MajorGeeks Support Forums
Old 07-15-12, 14:02
wyxxyr wyxxyr is offline
Private E-2
Join Date: Jul 2012
Posts: 3
Thanks: 0
Thanked 0 Times in 0 Posts
Default Bitminer, xsecva, odd processes/files

Hi forum! Went through a bunch of other threads, performed the steps first on the Google Redirects guide, then the Malware Removal guide. Logs attached.

I'll go through the processes I went through before coming to your guides, including symptoms noted, strange processes, strange files, what I deleted, etc. With the exceptions of xsecva and the bitminer program, which I deleted immediately, I appended bogus extensions to most of the strange files (".fakextension," ".fake", or putting a 0 on either end of the existing extension like .0exe0---I wasn't consistent). If none of this is of particular consequence, then I write this assuming some people will just skip to the logs. But for the sake of being thorough:


Before I came to this site:

First, Google search hit links were being replaced to go through doubleclick, etc., computer dragging, websites taking an unusual amount of time before loading. Chrome didn't seem to suffer from these redirects, but still slow.

In the task manager, a few things were unfamiliar. (In order of most to least suspicious):
  • xsecva.exe, in AppData/Roaming/xsecva/xsecva.exe
    • deleted immediately, along with the other file in the directory, xsecva.dll
  • upon opening Chrome, maybe 10 instances of chrome.exe would appear, and 12-15 svchost.exe (including two svchost.exe*32 from sysWOW64)
  • Two copies of rundll32.exe and two copies of rundll32.exe*32 (I'm running 64bit Win7, these are located in sysWOW64)
    • All four using more resources than I would think.
  • wmpnetwk (I don't have WMP installed, and it wouldn't stay closed)
    • I know they're normal processes, but this is the first time I've seen them, and would keep launching when closed
  • two instances of taskeng.exe, 1 of taskhost.exe
    • probably nothing, just haven't taken note of them before

Initial Scan
Ran MalwareBytes. It found in a folder of bitcoin utilities I downloaded maybe 2 years ago and don't think I ever even ran ("guiminer"). Deleted, emptied bin.

Problem File Hunting
I poked around for other odd files, inspired by xsecva. Only noting those modified/created since the beginning of the month.
  • in the Windows directory
    • PFRO.log, a short log that seems to monitor the status of certain files, one of them being the guiminer file.
    • setupact.log
    • srun.log
    • \WmiApRpi\
      • WmiApRpl.h
      • \0009\
        • WmiApRpl.ini
    • \Prefetch\ReadyBoot\
      • 5 files, Trace1.fx-Trace5.fx, the last two from 7/14
    • \Temp\
      • hpqddsvc.log
      • MpCmdRun.log
        • both of the above also seen in task manager, but at least WERE normal ---- Hp printer which hasn't been used in months
      • fwtsqmfile03.sqm
    • \System32\
      • (two files with names like 7B296FB0-3760-497e-and so on for another 40 characters or so)
      • perfc009.dat
      • perfh009.dat
      • PerfStringBackup.ini
  • in the Program Files (x86) directory
    • \Common Files\Akamai
      • hidden, seems to be sending logs, but nothing terribly interesting in them.
  • in the ProgramData directory
    • \McAfee\MCLOGS\Common\chromeinstall-7u5\chromeinstall-7u5000.log
      • I've never had McAfee installed
  • in the AppData directory
    • \Roaming\
      • clali.dll
        • this was very out of place, so I wasn't surprised to see it pop up in a couple of the logs...hitmanpro uploaded it and noted it, but didn't label it as suspicious
      • sbredv.dll
        • ditto, but this one was labeled as suspicious
      • \Microsoft\
        • (4 strange empty folders (IME12, IMJP8_1, IMJP9_0, IMJP12))
    • \Local\
      • \{64D2F991-CA13-11E1-8270-B8AC6F996F26}\
        • chrome.manifest
        • \chrome\content\browser.xul (no other files or folders)
      • \{64D32B17-CA13-11E1-8270-B8AC6F996F26}\
        • background.html
        • icon.png
        • manager.js
        • manifest.json
Ran sfc /scannow. no integrity violations.

Launched msconfig. In the startup, xsecva was listed with a "-s" parameter. Removed.

Basically dug around a bit, but mostly just took action on certain search results for xsecva, bitc, mine...

Removed HKLM/Software/wow6432node/Microsoft/tracing/xsecva_rasapi32 with the following variables:
  • ConsoleTracingMask=4294901760
  • EnableConsoleTracing=0
  • EnableFileTracing=0
  • FileDirectory=%windir%\tracing
  • FileTracingMask=4294901760
  • MaxFileSize=1048576
  • Note: these seem to be the same variables/values for everything in the tracing folder

Removed HKLM/Software/wow6432node/Microsoft/tracing/xsecva_RASMANCS with the same stuff as above.

Found a line with the xsecva.exe path [and removed it] in hkey_users/S-1-5-21-934329192-2778475491-581669269-1000/Software/Classes/Local Settings/Software/Microsoft/Windows/Shell/MuiCache

Removed hklm/software/microsoft/shared tools/msconfig/startupreg/XSECVA with variables that included the path to the file, date/time stuff, and key SOFTWARE/Wow6432Node/Microsoft/Windows/CurrentVersion/Run (although this path didn't contain anything that looked unusual).

Removed all references to bitcoin and the now-removed guiminer exe installer.

After going through your guides
Things are running a bit faster, I think, and I haven't seen any redirects, but several instances of chrome.exe and svchost.exe are still opening as soon as I launch that browser. I know certain extensions have their own process, but I don't have this many extensions. At the moment, I have 3 Chrome tabs open: two from a wiki and this one. Aside from Notepad, that's all that's open. Malwarebytes is in the tray not doing anything. There are 14 instances of chrome.exe*32 and 14 svchost.exe, one of which is a very resource-heavy LocalSystemNetworkRestricted svchost.exe, currently using ~320,000k. There are additionally two svchost.exe*32, one with -k Akamai and the other with -k hpdevmgmt.

AGH! I opened another tab to look something up just now and it redirected!!!

Ok time for the logs. Sorry if this is TMI. Thanks so much for your help!
Old 07-15-12, 14:06
wyxxyr wyxxyr is offline
Private E-2
Join Date: Jul 2012
Posts: 3
Thanks: 0
Thanked 0 Times in 0 Posts
Default Re: Bitminer, xsecva, odd processes/files

Hm. I don't see my attachments, but I will only upload those that didn't fit as attachments to the previous message in case it's just a matter of moderator approval...
Attached Files
File Type: zip (306.2 KB, 4 views)
File Type: txt RKreport[1].txt (2.6 KB, 5 views)
File Type: txt TDSSKiller. (133.3 KB, 3 views)
Old 07-15-12, 14:08
wyxxyr wyxxyr is offline
Private E-2
Join Date: Jul 2012
Posts: 3
Thanks: 0
Thanked 0 Times in 0 Posts
Default Re: Bitminer, xsecva, odd processes/files

OK, I see the attachments for my reply but not the original post, so I'll assume I messed it up somehow and will reattach... sorry.
Attached Files
File Type: txt ccleaner_log_2012-07-14.txt (356.4 KB, 1 views)
File Type: zip (860 Bytes, 4 views)
File Type: txt mbam-log-2012-07-15 (11-05-45).txt (1.8 KB, 4 views)
File Type: txt MBRCheck_07.14.12_23.52.02.txt (14.1 KB, 3 views)
Old 07-16-12, 03:40
thisisu thisisu is offline
Malware Consultant
Join Date: Apr 2006
Location: Houston, TX
Posts: 8,183
Thanks: 280
Thanked 1,441 Times in 1,358 Posts
Default Re: Bitminer, xsecva, odd processes/files

Welcome to MajorGeeks, wyxxyr

Most of what you listed in your first message is normal even though it may look odd.

Here are the steps I'd like you to complete and also let me know if you are experiencing redirects in all the browsers you use or just some of them.

From Programs and Features (via Control Panel), please uninstall the below:
  • Java(TM) 6 Update 22
  • Java(TM) 6 Update 29

Delete objects using RogueKiller.

Double-click RogueKiller.exe to run. (Vista/7 right-click and select Run as Administrator)
When it opens, press the Scan button
Now press the Delete button.
When it is finished, there will be a log on your desktop called: RKreport[3].txt
Attach RKreport[3].txt to your next message. (How to attach)


Use Windows Explorer to find and delete the following files:
  1. C:\Users\Anti\AppData\Roaming\clali.dll
  2. C:\Users\Anti\AppData\Roaming\sbredv.dll
  3. C:\Users\Anti\Desktop\6frwul9r.exe


Run C:\MGtools\analyse.exe by double-clicking it (Vista/7 right-click and select Run as Administrator)
Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
Choose "Do a system scan only" and select the following lines but do not click fix until you exit all explorer windows and all browser sessions including the one you are reading in right now:
  1. R3 - URLSearchHook: (no name) - {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - (no file)
  2. O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

After clicking Fix, exit out of Trend Micro HiJackThis - v2.0.4


Suspicious files:

and many more...
Do you know what these files are for? If not, you can upload them to VirusTotal for review


Please download OTL by OldTimer.
  • Save it to your desktop.
  • Right mouse click on the OTL icon on your desktop and select Run as Administrator
  • Check the "Scan All Users" checkbox.
  • Check the "Standard Output".
  • Change the setting of "Drivers" and "Services" to "All"
  • Copy the text in the code box below and paste it into the text-field.
    %systemdrive%\xsecva.exe /s /md5
    %systemdrive%\clali.dll /s /md5
  • Now click the button.
  • One report will be created:
    • OTL.txt <-- Will be opened
  • Attach OTL.txt to your next message. (How to attach)
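A scripted version of the checks this thread does by hand, added here as an example (it is not from the thread, OTL, RogueKiller or any other tool named above): it walks the system drive for the file names quoted in the posts and reports their MD5, which is what the OTL custom-scan lines "%systemdrive%\xsecva.exe /s /md5" ask for, then lists the Run keys, the MSConfig startupreg key and the Tracing keys where the XSECVA entries were found. Assumes Windows PowerShell 3 or later on Windows 7 x64, run from an elevated prompt; the file-name list is an input taken from the posts.

```powershell
# Added triage example for the indicators discussed in the thread; not from the
# thread or any tool it mentions. Assumes Windows PowerShell 3+, run elevated.

# File names quoted in the posts (input list; extend as needed).
$names = @('xsecva.exe', 'xsecva.dll', 'clali.dll', 'sbredv.dll')

function Get-Md5Hex {
    param([string]$Path)
    # .NET MD5 so this also works where Get-FileHash (PS 4+) is unavailable.
    $md5 = [System.Security.Cryptography.MD5]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try { ($md5.ComputeHash($fs) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $fs.Dispose() }
}

# 1. Equivalent of the OTL lines "%systemdrive%\<name> /s /md5": walk the
#    system drive, match on exact file name, report path, size, mtime and MD5.
Get-ChildItem -Path "$env:SystemDrive\" -Recurse -Force -ErrorAction SilentlyContinue -Include $names |
    ForEach-Object {
        [PSCustomObject]@{
            Path     = $_.FullName
            Bytes    = $_.Length
            Modified = $_.LastWriteTime
            MD5      = Get-Md5Hex -Path $_.FullName
        }
    } | Format-Table -AutoSize

# 2. Autostart locations: the Run keys (64- and 32-bit views) and the MSConfig
#    "startupreg" key where the disabled XSECVA entry was parked.
foreach ($k in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run') {
    Write-Output "== $k"
    if (Test-Path $k) { Get-ItemProperty -Path $k | Select-Object * -ExcludeProperty PS* | Format-List }
}
$startupreg = 'HKLM:\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg'
if (Test-Path $startupreg) {
    Write-Output "== $startupreg"
    Get-ChildItem -Path $startupreg | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath
        "{0,-20} {1}" -f $_.PSChildName, $p.command   # 'command' holds the launched path
    }
}

# 3. Tracing keys: Windows creates <exe>_RASAPI32 / <exe>_RASMANCS under Tracing
#    when a program loads the RAS libraries, so the key name records that the
#    binary ran even after the file itself is gone. Match the names from the thread.
Get-ChildItem 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Tracing', 'HKLM:\SOFTWARE\Microsoft\Tracing' -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -match 'xsecva|miner' } |
    ForEach-Object { "tracing key: " + $_.Name }
```

Hashes from section 1 can be looked up on VirusTotal as the consultant suggests; section 3 only shows that a program once ran, not that it is still present.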