Can't run virus/spyware/adware scans, Firefox, IE, etc.

Discussion in 'Windows - Virus and spyware problems' started by SinRama, Aug 30, 2009.

  1. SinRama

    SinRama Member

    Joined:
    Aug 30, 2009
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    11
    Windows XP Pro SP3
    Dell Inspiron 530
    Intel Core2 Quad - Q660@2.4

    Just got attacked with a bad virus. Froze everything. Ran a scan with AVGFree, froze again and started up with pop-ups - Windows Police Pro. Finally stopped that and got rid of it(hopefully).

    Very new to all this. I usually fix things by looking at other threads but no use.

    I deleted a.exe, b.exe, c.exe, d.exe out of Temp folder. Deleted Win Police Pro where ever I could find it. Everything seemed back to normal but programs would not work. Downloaded "EXE (lnk and regfile) Fix for Windows XP". Everything works again except for
    - Firefox - (never opens)
    - IE - (opens then closes quickly)
    - Google desktop sidebar
    - AVG - doesn't scan
    - Ad-Aware "Failed to connect to service"
    - Spybot "Windows cannot access the specified device...May not have the appropriate permissions..."
    - Adware Away (same as spybot)
    - Online scans don't work either - AVG won't close or uninstall.

    - and finally Hijackthis. 2.0 would not start. 1.9 starts but as soon as it finishes the scan, it disappears and won't open again. Same message as Spybot & Adware Away.

    I run it from my thumb and am able to freeze and printscreen so this is all I have.

    I'm very sorry for being a novice at this but gotta get this up and running as soon as possible. Art computer at work. Thanks for any suggestions. First time ever posting anywhere.

    [​IMG]
    [​IMG]
     
  2. SinRama

    SinRama Member

    Joined:
    Aug 30, 2009
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    11
    **UPDATE**
    Firefox & IE are now working!
    Still can't run Virus/spyware scanners. Tried uninstalling AVG in SafeMode but would not finish uninstalling.
    AVG errors keep popping up in normal mode. Don't think it's on.
    I did manage to get this from HijackThis(not sure if it helps):

    StartupList report, 8/31/2009, 2:07:43 PM
    StartupList version: 1.52.2
    Started from : J:\HijackThis_v1.99.1.EXE
    Detected: Windows XP SP3 (WinNT 5.01.2600)
    Detected: Internet Explorer v7.00 (7.00.6000.16876)
    * Using default options
    ==================================================

    Running processes:

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\AVG\AVG8\avgrsx.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
    C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\Program Files\LogMeIn\x86\LMIGuardian.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\svchasts.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\LogMeIn\x86\RaMaint.exe
    C:\Program Files\LogMeIn\x86\LogMeIn.exe
    C:\Program Files\LogMeIn\x86\LMIGuardian.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\Program Files\Dell Support Center\bin\sprtsvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\Drivers\WTSRV.EXE
    c:\WINDOWS\system32\ZuneBusEnum.exe
    C:\Program Files\Adobe\Adobe Illustrator CS3\Support Files\Contents\Windows\Illustrator.exe
    C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Google\Chrome\Application\chrome.exe
    C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    C:\Program Files\Adobe\Adobe Photoshop CS3\Photoshop.exe
    C:\Program Files\Sirius\MySiriusStudio\My Sirius Studio.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    J:\HijackThis_v1.99.1.exe

    --------------------------------------------------

    Checking Windows NT UserInit:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINDOWS\system32\userinit.exe,

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    RTHDCPL = RTHDCPL.EXE
    PDVDDXSrv = "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
    LogMeIn GUI = "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
    ISUSPM Startup = "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
    HP Software Update = C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    GrooveMonitor = "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
    Google Desktop Search = "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
    dscactivate = "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
    DellSupportCenter = "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
    AVG8_TRAY = C:\PROGRA~1\AVG\AVG8\avgtray.exe
    ATICCC = "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
    AppleSyncNotifier = C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
    Alcmtr = ALCMTR.EXE
    Adobe_ID0EYTHM = C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
    Adobe Reader Speed Launcher = "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    Acrobat Assistant 8.0 = "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
    WTClient = WTClient.exe
    QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
    iTunesHelper = "C:\Program Files\iTunes\iTunesHelper.exe"
    SunJavaUpdateSched = "C:\Program Files\Java\jre6\bin\jusched.exe"

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
    swg = C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    ISUSScheduler = "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    Messenger (Yahoo!) = "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    Monopod = C:\DOCUME~1\ARTDEP~1\LOCALS~1\Temp\a.exe
    SpybotSD TeaTimer = C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    [OptionalComponents]
    =

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    [AdobeUpdater]
    =

    --------------------------------------------------

    Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

    Shell=*INI section not found*
    SCRNSAVE.EXE=*INI section not found*
    drivers=*INI section not found*

    Shell & screensaver key from Registry:

    Shell=Explorer.exe
    SCRNSAVE.EXE=C:\WINDOWS\system32\sstext3d.scr
    drivers=*Registry value not found*

    Policies Shell key:

    HKCU\..\Policies: Shell=*Registry value not found*
    HKLM\..\Policies: Shell=*Registry value not found*

    --------------------------------------------------


    Enumerating Browser Helper Objects:

    (no name) - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
    (no name) - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll - {074C1DC5-9320-4A9A-947D-C042949C6216}
    BitComet ClickCapture - C:\Program Files\BitComet\tools\BitCometBHO_1.3.1.15.dll - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60}
    WormRadar.com IESiteBlocker.NavFilter - C:\Program Files\AVG\AVG8\avgssie.dll - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
    (no name) - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
    (no name) - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll - {72853161-30C5-4D22-B7F9-0BBC1D38A37E}
    (no name) - (no file) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
    (no name) - C:\WINDOWS\system32\dddesot.dll - {76DC0B63-1533-4ba9-8BE8-D59EB676FA02}
    (no name) - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll - {A3BC75A2-1F87-4686-AA43-5347D756017C}
    (no name) - c:\program files\google\googletoolbar2.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7}
    (no name) - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll - {AE7CD045-E861-484f-8273-0445EE161910}
    (no name) - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D}
    Browser Address Error Redirector - C:\Program Files\Dell\BAE\BAE.dll - {CA6319C0-31B7-401E-A518-A07C3DB8F777}
    (no name) - C:\Program Files\Java\jre6\bin\jp2ssv.dll - {DBC80044-A445-435b-BC74-9C25C1C588A9}
    JQSIEStartDetectorImpl - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll - {E7E6F031-17CE-4C07-BC86-EABFE594F69C}

