Author Topic: spyware trojan in x.exe file  (Read 53021 times)

0 Members and 1 Guest are viewing this topic.

Nicodemius

  • Guest
spyware trojan in x.exe file
« on: December 02, 2008, 06:50:06 PM »
Hi all, hi essexboy

Thank you for helping me to resolve the problem similar to this post http://forum.avast.com/index.php?topic=40551.msg340262#msg340262 related to an infection by x.exe file.

Please find below the link to the OTScanit log that you have required.

http://www.mediafire.com/file/mdjjmnmwkyt/20081202 Nicodemius OTScanIt.Txt

Thank you

Nico

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: spyware trojan in x.exe file
« Reply #1 on: December 02, 2008, 08:00:55 PM »
Hi I am now going to be a pain in the butt as the programme you used was updated today and is a lot more powerfull and thorough

To ensure that I get all the information this log will need to be uploaded to Mediafire and post the sharing link.

Download OTScanit2  to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.
  • Close ALL OTHER PROGRAMS.
  • Open the OTScanit folder and double-click on OTScanit.exe to start the program.
  • Check the box that says Scan All Users
  • Check the Radio button for Rootkit check YES
  • Under Additional Scans check the following:
    • File - Lop Check
    • File - Purity Scan
    • Evnt - EventViewer Errors/Warnings (last 10)
    • Now click the Run Scan button on the toolbar.
    • Let it run unhindered until it finishes.
    • When the scan is complete Notepad will open with the report file loaded in it.
    • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

    Nicodemius

    • Guest
    Re: spyware trojan in x.exe file
    « Reply #2 on: December 02, 2008, 09:00:43 PM »
    Hi

    I've uploaded the new file, http://www.mediafire.com/?djjy2ejtmim

    tx

    Offline essexboy

    • Malware removal instructor
    • Avast Überevangelist
    • Probably Bot
    • *****
    • Posts: 40589
    • Dragons by Sasha
      • Malware fixes
    Re: spyware trojan in x.exe file
    « Reply #3 on: December 02, 2008, 09:25:16 PM »
    OK methinks I found the ini but lets try it and see

    Start OTScanit. Copy/Paste the information in the quotebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

    Code: [Select]
    [Unregister Dlls]
    [Registry - Safe List]
    < Drives with AutoRun files > ->
    YY -> H:\Autorun.inf [[autorun] | open=RECYCLER\S-1-6-21-2434476501-1644491937-600003330-1213\autorunme.exe | icon=%SystemRoot%\system32\SHELL32.dll,4 | action=Open folder to view files | shell\open=Open | shell\open\command=RECYCLER\S-1-6-21-2434476501-1644491937-600003330-1213\autorunme.exe | shell\open\default=1 | ] -> H:\Autorun.inf [ FAT32 ]
    < MountPoints2 [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
    YY -> \{ed812af3-79f7-11dd-a7cc-0010dc7bdb2a}\Shell\AutoRun\command\\"" -> H:\RECYCLER\S-1-6-21-2434476501-1644491937-600003330-1213\autorunme.exe [H:\RECYCLER\S-1-6-21-2434476501-1644491937-600003330-1213\autorunme.exe]
    YY -> \{ed812af3-79f7-11dd-a7cc-0010dc7bdb2a}\Shell\open\command\\"" -> H:\RECYCLER\S-1-6-21-2434476501-1644491937-600003330-1213\autorunme.exe [H:\RECYCLER\S-1-6-21-2434476501-1644491937-600003330-1213\autorunme.exe]
    [Files/Folders - Created Within 90 Days]
    NY -> i -> %SystemRoot%\System32\i
    NY -> SecurityandPrivacy3.ini -> %SystemRoot%\SecurityandPrivacy3.ini
    [Files/Folders - Modified Within 90 Days]
    NY -> 1e74314e9ec17fba8f6c6564628e9652.dll -> F:\Documents and Settings\Administrator\Local Settings\Temp\pdk-Administrator\1e74314e9ec17fba8f6c6564628e9652.dll
    NY -> a90345612c0a4da37a217ab2158ffdf4.dll -> F:\Documents and Settings\Administrator\Local Settings\Temp\pdk-Administrator\a90345612c0a4da37a217ab2158ffdf4.dll
    NY -> adc0a30ac2ec86a8ca2ba506352d899b.dll -> F:\Documents and Settings\Administrator\Local Settings\Temp\pdk-Administrator\adc0a30ac2ec86a8ca2ba506352d899b.dll
    NY -> c7152a6b17345c19ed17d72b56516ee7.dll -> F:\Documents and Settings\Administrator\Local Settings\Temp\pdk-Administrator\c7152a6b17345c19ed17d72b56516ee7.dll
    NY -> f617732e511d9e55dbbfe8f4f1385356.dll -> F:\Documents and Settings\Administrator\Local Settings\Temp\pdk-Administrator\f617732e511d9e55dbbfe8f4f1385356.dll
    NY -> i -> %SystemRoot%\System32\i
    NY -> xpy.ini -> %AppData%\xpy.ini
    [Empty Temp Folders]


