Re: Xi.exe

Discussion in 'adware, spyware & hijack cleaning' started by YamnuskaBill, May 6, 2004.

Thread Status:
Not open for further replies.
  1. YamnuskaBill

    YamnuskaBill Registered Member

    Joined:
    May 6, 2004
    Posts:
    6
    I have had a file appear in C:\Documents and Settings\All Users\Documents

    by the name of Xi.exe

    I have run Spybot, Adaware, Spywareblaster, Trend housecall etc.

    I have followed various instructions to remove it.

    It keep reappearing.

    Any help would be greatly appreciated.

    Logfile of HijackThis v1.97.7
    Scan saved at 3:12:29 PM, on 06/05/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\s3hotkey.exe
    C:\WINDOWS\System32\S3Tray2.exe
    C:\WINDOWS\System32\00THotkey.exe
    C:\WINDOWS\System32\TFNF5.exe
    C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
    C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
    C:\WINDOWS\System32\TPWRTRAY.EXE
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\WINDOWS\system32\netdde.exe
    C:\WINDOWS\system32\clipsrv.exe
    C:\WINDOWS\System32\dllhost.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\system32\fxssvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\BRMFRSMG.EXE
    C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Bill Betts\Local Settings\Temp\Temporary Directory 8 for hijackthis.zip\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mytelus.com/home_page.html
    O4 - HKLM\..\Run: [S3Hotkey] s3hotkey.exe
    O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
    O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
    O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
    O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
    O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
    O4 - HKLM\..\Run: [TFncKy] TFncKy.exe /Type 20
    O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [Drag'n Drop CD] C:\Program Files\Drag'n Drop CD\BinFiles\DragDrop.exe /StartUp
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://64.124.45.181/downloads/ccpm_0237.cab
    O16 - DPF: {32B989C2-13D4-426C-81F3-D68D7393E487} (ChainCast VMR Client Proxy) - http://64.124.45.181/download/ccpm_0200.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
    O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://ebony.gov.bc.ca/mapplace/mgaxctrl.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37517.4629050926
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,440
    Location:
    Netherlands
    Nothing suspicious in your log.

    Copy notepad.exe to C:\Documents and Settings\All Users\Documents and rename it to Xi.exe

    Let us know what happens.

    Regards,

    Pieter
     
  3. YamnuskaBill

    YamnuskaBill Registered Member

    Joined:
    May 6, 2004
    Posts:
    6
    Did as suggested

    Search revealed:

    NOTEPAD.EXE-336351A9.pf C\WINDOWS 15KB PF File 18/08/2001 appears to emulate previous.

    Recyclers file shows many copies that I can't get rid of.

    Spybot, Trend, Adaware etc show nothing.

    Logfile of HijackThis v1.97.7
    Scan saved at 9:27:41 AM, on 07/05/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\netdde.exe
    C:\WINDOWS\system32\clipsrv.exe
    C:\WINDOWS\System32\dllhost.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\system32\fxssvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\s3hotkey.exe
    C:\WINDOWS\System32\S3Tray2.exe
    C:\WINDOWS\System32\00THotkey.exe
    C:\WINDOWS\System32\TFNF5.exe
    C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
    C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
    C:\WINDOWS\System32\TPWRTRAY.EXE
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\BRMFRSMG.EXE
    C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
    C:\PROGRA~1\MAXIMI~1\Maxwin.exe
    C:\Pvsw\Bin\W3DBSMGR.EXE
    C:\Documents and Settings\Bill Betts\Local Settings\Temp\Temporary Directory 8 for hijackthis.zip\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mytelus.com/home_page.html
    O4 - HKLM\..\Run: [S3Hotkey] s3hotkey.exe
    O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
    O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
    O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
    O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
    O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
    O4 - HKLM\..\Run: [TFncKy] TFncKy.exe /Type 20
    O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [Drag'n Drop CD] C:\Program Files\Drag'n Drop CD\BinFiles\DragDrop.exe /StartUp
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://64.124.45.181/downloads/ccpm_0237.cab
    O16 - DPF: {32B989C2-13D4-426C-81F3-D68D7393E487} (ChainCast VMR Client Proxy) - http://64.124.45.181/download/ccpm_0200.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
    O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://ebony.gov.bc.ca/mapplace/mgaxctrl.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37517.4629050926
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    Where to/ what to now??

    Thanks YB

    Additional:

    Restore is disabled

    As well I disabled the Recycle bin.

    There is a file under C\Recycler S-1-5-21-1203752577-2552189465-2221179514-500 that Wrns me not to delete. I had gone to safe mode and successfully deleted all others but this one.


    Under search I still show:

    NOTEPAD.EXE C:\WINDOWS 65KB Application 18/08/2001 5:00 AM
    notepad.exe C:\WINDOWS\system32 65KB Application 18/08/2001 5:00 AM
    notepad.exe C:\WINDOWS\system32\dllcache 65KB Application 18/08/2001 5:00 AM

    Note: this last dll is highlighted in blueo_O
     
    Last edited: May 7, 2004
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.