documentx.exe

Discussion in 'malware problems & news' started by Kyria, Nov 25, 2010.

Thread Status:
Not open for further replies.
  1. Kyria

    Kyria Registered Member

    Joined:
    Nov 25, 2010
    Posts:
    22
    Hello everyone,

    After recovering from a virus on my PC and a problem (which I'm not quite sure what the problem exactly was) probably caused by that virus, which I fixed with Testdisk, I found this running under my startup in msconfig: "documentx.exe". After researching it online, all I come across is "document.exe" and that is said to be a worm or so... I also found this old thread in this forum:

    https://www.wilderssecurity.com/showthread.php?t=92300

    of course, being so old, it wouldn't let me reply to that thread, so I'm opening a new one.

    Now my question is, is this "documentx.exe" file actually that virus "document.exe" or no? If not, what is it?
    I checked the registry for the value specified in the old thread I mentioned above and could not find the mentioned entry in my registry.

    Thanks for your help and Happy Thanksgiving!
     
  2. Boyfriend

    Boyfriend Registered Member

    Joined:
    Jun 7, 2010
    Posts:
    1,070
    Location:
    Pakistan
    Hi Kyria!

    Welcome to the forum. document.exe surely seems to be a virus/virus remnant.

    You can scan your system and file with Hitman Pro 3. Report your findings here.
     
  3. vtol

    vtol Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    774
    Location:
    just around the next corner
    it is sort of impossible to make that assessment here in the forum. perhaps upload it to virustotal and see the result from various AV engines.
     
  4. Kyria

    Kyria Registered Member

    Joined:
    Nov 25, 2010
    Posts:
    22
    Thank you! Well it is documentx.exe (note the "x") that's why I was wondering if it IS the virus described as "document.exe"

    I will check out that program you mentioned when I get the chance. Now it is turkey time! Thanks for such a quick answer!

    what is virustotal?

    My anti virus program couldn't find anything. I checked it with Avira, Malwarebytes' Anti-Malware, Avast and Spybot.

    None of these found anything after I removed the viruses my programs detected prior to me finding that file running in msconfig.

    Thank you!

    edit: and upload what exactly?
     
  5. scott1256ca

    scott1256ca Registered Member

    Joined:
    Aug 18, 2009
    Posts:
    144
    google virustotal
    it is a website where you can upload a file and it will scan with multiple engines and tell you how many think it is malware.
     
  6. vtol

    vtol Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    774
    Location:
    just around the next corner
    documentx.exe
     
  7. Kyria

    Kyria Registered Member

    Joined:
    Nov 25, 2010
    Posts:
    22
    good morning.

    I can't find the file itself. I only see it in the startup tab in msconfig!
     
  8. vtol

    vtol Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    774
    Location:
    just around the next corner
    option 1 - it is not present on the machine
    option 2 - it is present but hiding

    what path is set for it in msconfig? is it traceable in the registry?
     
  9. Kyria

    Kyria Registered Member

    Joined:
    Nov 25, 2010
    Posts:
    22
    msconfig location says: software\Microsoft\windows\currentversion\run

    When I open regedit and look at that location, I can not see it there.

    (edit: I can only see it under "startup" tab in msconfig, not under services... and I unchecked it for startup so I'm assuming that's why it doesn't show in the regedit?!)


    Hitman Pro 3 found nothing.
     
  10. scott1256ca

    scott1256ca Registered Member

    Joined:
    Aug 18, 2009
    Posts:
    144
    Sounds like an entry in the registry, but no actual file?

    Just to be clear, I assume from what I have read so far that documentx.exe does NOT show up in the list of processes in taskmgr?

    If that is the case, it sounds like you have a stray entry in the registry but no actual infection. You could try to clean up the registry with ccleaner or a similar product.
     
  11. Kyria

    Kyria Registered Member

    Joined:
    Nov 25, 2010
    Posts:
    22
    correct.

    like I said... I can't find the registry entry for it... at least not where msconfig says it is.

    I'll check out ccleaner, thanks.



    -- Does anyone know the program "fixcleaner"? -- is it a good program or a scam?
     
  12. Kyria

    Kyria Registered Member

    Joined:
    Nov 25, 2010
    Posts:
    22
    ok, I tried ccleaner. I did a registry scan with it and it didn't find anything by the name of "documentx.exe"

    However, it found several other things, I'm now wondering what all this is. Sorry, I'm not very knowledgeable when it comes to this kind of thing, so maybe someone can explain to me what these mean:

    ccleaner has several listings on these:

    Missing Shared DLL
    Unused File Extension
    Invalid Default Icon
    Open with Application Issue
    ActiveX/COM Issue
    Missing TypeLib Reference (that one is only there on one entry)
    Application Paths Issue
    Help File Issue
    Installer Reference Issue
    Uninstaller Reference Issue (that one is only there on one entry)
    Obsolete software key
    Old Start Menu key
     
  13. scott1256ca

    scott1256ca Registered Member

    Joined:
    Aug 18, 2009
    Posts:
    144
    I will let someone more knowledgeable than myself explain what those are.

    I would have thought anything in msconfig would have a related entry in the registry.

    So you find this entry in msconfig, but is it checked to start? Since it doesn't show up in taskmgr and you can't actually find the file, I think you can just assume that documentx.exe is gone and won't cause you trouble. If the entry is checked in msconfig, uncheck it and restart your computer.
     
  14. scott1256ca

    scott1256ca Registered Member

    Joined:
    Aug 18, 2009
    Posts:
    144
    Also, when I use ccleaner, I usually back up the registry, scan the list to see if there is anything I DON'T want to miss, and if not, just remove it all, since I can recover from the backup. I have never had to do that. That does not mean I guarantee you won't have problems.

    If you leave those entries that ccleaner found in the registry and leave msconfig the way it is, you should still be fine. A few extra unused entries in the registry aren't going to cause a slowdown or cause problems that I can think of. Same with any extra entries in msconfig's startup tab that are not actually being started. If they are unchecked, of course they can't start, but in your case, even if it is checked, there doesn't seem to be an executable to start anyway, so you should be fine.
     
  15. vtol

    vtol Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    774
    Location:
    just around the next corner
    the system could get wrecked if you play around. restore points or rollback images could save you a big deal of trouble if anything goes south
     
  16. vtol

    vtol Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    774
    Location:
    just around the next corner
    that is a highly hypothetical assumption, which might be well in this case. however, it would instill a false sense of system sanity as sophisticated malware has no trouble hiding in Windows' built-in task manager or in other on-board tools for that matter
     
  17. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    7,284
    Location:
    England
  18. Kyria

    Kyria Registered Member

    Joined:
    Nov 25, 2010
    Posts:
    22

    it was checked, I had unchecked it before posting here.
     
  19. Kyria

    Kyria Registered Member

    Joined:
    Nov 25, 2010
    Posts:
    22
    well I didn't play around. I only let it scan and when I saw the results and didn't know what they meant, I asked here. So can you explain what they mean?
     
  20. Kyria

    Kyria Registered Member

    Joined:
    Nov 25, 2010
    Posts:
    22

    the link you provided doesn't work for me cuz I'm not signed up on that website I guess. At least that's the message it gave me. However, I know how to turn on and off hidden files and folders to be shown or not. I'm not that unknowledgeable. I just don't know much about registry stuff.

    Well, I didn't think of turning that on when searching for it. However, I just did and it still found nothing...
     
  21. vtol

    vtol Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    774
    Location:
    just around the next corner
    ccleaner help site
     
  22. Kyria

    Kyria Registered Member

    Joined:
    Nov 25, 2010
    Posts:
    22
    that is nice and it explains how to use the program but it doesn't tell me what the issues I listed above mean.
    obviously you don't know it either, otherwise you would have explained it to me instead of giving me a link that gives me no answer to my question...

    thanks anyway...

    might anyone else know?
     
  23. redgrum

    redgrum Registered Member

    Joined:
    Nov 16, 2010
    Posts:
    50
    If these are both installed and running realtime, that might cause you a bit of bother.

    They are just entries that the program finds which it deems safe to remove, they will be different for every system. Most of the time, 'cleaning' the registry isn't really worth it, plus it could brick your pc.

    You can probably delete the startup entry using Ccleaner, rather than just disabling it in MSConfig. Did you do a boot time scan with Avast?
     
  24. stackz

    stackz Registered Member

    Joined:
    Dec 27, 2007
    Posts:
    619
    Location:
    Sydney Australia
    It sounds like typical SpyEye naming convention -

    C:\cleanswepx.exe\cleanswepx.exe
    C:\documentx.exe\documentx.exe

    Run regedit > Ctrl + F to bring up the find dialog
    type in documentx.exe > Find Next

    *msconfig disabled entries should be found in: HKEY_LOCAL_MACHINE\Software\Microsoft\Shared Tools\MSConfig\startupreg
     
    Last edited: Nov 29, 2010
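
The lookup described in the post above, as an added PowerShell example (not part of the thread or any poster's own code): it reads the Run keys and the MSConfig `startupreg` key named in the thread and reports whether each matching entry's executable still exists. `$pattern` and the helper `Get-ExePath` are hypothetical names chosen here; matching on a substring also catches a slightly different spelling of the file name.

```powershell
# Added example: list autostart entries (enabled and msconfig-disabled) whose
# name or command matches a substring, and check whether the file still exists.
$pattern = 'document'   # assumption: substring of the suspicious name

function Get-ExePath([string]$command) {
    # Extract the executable path from a startup command line (quoted or bare).
    if ($command -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($command -match '^\s*(.+?\.exe)\b') { return $Matches[1] }
    return ($command.Trim() -split '\s+')[0]
}

$entries = @()

# Enabled entries: one registry value per program under the Run keys.
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($path in $runKeys) {
    if (-not (Test-Path $path)) { continue }
    $key = Get-Item $path
    foreach ($name in $key.GetValueNames()) {
        $entries += New-Object PSObject -Property @{
            State = 'enabled'; Source = $path; Name = $name
            Command = [string]$key.GetValue($name)
        }
    }
}

# Entries unchecked in msconfig: one subkey per program, holding a 'command' value.
$disabled = 'HKLM:\Software\Microsoft\Shared Tools\MSConfig\startupreg'
if (Test-Path $disabled) {
    foreach ($sub in Get-ChildItem $disabled) {
        $entries += New-Object PSObject -Property @{
            State = 'disabled'; Source = $disabled; Name = $sub.PSChildName
            Command = [string]$sub.GetValue('command')
        }
    }
}

$entries |
    Where-Object { $_.Name -match $pattern -or $_.Command -match $pattern } |
    ForEach-Object {
        $exe = Get-ExePath $_.Command
        $exists = [bool]$exe -and (Test-Path -LiteralPath $exe)
        $_ | Add-Member NoteProperty FileExists $exists -PassThru
    } |
    Format-List State, Source, Name, Command, FileExists
```

The script only reads the registry and changes nothing. `FileExists : False` means the path did not resolve from inside the running system, which is weaker evidence than an offline scan of the disk.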
  25. Kyria

    Kyria Registered Member

    Joined:
    Nov 25, 2010
    Posts:
    22
    Well not quite. I did Avira on one machine and then had a startup problem a couple days later, so I took the HDD and put it in another machine, which had Avast on it and scanned it from there.

    Yea I figured that much... kind of ... so you don't know what it means when it says for example "missing shared DLL" - I mean that's not something to be removed, obviously, something is missing, so how can ccleaner remove it when it's missing?... I'd really just like to know what each individual item means. I'm curious and would like to learn it.

    What do you mean by "brick"?

    No...

    SpyEye naming convention? What does that mean?

    wow, didn't think you could use Ctrl F in Registry, or never really thought of it. Nice.

    but couldn't find it that way so I searched the entry you listed above. And there it was! And then I realized that I was missing an "s". It is actually documentsx.exe

    So now I found it. Should I delete that entry? It has the command, hkey, inimapping, item and key.
     