strange processes running, rxhostt.exe?

Hello,

Yesterday I changed firewall from ZA to Kerio PF and when I was done with the installation, two processes wanted access to the Internet; lsass.exe and rxhostt.exe. I know what lsass.exe is but as for rxhostt.exe I am clueless. Is this a virus? Also, my system is running slower than usual with a lot of delay, when I for example double-click the Kerio firewall. I have run the Ad-aware 6 scan as per your instructions, and my hijack log is enclosed below.

I would really appreciate if someone could take a look at it!

Logfile of HijackThis v1.97.7
Scan saved at 19:51:43, on 2004-07-06
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\rxhostt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\rxhostt.exe
C:\WINDOWS\system32\id2scaps.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Andreas\Desktop\Blandat\HiJack This\hijack2\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Microsoft Update Machine] rxhostt.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] rxhostt.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Microsoft Update Machine] rxhostt.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .sgn: C:\Program Files\Internet Explorer\PLUGINS\npSign.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - http://ssd01.web.sh.se/iNotes.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - http://ssd01.web.sh.se/iNotes6.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...le.com/samantha/us/win/QuickTimeInstaller.exe
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://www.ipswitch.com/_installs/wsftp_le/setup.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37378.5828587963
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/Sasser/20/SassCln.CAB
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/Z4/heartbeat.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://register3.valueactive.com/236/webolr/OCX/FlashAX.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9ECECD89-7965-4406-8D65-0C79A2BCFC3C}: NameServer = 81.26.228.3,81.26.228.2

Best regards
Andreas

 

I think that what you have is
http://fr.trendmicro-europe.com/ent...etail.php?id=59666&VName=WORM_RBOT.AJ&VSect=T

Use Taskmanager (Ctrl-Alt-Del) to end these running processes if you can
(or use Process Explorer)
C:\WINDOWS\System32\rxhostt.exe
C:\WINDOWS\System32\rxhostt.exe

Run HijackThis again, push Scan and place a check mark next to the following items using your mouse.
Next, close all browser Windows, and push the 'Fix checked' button in HijackThis

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Microsoft Update Machine] rxhostt.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] rxhostt.exe
O4 - HKCU\..\Run: [Microsoft Update Machine] rxhostt.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: PowerReg Scheduler V3.exe

Empty the TIF (Temporary Internet Files)
To do so use Control Panel > Internet Options(or right click the IE icon on the desktop and choose Properties)
Click Delete Files on the General Tab - place a check in the Delete all offline content box and then press OK

Delete all the files in (and any subfolders of) the C:\Windows\Temp\ folder

Set your Explorer up using the info in this link so that hidden and System files are visible
Also Uncheck the "Hide extensions for known file types" box

Reboot to SAFE mode
How to start the computer in Safe mode

Delete the following files:
C:\WINDOWS\System32\rxhostt.exe

Reboot normally

Get a good online virus scan at HouseCall

 

Hi,
Thanks for the reply!

I have used hijackthis to fix the items you specified and I have also deleted rxhostt.exe in safe mode. While in safe mode i did an entire search after rxh* and found the following file: rxhostt.exe-233AD399.pf
locaded in C:\WINDOWS\Prefetch

I deleted that file as well. I have also installed the SP1 since my first post. I actually did that before I got to read your post, could that have caused any problems? One thing I notice after I have installed the SP1 plus other windows updates is that when I boot my computer it takes a very long time for msn messenger and Norton AV to log on. Do you have any ideas as to what this could depend on?

I have enclosed my file log as it looks right now below:

Logfile of HijackThis v1.98.0
Scan saved at 01:07:39, on 2004-07-07
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\id2scaps.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Documents and Settings\Andreas\Desktop\Blandat\HiJack This\hijack2\hijack 1.98\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .sgn: C:\Program Files\Internet Explorer\PLUGINS\npSign.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - http://ssd01.web.sh.se/iNotes.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - http://ssd01.web.sh.se/iNotes6.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...le.com/samantha/us/win/QuickTimeInstaller.exe
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://www.ipswitch.com/_installs/wsftp_le/setup.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/Z4/heartbeat.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://register3.valueactive.com/236/webolr/OCX/FlashAX.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9ECECD89-7965-4406-8D65-0C79A2BCFC3C}: NameServer = 81.26.228.3,81.26.228.2

Best regards
Andreas

 

Did you do an online virus scan ?
Did you check for available critical updates from M$ after installing SP1 ?
There may well be a back door left still.

