• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1755
  • Last Modified:

Can't Remove dvdfax.exe

I have found a process running on one of our computers.
dvdfax.exe

This file is hidden in the C:\WINDOWS\TASKS folder.
There was a reference to is in the registry, as well:   RUNONCE: dvdfax.exe rerun

I can not end the task in taskmanager...it simply reloads a moment later.

Once I kill it in the registry and reboot...I can stop the file in taskmanager (although, I'm not sure how it reloaded in the first place)...HOWEVER...it seems to create addtional .exe files:  In the past hour I have noticed new files running in RUNONCE portion of registry, and in the Taskmanger:
antihard.exe
winimprvse.exe
inetanti.exe
catvga.exe

I am looking for information about the original culprit:    dvdfax.exe
Where did it come from?
What harm can it cause?
How can I permenantly remove it?
etc....

Thanks,

kloder
0
kloder
Asked:
kloder
  • 11
  • 6
  • 2
1 Solution
 
Asta CuTechnical consultant & graphic designCommented:
I happen to know German and found others in Germany with this same problem.

Have you scanned with a good updated Viruscan Program Deep Scanning as well as Spyware fighters?

Tried HijackThis?
0
 
Asta CuTechnical consultant & graphic designCommented:
http://www.experts-exchange.com/Web/Browser_Issues/Q_20975384.html  Many spyware tools and links here.  I choose Adaware SE Pro and updtae it and do deep scanning including the Hosts file.  Also Spybot S&D and udpate it and use the Immunize function.... Then HijackThis to scan the system and post the resulting log here to get insight:
http://www.hijackthis.de/index.php?langselect=english
Post our HijackThis log results in the above and paste the problems of items you can't understand here (not the full log); we can help further.  The HijackThis process and recommendations follow in the link below.

http://www.experts-exchange.com/Web/Browser_Issues/Q_21149514.html

Asta
0
 
kloderAuthor Commented:
Yes.
I have scanned the machine with 10/29/2004 STINGER

I have scanned the machine with McAfee Antivirus ASaP (which is currently updated to today's date and .dat files

Both programs found nothing.

I have also run updated versions of:
Lavasoft's Ad-Aware SE v. 1.05
and
SpyBot 1.3

Spybot detects...but cannot shut down or remove:  Cydoor and Webinstall references.

I manually searched and deleted registry references from all profiles on the pc...

When I reboot...they are back...

spybot again tries to remove but can't
0
How do you know if your security is working?

Protecting your business doesn’t have to mean sifting through endless alerts and notifications. With WatchGuard Total Security Suite, you can feel confident that your business is secure, meaning you can get back to the things that have been sitting on your to-do list.

 
Asta CuTechnical consultant & graphic designCommented:
It will always return if you don't turn off system restore prior to cleaning it.... What is your Operating System?
0
 
Asta CuTechnical consultant & graphic designCommented:
So, turn off system restore (control panel - system - system restore).... then clean .... (viruscan then spyware tools).... then reboot and back to control panel - system - system restore to turn it back on.  Be sure WindowsUpdate is current .... let me know your progress or if more is needed.
0
 
kloderAuthor Commented:
I'm sorry I did not include that information earlier...but the FIRST thing I did was turn off system restore and shutdown the system.
 
Once it was powered up again...I started all of the above mentioned attempts.
0
 
Asta CuTechnical consultant & graphic designCommented:
start-run-msconfig and startup to clear any related items...
Then start-run-regedut ,, search your registry for the intruder (export keys first prior to fixing in case you need to restore)...

Look for run keys and runonce

At work, more when I can.
0
 
Asta CuTechnical consultant & graphic designCommented:
You also said ... Spybot detects...but cannot shut down or remove

Likely because the item is in use at startup

Try booting in SAFE MODE with Admin access and scan again.
0
 
kloderAuthor Commented:
Well...
Ran the scan again...after following the most recent advise.

Spybot SD 1.3 finds and kills 5 additional registry entries.
But......they return every time I reboot, re-run Spybot etc...

I do believe that I have found the offending files:
bkinst.exe  and unexp.exe  both tried to "run" while I was in SAFE mode.
Windows reported them as errors...
Further searching the internet reported this statement from  http://www.giantcompany.com:

LINK URL:     http://www.giantcompany.com/antispyware/research/spyware/spyware-Unclassified.Trojan.B.aspx

I remained in safe mode.
Located *.exe files that were tagged with    +h and +s  
These included:  bkinst.exe, antihard.exe, unexp.exe, and several wmiprsv.exe

I removed these files after removing the -h and -s attributes.

System seems to be running normal again now.

THANKS TO ALL THAT CONTRIBUTED!!!!
0
 
Asta CuTechnical consultant & graphic designCommented:
I was the only one here working with you, though it may appear to have been many of us, LOL.  Happy to hear the issue is resolved.  Best wishes to you,  Asta
0
 
kloderAuthor Commented:
I also noticed a file keyw.exe

Haven't found out where this all started...or additional risks that may exisit.

Giant Antispyware is running now....hope it does more than SpyBot SD


Thanks again for all YOUR help!!!

Ken
0
 
Asta CuTechnical consultant & graphic designCommented:
Thank you, Ken..... Found this in another German forum ....

To system start (win XP home) the error message comes:
KEYW.exe - errors in application
Application could not be initialized correctly (0xc0000005). Click on "OK ONE", in order to terminate application.

We do not know, to which this application is good. The file is in the "system32"-Ordner. I do not have already in regedit everything became scanned un fuendig.

