Author Topic: spyware trojan in x.exe file  (Read 53274 times)


Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: spyware trojan in x.exe file
« Reply #30 on: December 12, 2008, 05:15:33 PM »
Also look for the mountpoint as that appears to be quite critical

joannaex

  • Guest
Re: spyware trojan in x.exe file
« Reply #31 on: December 14, 2008, 10:58:52 PM »
No x.exe or x.bat in registry.  I checked as soon as you mentioned it.  It's been driving me nuts... I must have checked every single file on my system folders and I still come up empty.  You're correct about the mounting point but I don't know what the file name is.  See x.exe is created by something... What I am looking for is that something.

Offline essexboy

Re: spyware trojan in x.exe file
« Reply #32 on: December 15, 2008, 08:57:56 PM »
I know this is a nightmare to try and clear

I could see what your mountpoints are if you wish

To ensure that I get all the information this log will need to be uploaded to Mediafire; then post the sharing link.

Download OTScanit2 to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.
  • Close ALL OTHER PROGRAMS.
  • Open the OTScanit folder and double-click on OTScanit.exe to start the program.
  • Check the box that says Scan All Users
  • Check the Radio button for Rootkit check YES
  • Under Additional Scans check the following:
    • File - Lop Check
    • File - Purity Scan
    • Evnt - EventViewer Errors/Warnings (last 10)
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

    joannaex

    • Guest
    Re: spyware trojan in x.exe file
    « Reply #33 on: December 15, 2008, 09:52:28 PM »
    File uploaded to: http://www.mediafire.com/?xi5ywlwmcdf

    I checked the file and the registry.  The only thing that makes me wonder is mem.pif
    mem.PIF -> %SystemRoot%\System32\mem.PIF -> [2008/12/03 23:55:03 | 00,002,855 | ---- | C] ()

    Then again, opening the file with Ultra Edit, all I see are references to mem.exe, which is a Microsoft file, and autoexec.nt, which is again related to that mem.exe and DOS.

    I'm stumped and possibly blind.  I hope you see something more than I do.

    Offline essexboy

    Re: spyware trojan in x.exe file
    « Reply #34 on: December 15, 2008, 10:17:42 PM »
    Hi joannaex. There is nothing there apart from x.exe. GMER shows clean. My next thought is a possible MBR infection.

    Download Dr.Web CureIt to the desktop:
    ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
    • Double-click the drweb-cureit.exe file and allow it to run the express scan
    • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
    • Once the short scan has finished, mark the drives that you want to scan.
    • Select all drives. A red dot shows which drives have been chosen.
    • Click the green arrow at the right, and the scan will start.
    • Click 'Yes to all' if it asks if you want to cure/move the file.
    • When the scan has finished, in the menu, click file and choose save report list
    • Save the report to your desktop. The report will be called DrWeb.csv
    • Close Dr.Web Cureit.

    joannaex

    • Guest
    Re: spyware trojan in x.exe file
    « Reply #35 on: December 15, 2008, 10:21:03 PM »
    As I said before, I created a zero byte x.exe file and made it read-only to stop the x.exe from being created all the time.

    I'll post the Dr. Web report if you like, but I've already scanned with that and numerous others.  Nada... I can't find the darn thing.

    What's even more strange is that I have files being created in C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\2GFT1MEU (and similar folders in same path) with files names x[1].exe
    Yes the OTscan didn't even "see" this file in the 30 day list.  Huh?
    « Last Edit: December 15, 2008, 10:24:54 PM by joannaex »

    Offline polonus

    • Avast Überevangelist
    • Probably Bot
    • *****
    • Posts: 33891
    • malware fighter
    Re: spyware trojan in x.exe file
    « Reply #36 on: December 15, 2008, 10:29:46 PM »
    Hello joannaex,

    What you could do is do a full scan with StartDreck and check everything this finds.

    Download StartDreck http://www.greyknight17.com/spy/StartDreck.zip

    Unzip to its own folder and start the program:
    Press 'Config'
    Press 'mark all'

    Uncheck the following boxes only:
    System/Running Process -> List Modules
    System/Drivers -> NT Services
    System/Drivers -> NT Kernel- and FS-drivers
    Press 'OK'

    Press 'Save' and select the location to save the log file (default is the same folder as the application)

    Post the log in this thread.

    Then also try this: Download Silent runners.Vbs http://www.silentrunners.org/Silent%20Runners.vbs
    1. Make sure you have any script blocking software disabled
    2. Run the program. It will take a few minutes to complete.
    3. Once complete it will produce a log named “StartupPrograms” with your user and date in the filename. Open that txt file and post its contents in your next post.

    We (that means essexboy and little old me) will give it a glance if anything there starts up or runs that seems fishy,

    polonus
    Cybersecurity is more of an attitude than anything else. Avast Evangelists.

    Use NoScript, a limited user account and a virtual machine and be safe(r)!

    joannaex

    • Guest
    Re: spyware trojan in x.exe file
    « Reply #37 on: December 15, 2008, 10:33:53 PM »
    One thing at a time guys! :)

    I'll post things as they come up.  I'll start the scan.  Meanwhile I'm trying to view the contents of x[1].txt which is of course a binary file and Avast thinks it's really cool and non-threatening.  You'd think a binary txt file would set the damn alarms off...
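
The observation in Reply #37, a cache file named `.txt` whose content is binary, can be checked mechanically. The sketch below is an added example, not part of any participant's post: it walks a directory and flags text-extension files whose leading bytes are a PE executable or otherwise non-text, and reports files it cannot open as locked. That such files are PE images is an assumption, and the sample files are constructed.

```python
import os
import tempfile

TEXT_EXTS = {".txt", ".log", ".csv"}  # extensions that should hold plain text

def classify(head: bytes) -> str:
    """Return 'pe', 'binary' (NUL byte or >10% control bytes) or 'text'."""
    if head[:2] == b"MZ" and len(head) >= 0x40:
        # e_lfanew (offset 0x3C) points at the "PE\0\0" signature
        off = int.from_bytes(head[0x3C:0x40], "little")
        if head[off:off + 4] == b"PE\0\0":
            return "pe"
    if b"\0" in head:
        return "binary"
    ctrl = sum(1 for b in head if b < 32 and b not in (9, 10, 13))
    return "binary" if head and ctrl / len(head) > 0.10 else "text"

def find_mismatches(root):
    """List (path, kind) for text-named files that do not contain text."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in TEXT_EXTS:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(4096)
            except OSError:  # e.g. held open by another process
                hits.append((path, "locked"))
                continue
            kind = classify(head)
            if kind != "text":
                hits.append((path, kind))
    return sorted(hits)

def demo():
    """Run the scan over constructed sample files (not the thread's files)."""
    pe = bytearray(0x88)
    pe[0:2], pe[0x3C:0x40], pe[0x80:0x84] = b"MZ", (0x80).to_bytes(4, "little"), b"PE\0\0"
    samples = {"x[1].txt": bytes(pe), "p[1].txt": bytes(range(1, 9)) * 40,
               "notes.txt": b"plain text\r\n"}
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        return [(os.path.basename(p), k) for p, k in find_mismatches(root)]

if __name__ == "__main__":
    print(demo())
```

UTF-16 text files contain NUL bytes and will be reported as binary, so hits need a manual look before anything is deleted.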

    joannaex

    • Guest
    Re: spyware trojan in x.exe file
    « Reply #38 on: December 15, 2008, 10:47:51 PM »
    This is killing my self esteem.  I'm supposed to be the tech here, cleaning other people's crap.  Never in my 20 years have I ever come across something like this.  It's driving me nuts.  Of course I could format but I absolutely refuse! I formatted this PC 6 months ago after 5 years... I still have another 4.5 years to go! I refuse to be beaten by some 16yr old schmuck, however clever he may be.  I have to figure this one out, it's a matter of principle at this point.

    Oh did I mention I've checked all running processes with process explorer and checked with tcpview as well? Nothing is phoning home at least.

    Silent Runner Log: http://www.mediafire.com/?fzzmvg3xlfl  nothing odd that I can see in there.  Most things it reports are MS Office or ATI files.

    Dr. Web will take a while to scan 1TB so I'll let it scan all night and report back in the morning.
    « Last Edit: December 15, 2008, 11:27:37 PM by joannaex »

    Offline essexboy

    Re: spyware trojan in x.exe file
    « Reply #39 on: December 15, 2008, 11:40:17 PM »
    So far I have only been able to kill one of these and I believe I got it very early.  I only used Dr. web to check the MBR section

    OTScanit did not see that as far as I can see (and I double checked) but normally I empty all temp files as a matter of routine with that programme.

    My only thought after this is that a windows file has been modified and replaced with the trigger file, and if it was done carefully enough it would pass unseen

    Could I have a copy of the binary text and I will pass it on to one of the experts who understands that sort of thing to see if he can make head or tail of it

    Ta  ;D

    joannaex

    • Guest
    Re: spyware trojan in x.exe file
    « Reply #40 on: December 16, 2008, 12:01:01 AM »
    You'll have to wait till morning, file is locked (in use by whatever @!#$@%$#!!!) and I need to reboot.  I don't want to stop Dr. Web right now.  But if you get really lucky, I'll have a fresh copy in a few mins, new ones seem to pop up often enough.

    Offline essexboy

    Re: spyware trojan in x.exe file
    « Reply #41 on: December 16, 2008, 12:03:31 AM »
    OK and thanks in advance

    joannaex

    • Guest
    Re: spyware trojan in x.exe file
    « Reply #42 on: December 16, 2008, 12:08:37 AM »
    As I said... fresh from the oven... http://www.mediafire.com/?tlydvfrmi5g

    This one is 3K.  I have another one (the locked one) which is 17K and I've seen a 32K one as well.  It's odd that they vary in size but you can start with that one.

    New one with different letter appeared this morning! p[1].txt.  Well I do like variety, I mean the same letter all the time would be just... well... boring.  Here it is: http://www.mediafire.com/?a5fiz9g0ft2
    « Last Edit: December 16, 2008, 08:08:45 AM by joannaex »

    t68kv

    • Guest
    Re: spyware trojan in x.exe file
    « Reply #43 on: December 16, 2008, 11:59:33 AM »
    Try using quicksmash. Just follow the quicksmash assistance instruction.

    Check it here:
    http://t68kv.net76.net/

    You can also check the log yourself, I integrate hijackthis because it is so popular these days. The bottom part of the log tells you if quicksmash detected and removed something "readme". If you see "delete on reboot" reboot immediately after using quicksmash or if you like run quicksmash again and then reboot it is safe.

    If you're afraid or cannot understand much about the software feel free to pm me thru instant messenger.
    I already tested and removed that x.exe but of course test it first before we say it is very effective if it removed yours.

    You will expect this to remove the main processes of the malwares. Any non-executables are not included "use your anti-virus "AVAST" or cleaner tools".
    Anyway, main processes or malwares that are active or can be activated are important to remove.

    t68kv
    :)
    « Last Edit: December 16, 2008, 12:17:44 PM by t68kv »

    Offline essexboy

    Re: spyware trojan in x.exe file
    « Reply #44 on: December 16, 2008, 08:16:55 PM »
    Hi joannaex, while I am waiting for an expert to look at the file, I have been informed that Prevx will identify the files associated with this nasty.  I have found three possible culprits so far but none of them are on your machine

    Quote
    CLIENT.EXE — 57 344 bytes
    SERVER.EXE — 65 024 bytes
    QUICKTIME.EXE


    A quick run with Prevx may give us the location of the files, which I can then delete and upload for further analysis

     http://info.prevx.com/downloadcsi.asp