On 7/7/09 I was hit with a virus that restarted my computer and installed System Security 2009. The virus redirected google searches to generic ad sites, as well as disabling access to things such as task manager, system restore, and msconfig.
The next day, the problems seemed to recede and I was able to download and run malwarebytes' anti-malware. This found and quarantined the following:
Trojan.Agent (2 instances)
Rogue.Multiple.H (4 instances)
Adware.Minibug (5 instances)
Fake.Dropped.Malware (2 instances)
I then checked Windows Update which, to my surprise, had a small backlog of updates. Upon completion, I received a message that it had found traces of Alureon and that I should run full antivirus scans. I did so in safe mode with Dr.Web, and then once again on a normal boot.
This found hjgrui*.dll files in System32, which I quarantined. It also found malware in my Java Cache and in the executable for AOL Instant Messenger.
Since then, I've run scans with MBAM and Dr.Web (individually, of course) and found no more results.
At this point, I'm not sure if my system is as clean as it's going to get or if there are more nasties in hiding. I tried System Restore and it was able to create a new restore point. Things -seem- to be back to normal.
I've just now run a RootRepeal scan and found the following:
Service Name: hjgruikklypatg
Image Path: C:\WINDOWS\system32\drivers\hjgruiwtdybjrw.sys
This file does not appear in the drivers folder.
Additionally, visible in the System32 folder are hjgruihypxwnam.dat (1 KB) and hjgruikecnrbmf.dat (64 KB).
1) Should these be deleted/wiped immediately?
2) What diagnostic logs are relevant to post in this situation?
Thanks in advance for any assistance.
Edit: Update - Overnight, Dr.Web found two infections attempting to modify System Restore, so it's definitely not clean.
Edit2: I deleted both .dat files and attempted to wipe hjgrui*.sys with RootRepeal. The wipe failed with "Could not find file on disk!"
I also went into the registry and searched for hjgrui*. It found several instances, but could not delete any of them.
Edit3: Another RootRepeal curiosity under SSDT - NtCreateKey, NtEnumerateKey, NtEnumerateValueKey, NtOpenKey, NtQueryKey, NtQueryValueKey, NtSetValueKey are displayed in red and shown with a module of sp**.sys (two random characters, changing on each reboot). These functions are hooked. Is this normal or possibly part of an infection?
Edit4: Successfully found the registry value that was linked to hjgrui*.sys and killed it with RootRepeal. My computer no longer has any trace of hjgrui*.*, and it does not regenerate. If the issue described in Edit3 is normal, then I may have gotten most, if not all, of the virus. After performing more scans, I will clear System Restore and create a new point.
Edit5: Dr.Web is still detecting malware trying to install itself in System32. I don't know where to go from this point, so I could really use assistance.
Edited by Zerst, 10 July 2009 - 02:28 AM.