
Unknown virus messing up my drive


Name: sepgirl
Date: March 23, 2003 at 01:46:13 Pacific
OS: Windows 98
CPU/Ram: PIII 663Mhz, 128Ram
Comment:

Hi, just a few days ago I noticed that many unknown files were suddenly generated in one of my drives (D:\). Some of my existing files were also renamed to strange names, for example
"Bootlog.txt" to "Blotllg.txt",
"IO.sys" to "Il.sxs"
"portfolio.htm" to "portfolio.h4-"
... etc.

A strange folder "Fhn@ld~0" was also created, containing MANY strange subfolders and files. I checked the properties of these folders and files and noticed the sizes are up to 210GB! But in actual fact, the sizes are all 0 bytes. The creation dates for all these files seem to be random too (12/9/39, 1/16/43 ..)

Another folder "Rdcxcled" was also created, which I suspect is the Recycled folder. Inside this folder are all the files in this drive.

I tried to delete all these unknown folders but in vain. I tried scanning using anti-virus but had errors scanning as well.

Does anyone know what kind of virus is behind this and any way to get rid of it? My OS is installed on my C:\ drive; the infected drive (D:) is just for storing some personal files.

Thanks a lot.




Response Number 1
Name: Imp
Date: March 23, 2003 at 02:15:20 Pacific
Reply:

Hello Sepgirl,
The description you give of your computer doesn't seem to be the result of a virus, but rather of the use of a program like Incredimail, which is basically made to create funny emails.. in fact this program is a big "spyware" used by a company to make prognostics about your computer use and preferences...this program generates many folders and subfolders which take up considerable HD space...
I would suggest you download the following program, AdAware 6.0, which you can find at www.lavasoftusa.com; it will give you real information about all the cookies and "spywares" polluting your computer and system.....
Remember as well never to install any unknown program you find on the net advertising a little gadget that seems to be wonderful....



Response Number 2
Name: Tom41
Date: March 23, 2003 at 03:18:59 Pacific
Reply:

Hi sepgirl, let's have a look. Go here and download, unzip and run StartupList. It will create a log file of everything that loads when you boot the machine. Copy that log and paste it in a reply.


StartupList



Response Number 3
Name: sepgirl
Date: March 23, 2003 at 07:13:58 Pacific
Reply:

Imp: Thanks for your advice. I'm not sure if it's a virus or not. I have installed and run "AdAware 6.0"; it did generate a long list of recognized objects. Should I delete them?

Tom41: Here's the long log file it generated
==================================================
StartupList report, 3/23/03, 11:11:02 PM
StartupList version: 1.52
Started from : C:\WINDOWS\TEMP\STARTUPLIST.exe
Detected: Windows 98 SE (Win9x 4.10.2222A)
Detected: Internet Explorer v5.00 SP2 (5.00.3314.2100)
* Using default options
==================================================

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.exe
C:\WINDOWS\SYSTEM\MPREXE.exe
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.exe
C:\WINDOWS\TASKMON.exe
C:\WINDOWS\SYSTEM\SYSTRAY.exe
C:\WINDOWS\SM56HLPR.exe
C:\WINDOWS\LOADQM.exe
C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 5\DIRECTCD\DIRECTCD.exe
C:\WINDOWS\SYSTEM\QTTASK.exe
C:\WINDOWS\SYSTEM\DDHELP.exe
C:\PROGRAM FILES\EFFICIENT NETWORKS\SPEEDSTREAM DSL\SPDSTRM.exe
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.exe
C:\PROGRAM FILES\EXIF LAUNCHER\QUICKDCF.exe
C:\WINDOWS\SYSTEM\WMIEXE.exe
C:\WINDOWS\SYSTEM\RNAAPP.exe
C:\WINDOWS\SYSTEM\TAPISRV.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.exe
C:\WINDOWS\SYSTEM\MDM.exe
C:\WINDOWS\SYSTEM\SPOOL32.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.exe
C:\WINDOWS\SYSTEM\PSTORES.exe
C:\PROGRAM FILES\WINAMP\WINAMP.exe
C:\PROGRAM FILES\WINZIP\WINZIP32.exe
C:\WINDOWS\TEMP\STARTUPLIST.exe

---------------------

Listing of startup folders:

Shell folders Startup:
[C:\WINDOWS\Start Menu\Programs\StartUp]
Exif Launcher.lnk = C:\Program Files\Exif Launcher\QuickDCF.exe

---------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

ScanRegistry = c:\windows\scanregw.exe /autorun
TaskMonitor = c:\windows\taskmon.exe
SystemTray = SysTray.exe
SM56ACL = sm56hlpr.exe
MyCometCursor = C:\PROGRA~1\COMET\MYCOME~1.exe -quiet
OEMCleanup = C:\WINDOWS\OPTIONS\OEMRESET.exe
LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
Microsoft WebServer = C:\Program Files\WebSvr\System\svctrl /init
LoadQM = loadqm.exe
AdaptecDirectCD = "c:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
QuickTime Task = C:\WINDOWS\SYSTEM\QTTASK.exe
Trickler = "c:\windows\temp\webpdp_fsg_1050.exe"
DSL Monitor = C:\Program Files\Efficient Networks\SpeedStream DSL\SPDSTRM.exe
NAV Agent = c:\PROGRA~1\NORTON~1\NAVAPW32.exe
RegShave = C:\Progra~1\REGSHAVE\REGSHAVE.exe /autorun

---------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
ScriptBlocking = "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg

---------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

AOL Instant Messenger (TM) = C:\Program Files\Netscape\Communicator\Program\AIM\aim.exe -cnetwait.odl

---------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=Explorer.exe
SCRNSAVE.EXE=
drivers=mmsystem.dll power.drv

---------------------

C:\WINDOWS\WININIT.INI listing:
(Created 23/3/2003, 23:9:14)

[Rename]
NUL=c:\program files\comet\install\temp\csres.dat
NUL=c:\program files\comet\install\temp\update.js
NUL=c:\program files\comet\install\temp\comutil.dll
NUL=c:\program files\comet\install\temp\csinst.dll
NUL=c:\program files\comet\install\temp\csapputil.dll
NUL=c:\program files\comet\install\temp\csutil.dll
NUL=c:\program files\comet\install\temp\fileutil.dll
NUL=c:\program files\comet\install\temp\csbrange.dll
NUL=c:\program files\comet\install\temp\comet.exe
NUL=c:\program files\comet\install\temp\skinui.dll
NUL=c:\program files\comet\install\temp\csietb.dll
NUL=c:\program files\comet\install\temp\cseng.dll
NUL=c:\program files\comet\install\temp\csctx.dll
NUL=c:\program files\comet\install\temp\cscore.dll
NUL=c:\program files\comet\install\temp\csbho.dll
NUL=c:\program files\comet\install\temp\csband.dll
NUL=c:\windows\gatorplugin.log
NUL=c:\windows\cookies\sepgirl@www.commission-junction[2].txt
NUL=c:\windows\cookies\sepgirl@fastclick[2].txt
NUL=c:\windows\cookies\anyuser@counter2.hitslink[2].txt
NUL=c:\windows\cookies\sepgirl@hg1.hitbox[2].txt
NUL=c:\windows\cookies\anyuser@linksynergy[1].txt
NUL=c:\windows\cookies\sepgirl@servedby.advertising[2].txt
NUL=c:\windows\cookies\anyuser@hg1.hitbox[2].txt
NUL=c:\windows\cookies\sepgirl@bravenet[1].txt
NUL=c:\windows\cookies\sepgirl@banserv.internetfuel[2].txt
NUL=c:\windows\cookies\sepgirl@adserv.internetfuel[1].txt
NUL=c:\windows\cookies\sepgirl@valueclick[1].txt
NUL=c:\windows\cookies\sepgirl@data.coremetrics[2].txt
NUL=c:\windows\cookies\sepgirl@linksynergy[1].txt
NUL=c:\windows\cookies\anyuser@metriweb[1].txt
NUL=c:\windows\cookies\sepgirl@xupiter[1].txt
NUL=c:\windows\cookies\sepgirl@adserv.gamerszone[1].txt
NUL=c:\windows\cookies\sepgirl@valueclick.ne[1].txt
NUL=c:\windows\cookies\sepgirl@www.qksrv[2].txt
NUL=c:\windows\cookies\anyuser@fortunecity[1].txt
NUL=c:\windows\cookies\sepgirl@ads.valuead[2].txt
NUL=c:\windows\cookies\sepgirl@advertising[1].txt
NUL=c:\windows\cookies\sepgirl@bluestreak[1].txt
NUL=c:\windows\cookies\sepgirl@ehg-sonyelec.hitbox[2].txt
NUL=c:\windows\cookies\sepgirl@ehg-sonyny.hitbox[2].txt
NUL=c:\windows\cookies\sepgirl@ehg-ubisoft.hitbox[2].txt
NUL=c:\windows\cookies\sepgirl@gorillaads.valuead[1].txt
NUL=c:\windows\cookies\sepgirl@servedby.valuead[1].txt
NUL=c:\windows\cookies\sepgirl@fortunecity[2].txt
NUL=c:\windows\cookies\sepgirl@x10[1].txt
NUL=c:\windows\cookies\sepgirl@mediaplex[1].txt
NUL=c:\windows\cookies\anyuser@valueclick.ne[1].txt
NUL=c:\windows\cookies\anyuser@mediaplex[2].txt
NUL=c:\windows\cookies\anyuser@adtech[2].txt
NUL=c:\windows\cookies\sepgirl@z1.adserver[1].txt
NUL=c:\windows\cookies\anyuser@counter.hitslink[2].txt
NUL=c:\windows\cookies\sepgirl@ehg.hitbox[2].txt
NUL=c:\windows\cookies\anyuser@hotlog[1].txt
NUL=c:\windows\cookies\anyuser@spylog[1].txt
NUL=c:\windows\cookies\anyuser@hitbox[1].txt
NUL=c:\windows\cookies\anyuser@ehg-nokiafin.hitbox[2].txt
NUL=c:\windows\cookies\anyuser@hc2.humanclick[2].txt
NUL=c:\windows\cookies\sepgirl@ehg-intel.hitbox[2].txt
NUL=c:\windows\cookies\sepgirl@ads.specificpop[1].txt
NUL=c:\windows\cookies\sepgirl@hc2.humanclick[2].txt
NUL=c:\windows\cookies\sepgirl@w131.hitbox[2].txt
NUL=c:\windows\cookies\sepgirl@hotlog[1].txt
NUL=c:\windows\cookies\sepgirl@spylog[1].txt
NUL=c:\windows\cookies\sepgirl@bfast[2].txt
NUL=c:\windows\cookies\sepgirl@atdmt[2].txt
NUL=c:\windows\cookies\sepgirl@adtech[2].txt
NUL=c:\windows\cookies\sepgirl@metriweb[1].txt
NUL=c:\windows\cookies\anyuser@servedby.advertising[1].txt
NUL=c:\windows\cookies\sepgirl@statse.webtrendslive[1].txt
NUL=c:\windows\cookies\sepgirl@centrport[1].txt
NUL=c:\windows\cookies\sepgirl@servedfor.valuead[1].txt
NUL=c:\windows\cookies\anyuser@ehg-siebel.hitbox[2].txt
NUL=c:\windows\cookies\sepgirl@hitbox[2].txt
NUL=c:\windows\cookies\sepgirl@fastclick[1].txt
NUL=c:\windows\cookies\sepgirl@targetnet[1].txt
NUL=c:\windows\cookies\sepgirl@weborama[1].txt
NUL=c:\windows\cookies\anyuser@pub16.bravenet[1].txt
NUL=c:\windows\cookies\anyuser@www.commission-junction[2].txt
NUL=c:\windows\cookies\anyuser@z1.adserver[2].txt
NUL=c:\windows\cookies\anyuser@ads.specificpop[1].txt
NUL=c:\windows\cookies\anyuser@pub6.bravenet[1].txt
NUL=c:\windows\cookies\anyuser@t1.adserver[2].txt
NUL=c:\windows\cookies\sepgirl@ehg-oreilly.hitbox[2].txt
NUL=c:\windows\cookies\sepgirl@gator[2].txt
NUL=c:\windows\cookies\sepgirl@pub48.bravenet[1].txt
NUL=c:\windows\cookies\anyuser@servedfor.valuead[1].txt
NUL=c:\windows\cookies\anyuser@w114.hitbox[1].txt
NUL=c:\windows\cookies\anyuser@servedby.valuead[1].txt
NUL=c:\windows\cookies\anyuser@adserver2.creative[1].txt
NUL=c:\windows\cookies\anyuser@statse.webtrendslive[1].txt
NUL=c:\windows\cookies\anyuser@ads.valuead[1].txt
NUL=c:\windows\cookies\anyuser@ehg-intel.hitbox[2].txt
NUL=c:\windows\cookies\anyuser@valueclick[3].txt
NUL=c:\windows\cookies\anyuser@data.coremetrics[1].txt
NUL=c:\windows\cookies\anyuser@ehg-dig.hitbox[2].txt
NUL=c:\windows\cookies\anyuser@ehg-sonyny.hitbox[2].txt
NUL=c:\windows\cookies\anyuser@adserv.internetfuel[1].txt
NUL=c:\windows\cookies\sepgirl@adserver.singnet.com[1].txt
NUL=c:\windows\cookies\anyuser@bfast[2].txt
NUL=c:\windows\cookies\anyuser@valueclick[2].txt
NUL=c:\windows\cookies\anyuser@bravenet[2].txt
NUL=c:\windows\cookies\anyuser@ehg-ubisoft.hitbox[2].txt
NUL=c:\windows\cookies\anyuser@phg.hitbox[2].txt
NUL=c:\windows\cookies\anyuser@w115.hitbox[2].txt
NUL=c:\windows\cookies\anyuser@webpdp.gator[1].txt
NUL=c:\windows\cookies\anyuser@tradedoubler[1].txt
NUL=c:\windows\cookies\anyuser@www.tradedoubler[1].txt
NUL=c:\windows\cookies\anyuser@ehg.hitbox[1].txt
NUL=c:\windows\cookies\anyuser@weborama[1].txt
NUL=c:\windows\cookies\anyuser@ehg-espn.hitbox[2].txt
NUL=c:\windows\cookies\anyuser@www.qksrv[2].txt
NUL=c:\windows\cookies\anyuser@ad.pro-advertising[2].txt
NUL=c:\windows\cookies\anyuser@adserver.news.com[2].txt
NUL=c:\windows\cookies\anyuser@fastclick[2].txt
NUL=c:\windows\cookies\anyuser@adserver.sportingodds[2].txt
NUL=c:\windows\cookies\anyuser@targetnet[2].txt
NUL=c:\windows\cookies\anyuser@advertising[1].txt
NUL=c:\windows\cookies\anyuser@ehg-idg.hitbox[2].txt
NUL=c:\windows\cookies\anyuser@adviva[2].txt
NUL=c:\windows\cookies\sepgirl@doubleclick[1].txt
NUL=c:\windows\cookies\anyuser@w131.hitbox[1].txt
NUL=c:\windows\cookies\anyuser@w121.hitbox[1].txt
NUL=c:\windows\cookies\anyuser@w104.hitbox[1].txt
NUL=c:\windows\cookies\anyuser@centrport[1].txt
NUL=c:\windows\cookies\anyuser@adserver[1].txt
NUL=c:\windows\cookies\anyuser@atdmt[2].txt
NUL=c:\windows\cookies\anyuser@gator[1].txt
NUL=c:\windows\cookies\default@counter.hitslink[1].txt
NUL=c:\windows\cookies\default@focusin.ads.targetnet[2].txt
NUL=c:\windows\cookies\default@mediaplex[2].txt
NUL=c:\windows\cookies\default@fastclick[2].txt
NUL=c:\windows\cookies\default@x10[2].txt
NUL=c:\windows\cookies\default@adserv.internetfuel[2].txt
NUL=c:\windows\cookies\default@hotlog[2].txt
NUL=c:\windows\cookies\default@w116.hitbox[2].txt
NUL=c:\windows\cookies\default@servedby.advertising[2].txt
NUL=c:\windows\cookies\anyuser@bannerbank[1].txt
NUL=c:\windows\cookies\default@w131.hitbox[1].txt
NUL=c:\windows\cookies\default@hg1.hitbox[2].txt
NUL=c:\windows\cookies\default@rd.advertising[2].txt
NUL=c:\windows\cookies\anyuser@w128.hitbox[1].txt
NUL=c:\windows\cookies\default@advertising[1].txt
NUL=c:\windows\cookies\anyuser@bluestreak[1].txt
NUL=c:\windows\cookies\anyuser@adserver.singnet.com[1].txt
NUL=c:\windows\cookies\default@admonitor[2].txt
NUL=c:\windows\cookies\default@atdmt[2].txt
NUL=c:\windows\cookies\default@fortunecity[1].txt
NUL=c:\windows\cookies\default@focalink[1].txt
NUL=c:\windows\cookies\default@valueclick[1].txt
NUL=c:\windows\cookies\default@hitbox[2].txt
NUL=c:\windows\cookies\anyuser@doubleclick[1].txt
NUL=c:\windows\cookies\default@ehg.hitbox[2].txt
NUL=c:\windows\cookies\default@fortunecity[3].txt
NUL=c:\windows\cookies\default@targetnet[1].txt
NUL=c:\windows\cookies\default@bannerbank[1].txt
NUL=c:\windows\cookies\default@spylog[2].txt
NUL=c:\windows\cookies\default@w115.hitbox[2].txt
NUL=c:\windows\cookies\default@adserver[1].txt
NUL=c:\windows\cookies\default@ehg-dig.hitbox[2].txt
NUL=c:\windows\cookies\default@centrport[1].txt
NUL=c:\windows\cookies\default@adserver.singnet.com[2].txt
NUL=c:\windows\cookies\default@www.commission-junction[2].txt
NUL=c:\windows\cookies\default@bfast[2].txt
NUL=c:\windows\cookies\default@www.qksrv[1].txt
NUL=c:\windows\cookies\default@flycast[2].txt
NUL=c:\windows\cookies\default@valueclick.ne[1].txt
NUL=c:\windows\cookies\default@spylog[1].txt
NUL=c:\windows\cookies\default@doubleclick[1].txt
NUL=c:\windows\downloaded program files\iegator.inf
NUL=c:\windows\downloaded program files\iegator.dll
NUL=c:\windows\system\comet.dll

---------------------

C:\AUTOEXEC.BAT listing:

set path=c:\windows;c:\windows\COMMAND;C:\BITWARE\;C:\PROGRA~1\ULTRAE~1;%PATH%;C:\JDK1.3.0_02\BIN;
SET PATH=c:\Perl\bin\;%PATH%

---------------------


Enumerating Browser Helper Objects:

(no name) - C:\WINDOWS\SYSTEM\COMET.DLL - {1678F7E1-C422-11D0-AD7D-00400515CAAA}
NAV Helper - c:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}
CSBrBHO - C:\PROGRAM FILES\COMET\INSTALL\TEMP\BRBHO12A.DLL - {96DA5BEE-4ACC-476C-B3EC-54C6730C4293}

---------------------

Enumerating Task Scheduler jobs:

Norton AntiVirus - Scan my computer.job

---------------------

Enumerating Download Program Files:

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

[CometCursor Class]
InProcServer32 = C:\WINDOWS\SYSTEM\COMET.DLL
CODEBASE = http://files.cometsystems.com/cometcursor/comet.cab

[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\DIRECTOR\SWDIR.DLL
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

[QuickTime Object]
InProcServer32 = C:\WINDOWS\SYSTEM\QTPLUGIN.OCX
CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab

[DetectMN]
InProcServer32 = C:\PROGRAM FILES\INTERNET EXPLORER\PLUGINS\DETECTMN.DLL
CODEBASE = http://www.musicnotes.com/download/npmusicn.cab

[Autodesk MapGuide ActiveX Control]
InProcServer32 = C:\PROGRAM FILES\AUTODESK\MAPGUIDE VIEWER\MGAXCTRL.DLL
CODEBASE = http://www.can.com.sg/mwf/mgaxctrl.cab

[Update Class]
InProcServer32 = C:\WINDOWS\SYSTEM\IUCTL.DLL
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37631.2766435185

[MidRadioCtrl Class]
InProcServer32 = C:\PROGRAM FILES\YAMAHA\MIDRADIO PLAYER\MIDRADIO.OCX
CODEBASE = http://adweb.music-eclub.com/php/adweb.php3?aid=143&arg=win%2Fmrinst.cab&ptx=mratdl

[Cult3D ActiveX Player]
InProcServer32 = C:\WINDOWS\SYSTEM\CULT3D\IECULT.DLL
CODEBASE = http://www.cult3d.com/download/cult.cab

---------------------

Enumerating ShellServiceObjectDelayLoad items:

WebCheck: C:\WINDOWS\SYSTEM\WEBCHECK.DLL

---------------------
End of report, 15,543 bytes
Report generated in 0.601 seconds



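The log above repays a closer read on its own. In a StartupList report the Run-key lines show what launches at boot, the Browser Helper Objects section shows what is loaded into Internet Explorer, and the WININIT.INI [Rename] section lists files Windows 9x will act on at the next reboot: an entry of the form NUL=path means the file is deleted before Windows fully starts, which is how a cleaner such as AdAware removes DLLs that are still in use. The Python script below is an added example, not part of the thread and not a tool any poster used: it parses a short excerpt of the posted report and flags the entries a responder would look at first, namely modules launched from a temp folder (the Trickler entry), a BHO with no name, and modules already queued for deletion. The excerpt is copied from the log above; the heuristics, the Finding class and the function names are my own construction.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: a handful of lines copied from the StartupList 1.52 report posted above.
SAMPLE_REPORT = r"""
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

ScanRegistry = c:\windows\scanregw.exe /autorun
MyCometCursor = C:\PROGRA~1\COMET\MYCOME~1.exe -quiet
Trickler = "c:\windows\temp\webpdp_fsg_1050.exe"
NAV Agent = c:\PROGRA~1\NORTON~1\NAVAPW32.exe

---------------------

C:\WINDOWS\WININIT.INI listing:
(Created 23/3/2003, 23:9:14)

[Rename]
NUL=c:\program files\comet\install\temp\csbho.dll
NUL=c:\windows\system\comet.dll

---------------------

Enumerating Browser Helper Objects:

(no name) - C:\WINDOWS\SYSTEM\COMET.DLL - {1678F7E1-C422-11D0-AD7D-00400515CAAA}
NAV Helper - c:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}
CSBrBHO - C:\PROGRAM FILES\COMET\INSTALL\TEMP\BRBHO12A.DLL - {96DA5BEE-4ACC-476C-B3EC-54C6730C4293}
"""


@dataclass
class Finding:
    """One flagged autostart entry (hypothetical structure for this example)."""
    kind: str                       # "run" (registry Run key) or "bho"
    name: str
    path: str
    reasons: list = field(default_factory=list)


_BHO_RE = re.compile(r"^(?P<name>.+?) - (?P<path>.+?) - (?P<clsid>\{[0-9A-Fa-f-]+\})$")
_EXT_RE = re.compile(r"^(.*?\.(?:exe|dll|com|bat|scr|ocx))\b", re.IGNORECASE)


def extract_path(command: str) -> str:
    """Pull the module path out of a Run-key command line (quoted path, or path up to its extension)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = _EXT_RE.match(command)
    return m.group(1) if m else command.split(" /")[0]


def parse_report(text: str) -> dict:
    """Split a StartupList report into Run-key entries, BHOs and WININIT.INI pending deletions."""
    result = {"run": [], "bho": [], "pending_delete": []}
    section = hive_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("---"):
            continue
        if line == "Autorun entries from Registry:":
            section, hive_key = "run_key", None      # next line names the registry key
            continue
        if line == "Enumerating Browser Helper Objects:":
            section = "bho"
            continue
        if line.endswith("WININIT.INI listing:"):
            section = "wininit"
            continue
        if section == "run_key":
            hive_key, section = line, "run"
        elif section == "run" and " = " in line:
            name, _, command = line.partition(" = ")
            result["run"].append((hive_key, name, extract_path(command), command))
        elif section == "wininit" and line.lower().startswith("nul="):
            # [Rename] NUL=path: Windows 9x deletes the file at next boot
            result["pending_delete"].append(line[4:].strip().lower())
        elif section == "bho":
            m = _BHO_RE.match(line)
            if m:
                result["bho"].append((m["name"], m["path"], m["clsid"]))
    return result


def assess(parsed: dict) -> list:
    """Flag what a responder reads first: modules in a temp folder, nameless BHOs, modules queued for deletion."""
    pending = set(parsed["pending_delete"])
    findings = []

    def check(kind, name, path):
        low = path.lower()
        reasons = []
        if "\\temp\\" in low:
            reasons.append("runs from a temp folder")
        if kind == "bho" and name.strip("()").lower() == "no name":
            reasons.append("unnamed BHO")
        if low in pending:
            reasons.append("queued for deletion in WININIT.INI [Rename]")
        if reasons:
            findings.append(Finding(kind, name, path, reasons))

    for _hive, name, path, _cmd in parsed["run"]:
        check("run", name, path)
    for name, path, _clsid in parsed["bho"]:
        check("bho", name, path)
    return findings


if __name__ == "__main__":
    for f in assess(parse_report(SAMPLE_REPORT)):
        print(f"[{f.kind}] {f.name}: {f.path} -> {'; '.join(f.reasons)}")
```

Run it directly and it prints three findings: Trickler (launched from c:\windows\temp), the unnamed COMET.DLL helper (already queued for deletion, so the cleaner has done its part and a reboot finishes the job), and CSBrBHO (loaded from an install\temp folder). The heuristics are location-based only; MyCometCursor runs from Program Files and is not flagged, which is exactly why a signature database such as Spybot's or AdAware's is still needed on top of a startup listing.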

Response Number 4
Name: Tom41
Date: March 24, 2003 at 00:23:28 Pacific
Reply:

Hi sepgirl, I don't see any signs of a virus, just lots of spyware. Run AdAware and remove everything it finds.



Response Number 5
Name: michael2
Date: March 25, 2003 at 15:48:48 Pacific
Reply:

MyCometCursor
Trickler
gator

I've read of these three on the security forum.

See....Spybot Search & Destroy.

NB: some programs will not run without spyware.

http://security.kolla.de/



