Can someone please help me clean up spyware? Crunchie, Gerbil? Anyone? You all are so great! Thanks in advance for any advice!
Logfile of HijackThis v1.99.1
Scan saved at 7:43:10 PM, on 7/9/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN\MSNCoreFiles\MSN6.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\Program Files\HiJackThis!\HijackThis.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1184035090031
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1184034946421
O17 - HKLM\System\CCS\Services\Tcpip\..\{D2F7ABB6-1354-4881-9F5B-831214CC8758}: NameServer = 205.171.3.65 205.171.2.65
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Microsoft security update service (msupdate) - Unknown owner - c:\windows\system32\msvcrtd.exe
What a brazen come-on!! :)
K... a couple of things there, let's move em out.
Either: go Control panel > folder options OR: in an explorer window > tools>folder options; - then view tab, and press Show hidden files and folders.
Download fixwareout from http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe[/url] - and save it to your desktop.
Double click Fixwareout.exe to start the Fixwareout Setup Wizard, click next and then install. Ensure that Run fixit is checked, and click on Finish. After the fix follow the prompts. You will be asked to reboot your computer, and it may take longer than usual to load - this is normal.
Next check some settings....In control panel select the Network and Internet Connections , rclick on your default connection, usually local area connection for cable and dsl, and lclick on properties. Click the Networking tab. Dclick on the Internet Protocol (TCP/IP) item and select Obtain DNS servers automatically. Press OK twice to get out of the properties screen and reboot if it asks.
Now we have to flush the DNS cache: Go Start > Run, type cmd and click OK.
In the command screen, type in cd\ and then press Enter. Now type in ipconfig /flushdns and then Enter. (space after ipconfig). Type Exit.
FIX CHECKED ENTRIES....!!
Start Hijackthis, do a Scan Only and place checkmarks against all of the following, and then press Fix Checked:
O17 - HKLM\System\CCS\Services\Tcpip\..\{D2F7ABB6-1354-4881-9F5B-831214CC8758}: NameServer = 205.171.3.65 205.171.2.65
O23 - Service: Microsoft security update service (msupdate) - Unknown owner - c:\windows\system32\msvcrtd.exe
Good. Now go Start, run, type cmd and press Enter; type or paste into the window:
sc delete msupdate
- press Enter and close the window.
- browse to and delete c:\windows\system32\msvcrtd.exe
Get CCleaner from http://www.ccleaner.com/ - and put it in a new folder. You should aim to keep this one for general use. I set it from the installation checkboxes to only open from the recycle bin. It's neater that way.
Now run CCleaner from the recycle bin rclick menu using its default settings (if you set up CCleaner as i suggested, rclicking the bin icon should give you the Open CCleaner option...). Select the Cleaner icon, press Run Cleaner.
(For future quick temp file cleaning select the options you wish to use via the Windows and Applications tabs .. Note that CCleaner is also a free registry cleaner. Explore all its options, but skip the prefetch folder cleaning option. That one is unnecessary because windows automatically dumps old unused entries anyway, they can do no harm, and further, if there is no prefetch entry for an app you wish to load then your sys will just be a lil bit slower loading it. And an entry will then be generated anyway.)
AVG - AS:
GET AVG antispyware 7.5 here.. http://free.grisoft.com/doc/5390/lng/us/tpl/v5 or here.. http://free.grisoft.com/freeweb.php/doc/5390/lng/us/tpl/v5#avg-anti-spyware-free
- the link is almost at the bottom of the page , avgas 7.5.0.50. Install it and UPDATE it.
Start AVG a-s 7.5;
- under Scanner/ Settings please set Recommended Actions to QUARANTINE, and run the complete system scan.
- press Apply all Actions and Save the log file.
Post the log file plus that from Fixwareout and a fresh Hijackthis log.
Well, I had to get your attention somehow! ;o). Thought the subject title might do the trick!
I just wanted to mention that I am a regular user of HiJackThis!, Spybot, and AdAware. I've been a member here since my own PC got infected quite some time ago. Crunchie helped me through that time. This is my son's PC and I haven't been able to keep tabs on it, seeing as he is living with his dad currently. He is here for a visit. Anyway, I try to stay up to date and stay familiar with what is on my PC. Which I feel is probably important. Thanks so much for your help so far!!
Ok, I have MSN dialup. When I rclick Network Connections and select properties, I only have an "Advanced" tab with Firewall options. How to obtain DNS servers automatically? Should I move on with the next steps or wait to thoroughly complete all steps?
Well, I moved on.
Next... Flushed DNS cache w/ cmd "ipconfig /flushdns".
Fixed checked entries on HiJackThis.
Did cmd "sc delete msupdate"
Browsed to and deleted c:\windows\system32\msvcrtd.exe
Dwnloaded and ran CCleaner.
Dwnloaded and ran AVG.
(I'm scared I got infected more while online dwnloading AVG.)
Here's the fresh Logs. (Gulp! Yikes!)
