Aces High Bulletin Board

General Forums => Hardware and Software => Topic started by: Stoney on February 09, 2011, 02:20:07 AM

Title: Malware?
Post by: Stoney on February 09, 2011, 02:20:07 AM
Ok, I've got this entry:  HKLM:Run   Amiwuguxavigame   rundll32.exe "C:\WINDOWS\usehijucivic.dll",Startup in my startup list.  I've tried CCleaner, MalwareBytes, MGAM, everything I can find that's supposed to be worthwhile to try and disable and remove this .dll and nothing works.  I delete it, and it shows up again.  Any idea what this is?  Google search turns up nothing.  I'm running Firefox for a web browser, Windows XP with SP3, with the most recent updates...
Title: Re: Malware?
Post by: Charge on February 09, 2011, 03:12:20 AM
At least in Vista there is a way to track down programs which use that DLL, and if the parent program monitors its presence in your system it is tracked too. My bet goes to some nasty bugger in your temp directory.

Have you tried rootkit detectors?

-C+
Title: Re: Malware?
Post by: Ghosth on February 09, 2011, 07:14:58 AM
You might try booting to a Linux distro from CD and then scan. Since it will no longer be protected under that OS, it will probably remove it.

I've done that a time or 2 when I had nasty ones that wouldn't be fixed any other way.
Most good Linux distros have a boot-from-CD option that has a built-in virus scanner.

Or if you're set up to dual boot you can use that to get around it.

FYI I seldom install Windows OS to C:/windows anymore, just because almost all bugs are written to look for it there. I may put a dummy or unused XP install there, but my main install will be on D:/. It's amazing sometimes how minor tricks like that can make a huge difference.

Title: Re: Malware?
Post by: NormH3 on February 09, 2011, 07:59:35 AM
After removing the thing, you might try running a system restore to back before the thing showed up. It sounds like it has embedded itself in the registry to respawn itself. This is assuming it is a bad guy and not part of some legit program you have installed.
Title: Re: Malware?
Post by: Stoney on February 09, 2011, 09:35:02 AM
Have you tried rootkit detectors?

-C+


MGAM is a rootkit detector, and it doesn't pick it up.  The thing that concerns me is that I can't find the file name on google searches--most of the time if I see something suspicious, I do a google search, and one of the anti-malware websites has a listing of all the known files out there.  I can't find anything about this one.  First serious issue I've had since I started using Firefox...
Title: Re: Malware?
Post by: MrRiplEy[H] on February 09, 2011, 09:56:30 AM
MGAM is a rootkit detector, and it doesn't pick it up.  The thing that concerns me is that I can't find the file name on google searches--most of the time if I see something suspicious, I do a google search, and one of the anti-malware websites has a listing of all the known files out there.  I can't find anything about this one.  First serious issue I've had since I started using Firefox...

Any more advanced virus will generate files with random names just for this purpose. You might have 5-10 more hidden in random locations.
Title: Re: Malware?
Post by: gpwurzel on February 09, 2011, 11:12:26 AM
Stoney, some links for Linux distro standalone virus/malware killers:
http://trinityhome.org/Home/index.php?wpid=113&front_id=12 Trinity Rescue Kit
http://www.avira.com/en/support-download-avira-antivir-rescue-system Avira (in case you can't get the virus killer updates for TRK)


Won't bother with Spybot S&D or Malwarebytes, as they are easy enough to find.

Hth,

Wurzel
Title: Re: Malware?
Post by: Denholm on February 09, 2011, 11:13:38 AM
After removing the thing, you might try running a system restore to back before the thing showed up. It sounds like it has embedded itself in the registry to respawn itself. This is assuming it is a bad guy and not part of some legit program you have installed.
A lot of bugs (especially sophisticated bugs) will embed themselves in the restore point before proceeding to destroy your computer. Perhaps the worst thing you can do is attempt a restore.

I know it's another half-empty solution. Yet give AVG Anti-Rootkit Free a shot. I've used it in the past and had some decent results. No, it does not install AVG to your system.

http://www.softpedia.com/get/Antivirus/AVG-Anti-Rootkit.shtml
Title: Re: Malware?
Post by: gpwurzel on February 09, 2011, 11:19:05 AM
And a link to an online scanner (if you trust such things)

http://www.f-secure.com/en_US/downloads/ (left hand side, middle link)

Wurzel
Title: Re: Malware?
Post by: Stoney on February 09, 2011, 12:55:06 PM
Just an update as I continue to work on this...

Found this file in my Temp directory: perflib_perfdata_614.dat. Can't delete this file at all with any of my utilities, and from a Google search it looks like it's a known rootkit, or maybe a Windows file?

For Ghost and GPwurzel, I don't have any experience with Linux.  Are those applications self-contained or do I need to install Linux first, then run them?

(GPwurzel) Just saw you're in the Stumps--USMC?

Title: Re: Malware?
Post by: Bizman on February 09, 2011, 01:02:47 PM
F-Secure also has a downloadable Linux based bootable Rescue-CD (http://www.f-secure.com/en_EMEA-Labs/security-threats/tools/rescue-cd/). I suppose it should do even better with rootkits than Avira's one. Depends mostly on hardware which one to choose. After that I'd run Anti Malware (http://www.techspot.com/downloads/4716-malwarebytes-anti-malware.html) in Safe Mode with Networking. And after that I'd run some online scans, still in Safe Mode. Eset (http://www.eset.com/online-scanner) has a good one working also on Java instead of ActiveX (So does F-Secure's one, too), BitDefender (http://www.bitdefender.com/scanner/online/free.html) may find what others ignore. There's a bunch of others, too, like TrendMicro Housecall (http://housecall.trendmicro.com/). Last, in normal Windows, I'd run Microsoft's Live One Care (http://onecare.live.com/).
Title: Re: Malware?
Post by: Bizman on February 09, 2011, 01:03:27 PM
Can't modify... Quoting myself looked kinda stupid adding only one word  :bolt:
Title: Re: Malware?
Post by: NormH3 on February 09, 2011, 01:08:08 PM
Just an update as I continue to work on this...

Found this file in my Temp directory: perflib_perfdata_614.dat. Can't delete this file at all with any of my utilities, and from a Google search it looks like it's a known rootkit, or maybe a Windows file?

For Ghost and GPwurzel, I don't have any experience with Linux.  Are those applications self-contained or do I need to install Linux first, then run them?

(GPwurzel) Just saw you're in the Stumps--USMC?


It's an OS-created file:
http://techsalsa.com/information-on-perflib_perfdatadat-files-stored-in-local-temp-folder/
Title: Re: Malware?
Post by: Stoney on February 09, 2011, 01:11:37 PM
It's an OS-created file:
http://techsalsa.com/information-on-perflib_perfdatadat-files-stored-in-local-temp-folder/

Ah, ok. Probably not the cause of the original .dll file then.
Title: Re: Malware?
Post by: Denholm on February 09, 2011, 01:59:27 PM
Stoney, regarding your question about Linux, you have two options.

1. You can generate a LiveCD. Basically, this is an OS installer in which you download a bootable ISO from a website such as www.linuxmint.com and burn it to a CD. Afterward, you boot from the disc and it automatically loads Linux without installing anything. The benefit is that you have a GUI interface (similar to Mac) where you can open your Windows partition and remove any file you wish. In short, a temporary operating system which goes away after a restart.

2. After burning a LiveCD, you can re-partition your hard drive and install Linux.

Choice 1 is far better as it's less labor-intensive and reaps the same results.
Title: Re: Malware?
Post by: Ghosth on February 09, 2011, 03:29:42 PM
TY Denholm. Many Linux distros come with a boot-from-CD option which includes basic functionality, including good virus scanners. Because you're running off a temp OS, the files in question are not protected, rendering them easier to dispose of.

Ubuntu is one such, but there are many to choose from.

Title: Re: Malware?
Post by: Stoney on February 10, 2011, 01:27:26 AM
Ok, I've got a boot disk that I made tonight.  The TRK had a lot of utilities available.  How can I get into the start menu to delete that file, or will one of those anti-virus utilities pick it up?  I ran one scan that took over 4 hours before I interrupted it.  Looks like my old system restore files took the majority of the time to scan.  Can I just go erase those except for the last few?
Title: Re: Malware?
Post by: Denholm on February 10, 2011, 06:24:33 AM
You can erase start menu entries by looking in two separate folders. Chances are, it's in the "All Users" portion of the Start Menu, yet you may want to check your private portion of the Start Menu.

To check the "All Users" portion of Start Menu, browse to:
[your disk label]\Documents and Settings\All Users\Start Menu\Programs

To check your private portion of the Start Menu, browse to:
[your disk label]\Documents and Settings\[your user name]\Start Menu\Programs


Hopefully this helps.
Title: Re: Malware?
Post by: Charge on February 10, 2011, 08:08:55 AM
I still suggest you track down which files use that DLL. It may not have anything to do with a virus, but it may be a vital component of a running program which starts it again if it sees it's missing. I think many Windows components are able to do that too.

You could also do a search and find the file and change its name to xxx.OLD. If it is created again then it is possibly created by a virus, but if it does not you may find that some program you use does not work anymore in which case you have found the parent to that DLL. Then just change the file name back to xxx.DLL.

I once had a difficult virus and, as Ripley said, the parent program changed its name constantly, so if you deleted the parent it was soon in the system again under a different name. In a way the virus was always in a piggyback mode: the actual virus had a backup running which knew the name of the running file, which was the parent to several DLLs, and if the running file was deleted the backup activated and created the EXEs and DLLs and a backup with a random name, which again ensured that if the parent was destroyed the virus itself would survive. I saw it in its working directory as a newly created file but didn't realize what it was until later.

-C+
Title: Re: Malware?
Post by: Stoney on February 10, 2011, 09:23:32 AM
Here's the listing in the startup menu:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>

@Amiwuguxavigamerundll32.exe "C:\WINDOWS\usehijucivic.dll",Startup = rundll32.exe "C:\WINDOWS\usehijucivic.dll",Startup
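As an added example (not code from the thread or from any tool mentioned in it), a small Python check that reads Run-key entries in the "name = command" form listed above and flags the two traits the posters point at: rundll32 loading a DLL straight out of the Windows directory, and pseudo-random names for both the value and the DLL. The sample entries other than the first one, the vowel/consonant alternation heuristic and its thresholds are my own constructions and assumptions.

```python
import re

# Constructed sample in the "name = command" form the thread shows: the first
# entry is the one from the post, the other two are made-up benign entries.
SAMPLE_RUN_ENTRIES = """\
Amiwuguxavigame = rundll32.exe "C:\\WINDOWS\\usehijucivic.dll",Startup
SoundMAX = "C:\\Program Files\\Analog Devices\\SoundMAX\\SMax4PNP.exe"
NvCplDaemon = RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup
"""
# rundll32[.exe] <dll path>,<entry point>; the DLL path may be quoted.
RUNDLL_RE = re.compile(r'^\s*"?rundll32(?:\.exe)?"?\s+"?([^",]+?)"?\s*,\s*(\S+)', re.I)

def rundll32_target(command):
    """(dll_path, entry_point) when the command launches rundll32, else None."""
    m = RUNDLL_RE.match(command)
    return (m.group(1), m.group(2)) if m else None

def looks_generated(name, min_len=10, min_alternation=0.9):
    """Heuristic (my assumption, not a rule from the thread): generated
    pronounceable names alternate vowel/consonant almost perfectly, while
    real product names usually contain clusters such as 'Cpl' or 'nd'."""
    letters = [c for c in name.lower() if c.isalpha()]
    if len(letters) < min_len:
        return False
    vowel = [c in "aeiou" for c in letters]
    flips = sum(a != b for a, b in zip(vowel, vowel[1:]))
    return flips / (len(letters) - 1) >= min_alternation

def audit_run_entries(text):
    """Return [(value_name, [reasons])] for Run entries worth a closer look."""
    findings = []
    for line in text.splitlines():
        if "=" not in line:
            continue
        name, command = (s.strip() for s in line.split("=", 1))
        reasons = []
        if looks_generated(name):
            reasons.append("value name looks machine-generated")
        target = rundll32_target(command)
        if target:
            parts = target[0].lower().split("\\")  # e.g. ['c:', 'windows', 'x.dll']
            if looks_generated(parts[-1].rsplit(".", 1)[0]):
                reasons.append("DLL file name looks machine-generated")
            if len(parts) >= 2 and parts[-2] == "windows":
                reasons.append("DLL sits in the Windows root, not system32")
        if reasons:
            findings.append((name, reasons))
    return findings
```

Run it over the sample and only the first entry comes back, with all three reasons; the heuristic is a triage aid, so a hit means "look closer", not "malware".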
Title: Re: Malware?
Post by: MrRiplEy[H] on February 10, 2011, 09:44:10 AM
Here's the listing in the startup menu:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>

@Amiwuguxavigamerundll32.exe "C:\WINDOWS\usehijucivic.dll",Startup = rundll32.exe "C:\WINDOWS\usehijucivic.dll",Startup

I'd nuke it from orbit. I hope you have backups.
Title: Re: Malware?
Post by: Stoney on February 10, 2011, 10:25:06 AM
You can erase start menu entries by looking in two separate folders. Chances are, it's in the "All Users" portion of the Start Menu, yet you may want to check your private portion of the Start Menu.

To check the "All Users" portion of Start Menu, browse to:
[your disk label]\Documents and Settings\All Users\Start Menu\Programs

To check your private portion of the Start Menu, browse to:
[your disk label]\Documents and Settings\[your user name]\Start Menu\Programs


Hopefully this helps.

I don't see it listed in either of those folders...
Title: Re: Malware?
Post by: Stoney on February 10, 2011, 10:35:43 AM
Final update:  I was finally able to find the file and delete it.  Upon reboot, it did not return to my start menu.

Thanks everyone for the help.
Title: Re: Malware?
Post by: gpwurzel on February 10, 2011, 11:17:31 AM
Just an update as I continue to work on this...

Found this file in my Temp directory: perflib_perfdata_614.dat. Can't delete this file at all with any of my utilities, and from a Google search it looks like it's a known rootkit, or maybe a Windows file?

For Ghost and GPwurzel, I don't have any experience with Linux.  Are those applications self-contained or do I need to install Linux first, then run them?

(GPwurzel) Just saw you're in the Stumps--USMC?



Sorry Stoney, just woke up and saw this. TRK runs from its own engine, so no need to install Linux first. And yep, I'm in the Stumps, but not USMC (English expat, ex Royal Navy). It's a long long story lol......


Wurzel
Title: Re: Malware?
Post by: MrRiplEy[H] on February 10, 2011, 11:38:09 AM
Final update:  I was finally able to find the file and delete it.  Upon reboot, it did not return to my start menu.

Thanks everyone for the help.

I wouldn't trust any computer that has had suspicious files and someone just manually deleted the most likely cause. There could be 10 others hidden. This is exactly how computer botnets grow, people continuing to use the machines even after discovering that it's compromised.

Of course you can go ahead and trust it's gone. I hope you don't do banking over internet or anything important on it though ;)
Title: Re: Malware?
Post by: Stoney on February 10, 2011, 03:19:36 PM
I wouldn't trust any computer that has had suspicious files and someone just manually deleted the most likely cause. There could be 10 others hidden. This is exactly how computer botnets grow, people continuing to use the machines even after discovering that it's compromised.

Of course you can go ahead and trust it's gone. I hope you don't do banking over internet or anything important on it though ;)

I've scanned my rig with everything I can get my hands on, and now it's showing clean. The scans were showing clean even when this one file was still there. Anyway, there's nothing nefarious going on with my rig right now, so I can't do anything other than assume that it's clean. Unless someone knows of something else I should do?
Title: Re: Malware?
Post by: Denholm on February 10, 2011, 03:24:31 PM
The recommendation is to reformat your computer. Basically, you wipe the hard drive clean and re-install Windows. This procedure removes all malicious software in one sweep.

Yes, your personal files will be lost during this procedure, thus the comments regarding backups.
Title: Re: Malware?
Post by: Stoney on February 10, 2011, 03:32:47 PM
The recommendation is to reformat your computer. Basically, you wipe the hard drive clean and re-install Windows. This procedure removes all malicious software in one sweep.

Yes, your personal files will be lost during this procedure, thus the comments regarding backups.

Well, I can transfer my personal files to backup CDs / USB and then do it. Since most of this stuff lies around in the registry and other system components of Windows, just backing up the files should be ok, right? No chance the malware gets transferred over into the normal files? (pictures, documents, etc.)
Title: Re: Malware?
Post by: Denholm on February 10, 2011, 03:37:42 PM
The chances are low. I'd give it a shot.
Title: Re: Malware?
Post by: cattb on February 10, 2011, 04:33:10 PM
Just a suggestion: if you (Stoney) reformat, make a shadow or an image of your new install. In fact make a couple, like one with and one without updates to the OS.
Do regular backups of your data after up and running. (Keydrive,Extra HD, whatever)
Now you'll be ready for future problems like malware or component failure in your computer as examples.