Forum Home
Press F1

Thread ID: 91799	2008-07-19 03:34:00	system process ms_windows.exe	lobos (13984)	Press F1

Post ID	Timestamp	Content	User
690262	2008-07-19 03:34:00	I get this and it is greedy on cpu / memory usage - I queried google and nothing - normally these come up, ie saying if it's a virus or normal system thingy... thanks for any advice! -Adam	lobos (13984)
690263	2008-07-19 16:26:00	there is no normal windows process called "ms_windows.exe" nor is there any normal application that has this process that I know of. Where's it running from? Probably System32 folder? Highly likely it's a virus/malware of some sort	Agent_24 (57)
690264	2008-07-19 23:41:00	Get hijack this (in my sig) - do a scan, and post the log back here. We'll see whats there that shouldn't be. Quite possibly your "ms_windows.exe" is related to "windows.exe" ----------------------- Process name: Trojan.W32.Zotob windows.exe is a process which is registered as a trojan. This Trojan allows attackers to access your computer from remote locations, stealing passwords, Internet banking and personal data. This process is a security risk and should be removed from your system. Note: windows.exe could also be added to the system as a result of W32.Feldor.A WORM. It attempts to spread itself through file-sharing networks and e-mail applications. This process is a security risk and should be removed from your system. If found on your system make sure that you have downloaded the latest update for your antivirus application. --------------------- Description: File windows.exe is located in the folder C:\Windows\System32. Known file sizes on Windows XP are 2123297 bytes (20% of all occurrence), 1337027 bytes, 91136 bytes, 1285334 bytes, 48002 bytes, 137281 bytes, 15312 bytes, 55296 bytes. The program has no file description. The process is loaded during the Windows boot process (see Registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\RunServices, HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run, C:\Windows\win.ini, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\RunOnceEx, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\RunOnce, HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\RunOnce, HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\ open\command, HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\Cur rentVersion\Runonce, HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\Cur rentVersion\Run). windows.exe is not a Windows core file. windows.exe is able to hide itself, monitor applications. Therefore the technical security rating is 65% dangerous. If windows.exe is located in the folder C:\Windows then the security rating is 59% dangerous. File size is 229376 bytes (16% of all occurrence), 258048 bytes, 315392 bytes, 249856 bytes, 27634 bytes, 1789952 bytes. The application has no file description. windows.exe is not a Windows system file. The program is not visible. File windows.exe is an unknown file in the Windows folder. The application starts when Windows starts (see Registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\RunServices, HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run, C:\Windows\win.ini, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\RunOnceEx, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\RunOnce, HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\RunOnce, HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\ open\command, HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\Cur rentVersion\Runonce, HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\Cur rentVersion\Run). windows.exe is able to hide itself, monitor applications, record inputs. If windows.exe is located in a subfolder of C:\ then the security rating is 63% dangerous. File size is 249856 bytes. Program has no file description. The program is not visible. File windows.exe is not a Windows core file. If windows.exe is located in C:\ then the security rating is 72% dangerous. File size is 57344 bytes (33% of all occurrence), 45056 bytes, 33792 bytes. If windows.exe is located in a subfolder of C:\Windows then the security rating is 100% dangerous. File size is 214480 bytes.	bevy121 (117)
690265	2008-07-22 16:48:00	This is the log file from hijack this: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 1:04:20 PM, on 7/22/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16674) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\S24EvMon.exe C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe C:\WINDOWS\system32\ZCfgSvc.exe C:\WINDOWS\system32\1XConfig.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\Program Files\TortoiseSVN\bin\TSVNCache.exe C:\WINDOWS\BCMSMMSG.exe C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe C:\Program Files\Taskix\Taskix32.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\DNA\btdna.exe C:\Program Files\Digital Line Detect\DLG.