strange processes running, rxhostt.exe?

Discussion in 'adware, spyware & hijack cleaning' started by Adde, Jul 6, 2004.

Thread Status:
Not open for further replies.
  1. Adde

    Adde Registered Member

    Joined:
    Jul 6, 2004
    Posts:
    9
    Hello,

    Yesterday I changed firewall from ZA to Kerio PF and when I was done with the installation, two processes wanted access to the Internet: lsass.exe and rxhostt.exe. I know what lsass.exe is but as for rxhostt.exe I am clueless. Is this a virus? Also, my system is running slower than usual with a lot of delay, when I for example double-click the Kerio firewall. I have run the Ad-aware 6 scan as per your instructions, and my hijack log is enclosed below.

    I would really appreciate if someone could take a look at it!

    Logfile of HijackThis v1.97.7
    Scan saved at 19:51:43, on 2004-07-06
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\D-Tools\daemon.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\System32\rxhostt.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\WINDOWS\System32\rxhostt.exe
    C:\WINDOWS\system32\id2scaps.exe
    C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
    C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\Andreas\Desktop\Blandat\HiJack This\hijack2\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
    O4 - HKLM\..\Run: [Microsoft Update Machine] rxhostt.exe
    O4 - HKLM\..\RunServices: [Microsoft Update Machine] rxhostt.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [Microsoft Update Machine] rxhostt.exe
    O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
    O4 - Startup: PowerReg Scheduler.exe
    O4 - Startup: PowerReg Scheduler V3.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: ICQ (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .sgn: C:\Program Files\Internet Explorer\PLUGINS\npSign.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - http://ssd01.web.sh.se/iNotes.cab
    O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - http://ssd01.web.sh.se/iNotes6.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...le.com/samantha/us/win/QuickTimeInstaller.exe
    O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://www.ipswitch.com/_installs/wsftp_le/setup.exe
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37378.5828587963
    O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/Sasser/20/SassCln.CAB
    O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/Z4/heartbeat.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://register3.valueactive.com/236/webolr/OCX/FlashAX.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{9ECECD89-7965-4406-8D65-0C79A2BCFC3C}: NameServer = 81.26.228.3,81.26.228.2

    Best regards
    Andreas
     
  2. IMM

    IMM Spyware Fighter

    Joined:
    May 6, 2004
    Posts:
    351
    I think that what you have is
    http://fr.trendmicro-europe.com/ent...etail.php?id=59666&VName=WORM_RBOT.AJ&VSect=T

    Use Taskmanager (Ctrl-Alt-Del) to end these running processes if you can
    (or use Process Explorer)
    C:\WINDOWS\System32\rxhostt.exe
    C:\WINDOWS\System32\rxhostt.exe


    Run HijackThis again, push Scan and place a check mark next to the following items using your mouse.
    Next, close all browser Windows, and push the 'Fix checked' button in HijackThis

    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [Microsoft Update Machine] rxhostt.exe
    O4 - HKLM\..\RunServices: [Microsoft Update Machine] rxhostt.exe
    O4 - HKCU\..\Run: [Microsoft Update Machine] rxhostt.exe
    O4 - Startup: PowerReg Scheduler.exe
    O4 - Startup: PowerReg Scheduler V3.exe


    Empty the TIF (Temporary Internet Files)
    To do so use Control Panel > Internet Options(or right click the IE icon on the desktop and choose Properties)
    Click Delete Files on the General Tab - place a check in the Delete all offline content box and then press OK

    Delete all the files in (and any subfolders of) the C:\Windows\Temp\ folder

    Set your Explorer up using the info in this link so that hidden and System files are visible
    Also Uncheck the "Hide extensions for known file types" box

    Reboot to SAFE mode
    How to start the computer in Safe mode

    Delete the following files:
    C:\WINDOWS\System32\rxhostt.exe

    Reboot normally

    Get a good online virus scan at HouseCall
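The log in the first post shows the pattern IMM keyed on: an O4 autostart entry whose command is a bare file name with no path, registered under HKLM\..\Run, HKLM\..\RunServices and HKCU\..\Run at once, and matching two copies of the same binary in the running-process list. The script below is an added example written for this thread (it is not code from the forum or from HijackThis) that parses a HijackThis-style log and tallies those indicators per executable, so the reviewer can see at a glance which autostart entries deserve a closer look. The sample log embedded in it is an excerpt of the log Adde posted; the flag names and the `triage` function are this example's own.

```python
"""Triage helper for HijackThis-style logs.

Added example for this thread, not code from the forum or from HijackThis.
It parses the "Running processes" list and the O4 autostart lines, then flags
per executable:
  bare-name          registry Run command is a file name with no path
  runservices        entry lives under a RunServices key
  multiple-hives     same program registered under more than one hive
  multiple-instances the same file name appears more than once as a process
"""
import re
from collections import Counter, defaultdict

# Excerpt of the log posted at the top of the thread (not a complete log).
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\rxhostt.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\rxhostt.exe
C:\Program Files\D-Tools\daemon.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Microsoft Update Machine] rxhostt.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] rxhostt.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Microsoft Update Machine] rxhostt.exe
O4 - Startup: PowerReg Scheduler.exe
"""

# "O4 - HKLM\..\Run: [name] command"  (registry autostart)
REG_RUN = re.compile(
    r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# "O4 - Startup: file.exe" / "O4 - Global Startup: file.lnk"  (startup folder)
STARTUP = re.compile(r"^O4 - (?P<key>(?:Global )?Startup): (?P<cmd>.+)$")


def program_of(cmd):
    """Return the program token of a command line (quoted path or first word)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(None, 1)[0]


def executable_name(cmd):
    """Lower-cased file name of the program a registry command line launches."""
    return program_of(cmd).rsplit("\\", 1)[-1].lower()


def parse_log(text):
    """Split a log into (running process paths, list of autostart entries)."""
    processes, autostarts, in_procs = [], [], False
    for line in text.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            if not line:          # blank line ends the process list
                in_procs = False
                continue
            processes.append(line)
            continue
        m = REG_RUN.match(line)
        if m:
            entry = m.groupdict()
            entry["program"] = program_of(entry["cmd"])
            autostarts.append(entry)
            continue
        m = STARTUP.match(line)
        if m:  # startup-folder items are plain file names, spaces included
            autostarts.append({"hive": "folder", "key": m.group("key"),
                               "name": "", "cmd": m.group("cmd"),
                               "program": m.group("cmd")})
    return processes, autostarts


def triage(text):
    """Tally autostart entries and running instances per executable name."""
    processes, autostarts = parse_log(text)
    running = Counter(p.rsplit("\\", 1)[-1].lower() for p in processes)
    report = defaultdict(lambda: {"autostarts": 0, "hives": set(),
                                  "keys": set(), "running": 0, "flags": set()})
    for entry in autostarts:
        exe = entry["program"].rsplit("\\", 1)[-1].lower()
        rec = report[exe]
        rec["autostarts"] += 1
        rec["hives"].add(entry["hive"])
        rec["keys"].add(entry["key"])
        rec["running"] = running.get(exe, 0)
        # A bare name is resolved through the search path at logon, so the
        # log alone does not tell you which file on disk actually runs.
        if entry["hive"] != "folder" and "\\" not in entry["program"] \
                and "%" not in entry["program"]:
            rec["flags"].add("bare-name")
        if entry["key"] == "RunServices":
            rec["flags"].add("runservices")
    for rec in report.values():
        if len(rec["hives"] - {"folder"}) > 1:
            rec["flags"].add("multiple-hives")
        if rec["running"] > 1:
            rec["flags"].add("multiple-instances")
    return dict(report)


if __name__ == "__main__":
    for exe, rec in sorted(triage(SAMPLE_LOG).items()):
        if rec["flags"]:
            print(f"{exe}: {sorted(rec['flags'])} running={rec['running']}")
```

Run on the excerpt, rxhostt.exe collects all four flags while nwiz.exe is flagged only as bare-name: a bare name by itself is a prompt to locate the file and check its properties, as IMM asks Adde to do for id2scaps.exe later in the thread, not a verdict on its own.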
     
  3. Adde

    Adde Registered Member

    Joined:
    Jul 6, 2004
    Posts:
    9
    Hi,
    Thanks for the reply!

    I have used HijackThis to fix the items you specified and I have also deleted rxhostt.exe in safe mode. While in safe mode I did a full search for rxh* and found the following file: rxhostt.exe-233AD399.pf
    located in C:\WINDOWS\Prefetch

    I deleted that file as well. I have also installed the SP1 since my first post. I actually did that before I got to read your post, could that have caused any problems? One thing I notice after I have installed the SP1 plus other windows updates is that when I boot my computer it takes a very long time for msn messenger and Norton AV to log on. Do you have any ideas as to what this could depend on?

    I have enclosed my file log as it looks right now below:

    Logfile of HijackThis v1.98.0
    Scan saved at 01:07:39, on 2004-07-07
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\D-Tools\daemon.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\id2scaps.exe
    C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
    C:\Documents and Settings\Andreas\Desktop\Blandat\HiJack This\hijack2\hijack 1.98\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
    O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O12 - Plugin for .sgn: C:\Program Files\Internet Explorer\PLUGINS\npSign.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - http://ssd01.web.sh.se/iNotes.cab
    O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - http://ssd01.web.sh.se/iNotes6.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...le.com/samantha/us/win/QuickTimeInstaller.exe
    O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://www.ipswitch.com/_installs/wsftp_le/setup.exe
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/Z4/heartbeat.cab
    O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://register3.valueactive.com/236/webolr/OCX/FlashAX.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{9ECECD89-7965-4406-8D65-0C79A2BCFC3C}: NameServer = 81.26.228.3,81.26.228.2

    Best regards
    Andreas
     
  4. IMM

    IMM Spyware Fighter

    Joined:
    May 6, 2004
    Posts:
    351
    Did you do an online virus scan ?
    Did you check for available critical updates from M$ after installing SP1 ?
    There may well be a back door left still.

    I don't recognize this one (which is running)
    C:\WINDOWS\system32\id2scaps.exe

    Can you find the file and right click it for properties such as manufacturer etc?
     
  5. Adde

    Adde Registered Member

    Joined:
    Jul 6, 2004
    Posts:
    9
    Hi,
    I have now done three different online virus scans:
    http://housecall.antivirus.com/
    http://www.pandasoftware.com/activescan/
    http://www.ravantivirus.com/scan/

    Pandasoftware found the following: Virus:W32/Sasser.ftp
    it was located: C:\WINDOWS\system32\cmd.ftp

    The status now is disinfected for the above, so I guess that should be fine now.

    I still have a problem when I log in though. It takes several minutes before the system actually checks the floppy disc (it usually does that directly when the desktop is becoming visible) and along with the sound of the floppy check, msn messenger and Norton AV load up.

    I have downloaded and installed all of the critical updates available at Windows update, but the problem persists.

    Do you have any suggestions?

    BTW: C:\WINDOWS\system32\id2scaps.exe is a program for my bank, so that should be fine.

    Best regards
    Andreas
     
  6. IMM

    IMM Spyware Fighter

    Joined:
    May 6, 2004
    Posts:
    351
    If you had sasser - you really need to go to windows update and get all the critical updates.
    I think they are actively checking for sasser damage.

    The 30 day trial of TDS-3 http://tds.diamondcs.com.au/ is also worth a shot here.
     
  7. Adde

    Adde Registered Member

    Joined:
    Jul 6, 2004
    Posts:
    9
    Now something has happened. I ran Spy Sweeper and put everything it found in quarantine. Then I was about to reboot and the computer froze. When I shut down and tried to reboot, it found an error. So I pressed F1 into the setup and the only thing I could find was that the fan speed was 1450-1500 something and it was marked in red.

    Therefore I didn't do anything about that, but before I got into the system a window popped up telling me that my date and time were wrong. So now my date is set to 31st December 1999 with the time at 23:21. And under Start, Programs, almost every program is marked as though it had just been installed. I tried to run the automatic synchronize function for the time, but it didn't work.

    Could Spy Sweeper have deleted something that caused this or what?

    Best regards
    Andreas
     
  8. IMM

    IMM Spyware Fighter

    Joined:
    May 6, 2004
    Posts:
    351
    Not that I'm aware of - but have been noticing bios issues with some trojans lately
    Can you reload the bios defaults and then set it up again - or is it unfamiliar territory?
    At least try to set the correct date and time there.
    There have been some rumours of 'baddies' trying to use the firmware areas to survive reformats - are you comfortable flashing? (the bios that is :) )

    It could actually just be a bad fan?
     
  9. Adde

    Adde Registered Member

    Joined:
    Jul 6, 2004
    Posts:
    9
    I am not too familiar with flashing the BIOS. I'm in safe mode now because I cannot boot the system normally anymore, it just freezes when I reach the "welcome" text.

    I tried to get a restore point but since the date is set at 1999-12-31 that backfired.

    Is it easy to flash the BIOS or should I just try to change the time and date in the BIOS?
     
  10. Adde

    Adde Registered Member

    Joined:
    Jul 6, 2004
    Posts:
    9
    I was able to change the time and date in BIOS, and once I had done that I could log in to the system. Do I need to flash the BIOS anyway? I mean, was the solution to change the date and time in BIOS just a quick solution?

    I am puzzled as to what to do next. It seems like I have some kind of trojan, virus or whatever running on my system. I have found the sasser but that should be disinfected by Panda, and I have run several virus scans on-line as well as AdAware 6, Spybot, Spy Sweeper, Spywareblaster, Stinger, SasserFx....perhaps something more....

    I have to log off now and get some sleep, but I will check in again tomorrow. So if you have any suggestions as to what I might do I would really appreciate it! It just seems like I am still infected with something, and that my system seems very unstable....don't know what to do!

    Best regards
    Andreas
     
  11. Adde

    Adde Registered Member

    Joined:
    Jul 6, 2004
    Posts:
    9
    While uninstalling a program, Kerio reported that GLB1A2B.EXE wanted to access the Internet.

    Before I pushed any button I googled and found that this may be: W95.MTX

    I downloaded the anti-virus program and ran it through safe mode, but when I rebooted the log did not state that any virus had been removed, so I did a search but couldn't find the file anymore. The location of the file was ...\User\Lokal settings\Temp

    Some websites found through Google also indicated that this was something that was loaded at the same time that Windows loaded.

    Any suggestions?
     
  12. IMM

    IMM Spyware Fighter

    Joined:
    May 6, 2004
    Posts:
    351
    GLB1A2B.EXE is (I think) a fairly common name for a rather common installer (not viral)
    I think the info you found on google is likely wrong.
    Re kerio - with some firewalls it can be difficult to tell if they want the internet or just a local connection.
    If in doubt - you can always allow connect with the phone line (cable) unplugged to see where it tries to go.

    Is the mtx tool you used the one from symantec ?
    http://service1.symantec.com/sarc/sarc.nsf/html/pf/w95.mtx.html
     