xsecva.exe and xrwmensoac.exe

Discussion in 'Malware Help (A Specialist Will Reply)' started by AceFrehley, Aug 17, 2012.

  1. AceFrehley

    AceFrehley Private E-2

    Earlier today, Microsoft Security Essentials notified me that these two files (xsecva.exe and xrwmensoac.exe) were unrecognised and potential threats. I'm not sure of their origins, as multiple people use this account/computer. Also, it's possible that there are other infections. I've followed the instructions in the "READ & RUN ME FIRST" sticky and the requested logs are attached. I would very much appreciate any help! Thank you in advance! :)
     

    Attached Files:

    AceFrehley, Aug 17, 2012
    #1
  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    http://img805.imageshack.us/img805/9659/rktigzy.gif Fix items using RogueKiller.

    Double-click RogueKiller.exe to run. (Vista/7 right-click and select Run as Administrator)
    When it opens, press the Scan button
    Now click the Registry tab and locate these 3 detections:
    • [SUSP PATH] HKCU\[...]\Run : XSECVA ("C:\Users\JJ\AppData\Roaming\xsecva\xsecva.exe" -s) -> FOUND
      [BLACKLIST DLL] HKCU\[...]\Run : aprnt (rundll32.exe "C:\Users\JJ\AppData\Roaming\aprnt.dll",MawDeviceCallback) -> FOUND
      [BLACKLIST DLL] HKCU\[...]\Run : ashns (rundll32.exe "C:\Users\JJ\AppData\Roaming\ashns.dll",InPlacePower) -> FOUND
      [BLACKLIST DLL] HKCU\[...]\Run : dmapet (rundll32.exe "C:\Users\JJ\AppData\Roaming\dmapet.dll",Unicode) -> FOUND
      [BLACKLIST DLL] HKLM\[...]\Run : dmapet ("C:\Windows\System32\rundll32.exe" "C:\Users\JJ\AppData\Roaming\dmapet.dll",Unicode) -> FOUND
      [BLACKLIST DLL] HKLM\[...]\Run : ashns ("C:\Windows\System32\rundll32.exe" "C:\Users\JJ\AppData\Roaming\ashns.dll",InPlacePower) -> FOUND
      [BLACKLIST DLL] HKLM\[...]\Run : aprnt (rundll32.exe "C:\Users\JJ\AppData\Roaming\aprnt.dll",MawDeviceCallback) -> FOUND
      [SUSP PATH] HKUS\S-1-5-21-1636433886-2942376392-1809212147-1000[...]\Run : XSECVA ("C:\Users\JJ\AppData\Roaming\xsecva\xsecva.exe" -s) -> FOUND
      [BLACKLIST DLL] HKUS\S-1-5-21-1636433886-2942376392-1809212147-1000[...]\Run : aprnt (rundll32.exe "C:\Users\JJ\AppData\Roaming\aprnt.dll",MawDeviceCallback) -> FOUND
      [BLACKLIST DLL] HKUS\S-1-5-21-1636433886-2942376392-1809212147-1000[...]\Run : ashns (rundll32.exe "C:\Users\JJ\AppData\Roaming\ashns.dll",InPlacePower) -> FOUND
      [BLACKLIST DLL] HKUS\S-1-5-21-1636433886-2942376392-1809212147-1000[...]\Run : dmapet (rundll32.exe "C:\Users\JJ\AppData\Roaming\dmapet.dll",Unicode) -> FOUND
      [ZeroAccess] HKCR\[...]\InprocServer32 : (C:\Users\JJ\AppData\Local\{1c5071d2-ee0d-0e28-754b-a57f090917cb}\n.) -> FOUND
    Place a checkmark each of these items, leave the others unchecked.
    Now press the Delete button.

    Do the same for these items on the Files/Folder tab.

    • [ZeroAccess][FILE] @ : c:\users\jj\appdata\local\{1c5071d2-ee0d-0e28-754b-a57f090917cb}\@ --> FOUND
    • [ZeroAccess][FOLDER] U : c:\users\jj\appdata\local\{1c5071d2-ee0d-0e28-754b-a57f090917cb}\U --> FOUND
    • [ZeroAccess][FOLDER] L : c:\users\jj\appdata\local\{1c5071d2-ee0d-0e28-754b-a57f090917cb}\L --> FOUND

    When it is finished, there will be a log on your desktop called: RKreport[2].txt
    Attach RKreport[2].txt to your next message. (How to attach)
    Do not reboot your computer yet.


    Run HitmanPro and have it fix these if it finds them.

    • C:\Users\JJ\AppData\Local\Temp\xrwmensoac.exe
    • C:\Users\JJ\AppData\Roaming\xsecva\xsecva.exe
    • C:\Users\JJ\AppData\Local\{1c5071d2-ee0d-0e28-754b-a57f090917cb}\@ (ZeroAccess)
    • C:\Users\JJ\AppData\Local\{1c5071d2-ee0d-0e28-754b-a57f090917cb}\L\ (ZeroAccess)
    • C:\Users\JJ\AppData\Local\{1c5071d2-ee0d-0e28-754b-a57f090917cb}\U\ (ZeroAccess)
    • C:\Users\JJ\AppData\Local\{1c5071d2-ee0d-0e28-754b-a57f090917cb}\U\00000008.@ (ZeroAccess)

    Reboot the machine.
    Re run RogueKiller - no fix just a scan and attach log.
    Re run HitmanPro just a scan - and attach that log too.
    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista or Windows7) Then attach the new C:\MGlogs.zip file that will be created by running this.
    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!
     
    Kestrel13!, Aug 17, 2012
    #2
  3. AceFrehley

    AceFrehley Private E-2

    I encountered absolutely no problems following your instructions. That seems to have cleared up all of the issues, such as the weird iexplorer.exe processes that were constantly running beforehand. Thanks very much! Thanks for the quick response, too. You're a lifesaver. The logs you asked for are attached, just in case.
     

    Attached Files:

    AceFrehley, Aug 17, 2012
    #3
  4. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Yep. Those logs look squeaky clean. :)

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and renable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders
      related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME
        for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
     
    Kestrel13!, Aug 18, 2012
    #4

MajorGeeks.Com Menu

Downloads All In One Tweaks \ Android \ Anti-Malware \ Anti-Virus \ Appearance \ Backup \ Browsers \ CD\DVD\Blu-Ray \ Covert Ops \ Drive Utilities \ Drivers \ Graphics \ Internet Tools \ Multimedia \ Networking \ Office Tools \ PC Games \ System Tools \ Mac/Apple/Ipad Downloads

Other News: Top Downloads \ News (Tech) \ Off Base (Other Websites News) \ Way Off Base (Offbeat Stories and Pics)

Social: Facebook \ YouTube \ Twitter \ Tumblr \ Pintrest \ RSS Feeds