Solved

Malware Infection - rundll32.exe is infected / wuauclt.exe is infected

Posted on 2010-01-11
1,201 Views
Last Modified: 2012-05-08
I have a client laptop (WinXP Pro OS) that has become infected with malware. The symptoms are that no programs will run. Control panel will not run. errors popup stating that rundll32.exe and wuauclt.exe are infected. There are also multiple "newupdates are ready for your computer" in the taskbar. I am attaching the hijackthis log for your viewing pleasure. Can anyone give any help as to how to get rid of this except for wiping the drive clean and reloading the OS?
Thanks in advance!
steve-hijackthislog.txt
Question by:radioman-ct
9 Comments
 
LVL 17

Expert Comment

by:houssam_ballout
ID: 26288302
LVL 66

Accepted Solution

by:
johnb6767 earned 2000 total points
ID: 26288326
Boot to Safe Mode (F8 when booting, right after turning on...), and rerun HJT.
Clear the following.....
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555 (responsible for no Internet Connection)
 O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O4 - HKLM\..\Run: [oarjilyj] C:\Documents and Settings\Steve\Local Settings\Application Data\dihvlq\jtcqsysguard.exe (This one is the main infection)
O4 - HKCU\..\Run: [oarjilyj] C:\Documents and Settings\Steve\Local Settings\Application Data\dihvlq\jtcqsysguard.exe (duplicate)



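The accepted answer above reads a HijackThis log by eye: a ProxyServer entry pointing at 127.0.0.1, a BHO with no file behind it, and an O4 Run entry whose binary lives under Local Settings\Application Data with a random name. The following is an added example, not code from the thread or from the HijackThis project, that encodes those same three checks as a small triage script. The sample log is constructed here from the lines quoted in the answer, plus one benign ctfmon.exe entry (also constructed) to show what is left alone; the list of suspicious profile directories and the severity labels are the example's own assumptions.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

Finding = Tuple[str, str, str]  # (severity, hjt_line, reason)

# Constructed sample input: the R1/O2/O4 lines quoted in the accepted answer,
# plus one benign XP autostart entry (ctfmon.exe) that must not be flagged.
SAMPLE_HJT_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O4 - HKLM\..\Run: [oarjilyj] C:\Documents and Settings\Steve\Local Settings\Application Data\dihvlq\jtcqsysguard.exe
O4 - HKCU\..\Run: [oarjilyj] C:\Documents and Settings\Steve\Local Settings\Application Data\dihvlq\jtcqsysguard.exe
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# Assumption: per-user data directories on Windows XP from which legitimate
# autostart programs almost never run, but FakeAV droppers of this era did.
USER_DATA_DIRS = (
    "\\local settings\\application data\\",
    "\\local settings\\temp\\",
    "\\application data\\",
)

# HijackThis line shapes for the three entry types the answer acted on.
R1_RE = re.compile(r"^R1 - (?P<key>.+),ProxyServer = (?P<value>.+)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<desc>.*) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>[\w ]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


def triage_hjt(log_text: str) -> List[Finding]:
    """Return findings for proxy hijacks, orphaned BHOs and profile-dir autoruns."""
    findings: List[Finding] = []
    run_entries: Dict[str, List[Tuple[str, str]]] = {}  # value name -> [(hive, line)]

    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue

        m = R1_RE.match(line)
        if m:
            value = m.group("value").lower()
            if "127.0.0.1" in value or "localhost" in value:
                findings.append(("high", line,
                                 "ProxyServer points at the loopback address, so browsers are "
                                 "routed through a local process (no Internet access)"))
            continue

        m = O2_RE.match(line)
        if m:
            if m.group("path").strip().lower() == "(no file)":
                findings.append(("low", line, "BHO whose DLL is gone; orphaned entry, safe to fix"))
            continue

        m = O4_RE.match(line)
        if m:
            cmd = m.group("cmd").lower()
            if any(d in cmd for d in USER_DATA_DIRS):
                findings.append(("high", line,
                                 "autostart binary lives in a per-user data directory rather "
                                 "than Program Files or system32"))
            run_entries.setdefault(m.group("name"), []).append((m.group("hive"), line))

    # The same value name registered under both HKLM and HKCU is the
    # "duplicate" the answer pointed out; report each copy.
    for name, entries in run_entries.items():
        hives = sorted({hive for hive, _ in entries})
        if len(hives) > 1:
            for _, line in entries:
                findings.append(("medium", line,
                                 f"value name [{name}] registered under {', '.join(hives)}"))
    return findings


def severity_counts(findings: List[Finding]) -> Dict[str, int]:
    """Summarise findings by severity, e.g. {'high': 3, 'medium': 2, 'low': 1}."""
    return dict(Counter(sev for sev, _, _ in findings))


if __name__ == "__main__":
    for sev, line, reason in triage_hjt(SAMPLE_HJT_LOG):
        print(f"[{sev.upper():6}] {reason}\n         {line}")
```

The script only reads a saved log; it deletes nothing, so it is safe to run on the infected machine's log from a clean workstation before deciding which entries to fix in HijackThis and which folder to remove by hand.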
LVL 66

Assisted Solution

by:johnb6767
johnb6767 earned 2000 total points
ID: 26288358
Combofix is a tad overkill for this, as it is a basic Rogue.FakeAV infection. After the reboot, go delete the folder at C:\Documents and Settings\Steve\Local Settings\Application Data\dihvlq, along with the junk files in it.
Install and update Super Anti Spyware and reboot to Safe Mode. Then do a full scan, and see what it finds.

SUPERAntiSpyware.com - AntiAdware, AntiSpyware, AntiMalware!
http://www.superantispyware.com/
One of the best on the market (and it is free, although you can upgrade and get Real Time Protection). Under the Options, go to Scanning Control> and make sure it is set to the following.....
Ignore Files larger than 4MB - Unchecked
Ignore Non-Executable files - Unchecked
Ignore System Restore - Unchecked
Scan only known file types - Unchecked
Close Browsers before scanning - Checked
Scan for tracking cookies - Your choice
Terminate memory threats - Checked
Scan Alternate Data Streams - Checked
Use kernel Direct file access - Checked
Use kernel Direct registry access - Checked
Use Direct Disk Access -  Checked
Display scan option in Explorer -
LVL 66

Assisted Solution

by:johnb6767
johnb6767 earned 2000 total points
ID: 26288367
Oh, from above..."Display scan option in Explorer - Checked"...  :)
LVL 47

Expert Comment

by:rpggamergirl
ID: 26290031
O4 - HKLM\..\Run: [oarjilyj] C:\Documents and Settings\Steve\Local Settings\Application Data\dihvlq\jtcqsysguard.exe (This one is the main infection)
O4 - HKCU\..\Run: [oarjilyj] C:\Documents and Settings\Steve\Local Settings\Application Data\dihvlq\jtcqsysguard.exe (duplicate)


The above entries in Hijackthis are bad so you can fix those if it helps, but a lot of nasties also don't show up in the scan so that means there could be other nasties not showing in the log.

C:\Documents and Settings\Steve\Local Settings\Application Data\dihvlq <-- this folder needs to be deleted as Hijackthis does not delete directories.
But you also need to show hidden files and folders because that folder is hidden.

I would suggest fixing those entries, and letting the tools take care of the bad files by running the tools that are suggested already.
If using ComboFix, please attach the log here for us to analyze to make sure it's clean.


Check this link for ways of renaming tools when blocked by viruses. You need to rename them prior to saving the file; in MalwareBytes' case sometimes you also need to rename it after installation.

If you can't run .exes in an infected system:
http://www.experts-exchange.com/articles/Software/Internet_Email/Anti-Virus/CAN%27T-RUN-EXES-IN-AN-INFECTED-SYSTEM.html

Author Closing Comment

by:radioman-ct
ID: 31675793
Thanks very much! Great information and the fix worked just as described.

Author Comment

by:radioman-ct
ID: 26293229
Thanks to johnb6767.... I removed the lines from Hijackthis as described and the computer booted right back up and the infection was gone. Downloaded the super-antispyware and ran the scan. It found and fixed 88 other bits of malware. Upgraded the machine to my AVG Antivirus Network Edition and all is well. Thanks!
LVL 66

Expert Comment

by:johnb6767
ID: 26300454
Glad it wasn't a meaner malware...... Some of them are FUN to remove...

Author Comment

by:radioman-ct
ID: 26303391
Yes, absolutely. Thanks again for the info.