Author Topic: Malware?  (Read 1549 times)

Ghosth
Re: Malware?
« Reply #15 on: February 09, 2011, 03:29:42 PM »
TY Denholm. Many Linux distros come with a boot-from-CD option which includes basic functionality, including good virus scanners. Because you're running off a temporary OS, the files in question are not protected, rendering them easier to dispose of.

Ubuntu is one such, but there are many to choose from.


Stoney
Re: Malware?
« Reply #16 on: February 10, 2011, 01:27:26 AM »
Ok, I've got a boot disk that I made tonight.  The TRK had a lot of utilities available.  How can I get into the start menu to delete that file, or will one of those anti-virus utilities pick it up?  I ran one scan that took over 4 hours before I interrupted it.  Looks like my old system restore files took the majority of the time to scan.  Can I just go erase those except for the last few?
"Can we be incorrect at times, absolutely, but I do believe 15 years of experience does deserve a little more credence and respect than you have given from your very first post."

HiTech

Denholm
Re: Malware?
« Reply #17 on: February 10, 2011, 06:24:33 AM »
You can erase start menu entries by looking in two separate folders. Chances are, it's in the "All Users" portion of the Start Menu, yet you may want to check your private portion of the Start Menu.

To check the "All Users" portion of Start Menu, browse to:
[your disk label]\Documents and Settings\All Users\Start Menu\Programs

To check your private portion of the Start Menu, browse to:
[your disk label]\Documents and Settings\[your user name]\Start Menu\Programs


Hopefully this helps.
Get your Daily Dose of Flame!
FlameThink.com
No. 603 Squadron... Visit us on the web, if you dare.

Drug addicts are always disappointed after eating Pot Pies.

Charge
Re: Malware?
« Reply #18 on: February 10, 2011, 08:08:55 AM »
I still suggest you track down which files use that DLL. It may not have anything to do with a virus, but it may be a vital component of a running program that starts it again if it sees it's missing. I think many Windows components are able to do that too.

You could also do a search, find the file and change its name to xxx.OLD. If it is created again then it is possibly created by a virus, but if it is not, you may find that some program you use does not work anymore, in which case you have found the parent of that DLL. Then just change the file name back to xxx.DLL.

I once had a difficult virus and, as Ripley said, the parent program changed its name constantly, so if you deleted the parent it was soon back in the system with a different name. In a way the virus was always in a piggyback mode, so that the actual virus had a backup running which knew the name of the running file, which was the parent to several DLLs, and if the running file was deleted the backup activated and created the EXEs and DLLs and a backup with a random name, which again ensured that if the parent was destroyed the virus itself would survive. I saw it in its working directory as a newly created file but didn't realize what it was until later.

-C+
"When you wish upon a falling star, your dreams can come true. Unless it's really a giant meteor hurtling to the earth which will destroy all life. Then you're pretty much screwed no matter what you wish for. Unless of course, it's death by meteorite."

Stoney
Re: Malware?
« Reply #19 on: February 10, 2011, 09:23:32 AM »
Here's the listing in the startup menu:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>

@Amiwuguxavigamerundll32.exe "C:\WINDOWS\usehijucivic.dll",Startup = rundll32.exe "C:\WINDOWS\usehijucivic.dll",Startup
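An added example, not code from the thread: a PowerShell script that walks the Run keys in Stoney's listing and the Startup subfolders of the two Start Menu locations Denholm pointed to, and flags any entry that launches rundll32.exe with a DLL, reporting whether that DLL is signed. The registry paths, folder paths and the rundll32 pattern are assumptions modelled on the listing above; it only reports and changes nothing.

```powershell
# Added example (not from the thread). Assumes Windows PowerShell 2.0+ and the
# XP-era profile layout the thread uses; run from an elevated prompt.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
$startupDirs = @(
    "$env:ALLUSERSPROFILE\Start Menu\Programs\Startup",
    "$env:USERPROFILE\Start Menu\Programs\Startup"
)

function Test-RunDll32Entry {
    param([string]$Command)
    # Matches the shape in the listing: rundll32.exe "C:\WINDOWS\name.dll",Entry
    # (the DLL path may be quoted or not; the comma starts the export name).
    if ($Command -match 'rundll32(\.exe)?\s+"?([^",]+\.dll)"?\s*,') {
        $dll = $Matches[2]
        $sig = if (Test-Path -LiteralPath $dll) {
            (Get-AuthenticodeSignature -FilePath $dll).Status   # e.g. Valid / NotSigned
        } else { 'Missing' }
        return New-Object PSObject -Property @{ Dll = $dll; Signature = $sig }
    }
    return $null
}

# 1. Registry Run keys: every value is a command line run at logon.
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own PSPath etc.
        $hit = Test-RunDll32Entry -Command ([string]$p.Value)
        if ($hit) {
            Write-Output ("{0}\{1} -> {2} (signature: {3})" -f $key, $p.Name, $hit.Dll, $hit.Signature)
        }
    }
}

# 2. Startup folders: resolve each .lnk to its target and arguments.
$shell = New-Object -ComObject WScript.Shell
foreach ($dir in $startupDirs) {
    if (-not (Test-Path $dir)) { continue }
    Get-ChildItem -Path $dir -Filter *.lnk | ForEach-Object {
        $lnk = $shell.CreateShortcut($_.FullName)
        $hit = Test-RunDll32Entry -Command ("{0} {1}" -f $lnk.TargetPath, $lnk.Arguments)
        if ($hit) {
            Write-Output ("{0} -> {1} (signature: {2})" -f $_.FullName, $hit.Dll, $hit.Signature)
        }
    }
}
```

An unsigned DLL with a random-looking name sitting directly in the Windows folder, as in the listing, is what the output makes easy to spot; a DLL that reappears after removal points to a parent process, which is the check Charge describes.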

MrRiplEy[H]
Re: Malware?
« Reply #20 on: February 10, 2011, 09:44:10 AM »
> Here's the listing in the startup menu:
>
> HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
>
> @Amiwuguxavigamerundll32.exe "C:\WINDOWS\usehijucivic.dll",Startup = rundll32.exe "C:\WINDOWS\usehijucivic.dll",Startup

I'd nuke it from orbit. I hope you have backups.
Definiteness of purpose is the starting point of all achievement. –W. Clement Stone

Stoney
Re: Malware?
« Reply #21 on: February 10, 2011, 10:25:06 AM »
> You can erase start menu entries by looking in two separate folders. Chances are, it's in the "All Users" portion of the Start Menu, yet you may want to check your private portion of the Start Menu.
>
> To check the "All Users" portion of Start Menu, browse to:
> [your disk label]\Documents and Settings\All Users\Start Menu\Programs
>
> To check your private portion of the Start Menu, browse to:
> [your disk label]\Documents and Settings\[your user name]\Start Menu\Programs
>
> Hopefully this helps.

I don't see it listed in either of those folders...

Stoney
Re: Malware?
« Reply #22 on: February 10, 2011, 10:35:43 AM »
Final update:  I was finally able to find the file and delete it.  Upon reboot, it did not return to my start menu.

Thanks everyone for the help.

gpwurzel
Re: Malware?
« Reply #23 on: February 10, 2011, 11:17:31 AM »
> Just an update as I continue to work on this...
>
> Found this file in my Temp directory:  perflib_perfdata_614.dat  Can't delete this file at all with any of my utilities, and from a google search it looks like it's a known rootkit, or maybe a Windows file?
>
> For Ghost and GPwurzel, I don't have any experience with Linux.  Are those applications self-contained or do I need to install Linux first, then run them?
>
> (GPwurzel) Just saw you're in the Stumps--USMC?

Sorry Stoney, just woke up and saw this - TRK runs from its own engine, so no need to install Linux first. And yep, I'm in the Stumps, but not USMC (English expat - ex Royal Navy). It's a long long story lol......


Wurzel
I'm the worst pilot ingame ya know!!!

It's all unrealistic crap requested by people who want pie in the sky actions performed without an understanding of how things work and who can't grasp reality.


MrRiplEy[H]
Re: Malware?
« Reply #24 on: February 10, 2011, 11:38:09 AM »
> Final update:  I was finally able to find the file and delete it.  Upon reboot, it did not return to my start menu.
>
> Thanks everyone for the help.

I wouldn't trust any computer that has had suspicious files and someone just manually deleted the most likely cause. There could be 10 others hidden. This is exactly how computer botnets grow, people continuing to use the machines even after discovering that it's compromised.

Of course you can go ahead and trust it's gone. I hope you don't do banking over internet or anything important on it though ;)

Stoney
Re: Malware?
« Reply #25 on: February 10, 2011, 03:19:36 PM »
> I wouldn't trust any computer that has had suspicious files and someone just manually deleted the most likely cause. There could be 10 others hidden. This is exactly how computer botnets grow, people continuing to use the machines even after discovering that it's compromised.
>
> Of course you can go ahead and trust it's gone. I hope you don't do banking over internet or anything important on it though ;)

I've scanned my rig with everything I can get my hands on, and now it's showing clean.  The scans were showing clean even when this one file was still there.  Anyway, there's nothing nefarious going on with my rig right now, so I can't do anything other than assume that it's clean.  Unless someone knows of something else I should do?

Denholm
Re: Malware?
« Reply #26 on: February 10, 2011, 03:24:31 PM »
The recommendation is to reformat your computer. Basically, you wipe the hard drive clean and re-install Windows. This procedure removes all malicious software in one sweep.

Yes, your personal files will be lost during this procedure, thus the comments regarding backups.

Stoney
Re: Malware?
« Reply #27 on: February 10, 2011, 03:32:47 PM »
> The recommendation is to reformat your computer. Basically, you wipe the hard drive clean and re-install Windows. This procedure removes all malicious software in one sweep.
>
> Yes, your personal files will be lost during this procedure, thus the comments regarding backups.

Well, I can transfer my personal files to backup CDs / USB and then do it.  Since most of this stuff lies around in the registry and other system components of Windows, just backing up the files should be OK, right?  No chance the malware gets transferred over into the normal files? (pictures, documents, etc.)

Denholm
Re: Malware?
« Reply #28 on: February 10, 2011, 03:37:42 PM »
The chances are low. I'd give it a shot.

cattb
Re: Malware?
« Reply #29 on: February 10, 2011, 04:33:10 PM »
Just a suggestion: if you (Stoney) reformat, make a shadow or an image of your new install. In fact make a couple, like one with and one without updates to the OS.
Do regular backups of your data after you're up and running (key drive, extra HD, whatever).
Now you'll be ready for future problems like malware or component failure in your computer, as examples.
:Salute Easy8 EEK GUS Betty