PSEXESVC.EXE registry deletion failed

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by threeonefour, Dec 23, 2008.

  1. threeonefour

    threeonefour Private E-2

    Unfortunately, because this is my boss's computer and not my own, I can't give you much information about the behavior that may have triggered these problems. The computer did not have any sort of anti-virus/spyware software whatsoever - for how long I don't know (it does now though). Looking at the creation date of several malware items, it appears there was a lot of activity on the 10 & 11 Dec.

    My boss was also not terribly clear about what exact problems he was encountering, but I'm told that every time he went to Google, he would be redirected and otherwise, a number of error notifications came up - none of which got written down. I barely let the computer touch the internet once I got it, so I didn't witness any of this behavior firsthand.

    I was unable to complete Run & Read Me step 2 (enable viewing of hidden files, system files and file extensions) because some malware was preventing me from seeing Folder Options in both the Tools drop down menu and Control Panel (or accessing the registry editor). However, after running the Spybot S&D scan, I was able to see Folder Options and make files viewable. I also initially was unable to install Super AntiSpyware; I was given a generic Windows error telling me that the file could not be run - nothing to do with the System Admin disabling privileges. Sorry, I actually forget exactly how I fixed this, but I followed some advice from a thread on this forum that involved going to the Device Manager and disabling a certain virtual device.

    After going through this whole process, everything is running a lot better and all of the malware I saw before is gone. I also installed Avast, Spyware Terminator (only in anti-spyware mode, not antivirus), and AdAware (free versions). Scanning with Avast found nothing and AdAware found 1 MRU object which it successfully deleted. Spyware Terminator found a couple tracking cookies and 2 more items that concern me.

    On the Full Scan it found:

    Sensis Toolbar (Remaining items of toolbar)
    Registry HKCR\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}
    (registry key deletion failed)

    APPL/PsExec.E (Unclassified Threat)
    File C:\WINDOWS/PSEXESVC.EXE

    On the Fast Scan following the Full Scan and restart it found again:

    Sensis Toolbar (Remaining items of toolbar)
    Registry HKCR\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}
    (registry key deletion failed)

    I can post these scan reports if needed.

    I realize these logs seem a little old but I haven't had time to post them until now. The computer has also been off (99% of the time) and not connected to the internet since then. Obviously I can run scans again if need be.

    Thank you in advance!
     

    Attached Files:

  2. threeonefour

    threeonefour Private E-2

    final log upload

    MGlogs.zip
     

    Attached Files:

  3. threeonefour

    threeonefour Private E-2

    Sorry, I forgot to change the thread title to something more comprehensible. I realize (or at least I think) they're separate issues.
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    You're in pretty good shape now, but I have a couple of things for you to do.

    Note PSEXESVC.EXE is not malware. It is a program from SysInternals which is actually part of Microsoft now. However it can be used for malicious purposes like many programs. It is also used for good reason and to help remove malware which is how ComboFix and other programs use it.

    I recommend that you uninstall the ineffective Ad-Aware and keep the much much better SUPERAntiSpyware and Malwarebytes for on demand scanning. And while on the subject of SUPERAntiSpyware I recommend that you do the below to get an improved updated version.

    Important Notice: A new version of SUPERAntiSpyware is out that should help with this problem from Vundo.
    • Please uninstall your current version (this is necessary).
    • Then download this SUPERAntiSpyware
    • Install this new version. It may tell you that you need to reboot to complete the installation. You must reboot at this time.
    • After the reboot, run SUPERAntiSpyware and immediately click the Check for Updates button to get more updates for the database.
    • Now run a new full scan of your system. And attach this first log later just to make sure it installed properly and all is clean.
    You should also update Malwarebytes to the current definitions by running it and using the Updates tab.

    Now delete the below file:
    c:\windows\20081203051514-downloader_silent.exe

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /u
        • Note: the space between combofix" and /u must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
      • Delete the C:\combofix folder from combofix (if it exists)
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    5. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    6. Go to add/remove programs and uninstall HijackThis.
    7. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    8. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Windows version and see the steps to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work through the below link:
     
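chaslang's point that PSEXESVC.EXE is the Sysinternals PsExec service binary, not malware in itself, raises the practical question of how to tell a benign leftover from one that was used against the machine. The PowerShell below is an added example, not part of the thread or of PsExec itself: it checks the file's Authenticode signature and hash, whether the PSEXESVC service is still registered, and when the Service Control Manager logged its installation. The path C:\WINDOWS\PSEXESVC.EXE and the service name PSEXESVC are the ones PsExec uses on its target; the 10 and 11 Dec window is taken from the first post.

```powershell
# Added example (not from the thread): triage an on-disk PSEXESVC.EXE.
# Read-only. Run as Administrator so the System log and service config are readable.

$svcExe = 'C:\WINDOWS\PSEXESVC.EXE'

# 1. Authenticode: the genuine service binary is signed by Microsoft/Sysinternals.
#    Very old PsExec builds shipped unsigned, so "NotSigned" alone is not proof
#    of tampering, but on a current system it is worth a second look.
$sig = Get-AuthenticodeSignature -FilePath $svcExe
'{0}: {1} / {2}' -f $svcExe, $sig.Status, $sig.SignerCertificate.Subject

# 2. SHA-256 for comparison with the service binary embedded in a known-good
#    PsExec.exe of the same version (or with a vendor hash database).
(Get-FileHash -Path $svcExe -Algorithm SHA256).Hash

# 3. Is the PSEXESVC service still registered? PsExec removes it when the
#    remote session ends; a lingering entry means an interrupted run or a
#    copy someone left behind deliberately.
Get-Service -Name PSEXESVC -ErrorAction SilentlyContinue
Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\PSEXESVC' -ErrorAction SilentlyContinue |
    Select-Object ImagePath, Start, ObjectName

# 4. Service installation events. On Vista and later the Service Control
#    Manager logs event 7045 ("A service was installed") in the System log;
#    on Windows XP there is no 7045, so look for 7035/7036 naming PSEXESVC.
#    The timestamps answer "when was PsExec run against this box"; compare
#    them with the 10-11 Dec activity window from the first post.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045, 7035, 7036 } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'PSEXESVC' } |
    Select-Object TimeCreated, Id, @{ n = 'Detail'; e = { ($_.Message -split "`n")[0..2] -join ' ' } } |
    Format-Table -AutoSize

# 5. PsExec's control pipe exists only while a session is active; if this
#    returns anything, someone is using PsExec against the machine right now.
Get-ChildItem -Path '\\.\pipe\' | Where-Object { $_.Name -like 'PSEXESVC*' }
```

The file by itself tells you only that PsExec was run against this host at some point; that is exactly what a cleanup tool like ComboFix does, and also exactly what an attacker with the local Administrator password does. What separates the two is the 7045 timestamp and the account in the event (step 4) set against what the owner was actually doing at that time, which is why the date correlation matters more than the scanner verdict.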
  5. threeonefour

    threeonefour Private E-2

    Well, it looks like I got infected again in the brief time I connected the computer to the internet to download/update Antivirus stuff. Aside from the items found in the SAS log, I found several malware items created late on 12/17 in C:\WINDOWS - SWXCACLS.exe, VFIND.EXE, fdsv.exe, among others. I'm guessing this has something to do with that silent downloader you had me delete.

    I actually already deleted ComboFix and MGtools.exe after I first finished everything and thought I was clean, but let me know if I need to go through everything again. System Restore has also been off since before I started anything and I don't plan on turning it on again.

    Thanks for your help!
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    These are not malware. They are from running ComboFix or similar malware removal programs.

    Since the updated SUPERAntiSpyware did find and remove a few things, I just suggest that you run it and first update it again and then run a new scan and attach a new log so we can see if anything is being found. Also do the same with Malwarebytes.
     
  7. threeonefour

    threeonefour Private E-2

    Well that's excellent! I guess I should have figured that out since that was when I was installing ComboFix (apparently the first page of Google can be fallible). I updated SAS and Malwarebytes and ran scans which came up totally clean, as you can see. Thank you so much for all your help!! Let me know if there's anything else I should do - otherwise have a happy and malware-free New Year!
     

    Attached Files:

  8. threeonefour

    threeonefour Private E-2

    A new Spyware Terminator full scan also turned up nothing, for what it's worth.

    Thanks again!
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.
    Yes, because they already removed the files from ComboFix that were false positives. If you install and run ComboFix again at some point in time, you will have the same issues. In fact, some of the tools in the MGtools folder may also get incorrectly detected (like process.exe, swreg.exe, swwhoami.exe, vfind.exe, & zip.exe). Some people who create malware software need to get out into the real world and forums like this more frequently so they learn what real malware is. ;)

    Surf safely.
     