    --------------------------------------------------

    Enumerating Task Scheduler jobs:

    Ad-Aware Update (Weekly).job
    AppleSoftwareUpdate.job
    Google Software Updater.job
    GoogleUpdateTaskMachineCore.job
    GoogleUpdateTaskMachineUA.job
    {7B02EF0B-A410-4938-8480-9BA26420A627}.job
    {BB65B0FB-5712-401b-B616-E69AC55E2757}.job

    --------------------------------------------------

    Enumerating Download Program Files:

    [SysProWmi Class]
    InProcServer32 = C:\WINDOWS\system32\Dell\SystemProfiler\SysPro.ocx
    CODEBASE = http://support.dell.com/systemprofiler/SysPro.CAB

    [Performance Viewer Activex Control]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\RACtrl.dll
    CODEBASE = https://secure.logmein.com/activex/ractrl.cab?lmi=100

    --------------------------------------------------

    Enumerating Winsock LSP files:

    NameSpace #4: C:\Program Files\Bonjour\mdnsNSP.dll

    --------------------------------------------------

    Enumerating ShellServiceObjectDelayLoad items:

    PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
    CDBurn: C:\WINDOWS\system32\SHELL32.dll
    WebCheck: C:\WINDOWS\system32\webcheck.dll
    SysTray: C:\WINDOWS\system32\stobject.dll
    WPDShServiceObj: C:\WINDOWS\system32\WPDShServiceObj.dll

    --------------------------------------------------
    End of report, 8,993 bytes
    Report generated in 0.032 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only
     
  3. justynf

    justynf Member

    Joined:
    Aug 31, 2009
    Messages:
    19
    Likes Received:
    0
    Trophy Points:
    11
    Hi I have same exact problem...
    I know C:\WINDOWS\svchasts.exe is part of the virus.
    So far I havn't gotten help on another site so I hope someone can help here. I can't even run hijackthis cause it closes right after, as well as any other antivirus software. I am thinking of doing a hard format cause it would be faster to get my laptop working.. :(

    Please help anyone.
     
  4. justynf

    justynf Member

    Joined:
    Aug 31, 2009
    Messages:
    19
    Likes Received:
    0
    Trophy Points:
    11
    Sorry for double post, forgot to ask, how did you get hijackthis to work?
     
  5. SinRama

    SinRama Member

    Joined:
    Aug 30, 2009
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    11
    justynf...yup, that's what I ended up doing. Back in the office on Monday and had to do something.
    Backed up everything and reformatted.
    Before that though, I tried the "repair" on Windows XP Setup with disc. Got to 10 minutes left and restarted all of sudden on its own. Went on the "Windows XP" Start up logo, then nothing. Thinking Worm got way in there. Only thing left I could do is reformat.

    As for HijackThis, it's not the actual logfile...just the startup list report. Don't know how to read them so not sure on the difference.

    Started "Hijack" from a thumb. Instead of running the scan (after running it and it disappearing, mind you) hit "config" Button under other stuff. Then hit "Generate startuplist log". Saved that to the thumb.

    Forgot to mention, after IE started working again, and after a couple of times of closing and restarting the program. Windows Police Pro popup started again, but just in IE. Firefox started redirecting to different websites. But Google Chrome worked. Installed with Spyware/malware program(forgot which one). Guess I never got it all off.

    That's one bad, bad worm.
     
  6. migTMC

    migTMC Member

    Joined:
    Sep 9, 2009
    Messages:
    77
    Likes Received:
    0
    Trophy Points:
    16
    Hi guys, new here and really have a major problem, very similar to what has been posted in this thread, but I haven't had the success of resolving this now very headache of an issue.

    I have followed the instructions given in this thread. I used the Trend online virus scanner and it was slow, and it just stopped, din't finish the scan. I installed Malwarebytes' Anti-Malware and after trying to scan my computer, the program just disappeared and after I tried opening it again, it came up with an error message saying:
    Windows can not access the specified device, path or file. You may not have the appropriate permissions to access the item

    An hour or so ago, my icon for Internet Explorer, that I hadn't used in months (as I like firefox much more), but used twice the last two days, since firefox was playing up, has become blank and I can't open IE now, error message comes up saying the device is not accessible.

    I've tried System Restore to dates last week, but either I am unable to (click next after I choose the date to restore to and nothing happens) or am able to and then get a message saying that "unable to restore to that date, please choose another date to restore from" and I get that same message when choosing another date to restore from.

    I got spywareblaster and it doesn't scan the computer, just stays in the backgorund detecting spyware that may come in after. Also went to download.com and got Ad-Aware Aniversary Edition and like Malwarebytes' Anti-Malware, it just closes suddenly a few seconds after it starts to scan and then I get a "can't access this" error message if I try to use it again.

    Don't know where to go. Firefox and email running slow. My AVG Free Antivirus now doesn't even scan, as I've found out today by trying to scan the few files I've downloaded, like spywareblaster and Ad-Aware Aniversary Edition.

    I downloaded and installed superantispyware, same result as with Malwarebytes' Anti-Malware, when I start it up, it quickly disappears and when I try to get it to run again, I get an error message like before and I can't access it anymore. What ever this is, I assume Trojan crap, it is smart and detects when programs that can detect it are running and has the ability to completely shut them dowm.

