Solved

Junk files duplicate themselves after being deleted

Posted on 2004-08-16
Last Modified: 2010-04-11
Hi all,
I've got a weird problem with my Windows XP laptop. I found a lot of junk files in the c:\windows\download installation\ directory, stuff like birtney.exe or porn.exe. After I searched the file name I found 7 other directories containing the same content. So I deleted all of them from each directory, but in just this one directory, c:\windows\pchealth\, the files come back again immediately after I delete them, which drives me crazy. Any idea?

Thanks heaps
Yours Eric
0
Comment
Question by:ericpc
18 Comments
 
LVL 6

Expert Comment

by:parkerig
ID: 11807664
Hi,
Best guess is you have a virus or some malware.
There are many posts on this.

Here is just one of them.

http://www.experts-exchange.com/Security/Q_20901427.html?query=virus+spyware&topics=174

Cheers
Ian
0
 
LVL 32

Expert Comment

by:LucF
ID: 11807728
Hi ericpc,

Could also very likely be a virus that spreads through a file sharing network or tries to spread through shared folders.
Do an online virus scan like http://housecall.antivirus.com

Greetings,

LucF
0
 
LVL 7

Expert Comment

by:jimwasson
ID: 11807761
Sounds like the system restore may be restoring these files after you delete them. Try turning off System Restore and then finding and deleting all those files again. Then you can turn System Restore back on again. Turning System Restore off will remove the old restore points that will have included these files.
0

 
LVL 7

Expert Comment

by:jimwasson
ID: 11807897
"...the file will come back again immediately after I delete them..." -- I didn't catch the immediately in there. Sounds more like a Windows File Protection deal or, as parkerig and LucF said a hijacker or virus. By all means do the scanning and cleaning of anything that's found -- but turn off System Restore first to be sure.
0
 
LVL 15

Expert Comment

by:Cyber-Dude
ID: 11809971
It looks like adware... Just remove those clients using Ad-Aware software...

Download it and run it...

http://www.addaware.com

Cyber
0
 
LVL 15

Expert Comment

by:Cyber-Dude
ID: 11810024
Wait... there is even a better software:
http://www.webattack.com/get/adaware.html

Get this one...

Cyber
0
 

Author Comment

by:ericpc
ID: 11816143
I tried Ad-Aware and Spybot, no luck.
When I say "...the file will come back again immediately after I delete them..." it means that when I delete them in one folder you can actually see them create themselves again in the same folder.
0
 
LVL 6

Expert Comment

by:parkerig
ID: 11816178
Hi,
I have had a similar problem and the EE replies I got are on the following URL

http://www.experts-exchange.com/Operating_Systems/Q_21067201.html

Cheers
Ian
0
 

Author Comment

by:ericpc
ID: 11817304
Things are getting worse guys.
All the junk files are coming back again, to the eight different directories.
Most of the files are stuff like "britney spears blow job.jpg.exe", "harry_potter.exe".
There is one directory that looks pretty weird, "windows\PCHEALTH\Upload\",
it has all the junk files and also contains two folders, "Binaries" and "Config". Inside "Binaries" it has all the junk files again; the interesting thing is, after I delete all the files in "Binaries", it creates a file called "uploadm.exe".

I disabled System Restore, and I ran a Norton Antivirus 2004 full system scan, which doesn't find anything.
Help please

EC
0
 
LVL 32

Expert Comment

by:LucF
ID: 11817912
I see a lot of viruses etc. using those kinds of names; it looks like your computer has been compromised by a trojan not yet detected by the antivirus programs.

So what I suggest you do is get yourself HijackThis:
http://aumha.org/downloads/hijackthis.exe
Put it in its own folder, not on the desktop or any temporary folder; something like "c:\hjt\hijackthis.exe" will do fine.
Run it, accept the first warning message (read it though, so you know what HijackThis does)
Click "Scan" and then "Save log"
Post all the contents of the logfile here, including the headers etc. (if you're on a domain please edit out the domain name)

LucF
0
 
LVL 6

Expert Comment

by:parkerig
ID: 11817925
If possible boot from an antivirus CD or floppy and do a virus check from there.

Then boot into safemode
( run msconfig and choose boot tab and safemode ) or F8 on startup

Let us know how that goes

Ian
0
 
LVL 6

Expert Comment

by:parkerig
ID: 11817932
Oops forgot to say do another virus check and spyware check - in safe mode

Ian
0
 
LVL 6

Expert Comment

by:parkerig
ID: 11817949
Another post on various options

http://www.experts-exchange.com/Operating_Systems/Q_20995679.html?

MAKE SURE IF YOU ARE ON A NETWORK YOU DISCONNECT.
You may be being "infected" by another machine (internet or LAN or WAN etc.)

Ian
0
 

Author Comment

by:ericpc
ID: 11818006
Here is the logfile guys

Logfile of HijackThis v1.98.2
Scan saved at 4:55:35 PM, on 17/08/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\atiptaxx.exe
C:\WINDOWS\LTSMMSG.exe
C:\WINDOWS\System32\yacpower.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
C:\Program Files\Drag'n Drop CD\BinFiles\DragDrop.exe
C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
C:\program files\Telstra\Signup\tbpt.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\FVProtect.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Nikon\NkView4\NkVwMon.exe
C:\Program Files\FotoStation Easy\FotoStation Easy AutoLaunch.exe
C:\Program Files\Microsoft Home Publishing\MHPRMIND.EXE
C:\hjt\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ninemsn.com.au/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [YAMAHA AC-XG Power Utility] yacpower.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [IndicatorUtility] C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
O4 - HKLM\..\Run: [Drag'n Drop CD] C:\Program Files\Drag'n Drop CD\BinFiles\DragDrop.exe /StartUp
O4 - HKLM\..\Run: [LoadFujitsuQuickTouch] C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
O4 - HKLM\..\Run: [LoadBtnHnd] C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
O4 - HKLM\..\Run: [{F7D90BD2-14A9-11d3-AD9E-00AA0064EC94}] C:\program files\Telstra\Signup\tbpt.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [Norton Antivirus AV] C:\WINDOWS\FVProtect.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] ???????\WkDetect.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: Microsoft Greetings Reminders.lnk = C:\Program Files\Microsoft Home Publishing\MHPRMIND.EXE
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Startup: Norton Disk Doctor.LNK = C:\Program Files\Norton SystemWorks\Norton Utilities\NDD32.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: NkVwMon.exe.lnk = C:\Program Files\Nikon\NkView4\NkVwMon.exe
O4 - Global Startup: FotoStation Easy AutoLaunch.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Telstra Usage Meter - {D4D7BC9D-5707-4494-B2F6-B362DB158664} - C:\Program Files\Telstra Usage Meter\UsgeMetr.htm
O9 - Extra 'Tools' menuitem: Telstra Usage Meter - {D4D7BC9D-5707-4494-B2F6-B362DB158664} - C:\Program Files\Telstra Usage Meter\UsgeMetr.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20020124/qtinstall.info.apple.com/qt505/uk/win/QuickTimeInstaller.exe
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = mbau.mercedes-benz.com,vic.bigpond.net.au
O17 - HKLM\System\CS1\Services\VxD\MSTCP: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = mbau.mercedes-benz.com,vic.bigpond.net.au
O17 - HKLM\System\CS2\Services\VxD\MSTCP: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = mbau.mercedes-benz.com,vic.bigpond.net.au

0
 
LVL 32

Accepted Solution

by: LucF (earned 500 total points)
ID: 11818024
C:\WINDOWS\FVProtect.exe <= WORM_NETSKY.P
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_NETSKY.P

If you look at the technical details on that page and scroll down, you'll see that exactly those filenames are used.

LucF
0
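As an added example that is not part of this thread: a small Python parser for HijackThis O4 (Run-key) lines, modelled on the log posted above, that extracts each autostart label and binary path and flags the kind of mismatch LucF spotted, a "Norton Antivirus AV" label pointing at an executable in the Windows root instead of under Program Files. The sample lines and the two heuristics are constructed for illustration; flagged entries are triage leads to verify against a vendor encyclopedia such as the Trend Micro page linked above, not verdicts.

```python
import re
from typing import NamedTuple

# Constructed sample in HijackThis O4 format, modelled on (not copied from) the log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Norton Antivirus AV] C:\WINDOWS\FVProtect.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
"""

O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
SECURITY_WORDS = ("norton", "antivirus", "protect", "firewall", "security")  # labels a worm may pose with

class RunEntry(NamedTuple):
    hive: str
    name: str  # label inside the square brackets
    path: str  # executable, with any arguments stripped

def parse_o4(log: str) -> list[RunEntry]:
    """Extract Run-key autostart entries from O4 lines; all other lines are ignored."""
    entries = []
    for line in log.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        cmd = m["cmd"].strip()
        if cmd.startswith('"'):
            path = cmd[1:cmd.index('"', 1)]  # quoted path; arguments follow the closing quote
        else:
            exe = re.match(r"(.+?\.exe)", cmd, re.IGNORECASE)  # unquoted path may contain spaces
            path = exe.group(1) if exe else cmd
        entries.append(RunEntry(m["hive"], m["name"], path))
    return entries

def suspicious(entry: RunEntry) -> list[str]:
    """Return triage reasons for an entry (empty list = nothing unusual by these heuristics)."""
    reasons = []
    low = entry.path.lower()
    parent = low.rsplit("\\", 1)[0] if "\\" in low else ""
    if parent in ("c:\\windows", ""):
        reasons.append("binary sits directly in the Windows root or has no path")
    if any(w in entry.name.lower() for w in SECURITY_WORDS) and "program files" not in low:
        reasons.append("security-product label but binary outside Program Files")
    return reasons

def flagged(log: str) -> dict[str, list[str]]:
    return {e.name: r for e in parse_o4(log) if (r := suspicious(e))}
```

On the constructed sample, `flagged(SAMPLE_LOG)` reports the "Norton Antivirus AV" entry (both reasons) and the path-less "LTSMMSG" entry (first reason only), while the Program Files and System32 entries pass.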
 
LVL 32

Expert Comment

by:LucF
ID: 11818028
0
 

Author Comment

by:ericpc
ID: 11818928
Hi Lucf,

Problem fixed, you are the real champion, thanks heaps.
I just don't understand why those sick people develop this kind of trouble.

Yours EC
0
 
LVL 32

Expert Comment

by:LucF
ID: 11822128
Glad to help :)

>>I just don't understand why those sick people develop this kind of trouble.<<
Neither do I, but this one was made by someone that hates the creator of the bagle worm. You can't find a better removal tool for the bagle worm than the Netsky worm :o)

Take care,

LucF
0
