chg.exe ??

Discussion in 'malware problems & news' started by zaxxon, Dec 10, 2007.

Thread Status:
Not open for further replies.
  1. zaxxon

    zaxxon Registered Member

    Joined:
    Dec 8, 2007
    Posts:
    15
    Location:
    Norway
    My Online Armor reports that the file c:\WINDOWS\system32\chg.exe wants to run. No other of my apps (McAfee, Mamutu and X-Cleaner) is able to pick up on this chg.exe thingy. Looking for it on the disk I can't find it anywhere. Doing a quick search on google turns up a few results, all related to suspicious activities/malware but no real info on that specific file.

    I've blocked the file from running atm. How can I find out more and how to delete it etc. when no other tool detects it? Have anyone else here been in contact with this chg.exe file? I tried to look for it on what-is-exe.com without any results.
     
    Last edited: Dec 10, 2007
  2. thanatos_theos

    thanatos_theos Registered Member

    Joined:
    Apr 28, 2007
    Posts:
    540
    Last edited: Dec 10, 2007
  3. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    Good advice but the OP has stated
    The odds are that it is either hidden state or hidden from WinAPI.

    So we need to delve deeper to effect a recovery of the file :thumb:

    zaxxon,

    Download the following ARK forensic tool (IceSword) from here:
    http://www.majorgeeks.com/Icesword_d5199.html

    ** Use only as directed, as this is a very powerful tool and if misused can cause severe damage to a PC **

    Open (unzip) IceSword.

    Look to the lower left of the IceSword main GUI for the file option. Use the explorer tree generated by IceSword to get to the System32 folder. On the right is a list of files in the system32 folder. Locate chg.exe if present and highlight its line by clicking on it.

    Next, right-click and select *Copy to...*. Save it under the file name "Suspect.old"
    to a holding area.

    From there you can upload the file (suspect.old) for malware checking (VirusTotal), as it will no longer be hidden ;)
    http://www.virustotal.com/

    If it gets flagged as malware when it is uploaded, then it is time to use IceSword again. Repeat the original steps as above, but when you highlight the line for chg.exe select *Forced delete* and then reboot immediately.

    Check again with IceSword to see if the file persists, and if it has been nuked then uninstall IceSword, as its work has been done :cool:
     
  4. thanatos_theos

    thanatos_theos Registered Member

    Joined:
    Apr 28, 2007
    Posts:
    540
    My bad, I read the post too fast :oops:.

    thanatos
     
  5. controler

    controler Guest

  6. zaxxon

    zaxxon Registered Member

    Joined:
    Dec 8, 2007
    Posts:
    15
    Location:
    Norway
    Don't know if it's got anything to do with this but I get this on launching IceSword. After that it seems to start ok.
    http://vraavatn.info/pal026.jpg

    Unfortunately chg.exe is not there :( Would unblocking it in Online Armor and letting it run the next time it wants to help, perhaps, on the theory that it would have to reveal itself?
     
    Last edited: Dec 10, 2007
  7. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    Yep, unblock it and grant execution when it fires again but don't grant any further execution parented by chg.exe until we can ascertain whether it is legit or malware code.

    BTW, I'm not familiar with OA's operations. Does it display parent information, as in which process launched the file?
     
  8. thanatos_theos

    thanatos_theos Registered Member

    Joined:
    Apr 28, 2007
    Posts:
    540
    Do this:

    Windows XP

    • Click Start.
    • Open My Computer.
    • Select the Tools menu and click Folder Options.
    • Select the View Tab.
    • Under the Hidden files and folders heading select Show hidden files and folders.
    • Uncheck the Hide protected operating system files (recommended) option.
    • Click Yes to confirm.
    • Click OK.

    Go to the system32 folder and try locating it again.

    thanatos
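    An added example, not from this post, fcukdat's post above, or anywhere else in the thread: a PowerShell script that does what the Explorer settings here and the IceSword copy step do by hand. It lists the file even when it carries the Hidden or System attributes, hashes it for a VirusTotal lookup, reads its signature and version resource (which would show a vendor such as SoftThinks/HP), and copies it out under a neutral name. It assumes PowerShell 4 or later (for Get-FileHash) and that the path is the one Online Armor reported; a file that still does not show up with -Force is either gone or hidden below the Win32 API, which is the case that needs an anti-rootkit tool.

```powershell
# Added example (not from the thread). Triage a file that a HIPS alert names but Explorer cannot show.
# Assumes PowerShell 4+ (Get-FileHash) and that $Target is the path from the Online Armor alert.
$Target = 'C:\WINDOWS\system32\chg.exe'

# -Force makes Get-Item return Hidden and System files, the same items the Explorer
# "Show hidden files" and "Hide protected operating system files" settings control.
$item = Get-Item -LiteralPath $Target -Force -ErrorAction SilentlyContinue
if (-not $item) {
    # Not visible even with -Force: the file is gone, or it is hidden below the Win32 API
    # (rootkit-style hooking), which is the case where an ARK tool such as IceSword is needed.
    Write-Output "Not found through the Win32 API: $Target"
    return
}

# Attributes that make Explorer skip the file by default.
Write-Output ("Attributes : {0}" -f $item.Attributes)
Write-Output ("Size/Time  : {0} bytes, modified {1}" -f $item.Length, $item.LastWriteTime)

# Hash it so it can be looked up on VirusTotal without uploading anything first.
$hash = Get-FileHash -LiteralPath $Target -Algorithm SHA256
Write-Output ("SHA256     : {0}" -f $hash.Hash)

# Authenticode signature and version resource: a valid signature from a known vendor
# (the thread's answer was a SoftThinks/HP component) is strong evidence the file is
# legitimate; an unsigned file is merely unresolved, not proof of malware.
$sig = Get-AuthenticodeSignature -FilePath $Target
Write-Output ("Signature  : {0}" -f $sig.Status)
if ($sig.SignerCertificate) {
    Write-Output ("Signer     : {0}" -f $sig.SignerCertificate.Subject)
}
$vi = $item.VersionInfo
Write-Output ("Company    : {0} / {1}" -f $vi.CompanyName, $vi.ProductName)

# Copy it out under a neutral name for submission, mirroring the "Suspect.old" step.
$copy = Join-Path $env:TEMP 'Suspect.old'
Copy-Item -LiteralPath $Target -Destination $copy -Force
Write-Output ("Copied to  : {0}" -f $copy)
```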
     
  9. thanatos_theos

    thanatos_theos Registered Member

    Joined:
    Apr 28, 2007
    Posts:
    540
    Sorry for double posting. See this thread from majorgeeks.com; the OP had the same problem. I suggest you post a HijackThis log there.

    thanatos
     
  10. zaxxon

    zaxxon Registered Member

    Joined:
    Dec 8, 2007
    Posts:
    15
    Location:
    Norway
    That's my standard setup. Old school, I like to see stuff :)

    Unblocked it now to "ASK"
    OA doesn't provide much log info from what I've been able to find out during my test of it. But if it comes up in the open I should be able to see process and window info through X-Cleaner/X-raypc.
     
  11. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
  12. zaxxon

    zaxxon Registered Member

    Joined:
    Dec 8, 2007
    Posts:
    15
    Location:
    Norway
    Think I've solved the mystery of the vanishing chg.exe

    pal027.jpg

    SoftThinks PCAngel

    I got my suspicions after seeing from the logs that the OP over at MajorGeeks also had an HP computer. From what I understand chg.exe is responsible for launching PCAngel.exe when required. PCAngel is a rollback tool and is a part of the HP Protected Tools suite.

    Thanks for the link to MajorGeeks thanatos_theos, put me on the right track :D
     
  13. thanatos_theos

    thanatos_theos Registered Member

    Joined:
    Apr 28, 2007
    Posts:
    540
    Sorry, I am not familiar with IceSword.

    You are welcome.

    thanatos
     