[Kraellin]

anyone know if this file: ibhfcyte.exe is a virus or is my avg anti-virus giving me a false positive? i ask because even though this popped up with AVG, they dont list the thing in their virus encyclopedia/database and google has nothing on it either.

AVG says it's a 'Trojan horse downloader.Generic3XEN' . i've got so many automatic downloaders that i just cant tell if this is a legitimate file or a virus.

[Doug Nelson]

It gets zero google hits, so I definitely wouldn't trust it.

[Cameraken]

Hi Craig

This does sound like a random file name and is probably a bad file.
You may get more info by checking its properties (right click the file and click properties)

You can test the file at jotti or virustotal.
[*]Go to VirusTotal or Jotti's, and scan the following file(s).

ibhfcyte.exe

• Click on the Browse button at the top of the screen.
• Browse to the file.
• Click OK.
• Click Send, and the file will upload to VirusTotal / Jotti, where it will be scanned by several anti-virus programmes.
• After a while, a window will open, with details of what the scans found.
• Note details of any viruses found.

Ken.

[Kraellin]

thanks, doug, ken.

this thing is quite weird. it's only 9kb and when i open windows explorer and go to windows, system32 to look at the file, when the file comes into view, the avg alert goes off. i dont have to click on anything or even mouse ever anything. all i have to do is see the file name in windows explorer and the alert goes off.

but, that's not even the strangest part. i decided to go to microsoft.com and see if they recognized it. i entered the file name into their search and it came up with nothing, but on the new results page of the search, avg once again went off seeing the name.

then, going down to the task bar and minimizing windows explorer or internet explorer and then maximizing either one again with that same name showing, avg would go off again.

quite odd.

oh, and i went to both of those sites, ken and both gave the same results, the file wouldnt upload so they couldnt analyze it.

and when the avg alert comes up, it gives me 4 options, ignore, info, heal or move to vault. when i click on info, it takes me to avg's encyclopedia. they have no knowledge of the file/virus.

when i try to open it in notepad, i'm denied because it's a 'system file'.

never seen a file act quite like this.

[chillin]

If this is only 9kb I would drop it into a notepad or text pad to see what is hidden inside. Could you send it to me? I'll try to play with it.

[Kraellin]

Quote:

when i try to open it in notepad, i'm denied because it's a 'system file'.

sorry, chillin, tried that.

[Photo678]

2 things, do a system search for the file name and try to find out what folder it is hiding itself in...that could give you an idea of what program it is attached to.

2nd thing.....go to your "run" command under the start menu, type "msconfig" without quotes, and click the startup tab....look through the list and try to spot that file, it will typically tell you what program is running that exe file.

basically, it IS a program that is running on your computer. My guess is some plugin that you recently installed.

[Kraellin]

photo678, it's in the system32 folder.

well, there's lots of programs in system32 that dont get run until you call something else up. the file is not in my startup list, at least not in the stuff that msconfig can see. the file has been there since january of this year, apparently.

i dont ever recall seeing that name come up in zone alarm asking for permissions and i dont recall win patrol ever asking about it either. it doesnt seem to be an active program. it's not denying me access to because of 'file in use'. it's just denying me access because it's a 'system file', or so it says. but microsoft has no knowledge of it and google has no knowledge of it and avg has no knowledge of it, even though the avg alerter is calling it a 'trojan horse downloader.generic3xen'. so, i dont know where it came from or if it's doing anything or associated with some other program. it may well be a legit file and associated with something i installed back in january of this year, but i cant tell.

i suppose i could isolate it to the avg virus vault and see if anything then fails to run. but i hate doing things like that blindly, with no knowledge of if this is legit or not.

[Cameraken]

Hi Craig.

That is often the effect of files in use and malware files that protect themself.
Try copying the files to some other place and submit them from there. If that does not work try the following:

1. Go to Start > My Computer. Click the C drive. On the right side of the window please find Make a new folder and click it. Call it Cleanup
   
2. Now download IceSword from http://www.majorgeeks.com/Icesword_d5199.html to a place where you can find it.
   
3. Extract it to a place where you can find it.
   
4. Once you have extracted it click on Icesword.exe to start the program.
   Next find the tab Files on the right side. Click it and it will open up an interface that looks like Windows Explorer.
   
5. Navigate your way to >ibhfcyte.exe<
   
6. Right click it and select "copy to". Send it to C:\Cleanup
   
7. Next please submit C:\cleanup\bad File to be scanned by Jotti and/or by Virus Total.

Ken.

