w4sgeen9[1].exe and or w4sgeen9.exe

Hello:

I did a routine scan with Norton AntiVirus 2005 and another with Pandasoftware Active Scan Pro as well as a few other spyware apps and the scans didn't turn up anything other than cookies.

I also looked through Sysinternals Process Explorer and didn't see anything suspicious there.

What is weird is that when I looked through the list of allowed programs in Norton Internet Security 2005 I found two: w4sgeen9[1].exe and w4sgeen9.exe.

When I did a search for them in Windows Explorer (with the checkbox selected for show hidden folders and files) neither showed up.

I have blocked access to both, but would be very interested in knowing what they do or what app they might be associated with.

Thanks!

Dave
daveokst Asked:

rpggamergirlCommented:
Do you know the path to those files?

Can we look at your Hijackthis log?

Download HijackThis 1.99.1:
http://www.majorgeeks.com/download3155.html
http://www.cyberanswers.org/forum/uploads/HijackThis1991.exe

Open HijackThis and click "Scan and save a logfile". Don't fix anything yet; just upload the logfile it creates and post the link to the log here.

Or copy and paste the log at
http://www.hijackthis.de/
and click Analyse, then Save. Post a link to the saved list here.


You could also try Ewido and see what it finds.
Download and install the free version of Ewido Security Suite.
http://www.ewido.net/en/download/
Update first then scan in safe mode.
rpggamergirlCommented:
Looks like those files point to a bad ActiveX control belonging to
http://w4s.work4sure.com/c/ge

It's NetSource101, which is in SpywareBlaster's restricted sites list.
There should be an entry related to it in the HijackThis log that you can fix.
daveokstAuthor Commented:
Hello:

I'll download the others; here is the path from the HijackThis scan...

O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - http://w4s.work4sure.com/c/ge/w4sgeen9.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {D6376DD2-C2BD-49B2-A1B1-138F869633F3} (ASPRO Installer Class) - http://acs.pandasoftware.com/activescanpro/as5/asproinst.cab
O16 - DPF: {F1EA17CB-F7BD-4108-A742-1BC7774383FF} (Seisint GraphView Control 1.0) - https://secure.accurint.


Thanks
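The O16 (DPF) lines above are the kind of entries a reviewer scans by eye. The following script, added here as an illustration and not part of the thread or of HijackThis itself, parses those lines into CLSID, friendly name and download URL, and flags the ones that lack a friendly name, come from a host outside a constructed allow-list, or point at a bare .exe instead of a .cab/.ocx package. The sample log is copied from the post above; the trusted-domain list and the heuristics are assumptions for the example.

```python
import re
from urllib.parse import urlparse

# Constructed sample: the three complete O16 lines from the HijackThis log posted above.
SAMPLE_LOG = """\
O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - http://w4s.work4sure.com/c/ge/w4sgeen9.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {D6376DD2-C2BD-49B2-A1B1-138F869633F3} (ASPRO Installer Class) - http://acs.pandasoftware.com/activescanpro/as5/asproinst.cab
"""

# "O16 - DPF: {CLSID} (Friendly Name) - URL"; the "(Friendly Name)" part is optional.
O16_RE = re.compile(r"^O16 - DPF: \{([0-9A-Fa-f-]{36})\}(?: \((.*?)\))? - (\S+)$")

# Assumed allow-list of publisher domains the reviewer already trusts (constructed for this example).
TRUSTED_DOMAINS = {"microsoft.com", "pandasoftware.com"}


def parse_o16(log_text):
    """Return a list of dicts (clsid, name, url) for every O16 line in the log."""
    entries = []
    for line in log_text.splitlines():
        m = O16_RE.match(line.strip())
        if not m:
            continue  # not an O16 line (or truncated, like the accurint one in the post)
        clsid, name, url = m.groups()
        entries.append({"clsid": clsid.upper(), "name": name or "", "url": url})
    return entries


def _domain_trusted(host):
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def review_entry(entry):
    """Heuristic review of one DPF entry; returns a list of reasons (empty = nothing odd)."""
    reasons = []
    if not entry["name"]:
        # Legitimate controls normally register a friendly name; the bad one above has none.
        reasons.append("no friendly name")
    parsed = urlparse(entry["url"])
    host = parsed.hostname or ""
    if not _domain_trusted(host):
        reasons.append("untrusted host %s" % host)
    if parsed.path.lower().endswith(".exe"):
        # Heuristic: DPF entries usually fetch a .cab/.ocx package, not a bare executable.
        reasons.append("bare .exe download")
    return reasons


def suspicious_entries(log_text):
    """Map CLSID -> reasons for every entry that trips at least one heuristic."""
    result = {}
    for entry in parse_o16(log_text):
        reasons = review_entry(entry)
        if reasons:
            result[entry["clsid"]] = reasons
    return result


if __name__ == "__main__":
    for clsid, reasons in suspicious_entries(SAMPLE_LOG).items():
        print(clsid, "->", "; ".join(reasons))
```

Run on the sample log it reports only the work4sure entry, for all three reasons; the Microsoft and Panda entries pass. The allow-list is the part to tailor: a host not on it is merely "unknown", not proven bad, so treat the output as a triage list rather than a verdict.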

rpggamergirlCommented:
You can fix this entry (scan again and let me know if it won't go away):
O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - http://w4s.work4sure.com/c/ge/w4sgeen9.exe

Are there any other suspicious entries in your HijackThis log?
daveokstAuthor Commented:
Hello:

Yes it went away....

I'm really interested in knowing what it was, any ideas?

Thank you,

Dave
rpggamergirlCommented:
The CLSID belongs to NetSource101.com.
Some malware is so sneaky that it puts its files/installer in the DPF folder so the user can't see them. By default only ActiveX controls/plugins are shown by Explorer when you open the DPF folder, so in order to see everything in that folder you must unregister occache.dll (the viewer DLL). That's why malware writers like to put their files there.
rpggamergirlCommented:
If you feel like doing some reading, you might like to watch out for this new exploit.
There is a recent exploit that has no patch yet. Any application that automatically displays a WMF image will cause the user's machine to get infected. One can easily get infected even by clicking a link in a Google search, which happened to someone yesterday.

http://www.updatexp.com/wmf-exploit.html
http://sunbeltblog.blogspot.com/2005/12/new-exploit-blows-by-fully-patched.html

This one below is a Symantec flaw:
Symantec flaw when scanning .rar files
http://www.rem0te.com/public/images/symc2.pdf
http://www.pcpro.co.uk/news/81792/rar-vulnerability-reported-for-antivirus-software.html

daveokstAuthor Commented:
Thanks, I will read these articles and I will Google how to unregister occache.dll so I can peek inside that folder. What is the CLSID?
rpggamergirlCommented:
>>Thanks, I will read these articles and I will Google how to unregister occache.dll so I can peek inside that folder. What is the CLSID?<<
CLSID = Class ID or Class Identifier, the numbers inside the brackets --> {15589FA1-C456-11CE-BF01-00AA0055595A}

No need to Google it, I can tell you how to unregister occache.dll.

Start > Run > type
regsvr32 /u occache.dll
Click OK

Delete the malware files found; when you finish, register occache.dll again:

Click Start > Run
Paste in this command
regsvr32 occache.dll
And Click OK


You can also see all the entries in the DPF folder by using this batch file. (You can see the entries, but you cannot delete any malware entries because Explorer still won't show them (except for the ActiveX controls/plugins), even when showing hidden files and folders. You can only delete them using KillBox or by unregistering occache.dll first.)
* Copy and paste the text below into Notepad.
* Save it as "show.bat", choosing *All Files* as the file type, and place it on your desktop.
* Double-click "show.bat" and Notepad will open with all the entries in your DPF folder.

@echo off
rem List everything in the Downloaded Program Files (DPF) folder.
rem "dir" from the command prompt bypasses the occache.dll shell view,
rem so entries Explorer hides are listed too; /a includes hidden/system files.
cd /d "%windir%\Downloaded Program Files"
dir /a > "%userprofile%\Desktop\files.txt"
notepad "%userprofile%\Desktop\files.txt"


Thanks for the points with an "A" grade!
Happy New Year!
daveokstAuthor Commented:
Happy New Years!!!
You deserve the A, you're sharp!

Here is what turned up, and thanks I feel a lot smarter now!

 135,168 ASPROinst.dll
10/20/2005  09:28 AM               505 asproinst.inf
10/14/1997  08:52 PM               697 DirectAnimation Java Classes.osd
12/31/2005  04:39 PM                 0 files.txt
05/31/2005  10:02 AM           723,968 graphviewctl.dll
03/30/2005  04:54 PM               313 GraphViewCtl.inf
08/26/2005  05:57 PM               495 LegitCheckControl.inf
01/20/2000  05:25 PM             1,162 Microsoft XML Parser for Java.osd
               8 File(s)        862,308 bytes
               0 Dir(s)   5,085,585,408 bytes free
rpggamergirlCommented:
>>You deserve the A, you're sharp!<<
Very nice of you, thanks!

Your DPF folder looks clean!
No malware entries in that folder.

Happy computing! :)
BCA-AdminCommented:
I found that file associated with a memory scanner used by memoryx.com. Supposed to download and scan what kind of memory you have so it can recommend the correct type to purchase. It is supposed to go away after a restart.