Restore disabled No
Large System Cache enabled No
Has batteries No
Hibernate enabled No
HIBERFIL.SYS present No
Hibernate policy in use No
Sleep/Resume policy in use No
Running on battery power No

Description Your Results IE Restricted Zone Permissions
Run ActiveX controls and plug-ins
Download signed ActiveX controls
Script ActiveX controls marked safe for scripting
Allow cookies that are stored on your computer
Active scripting enabled
Drag and drop or copy and paste files
Software channel permissions enabled
Userdata persistence enabled

Edited by apeddle, 18 October 2007 - 07:01 PM.


#6 Guest_Cretemonster_*

Posted 18 October 2007 - 10:03 PM

Looks like you barely have a full cylinder on the hard drive; I wasn't aware it was as small as it is or as old as it is.

I have a machine of similar specs which is about 10 years old; the setup is not all that different, but I do understand the lack of space.

Tell me about the Symantec product you have. Is it bought and paid for?

#7 apeddle

Posted 19 October 2007 - 06:37 AM

Hum! I'm not too sure about computer talk, so I'm not sure what a cylinder is. It's just funny how it was working wonderfully for so long, and then all of a sudden the space dropped (I'm at 61 MB today). Very quickly. I've had to remove EVERY program from my computer. Did you take a look at my add/remove shot?

As for the Symantec program, I'm guessing that's the Norton Protection? It actually comes along with my ISP (Rogers Yahoo). I've been thinking of removing it, but am scared to death about a virus getting to my computer. And I can't afford to actually BUY virus protection.

This computer has been WONDERFUL!! I had all my photo editing programs on it. Lots of space to store and download photos and music. Now, even after removing everything, I have nothing. So frustrating as it's putting my small business on hold, and I don't have enough to buy a new one.

Sorry to babble on.

Angela

#8 Guest_Cretemonster_*

Posted 19 October 2007 - 09:06 AM

Dunno why this didn't dawn on me in the first place---> System Restore Space 1041 MB (12%)

Definitely need to clear out System Restore and make its settings for storing restore points to a minimum.

Here is a link to help with disabling System Restore
http://support.microsoft.com/kb/310405

Now when you get to step 2

In the System Properties dialog box, click the System Restore tab


Here you will notice a slider tab that controls the amount of space System Restore is allowed... you may have to click on the Settings button before you see the slider, depending on your setup.

I think 12% is max and I have all mine set to 6% or less... usually a little over a third of full capacity.

Take the time to disable System Restore and reboot the machine, then re-enable it and set the amount allowed to no more than 6% and see if this doesn't restore the missing space.

Now, read below first, and if you decide to go with the free antivirus I suggest, then wait till all that's done before disabling System Restore or you will need to do it all over again after uninstalling Norton and installing the new AV.


As for Symantec Antivirus... bah... get the free version of Antivir, it's what I have on all my home machines now.

free-av.com will get you to the main site; look for the free personal home version.

Be sure to download the Antivir setup file first, then proceed to disconnect from the internet and remove Norton from Add/Remove, then install Antivir. When you reboot, reconnect the internet before restart and you should get prompted to update... from there, you should be good to go.

#9 apeddle

Posted 19 October 2007 - 04:43 PM

Well holy crap!! I removed my Norton, restarted it and it immediately shot up to 3.41 GB. That's 40% FREE SPACE!! YAY!! I guess I shouldn't be too excited. I have that space, but still don't know what was eating up my space, so I might not have all of that for long. So, I'm going to disable my local connection while I don't have antivirus on here, and do a defragment. I have an extremely defragmented screen. LOL! You should see it. It's gonna take a while. Someone mentioned to me about compressing C Drive. Is that a good idea? And again, I want to ask about SP2. Is there any way to remove it? Someone told me I shouldn't have it on my computer with XP.

Are there any more awesome ideas you have? This is great.

OK, I'm gonna turn off the connection and defragment.

Angela

#10 Guest_Cretemonster_*

Posted 19 October 2007 - 05:05 PM

Let's make sure I say this right... You need every update Microsoft deems necessary for your computer.

These are all mostly security related and it's your only source for a firewall at this point.

Antivir should not take up near as much space as Norton did and uses half the resources.

System Restore looks like it was eating up a ton of space on this system; space isn't something you have a lot to spare.

Get on with your housecleaning and get System Restore all settled in with about 6% allowed and see how the system does.
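An added example, not part of the original thread: a Python sketch for answering "what is eating the drive" by ranking top-level folders by size and reporting how much used space sits where the account cannot look (on XP, restore points live under System Volume Information, which is normally unreadable on NTFS). The function names `dir_size`, `audit` and `unaccounted` are this example's own.

```python
import os
import shutil
import sys

def dir_size(path, unreadable):
    """Total bytes of files under path; paths that cannot be read are recorded."""
    total = 0
    # os.walk swallows listing errors unless onerror is given; keep them instead.
    walker = os.walk(path, onerror=lambda err: unreadable.append(err.filename))
    for folder, _dirs, files in walker:
        for name in files:
            full = os.path.join(folder, name)
            try:
                total += os.lstat(full).st_size
            except OSError:
                unreadable.append(full)
    return total

def audit(root):
    """Rank root's top-level entries by size, largest first."""
    sizes, unreadable = {}, []
    for entry in os.scandir(root):
        try:
            if entry.is_dir(follow_symlinks=False):
                sizes[entry.name] = dir_size(entry.path, unreadable)
            else:
                sizes[entry.name] = entry.stat(follow_symlinks=False).st_size
        except OSError:
            unreadable.append(entry.path)
    ranked = sorted(sizes.items(), key=lambda item: item[1], reverse=True)
    return ranked, unreadable

def unaccounted(root, ranked):
    """Bytes the volume reports as used that the walk could not see.
    Only meaningful when root is the root of the volume."""
    return shutil.disk_usage(root).used - sum(size for _, size in ranked)

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else os.path.abspath(os.sep)
    ranked, unreadable = audit(root)
    for name, size in ranked[:15]:
        print(f"{size / 2**20:10.1f} MB  {name}")
    print(f"{unaccounted(root, ranked) / 2**20:10.1f} MB  not visible to this account")
    for path in unreadable:
        print("unreadable:", path)
```

The unaccounted figure is approximate, since file sizes ignore cluster slack and file-system metadata, but a gap of hundreds of megabytes next to an unreadable folder shows where the space went.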



