Key.exe recreating itself @ login


  • This topic is locked
2 replies to this topic

#1 Daniel11

Posted 27 July 2009 - 03:06 PM

Referred from: http://www.bleepingcomputer.com/forums/t/244545/keyexe-in-windowstemp-folder/ ~ OB

A couple of days ago I noticed that whenever I boot my computer and log in, Symantec Endpoint Protection would pop up its Auto-Protect window saying that it has detected Key.exe in the WINDOWS\Temp folder; it would then close the analysis pop-up and open another pop-up with the "Action Taken" stating "Cleaned by Deletion". Whenever I restart, or shut down and start my computer, Symantec Endpoint Protection does the same thing all over again. I would like to figure out how to remove this "Key.exe" once and for all and how to stop it from recreating itself at login.


DDS (Ver_09-06-26.01) - NTFSx86
Run by HP_Administrator at 14:54:49.96 on Mon 07/27/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2459 [GMT -5:00]

AV: Symantec Endpoint Protection *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *enabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\RTHDCPL.EXE
C:\HP\KBD\KBD.EXE
C:\Program Files\Internet Download Manager\IDMan.exe
C:\Program Files\Taskbar Shuffle\taskbarshuffle.exe
C:\Program Files\SpeedFan\speedfan.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\HP_Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
mWinlogon: UIHost=c:\documents and settings\all users\application data\tuneup software\tuneup utilities\winstyler\tu_logonui.exe
BHO: IDMIEHlprObj Class: {0055c089-8582-441b-a0bf-17b458c2a3a8} - c:\program files\internet download manager\IDMIECC.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [IDMan] c:\program files\internet download manager\IDMan.exe /onboot
uRun: [Taskbar Shuffle] c:\program files\taskbar shuffle\taskbarshuffle.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
mRun: [KBD] c:\hp\kbd\KBD.EXE
mRun: [FirefoxUltimateOptimizer] "c:\program files\mozilla firefox\optimizers\fuo\Firefox Ultimate Optimizer.exe"
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
StartupFolder: c:\docume~1\hp_adm~1\startm~1\programs\startup\speedf~1.lnk - c:\program files\speedfan\speedfan.exe
IE: Download all links with IDM - c:\program files\internet download manager\IEGetAll.htm
IE: Download FLV video content with IDM - c:\program files\internet download manager\IEGetVL.htm
IE: Download with IDM - c:\program files\internet download manager\IEExt.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {36ECAF82-3300-8F84-092E-AFF36D6C7040} - {86529161-034E-4F8A-88D2-3C625E612E04} - c:\program files\winhttrack\WinHTTrackIEBar.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1232815039750
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
TCP: {6BE8E280-8A4B-457A-AFA0-8D9C59048B8D} = 192.168.0.1,4.2.2.2
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\hp_adm~1\applic~1\mozilla\firefox\profiles\d49j5ryp.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\documents and settings\hp_administrator\application data\idm\idmmzcc3\components\idmmzcc.dll

---- FIREFOX POLICIES ----
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: content.notify.backoffcount - 5
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
FF - user.js: content.interrupt.parsing - true
FF - user.js: content.max.tokenizing.time - 2250000
FF - user.js: content.notify.interval - 750000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 750000
FF - user.js: nglayout.initialpaint.delay - 0
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 16
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 8
user_pref(browser.cache.memory.capacity, 65536)
FF - user.js: browser.tabs.showSingleWindowModePrefs - true
FF - user.js: network.http.request.timeout - 300
FF - user.js: config.trim_on_minimize - true

============= SERVICES / DRIVERS ===============

R1 Ext2fs;Ext2fs;c:\windows\system32\drivers\ext2fs.sys [2009-4-19 181120]
R1 IfsMount;IfsMount;c:\windows\system32\drivers\ifsmount.sys [2009-4-19 51072]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-6-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-6-23 72944]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2008-8-14 108392]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2008-8-14 108392]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2009-1-24 211216]
R2 PDIHWCTL;PDIHWCTL;c:\windows\system32\drivers\pdihwctl.sys [2009-5-7 14416]
R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2008-12-8 2440120]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-6-11 101936]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2009-1-24 19096]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090726.022\NAVENG.SYS [2009-7-26 87888]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090726.022\NAVEX15.SYS [2009-7-26 875728]
R3 OA002Afx;Provides a software interface to control audio effects of OA002 camera.;c:\windows\system32\drivers\OA002Afx.sys [2009-4-30 148056]
R3 OA002Ufd;Creative Camera OA002 Upper Filter Driver;c:\windows\system32\drivers\OA002Ufd.sys [2009-4-30 144672]
R3 OA002Vid;Creative Camera OA002 Function Driver;c:\windows\system32\drivers\OA002Vid.sys [2009-4-30 268672]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-6-23 7408]
S2 Apache2.2;Apache2.2;"c:\program files\xampp\apache\bin\apache.exe" -k runservice --> c:\program files\xampp\apache\bin\apache.exe [?]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-11-18 23888]
S3 CXFALCON;Conexant Falcon II NTSC Video Capture;c:\windows\system32\drivers\cxfalcon.sys [2009-1-24 80384]
S3 eyeonedp;eye-one display;c:\windows\system32\drivers\EyeOneDp.sys [2009-5-7 44344]
S3 GatewayAgentService;O&O Gateway Agent Service;c:\program files\oo software\shared\gatewayagent\ooemcgats.exe [2008-10-27 320768]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\9.tmp --> c:\windows\system32\9.tmp [?]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [2009-5-23 136704]
S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [2009-5-23 8320]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2008-5-21 34576]
S3 PanasonicKX-TG5576USBD;Panasonic KX-TG55 USB;c:\windows\system32\drivers\pccusbd.sys [2009-3-5 48224]
S3 SbieDrv;SbieDrv;c:\program files\sandboxie\SbieDrv.sys [2009-5-28 108032]
S4 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;c:\windows\system32\TUProgSt.exe [2009-1-24 603904]

=============== Created Last 30 ================

2009-07-27 11:38 --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-07-27 11:38 --d----- c:\program files\SUPERAntiSpyware
2009-07-27 11:38 --d----- c:\docume~1\hp_adm~1\applic~1\SUPERAntiSpyware.com
2009-07-27 10:33 --d----- c:\program files\Sophos
2009-07-23 08:21 --d----- C:\Sandbox
2009-07-22 23:14 2,070 a------- c:\windows\Sandboxie.ini
2009-07-22 23:14 --d----- c:\program files\Sandboxie
2009-07-20 20:31 --d----- c:\windows\system32\wbem\Repository
2009-07-20 13:11 --d----- c:\program files\common files\HP
2009-07-20 13:08 --d----- c:\program files\common files\Hewlett-Packard
2009-07-20 13:04 --d----- c:\program files\HP
2009-07-20 13:04 68,492 -------- c:\windows\hpoins05.dat.temp
2009-07-20 13:04 19,696 -------- c:\windows\hpomdl05.dat.temp
2009-07-17 16:36 --d----- c:\program files\Vuze
2009-07-12 16:07 5,632 a------- c:\windows\system32\ptpusb.dll
2009-07-12 16:07 159,232 a------- c:\windows\system32\ptpusd.dll
2009-07-10 12:05 3,596,288 a------- c:\windows\system32\qt-dx331.dll
2009-07-10 12:05 205,824 a------- c:\windows\system32\xvidvfw.dll
2009-07-10 12:05 90,112 a------- c:\windows\system32\dpl100.dll
2009-07-10 12:05 685,056 a------- c:\windows\system32\divx.dll
2009-07-10 12:05 85,504 a------- c:\windows\system32\ff_vfw.dll
2009-07-10 12:05 60,273 a------- c:\windows\system32\pthreadGC2.dll
2009-07-10 12:05 547 a------- c:\windows\system32\ff_vfw.dll.manifest
2009-07-10 12:05 --d----- c:\program files\K-Lite Codec Pack
2009-07-04 19:32 --d----- c:\program files\Bonjour

==================== Find3M ====================

2009-07-20 13:18 68,964 a------- c:\windows\hpoins05.dat
2009-07-13 13:36 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-13 13:36 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-16 09:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 09:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-03 14:09 1,291,264 a------- c:\windows\system32\quartz.dll
2009-05-29 16:31 881,664 a------- c:\windows\system32\xvidcore.dll
2009-05-23 09:56 1,310,720 a------- c:\windows\system32\avisynth.dll
2009-05-23 09:55 106,496 a------- c:\windows\system32\MT.dll
2009-05-19 22:00 720,896 a------- c:\windows\iun6002.exe
2009-05-13 00:15 915,456 a------- c:\windows\system32\wininet.dll
2009-05-07 10:32 345,600 a------- c:\windows\system32\localspl.dll
2009-05-05 17:31 2,402,304 a------- c:\windows\system32\x264vfw.dll
2009-01-24 11:30 87,608 a------- c:\docume~1\hp_adm~1\applic~1\inst.exe
2009-01-24 11:30 47,360 a------- c:\docume~1\hp_adm~1\applic~1\pcouffin.sys
2007-12-16 18:02 269,312 a------- c:\documents and settings\hp_administrator\upx.exe

============= FINISH: 14:55:13.29 ===============

Edited by Orange Blossom, 27 July 2009 - 11:48 PM.
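Added example, not part of the thread: a small Python parser for the DDS autostart sections shown above (Run keys, Startup folder, services) that extracts each entry's target binary and flags the ones a reviewer would check first: targets DDS could not resolve (marked `[?]`), bare names that are found through a PATH search, and anything living in a temp location or named .tmp. The sample lines are copied from the log above; the flag names and the heuristics are my own.

```python
import re
# Constructed sample: lines copied from the DDS "Pseudo HJT Report" and
# "SERVICES / DRIVERS" sections above, so the parser runs offline.
SAMPLE_LOG = r"""============== Pseudo HJT Report ===============
uRun: [IDMan] c:\program files\internet download manager\IDMan.exe /onboot
mRun: [nwiz] nwiz.exe /install
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
StartupFolder: c:\docume~1\hp_adm~1\startm~1\programs\startup\speedf~1.lnk - c:\program files\speedfan\speedfan.exe
============= SERVICES / DRIVERS ===============
S2 Apache2.2;Apache2.2;"c:\program files\xampp\apache\bin\apache.exe" -k runservice --> c:\program files\xampp\apache\bin\apache.exe [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\9.tmp --> c:\windows\system32\9.tmp [?]
"""
RUN_RE = re.compile(r"^([um]Run): \[([^\]]+)\] (.+)$")
STARTUP_RE = re.compile(r"^StartupFolder: .+? - (.+)$")
SERVICE_RE = re.compile(r"^[RS]\d ([^;]+);[^;]*;(.+)$")
EXE_RE = re.compile(r'^"?(.+?\.(?:exe|dll|sys|scr|com|tmp))"?(?=[\s,]|$)', re.I)

def command_path(cmd):
    """Strip arguments and quotes from a command line, keeping the (possibly space-containing) binary path."""
    m = EXE_RE.match(cmd)
    return m.group(1) if m else cmd.split(" ", 1)[0]

def flags_for(path, unresolved):
    """Review hints for one autostart target; an empty list means nothing stood out."""
    low, flags = path.lower(), []
    if unresolved:
        flags.append("unresolved")     # DDS could not stat the target it points to ([?])
    if "\\" not in low:
        flags.append("bare-name")      # no directory: resolved by PATH search at run time
    if "\\temp\\" in low or low.endswith(".tmp"):
        flags.append("temp-location")  # binaries run from temp paths deserve a second look
    return flags

def parse_autostarts(text):
    """Collect Run-key, Startup-folder and service entries from a DDS log."""
    entries = []
    for line in (raw.strip() for raw in text.splitlines()):
        run, startup, svc = RUN_RE.match(line), STARTUP_RE.match(line), SERVICE_RE.match(line)
        if run:
            kind, name, path, unresolved = run.group(1), run.group(2), command_path(run.group(3)), False
        elif startup:
            kind, name, path, unresolved = "StartupFolder", "", startup.group(1), False
        elif svc:
            kind, name, rest = "Service", svc.group(1), svc.group(2)
            unresolved, rest = rest.endswith("[?]"), re.sub(r"\s*\[[^\]]*\]$", "", rest)
            path = rest.rsplit("--> ", 1)[-1] if "--> " in rest else command_path(rest)
        else:
            continue
        entries.append({"kind": kind, "name": name, "path": path, "flags": flags_for(path, unresolved)})
    return entries
```

A flag is a prompt to look, not a verdict: the MEMSWEEP2 entry in this log, for instance, is flagged on both counts yet the thread ends with the user finding nothing malicious.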


#2 Daniel11 (Topic Starter)
Posted 29 July 2009 - 12:51 AM

Please close this topic. I have solved the Key.exe problem. It was not a virus or malware of any kind to begin with. Thanks for all of your help.

#3 Guest_The weatherman_* (Guest)

Posted 29 July 2009 - 05:12 PM

Thanks for letting us know Daniel11.
