Strange files showing up in Recycle bin

Hi DaveT50,

Welcome to Dell Community Malware Removal Forums,

Sorry for the delay in getting to you, I'm K27 and i will be reviewing your log for you.

Please DO NOT run any scans/tools/fixes on your own as this will conflict with the tools we are going to use.

Please Print or Save to Notepad all instructions and please follow them carefully and if there's something you don't understand or that will not work please let me know and we will go through it together.

Please DO NOT use this system for anything apart from visiting this forum and other sites I direct you too, as this will only make the cleanup process all the more diffecult.

Failure to reply in three (3) days will result in this topic being closed and I will remove it from my notifications, If you require more time then that is fine but please let me know.

Download and scan with CCleaner
1. Starting with v1.27.260, CCleaner installs the Yahoo Toolbar as an option which IS checkmarked by default during the installation. IF you do NOT want it, REMOVE the checkmark when provided with the option OR download the toolbar-free or Slim versions instead of the Standard Build.
2. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours"
3. Then select the items you wish to clean up.
In the Windows Tab:

• Clean all entries in the "Internet Explorer" section except Cookies if you want to keep those.
• Clean all the entries in the "Windows Explorer" section.
• Clean all entries in the "System" section.
• Clean all entries in the "Advanced" section.
• Clean any others that you choose.

In the Applications Tab:

• Clean all except cookies in the Firefox/Mozilla section if you use it.
• Clean all in the Opera section if you use it.
• Clean Sun Java in the Internet Section.
• Clean any others that you choose.

4. Click the "Run Cleaner" button.
5. A pop up box will appear advising this process will permanently delete files from your system.
6. Click "OK" and it will scan and clean your system.
7. Click "exit" when done.

Then Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

• Make sure you are connected to the Internet.
• Double-click on mbam-setup.exe to install the application.
• When the installation begins, follow the prompts and do not make any changes to default settings.
• When installation has finished, make sure you leave both of these checked:
  • Update Malwarebytes' Anti-Malware
  • Launch Malwarebytes' Anti-Malware
• Then click Finish.

MBAM will automatically start and you will be asked to update the program before performing a scan.

• If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
• If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.

On the Scanner tab:

• Make sure the "Perform Quick Scan" option is selected.
• Then click on the Scan button.
• If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
• The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
• When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
• Click OK to close the message box and continue with the removal process.

Back at the main Scanner screen:

• Click on the Show Results button to see a list of any malware that was found.
• Make sure that everything is checked, and click Remove Selected.
• When removal is completed, a log report will open in Notepad.
• The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
• Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
• Exit MBAM when done.

Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

I then need to see some additional information about what is happening in your machine.
Please perform the following scan:

• Download DDS by sUBs from one of the following links. Save it to your desktop.
  • DDS.com
  • DDS.scr
  • DDS.pif
• Double click on the DDS icon, allow it to run.
• A small box will open, with an explanation about the tool.
• When done, DDS will open two (2) logs
  1. DDS.txt
  2. Attach.txt
• Save both reports to your desktop.
• The instructions here ask you to attach the Attach.txt.
  
• Instead of attaching, please copy/past both logs into your next reply.

   

   

• Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run.
After downloading the tool, disconnect from the internet and disable all antivirus protection.
Run the scan, enable your A/V and reconnect to the internet.
Information on A/V control HERE

Please copy/paste back the MBAM log and BOTH DDS logs for review.

Also, please tell me the names of the files that are appearing in the Recycle bin.

Thanks.

This topic is now marked Inactive.....

The fixes in this topic were written specifically for this user, following them may cause harm to your machine and render it a brick (useless)

If you are the original poster and would like further assistance please post a fresh HJT log and details of the problems you are having.

All other user's, please read THIS page and then please start a New Topic at the top of the Malware Removal Forum by clicking the button.

Ky sorry i hope this can be revived. here are the three logs

MBAM

Hi DaveT50

sorry i hope this can be revived. here are the three logs

No Problem.

