Author Topic: How to remove x.exe ?  (Read 11300 times)


tempuser

  • Guest
How to remove x.exe ?
« on: October 14, 2010, 01:36:40 PM »
Hello,

My system is a Windows XP Pro SP2, clean install after a format, and Avast 5.0.677 Free.
I am using this at the office, in an office network, with a total of 4 PCs. This happens only to my PC.

Avast keeps informing me (around 11 am):

avast File System Shield has blocked a threat.
No further action is required.
Object: C:\Windows\System32\x
Infection: Win32:Confi [Wrm]
Action: Moved to chest
Process: C:\Windows\System32\svchost.exe
The threat was detected and blocked just before the file was executed.


Another message says something else (same day around 12:15):

avast File System Shield has blocked a threat.
No further action is required.
Object:C:\Documents And Settings\NetworkService\Local Settings\Temporary Internet Files\Content IE5\zqhxi[1].jpg
Infection: Win32:Confi [Wrm]
Process: C:\Windows\System32\x.exe
The threat was detected and blocked just before the file was executed.


These messages repeat each day, no matter what I do. But the real harm is that after Avast kills SVCHOST.EXE I get this error:

Generic Host Process for Win32 Services has encountered an error and needs to close

I have attached the details of the entire error to this post, with the name Service error.jpg.

OK, so this error kills some of my important processes: Server process, Workstation process, Windows Audio process. I am able to start all these processes, except one, a vital one: Windows Firewall/Internet Connection Sharing (ICS), which has a path to: C:\WINDOWS\System32\svchost.exe -k netsvcs, yes the SVCHOST.exe that Avast killed and moved to chest. If I can't start Windows Firewall/Internet Connection Sharing (ICS), it means that, excluding the essential firewall protection, other PCs in my workgroup cannot see my SHARED FILES, vital to my office.

So how can I get rid of this virus? Or how can I start Windows Firewall/Internet Connection Sharing (ICS) service?

I have also attached a ComboFix log to this post, and a hijackthis log.
Thank you very much.


Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37614
  • Not a avast user
Re: How to remove x.exe ?
« Reply #1 on: October 14, 2010, 02:08:52 PM »
Try this

Malwarebytes Anti-Malware 1.46 http://filehippo.com/download_malwarebytes_anti_malware/
always run update before you scan so you have the latest database
click on the remove selected button to quarantine anything found
you may post the scan log here

tempuser

  • Guest
Re: How to remove x.exe ?
« Reply #2 on: October 15, 2010, 07:58:27 AM »
Thank you for taking the time to assist me in my particular issue.

Here is the log from MalwareBytes:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4827

Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18702

15/10/2010 08:32:18
mbam-log-2010-10-15 (08-32-18).txt

Scan type: Quick scan
Objects scanned: 134249
Time elapsed: 10 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMHelp (Hijack.Help) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\LH1IG7AY\xzda[1].png (Worm.Conficker) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\UQJH2Z7Y\dwdgsvxg[1].bmp (Worm.Conficker) -> Quarantined and deleted successfully.


After this, I've restarted and scanned again, no viruses were found at the second scan.
I will try and monitor today and see if x.exe is still being created. My guess is that these files from C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\LH1IG7AY\xzda[1].png create x.exe, or some .dll in my system somehow creates x.exe.

I just hope Avast won't kill my SVCHOST.exe again, this will make my SHARED FOLDERS inaccessible again, and force me to restart.

Again, thank you.
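
Added example, not part of the original posts and not an Avast or Malwarebytes tool: the detections in the log above are image-named files in the NetworkService browser cache, so a quick triage check is whether such files really begin with the signature of the image type their extension claims. The directory tree and file bytes are constructed stand-ins (the folder and file names are borrowed from the log only as labels), and `classify`, `scan` and `demo` are hypothetical names.

```python
import pathlib
import tempfile

# Leading bytes a genuine file of each type starts with.
IMAGE_MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".bmp": (b"BM",),
    ".gif": (b"GIF87a", b"GIF89a"),
}

def classify(path):
    """Return 'ok', 'pe-executable' or 'mismatch'; None if not image-named."""
    magics = IMAGE_MAGIC.get(path.suffix.lower())
    if magics is None:
        return None
    with open(path, "rb") as fh:
        head = fh.read(8)
    if head.startswith(magics):
        return "ok"
    # "MZ" opens the DOS/PE header of Windows EXE and DLL files.
    return "pe-executable" if head.startswith(b"MZ") else "mismatch"

def scan(root):
    """Map each image-named file under root that fails the check to its verdict."""
    findings = {}
    for path in sorted(pathlib.Path(root).rglob("*")):
        verdict = classify(path) if path.is_file() else None
        if verdict not in (None, "ok"):
            findings[path.relative_to(root).as_posix()] = verdict
    return findings

def demo():
    """Scan a constructed cache tree; the bytes are stand-ins, not real samples."""
    samples = {
        "LH1IG7AY/xzda[1].png": b"MZ\x90\x00" + bytes(60),        # PE-style header
        "LH1IG7AY/logo[1].png": b"\x89PNG\r\n\x1a\n" + bytes(8),  # valid PNG signature
        "UQJH2Z7Y/dwdgsvxg[1].bmp": b"\x01\x02\x03\x04",          # neither BMP nor PE
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, data in samples.items():
            target = pathlib.Path(root, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)
        return scan(root)

if __name__ == "__main__":
    for rel, verdict in demo().items():
        print(f"{verdict:14} {rel}")
```

On a live system, point `scan` at the Content.IE5 folder from an account allowed to read it; a finding is a reason to hand the file to a scanner, not a verdict on its own.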

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37614
  • Not a avast user
Re: How to remove x.exe ?
« Reply #3 on: October 15, 2010, 08:29:27 AM »
« Last Edit: October 15, 2010, 08:42:36 AM by Pondus »

Offline Tarq57

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3694
  • If at first you don’t succeed; call it version 1.0
Re: How to remove x.exe ?
« Reply #4 on: October 15, 2010, 09:17:15 AM »
Any reason to not update it to SP3?
Not a bad idea.
Support (MS updates) for SP2 has been withdrawn, if I remember correctly.
Windows 10,Windows Firewall,Firefox w/Adblock.

SafeSurf

  • Guest
Re: How to remove x.exe ?
« Reply #5 on: October 15, 2010, 10:21:17 AM »
I agree with Tarq in updating SP2 to SP3. However, given that the OP was exposed to the Conficker virus, I would suggest downloading the following for protection for the future to vaccinate his/her machine and any removable devices:
http://research.pandasecurity.com/panda-usb-and-autorun-vaccine/

I use this and it does not conflict with Avast at all.  It is just an added measure of protection.

I would also clean your machine with something like CCleaner, a freeware system optimization, privacy and cleaning tool.  There is a Slim version available as well at http://www.piriform.com/ccleaner/builds - 4th option down.  It removes unused files (cache, temporary Internet files, etc.) from your system - allowing Windows to run faster and freeing up valuable hard disk space.  It also cleans traces of your online activities such as your Internet history.  Additionally it contains a fully featured registry cleaner, but I suggest making a backup prior to doing a registry cleaning.

Additionally, you can clean temp. Internet Files not cleaned with CCleaner with TFC by OldTimer - download to your desktop.  http://www.geekstogo.com/forum/files/file/187-tfc-temp-file-cleaner-by-oldtimer/
·    Please double-click TFC.exe to run it.  (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
·    It will close all programs when running, so make sure you have saved all your work before you begin.
·    Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two.  Let it run uninterrupted to completion.
·    Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.

However leave the items quarantined by MBAM there; do not delete.  Keep your Avast definitions up to date and you may want to do a boot-time scan as well. 

Since XP firewall is ineffective and only allows 1-way protection, I recommend a third-party firewall with 2-way protection (Online Armor, Outpost, and Comodo without AV seem to work well with Avast).  You should consider changing your FW to maximize your protection.

SafeSurf

  • Guest
Re: How to remove x.exe ?
« Reply #6 on: October 18, 2010, 09:15:16 AM »
@ Seymourr,

You're welcome, and welcome to the forum.  :)