Site Statistics
 
Threads: 4,062
Posts: 17,767
Members: 3,097
Users Online: 7
Newest Member: ronjohnson715


Go Back   PC101 > Computer Related Forums > PC Security
Reload this Page Problem - [SOLVED] Weird jpg file

PC Security A place to discuss new threats, firewalls, virus scanners, and all other aspects of keeping your computer secure from threats. Learn how to stop spyware... hackers ... identity thieves... and more!


Reply
 
LinkBack Thread Tools Display Modes
Old 02-26-2007, 08:43 PM   #1
Professor
 
racknrail's Avatar
 
Join Date: Feb 2007
Location: an island in the pacific
Posts: 199
Rep Power: 2 racknrail will become famous soon enough
Send a message via Skype™ to racknrail
Problem - [SOLVED] Weird jpg file
Hi folks,

I am trying to help my next door neighbor with her computer. Her son has downloaded a strange .jpg file with a very long nasty porn name. It starts with T-211392-young teen...etc etc.jpg. I have enabled windows to show the file extention and it does say it's a .jpg.

So far...I have tried booting into safemode and deleting it from there without success. I tried a little app called moveonboot, which failed. I have tried burying it deep into sub folders, not that that had any hopes, but anyways, you get the hint. I also tried various online virus scanners, like Housecall, which crashed, and bitdefender, which came up with a virus. It was the Netsky.D@mm virus, so I tried a couple of removal tools, which came up negative.

Any suggestions would be very much appreciated.
racknrail is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!
Reply With Quote
Old 02-26-2007, 09:33 PM   #2
Head Mistress
 
Lyte's Avatar
 
Join Date: Oct 2005
Location: Good ol' U.S. of A
Posts: 3,470
Rep Power: 7 Lyte is on a distinguished road
Send a message via MSN to Lyte Send a message via Yahoo to Lyte Send a message via Skype™ to Lyte
Have you tried any of the free Spyware / Adware that's out there...

Free Software

I like these three...

Ad-aware - http://www.lavasoft.de/software/adaware/
SpyBot Search & Destroy - http://spybot.safer-networking.de/
SpywareBlaster - http://www.javacoolsoftware.com/spywareblaster.html

What's the full name of the file??

Have you tried renaming it and then deleting it?

Lyte
__________________

To view links or images in signatures your post count must be 10 or greater. You currently have 0 posts.
Lyte is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!
Reply With Quote
Old 02-26-2007, 09:49 PM   #3
Professor
 
racknrail's Avatar
 
Join Date: Feb 2007
Location: an island in the pacific
Posts: 199
Rep Power: 2 racknrail will become famous soon enough
Send a message via Skype™ to racknrail
Quote:
Originally Posted by Lyte View Post
Have you tried any of the free Spyware / Adware that's out there...

Free Software

I like these three...

Ad-aware - http://www.lavasoft.de/software/adaware/
SpyBot Search & Destroy - http://spybot.safer-networking.de/
SpywareBlaster - http://www.javacoolsoftware.com/spywareblaster.html

What's the full name of the file??

Have you tried renaming it and then deleting it?

Lyte
I have tried both ad-aware and spybot. They did not remove the file. I am unable to rename the file. The name of the file is very long and has a lot of nasty words that I did not wish to post. I did put the beginning of the name in my first post. "T-211392-young teen....jpg"
racknrail is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!
Reply With Quote
Old 02-26-2007, 09:59 PM   #4
Head Mistress
 
Lyte's Avatar
 
Join Date: Oct 2005
Location: Good ol' U.S. of A
Posts: 3,470
Rep Power: 7 Lyte is on a distinguished road
Send a message via MSN to Lyte Send a message via Yahoo to Lyte Send a message via Skype™ to Lyte
Hmmm... I Googled "T-211392-young teen" and nothing came up. Usually if something is a well known malware you'll find the offending file name somewhere else on the internet.

The swift answer would be to send you to either GeekstoGo or MalwareRemoval. Both are very good sites to for getting rid of malware. I'm still learning my way around it.

The more interesting option would have you post a HJT here and we could research it together.

A third option would be for you to go to one of the two sites I've recommended and then share the thread URL so we can watch the clean up process! That would be cool too!

