Bitminer, xsecva, odd processes/files

[wyxxyr]

Hi forum! Went through a bunch of other threads, performed the steps first on the Google Redirects guide, then the Malware Removal guide. Logs attached.

I'll go through the processes I went through before coming to your guides, including symptoms noted, strange processes, strange files, what I deleted, etc. With the exceptions of xsecva and the bitminer program, which I deleted immediately, I appended bogus extensions to most of the strange files (".fakextension," ".fake", or putting a 0 on either end of the existing extension like .0exe0---I wasn't consistent). If none of this is of particular consequence, then I write this assuming some people will just skip to the logs. But for the sake of being thorough:

**************

Before I came to this site:

----------
Symptoms
----------
First, Google search hit links were being replaced to go through doubleclick, etc., computer dragging, websites taking an unusual amount of time before loading. Chrome didn't seem to suffer from these redirects, but still slow.

In the task manager, a few things were unfamiliar. (In order of most to least suspicious):

• xsecva.exe, in AppData/Roaming/xsecva/xsecva.exe
  • deleted immediately, along with the other file in the directory, xsecva.dll
• upon opening Chrome, maybe 10 instances of chrome.exe would appear, and 12-15 svchost.exe (including two svchost.exe*32 from sysWOW64)
• Two copies of rundll32.exe and two copies of rundll32.exe*32 (I'm running 64bit Win7, these are located in sysWOW64)
  • All four using more resources than I would think.
• wmpnetwk (I don't have WMP installed, and it wouldn't stay closed)
• WLIDSVC.EXE, WLIDSVCM.EXE
  • I know they're normal processes, but this is the first time I've seen them, and would keep launching when closed
• two instances of taskeng.exe, 1 of taskhost.exe
  • probably nothing, just haven't taken note of them before

-----------
Initial Scan
-----------
Ran MalwareBytes. It found Bitminer.pub in a folder of bitcoin utilities I downloaded maybe 2 years ago and don't think I ever even ran ("guiminer"). Deleted, emptied bin.

-------------------
Problem File Hunting
-------------------
I poked around for other odd files, inspired by xsecva. Only noting those modified/created since the beginning of the month.

• in the Windows directory
  • PFRO.log, a short log that seems to monitor the status of certain files, oen of them being the guiminer file.
  • setupact.log
  • srun.log
  • \WmiApRpi\
    • WmiApRpl.h
    • \0009\
      • WmiApRpl.ini
  • \Prefetch\ReadyBoot\
    • 5 files, Trace1.fx-Trace5.fx, the last two from 7/14
  • \Temp\
    • hpqddsvc.log
    • MpCmdRun.log
      • both of the above also seen in task manager, but at least WERE normal ---- Hp printer which hasn't been used in months
    • fwtsqmfile03.sqm
  • \System32\
    • (two files with names like 7B296FB0-3760-497e-and so on for another 40 characters or so]
    • perfc009.dat
    • perfh009.dat
    • PerfStringBackup.ini
• in the Program Files (x86) directory
  • \Common Files\Akamai
    • hidden, seems to be sending logs, but nothing terribly interesting in them.
• in the ProgramData directory
  • \McAfee\MCLOGS\Common\chromeinstall-7u5\chromeinstall-7u5000.log
    • I've never had McAfee installed
• in the AppData directory
  • \Roaming\
    • clali.dll
      • this was very out of place, so I wasn't surprised to see it pop up in a couple of the logs...hitmanpro uploaded it and noted it, but didn't label it as suspicious
    • sbredv.dll
      • ditto, but this one was labeled as suspicious
    • \Microsoft\
      • (4 strange empty folders (IME12, IMJP8_1, IMJP9_0, IMJP12))
  • \Local\
    • \{64D2F991-CA13-11E1-8270-B8AC6F996F26}\
      • chrome.manifest
      • \chrome\content\browser.xul (no other files or folders)
    • \{64D32B17-CA13-11E1-8270-B8AC6F996F26}\
      • background.html
      • icon.png
      • manager.js
      • manifest.json

---
Sfc
---
Ran sfc /scannow. no integrity violations.

--------
Startup
--------
Launched msconfig. In the startup, xsecva was listed with a "-s" parameter. Removed.

