Author Topic: spyware trojan in x.exe file  (Read 53030 times)

0 Members and 1 Guest are viewing this topic.

Nicodemius

  • Guest
Re: spyware trojan in x.exe file
« Reply #15 on: December 04, 2008, 11:46:27 PM »
unfortunately the x.exe file is still present !

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: spyware trojan in x.exe file
« Reply #16 on: December 05, 2008, 12:03:14 AM »
Damn

We will now do a deep search of your processes and files using a Russian programme.  Could you upload both Zip files to Mediafire

Download avz4.zip from here
  • Unzip it to your desktop to a folder named avz4
  • Double click on AVZ.exe to run it.
  • Run an update by clicking the Auto Update button on the Right of the Log window:
  • Click Start to begin the update
Note: If you recieve an error message, chose a different source, then click Start again


  • Start AVZ.
  • Choose from the menu "File" => "Standard scripts " and mark the "Healing/Quarantine and Advanced System Investigation" check box.
  • Click on the “Execute selected scripts”.
  • Automatic scanning, healing and system check will be executed.
  • A logfile (avz_sysinfo.htm) will be created and saved in the LOG folder in the AVZ directory as virusinfo_syscure.zip.
  • It is necessary to reboot your machine, because AVZ might disturb some program operations (like antiviruses and firewall) during the system scan.
  • All applications will work properly after the system restart.
When restarted

  • Start AVZ.
  • Choose from the menu "File" => "Standard scripts " and mark the “Advanced System Investigation" check box.
  • Click on the "Execute selected scripts".
  • A system check will be automatically performed, and the created logfile (avz_sysinfo.htm) will be saved in the LOG folder in the AVZ directory as virusinfo_syscheck.zip.

Nicodemius

  • Guest
Re: spyware trojan in x.exe file
« Reply #17 on: December 05, 2008, 01:32:26 PM »
Hi thank you I will check that this week end and I will post my answer on monday

have a good week end.

Nicodemius

  • Guest
Re: spyware trojan in x.exe file
« Reply #18 on: December 08, 2008, 09:05:24 AM »
Hi,

please find the logs http://www.mediafire.com/?tgydnh3u31m

Nice day

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: spyware trojan in x.exe file
« Reply #19 on: December 08, 2008, 09:18:05 PM »
Well according to AVZ it killed it.  However lets check shall we

AVZ FIX

  • Double click on AVZ.exe
  • Click File > Custom scripts
  • Copy & paste the contents of the following codebox in the box in the program (start with begin and end with end )
Code: [Select]
begin
DeleteFile('F:\WINDOWS\system32\x.exe');
SetAVZGuardStatus(True);
SearchRootkit(true, true);
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.
  • Note: When you run the script, your PC will be restarted
  • Click Run
  • Restart your PC if it doesn't do it automatically.

ON COMPLETION

  • Start AVZ.
  • Choose from the menu "File" => "Standard scripts " and mark the “Advanced System Investigation" check box.
  • Click on the "Execute selected scripts".
  • A system check will be automatically performed, and the created logfile (avz_sysinfo.htm) will be saved in the LOG folder in the AVZ directory as virusinfo_syscheck.zip.
Attach the zip file to your next post

joannaex

  • Guest
Re: spyware trojan in x.exe file
« Reply #20 on: December 10, 2008, 01:15:26 PM »
I have the same problem.  I have manually cleaned the registry, deleted some of the files but apparently something is still "running" recreating the t[1].txt and C:\windows\system32\x.exe

When x.exe is allowed to run even for 5 mins (i.e. when it's created, avasts pops up and I'm fast asleep at 3am) then svchost crashes and all hell breaks loose.

Needless to say I've double and triple checked ALL FILES created around the date I noticed the problem, I've manually checked every single file in system32 to make sure it's MS or whatever and not something offbeat. 

I can't find the damn thing, it's driving me nuts.  Of course I've scanned with 100 antivirus programs,  malware, adware, spyware, whateverware.  NOTHING. 