Please post the DDS Attach.txt log, also, apart from the strange files in the recycle bin (was this a one off? Is it still happening?) are there any other issues with the system.

Thanks.

this is what she sent me for the Attach.txt file

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_11-03-05.01)
.
Microsoft Windows 7 Home Premium
Boot Device: \Device\HarddiskVolume2
Install Date: 10/29/2010 7:59:54 PM
System Uptime: 3/29/2011 1:11:33 PM (4 hours ago)
.
Motherboard: ASUSTeK Computer Inc.         |  | K50IJ    
Processor: Pentium(R) Dual-Core CPU       T4400  @ 2.20GHz | Socket 478 | 2200/200mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 283 GiB total, 248.741 GiB free.
E: is CDROM ()
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP152: 2/22/2011 6:38:49 PM - Windows Update
RP153: 2/24/2011 10:31:17 PM - Windows Update
RP154: 2/25/2011 11:20:30 AM - Installed Java(TM) 6 Update 24
RP155: 2/28/2011 10:25:39 AM - Windows Update
RP156: 3/3/2011 10:41:33 AM - Windows Update
RP157: 3/7/2011 10:42:08 AM - Windows Update
RP158: 3/8/2011 4:30:28 PM - Windows Update
RP159: 3/12/2011 10:31:50 AM - Windows Update
RP160: 3/15/2011 11:59:26 AM - Windows Update
RP161: 3/19/2011 11:45:00 AM - Windows Update
RP162: 3/22/2011 8:35:20 PM - Installed HiJackThis
RP163: 3/23/2011 11:29:18 AM - Windows Update
RP164: 3/23/2011 2:03:16 PM - Windows Update
RP165: 3/27/2011 1:36:10 PM - Windows Update
RP166: 3/29/2011 1:09:12 PM - Windows Update
.
==== Installed Programs ======================
.
Acrobat.com
Acronis True Image Home 2011
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader X (10.0.1)
Adobe Shockwave Player 11.5
AIM 7
Alcor Micro USB Card Reader
ASUS AI Recovery
ASUS AP Bank
ASUS CopyProtect
ASUS Data Security Manager
ASUS FancyStart
ASUS LifeFrame3
ASUS Live Update
ASUS MultiFrame
ASUS SmartLogon
ASUS Splendid Video Enhancement Technology
ASUS USB2.0 UVC VGA WebCam
ASUS Virtual Camera
ASUS_Screensaver
ATK Generic Function Service
ATK Hotkey
ATK Media
ATKOSD2
AutoSizer
Best Buy pc app
Brother MFL-Pro Suite MFC-255CW
Compatibility Pack for the 2007 Office system
ControlDeck
Coupon Printer for Windows
D3DX10
Download Updater (AOL LLC)
eReg
Google Earth
Google Update Helper
HiJackThis
Intel(R) Control Center
Intel(R) Graphics Media Accelerator Driver
Java Auto Updater
Java(TM) 6 Update 24
Junk Mail filter update
Malwarebytes' Anti-Malware
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Excel MUI (English) 2007
Microsoft Office Home and Student 2007
Microsoft Office Live Add-in 1.3
Microsoft Office OneNote MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft PowerPoint Viewer
Microsoft Search Enhancement Pack
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Works
Mozilla Firefox 4.0 (x86 en-US)
MSVCRT
MSVCRT_amd64
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Platform
Roxio Burn
Roxio Roxio Burn
Roxio Update Manager
ScanSoft PaperPort 11
Security Update for 2007 Microsoft Office System (KB2288621)
Security Update for 2007 Microsoft Office System (KB2288931)
Security Update for 2007 Microsoft Office System (KB2289158)
Security Update for 2007 Microsoft Office System (KB2344875)
Security Update for 2007 Microsoft Office System (KB2345043)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2160841)
Security Update for Microsoft Office Excel 2007 (KB2345035)
Security Update for Microsoft Office InfoPath 2007 (KB979441)
Security Update for Microsoft Office PowerPoint 2007 (KB982158)
Security Update for Microsoft Office PowerPoint Viewer (KB2413381)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB2344993)
Skype Toolbars
Skype™ 5.1
TomTom HOME 2.7.6.2056
TomTom HOME Visual Studio Merge Modules
Update for 2007 Microsoft Office System (KB2284654)
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office OneNote 2007 (KB980729)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
VIA Platform Device Manager
Windows Live Communications Platform
Windows Live Essentials
Windows Live Installer
Windows Live Mail
Windows Live Messenger
Windows Live Movie Maker
Windows Live Photo Common
Windows Live Photo Gallery
Windows Live PIMT Platform
Windows Live SOXE
Windows Live SOXE Definitions
Windows Live Sync
Windows Live UX Platform
Windows Live UX Platform Language Pack
Windows Live Writer
Windows Live Writer Resources
WinFlash
Wireless Console 3
.
==== End Of File ===========================

