Can't get rid of Trojan : hjgruityvtsoaw.dll !

[bab]

Hello,

Kapersky and other antiviruses found this trojan - hjgruityvtsoaw.dll - in memory, but none was able to remove it.

Can you help ?

Many thanks.

Babouin

[Rene-gad]

Switch off/Disable:
- Antivirus and and, if you have - Firewall.
- System Restore

- Execute following script in Manual Cure

Код:

begin
SearchRootkit(true, true);
SetAVZGuardStatus(True);
 StopService('eqgudxweblioarw');
 QuarantineFile('C:\WINDOWS\system32\drivers\qeupa.sys','');
 QuarantineFile('%systemroot%\system32\hjgruityvtsoaw.dll','');
 QuarantineFile('O:\autorun.inf','');
 QuarantineFile('N:\autorun.inf','');
 QuarantineFile('M:\autorun.inf','');
 QuarantineFile('H:\autorun.inf','');
 DeleteFile('O:\autorun.inf');
 DeleteFile('N:\autorun.inf');
 DeleteFile('M:\autorun.inf');
 DeleteFile('H:\autorun.inf');
 DeleteFile('%systemroot%\system32\hjgruityvtsoaw.dll');
 DeleteFile('C:\WINDOWS\system32\drivers\qeupa.sys');
 DeleteService('eqgudxweblioarw');
BC_ImportAll;
ExecuteSysClean;
BC_DeleteSvc('eqgudxweblioarw');
BC_Activate;
SetAVZPMStatus(True);
RebootWindows(true);
end.

After reboot execute following script in Manual Cure

Код:

begin
CreateQurantineArchive('C:\quarantine.zip');
end.

- Remove Bonjour
- Clean Temp-Maps, Cache of Browsers, Recycler. Use Windows service tool cleanmgr or CCleaner or ClearProg
- Close all the programs and start only Internet Explorer!!!
- Repeat a log file.
- Switch Antivirus and, if you have - Firewall, on.
- Go On-Line
- Upload the C:\quarantine.zip over the link Upload quarantined files on the top of this page.
- Attach a log to your new post..

[bab]

Hello,

I have performed your instructions step by step.
I have uploaded the quarantine file and the new log is attached to this message.

After scanning, I still get the message :
not found: Trojan program Trojan.Win32.Agent.crez File: globalroot\systemroot\system32\hjgruityvtsoaw.dll

Thanks for your help.

Babouin

[Rene-gad]

It's a wrong log. You have to make the same actions as by your 1st post - the result should be a new avptool_syscheck.zip.
Additionally make a GMER log file--- www.gmer.net: download->run the tool -> press SCAN->wait (possibly 2-3 hours) ->press SAVE - >saved logfile attach here.

[bab]

I have done it all again.
- quarantine uploaded
- log file attached

GMER currently running. Log file will be posted within 2 hours.

Please note that I cannot disable system restore. The checkbox is unchecked and greyed (although logged as admin...).

[bab]

And now GMER's log file.

[Rene-gad]

Switch off/Disable:
- Antivirus and and, if you have - Firewall.
- System Restore

- Execute following script in Manual Cure

Код:

begin
SearchRootkit(true, true);
SetAVZGuardStatus(True);
ClearQuarantine;
 StopService('hjgruipqmlxyid');
 QuarantineFile('c:\windows\system32\drivers\hjgruiegkenxfd.sys','');
 QuarantineFile('c:\windows\system32\hjgruityvtsoaw.dll','');
 QuarantineFile('c:\windows\system32\nmsaccessu.exe','');
 QuarantineFile('C:\WINDOWS\system32\hjgruippcaoebc.dll','');
 QuarantineFile('C:\WINDOWS\system32\hjgruintyhfgvi.dat','');  
 QuarantineFile('C:\WINDOWS\system32\hjgruiysltoxul.dat',''); 
 RegKeyParamDel('HKLM','SYSTEM\CurrentControlSet\Services','hjgruipqmlxyid');
 RegKeyParamDel('HKLM','SYSTEM\ControlSet005\Services','hjgruipqmlxyid');
 DeleteFileMask('C:\WINDOWS\system32','hjgrui*.*',false);
 DeleteFileMask('C:\WINDOWS\system32\drivers','hjgrui*.*',false);
 DeleteService('hjgruipqmlxyid');
BC_ImportAll;
ExecuteSysClean;
BC_DeleteSvc('hjgruipqmlxyid');
BC_Activate;
SetAVZPMStatus(True);
RebootWindows(true);
end.

After reboot execute following script in Manual Cure

Код:

begin
CreateQurantineArchive('C:\quarantine.zip');
end.

- Clean Temp-Maps, Cache of Browsers, Recycler. Use Windows service tool cleanmgr or CCleaner or ClearProg
- Close all the programs and start only Internet Explorer!!!
- Make the new log files avptool_syscheck.zip + gmer.
- Switch Antivirus and, if you have - Firewall, on.
- Go On-Line
- Upload the C:\quarantine.zip over the link Upload quarantined files on the top of this page.
- Attach the logs to your new post..

[bab]

Quarantine posted. Avptool_syscheck.zip attached.
GMER coming soon...

No effect when clicking on the attachment icon...

Добавлено через 1 минуту

Same when I click on "Manage attachments" !

Sorry. Here it is.

[Rene-gad]

Sorry. Here it is.

GMER log seems to be very small... Have you really SCANNED your system? If YES - it's very good.

Let ONLY ONE antivirus on your system, such tools as A-squared are not really necessary and TuneUp is NOT NECESSARY AT ALL- remove it, please.

Clean Task Sheduler.

[bab]

Everything looks clean, now.
Thanks a lot for your help, Rene, I'm very grateful. Your latest script was the good one.
Have a nice day.

Babouin