Posted 28 August 2009 - 11:17 PM
Hello all. I'm a newbie here and came across this site after hours of troubleshooting an infection.
Hoping that one of you kind folks can help me clean this off so as to preclude a lengthy rebuild. I have a good amount of computer experience and have all my data backed up on a now-disconnected USB drive.
I have an XP SP3 computer that apparently got infected at 9am this morning. My Symantec AntiVirus Corporate Edition v10 seemed to catch some of it (I can see that the quarantine was updated at that time), but the computer started to misbehave and then BSODed at 9:15am. I booted into safe mode and started poking around and tried to remediate via a combo of SAV, AdAware and manual effort, as I have done during other virus infections on other PCs.
- searched and found all files created between 9-9:15am
- moved all the obvious files to a separate folder and set with list-only NTFS rights
- saw that my previous System Restore point had probably been infected, removed those files as well
- removed references to jukazena.dll and tepidike.dll in HKLM\software\microsoft\windows\currentversion\run
When I booted into normal mode, I was unable to login and quickly got a message about SERVICES.EXE terminating unexpectedly with error -1073741819 and a countdown to restart. So back to Safe Mode....
When I went to run SAV and AdAware in Safe Mode, both exhibited the same behavior: the scans would start and then disappear, the processes disappearing from Task Manager as well. In addition, the NTFS permissions on the .exes for SAV and AdAware were modified to prevent subsequent running. I know enough to reset the permissions, but this trend of killing the scan and resetting the NTFS permissions happened as I tried other utilities such as Malwarebytes' Anti-Malware, HijackThis and SDFix.
Digging deeper, I found that while in Safe Mode, I only had base OS processes running (I even disabled WMI and the Crypt services) but that the reference to jukazena.dll in the \Run regkey came back 5 sec after deletion. So figuring the virus had its hooks in Explorer, I dug through the Explorer extensions and Browser Helper Objects and deleted a suspicious entry, but to no avail, the \Run entry kept getting reinstated after deletion.
So I went surfing and found my way here. I tried to run both DDS.SCR and RootRepeal, but they were both killed within 10 sec of starting their scans. I killed explorer and same results, so now I fear this infection is deep inside XP.
I would appreciate any help anyone can provide, as a full rebuild is never enjoyable and I don't want to let the bastards win!
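Two symptoms in the post above are easy to turn into a repeatable check from the defender's side: a Run value that is re-created seconds after you delete it, and Deny ACEs appearing on scanner executables. The script below is an added example, not code from the original post or from any of the tools mentioned; it polls HKLM\...\Run, logs every value that is removed or (re)added while it runs, and then lists any explicit Deny entries on a set of executables. The two scanner paths are assumptions standing in for whatever is installed on the machine; the 60-second watch window is arbitrary.

```powershell
# Added example: watch the HKLM Run key for values that are removed and then
# re-created, and report Deny ACEs on scanner binaries. Paths below are
# assumed placeholders, not taken from the post.

$runKey   = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$scanners = @(
    'C:\Program Files\Symantec AntiVirus\Rtvscan.exe',   # assumed path
    'C:\Program Files\Lavasoft\Ad-Aware\Ad-Aware.exe'    # assumed path
)
$watchSeconds = 60

# Snapshot of the Run key as a hashtable: value name -> command line.
# GetValueNames() avoids the PS* provider properties that Get-ItemProperty adds.
function Get-RunEntries {
    $entries = @{}
    $key = Get-Item -Path $runKey
    foreach ($name in $key.GetValueNames()) {
        $entries[$name] = $key.GetValue($name)
    }
    return $entries
}

$previous = Get-RunEntries
Write-Host "Run entries at start:"
foreach ($k in $previous.Keys) { Write-Host ("  {0} = {1}" -f $k, $previous[$k]) }

# Poll once a second. Deleting a value by hand during the window shows up as
# REMOVED; if something writes it back, the next poll logs it as ADDED again.
$deadline = (Get-Date).AddSeconds($watchSeconds)
while ((Get-Date) -lt $deadline) {
    $current = Get-RunEntries
    foreach ($k in $current.Keys) {
        if (-not $previous.ContainsKey($k)) {
            Write-Host ("{0:HH:mm:ss} ADDED   {1} = {2}" -f (Get-Date), $k, $current[$k])
        }
    }
    foreach ($k in $previous.Keys) {
        if (-not $current.ContainsKey($k)) {
            Write-Host ("{0:HH:mm:ss} REMOVED {1}" -f (Get-Date), $k)
        }
    }
    $previous = $current
    Start-Sleep -Seconds 1
}

# An explicit Deny ACE on a scanner's .exe is not something an installer
# normally leaves behind; list them so they can be reviewed and reset.
foreach ($exe in $scanners) {
    if (-not (Test-Path -Path $exe)) {
        Write-Host "Not present: $exe"
        continue
    }
    $deny = (Get-Acl -Path $exe).Access | Where-Object { $_.AccessControlType -eq 'Deny' }
    if ($deny) {
        Write-Host "Deny ACEs on $exe :"
        $deny | Format-Table IdentityReference, FileSystemRights -AutoSize
    } else {
        Write-Host "No Deny ACEs on $exe"
    }
}
```

Run it from an elevated prompt, delete the suspect Run value by hand while the watch loop is running, and the ADDED line (with its timestamp) tells you whether something on the box is still rewriting the key; the process doing the writing is what the cleanup actually has to target, not the value itself.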