Not for the faint at heart....AUX.TXZ in system32, popups

Guys any help would be GREATLY appreciated, I have been working on a system for several hours (used adaware, spybot, BHOdemon, hijackthis, CWShredder, Spywareblaster, NAV2k4, Sophos AV,) reinstalled SP1a for XP Pro, IE6 and OE, SFC etc. etc......but it's still not clean (still getting porn popups)....unfortunately reinstalling (over XP or using another folder... i.e. winxp) is not an option.

I just finished running sophos with the CLI in safe mode, and I noticed it chocked on AUX.TXZ....checked the net and found nothing (other then somebody asking what it was and a foreign language page).

As I said before, any ideas on where else to look or what tools to use can't even be expressed in words!!

Thanks in Advance,

Mike


PS Of course AUX.TXZ cant be deleted even in safe mode, it's 0 bytes and has no file information (not a problem, I have tools like Admin Pack from Winternals) I would simply like to crosscheck and delete the source and not overlook something.

PSS Foreign language page http://forum.mks.com.pl/forum/viewthread.p...id=4080#pid4080

 

Thank you for replying here is a log file from HJT...FYI copy and paste from another forum....Thanks Again

Did some research and followed the thread and links but there was no sign of the exploit...FYI I DL the patches this morning (KB828750)

Here is the new log, I apologize for the delay, being proactive....

file of HijackThis v1.97.3
Scan saved at 6:45:16 PM, on 10/5/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
C:\PROGRA~1\Iomega\System32\ActivityDisk.exe
C:\Program Files\Sophos\SWNETSUP.EXE
C:\Program Files\Sophos\SWEEPSRV.SYS
C:\WINNT\System32\xl.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Sophos\ICMON.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\WINNT\System32\ctfmon.exe
C:\WINNT\REGEDIT.exe
C:\Documents and Settings\Decher\Desktop\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
O4 - Global Startup: InterCheck Monitor.LNK = C:\Program Files\Sophos\ICMON.EXE
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37898.980775463
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = MY DOMAIN
O17 - HKLM\Software\..\Telephony: DomainName = MY DOMAIN
O17 - HKLM\System\CCS\Services\Tcpip\..\{18B58F74-388C-41AF-AB9E-FAC6D18C0E68}: NameServer = MY DNS
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = MY DOMAIN

 

Here is a log from DiamondCS ASV 1.4

DiamondCS Autostart Viewer (www.diamondcs.com.au) - Report for decher@JDECHER, 10-05-2003
c:\winnt\system32\autoexec.nt
C:\WINNT\system32\mscdexnt.exe
C:\WINNT\system32\redir.exe
C:\WINNT\system32\dosx.exe
C:\WINNT\system32\nw16.exe
C:\WINNT\system32\vwipxspx.exe
c:\winnt\system32\config.nt
C:\WINNT\system32\himem.sys
c:\winnt\system.ini [drivers]
timer=timer.drv
c:\winnt\system.ini [boot]\shell
C:\WINNT\explorer.exe
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
C:\WINNT\explorer.exe
HKCR\vbsfile\shell\open\command\
C:\WINNT\System32\WScript.exe "%1" %*
HKCR\vbefile\shell\open\command\
C:\WINNT\System32\WScript.exe "%1" %*
HKCR\jsfile\shell\open\command\
C:\WINNT\System32\WScript.exe "%1" %*
HKCR\jsefile\shell\open\command\
C:\WINNT\System32\WScript.exe "%1" %*
HKCR\wshfile\shell\open\command\
C:\WINNT\System32\WScript.exe "%1" %*
HKCR\wsffile\shell\open\command\
C:\WINNT\System32\WScript.exe "%1" %*
HKU\.Default\Software\Microsoft\Windows\CurrentVersion\RunOnce\^SetupICWDesktop
C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop
HKU\.Default\Software\Microsoft\Windows\CurrentVersion\RunOnce\tscuninstall
C:\WINNT\system32\tscupgrd.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
C:\WINNT\System32\webcheck.dll
C:\WINNT\System32\stobject.dll
C:\WINNT\system32\SHELL32.dll
C:\WINNT\system32\SHELL32.dll
C:\WINNT\Tasks\Symantec NetDetect.job
C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\InterCheck Monitor.LNK
C:\Program Files\Sophos\ICMON.EXE
HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute
autocheck autochk *
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
C:\WINNT\System32\Userinit.exe
HKLM\System\CurrentControlSet\Control\WOW\cmdline
C:\WINNT\system32\ntvdm.exe
HKLM\System\CurrentControlSet\Control\WOW\wowcmdline
C:\WINNT\system32\ntvdm.exe -a %SystemRoot%\system32\krnl386
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\
C:\WINNT\system32\mswsock.dll
C:\WINNT\system32\rsvpsp.dll
HKLM\System\CurrentControlSet\Services\VxD\JAVASUP\
C:\WINNT\system32\JAVASUP.VXD

 

Yes I have....It boots pretty fast for a PIII 850MHZ laptop....as for the lx.exe....I'm not very fond of it but it's Symantecs DRM stuff, it's not my system but I'm going to advise the user to go down a different path....BTW I ran ASV on my system and I noticed 3 differences..

HKU\.Default\Software\Microsoft\Windows\CurrentVersion\RunOnce\^SetupICWDesktop
C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop

HKU\.Default\Software\Microsoft\Windows\CurrentVersion\RunOnce\tscuninstall
C:\WINNT\system32\tscupgrd.exe

HKLM\System\CurrentControlSet\Services\VxD\JAVASUP\
C:\WINNT\system32\JAVASUP.VXD

what do you think? Any ideas?....

 

Have you tried installing HTAstop?
http://www.nsclean.com/htastop.html
If that stops it, we would know what to look for.
Cleared TIF and Temp folders?
Where are the popups coming from?
Can you check the URL on them or maybe see the IP address?

Sorry,

Pieter