Nasty virus-help!

Folks, I'm stumped. Forgive me if this is rather long.

Running Windows XP sp2, IE Explorer, and Defenses originally were AVG, Hijack This, and Spybot. The problem started when AVG picked up a virus called obfustat.ACUA which infected files dgsetup.dll, dgsetupj.dll, and dgsetup.dll.bak in C:Windows/system32. At same time, Hijack This notes a BHO with no name and corresponding registry key.

AVG said it cleaned it, but it came up again. Tried a manual delete of the .dll after backup but access denied as file in use.

Tried next to delete the reg key and couldn't. After finding absolutely nothing on this virus, obfustat.ACUA, I did an update install over XP.

That done, did a scan with AVG and dgsetupj.dll still infected. Also HJT noted now a 020 Notify Winlogon-axrxxtjt-WINDOWS\SYSTEM32\dgsetupj.dll which according to them is not the method used when a .dll is loaded except if it's a trojan.

Switched to McAffe which picked up the Vondo trojan. Cleaned that, but it didn't pick up this infected .dll. Used UNLOCK THIS to see exactly how this file is in use, and got explorer.exe, winlogon.exe, and svchost.exe. Crap.

Tried again to knock out the reg key entry to see if that might help, but after both disabling BHO through IE properites and using WIN Utilities 5.3 system tools its still coming up in HJT.

Tried HJT and Killbox on the small chance the .dll might be deleted at start of reboot, but no dice. Just to make sure it wasn't rebuilding itself, I checked the DLLCACHE and while dgsetup.dll is listed, dgsetupj.dll is not. That, along with everything else, has me convinced I have a bug I can't get rid of except with a full reinstillation. I've tried half a dozen bug zapper, such as spyhunter and trojan hunter, and IBPROCMAN, but they can't kill it. It's just loading too early on boot.

If anyone has an idea, or a really, really good app I haven't tried it, it would be much appreciated. I'd be happy also if anyone could tell me this dgsetupj.dll and the associated activity is a legit windows function. Believe me I tried to find any mention of it, but if that's truly what it is I'll leave a happy idiot and go back to making macaroni pictures instead of talking tech.

James

 

dgsetup.dll is a legitimate windows file for .NET

http://www.webtropy.com/articles/dll-api.aspx?dll=dgsetup

dgsetupj.dll is probably the trojan as was noted in your reference.

The virus, obfustat.ACUA is noted here:

http://forums.digitaltrends.com/showthread.php?p=72306

Note a smiliarity: a legimitate file, dmband.dll and a trojan dmbandl.dll


Your best bet for help is one of the malware discussion forums, such as

http://forum.sysinternals.com/


----
rich

 

I suggest to post an HijackThis log at this forum (among others):

http://forum.aumha.org/

 

Hi!

Use these utilities in safe mode => http://www.atribune.org/ccount/click.php?id=4
http://secured2k.home.comcast.net/tools/VirtumundoBeGone.exe

Scan system with Eset Online Scanner => http://www.eset.com/onlinescan/index.php

Infected files you can remove with UnDLL => http://secit.sk/content/view/28/1/

 

Thanks for the advice folks. Tried the apps and a few other things and nope, couldn't get rid of the infected files. It just hit a .dll that loads too soon to catch. A full re-install finally did the trick.

Only thing I can add is how I "think" I caught it. Received an email from ebay saying I "might like this item" and being concerned a fraudulent account was opened clicked on the URL. Now according to Norton and McAfee a rash of fake ebay messages have been going around, except mine wasn't an obvious fishing attempt. That's what fooled me.

Thanks again for the response.

 

james.. Many other members may contradict me here, and claim what I sugest uses far too much memory or whatever but the fact is this, after you've used it to fix your problem, you dont have to keep it if you dont want, but why wouldnt you And the prgoram I'm talking about is..Webroot Spy Sweeper Regardless of what others say, this is the ONLY! Spyware program that will most certainly remove tha nasties, and restore your settings back to the way they were after it has detected and removed them I've tried others, but nevertheless, none work as good as Spy Sweeper