
Thread: Rogue executable in C:\windows\temp


  1. #1
    Join Date: Oct 2007 | Posts: 17
    After rebooting from Safe Mode, a newly named file and process have reappeared. This time it is called SG7CB6.exe. I submitted this file to the 2 sites suggested by PhilliePhan and the file was not recognized as a 'baddy'. When jotti was done, there was text that indicated this file was submitted before. I'm really baffled by this. It appears I may have no choice but to wipe this machine and reinstall. Any other suggestions before I do this?

  2. #2
    Join Date: Aug 2006 | Location: The Middle | Age: 80 | Posts: 4,079
    No, no, don't wipe clean. Try the following two tools first! If these find either of the two items noted by PP, they will remove them; if they aren't there, neither tool will harm the computer, BUT then we can try something else.

    VundoFix by Atribune

    • Double-click VundoFix.exe to run it.
    • When VundoFix opens, click the Scan for Vundo button.
    • Once it's done scanning, click the Remove Vundo button.
    • You will receive a prompt asking if you want to remove the files, click YES
    • Once you click yes, your desktop will go blank as it starts removing Vundo.
    • When completed, it will prompt that it will reboot your computer, click OK.
    • Please post the contents of C:\vundofix.txt and a new HiJackThis log in the thread you are working in.
    Note: It is possible that VundoFix encountered a file it could not remove.
    In this case, VundoFix will run on reboot; simply follow the instructions above, starting from "Click the Scan for Vundo button" when VundoFix appears at reboot.

    To remove the latest forms of Qoologic infections, follow the steps below:

    • Download Qoofix to your Desktop or any other convenient location
    • Unzip the files from Qoofix.zip to a convenient location such as C:\Qoofix.
    • Navigate to the folder you unzipped the files to and double click on the file named Qoofix.exe.
    • Finally, select Begin Removal and the removal process will commence. A reboot may be necessary if an infection is found.
    Credit: Marcin Kleczynski redesigned LonnyRJones' Qoofix.bat program. Credit is all given to Merijn, Sean, Anil, Calvin, and Aaron.

    Then run new HJT scan and post new log back here.

  3. #3
    Join Date: Oct 2007 | Posts: 17
    Ran Vundo and Qoofix. Nothing found. Attached are the vundofix, hjtscan run after Vundo and hjtscan run after Qoofix text files. I'll be waiting to hear from you.
    Thank you for all of your efforts.
    Attached Files

  4. #4
    Join Date: Aug 2006 | Location: The Middle | Age: 80 | Posts: 4,079
    Dang! Still there. One thing: your Java is WAY out of date.
    Go here and download the latest version, which is version 6 update 3. Choose the offline install, which is the second one down. Save it to the desktop for easy location.
    Go offline.
    Go to Add/Remove and uninstall all instances of Java you find there.
    Once you have uninstalled all older versions, then install the new one you just downloaded. After that is installed, go back online and go here to verify the installation was complete.

    After you have done that, then do the following:
    1. Download this file - combofix.exe
    2. Double click combofix.exe & follow the prompts.
    3. When finished, it will produce a log for you. Post it back here.
    Note:
    • Do not mouseclick combofix's window while it is running. That may cause it to stall.

  5. #5
    Join Date: Oct 2007 | Posts: 17
    Here is the log file after running ComboFix.
    I checked the Java version via their website. I was already up to date with Version 6 / update 3.
    Attached Files

  6. #6
    Join Date: Aug 2006 | Location: The Middle | Age: 80 | Posts: 4,079
    Did you remove all those old versions found by the Vundo Fix program?
    Java version 1.5.0.3
    Java version 1.5.0.5
    Java version 1.5.0.6
    Java version 1.5.0.9
    Java version 1.5.0.10
    Java version 1.5.0.11
    They all are still on the machine unless you just removed them; if you didn't, then you should. I am still going through the combofix log.

  7. #7
    Join Date: Oct 2007 | Posts: 17
    I have just uninstalled those versions of Java as suggested. I neglected to do so earlier.

    I have also gone through the startup list in msconfig and stopped 2 3rd party apps, one at a time and rebooted after each, that this user installed and is running. After both reboots, this process/file continues to show up.

    I'm heading out for the day, soccer practice, but will do these latest steps first thing in the a.m.

    As always, thank you Judy and PP for your continued and unrelenting help with this.

    Scott

  8. #8
    Join Date: Aug 2006 | Posts: 578


    Originally Posted by hipp2112:
        As always, thank you Judy and PP for your continued and unrelenting help with this.
    We are happy to try to help

    Obviously there is some "parent" program that is creating these .exes in the TEMP folder. The thing is, if this were a malware program behind the temp .exes, it ought to show in the ComboFix log - very likely as a recent addition. The fact that nothing obvious stands out leads me to believe it to be bundled with a legitimate app.

    -- You might consider installing Process Explorer (I use it instead of Task Manager) and using it to investigate the random running process a bit further.
    http://www.microsoft.com/technet/sys...sexplorer.mspx
    *** Judy will be gone over the weekend - I am here off and on these days as time permits, but will try to follow up as best I can. I really do not think this is any sort of major problem calling for drastic action - just a real PITA to track the source of the adware!

    Best
    PP
    Last edited by PhilliePhan; 10-25-2007 at 11:32 PM. Reason: Judy gone for weekend
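One way to carry out the investigation PP describes, as an added example that is not part of the thread: take a process snapshot such as a Process Explorer export, flag every process whose image lives under C:\Windows\Temp, and walk its parent chain to the first ancestor that runs from a normal install location. The PIDs, the ExampleUpdater and ExampleDict paths, and the whole snapshot are constructed for illustration, not taken from the logs posted here.

```python
import ntpath
from dataclasses import dataclass
from typing import Dict, List

@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str  # full path of the executable image, as Process Explorer shows it

# Scratch locations where a running executable is suspicious by itself.
SUSPECT_DIRS = (r"C:\Windows\Temp",)

def runs_from_suspect_dir(image: str, dirs=SUSPECT_DIRS) -> bool:
    # Case-insensitive prefix match; the trailing separator stops Temp2 matching Temp.
    norm = ntpath.normcase(image)
    return any(norm.startswith(ntpath.normcase(d).rstrip("\\") + "\\") for d in dirs)

def parent_chain(snapshot: Dict[int, Proc], pid: int) -> List[Proc]:
    # Walk pid -> ppid until the root, an unknown parent, or a loop caused by PID reuse.
    chain, seen = [], set()
    while pid in snapshot and pid not in seen:
        seen.add(pid)
        chain.append(snapshot[pid])
        pid = snapshot[pid].ppid
    return chain

def triage(procs: List[Proc], dirs=SUSPECT_DIRS) -> Dict[str, List[str]]:
    # Map each image in a suspect dir to its ancestors' paths, nearest parent first.
    snapshot = {p.pid: p for p in procs}
    return {p.image: [a.image for a in parent_chain(snapshot, p.ppid)]
            for p in procs if runs_from_suspect_dir(p.image, dirs)}

def likely_dropper(ancestors: List[str], dirs=SUSPECT_DIRS) -> str:
    # First ancestor outside a suspect dir: the 'parent program' to check in Add/Remove.
    return next((a for a in ancestors if not runs_from_suspect_dir(a, dirs)), "")

# Constructed snapshot: PIDs and the program paths are invented for this example.
SAMPLE = [
    Proc(4, 0, "System"),
    Proc(600, 4, r"C:\WINDOWS\system32\smss.exe"),
    Proc(1120, 600, r"C:\WINDOWS\explorer.exe"),
    Proc(1800, 1120, r"C:\Program Files\ExampleUpdater\updater.exe"),  # hypothetical bundled app
    Proc(2244, 1800, r"C:\WINDOWS\Temp\SG7CB6.exe"),  # random-named temp exe like the thread's
    Proc(2300, 1120, r"C:\Program Files\ExampleDict\dict.exe"),  # unrelated, hypothetical
]

if __name__ == "__main__":
    print({k: likely_dropper(v) for k, v in triage(SAMPLE).items()})
```

On a live machine the snapshot would come from an export of the process list; the candidate it returns is the program to examine next, not proof that it is the source.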

  9. #9
    Join Date: Oct 2007 | Posts: 17
    I agree that it appears to be bundled with a legit app. Thing is we aren't sure when this started but when it was found, the user indicated nothing was installed around the time we noticed it. This user is very computer savvy and is not one to install anything haphazardly. Instead of listing the contents of the StartupList and Uninstall Manager, I am attaching them to this post. I am also attaching another HJT scan.

    I suppose I can disable all startup programs via msconfig to see if this makes a difference and enable them one at a time if it appears one of these is the cause. Like I said earlier, I've already done this with 2 programs, WordWeb and Timex Datalink USB, but it didn't make a difference.

    I will run ProcessManager that PP suggested and will be waiting for further instruction or ideas.

    Scott
    Attached Files

  10. #10
    Join Date: Oct 2007 | Posts: 17
    Quick question that is slightly off subject. Have you heard of a product called Powersuite 2007 by Spotmau? There was a link to this on nliteos.com and I was curious.
    Thanks.
