I have the same problem. I have manually cleaned the registry, deleted some of the files but apparently something is still “running” recreating the t[1].txt and C:\windows\system32\x.exe
When x.exe is allowed to run even for 5 mins (i.e. when it’s created, Avast pops up and I’m fast asleep at 3am) then svchost crashes and all hell breaks loose.
Needless to say I’ve double and triple checked ALL FILES created around the date I noticed the problem, I’ve manually checked every single file in system32 to make sure it’s MS or whatever and not something offbeat.
I can’t find the damn thing, it’s driving me nuts. Of course I’ve scanned with 100 antivirus programs, malware, adware, spyware, whateverware. NOTHING.
Congrats to whoever made this, great job, I’d like to kill you! >:(
So basically I hope you guys figure this one out soon… I’ll keep watching.
Sorry for the delay in getting back to you, but I have been researching.
Could you post a HijackThis log please, and also search for the following file on your system? It will be either C:\Windows\scvhost or C:\windows\system\scvhost (note: not system32).
Sorry for my late answer, but I had a big problem with this sh… >:( On Monday there was no internet connection in normal mode and Windows Explorer rebooted all the time, therefore I rebooted Windows in safe mode. The x.exe was still present but “inactive”. Then, due to these problems, I took the decision to reformat the HD with an LLF “low level format” just to be sure ;D So I’ve reinstalled Windows, all the progs and drivers, and then who reappears?!! The f… x.exe file
I am having the same problem as Nico… but my problem is network wide. That X.exe file gets caught by Symantec and deleted, but as it is being deleted, it makes some offshoot files named x[1] or x[2] in the Default users/Temp internet files. When you delete those 2 files, the X.exe replicates itself and appears again. The only thing me and my coworkers can come up with is that we think there is an .exe file or .dll file somewhere avoiding detection and throwing commands to recreate that x.exe problem.
At the same time, Symantec is saying that this X.exe file is associated with the W32.IRCbot.gen. After we saw that, we proceeded to research on different forums and websites, including Symantec’s, and still have not found a fix related to what is going on with this file.
Hi again, maybe another hint. I was reviewing the ComboFix log where the G drive appeared. In the last post I’ve said that I had no G drive, but this key was in my registry
(my program files are on the F drive)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6b1caed0-7aa4-11dd-a7cd-0010dc7bdb2a}]
\Shell\AutoRun\command - G:\x.bat
\Shell\explore\Command - G:\x.bat
\Shell\open\Command - G:\x.bat
So I’ve searched the registry for x.bat and x.exe. I found e.exe in registry HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers (do not forget that in the meantime I formatted my HD). I killed the key but the x.exe reappeared (only one time till now, I cross my fingers).
I created a txt file in \windows\system32, renamed it to x.exe and set it to read only. Which worked for now, at least system is stable. However… before I did that, the files that appeared were t[1].txt in NetworkService and x.exe in system32, which Avast detected as viruses. Since the creation of the read only file, whatever is doing this now makes 4K and 14K x[1].txt and x[2].txt files in NetworkService. These txt files are not detected by Avast. Clean bill of health. Of course they are binary files. I tried using UltraEdit to see if I can spot a string in there but came up empty.
Needless to say, posting logs and stuff prolly won’t help, being a computer tech myself I have checked everything and their mother to no avail. Of course 2 heads are better than one, and someone might spot something I missed, so I might get around to doing that at some point. For now I am determined to hunt down whatever this is and kill it.
After killing the key containing x.exe in registry HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers I downloaded the Windows update (I don’t know if it is related ???), then I restarted my PC and no alarm so far. Do you also have x.exe and/or x.bat in the registry?
No x.exe or x.bat in registry. I checked as soon as you mentioned it. It’s been driving me nuts… I must have checked every single file on my system folders and I still come up empty. You’re correct about the mounting point but I don’t know what the file name is. See x.exe is created by something… What I am looking for is that something.
To ensure that I get all the information, this log will need to be uploaded to Mediafire and the sharing link posted.
Download OTScanit2 to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.
- Close ALL OTHER PROGRAMS.
- Open the OTScanit folder and double-click on OTScanit.exe to start the program.
- Check the box that says Scan All Users
- Check the Radio button for Rootkit check YES
- Under Additional Scans check the following:
  - File - Lop Check
  - File - Purity Scan
  - Evnt - EventViewer Errors/Warnings (last 10)
- Now click the Run Scan button on the toolbar.
- Let it run unhindered until it finishes.
- When the scan is complete Notepad will open with the report file loaded in it.
- Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
I checked the file and the registry. The only thing that makes me wonder is mem.pif
mem.PIF → %SystemRoot%\System32\mem.PIF → [2008/12/03 23:55:03 | 00,002,855 | ---- | C] ()
Then again, opening the file with UltraEdit, all I see are references to mem.exe, which is a Microsoft file, and autoexec.nt, which is again related to that mem.exe and DOS.
I’m stumped and possibly blind. I hope you see something more than I do.
Hi joannaex. There is nothing there apart from x.exe. GMER shows clean. My next thought is a possible MBR infection.
Download Dr.Web CureIt to the desktop: ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
- Double-click the drweb-cureit.exe file and allow it to run the express scan
- This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
- Once the short scan has finished, mark the drives that you want to scan.
- Select all drives. A red dot shows which drives have been chosen.
- Click the green arrow at the right, and the scan will start.
- Click ‘Yes to all’ if it asks if you want to cure/move the file.
- When the scan has finished, in the menu, click file and choose save report list
- Save the report to your desktop. The report will be called DrWeb.csv
- Close Dr.Web Cureit.
As I said before, I created a zero byte x.exe file and made it read-only to stop the x.exe from being created all the time.
I’ll post the Dr. Web report if you like, but I’ve already scanned with that and numerous others. Nada… I can’t find the darn thing.
What’s even more strange is that I have files being created in C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\2GFT1MEU (and similar folders in same path) with files names x[1].exe
Yes the OTscan didn’t even “see” this file in the 30 day list. Huh?
Unzip to its own folder and start the program:
Press ‘Config’
Press ‘mark all’
Uncheck the following boxes only:
System/Running Process → List Modules
System/Drivers → NT Services
System/Drivers → NT Kernel- and FS-drivers
Press ‘OK’
Press ‘Save’ and select the location to save the log file (default is the same folder as the application)
Make sure you have any script blocking software disabled
Run the program. It will take a few minutes to complete.
Once complete it will produce a log named “StartupPrograms” with your user and date in the filename. Open that txt file and post its contents in your next post.
We (that means essexboy and little old me) will give it a glance to see if anything there starts up or runs that seems fishy.
I’ll post things as they come up. I’ll start the scan. Meanwhile I’m trying to view the contents of x[1].txt which is of course a binary file and Avast thinks it’s really cool and non-threatening. You’d think a binary txt file would set the damn alarms off…
This is killing my self esteem. I’m supposed to be the tech here, cleaning other people’s crap. Never in my 20 years have I ever come across something like this. It’s driving me nuts. Of course I could format but I absolutely refuse! I formatted this PC 6 months ago after 5 years… I still have another 4.5 years to go! I refuse to be beaten by some 16yr old schmuck, however clever he may be. I have to figure this one out, it’s a matter of principle at this point.
Oh, did I mention I’ve checked all running processes with Process Explorer and checked with tcpview as well? Nothing is phoning home at least.
So far I have only been able to kill one of these and I believe I got it very early. I only used Dr. Web to check the MBR section.
OTScanit did not see that as far as I can see (and I double checked) but normally I empty all temp files as a matter of routine with that programme.
My only thought after this is that a Windows file has been modified and replaced with the trigger file, and if it was done carefully enough it would pass unseen.
Could I have a copy of the binary text? I will pass it on to one of the experts who understands that sort of thing to see if he can make head or tail of it.
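
For triaging binary files such as the x[1].txt files discussed in this thread, one first check is whether a file with a data extension actually begins with a Windows PE header. The following is an added example, not part of any post above; the function names and the extension list are assumptions, and the sample bytes are constructed.

```python
import hashlib
import struct
from pathlib import Path

# Assumed list of extensions that should never hold a Windows executable image.
DATA_EXTENSIONS = {".txt", ".gif", ".jpg", ".htm", ".html", ".css"}


def pe_info(data: bytes):
    """Return a dict describing the PE header, or None if data is not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # offset of the PE header
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    machine, nsections = struct.unpack_from("<HH", data, e_lfanew + 4)
    (characteristics,) = struct.unpack_from("<H", data, e_lfanew + 22)
    return {
        "machine": hex(machine),
        "sections": nsections,
        "dll": bool(characteristics & 0x2000),  # IMAGE_FILE_DLL
    }


def find_disguised_pe(root):
    """Yield (path, sha256, info) for data-named files that are really PE images."""
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.suffix.lower() not in DATA_EXTENSIONS:
            continue
        data = path.read_bytes()
        info = pe_info(data)
        if info:
            yield path, hashlib.sha256(data).hexdigest(), info


def constructed_sample():
    """Constructed 88-byte stub: DOS header, PE signature and COFF header only."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)
    return dos + b"PE\0\0" + coff


if __name__ == "__main__":
    print(pe_info(constructed_sample()))
```

The SHA-256 it reports lets a file be identified when passing it to an analyst or submitting it to a scanning service without renaming or opening it.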