Jump to content


Photo

xis7guxlv0.exe


  • Please log in to reply
5 replies to this topic

#1 varlag

varlag

    Member

  • New Member
  • Pip
  • 3 posts

Posted 12 June 2004 - 04:22 AM

You may or may not be able to help me out with this:

Each time I start up by PC (Windows XP) a program named xis7guxlv0.exe starts up and hogs 97%-99% of the CPU and 3.092K of the RAM. It is pretty annoying having to end this process each time I fire up the PC and pretty disconcerting that it has been somehow installed in there in the first place. I am unaware of what it does and whether I have been "polluted" by other garbage processes too.

Any ideas? Thx in advance!

#2 smckillop

smckillop

    Rockin' Apple of SWI

  • Retired Staff - Helper
  • PipPipPip
  • 143 posts

Posted 12 June 2004 - 11:54 AM

Hello varlag and welcome to the SpywareInfo forums. To better address your issues please complete the following:

Posted Image Download 'Hijack This!'. http://www.spywarein.../HijackThis.exe
Save it in a convenient permanent folder such as C:\HJT\, double click HijackThis.exe, and hit "Scan".

When the scan is finished, the "Scan" button will change into a "Save Log" button.
Press that, save the log, Ctrl-A to Select All, and copy its contents here. Most of what it lists will be harmless or even essential, don't fix anything yet.
smckillop
He who has tasted a sour apple, will have the more relish for a sweet one.

If the information I have provided has been helpful, please consider Supporting SpywareInfo

#3 varlag

varlag

    Member

  • New Member
  • Pip
  • 3 posts

Posted 13 June 2004 - 07:48 AM

Logfile of HijackThis v1.97.7
Scan saved at 15:45:58, on 13/6/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\mozilla.org\Mozilla\mozilla.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.windowws.cc/sp.htm?id=632
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.windowws.cc/sp.htm?id=632
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [Gadwin PrintScreen 2.6] C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe /nosplash
O4 - HKCU\..\Run: [uuea2grol5] C:\WINDOWS\xis7guxlv0.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Dictionary - http://www.ezreferen..._/ie-com-sp.htm
O8 - Extra context menu item: &Encyclopedia - http://www.ezreferen...ie-com-e-sp.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Research (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.micros...ontent/opuc.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8066.0932407407
O17 - HKLM\System\CCS\Services\Tcpip\..\{4B377B0A-2565-480C-BBD9-220BA45D67AC}: NameServer = 193.92.150.3 194.219.227.2
O17 - HKLM\System\CS1\Services\Tcpip\..\{4B377B0A-2565-480C-BBD9-220BA45D67AC}: NameServer = 193.92.150.3 194.219.227.2

#4 smckillop

smckillop

    Rockin' Apple of SWI

  • Retired Staff - Helper
  • PipPipPip
  • 143 posts

Posted 13 June 2004 - 08:29 AM

Hello varlag!

I will be working with you to clean up your log.

Posted Image You have a CoolWebSearch infection.
Download and run http://www.spywarein.../CWShredder.exe from its own folder.
Click Fix and then Next, let it fix everything it asks about.

Posted Image Reboot your PC and reply to this topic with an updated HijackThis log
smckillop
He who has tasted a sour apple, will have the more relish for a sweet one.

If the information I have provided has been helpful, please consider Supporting SpywareInfo

#5 varlag

varlag

    Member

  • New Member
  • Pip
  • 3 posts

Posted 13 June 2004 - 09:43 AM

The miscreant process seems to be gone. Thx!
Here is the log.
Two questions:
(1) Why are these people doing this? E.g. what did they gain in my case?
(2) How did I get infected in the first place? CWShredder.exe talks about
an MS JVM vulnerability, but I had the SP1 for XP installed already...

===============================================

Logfile of HijackThis v1.97.7
Scan saved at 17:40:40, on 13/6/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\mozilla.org\Mozilla\mozilla.exe
C:\HJT\HijackThis.exe

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [Gadwin PrintScreen 2.6] C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe /nosplash
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Dictionary - http://www.ezreferen..._/ie-com-sp.htm
O8 - Extra context menu item: &Encyclopedia - http://www.ezreferen...ie-com-e-sp.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Research (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.micros...ontent/opuc.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8066.0932407407
O17 - HKLM\System\CCS\Services\Tcpip\..\{4B377B0A-2565-480C-BBD9-220BA45D67AC}: NameServer = 193.92.150.3 194.219.227.2
O17 - HKLM\System\CS1\Services\Tcpip\..\{4B377B0A-2565-480C-BBD9-220BA45D67AC}: NameServer = 193.92.150.3 194.219.227.2

#6 smckillop

smckillop

    Rockin' Apple of SWI

  • Retired Staff - Helper
  • PipPipPip
  • 143 posts

Posted 13 June 2004 - 10:01 AM

Excellent Work varlag! It definitely looks like you've cleaned that CWS infection!

(1) Why are these people doing this? E.g. what did they gain in my case?

The simple and short answer to this question is money... These guys make money from redirecting users to specific sites and poping open ads on user's PC's.

(2) How did I get infected in the first place?

Excellent Question! See my prevention speech below for some more info! :thumbsup:

If you have any further questions, don't hesitate to ask!

Posted Image I would recommend looking into the following to try and prevent future infections:

SpywareBlaster doesn't scan and clean for spyware - it prevents it from ever being installed.
http://www.wildersse...areblaster.html

IE-SPYAD puts over 4000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
http://www.staff.uiu...rce.htm#IESPYAD

Both are very small free programs that you run once, and then just occasionally to check for updates.

And also see TonyKlein's good advice
So how did I get infected in the first place?
smckillop
He who has tasted a sour apple, will have the more relish for a sweet one.

If the information I have provided has been helpful, please consider Supporting SpywareInfo




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button