File called Program showing up on C drive.

Status
Not open for further replies.

mlww2

Posts: 7   +0
I recently started having issues with a file called Program on the C:\ under the hidden files. I delete this file and the problems go away but the next day the file is back. I have posted the HijackThis log.

Any help Howard?
 

Hello and welcome to Techspot.

You're running an outdated version of HijackThis.

Very Important: Before deciding whether you should clean or reformat your system, go and read this thread HERE and decide what it is you want to do.

If after reading the above, you wish to clean your system, do the following.

Go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.

Post fresh HJT, AVG Antispyware and Combofix logs as attachments into this thread, only after doing the above.

Also, let me know the results of the AVG Antirootkit scan.

Regards Howard :wave: :wave:

This thread is for the use of mlww2 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
I have run the AVG Antirootkit and found no issues. I have run the updated HJT and added the log. I also included the Combofix log as well. I noticed that the PC really became slow after running Combofix.

Let me know what steps I should take next.

Thanks!!
 
Your system is still heavily infected.

You haven't posted an AVG Antispyware log, please do so in your next reply.

Also, you haven't renamed HijackThis_v2.exe as per the instructions. Please do so and post a fresh HJT log in your next reply.

Regards Howard :)

 
Hi Howard,

I have renamed the Hijackthis to Analyzethis and provided the latest log. I also have included the AVG Antispyware report. You helped me out with the Spysheriff program a month or so ago. I thank you again for the help you provide on this forum.

Thanks
 
All the entries in your AVG Antispyware log say "no Action taken"; this is because you didn't tell AVG Antispyware to quarantine the results. See HERE for instructions.

Download the Pocket Killbox programme from HERE. Extract it but don't run it yet.

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions more easily.

Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for (if there).

wnscpiit.exe
Narrator.exe
xpupdate.exe
qioiym.exe

Close task manager.

Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there).

O2 - BHO: (no name) - {3AC748A6-A43F-FAB3-1975-DE581D71F7EF} - C:\WINDOWS\system32\fmauja.dll (file missing)

O2 - BHO: (no name) - {66E2A914-4182-1E0C-F24E-6DE336E0FFBE} - C:\WINDOWS\system32\ayojvegd.dll

O2 - BHO: (no name) - {91387C4D-9B83-CF0A-F3DB-B4DEB5BA0AB3} - C:\WINDOWS\system32\hcrm.dll (file missing)

O4 - HKUS\S-1-5-19\..\Run: [mwaba] C:\WINDOWS\system32\qioiym.exe reg_run (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-19\..\Run: [Windows update loader] C:\Windows\xpupdate.exe (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-19\..\Run: [Key] C:\DOCUME~1\LOCALS~1\LOCALS~1\Temp\15.tmp (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')

Click on the fix checked button.

Close HJT.

Locate and delete the following bold files and/or directories (if there).

C:\WINDOWS\system32\wnscpiit.exe
C:\DOCUME~1\LOCALS~1\LOCALS~1\Temp\15.tmp
C:\Windows\xpupdate.exe
C:\WINDOWS\system32\qioiym.exe

Narrator.exe < Search your system for this file, but don't delete it. Instead, let me know exactly where it was found.

Run the killbox.exe file. When it loads, type the full path to the file you would like to delete in the field and check the delete file on reboot button. Press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot; select no until you have finished inputting the files you want to delete, only then allow it to reboot and hopefully your files will now be deleted. If your computer doesn't automatically restart, restart it manually.

This is the filepath you need to enter into killbox.

C:\WINDOWS\system32\ayojvegd.dll

Once your system has rebooted, rehide your protected OS files.

Run the Ccleaner programme as per step 9 of the instructions HERE.

Post a fresh HJT log as well as another AVG Antispyware log.

Regards Howard :)

 
Ok, I have run the directions provided by you, Howard, and have again provided new reports from AVG antispy and HJT 2.0. For some reason I can delete this file called "Program" and the problems will go away for about a day. But it's short-lived, as it always seems to come back.

I also found Narrator.exe in the following locations....

C:\Windows\System32
C:\Windows\Servicepackfiles\i386
 
Delete all files in AVG Antispyware quarantine.

1. Please download The Avenger by Swandog46 from HERE. Save it to your Desktop and extract it.

2. Download the attached avengerscript.txt and save it to your desktop

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by double clicking on its icon on your desktop.

Under "Script file to execute" choose "Load script from file".
Now click on the folder icon which will open a new window titled "open Script File"
navigate to the file you have just downloaded, click on it and press open
Now click on the Green Light to begin execution of the script
Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:

It will restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
On reboot, it will briefly open a black command window on your desktop, this is normal.
After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

5. Please attach the content of c:\avenger.txt into your reply, as well as a fresh HJT log.

Regards Howard :)

 
I have run the Avenger program but it failed to delete the files. I have included the latest HJT and avenger.txt.
 
Ok, let's try this then.

Download the Pocket Killbox programme from HERE. Extract it but don't run it yet.

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions more easily.

Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for (if there).

xpupdate.exe
qioiym.exe
qioiym.exe reg_run

Close task manager.

Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there).

O2 - BHO: (no name) - {64E7A013-1D83-1F09-F04E-6DE336E0FCBC} - C:\WINDOWS\system32\kriue.dll

O4 - HKUS\S-1-5-19\..\Run: [mwaba] C:\WINDOWS\system32\qioiym.exe reg_run (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-19\..\Run: [Windows update loader] C:\Windows\xpupdate.exe (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-19\..\Run: [Key] C:\DOCUME~1\LOCALS~1\LOCALS~1\Temp\15.tmp (User 'LOCAL SERVICE')

Click on the fix checked button.

Close HJT.

Run the killbox.exe file. When it loads, type the full path to the file you would like to delete in the field and check the delete file on reboot button. Press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot; select no until you have finished inputting the files you want to delete, only then allow it to reboot and hopefully your files will now be deleted. If your computer doesn't automatically restart, restart it manually.

These are the filepaths you need to enter into killbox.

C:\DOCUME~1\LOCALS~1\LOCALS~1\Temp\15.tmp (User 'LOCAL SERVICE')
C:\DOCUME~1\LOCALS~1\LOCALS~1\Temp\15.tmp
C:\Windows\xpupdate.exe
C:\Windows\xpupdate.exe (User 'LOCAL SERVICE')
C:\WINDOWS\system32\qioiym.exe reg_run (User 'LOCAL SERVICE')
C:\WINDOWS\system32\qioiym.exe reg_run
C:\WINDOWS\system32\qioiym.exe
C:\WINDOWS\system32\kriue.dll

Once your system has rebooted, rehide your protected OS files.

Post a fresh HJT log.

Regards Howard :)

 
Hi Howard,

I have restarted into safe mode and ran the HJT, but these are not listed within the log to fix.

O2 - BHO: (no name) - {64E7A013-1D83-1F09-F04E-6DE336E0FCBC} - C:\WINDOWS\system32\kriue.dll

O4 - HKUS\S-1-5-19\..\Run: [mwaba] C:\WINDOWS\system32\qioiym.exe reg_run (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-19\..\Run: [Windows update loader] C:\Windows\xpupdate.exe (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-19\..\Run: [Key] C:\DOCUME~1\LOCALS~1\LOCALS~1\Temp\15.tmp (User 'LOCAL SERVICE')

I then ran the Killbox program as per your instructions, copying and pasting the file paths you provided. But it seems to not delete the files; I am getting a message back after the countdown. I have provided the Killbox log to show what message I am getting. I also ran another HJT; you can see that the same processes above are still running.

Perhaps I am not running the Killbox properly?
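
The O2 and O4 entries quoted in the posts above follow HijackThis's line format: an autostart location, a name or CLSID, then the target, to which HijackThis appends its own annotations such as (User 'LOCAL SERVICE') or (file missing). As an added example that is not part of the original thread, this Python code parses those lines and separates the on-disk path from arguments and annotations; the function names and the triage rules are assumptions of the example, not HijackThis behaviour.

```python
import re
# Constructed sample: entries copied from the HijackThis lines quoted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {3AC748A6-A43F-FAB3-1975-DE581D71F7EF} - C:\WINDOWS\system32\fmauja.dll (file missing)
O2 - BHO: (no name) - {64E7A013-1D83-1F09-F04E-6DE336E0FCBC} - C:\WINDOWS\system32\kriue.dll
O4 - HKUS\S-1-5-19\..\Run: [mwaba] C:\WINDOWS\system32\qioiym.exe reg_run (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [Key] C:\DOCUME~1\LOCALS~1\LOCALS~1\Temp\15.tmp (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
"""
BHO = re.compile(r"^O2 - BHO: .*? - (\{[0-9A-Fa-f-]{36}\}) - (.+)$")
RUN = re.compile(r"^O4 - (HK\w+(?:\\[^\\]+)?)\\\.\.\\(\w+): \[([^\]]*)\] (.+)$")
NOTE = re.compile(r"\s*\((User '[^']*'|file missing)\)\s*$")  # HijackThis annotations
PATH = re.compile(r'^"?(.*?\.(?:exe|dll|tmp|com|scr|bat))"?(?:\s+(.*))?$', re.I)

def split_target(rest):
    """Separate the file path from its arguments and trailing annotations."""
    notes = []
    while (m := NOTE.search(rest)):
        notes.insert(0, m.group(1))
        rest = rest[:m.start()]
    m = PATH.match(rest)
    path, args = (m.group(1), m.group(2) or "") if m else (rest, "")
    return path, args, notes

def parse_line(line):
    """Return a dict for an O2/O4 entry, or None for any other line."""
    line = line.strip()
    if (m := BHO.match(line)):
        path, args, notes = split_target(m.group(2))
        return {"type": "BHO", "id": m.group(1), "path": path, "args": args, "notes": notes}
    if (m := RUN.match(line)):
        path, args, notes = split_target(m.group(4))
        return {"type": m.group(2), "hive": m.group(1), "id": m.group(3),
                "path": path, "args": args, "notes": notes}
    return None

def triage(entry):
    """Heuristic reasons to look closer (assumptions of this example, not a verdict)."""
    reasons = []
    if "file missing" in entry["notes"]:
        reasons.append("registry entry points at a missing file")
    if re.search(r"\\temp\\", entry["path"], re.I):
        reasons.append("autostart target lives in a Temp directory")
    if re.search(r"S-1-5-(18|19|20)$|\.DEFAULT$", entry.get("hive", "")):
        reasons.append("autostart key under a service/default account hive")
    return reasons

def parse_log(text):
    return [e for e in map(parse_line, text.splitlines()) if e]
```

Calling `parse_log(SAMPLE_LOG)` and then `triage()` on each entry gives the bare file path to search for on disk, with `reg_run` and the `(User ...)` suffix kept apart from it.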
 
Download the free Superantispyware programme. Install the programme and run the Updates.

Run SUPERAntiSpyware and click on Preferences, click on the tab: Scanning Control, click to check-mark everything under: Scanner Options. Click "Close". Now, click on Scan your Computer.... Check-mark hard drive(s). Enable Perform Complete Scan. Click "Next." It may take a while to scan your entire computer.

Post the Superantispyware log as well as a fresh HJT log.

Regards Howard :)

 
Hi Howard,

Thanks for the link to the Superspyware. I ran the program and placed what it found in the quarantine. It has resolved the main issue regarding the file called "Program" in the hidden files and folders. You have again helped when I might have just given up. As you requested I have provided the SuperSpyware scan and a new HJT scan. What would be the next steps you recommend?

Thanks
 
Go HERE and follow the instructions for removing Bravesentry.

Post a fresh HJT log after doing the above.

Regards Howard :)
