Windows Prefetch folder


Guest

I strongly suspect that there are some files in the Prefetch folder that are
loading viruses/spyware onto my PC. I noticed another post that suggested
that the entire contents of the Prefetch folder could be deleted. This seems
a little extreme and I'm concerned that it would slow down the start up
(because the legitimate items in that folder are missing and XP would have to
re-establish those resources).
I was considering selectively deleting the files in that folder that I
suspect are threats.
BTW, I'm seeing these files in the Prefetch folder after running both Norton
AntiVirus scans and spyware scans (Microsoft beta software) which removed
threats that I think are related to the files in the Prefetch folder.
Is it advisable to selectively remove files in the Prefetch folder? Will it
prevent the viruses/spyware from reappearing?
Any suggestions/advice would be much appreciated.
 

MowGreen [MVP]

FatherofFour,

The malware is *not* running from Prefetch. For a clear explanation of
how Prefetch functions please read this :
http://www.kellys-korner-xp.com/xp_p.htm#xp_prefetch
If you suspect that some of the Prefetch files are related to malware
then open Layout.ini ( it's located in the Prefetch folder and you will
need to enable show hidden system files to view it :
http://www.xtra.co.nz/help/0,,4155-1916458,00.html )
with Notepad and go over it to see where said malware is located.

Frankly, I have never edited Layout.ini, and I would use it only as a
guide to locate any malware that may be present on the system.
Once you've determined that the system is clean then you could delete
all of the contents of Prefetch and allow it to rebuild itself. But,
since said malware is no longer present then Prefetch will rearrange
Layout.ini over time and remove the .pf files related to the malware.
Unless the system is loading numerous programs on boot then the boot
time should not be noticeably longer.

MowGreen [MVP 2004-2005]
===============
*-343-* FDNY
Never Forgotten
===============
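Since the point of the reply above is that .pf files are traces of what has run rather than the malware itself, here is an added example (not code from the thread or from either poster) in Python that uses Prefetch the way MowGreen suggests: as a guide to where a suspect executable lives and when it last ran, without deleting anything. It assumes Layout.ini is a plain list of full paths under a section header and that XP names trace files EXENAME-<8 hex digits>.pf; the Layout.ini text and .pf names are constructed, and crss.exe is the name from the thread.

```python
import os
import re
from datetime import datetime

# Constructed sample of a Layout.ini (not from any real machine); assumes the
# real file lists full paths of laid-out files, one per line, under a header.
SAMPLE_LAYOUT_INI = """[OptimalLayoutFile]
Version=1
C:\\WINDOWS\\SYSTEM32\\NTDLL.DLL
C:\\WINDOWS\\SYSTEM32\\KERNEL32.DLL
C:\\WINDOWS\\SYSTEM32\\CRSS.EXE
C:\\DOCUMENTS AND SETTINGS\\KID\\LOCAL SETTINGS\\TEMP\\CRSS.EXE
"""

# Assumed XP trace-file naming: <EXENAME>-<8 hex digits>.pf
PF_NAME = re.compile(r"^(?P<exe>.+?)-(?P<hash>[0-9A-F]{8})\.pf$", re.IGNORECASE)


def find_in_layout(layout_text, suspect_name):
    """Return every full path in Layout.ini whose file name equals suspect_name."""
    hits = []
    for line in layout_text.splitlines():
        line = line.strip()
        if not line or line.startswith("[") or "\\" not in line:
            continue  # skip blanks, the section header and key=value lines
        if line.rsplit("\\", 1)[-1].lower() == suspect_name.lower():
            hits.append(line)
    return hits


def match_pf_names(file_names, suspect_name):
    """Filter a directory listing down to .pf trace files for suspect_name."""
    return [n for n in file_names
            if (m := PF_NAME.match(n)) and m.group("exe").lower() == suspect_name.lower()]


def find_pf_traces(prefetch_dir, suspect_name):
    """Traces on disk with their mtime, which approximates the last run of the EXE."""
    out = []
    for name in match_pf_names(os.listdir(prefetch_dir), suspect_name):
        mtime = os.path.getmtime(os.path.join(prefetch_dir, name))
        out.append((name, datetime.fromtimestamp(mtime).isoformat(timespec="seconds")))
    return out


if __name__ == "__main__":
    suspect = "crss.exe"
    print("Layout.ini locations:", find_in_layout(SAMPLE_LAYOUT_INI, suspect))
    pf_dir = os.path.join(os.environ.get("SystemRoot", r"C:\WINDOWS"), "Prefetch")
    if os.path.isdir(pf_dir):  # only meaningful when run on the Windows box itself
        print("Prefetch traces:", find_pf_traces(pf_dir, suspect))
```

A trace file naming the suspect tells you it ran and roughly when; the Layout.ini path tells you which copy on disk to examine, which is the distinction the reply draws between a trace and the malware itself.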
 

Guest

MowGreen,

Thanks for the post.
I had a look at the layout.ini file but opted not to mess with it. I was
trying to clean up my daughter's PC which had not been maintained and was
riddled with viruses and spyware. With some persistence I seem to be turning
the corner on the mess through repeated spyware/virus scans as well as
eliminating some unwanted background processes.
One virus that was persisting (a PWsteal trojan) seemed to be embedded in a
file called crss.exe. That file was running in the background and I was
seeing it in the Prefetch file as well (leading me to mistakenly conclude
that it was running from there). For a while Norton was detecting the
crss.exe file as a virus threat but wasn't able to delete it. I managed to
block it from running in active processes and then deleted it from the
Windows/System32 folder. It hasn't shown up in active processes again but I'm
still getting Norton alerts for the PWsteal virus (which Norton is now
deleting). I'm not sure where that virus is coming from now but the frequency
of alerts had dropped off dramatically.
If you have any more thoughts based on the above info, I'd appreciate them.
Again, thanks for taking the time to respond to my first post - it did help
me to channel my efforts.

FatherofFour


MowGreen [MVP]

You're welcome. crss.exe is either a malware related file or a critical
legitimate system file. Are you saying that the legitimate system file
was infected or that the trojan dropped another copy of crss.exe onto
the system ?
Have a look at this tutorial written by a fellow MVP, Lawrence Abrams :
How to remove a Trojan, Virus, Worms, or other Malware
http://www.bleepingcomputer.com/startups/CRSS.exe-8505.html

You need to stop the trojan from loading and then kill its process.
A free, effective trojan remover is :
a-squared Free
http://www.emsisoft.com/en/software/free/

If you need further assistance removing it, I suggest you post to one of
these forums :
http://www.bleepingcomputer.com/forums/HijackThis_Logs_and_Analysis-f22.html
http://forum.aumha.org/viewforum.php?f=30&sid=31f93c5355925cfc2192b5c49d352100
http://spywarewarrior.com/viewforum.php?f=2&sid=3ce3e4c9a40b25268d1bac3189d22184
http://castlecops.com/f67-Hijackthis_Spyware_Viruses_Worms_Trojans_Oh_My.html

Read the guidelines of the forum of your choice prior to posting.

MowGreen [MVP 2004-2005]
===============
*-343-* FDNY
Never Forgotten
===============

