Solved

Virus xxtra32.exe ??? Please help !!!

Posted on 2005-03-01
Medium Priority
246 Views
Last Modified: 2010-04-11
Hi Experts,

A laptop is infected with a serious virus. It's generating a high amount of traffic to the gateway. After that, all Internet browsing slows down and stops.

McAfee can't identify it with the latest DATs. I also used the latest Stinger.exe.

In the registry I found an xxtra32.exe in the following entries; after I delete the entries it is OK for a couple of hours, and then it's infected with this virus again.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunService

I searched the hard disk in safe mode but had no luck. In c:\windows\prefetch\ there are some files with the same name, but they come back again and again when I delete them.

Please advise!

Thanks!
Question by:Affno
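The loop the poster describes (delete the Run/RunService entries, watch them return a few hours later) is the usual sign of a persistence mechanism re-arming itself, and tracking which autostart entries exist at each pass is easier from a `reg export` than by hand. The following is an added example, not code from this thread or from any of the tools mentioned in it: a small Python script that parses the text of a .reg export, collects the string values under the autostart keys, and flags entries whose image name is on a watchlist. The .reg text is constructed for the example; the key list (RunOnce added, and both the poster's "RunService" spelling and the usual "RunServices") is an assumption.

```python
"""Parse a Windows .reg export and flag autostart entries by image name.

Added example (not from the thread). SAMPLE_REG is constructed, not a real capture.
"""
import re
from pathlib import PureWindowsPath

# Keys to inspect. The original post lists Run and "RunService"; the usual
# spelling is RunServices, so both are included (assumption), plus RunOnce.
AUTOSTART_KEYS = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunService",
}
_AUTOSTART_KEYS_LC = {k.lower() for k in AUTOSTART_KEYS}

# Constructed sample of `reg export` output (values mimic the thread's xxtra32.exe case).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VTTimer"="VTTimer.exe"
"Updater"="\"C:\\Program Files\\Vendor\\updater.exe\" /silent"
"Windows Update"="xxtra32.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Windows Update"="xxtra32.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer]
"ShellState"=hex:24,00,00,00
'''

KEY_RE = re.compile(r"^\[(.+)\]$")
# "name"="data" where name and data may contain \" and \\ escapes.
STRING_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def unescape(s):
    """Undo .reg escaping: \\ -> \ and \" -> " in one pass."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_autostart_entries(reg_text):
    """Return [(key, value_name, command)] for string values under AUTOSTART_KEYS."""
    entries = []
    current_key = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        key_match = KEY_RE.match(line)
        if key_match:
            current_key = key_match.group(1)
            continue
        if current_key is None or current_key.lower() not in _AUTOSTART_KEYS_LC:
            continue  # value belongs to a key we are not inspecting
        value_match = STRING_VALUE_RE.match(line)
        if value_match:  # dword:/hex: values do not match and are skipped
            entries.append((current_key,
                            unescape(value_match.group(1)),
                            unescape(value_match.group(2))))
    return entries


def image_name(command):
    """Best-effort executable file name from a Run value.

    Quoted paths are handled; an unquoted path with spaces is ambiguous
    and yields its first token.
    """
    cmd = command.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        exe = cmd[1:end] if end != -1 else cmd[1:]
    else:
        exe = cmd.split(None, 1)[0] if cmd else ""
    return PureWindowsPath(exe).name.lower()


def flag_entries(entries, watchlist):
    """Entries whose image name is on the watchlist (case-insensitive)."""
    watch = {w.lower() for w in watchlist}
    return [e for e in entries if image_name(e[2]) in watch]


if __name__ == "__main__":
    found = parse_autostart_entries(SAMPLE_REG)
    for key, name, cmd in found:
        leaf = key.rsplit("\\", 1)[-1]
        print(f"{leaf:12} {name!r:18} -> {cmd}")
    for key, name, cmd in flag_entries(found, ["xxtra32.exe"]):
        print("WATCHLIST HIT:", key, name, cmd)
```

On a real machine the input would come from `reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" run.reg`; such exports are written as UTF-16, so open them with `encoding="utf-16"` before passing the text in. Keeping one export per pass lets you diff what came back after each cleanup rather than rediscovering it.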
7 Comments
 

Accepted Solution

by: joseywales (earned 900 total points)
ID: 13436461
According to this website it's a newly found variant of a known virus

http://www.cyberdefender.com/risk/html/20050221070700.log.html

I would try the online scan at Trend Micro

http://housecall.trendmicro.com/

and also download a trial of AVG

http://www.grisoft.com/us/us_index.php

If all else fails, try the Trojan Guarder trial version. It looks like it was designed by Playskool, but it did find the navasp23.exe virus on our corporate network when nothing else would.

www.your-soft.com

Next I would run HijackThis

http://www.spywareinfo.com/~merijn/downloads.html

and post the logfile here, or run it through a web-based scanner like this one and follow its recommendations

http://hijackthis.de/

A good spyware scanner or three would also help. We use a combination of Ad-Aware, Spybot Search and Destroy and the Microsoft AntiSpyware beta

www.lavasoft.com
http://www.safer-networking.org/en/index.html
www.microsoft.com

Finally, if you are using Windows XP and haven't upgraded to Service Pack 2, it's time to do so; the built-in firewall will block a lot of the current worms
www.windowsupdate.com

Hope this helps. I spend a lot of my time fighting spyware and viruses for our corporation since our AV software stinks, and these are the standard suite of programs I run on machines that have persistent problems with spyware and viruses.
LVL 1

Author Comment

by:Affno
ID: 13436676
Will try to install Win XP SP2 and see.

Expert Comment

by:joseywales
ID: 13436753
I would download the tools I mentioned, download SP2, then take the machine off the network and clean it, then patch it, then put it back on the network and look for more critical updates. We tried just cleaning at first and, like you, kept getting reinfected; SP2 will probably block reinfection once you have it installed and cleaned.

To give you an idea of how critical SP2 is, I took it off my box to get screenshots of installing it and other software for our remote users, and within 2 hours of it being unpatched I had warnings from the MS anti-spyware tool that a virus was trying to add itself to my startup.
LVL 12

Assisted Solution

by:kneH
kneH earned 600 total points
ID: 13438115
A few things to keep in mind:

Scan for malware in safe mode
Reboot a few times and rescan
Turn off System Restore
Do not connect to the internet or any network, really.
LVL 1

Author Comment

by:Affno
ID: 13553098
None of the virus guards or removal tools recognized this virus.

So I searched the registry for xxtra32.exe and deleted all entries. After that I installed XP Service Pack 2.

Now it always pops up an error window saying:

“Rpc Locator has encountered a problem and needs to close. We are sorry for the inconvenient.”

This message keeps coming again and again, and the machine freezes with it. Any tips???

Thanks!
LVL 12

Expert Comment

by:kneH
ID: 13553350
Yup.

Insert the Windows XP CD and choose the repair option.

Other possible solution (but I'm not sure, so make a backup of the file!!!!):
replace svchost.exe in the windows\system32 dir with a backup one.

It will either be on the Windows CD (probably as svchost.ex_), in windows\system32\dllcache, or in an i386 directory.
Type this (after the backup!!):
expand c:\windows\system32\dllcache\svchost.ex_ c:\svchost.exe
if the filename and dirname are correct.
Then reboot into DOS (you might need a Win98 boot disk from www.bootdisk.com) and replace windows\system32\svchost.exe with c:\svchost.exe.

But first of all try the XP CD solution :)
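Overwriting svchost.exe as suggested above is a blind swap of a core binary; the check a practitioner wants first is whether the live file actually differs from the reference copy (the one expanded from svchost.ex_ or sitting in dllcache), and to act only on a real mismatch. The block below is an added example, not code from this thread: a Python verify-before-replace helper that hashes both files with SHA-256 and reports match, mismatch, or a missing file. The demo builds its two stand-in files in a temporary directory; the real paths would be the ones kneH names.

```python
"""Verify-before-replace check for a system binary (added example, not from the thread).

compare_to_reference() hashes the live file and a reference copy and reports
whether they differ, so a replacement is only attempted on a real mismatch.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path):
    """SHA-256 hex digest of a file, read in chunks so large binaries are fine."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def compare_to_reference(live, reference):
    """Return 'match', 'mismatch', 'missing-reference' or 'missing-live'.

    Order matters: with no reference copy there is nothing to restore from,
    so that is reported before anything about the live file.
    """
    live, reference = Path(live), Path(reference)
    if not reference.is_file():
        return "missing-reference"
    if not live.is_file():
        return "missing-live"
    return "match" if sha256_of(live) == sha256_of(reference) else "mismatch"


def demo():
    """Constructed scenario: a live svchost.exe first matches, then diverges from, dllcache."""
    with tempfile.TemporaryDirectory() as tmp:
        reference = Path(tmp) / "dllcache" / "svchost.exe"   # stand-in for the dllcache copy
        reference.parent.mkdir()
        reference.write_bytes(b"MZ original-binary-stand-in")
        live = Path(tmp) / "system32" / "svchost.exe"        # stand-in for the live file
        live.parent.mkdir()
        live.write_bytes(b"MZ original-binary-stand-in")
        before = compare_to_reference(live, reference)
        live.write_bytes(b"MZ tampered-binary-stand-in")     # simulate a modified file
        after = compare_to_reference(live, reference)
        return before, after


if __name__ == "__main__":
    print(demo())  # ('match', 'mismatch')
```

A mismatch only says the two files differ; on a patched system the dllcache copy should track the installed version, so a difference is a reason to look closer (and to take the backup kneH insists on), not proof by itself of infection. A match means the swap would change nothing and the Rpc Locator error has another cause.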
Assisted Solution

by: joseywales (earned 900 total points)
ID: 13562191
Did you delete the files, registry and startup entries in safe mode? And did you install XP SP2 with the machine offline?

I just dealt with a similar version of sdbot that wasn't picked up by any scanner, but I could tell what files were involved, so I deleted them in safe mode and killed all the registry entries for them as well, and didn't have problems installing SP2 from a CD I made.
Run HijackThis and post the entry and we may be able to see what's still causing problems. Otherwise an in-place XP reinstall would be a good idea; however, you will still need SP2 on CD to patch it right after install or you risk getting the same type of viruses again while trying to download the patches.

Note that to do the in-place reinstall of XP you need to put in the CD and do NOT choose repair from the first menu (that's the recovery console); instead proceed as if you were going to reinstall the OS and it should detect your previous install and give you an option to repair it.