    I partitioned my hard drive when I got it a few years ago, a smart thing as it allowed me to fix a pretty major problem some two years ago. Now, I tried to scan the larger partition of the hard rive (which I always use and is infected ofcourse) a couple of hours ago. The three programs I used worked (superantispyware, Malwarebytes' Anti-Malware and Combo-Fix) worked from the small partition and detected and elimated 9 trojan (one was a backdoor.bot). I then restarted the computer, loaded with the usual partition that was/is infected and thought things would likely be fixed now. I was wrong! Still can't run superantispyware, Malwarebytes' Anti-Malware and haven't tried ComboFix yet. AVG Free antivirus still does not scan when I try to use it and firefox wasn't even loading up any of the webpages, though now I happen to have fixed that and it functions again.

    Hijackthis would not start.

    I will paste the logs that have appeared,I assume might give some information that might help you experts in trying to help me resolve this very nasty problem:


    ComboFix 09-09-09.04 - mig 10/09/2009 19:06.1.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.511.243 [GMT 9:00]
    Running from: c:\combo-fix\Combo-Fix.exe

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\recycler\S-1-5-21-1659004503-796845957-725345543-1003
    c:\recycler\S-1-5-21-854245398-1935655697-1801674531-1003
    C:\smp.bat
    c:\windows\atualmenteo.dll
    c:\windows\iexplorer.exe
    c:\windows\system\KEYBOARD1.DRV

    c:\windows\system32\qmgr.dll . . . is infected!!

    .
    ((((((((((((((((((((((((( Files Created from 2009-08-10 to 2009-09-10 )))))))))))))))))))))))))))))))
    .

    2009-09-10 09:08 . 2009-09-10 09:08 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2009-09-10 09:08 . 2009-09-10 09:09 -------- d-----w- C:\warhor
    2009-09-10 09:08 . 2009-09-10 09:08 -------- d-----w- c:\documents and settings\mig\Application Data\SUPERAntiSpyware.com
    2009-09-10 09:04 . 2009-09-10 09:04 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
    2009-09-10 04:36 . 2009-09-10 04:36 -------- d-----w- c:\documents and settings\mig\Application Data\Malwarebytes
    2009-09-10 04:36 . 2009-08-03 04:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-09-10 04:36 . 2009-09-10 04:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-09-10 04:36 . 2009-08-03 04:36 18456 ----a-w- c:\windows\system32\drivers\mbam.sys
    2009-09-10 04:35 . 2009-09-10 09:07 -------- d-----w- C:\heyho
    2009-09-08 12:37 . 2002-08-28 16:32 56832 ----a-w- c:\windows\system32\drivers\USBAUDIO.sys

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2002-08-20 1511453]
    "SUPERAntiSpyware"="c:\warhor\warhor\SUPERAntiSpyware.exe" [2009-09-04 1994480]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2002-08-29 13312]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\warhor\warhor\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-09-03 06:21 548352 ----a-w- c:\warhor\warhor\SASWINLO.dll

    R1 SASDIFSV;SASDIFSV;c:\warhor\warhor\sasdifsv.sys [4/09/2009 2:50 PM 9968]
    R1 SASKUTIL;SASKUTIL;c:\warhor\warhor\SASKUTIL.SYS [4/09/2009 2:49 PM 74480]
    R3 SASENUM;SASENUM;c:\warhor\warhor\SASENUM.SYS [4/09/2009 2:50 PM 7408]

    --- Other Services/Drivers In Memory ---

    *NewlyCreated* - ALG
    *NewlyCreated* - IPNAT
    .
    Contents of the 'Scheduled Tasks' folder
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.westnet.com.au/
    IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
    TCP: {8C037449-ED60-44E7-987E-C2AE22790ED3} = 203.21.20.20,203.10.1.9
    DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-09-10 19:10
    Windows 5.1.2600 Service Pack 1 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(672)
    c:\windows\System32\ODBC32.dll
    c:\warhor\warhor\SASWINLO.dll

    - - - - - - - > 'lsass.exe'(728)
    c:\windows\System32\dssenh.dll

    - - - - - - - > 'explorer.exe'(956)
    c:\windows\System32\msi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\rundll32.exe
    .
    **************************************************************************
    .
    Completion time: 2009-09-10 19:11 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-09-10 10:11

    Pre-Run: 231,311,360 bytes free
    Post-Run: 210,669,568 bytes free

    93





    Malwarebytes' Anti-Malware 1.40
    Database version: 2770
    Windows 5.1.2600 Service Pack 1

    10/09/2009 5:48:06 PM
    mbam-log-2009-09-10 (17-48-06).txt

    Scan type: Quick Scan
    Objects scanned: 99152
    Time elapsed: 36 minute(s), 36 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 9

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    f:\WINDOWS\system32\msxm192z.dll (Backdoor.Bot) -> Quarantined and deleted successfully.
    f:\WINDOWS\system32\eventlog.dll (Trojan.Sirefef) -> Quarantined and deleted successfully.
    f:\WINDOWS\system32\geyekrtueqaavn.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
    f:\WINDOWS\system32\drivers\geyekrboiesmpr.sys (Rootkit.TDSS) -> Quarantined and deleted successfully.
    f:\WINDOWS\Temp\a.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
    f:\WINDOWS\Temp\hifxyjpyom.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
    f:\WINDOWS\Temp\geyekrejtctbnums.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
    f:\Download Programs\Azureus\Azureus\Complete Downloads\DVDFab Platinum 5.1.1.0 + Serial + patch.2.2\universal.dvdfab.platinum.5-patch.2.2.exe (Trojan.Patcher) -> Quarantined and deleted successfully.
    f:\Documents and Settings\Miguel\My Documents\My Completed Downloads\VideoEggPublisher.exe (Malware.Tool) -> Quarantined and deleted successfully.







    Please help
     
  7. justynf

    justynf Member

    Joined:
    Aug 31, 2009
    Messages:
    19
    Likes Received:
    0
    Trophy Points:
    11
    Are you able to run a hijackthis log after running combofix?
     
