[cait885]

hi- i've noticed some questionable files on my hard drive. a file called "thumbs.db" appears in all of my photo document file folders, and will reappear after "deleting it" through the recycling bin the next time i open that folder. they say that they are "hidden, compressed" files. also, i noticed some new files in my hard drive- called hiberfil.sys and pagefile.sys- can't remove them because it says they are currently being used by another program. these two files say that they are created on whatever day i look at them. lastly, there a hundred files of varying names like "$NtUninstallQ815021$" in my "windows" folder off of the hard drive folder in my computer. they say they are "hidden, compressed" too. i followed all the steps in the "start here" page, and have also done all of the scans in safe mode, but i'm still having these problems. any help would be greatly appreciated!! thanks! best, caitlin

[Advertisements]

hiberfil.sys and pagefile.sys <--- hiberfil is a file that is basically a snapshot of your machine right before it goes into hibernation (hibernation involves dumping ram and turning off the hd...this file needs to be accessed to come back out of hibernation) pagefile.sys is your page file...the file allocated to allow your computer to use the hd instead of ram when your ram is either full or too busy...the thumbs.db things are probably the files used to enable that snazy picture preview in windows explorer (when you open a folder with images...it shows a thumbnail image of the file)

$NtUninstallQ815021$<--- i'm not sure...but i think this is what is used to remove the set up files from windows update once it has been installed

[dsenette]

hiberfil.sys and pagefile.sys <--- hiberfil is a file that is basically a snapshot of your machine right before it goes into hibernation (hibernation involves dumping ram and turning off the hd...this file needs to be accessed to come back out of hibernation) pagefile.sys is your page file...the file allocated to allow your computer to use the hd instead of ram when your ram is either full or too busy...the thumbs.db things are probably the files used to enable that snazy picture preview in windows explorer (when you open a folder with images...it shows a thumbnail image of the file)

$NtUninstallQ815021$<--- i'm not sure...but i think this is what is used to remove the set up files from windows update once it has been installed

[cait885]

sorry it wasn't anything serious. thanks for your time!

[Justin]

Hello!

I just want to make sure that your issue is fixed before I close the topic.


Let me know

[cait885]

If you guys think all is well, then I'm sure it's fine... but that "thumbs.db" thing is bizarre- it's only in some groups of files in "my pictures"- some have it and some don't.

[Justin]

Please Click here!, and follow the recommendations in the guide.

Then downloadHijack This. Follow the instructions in step five of this guide, and reply here with your log.


Then ill take a look at your log and see if anything is there, sicne there is no harm in checking.

Edited by Jfcap, 01 September 2005 - 07:47 PM.

[cait885]

thanks! ...here she is:

Logfile of HijackThis v1.99.1
Scan saved at 10:15:17 PM, on 9/1/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\cisvc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Dell\QuickSet\QuickSet.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\Program Files\PHILIPS\PSADMM\DMM\bin\AutoLaunch.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Dell AIO Printer A940\dlbabmon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe
C:\WINDOWS\system32\lexpps.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Dell Support\DSAgnt.exe
C:\PROGRA~1\COMMON~1\PHILIP~1\USBCON~1.EXE
C:\Program Files\AIM\aim.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Documents and Settings\Caitlin Elizabeth\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://webmail.bowd...escaped_unicode
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\QuickSet.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Dell AIO Printer A940] "C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [/AutoLaunch] C:\Program Files\PHILIPS\PSADMM\DMM\bin\AutoLaunch.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe

[Justin]

Hello!

Your log is clean! But lets double check to see if something shows up.

Please download Panda ActiveScan

Make sure you run this scan in Internet Explorer.

Accept default settings, and scan your computer.

Then save the log and post it in your next reply.

[dsenette]

thanks for picking this up justin

[Justin]

No problem dsenette,

I can fix it from the malware side, as long as there is nothing wrong with those files that were mentioned above

[dsenette]

i just kind of forgot to push it over there to you guys, since i recognized most of the files

[cait885]

again, thank you....




Incident Status Location

Adware:adware/ipinsight No disinfected C:\WINDOWS\INF\alchem.inf
Adware:adware/gator No disinfected C:\WINDOWS\FT1_02_0_402_GEPFAH.EXE
Adware:adware/wupd No disinfected C:\PROGRAM FILES\Windows SyncroAd
Spyware:spyware/bargainbuddy No disinfected Windows Registry
Possible Virus. No disinfected C:\Program Files\TrojanHunter 4.2\Tools\Process Viewer\ProcessViewer.exe
Adware:Adware/Twain-Tech No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP305\A0025141.inf
Spyware:Spyware/LocalNRD No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP305\A0025143.inf
Adware:Adware/IPInsight No disinfected C:\WINDOWS\INF\alchem.inf
Adware:Adware/IPInsight No disinfected C:\WINDOWS\INF\conscorr.inf

[Justin]

Hello!

FIrst, lets clear your restore points:

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(Windows XP)
1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

How to Turn On and Turn Off System Restore in Windows XP
http://support.micro...kb;en-us;310405

Then:

1) Please download the Killbox.
Unzip it to the desktop but do NOT run it yet.

2) Then please reboot into Safe Mode by restarting your computer and pressing F8 as your computer is booting up. Then select the Safe Mode option.

3) Once in Safe Mode, please run Killbox.

4) Select "Delete on Reboot".

5) Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\WINDOWS\INF\alchem.inf
C:\WINDOWS\FT1_02_0_402_GEPFAH.EXE
C:\PROGRAM FILES\Windows SyncroAd
C:\WINDOWS\INF\alchem.inf
C:\WINDOWS\INF\conscorr.inf 

6) Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

7) Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here to download and run missingfilesetup.exe. Then try TheKillbox again..

Let the system reboot, then let me know how things are running.

[cait885]

hi again... ran killbot and deleted those files, but then ran the panda active scan again to make sure everything was clean... however, this was my log:

Incident Status Location

Adware:adware/ipinsight No disinfected C:\WINDOWS\alchem.ini
Spyware:spyware/bargainbuddy No disinfected Windows Registry
Possible Virus. No disinfected C:\Program Files\TrojanHunter 4.2\Tools\Process Viewer\ProcessViewer.exe
Adware:Adware/IPInsight No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0000035.inf
Adware:Adware/IPInsight No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0000037.inf
what do you think the deal is?

-caitlin

[Justin]

Hello!

Most of the things in the panda scan are false positives.

Lets run Ewido and see if it will pick up the two things that are bad.

Please download ewido security suite it is a free version of the program.

• Install ewido security suite
• When installing, under "Additional Options" uncheck..
  • Install background guard
  • Install scan via context menu
• Launch ewido, there should be an icon on your desktop, double-click it.
• The program will now open to the main screen.
• When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  
• You will need to update ewido to the latest definition files.
  • On the left hand side of the main screen click update.
  • Then click on Start Update.
• The update will start and a progress bar will show the updates being installed.
  (the status bar at the bottom will display ("Update successful")

If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates

Once the updates are installed do the following:

• Click on scanner
• Click on Complete System Scan and the scan will begin.
• You will be prompted to clean the first infection.
• Select "Perform action on all infections", then proceed.
• Once the scan has completed, there will be a button located on the bottom of the screen named Save report
• Click Save report.
• Save the report .txt file to your desktop or a location where you can find it easily.

Close ewido security suite.