
JRT can't delete

6 replies to this topic

#1 clivestart

clivestart

  • Members
  • 4 posts
  • OFFLINE
  • Local time:11:07 PM

Posted 07 June 2016 - 05:42 AM

Hi there,

I got given this Windows 7 laptop to clean. After much cleanup, I am left with just one issue:

File System: 2

Failed to delete: C:\Users\Alice Blake\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T75X4XQ0 (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T75X4XQ0 (Temporary Internet Files Folder)

Registry: 0

I am not seeing any other signs of infection. Chrome was spawning popups that MalwareBytes Premium was stopping, but I uninstalled Chrome and reinstalled. That stopped the popups. I have run HerdProtect and I have run Hitman Pro.

If I browse to that directory (C:\users\...\T75X4XQ0) there is a file externalSettings(1).js that I cannot delete because it is being used by another process. ADWCleaner says all is clean. MalwareBytes finds nothing. Only JRT finds these entries. I did just find three other folders in the Content.IE5 folder similarly named but could delete those (with RD /S).

I have tried booting to safe mode command only and going to both of the locations above and deleting everything, but that is not enough. It comes back.

Am I still infected? How can I get rid of this issue?

Thanks,

Clive




#2 buddy215

buddy215

  • Moderator
  • 13,396 posts
  • OFFLINE
  • Gender:Male
  • Location:West Tennessee
  • Local time:03:07 AM

Posted 07 June 2016 - 06:36 AM

Welcome to BC...

Use CCleaner to remove Temporary files, program caches, cookies, logs, etc. Use the Default settings. No need to use the Registry Cleaning Tool...risky. Pay close attention while installing and UNcheck offers of toolbars....especially Google.

After install, open CCleaner and run by clicking on the Run Cleaner button in the bottom right corner.

CCleaner - PC Optimization and Cleaning - Free Download

Post the three lists mentioned below using CCleaner.

Open CCleaner and click on Tools. Choose Startups. On that page you will see a list of Windows Startups and, at the top, tabs for each browser and Scheduled Tasks. At the bottom right of that page you will see a button which, when clicked, will allow you to Copy and Paste the list of Windows Startups and Scheduled Tasks into your next post. Please do that.

Open CCleaner and click on Tools. Choose Uninstall. On that page you will see a list of programs installed on your computer, and at the bottom right of that page you will see a button which, when clicked, will allow you to Copy and Paste that list into your next post. Please do that.

  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the ESET Online Scanner button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
  • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
  • Double click on the esetsmartinstaller_enu.exe icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats".
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats.
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.
  • NOTE: Sometimes if ESET finds no infections it will not create a log.

Edited by buddy215, 07 June 2016 - 06:40 AM.

“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.”Lawrence M. Krauss
A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”

#3 clivestart

clivestart
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:11:07 PM

Posted 10 June 2016 - 07:24 AM

Thank you.

 

Startup from CC:

Yes HKCU:Run CCleaner Monitoring Piriform Ltd "C:\Program Files\CCleaner\CCleaner64.exe" /MONITOR
Yes HKCU:Run Skype Skype Technologies S.A. "C:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized /regrun
Yes HKLM:Run Adobe ARM Adobe Systems Incorporated "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
Yes HKLM:Run APSDaemon Apple Inc. "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
Yes HKLM:Run BTMTrayAgent Microsoft Corporation rundll32.exe "C:\Program Files (x86)\Intel\Bluetooth\btmshell.dll",TrayApp
Yes HKLM:Run HotKeysCmds Intel Corporation C:\Windows\system32\hkcmd.exe
Yes HKLM:Run HP CoolSense Hewlett-Packard Development Company, L.P. C:\Program Files (x86)\Hewlett-Packard\HP CoolSense\CoolSense.exe -byrunkey
Yes HKLM:Run HP Quick Launch Hewlett-Packard Development Company, L.P. C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe
Yes HKLM:Run HPOSD Hewlett-Packard Development Company, L.P. C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe
Yes HKLM:Run HPQuickWebProxy Hewlett-Packard Company "C:\Program Files (x86)\Hewlett-Packard\HP QuickWeb\hpqwutils.exe"
Yes HKLM:Run IgfxTray Intel Corporation C:\Windows\system32\igfxtray.exe
Yes HKLM:Run iTunesHelper Apple Inc. "C:\Program Files\iTunes\iTunesHelper.exe"
Yes HKLM:Run NUSB3MON Renesas Electronics Corporation "C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe"
Yes HKLM:Run Persistence Intel Corporation C:\Windows\system32\igfxpers.exe
Yes HKLM:Run QHSafeTray QIHU 360 SOFTWARE CO. LIMITED "C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe" /start
Yes HKLM:Run SetDefault Hewlett-Packard Development Company, L.P. C:\Program Files\Hewlett-Packard\HP LaunchBox\SetDefault.exe
Yes HKLM:Run StartCCC Advanced Micro Devices, Inc. "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
Yes HKLM:Run SynTPEnh Synaptics Incorporated %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
Yes HKLM:Run SysTrayApp IDT, Inc. C:\Program Files\IDT\WDM\sttray64.exe

 

Startup Scheduled:

Yes Task Adobe Flash Player Updater Adobe Systems Incorporated C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
Yes Task CCleanerSkipUAC Piriform Ltd "C:\Program Files\CCleaner\CCleaner.exe" $(Arg0)
Yes Task GoogleUpdateTaskMachineCore Google Inc. C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /c
Yes Task GoogleUpdateTaskMachineUA Google Inc. C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /ua /installsource scheduler
Yes Task Registration Hewlett-Packard Company "C:\Program Files (x86)\Hewlett-Packard\HP Setup\RemEngine.exe" Registration ShowMessageTask2D

 

Installed:

360 Total Security 360 Security Center 6/06/2016 100 MB 8.6.0.1103
AccountService  13/10/2011  
Adobe Flash Player 21 ActiveX Adobe Systems Incorporated 22/05/2016 18.5 MB 21.0.0.242
Adobe Flash Player 21 NPAPI Adobe Systems Incorporated 4/06/2016 19.0 MB 21.0.0.242
Adobe Reader X (10.1.16) MUI Adobe Systems Incorporated 6/06/2016 482 MB 10.1.16
Adobe Shockwave Player 11.6 Adobe Systems, Inc. 19/03/2012  11.6.1.629
AMD Catalyst Install Manager Advanced Micro Devices, Inc. 18/03/2012 22.6 MB 3.0.838.0
Apple Application Support (32-bit) Apple Inc. 4/08/2015 96.0 MB 3.2
Apple Application Support (64-bit) Apple Inc. 4/08/2015 109 MB 3.2
Apple Mobile Device Support Apple Inc. 4/08/2015 27.9 MB 8.2.1.3
Apple Software Update Apple Inc. 9/04/2012 2.38 MB 2.1.3.127
AuthenTec WinBio FingerPrint Software AuthenTec, Inc. 18/03/2012 8.31 MB 3.2.2.1072
Bing Bar Microsoft Corporation 20/09/2013 456 KB 7.2.241.0
Blio K-NFB Reading Technology, Inc. 13/10/2011 38.1 MB 2.2.7922
Bonjour Apple Inc. 9/04/2012 2.00 MB 3.0.0.10
CCleaner Piriform 7/06/2016  5.18
CyberLink YouCam CyberLink Corp. 18/03/2012 217 MB 3.5.0.4422
Evernote v. 4.2.3 Evernote Corp. 13/10/2011 139 MB 4.2.3.22
Google Chrome Google Inc. 7/06/2016  51.0.2704.84
herdProtect Anti-Malware Scanner Reason Company Software Inc. 6/06/2016  1.0
HP 3D DriveGuard Hewlett-Packard Company 7/06/2016 7.01 MB 4.2.9.1
HP CoolSense Hewlett-Packard Company 19/02/2013 10.4 MB 2.10.51
HP Documentation Hewlett-Packard 13/10/2011 263 MB 1.1.1.0
HP Games WildTangent 14/10/2011  1.0.2.5
HP Launch Box Hewlett-Packard Company 17/07/2012 2.38 MB 1.1.5
HP On Screen Display Hewlett-Packard Company 13/10/2011 1.48 MB 1.3.5
HP Power Manager Hewlett-Packard Company 29/05/2012 3.67 MB 1.4.7
HP Quick Launch Hewlett-Packard Company 22/05/2012 7.24 MB 2.7.2
HP QuickWeb Hewlett-Packard Company 18/03/2012 3.35 MB 3.1.1.10066
HP Security Assistant Hewlett-Packard Company 24/04/2012 2.66 MB 3.0.4
HP Setup Hewlett-Packard Company 13/10/2011 118 MB 8.7.4751.3798
HP Setup Manager Hewlett-Packard Company 18/03/2012 8.30 MB 1.1.13476.3753
HP SimplePass 2012 Hewlett-Packard 18/03/2012 60.8 MB 5.3.1.7
HP Software Framework Hewlett-Packard Company 14/08/2012 4.71 MB 4.5.12.1
HP Support Assistant HP 6/03/2016 49.2 MB 8.2.8.25
HP Support Solutions Framework HP 6/03/2016 5.70 MB 12.4.18.7
IDT Audio IDT 29/10/2012  1.0.6418.0
Intel® Display Audio Driver Intel Corporation 19/03/2012  6.14.00.3074
Intel® Identity Protection Technology 1.2.22.0 Intel Corporation 8/05/2012 2.71 MB 1.2.22.0
Intel® Management Engine Components Intel Corporation 19/03/2012  7.0.0.1144
Intel® PROSet/Wireless for Bluetooth® + High Speed Intel Corporation 15/05/2012 5.29 MB 15.1.0.0096
Intel® PROSet/Wireless Software for Bluetooth® Technology Intel Corporation 18/03/2012 88.8 MB 1.1.0.0537
Intel® Rapid Storage Technology Intel Corporation 19/03/2012  10.6.2.1001
Intel® Smart Connect Technology 1.0 Intel 18/03/2012 2.77 MB 1.0.698.0
Intel® WiDi Intel Corporation 18/03/2012 139 MB 2.1.42.0
Intel® PROSet/Wireless WiFi Software Intel Corporation 15/05/2012 140 MB 15.01.0500.0903
iTunes Apple Inc. 4/08/2015 238 MB 12.2.1.16
Malwarebytes Anti-Malware version 2.2.1.1043 Malwarebytes 5/06/2016 66.8 MB 2.2.1.1043
Microsoft .NET Framework 4.5.2 Microsoft Corporation 7/06/2016 38.8 MB 4.5.51209
Microsoft Office 2010 Microsoft Corporation 12/09/2013 8.27 MB 14.0.4763.1000
Microsoft Silverlight Microsoft Corporation 7/06/2016 199 MB 5.1.41212.0
Microsoft SQL Server 2005 Compact Edition [ENU] Microsoft Corporation 13/10/2011 1.69 MB 3.1.0000
Microsoft Visual C++ 2005 Redistributable Microsoft Corporation 25/07/2012 298 KB 8.0.61001
Microsoft Visual C++ 2005 Redistributable (x64) Microsoft Corporation 18/03/2012 620 KB 8.0.61000
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 Microsoft Corporation 13/10/2011 788 KB 9.0.30729
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148 Microsoft Corporation 18/03/2012 784 KB 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 Microsoft Corporation 25/07/2012 788 KB 9.0.30729.6161
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 Microsoft Corporation 18/03/2012 588 KB 9.0.30729
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 Microsoft Corporation 18/03/2012 592 KB 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 Microsoft Corporation 25/07/2012 600 KB 9.0.30729.6161
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.30319 Microsoft Corporation 7/06/2016 17.5 MB 10.0.30319
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.30319 Microsoft Corporation 7/06/2016 9.90 MB 10.0.30319
PlayReady PC Runtime x86 Microsoft Corporation 13/10/2011 1.65 MB 1.3.0
Realtek Ethernet Controller Driver Realtek 18/03/2012  7.46.610.2011
Realtek PCIE Card Reader Realtek Semiconductor Corp. 18/03/2012  6.1.7601.83
Renesas Electronics USB 3.0 Host Controller Driver Renesas Electronics Corporation 18/03/2012 821 KB 2.1.19.0
Skype Click to Call Skype Technologies S.A. 9/04/2012 10.6 MB 5.10.9560
Skype™ 7.0 Skype Technologies S.A. 8/06/2016 47.9 MB 7.0.102
Synaptics TouchPad Driver Synaptics Incorporated 19/03/2012 46.4 MB 15.3.16.1
VIP Access SDK (1.0.1.2) Symantec Inc. 19/03/2012  1.0.1.2
Windows Live Essentials Microsoft Corporation 13/10/2011  15.4.3538.0513
Windows Live Mesh ActiveX Control for Remote Connections Microsoft Corporation 13/10/2011 5.57 MB 15.4.5722.2

 

I ran the ESET online scanner and it found nothing.

#4 buddy215

buddy215

  • Moderator
  • 13,396 posts
  • OFFLINE
  • Gender:Male
  • Location:West Tennessee
  • Local time:03:07 AM

Posted 10 June 2016 - 07:58 AM

Suggest Disabling these Windows Startups: Use CCleaner by clicking on each item and choosing Disable on the right.

Yes HKCU:Run CCleaner Monitoring Piriform Ltd "C:\Program Files\CCleaner\CCleaner64.exe" /MONITOR
Yes HKCU:Run Skype Skype Technologies S.A. "C:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized /regrun
Yes HKLM:Run Adobe ARM Adobe Systems Incorporated "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
Yes HKLM:Run APSDaemon Apple Inc. "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"

Yes HKLM:Run HP Quick Launch Hewlett-Packard Development Company, L.P. C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe

Yes HKLM:Run IgfxTray Intel Corporation C:\Windows\system32\igfxtray.exe
Yes HKLM:Run iTunesHelper Apple Inc. "C:\Program Files\iTunes\iTunesHelper.exe"

Yes HKLM:Run QHSafeTray QIHU 360 SOFTWARE CO. LIMITED "C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe" /start

Yes HKLM:Run SetDefault Hewlett-Packard Development Company, L.P. C:\Program Files\Hewlett-Packard\HP LaunchBox\SetDefault.exe

Yes HKLM:Run StartCCC Advanced Micro Devices, Inc. "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun

 

Disable these Scheduled Tasks: Use CCleaner by clicking on each item and choosing Disable on the right.

Yes Task CCleanerSkipUAC Piriform Ltd "C:\Program Files\CCleaner\CCleaner.exe" $(Arg0)

Yes Task GoogleUpdateTaskMachineUA Google Inc. C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /ua /installsource scheduler
Yes Task Registration Hewlett-Packard Company "C:\Program Files (x86)\Hewlett-Packard\HP Setup\RemEngine.exe" Registration ShowMessageTask2D

 

Uninstall these programs:

360 Total Security 360 Security Center 6/06/2016 100 MB 8.6.0.1103 (if you have a problem uninstalling try using Download Revo Uninstaller Freeware in Advanced Mode)

Bing Bar Microsoft Corporation 20/09/2013 456 KB 7.2.241.0

Bonjour Apple Inc. 9/04/2012 2.00 MB 3.0.0.10

herdProtect Anti-Malware Scanner Reason Company Software Inc. 6/06/2016  1.0

HP Games WildTangent 14/10/2011  1.0.2.5

Skype Click to Call Skype Technologies S.A. 9/04/2012 10.6 MB 5.10.9560

Windows Live Essentials Microsoft Corporation 13/10/2011  15.4.3538.0513
Windows Live Mesh ActiveX Control for Remote Connections Microsoft Corporation 13/10/2011 5.57 MB 15.4.5722.2


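As an added illustration of the kind of triage done in reply #4 (example code written for this thread, not CCleaner's or JRT's own logic), the script below parses lines in the format of the startup listing posted in reply #3 and flags entries whose image lives somewhere a standard user can write, such as AppData or Temp. The first four sample lines are taken from that listing; the last one is a constructed suspicious entry, and the `%ProgramFiles%` expansion is an assumed default.

```python
# Added example for this thread (not CCleaner's or JRT's own logic): parse the
# startup listing format posted in reply #3 and flag autoruns whose image
# lives somewhere a standard user can write, the way a manual triage would.
import re
from typing import NamedTuple

TRUSTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")
# Assumed default expansions for variables CCleaner leaves unexpanded.
ENV = {"%programfiles%": "C:\\Program Files", "%systemroot%": "C:\\Windows"}
# A quoted path, or an unquoted drive/variable path up to its .exe/.dll.
PATH_RE = re.compile(r'"([^"]+)"|((?:[A-Za-z]:|%[^%]+%)\\.+?\.(?:exe|dll))', re.I)


class Autorun(NamedTuple):
    enabled: bool
    source: str      # HKCU:Run, HKLM:Run or Task
    image: str       # file run or, for rundll32 entries, the DLL loaded
    suspicious: bool
    reason: str


def expand(path: str) -> str:
    for var, value in ENV.items():
        if path.lower().startswith(var):
            return value + path[len(var):]
    return path


def classify(line: str) -> Autorun:
    enabled, source = line.split(maxsplit=2)[:2]
    m = PATH_RE.search(line)
    image = expand(m.group(1) or m.group(2)) if m else ""
    low = image.lower()
    if not image:
        return Autorun(enabled == "Yes", source, image, True, "no file path found")
    hit = next((d for d in USER_WRITABLE if d in low), None)
    if hit:
        return Autorun(enabled == "Yes", source, image, True, f"under user-writable {hit}")
    if not low.startswith(TRUSTED_ROOTS):
        return Autorun(enabled == "Yes", source, image, True, "outside Program Files / Windows")
    return Autorun(enabled == "Yes", source, image, False, "vendor location")


def triage(listing: str) -> list[Autorun]:
    return [classify(l) for l in listing.splitlines() if l.strip()]


# Four lines from the posted list plus one constructed suspicious entry.
SAMPLE = r"""
Yes HKCU:Run CCleaner Monitoring Piriform Ltd "C:\Program Files\CCleaner\CCleaner64.exe" /MONITOR
Yes HKLM:Run BTMTrayAgent Microsoft Corporation rundll32.exe "C:\Program Files (x86)\Intel\Bluetooth\btmshell.dll",TrayApp
Yes HKLM:Run SynTPEnh Synaptics Incorporated %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
Yes HKLM:Run HP CoolSense Hewlett-Packard Development Company, L.P. C:\Program Files (x86)\Hewlett-Packard\HP CoolSense\CoolSense.exe -byrunkey
Yes HKCU:Run Updater (constructed) "C:\Users\example\AppData\Local\Temp\update.exe"
"""

if __name__ == "__main__":
    print(*triage(SAMPLE), sep="\n")
```

An entry flagged here is only a lead for closer inspection (publisher, file hash, creation date), not proof of infection.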

#5 clivestart

clivestart
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:11:07 PM

Posted 10 June 2016 - 09:24 PM

Thanks again. You are asking me to uninstall all AV product. Is that wise? As far as I can tell, Live is not used for mail but is it wise to remove it?



#6 clivestart

clivestart
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:11:07 PM

Posted 10 June 2016 - 10:56 PM

I disabled everything you asked me to disable except for "Yes HKLM:Run QHSafeTray QIHU 360 SOFTWARE CO. LIMITED "C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe" /start", which it would not let me disable. I did not uninstall anything. I rebooted and ran JRT again, and this time it said it deleted everything. I ran it again and there was nothing found. I had only installed 360 and HerdProtect after finding I could not get that last registry entry cleaned. I plan to remove them and install ESET Smart Security and a licensed version of MalwareBytes Premium. Thanks for your help.



#7 buddy215

buddy215

  • Moderator
  • 13,396 posts
  • OFFLINE
  • Gender:Male
  • Location:West Tennessee
  • Local time:03:07 AM

Posted 11 June 2016 - 06:51 AM

The two Windows Live entries are no longer supported by Microsoft.