    The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new Hijackthis log.

    I will review the information when it comes back in.

    Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.

    Nicodemius

    • Guest
    Re: spyware trojan in x.exe file
    « Reply #4 on: December 02, 2008, 10:17:07 PM »
    hi

    I was unable to apply the fix as thr process of OTscanIt was not responding, the fix is blocked at line

    >[Files/Folders - Created Within 90 Days]
    >NY -> i -> %SystemRoot%\System32\i

    and therefore no message box pop up.




    Offline essexboy

    • Malware removal instructor
    • Avast Überevangelist
    • Probably Bot
    • *****
    • Posts: 40589
    • Dragons by Sasha
      • Malware fixes
    Re: spyware trojan in x.exe file
    « Reply #5 on: December 02, 2008, 10:26:32 PM »
    OK let me try my other removal programme as I can see what to remove

    Please download the OTMoveIt3 by OldTimer.
    • Save it to your desktop.
    • Please double-click OTMoveIt3.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
    • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code: [Select]
    :Reg
    [-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ed812af3-79f7-11dd-a7cc-0010dc7bdb2a}]

    :Files
    F:\Documents and Settings\Administrator\Local Settings\Temp\pdk-Administrator\1e74314e9ec17fba8f6c6564628e9652.dll
    F:\Documents and Settings\Administrator\Local Settings\Temp\pdk-Administrator\a90345612c0a4da37a217ab2158ffdf4.dll
    F:\Documents and Settings\Administrator\Local Settings\Temp\pdk-Administrator\adc0a30ac2ec86a8ca2ba506352d899b.dll
    F:\Documents and Settings\Administrator\Local Settings\Temp\pdk-Administrator\c7152a6b17345c19ed17d72b56516ee7.dll
    F:\Documents and Settings\Administrator\Local Settings\Temp\pdk-Administrator\f617732e511d9e55dbbfe8f4f1385356.dll
    %SystemRoot%\System32\i
    %SystemRoot%\SecurityandPrivacy3.ini
    %AppData%\xpy.ini
    %SystemRoot%\System32\i
    H:\Autorun.inf
    :Commands
    [purity]
    [emptytemp]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.

    • Click the red Moveit! button.
    • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
    • Close OTMoveIt3
    Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

    Nicodemius

    • Guest
    Re: spyware trojan in x.exe file
    « Reply #6 on: December 02, 2008, 10:56:25 PM »
    hi no luck today I had to run the program twice as it asked me for pearl56.dll; for the second attemp no dll was required ???, please find below the two logs

