Has anybody come across spyware/malware called XNET666?

Posted on 2005-05-12
Last Modified: 2010-04-11
I am having a problem with the DNS server on my network (single server running 2003 standard). The DNS server appears to be running perfectly but when I try to access the console I get an error saying that I cannot connect.

To cut a long story short I have raised a Microsoft support call on this issue and they asked me to send them a netmon trace. They came back to me and said the netmon trace contained a reference to a website called XNET666 and they believe there is some spyware or possibly a Denial of Service application being run from our server.

Now, I have run an Ad-Aware scan, a Microsoft AntiSpyware scan, a McAfee VirusScan 8 full system scan, a full registry and file search and can't find any reference to XNET666. I have also had a look on the internet and the few websites that mention it are all in German.

So, here are my questions....

1. Does anybody know anything about XNET666, what it does and how you get rid of it?

2. Can anyone recommend any anti spyware/malware programs (either free or commercial) which may be more effective than the 2 which I have tried?

Hope you can help


Question by:metamatic
    LVL 32

    Assisted Solution

    I am not familiar with that specific problem, but you should be able to detect it with standard techniques. Here is what I suggest:

    Download Autoruns.exe from:

    When you run it, it shows a bunch of things that start automatically. Open the "View" menu and select everything from "Show Appinit Dlls" to "Hide Microsoft Entries", then select Refresh and it will give you a new list of startups.

    Examine that list carefully for anything suspicious. If you are sure, you can un-check the box next to it and reboot, then verify that it is still un-checked.

    If you are not sure about what is suspicious, you can use File-> Save as.. to save the list to a text file and cut and paste it here so others can give you an opinion.

    Good luck.
    LVL 12

    Assisted Solution

    Never heard of it.

    But as for most adware... I suggest giving HijackThis a go.
    It might point you towards the problem.

    Also, if you are connecting to that website it should show up when you do
    netstat -a
    in DOS.

    Lastly your firewall might be of assistance. If anything is going anywhere it should report it. Try removing all programs in the firewall and reboot the server.
    Multiple programs should ask if they can connect. Examine those before passing them.
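
The `netstat` check suggested above can be scripted so the output is filtered against a watchlist instead of read by eye. This is an added example, not part of the original post: the sample output, the name `suspect.example` and the address `203.0.113.45` are constructed placeholders for the name seen in the netmon trace and the addresses it resolves to.

```python
# Added example: filter `netstat -ao` / `netstat -ano` output against a watchlist.
# SAMPLE is constructed for illustration; it mixes numeric and resolved
# foreign addresses so both matching paths are exercised.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address            State         PID
  TCP    0.0.0.0:53             0.0.0.0:0                  LISTENING     1432
  TCP    192.168.1.10:3389      192.168.1.50:2211          ESTABLISHED   812
  TCP    192.168.1.10:1044      203.0.113.45:6667          ESTABLISHED   2980
  TCP    192.168.1.10:1051      irc.suspect.example:6667   SYN_SENT      2980
  UDP    0.0.0.0:53             *:*                                      1432
"""

def parse_netstat(text):
    """Return one dict per TCP/UDP row; the PID is None when -o was not used."""
    conns = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 3 or f[0] not in ("TCP", "UDP"):
            continue  # banner, column header or blank line
        rest = f[3:]  # [state] [pid]; UDP rows carry no state
        pid = int(rest.pop()) if rest and rest[-1].isdigit() else None
        state = rest[0] if rest else ""
        host, _, port = f[2].rpartition(":")  # rpartition keeps "[::]" intact
        conns.append({"proto": f[0], "local": f[1], "state": state, "pid": pid,
                      "rhost": host.strip("[]").lower(), "rport": port})
    return conns

def find_suspect(conns, names=(), ips=()):
    """Rows whose remote end is a watched IP, a watched name or a subdomain of one."""
    names = [n.lower() for n in names]
    hits = []
    for c in conns:
        if c["state"] == "LISTENING" or c["rhost"] in ("*", "0.0.0.0", "::"):
            continue  # listening sockets have no remote peer
        by_name = any(c["rhost"] == n or c["rhost"].endswith("." + n) for n in names)
        if by_name or c["rhost"] in ips:
            hits.append(c)
    return hits

if __name__ == "__main__":
    for h in find_suspect(parse_netstat(SAMPLE),
                          names=["suspect.example"], ips={"203.0.113.45"}):
        print(h["pid"], h["proto"], h["local"], "->",
              h["rhost"] + ":" + h["rport"], h["state"])
```

Without `-n`, the names `netstat` prints come from reverse lookups and may differ from the name that was queried, so match on the resolved IP addresses as well. `netstat` only lists sockets on the machine it runs on, so a clean result on the server says nothing about other hosts on the network.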
    LVL 7

    Accepted Solution

    Sounds like you were playing with IRC :)  I could be wrong but xnet666 sounds like a botnet program...

    I'd start with the freeware stuff first.

    1.  First I'd try some packet sniffing
    2.  Then maybe some process exploring
    3.  If you find the offending file/files, use BartPE to remove them if you can't remove them normally

    What port/ports is it going out on, going to?  What IPs?  What is it sending?

    You can always circumvent the problem by adding the line : in your hosts file.

    What's the complete URL or IP it's going out to, etc.?

    Here's some info on the URL if it's .com... doesn't look promising. You can also try sending an email to the DNS register to make sure the URL is not hijacked, etc. :)

    Registration Service Provided By:
    Domain name: XNET666.COM

    Registrant Contact:
       Huslr NoLastName (
       Horrors, - 66666


    Author Comment

    Thanks for the input, folks.

    It turned out that it was due to a PC on the network being infected with a variant of the rbot worm. Once I cleaned it off everything was fine.
