TechSpot

File called Program showing up on C drive.

By mlww2
Mar 30, 2007
  1. I recently started having issues with a file called Program on the C:\ under the hidden files. I delete this file and the problems go away but the next day the file is back. I have posted the HijackThis log.

    Any help Howard?
     


  2. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Hello and welcome to Techspot.

    You're running an outdated version of HijackThis.

    Very Important: Before deciding whether you should clean or reformat your system, go and read this thread HERE and decide what it is you want to do.

    If after reading the above, you wish to clean your system, do the following.

    Go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.

    Post fresh HJT, AVG Antispyware and Combofix logs as attachments into this thread, only after doing the above.

    Also, let me know the results of the AVG Antirootkit scan.

    Regards Howard :wave: :wave:

    This thread is for the use of mlww2 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  3. mlww2

    mlww2 TS Rookie Topic Starter

    I have run the AVG Antirootkit and found no issues. I have run the updated hjk and added the log. I also included the combofix log as well. I noticed that it really became slow on the PC after running the combofix.

    Let me know what steps I should take next.

    Thanks!!
     
  4. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Your system is still heavily infected.

    You haven't posted an AVG Antispyware log, please do so in your next reply.

    Also, you haven't renamed HijackThis_v2.exe as per the instructions. Please do so and post a fresh HJT log in your next reply.

    Regards Howard :)

     
  5. mlww2

    mlww2 TS Rookie Topic Starter

    Hi Howard,

    I have renamed the Hijackthis to Analyzethis and provided the latest log. I also have included the AVG Antispyware report. You helped me out with the Spysheriff program a month or so ago. I thank you again for the help you provide on this forum.

    Thanks
     
  6. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    All the entries in your AVG Antispyware log say "no Action taken", this is because you didn't tell AVG Antispyware to quarantine the results. See HERE for instructions.

    Download the Pocket Killbox programme from HERE. Extract it but don't run it yet.

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for (if there).

    wnscpiit.exe
    Narrator.exe
    xpupdate.exe
    qioiym.exe

    Close task manager.

    Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there).

    O2 - BHO: (no name) - {3AC748A6-A43F-FAB3-1975-DE581D71F7EF} - C:\WINDOWS\system32\fmauja.dll (file missing)

    O2 - BHO: (no name) - {66E2A914-4182-1E0C-F24E-6DE336E0FFBE} - C:\WINDOWS\system32\ayojvegd.dll

    O2 - BHO: (no name) - {91387C4D-9B83-CF0A-F3DB-B4DEB5BA0AB3} - C:\WINDOWS\system32\hcrm.dll (file missing)

    O4 - HKUS\S-1-5-19\..\Run: [mwaba] C:\WINDOWS\system32\qioiym.exe reg_run (User 'LOCAL SERVICE')

    O4 - HKUS\S-1-5-19\..\Run: [Windows update loader] C:\Windows\xpupdate.exe (User 'LOCAL SERVICE')

    O4 - HKUS\S-1-5-19\..\Run: [Key] C:\DOCUME~1\LOCALS~1\LOCALS~1\Temp\15.tmp (User 'LOCAL SERVICE')

    O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')

    O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files and/or directories (if there).

    C:\WINDOWS\system32\wnscpiit.exe
    C:\DOCUME~1\LOCALS~1\LOCALS~1\Temp\15.tmp
    C:\Windows\xpupdate.exe
    C:\WINDOWS\system32\qioiym.exe

    Narrator.exe <-- Search your system for this file, but don't delete it. Instead, let me know exactly where it was found.

    Run the killbox.exe file. When it loads, type the full path to the file you would like to delete in the field and check the delete file on reboot button. Press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot, select no until you have finished inputting the files you want to delete, only then allow it to reboot and hopefully your files will now be deleted. If your computer doesn't automatically restart, restart it manually.

    This is the filepath you need to enter into killbox.

    C:\WINDOWS\system32\ayojvegd.dll

    Once your system has rebooted, rehide your protected OS files.

    Run the Ccleaner programme as per step9 of the instructions HERE.

    Post a fresh HJT log as well as another AVG Antispyware log.

    Regards Howard :)

     
  7. mlww2

    mlww2 TS Rookie Topic Starter

    Ok I have run the directions provided by you Howard and have again provided new reports from AVG antispy and HJK 2.0. For some reason I can delete this file called "Program" and the problems will go away for about a day. But it's short-lived as it always seems to come back.

    I also found Narrator.exe in the following locations....

    C:\Windows\System32
    C:\Windows\Servicepackfiles\i386
     
  8. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Delete all files in AVG Antispyware quarantine.

    1. Please download The Avenger by Swandog46 from HERE. Save it to your Desktop and extract it.

    2. Download the attached avengerscript.txt and save it to your desktop.

    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

    3. Now, start The Avenger program by double clicking on its icon on your desktop.

    Under "Script file to execute" choose "Load script from file".
    Now click on the folder icon, which will open a new window titled "open Script File".
    Navigate to the file you have just downloaded, click on it and press open.
    Now click on the Green Light to begin execution of the script.
    Answer "Yes" twice when prompted.

    4. The Avenger will automatically do the following:

    It will Restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
    On reboot, it will briefly open a black command window on your desktop, this is normal.
    After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
    The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

    5. Please attach the content of c:\avenger.txt into your reply, as well as a fresh HJT log.

    Regards Howard :)

     
  9. mlww2

    mlww2 TS Rookie Topic Starter

    I have run the Avenger program but it failed to delete the files. I have included the latest HJK and avenger.txt
     
  10. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Ok, let's try this then.

    Download the Pocket Killbox programme from HERE. Extract it but don't run it yet.

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for (if there).

    xpupdate.exe
    qioiym.exe
    qioiym.exe reg_run

    Close task manager.

    Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there).

    O2 - BHO: (no name) - {64E7A013-1D83-1F09-F04E-6DE336E0FCBC} - C:\WINDOWS\system32\kriue.dll

    O4 - HKUS\S-1-5-19\..\Run: [mwaba] C:\WINDOWS\system32\qioiym.exe reg_run (User 'LOCAL SERVICE')

    O4 - HKUS\S-1-5-19\..\Run: [Windows update loader] C:\Windows\xpupdate.exe (User 'LOCAL SERVICE')

    O4 - HKUS\S-1-5-19\..\Run: [Key] C:\DOCUME~1\LOCALS~1\LOCALS~1\Temp\15.tmp (User 'LOCAL SERVICE')

    Click on the fix checked button.

    Close HJT.

    Run the killbox.exe file. When it loads, type the full path to the file you would like to delete in the field and check the delete file on reboot button. Press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot, select no until you have finished inputting the files you want to delete, only then allow it to reboot and hopefully your files will now be deleted. If your computer doesn't automatically restart, restart it manually.

    These are the filepaths you need to enter into killbox.

    C:\DOCUME~1\LOCALS~1\LOCALS~1\Temp\15.tmp (User 'LOCAL SERVICE')
    C:\DOCUME~1\LOCALS~1\LOCALS~1\Temp\15.tmp
    C:\Windows\xpupdate.exe
    C:\Windows\xpupdate.exe (User 'LOCAL SERVICE')
    C:\WINDOWS\system32\qioiym.exe reg_run (User 'LOCAL SERVICE')
    C:\WINDOWS\system32\qioiym.exe reg_run
    C:\WINDOWS\system32\qioiym.exe
    C:\WINDOWS\system32\kriue.dll

    Once your system has rebooted, rehide your protected OS files.

    Post a fresh HJT log.

    Regards Howard :)

     
  11. mlww2

    mlww2 TS Rookie Topic Starter

    Hi Howard,

    I have restarted into safe mode and ran the HJT, but these are not listed within the log to fix.

    O2 - BHO: (no name) - {64E7A013-1D83-1F09-F04E-6DE336E0FCBC} - C:\WINDOWS\system32\kriue.dll

    O4 - HKUS\S-1-5-19\..\Run: [mwaba] C:\WINDOWS\system32\qioiym.exe reg_run (User 'LOCAL SERVICE')

    O4 - HKUS\S-1-5-19\..\Run: [Windows update loader] C:\Windows\xpupdate.exe (User 'LOCAL SERVICE')

    O4 - HKUS\S-1-5-19\..\Run: [Key] C:\DOCUME~1\LOCALS~1\LOCALS~1\Temp\15.tmp (User 'LOCAL SERVICE')

    I then ran the killbox program as per your instructions and copied and pasted the file paths you provided. But it seems to not delete the files; I am getting a message back after the countdown. I have provided the killbox log to show what message I am getting. I also ran another HJT; you can see that the same processes above are still running.

    Perhaps I am not running the killbox properly?
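
Added example, not part of the original thread: the HijackThis O2 and O4 lines quoted in the posts above pack a registry key, a value name, a command line and a `(User '...')` annotation into one string. This Python parser splits them into fields so the on-disk file path is separated from arguments such as `reg_run`; the function names and the extension list are assumptions of the example, and the sample input is copied from lines quoted in the thread.

```python
import re

# Sample input: HijackThis lines as quoted in the posts above.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {66E2A914-4182-1E0C-F24E-6DE336E0FFBE} - C:\WINDOWS\system32\ayojvegd.dll
O2 - BHO: (no name) - {3AC748A6-A43F-FAB3-1975-DE581D71F7EF} - C:\WINDOWS\system32\fmauja.dll (file missing)
O4 - HKUS\S-1-5-19\..\Run: [mwaba] C:\WINDOWS\system32\qioiym.exe reg_run (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [Key] C:\DOCUME~1\LOCALS~1\LOCALS~1\Temp\15.tmp (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<rest>.+)$")
O4_RE = re.compile(r"^O4 - (?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<rest>.+)$")
USER_RE = re.compile(r"\s*\(User '(?P<user>[^']*)'\)$")
MISSING_RE = re.compile(r"\s*\(file missing\)$")
# Assumption: the path ends at the first listed extension; the remainder is arguments.
PATH_RE = re.compile(r"^(?P<path>.+?\.(?:exe|dll|tmp|com|bat|scr|sys))(?:\s+(?P<args>.*))?$", re.I)

def parse_entry(line):
    """Return a dict of fields for one O2/O4 line, or None for any other line."""
    line = line.strip()
    m = O2_RE.match(line) or O4_RE.match(line)
    if not m:
        return None
    entry = {"section": line[:2], **m.groupdict()}
    rest = entry.pop("rest")
    um = USER_RE.search(rest)            # trailing "(User '...')" is a HijackThis annotation
    entry["user"] = um.group("user") if um else None
    if um:
        rest = rest[:um.start()]
    mm = MISSING_RE.search(rest)         # "(file missing)" is also an annotation, not path text
    entry["file_missing"] = bool(mm)
    if mm:
        rest = rest[:mm.start()]
    rest = rest.replace('"', "").strip()
    pm = PATH_RE.match(rest)
    entry["path"] = pm.group("path") if pm else rest
    entry["args"] = (pm.group("args") or "") if pm else ""
    # No directory component: the name is resolved through the search path at run time.
    entry["bare_name"] = "\\" not in entry["path"]
    return entry

def parse_log(text):
    return [e for e in map(parse_entry, text.splitlines()) if e]

if __name__ == "__main__":
    for e in parse_log(SAMPLE_LOG):
        print(e["section"], e["path"], "| args:", e["args"], "| user:", e["user"])
```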
     
  12. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Download the free Superantispyware programme. Install the programme and run the Updates.

    Run SUPERAntiSpyware and click on Preferences, click on the tab: Scanning Control, click to check-mark everything under: Scanner Options. Click "Close". Now, click on Scan your Computer.... Check-mark hard drive(s). Enable Perform Complete Scan. Click "Next." It may take a while to scan your entire computer.

    Post the Superantispyware log as well as a fresh HJT log.

    Regards Howard :)

     
  13. mlww2

    mlww2 TS Rookie Topic Starter

    Hi Howard,

    Thanks for the link to the Superspyware. I ran the program and placed what it found in the quarantine. It has resolved the main issue regarding the file called "Program" in the hidden files and folders. You have again helped when I might have just given up. As you requested I have provided the SuperSpyware scan and a new HJK scan. What would be the next steps you recommend?

    Thanks
     
  14. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Go HERE and follow the instructions for removing Bravesentry.

    Post a fresh HJT log after doing the above.

    Regards Howard :)

     
Topic Status:
Not open for further replies.
