Keeps generating exe files aaa, bbb, ccc, etc.

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

wagonman76

Thread Starter
Joined
Jun 26, 2005
Messages
11
I have Windows NT4, service pack 6. Recently, it has developed a problem. It keeps generating these exe files in the system32 folder called aaa.exe, bbb.exe, ccc.exe, etc. I think I've seen every letter of the alphabet so far, but they're always 3 letters of the same letter. When it does that, Dr Watson gives an error message, and then I delete the file. Once it has generated the file, I lose my ability to copy/paste, the ability to fill out some forms online, the ability to open a link in a new window, and who knows what else. I restart the computer and it is fine, until it does it again.

Here's what I've done so far. When it first started developing the file, Norton would pop up and show it as being infected with "W32.Randex". It did it a few times, and I ran a full system scan. It showed maybe 6 or 7 files infected, including explorer.exe and winlogon.exe. I restarted in DOS and deleted then copied fresh versions of these files from the Windows CD. I also re-ran the SP6 update to make sure they were updated, since the CD has the original versions before any service packs. After that, I've done a couple of full system scans, along with making sure the virus definitions were updated, and it comes out clean.

But it is still doing it. And it no longer shows the files as being infected, but it is the same thing, so it seems something is infected. Someone suggested it might be spyware, so I installed Spybot along with its updates, and it found a bunch of stuff and cleaned it out. Now a spyware scan comes out clean too. It ran like a million bucks for a little bit, then it created one of those files again. It's done it about 3 times in the last hour, which is about usual. Spybot doesn't detect anything wrong.

I've gone through the registry and checked both current user and local machine in the currentversion/run section for things that start up with the computer, and there is nothing that shouldn't be. The only thing that's there is Norton.

I've searched on the Symantec site about W32.Randex, and read up on every instance of it, and nothing applies to what mine is doing.

Can anyone help?
 

cybertech

Retired Moderator
Joined
Apr 16, 2002
Messages
72,115
Hi wagonman76, Welcome to TSG!!

Click on this link: http://www.thespykiller.co.uk/files/HJTsetup.exe Double click on the file and it will install to C:\program files\hijackthis and create an entry in the start menu and an optional shortcut on desktop.
Click on the entry in start menu or on the desktop to run HijackThis
Click the "Scan" button, when the scan is finished the scan button will become "Save Log" click that and save the log.
Go to where you saved the log and click on Edit, Select All then click Edit, Copy then Paste the log back here in a reply.
It will possibly show issues deserving our attention, but most of what it lists will be harmless or even required, so do NOT fix anything yet.

Someone here will be happy to help you analyze the results.
 

wagonman76

Thread Starter
Joined
Jun 26, 2005
Messages
11
Here's the logfile with everything off. Is this OK, or should I run it after it acts up?

Logfile of HijackThis v1.99.1
Scan saved at 9:03:08 PM, on 6/27/05
Platform: Windows NT 4 SP6 (WinNT 4.00.1381)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINNT35\System32\smss.exe
D:\WINNT35\system32\winlogon.exe
D:\WINNT35\system32\services.exe
D:\WINNT35\system32\lsass.exe
D:\WINNT35\System32\nddeagnt.exe
D:\WINNT35\System32\Explorer.exe
D:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
D:\WINNT35\system32\systray.exe
D:\WINNT35\system32\spoolss.exe
D:\WINNT35\system32\RpcSs.exe
D:\WINNT35\system32\tapisrv.exe
D:\WINNT35\system32\rasman.exe
D:\PROGRA~1\NORTON~1\SPEEDD~1\NOPDB.EXE
D:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
d:\winnt35\system32\pstores.exe
C:\hjt\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: UserInit=userinit,nddeagnt.exe
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.yahoo.com/"); (D:\Program Files\Netscape\Users\myello\prefs.js)
O2 - BHO: (no name) - {00000EF1-0786-4633-87C6-1AA7A44296DA} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINNT35\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NAV Agent] D:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: systray.exe.lnk = system32\systray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\j2re1.4.1_06\bin\npjpi141_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\j2re1.4.1_06\bin\npjpi141_06.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINNT35\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINNT35\web\related.htm
O12 - Plugin for .ppt: D:\Program Files\Netscape\Communicator\Program\PLUGINS\NPDOC.DLL
O13 - WWW. Prefix: http://
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - D:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - D:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - D:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - D:\PROGRA~1\NORTON~1\SPEEDD~1\NOPDB.EXE
 

wagonman76

Thread Starter
Joined
Jun 26, 2005
Messages
11
It seems to only act up when I'm dialed in (using RAS). I dialed in and not 5 minutes later it acted up. It created zzz.exe. I then ran the HijackThis program again and here's the log. Maybe this might be more helpful.


Logfile of HijackThis v1.99.1
Scan saved at 11:40:41 PM, on 6/27/05
Platform: Windows NT 4 SP6 (WinNT 4.00.1381)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINNT35\System32\smss.exe
D:\WINNT35\system32\winlogon.exe
D:\WINNT35\system32\services.exe
D:\WINNT35\system32\lsass.exe
D:\WINNT35\System32\nddeagnt.exe
D:\WINNT35\System32\Explorer.exe
D:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
D:\WINNT35\system32\systray.exe
D:\WINNT35\system32\spoolss.exe
D:\WINNT35\system32\tapisrv.exe
D:\WINNT35\system32\rasman.exe
D:\PROGRA~1\NORTON~1\SPEEDD~1\NOPDB.EXE
D:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
d:\winnt35\system32\pstores.exe
D:\WINNT35\System32\ddhelp.exe
D:\PROGRA~1\Plus!\MICROS~1\iexplore.exe
D:\Program Files\Adobe\Acrobat 4.0\Reader\AcroRd32.exe
D:\WINNT35\system32\rasmon.exe
D:\PROGRA~1\Plus!\MICROS~1\iexplore.exe
C:\hjt\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: UserInit=userinit,nddeagnt.exe
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.yahoo.com/"); (D:\Program Files\Netscape\Users\myello\prefs.js)
O2 - BHO: (no name) - {00000EF1-0786-4633-87C6-1AA7A44296DA} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINNT35\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NAV Agent] D:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: systray.exe.lnk = system32\systray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\j2re1.4.1_06\bin\npjpi141_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\j2re1.4.1_06\bin\npjpi141_06.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINNT35\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINNT35\web\related.htm
O12 - Plugin for .ppt: D:\Program Files\Netscape\Communicator\Program\PLUGINS\NPDOC.DLL
O13 - WWW. Prefix: http://
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - D:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - D:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - D:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - D:\PROGRA~1\NORTON~1\SPEEDD~1\NOPDB.EXE
 

wagonman76

Thread Starter
Joined
Jun 26, 2005
Messages
11
It will not scan it. It simply comes back to the online virus input screen and asks me to try again. It does not matter where I move it to or what I rename it to, it still always gives the same message. However, I try to scan other files on my computer and it works just fine. Maybe there's something in the file that screws with this scanner?

BTW this one is fff.exe (system32 as always). This time I didn't get an error about fff.exe, and I noticed it created it about an hour earlier. I got an actual Norton warning that it quarantined ljfu.exe in the system32 folder and said it contained W32.Linkbot.M. Whether the two are related I don't know. I'll do a full scan again through the night; it takes almost 2 hours.
 

cybertech

Retired Moderator
Joined
Apr 16, 2002
Messages
72,115
* Go here to download CCleaner.
  • Install CCleaner
  • Launch CCleaner and look in the upper right corner and click on the "Options" button.
  • Click "Advanced" and remove the check by "Only delete files in Windows temp folders older than 48 hours".
  • Click OK
  • Do not run CCleaner yet. You will run it later in safe mode.


* Download the trial version of Ewido Security Suite here.
  • Install ewido.
  • During the installation, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
  • Launch ewido
  • It will prompt you to update click the OK button and it will go to the main screen
  • On the left side of the main screen click update
  • Click on Start and let it update.
  • DO NOT run a scan yet. You will do that later in safe mode.


* Restart your computer into safe mode now. Perform the following steps in safe mode:

* Run Ewido:
  • Click on scanner
  • Put a check by the following before you scan:
    • Binder
    • Crypter
    • Archives
  • Click the Start Scan button to start the scan.
  • During the scan it will prompt you to clean files, click OK
  • When the scan is finished, look at the bottom of the screen and click the Save report button.
  • Save the report to your desktop


* Start CCleaner and click Run Cleaner

* Restart back into Windows normally now.


* Run ActiveScan online virus scan here

When the scan is finished, anything that it cannot clean have it delete it. Make a note of the file location of anything that cannot be deleted so you can delete it yourself.
- Save the results from the scan!

Post a new HiJackThis log along with the results from ActiveScan and the ewido scan
 

wagonman76

Thread Starter
Joined
Jun 26, 2005
Messages
11
I downloaded Ewido twice, and both times it would not install because it said the file was possibly damaged or there was possibly a virus. So I downloaded Avast. It quarantined 5 infected files. I downloaded and installed CCleaner; should I go and run that?
 

wagonman76

Thread Starter
Joined
Jun 26, 2005
Messages
11
Here is what Avast found.

7/3/05 3:58:02 AM Administrator 208 Sign of "Win32:SecondThought [Trj]" has been found in "D:\WINNT35\Downloaded Program Files\install026.exe" file.

7/3/05 3:59:23 AM Administrator 208 Sign of "Win32:Trojan-gen. {UPX!}" has been found in "D:\WINNT35\Downloaded Program Files\install007.exe" file.

7/3/05 3:59:23 AM Administrator 208 Sign of "Win32:Qdownl [Trj]" has been found in "D:\WINNT35\Downloaded Program Files\QDow_AS2.dll" file.

7/3/05 4:12:18 AM Administrator 208 Sign of "Win32:Adan-037 [Adw]" has been found in "D:\Program Files\Win Comm\WinComm.exe" file.

7/3/05 4:15:24 AM Administrator 208 Sign of "Win32:Trojan-gen. {Other}" has been found in "D:\updaterInstall_112.exe" file.
 

wagonman76

Thread Starter
Joined
Jun 26, 2005
Messages
11
Here is what HijackThis found after running for a little bit after the scan.

Logfile of HijackThis v1.99.1
Scan saved at 5:07:56 AM, on 7/3/05
Platform: Windows NT 4 SP6 (WinNT 4.00.1381)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINNT35\System32\smss.exe
D:\WINNT35\system32\winlogon.exe
D:\WINNT35\system32\services.exe
D:\WINNT35\system32\lsass.exe
D:\WINNT35\System32\nddeagnt.exe
D:\WINNT35\System32\Explorer.exe
D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
D:\WINNT35\system32\spoolss.exe
D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
D:\WINNT35\system32\RpcSs.exe
D:\WINNT35\system32\tapisrv.exe
D:\WINNT35\system32\rasman.exe
D:\Program Files\Alwil Software\Avast4\ashServ.exe
d:\winnt35\system32\pstores.exe
D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
D:\WINNT35\system32\ntvdm.exe
D:\WINNT35\system32\rasmon.exe
D:\Program Files\Atomic Clock Sync\Atomic.exe
D:\Program Files\Yahoo!\Messenger\YPager.exe
D:\PROGRA~1\Plus!\MICROS~1\iexplore.exe
D:\WINNT35\System32\ddhelp.exe
C:\hjt\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: UserInit=userinit,nddeagnt.exe
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.yahoo.com/"); (D:\Program Files\Netscape\Users\myello\prefs.js)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINNT35\System32\msdxm.ocx
O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\j2re1.4.1_06\bin\npjpi141_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\j2re1.4.1_06\bin\npjpi141_06.dll
O12 - Plugin for .ppt: D:\Program Files\Netscape\Communicator\Program\PLUGINS\NPDOC.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
 

cybertech

Retired Moderator
Joined
Apr 16, 2002
Messages
72,115
Run HJT again and put a check in the following:

O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)

Close all applications and browser windows before you click "fix checked".

Did Avast remove those items?
 

wagonman76

Thread Starter
Joined
Jun 26, 2005
Messages
11
I ran HJT and had it fix that item. Just for kicks, I restarted the computer and did another HJT scan and it is back. Not sure what it is though.

I had Avast just keep the items in quarantine (virus chest).

One thing is for sure, the computer is faster than it was with Norton. Even with the virus sensitivity on Avast set to max. And most times I've been browsing with it so far, it eventually pops up a box saying it blocked something trying to be sent to me. Could be what was giving me the aaa.exe, etc. files.
 

wagonman76

Thread Starter
Joined
Jun 26, 2005
Messages
11
Hmmm, it is doing it again. And Avast comes out clean, even with the files right under its nose and a direct scan on them and a full system scan. But this time the Kaspersky virus check program worked on them, which were hhh.exe and fff.exe. Both times the Kaspersky program detected them as

Backdoor.Win32.Codbot.ag.

I did a google search on Backdoor.Win32.Codbot.ag and came up with this.

http://www.sophos.com/virusinfo/analyses/w32codbotag.html

This is an interesting page, because when Windows starts up it usually gives me a DHCP error. I've always let it go because I thought it was just a glitch with the network setup, which, even though I followed the networking instructions, has always seemed screwy to me. DHCP seemed like it was an integral part of networking; it was always present throughout the setup, otherwise I would just try to get rid of it.

A while back I went to services and set the DHCP client to manual, to hopefully get rid of the message, and it didn't go away. This time I set it to disabled, and the error went away. That page showed some registry entries. I'm not sure if those are something to delete, or if they are shown just for reference. I downloaded the security hole update for NT4 workstation that they recommended on the top of the page.

It looks like I may have finally found the very root of the problem. I sure hope so anyway.
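The HijackThis logs quoted in this thread are plain text with one fixed line format per section (O4 Run keys and Startup folder, O23 services, O2 browser helper objects, F2 UserInit). As an added example, not part of the original thread and not code from HijackThis or any of the tools mentioned, here is a small Python parser that pulls those autostart entries out of a log and flags the two things this thread ends up caring about: entries whose target file is no longer on disk (like the orphaned BHO cybertech asked to have fixed) and binaries named with three copies of one letter in system32 (the aaa.exe/bbb.exe pattern wagonman76 reported). It also flags a service with no vendor string whose binary lives in system32, which is a heuristic of mine and not something the thread establishes. Note that none of the logs actually posted in this thread contained an autostart entry pointing at one of the triple-letter files, which is why the helpers moved on to scanners; the sample log below is constructed from lines in the thread plus two hypothetical entries (a Run value "Service Host" -> zzz.exe and a service "DHCP Client Helper" -> fff.exe) that are assumptions added to show what such a hit would look like.

```python
"""Parse HijackThis-style autostart entries and flag the ones worth a look.

Added example for this thread; the line formats follow HijackThis v1.99.1
as quoted in the posts above.
"""
import re
from typing import Dict, List

# Constructed sample log: real-format lines taken from the thread plus two
# HYPOTHETICAL entries (zzz.exe Run value, fff.exe service) that the thread's
# own logs did not contain. They are assumptions for illustration only.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Platform: Windows NT 4 SP6 (WinNT 4.00.1381)
F2 - REG:system.ini: UserInit=userinit,nddeagnt.exe
O2 - BHO: (no name) - {00000EF1-0786-4633-87C6-1AA7A44296DA} - (no file)
O4 - HKLM\..\Run: [NAV Agent] D:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: systray.exe.lnk = system32\systray.exe
O4 - HKLM\..\Run: [Service Host] D:\WINNT35\system32\zzz.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - D:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: avast! Mail Scanner - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: DHCP Client Helper (dhcphlp) - Unknown owner - D:\WINNT35\system32\fff.exe
"""

# One regex per HijackThis section format seen in this thread.
RE_O4_RUN = re.compile(r"^O4 - (?P<loc>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
RE_O4_STARTUP = re.compile(r"^O4 - Startup: (?P<name>.+?) = (?P<cmd>.*)$")
RE_O23 = re.compile(
    r"^O23 - Service: (?P<name>.+?)(?: \((?P<short>[^)]*)\))? - (?P<owner>.+?) - (?P<cmd>.*)$"
)
RE_O2 = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<cmd>.*)$")
RE_F2 = re.compile(r"^F2 - REG:system\.ini: UserInit=(?P<cmd>.*)$")

# Last path component of the first .exe/.dll/.ocx mentioned in a command string.
RE_BINARY = re.compile(r'([^\\/"]+\.(?:exe|dll|ocx))', re.IGNORECASE)
# The naming pattern reported in this thread: three copies of one letter plus .exe.
RE_TRIPLE_LETTER = re.compile(r"^([a-z])\1\1\.exe$", re.IGNORECASE)


def basename(cmd: str) -> str:
    """Lower-cased file name of the binary referenced by a command, or '' if none."""
    m = RE_BINARY.search(cmd)
    return m.group(1).lower() if m else ""


def parse_entries(log_text: str) -> List[Dict[str, str]]:
    """Extract autostart entries (O4, O23, O2, F2) from a HijackThis log."""
    entries: List[Dict[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := RE_O4_RUN.match(line):
            entries.append({"kind": "O4", "where": m["loc"], "name": m["name"], "cmd": m["cmd"]})
        elif m := RE_O4_STARTUP.match(line):
            entries.append({"kind": "O4", "where": "Startup folder", "name": m["name"], "cmd": m["cmd"]})
        elif m := RE_O23.match(line):
            entries.append({"kind": "O23", "where": m["owner"], "name": m["name"], "cmd": m["cmd"]})
        elif m := RE_O2.match(line):
            entries.append({"kind": "O2", "where": m["clsid"], "name": m["name"], "cmd": m["cmd"]})
        elif m := RE_F2.match(line):
            # UserInit is a comma-separated list; every component runs at logon.
            for part in m["cmd"].split(","):
                part = part.strip()
                entries.append({"kind": "F2", "where": "UserInit", "name": part, "cmd": part})
    return entries


def flags_for(entry: Dict[str, str]) -> List[str]:
    """Return the reasons (possibly none) an entry deserves attention."""
    flags: List[str] = []
    cmd = entry["cmd"]
    if "(no file)" in cmd or "(file missing)" in cmd:
        flags.append("orphaned: registry points at a file that is not on disk")
    if RE_TRIPLE_LETTER.match(basename(cmd)):
        flags.append("name matches the aaa.exe/bbb.exe pattern from this thread")
    # Heuristic (my assumption, not from the thread): a service with no vendor
    # string that runs out of system32 is worth checking against a known list.
    if entry["kind"] == "O23" and entry["where"] == "Unknown owner" and "system32" in cmd.lower():
        flags.append("service with no vendor string running from system32")
    return flags


def suspicious(log_text: str) -> List[Dict[str, object]]:
    """Parse the log and return only the entries that raised at least one flag."""
    hits: List[Dict[str, object]] = []
    for entry in parse_entries(log_text):
        flags = flags_for(entry)
        if flags:
            hits.append({**entry, "binary": basename(entry["cmd"]), "flags": flags})
    return hits


if __name__ == "__main__":
    for hit in suspicious(SAMPLE_LOG):
        print(f"{hit['kind']:<3} {str(hit['binary']) or '(none)':<14} {hit['name']}")
        for flag in hit["flags"]:
            print("     -", flag)
```

Run against a real log, the two flags grounded in the thread (missing file, triple-letter name) are the ones to act on first; the vendor-string heuristic produces false positives on any legitimate service HijackThis lists as "Unknown owner", so treat it as a prompt to look the service up, not as a verdict.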
 