
Undeletable file



#1 banlu

Posted 16 March 2012 - 04:04 AM

Hello there!

Today I noticed my system running slow at times, so I checked the running processes and found this process I've never seen, "d8h9yzvvpp.exe". I tried Google but it came up with no results, so I checked with HijackThis and found it in this location: "C:\Users\(my username)\". I then tried to delete the file, but a pop-up said "You need permission to perform this action". I have tried changing the permissions following the methods found on Google, but it still wouldn't change, saying "Unable to change new owner, Access denied". I tried to use HijackThis to delete the file on reboot, but the same pop-up appeared saying that I don't have permission.

So I went through the registry and searched for the name "d8h9yzvvpp". It was found and I tried to delete it, but again there was a pop-up saying "Can not delete: Error while deleting key". It was found in several places like "HKLM\System\ControlSet001\Enum\Root\Legacy_xxxx\", "HKLM\System\CurrentControlSet\Enum\Root\Legacy_xxxx\", etc. I've tried to use "Spybot Search and Destroy" but there's no result so far and the file is still here.

I would like to ask any guru here if anyone knows a way to get rid of this thing, please. I'm not sure how I got it, as I'm just doing stuff normally in these past few days.

Thank you!

PS. I've tried using Kaspersky Virus Removal Tool; it detects the file but fails to delete it (Safe Mode).

Edited by hamluis, 18 March 2012 - 10:33 AM.
Moved from Win 7 to Am I Infected.




#2 Guest_Xircal_*


Posted 16 March 2012 - 04:57 AM

Download Process Explorer from here: http://technet.microsoft.com/en-us/sysinternals/bb896653

When you run it, find the process in the list and then right click it and go to "Properties". From there, you can isolate where it originates from and its current location etc. So for example, in the screenshot, I right clicked WMI to get more info.

It may be a legitimate system file which has been renamed for some reason or other. I'd advise you not to try and delete it until you've established where it's come from and where it belongs.

You can always kill the process by clicking the Processes tab, then right click it and choose "End Process".


#3 banlu


Posted 16 March 2012 - 05:48 AM

Thank you very much for the reply.

I followed your advice and the file appears to be from where it is at, c:\users\[my username]\. I attached the screenshot.

In the screenshot I tried to kill the process but still get access denied, same as killing the process from Task Manager or HijackThis; none is able to kill it.

Posted Image

And here's the screenshot when trying to delete:

Posted Image

What is this thing??

#4 Guest_Xircal_*


Posted 16 March 2012 - 06:20 AM

It does seem a bit odd. In Process Explorer, click "View" and then click "Show Lower Pane" which will split the GUI in half like you see in my screenshot. If you then click the mysterious file, you should get some info on it in the lower pane.

I note though that it's located in the 'lenovo' folder, so I guess you have a Lenovo laptop. Is it still under warranty? If so, you could call Lenovo's tech support and ask them if they know anything about it.

There's another utility you can download from the same site as Process Explorer. It's called "Autoruns" and shows everything which launches on startup. Download from here: http://technet.microsoft.com/en-us/sysinternals/bb963902 Find it in the list and then right click and choose "Jump to entry" which will take you to the registry hive it's loading under.

#5 banlu


Posted 16 March 2012 - 06:44 AM

Thank you,

I did split the pane and it is totally empty for that file, not a single letter.

Funny thing is, I've tried changing the file's attributes, force delete, force owner change, all through the command prompt with several commands like

- icacls ... /GRANT ADMINISTRATORS:F
- takeown /f ...
- DEL /F /S /Q /A ...

and all I get is Access denied or Error changing owner.

Using 3rd party programs like File Assassin or Unlocker, it won't even select the file, because as soon as you browse to the file to delete and click on this myth file it says "you don't have permission to open ..".

I'm sure it's a virus because Kaspersky detected it, saying it's W32... something, and even that fails to delete it. I don't know what to do now.
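A read-only triage pass over the artifacts this thread mentions (the Legacy_ registry entries, the running process, and the file's owner and ACL), as an added PowerShell example that is not part of any poster's reply. It assumes PowerShell 3.0 or later and an elevated prompt; `$File` is an assumed path and the variable names are illustrative.

```powershell
# Added example: collects evidence only, changes nothing on the system.
$Name = 'd8h9yzvvpp'                                  # file name from the thread
$File = Join-Path $env:USERPROFILE "$Name.exe"        # assumed location, adjust as needed

# 1. Service/driver registrations. A Legacy_* key under Enum\Root is created for a
#    non-PnP driver and normally has a matching key under Services.
$svcRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
Get-ChildItem $svcRoot -ErrorAction SilentlyContinue | ForEach-Object {
    $p = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
    if ($_.PSChildName -like "*$Name*" -or $p.ImagePath -like "*$Name*") {
        [pscustomobject]@{
            Service   = $_.PSChildName
            ImagePath = $p.ImagePath
            Start     = $p.Start   # 0 boot, 1 system, 2 auto, 3 manual, 4 disabled
            Type      = $p.Type    # 1 kernel driver, 2 file system driver, 16/32 Win32 service
        }
    }
} | Format-Table -AutoSize

# 2. The Legacy_* entries themselves (listing only).
Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Enum\Root' -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -like "LEGACY_*$Name*" } |
    Select-Object -ExpandProperty Name

# 3. The running process and its parent.
Get-CimInstance Win32_Process -Filter "Name LIKE '%$Name%'" |
    Select-Object ProcessId, ParentProcessId, ExecutablePath, CommandLine

# 4. Owner and ACL of the file. An "access denied" here is itself a finding:
#    it means even reading the security descriptor is blocked.
try {
    $acl = Get-Acl -LiteralPath $File -ErrorAction Stop
    "Owner: $($acl.Owner)"
    $acl.Access | Select-Object IdentityReference, AccessControlType, FileSystemRights
} catch {
    "Cannot read ACL for ${File}: $($_.Exception.Message)"
}
```

A `Type` of 1 or 2 in step 1 indicates a kernel-mode driver registration, which is useful context to include when posting logs for a helper to review.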

#6 Guest_Xircal_*


Posted 16 March 2012 - 12:48 PM

Was the original Windows 7 installation an upgrade, or a fresh install? It sounds like a file left over from an upgrade if you say it appears as a legacy device in the registry.

Try uploading it to this multi-scanner site: Jotti.org. You might have to restart in "Safe Mode with Networking".

#7 banlu


Posted 16 March 2012 - 09:21 PM

I don't think it's from a Windows upgrade or something from Microsoft. I've disabled those services on this laptop and I have never seen this file before until yesterday. I tried to upload it to check on the site you gave the link to, but same thing: it says "I don't have permission to open this file".

Posted Image

#8 James Litten


Posted 16 March 2012 - 09:34 PM

Hi Banlu

You should post about this in the 'Am I Infected Forum'. Here's some information about posting there...
http://www.bleepingcomputer.com/forums/topic182397.html

Hope This Helps
James

#9 banlu


Posted 16 March 2012 - 11:15 PM

Thank you Xircal and James for helping. I will try posting in that forum soon.

#10 Guest_Xircal_*


Posted 17 March 2012 - 02:54 AM

What you could also do is post the problem on the Lenovo forums since the file is located in the Lenovo folder: http://forums.lenovo.com/lnv/?profile.language=en

#11 hamluis


Posted 18 March 2012 - 10:32 AM

http://www.prevx.com/filenames/2585165020133051202-X1/INFO%5B1%5D.EXE.html

Topic moved to Am I Infected forum.

Louis

#12 Guest_Xircal_*


Posted 18 March 2012 - 10:48 AM

> http://www.prevx.com/filenames/2585165020133051202-X1/INFO%5B1%5D.EXE.html
>
> Topic moved to Am I Infected forum.
>
> Louis


Well, theoretically, banlu should be able to avail himself of the "Free Cleanup" offer on that site to delete it. It would be interesting to know whether it's still present on his system after running a scan.



