Font folder - 1.19GB - bitmap files problem

Nath
01-11-2004, 09:42 PM
Gidday, I have been having problems with losing hard drive space and have just discovered my Windows font folder (98 SE) is huge - 1.19 GB. Under properties it says there are 1278 files and 1 folder. Under Explorer the folder within the font folder is called 1.image and contains 1046 bitmap images (.bmp). These are dated as being created every day this year since June - ie, they seem to create a new bmp file every time I use the computer or maybe the internet??
Something funny is definitely going on. I did a virus scan and no virus.

Any ideas appreciated
cheers
Nath
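The symptom in the post above (a subfolder full of daily bitmaps hiding inside the Windows font folder) can be checked for mechanically rather than by eyeballing Explorer. The script below is an added example, not from the thread: it inventories a font folder for anything that is not a font and reports how many odd files there are, how big they are, and on how many distinct days they were written, which is the "one snapshot per session" pattern Nath describes. The list of legitimate font extensions is an assumption, and the sample tree it builds in a temp directory is constructed data.

```python
import os
import tempfile
from collections import Counter
from datetime import date, datetime, timedelta

# Assumed list of extensions that legitimately live in a Windows font folder; anything else is worth a look.
FONT_EXTENSIONS = {".ttf", ".ttc", ".otf", ".fon", ".fot"}


def audit_font_folder(root):
    """Summarise every file under root that is not a font: how many, how big,
    which extensions, how many distinct days they were written on (one file per
    day for months is the per-session snapshot pattern) and any subfolders."""
    odd_files, subfolders = [], []
    for dirpath, _dirnames, filenames in os.walk(root):
        if dirpath != root:
            subfolders.append(os.path.relpath(dirpath, root))
        for name in filenames:
            ext = os.path.splitext(name)[1].lower()
            if ext in FONT_EXTENSIONS:
                continue
            st = os.stat(os.path.join(dirpath, name))
            odd_files.append((ext, st.st_size, date.fromtimestamp(st.st_mtime)))
    return {
        "odd_file_count": len(odd_files),
        "odd_bytes": sum(size for _, size, _ in odd_files),
        "by_extension": dict(Counter(ext for ext, _, _ in odd_files)),
        "days_written": len({day for _, _, day in odd_files}),
        "subfolders": sorted(subfolders),
    }


def build_sample_font_folder():
    """Constructed sample, not real data: two fonts plus a '1.image' subfolder
    holding one placeholder BMP per day for a week, like the folder in the thread."""
    root = tempfile.mkdtemp(prefix="fonts_sample_")
    for font in ("arial.ttf", "vgasys.fon"):
        with open(os.path.join(root, font), "wb") as fh:
            fh.write(b"\0" * 100)
    image_dir = os.path.join(root, "1.image")
    os.mkdir(image_dir)
    first_day = datetime(2004, 6, 1, 9, 0)
    for day in range(7):
        path = os.path.join(image_dir, "snap%03d.bmp" % day)
        with open(path, "wb") as fh:
            fh.write(b"BM" + b"\0" * 1022)  # 1 KiB stand-in, not a real screenshot
        stamp = (first_day + timedelta(days=day)).timestamp()
        os.utime(path, (stamp, stamp))  # back-date so the per-day count is visible
    return root
```

On a real machine, point audit_font_folder at the actual font directory; a non-empty "subfolders" list or a "days_written" value close to the number of days the machine has been used is the tell.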

Spacemannz
01-11-2004, 09:58 PM
It does sound like a worm.

I came across the same thing a few months ago, when I reformatted a PC.

It listed over 1000 pic files in some folder. I would go to start/run and type msconfig and see what's under the startup folder. Or go to start/run and type sysedit and see if u notice any strange entries under any of the entries there.

I don't think bmp files should be under a font folder, or an image folder for that matter. What did u scan it for, for viruses??

Nath
01-11-2004, 10:08 PM
Gidday,

thanks for the quick reply. The only thing under startup to do with the Windows font folder is wintask - but what seems strange is I have two wintask under startup - one is ticked (selected) and one is not - could this be my problem?? I also went to sysedit - nothing seemed to stand out, but I wouldn't really know what was a strange entry anyway.

Yes, I did a scan for viruses.

cheers
Nath

drb1
01-11-2004, 10:16 PM
A very unpleasant thought, have you viewed any of said images?

D.

Spacemannz
01-11-2004, 10:20 PM
Ok. According to Google. Wintask.exe could be a keylogger (like Spyware).

Use Spybot or Adaware to scan / remove it.

Wintask.exe definition, relationships, removal:

wintask.exe definition

wintask.exe description: File wintask.exe is related to keylogger Donkey KeyLogger.

File wintask.exe removal: WARNING!!! File wintask.exe is related to keyloggers. This is serious violation of your privacy, your system is under security threat.

We advise you to scan your computer and eliminate possible threats.
download scanner and remover

Or this:

W32.Navidad.16896, which is a mass mailing worm.

http://securityresponse.symantec.com/avcenter/venc/data/w32.navidad.16896.html
is the site on what it does and what it is.

http://securityresponse.symantec.com/avcenter/venc/data/w32.navidad.fix.htm
is the fix tool for this worm.

I would say wintask.exe ISN'T part of Windows. End its process in task manager.

Spacemannz
01-11-2004, 10:23 PM
Do a search at http://www.symantec.com for the worm I listed.

Greg S
01-11-2004, 10:26 PM
If it was me I'd delete the 1.image folder (but keep it in the recycle bin) and see what happens. (But caution, I can't confirm that this won't mess something up.) But that's what I'd try personally - I doubt there's any risk.

Nath
01-11-2004, 11:04 PM
Gidday, it does sound like the W32.Navidad.16896 worm, however I didn't get the following "Finally, the worm places a flower icon in the system tray of the taskbar" ???

I will disable wintask and delete the folder with all the pics in it and see what happens
I viewed the bmp images and basically they are random snapshots of my computer - ie, playing games, screensaver pics - I hope these pics haven't gone elsewhere??

thanks for the help
cheers
Nath

Spacemannz
01-11-2004, 11:12 PM
I would also go to start/run and type regedit. Search for wintask.exe. If anything comes up delete the entry. (if u haven't yet)

No worries :-)

You could also try Spybot or Adaware, if u haven't yet. See what both pick up.

These may just be 2 examples of what wintask.exe does / is part of. If u would like to see if there are any more, either go to http://www.google.com or http://www.yahoo.com. Do a search for wintask.exe.

Greg S
01-11-2004, 11:16 PM
> I hope these pics haven't gone
> elsewhere??

Ouch - that sounds like a real possibility!

drb1
02-11-2004, 01:02 AM
> > I hope these pics haven't gone
> > elsewhere??
>
> Ouch - that sounds like a real possibility!
>

I wondered if it might be one of those nasties, that store offensive material on slave machines, and distribute it on command.

Were any of the images encoded?

D.

Susan B
02-11-2004, 09:10 AM
> I viewed the bmp images and basically they are random snapshots of my computer - ie, playing games, screensaver pics - I hope these pics haven't gone elsewhere??

They probably have. I hope none of the snapshots were of any of your passwords, particularly for banking sites. :-(

Do you have a third-party firewall? If so, you should have been alerted to any funny business going on with something trying to access the internet. That is often the only way you know that a trojan or keylogger is at work, as happened to me the other day.

Nath
02-11-2004, 11:49 AM
Gidday,

I viewed all the images and the only one with a password was for my Paradise internet dial-up - which shows my username and the **** for the password. I deleted all the images and the folder they were in, but wasn't able to keep them in the trash as it was 1GB of data. The images didn't seem encoded - how would I know??
I tried unselecting/disabling wintask.exe in startup but it doesn't work - it stays selected when restarting the computer. I think there are 2 wintask.exe selected now?
I did a search for wintask.exe in regedit and there was nothing there.
Spybot came up with nothing as well (still need to try Adaware).

Is reformatting the hard drive the best way to get rid of the worm??

No I don't have a firewall - what do you recommend??

thanks again
cheers
Nath

Nath
02-11-2004, 12:02 PM
Hi,

I saw on the internet the Norman anti-virus site has a remnav.com you can download to clean the registry - can I use this if I am not using Norman anti-virus software? I wonder why AVG didn't detect anything??

cheers

Spacemannz
02-11-2004, 12:12 PM
Yup you can try that remnav file. See what happens.

Or go here http://vil.nai.com/VIL/STINGER/ and get Stinger. See if that picks anything up. Or try here http://housecall.trendmicro.com/ and do an online scan. See what it picks up.

Susan B
02-11-2004, 03:08 PM
> I tried unselecting/disabling wintask.exe in startup but it doesn't work - stays selected when restarting the computer. I think there are 2 wintask.exe selected now?
> I did a search for wintask.exe in regedit and there was nothing there.

Try giving HijackThis a run. You can find the link in the forum's Spyware FAQ as well as a link to a tutorial if you need it. You are strongly advised to read the instructions before using.

Basically, if you find wintask.exe in HijackThis put a tick next to it and get HJT to fix it. There may be other dodgy things in there as well but you will need to research everything with Google to see whether they are legitimate if you are not sure.

Another thing you can try is running a trojan cleaner which may turn up something.

> Is reformatting the hard drive the best way to get rid of the worm??

Only as a very last resort - you should be able to beat it with a little determination.

> No I don't have a a firewall - what do you recommend??

I currently use Outpost but Sygate and Kerio (the older version, 2.1.5) are other good ones, as is ZoneAlarm.

Spacemannz
02-11-2004, 03:19 PM
I would also try this out, Trojan Remover. It's only for 30 days (if u don't register it), BUT at least it SHOULD remove whatever is making these files.

It scans files and also scans the registry for known worms/trojans/some spyware/adware.

http://www.simplysup.com/tremover/

I would download the exe install file, then make sure it's up to date, then scan your registry. This is what fixed the previous PC that I fixed, that had over 1000 pics on the hdd.

Nath
02-11-2004, 08:20 PM
Gidday,

I think I have found what has infected my computer. I did an online scan with McAfee and Panda ActiveScan and both turned up a backdoor - E.E, common name Mosucker.L virus - I got Panda to remove it. It was located in C:\windows\fonts\_ Server.exe. I have checked my system config utility under startup since removing the virus and the 2 wintask options are now deselected/not active - interesting!!

Since I had this backdoor trojan which allows remote access, is my computer more susceptible to being hijacked from now on? I must get that firewall going.

I did try the tremover trojan remover but it didn't detect the mosucker and also AVG didn't detect this virus as well.

cheers and thanks for all the advice
Nath

Spacemannz
02-11-2004, 08:53 PM
Good something found the prob Nath!

Can't say I've heard of that virus. BUT according to a Google search, it's a keylogger and a trojan. A trojan is different from a hijacker as in a browser hijacker.

When a trojan gets installed and whatever program makes use of it / it'll access the files on your system / your system, they'll do it while you're online. Without you knowing it.

And like any other trojan they can do whatever they want log in and most probably delete files as well.

Hmm, Trojan Remover has Mosucker 1.1, 1.2, 2.1, 2.2, 2.3 and 3 in its database. Dunno why it didn't pick it up. Wonder if it'll only remove things unless it's registered?? Oh well, it's gone, that's the main thing!

wotz
02-11-2004, 09:00 PM
Now change your passwords - especially the bank.