files hidden, desktop.ini in many folders?? HELP

By mabela
Apr 9, 2007
Topic Status:
Not open for further replies.
  1. I had no problem before, I think. This just happened about 4 days ago, when I found out that there are a lot of hidden desktop.ini copies in lots of folders in My Documents, and that some of my MS Word files are 'missing', which are actually being hidden by something I don't know. I could only explore that they are still there in the folder, and that there are lots of desktop.ini, using 'Advanced System Optimizer'.

    I use Mozilla Firefox 2.0.0.3 for browser and last night when I wanted to browse some sites (one of them was www.download.com) I saw that it's transferring data from "i.d.com.com" or "img.com.com". And it never got directed to the site I wanted. Not to mention that it took longer to get to the pages. I'm using DAP and it's not working either now. I could only do downloads from Firefox, and it took longer than usual.

    I've run scans from all of my security software, AVG, Symantec, got nothing, and the others just got a few spyware. I got them quarantined and then deleted. But the problems still go on.

    An odd thing is when Xoftspy detected a pest named "Adware Remover" of Rogue AntiSpyware category. Though it's been quarantined and deleted, when I scanned again it seems to be copied over and over again. I suspect there might be something that keeps copying it after it's been deleted.

    This morning I found that there are 2 notepad files: "rundll32.txt" and "playout.txt" in the C:\ directory, not in any folder. I know the normal rundll32 is an exe file located in C:\WINDOWS\system32\rundll32.exe. I quarantined them all in Symantec bc I got suspicious.

    Moreover, Windows Update hasn't been working well since a few weeks ago so I disabled it. It has always shown that there's an update available, but when I clicked for it to download, it won't work. Sometimes it shows there's an update available, but when I viewed, there's nothing in the list.

    Thank u in advance to those who are willing to help me with this :). I will be very grateful. I'm looking forward to hearing ur suggestions!

    ==========
    System: Windows XP Professional v 2002 SP2 (but I swear they installed XP Home instead of Professional, I have no idea how it's a Prof Edition now??)


    Mobile AMD Sempron
    Processor 3000+
    180 GHz, 192 MB RAM (actually its 256 MB)
    SiS M760GX

    Antivirus (both running for active protection):
    - AVG Antivirus 7.5.448
    - Symantec Antivirus Corporate Server 9.0.0.338

    Antispyware:
    - Spyware Doctor v 4.0.0.2613
    - AVG Anti-Spyware 7.5
    - eTrust PestPatrol v 5.0.0.0 --> running active protection
    - XoftSpy v 4.22.0.10

    Advanced System Optimizer & CCleaner

    HijackThis (downloaded today)
  2. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +19

    Hello and welcome to Techspot.

    Very Important: Before deciding whether you should clean or reformat your system, go and read this thread HERE and decide what it is you want to do.

    If after reading the above, you wish to clean your system, do the following.

    Go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.

    Post fresh HJT, AVG Antispyware and Combofix logs as attachments into this thread, only after doing the above.

    Also, let me know the results of the AVG Antirootkit scan.

    Regards Howard :wave: :wave:

    This thread is for the use of mabela only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
  3. momok

    momok Newcomer, in training Posts: 2,272

    Hi,

    I did a google search for Xoftspy just to be sure, and found this site

    Quote: "It appears that XoftSpy made the list due to the fact that it 'removes files but leaves many registry keys behind [and] exaggerates the risk of tracking cookies."

    Elsewhere I found that it displays a lot of false positives, meaning that it displays innocent files which are harmless as being dangerous or a threat.
    Read the reply to this review
    You might wish to reconsider using this program.
  4. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +19

    momok: If you look at the date of that review, you'll see it was from 2004. In those days, Xoftspy did have problems, it was even on the rogue spyware list over at Spyware warrior. However, after lots of improvements from the company that makes Xoftspy, that is no longer the case and Xoftspy is now completely safe and trustworthy.

    Regards Howard :)

  5. momok

    momok Newcomer, in training Posts: 2,272

    Ah I see. Sorry for the wrong information! Thanks for correcting me. =)
  6. mabela

    mabela Newcomer, in training Topic Starter

    Yikes! Now even AVG and Xoftspy couldn't be updated! :'(( I installed Norton Internet Security 2006 yesterday and uninstalled it again bc it couldn't be updated either, and was just making my system slow. I put ZoneAlarm as firewall, and Spyware Doctor running for active protection, and disabled eTrust.

    Sorry for not attaching the log previously, I was too distressed (now even more it seems : ( )

    What should I do??

    Well, yeah, I've heard that about Xoftspy, but those are for the earlier versions. Recently it's not being considered as rogue anymore :).

    Oh, and I've uninstalled Symantec too.. not sure what to do..
  7. momok

    momok Newcomer, in training Posts: 2,272

    Hi,

    Please visit this link http://virusscan.jotti.org/

    Click the Browse... button and navigate to the following file:
    C:\Program Files\DAP\DAPIEBar.dll
    Click Open.
    Also, do the same for:
    C:\WINDOWS\system32\inetsrv\inetinfo.exe

    Please let me know the results.
  8. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +19

    The inetinfo.exe is perfectly safe and belongs to Microsoft Internet Information Services http://www.neuber.com/taskmanager/process/inetinfo.exe.html Path is normally: C:\Winnt\System32\Inetsrv\inetinfo.exe (http://www.microsoft.com/technet/archive/iis4/reskit/iis40rg/iisrkapc.mspx?mfr=true)

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Go HERE and follow the instructions for Symantec/Norton removal.

    Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

    Go to add remove programmes in your control panel and uninstall anything to do with(if there).

    DAP
    eTrust PestPatrol

    Close control panel.

    Run HJT with no other programmes open(except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 152.118.24.10:8080

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.ui.*; *.hotspot.ui.ac.id;152.118.*

    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)

    O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\PROGRA~1\DAP\DAPIEBar.dll

    O4 - HKLM\..\Run: [eTrust PestPatrol Active Protection] "C:\Program Files\eTrust PestPatrol\PPActiveDetection.exe"

    O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm

    O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm

    O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm

    O9 - Extra button: (no name) - AutorunsDisabled - (no file)

    O17 - HKLM\System\CCS\Services\Tcpip\..\{31BFE113-872E-4DEB-9765-935BAB89D8AE}: NameServer = 202.93.224.2,202.93.224.3

    O17 - HKLM\System\CS1\Services\Tcpip\..\{31BFE113-872E-4DEB-9765-935BAB89D8AE}: NameServer = 202.93.224.2,202.93.224.3

    O17 - HKLM\System\CS2\Services\Tcpip\..\{31BFE113-872E-4DEB-9765-935BAB89D8AE}: NameServer = 202.93.224.2,202.93.224.3

    Only fix the above O17 entries if they don't belong to your ISP.

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files and/or directories (if there).

    C:\Program Files\DAP < Delete the entire folder.

    Reboot into normal mode and rehide your protected OS files.

    Post Combofix, AVG Antispyware and a fresh HJT log.

    Regards Howard :)

  9. momok

    momok Newcomer, in training Posts: 2,272

    I see. I was a little unsure when I saw differing opinions on it in google. =)

    btw, regarding these 2 entries,

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 152.118.24.10:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.ui.*; *.hotspot.ui.ac.id;152.118.*

    I checked smartwhois and found it belonging to University of Indonesia.
    The O17 entries appear to be part of a list of IP blocks allocated and assigned directly by RIRs to ISPs and other large companies in the country of Indonesia.

    I presume it would be safe if Mabela indeed resides in Indonesia and studied in that school?
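
A small triage helper for the HijackThis entries discussed in posts 8 and 9, added here as an example and not part of any post in the thread: it collects the proxy and DNS server addresses so their owner can be confirmed before anything is fixed, and lists entries whose target file is missing. The function names are assumptions; the sample lines are copied from the fix list above.

```python
import ipaddress
import re

# Entries quoted from the HijackThis fix list in the thread above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 152.118.24.10:8080
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O17 - HKLM\System\CCS\Services\Tcpip\..\{31BFE113-872E-4DEB-9765-935BAB89D8AE}: NameServer = 202.93.224.2,202.93.224.3
O17 - HKLM\System\CS1\Services\Tcpip\..\{31BFE113-872E-4DEB-9765-935BAB89D8AE}: NameServer = 202.93.224.2,202.93.224.3
"""

ENTRY = re.compile(r"^\s*([A-Z]\d{1,2})\s+-\s+(.*\S)\s*$")
IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")

def parse(log):
    """Yield (section_code, body) for every well-formed HijackThis line."""
    for line in log.splitlines():
        m = ENTRY.match(line)
        if m:
            yield m.group(1), m.group(2)

def triage(log):
    """Return (addresses to attribute, entries pointing at a missing file)."""
    addresses, orphans = {}, []
    for code, body in parse(log):
        if body.endswith("(no file)"):
            orphans.append((code, body))
        # Proxy and DNS settings decide where traffic and lookups go.
        if code == "O17" or "ProxyServer" in body:
            for text in IPV4.findall(body.split("=", 1)[-1]):
                try:
                    ip = ipaddress.ip_address(text)
                except ValueError:
                    continue  # looks like an address but is not one
                # The same setting repeats per control set (CCS, CS1, ...).
                addresses.setdefault(str(ip), set()).add(code)
    return addresses, orphans

if __name__ == "__main__":
    addresses, orphans = triage(SAMPLE_LOG)
    for ip, codes in sorted(addresses.items()):
        scope = "private" if ipaddress.ip_address(ip).is_private else "public"
        print(f"{ip:15} {scope:7} in {sorted(codes)}: confirm owner (ISP or network admin)")
    for code, body in orphans:
        print(f"{code}: target file missing: {body}")
```
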
  10. mabela

    mabela Newcomer, in training Topic Starter

    Ok, but may I know why I would have to uninstall eTrust? About those ISPs, those are trusted, I can guarantee.

    Momok? It's safe here :)
  11. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +19

    The reason I advised you to uninstall Etrust, is due to the fact you already have too many security programmes running and it will just slow down your system. Once we've got your system clean, you can always reinstall it if you want to.

    Please post the requested log files.

    Regards Howard :)

  12. momok

    momok Newcomer, in training Posts: 2,272

    ah.. I guessed so. =)

    I presume Howard recommended you to uninstall eTrust because you simply do not need it. =)
    You have spyware doctor, AVG antispyware and Xoftspy on your system. On top of that you have zonealarm for a firewall and two antivirus programs. All of that running simultaneously could seriously hog your system resources.
    Also, running two antivirus programs is not recommended as it can cause conflicts etc.
    I suggest you uninstall one of them too. Choice lies on you.
  13. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +19

    Quite right momok.

    mabela: In my haste, I forgot to mention you should uninstall that Symantec/Norton crapware. Go and read this post HERE and follow the instructions. Post the requested logfiles once you're done.

    Regards Howard :)

  14. mabela

    mabela Newcomer, in training Topic Starter

    Here's the Combofix, AVG Antispyware, and fresh HJT as u asked :). I downloaded Adware SE Personal, yay! Download is working again :D!

    Oh, I am not running all of those security software. I only run AVG Antivirus, eTrust, and ZoneAlarm. The rest I just use to scan, and don't have them running. I don't run Spyware Doctor bc it takes soooo long to start and consumes a lot of CPU and memory, that it hogs the system, I reckon.

    Howard, I decided not to uninstall DAP bc it's working again. Is it ok? Or maybe I still have to uninstall it for other reasons?

    Those hidden desktop.ini files in lots of folders still exist :(. Several of my MS Word files are still being hidden too. What's causing this??

    Thanks for suggesting about that Symantec crapware! :D It's a PITA and I hated it actually.

    The AVG Antirootkit result was "Nothing Found".

    Yesterday when I did the scanning in Safe Mode, it's a bit odd I guess, bc none of the security software found anything. It's a bit odd, bc usually there exist small threats like ad cookies. But yday nothing found. Is this a symptom of any crap families? (worms/trojan/virus?)


    PS: Momok that black hairball is sooo cute!
  15. momok

    momok Newcomer, in training Posts: 2,272

    Hi,

    I notice that your system is still infected with a virus and possibly some other malware.

    You may wish to copy and paste these instructions on notepad for easier reference later.

    Boot into safe mode under your normal user name. See how HERE

    Next turn on "Show all files and folders, including hidden and system". See how HERE

    Run a full system scan with your AVG Antivirus. Heal any infections and save a report log.

    Reboot into normal mode and rehide your protected OS files.

    Also, I would like you to visit this link http://virusscan.jotti.org/

    Click the Browse... button and navigate to the following file:
    C:\WINDOWS\flashax.exe
    Click Open
    Also, do the same for:
    C:\WINDOWS\impborl.dll
    C:\WINDOWS\winsdold.sys


    Please let me know the results.

    Thereafter, please post a fresh HJT, AVG Antivirus and Combofix log from normal mode as an attachment into this thread.
    Hopefully this will do the trick, meanwhile I'll be searching for other ways to remove these infections.


    PS. Thanks =) And that's called a momok. haha..


    Regards,
    Your friendly Momok =)
  16. starrkiller

    starrkiller Newcomer, in training Posts: 34

    About the desktop.ini, it is a file that defines the presentation of a folder, if it has a background, and stuff like that. It's supposed to be there.