sxe7.tmp

Discussion in 'ProcessGuard' started by Spray-on Dust, Jan 10, 2005.

Thread Status:
Not open for further replies.
  1. Spray-on Dust

    Spray-on Dust Registered Member

    Joined:
    Dec 6, 2004
    Posts:
    51
    Ah crap. Sorry in advance for the kind of long story, but it's all important to what my problem is. Well, it happened last night when a friend was over and he was searching the web while I was watching a movie. After he went home, either I did a manual scan or a scheduled scan was performed in Microsoft AntiSpyware and it caught two pieces of junk, one being 'Searchsquire' and the other 'BrilliantDigital'. MS AntiSpyware told me it got rid of both of the threats, but I was still skeptical because my security was pretty robust to begin with. So I ran all kinds of online tests such as BitDefender, RAV, McAfee, F-Secure, Trend Micro. THEN I ran all of my security stuff on my own PC like Ewido, Spybot, Spy Sweeper, Ad-Aware and TDS-3. All found absolutely nothing. But then today I did a manual scan with MS AntiSpyware again just for the heck of it and Searchsquire showed up again. I then deleted it again.

    Now for the sxe7.tmp part: I was looking through the Security tab in ProcessGuard 3.1 and I saw sxe7.tmp. I quickly Googled it and saw that a few people had it in their HijackThis logs, where knowledgeable persons told them the file was a problem. One of the guys that had the file on his PC said that it was infected with Hacktool.Rootkit. That scared me, so I set its privileges to deny always and rebooted. Now I just set it to remove. Symantec's site says that if you are infected with Hacktool.Rootkit you should restore your system from clean backups (something I do not have. *&&%$&^$$!!!) or patch your system. I have 90 GB of precious music on my system and I just got done moving it off my Maxtor OneTouch to my PC after a clean install of Windows. I didn't have a chance to make another backup as I just got done with the process a couple of days ago. I'm really freaking out here, guys, because Hacktool.Rootkit sounds really nasty.

    Any help and I would eternally be at your service. Thank you.

    Respectfully,
    Spray-on Dust



    EDIT: I almost forgot to mention that another thing that worried me was that I rebooted my PC a few hours ago, did a scan with Microsoft AntiSpyware and left my PC unattended for maybe an hour or an hour and a half. When I turned on the monitor I saw that PG 3.1 was asking for permission to give the go-ahead to my disk defragmenter (Diskeeper 8). I thought nothing of it and granted it access. I did this because I always put Diskeeper on 'Set It and Forget It' mode to run every 2 hours and I thought that this was what it was asking for permission for. But after clean installing Windows and re-installing all of my apps etc. I never got around to 'setting it and forgetting it' on Diskeeper. I didn't realize this until I read on Symantec's site that Hacktool.Rootkit often disguises itself as another app to gain access to and hide on your PC. My heart sank when I read that and I hope I really am not infected. Also, this may just be me being paranoid, but I could have sworn that applications were asking for access when I had already defined their rules in Learning Mode when setting up PG. I'm sorry about the rambling.

    Please help. Thank you.
     
    Last edited: Jan 10, 2005
  2. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Hi Spray-On :)

    It is not clear from your remarks whether you attempted to scan while in Safe Mode. If you haven't, please make sure TDS is up to date and then boot into Safe Mode and scan from there.
     
  3. Spray-on Dust

    Spray-on Dust Registered Member

    Joined:
    Dec 6, 2004
    Posts:
    51
    No I have not done that yet. Totally forgot to. Thanks, Dan. :)
     
  4. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Hi Spray-on Dust,

    The first thing I would do is delete the entry for sxe7.tmp in the Security list and see if it executes again. Next I would look through the PG logs for the first instance of sxe7.tmp and then for how often, if at all, it has executed since the first time. The log should show you the command-line path associated with its execution. Post it if you can. For example:

    [EXECUTION] Started by "c:\windows\system32\winlogon.exe" [1164]

    About the Diskeeper executable (I assume it's running as a service), I believe that some services, if not all, need to be stopped and restarted before PG prompts you to add the executable to the Security list. This is after exiting Learning Mode.

    Nick
     
    Last edited: Jan 11, 2005
  5. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi Spray-on-Dust, if you want to check for rootkits you could try UnHackMe, available from here:
    http://www.unhackme.com
    http://www.greatis.com/unhackme

    ProcessGuard should be installed on a clean machine, though it can help to diagnose problems purely because of the logging and its method of operation.

    Please report back your findings. Pilli
     
  6. Spray-on Dust

    Spray-on Dust Registered Member

    Joined:
    Dec 6, 2004
    Posts:
    51
    Hi all. Thank you for the replies.

    I downloaded UnHackMe and ran it: came back clean. Although the scan took about 3 seconds. Is that normal?

    I booted into Safe Mode and ran TDS-3 and caught nothing. I also ran McAfee and Ewido in Safe Mode and still nothing. Oh, I ran the Panda ActiveScan as well for the first time: came up clean.

    To Nick, I can't say I followed your second form of advice. There had to be about a thousand lines of executables in the PG log and I just don't have the patience or the time to go through them all. Either way, sxe7.tmp has not popped up in the PG Security tab again. Knock on wood.

    Still, I'm a bit worried because reading that stuff on Symantec's site really did not sit right in my head. The thought of a hacker having complete control over my PC sucks.

    Anyway, I mean, do you guys know much about this sxe7.tmp? When I Googled it, I saw it under a few different names like sxe872.tmp (I made that number up, but it was always a number after the sxe part). Have you seen the file pop up in discussion before? Most of all, do you think there's a possibility a hacker could have complete control over my PC right now?
     
  7. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    The PG log file should be in a Logs folder in your Process Guard program folder. Open the right file (there will be a separate one for each month) using Notepad and use Ctrl-F to search for sxe7.tmp. This should get you to the execution entry.

    The key thing to check is whether it was blocked from installing a driver or service. If you see an entry like:

    Wed 05 - xx:xx:xx [DRIVER/SERVICE] c:\blah\sxe7.tmp [nnn] Tried to install a driver/service named XXXX

    listed after the [EXECUTION] entry then this indicates that sxe7.tmp tried to install a service but was blocked - this means that it could not have installed a rootkit on your system. If you see no [DRIVER/SERVICE] entry, then either it was allowed to install a service (your "friend" would have had to change Process Guard's configuration to permit this so check the Protection list for an entry for sxe7.tmp) or it did not try.

    If you have a Protection entry for sxe7.tmp and it has the Install Drivers/Services option checked, then a rootkit is a real possibility. In this case, you should consider a clean Windows reinstall - and perhaps visiting your friend with a baseball bat... ;)
     
  8. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    601
    Location:
    Australia
    Hi Spray-On-Dust,
    Regarding searching through the log, didn't you just use the "search" function of your editor to find the entry? That way you don't need to do the looking.

    Another program that you could use to check and see if there are hidden processes running is kproccheck.
    It's not a pretty GUI program and you need to interpret the results a little, so it's not as friendly as UnHackMe.
    You will find it on the SIG^2 website here.

    Have a read of the documentation that comes with the program and run kproccheck with the different "show" flags and see if it reports anything as being hidden. It doesn't work fully on XP yet; if you have Win2k it will show a little bit more information...
    Anything that is not hidden has at least a fair chance of being picked up by the other scanners that you have already used, or it will do in the coming days/weeks.

    If you think it is a rootkit then something should be hidden; it's just a question of who is currently winning the tug of war in the malware vs anti-malware realm.
     
  9. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Yes, quite normal; UnHackMe knows where to look :)

    To check whether there is anything unknown communicating with the Net, please download Port Explorer from here: http://www.diamondcs.com.au/portexplorer/
    This utility will show the status of known and hidden sockets and what is leaving your PC etc.
    If you have any queries regarding this please post back.

    HTH Pilli
     
  10. kareldjag

    kareldjag Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    622
    Location:
    PARIS AND ITS SUBURBS
    Hi,

    In the past there was an IRC backdoor using these sxe.tmp files.
    Perhaps it's not as serious as you think.

    A total check of your system is necessary in this case:

    * An online virus scan (Panda, Symantec ...),
    * A scan of your ports with and without connection,
    * A check-up in DOS mode,
    * Use HijackThis and post your log on the right forum,

    (....)

    Regards
     
  11. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
  12. rickontheweb

    rickontheweb Registered Member

    Joined:
    Nov 14, 2004
    Posts:
    129
    What a bummer! Once you get all clean, consider a partition backup app.

    I ghost my entire partition each weekend to a second partition on my HD (I restore often) and every couple of months over my network to a server. It's easy to step back a week by ghosting back, and if need be, a couple of months if it's a more long-term problem.

    If you are going to let people use your PC and not watch, log off and let them use the Guest account without admin rights! Better yet, point them to an underpowered old useless laptop sitting around!

    I know, hindsight is 20/20. I hope you get it clean!
     
  13. bch

    bch Registered Member

    Joined:
    Oct 3, 2004
    Posts:
    122
    Location:
    Rochdale, UK
    As regards Diskeeper. I am pretty sure the default setting is "Set It and Forget It" so even though you didn't configure it after re-installing then what happened is quite normal. (I recently downloaded an update to Diskeeper 9 and "Set It and Forget It" was automatically enabled even though I had this turned off prior to the update).
     
  14. Spray-on Dust

    Spray-on Dust Registered Member

    Joined:
    Dec 6, 2004
    Posts:
    51
    Thanks for the recommendations everyone.

    I'm downloading Port Explorer now.

    Can someone direct to a proper site to post a HJT log?

    Thanks.



    EDIT: to Paranoid2000, I'm only using the free version of PG 3.1, so that security setting is not a possibility for me. I guess I am more screwed now, huh.... :'(

    I'm going to call my friend and really bitch him out. I can't believe this. He must've tried to install Kazaa, because it looks like that's the only place where you can get infected with Brilliant Digital. Why the hell he would try to download Kazaa is beyond me.

    EDIT #2: I've installed Port Explorer and ran it, and in the bottom left-hand corner it is saying 17 sockets: 14 system, 0 hidden, 3 normal. I have no idea how to use this utility though. Or maybe all I'm supposed to do is open it and run it. I'll read the help info now. Stay with me, guys. :(
     
    Last edited: Jan 11, 2005
  15. Spray-on Dust

    Spray-on Dust Registered Member

    Joined:
    Dec 6, 2004
    Posts:
    51
    Any suggestions, knowledge, ramblings? Anything. Anything at all. :'(
     
  16. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Good point - not having the global settings does greatly reduce PG's scope. In retrospect, I think that PG2 Free's approach (which had global settings but only allowed you to create a protection entry for one program) may have been the better option security-wise.

    I'd suggest going through the steps outlined in the Parasite Fight! webpage. Many have been mentioned above, but that page does provide a comprehensive set of links and instructions to follow. If you then need to post a HJT log check ASAP for a list of forums which accept them (but take care to follow any forum guidelines first).
     
  17. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hidden sockets are the ones to watch. They can be innocent, such as an iconised program, but they could also be Trojanic. If you check your logs you should be able to see anything that looks out of place.
    Report back here if you are uncertain :)
    To view the log go to Settings - File logging - View file log. You can cut and paste anything suspicious into your next post.

    Pilli
     
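The "hidden process" check gottadoit describes with kproccheck (post 8) and the "hidden socket" check Pilli describes with Port Explorer (posts 9 and 17) are the same technique: cross-view detection, comparing what the normal Windows API reports against a lower-level enumeration and flagging whatever only the low-level view knows about. The Python below is an added illustration of that technique, not code from either tool or from the thread. All input is constructed: the `tasklist /fo csv` and `netstat -ano` text mimics the real output format of those Windows commands, and `KERNEL_PIDS` stands in for the kind of kernel-level process list kproccheck walks. The hidden/visible split here is the cross-view one; it does not reproduce Port Explorer's own "system/hidden/normal" categories.

```python
import csv
import io
from dataclasses import dataclass

# Constructed sample data (not captured from the poster's machine).
# TASKLIST_CSV mimics `tasklist /fo csv`: the user-visible, API-level process view.
TASKLIST_CSV = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Console","0","236 K"
"explorer.exe","820","Console","0","18,400 K"
"svchost.exe","912","Console","0","4,120 K"
"iexplore.exe","2276","Console","0","22,016 K"
"""

# KERNEL_PIDS stands in for a lower-level enumeration (the kind kproccheck does
# by walking kernel structures). PID 3304 is present here but absent above.
KERNEL_PIDS = [4, 820, 912, 2276, 3304]

# NETSTAT mimics `netstat -ano`: proto, local, remote, [state], owning PID.
# UDP rows have no State column, so the PID is always the last field.
NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    192.168.1.5:1043       198.51.100.7:80        ESTABLISHED     2276
  TCP    192.168.1.5:1077       203.0.113.10:6667      ESTABLISHED     3304
  UDP    0.0.0.0:445            *:*                                    4
"""


@dataclass(frozen=True)
class Socket:
    proto: str
    local: str
    remote: str
    state: str
    pid: int


def parse_tasklist(text: str) -> dict:
    """Map PID -> image name from tasklist CSV output."""
    return {int(r["PID"]): r["Image Name"] for r in csv.DictReader(io.StringIO(text))}


def parse_netstat(text: str) -> list:
    """Parse netstat -ano rows; skip the header and anything that is not TCP/UDP."""
    socks = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, remote = parts[:3]
        state = parts[3] if len(parts) == 5 else ""
        socks.append(Socket(proto, local, remote, state, int(parts[-1])))
    return socks


def hidden_processes(visible: dict, low_level_pids) -> list:
    """Cross-view diff: PIDs the low-level view has that the API view lacks."""
    return sorted(set(low_level_pids) - set(visible))


def hidden_sockets(sockets: list, visible: dict) -> list:
    """Sockets whose owning PID does not appear in the visible process list."""
    return [s for s in sockets if s.pid not in visible]


def report(tasklist_text: str, low_level_pids, netstat_text: str) -> dict:
    visible = parse_tasklist(tasklist_text)
    socks = parse_netstat(netstat_text)
    hs = hidden_sockets(socks, visible)
    return {
        "visible": len(visible),
        "hidden_pids": hidden_processes(visible, low_level_pids),
        "hidden_sockets": [(s.proto, s.local, s.remote, s.state, s.pid) for s in hs],
        # Outbound connections from a process the API cannot see are the
        # "something is hidden" signal both posts are talking about.
        "outbound_from_hidden": [s.remote for s in hs if s.state == "ESTABLISHED"],
    }


if __name__ == "__main__":
    for key, value in report(TASKLIST_CSV, KERNEL_PIDS, NETSTAT).items():
        print(f"{key}: {value}")
```

Two caveats a practitioner would keep in mind: a socket owned by a PID missing from the API view is a lead, not proof (a process that exited between the two snapshots produces the same gap), and a rootkit that hooks the same API both tools use will hide from both, which is why the low-level view has to come from somewhere the hook does not reach.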
  18. Spray-on Dust

    Spray-on Dust Registered Member

    Joined:
    Dec 6, 2004
    Posts:
    51
    I found it in the logs. Looks like it was executed 3 times altogether. It looks as if maybe it is related to the google toolbar? Hmm.

    Mon 10 - 21:29:04 [EXECUTION] "c:\documents and settings\local settings\temporary internet files\content.ie5\9gofhxst\sxe7.tmp" was allowed to run
    [EXECUTION] Started by "c:\documents and settings\local settings\temporary internet files\content.ie5\9gofhxst\googletoolbarinstaller[1].exe" [2704]
    [EXECUTION] Commandline - [ "c:\documents and settings\local settings\temporary internet files\content.ie5\9gofhxst\sxe7.tmp" ]

    Mon 10 - 21:29:18 [EXECUTION] "c:\program files\internet explorer\iexplore.exe" was allowed to run
    [EXECUTION] Started by "c:\documents and settings\local settings\temporary internet files\content.ie5\9gofhxst\sxe7.tmp" [2276]


    Also, Pilli. I dl'ed and ran Port Explorer and (i've also posted this in the Port Explorer forum) I saw an instance when I hovered my cursor over the Port Explorer sys tray icon that said 15 system, 4 hidden, 0 normal. I guess that is bad to have hidden but I'm not sure of how to interpret the logs etc. Could you help me with that? Thanks.
     
    Last edited: Jan 12, 2005
  19. Spray-on Dust

    Spray-on Dust Registered Member

    Joined:
    Dec 6, 2004
    Posts:
    51
    I've just sent an e-mail to google asking them about the file to see if it is included in their google toolbar installer. I'll let you know when I get a response.
     
  20. newbornii

    newbornii Guest

    When your box is cleaned up and completely free from malicious wares, it is better to have the full version of PG installed to defend it.
     
  21. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Hi Spray-on Dust,

    I tested the Google Toolbar install and get the following in my PG logs:

    [EXECUTION] "c:\documents and settings\*\desktop\googletoolbarinstaller.exe" was allowed to run
    [EXECUTION] Started by "c:\windows\explorer.exe" [820]
    [EXECUTION] Commandline - [ "c:\documents and settings\*\desktop\googletoolbarinstaller.exe" ]

    [EXECUTION] "c:\documents and settings\*\desktop\sxe3.tmp" was allowed to run
    [EXECUTION] Started by "c:\documents and settings\*\desktop\googletoolbarinstaller.exe" [312]
    [EXECUTION] Commandline - [ "c:\documents and settings\*\desktop\sxe3.tmp" ]

    I think it is safe to say that your sxe7.tmp was not the source of any infection.

    Nick
     
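Paranoid2000's check (post 7) and the log extracts Spray-on Dust and nick s posted (posts 18 and 21) together describe a small procedure: find every [EXECUTION] entry for the file, read the "Started by" line to learn its parent, find anything it launched in turn, and look for a [DRIVER/SERVICE] line naming the file. The Python below is an added example that automates that reading; it is not code from ProcessGuard or from anyone in the thread. The sxe7.tmp and iexplore.exe entries in the sample log are the ones posted above; the dropper.tmp entries and the [DRIVER/SERVICE] line are constructed, following the template Paranoid2000 quoted, purely to exercise the blocked-install branch, and the real wording of ProcessGuard's [DRIVER/SERVICE] entries is an assumption.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Sample log. The sxe7.tmp / iexplore.exe entries are the ones posted in the
# thread; the dropper.tmp entries and the [DRIVER/SERVICE] line are constructed
# to show the blocked-install case, following the template Paranoid2000 quoted.
# The real ProcessGuard [DRIVER/SERVICE] wording may differ from that template.
SAMPLE_LOG = r"""
Mon 10 - 21:29:04 [EXECUTION] "c:\documents and settings\local settings\temporary internet files\content.ie5\9gofhxst\sxe7.tmp" was allowed to run
[EXECUTION] Started by "c:\documents and settings\local settings\temporary internet files\content.ie5\9gofhxst\googletoolbarinstaller[1].exe" [2704]
[EXECUTION] Commandline - [ "c:\documents and settings\local settings\temporary internet files\content.ie5\9gofhxst\sxe7.tmp" ]

Mon 10 - 21:29:18 [EXECUTION] "c:\program files\internet explorer\iexplore.exe" was allowed to run
[EXECUTION] Started by "c:\documents and settings\local settings\temporary internet files\content.ie5\9gofhxst\sxe7.tmp" [2276]

Mon 10 - 22:05:41 [EXECUTION] "c:\docs\dropper.tmp" was allowed to run
[EXECUTION] Started by "c:\program files\internet explorer\iexplore.exe" [3008]
[EXECUTION] Commandline - [ "c:\docs\dropper.tmp" /silent ]
Mon 10 - 22:05:42 [DRIVER/SERVICE] c:\docs\dropper.tmp [3120] Tried to install a driver/service named hookdrv
"""

# Optional "Mon 10 - 21:29:04 " prefix; only the first line of an entry carries it.
TS = r"(?:(?P<ts>\w{3} \d{1,2} - [\dx:]{8}) )?"
RUN_RE = re.compile(TS + r'\[EXECUTION\] "(?P<path>[^"]+)" was (?P<verdict>.+)$')
PARENT_RE = re.compile(r'\[EXECUTION\] Started by "(?P<parent>[^"]+)" \[(?P<ppid>\d+)\]')
CMD_RE = re.compile(r'\[EXECUTION\] Commandline - \[ (?P<cmd>.*) \]$')
SVC_RE = re.compile(TS + r'\[DRIVER/SERVICE\] (?P<path>.+?) \[(?P<pid>\d+)\] '
                    r'Tried to install a driver/service named (?P<name>\S+)')


@dataclass
class Execution:
    time: Optional[str]
    path: str
    verdict: str
    parent: Optional[str] = None
    parent_pid: Optional[int] = None
    cmdline: Optional[str] = None


@dataclass
class ServiceAttempt:
    time: Optional[str]
    path: str
    pid: int
    name: str


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def parse_pg_log(text: str):
    """Group each [EXECUTION] header with its 'Started by' / 'Commandline'
    continuation lines; collect [DRIVER/SERVICE] lines separately."""
    execs, svcs, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := RUN_RE.match(line):
            current = Execution(m["ts"], m["path"], m["verdict"])
            execs.append(current)
        elif (m := PARENT_RE.match(line)) and current:
            current.parent, current.parent_pid = m["parent"], int(m["ppid"])
        elif (m := CMD_RE.match(line)) and current:
            current.cmdline = m["cmd"]
        elif m := SVC_RE.match(line):
            svcs.append(ServiceAttempt(m["ts"], m["path"], int(m["pid"]), m["name"]))
    return execs, svcs


def assess(text: str, filename: str) -> dict:
    """The check from the thread: what ran the file, what it ran, and whether PG
    logged a driver/service install attempt. Per Paranoid2000, a logged attempt
    means PG refused it; no entry is inconclusive (allowed, or never tried)."""
    execs, svcs = parse_pg_log(text)
    target = filename.lower()
    runs = [e for e in execs if basename(e.path) == target]
    children = [e for e in execs if e.parent and basename(e.parent) == target]
    attempts = [s for s in svcs if basename(s.path) == target]
    if attempts:
        verdict = "driver/service install attempted and logged (blocked by PG)"
    elif runs:
        verdict = "ran, no driver/service attempt logged (allowed or never tried)"
    else:
        verdict = "not seen in this log"
    return {
        "runs": len(runs),
        "parents": sorted({basename(e.parent) for e in runs if e.parent}),
        "children": sorted({basename(e.path) for e in children}),
        "service_attempts": [s.name for s in attempts],
        "verdict": verdict,
    }


if __name__ == "__main__":
    for name in ("sxe7.tmp", "dropper.tmp"):
        print(name, assess(SAMPLE_LOG, name))
```

Run against the thread's own entries, this reports sxe7.tmp as started once by googletoolbarinstaller[1].exe, launching only iexplore.exe, with no driver/service attempt, which is the pattern nick s reproduced with a clean Google Toolbar install. Matching is by filename rather than by full path because the temp name differs between runs (sxe7.tmp in one log, sxe3.tmp in another).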
  22. Spray-on Dust

    Spray-on Dust Registered Member

    Joined:
    Dec 6, 2004
    Posts:
    51
    Ah, thanks so much for doing that, Nick. I really appreciate it. Man, I was so worried I couldn't even get any sleep the past two nights. I'm so glad my 90 GB of music is safe and sound. For now.... :ninja: :ninja: :ninja:

    Thanks to everyone else as well.


    Until next time,
    Spray-on Dust :)
     
  23. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Take a look at ProcessGuard, it protects your processes at the kernel level and has many other powerful security features which do not require downloading daily updates.
    You will find the full description here: http://www.diamondcs.com.au/processguard/

    Pilli :)
     