Re: Xi.exe

Discussion in 'adware, spyware & hijack cleaning' started by YamnuskaBill, May 6, 2004.

Thread Status:
Not open for further replies.
  1. YamnuskaBill

    YamnuskaBill Registered Member

    Joined:
    May 6, 2004
    Posts:
    6
    I have had a file appear in C:\Documents and Settings\All Users\Documents

    by the name of Xi.exe

    I have run Spybot, Adaware, Spywareblaster, Trend housecall etc.

    I have followed various instructions to remove it.

    It keeps reappearing.

    Any help would be greatly appreciated.

    Logfile of HijackThis v1.97.7
    Scan saved at 3:12:29 PM, on 06/05/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\s3hotkey.exe
    C:\WINDOWS\System32\S3Tray2.exe
    C:\WINDOWS\System32\00THotkey.exe
    C:\WINDOWS\System32\TFNF5.exe
    C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
    C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
    C:\WINDOWS\System32\TPWRTRAY.EXE
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\WINDOWS\system32\netdde.exe
    C:\WINDOWS\system32\clipsrv.exe
    C:\WINDOWS\System32\dllhost.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\system32\fxssvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\BRMFRSMG.EXE
    C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Bill Betts\Local Settings\Temp\Temporary Directory 8 for hijackthis.zip\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mytelus.com/home_page.html
    O4 - HKLM\..\Run: [S3Hotkey] s3hotkey.exe
    O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
    O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
    O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
    O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
    O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
    O4 - HKLM\..\Run: [TFncKy] TFncKy.exe /Type 20
    O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [Drag'n Drop CD] C:\Program Files\Drag'n Drop CD\BinFiles\DragDrop.exe /StartUp
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://64.124.45.181/downloads/ccpm_0237.cab
    O16 - DPF: {32B989C2-13D4-426C-81F3-D68D7393E487} (ChainCast VMR Client Proxy) - http://64.124.45.181/download/ccpm_0200.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
    O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://ebony.gov.bc.ca/mapplace/mgaxctrl.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37517.4629050926
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Nothing suspicious in your log.

    Copy notepad.exe to C:\Documents and Settings\All Users\Documents and rename it to Xi.exe

    Let us know what happens.

    Regards,

    Pieter
     
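    As an added example, not code from the thread or from any tool mentioned in it, here is a small Python 3 script that carries out the decoy test Pieter suggests: copy a known-harmless file to the path where Xi.exe keeps turning up, record its SHA-256 and size, and later report whether the planted file is still intact, has gone missing, or has been replaced by something else. The default paths are the ones named in the thread; the state-file location and the function names are assumptions made for this example.

```python
"""Decoy-file check (added example, not code from the thread).

Idea from the thread: put a file you know is harmless (a copy of
notepad.exe) at the path where the unexplained Xi.exe keeps reappearing,
then see whether it is later deleted or overwritten.  'replaced' means
some process is writing a fresh Xi.exe and that writer is what to hunt;
'missing' means something removes files at that path; 'intact' means
nothing has touched it since it was planted.
"""
import hashlib
import json
import os
import shutil
import sys
from datetime import datetime, timezone

# Paths named in the thread (Windows XP era); override them as arguments.
DEFAULT_SOURCE = r"C:\WINDOWS\system32\notepad.exe"
DEFAULT_DECOY = r"C:\Documents and Settings\All Users\Documents\Xi.exe"
DEFAULT_STATE = "xi-decoy-state.json"  # assumed location, next to the script


def sha256_of(path):
    """Stream the file through SHA-256 so large binaries are fine too."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def plant_decoy(source, decoy, state_file):
    """Copy `source` to `decoy` and record hash, size and time in `state_file`."""
    shutil.copyfile(source, decoy)
    state = {
        "decoy": decoy,
        "sha256": sha256_of(decoy),
        "size": os.path.getsize(decoy),
        "planted_at": datetime.now(timezone.utc).isoformat(),
    }
    with open(state_file, "w", encoding="utf-8") as handle:
        json.dump(state, handle, indent=2)
    return state


def check_decoy(state_file):
    """Return 'intact', 'missing' or 'replaced' for the planted decoy."""
    with open(state_file, "r", encoding="utf-8") as handle:
        state = json.load(handle)
    if not os.path.exists(state["decoy"]):
        return "missing"
    if sha256_of(state["decoy"]) != state["sha256"]:
        return "replaced"
    return "intact"


if __name__ == "__main__":
    # Usage:  python decoy.py plant [source] [decoy] [state]
    #         python decoy.py check [state]
    action = sys.argv[1] if len(sys.argv) > 1 else "check"
    if action == "plant":
        src = sys.argv[2] if len(sys.argv) > 2 else DEFAULT_SOURCE
        dst = sys.argv[3] if len(sys.argv) > 3 else DEFAULT_DECOY
        st = sys.argv[4] if len(sys.argv) > 4 else DEFAULT_STATE
        print(json.dumps(plant_decoy(src, dst, st), indent=2))
    else:
        st = sys.argv[2] if len(sys.argv) > 2 else DEFAULT_STATE
        print(check_decoy(st))
```

    Run `plant` once, then `check` after a reboot or after the interval in which Xi.exe normally came back. A `replaced` result is the interesting one: the file's content changed, so a process on the machine is writing it, and the next step is identifying that writer (for example by comparing the new file's hash and timestamp against the running processes and autostart entries in the HijackThis log).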
  3. YamnuskaBill

    YamnuskaBill Registered Member

    Joined:
    May 6, 2004
    Posts:
    6
    Did as suggested

    Search revealed:

    NOTEPAD.EXE-336351A9.pf C:\WINDOWS 15KB PF File 18/08/2001 appears to emulate previous.

    Recyclers file shows many copies that I can't get rid of.

    Spybot, Trend, Adaware etc show nothing.

    Logfile of HijackThis v1.97.7
    Scan saved at 9:27:41 AM, on 07/05/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\netdde.exe
    C:\WINDOWS\system32\clipsrv.exe
    C:\WINDOWS\System32\dllhost.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\system32\fxssvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\s3hotkey.exe
    C:\WINDOWS\System32\S3Tray2.exe
    C:\WINDOWS\System32\00THotkey.exe
    C:\WINDOWS\System32\TFNF5.exe
    C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
    C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
    C:\WINDOWS\System32\TPWRTRAY.EXE
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\BRMFRSMG.EXE
    C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
    C:\PROGRA~1\MAXIMI~1\Maxwin.exe
    C:\Pvsw\Bin\W3DBSMGR.EXE
    C:\Documents and Settings\Bill Betts\Local Settings\Temp\Temporary Directory 8 for hijackthis.zip\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mytelus.com/home_page.html
    O4 - HKLM\..\Run: [S3Hotkey] s3hotkey.exe
    O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
    O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
    O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
    O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
    O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
    O4 - HKLM\..\Run: [TFncKy] TFncKy.exe /Type 20
    O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [Drag'n Drop CD] C:\Program Files\Drag'n Drop CD\BinFiles\DragDrop.exe /StartUp
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://64.124.45.181/downloads/ccpm_0237.cab
    O16 - DPF: {32B989C2-13D4-426C-81F3-D68D7393E487} (ChainCast VMR Client Proxy) - http://64.124.45.181/download/ccpm_0200.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
    O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://ebony.gov.bc.ca/mapplace/mgaxctrl.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37517.4629050926
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    Where to/ what to now??

    Thanks YB

    Additional:

    Restore is disabled

    As well I disabled the Recycle bin.

    There is a file under C:\Recycler S-1-5-21-1203752577-2552189465-2221179514-500 that warns me not to delete. I had gone to safe mode and successfully deleted all others but this one.


    Under search I still show:

    NOTEPAD.EXE C:\WINDOWS 65KB Application 18/08/2001 5:00 AM
    notepad.exe C:\WINDOWS\system32 65KB Application 18/08/2001 5:00 AM
    notepad.exe C:\WINDOWS\system32\dllcache 65KB Application 18/08/2001 5:00 AM

    Note: this last dll is highlighted in blue.
     
    Last edited: May 7, 2004