Don't know what it is: .ghost-ntfs-3g-00000000000000000009

As suggested in this thread, I wanted to check my system just to make sure, even though none of the scanners I’ve used are reporting anything as infected… Found a weird file named .ghost-ntfs-3g-00000000000000000009 under my user directory (just happened to see it, it wasn’t detected by Avast or MBAM or anything). I contacted Microsoft support a few days ago and without even looking at the file or anything, the tech said it was adware. He ran a HitManPro scan (I let him remotely access my computer, which I wouldn’t have done had I known all he was going to do was something I could’ve done myself)… and all it showed was two tracking cookies (kontera.com & ads.servebom.com), which were deleted I guess. I didn’t want to pay $90 for him to “fix it” since I didn’t believe him that it was necessary (well, mostly just didn’t want to pay $90).

FYI, I put the weird ghost file on a thumb drive and removed it from my computer. I don’t know if that was the right thing to do or not? Hopefully the logs will still show if there was/is an infection even though the file is no longer on my computer?

As for actual noticeable issues on my computer, I don’t think there are many that I physically see or encounter? Maybe it doesn’t matter since all the info you might need is probably in the logs I’m about to attach, but I also posted a bit of a backstory of something that happened with my recent Avast update, in case there’s a connection or anything: https://forum.avast.com/index.php?topic=169887.msg1221301#msg1221301. The only other strange thing I can think of is that when I start-up my computer, the desktop icons reload for some reason (they show like normal, then a few seconds later turn to white/default icons and then back to normal again). That has been happening for a long time, but I don’t know when exactly I got this weird “ghost-ntfs-3g” file so can’t say if the icon reload issue started at the same time or not.

Thank you in advance for checking these logs out to see what you think! Also, FYI, I see some stuff in the log about corruption in the file structure… sfc /scannow was showing corruption that couldn’t be fixed a few days ago (1st time I had run sfc /scannow in over a year), but I figured out it was just because of a Windows Update that was showing false corruption. I applied a fix someone made for it from here, and then sfc /scannow was showing no corruption. However, the date for the corruption shown in the Addition.txt log says today’s date, so I don’t know if there’s new corruption now or what.

Maybe not related, but when I just visited a Microsoft support page located at https://www.microsoft.com/security/scanner/en-us/default.aspx, the page was all screwed up and flashing/moving, etc. This is the first website that has done something weird, do you think that is a symptom of some kind of infection? I took a screen capture video of it and uploaded to tinypic, hope that works (never used tinypic before and I always disable flash so I actually can’t see the video myself): http://tinypic.com/r/sz98ra/8

Hello

Scan with ZOEK

Please download ZOEK by Smeenk and save it to your desktop (preferred version is the *.exe one)
Temporarily disable your AntiVirus and AntiSpyware protection - instructions here.

[*]Right-click on the icon and select Run as Administrator to start the tool.
[*]Wait patiently until the main console appears; it may take a minute or two.
[*]In the main box please paste in the following script:

createsrpoint;
autoclean;
emptyalltemp;
bitsadmin /reset /allusers;b
ipconfig /flushdns;b

[*]Make sure that Scan All Users option is checked.
[*]Push Run Script and wait patiently. The scan may take a couple of minutes.
[*]When the scan completes, a zoek-results logfile should open in notepad.
[*]If a reboot is needed, it will be opened after it. You may also find it at your main drive (usually C:\ drive)

Post its content into your next reply.

Hello, thank you, argus! (Out of curiosity, after I ran that Zoek scan, even though I don’t know what it did, I went back to that same Microsoft page that was acting weird, and now it’s loading completely normal! That’s a good thing, but I hope it doesn’t mean I actually was infected with something this whole time.)

