Tech Support Guy banner

Registered · 52 Posts · Discussion Starter · #1
Hello,

I'm hoping you can help me get rid of an annoying problem I'm having with my PC.

First off, my machine runs Windows 2000 Professional and is upgraded with Windows update. I'm using Kerio Personal Firewall as a firewall, a bought copy of McAfee VirusScan, and Microsoft AntiSpyware beta. Also running are TCMonitor from TheCleaner and TCActive!

My problem is that .exe files keep getting added to my c:\winnt\system32\ directory, and I can't figure out what is causing it. When these .EXEs try to run, either the Firewall reports that one of them is trying to execute the other, or (most of the time) McAfee says that this executable contains a virus (with a generic name like Win32.Worm.Gen or New Malware.h) and scans the whole disk. It then sometimes finds more of these .EXEs in the same location, or in the Local Settings of my user.

I'm not able to pin this problem down to the usage of one application or Web site, nor does my registry look suspicious. Can you help me find out where the problem is?

Below is a log of HijackThis; I've checked its contents using the Article on merijn.org, but I can't find anything wrong.

Logfile of HijackThis v1.99.0
Scan saved at 10:49:08 AM, on 6/24/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\The Cleaner\tca.exe
C:\Program Files\The Cleaner\tcm.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\program files\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gmail.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = wwwproxy.xs4all.nl:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = https://;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [tcactive] C:\Program Files\The Cleaner\tca.exe
O4 - HKLM\..\Run: [tcmonitor] C:\Program Files\The Cleaner\tcm.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [mount.exe] C:\Program Files\[email protected]\[email protected]\mount.exe /z
O4 - Startup: Shortcut to Connect to Internet.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1B94D01D-172F-4D8B-8EBB-849B5F5FCC85}: NameServer = 194.109.6.66,194.109.9.99
O17 - HKLM\System\CCS\Services\Tcpip\..\{9D47D89F-4981-4F06-B82E-EFD50526FB51}: NameServer = 194.109.104.104 194.109.6.66
O17 - HKLM\System\CS1\Services\Tcpip\..\{1B94D01D-172F-4D8B-8EBB-849B5F5FCC85}: NameServer = 194.109.6.66,194.109.9.99
O17 - HKLM\System\CS2\Services\Tcpip\..\{1B94D01D-172F-4D8B-8EBB-849B5F5FCC85}: NameServer = 194.109.6.66,194.109.9.99
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Kerio Personal Firewall 4 - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: McAfee.com McShield - Unknown - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
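The HijackThis log above is free text, which makes it easy to miss an entry when checking it by hand against merijn.org's article. The following is an added example (not HijackThis's code and not from anyone in this thread) that turns the log's autostart (O4), service (O23), DNS (O17) and registry (R0/R1) lines into structured records and then lists the Run entries whose executable either lives outside a set of trusted roots or is given with no directory at all (and so is resolved via the PATH search at logon). The sample log is abbreviated from the one posted above, with one constructed `mount.exe` line placed under a Temp folder to exercise the check; the trusted-roots list and the treatment of the `PROGRA~1` short name as an alias of `Program Files` are assumptions for illustration.

```python
"""Parse a HijackThis v1.99-style log and review its Run entries (added example)."""
import re
from dataclasses import dataclass

# Constructed sample: lines abbreviated from the posted log, plus one made-up
# HKCU Run entry under a user's Temp folder (the original pointed elsewhere).
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.0
Scan saved at 10:49:08 AM, on 6/24/2005

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\QuickTime\qttask.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = wwwproxy.xs4all.nl:8080
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [mount.exe] C:\Documents and Settings\A. User\Local Settings\Temp\mount.exe /z
O17 - HKLM\System\CCS\Services\Tcpip\..\{1B94D01D-172F-4D8B-8EBB-849B5F5FCC85}: NameServer = 194.109.6.66,194.109.9.99
O23 - Service: Kerio Personal Firewall 4 - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
"""


@dataclass
class Autostart:
    hive: str   # HKLM or HKCU
    name: str   # value name shown in [brackets]
    path: str   # executable with surrounding quotes removed
    args: str   # rest of the command line


@dataclass
class Service:
    name: str
    company: str
    path: str


@dataclass
class RegistryValue:
    section: str  # R0, R1, ...
    key: str
    name: str
    value: str


O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<company>.+?) - (?P<path>.+)$")
R_RE = re.compile(r"^(?P<section>R\d) - (?P<key>.+?),(?P<name>[^,=]+?) = (?P<value>.*)$")

# Assumed trusted roots for this machine; PROGRA~1 is the 8.3 alias of Program Files.
TRUSTED_ROOTS = (r"C:\WINNT", r"C:\Program Files", r"C:\PROGRA~1")


def split_command(cmd):
    """Separate the executable from its arguments, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end != -1:
            return cmd[1:end], cmd[end + 1:].strip()
    parts = cmd.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")


def parse_hjt(text):
    """Return the running-process list and the O4/O17/O23/R entries; other sections are ignored."""
    result = {"processes": [], "autostart": [], "services": [], "nameservers": [], "registry": []}
    in_processes = False
    for line in text.splitlines():
        line = line.rstrip()
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            if not line:          # blank line ends the process list
                in_processes = False
            else:
                result["processes"].append(line)
            continue
        if m := O4_RE.match(line):
            path, args = split_command(m["cmd"])
            result["autostart"].append(Autostart(m["hive"], m["name"], path, args))
        elif m := O17_RE.match(line):
            result["nameservers"].append((m["key"], re.split(r"[,\s]+", m["servers"].strip())))
        elif m := O23_RE.match(line):
            result["services"].append(Service(m["name"], m["company"], m["path"]))
        elif m := R_RE.match(line):
            result["registry"].append(RegistryValue(m["section"], m["key"], m["name"], m["value"]))
    return result


def review_autostarts(parsed, trusted_roots=TRUSTED_ROOTS):
    """Names of Run entries whose program is not under a trusted root, or has no directory at all."""
    roots = tuple(r.lower().rstrip("\\") + "\\" for r in trusted_roots)
    report = {"unqualified": [], "outside": []}
    for entry in parsed["autostart"]:
        if "\\" not in entry.path:
            report["unqualified"].append(entry.name)   # found via PATH search at logon
        elif not entry.path.lower().startswith(roots):
            report["outside"].append(entry.name)
    return report


if __name__ == "__main__":
    print(review_autostarts(parse_hjt(SAMPLE_LOG)))
```

Entries reported as "outside" or "unqualified" are only candidates for a closer look, not verdicts; a legitimate program installed to an unusual folder will show up too, and a short 8.3 path on a live system should be expanded before comparing it with the roots.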
 

Registered · 52 Posts · Discussion Starter · #3
At the moment, there aren't any. (I can check quite easily by hand, by sorting my system32\ folder by date.) But they are all short, letters-only names. I'm sure that firefox.exe was in there (obviously not the browser) as an EXE trying to start another EXE. I don't remember others exactly, but it was stuff like "goodtob.exe", "hello.exe" etc. Different every time BTW.
Oh, and the icon displayed with them is often of a self-extracting WinRAR file.
 

Retired Moderator · 72,109 Posts
Are these valid entries?
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = wwwproxy.xs4all.nl:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = https://;<local>
 

Registered · 52 Posts · Discussion Starter · #6
These entries are valid, yes. My ISP kicked me off the internet at some point because I had a Trojan. I was then allowed to access the internet only through this Proxy Server. I'm now connecting the normal way again, but I guess the settings remain.
 

Registered · 52 Posts · Discussion Starter · #7
BTW: new .exes have appeared:
enslaved.exe
enslaveed.exe
myversion.exe (marked as type winRAR)
All these are detected as containing "New Malware.h" by McAfee.
There's also a duck.exe of an earlier date that I didn't notice before. Perhaps it was added now and predated.
 

Registered · 56 Posts
This may not help much, but make sure you can view hidden files and look for a dll file that looks fishy. I dealt with a similar problem where a bunch of executables were getting run upon restart, even after I had deleted them. I had some oddly named, hidden dll in system32 that kept re-creating the executables. I found it the way you suggested, sorting by date.

Did you try Ad-Aware??
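Both the original poster (sorting system32 by date) and the reply above (looking for a hidden DLL that re-creates the executables) are doing the same check by hand. The following is an added example, not code from anyone in this thread, that automates it: it lists executable-type files in a folder that were changed after a given time, notes whether each is hidden, and records a SHA-256 per file so that a file which reappears after deletion can be compared with the earlier copy by content. The extension list is an assumption; the Windows hidden attribute is read from `st_file_attributes` where the platform provides it, with a dot-file fallback so the example also runs elsewhere.

```python
"""List recently changed binaries in a folder and fingerprint them (added example)."""
import hashlib
import os
import stat
from datetime import datetime, timedelta

# Assumed set of file types worth listing; adjust to taste.
SUSPECT_EXTENSIONS = (".exe", ".dll", ".scr", ".com", ".pif")


def is_hidden(entry):
    """True if the directory entry carries the Windows hidden attribute (or is a dot-file elsewhere)."""
    st = entry.stat(follow_symlinks=False)
    attrs = getattr(st, "st_file_attributes", 0)          # Windows only
    if attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0):
        return True
    return entry.name.startswith(".")                     # fallback for other platforms


def recent_binaries(directory, since, extensions=SUSPECT_EXTENSIONS):
    """Return (mtime, name, hidden) for matching files modified at or after `since`, newest first.

    Hidden files are included regardless of Explorer's view settings, which is the
    point of the check: os.scandir does not skip them.
    """
    cutoff = since.timestamp()
    found = []
    with os.scandir(directory) as it:
        for entry in it:
            if not entry.is_file(follow_symlinks=False):
                continue
            if not entry.name.lower().endswith(extensions):
                continue
            st = entry.stat(follow_symlinks=False)
            if st.st_mtime >= cutoff:
                found.append((st.st_mtime, entry.name, is_hidden(entry)))
    found.sort(reverse=True)
    return found


def sha256_file(path):
    """Hash a file in chunks so large binaries do not need to be read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(directory, since):
    """Map file name -> SHA-256 for the recent binaries, to compare across re-creations."""
    return {name: sha256_file(os.path.join(directory, name))
            for _, name, _ in recent_binaries(directory, since)}


if __name__ == "__main__":
    system32 = os.path.join(os.environ.get("SystemRoot", r"C:\WINNT"), "system32")
    for mtime, name, hidden in recent_binaries(system32, datetime.now() - timedelta(days=7)):
        print(datetime.fromtimestamp(mtime), "H" if hidden else "-", name)
```

Running the snapshot once now and again after the files come back tells you whether the new copies are byte-identical to the deleted ones, which is the kind of detail an analyst at the vendor will ask for along with the file itself. Note that the modification time is only as trustworthy as the process that wrote the file; a dropper can set it to an older date, which would explain a file that seems to predate its appearance.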
 

Retired Moderator · 72,109 Posts
Disable Microsoft AntiSpyware for now.

Download Spybot http://www.safer-networking.org/en/download/index.html

Click on "Search For updates" when prompted.
Click on "Immunize" when prompted.


Scan, click on fix problems.

Reboot.

Download AdAware SE Personal: http://www.majorgeeks.com/Ad-Aware_SE_Personal_d506.html

Install the program and launch it.

On the bottom right-hand corner of the main window click on Check for updates now then click Connect and download the latest reference files.

In the main window: Click Start and under Select a scan Mode tick Perform full system scan.

Deselect Search for negligible risk entries.

To start the scan, click the Next button.

When the scan is finished mark everything for removal and get rid of it. (Right-click the window and choose Select All from the drop-down menu, then click Next.)

Reboot and post another log.
 

Registered · 52 Posts · Discussion Starter · #11
I now also installed Spybot S&D, updated, immunized and did "Check for problems".
"Congratulations! No immediate threats were found."
Almost at the exact same moment, my Firewall popped up again to say that "myversion.exe" was trying to start "enslaved.exe" and then "enslaveed.exe".
That's right, the exes are back yet again.

UPDATE: Upon reboot, I get the following Firewall alert, which I have never seen before:
Outgoing connection alert (trusted area)
82.131.2.20, port 2431
Microsoft File & Printer Sharing.
(I denied this connection of course)

...and another UPDATE:
New EXEs:
surviv.exe attempts to start anotherone.exe and yetanother.exe [only last one is identified as New Malware.h by McAfee]
 

Retired Moderator · 72,109 Posts
Go here and do an online virus scan.

Be sure and put a check in the box by "Auto Clean" before you do the scan. If it finds anything that it cannot clean have it delete it or make a note of the file location so you can delete it yourself.
 

Registered · 52 Posts · Discussion Starter · #13
This virus scanner detects 3 possible viruses:
C:\RECYCLER\S-1-5-21-1881766634-1181373573-1244031209-1001\Dc5.exe
C:\RECYCLER\S-1-5-21-1881766634-1181373573-1244031209-1001\Dc8.exe
C:\WINNT\system32\enslaveed.exe
I didn't see the Auto Clean check box you mentioned.
The first two files weren't there when I looked for them. The second one was, of course, with its friends enslaved.exe and myversion.exe. And, as usual, I deleted them all.
At the same time, the firewall popped up reporting again that these EXEs were trying to start each other, AND McAfee reported that in the Local Settings\Temp dir of the current user, a file V65OQOb01508 was infected with W32/Sdbot.worm and with Proxy-FBSR.gen, but when I tried to remove it, it said it wasn't infected. I guess this was TrendMicro HouseCall being detected, right?

Sorry this is such a hard nut to crack. I swear that these EXEs now appeared while I was surfing to the most innocent of sites (e.g. the Wikipedia), so who or what is writing these EXEs?
 

Retired Moderator · 72,109 Posts
The image I've attached shows the Recycler folder, you can delete the C:\RECYCLER\S-1-5-21-1881766634-1181373573-1244031209-1001 *file* to remove those two items you mentioned.

Click here to download CCleaner.
Do Not run it yet.

Reboot to safe mode.

Start Ccleaner and click Run Cleaner.

Reboot to normal mode.

What is the current level of your McAfee virus definition files? You can find that by right clicking on the McAfee icon in the system tray and selecting "About".
 


Registered · 52 Posts · Discussion Starter · #15
Done the CCleaner thing, will stay on the lookout for new .exes.
McAfee reports up to date (last update 22 Jun), and I know it updates from time to time.

Thanks for your help, I hope this fixed it.
 

Retired Moderator · 72,109 Posts
Click here to download the trial version of Ewido Security Suite.
Install it, and update the definitions to the newest files.

Reboot to safe mode.

Run Ewido:

Click on scanner
Put a check by the following before you scan:
Binder
Crypter
Archives

Click the Start Scan button to start the scan.
During the scan it will prompt you to clean files, click OK
When the scan is finished, look at the bottom of the screen and click the Save report button.
Save the report to your desktop

Reboot and post the Ewido log.
 

Registered · 52 Posts · Discussion Starter · #18
Hello, here is the report from ewido. The d:\duck.exe was a new one for me. I'll keep you posted on how I fare now. Thanks for the help so far!

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 8:45:36 PM, 6/28/2005
+ Report-Checksum: 82206472

+ Date of database: 6/28/2005
+ Version of scan engine: v3.0

+ Duration: 47 min
+ Scanned Files: 47417
+ Speed: 16.79 Files/Second
+ Infected files: 5
+ Removed files: 5
+ Files put in quarantine: 5
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\
D:\

+ Scan result:
C:\Documents and Settings\A. User\Cookies\a. [email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\A. User\Cookies\a. [email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\WINNT\system32\anotherone.exe -> Backdoor.SdBot.aav -> Cleaned with backup
C:\WINNT\system32\surviv.exe/anotherone.exe -> Backdoor.SdBot.aav -> Cleaned with backup
D:\duck.exe -> Backdoor.Agobot.aaf -> Cleaned with backup

::Report End
 