chg.exe ??

My Online Armor reports that the file c:\WINDOWS\system32\chg.exe wants to run. No other of my apps (McAfee, Mamutu and X-Cleaner) is able to pick up on this chg.exe thingy. Looking for it on the disk I can't find it anywhere. Doing a quick search on google turns up a few results, all related to suspicious activities/malware but no real info on that specific file.

I've blocked the file from running atm. How can I find out more and how to delete it etc. when no other tool detects it? Have anyone else here been in contact with this chg.exe file? I tried to look for it on what-is-exe.com without any results.

 

I think it is a nasty. But to be sure, put it in a password-protected archive and email it to:

newvirus@kaspersky.com
vsample@avertlabs.com
virus@avira.com

samples@superantispyware.com
support@xblock.com

Be sure to include the password and a description of your problem in the email.

If you want to take a risk and delete it now use Pocket Killbox.

thanatos

 

Good advice but the OP has stated

The odds are that it is either hidden state or hidden from WinAPI.

So we need to delve deeper to affect a recovery of the file

zaxxon,

Download the following ARK forensic tool(IceSword)from here>>>
http://www.majorgeeks.com/Icesword_d5199.html

** Use only as directed as this is a very powerful tool and if miss used can cause severe damage to a PC**

Open(Unzip) IceSword

Look to the lower left of IceSword main gui for file option.Use the explorer tree generated by Icesword to get to System32 folder.Now on the right is a list of files in system32 folder.Locate chg.exe if present and highlight its line by clicking on it.

Next right click and select *copy to....* .Save by file name "Suspect.old"
to a holding area.

From there you can upload the file(suspect.old) for malware checking(VirusTotal) as it will be no longer hidden
http://www.virustotal.com/

If it gets flagged as malware when it is uploaded then it is time to use IceSword again.Repeat original steps as above but when you highlight the line for cfg.exe select *Forced delete* and then reboot immediately.

Check again with IceSword to see if the file persists and if it has been nuked then uninstall IceSword as its work has been done

 

My bad, I read the post too fast .

thanatos

 

Here is what Ewido found at one time

C:\WINDOWS\Chg.exe -> Hijacker.Spywad.b : Cleaned with backup

http://www.spywareinfoforum.com/lofiversion/index.php/t69535.html

 

Don't know if it's got anything to do with this but I get this on launching IceSword. After that it seems to start ok.
http://vraavatn.info/pal026.jpg

Unfortunately chg.exe is not there Would unblocking it in OnlineArmor and let it run next time it wants to help perhaps? Out of the theory it would have to reveal itself?

 

Yep, unblock it and grant execution when it fires again but don't grant any further execution parented by chg.exe until we can ascertain whether it is legit or malware code.

BTW I'm not familiar with OA's operations.Dose it display parent information as in which process has launched the file ?

 

Do this:

Windows XP

• Click Start.
• Open My Computer.
• Select the Tools menu and click Folder Options.
• Select the View Tab.
• Under the Hidden files and folders heading select Show hidden files and folders.
• Uncheck the Hide protected operating system files (recommended) option.
• Click Yes to confirm.
• Click OK.

Go to the system32 folder and try locating it again.

thanatos

 

Sorry for double posting. See this thread from majorgeeks.com. The OP had the same problem. I suggest you post a hijackthis log there.

thanatos

 

That's my standard setup. Old school, I like to see stuff

Unblocked it now to "ASK"
OA doesn't provide much log info from what I'm been able to find out during my test of it. But if it comes up in the open I should be able to see process and window info through X-Cleaner/X-raypc

 

If you have'nt tried ProcessExplorer(TaskManager on steroids) yet i would give it a tilt

When the exe launch's jsut double click on its line to bring up more info.
http://www.microsoft.com/technet/sysinternals/utilities/processexplorer.mspx

thanatos_theos,IceSword see's all thoes files by default.No need to tweak the *view* settings

 

Think I've solved the mystery of the vanishing chg.exe



SoftThinks PCAngel

I got my suspicions after seeing from the logs that the OP over at MajorGeeks also had an HP computer. From what I understand chg.exe is responsible for launching PCAngel.exe when required. PCAngel is a rollback tool and is a part of the HP Protected Tools suite.

Thanks for the link to MajorGeeks thanatos_theos, put me on the right track

 

Sorry, I am not familiar with IceSword.

You are welcome.

thanatos