spyware trojan in x.exe file

Hi all, hi essexboy

Thank you for helping me to resolve the problem similar to this post http://forum.avast.com/index.php?topic=40551.msg340262#msg340262 related to an infection by x.exe file.

Please find below the link to the OTScanit log that you required.

http://www.mediafire.com/file/mdjjmnmwkyt/20081202 Nicodemius OTScanIt.Txt

Thank you

Nico

Hi, I am now going to be a pain in the butt, as the programme you used was updated today and is a lot more powerful and thorough.

To ensure that I get all the information, this log will need to be uploaded to Mediafire; please post the sharing link.

Download OTScanit2 to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.

[*]Close ALL OTHER PROGRAMS.
[*]Open the OTScanit folder and double-click on OTScanit.exe to start the program.
[*]Check the box that says Scan All Users
[*]Check the Radio button for Rootkit check YES
[*]Under Additional Scans check the following:
[*]File - Lop Check
[*]File - Purity Scan
[*]Evnt - EventViewer Errors/Warnings (last 10)
[*]Now click the Run Scan button on the toolbar.
[*]Let it run unhindered until it finishes.
[*]When the scan is complete Notepad will open with the report file loaded in it.
[*]Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Hi

I’ve uploaded the new file, http://www.mediafire.com/?djjy2ejtmim

tx

OK, methinks I found the ini, but let's try it and see.

Start OTScanit. Copy/Paste the information in the quotebox below into the pane where it says “Paste fix here” and then click the Run Fix button.


[Unregister Dlls]
[Registry - Safe List]
< Drives with AutoRun files > -> 
YY -> H:\Autorun.inf [[autorun] | open=RECYCLER\S-1-6-21-2434476501-1644491937-600003330-1213\autorunme.exe | icon=%SystemRoot%\system32\SHELL32.dll,4 | action=Open folder to view files | shell\open=Open | shell\open\command=RECYCLER\S-1-6-21-2434476501-1644491937-600003330-1213\autorunme.exe | shell\open\default=1 | ] -> H:\Autorun.inf [ FAT32 ]
< MountPoints2 [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
YY -> \{ed812af3-79f7-11dd-a7cc-0010dc7bdb2a}\Shell\AutoRun\command\\"" -> H:\RECYCLER\S-1-6-21-2434476501-1644491937-600003330-1213\autorunme.exe [H:\RECYCLER\S-1-6-21-2434476501-1644491937-600003330-1213\autorunme.exe]
YY -> \{ed812af3-79f7-11dd-a7cc-0010dc7bdb2a}\Shell\open\command\\"" -> H:\RECYCLER\S-1-6-21-2434476501-1644491937-600003330-1213\autorunme.exe [H:\RECYCLER\S-1-6-21-2434476501-1644491937-600003330-1213\autorunme.exe]
[Files/Folders - Created Within 90 Days]
NY -> i -> %SystemRoot%\System32\i
NY -> SecurityandPrivacy3.ini -> %SystemRoot%\SecurityandPrivacy3.ini
[Files/Folders - Modified Within 90 Days]
NY -> 1e74314e9ec17fba8f6c6564628e9652.dll -> F:\Documents and Settings\Administrator\Local Settings\Temp\pdk-Administrator\1e74314e9ec17fba8f6c6564628e9652.dll
NY -> a90345612c0a4da37a217ab2158ffdf4.dll -> F:\Documents and Settings\Administrator\Local Settings\Temp\pdk-Administrator\a90345612c0a4da37a217ab2158ffdf4.dll
NY -> adc0a30ac2ec86a8ca2ba506352d899b.dll -> F:\Documents and Settings\Administrator\Local Settings\Temp\pdk-Administrator\adc0a30ac2ec86a8ca2ba506352d899b.dll
NY -> c7152a6b17345c19ed17d72b56516ee7.dll -> F:\Documents and Settings\Administrator\Local Settings\Temp\pdk-Administrator\c7152a6b17345c19ed17d72b56516ee7.dll
NY -> f617732e511d9e55dbbfe8f4f1385356.dll -> F:\Documents and Settings\Administrator\Local Settings\Temp\pdk-Administrator\f617732e511d9e55dbbfe8f4f1385356.dll
NY -> i -> %SystemRoot%\System32\i
NY -> xpy.ini -> %AppData%\xpy.ini
[Empty Temp Folders]


The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new HijackThis log.

I will review the information when it comes back in.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.
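The H:\Autorun.inf entry in the fix above is the usual USB-worm layout: `open=` and `shell\open\command=` both point at an .exe hidden under a RECYCLER folder, and `action=` copies the text Explorer itself shows for a data drive so the worm's entry is the one a user picks in the AutoPlay dialog. The following is an added example, not code from this thread, from OTScanIt or from OldTimer: it parses an autorun.inf and flags launch entries with those traits. The sample file is reconstructed from the OTScanIt line quoted above; the heuristics (Recycle Bin folder names, executable extensions, the spoofed `action` text) are this example's own.

```python
"""Flag autorun.inf launch entries of the kind the fix above removed.

Added example, not code from the thread, OTScanIt or OldTimer. The sample
autorun.inf is reconstructed from the H:\\Autorun.inf line in the OTScanIt fix;
the heuristics are this example's own.
"""
import re

# Constructed sample: the H:\Autorun.inf that OTScanIt found on the USB stick.
SAMPLE_AUTORUN_INF = """\
[autorun]
open=RECYCLER\\S-1-6-21-2434476501-1644491937-600003330-1213\\autorunme.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
action=Open folder to view files
shell\\open=Open
shell\\open\\command=RECYCLER\\S-1-6-21-2434476501-1644491937-600003330-1213\\autorunme.exe
shell\\open\\default=1
"""

# Constructed benign sample: a driver CD that only sets an icon and a label.
BENIGN_AUTORUN_INF = """\
[autorun]
icon=setup.ico
label=Driver CD
"""

# Keys that make XP-era AutoRun/AutoPlay start a program.
LAUNCH_KEYS = {"open", "shellexecute"}
SHELL_COMMAND_RE = re.compile(r"^shell\\[^\\]+\\command$")
# Recycle Bin folder names; nothing legitimate is launched from these.
RECYCLE_BIN_DIRS = ("recycler", "recycled", "$recycle.bin")
EXECUTABLE_EXTS = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js")


def parse_autorun_inf(text):
    """Return {section: {key: value}} with lower-cased section and key names.

    autorun.inf is INI-like, but values carry '%' and '\\', so configparser
    (whose interpolation trips over %SystemRoot%) is avoided in favour of a
    small hand-rolled parser.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def suspicious_entries(text):
    """Return [(key, reason), ...] for the [autorun] section; [] means clean."""
    autorun = parse_autorun_inf(text).get("autorun", {})
    findings = []
    for key, value in autorun.items():
        if key not in LAUNCH_KEYS and not SHELL_COMMAND_RE.match(key):
            continue
        target = value.strip('"').lower().replace("/", "\\")
        first_dir = target.split("\\")[0]
        program = target.split()[0] if target.split() else ""
        if first_dir in RECYCLE_BIN_DIRS:
            findings.append((key, "launches from a Recycle Bin folder: " + value))
        elif program.endswith(EXECUTABLE_EXTS):
            findings.append((key, "launches an executable: " + value))
    # The worm sets 'action' to the text Explorer shows for a plain data drive,
    # so its entry is the one the user picks in the AutoPlay dialog.
    action = autorun.get("action", "").lower()
    if action.startswith("open folder to view files") and LAUNCH_KEYS.intersection(autorun):
        findings.append(("action", "mimics the Explorer default while 'open' is set"))
    return findings


if __name__ == "__main__":
    for key, reason in suspicious_entries(SAMPLE_AUTORUN_INF):
        print(f"{key}: {reason}")
```

Run against the sample it reports three findings (`open`, `shell\open\command`, `action`) and none for the driver-CD file. The check is deliberately keyed on where a program is launched from rather than on file names, because the worm can rename `autorunme.exe` at will but still has to reference it from one of the launch keys.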

hi

I was unable to apply the fix as the process of OTScanIt was not responding; the fix is blocked at line

[Files/Folders - Created Within 90 Days]
NY -> i -> %SystemRoot%\System32\i

and therefore no message box popped up.

OK, let me try my other removal programme, as I can see what to remove.

Please download the OTMoveIt3 by OldTimer.

[*] Save it to your desktop.
[*] Please double-click OTMoveIt3.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
[*]Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

:Reg
[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ed812af3-79f7-11dd-a7cc-0010dc7bdb2a}]

:Files
F:\Documents and Settings\Administrator\Local Settings\Temp\pdk-Administrator\1e74314e9ec17fba8f6c6564628e9652.dll
F:\Documents and Settings\Administrator\Local Settings\Temp\pdk-Administrator\a90345612c0a4da37a217ab2158ffdf4.dll
F:\Documents and Settings\Administrator\Local Settings\Temp\pdk-Administrator\adc0a30ac2ec86a8ca2ba506352d899b.dll
F:\Documents and Settings\Administrator\Local Settings\Temp\pdk-Administrator\c7152a6b17345c19ed17d72b56516ee7.dll
F:\Documents and Settings\Administrator\Local Settings\Temp\pdk-Administrator\f617732e511d9e55dbbfe8f4f1385356.dll
%SystemRoot%\System32\i
%SystemRoot%\SecurityandPrivacy3.ini
%AppData%\xpy.ini
%SystemRoot%\System32\i
H:\Autorun.inf
:Commands
[purity]
[emptytemp]

[*] Return to OTMoveIt3, right click in the “Paste Instructions for Items to be Moved” window (under the yellow bar) and choose Paste.

[*]Click the red Moveit! button.
[*]Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
[*]Close OTMoveIt3

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Hi, no luck today. I had to run the program twice as it asked me for pearl56.dll; for the second attempt no dll was required ??? Please find below the two logs.

Note that after running the program twice the x.exe is still present. :cry:

first one

========== REGISTRY ==========
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ed812af3-79f7-11dd-a7cc-0010dc7bdb2a}\ deleted successfully.
========== FILES ==========
LoadLibrary failed for F:\Documents and Settings\Administrator\Local Settings\Temp\pdk-Administrator\1e74314e9ec17fba8f6c6564628e9652.dll
F:\Documents and Settings\Administrator\Local Settings\Temp\pdk-Administrator\1e74314e9ec17fba8f6c6564628e9652.dll NOT unregistered.
F:\Documents and Settings\Administrator\Local Settings\Temp\pdk-Administrator\1e74314e9ec17fba8f6c6564628e9652.dll moved successfully.
LoadLibrary failed for F:\Documents and Settings\Administrator\Local Settings\Temp\pdk-Administrator\a90345612c0a4da37a217ab2158ffdf4.dll
F:\Documents and Settings\Administrator\Local Settings\Temp\pdk-Administrator\a90345612c0a4da37a217ab2158ffdf4.dll NOT unregistered.
F:\Documents and Settings\Administrator\Local Settings\Temp\pdk-Administrator\a90345612c0a4da37a217ab2158ffdf4.dll moved successfully.
LoadLibrary failed for F:\Documents and Settings\Administrator\Local Settings\Temp\pdk-Administrator\adc0a30ac2ec86a8ca2ba506352d899b.dll
F:\Documents and Settings\Administrator\Local Settings\Temp\pdk-Administrator\adc0a30ac2ec86a8ca2ba506352d899b.dll NOT unregistered.
F:\Documents and Settings\Administrator\Local Settings\Temp\pdk-Administrator\adc0a30ac2ec86a8ca2ba506352d899b.dll moved successfully.
LoadLibrary failed for F:\Documents and Settings\Administrator\Local Settings\Temp\pdk-Administrator\c7152a6b17345c19ed17d72b56516ee7.dll
F:\Documents and Settings\Administrator\Local Settings\Temp\pdk-Administrator\c7152a6b17345c19ed17d72b56516ee7.dll NOT unregistered.
F:\Documents and Settings\Administrator\Local Settings\Temp\pdk-Administrator\c7152a6b17345c19ed17d72b56516ee7.dll moved successfully.
LoadLibrary failed for F:\Documents and Settings\Administrator\Local Settings\Temp\pdk-Administrator\f617732e511d9e55dbbfe8f4f1385356.dll
F:\Documents and Settings\Administrator\Local Settings\Temp\pdk-Administrator\f617732e511d9e55dbbfe8f4f1385356.dll NOT unregistered.
F:\Documents and Settings\Administrator\Local Settings\Temp\pdk-Administrator\f617732e511d9e55dbbfe8f4f1385356.dll moved successfully.
F:\WINDOWS\System32\i moved successfully.
F:\WINDOWS\SecurityandPrivacy3.ini moved successfully.
F:\Documents and Settings\Administrator\Application Data\xpy.ini moved successfully.
Folder F:\WINDOWS\System32\i not found.
File/Folder H:\Autorun.inf not found.
========== COMMANDS ==========
File delete failed. F:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~DF6BA5.tmp scheduled to be deleted on reboot.
File delete failed. F:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~DF8717.tmp scheduled to be deleted on reboot.
File delete failed. F:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~DF8731.tmp scheduled to be deleted on reboot.
User’s Temp folder emptied.
User’s Temporary Internet Files folder emptied.
User’s Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. F:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
File delete failed. F:\WINDOWS\temp_avast4_\Webshlock.txt scheduled to be deleted on reboot.
File delete failed. F:\WINDOWS\temp\Perflib_Perfdata_610.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
Temp folders emptied.

OTMoveIt3 by OldTimer - Version 1.0.7.1 log created on 12022008_223539

Files moved on Reboot…
File move failed. F:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~DF6BA5.tmp scheduled to be moved on reboot.
F:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~DF8717.tmp moved successfully.
F:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~DF8731.tmp moved successfully.
File move failed. F:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.
File move failed. F:\WINDOWS\temp_avast4_\Webshlock.txt scheduled to be moved on reboot.
File move failed. F:\WINDOWS\temp\Perflib_Perfdata_610.dat scheduled to be moved on reboot.

second one

========== REGISTRY ==========
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ed812af3-79f7-11dd-a7cc-0010dc7bdb2a}\ deleted successfully.
========== FILES ==========
File/Folder F:\Documents and Settings\Administrator\Local Settings\Temp\pdk-Administrator\1e74314e9ec17fba8f6c6564628e9652.dll not found.
File/Folder F:\Documents and Settings\Administrator\Local Settings\Temp\pdk-Administrator\a90345612c0a4da37a217ab2158ffdf4.dll not found.
File/Folder F:\Documents and Settings\Administrator\Local Settings\Temp\pdk-Administrator\adc0a30ac2ec86a8ca2ba506352d899b.dll not found.
File/Folder F:\Documents and Settings\Administrator\Local Settings\Temp\pdk-Administrator\c7152a6b17345c19ed17d72b56516ee7.dll not found.
File/Folder F:\Documents and Settings\Administrator\Local Settings\Temp\pdk-Administrator\f617732e511d9e55dbbfe8f4f1385356.dll not found.
Folder F:\WINDOWS\System32\i not found.
Folder F:\WINDOWS\SecurityandPrivacy3.ini not found.
Folder F:\Documents and Settings\Administrator\Application Data\xpy.ini not found.
Folder F:\WINDOWS\System32\i not found.
H:\Autorun.inf moved successfully.
========== COMMANDS ==========
File delete failed. F:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~DF6BA5.tmp scheduled to be deleted on reboot.
User’s Temp folder emptied.
User’s Temporary Internet Files folder emptied.
User’s Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. F:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
File delete failed. F:\WINDOWS\temp_avast4_\Webshlock.txt scheduled to be deleted on reboot.
File delete failed. F:\WINDOWS\temp\Perflib_Perfdata_610.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
Temp folders emptied.

OTMoveIt3 by OldTimer - Version 1.0.7.1 log created on 12022008_224107

Files moved on Reboot…
F:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~DF6BA5.tmp moved successfully.
File move failed. F:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.
File F:\WINDOWS\temp_avast4_\Webshlock.txt not found!
File F:\WINDOWS\temp\Perflib_Perfdata_610.dat not found!

hope it will help

What we will do now is run ComboFix to take x out and see what remains.

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

[*]Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

[*]Double click on ComboFix.exe & follow the prompts.

[*]As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it’s strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

[*]Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/whatnext.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Hi,

Thank you, I will do that this evening, but note that after implementing the last fix with OTMoveIt3 the internet connection was very slow or not existing ("Internet Explorer cannot display the page") and I've still got the problem. If I cannot sort it out I will do a system restore.
I will let you know the result.

Nico

Hi essexboy,

I have run ComboFix and my internet connection is back again :smiley:
You can find the log here: http://www.mediafire.com/?m2wm3yygdiz

The problem is that x.exe, quicktime.exe and the “I” file are back; have they seen Terminator or what? 8)

Tx nic

Is your G drive a USB stick or a separate partition?

1 - Flash Drive Disinfector

Download Flash_Disinfector.exe by sUBs from >here< and save it to your desktop.
[*] Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
[*] The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
[*] Wait until it has finished scanning and then exit the program.
[*] Reboot your computer when done.

Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don’t delete this folder; it will help protect your drives from future infection.

THEN

  1. Please open Notepad
    [*] Click Start, then Run
    [*] Type notepad.exe in the Run Box.

  2. Now copy/paste the entire content of the codebox below into the Notepad window:


KillAll::

File::
f:\windows\system32\Cache
f:\windows\system32\csrsc.exe
f:\windows\system32\i
f:\windows\system32\x.exe
f:\windows\system32\y.exe
G:\x.bat

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6b1caed0-7aa4-11dd-a7cd-0010dc7bdb2a}]

  3. Then in the text file go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES

  4. Save the above as CFScript.txt

  5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

  6. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
    [*] Combofix.txt
    [*] A new HijackThis log.
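The Flash_Disinfector note above relies on a simple filesystem fact: a volume can hold only one entry named autorun.inf, so if that name is already taken by a directory, a worm cannot create the autorun.inf file it needs to hijack AutoPlay. The following is an added example, not Flash_Disinfector's or sUBs' code: it builds that placeholder directory in a temporary "volume", then attempts the file write a worm would make, before and after protection. The `protect_volume`, `try_write_autorun` and `demo` names are this example's own.

```python
"""Demonstrate the Flash_Disinfector idea: a folder named autorun.inf.

Added example, not Flash_Disinfector's or sUBs' code. It creates the
placeholder directory in a temporary "volume", then attempts the file write a
USB worm would make and reports whether that write was refused.
"""
import os
import tempfile

PLACEHOLDER = "autorun.inf"


def protect_volume(root):
    """Occupy the autorun.inf name with a directory; returns its path.

    Flash_Disinfector also marks the folder hidden/system on Windows; that is
    skipped here so the example runs on any platform.
    """
    path = os.path.join(root, PLACEHOLDER)
    os.makedirs(path, exist_ok=True)
    return path


def try_write_autorun(root, content="[autorun]\nopen=x.exe\n"):
    """Try to create autorun.inf as a file; True if the write went through."""
    path = os.path.join(root, PLACEHOLDER)
    try:
        with open(path, "w") as fh:
            fh.write(content)
        return True
    except OSError:
        # IsADirectoryError on POSIX, PermissionError on Windows: the name is
        # taken by a directory, so the file cannot be created.
        return False


def demo():
    """Return (write_ok_before, write_ok_after) for a fresh temporary volume."""
    with tempfile.TemporaryDirectory() as vol:
        before = try_write_autorun(vol)            # unprotected: the write succeeds
        os.remove(os.path.join(vol, PLACEHOLDER))  # reset the volume
        protect_volume(vol)
        after = try_write_autorun(vol)             # protected: refused
        return before, after


if __name__ == "__main__":
    print("write succeeded before/after protection:", demo())
```

`demo()` returns `(True, False)`. The caveat, which is why the thread also disables AutoRun-driven entries in MountPoints2 and cleans the stick itself: a process that can write to the volume can also remove an empty directory and then drop its file, so the placeholder is a speed bump against unsophisticated worms rather than a control on its own.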

Hi,

I was totally not aware of the G drive ??? What I have normally is F: main drive, C: backup, H: USB stick.

Find the logs of Combofix.txt and HijackThis log there: http://www.mediafire.com/?jmgorrbzxay

OK, call me a numpty: when I wrote the fix I inadvertently deleted one file that should have been removed. Put it down to my age.

  1. Please open Notepad
    [*] Click Start, then Run
    [*] Type notepad.exe in the Run Box.

  2. Now copy/paste the entire content of the codebox below into the Notepad window:


KillAll::

File::
f:\windows\system32\Cache
f:\windows\system32\csrsc.exe
f:\windows\system32\i
f:\windows\system32\x.exe
f:\windows\system32\y.exe
f:\windows\system32\quicktime.exe

  3. Then in the text file go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES

  4. Save the above as CFScript.txt

  5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

  6. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
    [*] Combofix.txt
    [*] A new HijackThis log.

Hi
no stress :wink:

please find the logs http://www.mediafire.com/?nmtmcjtudzn

Hi Nicodemius, how is your system running now?

Unfortunately the x.exe file is still present!

Damn

We will now do a deep search of your processes and files using a Russian programme. Could you upload both Zip files to Mediafire?

Download avz4.zip from here

[*]Unzip it to your desktop to a folder named avz4
[*]Double click on AVZ.exe to run it.
[*]Run an update by clicking the Auto Update button on the Right of the Log window:
http://rathat.geekstogo.com/images/AVZupdate.jpg

[*]Click Start to begin the update

Note: If you receive an error message, choose a different source, then click Start again

[*] Start AVZ.

[*] Choose from the menu “File” => “Standard scripts” and mark the “Healing/Quarantine and Advanced System Investigation” check box.
[*] Click on the “Execute selected scripts”.
[*] Automatic scanning, healing and system check will be executed.
[*] A logfile (avz_sysinfo.htm) will be created and saved in the LOG folder in the AVZ directory as virusinfo_syscure.zip.
[*] It is necessary to reboot your machine, because AVZ might disturb some program operations (like antiviruses and firewall) during the system scan.
[*] All applications will work properly after the system restart.

When restarted

[*] Start AVZ.

[*] Choose from the menu “File” => “Standard scripts” and mark the “Advanced System Investigation” check box.
[*] Click on the “Execute selected scripts”.
[*] A system check will be automatically performed, and the created logfile (avz_sysinfo.htm) will be saved in the LOG folder in the AVZ directory as virusinfo_syscheck.zip.

Hi, thank you, I will check that this weekend and I will post my answer on Monday.

Have a good weekend.

Hi,

please find the logs http://www.mediafire.com/?tgydnh3u31m

Nice day

Well, according to AVZ it killed it. However, let's check, shall we?

AVZ FIX

[*] Double click on AVZ.exe
[*] Click File > Custom scripts
[*] Copy & paste the contents of the following codebox in the box in the program (start with begin and end with end.)

begin
DeleteFile('F:\WINDOWS\system32\x.exe');
SetAVZGuardStatus(True);
SearchRootkit(true, true);
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.

[*] Note: When you run the script, your PC will be restarted
[*] Click Run
[*] Restart your PC if it doesn’t do it automatically.

ON COMPLETION

[*] Start AVZ.

[*] Choose from the menu “File” => “Standard scripts” and mark the “Advanced System Investigation” check box.
[*] Click on the “Execute selected scripts”.
[*] A system check will be automatically performed, and the created logfile (avz_sysinfo.htm) will be saved in the LOG folder in the AVZ directory as virusinfo_syscheck.zip.

Attach the zip file to your next post