
helping a friend, it's infected


  • This topic is locked
16 replies to this topic

#1 jerryc

jerryc

  • Members
  • 91 posts

Posted 04 February 2009 - 10:53 PM

Hi
I'm helping a friend's cousin who has an old thinkpad. XP pro SP1, no antivirus when I got involved a few days ago. I have run scans and updates, it is now fully M'soft updated, and I have removed a bunch of stuff that Trend Housecall, Superantispyware and Malwarebytes found. However a Kaspersky online scan says there is
Trojan.HTML.Starter.a
and the comp clearly has something deep. It runs slow and has all the characteristics of having a nasty intrusion.
A trendhousecall removed several things but pointed to a registry entry for
InProcServer32
that it could not remove, nor its parent key, in either normal boot or safemode.
I did some research on the ...starter.a but there is nothing with that exact title. Similar titles do not seem relevant, as this one does not appear in a search on the comp.
Help?!?!
Thx for any comments.



#2 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,573 posts

Posted 07 February 2009 - 10:28 PM

When you say the computer "is now fully M'soft updated", does that mean it is now SP3?
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#3 jerryc


Posted 07 February 2009 - 10:41 PM

[quote name='Budapest']
When you say the computer "is now fully M'soft updated", does that mean it is now SP3?
[/quote]

Yes. Does that lead you to any thoughts or comments?
I have run Kaspersky several times, it always finds the same thing, mentioned above. Nothing about it on the internet, but I am thinking the comp is so infected that it can't be trusted any more, so reinstall. But, there is no CD drive, just a floppy; they lost the swappable one. So it may all be moot.
Not often you get to use 'moot' but it seems to fit, eh?
Thx.

#4 Budapest


Posted 07 February 2009 - 11:52 PM

Just that SP1 is no longer supported by Microsoft, so you're asking for trouble by not upgrading.

Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Please download DrWeb-CureIt and save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on drweb-cureit.exe to open the program and click Start. (There is no need to update if you just downloaded the most current version.)
  • Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to download the Full version Free Trial, ignore and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All.
  • When complete, click Select All, then choose Cure > Move incurable.
    (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • Now put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and UNcheck "Heuristic analysis" under the "Scanning" tab, then click Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • When the scan is complete, a message will be displayed at the bottom indicating if any viruses were found.
  • Click "Yes to all" if asked to cure or move the file(s) and select "Move incurable".
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report)


#5 jerryc


Posted 20 February 2009 - 10:01 PM

[quote name='Budapest' date='Feb 7 2009, 11:52 PM' post='1126307']
Just that SP1 is no longer supported by Microsoft, so you're asking for trouble by not upgrading.
[/quote]

Just to be clear, the comp is fully up to date. That's what I thought I said in my post.

I have dl'd and run the program. Thank you.
The initial scan showed nothing. The full scan stopped several times, needing input. I chose 'delete' or 'move' as the case may have been. It's now still scanning.
I hope it'll be done tomorrow and I can post the log.
Ah, it's just finished. Things seem a little different than suggested above.
1. There were viruses found.
2. There was no 'yes to all' that came up.
3. I chose the box 'cure' and then there was a menu, and I chose 'move incurable'.
4. It says it has deleted some of the viruses, and others are incurable so it is moving them. (wxbug.exe is one)
5. the progress bar at the bottom is almost all the way over but it hasn't moved in 15, now 20 mins. I saved the log; will wait for the program to finish and post the log. I have to go, will be back to it tomorrow or Mon.
Thanks!

Edited by jerryc, 20 February 2009 - 10:22 PM.


#6 Budapest


Posted 21 February 2009 - 12:10 AM

When it is finished run a Quick Scan with Malwarebytes in Normal Mode.

Post the logs.

#7 jerryc


Posted 23 February 2009 - 09:20 PM

This is the Dr.Web result and the M'bam file; ran M'bam twice, once in safemode/full scan, once normal/quick scan. No difference. The trojan did not delete after any scan and is still there.
Dr.Web saved in Excel so I saved as a text file also.

777.htm\Script.1;C:\777.htm;VBS.Psyme.243;;
777.htm;C:\;Container contains infected objects;Moved.;
vbsys2.dll;C:\;Trojan.Click.966;Deleted.;
WxBug.EXE;C:\Program Files\AIM\Sysfiles;Adware.Aws;Incurable.Moved.;
vbsys.dll_old;C:\WINDOWS\system32;Trojan.Click.966;Deleted.;


Malwarebytes' Anti-Malware 1.33
Database version: 1732
Windows 5.1.2600 Service Pack 3

2/23/2009 5:32:35 PM
mbam-log-2009-02-23 (17-32-35).txt

Scan type: Quick Scan
Objects scanned: 57389
Time elapsed: 13 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{54645654-2225-4455-44a1-9f4543d34546} (Trojan.Clicker) -> Delete on reboot.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#8 Budapest


Posted 23 February 2009 - 09:46 PM

Please download ATF Cleaner by Atribune & save it to your desktop (alternate download link). DO NOT use yet.
Please download and install SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here and unzip into the program's folder.)
  • Under the "Configuration and Preferences", click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.


#9 jerryc


Posted 24 February 2009 - 04:28 PM

This finds 3 registry entries. The lower 2 entries are the same that I first mentioned, that will not delete either in normal or safemode. The first entry I am not sure if I saw it before or not.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 02/23/2009 at 09:21 PM

Application Version : 4.25.1012

Core Rules Database Version : 3772
Trace Rules Database Version: 1731

Scan type : Complete Scan
Total Scan Time : 01:26:48

Memory items scanned : 224
Memory threats detected : 0
Registry items scanned : 4744
Registry threats detected : 3
File items scanned : 46349
File threats detected : 0

Unclassified.Unknown Origin
HKLM\Software\Classes\CLSID\{54645654-2225-4455-44A1-9F4543D34546}
HKCR\CLSID\{54645654-2225-4455-44A1-9F4543D34546}
HKCR\CLSID\{54645654-2225-4455-44A1-9F4543D34546}\InProcServer32

#10 Budapest


Posted 24 February 2009 - 04:34 PM

Try this scan:

http://www.bleepingcomputer.com/forums/t/131299/how-to-use-sdfix/

#11 jerryc


Posted 25 February 2009 - 03:56 PM

Try this scan:

http://www.bleepingcomputer.com/forums/t/131299/how-to-use-sdfix/

==============================================

I ran that and this is what happened; I have deleted the American Airlines stuff. I don't know about the rest.
The comp runs much better, but still not as I'd expect; it's slow sometimes when bringing up some docs, and keystrokes don't appear immediately all the time.
I am not sure what to make of the AOL stuff. The owner uses that so I didn't want to take it off, but I can remove and reinstall perhaps. What do you suggest?



SDFix: Version 1.240
Run by Administrator on Tue 02/24/2009 at 08:28 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\sdfix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found






Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-24 20:41:32
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Program Files\\American Airlines DealFinder\\American_Airlines_DealFinder.exe"="C:\\Program Files\\American Airlines DealFinder\\American_Airlines_DealFinder.exe"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"C:\\Program Files\\American Airlines DealFinder\\American_Airlines_DealFinder.exe"="C:\\Program Files\\American Airlines DealFinder\\American_Airlines_DealFinder.exe"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :



Files with Hidden Attributes :

Fri 15 Aug 2003 49,237 A..H. --- "C:\Program Files\America Online 9.0\aolphx.exe"
Fri 15 Aug 2003 36,953 A..H. --- "C:\Program Files\America Online 9.0\aoltray.exe"
Fri 15 Aug 2003 40,960 A..H. --- "C:\Program Files\America Online 9.0\RBM.exe"
Wed 29 Dec 2004 233,554 A..H. --- "C:\Program Files\America Online 9.0\waol.exe"
Fri 7 May 2004 54,384 A..H. --- "C:\Program Files\America Online 9.0a\aolphx.exe"
Fri 7 May 2004 156,784 A..H. --- "C:\Program Files\America Online 9.0a\aoltray.exe"
Fri 7 May 2004 31,344 A..H. --- "C:\Program Files\America Online 9.0a\RBM.exe"
Sun 14 Aug 2005 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sun 4 May 2008 40,448 ...H. --- "C:\Documents and Settings\lilyE\Desktop\~WRL2235.tmp"
Mon 17 Sep 2007 24,064 ...H. --- "C:\Documents and Settings\lilyE\My Documents\~WRL1958.tmp"
Fri 30 Jan 2009 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\080070f6461c8001578e5e4cd4bb024b\BIT3A.tmp"
Fri 30 Jan 2009 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\0a7407b49e4a15c0b9a45c0426de5360\BIT40.tmp"
Fri 30 Jan 2009 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\109fef93c24da62cf8f31668d6ba9060\BIT3F.tmp"
Fri 30 Jan 2009 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\1fb659e25c21839251d560da33cbcfad\BIT30.tmp"
Fri 30 Jan 2009 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\28b254fb1d3df181eb61de1dab1aaf98\BIT51.tmp"
Fri 30 Jan 2009 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\2d7809720343ee9223ce4d88d99bf3c2\BIT2B.tmp"
Fri 30 Jan 2009 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\32e99364da67a7850c38a7a4e067a1ed\BIT46.tmp"
Fri 30 Jan 2009 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\4596f4b9d8a4b5253ee760a58a45bcfb\BIT48.tmp"
Fri 30 Jan 2009 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\495213e4cb2a90b1fa5505a5fab8e00b\BIT32.tmp"
Fri 30 Jan 2009 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\4cbc0c1da652794a86c37dbd177bef9d\BIT36.tmp"
Fri 30 Jan 2009 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\4cc8107fde988bba1481bb736cc96c29\BIT4B.tmp"
Fri 30 Jan 2009 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\512e19b377bd5d52a1e190ecbd7a83eb\BIT44.tmp"
Fri 30 Jan 2009 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\63be32bacbd73459f1f4fbd657823ecc\BIT2D.tmp"
Fri 30 Jan 2009 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\694301dbfd149d8645046cbc0b1067e8\BIT42.tmp"
Fri 30 Jan 2009 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\6f0fd10fc234123bcdf54ebca4b84cbd\BIT4E.tmp"
Fri 30 Jan 2009 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\7b94d041c29d0b8d724c97ae0005e71b\BIT45.tmp"
Fri 30 Jan 2009 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\837a8691e43011f909e4b3e192fe1437\BIT33.tmp"
Fri 30 Jan 2009 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\8b20f1a9610d239c2680847de8fa139a\BIT37.tmp"
Fri 30 Jan 2009 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\991c7708c8e096fa51cffd95c6a96fc2\BIT50.tmp"
Fri 30 Jan 2009 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\a1958c12079db3dbba3db562fc08c81b\BIT4C.tmp"
Fri 30 Jan 2009 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\a4eec31189780c76a955690dc00fbe64\BIT41.tmp"
Fri 30 Jan 2009 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\adc42e4e6905251cac80b18a8dccd42a\BIT39.tmp"
Fri 30 Jan 2009 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\aebb83db003f77a45671fd2c1557da38\BIT3C.tmp"
Fri 30 Jan 2009 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\c23140ab2b4cffaee396a230df8b1229\BIT3B.tmp"
Fri 28 Jul 2006 151,088 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\c9cdbfcd49200c55d94bb81819c80f2b\BIT3E.tmp"
Fri 30 Jan 2009 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\d037d9bbbbdf880e477c3840b38c3180\BIT34.tmp"
Fri 30 Jan 2009 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\d20fc1765c1d2a8e6c26cf77036ce48f\BIT4D.tmp"
Fri 30 Jan 2009 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\da70638ee8e6f6c7eff37e755cd6f449\BIT43.tmp"
Fri 30 Jan 2009 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\e3c3121982c8a4d0c1605cfbcb9bb7c8\BIT35.tmp"
Fri 30 Jan 2009 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\edc9e523d8678897d85b5ee0ef1bbf7a\BIT4F.tmp"
Fri 30 Jan 2009 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\f941c900a413f153861a4032214a1aec\BIT3D.tmp"
Fri 30 Jan 2009 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\021bbe9f2a0e31da1414f03ea6d62389\download\BIT59.tmp"
Fri 30 Jan 2009 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\05dc5f0b39a115d1962503e7297cdba7\download\BIT5A.tmp"
Fri 30 Jan 2009 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\1e0d5826a4592cc6d08a9c51de1deab1\download\BIT5D.tmp"
Fri 30 Jan 2009 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\962449eaea2a809dd7a3a95c81a023bd\download\BIT57.tmp"
Fri 30 Jan 2009 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\b3ba2a040ecf3ac2cd2da399851bda00\download\BIT5C.tmp"
Fri 30 Jan 2009 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\b54528191e99a817679c5ba3ee641572\download\BIT5B.tmp"
Fri 30 Jan 2009 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\f040a43a7788e207ef67f26bf9f0471f\download\BIT61.tmp"

Finished!

#12 Budapest


Posted 25 February 2009 - 04:53 PM

Those AOL files are not necessarily bad, the scan was just highlighting the fact that they have hidden attributes.

Maybe you could try some general housekeeping such as running chkdsk and defragging.

#13 jerryc


Posted 25 February 2009 - 05:23 PM

Ok I'll do that in a little while. I'm also going to go back and see if those registry entries are still there, I forgot to look after the scan.
What do you think of all those Jan 30 software distribution files? I think that was the day I got the comp and started on this. I only deleted TIF files which took over 3 hrs, the comp ran so slowly. I had to select and delete a small group of files at a time, it wouldn't do folders.

#14 Budapest


Posted 25 February 2009 - 05:29 PM

I believe that the C:\WINDOWS\SoftwareDistribution\Download folder is used by Microsoft Automatic Updates, so maybe some updates were installed on that day.

#15 jerryc


Posted 25 February 2009 - 10:44 PM

Those registry entries are still there, still won't delete.

Unclassified.Unknown Origin
HKLM\Software\Classes\CLSID\{54645654-2225-4455-44A1-9F4543D34546}
HKCR\CLSID\{54645654-2225-4455-44A1-9F4543D34546}
HKCR\CLSID\{54645654-2225-4455-44A1-9F4543D34546}\InProcServer32


The comp does run better but is clearly still slow and acting oddly, such as taking a long time to close a window or just scrolling down, it doesn't move, doesn't move, then it jumps.
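
Added example (not part of the thread and not posted by either participant): the registry lines from the Malwarebytes and SUPERAntiSpyware logs above, normalised so that hive aliases and letter case do not hide duplicates. It shows that the reported entries are one CLSID key plus its InProcServer32 subkey; the function names are this example's own, and folding both Software\Classes hives into the HKCR view is a simplifying assumption made for grouping.

```python
import re
from collections import defaultdict

# Registry lines copied from the scanner logs posted in this thread.
FINDINGS = [
    ("Malwarebytes",
     r"HKEY_CLASSES_ROOT\CLSID\{54645654-2225-4455-44a1-9f4543d34546}"),
    ("SUPERAntiSpyware",
     r"HKLM\Software\Classes\CLSID\{54645654-2225-4455-44A1-9F4543D34546}"),
    ("SUPERAntiSpyware",
     r"HKCR\CLSID\{54645654-2225-4455-44A1-9F4543D34546}"),
    ("SUPERAntiSpyware",
     r"HKCR\CLSID\{54645654-2225-4455-44A1-9F4543D34546}\InProcServer32"),
]

# Long hive names and their short forms, as different tools print them.
HIVES = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CLASSES_ROOT": "HKCR",
         "HKEY_CURRENT_USER": "HKCU", "HKEY_USERS": "HKU"}
# HKCR is a merged view of these two branches. Assumption of this example:
# both are folded into HKCR for grouping; on a live system check each hive.
CLASSES_PREFIXES = ("HKLM\\SOFTWARE\\CLASSES\\", "HKCU\\SOFTWARE\\CLASSES\\")
CLSID_RE = re.compile(
    r"^HKCR\\CLSID\\(\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\})(?:\\(.+))?$")


def canonical_key(path):
    """Upper-case the path (key names are case-insensitive), shorten the
    hive name and rewrite Software\\Classes paths to the HKCR view."""
    parts = path.strip().rstrip("\\").split("\\")
    parts[0] = HIVES.get(parts[0].upper(), parts[0])
    key = "\\".join(parts).upper()
    for prefix in CLASSES_PREFIXES:
        if key.startswith(prefix):
            key = "HKCR\\" + key[len(prefix):]
    return key


def distinct_keys(findings):
    """Sorted list of distinct registry keys behind the reported lines."""
    return sorted({canonical_key(path) for _tool, path in findings})


def group_by_clsid(findings):
    """Map each CLSID to the subkeys flagged, the tools that flagged it and
    the number of raw report lines that refer to it."""
    groups = defaultdict(lambda: {"subkeys": set(), "tools": set(), "raw": 0})
    for tool, path in findings:
        match = CLSID_RE.match(canonical_key(path))
        if not match:
            continue  # not a COM class registration; ignored here
        group = groups[match.group(1)]
        group["subkeys"].add(match.group(2) or "")  # "" is the CLSID key itself
        group["tools"].add(tool)
        group["raw"] += 1
    return dict(groups)


if __name__ == "__main__":
    print(f"{len(FINDINGS)} report lines, {len(distinct_keys(FINDINGS))} distinct keys")
    for clsid, info in group_by_clsid(FINDINGS).items():
        subkeys = sorted(s or "(key itself)" for s in info["subkeys"])
        print(clsid, "| tools:", ", ".join(sorted(info["tools"])),
              "| subkeys:", ", ".join(subkeys))
```

On the live machine the next value to read is the default value under InProcServer32, which names the DLL the class loads; none of the posted logs show it.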



