Last week I had a virus attack on my explorer.exe that forced me to reinstall Windows from scratch. Since then I have had trouble with a trojan and its associated files coming back repeatedly. I even went so far as to try to read the code inside the file with Process Explorer, which showed it might be certified by Thawte, among other things.
Since Monday I haven't had any real problems with infections, but even after around 8-10 reinstallations of Windows (I've lost count) the suspicious files keep returning. I was about to use the method described here to remove the files when Cecilia - our national hero at the Swedish IDG e-forums - insisted on having me uninstall Trend Micro's Internet Security suite. The reason was that I found a .bmp image that looks like the logo of Trend Micro's Transaction Protector addon for MSIE inside one of the three suspicious folders (%SystemRoot%\kdefense), as well as the system tray icon for the same TIS suite addon. The other two folders contain, among other things, .ini files that refer to other TIS components. Cecilia referred to http://www.pcguide.com/vb/showthread.php?t=59666&page=6 post #131, where it is stated that the suspicious files are legit, as well as to a page at PrevX. I have not really been inclined to listen to that, since I have been too suspicious about the whole thing surrounding kdfmgr.exe.
I had seen that when I started IE the suspicious kdfmgr.exe was launched by an svchost process along with WLLoginProxy.exe, at the same time as HSChkProxy.exe was launched by IE itself. I had also seen that the two processes disappeared when IE was terminated. Usually kdfmgr.exe and HSChkProxy.exe (the main process for the Transaction Protector) stick around, hooking themselves to the explorer.exe process that launched the previous MSIE process. I had a period of days when kdfmgr.exe was simply terminated when terminating IE, though, which I regarded as a good thing a couple of days ago, since it meant that I could avoid running a trojan simply by refraining from using IE. I even went so far as to rename WLLoginProxy.exe to something else.
Also, interestingly enough, kdfmgr.exe is not launched when IE is initiated from within Firefox using the Firefox IE Tab addon. At the time I thought that was a good thing, because I thought kdfmgr.exe was malware. Today I am not so sure.
I have now confirmed that the returning suspicious files...
...disappear when TIS is uninstalled. The .dll and .exe files return after reinstalling TIS, but the folders seem to need a little more time. That means that following the advice given here might actually weaken the protection offered by TIS.
And to think that this evening I submitted these files to TM as possible threats. Well, perhaps a clearer name that identifies them as TM files instead of as belonging to some dodgy Bluegem Security/Kings Information & Network would be a good first step. The curious thing is that one of Trend Micro's support staff last weekend told me to try to remove kdfmgr.exe with HijackThis on reboot. I am becoming increasingly certain that was an error.
That said, I am now unsure what I should do about the dodgy
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
that the named topic in this forum claims should be removed. I think I will have to think about that for a while and see if there is some more explanation given about these entries.
Strange... I have this déjà vu feeling editing this post - somehow I hear someone telling me "but this I told you a long time ago", making me blush. Have to shake that off. =)
Edited by rawd, 21 March 2008 - 10:05 PM.
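The post above decides whether kdfmgr.exe and its folders are legitimate by looking at icons, .ini references and a hint in Process Explorer that the file "might be certified by Thawte". The check a practitioner would actually run is to verify the Authenticode signature and record a hash of each file, and to confirm who the parent of the running process is, rather than guessing. The script below is an added example written for this page; it is not from the original poster, the forum, or Trend Micro. It assumes PowerShell 4 or later (for Get-FileHash, Get-CimInstance and the -File switch, which were not on a 2008-era Windows XP box) and uses the folder paths and process names exactly as the post gives them; the qmgr*.dat files are data files and will never carry a signature, so for those only the hash and the owning process are informative.

```powershell
# Added example, not part of the original post. Assumes PowerShell 4+ on Windows.
# Folder paths and process names are taken from the post; adjust if yours differ.

function Get-SuspectFileReport {
    param(
        # Directories the post names; %ALLUSERSPROFILE% resolves to the XP-style
        # "All Users" profile on old systems and to C:\ProgramData on newer ones.
        [string[]]$Directories = @(
            "$env:SystemRoot\kdefense",
            "$env:ALLUSERSPROFILE\Application Data\Microsoft\Network\Downloader"
        )
    )
    foreach ($dir in $Directories) {
        if (-not (Test-Path -LiteralPath $dir)) {
            Write-Warning "Not present: $dir"
            continue
        }
        Get-ChildItem -LiteralPath $dir -Recurse -File -Include *.exe, *.dll, *.dat |
            ForEach-Object {
                # Get-AuthenticodeSignature checks the embedded PE signature chain.
                # Status is Valid only if the hash matches and the chain is trusted;
                # NotSigned is expected for plain data files such as qmgr0.dat.
                $sig = Get-AuthenticodeSignature -FilePath $_.FullName
                [pscustomobject]@{
                    File    = $_.FullName
                    Status  = $sig.Status
                    Signer  = $sig.SignerCertificate.Subject   # who the publisher cert says
                    Issuer  = $sig.SignerCertificate.Issuer    # e.g. a Thawte code-signing CA
                    SHA256  = (Get-FileHash -Algorithm SHA256 -LiteralPath $_.FullName).Hash
                }
            }
    }
}

function Get-SuspectProcessParents {
    param(
        # Process names the post observed; parent name is what Process Explorer shows.
        [string[]]$Names = @('kdfmgr.exe', 'HSChkProxy.exe', 'WLLoginProxy.exe')
    )
    $all = Get-CimInstance -ClassName Win32_Process
    foreach ($p in $all | Where-Object { $Names -contains $_.Name }) {
        $parent = $all | Where-Object { $_.ProcessId -eq $p.ParentProcessId }
        [pscustomobject]@{
            Name        = $p.Name
            PID         = $p.ProcessId
            Path        = $p.ExecutablePath
            ParentPID   = $p.ParentProcessId
            ParentName  = if ($parent) { $parent.Name } else { '<exited>' }
            CommandLine = $p.CommandLine
        }
    }
}

# Usage: run as Administrator so the WMI query sees every process and the
# signature check can open files in %SystemRoot%.
Get-SuspectFileReport | Format-Table -AutoSize
Get-SuspectProcessParents | Format-Table -AutoSize
```

A Status of Valid with a Signer subject naming the vendor you installed settles the question the post is wrestling with far more reliably than a logo bitmap; a Status of HashMismatch or an unexpected signer on a file in %SystemRoot% is the case that does warrant submitting the file. Keep the SHA256 column from a clean reinstall so that a later "the files came back" can be compared byte for byte instead of by name.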