  8. migTMC

    migTMC Member

    Joined:
    Sep 9, 2009
    Messages:
    77
    Likes Received:
    0
    Trophy Points:
    16

    Thankyou dearly for the reply, I thought I wasn't going to get any and I was on the verge of just reinstalling XP Pro.

    See, I can only scan my large partition (Drive D),that I always use, from the small partition (Drive C). I am not able to do any scans with any of the mentioned programs from Drive D (the infected partition). The scan with combofix was from drive C, scanning drive D. Can I o the same with hijaclthis? That is, can I scan Drive D from Drive C? If so, show how, as I thought hijackthis was only able to do a scan on the drive that is running at the time, the drive that XP is loaded from currently


     
  9. justynf

    justynf Member

    Joined:
    Aug 31, 2009
    Messages:
    19
    Likes Received:
    0
    Trophy Points:
    11
    Try running hijackthis on each partition and posting a log.

    Also the reason files become inaccessable after they get closed by the malware is that the malware is changing security permissions to deny everyone. Which you can temporarily fix (Because opening it again will just cause it to deny access again until the malware is removed).

    go to the access denied file:

    Right click properties.
    Click security tab.
    Click edit, click the name everyone and Click remove.
    now click add and type your login username and click check names.
    now once it finds it click Ok.

    Next click your name and tick full control on allow side.
    This will give you access to the file again afterwards.

    If that still wont work you can go to advanced, owner tab.
    Click edit then click your name then apply to take ownership of the file.
     
  10. justynf

    justynf Member

    Joined:
    Aug 31, 2009
    Messages:
    19
    Likes Received:
    0
    Trophy Points:
    11
    Also if you can't run hijackthis, try running a GMER scan and clicking copy when it finishes, paste the GMER log here.
     
  11. migTMC

    migTMC Member

    Joined:
    Sep 9, 2009
    Messages:
    77
    Likes Received:
    0
    Trophy Points:
    16

    GMER has been scanning for over three hours now, not sure if it scans the drive more than once. I am letting continue, but the log so far is this:

    GMER 1.0.15.15077 [gmer.exe] - http://www.gmer.net
    Rootkit scan 2009-09-11 22:06:45
    Windows 5.1.2600 Service Pack 2


    ---- System - GMER 1.0.15 ----

    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwConnectPort [0xF6900FC0]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateFile [0xF68FDC80]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateKey [0xF6918170]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreatePort [0xF6901580]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateWaitablePort [0xF6901670]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDeleteFile [0xF68FE210]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDeleteKey [0xF69189F0]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDeleteValueKey [0xF69187A0]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwLoadKey [0xF6918F10]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwLoadKey2 [0xF6918F90]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwOpenFile [0xF68FE070]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwRenameKey [0xF69196F0]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwReplaceKey [0xF6919150]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwRequestWaitReplyPort [0xF6900BE0]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwRestoreKey [0xF6919540]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSetInformationFile [0xF68FE440]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSetValueKey [0xF69184E0]

    ---- Kernel code sections - GMER 1.0.15 ----

    .text ntoskrnl.exe!_abnormal_termination + 1D5 804E2831 7 Bytes [8F, 91, F6, 90, 8F, 91, F6]
    ? srescan.sys The system cannot find the file specified. !

    ---- User code sections - GMER 1.0.15 ----

    .text D:\Program Files\MSN Messenger\MsnMsgr.Exe[468] kernel32.dll!SetUnhandledExceptionFilter 7C8447ED 5 Bytes JMP 004DE392 D:\Program Files\MSN Messenger\MsnMsgr.Exe (Messenger/Microsoft Corporation)

    ---- Kernel IAT/EAT - GMER 1.0.15 ----

    IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] [F6905B20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
    IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [F6905930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
    IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter] [F6906260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
    IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] [F6903E90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
    IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] [F6903E90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
    IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] [F6905B20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
    IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter] [F6905930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
    IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisCloseAdapter] [F6906260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
    IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [F6905B20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
    IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [F6906260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
    IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [F6905930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
    IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] [F6903E90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
    IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [F6906260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
    IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [F6905930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
    IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [F6905B20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
    IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [F6903E90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
    IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [F6905B20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
    IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [F6905930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
    IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [F6906260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
    IAT \SystemRoot\System32\drivers\afd.sys[ntoskrnl.exe!IoCreateFile] [F691EB30] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
    IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [F6905B20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
    IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [F6903E90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
    IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [F6906260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
    IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [F6905930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
    IAT \SystemRoot\System32\DRIVERS\srv.sys[ntoskrnl.exe!NtOpenFile] [F68FE980] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
    IAT \SystemRoot\System32\DRIVERS\srv.sys[ntoskrnl.exe!NtSetInformationFile] [F68FE8D0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
    IAT \SystemRoot\System32\DRIVERS\srv.sys[ntoskrnl.exe!IoCreateFile] [F68FEA80] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
    IAT \SystemRoot\System32\DRIVERS\srv.sys[ntoskrnl.exe!NtCreateFile] [F68FE5E0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

