PDA

View Full Version : Spyware not removable??



pctek
16-06-2005, 07:45 PM
While doing a spyware check I came across this folder under Program Files:

vpurptw
It contains these files:

cnml.exe
fyqchsbn.dll
fyqchsbn.exe
nbshcqyf.exe
profile.dat

None of it shows up in any of the checkers I have run, inc Hijackthis. There WAS stuff but it all cleaned out. I only noticed this as I was going through the drive and cleaning out temp files, cookies etc.
It will not allow delete even in safe mode.
They look suspect to me and the f and n files are running in processes. PC seems ok at present but I don't like it and would like to be able to remove them

Any ideas? Google didn't bring up anything I could find.

Overdrive_5000
16-06-2005, 07:53 PM
If you wish to delete the files give Move on boot a go it can be downloaded here (http://www.softwarepatch.com/software/moveonboot.html) :thumbs:

Metla
16-06-2005, 08:17 PM
Hijackthis has a moveonboot tool as well, its buried a couple of menu's into the program.The only advantage the proper moveonboot tool has is you can drag files into it.

pctek
16-06-2005, 08:24 PM
But Hijackthis doesn't even see them.

FoxyMX
16-06-2005, 08:49 PM
This is a nasty one and quite tricky to remove completely because of the different files it hides everywhere.

Download KillBox (http://www.bleepingcomputer.com/files/killbox.php).

Run KillBox and paste The FIRST ONE of these lines into the box, select delete on reboot then press the red X button, say yes to the prompt but no to reboot now.

Continue to paste the lines in in turn and follow the above procedure every time.

C:\PROGRAM FILES\vpurptw\cnml.exe
C:\PROGRAM FILES\vpurptw\fyqchsbn.dll
C:\PROGRAM FILES\vpurptw\fyqchsbn.exe
C:\PROGRAM FILES\vpurptw\nbshcqyf.exe
C:\PROGRA~1\vpurptw\profile.dat

Then on KillBox's top bar press Tools and then empty temp files and follow those prompts and say yes to everything.

Reboot.

Delete the folder you found:

C:\PROGRAM Files\vpurptw

Then go to C:\windows\temp and select EVERYTHING and delete it all and then do the same for C:\temp.

Delete all the Temporary Internet Files, History and Cookies in Internet Options.

You may also find that the Hosts file has been changed to divert you to all sorts of other sites so make sure you check in there.

There will likely be other files buried elsewhere in Windows/System and other places. HijackThis might reveal them so you might like to post a log for examination.

Metla
16-06-2005, 09:10 PM
But Hijackthis doesn't even see them.

Ya, I was referring to a delete on boot tool that is part of Hijackthis but seperate from that scan and display part of the program.

It just opens a text box and you can enter in the names of any files you want deleted on next boot.

FoxyMX
17-06-2005, 11:33 PM
So.... how did you get on with removing these pests?

mark c
18-06-2005, 01:36 AM
yeah pctek I'd like to know what happened too. That's how I (and I guess lots of others) learn about things here. :p :o ;) :xmouth: :D

pctek
18-06-2005, 10:19 AM
Haven't yet. lady took it home to see how she gets on. I had already cleaned out temp folders, cookies etc etc.
It did not appear to be active, but it was annoying me I couldn't remove that last folder and contents. All scans with everything were clean.

I did tell her I had posted here and would get back to her with removal instructions if any were suggested so looks like I'll be going over there today and trying Foxys program.
I forgot about those kind of tools....

I had removed everything Hijackthis found as well and installed SPywareblaster and enabled everything, hosts is ok.
She had a LOT of different spywares. Not helped by the fact that she had downloaded a heap of them herself, various toolbar helpers, online casino stuff and kazaa. And Imesh. And some lovely porn that launched in your face on startup.
Apparently her sisters PC is the same so I'll have that joy to do too.

pctek
18-06-2005, 10:22 AM
Ya, I was referring to a delete on boot tool that is part of Hijackthis but seperate from that scan and display part of the program.

It just opens a text box and you can enter in the names of any files you want deleted on next boot.
Where do I find that? Or how I should say? I looked but couldn't see it.

Metla
18-06-2005, 12:08 PM
http://sal.neoburn.net/imagef1/files/hijack.jpg

pctek
18-06-2005, 01:53 PM
http://www.sal.neoburn.net/imagef1/files/Image1.jpg

Aha, thats why I couldn't find it. I shall go download the newer version now.
Thanks - was starting to think I must be blonde.
BTW nice clear red arrows. :D

Cicero
18-06-2005, 02:35 PM
http://www.sal.neoburn.net/imagef1/files/Image1.jpg

Aha, thats why I couldn't find it. I shall go download the newer version now.
Thanks - was starting to think I must be blonde.
BTW nice clear red arrows. :D
How does one get the arrows?Seems clever stuff.!

Overdrive_5000
18-06-2005, 04:47 PM
You can just draw them in with Paint or a similar prog

Cicero
18-06-2005, 06:01 PM
You can just draw them in with Paint or a similar prog

What a cunning stunt.