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------
+ Created at: 9:19:41 PM 7/11/2007
+ Scan result:
C:\System Volume Information\_restore{364799B5-FD74-436F-9734-73FB5B8BBF9C}\RP1\A0000224.exe -> Backdoor.Agent.alm : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{364799B5-FD74-436F-9734-73FB5B8BBF9C}\RP1\A0000256.exe -> Backdoor.Agent.alm : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{364799B5-FD74-436F-9734-73FB5B8BBF9C}\RP1\A0000411.exe -> Backdoor.Agent.alm : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{364799B5-FD74-436F-9734-73FB5B8BBF9C}\RP1\A0001001.exe -> Backdoor.Agent.alm : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{364799B5-FD74-436F-9734-73FB5B8BBF9C}\RP1\A0001858.exe -> Backdoor.Agent.alm : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{364799B5-FD74-436F-9734-73FB5B8BBF9C}\RP2\A0002005.exe -> Backdoor.Agent.alm : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{364799B5-FD74-436F-9734-73FB5B8BBF9C}\RP5\A0002757.exe -> Backdoor.Agent.alm : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{364799B5-FD74-436F-9734-73FB5B8BBF9C}\RP6\A0002826.exe -> Backdoor.Agent.alm : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{364799B5-FD74-436F-9734-73FB5B8BBF9C}\RP6\A0002871.exe -> Backdoor.Agent.alm : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{364799B5-FD74-436F-9734-73FB5B8BBF9C}\RP6\A0003428.exe -> Backdoor.Agent.alm : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{364799B5-FD74-436F-9734-73FB5B8BBF9C}\RP6\A0003681.exe -> Backdoor.Agent.alm : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{364799B5-FD74-436F-9734-73FB5B8BBF9C}\RP6\A0004709.exe -> Backdoor.Agent.alm : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{364799B5-FD74-436F-9734-73FB5B8BBF9C}\RP6\A0005672.exe -> Backdoor.Agent.alm : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{364799B5-FD74-436F-9734-73FB5B8BBF9C}\RP6\A0005688.exe -> Backdoor.Agent.alm : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{364799B5-FD74-436F-9734-73FB5B8BBF9C}\RP6\A0006688.exe -> Backdoor.Agent.alm : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{364799B5-FD74-436F-9734-73FB5B8BBF9C}\RP6\A0007688.exe -> Backdoor.Agent.alm : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{364799B5-FD74-436F-9734-73FB5B8BBF9C}\RP7\A0007863.exe -> Backdoor.Agent.alm : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{364799B5-FD74-436F-9734-73FB5B8BBF9C}\RP7\A0008019.exe -> Backdoor.Agent.alm : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{364799B5-FD74-436F-9734-73FB5B8BBF9C}\RP7\A0008468.exe -> Backdoor.Agent.alm : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{364799B5-FD74-436F-9734-73FB5B8BBF9C}\RP7\A0008469.exe -> Backdoor.Agent.alm : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{364799B5-FD74-436F-9734-73FB5B8BBF9C}\RP6\A0003468.exe -> Downloader.Small.evw : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{364799B5-FD74-436F-9734-73FB5B8BBF9C}\RP6\A0003654.exe -> Downloader.Small.evw : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\1AHJDBXB\loadadv735[1].exe -> Dropper.Small.ayg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{364799B5-FD74-436F-9734-73FB5B8BBF9C}\RP1\A0000243.sys -> Rootkit.Agent.ex : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{364799B5-FD74-436F-9734-73FB5B8BBF9C}\RP1\A0001004.sys -> Rootkit.Agent.ex : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{364799B5-FD74-436F-9734-73FB5B8BBF9C}\RP1\A0001859.sys -> Rootkit.Agent.ex : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{364799B5-FD74-436F-9734-73FB5B8BBF9C}\RP2\A0001916.sys -> Rootkit.Agent.ex : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{364799B5-FD74-436F-9734-73FB5B8BBF9C}\RP2\A0002006.sys -> Rootkit.Agent.ex : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{364799B5-FD74-436F-9734-73FB5B8BBF9C}\RP5\A0002758.sys -> Rootkit.Agent.ex : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{364799B5-FD74-436F-9734-73FB5B8BBF9C}\RP6\A0002827.sys -> Rootkit.Agent.ex : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{364799B5-FD74-436F-9734-73FB5B8BBF9C}\RP6\A0002872.sys -> Rootkit.Agent.ex : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{364799B5-FD74-436F-9734-73FB5B8BBF9C}\RP6\A0003443.sys -> Rootkit.Agent.ex : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{364799B5-FD74-436F-9734-73FB5B8BBF9C}\RP6\A0003683.sys -> Rootkit.Agent.ex : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{364799B5-FD74-436F-9734-73FB5B8BBF9C}\RP6\A0004711.sys -> Rootkit.Agent.ex : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{364799B5-FD74-436F-9734-73FB5B8BBF9C}\RP6\A0005674.sys -> Rootkit.Agent.ex : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{364799B5-FD74-436F-9734-73FB5B8BBF9C}\RP6\A0005690.sys -> Rootkit.Agent.ex : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{364799B5-FD74-436F-9734-73FB5B8BBF9C}\RP6\A0006690.sys -> Rootkit.Agent.ex : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{364799B5-FD74-436F-9734-73FB5B8BBF9C}\RP6\A0007689.sys -> Rootkit.Agent.ex : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{364799B5-FD74-436F-9734-73FB5B8BBF9C}\RP7\A0007865.sys -> Rootkit.Agent.ex : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{364799B5-FD74-436F-9734-73FB5B8BBF9C}\RP7\A0008295.sys -> Rootkit.Agent.ex : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{364799B5-FD74-436F-9734-73FB5B8BBF9C}\RP7\A0008365.sys -> Rootkit.Agent.ex : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{364799B5-FD74-436F-9734-73FB5B8BBF9C}\RP7\A0008647.sys -> Rootkit.Agent.ex : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{364799B5-FD74-436F-9734-73FB5B8BBF9C}\RP7\A0008679.sys -> Rootkit.Agent.ex : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{364799B5-FD74-436F-9734-73FB5B8BBF9C}\RP7\A0009677.sys -> Rootkit.Agent.ex : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{364799B5-FD74-436F-9734-73FB5B8BBF9C}\RP7\A0009723.sys -> Rootkit.Agent.ex : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{364799B5-FD74-436F-9734-73FB5B8BBF9C}\RP7\A0010021.sys -> Rootkit.Agent.ex : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{364799B5-FD74-436F-9734-73FB5B8BBF9C}\RP7\A0012496.sys -> Rootkit.Agent.ex : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{364799B5-FD74-436F-9734-73FB5B8BBF9C}\RP6\A0003395.exe -> Trojan.Agent.aia : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{364799B5-FD74-436F-9734-73FB5B8BBF9C}\RP6\A0003444.exe -> Trojan.Agent.aia : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{364799B5-FD74-436F-9734-73FB5B8BBF9C}\RP6\A0003653.exe -> Trojan.Agent.aia : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{364799B5-FD74-436F-9734-73FB5B8BBF9C}\RP6\A0003678.exe -> Trojan.Agent.aia : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{364799B5-FD74-436F-9734-73FB5B8BBF9C}\RP6\A0004687.exe -> Trojan.Agent.aia : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{364799B5-FD74-436F-9734-73FB5B8BBF9C}\RP6\A0004712.exe -> Trojan.Agent.aia : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{364799B5-FD74-436F-9734-73FB5B8BBF9C}\RP6\A0005669.exe -> Trojan.Agent.aia : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{364799B5-FD74-436F-9734-73FB5B8BBF9C}\RP6\A0005675.exe -> Trojan.Agent.aia : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{364799B5-FD74-436F-9734-73FB5B8BBF9C}\RP6\A0005685.exe -> Trojan.Agent.aia : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{364799B5-FD74-436F-9734-73FB5B8BBF9C}\RP6\A0005691.exe -> Trojan.Agent.aia : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{364799B5-FD74-436F-9734-73FB5B8BBF9C}\RP6\A0006685.exe -> Trojan.Agent.aia : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{364799B5-FD74-436F-9734-73FB5B8BBF9C}\RP6\A0006691.exe -> Trojan.Agent.aia : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{364799B5-FD74-436F-9734-73FB5B8BBF9C}\RP6\A0007685.exe -> Trojan.Agent.aia : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{364799B5-FD74-436F-9734-73FB5B8BBF9C}\RP6\A0007691.exe -> Trojan.Agent.aia : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{364799B5-FD74-436F-9734-73FB5B8BBF9C}\RP7\A0007837.exe -> Trojan.Agent.aia : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{364799B5-FD74-436F-9734-73FB5B8BBF9C}\RP7\A0007864.exe -> Trojan.Agent.aia : Cleaned with backup (quarantined).
::Report end::
>>>>Username "Owner" - 2007-07-11 19:04:44 [Fixwareout edited 2007/07/05]
»»»»»Prerun check
System was rebooted successfully.
»»»»» Postrun check
HKLM\SOFTWARE\~\Winlogon\ "System"=""
....
....
»»»»» Misc files.
....
»»»»» Checking for older varients.
....
»»»»» Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\\WINDOWS\\System32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\System32\\hkcmd.exe"
"lanmanwrk.exe"="C:\\WINDOWS\\System32\\lanmanwrk.exe"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ttool"="C:\\WINDOWS\\9129837.exe"
....
Hosts file was reset, If you use a custom hosts file please replace it
»»»»» End report »»»»»
Logfile of HijackThis v1.99.1
Scan saved at 9:28:40 PM, on 7/11/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\qmhoepkf.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HiJackThis!\HijackThis.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [lanmanwrk.exe] C:\WINDOWS\System32\lanmanwrk.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1184036107828
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1184036016312
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Network helper Service (MSDisk) - Unknown owner - C:\WINDOWS\System32\irdvxc.exe" /service (file missing)
O23 - Service: Network Windows Service (MSWindows) - Unknown owner - C:\WINDOWS\System32\urdvxc.exe" /service (file missing)
Hi, heidi. Infection possibility while using AVG site: not likely, as long as you have Windows firewall ON.
And yikes! is right..... what a log. When this is over you are going to install an AV and a proper firewall, aren't you...? Right after you update to SP2... on dialup tho I think I would contact M$ and get the CD - it is only a $ or two to cover their basic costs. If you don't do those things their is every chance you will remain a regular visitor here.
Right, for now fix these entries with hijackthis:
O4 - HKLM\..\Run: [lanmanwrk.exe] C:\WINDOWS\System32\lanmanwrk.exe
O23 - Service: Network helper Service (MSDisk) - Unknown owner - C:\WINDOWS\System32\irdvxc.exe" /service (file missing)
O23 - Service: Network Windows Service (MSWindows) - Unknown owner - C:\WINDOWS\System32\urdvxc.exe" /service (file missing
Delete these files:
C:\WINDOWS\System32\qmhoepkf.exe
C:\WINDOWS\System32\lanmanwrk.exe
Run these lines:
sc delete MSDisk
sc delete MSWindows
System Restore Points Clearance:
==You MUST clear all your system restore points because some have been infected.... AVG may have cleaned them, but we cannot be sure it found everything. So go control panel > system > system restore tab, check Turn off sys res on all drives, Apply and OK. Do it all again but uncheck that box, Apply and OK.
==Run CCleaner again.
Do a Panda Online Scan:
==Please do an online scan at panda:- http://www.pandasoftware.com/products/activescan?
-select a link to the scan... free online virus scan...., enter a valid? email and follow through, choosing My Computer for a full system scan.
Post the log it produces here.
