Not for the faint at heart....AUX.TXZ in system32, popups

Discussion in 'other security issues & news' started by Reallytangy, Oct 5, 2003.

Thread Status:
Not open for further replies.
  1. Reallytangy

    Reallytangy Registered Member

    Joined:
    Oct 5, 2003
    Posts:
    4
    Guys any help would be GREATLY appreciated, I have been working on a system for several hours (used adaware, spybot, BHOdemon, hijackthis, CWShredder, Spywareblaster, NAV2k4, Sophos AV,) reinstalled SP1a for XP Pro, IE6 and OE, SFC etc. etc......but it's still not clean (still getting porn popups)....unfortunately reinstalling (over XP or using another folder... i.e. winxp) is not an option.

    I just finished running Sophos with the CLI in safe mode, and I noticed it choked on AUX.TXZ....checked the net and found nothing (other than somebody asking what it was and a foreign language page).

    As I said before, any ideas on where else to look or what tools to use can't even be expressed in words!!

    Thanks in Advance,

    Mike


    PS Of course AUX.TXZ can't be deleted even in safe mode; it's 0 bytes and has no file information (not a problem, I have tools like Admin Pack from Winternals). I would simply like to crosscheck and delete the source and not overlook something.

    PSS Foreign language page http://forum.mks.com.pl/forum/viewthread.p...id=4080#pid4080
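The undeletable 0-byte AUX.TXZ is the reserved-device-name trick: AUX, CON, NUL, PRN, COM1-9 and LPT1-9 are DOS device names, and Win32 treats "AUX" with any extension the same way, so a normal delete fails even in safe mode. As an added example that is not from this thread or any of the tools named in it, the Python below flags such names in a directory listing and builds the `\\?\` form of the path, which skips the device-name parsing so the file can be removed; the sample listing is constructed.

```python
"""Flag files whose base name is a reserved Win32 device name and build the
\\?\ path that lets them be deleted.

Assumption (not from the thread): the \\?\ prefix hands the path to the NT
namespace without the DOS device-name check, so AUX.TXZ becomes deletable.
"""
import os
import re

RESERVED_NAMES = ({"CON", "PRN", "AUX", "NUL"}
                  | {f"COM{i}" for i in range(1, 10)}
                  | {f"LPT{i}" for i in range(1, 10)})


def is_reserved_device_name(path: str) -> bool:
    """True if Win32 would treat the file's base name as a DOS device.
    Any extension still counts (AUX.TXZ is AUX); the match is case-insensitive."""
    base = path.replace("/", "\\").rsplit("\\", 1)[-1]
    stem = base.split(".", 1)[0].rstrip(" ")
    return stem.upper() in RESERVED_NAMES


def extended_path(win_path: str) -> str:
    """Prefix an absolute drive path with \\?\ so device-name parsing is skipped."""
    if win_path.startswith("\\\\?\\"):
        return win_path
    if not re.match(r"^[A-Za-z]:\\", win_path):
        raise ValueError("need an absolute drive path, e.g. C:\\WINNT\\system32\\AUX.TXZ")
    return "\\\\?\\" + win_path


def find_reserved(paths):
    """Return the entries of a listing that hide behind reserved device names."""
    return [p for p in paths if is_reserved_device_name(p)]


def remove_reserved_file(win_path: str) -> None:
    """Delete via the \\?\ form; only meaningful on a Windows host."""
    os.remove(extended_path(win_path))


# Constructed sample listing modelled on the system32 directory in the thread.
SAMPLE_LISTING = [
    r"C:\WINNT\system32\AUX.TXZ",
    r"C:\WINNT\system32\svchost.exe",
    r"C:\WINNT\system32\con.dat",
    r"C:\WINNT\system32\com1",
    r"C:\WINNT\system32\comment.txt",
]

if __name__ == "__main__":
    for p in find_reserved(SAMPLE_LISTING):
        print(f"reserved device name: {p} -> delete via {extended_path(p)}")
```

Running `find_reserved` over a real `os.listdir` of system32 is the same check; `comment.txt` shows that only the exact stem matters, not a prefix.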
     
  2. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,875
    Location:
    New England
    Well, you could post a HijackThis log here... Perhaps it will help to identify something that the tools you've run can't identify.

     
  3. Reallytangy

    Reallytangy Registered Member

    Joined:
    Oct 5, 2003
    Posts:
    4
    Thank you for replying here is a log file from HJT...FYI copy and paste from another forum....Thanks Again

    Did some research and followed the thread and links but there was no sign of the exploit...FYI I DL the patches this morning (KB828750)

    Here is the new log, I apologize for the delay, being proactive....

    file of HijackThis v1.97.3
    Scan saved at 6:45:16 PM, on 10/5/2003
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    C:\PROGRA~1\Iomega\System32\ActivityDisk.exe
    C:\Program Files\Sophos\SWNETSUP.EXE
    C:\Program Files\Sophos\SWEEPSRV.SYS
    C:\WINNT\System32\xl.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Sophos\ICMON.EXE
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
    C:\WINNT\System32\ctfmon.exe
    C:\WINNT\REGEDIT.exe
    C:\Documents and Settings\Decher\Desktop\HijackThis.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    O4 - Global Startup: InterCheck Monitor.LNK = C:\Program Files\Sophos\ICMON.EXE
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37898.980775463
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = MY DOMAIN
    O17 - HKLM\Software\..\Telephony: DomainName = MY DOMAIN
    O17 - HKLM\System\CCS\Services\Tcpip\..\{18B58F74-388C-41AF-AB9E-FAC6D18C0E68}: NameServer = MY DNS
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = MY DOMAIN
     
  4. Reallytangy

    Reallytangy Registered Member

    Joined:
    Oct 5, 2003
    Posts:
    4
    Here is a log from DiamondCS ASV 1.4

    DiamondCS Autostart Viewer (www.diamondcs.com.au) - Report for decher@JDECHER, 10-05-2003
    c:\winnt\system32\autoexec.nt
    C:\WINNT\system32\mscdexnt.exe
    C:\WINNT\system32\redir.exe
    C:\WINNT\system32\dosx.exe
    C:\WINNT\system32\nw16.exe
    C:\WINNT\system32\vwipxspx.exe
    c:\winnt\system32\config.nt
    C:\WINNT\system32\himem.sys
    c:\winnt\system.ini [drivers]
    timer=timer.drv
    c:\winnt\system.ini [boot]\shell
    C:\WINNT\explorer.exe
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
    C:\WINNT\explorer.exe
    HKCR\vbsfile\shell\open\command\
    C:\WINNT\System32\WScript.exe "%1" %*
    HKCR\vbefile\shell\open\command\
    C:\WINNT\System32\WScript.exe "%1" %*
    HKCR\jsfile\shell\open\command\
    C:\WINNT\System32\WScript.exe "%1" %*
    HKCR\jsefile\shell\open\command\
    C:\WINNT\System32\WScript.exe "%1" %*
    HKCR\wshfile\shell\open\command\
    C:\WINNT\System32\WScript.exe "%1" %*
    HKCR\wsffile\shell\open\command\
    C:\WINNT\System32\WScript.exe "%1" %*
    HKU\.Default\Software\Microsoft\Windows\CurrentVersion\RunOnce\^SetupICWDesktop
    C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop
    HKU\.Default\Software\Microsoft\Windows\CurrentVersion\RunOnce\tscuninstall
    C:\WINNT\system32\tscupgrd.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
    C:\WINNT\System32\webcheck.dll
    C:\WINNT\System32\stobject.dll
    C:\WINNT\system32\SHELL32.dll
    C:\WINNT\system32\SHELL32.dll
    C:\WINNT\Tasks\Symantec NetDetect.job
    C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\InterCheck Monitor.LNK
    C:\Program Files\Sophos\ICMON.EXE
    HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute
    autocheck autochk *
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
    C:\WINNT\System32\Userinit.exe
    HKLM\System\CurrentControlSet\Control\WOW\cmdline
    C:\WINNT\system32\ntvdm.exe
    HKLM\System\CurrentControlSet\Control\WOW\wowcmdline
    C:\WINNT\system32\ntvdm.exe -a %SystemRoot%\system32\krnl386
    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\
    C:\WINNT\system32\mswsock.dll
    C:\WINNT\system32\rsvpsp.dll
    HKLM\System\CurrentControlSet\Services\VxD\JAVASUP\
    C:\WINNT\system32\JAVASUP.VXD
     
  5. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,875
    Location:
    New England
    You've obviously tuned your system quite a bit considering how little you have running on an XP system. Your HijackThis log is very clean. (You have no autostart entries at all in the registry Run keys? Your system must boot up almost instantly.)

    I assume you know what xl.exe is, and that it is a valid program, right?
     
  6. Reallytangy

    Reallytangy Registered Member

    Joined:
    Oct 5, 2003
    Posts:
    4
    ;) Yes I have....It boots pretty fast for a PIII 850MHz laptop....as for the xl.exe....I'm not very fond of it but it's Symantec's DRM stuff; it's not my system but I'm going to advise the user to go down a different path....BTW I ran ASV on my system and I noticed 3 differences..

    HKU\.Default\Software\Microsoft\Windows\CurrentVersion\RunOnce\^SetupICWDesktop
    C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop

    HKU\.Default\Software\Microsoft\Windows\CurrentVersion\RunOnce\tscuninstall
    C:\WINNT\system32\tscupgrd.exe

    HKLM\System\CurrentControlSet\Services\VxD\JAVASUP\
    C:\WINNT\system32\JAVASUP.VXD

    what do you think? Any ideas?....
     
  7. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Have you tried installing HTAstop?
    http://www.nsclean.com/htastop.html
    If that stops it, we would know what to look for.
    Cleared TIF and Temp folders?
    Where are the popups coming from?
    Can you check the URL on them or maybe see the IP address?

    Sorry,

    Pieter
     