gerbil 216 Industrious Poster

Your drive is corrupting its NTFS file system records, the Master File Table.
Security data stream and attribute record are part of the file system metadata; the first records who can do what with a file, the second is how it is displayed, etc. Pretty much, if the MFT ever becomes irrecoverable, ALL your files are irrevocably lost, to all but the most expensive recovery work.
2000. Middle-aged to senior. Get your data off, reformat that partition and see how it performs with new and non-sensitive stuff.

gerbil 216 Industrious Poster

Ooo... "Use Advanced Editor" is the button just below the box you type your post into.
Maybe 3" below these words, a tad to the right... :)

gerbil 216 Industrious Poster

Screen shots are welcome... see allowable file formats by choosing Use Advanced Editor. If the format you need is not there, then zip your file.
Boot.ini is on D: along with the system? Then your boot.ini should look like this:
[boot loader]
timeout=4
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows ...whatever.." /noexecute=optin /fastdetect

More or less. But further, because your boot.ini is on D: then so must be the boot files ntldr and ntdetect.com. And D: must be the drive marked Active, not C:
[BIOS reads the MBR of the booting hdd, notes which drive is Active, loads the MBR code into memory and hands control to it. The code goes to the Active drive, loads its boot sector code into memory. That loads ntldr which in turn reads boot.ini. And so on.
So if your boot.ini is on D: then D: must be active. Boot.ini says where the system files are.]
But anyway, post what you have.
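As an added example (not the poster's code), a small Python checker for the boot.ini layout described above: it parses the file, splits each ARC path into its multi/disk/rdisk/partition parts and confirms that default= names an entry in [operating systems]. The sample boot.ini is constructed here to match the one in the post.

```python
import re
from typing import Dict, List

# Constructed sample matching the post: system on the second partition of
# the first disk, so default= and the [operating systems] entry agree.
SAMPLE_BOOT_INI = """[boot loader]
timeout=4
default=multi(0)disk(0)rdisk(0)partition(2)\\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\\WINDOWS="Microsoft Windows XP" /noexecute=optin /fastdetect
"""

# ARC path grammar: adapter(n)disk(n)rdisk(n)partition(n)\path
ARC_RE = re.compile(
    r"^(?P<adapter>multi|scsi)\((?P<adapter_no>\d+)\)disk\((?P<disk>\d+)\)"
    r"rdisk\((?P<rdisk>\d+)\)partition\((?P<partition>\d+)\)(?P<path>\\.*)$"
)


def parse_boot_ini(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the INI-like boot.ini into {section: {key: value}}.
    For [operating systems] the key is the ARC path, the value the label+switches."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections[current][key.strip()] = value.strip()
    return sections


def parse_arc_path(arc: str) -> Dict[str, object]:
    """Split an ARC path into its parts. rdisk() is the BIOS-ordered disk
    (0 = first disk); partition() is 1-based, so partition(2) is the second one."""
    m = ARC_RE.match(arc)
    if not m:
        raise ValueError(f"not an ARC path: {arc!r}")
    d = m.groupdict()
    return {
        "adapter": d["adapter"],
        "disk": int(d["disk"]),
        "rdisk": int(d["rdisk"]),
        "partition": int(d["partition"]),
        "path": d["path"],
    }


def check_boot_ini(text: str) -> List[str]:
    """Return a list of problems; an empty list means the file is consistent."""
    problems: List[str] = []
    cfg = parse_boot_ini(text)
    loader = cfg.get("boot loader", {})
    systems = cfg.get("operating systems", {})
    default = loader.get("default")
    if default is None:
        problems.append("[boot loader] has no default= line")
    elif default not in systems:
        # ntldr would show the menu but the default choice points nowhere
        problems.append(f"default {default} has no entry in [operating systems]")
    if not systems:
        problems.append("[operating systems] is empty")
    for arc in systems:
        try:
            parse_arc_path(arc)
        except ValueError as exc:
            problems.append(str(exc))
    timeout = loader.get("timeout")
    if timeout is not None and not timeout.isdigit():
        problems.append(f"timeout is not a number: {timeout!r}")
    return problems


if __name__ == "__main__":
    print(check_boot_ini(SAMPLE_BOOT_INI) or "boot.ini is consistent")
```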

gerbil 216 Industrious Poster

You could try to find the name of that hidden driver; its presence may be concealed by the driver loading and executing some code as a system thread, and then removing itself; that way its details [name etc] cannot be read. I wonder....you could try to show it up - you can make a change in reg to show hidden drivers in Dev Mgr [remains until you reverse it], or a change to the environment inside a cmd shell [dies with the closing of that shell].
1)System Properties, paste in as an environment variable name:
devmngr_show_nonpresent_devices ; value of 1. [that adds it into Session Manager key in reg].
Or 2) In a cmd window enter:
set devmngr_show_nonpresent_devices=1 -then start Dev Mgr from inside that shell with..
devmgmt.msc
Inside Dev Mgr under View tab check Show hidden devices. Hidden [deliberately] or non-loaded [no device present on sys] drivers are shown greyed out. I doubt if it will reveal anything though.
When you find a suspect driver investigate it thoroughly - you don't want to delete a crypted firewall or SCSI driver.
You could delete C:\Qoobox and contents.

!!!!!!!!!!!Hidden driver: 00000102
Loaded from:
Address: 0x86F2328A
Size: 3446 bytes

This entry is a worry. And I don't know what to do about it. Do IceSword or RKRevealer show anything? You might try posting that piece plus the Hooks section and serf_conf log over at Sysinternals Malware board - it's …

gerbil 216 Industrious Poster

Expensive. It should be good. Free are Restoration.exe and Recuva. The first can run from a floppy disk or flashdrive which saves you installing and possibly overwriting some data. Download them to another machine [using a browser writes a lot of data to a hdd].

gerbil 216 Industrious Poster

Good stuff. Now to get the file here. Because it is a text file I have no qualms about opening it if it is attached, so choose "Use Advanced Editor" button. Click Manage Attachments, use Choose to browse to your file on your sys, then press Upload. When that completes just Submit Reply. [the whole file will be sent, scroll bar use depends only upon how I choose to display it; I will not see your scroll bars].
And you don't have to help, it's just nice if you are able, that's all.

gerbil 216 Industrious Poster

Yep, we need more information.
fixmbr is a command found only in the Recovery Console [R for Repair with RC during Setup on your installation cd]. It is not what you want, try bootconfig in the RC.
What is the drive/partition with your XP system files?
What is the drive/partition with your boot files?
Give us a copy of your current boot.ini

gerbil 216 Industrious Poster

A group of students in USA used the uni lab facilities of one of their professor fathers to analyse hamburger chain beef patties. 5 - 18% muscle tissue [what you would call meat, normally], plus connective tissue [tendons, ligaments], much organ tissue [you could hope for just liver heart lungs kidneys etc], fat, water and some parasite cysts. Colours and fillers [grain based], of course.
Here in Aust. the two big US chains ran for a while ads showing prime beef yearlings in paddocks. As if. You get 12yold cow remains in hamburger.
You get what you pay for. You don't pay much.

gerbil 216 Industrious Poster

His work is supreme... of the four you mention, I have yet to see Ponyo.
I love the artwork [all hand-drawn/painted, not a computer graphic anywhere]; Disney or the modern tech artists cannot hold a candle to Miyazaki's works. They involve me, transport me, "simple" stories of magic and rightness.
I was starting to think I was alone.
Right, those tools, before you run them close off all other applications. Makes looking over the results easier.

gerbil 216 Industrious Poster

That is possibly a bit heavy handed of BitDefender. The files it detected as malware etc were all files of AVG's PC Tuneup, as you can see. You will have to reinstall that pgm. It is legit, I hope....
It looks like that wraps it up, your sys seems good to go. Cheers.

gerbil 216 Industrious Poster

Hi, to post that BitDefender log...click the Detected Problems tab > select "Click here to export" the scan report.
Change the Save as type to Text (Tab Delimited) (*.txt), enter a filename and save. ATTACH the log via Advanced Post button.

gerbil 216 Industrious Poster

Been watching Howl's Moving Castle by Miyazaki.... a sublime anime, as are all by him... Anyway...
The serf_conf log... it originates from libserf, a language, it allows the client to make HTTP requests. I don't know if the config log that iexplore built is where it's been or where it's going, the former I guess. I'm out of my depth.
Something is directing IE, and it is still hidden. You might try another rootkit scan or three, one I like is Rootkit Unhooker [they had a very public and enduring slanging match with GMER & other AR software authors, but now are involved with M$...check Help About.. :)]. Get it, and any other you like from here: http://www.antirootkit.com/software/index.htm
I suggest...
R Unhooker -from this site is an earlier version than one I have... you need the author's site, or http://www.rootkit.com/newsread.php?newsid=902
R Revealer.
IceSword.
R Unhooker... as with IceSword, check each tab; RU scans run automatically except for Files & Hooks. Look for unknown hooks. Generally a rootkit's presence will be well indicated. Don't be surprised by SPTD software you may have throwing up alerts eg Alcohol.

gerbil 216 Industrious Poster

Aww... I hope we can do it a lot faster than that.
Here's another way to force an uninstaller to use the install.log: use explorer to navigate to the program's folder where the install.log and uninstaller exe exist... in Yahoo Mess case it would be unwise.exe..., lclick the install.log and drag it onto unwise.exe, release it there. Unwise.exe should start with the log already in its mind.

gerbil 216 Industrious Poster

Much better. You might run these, the first is a general, configurable cleaner; next choose one of the online scanners.
Firstly, get CCleaner from http://www.ccleaner.com/ - and install it in a new folder. You should keep this one for general use. I set the installation checkboxes only to Open and Run from the recycle bin. It's neater that way.
Now run CCleaner from the recycle bin rclick menu using its default settings [if you set up CCleaner as I suggested, rclicking the bin icon should give you the Open CCleaner option...].
If you have FireFox open the Applications tab and ensure at least that Cookies and Cache are checked.
Select the Cleaner icon, press Run Cleaner.
Run CCleaner in any other Accounts.
Lastly, run one of these:
==Pandasoftware ActiveScan using IE or Firefox from http://www.pandasecurity.com/activescan/index/
==Bitdefender Online Scan using IE only: http://www.bitdefender.com/scanner/online/free.html
- post the results, please.

gerbil 216 Industrious Poster

PP, I didn't touch this thread further because Combofix has gotten away from me... but this file is sus?
c:\windows\aventura.exe

gerbil 216 Industrious Poster

The ACMRU key records Most Recently Used entries of the Search Assistant [eg, you search for a file with Search in Explorer, the detail is recorded there]. But it does not have to be user searches that get entered there, as shown by this one: iexplore.exe http;//clickport.org /ac.php?aid=5&cid=direct2
There may be four subkeys:
- 5001: terms used for Internet Search Assistant
- 5603: terms used for files and folders search
- 5604: terms used in a word search
- 5647: terms used in the other computers or people search
The actual entries there are of no harm, merely system record keeping. You can delete them safely [the 001..003 names]. But you might wonder from where that one originated. I cannot raise the site, nor the findclean.org site. Google is of no help, except it turns up this page: http://www.threatexpert.com/report.aspx?md5=927f2c1b6c8d732a7ba55a5969393ed3 with another connection attempt to clickport.org amongst other suspect sites.
This instance of iexplore: iexplore.exe SC0DEF:3016 CREDAT:79873 -those codes show that it is a child process of an iexplore.exe frame process with a PID of 3016 in this case, the code defines their relationship so that they know each other.
It is IE8 at play. Process Explorer will give you the actual command line which opened iexplore.exe.
Keep hunting... there is something there, and it is bad.

gerbil 216 Industrious Poster

"there is a selection Remove user settings and include objects in virus vault. do I check both?" Yes, you should.
TDSSKiller required a restart at some stage to remove a found rootkit. No other action is required by you for that. You may have already restarted.
AVG PC Tuneup 2011 - you may leave that on your sys, it is unrelated to the AV service.

gerbil 216 Industrious Poster

Cool, bizarre, and thanks.
==Download tdsskiller from this link, save it to your desktop:
http://support.kaspersky.com/downloads/utils/tdsskiller.exe -you may need to download it to a clean computer and then transfer it to the desktop using a USB flash drive.
Start TDSSKiller via this command, NOT the icon:
"%userprofile%\desktop\tdsskiller.exe" -l C:\tdssrpt.txt <==paste this into Start, Run...
- click Scan. If TDSSKiller finds a rootkit and prompts a Cure then press Continue [a reboot may be required]; press Continue also on Skip prompt. Do not delete or quarantine any files.
Post the log from C:\.

You must choose between AVG and Symantec. Running two active AV services is less than a bad idea. You are paying for Symantec, and recently they have been getting much better reviews with their new software, I'd keep that one and uninstall AVG. That may not be easy, you might require the uninstall tool from their site. I suggest you use it anyway.
You can remove any of those toolbars from Add/Remove Pgms [Google, Wisdom].
JAVA Update:
Download JavaRa: http://sourceforge.net/projects/javara/files/javara/JavaRa/JavaRa.zip/download ; Unzip, and dclick JavaRa.exe. In the box that pops press Search for Update [select Using jucheck.exe]; when updating completes then press Remove Older Versions.
Update, and rerun MBAM, post that log.

gerbil 216 Industrious Poster

:) . I had an idea, posted about it, then tested it. And removed my post...
I think your malware post has it covered... I was considering that maybe his reg shell entry had been switched from explorer.exe to iexplore.exe. Windows will load, but you cannot get explorer to present the desktop; starting it just opens an explorer window, and that did not fit his symptoms. MBAM or hijackthis should show up the culprit.
One can somewhat duplicate his symptoms by opening an explorer window to some application folder and then dragging, say, procmon.exe into an IE window - the "download this file" box opens with Run, Save etc. If I then press Save it will copy the file procmon.exe from the app folder to the [in this case] desktop. If I instead press Run it actually does start an instance of Procmon.exe.
Somewhere IE has been switched for explorer...

gerbil 216 Industrious Poster

Hi, bizarre, as a first step, if you still have that MBAM scan result page active, ENSURE that EVERYTHING found has a CHECKMARK against it, then click Remove Selected. They are all bad entries.
MBAM will pop a fresh log for you. If MBAM has been closed, redo the quick scan and Remove Selected.
Then....
Download gmer.zip from http://www.majorgeeks.com/GMER_d5198.html ...or the exe from http://www.gmer.net/download.php
-dclick on gmer.zip and unzip the file to its own folder or to your desktop.
==Download DDS by sUBs and save it to your Desktop. http://download.bleepingcomputer.com/sUBs/dds.scr
Upon completion, a Dialog Box should open instructing you to save and post the TWO resulting logs (DDS.txt & Attach.txt).

-disconnect from the Internet and close all running programs.
-dclick Gmer.exe to start it; wait for the initial scan to complete [a few seconds]. Press the Copy button, open Notepad and paste into it.
-place checkmarks ONLY at IAT/EAT, Devices, Modules, Processes, Threads; click the Scan button and wait for the scan to finish (do not use your computer during the scan).
-again press the Copy button, paste into that Notepad.
Paste both the DDS.txt and the DDS Attach.txt into your post for assistance, along with the GMER logs and that MBAM log.
Most likely a moderator will then move your thread over to Virus and Spyware Forum.


gerbil 216 Industrious Poster

Ah, yes, but you don't need the registered version of DD. All that does [which is a help to some, I guess] is download and then run the installer package automatically. The free version will download the file for you, you just have to run it yourself which is easy as can be.
Rik, give siw.exe a shot.

gerbil 216 Industrious Poster

Whoops, I spun the earth the wrong way... it's only late arvo in Vancouver. Newfies are blowing out the candles, though...

gerbil 216 Industrious Poster

You were only a 66-yold pre-geezer when this thread opened.. :)
But anyway.... you can use free "brute-force" uninstallers which search your sys for any known linked references/files [both revo uninstaller and perfect uninstaller have working free trials], or you can do this:

Yahoo Messenger. The problem here is that the uninstaller unwise.exe cannot see the install.log even if it is present in the same folder. Browse in Explorer to \Program Files\Yahoo!\Messenger\unwise.exe;
-go Start, Run, and enter cmd -the command window should open
-lclick that file unwise.exe and drag into the command window.
-click inside the cmd window; to the line that is there, backspace to remove the ", then add: /install.log" so that you have something like...
C:\Documents and Settings\Geezer>"...\Program Files\Yahoo!\Messenger\unwise.exe /install.log"
-press Enter. That should uninstall Messenger.

Spybot: Simply delete the application folder, Program Files\Spybot - Search & Destroy\ and all its contents.
-next use Search to find files with Spybot in their name in documents and Settings folder, delete those files.
-there is only one registry entry, you can ignore it cos it will be quite harmless remaining there.
No.3: -give us a hint....

gerbil 216 Industrious Poster

Caper is abed. Drag your driver zip file into Desktop\drivers, then rclick it and select : extract to here.
Your driver files will be unzipped, most likely into a subsidiary folder to \drivers.
Rclick Setup.exe.

gerbil 216 Industrious Poster

A new hdd is quite cheap, your friend is lucky... try to get any precious data off the dud drive now.

gerbil 216 Industrious Poster

:). Looks like Combofix took great issue with your USB mobile connection software [beats me why the software created an inf folder in All Users, instead of using the %windir%\inf folder]. And that old 7Zip file.
It doesn't think much of Eminem, either. I'm with Combofix, right there. Is/was it actually a playable mp3?
The deleted firefox extensions, all two sets of them, are baddies; I notice that Greatis [anti-rootkit folk] have identified some such files linked to your rogue lsass.exe infection.
This one should be genuine, though - c:\windows\system32\BSTIeprintctl1.dll? You would have to check its properties to see if it was a legal version.
What is in this folder : c:\windows\system32\5A5219D94A374A9E0854CB0F563363AE ?
There are several registry keys to unlock, but I'll wait for PP's thoughts on what combofix has done. Any files wrongly deleted can be reinstated from its vault. Else you just reinstall...

gerbil 216 Industrious Poster

What were you trying to start to get this msg... "Windows setup cannot find the EULA"? Windows does not require EULA.txt to start, nor does the RC. Windows Setup does... you don't want to be running that just yet... you want to bypass that and start the Recovery Console: choose the repair or recover option by pressing R [Enter takes you to Install or Repair installation... you don't want that].
As for the msg, all I could find of any sense regarding it was this: http://support.microsoft.com/default.aspx?scid=kb;en-us;326673 - perhaps it is not relevant here, though.
Anyway, your latest problem of not booting even to safe mode was not caused by deleting your user profile.
If you cannot get the Recovery Console to start there is this method of creating a bootable floppy and using that to run chkdsk:
http://download.fyxm.net/Avira-NTFS4DOS-78905.html
http://www.softpedia.com/get/System/Hard-Disk-Utils/Avira-NTFS4DOS-Personal.shtml
Dl to a working sys, run it to install, it will automatically want to build a bootable floppy [which contains chkdsk.exe [cmd line tool] and chkdskg.exe [gui tool]].
Boot from the floppy, run chkdsk.
Good luck. If chkdsk doesn't get your sys up, I think you are gazing at a Repair. Yuck.
Way back at the top..."I have tried pinging yahoo.com to test with no packets lost etc so there is an internet connection but I cannot get through whatever is blocking the display of web pages." ... that problem, which is dim history, most likely …

gerbil 216 Industrious Poster

I use IE6... but only when I must. [Some routers etc will not load config files correctly with FF or Opera!!, some M$ sites only accept IE still ]. It's fine. For IE6 there is a download of repair files for IE installations, IEFix 1.6; I don't know IE8, and am happy to accept Judy's guidance on that. Anyway, back to your point... something is calling IE, try to find that. I'd try ProcMon, run it as a boot monitor and then search for iexplore.exe calls.

gerbil 216 Industrious Poster

You need a bootable medium with chkdsk. One such simple self-installer to floppy is NTFS4DOS. It's originally an Avira utility. Search for it; the original [vsn 1.8 or 1.9] will install to a sys, and when run will create a bootable floppy with chkdsk.exe on it. Other reworked free offerings on the web will create a cd iso or USB flashdrive bootable version. You choose. Boot from the created medium and run chkdsk.
Oh, what the heck, here [both are good, create a floppy]:
http://download.fyxm.net/Avira-NTFS4DOS-78905.html
http://files.extremeoverclocking.com/file.php?f=180

gerbil 216 Industrious Poster

Or copy them into the parent folder in the order in which you wish them, one by one, and then use Date Created column to order them. Copying one by one will give them ordered creation time stamps.

gerbil 216 Industrious Poster

Yow. Those files that Unlocker could not remove sure had some protection cast upon them, I imagine that would have been from that rogue lsass.exe or C:\WINDOWS\dmdskmgrwow.exe.
Please delete these files:

c:\documents and settings\owner\ezrjfdslvv.tmp
c:\windows\system32\mll_mtf3.dll
and folders...
c:\windows\system32\5A5219D94A374A9E0854CB0F563363AE
c:\windows\system32\582933403

To remove Spybot cleanly the easiest way is to reinstall it over the top of the old, then uninstall.
I would uninstall Adaware also... it once was good, seems not so now. Well, it did not save you from this attack.
Whenever GMER crashes it is usually because of malware killing it deliberately to protect itself. So your sys is sus. Still. Often the process of cleaning involves removing layers of protection files.
So now get a fresh copy of GMER and try it again. And if it will not run cleanly try again but in Safe Mode.
MBAM. I like clean runs.. repeat the quick scan.

gerbil 216 Industrious Poster

I would find it a nuisance! You might try repairing IE8. Go Start, Run, paste or type in...
%windir%\inf
Locate ie.inf, rclick it, and choose Install. You may need your installation cd if the requisite i386 files are not on hdd.

gerbil 216 Industrious Poster

You could have saved 9.95 if you had listened to the chaps above. And Driver Detective is free. But you got the job done, and sometimes life is easier if you can ignore the internals of these pesty machines.

gerbil 216 Industrious Poster

Stellios, just direct the Hardware Wizard to where you saved that zipped file. It will uncompress and run it.

gerbil 216 Industrious Poster

Hello, aventura, the others are in bed, or should be....
Firstly, get Unlocker:
==This is a general purpose force-deleter, Unlocker: http://filehippo.com/download_unlocker/
Dclick the exe to install it, unchecking the updater and assistant boxes. It runs from the rclick context menu, which is cool.
To use, browse to the file to delete, rclick it, choose Unlocker, remove any hooks with Unlock...choose Delete, and delete it.
Use Unlocker on these files:

C:\WINDOWS\dmdskmgrwow.exe
C:\WINDOWS\system32\mp4sdecd32.dll
C:\WINDOWS\system32\WMVXENCD32.exe
C:\WINDOWS\system32\msftedit32.exe
C:\WINDOWS\system32\autodisc32.dll
C:\Documents and Settings\Owner\Application Data\SysWin\lsass.exe

Start hijackthis, scan only, place checkmarks against these entries and fix them:
O2 - BHO: (no name) - {0144DFBA-5F69-4C56-974E-131BE52F7C7a} - C:\WINDOWS\system32\autodisc32.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: e0ffeca9 - {C858D373-E0AA-855B-641D-A1F979D2E544} - C:\WINDOWS\system32\mp4sdecd32.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [dmdskmgrwow.exe] C:\WINDOWS\dmdskmgrwow.exe
O4 - HKLM\..\Run: [dmdskmgrwow.exe] C:\WINDOWS\dmdskmgrwow.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\mp4sdecd32.dll
Restart your sys, try GMER and MBAM now.


When this is over, you might dump Sygate as recommended by PP n Judy, perhaps get Comodo or similar. McAfee failed you, perhaps try Avast Free. It has the advantage of being active against some non-virus malwares.
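An added example that is not the poster's own: a Python parser for the HijackThis lines quoted above. It turns each O2/O3/O4/O20 line into a record and reports what a reviewer checks by eye: (no file) orphans, a Run entry listed twice, and a DLL that is both a BHO and in AppInit_DLLs. The sample is made from the lines in the post.

```python
import re
from collections import Counter
from typing import Dict, List

# Constructed sample built from the HijackThis entries quoted in the post.
SAMPLE_HJT = r"""O2 - BHO: (no name) - {0144DFBA-5F69-4C56-974E-131BE52F7C7a} - C:\WINDOWS\system32\autodisc32.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: e0ffeca9 - {C858D373-E0AA-855B-641D-A1F979D2E544} - C:\WINDOWS\system32\mp4sdecd32.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [dmdskmgrwow.exe] C:\WINDOWS\dmdskmgrwow.exe
O4 - HKLM\..\Run: [dmdskmgrwow.exe] C:\WINDOWS\dmdskmgrwow.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\mp4sdecd32.dll
"""

# O2 (BHO) and O3 (toolbar) lines: name - {CLSID} - file
OBJ_RE = re.compile(
    r"^(?P<type>O2|O3) - (?:BHO|Toolbar): (?P<name>.*?) - "
    r"(?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<file>.*)$"
)
# O4 lines: hive\..\Run: [value name] command
RUN_RE = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<value>[^\]]*)\] (?P<cmd>.*)$")
# O20 AppInit_DLLs line
APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<file>.*)$")


def parse_hjt(text: str) -> List[Dict[str, str]]:
    """Turn supported HijackThis lines into records with type, name, clsid, file."""
    records: List[Dict[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = OBJ_RE.match(line)
        if m:
            records.append({"type": m.group("type"), "name": m.group("name"),
                            "clsid": m.group("clsid"), "file": m.group("file")})
            continue
        m = RUN_RE.match(line)
        if m:
            records.append({"type": "O4", "name": m.group("value"),
                            "clsid": "", "file": m.group("cmd")})
            continue
        m = APPINIT_RE.match(line)
        if m:
            records.append({"type": "O20", "name": "AppInit_DLLs",
                            "clsid": "", "file": m.group("file")})
    return records


def triage(records: List[Dict[str, str]]) -> List[str]:
    """Findings a reviewer would raise on the parsed entries."""
    findings: List[str] = []
    seen = Counter((r["type"], r["name"], r["file"].lower()) for r in records)
    appinit = {r["file"].lower() for r in records if r["type"] == "O20"}
    reported = set()
    for r in records:
        key = (r["type"], r["name"], r["file"].lower())
        if r["file"] == "(no file)":
            # Registration survives but the module is gone: leftover of a removal
            findings.append(f"{r['type']} {r['clsid']}: orphaned entry (no file on disk)")
        if seen[key] > 1 and key not in reported:
            reported.add(key)
            findings.append(f"{r['type']} [{r['name']}]: listed {seen[key]} times")
        if r["type"] == "O2" and r["file"].lower() in appinit:
            # Same DLL injected into every user32-loading process and into IE
            findings.append(f"O2 {r['clsid']}: BHO DLL {r['file']} also loaded via AppInit_DLLs")
    return findings


if __name__ == "__main__":
    for finding in triage(parse_hjt(SAMPLE_HJT)):
        print(finding)
```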

gerbil 216 Industrious Poster

That should do it.. the other way is to note where you saved the file and let the Hardware Wizard deal with it - it will ask where it is...

gerbil 216 Industrious Poster

Whoa!! I was so wrong with this bit:
"You can ignore the Action tab: just open EV, rclick Application, in the context menu that appears choose Save Log File as..., select a destination, type in a filename [any will do], AND give it type .txt.
eg filename of MyEVlog.txt"
-if you follow that course the text file is a mess! For a human-readable log, you must do this [what I recommended in the first place]:
Open EV, expand Application by lclicking it in the LHS, then go Action tab, Export List, type in some filename with type .txt [the default type], eg filename = MyEVlog.txt
Sorry about the added confusion, EagleE.

gerbil 216 Industrious Poster

I did not realise you didn't have an installation cd. With another computer you could have downloaded and burnt to cd this RC: the console runs from the cd; I know it works. Unzip the file to get the iso and then BURN THE IMAGE.
http://www.thecomputerparamedic.com/files/rc.iso
http://www.webtree.ca/windowsxp/tools/bootdiscs/xp_rec_con.zip

gerbil 216 Industrious Poster

:)... I do have patience... I must pick up your skill level as we go along, and adjust to it.
"Now when I darken it, I can not remember the terminology, I right click it, and can past or copy, in this case Export the file, the file I am talking about is application, and in this case I get my Documents but that file will not transfer or copy in the file name box below."
Ok, bit by bit...
"Now when I darken it" = select, with a lclick.
In many applications when one selects a file to "Save as" it automatically enters its, or some other, name in that filename box; Event Viewer will not do that. I don't know why; some difference in its programming. So just type in a name, make sure the file-type is .txt.
If you cannot actually type into that filename box then that is another problem altogether...
[even when a filename is automatically entered into that filename box in other applications, you still, always, have the option of editing it].
I think there is some other faulty aspect in the rclick and Action menus of Event Viewer, but we can ignore those; it should work one way or another.
You can ignore the Action tab: just open EV, rclick Application, in the context menu that appears choose Save Log File as..., select a destination, type in a filename [any will do], AND give it …

gerbil 216 Industrious Poster

Yes, Syncback will do it.. synchronize files in different drives or folders. There is no native XP function to do it automatically.
To get Syncback to synchronize files every few minutes or whatever time interval you wish, you must make the profile and then place that profile into a Group Profile, which permits short periodic synchronization, instead of daily etc. It works with filters which enable selection of a single file or group of, directories etc.
Free.

gerbil 216 Industrious Poster

Mmm...this "the MFT is 75% in use even... " could be because of temp file or other large directory deletions following, say, an SP3 upgrade? The MFT grows with the added files, does not shrink as they are deleted, even though the MFT record space is freed, so now files only use 75% of that old total..
I've almost convinced myself. Wonder what free software does an MFT defrag? XP is supposed to be able, but will only if there is enough free space in one block on the drive to copy the MFT metadata files to. MyDefrag?

gerbil 216 Industrious Poster

Nope.. it's not that.. I find that the MFT Zone does not subtract from available space, cos it IS available space, just reserved unless required by the file system. So.

gerbil 216 Industrious Poster

:)... not too many.
You could use the Recovery Console from your cd to delete those two files I show at bottom of my first post. While in the RC it would not hurt to rewrite the MBR code [in case it has a rootkit] with the command ..
fixmbr
A bad memory reference means bad coding, likely in some part of the malware. It must be being loaded in Safe Mode.... not much else you can do with the RC, though, because the whole of the malware is a mystery.
If you can finally get into safe mode you can create a new user there and copy all your document and setting into it from the old account [they don't get deleted when you delete the account].
Say if you make it to Safe Mode.
Files to delete:
c:\docume~1\shaunt~1\locals~1\temp\ohtuesewy\hfawwyduerb.exe [delete everything inside this folder, \ohtuesewy]
c:\windows\system32\config\systemprofile\ntqog.exe

gerbil 216 Industrious Poster

I'm idly wondering if recently your MFT has not grabbed another 12.5% from the MFT Zone. Your drive is only 15GB; Windows and the few basic services, file systems and windows apps that I cannot move out of my C: occupy 23,000+ files on my 8GB system partition. The C: MFT is 75% full. So if the C: is your only drive with apps and data then perhaps your MFT has incremented in size. What does the Defragmenter report indicate [you don't have to defrag, just analyse and then Save the rpt for easy reading in notepad]?
Another thing, if XP by itself increments the MFT Zone size [to 25% of total drive space] is it reflected in this key value?
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Filesystem]
"NtfsMftZoneReservation"
If unset, or with a zero value [as set by user either directly in reg or via fsutil] it indicates the MFT Zone is at the standard 12.5% of total drive space.
I don't know about the recurrent attribute error, though.
Just wondering, is all... because my Defrag report figures confuse me as to my MFT size - with 25,700 entries the MFT is 75% in use even though only 33Mb in size. 12.5% of 8GB is 1GB.

gerbil 216 Industrious Poster

A bit of fun.. :)
True, it does not have to be a picture, any file will do. You can, for example, hide a compressed txt file in another txt file:
copy /b viztext.txt+hiddentext.rar
-the second is appended to the first. But on opening viztext.txt you will see the RAR gibberish, so it's not exactly hidden, the gibberish being tagged as RAR. Your picture idea is best.
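As an added example (not code from the post), the copy /b trick reproduced in Python next to the check that defeats it: scanning the combined file for archive signatures finds the appended part at its exact offset, which is why this is concealment rather than secrecy. The carrier text and the RAR stub are constructed sample bytes, not a real archive.

```python
from typing import List, Tuple

# Magic numbers of common archive formats (RAR 4.x, RAR 5, ZIP, 7z).
SIGNATURES = {
    b"Rar!\x1a\x07\x00": "RAR4",
    b"Rar!\x1a\x07\x01\x00": "RAR5",
    b"PK\x03\x04": "ZIP",
    b"7z\xbc\xaf\x27\x1c": "7z",
}


def copy_b(*parts: bytes) -> bytes:
    """Binary concatenation, the same thing `copy /b a+b` does on Windows."""
    return b"".join(parts)


def find_appended_archives(data: bytes, start: int = 1) -> List[Tuple[int, str]]:
    """Return (offset, format) for every archive signature at or after `start`.
    start=1 ignores a signature at offset 0, i.e. a file that simply is an archive."""
    hits: List[Tuple[int, str]] = []
    for magic, name in SIGNATURES.items():
        pos = data.find(magic, start)
        while pos != -1:
            hits.append((pos, name))
            pos = data.find(magic, pos + 1)
    return sorted(hits)


def split_carrier(data: bytes) -> Tuple[bytes, bytes]:
    """Split a concatenated file into (visible part, appended archive bytes)
    at the first signature found, or (data, b"") if there is none."""
    hits = find_appended_archives(data)
    if not hits:
        return data, b""
    off = hits[0][0]
    return data[:off], data[off:]


# Constructed sample: a plain-text viztext.txt followed by a RAR4 stub
# (signature plus filler only, not a usable archive).
VISIBLE = b"This is the visible text of viztext.txt.\r\n"
HIDDEN = b"Rar!\x1a\x07\x00" + b"\x00" * 16
COMBINED = copy_b(VISIBLE, HIDDEN)

if __name__ == "__main__":
    for offset, fmt in find_appended_archives(COMBINED):
        print(f"{fmt} data appended at byte offset {offset}")
```

The same scan is what a file-type identifier or AV engine does when it reports a text file as "containing" an archive.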

gerbil 216 Industrious Poster

Hi, nemesis, it looks like you may have a rootkit... and a few unhidden malware files to boot.
==Download this temp file cleaner from http://www.atribune.org/ccount/click.php?id=1 --dclick in the download window to run it, and when ATF Cleaner opens go Select all, and then Empty Selected.
Next click Firefox [if you have that browser..] at the top, Select All again, and Empty Selected again. Follow that procedure also if you have Opera.
Close ATF. Repeat in other User profiles.
==Download tdsskiller from this link, save it to your desktop:
http://support.kaspersky.com/downloads/utils/tdsskiller.exe -you may need to download it to a clean computer and then transfer it to the desktop using a USB flash drive.
Start TDSSKiller via this command, NOT the icon:
"%userprofile%\desktop\tdsskiller.exe" -l C:\tdssrpt.txt -paste this into Start, Run...
- click Scan. If TDSSKiller finds a rootkit and prompts a Cure then press Continue [a reboot may be required]; press continue also on Skip prompt. Do not delete or quarantine any files.
Post the log from C:\.
HiJackThis:
You have a choice of versions, installable program or stand-alone executable; in action they are fundamentally identical; on their own they make no alterations, merely scan vulnerable locations and report.

i] -download installable hijackthis: http://www.majorgeeks.com/download5554.html or http://www.filehippo.com/download_hijackthis/
-dclick that .msi file to install Hijackthis as a program.
Else...
ii] - download the executable file from: http://www.bleepingcomputer.com/files/hijackthis.php
- unzip if …

gerbil 216 Industrious Poster

Okay, thanks. Undergone a name-change, or done its job and been removed?

gerbil 216 Industrious Poster

Wondering what this one is, also:
2011-01-08 14:10:54 88 --sh--r- c:\windows\system32\AD53B5037A.sys
DDS has it in 3M, but not CF.... something to do with divx? - it appeared on the sys at close to that time...
And this one is still there..
S3: gel90xne.sys

[just trying not to get way out of touch, or step too often on yours and PP's toes, crunchie.. :)]

gerbil 216 Industrious Poster

As you say, either one is good, both may be less than.
I think Combofix will sort him out. I try to avoid it cos I don't like the system resets it does; those services could be removed manually and I bet that would expose other files to scans. You wanna do the work?