HELP!!! Can't remove this file?

scotty1105

Oct 27, 2013
Today I tried to save a file to my flash drive and found that when I saved the file it also created a shortcut for the file. I attempted to delete the file, I was able to delete it but then a second later the file returned. I thought maybe it was the flash drive but when I was searching my system configuration to check my startup programs (msconfig) I came across a file called new clean. I found it on my C drive
"C" Users\my name\appdata\local\temp\adope flash player.exe. The crazy part is every time I try to delete the file it deletes for a second then comes back. I am unable to get rid of the program which I am convinced is a virus. I have tried to delete it from my registry and it does the same thing: I delete it, then it returns, making it impossible to get rid of it. It is labeled as HKCU/software\microsoft\windows\Currentversion\run, in my registry. I tried to do a forced uninstall, same thing, it deletes then magically returns a second later. I do not have any programs called "new clean"; I never installed it or downloaded it. I CANNOT DELETE IT, it won't let me. I tried to scan it for a virus but it comes up as an ok file.

Is there any way I can remove this file? I want it gone; besides screwing up my flash drive, I have no idea what other damage it is inflicting.
 
In your situation I would do a clean install of my operating system.

But not before I had a go at it.

We can see that this is a problem of two halves.

There is the file that you found. You seemed to call it 'Adope Flash Player.exe', which is quite funny and this seems to be the 'Transmission Vehicle' and it scans for and writes files to any drives connected to the system in the form of a hidden 'autorun' file and an exe file.

The other part checks to see if Adope exists and if it doesn't, it re-creates it. It monitors the registry in the same way.

Obviously if we take this one out, the other is easy, but that won't be easy. We would have to track it down by being patient and diligent and perhaps, even, a little bit devious.

The methods I would employ for this are somewhat difficult to get across but I will make some suggestions for the purposes of tracking down and eliminating this thing, if your virus protection can't, if it is your wish.

I find this kind of thing fun and I wish it were I who was infected.

But there is option 'B', tackle the transmitter since you know its identity and there may be a way to eliminate the threat and render the regeneration component impotent.

Do you want to give it a go?

Okay. Let's go.

Method 1

Create a new 'Text Document' on your desktop and name it 'Adope Flash Player.exe'.

Open the new document and type in upper-case letters,

'IF I SEE YOU AROUND HERE AGAIN, I WILL TRACK DOWN THE REST OF YOUR CREW AND SEND THEM TO VIRUS HELL.

NOW BEGONE!!!'

AND SAVE IT.

Oops, I'm sorry, I meant, save it.

Now rename it to 'Adope Flash Player.exe'.

Right-click on the file and select Properties.

In Properties, check the 'Read only' box. You could hide it too and make it look like it has really gone.

Now copy and paste the new file into the same file as the naughty one.

Check to see if this worked by inserting your newly formatted flash drive.

(Don't forget to back up your data.)

If that didn't work, or it did and you would like to go further, then let me know.

Also, you should go to Control Panel > Folder Options, select the view tab and un-check 'Don't show file extensions' otherwise you will end up saving a file called '... exe.txt' which is no good to man nor beast.
 
Thanks for the help... Instead of it being labeled "new clean" it's now showing up as 39e72daf93d4890da9ec87426ee863c3 and from what I found when I looked it up online was that it is a Trojan virus?

This was the article

Technical Information
Virus Name : Trojan.DownLoader9.2698
Named By : Dr.Web

TO ENSURE AUTORUN AND DISTRIBUTION:
Modifies the following registry keys:
[<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] '39e72daf93d4890da9ec87426ee863c3' = '"%TEMP%\Adope FlashPlayer.exe" ..'
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] '39e72daf93d4890da9ec87426ee863c3' = '"%TEMP%\Adope FlashPlayer.exe" ..'
Creates or modifies the following files:
%HOMEPATH%\Start Menu\Programs\Startup\39e72daf93d4890da9ec87426ee863c3.exe
Creates the following files on removable media:
<Drive name for removable media>:\39e72daf93d4890da9ec87426ee863c3.exe
MALICIOUS FUNCTIONS:
To bypass firewall, removes or modifies the following registry keys:
[<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '%TEMP%\Adope FlashPlayer.exe' = '%TEMP%\Adope FlashPlayer.exe:*:Enabled:Adope FlashPlayer.exe'
Creates and executes the following:
'%TEMP%\Adope FlashPlayer.exe'
Executes the following:
'<SYSTEM32>\netsh.exe' firewall add allowedprogram "%TEMP%\Adope FlashPlayer.exe" "Adope FlashPlayer.exe" ENABLE
MODIFIES FILE SYSTEM :
Creates the following files:
%TEMP%\Adope FlashPlayer.exe
Sets the 'hidden' attribute to the following files:
<Drive name for removable media>:\39e72daf93d4890da9ec87426ee863c3.exe
NETWORK ACTIVITY:
Connects to:
'ma####lwa.no-ip.biz':1177
UDP:
DNS ASK ma####lwa.no-ip.biz
MISCELLANEOUS:
Searches for the following windows:
ClassName: 'Indicator' WindowName: ''
Please note : some of the characters are replaced with symbols in order to prevent improper access to malwares.


Steps to remove "Trojan.DownLoader9.2698" automatically

Download Dr.Web CureIt! and save it in desktop.
Download Security Space Pro 7.0 (32/64-bit), save it in desktop.
Reboot computer to Safe Mode (press F8 before any Microsoft logo appears).
Double click "cureit.exe" on desktop, follow on screen instructions to scan hard disk.
(Wait patiently, it may take 20-60 minutes to perform an express scan.)
After scanning is done, select all viruses found and choose "Cure".
(If some files are not suitable to be cured, choose "Quarantine" or "Delete".)
When all viruses found are cured, quarantined, or deleted, reboot to Normal Mode.
Uninstall existing anti-virus software which cannot kill the viruses, and then reboot again.
Locate the setup file of Security Space Pro on desktop, double click to run it.
(For step-by-step procedures, please refer to installation video guide.)
During setup, choose to obtain a demo key.
After first time update, the scanner will be launched again, quit the scanner at this point.
Complete the setup by rebooting computer.
When time is allowed (may need several hours), perform a full scan in Dr.Web Scanner.
Note :
If it is unable to start Windows due to virus infection, try Dr.Web LiveCD or Dr.Web LiveUSB instead of Dr.Web CureIt!
Time needed for express scan or full scan relies on many factors, such as system performance, available memory, running processes, number of drives and files, etc.

Now I have never had a virus so I don't know if this above article is what this thing I got may be. I will try what you have suggested in hopes that it will work. I would REALLY hate to do a new install of my OS but if that is what it takes I am game. I will let you know how it goes, keep your fingers crossed.
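
Added example (not part of the original posts or of the quoted Dr.Web write-up): a small Python triage script that reads saved `reg query` output and flags the persistence traits the write-up lists, namely a Run value pointing into a temp directory, a 32-hex-character value name, and a firewall AuthorizedApplications entry for a temp-directory program. The sample text, the `C:\Users\user` path and the function names are constructed for illustration.

```python
import re

# reg.exe prints each value as: 4 spaces, name, 4 spaces, type, 4 spaces, data
VALUE_RE = re.compile(r"^ {4}(?P<name>.+?) {4}(?P<type>REG_[A-Z_]+) {4}(?P<data>.*)$")
HEX32_RE = re.compile(r"^[0-9a-f]{32}$", re.IGNORECASE)
TEMP_RE = re.compile(r"%temp%|\\appdata\\local\\temp\\|\\windows\\temp\\", re.IGNORECASE)

# Constructed sample of `reg query` output, modelled on the keys in the write-up.
SAMPLE = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    39e72daf93d4890da9ec87426ee863c3    REG_SZ    "C:\Users\user\AppData\Local\Temp\Adope FlashPlayer.exe" ..
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
    C:\Users\user\AppData\Local\Temp\Adope FlashPlayer.exe    REG_SZ    C:\Users\user\AppData\Local\Temp\Adope FlashPlayer.exe:*:Enabled:Adope FlashPlayer.exe
"""

def parse_reg_query(text):
    """Yield (key, value_name, data) for every value in `reg query` output."""
    key = None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
            continue
        m = VALUE_RE.match(line)
        if m and key:
            yield key, m["name"], m["data"]

def triage(text):
    """Return [(key, value_name, [reasons])] for entries worth a closer look."""
    findings = []
    for key, name, data in parse_reg_query(text):
        reasons = []
        k = key.lower()
        if k.endswith(r"\currentversion\run"):
            if TEMP_RE.search(data):
                reasons.append("autorun target in temp directory")
            if HEX32_RE.match(name):
                reasons.append("value name is 32 hex characters")
        elif k.endswith(r"\authorizedapplications\list"):
            if TEMP_RE.search(name):
                reasons.append("firewall exception for temp-directory program")
        if reasons:
            findings.append((key, name, reasons))
    return findings

if __name__ == "__main__":
    for key, name, reasons in triage(SAMPLE):
        print(f"{key}\n  {name}\n  -> {'; '.join(reasons)}")
```

These are heuristics: legitimate installers occasionally run from temp directories, so a flagged entry is a prompt to inspect the file, not a verdict.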