

Please take a peek at my HJT log


17 replies to this topic

#1   lotus79

    Member

  • Members
  • 36 posts

Posted 06 March 2006 - 12:44 AM

My system seems to be running fine. When I opened Windows Defender, under the History option, two entries appeared there. The paths to these items are C:\system32\LxrSge10s.exe, and the other is C:\WINDOWS\system32\Drivers\Lxrsge10d.sys. I have no clue what they are, and neither does Windows Defender. If anyone knows what they actually are, please let me know. Here is my HJT log.

Logfile of HijackThis v1.99.1
Scan saved at 7:34:59 PM, on 3/5/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Remote Master\Remote Master.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\AlienAutopsy\TEKS_Service.exe
C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\David\My Documents\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hometab.bellsouth.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.alienware...mothership.aspx
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hometab.bellsouth.net
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://help.bellsout...cess/launch.asp
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {348FE907-249E-4C65-A838-F34A193FE1D1} - (no file)
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IR501 Remote Control] C:\Program Files\Remote Master\Remote Master.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security Professional\UrlLstCk.exe
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.alienware.com/mothership.aspx
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec....trl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec....trl/tgctlsr.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=48835
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec....rl/LSSupCtl.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - https://scan.safety.live.com/resource/downl...lscbase3401.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1137637022718
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec....rl/SymAData.cab
O20 - Winlogon Notify: WB - C:\Program Files\AlienGUIse\fastload.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: ProductivIT Service (ProductivITService) - DynTek, Inc. - C:\Program Files\AlienAutopsy\TEKS_Service.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Thanks in advance.

#2   burtman

    Advanced Member

  • Members
  • 155 posts

Posted 06 March 2006 - 02:06 AM

Apparently, LxrSge10s.exe is part of the SmartGenie toolbar, a customizable search bar for IE.
I can't find any reference to the other file, but I assume it is related.

#3   AndyManchesta

    Power Member

  • Spyware Moderators
  • 1,821 posts
  • Gender:Male
  • Location:Manchester. UK
  • Interests:Music, Movies, Website Building & Design, Malware Testing/Research and spending time with friends & family.

Posted 06 March 2006 - 02:19 AM

Hi Lotus79 :)

The log looks fine. Regarding the files that Windows Defender detected, CastleCops has LxrSge10s.exe listed Here and shows it's related to the Smart Genie Toolbar. I'm not sure why a toolbar would need to add itself as a service, but assuming it was that entry, it should be listed in HijackThis like this:

O23 - Service: SmartGenie (LxrSGe10s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrSge10s.exe

This entry isn't in your log. SmartGenie Toolbar will also add O2, O3 & O16 entries when it installs, and you have no signs of SmartGenie showing in the log, so you should check the files out at Jotti's malware scan site to make sure they are clean.

First, run HijackThis, choose System scan, then place a check next to this entry:

O2 - BHO: (no name) - {348FE907-249E-4C65-A838-F34A193FE1D1} - (no file)

Close all open browser and other windows except HijackThis, then press the 'Fix Checked' button.

Next, go to Jotti's scan site Here

Press Browse, then find this file:

C:\WINDOWS\system32\LxrSge10s.exe

Double-click LxrSge10s.exe, then press Submit on Jotti's site, and copy and paste the results back if any problems are found.

Do the same for this file:

C:\WINDOWS\system32\Drivers\Lxrsge10d.sys

If they cannot be found, enable hidden files and folders, then try to locate them.

To enable hidden files if needed:

Click Start. Go to My Computer, then the C:\ drive.

Select the Tools menu from the top bar and click Folder Options. Select the View tab.

Under the Hidden files and folders heading select "Show hidden files and folders".

Uncheck the "Hide protected operating system files (recommended)" option.

Click Yes to confirm, then OK.

Set this back once you have checked for the files by opening the same page and pressing the Restore Defaults button.

Let us know what the Jotti scan results show for both files.

Thanks

Andy
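The checks Andy applies above (an O2 BHO whose file is gone, an expected O23 service line that is absent, and autostart entries worth a second look) are mechanical enough to script. Below is an added example, not part of the original thread and not code from HijackThis itself, that parses the O2/O4/O20/O23 line formats seen in this log and applies those checks. The sample log is constructed for the example: most lines are copied from the log posted above, while the final "exhlp" autostart line, its name and its path are invented to show what a high-severity hit looks like. The function names (parse_hjt, triage, has_service) are the example's own.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample in HijackThis v1.99 log format.  The first six lines are
# copied from the log in this thread; the last O4 line is invented (hypothetical
# "exhlp" autostart in a user-writable Temp folder) purely to exercise the checks.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {348FE907-249E-4C65-A838-F34A193FE1D1} - (no file)
O20 - Winlogon Notify: WB - C:\Program Files\AlienGUIse\fastload.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [exhlp] C:\Documents and Settings\David\Local Settings\Temp\exhlp.exe
"""


@dataclass
class Entry:
    section: str        # HijackThis section: "O2", "O4", "O20" or "O23"
    name: str           # display name (BHO name, Run value name, service name)
    path: str           # file the entry points at, or "(no file)" for an orphan
    owner: str = ""     # O23 only: company name HijackThis read from the binary
    short: str = ""     # O23 only: service short name, e.g. "ccEvtMgr"
    raw: str = ""       # the original log line, kept for reporting


_LINE = re.compile(r"^(?P<section>O\d+) - (?P<body>.*)$")
_BHO = re.compile(r"^BHO: (?P<name>.+?) - \{[0-9A-Fa-f-]+\} - (?P<path>.+)$")
_SVC = re.compile(r"^Service: (?P<name>.+?)(?: \((?P<short>[^()]+)\))? - (?P<owner>.+?) - (?P<path>.+)$")
_NOTIFY = re.compile(r"^Winlogon Notify: (?P<name>.+?) - (?P<path>.+)$")
_RUN = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<path>.+)$")


def parse_hjt(text: str) -> list[Entry]:
    """Parse the O2/O4/O20/O23 lines of a HijackThis log; other sections are skipped."""
    entries: list[Entry] = []
    for line in text.splitlines():
        line = line.strip()
        m = _LINE.match(line)
        if not m:
            continue
        section, body = m["section"], m["body"]
        if section == "O2" and (b := _BHO.match(body)):
            entries.append(Entry(section, b["name"], b["path"], raw=line))
        elif section == "O4" and (b := _RUN.match(body)):
            entries.append(Entry(section, b["name"], b["path"], raw=line))
        elif section == "O20" and (b := _NOTIFY.match(body)):
            entries.append(Entry(section, b["name"], b["path"], raw=line))
        elif section == "O23" and (b := _SVC.match(body)):
            entries.append(Entry(section, b["name"], b["path"], owner=b["owner"],
                                 short=b["short"] or "", raw=line))
    return entries


# Directories an ordinary XP user can write to; an autostart pointing here
# deserves more suspicion than one under Program Files or system32.
USER_WRITABLE = ("\\documents and settings\\", "\\local settings\\",
                 "\\temp\\", "\\application data\\")
SYSTEM32 = "c:\\windows\\system32\\"


def triage(entries: list[Entry]) -> list[tuple[str, str, str]]:
    """Return (severity, reason, raw line) for entries that merit attention.

    low    - orphaned entry: the file is gone; fixing it just deletes dead registry data
    high   - autostart from a user-writable directory
    review - verify by hand: service binary without company info, or a Winlogon
             Notify DLL outside system32 (a legitimate shell add-on can do this too)
    """
    findings = []
    for e in entries:
        p = e.path.lower()
        if e.path == "(no file)":
            findings.append(("low", "orphaned entry, file missing: safe to fix", e.raw))
        elif any(seg in p for seg in USER_WRITABLE):
            findings.append(("high", "autostart from a user-writable location", e.raw))
        elif e.section == "O23" and e.owner.lower() == "unknown owner":
            findings.append(("review", "service binary has no company/version info", e.raw))
        elif e.section == "O20" and not p.startswith(SYSTEM32):
            findings.append(("review", "Winlogon Notify DLL outside system32", e.raw))
    return findings


def has_service(entries: list[Entry], name: str) -> bool:
    """True if an O23 line registers a service under this short or display name."""
    key = name.lower()
    return any(e.section == "O23" and key in (e.short.lower(), e.name.lower())
               for e in entries)


if __name__ == "__main__":
    parsed = parse_hjt(SAMPLE_LOG)
    print("LxrSge10s service present:", has_service(parsed, "LxrSge10s"))
    for severity, reason, line in triage(parsed):
        print(f"[{severity:6}] {reason}\n         {line}")
```

Run it as a script to print the findings, or call has_service(entries, "LxrSge10s") to confirm, as Andy did by eye, that no such service line exists in the log. A "review" hit is a prompt to verify the file (hash, version info, an online scanner), not a verdict: the Ati HotKey Poller line trips the "Unknown owner" check even though Andy passed the whole log as fine.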

#4   lotus79

Posted 06 March 2006 - 02:53 AM

I put both files through the site you recommended and they both came out OK. I have never downloaded a toolbar called Smart Genie. Since I did not install it, is it safe for me to get rid of it? Thanks for the help.

#5   AndyManchesta

Posted 06 March 2006 - 03:27 AM

Hi Again

That's a bit strange if you have never installed their toolbar. If you have the time, can you locate both of the files again, then right-click them and choose 'Send To', then 'Compressed (zipped) Folder'. This will create a copy of the files in a zipped folder in the same folder (System32 & System32\Drivers). Can you then email both of the files to me at (AndyManchesta@hotmail.com) and I will check them out, as I don't want to say remove them until I know what put them there.

If you did want to delete them, then still send them to compressed zipped folders before removing the files, as this will create a copy in the zipped folder in case you need it again. If you do not notice any problems after removing the files and rebooting, then you can delete the backup zipped files.

Regards

Andy

#6   lotus79

Posted 06 March 2006 - 04:14 AM

Thanks AndyManchesta!!! E-mail is underway.

#7   AndyManchesta

Posted 06 March 2006 - 04:25 AM

Thanks :)

I will check my email now and see if I find anything useful by running the .exe with monitoring tools in place. I'll repost as soon as I can.

Andy

#8   AndyManchesta

Posted 06 March 2006 - 05:31 AM

Hi Again

The .exe file does nothing when it's run; it just opens a cmd screen very quickly, then it closes. It didn't create or remove any files on the system and doesn't create any registry entries, so I still cannot say where it came from, as it also doesn't have any file or company information included. I noticed in the email you said next to the LxrSge10s.exe file there is another one created at the same time called LxrDPart. Is that another .exe file? When you right-click the LxrDPart file and choose Properties, does it give any Company or File information? It's not common for a .sys file to have no company information.

In the email you said you believe this file is from Microsoft. What makes you think that it is? I would expect all Microsoft files to have Company and File information, so I would be surprised if these were connected to Microsoft in any way.

CastleCops did show it as being connected to SmartGenie. I was curious why it creates a service, so I installed SmartGenie on my machine; it didn't create any files with that name or any services, so maybe CastleCops are referring to an older version. The uninstaller for Smart Genie is listed in the Add/Remove screen and the uninstall command is

C:\Program Files\GENIEBAR Toolbar\Uninstall.exe

You can copy and paste that into the Start Menu > Run area, then press OK, and if it shows the file cannot be found then it isn't a SmartGenie entry.

Do you recall downloading anything around the time these files were created? The files you sent to me have a creation date and time of 3/4/2006 10:15 PM.

Even though the files show clear at Jotti's scan site, I would still consider removing them, as it's not clear what they are or how they got there. If you send all the files to Compressed (zipped) Folders first, then at least you have a backup copy available after removing the files in case you remember downloading something around the above date and time; then give it a couple of days and make sure there aren't any problems with programs you use, and remove the backup 'zipped' folders.

To be sure the system is clean, run Panda ActiveScan from Here.

Once you are on the Panda site click the Scan your PC button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan
(Note: It may take a couple of minutes)
- When download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location so you can post it back.

Andy

#9   lotus79

Posted 06 March 2006 - 08:33 AM

I will give that a try, thanks. As far as the LxrDPart.exe, when I double-click it, it opens a small window. It says "Microsoft DiskPart version 5.1.3553. Copyright 1999-2001 Microsoft Corporation." The last thing it says is "DISKPART>", then I guess you can enter a command from there. I know for a fact that this is not part of the original software that came with this PC, and I know that I didn't download this. I can email you this as well if you like. Let me know. Thanks again.

#10   AndyManchesta

Posted 06 March 2006 - 09:04 AM

Hi Again

That makes it sound like diskpart.exe, which would be a genuine file, but diskpart.exe should have full details about the company (Microsoft) and the file version, plus have the description 'Diskpart Application'. It's used to create and delete partitions on a hard drive and only works when used with the Recovery Console.

DiskPart.exe should already be on your PC in the system32 folder. I've just run it on my PC and it shows:

Microsoft DiskPart version 5.1.3565

Copyright © 1999-2003 Microsoft Corporation.
On computer: ANDYMANCHESTA

DISKPART>

It still doesn't explain how they got there, especially if you haven't downloaded anything from Microsoft, as the genuine DiskPart.exe should already exist on your system. It's also a bit worrying that the files you sent to me had no company or file information, and there is no information at all on those filenames using Google's search engine except for the one reference to SmartGenie, but they may be harmless, with no AV scanner finding problems.

You can send the LxrDPart.exe if you want, as it would be good to see how it compares to the DiskPart.exe I already have on the system, but they are probably nothing to be concerned about at this stage. If you have the time, run Panda's ActiveScan; if that shows the system is clean, then they are probably genuine, as there would have to be some sort of initial infection on the system to allow someone to download files without you knowing.

Andy
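Posts #8 and #10 above lean on two things: whether a binary carries version-resource strings (CompanyName, FileDescription, FileVersion) and how it compares with a known-good copy such as the DiskPart.exe already in system32. Below is an added example, not from the thread and not from any tool named in it, that does both without Windows: it hashes the file and scans the raw bytes for StringFileInfo key/value pairs. The two sample "files" are constructed byte strings built by the helper _fake_pe, with made-up version values and a made-up reference hash table; triage_binary, version_strings and the other names are the example's own, and the string scan is a heuristic rather than a proper PE resource parser.

```python
from __future__ import annotations

import hashlib

# Keys of a PE file's VS_VERSIONINFO StringFileInfo block.  Explorer's
# Properties > Version tab shows these; a binary with none of them is what
# the thread calls "no company or file information".
VERSION_KEYS = ("CompanyName", "FileDescription", "FileVersion",
                "ProductName", "OriginalFilename")


def version_strings(data: bytes) -> dict[str, str]:
    """Heuristically pull StringFileInfo values out of a PE image.

    In the real resource each String entry is the UTF-16LE key, a NUL
    terminator, zero or two padding bytes to reach a DWORD boundary, then the
    UTF-16LE value with its own NUL terminator.  Finding the key and reading
    the next NUL-terminated UTF-16 string is enough for triage on a non-Windows
    box.  It is not a resource-directory parser: a packed or compressed binary,
    or an entry with an empty value, will defeat it.
    """
    found: dict[str, str] = {}
    for key in VERSION_KEYS:
        needle = key.encode("utf-16-le") + b"\x00\x00"
        idx = data.find(needle)
        if idx < 0:
            continue
        pos = idx + len(needle)
        while data[pos:pos + 2] == b"\x00\x00":        # skip alignment padding
            pos += 2
        end = pos
        while end + 1 < len(data) and data[end:end + 2] != b"\x00\x00":
            end += 2                                     # UTF-16 code units
        found[key] = data[pos:end].decode("utf-16-le", errors="replace")
    return found


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def triage_binary(data: bytes, known_good: dict[str, str]) -> dict:
    """Summarise one file the way the thread did by hand: hash it, note whether
    it is a PE image, extract the version strings, and report whether the hash
    matches a reference copy (e.g. the system32 DiskPart.exe, or a hash an
    online scanner reported as clean)."""
    digest = sha256_hex(data)
    info = version_strings(data)
    return {
        "sha256": digest,
        "is_pe": data[:2] == b"MZ",
        "version_info": info,
        "has_company": bool(info.get("CompanyName")),
        "matches_known_good": known_good.get(digest),
    }


def _fake_pe(strings: dict[str, str]) -> bytes:
    """Constructed stand-in for a PE file: an MZ signature, filler, then
    version-resource style key/value pairs.  Test data only, not a real
    executable and not loadable by Windows."""
    body = b"MZ" + b"\x90" * 62
    for key, value in strings.items():
        chunk = key.encode("utf-16-le") + b"\x00\x00"
        if len(chunk) % 4:                              # DWORD-align the value
            chunk += b"\x00\x00"
        body += chunk + value.encode("utf-16-le") + b"\x00\x00"
    return body


# Two constructed samples with invented values: one carrying the kind of
# strings a Microsoft binary has, one stripped down to a bare version number.
GENUINE = _fake_pe({"CompanyName": "Microsoft Corporation",
                    "FileDescription": "DiskPart Application",
                    "FileVersion": "5.1.2600.0"})
STRIPPED = _fake_pe({"FileVersion": "1.0.0.0"})
# Hypothetical reference table: hash of the copy you trust -> label.
REFERENCE = {sha256_hex(GENUINE): "system32\\diskpart.exe (constructed reference)"}

if __name__ == "__main__":
    for label, blob in (("genuine", GENUINE), ("stripped", STRIPPED)):
        print(label, triage_binary(blob, REFERENCE))
```

To use it on real files, read them with open(path, "rb").read() and fill the reference table with the SHA-256 of the copy you trust. An absent CompanyName is exactly the signal Andy was reading off the Properties dialog; a hash that matches the system32 copy would settle the DiskPart question in one step, and a mismatch with identical version strings is the case that needs a closer look.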

#11   lotus79

Posted 06 March 2006 - 08:19 PM

I ran the Panda scanner and it shows my pc to be clean. I'll just delete those two files. They appear to be clean, but I did not download them. Thanks for all the help AndyManchesta.

#12   AndyManchesta

Posted 07 March 2006 - 11:25 AM

Hi lotus79

That's good to hear the Panda scan was clean. It's still a bit of a mystery how those files got on your system, but I think you're right to remove them, as they contain no company info, which isn't common for a file that looks like it's from Microsoft, as they always give full company/version information with the files. If you have any more problems on the PC, just repost and there will always be people who are happy to help :)

All The Best

Andy

#13   Eldmannen

    Annoyance

  • Banned
  • 2,198 posts
  • Location:Internet
  • Interests:Free software, open-source, GNU GPL, Linux, security, encryption, privacy, anonymity.

Posted 07 March 2006 - 04:41 PM

Norton Antivirus, no wonder your comp runs like crap. :D

#14   lotus79

Posted 07 March 2006 - 08:49 PM

Thanks again AndyManchesta. Norton is a resource hog, but my computer doesn't run like crap, Eldmannen.

#15   lotus79

Posted 15 March 2006 - 11:42 PM

Hey AndyManchesta, I figured out where these two files came from. I own a Lexar JumpDrive Lightning USB drive. The drive has many options like file synchronization and the ability to encrypt files. So I guess it really isn't a problem. Thanks again for the help.

#16   AndyManchesta

Posted 15 March 2006 - 11:44 PM

That's good news :)

I still have copies saved if you need them back at any time.

Andy

#17   lotus79

Posted 15 March 2006 - 11:49 PM

You can delete those. When I inserted the drive, it automatically created those files again. Thanks again

#18   AndyManchesta

Posted 16 March 2006 - 12:24 AM

No Problem

Glad you found out where they came from. I will remove the files now you know who put them there :)

All The Best

Andy