Thread: What has infected my .exe files..???

  1. #1

    Hi Vince,

    We're making a bit of progress


    Quote Originally Posted by ALL THUMBS View Post
    I did search for the file vchost.exe but only found vchost, which showed that it was related to an mp3 file. Is that the file I need to upload to the website above?
    It will be at this location as shown in the log:

    C:\WINDOWS\vchost.exe

    At this point, I do not know what it is, good or bad. You ought to be able to navigate to it with the Browse box at the top of the Jotti page. You should also be able to locate it in the Windows Folder manually.
    You might need to Enable the Viewing of Hidden Files to see it.

    I would definitely like to get that scanned....

    Quote Originally Posted by ALL THUMBS View Post
    Attached, please find another log from AVG which I reinstalled and updated. It did show up trojans also, which it has placed into the Vault.
    Most of those are backups and you can delete them safely:
    -- C:\QooBox\Quarantine

    -- Run HijackThis and, on the Quickstart GUI, select View the list of backups and then delete those malware backups that show in the AVG log. These are just Registry keys belonging to what we would hope are deleted malware files.

    -- You do need to DELETE this one manually:
    C:\WINDOWS\system32\winpdc32.dll
    You may need to do this in Safe Mode and with Viewing of Hidden Files Enabled.
    Let me know how that shakes out.


    ALSO:
    Please scan with HijackThis and Check the Boxes for the following, if they remain:

    O2 - BHO: (no name) - {A1D6ACF0-0874-47EC-BA66-E3A93C27979D} - (no file)
    O2 - BHO: (no name) - {D7FD6C15-4927-4AAE-BF12-FBDABD287EB1} - (no file)

    O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
    O20 - Winlogon Notify: nnnmmkj - C:\WINDOWS\

    Be sure All Browser Windows are Closed and then Click Fix Checked.
    **You'll probably need to turn off SpybotSD's Tea Timer to allow the above changes.

    Also, I would suggest removing AdwareAlert, as there are better options to be found - including those that you already have onboard (Spyware Doctor, Windows Defender, Spybot)


    Then, please do the AVG AntiSpy and Kaspersky Online scan steps in the Read Me First Sticky that Judy linked earlier and post those logs for me.

    Cheers
    PP
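As an added example (not part of the thread, and not a HijackThis feature), the Python below applies the rule PP is using to pick those O2 and O20 lines: a registry entry for a browser helper object or a Winlogon Notify DLL whose file is gone, or whose path has decayed to a bare directory, is an orphan and safe to fix. The sample log is the four lines from the post plus one constructed, well-formed O2 entry so the check has a negative case.

```python
import re
from dataclasses import dataclass

# Constructed sample log: the four entries PP asked to have fixed, plus one
# made-up, well-formed O2 entry so the check also has a negative case.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {A1D6ACF0-0874-47EC-BA66-E3A93C27979D} - (no file)
O2 - BHO: (no name) - {D7FD6C15-4927-4AAE-BF12-FBDABD287EB1} - (no file)
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O20 - Winlogon Notify: nnnmmkj - C:\WINDOWS\
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000000} - C:\Program Files\Example\helper.dll
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")


@dataclass
class Finding:
    section: str   # "O2" (browser helper object) or "O20" (Winlogon Notify)
    name: str      # BHO display name or Winlogon Notify subkey name
    path: str      # path column exactly as HijackThis printed it
    reason: str


def triage(log_text: str) -> list[Finding]:
    """Return the O2/O20 lines that are orphaned: the registry entry survives
    but the DLL it would load is gone, or the path is a bare directory with
    no file name.  These are the entries PP marks for 'Fix Checked'."""
    findings = []
    for line in log_text.splitlines():
        m = O2_RE.match(line) or O20_RE.match(line)
        if not m:
            continue
        path = m.group("path").strip()
        if "(no file)" in path or "(file missing)" in path:
            reason = "registry entry references a DLL that no longer exists"
        elif path.endswith("\\"):
            reason = "path is a bare directory with no file name"
        else:
            continue  # well-formed entry that still loads a file: leave it alone
        findings.append(Finding(line.split(" - ", 1)[0], m.group("name"), path, reason))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4} {f.name:<10} {f.path} -> {f.reason}")
```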

  2. #2
    Finding it is the question?

    Below are my responses to the actions you requested for me to apply.

    Quote Originally Posted by PhilliePhan View Post
    Hi Vince,

    We're making a bit of progress


    It will be at this location as shown in the log:

    C:\WINDOWS\vchost.exe

    At this point, I do not know what it is, good or bad. You ought to be able to navigate to it with the Browse box at the top of the Jotti page. You should also be able to locate it in the Windows Folder manually.
    You might need to Enable the Viewing of Hidden Files to see it.

    I would definitely like to get that scanned....

    I have done the actions to show all hidden files, and I could not find this file other than the one I have mentioned previously, which only shows vchost with no extension.

    Quote Originally Posted by PhilliePhan View Post
    Most of those are backups and you can delete them safely:
    -- C:\QooBox\Quarantine

    -- Run HijackThis and, on the Quickstart gui, select View the list of backups and then delete those malware backups that show in the AVG log. These are just Registry keys belonging to what we would hope are deleted malware files

    -- You do need to DELETE this one manually:
    C:\WINDOWS\system32\winpdc32.dll
    You may need to do this in Safe Mode and with Viewing of Hidden Files Enabled.
    Let me know how that shakes out.

    I have looked in C:\WINDOWS\system32\ for the winpdc.dll and it wasn't to be found to delete.


    Quote Originally Posted by PhilliePhan View Post
    ALSO:
    Please scan with HijackThis and Check the Boxes for the following, if they remain:

    O2 - BHO: (no name) - {A1D6ACF0-0874-47EC-BA66-E3A93C27979D} - (no file)
    O2 - BHO: (no name) - {D7FD6C15-4927-4AAE-BF12-FBDABD287EB1} - (no file)

    O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
    O20 - Winlogon Notify: nnnmmkj - C:\WINDOWS\

    Be sure All Browser Windows are Closed and then Click Fix Checked.
    **You'll probably need to turn off SpybotSD's Tea Timer to allow the above changes.

    Ran it, and removed the above entries.

    Quote Originally Posted by PhilliePhan View Post
    Also, I would suggest removing AdwareAlert, as there are better options to be found - including those that you already have onboard (Spyware Doctor, Windows Defender, Spybot)

    Are you able to provide a better option other than AdwareAlert?

    Quote Originally Posted by PhilliePhan View Post
    Then, please do the AVG AntiSpy and Kaspersky Online scan steps in the Read Me First Sticky that Judy linked earlier and post those logs for me.

    Please find attached scan logs.

    Should there be a file in C:\WINDOWS\system32\drivers\etc that has these files within it:

    hosts (no extension)
    hosts.20080121-224941
    lmhosts.sam
    networks (no extension)
    protocol (no extension)
    services (no extension)
    tmvsthfss.bin
    tmvsthfud.bin

    I would also like to mention that AVG Antivirus is showing no infections to date.



    Cheers
    PP

  3. #3

    Hi Vince,

    Quote Originally Posted by ALL THUMBS View Post
    I have done the actions to show all hidden files, and I could not find this file other than the one I have mentioned previously, which only shows vchost with no extension.
    I have looked in C:\WINDOWS\system32\ for the winpdc.dll and it wasn't to be found to delete.
    That vchost.exe bugs me - it shows in the log, but I wonder if there is more going on, such as a rootkit... Also, given the Hosts file situation, I wonder....
    I have written a batch tool that might help find and kill it. We may give that a go. I'd like to see a fresh ComboFix log first, though. In fact, let me try a CFScript for that and the winpdc32.dll. Instructions at bottom of post.

    Quote Originally Posted by ALL THUMBS View Post
    Are you able to provide a better option other than AdwareAlert?
    The other anti-spy apps you already have onboard are better. I like Spyware Doctor and AVG anti-spy.
    Adware Alert has a poor reputation - false positives and such. It used to be on Spyware Warrior's Rogue List.

    Quote Originally Posted by ALL THUMBS View Post
    Should there be a file in C:\WINDOWS\system32\drivers\etc that has these files within it:

    hosts (no extension)
    hosts.20080121-224941
    lmhosts.sam
    networks (no extension)
    protocol (no extension)
    services (no extension)
    tmvsthfss.bin
    tmvsthfud.bin
    tmvsthfss.bin & tmvsthfud.bin are malware-related and can be deleted. Not sure if they are part of Vundo, or something else... You can also delete hosts.20080121-224941.

    -- Can you open your Hosts File (hosts (no extension)) with notepad and upload that as an attachment for me to check out?

    Quote Originally Posted by ALL THUMBS View Post
    I would also like to mention that AVG Antivirus is showing no infections to date.
    Happy to hear that! The Kaspersky log looks OK too.


    ** Here is the ComboFix step:


    -- Please delete your copy of ComboFix and download a fresh one to your Desktop
    -- Download the attached file CFScript.txt to your Desktop as well
    -- Close ALL browser windows and then drag CFScript.txt into ComboFix.exe



    -- Let Combofix run as before and post me that log along with the contents of your Hosts File.

    I'll try to check back Sunday, but may not be back until Monday evening.


    Best
    PP
    Last edited by PhilliePhan; 02-27-2008 at 08:42 PM.
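An added example (not from the thread or either poster): the Python below does the two checks PP is working toward in this post, reading a hosts file and flagging every mapping that is not the stock localhost entry, and listing the files in drivers\etc that a default install does not ship. The hosts content is constructed, the "default hosts maps only localhost" rule and the default drivers\etc file set are assumptions stated in the code.

```python
import ipaddress

# Constructed hosts file for this example (not the file from the thread): the
# stock Microsoft header and localhost lines, then two made-up entries.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
127.0.0.1       updates.example-av.test      # constructed: a site sinkholed to loopback
203.0.113.7     www.example-bank.test        # constructed: a site redirected elsewhere
"""

# Assumption: a default hosts file of that era maps only 'localhost'.
LOOPBACK_OK = {"localhost"}
# Assumption: the files a default Windows XP install ships in drivers\etc.
DEFAULT_ETC_FILES = {"hosts", "lmhosts.sam", "networks", "protocol", "services"}


def review_hosts(text: str) -> list[tuple[int, str, str]]:
    """Return (line number, hostname, verdict) for every mapping other than the
    stock localhost entry.  A loopback mapping for a real site blocks it (a
    common way for malware to stop security updates); any other address
    redirects it.  Comments and blank lines are skipped."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            findings.append((lineno, fields[0], "unparseable address"))
            continue
        for host in fields[1:]:
            if addr.is_loopback and host.lower() in LOOPBACK_OK:
                continue
            verdict = "blocked (mapped to loopback)" if addr.is_loopback else f"redirected to {addr}"
            findings.append((lineno, host, verdict))
    return findings


def unexpected_etc_files(names) -> list[str]:
    """Names in drivers\\etc that a default install does not have, e.g. the
    tmvsthfss.bin / tmvsthfud.bin pair and the dated hosts backup."""
    return sorted(n for n in names if n.lower() not in DEFAULT_ETC_FILES)


if __name__ == "__main__":
    print(review_hosts(SAMPLE_HOSTS))
    print(unexpected_etc_files(["hosts", "hosts.20080121-224941", "lmhosts.sam", "networks", "protocol", "services", "tmvsthfss.bin", "tmvsthfud.bin"]))
```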