I don't recognize this one (which is running)
C:\WINDOWS\system32\id2scaps.exe

Can you find the file and right click it for properties such as manufacturer etc?

 

Hi,
I have now done three different online virus scans:
http://housecall.antivirus.com/
http://www.pandasoftware.com/activescan/
http://www.ravantivirus.com/scan/

Pandasoftware found the following: Virus:W32/Sasser.ftp
it was located: C:\WINDOWS\system32\cmd.ftp

The status now is disinfected for the above, so I guess that should be fine now.

I still have a problem when I log in though. It takes several minutes before the system actually checks the floppydisc (it usually does that directly when the desktop is becoming visible) and along with the sound of the floppycheck, msn messenger and Norton AV loads up.

I have downloaded and installed all of the critical updates available at Windows update, but the problem persists.

Do you have any suggestions?

BTW: C:\WINDOWS\system32\id2scaps.exe is a program for my bank, so that should be fine.

Best regards
Andreas

 

If you had sasser - you really need to go to windows update and get all the critical updates.
I think they are actively checking for sasser damage.

The 30 day trial of TDS-3 http://tds.diamondcs.com.au/ is also worth a shot here.

 

Now something has happened. I ran spy sweeper and put everything it found in quarantine. Then I was about to reboot and the computer froze. When I shut down and tried to reboot, it found an error. So I pressed F1 into the setup and the only thing I could find was that the fan speed was 1450-1500 something and in marked as red.

Therefore I didnt do anything about that, but when I before I got in to the system a window popped up telling me that my date and time was wrong. So now my date is set to 31st December 1999 with the time at 23:21. And under Start, Programs, almost every program is marked as though they just been installed. I tried to run the automatic synchronize function for the time, but it didnt work.

Could Spy Sweeper have deleted something that caused this or what?

Best regards
Andreas

 

Not that I'm aware of - but have been noticing bios issues with some trojans lately
Can you reload the bios defaults and then set it up again - or is it unfamiliar territory?
At least try to set the correct date and time there.
There have been some rumours of 'baddies' trying to use the firmware areas to survive reformats - are you comfortable flashing? (the bios that is )

It could actually just be a bad fan?

 

I am not too familiar with flashing the BIOS, Im in safe mode now because I cannot boot the system normally anymore, it just freezes when I reach the "welcome" text.

I tried to get a restore point but since the date is set at 1999-12-31 that backfired.

Is it easy to flash the BIOS or should I just try to change the time and date in the BIOS?

 

I was able to change the time and date in BIOS, and once I had done that I could log in to the system. Do I need to flash the BIOS anyway? I mean, was the solution to change the date and time in BIOS just a quick solution?

I am puzzled as to what to do next. It seems like I have some kind of trojan, virus or whatever running on my system. I have found the sasser but that should be disinfected by Panda, and I have run several virus scans on-line as well as AdAware 6, Spybot, Spy Sweeper, Spywareblaster, Stinger, SasserFx....perhaps something more....

I have to log off now and get some sleep, but I will check in again tomorrow. So if you have any suggestions as to what I might do I would really appreciate it! It just seems like I am still infected with something, and that my system seems very unstable....dont know what to do!

Best regards
Andreas

 

While uninstalling a program, Kerio reported that GLB1A2B.EXE wanted to access the Internet.

Before I pushed any button I googled and found that this may be: W95.MTX

I downloaded the anti-virus program and ran it through safe mode, but when I rebooted the log did not state that any virus had been removed, so I did a search but couldnt find the file anymore. The location of the file was ...\User\Lokal settings\Temp

Some websites found through Google also indicated that this was something that was loaded at the same time that Windows loaded.

Any suggestions?

 

GLB1A2B.EXE is (I think) a fairly common name for a rather common installer (not viral)
I think the info you found on google is likely wrong.
Re kerio - with some firewalls it can be difficult to tell if they want the internet or just a local connection.
If in doubt - you can always allow connect with the phone line (cable) unplugged to see where it tries to go.

Is the mtx tool you used the one from symantec ?
http://service1.symantec.com/sarc/sarc.nsf/html/pf/w95.mtx.html