Hi Guys,
I am having a small problem, when I start up my laptop, I get a 'Cannot locate Work.exe' message. I guess it is trying to start some virus that has now been deleted, but I still get this message every time I reboot.

I have obviously tried searching for the file & checked the StartUp list under MSCONFIG - but now I have given up!

I asked for help from one of the IT guys in the Office, but I think this one is beyond him as the old 'switch it off & switch it back on again' can never work for this problem!!

You may now be beginning to understand that I have an extremely basic understanding of my laptop - so if you can help please be gentle with me!!

I downloaded HijackThis, although I have no idea what to do with it. So, if you need this log - please explain exactly what I need to do (Idiot's Guide!!!).

Thanks in advance for any help you can give.

Cheers,

Gregg

Hi there and sorry for the delay, lets have a look at your system


To ensure that I get all the information this log will need to be attached (instructions at the end) if it is to large to attach then upload to Mediafire and post the sharing link.

Download OTScanit to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.

• Close ALL OTHER PROGRAMS.
• Open the OTScanit folder and double-click on OTScanit.exe to start the program.
• Check the box that says Scan All User Accounts
• Check the Radio button for Rootkit check YES
• Check the Radio buttons for Files/Folders Created Within 90 Days and Files/Folders Modified Within 90 Days
• Under Additional Scans check the following:
  • Reg - BotCheck
    
  • File - Additional Folder Scans
    
  • File - Purity Scan
• Now click the Run Scan button on the toolbar.
• Let it run unhindered until it finishes.
• When the scan is complete Notepad will open with the report file loaded in it.
• Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Please attach the log in your next post.

To attach a file, do the following:

• Click Add Reply
• Under the reply panel is the Attachments Panel
• Browse for the attachment file you want to upload, then click the green Upload button
• Once it has uploaded, click the Manage Current Attachments drop down box
• Click on to insert the attachment into your post

Hi thanks for all your help!

How did I do?

http://www.mediafire.com/file/djyqmtntjma/OTScanIt.Txt


Let me know if I managed to get this wrong!!

Cheers,

Gregg

Hi there this should fix the problem. However, I notice that you have 3 antivirus programmes - AVG, Norton and Avast You will need to remove two of them

Your Host file needs resetting as well


Download the HostsXpert 4.2 - Hosts File Manager.

• Unzip HostsXpert 4.2 - Hosts File Manager to a convenient folder such as C:\HostsXpert 4.2 - Hosts File Manager
• Run HostsXpert 4.2 - Hosts File Manager from its new home
• Click on "File Handling".
• Click on "Restore MS Hosts File".
• Click OK on the Confirmation box.
• Click on "Make Read Only?"
• Click the X to exit the program.
• Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.

THEN

Start OTScanit. Copy/Paste the information in the quotebox below into the pane where it says "Paste fix here" and then click the Run Fix button.



The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new Hijackthis log.

I will review the information when it comes back in.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.

Hi,
This all appears to be going well, it required a reboot - and the good news is the problem seems to have gone!!!

2 icons appeared on the desktop after the reboot: ~WRL0002.tmp & ZbThumbnail.info

Can I safely delete these? They are not normal icons, can't remember are they some sort of Temp files?

Here is the log:

[Registry - Non-Microsoft Only]
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell:work.exe deleted successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\\Search Bar deleted successfully.
Registry key HKEY_USERS\1-5-21-376703062-3324774183-3156808329-1005\SOFTWARE\Microsoft\Internet Explorer\Main not found.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\morwillsearch.com\\* deleted successfully.
Registry key HKEY_USERS\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\morwillsearch.com not found.
[Empty Temp Folders]
File delete failed. C:\Documents and Settings\Gregg\Local Settings\Temp\WCESLog.log scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Gregg\Local Settings\Temp\~DF4103.tmp scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Gregg\Local Settings\Temp\~DF468B.tmp scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
Windows Temp folder emptied.
Java cache emptied.
FireFox cache emptied.
RecycleBin -> emptied.
< End of fix log >
OTScanIt by OldTimer - Version 1.0.19.0 fix logfile created on 11102008_034832

Files moved on Reboot...
C:\Documents and Settings\Gregg\Local Settings\Temp\WCESLog.log moved successfully.
File C:\Documents and Settings\Gregg\Local Settings\Temp\~DF4103.tmp not found!
File C:\Documents and Settings\Gregg\Local Settings\Temp\~DF468B.tmp not found!
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat moved successfully.


Regarding the AntiVirus - what do you recommend? I am pretty sure Norton came with the laptop (it was given to me by a Company) and I think it has now expired. I added the other 2 (all free versions) - I think that AVG is the only one running. Do you recommend keeping this one? Plus, what should I do with the other ones - totally remove them? If so how do I do it.

Many thanks again!

Gregg

That looked nice The new icons are hidden files that my tool reveals, we will hide them in a bit

OK uninstall tools

Norton Removal Tool
First ensure Norton is uninstalled from the control Panel and then run the tool to clear the residue

Avast Uninstal Utility
Same drill as Norton

NEXT

Now the best part of the day ----- Your log now appears clean

A good workman always cleans up after himself so...Download and run this small programme and hit the cleanup button. It will remove all the programmes we have used plus itself. MBAM can be uninstalled via control panel add/remove along with ERUNT. But they may be useful tools to keep

We will now confirm that your hidden files are set to that, as some of the tools I use will change that

• Click Start.
• Open My Computer.
• Select the Tools menu and click Folder Options.
• Select the View Tab.
• Under the Hidden files and folders heading select Do not show hidden files and folders.
• Click Yes to confirm.
• Click OK.

Please download JavaRa to your desktop and unzip it to its own folder

• Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
• Accept any prompts.
• Open JavaRa.exe again and select Search For Updates.
• Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.

XP
Now to get you off to a good start we will clean your restore points so that all the bad stuff is gone for good. Then if you need to restore at some stage you will be clean. There are several ways to reset your restore points, but this is my method:

• Select Start > All Programs > Accessories > System tools > System Restore.
• On the dialogue box that appears select Create a Restore Point
• Click NEXT
• Enter a name e.g. Clean
• Click CREATE

You now have a clean restore point, to get rid of the bad ones:

• Select Start > All Programs > Accessories > System tools > Disk Cleanup.
• In the Drop down box that appears select your main drive e.g. C
• Click OK
• The System will do some calculation and the display a dialogue box with TABS
• Select the More Options Tab.
• At the bottom will be a system restore box with a CLEANUP button click this
• Accept the Warning and select OK again, the program will close and you are done

To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ?
Keep safe

That's brilliant! Thanks very much for all your help!

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.