Fake compute programs [Moved]


15 replies to this topic

#1 Pop tarts (Members, 7 posts)

Posted 14 June 2009 - 01:00 AM

I got a bunch of fake .exe programs from a virus and can't get rid of them. I use the Task Manager to end the process and it just reappears later. I use an antivirus program and it said it got rid of the virus, but I doubt it because new .exe programs just appear. Here is what it says in my Task Manager. This is some of it.

AAWService.exe
AAWTray.exe
svchost.exe x6 wtf!??!!
ashdisp.exe
I'm not sure what these are, but I NEVER had these .exe files before. There is a real svchost.exe.
There are a whole bunch more.
I don't know which ones are needed or viruses.
Please, I need help!!! I don't know if it infected any other files. I only know one symptom, which is slowing my computer. I don't have any CD to reinstall programs that were destroyed, and I need free programs, not paid ones.

Edited by Pop tarts, 14 June 2009 - 01:01 AM.


#2 Guest_The weatherman_* (Guests)

Posted 14 June 2009 - 01:05 AM

Hello there Pop tarts, welcome to Bleeping Computer.

Please try a couple of these free online scanners to see if anything has slipped by your protection:
(Be advised that some of these scanners will pick up things in "quarantine" from other anti-virus programs, so review the results carefully.)

http://www.pandasecurity.com/homeusers/solutions/activescan/
http://us.mcafee.com/root/mfs/default.asp
http://housecall.trendmicro.com
http://www.bitdefender.com/scan8/ie.html
http://support.f-secure.com/enu/home/ols.shtml
http://onlinescan.avast.com/
http://ca.com/us/securityadvisor/virusinfo/scan.aspx
http://www.eset.com/onlinescan/

http://www.kaspersky.com/virusscanner Scan Only - no removal


If you find that you're infected (or the scan doesn't complete or closes unexpectedly), post in the Am I Infected forum located here: http://www.bleepingcomputer.com/forums/f/103/am-i-infected-what-do-i-do/

regards,

The weatherman

#3 Pop tarts (Topic Starter; Members, 7 posts)

Posted 14 June 2009 - 11:15 PM

None of it works. The programs seem to take too long. I used some other programs to scan it and they said they removed the virus. I don't know if it was removed or not because I still have to deal with the fake .exe programs. I can't remove some of them because it says critical process or access is denied. Do you know any programs that remove that? Here is a log of what it said.

Malwarebytes' Anti-Malware 1.37
Database version: 2274
Windows 5.1.2600 Service Pack 2

6/14/2009 8:41:39 PM
mbam-log-2009-06-14 (20-41-39).txt

Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 131418
Time elapsed: 3 hour(s), 46 minute(s), 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
d:\i386\APPS\App31126\add-gateway.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\documents and settings\owner.david\local settings\Temp\tmp145.cab (Malware.Trace) -> Quarantined and deleted successfully.
c:\documents and settings\Owner.David\Desktop\svchost.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

#4 Queen-Evie (Official Bleepin' G.R.I.T.S.; Members, 16,485 posts)

Posted 14 June 2009 - 11:27 PM

Do you have Ad-Aware by Lavasoft and Avast antivirus installed on your system?

AAWService.exe http://www.bleepingcomputer.com/startups/a....exe-18582.html
AAWTray.exe http://www.bleepingcomputer.com/startups/A....exe-19640.html
are components of Ad-Aware.

ashdisp.exe http://www.bleepingcomputer.com/startups/a...sp.exe-452.html
is associated with Avast.

The virus scanners by The weatherman do take a long time to run. That's the nature of a virus scan: it takes time to scan everything on your system. Please run at least one and let it complete the scan.
You mentioned running other programs to scan-what programs did you use?

Edited by Queen-Evie, 14 June 2009 - 11:34 PM.


#5 Pop tarts (Topic Starter; Members, 7 posts)

Posted 15 June 2009 - 12:17 AM

Here is what I use:
Ad-Aware, Avast, Norton, SUPERAntiSpyware, Spybot S&D, SmitfraudFix, and Sysclean.
Do you recognize any other .exe programs? Here are some more:

ati2evxx.exe x2
atiptaxx.exe
BCMWLTRY.EXE
ccSvchst.exe x2
csrss.exe
alg.exe
dlllhost.exe
ehmsas.exe
ehrecvr.exe
ehSched.exe
ehtry.exe
lsass.exe
mcrdsvc.exe
PRISMXL.SYS
Whew, there are a bunch more. I never saw any of these before, so I don't know what they can be.

I have some other ash.exe programs. Are those with Avast?

Edited by Pop tarts, 15 June 2009 - 12:26 AM.


#6 Queen-Evie (Official Bleepin' G.R.I.T.S.; Members, 16,485 posts)

Posted 15 June 2009 - 07:54 AM

Here is what I use:
Ad-Aware, Avast, Norton, SUPERAntiSpyware, Spybot S&D, SmitfraudFix, and Sysclean.
Do you recognize any other .exe programs? Here are some more:


atiptaxx.exe x2 http://www.bleepingcomputer.com/startups/a....exe-18582.html associated with your graphics card

BCMWLTRY.EXE http://www.bleepingcomputer.com/startups/b...ry.exe-539.html Broadcom Corporation Wireless Network Tray Applet

ccSvchst.exe x2 http://www.bleepingcomputer.com/startups/b...ry.exe-539.html related to Symantec products, although this could also be a variant of a Backdoor.sdbot worm. You have 2 because of the various components of Symantec.

csrss.exe may be legitimate http://www.neuber.com/taskmanager/process/csrss.exe.html (for info only; don't run the Security Task Manager from this page. I know nothing about the program and would not want you to make your problems worse if this is a bad program.)

It could also be a trojan or worm http://www.bleepingcomputer.com/startups/s...filename-0.html
Where is the file located on your computer?

What I suggest is that you click on one of the Bleeping Computer links above. After reading the information, copy the name of each of the listings below and paste it in the search box. If nothing comes back for it, use your favorite search engine to find out about it. You will find that some of them are legitimate, but in some cases they could also be malware that uses a legitimate process name to insert itself onto your system.

alg.exe
dlllhost.exe
ehmsas.exe
ehrecvr.exe
ehSched.exe
ehtry.exe
lsass.exe
mcrdsvc.exe
PRISMXL.SYS
Whew, there are a bunch more. I never saw any of these before, so I don't know what they can be.

I have some other ash.exe programs. Are those with Avast?


Did you run at least one of the online virus scanners mentioned above?

You stated you had a virus. After checking each of the above entries, if you feel you may still be infected, please do as The weatherman suggests and post here http://www.bleepingcomputer.com/forums/f/103/am-i-infected-what-do-i-do/ in Am I Infected? Include a link to this topic.

I just noticed you mentioned Avast and Norton. Which Norton are you using: stand-alone firewall, stand-alone antivirus, or the Norton Suite, which includes both?
If you are using the suite or antivirus, you will need to uninstall one of your antivirus programs. Read this: Why should you never install two Antivirus programs? It explains why you should not install more than one.

Edited by Queen-Evie, 15 June 2009 - 08:29 AM.


#7 Pop tarts (Topic Starter; Members, 7 posts)

Posted 15 June 2009 - 10:46 PM

I'm trying to use one of the virus scans by The weatherman. I have Norton AntiVirus Online. Should I uninstall the Norton or the Avast antivirus? For now I'm trying to get rid of the trojan downloader on my computer. I don't know what to do with the .exe programs. I used Malwarebytes to remove the trojan downloader and it said it removed it, but then I used Ad-Aware to scan my computer again after I restarted my computer and it found a trojan downloader again. What's up with that? Did it not remove it fully?

Edited by Pop tarts, 15 June 2009 - 10:49 PM.


#8 Queen-Evie (Official Bleepin' G.R.I.T.S.; Members, 16,485 posts)

Posted 15 June 2009 - 11:32 PM

It's your choice regarding which antivirus to remove.
At this point, I'm going to ask a moderator to move your topic to the Am I Infected forum.
Our malware removal experts will be able to help you.

#9 golfdude (Members, 219 posts)

Posted 16 June 2009 - 07:33 AM

The following programs are part of Windows Media Center Edition:

ehmsas.exe
ehrecvr.exe
ehSched.exe
ehtry.exe

Thanks,
Golfdude


#10 Queen-Evie (Official Bleepin' G.R.I.T.S.; Members, 16,485 posts)

Posted 16 June 2009 - 07:55 AM

The following programs are part of Windows Media Center Edition:

ehmsas.exe Some malware camouflages itself as ehmsas.exe, particularly if it is located in the c:\windows or c:\windows\system32 folder. Thus check whether the ehmsas.exe process on your PC is a pest.

ehrecvr.exe Some malware camouflages itself as ehRecvr.exe

ehSched.exe Some malware camouflages itself as ehSched.exe

ehtry.exe Some malware camouflages itself as ehSched.exe


Bottom line, follow the advice of those who are able to help you determine if these are legitimate or not as they work to help you make sure you have a clean machine.


Edited by Queen-Evie, 16 June 2009 - 07:58 AM.
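
As an added example, not code posted by anyone in this thread, the following PowerShell script applies the check Queen-Evie describes in posts #6 and #10 to a live system: a process that carries a Windows system name is only trustworthy if its image runs from the directory where Windows installs it, so a svchost.exe on the Desktop (as in the Malwarebytes log above) or an ehmsas.exe in system32 is flagged regardless of its name. It also flags names one letter away from a system process name and images whose Authenticode signature does not validate. The expected-directory table, the function names and the two constructed sample paths are assumptions for illustration; the table covers only names raised in this thread and would be extended for a real build. It assumes Windows PowerShell 3.0 or later, which is newer than the XP system discussed here.

```powershell
# Added example for this thread, not code posted by any participant.
# A familiar process name is only trustworthy if the image runs from the
# directory where Windows installs it. The directory table below is an
# assumption for illustration and covers only names raised in this thread.

$systemRoot = $env:SystemRoot
$sysDirs    = @((Join-Path $systemRoot 'System32'),
                (Join-Path $systemRoot 'SysWOW64'))   # 32-bit copies on 64-bit Windows
$ehome      = @(Join-Path $systemRoot 'ehome')        # Windows Media Center components

# Genuine install directories per process name. Hashtable literals compare
# keys case-insensitively, so 'ehSched.exe' and 'ehsched.exe' both match.
$KnownSystemProcess = @{
    'svchost.exe' = $sysDirs   # several instances are normal; the path is what matters
    'csrss.exe'   = $sysDirs
    'lsass.exe'   = $sysDirs
    'alg.exe'     = $sysDirs
    'dllhost.exe' = $sysDirs
    'ehmsas.exe'  = $ehome
    'ehrecvr.exe' = $ehome
    'ehsched.exe' = $ehome
}

function Get-EditDistance([string]$a, [string]$b) {
    # Levenshtein distance; used to catch lookalike names that differ from
    # a system process name by one inserted, dropped or swapped letter.
    $a = $a.ToLowerInvariant(); $b = $b.ToLowerInvariant()
    $prev = @(0..$b.Length)
    for ($i = 1; $i -le $a.Length; $i++) {
        $cur = @($i) + (@(0) * $b.Length)
        for ($j = 1; $j -le $b.Length; $j++) {
            $cost = if ($a[$i - 1] -eq $b[$j - 1]) { 0 } else { 1 }
            $cur[$j] = [Math]::Min([Math]::Min($prev[$j] + 1, $cur[$j - 1] + 1), $prev[$j - 1] + $cost)
        }
        $prev = $cur
    }
    return $prev[$b.Length]
}

function Test-ProcessImage {
    # Classifies one (name, path) pair. Kept separate from the live scan so
    # it can also be run against paths copied out of a scan log.
    param([string]$Name, [string]$Path)

    $Name = $Name.ToLowerInvariant()
    if (-not $Path) { return 'unknown: image path not readable (run elevated)' }
    $dir = Split-Path -Parent $Path

    if ($KnownSystemProcess.ContainsKey($Name)) {
        $want = $KnownSystemProcess[$Name]
        if ($want -notcontains $dir) {
            return "MASQUERADE: $Name should run from $($want -join ' or '), not $dir"
        }
    } else {
        foreach ($known in $KnownSystemProcess.Keys) {
            if ((Get-EditDistance $Name $known) -eq 1) {
                return "LOOKALIKE: $Name is one edit away from $known"
            }
        }
    }

    # Authenticode check. Many OS binaries are catalog-signed; Windows
    # PowerShell 5.1 validates catalogs, older versions report NotSigned,
    # so a wrong directory above is a stronger signal than this one.
    if (-not (Test-Path -LiteralPath $Path)) { return 'unknown: file no longer on disk' }
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    if ($sig.Status -ne 'Valid') { return "UNVERIFIED: signature status $($sig.Status)" }
    return "ok: signed by $($sig.SignerCertificate.Subject)"
}

function Get-SuspiciousProcess {
    # Walks the live process list and returns everything not rated 'ok'.
    foreach ($p in Get-Process) {
        $path = try { $p.Path } catch { $null }
        $verdict = Test-ProcessImage -Name "$($p.ProcessName).exe" -Path $path
        if ($verdict -notlike 'ok:*') {
            [pscustomobject]@{ Pid = $p.Id; Name = $p.ProcessName; Path = $path; Verdict = $verdict }
        }
    }
}

# Offline checks against paths quoted earlier in this thread (constructed input;
# the files do not need to exist for these two verdicts):
Test-ProcessImage -Name 'svchost.exe'  -Path 'C:\Documents and Settings\Owner.David\Desktop\svchost.exe'
Test-ProcessImage -Name 'dlllhost.exe' -Path 'C:\WINDOWS\system32\dlllhost.exe'

# Live triage; run from an elevated prompt so protected process paths are readable.
Get-SuspiciousProcess | Sort-Object Verdict | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt; without elevation the image path of protected processes such as csrss.exe and lsass.exe is not readable and they are reported as unknown rather than ok. Several svchost.exe instances are normal on any Windows system; what matters is that each one runs from System32 (or SysWOW64 for 32-bit copies on 64-bit Windows). The script is triage only: it tells you which entries deserve a closer look, and removal is best left to the tools and the Am I Infected helpers recommended in this thread.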


#11 Pop tarts (Topic Starter; Members, 7 posts)

Posted 16 June 2009 - 10:27 PM

I don't know how to check and remove the .exe programs.
Here was the scan result.
Threats with free disinfection (1), low danger level (1):
  Generic Malwar... (Virus, latent)
    1. C:\WINDOWS\system32\404Fix.exe
    2. C:\System Volume Information\_restore{A0427B7...2D4-F22E7758340C}\RP10\A0008389.exe

Threats disinfected with the paid version (13), low danger level (13):
  Cookie/BurstNe... (Tracking Cookie, latent)
    1. C:\Documents and Settings\Owner.David\Cookies\owner@burstnet[2].txt
  Cookie/RealMed... (Tracking Cookie, latent)
    1. C:\Documents and Settings\Owner.David\Cookies\owner@realmedia[1].txt
  Cookie/YieldMa... (Tracking Cookie, latent)
    1. C:\Documents and Settings\Owner.David\Cookies\owner@ad.yieldmanager[2].txt
  Cookie/Zedo (Tracking Cookie, latent)
    1. C:\Documents and Settings\Owner.David\Cookies\owner@zedo[1].txt
  Cookie/Tribalf... (Tracking Cookie, latent)
    1. C:\Documents and Settings\Owner.David\Cookies\owner@tribalfusion[1].txt
  Rootkit/Agent.... (Hack Tool, latent)
    1. C:\System Volume Information\_restore{A0427B7...92D4-F22E7758340C}\RP7\A0005844.sys
  Cookie/Adverti... (Tracking Cookie, latent)
    1. C:\Documents and Settings\Owner.David\Cookies\owner@advertising[2].txt
  Cookie/Adrevol... (Tracking Cookie, latent)
    1. C:\Documents and Settings\Owner.David\Cookies\owner@adrevolver[2].txt
  Cookie/FastCli... (Tracking Cookie, latent)
    1. C:\Documents and Settings\Owner.David\Cookies\owner@fastclick[2].txt
  Cookie/Atlas D... (Tracking Cookie, latent)
    1. C:\Documents and Settings\Owner.David\Cookies\owner@atdmt[1].txt
  Cookie/Doublec... (Tracking Cookie, latent)
    1. C:\Documents and Settings\Owner.David\Cookies\owner@doubleclick[1].txt
  Application/IE... (Tracking Application, latent)
    1. C:\WINDOWS\system32\IEDFix.C.exe
    2. C:\System Volume Information\_restore{A0427B7...2D4-F22E7758340C}\RP10\A0008397.exe
  Cookie/Casalem... (Tracking Cookie, latent)
    1. C:\Documents and Settings\Owner.David\Cookies\owner@casalemedia[1].txt

Suspicious files (1):
  C:\System Volume Information\_restore{A0427B7...2D4-F22E7758340C}\RP10\A0008388.exe

Vulnerabilities (52):
  MS07-058 High
  MS06-045 Medium
  MS07-016 High
  MS07-057 High
  MS06-072 High
  MS06-042 High
  MS06-041 High
  MS07-013 High
  MS07-012 High
  MS07-069 High
  MS07-011 High
  MS07-067 High
  MS07-061 High
  MS08-073 High
  MS07-008 High
  MS06-008 Medium
  MS07-007 High
  MS06-065 Medium
  MS07-006 Medium
  MS06-036 High
  MS06-070 High
  MS09-014 High
  MS07-045 High
  MS06-067 High
  MS07-027 High
  MS08-031 High
  MS07-043 High
  MS06-057 High
  MS06-025 High
  MS07-033 High
  MS08-045 High
  MS06-022 High
  MS06-021 High
  MS08-025 High
  MS08-024 High
  MS07-017 High
  MS08-078 High
  MS06-053 Medium
  MS06-052 Medium
  MS08-020 High
  MS09-006 High
  MS05-049 Medium
  MS08-061 High
  MS07-021 High
  MS08-010 High
  MS08-058 High
  MS07-020 High
  MS07-019 High
  MS08-008 High
  MS06-050 Medium
  MS06-075 Medium
  MS06-046 High

#12 Queen-Evie (Official Bleepin' G.R.I.T.S.; Members, 16,485 posts)

Posted 17 June 2009 - 09:35 AM

There are several entries listed in the Avast folder.
Out of curiosity, I went to my Avast folder and attempted to delete some of them.
Deletion was denied. These are critical components of Avast; if they are removed, your Avast would not be effective and most likely you would get error messages from Avast.

Why are you wanting to remove the .exe programs? What makes you think they are fake?
What program did you use to scan? The log above doesn't say which one.

#13 Pop tarts (Topic Starter; Members, 7 posts)

Posted 17 June 2009 - 10:01 PM

i think most of them are fake, so i'm just guessing.
I use all of the programs above.

#14 Queen-Evie (Official Bleepin' G.R.I.T.S.; Members, 16,485 posts)

Posted 18 June 2009 - 07:53 AM

You posted the following:

ati2evxx.exe x2
atiptaxx.exe
BCMWLTRY.EXE
ccSvchst.exe x2
csrss.exe
alg.exe
dlllhost.exe
ehmsas.exe
ehrecvr.exe
ehSched.exe
ehtry.exe
lsass.exe
mcrdsvc.exe
PRISMXL.SYS
Whew, there are a bunch more. I never saw any of these before, so I don't know what they can be.


WHERE did you see them listed? And again I ask, what makes you think they are fake?

#15 boopme (To Insanity and Beyond; Global Moderator, 73,323 posts)

Posted 18 June 2009 - 09:23 AM

Hi, do you have 2 active AVs, Norton and Avast? This will cause you some issues, from slowness to false positives as they scan each other's databases, etc.
You need to remove one if that's the case.
What was that log from Avast?

Install and run a new copy of SmitfraudFix. You actually should not run this tool on your own.
Run part 1
Please download SmitfraudFix

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs; therefore, they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm



Now update and run a SUPER scan. First run ATF
Please download ATF Cleaner by Atribune & save it to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".


Now the SUPER scan after checking for an update...then post that log also.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.