05.09.2008 at 07:54AM PDT, ID: 23389552
NOD32 antivirus recurringly finds a virus in this file: C:\WINNT\system32\pro\pro.exe

Tags: Microsoft, Windows XP Professional, SP2, Virus
Hello, this problem looked like it had been solved here:
http://www.experts-exchange.com/Security/Vulnerabilities/Q_23374774.html

but instead after a week it came back.

My NOD32 antivirus has been finding a virus in C:\WINNT\system32\pro\pro.exe.
It quarantines the file saying it has "multiple infections", but after a while the file is there again even after I manually deleted the folder.

The folder shouldn't be there in the first place since I have XP professional, not NT.
Question Stats
Zone: Security
Question Asked By: Maioneis
Solution Provided By: webwolf_3000
Participating Experts: 4
Solution Grade: B
Views: 0
05.09.2008 at 08:12AM PDT, ID: 21533660
You should post a HijackThis or Autoruns log:

http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx
http://www.download.com/Trend-Micro-HijackThis/3000-8022_4-10227353.html?cdlPid=10781312

Any time I run into a really bad infection, I boot to my UBCD4Win and then start cleaning off files that have been modified too recently. They normally like to hide in the C:\windows and C:\windows\system32 folders.

http://www.ubcd4win.com/
Assisted Solution
 
05.09.2008 at 08:13AM PDT, ID: 21533676
This IS a virus and will not be removed without removing the virus. See this post:
http://www.liutilities.com/products/wintaskspro/processlibrary/pro/

You need to run Ad-Aware along with a full virus scan and (most importantly) a registry scan. Unfortunately, you are infected.
 
05.09.2008 at 08:17AM PDT, ID: 21533723
http://www.experts-exchange.com/Security/Vulnerabilities/Q_23374774.html

See this post. You should follow the advice found there; I think you'll find the answer.
 
05.09.2008 at 08:24AM PDT, ID: 21533807
webwolf_3000:

You should really read the FULL question....
 
05.09.2008 at 08:41AM PDT, ID: 21533999

Rank: Master

Maioneis, please do post another hijackthis log and we'll have another look at it gladly.  I suspect that not removing the XB service that was present will be the reason you're having difficulties.  I'm sure that this is what webwolf_3000 is suggesting too.

Let's just explain something that might enlighten you.  When a process runs, including services, its files are read from disk and loaded into memory.  The process executes from the memory and if you delete its files, you still have the process running in memory.  When you unload that process from memory, for example when you reboot, it won't run again unless it has its files to load from.
Malware writers don't make it that easy to remove them from your computer.  The Malware will have a process for recreating the files from an image in memory - so when you delete the files, it just puts them back - usually somewhere you won't think to look or somewhere you'll overlook them - or even hidden in another file.
This is why, in my previous answer, I prompted you to first disable the service, so it couldn't restart itself, then to stop the service to unload it from memory, then to uninstall the service to remove its details from the registry, then to delete the files on disk or to let NOD32 clean them up.
Perhaps I should have explained this before - it didn't occur to me at that time that it would be helpful, but I hope that it is.
Assisted Solution
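The disable, stop, unregister, delete sequence described in the answer above, as an added PowerShell example. This is not code from the thread or from any of the participants; the service short name is a parameter (the thread's "XB" is used only as a placeholder default), and the image path is read from the service entry rather than assumed. It also adds the check the explanation implies: refuse to delete the binary while any process is still running from that path, since that process can simply write the file back.

```powershell
# Added example, not from the thread. Removes a service in the order set out above:
# disable -> stop (unload from memory) -> unregister -> delete the file on disk.
# The service short name is a parameter; 'XB' is only a placeholder taken from the
# discussion, and the image path is read from the service entry rather than assumed.
param([string]$ServiceName = 'XB')

$svc = Get-WmiObject Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { Write-Host "No service named '$ServiceName' is registered."; exit 1 }

# Record the image path first: the registry entry is gone once the service is deleted.
$imagePath = $svc.PathName
Write-Host "Service: $($svc.Name)  State: $($svc.State)  StartMode: $($svc.StartMode)"
Write-Host "ImagePath: $imagePath"

# 1. Disable it, so neither the service itself nor a watchdog can start it again.
sc.exe config $ServiceName start= disabled | Out-Null

# 2. Stop it, so its code is unloaded from memory.
if ($svc.State -eq 'Running') {
    Stop-Service -Name $ServiceName -Force -ErrorAction SilentlyContinue
    Start-Sleep -Seconds 3
}

# 3. Unregister it (removes HKLM\SYSTEM\CurrentControlSet\Services\<name>).
sc.exe delete $ServiceName | Out-Null

# 4. Only now touch the file. Strip quotes and arguments from the ImagePath first;
#    both  "C:\path with spaces\x.exe" -arg  and  C:\dir\x.exe  are handled.
if ($imagePath -match '^"([^"]+)"') { $exe = $matches[1] }
else { $exe = $imagePath.Split(' ')[0] }

# The point made above: a process that still has the binary in memory can write it
# straight back, so refuse to delete while anything is running from that path.
$holders = Get-Process -ErrorAction SilentlyContinue | Where-Object { $_.Path -eq $exe }
if ($holders) {
    $pids = [string]::Join(',', @($holders | ForEach-Object { $_.Id }))
    Write-Host "Still running from $exe (PID $pids); stop it, then rerun."
    exit 2
}
if (Test-Path -LiteralPath $exe) {
    Remove-Item -LiteralPath $exe -Force
    Write-Host "Deleted $exe"
}

# Verification after a reboot: the first line should print nothing, the second False.
Get-WmiObject Win32_Service -Filter "Name='$ServiceName'"
Test-Path -LiteralPath $exe
```

Run it from an Administrator prompt. If step 4 reports a holder, that process is the thing recreating the files; note its PID and path before killing it, since that is exactly the information the HijackThis log is being asked for.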
 
05.09.2008 at 08:55AM PDT, ID: 21534148
Ok guys, in a few minutes I'll post the new log.
 
05.09.2008 at 08:58AM PDT, ID: 21534179
Here is the new hijackthis log:

http://www.deathless.it/hijackthis.txt
 
05.09.2008 at 09:09AM PDT, ID: 21534277
Oh since I also have Autoruns, here's a log from that program:

http://www.deathless.it/autoruns.txt
 
05.09.2008 at 09:16AM PDT, ID: 21534337
My Computer > Tools > Folder Options > View

show hidden files
uncheck hide extensions
show hidden protected OS files

then:

Start > Run > "C:\windows"

Use details view and sort columns by date modified. Put newest files at the top.

What is filename and date modified for top 10 (.dll or .exe) files?

repeat steps for C:\windows\system32.
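The listing requested above, as an added PowerShell example (not code from the thread). It includes hidden and system files without changing Folder Options, and adds two columns a manual Explorer listing does not show: CreationTime, because a dropper can set LastWriteTime to whatever it likes, and the Authenticode signature status, because genuine Microsoft binaries in these folders are signed. The C:\WINNT check at the end is an assumption based on the question's statement that the folder should not exist.

```powershell
# Added example, not from the thread. Lists the 10 most recently modified .exe/.dll
# files in the two folders named above, with hidden and system files included (what the
# Folder Options changes achieve in Explorer). Two extra columns a manual listing lacks:
# CreationTime, because a dropper can set LastWriteTime to whatever it likes, and the
# Authenticode status, because genuine Microsoft binaries in these folders are signed.
$folders = @("$env:SystemRoot", "$env:SystemRoot\system32")

foreach ($folder in $folders) {
    Write-Host ""
    Write-Host "== $folder : 10 most recently modified .exe/.dll =="
    Get-ChildItem -LiteralPath $folder -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and $_.Extension -match '^\.(exe|dll)$' } |
        Sort-Object LastWriteTime -Descending |
        Select-Object -First 10 Name, LastWriteTime, CreationTime, Length,
            @{ n = 'Hidden';    e = { ($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0 } },
            @{ n = 'Signature'; e = { (Get-AuthenticodeSignature -FilePath $_.FullName).Status } } |
        Format-Table -AutoSize
}

# The folder the question says should not exist on this XP machine (assumed path from
# the question). If it is back, list what is in it with timestamps instead of just
# deleting it again.
$odd = 'C:\WINNT'
if (Test-Path -LiteralPath $odd) {
    Write-Host ""
    Write-Host "!! $odd exists again; contents:"
    Get-ChildItem -LiteralPath $odd -Force -Recurse -ErrorAction SilentlyContinue |
        Select-Object FullName, CreationTime, LastWriteTime, Length |
        Format-Table -AutoSize
}
```

A file whose Signature column reads NotSigned, whose CreationTime is within the last few days, and which sits in system32 is the one to look at first; a Valid Microsoft signature with an old CreationTime but a fresh LastWriteTime is usually just Windows Update.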
 
05.09.2008 at 09:17AM PDT, ID: 21534341
As you can see, the XB service is not there anymore, since, as I said in the other question's thread, it is a legitimate service which only runs while you're checking your system with RootkitRevealer (by the same guys behind Autoruns). I've checked daily and it was never there during the last week. It is not in the list of services from the Control Panel applet (Administrative Tools), either.
 
05.09.2008 at 09:26AM PDT, ID: 21534413
Guru 777, here is a list of the files you requested, I printed them to file:

http://www.deathless.it/windows.txt

http://www.deathless.it/system32.txt
 
05.09.2008 at 09:33AM PDT, ID: 21534479
Hey a stroke of luck!

While I was just done printing to file the list of recently changed files in the System32 folder, Nod32 warned me that the folder had appeared again and quarantined the file for the nth time, and I noticed a new file had just appeared in the System32 folder, called Psexesvc.exe.

I had already found a trojan with this name using Adaware a week ago but it was reported as deleted...
 
05.09.2008 at 01:12PM PDT, ID: 21536085
So what can I do to delete this Psexesvc?
 
05.09.2008 at 02:24PM PDT, ID: 21536489
It sounds to me like that file is being created by some other service or process. Do you have an active firewall / AV scanner (not just AV that runs on command)?

Also make sure all your firewall / AV software is up to date and Windows Update is running and all updates are installed.

Following that, try running an antivirus scanner from a boot CD, i.e. not from the live system.
 
05.09.2008 at 02:39PM PDT, ID: 21536554
Yes the antivirus is scanning actively in the background and so is the firewall. What's strange is the firewall (Comodo) has the defense+ component which should block processes from creating files with no user permission.

Everything is up to date. I will try to check everything out from the Ultimate Boot Cd.

I've also been trying to monitor system activity with Process Monitor. I will report later on both activities.
 
05.09.2008 at 06:20PM PDT, ID: 21537477
I'm starting to get the impression that this virus is set to run only on Fridays, since it ran last Friday, then nothing for a week, then again today, and now it's Saturday here and no trace until now.
 
05.10.2008 at 02:41AM PDT, ID: 21538354
Anything showing up in your event logs? If it is a service, then it could be set to run on a time scale.
Also check your Task Scheduler (Start - Run - task scheduler).

If I remember correctly, XP will not have anything in there that wasn't added by either yourself or a service of some sort. It could, in theory, be downloading malware from the internet and installing it.
 
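The two checks suggested above (event logs and Task Scheduler), as an added PowerShell example that is not code from the thread. It pulls Service Control Manager events from the System log for a time window around the folder's reappearance, network logons from the Security log for the same window, and the scheduled task list. The window parameters are assumptions; set $Around to the time the C:\WINNT folder was seen. One caveat worth knowing when reading the 7045 entries: psexesvc.exe is also the file name of the service binary that Sysinternals PsExec copies to a target machine over SMB (TCP 445) and registers as the service PSEXESVC when PsExec is run against it, so a 7045 entry for that name inside the window, together with a network logon just before it, is worth reading in full.

```powershell
# Added example, not from the thread. Pulls the two things suggested above for a time
# window around when the folder reappeared: Service Control Manager events from the
# System log (7045 = a service was installed, 7035 = a start control was sent) and the
# scheduled task list. The third query, network logons (Security log event 540 on XP),
# only returns anything if "Audit logon events" is enabled in Local Security Policy.
param(
    [datetime]$Around = (Get-Date),   # assumed: time the C:\WINNT folder was seen to appear
    [int]$WindowMinutes = 60
)
$from = $Around.AddMinutes(-$WindowMinutes)
$to   = $Around.AddMinutes($WindowMinutes)

function Test-InWindow($entry) {
    return ($entry.TimeGenerated -ge $from -and $entry.TimeGenerated -le $to)
}

Write-Host "== Service Control Manager events, $from to $to =="
Get-EventLog -LogName System |
    Where-Object { (Test-InWindow $_) -and $_.Source -eq 'Service Control Manager' -and
                   ($_.EventID -eq 7045 -or $_.EventID -eq 7035) } |
    Sort-Object TimeGenerated |
    ForEach-Object {
        # ReplacementStrings carries the service name and, for 7045, the image path.
        "{0}  {1}  {2}" -f $_.TimeGenerated, $_.EventID, [string]::Join(' | ', $_.ReplacementStrings)
    }

Write-Host ""
Write-Host "== Network logons (event 540) in the same window =="
Get-EventLog -LogName Security -ErrorAction SilentlyContinue |
    Where-Object { (Test-InWindow $_) -and $_.EventID -eq 540 } |
    Sort-Object TimeGenerated |
    ForEach-Object { "{0}  {1}" -f $_.TimeGenerated, [string]::Join(' | ', $_.ReplacementStrings) }

Write-Host ""
Write-Host "== Scheduled tasks =="
schtasks.exe /query /fo LIST /v
```

Reading the Security log needs an Administrator prompt, and if logon auditing was off when the folder appeared the second section will simply be empty; enable it (Local Security Policy, Audit Policy, Audit logon events) before the next Friday so the next occurrence is captured.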
05.10.2008 at 04:22AM PDT, ID: 21538514
I've run all possible utilities from the Ultimate Boot Cd for Windows, but didn't come up with anything of notice.

There is nothing in the task scheduler, I've been checking the event logs to see if there's something strange around the time the folder creation happened, as you said, but there doesn't seem to be anything out of place. There's only one small thing, a missed call to a service linked to pctsSvc.exe. I don't have this file on my pc but the call is about the time when the winnt folder appeared yesterday evening.
 
05.10.2008 at 05:39AM PDT, ID: 21538786
I have noticed through the firewall log that around the time when the winnt folder appears there's often blocked activity with intrusion attempts through ports 445 and 135.
 
05.10.2008 at 04:39PM PDT, ID: 21540944
OK, those blocked activity attempts will be the service trying to "phone home".

Run a registry search for "pctsSvc.exe" and see if you can find anything. If you do, don't delete the key straight away; check all the properties, keys and values within that registry entry and then continue searching (hit F3).

Once the registry comes up with no more matches, post up here everything you found, especially the symlinks (79847398478893785403047843-type numbers); these reference other keys in the registry hive, any referenced filenames, etc. within the key.

Even if it doesn't look like it might be important, post it anyway. These are things that the virus scanner might miss, and also HijackThis. Viruses are created to survive scanners; sometimes you just can't beat a manual removal.

Removing viruses manually isn't always easy, but it is effective.
Accepted Solution
 
05.11.2008 at 04:12AM PDT, ID: 21542100
There's nothing with pctsSvc in the registry. I looked also for psexesvc, here's what I found:

HKEY_CURRENT_USER\Software\DownloadManager\5266, Referer, http://www.exterminate-it.com/malpedia/remove-psexesvc
HKEY_CURRENT_USER\Software\DownloadManager\5268, Referer, http://www.spywaredb.com/remove-psexesvc/
HKEY_CURRENT_USER\Software\Sysinternals\Process Monitor, FilterRules, 01 03 00 00 00 87 9c 00 00 06 00 00 00 01 12 00 00 00 70 00 73 00 65 00 78 00 65 00 73 00 76 00 63 00 00 00 00 00 00 00 00 00 00 00 87 9c 00 00 06 00 00 00 01 12 00 00 00 63 00 3a 00 5c 00 77 00 69 00 6e 00 6e 00 74 00 00 00 00 00 00 00 00 00 00 00 92 9c 00 00 00 00 00 00 00 14 00 00 00 50 00 72 00 6f 00 66 00 69 00 6c 00 69 00 6e 00 67 00 00 00 00 00 00 00 00 00 00 00
HKEY_CURRENT_USER\Software\Sysinternals\Process Monitor, Filter#Fottuto psexesvc e affini
HKEY_CURRENT_USER\Software\Sysinternals\Process Monitor, Filter#Fottuto psexesvc e affini, 01 03 00 00 00 87 9c 00 00 06 00 00 00 01 12 00 00 00 70 00 73 00 65 00 78 00 65 00 73 00 76 00 63 00 00 00 00 00 00 00 00 00 00 00 87 9c 00 00 06 00 00 00 01 12 00 00 00 63 00 3a 00 5c 00 77 00 69 00 6e 00 6e 00 74 00 00 00 00 00 00 00 00 00 00 00 92 9c 00 00 00 00 00 00 00 14 00 00 00 50 00 72 00 6f 00 66 00 69 00 6c 00 69 00 6e 00 67 00 00 00 00 00 00 00 00 00 00 00
HKEY_LOCAL_MACHINE\SYSTEM\Software\Comodo\Firewall Pro\Configurations\0\HIPS\Policy\349, Filename, c:\windows\system32\psexesvc.exe
HKEY_LOCAL_MACHINE\SYSTEM\Software\Comodo\Firewall Pro\Configurations\0\HIPS\Policy\349, DeviceName, c:\windows\system32\psexesvc.exe

I think I have an explanation for these though: the first two are web pages where I downloaded info about psexesvc.exe, the following three are the settings for Process Monitor (I configured it so it filters away actions not related to this damn trojan) and the last two are configurations I added to the firewall (I blocked any possible activity from psexesvc.exe).
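The registry search recommended in the accepted answer, as an added PowerShell example (not code from the thread). It lists every hit in one go instead of stepping through with F3, searches key names, value names and value data, and decodes REG_BINARY data as UTF-16 and ANSI text so a string buried in a binary blob still matches; the Process Monitor filter values in the findings above are exactly that case (the UTF-16 bytes 70 00 73 00 65 00 78 00 ... spell psexesvc). The default pattern and the hive roots are parameters.

```powershell
# Added example, not from the thread. The registry search recommended above, done from
# PowerShell instead of regedit's F3 so every hit is listed in one go. It checks key
# names, value names and value data, and decodes REG_BINARY data as UTF-16 and ANSI
# text so a string buried in a binary blob (as in the Process Monitor filters listed
# in the findings above) still matches. Pattern and roots are parameters.
param(
    [string]$Pattern = 'pctsSvc.exe',
    [string[]]$Roots = @('HKLM:\SOFTWARE', 'HKLM:\SYSTEM', 'HKCU:\Software', 'HKU:\')
)
$rx = [regex]::Escape($Pattern)

# HKU: is not mapped by default; add it so other users' hives are covered too.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

function Get-ValueText($data) {
    if ($null -eq $data) { return '' }
    if ($data -is [byte[]]) {
        # Try both encodings; config blobs are usually one or the other.
        return ([Text.Encoding]::Unicode.GetString($data) + "`n" +
                [Text.Encoding]::Default.GetString($data))
    }
    return [string]::Join("`n", @($data))   # REG_SZ, REG_EXPAND_SZ, REG_MULTI_SZ, DWORD
}

foreach ($root in $Roots) {
    Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $key = $_
        if ($key.PSChildName -match $rx) { Write-Output "[KEY]   $($key.Name)" }
        foreach ($name in $key.GetValueNames()) {
            $text = Get-ValueText ($key.GetValue($name, $null, 'DoNotExpandEnvironmentNames'))
            if ($name -match $rx -or $text -match $rx) {
                if ($name -eq '') { $shown = '(Default)' } else { $shown = $name }
                $preview = $text -replace "`n", ' '
                if ($preview.Length -gt 120) { $preview = $preview.Substring(0, 120) + '...' }
                Write-Output "[VALUE] $($key.Name) :: $shown = $preview"
            }
        }
    }
}
```

Run it from an Administrator prompt; keys the account cannot read are skipped silently. A live search can still be blinded by a rootkit hiding keys from the running system, so if it comes up clean and the service keeps returning, boot UBCD4Win, load the offline hive with `reg load HKLM\Offline C:\WINDOWS\system32\config\system`, and add `HKLM:\Offline` to $Roots.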
 
05.11.2008 at 04:41AM PDT, ID: 21542156
Sounds about right to me.

OK, so something is creating these files on Friday regardless of rebooting or not?
Usually the service will be set to run on bootup.

http://www.prevx.com/filenames/X1374073016078011381-0/PCTSSVC.EXE.html

Looks like a nasty piece of programming, although it seems to be associated with Spyware Doctor. I guess the properties of the program are useful for killing viruses.

Give this a try: http://www.exterminate-it.com/malpedia/remove-psexesvc
It claims to detect all associated files with found malware. Might do the trick; we just really need to know which process is creating the folder.
 
05.11.2008 at 08:26AM PDT, ID: 21542666
I am checking the system with exterminate it, it's the trial version so it won't allow me to clean the hard drive if it finds something, but at least we'll see what it finds. I'll report results later, looks like it's a long wait.
 
05.11.2008 at 08:41AM PDT, ID: 21542703
Ok, it ran but it just found a tracking cookie which I manually removed. I guess the only option left is to wait for friday and see if Process Monitor can intercept the malicious process. I've set the filter to make it intercept any process meddling with a path containing C:\winnt or psexesvc or pctssvc.

I've tested by manually creating folders and files with those names and my activity got intercepted and logged, so I hope it works.
 
05.11.2008 at 12:38PM PDT, ID: 21543260
Sounds good - should do the trick.
 
05.16.2008 at 03:25PM PDT, ID: 21586938
OK, Friday has passed and no trace of the virus. I guess I'll give points to all the people who gave consistent help, since there was no definitive solution. Thanks everybody.