Help with unknown exe files...

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by angu, Nov 2, 2004.

  1. angu

    angu Private E-2

    I have just cleaned my pc of all spyware/adaware (I hope) using a mixture of spydoctor/hijack this/spybot/regedit & adaware... running them all separately they each return that I am clean.

    but there are three exe files that have popped up that do not appear on the scans and I don't know if they are malicious or not

    falo.exe, iblo.exe & dkoo.dat

    they have all generated prefetch files

    I have searched the net and can't find an explanation of what they are other than that they may be mirc scripts (whatever that is)

    Can anybody put my mind at rest and tell me what these files are and what they do?
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It is a little difficult to answer that based upon so little information. I don't know what you mean they popped up.

    You should follow ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal
    If you already have any of the programs linked in the tutorial please double check your version to make sure you have the latest one and that you have any/all updates for the programs.

    NOTE: In order to resolve the issues you are having it is very important that you at least try to perform all the steps as outlined. If you have any difficulty please post back letting us know what steps you have completed, what you found while doing the scans if anything and details about any problems you have encountered in completing the steps. The more details you can provide the better.


    After doing ALL of the above steps you should read the tutorial in this Sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

    Now post a HijackThis as a .txt file attachment to your message. All running programs should be closed, including your web browser, e-mail. Close before running Hijack This!

    Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT

    Make sure you have HJT Version 1.98.2 and follow the guideline on where to install it and how to post a log as an attachment.
     
  3. angu

    angu Private E-2

    I have pretty much followed all the steps in the thread indicated. All the spyware/malware scanners identified the various adaware/malware that was present, cleaned them where they could, and where not I went into the registry and deleted the keys they indicated as malicious. They now scan my pc as being clear.

    The only incidents I have are that on the 30/10/04 falo.exe was created in my temporary files and generated a prefetch file, on the 31/10/04 iblo.dat was created in the same fashion, and yesterday, when I came to these forums dkoo.dat popped up... in every case a "pop up" ad was displayed, only it appeared embedded in the page I was looking at rather than a window of its own - refreshing the internet page got rid of it. Ironically it was advertising spyware - saying that there were 'several malicious diallers on my system and that webroot recommends that I click here to try one of several solutions'. Coincidentally I have webroot win washer trial version installed, but that has been on my pc for ages and I haven't had these pop ups before. They do not appear malicious and do not occur often, but I would like to know what they are/what is causing them - even if they are actually adaware/spyware..

    My hijack this log as a text file is attached.

    Any help/advice you can give is much appreciated :)
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Is there a reason why you did not run the Symantec online scan?

    Did you run CCleaner and CWShredder? If not, please run them.

    You did not locate HijackThis in a directory name as requested. You left it under C:\Documents and Settings. Even the following would be better: C:\My Downloads\HijackThis.exe

    You can delete any of the filenames in question from Windows Prefetch it does not hurt anything.
    SpywareBeGone is on a list of rogue/suspect spyware removal tools. I would uninstall it. Hopefully you did not waste any money on it. See this: http://www.spywarewarrior.com/rogue_anti-spyware.htm

    If you cannot uninstall it from Add/Remove programs, do the below to remove it.


    Please bring up Task Manager by hitting CTRL-ALT-DEL and click the Processes tab. Find the below process and End it:
    SpywareBeGone.exe


    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O4 - HKCU\..\Run: [Spyware Begone] C:\spywarebegone\SpywareBeGone.exe -FastScan


    Boot into safe mode and use Windows Explorer to delete:
    C:\spywarebegone

    No reboot in normal mode.

    Then try the below application from Giant:
    http://www.giantcompany.com/p_antispyware.aspx
    on the bottom right is the link to the trial.

    Now tell me how things are working.
     
  5. angu

    angu Private E-2

    Apologies for not getting back straight away, but I read your advice and have been working away at trying to get rid of this problem. I followed your suggestion and got rid of the Spyware Begone (the only one I did actually pay for) then I've done the following...

    Turned off Windows Restore

    Boot up in safe mode

    Norton Antivirus returns no issues

    Adaware returns no issues

    Spybot returns no issues

    Spyware Doctor returns no issues

    Giant Antispyware returns no issues

    Xsoft Spy returns one malicious registry key for the W32 HLLW.Heffer Worm
    "SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NAV Agent"
    (which I believe is a red herring – when I delete this key, Norton Antivirus stops running when the system first starts up.
    When the default settings are reset in Norton and set to start at windows start up this key is reinstalled)

    CW Shredder returns three values
    "C:\WINDOWS\smcfg.exe" (which I ask it to ignore as I think it is my modem driver)
    "CWS.Jksearch"
    "CWS.HiddenDll"
    It claims that these last two items have been removed from my system, but they reappear again every time it is run.

    In normal mode Rav antivirus online scan returns no issues neither does the online Norton scan or the online webroot spysweep.

    But the following is still happening.

    After logging online a randomly named dat file is created in the C:\Documents and Settings\user\Local Settings\Temp folder. Usually four digits long and usually four alphabetical characters (jmfb.dat, hkmd.dat etc).

    This dat file then requests to connect to the internet.

    If I do not let zone alarm give it permission, it just sits there re-asking occasionally until I end the process in the task manager.
    After ending the process, a seemingly random time later another differently named dat file is generated and asks for permission.

    If one is given permission to connect then the ‘layered’ pop ups start appearing, I sometimes get a TIB browser installing itself and sometimes a program called 'c:\Install' downloads, installs and launches a dialler called 14782.exe which is nasty.

    This is driving me crazy... any advice anyone can give as to what else I can do to try and get rid of this...

    My new Hijack This log *in the correct place on my c drive this time*

    Thx...
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    What version of CWShredder do you have?

    Note that XoftSpy is also on that rogue/suspect spyware list.

    Make sure you have enabled viewing of hidden files per the tutorial.
    Run HijackThis and fix the below line:
    O4 - HKLM\..\Run: [cyberfree.exe] C:\DOCUME~1\user\LOCALS~1\Temp\jmfb.dat

    Then boot into safe mode and delete:
    C:\Documents and Settings\user\Local Settings\Temp\jmfb.dat

    Now boot normal mode and tell me if you still have problems
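    The O4 line above is the kind of autorun entry worth spotting early: a Run-key value whose target is a randomly named .dat file inside the user's Temp folder. The following is an added example (not code from the thread or from HijackThis) that parses HijackThis-style O4 lines and flags the traits a reviewer would look for: a target under a temporary directory, a target without an executable extension, and a value name that imitates a filename but does not match the target. The sample lines are constructed for the example; the first reproduces the entry quoted above, the second is a benign-looking placeholder.

```python
import re

# Constructed sample HijackThis "O4" (autorun) lines. The first reproduces the
# entry quoted in the thread; the second is a constructed, benign-looking entry.
SAMPLE_O4_LINES = [
    r"O4 - HKLM\..\Run: [cyberfree.exe] C:\DOCUME~1\user\LOCALS~1\Temp\jmfb.dat",
    r"O4 - HKCU\..\Run: [ExampleUpdater] C:\Program Files\Example\updater.exe /background",
]

O4_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")

# Path fragments that place the target in a temporary directory, including the
# 8.3 short-name form (LOCALS~1\Temp) that HijackThis prints.
TEMP_MARKERS = ("\\temp\\", "\\tmp\\", "\\locals~1\\temp\\", "\\local settings\\temp\\")
EXECUTABLE_EXTS = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif")
# Extensions recognised when splitting an unquoted command into path and arguments.
PATH_RE = re.compile(r"^(.*?\.(?:exe|com|bat|cmd|scr|pif|dll|dat))(?:\s|$)", re.IGNORECASE)


def parse_o4(line):
    """Split an O4 line into hive, value name and command; None if it is not an O4 line."""
    match = O4_RE.match(line.strip())
    return match.groupdict() if match else None


def target_path(cmd):
    """Return the program path from a Run-key command, dropping any arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                      # quoted path: take up to the closing quote
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    match = PATH_RE.match(cmd)                   # unquoted: cut after a known extension
    if match:
        return match.group(1)
    return cmd.split()[0] if cmd else cmd        # fallback: first whitespace-delimited token


def assess_o4(line):
    """Return {'name', 'path', 'reasons'} for an O4 line, or None if it is not one."""
    entry = parse_o4(line)
    if entry is None:
        return None
    path = target_path(entry["cmd"])
    lowered = path.lower()
    reasons = []
    if any(marker in lowered for marker in TEMP_MARKERS):
        reasons.append("autorun target lives in a temporary directory")
    if not lowered.endswith(EXECUTABLE_EXTS):
        reasons.append("autorun target lacks an executable extension (e.g. a .dat file)")
    basename = lowered.rsplit("\\", 1)[-1]
    name = entry["name"].lower()
    if name.endswith(EXECUTABLE_EXTS) and name != basename:
        reasons.append("value name looks like a filename but does not match the target")
    return {"name": entry["name"], "path": path, "reasons": reasons}


def suspicious_o4_entries(lines):
    """Return assessments for every O4 line that triggered at least one reason."""
    results = [assess_o4(line) for line in lines]
    return [r for r in results if r is not None and r["reasons"]]


if __name__ == "__main__":
    for hit in suspicious_o4_entries(SAMPLE_O4_LINES):
        print(f"[{hit['name']}] {hit['path']}")
        for reason in hit["reasons"]:
            print("   -", reason)
```

    Run against the two sample lines, only the Temp-folder .dat entry is reported, with all three reasons; the placeholder updater entry passes. The checks are heuristics for triage, not proof of infection: a legitimate installer can briefly register an autorun from Temp, so each hit still needs the file itself examined.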
     
  7. angu

    angu Private E-2

    Thanks for responding cl,

    I have shredder v2

    and I have gone through the steps you outlined below - new hijack log file attached - hidden files and known extensions are definitely all shown and I doubt that this is going to go away quite so easily, over the past few days I have deleted every temp dat file that has been produced, and all the mess each one leaves behind, but they still keep coming back.

    Another thing they sometimes appear to do is to set up a new folder on my C drive called "spe" with one file in it called start.htm which attempts to reset my homepage, but norton stops it. I end the dat process and delete the entire folder in safe mode.

    Am I looking at a wipe and rebuild here to reclaim my pc or is there anything else I can try?
     

    Attached Files:

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  9. angu

    angu Private E-2

    Right,

    The startchm found no issues.

    booted up in safe mode and ran all the spy searches again and they returned nothing.

    That version of cw shredder removes jksearch but it still shows again the next time cwshredder is run again.

    But following the startchm advice I ran a search on "notepad" and I found the following;

    notepad.exe in c:\windows
    notepad.exe in c:\windows\system32

    and these

    notepad.chm in c:\windows\help
    notepad.hlp in c:\windows\help
    notepad.exe.bak in c:\windows\system32
    notepad.exe in c:\windows\softwaredistribution\download\9ded4ee34a35fced0033d3e152a36eoe

    a notepad shortcut in c:\documents and settings\default user\start menu\programs\accessories
    a notepad shortcut in c:\documents and settings\user\start menu\programs\accessories
    a notepad shortcut in c:\program files\adobe\photoshop 7.0\helpers\jump Tp HTML editor
    and
    a notepad shortcut in c:\windows\system32\config\systemprofile\startmenu\programs\accessories

    is it this bak file and one of the shortcuts in startup that is causing this you reckon?
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Here are my comments on your notepad search:

    notepad.exe in c:\windows\system32 <---- Not Valid, delete it
    notepad.exe.bak in c:\windows\system32 <---- Not Valid, delete it

    The rest are valid.
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please look at your hosts file:

    • c:\Windows\system32\drivers\etc\hosts
    And see if it looks like the below:

    # Copyright (c) 1993-1999 Microsoft Corp.
    #
    # This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
    #
    # This file contains the mappings of IP addresses to host names. Each
    # entry should be kept on an individual line. The IP address should
    # be placed in the first column followed by the corresponding host name.
    # The IP address and the host name should be separated by at least one
    # space.
    #
    # Additionally, comments (such as these) may be inserted on individual
    # lines or following the machine name denoted by a '#' symbol.
    #
    # For example:
    #
    # 102.54.94.97 rhino.acme.com # source server
    # 38.25.63.10 x.acme.com # x client host

    127.0.0.1 localhost
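    A clean hosts file on this version of Windows contains exactly one active mapping, the `127.0.0.1 localhost` line shown above; every other line is a comment. Hijackers edit this file to blackhole security vendors' update sites or to pin search and banking names to an address they control, so the quick check is simply "which active mappings are not the default?". The following is an added example (not code from the thread) that parses a hosts file the way the resolver does, dropping comments and blank lines, and reports every non-default entry with a reason. The clean text is the one quoted above; the tampered version and its `.example` domain names are constructed for the example and stand in for no real site.

```python
# Clean Windows XP hosts file as quoted in the thread (comment block shortened).
CLEAN_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost
"""

# Constructed tampered variant: two extra mappings appended below the default.
# The domain names are placeholders under .example, not real sites.
TAMPERED_HOSTS = CLEAN_HOSTS + """\
127.0.0.1 updates.securityvendor.example   # blackholed: updates can never be fetched
192.0.2.10 www.searchengine.example        # pinned to an arbitrary address
"""

# Mappings that a stock hosts file may legitimately contain.
DEFAULT_ENTRIES = {("127.0.0.1", "localhost"), ("::1", "localhost")}
# Addresses used to make a name unreachable rather than redirect it.
NULL_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text):
    """Yield (line_number, address, hostname) for every active mapping in a hosts file."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments, including trailing ones
        if not line:
            continue
        fields = line.split()
        address, names = fields[0], fields[1:]
        for name in names:                     # one address may list several names
            yield lineno, address, name.lower()


def audit_hosts(text):
    """Return (line_number, address, hostname, reason) for every non-default mapping."""
    findings = []
    for lineno, address, name in parse_hosts(text):
        if (address, name) in DEFAULT_ENTRIES:
            continue
        if address in NULL_ADDRESSES:
            reason = "name blackholed to a loopback/null address"
        else:
            reason = "name pinned to a fixed address, bypassing DNS"
        findings.append((lineno, address, name, reason))
    return findings


if __name__ == "__main__":
    for label, text in (("clean", CLEAN_HOSTS), ("tampered", TAMPERED_HOSTS)):
        findings = audit_hosts(text)
        print(f"{label}: {len(findings)} non-default mapping(s)")
        for lineno, address, name, reason in findings:
            print(f"  line {lineno}: {address} {name}  <- {reason}")
```

    The clean file yields no findings; the tampered one reports both added lines. Blackholing is not automatically malicious, since ad-blocking hosts lists do exactly that on purpose, so the audit reports every non-default entry for a person to judge rather than deciding for them.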
     
  12. angu

    angu Private E-2

    ok so the second notepad file has been deleted

    the hosts file checks out fine

    I have downloaded startup manager and identified the non essential processes and disabled them at startup... but even without any background process running the various dat files still keep on appearing.

    Usually after I have accessed internet explorer. If I have no net connection open they seem not to appear.

    I have set zone alarm to alert me whenever anything tries to access the internet and I get no warnings until the created dat file appears. I have run a search on my pc and asked for any files (including hidden) that have been updated; No files appear to be updated immediately around the dat file being created.

    The spyware scans still return no problems.

    Is it possible that there is nothing on my pc and this is something that is somehow dropping on to my system when I have an internet connection open?

    *pulling my hair out now*
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Last edited: Nov 29, 2004
  14. angu

    angu Private E-2

    Well I figured that since this problem was only occurring when I opened up IE and not just when starting up and staying disconnected, and that nothing seemed to be asking for permission from zonealarm, that whatever this malware was it was somehow connected with explorer.

    So, despite all the scans saying they were harmless, I deleted all downloaded activex programs, which can be replaced, ran all the scans again, just to make sure there was nothing evil on my pc at that exact moment, backed up, and installed service pack 2 - something I'd been putting off until my system was totally clean... and *touch wood* the dat files do not seem to be getting created anymore, and everything is running much quicker - although this might be psychological.

    So not sure if it was a dodgy program piggy backing on the back of explorer, or a system file that got corrupted but then subsequently overwritten when sp2 was installed, but the main thing is I appear to have my pc back.

    This is just to say cheers, cl, you are a scholar and a gentleman, and I appreciate the time and help - I now have a system that is apparently clean and has enough kit installed on it to keep this sort of stuff off my pc from now on (hopefully).

    I just hope it really has gone now. Some unknown program sitting on your pc and running stuff without your consent makes you feel like you've been burgled, dramatic but true.

    Anyway. Thanks.

    *salutes*
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. I'm happy to hear it all worked out.
     
