MSConfigStartUp-XSECVA - c:\users\gothalls\AppData\Roaming\xsecva\xsecva.exe

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by HellHoundian, Jul 9, 2012.

  1. HellHoundian

    HellHoundian Private E-2

    TY, I realized I had a virus for a few weeks; started working on it today to save my 500 movies on my PC hehe. My wife downloaded the wrong file; it was that nasty rootkit virus that changes your IP and redirects your browser.


    Well, what I posted in the title I found before my antivirus did, so TY for the tools to remove it. I posted the logs in case I missed something.

    I tend to fix computers and build them, so it was fun. I try never to use System Restore :)
     

    Attached Files:

  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    I want you to run TDSSKiller so refer to the below for how to do so.

    TDSSkiller - How to run


    Please also download MBRCheck to your desktop
    • Double click MBRCheck.exe to run (vista and Win 7 right click and select Run as Administrator)
    • It will show a Black screen with some information that will contain either the below line if no problem is found:
      • Done! Press ENTER to exit...
    • Or you will see more information like below if a problem is found:
      • Found non-standard or infected MBR.
      • Enter 'Y' and hit ENTER for more options, or 'N' to exit:
    • Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
    • MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.




    Now do not stop, please continue on with the below instructions too! :)

    v
    V
    V
    V
    READ & RUN ME FIRST. Malware Removal Guide
     
  3. HellHoundian

    HellHoundian Private E-2

    OK, the next 2 sets of scans are now uploaded.

    1) One thing I have not solved yet is a random sound my PC makes for no reason, like a USB device being unplugged and plugged back in.

    After all this is done I think I will upgrade to Windows 7; I hear it is faster?
     

    Attached Files:

  4. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Continue on with the other instructions! :) (Look where I typed, "do not stop! continue on with the other instructions") I still need more logs from you.

    Hmm, yes, the USB sound happens for me too with my laptop; it's whenever I move the lid. Don't know what it is in your case, however it probably ain't malware. Attach the rest of the logs and what malware does exist we'll sort out.
     
  5. HellHoundian

    HellHoundian Private E-2

    OK, FixTDSS says no backdoor service found. Could not find logs for that scan, just that 1 pop-up.

    More logs to come yet.
     

    Attached Files:

  6. HellHoundian

    HellHoundian Private E-2

    Well, I posted the logs I could find; the last few scans removed more stuff.

    My web browser no longer gets redirected since I started on day 1.

    Is Windows 7 less of a resource hog than Vista?

    I was considering upgrading, depending on whether it's better resource-wise.

    I know I had to go into svchost and shut down some Windows programs because they used too much CPU on me.

    I have a compact form PC; cooling is not that good. Thinking I should buy an ATX case, put it in there and increase the power supply, and get a good graphics card for gaming. Maybe the CPU and heat sink need new paste as well from all the times I cleaned the system.
     

    Attached Files:

  7. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    You have not attached the correct logs. Check the instructions! :) It tells you what I need.
     
  8. HellHoundian

    HellHoundian Private E-2

    Just let me know what logs you need and I'll do a new scan; I'm not sure what logs you need atm.
     
  9. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Logs from running:

    • HitmanPro
    • MGTools
     
  10. HellHoundian

    HellHoundian Private E-2

    The other logs were in a .XML format; I had to change them to a .txt format to upload them.
     

    Attached Files:

  11. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    It should have been zipped/compressed as the instructions say. Nevermind. I have seen it now.


    STOPzilla! <--- Uninstall this

    Now we need to use ComboFix by sUBs

    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
    Code:
    KILLALL::
    
    DirLook::
    c:\windows\scoped_dir_25712_13704
    File::
    c:\windows\Tasks\ParetoLogic Registration3.job
    c:\program files\Common Files\ParetoLogic\UUS3\Pareto_Update3.exe
    Folder::
    c:\program files\Common Files\ParetoLogic
    Firefox::
    FF - ProfilePath - c:\users\gothalls\AppData\Roaming\Mozilla\Firefox\Profiles\qtfwvxyu.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3131886&SearchSource=3&q={searchTerms}
    FF - prefs.js: browser.search.selectedEngine - Vgrabber1 Customized Web Search
    FF - prefs.js: browser.startup.homepage - hxxp://search.babylon.com/?babsrc=HP_Prot
    FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3131886&SearchSource=2&q=
    FF - user.js: extensions.searchya_i.hmpg - true
    FF - user.js: extensions.searchya_i.hmpgUrl - hxxp://searchya.com/?chnl=ft-100&s=0&cr=1429807498&cd=2XzutAtN2Y1L1QzutDtDtC0DyBtB0AyB0BzztCtDzytAzzyByDtN0D0TzutBtDtCtBtDtBtCyB
    FF - user.js: extensions.searchya_i.dfltSrch - true
    FF - user.js: extensions.searchya_i.srchPrvdr - SearchYa!
    FF - user.js: extensions.searchya_i.dnsErr - true
    FF - user.js: extensions.searchya_i.newTab - true
    FF - user.js: extensions.searchya_i.newTabUrl - hxxp://searchya.com/?chnl=ft-100&s=2&cr=1429807498&cd=2XzutAtN2Y1L1QzutDtDtC0DyBtB0AyB0BzztCtDzytAzzyByDtN0D0TzutBtDtCtBtDtBtCyB
    FF - user.js: extensions.searchya_i.tlbrSrchUrl - hxxp://searchya.com/?chnl=ft-100&s=3&cr=1429807498&cd=2XzutAtN2Y1L1QzutDtDtC0DyBtB0AyB0BzztCtDzytAzzyByDtN0D0TzutBtDtCtBtDtBtCyB&q=
    FF - user.js: extensions.searchya_i.id - 24a93875000000000000001644f3b1b5
    FF - user.js: extensions.searchya_i.instlDay - 15387
    FF - user.js: extensions.searchya_i.vrsn - 1.5.13.0
    FF - user.js: extensions.searchya_i.vrsni - 1.5.13.0
    FF - user.js: extensions.searchya_i.vrsnTs - 1.5.13.09:50
    FF - user.js: extensions.searchya_i.prtnrId - ironsrc
    FF - user.js: extensions.searchya_i.prdct - searchya
    FF - user.js: extensions.searchya_i.aflt - foxtab
    FF - user.js: extensions.searchya_i.smplGrp - none
    FF - user.js: extensions.searchya_i.tlbrId - base
    FF - user.js: extensions.searchya_i.instlRef - ft-100
    FF - user.js: extensions.searchya_i.dfltLng - 
    FF - user.js: extensions.searchya_i.excTlbr - false
    FF - user.js: extensions.incredibar_i.newTab - false
    FF - user.js: extensions.incredibar_i.tlbrSrchUrl - hxxp://mystart.Incredibar.com/?a=6PQsyzPQtt&loc=IB_TB&i=26&search=
    FF - user.js: extensions.incredibar_i.id - 24a93875000000000000001644f3b1b5
    FF - user.js: extensions.incredibar_i.instlDay - 15426
    FF - user.js: extensions.incredibar_i.vrsn - 1.5.11.14
    FF - user.js: extensions.incredibar_i.vrsni - 1.5.11.14
    FF - user.js: extensions.incredibar_i.vrsnTs - 1.5.11.144:39
    FF - user.js: extensions.incredibar_i.prtnrId - Incredibar
    FF - user.js: extensions.incredibar_i.prdct - incredibar
    FF - user.js: extensions.incredibar_i.aflt - orgnl
    FF - user.js: extensions.incredibar_i.smplGrp - none
    FF - user.js: extensions.incredibar_i.tlbrId - base
    FF - user.js: extensions.incredibar_i.instlRef - 
    FF - user.js: extensions.incredibar_i.dfltLng - 
    FF - user.js: extensions.incredibar_i.excTlbr - false
    FF - user.js: extensions.incredibar_i.ms_url_id - 
    FF - user.js: extensions.incredibar_i.upn2 - 6PQsyzPQtt
    FF - user.js: extensions.incredibar_i.upn2n - 92542610706574667
    FF - user.js: extensions.incredibar_i.productid - 26
    FF - user.js: extensions.incredibar_i.installerproductid - 26
    FF - user.js: extensions.incredibar_i.did - 10606
    FF - user.js: extensions.incredibar_i.ppd - 68%5F5
    FF - user.js: extensions.BabylonToolbar_i.id - 24a93875000000000000001644f3b1b5
    FF - user.js: extensions.BabylonToolbar_i.hardId - 24a93875000000000000001644f3b1b5
    FF - user.js: extensions.BabylonToolbar_i.instlDay - 15438
    FF - user.js: extensions.BabylonToolbar_i.vrsn - 1.5.3.17
    FF - user.js: extensions.BabylonToolbar_i.vrsni - 1.5.3.17
    FF - user.js: extensions.BabylonToolbar_i.vrsnTs - 1.5.3.1721:08
    FF - user.js: extensions.BabylonToolbar_i.prtnrId - babylon
    FF - user.js: extensions.BabylonToolbar_i.prdct - BabylonToolbar
    FF - user.js: extensions.BabylonToolbar_i.aflt - babsst
    FF - user.js: extensions.BabylonToolbar_i.smplGrp - none
    FF - user.js: extensions.BabylonToolbar_i.tlbrId - tb9
    FF - user.js: extensions.BabylonToolbar_i.newTab - false
    FF - user.js: extensions.BabylonToolbar_i.babTrack - affID=110001
    FF - user.js: extensions.BabylonToolbar_i.babExt - 
    FF - user.js: extensions.BabylonToolbar_i.srcExt - ss
    FF - user.js: extensions.BabylonToolbar_i.instlRef - sst
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe


    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    If after running ComboFix you discover none of your programs will open up, and you receive the following error: "Illegal operation attempted on a registry key that has been marked for deletion", then the answer is to REBOOT the machine, and all will be corrected.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista or Windows7) Then attach the new C:\MGlogs.zip file that will be created by running this.

    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!
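    The Firefox:: section of the CFScript above lists the prefs that the Conduit, Babylon, SearchYa and Incredibar toolbars rewrote in this user's profile. The following is an added example (not part of the thread or of ComboFix) that audits a Firefox prefs.js/user.js for the same indicators: search and homepage prefs pointing at one of those hijack domains, and leftover toolbar pref namespaces. The sample user.js is constructed, modelled on the values in the script, with URLs defanged as hxxp.

```python
import re

# Hijack domains and toolbar pref namespaces taken from the CFScript in this thread.
HIJACK_DOMAINS = ("search.conduit.com", "search.babylon.com",
                  "searchya.com", "mystart.incredibar.com")
TOOLBAR_PREFIXES = ("extensions.searchya_i.", "extensions.incredibar_i.",
                    "extensions.BabylonToolbar_i.")
# Firefox prefs that browser hijackers typically overwrite.
WATCHED_PREFS = {"browser.search.defaulturl", "browser.startup.homepage",
                 "keyword.URL", "browser.search.selectedEngine"}

# Matches one Firefox pref line: user_pref("name", value);
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+)\);\s*$')


def parse_prefs(text):
    """Return {name: value} for every user_pref() line in prefs.js/user.js text."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = m.group(2).strip().strip('"')
    return prefs


def audit_prefs(prefs):
    """Return (pref, value, reason) tuples for settings matching the indicators above."""
    findings = []
    for name, value in prefs.items():
        low = value.lower()
        if name in WATCHED_PREFS and any(d in low for d in HIJACK_DOMAINS):
            findings.append((name, value, "search/homepage points at a known hijack domain"))
        elif name.startswith(TOOLBAR_PREFIXES):
            findings.append((name, value, "leftover toolbar/PUP setting"))
    return findings


# Constructed sample user.js; the last line is a legitimate Firefox pref and must not be flagged.
SAMPLE_USER_JS = """\
user_pref("browser.startup.homepage", "hxxp://search.babylon.com/?babsrc=HP_Prot");
user_pref("keyword.URL", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3131886&SearchSource=2&q=");
user_pref("extensions.searchya_i.newTab", true);
user_pref("browser.startup.homepage_override.mstone", "13.0.1");
"""

if __name__ == "__main__":
    for pref, value, reason in audit_prefs(parse_prefs(SAMPLE_USER_JS)):
        print(f"{reason}: {pref} = {value}")
```

    Point parse_prefs at the real prefs.js and user.js in the profile folder named in the script to check whether the ComboFix run actually cleared these entries.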
     
