Jump to content

Delself virus and uacinit.dll


Recommended Posts

Hi all, i recently made this thread in another thread on your forum before realising that i had actually posted it in the wrong thread. So i'll post it here and please disregard the previous thread i made in the malware forum.

Hi all, yesterday morning i was unlucky enough to get a virus which installed something called delself onto my desktop and then giving me a icon in my lower right screen saying my computer was infected. I use AVG and i immediately ran a full computer virus scan. The virus scan came back finding 12 infected files. They were immediately deleted but still found various problems. I went online to find that any attempts to do a google search about the virus immediately re-directed me to another website. So using my PSP i came across this forum where i found others having undergone similar problems. I downloaded Mbam (which was fun since i had problems installing the thing. Luckily one of your forums said about renaming the install file and the application).

So i managed to get Mbam up and running and after a full scan it managed to track down 40 infected files. This however leads into my current problem. Even after a scan, Mbam says that 2 files need to be deleted upon reboot. So i reboot the computer, run another scan and it still located them. I ran Mbam in safe mode and one of those files (str.sys it was called) has now been deleted and has not been seen since (touch wood) However this still leaves the remaining file (called uacinit.dll) that refuses to bugger off.

Now my worst case scenario planning is for a wipe of the hard drive and reinstall everything. However having gotten so far i would prefer to get past this last hurdle before throwing in the towel.

My log is as follows

Malwarebytes' Anti-Malware 1.38

Database version: 2411

Windows 5.1.2600 Service Pack 3

12/07/2009 10:30:31

mbam-log-2009-07-12 (10-30-31).txt

Scan type: Quick Scan

Objects scanned: 96251

Time elapsed: 5 minute(s), 1 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.

and my hijack this log says

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 10:30:58, on 12/07/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\AskBarDis\bar\bin\AskService.exe

C:\Program Files\AskBarDis\bar\bin\ASKUpgrade.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\WINDOWS\System32\GEARSec.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\WINDOWS\system32\PnkBstrB.exe

C:\WINDOWS\ehome\RMSvc.exe

C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\ehome\ehtray.exe

C:\WINDOWS\CTHELPER.EXE

C:\WINDOWS\system32\CTXFIHLP.EXE

C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Windows Media Player\WMPNSCFG.exe

C:\WINDOWS\ehome\RMSysTry.exe

C:\QUICKENW\QWDLLS.EXE

C:\WINDOWS\SYSTEM32\CTXFISPI.EXE

C:\WINDOWS\eHome\ehmsas.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\hope\hope.exe.exe

C:\Program Files\AVG\AVG8\avgtray.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\PROGRA~1\AVG\AVG8\avgnsx.exe

C:\PROGRA~1\AVG\AVG8\avgemc.exe

C:\Program Files\AVG\AVG8\avgcsrvx.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Windows Live\Messenger\msnmsgr.exe

C:\WINDOWS\system32\msiexec.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.wikipedia.org/wiki/Main_Page

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.rd.yahoo.com/customize/ie/defaul...earch.yahoo.com

R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll

R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

R3 - URLSearchHook: (no name) - *{EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll

O2 - BHO: Java

Link to post
Share on other sites

just as a update, i was reading another thread where someone was having similar problems as to mine and someone had replied to use Combo Fix. Having plenty of time i went ahead and used it and let it do its work.

Its log file is as follows. I tried shutting down AVG but ran into several problems trying to get it to shut down so this may have set it a bit off kilter.

ComboFix 09-07-09.08 - Neils PC 12/07/2009 11:35.1.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1536 [GMT 1:00]

Running from: c:\documents and settings\Neils PC\Desktop\ComboFix.exe

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\proquota.exe was missing

Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Service_UACd.sys

((((((((((((((((((((((((( Files Created from 2009-06-12 to 2009-07-12 )))))))))))))))))))))))))))))))

.

No new files created in this timespan

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]

2009-04-02 11:47 333192 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]

2009-06-26 09:36 1008896 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\lib\NMBgMonitor.exe" [2006-02-01 98304]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]

"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 57344]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2006-01-12 155648]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-01-10 385024]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-01-15 267048]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-04-30 86016]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-04-30 13750272]

"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-18 1948440]

"CTHelper"="CTHELPER.EXE" - c:\windows\CTHELPER.EXE [2005-08-07 16384]

"CTxfiHlp"="CTXFIHLP.EXE" - c:\windows\system32\CTXFIHLP.EXE [2005-08-07 18944]

"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-04-30 1657376]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

Billminder.lnk - c:\quickenw\BILLMIND.EXE [2006-12-1 36864]

Extender Resource Monitor.lnk - c:\windows\ehome\RMSysTry.exe [2005-10-20 18432]

