Solved

Junk files duplicate themselves after being deleted

Posted on 2004-08-16
18
1,012 Views
Last Modified: 2010-04-11
Hi all,
       I've got a weird problem with my Windows XP laptop. I found a lot of junk files in the c:\windows\download installation\ directory, stuff like birtney.exe or porn.exe. After I searched the file name I found 7 other directories containing the same content. So I deleted all of them from each directory, but in just this one directory, c:\windows\pchealth\, the files come back again immediately after I delete them, which drives me crazy. Any idea?

Thanks heaps
Yours Eric
Question by:ericpc
18 Comments
 
LVL 6

Expert Comment

by:parkerig
ID: 11807664
Hi,
Best guess is you have a virus or some malware.
There are many posts on this.

Here is just one of them.

http://www.experts-exchange.com/Security/Q_20901427.html?query=virus+spyware&topics=174

Cheers
Ian
0
 
LVL 32

Expert Comment

by:LucF
ID: 11807728
Hi ericpc,

It could also very likely be a virus that spreads through a file sharing network or tries to spread through shared folders.
Do an online virus scan like http://housecall.antivirus.com

Greetings,

LucF
0
 
LVL 7

Expert Comment

by:jimwasson
ID: 11807761
Sounds like the system restore may be restoring these files after you delete them. Try turning off System Restore and then finding and deleting all those files again. Then you can turn System Restore back on again. Turning System Restore off will remove the old restore points that will have included these files.
0
 
LVL 7

Expert Comment

by:jimwasson
ID: 11807897
"...the file will come back again immediately after I delete them..." -- I didn't catch the immediately in there. Sounds more like a Windows File Protection deal or, as parkerig and LucF said a hijacker or virus. By all means do the scanning and cleaning of anything that's found -- but turn off System Restore first to be sure.
0
 
LVL 15

Expert Comment

by:Cyber-Dude
ID: 11809971
It looks like adware... Just remove those clients using Ad-Aware software...

Download it and run it...

http://www.addaware.com

Cyber
0
 
LVL 15

Expert Comment

by:Cyber-Dude
ID: 11810024
Wait... there is even a better software:
http://www.webattack.com/get/adaware.html

Get this one...

Cyber
0
 

Author Comment

by:ericpc
ID: 11816143
I tried Ad-Aware and Spybot, no luck.
When I say "...the file will come back again immediately after I delete them..." it means that when I'm deleting them in one folder you can actually see them create themselves again in the same folder.
0
 
LVL 6

Expert Comment

by:parkerig
ID: 11816178
Hi,
I have had a similar problem and the EE replies I got are on the following URL

http://www.experts-exchange.com/Operating_Systems/Q_21067201.html

Cheers
Ian
0
 

Author Comment

by:ericpc
ID: 11817304
Things are getting worse, guys.
All the junk files are coming back again, to the eight different directories.
Most of the files are stuff like "britney spears blow job.jpg.exe", "harry_potter.exe".
There is one directory that looks pretty weird, "windows\PCHEALTH\Upload\",
it has all the junk files and also contains two folders, "Binaries" and "Config". Inside "Binaries" it has all the junk files again; the interesting thing is, after I delete all the files in "Binaries", it creates a file called "uploadm.exe".

I disabled System Restore, and I ran a Norton Antivirus 2004 full system scan, which doesn't find anything.
Help please

EC
0
 
LVL 32

Expert Comment

by:LucF
ID: 11817912
I see a lot of viruses etc. using those kinds of names; it looks like your computer has been compromised by a trojan not yet detected by the antivirus programs.

So what I suggest you to do, get yourself Hijackthis:
http://aumha.org/downloads/hijackthis.exe 
Put it in its own folder, not on the desktop or any temporary folder; something like "c:\hjt\hijackthis.exe" will do fine.
Run it, accept the first warning message (read it though so you know what hijackthis does)
Click "Scan" and then "Save log"
Post all the contents of the logfile here, including the headers etc. (if you're on a domain please edit out the domainname)

LucF
0
 
LVL 6

Expert Comment

by:parkerig
ID: 11817925
If possible boot from an antivirus CD or floppy and do a virus check from there.

Then boot into safemode
( run msconfig and choose boot tab and safemode ) or F8 on startup

Let us know how that goes

Ian
0
 
LVL 6

Expert Comment

by:parkerig
ID: 11817932
Oops forgot to say do another virus check and spyware check - in safe mode

Ian
0
 
LVL 6

Expert Comment

by:parkerig
ID: 11817949
Another post on various options

http://www.experts-exchange.com/Operating_Systems/Q_20995679.html?

MAKE SURE IF YOU ARE ON A NETWORK YOU DISCONNECT.
You may be being "infected" by another machine ( internet or LAN or WAN etc )

Ian
0
 

Author Comment

by:ericpc
ID: 11818006
Here is the logfile guys

Logfile of HijackThis v1.98.2
Scan saved at 4:55:35 PM, on 17/08/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\atiptaxx.exe
C:\WINDOWS\LTSMMSG.exe
C:\WINDOWS\System32\yacpower.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
C:\Program Files\Drag'n Drop CD\BinFiles\DragDrop.exe
C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
C:\program files\Telstra\Signup\tbpt.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\FVProtect.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Nikon\NkView4\NkVwMon.exe
C:\Program Files\FotoStation Easy\FotoStation Easy AutoLaunch.exe
C:\Program Files\Microsoft Home Publishing\MHPRMIND.EXE
C:\hjt\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ninemsn.com.au/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [YAMAHA AC-XG Power Utility] yacpower.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [IndicatorUtility] C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
O4 - HKLM\..\Run: [Drag'n Drop CD] C:\Program Files\Drag'n Drop CD\BinFiles\DragDrop.exe /StartUp
O4 - HKLM\..\Run: [LoadFujitsuQuickTouch] C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
O4 - HKLM\..\Run: [LoadBtnHnd] C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
O4 - HKLM\..\Run: [{F7D90BD2-14A9-11d3-AD9E-00AA0064EC94}] C:\program files\Telstra\Signup\tbpt.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [Norton Antivirus AV] C:\WINDOWS\FVProtect.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] ???????\WkDetect.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: Microsoft Greetings Reminders.lnk = C:\Program Files\Microsoft Home Publishing\MHPRMIND.EXE
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Startup: Norton Disk Doctor.LNK = C:\Program Files\Norton SystemWorks\Norton Utilities\NDD32.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: NkVwMon.exe.lnk = C:\Program Files\Nikon\NkView4\NkVwMon.exe
O4 - Global Startup: FotoStation Easy AutoLaunch.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Telstra Usage Meter - {D4D7BC9D-5707-4494-B2F6-B362DB158664} - C:\Program Files\Telstra Usage Meter\UsgeMetr.htm
O9 - Extra 'Tools' menuitem: Telstra Usage Meter - {D4D7BC9D-5707-4494-B2F6-B362DB158664} - C:\Program Files\Telstra Usage Meter\UsgeMetr.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20020124/qtinstall.info.apple.com/qt505/uk/win/QuickTimeInstaller.exe
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = mbau.mercedes-benz.com,vic.bigpond.net.au
O17 - HKLM\System\CS1\Services\VxD\MSTCP: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = mbau.mercedes-benz.com,vic.bigpond.net.au
O17 - HKLM\System\CS2\Services\VxD\MSTCP: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = mbau.mercedes-benz.com,vic.bigpond.net.au

0
 
LVL 32

Accepted Solution

by:
LucF earned 500 total points
ID: 11818024
C:\WINDOWS\FVProtect.exe <= WORM_NETSKY.P
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_NETSKY.P

If you look at the technical details on that page and scroll down, you'll see that exactly those filenames are used.

LucF
0
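The accepted answer spots the worm from one O4 autostart line: an entry named "Norton Antivirus AV" that actually launches C:\WINDOWS\FVProtect.exe. The following Python script is an added example, not part of the thread or of HijackThis: it parses O4 lines from a constructed sample modelled on the log above and flags entries that claim to be security software but run from outside a vendor program directory, sit directly in the Windows directory, or carry the filename the answer names. The directory hints and keyword lists are assumptions for the heuristic.

```python
import re

# Constructed sample modelled on the O4 (autostart) lines of the HijackThis log in this thread.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\\..\\Run: [ccApp] "C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"
O4 - HKLM\\..\\Run: [Norton Antivirus AV] C:\\WINDOWS\\FVProtect.exe
O4 - HKLM\\..\\Run: [TkBellExe] "C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe"  -osboot
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\System32\\ctfmon.exe
"""

# Filename the accepted answer identifies as the NETSKY.P dropper on this machine.
KNOWN_BAD_BASENAMES = {"fvprotect.exe"}
# Words that make an autostart entry claim to be security software (assumed list).
AV_WORDS = ("norton", "antivirus", "symantec", "mcafee")
# Where a legitimate AV autostart would normally live (assumption for the heuristic).
AV_HOME_HINTS = ("\\program files\\", "\\symantec shared\\")

O4_RE = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")

def split_command(cmd):
    """Return the executable path from an O4 command line, dropping any arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    m = re.search(r"\.exe", cmd, re.IGNORECASE)
    return cmd[: m.end()] if m else cmd

def parse_o4(log):
    """Extract (name, path) pairs from every O4 line in a HijackThis-style log."""
    entries = []
    for line in log.splitlines():
        m = O4_RE.match(line)
        if m:
            entries.append({"name": m["name"], "path": split_command(m["cmd"])})
    return entries

def suspicious(entry):
    """Return the reasons an autostart entry looks like malware posing as AV (empty if none)."""
    name, path = entry["name"].lower(), entry["path"].lower()
    base = path.rsplit("\\", 1)[-1]
    reasons = []
    if base in KNOWN_BAD_BASENAMES:
        reasons.append("filename named as NETSKY.P in the thread")
    if any(w in name for w in AV_WORDS) and not any(h in path for h in AV_HOME_HINTS):
        reasons.append("claims to be AV but runs outside a vendor program directory")
    if path.startswith("c:\\windows\\") and path.count("\\") == 2:
        reasons.append("executable sits directly in the Windows directory")
    return reasons

def triage(log):
    """Map each flagged entry name to its list of reasons."""
    return {e["name"]: suspicious(e) for e in parse_o4(log) if suspicious(e)}

if __name__ == "__main__":
    for name, why in triage(SAMPLE_LOG).items():
        print(f"[{name}] -> {'; '.join(why)}")
```

The "directly in the Windows directory" rule is a triage hint, not a verdict: the same log has legitimate entries such as LTSMMSG.exe in C:\WINDOWS, so each hit still needs a lookup like the Trend Micro page LucF cites.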
 
LVL 32

Expert Comment

by:LucF
ID: 11818028
0
 

Author Comment

by:ericpc
ID: 11818928
Hi Lucf,

      Problem fixed, you are the real champion, thanks heaps.
      I just don't understand why those sick people develop this kind of trouble.

Yours EC
0
 
LVL 32

Expert Comment

by:LucF
ID: 11822128
Glad to help :)

>>I just don't understand why those sick people develop this kind of trouble.<<
Neither do I, but this one was made by someone that hates the creator of the bagle worm. You can't find a better removal tool for the bagle worm than the Netsky worm :o)

Take care,

LucF
0