Here is the ZOEK log:

Zoek.exe v5.0.0.0 Updated 04-May-2015
Tool run by Anonymous on Sun 06/07/2015 at 22:33:54.82.
Microsoft Windows 7 Home Premium 6.1.7601 Service Pack 1 x64
Running in: Normal Mode Internet Access Detected
Launched: C:\Users\Anonymous\Desktop\zoek.exe [Scan all users] [Script inserted]

==== System Restore Info ======================

6/7/2015 10:37:48 PM Zoek.exe System Restore Point Created Successfully.

==== Empty Folders Check ======================

C:\Program Files\HitmanPro deleted successfully
C:\PROGRA~3\Malwarebytes’ Anti-Malware (portable) deleted successfully
C:\Users\Anonymous\AppData\Roaming\DisplayTune deleted successfully
C:\Users\Anonymous\AppData\Roaming\IrfanView deleted successfully
C:\Users\Anonymous\AppData\Roaming\Malwarebytes deleted successfully
C:\Users\Anonymous\AppData\Local\CrashDumps deleted successfully

==== Deleting CLSID Registry Keys ======================

==== Deleting CLSID Registry Values ======================

==== Deleting Services ======================

==== Batch Command(s) Run By Tool======================

==== Deleting Files \ Folders ======================

C:\PROGRA~3\Malwarebytes’ Anti-Malware (portable) not found
C:\PROGRA~3\Package Cache deleted
C:\Windows\wininit.ini deleted
C:\Windows\SysNative\config\systemprofile\Searches deleted

==== Firefox Start and Search pages ======================

ProfilePath: C:\Users\Anonymous\AppData\Roaming\Mozilla\Firefox\Profiles\mcnkpyw4.default
user_pref(“browser.search.defaultenginename.US”, “Google”);

==== Firefox Extensions Registry ======================

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Mozilla\Firefox\Extensions]
wrc@avast.com”=“C:\Program Files\AVAST Software\Avast\WebRep\FF” [06/04/2015 03:53 PM]

==== Firefox Extensions ======================

ProfilePath: C:\Users\Anonymous\AppData\Roaming\Mozilla\Firefox\Profiles\mcnkpyw4.default

  • Avast Online Security - C:\Program Files\AVAST Software\Avast\WebRep\FF

AppDir: C:\Program Files (x86)\Mozilla Firefox

  • Default - %AppDir%\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

==== Firefox Plugins ======================

==== Chromium Look ======================

Google Chrome Version: 43.0.2357.81

HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions
gomekmidlodglbbmalcneegieacbdmki - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx[03/11/2015 03:17 AM]

Bookmark Manager - Anonymous\AppData\Local\Google\Chrome\User Data\Default\Extensions\gmlllbghnfkpflemihljekbapjopfjik
Avast Online Security - Anonymous\AppData\Local\Google\Chrome\User Data\Default\Extensions\gomekmidlodglbbmalcneegieacbdmki
Chrome Hotword Shared Module - Anonymous\AppData\Local\Google\Chrome\User Data\Default\Extensions\lccekmodgklaepjeofjdjpbminllajkg

==== Chromium Startpages ======================

C:\Users\Anonymous\AppData\Local\Google\Chrome\User Data\Default\Preferences

==== Set IE to Default ======================

Old Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
“Search Page”=“http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE10SR

New Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
“Start Page”=“http://go.microsoft.com/fwlink/?LinkId=69157

==== All HKCU SearchScopes ======================

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes
“DefaultScope”=“{0633EE93-D776-472f-A0FF-E1416B8B2E3A}”
{012E1000-F331-11DB-8314-0800200C9A66} Google Url=“http://www.google.com/search?q={searchTerms}
{0633EE93-D776-472f-A0FF-E1416B8B2E3A} Bing Url=“http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
{F9641C53-3959-4B3B-AEAA-0828E170359D} Unknown Url=“Not_Found”

==== Deleting CLSID Registry Keys ======================

HKEY_USERS\S-1-5-21-3836965969-56342752-2157042032-1001\Software\Microsoft\Internet Explorer\SearchScopes\{F9641C53-3959-4B3B-AEAA-0828E170359D} deleted successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{F9641C53-3959-4B3B-AEAA-0828E170359D} deleted successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{F9641C53-3959-4B3B-AEAA-0828E170359D} deleted successfully

