kxvo.exe

Discussion in 'Malware Help (A Specialist Will Reply)' started by Robertski_OG, Jun 3, 2008.

  1. Robertski_OG

    Robertski_OG Private E-2

    Hi,
    I'm having problems removing this little bugger from my system. I tried NOD32 and Malwarebytes' Anti-Malware, but obviously it didn't work. I'm attaching MGTools and MBAM logs.
    Thanks
     

    Attached Files:

  2. Robertski_OG

    Robertski_OG Private E-2

    And here is a log from the HijackThis-MGTools. I've downloaded the Avenger program, but I didn't take any other actions yet, since it seems that treatment depends on user-specific logs and info.
    Thanks
     

    Attached Files:

  3. abri

    abri MajorGeek

    Hi Robertski,
    Welcome to Major Geeks!


    Was there a reason you didn't run the other scans we requested? You're missing the logs for SuperAntiSpyware and Combofix. The following instructions may be missing information that would be helpful. Please go ahead with these instructions first and then we'll see.


    1) Please go to the following folder in Windows Explorer and delete any of the files in it that you are allowed to delete. Windows will not allow you to delete files from the current date.

    C:\WINDOWS\Temp\

    2) Go to add/remove programs and uninstall the below:

    Java(TM) 6 Update 2
    Java(TM) 6 Update 5



    3) If you do not use Windows Messenger (not to be confused with MSN Messenger!!), I would like you to run Disable/Remove Windows Messenger.


    4) Run C:\MGtools\analyse.exe by double-clicking on it. This is really HijackThis (Note: if using Vista, don't double-click; use right-click and select Run As Administrator). Select "Do a system scan only". In the box that opens, find the following entries and put a checkmark next to them (if you need some of them to be in the trusted zone, leave them). After check-marking them, close all your open browser windows and click on FIX:

    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TQ566808] "E:\Setup.exe"
    O4 - HKCU\..\Run: [kxva] C:\WINDOWS\system32\kxvo.exe


    Do the following programs need to load at startup? If not, please fix them as well.

    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

    After you click FIX, just close HijackThis.


    5) Download and install Erunt. Use it to create a backup of your registry.

    6) Please copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the File Type is set to "all files". Once you have saved it, look for it on your desktop and when you find it, double-click it and allow it to merge with the registry.
    7) Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the 'Execute' button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt


    8) Now run CCleaner at the default setting with the Windows tab as the top one.

    9) Install the current version of Sun Java from: Sun Java Runtime Environment

    10) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip along with the Avenger log.


    Let me know how things are running now.

    abri
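The O2 and O4 lines in the fix list above are the persistence points this cleanup targets: an O4 entry is a Run-key value that launches a program at logon, and an O2 entry is a Browser Helper Object DLL that Internet Explorer loads into every window. Added example for this thread, not a MajorGeeks, HijackThis or NOD32 tool and not part of abri's instructions: a Python script that parses lines in this format and applies a few triage heuristics (program on a non-system drive such as E:, unknown executable dropped straight into system32, BHO DLL living in system32, per-user HKCU Run key). The sample lines are the ones quoted in the post; the heuristics and the short KNOWN_SYSTEM32 allowlist are this example's own assumptions.

```python
"""Triage HijackThis O2 (Browser Helper Object) and O4 (Run key) lines.

Added example for this thread, not a MajorGeeks or HijackThis tool. The
sample lines are the ones quoted in the post; the heuristics and the
KNOWN_SYSTEM32 allowlist are this example's own assumptions.
"""
import re
from typing import Dict, List, Optional

# Constructed sample: the O2/O4 lines quoted in the thread that the helper
# asked to be fixed (optional startup items such as NeroCheck left out).
SAMPLE_LOG = r"""
O2 - BHO: IEHlprObj Class - {CE7C3CF0-4B15-11D1-ABED-709549C10000} - C:\WINDOWS\system32\ieso0.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TQ566808] "E:\Setup.exe"
O4 - HKCU\..\Run: [kxva] C:\WINDOWS\system32\kxvo.exe
"""

O4_RE = re.compile(r'^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$')
O2_RE = re.compile(r'^O2 - BHO: (?P<desc>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$')

# Assumed allowlist: binaries that legitimately live directly in system32 and
# commonly appear in XP Run keys (this example's own list, not authoritative).
KNOWN_SYSTEM32 = {"ctfmon.exe", "rundll32.exe", "userinit.exe", "igfxtray.exe", "hkcmd.exe"}


def extract_path(cmd: str) -> str:
    """Return the executable path from a Run command: the quoted part, or the
    text up to and including the first executable-looking extension."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    m = re.match(r'(.+?\.(?:exe|dll|bat|cmd|scr|com))\b', cmd, re.I)
    return m.group(1) if m else cmd.split()[0]


def assess(path: str, hive: Optional[str], is_bho: bool) -> List[str]:
    """Heuristic reasons an entry deserves a second look (empty list if none)."""
    p = path.lower()
    base = p.rsplit("\\", 1)[-1]
    drive = p[:2]
    in_sys32 = "\\windows\\system32\\" in p or "%systemroot%\\system32\\" in p
    reasons = []
    if re.fullmatch(r"[a-z]:", drive) and drive != "c:":
        reasons.append(f"runs from non-system drive {drive.upper()} (removable media or secondary disk)")
    if in_sys32 and not is_bho and base not in KNOWN_SYSTEM32:
        reasons.append("unknown executable dropped directly in system32")
    if in_sys32 and is_bho:
        reasons.append("BHO DLL lives in system32 rather than under Program Files")
    if hive == "HKCU":
        reasons.append("per-user Run key (writable without admin rights)")
    return reasons


def parse_hjt(text: str) -> List[Dict[str, object]]:
    """Parse O2/O4 lines into dicts holding kind, hive, name and target path."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            entries.append({"kind": "O4", "hive": m["hive"], "name": m["name"],
                            "target": extract_path(m["cmd"]), "line": line})
            continue
        m = O2_RE.match(line)
        if m:
            entries.append({"kind": "O2", "hive": None, "name": m["clsid"],
                            "target": m["path"].strip(), "line": line})
    return entries


def triage(text: str) -> Dict[str, List[str]]:
    """Map each flagged target path to the reasons it was flagged."""
    flagged = {}
    for e in parse_hjt(text):
        reasons = assess(e["target"], e["hive"], e["kind"] == "O2")
        if reasons:
            flagged[e["target"]] = reasons
    return flagged


if __name__ == "__main__":
    for target, reasons in triage(SAMPLE_LOG).items():
        print(target)
        for r in reasons:
            print("   -", r)
```

Run against the sample, the Java and QuickTime entries come back clean, E:\Setup.exe is flagged for running from a non-system drive, ieso0.dll for being a BHO in system32, and kxvo.exe both for being an unknown system32 executable and for living in the per-user Run key. The point of the HKCU check is the one the thread bears out: a Run value under the current user survives logon-time cleanup attempts that only look at HKLM.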


     
  4. Robertski_OG

    Robertski_OG Private E-2

    Thanks for the quick reply. The missing logs are a result of me being tired and not having time for more scans.
    I did what you recommended, and the truth is that it wasn't much use until I used ComboFix at the end. ComboFix removed the malware and it seems that my system has been clean since... for now :p

    Here are all the logs I could think of - I made them after everything seemed to be fine.

    Oh, and BTW: system recovery for my drives has been off since the problems started. Should I turn it back on now?

    Thanks once again
     

    Attached Files:

  5. Robertski_OG

    Robertski_OG Private E-2

    ...more logs. I don't know if the SAS log is the correct one, though.
     

    Attached Files:

  6. abri

    abri MajorGeek

    Hi Robertski_OG,

    I think we're making two steps forward and one step back rather than the reverse, so that's positive.


    First a question: What is the following file?

    C:\WINDOWS\T-72 BoF v103 patch.exe

    Now continue as follows:

    1) If you do not use Windows Messenger (not to be confused with MSN Messenger!!), I would like you to run Disable/Remove Windows Messenger.

    For the next steps, please physically disconnect your computer from the internet and disable all your security software before continuing. You will need to copy the instructions before you disconnect.


    2) Run C:\MGtools\analyse.exe by double-clicking on it. This is really HijackThis (Note: if using Vista, don't double-click; use right-click and select Run As Administrator). Select "Do a system scan only". In the box that opens, find the following entries and put a checkmark next to them (if you need some of them to be in the trusted zone, leave them). After check-marking them, close all your open browser windows and click on FIX:

    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"

    After you click FIX, just close HijackThis.


    3) Please copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the File Type is set to "all files". Once you have saved it, look for it on your desktop and when you find it, double-click it and allow it to merge with the registry.
    4) Now run The Avenger by Swandog46 which is on your Desktop.
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the 'Execute' button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt



    5) Now run CCleaner at the default setting with the Windows tab as the top one.

    6) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip along with the Avenger log.


    Let me know how things are running now.

    abri
     
  7. Robertski_OG

    Robertski_OG Private E-2

    Hmm, well, the virus is back. It seems it reactivated itself right after I inserted a flash drive - but I might be wrong.

    C:\WINDOWS\T-72 BoF v103 patch.exe is a patch for a game that I uninstalled some time ago. I have no idea what it's still doing here o_O

    My Windows Messenger has been deactivated via the gpedit.msc command since I installed the OS.

    I will attach the newest logs, proceed with your instructions and post new logs again.

    Thanks
     

    Attached Files:

  8. Robertski_OG

    Robertski_OG Private E-2

    More logs.

    Oh, and I forgot that I also have a cell phone, which I use as a flash drive... I'm afraid to plug it in now lol :p Dunno if it's infected.
     

    Attached Files:

  9. Robertski_OG

    Robertski_OG Private E-2

    Well, I did it all twice, because after executing Avenger the system did not start properly - it rebooted itself when the loading screen showed up. I thought it might help, but it seems that the virus is still there (the log stated that Avenger failed to delete kxvo.exe, as you see... or I messed something up :p)

    I think I am following your instructions correctly, or at least I hope I am.
    I hope the new info helps. Maybe the flash drives are the problem?

    Thank you
     

    Attached Files:

  10. abri

    abri MajorGeek

    Hi Robertski_OG,

    Can you update to the most recent .NET Framework from Microsoft Update? You have the earlier versions showing in Add/Remove Programs, but not yet version 2.0.
    You're missing one of the MG logs, called procdll, which requires this, and this particular log might be helpful in this case to see what the virus is hooking into.

    It's possible that your external devices are also infected, and in that case they will also need to be cleaned in order to keep the system clean. For your flash drive, you can make a folder under C:\Documents and Settings\your name\Flash Drive Backup (or some folder name) and copy everything from your flash drive there. If the virus is in the backups of your flash drive, ComboFix should pick it up. After you've run the following scans, if ComboFix picks up anything in the files from the flash drive, you can reformat the flash drive to clean it and then copy clean files back onto it. For the phone, I'm less sure how to do that.

    Let's try the following. Again, be sure to run everything while disconnected from the internet and with your security software disabled.

    1) First we're going to run Process Explorer.

    In the top section of the Process Explorer screen, double-click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

    Once you see this screen, click on each instance of any of the below DLL or EXE files (if found) and then click the Kill button.

    C:\WINDOWS\system32\kxvo.exe
    C:\WINDOWS\system32\ieso0.dll


    After you have killed all instances of any of the above DLLs or EXEs under winlogon, click OK.
    (If you do not find these DLLs or EXEs, just continue on.)

    Next double-click on explorer.exe and again click once on each instance of any of the below DLL or EXE files (if found) and then click the Kill button.

    C:\WINDOWS\system32\kxvo.exe
    C:\WINDOWS\system32\ieso0.dll


    After you have killed all instances of any of the above DLLs or EXEs under explorer, click OK.
    (If you do not find these DLLs or EXEs, just continue on.)

    Next double-click on iexplore.exe and again click once on each instance of any of the below DLL or EXE files (if found) and then click the Kill button.

    C:\WINDOWS\system32\kxvo.exe
    C:\WINDOWS\system32\ieso0.dll


    After you have killed all instances of any of the above DLLs or EXEs under iexplore, click OK.
    (If you do not find these DLLs or EXEs, just continue on.)

    Now just exit Process Explorer.


    2) Run C:\MGtools\analyse.exe by double-clicking on it. This is really HijackThis (Note: if using Vista, don't double-click; use right-click and select Run As Administrator). Select "Do a system scan only". In the box that opens, find the following entries and put a checkmark next to them (if you need some of them to be in the trusted zone, leave them). After check-marking them, close all your open browser windows and click on FIX:

    O2 - BHO: IEHlprObj Class - {CE7C3CF0-4B15-11D1-ABED-709549C10000} - C:\WINDOWS\system32\ieso0.dll
    O4 - HKCU\..\Run: [kxva] C:\WINDOWS\system32\kxvo.exe

    After you click FIX, just close HijackThis.


    3) Next I would like to have you use ComboFix to remove some files.


    • Make sure that the combofix.exe (cf.exe) that you downloaded while doing the READ & RUN ME is on your Desktop, but do not run it!
    • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    KILLALL::
    
    DRIVER::
    kxvo
    kxva
    
    FILE::
    C:\WINDOWS\TEMP\exp31.tmp
    C:\xaul0q8u.bat
    C:\WINDOWS\system32\kxvo.exe
    
    REGISTRY::
    
    [-HKEY_CURRENT_USER\Software\Kazaa]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\knight]
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "HideLegacyLogonScripts"=-
    "HideLogoffScripts"=-
    "RunLogonScriptSync"=-
    "RunStartupScriptSync"=-
    "HideStartupScripts"=-
    
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "HideLegacyLogonScripts"=-
    "HideLogoffScripts"=-
    "RunLogonScriptSync"=-
    "RunStartupScriptSync"=-
    "HideStartupScripts"=-
    
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CE7C3CF0-4B15-11D1-ABED-709549C10000}]
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
    "RegPath"="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced"
    "Text"="@shell32.dll,-30500"
    "Type"="radio"
    "ValueName"="Hidden"
    "DefaultValue"=dword:00000002
    "HKeyRoot"=dword:80000001
    "HelpID"="shell.hlp#51105"
    "CheckedValue"=dword:00000001
    
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
    "Hidden"=dword:00000001
    "SuperHidden"=dword:00000001
    "ShowSuperHidden"=dword:00000001
    "HideFileExt"=dword:00000000
    
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\kxva]
    
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "kxva"=-
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe (cf.exe).
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below


    Note: Do not mouseclick combofix's window while it is running. That may cause it to stall.

    4) Now run CCleaner at the default setting with the Windows tab as the top one.

    5) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip along with the Combofix log.


    Let me know how things are running now.

    abri

     
  11. Robertski_OG

    Robertski_OG Private E-2

    Seems I'm always missing some logs T.T Sorry for that. I'm now 99% sure the virus comes back from my flash drive - I had no problems since the last instructions until I inserted the drive. I copied the files, but couldn't copy any hidden files (the virus won't let me change settings). I formatted it, but I don't know if it helped, since the virus is still in the system. I'll do what you wrote me now, and post the logs soon.
     
  12. abri

    abri MajorGeek

    It's not that big of a pain to get rid of this thing, so it's odd it's causing such a lot of trouble this time.
    I'll wait to hear back from you.
     
  13. Robertski_OG

    Robertski_OG Private E-2

    OK, here's what I did:
    formatted the flash drive
    followed the instructions
    formatted the drive again
    did the instructions again

    I have to admit that now I realize that I probably, unknowingly, sabotaged your efforts to help me. You see, the instructions say that I have to save everything to my desktop - I never do that. I run everything from my C: or D: drive. I simply assumed that the whole desktop thing is meant for total n00bz who don't know how to access any "higher functions" of the OS. Well, maybe my arrogance has blinded me (welcome to the dark side, jedi). But this time I ran ComboFix from the desktop as you told me to. Process Explorer didn't show any of the files you mentioned, although I found a f00l.dll (or so) in iexplore.exe and I killed it.
     

    Attached Files:

  14. Robertski_OG

    Robertski_OG Private E-2

    I didn't try to connect the phone yet (MicroSD card), but I did it yesterday and nothing happened. The problems began today, while that cursed flash drive (which is an .mp3 player by Creative BTW :p) was inserted. Everything is fine now. I'll try to connect those two drives now and see what happens.

    Hmm, I wanted to attach the hijackthis.log, but the forum won't let me :p
    I hope that this time I provided all the needed logs. This may be a stupid question, but what the hell... those logs save automatically, I don't have to copy/paste them, right? Just wanted to make sure....

    Thanks, thanks and so on... ;)

    Oh yeah, and one more thing - maybe it's just me being a pain in the ***, but my PC always has problems that others don't have. Dunno why. Maybe I'm cursed ;) That could be the reason why I can't get rid of that kxvo.exe >.< Either that or I'm doing it all wrong >.>
     
  15. abri

    abri MajorGeek

    Hi Robertski_OG!

    Yes, partly for people who aren't that knowledgeable, but also because the scan and the file you create need to be in the same place, and this is easiest for most people on the desktop.

    I'm glad you found that one f00l.dll file. I'd been looking for it, but something kept switching your hidden files back and maybe that's why I couldn't find it.

    Please do the final cleanup instructions now which will remove all of our tools and logs and get a new restore point.

    If you want to keep HijackThis (analyse.exe), then please skip the step which asks you to remove HijackThis via add/remove programs and see the extra instructions in gray at the bottom of the box.
    abri
     
  16. Robertski_OG

    Robertski_OG Private E-2

    Here's what I did now:
    I inserted the flash drive, copied back onto it the files that were on it before I formatted it - nothing happened
    plugged the phone in, copied some files from it to my C: drive - nothing happened so far...

    There's one more thing I could think of - I don't use either AOL Messenger or Windows Messenger, but I use a Polish messenger called Tlen (Oxygen - translated ^^)... Dunno if that's a problem or not. Yea, I'm from Poland - that's why my English is so bad :p

    I really appreciate your help. I wish I could be helpful myself. I know viruses suck >.<

    I think I know where I got that bugger from (it's not the first time); I'm smart enough to connect the dots. If that problem gets its final solution, I'll try to avoid infecting myself again (obviously lol).
     
  17. Robertski_OG

    Robertski_OG Private E-2

    I've just read and followed your last instructions. Seems to be working. The strange thing is - I had really set the system recovery to OFF, but just right now it was ON o_O ... Well, I've turned it off and back on now.

    I deleted all the kxvo.exe files that were in any sort of quarantine or elsewhere by any of the MGtools I've installed (I may not be a geek, but some things are simply obvious :p) before I even looked at the newest instructions. I hope that was a good thing to do.

    I just can't stop saying it: thank you for your help!

    Uhmm... just one more last thing... .NET Framework from Microsoft updates... did it twice in the last few days via auto-update... does it mean that it ain't working? o_O Strange. I also had a Service Pack 3 info (70 or so MB) message once... didn't happen much though, after I accepted it o_O. Was it a fake, or is there really an SP3 that for some reason won't install on my system?

    And yet another edit: it's about the firewalls... I know the Windows-based one sucks, but I used ZoneAlarm a while ago, and some other anti-vir programs, and I had more viruses than I do now - on NOD32 and the WinXP firewall only. Do the 3rd-party FWs really help? kxvo.exe is the only virus I've had problems with in a loooong time, and I stopped using multiple anti-vir programs (not at once, of course...) long ago. If you really think 3rd-party FWs help, then I'll reconsider using one. But so far those FWs were more of an annoyance than a help to me...
     
  18. abri

    abri MajorGeek

    Hi Robertski_OG,

    Poland's glorious tomatoes put Holland's to shame. In your HijackThis log, your operating system is listed as Windows XP Dodatek SP2 (WinNT 5.01.2600). Do you know what the Dodatek refers to? As for the messenger, I looked at it, but there's not that much info about it as yet. It would seem reasonable to think that Oxygen and O2 are related companies in some way, although I'm not sure, but there's no reason at this point to think their messenger would be more vulnerable than any of the others. All messengers are to some degree vulnerable.

    The only thing I can tell you about your SP3 and your .Net Framework, is that according to your last set of MGlogs, you had a lot of files come into your computer on April 19th. The release date for SP3 was April 14th, so if you didn't use your computer for a few days in there, they may have been late. Nevertheless, neither SP3 nor version 2.0 of .NET Framework shows as being on your computer. This brings me back to the question of what does the Dodatek in your XP SP2 refer to? In this area, you may get more feedback by posting about this in the Software Forum. If you start a thread over there, you can post the link to this one and simply ask how you can know if your updates are actually getting installed. Or are they just getting downloaded without getting installed? There's a setting like this in the Windows Security Center in the control panel where you can see which setting you have. If they're getting downloaded but not installed, then you need to complete that process yourself by giving them permission to install. If there's some other problem, like you have a special issue of XP, then you may need more information as to how best to proceed.

    Okay, and one last comment. The problem with the Windows Firewall is that it's a one-way firewall. It looks at incoming traffic. It ignores anything going back out. If you have a trojan and it wants to connect to a remote computer, you won't know it. The advantage of something like Zone Alarm, is that it monitors traffic in both directions. It additionally masks the presence of your computer by not answering incoming pings that it knows to be harmful rather than rejecting them. I don't know how it works with NOD32. Comodo is somewhat more complex. Online Armor is growing in popularity. Sygate remains my favorite, but Symantec bought it and it doesn't get support anymore. I'm thinking of trying AVG8 as a security suite, but I'm waiting for them to get the bugs out. As a stand-alone antivirus program, it was notoriously light on resources and excellent, but security suites which try to cover all aspects of security are more complex. I have high hopes for this one though and will see how it develops.

    Let me know if you make any progress with your updates.
    abri
     
  19. Robertski_OG

    Robertski_OG Private E-2

    Dodatek = Supplement, so Windows XP Dodatek SP2 means simply Windows XP with the SP2 update. This is some corporate version of Windows that requires no activation - or so said a friend of mine, who gave it to me as a gift.

    My Windows Security Center is set to prompt me on everything it does, and I've had no problems whatsoever with updates so far... If SP3 and the .NET Framework updates don't show up anytime soon, then I'll try to find some answers to those problems.

    Thanks
     
  20. abri

    abri MajorGeek

    Okay, Robertski_OG,
    You might get some further advice about that in the Software Forum.
    All the best!
    abri
     
  21. abri

    abri MajorGeek

    Hi Robertski_OG,

    I wanted to get back to you about this one entry in your security center. You can disable getting messages that tell you your antivirus is not working or is not up to date and I wondered if you set it this way? If you did not set it this way (to not notify you), I would have you change it back. At the moment it looks like the following:

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001

    If you want to be notified that your antivirus is not working, you need to modify the DWORD so that it is 0 instead of 1. This can be changed by going to Start / Run, typing in REGEDIT and clicking OK. In the registry, navigate to the above key, right-click on AntiVirusOverride and select Modify. A small window will open in which you can see the DWORD and you can modify it. Change this from 1 to 0.

    abri
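The REGISTRY:: section of the ComboFix script in post #10 and the AntiVirusOverride note just above are about the same class of problem: registry values that decide what the user can see (hidden files, protected system files, file extensions, Security Center warnings) and what runs without being asked (Run values, Browser Helper Objects). Added example, not part of the thread and not a ComboFix, MajorGeeks or Microsoft tool: a Python script that parses a regedit-style export (CFScript-style `[-key]` and `"name"=-` deletion markers are accepted and skipped) and reports every value that differs from the state the script in post #10 restores, plus any Run value pointing into system32 and any BHO CLSID that is registered. The export it reads is constructed here to show the tampered state; the expected values follow the ComboFix script and abri's note, the thread does not say who set AntiVirusOverride, and the wording of each finding is this example's own.

```python
"""Audit a registry export for the settings the ComboFix script and the
Security Center note in this thread touch.

Added example, not a ComboFix, MajorGeeks or Microsoft tool. The export
below is constructed to show the tampered state that the REGISTRY:: section
in post #10 reverts, plus the AntiVirusOverride value asked about in post #21.
"""
import re
from typing import Dict, List

SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000002
"ShowSuperHidden"=dword:00000000
"HideFileExt"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"kxva"="C:\\WINDOWS\\system32\\kxvo.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CE7C3CF0-4B15-11D1-ABED-709549C10000}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride"=dword:00000001
"""

KEY_RE = re.compile(r'^\[(-?)(.+)\]$')
VAL_RE = re.compile(r'^"([^"]+)"=(.+)$')

EXPLORER_ADV = r"hkey_current_user\software\microsoft\windows\currentversion\explorer\advanced"
# (key, value name, expected data, what the wrong value does to the user)
EXPECTED_DWORDS = [
    (r"hkey_local_machine\software\microsoft\windows\currentversion\explorer\advanced\folder\hidden\showall",
     "CheckedValue", 1, "Folder Options 'Show hidden files' radio button cannot be switched on"),
    (EXPLORER_ADV, "Hidden", 1, "hidden files are not shown in Explorer"),
    (EXPLORER_ADV, "ShowSuperHidden", 1, "protected operating system files are not shown"),
    (EXPLORER_ADV, "HideFileExt", 0, "extensions hidden, so a dropped .exe can pose as a document"),
    (r"hkey_local_machine\software\microsoft\security center", "AntiVirusOverride", 0,
     "Security Center will not warn that the antivirus is off or out of date"),
]
RUN_KEY_SUFFIX = r"\software\microsoft\windows\currentversion\run"
BHO_PREFIX = r"hkey_local_machine\software\microsoft\windows\currentversion\explorer\browser helper objects"


def parse_reg(text: str) -> Dict[str, Dict[str, object]]:
    """Parse a regedit/CFScript-style export into {key_lower: {name: data}}.
    dword data becomes int, strings are unescaped; '[-key]' and '"name"=-'
    deletion markers carry no state and are skipped."""
    reg: Dict[str, Dict[str, object]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = None if m.group(1) else m.group(2).lower()
            if current is not None:
                reg.setdefault(current, {})
            continue
        m = VAL_RE.match(line)
        if not m or current is None or m.group(2) == "-":
            continue
        name, data = m.group(1), m.group(2)
        if data.lower().startswith("dword:"):
            reg[current][name] = int(data[6:], 16)
        elif data.startswith('"') and data.endswith('"'):
            reg[current][name] = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
        else:
            reg[current][name] = data
    return reg


def audit(reg: Dict[str, Dict[str, object]]) -> List[str]:
    """Return one finding per value that differs from the restored state,
    per Run value pointing into system32, and per registered BHO CLSID."""
    findings = []
    for key, name, expected, why in EXPECTED_DWORDS:
        observed = reg.get(key, {}).get(name)
        if observed is not None and observed != expected:
            findings.append(f"{name} under {key}: observed {observed}, expected {expected} ({why})")
    for key, values in reg.items():
        if key.endswith(RUN_KEY_SUFFIX):
            for name, cmd in values.items():
                if isinstance(cmd, str) and "\\system32\\" in cmd.lower():
                    findings.append(f"Run value '{name}' -> {cmd}: program placed directly in system32, verify it")
        elif key.startswith(BHO_PREFIX + "\\"):
            clsid = key[len(BHO_PREFIX) + 1:].upper()
            findings.append(f"BHO registered: {clsid}; resolve HKCR\\CLSID\\{clsid}\\InprocServer32 and check that DLL")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_reg(SAMPLE_EXPORT)):
        print("-", finding)
```

Against the constructed export it reports six findings: the three hidden-file values forced to the hiding state, the Run value for kxvo.exe, the IEHlprObj CLSID, and AntiVirusOverride set to 1; HideFileExt is already 0 and is left alone. Exporting the same keys again after the cleanup and re-running the audit is a cheap way to confirm that nothing has "switched your hidden files back", which is the symptom abri describes a few posts up.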
     