The files seem to come randomly. She has many strange things that happen, like the desktop will not always appear the same, icon come and go and then a reboot will seem to fix them.

Hi Dave,

I see that she has Acronis installed, has she restored to an image before this started happening?

Also, I see that MSSE is left in the WMI but it does not seems to be active or even installed on the system, nor does any other type of Security.

Please find out if the files start with WML or the file extension is WML.

Go here to run an online scannner from ESET.

• Note: You will need to use Internet explorer for this scan
• Turn off the real time scanner of any existing antivirus program while performing the online scan
• Tick the box next to YES, I accept the Terms of Use.
• Click Start
• When asked, allow the activex control to install
• Click Start
• Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
• Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
• Click Scan
• Wait for the scan to finish
• Click the "Show Results" button
• Then click the "Export to Text File" button and save the log to the desktop
• Copy and paste that log as a reply to this topic and also let me know how things are now.

Please post back the ESET report and then answers to above.

Thanks.

No we have not had to restore an image from Acronis. That is funny about MSSE as she is running that and runs a scan at least once a week. This is the only security we have installed on the system other then MBAM.

I will forward the instructins to her so we can walk through it and get back with the logs..

thanks a bunch.

Hi Dave,

My bad on the MSSE, there are a few drivers running on the system and one active startup entry, I must have over looked them, maybe my eyes are getting old. I still cannot see it in the add/remove programs list though, please have her check that it is listed there and then please have her run a full system scan with it as well as with the ESET scan.

Thanks.

Ok She ran the ESET scan but there is no option to make a log. To check I also ran the scan and she was correct. When its done it just gives you a screen that tells you the results. Her scan came up clean as well as her scan in MSSE.

I had her check and indeed MSSE shows up in her Program and features listing of installed programs.

Hi Dave,

I don't think this is malware related, if it was, one of these tools would have found something, the fact that the desktop is acting strange, I would be inclined to uninstall/reinstall the graphics drivers,

Also, I am going to need the full name of the a few of the files that are showing up in the bin, there could be a program that is set to automatically delete its backups once another so many have been made. Please ask her to provide the exact file name and more importantly, the exact file extension.

Thanks,.

she reported today that this file was in the recycle bin:

Hi,

Do she use Windows Live Messenger?

Please open the Recycle bin with the file inside and then drag the file to the desktop, this will restore the file from the bin to the desktop.

Then please upload me a file for an analyst, please go to THIS web page, once there please copy/paste the link to this thread in the dialogue box where it says Link to topic where this file was requested:.

Then please click the Browse button and then using the Windows Explorer box that opens, please navigate to WLM1E72.tmp file that was restored to the desktop..

Once you have located the file please click it once so it appears in the text box at the bottom of the Windows Explorer box and then click OK. Then please click the Send File button on the web page.

Thanks.

No we don't use live messenger perse.. but she does use window live mail. I will pass the instructions along to her and help her get the file to you. Thanks again for all your help.

Thanks :emotion-21:

No i think we have determined that the files only show up when she gets mails with pictures in them. She was not able to upload to the site nor send me the file for me to try but going on remote i looked at the file and it is just jpegs or such from emais with embedded pics in them