--------
Registry
--------
basically dug around a bit, but mostly just took action on certain search results for xsecva, bitc, mine...

removed HKLM/Software/wow6432node/Microsoft/tracing/xsecva_rasapi32 with the following variables:

• ConsoleTracingMask=4294901760
• EnableConsoleTracing=0
• EnableFileTracing=0
• FileDirectory %windir%\tracing
• FileTracingMask=4294901760
• MaxFileSize=1048576
• Note: these seem to be the same variables/values for everything in the tracing folder

removed HKLM/Software/wow6432node/Microsoft/tracing/xsecva_RASMANCS with the same stuff as above.

found a line with the xsecva.exe path [and removed it] in hkey_users/S-1-5-21-934329192-2778475491-581669269-1000/Software/Classes/Local Settings/Software/Microsoft/Windows/Shell/MuiCache

removed hklm/software/microsoft/shared tools/msconfig/startupreg/XSECVA with variables that included the path to the file, date/time stuff, and key SOFTWARE/Wow6432Node/Microsoft/Windows/CurrentVersion/Run (although this path didn't contain anything that looked unusual).

removed all references to bitcoin and the now removed guiminer exe installer


**************************
After going through your guides
**************************
Things are running a bit faster, I think, and I haven't seen any redirects, but several instances of chrome.exe and svchost.exe are still opening as soon as I launch that browser. I know certain extensions have their own process, but I don't have this many extensions. At the moment, I have 3 chrome tabs open: two from a wiki and this one. Aside from Notepad, that's all that's open. Malwarebytes is in the tray not doing anything. There are 14 instances of chrome.exe*32 and 14 svchost.exe, one of which is a very resource-heavy LocalSystemNetworkRestricted svchost.exe, currently using ~320,000k. There are additionally two svchost.exe*32, one for with a -k Akamai and the other with -k hpdevmgmt.

AGH! I opened another tab to look something up just now and it redirected!!!

Ok time for the logs. Sorry if this is TMI. Thanks so much for your help!

[wyxxyr]

hm. I don't see my attachments, but will only upload those that didn't fit as attachments to the previous message in case it's just a matter of moderator approval...

[wyxxyr]

ok I see the attachments for my reply but not original post so I'll assume I messed it up somehow and reattach...sorry.

[thisisu]

Welcome to MajorGeeks, wyxxyr

Most of what you listed in your first message are normal even though they make look odd.

Here are the steps I'd like you to complete and also let me know if you are experiencing redirects in all the browsers you use or just some of them.

From Programs and Features (via Control Panel), please uninstall the below:

• Java(TM) 6 Update 22
• Java(TM) 6 Update 29

Delete objects using RogueKiller.

Double-click RogueKiller.exe to run. (Vista/7 right-click and select Run as Administrator)
When it opens, press the Scan button
Now press the Delete button.
When it is finished, there will be a log on your desktop called: RKreport[3].txt
Attach RKreport[3].txt to your next message. (How to attach)

__

Use Windows Explorer to find and delete the following files:

1. C:\Users\Anti\AppData\Roaming\clali.dll
2. C:\Users\Anti\AppData\Roaming\sbredv.dll
3. C:\Users\Anti\Desktop\6frwul9r.exe

__

Run C:\MGtools\analyse.exe by double-clicking it (Vista/7 right-click and select Run as Administrator)
Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
Choose "Do a system scan only" and select the following lines but do not click fix until you exit all explorer windows and all browser sessions including the one you are reading in right now:

1. R3 - URLSearchHook: (no name) - {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - (no file)
2. O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

After clicking Fix, exit out of Trend Micro HiJackThis - v2.0.4

__

Suspicious files:

Code:

C:\Users\Anti\Documents\asdf.pgn
C:\Users\Anti\Documents\biriades.pgn
C:\Users\Anti\Documents\ftcarioca.pgn
C:\Users\Anti\Documents\garryramus.pgn
C:\Users\Anti\Documents\garryramus1.pgn
C:\Users\Anti\Documents\hoshor.pgn
and many more...

Do you know what these files are for? If not, you can upload them to VirusTotal for review

__

Please download OTL by OldTimer.

• Save it to your desktop.
• Right mouse click on the OTL icon on your desktop and select Run as Administrator
• Check the "Scan All Users" checkbox.
• Check the "Standard Output".
• Change the setting of "Drivers" and "Services" to "All"
• Copy the text in the code box below and paste it into the text-field.
  
  Code:

  activex
  netsvcs
  %systemdrive%\xsecva.exe /s /md5
  %systemdrive%\clali.dll /s /md5

• Now click the button.
• One report will be created:
  • OTL.txt <-- Will be opened
• Attach OTL.txt to your next message. (How to attach)