
Nulled files (corrupted files?)



#1
Trepp (Member)
Some screens first. infected4.jpg infected3.jpg infected2.jpg

Not really sure what to do about this. The problem seems to be located in the recycle bin of the infected drive. It started out as me being unable to delete files on the infected drive and now folders are starting to look like that. They'll be fine one day and the next I look into them and I see that. Nothing in those folders exists. I can't scan the files with any virus software. I've scanned my system with Avast and AVG as well as HouseCall. I did all the steps posted in the "Before you post a hijack log" topic.

I've scanned my hard drive for problems; apparently it's fine. The only thing I haven't done is run a virus check in safe mode. When I try to scan the d/recycled folder Avast shows a folder that doesn't exist and in it appear to be copies of all my other folders. I don't have a screen of it but I can get one if it'd help. I'm not really sure what's causing this.

I can't run scandisk or defrag the drive in question; it says I ran out of system memory. Then again, the drive is 160gb.

I think that's all. If there's anything I should include just let me know. I'm really out of my element here so I have no idea what's important information and what isn't.
  • 0


#2
wannabe1 (Tech Staff)
Hi Trepp...

Interesting problem.... :tazz:

Please download and run HiJackThis. Save a log and attach it to your next post for me.

wannabe1
  • 0

#3
Trepp (Member, Topic Starter)
Logfile of HijackThis v1.99.1
Scan saved at 9:44:01 AM, on 3/4/06
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ICSMGR.EXE
C:\PROGRAM FILES\IRIVER\IHP100\IHPDETECT.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\AIM\AIM.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.gamespy.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 218.152.153.172:8080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [IrMon] IrMon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [ICSMGR] ICSMGR.EXE
O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [iHP-100] C:\PROGRAM FILES\IRIVER\IHP100\IHPDETECT.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM\aim.exe -cnetwait.odl
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O12 - Plugin for .PDF: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O15 - Trusted Zone: http://*.shackspace.com
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by21fd.bay21....es/MsnPUpld.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://zone.msn.com/.../default/gf.cab
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games....GamesPlugin.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://download.game...outLauncher.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v6.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {226906C8-B910-11D3-82A3-0000F81A655B} (Mbayactx Control) - http://vs.messagebay...ns/mbayactx.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by107fd.bay10...ex/HMAtchmt.ocx
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {DAF5D9A2-D982-4671-83E4-0398706A5F6A} (SCEWebLauncherCtl Object) - http://zone.msn.com/...WebLauncher.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/...dy.cab32846.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/...at.cab32846.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/...xy.cab35645.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/...UI.cab34120.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {CAC181B0-4D70-402D-B571-C596A47D0CE0} (CBankshotZoneCtrl Class) - http://zone.msn.com/...ol.cab36107.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_2.1.2.76.cab
O16 - DPF: {11001001-A15C-11D4-97A4-0050BF0FBE67} (WildCannon Game Launcher Ver1.0 Class) - http://wildcannon.co...ameLauncher.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://messenger.zon...ry/ZAxRcMgr.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=48835
O16 - DPF: {0835BC90-6ABC-4F52-A103-4FC3A61F2C33} (A18X Control) - http://www.albatross...m/cabs/A18X.ocx
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...ebscan_ansi.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab

There you go. Sorry about the delay, I had to take a break from trying to fix my computer before I tried to eat my keyboard or something.
  • 0
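
As an added example (not part of the thread and not HijackThis's own code), the following parses the entry lines of a log like the one posted above, counts them per section, and pulls out the registry proxy value and the O4 autostart entries so they can be reviewed side by side. The section descriptions and the function names `parse` and `summarize` are this example's own; the sample lines are copied from the post.

```python
import re
from collections import Counter

# Usual meaning of the section codes that occur in the log above.
SECTIONS = {
    "R1": "IE start/search page or related registry value",
    "O2": "Browser Helper Object",
    "O4": "autostart entry",
    "O9": "extra IE button or Tools menu item",
    "O12": "IE plugin",
    "O15": "Trusted Zone site",
    "O16": "ActiveX control (Downloaded Program Files)",
}

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
REG_VALUE = re.compile(r"^(?P<key>[^,]+),(?P<value>.+?) = (?P<data>.*)$")
AUTORUN = re.compile(
    r"^(?P<hive>HK\w+)\\\.\.\\(?P<runkey>\w+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$"
)

# Excerpt copied from the log in the post above (no new data).
SAMPLE = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\EXPLORER.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.gamespy.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 218.152.153.172:8080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM\aim.exe -cnetwait.odl
O15 - Trusted Zone: http://*.shackspace.com
"""

def parse(log):
    """Return one dict per entry line; headers and the process list are skipped."""
    entries = []
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        code, body = m.groups()
        entry = {"code": code, "body": body}
        if code.startswith("R") and (r := REG_VALUE.match(body)):
            entry.update(r.groupdict())      # key, value, data
        elif code == "O4" and (a := AUTORUN.match(body)):
            entry.update(a.groupdict())      # hive, runkey, name, cmd
        entries.append(entry)
    return entries

def summarize(entries):
    """Group the parsed entries for review."""
    counts = Counter(e["code"] for e in entries)
    return {
        "counts": dict(counts),
        "sections": {c: SECTIONS.get(c, "unrecognized") for c in counts},
        "proxy": [e["data"] for e in entries if e.get("value") == "ProxyServer"],
        "autoruns": [(e["hive"], e["runkey"], e["name"]) for e in entries if "cmd" in e],
    }
```
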

#4
wannabe1 (Tech Staff)
Hmmmm...Is your D: drive a partition on the 160 gig drive, a separate drive, or your CD-ROM drive?

Please download and run WinAudit and save an audit to your desktop. You will see three files...attach the one named "rightframe.html" to your next post.

wannabe1
  • 0

#5
Trepp (Member, Topic Starter)
It's separate. The CD rom drive was E or something. It's D now though.

Sorry about the delay in my replies, I'm kind of stressed and trying to avoid the added frustration of diagnosing and fixing a computer problem.

Attached file: rightframe.html (164KB)

I really don't want this to be the end of me. "So, what happened to this guy?" "Oh, his head just exploded while he was trying to fix his computer." "...you're a liar, Jim."

Errr, yeah.
  • 0

#6
wannabe1 (Tech Staff)
Are you currently using the Norton Protected Recycle Bin? If so, empty it.

Try running the scandisk and disk defragmenter from Safe Mode.

Would you mind translating a few of the folders and files from the image you posted? Say the first 5 Folders from top left and then the first 5 files from top left. That should give me some idea of what I am looking at. :tazz:

I was stationed near Korat, but that was many years ago...I'm afraid my Thai is a bit rusty.

wannabe1

Edited by wannabe1, 06 March 2006 - 01:04 AM.

  • 0

#7
Trepp (Member, Topic Starter)
Those files, they. None of my files are named that way normally. I don't know Thai, so I can't translate. Also the Norton bin isn't actually installed, Norton isn't installed and my recycle bin is empty.

Will 98 support the scandisk for a drive that big in safe mode?

Like I said I disconnected the affected drive. Drive C isn't having problems, I can run scandisk on that if you want, scandisk and defrag both work just fine on it.
  • 0

#8
wannabe1 (Tech Staff)
Sorry...I recognized a couple of Thai symbols (letters) and just assumed that you may have been using Thai language support. (I only knew enough Thai to order from menus and cuss at the monkeys...no offense intended, dsenette.... :tazz: )

Just what were you using that drive for? Is D:\Zip the only file on the drive? Are there files on the drive you need to recover?

wannabe1
  • 0

#9
Trepp (Member, Topic Starter)
It was a storage drive. 120gb of data stored on it. Or near enough. The files in Zip need recovering. A few others as well could use recovering, like RvB (I had all the RvB episodes there, and it'd take a long time and a lot of work to download the previous seasons) and some other folders that weren't just backups of what was on C.
  • 0

#10
wannabe1 (Tech Staff)
When you right click on one of these files and choose properties, what information is listed for the file? Do these files open as they are supposed to or are they corrupt?

If the OS will recognize the full size of the drive, scandisk should be able to scan it and the defrag operation should run on it as well. However, I wouldn't run either one of those until we figure out what is going on. Have you tried scanning the files individually with your AV application?

wannabe1
  • 0

#11
Trepp (Member, Topic Starter)
The OS only recognizes about 140gb of the drive. In fact I had to check to see if it was 160gb and not 180. The manual that came with it says no, I cannot expect to run scandisk or the defrag on the drive, not without a more recent version of Windows anyway.

The files don't exist. As for properties, nothing exists. No creation date, nothing. I've tried two different anti virus programs neither will scan them but the root of the problem appears to be in a non existent file in my recycled folder on the affected drive. There was not actually a bin on that drive at first, then one popped up and next thing I knew I couldn't delete files on the drive and then I found the corrupted files.

My old antivirus (avast, I use avg now and I think I'll switch back to avast) showed me something interesting. I'll do the work now and get you some screens.

I disconnected the bad drive, so anytime you want to know more about the files or need me to interact with them in any way it is a bit of a hassle.

The files don't even have proper extensions, and well I get errors when I try to open them. I'll show you some of those messages as well. I disconnected the hard drive because it was starting to spread even faster. Files were getting damaged right under my nose and I didn't, didn't want to lose drive C.

It's my main and a lot of the most important data is on it. So before I reconnect the D drive and check the properties, I need to know if it's absolutely necessary and I'd like you to think of everything you might need so I can get all the information in one go then.

In the meantime I won't fiddle with anything. I'd also like to describe more of what was going on, and how it started, everything I noticed (which is either a fair bit or almost nothing, I can't tell this early)

As for the error message in one of the above attached files, it's from when I try to delete the file.

The size of the files is completely wrong, they don't exist as far as anything on my computer is concerned, and they can't be touched at all. The file size as well comes up all wrong. Anything from -170 gbs to in excess of 220gbs.

I think the root of the problem is in a folder in my recycled bin that never existed. There are several files and a corrupted folder. Unlike the other stuff I can't actually see these files; the only evidence is an error list Avast spits up whenever it tried to interact with D:\recycled. Inside the folder are other folders; each one has the name of a normal folder on the drive, one I put there.

In short, it has a list of every main folder on the drive tucked inside a folder that doesn't exist.

I feel I should state again that there never actually was an instance of the recycled folder on D. Everything went into the recycled bin on C. Then when troubles started the recycled bin on D popped up. I was deleting files that had no information in them or were otherwise incomplete (they were all from torrents that I had started and couldn't get any seeds for, or ones that people stopped seeding before I was done downloading). None of these files showed signs of corruption and in the past doing that hadn't done anything, but I did download a certain rar archive of this game, I got a bit of data and around then the trouble started. It probably has nothing to do with it, but I can't say I fully trust the site I downloaded it from so who knows.

Also, when I started getting the error message for the files, I took to right-clicking them and selecting delete again to get them out of the recycled bin. I have no idea if that helped further the problem or not.

I'd like to restate that I have scanned my computer for viruses with four different programs. Two online and two off. HouseCall and Panda, then Avast (on thorough mode, this took hours) followed by AVG, three times with AVG actually. Two for the whole computer then once for just the infected drive. I'm going to go ahead and say I think Avast is by far the superior program. I'm just not very satisfied with AVG and I'll be reinstalling Avast soon.

So, yeah I think that's it actually. I can't think of anything else. Sorry for the wall of text, normally I edit these things to cut down their size a little make them more reasonable. I hope it's at least sort of coherent. If there's any unclear parts just, point them out and I'll try to reword it to be readable.
  • 0

#12
wannabe1 (Tech Staff)
Good news bad news time.

Good news is: If you know what files you want to delete, they can most likely be removed by Move On Boot. This application will remove the files before Windows starts and is able to lock them.

The bad news is: Whatever is writing these files is doing so from the Root Directory (C:) and is most likely malware. Why it chose to write to the D: drive, I don't know...unless that's where you downloaded the infected file to.

If I were you, and I were sure which files I wanted to delete, I would use Move on Boot and delete them. Then get a topic going in the Malware Forum to get things cleaned up. I give you the "If I were you..." suggestion as this problem appears to be very rare. I have basically come up empty in researching it.

Here's an odd bit...You don't speak Thai, yet Thai language support has been installed on the machine (I found it in the WinAudit). What's unusual is that this is the only language pack installed and also happens to be the language used by the mystery files. Coincidence? I doubt it.

wannabe1
  • 0

#13
Trepp (Member, Topic Starter)
Actually, I might have installed Thai support myself. I installed several support languages and deleted most of them (Chinese and Japanese) but I remember leaving one just because I couldn't be arsed (yeah I know logic)

I had to have downloaded the infected file to D. And so far I've had no more troubles since the D drive is uninstalled. Nothing seems amiss yet. I'm going to download Avast, do a scan and see if anything comes up. So far I have no problems deleting things on C (decided to try that real first since it was the first bad sign I noticed last time). I think C is safe. I'll take your advice though. I had a topic on the malware forum about this but was hardly satisfied with the help I was receiving.

Also, about the move on boot thing. Avast has a similar function, it never works. Maybe this will but I'm not sure that's going to be the answer to my problem.

I hate to say it, but it seems possible that my only hope is reformatting the drive.
  • 0

#14
wannabe1 (Tech Staff)
Try the Move On Boot...it's a pretty effective little application.

If the Move On Boot should fail for some reason...then I would suggest pulling the data you want off that drive and format it.

As you recover files from the D: drive, scan each one with Avast when you move it to the C:. Once you have all the files you need, use Disk Management to format the D:.

I'd sure like to know what's in those mystery files....
  • 0