Quicken Startup.lnk - c:\quickenw\QWDLLS.EXE [2006-12-1 32768]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2009-06-18 22:56 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ autocheck autochk /r \??\I:\0autocheck autochk *

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]

@="FSFilter Activity Monitor"

[HKLM\~\startupfolder\C:^Documents and Settings^Neils PC^Start Menu^Programs^Startup^Norton System Doctor.LNK]

path=c:\documents and settings\Neils PC\Start Menu\Programs\Startup\Norton System Doctor.LNK

backup=c:\windows\pss\Norton System Doctor.LNKStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\DC++\\DCPlusPlus.exe"=

"c:\\Program Files\\Common Files\\Ahead\\Nero Web\\SetupX.exe"=

"c:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=

"c:\\WINDOWS\\system32\\dpvsetup.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\WINDOWS\\system32\\PnkBstrA.exe"=

"c:\\WINDOWS\\system32\\PnkBstrB.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\World of Warcraft\\Launcher.exe"=

"c:\\Program Files\\Azureus\\Azureus.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3724:TCP"= 3724:TCP:Blizzard Downloader

"6112:TCP"= 6112:TCP:Blizzard Downloader

"65535:TCP"= 65535:TCP:DC++

"65535:UDP"= 65535:UDP:DC++

"3776:UDP"= 3776:UDP:Media Center Extender Service

"3390:TCP"= 3390:TCP:Remote Media Center Experience

S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-07-05 335752]

S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-06-18 108552]

S2 ASKService;ASKService;c:\program files\AskBarDis\bar\bin\AskService.exe [2009-04-02 464264]

S2 ASKUpgrade;ASKUpgrade;c:\program files\AskBarDis\bar\bin\ASKUpgrade.exe [2009-04-02 234888]

S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-07-05 907032]

S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-06-18 298776]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

QWAVE REG_MULTI_SZ QWAVE

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]

"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

.

Contents of the 'Scheduled Tasks' folder

2009-06-22 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://en.wikipedia.org/wiki/Main_Page

uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7

uSearchURL,(Default) = hxxp://uk.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://uk.search.yahoo.com

IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Neils PC\Start Menu\Programs\IMVU\Run IMVU.lnk

Trusted Zone: apple.com\www

FF - ProfilePath - c:\documents and settings\Neils PC\Application Data\Mozilla\Firefox\Profiles\a7kcdhdw.default\

FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=

FF - prefs.js: browser.search.selectedEngine - Yahoo! Search

FF - prefs.js: browser.startup.homepage - hxxp://en.wikipedia.org/wiki/Main_Page

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-07-12 11:43

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

CTHelper = CTHELPER.EXE?

CTxfiHlp = CTXFIHLP.EXE?

scanning hidden files ...

c:\windows\system32\drivers\hjgruiakasxomp.sys 67584 bytes executable

c:\docume~1\NEILSP~1\LOCALS~1\Temp\hjgrui000 0 bytes

c:\windows\TEMP\hjgruisaayplpsex.tmp 93 bytes

c:\windows\TEMP\hjgruiuctfdswlrx.tmp 18944 bytes executable

c:\windows\system32\hjgruifvxrkrpj.dat 93 bytes

c:\windows\system32\hjgruihoqotpxb.dll 18944 bytes executable

c:\windows\system32\hjgruiqbmtbamg.dat 80981 bytes

c:\windows\system32\hjgruixbqotprl.dll 42496 bytes executable

scan completed successfully

hidden files: 8

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\hjgruidaolwhbm]

"imagepath"="\systemroot\system32\drivers\hjgruiakasxomp.sys"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-484763869-115176313-682003330-1003\Software\Microsoft\SystemCertificates\AddressBook*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-484763869-115176313-682003330-1003\Software\Zepter Software\RegLib*88c7b7b7\CloneDVDmobile/1]

"1"=dword:4516d60b

"2"=dword:472e0c80

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(752)

c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(812)

c:\windows\system32\WININET.dll

.

Completion time: 2009-07-12 11:47

ComboFix-quarantined-files.txt 2009-07-12 10:47

Pre-Run: 159,372,759,040 bytes free

Post-Run: 160,159,768,576 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

178 --- E O F --- 2009-07-06 00:13

As a side note i ran Mbam afterwards and its log said

Malwarebytes' Anti-Malware 1.38

Database version: 2411

Windows 5.1.2600 Service Pack 3

12/07/2009 11:51:49

mbam-log-2009-07-12 (11-51-49).txt

Scan type: Quick Scan

Objects scanned: 92951

Time elapsed: 2 minute(s), 21 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 5

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\WINDOWS\system32\hjgruihoqotpxb.dll (Trojan.TDSS) -> Delete on reboot.

c:\WINDOWS\system32\hjgruixbqotprl.dll (Trojan.TDSS) -> Delete on reboot.

c:\WINDOWS\system32\drivers\hjgruiakasxomp.sys (Trojan.TDSS) -> Quarantined and deleted successfully.

c:\WINDOWS\Temp\hjgruicqdnpnhwmc.tmp (Trojan.TDSS) -> Delete on reboot.

c:\WINDOWS\Temp\hjgruiuctfdswlrx.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.

i did notice that uacinit.dll has now disappeared, hopefully this has turned the tide.

