spyware.passwords.xgen?

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by charlotte7, May 28, 2011.

  1. charlotte7

    charlotte7 Private E-2

    Computer has a virus/malware that we can't seem to get rid of. When trying to log into sites, like Yahoo, it just goes back to the login page, rather than actually logging in. Also, any virus/malware removal tool websites we try to get on won't load.

    Malwarebytes scanned and found something called Spyware.Passwords.Xgen.

    Have only been able to scan with Malwarebytes and HijackThis so far, as they were already installed on the computer. The logs are attached.
     


  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Try downloading the scanning tools to a different computer and transfer them via either thumb drive or CD.

    Use Windows Explorer to find and delete:
    C:\Program Files\xbrjalwt\ghfklkax.exe -- First the exe file and then the whole folder.

    HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    We need to see the logs, esp. both ComboFix and C:\MGLogs.zip (from running the C:\MGTools.exe).

    Now see if you can also run this:
    TDSSkiller - How to run
     
  3. charlotte7

    charlotte7 Private E-2

    Thanks for your reply.

    I meant to put this in the original post but forgot. I can find the folder (C:\Program Files\xbrjalwt\ghfklkax.exe), but when you open it, it does not contain anything. Although when you look at the properties, it says there is 1 file in there, but I can't find a way for this file to show.

    I shall try the programs you suggested, thanks again.
     
  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Get me what logs you can run. If something doesn't run in normal mode, try running it in safe mode. If it still doesn't run, try renaming it to something like 123.com.
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Most likely you are dealing with a Ramnit infection, but it would help if you posted a log from MGtools to help us see more. But see the below standard boilerplate for Ramnit infections:

     
