[Stephane]

Now THIS was interresting!

I got into the Recovery Console (which got me furhter than the Command Shell)

From the Recovery Consol, I was able to delete the "Windows\Y" file and change the hidden attributes (I remoded the H attribute) and rename the other files (Windows\0, 4,6,8,9 and S).

Then I rebooted.
The renamed files were there, which I then deleted and strangely enough, the files Windows\S at 1.3 Gig and Windows\Y at 1.0 Gig had re-appeared.

I then rebooted.
Now, all files are back to where they were, they have a s h for attributes and they are all 1.3 Gig in size exept Windows\6 which is now 1.0 Gig (like the Y file before).

[Advertisements]

There is a way to remove the System File Protection with the registry, but I think it's a very risky thing to disable. If you want to try then here's how.

Click "Start", "Run", and type regedit click "OK". Now browse to here:

+HKEY_LOCAL_MACHINE
+Software
+Microsoft
+Windows NT
+CurrentVersion
+Winlogon

Now highlight "Winlogon" by clicking on it once. On the right side of the screen scroll down to SFCDisable and double click on it. Change the Value Data from 0 to 1. Close the registry editor. Reboot the computer and try to delete the files now. After successful deletion click start, run, type regedit again and browse back to the same place and change the Value Data of SFCDisable back to zero. Close regedit and reboot the computer. Please be extremely careful editing the registry since one minor change to the wrong thing can cause catastrophic results. If you do not feel comfortable editing the registry by hand then let us know and we'll figure something else out.

-=jonnyrotten=-

[-=jonnyrotten=-]

There is a way to remove the System File Protection with the registry, but I think it's a very risky thing to disable. If you want to try then here's how.

Click "Start", "Run", and type regedit click "OK". Now browse to here:

+HKEY_LOCAL_MACHINE
+Software
+Microsoft
+Windows NT
+CurrentVersion
+Winlogon

Now highlight "Winlogon" by clicking on it once. On the right side of the screen scroll down to SFCDisable and double click on it. Change the Value Data from 0 to 1. Close the registry editor. Reboot the computer and try to delete the files now. After successful deletion click start, run, type regedit again and browse back to the same place and change the Value Data of SFCDisable back to zero. Close regedit and reboot the computer. Please be extremely careful editing the registry since one minor change to the wrong thing can cause catastrophic results. If you do not feel comfortable editing the registry by hand then let us know and we'll figure something else out.

-=jonnyrotten=-

[admin]

I'd hold off on Jonny's recommendation for now. Let's see if we can figure out what's recreating those files.

Download this utility (DLLCompare): http://www.geekstogo...=download&id=38

Click to run, click the Run Locate.com button, next click the Compare button. When finished click the Make a log... button, and reply here with the contents of the log.

[Stephane]

Well, I tried Jonny's suggestion I could not delete the files because they are in use.

I even tried, while SFCDisable still 1 to delete again from the recovery consol and whenI rebooted, all files were back again.

So here's the log from DLLCompare...

C:\WINDOWS\SYSTEM32\msexcl35.dll Thu 1999-09-09 21:06:38 A.S.. 252 688 246,77 K
C:\WINDOWS\SYSTEM32\msjet35.dll Tue 1999-09-28 20:42:48 A.S.. 1 050 896 1,00 M
C:\WINDOWS\SYSTEM32\msjint35.dll Thu 1999-06-10 8:34:04 A.S.. 123 664 120,77 K
C:\WINDOWS\SYSTEM32\msjter35.dll Thu 1999-06-10 8:34:04 A.S.. 24 848 24,27 K
C:\WINDOWS\SYSTEM32\msltus35.dll Thu 1999-09-09 21:06:38 A.S.. 168 720 164,77 K
C:\WINDOWS\SYSTEM32\mspdox35.dll Mon 1999-06-07 17:59:34 A.S.. 250 128 244,27 K
C:\WINDOWS\SYSTEM32\msrd2x35.dll Sun 1999-04-25 16:00:00 A.S.. 252 176 246,27 K
C:\WINDOWS\SYSTEM32\msrepl35.dll Wed 1999-08-25 13:57:26 A.S.. 415 504 405,77 K
C:\WINDOWS\SYSTEM32\mstext35.dll Thu 1999-09-30 18:21:24 A.S.. 166 672 162,77 K
C:\WINDOWS\SYSTEM32\msxbse35.dll Sun 1999-04-25 16:00:00 A.S.. 287 504 280,77 K
C:\WINDOWS\SYSTEM32\vbar332.dll Sun 1999-04-25 16:00:00 A.S.. 368 912 360,27 K
________________________________________________

1 433 items found: 1 433 files (11 H/S), 0 directories.
Total of file sizes: 315 172 667 bytes 300,57 M

Administrator Account = True

AppInit_DLLs value = apitrap.dll (not hidden)
--------------------End log---------------------

[admin]

I don't expect to find anything, but can we take a look at your HijackThis log?