==Please download VundoFix.exe to your desktop from http://www.atribune.org/ccount/click.php?id=4
Double-click VundoFix.exe to start it, click the Scan for Vundo button.
When the scan completes click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files - click YES
Your desktop will then go blank as the process of removing Vundo starts.
When completed it will prompt that it will restart your computer - click OK.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the
Scan for Vundo button." when VundoFix appears at reboot.
Post the contents of C:\vundofix.txt
==Change the name hijackthis.exe to imabunny.exe and post a fresh scan also.
Ok, This is getting tricky. Panda scan is STILL scanning. I think the infection is respreading itself as I'm online doing the above mentioned tasks. (not from AVG website)
Anyway. VundoFix found no infections.
I'm looking around through my different folders and I noticed quite a few ".com" files in my "Windows/System32" folder.
chcp.com
command.com
diskcomp.com
diskcopy.com
edit.com
format.com
graftable.com
graphics.com
kb16.com
loadfix.com
mode.com
more.com
tree.com
win.com
Are these supposed to be there. All modified at the same date and almost exact time.
Also these keep popping up in C:\
tuto.exe
d.exe
I keep deleting them. I know they are a problem.
AVG said it found Dropper.Small.ayg, rootkitagent, backdooragent, and trojan agent. it quaranteened them all, but then it kept saying it found it. So I clicked "Remove Finally" on them.
Now what should I do?
PandaScan is still at 75%. I'll post the log from that as soon as it finishes.
OK, this sucks!
Finally PandaScan finished updating and I chose to scan My Computer. It starts the scan, detects a virus, fixes it, proceeds to scan and then my browser disappears and I start the whole process over. This has happened 5 times now! I keep running CCleaner, Fixwareout, AVG, HiJackThis.
What should I do now?
::::Here is a log of HijackThis. Renamed "ImABunny":::::
Logfile of HijackThis v1.99.1
Scan saved at 2:59:22 PM, on 7/12/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HiJackThis!\ImABunny.exe
O2 - BHO: H - {B1FBF2E1-C164-4ebe-AB04-B839655CC927} - gyrpsy23.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1184036107828
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1184036016312
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D2F7ABB6-1354-4881-9F5B-831214CC8758}: NameServer = 205.171.3.65 205.171.2.65
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
::::FixWareOut Log::::
Username "Owner" - 2007-07-12 14:46:02 [Fixwareout edited 2007/07/05]
»»»»»Prerun check
System was rebooted successfully.
»»»»» Postrun check
HKLM\SOFTWARE\~\Winlogon\ "System"=""
....
....
»»»»» Misc files.
....
»»»»» Checking for older varients.
....
»»»»» Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\\WINDOWS\\System32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\System32\\hkcmd.exe"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
....
Hosts file was reset, If you use a custom hosts file please replace it
»»»»» End report »»»»»
Oh, heidi... Right. For a start, hijackthis is only a reporting tool, it does not repair anything unless set to do so. The first group of files, the .com ones, are MSDOS files for when XP runs DOS in an emulation environment. But they should have an old date, maybe 2004? If it is recent then there is a trojan which attacks .com files in system32, and it runs under the name of d.exe :) - could be your variant, may not be. AVG AS should have found it, combofix may.
Your Fixwareout run failed, I see that it did not list one TCPip entry - it is targeted by some malware. Delete your tool, and get a fresh copy and try it:
==Download fixwareout from http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe - and save it to your desktop.
Double click Fixwareout.exe to start ...
Empty the AVG quarantine bin: select all and delete. Oh, you did.
Get hold of and runCombofix:
==Download this file to your desktop: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
- to run it dclick combofix.exe and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.
AVG AS - I am not convinced it is working properly - that result scan looks strange. I would uninstall it, dl a fresh copy, update it and try a fresh scan, but in Safe mode.
Then persist with Panda - you could run that in safe mode with Networking. It gets broken sometimes, but it is fixing things the while.
It may come down to accepting that you have a bad series of infections, saving important files to CD, DVD, and reinstalling after a format.
It may come down to accepting that you have a bad series of infections, saving important files to CD, DVD, and reinstalling after a format.
To be honest, I've already accepted it and I'd kinda rather just do that! (I almost did, but I just reinstalled windows instead)
But, will reformatting really take care of the problem completely? Any info you can give me about reformatting would be GREAT! The only info my son really wants to save is his ripped music (some of his cds are severely scratched, so he can't re-rip). But even then....the computer is all F'd up anyway. Half of the programs need reinstalled, some of them can't unistall or delete. There are double folders in c:/documents and settings (Admin.6024blah blah, Admin.1143, All Users, All Users.Windows, Default User, Default User.Windows, etc., etc.) because I reinstalled. I found a site describing how to remedy this problem by cut/paste folders into each other to consolidate, but I don't even want to bother. My son is here for 3 more weeks, and I'd like to get this computer fixed before he goes back to his dad's.
I'll just need to learn myself about reformatting, partitions, boot drives, etc. I don't fully grasp some aspects of these, yet. I thought I read somewhere that you can't reformat the drive windows boots from or something like that. I really appreciate your help. I will keep trying to run Panda. I'll try safe mode and keep you posted. Now HiJackThis keeps disappearing when I try to run it. AdAware and SpyBot still run.
Skip running fixwareout - log is fine from that aspect.. the O17 entry represents the DNS server that your ISP uses, and I should have been sharper on that, but at least the second run showed that a couple of trojan registry entries had been removed.
AVG found infections in several restore points, but those have all been removed now by that procedure of turning restore off/on.
