
Solved: MSN - 80mb files added to HD every 5 minutes

Discussion in 'Virus & Other Malware Removal' started by amthmi, Jan 29, 2005.

Thread Status:
Not open for further replies.
  1. amthmi

    amthmi Thread Starter

    Joined:
    Mar 23, 2002
    Messages:
    519
    I started out with this post concerning a subfolder within MSN folder under Program Files.
    http://forums.techguy.org/t324070.html
    I should have posted it here instead.

    It's my hope that someone here can help me figure out what's going on.

    What I know..
    1. Computer is xp home and runs just fine. All updates are installed.
    2. No unusual spyware/malware found after running the usual programs...just tracking cookies.
    3. Called MSN tech support, they said that that's not one of their folders. Run a virus scan.
    4. Went to Trend and scanned with Housecall. The scan indicated the computer had Worm Klez.h
    5. Downloaded and ran the Klexfix from Symantec. After it finished scanning it said NO Klez infection found. I thought that Housecall would generate a report of its findings but that didn't happen. I could tell that it flagged the Klez in Documents and Settings but I couldn't see what file it was pointing to. I looked at all the files in Documents and Settings...didn't see anything unusual. I don't believe that what's happening is related to Klez, but not positive.
    Also confused by the Symantec tool coming up clean.
    6. Restore points have been deleted
    7. Have not uninstalled MSN and reinstalled as suggested from referenced post above.

    What's going on..
    1. As soon (and not before) you sign the computer onto the net via dialup service provided by MSN
    a folder is created under Program files/MSN called MSNCoreFiles.Promo. Then 79,068mb files
    are created at a rate of 1 or 2 every 5 minutes or so. This continues as long as you're online.

    2. ZoneAlarm doesn't flag anything unusual. There is just a tremendous amount of activity
    going thru ZA. The meter bar is always active. Going from memory here...I remember that
    one of the icons in the Programs Tab of ZA (near the top where it shows what's communicating)
    think it could have been the Generic Host icon...there were I believe 3 of them showing but one
    was constantly flashing.

    I'm not sure what to do from here..

    I didn't think to look at Task Manager for unusual activity until I left her place.
    I'm home now and not sure when I'll get back to her pc.

    How do I figure out what's doing this?

    The reason I was even working on her pc is she asked me to help install Verizon DSL service
    which includes MSN. That's when I noticed the 22gb folder...
    I didn't want to do anything with DSL until this issue was solved.

    I'm including in this post 2 screenshots, one of the created folder and the other of the
    files being created.
    I can include a hijackthis log if requested but it looks clean except for weatherbug
    which she wanted to keep.

    This is beyond my understanding of how to proceed and I need help.

    Thank you in advance
     
  2. amthmi

    amthmi Thread Starter

    Joined:
    Mar 23, 2002
    Messages:
    519
    I thought I uploaded both files.
    Here's the second one
     
  3. Mosaic1

    Mosaic1

    Joined:
    Aug 17, 2001
    Messages:
    7,486
    It would take an incredible amount of time to download a file that size (80 MB) on dialup.

    Let's have a look at what is loading under each process.
    Go here and download StartDreck

    http://www.niksoft.at/download/startdreck.htm

    Set it up like this:

    Under 'Registry' - Select All registry options
    Under 'System/Drivers' - Running Processes and List Modules
    Click 'OK'. Now, back on the main screen, click the 'Save' button > Give it a name and click 'Save' > locate the file you just created and launch it.

    This will show you all the dlls loaded under each running process. See if you can spot something which doesn't belong.

    What happens if you mark that folder as Read only? They can undo that, but do they?
     
  4. Mosaic1

    Mosaic1

    Joined:
    Aug 17, 2001
    Messages:
    7,486
    They could be just copying and then editing the next file. Could you resize those pictures or remove them please? They are causing a terrible scroll making it hard to read this thread. Thanks.

    Could you post a Hijackthis log please?
     
  5. amthmi

    amthmi Thread Starter

    Joined:
    Mar 23, 2002
    Messages:
    519
    I tried making the folder read only. It allowed me to but when I closed
    the properties box and rechecked it again, the read only was removed again.
    Let me just add...I can delete the folder with no problem..which I did several
    times. It just recreates itself as soon as you touch the net.

    I wanted to bring her pc with me here so I could test it over the weekend but
    wasn't able to last night. I was going to hook it up to my router and bypass
    the dialup and see what happens...If the folder doesn't get recreated with
    broadband then maybe I should be looking closer at msn somehow.

    I don't feel the files are being downloaded from the net...as you said, logic states
    that would require a lot of time.

    I feel these files are being created from within the pc itself.
    Only when online tho.

    The HijackThis log I have is from before the ZoneAlarm install but it is
    fairly current. The StartDreck will have to wait until I get over there.

    Logfile of HijackThis v1.99.0
    Scan saved at 3:48:47 PM, on 1/28/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
    C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
    C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
    C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
    C:\WINDOWS\System32\LXSUPMON.EXE
    C:\Program Files\AWS\WeatherBug\Weather.exe
    C:\Program Files\McAfee\McAfee VirusScan\Webscanx.exe
    C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
    C:\Program Files\HijackThis\HijackThis.exe
    C:\WINDOWS\System32\wuauclt.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
    O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
    O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /startmonitor
    O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
    O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
    O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
    O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1105904741671
    O23 - Service: AVSync Manager - Network Associates, Inc. - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
    O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: McShield - Unknown - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
    O23 - Service: WAN Miniport (ATW) Service - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
     
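Mosaic1's point in post 3 (an 80 MB file would take an incredible amount of time on dial-up) and amthmi's conclusion in post 5 (the files must be created from within the PC) can be checked with arithmetic rather than memory. The following is an added example, not code from the thread: it takes a constructed list of file-creation events shaped like the ones described (one or two ~80 MB .tmp files every five minutes) and compares the implied disk write rate with the capacity of a 56 kbps dial-up link. The timestamps, file names and the V.90 line rate are assumptions.

```python
from datetime import datetime

# Constructed sample of file-creation events modelled on the thread's
# description (one or two ~80 MB .tmp files every five minutes while the
# dial-up connection is up). Timestamps and names are invented; 79,068 KB
# is the per-file size the thread reports from Explorer.
SAMPLE_EVENTS = [
    ("2005-01-28 15:00:10", r"MSNCoreFiles.Promo\tmp0001.tmp", 79_068 * 1024),
    ("2005-01-28 15:04:55", r"MSNCoreFiles.Promo\tmp0002.tmp", 79_068 * 1024),
    ("2005-01-28 15:05:02", r"MSNCoreFiles.Promo\tmp0003.tmp", 79_068 * 1024),
    ("2005-01-28 15:10:20", r"MSNCoreFiles.Promo\tmp0004.tmp", 79_068 * 1024),
    ("2005-01-28 15:15:07", r"MSNCoreFiles.Promo\tmp0005.tmp", 79_068 * 1024),
]

# Nominal line rate of a V.90 modem in bits per second (assumed). Real throughput
# is lower, so this is a generous upper bound on what dial-up could deliver.
DIALUP_LINE_BPS = 56_000


def parse_events(rows):
    """Convert (timestamp, path, size) rows into (datetime, path, int) tuples sorted by time."""
    parsed = [(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), path, int(size))
              for ts, path, size in rows]
    return sorted(parsed, key=lambda e: e[0])


def link_capacity_bytes_per_sec(line_bps):
    """Best-case payload rate of a link, ignoring framing and protocol overhead."""
    return line_bps / 8


def observed_write_rate(events):
    """Average bytes per second landing on disk across the observed window."""
    if len(events) < 2:
        return 0.0
    elapsed = (events[-1][0] - events[0][0]).total_seconds()
    total = sum(size for _, _, size in events)
    return total / elapsed if elapsed > 0 else float("inf")


def seconds_to_download(size_bytes, line_bps):
    """How long the link would need to deliver one file of this size."""
    return size_bytes / link_capacity_bytes_per_sec(line_bps)


def classify_origin(events, line_bps=DIALUP_LINE_BPS):
    """Compare the disk write rate with link capacity; a ratio well above 1 means
    the bytes cannot be arriving over the network and must be produced locally."""
    rate = observed_write_rate(events)
    capacity = link_capacity_bytes_per_sec(line_bps)
    ratio = rate / capacity
    verdict = "generated locally" if ratio > 1 else "could be downloaded"
    return {"write_rate": rate, "link_capacity": capacity, "ratio": ratio, "verdict": verdict}


if __name__ == "__main__":
    result = classify_origin(parse_events(SAMPLE_EVENTS))
    one_file = seconds_to_download(SAMPLE_EVENTS[0][2], DIALUP_LINE_BPS)
    print(f"disk write rate {result['write_rate']:,.0f} B/s vs link {result['link_capacity']:,.0f} B/s")
    print(f"ratio {result['ratio']:.0f}x -> {result['verdict']}; one file needs {one_file / 3600:.1f} h on dial-up")
```

Fed the sample, the write rate is roughly 64 times what the link can carry and a single file would need over three hours to download, which is why the traffic ZoneAlarm showed cannot be the source of the bytes.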
  6. Mosaic1

    Mosaic1

    Joined:
    Aug 17, 2001
    Messages:
    7,486
    Hi amthmi,

    That's ugly. Would you also run a Startuplist when you get there with all the checkboxes marked? Have you looked at those tmp files in notepad?

    I have a feeling this is going to be a long one.

    Mo
     
  7. Mosaic1

    Mosaic1

    Joined:
    Aug 17, 2001
    Messages:
    7,486
    I see you are here. If you could connect when you go over there and run the logs while online, that would be good.
     
  8. amthmi

    amthmi Thread Starter

    Joined:
    Mar 23, 2002
    Messages:
    519
    Duh...I didn't think to try to open the tmp files.
    I'll do the Startuplist also and anything else that might be suggested.
    What's odd about this whole issue is there isn't any info on the net about it.
    Only the one hit in google
    In all your years doing this have you ever heard of such a thing happening ?
    I haven't.... and the traffic thru ZoneAlarm was surprising. I'm not sure it was
    net traffic either. I've never really taught myself very much about the communicating
    end of the net...as long as it worked I was happy.
    I'd like to know what was going thru ZA.

    I'm going to try and get the pc here soon...

    As always thanks for your help Mosaic1
     
  9. amthmi

    amthmi Thread Starter

    Joined:
    Mar 23, 2002
    Messages:
    519
    Ok I'll do that
    You think I should run 2 logs ?
    One online and one offline for comparison.
     
  10. Mosaic1

    Mosaic1

    Joined:
    Aug 17, 2001
    Messages:
    7,486
    You're welcome. I have seen nothing like this. Especially on dial-up. I have seen server Trojans set up on cable. But really? On dial-up it makes no sense. Talk about slow. Once you get the files loaded under the various processes maybe you will have more information.

    I see ICQ there too. It's all just guesses until you get over there. Good luck. I am subscribed to this thread so will be notified when you answer.
     
  11. Mosaic1

    Mosaic1

    Joined:
    Aug 17, 2001
    Messages:
    7,486
    Two logs is a good idea.
     
  12. amthmi

    amthmi Thread Starter

    Joined:
    Mar 23, 2002
    Messages:
    519
    She doesn't even know what ICQ is.
    All she knows is MSN and AIM.
    She never used Internet Explorer either (per se)...when I brought it up, it looked
    like it was right out of the box.
    Like I mentioned earlier I installed ZA while there yesterday...hoping it would
    flag something unusual trying to connect. But it didn't.
     
  13. Mosaic1

    Mosaic1

    Joined:
    Aug 17, 2001
    Messages:
    7,486
    I wonder where these entries came from?
    O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
    O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe


    Did someone else use the computer and install ICQ?
     
  14. amthmi

    amthmi Thread Starter

    Joined:
    Mar 23, 2002
    Messages:
    519
    Hello again Mosaic1
    I got back to my friend's house this afternoon.
    Let me just start out by saying that the problem has been resolved.
    Let me also say that I still don't know what caused it in the first place.

    My intentions last friday were to install verizon dsl and XP SP2 and that
    was when I noticed the corefiles.promo folder with the 22gb in it.

    Before this issue was resolved I did run Startdreck, Startuplist and TCP View
    both before and after going online. I have all 6 logs. I also looked inside the
    large .tmp files that were created. I burned some of the .tmp files to cd because
    I wanted to have a closer look at them later. I see very little wording and a lot of
    symbols and characters.

    At the time I created these logs I didn't know that I would resolve this issue which was
    purely by accident and with a hope and prayer. But it was.

    What did it...

    According to MSN tech support, in order to upgrade from MSN dialup to MSN DSL
    provided by Verizon I would need to uninstall MSN.
    I went to her house today with the intention of doing just that, so when they told me
    that... I said...great, let's do it. My hope and prayer was that the uninstall/reinstall would
    solve the problem and it looks like it did.

    After I finally got it all set up I checked, double checked and triple checked that
    neither the promo folder nor any other folder magically appeared.

    I advised her to keep an eye on the MSN folder for any strange folder appearing.
    I also advised her to watch the hard drive space for large chunks being taken.
    She wrote down its current "used" size and said she would watch it.

    So I really don't have a clue as to what caused this but it does appear to be solved.

    Like I said earlier, I have all the logs just in case you wanted to see them. The only one
    I've looked at so far is the TCP View log even though I'm not positive, it looked ok except
    for one line in the log. That line I'll include here. ( I've xxxx their names for privacy)

    svchost.exe:760 TCP xxxxxxxxx:3151 a202-232-140-29.deploy.akamaitechnologies.com:http ESTABLISHED

    Looks like the advice given by WhitPhil in my referenced post at the beginning of this post
    was good advice. But since it wasn't my computer and I wasn't sure how MSN works
    I didn't want to do that at the time. I now have a much better understanding of how MSN
    works. The migration from msn dialup to dsl was seamless. They keep all user preferences
    and settings, emails etc...on their servers. Very little on the local hard drive.

    Glad it wasn't as long an ordeal as both you and I thought.
    Thanks Mo for your input
     
  15. Mosaic1

    Mosaic1

    Joined:
    Aug 17, 2001
    Messages:
    7,486
    Hi amthmi,

    Whoa. Talk about great! I wonder if something had altered the MSN files themselves.

    WhitPhil. What can I say? He's a genius. He and Rog taught me a lot of what I know and still can amaze.

    Apparently akamaitechnologies.com serves a lot of files. I am not sure if this is an updater for the AV or what exactly.
     
Short URL to this thread: https://techguy.org/324602