
Posted

Starbuck, this OTL log opened when the laptop restarted, so I presume it's the correct one.

Regards Jontye.

 

All processes killed

========== OTL ==========

Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\\ deleted successfully.

Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\\{4FBACD73-F67C-42AE-B46A-03960AFE3DFB} deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4FBACD73-F67C-42AE-B46A-03960AFE3DFB}\ not found.

Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\\{ebd898f8-fcf6-4694-bc3b-eabc7271eeb1} deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{ebd898f8-fcf6-4694-bc3b-eabc7271eeb1}\ not found.

Folder C:\ProgramData\ShoppingChip\ not found.

C:\ProgramData\92b0c55cfad394f4 folder moved successfully.

Folder C:\Program Files\ShoppingChip\ not found.

C:\Users\John\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\hecgaagphfglfafllaigbknfblfhbbni\1.1 folder moved successfully.

C:\Users\John\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\hecgaagphfglfafllaigbknfblfhbbni folder moved successfully.

C:\Users\John\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\gamkofkinkpkbehlcnejljdoddjkmmmd\1.1 folder moved successfully.

C:\Users\John\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\gamkofkinkpkbehlcnejljdoddjkmmmd folder moved successfully.

C:\Users\John\AppData\Local\Comodo\Dragon\User Data\Default\Extensions folder moved successfully.

C:\Users\John\AppData\Local\Comodo\Dragon\User Data\Default folder moved successfully.

C:\Users\John\AppData\Local\Comodo\Dragon\User Data folder moved successfully.

C:\Users\John\AppData\Local\Comodo\Dragon folder moved successfully.

C:\Users\John\AppData\Local\Comodo folder moved successfully.

File C:\Windows\tasks\couponsupport-S-649636217.job not found.

========== COMMANDS ==========

 

[EMPTYTEMP]

 

User: Administrator

 

User: All Users

 

User: ASPNET

 

User: Default

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

 

User: Default User

 

User: Guest

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

 

User: John

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 48826954 bytes

->Java cache emptied: 0 bytes

->FireFox cache emptied: 0 bytes

->Google Chrome cache emptied: 0 bytes

->Flash cache emptied: 683 bytes

 

User: Public

 

%systemdrive% .tmp files removed: 0 bytes

%systemroot% .tmp files removed: 0 bytes

%systemroot%\System32 .tmp files removed: 0 bytes

%systemroot%\System32\drivers .tmp files removed: 0 bytes

Windows Temp folder emptied: 2588 bytes

RecycleBin emptied: 0 bytes

 

Total Files Cleaned = 47.00 mb

 

 

OTL by OldTimer - Version 3.2.69.0 log created on 01162014_221627

Files\Folders moved on Reboot...

C:\Users\John\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\W4Z5PXEQ\hub[1].htm moved successfully.

C:\Users\John\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\W4Z5PXEQ\like[1].htm moved successfully.

C:\Users\John\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\W4Z5PXEQ\sh143[1].htm moved successfully.

C:\Users\John\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\Q203E9FS\137fe397a87[1] moved successfully.

C:\Users\John\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\Q203E9FS\MTP_ySUJH_bn48VBG8sNSoM1ygXM8I716iU3CHRQUAk[1].eot moved successfully.

C:\Users\John\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\Q203E9FS\page4[1].htm moved successfully.

C:\Users\John\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\Q203E9FS\tweet_button.1387492107[1].htm moved successfully.

C:\Users\John\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\ENA6JTND\DXI1ORHCpsQm3Vp6mXoaTYM1ygXM8I716iU3CHRQUAk[1].eot moved successfully.

C:\Users\John\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\ENA6JTND\RjgO7rYTmqiVp7vzi-Q5UfY6323mHUZFJMgTvxaG2iE[1].eot moved successfully.

C:\Users\John\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\ENA6JTND\xd_arbiter[1].htm moved successfully.

C:\Users\John\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1VVEWYBQ\hub[1].htm moved successfully.

C:\Users\John\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1VVEWYBQ\pinit017[1].htm moved successfully.

C:\Users\John\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1VVEWYBQ\xd_arbiter[2].htm moved successfully.

C:\Users\John\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\AntiPhishing\ED8654D5-B9F0-4DD9-B3E8-F8F560086FDF.dat moved successfully.

C:\Users\John\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\MSIMGSIZ.DAT moved successfully.

PendingFileRenameOperations files...

Registry entries deleted on Reboot...

  • ExTS Admin
Posted

Hi jontye

 

so I presume it's the correct one.

Yes, thanks.

 

Looks good now.

I think it's safe to say that the infections you picked up were carried over from the image you used.

Obviously that image isn't safe to use again.

 

I'll finish off the cleaning process and hand you back to Ken and Nev.

They may have further instructions regarding the image.

 

Step 1

Restart MBAM.

Click on the Quarantine tab

 

http://img.photobucket.com/albums/v708/starbuck50/malwqua_zps3f437f52.png

 

If there are items in quarantine.....

Make sure everything is selected and then click Delete All.

Close MBAM.

 

 

Step 2

Double click on AdwCleaner.exe to run the tool again.

  • Click on the Uninstall button.
  • Click Yes when asked are you sure you want to uninstall.
  • AdwCleaner.exe, its folder and all logs will be removed.

 

JRT can now be removed also.

 

 

Step 3

  • Please right-click on OTL to run it.
  • You should see a CleanUp! button, press that button,
     
    http://img.photobucket.com/albums/v708/starbuck50/cleanupbutton.png
     
  • This will clean up an assortment of tools used during malware removal, plus itself.

 

Note:

MBAM will not be removed if installed.

 

 

Step 4

Now you should Set a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools cannot access it to delete these bad files, which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll back" to a clean working state.

 

The easiest and safest way to do this is:

  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the Restore Point a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then go to Start > Run and type: Cleanmgr
  • Click "OK".
  • Select the drive for cleaning then click OK (usually 'C' drive)
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.

Member of:

UNITE

Posted
...finish off the cleaning process and hand you back to Ken and Nev.

Thanks Starbuck :)

 

jontye

 

As Starbuck says, the problems that you experienced were transferred to your new hard drive from the old one.

You produced a clone (a direct copy), not an image (which is like a huge zip file).

 

There is nothing left to do on the new hard drive if Starbuck has completed his work :)

 

I would be inclined to format the old hard drive and use it for extra storage.

Consider creating an image of the new hard drive - just in case.

There is an email going around offering processed pork - gelatin - and salt in a can ......this is simply SPAM !!

 

MiniToolBox

Network Test

Wireless Test

Posted

Hi Ken, so how do I go about formatting the old hard drive and creating an image of the new hard drive?

Regards Jontye :roll:

Posted

Hi

 

If the hard drive is compatible with the enclosure - put it in and connect up to the USB port.

The drive should show up in Computer.

Go to Disk Management again (Start > diskmgmt.msc).

Right click on the external drive; it should give you the option to "format" here.

The file system that you should select (if prompted) is NTFS.

 

Before you format make sure that there is nothing on the drive that you want as you will not be able to retrieve it once the drive is formatted.


Posted

You can use this as you would a memory stick.

 

===================

 

I will let Nev talk you through the imaging, as the M-Reflect software I used was older than the version Nev used.

 

The tutorial I wrote is here - click here

 

You will need to produce a rescue CD - this is explained in the second tutorial - click here

 

Things may be a little different with the newer software.


Posted

Hi, although the software is newer, there hasn't been much changed in the way you use it, so Ken's tutorial should see you through OK.

I will only add that, for the rescue disk that should be made and kept safe, I do recommend making the Windows PE environment disk. It does take longer to do than the Linux disk, but it is worth the time taken, as it is a better disk and it is easier to follow the instructions which come with it, if and when it is needed.

 

Nev.

 

Need help with your computer problems? Then why not join Free PC Help. Register

here

 

If Free PC Help has helped you then please consider a donation. Click here

 

We are all members helping other members.

Please return here where you may be able to help someone else.

After all, no one knows everything and you may have the answer that someone needs.

 

 

 

--------------------------------------------------------------------

I have installed Windows, now how do I install the curtains? :D

http://i7.photobucket.com/albums/y282/plasticpig/Nev2.gif

Posted
Hi Ken, just tried to download 'Macrium Reflect' via your tutorial page and got zapped by Mobogenie, Mysearch Dial, Pdf Reader, Update for Pdf Reader and Wajam, which all downloaded and installed onto my system. I did not switch off any of my security and followed the download instructions. I've uninstalled them all from the Control Panel, but Mysearch Dial opened up as my home page in IE. I have changed this back to the original page, but I think that it is still somewhere in my system. Help!!!
Posted

Hi jontye

 

Sorry to hear that.

I have just downloaded the reflectdl.exe file and scanned it - nothing.

 

I can only assume that the problems arise when this .exe file is run.

 

Download MBAM from here - click here - update it - run it.

( The FREE version )

Let MBAM delete everything it finds.

 

It will produce a log. Copy this please and post it here.


Posted

Hi Ken, I already have MBAM from my dealings with Starbuck; I updated it, and the result of the scan is here:

 

Malwarebytes Anti-Malware 1.75.0.1300

www.malwarebytes.org

Database version: v2014.01.19.05

Windows Vista Service Pack 2 x86 NTFS

Internet Explorer 9.0.8112.16421

John :: JOHN-PC [administrator]

19/01/2014 18:31:28

MBAM-log-2014-01-19 (18-46-54).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 238885

Time elapsed: 9 minute(s), 43 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 1

C:\Users\John\AppData\Roaming\newnext.me\nengine.dll (PUP.Optional.NextLive.A) -> No action taken.

Registry Keys Detected: 8

HKCR\AppID\{D616A4A2-7B38-4DBC-9093-6FE7A4A21B17} (PUP.Optional.Wajam.A) -> No action taken.

HKCR\CLSID\{D40753C7-8A59-4C1F-BE88-C300F4624D5B} (PUP.Optional.MySearchDial.A) -> No action taken.

HKCR\TypeLib\{C292AD0A-C11F-479B-B8DB-743E72D283B0} (PUP.Optional.MySearchDial.A) -> No action taken.

HKCR\CLSID\{E5A7A645-8318-4895-B85C-EDC606B80DB6} (PUP.Optional.DynConIE.A) -> No action taken.

HKCU\Software\Google\Chrome\Extensions\pflphaooapbgpeakohlggbpidpppgdff (PUP.Optional.MySearchDial.A) -> No action taken.

HKCU\Software\InstallCore\1I1T1Q1S (PUP.Optional.InstallCore.A) -> No action taken.

HKCU\SOFTWARE\INSTALLCORE (PUP.Optional.InstallCore.A) -> No action taken.

HKLM\SOFTWARE\Google\Chrome\Extensions\pflphaooapbgpeakohlggbpidpppgdff (PUP.Optional.MySearchDial.A) -> No action taken.

Registry Values Detected: 2

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|NextLive (PUP.Optional.NextLive.A) -> Data: C:\Windows\system32\rundll32.exe "C:\Users\John\AppData\Roaming\newnext.me\nengine.dll",EntryPoint -m l -> No action taken.

HKCU\Software\InstallCore|tb (PUP.Optional.InstallCore.A) -> Data: 0H1L1J1L1S1R1N -> No action taken.

Registry Data Items Detected: 1

HKLM\SOFTWARE\Microsoft\Internet Explorer\Main|Start Page (PUP.Optional.MySearchDial.A) -> Bad: (http://start.mysearchdial.com/?f=1&a=dsites0101&cd=2XzuyEtN2Y1L1QzutDtDtCzy0D0BtD0FtC0BzyyDyB0AyDyCtN0D0Tzu0SyByDtDtN1L2XzutBtFtBtFtCyDtFtCyDzytBtN1L1CzutDzytDtCtG1T&cr=1706276910&ir=) Good: (http://www.google.com) -> No action taken.

Folders Detected: 2

C:\Users\John\AppData\Roaming\newnext.me (PUP.Optional.NextLive.A) -> No action taken.

C:\Users\John\AppData\Roaming\newnext.me\cache (PUP.Optional.NextLive.A) -> No action taken.

Files Detected: 9

C:\Users\John\AppData\Local\Temp\is357113909\109620883_stp\Mysearchdial.exe (PUP.Optional.MySearchDial.A) -> No action taken.

C:\Users\John\AppData\Local\Temp\is357113909\109620976_stp\wajam_download.exe (PUP.Optional.Wajam) -> No action taken.

C:\Users\John\Local Settings\Temporary Internet Files\Content.IE5\4T1Z8F2H\InstallConverter_TSV428JXR.exe (PUP.Optional.Conduit.A) -> No action taken.

C:\Users\John\Local Settings\Temporary Internet Files\Content.IE5\4T1Z8F2H\wajam_install[1].exe (PUP.Optional.Wajam) -> No action taken.

C:\Users\John\AppData\Local\mysearchdial-speeddial.crx (PUP.Optional.MySearchDial.A) -> No action taken.

C:\Users\John\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_pflphaooapbgpeakohlggbpidpppgdff_0.localstorage (PUP.Optional.FunMoods.A) -> No action taken.

C:\Users\John\AppData\Roaming\newnext.me\nengine.dll (PUP.Optional.NextLive.A) -> No action taken.

C:\Users\John\AppData\Roaming\newnext.me\nengine.cookie (PUP.Optional.NextLive.A) -> No action taken.

C:\Users\John\AppData\Roaming\newnext.me\cache\spark.bin (PUP.Optional.NextLive.A) -> No action taken.

(end)
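The log above records not just what was found but how it persists: a Run-key value that starts rundll32.exe with a DLL under the user's AppData, the same DLL already loaded into a process, and a rewritten IE start page. As an added example (not code from this forum or from Malwarebytes), the following Python script parses the MBAM 1.x log layout and flags exactly those items, so a responder can see the persistence mechanism and the hijacked page before clicking "Delete All". The section and item patterns are my own reading of the log lines shown above, not a published format specification; the USER_WRITABLE list is an assumption for this example, and SAMPLE_LOG is a trimmed copy of the detections posted above.

```python
"""Triage a Malwarebytes Anti-Malware 1.x text log (added example, not forum or vendor code).

The 1.x log groups detections under "<Section> Detected: N" headers, one detection per
line in the form "<target> (<family>) -> <action>". This script parses that layout and
flags what a responder checks before deleting everything: the PUP families present,
Run-key values that execute code from a user-writable path, DLLs already mapped into a
process from such a path, and the replaced browser start page.
"""
import re
from collections import Counter
from urllib.parse import urlparse

SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+?) Detected: (?P<count>\d+)$")
ITEM_RE = re.compile(r"^(?P<target>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+)$")
# Directories a non-admin user (or an installer running as that user) can write to.
# Assumed list for this example; extend it for your own environment.
USER_WRITABLE = ("\\appdata\\", "\\programdata\\", "\\temp\\", "\\users\\public\\")

# Trimmed copy of the detections from the log posted above (constructed sample input).
SAMPLE_LOG = r"""
Memory Modules Detected: 1
C:\Users\John\AppData\Roaming\newnext.me\nengine.dll (PUP.Optional.NextLive.A) -> No action taken.
Registry Keys Detected: 3
HKCR\AppID\{D616A4A2-7B38-4DBC-9093-6FE7A4A21B17} (PUP.Optional.Wajam.A) -> No action taken.
HKCU\Software\Google\Chrome\Extensions\pflphaooapbgpeakohlggbpidpppgdff (PUP.Optional.MySearchDial.A) -> No action taken.
HKCU\SOFTWARE\INSTALLCORE (PUP.Optional.InstallCore.A) -> No action taken.
Registry Values Detected: 2
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|NextLive (PUP.Optional.NextLive.A) -> Data: C:\Windows\system32\rundll32.exe "C:\Users\John\AppData\Roaming\newnext.me\nengine.dll",EntryPoint -m l -> No action taken.
HKCU\Software\InstallCore|tb (PUP.Optional.InstallCore.A) -> Data: 0H1L1J1L1S1R1N -> No action taken.
Registry Data Items Detected: 1
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main|Start Page (PUP.Optional.MySearchDial.A) -> Bad: (http://start.mysearchdial.com/?f=1&a=dsites0101) Good: (http://www.google.com) -> No action taken.
Files Detected: 2
C:\Users\John\AppData\Local\Temp\is357113909\109620976_stp\wajam_download.exe (PUP.Optional.Wajam) -> No action taken.
C:\Users\John\AppData\Roaming\newnext.me\nengine.dll (PUP.Optional.NextLive.A) -> No action taken.
(end)
"""


def parse_mbam_log(text):
    """Return one dict per detection line: section, target, family, action."""
    items, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")
            continue
        m = ITEM_RE.match(line)
        if m and section:
            items.append({"section": section, **m.groupdict()})
    return items


def family_name(family):
    """'PUP.Optional.NextLive.A' -> 'NextLive'; 'PUP.Optional.Wajam' -> 'Wajam'."""
    parts = family.split(".")
    return parts[2] if len(parts) >= 3 else family


def in_user_writable(path):
    """True if the path (or command line) references a user-writable directory."""
    return any(marker in path.lower() for marker in USER_WRITABLE)


def triage(items):
    """Summarise parsed detections into the facts that drive the cleanup decision."""
    report = {"families": Counter(), "persistence": [],
              "user_writable_modules": [], "start_page": None}
    for it in items:
        report["families"][family_name(it["family"])] += 1
        # Run-key value: the "Data:" part is the command executed at every logon.
        if it["section"] == "Registry Values" and "\\run|" in it["target"].lower():
            cmd = it["action"].split("Data: ", 1)[-1].rsplit(" -> ", 1)[0]
            report["persistence"].append({"key": it["target"], "command": cmd,
                                          "user_writable": in_user_writable(cmd)})
        # A DLL already loaded into a running process from a user-writable directory.
        if it["section"] == "Memory Modules" and in_user_writable(it["target"]):
            report["user_writable_modules"].append(it["target"])
        # Hijacked IE start page: MBAM records it as "Bad: (url) Good: (url)".
        if it["target"].endswith("|Start Page"):
            m = re.search(r"Bad: \((\S+?)\)", it["action"])
            if m:
                report["start_page"] = urlparse(m.group(1)).hostname
    return report


if __name__ == "__main__":
    rep = triage(parse_mbam_log(SAMPLE_LOG))
    print("families:", dict(rep["families"]))
    for p in rep["persistence"]:
        flag = " [loads from user-writable path]" if p["user_writable"] else ""
        print("persistence:", p["key"], "=>", p["command"] + flag)
    print("modules loaded from user-writable paths:", rep["user_writable_modules"])
    print("start page hijacked to:", rep["start_page"])
```

The Run value is the detail worth noticing: rundll32.exe is a legitimate signed Windows binary, so the thing to remove is the DLL under AppData that it is told to load at logon. Removing only the registry value leaves the DLL on disk, and removing only the DLL leaves a dangling Run entry, which is why MBAM lists the same nengine.dll under Memory Modules, Files and Registry Values and why all of them should be cleaned together.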

  • ExTS Admin
Posted
I can only assume that the problems arise when this .exe file is run.

No, the problem isn't with the reflect exe file.

I've just added the program to my Win8 system:

 

Malwarebytes Anti-Malware 1.75.0.1300

http://www.malwarebytes.org

 

Database version: v2014.01.19.05

 

Windows 8 x86 NTFS

Internet Explorer 11.0.9431.228

Peter :: STARBUCK-TEST [administrator]

 

19/01/2014 19:27:06

mbam-log-2014-01-19 (19-27-06).txt

 

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 219413

Time elapsed: 5 minute(s), 1 second(s)

 

Memory Processes Detected: 0

(No malicious items detected)

 

Memory Modules Detected: 0

(No malicious items detected)

 

Registry Keys Detected: 0

(No malicious items detected)

 

Registry Values Detected: 0

(No malicious items detected)

 

Registry Data Items Detected: 0

(No malicious items detected)

 

Folders Detected: 0

(No malicious items detected)

 

Files Detected: 0

(No malicious items detected)

 

(end)

 

Install was clean.

That said..... this program needs checking out before we recommend it.

Download page says..... 2.19Mb download:

http://imagizer.imageshack.us/v2/800x600q90/513/jsoy.png

 

Actual is...396.1Mb :

http://imagizer.imageshack.us/v2/800x600q90/46/d1or.png

 

Seems a slight discrepancy there.


Posted

Hi Starbuck

 

Download page says..... 2.19Mb download:

The reflectdl.exe file is in fact 2.19Mb after I downloaded it.

 

This, as far as I understand, controls the downloading of the selected / correct option for the individual machine.

click here

 

Basically there are 2 downloads.


Posted

The first download is a typical download manager; a lot of software vendors are using them now. You download the manager (hence the small file), the manager installs itself, then in turn downloads the main, much larger software package.

Rather strange, though, where all those PUPs came from for Jontye.

 

Nev.

 


Posted

Hi Nev, Ken & Starbuck, I've downloaded the Macrium Reflect programme via the Major Geek link which I used earlier in the thread, and it seems to have worked without any problems. Is it advisable to scan again with MBAM?

Jontye.

Posted

Might be a silly question here, but the original version of Macrium Reflect you first downloaded to make the clone, unless you uninstalled it, should still be on the system. Is it?

 

If it is, now you have installed a newer version, it would probably be best to find and uninstall the earlier version then there is no chance of confusion arising from it.

 

Nev.

 


Posted

Hi Ken, I have created an 'Image' on the drive and completed the Rescue Disk. I had a problem with the Rescue Disk in so much as it would not write onto a CD-R disc, which was brand new, so I've bought some CD-RW discs this afternoon and at the second attempt succeeded in writing the Rescue Disk. How can I check that the disc has transferred the information correctly?

Jontye.

  • 2 weeks later...
Posted

Sorry jontye - we seem to have missed your last post :(

 

Is your system OK now?

 

You should have had an option to "Verify" the image - did you do this ?


  • 4 weeks later...
Posted

Hi Ken, bit of a late reply to your last post on 31/1/14, I've been away.

My system is working fine, thank you. I can't recall seeing an option to 'Verify' the image; I assume that this is what is needed, to make sure everything backed up correctly.

How can I do this now?

Way back through my posts I mentioned being unable to download/install a version of MS Money. I solved the problem and, when I can lay my hands on the notes I made, I will post the information.

Regards Jontye.

Posted
I can't recall seeing an option to 'Verify' the image... How can I do this now?

I'm not sure that this is an option after the image has been saved.

I will ask Nev to see if he has an answer to this one :)

