New Trojan/Virus Can't be killed

April 2, 2009 at 17:26:38
Specs: Windows XP
I definitely have a virus. something keeps writing to HKLM\Software\...Run\

as soon as I delete the entry, it's re-written.
I'm running Sysinternals Registry Monitor and it's actually explorer.exe that's writing the entry.

I've uploaded my explorer.exe to VirusTotal and nothing is found.

The exe file that's running at startup shows up as a virus by only Microsoft on VirusTotal. So, I ran MS's free online tool, it supposedly eradicated it, but voilà, it's right back.

The reg entry name changes frequently, but currently it's something like: wximukogi, and it's running: rundll32.exe "C:\windows\uxucedojod.dll, e"
The virus also creates another entry in CurrentVersion with somewhat random letters and a bunch of strange entries. Looks Russian.

I've also compared my explorer.exe file to another machine, and it has the same MD5 checksum as the one from a machine that is not infected, so it appears it must be one of the support DLLs that explorer.exe is utilizing, but I haven't been able to trace it down.

No virus tools I've found have detected any viruses in the system, except Microsoft's.

Unfortunately there's another sneaky problem:
I currently have AVG 8.5 installed and cannot UNINSTALL it (as required to install MS Live) because the virus somehow has corrupted my registry (HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows cannot be deleted or written to. I've tried all the security tricks, Bart PE, everything... won't budge).

Another problem: at some point my System Restore points got hosed. So I can't go back!

This thing is really pernicious. I'm surprised none of the antivirus companies have detected it yet!

Currently, here's the symptom of the virus:
1) installs itself in registry to run
2) hijacks links in both IE and Firefox: go to a search engine, type in something, and click on a link and it takes you to some bogus site. Go back in browser, click the same link again and it now goes to the correct site.
3) apparently corrupts the registry so that a specific entry cannot be deleted or written to.
4) apparently removes system restore entry points.


April 3, 2009 at 08:17:27
Look for the Bitdefender online scanner. I had the same trouble and wasted 3 days with other scanners and spyware stuff, but Bitdefender did remove it, and it took about 9 hours.

I bought a Maxtor 40 GB drive in July 04 from a dealer in California and it died last week. I called Maxtor and they said online sales only have a 60 day warranty although there is nothing in their sale

April 3, 2009 at 12:34:19
Update: this appears to be a new variation of the win32/Hiloti.gen!A trojan/virus.

Bitdefender was not able to fix my strain of this virus.

Windows Defender today started recognizing this virus and ATTEMPTS to fix it, but to no avail... it keeps coming back.

I ran Procmon (sysinternals) to watch what process was recreating the virus:
Looks like Explorer.exe was opening a website, then moving a temp HTML file to the Windows directory and renaming it to *.dll.

Then explorer also puts the entry back into the registry.

Alas, I have found the solution.
Looking at the stack of the explorer process, there is a file the virus is using "ACNCPSE.DLL"... this file also has the Hiloti virus, and it is the ultimate culprit!

So... to fix:
1) rename ACNCPSE.DLL to *.DLLX (you can't delete it, since it's in use, but you can rename it)
2) Remove the RUN entry in the registry that points to some bogus dll "Rundll.exe xyzsldldld.dll"
3) restart windows
4) delete the ACNCPSE.DLL file

Hope that helps someone.
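The persistence pattern described in this thread (a Run value with a generated name that launches rundll32 on a DLL dropped straight into the Windows directory, exporting a one-letter function) can be checked for without relying on an AV signature. The script below is an added example, not code from the thread or from any vendor: it takes Run values as (name, data) pairs (the sample list is constructed here; on a live XP box you would read them from HKLM\Software\Microsoft\Windows\CurrentVersion\Run) and flags entries that match two or more of those indicators. The Windows root paths and the "generated name" heuristic are assumptions, not rules from the page.

```python
import ntpath
import re
from typing import NamedTuple

# Constructed sample of Run values (name, data). The first mirrors the entry
# quoted in the thread; the others are typical benign autostart entries.
SAMPLE_RUN_VALUES = [
    ("wximukogi", r'rundll32.exe "C:\windows\uxucedojod.dll, e"'),
    ("NvCplDaemon", r"RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup"),
    ("AVG8_TRAY", r'"C:\Program Files\AVG\AVG8\avgtray.exe"'),
    ("ctfmon.exe", r"C:\WINDOWS\system32\ctfmon.exe"),
]

# Matches "rundll32[.exe] <path>.dll,<export>" with or without the odd quoting seen above.
RUNDLL32_RE = re.compile(
    r'rundll32(?:\.exe)?\s+"?([^",]+?\.dll)"?\s*,\s*"?(\w+)"?', re.IGNORECASE
)
WINDOWS_ROOTS = {r"c:\windows", r"c:\winnt"}  # assumption: default XP install roots


class Finding(NamedTuple):
    name: str
    dll: str
    export: str
    reasons: tuple


def looks_generated(token: str) -> bool:
    """Heuristic (assumption): names like 'uxucedojod' are long, lowercase-only letter runs."""
    return len(token) >= 7 and token.isalpha() and token.islower()


def classify_run_value(name: str, data: str):
    """Return a Finding when a rundll32 Run value shows >= 2 indicators, else None."""
    m = RUNDLL32_RE.search(data)
    if not m:
        return None  # not a rundll32 launcher; out of scope for this check
    dll, export = m.group(1), m.group(2)
    reasons = []
    if ntpath.dirname(dll).lower().rstrip("\\") in WINDOWS_ROOTS:
        reasons.append("DLL sits directly in %SystemRoot%, not System32")
    if len(export) <= 2:
        reasons.append("export name is a one- or two-character token")
    if looks_generated(ntpath.splitext(ntpath.basename(dll))[0]):
        reasons.append("DLL base name looks generated")
    if looks_generated(name):
        reasons.append("Run value name looks generated")
    return Finding(name, dll, export, tuple(reasons)) if len(reasons) >= 2 else None


def find_suspicious(values):
    return [f for f in (classify_run_value(n, d) for n, d in values) if f]


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_RUN_VALUES):
        print(f"{f.name}: {f.dll},{f.export} -> {'; '.join(f.reasons)}")
```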
