
Infected with Worm.Brontok, registry keys modified



#1 busychild

  • Members
  • 2 posts

Posted 18 November 2009 - 09:26 PM

Hello all,

I'm running XP Pro SP3, Avira AntiVir Premium (real-time protection) along with a-squared and Malwarebytes (on-demand scanners). Yesterday I was browsing through some wallpapers in a folder that also contained the Brontok worm. Avira picked it up, but by the time I was able to send it to quarantine/delete it, it had spread all over my system, starting its own processes and also modifying some registry keys. The first thing I noticed is that I lost my Dell wireless card utility. Then the rest of the programs running at that moment crashed and Windows logged off. Immediately after I hard rebooted (the only way out), Avira started throwing all these warnings about malicious services/processes and files, i.e. winlogon.exe, services.exe, lsass.exe, smss.exe, eksplorasi.exe, sempalong.exe etc.

I gave it another try with a restart but the same crazy stuff was happening. So I disabled System Restore and booted XP into Safe Mode. I ran the a-squared scanner first, but it was able to remove just a couple of bad files and could not handle the rest. Then I started Malwarebytes and ran a quick scan. About a year ago Malwarebytes saved my sister's system that got infected with Vundo. There were 20 files, registry keys and processes found and supposedly fixed. I was like, great, Malwarebytes did it again!! I saved the log files (posted below) and exited.

I started XP normally and immediately the Windows Explorer/My Computer folder came up. There were no more Avira pop-ups, but I'm having some major issues and XP is now running kind of sluggish. Here are some of the problems I've encountered so far:

1. I'm getting random crashes with Firefox and IE.
2. The "your system is running low on virtual memory" message has popped up three times in the taskbar already, causing a huge slowdown in performance. I've never seen this since I got this PC some 2.5 years ago.
3. Every time I try a restart, Windows closes all programs/processes, both the desktop icons and the taskbar disappear, but then it just stalls right there with the desktop wallpaper. The only way to shut it off is by pressing the on/off button.
4. Every time I start XP, the "My Computer" window loads up.
5. I can't use the Dell wireless card WLAN utility, although it is on the "msconfig" start-up programs list. Even when I try to start it manually it is a no-go.

Although MBAM did a nice job cleaning the infection, there are still some bad instances left. Also it seems like the registry was modified in a way that causes the system to act all "funky".
Are there any tests/scans that you guys would recommend? Any utilities that can fix/restore the broken reg keys?

Thanks.

edit:

mbam log:


Malwarebytes' Anti-Malware 1.41
Database version: 3192
Windows 5.1.2600 Service Pack 3 (Safe Mode)

11/17/2009 8:03:21 PM
mbam-log-2009-11-17 (20-03-21).txt

Scan type: Quick Scan
Objects scanned: 113777
Time elapsed: 4 minute(s), 58 second(s)

Memory Processes Infected: 3
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 3
Folders Infected: 2
Files Infected: 20

Memory Processes Infected:
C:\Documents and Settings\Administrator\Local Settings\Application Data\winlogon.exe (Worm.Brontok) -> Unloaded process successfully.
C:\Documents and Settings\Administrator\Local Settings\Application Data\services.exe (Worm.Brontok) -> Unloaded process successfully.
C:\Documents and Settings\Administrator\Local Settings\Application Data\lsass.exe (Worm.Brontok) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tok-cirrhatus (Worm.Brontok) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bron-spizaetus (Worm.Brontok) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Worm.Brontok) -> Data: c:\windows\eksplorasi.exe -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\Administrator\Local Settings\Application Data\Bron.tok-12-17 (Worm.Brontok) -> Quarantined and deleted successfully.
C:\Documents and Settings\TEDi&VaNYa\Local Settings\Application Data\Bron.tok-12-17 (Worm.Brontok) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\Administrator\Local Settings\Application Data\winlogon.exe (Worm.Brontok) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Application Data\services.exe (Worm.Brontok) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Application Data\lsass.exe (Worm.Brontok) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Application Data\smss.exe (Worm.Brontok) -> Quarantined and deleted successfully.
C:\WINDOWS\SHELLNEW\sempalong.exe (Worm.Brontok) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Empty.pif (Worm.Brontok) -> Quarantined and deleted successfully.
C:\Documents and Settings\TEDi&VaNYa\Start Menu\Programs\Startup\Empty.pif (Worm.Brontok) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\Administrator's Setting.scr (Worm.Brontok) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TEDi&VaNYa's Setting.scr (Worm.Brontok) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Application Data\csrss.exe (Worm.Brontok) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Application Data\inetinfo.exe (Worm.Brontok) -> Quarantined and deleted successfully.
C:\Documents and Settings\TEDi&VaNYa\Local Settings\Application Data\csrss.exe (Worm.Brontok) -> Quarantined and deleted successfully.
C:\Documents and Settings\TEDi&VaNYa\Local Settings\Application Data\inetinfo.exe (Worm.Brontok) -> Quarantined and deleted successfully.
C:\Documents and Settings\TEDi&VaNYa\Local Settings\Application Data\lsass.exe (Worm.Brontok) -> Quarantined and deleted successfully.
C:\Documents and Settings\TEDi&VaNYa\Local Settings\Application Data\services.exe (Worm.Brontok) -> Quarantined and deleted successfully.
C:\Documents and Settings\TEDi&VaNYa\Local Settings\Application Data\smss.exe (Worm.Brontok) -> Quarantined and deleted successfully.
C:\Documents and Settings\TEDi&VaNYa\Local Settings\Application Data\winlogon.exe (Worm.Brontok) -> Quarantined and deleted successfully.
C:\WINDOWS\eksplorasi.exe (Worm.Brontok) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Templates\Brengkolang.com (Worm.Brontok) -> Quarantined and deleted successfully.
C:\Documents and Settings\TEDi&VaNYa\Templates\Brengkolang.com (Worm.Brontok) -> Quarantined and deleted successfully.


............................................................................................................................................................

a-squared log:

a-squared Free - Version 4.5
Last update: 10/22/2009 6:32:54 PM

Scan settings:

Scan type: Smart Scan
Objects: Memory, Traces, Cookies, C:\WINDOWS\, C:\Program Files
Scan archives: On
Heuristics: Off
ADS Scan: On

Scan start: 11/17/2009 4:02:08 PM

[1044] C:\Documents and Settings\Administrator\Local Settings\Application Data\winlogon.exe detected: Email-Worm.Win32.Brontok!IK
[1116] C:\Documents and Settings\Administrator\Local Settings\Application Data\services.exe detected: Email-Worm.Win32.Brontok!IK
[1128] C:\Documents and Settings\Administrator\Local Settings\Application Data\lsass.exe detected: Email-Worm.Win32.Brontok!IK
C:\Documents and Settings\TEDi&VaNYa\Application Data\Mozilla\Firefox\Profiles\dpnpwccf.default\cookies.sqlite:1256312880875000 detected: Trace.TrackingCookie.cnt.tyxo.bg!A2
C:\Documents and Settings\TEDi&VaNYa\Application Data\Mozilla\Firefox\Profiles\dpnpwccf.default\cookies.sqlite:1256312883281251 detected: Trace.TrackingCookie.count!A2
C:\Documents and Settings\TEDi&VaNYa\Application Data\Mozilla\Firefox\Profiles\dpnpwccf.default\cookies.sqlite:1256321322203125 detected: Trace.TrackingCookie.about.com!A2
C:\Documents and Settings\TEDi&VaNYa\Application Data\Mozilla\Firefox\Profiles\dpnpwccf.default\cookies.sqlite:1256321324296877 detected: Trace.TrackingCookie.about.com!A2
C:\Documents and Settings\TEDi&VaNYa\Application Data\Mozilla\Firefox\Profiles\dpnpwccf.default\cookies.sqlite:1256321324312500 detected: Trace.TrackingCookie.about.com!A2
C:\Documents and Settings\TEDi&VaNYa\Application Data\Mozilla\Firefox\Profiles\dpnpwccf.default\cookies.sqlite:1256321329875000 detected: Trace.TrackingCookie.about.com!A2
C:\Documents and Settings\TEDi&VaNYa\Application Data\Mozilla\Firefox\Profiles\dpnpwccf.default\cookies.sqlite:1256321331718750 detected: Trace.TrackingCookie.about.com!A2
C:\Documents and Settings\TEDi&VaNYa\Application Data\Mozilla\Firefox\Profiles\dpnpwccf.default\cookies.sqlite:1256321331718752 detected: Trace.TrackingCookie.about.com!A2
C:\Documents and Settings\TEDi&VaNYa\Application Data\Mozilla\Firefox\Profiles\dpnpwccf.default\cookies.sqlite:1256321331718753 detected: Trace.TrackingCookie.about.com!A2
C:\Documents and Settings\TEDi&VaNYa\Application Data\Mozilla\Firefox\Profiles\dpnpwccf.default\cookies.sqlite:1256321972375002 detected: Trace.TrackingCookie.www.com!A2
C:\Documents and Settings\TEDi&VaNYa\Application Data\Mozilla\Firefox\Profiles\dpnpwccf.default\cookies.sqlite:1256321973187500 detected: Trace.TrackingCookie.www.com!A2
C:\Documents and Settings\TEDi&VaNYa\Application Data\Mozilla\Firefox\Profiles\dpnpwccf.default\cookies.sqlite:1256321993390625 detected: Trace.TrackingCookie.stats1.clicktracks!A2
C:\Documents and Settings\TEDi&VaNYa\Application Data\Mozilla\Firefox\Profiles\dpnpwccf.default\cookies.sqlite:1256321993390626 detected: Trace.TrackingCookie.stats1.clicktracks!A2
C:\Documents and Settings\TEDi&VaNYa\Application Data\Mozilla\Firefox\Profiles\dpnpwccf.default\cookies.sqlite:1256321993390628 detected: Trace.TrackingCookie.stats1.clicktracks!A2
C:\Documents and Settings\TEDi&VaNYa\Application Data\Mozilla\Firefox\Profiles\dpnpwccf.default\cookies.sqlite:1256321993390629 detected: Trace.TrackingCookie.stats1.clicktracks!A2
C:\Documents and Settings\TEDi&VaNYa\Application Data\Mozilla\Firefox\Profiles\dpnpwccf.default\cookies.sqlite:1256322068109375 detected: Trace.TrackingCookie.www.com!A2
C:\Documents and Settings\TEDi&VaNYa\Application Data\Mozilla\Firefox\Profiles\dpnpwccf.default\cookies.sqlite:1256423003156250 detected: Trace.TrackingCookie.www8.addfreestats.com!A2
C:\Documents and Settings\TEDi&VaNYa\Application Data\Mozilla\Firefox\Profiles\dpnpwccf.default\cookies.sqlite:1256519727937500 detected: Trace.TrackingCookie.sales.liveperson.net!A2
C:\Documents and Settings\TEDi&VaNYa\Application Data\Mozilla\Firefox\Profiles\dpnpwccf.default\cookies.sqlite:1256651350265628 detected: Trace.TrackingCookie.usatoday.com!A2
C:\Documents and Settings\TEDi&VaNYa\Application Data\Mozilla\Firefox\Profiles\dpnpwccf.default\cookies.sqlite:1256651382015625 detected: Trace.TrackingCookie.usatoday.com!A2
C:\Documents and Settings\TEDi&VaNYa\Application Data\Mozilla\Firefox\Profiles\dpnpwccf.default\cookies.sqlite:1256651383125000 detected: Trace.TrackingCookie.usatoday.com!A2
C:\Documents and Settings\TEDi&VaNYa\Application Data\Mozilla\Firefox\Profiles\dpnpwccf.default\cookies.sqlite:1256651401562500 detected: Trace.TrackingCookie.usatoday.com!A2
C:\Documents and Settings\TEDi&VaNYa\Application Data\Mozilla\Firefox\Profiles\dpnpwccf.default\cookies.sqlite:1256826259281251 detected: Trace.TrackingCookie.server2.bkvtrack!A2
C:\Documents and Settings\TEDi&VaNYa\Application Data\Mozilla\Firefox\Profiles\dpnpwccf.default\cookies.sqlite:1256826259281252 detected: Trace.TrackingCookie.server2.bkvtrack!A2
C:\Documents and Settings\TEDi&VaNYa\Application Data\Mozilla\Firefox\Profiles\dpnpwccf.default\cookies.sqlite:1256826259281253 detected: Trace.TrackingCookie.server2.bkvtrack!A2
C:\Documents and Settings\TEDi&VaNYa\Application Data\Mozilla\Firefox\Profiles\dpnpwccf.default\cookies.sqlite:1256826259281254 detected: Trace.TrackingCookie.server2.bkvtrack!A2
C:\Documents and Settings\TEDi&VaNYa\Application Data\Mozilla\Firefox\Profiles\dpnpwccf.default\cookies.sqlite:1256924618531250 detected: Trace.TrackingCookie.www.buy!A2
C:\Documents and Settings\TEDi&VaNYa\Application Data\Mozilla\Firefox\Profiles\dpnpwccf.default\cookies.sqlite:1257008217796875 detected: Trace.TrackingCookie.server.iad.livepers!A2
C:\Documents and Settings\TEDi&VaNYa\Application Data\Mozilla\Firefox\Profiles\dpnpwccf.default\cookies.sqlite:1257008217875000 detected: Trace.TrackingCookie.www.buy!A2
C:\Documents and Settings\TEDi&VaNYa\Application Data\Mozilla\Firefox\Profiles\dpnpwccf.default\cookies.sqlite:1257008219937500 detected: Trace.TrackingCookie.server.iad.livepers!A2
C:\Documents and Settings\TEDi&VaNYa\Application Data\Mozilla\Firefox\Profiles\dpnpwccf.default\cookies.sqlite:1257008276796875 detected: Trace.TrackingCookie.www.buy!A2
C:\Documents and Settings\TEDi&VaNYa\Application Data\Mozilla\Firefox\Profiles\dpnpwccf.default\cookies.sqlite:1257210255859375 detected: Trace.TrackingCookie.aol.com!A2
C:\Documents and Settings\TEDi&VaNYa\Application Data\Mozilla\Firefox\Profiles\dpnpwccf.default\cookies.sqlite:1257219920062500 detected: Trace.TrackingCookie.server.iad.livepers!A2
C:\Documents and Settings\TEDi&VaNYa\Application Data\Mozilla\Firefox\Profiles\dpnpwccf.default\cookies.sqlite:1257222363453125 detected: Trace.TrackingCookie.server.iad.livepers!A2
C:\Documents and Settings\TEDi&VaNYa\Application Data\Mozilla\Firefox\Profiles\dpnpwccf.default\cookies.sqlite:1257314471312500 detected: Trace.TrackingCookie.www.com!A2
C:\Documents and Settings\TEDi&VaNYa\Application Data\Mozilla\Firefox\Profiles\dpnpwccf.default\cookies.sqlite:1257314471312501 detected: Trace.TrackingCookie.www.com!A2
C:\Documents and Settings\TEDi&VaNYa\Application Data\Mozilla\Firefox\Profiles\dpnpwccf.default\cookies.sqlite:1257314484687500 detected: Trace.TrackingCookie.www.com!A2
C:\Documents and Settings\TEDi&VaNYa\Application Data\Mozilla\Firefox\Profiles\dpnpwccf.default\cookies.sqlite:1257314541031250 detected: Trace.TrackingCookie.www.com!A2
C:\Documents and Settings\TEDi&VaNYa\Application Data\Mozilla\Firefox\Profiles\dpnpwccf.default\cookies.sqlite:1257556319265625 detected: Trace.TrackingCookie.com!A2
C:\Documents and Settings\TEDi&VaNYa\Application Data\Mozilla\Firefox\Profiles\dpnpwccf.default\cookies.sqlite:1257557213359375 detected: Trace.TrackingCookie.com!A2
C:\Documents and Settings\TEDi&VaNYa\Application Data\Mozilla\Firefox\Profiles\dpnpwccf.default\cookies.sqlite:1257825238984376 detected: Trace.TrackingCookie.ign.com!A2
C:\Documents and Settings\TEDi&VaNYa\Application Data\Mozilla\Firefox\Profiles\dpnpwccf.default\cookies.sqlite:1257825239265625 detected: Trace.TrackingCookie.ign.com!A2
C:\Documents and Settings\TEDi&VaNYa\Application Data\Mozilla\Firefox\Profiles\dpnpwccf.default\cookies.sqlite:1257825239265626 detected: Trace.TrackingCookie.ign.com!A2
C:\Documents and Settings\TEDi&VaNYa\Application Data\Mozilla\Firefox\Profiles\dpnpwccf.default\cookies.sqlite:1257893271078125 detected: Trace.TrackingCookie.www.3dstats.com!A2
C:\Documents and Settings\TEDi&VaNYa\Application Data\Mozilla\Firefox\Profiles\dpnpwccf.default\cookies.sqlite:1258371877718750 detected: Trace.TrackingCookie.www.buy!A2
C:\Documents and Settings\TEDi&VaNYa\Application Data\Mozilla\Firefox\Profiles\dpnpwccf.default\cookies.sqlite:1258405955625000 detected: Trace.TrackingCookie.m.webtrends.com!A2
C:\WINDOWS\eksplorasi.exe detected: Email-Worm.Win32.Brontok!IK
C:\WINDOWS\SHELLNEW\sempalong.exe detected: Email-Worm.Win32.Brontok!IK
C:\WINDOWS\system32\Administrator's Setting.scr detected: Email-Worm.Win32.Brontok!IK
C:\WINDOWS\system32\TEDi&VaNYa's Setting.scr detected: Email-Worm.Win32.Brontok!IK
C:\Program Files\AoA Audio Extractor\AoAAudioExtractor.exe detected: Virus.Win32.Trojan!IK
C:\Program Files\Unlocker\eBay_shortcuts_1016.exe detected: Adware.Win32.ADON!A2
C:\Program Files\videofixer\videofixer.exe detected: Virus.Win32.Agent.UHQ!IK

Scanned

Files: 164111
Traces: 382873
Cookies: 1800
Processes: 14

Found

Files: 7
Traces: 0
Cookies: 55
Processes: 3
Registry keys: 0

Edited by busychild, 18 November 2009 - 09:28 PM.
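The MBAM log above shows the handful of registry locations Worm.Brontok changed on this machine: the Winlogon Shell value redirected to eksplorasi.exe, two Run-key entries (tok-cirrhatus, bron-spizaetus) and two policy values (NoFolderOptions, DisableRegistryTools) set to 1 to lock the user out of Folder Options and regedit. The following read-only audit script is an added example, not something posted in the thread or shipped with any of the tools mentioned; it assumes Windows PowerShell 2.0 or later, reads the same keys the log lists and reports anything that differs from the default. It writes nothing, so it is safe to run before and after a cleanup to confirm the values really went back to normal.

```powershell
# Added example (not from the thread): read-only audit of the registry locations
# that the MBAM log above shows Worm.Brontok modifying. Assumes Windows
# PowerShell 2.0+. Nothing is written; reading these keys needs no elevation.

$checks = @(
    # Winlogon Shell decides what runs as the desktop shell. The worm pointed
    # it at c:\windows\eksplorasi.exe; the default is Explorer.exe.
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
       Name = 'Shell'; Expected = 'Explorer.exe' },
    # Policy values the worm set to 1 to hide Folder Options and block regedit.
    # Absent or 0 is the normal, unrestricted state.
    @{ Path = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Name = 'NoFolderOptions'; Expected = 0 },
    @{ Path = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Name = 'DisableRegistryTools'; Expected = 0 }
)

foreach ($c in $checks) {
    $key   = Get-ItemProperty -Path $c.Path -ErrorAction SilentlyContinue
    $value = if ($key -ne $null) { $key.($c.Name) } else { $null }
    if ($value -eq $null) { $value = $c.Expected }   # not set means the default applies
    $status = if ($value -eq $c.Expected) { 'ok   ' } else { 'CHECK' }
    '{0}  {1}\{2} = {3}' -f $status, $c.Path, $c.Name, $value
}

# Run keys: list every autostart entry. The log shows the worm's Run values
# (tok-cirrhatus, bron-spizaetus) and its dropped copies of winlogon.exe,
# services.exe, lsass.exe living under a profile's Local Settings\Application
# Data, so both the known names and that launch location are flagged.
$knownValueNames = @('tok-cirrhatus', 'bron-spizaetus')     # taken from the MBAM log
$profileDataDir  = 'Local Settings\\Application Data'      # regex, backslashes escaped

foreach ($runKey in @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                      'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run')) {
    $entries = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($entries -eq $null) { continue }
    foreach ($p in $entries.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }     # provider metadata, not an autostart
        $flags = @()
        if ($knownValueNames -contains $p.Name)      { $flags += 'name seen in the log' }
        if ("$($p.Value)" -match $profileDataDir)    { $flags += 'launches from a profile data folder' }
        $note = if ($flags.Count -gt 0) { '  <-- ' + ($flags -join '; ') } else { '' }
        '{0}\{1} = {2}{3}' -f $runKey, $p.Name, $p.Value, $note
    }
}
```

Because the policy values and one of the Run keys live under HKEY_CURRENT_USER, the script only sees the profile it runs in; on a machine with several accounts (the log shows both Administrator and TEDi&VaNYa being hit) run it once logged in as each user. A legitimate program can also start from a profile folder, so a flagged Run entry is a prompt to look at the file, not proof of infection on its own.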



#2 boopme

    To Insanity and Beyond

  • Global Moderator
  • 73,220 posts
  • Gender:Male
  • Location:NJ USA

Posted 18 November 2009 - 10:29 PM

Please download the Brontok Disinfection Tool and follow the instructions posted by Sophos.

When done, please download the Brontok Worm Removal Tool by sUBs and save it to your Desktop.
Disconnect the computer from the Internet and close all other programs.
Double-click CleanX-II.exe and follow the prompts.
The tool will begin scanning your machine. Because this worm names its files randomly, there are a series of cross-checks/verification processes to ensure that the tool does not remove legitimate files. Depending on the size of your drives, this scan may take several minutes. Please be patient during this period & allow it to complete its task.
Once the scan is complete it will provide a text log of the results. If the log shows any files remaining in the bottom portion under "POST RUN ANALYSIS", run the entire scan a second time.


Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click the Update tab, select Check for Updates; when done,
click the Scanner tab, select Quick scan and scan (normal mode).
After the scan, click Remove Selected, post the new scan log and reboot into normal mode.


Please download TFC by Old Timer and save it to your desktop.
alternate download link
Save any unsaved work. TFC will close ALL open programs including your browser!
Double-click on TFC.exe to run it. If you are using Vista, right-click on the file and choose Run As Administrator.
Click the Start button to begin the cleaning process and let it run uninterrupted to completion.
Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway to ensure a complete clean.
how are we now?

#3 busychild
  • Topic Starter

  • Members
  • 2 posts

Posted 19 November 2009 - 01:10 PM

boopme,

much better now :thumbsup: , thanks a ton!!

I followed your instructions:

1. I ran the Brontok Disinfection Tool (brontgui.com). The only way to run it properly was to disable Avira before the scan. There was one registry key found and fixed. That seemed to fix problems #3, #4 and #5 from the list in my original post right away. The Dell wireless card WLAN utility popped up in the taskbar. Windows logs on/off normally like before, no more "My Computer" window on start-up. I'll keep an eye on the system running low on memory issue and both the Firefox and IE crashes. So far everything looks fine. I made a couple of screenshots after the cleaning was done.

[Two screenshots were attached to the original post]



2. Downloaded and tried to execute the Brontok Worm Removal Tool (CleanX-II.exe), but nothing happened. It opens a "DOS-like"/batch file window which stays on the screen for less than a second, disappears, and then nothing happens. I gave it quite a few tries with no luck. Even a reboot did not make any difference, so I moved on to step 3.

3. Scanned with MBAM in normal mode like you suggested. Here's the log:


Malwarebytes' Anti-Malware 1.41
Database version: 3196
Windows 5.1.2600 Service Pack 3

19.11.2009 г. 10:13:03
mbam-log-2009-11-19 (10-13-03).txt

Scan type: Quick Scan
Objects scanned: 114869
Time elapsed: 5 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


4. Downloaded and ran the TFC tool which deleted a bunch of junk files and folders. Then rebooted.


The system seems to be running stable now. There are a couple of things that popped up on the desktop when I switched to "show hidden files and folders". There is a Thumbs.db file and a %USERPROFILE% folder (Desktop\%USERPROFILE%\Local Settings\Application Data\Microsoft\Feeds Cache). I've never seen them before. Should I bother deleting them or just ignore them, as they could be system-protected files?


Thank you very, very much for all your help!!

#4 boopme

    To Insanity and Beyond

  • Global Moderator
  • 73,220 posts
  • Gender:Male
  • Location:NJ USA

Posted 19 November 2009 - 03:55 PM

Your decision on thumbs.. it may take up a lot of your space, see.. What is this thumbs.db file? (http://www.pchell.com/support/thumbsdb.shtml)
I'll look into number 2. You look good now..

Now you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been backed up, renamed and saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok". Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" tab, then click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
Vista Users can refer to these links: Create a New Restore Point and Disk Cleanup.

Edited by boopme, 19 November 2009 - 04:00 PM.




