
Hi,

I'm running Windows XP 2002 SP 3. Yesterday I got infected by "Antispyware Doctor" when surfing with Chrome. It installed, amongst other things, "bxvwl".

Malwarebytes 1.46 with DB 4119 correctly detects the file \WINDOWS\System32\drivers\bxvwl.sys as a threat. However, Malwarebytes fails to delete bxvwl.sys with a reboot. The file remains.

FileASSASSIN isn't able to delete the file either.

So I tried to delete the registry entries for bxvwl:

- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_BXVWL and below
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\bxvwl and below
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_BXVWL and below
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\bxvwl and below

However, RegASSASSIN returns: "RegASSASSIN could NOT remove the registry key"

I checked Google and Bing for bxvwl with no luck.

Help would be welcome!

Frank

---

Frank Bergmann
Dipl.-Ing., MBA
Founder ]project-open[
Tel: +34 933 250 914
Cell: +34 609 953 751
Fax: +34 932 890 729


Hello, welcome to Malwarebytes.org

We don't work on Malware removal or diagnostics in the general forums.

Please print out, read and follow the directions here, skipping any steps you are unable to complete. Then post a NEW topic here.

One of the expert helpers there will give you one-on-one assistance when one becomes available.

After posting your new post make sure under options that you select Track this topic and choose one of the Email options so that you're alerted when someone has replied to your post.

Alternatively, as a paying customer, you can contact the help desk at support@malwarebytes.org

Thank You - :)


@Frank

You may follow what noknojon said in the post above, and post the required logs and description of your system in the malware removal forum. Apart from using the forum, since you have mentioned you are a paid customer, you can directly contact the help desk at support@malwarebytes.org or here. Remember to quote the cleverbridge Reference Number if you contact the help desk.

Please post back if you have further questions.

Thank You :)

Edit - Adding info.


Hi!

> No product can remove everything.

Ok, that wasn't clear to me.

I would still assume that you:

- Update the signature file to deal with the bxvwl registry entries, and
- Debug why Malwarebytes couldn't delete the bxvwl.sys file, even with the reboot method...
- Check RegASSASSIN and add permission-granting code to make sure it can delete entries with strange permissions set.

Don't you?

I'm the founder of an open-source project, and we can't check all bugs reported in forums, but these two are relatively clear, aren't they?

Anyway, here is a summary of what I did to remove bxvwl from my computer:

1. Run Malwarebytes. This removed some 10 different scareware items etc. It left \WINDOWS\System32\drivers\bxvwl.sys in place and also didn't delete the registry entries above, so bxvwl was still active. Also, there was apparently a 2nd rootkit active.

2. I managed to boot Windows in command-line mode. In this mode I managed to remove bxvwl.sys by renaming it...

3. After reading about regedit's permissions, I finally managed to remove the registry entries for bxvwl. Basically, I had to grant "complete control" to the user "Everybody" and/or my user before I could delete the entries. RegASSASSIN didn't perform this task...

4. After these actions, a Malwarebytes scan reported a clean system. However, Malwarebytes' IP filter still came up regularly with blocked IP addresses, so there was a rootkit active. This IP filter is a great feature of Malwarebytes!

5. I checked more forums and finally ran ComboFix, which apparently removed the remaining threats:

- Remnants of the "Antispyware Doctor" scareware at \Datos de programa\99850E6FBA4DF0C6DC1B26C3CFF9A65E\enemies-names.txt and \Datos de programa\99850E6FBA4DF0C6DC1B26C3CFF9A65E\lsrslt.ini
- \Datos de programa\ATManager (Trojan.Agent/Gen-MSFake)
- c:\windows\Nlikaa.exe (yet another rootkit...)
- c:\windows\system32\drivers\disk.sys (infected and not found by Malwarebytes, AVG and Windows Defender!)

Enjoy! :-)

Frank

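The manual procedure in the post above (take ownership of the locked service and Enum keys, grant full control, delete them, then rename the driver file) can be scripted. The following is an added example written for this page; it is not code from the original post, from Malwarebytes, or from RegASSASSIN. It assumes the four key paths and the driver path exactly as listed in the thread, uses the built-in Administrators group rather than "Everyone" as the grantee, and targets PowerShell 2.0, the version installable on Windows XP SP3. It must be run from an elevated prompt, since taking ownership of a key whose DACL denies Administrators relies on SeTakeOwnershipPrivilege.

```powershell
# Added example (not from the original post, Malwarebytes or RegASSASSIN).
# Assumed: the key paths and driver path from the thread; run elevated on XP SP3 / PS 2.0.

$ErrorActionPreference = 'Stop'

$keyPaths = @(
    'SYSTEM\ControlSet001\Services\bxvwl',
    'SYSTEM\ControlSet001\Enum\Root\LEGACY_BXVWL',
    'SYSTEM\ControlSet003\Services\bxvwl',
    'SYSTEM\ControlSet003\Enum\Root\LEGACY_BXVWL'
)
$driverPath = 'C:\WINDOWS\system32\drivers\bxvwl.sys'

$hklm   = [Microsoft.Win32.Registry]::LocalMachine
$admins = New-Object System.Security.Principal.SecurityIdentifier(
    [System.Security.Principal.WellKnownSidType]::BuiltinAdministratorsSid, $null)

# HKLM\SYSTEM\Select\Current names the ControlSetNNN that CurrentControlSet maps to;
# the Services key under that set is the one that actually loads the driver at boot.
$current = $hklm.OpenSubKey('SYSTEM\Select').GetValue('Current')
Write-Host ("CurrentControlSet is ControlSet{0:D3}" -f $current)

function Unlock-RegistryKey {
    param([string]$SubKey)

    # Step 1: take ownership. Opening for TakeOwnership (WRITE_OWNER) alone succeeds even
    # when the DACL denies Administrators everything, because that request is satisfied
    # by SeTakeOwnershipPrivilege rather than by the DACL.
    $key = $hklm.OpenSubKey($SubKey,
        [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,
        [System.Security.AccessControl.RegistryRights]::TakeOwnership)
    if ($key -eq $null) { return $false }
    $ownerOnly = New-Object System.Security.AccessControl.RegistrySecurity
    $ownerOnly.SetOwner($admins)        # only the owner section is marked modified,
    $key.SetAccessControl($ownerOnly)   # so only the owner is written; the DACL is untouched
    $key.Close()

    # Step 2: the owner implicitly holds READ_CONTROL and WRITE_DAC, so this open works
    # whatever the DACL says. Drop explicit Deny ACEs and add an inheritable FullControl.
    $key = $hklm.OpenSubKey($SubKey,
        [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,
        [System.Security.AccessControl.RegistryRights]'ReadPermissions, ChangePermissions')
    $acl = $key.GetAccessControl()
    foreach ($rule in $acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])) {
        if ($rule.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Deny) {
            [void]$acl.RemoveAccessRule($rule)
        }
    }
    $acl.AddAccessRule((New-Object System.Security.AccessControl.RegistryAccessRule(
        $admins,
        [System.Security.AccessControl.RegistryRights]::FullControl,
        [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)))
    $key.SetAccessControl($acl)
    $key.Close()

    # Step 3: subkeys may carry their own protected DACLs, so unlock each one explicitly
    # instead of trusting inheritance to propagate down the tree.
    $key = $hklm.OpenSubKey($SubKey)
    foreach ($child in $key.GetSubKeyNames()) { [void](Unlock-RegistryKey "$SubKey\$child") }
    $key.Close()
    return $true
}

foreach ($path in $keyPaths) {
    if (Unlock-RegistryKey $path) {
        $hklm.DeleteSubKeyTree($path)
        Write-Host "Deleted HKLM\$path"
    } else {
        Write-Host "Not present: HKLM\$path"
    }
}

# The driver file: with the service keys gone it will not load on the next boot. It is
# renamed rather than deleted so a copy survives for analysis. If a loaded driver or a
# rootkit filter still blocks the rename, repeat this step from a command-prompt boot,
# as the post did.
try {
    Rename-Item -Path $driverPath -NewName 'bxvwl.sys.quarantined'
    Write-Host "Renamed $driverPath"
} catch {
    Write-Warning "Could not rename $driverPath ($($_.Exception.Message)); retry from Safe Mode with Command Prompt."
}
```

The ownership step is the part RegASSASSIN is reported above as not doing: a tool that simply calls the delete API with the caller's existing rights fails as soon as the malware's key carries a DACL that denies Administrators. Taking ownership first sidesteps the DACL entirely, after which the owner can rewrite it. Check the key names in `HKLM\SYSTEM\Select` (Current, Default, LastKnownGood) before trusting a cleanup that only touched ControlSet001 and ControlSet003, since whichever set is current at next boot is the one that matters.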
