Unknown files

Guest

I use Win Patrol as part of the programs I use to protect my computer along
with AVG and AdAware.
Frequently Win Patrol tells me that the file "dmhox.exe" is trying to be
added to my Windows startup. I tell it no. There are several other of these
exe files which are also trying to do the same thing.
My question: Where can I go to find if these (or any other) files/folders
are really Windows files or spyware? There are four of these files, and they
are located in Sys 32.
I have Win XP Home.
Bob
 
MAP

choppbobby said:
I use Win Patrol as part of the programs I use to protect my computer
along with AVG and AdAware.
Frequently Win Patrol tells me that the file "dmhox.exe" is trying
to be added to my Windows startup. I tell it no. There are several
other of these exe files which are also trying to do the same thing.
My question: Where can I go to find if these (or any other)
files/folders are really Windows files or spyware? There are four of
these files, and they are located in Sys 32.
I have Win XP Home.
Bob

Hi Bob, I suspect that you have some parasite that Ad-Aware is missing, are
you using the latest version?
Use Spybot as well.

Spybot S&D - http://www.safer-networking.org/en/index.html
Ad-Aware SE - http://majorgeeks.com/Ad-Aware_SE_Personal_d506.html
SpywareBlaster - http://www.javacoolsoftware.com/spywareblaster.html
 
Patrick Keenan

choppbobby said:
I use Win Patrol as part of the programs I use to protect my computer
along with AVG and AdAware.
Frequently Win Patrol tells me that the file "dmhox.exe" is trying to be
added to my Windows startup. I tell it no. There are several other of these
exe files which are also trying to do the same thing.
My question: Where can I go to find if these (or any other) files/folders
are really Windows files or spyware? There are four of these files, and they
are located in Sys 32.
I have Win XP Home.
Bob

Do a Google search on the file names. If you don't find them, chances are
good they are malware; a lot of times filenames are randomly generated.
Very few non-malware programs will add themselves to the startup entries
without you explicitly launching an install process.

Also - locate the file itself, and choose Properties. Look on the extended
properties to see who published the files. Most manufacturers add this
information, and if it's not there and you can't find references, things
don't look good.

So, I expect that you have a malware infestation. Restart in Safe Mode,
and rename those files to .bad from .exe. However, something else is
running that's trying to load them. Try Hijack This and Spybot to detect
and remove. Finally, get ccleaner.exe from www.ccleaner.com to clean out
the temporary files and temporary internet files folders, which is where a
lot of spyware launches itself from.

HTH
-pk
 
johnf

Do a Google search on the file names. If you don't find them, chances
are good they are malware; a lot of times filenames are randomly
generated. Very few non-malware programs will add themselves to the
startup entries without you explicitly launching an install process.

Also - locate the file itself, and choose Properties. Look on the
extended properties to see who published the files. Most
manufacturers add this information, and if it's not there and you can't
find references, things don't look good.

So, I expect that you have a malware infestation. Restart in Safe
Mode, and rename those files to .bad from .exe. However, something
else is running that's trying to load them. Try Hijack This and
Spybot to detect and remove. Finally, get ccleaner.exe from
www.ccleaner.com to clean out the temporary files and temporary
internet files folders, which is where a lot of spyware launches itself
from.
HTH
-pk
Sorry to butt in, but out of curiosity I did a complete Google search with
no results which is unusual.
Is it possible that "dmhox.exe" is a typo?
It would be interesting to see what the properties are.
 
pcbutts1

Download, install, update and run all of the following.

Ad-Aware
http://www.lavasoftusa.com/software/adaware/

Spybot search and destroy
http://www.safer-networking.org/en/download/

Microsoft Windows AntiSpyware (Beta1)
http://www.microsoft.com/downloads/...A2-6A57-4C57-A8BD-DBF62EDA9671&displaylang=en

If none of the above fixes the issue then download Hijack this, run it, save
a copy of the log file and cut and paste it back here to the group so that
it can be analyzed.

HijackThis
http://www.spywareinfo.com/~merijn/downloads.html

--


The best live web video on the internet http://www.seedsv.com/webdemo.htm
NEW Embedded system W/Linux. We now sell DVR cards.
See it all at http://www.seedsv.com/products.htm
Sharpvision simply the best http://www.seedsv.com
 
Patrick Keenan

johnf said:
Sorry to butt in,

Not at all.
but out of curiosity I did a complete Google search with no results which
is unusual.

It's actually not unusual, since many times malware filenames are generated
locally and are semi-random. Sometimes the sole result is the post that
names the file, asking for information.
Is it possible that "dmhox.exe" is a typo?

Quite likely *not* a typo.

I doubt that it is a legitimate file, and further, it's probably being
generated and named by something else that the OP hasn't detected. The OP
mentions that there are four files trying to get themselves into the startup
references - an examination may well reveal that they are four
differently-named copies of the same file.

Closer examination may reveal that another so-far undetected program is
creating these and trying to make the startup references.

I've also been finding that these files sometimes take the System and Hidden
attributes, so they are harder to find and delete.
It would be interesting to see what the properties are.

Often the properties lists are very short, which is an indication of
malware. Not an infallible indication, but a clue.

-pk
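
Two of the checks suggested in the reply above (whether differently named files are copies of one file, and whether they carry the System and Hidden attributes) can be scripted. This is an added example, not part of the original thread; the file contents in `demo()` are constructed, and only the names dmfao.exe and dmraf.exe come from the thread.

```python
import hashlib
import os
import tempfile
from collections import defaultdict

HIDDEN, SYSTEM = 0x2, 0x4  # Windows bits in os.stat().st_file_attributes

def sha256_of(path, chunk=1 << 16):
    """Hash a file in chunks so large binaries are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def hidden_system(path):
    """True if the file has both Hidden and System set (always False off Windows)."""
    attrs = getattr(os.stat(path), "st_file_attributes", 0)
    return (attrs & (HIDDEN | SYSTEM)) == (HIDDEN | SYSTEM)

def find_copies(directory, suffix=".exe"):
    """Map content hash -> sorted names, keeping only content seen under 2+ names."""
    groups = defaultdict(list)
    for entry in os.scandir(directory):  # scandir also returns hidden/system files
        if entry.is_file(follow_symlinks=False) and entry.name.lower().endswith(suffix):
            groups[sha256_of(entry.path)].append(entry.name)
    return {h: sorted(n) for h, n in groups.items() if len(n) > 1}

def report(directory):
    """One line per group of identical files, marking hidden+system members."""
    lines = []
    for digest, names in sorted(find_copies(directory).items()):
        shown = [n + (" [hidden+system]" if hidden_system(os.path.join(directory, n)) else "")
                 for n in names]
        lines.append(digest[:16] + "  " + ", ".join(shown))
    return lines

def demo():
    """Constructed sample: two thread file names with identical bytes, one unrelated."""
    files = {"dmfao.exe": b"MZ constructed A", "dmraf.exe": b"MZ constructed A",
             "other.exe": b"MZ constructed B"}
    with tempfile.TemporaryDirectory() as d:
        for name, data in files.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        return report(d)

if __name__ == "__main__":
    print("\n".join(demo()))
```

On a real system, `report()` would be pointed at the folder holding the suspect files; identical hashes under different names support the "same file, several names" reading, while different hashes do not rule out related files.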
 
Guest

Thanks to all of you who answered my post.
Here's some additional info.:
A list of files which have tried to become active in my start up:
dmbtx.exe-OA179715.pf Location: C:\Windows\Prefetch
dmhde.exe-0836AO16.pf : Same as above.
dminiq.exe
 
Guest

Thanks to all who have answered my post.
Here is a list of files which have tried to become active in my Auto
startup:
dmbtx.exe
dmhde.exe
dminiq.exe (no longer found with "search").
dmhox.exe (no longer found with "search").
dmfao.exe
dmraf.exe (The one currently trying to access my computer. Yesterday it
was dmfao.exe.)
The first two are located in C:\Windows\Prefetch.
The last two are located in C:\Windows\System 32.
I'll install Spy Bot and see if it catches what ever is trying to load
these programs.
Bob
 
Guest

Sorry about the double entry. I fumble fingered my key board.
If I can figure out how to attach a jpg here I'll show you the properties
for the dmraf.exe file. The rest are similar.
Bob
Guess I won't do that. Can't figure how to send an attachment.
 
johnf

Thanks to all who have answered my post.
Here is a list of files which have tried to become active in my Auto
startup:
dmbtx.exe
dmhde.exe
dminiq.exe (no longer found with "search").
dmhox.exe (no longer found with "search").
dmfao.exe
dmraf.exe (The one currently trying to access my computer. Yesterday it
was dmfao.exe.)
The first two are located in C:\Windows\Prefetch.
The last two are located in C:\Windows\System 32.
I'll install Spy Bot and see if it catches what ever is trying to load
these programs.

Very wise move.
 
Guest

I have been away for a while, but my problem is still with me.
I am unable to paste the log file into here. The "paste" is not highlighted
when I copy the file and open this post.
Please advise.
Thank you,
Bob
 
Guest

Logfile of HijackThis v1.99.1
Scan saved at 6:44:04 PM, on 7/22/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Documents and Settings\Robert Burns\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O1 - Hosts: localhost 127.0.0.1
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [updatelavasoft] C:\WINDOWS\System32\updatelavasoft.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540004} - http://freepcscan.com/spyware/Install.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/295139aa86897b6b0900/netzip/RdxIE601.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{30A49DE7-F5A0-40D6-812E-D48ACC1C86E4}: NameServer = 69.50.184.86,85.255.112.9
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
 
BillP Studios

Many times malicious programs will come in pairs or groups that protect
each other to prevent you from removing them. It looks like that's what
you're experiencing.

WinPatrol can help by killing multiple tasks in a single step. You
will want to find all the suspicious tasks on the Active Tasks list and
use the Kill Task feature to shut down each one before removing the
suspicious entry from the Startup Programs list.

Close down all the applications that you know about.
Click the Active Tasks tab to check what programs are still listed.
Hold down the CTRL key to select the filenames you mentioned as being
suspicious
Click on the Kill Task button.
WinPatrol will allow you to kill them all at once.

Once the programs are no longer active you should be able to remove
them from the Startup Programs list and also from the list of IE
Helpers. Once everything is successfully removed you can reboot.

"Delete File on Reboot"
If after trying to remove a suspicious or dangerous program you find it
still will not go away, right-click on the title of the program and
select "Delete File on Reboot." This action will not take place until
the next time you boot, but the file will be deleted before Windows
starts and any other programs that may attempt to prevent its deletion.
This process can not be reversed.

Good Luck,
Bill Pytlovany
BillP Studios
 
Guest

The Active Tasks list does not show me anything suspicious.
I have been trying to copy and paste the list here, but nothing works to
do so.
Thanks for your reply.
Bob
 
Guest

Nothing in Win Patrol is helping me here.
I'm beginning to think that Win Patrol is the cause of my problem.
bob
 
