
Malware Infection - rundll32.exe is infected / wuauclt.exe is infected

I have a client laptop (WinXP Pro OS) that has become infected with malware. The symptoms are that no programs will run. Control Panel will not run. Error popups state that rundll32.exe and wuauclt.exe are infected. There are also multiple "new updates are ready for your computer" notices in the taskbar. I am attaching the HijackThis log for your viewing pleasure. Can anyone give any help as to how to get rid of this except for wiping the drive clean and reloading the OS?
Thanks in advance!
Attachment: steve-hijackthislog.txt
johnb6767 commented:
Boot to Safe Mode (F8 when booting, right after turning on...), and rerun HJT.
Clear the following.....
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555 (responsible for no Internet connection)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O4 - HKLM\..\Run: [oarjilyj] C:\Documents and Settings\Steve\Local Settings\Application Data\dihvlq\jtcqsysguard.exe (This one is the main infection)
O4 - HKCU\..\Run: [oarjilyj] C:\Documents and Settings\Steve\Local Settings\Application Data\dihvlq\jtcqsysguard.exe (duplicate)
 
johnb6767 commented:
Combofix is a tad overkill for this, as it is a basic Rogue.FakeAV infection. After the reboot, go delete the folder at C:\Documents and Settings\Steve\Local Settings\Application Data\dihvlq, along with the junk files in it.
Install and update Super Anti Spyware and reboot to Safe Mode. Then do a full scan, and see what it finds.

SUPERAntiSpyware.com - AntiAdware, AntiSpyware, AntiMalware!
http://www.superantispyware.com/
One of the best on the market (and it is free, although you can upgrade and get Real Time Protection). Under the Options, go to Scanning Control> and make sure it is set to the following.....

Ignore Files larger than 4MB - Unchecked
Ignore Non-Executable files - Unchecked
Ignore System Restore - Unchecked
Scan only known file types - Unchecked
Close Browsers before scanning - Checked
Scan for tracking cookies - Your choice
Terminate memory threats - Checked
Scan Alternate Data Streams - Checked
Use kernel direct file access - Checked
Use kernel direct registry access - Checked
Use Direct Disk Access - Checked
Display scan option in Explorer -
johnb6767 commented:
Oh, from above..."Display scan option in Explorer - Checked"...  :)

rpggamergirl commented:
O4 - HKLM\..\Run: [oarjilyj] C:\Documents and Settings\Steve\Local Settings\Application Data\dihvlq\jtcqsysguard.exe (This one is the main infection)
O4 - HKCU\..\Run: [oarjilyj] C:\Documents and Settings\Steve\Local Settings\Application Data\dihvlq\jtcqsysguard.exe (duplicate)


The above entries in Hijackthis are bad so you can fix those if it helps, but a lot of nasties also don't show up in the scan so that means there could be other nasties not showing in the log.

C:\Documents and Settings\Steve\Local Settings\Application Data\dihvlq <-- this folder needs to be deleted as Hijackthis does not delete directories.
But you also need to show hidden files and folders because that folder is hidden.

I would suggest fixing those entries, and letting the tools take care of the bad files by running the tools that are suggested already.
If using ComboFix, please attach the log here for us to analyze to make sure it's clean.


Check this link for ways of renaming tools when they are blocked by viruses. You need to rename them prior to saving the file; in MalwareBytes' case you sometimes also need to rename it after installation.

If you can't run .exes in an infected system:
http://www.experts-exchange.com/articles/Software/Internet_Email/Anti-Virus/CAN%27T-RUN-EXES-IN-AN-INFECTED-SYSTEM.html
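The two answers above apply the same triage rules to the HijackThis log: an R1 ProxyServer entry pointing at the local machine, O2 BHO entries with "(no file)", O4 Run entries that launch an executable from a per-user "Application Data" folder (with the same target duplicated under HKLM and HKCU), and the reminder that fixing the O4 entry does not remove the folder it points at. The following script is an added example, not code from the thread, from HijackThis or from any of the posters; it encodes those rules in Python so the same checks can be run over any HJT log. The sample log is constructed from the entries quoted in the thread plus one benign ctfmon.exe line as a control (the full steve-hijackthislog.txt attachment is not on the page); the verdict labels and the per-user-directory heuristic are assumptions of this example.

```python
"""Triage a HijackThis log for the Rogue.FakeAV pattern discussed in the thread."""
import ntpath
import re
from collections import defaultdict

# Constructed sample: the lines quoted in the thread plus one benign control entry.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O4 - HKLM\..\Run: [oarjilyj] C:\Documents and Settings\Steve\Local Settings\Application Data\dihvlq\jtcqsysguard.exe
O4 - HKCU\..\Run: [oarjilyj] C:\Documents and Settings\Steve\Local Settings\Application Data\dihvlq\jtcqsysguard.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

RUN_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<target>.+)$")
PROXY_RE = re.compile(r"^R1 - .*ProxyServer = (?P<proxy>.+)$")
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
# Per-user profile data directories on Windows XP are writable without admin rights,
# so an autorun living there instead of Program Files / system32 is suspect (assumption).
USER_DATA_RE = re.compile(
    r"\\Documents and Settings\\[^\\]+\\(Local Settings\\)?Application Data\\", re.I)
LOOPBACK_RE = re.compile(r"\b(127\.0\.0\.1|localhost)\b", re.I)


def exe_path(target):
    """Return the executable path from an O4 target, dropping quotes and arguments."""
    m = re.match(r'^"?(?P<path>.+?\.exe)"?', target, re.I)
    return m.group("path") if m else target.strip()


def triage(log_text):
    """Return (findings, folders): findings are (verdict, hjt_line, reason) tuples,
    folders are directories that must be deleted by hand after fixing the O4 entries."""
    findings = []
    folders = []
    seen = defaultdict(dict)  # lowercased exe path -> {hive: hjt_line}
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = PROXY_RE.match(line)
        if m:
            if LOOPBACK_RE.search(m.group("proxy")):
                findings.append(("fix", line,
                                 "ProxyServer points at this machine; the 'proxy' is a local "
                                 "malware process, which is why there is no Internet access"))
            continue
        m = BHO_RE.match(line)
        if m:
            if m.group("path").strip() == "(no file)":
                findings.append(("fix", line, "orphaned BHO: CLSID registered but DLL is missing"))
            else:
                findings.append(("review", line,
                                 "BHO loads %s; confirm the vendor before fixing" % m.group("path")))
            continue
        m = RUN_RE.match(line)
        if m:
            path = exe_path(m.group("target"))
            seen[path.lower()][m.group("hive")] = line
            if USER_DATA_RE.search(path):
                folder = ntpath.dirname(path)
                findings.append(("fix", line,
                                 "autorun launches from a per-user data directory (FakeAV pattern); "
                                 "delete %s afterwards, HijackThis only removes the registry value"
                                 % folder))
                if folder not in folders:
                    folders.append(folder)
    # The same target under both HKLM and HKCU: fix both or it returns at next logon.
    for hives in seen.values():
        if "HKLM" in hives and "HKCU" in hives:
            findings.append(("note", hives["HKCU"],
                             "same target also registered under HKLM; fix both entries"))
    return findings, folders


if __name__ == "__main__":
    results, dirs = triage(SAMPLE_LOG)
    for verdict, line, reason in results:
        print("[%s] %s\n       %s" % (verdict.upper(), line, reason))
    for d in dirs:
        print("Delete by hand (show hidden files first): %s" % d)
```

Run it against a real log by replacing SAMPLE_LOG with the file contents; anything it marks "fix" corresponds to a line to tick in HijackThis, and the folders it lists are the ones rpggamergirl notes HJT will not remove for you (they are hidden, so enable "show hidden files and folders" before deleting).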

Brad Adams (Systems Engineer, author) commented:
Thanks very much! Great information and the fix worked just as described.

Brad Adams (Systems Engineer, author) commented:
Thanks to johnb6767.... I removed the lines from HijackThis as described and the computer booted right back up and the infection was gone. Downloaded SUPERAntiSpyware and ran the scan. It found and fixed 88 other bits of malware. Upgraded the machine to my AVG Antivirus Network Edition and all is well. Thanks!

johnb6767 commented:
Glad it wasnt a meaner malware...... Some of them are FUN to remove...

Brad Adams (Systems Engineer, author) commented:
Yes, absolutely. Thanks again for the info.