AdMiN@CoMcAsT[0]0]tXt

Timothy Daniels

My computer started crashing when doing web accesses,
and I find in my Temporary Internet Files a cookie 88 bytes
long with "cache name" of AdMiN@CoMcAsT[0]0]tXt,
where "0" is actually a narrow vertical rectangle.
("Admin" is my PC username and Comcast is my ISP.)
Windows Explorer shows a file icon with a file name
about 8 chars long - all undisplayable. And I can't delete it.
Is it a virus or worm? How can I get rid of it? (I haven't
opened it.)

*TimDaniels*
 
From: "Timothy Daniels" <[email protected]>

| My computer started crashing when doing web accesses,
| and I find in my Temporary Internet Files a cookie 88 bytes
| long with "cache name" of AdMiN@CoMcAsT[0]0]tXt,
| where "0" is actually a narrow vertical rectangle.
| ("Admin" is my PC username and Comcast is my ISP.)
| Windows Explorer shows a file icon with a file name
| about 8 chars long - all undisplayable. And I can't delete it.
| Is it a virus or worm? How can I get rid of it? (I haven't
| opened it.)
|
| *TimDaniels*


We are assuming it is an infector at the root of the problem...

Dump the contents of the IE Temporary Internet Folder cache (TIF)

start --> settings --> control panel --> internet options --> delete files

1) Download the Sysclean Front End utility ( SYSCLEAN_FE ) in "Procedure 1"
at the following URL, SYSCLEAN_FE automates the download and
execution process of the Trend Sysclean Package.
http://www.ik-cs.com/got-a-virus.htm

Direct URL:
http://www.ik-cs.com/programs/virtools/Sysclean_FE.exe

Execute; SYSCLEAN_FE.EXE
Choose; Unzip
Choose; Close

Execute; c:\sysclean\SYSCLEAN_FE.BAT
{ or Double-click on 'SYSCLEAN_FE Link' in c:\sysclean }

When you get to the Sysclean Front End menu, hit 'e' or '3' to exit.

2) Download and install Ad-aware SE (free personal version v1.05)
http://www.lavasoftusa.com/
3) Update Adaware with the latest definitions then exit the software.
4) If you are using WinME or WinXP, disable System Restore
http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
5) Reboot your PC into Safe Mode and shutdown as many applications as possible
6) Using the Trend Sysclean and Ad-aware SE utilities, perform a Full Scan of your
platform and clean/delete any infectors found
7) Restart your PC and perform a "final" Full Scan of your platform using both Trend
Sysclean and Ad-aware SE
8) If you are using WinME or WinXP, re-enable System Restore and re-apply any
System Restore preferences, (e.g. HD space to use suggested 400 ~ 600MB),
9) Reboot your PC.
10) If you are using WinME or WinXP, create a new Restore point

* * Please report back your results * *
 
David H. Lipman said:
From: "Timothy Daniels":

| My computer started crashing when doing web accesses,
| and I find in my Temporary Internet Files a cookie 88 bytes
| long with "cache name" of AdMiN@CoMcAsT[0]0]tXt,
| where "0" is actually a narrow vertical rectangle.
| ("Admin" is my PC username and Comcast is my ISP.)
| Windows Explorer shows a file icon with a file name
| about 8 chars long - all undisplayable. And I can't delete it.
| Is it a virus or worm? How can I get rid of it? (I haven't
| opened it.)
|
| *TimDaniels*


We are assuming it is an infector at the root of the problem...

Dump the contents of the IE Temporary Internet Folder cache (TIF)

start --> settings --> control panel --> internet options --> delete files

1) Download the Sysclean Front End utility ( SYSCLEAN_FE ) in "Procedure 1"
at the following URL, SYSCLEAN_FE automates the download and
execution process of the Trend Sysclean Package.
http://www.ik-cs.com/got-a-virus.htm

Direct URL:
http://www.ik-cs.com/programs/virtools/Sysclean_FE.exe

Execute; SYSCLEAN_FE.EXE
Choose; Unzip
Choose; Close

Execute; c:\sysclean\SYSCLEAN_FE.BAT
{ or Double-click on 'SYSCLEAN_FE Link' in c:\sysclean }

When you get to the Sysclean Front End menu, hit 'e' or '3' to exit.


So what is supposed to have been accomplished by
this point such that the menu choice is to exit?


2) Download and install Ad-aware SE (free personal version v1.05)
http://www.lavasoftusa.com/
3) Update Adaware with the latest definitions then exit the software.
4) If you are using WinME or WinXP, disable System Restore
http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
5) Reboot your PC into Safe Mode and shutdown as many applications
as possible
6) Using the Trend Sysclean and Ad-aware SE utilities, perform
a Full Scan of your platform and clean/delete any infectors found


I ran the Ad-Aware SE, but nothing was found.

How does one "use the Trend Sysclean"? Where is it?

7) Restart your PC and perform a "final" Full Scan of your platform
using both Trend Sysclean and Ad-aware SE
8) If you are using WinME or WinXP, re-enable System Restore


How does one "re-enable System Restore"?

When was it disabled?

and re-apply any System Restore preferences, (e.g. HD
space to use suggested 400 ~ 600MB),
9) Reboot your PC.
10) If you are using WinME or WinXP, create a new
Restore point


How does one "create a new Restore point"?


* * Please report back your results * *


The cookie is still there and I still cannot delete it.


*TimDaniels*
 
From: "Timothy Daniels" <[email protected]>


|
| The cookie is still there and I still cannot delete it.
|
| *TimDaniels*


What is the OS ?

Do you have Comcast provided software loaded on your PC ?
 
David H. Lipman said:
From: "Timothy Daniels"
|
| The cookie is still there and I still cannot delete it.
|

What is the OS ?

Do you have Comcast provided software loaded on your PC ?


The OS is Windows XP Pro.

I have no Comcast software installed that I know of
and I've never downloaded any software from
Comcast that I know of.

I suspect that "AdMiN" (similar to my account username
"Admin") and "CoMcAsT" (similar to "Comcast", my ISP)
were chosen to appear familiar and therefore legitimate.
The extension ("tXt") is similar to "txt", but for all I know,
the cookie is an executable file and it will execute if I try
to open it.

A full system scan by Norton Anti-Virus with the latest
updates (3hrs, 6min) reveals no viruses.

Yet this cookie with the invisible name remains in the
Temporary Internet Files folder, and I cannot delete it.
What permissions could I re-set to be allowed to
delete it?

*TimDaniels*
 
From: "Timothy Daniels" <[email protected]>

|>>
|>> The cookie is still there and I still cannot delete it.
|>>
| The OS is Windows XP Pro.
|
| I have no Comcast software installed that I know of
| and I've never downloaded any software from
| Comcast that I know of.
|
| I suspect that "AdMiN" (similar to my account username
| "Admin") and "CoMcAsT" (similar to "Comcast", my ISP)
| were chosen to appear familiar and therefore legitimate.
| The extension ("tXt") is similar to "txt", but for all I know,
| the cookie is an executable file and it will execute if I try
| to open it.
|
| A full system scan by Norton Anti-Virus with the latest
| updates (3hrs, 6min) reveals no viruses.
|
| Yet this cookie with the invisible name remains in the
| Temporary Internet Files folder, and I cannot delete it.
| What permissions could I re-set to be allowed to
| delete it?
|
| *TimDaniels*

Do you have the Comcast logo as the logo in the top right corner of Internet Explorer ?

Comcast has branded IE and distributes their software and I believe you have Comcast
software on your PC.

Cookies are not executable. Cookies can have their respective file handles open if the
program that creates and/or writes to it keeps it open. You would have to shutdown all
running applications to make sure that whatever program is keeping its file handles open
closes said file handle.

Cookies are the least of your problems and aren't worth losing sleep over.
 
David H. Lipman said:


|>>
|>> The cookie is still there and I still cannot delete it.
|>>
|
| The OS is Windows XP Pro.
|
| I have no Comcast software installed that I know of
| and I've never downloaded any software from
| Comcast that I know of.
|
| I suspect that "AdMiN" (similar to my account username
| "Admin") and "CoMcAsT" (similar to "Comcast", my ISP)
| were chosen to appear familiar and therefore legitimate.
| The extension ("tXt") is similar to "txt", but for all I know,
| the cookie is an executable file and it will execute if I try
| to open it.
|
| A full system scan by Norton Anti-Virus with the latest
| updates (3hrs, 6min) reveals no viruses.
|
| Yet this cookie with the invisible name remains in the
| Temporary Internet Files folder, and I cannot delete it.
| What permissions could I re-set to be allowed to
| delete it?
|
| *TimDaniels*

Do you have the Comcast logo as the logo in the top right
corner of Internet Explorer ?

No.


Comcast has branded IE and distributes their software and
I believe you have Comcast software on your PC.


My IE does not appear to be branded, and it has no
Comcast logo.

Cookies are not executable.


This cookie is obviously non-standard, and why
would its last 3 characters be "tXt"? That second
character is an uppercase "x", making it appear
to be a .txt file to the unsuspicious and therefore
openable to the curious user. One of the viruses
described in print media about a year ago had
fake extensions that made them to appear not to
be executable files.

Cookies can have their respective file handles open if the
program that creates and/or writes to it keeps it open. You
would have to shutdown all running applications to make
sure that whatever program is keeping its file handles open
closes said file handle.

Cookies are the least of your problems and aren't worth losing
sleep over.


Who said this was a legitimate cookie? Why is its
filename non-printable?

*TimDaniels*
 
From: "Timothy Daniels" <[email protected]>

|
|>>>>
|>>>> The cookie is still there and I still cannot delete it.
|>>>>
|>>
|>> The OS is Windows XP Pro.
|>>
|>> I have no Comcast software installed that I know of
|>> and I've never downloaded any software from
|>> Comcast that I know of.
|>>
|>> I suspect that "AdMiN" (similar to my account username
|>> "Admin") and "CoMcAsT" (similar to "Comcast", my ISP)
|>> were chosen to appear familiar and therefore legitimate.
|>> The extension ("tXt") is similar to "txt", but for all I know,
|>> the cookie is an executable file and it will execute if I try
|>> to open it.
|>>
|>> A full system scan by Norton Anti-Virus with the latest
|>> updates (3hrs, 6min) reveals no viruses.
|>>
|>> Yet this cookie with the invisible name remains in the
|>> Temporary Internet Files folder, and I cannot delete it.
|>> What permissions could I re-set to be allowed to
|>> delete it?
|>>
|>> *TimDaniels*
|
| No.
||
| My IE does not appear to be branded, and it has no
| Comcast logo.
||
| This cookie is obviously non-standard, and why
| would its last 3 characters be "tXt"? That second
| character is an uppercase "x", making it appear
| to be a .txt file to the unsuspicious and therefore
| openable to the curious user. One of the viruses
| described in print media about a year ago had
| fake extensions that made them to appear not to
| be executable files.
||
| Who said this was a legitimate cookie? Why is its
| filename non-printable?
|
| *TimDaniels*

So the file uses mixed case characters -- no big deal.

Have you run the Trend Sysclean utility yet ?

If you haven't here are the instructions again, specific to using Trend Sysclean...

Dump the contents of the IE Temporary Internet Folder cache (TIF)

start --> settings --> control panel --> internet options --> delete files

1) Download the following...

Trend Sysclean Method 1
---------------------------------------
Trend Sysclean Package
http://www.trendmicro.com/download/dcs.asp

Latest Trend signature files.
http://www.trendmicro.com/download/pattern.asp

Create a directory.
On drive "C:\"
(e.g., "c:\sysclean")

Download SYSCLEAN.COM and place it in that directory.
Download the signature files (pattern files) by obtaining the ZIP file.
For example; lpt524.zip

Extract the contents of the ZIP file and place the contents in the same directory as
SYSCLEAN.COM.

Trend Sysclean Method 2
---------------------------------------
The utility SYSCLEAN_FE in "Procedure 1" at the following URL
http://www.ik-cs.com/got-a-virus.htm automates the download and execution process of the
Trend Sysclean Package.


2) Disable System Restore
http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
3) Reboot your PC into Safe Mode then shutdown as many applications as possible.
4) Using the Trend Sysclean utility, perform a Full Scan of your platform and
clean/delete any infectors found
5) Restart your PC and perform a "final" Full Scan of your platform
6) Re-enable System Restore and re-apply any System Restore preferences,
(e.g. HD space to use suggested 400 ~ 600MB),
7) Reboot your PC.
8) Create a new Restore point
Start --> programs --> Accessories --> system tools --> System Restore

* * Please report back your results * *
 
David H. Lipman said:
From: "Timothy Daniels":
| Who said this was a legitimate cookie? Why is its
| filename non-printable?
|
| *TimDaniels*

So the file uses mixed case characters -- no big deal.


I don't think you understand about the unprintable
characters. They form the file name. Windows Explorer
displays the file icon and beside it in Details View is
nothing. When right-clicking on the nothing, a blue band
about 12 characters long appears with nothing in it - it's
a highlighted non-printable series of characters.

Only when I right-click and select Properties is the
"cache name" of AdMiN@CoMcAsT[0]0tXt listed
having a length of 88 bytes.

Have you run the Trend Sysclean utility yet ?


I don't know. I followed the instructions you gave
and got to the Start Menu OK and exited as your
instructions said. It is not known to me whether
anything but installation routines actually ran.
The other scans took me more than 3 hours, so
I would have to allot that amount of time to do them
again.

If you haven't here are the instructions again, specific
to using Trend Sysclean...


I'll try that again in a few hours as I need my (somewhat
flaky) computer for other stuff right now. I'll post the
results. Thanks for the continued attention.


*TimDaniels*
 
From: "Timothy Daniels" <[email protected]>

|>> Who said this was a legitimate cookie? Why is its
|>> filename non-printable?
|>>
|>> *TimDaniels*
|
| I don't think you understand about the unprintable
| characters. They form the file name. Windows Explorer
| displays the file icon and beside it in Details View is
| nothing. When right-clicking on the nothing, a blue band
| about 12 characters long appears with nothing in it - it's
| a highlighted non-printable series of characters.
|
| Only when I right-click and select Properties is the
| "cache name" of AdMiN@CoMcAsT[0]0tXt listed
| having a length of 88 bytes.
|



And what about viewing them in a WinXP Command Prompt ?
88 bytes is nothing. Sounds about right for a cookie. Not for an exploit, virus or other
malicious code. Even a Link (.LNK) file is larger.

|
| I don't know. I followed the instructions you gave
| and got to the Start Menu OK and exited as your
| instructions said. It is not known to me whether
| anything but installation routines actually ran.
| The other scans took me more than 3 hours, so
| I would have to allot that amount of time to do them
| again.
||
| I'll try that again in a few hours as I need my (somewhat
| flaky) computer for other stuff right now. I'll post the
| results. Thanks for the continued attention.
|
| *TimDaniels*



I look forward to the results. You could run SYSCLEAN.COM within the Trend Sysclean Front End
w/o rebooting into Safe Mode, but IF there was something bad found, running in Safe Mode,
Sysclean will be more effective at removing it.
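Two points in this exchange, that a cookie file is plain text rather than anything executable and that an undisplayable name can be examined from a command line rather than by opening the file, can be checked mechanically. The script below is an added example and not from the thread or from any of the tools named in it; it triages (name, bytes) pairs from IE's cache folder by revealing every non-printable code point in the name, checking the name against the classic `user@domain[n].txt` cookie naming pattern, and testing whether the content has the classic IE cookie text layout or instead starts with a PE (`MZ`) header. All sample entries are constructed in memory, including an 88-byte cookie record like the one reported, so it runs anywhere.

```python
"""Added example (not from the thread): triage an entry in IE's Temporary
Internet Files / Cookies folder without opening it in an application.
Runs on constructed in-memory (name, bytes) samples; on a real box you
would read the pairs from the cache directory instead."""
import re

# Classic IE cookie files are named "<user>@<domain>[<n>].txt". NTFS names
# are case-insensitive, so mixed case in the name is not significant and the
# pattern is matched case-insensitively too.
COOKIE_NAME_RE = re.compile(r"^[^@\\/]+@[^\[\]\\/]+\[\d+\]\.txt$", re.IGNORECASE)


def escape_name(name: str) -> str:
    """Show every code point Explorer cannot render (control characters,
    non-ASCII) as \\uXXXX so the real file name becomes visible."""
    return "".join(
        ch if ch.isascii() and ch.isprintable() else f"\\u{ord(ch):04x}"
        for ch in name
    )


def looks_like_ie_cookie_text(data: bytes) -> bool:
    """Classic IE cookie .txt layout: 9-line records of name, value,
    host/path, flags, expiry lo, expiry hi, created lo, created hi, '*'.
    Anything that is not plain ASCII in that shape is reported as not-a-cookie."""
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        return False
    lines = text.replace("\r\n", "\n").split("\n")
    if lines and lines[-1] == "":
        lines.pop()                      # trailing newline
    if not lines or len(lines) % 9:
        return False
    for i in range(0, len(lines), 9):
        rec = lines[i:i + 9]
        if rec[8] != "*" or "/" not in rec[2]:
            return False
        if not all(f.isdigit() for f in rec[3:8]):   # the four timestamps + flags
            return False
    return True


def inspect_entry(name: str, data: bytes) -> dict:
    """Return what a defender wants to know before deciding what the file is."""
    is_cookie = looks_like_ie_cookie_text(data)
    is_pe = data[:2] == b"MZ"            # DOS/PE executable image header
    if is_cookie:
        verdict = "cookie text"
    elif is_pe:
        verdict = "executable image despite the name"
    else:
        verdict = "unrecognized content, inspect bytes"
    shown = escape_name(name)
    return {
        "display_name": shown,
        "has_nonprintable": shown != name,
        "name_matches_ie_cookie_pattern": bool(COOKIE_NAME_RE.match(name)),
        "size": len(data),
        "is_cookie_text": is_cookie,
        "verdict": verdict,
    }


# Constructed samples. SAMPLE_COOKIE is an 88-byte single-record cookie,
# the size reported in the thread; every value in it is made up.
SAMPLE_COOKIE = (
    b"SESSID\n" b"abc1234567890abcdef0\n" b"comcast.net/\n" b"1536\n"
    b"3143614464\n" b"30412905\n" b"2209024512\n" b"29899231\n" b"*\n"
)
SAMPLES = [
    ("Admin@comcast[1].txt", SAMPLE_COOKIE),
    # same content, but the name carries two control characters that Explorer
    # renders as empty boxes: this is what a "non-printable" name looks like
    ("AdMiN@CoMcAsT[1]\x01\x02.tXt", SAMPLE_COOKIE),
    ("readme.txt", b"MZ\x90\x00" + b"\x00" * 60),   # PE header under a .txt name
]


def triage(entries=SAMPLES) -> list:
    """Inspect every (name, bytes) pair and return one report per entry."""
    return [inspect_entry(n, d) for n, d in entries]


if __name__ == "__main__":
    for report in triage():
        print(report)
```

On a live system, the `display_name` field is what you would paste into `del` in a Command Prompt, since it spells out the characters Explorer shows as boxes.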
 
David H. Lipman said:
From: "Timothy Daniels":

|>>>>
|>>>> The cookie is still there and I still cannot delete it.
|>>>>
|>>
|>> The OS is Windows XP Pro.
|>>
|>> I have no Comcast software installed that I know of
|>> and I've never downloaded any software from
|>> Comcast that I know of.
|>>
|>> I suspect that "AdMiN" (similar to my account username
|>> "Admin") and "CoMcAsT" (similar to "Comcast", my ISP)
|>> were chosen to appear familiar and therefore legitimate.
|>> The extension ("tXt") is similar to "txt", but for all I know,
|>> the cookie is an executable file and it will execute if I try
|>> to open it.
|>>
|>> A full system scan by Norton Anti-Virus with the latest
|>> updates (3hrs, 6min) reveals no viruses.
|>>
|>> Yet this cookie with the invisible name remains in the
|>> Temporary Internet Files folder, and I cannot delete it.
|>> What permissions could I re-set to be allowed to
|>> delete it?
|>>
|>> *TimDaniels*
|
| No.
|
|
| My IE does not appear to be branded, and it has no
| Comcast logo.
|
|
| This cookie is obviously non-standard, and why
| would its last 3 characters be "tXt"? That second
| character is an uppercase "x", making it appear
| to be a .txt file to the unsuspicious and therefore
| openable to the curious user. One of the viruses
| described in print media about a year ago had
| fake extensions that made them to appear not to
| be executable files.
|
|
| Who said this was a legitimate cookie? Why is its
| filename non-printable?
|
| *TimDaniels*

So the file uses mixed case characters -- no big deal.

Have you run the Trend Sysclean utility yet ?

If you haven't here are the instructions again, specific to using Trend Sysclean...

Dump the contents of the IE Temporary Internet Folder cache (TIF)

start --> settings --> control panel --> internet options --> delete files

1) Download the following...

Trend Sysclean Method 1
---------------------------------------
Trend Sysclean Package
http://www.trendmicro.com/download/dcs.asp

Latest Trend signature files.
http://www.trendmicro.com/download/pattern.asp

Create a directory.
On drive "C:\"
(e.g., "c:\sysclean")

Download SYSCLEAN.COM and place it in that directory.
Download the signature files (pattern files) by obtaining the ZIP file.
For example; lpt524.zip

Extract the contents of the ZIP file and place the contents in the same directory as
SYSCLEAN.COM.

Trend Sysclean Method 2
---------------------------------------
The utility SYSCLEAN_FE in "Procedure 1" at the following URL
http://www.ik-cs.com/got-a-virus.htm automates the download and execution process of the
Trend Sysclean Package.


2) Disable System Restore
http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
3) Reboot your PC into Safe Mode then shutdown as many applications as possible.
4) Using the Trend Sysclean utility, perform a Full Scan of your
platform and clean/delete any infectors found
5) Restart your PC and perform a "final" Full Scan of your platform
6) Re-enable System Restore and re-apply any System Restore
preferences, (e.g. HD space to use suggested 400 ~ 600MB),
7) Reboot your PC.
8) Create a new Restore point
Start --> programs --> Accessories --> system tools --> System Restore

* * Please report back your results * *


I've done the Sysclean from Trend Micro using Method 1 but
didn't do the Disable System Restore/Re-enable thing. The scan
(lasting about 3 hours) didn't find any viruses, although it did find a
bunch of file errors and it got Access Denied for a bunch of files.
The log is supplied here in-line. Do you see any clues?

---------------------------------------------------------------------------



/--------------------------------------------------------------\
| Trend Micro Sysclean Package |
| Copyright 2002, Trend Micro, Inc. |
| http://www.trendmicro.com |
\--------------------------------------------------------------/


2005-04-07, 01:16:15, Auto-clean mode specified.
2005-04-07, 01:16:15, Running scanner "C:\My Downloads\TrendMicro\TSC.BIN"...
2005-04-07, 01:17:06, Scanner "C:\My Downloads\TrendMicro\TSC.BIN" has finished running.
2005-04-07, 01:17:06, TSC Log:

Damage Cleanup Engine (DCE) 3.9(Build 1020)
Windows XP(Build 2600: Service Pack 2)

Start time : Thu Apr 07 2005 01:16:17

Load Damage Cleanup Template (DCT) "C:\My Downloads\TrendMicro\tsc.ptn" (version 575) [success]

Complete time : Thu Apr 07 2005 01:17:06
Execute pattern count(2330), Virus found count(0), Virus clean count(0), Clean failed count(0)

2005-04-07, 01:17:07, An error occurred while scanning file "C:\Documents and Settings\Admin\NTUSER.DAT": Access is denied.
2005-04-07, 01:17:07, An error occurred while scanning file "C:\Documents and Settings\Admin\ntuser.dat.LOG": Access is denied.
2005-04-07, 01:19:32, An error occurred while scanning file "C:\Documents and Settings\Admin\Local Settings\Application
Data\Microsoft\Windows\UsrClass.dat": Access is denied.
2005-04-07, 01:19:32, An error occurred while scanning file "C:\Documents and Settings\Admin\Local Settings\Application
Data\Microsoft\Windows\UsrClass.dat.LOG": Access is denied.
2005-04-07, 01:20:14, Could not set file for reading on "C:\Documents and Settings\All Users\Application
Data\Microsoft\Crypto\RSA\MachineKeys\7a436fe806e483969f48a894af2fe9a1_b44bbe5d-070c-4fdc-abb8-3fd74d208407": Access is denied.
2005-04-07, 01:21:10, An error occurred while scanning file "C:\Documents and Settings\LocalService\NTUSER.DAT": Access is denied.
2005-04-07, 01:21:10, An error occurred while scanning file "C:\Documents and Settings\LocalService\ntuser.dat.LOG": Access is
denied.
2005-04-07, 01:21:11, An error occurred while scanning file "C:\Documents and Settings\LocalService\Local Settings\Application
Data\Microsoft\Windows\UsrClass.dat": Access is denied.
2005-04-07, 01:21:11, An error occurred while scanning file "C:\Documents and Settings\LocalService\Local Settings\Application
Data\Microsoft\Windows\UsrClass.dat.LOG": Access is denied.
2005-04-07, 01:21:11, An error occurred while scanning file "C:\Documents and Settings\NetworkService\NTUSER.DAT": Access is
denied.
2005-04-07, 01:21:11, An error occurred while scanning file "C:\Documents and Settings\NetworkService\ntuser.dat.LOG": Access is
denied.
2005-04-07, 01:21:12, An error occurred while scanning file "C:\Documents and Settings\NetworkService\Local Settings\Application
Data\Microsoft\Windows\UsrClass.dat": Access is denied.
2005-04-07, 01:21:12, An error occurred while scanning file "C:\Documents and Settings\NetworkService\Local Settings\Application
Data\Microsoft\Windows\UsrClass.dat.LOG": Access is denied.
2005-04-07, 01:41:56, Could not set file for reading on "C:\RECYCLER\NPROTECT\NPROTECT.LOG": Access is denied.
2005-04-07, 01:41:57, An error was detected on "C:\System Volume Information\*.*": Access is denied.
2005-04-07, 01:48:56, Could not set file for reading on "C:\WINDOWS\Prefetch\ACRORD32.EXE-13285B88.pf": Access is denied.
2005-04-07, 01:48:56, Could not set file for reading on "C:\WINDOWS\Prefetch\ACRORD32INFO.EXE-013EA364.pf": Access is denied.
2005-04-07, 01:48:56, Could not set file for reading on "C:\WINDOWS\Prefetch\AD-AWARE.EXE-2ED3360E.pf": Access is denied.
2005-04-07, 01:48:56, Could not set file for reading on "C:\WINDOWS\Prefetch\ALG.EXE-0F138680.pf": Access is denied.
2005-04-07, 01:48:56, Could not set file for reading on "C:\WINDOWS\Prefetch\BRMFRSMG.EXE-20778BE4.pf": Access is denied.
2005-04-07, 01:48:56, Could not set file for reading on "C:\WINDOWS\Prefetch\CACLS.EXE-25504E4A.pf": Access is denied.
2005-04-07, 01:48:56, Could not set file for reading on "C:\WINDOWS\Prefetch\CCAPP.EXE-1207B2A5.pf": Access is denied.
2005-04-07, 01:48:56, Could not set file for reading on "C:\WINDOWS\Prefetch\CCLGVIEW.EXE-084E7031.pf": Access is denied.
2005-04-07, 01:48:56, Could not set file for reading on "C:\WINDOWS\Prefetch\CCPWDSVC.EXE-25BE6B86.pf": Access is denied.
2005-04-07, 01:48:56, Could not set file for reading on "C:\WINDOWS\Prefetch\CCREGVFY.EXE-08FB5B2E.pf": Access is denied.
2005-04-07, 01:48:56, Could not set file for reading on "C:\WINDOWS\Prefetch\CHARMAP.EXE-294D64C0.pf": Access is denied.
2005-04-07, 01:48:56, Could not set file for reading on "C:\WINDOWS\Prefetch\CMD.EXE-087B4001.pf": Access is denied.
2005-04-07, 01:48:56, Could not set file for reading on "C:\WINDOWS\Prefetch\CONTROL.EXE-013DBFB5.pf": Access is denied.
2005-04-07, 01:48:56, Could not set file for reading on "C:\WINDOWS\Prefetch\CTFMON.EXE-0E17969B.pf": Access is denied.
2005-04-07, 01:48:56, Could not set file for reading on "C:\WINDOWS\Prefetch\DEFRAG.EXE-273F131E.pf": Access is denied.
2005-04-07, 01:48:56, Could not set file for reading on "C:\WINDOWS\Prefetch\DFRGNTFS.EXE-269967DF.pf": Access is denied.
2005-04-07, 01:48:56, Could not set file for reading on "C:\WINDOWS\Prefetch\DMADMIN.EXE-00BCB146.pf": Access is denied.
2005-04-07, 01:48:56, Could not set file for reading on "C:\WINDOWS\Prefetch\DMREMOTE.EXE-2F82CB90.pf": Access is denied.
2005-04-07, 01:48:56, Could not set file for reading on "C:\WINDOWS\Prefetch\DUMPREP.EXE-1B46F901.pf": Access is denied.
2005-04-07, 01:48:56, Could not set file for reading on "C:\WINDOWS\Prefetch\DWWIN.EXE-30875ADC.pf": Access is denied.
2005-04-07, 01:48:56, Could not set file for reading on "C:\WINDOWS\Prefetch\EXPLORER.EXE-082F38A9.pf": Access is denied.
2005-04-07, 01:48:56, Could not set file for reading on "C:\WINDOWS\Prefetch\FXSCLNT.EXE-032F1FB6.pf": Access is denied.
2005-04-07, 01:48:56, Could not set file for reading on "C:\WINDOWS\Prefetch\FXSSVC.EXE-3B8F7819.pf": Access is denied.
2005-04-07, 01:48:56, Could not set file for reading on "C:\WINDOWS\Prefetch\HELP.EXE-085DD6F3.pf": Access is denied.
2005-04-07, 01:48:56, Could not set file for reading on "C:\WINDOWS\Prefetch\IEXPLORE.EXE-27122324.pf": Access is denied.
2005-04-07, 01:48:56, Could not set file for reading on "C:\WINDOWS\Prefetch\IMAPI.EXE-0BF740A4.pf": Access is denied.
2005-04-07, 01:48:56, Could not set file for reading on "C:\WINDOWS\Prefetch\IPCONFIG.EXE-2395F30B.pf": Access is denied.
2005-04-07, 01:48:56, Could not set file for reading on "C:\WINDOWS\Prefetch\KIX32.EXE-22F7E367.pf": Access is denied.
2005-04-07, 01:48:56, Could not set file for reading on "C:\WINDOWS\Prefetch\Layout.ini": Access is denied.
2005-04-07, 01:48:56, Could not set file for reading on "C:\WINDOWS\Prefetch\LOGON.SCR-151EFAEA.pf": Access is denied.
2005-04-07, 01:48:56, Could not set file for reading on "C:\WINDOWS\Prefetch\LOGONUI.EXE-0AF22957.pf": Access is denied.
2005-04-07, 01:48:56, Could not set file for reading on "C:\WINDOWS\Prefetch\LUALL.EXE-30AC8E48.pf": Access is denied.
2005-04-07, 01:48:56, Could not set file for reading on "C:\WINDOWS\Prefetch\LUCOMS~1.EXE-02DB5950.pf": Access is denied.
2005-04-07, 01:48:56, Could not set file for reading on "C:\WINDOWS\Prefetch\MMC.EXE-22FA564C.pf": Access is denied.
2005-04-07, 01:48:56, Could not set file for reading on "C:\WINDOWS\Prefetch\MMC.EXE-32E3CF55.pf": Access is denied.
2005-04-07, 01:48:56, Could not set file for reading on "C:\WINDOWS\Prefetch\MRT.EXE-0E91529F.pf": Access is denied.
2005-04-07, 01:48:56, Could not set file for reading on "C:\WINDOWS\Prefetch\MSHTA.EXE-331DF029.pf": Access is denied.
2005-04-07, 01:48:56, Could not set file for reading on "C:\WINDOWS\Prefetch\MSIMN.EXE-38BA891D.pf": Access is denied.
2005-04-07, 01:48:56, Could not set file for reading on "C:\WINDOWS\Prefetch\MSMSGS.EXE-2B6052DE.pf": Access is denied.
2005-04-07, 01:48:56, Could not set file for reading on "C:\WINDOWS\Prefetch\NAVW32.EXE-15E66405.pf": Access is denied.
2005-04-07, 01:48:56, Could not set file for reading on "C:\WINDOWS\Prefetch\NAVW32.EXE-286920DF.pf": Access is denied.
2005-04-07, 01:48:56, Could not set file for reading on "C:\WINDOWS\Prefetch\NMAIN.EXE-2BA406E0.pf": Access is denied.
2005-04-07, 01:48:56, Could not set file for reading on "C:\WINDOWS\Prefetch\NOTEPAD.EXE-336351A9.pf": Access is denied.
2005-04-07, 01:48:56, Could not set file for reading on "C:\WINDOWS\Prefetch\NTOSBOOT-B00DFAAD.pf": Access is denied.
2005-04-07, 01:48:56, Could not set file for reading on "C:\WINDOWS\Prefetch\NTVDM.EXE-1A10A423.pf": Access is denied.
2005-04-07, 01:48:56, Could not set file for reading on "C:\WINDOWS\Prefetch\NWIZ.EXE-2D0F9FBC.pf": Access is denied.
2005-04-07, 01:48:56, Could not set file for reading on "C:\WINDOWS\Prefetch\OSA.EXE-2CD63980.pf": Access is denied.
2005-04-07, 01:48:56, Could not set file for reading on "C:\WINDOWS\Prefetch\QTTASK.EXE-342507FB.pf": Access is denied.
2005-04-07, 01:48:56, Could not set file for reading on "C:\WINDOWS\Prefetch\READER_SL.EXE-3614FA6E.pf": Access is denied.
2005-04-07, 01:48:56, Could not set file for reading on "C:\WINDOWS\Prefetch\REGEDIT.EXE-1B606482.pf": Access is denied.
2005-04-07, 01:48:56, Could not set file for reading on "C:\WINDOWS\Prefetch\RSMSINK.EXE-032F2BAB.pf": Access is denied.
2005-04-07, 01:48:56, Could not set file for reading on "C:\WINDOWS\Prefetch\RUNDLL32.EXE-13CC3015.pf": Access is denied.
2005-04-07, 01:48:56, Could not set file for reading on "C:\WINDOWS\Prefetch\RUNDLL32.EXE-147710F4.pf": Access is denied.
2005-04-07, 01:48:56, Could not set file for reading on "C:\WINDOWS\Prefetch\RUNDLL32.EXE-2045F969.pf": Access is denied.
2005-04-07, 01:48:56, Could not set file for reading on "C:\WINDOWS\Prefetch\RUNDLL32.EXE-247FE6B9.pf": Access is denied.
2005-04-07, 01:48:56, Could not set file for reading on "C:\WINDOWS\Prefetch\RUNDLL32.EXE-268BFF96.pf": Access is denied.
2005-04-07, 01:48:56, Could not set file for reading on "C:\WINDOWS\Prefetch\RUNDLL32.EXE-2C6555E8.pf": Access is denied.
2005-04-07, 01:48:56, Could not set file for reading on "C:\WINDOWS\Prefetch\RUNDLL32.EXE-2CD85FD3.pf": Access is denied.
2005-04-07, 01:48:56, Could not set file for reading on "C:\WINDOWS\Prefetch\RUNDLL32.EXE-311943EE.pf": Access is denied.
2005-04-07, 01:48:56, Could not set file for reading on "C:\WINDOWS\Prefetch\RUNDLL32.EXE-34A1FC07.pf": Access is denied.
2005-04-07, 01:48:56, Could not set file for reading on "C:\WINDOWS\Prefetch\RUNDLL32.EXE-464BF094.pf": Access is denied.
2005-04-07, 01:48:56, Could not set file for reading on "C:\WINDOWS\Prefetch\SNDMON.EXE-0A6C21A2.pf": Access is denied.
2005-04-07, 01:48:56, Could not set file for reading on "C:\WINDOWS\Prefetch\SPYBOTSD.EXE-1344276B.pf": Access is denied.
2005-04-07, 01:48:56, Could not set file for reading on "C:\WINDOWS\Prefetch\SQLMANGR.EXE-0150BA62.pf": Access is denied.
2005-04-07, 01:48:56, Could not set file for reading on "C:\WINDOWS\Prefetch\SYMWSCNO.EXE-31BC23A5.pf": Access is denied.
2005-04-07, 01:48:56, Could not set file for reading on "C:\WINDOWS\Prefetch\SYSCLEAN.COM-3965BBCF.pf": Access is denied.
2005-04-07, 01:48:56, Could not set file for reading on "C:\WINDOWS\Prefetch\SYSCLEAN.EXE-10872692.pf": Access is denied.
2005-04-07, 01:48:56, Could not set file for reading on "C:\WINDOWS\Prefetch\SYSCLEAN_FE[1].EXE-25AEC378.pf": Access is denied.
2005-04-07, 01:48:56, Could not set file for reading on "C:\WINDOWS\Prefetch\TASKMGR.EXE-20256C55.pf": Access is denied.
2005-04-07, 01:48:56, Could not set file for reading on "C:\WINDOWS\Prefetch\TELNET.EXE-24182D40.pf": Access is denied.
2005-04-07, 01:48:56, Could not set file for reading on "C:\WINDOWS\Prefetch\TSC.BIN-355426D0.pf": Access is denied.
2005-04-07, 01:48:56, Could not set file for reading on "C:\WINDOWS\Prefetch\USERINIT.EXE-30B18140.pf": Access is denied.
2005-04-07, 01:48:56, Could not set file for reading on "C:\WINDOWS\Prefetch\WGET.EXE-37E2283C.pf": Access is denied.
2005-04-07, 01:48:56, Could not set file for reading on "C:\WINDOWS\Prefetch\WINDOWS-KB890830-V1.2-ENU.EXE-08D6E2D7.pf": Access is
denied.
2005-04-07, 01:48:56, Could not set file for reading on "C:\WINDOWS\Prefetch\WINWORD.EXE-29F5CB89.pf": Access is denied.
2005-04-07, 01:48:56, Could not set file for reading on "C:\WINDOWS\Prefetch\WMIADAP.EXE-2DF425B2.pf": Access is denied.
2005-04-07, 01:48:56, Could not set file for reading on "C:\WINDOWS\Prefetch\WMIPRVSE.EXE-28F301A9.pf": Access is denied.
2005-04-07, 01:48:56, Could not set file for reading on "C:\WINDOWS\Prefetch\WUAUCLT.EXE-399A8E72.pf": Access is denied.
2005-04-07, 01:48:56, Could not set file for reading on "C:\WINDOWS\Prefetch\WUPDMGR.EXE-2F30BEAB.pf": Access is denied.
2005-04-07, 01:51:58, An error occurred while scanning file "C:\WINDOWS\system32\config\default": Access is denied.
2005-04-07, 01:51:58, An error occurred while scanning file "C:\WINDOWS\system32\config\default.LOG": Access is denied.
2005-04-07, 01:51:58, An error occurred while scanning file "C:\WINDOWS\system32\config\SAM": Access is denied.
2005-04-07, 01:51:58, An error occurred while scanning file "C:\WINDOWS\system32\config\SAM.LOG": Access is denied.
2005-04-07, 01:51:59, An error occurred while scanning file "C:\WINDOWS\system32\config\SECURITY": Access is denied.
2005-04-07, 01:51:59, An error occurred while scanning file "C:\WINDOWS\system32\config\SECURITY.LOG": Access is denied.
2005-04-07, 01:51:59, An error occurred while scanning file "C:\WINDOWS\system32\config\software": Access is denied.
2005-04-07, 01:51:59, An error occurred while scanning file "C:\WINDOWS\system32\config\software.LOG": Access is denied.
2005-04-07, 01:51:59, An error occurred while scanning file "C:\WINDOWS\system32\config\system": Access is denied.
2005-04-07, 01:51:59, An error occurred while scanning file "C:\WINDOWS\system32\config\system.LOG": Access is denied.
2005-04-07, 01:54:12, An error occurred while scanning file "C:\WINDOWS\Temp\Perflib_Perfdata_78c.dat": Access is denied.
2005-04-07, 01:54:19, Running scanner "C:\My Downloads\TrendMicro\VSCANTM.BIN"...
2005-04-07, 02:47:33, Files Detected:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 4/7/2005 01:54:19
VSAPI Engine Version : 7.000-1004
VSCANTM Version : 1.1-1001
Virus Pattern Version : 546 (98506 Patterns) (2005/04/06) (254600)
Command Line: C:\My Downloads\TrendMicro\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.*
/P=C:\My Downloads\TrendMicro

63110 files have been read.
63110 files have been checked.
55410 files have been scanned.
71973 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At : 4/7/2005 02:47:33
---------*---------*---------*---------*---------*---------*---------*---------*
2005-04-07, 02:47:33, Files Clean:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 4/7/2005 01:54:19
VSAPI Engine Version : 7.000-1004
VSCANTM Version : 1.1-1001
Virus Pattern Version : 546 (98506 Patterns) (2005/04/06) (254600)
Command Line: C:\My Downloads\TrendMicro\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.*
/P=C:\My Downloads\TrendMicro

63110 files have been read.
63110 files have been checked.
55410 files have been scanned.
71973 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At : 4/7/2005 02:47:33 53 minutes 13 seconds (3192.71 seconds) has elapsed.

---------*---------*---------*---------*---------*---------*---------*---------*
2005-04-07, 02:47:33, Clean Fail:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 4/7/2005 01:54:19
VSAPI Engine Version : 7.000-1004
VSCANTM Version : 1.1-1001
Virus Pattern Version : 546 (98506 Patterns) (2005/04/06) (254600)
Command Line: C:\My Downloads\TrendMicro\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.*
/P=C:\My Downloads\TrendMicro

63110 files have been read.
63110 files have been checked.
55410 files have been scanned.
71973 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At : 4/7/2005 02:47:33 53 minutes 13 seconds (3192.71 seconds) has elapsed.

---------*---------*---------*---------*---------*---------*---------*---------*
2005-04-07, 02:47:33, Scanner "C:\My Downloads\TrendMicro\VSCANTM.BIN" has finished running.
2005-04-07, 02:48:23, The user stopped the operation.



*TimDaniels*
 
From: "Timothy Daniels" <[email protected]>


|
| I've done the Sysclean from Trend Micro using Method 1 but
| didn't do the Disable System Restore/Re-enable thing. The scan
| (lasting about 3 hours) didn't find any viruses, although it did find a
| bunch of file errors and it got Access Denied for a bunch of files.
| The log is supplied here in-line. Do you see any clues?
|

< sysclean log snipped >

| --------------------------------------------------------------------------- |
| *TimDaniels*


Most are file handles that are open and thus can't be scanned. Others are files for which you
will need to be logged in as ADMINISTRATOR or as a user with administrative rights.

As you noted, no infectors were found.
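The access-denied list in the log can be sorted mechanically. What follows is an added example, not part of this thread and not a Trend Micro tool: a small Python script that parses Sysclean log lines of the form shown above, buckets every "Access is denied" entry into the categories David's reply points at (registry hives under system32\config, .pf traces under Prefetch, Perflib scratch files under Temp), lists whatever matches none of them, and reads off the scanner's "N files containing viruses." verdict. The category patterns are my choice, and the Temp\~df1234.tmp line is constructed to show an unexplained entry; the other sample lines are copied from the log above.

```python
r"""Triage of a Trend Micro Sysclean log (added example, not Trend Micro code).

Classifies each "Access is denied" entry by the kind of file it names so the
entries David describes as expected (files held open by the running system,
or readable only with administrative rights) can be separated from anything
that deserves a closer look, and extracts the scanner's own verdict line.
"""
import re
from collections import Counter

# One Sysclean error line: <date>, <time>, <message> "<path>": <error>.
LINE_RE = re.compile(
    r'^(?P<date>\d{4}-\d{2}-\d{2}), (?P<time>\d{2}:\d{2}:\d{2}), '
    r'(?P<msg>Could not set file for reading on|An error occurred while scanning file) '
    r'"(?P<path>[^"]+)": (?P<err>[^.]+)\.$'
)
# VSCANTM summary line, e.g. "0 files containing viruses."
VERDICT_RE = re.compile(r'^(?P<n>\d+) files containing viruses\.$')

# Paths an on-demand scanner normally cannot open while Windows is running.
# Assumed categories, ordered: first match wins.
KNOWN_DENIED = (
    ("registry hive",
     re.compile(r'\\system32\\config\\(?:SAM|SECURITY|software|system|default)(?:\.LOG)?$', re.I)),
    ("prefetch trace",
     re.compile(r'\\Prefetch\\[^\\]+\.pf$', re.I)),
    ("perflib scratch file",
     re.compile(r'\\Temp\\Perflib_Perfdata_[0-9A-Fa-f]+\.dat$', re.I)),
)


def parse_line(line):
    """Return the fields of one error line, or None for any other line."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(path):
    """Name the known category a denied path falls into, else 'unexplained'."""
    for name, pattern in KNOWN_DENIED:
        if pattern.search(path):
            return name
    return "unexplained"


def triage(log_text):
    """Summarise a Sysclean log: denied entries per category, the paths that
    match no known category, and the scanner's virus count (None if absent)."""
    counts = Counter()
    unexplained = []
    viruses = None
    for raw in log_text.splitlines():
        verdict = VERDICT_RE.match(raw.strip())
        if verdict:
            viruses = int(verdict.group("n"))
            continue
        entry = parse_line(raw)
        if entry is None or entry["err"] != "Access is denied":
            continue
        category = classify(entry["path"])
        counts[category] += 1
        if category == "unexplained":
            unexplained.append(entry["path"])
    return {"denied": dict(counts), "unexplained": unexplained, "viruses_found": viruses}


# Sample input: lines copied from the posted log, plus one constructed line
# (the Temp\~df1234.tmp entry) that matches no known category.
SAMPLE_LOG = r"""
2005-04-07, 01:48:56, Could not set file for reading on "C:\WINDOWS\Prefetch\TASKMGR.EXE-20256C55.pf": Access is denied.
2005-04-07, 01:48:56, Could not set file for reading on "C:\WINDOWS\Prefetch\USERINIT.EXE-30B18140.pf": Access is denied.
2005-04-07, 01:51:58, An error occurred while scanning file "C:\WINDOWS\system32\config\SAM": Access is denied.
2005-04-07, 01:51:58, An error occurred while scanning file "C:\WINDOWS\system32\config\SAM.LOG": Access is denied.
2005-04-07, 01:51:59, An error occurred while scanning file "C:\WINDOWS\system32\config\system": Access is denied.
2005-04-07, 01:54:12, An error occurred while scanning file "C:\WINDOWS\Temp\Perflib_Perfdata_78c.dat": Access is denied.
2005-04-07, 01:54:15, An error occurred while scanning file "C:\WINDOWS\Temp\~df1234.tmp": Access is denied.
2005-04-07, 01:54:19, Running scanner "C:\My Downloads\TrendMicro\VSCANTM.BIN"...
0 files containing viruses.
Found 0 viruses totally.
"""

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for category, n in sorted(result["denied"].items()):
        print(f"{n:4d}  {category}")
    for path in result["unexplained"]:
        print("look at:", path)
    print("viruses reported by scanner:", result["viruses_found"])
```

Run it against a full log saved from the Sysclean window and the "look at:" lines are the only access-denied entries worth chasing; everything in the three known buckets is what David describes.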
 
David H. Lipman said:
From: "Timothy Daniels" wrote:


|
| I've done the Sysclean from Trend Micro using Method 1 but
| didn't do the Disable System Restore/Re-enable thing. The scan
| (lasting about 3 hours) didn't find any viruses, although it did find a
| bunch of file errors and it got Access Denied for a bunch of files.
| The log is supplied here in-line. Do you see any clues?
|

< sysclean log snipped >

| --------------------------------------------------------------------------- |
| *TimDaniels*


Most are file handles that are open and thus can't be scanned.
Others are files for which you will need to be logged in as
ADMINISTRATOR or as a user with administrative rights.

As you noted, no infectors were found.


If by "infectors" you mean viruses and worms, yes, no infectors
were found by Trend Micro. Judging by the activity light on the
task bar at times when I've not made any requests, though,
*something* is transferring information over the Internet, and I'm
starting to suspect spyware. Oddly, for 2 days in a row, I wasn't
able to install Norton AV updates - about 8 seconds into the
installation (not downloading) of the updates, the PC would
freeze. Now the installation goes smoothly. The PC seems to
have "healed" itself. I'm still suspicious. And the undeletable
"cookie" remains undeletable.

*TimDaniels*
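On the file that will not go away: this is an added example, not something posted in the thread, and whether it applies to Tim's cookie is an assumption. Two common reasons a file shows an undisplayable glyph in Explorer and refuses to delete are control or format characters in its name, and names the Win32 path normaliser rewrites before the file system sees them (a reserved device name such as NUL or CON, or a trailing dot or space). Files of the second kind can be addressed through the extended-length \\?\ prefix, which tells the API to pass the name through unchanged. The Python below flags such names in a listing and builds the \\?\ path to use; the directory listing is constructed.

```python
r"""Spotting Win32 file names Explorer cannot display or delete
(added example, not from the thread)."""
import os
import unicodedata

# Device names that Win32 resolves before the file system, with or without
# an extension ("nul.txt" is still the NUL device).
RESERVED = {"CON", "PRN", "AUX", "NUL"} | {f"COM{i}" for i in range(1, 10)} | {f"LPT{i}" for i in range(1, 10)}


def name_problems(name):
    """Return the reasons a name may be undisplayable or undeletable ([] if none)."""
    reasons = []
    if any(unicodedata.category(ch) in ("Cc", "Cf") for ch in name):
        reasons.append("control or format character")
    if name != name.rstrip(". "):
        reasons.append("trailing dot or space")
    if name.split(".")[0].upper() in RESERVED:
        reasons.append("reserved device name")
    return reasons


def extended_path(path):
    r"""Prefix an absolute Windows path with \\?\ so Win32 skips normalisation."""
    if path.startswith("\\\\?\\"):
        return path
    if path.startswith("\\\\"):            # UNC share -> \\?\UNC\server\share\...
        return "\\\\?\\UNC\\" + path[2:]
    return "\\\\?\\" + path


def find_problem_names(directory, names):
    """Map each problematic name in a listing to (reasons, extended path to use)."""
    found = {}
    for n in names:
        problems = name_problems(n)
        if problems:
            found[n] = (problems, extended_path(directory.rstrip("\\") + "\\" + n))
    return found


def remove_stubborn(path):
    """Delete a file through its extended-length path. Windows only."""
    if os.name != "nt":
        raise OSError("extended-length paths are a Win32 feature")
    os.remove(extended_path(os.path.abspath(path)))


# Constructed listing: two ordinary IE cache names and three names that
# exhibit the problems above.
LISTING = [
    "index.dat",
    "admin@example[1].txt",
    "cookie\x01.txt",      # control character U+0001 in the name
    "notes.txt ",          # trailing space, stripped by Win32 normalisation
    "nul.txt",             # NUL is a reserved device name
]

if __name__ == "__main__":
    for name, (reasons, path) in find_problem_names(r"C:\Temp\TIF", LISTING).items():
        print(repr(name), "->", ", ".join(reasons), "| delete via", path)
```

The same prefix works from a command prompt: del "\\?\C:\path\to\file" removes a trailing-dot or reserved-name file that del without the prefix reports as not found. A name with control characters usually deletes once it is named exactly, which a wildcard (del cookie*.txt) or a directory listing piped through a script achieves without typing the glyph.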
 