
Traces of malware found and removed, not sure if clean.



#1 Zerst

Posted 09 July 2009 - 04:36 AM

(Windows XP SP3)

On 7/7/09 I was hit with a virus that restarted my computer and installed System Security 2009. The virus redirected Google searches to generic ad sites, as well as disabling access to things such as Task Manager, System Restore, and msconfig.

The next day, the problems seemed to recede and I was able to download and run Malwarebytes' Anti-Malware. This found and quarantined the following:

Trojan.TDSS
Trojan.Agent (2 instances)
Rogue.Multiple.H (4 instances)
Adware.Minibug (5 instances)
Fake.Dropped.Malware (2 instances)
Broken.OpenCommand

I then checked Windows Update which, to my surprise, had a small backlog of updates. Upon completion, I received a message that it had found traces of Alureon and that I should run full antivirus scans. I did so in safe mode with Dr.Web, and then once again on a normal boot.

This found hjgrui*.dll files in System32, which I quarantined. It also found malware in my Java Cache and in the executable for AOL Instant Messenger.

Since then, I've run scans with MBAM and Dr.Web (individually, of course) and found no more results.

At this point, I'm not sure if my system is as clean as it's going to get or if there are more nasties in hiding. I tried System Restore and it was able to create a new restore point. Things -seem- to be back to normal.


I've just now run a RootRepeal scan and found the following:

Service Name: hjgruikklypatg
Image Path: C:\WINDOWS\system32\drivers\hjgruiwtdybjrw.sys

This file does not appear in the drivers folder.


Additionally, visible in the System32 folder are hjgruihypxwnam.dat (1 KB) and hjgruikecnrbmf.dat (64 KB).


1) Should these be deleted/wiped immediately?

2) What diagnostic logs are relevant to post in this situation?


Thanks in advance for any assistance.



Edit: Update - Overnight, Dr.Web found two infections attempting to modify System Restore, so it's definitely not clean.

Edit2: I deleted both .dat files and attempted to wipe hjgrui*.sys with RootRepeal. The wipe failed with "Could not find file on disk!"
I also went into the registry and searched for hjgrui*. It found several instances, but could not delete any of them.

Edit3: Another RootRepeal curiosity under SSDT - NtCreateKey, NtEnumerateKey, NtEnumerateValueKey, NtOpenKey, NtQueryKey, NtQueryValueKey, NtSetValueKey are displayed in red and shown with a module of sp**.sys (two random characters, changing on each reboot). These functions are hooked. Is this normal or possibly part of an infection?

Edit4: Successfully found the registry value that was linked to hjgrui*.sys and killed it with RootRepeal. My computer no longer has any trace of hjgrui*.*, and it does not regenerate. If the issue described in Edit3 is normal, then I may have gotten most, if not all, of the virus. After performing more scans, I will clear System Restore and create a new point.

Edit5: Dr.Web is still detecting malware trying to install itself in System32. I don't know where to go from this point so I could really use assistance.

Edited by Zerst, 10 July 2009 - 02:28 AM.
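The post above lists three kinds of findings that are worth checking mechanically: a service whose driver file is registered but not visible on disk, random-suffix file names sharing a fixed prefix, and SSDT entries owned by a module that is not a known kernel image. The script below is an added example, not part of this thread or of RootRepeal; the report format, the directory listing and the allow-list of SSDT owners are all constructed assumptions for illustration.

```python
import re

# Constructed sample shaped like the findings quoted in the post
# (service + image path, SSDT entries). Not real RootRepeal output.
SAMPLE_REPORT = """\
Service Name: hjgruikklypatg
Image Path: C:\\WINDOWS\\system32\\drivers\\hjgruiwtdybjrw.sys
Service Name: Beep
Image Path: C:\\WINDOWS\\system32\\drivers\\Beep.sys
SSDT: NtCreateKey -> spqz.sys
SSDT: NtOpenKey -> spqz.sys
SSDT: NtClose -> ntoskrnl.exe
"""

# Constructed directory listing standing in for what Explorer shows; the
# rootkit-hidden driver is deliberately absent, as the post describes.
VISIBLE_FILES = {"Beep.sys", "hjgruihypxwnam.dat", "hjgruikecnrbmf.dat"}

# Assumption: modules that legitimately own SSDT entries on a stock XP box.
# Anything else is flagged for vetting, not declared malicious.
KNOWN_SSDT_OWNERS = {"ntoskrnl.exe", "ntkrnlpa.exe"}

SERVICE_RE = re.compile(r"Service Name: (\S+)\nImage Path: (\S+)")
SSDT_RE = re.compile(r"SSDT: (\w+) -> (\S+)")
# Fixed prefix followed by an eight-letter random suffix, as in hjgrui*.*
RANDOM_NAME_RE = re.compile(r"^hjgrui[a-z]{8}\.(sys|dat)$")


def find_hidden_drivers(report, visible_files):
    """Return (service, path) pairs whose driver file is registered as a
    service but not visible on disk: a classic sign of file hiding."""
    hidden = []
    for service, path in SERVICE_RE.findall(report):
        filename = path.rsplit("\\", 1)[-1]
        if filename not in visible_files:
            hidden.append((service, path))
    return hidden


def find_foreign_hooks(report, known_owners):
    """Return SSDT entries whose owning module is not a known kernel image."""
    return [(fn, mod) for fn, mod in SSDT_RE.findall(report)
            if mod not in known_owners]


def find_random_named(visible_files):
    """Return visible files that match the random-suffix naming pattern."""
    return sorted(f for f in visible_files if RANDOM_NAME_RE.match(f))
```

The three lists together give the "what should I post" answer in machine form: the hidden driver, the foreign SSDT owners and the random-named leftovers are exactly the items a helper would want quoted.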



#2 boopme

Posted 20 July 2009 - 12:18 AM

@Zerst, we need your log to recommend what can and cannot be deleted.


Thank you.

Edited by Pandy, 20 July 2009 - 01:04 AM.