On the equipment a virus "W32.Pinfi" is according to Norton.

Source here:  http://translate.google.com/translate?hl=en&sl=de&u=http://forum.de.selfhtml.org/archiv/2004/1/&prev=/search%3Fq%3Dkeyw.exe%26hl%3Den%26lr%3D%26sa%3DG

I could not find another think at McAfee, Norton or anywhere else on that exe file...  

If you do a right-click/properties, does it give you any information on that exe file at all?
0
 
kloderAuthor Commented:
My file was existing in the fonts directory...along with a couple other +s +h files:  
gepjssv.ini
gepjssv.tmp
wyek.bak1
wyek.bak2

I've noticed every .exe file is accompanied by a .bak1 and .bak2 and often an .ini

In the registry they are followed by   "rerun"

I have already reversed the attributes on the file and deleted it.

I will hunt the RUN command as soon as Giant AntiSpyware is done...since the machine tried to run keyw.exe ~ but couldn't find the file (since I had already found it and deleted it)

I've spent a lot of time on this...and would LOVE to find out where it all started and which of my users is responsible for it...(just so I can "properly" exterminate them...errr I mean educate them).  haha
0
 
Asta CuTechnical consultant & graphic designCommented:
It's been a real zonker, so to speak, trying to unravel the culprit.  Did more searching on www.google.com for this dvdfax.exe problem and rarely find anything in English, but the little I could determine from all of them is that it is 1) freeware/shareware 2) appears to be a cracking tool perhaps password type ..... all not good from the little I could find and the ones I could read about on various German forums are in your same situation; keeps coming back after using Norton 2004 and other products.  Gads, what a nighmare.
0
 
kloderAuthor Commented:
For sure.

Usually, my user's are pretty well behaved...but occaisionally they will seek software to "cover" their tracks...

It is in these cases that I get this kind of stuff on a machine.

I suspect they were trying to "remove" internet traces

I'm really surprised that there wasn't more out there.

The timedata on the bkinst.exe file is 4:54 am on 10/14

I've had reports from my users that the computer was running slow and that virus scans were clear....so I finally got a hold of the computer and looked deeper....

Thanks again for the help and concern.

this was my first time in the forum...its pretty cool!!!

I concur with you...very little info...and most is German

Yahoo came up with a few "forums" discussing these files

I am wondering if I have to do some password changes around here today???
0
 
Asta CuTechnical consultant & graphic designCommented:
I wish we could make a better determination on how invasive this thing is; and what full functions it has .... if it contains variants and so on.  I'd sure be doing some serious talking to the people (if that's an option) and re-educating them on work systems and business-use only lectures.  Any way to check your user's history files for the day you think this activity was first loaded?  

Since you're a McAfee subscriber (as am I); I'd also consider escalating this issue to them since I could not find a trace of information there on this problem.   I would hope they'd either have some clues to help here or get the information and start loading the definition files to help fix them.....
Free Internet Chat - Available 24 x 7
 Speak one-on-one with a live support technician who can provide you with solutions and even assist you with downloading important files to your computer.
Average contact Length: 24 minutes
Estimated Wait Time: 1 minute
http://ts.mcafeehelp.com/default.asp?siteID=1&resolution=1024x768&rurl=&rqs=

I agree with you 100%.  I've been here for some years and think it's the greatest site out here, having been helped as well through time.

As regards changing passwords; can't say because I'm still not clear about what this has done to your security ...  wish I knew more or could have found more in these regards.

Asta
0
 
Asta CuTechnical consultant & graphic designCommented:
I spoke with McAfee via the Tech Chat and they advised me to do this....  will explore this on my brother's system as well, which appears to be similarly plagued.  Since he and I are both subscribers to the McAfee Security Center and Viruscan/Firewall Plus, found this helpful.

Synopsis.... I am very anxious to help you but I would like to inform you that we had a separate department for Virus and Spyware removal support having expert professionals the team of professionals I am referring you to is specifically trained to handle these kinds of issues., so you need to visit the site www.mcafeehelp.com and select the option "Virus Removal Support" they have the latest tools that help you in resolving your issue.

You can submit the file to the McAfee AntiVirus Emergency Response Team (AVERT™) for research.
Email the zip infected file to the Virus Research Team at virus_research@nai.com.

0
 
lawrencet-dCommented:
I was called out today to examine a client's laptop that was being eaten alive by a runaway process called regexp.exe - it was consuming over 100,000Kb ram but the total used cycled up and down in waves. Autoruns found HKLM referencing an exe in the c:\windows\system folder (not system32). It was a hidden system file and had some interesting companion files called pxeger.tmp, pxeger.ini, pxeger.bak1 and pxeger.bak2. They were HUGE. The ini file was close to 1/2 Gig. I used filesnoop to examine them all and there was no discernable text in them. These were very similar to the file types found by kloder.

Spysweeper, Spybot, Adaware SE and Trend Micro never paid any attention to them!

A Google search for led me to believe that the exe was possibly a java based web server. I'd really like to get more information on this one. Is this a new exploit?

PS This was an XP SP1 system.
0
 
lawrencet-dCommented:
Well just after I posted, I came across this:

http://www.sophos.com/virusinfo/analyses/trojagentas.html 

This is the culprit!
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

How do you know if your security is working?

Protecting your business doesn’t have to mean sifting through endless alerts and notifications. With WatchGuard Total Security Suite, you can feel confident that your business is secure, meaning you can get back to the things that have been sitting on your to-do list.

  • 11
  • 6
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now