    ---- User IAT/EAT - GMER 1.0.15 ----

    IAT D:\Registry Mechanic\RegMech.exe[480] @ D:\WINDOWS\system32\ole32.dll [ADVAPI32.dll!RegQueryValueA] 0133BCA0
    IAT D:\Registry Mechanic\RegMech.exe[480] @ D:\WINDOWS\system32\ole32.dll [ADVAPI32.dll!RegCreateKeyExW] 0133BC50
    IAT D:\Registry Mechanic\RegMech.exe[480] @ D:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetProcAddress] 01337EA0
    IAT D:\Registry Mechanic\RegMech.exe[480] @ D:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryA] 01339100
    IAT D:\Registry Mechanic\RegMech.exe[480] @ D:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CloseHandle] 0133AA10
    IAT D:\Registry Mechanic\RegMech.exe[480] @ D:\WINDOWS\system32\ole32.dll [KERNEL32.dll!FreeLibrary] 01339370
    IAT D:\Registry Mechanic\RegMech.exe[480] @ D:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryW] 01339180
    IAT D:\Registry Mechanic\RegMech.exe[480] @ D:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CreateFileW] 0133A010
    IAT D:\Registry Mechanic\RegMech.exe[480] @ D:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GlobalUnlock] 0133B950
    IAT D:\Registry Mechanic\RegMech.exe[480] @ D:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GlobalLock] 0133B990
    IAT D:\Registry Mechanic\RegMech.exe[480] @ D:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetProcessHeap] 0133BD30
    IAT D:\Registry Mechanic\RegMech.exe[480] @ D:\WINDOWS\system32\ole32.dll [KERNEL32.dll!FindFirstFileW] 0133B810
    IAT D:\Registry Mechanic\RegMech.exe[480] @ D:\WINDOWS\system32\ole32.dll [KERNEL32.dll!DuplicateHandle] 0133A970
    IAT D:\Registry Mechanic\RegMech.exe[480] @ D:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CreateThread] 01339930
    IAT D:\Registry Mechanic\RegMech.exe[480] @ D:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] 013392E0
    IAT D:\Registry Mechanic\RegMech.exe[480] @ D:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetEnvironmentStringsW] 01339660
    IAT D:\Registry Mechanic\RegMech.exe[480] @ D:\WINDOWS\system32\ole32.dll [KERNEL32.dll!IsDebuggerPresent] 0133C2B0
    IAT D:\Registry Mechanic\RegMech.exe[480] @ D:\WINDOWS\system32\ole32.dll [KERNEL32.dll!ReadFile] 0133A360
    IAT D:\Registry Mechanic\RegMech.exe[480] @ D:\WINDOWS\system32\ole32.dll [KERNEL32.dll!SetFilePointer] 0133A7D0
    IAT D:\Registry Mechanic\RegMech.exe[480] @ D:\WINDOWS\system32\ole32.dll [KERNEL32.dll!MapViewOfFileEx] 0133AE90
    IAT D:\Registry Mechanic\RegMech.exe[480] @ D:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CreateFileMappingW] 0133AC20
    IAT D:\Registry Mechanic\RegMech.exe[480] @ D:\WINDOWS\system32\ole32.dll [KERNEL32.dll!MapViewOfFile] 0133AE10
    IAT D:\Registry Mechanic\RegMech.exe[480] @ D:\WINDOWS\system32\ole32.dll [KERNEL32.dll!OpenFileMappingW] 0133B2F0
    IAT D:\Registry Mechanic\RegMech.exe[480] @ D:\WINDOWS\system32\ole32.dll [KERNEL32.dll!UnmapViewOfFile] 0133B000
    IAT D:\Registry Mechanic\RegMech.exe[480] @ D:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExA] 01339250
    IAT D:\Registry Mechanic\RegMech.exe[480] @ D:\WINDOWS\system32\ole32.dll [KERNEL32.dll!TerminateProcess] 013397E0
    IAT D:\Registry Mechanic\RegMech.exe[480] @ D:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GlobalAlloc] 0133BA70
    IAT D:\Registry Mechanic\RegMech.exe[480] @ D:\WINDOWS\system32\ole32.dll [KERNEL32.dll!FlushViewOfFile] 0133AD60
    IAT D:\Registry Mechanic\RegMech.exe[480] @ D:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetFileSize] 0133A910
    IAT D:\Registry Mechanic\RegMech.exe[480] @ D:\WINDOWS\system32\ole32.dll [KERNEL32.dll!WriteFile] 0133A790
    IAT D:\Registry Mechanic\RegMech.exe[480] @ D:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetFileType] 0133AB20
    IAT D:\Registry Mechanic\RegMech.exe[480] @ D:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetACP] 0133BD50
    IAT D:\Registry Mechanic\RegMech.exe[480] @ D:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CreateFileMappingA] 0133AB60
    IAT D:\Registry Mechanic\RegMech.exe[480] @ D:\WINDOWS\system32\ole32.dll [USER32.dll!LoadIconW] 0133BFF0
    IAT D:\Registry Mechanic\RegMech.exe[480] @ D:\WINDOWS\system32\ole32.dll [USER32.dll!LoadCursorW] 0133BF90
    IAT D:\Registry Mechanic\RegMech.exe[480] @ D:\WINDOWS\system32\ole32.dll [USER32.dll!CreateDialogParamW] 0133C1E0
    IAT D:\Registry Mechanic\RegMech.exe[480] @ D:\WINDOWS\system32\ole32.dll [USER32.dll!DialogBoxParamW] 0133C280
    IAT D:\Registry Mechanic\RegMech.exe[480] @ D:\WINDOWS\system32\ole32.dll [USER32.dll!LoadStringW] 0133C0B0

    ---- Devices - GMER 1.0.15 ----

    Device \Driver\Tcpip \Device\Ip vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
    Device \Driver\Tcpip \Device\Tcp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
    Device \Driver\Tcpip \Device\Udp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
    Device \Driver\Tcpip \Device\RawIp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
    Device \Driver\Tcpip \Device\IPMULTICAST vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    ---- Services - GMER 1.0.15 ----

    Service system32\drivers\geyekrboiesmpr.sys (*** hidden *** ) [SYSTEM] geyekrxvkopxep <-- ROOTKIT !!!

