Malware ?
#1
Posted 12 November 2009 - 04:57 AM
I am posting for the first time here, and hope you can help me with this problem.
I recently noticed a file named XMMCC.exe on my USB drive. It appears to be a hidden file, and only appears after I make hidden files visible from Folder Options -> View. I noticed it first because WinPatrol software warned of a XMMCC.exe added to my startup list. I scanned with AVG, Spybot Search & Destroy, and Malwarebytes Anti-Malware, but they have not found anything. Can anyone tell me what to do with this? I did not find anything on a Google search.
#2
Posted 12 November 2009 - 06:42 AM
Hi appoo and welcome, from what I've been reading, mmcc.exe appears to be the M/soft management console, but I can't be certain.
Check on the above link, and see what you make of it.
Let us know what happens, if you like. Good luck.
I just came upon this site, which may be useful to you, see if it answers your question. http://www.file.net/...ss/mmc.exe.html
Important: Some malware camouflage themselves as mmc.exe, particularly if they are located in c:\windows or c:\windows\system32 folder, so the above link is worth a read.
This post has been edited by istanbul: 12 November 2009 - 07:19 AM
#3
Posted 12 November 2009 - 08:30 AM
istanbul, on 12 November 2009 - 06:42 AM, said:
Hi appoo and welcome, from what I've been reading, mmcc.exe appears to be the M/soft management console, but I can't be certain.
Check on the above link, and see what you make of it.
Hi
thanks for the reply
I checked the links but I think my file may be different - "XMMCC.exe" and not mmc.exe, which is the Microsoft management console. "XMMCC.EXE" has an icon showing a hand/finger pressing a key. I just searched the registry for XMMCC.exe and found xmmcc.exe as the value in the following keys. Don't know what to make of it.
HKEY_USERS\S-1-5-21-790525478-764733703-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{3b3195fc-becb-11de-87b9-0015c5aadbfb}\Shell\AutoRun\command
HKEY_USERS\S-1-5-21-790525478-764733703-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{3b3195fc-becb-11de-87b9-0015c5aadbfb}\Shell\Explore\command
HKEY_USERS\S-1-5-21-790525478-764733703-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{3b3195fc-becb-11de-87b9-0015c5aadbfb}\Shell\opEN\command (keyvalue = XMMCC.exe explorer.exe /idlist,%I,%L)
HKEY_USERS\S-1-5-21-790525478-764733703-839522115-1004\Software\Microsoft\Windows\ShellNoRoam\MUICache (Value name - G:\XMMCC.exe value data - XMMCC)
Also the file is not on my hard drive, but on G:\ (pen drive). I searched my hard drives - no file, but found this
XMMCC.EXE-0C2AC917.pf in C:\Windows\prefetch
This post has been edited by appoo: 12 November 2009 - 08:47 AM
#4
Posted 12 November 2009 - 09:52 AM
appoo, on 12 November 2009 - 04:30 PM, said:
istanbul, on 12 November 2009 - 06:42 AM, said:
Hi appoo and welcome, from what I've been reading, mmcc.exe appears to be the M/soft management console, but I can't be certain.
Check on the above link, and see what you make of it.
Hi
thanks for the reply
I checked the links but I think my file may be different - "XMMCC.exe" and not mmc.exe, which is the Microsoft management console. "XMMCC.EXE" has an icon showing a hand/finger pressing a key. I just searched the registry for XMMCC.exe and found xmmcc.exe as the value in the following keys. Don't know what to make of it.
HKEY_USERS\S-1-5-21-790525478-764733703-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{3b3195fc-becb-11de-87b9-0015c5aadbfb}\Shell\AutoRun\command
HKEY_USERS\S-1-5-21-790525478-764733703-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{3b3195fc-becb-11de-87b9-0015c5aadbfb}\Shell\Explore\command
HKEY_USERS\S-1-5-21-790525478-764733703-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{3b3195fc-becb-11de-87b9-0015c5aadbfb}\Shell\opEN\command (keyvalue = XMMCC.exe explorer.exe /idlist,%I,%L)
HKEY_USERS\S-1-5-21-790525478-764733703-839522115-1004\Software\Microsoft\Windows\ShellNoRoam\MUICache (Value name - G:\XMMCC.exe value data - XMMCC)
Also the file is not on my hard drive, but on G:\ (pen drive). I searched my hard drives - no file, but found this
XMMCC.EXE-0C2AC917.pf in C:\Windows\prefetch
It looks like a legitimate file to me, Appoo. I wouldn't worry about it, however I could be wrong, so stick around and see what other members will say. I'll keep looking to see if I can find something.
#5
Posted 12 November 2009 - 11:30 AM
As a safeguard, I recommend you use the FREE
"Flash Disinfector" developed by antimalware
expert "sUBs". Start with the info at
http://experi3nc3.wo...fector-by-subs/ .
Edit: Just noticed some of the info in your 2nd
post that mentions "autorun" and "MountPoints2";
this indicates a probable Autorun-type
"infection" that the Flash Disinfector program
is geared to fight.
This post has been edited by SpiritWind: 12 November 2009 - 11:50 AM
#6
Posted 12 November 2009 - 12:10 PM
#8
Posted 14 November 2009 - 01:39 AM
istanbul, on 13 November 2009 - 08:06 AM, said:
I also drew a blank with Symantec, have you found anything about the file as yet?
Hi,
No, the file is still there. I tried Flash Disinfector as some of the others have suggested, still no use... I wouldn't have worried too much if not for the WinPatrol warning about Xmmcc.exe in startup (that shouldn't happen with a "normal" system file, surely?). Otherwise it does not seem to affect anything - at least as of now - but what if it turns out to be something nasty? On deleting, it simply disappears for a second and comes back.
#9
Posted 14 November 2009 - 02:49 AM
appoo, on 14 November 2009 - 09:39 AM, said:
istanbul, on 13 November 2009 - 08:06 AM, said:
I also drew a blank with Symantec, have you found anything about the file as yet?
Hi,
No, the file is still there. I tried Flash Disinfector as some of the others have suggested, still no use... I wouldn't have worried too much if not for the WinPatrol warning about Xmmcc.exe in startup (that shouldn't happen with a "normal" system file, surely?). Otherwise it does not seem to affect anything - at least as of now - but what if it turns out to be something nasty? On deleting, it simply disappears for a second and comes back.
At this point I would suggest downloading this scanner, http://www.freedrweb.com/cureit?lng=en , and running a full system scan. It's very thorough and efficient. If it finds anything that should not be on your system, it will stop and ask you whether you want it removed or not.
Regarding WinPatrol, when something downloads on your system, it asks you whether you want to allow that to happen or not, and leaves that decision up to you.
Please open WinPatrol, and click on 'File Types'. Check for the file there; if you do find it, WinPatrol can remove it for you.
You see, if you want the extra layer of insurance against unauthorised downloads, upgrading to WinPatrol PLUS will provide you with lots more info and help in such situations.
The above scanner, by the way, needs no installation. Just download and open the exe.
Do let me know how you go.
#10
Posted 14 November 2009 - 07:07 AM
appoo, on 12 November 2009 - 07:57 AM, said:
I am posting for the first time here, and hope you can help me with this problem.
I recently noticed a file named XMMCC.exe on my USB drive. It appears to be a hidden file, and only appears after I make hidden files visible from Folder Options -> View. I noticed it first because WinPatrol software warned of a XMMCC.exe added to my startup list. I scanned with AVG, Spybot Search & Destroy, and Malwarebytes Anti-Malware, but they have not found anything. Can anyone tell me what to do with this? I did not find anything on a Google search.
I could not find anything with a Google search either.
At this point, my best suggestion would be to install a good firewall software package that will ask which applications to allow to have access to your Internet connection, such as ZoneAlarm. This will at least allow you to see if it is trying to "phone home" somewhere...and if so, block its Internet access if it is some sort of malware.
Is this a USB flash drive? Or a USB external hard drive?
If the former, do you have another USB flash drive? If so, does that same thing happen with that one?
And which version of Windows are you running? I am guessing Vista.
#11
Posted 14 November 2009 - 10:45 AM
Since Flash Disinfector did not work for you, I
recommend you look into trying the recommendations
of "Saraceno" posted Sept 30 at 8:05 AM on the
Wilders Security Forums, specifically at
http://www.wildersse...ad.php?t=254585 .
I am speaking about using the a-squared HiJackFree program
and/or Malwarebytes's FileASSASSIN, the latter being
at http://www.malwareby...ileassassin.php .
#12
Posted 15 November 2009 - 04:39 AM
I think I got rid of XMMCC.exe, so big thanks to everybody. Here is what I did...
Yesterday, on right-clicking the file -> Properties -> Version tab, I found
Version "Haaaaaaaaaaa" and Originalfilename "Harshad.exe". Now I was almost sure this is malware (searched for Harshad.exe but didn't find anything. "Harshad", by the way, is an Indian name...)
Today I found a copy of the file in the C:\Windows directory.
Scanned with Dr. Web antivirus without effect.
Ran a-squared HiJackFree, and initially did not find the process running. Then I noticed the same icon (finger pressing on key) against the process services.exe. The description window was showing unknown or unavailable for most of the file properties (there was another services.exe by Microsoft).
Tried "kill process" in HiJackFree; it came back and could not be deleted after that.
Then downloaded Malwarebytes FileASSASSIN and it finally worked!!! Deleted the file in C:\Windows and on my flash drive.
Just to make sure, I searched for "Harshad" and guess what? - a "Harshad.log" in C:\Windows, with pretty much everything I typed from 12/11/09, including the password to pcworld.com!
On rebooting I found a "windows cannot find XMMCC.exe......." message. So I searched the registry again, and found XMMCC.exe at the following keys
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon (Valuename = Shell Value data = Explorer.exe XMMCC.exe)
HKEY_CURRENT_USER\Software\BillP Studios\Detected\Hidden
HKEY_CURRENT_USER\Software\BillP Studios\Detected\Startup
HKEY_CURRENT_USER\Software\BillP Studios\WinPatrol\Hidden
HKEY_CURRENT_USER\Software\BillP Studios\WinPatrol\Run
I guess the startup message will go if I remove the filename from Shell = Explorer (or is there any other way it should be done?)
Can the entries under the WinPatrol registry keys be safely deleted as well?
Anything else to be deleted or altered? I did the disabling autorun.inf registry tweak as suggested.
Got to see my laptop and office computers now...
#13
Posted 15 November 2009 - 04:44 AM
It had the following
[Autorun]
Shell\opEN\DEfault=1
Open=XMMCC.exe
shell\Open\command=XMMCC.exe explorer.exe /idlist,%I,%L
shell\Explore\command=xmmcc.exe
Shell\Search\command=xmmcc.exe
Deleting it as well..
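Added example (not part of the original posts): a Python sketch that lists the launch entries in the [Autorun] section quoted in post #13 and picks out the extra program in the Winlogon Shell value reported in post #12. The function names are hypothetical and the sample input is reconstructed from the thread.

```python
import ntpath
import re

# Constructed sample: the [Autorun] lines quoted in post #13.
SAMPLE_AUTORUN = r"""[Autorun]
Shell\opEN\DEfault=1
Open=XMMCC.exe
shell\Open\command=XMMCC.exe explorer.exe /idlist,%I,%L
shell\Explore\command=xmmcc.exe
Shell\Search\command=xmmcc.exe
"""

# Keys that make Explorer start a program; key names are case-insensitive,
# which is why mixed-case spellings such as "opEN" still work.
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$", re.I)

def autorun_launch_entries(text):
    """Return (key, program) for each [autorun] entry that starts a program."""
    findings, in_section = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("["):
            in_section = line.lower() == "[autorun]"
            continue
        if not in_section or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if LAUNCH_KEY.match(key) and value:
            first = value.split()[0].strip('"')  # program is the first token
            findings.append((key.lower(), ntpath.basename(first).lower()))
    return findings

def extra_shell_programs(shell_value, expected="explorer.exe"):
    """Return programs in a Winlogon Shell value other than the expected shell."""
    # Assumption: entries are separated by spaces or commas, no quoted paths.
    tokens = [t for t in re.split(r"[,\s]+", shell_value.strip()) if t]
    return [t for t in tokens if ntpath.basename(t).lower() != expected]

if __name__ == "__main__":
    for key, program in autorun_launch_entries(SAMPLE_AUTORUN):
        print(f"autorun.inf: {key} -> {program}")
    # Value data as reported in post #12
    print("Winlogon Shell extras:", extra_shell_programs("Explorer.exe XMMCC.exe"))
```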
#15
Posted 15 November 2009 - 09:44 AM
#16
Posted 15 November 2009 - 11:00 AM
I feel anything related to WinPatrol in your current
"situation" would receive the most knowledgeable
reply by either posting on a WinPatrol Support Forum
at http://forum.securit...hp?showforum=57
OR by sending an email to: support@WinPatrol.com OR
calling 1-866-752-9130. Providing a link to this
thread may be helpful!?
#17
Posted 15 November 2009 - 12:08 PM
appoo, on 15 November 2009 - 12:44 PM, said:
It had the following
[Autorun]
Shell\opEN\DEfault=1
Open=XMMCC.exe
shell\Open\command=XMMCC.exe explorer.exe /idlist,%I,%L
shell\Explore\command=xmmcc.exe
Shell\Search\command=xmmcc.exe
Deleting it as well..
Hi again, you've probably already done this, but since it wasn't mentioned, you might like to check the following just to be sure.
Please open WinPatrol, click on the 'Recent' tab and check that the file is not listed there, as it well may be.
As you know, that page was specifically designed to help clean up recent malware infections. If the file is there, WinPatrol can permanently delete it on reboot. Just right-click and choose this option.
If it's not there, good for you.