Is it safe to delete these files?

C:\Documents and Settings\Administrator\NTUSER.DAT

C:\Documents and Settings\Administrator\NTUSER.DAT.LOG

Hi

I finally could remove the Vundo trojan using avast… now I guess I’m clear, nothing suspicious in the register or system32 or windows, etc…

BUT after I removed it, I said I need to repair Windows (using the Windows XP CD)… after the repair, some things began going weird:

1- I have no sound. At each boot, Windows says it found a new hardware (the "Realtek High Definition Audio Device")… I got the driver for this on a CD, Windows begins to install it and copy files, then says "installation of the device fails"…
2- I got an ATI Radeon X1950 pro which has a driver and a control software… the driver is OK, but then the control software (MOM.exe) takes much CPU time and so do csrss.exe and vsmon.exe (zonealarm)…
3- when browsing a CD, opening some folder then another etc… and then using the "Up" button to go to the parent folder, the path shown in the address bar goes like C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\CD Burning\setup where setup is the folder inside the CD… this problem doesn’t show up when I browse into folders on my drives…

I dunno if these 3 problems have to do with Vundo being removed or with the Windows repair (I think it’s the first time I do a repair since I got my computer 6 months ago)… or maybe the combination of both…

Thank you for your time reading what I wrote… any ideas are welcome.. the 3rd issue is very secondary as it doesn’t affect anything I’m doing, so you may want to forget about it, but it also may give you a clue…

Everything else looks normal.. no CPU time consumption, no suspicious processes, no viruses/worms found by either adaware or avast, browsers and other applications run normally…
I just tried to reinstall the CCC (catalyst control center of ATI), and when the installshield begins to copy files, at each step I get a dialog saying "incorrect command line parameters

windows installer V 2.00.2600.1106
Copyright 2000 Microsoft Corporation. All rght reserved.
Portion of this software are based in part on the work of the Independent JPEG group."

I can only click on an OK button, and I need to do that like a hundred times until the install shield completes (I keep pressing on the Enter button)…
About the CCC (MOM.exe): I have noticed that this process causes a consumption of the CPU time because it is being constantly restarted (like some other process keeps it from starting normally)… I’m saying this because the memory usage of MOM.exe keeps on swinging between something like 200 Kbytes and 8,000 Kbytes… at the same time, csrss, vsmon and also zclient use up to 60% of the CPU time until I kill the MOM process…

I thought I’d solved the problem but it turned out I hadn’t. I got a couple of trojan viruses on my computer the other day, even with NOD32 and Malwarebytes’ AntiMalware, Ad-aware, and Spybot Search and Destroy, which I know are all very good. I scanned with Malwarebytes, and it found two trojans. Here’s the log:

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

I deleted the two trojans, so everything was working again (I wasn’t being redirected to other sites on the internet anymore). However, this morning, the same problem has come back. I’m assuming that there is a rootkit installed somewhere, but nothing can find it. I’ve also scanned with VundoFix and RogueRemover, which didn’t find anything either. I scanned with SmitFraudFix, and the log after that came up with a HUGE list of random websites, and then this (sorry for the long question):

Run from C:\Documents and Settings\User\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] – Windows_NT
The filesystem type is
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler’s .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

»»»»»»»»»»»»»»»»»»»»»»»» hosts

(The list of lots of websites fits in here)

»»»»»»»»»»»»»»»»»»»»»»»» VACFix

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri’s WS2Fix: LSP not Found.

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» 404Fix

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» AntiXPVSTFix

»»»»»»»»»»»»»»»»»»»»»»»» RK

»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: 3Com 3C920 Integrated Fast Ethernet Controller (3C905C-TX Compatible) – Packet Scheduler Miniport
DNS Server Search Order: 10.0.0.2

HKLM\SYSTEM\CCS\Services\Tcpip\..\{A94E023C-3A73-4B59-B35B-7AB609AC87BD}: DhcpNameServer=10.0.0.2
HKLM\SYSTEM\CS1\Services\Tcpip\..\{A94E023C-3A73-4B59-B35B-7AB609AC87BD}: DhcpNameServer=10.0.0.2
HKLM\SYSTEM\CS2\Services\Tcpip\..\{A94E023C-3A73-4B59-B35B-7AB609AC87BD}: DhcpNameServer=10.0.0.2
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=10.0.0.2
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=10.0.0.2
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=10.0.0.2

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler’s .dll

»»»»»»»»»»»»»»»»»»»»»»»» End

I’ve tried deleting what SmitFraudFix has found, but it doesn’t seem to work. If I do the scan again on SFF straight afterwards, it finds the same things, but doesn’t delete them.

