Author |
Message |
S|y Cat B|ue
Spammer Hopeful
Joined: Wed May 12, 2004 11:00 pm Posts: 470 Location: My fro's ZipCode is 069.42
|
Odd file annoying me
I honestly doubt anyone has seen these files before because I have gone throught google search and nothing came up:
wkwgww.exe
hnhihh.exe
They seem to be brother files because of the way the names are set (w for the 1,3,5,6 places h for the 1,3,5,6 places). I have never seen these before and all the updated spyware, adware, virus removal can spot it as a threat. What they actually cause is right at the startup, the programs start to work and use up about over 60 percent of the cpu. I see the hourglass spin constantly at the start up. So I open windows task manager to see these guys that I have never heard of be working on my computer.
Here's the kicker. Because my scan/removal programs don't see it as a problem, I looked for the files my self. Locations were here:
C:/WINDOWS/system32/wkwgww.exe
C:/Documents and Settings/All Users/StartMenu/Programs/Startup/hnhihh.exe
I look at the properties of both of them and they have different creation dates but I think those were when they were made, not downloaded. No information came with them so I know they are not important Microsoft files and such. So I find wkwgww.exe and delete it. But it says access denied. Decided to try and delete hnhihh.exe and it actually deleted. Then for some reason, in a matter of seconds, it pops up in the Startup folder again. WTF mate?
I start the registry editor and search for those same files. I have renamed all of them, then deleted them. Thought is was over. Load up my computer the next day and I see my little hourglass spinning and see those files still on my computer.
The reason why I wanted to post this is because I wanted to know if there is any way I cant disable certain programs. Right now I have SpySweeper and I have set a sheild on hnhihh.exe and it alerts me that it tries to load up and asks me to delete it. I do, and it pops back up in 3 seconds. I need to find a way other than deletion that I can disable certain files. Please help.
ShittyKitty.
_________________
I am 61% addicted to Counterstrike.
|
Mon Feb 21, 2005 12:09 pm |
|
|
Rent-A-Cop
[n00b] Member
Joined: Sat May 01, 2004 11:00 pm Posts: 553 Location: Dubuque, Iowa
|
Have you tryed booting in safe mode and working from there?
_________________
|
Mon Feb 21, 2005 7:20 pm |
|
|
S|y Cat B|ue
Spammer Hopeful
Joined: Wed May 12, 2004 11:00 pm Posts: 470 Location: My fro's ZipCode is 069.42
|
I tried it and started in safe mode with command prompt. I found the files and deleted them then ran through the registry again and deleted their files as well. It seemed to work, but only for a day. Today the thing is back on my comp. I am gonna try it all again and disconnect my internet to see if that is what is causing it now.
_________________
I am 61% addicted to Counterstrike.
|
Tue Feb 22, 2005 12:15 pm |
|
|
HHB
[n00b] Member
Joined: Thu Apr 29, 2004 11:00 pm Posts: 774 Location: Virgina Beach
|
too much porn
_________________ B1zzle FO Shizzle
|
Tue Feb 22, 2005 1:52 pm |
|
|
S|y Cat B|ue
Spammer Hopeful
Joined: Wed May 12, 2004 11:00 pm Posts: 470 Location: My fro's ZipCode is 069.42
|
Pfft. For one thing there is no such thing as 'too much porn'.
They were little rbots and junk but everytime I get rid of them they come back. So i don't think anything will help now except the 'F' word (format, for all you F*CKING wierdos).
_________________
I am 61% addicted to Counterstrike.
|
Wed Feb 23, 2005 3:12 pm |
|
|
Gman
[HNIC] Stзamroller ω
Joined: Sun Apr 25, 2004 11:00 pm Posts: 13453
|
Holdup! delete the file from c:/windows/system32/dllcache/
and THEN delete it from system32.
see if you can do that.