Link

[admin]

Have you run a Disk Check?

[Stephane]

I tried multiple check disk and a few defrag (I was actually wondering for a while if these files were not temp or cache file from the defrag).

What can you make out of the DLLCompare log?

And here's the Hijack log:

Logfile of HijackThis v1.99.0
Scan saved at 15:57:19, on 2005-01-26
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
D:\quick time 6\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Norton SystemWorks\Norton CleanSweep\CsinsmNT.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
D:\Mozilla\FireFox\firefox.exe
D:\Office XP\Office10\WINWORD.EXE
C:\Program Files\Windows Media Player\wmplayer.exe
D:\Mozilla\Thunderbird\thunderbird.exe
C:\WINDOWS\system32\wuauclt.exe
D:\Hijack This\HijackThis.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\USERINIT.EXE
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Acrobat\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Acrobat\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O2 - BHO: (no name) - {F195A1A9-4033-4E5B-B85C-848C3E31A83A} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: (no name) - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Acrobat\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: TextAloud - {F053C368-5458-45B2-9B4D-D8914BDDDBFF} - D:\TEXTAL~1\TAForIE.dll
O4 - HKLM\..\Run: [ALiUSBfix] C:\WINDOWS\System32\ALiUSB20.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [Ad-watch] C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "D:\quick time 6\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Omnipage] D:\OmniPageSE\opware32.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "H:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: CleanSweep Smart Sweep-Internet Sweep.LNK = C:\Program Files\Norton SystemWorks\Norton CleanSweep\CsinsmNT.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Office XP\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\OFFICE~1\Office10\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\FRONTP~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: BrSplService - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

[Retired Tech]

Have you got a Norton Protected Recycle Bin

[Stephane]

I do have Norton Protected Recycle Bin, but I empty it just about everyday

[admin]

What can you make out of the DLLCompare log?

I was looking for a rogue DLL that may be responsible. There was nothing suspicious. As suspected, your HJT log is all clear too. The only ap I'm not familiar with is TextAloud. I'm sure it's legit, but is there a chance it could store it's speech libraries on the C: drive?

[Stephane]

TextAloud is one of my gfreatest program.
It takes any text file and reads it with a computerized voice (they are at the leading edge of voice simulation technology)
http://www.nextup.com/

It is totally legit and it should behave like any other program.
However, at this point anything is possible and deserves to be looked at.

Do you have a suggestion at what to look for to eliminate that possibility?

[admin]

Do you have a suggestion at what to look for to eliminate that possibility?

Well it's a long shot, but you could try uninstalling the program to see if the files are still there. If so, just reinstall it.

I'm thinking there may be some type of corruption in your file system's MFT (Master File Table). I would think a disk check would discover that, but I'm not a hard drive expert. Are you using NTFS?

[Stephane]

<Are you using NTFS?>

Yep!

I also have this omnipage thing. I removed it a while ago and it doens't show in explorer but it does in the hijack log.... I wonder? Omnipage shouldn't be that big, but textAloud is a big program. It is 2 Gig on my D drive, but I am not sure what it does running when I haven't started it......???

I'm gonna try a few things.

[admin]

Omnipage is loading something at startup. If you want to remove it, just tick this line in Hijack This and remove it:
O4 - HKLM\..\Run: [Omnipage] D:\OmniPageSE\opware32.exe

Optionally, remove this folder D:\OmniPageSE.

[Stephane]

Well, it had to happen!
I was trying some stuff from Norton clean sweep.
I tried to uninstall some left overs from Mozzila suit. I use Foxilla and thunderbird so I uninstalled Mozzila some time ago.

I tought that it was taking a long time and started getting that feeling that something was going wrong, so I tried to stop the application... that didn't work, so I rebooted.

Now all Symantec is gone, my toolbars, every bit of Microsoft programs, Firefox, Thunderbird, my desktop image, most icons and I haven't looked at the rest. This is exactly what I could not afford timewise.

So what do I do now?

Do I reformat my C drive and reinstall over 50 programs or is there something I can restore? (all I found in the trash box was some music I trashed this afternoon).

Help!