could c:\windows\ehome\ehrec.exe be infected?

12 replies to this topic

#1 modification

  • Members
  • 8 posts

Posted 14 May 2009 - 10:48 AM

Been trying to sort this on my own for about 1 week so thought it was time to ask for help!

Had several viruses/Trojans that originally slipped through avast / norton firewall, but picked it up on a scan. (I didn't really want to format the hard disc so,)

I have been reading the forums & run Malwarebytes & Superantivirus in normal & safe mode. Malwarebytes detected & removed viruses etc including win32:rootkit-gen in system32\msfgw32.dll & Trojan-Spy.win32.zbot.tml.

& Trojan-Dropper.WIN32.Agent.aow (the antivirus said these had been removed).


While trying to remove the virus I was then unable to log in as an administrator, but managed to log in under one or the other USERS & run a VB Script to regain access.

In addition AFTER this scan my Kaspersky 7.00 scan (which I rushed out to purchase) removed Trojan-Dropper.WIN32.Agent.aow from c:\window\internat\exe//PE_Patch.UPX//UPX & system32\Wbem\grpconv.exe

I removed lots of unused programmes etc &

cleaned up the disc / registry with WinUtilities that I already had installed.

I was still very worried something was left behind !

This is a message I just received in KASPERSKY 7.00 today (only recently purchased due to the virus); the reports log says ''detected:riskware Dialer Software (modification) running process c:\windows\ehome\ehrec.exe''

I know this is normally the media center updater process, but I did notice while trying to free the computer from the virus that my modem 'wire' was accidentally connected & that it started to dial out on its own (I had already disconnected the broadband & "don't use dial up connection" was already checked in internet options). I had a 'poke' around on the computer & found a warning log in administrator tools etc that said that the media center updater could not disconnect & many other media center warnings?

I did a file search on the PC for 'media center' (to try & access it) & it produced several results, all of which looked like shortcuts to Internet Explorer web pages (I didn't click on them & had already disconnected my broadband).

The message in the KASPERSKY reports log, ''detected:riskware Dialer Software (modification) running process c:\windows\ehome\ehrec.exe'', appeared after all my own attempted remedies were carried out.

I don't really use the media center much, but I can't seem to see where to access the media center (the button on the task bar has disappeared although this process is supposed to be running).

Could this also have been disabled by the virus? Can I disable the auto update of media center somehow?

Do you think I could still be infected? What other steps should I take to make sure I'm not?

(running XP Service Pack 3)

Kind regards

(hope you find me worthy of moving to a 'remove virus' forum area as I am a bit out of ideas now)

Edited by modification, 14 May 2009 - 12:32 PM.


#2 garmanma

    Computer Masochist

  • Members
  • 27,809 posts
  • Gender:Male
  • Location:Cleveland, Ohio

Posted 14 May 2009 - 06:55 PM

Update mbam and run a FULL scan
Please post the results

Then run

Please download Dr.Web CureIt, the free version & save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on launch.exe to open the program and click Start. (There is no need to update if you just downloaded the most current version.)
  • Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to download the Full version Free Trial, ignore and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All.
  • When complete, click Select All, then choose Cure > Move incurable.
    (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • Now put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and UNcheck "Heuristic analysis" under the "Scanning" tab, then click Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • When the scan is complete, a message will be displayed at the bottom indicating if any viruses were found.
  • Click "Yes to all" if asked to cure or move the file(s) and select "Move incurable".
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report)

Mark
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter

#3 modification

  • Topic Starter
  • Members
  • 8 posts

Posted 15 May 2009 - 04:07 AM

First of all many thanks for the reply, :thumbsup: I am very grateful for you replying to my post.

Have updated mbam & scanning now.



As soon as I connected to broadband to update mbam the media center started to dial up a telephone number starting +44 which looks to be an old dial up connection (which shows in my events log in Kaspersky 7.00).

Would it be possible to disable Media Center from dialing up before I go online again?


I will try & find a memory stick & download Dr.Web CureIt on my laptop (from where I am typing this) & transfer it to the desktop after scanning with mbam & waiting up for the reply.

Once again many thanks for your help! :flowers:

Will report results of MBAM when scan completed.

I am happy to try anything you may suggest, but want to try & keep as safe as possible while doing it. :trumpet:

Edited by modification, 15 May 2009 - 10:37 AM.


#4 modification

  • Topic Starter
  • Members
  • 8 posts

Posted 15 May 2009 - 08:05 AM

Copy of Malwarebytes scan: two items which I deleted & restarted PC as requested by mbam

mbam-log-2009-05-15 (13-30-57) deleted Malwarebytes' Anti-Malware 1.36
Database version: 2133
windows 5.1.2600 Service pack 3
15/05/2009 13:30:57 mbam-log-2009-05-15 (13-30-57).txt
Scan type: Full Scan (C:\|D:\|E:\|F:\|G:\|H:\|I:\|L:\|) objects scanned: 388567
Time elapsed: 2 hour(s), 16 minute(s), 31 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0
Memory Processes Infected: (NO malicious items detected)
Memory Modules Infected:
(NO malicious items detected)
Registry Keys Infected:
(NO malicious items detected)
Registry values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\windows NT\Currentversion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\security center\AntivirusDisableNotify (Disabled.securitycenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Folders Infected:
(NO malicious items detected)
Files Infected:
(NO malicious items detected)



Nothing on the Dr.Web express scan; now doing the Dr.Web complete scan.

While I am thinking of it & for your information HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\windows NT\Currentversion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully was previously detected & removed on 08/05/09

At the same time Backdoor.bot was also removed from \winlog\ userinit
C\WINDOWS \system32\userinit.exe,C:\WINDOWS\SYSTEM32\ tewxt.exe,)Good:(userinit.exe)->Quarantined & deleted.

I have a copy of that previous scan if you need to see it.

Edited by modification, 15 May 2009 - 09:07 AM.


#5 garmanma

    Computer Masochist

  • Members
  • 27,809 posts
  • Gender:Male
  • Location:Cleveland, Ohio

Posted 15 May 2009 - 11:10 AM

Can i disable the auto update of media center some how?

Download autoruns
http://technet.microsoft.com/en-us/sysinte...s/bb963902.aspx
Look in the startup applications and disable it from there

ehrec.exe is a process belonging to the Microsoft Media Center and is described as the recording process which integrates with your Windows tuner. "This program is a non-essential process, but should not be terminated unless suspected to be causing problems."


I believe media center has become corrupt
You can run SFC.exe to repair the files. I assume you have a recovery disk and not a retail Windows CD, so you will have to pay attention to post number 2 where it talks about the i386 folder:
http://www.bleepingcomputer.com/forums/t/43051/how-to-use-sfcexe-to-repair-system-files/
Mark

#6 modification

  • Topic Starter
  • Members
  • 8 posts

Posted 15 May 2009 - 12:09 PM

Many thanks for the reply! Dr Web is still running the full scan.

So far (only half way through) it has picked up KillWind.exe in C:\hp\bin as Tool.ProcessKill.

Am I right in thinking this is a false positive, & this is a legitimate hp process for remote assistance etc.?

Should I try & leave it rather than delete it?

I have a Windows Professional disc I purchased for another computer a while ago which has now died from a bad hard disc (probably have a recovery disc too). I will try & fix it or disable the process mentioned when the scan finishes.

P.S. I was just really surprised that media center started trying to use dial up, after the virus, rather than use the broadband connection as it would normally do / was doing previously :flowers:

P.P.S. Really appreciate your help especially as you should be winding down for the weekend ahead. :trumpet: :thumbsup:

Edited by modification, 15 May 2009 - 04:44 PM.


#7 modification

  • Topic Starter
  • Members
  • 8 posts

Posted 15 May 2009 - 04:38 PM

Dr.Web full scan all done & good news I think :thumbsup: nothing found apart from

KillWind.exe | Path C:\hp\bin | Tool.ProcessKill

As this could be a false positive, just wanted to confirm if I should Cure or Select None before I move on?

Cheers

Edited by modification, 15 May 2009 - 04:43 PM.


#8 garmanma

    Computer Masochist

  • Members
  • 27,809 posts
  • Gender:Male
  • Location:Cleveland, Ohio

Posted 15 May 2009 - 08:51 PM

From HP Support:

Vinson S: Welcome to HP Total Care for Desktops.
My name is Vinson. How may I assist you today?




PC Utility Files & Tools to Facilitate File Management

HP home personal computers have a special directory of utility files and tools that facilitate file management to enhance the behavior of preloaded applications. Some of these files improve the interactive experience, others display characteristics, or others how applications are loaded, and others still how the system is optimized for peak performance, and so forth. Each utility file is unique and performs a vital background purpose to ensure the best in application functionality. These files are stored in the directory c:\HP\bin\.

If you look in this directory, you will see these files, some with names like:

cloaker.exe
fondlewindow.exe
killit.exe
killwind.exe
processlogger.exe
rpcopy.exe
sendkey.exe
sleep.exe
spawn.exe
terminator.exe

Notice that these files are executable files, and that they have names that may be sensitive to today's virus checking software. Because the frequency of new viruses and worms being introduced is occurring at a rapid rate, public awareness of the need to routinely run virus checking software is heightened.

However, popular virus checking software is erroneously flagging the files in directory c:\HP\bin\ as possibly malicious, and prompting users to remove or quarantine them.

This is not a recommended response action as the files are not malicious, and removing them will degrade PC performance. Users are encouraged to ignore prompts from virus checking software to remove or quarantine these files.


Mark

#9 modification

  • Topic Starter
  • Members
  • 8 posts

Posted 16 May 2009 - 12:59 AM

c:\HP\bin\

killwind.exe


Good Morning, Mark!

It shows in Dr.Web as Path: C:\hp\bin. Object: KillWind.exe

exactly as I have typed it (with a small h, big K, big W). I guess that's what he means?

Would you suggest I use the 'Select none' button & move on? Don't want to get it wrong as it was an 8 hour scan :thumbsup:

Edited by modification, 16 May 2009 - 01:35 AM.


#10 garmanma

    Computer Masochist

  • Members
  • 27,809 posts
  • Gender:Male
  • Location:Cleveland, Ohio

Posted 16 May 2009 - 05:41 PM

Would you suggest I use the 'Select none' button & move on?


I believe you are fine
Mark

#11 modification

  • Topic Starter
  • Members
  • 8 posts

Posted 16 May 2009 - 05:55 PM

I hope you had a fun weekend. Do you spend all week helping people with PC problems? What a guy :thumbsup:

Have come out of Dr.Web (not changed anything, not gone online etc) & restarted to normal mode. I notice a new item on the desktop after reboot, setup_XP, which looks like a notepad with a yellow cog on it. When I hover over it with the mouse it says

'Type Configuration & settings

Date modified 16/05/2009 07:40 size 2.63 KB.



PC has been in safe mode since then, while waiting for a reply, & I haven't changed anything?

(Also could hear some random noises when in safe mode, a bit like voices, coming through the Altec Lansing speakers, also while offline, but this might well have been caused by some local issue I guess.)

While I am thinking of it & for your information HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\windows NT\Currentversion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully was previously detected & removed on 08/05/09

At the same time Backdoor.bot was also removed from \winlog\ userinit
C\WINDOWS \system32\userinit.exe,C:\WINDOWS\SYSTEM32\ tewxt.exe,)Good:(userinit.exe)->Quarantined & deleted.


Anything we need to do further regarding the above (Malware.Trace), as it reappeared on the more recent scan after previously being deleted on a previous scan?


Thanks

Edited by modification, 17 May 2009 - 05:08 PM.
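Added example, not from the thread or from any tool named in it: a small Python parser for the "Registry Data Items" lines of a Malwarebytes log like the one in post #4, plus a check of the Winlogon\Userinit value like the Backdoor.bot entry quoted in posts #4 and #11. The sample log is constructed to match those posts, and the function names are my own.

```python
import re
from typing import Dict, List

# Constructed sample modelled on the Malwarebytes log in post #4 and the
# Winlogon\Userinit line the topic starter quotes; not real scanner output.
SAMPLE_LOG = r"""
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Backdoor.Bot) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\tewxt.exe,) Good: (userinit.exe) -> Quarantined and deleted successfully.
"""

# Shape of a "Registry Data Items" line: <key>\<value> (<detection>) -> Bad: (..) Good: (..)
DATA_ITEM_RE = re.compile(
    r"^(?P<path>HKEY_.*?) \((?P<detection>[^)]+)\) -> "
    r"Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\)"
)


def parse_data_items(log: str) -> List[Dict[str, str]]:
    """Extract every Bad/Good pair from a Malwarebytes log (other lines are skipped)."""
    items = []
    for line in log.splitlines():
        m = DATA_ITEM_RE.match(line.strip())
        if not m:
            continue
        key, _, name = m.group("path").rpartition("\\")
        items.append({"key": key, "name": name, "detection": m.group("detection"),
                      "bad": m.group("bad"), "good": m.group("good")})
    return items


def userinit_extras(value: str) -> List[str]:
    """Entries in a Winlogon\\Userinit value other than userinit.exe itself.
    The clean value is 'userinit.exe,' (with or without its full path); any
    extra comma-separated program is launched at every interactive logon."""
    extras = []
    for entry in value.split(","):
        entry = entry.strip()
        if entry and entry.lower().rsplit("\\", 1)[-1] != "userinit.exe":
            extras.append(entry)
    return extras


def assess(log: str) -> List[str]:
    """Turn parsed data items into the follow-ups a responder would note."""
    findings = []
    for item in parse_data_items(log):
        name = item["name"].lower()
        if name == "userinit":
            for extra in userinit_extras(item["bad"]):
                findings.append(f"logon hook: {extra} was run from Winlogon\\Userinit")
        elif name.endswith("disablenotify") and item["bad"].strip() == "1":
            findings.append(f"Security Center alert suppressed: {item['name']}=1")
    return findings
```

The point of the Userinit check is that a "Quarantined and deleted" line for that value means the extra program was already running at every logon, so the file it named and what it dropped still need to be accounted for even after the registry value is repaired.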


#12 garmanma

    Computer Masochist

  • Members
  • 27,809 posts
  • Gender:Male
  • Location:Cleveland, Ohio

Posted 17 May 2009 - 05:05 PM

We are going to need stronger tools than we can run here, I suggest that you submit a HJT log
Please bear in mind that they are very busy and it will take a week or more for a response
Good luck




Please read the pinned topic titled "Preparation Guide For Use Before Posting A Hijackthis Log". If you cannot complete a step, then skip it and continue with the next. In Step 6 there are instructions for downloading and running DDS which will create a Pseudo HJT Report as part of its log.

When you have done that, post your log in the HijackThis Logs and Malware Removal forum, NOT here, for assistance by the HJT Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the HJT Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

Start a new topic, give it a relevant title and post your log along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. An expert will analyze your log and reply with instructions advising you what to fix. After doing this, we would appreciate if you post a link to your log back here so we know that you're getting help from the HJT Team.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT "bump" your post or make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.
Mark

#13 modification

  • Topic Starter
  • Members
  • 8 posts

Posted 17 May 2009 - 05:14 PM

Will do !

Many thanks for your help so far, keep up the good work.

Kindest regards