Time to gve up on Panda, I think, for the time being. Try the two scans below and post any positive results. Do not use your computer while it scans.
But first, check for and delete :
C:\\WINDOWS\9129837.exe
C:\\WINDOWS\hide_evr2.sys
==blacklight beta from http://www.f-secure.com/blacklight/ -download is at foot of page. Install it, start, accept the agreement and Scan.
==Kaspersky Online Scan, from http://www.kaspersky.com/virusscanner -press the Kaspersky Online Scanner button, follow through....
If Kaspersky completes try another AVG AS scan.
[[Pretty much it is possible to invest too much time cleaning a machine. I'm keeping in mind that you are on dialup, but we should manage it. If you do decide to go with a clean start then we can show you pgms to write patterns on your HD to destroy all info, then guide you through reinstallation, sorting out a decent setup with multiple partitions if you so desire.
"I read somewhere that you can't reformat the drive windows boots from...." - no, you cannot, but you can do it from windows setup when you reinstall...or with free 3rd party tools.
Yes, first you would copy out your son's music though, and any other valuable documents or pictures.]]
If you do decide to go with a clean start then we can show you pgms to write patterns on your HD to destroy all info, then guide you through reinstallation, sorting out a decent setup with multiple partitions if you so desire.
Could ya please?
Looks like my only option at this point. Kids insisted on going on computer in between fixing it, (seeing as it was working a little.) I told 'em better not! All of a sudden, while mid-game, the computer restarted and is now stuck in infinite reboot pattern. I caught it in between one of the bootups and pressed F8. Tried to start in Safe Mode. Just kept restarting and restarting. So I pressed the off button and haven't tried to turn it on since. Nothing on it that is valuable. Can re-rip music, and game files........ Bah!
Thanks for all your help so far!
If you used your installation cd you could attempt a windows Repair [ignore the option to "repair using Recovery Console", just Enter to go past that into setup where it detects your OS and then suggests a Repair if possible]. That would give you the chance to pull off the music etc....
I was going to tell you - you had a rootkit-protected trojan [amongst others] which allowed others to totally control your pc... so in the end a reinstallation of XP is always the best option there. I gotta go to town right now, I or someone will give you a guide later today.
Heidi, if you would still like suggestions for reinstallation, pls post your HD size and whether you have only one HD....
Yes, only one hard drive. 40 gb. The computer is a Dell Dimension 2400.
Hi, Jeannie.... here are my suggestions considering your drive capacity and overall convenience, plus reliability through creation of a better environment for the windows OS. That last comes from installing Windows into its own partition and then removing all the temporary files to another partition, where their continual creation, deletion etc will not interfere with the OS. Windows likes to stretch out and arrange itself so that the bits you and it use most often are grouped and fast to reach - it does that automatically, and is more stable if the temp files, temporary internet files, cookies, histories, outlook express mail folders and so on are elsewhere. Currently a fully updated XPSP2 with a full driver cache [handy] and several restore points solidly occupies 4GB [well, mine does; it depends a bit on the software you install because that affects registry size] - you will need to include 1 1/2 times the size of your RAM for virtual memory [128MB > 200MB, 1/2 GB > 800MB...], plus room for several Restore points; All in I think 8GB is the minimum, pretty much, for that Windows partition. It leaves plenty of free space for it to arrange itself. If you do not wish to relocate the plethora of temporary files you should give it 2GB more, say 10GB. Mine is in 8GB.
Next you need a partition for the temporary stuff - emails from eg Outlook Express, temp inet files, cookies, firefox and opera caches and so on, plus the stuff you download [pgm files, pictures, silly stuff, music... you name it] - all the stuff you play with for a short time while you decide whether to keep or discard it. This does not need to be a big partition cos you move the good stuff out continually - mine is 6GB but rarely has more than 2GB of stuff in it. The advantage of this space being separate is that all this addition and deletion of short stay files and folders does not interfere with the OS or your keeper files by fragmenting them and thereby slowing your sys. Give it say, 5GB? 6GB if you wish to load a couple of game images to save CD wearntear.
Applications. Give them their own partition, put with them all the pgm installation files you download in a separate folder cos it saves downloading them again if you need them. Again I have given 6GB to this partition, but it contains atm only 2GB of pgm files and any downloaded installation files. I think I have a fair selection of pgms.... 4 or 5GB would be tons.
So, 8 +5 + 5 = 18GB, leaving you 22GB in a fourth partition for storing music, photos, and any other files you wish to hang onto for a fair while while you use them. Letters, financial records.... Of course, the really good stuff goes onto CD /DVD as well, doesn't it? Well, what do you think? I have a bigger primary HD so I have a few more partitions, but they are only a convenience and not really necessary - I could easily forgo the extra ones and use folders in their place. Four, I think, would be a good setup for your 40gig HD.
Try very hard to borrow someone's XPSP2 CD, cos you will be able to use it to install with your own numbers... to install XPSP1 and then update online would be almost impossible with dialup. SP2 is pretty vital but it is a huge download... 272MB!!
When you go into Setup set the size of the OS partition to 8GB and proceed with formatting it and then installing. We do the other partitions later, when windows is working. And then we can shift out those temporary files.... all I can say is that a setup like that works very well for me. And if anyone reads this and has other ideas, please post em.
Comments, Jeannie? It is your sys, after all....
Ok, So far this sounds good to me. I'll think of the partitions like a four drawer file cabinet.
So, one "drawer" for the OS.
One for Temp files.
One for Applications.
One for Music, Pics, and keeper files.
Now, a few ?s.
