spyware trojan in x.exe file

[joannaex]

Hey Thx

I can back home this evening and found a bunch of crap on my machine.  I had left Dr Web running and had turned Avast off.  ATM I'm cleaning up the registry in safe mode @!^%$!#~ and swearing profusely.  I've created reg files of all the crap and zipped the offending files.  I've scanned them all with Avast and Dr. Web it but neither ones seems to think they're "bad".

And for the first time ever whatever this crap is, it actually creates pop up windows in FF3! Amazing! Never seen this one before, it's usually IE that gets all screwed up.  Pop ups go to http://online-securityscanner.com/2009/1/en/_freescan.php?nu=770522164054  which is called "Antivirus 2009" way ahead of it's time. 

Anybody have a shotgun? I'm royally pissed now!

How can I report all this to avast and send them the files?

[t68kv]

i can remove antivirus 2009 semi-automatically using quicksmash. Malwarebytes anti-malware can also do the job automatically by using quickscan.

[essexboy]

"Antivirus 2009" can easily be removed by Malwarebytes instructions below.  But this x file is driving me nuts, still no reply yet from an expert but hopefully within the next 24 hours.  Have  you tried Prevx ?

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select "Perform Quick Scan", then click Scan.
  
• The scan may take some time to finish,so please be patient.
• When the scan is complete, click OK, then Show Results to view the results.
• Make sure that everything is checked, and click Remove Selected.
  
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
• Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

[t68kv]

@joannaex

is x.exe still exist on your system? If malwarebytes cannot fix them just try quicksmash. Earlier we removed one of our friends using quicksmash and x.exe and its parent programs never return.

[joannaex]

x.exe cannot be created because I've created read-only file with same name.  Let me clean up the crap I found this evening and tell me how I can report it to Avast.  Then maybe we can get back to the x.exe problem.

I'm telling you this one I just found is nasty and non detected!

[t68kv]

just use malwarebytes anti-malware quickscan and it can remove your problem with antivirus 2009 then follow quicksmash assistance " also posted earlier" for your problem with x.exe

I can't remember if quicksmash can also remove antivirus2009.

Remove the zero bytes file you've created first.

For effective removal of x.exe using quicksmash.
1. Quicksmash assistance procedure
2. Reboot
3. Check those x.exe malware and run quicksmash assistance for final checking.

PROVEN AND TESTED TO REMOVE THIS X.EXE PROBLEM
Another ampaw malware hehe.



QUICKSMASH ASSISTANCE

1. Download quicksmash, after downloading open it.
2. Check "include hijackthislog", "Update Before Smashing".
3. Follow the steps on uploading the log created by the quicksmash.
   Wait for the "Finish" message, and follow the instruction on the next messageboxes.
   Usually the filename is named at the current date on you computer. EX "13-08-2008"
4. Post the link, The link must be working for fast response from the team.
5. Wait For Response Or Further Instruction From T68KV or Other Reliable Team Member.
   Usually they will tell you to redo the instruction. After Updating the Defintion.

Quicksmash
http://www.4shared.com/file/49439376/457533bb/QuickSMASH.html

[joannaex]

Well I managed to get rid of it manually.  Winlogon dll's are so annoying.  Took me a while to get rid of those.  Anyway, I THINK I might be done for now.  I'll wait and see if the files keep showing up and let you all know.  We'll take it from there.

[marcik]

dear joannaex,

i have the same annoying problem with this x.exe..have tried to delete it from system32, deleted registers, formatted all discs, reinstalled the system a few times and, as you know, it is still there eating me for a more than one month..could you please tell me, to a simple user, how you got rid of it?

Thanks very much in advance 

[t68kv]

@marcik

try following my post earlier "above my post before joannaex" using quicksmash.

[joannaex]

OK, it took me 3 hours last night but I have to report that my system is now clean for 24hours.  No more files popping up out of nowhere, no x.exe, nothing, nada, horray!

I need to thank you all because I couldn't have done it without you.  I tried some of the things you recommended (though I didn't have time to try them all) but you helped me think and held my hand.

@marcik and whoever else is going crazy with this crap:

Things to check:

• C:\WINDOWS\Tasks - I found a task in there scheduled on the hour - right click to see task properties. (@%#!^$!!!)
• Check system32 folder order by created date.  Any oddly named filenames need to hit the road.  If you can't delete the files ->
  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\] - check there is anything in the pointing to those files.
• Check C:\Windows\Security for anything named svchost.exe.  svchost.exe is a system process that runs out of system32 folder.  If you find a copy in ANY other folder it's malware, delete and check that there are no services associated with it (HKEY_LOCAL_MACHINE\SYSTEM\ControlSet\Services\)
• Check system users for any files that appear to be txt but are in fact binary: C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5 and C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5 (all subfolders).  If you find anything in there other than desktop.ini, DELETE.
• Check BHOs and delete anything that points back to files with odd names created recently. (I used Spybot's built in tool but plenty of other utilities to check BHOs out there, including Hijackthis)
• Check System Startup (with Hijackthis) to make sure no malware is set to load on startup
• If all utilities fail and you do have something in Winlogon you cannot get rid off, then enable Recovery Console in XP or use the System Recovery options in Vista (no safemode doesn't help, winlogon still runs) and delete from command prompt.
  

Hope this helps a bit.

Now could one the Avast Evangelists please tell me how to report my findings to Avast? I've kept rar'ed copies of all files and exported all registry settings.  I'd like to send them the files so that next time, Avast won't remain all happy and nice when someone's system is ground to a hault by this.

Joanna

[essexboy]

Thanks for the data joannaex - filed and saved.  The text file when opened was a direction for downloading Rogue av programmes (2009 variant) in the background and giving them system permissions.  Do you know which was the trigger file ?

If they are in Avast's virus chest they should get submitted next time you update the VPS.

[joannaex]

They're not in the chest, I wish they were.  That would mean Avast aknowledged them as something malicious... I scanned and scanned and scanned.  Other than one of the t[1].txt files and x.exe, Avast (and ALL OTHERS!) didn't detect anything as malware, trojan or virus.

No idea what the trigger was... I can back to all this when I left Dr.Web running all day (which btw found nothing wrong with my system, except for a couple of jokes and password revealers I keep as utilities for customers who forget their email pass.  While this was running AND Avast was disabled, all hell broke loose.  When I came back I found around 10 new files, numerous registry entries, my taskbar stuck, unable to run exe files from explorer including task manager, no start button to open programs (since task bar was dead) and hence to run command,  and my system basically crawling.  I had to hit reset just to do anything.

So basically whatever it was, I have to assume that it was triggered by the scan.  Don't get me wrong, I was swearing for 3 hours, but getting severly infected was actually the only way to spot everything and clean my machine.

[essexboy]

We have come across some malware recently that is actually quite good at removing competing malware and then installing itself (cyberwars) so maybe next time I come across this I should infect the system with another malware and see if that works  

Methinks I might set up a honeypot after christmas and see what I can find  

[joannaex]

I can send you some nice ones if you like.  Got about 10 exe/dlls and about the same amount of reg files.  Should be a nice xmas bonus. 

[marcik]

to t68kv
to joannaex

thanks very much for the reply, guys..i will try all the above, hope it works