==== Deleting CLSID Registry Values ======================

==== Empty IE Cache ======================

C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Users\Anonymous\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Users\Anonymous\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5 emptied successfully
C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Windows\sysWoW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Windows\sysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully

==== Empty FireFox Cache ======================

C:\Users\Anonymous\AppData\Local\Mozilla\Firefox\Profiles\mcnkpyw4.default\cache2 emptied successfully

==== Empty Chrome Cache ======================

C:\Users\Anonymous\AppData\Local\Google\Chrome\User Data\Default\Cache emptied successfully

==== Empty All Flash Cache ======================

Flash Cache Emptied Successfully

==== Empty All Java Cache ======================

No Java Cache Found

==== C:\zoek_backup content ======================

C:\zoek_backup (files=23 folders=19 91957497 bytes)

==== Empty Temp Folders ======================

C:\Users\Default\AppData\Local\Temp emptied successfully
C:\Users\Default User\AppData\Local\Temp emptied successfully
C:\Users\Anonymous\AppData\Local\Temp will be emptied at reboot
C:\Windows\serviceprofiles\networkservice\AppData\Local\Temp emptied successfully
C:\Windows\serviceprofiles\Localservice\AppData\Local\Temp emptied successfully
C:\Windows\Temp will be emptied at reboot

==== After Reboot ======================

==== Empty Temp Folders ======================

C:\Windows\Temp successfully emptied
C:\Users\Anonymous\AppData\Local\Temp successfully emptied

==== Empty Recycle Bin ======================

C:\$RECYCLE.BIN successfully emptied

==== EOF on Sun 06/07/2015 at 22:57:32.09 ======================

Fix with Farbar Recovery Scan Tool

[B]This fix was created for this user for use on that particular machine.
Running it on another one may cause damage and render the system unstable.[/B]
Download attached fixlist.txt file and save it to the Desktop:

Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!

[*]Right-click on the icon and select Run as Administrator to start the tool.
(XP users click run after receipt of Windows Security Warning - Open File).
[*]Press the Fix button just once and wait.
[*]If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
[*]When finished FRST will generate a log on the Desktop, called Fixlog.txt.

Please attach it to your reply.

Not sure which is preferable for you guys, an attachment or just pasting the log as text. I attached it this time…
Thanks again for helping me with this!

Re-run zoek and run this script:

C:\Users\Anonymous\AppData\Local\Google\Chrome\User Data\Default\Preferences;f
createsrpoint;
autoclean;
emptyalltemp;

Post its content into your next reply.

Zoek is currently running still, but it occurred to me when I saw your last instructions that I had changed my name in all the previous logs to “Anonymous” instead of what it really is. For your most recent script instructions, I replaced “Anonymous” with my true name/username.

Would the name change have created any problems with the previous FixLog I used? I forgot to check if there were any instances of the username in the text. I hope I didn’t mess things up by trying to hide my real name.

“C:\Users\[b]Anonymous[/b]\AppData\Local\Google\Chrome\User Data\Default\Preferences” => File/Folder not found.

Yes, it is a problem. Stop zoek. Return the real nickname here:

C:\Users\[b]Anonymous[/b]\AppData\Local\Google\Chrome\User Data\Default\Preferences

Your problem was Chrome.

Copy here the complete line

C:\Users\[b]Anonymous[/b]\AppData\Local\Google\Chrome\User Data\Default\Preferences

Oops, sorry about that! This is my first time, I didn’t realize I was making a mistake. Lesson learned. :)

I ran again your original FixList and put my real username in it. Attached is the new FixLog.txt.

Did it work that time?

Very good, is everything ok now?

It’s hard to tell because the only symptoms I had found so far were the Microsoft webpage not loading correctly, and then I saw a mystery file on my user directory that was named .ghost-ntfs-3g-00000000000000000009. The desktop icons continue to reload after start-up, but I don’t know if that is related to this or some separate issue.