I'm a little confused about the Temp partition. How do you keep the Temp folders seperated from Windows OS partition? Won't Windows continually create the folders (in Windows) if they are not in the "Windows" folder?
What do you mean "Game Images"? Actual games, or actual Images? I don't get it.
And by "Applications" you mean programs? Like Paint, Video conversion programs, Anti-Spyware (HiJackThis, Spybot) Media Player, etc.? And games? My son has LOTs of games? That would be application too? (Duh!) Also, MSN. That would go under the Applications partition, but the email, temp MSN folders go in the Temp partition? Is this all correct so far?
Hi, Jeannie, yes, the four drawers is pretty close to the idea.
The Temp partition. Pretty much we will create in the temp partition the requisite folders/files that windows normally uses, and other pgms too, and then we will tell Windows about them by changing, for example, environmental variables and some registry settings. And windows will happily use the new folders/files as its own.
Applications.... yes, Paint, AV, AS, Outlook Express, infact any pgm that you install apart from windows... we just change a single setting and that will make hat partition the default location for any pgm you install.
Images..... most games insist on running from a CD when you play them. That is slow, tedious [you gotta find n then insert the CD...], damaging to the CD surface from accidental scratching.... So if I play a game often I use certain software [Alcohol 52% does me] to create an "image" of that CD on my HD [images are special copies that contain exactly what is on the CD and not just the information in its files..]; you install the game as per normal; to play all you do is click the image to "mount" it as a new drive.. the Alcohol software presents it to the OS as a CD drive, and it runs. And there is no waiting while an actual CD drive spins up... cos its on the HD. You can do it with most everything that is to be found on a CD, not just games, but in fact you only use it when the pgm insists on a CD being present [like many games].... I mean that you could [if you wished to be silly] create an image of a CD of music and play it, but no media player insists on running from the CD - all they want are the files of music. Etc.
Some piccies of my main drive:
This all sounds perfect to me! Although I'll probably opt to skip the game imaging bit. My son has lots of games and I think he'd rather keep the drive space than run games faster. And it may be a bit of work teaching him the partition deal, but it's way worth it!
Now, I went through the first couple of steps to create a partition (just to see what it was like), but I didn't actually create any. Didn't want to screw up. I followed the command prompt instructions in WinXP Help. cmmd>diskpart>selectdisk>etc. Like I said I didn't complete any steps, just wanted to see what it was like. It did confuse me a bit. It asked Primary Partition, Extended Partition or Logical Drive. Also, about offset? How do you know where to offset the partition?
And a question about SP2. I've heard about a lot of problems with Service Pack 2. And there are so many "horror stories" out there, and help sites on uninstalling it. I never bothered to install SP2 on MY pc or on my son's either. Why are there so many problems with it, and why is it so neccessary? (well, duh! I realize why it's probably so important.) But, why is it such a problem for some?
Well, Thanks again for all your help so far! What can PC geek wannabees like me do to repay the Real ones like you? (besides not have PC trouble) You guys do so much to help us! THANK YOU!!!!!!
~Heidi (not Jeannie, by the way) wink ;o)
Hello, Heidi. Fair enough about the game images... you can take up that idea at any time you like down the track, and just load a game image into your temporary partition in some folder. We'll ignore em now though.
SP2. M$ put a deal of effort into that patch, and if you surf the web it is pretty vital to have. It is all about improving security.... and they continually update their work. I have never had a problem with my pc.... so SP2 works for me. I strongly suggest you borrow a friend's XP-SP2 disc to use for installation if your key is a general, not limited type. Otherwise use your CD and key then get the SP2 CD from M$.
Skip using diskpart, use the formatting tool on the XP CD to create the first partition, the one for Windows itself; it will automatically create one of the right type [primary, and active], you get to choose FAT32 or NTFS - choose NTFS. Once again, it is about security, besides it was designed for XP. To install XP only one partition is necessary, we'll create the others later using XP.
Right. Disconnect from the web, change your BIOS setting to boot from CD and restart with the CD loaded; or more simply start up, hit F11 to set the one-time boot source to CD, load your CD ...
Let Windows Setup start, delete any partitions it finds, then in the unpartitioned space create one of the size you desire [8GB?, NTFS]. Full format it, not quick. Have your key handy and let installation run.
Don't load any apps yet, or create files, cos they will only have to be moved later on. Kindly, Setup will not even mention offsets.. :)
Can I break now? -it's late, and tomorrow I shall guide you thru partitioning with the XP disk management tool -it's easy as... Briefly, because of coding limitations in the master boot record [created when you made the first partition] you can only have four partitions cos that is all that code can record. But by making one [the last] an extended partition you can add any number of extra logical partitions [they daisychain from the extended partition and from each other - the extended partition tells the loader about the next, that one tells the loader about the next... and so on]. Simply, go for 3 primary plus one extended if you wish to leave some unallocated space on your HD for whatever; or if four, filling the HD is all you wish for, just make em all primary.
My bed is calling. Payment? Be nice to animals, and your folks.
I'll look forward to your advice on placing folders tweaking the registry, etc. Thanks again so much! You are such a busy helper! Helping all these people! Your so Gerbilicious!
~Heidi
Also, Why I ask about SP2, is because I'm having a hard time getting ahold of it. I was using my M-In-Law's pc for support (highspeed downloads, checking Daniweb, etc.) but now she's having trouble with her pc and wants me to fix it! AAAHhhh! What next?! Anyway, couldn't I just make the partitions and then download SP2 & updates in safe mode? Yes, very time consuming but..... I can't think of anything else. Looking forward to your advice. Thanks again! And Again and again and again............
