files hidden, desktop.ini in many folders?? HELP

[mabela]

I had no problem before i think. This just got happened about 4 days ago. When i found out that there are a lot of hidden

desktop.ini copies in lots of folders in My Documents, and that some of my MS Words Files are 'missing', which are

actually being hidden by something i dont know. I could only explored that they are still there in the folder, and that there are lots

of desktop.ini using 'Advanced System Optimizer'.

I use Mozilla Firefox 2.0.0.3 for browser and last nite when i wanted to browse some sites (one of them was www.download.com)

i saw that its transferring data from "i.d.com.com" or "img.com.com". And it never got directed to the site i wanted. Not to

mention that it took longer to get to the pages. Im using DAP and its not workin either now. I could only do downloads from

Firefox, and it took longer than usual.

Ive ran scans from all of my security softwares, AVG, Symantec, got nothing, and the others just got few spywares. I got them

quarantined and then deleted. But still the problems still go on.

An odd thing is when Xoftspy detected a pest named "Adware Remover" of Rogue AntiSpyware category. Though its been

quarantined and deleted, when i scanned again it seems to be copied over and over again. I suspect there might be something

that keeps copying it after its been deleted.

This morning i found that theres 2 notepad files: "rundll32.txt" and "playout.txt" in C:\ directory, not in any folder. I know the

normal rundll32 is an exe file located in C:\WINDOWS\system32\rundll32.exe. I quarantined them all in Symantec bc i got

suspicious.

Moreover the Windows Update hasnt been working well since a few weeks ago so i disabled it. It has always been showed that

theres update available but when i clicked for it to download, it wont work. Sometimes it shows theres update available, but when

i viewed, theres nothing in the list.

Thank u in advance to those whos willing to help me with this . I will be very grateful. Im looking forward to hearing ur

suggestions!

==========
System: Windows XP Professional v 2002 SP2 (but i swear they installed XP Home instead of Professional, i have no idea how

its a Prof Edition now??)

Mobile AMD Sempron
Processor 3000+
180 GHz, 192 MB RAM (actually its 256 MB)
SiS M760GX

Antivirus (both running for active protection):
- AVG Antivirus 7.5.448
- Symantec Antivirus Corporate Server 9.0.0.338

Antispyware:
- Spyware Doctor v 4.0.0.2613
- AVG Anti-Spyware 7.5
- eTrust PestPatrol v 5.0.0.0 --> running active protection
- XoftSpy v 4.22.0.10

Advanced System Optimizer & CCleaner

HijackThis (downloaded today)

 

[howard_hopkinso]

Hello and welcome to Techspot.

Very Important: Before deciding whether you should clean or reformat your system, go and read this thread HERE and decide what it is you want to do.

If after reading the above, you wish to clean your system, do the following.

Go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.

Post fresh HJT, AVG Antispyware and Combofix logs as attachments into this thread, only after doing the above.

Also, let me know the results of the AVG Antirootkit scan.

Regards Howard :wave: :wave:

This thread is for the use of mabela only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[momok]

Hi,

I did a google search for Xoftspy just to be sure, and found this site

Quote: "It appears that XoftSpy made the list due to the fact that it 'removes files but leaves many registry keys behind [and] exaggerates the risk of tracking cookies."

Elsewhere I found that it displays alot of false positives, meaning that it display innocent files which are harmless as being dangerous or a threat.
Read the reply to this review
You might wish to reconsider using this program.

 

[howard_hopkinso]

momok: If you look at the date of that review, you`ll see it was from 2004. In those days, Xoftspy did have problems, it was even on the rogue spyware list over at Spyware warrior. However, after lots of improvents from the company that makes Xoftspy, that is no longer the case and Xoftspy is now completely safe and trustworthy.

Regards Howard

This thread is for the use of mabela only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[momok]

Ah I see. Sorry for the wrong information! Thanks for correcting me. =)

 

[mabela]

Yikes! Now even AVG and Xoftspy cudnt be updated! ( I installed Norton Internet Security 2006 yesterday and uninstalled it again bc it cudnt be updated either, and just making my system slow. I put ZoneAlarm as firewall, and Spyware Doctor running for active protection and disable eTrust.

Sorry for not attaching the log previously, i was too distressed (now even more it seems : ( )

What should i do??

Well, yeah ive heard that about Xoftspy, but those are for the earlier versions. Recently its not being considered as rogue anymore .

Oh, and ive uninstalled Symantec too..not sure what to do..

 

[momok]

Hi,

Please visit this link http://virusscan.jotti.org/

Click the Browse... button and navigate to the following file:
C:\Program Files\DAP\DAPIEBar.dll
Click Open.
Also, do the same for:
C:\WINDOWS\system32\inetsrv\inetinfo.exe

Please let me know the results.

 

[howard_hopkinso]

The inetinfo.exe is perfectly safe and belongs to Microsoft Internet Information Services http://www.neuber.com/taskmanager/process/inetinfo.exe.html Path is normally: C:\\Winnt\\System32\\Inetsrv\\inetinfo.exe (http://www.microsoft.com/technet/archive/iis4/reskit/iis40rg/iisrkapc.mspx?mfr=true)

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Go HERE and follow the instructions for Symantec/Norton removal.

Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

Go to add remove programmes in your control panel and uninstall anything to do with(if there).

DAP
eTrust PestPatrol

Close control panel.

