
My desktop computer has been infected with the log on/log off virus (I believe from xsecva.exe). Whenever I tried to log in, I was immediately logged off (even in safe mode). I did some research and found the best solution was to remove the hard drive from the desktop and connect it to another computer to run Malwarebytes to remove the virus.

I removed the hard drive, connected it to a very old laptop, ran Malwarebytes, and it reported that it successfully quarantined and deleted the infected files (including xsecva.exe). One concern that I had was one of the user profiles on the hard drive had a password and I could not view any files in that user directory, however Malwarebytes did scan that directory and identified/removed infected files from that user directory.

I reconnected the hard drive to the desktop, turned it on, and still encountered the log on/log off issue (I had forgotten that the virus probably had altered the registry and other files). To be safe, I removed the hard drive again, reconnected it to the laptop, and re-scanned it with Malwarebytes (no infected files were found).

Attached are my two Malwarebytes logs, the first is the most current (showing no infected files found) and the second is the report from the initial scan (showing the infected files that had been quarantined and deleted, including xsecva.exe).

Following the instructions on the pinned thread “I’m infected – What do I do now?” under the “Malware Removal – HijackThis Logs” forum, since I am still experiencing issues, I downloaded DDS. However, since I cannot log into the infected hard drive on the desktop computer, I must have it connected externally to the laptop. When I save the DDS files to the desktop of the laptop, DDS is analyzing the C: drive of the laptop. I tried copying the DDS files to a desktop directory on the infected hard drive, but again it analyzed the C: drive of the laptop. I could copy & paste the DDS.txt and Attach.txt files for you to analyze, but I do not believe they would be providing you with the information you need to investigate this issue.

Is there a way that I can run DDS on an infected hard drive that is connected externally to another computer (due to the issue of not being able to log into it)? Could you please help me past this issue by telling me how to proceed? Please let me know if you need any more information from me.

Many thanks in advance,

Bob

mbam-log-2013-01-12 (16-10-24).txt

mbam-log-2013-01-08 (18-57-54).txt


That's a weird log, for almost everything it says:

File not found

------------------

This may be the problem:

O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe"C:\Documents and Settings\Bob\Application Data\xsecva\xsecva.exe" -s) - File not found

-------------------

When you use OTLPE again, see if this file exists:

C:\Documents and Settings\Bob\Application Data\xsecva\xsecva.exe

---------------------

I want you to run a different scan using FRST. (I'm pretty sure this will work)

Please download Farbar Recovery Scan Tool and save it to a flash drive.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

  1. Plug the flash drive into the infected PC.
  2. Boot the computer up with the OTLPE disk.
  3. Navigate to the flash drive and run FRST.exe
  4. The tool will start to run.
  5. When the tool opens click Yes to disclaimer.
  6. Press Scan button.
  7. It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

Let me know....MrC


I have just a couple of questions/comments before I proceed with the steps that you provided above.

Regarding why C:\Documents and Settings\Bob\Application Data\xsecva\xsecva.exe may not exist, the initial scan of MBAM quarantined and deleted that file (see the MBAM log 2013-01-08 (18-57-54).txt attached at the start of this topic).

Since I am experiencing the Log On/Log Off virus, I have been scanning this hard drive (from my desktop computer) with MBAM and OTLPE while it has been connected externally to two different laptops (as either the E: drive or the F: drive). In your reply above, with the first step in scanning this hard drive using FRST, you said "1. Plug the flash drive into the infected PC." Should I: (a) scan the infected hard drive with FRST while it is connected as an external hard drive to the laptop, or (b) disconnect the infected hard drive from the laptop and reconnect back in the desktop computer?

If I should proceed using (b) above (i.e., connect the hard drive back in the desktop computer), then you can ignore the questions that follow below and I will perform the steps that you provided above.

If I should scan it with FRST while connected to the laptop (i.e., (a) above), should I do anything different than you suggested above? Currently, with the hard drive connected externally to the laptop, the laptop is still open, having been booted up with the OTLPE disk. Can I download FRST to a flash drive and connect it to the laptop without re-booting and then start with step #3, or am I required to boot up again from the OTLPE disk?


First...this computer is badly infected:

Please read the following information first.

You're infected with Rootkit.ZeroAccess, a BackDoor Trojan.

BACKDOOR WARNING

------------------------------

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified, because of its backdoor functionality your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

http://www.dslreports.com/faq/10451

When Should I Format, How Should I Reinstall

http://www.dslreports.com/faq/10063

I will try my best to clean this machine but I can't guarantee that it will be 100% secure afterwards.

Before I give you a fix.....

Do you recognize these two files or programs: (I can't find any info on them)

HKLM\...\Run: [wipdl] "C:\WINDOWS\system32\rundll32.exe" "C:\Documents and Settings\Bob\Application Data\wipdl.dll",VecStartFeedLoad [398336 2012-07-15] (M-Audio)

C:\Documents and Settings\Bob\Application Data\wipdl.dll from ----------> M-Audio

HKLM\...\Run: [tvcag] "rundll32.exe" "C:\Documents and Settings\Bob\Application Data\tvcag.dll",CopyRegistry [135168 2012-07-29] (Crytek)

C:\Documents and Settings\Bob\Application Data\tvcag.dll from ---------->Crytek

From OTLPE log:

[2012/07/29 22:59:06 | 000,135,168 | ---- | C] (Crytek) -- C:\Documents and Settings\Bob\Application Data\tvcag.dll

[2012/07/15 22:28:23 | 000,398,336 | ---- | C] (M-Audio) -- C:\Documents and Settings\Bob\Application Data\wipdl.dll

Let me know....MrC


Thank you for letting me know that the computer is badly infected. I have not used this computer in several months (due to the log on/log off virus problem). I have not done many financial transactions on this computer and will make sure not to use this computer for any credit card transactions in the future.

Regarding the files/programs - I am not familiar with the files and googled to check what the programs might be:

- M-Audio - used for digital audio - I might have something that could use this, but if you are concerned with it, I do not mind deleting it. If I find that I need it, I will deal with it at that later time.

- Crytek - this is a German video game company - I never play video games, so I am not concerned if this is deleted.


I'm going to include those two files, Google comes back with zero hits for them which is not good.

OK, here you go......Please carefully carry out this procedure!!!!!!

Please download the attached fixlist.txt and copy it to your flashdrive.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Boot up using OTLPE as before

Run FRST64 or FRST (whichever one you're using) and press the Fix button just once and wait.

The tool will make a log on the flashdrive (Fixlog.txt); please post it in your reply.

See if the computer boots normally now.

MrC


Thank you for preparing the fixlist.txt file specific to my computer.

I still had the desktop computer booted up with the OTLPE disk (i.e., I didn't re-boot). I copied the fixlist.txt file to the flash drive, ran FRST.exe, and clicked "Fix" once. It ran relatively quickly and produced the attached fixlog.txt file.

I then re-started the computer normally and was able to successfully log into it for the first time in months!!!!!

Assuming we are not finished yet, what should I do next?


Yes we have more to do.

Please download RogueKiller to your desktop and run it.

http://tigzy.geekstogo.com/Tools/RogueKillerX64.exe <---use this one for 64 bit systems

Quit all running programs.

For Windows XP, double-click to start.

For Vista or Windows 7-8, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.

When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop.

MrC


I have run the RogueKiller scan. I mistakenly copied it to a directory, rather than to the desktop, when I ran the scan the first time (producing the attached file ending *048.txt). I then copied RogueKiller to my desktop and ran the scan a second time (producing the attached file ending *051.txt). Sorry about that mistake. After the scans completed, I closed the program and did not fix anything.

RKreport1_S_02152013_02d2048.txt

RKreport2_S_02152013_02d2051.txt


Run RogueKiller again and click Scan

When the scan completes > click on the Registry tab

Put a check next to all of these and uncheck the rest: (if found)

[HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 : (C:\Documents and Settings\Bob\Local Settings\Application Data\{16d0acff-807c-891f-b9cc-d4bf027d28fa}\n.) [x] -> FOUND

Now click Delete on the right hand column under Options

-------------------------------------

Then.............

Please create a new system restore point before running Malwarebytes Anti-Rootkit if you can.

MBAR tutorial

Download Malwarebytes Anti-Rootkit from HERE

  • Unzip the contents to a folder in a convenient location.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced; they will be in the MBAR folder..... mbar-log.txt and system-log.txt

To attach a log if needed:

Bottom right corner of this page (image: more-reply-options.jpg).

New window that comes up (image: choose-files1.jpg).

~~~~~~~~~~~~~~~~~~~~~~~

Note:

If no additional threats were found, verify that your system is now running normally, making sure that the following items are functional:

Internet access

Windows Update

Windows Firewall

If there are additional problems with your system, such as any of those listed above or other system issues, then run the fixdamage tool included with Malwarebytes Anti-Rootkit and reboot.

Verify that your system is now functioning normally.

MrC
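The three persistence points MrC calls out above (the Winlogon UserInit value with a second executable appended, the Run entries that load DLLs out of Application Data through rundll32, and the CLSID InprocServer32 redirected into a GUID-named folder) follow patterns that can be checked mechanically. The script below is an added example, not part of this thread or of any Malwarebytes tool; it runs those checks over the log lines quoted in the thread plus one constructed benign UserInit line, and the rule names and function names are my own.

```python
import re

# Sample log lines: the first four are the entries quoted in the thread
# (OTL, FRST and RogueKiller output); the last is a constructed benign
# UserInit line, included so the scan has a clean case to compare with.
SAMPLE_LINES = [
    r'O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe"C:\Documents and Settings\Bob\Application Data\xsecva\xsecva.exe" -s) - File not found',
    r'HKLM\...\Run: [wipdl] "C:\WINDOWS\system32\rundll32.exe" "C:\Documents and Settings\Bob\Application Data\wipdl.dll",VecStartFeedLoad [398336 2012-07-15] (M-Audio)',
    r'HKLM\...\Run: [tvcag] "rundll32.exe" "C:\Documents and Settings\Bob\Application Data\tvcag.dll",CopyRegistry [135168 2012-07-29] (Crytek)',
    r'[HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 : (C:\Documents and Settings\Bob\Local Settings\Application Data\{16d0acff-807c-891f-b9cc-d4bf027d28fa}\n.) [x] -> FOUND',
    r'O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe,) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)',
]

SYSTEM_DIR = r'c:\windows\system32'
# Any drive-letter path ending in .exe or .dll (stops at a double quote).
WIN_PATH = re.compile(r'[A-Za-z]:\\[^"\n]*?\.(?:exe|dll)', re.IGNORECASE)

def in_user_profile(path):
    """True for paths under a per-user Application Data / AppData folder."""
    p = path.lower()
    profile_root = '\\documents and settings\\' in p or '\\users\\' in p
    return profile_root and ('application data' in p or '\\appdata\\' in p)

def check_userinit(line):
    """UserInit should be only the system userinit.exe; anything appended runs at logon."""
    m = re.search(r'UserInit - \((.*?)\) - ', line)
    if not m:
        return []
    paths = WIN_PATH.findall(m.group(1))
    bad = [p for p in paths if not p.lower().startswith(SYSTEM_DIR + '\\userinit.exe')]
    return [('UserInit hijack', p) for p in bad]

def check_run_rundll32(line):
    """Run entries that use rundll32 to load a DLL out of a user profile."""
    if '\\Run:' not in line:
        return []
    m = re.search(r'rundll32(?:\.exe)?"\s+"([^"]+)"', line, re.IGNORECASE)
    if m and in_user_profile(m.group(1)):
        return [('rundll32 loading DLL from user profile', m.group(1))]
    return []

def check_inprocserver32(line):
    """Flag a COM server redirected into a folder under a user profile (the ZeroAccess pattern)."""
    m = re.search(r'InprocServer32 : \((.*?)\)', line)
    if not m:
        return []
    path = m.group(1)
    if not path.lower().startswith(SYSTEM_DIR) and in_user_profile(path):
        return [('CLSID InprocServer32 hijack', path)]
    return []

CHECKS = (check_userinit, check_run_rundll32, check_inprocserver32)

def scan_lines(lines):
    """Return (rule, path) findings for every suspicious line."""
    findings = []
    for line in lines:
        for check in CHECKS:
            findings.extend(check(line))
    return findings

if __name__ == '__main__':
    for rule, path in scan_lines(SAMPLE_LINES):
        print(f'{rule}: {path}')
```

Run on the sample lines it reports the four entries the thread removed and stays silent on the benign UserInit line.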


I just have one question before I proceed.

The first scan file showed the registry line in question as:

[HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 : (C:\Documents and Settings\Bob\Local Settings\Application Data\{16d0acff-807c-891f-b9cc-d4bf027d28fa}\n.) [x] -> FOUND

The second scan file (and the current scan) showed that same registry line in question as something slightly different:

[HJ INPROC][PREVRUN] HKCR\[...]\InprocServer32 : (C:\Documents and Settings\Bob\Local Settings\Application Data\{16d0acff-807c-891f-b9cc-d4bf027d28fa}\n.) [x] -> FOUND

It is the same directory path, but instead of showing the "type" as [ZeroAccess], it is now shown as [PREVRUN]. Just to confirm before I proceed, even though it is no longer identified as the "type" [ZeroAccess], should I leave the [PREVRUN] checked, so it can be deleted, and uncheck the others before clicking Delete?


I have followed your procedures above, but stopped at a point before running the Cleanup with Malwarebytes Anti-Rootkit ("MBAR") due to a potential problem encountered during RogueKiller.

I scanned and deleted the registry item with RogueKiller, set the Restore Point, and scanned and identified one item with MBAR. I have attached the one RogueKiller report (after running Delete) and the two MBAR reports before running Cleanup.

The scan of RogueKiller identified six registry items. I unchecked the first four boxes with a single click each (no problem). For the fifth box, I clicked into the box several times to uncheck the item, but it was not unchecking. After about five or six attempts to uncheck the box, the box was finally unchecked (I thought that was odd, but thought I was ok at that point). I left the sixth box checked in order to delete the ZeroAccess entry in the registry. I hit Delete at that point, but then when RogueKiller returned the results, it showed that the fifth item in the list may have also been deleted (i.e., "Replaced (0)"). The RogueKiller report showed the following entries for the two items replaced:

[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

[HJ INPROC][PREVRUN] HKCR\[...]\InprocServer32 : (C:\Documents and Settings\Bob\Local Settings\Application Data\{16d0acff-807c-891f-b9cc-d4bf027d28fa}\n.) [x] -> REPLACED (C:\WINDOWS\system32\shell32.dll)

I am fearful of rebooting the computer without knowing whether there will be a problem from the unintended deletion of the one entry above, which is why I stopped prior to running Cleanup with MBAR, which may automatically reboot the computer. I thought if that item should not have been deleted, then possibly we need to insert the entry back into the registry before rebooting. Please let me know how to proceed.

Thanks,

Bob

RKreport5_D_02162013_02d0806.txt

system-log.txt

mbar-log-2013-02-16 (08-52-27).txt


The only item I wanted you to fix with RogueKiller was this one:

[HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 : (C:\Documents and Settings\Bob\Local Settings\Application Data\{16d0acff-807c-891f-b9cc-d4bf027d28fa}\n.) [x] -> FOUND

Reboot the computer and finish up with MBAR.

You're making this more complicated than it is.

MrC


I apologize for that and agree that I made it more complicated than it needed to be. I swore that the box was unchecked before hitting Delete with RogueKiller.

I am proceeding with MBAR (from the step where I left off with running Cleanup and then rebooting) and will report back to you.

Thank you very much for your help and I appreciate your patience with me.


Hi MrCharlie,

Thank you very much for your help and patience!!! It has been greatly appreciated. I apologize for any issues that I created which complicated this matter.

Is there any concern that I should have regarding the registry entry that I accidentally deleted (i.e., “Replaced (0)”)? Should that deleted entry be added back to the registry? The deleted entry again was:

[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

I ran the fixdamage tool to address a Windows Firewall problem and now that seems to be working.

Is there anything more that needs to be done?

If there is nothing more to do:

1. The versions of internet security software packages have expired. Before I start using this computer again, I will purchase and install the current versions of those software packages, as well as add Malwarebytes Anti-Malware PRO. Considering that this computer was badly infected with Rootkit.ZeroAccess (a BackDoor Trojan), if I do not plan to use this computer for transactions with financial accounts and credit cards, and ensure that my passwords for my financial accounts are not on this computer, will this computer be safe to use on the internet?

2. If I decide to replace this computer at some point in the future, will it be safe to copy individual personal files from this computer to another computer? I would only copy such individual personal files that are known to me. My concern would be that I could potentially copy a virus file since this computer was badly infected.

Thank you very much,

Bob

mbar-log-2013-02-16 (14-16-41).txt

system-log.txt


will this computer be safe to use on the internet?

Yes it will be

individual personal files will be OK

Yes there's more to do:

Please download and run ComboFix.

The most important things to remember when running it are to disable all your malware programs and run ComboFix from your desktop.

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingc...to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Give it at least 30-45 minutes to finish if needed.

Please include the C:\ComboFix.txt in your next reply for further review.

---------->NOTE<----------

If you get the message Illegal operation attempted on registry key that has been marked for deletion after you run ComboFix....please reboot the computer, this should resolve the problem. You may have to do this several times if needed.

MrC


Looks Good...next:

Please download AdwCleaner from here and save it on your Desktop.

AdwCleaner is a reliable removal tool for Adware, Foistware, toolbars and potentially unwanted programs.

AdwCleaner is a tool that deletes:

· Adwares (software ads)

· PUP/LPI (Potentially Undesirable Program)

· Toolbars

· Hijacker (Hijack of the browser's homepage)

It works with a Search and Deletion method. It can be easily uninstalled using the "Uninstall" mode.

  1. Right-click on adwcleaner.exe and select Run As Administrator (for XP just double click) to launch the application.
  2. Now click on the Search tab.
  3. Please post the contents of the log-file created in your next post.

Note: The log can also be located at C:\ >> AdwCleaner[XX].txt >> XX <-- denotes the number of times the application has been run, so in this case it should be something like R1.

Please look over what was found, we're going to delete it all in the next step....if there's something you may want to keep...please let me know and I'll explain to why it shouldn't be on your system.

MrC


I have downloaded AdwCleaner to my desktop and ran the Search. Attached is the resulting report. I have reviewed the report and do not have a problem with deleting anything identified in the report.

Please let me know when it is ok to turn on the Windows Firewall and re-activate the protections of the anti-virus and anti-malware software.

Also, please let me know when it is ok to uninstall the ComboFix.exe (as I read in the instructions that it should be uninstalled) and if any of the other applications with which we have been working should be uninstalled or deleted.

Thanks,

Bob

AdwCleanerR1.txt
