Solved

Can't Remove dvdfax.exe

Posted on 2004-11-01
1,735 Views
Last Modified: 2012-06-21
I have found a process running on one of our computers.
dvdfax.exe

This file is hidden in the C:\WINDOWS\TASKS folder.
There was a reference to it in the registry, as well:   RUNONCE: dvdfax.exe rerun

I can not end the task in taskmanager...it simply reloads a moment later.

Once I kill it in the registry and reboot...I can stop the file in Task Manager (although, I'm not sure how it reloaded in the first place)...HOWEVER...it seems to create additional .exe files:  In the past hour I have noticed new files running in the RUNONCE portion of the registry, and in the Task Manager:
antihard.exe
winimprvse.exe
inetanti.exe
catvga.exe

I am looking for information about the original culprit:    dvdfax.exe
Where did it come from?
What harm can it cause?
How can I permanently remove it?
etc....

Thanks,

kloder
0
Question by:kloder
    19 Comments
     
    LVL 27

    Expert Comment

    by:Asta Cu
    I happen to know German and found others in Germany with this same problem.

    Have you scanned with a good updated Viruscan Program Deep Scanning as well as Spyware fighters?

    Tried HijackThis?
    0
     
    LVL 27

    Expert Comment

    by:Asta Cu
    http://www.experts-exchange.com/Web/Browser_Issues/Q_20975384.html  Many spyware tools and links here.  I choose Ad-Aware SE Pro and update it and do deep scanning including the Hosts file.  Also Spybot S&D and update it and use the Immunize function.... Then HijackThis to scan the system and post the resulting log here to get insight:
    http://www.hijackthis.de/index.php?langselect=english
    Post your HijackThis log results in the above and paste the problems of items you can't understand here (not the full log); we can help further.  The HijackThis process and recommendations follow in the link below.

    http://www.experts-exchange.com/Web/Browser_Issues/Q_21149514.html

    Asta
    0
     

    Author Comment

    by:kloder
    Yes.
    I have scanned the machine with 10/29/2004 STINGER

    I have scanned the machine with McAfee Antivirus ASaP (which is currently updated to today's date and .dat files

    Both programs found nothing.

    I have also run updated versions of:
    Lavasoft's Ad-Aware SE v. 1.05
    and
    SpyBot 1.3

    Spybot detects...but cannot shut down or remove:  Cydoor and Webinstall references.

    I manually searched and deleted registry references from all profiles on the pc...

    When I reboot...they are back...

    spybot again tries to remove but can't
    0
     
    LVL 27

    Expert Comment

    by:Asta Cu
    It will always return if you don't turn off system restore prior to cleaning it.... What is your Operating System?
    0
     
    LVL 27

    Expert Comment

    by:Asta Cu
    So, turn off system restore (control panel - system - system restore).... then clean .... (viruscan then spyware tools).... then reboot and back to control panel - system - system restore to turn it back on.  Be sure WindowsUpdate is current .... let me know your progress or if more is needed.
    0
     

    Author Comment

    by:kloder
    I'm sorry I did not include that information earlier...but the FIRST thing I did was turn off system restore and shutdown the system.
     
    Once it was powered up again...I started all of the above mentioned attempts.
    0
     
    LVL 27

    Expert Comment

    by:Asta Cu
    start-run-msconfig and startup to clear any related items...
    Then start-run-regedit, search your registry for the intruder (export keys first prior to fixing in case you need to restore)...

    Look for run keys and runonce

    At work, more when I can.
    0
     
    LVL 27

    Expert Comment

    by:Asta Cu
    You also said ... Spybot detects...but cannot shut down or remove

    Likely because the item is in use at startup

    Try booting in SAFE MODE with Admin access and scan again.
    0
     

    Author Comment

    by:kloder
    Well...
    Ran the scan again...after following the most recent advice.

    Spybot SD 1.3 finds and kills 5 additional registry entries.
    But......they return every time I reboot, re-run Spybot etc...

    I do believe that I have found the offending files:
    bkinst.exe  and unexp.exe  both tried to "run" while I was in SAFE mode.
    Windows reported them as errors...
    Further searching the internet reported this statement from  http://www.giantcompany.com:

    LINK URL:     http://www.giantcompany.com/antispyware/research/spyware/spyware-Unclassified.Trojan.B.aspx

    I remained in safe mode.
    Located *.exe files that were tagged with    +h and +s  
    These included:  bkinst.exe, antihard.exe, unexp.exe, and several wmiprsv.exe

    I removed these files after removing the -h and -s attributes.

    System seems to be running normal again now.

    THANKS TO ALL THAT CONTRIBUTED!!!!
    0
     
    LVL 27

    Accepted Solution

    by:
    I was the only one here working with you, though it may appear to have been many of us, LOL.  Happy to hear the issue is resolved.  Best wishes to you,  Asta
    0
     

    Author Comment

    by:kloder
    I also noticed a file keyw.exe

    Haven't found out where this all started...or additional risks that may exist.

    Giant Antispyware is running now....hope it does more than SpyBot SD


    Thanks again for all YOUR help!!!

    Ken
    0
     
    LVL 27

    Expert Comment

    by:Asta Cu
    Thank you, Ken..... Found this in another German forum ....

    To system start (win XP home) the error message comes:
    KEYW.exe - errors in application
    Application could not be initialized correctly (0xc0000005). Click on "OK ONE", in order to terminate application.

    We do not know, to which this application is good. The file is in the "system32" folder. I do not have already in regedit everything became scanned un fuendig.

    On the equipment a virus "W32.Pinfi" is according to Norton.

    Source here:  http://translate.google.com/translate?hl=en&sl=de&u=http://forum.de.selfhtml.org/archiv/2004/1/&prev=/search%3Fq%3Dkeyw.exe%26hl%3Den%26lr%3D%26sa%3DG

    I could not find anything at McAfee, Norton or anywhere else on that exe file...

    If you do a right-click/properties, does it give you any information on that exe file at all?
    0
     

    Author Comment

    by:kloder
    My file was existing in the fonts directory...along with a couple other +s +h files:  
    gepjssv.ini
    gepjssv.tmp
    wyek.bak1
    wyek.bak2

    I've noticed every .exe file is accompanied by a .bak1 and .bak2 and often an .ini

    In the registry they are followed by   "rerun"

    I have already reversed the attributes on the file and deleted it.

    I will hunt the RUN command as soon as Giant AntiSpyware is done...since the machine tried to run keyw.exe ~ but couldn't find the file (since I had already found it and deleted it)

    I've spent a lot of time on this...and would LOVE to find out where it all started and which of my users is responsible for it...(just so I can "properly" exterminate them...errr I mean educate them).  haha
    0
     
    LVL 27

    Expert Comment

    by:Asta Cu
    It's been a real zonker, so to speak, trying to unravel the culprit.  Did more searching on www.google.com for this dvdfax.exe problem and rarely find anything in English, but the little I could determine from all of them is that it is 1) freeware/shareware 2) appears to be a cracking tool perhaps password type ..... all not good from the little I could find and the ones I could read about on various German forums are in your same situation; keeps coming back after using Norton 2004 and other products.  Gads, what a nightmare.
    0
     

    Author Comment

    by:kloder
    For sure.

    Usually, my users are pretty well behaved...but occasionally they will seek software to "cover" their tracks...

    It is in these cases that I get this kind of stuff on a machine.

    I suspect they were trying to "remove" internet traces

    I'm really surprised that there wasn't more out there.

    The timedata on the bkinst.exe file is 4:54 am on 10/14

    I've had reports from my users that the computer was running slow and that virus scans were clear....so I finally got a hold of the computer and looked deeper....

    Thanks again for the help and concern.

    This was my first time in the forum...it's pretty cool!!!

    I concur with you...very little info...and most is German

    Yahoo came up with a few "forums" discussing these files

    I am wondering if I have to do some password changes around here today???
    0
     
    LVL 27

    Expert Comment

    by:Asta Cu
    I wish we could make a better determination on how invasive this thing is; and what full functions it has .... if it contains variants and so on.  I'd sure be doing some serious talking to the people (if that's an option) and re-educating them on work systems and business-use only lectures.  Any way to check your users' history files for the day you think this activity was first loaded?

    Since you're a McAfee subscriber (as am I); I'd also consider escalating this issue to them since I could not find a trace of information there on this problem.   I would hope they'd either have some clues to help here or get the information and start loading the definition files to help fix them.....
    Free Internet Chat - Available 24 x 7
     Speak one-on-one with a live support technician who can provide you with solutions and even assist you with downloading important files to your computer.
    Average contact Length: 24 minutes
    Estimated Wait Time: 1 minute
    http://ts.mcafeehelp.com/default.asp?siteID=1&resolution=1024x768&rurl=&rqs=

    I agree with you 100%.  I've been here for some years and think it's the greatest site out here, having been helped as well through time.

    As regards changing passwords; can't say because I'm still not clear about what this has done to your security ...  wish I knew more or could have found more in these regards.

    Asta
    0
     
    LVL 27

    Expert Comment

    by:Asta Cu
    I spoke with McAfee via the Tech Chat and they advised me to do this....  will explore this on my brother's system as well, which appears to be similarly plagued.  Since he and I are both subscribers to the McAfee Security Center and Viruscan/Firewall Plus, found this helpful.

    Synopsis.... I am very anxious to help you but I would like to inform you that we had a separate department for Virus and Spyware removal support having expert professionals the team of professionals I am referring you to is specifically trained to handle these kinds of issues., so you need to visit the site www.mcafeehelp.com and select the option "Virus Removal Support" they have the latest tools that help you in resolving your issue.

    You can submit the file to the McAfee AntiVirus Emergency Response Team (AVERT™) for research.
    Email the zip infected file to the Virus Research Team at virus_research@nai.com.

    0
     

    Expert Comment

    by:lawrencet-d
    I was called out today to examine a client's laptop that was being eaten alive by a runaway process called regexp.exe - it was consuming over 100,000Kb ram but the total used cycled up and down in waves. Autoruns found HKLM referencing an exe in the c:\windows\system folder (not system32). It was a hidden system file and had some interesting companion files called pxeger.tmp, pxeger.ini, pxeger.bak1 and pxeger.bak2. They were HUGE. The ini file was close to 1/2 Gig. I used filesnoop to examine them all and there was no discernable text in them. These were very similar to the file types found by kloder.

    Spysweeper, Spybot, Adaware SE and Trend Micro never paid any attention to them!

    A Google search for led me to believe that the exe was possibly a java based web server. I'd really like to get more information on this one. Is this a new exploit?

    PS This was an XP SP1 system.
    0
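The indicators the posters converged on are consistent: executables carrying both the hidden and system attributes in unusual folders (Tasks, Fonts, System32, System), companion files with the same base name and .ini/.tmp/.bak1/.bak2 extensions, and Run/RunOnce values that name a bare filename followed by "rerun". The script below is an added, read-only audit for exactly those indicators; it is not code from the thread or from any of the products mentioned. The directory list, the companion-suffix list and the "rerun" token are assumptions taken from what kloder and lawrencet-d reported, and Get-FileHash requires PowerShell 4 or later (on the XP-era systems in the thread you would substitute another hashing tool). It changes nothing on disk or in the registry; it only reports, so the findings can be reviewed (and the registry keys exported, as Asta advised) before anything is removed.

```powershell
# Added audit example (not from the thread). Run from an elevated PowerShell
# prompt, ideally in Safe Mode as the poster did, so the sample is not live.
# ASSUMPTIONS: folder list and companion suffixes come from the posts above.

$AuditDirs = @(
    "$env:WINDIR\Tasks",
    "$env:WINDIR\Fonts",
    "$env:WINDIR\System32",
    "$env:WINDIR\System"
)
$CompanionExt = @('.ini', '.tmp', '.bak1', '.bak2')

function Get-HiddenSystemExecutables {
    # Lists *.exe files that carry BOTH Hidden and System attributes, plus any
    # same-base-name companion files, and hashes them for later submission.
    param([string[]]$Paths = $AuditDirs)
    foreach ($dir in $Paths) {
        if (-not (Test-Path -Path $dir)) { continue }
        # -Force is essential: without it Get-ChildItem silently skips hidden files.
        Get-ChildItem -Path $dir -Filter '*.exe' -Force -ErrorAction SilentlyContinue |
            Where-Object {
                ($_.Attributes -band [IO.FileAttributes]::Hidden) -and
                ($_.Attributes -band [IO.FileAttributes]::System)
            } |
            ForEach-Object {
                $exe  = $_
                $base = Join-Path -Path $exe.DirectoryName -ChildPath $exe.BaseName
                # Companion artifacts seen in the thread: name.ini / .tmp / .bak1 / .bak2
                $companions = $CompanionExt |
                    ForEach-Object { "$base$_" } |
                    Where-Object { Test-Path -Path $_ }
                [PSCustomObject]@{
                    Path        = $exe.FullName
                    LastWriteUtc = $exe.LastWriteTimeUtc   # the poster used this to date the infection
                    SizeBytes   = $exe.Length
                    Companions  = ($companions -join ';')
                    SHA256      = (Get-FileHash -Path $exe.FullName -Algorithm SHA256).Hash
                }
            }
    }
}

function Get-SuspiciousRunEntries {
    # Flags Run/RunOnce values that (a) pass a "rerun" argument, (b) name a bare
    # filename instead of a full path, or (c) point at a hidden executable.
    # HKCU covers only the user running the script; other profiles' NTUSER.DAT
    # hives must be loaded separately to check them.
    $keys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $keys) {
        if (-not (Test-Path -Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        $names = $props.PSObject.Properties |
            Where-Object { $_.Name -notmatch '^PS' } |     # drop PSPath/PSDrive/etc.
            Select-Object -ExpandProperty Name
        foreach ($name in $names) {
            $value   = [string]$props.$name
            $exePath = ($value -split '\s+')[0].Trim('"')   # first token = executable
            $flags   = @()
            if ($value -match '\brerun\b')                          { $flags += 'rerun-argument' }
            if ($exePath -and -not [IO.Path]::IsPathRooted($exePath)) { $flags += 'bare-filename' }
            if ($exePath -and [IO.Path]::IsPathRooted($exePath) -and (Test-Path -Path $exePath)) {
                $attr = (Get-Item -Path $exePath -Force).Attributes
                if ($attr -band [IO.FileAttributes]::Hidden) { $flags += 'hidden-target' }
            }
            if ($flags.Count -gt 0) {
                [PSCustomObject]@{ Key = $key; Name = $name; Value = $value; Flags = ($flags -join ',') }
            }
        }
    }
}

# Report only; nothing is deleted or modified.
Write-Host '== Hidden+System executables and companion files =='
Get-HiddenSystemExecutables | Format-Table -AutoSize
Write-Host '== Suspicious Run/RunOnce values =='
Get-SuspiciousRunEntries | Format-Table -AutoSize
```

The two functions deliberately report rather than clean: the thread shows the entries re-creating themselves on reboot, so the useful output is a list of every path and hash to capture first (and, as Asta suggested, to submit to the vendor), after which the files can be un-hidden with attrib and removed in Safe Mode the way kloder did. The hidden-target check mirrors the +h/+s pattern the poster found by hand; a legitimate Run entry almost never points at a hidden executable in the Fonts or Tasks folder.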
     

    Expert Comment

    by:lawrencet-d
    Well just after I posted, I came across this:

    http://www.sophos.com/virusinfo/analyses/trojagentas.html

    This is the culprit!
    0