Run HJT with no other programmes open(except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
Settings,ProxyServer = 152.118.24.10:8080

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.ui.*; *.hotspot.ui.ac.id;152.118.*

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)

O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\PROGRA~1\DAP\DAPIEBar.dll

O4 - HKLM\..\Run: [eTrust PestPatrol Active Protection] "C:\Program Files\eTrust PestPatrol\PPActiveDetection.exe"

O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm

O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm

O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm

O9 - Extra button: (no name) - AutorunsDisabled - (no file)

O17 - HKLM\System\CCS\Services\Tcpip\..\{31BFE113-872E-4DEB-9765-935BAB89D8AE}: NameServer = 202.93.224.2,202.93.224.3

O17 - HKLM\System\CS1\Services\Tcpip\..\{31BFE113-872E-4DEB-9765-935BAB89D8AE}: NameServer = 202.93.224.2,202.93.224.3

O17 - HKLM\System\CS2\Services\Tcpip\..\{31BFE113-872E-4DEB-9765-935BAB89D8AE}: NameServer = 202.93.224.2,202.93.224.3

Only fix the above 017 entires is they don`t belong to your ISP.

Click on the fix checked button.

Close HJT.

Locate and delete the following bold files and/or directories(if there).

C:\Program Files\DAP<Delete the entire folder.

Reboot into normal mode and rehide your protected OS files.

Post Combofix, AVG Antispyware and a fresh HJT log.

Regards Howard

This thread is for the use of mabela only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[momok]

I see. I was a little unsure when I saw differing opinions on it in google. =)

btw, regarding these 2 entries,

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
Settings,ProxyServer = 152.118.24.10:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.ui.*; *.hotspot.ui.ac.id;152.118.*

I checked smartwhois and found it belonging to University of Indonesia.
The O17 entries appear to be part of a list of ip blocks allocated and assigned directly by RIRs to ISPs and other large companies in the country of Indonesia

I presume it would be safe if Mabela indeed resides in Indonesia and studied in that school?

 

[mabela]

Ok, but may I know why would i have to uninstall eTrust? About those ISPs, those are trusted i can guarantee.

Momok? Its safe here

 

[howard_hopkinso]

The reason I advised you to uninstall Etrust, is due to the fact you already have too many security programmes running and it will just slow down your system. Once we`ve got your system clean, you can always reinstall it if you want to.

Please post the requested log files.

Regards Howard

This thread is for the use of mabela only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[momok]

ah.. I guessed so. =)

I presume Howard recommended you to uninstall eTrust because you simply do not need it. =)
You have spyware doctor, AVG antispyware and Xoftspy on your system. On top of that you have zonealarm for a firewall and two antivirus programs. All of that running simultaneously could seriously hog your system resources.
Also, running two antivirus programs is not recommended as it can cause conflicts etc.
I suggest you uninstall one of them too. Choice lies on you.

 

[howard_hopkinso]

Quite right momok.

mabela: In my haste, I forgot to mention you should uninstall that Symantec/Norton crapware. Go and read this post HERE and follow the instructions. Post the requested logfiles once you`re done.

Regards Howard

This thread is for the use of mabela only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[mabela]

Heres the Combofix, AVG Antispyware, and fresh HJT as u asked . I downloaded Adware SE Personal yay! download is working again !

Oh, i am not running all of those security softwares. I only run AVG Antivirus, eTrust, and ZoneAlarm. The rest i just use them to scan, and not have them running. I dont run Spyware Doctor bc it tooks soooo long to start and consumes a lot of CPU and memory, that it hogs the system, i reckon.

Howard, i decided not to uninstall DAP bc its working again. Is it ok? Or maybe i still have to uninstall it for other reasons?

Those hidden desktop.ini files in lots of folders still exist . Several of my MS Word files are still being hidden too. Whats causing this??

Thanks for suggesting about that Symantec crapwares! its a PITA and i hated it actually.

The AVG Antirootkit result was "Nothing Found".

Yesterday when i did the scanning in Safe Mode, its a bit odd i guess. Bc none of the security softwares found anything. Its a bit odd, bc usually there exist small threats like ad cookies. But yday nothing found. Is this a symptom of any crap families? (worms/trojan/virus?)


PS: Momok that black hairball is sooo cute!

 

[momok]

Hi,

I notice that your system is still infected with a virus and possibly some other malware.

You may wish to copy and paste these instructions on notepad for easier reference later.

Boot into safe mode under your normal user name. See how HERE

Next turn on "Show all files and folders, including hidden and system". See how HERE

Run a full system scan with your AVG Antivirus. Heal any infections and save a report log.

Reboot into normal mode and rehide your protected OS files.

Also, I would like you to visit this link http://virusscan.jotti.org/

Click the Browse... button and navigate to the following file:
C:\WINDOWS\flashax.exe
Click Open
Also, do the same for:
C:\WINDOWS\impborl.dll
C:\WINDOWS\winsdold.sys

Please let me know the results.

Thereafter, please post a fresh HJT, AVG Antivirus and Combofix log from normal mode as an attachment into this thread.
Hopefully this will do the trick, meanwhile I'll be searching for other ways to remove these infections.


PS. Thanks =) And that's called a momok. haha..

Regards,
Your friendly Momok =)

 

[starrkiller]

about the desktop.ini, it is a file that defines the presentation of a folder, if it has a background, and stuff like that. its supposed to be there.