Solved

Junk files duplicate themselves after being deleted

Posted on 2004-08-16
Last Modified: 2010-04-11
Hi all,
       I've got a weird problem with my Windows XP laptop. I found a lot of junk files in the c:\windows\download installation\ directory, stuff like birtney.exe or porn.exe. After I searched for the file name I found 7 other directories containing the same content. So I deleted all of them from each directory, but in just this one directory, c:\windows\pchealth\, the files come back again immediately after I delete them, which drives me crazy. Any idea?

Thanks heaps
Yours Eric
Question by ericpc
 
Expert Comment by parkerig (LVL 6)
Hi,
Best guess is you have a virus or some malware.
There are many posts on this.

Here is just one of them.

http://www.experts-exchange.com/Security/Q_20901427.html?query=virus+spyware&topics=174

Cheers
Ian
 
Expert Comment by Luc Franken (LVL 32)
Hi ericpc,

It could also very likely be a virus that spreads through a file sharing network or tries to spread through shared folders.
Do an online virus scan like http://housecall.antivirus.com

Greetings,

LucF
 
Expert Comment by jimwasson (LVL 7)
Sounds like the system restore may be restoring these files after you delete them. Try turning off System Restore and then finding and deleting all those files again. Then you can turn System Restore back on again. Turning System Restore off will remove the old restore points that will have included these files.
 
Expert Comment by jimwasson (LVL 7)
"...the file will come back again immediately after I delete them..." -- I didn't catch the immediately in there. Sounds more like a Windows File Protection deal or, as parkerig and LucF said a hijacker or virus. By all means do the scanning and cleaning of anything that's found -- but turn off System Restore first to be sure.
 
Expert Comment by Cyber-Dude (LVL 15)
It looks like adware... Just remove those clients using the Ad-Aware software...

Download it and run it...

http://www.addaware.com

Cyber
 
Expert Comment by Cyber-Dude (LVL 15)
Wait... there is even better software:
http://www.webattack.com/get/adaware.html

Get this one...

Cyber
 

Author Comment by ericpc
I tried Ad-Aware and Spybot, no luck.
When I say "...the file will come back again immediately after I delete them..." it means that when I delete them in one folder you can actually see them recreate themselves in the same folder.
 
Expert Comment by parkerig (LVL 6)
Hi,
I have had a similar problem and the EE replies I got are on the following URL

http://www.experts-exchange.com/Operating_Systems/Q_21067201.html

Cheers
Ian
 

Author Comment by ericpc
Things are getting worse, guys.
All the junk files are coming back again, to the eight different directories.
Most of the files are stuff like "britney spears blow job.jpg.exe", "harry_potter.exe".
There is one directory that looks pretty weird, "windows\PCHEALTH\Upload\",
it has all the junk files and also contains two folders, "Binaries" and "Config". Inside "Binaries" it has all the junk files again; the interesting thing is, after I delete all the files in "Binaries", it creates a file called "uploadm.exe".

I disabled System Restore, and I ran a Norton AntiVirus 2004 full system scan, which doesn't find anything.
Help please

EC
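The behaviour Eric describes above, one set of executables replicated into eight directories under names like "harry_potter.exe" and "britney spears blow job.jpg.exe", can be enumerated mechanically rather than by eye. The Python script below is an added example, not code from this thread: it hashes every file under a scan root, reports any content that appears in more than one directory, and flags double-extension names where a decoy media extension sits in front of a real executable extension. The directory tree it builds in a temp folder is constructed to resemble the layout Eric described; the file contents are harmless placeholder bytes, not the worm, and the extension lists are assumptions of the example.

```python
"""Find identical executables replicated across directories and flag
deceptive double-extension names such as 'something.jpg.exe'.

Added example, not from the thread. The sample tree it builds is
constructed; the payload bytes are a placeholder, not real malware.
"""
import hashlib
import os
import shutil
import tempfile
from collections import defaultdict

# Extensions Windows will execute, and "decoy" extensions a worm puts in
# front of them so a user with hidden known-extensions sees a picture or
# document. Both lists are assumptions of this example.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}
DECOY_EXTS = {".jpg", ".gif", ".doc", ".txt", ".mp3", ".zip", ".pdf"}


def is_double_extension(name):
    """True for names like 'harry_potter.jpg.exe': a decoy extension
    directly before a real executable extension."""
    base, last = os.path.splitext(name.lower())
    if last not in EXECUTABLE_EXTS:
        return False
    _, inner = os.path.splitext(base)
    return inner in DECOY_EXTS


def sha256_of(path):
    """Stream-hash one file so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_replicated(root):
    """Return {digest: [paths]} for content present in more than one
    directory under root. Same content in several places is the
    fingerprint of a dropper copying itself around, as in the thread."""
    by_hash = defaultdict(list)
    for dirpath, _, files in os.walk(root):
        for name in files:
            by_hash[sha256_of(os.path.join(dirpath, name))].append(
                os.path.join(dirpath, name))
    return {d: ps for d, ps in by_hash.items()
            if len({os.path.dirname(p) for p in ps}) > 1}


def triage(root):
    """Return (replicated_sets, double_extension_paths) for a tree."""
    suspicious = sorted(
        os.path.relpath(os.path.join(d, n), root)
        for d, _, fs in os.walk(root) for n in fs if is_double_extension(n))
    return find_replicated(root), suspicious


def build_sample_tree():
    """Constructed sample: one fake payload dropped into three folders,
    plus a benign file that appears only once. Returns the temp root."""
    root = tempfile.mkdtemp(prefix="worm_triage_")
    payload = b"MZ placeholder bytes for the example, not a real binary"
    for sub in ("WINDOWS/PCHEALTH/Upload",
                "WINDOWS/PCHEALTH/Upload/Binaries", "Shared"):
        d = os.path.join(root, sub)
        os.makedirs(d, exist_ok=True)
        for n in ("harry_potter.exe", "britney_spears.jpg.exe"):
            with open(os.path.join(d, n), "wb") as f:
                f.write(payload)
    with open(os.path.join(root, "Shared", "notes.txt"), "wb") as f:
        f.write(b"benign file, appears once")
    return root


def cleanup(root):
    """Remove the constructed sample tree."""
    shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    r = build_sample_tree()
    replicated, double_ext = triage(r)
    for digest, paths in replicated.items():
        print(digest[:12], "in", len(paths), "places")
    print("double-extension names:", double_ext)
    cleanup(r)
```

Point the scan root at the suspect drive instead of the constructed tree to use it for real. On a live infection the dropper recreates the files as fast as they are deleted, exactly as the post describes, so the listing is for identifying the set and for confirming a clean tree afterwards, not for deleting from while the process that writes them is still running.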
 
Expert Comment by Luc Franken (LVL 32)
I see a lot of viruses etc. using those kinds of names; it looks like your computer has been compromised by a trojan not yet detected by the antivirus programs.

So what I suggest you to do, get yourself Hijackthis:
http://aumha.org/downloads/hijackthis.exe
Put it in its own folder, not on the desktop or any temporary folder; something like "c:\hjt\hijackthis.exe" will do fine.
Run it, accept the first warning message (read it though so you know what hijackthis does)
Click "Scan" and then "Save log"
Post all the contents of the logfile here, including the headers etc. (if you're on a domain please edit out the domainname)

LucF
 
Expert Comment by parkerig (LVL 6)
If possible boot from an antivirus CD or floppy and do a virus check from there.

Then boot into safe mode
(run msconfig and choose the boot tab and safe mode) or F8 on startup

Let us know how that goes

Ian
 
Expert Comment by parkerig (LVL 6)
Oops, forgot to say: do another virus check and spyware check - in safe mode

Ian
 
Expert Comment by parkerig (LVL 6)
Another post on various options

http://www.experts-exchange.com/Operating_Systems/Q_20995679.html?

MAKE SURE IF YOU ARE ON A NETWORK YOU DISCONNECT.
You may be being "infected" by another machine (internet or LAN or WAN etc.)

Ian
 

Author Comment by ericpc
Here is the logfile, guys

Logfile of HijackThis v1.98.2
Scan saved at 4:55:35 PM, on 17/08/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\atiptaxx.exe
C:\WINDOWS\LTSMMSG.exe
C:\WINDOWS\System32\yacpower.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
C:\Program Files\Drag'n Drop CD\BinFiles\DragDrop.exe
C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
C:\program files\Telstra\Signup\tbpt.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\FVProtect.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Nikon\NkView4\NkVwMon.exe
C:\Program Files\FotoStation Easy\FotoStation Easy AutoLaunch.exe
C:\Program Files\Microsoft Home Publishing\MHPRMIND.EXE
C:\hjt\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ninemsn.com.au/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [YAMAHA AC-XG Power Utility] yacpower.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [IndicatorUtility] C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
O4 - HKLM\..\Run: [Drag'n Drop CD] C:\Program Files\Drag'n Drop CD\BinFiles\DragDrop.exe /StartUp
O4 - HKLM\..\Run: [LoadFujitsuQuickTouch] C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
O4 - HKLM\..\Run: [LoadBtnHnd] C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
O4 - HKLM\..\Run: [{F7D90BD2-14A9-11d3-AD9E-00AA0064EC94}] C:\program files\Telstra\Signup\tbpt.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [Norton Antivirus AV] C:\WINDOWS\FVProtect.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] ???????\WkDetect.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: Microsoft Greetings Reminders.lnk = C:\Program Files\Microsoft Home Publishing\MHPRMIND.EXE
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Startup: Norton Disk Doctor.LNK = C:\Program Files\Norton SystemWorks\Norton Utilities\NDD32.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: NkVwMon.exe.lnk = C:\Program Files\Nikon\NkView4\NkVwMon.exe
O4 - Global Startup: FotoStation Easy AutoLaunch.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Telstra Usage Meter - {D4D7BC9D-5707-4494-B2F6-B362DB158664} - C:\Program Files\Telstra Usage Meter\UsgeMetr.htm
O9 - Extra 'Tools' menuitem: Telstra Usage Meter - {D4D7BC9D-5707-4494-B2F6-B362DB158664} - C:\Program Files\Telstra Usage Meter\UsgeMetr.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20020124/qtinstall.info.apple.com/qt505/uk/win/QuickTimeInstaller.exe
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = mbau.mercedes-benz.com,vic.bigpond.net.au
O17 - HKLM\System\CS1\Services\VxD\MSTCP: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = mbau.mercedes-benz.com,vic.bigpond.net.au
O17 - HKLM\System\CS2\Services\VxD\MSTCP: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = mbau.mercedes-benz.com,vic.bigpond.net.au

 
Accepted Solution by Luc Franken (LVL 32), earned 500 total points
C:\WINDOWS\FVProtect.exe <= WORM_NETSKY.P
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_NETSKY.P

If you look at the technical details on that page and scroll down, you'll see that exactly those filenames are used.

LucF
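The pattern the accepted answer spotted in the log, an O4 autostart entry whose value name borrows a security vendor's name ("Norton Antivirus AV") while its executable sits in C:\WINDOWS rather than under Program Files, can be checked mechanically across a whole HijackThis log. The Python below is an added example, not part of the thread or of HijackThis. The O4 lines it parses are excerpted from the log Eric posted; the two heuristics it applies, and the keyword list, are assumptions of the example rather than HijackThis rules.

```python
"""Triage the O4 (Run-key autostart) lines of a HijackThis log.

Added example, not code from the thread or from HijackThis. Two
heuristics, both assumptions of this example:
  1. the executable sits directly in the Windows directory rather than
     in System32 or under Program Files;
  2. the Run value's name claims a security product while the executable
     is not installed under Program Files.
"""
import ntpath
import re

# Excerpt of the O4 lines from the log posted in the thread. The
# "Norton Antivirus AV" entry is the one the accepted answer identified.
SAMPLE_O4_LINES = r"""
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [Norton Antivirus AV] C:\WINDOWS\FVProtect.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
"""

# "O4 - <hive>\..\Run: [<value name>] <command line>"
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
QUOTED_RE = re.compile(r'^"([^"]+)"')
UNQUOTED_EXE_RE = re.compile(r"^(.*?\.exe)(?=\s|$)", re.IGNORECASE)

# Words that suggest the value name is posing as a security product
# (assumed list; extend for other vendors).
SECURITY_WORDS = ("norton", "symantec", "antivirus", "mcafee", "trend")
WINDOWS_ROOT = r"c:\windows"


def parse_o4(line):
    """Return (hive, value name, executable path) for a Run-key O4 line,
    or None for anything else (Startup-folder O4 lines, other sections)."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    cmd = m.group("cmd").strip()
    q = QUOTED_RE.match(cmd)
    if q:
        exe = q.group(1)                     # quoted path, args follow
    else:
        u = UNQUOTED_EXE_RE.match(cmd)       # unquoted path, may have spaces
        exe = u.group(1) if u else cmd.split()[0]
    return m.group("hive"), m.group("name"), exe


def reasons_for(name, exe):
    """Apply the two heuristics; return the list of reasons that fired."""
    reasons = []
    low = exe.lower()
    # ntpath handles backslash paths correctly even when run on Linux.
    if ntpath.dirname(low) == WINDOWS_ROOT:
        reasons.append("runs from the Windows root directory")
    if any(w in name.lower() for w in SECURITY_WORDS) \
            and "\\program files\\" not in low:
        reasons.append("claims a security product but is not under Program Files")
    return reasons


def triage_o4(log_text):
    """Return one finding per suspicious Run-key entry in a log."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_o4(line)
        if not parsed:
            continue
        hive, name, exe = parsed
        reasons = reasons_for(name, exe)
        if reasons:
            findings.append({"hive": hive, "name": name, "exe": exe,
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage_o4(SAMPLE_O4_LINES):
        print(f"{f['hive']} [{f['name']}] {f['exe']}")
        for r in f["reasons"]:
            print("   -", r)
```

In this log only FVProtect.exe trips the checks. LTSMMSG.exe also runs from C:\WINDOWS according to the process list, but its Run value is a bare filename with no directory, so the Windows-root check does not fire on it. Treat a hit as a reason to look the file up, as LucF did on the Trend Micro virus encyclopedia, not as a verdict.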
 
 

Author Comment by ericpc
Hi Lucf,

      Problem fixed, you are the real champion, thanks heaps.
      I just don't understand why those sick people develop this kind of trouble.

Yours EC
 
Expert Comment by Luc Franken (LVL 32)
Glad to help :)

>>I just don't understand why those sick people develop this kind of trouble.<<
Neither do I, but this one was made by someone who hates the creator of the Bagle worm. You can't find a better removal tool for the Bagle worm than the Netsky worm :o)

Take care,

LucF
