No Router = MEGA SPYWARE/ADWARE/TROJANS


Big Booger
August 27th, 2005, 08:58 AM
I have had to go back to using ADSL and in that time, somehow, some way, my wife's PC has gotten infested with something.

It keeps creating files with URL addresses in them. I do a system scan for the files, even searching hidden files, and they don't show up. I am pretty sure they are embedded in the system registry.

I have run Spybot, Ad-Aware, HijackThis, Windows Antispyware, NOD32, AVG free edition, Panda and Trend Micro's online scanners... and no matter what I do, it keeps coming back.

One file in particular:

Yaemu.exe located in C:/Windows/system32

I cannot delete the file manually I get an access error, but hijack this supposedly fixes it.

But it doesn't.

And to beat everything, this is directly after a fresh clean install of XP. I wiped the entire hard drive because the computer suddenly started shutting itself down without notice and I was getting all kinds of .exe and .dll errors in the event viewer.

I've run memtest, did a defrag, checked the disk for errors... even now I am getting threat detections with Nod32. I have hence set it to automatically terminate the files and quarantine them prior to termination. For the next 999 minutes LOL

Whatever this is it's virulent and persistent... but so am I. I will defeat this cocksucker if it takes me the rest of my computing days. Eat shit spyware, adware, trojan and other viral makers of the internetting world!!!!

Now take a look at my screen capture:

PIPER
August 27th, 2005, 09:41 AM
Damn things anyway.... I know it would be a pain, but u might consider a low level format and remove the battery for a day just to be certain.... she is hiding somewhere in mem or so it seems.... could be NVRAM, hell, it's hard to say. :mad: .... it would piss me off!!!

Dehcbad25
August 27th, 2005, 12:45 PM
Did you try to restore the IE settings using the Windows Antispyware? You might have the search and hosts files changed, so every time the PC connects you download the spyware again. I have seen very similar cases. After updating the scanners, I unplugged the internet and ran scans in safe mode, in order to avoid the real time protection restoring files on the fly (I saw that too). Before going into safe mode, I also disabled all startup items but the needed ones, since there was one more case where the spyware would load at the beginning and I could not get rid of it.
Finally, make sure none of the accounts in the PC have a password. That is the main problem with the spyware cleaners, which cannot delete (or even detect, sometimes) spyware in different accounts.

Big Booger
August 27th, 2005, 13:52 PM
Did you try to restore the IE settings using the Windows Antispyware? You might have the search and hosts files changed, so every time the PC connects you download the spyware again. I have seen very similar cases. After updating the scanners, I unplugged the internet and ran scans in safe mode, in order to avoid the real time protection restoring files on the fly (I saw that too). Before going into safe mode, I also disabled all startup items but the needed ones, since there was one more case where the spyware would load at the beginning and I could not get rid of it.
Finally, make sure none of the accounts in the PC have a password. That is the main problem with the spyware cleaners, which cannot delete (or even detect, sometimes) spyware in different accounts.

Windows Antispyware - Yep, I ran the IE restore and put TZ as the home page and so on...

I went into safe mode, and manually deleted a file that no matter what I used was not being totally deleted.

C:\WINDOWS\SYSTEM\yaemu.exe

That file, regardless of the tool used, kept coming back, even when system restore was completely shut off.

HijackThis recognised it was a bad file, and attempted to delete it on several occasions, but it just kept coming back.

In safe mode, I was able to physically and manually remove the file, along with a DOS shortcut with the same name.

So far NOD32 hasn't shown a single error... and that was 4 hours ago.

Some good info there Dehc. I will take it into consideration the next time I have these whorish spyware troubles. It's such an aggravation... I don't see how normal users who know jack shit about PCs can fix these kinds of troubles.. ????

GimieGimieGimie
August 27th, 2005, 17:45 PM
/Install MAC OS

j/k :p

Whenever I get a file I cannot delete, I simply boot from a Windows 98 bootdisk into DOS and remove it that way.

Unless of course, it's a self replicating file, then you're ****ed :D

efc
August 27th, 2005, 19:47 PM
Try using one of the Linux distributions that you boot from CD. You can delete and move Windows (NTFS) files in Linux. I have done it, so I can assure you that it works.

efc
August 27th, 2005, 19:52 PM
... I don't see how normal users who know jack shit about PCs can fix these kinds of troubles.. ????

That is why I hate all kinds of information sent to your computer without your permission.

Big Booger
August 28th, 2005, 06:07 AM
Try using one of the Linux distributions that you boot from CD. You can delete and move Windows (NTFS) files in Linux. I have done it, so I can assure you that it works.

That is a brilliant idea. The next time one of these demonic spyware/virus type programs infiltrates my systems, I will do just that.

Curio
August 29th, 2005, 08:57 AM
You can also use a bootable WinXP like BartPE which will be more familiar. But if you just formatted and re-installed, why not do it again now and make sure you are patched up before you connect to anything?

Another technique you can use is to delete the file then create a dummy read-only file of the same name. Your problem is that the file is not the problem, something else is creating that file and it's the something else you need to find.

If you post a HijackThis log we can look through it together.
Particularly look for this:
O2 - BHO: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\SYSTEM\NNDQK.DLL

rik
August 29th, 2005, 14:14 PM
Good to have you back Curio

egghead
August 29th, 2005, 14:41 PM
It's a long shot, but you might want to keep this in mind:

This article explains the existence of alternate data streams in Microsoft Windows NTFS and demonstrates how to create them by compromising a machine using the Metasploit Framework, and then use freeware tools to easily discover these hidden files.

http://www.securityfocus.com/infocus/1822

What are the main dangers associated with NTFS streams?
- Streams are only visible to specialised software such as TDS-3 that has the capability of enumerating streams from their parents.
- Public awareness of streams is exceptionally low, especially compared to the awareness of other file-hiding techniques such as hidden file attributes.
- Streams can not only attach themselves to files, they can also attach themselves to directories.
- Streams can't actually be deleted. The parent they're attached to must be deleted in order for the stream to be removed. However, streams attached to the root directory of a drive, such as "C::MyStream", cannot be deleted.
- "Available Disk Space" as shown by programs such as Windows Explorer does not take into account disk space consumed by streams.
- A malicious program could continue writing to a stream, filling up the disk and making cleaning up very difficult.
- Streams, as they are essentially still files, can be executed.
- Executed streams do not have their filenames displayed correctly in Windows NT/2K/XP Task Manager, the utility commonly used to view running processes. For example, if the stream "c:\test.txt:mystream" was running, Task Manager would only show "test.txt".

http://www.diamondcs.com.au/index.php?page=archive&id=ntfs-streams
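As an added example (not from this thread or the articles linked above), here is a PowerShell script that walks a directory tree and lists every non-default NTFS stream, flagging executable content, since Explorer and a normal file search never show these. It assumes Windows PowerShell 5.1 (Get-Item -Stream and Get-Content -Encoding Byte); $Root is a placeholder path.

```powershell
# Added example, not part of the thread: walk a directory tree and list every
# NTFS alternate data stream that is not the default ::$DATA stream.
# Assumes Windows PowerShell 5.1 (Get-Item -Stream, Get-Content -Encoding Byte);
# $Root is a placeholder, point it at the tree you want to inspect.
param(
    [string]$Root = 'C:\Windows\System32'
)

# Directories are included on purpose: streams can hang off folders as well as files.
$items = @(Get-Item -LiteralPath $Root -Force) +
         @(Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue)

$streams = foreach ($item in $items) {
    # -Stream * returns one object per stream on the item (FileName, Stream, Length)
    Get-Item -LiteralPath $item.FullName -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' }
}

$report = foreach ($s in $streams) {
    # First two bytes: an 'MZ' header means the stream holds a PE executable,
    # the case the DiamondCS list warns about (streams can be run like files).
    $head = Get-Content -LiteralPath $s.FileName -Stream $s.Stream `
                -Encoding Byte -TotalCount 2 -ErrorAction SilentlyContinue
    $looksLikePE = ($head.Count -eq 2 -and $head[0] -eq 0x4D -and $head[1] -eq 0x5A)

    [pscustomobject]@{
        File        = $s.FileName
        Stream      = $s.Stream
        Bytes       = $s.Length
        LooksLikePE = $looksLikePE
        # Zone.Identifier is the ordinary "downloaded from the Internet" marker;
        # anything else, and any executable content, is worth a closer look.
        Suspicious  = ($s.Stream -ne 'Zone.Identifier') -or $looksLikePE
    }
}

$report | Sort-Object Suspicious, Bytes -Descending | Format-Table -AutoSize
```

Run it from an elevated prompt so that system directories are readable; a stream whose Bytes value is large on a file whose own size looks normal is exactly the "disk space not accounted for" case the list above describes.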

Curio
August 29th, 2005, 21:18 PM
Since SP2, programs started from NTFS streams do show up in Task Manager with the notation
nicefile.txt:naughty.exe

Quick explanation of NTFS streams
NTFS supports Apple Macintosh type files for compatibility, which are composed of a resource fork and a data fork. These forks contain the file type in one bit and the data in another bit - these are the streams, so you can blame Apple Macintosh for them.