View Full Version : computer problem. need help please
SisBeezer
11-08-2007, 08:46 PM
i have a problem with some files that keep running and cant seem to find them or get rid of them.
i ran hijackthis and the problems are these two lines:
O4 - HKLM\..\Run: [fyyrndi] C:\Program Files\Common Files\System\grwwxgp.exe
O4 - HKLM\..\Run: [yvtcxhx] C:\Program Files\Common Files\Microsoft Shared\vnwbekj.exe
spybot dont work, and hijackthis said it fixed it but it didnt. it stays gone until i run any install exe of any kind.
any ideas? i find nothing about this except a ton of people are having the same problem. i have even put in new hard drives in both computers, and it came back on both. when it starts to run you cant run any kind of virus, spyware program. nor can you do the task manager to stop it.
Praxeas
11-09-2007, 03:02 AM
i have a problem with some files that keep running and cant seem to find them or get rid of them.
i ran hijackthis and the problems are these two lines:
O4 - HKLM\..\Run: [fyyrndi] C:\Program Files\Common Files\System\grwwxgp.exe
O4 - HKLM\..\Run: [yvtcxhx] C:\Program Files\Common Files\Microsoft Shared\vnwbekj.exe
spybot dont work, and hijackthis said it fixed it but it didnt. it stays gone until i run any install exe of any kind.
any ideas? i find nothing about this except a ton of people are having the same problem. i have even put in new hard drives in both computers, and it came back on both. when it starts to run you cant run any kind of virus, spyware program. nor can you do the task manager to stop it.
First of all let me say this: Anytime you go online and you see a popup that says "Your computer may be infected, click here to do a scan" do NOT click ok. Click the X and close it. That is an attempt to install spyware or a virus on your computer.
You should also download and install the newest Spybot S&D. They have a total new program and adaware.
Does spybot report any spyware at all? Do you have the latest sig files?
i say this because I think I know what it is, but Spybot SHOULD report it, say it removed it, but it will be back.
Also you don't want to install any "tool bars"...
Also post the whole Hijackthis log
You should have at least two spyware scanners, and they should always be up to date.
Then you need a virus scanner too that is up to date. Do you have one? Virus scanners and even spyware scanners should get updates 2-3 times a week. You should do a manual update just to make sure you are getting them.
I need to know what they are reporting.
Also, try running spybot in safe mode. Also try hijackthis in safe mode
SisBeezer
11-09-2007, 05:53 AM
First of all let me say this: Anytime you go online and you see a popup that says "Your computer may be infected, click here to do a scan" do NOT click ok. Click the X and close it. That is an attempt to install spyware or a virus on your computer.
i never do
You should also download and install the newest Spybot S&D. They have a total new program and adaware.
thats what i used the new spybot
Does spybot report any spyware at all?
nothing
Do you have the latest sig files?
yes
i say this because I think I know what it is, but Spybot SHOULD report it, say it removed it, but it will be back.
this is whats stumping me, spybot has never picked it up
Also you don't want to install any "tool bars"...
no i dont use any of those, not on purpose, i have had in the past one or two install itself but right now i dont have any installed
Also post the whole Hijackthis log
i will post it in following post
You should have at least two spyware scanners, and they should always be up to date.
Then you need a virus scanner too that is up to date. Do you have one? Virus scanners and even spyware scanners should get updates 2-3 times a week. You should do a manual update just to make sure you are getting them.
I need to know what they are reporting.
yes and yes on all that. i have TheCleaner for my virus program and update it about every other day or three
Also, try running spybot in safe mode. Also try hijackthis in safe mode
not that one i didnt think to try. will try it next.
SisBeezer
11-09-2007, 05:54 AM
ok this is the hijackthis file:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:28:34 PM, on 11/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Ad Muncher\AdMunch.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\vnwbekj.exe
C:\Program Files\Common Files\System\grwwxgp.exe
C:\Program Files\Trend Micro\HijackThis\Hijack.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: NetXfer - {83B80A9C-D91A-4F22-8DCF-EA7204039F79} - C:\Program Files\Xi\NetXfer\NXIEHelper.dll
O2 - BHO: NTIECatcher Class - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - C:\Program Files\Xi\NetTransport 2\NTIEHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [fyyrndi] C:\Program Files\Common Files\System\grwwxgp.exe
O4 - HKLM\..\Run: [yvtcxhx] C:\Program Files\Common Files\Microsoft Shared\vnwbekj.exe
O4 - Startup: AdMunch.lnk = C:\Program Files\Ad Muncher\AdMunch.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Block frame with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=WB4G9472&id=menu_ie_frame
O8 - Extra context menu item: Block image with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=WB4G9472&id=menu_ie_image
O8 - Extra context menu item: Block link with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=WB4G9472&id=menu_ie_link
O8 - Extra context menu item: Don't filter page with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=WB4G9472&id=menu_ie_exclude
O8 - Extra context menu item: Download all by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddList.html
O8 - Extra context menu item: Download by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddLink.html
O8 - Extra context menu item: Report page to the Ad Muncher developers - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=WB4G9472&id=menu_ie_report
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
and thanks for your help.
BoredOutOfMyMind
11-09-2007, 08:28 AM
i have a problem with some files that keep running and cant seem to find them or get rid of them.
i ran hijackthis and the problems are these two lines:
O4 - HKLM\..\Run: [fyyrndi] C:\Program Files\Common Files\System\grwwxgp.exe
O4 - HKLM\..\Run: [yvtcxhx] C:\Program Files\Common Files\Microsoft Shared\vnwbekj.exe
spybot dont work, and hijackthis said it fixed it but it didnt. it stays gone until i run any install exe of any kind.
any ideas? i find nothing about this except a ton of people are having the same problem. i have even put in new hard drives in both computers, and it came back on both. when it starts to run you cant run any kind of virus, spyware program. nor can you do the task manager to stop it.
Wow!
nothing shows in Google for those files. Heh heh heh, you already posted where I would send you for help!
any ideas? i find nothing about this except a ton of people are having the same problem. i have even put in new hard drives in both computers, and it came back on both. when it starts to run you cant run any kind of virus, spyware program. nor can you do the task manager to stop it. and msconfig closes out if you try to run it, as well as most any other type of program that would/could fix it.
If you open File Explorer, and right click on the files, does it give any more information? They are apparently virus or other malware files. Don't delete them just yet until you determine if they have hooks in other files or programs.
SisBeezer
11-09-2007, 09:10 AM
If you open File Explorer, and right click on the files, does it give any more information? They are apparently virus or other malware files. Don't delete them just yet until you determine if they have hooks in other files or programs.
thats just it, the files are nowhere to be found.
i build and repair computers, but have never run into this kind of problem, sigh
BoredOutOfMyMind
11-09-2007, 09:50 AM
thats just it, the files are nowhere to be found.
i build and repair computers, but have never run into this kind of problem, sigh
You have me stumped, so again Majorgeeks is my advice. I have not looked in malware section for a while, but those who help out are excellent.
SisBeezer
11-09-2007, 09:52 AM
You have me stumped, so again Majorgeeks is my advice. I have not looked in malware section for a while, but those who help out are excellent.
yeah i have my question posted there too but so far no one seems to know. so i guess i will wait lol
BoredOutOfMyMind
11-09-2007, 09:53 AM
SisBeezer, download a Linux Live disk like gnoppix and see if you can see the files with a linux file viewer. You may be able to delete them from the Linux side.
Nose around on MG and see what flavors are recommended.
SisBeezer
11-09-2007, 10:00 AM
SisBeezer, download a Linux Live disk like gnoppix and see if you can see the files with a linux file viewer. You may be able to delete them from the Linux side.
Nose around on MG and see what flavors are recommended.
i'm running windows XP, dont really want to do the linux thing yet. although i am considering just going linux on all my computers.
i have Ubuntu already and am about ready to just forget windows
BoredOutOfMyMind
11-09-2007, 12:16 PM
i'm running windows XP, dont really want to do the linux thing yet. although i am considering just going linux on all my computers.
i have Ubuntu already and am about ready to just forget windows
No, I did not mean to change to Linux. You can view the filesystem using an Ubuntu Live disk. I was not sure of your level of use and know Gnoppix is easy to use. 7.10 will show the filesystem as "Windows" and you should then be able to browse/delete what is broken. Since it is a RAM disk, it will be a bit slower, but after reboot will not have affected your system.
(I am an Ubuntu user but I have an XP hard drive still accessible in my machine. MrsB has threatened me with bodily harm if I install Ubuntu on her machine! )
Praxeas
11-09-2007, 06:11 PM
Well, before moving on you should run both the virus scanner and the spyware scanner in safe mode... Go with the spyware scanner first.
Also I would try an online virus scanner as the one you have might just be missing it (same with spybot)
Praxeas
11-09-2007, 06:13 PM
Also shut down system restore first and shut down the internet connection...
BTW is this PC networked with other PCs or is it on a wireless network? And do you have a firewall running?
Praxeas
11-09-2007, 06:24 PM
i have a problem with some files that keep running and cant seem to find them or get rid of them.
i ran hijackthis and the problems are these two lines:
O4 - HKLM\..\Run: [fyyrndi] C:\Program Files\Common Files\System\grwwxgp.exe
O4 - HKLM\..\Run: [yvtcxhx] C:\Program Files\Common Files\Microsoft Shared\vnwbekj.exe
spybot dont work, and hijackthis said it fixed it but it didnt. it stays gone until i run any install exe of any kind.
any ideas? i find nothing about this except a ton of people are having the same problem. i have even put in new hard drives in both computers, and it came back on both. when it starts to run you cant run any kind of virus, spyware program. nor can you do the task manager to stop it.
Try searching the system registry for those keys. Turn off system restore too before doing this. Run Hijack this in safe mode then try to remove those two entries again
Praxeas
11-09-2007, 06:55 PM
This is weird. So when you go to the location where the files are supposed to be you don't see them? is "show all files" clicked?
If you can find the files you can send it to the virus scanner company maybe or to spybot.
Did you post that you found it on the internet in prefetch? Maybe send that file too
Check your shared folders and see if there is an increase in files there you did not place.
http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?IdVirus=177908&sind=0&sitepanda=particulares
SisBeezer
11-09-2007, 08:09 PM
found a program off the geeks site, called counterspy, it took care of the problem. was strange because i couldnt find the files anywhere but it found them right off. but weird part is, the folders it claimed they were in didnt even exist. oh well. but thanks both of you for all your help!
Praxeas
11-09-2007, 09:44 PM
found a program off the geeks site, called counterspy, it took care of the problem. was strange because i couldnt find the files anywhere but it found them right off. but weird part is, the folders it claimed they were in didnt even exist. oh well. but thanks both of you for all your help!
what was the particular spyware called?
BoredOutOfMyMind
11-09-2007, 11:27 PM
found a program off the geeks site, called counterspy, it took care of the problem. was strange because i couldnt find the files anywhere but it found them right off. but weird part is, the folders it claimed they were in didnt even exist. oh well. but thanks both of you for all your help!
Tim and Jim Rock!
(I prefer the Linux section there myself!)
Glad that you found the solution for your problem.
SisBeezer
11-09-2007, 11:58 PM
what was the particular spyware called?
said it was a trojan but i dont remember what the name was, guess i should have written it down
Tim and Jim Rock!
(I prefer the Linux section there myself!)
Glad that you found the solution for your problem.
thanks. i may be in the linux section before long, i am so sick of windows, and refuse to go vista, so when its a force to upgrade i KNOW i will go linux
thanks both of you!
ms.tammy
11-10-2007, 10:27 PM
I have found sometimes if something weird like that shows up, if I just go delete all the cookies and other stuff on internet options. Most of that stuff goes away after that. Don't know if it will help you or not, but hope so! ( ^ :
Praxeas
11-10-2007, 10:48 PM
said it was a trojan but i dont remember what the name was, guess i should have written it down
thanks. i may be in the linux section before long, i am so sick of windows, and refuse to go vista, so when its a force to upgrade i KNOW i will go linux
thanks both of you!
If you have logs I'd like to see what it found and removed. I had an idea of what it was, but I'd like to find out for sure.
SisBeezer
11-11-2007, 07:28 AM
If you have logs I'd like to see what it found and removed. I had an idea of what it was, but I'd like to find out for sure.
C:\Program Files\Common Files\System\grwwxgp.exe
C:\Program Files\Common Files\Microsoft Shared\vnwbekj.exe
are the two files it removed, and one other file that i dont remember the name. for some reason it wouldnt show the files, even with all files showing, and i had it search for hidden files and in zips and stuff. but i didnt save a log file and cant remember what the other file was called, it just said it was a trojan and it removed it.
Praxeas
11-11-2007, 02:02 PM
C:\Program Files\Common Files\System\grwwxgp.exe
C:\Program Files\Common Files\Microsoft Shared\vnwbekj.exe
are the two files it removed, and one other file that i dont remember the name. for some reason it wouldnt show the files, even with all files showing, and i had it search for hidden files and in zips and stuff. but i didnt save a log file and cant remember what the other file was called, it just said it was a trojan and it removed it.
That's weird. Like when I use Spybot it does not just say "this is a trojan". but it gives the name
SisBeezer
11-12-2007, 06:35 PM
sorry it took me so long to get back with you. this is all i have on what it said, i forgot to save a log file
W32.Dotex Worm.Generic
more information... http://research.sunbelt-software.com/resources/detaildisplay.aspx?threatid=142603
Status: Deleted
Files detected
C:\Program Files\Common Files\Microsoft Shared\vnwbekj.exe
C:\Program Files\Common Files\System\grwwxgp.exe
C:\Program Files\meex.exe
D:\yvtcxhx.exe
Praxeas
11-12-2007, 08:50 PM
sorry it took me so long to get back with you. this is all i have on what it said, i forgot to save a log file
W32.Dotex Worm.Generic
more information... http://research.sunbelt-software.com/resources/detaildisplay.aspx?threatid=142603
Status: Deleted
Files detected
C:\Program Files\Common Files\Microsoft Shared\vnwbekj.exe
C:\Program Files\Common Files\System\grwwxgp.exe
C:\Program Files\meex.exe
D:\yvtcxhx.exe
Do you have two hard drives or does one HD have more than one partition?
Praxeas
11-12-2007, 08:52 PM
It's pretty new
Praxeas
11-12-2007, 09:00 PM
W32.Dotex is a worm that copies itself to the root of all drives and downloads potentially malicious files on to the compromised computer. It also attempts to disable various antivirus programs.
Also called
W32/Webbew.worm is written in Delphi which spreads via removable drives. This worm is designed to silently download and execute malicious content from a remote server.
When the executable is run on the victim machine, the worm copies itself to the following locations.
%Program Files%\bhbsdrx.inf (169 bytes) --> used to autorun the worm when the drive is accessed
%Program Files%\meex.exe (25,824 bytes) --> Copy of the worm
%Program Files%\Common Files\Microsoft Shared\pxpfern.exe (25,824 bytes) --> Copy of the worm
%Program Files%\Common Files\System\tnmgncd.exe (25,824 bytes) --> Copy of the worm
The autorun.inf files are dropped into the root of every removable drive on the victim's system. This inf file facilitates to autorun the worm when the drive is accessed. The autorun.inf is currently detected as Generic!atr (http://vil.nai.com/vil/content/v_141387.htm).
The contents of the file will be similar to the following:
[AutoRun]
open=htocusa.exe
shell\open="opens"
shell\open\Command=htocusa.exe
shell\open\Default=1
shell\explore="Resource Management"
shell\explore\Command=htocusa.exe
This worm exists purely to download and run other remote files. The downloader is installed on the victim machine in a way that assists in masking its activity.
Removal -
A combination of the latest DATs and the Engine (http://www.mcafee.com/apps/downloads/security_updates/dat.asp) will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.
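Added example, not part of the original post or of any vendor's tooling: a Python triage of the autorun.inf contents quoted above, listing every directive that launches a program and which shell verbs it redefines. It generalizes slightly beyond the quoted sample by also handling the `shellexecute` key and quoted command lines; the function names are hypothetical.

```python
import ntpath
import re

# Constructed sample: the autorun.inf contents quoted in the post above.
SAMPLE_AUTORUN_INF = r"""[AutoRun]
open=htocusa.exe
shell\open="opens"
shell\open\Command=htocusa.exe
shell\open\Default=1
shell\explore="Resource Management"
shell\explore\Command=htocusa.exe
"""

# [autorun] keys whose value is a command line that Windows will run.
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\=]+\\command)$",
                        re.IGNORECASE)
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd"}


def _program(command):
    """Return the program part of a command line, honouring double quotes.
    An unquoted path containing spaces is cut at the first space."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    return command.split()[0] if command else ""


def launch_commands(text):
    """Return [(key, program)] for each launch directive under [autorun]."""
    in_autorun = False
    found = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip()
        if LAUNCH_KEY.match(key):
            program = _program(value)
            if program:
                found.append((key, program))
    return found


def triage(text):
    """Summarise what an autorun.inf would start and which verbs it rewires."""
    found = launch_commands(text)
    programs = sorted({prog.lower() for _, prog in found})
    verbs = sorted({key.split("\\")[1].lower() for key, _ in found
                    if key.lower().startswith("shell\\")})
    return {
        "launch_keys": [key for key, _ in found],
        "programs": programs,
        "executables": [p for p in programs
                        if ntpath.splitext(p)[1] in EXECUTABLE_EXTS],
        # Drive context-menu verbs pointed at a program by the file.
        "redefined_verbs": verbs,
    }


if __name__ == "__main__":
    for field, value in triage(SAMPLE_AUTORUN_INF).items():
        print(f"{field}: {value}")
```

Legitimate installer discs also use `open=`, so the output is a list of things to inspect on each drive root, not a verdict.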
SisBeezer
11-12-2007, 09:16 PM
yeah i have two hard drives in each computer. it installed a file called _install.exe into every single folder on all four drives, ugh. but that program called counter spy seems to have taken care of it. (i hope)
it was strange that it would show back up after i took out the other hard drives and put in new ones.
not sure where it even came from because i go to few sites online anymore.
Praxeas
11-12-2007, 09:52 PM
yeah i have two hard drives in each computer. it installed a file called _install.exe into every single folder on all four drives, ugh. but that program called counter spy seems to have taken care of it. (i hope)
it was strange that it would show back up after i took out the other hard drives and put in new ones.
not sure where it even came from because i go to few sites online anymore.
other removable drives? External? USB Key? Network drive?
SisBeezer
11-13-2007, 05:40 AM
other removable drives? External? USB Key? Network drive?
i have one 500 gig usb removable hard drive that i use for storage, but i ran scans on everything there and nothing was found on it.
BoredOutOfMyMind
11-13-2007, 05:55 AM
SisBeezer, you should post what you have found on MG also in case someone else has this same problem.
They have a much bigger tech audience.