
Thread: What has infected my .exe files..???

  1. #1 (Join Date: Jan 2008, Posts: 9)
    Hi there Phil,

    Sorry I have taken a while to respond, but I have been caught up with work.

    [tmvsthfss.bin & tmvsthfud.bin are malware-related and can be deleted. Not sure if they are part of Vundo, or something else... You can also delete hosts.20080121-224941.]

    Have been deleted!!

    I have done what you requested and attached the log files from Combofix and the host file as a text file.

    The pc has been running smooth, (touch wood).

    Thanks again.....

    Vince

  2. #2 (Join Date: Aug 2006, Posts: 578)
    Quote Originally Posted by ALL THUMBS:
    Sorry I have taken a while to respond, but I have been caught up with work.
    Hi Vince,
    I know the feeling - real life always seems to intrude!

    Everything looks OK to me except for this one:
    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{06FAFF59-A4D6-198C-0003-050508020107}]
    C:\WINDOWS\vchost.exe

    Very likely a baddie.

    I am not sure if it is hidden/stealthed by a rootkit or similar technology and that is why we can't see it....
    I am pretty certain that you have rootkit technology on your machine. To the best of my memory, Daemon Tools employs this to circumvent copy protection on DVDs, etc...

    I cannot help but wonder if this same technology can be exploited by malware in the same way the Sony DRM rootkit could be exploited to hide trojans, etc...

    Or, this could be part of one of your video programs. . . . I just can't tell.


    If you want to pursue this further, you could try the following:

    -- Scan with Sophos Anti-Rootkit v1.3.1:
    http://www.sophos.com/products/free-...i-rootkit.html

    -There is an instruction manual on that page for your reference:
    http://www.sophos.com/sophos/docs/en.../rk_13_men.pdf

    Run the scan, but I think it might be best to hold off on having it clean anything at this point.

    Rather, allow the scan to finish completely and then click Start --> Run and then type or copy & paste %TEMP%\sarscan.log in the box and hit Enter.
    A log ought to open. Please save it to where you can find it easily and then submit it for me.
    -- Do not use your computer while the scan is running.


    ALSO:

    Please run http://www.eset.com/onlinescan/

    -- You will need to temporarily disable your current Anti-virus program.
    -- Make sure that the option Remove found threats is Unchecked, and the option Scan unwanted applications is checked.

    -- Remember to Re-enable your Resident Anti-virus program after the scan has finished.
    -- A logfile ought to be found at C:\Program Files\EsetOnlineScanner\log.txt.
    Please post that for me.


    Best Luck
    PP

  3. #3 (Join Date: Jan 2008, Posts: 9)
    Hi PP,

    I have done all those actions you requested and found that it didn't find malware.

    As for the rootkit programs, I have the AVG Anti Rootkit scanner which has found no rootkits.

    I have attached some log files for you to look at.

    Vince

  4. #4 (Join Date: Aug 2006, Posts: 578)
    Quote Originally Posted by ALL THUMBS:
    As for the rootkit programs, I have the AVG Anti Rootkit scanner which has found no rootkits.
    That's odd - I believe Daemon tools still employs that technology (though I haven't checked in a while) and I would expect that to show in a rootkit scan.
    Rootkit Revealer would probably show it.
    http://technet.microsoft.com/en-us/s.../bb897445.aspx

    I can't imagine there are "whitelists" for these.... LOL!

    I suppose we could try to delete that vchost.exe with a tool such as swandog46's Avenger, but I'd be more comfortable locating it and IDing it first to get an idea of what it is. Are you able to use regedit to export this key?

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components]

    Or, you could do this:
    Download the attached peek.bat to the desktop.
    DoubleClick it and submit the log that pops up for me.
    I don't know if it will tell any more than ComboFix, but worth a shot.


    -- The rest of the logs look OK. The MVPs Hosts file ought to help keep the baddies at bay.

    Cheers
    PP
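The Active Setup "Installed Components" key that PP keeps coming back to is a per-user launch point: each sub-key's StubPath is run once for every user at logon, which is why a stray StubPath such as C:\WINDOWS\vchost.exe is worth identifying before anything is deleted. The following is an added example, not a script from this thread or from PP, that enumerates those StubPath values and flags the ones pointing at a missing, hidden, or oddly placed executable. It assumes PowerShell 3 or later run from an elevated prompt, and the "expected" directory list is a reviewer's guess to tune per machine.

```powershell
# Added example (not from the thread): list Active Setup "Installed Components"
# StubPath entries so an oddity like C:\WINDOWS\vchost.exe stands out.
# Assumptions: PowerShell 3+, elevated; $expectedDirs is a guess, tune it for
# the machine being examined.
function Get-ActiveSetupStubs {
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components'
    )
    $expectedDirs = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64",
                      $env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }     # Wow6432Node is absent on 32-bit
        foreach ($key in Get-ChildItem $root) {
            $props = Get-ItemProperty -LiteralPath $key.PSPath
            $stub  = $props.StubPath
            if (-not $stub) { continue }              # no launcher, nothing runs at logon
            # Reduce '"C:\x\tool.exe" /arg' or 'C:\x\tool.exe /arg' to the executable path
            $exe = if ($stub -match '^"([^"]+)"') { $Matches[1] } else { ($stub -split ' ')[0] }
            $exe = [Environment]::ExpandEnvironmentVariables($exe)
            # Bare names such as regsvr32.exe are resolved through PATH, as the loader would
            if (-not [IO.Path]::IsPathRooted($exe)) {
                $cmd = Get-Command $exe -ErrorAction SilentlyContinue
                if ($cmd) { $exe = $cmd.Path }
            }
            $flag = ''
            if (-not [IO.File]::Exists($exe)) {
                # File.Exists ignores attributes, so a merely hidden file is still found;
                # a miss here means the file is gone or concealed below the file system API
                $flag = 'MISSING'
            } else {
                $attr = [int](Get-Item -LiteralPath $exe -Force).Attributes
                if ($attr -band [int][IO.FileAttributes]::Hidden) { $flag = 'HIDDEN-ATTRIBUTE' }
                elseif (-not ($expectedDirs | Where-Object { $exe.StartsWith($_, 'OrdinalIgnoreCase') })) {
                    $flag = 'UNUSUAL-LOCATION'        # e.g. an .exe directly under C:\WINDOWS
                }
            }
            [pscustomobject]@{
                CLSID      = $key.PSChildName
                Name       = $props.'(default)'
                StubPath   = $stub
                Executable = $exe
                Flag       = $flag
            }
        }
    }
}

Get-ActiveSetupStubs | Sort-Object Flag -Descending | Format-Table -AutoSize
```

Flagged rows are leads to identify (hash the file, check its signer and timestamps), not a verdict; legitimate vendor stubs also live outside the expected list.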
