Posted

Can someone help me discover what this System (K: ) is that's appeared on my PC? I can't say for definite when it appeared but I first noticed it about 4-6 weeks ago.

 

There are only 2 folders in it - ImageLayout and Recovery, and the Recovery one is empty. ImageLayout contains 5 files: Boot, EFI, Sources, WIMfiles & BOOTMGR.

 

It has a 5.37 GB capacity of which 4.41 GB is used.

 

My PC has been a bit sluggish recently and I don't know whether it's anything to do with this System K or a coincidence.

Posted
Hi Mokles, going by the folders within System (K) I would surmise this is the Windows recovery partition. As to why you can now see this, have you by chance changed the folder and file options to show hidden files? As you have said the PC is sluggish, could you run the normal scans and post the logs so we can investigate further.

Google is your friend

 

We are all members helping other members. Please return here where you may be able to help someone else. After all, no one knows everything and you may have the answer that someone needs.

Get help with computer problems. Join Free PC Help here

 

Donations are welcome. Read Here

 

 

Posted

Hi Armageddon,

 

If I have changed options to show hidden files, I don't know how or when.:confused:

 

When you say "run the normal scans", what exactly do you mean?

 

Thanks

Posted

Hi Mokles, here are the scans I asked you to run. If you can post the logs with your next reply, our security guys can have a look.

To help us assist you in a quick and efficient way, we need to ask that you run the following programs as a minimum and post the reports as asked for.

If you have problems posting the reports (if they are too big), feel free to add them as attachments.

The reports will give us a good starting point in recognizing any malware/problems with your system.

Also don't forget to inform us of anything you have already tried to remove the malware/problem.

 

Step 1

Please download Malwarebytes Anti-Malware and save it to your desktop.

  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Full Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete, so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (See Note below.)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

 

 

Step 2

  • Download OTL to your desktop.
    Right click on the link and select 'Save Link/Target As'.
    If you have problems, try this download link: OTL
  • Double click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Check the boxes beside LOP Check and Purity Check.

http://img.photobucket.com/albums/v708/starbuck50/new/Otllatest.png

Now copy the lines in bold below.

DRIVES
netsvcs
msconfig
%SYSTEMDRIVE%\*.*
%systemroot%\system32\Spool\prtprocs\w32x86\*.dll
%systemroot%\*. /mp /s
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /lockedfiles
%systemroot%\system32\*.exe /lockedfiles
%systemroot%\System32\config\*.sav
%PROGRAMFILES%\*
%USERPROFILE%\..|smtmp;true;true;true /FP
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
hklm\software\clients\startmenuinternet|command /rs
hklm\software\clients\startmenuinternet|command /64 /rs
CREATERESTOREPOINT

  • Right click in the Custom Scans/Fixes window (under the blue bar) and choose Paste.
    http://img.photobucket.com/albums/v708/starbuck50/new%20forum/scan-fix.png
  • Click the Run Scan button.
    http://img.photobucket.com/albums/v708/starbuck50/runscan.png
  • Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two Notepad windows: OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them with your next reply.

Note:

Running the above script with OTL will:

  • turn on your System Restore and set a new restore point (XP only)
  • set a new restore point (if System Restore is turned on) on Vista & Win7.

In your next reply, please submit:

  • MBAM scan report
  • Both reports from OTL

 

 

Whilst we are helping you, please don't run other programs/scans without our knowledge... it only confuses things.

 

Thanks.


Posted (edited)

Hi Mokles, thanks for those reports. Whilst we take a look at them I'd like you to download and run ListParts, then copy and paste the results please. This will list all partitions, including hidden ones, and their uses.

 

  • Double click ListParts.exe to launch the program.
  • Press the Scan button.
  • When finished scanning it will make a log Result.txt on your Desktop.
  • Please post me the contents of the log.

 

 

 

Dave

Edited by Starbuck


Posted
Hi Mokles, thanks for the ListParts results. It does show that System (K) is your recovery partition. As to why you can see it, I'll wait till the security guys have looked over the OTL logs. I can show you how to hide System (K) so you no longer see it, but since it's the recovery partition I need to know if you've created recovery DVDs first.


Posted

Hi,

 

Yes, I made one when I got the new PC a couple of years ago.

 

Hiding System K isn't going to make a difference to the sluggishness is it?

Posted
Hi Mokles, it's why I asked one of the security guys to look over the reports, to see if anything points to the sluggishness. I'd like the OK from them before I show you how to hide System (K).


Posted

Hi Mokles,

 

When did you install the Virgin Media Security and the Rapport?

Rapport has been known to slow down a lot of systems.

They say that it's compatible with all other types of security... but this is not what we have found in the past.

There are a number of threads on this site where members have complained about it.

It creates so many entries in the reports.

As does Virgin Media Security.

Why they would mix BitDefender and AVG I have no idea.

It's a bit of a mix and match.

I certainly wouldn't use it.

 

As a test you could always uninstall Rapport and see if there is any difference.

It's easy enough to reinstall if no difference is noticed.

 

There are no visible signs of malware in the reports, but there are a few entries we can cleanup.

 

Double click on OTL to run it.

Copy the lines in the codebox below (make sure that :Otl is on the first line).

:Otl
DRV - (StarOpen) --  File not found
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
MsConfig - StartUpReg: AppleSyncNotifier - hkey= - key= -  File not found
MsConfig - StartUpReg: LXCQCATS - hkey= - key= -  File not found
MsConfig - StartUpReg: MyTomTomSA.exe - hkey= - key= -  File not found
MsConfig - StartUpReg: TomTomHOME.exe - hkey= - key= -  File not found

:Files
ipconfig /flushdns /c

:commands
[emptytemp]
[purity]
[RESETHOSTS]


  • Return to OTL.
  • Right click in the Custom Scans/Fixes window (under the blue bar) and choose Paste.
    http://img.photobucket.com/albums/v708/starbuck50/new%20forum/scan-fix.png
  • Click the red Run Fix button.
    http://img.photobucket.com/albums/v708/starbuck50/runfixbutton.png
  • OTL will reboot your system once the fix has completed.
  • After the reboot, you may need to double click OTL to launch the program and retrieve the log.

 

Copy and paste the contents of the OTL log that comes up after the fix in your next reply.

 

If you lose the report, there will be a copy here:

C:\_OTL\MovedFiles

 

Thanks.

Member of:

UNITE
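The fix above ends with [RESETHOSTS], which replaces the hosts file with the default. Before discarding it, it is worth seeing what was in it, because the hosts file is consulted before DNS and a stray line can silently send a hostname to a different address. The script below is an added example for this thread, not OTL's code or Starbuck's; it assumes PowerShell 3 or later, the sample hosts content is constructed for the example, and the path in the commented call is the one OTL moved aside in the log later in this thread.

```powershell
# Added example (not from the thread or from OTL): list hosts-file entries that are
# anything other than the default loopback 'localhost' mappings, so a reviewer can
# see what [RESETHOSTS] is about to throw away.
# The sample below is constructed for this example; pass -Path to read the live file.

$SampleHosts = @'
# Copyright (c) 1993-2009 Microsoft Corp.
#
# localhost name resolution is handled within DNS itself.
#    127.0.0.1       localhost
#    ::1             localhost
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example-tracker.test      # constructed: typical ad-blocking entry
10.0.0.5        intranet.corp.test            # constructed: internal name
'@

function Get-HostsEntries {
    # Parse hosts-file lines into address + hostnames, ignoring comments and blank lines.
    param([Parameter(Mandatory)][string[]]$Lines)
    foreach ($line in $Lines) {
        $active = ($line -split '#', 2)[0].Trim()    # drop anything after a '#'
        if (-not $active) { continue }
        $fields = $active -split '\s+'
        if ($fields.Count -lt 2) { continue }        # malformed line: address with no name
        [pscustomobject]@{
            Address   = $fields[0]
            Hostnames = $fields[1..($fields.Count - 1)]
            Raw       = $line
        }
    }
}

function Test-HostsEntryExpected {
    # True only for the default mappings: 127.0.0.1 or ::1 pointing solely at 'localhost'.
    param([Parameter(Mandatory)]$Entry)
    $loopback   = @('127.0.0.1', '::1') -contains $Entry.Address
    $extraNames = @($Entry.Hostnames | Where-Object { $_ -ne 'localhost' })
    return ($loopback -and $extraNames.Count -eq 0)
}

function Get-UnexpectedHostsEntries {
    # Reads -Path if given, otherwise parses the -Lines passed in.
    param([string]$Path, [string[]]$Lines)
    if ($Path) { $Lines = Get-Content -LiteralPath $Path }
    Get-HostsEntries -Lines $Lines | Where-Object { -not (Test-HostsEntryExpected $_) }
}

# Run against the constructed sample: both non-localhost lines are reported.
Get-UnexpectedHostsEntries -Lines ($SampleHosts -split "`r?`n") |
    Format-Table Address, @{ n = 'Hostnames'; e = { $_.Hostnames -join ' ' } }, Raw -AutoSize

# Against the real file (the one OTL moves aside when it resets it):
# Get-UnexpectedHostsEntries -Path "$env:SystemRoot\System32\drivers\etc\hosts"
```

Entries such as the 0.0.0.0 ad-blocking line are legitimate and will be lost by a reset, so the list doubles as a record of what to put back afterwards; any line that points an unexpected name at an unexpected address is the thing to look at before the fix runs.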

Posted

Hi Starbuck,

 

I've done that and here is the log.

 

All processes killed
========== OTL ==========
Service StarOpen stopped successfully!
Service StarOpen deleted successfully!
File File not found not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\Locked deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F}\ not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\WebCheck deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\StartUpReg\AppleSyncNotifier\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\StartUpReg\LXCQCATS\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\StartUpReg\MyTomTomSA.exe\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\StartUpReg\TomTomHOME.exe\ deleted successfully.
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Users\Moira\Desktop\cmd.bat deleted successfully.
C:\Users\Moira\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 56468 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Guest
->Temp folder emptied: 70602081 bytes
->Temporary Internet Files folder emptied: 69610765 bytes
->FireFox cache emptied: 75147593 bytes
->Flash cache emptied: 506 bytes

User: Jeff
->Temp folder emptied: 178113065 bytes
->Temporary Internet Files folder emptied: 36816984 bytes
->FireFox cache emptied: 74737427 bytes
->Apple Safari cache emptied: 4406272 bytes
->Flash cache emptied: 56996 bytes

User: LocalService

User: Matthew

User: Moira
->Temp folder emptied: 438792227 bytes
->Temporary Internet Files folder emptied: 41355581 bytes
->FireFox cache emptied: 747896502 bytes
->Apple Safari cache emptied: 0 bytes
->Flash cache emptied: 133957 bytes

User: NetworkService

User: Public

User: Ryan

User: User

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 281624757 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 1,926.00 mb

C:\Windows\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

OTL by OldTimer - Version 3.2.69.0 log created on 10162012_224227

Files\Folders moved on Reboot...
C:\Windows\temp\ZKT{0853FE3C-5C7A-4041-B15C-F039B8100AA0}.tmp moved successfully.

PendingFileRenameOperations files...

Registry entries deleted on Reboot...

I've had Virgin Media Security as long as I've had the PC and I think Rapport for that long too. I may try uninstalling Rapport as you suggest.

 

Thanks.

Posted

Hi Mokles

 

Total Files Cleaned = 1,926.00 mb

Your temp files certainly needed a good clear out. :)

 

I may try uninstalling Rapport as you suggest.

Like i said earlier, if it doesn't make any difference it's easy to reinstall.


Posted

Hi and thanks. :)

 

I'm going to see how it goes before I uninstall Rapport, as so far this morning it does seem better.

 

I would still like to hide system K though.

Posted

Hi Mokles, here's how to hide (K):

How to Hide or Dismount a Partition in Windows

When you hide (dismount) a partition in Windows (any version), the setting you made is remembered until you manually unhide (mount) that partition. The partition will be invisible to all the user accounts defined on that operating system and will continue to exist with its content intact. If you have other operating systems installed on the same computer, for which the partition is not hidden, the user accounts defined on those operating systems will be able to use the partition.

Hiding (Dismounting) the Partition from Disk Management

First, you need to open Disk Management or Computer Management and access the Disk Management section. We showed how to do this in an older tutorial: How to Manage Your Disks using the Disk Management Utility.

There you can see a list with all the partitions existing in your computer.

http://www.7tutorials.com/files/img/disk_mng_hide_part/hp1.png

Right click on the partition you want to hide (dismount) and select "Change Drive Letter and Paths".

http://www.7tutorials.com/files/img/disk_mng_hide_part/hp2.png

In the "Change Drive Letter and Paths" window, click on the Remove button.

http://www.7tutorials.com/files/img/disk_mng_hide_part/hp3.png

You are asked to confirm the removal of the drive letter. Click Yes.

http://www.7tutorials.com/files/img/disk_mng_hide_part/hp4.png

NOTE: If there are open applications using files from the partition, you are warned that the drive is in use. Make sure you close all the applications that might be using files from that partition and then click Yes, to continue the drive letter removal operation.

http://www.7tutorials.com/files/img/disk_mng_hide_part/hp5.png

The partition is now hidden (dismounted) and it is no longer accessible from the operating system you are currently using. Windows will remember the setting you just made at each login, and the partition will not be available to users unless you choose to unhide (mount) it.

 

Hope this helps

 

Dave
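The same two steps the thread walks through, listing partitions with ListParts to confirm that (K) is the recovery partition and then removing its drive letter in Disk Management, can be done from an elevated PowerShell prompt. The script below is an added example, not code from the thread, from ListParts or from the tutorial above; it assumes the Storage module (Windows 8 / Server 2012 or later), and the function names Get-PartitionReport, Hide-PartitionByLetter and Show-PartitionByLetter are this example's own. On Windows 7, where those cmdlets do not exist, diskpart's "select volume <n>" followed by "remove letter=K" is the equivalent of the Remove step.

```powershell
# Added example (not from the thread): report every partition, then remove the drive
# letter only from a partition Windows itself reports as type 'Recovery'. Removing the
# access path is what Disk Management's "Change Drive Letter and Paths -> Remove" does;
# the data on the partition is untouched. Run from an elevated session.

function Get-PartitionReport {
    # One object per partition: where it lives, its letter, type, label, size and use.
    foreach ($part in Get-Partition) {
        $vol = $part | Get-Volume -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Disk      = $part.DiskNumber
            Partition = $part.PartitionNumber
            Letter    = $part.DriveLetter
            Type      = $part.Type      # GPT: Recovery / System / Basic / Reserved; MBR: IFS, FAT32, ...
            Hidden    = $part.IsHidden
            Label     = if ($vol) { $vol.FileSystemLabel } else { $null }
            SizeGB    = [math]::Round($part.Size / 1GB, 2)
            UsedGB    = if ($vol) { [math]::Round(($vol.Size - $vol.SizeRemaining) / 1GB, 2) } else { $null }
        }
    }
}

function Hide-PartitionByLetter {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][ValidatePattern('^[A-Za-z]$')][string]$Letter,
        # MBR disks report the file system (e.g. IFS) rather than 'Recovery'; use -Force
        # only once a tool such as ListParts has confirmed which partition this is.
        [switch]$Force
    )
    $Letter = $Letter.ToUpper()
    $part = Get-Partition -DriveLetter $Letter -ErrorAction Stop

    # Safety check: refuse to touch anything that is not flagged as a recovery partition.
    if (-not $Force -and $part.Type -ne 'Recovery') {
        throw "Partition ${Letter}: is reported as type '$($part.Type)', not 'Recovery'; re-run with -Force only if you have confirmed what it is."
    }

    if ($PSCmdlet.ShouldProcess("${Letter}:", 'Remove drive letter')) {
        $part | Remove-PartitionAccessPath -AccessPath "${Letter}:\"
    }
    # Return the partition as it now stands (DriveLetter should be empty).
    Get-Partition -DiskNumber $part.DiskNumber -PartitionNumber $part.PartitionNumber
}

function Show-PartitionByLetter {
    # Reverse operation: give the partition a letter again (Disk Management's "Add").
    param(
        [Parameter(Mandatory)][int]$DiskNumber,
        [Parameter(Mandatory)][int]$PartitionNumber,
        [Parameter(Mandatory)][ValidatePattern('^[A-Za-z]$')][string]$Letter
    )
    Get-Partition -DiskNumber $DiskNumber -PartitionNumber $PartitionNumber |
        Add-PartitionAccessPath -AccessPath "$($Letter.ToUpper()):\"
}

# Usage: review first, then hide. -WhatIf shows the action without changing anything.
Get-PartitionReport | Format-Table -AutoSize
# Hide-PartitionByLetter -Letter K -WhatIf
# Hide-PartitionByLetter -Letter K
```

Note the disk and partition numbers from the report before hiding, because once the letter is gone they are the only way to address the partition again with Show-PartitionByLetter. As the thread says, this only changes visibility; it has no bearing on the sluggishness, and the recovery partition should stay intact unless recovery media already exist.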


Posted
Thanks - that worked fine. I think I've identified one of the causes of the sluggishness. It seems to begin when my daily backup starts. I'm sure it never used to be like this - any ideas? :confused:
