aux.txz



bradle01
10-22-2003, 11:16 AM
I have a file called aux.txz which my Sophos anti-virus always takes several hours to crawl through. What is aux.txz? What does it do? Is it expendable? Can it be deleted? I have only ever found one reference to it on Google and that is on another forum - but in Polish. I speak several languages, but Polish ............. !!!

nawer
12-16-2003, 12:50 PM
Hi,
same problem here, it seems like a trojan or virus to me.
i found it on my father's laptop, along with half a dozen of virii. got NAV corporate 7 on this computer and it hangs forever when the scan reaches this file (in system32).
don't know which virus it is.
the size of the file is 2.2mb, locked by a process (don't know which one).
it could be a keylogger, gonna test if the size grows when i type something.

rocky1
12-16-2003, 08:40 PM
What operating system are you guys running? It's not found on mine with Windows 2000.

wenwilder
12-16-2003, 09:04 PM
aux.txz is a text file. .txz, .txt, .doc are all text file extensions.

minstrel
12-17-2003, 12:15 AM
aux.txz is a text file. .txz, .txt, .doc are all text file extensions.
These days, DOC is more often associated with Word or WordPerfect....

Never heard of .txz before, but is it possible it's a compressed ("zip") file of some sort? I don't even see it in my WinXP registry but .tz is a filetype associated with WinZip - if the file is compressed, that would explain why it takes so long to scan... maybe a log file of some sort?

wenwilder
12-17-2003, 12:31 AM
It is a compressed file. I've had two people tell me different things.

One that it is associated with GP32's and the other says it's perl and VB.

The only thing I ever knew was that it was a text file extension.

mikmik
12-17-2003, 01:03 AM
Not only one, but three!!!!
I was just about to give up so I thought I'd try the old 'search within results' trick. - A real rags to riches story :O) -

http://www.google.ca/search?hl=en&lr=&ie=UTF-8&oe=UTF-8&q=file+extensions&as_q=txz&btnG=Search+within+results

Got it!!! - TXZ = Morfwarp au file
http://www.icdatamaster.com/t.html

txz Gzipped text file
http://www-2.cs.cmu.edu/afs/cs/project/ai-repository/ai/util/gzip/0.html

Data structures
Hypertext documents consist of two basic data structures - nodes and links. Nodes include the content of the document and links represent the document structure. The two data structures and the essence of hypertext itself is preciously described in [?].
INTERES stores these structures in the following ordered files (with corresponding extensions):
1. Text file containing all text nodes of the hypertext document (.txe)
2. Directory of all text nodes of the previous file with their addresses (.adr)
3. File containing links (.ref)
4. Backup text file (.txz)
http://www.uniba.sk/~kravcik/interes.html


From the Animations shareware collection.
# Filename (click to download) Size Date Description
1 morfwarp.zip 767327 12-04-93 Morphing and Warping Effects generated with D-MORF. Player included. Good animations
http://www.filelibrary.com:8080/descriptions/Multi-Platform/92/morfwarp.zip.shtml3

So it is either a unix compressed txt file, a dos backup txt file, or a game/animation program file.
I vote for the last one. I remember trying to 'disassemble' a file type that was in one of the games I had (it wouldn't copy!) and I came across all sorts of exotic software compilers and decompilers - dragon extract (or something) was one. Lots of these files are like .cab files, or dll files - compressed, large, self contained, and could contain all manner of COM or EXE etc.
Maybe delete it!

mikmik
12-17-2003, 01:08 AM
So this is happening MUCH too often these days!
By the time I submit my post, there is one ahead of me that wasn't there wen(lol) I started!

Typing lessons, please wen! (I'm up to about thirty, thirty five a min. Scared yet? :o)

wenwilder
12-17-2003, 10:02 PM
You're startin' to scare me there Mik, do I hear 40 wpm by next week? ;)

mikmik
12-17-2003, 10:29 PM
wen wrote:
You're startin' to scare me there Mik, do I hear 40 wpm by next week? ;)

Pretty soon, wen, I'm warnin' ya' :o)
Only 5 times faster and not looking at my keyboard or even my monitor, then... be afraid, be very afraid. I sure will be. lol I already get the shakes!

neward
12-25-2003, 08:34 PM
Hi,
seems, I'm number three with this file. The facts:
- I'm running WinXP.
- aux.txz has been created 29.June2003, half a year after I bought the computer.
- It resides in system32.
- It gets changed (I guess extended) every time I connect to the internet.
- It's got 34,197 KB (!) right now.
- Its attribute is only "A", no system, no hidden...
- It has NO entry in the Explorer's column "owner".
- Deleting isn't possible. Seems to be locked by a process (don't know yet which one).
- Trying to move it leads - INDEPENDENT of the destination dir - to the response:
..'This directory already contains a file "aux."
..Do you wish to replace the existing file 0 byte
..by this one 'icon' 0 byte ?'
- There is NO string "aux.txz" in the registry.
- But there are a lot of keys mentioning "txz", e.g.:
..HKCR/.txz/(standard) of the type REG_SZ and the value "txz_auto_file",
..HKCR/txz_auto_file/shell/... ,
..HKCR/txz_auto_file/open/... and some others
..connecting ".txz" to notepad.exe .
- Opening Notepad and loading aux.txz results in 'access denied'.
- Trying to store some information using the file name "AUX.TXZ.txt" gave me the following response:
..'This file name is a reserved device name.
..Choose a different name.'
- I never installed any game. So that's not a possible origin of aux.txz.

Anyone out there, who is able to help in any way?
Thanks so far...

ronniethedodger
12-25-2003, 09:32 PM
The word AUX is used in reference to RS-232 communications. It is one of the lines to transmit and receive with.

Two of the Pin terminations on the RS-232 serial com are marked TX and RX. These abbreviations are often used to describe the flow of data in serial communications.

It is a possibility that all three of these people are using the serial port to upload data from some type of device. The serial software they are using, possibly HyperTerminal??? is depositing this file in the System32 directory....why there I do not know.

Another possibility is that all three are using dial-up modem connections, and the dialer they are using has something in common -- possibly being outdated and not XP compatible.

If there is a way that you can transmit that file to me, I would be able to tell you more. Perhaps if you can zip the file up and send it to my Yahoo email address --- I can take a look at it for you.

ronniethedodger
12-25-2003, 09:41 PM
- There is NO string "aux.txz" in the registry.
- But there are a lot of keys mentioning "txz", e.g.:
..HKCR/.txz/(standard) of the type REG_SZ and the value "txz_auto_file",
..HKCR/txz_auto_file/shell/... ,
..HKCR/txz_auto_file/open/... and some others
..connecting ".txz" to notepad.exe .
- Opening Notepad and loading aux.txz results in 'access denied'.
- Trying to store some information using the file name "AUX.TXZ.txt" gave me the following response:
..'This file name is a reserved device name.
..Choose a different name.'


Since you are the first one to post about using the registry (and the latest post on this thread) could you go to your Folder Options and click on the File Type tab?

The little flashlight will start its search. When the list comes up....scroll down to the .TXZ entry and tell me what it says, if you would please?

You were possibly looking at the program registered to that extension in the Registry....but you cut that information off in your post above.

The Shell and Open commands registered for that extension would have told us that...but sometimes not. These entries appear more than once in the Registry.
The best way is in the File Type list.

Your error for the filename kind of makes sense to me, because AUX is a registered device name. But then it does not make sense that it would restrict it as a filename. But then again it does, cuz everyone is saying the file is in use and locked....this all leads back to my previous post about the serial ports and how there might be a connection (pardon the pun..hehehe).

ronniethedodger
12-25-2003, 10:15 PM
Out of curiosity also....are any of you or have you been involved with a NetFirms free web hosting site at all???

What struck me as odd is that they have a sub-domain with the extension in it: www.txz.netfirms.com

mikmik
12-25-2003, 10:40 PM
Also, can you boot to 'safe-mode without network support' and do anything?
There is a program called ProcessView that is like a super steroided version of 'Task Manager' and you may be able to track down a running application's access path (or whatever - this is an area that gets slightly over my head) and drivers and dll's in use.
Actually, this "Filemon" looks good for this task:
http://www.webattack.com/get/filemon.html
(I think 'ProcessMon' is at sysinternals.com)
Ron, you seem to be quite knowledgeable! (no surprise)
I'm wondering if this thread shouldn't get relocated to the IT forum?

mikmik
12-25-2003, 10:50 PM
Total bytes read: 170
HTTPS GET request "/" to www.txz.netfirms.com port 80 (209.171.43.28)
GET request "/" to www.txz.netfirms.com (209.171.43.28)
HTTP/1.1 503 Unknown site
Date: Fri, 26 Dec 2003 03:44:25 GMT
Server: Apache/1.3.26 (Unix) mod_ssl/2.8.10 OpenSSL/0.9.7c
Connection: close
Content-Type: text/html
---------------------------
Welcome to the Network Solutions WHOIS Server.
There is no match for this domain name.
This domain is available for purchase!
Go to www.netsol.com to register it today!
---------------------------
ARIN:
No match for "WWW.TXZ.NETFIRMS.COM".

>>> Last update of whois database: Thu, 25 Dec 2003 18:29:08 EST <<<

-----------------------------
Check this out!
I used superscan from here:

http://foundstone.com/index.htm?subnav=resources/navigation.htm&subcontent=/resources/freetools.htm

ALL APPS THAT I RECOMMEND are freeware, spyware/adware free, and almost always run from a directory (folder) and do not install into windows.

These foundstone tools are wild!!

ronniethedodger
12-25-2003, 10:59 PM
Also, can you boot to 'safe-mode without network support' and do anything?
There is a program called ProcessView that is like a super steroided version of 'Task Manager' and you may be able to track down a running application's access path (or whatever - this is an area that gets slightly over my head) and drivers and dll's in use.
Actually, this "Filemon" looks good for this task:
http://www.webattack.com/get/filemon.html
(I think 'ProcessMon' is at sysinternals.com)
Ron, you seem to be quite knowledgeable! (no surprise)
I'm wondering if this thread shouldn't get relocated to the IT forum?

Some of those utilities look interesting. And they are Freeware. I usually have a problem with Freeware, cuz a lot of it is junk. But I looked at some of this Authors work and I may bend my rules a little...hehehe. It looks pretty good to me.

One that looked good, and thought I would pass on to Minstrel for use in identifying his FP publishing problem is this TCP Monitor. It monitors your connection and what ports are getting hit, and which are transmitting....looked like it might help identify if one of your ports is gettin hit by your suspected authentication echo.

http://www.webattack.com/get/tcpview.html

Booting in SafeMode will not help if it is a driver problem MikMik....only generic drivers are loaded for just the basics. But it might release the lock on the file so you can at least view it maybe. That might be worth a shot.

And I got lost when you started talking about IT this, and TaskModerators being on steroids that, and how you fell down on your head....it was all too confusing. But I agree that we should move this to the Break Room where we could get a laugh out of it...that was good idea you have there MikMik. ;0)

minstrel
12-25-2003, 11:12 PM
One that looked good, and thought I would pass on to Minstrel for use in identifying his FP publishing problem is this TCP Monitor (http://www.webattack.com/get/tcpview.html). It monitors your connection and what ports are getting hit, and which are transmitting.... looked like it might help identify if one of your ports is gettin hit by your suspected authentication echo.
Thanks for the suggestion, Ron - I got a lot of script errors on that website but after clicking "no don't bother to debug" about 6 times I was able to download the utility - I'll give it a shot and see what it reveals...

ronniethedodger
12-25-2003, 11:38 PM
Thanks for the suggestion, Ron - I got a lot of script errors on that website but after clicking "no don't bother to debug" about 6 times I was able to download the utility - I'll give it a shot and see what it reveals...

Dang I hate those script errors. I had a debugger running, and ran into that all the time. I finally just turned the damn thing off. Don't know why I even had it up and running anyway....like I am going to debug script errors, sure! :0)

No problem. There are some other utilities there for port monitoring and tcp connections in there too. Whole slews of them.

You would know better than I what to look for. But, I am not too partial to freeware as I said. There is a shareware side to that site. I don't like that stuff much either....so forget I even mentioned any of this. Erase from your mind, cuz it's too late...I already typed it. ;0)

I did download one thing off of there called IP Updater. If you are running an Apache Server (which I am) and your IP address is dynamic (which mine is) this sends out changes in your address and updates your sub-domain name. Which is kind of cool. They give you a free sub-domain name too. I am still reading about it to see what the catch is. But if it is any good I will be able to at least have a regular easy to remember domain name and not just an IP address that keeps changing. http://12.178.132.123 right now.

mikmik
12-26-2003, 01:24 AM
minstrel wrote:
Thanks for the suggestion, Ron - I got a lot of script errors on that website but after clicking "no don't bother to debug" about 6 times I was able to download the utility - I'll give it a shot and see what it reveals...

Yes, I find a lot of sites with javascript errors, I even had to put a script that blocks the javascript error notification because the script works perfectly! And logging in here, let me tell you. The only prob is that I forget to turn the notification back on when I try out my pages. Woe is me.

Hey, ronniethedodger, I used to DESPISE third party software of any type, but there is a lot of very good stuff out there these days. I am up to 50 or 60 add-ons, this install (I wipe and re-install every 2-3 months or so), and my boot-ups are still at 75 seconds, 105Mb RAM, and 19 processes with IIS and Norton2003 running, all critical updates done also. No windows messenger.
I am amazed at what is available. Why are you hesitant? I find sites that offer user reviews AND editor recommendations to give good indications of what I'm getting into. I agree that there is a lot of crapola around, but...

By the way, minstrel, remember that discussion, re: disable windows/msn messenger from startup etc? I got the startup manager app you recommended - there is another freeware/runs from folder/no overhead baby that is nifty.

My point is, though, I still had to go to Program Files and rename it "'x'msnmsg.exe" to disable it from running in background, but good app you got me, nevertheless.

Anyways, I'm thinking of winning the lottery soon so I can devote more time to this forum and helping you guys with any medication costs that you may be incurring as a result of needing treatment for injuries/brain damage/hangovers and to prevent potential lucid posting that can be used as blackmail leverage by the women. It is stuff like this that has me concerned:

And I got lost when you started talking about IT this, and TaskModerators being on steroids that, and how you fell down on your head....it was all too confusing. But I agree that we should move this to the Break Room where we could get a laugh out of it...that was good idea you have there MikMik. ;0)
I wish you a lengthy, demoral enhanced convalescence. Let me know if things start making sense and we'll bring in reinforcements.
(Oh, no. Another de-dijeree-doo-ja-vu experience...)

Yes, I meant to use safe mode to try to see if there was a dll that could be disabled in order to at least prevent the thingy we're talking aboot here from launching.

Let's see, what else....

ronniethedodger
12-26-2003, 02:11 PM
I have found that a lot of javascript errors come about while using pop-up ad blockers. Usually the error is in reference to "object does not exist" and that object is the pop-up that got blocked.

And yes I am very hesitant about third-party software. You see I am a programming hobbyist of sorts, I have VB.NET 2003 installed and monkey around with it.

It is really easy to start developing some app with this kind of tool, have it work great, then throw it out on the web. Problem is there is really no solid beta testing or any other kind of testing done on this kind of software. What works on their computer, could have undesirous effects on someone else's.

I have seen some of this software saying it is XP compatible....but same said software requires VB3 .vbx controls to run. C'mon...I am no expert, but VB3 was back in the Windows 3.11 for Workgroup days.

The reviews...uh, huh..."3 out of 5 reviewers have rated this..." really instills a lot of assurance in me that the product is great for the masses (at least 60% of the time)

Don't get me wrong though...I do use it. But only after I have done a little background checking into the software. If I mention it in one of my posts, I will also be sure to mention that "I have not checked it out". Hopefully you guys won't hold me responsible for any damages if I do mention something without my patent disclaimer ;0)

Finally...MikMik? What is this about when you are starting up in DLL rocket mode and not being safe to disable the boot on the launch pad thingy? You also mentioned something about a "prevent safety" gismo...are we talking football or have you got a hold of some 3-day old Egg Nog again? ;0)

rocky1
12-26-2003, 02:27 PM
Well so far this one http://www.webattack.com/get/iespell.html which allows spell-check on goodies typed in your browser, like the forum here, found at whichever one you guys' favorite hangout is; is proving well worth the download time. Of course it would never work for Mik, because it doesn't translate in old egg nog!

And, it would appear to have some tracking software that may or may not render it useless, the next time I run Ad-Aware and toast all the spy-ware on board my computer.

computers
12-26-2003, 02:58 PM
I've found this, though I don't know how accurate or if it will be of much help: http://www.filext.com/detaillist.php?extdetail=TXZ

Have you tried opening it up with notepad? Perhaps, if you can view the file it will give you a better clue as to what it pertains to.

mikmik
12-26-2003, 04:47 PM
rockythe1 wrote
And, it would appear to have some tracking software that may or may not render it useless, the next time I run Ad-Aware and toast all the spy-ware on board my computer.
Guess you need this: Silencer - http://www.webattack.com/Freeware/misctools/fwfilter.shtml
I have never had a problem with it whatsoever. I run Windows 3.11 on a Cyrix abacus with dual exhaust.

mikmik
12-26-2003, 04:57 PM
ronniethedodger wrote/posted it like this
...blah...espanol...au fransay..etc..Finally...MikMik? What is this about when you are starting up in DLL rocket mode and not being safe to disable the boot on the launch pad thingy? You also mentioned something about a "prevent safety" gismo...are we talking football or have you got a hold of some 3-day old Egg Nog again? ;0)

3 day old eggnog. The drink that eats like a meal.

Thanks for the info on the VBS and popupblockers.
I only recommend software that I have infected with my own DCOM stack overflow secret ring decoder subroutines with a RPC auto responder and SMTP thrown in for good measure. This is to ensure that I can keep an eye on usage patterns to improve future versions, and I only launch 'ethical' DDoS's anyways.

ldyguique
12-26-2003, 05:54 PM
mikmik said:

Anyways, I'm thinking of winning the lottery soon so I can devote more time to this forum and helping you guys with any medication costs that you may be incurring as a result of needing treatment for injuries/brain damage/hangovers and to prevent potential lucid posting that can be used as blackmail leverage by the women. It is stuff like this that has me concerned. . .

I suppose it could happen; sheer odds dictate that it's a mathematical possibility.

ronniethedodger
12-26-2003, 06:21 PM
I've found this, though I don't know how accurate or if it will be of much help: http://www.filext.com/detaillist.php?extdetail=TXZ

Have you tried opening it up with notepad? Perhaps, if you can view the file it will give you a better clue as to what it pertains to.

I came across that same page, and all it references is something called MorphWarp. Although I cannot find anything out about MorphWarp anywhere on the net...so who knows what that is.

There are three people so far who have mentioned having this file on their computers. Yet, they have not reported back in so far.

I offered to look at the file for them...but even that may be a problem because they cannot access the file. It is locked, in use, or some other thing. Viewing it in Notepad is not an option.

computers
12-26-2003, 06:36 PM
I would think that if a copy was made, say, on the desktop, it should be able to be opened. Perhaps, if still not able to open it, splitting the file into smaller segments or renaming the copy may facilitate opening.

minstrel
12-26-2003, 07:03 PM
If you go back a bit to the beginning of this thread, you'll notice that one of the first two posters who found a copy of this file said, "the size of the file is 2.2mb". Also, from the TXZ extension, there is a pretty good chance this is either a compressed file or a binary file - in either case, Notepad probably isn't going to help even on a piece of it.

My advice is move the file to another directory - if it's a locked file, you can have the file moved on the next boot using a free GiPo utility called "move-copy-on-boot" from GibinSoft (http://www.gibinsoft.net/gipoutils/dbutil/) - there are several other good utilities there, including one that will delete a file on the next boot (useful for Windows XP in particular).

Then reboot and wait to see (1) is it recreated? (2) does anything object to not finding the file?

If the answer to #2 is "yes", you'll have your answer as to which program created the file. Then you can move it back where you found it if that program is something you still want to be using.

If the answer to #2 is "no" then feel free to set it up for deletion using the delete on next boot feature mentioned above. Actually, if the answer to #1 is "yes", I guess you can do the same thing.

mikmik
12-26-2003, 07:04 PM
Thanks, minstrel. We were all over this like a hacker on a new game release, like you said!

Got it!!! - TXZ = Morfwarp au file
http://www.icdatamaster.com/t.html

I just installed WinMorph yesterday

I was trying to make swf's of people like janeth and lisa 'morph' between their beautiful 'apparent' selves and monsters

It has a warp feature, it is freeware, and I RECOMMEND IT - so far. Believe me, I scan the shit out of stuff like this before I try it, but I think I'll look further into it.

Go here: http://www.debugmode.com

ronniethedodger
12-26-2003, 11:48 PM
To add to what Minstrel said, one of them (or two) said that they could not open the file in Notepad. One also mentioned when they tried to move the file (or was it delete) they couldn't, they got some error saying that "Device is in use, access denied"

The fact that this file is located in the System32 directory is another cause for concern. None of them mentioned it, but could it be this file could have been in a sub-directory of system32 and they inadvertently omitted that info....nobody knows, cuz they have not been back.

Now that MikMik has downloaded this Morph (w/Warp Factor capabilities) and he has posted his stock "I scan the !bleep! out of stuff like this before I try it, but I think I'll look further into it." disclaimer, we all should wait on whether or not this is the culprit for the strange file that appears in the System32 directory.

I did notice that version 3.01 of this software was last year, 2002. Also there are two patches required for Adobe Premiere and Video Vegas otherwise the docs simply state "it don't work properly, man". I slightly remember this program, an older version though, from a few years back. I used it once, but don't remember too much about it (too much egg nog I guess) It has been around for quite some time.

If MikMik's machine suddenly freezes, the hard drive is erased, and will never boot again...then we will know that is the cause. Of course, it will take about 3 or 4 days of MikMik not being around WPW before we realize this. ;0)

neward
12-27-2003, 02:17 AM
WOW, what a response! Thanks to all of you !

I've had some time now to test around a little bit more. So, let me answer to your questions and suggestions. I'm really happy about your great feed back:

--- Concerning "AUX": My RS232(COM1) jack was never used. A COM2 jack doesn't exist. I'm not aware of ever having used Hyper Terminal here.

--- Concerning dialer: My dial-up modem is a PCI card. The dialer I'm using is the default function of IE 6.0, I think; (= programs\windowsNT\dialer.exe ? - OK, I have to confess, I still use IE.)

--- Concerning the file type .txz: Folder options and registry, both connect ".txz" to notepad.exe .

--- 'transmitting the file': Thanks a lot, Ron, for your offer to look at it, but the problem is:
aux.txz cannot be copied: The pasting results in 'Access denied'.
aux.txz cannot be edited or opened with notepad: 'Access denied'.
aux.txz cannot be deleted: 'Access denied'.
aux.txz cannot be renamed: 'Access denied'.
aux.txz cannot be moved: EVERY destination directory 'already contains a file "aux." Do you wish to replace the existing file 0 byte by this one 'icon' 0 byte ?' -- YES -- 'Not possible. A file with this name already exists. Choose another name.' -- Only quitting possible!!!
aux.txz cannot be zipped: Selecting aux.txz as file to be added results in 'No such file found'.

SAME THING in 'safe mode without network support'!

SAME THING in 'safe mode with command prompt': VERY STRANGE:
C:\WINDOWS\system32>dir au?.txz --> … 26.12.2003 23:41 35,039,575 aux.txz …
C:\WINDOWS\system32>dir aux.tx? --> … 26.12.2003 23:41 35,039,575 aux.txz …
C:\WINDOWS\system32>dir aux.txz --> directory of \\. File not found
C:\WINDOWS\system32>copy au?.txz \aaa.txt
--> aux.txz (linefeed) The system cannot find the file. (linefeed) 0 file(s) copied.
C:\WINDOWS\system32>copy eul?.txt \aaa.txt
--> eula.txt (linefeed) 1 file(s) copied.

Any idea what cryptic file storage this may be?

As described a little bit further down, I identified – with your great help !!! – the process that was extending aux.txz constantly. I cancelled the process, locked the exe-file away, deactivated the relating registry entries, and restarted; BUT aux.txz still behaves as described above (except for growing - that's stopped now - you know, 34 MB are enough (though RightClick|Properties say: 0 KB !?!)).

Anyone any hint, how to get rid of the corpse (or even look into it before disintegrating)?

--- Concerning NetFirmsFreeWebHosting: Ron - OK, I surfed around a lot during the last year. Maybe I came in contact with www.txz.netfirms.com, but I really don't know any more. As I delete the Temporary Internet Files on a regular base, I cannot tell any more.

--- Concerning the growth of aux.txz: I've had the impression, it could be related to my internet activities. But having a closer look at the growth made this more unlikely. Sometimes it fits - sometimes not. No reliable rules detected till now.

--- Concerning Filemon from Sysinternals: Thanks a lot, Mik, that was the right utility at the right point (and so small, 84 KB zip!).
It showed, that "logon.exe:2004" was the extending process (whatever this ":2004" may mean – (my system clock is running correctly ;-) )).
A few weeks ago I had compared all process file names of the TaskManager to www.liutilities.com/products/wintaskspro/processlibrary and ditto/allprocesses . As there IS a logon.exe in the WinTasks Process Library, I didn't get sceptical. But doing some Google research now, made it most probable, that I caught the trojan "Troj/Golon-A" by this file. There is not really much information about it (www.sophos.com/virusinfo/analyses/trojgolona.html), but enough points are hitting. I cleaned up like described 3 points formerly.

Now there are two questions left about this:
1. What about the Windows-logon.exe? Has it any relevance for WinXP, so that I should search for a file to restore the state?
2. In that same minute (!) of the creation of the odd logon.exe (29.June2003 20:20, according to WinExplorer) 3 further files came down on me: mswinsck.exe, MDOS.EXE, and Browser_Plugin.exe residing in different directories. I'd found and locked them away some time ago.
Anyone ever heard about these? (just curious)
(btw: aux.txz was created 6 minutes later, according to WinExplorer)

And of course, as mentioned above:
3. How do I get rid of the 34 MB corpse?


PS: I've just read Minstrel's hint "move-copy-on-boot" from GibinSoft . Will have a look on it!

Thanks so far!
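
What neward reports (Windows calling AUX a "reserved device name", `dir au?.txz` listing a file that `dir aux.txz` cannot find, every copy, move, rename and delete failing with "Access denied") is standard Win32 behaviour for any file whose stem is a DOS device name, and it is why the file survives in system32 after the process that wrote it is gone. The Python scanner below is an added example, not code from anyone in this thread: it walks a directory tree, flags files whose stem is a reserved device name, sizes them from the directory listing the way `dir au?.txz` did, and builds the `\\?\` path form that bypasses the device-name parsing so such a file can be copied out for analysis or removed. The reserved-name list and the `\\?\` prefix are documented Win32 behaviour; the sample tree it scans is constructed in the script.

```python
r"""Find and size files that shadow Win32 reserved device names.

Added example for this thread, not code from any poster. Win32 parses the
stem before the first '.' as a device when it is CON, PRN, AUX, NUL, COM1-9
or LPT1-9, so system32\aux.txz becomes the AUX device: Notepad, copy and del
fail while 'dir au?.txz' still lists it (directory listings skip that step).
The \\?\ prefix disables the parsing, so the file can be copied or deleted.
"""
import ntpath
import os
import shutil
import sys
import tempfile
from typing import Iterator, NamedTuple, Optional

# Reserved by the Win32 subsystem; compared case-insensitively.
RESERVED_DEVICE_NAMES = frozenset(
    {"CON", "PRN", "AUX", "NUL"}
    | {f"COM{i}" for i in range(1, 10)}
    | {f"LPT{i}" for i in range(1, 10)}
)


def reserved_device(filename: str) -> Optional[str]:
    """Return the device a filename shadows, or None for an ordinary name.

    Only the stem before the first dot counts, trailing spaces trimmed as
    Win32 does: 'aux.txz' -> 'AUX', 'AUX.TXZ.txt' -> 'AUX', 'eula.txt' -> None.
    """
    stem = ntpath.basename(filename).split(".", 1)[0].rstrip(" ").upper()
    return stem if stem in RESERVED_DEVICE_NAMES else None


def extended_path(path: str) -> str:
    r"""Return the \\?\ literal (extended-length) form of a Windows path.

    CreateFile skips device-name parsing for it, so \\?\C:\WINDOWS\system32\aux.txz
    names the file, not the AUX device; shutil.copyfile() and os.remove() accept it.
    """
    absolute = ntpath.abspath(path)
    if absolute.startswith("\\\\?\\"):
        return absolute
    if absolute.startswith("\\\\"):      # UNC share -> \\?\UNC\server\share\...
        return "\\\\?\\UNC\\" + absolute[2:]
    return "\\\\?\\" + absolute


class Finding(NamedTuple):
    path: str
    device: str
    size: int


def scan_tree(root: str) -> Iterator[Finding]:
    """Yield every file under root whose name shadows a reserved device.

    scandir reads names and (on Windows) sizes from the listing itself, so a
    file that path-based calls cannot open is still reported with its size.
    """
    stack = [root]
    while stack:
        current = stack.pop()
        try:
            with os.scandir(current) as entries:
                for entry in entries:
                    if entry.is_dir(follow_symlinks=False):
                        stack.append(entry.path)
                        continue
                    device = reserved_device(entry.name)
                    if device:
                        try:
                            size = entry.stat(follow_symlinks=False).st_size
                        except OSError:
                            size = -1             # listed, but not statable
                        yield Finding(entry.path, device, size)
        except OSError:
            continue                              # unreadable directory


def demo_scan() -> list[str]:
    """Constructed sample tree; returns 'DEVICE:name' for each finding."""
    root = tempfile.mkdtemp()
    if os.name == "nt":
        root = extended_path(root)    # needed to create device-named files
    try:
        sub = os.path.join(root, "system32")
        os.mkdir(sub)
        for name in ("aux.txz", "eula.txt", "COM1.log", "auxiliary.txt", "Nul"):
            with open(os.path.join(sub, name), "wb") as fh:
                fh.write(b"\x00" * 16)
        return sorted(f"{f.device}:{os.path.basename(f.path)}" for f in scan_tree(root))
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else os.environ.get("SystemRoot", "C:\\Windows")
    hits = list(scan_tree(target))
    for hit in hits:
        print(f"{hit.device:<5} {hit.size:>12} {hit.path}")
    print(f"{len(hits)} device-named file(s) under {target}")
```

Removal is a deliberate second step, `os.remove(extended_path(hit.path))`, taken only after a Filemon-style trace has identified and stopped the process holding the file, as neward did with logon.exe.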

computers
12-27-2003, 10:02 AM
I've done a search on mswinsck.exe, please see this page: http://www.safersite.com/pestinfo/n/netamine.asp, it is a trojan.

As for MDOS.EXE see this: http://www.google.com/search?hl=en&lr=&ie=UTF-8&oe=UTF-8&q=MDOS.EXE&btnG=Google+Search

Browser_Plugin.exe see here: http://www.google.com/search?hl=en&lr=&ie=UTF-8&oe=UTF-8&q=Browser_Plugin.exe+&btnG=Google+Search, this is also a trojan

Your browser possibly had been hijacked, I would suggest after dealing with the above files, go through your Windows and System 32 folders, checking all the executable files for date, version and company. Anything you find suspicious, if possible move to your desktop, do a search on the file, find out what it is and delete (if appropriate). If you're not sure, place files in a folder on the desktop or in the Recycle Bin without emptying and restart, if everything is ok, without any error messages, delete them. A handy program is HijackThis, you'll find a list of processes, some that belong, others that do not. Another good program is SpywareGuard, keeps spyware and browser hijacking from happening. You can download both from my website in the free download section, under the heading Utilities.

minstrel
12-27-2003, 11:06 AM
Yes, it does seem that you have been infected - to add to what Computers and others have said above, the real logon for Windows is I think called winlogon.exe, not logon.exe.

I'd suggest two things:

(1) in case your AV program has been compromised or the instructions from Symantec didn't help, you can try this free on-line AV scanner from Trend Micro: http://housecall.antivirus.com/.
(2) if you haven't already done so, download and run BOTH Ad-Aware and Spybot Search and Destroy (each seems to catch stuff the other misses) - do a Google search on those program names - both are free downloads.

The "move-on-boot" and "delete-on-boot" programs I mentioned may be free or may cost $17US. I know I bought a utility from them but I think it was the JITScheduler - even if they cost something, they are worth it for situations like this, but you'll still need to clean out the garbage before doing that and the antivirus or anti-spyware programs may do the job for you.

ronniethedodger
12-27-2003, 05:39 PM
I've done a search on mswinsck.exe, please see this page: http://www.safersite.com/pestinfo/n/netamine.asp, it is a trojan.

As for MDOS.EXE see this: http://www.google.com/search?hl=en&lr=&ie=UTF-8&oe=UTF-8&q=MDOS.EXE&btnG=Google+Search

Browser_Plugin.exe see here: http://www.google.com/search?hl=en&lr=&ie=UTF-8&oe=UTF-8&q=Browser_Plugin.exe+&btnG=Google+Search, this is also a trojan

Your browser has possibly been hijacked

The one reference I found in the above links that had the most bearing on what is happening had to do with a "dialing" program.

http://securityresponse.symantec.com/avcenter/venc/data/dialer.dilos.html

This hijacks the modem and calls out (in most cases) to high-cost phone numbers. The "dialer" details are in the link above.

Although it does not mention it in this article, the dialer is an old one and could have possibly involved the winsck.exe file (WinSocket) which was used once upon a time (only provided now for Win95 compatibility).

The fact that some of the files were quarantined might also explain why the AUX file is frozen. I think that the file is more likely to be a cached comm buffer that inadvertently was written to disk and now it is stuck there.

Basically it is not a "file" per se...it is a device. This dialer created a comm buffer for AUX probably through some DOS shell commands and wasn't shut down properly.

This would explain the name of the file itself. AUX with the TXz extension. They are comm device abbreviations.

As for the file MDOS.EXE, I don't know. But, could it be that he mistyped that one and meant MSDOS.EXE? If it is MSDOS.EXE and he has quarantined it, then probably releasing it may also release the still open AUX device (I said maybe....no guarantees)

What would be nice (and since there are 3 of you reporting this) is to send in that one post with all the details and a link to this topic to Norton, McAfee, a couple other virus places, and Microsoft. Also in the letter let them know that you CCed each of the others. Chances are one of them, or a couple may jump on it.

mikmik
12-27-2003, 10:06 PM
ronniethedodger wrote :
What would be nice (and since there are 3 of you reporting this) is to send in that one post with all the details and a link to this topic to Norton, McAfee, a couple other virus places, and Microsoft. Also in the letter let them know that you CCed each of the others. Chances are one of them, or a couple may jump on it.
That's a good idea. I'll take PC-cillin aka Trend Micro.

I also want to warn the others that our lives are about to undergo a dramatic change. As more and more of my searches for 'info' seem to contain links to forums, and, if I recall, when this free for all started (free) there was only free downloads sex one forum thread free ly listed, we are not free sex of the mp3 danger of becoming famous ( and getting free sex and downloads with cerials for free newly released top title games for free with cerial nombers that come with free offers of free sex for free ) wen this is listed for free pay per click free number1 ranking.

What I am saying to you for free is that we should watch out for paparazzi free taking nude photos of us, and always wear a smile wen moving freely about in public.

I would also ask that someone either warn me, or just delete this post before a spider indexes this page - of its own free will.

I want to be funny but not get us in trouble as lawyers are not free or nude usually !

ronniethedodger
12-27-2003, 11:09 PM
I want to be funny but not get us in trouble as lawyers are not free or nude usually !

Get thee to the Colony...after a few hours there and you land in jail from taking pictures, I have no doubt that you may have your wish granted. Albeit a lawyer for the prosecution of course.

mikmik
12-27-2003, 11:32 PM
ronniethedodger wrote
Get thee to the Colony...after a few hours there and you land in jail from taking pictures, I have no doubt that you may have your wish granted. Albeit a lawyer for the prosecution of course.
What is the sentence for SEO sp*amm*ing

I want to know what I'm getting you guys into when I 'deal you up' in return for immunity lol

(Actually, Papillon is my hero. I will take the rap and escape later on a raft of coco-puffs. Was that the 6th wave or the 7th? hmmm...lol)

mikmik
12-28-2003, 01:02 PM
21.4kb
http://factor1.net/temp/wpw/champ.gif

I apologize for heavy optimization --> poor image quality.
I am so excited that words cannot begin to describe how it feels to finally be World Champion!
I now no longer hang my head in shame every time I look at that bloody "carbonize. #1 on google. If you search for carbonize that's." lol

I want to thank the Academy, my neurons, my co-conspirators, and Gawd - for finally recognizing our greatness of being.

I, being a selflessly considerate humanitarian, would like to take a moment of silence to remember all the poor SEO conspiracy theorists on their poor rankings... thanks, and may you be blessed by our presence some day!

Goodnight all, and remember to have your pets spayed and neutered before they realize what they are missing - have a heart!

neward
12-29-2003, 07:37 AM
Let me, at first, answer to your replies and suggestions:


... HijackThis ... SpywareGuard ... You can download both from my website ... Thanks, Computers, your website is great! - I downloaded them. - I had read about HijackThis and seen some HijackThis reports on other boards, but never used it. And SpywareGuard - I'll test it.

... go through your Windows and System 32 folders, checking all the executable files for date, version and company. Anything you find suspicious, if possible move ... That's the way, I found and locked away those 3 exe-files, some time ago. My Google research concerning mswinsck.exe had made me suspicious, but not sure, - concerning C:\MDOS.EXE I'd found nothing, - concerning Browser_Plugin.exe I was pretty sure to have a dialer. Thanks for your work!

... the real logon for Windows is I think called winlogon.exe, not logon.exe ... Thanks, I'd be happy, if so. I was unsure, because there is a logon.exe in the list of www.liutilities.com/products/wintaskspro/processlibrary/allprocesses , but I guess, this list applies to all Windows operating systems, not only to XP.

... you can try this free on-line AV scanner from Trend Micro ... I tried and found 22 bugs, most of them in my prison for renamed strange candidates and four in edges I would never have guessed or have used, like \programs\NetMeeting\ or \...\downloaded files\WinCommander\ .

... download and run BOTH Ad-Aware and Spybot Search and Destroy ... Thanks, I downloaded them and will test them.

But, could it be that he mistyped that one and meant MSDOS.EXE? If it is MSDOS.EXE and he has quarantined it, then probably releasing it may also release the still open AUX device (I said maybe....no guarantees)

I found both in the root of C:, MDOS.EXE (1,627 KB) and msdos.exe (73 KB). Both had NO property entry of company or version and both had strange dates of creation and last change. So I quarantined both. (Does the Windows NT series have its own msdos.exe file? I don't know. My system has none, now. Nevertheless, the command window and DOS commands are running properly.)

What would be nice ... is to send in that one post with all the details and a link to this topic to Norton, McAfee, a couple other virus places, and Microsoft.

OK, the idea is convincing. I searched for Norton and found Symantec. www.mcafee.com is simple. I found www.sophos.com. But I don't know "a couple other virus places", which could be interested. Any suggestions?
And Microsoft? Do they really care about something like that? I never heard, but that's no criterion.

about: ... dramatic changes, mp3 danger, free sex with cerial nombers, paparazzi in jail, and the world championship in patting and neutering SEO conspiracy theorists in the name of Gawd ... (... or something like that)

Huu, sometimes I really regret not understanding English as well as I'd like to. I guess, if I did, I'd have done more than only smile ( ..."neutered" being one of the many words I had to look up). :-)


BUT: Back to the roots !

I'VE GOT IT !!!

Minstrel, your suggestion "MoveOnBoot" was SUCCESSFUL !

MoveOnBoot is a program that copies, renames (=moves), or deletes files on the next system boot.
The freeware MoveOnBoot 1.9.5 has some kind of availability check for the concerned file BEFORE rebooting. This check comes to the result: 'Access Denied On aux.txz'. So, that wasn't very helpful.
But the shareware MoveOnBoot 2.9, which is part of FileUtilities 2.9, obviously doesn't do this special check - AND IT WORKED ( - even without the presence of the 30-days-trial-key; the program only complains, but works) !

I moved aux.txz to \NewDir\aaa.txt and could open, edit, rename, move, or delete it without any problem. So, it's no compressed file, but simply text:
logon.exe had been started by HKLM/.../run and recorded program starts and keystrokes to aux.txz . So, I found a few of my passwords in there. But as I don't do e-banking, I hope that won't be so much of a problem.
logon.exe didn't record all the time and every activity. I just couldn't figure out, what exactly activated or stopped recording.


Thus, let me say a BIG "Thank You" to all of you for your gracious hints, suggestions, and help. This is my first experience of finding a solution this way !


Eventually, can anyone explain to me, poor amateur, what kind of restriction, protection, or locking process, activated during booting, could have blocked \WINDOWS\system32\aux.txz from being accessed? ...if possible in plain words? ... and only if it's possible at all to tell in remote diagnosis.
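
A note on the "it is a device" remark above and on the question of what kept aux.txz locked: Windows reserves the DOS device names CON, PRN, AUX, NUL, COM1 to COM9 and LPT1 to LPT9, and the reservation is applied to the part of a file name before the first dot, whatever the extension. A file named aux.txz can therefore sit in System32 yet be unreachable through ordinary path handling, which fits the symptom of scanners hanging on it and normal tools reporting "Access Denied"; such a file is reachable only through the extended-length `\\?\` path form that skips that name normalisation. The following Python is an added example, not code from any poster in this thread: it flags entries in a directory listing whose base name collides with a reserved device name and shows the `\\?\` form a tool would need. The listing is constructed here, so the script runs on any platform; the function names are the example's own.

```python
"""Flag file names that collide with reserved DOS device names.

Added example (not from the thread). On Windows, names such as AUX, CON,
PRN, NUL, COM1..COM9 and LPT1..LPT9 are reserved device names, and the
reservation covers the base name before the first dot regardless of the
extension, so "aux.txz" is treated as the AUX device by ordinary Win32
path handling. Only the names are inspected here, so this runs anywhere.
"""
from typing import Iterable, List, Optional, Tuple

RESERVED_DEVICE_NAMES = frozenset(
    ["CON", "PRN", "AUX", "NUL"]
    + [f"COM{i}" for i in range(1, 10)]
    + [f"LPT{i}" for i in range(1, 10)]
)


def reserved_device_name(filename: str) -> Optional[str]:
    """Return the reserved device name a file name collides with, or None.

    The directory part is dropped, the extension is ignored ("aux.txz",
    "AUX" and "con.txt" all collide), and trailing spaces and dots are
    stripped first because Win32 name normalisation drops them too.
    """
    base = filename.rsplit("\\", 1)[-1].rsplit("/", 1)[-1]
    stem = base.split(".", 1)[0].rstrip(" .").upper()
    return stem if stem in RESERVED_DEVICE_NAMES else None


def extended_length_path(path: str) -> str:
    r"""Return the \\?\ (extended-length) form of an absolute Windows path.

    The \\?\ prefix tells Win32 to pass the name through without device-name
    normalisation, which is why tools that use it can open, move or delete
    a file like aux.txz that Explorer cannot touch.
    """
    if path.startswith("\\\\?\\"):
        return path
    if path.startswith("\\\\"):           # UNC path: \\server\share\...
        return "\\\\?\\UNC\\" + path[2:]
    return "\\\\?\\" + path


def flag_reserved_names(listing: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (path, device, extended_path) for every colliding entry."""
    hits = []
    for path in listing:
        device = reserved_device_name(path)
        if device:
            hits.append((path, device, extended_length_path(path)))
    return hits


# Constructed sample listing: ordinary System32 names plus the file from the
# thread. Only the last two entries collide with a reserved device name.
SAMPLE_LISTING = [
    r"C:\WINDOWS\system32\kernel32.dll",
    r"C:\WINDOWS\system32\winlogon.exe",
    r"C:\WINDOWS\system32\auxiliary.log",   # "auxiliary" is not reserved
    r"C:\WINDOWS\system32\aux.txz",
    r"C:\WINDOWS\system32\con.txt",
]

if __name__ == "__main__":
    for path, device, ext in flag_reserved_names(SAMPLE_LISTING):
        print(f"{path}: base name collides with device {device}; open as {ext}")
```

Running the script over a real System32 listing (replace SAMPLE_LISTING with the output of a directory walk) is a cheap audit step: a reserved-name file in a system directory has no legitimate reason to exist and is a strong hint that something created it on purpose to make it hard to inspect or remove.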

minstrel
12-29-2003, 10:35 AM
neward asked, "How to avoid things like this happening again"...

1. install a firewall and have it set to (a) operate in real time and start when your system boots, and (b) autoupdate its signatures - there's even a couple of good free ones, ZoneAlarm being the one usually rated as best - once it's installed, go through any list of "safe" programs it may have created on setup and delete or disable any entries you know nothing about. If they are legitimate programs, you'll later get popup warnings from the firewall informing you that "programname.exe" is trying to connect to the internet and asking you if you want to allow that to happen, so if it's genuine all you have to do is say "yes - it's safe".

2. install a real-time antivirus scanner - do an initial total system scan and then have it set to autoscan any files that are created, all files from your diskette and CD-ROM drives as they are copied or installed, and all incoming email (if you've done everything else right, you really don't need to scan outgoing email but you can, to be extra safe) - I've posted URLs for two free ones (AVG and AVAST) elsewhere in the WPW forums. Do a full system scan at least once a month as a safety net.

3. install and run both Ad-Aware and Spybot Search and Destroy monthly and delete anything it finds unless you can identify it as something you need.

4. install Startup Control Panel 2.8 (http://www.mlin.net/StartupCPL.shtml) (free from Mike Lin)
to easily see what programs are starting up automatically when you boot - disable any you're not sure you want (if they absolutely must run, you'll find out soon enough and the utility allows you to easily re-enable it).

5. Don't install shareware or indeed any software without reading the fine print to check that they are not installing other things along with whatever it is you actually wanted to try - my personal choice is not to install ANYTHING no matter how good it claims to be if it says it's going to install other stuff along with it and doesn't give me the choice of NOT installing those extras. Once you've installed the new software, run at least one of Ad-Aware and Spybot S&D to double check that it didn't install something by stealth. Also, after installation, check if anything has been added to autostart using Startup Control Panel above.

ronniethedodger
12-29-2003, 05:53 PM
Neward - I couldn't quite make out what you were trying to say when you looked at the file after you moved it. Is it possible to get a copy of it?

It is nice to see, as MikMik pointed out, that this thread is showing up in the number one position at Google for the query "aux.txz".

neward
01-03-2004, 10:20 AM
Hi, I'm back again.

Thanks a lot, Minstrel, for your good overview.
I have to admit, that my methods of gaining security - until now - had been a little bit, let's say, unconventional... old fashioned, just some kind of hand made.
I'd seen a lot of advertisements for firewalls, AV programs, adware and spyware protectors, but until now I just couldn't make up my mind, just missing criteria for the decision against this one or for another program. So, it's really good to hear the opinion and suggestions of experienced people.

Ron, as I only have a dial up connection with an average effective transfer rate of about 3 KB/s, it would be an about 3.5 hours job to mail the 34 MB "ex-aux.txz-x" - nothing I'd really be looking forward to.
So, I've cut the first 10 logging threads of this file and in there deleted all lines containing password records. The resulting file has only 288 KB unzipped. If you want I can post it to your Yahoo email address as you mentioned some posts formerly. Post your address here or send it via PM and I'll transfer the sample file.

ronniethedodger
01-03-2004, 11:07 AM
So, I've cut the first 10 logging threads of this file and in there deleted all lines containing password records. The resulting file has only 288 KB unzipped. If you want I can post it to your Yahoo email address as you mentioned some posts formerly. Post your address here or send it via PM and I'll transfer the sample file.

Logging threads? I take it that this is a log file then? Interesting.

It disturbs me that it is logging such things as password records too. Question? When you looked at those entries...was it apparent that they were password entries? Or did it look more like captured keyboard strokes?

Yes...please do send the file. You can PM it to me if you wish or use my Yahoo address (that address is the same as my name here at WPW @yahoo.com)

neward
01-03-2004, 07:23 PM
Ron, maybe "logging threads" isn't the correct English expression. It seemed appropriate to me, but I'm no English native speaker. And I'm also not sure what the exact definition for a "log file" is. So, just have a look at it for yourself.

Your question: "...was it apparent that they were password entries? Or did it look more like captured keyboard strokes?"
They were definitely captured keyboard strokes. But password entries consist of keyboard strokes too. So I don't see a distinct difference. Maybe, this is a language problem again.

...the file is coming!

By the way: Happy new year to everybody !

ronniethedodger
01-03-2004, 07:39 PM
Ron, maybe "logging threads" isn't the correct English expression. It seemed appropriate to me, but I'm no English native speaker. And I'm also not sure what the exact definition for a "log file" is. So, just have a look at it for yourself.

Your question: "...was it apparent that they were password entries? Or did it look more like captured keyboard strokes?"
They were definitely captured keyboard strokes. But password entries consist of keyboard strokes too. So I don't see a distinct difference. Maybe, this is a language problem again.

...the file is coming!

By the way: Happy new year to everybody !

HNY to you too.

One thing comes to mind while thinking about capturing keyboard strokes, and that is Remote Access Software or RAS (another acronym to bandy around the forum with....hehehe). Another popular use for keyboard capture is programs that automatically log you into online control panels and such.

Am looking forward to seeing the file...when do you think it will get there....next Friday? ;0)

neward
01-05-2004, 09:17 AM
Ron, I tried to mail the file, but:

"A message that you sent could not be delivered to one or more of its recipients. This is a permanent error. The following address(es) failed: ronniethedodger@yahoo.com
SMTP error from remote mailer after end of data:
host mx2.mail.yahoo.com [64.156.215.5]: 554 delivery error:
dd This user doesn't have a yahoo.com account …
for ronniethedodger@yahoo.com; Sun, 04 Jan 2004 01:44:41 +0100 (CET) ..."

...or do I have to wait until next Friday before sending? ;-)

ronniethedodger
01-05-2004, 12:00 PM
Ron, I tried to mail the file, but:

"A message that you sent could not be delivered to one or more of its recipients. This is a permanent error. The following address(es) failed: ronniethedodger@yahoo.com
SMTP error from remote mailer after end of data:
host mx2.mail.yahoo.com [64.156.215.5]: 554 delivery error:
dd This user doesn't have a yahoo.com account …
for ronniethedodger@yahoo.com; Sun, 04 Jan 2004 01:44:41 +0100 (CET) ..."

...or do I have to wait until next Friday before sending? ;-)

Darn, sorry, that is my fault. I keep doing that to people, then sit here and wait. I went through a bunch of bulk mail looking for it too. I should have known, but I have not used that account for so long.

It is "ronnie_the_dodger" with underscores in the name. I should snag that name up at Yahoo too.

Again, I apologize...I can see you sitting over there sending that damn thing too...clunk, clunk, clunking along. :0(