    Note after running the program twice that the x.exe is still present. :'(

    first one
    --------
    ========== REGISTRY ==========
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ed812af3-79f7-11dd-a7cc-0010dc7bdb2a}\\ deleted successfully.
    ========== FILES ==========
    LoadLibrary failed for F:\Documents and Settings\Administrator\Local Settings\Temp\pdk-Administrator\1e74314e9ec17fba8f6c6564628e9652.dll
    F:\Documents and Settings\Administrator\Local Settings\Temp\pdk-Administrator\1e74314e9ec17fba8f6c6564628e9652.dll NOT unregistered.
    F:\Documents and Settings\Administrator\Local Settings\Temp\pdk-Administrator\1e74314e9ec17fba8f6c6564628e9652.dll moved successfully.
    LoadLibrary failed for F:\Documents and Settings\Administrator\Local Settings\Temp\pdk-Administrator\a90345612c0a4da37a217ab2158ffdf4.dll
    F:\Documents and Settings\Administrator\Local Settings\Temp\pdk-Administrator\a90345612c0a4da37a217ab2158ffdf4.dll NOT unregistered.
    F:\Documents and Settings\Administrator\Local Settings\Temp\pdk-Administrator\a90345612c0a4da37a217ab2158ffdf4.dll moved successfully.
    LoadLibrary failed for F:\Documents and Settings\Administrator\Local Settings\Temp\pdk-Administrator\adc0a30ac2ec86a8ca2ba506352d899b.dll
    F:\Documents and Settings\Administrator\Local Settings\Temp\pdk-Administrator\adc0a30ac2ec86a8ca2ba506352d899b.dll NOT unregistered.
    F:\Documents and Settings\Administrator\Local Settings\Temp\pdk-Administrator\adc0a30ac2ec86a8ca2ba506352d899b.dll moved successfully.
    LoadLibrary failed for F:\Documents and Settings\Administrator\Local Settings\Temp\pdk-Administrator\c7152a6b17345c19ed17d72b56516ee7.dll
    F:\Documents and Settings\Administrator\Local Settings\Temp\pdk-Administrator\c7152a6b17345c19ed17d72b56516ee7.dll NOT unregistered.
    F:\Documents and Settings\Administrator\Local Settings\Temp\pdk-Administrator\c7152a6b17345c19ed17d72b56516ee7.dll moved successfully.
    LoadLibrary failed for F:\Documents and Settings\Administrator\Local Settings\Temp\pdk-Administrator\f617732e511d9e55dbbfe8f4f1385356.dll
    F:\Documents and Settings\Administrator\Local Settings\Temp\pdk-Administrator\f617732e511d9e55dbbfe8f4f1385356.dll NOT unregistered.
    F:\Documents and Settings\Administrator\Local Settings\Temp\pdk-Administrator\f617732e511d9e55dbbfe8f4f1385356.dll moved successfully.
    F:\WINDOWS\System32\i moved successfully.
    F:\WINDOWS\SecurityandPrivacy3.ini moved successfully.
    F:\Documents and Settings\Administrator\Application Data\xpy.ini moved successfully.
    Folder F:\WINDOWS\System32\i not found.
    File/Folder H:\Autorun.inf not found.
    ========== COMMANDS ==========
    File delete failed. F:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~DF6BA5.tmp scheduled to be deleted on reboot.
    File delete failed. F:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~DF8717.tmp scheduled to be deleted on reboot.
    File delete failed. F:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~DF8731.tmp scheduled to be deleted on reboot.
    User's Temp folder emptied.
    User's Temporary Internet Files folder emptied.
    User's Internet Explorer cache folder emptied.
    Local Service Temp folder emptied.
    File delete failed. F:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
    Local Service Temporary Internet Files folder emptied.
    File delete failed. F:\WINDOWS\temp\_avast4_\Webshlock.txt scheduled to be deleted on reboot.
    File delete failed. F:\WINDOWS\temp\Perflib_Perfdata_610.dat scheduled to be deleted on reboot.
    Windows Temp folder emptied.
    Java cache emptied.
    Temp folders emptied.
     
