Ah crap. Sorry in advance for the kind of a long story but it's all important to what my problem is. Well it happened last night when a friend was over and he was searching the web while I was watching a movie. After he went home either I did a manual scan or a scheduled scan was performed in Microsoft antispyware and it caught two pieces of junk. One being 'Searchsquire' and the other 'BrilliantDigital'. MS antispyware told me it got rid of both of the threats but I was still skeptical because my security was pretty robust to begin with. So I ran all kinds of online tests such as bitdender, rav, mcafee, f-secure, trend-micro. THEN, I ran all of my security stuff on my own pc like ewido, spybot, spysweeper, adaware and TDS-3. All found absolutely nothing. But then today I did a manual scan with MS antispyware again just for the heck of it and Searchsquire showed up again. I then deleted it again. Now for the sxe7.tmp part; I was looking through the security tab in ProcessGuard 3.1 and I saw the sxe7.tmp. I quickly Google'd it and saw that a few people had it in their Hijack This logs where knowledgable persons told them the file was a problem. One of the guys that had the file on his pc said that it was infected with the hacktools.rootkit. That scared me so I set it's priveledges to deny always and rebooted. Now I just set it to remove. Symantecs site says that if you are infected with the hacktools rootkit that you should restore your system from clean backups (something I do not have. *&&%$&^$$!!!) or patch your system. I have 90 gb's of precious music on my system and I just got done moving them off my maxtor one touch to my pc after a clean install of windows. i didn't have a chance to make another back up as I just got done with the process a couple days ago. I'm really freaking out here guys because the hacktools.rootkit sounds really nasty. Any help and I would eternally be at your service. Thank you. Respectfully, Spray-on Dust EDIT: I almost forgot to mention that another thing that worried me was that I rebooted my pc a few hours ago and did a scan with Microsoft antispyware and left my pc unattended for maybe an hour or an hour and a half. When I turned on the monitor I saw that PG 3.1 was asking for permission give the go-ahead to my disk defragmenter (diskeeper 8 ). I thought nothing of it and granted it access. I did this because 1) I always put diskeeper on 'set it and forget it mode' to run every 2 hours and I thought that this was what it was asking for permission for. But after clean installing windows and re-installing all of my apps etc I never got around to 'setting it and forgetting it' on diskeeper. I didn't realize this until I read on symantecs site that hacktools.rootkit often disguises itself as another app to gain access to and hide on your pc. My heart sank when I read that and I hope I really am not infected. Also, this may just be me being paranoid but I could've swore that applications were asking for access when I had already defined their rules in learning mode when setting up PG. I'm sorry about the rambling. Please help. Thank you.
Hi Spray-On it is not clear from your remarks that you attempted to scan while in safe mode. If you haven't, please make sure TDS is up-to-date and then boot into safe mode and scan from there.
Hi Spray-on Dust, The first thing I would do is delete the entry for sxe7.tmp in the Security list and see if it executes again. Next I would look through the PG logs for the first instance of sxe7.tmp and then for how often, if at all, it has executed since the first time. The log should show you the command-line path associated with its execution. Post it if you can. For example: [EXECUTION] Started by "c:\windows\system32\winlogon.exe" [1164] About the Diskeeper executable (I assume it's running as a service), I believe that some sevices, if not all, need to be stopped and restarted before PG prompts you to add the executable to the Security list. This is after exiting Learning Mode. Nick
Hi Spray-on-Dust, If you want to check for rootkits your could try unhackme available from here: http://www.unhackme.com http://www.greatis.com/unhackme ProcessGuard should be installed on a clean machine though it can help to diagnose problems purely because of the logging and it's method of operation. Please report back your findings. Pilli
Hi all. Thank you for the replys. I dl'ed unhackme and ran it: came back clean. Although the scan took about 3 seconds. Is that normal? I booted into safe mode and ran tds-3 and caught nothing. I also ran Mcafee and ewido in safe mode and still nothing. Oh, I ran the Panda Active Scan as well for the first time: Came up clean. To Nick, I can't say I followed your second form of advice. There had to be about a thousands lines of executables in the PG log and I just don't have the patience or the time to go through them all. Either way, sxe7.tmp has not popped up in the PG security tab again. Knock on wood. Still, i'm a bit worried because reading that stuff on Symantec's site really did not sit right in my head. The thought of a hacker having complete control over me pc sucks. Anyway, I mean, do you guys know much about this sxe7.tmp? When I googled it, I saw it under a few different names like sxe872.tmp (I made that number up, but it was always a number after the sxe part.) Have you seen the file pop up in discussion before? Most of all, do you think there's a possibility a hacker could have complete control over me pc right now?