[Gary Richardson]

Run a HJT scan and post the log back here Craig, there may be other items on your log that will give us a clue as to what your problem file is connected with.


Glad to see you've been reading Elrond's posts Ken.

[Kraellin]

it wont do it, ken. i got icesword, followed everything exactly as you said, but it wont enter the file name or save in the copy to window. enclosed is a screenshot of where i got to. everything worked fine up to being able to save to 'Cleanup'.

[Kraellin]

in fact, i cant copy anything with this. nothing will enter into where the file name shld go. this is version 1.20. maybe bugged or blocked? and yes, i can do normal copies in windows explorer. just tried it.

[Kraellin]

this must be a newer/older version. the 'files' tab is on the lower left, not the right.

and what is this 'cooperator' thing that came with icesword?

[Kraellin]

here's the hjt logfile, gary:

Logfile of HijackThis v1.99.1
Scan saved at 12:11:12 AM, on 6/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
D:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\hphmon05.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Corel\Corel Paint Shop Pro Photo XI\Corel Paint Shop Pro Photo.exe
D:\Applications-Utilities\HijackThis-1-9 free\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.retouchpro.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: http://www.filterforge.com
O15 - Trusted Zone: http://www.retouchpro.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1171850158937
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1172812827828
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - D:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

[Gary Richardson]

HJT log's clean Craig.

However HJT isn't the be all and end all of diagnostics and there's a whole bunch of things it doesn't show, so lets look a little further.

First clear your temp files out so we have less to scan.

• Click Start > Run and type cleanmgr then click OK.
• This will bring up the Disk Cleanup window.
• Check the following entries.
  • Temporary Internet Files.
  • Recycle Bin.
  • Temporary Files.
• Click OK.
• When a prompt pops up click Yes.

Next

Please do an online scan with Kaspersky Online Scanner

Note: You must be using Internet Explorer as your browser as it will be necessary to install an Active X component to your computer.

Important If you have previously used Kaspersky Online Scanner (before 8th Aug 2006), you will have to uninstall the old version using Add/Remove Programs in Control Panel before you can use the new version.

Click on Kaspersky Online Scanner

You will be promted to install an ActiveX component from Kaspersky, Click Yes.

• The program will launch and then start to download the latest definition files.
• Once the scanner is installed and the definitions downloaded, click Next.
• Now click on Scan Settings.
• In the scan settings make sure that the following are selected:
  • Scan using the following Anti-Virus database:
    • Extended (If available otherwise Standard)
  • Scan Options:
    • Scan Archives
    • Scan Mail Bases
• Click OK.
• Now under select a target to scan select My Computer.
• The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
• Now click on the Save as Text button:
• Save the file to your desktop.
• Copy and paste that information in your next post.

Note: The Kaspersky online scanner is not yet fully compatible with IE7. You may get returned to a window without the Accept/Decline buttons after allowing the ActiveX control. The buttons are there - you just can't see them! Click on the zoom button (bottom, right of the window) and change it from 100% to 75%. You should now see the buttons. Reset to 100% once the license has been accepted.

Might as well check for "hidden" stuff as well.

Download GMER and unzip it to your Desktop. (It will create a folder GMER)

Alternate Download Site

• Disconnect from the Internet, and close all running programmes.
• There is a small chance this programme may crash your computer, so save any work you have open.
• Open the GMER folder, and double click gmer.exe
• Let the gmer.sys driver load if asked.
• If it gives you a warning at programme start about rootkit activity and asks if you want to run a scan ..... click OK.
• If no warning:
  • Click Rootkit tab.
  • Ensure that All the boxes to the right of the program are checked except Show All.
  • Click Scan.
• Once scan is finished click Copy.
  • Click Start > Run then type Notepad.exe then click OK.
  • This will open a Notepad file.
  • Hit Ctrl+V to paste log into it.
  • Save the log to your Desktop.
• Reconnect to internet and post the log please.

Don't try and clear anything it says is a Rootkit, a lot of Firewall and Anti-Virus programmes use techniques similar to Rootkits to operate, the entries found may be related to them.

Post each log seperately as they can be quite long sometimes and the post size limiter might cut them off.


Photoshop. Tried the IceSword technique myself, didn't work for me either. This was posted at MRU by one of the teachers there, which is why Ken posted it, I'll have to have a word with him about it.