Lyte
__________________

To view links or images in signatures your post count must be 10 or greater. You currently have 0 posts.
Last edited by Lyte; 02-26-2007 at 10:02 PM.
Lyte is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!
Reply With Quote
Old 02-26-2007, 10:02 PM   #5
Professor
 
racknrail's Avatar
 
Join Date: Feb 2007
Location: an island in the pacific
Posts: 199
Rep Power: 2 racknrail will become famous soon enough
Send a message via Skype™ to racknrail
Quote:
Originally Posted by Lyte View Post
Hmmm... I Googled "T-211392-young teen" and nothing came up. Usually if something is a well known malware you'll find the offending file name somewhere else on the internet.

The swift answer would be to send you to either GeekstoGo or MalwareRemoval. Both are very good sites to for getting rid of malware. I'm still learning my way around it.

The more interesting option would have you post a HJT here and we could research it together.

A third option would be for you to the two sites I've recommended and then share the thread URL so we can watch the clean up process! That would be cool too!

Lyte
Thanks for the links. I will post what I learn.
racknrail is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!
Reply With Quote
Old 02-26-2007, 10:06 PM   #6
Head Mistress
 
Lyte's Avatar
 
Join Date: Oct 2005
Location: Good ol' U.S. of A
Posts: 3,470
Rep Power: 7 Lyte is on a distinguished road
Send a message via MSN to Lyte Send a message via Yahoo to Lyte Send a message via Skype™ to Lyte
Quote:
Originally Posted by racknrail View Post
Thanks for the links. I will post what I learn.
Kewl! I'd be very interested to know what this pesky thing is and learn how to get rid of it!

Lyte
__________________

To view links or images in signatures your post count must be 10 or greater. You currently have 0 posts.
Lyte is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!
Reply With Quote
Old 02-26-2007, 11:08 PM   #7
Professor
 
racknrail's Avatar
 
Join Date: Feb 2007
Location: an island in the pacific
Posts: 199
Rep Power: 2 racknrail will become famous soon enough
Send a message via Skype™ to racknrail
Okay...I just got back from her place. I emailed myself the hjt log. Here it is, I hope someone can help. I have seen files like this years ago floating around on Kazaa, but those were not nearly as nasty and deleted in safemode without trouble.

Logfile of HijackThis v1.99.1
Scan saved at 7:10:10 PM, on 2/26/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\Shaw Secure\Anti-Virus\fsgk32st.exe
C:\Program Files\Shaw Secure\Anti-Virus\FSGK32.EXE
C:\Program Files\Shaw Secure\Common\FSMA32.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\msdtc.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Shaw Secure\Anti-Virus\fssm32.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINNT\system32\LXSUPMON.EXE
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Shaw Secure\Common\FSLAUNCHER1.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Princess\My Documents\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://start.shaw.ca/start/enca/addons/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://start.shaw.ca/start/enca/addons/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://start.shaw.ca/start/enca/addons/search/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.shaw.ca
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.shaw.ca/start/enca/addons/search/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.shaw.ca/start/enca/addons/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by SHAW Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = localhost
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Exif Initializer Ver.1.0] C:\Program Files\FUJIFILM\Exif Initializer Ver.1.0\EXIFINIT.EXE
O4 - HKLM\..\Run: [LXSUPMON] C:\WINNT\system32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [shawnotify] c:\progra~1\shaw\update\updateloader.exe /notify
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\Shaw Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\Shaw Secure\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Program Files\Shaw Secure\FSGUI\FSSW.EXE" /reboot
O4 - HKLM\..\Run: [News Service] "C:\Program Files\Shaw Secure\FSGUI\ispnews.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O8 - Extra context menu item: &Block this popup - C:\Program Files\Shaw Secure\Anti-Spyware\blockpopups.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Web Filter - {200DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\Shaw Secure\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\Shaw Secure\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: Web Filter - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\Shaw Secure\FSPC\fspcmsie.dll
O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\Shaw Secure\Anti-Spyware\ieshield.dll
O9 - Extra 'Tools' menuitem: IE Shield... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\Shaw Secure\Anti-Spyware\ieshield.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O10 - Broken Internet access because of LSP provider 'winsflt.dll' missing
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: YExplorer1_8US.CAB - http://photos.groups.yahoo.com/ocx/u...lorer1_8us.cab
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://bikerprincess.spaces.msn.com/...d/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1123206703154
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1123282761270
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-307.ibm.com/pc/support/IbmEgath.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/v...fo/webscan.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/bingame/luxr/def...jolauncher.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramewor...o.cab55579.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://zone.msn.com/bingame/feed/def...utLauncher.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
O16 - DPF: {F127B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://walmart.pnimedia.com/upload/a...pv2.0.0.9.cab?
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = ,gv.shawcable.net,gv.shawcable.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = ,gv.shawcable.net,gv.shawcable.net
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = ,gv.shawcable.net,gv.shawcable.net
O23 - Service: Shaw Secure (BackWeb Plug-in - 3875767) - BackWeb Technologies Inc. - C:\PROGRA~1\SHAWSE~1\backweb\3875767\Program\SERVI C~1.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\Shaw Secure\Anti-Virus\fsgk32st.exe
O23 - Service: fsbwsys - F-Secure Corp. - C:\Program Files\Shaw Secure\backweb\3875767\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\Shaw Secure\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure HTTP Server (fshttps) - F-Secure Corporation - C:\Program Files\Shaw Secure\FSPC\fshttps\fshttps.exe
O23 - Service: FSMA - F-Secure Corporation - C:\Program Files\Shaw Secure\Common\FSMA32.EXE
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
racknrail is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!
Reply With Quote
Old 02-26-2007, 11:33 PM   #8
Head Mistress
 
