Windows Three Files in System32 Directory...

Discussion in 'Software' started by DivineSin, 10 Sep 2004.

  1. DivineSin

    DivineSin What's a Dremel?

    Joined:
    23 Apr 2004
    Posts:
    1,251
    Likes Received:
    0
    I've had three random files in my system32 directory. I've deleted them several times and they just come back. I've run trojan/virus scanners and several spyware scanners. Nothing finds the files. I've erased them 'beyond recovery' and just manually. BUT they always come back as a different name and come back into my startup. The three files are tapi3435h.exe, kbdnec95570g.exe and iccvid232s.exe, but as I said before they are random file names and always come back as different names :wallbash: . Has anyone ever experienced this and know how to get rid of it completely?
     
  2. 731|\|37

    731|\|37 ESD Engineer in Training

    Joined:
    5 Sep 2004
    Posts:
    1,047
    Likes Received:
    0
    QUESTION 1: how do you know they are the same files?
    QUESTION 2: why do you want them removed?
    QUESTION 3: how do you know they aren't windoze files?

    To "fix" it I would try searching your registry for the first part of the file name and see what you come up with. However, make sure that you really want to get rid of them before you go digging around.
     
  3. DivineSin

    DivineSin What's a Dremel?

    Joined:
    23 Apr 2004
    Posts:
    1,251
    Likes Received:
    0
    1) They are randomly generated file names.. there are always three, and they're always in the system32 folder.
    2) I want them removed because they start up and use my memory?
    3) I don't know.. but I can pretty much bet they're not? As I have deleted them and everything still worked, if not worked better?

    I asked a question for people who could help. Sorry if this is rude, but those are some very stupid questions.
     
  4. 731|\|37

    731|\|37 ESD Engineer in Training

    Joined:
    5 Sep 2004
    Posts:
    1,047
    Likes Received:
    0
    I'm just trying to make sure that you're not some ubernewb messing around with your OS. Like I said, I'd check the reg; I'd also run Ad-Aware (lavasoftusa.com) and Spybot Search and Destroy (sorry, don't have a URL for Spybot handy). Those two combined are the most powerful unwanted-file finders/deleters. And as another measure I'd go run MSConfig to see what you come up with.

    And I will still make a case of you not knowing that they are the same 3 files, but the other two are logical.
     
  5. DivineSin

    DivineSin What's a Dremel?

    Joined:
    23 Apr 2004
    Posts:
    1,251
    Likes Received:
    0
    Like I said, I've run several spyware programs, including Spybot, Lavasoft Ad-Aware, and PestPatrol (including several antivirus/trojan programs).

    Another point is that when I disable them in MSConfig and restart they don't come up. But say I restart once more, they will be in MSConfig once again and start up, which is quite... annoying.
     
  6. 731|\|37

    731|\|37 ESD Engineer in Training

    Joined:
    5 Sep 2004
    Posts:
    1,047
    Likes Received:
    0
    And your reg?

    HKEY_LOCAL_MACHINE\software\Microsoft\windows\run

    is where your startup should be, but I'd also check

    HKEY_LOCAL_MACHINE\software\Microsoft\windows\runOnce
    and
    HKEY_LOCAL_MACHINE\software\Microsoft\windows\runOnceExe
     
  7. DivineSin

    DivineSin What's a Dremel?

    Joined:
    23 Apr 2004
    Posts:
    1,251
    Likes Received:
    0
    Didn't even think about checking the registry for this. I'll give that a try. Thanks.

    Edit: Actually I can't find any of those directories. Maybe since I just upgraded to SP2 a few hours ago it would be in a different spot?
     
  8. Tech-Daddy

    Tech-Daddy What's a Dremel?

    Joined:
    8 Oct 2003
    Posts:
    869
    Likes Received:
    1
    You are infected with malware/spyware.

    Several things to do.
    1) Download Spybot - Search and Destroy(http://www.safer-networking.org/en/download/)
    2) Download AdAware(http://www.download.com/3000-2144-10045910.html?part=69274&subj=dlpage&tag=button)
    3) Download HiJackThis (http://www.download.com/3000-8022-10227353.html)

    And here are the tricks. Install the apps on your machine and run the updates to get the most current definitions. Don't run the apps in regular Windows mode. You'll want to run them in SAFE MODE with EXPLORER turned off (will explain that in a sec).

    But after you have Spybot and AdAware installed and updated (make a note of their installation locations and the .exe files that start them), run HijackThis, export it to a file and post up the contents of the HijackThis log that is generated. I'll see if there is anything that I can point out to you on the fix.

    After you do that, reboot your machine and put it in SAFE MODE (if this is XP, then hit the F8 key just after your BIOS POST is completed, just before the OS starts to load).

    Load SAFE MODE only, no networking.

    Once there, open up the Task Manager and MINIMIZE it, do not CLOSE it. Open up AdAware, and minimize it. Re-open the Task Manager and look at the Processes tab. Locate "Explorer", right click and say "End Task". This dumps the Windows Explorer and frees up any .dll files that it had locked in memory. MINIMIZE the TASK MANAGER.

    Open up the minimized AdAware, and have it run its scan. After it completes, run it again. After the 2nd time, close it. Open up the minimized Task Manager, select "File - New Task (Run)" and type in the path to the Spybot application (as I noted above, make a note of the installation location), and start up Spybot. Run it on the machine twice.

    Goal here is to have 0 items respond back to the scans. SAFE MODE with the EXPLORER process shut down is one of the most effective ways that I have found for removing these pesky creatures.

    Some of the newer Malware apps are really tricky in rebuilding themselves as you are very well aware of. I have more tricks that I have learned, but get that HiJack log posted up, and I'll gear the responses to that.

    Good Luck!
     
  9. 731|\|37

    731|\|37 ESD Engineer in Training

    Joined:
    5 Sep 2004
    Posts:
    1,047
    Likes Received:
    0
    Tech-Daddy had a good idea with the safe mode, so try that first.

    The reg keys should be there no matter what SPs you have; try browsing around and try to find the "run" folders and see what's in there.
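
    The registry walk suggested in posts 6, 7 and 9, together with the "stop the running copy before you remove it" idea behind the safe-mode procedure in post 8, as an added PowerShell example that is not part of the original thread. It assumes a current Windows with Windows PowerShell 5.1 or later run from an elevated prompt (PowerShell did not exist on the XP SP2 machine in the thread). The autostart values live under ...\Microsoft\Windows\CurrentVersion\Run, \RunOnce and \RunOnceEx in both HKLM and HKCU; RunOnceEx keeps numbered subkeys rather than values, so it only contributes findings when values are present. The script lists every value, resolves it to the executable it launches, checks the file's Authenticode signature and SHA-256, and puts unsigned System32 executables (the pattern the thread describes) at the top. The function names, the `$findings` variable and the quarantine directory under ProgramData are this example's own choices, not anything from the thread.

```powershell
# Added example, not from the thread. Enumerates the autostart registry keys
# the posters discuss, resolves each value to the executable it launches, and
# flags unsigned binaries living in System32. Assumes Windows PowerShell 5.1+
# run from an elevated prompt; function and variable names are this example's own.

$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnceEx'           # numbered subkeys; values only if present
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'     # 32-bit view on 64-bit Windows
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Members Get-ItemProperty adds for its own bookkeeping; they are not registry values.
$psNoise = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Resolve-ImagePath {
    # Turn a Run value such as   "C:\WINDOWS\system32\foo.exe" /silent
    # or   %SystemRoot%\system32\foo.exe -x   into the bare executable path.
    param([string]$Command)
    if ($Command -match '^\s*"([^"]+)"') { $path = $Matches[1] }
    else { $path = ($Command.Trim() -split '\s+')[0] }
    return [Environment]::ExpandEnvironmentVariables($path)
}

function Get-AutostartFindings {
    $system32 = Join-Path $env:SystemRoot 'System32'
    foreach ($key in $runKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -in $psNoise) { continue }
            $image = Resolve-ImagePath ([string]$p.Value)
            if ([string]::IsNullOrWhiteSpace($image)) { continue }
            $exists = Test-Path -LiteralPath $image -PathType Leaf
            # A missing file is itself interesting: the value outlived the binary,
            # or the binary is re-created with a new name, as the thread describes.
            $sig  = if ($exists) { (Get-AuthenticodeSignature -FilePath $image).Status } else { 'FileMissing' }
            $hash = if ($exists) { (Get-FileHash -LiteralPath $image -Algorithm SHA256).Hash } else { $null }
            [pscustomobject]@{
                Key        = $key
                Name       = $p.Name
                Command    = $p.Value
                Image      = $image
                InSystem32 = $exists -and $image.StartsWith($system32, [StringComparison]::OrdinalIgnoreCase)
                Signature  = $sig
                SHA256     = $hash
            }
        }
    }
}

function Remove-AutostartEntry {
    # Stops any running copy first (the same reason post 8 ends Explorer in
    # safe mode: a running image, or one whose DLLs are loaded, cannot be
    # deleted), removes the Run value, and moves the file to a quarantine
    # directory rather than deleting it so it can still be hashed and submitted.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][psobject]$Finding)
    $quarantine = Join-Path $env:ProgramData 'autostart-quarantine'   # assumed location
    if ($PSCmdlet.ShouldProcess($Finding.Image, "remove value '$($Finding.Name)' from $($Finding.Key) and quarantine file")) {
        Get-Process | Where-Object { $_.Path -eq $Finding.Image } | Stop-Process -Force
        Remove-ItemProperty -Path $Finding.Key -Name $Finding.Name
        if (Test-Path -LiteralPath $Finding.Image) {
            New-Item -ItemType Directory -Path $quarantine -Force | Out-Null
            Move-Item -LiteralPath $Finding.Image -Destination $quarantine
        }
    }
}

# Usage: list everything with the suspicious entries first, then dry-run the removal.
$findings = Get-AutostartFindings
$findings | Sort-Object { $_.InSystem32 -and $_.Signature -ne 'Valid' } -Descending |
    Format-Table Name, Signature, InSystem32, Image -AutoSize
$findings | Where-Object { $_.InSystem32 -and $_.Signature -ne 'Valid' } |
    ForEach-Object { Remove-AutostartEntry -Finding $_ -WhatIf }
```

    Drop `-WhatIf` only after reading the listing; a legitimate unsigned tool in System32 will show up in the same bucket. Run the listing again after a reboot: if a fresh value pointing at a fresh random name has appeared, as the original poster reports, something other than the Run value itself is re-creating both, and the Run keys alone will not tell you what that is.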
     