Cannot delete files and folder from the computer

oekoeloe

Member
Hello,

I want to reinstall Google Chrome because it got corrupted. The thing is, it doesn't remember last session tabs.
And of course, after uninstalling, I can't delete 2 files and 1 folder.
"C:\Users\Name\Appdata\Local\Google\Chrome\User Data\Default\"

\Old_Cache_000\
Last Session
Last Tabs

Here is what I tried to delete them:
1. Regular deleting. "Try again?" Error: 0x80070570
2. Delete in command prompt. Says: "Directory is not empty" or "Access Denied" even running as Admin.
3. Using a program called Unlocker. Doesn't work.
4. Safe mode: same as 1.
5. CCleaner: Including it to be cleaned did nothing to it.

What can I do now?

Thank you!
 

johnb35

Administrator
Staff member
Give me the exact folder locations and filenames and I can give you a combofix script to delete them.
 

oekoeloe

Member
Give me the exact folder locations and filenames and I can give you a combofix script to delete them.

"C:\Users\Michael\Appdata\Local\Google\Chrome\User Data\Default\old\Last Session"
"C:\Users\Michael\Appdata\Local\Google\Chrome\User Data\Default\Last Tabs"
"C:\Users\Michael\Appdata\Local\Google\Chrome\User Data\Default\old\"
(I did manage to rename this folder but not delete)
 

johnb35

Administrator
Staff member
At work right now but will give you a script to run this afternoon when I get home.
 

johnb35

Administrator
Staff member
Please download combofix from here and save it to your desktop.

http://www.bleepingcomputer.com/download/combofix/dl/12/


1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box

Code:
Folder::

C:\Users\Michael\Appdata\Local\Google\Chrome\User Data\Default\old\Last Session
C:\Users\Michael\Appdata\Local\Google\Chrome\User Data\Default\Last Tabs
C:\Users\Michael\Appdata\Local\Google\Chrome\User Data\Default\old

3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!

[Screenshot: CFScript-1.gif]

ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.


Or you can replace that script with this one if you just want to delete the whole chrome folder.

Code:
Folder::

C:\Users\Michael\Appdata\Local\Google\Chrome
 

oekoeloe

Member
Thanks for the fix. I'm running it now and it got stuck at:
"Log is being prepared.
Don't start a new program untill ComboFix is done..."

The desktop is gone and only the background is there and the cmd ComboFix is running in. It's been like this for 15 minutes now.

Plus, I can't use the mouse anymore. Should I just unpower and reboot?

EDIT:
I rebooted and it didn't delete the folder and 2 files.

EDIT2:

I ran it again and it finished and I have a log. But, the files and folder are still there and unchanged.
 

oekoeloe

Member
Can you post the log? You may not have done the script right.

I did exactly as you told me: make the script with those lines, then drag it onto ComboFix.exe.

ComboFix 13-08-15.03 - Michael 16-08-2013 14:16:46.2.2 - x86
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.31.1043.18.1975.958 [GMT 2:00]
Gestart vanuit: c:\users\Michael\Desktop\ComboFix.exe
gebruikte Opdracht switches :: c:\users\Michael\Desktop\CFScript.txt
AV: ESET NOD32 Antivirus 4.0 *Disabled/Updated* {CB0F8167-5331-BA19-698E-64816B6801A5}
SP: ESET NOD32 Antivirus 4.0 *Disabled/Updated* {706E6083-750B-B597-533E-5FF310EF4B18}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Voorgaande Run -------
.
c:\windows\system32\frapsvid.dll
.
.
(((((((((((((((((((( Bestanden Gemaakt van 2013-07-16 to 2013-08-16 ))))))))))))))))))))))))))))))
.
.
2013-08-16 12:27 . 2013-08-16 12:27 -------- d-----w- c:\users\Michael\AppData\Local\temp
2013-08-16 12:27 . 2013-08-16 12:27 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-08-14 10:13 . 2013-06-15 13:22 15872 ----a-w- c:\windows\system32\icaapi.dll
2013-08-14 10:13 . 2013-06-15 11:23 24064 ----a-w- c:\windows\system32\drivers\tssecsrv.sys
2013-08-14 10:13 . 2013-07-05 04:53 905664 ----a-w- c:\windows\system32\drivers\tcpip.sys
2013-08-14 10:13 . 2013-07-08 04:20 172544 ----a-w- c:\windows\system32\wintrust.dll
2013-08-14 10:13 . 2013-07-08 04:16 98304 ----a-w- c:\windows\system32\cryptnet.dll
2013-08-14 10:13 . 2013-07-08 04:16 133120 ----a-w- c:\windows\system32\cryptsvc.dll
2013-08-14 10:13 . 2013-07-08 04:16 992768 ----a-w- c:\windows\system32\crypt32.dll
2013-08-14 10:13 . 2013-07-10 09:47 783360 ----a-w- c:\windows\system32\rpcrt4.dll
2013-08-14 10:13 . 2013-07-17 19:41 2048 ----a-w- c:\windows\system32\tzres.dll
2013-08-14 10:13 . 2013-07-08 04:55 3603904 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-08-14 10:13 . 2013-07-08 04:55 3551680 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-08-14 10:13 . 2013-07-09 12:10 1205168 ----a-w- c:\windows\system32\ntdll.dll
2013-08-12 14:14 . 2013-08-12 14:14 3888 ----a-w- c:\windows\system32\drivers\NTHANDLE.SYS
2013-08-12 13:23 . 2013-08-12 13:28 -------- d-----w- c:\users\Michael\AppData\Local\SoftThinks
2013-08-12 13:21 . 2013-08-12 13:21 -------- d-----w- c:\users\Michael\AppData\Roaming\SampleView
2013-08-12 13:17 . 2007-03-19 13:03 241664 ----a-w- c:\windows\system32\HPEvents.dll
2013-08-12 13:17 . 2005-10-10 09:03 266240 ----a-w- c:\windows\system32\ShellvRTF64.dll
2013-08-12 13:17 . 2003-03-19 02:03 544768 ----a-w- c:\windows\system32\msvcr71d.dll
2013-08-12 13:17 . 2002-09-20 18:42 122880 ----a-w- c:\windows\system32\ShellvRTF.dll
2013-08-12 12:43 . 2013-08-12 12:53 -------- d-----w- c:\program files\Belarc
2013-08-12 12:38 . 2013-08-12 12:54 -------- d-----w- c:\program files\VirtualCloneDrive
2013-08-12 12:35 . 2013-08-12 12:54 -------- d-----w- c:\program files\MagicISO
2013-08-12 10:18 . 2013-08-12 14:51 -------- d-----w- c:\program files\Google
2013-08-08 17:59 . 2013-08-14 10:29 -------- d-----w- c:\windows\system32\MRT
2013-08-08 14:05 . 2013-08-08 14:06 -------- d-----w- c:\program files\Core Temp
2013-08-08 14:02 . 2013-08-08 14:02 -------- d-----w- c:\programdata\APN
2013-08-05 17:56 . 2013-04-17 10:10 1069056 ----a-w- c:\windows\system32\DWrite.dll
2013-08-05 17:56 . 2013-04-17 10:10 798208 ----a-w- c:\windows\system32\FntCache.dll
2013-08-05 17:56 . 2013-04-17 11:28 219648 ----a-w- c:\windows\system32\d3d10_1core.dll
2013-08-05 17:56 . 2013-04-17 11:28 189952 ----a-w- c:\windows\system32\d3d10core.dll
2013-08-05 17:56 . 2013-04-17 10:33 486400 ----a-w- c:\windows\system32\d3d10level9.dll
2013-08-05 17:56 . 2013-04-17 11:28 1029120 ----a-w- c:\windows\system32\d3d10.dll
2013-08-05 17:56 . 2013-04-17 11:28 160768 ----a-w- c:\windows\system32\d3d10_1.dll
2013-08-05 17:56 . 2013-04-17 10:34 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
2013-08-05 17:56 . 2013-04-17 10:14 683008 ----a-w- c:\windows\system32\d2d1.dll
2013-08-05 17:56 . 2013-05-08 04:04 1548288 ----a-w- c:\windows\system32\WMVDECOD.DLL
2013-08-05 17:56 . 2013-06-01 04:06 505344 ----a-w- c:\windows\system32\qedit.dll
2013-08-05 17:55 . 2013-04-24 04:00 41984 ----a-w- c:\windows\system32\certenc.dll
2013-08-05 17:55 . 2013-04-24 01:46 812544 ----a-w- c:\windows\system32\certutil.exe
2013-08-05 17:55 . 2013-05-02 04:04 443904 ----a-w- c:\windows\system32\win32spl.dll
2013-08-05 17:55 . 2013-05-02 04:03 37376 ----a-w- c:\windows\system32\printcom.dll
2013-08-05 17:55 . 2013-06-04 01:50 2049024 ----a-w- c:\windows\system32\win32k.sys
2013-08-05 17:51 . 2013-04-17 12:30 24576 ----a-w- c:\windows\system32\cryptdlg.dll
2013-08-05 17:51 . 2013-04-09 03:51 936960 ----a-w- c:\program files\Common Files\Microsoft Shared\ink\journal.dll
.
.
.
((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-08-16 12:06 . 2008-04-17 16:25 17408 ----a-w- c:\windows\system32\rpcnetp.exe
2013-08-16 12:06 . 2011-01-02 15:56 58288 ----a-w- c:\windows\system32\rpcnet.dll
2013-08-15 08:31 . 2008-04-17 16:29 17408 ----a-w- c:\windows\system32\rpcnetp.dll
2013-06-22 10:10 . 2012-04-11 10:36 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-06-22 10:10 . 2011-05-16 08:11 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-07-12 08:28 . 2012-07-12 08:28 2174976 ----a-w- c:\program files\Common Files\atimpenc.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"accrdsub"="c:\program files\ActivIdentity\ActivClient\accrdsub.exe" [2007-05-15 293168]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2010-06-04 1791272]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2008-04-04 1314816]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-03-24 175128]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-03-24 141848]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-03-24 153624]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2011-12-27 2054360]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-20 59240]
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2011-03-15 499608]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /p \??\C:\0autocheck autochk *
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS5ServiceManager
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WatchDog
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-11-15 20:02 932288 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-11-15 20:02 35736 ----a-w- c:\program files\Adobe\Reader 10.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeAAMUpdater-1.0]
2011-03-15 16:42 499608 ------w- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS5.5ServiceManager]
2011-01-12 06:08 1523360 ----a-w- c:\program files\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Health Check Scheduler]
2008-04-15 20:42 70912 ----a-w- c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
2008-04-18 13:53 178712 ----a-w- c:\program files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QlbCtrl.exe]
2009-11-11 14:11 287800 ----a-r- c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QLBCtrl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2012-04-18 18:56 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SwitchBoard]
2010-02-19 12:37 517096 ----a-w- c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
.
S2 accoca;ActivClient Middleware Service;c:\program files\ActivIdentity\ActivClient\accoca.exe [2007-05-15 182576]
.
.
--- Andere Services/Drivers In Geheugen ---
.
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
bthsvcs REG_MULTI_SZ BthServ
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-08-12 14:51 1173456 ----a-w- c:\program files\Google\Chrome\Application\28.0.1500.95\Installer\chrmstp.exe
.
Inhoud van de 'Gedeelde Taken' map
.
2013-08-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-08-12 14:50]
.
2013-08-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-08-12 14:50]
.
.
------- Bijkomende Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=nl_nl&c=83&bd=all&pf=cmnb
uInternet Settings,ProxyServer = 10.10.10.50:8080
IE: Append Link Target to Existing PDF
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
.
- - - - ORPHANS VERWIJDERD - - - -
.
SafeBoot-WudfPf
SafeBoot-WudfRd
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-08-16 14:27
Windows 6.0.6002 Service Pack 2 NTFS
.
scannen van verborgen processen ...
.
scannen van verborgen autostart items ...
.
scannen van verborgen bestanden ...
.
Scan succesvol afgerond
verborgen bestanden: 0
.
**************************************************************************
.
--------------------- VERGRENDELDE REGISTER SLEUTELS ---------------------
.
[HKEY_USERS\S-1-5-21-3535993027-2643320515-1217649130-1004\Software\SecuROM\License information*]
"datasecu"=hex:0d,2a,1b,32,14,9d,a6,69,e8,67,98,81,86,32,a6,c3,0a,c1,40,64,e5,
86,91,de,a0,00,f4,16,27,39,b0,8a,dd,dc,92,d4,3d,03,14,af,22,03,49,94,81,4d,\
"rkeysecu"=hex:c4,75,a9,69,82,d8,e7,b3,d4,93,e0,8a,47,90,24,50
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\windows\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_224_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\windows\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_224_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\ESET\ESET Security\CurrentVersion\Info]
@Denied: (2) (LocalSystem)
"AppDataDir"="c:\\ProgramData\\ESET\\ESET NOD32 Antivirus\\"
"DataDir"="ESET\\ESET NOD32 Antivirus\\"
"EditionName"=" "
"InstallDir"="c:\\Program Files\\ESET\\ESET NOD32 Antivirus\\"
"LanguageId"=dword:00000409
"PackageTag"=dword:00000000
"ProductBase"=dword:00000000
"ProductCode"="{85C70286-A56F-4834-BD24-B34EB76A93A2}"
"ProductName"="ESET NOD32 Antivirus"
"ProductType"="eav"
"ProductVersion"="4.0.468.0"
"UniqueId"="0004C8AB4EF9D729"
"ScannerBuild"=dword:00001dd3
"ScannerVersionId"=dword:000015fe
"ScannerVersion"="ready"
"FixId"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Voltooingstijd: 2013-08-16 14:32:07
ComboFix-quarantined-files.txt 2013-08-16 12:32
.
Pre-Run: 54.668.910.592 bytes beschikbaar
Post-Run: 54.589.497.344 bytes beschikbaar
.
- - End Of File - - 360D36AD900A0553B8010029183858D7
82967FD6D91A60516A81EEE17D859620
 

johnb35

Administrator
Staff member
Let's try it again, and we need to add some lines to it.

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box

Code:
Killall::

Folder::

C:\Users\Michael\Appdata\Local\Google\Chrome\User Data\Default\old
C:\Users\Michael\Appdata\Local\Google\Chrome\User Data\Default\Last Tabs



Reglock::

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]

3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!

[Screenshot: CFScript-1.gif]

ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.
 

oekoeloe

Member
The files and folder are still there




ComboFix 13-08-16.03 - Michael 17-08-2013 11:38:14.3.2 - x86
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.31.1043.18.1975.1213 [GMT 2:00]
Gestart vanuit: c:\users\Michael\Desktop\ComboFix.exe
gebruikte Opdracht switches :: c:\users\Michael\Desktop\CFScript.txt
AV: ESET NOD32 Antivirus 4.0 *Disabled/Updated* {CB0F8167-5331-BA19-698E-64816B6801A5}
SP: ESET NOD32 Antivirus 4.0 *Disabled/Updated* {706E6083-750B-B597-533E-5FF310EF4B18}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Michael\Appdata\Local\Google\Chrome\User Data\Default\old . . . . konden niet verwijderd worden
.
.
(((((((((((((((((((( Bestanden Gemaakt van 2013-07-17 to 2013-08-17 ))))))))))))))))))))))))))))))
.
.
2013-08-17 09:48 . 2013-08-17 09:48 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-08-14 10:13 . 2013-06-15 13:22 15872 ----a-w- c:\windows\system32\icaapi.dll
2013-08-14 10:13 . 2013-06-15 11:23 24064 ----a-w- c:\windows\system32\drivers\tssecsrv.sys
2013-08-14 10:13 . 2013-07-05 04:53 905664 ----a-w- c:\windows\system32\drivers\tcpip.sys
2013-08-14 10:13 . 2013-07-08 04:20 172544 ----a-w- c:\windows\system32\wintrust.dll
2013-08-14 10:13 . 2013-07-08 04:16 98304 ----a-w- c:\windows\system32\cryptnet.dll
2013-08-14 10:13 . 2013-07-08 04:16 133120 ----a-w- c:\windows\system32\cryptsvc.dll
2013-08-14 10:13 . 2013-07-08 04:16 992768 ----a-w- c:\windows\system32\crypt32.dll
2013-08-14 10:13 . 2013-07-10 09:47 783360 ----a-w- c:\windows\system32\rpcrt4.dll
2013-08-14 10:13 . 2013-07-17 19:41 2048 ----a-w- c:\windows\system32\tzres.dll
2013-08-14 10:13 . 2013-07-08 04:55 3603904 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-08-14 10:13 . 2013-07-08 04:55 3551680 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-08-14 10:13 . 2013-07-09 12:10 1205168 ----a-w- c:\windows\system32\ntdll.dll
2013-08-12 14:14 . 2013-08-12 14:14 3888 ----a-w- c:\windows\system32\drivers\NTHANDLE.SYS
2013-08-12 13:23 . 2013-08-12 13:28 -------- d-----w- c:\users\Michael\AppData\Local\SoftThinks
2013-08-12 13:21 . 2013-08-12 13:21 -------- d-----w- c:\users\Michael\AppData\Roaming\SampleView
2013-08-12 13:17 . 2007-03-19 13:03 241664 ----a-w- c:\windows\system32\HPEvents.dll
2013-08-12 13:17 . 2005-10-10 09:03 266240 ----a-w- c:\windows\system32\ShellvRTF64.dll
2013-08-12 13:17 . 2003-03-19 02:03 544768 ----a-w- c:\windows\system32\msvcr71d.dll
2013-08-12 13:17 . 2002-09-20 18:42 122880 ----a-w- c:\windows\system32\ShellvRTF.dll
2013-08-12 12:43 . 2013-08-12 12:53 -------- d-----w- c:\program files\Belarc
2013-08-12 12:38 . 2013-08-12 12:54 -------- d-----w- c:\program files\VirtualCloneDrive
2013-08-12 12:35 . 2013-08-12 12:54 -------- d-----w- c:\program files\MagicISO
2013-08-12 10:18 . 2013-08-12 14:51 -------- d-----w- c:\program files\Google
2013-08-08 17:59 . 2013-08-14 10:29 -------- d-----w- c:\windows\system32\MRT
2013-08-08 14:05 . 2013-08-08 14:06 -------- d-----w- c:\program files\Core Temp
2013-08-08 14:02 . 2013-08-08 14:02 -------- d-----w- c:\programdata\APN
2013-08-05 17:56 . 2013-04-17 10:10 1069056 ----a-w- c:\windows\system32\DWrite.dll
2013-08-05 17:56 . 2013-04-17 10:10 798208 ----a-w- c:\windows\system32\FntCache.dll
2013-08-05 17:56 . 2013-04-17 11:28 219648 ----a-w- c:\windows\system32\d3d10_1core.dll
2013-08-05 17:56 . 2013-04-17 11:28 189952 ----a-w- c:\windows\system32\d3d10core.dll
2013-08-05 17:56 . 2013-04-17 10:33 486400 ----a-w- c:\windows\system32\d3d10level9.dll
2013-08-05 17:56 . 2013-04-17 11:28 1029120 ----a-w- c:\windows\system32\d3d10.dll
2013-08-05 17:56 . 2013-04-17 11:28 160768 ----a-w- c:\windows\system32\d3d10_1.dll
2013-08-05 17:56 . 2013-04-17 10:34 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
2013-08-05 17:56 . 2013-04-17 10:14 683008 ----a-w- c:\windows\system32\d2d1.dll
2013-08-05 17:56 . 2013-05-08 04:04 1548288 ----a-w- c:\windows\system32\WMVDECOD.DLL
2013-08-05 17:56 . 2013-06-01 04:06 505344 ----a-w- c:\windows\system32\qedit.dll
2013-08-05 17:55 . 2013-04-24 04:00 41984 ----a-w- c:\windows\system32\certenc.dll
2013-08-05 17:55 . 2013-04-24 01:46 812544 ----a-w- c:\windows\system32\certutil.exe
2013-08-05 17:55 . 2013-05-02 04:04 443904 ----a-w- c:\windows\system32\win32spl.dll
2013-08-05 17:55 . 2013-05-02 04:03 37376 ----a-w- c:\windows\system32\printcom.dll
2013-08-05 17:55 . 2013-06-04 01:50 2049024 ----a-w- c:\windows\system32\win32k.sys
2013-08-05 17:51 . 2013-04-17 12:30 24576 ----a-w- c:\windows\system32\cryptdlg.dll
2013-08-05 17:51 . 2013-04-09 03:51 936960 ----a-w- c:\program files\Common Files\Microsoft Shared\ink\journal.dll
.
.
.
((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-08-17 09:50 . 2008-04-17 16:25 17408 ----a-w- c:\windows\system32\rpcnetp.exe
2013-08-17 09:50 . 2011-01-02 15:56 58288 ----a-w- c:\windows\system32\rpcnet.dll
2013-08-15 08:31 . 2008-04-17 16:29 17408 ----a-w- c:\windows\system32\rpcnetp.dll
2013-06-22 10:10 . 2012-04-11 10:36 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-06-22 10:10 . 2011-05-16 08:11 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-07-12 08:28 . 2012-07-12 08:28 2174976 ----a-w- c:\program files\Common Files\atimpenc.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"accrdsub"="c:\program files\ActivIdentity\ActivClient\accrdsub.exe" [2007-05-15 293168]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2010-06-04 1791272]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2008-04-04 1314816]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-03-24 175128]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-03-24 141848]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-03-24 153624]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2011-12-27 2054360]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-20 59240]
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2011-03-15 499608]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /p \??\C:\0autocheck autochk *
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfPf]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfRd]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-11-15 20:02 932288 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-11-15 20:02 35736 ----a-w- c:\program files\Adobe\Reader 10.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeAAMUpdater-1.0]
2011-03-15 16:42 499608 ------w- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS5.5ServiceManager]
2011-01-12 06:08 1523360 ----a-w- c:\program files\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Health Check Scheduler]
2008-04-15 20:42 70912 ----a-w- c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
2008-04-18 13:53 178712 ----a-w- c:\program files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QlbCtrl.exe]
2009-11-11 14:11 287800 ----a-r- c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QLBCtrl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2012-04-18 18:56 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SwitchBoard]
2010-02-19 12:37 517096 ----a-w- c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
.
S2 accoca;ActivClient Middleware Service;c:\program files\ActivIdentity\ActivClient\accoca.exe [2007-05-15 182576]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
bthsvcs REG_MULTI_SZ BthServ
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-08-12 14:51 1173456 ----a-w- c:\program files\Google\Chrome\Application\28.0.1500.95\Installer\chrmstp.exe
.
Inhoud van de 'Gedeelde Taken' map
.
2013-08-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-08-12 14:50]
.
2013-08-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-08-12 14:50]
.
.
------- Bijkomende Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=nl_nl&c=83&bd=all&pf=cmnb
uInternet Settings,ProxyServer = 10.10.10.50:8080
IE: Append Link Target to Existing PDF
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-08-17 11:52
Windows 6.0.6002 Service Pack 2 NTFS
.
scannen van verborgen processen ...
.
scannen van verborgen autostart items ...
.
scannen van verborgen bestanden ...
.
Scan succesvol afgerond
verborgen bestanden: 0
.
**************************************************************************
.
--------------------- VERGRENDELDE REGISTER SLEUTELS ---------------------
.
[HKEY_USERS\S-1-5-21-3535993027-2643320515-1217649130-1004\Software\SecuROM\License information*]
"datasecu"=hex:0d,2a,1b,32,14,9d,a6,69,e8,67,98,81,86,32,a6,c3,0a,c1,40,64,e5,
86,91,de,a0,00,f4,16,27,39,b0,8a,dd,dc,92,d4,3d,03,14,af,22,03,49,94,81,4d,\
"rkeysecu"=hex:c4,75,a9,69,82,d8,e7,b3,d4,93,e0,8a,47,90,24,50
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\windows\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_224_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\windows\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_224_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\ESET\ESET Security\CurrentVersion\Info]
@Denied: (2) (LocalSystem)
"AppDataDir"="c:\\ProgramData\\ESET\\ESET NOD32 Antivirus\\"
"DataDir"="ESET\\ESET NOD32 Antivirus\\"
"EditionName"=" "
"InstallDir"="c:\\Program Files\\ESET\\ESET NOD32 Antivirus\\"
"LanguageId"=dword:00000409
"PackageTag"=dword:00000000
"ProductBase"=dword:00000000
"ProductCode"="{85C70286-A56F-4834-BD24-B34EB76A93A2}"
"ProductName"="ESET NOD32 Antivirus"
"ProductType"="eav"
"ProductVersion"="4.0.468.0"
"UniqueId"="0004C8AB4EF9D729"
"ScannerBuild"=dword:00001dd3
"ScannerVersionId"=dword:000015fe
"ScannerVersion"="ready"
"FixId"=dword:00000000
.
------------------------ Andere Aktieve Processen ------------------------
.
c:\windows\system32\Hpservice.exe
c:\windows\system32\AEADISRV.EXE
c:\program files\LSI SoftModem\agrsmsvc.exe
c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe
c:\program files\ActivIdentity\ActivClient\acevents.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\windows\system32\rpcnet.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\servicing\TrustedInstaller.exe
c:\windows\system32\conime.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\ActivIdentity\ActivClient\acevents.exe
.
**************************************************************************
.
Voltooingstijd: 2013-08-17 11:57:33 - machine werd herstart
ComboFix-quarantined-files.txt 2013-08-17 09:57
ComboFix2.txt 2013-08-16 12:32
.
Pre-Run: 44.629.471.232 bytes beschikbaar
Post-Run: 44.593.532.928 bytes beschikbaar
.
- - End Of File - - D17AA1F5F8C3C4EEB4BAE59449659BD8
82967FD6D91A60516A81EEE17D859620
 

johnb35

Administrator
Staff member
Ok, then I can't explain why it won't delete. May have to boot to a linux live cd and delete the files from there.
 

oekoeloe

Member
Ok, then I can't explain why it won't delete. May have to boot to a linux live cd and delete the files from there.

Thanks for the help!
It got like that after getting the overheating shutdowns.
How do I get on linux, is there a (simple) tutorial on how to get it?
 

S.T.A.R.S.

banned
There are 2 easy ways for this:

WAY 1:

Open CMD and type:

chkdsk.exe C: /F /R /X /V

If asked to reboot, confirm and reboot.
Wait for the process to finish.
Once it is finished, locate those folders and delete them. If it doesn't work in NORMAL MODE then try to delete them from SAFE MODE.
This will fix errors on the drive. Errors on the drive can cause data to be undeletable. Sometimes these errors on the drive can even cause weird things such as showing that folders and files ARE there when they are actually NOT. It only graphically shows them, but they are not really on the disk anymore.


WAY 2:

First be sure that you have tried WAY 1. If it did not work then do this.
Download the LINUX UBUNTU ISO image and burn it to a CD using a program designed to burn ISO images to blank CDs, such as PowerISO or ImgBurn.
Boot from that CD and load UBUNTU. DO NOT INSTALL IT. JUST LOAD IT FROM THE CD DIRECTLY. Usually you need to first choose the language. So choose ENGLISH and after that choose the option to load Ubuntu from the CD directly. Usually the option is called TRY UBUNTU WITHOUT ANY CHANGE TO YOUR COMPUTER.
Once Ubuntu has loaded, you will see the desktop. Now go to PLACES (upper left) and then go to COMPUTER. After that click the VIEW (upper left) button and after that click SHOW HIDDEN FILES AND FOLDERS.
After that go into your drive, locate those folders and files and delete them. Once you have done that, close the window, open the TRASH (bottom right) and make sure that those files and folders are NOT moved to TRASH (usually when Ubuntu is loaded directly from the CD, the deleted data is deleted immediately and permanently. But check that just in case, and IF THERE IS something in TRASH, delete it ALSO)!





Cheers!
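An added example, not code from this thread or from any tool named in it: it decodes the 0x80070570 that the opening post reports into its underlying Win32 error code (the standard HRESULT layout and HRESULT_FROM_WIN32 mapping) and pairs each "cannot delete" code seen in the thread with the check it calls for, which for 0x80070570 is the chkdsk run that finally worked. The code numbers are the standard winerror.h values; the remedy wording and the message-text table are the editor's own assumptions.

```python
"""Decode Windows "cannot delete" errors such as 0x80070570 into a Win32 code and a remedy."""
from dataclasses import dataclass
from typing import Optional

FACILITY_WIN32 = 7  # HRESULTs of the form 0x8007xxxx wrap a plain Win32 error code

# Standard winerror.h codes that typically surface when a delete fails.
WIN32_ERRORS = {
    5: "ERROR_ACCESS_DENIED",
    32: "ERROR_SHARING_VIOLATION",
    145: "ERROR_DIR_NOT_EMPTY",
    1392: "ERROR_FILE_CORRUPT",
}

# Defender-side remedy per code (editor's wording). 1392 is the code inside
# 0x80070570, and chkdsk /F /R is what resolved it in the thread above.
REMEDIES = {
    5: "Check ownership and ACLs on the object (takeown/icacls) and whether a "
       "protected process holds it; an ACL you did not set deserves a closer look.",
    32: "Another process has the file open; find and close the handle holder "
        "(Resource Monitor, Sysinternals Handle) before retrying.",
    145: "The directory still has entries the shell may not list; enumerate it "
         "with 'dir /a' and, if the listing itself errors, treat it as corruption.",
    1392: "NTFS metadata for the object is damaged; run chkdsk C: /F /R, reboot, "
          "and retry the delete (the fix that worked in this thread).",
}

# Shell messages as users quote them, mapped to the Win32 code behind them (assumed table).
MESSAGE_CODES = {
    "access denied": 5,
    "access is denied": 5,
    "directory is not empty": 145,
    "the directory is not empty": 145,
    "sharing violation": 32,
}


@dataclass(frozen=True)
class DecodedError:
    hresult: int
    failed: bool                # severity bit (bit 31) set means the call failed
    facility: int               # bits 16-28
    win32_code: Optional[int]   # only set when the facility is FACILITY_WIN32
    name: str
    remedy: str


def hresult_from_win32(code: int) -> int:
    """Mirror the HRESULT_FROM_WIN32 macro: non-positive values pass through,
    positive Win32 codes become 0x8007xxxx."""
    if code <= 0:
        return code & 0xFFFFFFFF
    return 0x80000000 | (FACILITY_WIN32 << 16) | (code & 0xFFFF)


def decode_hresult(hr: int) -> DecodedError:
    """Split an HRESULT into its fields and, for Win32-facility failures, name the code."""
    hr &= 0xFFFFFFFF
    failed = bool(hr >> 31)
    facility = (hr >> 16) & 0x1FFF
    code = hr & 0xFFFF
    if failed and facility == FACILITY_WIN32:
        name = WIN32_ERRORS.get(code, "UNKNOWN_WIN32_ERROR")
        remedy = REMEDIES.get(code, "No specific remedy known; record the code and the failing path.")
        return DecodedError(hr, failed, facility, code, name, remedy)
    name = "S_OK" if hr == 0 else "NON_WIN32_HRESULT"
    return DecodedError(hr, failed, facility, None, name, "")


def classify(token: str) -> DecodedError:
    """Accept the error the way people report it in threads like this one:
    '0x80070570', a bare '1392', or the shell's text ('Access Denied')."""
    text = token.strip().lower()
    if text in MESSAGE_CODES:
        return decode_hresult(hresult_from_win32(MESSAGE_CODES[text]))
    value = int(text, 16) if text.startswith("0x") else int(text)
    # Anything wider than 16 bits is already an HRESULT; smaller values are Win32 codes.
    hr = value if value > 0xFFFF else hresult_from_win32(value)
    return decode_hresult(hr)


if __name__ == "__main__":
    # The three failures reported in the thread, as the poster wrote them.
    for reported in ("0x80070570", "Directory is not empty", "Access Denied"):
        err = classify(reported)
        print(f"{reported!r}: {err.name} (win32 {err.win32_code}) -> {err.remedy}")
```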
 

oekoeloe

Member
Got chkdsk.exe C: /F /R /X /V to work. After rebooting I was able to delete the 2 files and folder. Thanks to everyone for helping me out!
 