    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrxvkopxep@start 1
    Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrxvkopxep@type 1
    Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrxvkopxep@group file system
    Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrxvkopxep@imagepath \systemroot\system32\drivers\geyekrboiesmpr.sys
    Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrxvkopxep\main
    Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrxvkopxep\main@aid 10020
    Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrxvkopxep\main@sid 1
    Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrxvkopxep\main@cmddelay 14400
    Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrxvkopxep\main\delete
    Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrxvkopxep\main\injector
    Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrxvkopxep\main\injector@* geyekrwsp8.dll
    Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrxvkopxep\main\tasks
    Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrxvkopxep\modules
    Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrxvkopxep\modules@geyekrrk.sys \systemroot\system32\drivers\geyekrboiesmpr.sys
    Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrxvkopxep\modules@geyekrcmd.dll \systemroot\system32\geyekrtueqaavn.dll
    Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrxvkopxep\modules@geyekrlog.dat \systemroot\system32\geyekryviuwmtt.dat
    Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrxvkopxep\modules@geyekrwsp.dll \systemroot\system32\geyekrqrrnrxdu.dll
    Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrxvkopxep\modules@geyekr.dat \systemroot\system32\geyekrymfoxweh.dat
    Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrxvkopxep\modules@geyekrwsp8.dll \systemroot\system32\geyekrfulkdubo.dll
    Reg HKLM\SYSTEM\ControlSet003\Services\geyekrxvkopxep@start 1
    Reg HKLM\SYSTEM\ControlSet003\Services\geyekrxvkopxep@type 1
    Reg HKLM\SYSTEM\ControlSet003\Services\geyekrxvkopxep@group file system
    Reg HKLM\SYSTEM\ControlSet003\Services\geyekrxvkopxep@imagepath \systemroot\system32\drivers\geyekrboiesmpr.sys
    Reg HKLM\SYSTEM\ControlSet003\Services\geyekrxvkopxep\main (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet003\Services\geyekrxvkopxep\main@aid 10020
    Reg HKLM\SYSTEM\ControlSet003\Services\geyekrxvkopxep\main@sid 1
    Reg HKLM\SYSTEM\ControlSet003\Services\geyekrxvkopxep\main@cmddelay 14400
    Reg HKLM\SYSTEM\ControlSet003\Services\geyekrxvkopxep\main\delete (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet003\Services\geyekrxvkopxep\main\injector (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet003\Services\geyekrxvkopxep\main\injector@* geyekrwsp8.dll
    Reg HKLM\SYSTEM\ControlSet003\Services\geyekrxvkopxep\main\tasks (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet003\Services\geyekrxvkopxep\modules (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet003\Services\geyekrxvkopxep\modules@geyekrrk.sys \systemroot\system32\drivers\geyekrboiesmpr.sys
    Reg HKLM\SYSTEM\ControlSet003\Services\geyekrxvkopxep\modules@geyekrcmd.dll \systemroot\system32\geyekrtueqaavn.dll
    Reg HKLM\SYSTEM\ControlSet003\Services\geyekrxvkopxep\modules@geyekrlog.dat \systemroot\system32\geyekryviuwmtt.dat
    Reg HKLM\SYSTEM\ControlSet003\Services\geyekrxvkopxep\modules@geyekrwsp.dll \systemroot\system32\geyekrqrrnrxdu.dll
    Reg HKLM\SYSTEM\ControlSet003\Services\geyekrxvkopxep\modules@geyekr.dat \systemroot\system32\geyekrymfoxweh.dat
    Reg HKLM\SYSTEM\ControlSet003\Services\geyekrxvkopxep\modules@geyekrwsp8.dll \systemroot\system32\geyekrfulkdubo.dll
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@LoadAppInit_DLLs 1




    GMER has picked far more files than superantispyware and Malwarebytes' Anti-Malware did, much more in fact. I think I have to select the files on the log and choose delete myself, not sure yet.

    Looks real promising and hopefully all will be back to normal soon. Thanks heaps and I will post saying whether everything gets good again or not

     
  12. justynf

    justynf Member

    Joined:
    Aug 31, 2009
    Messages:
    19
    Likes Received:
    0
    Trophy Points:
    11
    Don't go deleting every listed thing right away, not everything listed is malware, But I know for sure the GEYEKR******** files are malware. Which is what was in my system previously.

    GMER will probably close itself once it reaches the FILES part of the scanning process. If it does close on you just uncheck that part and run scan again, then delete the following:


    Service system32\drivers\geyekrboiesmpr.sys (*** hidden *** ) [SYSTEM] geyekrxvkopxep <-- ROOTKIT !!!

    Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrxvkopxep@start 1
    Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrxvkopxep@type 1
    Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrxvkopxep@group file system
    Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrxvkopxep@imagepath \systemroot\system32\drivers\geyekrboiesmpr.sys
    Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrxvkopxep\main
    Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrxvkopxep\main@aid 10020
    Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrxvkopxep\main@sid 1
    Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrxvkopxep\main@cmddelay 14400
    Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrxvkopxep\main\delete
    Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrxvkopxep\main\injector
    Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrxvkopxep\main\injector@* geyekrwsp8.dll
    Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrxvkopxep\main\tasks
    Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrxvkopxep\modules
    Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrxvkopxep\modules@geyekrrk.sys \systemroot\system32\drivers\geyekrboiesmpr.sys
    Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrxvkopxep\modules@geyekrcmd.dll \systemroot\system32\geyekrtueqaavn.dll
    Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrxvkopxep\modules@geyekrlog.dat \systemroot\system32\geyekryviuwmtt.dat
    Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrxvkopxep\modules@geyekrwsp.dll \systemroot\system32\geyekrqrrnrxdu.dll
    Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrxvkopxep\modules@geyekr.dat \systemroot\system32\geyekrymfoxweh.dat
    Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrxvkopxep\modules@geyekrwsp8.dll \systemroot\system32\geyekrfulkdubo.dll
    Reg HKLM\SYSTEM\ControlSet003\Services\geyekrxvkopxep@start 1
    Reg HKLM\SYSTEM\ControlSet003\Services\geyekrxvkopxep@type 1
    Reg HKLM\SYSTEM\ControlSet003\Services\geyekrxvkopxep@group file system
    Reg HKLM\SYSTEM\ControlSet003\Services\geyekrxvkopxep@imagepath \systemroot\system32\drivers\geyekrboiesmpr.sys
    Reg HKLM\SYSTEM\ControlSet003\Services\geyekrxvkopxep\main (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet003\Services\geyekrxvkopxep\main@aid 10020
    Reg HKLM\SYSTEM\ControlSet003\Services\geyekrxvkopxep\main@sid 1
    Reg HKLM\SYSTEM\ControlSet003\Services\geyekrxvkopxep\main@cmddelay 14400
    Reg HKLM\SYSTEM\ControlSet003\Services\geyekrxvkopxep\main\delete (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet003\Services\geyekrxvkopxep\main\injector (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet003\Services\geyekrxvkopxep\main\injector@* geyekrwsp8.dll
    Reg HKLM\SYSTEM\ControlSet003\Services\geyekrxvkopxep\main\tasks (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet003\Services\geyekrxvkopxep\modules (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet003\Services\geyekrxvkopxep\modules@geyekrrk.sys \systemroot\system32\drivers\geyekrboiesmpr.sys
    Reg HKLM\SYSTEM\ControlSet003\Services\geyekrxvkopxep\modules@geyekrcmd.dll \systemroot\system32\geyekrtueqaavn.dll
    Reg HKLM\SYSTEM\ControlSet003\Services\geyekrxvkopxep\modules@geyekrlog.dat \systemroot\system32\geyekryviuwmtt.dat
    Reg HKLM\SYSTEM\ControlSet003\Services\geyekrxvkopxep\modules@geyekrwsp.dll \systemroot\system32\geyekrqrrnrxdu.dll
    Reg HKLM\SYSTEM\ControlSet003\Services\geyekrxvkopxep\modules@geyekr.dat \systemroot\system32\geyekrymfoxweh.dat
    Reg HKLM\SYSTEM\ControlSet003\Services\geyekrxvkopxep\modules@geyekrwsp8.dll \systemroot\system32\geyekrfulkdubo.dll