The PG log file should be in a Logs folder in your Process Guard program folder. Open the right file (there will be separate one for each month) using Notepad and use Ctrl-F to do a search for sxe7.tmp. This should get you to the execution entry. The key thing to check is whether it was blocked from installing a driver or service. If you see an entry like: Wed 05 - xx:xx:xx [DRIVER/SERVICE] c:\blah\sxe7.tmp [nnn] Tried to install a driver/service named XXXX listed after the [EXECUTION] entry then this indicates that sxe7.tmp tried to install a service but was blocked - this means that it could not have installed a rootkit on your system. If you see no [DRIVER/SERVICE] entry, then either it was allowed to install a service (your "friend" would have had to change Process Guard's configuration to permit this so check the Protection list for an entry for sxe7.tmp) or it did not try. If you have a Protection entry for sxe7.tmp and it has the Install Drivers/Services option checked, then a rootkit is a real possibility. In this case, you should consider a clean Windows reinstall - and perhaps visiting your friend with a baseball bat...
Hi Spray-On-Dust, Regarding searching through the log, didn't you just use the "search" function of your editor to find the entry... that way you don't need to do the looking Another program that you could use to check and see if there are hidden processes running is kproccheck Its not a pretty GUI program and you need to interpret the results a little so its not as friendly as unhackme You will find it on the SIG^2 website here Have a read of the documentation that comes with the program and run kprocheck with the different "show" flags and see if it reports anything as being hidden. It doesn't work fully on XP yet, if you have Win2k it will show a little bit more information... Anything that is not hidden has at least a fair chance of being picked up by the other scanners that you have already used, or it will do in the coming days/weeks If you think it is a rootkit then something should be hidden, its just a question of who is currently winning the tug of war in the malware vs anti-malware realm
Yes quite normal unhackme knows where to look To check whether there is anything unknown communicating with the Net, please download Port Explorer from here: http://www.diamondcs.com.au/portexplorer/ This utility will show the status of known and hidden sockets and what is leaving your PC etc. If you have any queries regarding this please post back. HTH Pilli
Hi, In the past there was an IRC backdoor using these sxe.tmp files. Perhas it's not as serious as you think it. A total check of your system is necessary in this case: * On online virus scan (Panda, Symantec ...), *A scan of your ports with and without connection, *A check up on Dos Mode, *Use HThis and post your log on the right forum, (....) Regards
With regard to SearchSquire, if you use Spybot S&D, have a look at these links:- https://www.wilderssecurity.com/showthread.php?t=57922 https://www.wilderssecurity.com/showthread.php?t=58490 The defrag thing happens when you leave the system idle for a bit. So I'm not sure what the problem is.
What a bummer! Once you get all clean, consider a partition backup app. I ghost my entire partition each week end to a second partition on my HD weekly ( I restore often ) and every couple months over my network to a server. It's easy to step back a week by ghosting back, and if need be, a couple months if it's a more long term problem. If you are going to let people use your PC and not watch, log off and let them use the guest account without admin rights! Better yet point them to an underpowered old useless laptop sitting around! I know, hind sight is 20/20. I hope you get it clean!
As regards Diskeeper. I am pretty sure the default setting is "Set It and Forget It" so even though you didn't configure it after re-installing then what happened is quite normal. (I recently downloaded an update to Diskeeper 9 and "Set It and Forget It" was automatically enabled even though I had this turned off prior to the update).
