Virus xxtra32.exe ??? Please help !!!

Hi Experts,

A laptop is infected with a serious virus. It’s generating a high amount of traffic to the gateway. After that, all Internet browsing slows down and stops.

McAfee can’t identify it with the latest DATs. I also used the latest Stinger.exe.

In the registry I found xxtra32.exe in the following entries. After I delete the entries it is OK for a couple of hours, and then it gets infected with this virus again.


I searched the hard disk in safe mode but had no luck. In c:\windows\prefetch\ there are some files with the same name, but they keep coming back when I delete them.

Please advise!

Thanks !

According to this website it's a newly found variant of a known virus

I would try the online scan at Trendmicro

and also download a trial of AVG

If all else fails try Trojan Guarder trial version. It looks like it was designed by Playskool but it did find the navasp23.exe virus on our corporate network when nothing else would.

Next I would run Hijack This

and post the logfile here or run it through a web-based scanner like this one and follow its recommendations

A good spyware scanner or three would also help. We use a combination of Ad-Aware, Spybot Search & Destroy and the Microsoft anti-spyware beta

Finally, if you are using Windows XP and haven't upgraded to Service Pack 2, it's time to do so; the built-in firewall will block a lot of the current worms

Hope this helps. I spend a lot of my time fighting spyware and viruses for our corporation since our AV software stinks, and these are the standard suite of programs I run on a machine that has persistent problems with spyware and viruses


Affno (Author) Commented:
Will try to install Win XP SP2 and see

I would download the tools I mentioned, download SP2, then take the machine off the network, clean it, patch it, then put it back on the network and look for more critical updates. We tried just cleaning at first and, like you, kept getting reinfected. SP2 will probably block reinfection once you have it installed and cleaned

To give you an idea of how critical SP2 is: I took it off my box to get screenshots of installing it and other software for our remote users, and within 2 hours of it being unpatched I had warnings from the MS anti-spyware tool that a virus was trying to add itself to my startup.

A few things to keep in mind:

Scan for malware in safe mode
Reboot a few times and rescan
Turn off System Restore
Do not connect to the Internet or any network, really.

Affno (Author) Commented:
None of the virus guards or removal tools recognized this virus.

So I searched the registry for xxtra32.exe and deleted all entries. After that I installed XP Service Pack 2.

Now it always pops up an error window saying:

“Rpc Locator has encountered a problem and needs to close. We are sorry for the inconvenient.”

This message keeps coming up again and again and the machine freezes with it. Any tips?

Thanks !

Insert the Windows XP CD and choose the repair option.

Another possible solution (but I'm not sure, so make a backup of the file!!!!):
Replace svchost.exe in the windows\system32 dir with a backup one.

It will be either on the Windows CD (probably as svchost.ex_) or in windows\system32\dllcache or in an i386 directory.
Type this (after the backup!!):
expand c:\windows\system32\dllcache\svchost.ex_ c:\svchost.exe
If the filename and dirname are correct.
Then reboot into DOS (you might need a Win98 boot disk) and replace the windows\system32\svchost.exe with the c:\svchost.exe

But first of all try the XP CD solution :)

Did you delete the files, registry and startup entries in safe mode? And did you install XP SP2 with the machine offline?

I just dealt with a similar version of sdbot that wasn't picked up by any scanner, but I could tell what files were involved, so I deleted them in safe mode and killed all the registry entries for them as well, and didn't have problems installing SP2 from a CD I made.
Run HijackThis and post the entry and we may be able to see what's still causing problems. Otherwise an in-place XP reinstall would be a good idea; however, you will still need SP2 on CD to patch it right after install or you risk getting the same type of viruses again while trying to download the patches

Note that to do the in-place reinstall of XP you need to put in the CD and do NOT choose repair from the first menu (that's the recovery console); instead proceed as if you were going to reinstall the OS and it should detect your previous install and give you an option to repair it
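
A way to triage the HijackThis log that the replies above ask for, as an added example that is not part of any participant's post: it reads the running-process list, the O4 autostart lines and the O23 service lines, and flags entries whose executable matches a file name from this thread. The sample log is constructed, and the line layout is assumed from HijackThis's usual output.

```python
import re

# File names mentioned in the thread above; everything else here is constructed.
SUSPECT_NAMES = {"xxtra32.exe", "navasp23.exe"}
# Constructed sample log (assumed HijackThis layout, not a real scan).
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\xxtra32.exe

O4 - HKLM\..\Run: [Constructed Entry] xxtra32.exe
O4 - HKCU\..\Run: [Constructed Entry] "C:\WINDOWS\xxtra32.exe" -start
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O23 - Service: Example Agent (exagent) - Unknown owner - C:\WINDOWS\System32\navasp23.exe
"""

O4_RE = re.compile(r"^O4 - (?P<where>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - .* - (?P<cmd>.+)$")

def image_name(cmd):
    """Return the lowercase executable file name from a command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        exe = cmd[1:].split('"', 1)[0]          # quoted path, arguments follow
    else:
        m = re.match(r"(.+?\.exe)\b", cmd, re.IGNORECASE)
        exe = m.group(1) if m else cmd          # drop arguments after ".exe"
    return exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def find_suspect_entries(log, names=SUSPECT_NAMES):
    """Return (section, location, image) for each entry naming a suspect file."""
    hits, in_procs = [], False
    for line in (raw.strip() for raw in log.splitlines()):
        m4, m23 = O4_RE.match(line), O23_RE.match(line)
        if m4:
            entry = ("O4", m4.group("where"), image_name(m4.group("cmd")))
        elif m23:
            entry = ("O23", m23.group("name"), image_name(m23.group("cmd")))
        elif in_procs and line:
            entry = ("process", line, image_name(line))
        else:  # header starts the process list; a blank or other line ends it
            in_procs = line.lower().startswith("running processes")
            continue
        if entry[2] in names:
            hits.append(entry)
    return hits

if __name__ == "__main__":
    print(*find_suspect_entries(SAMPLE_LOG), sep="\n")
```

A name that shows up both as a running process and under a Run key is still being started at boot, which matches the reinfection after deleting registry entries described in the question.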