
Virus removed but comes back after a few restarts, USB Shortcut virus



I have a suspicious file named gbhvexig.exe that keeps coming back after a restart or two. I suspect it is causing multiple instances of iexplore.exe (up to 4 instances, when my normal number of instances is only 2) upon startup, and these instances are detected as malicious ads. I also think it is responsible for breaking the .dll files of two games on my PC.

 

Another concern is that all USB sticks I insert in my PC get infected with the RECYCLER folder and "shortcut virus". I have run several scans already using Malwarebytes, but my USBs are still getting infected.

 

I have attempted to run some scans using FRST and ADWCleaner, as I have seen in other threads with problems similar to mine, but I always seem to get lost along the way. Please do help me, because I have grown tired of reinstalling my affected programs again and again.

gbhvexig.jpg

usb virus.jpg

game breaking.jpg

multiple instances.jpg

Edited by PissedOff
Added screenshots
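The "shortcut virus" and RECYCLER symptoms described in the post above follow a well-known pattern: the malware sets the user's real folders and files on the stick to Hidden+System and drops .lnk files that launch a script or executable before opening the real folder. The following PowerShell script is an added example, not code from this thread or from Malwarebytes; it inspects a removable drive for those indicators and, with -Restore, clears the Hidden/System attributes from the user's own items so they become visible again. It assumes an elevated PowerShell on the machine with the stick inserted and the stick's drive letter passed as -Drive (for example E:); the regexes for suspicious shortcut targets are the example's own heuristics, not signatures from the thread.

```powershell
<#
  Added example, not code from the thread or from Malwarebytes.
  Reports the classic USB "shortcut virus" indicators on a removable drive:
    - .lnk files in the drive root whose target runs cmd/wscript/cscript/
      powershell/rundll32 or that pass a script/executable as an argument
    - the user's real folders and files set Hidden+System
    - a RECYCLER/RECYCLED folder (not expected on a FAT32 stick) or autorun.inf
  With -Restore it clears Hidden/System from the user's own items (the
  equivalent of "attrib -h -s"). It never deletes anything; review the
  report before acting on it.
  Assumed: elevated PowerShell, stick inserted, -Drive is its letter, e.g. E:
#>
param(
    [Parameter(Mandatory = $true)]
    [ValidatePattern('^[D-Zd-z]:$')]   # refuses A:, B: and C:; meant for removable media
    [string]$Drive,
    [switch]$Restore
)

$root = "$Drive\"
if (-not (Test-Path -LiteralPath $root)) { throw "Drive $Drive is not present." }

$hidden = [IO.FileAttributes]::Hidden
$system = [IO.FileAttributes]::System
# Items Windows itself creates as Hidden+System; never touch these.
$legit    = @('System Volume Information', '$RECYCLE.BIN')
$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Type, [string]$Path, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Type = $Type; Path = $Path; Detail = $Detail })
}

# 1. Shortcuts in the root: resolve each .lnk and look at what it would run.
$shell = New-Object -ComObject WScript.Shell
Get-ChildItem -LiteralPath $root -Filter *.lnk -File -Force -ErrorAction SilentlyContinue |
  ForEach-Object {
    $lnk    = $shell.CreateShortcut($_.FullName)
    $target = [string]$lnk.TargetPath
    $argStr = [string]$lnk.Arguments
    if ($target -match '\\(cmd|wscript|cscript|powershell|rundll32)\.exe$' -or
        $argStr -match '\.(exe|vbs|vbe|js|jse|bat|cmd|scr)\b') {
        Add-Finding 'SuspiciousShortcut' $_.FullName ("$target $argStr".Trim())
    }
  }

# 2. Hidden+System items in the root: usually the user's real content, hidden by the malware.
Get-ChildItem -LiteralPath $root -Force -ErrorAction SilentlyContinue |
  Where-Object { $_.Attributes.HasFlag($hidden) -and $_.Attributes.HasFlag($system) } |
  ForEach-Object {
    $name = $_.Name
    if ($legit -contains $name) { return }          # 'return' = continue in ForEach-Object
    if ($name -in 'RECYCLER', 'RECYCLED') {
        Add-Finding 'RecyclerFolder' $_.FullName 'Not expected on removable FAT32 media'
        return
    }
    if ($name -ieq 'autorun.inf') {
        Add-Finding 'AutorunInf' $_.FullName 'AutoRun from removable media is disabled on patched Windows 7 and later'
        return
    }
    Add-Finding 'HiddenUserItem' $_.FullName ([string]$_.Attributes)
    if ($Restore) {
        # Clear only the Hidden and System bits, keep every other attribute.
        $mask = -bnot ([int]$hidden -bor [int]$system)
        $_.Attributes = [IO.FileAttributes]([int]$_.Attributes -band $mask)
    }
  }

if ($findings.Count -eq 0) {
    Write-Output "No shortcut-virus indicators found in $root"
} else {
    $findings | Format-Table -AutoSize
    if ($Restore) { Write-Output 'Hidden/System attributes cleared from user items.' }
}
```

Run it first without -Restore to see the report; a stick that only shows .lnk files next to a hidden folder of the same name is the classic picture. The script deliberately leaves the suspicious shortcuts and any RECYCLER folder in place for the helper to examine, since the same names are also used by legitimate software on some drives.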

Hi PissedOff :)

My name is Aura and I'll be assisting you with your malware issue. Since we'll be working together, you can call me Aura or Yoan, which is my real name, it's up to you! Now that we've broken the ice, I'll just ask you a few things during the time we'll be working together to clean your system and get it back to an operational state.

  • As you'll notice, the logs we are asking for here are quite lengthy, so it's normal for me to not reply immediately after you post them. This is because I need some time to analyse them and then act accordingly. However, I'll always reply within 24 hours, 48 hours at most if something unexpected happens
  • As long as I'm assisting you on Malwarebytes Forums, in this thread, I'll ask you to not seek assistance anywhere else for any issue related to the system we are working on. If you have an issue, question, etc. about your computer, please ask it in this thread and I'll assist you
  • The same principle applies to any modifications you make to your system, I would like you to ask me before you do any manipulations that aren't in the instructions I posted. This is to ensure that we are operating in sync and I know exactly what's happening on your system
  • If you aren't sure about an instruction I'm giving you, ask me about it. This is to ensure that the clean-up process goes without any issue. I'll answer you and even give you more precise instructions/explanations if you need. There's no shame in asking questions here, better be safe than sorry!
  • If you don't reply to your thread within 3 days, I'll bump this thread to let you know that I'm waiting for you. If you don't reply after 5 days, it'll be closed. If you return after that period, you can send me a PM to get it unlocked and we'll continue where we left off
  • Since malware can work quickly, we want to get rid of them as fast as we can, before they make unknown changes to the system. This being said, I would appreciate if you could reply to this thread within 24 hours of me posting. This way, we'll have a good clean-up rhythm and the chances of complications will be reduced
  • I'm against any form of pirated, illegal and counterfeit software and material. So if you have any installed on your system, I'll ask you to uninstall them right now. You don't have to tell me if you indeed had some or not, I'll give you the benefit of the doubt. Plus, this would be against Malwarebytes Forums' rules
  • In the end, you are the one asking for assistance here. So if you wish to go a different way during the clean-up, like format and reinstall Windows, you are free to do so. I would appreciate you to let me know about it first, and if you need, I can also assist you in the process
  • I would appreciate if you were to stay with me until the end, which means, until I declare your system clean. Just because your system isn't behaving weirdly anymore, or is running better than before, it doesn't mean that the infection is completely gone
    This being said, I have a full time job so sometimes it'll take longer for me to reply to you. Don't worry, you'll be my first priority as soon as I get home and have time to look at your thread


This being said, it's time to clean-up some malware, so let's get started, shall we? :)

Follow the instructions in the thread below, and provide me both FRST logs (FRST.txt and Addition.txt) and the Malwarebytes log. You can attach them in your next post, or copy/paste their content.

https://forums.malwarebytes.com/topic/9573-im-infected-what-do-i-do-now/


Thank you for replying Aura. May I take a few moments before uploading the files you are requesting?

 

While I was waiting for a reply in my thread, I decided to re-scan my PC using Malwarebytes with Scan for Rootkits checked. It has been scanning for 44 minutes now and is still scanning (at the time of this reply). It has detected a file C:\WINDOWS\PSS\GBHVEXIG.EXE.STARTUP, which is something I haven't seen in my previous scans. Knowing that I would need to restart my PC after this scan, I want it to finish before I continue to follow some of your instructions. Would that be fine?

 

I will send the required files after the scan is finished.

Edited by PissedOff

GBHVEXIG.EXE is still coming back even though the file in the C:\Windows\pss directory was detected and deleted. I also keep getting a live notification from Malwarebytes about a website being blocked.

 

Attached in this reply are my new scans from a newer version of Malwarebytes, FRST and ADWCleaner.

Addition.txt

FRST.txt

AdwCleaner[S02].txt

Edited by PissedOff

Google Chrome - Remove Extension/App

  • In Google Chrome, enter chrome://extensions in the address bar and press on Enter
  • In the Extensions page, uninstall these (by clicking on the little garbage can icon on their right)
    • Chrome Cleaner Pro
  • If you don't see the extension listed, it means that it's installed as an App. So enter chrome://apps in the address bar and press on Enter
  • From the Apps page, look for the app, right-click on it and select Remove from Chrome

Your Google Chrome installation is infected. You'll need to uninstall and reinstall it.

Farbar Recovery Scan Tool (FRST) - Fix mode
Follow the instructions below to execute a fix on your system using FRST, and provide the log in your next reply.

  • Download the attached fixlist.txt file, and save it on your Desktop (or wherever your FRST.exe/FRST64.exe executable is located)
  • Right-click on the FRST executable and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Click on the Fix button
  • On completion, a message will come up saying that the fix has been completed and it'll open a log in Notepad
  • Copy and paste its content in your next reply

fixlist.txt


I did not find any "Chrome Cleaner Pro" in either chrome://extensions or chrome://apps. I remember that it was removed using ADWCleaner.

 

Here is the log you required

 

I would also like to mention that Malwarebytes still keeps notifying me that a website is blocked due to malware, even after the fix was applied and the PC rebooted. The malware it was indicating was iexplore.exe.

Fixlog.txt


All good. Now let's do a scan with RogueKiller.

RogueKiller

  • Download the right version of RogueKiller for your Windows version (32 or 64-bit)
  • Once done, move the executable file to your Desktop, right-click on it and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Click on the Start Scan button in the right panel, which will bring you to another tab, and click on it again (this time it'll be in the bottom right corner)
  • Wait for the scan to complete
  • On completion, the results will be displayed
  • Check every single entry (threat found), and click on the Remove Selected button
  • On completion, the results will be displayed. Click on the Open Report button in the bottom left corner, followed by the Open TXT button (also in the bottom left corner)
  • This will open the report in Notepad. Copy/paste its content in your next reply


Looks like your Google Chrome install is still infected. First, I would like you to install all your missing Windows Updates, since your system looks like it hasn't been updated in years and therefore is vulnerable to exploits, and that's probably how you got infected.

Once your Windows is fully updated, let me know.


Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Thanks

 


Thanks for reopening the thread Aura.

GBHVEXIG.exe seems to have reappeared on my system after my premium trial expired. I also noticed that the websites that were blocked by MB when I still had my premium trial were connected to the malware I first mentioned. I came to think that those websites downloaded the file once they were no longer blocked by the free version of Malwarebytes, because when I ended iexplore.exe upon startup, GBHVEXIG.exe would also not be present on my computer.

 

What I did after scanning was disable Internet Explorer from the Windows Features. After that, I did not have any problems anymore, but I doubt that I might encounter problems if I used software which is Internet Explorer based. That is why I wish this thread to be reopened, because I would like to know any alternative solutions regarding my matter.


Let's start by getting a fresh set of FRST logs.

Did you install your Windows Updates yet, or not? I feel like your system is being reinfected because it isn't patched against several CVEs, most of which can be used to download and install malware on your system just by visiting a website.


No, I haven't installed the Windows Updates yet. The reason I couldn't install them immediately is that our internet speed is only 1 Mbps and I can't use the computer for more than 2 hours a day. The update might size up to more than 3 GB, and that would mean a few hours of download.

 

If the updates are really that important, please do allow me to get back to you after a day or two so I could download it part by part.


I can wait, no worries. Keep in mind that in the future, you should always, always install your Windows Updates. You can install any security software you want, but if you don't keep your Windows updated, you'll be at risk as soon as you connect to the Internet.

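The helper's point in the two posts above is that an unpatched Windows install gets reinfected from the browser no matter which security product is running. A practitioner's first check on such a machine is how far behind on updates it actually is. The script below is an added example, not code from the thread; it uses the Windows Update Agent COM API (Microsoft.Update.Session) that Windows Update itself relies on, plus Get-HotFix for the last installed update. It assumes an elevated PowerShell on the affected machine with Internet access, and the search can take several minutes on a slow link.

```powershell
<#
  Added example, not code from the thread. Answers "how far behind on
  Windows Updates is this machine?"
  Assumed: elevated PowerShell on the affected machine; the Search() call
  contacts Microsoft's update service, which is slow on a 1 Mbps link.
#>

# Most recent update that was actually installed, from the hotfix list.
$lastInstalled = Get-HotFix |
    Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 1
if ($lastInstalled) {
    Write-Output ("Last installed update: {0} on {1:yyyy-MM-dd}" -f
        $lastInstalled.HotFixID, $lastInstalled.InstalledOn)
} else {
    Write-Output "No installed updates with a date found."
}

# Updates the Windows Update Agent knows about but that are not installed yet.
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$result   = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'")

$pending = foreach ($u in $result.Updates) {
    [pscustomobject]@{
        Severity   = if ($u.MsrcSeverity) { $u.MsrcSeverity } else { 'n/a' }   # Critical/Important/... for security updates
        KB         = (@($u.KBArticleIDs) | ForEach-Object { "KB$_" }) -join ','
        Title      = $u.Title
        Downloaded = $u.IsDownloaded
    }
}

$critical = @($pending | Where-Object Severity -eq 'Critical').Count
Write-Output ("Pending updates: {0} (rated Critical: {1})" -f @($pending).Count, $critical)
$pending | Sort-Object Severity, Title | Format-Table -AutoSize
```

A large pending count with Critical entries and a last-install date years old is exactly the situation the helper describes. On a metered or slow connection the Downloaded column shows which updates are already staged locally and can be installed straight away.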

Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Thanks

 