Link to post
Share on other sites

ok, i rebooted the computer and ran mbam and it came back completely clear

Malwarebytes' Anti-Malware 1.38

Database version: 2411

Windows 5.1.2600 Service Pack 3

12/07/2009 12:01:28

mbam-log-2009-07-12 (12-01-28).txt

Scan type: Quick Scan

Objects scanned: 93122

Time elapsed: 3 minute(s), 23 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

does this mean that i can now claim success and the virus is now successfully gone?

on a side note, after i rebooted the computer i've been getting a lot of messages whenever i start a application saying "The application or DLL globalroot/systemroot/system32/*******.dll Please check this against your installation diskette." is this normal because i've used Combo Fix and everything has been rebooted or something.

Link to post
Share on other sites

  • Root Admin

Every system is different and when or why to use Combofix is not just because someone else did. This tool can easily delete required files and render your system non bootable - please do not run software or tools without being asked for your own safety. Many Helpers will not help you if you run tools on your own.

STEP 01

Download but do not yet run ComboFix

If you have a previous version of Combofix.exe, delete it and download a fresh copy.

Download it to your DESKTOP - it MUST run from the Desktop

download.bleepingcomputer.com/sUBs/ComboFix.exe

subs.geekstogo.com/ComboFix.exe

Using your mouse, Highlight and then Right-click | Copy the entire contents of the Code box below, including blank lines

KILLALL::

File::
c:\windows\system32\drivers\hjgruiakasxomp.sys
c:\docume~1\NEILSP~1\LOCALS~1\Temp\hjgrui000
c:\windows\TEMP\hjgruisaayplpsex.tmp
c:\windows\TEMP\hjgruiuctfdswlrx.tmp
c:\windows\system32\hjgruifvxrkrpj.dat
c:\windows\system32\hjgruihoqotpxb.dll
c:\windows\system32\hjgruiqbmtbamg.dat
c:\windows\system32\hjgruixbqotprl.dll

RegLock::
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
[HKEY_USERS\S-1-5-21-484763869-115176313-682003330-1003\Software\Zepter Software\RegLib*88c7b7b7\CloneDVDmobile/1]
RegNull::
[HKEY_USERS\S-1-5-21-484763869-115176313-682003330-1003\Software\Zepter Software\RegLib*88c7b7b7\CloneDVDmobile/1]
Registry::
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\hjgruidaolwhbm]
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"CTHelper"=-
"CTxfiHlp"=-

Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled. Right-click | Paste the Code box contents from above into Notepad. Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt" .

Using your mouse, drag the new file CFscript.txt and drop it on the Combo-Fix.exe icon as shown:

CFScript.gif

  • Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
  • Disconnect from the Internet.
  • Disable your Antivirus software. If it has Script Blocking features, please disable these as well.
  • A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix.
  • It may identify that Recovery Console is not installed. Please accept when asked if you wish it to be installed.
    When the scan completes Notepad will open with with your results log open. Do a File, Exit.

A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

Post back the Combofix log on your next reply.

STEP 02

    Download and install CCleaner
  • CCleaner
  • Double-click on the downloaded file "ccsetup220_slim.exe" and install the application.
  • Keep the default installation folder "C:\Program Files\CCleaner"
  • Click finish when done and close ALL PROGRAMS
  • Start the CCleaner program.
  • Click on Registry and Uncheck Registry Integrity so that it does not run (basically the very top, uncheck it)
  • Click on Options - Advanced and Uncheck "Only delete files in Windows Temp folders older than 48 hours"
  • Click back to Cleaner and under SYSTEM uncheck the Memory Dumps and Windows Log Files
  • Click on Run Cleaner button on the bottom right side of the program.
  • Click OK to any prompts

STEP 03

Please temporarily disable your current Anti-Virus and run this Online Anti-Virus scanner

Run Eset NOD32 Online AntiVirus

Note: You will need to use Internet Explorer for this scan.

  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Disable your current Antivirus software. You can usually do this with its Notfication Tray icon near the clock.
  • Click Start
  • Make sure that the option "Remove found threats" is Un-checked, and the option "Scan unwanted applications" is checked
  • Click Scan
  • Wait for the scan to finish
  • Re-enable your Anvirisus software.
  • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
Link to post
Share on other sites

  • Root Admin

Due to the lack of feedback this Topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.