    Once those are done, Run GMER again searching for FILES only (That is if it closed on you before it got to that part).
     
  13. justynf

    justynf Member

    Joined:
    Aug 31, 2009
    Messages:
    19
    Likes Received:
    0
    Trophy Points:
    11
    With those parts gone, you should be able to reboot and run the scans that closed on you previously, such as malwarebytes, combo-fix, and a hijackthis log.
     
  14. migTMC

    migTMC Member

    Joined:
    Sep 9, 2009
    Messages:
    77
    Likes Received:
    0
    Trophy Points:
    16

    GMER closed soon after I got back on my computer this morning, after leaving it on all night as it is a long scan. The computer restare, but not before I tried deleting:
    Service system32\drivers\geyekrboiesmpr.sys (*** hidden *** ) [SYSTEM] geyekrxvkopxep <-- ROOTKIT !!!
    A couple of error messages came up and the file was not deleted. I tried a second time, the same error messages came up and the file disappeared, not sure if it was deleted or not.

    The registry files:

    Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrxvkopxep@start 1
    Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrxvkopxep@type 1
    Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrxvkopxep@group file system
    Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrxvkopxep@imagepath \systemroot\system32\drivers\geyekrboiesmpr.sys
    Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrxvkopxep\main
    Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrxvkopxep\main@aid 10020
    Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrxvkopxep\main@sid 1
    Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrxvkopxep\main@cmddelay 14400
    Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrxvkopxep\main\delete
    Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrxvkopxep\main\injector
    Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrxvkopxep\main\injector@* geyekrwsp8.dll
    Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrxvkopxep\main\tasks
    Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrxvkopxep\modules
    Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrxvkopxep\modules@geyekrrk.sys \systemroot\system32\drivers\geyekrboiesmpr.sys
    Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrxvkopxep\modules@geyekrcmd.dll \systemroot\system32\geyekrtueqaavn.dll
    Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrxvkopxep\modules@geyekrlog.dat \systemroot\system32\geyekryviuwmtt.dat
    Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrxvkopxep\modules@geyekrwsp.dll \systemroot\system32\geyekrqrrnrxdu.dll
    Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrxvkopxep\modules@geyekr.dat \systemroot\system32\geyekrymfoxweh.dat
    Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrxvkopxep\modules@geyekrwsp8.dll \systemroot\system32\geyekrfulkdubo.dll
    Reg HKLM\SYSTEM\ControlSet003\Services\geyekrxvkopxep@start 1
    Reg HKLM\SYSTEM\ControlSet003\Services\geyekrxvkopxep@type 1
    Reg HKLM\SYSTEM\ControlSet003\Services\geyekrxvkopxep@group file system
    Reg HKLM\SYSTEM\ControlSet003\Services\geyekrxvkopxep@imagepath \systemroot\system32\drivers\geyekrboiesmpr.sys
    Reg HKLM\SYSTEM\ControlSet003\Services\geyekrxvkopxep\main (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet003\Services\geyekrxvkopxep\main@aid 10020
    Reg HKLM\SYSTEM\ControlSet003\Services\geyekrxvkopxep\main@sid 1
    Reg HKLM\SYSTEM\ControlSet003\Services\geyekrxvkopxep\main@cmddelay 14400
    Reg HKLM\SYSTEM\ControlSet003\Services\geyekrxvkopxep\main\delete (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet003\Services\geyekrxvkopxep\main\injector (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet003\Services\geyekrxvkopxep\main\injector@* geyekrwsp8.dll
    Reg HKLM\SYSTEM\ControlSet003\Services\geyekrxvkopxep\main\tasks (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet003\Services\geyekrxvkopxep\modules (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet003\Services\geyekrxvkopxep\modules@geyekrrk.sys \systemroot\system32\drivers\geyekrboiesmpr.sys
    Reg HKLM\SYSTEM\ControlSet003\Services\geyekrxvkopxep\modules@geyekrcmd.dll \systemroot\system32\geyekrtueqaavn.dll
    Reg HKLM\SYSTEM\ControlSet003\Services\geyekrxvkopxep\modules@geyekrlog.dat \systemroot\system32\geyekryviuwmtt.dat
    Reg HKLM\SYSTEM\ControlSet003\Services\geyekrxvkopxep\modules@geyekrwsp.dll \systemroot\system32\geyekrqrrnrxdu.dll
    Reg HKLM\SYSTEM\ControlSet003\Services\geyekrxvkopxep\modules@geyekr.dat \systemroot\system32\geyekrymfoxweh.dat
    Reg HKLM\SYSTEM\ControlSet003\Services\geyekrxvkopxep\modules@geyekrwsp8.dll \systemroot\system32\geyekrfulkdubo.dll

    I tried deleting a couple and when I right clicked on one or both files at the same time, the option to "delete service" and the other "dosable service", were not available, I couldn't select them. Found it strange.

