Deleted files re-appear

Discussion in 'Malware Help (A Specialist Will Reply)' started by zippyshipping, Nov 21, 2006.

  1. zippyshipping

    zippyshipping Private E-2

    Kaspersky keeps finding 3 files over and over. It takes care of them but after re-boot they come back. I have downloaded Unlocker. I can rename, move and delete them all. But they all return on boot. I have also tried in safe mode to no avail. I know where the virus came from and deleted the program but it left these things and possibly more behind. I have run all of the scans probably 3 or 4 times each. I even turned off system restore and did the removals but they still return. Maybe I did the restore thing wrong??? We previously had McAfee but there were so many notifications constantly we just deleted it and installed Kaspersky. How can we remove this thing? Should I post a Hijack log?
    Thank you so much.
     


  2. zippyshipping

    zippyshipping Private E-2

    Okay, I figured it couldn't hurt so I attached the Hijack (analyse) log.
    Thanks again!
     


  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You need to install HijackThis where we requested. You have it here:

    C:\Documents and Settings\Owner.Zippyshipping\My Documents\My Music\analyse.exe.exe

    That is exactly where we specify not to install it.

    You also need to run the Bitdefender and PandaActiveScan online scans and attach the logs as requested in step 6A.

    You also did not follow the directions in step 2 of the READ ME. You need to do this NOW!
     
    Last edited: Nov 22, 2006
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    After completing what was in message # 3 continue with the below!

    Start by downloading a tool we will need - Pocket KillBox

    Extract it to its own folder somewhere that you will be able to locate it later.

    Please run HijackThis and click on the Open the Misc Tools Section button on the open page. Then select Open process manager on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click Kill process. Then click yes.

    C:\WINDOWS\system32\e0pnii5i6.exe

    After killing all the above processes, click Back.
    Then please click Scan and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O2 - BHO: (no name) - {2D8D855E-A5FF-45C0-98AF-57A23A102CAB} - (no file)
    O2 - BHO: (no name) - {5611DD9C-763A-43D2-9602-B8261A6FA048} - (no file)
    O2 - BHO: (no name) - {5FF8DA69-0B33-4952-881A-499BC8A3B1B1} - (no file)
    O2 - BHO: (no name) - {81A4D3A3-B601-4A50-8D83-379FAED7277F} - \
    O2 - BHO: (no name) - {A16AC1F4-BCA7-4401-B5F5-22240F78E776} - (no file)
    O2 - BHO: (no name) - {B9BA56FD-D7F8-4FF8-9629-68023DC0CB69} - (no file)
    O2 - BHO: (no name) - {EE925E18-6D8D-4C5D-910A-EEB60139D149} - (no file)
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ezRaH] C:\WINDOWS\system32\e0pnii5i6.exe
    O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

    What is the below Clipboard program???? If you don't know, then fix it too!
    O4 - HKCU\..\Run: [clipboard.exe] C:\WINDOWS\system32\clipboard.exe

    O18 - Protocol: bw+0 - {8D4DA4B6-D484-46FA-8B92-73F0E0F00746} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw+0s - {8D4DA4B6-D484-46FA-8B92-73F0E0F00746} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw-0 - {8D4DA4B6-D484-46FA-8B92-73F0E0F00746} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw-0s - {8D4DA4B6-D484-46FA-8B92-73F0E0F00746} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw00 - {8D4DA4B6-D484-46FA-8B92-73F0E0F00746} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw00s - {8D4DA4B6-D484-46FA-8B92-73F0E0F00746} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw10 - {8D4DA4B6-D484-46FA-8B92-73F0E0F00746} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw10s - {8D4DA4B6-D484-46FA-8B92-73F0E0F00746} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw20 - {8D4DA4B6-D484-46FA-8B92-73F0E0F00746} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw20s - {8D4DA4B6-D484-46FA-8B92-73F0E0F00746} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw30 - {8D4DA4B6-D484-46FA-8B92-73F0E0F00746} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw30s - {8D4DA4B6-D484-46FA-8B92-73F0E0F00746} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw40 - {8D4DA4B6-D484-46FA-8B92-73F0E0F00746} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw40s - {8D4DA4B6-D484-46FA-8B92-73F0E0F00746} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw50 - {8D4DA4B6-D484-46FA-8B92-73F0E0F00746} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw50s - {8D4DA4B6-D484-46FA-8B92-73F0E0F00746} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw60 - {8D4DA4B6-D484-46FA-8B92-73F0E0F00746} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw60s - {8D4DA4B6-D484-46FA-8B92-73F0E0F00746} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw70 - {8D4DA4B6-D484-46FA-8B92-73F0E0F00746} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw70s - {8D4DA4B6-D484-46FA-8B92-73F0E0F00746} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw80 - {8D4DA4B6-D484-46FA-8B92-73F0E0F00746} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw80s - {8D4DA4B6-D484-46FA-8B92-73F0E0F00746} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw90 - {8D4DA4B6-D484-46FA-8B92-73F0E0F00746} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw90s - {8D4DA4B6-D484-46FA-8B92-73F0E0F00746} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwa0 - {8D4DA4B6-D484-46FA-8B92-73F0E0F00746} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwa0s - {8D4DA4B6-D484-46FA-8B92-73F0E0F00746} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwb0 - {8D4DA4B6-D484-46FA-8B92-73F0E0F00746} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwb0s - {8D4DA4B6-D484-46FA-8B92-73F0E0F00746} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwc0 - {8D4DA4B6-D484-46FA-8B92-73F0E0F00746} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwc0s - {8D4DA4B6-D484-46FA-8B92-73F0E0F00746} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwd0 - {8D4DA4B6-D484-46FA-8B92-73F0E0F00746} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwd0s - {8D4DA4B6-D484-46FA-8B92-73F0E0F00746} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwe0 - {8D4DA4B6-D484-46FA-8B92-73F0E0F00746} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwe0s - {8D4DA4B6-D484-46FA-8B92-73F0E0F00746} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwf0 - {8D4DA4B6-D484-46FA-8B92-73F0E0F00746} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwf0s - {8D4DA4B6-D484-46FA-8B92-73F0E0F00746} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
    O18 - Protocol: bwg0 - {8D4DA4B6-D484-46FA-8B92-73F0E0F00746} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwg0s - {8D4DA4B6-D484-46FA-8B92-73F0E0F00746} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwh0 - {8D4DA4B6-D484-46FA-8B92-73F0E0F00746} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwh0s - {8D4DA4B6-D484-46FA-8B92-73F0E0F00746} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwi0 - {8D4DA4B6-D484-46FA-8B92-73F0E0F00746} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwi0s - {8D4DA4B6-D484-46FA-8B92-73F0E0F00746} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwj0 - {8D4DA4B6-D484-46FA-8B92-73F0E0F00746} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwj0s - {8D4DA4B6-D484-46FA-8B92-73F0E0F00746} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwk0 - {8D4DA4B6-D484-46FA-8B92-73F0E0F00746} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwk0s - {8D4DA4B6-D484-46FA-8B92-73F0E0F00746} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwl0 - {8D4DA4B6-D484-46FA-8B92-73F0E0F00746} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwl0s - {8D4DA4B6-D484-46FA-8B92-73F0E0F00746} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwm0 - {8D4DA4B6-D484-46FA-8B92-73F0E0F00746} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwm0s - {8D4DA4B6-D484-46FA-8B92-73F0E0F00746} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwn0 - {8D4DA4B6-D484-46FA-8B92-73F0E0F00746} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwn0s - {8D4DA4B6-D484-46FA-8B92-73F0E0F00746} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwo0 - {8D4DA4B6-D484-46FA-8B92-73F0E0F00746} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwo0s - {8D4DA4B6-D484-46FA-8B92-73F0E0F00746} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwp0 - {8D4DA4B6-D484-46FA-8B92-73F0E0F00746} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwp0s - {8D4DA4B6-D484-46FA-8B92-73F0E0F00746} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwq0 - {8D4DA4B6-D484-46FA-8B92-73F0E0F00746} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwq0s - {8D4DA4B6-D484-46FA-8B92-73F0E0F00746} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwr0 - {8D4DA4B6-D484-46FA-8B92-73F0E0F00746} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwr0s - {8D4DA4B6-D484-46FA-8B92-73F0E0F00746} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bws0 - {8D4DA4B6-D484-46FA-8B92-73F0E0F00746} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bws0s - {8D4DA4B6-D484-46FA-8B92-73F0E0F00746} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwt0 - {8D4DA4B6-D484-46FA-8B92-73F0E0F00746} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwt0s - {8D4DA4B6-D484-46FA-8B92-73F0E0F00746} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwu0 - {8D4DA4B6-D484-46FA-8B92-73F0E0F00746} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwu0s - {8D4DA4B6-D484-46FA-8B92-73F0E0F00746} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwv0 - {8D4DA4B6-D484-46FA-8B92-73F0E0F00746} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwv0s - {8D4DA4B6-D484-46FA-8B92-73F0E0F00746} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bww0 - {8D4DA4B6-D484-46FA-8B92-73F0E0F00746} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bww0s - {8D4DA4B6-D484-46FA-8B92-73F0E0F00746} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwx0 - {8D4DA4B6-D484-46FA-8B92-73F0E0F00746} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwx0s - {8D4DA4B6-D484-46FA-8B92-73F0E0F00746} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwy0 - {8D4DA4B6-D484-46FA-8B92-73F0E0F00746} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwy0s - {8D4DA4B6-D484-46FA-8B92-73F0E0F00746} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwz0 - {8D4DA4B6-D484-46FA-8B92-73F0E0F00746} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwz0s - {8D4DA4B6-D484-46FA-8B92-73F0E0F00746} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: offline-8876480 - {8D4DA4B6-D484-46FA-8B92-73F0E0F00746} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    After clicking Fix, exit HJT.

    Now run Pocket Killbox by double-clicking on killbox.exe
    Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\system32nrnqetwbz.exe
    C:\WINDOWS\system32hlvi6wkjc.exe
    C:\WINDOWS\system32ysjaevwx.exe
    C:\WINDOWS\system32\e0pnii5i6.exe
    C:\WINDOWS\system32\Installer.exe
    C:\WINDOWS\system32\nrnqetwbz.exe
    C:\WINDOWS\system32\w05053d7.dll
    C:\WINDOWS\system32\w0506bb5.dll
    C:\WINDOWS\system32\w050c425.dll
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.
    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).

    If Killbox does not reboot just reboot your PC yourself.

    Also delete all files in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    C:\WINDOWS\Temp
    C:\Documents and Settings\Owner.Zippyshipping\Local Settings\Temp

    Now uninstall the below software:
    J2SE Runtime Environment 5.0 Update 2
    Viewpoint Media Player <---should have been uninstalled in step 0 of the READ ME

    Now install the current version of Sun Java from: Sun Java Runtime Environment

    Now attach the below new logs and tell me how the above steps went.

    1. GetRunKey
    2. ShowNew
    3. HJT
    Make sure you tell me how things are working now!

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable system restore per step 1 of the READ & RUN ME. This only applies to if using WinXP or WinMe.
     
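As an added illustration (not code from this thread, from HijackThis or from MajorGeeks), the Python below parses HijackThis-style log lines like the ones quoted in the post above and sorts them into the three things chaslang acted on: BHO entries whose CLSID resolves to no file, Run entries that launch a bare executable out of system32, and O18 protocol handlers collapsed by the DLL they load. The sample lines are constructed from the log above; the random-name heuristic is my assumption, not a HijackThis rule.

```python
import re
from collections import defaultdict

# Constructed sample: lines copied from the HijackThis log quoted in the post
# above, plus the QuickTime entry as a benign Run value for contrast.
SAMPLE_LOG = [
    "O2 - BHO: (no name) - {2D8D855E-A5FF-45C0-98AF-57A23A102CAB} - (no file)",
    "O2 - BHO: (no name) - {81A4D3A3-B601-4A50-8D83-379FAED7277F} - \\",
    "O4 - HKLM\\..\\Run: [QuickTime Task] \"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime",
    "O4 - HKLM\\..\\Run: [ezRaH] C:\\WINDOWS\\system32\\e0pnii5i6.exe",
    "O4 - HKCU\\..\\Run: [clipboard.exe] C:\\WINDOWS\\system32\\clipboard.exe",
    "O18 - Protocol: bw+0 - {8D4DA4B6-D484-46FA-8B92-73F0E0F00746} - C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\BWPlugProtocol-8876480.dll",
    "O18 - Protocol: bw+0s - {8D4DA4B6-D484-46FA-8B92-73F0E0F00746} - C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\BWPlugProtocol-8876480.dll",
    "O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\GAPlugProtocol-8876480.dll",
]

LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
O2_RE = re.compile(r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<file>.*)$")
O4_RE = re.compile(r"^HK(?P<hive>LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O18_RE = re.compile(r"^Protocol: (?P<proto>\S+) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<file>.*)$")


def executable_of(cmd):
    """Return the program path from a Run value, with or without quotes and arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def looks_random(stem):
    """Assumed heuristic (not a HijackThis rule): letters and digits mixed in one
    name, as in e0pnii5i6 or w05053d7, is typical of generated names."""
    return (len(stem) >= 6 and any(c.isdigit() for c in stem)
            and any(c.isalpha() for c in stem))


def triage(lines):
    """Group HJT lines into the findings a helper would act on."""
    findings = {"orphan_bho": [], "run_review": [], "protocols": defaultdict(list)}
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        if sec == "O2":
            b = O2_RE.match(body)
            # A BHO CLSID that resolves to no file (or a bare '\') is a leftover
            # registration: it loads nothing, but it is still cleaned up.
            if b and b.group("file").strip() in ("(no file)", "\\", ""):
                findings["orphan_bho"].append(b.group("clsid"))
        elif sec == "O4":
            r = O4_RE.match(body)
            if r:
                exe = executable_of(r.group("cmd"))
                stem = exe.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
                # A Run value launching a bare executable straight out of
                # system32 is worth a look; a random-looking name raises it.
                if "\\system32\\" in exe.lower():
                    level = "high" if looks_random(stem) else "review"
                    findings["run_review"].append((level, r.group("name"), exe))
        elif sec == "O18":
            p = O18_RE.match(body)
            if p:  # many protocol names mapped onto one DLL collapse to one row
                findings["protocols"][(p.group("clsid"), p.group("file"))].append(p.group("proto"))
    findings["protocols"] = dict(findings["protocols"])
    return findings
```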
  5. zippyshipping

    zippyshipping Private E-2

    Thanks for the reply! I will go back and do as you have suggested. I'll post the logs as soon as I am done. I do want to thank you sincerely for giving your time to help others. It is MUCH appreciated!

    Mike
     
  6. zippyshipping

    zippyshipping Private E-2

    For some reason I could not get BitDefender to run. I finally got Panda to run after a few attempts but it locked up about half way through. We do not use IE so it may be my inexperience with it. Anyway here is the Panda report attached of what it did find.
     


  7. zippyshipping

    zippyshipping Private E-2

    OK, I have attached the new reports.
    Thanks again,
    Mike
     


  8. zippyshipping

    zippyshipping Private E-2

    C:\WINDOWS\system32hlvi6wkjc.exe
    C:\WINDOWS\system32ysjaevwx.exe
    Are the ones Kaspersky kept finding but could not delete.

    C:\WINDOWS\system32nrnqetwbz.exe Kept showing up in a box on shut down..

    What we are trying to fix is on our laptop. I am on the desktop right now. I'll see how it's running tomorrow and post back.

    You are awesome . How did you know from those files that those were the ones that were causing problems?
    I guess there were more that Kaspersky did not catch since you caught them and grouped them with the ones I KNEW were bad?
    Mike
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Experience is a great thing! ;)

    You missed one item. Fix the below with HJT to avoid having it clutter up your HJT log and your registry again:

    O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

    You also need to have Pocket Killbox delete the below two files which now showed up! They are similar names but this time notice the \ after system32
    C:\WINDOWS\system32\hlvi6wkjc.exe
    C:\WINDOWS\system32\ysjaevwx.exe

    Then reboot and attach a new log from ShowNew and tell me how things are working.
     
    Last edited: Nov 23, 2006
  10. zippyshipping

    zippyshipping Private E-2

    Hello and Happy Thanksgiving. I hope all is well.
    I seem to be running normal again. I have attached new files.
    About the Killbox file, can I delete the files stored inside that? All of the spyware/virus/malware files we have deleted are stored in that folder. Do I just leave it alone or can I get rid of it altogether?

    Thank you so much, again!

    Mike
     


  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome! Your logs are clean! However before we get to our final steps, I need to ask about CounterSpy. Is CounterSpy the free trial version? If yes, uninstall it and keep Windows Defender. If CounterSpy is a paid version then keep it and uninstall Windows Defender.

    If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
    3. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    4. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created.
    7. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    8. After doing the above, you should work through the below link:
     
  12. zippyshipping

    zippyshipping Private E-2

    We seem to be free of all virus/malware. Thank you so much for your help!!!
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome! Surf safely!
     