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\system32\RegSrvc.exe C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe C:\Program Files\Google\Update\GoogleUpdate.exe C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe C:\WINDOWS\system32\wscntfy.exe C:\Program Files\Skype\Phone\Skype.exe C:\Program Files\Skype\Plugin Manager\skypePM.exe C:\wamp2\wampmanager.exe c:\wamp2\bin\apache\apache2.2.8\bin\httpd.exe c:\wamp2\bin\mysql\mysql5.0.51a\bin\mysqld-nt.exe C:\wamp2\bin\apache\apache2.2.8\bin\httpd.exe C:\Program Files\Mozilla Firefox 3\firefox.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\Mozilla Thunderbird\thunderbird.exe C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe C:\Program Files\Adobe\Adobe Dreamweaver CS3\Dreamweaver.exe C:\Program Files\FlashFXP\FlashFXP.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = go.microsoft.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = go.microsoft.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = go.microsoft.com R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = go.microsoft.com R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = *.local O1 - Hosts: 127.255.255.255 serial.alcohol-soft.com O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O2 - BHO: DebugBar BHO - {69FC0024-10EB-480A-BBF2-3BF4E78E17B1} - C:\Program Files\Core Services\DebugBar\DebugInfoBar.dll O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll O2 - BHO: IE Developer Toolbar BHO - {CC7E636D-39AA-49b6-B511-65413DA137A1} - C:\Program Files\Microsoft\Internet Explorer Developer Toolbar\IEDevToolbar.dll O2 - BHO: Google Gears Helper - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - C:\Program Files\Google\Google Gears\Internet Explorer\0.3.24.3\gears.dll O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll O2 - BHO: Ask Toolbar BHO - {F4D76F01-7896-458a-890F-E1F05C46069F} - C:\Program Files\AskPBar\bar\1.bin\ASKPBAR.DLL O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll O3 - Toolbar: Ask Toolbar - {F4D76F09-7896-458a-890F-E1F05C46069F} - C:\Program Files\AskPBar\bar\1.bin\ASKPBAR.DLL O3 - Toolbar: DebugBar - {3E1201F4-1707-409F-BB45-A5F192381DA0} - C:\Program Files\Core Services\DebugBar\DebugToolBar.dll O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet O4 - HKLM\..\Run: [PRONoMgr.exe] c:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" O4 - HKLM\..\Run: [Taskix] C:\Program Files\Taskix\Taskix32.exe start O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized O4 - HKCU\..\Run: [ms_windows] C:\programdata\system\ms_windows.exe O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe" O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe O4 - Global Startup: Digital Line Detect.lnk = ? O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.3.24.3\gears.dll O9 - Extra 'Tools' menuitem: &Google Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.3.24.3\gears.dll O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll O9 - Extra button: IE Developer Toolbar - {48FFE35F-36D9-44bd-A6CC-1D34414EAC0D} - C:\Program Files\Microsoft\Internet Explorer Developer Toolbar\IEDevToolbar.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O17 - HKLM\System\CCS\Services\Tcpip\..\{78FE6CEB-41FC-4D95-8CFF-715EB3B705F1}: NameServer = 200.150.160.36,200.150.160.37 O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762# # (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe O23 - Service: Google Update Service (gupdate1c8b54464326a60) (gupdate1c8b54464326a60) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe O23 - Service: wampapache - Apache Software Foundation - c:\wamp2\bin\apache\apache2.2.8\bin\httpd.exe O23 - Service: wampmysqld - Unknown owner - c:\wamp2\bin\mysql\mysql5.0.51a\bin\mysqld-nt.exe -- End of file - 10943 bytes Thanks for any help you can give	lobos (13984)
690266	2008-07-22 17:08:00	O4 - HKCU\..\Run: [ms_windows] C:\programdata\system\ms_windows.exe there it is - can i delete this?	lobos (13984)
690267	2008-07-22 22:34:00	Yes, and hopefully that will fix your problem - reboot and see if it's gone (it might come back) Before you delete it though, I would suggest uploading the file "ms_windows.exe" to http://www.virustotal.com/ to see if you can find out exactly what it is. That should give you better information on how to get rid of it. O17 - HKLM\System\CCS\Services\Tcpip\..\{78FE6CEB-41FC-4D95-8CFF-715EB3B705F1}: NameServer = 200.150.160.36,200.150.160.37 This also could be dodgy, if those IP addresses are not for your ISP or such	Agent_24 (57)
690268	2008-07-23 05:06:00	These can be ticked as well . Then tick fix checked Close browsers O1 - Hosts: 127 . 255 . 255 . 255 serial . alcohol-soft . com O4 - HKLM\ . . \Run: [PRONoMgr . exe] c:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr . exe O4 - HKLM\ . . \Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8 . 0\Reader\Reader_sl . exe" O4 - HKLM\ . . \Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask . exe" -atboottime O4 - HKLM\ . . \Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1 . 6 . 0_06\bin\jusched . exe" Whats this do? O4 - HKLM\ . . \Run: [Taskix] C:\Program Files\Taskix\Taskix32 . exe start O4 - HKCU\ . . \Run: [Skype] "C:\Program Files\Skype\Phone\Skype . exe" /nosplash /minimized O4 - HKCU\ . . \Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer . exe Then uninstall all versions of Java, yours is out of date . Link is in my sig	Speedy Gonzales (78)
1