    Do you know how to overcome this?


     
  15. justynf

    justynf Member

    Joined:
    Aug 31, 2009
    Messages:
    19
    Likes Received:
    0
    Trophy Points:
    11
    Just a sec I will try to create a script for you to run to disable and delete it. anyways these files are suspicious if you haven't deleted them, try to. Unless you know what they are.

    C:\warhor
    C:\heyho

    now download The Avenger and run it and paste this script in it:
    Back up your files just to be safe if you didn't already.

    Code:
    
    Drivers to disable:
    svchast.exe
    geyekrboiesmpr.sys
    
    Drivers to delete:
    svchast.exe
    geyekrboiesmpr.sys
    
    
    Files to delete:
    c:\windows\system32\svchast.exe
    c:\system32\drivers\geyekrboiesmpr.sys
    c:\system32\geyekrtueqaavn.dll
    c:\system32\geyekryviuwmtt.dat
    c:\system32\geyekrqrrnrxdu.dll
    c:\system32\geyekrymfoxweh.dat
    c:\system32\geyekrfulkdubo.dll
    
    Registry keys to delete:
    HKLM\SYSTEM\CurrentControlSet\Services\geyekrxvkopxep
    HKLM\SYSTEM\ControlSet003\Services\geyekrxvkopxep
    
    
    Run it and when it asks to restart reboot click yes.
    Your computer will reboot twice.

    That may not be all to removing it yet but it is a start if it works. Reply to tell me if it helped any and run new scans to see if anything was forgotten.

    Also Run CCleaner, it will delete all the temp files and folders where there may be leftover malware files. It still isn't 100% removed but it's a start, then continue running all scans and posting more logs.
     
  16. migTMC

    migTMC Member

    Joined:
    Sep 9, 2009
    Messages:
    77
    Likes Received:
    0
    Trophy Points:
    16

    I've unblocked Malwarebytes' Anti-Malware and SUPERAntiSpyware, but wasn't able to do so for HiJackThis and Internet Explorer. The blocking happened at the setup file which installs all the program, not the .exe file that runs the program (after install). Do you know how to overcome this?

    Also, I unblock ComboFix, but it goes back to being blocked straight away, it doesn't get unblocked. I haven't had that with any of the mentioned programs so it is strange.

    I have downloaded CCleaner and am doing a scan right now, will edit this post or make a new post with the results. Does seem like this infection/worm is real bad and can't be fully removed. Will reinstall XP tonight if I just can't find a total solution.

    I managed then to run a full scan with Malwarebytes' Anti-Malware and the results were the same as when I was able to run the first and only scan on Tuesday, before the program was blocked). The log is below:


    Malwarebytes' Anti-Malware 1.41
    Database version: 2784
    Windows 5.1.2600 Service Pack 2

    13/09/2009 9:52:31 AM
    mbam-log-2009-09-13 (09-52-31).txt

    Scan type: Full Scan (D:\|)
    Objects scanned: 198013
    Time elapsed: 1 hour(s), 52 minute(s), 34 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 5
    Registry Values Infected: 1
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 3

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{53e30863-280f-4cfa-99ab-55caeb95271c} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Bind (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Nvchost (Trojan.Goldun) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SystemSecurity2009 (Rogue.SystemSecurity) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StormCodec_Helper (Trojan.Agent) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    D:\WINDOWS\Tasks\{7B02EF0B-A410-4938-8480-9BA26420A627}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
    D:\WINDOWS\Tasks\{BB65B0FB-5712-401b-B616-E69AC55E2757}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
    D:\Ringz Studio\Storm Codec\StormSet.exe (Trojan.Agent) -> Quarantined and deleted successfully.
     
    Last edited: Sep 12, 2009
  17. justynf

    justynf Member

    Joined:
    Aug 31, 2009
    Messages:
    19
    Likes Received:
    0
    Trophy Points:
    11
    rename the setup file .src and try to run it. Tell me if that works. After partially removing the malware with malwarebytes and restarting your computer, does it allow you to run any programs that were being blocked before?
     
  18. justynf

    justynf Member

    Joined:
    Aug 31, 2009
    Messages:
    19
    Likes Received:
    0
    Trophy Points:
    11
    Forgot to add, sometimes it is a good idea to rename the programs before saving them to the computer, this can help sometimes if the malware service is blocking it by name or something.

    Anyways, another thing you can try is downloading and running silentrunners and posting the log.

    If you can get a list of startup services running on your computer we could figure out which ones are malware and try to disable them so you can try to run programs to finish removing the malware files.

    Hope this helps.
     
    Last edited: Sep 13, 2009
  19. migTMC

    migTMC Member

    Joined:
    Sep 9, 2009
    Messages:
    77
    Likes Received:
    0
    Trophy Points:
    16

    I can't run Silent Runners.vbs
    It opens it notepad,so I have to use command prompt. I followed the instructions in the FAQ on the site and I get the message in command prompt (DOS) that Silent Runners.vbs can not be found, yet I'm in the correct directory so it should be present.

    I still can't access IE, ComboFix and HiJackThis. I get the same error message saying I don't have access to those programs

     
  20. justynf

    justynf Member

    Joined:
    Aug 31, 2009
    Messages:
    19
    Likes Received:
    0
    Trophy Points:
    11
    Last thing I can think of to try to disable the Malware driver. If this works it will let you run certain scans I mentioned. The avenger and the script I gave, Etc.

    Go to Start > Run, Type and Copy paste this line:

    notepad "C:\Windows\System32\drivers\geyekrboiesmpr.sys"

    Select all that is shown when notepad opens, and delete it. Save it once done.

    Now open The Avenger and run the script I gave. Other programs as well if it lets you.
     

Share This Page