I fought this little monster last night. Here is how I beat it.
I have a friend who called me over for pop ups and lockups on his Dell Inspiron desktop running Vista Home Premium. I went there with the old standards, HijackThis, CWShredder, MalwareBytes, combofix, vundofix, etc. I thought 30 minutes and I would be out. But this was no script kitty sissy drop loader, as I would soon find out.
When I arrived, I saw some of the usual malware suspects, Registry Mechanic, SpyDoctor, etc. I removed them and ran CCleaner to get the simple junk out of the way. Each time IE or FireFox was opened, AVG would find a Win32/Heur with c:\windows\system32\esqullmbxxxwlmxskyrfxoorreqtpqsqpf.dll as the affected file (this name would vary each time). Doing a search for it in Windows would yield no results, even with hidden files shown. Running AVG or MalwareBytes in normal mode would hard-lock the system. Running AVG in Safe Mode would not pick anything up, and MalwareBytes detected the same file, but under a different infection name, and would lock up again. So, knowing where these two files lived, I went to the Vista RE command prompt, searched for the files in system32, and deleted them. I figured I did not get the loader, so I rebooted and sure enough, the 2 dll files reloaded. I tried to track the file through process tracing, but it was completely stealth.
This is where it got furry.
After the 2nd reboot, I received the message at the desktop that “Windows security processor reported a system file mismatch”, reducing Windows functionality to where explorer would not start. I used the “get more information” link for the validation site to restart explorer.exe from the URL line, and left the functionality error up so the system would not reboot. I opened a command prompt and ran the cscript c:\system32\slmgr.vbs /ilc c:\System32\licensing\ppdlic\Security-Licensing-SLC-ppdlic.xrm-ms to force the product key entry to come back at the next reboot. Once rebooted, I entered the Dell provided product key and fixed that problem. Then I pulled out the big guns.
I ran RootRepeal and RootkitRevealer to track the hidden loader. RootkitRevealer found no stealth processes, but RootRepeal found the loader under the stealth section. It was hidden in the c:\windows\system32\drivers folder. It had the same esqulbrxxx**** name, but was a .sys file. I went back into the RE command prompt, navigated to the directory and got it, along with the 2 dll files it was creating. Rebooted 25 times, ran scans, all clear.
Basically, the loader and the files it creates can only be seen outside of the Windows environment. Just boot to the Vista DVD, choose repair my computer, click on Command Prompt. Type c: and press <Enter>. Then type cd \windows\system32\drivers and press <Enter>. Now type dir *esqu*.sys and press <Enter>. It will show the loader file by itself. Now type del followed by the filename you found and press <Enter>. Now type cd.. and press <Enter>. At the c:\windows\system32 prompt, type dir *esqu*.dll and press <Enter>. Follow the same step above to delete the two dll files you just found that were created by this loader. Reboot and you should be golden.
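The reason the files only show up from the Vista DVD is that the running kernel is lying about the directory contents; comparing a listing taken offline against one taken on the live system (a "cross-view" diff, the same idea RootRepeal's stealth section relies on) makes the hidden esqu* loader and its two dll files stand out. The script below is an added illustration, not code from the original post; the two listings and the esqul* file names in it are constructed samples.

```python
import fnmatch
import ntpath

# Constructed sample listings (not from the post). The first is what the
# Vista RE command prompt shows for system32 and system32\drivers; the second
# is what the infected, running Windows shows for the same directories.
# The rootkit filters its own driver and the two dlls out of the live view.
OFFLINE_LISTING = """\
c:\\windows\\system32\\drivers\\esqulbrxqwmfvzk.sys
c:\\windows\\system32\\drivers\\ndis.sys
c:\\windows\\system32\\esqullmbxxxwlmxskyrfxoorreqtpqsqpf.dll
c:\\windows\\system32\\esqulwqpkvtrpasf.dll
c:\\windows\\system32\\kernel32.dll
"""
LIVE_LISTING = """\
c:\\windows\\system32\\drivers\\ndis.sys
c:\\windows\\system32\\kernel32.dll
"""

# Patterns from the post: the loader is esqu*.sys, the dropped files esqu*.dll.
LOADER_PATTERNS = ("esqu*.sys", "esqu*.dll")


def parse_listing(text):
    """One full path per line; case-folded because NTFS names are case-insensitive."""
    return {line.strip().lower() for line in text.splitlines() if line.strip()}


def cross_view_diff(offline, live):
    """Paths present in the offline (trusted) view but absent from the live view."""
    return sorted(parse_listing(offline) - parse_listing(live))


def matches_loader_pattern(path, patterns=LOADER_PATTERNS):
    name = ntpath.basename(path)  # ntpath handles the backslashes on any OS
    return any(fnmatch.fnmatch(name, p) for p in patterns)


def find_hidden_loader_files(offline, live):
    """Hidden files that also match the esqu* naming the post describes."""
    return [p for p in cross_view_diff(offline, live) if matches_loader_pattern(p)]


if __name__ == "__main__":
    for path in find_hidden_loader_files(OFFLINE_LISTING, LIVE_LISTING):
        print("hidden from running Windows:", path)
```

Any file the diff reports is a candidate for the del step at the RE prompt; anything that is hidden but does not match the pattern deserves a look before deleting, since the rootkit can name new drops differently.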