~Heidi
I went through the steps you mentioned. I deleted a partition but it was only 31 MB and it was FAT32. The "c" drive is labled as partition1 and has 38131mb (can't remember precise number) free space. Didn't want to delete that one as it's the main one. Didn't know if I should or or could or not. Can't create new partition in the unallocated space cause it's too small (31 mb) to set up windows xp. What next?
I should've waited for you, Gerbsie!
Heidi, is that an OEM-type XP installation disk you have there? Or a Dell Recovery disk? Since you reinstalled before I'll assume it is the former ....
Dell put a diagnostics utility on your hard drive in a hidden partition. That 31MB partition you deleted was it. But no loss there, there's no need to go eek. Let's move on.
Set your BIOS to boot from CD drive. Restart with the CD in the drive, and you should enter Windows Setup for XP straight away. Delete that C: partition so that you see the HD as ALL unallocated space. Now make a new partition for XP, set it to 8000MB. Format it, fully, as NTFS. Agree, enter your key, and let it rip.
When it completes you may have to load some drivers for chipset, video, sound etc from another CD. Don't load the Dell applications.
And stop there for the time being. Or if you like, use XP to partition the rest of the drive unallocated space. Just go to Disk Management console and do what I wrote about before. It's dead easy to use.
Sp2. So your Mum has a fast connection, eh? Right, mum's are used to being used.... so dl this file from M$; we'll use it later to upgrade to SP2 : http://www.microsoft.com/downloads/details.aspx?FamilyId=049C9DBE-3B8E-4F30-8245-9E368D3CDB5A&displaylang=en
This gives you a file [266MB] which you can burn to a rewritable cd and load into your pc. Plus with it you can make your own XP SP2 CD later...
I think I have the Dell recovery CD. It says "OS Already Installed On Your Computer" "Reinstallation CD Microsoft Win XP Home Edition". And Dell at the bottom.
Yes Mom-In-Law has high speed. I use her for downloads, etc. But I think she has gotton a virus now too! Her husband's son is staying with them (outta prison) and is doing online dating junk. Now her PC is slooooooooowwww. and can't copy files! UUhhhhgggg! I did initially go there to dwnload SP2. Which I did and was elated. But then couldn't copy it to CD.
And What about updating SP2 while in safe mode? Terrible trouble, but wouldn't it work? And should I try to do that before creating more partitions? Or does it matter?
OK.
i couldn't wait. I now have four partitions.
c:/ OS 8GB
t:/ TEMP 5GB
p:/ PROGRAMS 10 GB
s:/ STORAGE 17GB
It's cool that you can label the volumes. I called them these so my son can try to remember better (his PC). He has no knowledge of these subjects, so he really doesn't understand how to control the System as well as I do. And he will be returning to his father's this weekend. Hence my urgency. (thanks again for all your help!)
I also installed the Graphics driver. I have stopped for now and await your "tweaking" advice. Oh, and also advice on SP2 still. Dwnload in safe mode? Or..... pretty much no other choices for now.
~Heidi
Heidi, I don't think that I would give pgms 10GB.. even if all that you ever used were written instead by M$ they could not bloat out that much.... I have all my dl'd installer files [60 plus of em..] in my pgm partition as well, driver updates, plus extra info like help files, other application resources... and I only have a total of 2GB in there [ have 6GB space total... but with 160GB on that drive i can spare the fat]. I'd set yours to 5GB max., 4 GB even. And I would stick with an alphabetic order of drive letters... the default lettering is fine and good.Windows will plug in an optical drive there somewhere... I would make the last partition a logical one also.. ie "inside" an extended partition - allows you to add drives later on. Well, you never know...
Rename Temp to anything but that, cos soo many files are called temp also. Shortstay, Transient... whatever. A pathname T:\temp\temp.tmp is laying in wait for you... :)
Okay. Moving stuff. First decide what you wish to move out of C: -
I would suggest from User take Application Data, Cookies, Favourites, My Documents, Recent [My Recent Documents];
from Local Settings I would take History, Temp, Templates, Temporary Internet Files, leaving behind the actual Local Settings directory.
I would also relocate Outlook Express mail folders, Opera cache and Firefox cache.
And tell the sys the new default applications path. I think that's about it. Deep breath, now....
Step one - build your desired directory structure on PAPER. I would go something like:
Temp (T:)
\Downloads **
\Scratch Pad **
\User Documents and Data **
\\Albert [heh] **
\\\My Documents
\\\User Data **
\\\\Application Data **
\\\\Cookies **
\\\\Favourites **
\\\\Firefox
\\\\History **
\\\\Opera Cache4
\\\\Outlook Express **
\\\\Recent
\\\\Temp **
\\\\Templates **
\\\\Temporary Internet Files **
-on paper, cos some of this stuff you Move to here, which will naturally move the folder also. But create now the ones that I have asterisked.
=Now the easy one first. In Programs drive make a folder Program Files [see now why I called my drive Applications?]so:
Programs (P:)
\Program Files
\\Common Files
Next, into reg, and change this key to your new pgm files and Common Files directories:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion]
"ProgramFilesDir"="p:\Program Files"
"CommonFilesDir"="p:\Program Files\Common Files"
Done. Now any new apps you install will load there. You could move some M$ pgm files over to it, but a lot of em complain, so it's really not worth it. OE does move [rclick and move], IE will not [it gets very confused, and will rebuild some of itself in the orig directory].
=My Documents. Rclick it in Explorer window left pane, properties, move. Expand destination, select Albert, Make New Folder - name it My Documents. Ok n out. Done.