Congrats to whoever made this, great job, I'd like to kill you!  >:(

So basically I hope you guys figure this one out soon... I'll keep watching.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: spyware trojan in x.exe file
« Reply #21 on: December 11, 2008, 09:24:50 PM »
Sorry for the delay in getting back to you, but I have been researching

Could you post a hijackthis log please and also search for the following file on your system it will be either
C:\Windows\scvhost or C:\windows\system\scvhost   (note not system32)

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67198
Re: spyware trojan in x.exe file
« Reply #22 on: December 11, 2008, 09:26:52 PM »
C:\Windows\scvhost or C:\windows\system\scvhost   (note not system32)
Just to confirm, are you saying scvhost or svchost?
The best things in life are free.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: spyware trojan in x.exe file
« Reply #23 on: December 11, 2008, 09:28:14 PM »
I can't spell  :'(  ta Tech

C:\WINDOWS\system\svchost.exe
C:\WINDOWS\svchost.exe

Nicodemius

  • Guest
Re: spyware trojan in x.exe file
« Reply #24 on: December 11, 2008, 10:12:24 PM »
Hi essexboy,

Sorry for my late answer but I had a big problem with this sh.. >:( on monday no internet connexion in normal mode, windows explorer reboot all the time therefore I reboot windows in safe mode. the x.exe was still present but "inactive". Then due to these problems I have taken the decision to reformat the HD in LLF "low level format" just to be sure  ;D So I've reinstalled windows, all the progs, drivers and then who reappears?!! the f... x.exe file
Now I'm wondering if it is possible to kill it or do I have to buy another HD

Any info is welcome

tx

Lordain

  • Guest
Re: spyware trojan in x.exe file
« Reply #25 on: December 11, 2008, 10:43:25 PM »
I am having the same problem as Nico...but my problem is network wide.  That X.exe file gets caught by symantec and deleted but as it is being deleted, it makes some offshoot files named x[1] or x[2] in the Default users/Temp internet files.  When you delete those 2 files, the X.exe replicates itself and appears again.  The only thing me and my coworkers can come up with is that we think there is an .exe file or .dll file somewhere avoiding detection and throwing commands to recreate that x.exe problem.

At the same time, Symantec is saying that this X.exe file is associated with the W32.IRCbot.gen.  After we saw that, we proceeded to research on different forums and websites, including Symantecs and still have not found a fix related to what is going on with this file.

A response ASAP would be greatly appreciated.

Nicodemius

  • Guest
Re: spyware trojan in x.exe file
« Reply #26 on: December 11, 2008, 11:06:53 PM »
Hi again maybe another hint I was reviewing the combofix log where the g drive appeared in the last post Iv' said that I had no G drive but this key was in my registry
(my program files are on the F drive)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6b1caed0-7aa4-11dd-a7cd-0010dc7bdb2a}]
\Shell\AutoRun\command - G:\x.bat
\Shell\explore\Command - G:\x.bat
\Shell\open\Command - G:\x.bat


so Iv'e searched in the registry x.bat and x.exe. I found e.exe in registry HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers (do not forget that in the meantime I formatted my HD) I killed the key but the x.exe reappeared (only one time till now I cross my fingers)

Good evening

Nico

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: spyware trojan in x.exe file
« Reply #27 on: December 11, 2008, 11:15:25 PM »
Removal of that mount point would have killed it.  Thanks for that data I will add it to my little database on this thing 

joannaex

  • Guest
Re: spyware trojan in x.exe file
« Reply #28 on: December 11, 2008, 11:28:54 PM »
Well here's where I'm at so far:

I created a txt file in \windows\system32, renamed it to x.exe and set it to read only.  Which worked for now, at least system is stable.  However... before I did that, the files that appeared where t[1].txt in NetworkService and x.exe in system32 which Avast detected as viruses.  Since the creation of the read only file, whatever is doing this, now makes 4K and 14K x[1].txt and x[2].txt files in NetworkService.  These txt files are not detected by Avast.  Clean bill of health.  Of course they are binary files.  I tried using Ultra edit to see if I can spot a string in there but came up empty.

Needless to say, posting logs and stuff prolly won't help, being a computer tech myself I have checked everything and their mother to no avail.  Of course 2 heads are better than one, and someone might spot something I missed, so I might get around to doing that at some point.  For now I am determine to hunt down whatever this is and kill it. 

I'll post anything I find.

Nicodemius

  • Guest
Re: spyware trojan in x.exe file
« Reply #29 on: December 12, 2008, 12:04:24 AM »
hi joannaex,

after killing the key containing x.exe in registry HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers I have downloaded the windows update (I don't know if it is related  ???) then I restarded my pc and no alarm so far  :D do you have also x.exe and / or x.bat in the registry?