Thanks for the recommendations everyone. I'm downloading Port Explorer now. Can someone direct to a proper site to post a HJT log? Thanks. EDIT: to Paranoid2000, I'm only using the free version of PG 3.1 so that security setting is not a possibility for me. I guess I am more screwed now huh.... I'm going to call my friend and really bitch him out. I can't believe this. He must've tried to install Kazaa because it looks like that's the only place where you can get infected with the Brililant Digital. Why the hell would he try to dl Kazaa is beyond me. EDIT #2: I've installed Port Explorer and ran it, and it in the bottom left hand corner it is saying 17 sockets: 14 system, 0 hidden, 3 normal. I have no idea how to use this utility though. Or maybe all i'm supposed to do it open it and run it. I'll read the help info now. Stay with me, guys.
Good point - not having the global settings does greatly reduce PG's scope. In retrospect, I think that PG2 Free's approach (which had global settings but only allowed you to create a protection entry for one program) may have been the better option security-wise. I'd suggest going through the steps outlined in the Parasite Fight! webpage. Many have been mentioned above, but that page does provide a comprehensive set of links and instructions to follow. If you then need to post a HJT log check ASAP for a list of forums which accept them (but take care to follow any forum guidelines first).
Hidden sockets are the ones to watch, they can be innocent such as an iconised program but they could also be Trojanic. If you check your logs you should be able to see anything that looks out of place. Report back here if you are uncertain To view the log go to Settings - File logging - View file log. You can cut and paste anything suspicious into your next post Pilli
I found it in the logs. Looks like it was executed 3 times altogether. It looks as if maybe it is related to the google toolbar? Hmm. Mon 10 - 21:29:04 [EXECUTION] "c:\documents and settings\local settings\temporary internet files\content.ie5\9gofhxst\sxe7.tmp" was allowed to run [EXECUTION] Started by "c:\documents and settings\local settings\temporary internet files\content.ie5\9gofhxst\googletoolbarinstaller[1].exe" [2704] [EXECUTION] Commandline - [ "c:\documents and settings\local settings\temporary internet files\content.ie5\9gofhxst\sxe7.tmp" ] Mon 10 - 21:29:18 [EXECUTION] "c:\program files\internet explorer\iexplore.exe" was allowed to run [EXECUTION] Started by "c:\documents and settings\local settings\temporary internet files\content.ie5\9gofhxst\sxe7.tmp" [2276] Also, Pilli. I dl'ed and ran Port Explorer and (i've also posted this in the Port Explorer forum) I saw an instance when I hovered my cursor over the Port Explorer sys tray icon that said 15 system, 4 hidden, 0 normal. I guess that is bad to have hidden but I'm not sure of how to interpret the logs etc. Could you help me with that? Thanks.
I've just sent an e-mail to google asking them about the file to see if it is included in their google toolbar installer. I'll let you know when I get a response.
When your box is clean up completely free from malicious wares, it is better to have full version of PG installed to defend.
Hi Spray-on Dust, I tested the Google Toolbar install and get the following in my PG logs: [EXECUTION] "c:\documents and settings\*\desktop\googletoolbarinstaller.exe" was allowed to run [EXECUTION] Started by "c:\windows\explorer.exe" [820] [EXECUTION] Commandline - [ "c:\documents and settings\*\desktop\googletoolbarinstaller.exe" ] [EXECUTION] "c:\documents and settings\*\desktop\sxe3.tmp" was allowed to run [EXECUTION] Started by "c:\documents and settings\*\desktop\googletoolbarinstaller.exe" [312] [EXECUTION] Commandline - [ "c:\documents and settings\*\desktop\sxe3.tmp" ] I think it is safe to say that your sxe7.tmp was not the source of any infection. Nick
Ah thanks so much for doing that, Nick. I really appreciate it. Man I was so worried I couldn't even get any sleep the past two nights. I'm so glad my 90 gb's of music is safe and sound. For now.... Thanks to everyone else as well. Until next time, Spray-on Dust
Take a look at ProcessGuard, it protects your processes at the kernel level and has many other powerful security features which do not require downloading daily updates. You will find the full description here: http://www.diamondcs.com.au/processguard/ Pilli