Lyte's Avatar
 
Join Date: Oct 2005
Location: Good ol' U.S. of A
Posts: 3,470
Rep Power: 7 Lyte is on a distinguished road
Send a message via MSN to Lyte Send a message via Yahoo to Lyte Send a message via Skype™ to Lyte
Okay, at first blush I see this...

O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab

Pop the DF780F87-FF2B-4DF8-92D0-73DB16A1543A into Castle Cops ActiveX search box. They give it an "X" - Definitely not required - typically viruses, spyware, adware and "resource hogs"

And missing files aren't always a good thing...

O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)File Missing

O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)File Missing

O10 - Broken Internet access because of LSP provider 'winsflt.dll' missingWinsock Hijacker

I've not peeped everything else yet but these are the first ones I'd consider removing.

Lyte
__________________

To view links or images in signatures your post count must be 10 or greater. You currently have 0 posts.
Last edited by Lyte; 02-26-2007 at 11:48 PM.
Lyte is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!
Reply With Quote
Old 02-27-2007, 11:04 PM   #9
Professor
 
racknrail's Avatar
 
Join Date: Feb 2007
Location: an island in the pacific
Posts: 199
Rep Power: 2 racknrail will become famous soon enough
Send a message via Skype™ to racknrail
Problem solved.

I tried google with a few different phases this time, and came up with "how to delete a long .jpeg" as my successful entry. That led me to this URL, which was the first google link, btw. So the thread brought me to this little app called, DelinvFile 2.03. Problem solved.

Thank you to all for your interests in this thread.
racknrail is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!
Reply With Quote
Old 02-27-2007, 11:06 PM   #10
Head Mistress
 
Lyte's Avatar
 
Join Date: Oct 2005
Location: Good ol' U.S. of A
Posts: 3,470
Rep Power: 7 Lyte is on a distinguished road
Send a message via MSN to Lyte Send a message via Yahoo to Lyte Send a message via Skype™ to Lyte
Excellent! Glad you got it worked out!

Lyte
__________________

To view links or images in signatures your post count must be 10 or greater. You currently have 0 posts.
Lyte is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!
Reply With Quote
Old 02-27-2007, 11:11 PM   #11
Professor
 
racknrail's Avatar
 
Join Date: Feb 2007
Location: an island in the pacific
Posts: 199
Rep Power: 2 racknrail will become famous soon enough
Send a message via Skype™ to racknrail
Problem Solved
Quote:
Originally Posted by Lyte View Post
Excellent! Glad you got it worked out!

Lyte
Google rocks for damn sure. I am persistant. Big points with the neighbor lady...
racknrail is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!
Reply With Quote
Reply

« U.S. 'threatened' alleged NASA hacker, defense says | Symantec sizes up security in Windows Vista »
Thread Tools
Display Modes
Linear Mode Linear Mode

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are On



All times are GMT -5. The time now is 01:50 AM.

Powered by vBulletin Version 3.7.0
Copyright ©2000 - 2008, Jelsoft Enterprises Ltd.
Search Engine Optimization by vBSEO 3.2.0 RC5


1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30