Fighting virus(es)

Hello,
My brother brought me his computer to work on. It is full of viruses. It is a Gateway GT5432 running Vista. I tried to run Avast in boot scan mode, it would not let me. I then ran Avast in safe mode, it removed gfv.exe, xdr.exe, and go(10.htm.

His hard drive runs very fast and Avast gives a warning that it blocked windows/system32/ping.exe.

I finally got bootscan to run. The hard drive still runs fast while boot scan is running.
My computer knowledge: I am recently A+ certified, but lacking in the virus removal area.
Any help would be appreciated.
Thanks,
Lee

follow this guide and attach all logs ( not copy and paste )
http://forum.avast.com/index.php?topic=53253.0

lower left corner > additional options > attach

Essexboy will then help you tomorrow when he arrive…

Thanks,
After Avast boot scan finished, the computer restarted, loaded to desktop, then an error message popped up stating Windows has recovered from an unexpected shut down, then BSOD. Sometimes it crashes just after Desktop loads.

I can start the computer and run as long as I do not click (or cancel) box “look for solution”.
As soon as I try to attach ethernet cable, even in safe mode, BSOD.

I had to run Malwarebytes without updates.
Malwarebytes’ Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 7622

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.19170

12/26/2011 9:10:03 PM
mbam-log-2011-12-26 (21-10-03).txt

Scan type: Quick scan
Objects scanned: 224058
Time elapsed: 12 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 8
Registry Values Infected: 7
Registry Data Items Infected: 0
Folders Infected: 4
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
c:\Windows\System32\config\systemprofile\AppData\Roaming\Adobe\sp.DLL (TrojanProxy.Agent) → Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{96AFBE69-C3B0-4b00-8578-D933D2896EE2} (TrojanProxy.Agent) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} (Rogue.WinAntiVirus) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RegGenie (Spyware.Passwords) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\sp (TrojanProxy.Agent) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\AppDataLow\gvtl (Adware.GameVance) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\sp (TrojanProxy.Agent) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SPService (TrojanProxy.Agent) → Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{96AFBE69-C3B0-4B00-8578-D933D2896EE2} (TrojanProxy.Agent) → Value: {96AFBE69-C3B0-4B00-8578-D933D2896EE2} → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{96AFBE69-C3B0-4b00-8578-D933D2896EE2} (TrojanProxy.Agent) → Value: {96AFBE69-C3B0-4b00-8578-D933D2896EE2} → Quarantined and deleted successfully.
HKEY_CURRENT_USER\Environment\AVAPP (Rogue.PersonalAntiVirus) → Value: AVAPP → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow\*.securewebinfo.com (Trojan.Zlob) → Value: *.securewebinfo.com → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow\*.safetyincludes.com (Trojan.Zlob) → Value: *.safetyincludes.com → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow\*.securemanaging.com (Trojan.Zlob) → Value: *.securemanaging.com → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\netsvc (TrojanProxy.Agent) → Value: netsvc → Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
c:\programdata\38289939 (Rogue.Multiple) → Quarantined and deleted successfully.
c:\program files\common files\uninstall\personalav (Rogue.PersonalAntiVirus) → Quarantined and deleted successfully.
c:\program files\personalav (Rogue.PersonalAntiVirus) → Quarantined and deleted successfully.
c:\programdata\microsoft\Windows\start menu\personalav (Rogue.PersonalAntiVirus) → Quarantined and deleted successfully.

OTL files to follow
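
An added example, not part of the original thread and not Malwarebytes' own tooling: a small Python triage script for a log pasted in the layout above. It groups detections by family, lists items whose removal is still pending a reboot, and compares each section's declared count with the entries actually present, which exposes a log that was cut off when pasted (the one above declares "Files Infected: 5" but carries no file entries). The sample input is constructed from a few lines of that log; the function names are hypothetical.

```python
import re
from collections import Counter

# Line shapes taken from the log posted above; "->" and the arrow U+2192 are both accepted.
SUMMARY = re.compile(r"^(?P<section>[A-Za-z ]+) Infected: (?P<count>\d+)$")
HEADER = re.compile(r"^(?P<section>[A-Za-z ]+) Infected:$")
ITEM = re.compile(r"^(?P<target>.+?) \((?P<family>[^()]+)\) (?:->|\u2192) (?P<action>.+)$")
ARROW = re.compile(r"\s*(?:->|\u2192)\s*")
DONE = "Quarantined and deleted successfully"

# Constructed sample: a shortened copy of the posted log (same layout, fewer entries).
SAMPLE_LOG = r"""
Memory Modules Infected: 1
Registry Keys Infected: 2
Folders Infected: 1
Files Infected: 5

Memory Modules Infected:
c:\Windows\System32\config\systemprofile\AppData\Roaming\Adobe\sp.DLL (TrojanProxy.Agent) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\sp (TrojanProxy.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SPService (TrojanProxy.Agent) -> Quarantined and deleted successfully.

Folders Infected:
c:\program files\personalav (Rogue.PersonalAntiVirus) -> Quarantined and deleted successfully.
"""


def parse(log):
    """Return (declared counts per section, list of detection entries)."""
    declared, items, section = {}, [], None
    for raw in log.splitlines():
        line = raw.strip()
        if m := SUMMARY.match(line):
            declared[m["section"]] = int(m["count"])
        elif m := HEADER.match(line):
            section = m["section"]          # entries that follow belong to this section
        elif section and (m := ITEM.match(line)):
            # Registry value lines carry "Value: x" before the action; keep the last part.
            action = ARROW.split(m["action"])[-1]
            items.append({"section": section, "target": m["target"],
                          "family": m["family"], "action": action})
    return declared, items


def audit(log):
    """Summarise a pasted log and flag sections whose entries are missing."""
    declared, items = parse(log)
    listed = Counter(i["section"] for i in items)
    return {
        "by_family": Counter(i["family"] for i in items),
        # Anything not yet quarantined (e.g. "Delete on reboot.") needs a re-scan after reboot.
        "pending": [i["target"] for i in items if not i["action"].startswith(DONE)],
        # section -> (declared in summary, actually listed); non-empty means a truncated log.
        "mismatch": {s: (n, listed[s]) for s, n in declared.items() if n != listed[s]},
    }


if __name__ == "__main__":
    report = audit(SAMPLE_LOG)
    for key, value in report.items():
        print(key, dict(value) if isinstance(value, Counter) else value)
```
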

if possible you should update malwarebytes before scan

Hi could you copy the following programme to the infected system and then run it

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

[*]Double click on ComboFix.exe & follow the prompts.
[*]Accept the disclaimer and allow to update if it asks

[*]When finished, it shall produce a log for you.
[*]Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now

THEN

If you can get on the net

Download OTL to your Desktop

[*]Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
[*]Select All Users
[*]Under the Custom Scan box paste this in
netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
consrv.dll
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBT /s
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBIOS /s
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\afd /s
C:\Windows\assembly\tmp\U\*.* /s
%Temp%\smtmp\1\*.*
%Temp%\smtmp\2\*.*
%Temp%\smtmp\3\*.*
%Temp%\smtmp\4\*.*
CREATERESTOREPOINT

[*]Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
[*]When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
[*]Post both logs

Here is my otl and extra files.
While running Combofix a box popped up “You are infected with Rootkit.ZeroAccess it has inserted itself in the tcp/ip stack”
Combofix restarted the computer. I did not rerun Combofix after restart, nor did I find a Combofix.txt file.

How computer runs: The computer runs very slow. The hard drive runs very fast every few seconds. I can now access the Internet and am now able to change my homepage back to Google. Under Internet Options, Web Search is listed as default search and can not be changed. When I hover over it with the mouse it points to bearshare.com. Google shows as a search provider but can not be made default.

I have included the new malwarebytes log.

Hi it may well have cleared part of the infection - could you run aswMBR to check the partitions

Download aswMBR.exe ( 1.8mb ) to your desktop.
Double click the aswMBR.exe to run it Click the “Scan” button to start scan

On completion of the scan click save log, save it to your desktop and post in your next reply

OK just checked the log and Combofix did kill the main infection- I have some others to remove now to stop a re-infection

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL
IE - HKU\S-1-5-21-1635262794-2634499321-2085102805-1000\..\URLSearchHook: {91C18ED5-5E1C-4AE5-A148-A861DE8C8E16} - No CLSID value found
IE - HKU\S-1-5-21-1635262794-2634499321-2085102805-1000\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (MediaBar) - {0974BA1E-64EC-11DE-B2A5-E43756D89593} - C:\PROGRA~1\BEARSH~1\MediaBar\ToolBar\BearshareMediabarDx.dll File not found
O3 - HKLM\..\Toolbar: (MediaBar) - {0974BA1E-64EC-11DE-B2A5-E43756D89593} - C:\PROGRA~1\BEARSH~1\MediaBar\ToolBar\BearshareMediabarDx.dll File not found
O3 - HKU\S-1-5-21-1635262794-2634499321-2085102805-1000\..\Toolbar\WebBrowser: (no name) - {A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} - No CLSID value found.
O3 - HKU\S-1-5-21-1635262794-2634499321-2085102805-1000\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
[2011/12/24 06:30:03 | 000,000,000 | ---- | M] () -- C:\ProgramData\ISc7AG0L.dat
[2011/12/24 06:29:19 | 000,029,184 | ---- | M] () -- C:\Windows\System32\0EA0ntbq.com

:Files
ipconfig /flushdns /c
C:\Windows\tasks\At*.job

:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]


[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

Thanks for the help Essexboy,
Question: do you want me to run aswMBR prior to making the changes in the last post? Or does order not matter?
Thanks Again,
Lee

The order is irrelevant really ;D

But there should be noticeable changes once the OTL fix is run

I have included the new otl files and the aswMBR logs.

aswMBR version 0.9.9.1120 Copyright(c) 2011 AVAST Software
Run date: 2011-12-27 15:46:42

15:46:42.692 OS Version: Windows 6.0.6002 Service Pack 2
15:46:42.692 Number of processors: 2 586 0x4B02
15:46:42.708 ComputerName: VIRGIL-COMPUTER UserName: Kimberly
15:47:45.794 Initialize success
15:47:47.011 AVAST engine defs: 11112801
15:48:09.101 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\00000075
15:48:09.101 Disk 0 Vendor: Hitachi_ V54O Size: 305245MB BusType: 6
15:48:11.175 Disk 0 MBR read successfully
15:48:11.175 Disk 0 MBR scan
15:48:11.487 Disk 0 unknown MBR code
15:48:11.519 Disk 0 Partition 1 00 07 HPFS/NTFS NTFS 9954 MB offset 63
15:48:11.612 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 295289 MB offset 20386485
15:48:11.643 Disk 0 scanning sectors +625140400
15:48:11.862 Disk 0 scanning C:\Windows\system32\drivers
15:49:08.193 Service scanning
15:49:20.978 Modules scanning
15:50:08.012 Disk 0 trace - called modules:
15:50:08.043 ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll storport.sys nvstor32.sys dxgkrnl.sys nvlddmkm.sys
15:50:08.106 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x84fba968]
15:50:08.121 3 CLASSPNP.SYS[865a28b3] → nt!IofCallDriver → [0x846291d8]
15:50:08.121 5 acpi.sys[8060e6bc] → nt!IofCallDriver → \Device\00000075[0x84682a58]
15:50:09.822 AVAST engine scan C:\Windows
15:50:34.314 AVAST engine scan C:\Windows\system32
15:52:30.409 AVAST engine scan C:\Windows\system32\drivers
15:52:58.957 AVAST engine scan C:\Users\Kimberly
15:59:28.427 AVAST engine scan C:\ProgramData
16:01:04.413 Scan finished successfully
16:01:34.818 Disk 0 MBR has been saved successfully to “C:\Users\Kimberly\Desktop\MBR.dat”
16:01:34.818 The log file has been saved successfully to “C:\Users\Kimberly\Desktop\aswMBR.txt”
16:01:57.486 Disk 0 MBR has been saved successfully to “E:\MBR.dat”
16:01:57.502 The log file has been saved successfully to “E:\aswMBR.txt”

NEW OTL Log

All processes killed
========== OTL ==========
Registry value HKEY_USERS\S-1-5-21-1635262794-2634499321-2085102805-1000\Software\Microsoft\Internet Explorer\URLSearchHooks\{91C18ED5-5E1C-4AE5-A148-A861DE8C8E16} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{91C18ED5-5E1C-4AE5-A148-A861DE8C8E16}\ not found.
Registry value HKEY_USERS\S-1-5-21-1635262794-2634499321-2085102805-1000\Software\Microsoft\Internet Explorer\URLSearchHooks\{EF99BD32-C1FB-11D2-892F-0090271D4F88} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0974BA1E-64EC-11DE-B2A5-E43756D89593}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0974BA1E-64EC-11DE-B2A5-E43756D89593}\ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\{0974BA1E-64EC-11DE-B2A5-E43756D89593} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0974BA1E-64EC-11DE-B2A5-E43756D89593}\ not found.
Registry value HKEY_USERS\S-1-5-21-1635262794-2634499321-2085102805-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\{A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6}\ not found.
Registry value HKEY_USERS\S-1-5-21-1635262794-2634499321-2085102805-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\{D4027C7F-154A-4066-A1AD-4243D8127440} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440}\ not found.
C:\ProgramData\ISc7AG0L.dat moved successfully.
File C:\Windows\System32\0EA0ntbq.com not found.
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Users\Kimberly\Desktop\cmd.bat deleted successfully.
C:\Users\Kimberly\Desktop\cmd.txt deleted successfully.
C:\Windows\tasks\At1.job moved successfully.
C:\Windows\tasks\At10.job moved successfully.
C:\Windows\tasks\At11.job moved successfully.
C:\Windows\tasks\At12.job moved successfully.
C:\Windows\tasks\At13.job moved successfully.
C:\Windows\tasks\At14.job moved successfully.
C:\Windows\tasks\At15.job moved successfully.
C:\Windows\tasks\At16.job moved successfully.
C:\Windows\tasks\At17.job moved successfully.
C:\Windows\tasks\At18.job moved successfully.
C:\Windows\tasks\At19.job moved successfully.
C:\Windows\tasks\At2.job moved successfully.
C:\Windows\tasks\At20.job moved successfully.
C:\Windows\tasks\At21.job moved successfully.
C:\Windows\tasks\At22.job moved successfully.
C:\Windows\tasks\At23.job moved successfully.
C:\Windows\tasks\At24.job moved successfully.
C:\Windows\tasks\At25.job moved successfully.
C:\Windows\tasks\At26.job moved successfully.
C:\Windows\tasks\At27.job moved successfully.
C:\Windows\tasks\At28.job moved successfully.
C:\Windows\tasks\At29.job moved successfully.
C:\Windows\tasks\At3.job moved successfully.
C:\Windows\tasks\At30.job moved successfully.
C:\Windows\tasks\At31.job moved successfully.
C:\Windows\tasks\At32.job moved successfully.
C:\Windows\tasks\At33.job moved successfully.
C:\Windows\tasks\At34.job moved successfully.
C:\Windows\tasks\At35.job moved successfully.
C:\Windows\tasks\At36.job moved successfully.
C:\Windows\tasks\At37.job moved successfully.
C:\Windows\tasks\At38.job moved successfully.
C:\Windows\tasks\At39.job moved successfully.
C:\Windows\tasks\At4.job moved successfully.
C:\Windows\tasks\At40.job moved successfully.
C:\Windows\tasks\At41.job moved successfully.
C:\Windows\tasks\At42.job moved successfully.
C:\Windows\tasks\At43.job moved successfully.
C:\Windows\tasks\At44.job moved successfully.
C:\Windows\tasks\At45.job moved successfully.
C:\Windows\tasks\At46.job moved successfully.
C:\Windows\tasks\At47.job moved successfully.
C:\Windows\tasks\At48.job moved successfully.
C:\Windows\tasks\At5.job moved successfully.
C:\Windows\tasks\At6.job moved successfully.
C:\Windows\tasks\At7.job moved successfully.
C:\Windows\tasks\At8.job moved successfully.
C:\Windows\tasks\At9.job moved successfully.
========== COMMANDS ==========
HOSTS file reset successfully

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 41044 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Guest
->Temp folder emptied: 131580 bytes
->Temporary Internet Files folder emptied: 240572 bytes

User: Kimberly
->Temp folder emptied: 147456 bytes
->Temporary Internet Files folder emptied: 329159424 bytes
->Java cache emptied: 3751186 bytes
->Flash cache emptied: 529768 bytes

User: pit stop
->Temp folder emptied: 262732 bytes
->Temporary Internet Files folder emptied: 4169932 bytes
->Flash cache emptied: 913 bytes

User: Public

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 301397540 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 610.00 mb

OTL by OldTimer - Version 3.2.31.0 log created on 12272011_160639

Files\Folders moved on Reboot…
File\Folder C:\Windows\temp\logishrd\LVPrcInj03.dll not found!

Registry entries deleted on Reboot…

How is the computer behaving now ?

Better, yet still getting a warning that a “program has corrupted your default web provider for IE…IE has reset your settings to original search providerWeb Search (search.bearshare.com)”

And unable to remove bearshare as default.

UPDATED
I went into safe mode and was able to remove websearch as default and remove it from list.
Hard drive still running fast every few seconds

Thanks for your time and patience in removing these problems

893.76 Mb Total Physical Memory
For Vista it is not surprising that the hard drive is chuntering away, I would recommend at least 2Gb of RAM to run fairly smoothly

You can check out the RAM by using the crucial system scanner here http://www.crucial.com/systemscanner/

It will then give you a breakdown of the type and cost of RAM that the system can take

But, apart from that how is it behaving now ?

Not bad, not perfect, slow, but better, I need to see what is loading at startup. Hijack homepage is gone, error messages have stopped. Thanks Again for all the help.

As to the HD running fast, I misread the problem, after opening the case I found it was the CPU fan speeding up and slowing down.
The HD drive was being accessed a lot before and I associated the fan noise as the HD spinning.
I will suggest to my brother to add some RAM,
Thanks Again,
Lee

Subject to no further problems :slight_smile:

I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself so…The following will implement some cleanup procedures as well as reset System Restore points:

Run OTL
[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

:Commands
[resethosts]
[emptytemp]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done

Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself.

We will now confirm that your hidden files are set to that, as some of the tools I use will change that

[*]Click Start.
[*]Open My Computer.
[*]Select the Tools menu and click Folder Options.
[*]Select the View Tab.
[*]Under the Hidden files and folders heading select Do not show hidden files and folders.
[*]Click Yes to confirm.
[*]Click OK.

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version of Java components and upgrade the application.

Upgrading Java:

[*] Go to this site and click Do I have Java
[*] It will check your current version and then offer to update to the latest version

SPRING CLEAN

To manually create a new Restore Point

[*]Go to Control Panel and select System
[*]Select System
[*]On the left select System Protection and accept the warning if you get one
[*]Select System Protection Tab
[*]Select Create at the bottom
[*]Type in a name i.e. Clean
[*]Select Create

Now we can purge the infected ones

[*]Go Start > All programs > Accessories > system tools
[*]Right click Disc cleanup and select run as administrator
[*]Select Your main drive and accept the warning if you get one
[*]For a few moments the system will make some calculations
[*]Select the More Options tab
[*]In the System Restore and Shadow Backups select Clean up
[*]Select Delete on the pop up
[*]Select OK
[*]Select Delete

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

Malwarebytes. Update and run weekly to keep your system clean

Download and install FileHippo update checker and run it monthly it will show you which programmes on your system need updating and give a download link

It is critical to have both a firewall and anti virus to protect your system and to keep them updated. To keep your operating system up to date visit

[*]Microsoft Windows Update

To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ?

Keep safe :wave:

I can not Thank You enough Essexboy, as soon as I am through cleaning another computer of dust I will run the clean up.

My pleasure ;D