Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Trying to remove viruses, not letting me run antispyware software


  • Please log in to reply
7 replies to this topic

#1 jdpitt05

jdpitt05

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:10:46 PM

Posted 18 November 2009 - 12:01 PM

So I have a friends laptop, it is running Windows Vista. It was originally getting a critical error message (will restart in 60 seconds) upon entering windows and would reboot in an endless loop. I was able to get avg to run a full scan in safe mode that got rid of some viruses. And that stopped the error message. I also looked in event viewer and saw sdra64 errors so I googled around. I took some advice I saw on a webpage that said to do this:

Now navigate down this path:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

There will be a registry key in there called userinit. Its data will look like this:

C:\Windows\System32\Userinit.exe,C:\Windows\System32sdra64.exe,

Now what you need to do is remove the second bit I have highlighted in red(C:\Windows\System32sdra64.exe,)


When I go back to registry that second line of sdra.exe is gone and isnt rewriting itself there like some said it would.

Now I can boot into Windows and everything seems fine, but something is still there. I've tried to run adaware, spybot, hijackthis, malwarebytes and they all stop when I try to scan or wont start at all. I've tried running these in normal and safemode. From doing alot of googling and reading I think Combofix may be needed to get rid of this, though not sure. Thank you for helping. Sorry if not providing all info, if anything is needed please request.

BC AdBot (Login to Remove)

 


#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,759 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:11:46 PM

Posted 18 November 2009 - 12:05 PM

Hello... run this first ,then MBAm, then SAS... see below.

Please download Rkill by Grinler and save it to your desktop.Link 2
Link 3
Link 4
  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista, right-click on it and Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • If the tool does not run from any of the links provided, please let me know.
You will need to run the application again if rebooting the computer occurs along the way.

Please download TFC by Old Timer and save it to your desktop.
alternate download link
Save any unsaved work. TFC will close ALL open programs including your browser!
Double-click on TFC.exe to run it. If you are using Vista, right-click on the file and choose Run As Administrator.
Click the Start button to begin the cleaning process and let it run uninterrupted to completion.
Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway to ensure a complete clean.

Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click Update tab, select Check for Updates,when done
click Scanner tab,select Quick scan and scan (normal mode).
After scan click Remove Selected, Post new scan log and Reboot into normal mode.


Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 jdpitt05

jdpitt05
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:10:46 PM

Posted 18 November 2009 - 03:20 PM

Hello thank you for the help. I did everything you said without a problem and here are the log file results.

MBAM LOG RESULTS

Malwarebytes' Anti-Malware 1.41
Database version: 3193
Windows 6.0.6002 Service Pack 2

11/18/2009 1:26:42 PM
mbam-log-2009-11-18 (13-26-42).txt

Scan type: Quick Scan
Objects scanned: 93575
Time elapsed: 11 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 4
Registry Data Items Infected: 9
Folders Infected: 1
Files Infected: 10

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{b45a4b16-23f2-41ad-f4e4-00aac39c0004} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c00e5b12 (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\General\wallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\idstrf (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\WINID (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Folders Infected:
C:\Windows\System32\lowsec (Stolen.data) -> Quarantined and deleted successfully.

Files Infected:
C:\Windows\System32\cngaudit.dll (Trojan.Sirefef) -> Quarantined and deleted successfully.
C:\Windows\System32\lowsec\local.ds (Stolen.data) -> Quarantined and deleted successfully.
C:\Windows\System32\lowsec\user.ds (Stolen.data) -> Quarantined and deleted successfully.
C:\Windows\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scandisk.lnk (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Users\user\AppData\Local\Temp\nsrbgxod.bak (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Windows\win32k.sys (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Users\user\AppData\Local\Temp\jisfije9fjoiee.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Users\user\AppData\Local\Temp\habnf88jkefh87ifiks.tmp (Trojan.Agent) -> Quarantined and deleted successfully.


SUPERANTISPYWARE LOG RESULTS

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 11/18/2009 at 03:04 PM

Application Version : 4.30.1004

Core Rules Database Version : 4287
Trace Rules Database Version: 2160

Scan type : Complete Scan
Total Scan Time : 01:16:59

Memory items scanned : 795
Memory threats detected : 0
Registry items scanned : 7320
Registry threats detected : 1
File items scanned : 32876
File threats detected : 83

