Not open for further replies.
1 - 16 of 16 Posts

519 Posts
Discussion Starter · #1 ·
I started out with this post concerning a subfolder within MSN folder under Program Files.
I should have posted it here instead.

It's my hope that someone here can help me figure out what's going on.

What I know..
1. Computer is xp home and runs just fine. All updates are installed.
2. No unusual spyware/malware found after running the usual programs...just tracking cookies.
3. Called MSN tech support, they said that that's not one of their folders. Run a virus scan.
4. Went to Trend and scanned with Housecall. The scan indicated the computer had Worm Klez.h
5. Downloaded and ran the Klexfix from Symantec. After it finished scanning it said NO Klez infection found. I thought that Housecall would generate a report of its findings but that didn't happen. I could tell that it flagged the Klez in Documents and Settings but I couldn't see what
file it was pointing to. I looked at all the files in Documents and Settings...didn't see anything unusual. I don't believe that what's happening is related to Klez, but not positive.
Also confused by Symantec tool coming up clean.
6. Restore points have been deleted
7. Have not uninstalled MSN and reinstalled as suggested from referenced post above.

What's going on..
1. As soon (and not before) you sign the computer onto the net via dialup service provided by MSN
a folder is created under Program files/MSN called MSNCoreFiles.Promo. Then 79,068mb files
are created at a rate of 1 or 2 every 5 minutes or so. This continues as long as you're online.

2. ZoneAlarm doesn't flag anything unusual. There is just a tremendous amount of activity
going thru ZA. The meter bar is always active. Going from memory here...I remember that
one of the icons in the Programs Tab of ZA (near the top where it shows what's communicating)
think it could have been Generic host icon...there were I believe 3 of them showing but one
was constantly flashing.

I'm not sure what to do from here..

I didn't think to look at Task Manager for unusual activity until I left her place.
I'm home now and not sure when I'll get back to her pc.

How do I figure out what's doing this ?

The reason I was even working on her pc is she asked me to help install Verizon DSL service
which includes MSN. That's when I noticed the 22gb folder...
I didn't want to do anything with DSL until this issue was solved.

I'm including in this post 2 screenshots, one of the created folder and the other of the
files being created.
I can include a HijackThis log if requested but it looks clean except for WeatherBug
which she wanted to keep.

This is beyond my understanding of how to proceed and I need help.

Thank you in advance

7,525 Posts
It would take an incredible amount of time to download a file that size (80 MB) on dialup.

Let's have a look at what is loading under each process.
Go here and download StartDreck

Set it up like this:

Under 'Registry' - Select All registry options
Under 'System/Drivers' - Running Processes and List Modules
Click 'OK'. Now, back on the main screen, click the 'Save' button > Give it a name and click 'Save' > locate the file you just created and launch it.

This will show you all the dlls loaded under each running process. See if you can spot something which doesn't belong.

What happens if you mark that folder as Read only? They can undo that, but do they?

7,525 Posts
They could be just copying and then editing the next file. Could you resize those pictures or remove them please? They are causing a terrible scroll making it hard to read this thread. Thanks.

Could you post a Hijackthis log please?

519 Posts
Discussion Starter · #5 ·
I tried making the folder read only. It allowed me to but when I closed
the properties box and rechecked it again, the read only was removed again.
Let me just add...I can delete the folder with no problem..which I did several
times. It just recreates itself as soon as you touch the net.

I wanted to bring her pc with me here so I could test it over the weekend but
wasn't able to last night. I was going to hook it up to my router and bypass
the dialup and see what happens...If the folder doesn't get recreated with
broadband then maybe I should be looking closer at msn somehow.

I don't feel the files are being downloaded from the net...as you said, logic states
that would require a lot of time.

I feel these files are being created from within the pc itself.
Only when online tho.

The HijackThis log I have is from before the ZoneAlarm install but it is
fairly current. The StartDreck will have to wait until I get over there.

Logfile of HijackThis v1.99.0
Scan saved at 3:48:47 PM, on 1/28/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\McAfee\McAfee VirusScan\Webscanx.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /startmonitor
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
O23 - Service: AVSync Manager - Network Associates, Inc. - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McShield - Unknown - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: WAN Miniport (ATW) Service - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
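
As an added example (not posted by anyone in this thread, and not a feature of HijackThis itself), here is a small Python script that parses the R/F/O section lines of a log like the one above and flags the entries a reviewer checks first: entries with no file path listed, services with an unknown publisher, and binaries living outside the usual program directories. The sample lines are copied from the log above; the flagging rules and the list of "expected" directories are assumptions of this example, not an authoritative list of bad entries.

```python
"""Triage helper for HijackThis-style log entries (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a subset of the lines from the log posted above.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
O23 - Service: McShield - Unknown - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: WAN Miniport (ATW) Service - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
"""

# "O4 - <rest of line>": the section code and everything after it.
ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# Drive-letter path up to the first recognised extension (paths may contain spaces).
PATH_RE = re.compile(r"[A-Za-z]:\\.+?\.(?:exe|dll|ocx|com|scr|htm)\b", re.IGNORECASE)

BINARY_EXT = (".exe", ".dll", ".ocx", ".com", ".scr")
# Where autostart binaries are expected on a stock XP box (assumption of this example).
EXPECTED_DIRS = ("c:\\program files\\", "c:\\progra~1\\",
                 "c:\\windows\\system32\\", "c:\\windows\\system\\")


@dataclass
class Entry:
    code: str            # e.g. "O4", "O23"
    body: str            # the rest of the log line
    clsid: Optional[str]  # upper-cased CLSID if one appears in the line
    path: Optional[str]   # first local file path referenced, if any


@dataclass
class Finding:
    code: str
    reason: str
    body: str


def parse_log(text: str) -> List[Entry]:
    """Return one Entry per R/F/O line; header and 'Running processes' lines are skipped."""
    entries: List[Entry] = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        body = m.group("body")
        clsid = CLSID_RE.search(body)
        path = PATH_RE.search(body)
        entries.append(Entry(m.group("code"), body,
                             clsid.group(0).upper() if clsid else None,
                             path.group(0) if path else None))
    return entries


def triage(entries: List[Entry]) -> List[Finding]:
    """Apply the review heuristics; every flagged entry still needs a human look."""
    findings: List[Finding] = []
    for e in entries:
        if e.code in ("O2", "O4", "O9", "O16", "O23") and e.path is None:
            findings.append(Finding(e.code, "no file path listed; verify the target by hand", e.body))
            continue
        if e.code == "O23" and " - Unknown - " in e.body:
            findings.append(Finding(e.code, "service with no recognised publisher", e.body))
        lowered = e.path.lower() if e.path else ""
        if lowered.endswith(BINARY_EXT) and not lowered.startswith(EXPECTED_DIRS):
            findings.append(Finding(e.code, "binary outside the expected program directories", e.body))
    return findings


if __name__ == "__main__":
    for f in triage(parse_log(SAMPLE_LOG)):
        print(f"{f.code:4} {f.reason}: {f.body}")
```

On the sample above this flags the blank O16 DPF entry, the McShield service with an "Unknown" publisher, and the AOL WAN Miniport service running from the Windows root; all three turn out to be legitimate on this machine, which is the point: the script narrows the list to look at, it does not decide.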

7,525 Posts
Hi amthmi,

That's ugly. Would you also run a Startuplist when you get there with all the checkboxes marked? Have you looked at those tmp files in notepad?

I have a feeling this is going to be a long one.


519 Posts
Discussion Starter · #8 ·
Duh...I didn't think to try to open the tmp files.
I'll do the Startuplist also and anything else that might be suggested.
What's odd about this whole issue is there isn't any info on the net about it.
Only the one hit in Google.
In all your years doing this have you ever heard of such a thing happening ?
I haven't.... and the traffic thru ZoneAlarm was surprising. I'm not sure it was
net traffic either. I've never really taught myself very much about the communicating
end of the long as it worked I was happy.
I'd like to know what was going thru ZA.

I'm going to try and get the pc here soon...

As always thanks for your help Mosaic1

7,525 Posts
You're welcome. I have seen nothing like this. Especially on Dial up. I have seen Server Trojans set up on cable. But really? On Dial-up it makes no sense. Talk about slow. Once you get the files loaded under the various processes maybe you will have more information.

I see ICQ there too. It's all just guesses until you get over there. Good luck. I am subscribed to this thread so will be notified when you answer.

519 Posts
Discussion Starter · #12 ·
She doesn't even know what ICQ is.
All she knows is MSN and AIM.
She never used Internet Explorer either (per se)...when I brought it up, it looked
like it was right out of the box.
Like I mentioned earlier I installed ZA while there yesterday...hoping it would
flag something unusual trying to connect. But it didn't.

7,525 Posts
I wonder where these entries came from?
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe

Did someone else use the computer and install ICQ?

519 Posts
Discussion Starter · #14 ·
Hello again Mosaic1
I got back to my friend's house this afternoon.
Let me just start out by saying that the problem has been resolved.
Let me also say that I still don't know what caused it in the first place.

My intentions last Friday were to install Verizon DSL and XP SP2 and that
was when I noticed the folder with the 22gb in it.

Before this issue was resolved I did run Startdreck, Startuplist and TCP View
both before and after going online. I have all 6 logs. I also looked inside the
large .tmp files that were created. I burned some of the .tmp files to cd because
I wanted to have a closer look at them later. I see very little wording and a lot of
symbols and characters.

At the time I created these logs I didn't know that I would resolve this issue which was
purely by accident and with a hope and prayer. But it was.

What did it...

According to MSN tech support, in order to upgrade from MSN dialup to MSN DSL
provided by verizon I would need to uninstall MSN.
I went to her house today with the intention of doing just that so when they told me
that... I said...great, let's do it. My hope and prayer was that the uninstall/reinstall would
solve the problem and it looks like it did.

After I finally got it all set up I checked, double checked and triple checked that neither the
promo folder nor any other folder magically appeared.

I advised her to keep an eye on the MSN folder for any strange folder appearing.
I also advised her to watch the hard drive space for large chunks being taken.
She wrote down its current "used" size and said she would watch it.

So I really don't have a clue as to what caused this but it does appear to be solved.

Like I said earlier, I have all the logs just in case you wanted to see them. The only one
I've looked at so far is the TCP View log even though I'm not positive, it looked ok except
for one line in the log. That line I'll include here. ( I've xxxx their names for privacy)

svchost.exe:760 TCP

Looks like the advice given by WhitPhil in my referenced post at the beginning of this post
was good advice. But since it wasn't my computer and I wasn't sure how MSN works
I didn't want to do that at the time. I now have a much better understanding of how MSN
works. The migration from msn dialup to dsl was seamless. They keep all user preferences
and settings, emails etc...on their servers. Very little on the local hard drive.

Glad it wasn't as long an ordeal as both you and I thought.
Thanks Mo for your input
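
The advice given above (keep an eye on the MSN folder and on the used disk space for large chunks appearing) can be automated. The following Python script is an added example, not something posted in this thread: it snapshots the file sizes in a directory, compares two snapshots, and reports which files appeared or grew and how many bytes were added per poll. The folder name, polling interval and alert threshold used in the command-line entry point are placeholders chosen from the thread's description (a folder under Program Files\MSN, files of roughly 80 MB appearing every few minutes); the `demo()` function builds its own constructed input in a temporary directory.

```python
"""Directory growth watcher (added example)."""
import os
import sys
import tempfile
import time
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

Snapshot = Dict[str, int]  # file name -> size in bytes


@dataclass
class GrowthReport:
    new_files: List[Tuple[str, int]] = field(default_factory=list)        # (name, size)
    grown_files: List[Tuple[str, int, int]] = field(default_factory=list)  # (name, old, new)
    removed_files: List[str] = field(default_factory=list)
    bytes_added: int = 0


def snapshot(directory: str) -> Snapshot:
    """Sizes of the regular files directly inside `directory` ({} if it does not exist).

    A missing directory is a valid state here: the folder in the thread was
    deleted repeatedly and recreated, so the watcher must not crash on it.
    """
    if not os.path.isdir(directory):
        return {}
    sizes: Snapshot = {}
    for name in os.listdir(directory):
        full = os.path.join(directory, name)
        if os.path.isfile(full):
            sizes[name] = os.path.getsize(full)
    return sizes


def compare(before: Snapshot, after: Snapshot) -> GrowthReport:
    """Diff two snapshots; bytes_added counts new files and growth of existing ones."""
    report = GrowthReport()
    for name, size in after.items():
        if name not in before:
            report.new_files.append((name, size))
            report.bytes_added += size
        elif size > before[name]:
            report.grown_files.append((name, before[name], size))
            report.bytes_added += size - before[name]
    report.removed_files = [n for n in before if n not in after]
    return report


def watch(directory: str, interval_s: float, rounds: int, alert_bytes: int) -> List[GrowthReport]:
    """Poll `directory` `rounds` times; print an alert when a poll adds >= alert_bytes."""
    reports: List[GrowthReport] = []
    previous = snapshot(directory)
    for _ in range(rounds):
        time.sleep(interval_s)
        current = snapshot(directory)
        report = compare(previous, current)
        reports.append(report)
        if report.bytes_added >= alert_bytes:
            print(f"ALERT: {report.bytes_added} bytes added under {directory} "
                  f"in the last {interval_s:.0f}s: "
                  f"{[n for n, _ in report.new_files] + [n for n, _, _ in report.grown_files]}")
        previous = current
    return reports


def demo() -> GrowthReport:
    """Constructed demonstration: in a temp dir, one file grows and one new file appears."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "existing.tmp"), "wb") as f:
            f.write(b"\0" * 1024)
        before = snapshot(d)
        with open(os.path.join(d, "existing.tmp"), "ab") as f:
            f.write(b"\0" * 1024)
        with open(os.path.join(d, "new1.tmp"), "wb") as f:
            f.write(b"\0" * 4096)
        after = snapshot(d)
        return compare(before, after)


if __name__ == "__main__":
    # Placeholder defaults from the thread's description; override on the command line.
    target = sys.argv[1] if len(sys.argv) > 1 else r"C:\Program Files\MSN\MSNCoreFiles.Promo"
    watch(target, interval_s=60.0, rounds=10, alert_bytes=50 * 1024 * 1024)
```

The script tells you what is growing and how fast, not which process is writing it; for that, the per-process module listing Mosaic1 asked for earlier in the thread is the next step.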

7,525 Posts
Hi amthmi,

Whoa. Talk about great! I wonder if something had altered the MSN files themselves.

WhitPhil. What can I say? He's a genius. He and Rog taught me a lot of what I know and still can amaze.

Apparently serves a lot of files. I am not sure if this is an updater for the AV or what exactly.

1 Posts

I have the same problem on my other laptop, have not been able to figure out what was eating my memory. Did all the virus scans, spyware, etc., came up clean too. I only can get dialup where I am at so no way to upgrade. This computer is fine, but the older one has no memory; about 6-8 months ago I had 27% free and it seemed like it went overnight. So all you did was uninstall MSN and then reinstall it??? Which version of MSN did you reload??? Any other things I should do to get my memory back??? I finally got disk cleanup to run and loaded SP2, so if I can get this solved I can move on. Any advice appreciated. Thanks, ladyipsc