_________________ I hate to advocate drugs, alcohol, violence, or insanity to anyone, but they've always worked for me. -- Hunter S Thompson
|
Wed Feb 23, 2005 10:01 pm |
|
|
S|y Cat B|ue
Spammer Hopeful
Joined: Wed May 12, 2004 11:00 pm Posts: 470 Location: My fro's ZipCode is 069.42
|
My problem isn't not being able to delete it now, because I know I can delete the file. I just need to know if there is some way I can have it on my computer but disabled from ever working. Everytime I delete it, it comes back on my computer within minutes even when I haven't done anything at all. So all I need to do is stop it from regenerating ya know?
_________________
I am 61% addicted to Counterstrike.
|
Thu Feb 24, 2005 2:58 pm |
|
|
Gman
[HNIC] Stзamroller ω
Joined: Sun Apr 25, 2004 11:00 pm Posts: 13453
|
create a blank text document and rename it to the desired filename (make sure you get the extension correct, too).
right click the icon and copy it
go to your system32 folder, delete the exe, and hit ctrl+v instantly after you hit yes to delete it. it should put the new (blank, invalid) exe there, so it should satisfy your computer's lust for the file's presence without the file really being there.
_________________ I hate to advocate drugs, alcohol, violence, or insanity to anyone, but they've always worked for me. -- Hunter S Thompson
|
Thu Feb 24, 2005 10:23 pm |
|
|
S|y Cat B|ue
Spammer Hopeful
Joined: Wed May 12, 2004 11:00 pm Posts: 470 Location: My fro's ZipCode is 069.42
|
It would be as if I just renamed it though, wouldn't it just copy itself again? Well w/e, Imma run through the deleting process once again and try that out.
_________________
I am 61% addicted to Counterstrike.
|
Fri Feb 25, 2005 4:29 pm |
|
|
MesscanBandito
[n00b] Member
Joined: Fri Jun 11, 2004 11:00 pm Posts: 961
|
What if you make it read only?
_________________ What can the harvest hope for, if not the care of the reaper man?
|
Fri Feb 25, 2005 5:00 pm |
|
|
S|y Cat B|ue
Spammer Hopeful
Joined: Wed May 12, 2004 11:00 pm Posts: 470 Location: My fro's ZipCode is 069.42
|
Yeah Gwoman, I tried it today and no such luck. Making it read-only didn't make a difference either. I found out it is like some Narrator worm or some shit like that that attacks svhost.exe on the comps. Don't worry about it anymore, ill just have to back up and F it.
_________________
I am 61% addicted to Counterstrike.
|
Sat Feb 26, 2005 12:24 am |
|
|
Gman
[HNIC] Stзamroller ω
Joined: Sun Apr 25, 2004 11:00 pm Posts: 13453
|
Do a virus scan.
Google "pandasoftware activescan"
It's an excellent, free, online virus scanner. Try and fix problems before you F*CKIN' format.
_________________ I hate to advocate drugs, alcohol, violence, or insanity to anyone, but they've always worked for me. -- Hunter S Thompson
|
Sat Feb 26, 2005 12:59 pm |
|
|
oreX
n00bfest Retired Ancient, Senior Admin
Joined: Thu Jul 15, 2004 11:00 pm Posts: 2260 Location: Your Moms PANTS !
|
_________________
|
Sat Feb 26, 2005 1:19 pm |
|
|
Spyda
Game Server Admin
Joined: Thu Apr 29, 2004 11:00 pm Posts: 5606 Location: Yo mama's room, Bitch!
|
LOL almost the exact same thing...
_________________icemaN: i was droppin wards like they were turds
|
Sat Feb 26, 2005 2:09 pm |
|
|
S|y Cat B|ue
Spammer Hopeful
Joined: Wed May 12, 2004 11:00 pm Posts: 470 Location: My fro's ZipCode is 069.42
|
Yeah retard, it is the same thing because that is my thread! I am getting different opinions here bro, why else would it be exactly the same spyda?
Well I ran the TrendMicro scan again and the malware is called TROJ_NARRATOR.A (as in the other forum posted) Today I just ran through the procedures again and lets see if it is done now.
_________________
I am 61% addicted to Counterstrike.
|
Sun Feb 27, 2005 12:23 pm |
|
|
|