
Thread: What has infected my .exe files..???


  1. #1
    Join Date
    Jan 2008
    Posts
    9

    Finding it is the question?

    Below are my responses to the actions you requested for me to apply.

    Quote Originally Posted by PhilliePhan:
    Hi Vince,

    We're making a bit of progress


    It will be at this location as shown in the log:

    C:\WINDOWS\vchost.exe

    At this point, I do not know what it is, good or bad. You ought to be able to navigate to it with the Browse box at the top of the Jotti page. You should also be able to locate it in the Windows Folder manually.
    You might need to Enable the Viewing of Hidden Files to see it.

    I would definitely like to get that scanned....

    I have done the actions to show all hidden files, and I could not find this file other than the one I have mentioned previously, which only shows vchost with no extension.

    Most of those are backups and you can delete them safely:
    -- C:\QooBox\Quarantine

    -- Run HijackThis and, on the Quickstart gui, select View the list of backups and then delete those malware backups that show in the AVG log. These are just Registry keys belonging to what we would hope are deleted malware files

    -- You do need to DELETE this one manually:
    C:\WINDOWS\system32\winpdc32.dll
    You may need to do this in Safe Mode and with Viewing of Hidden Files Enabled.
    Let me know how that shakes out.

    I have looked in C:\WINDOWS\system32\ for the winpdc.dll and it wasn't to be found to delete.


    ALSO:
    Please scan with HijackThis and Check the Boxes for the following, if they remain:

    O2 - BHO: (no name) - {A1D6ACF0-0874-47EC-BA66-E3A93C27979D} - (no file)
    O2 - BHO: (no name) - {D7FD6C15-4927-4AAE-BF12-FBDABD287EB1} - (no file)

    O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
    O20 - Winlogon Notify: nnnmmkj - C:\WINDOWS\

    Be sure All Browser Windows are Closed and then Click Fix Checked.
    **You'll probably need to turn off SpybotSD's Tea Timer to allow the above changes.

    Ran it, and removed the above entries.

    Also, I would suggest removing AdwareAlert, as there are better options to be found - including those that you already have onboard (Spyware Doctor, Windows Defender, Spybot)

    Are you able to provide a better option other than AdwareAlert?

    Then, please do the AVG AntiSpy and Kaspersky Online scan steps in the Read Me First Sticky that Judy linked earlier and post those logs for me.

    Please find attached scan logs.

    Should there be a file in C:\WINDOWS\system32\drivers\etc that has these files within it:

    hosts (no extension)
    hosts.20080121-224941
    lmhosts.sam
    networks (no extension)
    protocol (no extension)
    services (no extension)
    tmvsthfss.bin
    tmvsthfud.bin

    I would also like to mention that AVG Antivirus is showing no infections to date.



    Cheers
    PP

  2. #2
    Join Date
    Aug 2006
    Posts
    578


    Hi Vince,

    Quote Originally Posted by ALL THUMBS:
    I have done the actions to show all hidden files, and I could not find this file other than the one I have mentioned previously, which only shows vchost with no extension.
    I have looked in C:\WINDOWS\system32\ for the winpdc.dll and it wasn't to be found to delete.
    That vchost.exe bugs me - It shows in the log, but I wonder if there is more going on such as a rootkit... Also, given the Hosts file situation, I wonder....
    I have written a batch tool that might help find and kill it. We may give that a go. I'd like to see a fresh combofix log first, though. In fact, let me try a CFScript for that and the winpdc32.dll. Instructions at bottom of post

    Quote Originally Posted by ALL THUMBS:
    Are you able to provide a better option other than AdwareAlert?
    The other anti-spy apps you already have onboard are better. I like Spyware Doctor and AVG anti-spy.
    Adware Alert has a poor reputation - false positives and such. It used to be on Spyware Warrior's Rogue List.

    Quote Originally Posted by ALL THUMBS:
    Should there be a file in C:\WINDOWS\system32\drivers\etc that has these files within it:

    hosts (no extension)
    hosts.20080121-224941
    lmhosts.sam
    networks (no extension)
    protocol (no extension)
    services (no extension)
    tmvsthfss.bin
    tmvsthfud.bin
    tmvsthfss.bin & tmvsthfud.bin are malware-related and can be deleted. Not sure if they are part of Vundo, or something else... You can also delete hosts.20080121-224941.

    -- Can you open your Hosts File (hosts (no extension)) with notepad and upload that as an attachment for me to check out?

    Quote Originally Posted by ALL THUMBS:
    I would also like to mention that AVG Antivirus is showing no infections to date.
    Happy to hear that! The Kaspersky log looks OK too.


    ** Here is the ComboFix step :


    -- Please delete your copy of ComboFix and download a fresh one to your Desktop
    -- Download the attached file CFScript.txt to your Desktop as well
    -- Close ALL browser windows and then drag CFScript.txt into ComboFix.exe



    -- Let Combofix run as before and post me that log along with the contents of your Hosts File.

    I'll try to check back Sunday, but may not be back until Monday evening.


    Best
    PP
    Last edited by PhilliePhan; 02-27-2008 at 08:42 PM.
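    The hosts-file check PP asks for here (and the MVPS block-list pattern that comes up later in the thread), as an added example that is not code from the thread: a small Python triage script that separates sinkholed block entries from entries that send a name to a routable address, which is the pattern worth a closer look. The sample file is constructed with example domains and is not the poster's file.

```python
"""Triage a Windows hosts file: separate MVPS-style block entries from
entries that redirect a name to a routable address (a common hijack)."""
import ipaddress

# Constructed sample: MVPS-style block lines plus one hijacked entry.
# It is not the hosts file posted in the thread.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0  ads.example.net            # MVPS-style block line
0.0.0.0  tracker.example.org
127.0.0.1  banner.example.com       # older block style
203.0.113.5  update.example-av.com  # name sent to a routable host
"""

def parse_hosts(text):
    """Yield (line_no, kind, address, names) for every active line.
    kind is 'localhost', 'block', 'redirect' or 'malformed'."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        address, *names = line.split()
        try:
            ip = ipaddress.ip_address(address)
        except ValueError:
            yield line_no, "malformed", address, names
            continue
        if ip.is_loopback and "localhost" in names:
            kind = "localhost"
        elif ip.is_loopback or ip.is_unspecified:
            kind = "block"        # sinkholed name: the MVPS pattern
        else:
            kind = "redirect"     # routable address: this needs a look
        yield line_no, kind, address, names

def summarize(text):
    """Return counts per kind and the redirect entries to inspect."""
    counts, redirects = {}, []
    for line_no, kind, address, names in parse_hosts(text):
        counts[kind] = counts.get(kind, 0) + 1
        if kind == "redirect":
            redirects.append((line_no, address, names))
    return counts, redirects

if __name__ == "__main__":
    print(summarize(SAMPLE_HOSTS))
```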

  3. #3
    Join Date
    Jan 2008
    Posts
    9
    Hi there Phil,

    Sorry I have taken a while to respond, but I have been caught up with work.

    [tmvsthfss.bin & tmvsthfud.bin are malware-related and can be deleted. Not sure if they are part of Vundo, or something else... You can also delete hosts.20080121-224941.]

    Have been deleted!!

    I have done what you requested and attached the log files from Combofix and the host file as a text file.

    The pc has been running smooth, (touch wood).

    Thanks again.....

    Vince
    Attached Files

  4. #4
    Join Date
    Aug 2006
    Posts
    578


    Quote Originally Posted by ALL THUMBS:
    Sorry I have taken a while to respond, but I have been caught up with work.
    Hi Vince,
    I know the feeling - real life always seems to intrude!

    Everything looks OK to me except for this one:
    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{06FAFF59-A4D6-198C-0003-050508020107}]
    C:\WINDOWS\vchost.exe

    Very likely a baddie.

    I am not sure if it is hidden/stealthed by a rootkit or similar technology and that is why we can't see it....
    I am pretty certain that you have rootkit technology on your machine. To the best of my memory, Daemon Tools employs this to circumvent copy protection on dvds, etc...

    I cannot help but wonder if this same technology can be exploited by malware in the same way the Sony DRM rootkit could be exploited to hide trojans, etc...

    Or, this could be part of one of your video programs. . . . I just can't tell.


    If you want to pursue this further, you could try the following:

    -- Scan with Sophos Anti-Rootkit v1.3.1:
    http://www.sophos.com/products/free-...i-rootkit.html

    -There is an instruction manual on that page for your reference:
    http://www.sophos.com/sophos/docs/en.../rk_13_men.pdf

    Run the scan, but I think it might be best to hold off on having it clean anything at this point.

    Rather, allow the scan to finish completely and then click Start --> Run and then type or copy & paste %TEMP%\sarscan.log in the box and hit Enter.
    A log ought to open. Please save it to where you can find it easily and then submit it for me.
    -- Do not use your computer while the scan is running.


    ALSO:

    Please run http://www.eset.com/onlinescan/

    -- You will need to temporarily disable your current Anti-virus program.
    -- Make sure that the option Remove found threats is Unchecked, and the option Scan unwanted applications is checked.

    -- Remember to Re-enable your Resident Anti-virus program after the scan has finished.
    -- A logfile ought to be found at C:\Program Files\EsetOnlineScanner\log.txt.
    Please post that for me.


    Best Luck
    PP

  5. #5
    Join Date
    Jan 2008
    Posts
    9
    Hi PP,

    I have done all those actions you requested and found that it didn't find malware.

    As for the root kit programs, I have the AVG Anti Rootkit scanner which has found no root kits.

    I have attached some log files for you to look at.

    Vince
    Attached Files

  6. #6
    Join Date
    Aug 2006
    Posts
    578
    Quote Originally Posted by ALL THUMBS:
    As for the root kit programs, I have the AVG Anti Rootkit scanner which has found no root kits.
    That's odd - I believe Daemon tools still employs that technology (though I haven't checked in a while) and I would expect that to show in a rootkit scan.
    Rootkit Revealer would probably show it.
    http://technet.microsoft.com/en-us/s.../bb897445.aspx

    I can't imagine there are "whitelists" for these.... LOL!

    I suppose we could try to delete that vchost.exe with a tool such as swandog46's Avenger, but I'd be more comfortable locating it and IDing it first to get an idea of what it is. Are you able to use regedit to export this key?

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components]

    Or, you could do this:
    Download the attached peek.bat to the desktop.
    DoubleClick it and submit the log that pops up for me.
    I don't know if it will tell any more than ComboFix, but worth a shot.


    -- The rest of the logs look OK. The MVPs Hosts file ought to help keep the baddies at bay.

    Cheers
    PP
    Attached Files

  7. #7
    Join Date
    Jan 2008
    Posts
    9


    Hello PP

    Please see the attached Peek.bat log file as well as the Rootkit Revealer screen capture. Yes, that's right... screen capture. The Rootkit Revealer utility was hanging after it finished when I asked it to save a log file. I had to ALT-CONT-DEL to get to shutdown because it wasn't responding.

    Can I also add something which was very strange. A little GUI window popped up when I tried to download the utility. I have never seen it before. What I found strange is that this window asked for a password and user name to log in so that the download could continue. I found it disturbing because I have broadband, and if I am correct, it is always connected to the internet.

    Could this be a hidden trojan or someone trying to gain remote access?

    I did find it in the registry for the vchost.exe where you told me to look; however, I had to double-click on the submusk key to see if it was there. I did a find in that folder and it looked like it found something, but it didn't show the file that I asked it to look for, hence why I double-clicked on the sub-something file to see if it was there. Should I delete this key or value?
    Attached Images
    Attached Files

  8. #8
    Join Date
    Aug 2006
    Posts
    578


    Hi Vince,
    Sorry for the delay - busy weekend.

    Quote Originally Posted by ALL THUMBS:
    The Rootkit Revealer utility was hanging after it finished when I asked it to save a log file. I had to ALT-CONT-DEL to get to shutdown because it wasn't responding.
    That is odd. Though, this is a "touchy" app - you pretty much need to leave the compy alone until it completely finishes.

    Anyhoo, I recognize a few of the items in the screen capture:

    I've seen these before and I think they are harmless --> HKLM\SECURITY\Policy\Secrets\SAC*
    HKLM\SECURITY\Policy\Secrets\SAI*


    This is the one belonging to Daemon Tools that I mentioned --> HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg
    I do not know why this did not show in the Gmer portion of the ComboFix log or your other rootkit scans. The security community must've whitelisted it, though that would seem counter-intuitive to me . . . LOL!

    I do not know what these are and they bother me a bit because of their recent appearance:
    HKU\.DEFAULT\Control Panel\International
    HKU\.DEFAULT\Control Panel\International\Geo
    HKU\S-1-5-21-........\Control Panel\International
    HKU\S-1-5-21-........\Control Panel\International\Geo
    HKU\S-1-5-18\Control Panel\International
    HKU\S-1-5-18\Control Panel\International\Geo


    When we start getting into these, we are really pushing the limits of my expertise. I would not be the best authority to advise you on them.
    I would rather see a number of different scans from, say, Sophos - AVG - F-secure Blacklight and the like which would probably do a better job of designating which are bad and which are benign....


    Quote Originally Posted by ALL THUMBS:
    Can I also add something which was very strange. A little GUI window popped up when I tried to download the utility. I have never seen it before.
    That is strange - I've not experienced that from Sysinternals/M$...
    Could you get a screenshot of that?

    Quote Originally Posted by ALL THUMBS:
    Could this be a hidden trojan or someone trying to gain remote access?
    Anything is possible, but I doubt that is the case there. It certainly would not ask for permission

    Quote Originally Posted by ALL THUMBS:
    I did find it in the registry for the vchost.exe where you told me to look; however, I had to double-click on the submusk key to see if it was there. I did a find in that folder and it looked like it found something, but it didn't show the file that I asked it to look for, hence why I double-clicked on the sub-something file to see if it was there. Should I delete this key or value?
    I'm not following you here - Do you mean subnet mask?

    -- That whole key [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{06FAFF59-A4D6-198C-0003-050508020107}] seems out of whack to me.
    I think we tried to delete it earlier and it would not go.

    Go ahead and delete that registry key, if it will allow you to do so. If it turns out to be something legit and needed, we can put it back.
    We do need to find that vchost.exe if it is still on your compy. It reeks of being malware.....

    I'll try to put together a small batch file to try to deal with it as soon as I am able.

    Sorry I can't be more help at the moment.

    Best
    PP
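    PP's earlier suggestion to export the Active Setup key with regedit and work out what the vchost.exe entry actually runs, as an added example that is not code from the thread or from peek.bat: a Python script that parses a .reg export of Installed Components, pulls each component's StubPath and flags stubs that run straight out of the Windows folder. It assumes the path shown in the ComboFix excerpt is the key's StubPath value (the excerpt does not name the value); the second component in the sample is constructed for contrast.

```python
"""Triage Active Setup components from a regedit export (.reg file)."""
import re

# Constructed .reg export; the first GUID and path are the ones quoted in
# the thread, the second component is made up for contrast.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{06FAFF59-A4D6-198C-0003-050508020107}]
"StubPath"="C:\\WINDOWS\\vchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{EXAMPLE0-0000-0000-0000-000000000000}]
"StubPath"="\"C:\\Program Files\\Example\\setup.exe\" /quiet"
"""

KEY_RE = re.compile(r"^\[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Active Setup\\"
                    r"Installed Components\\(\{[^}]+\})\]$", re.I)
STUB_RE = re.compile(r'^"StubPath"="(.*)"$')
# A bare .exe sitting directly in %SystemRoot% (no subfolder) is unusual for
# a legitimate Active Setup stub; it is the shape of the vchost.exe entry.
WINDOWS_ROOT_EXE = re.compile(r"^[a-z]:\\windows\\[^\\]+\.exe$", re.I)

def reg_unescape(value):
    """Undo .reg string escaping of backslashes and double quotes."""
    return re.sub(r'\\(["\\])', r"\1", value)

def executable_of(command):
    """Pull the program path out of a StubPath command line."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    return command.split()[0]

def parse_active_setup(text):
    """Return one dict per component that carries a StubPath value."""
    components, current = [], None
    for line in text.splitlines():
        line = line.strip()
        key = KEY_RE.match(line)
        if key:
            current = key.group(1)       # remember which {GUID} we are in
            continue
        stub = STUB_RE.match(line)
        if stub and current:
            command = reg_unescape(stub.group(1))
            exe = executable_of(command)
            components.append({"guid": current, "stub": command, "exe": exe,
                               "suspicious": bool(WINDOWS_ROOT_EXE.match(exe))})
    return components
```

Calling `parse_active_setup(SAMPLE_REG)` returns one dict per component; the entry for the GUID from the thread comes back with `suspicious` set, the constructed Program Files stub does not.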
