Allan
Guest IP: 67.74.*.*
Posted: Tue Nov 25, 2003 3:01 am Post subject: wordwsx
Found this on my machine after recently downloading some stuff through LimeWire. ZoneAlarm keeps detecting that it wants internet access, and there is an associated txt file with it. Trying to delete it in Windows Explorer gives me the message that I don't have access to it, and going into the file folder with Norton CleanSweep to take it off says the same thing. The following paste is from HijackThis as of five minutes ago:
Logfile of HijackThis v1.97.7
Scan saved at 9:09:39 PM, on 11/24/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\soundman.exe
C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
C:\Program Files\PTBSync\PTBSync.exe
C:\WINDOWS\System32\LXSUPMON.EXE
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\System32\javaw.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zapro.exe
C:\WINDOWS\wordwsx.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIX10.exe
C:\Program Files\SETI@home\SETI@home.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\RamBooster\Rambooster.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\Program Files\EarthLink TotalAccess\FastLane\IPClient.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Allan\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.earthlink.net/partner/more/msie/button/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.usaa.net/?cookieset=L29wdC94bWwvZWFydGhsaW5rLm5ldC94bWwzLzAwMTQ4L3hpZmZlcjIwMDIvcHNwLnhtbA==
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie/button/search.html
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Pop-Up Blocker - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O4 - HKLM\..\Run: [ATIPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [PTBSync] C:\Program Files\PTBSync\PTBSync.exe /Start
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [Eraser1066] "C:\Program Files\Eraser\Eraserl.exe" -disk C:\
O4 - HKLM\..\Run: [QD FastAndSafe] C:\Program Files\Norton SystemWorks\Norton CleanSweep\QDCSFS.exe /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [StartupCleaner] C:\Program Files\CM Data Software\CM DiskCleaner\StartupCleaner.exe
O4 - HKLM\..\Run: [Schedule] C:\Program Files\CM Data Software\CM DiskCleaner\Schedule.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [LimeShop] javaw -cp "C:\Program Files\LimeShop\System\Code" Main lp: "C:\Program Files\LimeShop"
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zapro.exe
O4 - HKLM\..\Run: [wordwsx] C:\WINDOWS\wordwsx.exe
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIX10.exe
O4 - HKCU\..\Run: [seticlient] C:\Program Files\SETI@home\SETI@home.exe -min
O4 - HKCU\..\Run: [RamBooster] C:\Program Files\RamBooster\Rambooster.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: LimeWire 3.6.15.lnk = C:\Program Files\LimeWire\3.6.15\LimeWire.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: ATI TV (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{FC6976FB-3590-4237-B271-B6ADD76AEE65}: NameServer = 207.217.126.81 207.217.77.82
Anyone got any ideas before I fix it with HijackThis?
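Added example (not from the original post or from HijackThis itself): a small Python triage pass over the O4 autostart lines of a log in the format shown above. It ranks each entry by where its executable lives, which is exactly the cue that singles out C:\WINDOWS\wordwsx.exe here: a loose executable dropped into the Windows root rather than System32 or Program Files. The sample lines are constructed to match the shape of the log above; the severity labels and the location heuristic are this example's own, not anything HijackThis computes.

```python
import re

# Constructed sample: O4 lines in the shape HijackThis 1.97 emits,
# modelled on the log above (not the full log). Raw string, so the
# backslashes are literal.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Eraser1066] "C:\Program Files\Eraser\Eraserl.exe" -disk C:\
O4 - HKLM\..\Run: [LimeShop] javaw -cp "C:\Program Files\LimeShop\System\Code" Main lp: "C:\Program Files\LimeShop"
O4 - HKLM\..\Run: [wordwsx] C:\WINDOWS\wordwsx.exe
O4 - HKCU\..\Run: [seticlient] C:\Program Files\SETI@home\SETI@home.exe -min
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: LimeWire 3.6.15.lnk = C:\Program Files\LimeWire\3.6.15\LimeWire.exe
"""

# "O4 - HKLM\..\Run: [name] command line"
RUN_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# "O4 - Startup: file" or "O4 - Global Startup: shortcut.lnk = target"
STARTUP_RE = re.compile(r'^O4 - (?P<kind>Global Startup|Startup): (?P<entry>.*)$')
EXE_EXT = ('.exe', '.com', '.bat', '.cmd', '.scr', '.pif')


def first_token(cmd):
    """Return the program part of a Run-key command line.

    Quoted paths are honoured. Unquoted paths may still contain spaces
    (Windows tolerates that), so words are joined until one ends in an
    executable extension; otherwise the first word is taken.
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    words = cmd.split()
    for i in range(len(words)):
        cand = ' '.join(words[:i + 1])
        if cand.lower().endswith(EXE_EXT):
            return cand
    return words[0] if words else ''


def classify_location(path):
    """Heuristic severity from the on-disk location alone (assumption: C: is the system drive)."""
    p = path.lower()
    if '\\' not in p:
        return 'info', 'bare name, resolved via PATH (confirm which file actually runs)'
    parent = p.rsplit('\\', 1)[0]
    if parent in ('c:\\windows', 'c:\\winnt'):
        return 'high', 'loose executable in the Windows directory root'
    if '\\temp\\' in p or '\\documents and settings\\' in p:
        return 'high', 'runs from a user-writable profile or temp path'
    if parent.endswith('\\system32') or '\\program files\\' in p or '\\progra~1\\' in p:
        return 'low', 'conventional install location'
    return 'medium', 'unusual location'


def parse_o4(line):
    """Parse one O4 line into a dict, or return None for anything else."""
    m = RUN_RE.match(line)
    if m:
        exe = first_token(m.group('cmd'))
        sev, why = classify_location(exe)
        return {'source': m.group('hive') + '\\' + m.group('key'), 'name': m.group('name'),
                'exe': exe, 'severity': sev, 'reason': why}
    m = STARTUP_RE.match(line)
    if m:
        entry = m.group('entry')
        if ' = ' in entry:                      # shortcut with a resolved target
            name, target = entry.split(' = ', 1)
            sev, why = classify_location(target)
        else:                                   # file sitting directly in the Startup folder
            name, target = entry, entry
            sev, why = 'medium', 'file placed directly in the Startup folder'
        return {'source': m.group('kind'), 'name': name, 'exe': target, 'severity': sev, 'reason': why}
    return None


def triage(log_text):
    """All O4 entries of a log, most suspicious first."""
    hits = [h for h in (parse_o4(l) for l in log_text.splitlines()) if h]
    order = {'high': 0, 'medium': 1, 'low': 2, 'info': 3}
    return sorted(hits, key=lambda h: order[h['severity']])


if __name__ == '__main__':
    for h in triage(SAMPLE_LOG):
        print(f"[{h['severity']:<6}] {h['source']:<15} {h['name']:<22} {h['exe']}  ({h['reason']})")
```

Location is a prior, not a verdict: some legitimate software (SoundMan is one) does live in the Windows root, and a folder under Program Files the owner does not recognise (the Eraser entry the thread asks about) is a real question even though it scores low here. That is why the replies below ask for the file itself rather than judging from the path.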
Bulldog
General
 Premium Member
 Joined: Nov 16, 2003 Posts: 4375 Location: Canada
Posted: Tue Nov 25, 2003 4:14 am
Hi Allan, welcome.
Could you do us a favor and locate the file please:
C:\WINDOWS\wordwsx.exe
Right click > send to > compressed (zipped) folder.
Then PM myself or Tony Klein and we will send you an e-mail addy to mail the zipped file to.
We would appreciate it.
Thanks.
Also.. Do you know what this is ?
O4 - HKLM\..\Run: [Eraser1066] "C:\Program Files\Eraser\Eraserl.exe" -disk C:\
And are you able to tell us anything about it?
If it is unknown to you, please locate the folder:
C:\Program Files\Eraser
Then zip it up, same mo as other file above.
NOTE: To avoid the risk of any of the above not being found due to them having the 'Hidden' attribute, first make sure that in Folder Options > View hidden and operating system files are set to show:
How to Show Hidden/System Files
http://www.xtra.co.nz/help/0,,4155-1916458,00.html
TonyKlein
Site Moderator Microsoft MVP
 Joined: Oct 15, 2002 Posts: 13120 Location: Netherlands
Posted: Tue Nov 25, 2003 12:59 pm
You can send the file to submit-stuffATxs4all.nl for analysis. (replace "AT" in that e-mail addy by the familiar @)
Much appreciated 
Allan
Guest IP: 67.74.*.*
Posted: Wed Nov 26, 2003 3:49 am Post subject: update
Hey,
Thanks for the info. I've sent the email as requested to the "submit" address. I am unable to find "eraser" using windows explorer. No idea what it is. Also my start page was changed this time to some page "terra.es" or something similar. It was in spanish.
Thanks again, Allan
plato_451
Cadet
 Joined: Nov 25, 2003 Posts: 4 Location: USA
Posted: Wed Nov 26, 2003 4:47 am Post subject: I've registered with the site
Just a quick note to let you guys(moderators and advisors) know that I've registered with the site to improve my experience here.
Allan
TonyKlein
Site Moderator Microsoft MVP
 Joined: Oct 15, 2002 Posts: 13120 Location: Netherlands
Posted: Wed Nov 26, 2003 8:32 am
Thanks for the file!
It appears to be a hijacker or redirector of some sort, but I can't make much sense out of it. It contains the URL http://www.geocities.com/tsitex/newstart.html, which takes you to a web page with just a counter on it, somewhere in Thailand:
inetnum: 203.146.0.0 - 203.146.255.255
netname: LOXINFO-TH
descr: Loxley Information Company Ltd.
descr: 304 Suapah Rd, Promprab, Promprab Suttruphai, Bangkok
country: TH
admin-c: LIA1-AP
tech-c: LIA1-AP
remarks: This is an Aggregated objects from the small /22s.
mnt-by: APNIC-HM
mnt-lower: LOXINFO-IS
changed: hostmaster@apnic.net 20001123
status: ALLOCATED PORTABLE
changed: hm-changed@apnic.net 20030313
source: APNIC
role: Loxinfo IP Admins
address: 304 Suapah Rd, Pomprab
address: Pomprab Suttruphai,Bangkok
country: TH
phone: +662 6225678
fax-no: +662 6228380
e-mail: domaster@loxinfo.co.th
admin-c: DL85-AP
tech-c: DL85-AP
nic-hdl: LIA1-AP
mnt-by: LOXINFO-IS
changed: sureerat@loxinfo.co.th 20020312
source: APNIC
I did submit the file to a few developers, so we may soon know more.
Thanks again! 
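Added example (not part of the thread, and not how the moderator analysed the file): the observation above, that the binary "contains the url", comes from pulling printable strings out of the sample, the same thing the Unix `strings` tool does. The Python below does that for both plain ASCII and UTF-16LE (the encoding Windows programs use for most of their strings, which a plain ASCII scan misses), filters the result for URLs, and prints the hashes you would quote when submitting the file. The byte blob is constructed for the example; the geocities URL is the one named in the post, and http://example.invalid/redirect is a placeholder, not a real indicator.

```python
import hashlib
import re

# Constructed stand-in for a sample: some junk, a registry path, an ASCII URL,
# then a UTF-16LE string and a UTF-16LE URL. The example.invalid URL is a placeholder.
SAMPLE = (
    b'MZ\x90\x00\x03\x00\x00\x00' + bytes(range(0, 32))
    + b'Software\\Microsoft\\Internet Explorer\\Main\x00'
    + b'\x01\x02\x03'
    + b'http://www.geocities.com/tsitex/newstart.html\x00'
    + b'\xff\xfe'
    + 'Start Page'.encode('utf-16-le') + b'\x00\x00'
    + 'http://example.invalid/redirect'.encode('utf-16-le') + b'\x00\x00'
    + b'\x7f\x80\x81'
)

URL_RE = re.compile(r'https?://[A-Za-z0-9.\-]+(?:/[^\s"\'<>]*)?')


def extract_strings(data, min_len=6):
    """Return (offset, encoding, text) for every printable run of at least min_len chars.

    ASCII runs are bytes 0x20-0x7e; UTF-16LE runs are the same bytes each
    followed by a NUL, which is how Windows stores wide strings.
    """
    ascii_re = re.compile(rb'[\x20-\x7e]{%d,}' % min_len)
    utf16_re = re.compile(rb'(?:[\x20-\x7e]\x00){%d,}' % min_len)
    found = []
    for m in ascii_re.finditer(data):
        found.append((m.start(), 'ascii', m.group().decode('ascii')))
    for m in utf16_re.finditer(data):
        found.append((m.start(), 'utf-16le', m.group().decode('utf-16-le')))
    return sorted(found)


def find_urls(strings):
    """Unique URLs found inside the extracted strings, in order of first appearance."""
    seen = []
    for _, _, text in strings:
        for url in URL_RE.findall(text):
            if url not in seen:
                seen.append(url)
    return seen


def fingerprint(data):
    """Hashes and size to quote alongside a submitted sample."""
    return {
        'size': len(data),
        'md5': hashlib.md5(data).hexdigest(),
        'sha256': hashlib.sha256(data).hexdigest(),
    }


if __name__ == '__main__':
    strings = extract_strings(SAMPLE)
    for off, enc, text in strings:
        print(f'0x{off:06x} {enc:<8} {text}')
    print('URLs:', find_urls(strings))
    print('fingerprint:', fingerprint(SAMPLE))
```

Two caveats a practitioner would add: a URL in the strings is a lead, not proof of what the program does with it (the page it points to may be a beacon, a redirect target or a decoy), and packed or encrypted samples show almost nothing this way, which is when submitting the file to people with a sandbox, as the thread does, is the right move.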
Allan
Guest IP: 65.58.*.*
Posted: Mon Dec 01, 2003 2:20 am Post subject: wordwsx is gone !!!!
Well, somehow Norton Wipe Info worked this last time I tried using it, so my problem seems to be solved. A word of advice to those using LimeWire: beware of what you download.
Thanks again for all of your help,
Allan