So, what else is there to do? Haven’t I tried everything? Please don’t recommend programs like AVG, Norton, McAfee and Avast because they are not as good as the ones I am using, and are unlikely to find the rootkit if the better antiviruses can’t.

Thanks!

Disk Defrag Report: please advise on how to clean it up further?!?!?!? I have deleted ALL temporary internet files, done a disk cleanup, etc etc etc.

If you’ll notice there are tons of "129 8 MB \WINDOWS\$hf_mig$\KB908531\SP2QFE\shell3…" files that I’d like to get rid of, and "windows software distribution" files that I’d like to erase as well. I’m trying to make more space on my computer because it’s running SUPER SUPER slow!!!

Volume (C:)
Volume size = 7.96 GB
Cluster size = 4 KB
Used space = 6.82 GB
Free space = 1.14 GB
Percent free space = 14 %

Volume fragmentation
Total fragmentation = 33 %
File fragmentation = 59 %
Free space fragmentation = 8 %

File fragmentation
Total files = 39,990
Average file size = 244 KB
Total fragmented files = 4,572
Total excess fragments = 69,258
Average fragments per file = 2.73

Pagefile fragmentation
Pagefile size = 1.17 GB
Total fragments = 9,962

Folder fragmentation
Total folders = 3,820
Fragmented folders = 9
Excess folder fragments = 291

Master File Table (MFT) fragmentation
Total MFT size = 59 MB
MFT record count = 44,064
Percent MFT in use = 73 %
Total MFT fragments = 10

————————————–…
Fragments File Size Most fragmented files
25,427 753 MB \Documents and Settings\Sara\My Documents\My Pictures\THE TAP\FULL_TAP.wmv
2,945 33 MB \Documents and Settings\Sara\Local Settings\Application Data\Adobe\Updater5\Install\reader8rdr-e…
311 1 KB \WINDOWS\system32\config\software.LOG
251 17 MB \WINDOWS\system32\MRT.exe
229 14 MB \Program Files\Microsoft Office\OFFICE1133\PUB60.CTG
185 12 MB \WINDOWS\PCHealth\HelpCtr\Database\HCdat…
167 242 MB \Documents and Settings\Sara\Application Data\Apple Computer\iTunes\iPhone Software Updates\iPhone1,1_2.0.2_5C1_Restore.ipsw
161 10 MB \WINDOWS\SoftwareDistribution\Download\d…
142 19 MB \System Volume Information\_restore{069BE4A9-4F17-461A-…
132 8 MB \WINDOWS\system32\spool\drivers\w32x86\h…
130 520 KB \WINDOWS\SoftwareDistribution\Download\d…
129 8 MB \WINDOWS\SoftwareDistribution\Download\d…
129 8 MB \WINDOWS\$hf_mig$\KB943460\SP2QFE\shell3…
129 8 MB \WINDOWS\$hf_mig$\KB928255\SP2QFE\shell3…
129 8 MB \WINDOWS\$hf_mig$\KB921398\SP2GDR\shell3…
129 8 MB \WINDOWS\$hf_mig$\KB908531\SP2QFE\shell3…
129 8 MB \WINDOWS\$hf_mig$\KB900725\SP2QFE\shell3…
129 8 MB \WINDOWS\$hf_mig$\KB908531\SP2GDR\shell3…
129 8 MB \WINDOWS\$hf_mig$\KB921398\SP2QFE\shell3…
128 8 MB \WINDOWS\ServicePackFiles\i386\shell32.d…
123 8 MB \WINDOWS\repair\software
122 8 MB \Documents and Settings\All Users\Application Data\Spybot – Search & Destroy\Backups\regLocal.reg
121 8 MB \Program Files\Common Files\Microsoft Shared\Web Components\OWC11.DLL
96 6 MB \WINDOWS\system32\CatRoot\{F750E6C3-38EE…
96 6 MB \WINDOWS\SoftwareDistribution\Download\d…
93 13 MB \WINDOWS\SoftwareDistribution\Download\d…
90 6 MB \WINDOWS\$hf_mig$\KB950759-IE7\SP2QFE\ie…
90 6 MB \WINDOWS\SoftwareDistribution\Download\e…
90 6 MB \WINDOWS\$hf_mig$\KB953838-IE7\SP2QFE\ie…
90 6 MB \WINDOWS\$hf_mig$\KB947864-IE7\SP2QFE\ie…