Solved

Can't Remove dvdfax.exe

Posted on 2004-11-01
19 comments | Medium Priority | 1,749 Views | Last Modified: 2012-06-21
I have found a process running on one of our computers.
dvdfax.exe

This file is hidden in the C:\WINDOWS\TASKS folder.
There was a reference to it in the registry, as well:   RUNONCE: dvdfax.exe rerun

I cannot end the task in Task Manager...it simply reloads a moment later.

Once I kill it in the registry and reboot...I can stop the file in Task Manager (although, I'm not sure how it reloaded in the first place)...HOWEVER...it seems to create additional .exe files:  In the past hour I have noticed new files running in the RUNONCE portion of the registry, and in Task Manager:
antihard.exe
winimprvse.exe
inetanti.exe
catvga.exe

I am looking for information about the original culprit:    dvdfax.exe
Where did it come from?
What harm can it cause?
How can I permanently remove it?
etc....

Thanks,

kloder
Question by:kloder
19 Comments
 
LVL 27

Expert Comment

by:Asta Cu
ID: 12468506
I happen to know German and found others in Germany with this same problem.

Have you scanned with a good updated Viruscan Program Deep Scanning as well as Spyware fighters?

Tried HijackThis?
0
 
LVL 27

Expert Comment

by:Asta Cu
ID: 12468518
http://www.experts-exchange.com/Web/Browser_Issues/Q_20975384.html  Many spyware tools and links here.  I choose Adaware SE Pro and update it and do deep scanning including the Hosts file.  Also Spybot S&D and update it and use the Immunize function.... Then HijackThis to scan the system and post the resulting log here to get insight:
http://www.hijackthis.de/index.php?langselect=english
Post your HijackThis log results in the above and paste the problems of items you can't understand here (not the full log); we can help further.  The HijackThis process and recommendations follow in the link below.

http://www.experts-exchange.com/Web/Browser_Issues/Q_21149514.html

Asta
0
 

Author Comment

by:kloder
ID: 12468530
Yes.
I have scanned the machine with 10/29/2004 STINGER

I have scanned the machine with McAfee Antivirus ASaP (which is currently updated to today's date and .dat files)

Both programs found nothing.

I have also run updated versions of:
Lavasoft's Ad-Aware SE v. 1.05
and
SpyBot 1.3

Spybot detects...but cannot shut down or remove:  Cydoor and Webinstall references.

I manually searched and deleted registry references from all profiles on the pc...

When I reboot...they are back...

spybot again tries to remove but can't
0
 
LVL 27

Expert Comment

by:Asta Cu
ID: 12468563
It will always return if you don't turn off system restore prior to cleaning it.... What is your Operating System?
0
 
LVL 27

Expert Comment

by:Asta Cu
ID: 12468577
So, turn off system restore (control panel - system - system restore).... then clean .... (viruscan then spyware tools).... then reboot and back to control panel - system - system restore to turn it back on.  Be sure WindowsUpdate is current .... let me know your progress or if more is needed.
0
 

Author Comment

by:kloder
ID: 12468596
I'm sorry I did not include that information earlier...but the FIRST thing I did was turn off system restore and shutdown the system.
 
Once it was powered up again...I started all of the above mentioned attempts.
0
 
LVL 27

Expert Comment

by:Asta Cu
ID: 12468618
start-run-msconfig and startup to clear any related items...
Then start-run-regedit, search your registry for the intruder (export keys first prior to fixing in case you need to restore)...

Look for run keys and runonce

At work, more when I can.
0
 
LVL 27

Expert Comment

by:Asta Cu
ID: 12468625
You also said ... Spybot detects...but cannot shut down or remove

Likely because the item is in use at startup

Try booting in SAFE MODE with Admin access and scan again.
0
 

Author Comment

by:kloder
ID: 12470189
Well...
Ran the scan again...after following the most recent advice.

Spybot SD 1.3 finds and kills 5 additional registry entries.
But......they return every time I reboot, re-run Spybot etc...

I do believe that I have found the offending files:
bkinst.exe  and unexp.exe  both tried to "run" while I was in SAFE mode.
Windows reported them as errors...
Further searching the internet reported this statement from  http://www.giantcompany.com:

LINK URL:     http://www.giantcompany.com/antispyware/research/spyware/spyware-Unclassified.Trojan.B.aspx

I remained in safe mode.
Located *.exe files that were tagged with    +h and +s  
These included:  bkinst.exe, antihard.exe, unexp.exe, and several wmiprsv.exe

I removed these files after removing the -h and -s attributes.

System seems to be running normal again now.

THANKS TO ALL THAT CONTRIBUTED!!!!
0
 
LVL 27

Accepted Solution

by:
Asta Cu earned 500 total points
ID: 12472392
I was the only one here working with you, though it may appear to have been many of us, LOL.  Happy to hear the issue is resolved.  Best wishes to you,  Asta
0
 

Author Comment

by:kloder
ID: 12472668
I also noticed a file keyw.exe

Haven't found out where this all started...or additional risks that may exist.

Giant Antispyware is running now....hope it does more than SpyBot SD


Thanks again for all YOUR help!!!

Ken
0
 
LVL 27

Expert Comment

by:Asta Cu
ID: 12472797
Thank you, Ken..... Found this in another German forum ....

To system start (win XP home) the error message comes:
KEYW.exe - errors in application
Application could not be initialized correctly (0xc0000005). Click on "OK ONE", in order to terminate application.

We do not know, to which this application is good. The file is in the "system32"-Ordner. I do not have already in regedit everything became scanned un fuendig.

On the equipment a virus "W32.Pinfi" is according to Norton.

Source here:  http://translate.google.com/translate?hl=en&sl=de&u=http://forum.de.selfhtml.org/archiv/2004/1/&prev=/search%3Fq%3Dkeyw.exe%26hl%3Den%26lr%3D%26sa%3DG

I could not find another thing at McAfee, Norton or anywhere else on that exe file...

If you do a right-click/properties, does it give you any information on that exe file at all?
0
 

Author Comment

by:kloder
ID: 12472896
My file was existing in the fonts directory...along with a couple other +s +h files:  
gepjssv.ini
gepjssv.tmp
wyek.bak1
wyek.bak2

I've noticed every .exe file is accompanied by a .bak1 and .bak2 and often an .ini

In the registry they are followed by   "rerun"

I have already reversed the attributes on the file and deleted it.

I will hunt the RUN command as soon as Giant AntiSpyware is done...since the machine tried to run keyw.exe ~ but couldn't find the file (since I had already found it and deleted it)

I've spent a lot of time on this...and would LOVE to find out where it all started and which of my users is responsible for it...(just so I can "properly" exterminate them...errr I mean educate them).  haha
0
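The two posts above describe the indicators kloder worked from: values under the Run/RunOnce keys ending in "rerun", and hidden+system (+h +s) .exe files in folders such as TASKS and Fonts, each accompanied by .bak1/.bak2 and often .ini/.tmp files. The following PowerShell script is an added example, not code from the thread or from any of the tools named in it; it collects those indicators for review and, following Asta's advice, exports the Run/RunOnce keys before anyone edits them. The folder list, the companion-file extensions and the "rerun" pattern are assumptions taken from the posts, not a vendor signature, and nothing here deletes or modifies anything.

```powershell
# Added example (not from the thread): gather the autostart and hidden-file
# indicators described by kloder so an administrator can review them.
# Folder list, extensions and the "rerun" pattern are assumptions from the posts.

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Folders the thread mentions (TASKS, fonts, system) plus system32 for completeness.
$SuspectFolders = @(
    "$env:SystemRoot\Tasks",
    "$env:SystemRoot\Fonts",
    "$env:SystemRoot\System",
    "$env:SystemRoot\System32"
)

# Extensions seen beside the dropped executables in the thread.
$CompanionExtensions = @('.exe', '.ini', '.tmp', '.bak1', '.bak2')

function Export-RunKeys {
    # Back up each Run/RunOnce key to a .reg file before any manual cleanup,
    # as recommended in the thread. Uses the built-in reg.exe exporter.
    param([string]$OutDir = "$env:TEMP\runkey-backup")
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    foreach ($key in $RunKeys) {
        $regPath = $key -replace '^HKLM:\\', 'HKLM\' -replace '^HKCU:\\', 'HKCU\'
        $file = Join-Path $OutDir (($regPath -replace '[\\:]', '_') + '.reg')
        & reg.exe export $regPath $file /y | Out-Null
    }
    Get-ChildItem -Path $OutDir -Filter *.reg
}

function Get-AutostartEntries {
    # List every value under the Run/RunOnce keys and flag commands ending in "rerun".
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own metadata members
            $cmd = [string]$p.Value
            [pscustomobject]@{
                Key        = $key
                Name       = $p.Name
                Command    = $cmd
                Suspicious = ($cmd -match '\brerun\s*$')   # pattern reported in the thread
            }
        }
    }
}

function Get-HiddenSystemFiles {
    # Find files carrying both the Hidden and System attributes with one of the
    # companion extensions, grouped by folder so the .exe/.bak1/.bak2/.ini sets
    # described in the thread stand out together.
    param([string[]]$Folders = $SuspectFolders)
    foreach ($folder in $Folders) {
        if (-not (Test-Path $folder)) { continue }
        Get-ChildItem -Path $folder -Force -File -ErrorAction SilentlyContinue |
            Where-Object {
                $CompanionExtensions -contains $_.Extension.ToLower() -and
                (($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0) -and
                (($_.Attributes -band [IO.FileAttributes]::System) -ne 0)
            } |
            ForEach-Object {
                [pscustomobject]@{
                    Folder   = $folder
                    Name     = $_.Name
                    SizeKB   = [math]::Round($_.Length / 1KB, 1)
                    Created  = $_.CreationTime   # kloder used this to date the infection
                    Modified = $_.LastWriteTime
                }
            }
    }
}

# Usage: run from an elevated prompt (Safe Mode, as suggested in the thread).
Export-RunKeys | Format-Table Name, Length -AutoSize
Get-AutostartEntries | Sort-Object Suspicious -Descending | Format-Table -AutoSize
Get-HiddenSystemFiles | Sort-Object Folder, Created | Format-Table -AutoSize
```

The output is meant to be read alongside a current antivirus scan, not instead of one: a hidden+system .exe in the Fonts folder with a same-day .bak1/.bak2 pair is a strong lead worth submitting to the vendor, as Asta suggests later in the thread, but legitimate software occasionally sets those attributes too, so compare creation times and the Run/RunOnce commands before removing anything.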
 
LVL 27

Expert Comment

by:Asta Cu
ID: 12473100
It's been a real zonker, so to speak, trying to unravel the culprit.  Did more searching on www.google.com for this dvdfax.exe problem and rarely find anything in English, but the little I could determine from all of them is that it is 1) freeware/shareware 2) appears to be a cracking tool perhaps password type ..... all not good from the little I could find and the ones I could read about on various German forums are in your same situation; keeps coming back after using Norton 2004 and other products.  Gads, what a nightmare.
0
 

Author Comment

by:kloder
ID: 12473203
For sure.

Usually, my users are pretty well behaved...but occasionally they will seek software to "cover" their tracks...

It is in these cases that I get this kind of stuff on a machine.

I suspect they were trying to "remove" internet traces

I'm really surprised that there wasn't more out there.

The timedata on the bkinst.exe file is 4:54 am on 10/14

I've had reports from my users that the computer was running slow and that virus scans were clear....so I finally got a hold of the computer and looked deeper....

Thanks again for the help and concern.

this was my first time in the forum...its pretty cool!!!

I concur with you...very little info...and most is German

Yahoo came up with a few "forums" discussing these files

I am wondering if I have to do some password changes around here today???
0
 
LVL 27

Expert Comment

by:Asta Cu
ID: 12473368
I wish we could make a better determination on how invasive this thing is; and what full functions it has .... if it contains variants and so on.  I'd sure be doing some serious talking to the people (if that's an option) and re-educating them on work systems and business-use only lectures.  Any way to check your users' history files for the day you think this activity was first loaded?

Since you're a McAfee subscriber (as am I); I'd also consider escalating this issue to them since I could not find a trace of information there on this problem.   I would hope they'd either have some clues to help here or get the information and start loading the definition files to help fix them.....
Free Internet Chat - Available 24 x 7
 Speak one-on-one with a live support technician who can provide you with solutions and even assist you with downloading important files to your computer.
Average contact Length: 24 minutes
Estimated Wait Time: 1 minute
http://ts.mcafeehelp.com/default.asp?siteID=1&resolution=1024x768&rurl=&rqs=

I agree with you 100%.  I've been here for some years and think it's the greatest site out here, having been helped as well through time.

As regards changing passwords; can't say because I'm still not clear about what this has done to your security ...  wish I knew more or could have found more in these regards.

Asta
0
 
LVL 27

Expert Comment

by:Asta Cu
ID: 12473778
I spoke with McAfee via the Tech Chat and they advised me to do this....  will explore this on my brother's system as well, which appears to be similarly plagued.  Since he and I are both subscribers to the McAfee Security Center and Viruscan/Firewall Plus, found this helpful.

Synopsis.... I am very anxious to help you but I would like to inform you that we had a separate department for Virus and Spyware removal support having expert professionals; the team of professionals I am referring you to is specifically trained to handle these kinds of issues, so you need to visit the site www.mcafeehelp.com and select the option "Virus Removal Support"; they have the latest tools that help you in resolving your issue.

You can submit the file to the McAfee AntiVirus Emergency Response Team (AVERT™) for research.
Email the zip infected file to the Virus Research Team at virus_research@nai.com.

0
 

Expert Comment

by:lawrencet-d
ID: 12611299
I was called out today to examine a client's laptop that was being eaten alive by a runaway process called regexp.exe - it was consuming over 100,000Kb ram but the total used cycled up and down in waves. Autoruns found HKLM referencing an exe in the c:\windows\system folder (not system32). It was a hidden system file and had some interesting companion files called pxeger.tmp, pxeger.ini, pxeger.bak1 and pxeger.bak2. They were HUGE. The ini file was close to 1/2 Gig. I used filesnoop to examine them all and there was no discernable text in them. These were very similar to the file types found by kloder.

Spysweeper, Spybot, Adaware SE and Trend Micro never paid any attention to them!

A Google search for led me to believe that the exe was possibly a java based web server. I'd really like to get more information on this one. Is this a new exploit?

PS This was an XP SP1 system.
0
 

Expert Comment

by:lawrencet-d
ID: 12611330
Well just after I posted, I came across this:

http://www.sophos.com/virusinfo/analyses/trojagentas.html 

This is the culprit!
0