    OTMoveIt3 by OldTimer - Version 1.0.7.1 log created on 12022008_223539

    Files moved on Reboot...
    File move failed. F:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~DF6BA5.tmp scheduled to be moved on reboot.
    F:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~DF8717.tmp moved successfully.
    F:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~DF8731.tmp moved successfully.
    File move failed. F:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.
    File move failed. F:\WINDOWS\temp\_avast4_\Webshlock.txt scheduled to be moved on reboot.
    File move failed. F:\WINDOWS\temp\Perflib_Perfdata_610.dat scheduled to be moved on reboot.

    second one
    ---------------
    ========== REGISTRY ==========
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ed812af3-79f7-11dd-a7cc-0010dc7bdb2a}\\ deleted successfully.
    ========== FILES ==========
    File/Folder F:\Documents and Settings\Administrator\Local Settings\Temp\pdk-Administrator\1e74314e9ec17fba8f6c6564628e9652.dll not found.
    File/Folder F:\Documents and Settings\Administrator\Local Settings\Temp\pdk-Administrator\a90345612c0a4da37a217ab2158ffdf4.dll not found.
    File/Folder F:\Documents and Settings\Administrator\Local Settings\Temp\pdk-Administrator\adc0a30ac2ec86a8ca2ba506352d899b.dll not found.
    File/Folder F:\Documents and Settings\Administrator\Local Settings\Temp\pdk-Administrator\c7152a6b17345c19ed17d72b56516ee7.dll not found.
    File/Folder F:\Documents and Settings\Administrator\Local Settings\Temp\pdk-Administrator\f617732e511d9e55dbbfe8f4f1385356.dll not found.
    Folder F:\WINDOWS\System32\i not found.
    Folder F:\WINDOWS\SecurityandPrivacy3.ini not found.
    Folder F:\Documents and Settings\Administrator\Application Data\xpy.ini not found.
    Folder F:\WINDOWS\System32\i not found.
    H:\Autorun.inf moved successfully.
    ========== COMMANDS ==========
    File delete failed. F:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~DF6BA5.tmp scheduled to be deleted on reboot.
    User's Temp folder emptied.
    User's Temporary Internet Files folder emptied.
    User's Internet Explorer cache folder emptied.
    Local Service Temp folder emptied.
    File delete failed. F:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
    Local Service Temporary Internet Files folder emptied.
    File delete failed. F:\WINDOWS\temp\_avast4_\Webshlock.txt scheduled to be deleted on reboot.
    File delete failed. F:\WINDOWS\temp\Perflib_Perfdata_610.dat scheduled to be deleted on reboot.
    Windows Temp folder emptied.
    Java cache emptied.
    Temp folders emptied.
     
    OTMoveIt3 by OldTimer - Version 1.0.7.1 log created on 12022008_224107

    Files moved on Reboot...
    F:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~DF6BA5.tmp moved successfully.
    File move failed. F:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.
    File F:\WINDOWS\temp\_avast4_\Webshlock.txt not found!
    File F:\WINDOWS\temp\Perflib_Perfdata_610.dat not found!


    hope it will help


    Offline essexboy

    • Malware removal instructor
    • Avast Überevangelist
    • Probably Bot
    • *****
    • Posts: 40589
    • Dragons by Sasha
      • Malware fixes
    Re: spyware trojan in x.exe file
    « Reply #7 on: December 02, 2008, 11:53:55 PM »
    What we will do now is run combofix to take x out and see what remains

    Download ComboFix from one of these locations:

    Link 1
    Link 2
    Link 3


    * IMPORTANT !!! Save ComboFix.exe to your Desktop


    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
    • Double click on ComboFix.exe & follow the prompts.
    • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.  It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.




    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:




    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you.  Please include the C:\ComboFix.txt in your next reply.

    Nicodemius

    • Guest
    Re: spyware trojan in x.exe file
    « Reply #8 on: December 03, 2008, 11:36:01 AM »
    Hi,

    Thank you I will do that this evening but note that after implemented the last fix with OtMoveit3, the internet connection was very low or not existing ("internet explorer can not display the page) and I 've still the problem. If I can not sort it out I will do a system restore.
    I will let you know the result.

