\\globalroot? can't be removed

I type netsh winsock reset into Run, I click OK: "C:\Windows\system32\netsh.exe   illegal operation attempted on a registry key that has been marked for deletion"

That shows...

Ignore it and restart?

Hi

Yes, just restart.

I have found someone else with the hjgrui rootkit (you had UAC too) who had AVG and Norton installed, conflicting the bits out of the PC with the drivers.

OK... well, I had to switch over to another computer to get back on because it seems something went quite wrong. I followed all those instructions, but after reboot I was unable to start Firefox (or IE for that matter). I get an error message saying "illegal operation attempted on registry key marked for deletion".

A couple other notes...

1. Unfortunately I forgot to turn off Windows Defender (which I had turned back on after using ComboFix the first time).

2. I got some sort of error right before the reboot required by ComboFix. It went away before I could read it. All I caught was "application" and "failed" and some file name with a 'p' in it.

3. I've also noticed that my desktop wallpaper is gone and the IE icon that I had removed from my desktop is back.


I'm praying I haven't lost Firefox and such from some terrible mishap. Please let me know what to do now.

Edit: In fact, now that I explore more... I can't open any files! They all give me the same error message. What's going on? DDDD:

Oh jeez... phew. I rebooted and everything appears to be fine now. Thank you. Do you have any idea what caused that?

Quads

YESSSSSSSSSSSSSSS HAHAHAHAHAHAH THANK YOU SO MUCH!!!!!!!

IT WORKED

THANK YOUUUU!!!

YOU THE BEST!

I'm truly grateful for what you've done!

Come back here; all we did was break the rootkit.

We have more to go.

Quads

Now try the AVG Removal tool while I script another program to test for and remove both rootkits' leftovers (like registry keys).

Quads

Oh dang, ahahaha, I thought it was done; turns out not. It was really late on my side, about 4am, so I grabbed the first chance to sleep.

OK, I'll try the AVG removal again and post the log.

Thank you very very much.

Definitely stick around until Quads says you are clean.  There was a lot to be done just getting access to what was needed.  Now things will move along better.

OK, AVG has been removed (can't be run or found), but it still remains in my Program Files.

Delete that?

Yeah, I just kind of jumped the gun.

I'm very glad that it will run smoother now.

But I have 3 questions right now:

1) Windows Firewall is off; turn it on? Or did Norton Firewall replace it, so they don't conflict with each other?

2) Windows Defender is also off; turn it on? Or did Norton replace it, so they don't conflict with each other?

3) Kind of unrelated, but Windows Update shows a Vista Service Pack 2; install now or later?

I saw these because Windows Security Alerts is red with a cross.

Hi

Do you mean you have this folder, "C:\Program Files\AVG\"?

Norton's Firewall is running instead of the Windows Firewall.

Quads

Yes, that's what I meant.

Hi

Some of the script is just to double check.

If you have Spybot S&D installed, remove it.

Also, during the restarts with Avenger, if your PC has a startup repair center like HP and Toshiba have, tell it to start normally if it kicks in.

1. Download Avenger to your desktop:

Unzipped version http://homepages.slingshot.co.nz/~crutches/Avenger/

OR the creator's website http://swandog46.geekstogo.com/avenger2/avenger2.html with the zipped version, to unzip to the desktop.

2. Click to run "Avenger.exe" (right-click, "Run as Administrator" if using Vista).

3. In "Input script here:", copy and paste the script between the lines:


Drivers to disable:
UACd.sys
hjgruibxaqewye

Drivers to delete:
UACd.sys
hjgruibxaqewye

Files to delete:
C:\WINDOWS\system32\drivers\UACisepifhvuqrcxlydp.sys
C:\WINDOWS\system32\drivers\hjgruiepsooypc.sys
C:\WINDOWS\system32\uacinit.dll
C:\WINDOWS\system32\hjgruiiarvkxlc.dat
C:\WINDOWS\system32\hjgruiosmctjuy.dll
C:\WINDOWS\system32\hjgruirfiuakwh.dat
C:\WINDOWS\system32\hjgruitnkgexkm.dll
C:\WINDOWS\system32\UACarnqrokvttdunrbqo.dat
C:\WINDOWS\system32\UACffqxobxbemgwvmwnc.dll
C:\WINDOWS\system32\uacinit.dll
C:\WINDOWS\system32\UACpihylqhwnegjmyxjy.db
C:\WINDOWS\system32\UACpnitbpurtsiqvyrvo.dll
C:\WINDOWS\system32\UACrqqsjvjqotfrumcos.dll
C:\WINDOWS\system32\UACtfmvxbmfdtpgmdcox.dll
C:\WINDOWS\system32\uactmp.db
C:\WINDOWS\system32\UACvscptgdvurpqwufnj.dll
C:\WINDOWS\Temp\hjgruiecmtfbaxwq.tmp
C:\WINDOWS\Temp\hjgruirdxpvnqbwm.tmp

Folders to delete:
C:\Program Files\AVG

Registry keys to delete:
HKEY_LOCAL_MACHINE\SOFTWARE\UAC
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UACd.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\UACd.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\UACd.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\UACd.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\UACd.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\UACd.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet006\Services\UACd.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet007\Services\UACd.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet008\Services\UACd.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet009\Services\UACd.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet010\Services\UACd.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet011\Services\UACd.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet012\Services\UACd.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hjgruibxaqewye
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\hjgruibxaqewye
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\hjgruibxaqewye
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\hjgruibxaqewye
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\hjgruibxaqewye
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\hjgruibxaqewye
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet006\Services\hjgruibxaqewye
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet007\Services\hjgruibxaqewye
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet008\Services\hjgruibxaqewye
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet009\Services\hjgruibxaqewye
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet010\Services\hjgruibxaqewye

Here is a screenshot (script updated since shot):

[Attachment: Avenger.jpg]

Make sure "Automatically disable any rootkits found" is NOT selected.

4. Click "Execute".

You will be asked to restart the PC; click "Yes". When the PC restarts, the load screen will take slightly longer, then when it looks as though Windows is loading, the PC will restart again.

Then, when Windows fully loads, the Avenger log will be loaded, showing files it could or could not find.

5. Restart the PC again, then see if you can install, update and run Malwarebytes: http://www.filehippo.com/download_malwarebytes_anti_malware/

Quads 
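Added example (not from the thread, and not part of Avenger or its author's tooling): a PowerShell check that parses an Avenger script in the format posted above and reports, after the Avenger reboot, which of its targets still exist. It enumerates whichever ControlSetNNN hives the machine actually has instead of hard-coding ControlSet001..012, checks any Services key the script lists under all of them, and deletes nothing. The embedded script is a constructed subset of the one posted; the function names are this example's own. Caveat: while a kernel rootkit is still loaded it can hide its own files and keys from user-mode APIs, which is why Avenger deletes at boot; a "not present" result here only means something once the driver no longer loads.

```powershell
# Added example: post-reboot leftover check for an Avenger script.
# Report-only (nothing is deleted). Run from an elevated PowerShell prompt.
# A loaded kernel rootkit can hide its files and keys from these calls, so run
# this after the Avenger reboot, not before.

# Constructed sample: a subset of the script posted in the thread, in Avenger's format.
$avengerScript = @'
Drivers to disable:
UACd.sys
hjgruibxaqewye

Drivers to delete:
UACd.sys
hjgruibxaqewye

Files to delete:
C:\WINDOWS\system32\drivers\UACisepifhvuqrcxlydp.sys
C:\WINDOWS\system32\drivers\hjgruiepsooypc.sys
C:\WINDOWS\system32\uacinit.dll
C:\WINDOWS\Temp\hjgruiecmtfbaxwq.tmp

Folders to delete:
C:\Program Files\AVG

Registry keys to delete:
HKEY_LOCAL_MACHINE\SOFTWARE\UAC
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UACd.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\hjgruibxaqewye
'@

# Split the script into its sections; a section header is a line ending in ':'.
function ConvertFrom-AvengerScript {
    param([string]$Text)
    $sections = @{}
    $current = $null
    foreach ($raw in ($Text -split "`r?`n")) {
        $line = $raw.Trim()
        if ($line -eq '') { continue }
        if ($line -match '^(.+):$') { $current = $Matches[1]; $sections[$current] = @(); continue }
        if ($current) { $sections[$current] += $line }
    }
    return $sections
}

# Every ControlSetNNN hive on this machine, plus CurrentControlSet.
function Get-ControlSetRoots {
    $roots = @('HKLM:\SYSTEM\CurrentControlSet')
    foreach ($sub in (Get-ChildItem -Path 'HKLM:\SYSTEM' -ErrorAction SilentlyContinue)) {
        if ($sub.PSChildName -match '^ControlSet\d{3}$') { $roots += "HKLM:\SYSTEM\$($sub.PSChildName)" }
    }
    return $roots
}

# One record per target: Test-Path works for both file-system and registry paths.
function New-Finding {
    param([string]$Kind, [string]$Item)
    [pscustomobject]@{ Kind = $Kind; Item = $Item; StillPresent = (Test-Path -LiteralPath $Item) }
}

function Test-AvengerLeftovers {
    param([hashtable]$Sections)
    $controlSets = Get-ControlSetRoots
    $findings = @()

    # Avenger driver entries are service names: look for the service key in each control set.
    $drivers = @($Sections['Drivers to disable']) + @($Sections['Drivers to delete']) |
        Where-Object { $_ } | Select-Object -Unique
    foreach ($name in $drivers) {
        foreach ($cs in $controlSets) { $findings += New-Finding 'driver' "$cs\Services\$name" }
    }

    foreach ($path in @($Sections['Files to delete']) + @($Sections['Folders to delete']) | Where-Object { $_ }) {
        $findings += New-Finding 'path' $path
    }

    foreach ($key in @($Sections['Registry keys to delete']) | Where-Object { $_ }) {
        $targets = @($key -replace '^HKEY_LOCAL_MACHINE\\', 'HKLM:\' -replace '^HKEY_CURRENT_USER\\', 'HKCU:\')
        # A key listed under one control set is checked under every control set present.
        if ($key -match '^HKEY_LOCAL_MACHINE\\SYSTEM\\(?:CurrentControlSet|ControlSet\d{3})\\(.+)$') {
            $rel = $Matches[1]
            $targets = $controlSets | ForEach-Object { "$_\$rel" }
        }
        foreach ($t in ($targets | Select-Object -Unique)) { $findings += New-Finding 'registry' $t }
    }
    return $findings
}

$report = Test-AvengerLeftovers (ConvertFrom-AvengerScript $avengerScript)
$report | Sort-Object StillPresent -Descending | Format-Table -AutoSize
$report | Where-Object { $_.StillPresent } | ForEach-Object { Write-Warning "Still present: $($_.Item)" }
```

Paste the full script from the post into the here-string to check every entry; anything reported as still present after the second reboot is what the follow-up tooling (the Malwarebytes scan and any further scripting) needs to deal with, and a driver key that reappears after deletion is a sign the rootkit is still loading.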

Windows was fully loaded; however, no log was displayed.

See if its log is there: "C:\Avenger.txt"

Quads

Yes, there is. I will upload it.

Install update?

I'll download Malwarebytes and run it; approved?

Hi

The rootkits are gone except any file in the ComboFix quarantine; you will also see the AVG folder is gone.

Now download, install, update and run a full scan with Malwarebytes.

When you start Malwarebytes, find the Update tab.

Quads

Message Edited by Quads on 08-06-2009 09:39 AM

Here is the result; remove them with Malwarebytes?

[Attachment: Untitled55.jpg]

[edit: Resized image.]

Message Edited by shannons on 08-05-2009 05:20 PM

OK, what you can do is, in Malwarebytes, click the "Save Log file" button, etc.

Quads

I removed them; they are now under the Quarantine tab of Malwarebytes.