=Temp and Tmp. [these are in C:\Windows...] - go control panel, system, advanced, environmental variables, in TOP user window select TEMP, Edit, change path to the new T:\User Documents and Data\Albert\User Data\Temp ;
Edit TMP to the same folder.. ie Temp - so combining them, there is no need for a TMP folder. OK n out. Done.
=Temp Inet Files. In an IE window, go Tools, Internet options, General, Settings, press Use Blank, change disk space to 32MB or less, Move folder, expand and select the new Temporary Internet Files, OK n out. Done.
=Cookies n History, Favourites n Application Data. The last step may have moved cookies, it may not have.. Change these reg settings:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders]
"Cookies"="T:\User Documents and Data\Albert\User Data\Cookies"
"History"="T:\User Documents and Data\Albert\User Data\History"
"Favourites"="T:\User Documents and Data\Albert\User Data\Favourites"
"AppData"="T:\User Documents and Data\Albert\User Data\Application Data"
"Recent"="T:\User Documents and Data\Albert\User Data\Recent" -this one is only found in Shell Folders key.
"Templates"="T:\User Documents and Data\Albert\User Data\Templates"
%USERPROFILE% is "C:\Documents and Settings\user" - you can change %US...% to whatever path.
=OE mail. OE: Open OE and click Tools| Options| Maintenance, then click the Store Folder button. Click the Change button and Browse to your new folder. Click OK to close each dialogue, and then close OE. When you open OE again it will automatically move the old store to the new location. Done.
Howzat?
Firefox n Opera are a bit special. Goggle "about:config" for Firefox, "Opera Cache4" for Opera.... you let Opera create the cach4 folder inside you Opera folder.
I have given one way of doing it. Some of those you could use Move, if they resist use TweakUI, or my method. Recent may jump back to where it was.. a funny one that.
Move any contents over to the new locations if you do not use Move to move the whole folder.
Say how it goes... I guess you will..:) Now if this works for you, save a hard copy of this note somewhere [a floppy?] cos if you ever do a Repair you wil have to reinstate this stuff... and get rid of newly created duplicates.
There are types of folks on chatrooms, the honest n open ones [you], the defensive ones who treat their online persona as themselves, and outright liars.... starting to feel like I'd know you in the street.. :)
NOTE*** Set Albert up as a user before you do all that stuff. *****
....looks a lot, doesn't it? But it's straightfwd, almost fun.
There are two imposter smileys in that lot, in place of genuine : )
You cn change settings to direct downloads to that folder, or just direct the first downloads there n the browsers will remember it.
Albert. Yeah....
SP2 - BURN that file!! to a CD, or a thumbdrive... whatever, it would be such a shame to dl the file fer two days on a dialup unny to have it clag on you...
Ok. I did change things around a bit. no more t:/ Temp.
I made it:
C:/ OS 8GB
E:/ ShortStay 5 GB
F:/ Application 6.99 GB
G:/ Long Stay (whatever GB left over) as a logical drive in an extended partition.
NOTE*** Set Albert up as a user before you do all that stuff. *****
You mean my son right? (Duh!) OK, we'll call him Albert. ;o) Whaddaya mean set him up as user? He is set up as owner. That's ok, right?
So under "c:/documents&settings" we have "All Users", "Default User" and "Owner(Albert)".
Do I need to take the folders (App Data, Cookies, Favorites, etc.) from each of these "users" and move 'em? Or Just Owner (albert)? And same for local settings? A bit confusing on this part.
About moving Programs. Should I move WindowsMediaPlayer, MovieMaker, or are those complainers?
Don't use Opera, Firefox. We have and use MSN for browsing and mail. So I just do the same for MSN as for Opera, etc?
Heidi, I get confused by Owner, User, Power User.... I only understand User and Admin....heh... I guess the Owner is just the bloke who entered his name during setup; he starts off as an Admin privileged ac, but can derate that to User as long as there is at least one Admin ac loaded.
So it's not Albert? We can go with Harold. When Harold is up n running, he should only be of User status, and use Run As if he needs to temporarily run as an Admin, or switch user if it is a more involved job. I mean, he got way blown outta the water before by junk, and it still applies that you fly higher if you are logged in as an Admin. Being a user does limit what trojans etc can do....
If Harold is going to be the only user, leave those other profiles alone [- these: "So under "c:/documents&settings" we have "All Users", "Default User""]. Unless he has secret- squirrel stuff anyone else could then use his login.. It is possible to fix things so that if a new account is made then all those changes I suggest are automatically applied, but it's not worth my effort [meaning I haven't done it for my machine - I can whip up those changes in minutes manually]. Default user defines where new directories will be made if another account is created, all users handles shares. Leave em be.
MSN, Moviemaker.....WMP.... Dunno bout MSN cos it is OFF on my machine , but those others do not create user files n histories as they run inside the pgm files folder, so no point moving them. OE does, so you move it, IE does, but won't move happily, so you just move its temp files - problem solved.
Lessee. Missed a point... under that block of reg changes i suggested, I should have said - it is only necessary to change an entry in Shell Folders if it is not present in User Shell Folders. But it won't matter - I haven't bothered figuring out a way to automatically apply all these changes to a new user profile.
When someone logs in the environmental variable %USERPROFILE% is set; I dunno how to even change that behaviour to what I want. So I walk around it.
Clock is ticking, woman. Get onto it... d:) You don't want to be doing this when you could be packing his cases.... Nice work on the reorg of the drives. Told you it wuz easy.
PS get him CCleaner.. set it up as I said earlier...
Changes have to be worth making.. I believe the ones above are it.
We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.