ericpc

Junk files duplicate themselves after being deleted

Hi all,
I've got a weird problem with my Windows XP laptop. I found a lot of junk files in the c:\windows\download installation\ directory, stuff like birtney.exe or porn.exe. After I searched for the file names I found 7 other directories containing the same content. So I deleted all of them from each directory, but in just this one directory, c:\windows\pchealth\, the files come back again immediately after I delete them, which drives me crazy. Any idea?

Thanks heaps
Yours Eric
parkerig

Hi,
Best guess is you have a virus or some malware.
There are many posts on this.

Here is just one of them.

https://www.experts-exchange.com/questions/20901427/strun-exe-spyware-virus-trojan.html?query=virus+spyware&topics=174

Cheers
Ian
Luc Franken

Hi ericpc,

Could also be very likely a virus that spreads through a file sharing network or tries to spread through shared folders.
Do an online virus scan like http://housecall.antivirus.com

Greetings,

LucF
jimwasson

Sounds like the system restore may be restoring these files after you delete them. Try turning off System Restore and then finding and deleting all those files again. Then you can turn System Restore back on again. Turning System Restore off will remove the old restore points that will have included these files.

"...the file will come back again immediately after I delete them..." -- I didn't catch the immediately in there. Sounds more like a Windows File Protection deal or, as parkerig and LucF said, a hijacker or virus. By all means do the scanning and cleaning of anything that's found -- but turn off System Restore first to be sure.

It looks like adware... Just remove those clients using Ad-Aware software...

Download it and run it...

http://www.addaware.com

Cyber

Wait... there is even better software:
http://www.webattack.com/get/adaware.html

Get this one...

Cyber
ericpc

ASKER

I tried Ad-Aware and Spybot, no luck.
When I say "...the file will come back again immediately after I delete them..." it means when I am deleting them in one folder you can actually see them create themselves again in the same folder.

Hi,
I have had a similar problem and the EE replies I got are on the following URL

https://www.experts-exchange.com/questions/21067201/Disable-File-Restore-Files-Keep-Restoring-Auto-Restore-Windows-2000.html

Cheers
Ian
ericpc

ASKER

Things are getting worse, guys.
All the junk files are coming back again, to the eight different directories.
Most of the files are stuff like "britney spears blow job.jpg.exe", "harry_potter.exe".
There is one directory that looks pretty weird, "windows\PCHEALTH\Upload\",
it has all the junk files and also contains two folders, "Binaries" and "Config". Inside "Binaries" it has all the junk files again. The interesting thing is, after I delete all the files in "Binaries", it creates a file called "uploadm.exe".

I disabled System Restore, and I ran a Norton Antivirus 2004 full system scan, which doesn't find anything.
Help please

EC

I see a lot of viruses etc. using those kinds of names; it looks like your computer has been compromised by a trojan not yet detected by the antivirus programs.

So what I suggest you to do, get yourself Hijackthis:
http://aumha.org/downloads/hijackthis.exe 
Put it in its own folder, not on the desktop or any temporary folder, something like "c:\hjt\hijackthis.exe" will do fine.
Run it, accept the first warning message (read it though so you know what hijackthis does)
Click "Scan" and then "Save log"
Post all the contents of the logfile here, including the headers etc. (if you're on a domain please edit out the domain name)

LucF

If possible, boot from an antivirus CD or floppy and do a virus check from there.

Then boot into safemode
( run msconfig and choose boot tab and safemode ) or F8 on startup

Let us know how that goes

Ian

Oops forgot to say do another virus check and spyware check - in safe mode

Ian

Another post on various options

https://www.experts-exchange.com/questions/20995679/Recurring-virus-XP-pro.html?

MAKE SURE IF YOU ARE ON A NETWORK YOU DISCONNECT.
You may be being "infected" by another machine (internet or LAN or WAN etc.)

Ian
ericpc

ASKER

Here is the logfile guys

Logfile of HijackThis v1.98.2
Scan saved at 4:55:35 PM, on 17/08/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\atiptaxx.exe
C:\WINDOWS\LTSMMSG.exe
C:\WINDOWS\System32\yacpower.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
C:\Program Files\Drag'n Drop CD\BinFiles\DragDrop.exe
C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
C:\program files\Telstra\Signup\tbpt.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\FVProtect.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Nikon\NkView4\NkVwMon.exe
C:\Program Files\FotoStation Easy\FotoStation Easy AutoLaunch.exe
C:\Program Files\Microsoft Home Publishing\MHPRMIND.EXE
C:\hjt\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ninemsn.com.au/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [YAMAHA AC-XG Power Utility] yacpower.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [IndicatorUtility] C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
O4 - HKLM\..\Run: [Drag'n Drop CD] C:\Program Files\Drag'n Drop CD\BinFiles\DragDrop.exe /StartUp
O4 - HKLM\..\Run: [LoadFujitsuQuickTouch] C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
O4 - HKLM\..\Run: [LoadBtnHnd] C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
O4 - HKLM\..\Run: [{F7D90BD2-14A9-11d3-AD9E-00AA0064EC94}] C:\program files\Telstra\Signup\tbpt.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [Norton Antivirus AV] C:\WINDOWS\FVProtect.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] ???????\WkDetect.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: Microsoft Greetings Reminders.lnk = C:\Program Files\Microsoft Home Publishing\MHPRMIND.EXE
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Startup: Norton Disk Doctor.LNK = C:\Program Files\Norton SystemWorks\Norton Utilities\NDD32.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: NkVwMon.exe.lnk = C:\Program Files\Nikon\NkView4\NkVwMon.exe
O4 - Global Startup: FotoStation Easy AutoLaunch.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Telstra Usage Meter - {D4D7BC9D-5707-4494-B2F6-B362DB158664} - C:\Program Files\Telstra Usage Meter\UsgeMetr.htm
O9 - Extra 'Tools' menuitem: Telstra Usage Meter - {D4D7BC9D-5707-4494-B2F6-B362DB158664} - C:\Program Files\Telstra Usage Meter\UsgeMetr.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20020124/qtinstall.info.apple.com/qt505/uk/win/QuickTimeInstaller.exe
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = mbau.mercedes-benz.com,vic.bigpond.net.au
O17 - HKLM\System\CS1\Services\VxD\MSTCP: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = mbau.mercedes-benz.com,vic.bigpond.net.au
O17 - HKLM\System\CS2\Services\VxD\MSTCP: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = mbau.mercedes-benz.com,vic.bigpond.net.au

ASKER CERTIFIED SOLUTION
Luc Franken
This solution is only available to members.
ericpc

ASKER

Hi Lucf,

Problem fixed, you are the real champion, thanks heaps.
I just don't understand why those sick people develop this kind of trouble.

Yours EC

Glad to help :)

>>I just don't understand why those sick people develop this kind of trouble.<<
Neither do I, but this one was made by someone that hates the creator of the Bagle worm. You can't find a better removal tool for the Bagle worm than the Netsky worm :o)

Take care,

LucF
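
An added example, not part of the thread and not HijackThis's own code: a small Python triage over the O4 (autostart) lines of a HijackThis log like the one ericpc posted, flagging entries for manual review. The sample lines are copied from that log; the keyword list, the Program Files rule and the function names are assumptions made for this example, and a flag is a prompt to check the file, not a verdict.

```python
import re

# A few O4 (autostart) lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Norton Antivirus AV] C:\WINDOWS\FVProtect.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] ???????\WkDetect.exe
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Global Startup: FotoStation Easy AutoLaunch.lnk = ?
"""

RUN_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(Run\w*): \[(.*?)\] (.*)$")
STARTUP_RE = re.compile(r"^O4 - ((?:Global )?Startup): (.*?)(?: = (.*))?$")
# Hypothetical vendor keywords and install root, chosen for this example.
SECURITY_WORDS = ("norton", "symantec", "antivirus", "mcafee")
VENDOR_ROOT = "c:\\program files\\"

def parse_o4(log):
    """Yield (location, name, target) for every O4 autostart line."""
    for line in log.splitlines():
        line = line.strip()
        m = RUN_RE.match(line)
        if m:
            yield f"{m.group(1)} {m.group(2)}", m.group(3), m.group(4).strip()
            continue
        m = STARTUP_RE.match(line)
        if m:
            yield m.group(1), m.group(2), (m.group(3) or "").strip()

def review_reasons(location, name, target):
    """Return triage reasons; an empty list means nothing stood out."""
    reasons = []
    path = target.strip('"').lower()
    if "?" in target:
        reasons.append("target path could not be resolved")
    elif any(w in name.lower() for w in SECURITY_WORDS) and not path.startswith(VENDOR_ROOT):
        reasons.append("security-product name but image is outside Program Files")
    if "Startup" in location and not target and name.lower().endswith(".exe"):
        reasons.append("bare executable placed in a Startup folder")
    return reasons

def triage(log):
    """Map each flagged autostart entry name to its list of reasons."""
    found = ((n, review_reasons(l, n, t)) for l, n, t in parse_o4(log))
    return {name: reasons for name, reasons in found if reasons}

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_LOG).items():
        print(f"{name}: {'; '.join(reasons)}")
```
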