strange file appearing



#1 terrygh

  • Members

Posted 21 December 2010 - 09:42 PM

Every so often this file appears: vssCxe15.exe. If you google it you get nothing on it. It's definitely a virus which seems to infect the task scheduler, causing multiple tasks to run constantly. Has anyone else run into this problem? I am running Win7 64-bit Ultimate. Killing vssCxe is not the problem; why it keeps reappearing is. Also, a program called WhiteSmoke seems to be part of it in some way. WhiteSmoke seems to be a legitimate program, but I have never downloaded any from their website. I would attach the file but I don't want to spread this. If anyone has any info on this I would appreciate any assistance you can give. I can't believe I am the only person seeing this. Thanks, terrygh



#2 CrimsonSpider

  • Members

Posted 21 December 2010 - 09:45 PM

Hiya,

Not certain, but could you re-post your problem in the Security section of bleepingComputer?

It'd be more likely that you'd get a response faster and one-to-one help from the bc team!

CrimsonSpider
"Don’t worry if it doesn’t work right. If everything did, you’d be out of a job."
(Mosher’s Law of Software Engineering)

#3 boopme

  • Global Moderator

Posted 22 December 2010 - 04:17 PM

A nothing in Google is a good indicator of a randomly named malware.
The WhiteSmoke web site indicates it makes English grammar correction software, translation software, and other specialized English writing tools. However, many users have reported they did not know how WhiteSmoke was downloaded or installed. From our investigation and dealings with this software we are also finding many cases of it with a TDSS rootkit infection. So depending on the severity of system infection will determine how the disinfection process goes.

The web site says the software can be removed through Add/Remove Programs or Programs and Features if using Vista/Windows 7 so check there first, highlight anything with the name "Whitesmoke", select Remove and restart the computer normally. This appears to work in most cases with the Whitesmoke Toolbar but not with the Translator.

Please post the complete results of your MBAM scan for review.

To retrieve the Malwarebytes Anti-Malware scan log information, launch MBAM.
  • Click the Logs Tab at the top.
  • The log will be named by the date of scan in the following format: mbam-log-date(time).txt
    -- If you have previously used MBAM, there may be several logs showing in the list.
  • Click on the log name to highlight it.
  • Go to the bottom and click on Open.
  • The log should automatically open in notepad as a text file.
  • Go to Edit and choose Select all.
  • Go back to Edit and choose Copy or right-click on the highlighted text and choose Copy from there.
  • Come back to this thread, click Add Reply, then right-click and choose Paste.
  • Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
Logs are saved to the following locations:
-- XP: C:\Documents and Settings\<Username>\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-yyyy-mm-dd
-- Vista, Windows 7, 2008: C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-yyyy-mm-dd


Please download the TDSS Rootkit Removing Tool (TDSSKiller.zip) and save it to your Desktop. <-Important!!!
Be sure to print out and follow all instructions for performing a scan or refer to these instructions with screenshots.

  • Extract (unzip) the file to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the Desktop. Vista/Windows 7 users refer to these instructions if you're unsure how to unzip a file.
  • If you don't have an extracting program, you can download TDSSKiller.exe and use that instead.
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • When the program opens, click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure is selected, then click Continue > Reboot now to finish the cleaning process.<- Important!!
    Note: If 'Suspicious' objects are detected, you will be given the option to Skip or Quarantine. Skip will be the default selection.
  • A log file named TDSSKiller_version_date_time_log.txt will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.
-- If TDSSKiller does not run, try renaming it. To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to these instructions. In some cases it may be necessary to redownload TDSSKiller and randomly rename it before downloading and saving to the computer.

-- For any files detected as 'Suspicious' (except those identified as Forged to be cured after reboot) get a second opinion by submitting to Jotti's virusscan or VirusTotal. In the "File to upload & scan" box, browse to the location of the suspicious file and submit (upload) it for scanning/analysis.
How do I get help? Who is helping me?
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook

#4 terrygh

  • Topic Starter
  • Members

Posted 02 January 2011 - 12:40 PM

Sorry about the length of time that has passed since the last post. Corrected the problem by doing a search by date and deleting the files that did not belong there, using regedit and repaired the registry. Used tcpip to track the remote IP address that vsscxe15 was talking to. A service is installed called network security service; windows power management is its description. Use the sc delete command from the command prompt to remove the service. This infection came in through the peer networking identity manager service; since I don't use it I disabled all 3 peer networking services. Also used rkill and process explorer to find and kill vsscxe15 in the beginning. Thanks for your reply and I appreciate everyone's time. terrygh
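
The checks described in the post above (files by date, the service, the scheduled tasks, the remote connection) can be gathered in one read-only pass. This is an added example, not part of the original post: the 30-day window, the search roots and the variable names are assumptions, and it uses only commands available on Windows 7 (PowerShell 2.0).

```powershell
# Added example: read-only triage, nothing is deleted or stopped.
# Assumptions: 30-day window and search roots are illustrative; schtasks.exe
# prints English column names; run from an elevated prompt.
$Stem  = 'vssCxe'                      # file-name stem reported in post #1
$Since = (Get-Date).AddDays(-30)       # assumed look-back window
$Roots = @($env:windir, $env:ProgramData, $env:APPDATA, $env:LOCALAPPDATA, $env:TEMP) |
    Where-Object { $_ }                # drop any unset location

# 1. "Search by date": executables created inside the window.
$files = Get-ChildItem -Path $Roots -Recurse -Force -Include *.exe -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer -and $_.CreationTime -ge $Since } |
    Select-Object FullName, CreationTime, @{ n = 'StemMatch'; e = { $_.Name -like "$Stem*" } }

# 2. Services whose binary path contains the stem, or whose display name is
#    the one reported in post #4. Compare DisplayName against Description.
$services = Get-WmiObject Win32_Service |
    Where-Object { $_.PathName -like "*$Stem*" -or $_.DisplayName -like '*network security service*' } |
    Select-Object Name, DisplayName, Description, State, StartMode, PathName

# 3. Scheduled tasks whose action launches the file. schtasks repeats its
#    CSV header per task folder, so header rows are filtered out.
$tasks = schtasks.exe /Query /FO CSV /V | ConvertFrom-Csv |
    Where-Object { $_.TaskName -ne 'TaskName' -and $_.'Task To Run' -like "*$Stem*" } |
    Select-Object TaskName, 'Task To Run', 'Run As User' -Unique

# 4. TCP connections owned by a matching process (last netstat column = PID).
$procIds = @(Get-Process | Where-Object { $_.ProcessName -like "$Stem*" } | ForEach-Object { $_.Id })
$conns = netstat.exe -ano | Where-Object { $_ -match '^\s*TCP' } |
    Where-Object { $procIds -contains [int](($_.Trim() -split '\s+')[-1]) }

'--- recent executables'; $files    | Sort-Object CreationTime | Format-Table -AutoSize
'--- services';           $services | Format-List
'--- scheduled tasks';    $tasks    | Format-List
'--- tcp connections';    $conns
```

When removing a service found this way from Windows PowerShell rather than cmd.exe, type `sc.exe delete` in full, because `sc` on its own is an alias for Set-Content there.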

#5 boopme

  • Global Moderator

Posted 03 January 2011 - 02:36 PM

Thank you for letting us know.



