kxvo.exe infection

Discussion in 'Malware Help (A Specialist Will Reply)' started by nininya, Apr 4, 2008.

  1. nininya

    nininya Private E-2

    I hope I did this right.

    My computer was infected by the kxvo.exe malware. So far nothing drastic has happened yet, but the pop-up informing me about running out of memory comes out every time I use Yahoo Messenger v.8.

    So I followed the READ ME. However, upon running MGtools, I was told that I didn't have processdll.exe. Do I need that?

    So I tried logging in to Yahoo and so far nothing has happened yet. But my Firefox keeps shutting down. Is it still the malware?

    Please find attached the SASlog.txt, MBAMlog.txt, Combofix.txt. I'll be uploading the MGlogs.zip in another message.
     

    Attached Files:

  2. nininya

    nininya Private E-2

    Here's MGlogs.zip.
     

    Attached Files:

  3. abri

    abri MajorGeek

    Hi nininya,
    I'm looking through your logs now and will get back to you with a set of instructions.
    abri
     
  4. abri

    abri MajorGeek

    Hi nininya,

    1) I don't see either a resident antivirus program or a two-way firewall installed on your computer. Without these, the work we do here will easily be reversed.

    2) I need information about the following files and folders: (do not open any files you don't recognize)

    C:\Documents and Settings\KESTREL\My Documents\RegRun2
    C:\Documents and Settings\KESTREL\My Documents\omg2k.xls
    C:\TempEI4



    3) Please disable your guest account if this hasn't already been done.


    4) If you do not use Windows Messenger (not to be confused with MSN Messenger!!), I would like you to run Disable/Remove Windows Messenger.

    5) Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {CE7C3CF0-4B15-11D1-ABED-709549C10000} - (no file)
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [kxva] C:\WINDOWS\system32\kxvo.exe

    After you click Fix, just close HijackThis.


    6) Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt

    7) Please download ATF Cleaner by Atribune.

    This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.


    8) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip it generates along with the Avenger log.


    Let me know how things are running now.

    abri
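    The three HijackThis lines in step 5 above are the kind of entries a helper scans a log for by eye: a BHO whose CLSID points at no file, and a per-user Run value that launches a binary out of C:\WINDOWS\system32. The script below is an added example, not part of this thread or of HijackThis/MGtools, that parses O2 and O4 lines from a constructed log excerpt and flags those two patterns. The two heuristics (an orphaned BHO, and an HKCU Run entry whose image lives in system32) are my own illustrative rules, not a classification HijackThis itself performs.

    ```python
    import re
    from dataclasses import dataclass
    from typing import List

    # Constructed log excerpt, modelled on the O2/O4 lines quoted in the post above.
    SAMPLE_LOG = r"""
    O2 - BHO: (no name) - {CE7C3CF0-4B15-11D1-ABED-709549C10000} - (no file)
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [kxva] C:\WINDOWS\system32\kxvo.exe
    """.strip()

    # O2 lines: "O2 - BHO: <name> - {CLSID} - <dll path or (no file)>"
    O2_RE = re.compile(
        r'^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<target>.*)$')
    # O4 lines: "O4 - HKLM\..\Run: [<value name>] <command line>"
    O4_RE = re.compile(
        r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<value>[^\]]*)\] (?P<command>.*)$')

    DANGLING_BHO = "dangling-bho"            # CLSID registered, but no DLL on disk
    HKCU_RUN_SYSTEM32 = "hkcu-run-system32"  # per-user autorun of a system32 binary


    @dataclass
    class Finding:
        line: str
        reason: str


    def image_path(command: str) -> str:
        """Return the executable from a Run-key command line.

        A quoted path is taken up to the closing quote; otherwise the first
        whitespace-separated token is assumed to be the image (the usual
        HijackThis layout, and enough for the lines in this thread).
        """
        command = command.strip()
        if command.startswith('"'):
            end = command.find('"', 1)
            return command[1:end] if end > 0 else command[1:]
        return command.split(" ", 1)[0]


    def audit(log_text: str) -> List[Finding]:
        """Scan HijackThis-style lines and return the entries matching the heuristics."""
        findings = []
        for raw in log_text.splitlines():
            line = raw.strip()
            if not line:
                continue
            m = O2_RE.match(line)
            if m:
                if m.group("target").strip().lower() == "(no file)":
                    findings.append(Finding(line, DANGLING_BHO))
                continue
            m = O4_RE.match(line)
            if m:
                path = image_path(m.group("command")).lower()
                # Legitimate software registers its autorun under HKLM with its own
                # install directory; a per-user Run value pointing into system32 is
                # the pattern the kxvo.exe entry above shows (illustrative rule).
                if m.group("hive") == "HKCU" and "\\windows\\system32\\" in path:
                    findings.append(Finding(line, HKCU_RUN_SYSTEM32))
        return findings


    if __name__ == "__main__":
        for f in audit(SAMPLE_LOG):
            print(f"[{f.reason}] {f.line}")
    ```

    Run stand-alone it prints the O2 line and the kxva Run entry and stays silent on the QuickTime entry, which is the split the post itself makes (the QuickTime line is listed for cleanup as an unneeded startup item, not as malware). On a live machine the same two rules would be applied to the contents of the Run keys read from the registry rather than to a saved log.
    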
     
  5. nininya

    nininya Private E-2

    Hi Abri!

    Thanks for the help. I won't be able to go through my "sick" computer right now since I won't be in for work until Tuesday. Offhand, these are what I know--

    1) I don't see either a resident antivirus program or a two-way firewall installed on your computer. Without these, the work we do here will easily be reversed.-- Before I did the scans as per the READ ME, I uninstalled all my antispyware and antivirus programs. I reinstalled only after the last scan. I now use the home version of Avast. The firewall I'm currently using is the one that comes with Windows.

    2) I need information about the following files and folders: (do not open any files you don't recognize)

    C:\Documents and Settings\KESTREL\My Documents\RegRun2-- not sure what this does
    C:\Documents and Settings\KESTREL\My Documents\omg2k.xls-- this is an Excel file I made
    C:\TempEI4-- not sure about this one either

    Thank you so much for the reply. I'll do the rest of the items as soon as I get back to the office.

    Nina
     
  6. abri

    abri MajorGeek

    Hi nininya,

    When you work on the other steps, please do the following as well:

    Open these two folders (but not any of the files inside of them) and tell me if you can give me more information about them. It would be helpful to know what is inside of them. Also, you can get further information about them by right-clicking on them and checking the properties for the size of these two folders and the date they were created on.

    C:\Documents and Settings\KESTREL\My Documents\RegRun2
    C:\TempEI4


    abri
     
  7. nininya

    nininya Private E-2

    Hi Abri,

    C:\Documents and Settings\Kestrel\My Documents\RegRun2
    This folder is for the RegRun application. I ran it before as an attempt to get rid of kxvo.exe. The folder size is 8.71 KB. The files in the folder are: Regrun2.rr2 and rr2log.txt.

    I checked the C:\TempEI4 folder; it's 252 KB. It has .LOG files and .temp files. I'm sending you a screenshot of the folder along with the Avenger and MGtools logs.

    Thanks for the help!

    Nininya
     

    Attached Files:

  8. abri

    abri MajorGeek

    Hi nininya,

    Both of those folders can be deleted. Just right click on each one to delete it.
    C:\Documents and Settings\KESTREL\My Documents\RegRun2
    C:\TempEI4


    Then I would like for you to do the following:

    1) Download and install Erunt. Use it to create a backup of your registry.

    2) Please copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    3) Now run CCleaner at the default setting with the Windows tab as the top one.

    4) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip.

    Let me know if you got a success message after you ran the registry patch REGEDIT4


    How are things running now?

    abri
     
  9. nininya

    nininya Private E-2

    Hi Abri,

    To update you,

    I did all of the things instructed (04-06-08, 02:45) yesterday morning. The logs for that were uploaded yesterday 11:20. So far I have not gotten the "you do not have enough memory to run" warning. I usually get it after reboot and whenever I run my Yahoo messenger.

    Today I did the things you instructed me to do (Today, 05:02). I was able to back up my registry, I made the fixMe.reg and I got a success message after I ran it, but when I ran C:\MGtools\GetLogs.bat, I got this message: "ProcessDll.exe - Application Error: The application failed to initialize properly (0xc0000135). Click on OK to terminate the application." I'll update you at the end of the day if I encounter any more problems. So far my PC has been doing great :) thanks for all the help. :)
     

    Attached Files:

  10. abri

    abri MajorGeek

    Hi nininya,

    You're still getting some malware files. Please begin by running CCleaner at the default setting with the Windows tab as the one on top.

    Then I would like for you to go to How to Protect Yourself from Malware and download and install one of the free antivirus programs there. Be sure to update it and then allow it to run.

    After you've completed that, I would like for you to run Combofix again which is on your desktop. Attach the log with your next post. The instructions can be found at How to properly run Combofix.

    Please attach the Combofix log and then, if you have the time, I would like for you to go to the Alternate Scans and scroll about halfway down the page where you'll find a list of rootkit scans. Please run GMER and the AVG Antirootkit scans and attach the logs from these if they find anything. I would not ask you to do this, but at least one of the files you got came in yesterday, meaning that something is still creating them.

    abri
     
    Last edited: Apr 9, 2008
  11. nininya

    nininya Private E-2

    Hi Abri,

    Sorry this took so long.

    I downloaded Avast and installed it in my computer.

    Ran ComboFix, GMER and AVG Antirootkit. Attached are the logs for ComboFix and GMER. I don't know how to create a log file for AVG, but it only found one rootkit in C:\Windows\System32\userinit.exe.

    Thanks,
    Nina

    PS. I'm having trouble signing in to the MajorGeeks forum. I key in the correct username and password many times before I get to log in. Is this malware related?
     

    Attached Files:

  12. abri

    abri MajorGeek

    Hi nininya,

    Which rootkit virus did AVG Antirootkit find? Did it delete it? If you're not sure, please see if you can have it scan the System32 directory again to see if it's still there.

    Then I would like for you to zip the file C:\n2.bat and attach it to your next post.
    Do not double click on it as this will cause it to run!

    abri
     
  13. nininya

    nininya Private E-2

    Hi Abri,

    As mentioned in the previous post, AVG Anti Rootkit found this:
    C:\Windows\System32\userinit.exe.

    I didn't delete it last night. I ran the AVG Anti Rootkit again, but the software wasn't able to spot the file again. I checked the system32 folder; however, the .exe file was still there. Should I delete it?

    Please find attached the file you asked for.

    Thanks,
    Nina
     

    Attached Files:

    • n2.zip (152.3 KB)
  14. nininya

    nininya Private E-2

    Hi Abri,

    I remember you asking me to delete some files found by Avenger.

    I was going through my other drive and I saw the same files I deleted in C in my other drive (D). I deleted them now, but is there a way to run Avenger in my D?
     
  15. abri

    abri MajorGeek

    Hi nininya,

    Do not delete C:\Windows\System32\userinit.exe.

    This is one of your system files. What AVG Antirootkit may have found was an infected form of that file and replaced it with one that is not infected. In the log you attached here, my antivirus program gave me an alert that there is a trojan horse in it called PSW-Online Games AO.

    Since you are finding infected files in your other drives as well, I would like for you to run the BitDefender online scan and see if it picks anything up. This is a very thorough scan which requires the use of Internet Explorer and you need to have it set to enable Active X. Please go to Alternate Scans and look for the free online scans. (note: there are both offline and online scans) Click on the link called Running BitDefender Online Scan.

    Please read the instructions carefully so that when you finish you will be able to copy the information correctly to make a log that we can use. Let me know how this goes.

    abri
     
  16. nininya

    nininya Private E-2

    Hi Abri,

    Finished the BitDefender scan. It found a lot of malware. Please see the attached log.

    nina
     

    Attached Files:

  17. abri

    abri MajorGeek

    Hi nininya,

    That was worth the time! I would like for you to go ahead with the final cleanup instructions which include erasing all your previous restore points and setting a new one. After you do this, I would like for you to rerun BitDefender on a single folder. I will explain how to do that following the cleanup instructions in the box. Do the cleanup instructions first and then the BitDefender scan.
    And now... to run BitDefender, go to Running BitDefender Online Scan. Be sure you are running Internet Explorer when you click on the link. After you click on the "I agree" button and just before you click on the "start scan" button, look above it in the box where there are two "click here" links in red. Select the top one of these "Click here" buttons (under "select what you want to check for viruses") and click on it. This will take you to a menu where you can have BitDefender scan more specific folders. See if you can get it to scan just the following folder and save the report as per the same instructions you used last time. Attach the report here. If it doesn't find anything this time, just tell me.
    C:\Documents and Settings\KESTREL\Desktop

    After you complete both of the above, please run C:\GetLogs.bat by double-clicking on it and attach a fresh MGlogs.zip with your next post. They are found directly under C:\.

    How is your computer working?
    abri
     
