My Online Armor reports that the file c:\WINDOWS\system32\chg.exe wants to run. None of my other apps (McAfee, Mamutu and X-Cleaner) is able to pick up on this chg.exe thingy. Looking for it on the disk I can't find it anywhere. Doing a quick search on Google turns up a few results, all related to suspicious activities/malware, but no real info on that specific file. I've blocked the file from running atm. How can I find out more, and how do I delete it etc. when no other tool detects it? Has anyone else here been in contact with this chg.exe file? I tried to look for it on what-is-exe.com without any results.
I think it is a nasty. But to be sure, put it in a password-protected archive and email it to:
newvirus@kaspersky.com
vsample@avertlabs.com
virus@avira.com
samples@superantispyware.com
support@xblock.com
Be sure to include the password and a description of your problem in the email. If you want to take a risk and delete it now, use Pocket Killbox.
thanatos
Good advice, but the OP has stated The odds are that it is either hidden state or hidden from WinAPI, so we need to delve deeper to effect a recovery of the file.
zaxxon, download the following ARK forensic tool (IceSword) from here >>> http://www.majorgeeks.com/Icesword_d5199.html
** Use only as directed, as this is a very powerful tool and if misused can cause severe damage to a PC **
Open (unzip) IceSword. Look to the lower left of the IceSword main GUI for the file option. Use the explorer tree generated by IceSword to get to the System32 folder. Now on the right is a list of files in the system32 folder. Locate chg.exe if present and highlight its line by clicking on it. Next, right click and select *copy to....*. Save it by the file name "Suspect.old" to a holding area. From there you can upload the file (suspect.old) for malware checking (VirusTotal), as it will no longer be hidden: http://www.virustotal.com/
If it gets flagged as malware when it is uploaded, then it is time to use IceSword again. Repeat the original steps as above, but when you highlight the line for chg.exe select *Forced delete* and then reboot immediately. Check again with IceSword to see if the file persists, and if it has been nuked then uninstall IceSword, as its work has been done.
Here is what Ewido found at one time: C:\WINDOWS\Chg.exe -> Hijacker.Spywad.b : Cleaned with backup
http://www.spywareinfoforum.com/lofiversion/index.php/t69535.html
Don't know if it's got anything to do with this, but I get this on launching IceSword. After that it seems to start ok. http://vraavatn.info/pal026.jpg Unfortunately chg.exe is not there. Would unblocking it in OnlineArmor and letting it run next time it wants to help, perhaps? On the theory that it would have to reveal itself?
Yep, unblock it and grant execution when it fires again, but don't grant any further execution parented by chg.exe until we can ascertain whether it is legit or malware code. BTW, I'm not familiar with OA's operations. Does it display parent information, as in which process has launched the file?
Do this:
Windows XP
Click Start. Open My Computer. Select the Tools menu and click Folder Options. Select the View tab. Under the Hidden files and folders heading, select Show hidden files and folders. Uncheck the Hide protected operating system files (recommended) option. Click Yes to confirm. Click OK.
Go to the system32 folder and try locating it again.
thanatos
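The two posts above describe the same triage by hand: make hidden/system files visible, locate the file under system32, copy it out under a neutral name, and hash or upload it for a VirusTotal check. The script below is an added example that does those steps programmatically; it is not from any poster in this thread. It uses only the Python standard library, walks a tree without skipping hidden entries, reports the Windows hidden/system attribute bits (with the dotfile convention as a fallback on other platforms), computes a SHA-256 that can be searched on VirusTotal without uploading anything, and copies the file byte-for-byte to a holding folder. The `demo()` function plants a constructed, harmless sample in a temporary directory so the code runs stand-alone; the sample bytes and the "suspect.old" name are assumptions, not anything recovered from a real machine.

```python
"""Locate a named file (hidden or not), fingerprint it, and copy it out for analysis."""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path

# Windows attribute bits exposed by os.stat().st_file_attributes (Windows only).
FILE_ATTRIBUTE_HIDDEN = 0x2
FILE_ATTRIBUTE_SYSTEM = 0x4

# Constructed sample content used by demo(); deliberately not a real executable.
SAMPLE_BYTES = b"MZ constructed sample, not a real binary\n"


def attribute_flags(path: Path) -> list:
    """Return which 'hidden'/'system' markers a file carries.

    On Windows the real attribute bits are checked; the leading-dot
    convention is also honoured so the check is meaningful elsewhere.
    """
    flags = []
    attrs = getattr(path.stat(), "st_file_attributes", 0)
    if attrs & FILE_ATTRIBUTE_HIDDEN or path.name.startswith("."):
        flags.append("hidden")
    if attrs & FILE_ATTRIBUTE_SYSTEM:
        flags.append("system")
    return flags


def sha256_of(path, chunk: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so large binaries are not read into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def find_file(root, name: str) -> list:
    """Walk root and return a record for every file whose name matches.

    os.walk lists hidden and system entries, so the Explorer 'show hidden
    files' setting does not matter here. Matching is case-insensitive to
    mirror NTFS behaviour.
    """
    target = name.lower()
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn.lower() == target:
                p = Path(dirpath) / fn
                hits.append({
                    "path": str(p),
                    "size": p.stat().st_size,
                    "flags": attribute_flags(p),
                    "sha256": sha256_of(p),
                })
    return hits


def copy_for_analysis(src, dest_dir, new_name: str = "suspect.old") -> str:
    """Copy the file unchanged under a neutral name into a holding folder."""
    dest = Path(dest_dir) / new_name
    with open(src, "rb") as fin, open(dest, "wb") as fout:
        shutil.copyfileobj(fin, fout)
    return str(dest)


def demo() -> dict:
    """Plant a constructed sample in a temp tree and run the whole triage on it."""
    with tempfile.TemporaryDirectory() as tmp:
        sys32 = Path(tmp) / "WINDOWS" / "system32"
        sys32.mkdir(parents=True)
        (sys32 / "chg.exe").write_bytes(SAMPLE_BYTES)      # the file being looked for
        hidden = sys32 / ".hidden.exe"                       # a dotfile, to show flagging
        hidden.write_bytes(b"x")
        hold = Path(tmp) / "hold"
        hold.mkdir()

        hits = find_file(Path(tmp) / "WINDOWS", "CHG.EXE")  # case-insensitive lookup
        copied = copy_for_analysis(hits[0]["path"], hold)
        return {
            "hits": hits,
            "copied_sha256": sha256_of(copied),
            "hidden_flags": attribute_flags(hidden),
        }


if __name__ == "__main__":
    result = demo()
    for hit in result["hits"]:
        print(hit["path"], hit["size"], hit["flags"], hit["sha256"])
    print("copy matches original:", result["hits"][0]["sha256"] == result["copied_sha256"])
```

On a real machine you would call `find_file(r"C:\WINDOWS", "chg.exe")` and paste the SHA-256 into the VirusTotal search box; if the hash is unknown, the copied `suspect.old` is what you upload. Hashing before copying also lets you confirm the copy is byte-identical, which matters if a vendor later asks for the sample.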
Sorry for double posting. See this thread from majorgeeks.com. The OP had the same problem. I suggest you post a HijackThis log there.
thanatos
That's my standard setup. Old school, I like to see stuff. Unblocked it now to "ASK". OA doesn't provide much log info from what I've been able to find out during my test of it. But if it comes up in the open I should be able to see process and window info through X-Cleaner/X-raypc.
If you haven't tried Process Explorer (Task Manager on steroids) yet, I would give it a tilt. When the exe launches, just double click on its line to bring up more info. http://www.microsoft.com/technet/sysinternals/utilities/processexplorer.mspx
thanatos_theos, IceSword sees all those files by default. No need to tweak the *view* settings.
Think I've solved the mystery of the vanishing chg.exe: SoftThinks PCAngel. I got my suspicions after seeing from the logs that the OP over at MajorGeeks also had an HP computer. From what I understand, chg.exe is responsible for launching PCAngel.exe when required. PCAngel is a rollback tool and is a part of the HP Protected Tools suite. Thanks for the link to MajorGeeks, thanatos_theos, it put me on the right track.