New sys file XP Pro SP3

File name: Ixbcgwrb.sys or lxbcgwrb.sys

File listed as autorun allowed Online Armor. See attached below. Currently have autorun blocked.

Google shows no results.

The file date is more than suspicious…!!
Any VT results…??

Not to mention the service's name which, like the file name, appears to be randomly generated. This is probably why you find no information in the Google search.

Recommendation?

Agree file date is anomalous, as is the file name. Have run autoruns, used that to check the registry, no current entries found. OA has same feature using the File Information box and right-clicking that option within to go search for exact location in registry. Nothing there either.

Thanks for the feedback.

Have the autorun set to block for now.

Can’t VT as cannot find the file; not registered in the registry either. Have searched with all options enabled.

So it isn’t in the drivers folder as in the first image you posted?

Could be time to go down the analysis scans path, OTL, etc.

Yes, I’m thinking that also.

Next replies will have all logs posted, except for Malwarebytes, which I will update and run now. AdwCleaner, OTL, and aswMBR.exe will be posted sometime tomorrow.

Note the time it took for a quick scan.

Ok. I’ve run the normal requested scans. OTL was run not on quick scan, so it took a bit of time to finish. Do want to point out that there are various Norton drivers left over on the system as I once had Norton’s System Utilities, as well as the a/v; they both have been removed for some years now.

Attached logs are below:

All scans run with the usual start up programs running and active; also connected to the internet whilst these scans were running.

Now I wait.

A malware removal specialist has been informed of your topic.

Hmm, that is showing in control set 3. I would like to run Combofix as I can see no triggers for that service.

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow to update if it asks

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the Combofix log in your next reply, as well as describe how your computer is running now.

Well, Combofix has been run with avast!, OA, and WD disabled. Some files were deleted, including a windows.ini file. Reboot was automatic, run took only 6 minutes, and the attached windows error message popped up on logon to admin.

I’ve set OA to allow the executable from Combofix.

No Combofix txt can be found anywhere, so nothing to attach. Have run Combofix once before, but that was under your supervision, date was August 29, 2012, but that log would not apply? [EDIT:] Have a file 377 bytes in size, but not what I expected. Attached below.

OK, that is OA blocking Combofix on restart so that it was unable to generate a log.

Could you re-run Combofix but not let OA block it on start?

Done. Will post the resulting log on next reply.

Successfully ran Combofix to completion, as it was OA on reboot that blocked Combofix.

Note the second attachment; do not know what to make of this? [EDIT:] This process popped up whilst Combofix was still running.

That was Combofix releasing your registry.

Is OA still finding this start up?

Thank you for that.

Yes, OA still shows the same autorun as present but blocked.

Attached find registry search for autorun entry. Same result as before; no entry found.

If need be, can we clean this computer up a bit? I like tidy, but do not know how to do this safely. Additional note: Norton Ghost 10 is installed, so… (See replies #1, 3, and 7).

[EDIT:] It’s not reply 7, it is 6.

OK, let's see if Combofix can find them.

  1. Close any open browsers.

  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  3. Open notepad and copy/paste the text in the quotebox below into it:

File:: C:\windows\system32\drivers\lxbcgwrb.sys

Registry::
[-hklm\system\controlset003\services\yrthkxc]

Driver::
yrthkxc

Save this as CFScript.txt, in the same location as ComboFix.exe

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt which I will require in your next reply.
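The posts above searched the registry and the drivers folder for the service and file by hand, and found the service only in control set 3. The following PowerShell script is an added example, not code from the thread or from any of the tools mentioned: it walks every ControlSetNNN key under HKLM\SYSTEM (not just CurrentControlSet), reports any service whose name or ImagePath matches the names taken from the thread, resolves the ImagePath, checks whether the file is actually on disk, and hashes it so the hash can be looked up on VirusTotal. Only the service name yrthkxc and the two spellings of the .sys file name come from the thread; everything else is assumed for illustration. It uses .NET calls rather than Get-FileHash so that it also runs on PowerShell 2.0.

```powershell
# Added example, not part of the thread: list matching service/driver entries in
# every control set and check whether the driver file they point to exists.
# Names below come from the thread; the script itself is an illustration.

$suspectNames = @('yrthkxc')
$suspectFiles = @('lxbcgwrb.sys', 'ixbcgwrb.sys')   # both spellings posted in the thread

# HKLM\SYSTEM\Select\Current holds the number of the control set in use right now.
$currentSet = (Get-ItemProperty -Path 'HKLM:\SYSTEM\Select' -Name Current).Current

$results = foreach ($cs in (Get-ChildItem -Path 'HKLM:\SYSTEM' |
                            Where-Object { $_.PSChildName -match '^ControlSet\d{3}$' })) {

    $setNumber    = [int]($cs.PSChildName -replace 'ControlSet', '')
    $servicesPath = "$($cs.PSPath)\Services"

    foreach ($svc in (Get-ChildItem -Path $servicesPath -ErrorAction SilentlyContinue)) {
        $props     = Get-ItemProperty -Path $svc.PSPath -ErrorAction SilentlyContinue
        $imagePath = [string]$props.ImagePath

        # Match on the service key name or on the file name inside ImagePath
        $nameHit = $suspectNames -contains $svc.PSChildName
        $fileHit = $suspectFiles | Where-Object { $imagePath -match [regex]::Escape($_) }
        if (-not $nameHit -and -not $fileHit) { continue }

        # Driver ImagePath values are commonly written as 'system32\drivers\x.sys',
        # '\SystemRoot\system32\drivers\x.sys' or '\??\C:\...'; normalise before testing.
        $resolved = $imagePath -replace '^\\\?\?\\', ''
        $resolved = $resolved -replace '^\\SystemRoot\\', "$env:SystemRoot\"
        if ($resolved -and -not [System.IO.Path]::IsPathRooted($resolved)) {
            $resolved = Join-Path -Path $env:SystemRoot -ChildPath $resolved
        }

        $onDisk = [bool]($resolved -and (Test-Path -LiteralPath $resolved))
        $sha1   = $null
        if ($onDisk) {
            # SHA-1 of the file, suitable for a VirusTotal hash lookup
            $sha1Alg = [System.Security.Cryptography.SHA1]::Create()
            $bytes   = [System.IO.File]::ReadAllBytes($resolved)
            $sha1    = ([System.BitConverter]::ToString($sha1Alg.ComputeHash($bytes))) -replace '-', ''
        }

        New-Object PSObject -Property @{
            ControlSet = $setNumber
            IsCurrent  = ($setNumber -eq $currentSet)
            Service    = $svc.PSChildName
            Start      = $props.Start   # 0 boot, 1 system, 2 auto, 3 manual, 4 disabled
            Type       = $props.Type    # 1 kernel driver, 2 file-system driver, 0x10/0x20 Win32 service
            ImagePath  = $imagePath
            OnDisk     = $onDisk
            SHA1       = $sha1
        }
    }
}

$results | Select-Object ControlSet, IsCurrent, Service, Start, Type, OnDisk, SHA1, ImagePath |
    Format-Table -AutoSize
```

An entry that appears only in a non-current control set with OnDisk false is consistent with what the thread describes: a leftover service registration whose driver file is no longer present, which is why neither the file search nor a VirusTotal lookup could be done. An entry that is current, starts at boot (Start 0) and whose file is on disk is the case that warrants submitting the hash and treating the file as live.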

Ok. In addition, will completely disable OA startup via msconfig, just so you know. Goal here is to let Combofix run unhindered.

Next reply will have requested Combo log.

Combo log 2 attached. Run CFscript.txt done.

Noted that, before the fix was run, msconfig and services.msc both denied changes when modifications were applied. Was attempting to disable OA from startup on reboot prior to running Combofix; access denied errors for both programs. Had to go to Safe Mode and use services.msc in user admin to disable. Also disabled WD, RUBotted, and avast! for the duration in normal admin prior to the Combo script run.

Note also Combofix reset some settings to default, such as Folder Options>View>Hide extensions for known file types, and IE reset to default browser, among other changes.

Reboot following script run showed avast! as disabled. Second reboot took care of that issue, as well as resetting the changes to OA made in Safe Mode to enable start up. So no need to re-enter Safe Mode to enable OA start up as figured I might have to do, second reboot fixed that.

System seems to be running about the same as before, cold boot time usually takes about 4 to 4 1/2 minutes to complete.

Combofix is not finding them either; let's check the LL2 MBR.

  • Download RogueKiller and save it on your desktop.

NOTE: If using IE8 or better, Smartscreen Filter will need to be disabled

  • Quit all programs
  • Start RogueKiller.exe.
  • Wait until Prescan has finished …
  • Click on Scan

https://dl.dropbox.com/u/73555776/RKScan.GIF

  • Wait for the end of the scan.
  • The report has been created on the desktop.

RogueKiller is positive. See attached. Used task manager to kill all extraneous programs, disabled OA, WD, RUBotted, and avast! No changes or deletions made.

Waiting for instructions.