The Microsoft website loads great now, so something is definitely fixed!

But as for the .ghost-ntfs-3g-00000000000000000009 file, before I posted my thread here, I removed it onto a thumb drive, so it was no longer on my computer when I ran these scans and so I can’t tell if that problem was fixed. I still don’t even know what the file is or where it came from, very strange. Do you know what that file is? Was that the problem and the FixList got rid of the remnants of it that were left on my computer after I removed that file? Do you think it was something bad (adware/malware, etc) and it was good to remove the file?

Sorry for so many questions… I’m just very curious what happened.

Thank you again for your help!

Oh, and also, my Avast and MBAM did not catch anything or alert me of anything being infected… I just stumbled across the mystery file while I was looking through folders on my computer.

It is a legitimate file, it is not malware. 82 MB is not possible :)

82051072 _____ C:\Windows\system32\config\.ghost-ntfs-3g-00000000000000000001
19660800 _____ C:\Windows\system32\config\.ghost-ntfs-3g-00000000000000000003

The following will implement some post-cleanup procedures:

Download DelFix by Xplode and save it to your desktop.

[*]Run the tool by right-clicking on the icon and choosing the Run as administrator option.
[*]Make sure that these ones are checked:

[*]Remove disinfection tools
[*]Purge system restore
[*]Reset system settings

[*]Push Run and wait until the tool completes its work.
All tools we used should be gone. The tool will create a report for you (C:\DelFix.txt).

The tool will also record the healthy state of the registry and make a backup using the ERUNT program in %windir%\ERUNT\DelFix.
The tool deletes old system restore points and creates a fresh system restore point after cleaning.

Right-click My Computer > Properties. Click System Protection, click System C: > Configure.
Reduce it to 6%, apply/OK and reboot the laptop. It unnecessarily takes up so much space on the disk. The laptop will work fast.

Ok, thank you! Great news. :)

And I ran the DelFix and reduced system protection to 6%.

Have you heard of those types of files - .ghost-ntfs-3g-00000000000000000009 ? I can’t find anything online about what those files do, but if you have seen them on other systems before too and they are normal, then I will stop worrying. I have owned this computer for about 3 years but I never saw that file under my user directory until a few months ago, so thought it was weird.

So you said my issue was with Chrome? Was it bad settings, or some kind of infection, or? Did those logs show?

Did the scans we did test for adware too? That is what the Microsoft tech told me a ghost-ntfs-3g file was, but I don’t know if he was just trying to sell me their $90 support service or if it was true? He didn’t even look at the file or ask me anything about it. He just ran HitManPro and all it found was two tracking cookies, but he still said I had adware and needed to pay to have it fixed. (I didn’t.)

One other thing I remember I’ve had for a really long time is that lots of websites in Chrome all have unsecured connection warnings. Is that normal? Here’s a screen shot of an example right now, while looking at this thread: http://i.imgur.com/fm3zOQy.png It was like that before and after the fix as well.

See the logs, no one it does not removed.

https://forums.malwarebytes.org/index.php?/topic/150613-topic-closed/
http://forums.techguy.org/virus-other-malware-removal/1131599-i-think-i-have-virus.html
http://www.geekstogo.com/forum/topic/345839-im-pretty-certain-i-have-a-virus-but-a-lot-of-anti-virus-programs-arent-discovering-any/

So you said my issue was with Chrome? Was it bad settings, or some kind of infection, or? Did those logs show?

The Preferences file had a problem.

Did the scans we did test for adware too?

Yes, zoek.

Microsoft tech told me a ghost-ntfs-3g file was, but I don't know if he was just trying to sell me their $90 support service or if it was true? He didn't even look at the file or ask me anything about it. He just ran HitManPro and all it found was two tracking cookies, but he still said I had adware and needed to pay to have it fixed.

HitManPro is an average program; they are trying to cheat you and take your money.

Okay, thanks! I appreciate your help. :)

Glad we could help.
