010101.dat 250MB file - kazaa?

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

DanteG

Thread Starter
Joined
Sep 19, 2003
Messages
7
Hi,

I have found this large file which is constantly on my PC, and I think it may be used by Kazaa for caching files but I'm not sure. Does anyone know what it is and if it is safe to delete?

Thanks,

DG
 

DanteG

Thread Starter
Joined
Sep 19, 2003
Messages
7
Hi,

Yes, the file name is 010101.dat. Properties: Created 15 July 2003, Modified 15 July 2003, Size 269MB.

If you use Kazaa, do a search on your hard drive to see if you have the same file.

Thanks,

DG
 
Joined
Aug 1, 2002
Messages
5,531
Also - are you using regular Kazaa or Kazaalite?

If you're using Kazaa then get rid of it and install Kazaalite. In case you haven't read the many related threads here, Kazaa is full of junk spyware. Kazaalite is free of such impediments.
 

DanteG

Thread Starter
Joined
Sep 19, 2003
Messages
7
I used to use Kazaa but switched to Kazaa Lite a while back because of the spyware. That link you gave me to computing.net was actually my thread - I asked on that forum a few weeks ago but no-one could tell me if it is definitely a Kazaa file and whether it is ok to delete it. But thanks for looking for me anyway - I appreciate it.

DG
 
Joined
Jul 8, 2002
Messages
14,681
Kazaa uses .dat files to store partial downloads. It's probably a file you're in the process of downloading.
 
Joined
May 20, 2003
Messages
116
brendandonhu is right. All DAT files from Kazaa are files that never finished downloading. If you are in the process of downloading something named similar, keep it. If you canceled a download a long time ago, that file is gonna sit there and take up space, so just trash it.
 
Joined
Aug 10, 2003
Messages
401
Hate to be the one that bears possibly bad tidings, but if this link is correct then you have been infected with a worm on the Kazaa network called: Win32/HLLP.Hantaner

http://www.rav.ro/virus/showvirus.php?v=140
Win32/HLLP.Hantaner is a new executable files infector, written in Borland Delphi 6 and compressed with the well known packer UPX. The virus body size is 24064 bytes.

Hantaner infects all kinds of executables (DOS executables, PE executables, etc.) - actually any file with ".exe" extension, by shifting the original file content with the whole virus body. It also spreads using the Kazaa P2P sharing network, by infecting executables shared by the victim's computer.

The first time it is executed, Hantaner will read from the registry the path for the Internet Explorer download directory and for the Kazaa shared files and download directory locations. Then it will create a list of all executable files from those folders by searching for all files with ".exe" extension. Note that the files already infected by the virus are ignored.
At this point, Hantaner will create a temporary file in the Windows temporary folder, a file with a name that starts with "Joi" (from "Joiner"). This file is used to drop the original host file (that was appended at infection time) and then the file will be executed.
After this, Hantaner calls the infection routine. All executables found will be infected. In this process, the virus creates two more files in the Windows directory: "Hanta" and "010101.dat". Those files are deleted when the infection process ends.


Evilness: Potentially destructive (corrupts data while replicating)
Go to http://www.tomcoyote.org/hjt/ , and download 'Hijack This!'.
Unzip, doubleclick HijackThis.exe, and hit "Scan".

When the scan is finished, the "Scan" button will change into a "Save Log" button.
Press that, save the log somewhere, and please copy & paste its contents to the forum.

It will possibly show issues deserving our attention, but most of what it lists will be harmless or even required, so do NOT fix anything yet.
Someone here will be happy to help you analyze the results.
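
Added example, not part of the post above or of the quoted write-up: a small Python check built only from what the description states (the file names "Hanta" and "010101.dat", the "Joi" temp-file prefix, and a 24064-byte virus body placed in front of the original executable). The function names, the demo folder layout and the second-`MZ`-header heuristic are assumptions made for illustration.

```python
import os

VIRUS_BODY_SIZE = 24064                  # virus body size quoted in the description
DROPPED_NAMES = {"hanta", "010101.dat"}  # files it says are created in the Windows directory
TEMP_PREFIX = "joi"                      # prefix of the temporary file it describes

def find_dropped_files(windows_dir, temp_dir):
    """Return paths whose names match the files named in the description."""
    hits = [os.path.join(windows_dir, n) for n in sorted(os.listdir(windows_dir))
            if n.lower() in DROPPED_NAMES]
    hits += [os.path.join(temp_dir, n) for n in sorted(os.listdir(temp_dir))
             if n.lower().startswith(TEMP_PREFIX)]
    return hits

def looks_prepended(path):
    """Assumed heuristic: MZ header at offset 0 and a second one at offset 24064."""
    try:
        with open(path, "rb") as fh:
            if fh.read(2) != b"MZ":
                return False
            fh.seek(VIRUS_BODY_SIZE)  # where the original host would begin
            return fh.read(2) == b"MZ"
    except OSError:
        return False  # unreadable or locked file: report nothing rather than guess

def scan_executables(root):
    """Walk root and list .exe files that match the prepend heuristic."""
    flagged = []
    for folder, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(folder, name)
            if name.lower().endswith(".exe") and looks_prepended(full):
                flagged.append(full)
    return sorted(flagged)

def build_demo_tree(base):
    """Constructed sample data: empty files and zero-filled stubs, no real malware."""
    win, shared = os.path.join(base, "WINDOWS"), os.path.join(base, "Shared")
    tmp = os.path.join(win, "TEMP")
    os.makedirs(tmp)
    os.makedirs(shared)
    for path in (os.path.join(win, "Hanta"), os.path.join(win, "010101.dat"),
                 os.path.join(tmp, "Joi1.tmp")):
        open(path, "wb").close()
    with open(os.path.join(shared, "clean.exe"), "wb") as fh:
        fh.write(b"MZ" + b"\0" * 40000)
    with open(os.path.join(shared, "suspect.exe"), "wb") as fh:
        fh.write(b"MZ" + b"\0" * (VIRUS_BODY_SIZE - 2) + b"MZ" + b"\0" * 64)
    return win, tmp, shared
```

A match is only a reason to look closer: a clean program can happen to contain the bytes `MZ` at that offset, so confirm any flagged file with an up-to-date antivirus scanner before acting on it.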
 

DanteG

Thread Starter
Joined
Sep 19, 2003
Messages
7
Ok, now I am really worried. I searched for the Hanta file, which I found in my Windows folder along with the 010101.dat file. I ran Hijack this! (the scan only lasted about a second, is that normal?) and here are the results of the log file:

Logfile of HijackThis v1.97.2
Scan saved at 13:24:28, on 20/09/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\PDESK.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\LOGITECH\ITOUCH\ITOUCH.EXE
C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\POPROXY.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZONEALARM.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\RSRCMTR.EXE
C:\PROGRAM FILES\DIGIGUIDE\CLIENT01.EXE
C:\PROGRAM FILES\LOGITECH\ITOUCH\KBDTRAY\KBDTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\PROGRAM FILES\EDONKEY2000\EDONKEY2000.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\MY DOCUMENTS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.hotsearchbox.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.co.uk/0SEENGB/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ign.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BTopenworld
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://cgi1.ebay.co.uk/aw-cgi/ebayISAPI.dll?MyeBayItemsBiddingOn&userid=sjigga&pass=default&first=N&dayssince=2&ssPageName=MerchOff"); (C:\Program Files\Netscape\Users\simon\prefs.js)
O2 - BHO: (no name) - {F8A53FBE-5846-11D2-A022-006097D2400E} - (no file)
O3 - Toolbar: ReGet Bar - {17939A30-18E2-471E-9D3A-56DD725F1215} - C:\PROGRAM FILES\REGETDX\IEBAR.DLL
O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINDOWS\SYSTEM\PDesk.exe /Autolaunch
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\PROGRA~1\LOGITECH\ITOUCH\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Norton AntiVirus\POPROXY.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - Startup: DigiGuide (2).lnk = C:\Program Files\DigiGuide\client.exe
O4 - Startup: Resource Meter (2).lnk = C:\WINDOWS\RSRCMTR.EXE
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O8 - Extra context menu item: IE Zoom &In - C:\PROGRAM FILES\IE ZOOMER\IE Zoom In.htm
O8 - Extra context menu item: IE Zoom O&ut - C:\PROGRAM FILES\IE ZOOMER\IE Zoom Out.htm
O8 - Extra context menu item: Open in IE &Zoomer - C:\PROGRAM FILES\IE ZOOMER\Open in IE Zoomer.htm
O8 - Extra context menu item: IE Zoomer Help... - C:\PROGRAM FILES\IE ZOOMER\IE Zoomer Help.htm
O8 - Extra context menu item: Download A&ll by ReGet Deluxe - C:\PROGRAM FILES\COMMON FILES\REGET SHARED\CC_All.htm
O8 - Extra context menu item: Do&wnload by ReGet Deluxe - C:\PROGRAM FILES\COMMON FILES\REGET SHARED\CC_Link.htm
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O12 - Plugin for .cryp: C:\PROGRA~1\INTERN~1\PLUGINS\Npcl32.dll
O12 - Plugin for .AVI: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npavi32.dll
O12 - Plugin for .asx: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npdsplay.dll
O16 - DPF: {F7DC2A2E-FC34-11D3-B1D9-00A0C99B41BB} (Zoom Class) - http://www.fhm.com/girls/zoomify/download/zoomify138.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://www.installfromtheweb.com/install/iftwclix.cab
O16 - DPF: {3EDED642-E3C9-4E12-9883-9899820EEC3C} (DMPlayerX Control) - http://www.digimask.com/digimaskfun/pages/DMPlayerX.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {D22AC3EF-B7D8-11D5-A281-005056BF0101} (plug Class) - http://dist02.chargitdial.com/chargitplug.dll
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab

I don't have a clue what any of this means, but I would really appreciate your advice. I won't be able to sleep now until I can get this worm removed.

Thanks,

DG
 
Joined
Aug 11, 2003
Messages
221
If you don't think you need it, you can delete it.

I think you should delete it because look:

When downloading in KaZaA or KaZaA Lite, the temporary download .DAT files are named something like

download107583173.dat

not

010101.dat
 

DanteG

Thread Starter
Joined
Sep 19, 2003
Messages
7
Hey Bluecast,

Thanks for the advice but Topkat has pointed out that this is a worm, so I want to remove it properly and safely. Also, Kazaa .dat files used for temp downloads are actually stored in your download folder, whereas the 010101.dat file is in my Windows folder.

I have posted that HijackThis! log file as he instructed and am awaiting further assistance from anyone kind enough to help.

DG
 
Joined
Jul 8, 2002
Messages
14,681
Deleting the 2 files you have mentioned and scanning with an updated antivirus should be able to clear this up.
 

DanteG

Thread Starter
Joined
Sep 19, 2003
Messages
7
Do you think so? I am no expert, but is it not possible that this worm may have affected the registry or something like that?

Also, I have done a virus scan (Norton) and it was clean. Then I scanned the two files specifically and again it was clean. So Norton, for some reason, does not recognise this worm even with the latest virus definition update.

I just don't want to delete them thinking that the worm is gone, when in fact it is still there. I prefer to wait a little longer to see if anyone has had experience with removing this particular worm. Otherwise I will reluctantly take your advice and have to delete them and see what happens.

Oh, and if anyone would be kind enough to comment on my HijackThis! log file report, it would be much appreciated as I have no idea what it means (no new problems I hope!).

Thanks,

DG
 