I'm running Windows 7 and my normal user is a "power user" account, not administrator. When needing to make administrator-level changes I either "run as administrator" or login as the administrator user, but normally I operate as the power user.
I had this infection: http://www.bleepingcomputer.com/virus-removal/remove-system-fix
and was getting MANY "Delayed Write Failed" warnings, just like described in the link above. "YPfdbKQmYWnOqAL.exe" appeared in C:\ProgramData, "Xeef\udgimii.exe" appeared in C:\Users\<PowerUserName>\AppData\Roaming, and two corresponding entries appeared in HKEY_USERS\software\microsoft\windows\CurrentVersion\Run (this last I found after watching )
I've had this kind of infection several times before, so I thought I had everything I needed to fix this. I ran MBAM as BOTH the administrator and my usual "power user" (found different infections in each case), cleaned everything with ccleaner (mistake in this case as I now know), manually deleted the registry entries with regedit and also removed the HKCU:Run keys for the two files using ccleaner's Startup tool, then rebooted.
No more YPfdbKQmYWnOqAL.exe yellow triangle warning in system tray, no more "System Fix" icon in system tray, no more warnings. However, almost all desktop icons are still gone, applications pinned to the taskbar are still gone, system tray still looks different than before (different settings, apparently), and in the Start menu on the right side, under the user icon (hot air balloon in my case), no entries at all (used to have Computer, Devices and Printers, Control Panel, etc). I think the shortcuts on the left side of Start menu were back by this time. Also, half the folders on C:\ not visible. After a little more Googling I figure out that all these have been made hidden. After changing settings can see desktop stuff and everything else, but attributes still set to hidden (appear semi-transparent).
Download and run unhide.exe. It unhides everything as expected, but all the cached settings are still wrong - all desktop entities properly visible, but in the wrong places, system tray still looks wrong, still no entries on right side of Start menu, applications pinned to task bar still missing. I drag firefox to the taskbar and see that the new icon is named "Mozilla Firefox (2)". Sure enough, in C:\Users\<PowerUserName>\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar there are both "Mozilla Firefox" and "Mozilla Firefox (2)".
From this I conclude that all my cached settings didn't get deleted, but rather are still there and are still being masked somehow by whatever is left of the infection. I check back in regedit and in ccleaner's Startup tool: C:\Users\<PowerUserName>\AppData\Roaming\Xeef\udgimii.exe HKCU:Run key has reappeared and is now found in HKEY_USERS\S-1-5-21-...-1004\software\microsoft\windows\CurrentVersion\Run (I don't know if this last is a system backup or what). So I manually delete the registry entry again, delete it in ccleaner also, delete the C:\Users\<PowerUserName>\AppData\Roaming\Xeef\udgimii.exe file, and restart. The file and the registry entry both reappear.
Now I don't think I've completely cleared the infection, but I can't find what can be recreating this Xeef\udgimii.exe and the registry entry on reboot. I've also found a bunch more registry entries for udgimii: Windows\Shell\MuiCache ("Windows Privacy Tray"), Wow6432Node\Microsoft\Tracing (udgimii_RASAPI32, udgimii_RASMANCS), services\SharedAccess\Parameters\FirewallPolicy\FirewallRules (TCP Query User, UDP Query User), etc. That doesn't sound good at all, if this file really is part of the rootkit.
So, am I still infected or not? Is udgimii.exe part of the rootkit or a legitimate binary? Are my cached settings still being blocked, or are they just gone and I need to reset them? I'd love to get my desktop icon arrangement, Start menu settings, systray settings, pinned applications back, but I'm even more concerned about still being infected. Please help!
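The poster is checking Run keys by hand in regedit and CCleaner, one hive at a time, which is how the per-user entry under HKEY_USERS\S-1-5-21-...-1004 was missed at first. The script below is an added example, not code from the post or from BleepingComputer: it walks the machine-wide Run keys plus the Run key of every loaded user hive under HKEY_USERS, resolves each value to its executable, and flags entries that launch from ProgramData or a user profile (where both YPfdbKQmYWnOqAL.exe and Xeef\udgimii.exe lived) and whether that file carries the Hidden attribute. The key list, the "suspect root" folders and the Resolve-CommandPath helper are my own choices; it assumes an elevated PowerShell prompt on Windows 7 (PowerShell 2.0 syntax) so that all user hives are readable.

```powershell
# Added example (not from the post): audit autostart Run keys across HKLM and
# every loaded user hive, and flag entries launching from user-writable folders.
# Assumes an elevated prompt; HKU:\ is not a default drive, so map it first.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

# Machine-wide keys (64-bit Windows 7 also keeps a Wow6432Node copy).
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)

# One Run key per loaded user account hive. Real accounts have S-1-5-21-... SIDs;
# the *_Classes hives and well-known SIDs (S-1-5-18 etc.) are skipped on purpose.
foreach ($hive in (Get-ChildItem HKU:\ -ErrorAction SilentlyContinue)) {
    if ($hive.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$') {
        $runKeys += "HKU:\$($hive.PSChildName)\Software\Microsoft\Windows\CurrentVersion\Run"
    }
}

# Folders a normal installer rarely uses for an autostart binary, but which a
# non-admin "power user" session can write to without elevation (assumption).
$suspectRoots = @("$env:ProgramData", "$env:SystemDrive\Users")

function Resolve-CommandPath {
    # Hypothetical helper: reduce a Run value ("C:\x\y.exe" /arg, or C:\x\y.exe)
    # to just the executable path so it can be tested on disk.
    param([string]$Command)
    $cmd = $Command.Trim()
    if ($cmd.StartsWith('"')) { return ($cmd -split '"')[1] }
    if ($cmd -match '^(.*?\.exe)') { return $matches[1] }
    return ($cmd -split ' ')[0]
}

function Get-AutostartEntries {
    $entries = @()
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # PSPath, PSParentPath, ... are provider metadata, not Run values.
            if ($p.Name -like 'PS*') { continue }
            $exe    = Resolve-CommandPath -Command ([string]$p.Value)
            $exists = Test-Path -LiteralPath $exe
            $hidden = $false
            if ($exists) {
                # -Force is needed or Get-Item will not return a hidden file at all.
                $attr   = (Get-Item -LiteralPath $exe -Force).Attributes
                $hidden = ($attr -band [IO.FileAttributes]::Hidden) -ne 0
            }
            $suspect = $false
            foreach ($root in $suspectRoots) {
                if ($exe -like "$root\*") { $suspect = $true }
            }
            $entries += New-Object PSObject -Property @{
                Key     = $key
                Name    = $p.Name
                Path    = $exe
                Exists  = $exists
                Hidden  = $hidden
                Suspect = $suspect
            }
        }
    }
    return $entries
}

# Suspect entries first; a missing file with a surviving Run value, or a
# value that comes back after deletion, is worth a closer look.
Get-AutostartEntries |
    Sort-Object Suspect -Descending |
    Format-Table Name, Path, Exists, Hidden, Suspect, Key -AutoSize
```

Running this once before and once after a reboot, and diffing the two listings, shows directly whether a value is being re-created at startup rather than merely surviving an incomplete cleanup; a Run value whose target no longer exists on disk is also an easy way to spot a half-removed entry in any of the hives.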