Spybot S&D keeps finding "XerOx"

Discussion in 'other anti-malware software' started by jayzzz, May 19, 2004.

Thread Status:
Not open for further replies.
  1. jayzzz

    jayzzz Registered Member

    Joined:
    Mar 23, 2003
    Posts:
    367
    Location:
    California
    When I run Spybot S & D on my husband's computer (he's running Win98 in a Compaq Presario), it keeps finding a problem it calls "XerOx." There is no additional information available through Spybot about it, and Google isn't showing me anything with the same unusual capitalization of the "O," even though I enter it that way and use quotation marks around it for the search. I think it may have begun to show up when I downloaded the latest version of Spybot. Underneath, it says "Settings," then "HKEY_LOCAL_MACHINE\Software\xerox." It reappears every time the computer is booted. We've got an HP printer connected to that machine. I'd be real grateful if anyone could tell me what it might be about. o_O mj
     
  2. Detox

    Detox Retired Moderator

    Joined:
    Feb 9, 2002
    Posts:
    8,507
    Location:
    Texas, USA
    Putting the file path into Google brings up this among a couple other things. Looks as though you may have a worm there. By saying I put the file path into Google I mean I put "HKEY_LOCAL_MACHINE\Software\xerox" in there just like in your post ;)
     
  3. jayzzz

    jayzzz Registered Member

    Joined:
    Mar 23, 2003
    Posts:
    367
    Location:
    California
    I don't see anything about how to get rid of it. Where it looks like it should explain how, it merely defines the term. Any ideas? We've never had a worm in one of our computers before. :( mj
     
  4. Detox

    Detox Retired Moderator

    Joined:
    Feb 9, 2002
    Posts:
    8,507
    Location:
    Texas, USA
    Hmm, well, I'm not one of our experts in this area, but what AV/AT do you use? If nothing you have now detects it, I'd probably try downloading the 30-day trial of TDS and see what it has to say. Googling for the name in different ways makes it appear only Network Associates call it by that name (and apparently Spybot).
     
  5. jayzzz

    jayzzz Registered Member

    Joined:
    Mar 23, 2003
    Posts:
    367
    Location:
    California
    I've got AVG 6--always kept current--in there (which was oblivious to it, as of late yesterday, though it was already present), and no AT...never seemed to need one before. He doesn't tend to go to high risk types of sites, i.e., porn or music. He does tend to shut down his firewall when he gets frustrated. If I put an AT in that machine now, do you think it might be able to take care of it? Or add SpywareGuard on top of SpywareBlaster? I did the Google search like you did and the more I read, the less clear it becomes; a lot of the terminology is beyond me. :rolleyes: I see where TDS is discussed, but have not yet figured out where to download or what to do with it after I do. I wish his system was more stable. :doubt: mj
     
    Last edited: May 20, 2004
  6. Detox

    Detox Retired Moderator

    Joined:
    Feb 9, 2002
    Posts:
    8,507
    Location:
    Texas, USA
    Hmm, well, adding an AT at this time ought to work really, and TDS can be found here. Others and information can be found at the regular www.wilders.org page.

    Alternatively, and possibly easier, you can go to this section of the forum and follow the directions in the "how to" thread.
     
  7. jayzzz

    jayzzz Registered Member

    Joined:
    Mar 23, 2003
    Posts:
    367
    Location:
    California
    Thank you! After I take care of some of my own business in this (my) computer, I'll go fire up the other one and try downloading one of the permanently free ATs listed at DSL Reports' Security Software Updates, first. If there's a particular one you'd recommend, not only for its effectiveness but for its relative SIMPLICITY, I'd appreciate the guidance. If that does not work as it "ought to," I'll run a fresh set of scans and post an HJT log from that machine as instructed in the "How to" thread you provided the link to. That way, I won't make the process any more complex than is necessary to do the deed. ;)

    Before I do any of that, I'd best ask a few questions if you're willing to answer them: 1) Because the older system is not all that stable (booting temperamentally, etc., ad infinitum), is 'the cure' apt to cause problems that the worm currently does not seem to be causing by virtue of its presence? Or is the worm likely to be causing some of the instability? (Wish I knew if it was there before the new Spybot...never saw it, if so.) The computer is to be replaced, but really needs to work for at least another 3 weeks to allow my husband to finish a course he's taking for which he's got software installed for a fictitious business. I don't want to have to inform him that I ruined the machine for his purposes just to make it clean! And 2) might the worm cause the computer to send emails on its own over our CoNcast broadband? I read that was a possibility during the night...but was unclear about whether what I read was in reference to the specific worm he's got. 3) Are you (or anyone else who may read this) aware of worms being associated with educational software? Some of the stuff his professors have given him to use over the past year seemed flaky to me, but I'm more cynical than knowledgeable. The current class' software is from Thomson Learning at http://www.swcollege.com.

    I appreciate your time and attention...would give cookies if I still could! :) mj
     
  8. Detox

    Detox Retired Moderator

    Joined:
    Feb 9, 2002
    Posts:
    8,507
    Location:
    Texas, USA
    To be perfectly honest; the only AT I've ever used before TDS3 was TrojanCheck; which has long been abandoned and is very outdated by now. There are plenty of folks around here who have tested lots of anti-trojans, perhaps one of them will speak up in this regard.

    now..

    #1 - Most likely the worm is the culprit causing some instability. Worms, virii and the like are most often pretty buggy bits of code themselves.

    #2 - It's almost very possible with worms and such but I can't find anything about exactly what this particular worm does either - I'll ask around a bit.

    #3 - I've not heard of it but that certainly doesn't rule out the possibility. Wish I could be of more help on these :doubt:
     
  9. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,877
    Location:
    New England
    Jayzzz,

    What exactly is in that registry key when you look at it in regedit?

    Spybot 1.3 has a bug where it is incorrectly finding the "xer0x" worm by seeing the "xerox" key. It should be triggering on xer0x not xerox according to this thread at Net-Integration:

    http://forums.net-integration.net/index.php?showtopic=15523

    If you have a xerox entry there, which could be from many different types of programs, not just a printer, then it probably is valid or at least could be, especially since it was only adding Spybot 1.3 that showed the problem in the first place and others have seen it, too.
     
  10. jayzzz

    jayzzz Registered Member

    Joined:
    Mar 23, 2003
    Posts:
    367
    Location:
    California
    There are a couple of reasons I'm hesitant about going with the TDS3. I'd rather put something in permanently than just for a 30-day trial...I'll lose it just about the time I start to understand it. Plus, I won't understand it today! A "paid for" AT would be a worthwhile investment for someone who spends time cruising adult sites and/or downloading music, or even surfing further and wider than either of us does, if I understand where the higher risks are correctly.

    Hmmm. Perhaps I should run the scans and post a HJT log as the first step because that process involves software I've used before and am less likely to screw up with. By the time I took over some of his computer's maintenance (installed a firewall, the AVG--to replace pre-Y2K McAfee just last year!--Ad-Aware, Spybot, & recently, SpywareBlaster...) the machine was already sadly neglected, and it likely has more than a worm. I think he uses all of his patience and organization at work and at school, leaving none for his poor 'puter. The OS has not been updated since new, and I imagine you can figure out the potential for problems just reading that. When he first got that machine, I didn't yet know enough to recognize that he wasn't doing what he should've been. Besides, I was busy screwing up my own equipment, learning by trial and error! ;)

    Your honesty is greatly appreciated, and you've been a big help to me. Before I found forums like this one, the so-called technical support from companies like HP and Compaq was worse than dealing with stuff alone and in ignorance because they lied or made things up. The proof was in the results, which sucked. You told me what was wrong, and I still wouldn't have a clue if you'd left me to my own devices. Heck, I'd still be reading the ENDLESS pages of info about "Xerox," hoping to stumble on a listing with the "o" capitalized. :D Thank you very much. If you run into additional relevant info that you're kind enough to share, I'll be notified that you posted or PM'd me, depending on your preference. :) mj (Joyce)
     
  11. jayzzz

    jayzzz Registered Member

    Joined:
    Mar 23, 2003
    Posts:
    367
    Location:
    California
    I didn't see your post until just now, LowWaterMark. I don't know how to look at a registry key or anything else in regedit. That's a place I've only watched 2 other people work on in my previous machine (at different times) by remote. I'll check out the thread you referred to, though. That sure would be nice, but confusing if a worm and something valid can look exactly the same! :p mj
     
  12. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,877
    Location:
    New England
    Actually, that's exactly why the malware writers do it, to make it look like a valid file, key or whatever, in hopes that people will overlook these things.

    While there is certainly a chance you have that worm, it is also very likely that since only Spybot 1.3 found it, and others have reported it as a false positive, that you also are seeing a false positive.
     
  13. jayzzz

    jayzzz Registered Member

    Joined:
    Mar 23, 2003
    Posts:
    367
    Location:
    California
    Bubba's attached image is an exact match to what I see! When I typed it out in quotes, the first time, I copied EXACTLY the upper/lower cases displayed to me. But I don't know how to look where you suggest. If that's it, it's confusing, still, but very cool. Interesting that something valid and something wormy are identical...at what level does the difference happen to be recognized one way or the other electronically? mj
     
    Last edited: May 20, 2004
  14. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,877
    Location:
    New England
    Well, Spybot is triggering and alerting solely because of a registry key's existence. But the various technical summaries of malware that use similar or even identical key names always report all the other things that the malware does or needs in order to be harmful... i.e. other files present on the system, symptoms related to infection, etc.

    If you read through the technical summary of that worm link in the first reply above, and start looking for the other things related to the worm and don't find any, that's how you can tell that there isn't a problem.

    Edit: As to explaining how to use regedit, well I'm afraid that if you aren't comfortable using it, there's probably not a lot I can recommend. Microsoft and the technical industry in computing have done a good job of trying to scare people away from using regedit. In truth, it can be dangerous if used wrongly, but just running regedit is not dangerous. It is only a problem when you start trying to change or delete things.

    You can go to Start menu > Run > regedit and open the registry editor. Doing so won't break anything. You can also go through the tree of registry keys and look at stuff without danger. And then you can use the normal "X" for closing that window to get out of regedit without problem.

    If you can make yourself comfortable doing that, then you can "browse" through there and look at the keys involved and noted in the technical article.
     
    Last edited: May 20, 2004
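The two points made in this thread (a rule that fires on "xerox" when it should fire on "xer0x", and a lone registry key not being proof of infection without the other artifacts the technical summary lists) can be shown in a few lines of code. The following is an added example written for this page, not Spybot's code or anything from the original posters; the host inventories, the "xer0x" signature and the file names in it are constructed stand-ins taken from the names mentioned in the thread, not a real detection rule.

```python
# Added example: exact-match registry signatures vs. a lookalike-folding matcher,
# and why a key alone should only rate "suspicious", not "infected".

# Constructed sample inventories: what regedit and a file search would show.
SAMPLE_CLEAN_HOST = {
    "registry_keys": [
        r"HKEY_LOCAL_MACHINE\Software\xerox",   # legitimate vendor key (letter o)
        r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    ],
    "files": [r"C:\WINDOWS\NOTEPAD.EXE"],
}

SAMPLE_SUSPECT_HOST = {
    "registry_keys": [
        r"HKEY_LOCAL_MACHINE\Software\xer0x",   # lookalike key (digit zero), constructed
    ],
    "files": [r"C:\WINDOWS\xer0x.exe"],         # constructed corroborating artifact
}

# Hypothetical signature in the shape the thread describes: key with a zero,
# plus the file names the posters said they would search for.
SIGNATURE = {
    "name": "xer0x (hypothetical signature built from names in the thread)",
    "registry_key": r"HKEY_LOCAL_MACHINE\Software\xer0x",
    "files_any": ["xer0x.exe", "x3rox.exe"],
}

# Visually confusable character pairs that lookalike names rely on.
CONFUSABLE = {("o", "0"), ("0", "o"), ("l", "1"), ("1", "l"), ("i", "1"), ("1", "i")}


def loose_key_match(key, sig_key):
    """Over-broad matcher: folds 0 into o before comparing.
    This is the kind of comparison that makes 'xerox' trip a 'xer0x' rule."""
    fold = lambda s: s.casefold().replace("0", "o")
    return fold(key) == fold(sig_key)


def exact_key_match(key, sig_key):
    """Windows registry key names are case-insensitive, but every other
    character must match exactly: 'o' and '0' are different keys."""
    return key.casefold() == sig_key.casefold()


def confusable_diffs(a, b):
    """Positions where two same-length names differ only by a confusable pair."""
    a, b = a.casefold(), b.casefold()
    if len(a) != len(b):
        return []
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y and (x, y) in CONFUSABLE]


def registry_hits(host, sig, matcher=exact_key_match):
    """Registry keys on the host that the signature's key rule matches."""
    return [k for k in host["registry_keys"] if matcher(k, sig["registry_key"])]


def file_hits(host, sig):
    """Files on the host whose base name is one the signature lists."""
    wanted = {n.casefold() for n in sig["files_any"]}
    return [f for f in host["files"] if f.rsplit("\\", 1)[-1].casefold() in wanted]


def assess(host, sig, matcher=exact_key_match):
    """Return (verdict, evidence). A key by itself is only 'suspicious';
    'infected' requires the corroborating files the signature names too."""
    keys = registry_hits(host, sig, matcher)
    files = file_hits(host, sig)
    if keys and files:
        return "infected", {"keys": keys, "files": files}
    if keys:
        return "suspicious", {"keys": keys, "files": files}
    return "clean", {"keys": keys, "files": files}


if __name__ == "__main__":
    for label, host in (("clean host", SAMPLE_CLEAN_HOST), ("suspect host", SAMPLE_SUSPECT_HOST)):
        print(label, "loose matcher :", assess(host, SIGNATURE, loose_key_match))
        print(label, "exact matcher :", assess(host, SIGNATURE, exact_key_match))
    print("confusable positions xerox/xer0x:", confusable_diffs("xerox", "xer0x"))
```

Run as-is, the loose matcher flags the clean host's legitimate "xerox" key, which is the false positive the thread is about, while the exact matcher does not; and even the loose matcher only gets as far as "suspicious" on that host, because none of the files the signature names are present. On the constructed suspect host both the key and the file line up, so the verdict is "infected".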
  15. jayzzz

    jayzzz Registered Member

    Joined:
    Mar 23, 2003
    Posts:
    367
    Location:
    California
    Thank you! I'll search for xex0x.exe, xer0x.exe, x3rox.exe, etc., and see if I find any of them, then log in from that computer.

    I've got a clean Ad-Aware scan on it, done per your instructions in the link Detox posted for me. I'll go ahead and post a HJT log, in any case, with the URL for this page copied and pasted into the explanation of why I'm posting.

    Worm or no worm, bits & pieces of junkware remain from when I experimented on his (then faster) pc with Internet telephony (DialPad? :D ) back in 2000. I didn't remove anything I saw when I scanned it with HJT about a year ago because I'd learned BIG lessons about the ramifications of my uneducated decisions to delete files & folders in my own previous computers. :eek:

    With all the time I've spent reading about & looking at that 'da--ed' computer since yesterday, it would be nice to have something to show for it in terms of improved ANYthing. :D I've got my fingers figuratively crossed. :) mj
     
  16. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    IMO....until this minor bug is fixed....I would just check that item off so Spybot does not scan for it via the Advanced mode\Settings\Ignore products section. Don't forget to check for Xerox with an o....as in Oh well :)
     


  17. Detox

    Detox Retired Moderator

    Joined:
    Feb 9, 2002
    Posts:
    8,507
    Location:
    Texas, USA
    Thnx for the help LWM :D
     
  18. jayzzz

    jayzzz Registered Member

    Joined:
    Mar 23, 2003
    Posts:
    367
    Location:
    California
    Thank you for that, Bubba. I will do as you suggest. Might there be a similar way to get AdAware to stop flagging my computer's home page setting of 'about:blank' as 2 suspicious situations, or must I ask that in another thread? :p

    I was not able to stay logged in to post the HJT log from the other computer, so I'll post it from here. I was back and forth, and may have inadvertently tried to be logged in on both computers when I clicked to post and got dumped, just like old times with the previous software. :oops:

    I didn't find ANY of the file names in the complete list I referred to earlier, saying I'd search for them. Separate from the search, I triggered a fatal exception error, a shut-down for doing something illegal, and then the Compaq locked up on me twice.

    Grateful, grateful, & grateful. :) mj (Joyce)
     
  19. Detox

    Detox Retired Moderator

    Joined:
    Feb 9, 2002
    Posts:
    8,507
    Location:
    Texas, USA
    I do believe that when you find something in Ad-Aware 6 that you want to "ignore," you select it and the option will be available after the scan and detection - in other words; I do not believe you can "ignore" without scanning to have it pop up as "detected" first. I can't give specific instructions from there since I cannot get Ad-Aware to find anything right now :p , but I am sure it's not hard to find.
     
  20. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    You're welcome ;)

    As for the about:blank....you can have Ad-Aware ignore that entry in the future IF indeed a blank home page is what you have set?

    via Ad-Aware's Help section....
    Adding items to the Ignore list

    Sometimes you may want to keep a particular detected content on your system, and don't want Ad-aware to detect its components over and over again. In this case simply add the entire product, or the desired components, to the ignore list. Items are added to the ignore-list from the scan-result window.

    Follow these steps to add objects to the ignore-list:
    1. On the scan result list, check all items that you want to ignore.
    2. Right click in the list window to open the result-list menu.
    3. Select "Add selection to ignore-list".
    4. Click "OK".
    Although ignored items will be counted during the scan as being ignored, they will not show up in the scan-result list.


    Bubba
     


    Last edited: May 20, 2004
  21. jayzzz

    jayzzz Registered Member

    Joined:
    Mar 23, 2003
    Posts:
    367
    Location:
    California
    <giggling> Yes, it is. That's why I called it
    Did you type "Originally Posted by..." or does the board do that, somehow?

    I'll follow your instructions, and take care of it. Muchas gracias. My mistake was in thinking that by checking the items, I was locked into deleting them and finding myself back at an M$N home page. I've been looking for the control in all the wrong places.

    If ever there's cause to want Ad-Aware to flag any old thing to allow access to controls, setting the home page to about:blank is an easy way to do it...or locking the home page so it can't be changed. :cool: I don't understand how about:blank might help an outside influence w/o html or anything, but obviously others do.

    I will experiment with regedit in my Dell, and appreciate the step-by-step instructions for doing that, too. It's best I'm not comfortable doing that which I don't know how to do. I remember my MANY 'brand newbie on-line' decisions to delete files because I didn't think they sounded or looked "right," with zero knowledge or understanding of what they were. No computer stood a chance of survival while I did things like that. :rolleyes: mj
     