Temp Internet Files in SYSwow64


15 replies to this topic

#1 crakmonky (New Member; Authentic Member; 8 posts)

Posted 22 October 2012 - 12:16 PM

Hello,

So I started noticing that gigs of my hard drive space were disappearing. A friend came and took a look and figured out that my Temp Internet Files folder is saving files for no reason, and I mean 15+ gigs' worth in less than a week. We deleted them and it's back in about the same time. We have no clue what is doing it. It is appearing in folders in this location: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\K4YALZLQ. It had multiple folders here last time but only 1 this time.

Here is the log:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 12:10:52 PM, on 10/22/2012
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v9.00 (9.00.8112.16447)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe
C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe
C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin
C:\Program Files (x86)\BitTorrent\BitTorrent.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_4_402_265.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_4_402_265.exe
C:\Users\Don\Downloads\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - (no file)
R3 - URLSearchHook: (no name) - {00000000-6E41-4FD3-8538-502F5495E5FC} - (no file)
F2 - REG:system.ini: UserInit=userinit.exe,
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - (no file)
O2 - BHO: (no name) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - (no file)
O3 - Toolbar: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
O4 - HKLM\..\RunOnce: [InnoSetupRegFile.0000000001] "C:\Windows\is-5PVSE.exe" /REG /REGSVRMODE
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe" -autorun
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_4_402_265_Plugin.exe -update plugin
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-287366592-1088419429-22457005-1010\..\Run: [RESTART_STICKY_NOTES] C:\Windows\System32\StikyNot.exe (User 'Onyx')
O4 - S-1-5-21-287366592-1088419429-22457005-1010 Startup: OpenOffice.org 3.3.lnk = C:\Program Files (x86)\OpenOffice.org 3\program\quickstart.exe (User 'Onyx')
O4 - S-1-5-21-287366592-1088419429-22457005-1010 User Startup: OpenOffice.org 3.3.lnk = C:\Program Files (x86)\OpenOffice.org 3\program\quickstart.exe (User 'Onyx')
O4 - Startup: OpenOffice.org 3.3.lnk = C:\Program Files (x86)\OpenOffice.org 3\program\quickstart.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} -
O16 - DPF: {CAFEEFAC-0017-0000-0002-ABCDEFFEDCBA} -
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: MBAMScheduler - Malwarebytes Corporation - C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (nvsvc) - Unknown owner - C:\Windows\system32\nvvsvc.exe (file missing)
O23 - Service: NVIDIA Update Service Daemon (nvUpdatusService) - NVIDIA Corporation - C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: NVIDIA Stereoscopic 3D Driver Service (Stereo Service) - NVIDIA Corporation - C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files (x86)\Yahoo!\SoftwareUpdate\YahooAUService.exe

If more info is needed let me know.

Thanks for your time.



#2 shelf life (SuperMember; Visiting Fellow; 3,191 posts)

Posted 22 October 2012 - 05:06 PM

Hi crakmonky,

I believe the location is used by IE to cache internet content. Do they delete when you reboot your machine? 15 GB in a week's time does seem like a lot. Do you have settings in IE to delete content when you close the browser? Please post a DDS log.
Download it to your desktop
Double click to run
Save both reports to your desktop
Copy/paste the reports in your reply
How Can I Reduce My Risk?

#3 crakmonky (New Member; Authentic Member; 8 posts)

Posted 22 October 2012 - 05:59 PM

Shelf life, thanks for the response. As I don't use IE it confuses me; my friend told me it was the temp spot for IE too, but I never use it. Here are the logs you requested.

.
DDS (Ver_11-03-05.01) - NTFS_AMD64
Run by Don at 17:54:08.94 on Mon 10/22/2012
Internet Explorer: 9.0.8112.16421
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.4096.943 [GMT -6:00]
.
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe
C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin
C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
C:\Windows\System32\StikyNot.exe
C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe
C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin
C:\Program Files (x86)\BitTorrent\BitTorrent.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_4_402_265.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_4_402_265.exe
"C:\Windows\SysWOW64\svchost.exe" -k LocalServiceDns
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Don\Downloads\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.yahoo.com/
uURLSearchHooks: H - No File
uURLSearchHooks: H - No File
mWinlogon: Userinit=userinit.exe,
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
BHO: {9030D464-4C02-4ABF-8ECC-5164760863C6} - No File
BHO: {DBC80044-A445-435b-BC74-9C25C1C588A9} - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
TB: {88C7F2AA-F93F-432C-8F0E-B7D85967A527} - No File
uRun: [DAEMON Tools Lite] "C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe" -autorun
uRun: [SpybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
uRunOnce: [FlashPlayerUpdate] C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_4_402_265_Plugin.exe -update plugin
mRunOnce: [InnoSetupRegFile.0000000001] "C:\Windows\is-5PVSE.exe" /REG /REGSVRMODE
StartupFolder: C:\Users\Don\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\OPENOF~1.LNK - C:\Program Files (x86)\OpenOffice.org 3\program\quickstart.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
LSP: mswsock.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93}
DPF: {CAFEEFAC-0017-0000-0002-ABCDEFFEDCBA}
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000}
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll
TB-X64: {88C7F2AA-F93F-432C-8F0E-B7D85967A527} - No File
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Don\AppData\Roaming\Mozilla\Firefox\Profiles\x0o6heu7.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://us.mg5.mail.yahoo.com/neo/launch?.rand=fu1tjv4i5005u
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2790392&SearchSource=2&q=
FF - prefs.js: network.proxy.gopher -
FF - prefs.js: network.proxy.gopher_port - 0
FF - prefs.js: network.proxy.type - 0
FF - plugin: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll
FF - plugin: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll
FF - plugin: C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll
FF - plugin: C:\Users\Don\AppData\Roaming\Mozilla\Firefox\Profiles\x0o6heu7.default\extensions\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}\plugins\np-mswmp.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_4_402_265.dll
.
============= SERVICES / DRIVERS ===============
.
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;C:\Windows\System32\drivers\dtsoftbus01.sys [2012-1-18 279616]
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\System32\drivers\vwififlt.sys [2009-7-13 59904]
R2 MBAMScheduler;MBAMScheduler;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2012-10-2 399432]
R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-7-29 676936]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2011-10-15 381248]
R3 MBAMProtector;MBAMProtector;C:\Windows\System32\drivers\mbam.sys [2012-7-29 25928]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;C:\Windows\System32\drivers\vwifimp.sys [2009-7-13 17920]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 nvUpdatusService;NVIDIA Update Service Daemon;C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2011-12-9 2253120]
S2 SBSDWSCService;SBSD Security Center Service;C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2012-7-12 1153368]
S3 MozillaMaintenance;Mozilla Maintenance Service;C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-5-10 115168]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2011-12-18 59392]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2011-12-7 1255736]
.
=============== Created Last 30 ================
.
2012-10-21 08:40:25 -------- d-sh--w- C:\$RECYCLE.BIN
2012-10-19 03:52:21 96224 ----a-w- C:\Program Files (x86)\Mozilla Firefox\webapprt-stub.exe
2012-10-19 03:52:21 157272 ----a-w- C:\Program Files (x86)\Mozilla Firefox\webapp-uninstaller.exe
2012-10-13 05:47:54 69000 ----a-w- C:\PROGRA~3\Microsoft\Windows Defender\Definition Updates\{30CC757C-DA8A-4DC5-9466-96BC8455097E}\offreg.dll
2012-10-13 04:29:07 -------- d-----w- C:\Users\Don\AppData\Roaming\Auslogics
2012-10-13 04:29:02 -------- d-----w- C:\Program Files (x86)\Auslogics
2012-10-13 04:21:42 -------- d-----w- C:\Program Files\CCleaner
2012-10-12 11:03:50 9308616 ----a-w- C:\PROGRA~3\Microsoft\Windows Defender\Definition Updates\{30CC757C-DA8A-4DC5-9466-96BC8455097E}\mpengine.dll
2012-10-01 20:55:10 89944 -c--a-w- C:\Program Files (x86)\Common Files\Windows Live\.cache\b659ca81cda01703\DSETUP.dll
2012-10-01 20:55:10 537432 -c--a-w- C:\Program Files (x86)\Common Files\Windows Live\.cache\b659ca81cda01703\DXSETUP.exe
2012-10-01 20:55:10 1801048 -c--a-w- C:\Program Files (x86)\Common Files\Windows Live\.cache\b659ca81cda01703\dsetup32.dll
2012-10-01 20:55:07 94040 -c--a-w- C:\Program Files (x86)\Common Files\Windows Live\.cache\749abc81cda01702\DSETUP.dll
2012-10-01 20:55:07 525656 -c--a-w- C:\Program Files (x86)\Common Files\Windows Live\.cache\749abc81cda01702\DXSETUP.exe
2012-10-01 20:55:07 1691480 -c--a-w- C:\Program Files (x86)\Common Files\Windows Live\.cache\749abc81cda01702\dsetup32.dll
.
==================== Find3M ====================
.
2012-09-07 23:04:46 25928 ----a-w- C:\Windows\System32\drivers\mbam.sys
2012-08-21 20:19:16 73416 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2012-08-21 20:19:16 696520 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
.
============= FINISH: 17:55:40.18 ===============

Second log:

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG. IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_11-03-05.01)
.
Microsoft Windows 7 Home Premium
Boot Device: \Device\HarddiskVolume1
Install Date: 12/6/2011 8:24:16 PM
System Uptime: 10/16/2012 3:14:38 PM (146 hours ago)
.
Motherboard: Gigabyte Technology Co., Ltd. | | M61P-S3
Processor: AMD Athlon™ 64 X2 Dual Core Processor 3800+ | Socket M2 | 2000/200mhz
.
==== Disk Partitions =========================
.
A: is Removable
C: is FIXED (NTFS) - 153 GiB total, 30.848 GiB free.
D: is CDROM (UDF)
E: is CDROM ()
F: is CDROM ()
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP283: 10/18/2012 5:20:57 PM - Windows Defender Checkpoint
RP285: 10/19/2012 6:11:59 PM - Windows Defender Checkpoint
RP287: 10/20/2012 10:49:55 PM - Windows Defender Checkpoint
RP289: 10/22/2012 2:37:06 AM - Windows Defender Checkpoint
.
==== Installed Programs ======================
.
Adobe Flash Player 11 ActiveX
Adobe Flash Player 11 Plugin
Adobe Shockwave Player 11.6
Auslogics Disk Defrag
BitTorrent
Combined Community Codec Pack 2011-11-11
D&D 3.5 DM Tools v0.43.2
DAEMON Tools Lite
Far Cry (Patch 1.4)
Malwarebytes Anti-Malware version 1.65.0.1400
Medieval Masters
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Mozilla Firefox 16.0.1 (x86 en-US)
Mozilla Maintenance Service
Neverwinter Nights
Neverwinter Nights 2
Notepad++
NVIDIA PhysX
NVIDIA Stereoscopic 3D Driver
OpenOffice.org 3.3
Pando Media Booster
PhotoPad Image Editor
PhotoStage Slideshow Producer
Pidgin
Samsung PC Studio 3 USB Driver Installer
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
Spybot - Search & Destroy
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
xrecode II 1.0.0.185
Yahoo! Software Update
.
==== Event Viewer Messages From Past Week ========
.
10/21/2012 10:19:00 AM, Error: Service Control Manager [7023] - The Function Discovery Resource Publication service terminated with the following error: %%-2147024891
10/21/2012 10:19:00 AM, Error: Service Control Manager [7001] - The HomeGroup Provider service depends on the Function Discovery Resource Publication service which failed to start because of the following error: %%-2147024891
10/17/2012 4:38:41 AM, Error: Schannel [36888] - The following fatal alert was generated: 10. The internal error state is 10.
10/16/2012 3:17:09 PM, Error: Service Control Manager [7034] - The NVIDIA Update Service Daemon service terminated unexpectedly. It has done this 1 time(s).
10/16/2012 3:15:00 PM, Error: Service Control Manager [7003] - The SBSD Security Center Service service depends the following service: wscsvc. This service might not be installed.
10/16/2012 3:15:00 PM, Error: Service Control Manager [7001] - The IPsec Policy Agent service depends on the Base Filtering Engine service which failed to start because of the following error: Access is denied.
10/16/2012 3:14:58 PM, Error: Service Control Manager [7023] - The Base Filtering Engine service terminated with the following error: Access is denied.
10/16/2012 3:14:58 PM, Error: Service Control Manager [7001] - The Windows Firewall service depends on the Base Filtering Engine service which failed to start because of the following error: Access is denied.
10/16/2012 3:14:58 PM, Error: Service Control Manager [7001] - The IKE and AuthIP IPsec Keying Modules service depends on the Base Filtering Engine service which failed to start because of the following error: Access is denied.
.
==== End Of File ===========================

#4 shelf life (SuperMember; Visiting Fellow; 3,191 posts)

Posted 22 October 2012 - 07:33 PM

Before we go any further, I don't recognize an antivirus app in your logs. I see Windows Defender, Malwarebytes and Spybot; none of these are antivirus. I wouldn't be without one on a Windows OS. Several options, all free versions: download, install, update and do a full scan with one of them.

Avast
Panda Cloud AV
AVG
Avira
MS Security Essentials
How Can I Reduce My Risk?

#5 crakmonky (New Member; Authentic Member; 8 posts)

Posted 23 October 2012 - 07:56 PM

OK, so I ran a scan with AVAST and it took over 18 hours, partially my fault, and it didn't finish because I stopped it after it was scanning the same folder for 5 hours sitting at 92%. It found a few things. What next? Because I can't delete that folder; it has over 800,000 files and it takes way too long.

#6 shelf life (SuperMember; Visiting Fellow; 3,191 posts)

Posted 24 October 2012 - 06:46 PM

How long have you been without AV? Really, you shouldn't be on the internet without AV, or antimalware for that matter, which you have.

Was the folder Avast choked on here: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files?


I can't delete that folder it has over 800,000 files

Is this the same folder you mentioned before that seems to get GBs of data in it, here:

and I mean 15+ gigs' worth in less than a week. We deleted them and it's back in about the same time.

If this is the case, i.e. it's the same folder, do this:
Boot your machine into Safe Mode. To reach Safe Mode you would tap the F8 key during a computer restart; from the options menu choose the first option, Safe Mode,
and log into your usual account. Navigate to the folder and delete the files.
You might select/delete in batches rather than all of them at once.
Still in Safe Mode, disconnect your machine from the internet by turning off your modem or router if you have one, then reboot the computer normally. After boot up try scanning with Avast again without an internet connection. See how it goes.
How Can I Reduce My Risk?

#7 crakmonky (New Member; Authentic Member; 8 posts)

Posted 25 October 2012 - 02:25 AM

OK, will disconnect tonight and run it. And yes, I have been a while without antivirus; my brother told me Malwarebytes and Spybot were good enough. OH, and when I updated a month ago my Windows Firewall went down and I can't seem to get it back up. Tried reinstalling reg files and all. And thank you very much.

#8 shelf life (SuperMember; Visiting Fellow; 3,191 posts)

Posted 25 October 2012 - 04:33 PM

Just as a check, after you boot back up normally bring up Task Manager by pressing the Ctrl-Alt-Delete keys at once. I believe you can also do it in W7 by right clicking on the task bar > Start Task Manager. In any case Windows Task Manager should open. Under the Processes tab make sure your torrent client isn't in the list (BitTorrent.exe). If it is, click on it then select > End Task. Normally when it's running you would see the icon down by the clock. There's malware out there that will hide the icon, set up new files and start your client at every boot. One explanation for the huge amount of files is that you're unknowingly sharing files with your torrent client. A guess really on my part right now. You can also remove BitTorrent via the Add/Remove Programs panel.
How Can I Reduce My Risk?
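The checks shelf life describes by hand in posts #6 and #8 (delete the cache in batches, confirm the torrent client is not running or set to autostart) can be scripted. The following is an added example, not code from the thread or from any of the tools named in it. It assumes Windows 7 x64 with an elevated PowerShell 2.0+ prompt, takes the cache path from post #1, and the batch size and the dry-run switch are my own choices. It also adds one diagnostic the thread only implies: because the folder sits under the LocalSystem profile in SysWOW64, whatever fills it is a 32-bit process running as SYSTEM, not the logged-in user's browser, so the script lists candidates of that kind.

```powershell
# Added example (not from the thread): audit the refilling IE cache under the
# LocalSystem profile, check for the torrent client, and delete in batches.
# Assumes Windows 7 x64, elevated PowerShell 2.0 or later.

$cachePath = 'C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files'

# 1. Size, count and file-type mix of the cache. -Force includes the hidden
#    Content.IE5 subfolders; the PSIsContainer filter keeps PS 2.0 compatibility.
$files = @(Get-ChildItem -Path $cachePath -Recurse -Force -ErrorAction SilentlyContinue |
           Where-Object { -not $_.PSIsContainer })
$totalGB = [math]::Round((($files | Measure-Object -Property Length -Sum).Sum) / 1GB, 2)
"{0} files, {1} GB under {2}" -f $files.Count, $totalGB, $cachePath
$files | Group-Object Extension | Sort-Object Count -Descending |
         Select-Object -First 10 Name, Count | Format-Table -AutoSize

# 2. The cache belongs to the SYSTEM account's 32-bit (SysWOW64) profile, so the
#    writer is a 32-bit process running as SYSTEM. List processes matching that.
Get-WmiObject Win32_Process | ForEach-Object {
    $owner = $_.GetOwner()
    if ($owner.User -eq 'SYSTEM' -and $_.ExecutablePath -match 'SysWOW64|Program Files \(x86\)') {
        New-Object PSObject -Property @{ PID = $_.ProcessId; Name = $_.Name; Path = $_.ExecutablePath }
    }
} | Format-Table PID, Name, Path -AutoSize

# 3. Post #8's Task Manager check, scripted: is BitTorrent.exe running, and is
#    anything torrent-related registered to start at logon in a Run key?
$bt = @(Get-Process -Name BitTorrent -ErrorAction SilentlyContinue)
if ($bt.Count) { "BitTorrent.exe is running (PID $($bt[0].Id))" } else { "BitTorrent.exe is not running" }
foreach ($key in 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
                 'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run') {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($props) {
        $props.PSObject.Properties |
            Where-Object { $_.Name -notmatch '^PS' -and "$($_.Value)" -match 'torrent' } |
            ForEach-Object { "Autostart in ${key}: $($_.Name) = $($_.Value)" }
    }
}

# 4. Delete in batches (post #6) so Explorer never has to hold 800,000 entries.
#    Run with -WhatIf first; locked files are skipped rather than aborting the run.
function Remove-CacheInBatches {
    param([string]$Path, [int]$BatchSize = 5000, [switch]$WhatIf)
    $items = @(Get-ChildItem -Path $Path -Recurse -Force -ErrorAction SilentlyContinue |
               Where-Object { -not $_.PSIsContainer })
    for ($i = 0; $i -lt $items.Count; $i += $BatchSize) {
        $last  = [math]::Min($i + $BatchSize, $items.Count) - 1
        $batch = @($items[$i..$last])
        $batch | Remove-Item -Force -ErrorAction SilentlyContinue -WhatIf:$WhatIf
        "Batch {0}: {1} files processed" -f ([int]($i / $BatchSize) + 1), $batch.Count
    }
}
Remove-CacheInBatches -Path $cachePath -WhatIf   # drop -WhatIf to actually delete
```

Step 2 is the one worth reading before deleting anything: if the only SYSTEM-owned 32-bit process with a network-facing role is one you do not recognise, that is the thing to hand to the AV scan, and emptying the cache first just destroys the evidence of what it fetched.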

#9 crakmonky (New Member; Authentic Member; 8 posts)

Posted 26 October 2012 - 12:20 AM

OK, files all cleared out and AVAST fully ran. What would you like me to do now? And thanks, Avast has worked great. OK, it's not the problem with BitTorrent; it's off and no icon.

Edited by crakmonky, 26 October 2012 - 12:23 AM.


#10 shelf life (SuperMember; Visiting Fellow; 3,191 posts)

Posted 27 October 2012 - 10:01 AM

Did AVAST quarantine any files? So you didn't see bittorrent.exe listed in Task Manager? What about the temp folder, are files starting to reappear?
How Can I Reduce My Risk?



#11 crakmonky (New Member; Authentic Member; 8 posts)

Posted 29 October 2012 - 02:01 AM

Avast put more than 10 things in the chest over 3 runs. Yes, no BitTorrent problem like you said, and so far nothing, but it was like that for 2 days after I deleted it all last time, so I'm going to give it a couple more days, OK? Thank you very much. I do think it's gone but I just want to be sure. This forum has been of great help when 3 of my comp tech buddies couldn't figure it out. For some reason I seem to collect viruses on mine and others' computers even if I'm careful.

#12 shelf life (SuperMember; Visiting Fellow; 3,191 posts)

Posted 30 October 2012 - 04:38 PM

Looks like AVAST may have taken care of it. Post back if the files start to build up again. Some tips for you:

10 Tips for Prevention and Avoidance of Malware:
There is no reason why your computer cannot stay malware free.

No software can think for you. Help yourself. In no special order:

1) It is essential to keep your operating system (Windows) browser (IE, FireFox, Chrome, Opera) and other software up to date to "patch" vulnerabilities that could be exploited. Visit Windows Update frequently or use the Windows auto-update feature. Staying updated is also essential for other web based applications like Java, Adobe Flash/Reader, iTunes, media players, browser plugins and add-ons. More and more third party applications are being targeted. Not sure if you are using the latest version of software? Check their version status and get the updates here.

2) Know what you are installing on your computer. A lot of software can come bundled with unwanted add-ons, like adware, toolbars and malware. More and more legitimate software is installing useless toolbars if not unchecked first. Do not install any files from ads, popups or random links. Do not fall for fake warnings about viruses and trojans being found on your computer, after which you are prompted to install software to remedy this. See also the signs that you may have malware on your computer.

3) Install and keep updated: one antivirus and two or three anti-malware applications. If not updated they will soon be worthless. If either of these frequently finds malware then it's time to *review your computer habits*.

4) Refrain from clicking on links or attachments via E-Mail, IM, IRC, Chat Rooms, Blogs or Social Networking Sites, no matter how tempting or legitimate the message may seem. See also E-mail phishing Tricks.

5) Do not click on ads/pop ups or offers from websites requesting that you need to install software to your computer--*for any reason*. Use the Alt+F4 keys to close the window.

6) Don't click on offers to "scan" your computer. Install ActiveX Objects with care. Do you trust the website to install components?

7) Consider the use of limited (non-privileged) accounts for everyday use, rather than administrator accounts. Limited accounts can help prevent *malware from installing and lessen its potential impact.* This is exactly what User Account Control (UAC) in Vista, Windows 7 and 8 attempts to address.

8) Install and understand the *limitations* of a software firewall.

9) The why and how to secure your browser for safer surfing.

10) Warez, cracks, keygens etc. are very popular for carrying malware payloads. If you look for these you will encounter malware. If you download/install files via p2p networks you will also encounter malware. A file can be named anything, be nothing but malware or have malware bundled in it.
Do you really trust the source?

More info/tips with pictures in links below.

Happy Safe Surfing.
How Can I Reduce My Risk?

#13 crakmonky (New Member; Authentic Member; 8 posts)

Posted 31 October 2012 - 03:53 AM

Thanks, and I think it's gone. The tips are great but I don't have a firewall. The one that is part of Windows dropped the last time I updated Windows and I have no clue why. I've gone to the Windows forums and they are of no help as they are too complicated for me to understand; I just can't read code well enough to understand. I also tried replacing the registry and that did nothing. Any help or direction would be wonderful. If I need to I'll start another thread.

#14 shelf life (SuperMember; Visiting Fellow; 3,191 posts)

Posted 01 November 2012 - 06:36 PM

Go to Start and type msconfig in the search box. Under the Services tab make sure all the listed services have check marks next to them. If not, click to add a check mark, then reboot your machine. After the reboot go to Start > Control Panel > System and Security > Windows Firewall; on the left: Turn Windows Firewall on or off.
If that fails to turn it on, download and run this MS Fix it solution, then try turning the firewall on after running the fix.
How Can I Reduce My Risk?
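The msconfig route above works when a service has merely been disabled. The DDS event log in post #3 shows something different: the Base Filtering Engine (BFE) fails with "Access is denied", and Windows Firewall (MpsSvc), the IPsec Policy Agent and IKEEXT all fail because they depend on it. The script below is an added example, not the thread's or Microsoft's code; it assumes Windows 7 with an elevated PowerShell 2.0+ prompt. It reports the state of that dependency chain, tries the same Automatic-plus-start fix that msconfig and the Fix it apply, and, when a start fails with an access error, dumps the service's security descriptor with sc.exe so it can be compared against a healthy machine, since an access-denied start of BFE points at broken ACLs on the service's own registry key or files rather than at the start type.

```powershell
# Added example (not from the thread): inspect and re-enable the services that
# Windows Firewall depends on, then show the resulting firewall state.
# Assumes Windows 7, elevated PowerShell 2.0 or later.

# Windows Firewall (MpsSvc) and the IPsec services all need BFE running first.
$chain = 'BFE', 'MpsSvc', 'IKEEXT', 'PolicyAgent'

function Show-ServiceState([string[]]$Names) {
    foreach ($n in $Names) {
        # Win32_Service exposes StartMode, which Get-Service lacks on PS 2.0.
        $s = Get-WmiObject Win32_Service -Filter "Name='$n'"
        if ($s) { "{0,-12} state={1,-8} start={2}" -f $n, $s.State, $s.StartMode }
        else    { "{0,-12} NOT INSTALLED" -f $n }
    }
}

"Before:"; Show-ServiceState $chain

# Same effect as ticking the service in msconfig, then starting it without a
# reboot. BFE goes first because MpsSvc cannot start until BFE is up.
foreach ($n in 'BFE', 'MpsSvc') {
    try {
        Set-Service -Name $n -StartupType Automatic -ErrorAction Stop
        Start-Service -Name $n -ErrorAction Stop
        "Started $n"
    } catch {
        "Could not start ${n}: $($_.Exception.Message)"
        # An access-denied failure here is an ACL problem on the service's
        # registry key or files, which a start-type change cannot repair. Show
        # the service's security descriptor for comparison with a healthy host.
        sc.exe sdshow $n
    }
}

"After:"; Show-ServiceState $chain

# Final word from the firewall itself: one line per profile, ON or OFF.
netsh advfirewall show allprofiles state
```

If "After:" still shows BFE stopped with an access error, the msconfig checkbox and the firewall control panel will keep failing too, and the repair is to the service's permissions, not its start type; that is the point at which crakmonky's "the first solution wasn't an option and the second couldn't fix it" in the next post makes sense.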

#15 crakmonky (New Member; Authentic Member; 8 posts)

Posted 01 November 2012 - 08:36 PM

OK, so the first solution wasn't an option and the second couldn't fix it. I'm stumped, but it's all good; I'll just have to be extra careful. If you think of anything else I'd be happy to try it. Thanks again for all the help.