Adware.Tracking Cookie
C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\user@theclickcheck[1].txt
C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\user@admarketplace[1].txt
C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\user@stopzilla[1].txt
C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\user@ad.103092804[1].txt
C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\user@ad.adserverplus[1].txt
C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\user@overture[1].txt
C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\user@www.stopzilla[1].txt
C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\user@bridge1.admarketplace[1].txt
C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\Low\user@ad2.doublepimp[1].txt
C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\Low\user@teengrowth[1].txt
C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\Low\user@primetrafficsite[1].txt
C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\Low\user@discountbeautycenter[2].txt
C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\Low\user@www.googleadservices[6].txt
C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\Low\user@www.pornhub[1].txt
C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\Low\user@ads.bridgetrack[1].txt
C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\Low\user@videoegg.adbureau[2].txt
C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\Low\user@www.discountbeautycenter[2].txt
C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\Low\user@edge.ru4[2].txt
C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\Low\user@adserver.adtechus[1].txt
C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\Low\user@ad.yieldmanager[1].txt
C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\Low\user@ads.songlyrics[1].txt
C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\Low\user@tribalfusion[2].txt
C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\Low\user@serving-sys[2].txt
C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\Low\user@serving.adsrevenue.clicksor[2].txt
C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\Low\user@revsci[1].txt
C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\Low\user@nextag[2].txt
C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\Low\user@pornhub[2].txt
C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\Low\user@dc.tremormedia[2].txt
C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\Low\user@overture[2].txt
C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\Low\user@ads.pointroll[1].txt
C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\Low\user@hitbox[1].txt
C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\Low\user@ru4[1].txt
C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\Low\user@www.crackle[1].txt
C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\Low\user@track.platinum-giveaways[2].txt
C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\Low\user@tracking.waterfrontmedia[1].txt
C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\Low\user@youporn[2].txt
C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\Low\user@pool2.teenmassacre[2].txt
C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\Low\user@imrworldwide[2].txt
C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\Low\user@countrymeadows[1].txt
C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\Low\user@www.bleepshocking[1].txt
C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\Low\user@sexinfo101[2].txt
C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\Low\user@mediaplex[2].txt
C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\Low\user@doubleclick[1].txt
C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\Low\user@crackle[2].txt
C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\Low\user@myaccount.verizonwireless[1].txt
C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\Low\user@specificmedia[1].txt
C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\Low\user@atdmt[2].txt
C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\Low\user@www.toseeka[1].txt
C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\Low\user@azjmp[2].txt
C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\Low\user@www.socialtrack[2].txt
C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\Low\user@ad.bodybuilding[1].txt
C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\Low\user@adv.dmv[1].txt
C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\Low\user@www.liveperson[1].txt
C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\Low\user@hearstmagazines.112.2o7[1].txt
C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\Low\user@porn[1].txt
C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\Low\user@www.hrsaccount[1].txt
C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\Low\user@femalefirst.co[2].txt
C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\Low\user@ads.associatedcontent[1].txt
C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\Low\user@media.legacy[2].txt
C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\Low\user@webstats.aetna[2].txt
C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\Low\user@ads.adap[2].txt
C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\Low\user@pluckit.demandmedia[1].txt
C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\Low\user@liveperson[1].txt
C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\Low\user@webstats.aetna[1].txt
C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\Low\user@apmebf[1].txt
C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\Low\user@fastclick[1].txt
C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\Low\user@harpo.122.2o7[1].txt
C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\Low\user@toseeka[2].txt
C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\Low\user@bs.serving-sys[1].txt
C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\Low\user@www.discountdesignereyeglasses[1].txt
C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\Low\user@clickbank[1].txt
C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\Low\user@www.femalefirst.co[2].txt
C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\Low\user@ads.cheapflights[1].txt
C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\Low\user@adserving.autotrader[1].txt
C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\Low\user@am.sexinfo101[1].txt
C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\Low\user@bleepshocking[1].txt
C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\Low\user@lfstmedia[1].txt
C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\Low\user@media.photobucket[2].txt
C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\Low\user@nutritionist.edu-degreefind[1].txt
C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\Low\user@oasc10.247realmedia[1].txt
C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\Low\user@richmedia.yahoo[1].txt
C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\Low\user@samsclubus.pnimedia[1].txt
C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\Low\user@track.bestbuy[1].txt

Trojan.Agent/Gen
HKU\S-1-5-21-1366139551-818623635-1125340765-1000\Software\MailBlocker

#4 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,759 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:11:46 PM

Posted 18 November 2009 - 05:01 PM

Well this looks very good. Running welll now?

Just a note on that backdoor Bot.

A backdoor Trojan can allow an attacker to
gain control of the system, log keystrokes, steal passwords, access personal
data, send malevolent outgoing traffic, and close the security warning
messages displayed by some anti-virus and security programs.

I would advise you to disconnect this PC from the Internet, and then go to
a known clean computer and change any passwords or security information held
on the infected computer. In particular, check whatever relates to online
banking financial transactions, shopping, credit cards, or sensitive
personal information. It is also wise to contact your financial institutions
to apprise them of your situation.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#5 jdpitt05

jdpitt05
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:10:46 PM

Posted 18 November 2009 - 06:46 PM

Hey everything seems to be working well now. Thank you very much for the help. Though the system feels sluggish. CPU usage in task manager jumps all over from like 10 %to 40-55% real fast. I'm not trying to disable some unneeded startup programs and looking over the services running.

#6 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,759 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:11:46 PM

Posted 18 November 2009 - 07:21 PM

Ok that's a good idea. Some things will be slower for a few days as we've removed a lot of temp and coolie files. That should come back in a day or so as you revisit your favorite haunts,

Have you run a system Deframentation lately?

Now you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been backed up, renamed and saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok". Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" tab, then click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
Vista Users can refer to these links: Create a New Restore Point and Disk Cleanup.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#7 jdpitt05

jdpitt05
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:10:46 PM

Posted 18 November 2009 - 07:49 PM

Ok thanks, ran the cleanup and will defrag. Thanks for all the help.

#8 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,759 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:11:46 PM

Posted 18 November 2009 - 08:31 PM

You're most welcome,as new malware is getting stronger and harder to remove, please take a moment to read quietman7's excellent prevention tips in post 6 here
Click >>>> Tips to protect yourself against malware:
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users