    Nico

    Nicodemius

    • Guest
    Re: spyware trojan in x.exe file
    « Reply #9 on: December 03, 2008, 06:30:09 PM »
    Hi essexboy,

    I have run combofix and my internet connexion is back again  :D
    You can find the log here: http://www.mediafire.com/?m2wm3yygdiz

    The problem is that x.exe, quicktime. exe and the "I" file are back, they have seen terminator or what?  8)

    Tx nic

    Offline essexboy

    • Malware removal instructor
    • Avast Überevangelist
    • Probably Bot
    • *****
    • Posts: 40589
    • Dragons by Sasha
      • Malware fixes
    Re: spyware trojan in x.exe file
    « Reply #10 on: December 03, 2008, 10:06:08 PM »
    Is your G drive a USB stick or a separate partition ?

      1 - Flash Drive Disinfector
      Download Flash_Disinfector.exe by sUBs from >here< and save it to your desktop.
      • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
      • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
      • Wait until it has finished scanning and then exit the program.
      • Reboot your computer when done.
      Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder...it will help protect your drives from future infection.[/list]

      THEN

      1. Please open Notepad
      • Click Start , then Run
      • Type notepad .exe in the Run Box.
      2. Now copy/paste the entire content of the codebox below into the Notepad window:

      Code: [Select]
      KillAll::

      File::
      f:\windows\system32\Cache
      f:\windows\system32\csrsc.exe
      f:\windows\system32\i
      f:\windows\system32\x.exe
      f:\windows\system32\y.exe
      G:\x.bat

      Registry::
      [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6b1caed0-7aa4-11dd-a7cd-0010dc7bdb2a}]

      3. Then in the text file go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES

      4. Save the above as CFScript.txt

      5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below.  This will start ComboFix again.




      6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
      • Combofix.txt
      • A new HijackThis log.

      Nicodemius

      • Guest
      Re: spyware trojan in x.exe file
      « Reply #11 on: December 03, 2008, 11:27:53 PM »
      Hi,

      I was totally not aware of the G drive ??? What I have normally is F: main drive C: backup H: usb stick

      Find the logs of Combofix.txt  and  HijackThis log there: http://www.mediafire.com/?jmgorrbzxay


      Offline essexboy

      • Malware removal instructor
      • Avast Überevangelist
      • Probably Bot
      • *****
      • Posts: 40589
      • Dragons by Sasha
        • Malware fixes
      Re: spyware trojan in x.exe file
      « Reply #12 on: December 03, 2008, 11:39:06 PM »
      OK call me a numpty when I wrote the fix I inadvertently deleted one file that should have been removed.  Put it down to my age  

      1. Please open Notepad
      • Click Start , then Run
      • Type notepad .exe in the Run Box.
      2. Now copy/paste the entire content of the codebox below into the Notepad window:

      Code: [Select]
      KillAll::

      File::
      f:\windows\system32\Cache
      f:\windows\system32\csrsc.exe
      f:\windows\system32\i
      f:\windows\system32\x.exe
      f:\windows\system32\y.exe
      f:\windows\system32\quicktime.exe

      3. Then in the text file go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES

      4. Save the above as CFScript.txt

      5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below.  This will start ComboFix again.




      6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
      • Combofix.txt
      • A new HijackThis log.

      Nicodemius

      • Guest
      Re: spyware trojan in x.exe file
      « Reply #13 on: December 04, 2008, 12:02:13 AM »
      Hi
      no stress  ;)

      please find the logs http://www.mediafire.com/?nmtmcjtudzn


      Offline essexboy

      • Malware removal instructor
      • Avast Überevangelist
      • Probably Bot
      • *****
      • Posts: 40589
      • Dragons by Sasha
        • Malware fixes
      Re: spyware trojan in x.exe file
      « Reply #14 on: December 04, 2008, 09:56:01 PM »
      Hi Nicodemius how is your system running now ?