Rootkit "geyekrwoixtnxo" virus


Solved Rootkit "geyekrwoixtnxo" virus

Post by Nic on 3rd September 2009, 1:10 am

Hi,

I'm having a problem with this virus on my computer. I've run MBAM, Avast, and SpyBot and have been unable to get rid of the geyekrwoixtnxo virus and other things that come up in the virus scans. I follow the prompts to try to remove or repair the problems, but it is unsuccessful every time. Lately, I've been logging on to my computer only to have the screen go blue with a message to the effect of "not enough memory; physical dump of memory" appear on the screen. Any help would be greatly appreciated.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:41:24 PM, on 9/2/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dlcccoms.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Nicole Valerio\My Documents\Downloads\winlogon.scr

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {BF56A325-23F2-42AD-F4E4-00AAC39CAA53} - (no file)
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [dlccmon.exe] "C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DLCCCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - [You must be registered and logged in to see this link.]
O18 - Filter hijack: text/html - {c1e89fe8-4fc6-4e6d-a5dd-5559bf34a413} - (no file)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: dlcc_device - Unknown owner - C:\WINDOWS\system32\dlcccoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 9365 bytes


Solved Re: Rootkit "geyekrwoixtnxo" virus

Post by Belahzur on 3rd September 2009, 3:11 pm

Download the GMER rootkit scan from here: [You must be registered and logged in to see this link.]

  1. Unzip it and start GMER.
  2. Click the >>> tab and then click the Scan button.
  3. Once done, click the Copy button.
  4. This will copy the results to your clipboard.
  5. Paste the results in your next reply.
Note:
If you're having problems with running GMER.exe, try it in safe mode. This tool works in safe mode.
You can also try renaming it, since some malware blocks GMER.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.



Solved GMER 1 of 4

Post by Nic on 3rd September 2009, 11:38 pm

GMER 1.0.15.15077 [jxmhy99k.exe] - [You must be registered and logged in to see this link.]
Rootkit scan 2009-09-03 20:58:54
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.15 ----

Code 865030E8 ZwEnumerateKey
Code 865014A8 ZwFlushInstructionCache
Code 86507036 ZwSaveKey
Code 86506E96 ZwSaveKeyEx
Code 8650760E IofCallDriver
Code 865076E6 IofCompleteRequest

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!IofCallDriver 804EF1A0 5 Bytes JMP 86507613
.text ntkrnlpa.exe!IofCompleteRequest 804EF230 2 Bytes JMP 865076EB
.text ntkrnlpa.exe!IofCompleteRequest + 3 804EF233 2 Bytes [01, 06] {ADD [ESI], EAX}
PAGE ntkrnlpa.exe!ZwFlushInstructionCache 805B5642 5 Bytes JMP 865014AC
PAGE ntkrnlpa.exe!ZwSaveKey 80620A4A 5 Bytes JMP 8650703A
PAGE ntkrnlpa.exe!ZwSaveKeyEx 80620ADA 5 Bytes JMP 86506E9A
PAGE ntkrnlpa.exe!ZwEnumerateKey 80622DE0 5 Bytes JMP 865030EC

---- User code sections - GMER 1.0.15 ----


Last edited by Nic on 4th September 2009, 1:01 am; edited 2 times in total (Reason for editing : got gmer to work)


Solved GMER 2 of 4

Post by Nic on 4th September 2009, 12:59 am

.text C:\WINDOWS\Explorer.EXE[272] ntdll.dll!LdrLoadDll 7C915CD3 5 Bytes JMP 00C5000A
.text C:\WINDOWS\stsystra.exe[488] ntdll.dll!LdrLoadDll 7C915CD3 5 Bytes JMP 0098000A
.text C:\Program Files\Dell\Media Experience\DMXLauncher.exe[504] ntdll.dll!LdrLoadDll 7C915CD3 5 Bytes JMP 00A3000A
.text C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe[544] ntdll.dll!LdrLoadDll 7C915CD3 5 Bytes JMP 02A4000A
.text C:\WINDOWS\System32\DLA\DLACTRLW.EXE[556] ntdll.dll!LdrLoadDll 7C915CD3 5 Bytes JMP 02AD000A
.text ...

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs Tmpreflt.sys (Pre-Filter For XP/Trend Micro Inc.)
AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip tmtdi.sys (Trend Micro TDI Driver/Trend Micro Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp tmtdi.sys (Trend Micro TDI Driver/Trend Micro Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp tmtdi.sys (Trend Micro TDI Driver/Trend Micro Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp tmtdi.sys (Trend Micro TDI Driver/Trend Micro Inc.)
AttachedDevice \FileSystem\Fastfat \Fat Tmpreflt.sys (Pre-Filter For XP/Trend Micro Inc.)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)
---- Processes - GMER 1.0.15 ----


Last edited by Nic on 4th September 2009, 1:01 am; edited 1 time in total


Solved GMER 3 of 4

Post by Nic on 4th September 2009, 1:00 am

Library \\?\globalroot\systemroot\system32\geyekrwoixtnxo.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [272] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrwoixtnxo.dll (*** hidden *** ) @ C:\WINDOWS\stsystra.exe [488] 0x00960000
Library \\?\globalroot\systemroot\system32\geyekrwoixtnxo.dll (*** hidden *** ) @ C:\Program Files\Dell\Media Experience\DMXLauncher.exe [504] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrwoixtnxo.dll (*** hidden *** ) @ C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe [544] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrwoixtnxo.dll (*** hidden *** ) @ C:\WINDOWS\System32\DLA\DLACTRLW.EXE [556] 0x00A20000
Library \\?\globalroot\systemroot\system32\geyekrwoixtnxo.dll (*** hidden *** ) @ C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe [596] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrwoixtnxo.dll (*** hidden *** ) @ C:\Program Files\iTunes\iTunesHelper.exe [612] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrwoixtnxo.dll (*** hidden *** ) @ C:\Program Files\Windows Defender\MSASCui.exe [632] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrwoixtnxo.dll (*** hidden *** ) @ C:\WINDOWS\system32\winlogon.exe [656] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrwoixtnxo.dll (*** hidden *** ) @ C:\WINDOWS\system32\services.exe [704] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrwoixtnxo.dll (*** hidden *** ) @ C:\WINDOWS\system32\lsass.exe [724] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrwoixtnxo.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [852] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrwoixtnxo.dll (*** hidden *** ) @ C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe [868] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrwoixtnxo.dll (*** hidden *** ) @ C:\WINDOWS\system32\Ati2evxx.exe [988] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrwoixtnxo.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1112] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrwoixtnxo.dll (*** hidden *** ) @ C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe [1192] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrwoixtnxo.dll (*** hidden *** ) @ C:\WINDOWS\system32\ctfmon.exe [1200] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrwoixtnxo.dll (*** hidden *** ) @ C:\Program Files\Windows Defender\MsMpEng.exe [1216] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrwoixtnxo.dll (*** hidden *** ) @ C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [1228] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrwoixtnxo.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1256] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrwoixtnxo.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1328] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrwoixtnxo.dll (*** hidden *** ) @ C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [1404] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrwoixtnxo.dll (*** hidden *** ) @ C:\Program Files\Digital Line Detect\DLG.exe [1444] 0x00EC0000
Library \\?\globalroot\systemroot\system32\geyekrwoixtnxo.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1512] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrwoixtnxo.dll (*** hidden *** ) @ C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe [1580] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrwoixtnxo.dll (*** hidden *** ) @ C:\Program Files\iPod\bin\iPodService.exe [1600] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrwoixtnxo.dll (*** hidden *** ) @ C:\Program Files\Alwil Software\Avast4\ashServ.exe [1680] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrwoixtnxo.dll (*** hidden *** ) @ C:\Documents and Settings\Nicole Valerio\My Documents\Downloads\jxmhy99k.exe [1688] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrwoixtnxo.dll (*** hidden *** ) @ C:\WINDOWS\system32\spoolsv.exe [1904] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrwoixtnxo.dll (*** hidden *** ) @ C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2080] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrwoixtnxo.dll (*** hidden *** ) @ C:\WINDOWS\system32\dlcccoms.exe [2108] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrwoixtnxo.dll (*** hidden *** ) @ C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe [2132] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrwoixtnxo.dll (*** hidden *** ) @ C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2264] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrwoixtnxo.dll (*** hidden *** ) @ C:\Program Files\Bonjour\mDNSResponder.exe [2296] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrwoixtnxo.dll (*** hidden *** ) @ C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE [2364] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrwoixtnxo.dll (*** hidden *** ) @ C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe [2688] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrwoixtnxo.dll (*** hidden *** ) @ C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe [2720] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrwoixtnxo.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [2796] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrwoixtnxo.dll (*** hidden *** ) @ C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe [3000] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrwoixtnxo.dll (*** hidden *** ) @ C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe [3056] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrwoixtnxo.dll (*** hidden *** ) @ C:\WINDOWS\system32\wdfmgr.exe [3128] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrwoixtnxo.dll (*** hidden *** ) @ C:\Program Files\Viewpoint\Common\ViewpointService.exe [3160] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrwoixtnxo.dll (*** hidden *** ) @ C:\WINDOWS\system32\wuauclt.exe [3516] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrwoixtnxo.dll (*** hidden *** ) @ C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe [3648] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrwoixtnxo.dll (*** hidden *** ) @ C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe [4056] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrwoixtnxo.dll (*** hidden *** ) @ C:\Program Files\Alwil Software\Avast4\ashWebSv.exe [4084] 0x10000000

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\geyekrtjkvdbba.sys (*** hidden *** ) [SYSTEM] geyekrfultfqrs <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----


Solved GMER 4 of 4

Post by Nic on 4th September 2009, 1:00 am

Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrfultfqrs
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrfultfqrs@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrfultfqrs@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrfultfqrs@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrfultfqrs@imagepath \systemroot\system32\drivers\geyekrtjkvdbba.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrfultfqrs\main
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrfultfqrs\main@aid 10002
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrfultfqrs\main@sid 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrfultfqrs\main@cmddelay 14400
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrfultfqrs\main\delete
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrfultfqrs\main\injector
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrfultfqrs\main\injector@* geyekrwsp.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrfultfqrs\main\tasks
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrfultfqrs\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrfultfqrs\modules@geyekrrk.sys \systemroot\system32\drivers\geyekrtjkvdbba.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrfultfqrs\modules@geyekrcmd.dll \systemroot\system32\geyekritltmqmp.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrfultfqrs\modules@geyekrlog.dat \systemroot\system32\geyekrjinswwup.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrfultfqrs\modules@geyekrwsp.dll \systemroot\system32\geyekrwoixtnxo.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrfultfqrs\modules@geyekr.dat \systemroot\system32\geyekrjduxbrfo.dat
Reg HKLM\SYSTEM\ControlSet003\Services\geyekrfultfqrs (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\geyekrfultfqrs@start 1
Reg HKLM\SYSTEM\ControlSet003\Services\geyekrfultfqrs@type 1
Reg HKLM\SYSTEM\ControlSet003\Services\geyekrfultfqrs@group file system
Reg HKLM\SYSTEM\ControlSet003\Services\geyekrfultfqrs@imagepath \systemroot\system32\drivers\geyekrtjkvdbba.sys
Reg HKLM\SYSTEM\ControlSet003\Services\geyekrfultfqrs\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\geyekrfultfqrs\main@aid 10002
Reg HKLM\SYSTEM\ControlSet003\Services\geyekrfultfqrs\main@sid 0
Reg HKLM\SYSTEM\ControlSet003\Services\geyekrfultfqrs\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet003\Services\geyekrfultfqrs\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\geyekrfultfqrs\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\geyekrfultfqrs\main\injector@* geyekrwsp.dll
Reg HKLM\SYSTEM\ControlSet003\Services\geyekrfultfqrs\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\geyekrfultfqrs\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\geyekrfultfqrs\modules@geyekrrk.sys \systemroot\system32\drivers\geyekrtjkvdbba.sys
Reg HKLM\SYSTEM\ControlSet003\Services\geyekrfultfqrs\modules@geyekrcmd.dll \systemroot\system32\geyekritltmqmp.dll
Reg HKLM\SYSTEM\ControlSet003\Services\geyekrfultfqrs\modules@geyekrlog.dat \systemroot\system32\geyekrjinswwup.dat
Reg HKLM\SYSTEM\ControlSet003\Services\geyekrfultfqrs\modules@geyekrwsp.dll \systemroot\system32\geyekrwoixtnxo.dll
Reg HKLM\SYSTEM\ControlSet003\Services\geyekrfultfqrs\modules@geyekr.dat \systemroot\system32\geyekrjduxbrfo.dat

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\geyekrtjkvdbba.sys 70144 bytes <-- ROOTKIT !!!
File C:\WINDOWS\system32\geyekritltmqmp.dll 43520 bytes
File C:\WINDOWS\system32\geyekrjduxbrfo.dat 43 bytes
File C:\WINDOWS\system32\geyekrjinswwup.dat 136162 bytes
File C:\WINDOWS\system32\geyekrwoixtnxo.dll 18432 bytes
File C:\WINDOWS\Temp\geyekripkpuxnseb.tmp 43 bytes

---- EOF - GMER 1.0.15 ----

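The four GMER posts above are the raw material a helper has to turn into a removal script. As an added example (not from this thread, and not GMER's or Avenger's own code), the parser below pulls the hidden service, the injected library with its host processes, the service's registry keys and the Files section out of a GMER 1.0.15 log in this format and emits Avenger's four script sections. It assumes %SystemRoot% is C:\WINDOWS, as the HijackThis log earlier in the thread shows.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: a subset of the GMER 1.0.15 log posted in this thread,
# kept in GMER's exact line format (values are the ones the scan reported).
SAMPLE_GMER_LOG = r"""
---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\systemroot\system32\geyekrwoixtnxo.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [272] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrwoixtnxo.dll (*** hidden *** ) @ C:\WINDOWS\system32\winlogon.exe [656] 0x10000000

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\geyekrtjkvdbba.sys (*** hidden *** ) [SYSTEM] geyekrfultfqrs <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrfultfqrs
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrfultfqrs@imagepath \systemroot\system32\drivers\geyekrtjkvdbba.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrfultfqrs\modules@geyekrwsp.dll \systemroot\system32\geyekrwoixtnxo.dll
Reg HKLM\SYSTEM\ControlSet003\Services\geyekrfultfqrs (not active ControlSet)

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\geyekrtjkvdbba.sys 70144 bytes <-- ROOTKIT !!!
File C:\WINDOWS\system32\geyekrwoixtnxo.dll 18432 bytes
File C:\WINDOWS\Temp\geyekripkpuxnseb.tmp 43 bytes
"""

SECTION_RE = re.compile(r"^---- (.+?) - GMER")
LIBRARY_RE = re.compile(r"^Library (\S+) \(\*\*\* hidden \*\*\* \) @ (.+) \[(\d+)\] 0x[0-9A-Fa-f]+$")
SERVICE_RE = re.compile(r"^Service (\S+) \(\*\*\* hidden \*\*\* \) \[\w+\] (\S+)")
REG_RE = re.compile(r"^Reg (\S+)")
# The service's own key under any control set: HKLM\SYSTEM\<set>\Services\<name>
SERVICE_KEY_RE = re.compile(
    r"^(HKLM\\SYSTEM\\(?:CurrentControlSet|ControlSet\d+)\\Services\\([^\\@]+))", re.IGNORECASE)
FILE_RE = re.compile(r"^File (.+?) (\d+) bytes")


@dataclass
class GmerFindings:
    hidden_libraries: dict = field(default_factory=dict)  # dll path -> [(host process, pid)]
    hidden_services: dict = field(default_factory=dict)   # service name -> driver image path
    service_keys: list = field(default_factory=list)      # registry keys of hidden services
    files: list = field(default_factory=list)             # (path, size) from the Files section


def parse_gmer_log(text: str) -> GmerFindings:
    """Walk the log section by section. GMER prints Services before Registry,
    so the hidden service names are known by the time their keys are seen."""
    f = GmerFindings()
    section = None
    for line in text.splitlines():
        line = line.rstrip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if section == "Processes" and (m := LIBRARY_RE.match(line)):
            f.hidden_libraries.setdefault(m.group(1), []).append((m.group(2), int(m.group(3))))
        elif section == "Services" and (m := SERVICE_RE.match(line)):
            f.hidden_services[m.group(2)] = m.group(1)
        elif section == "Registry" and (m := REG_RE.match(line)):
            k = SERVICE_KEY_RE.match(m.group(1))
            hidden = {s.lower() for s in f.hidden_services}
            if k and k.group(2).lower() in hidden and k.group(1) not in f.service_keys:
                f.service_keys.append(k.group(1))
        elif section == "Files" and (m := FILE_RE.match(line)):
            f.files.append((m.group(1), int(m.group(2))))
    return f


def to_win32_path(path: str, systemroot: str = r"C:\WINDOWS") -> str:
    """Map GMER's globalroot/systemroot spelling to the drive-letter path Avenger
    expects. The C:\\WINDOWS default is an assumption taken from the HijackThis log."""
    prefix = r"\\?\globalroot\systemroot"
    if path.lower().startswith(prefix.lower()):
        return systemroot + path[len(prefix):]
    return path


def build_avenger_script(f: GmerFindings) -> str:
    """Emit the four Avenger sections in the same shape as the helper's script."""
    drivers = list(f.hidden_services)
    files = []
    for path in [p for p, _ in f.files] + [to_win32_path(p) for p in f.hidden_libraries]:
        if path not in files:          # hidden DLLs normally also appear under Files
            files.append(path)
    blocks = [
        ("Drivers to disable:", drivers),
        ("Drivers to delete:", drivers),
        ("Files to delete:", files),
        ("Registry keys to delete:", f.service_keys),
    ]
    return "\n\n".join(head + "\n" + "\n".join(items) for head, items in blocks if items) + "\n"
```

Running `build_avenger_script(parse_gmer_log(SAMPLE_GMER_LOG))` reproduces the section layout of the script in the next reply, with the same driver, files and two registry keys.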

Solved Re: Rootkit "geyekrwoixtnxo" virus

Post by Belahzur on 4th September 2009, 3:33 pm

Hello.

1. Please download The Avenger by Swandog46 to your Desktop
Link: [You must be registered and logged in to see this link.]

  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C).


Drivers to disable:
geyekrfultfqrs

Drivers to delete:
geyekrfultfqrs

Files to delete:
C:\WINDOWS\system32\drivers\geyekrtjkvdbba.sys
C:\WINDOWS\system32\geyekritltmqmp.dll
C:\WINDOWS\system32\geyekrjduxbrfo.dat
C:\WINDOWS\system32\geyekrjinswwup.dat
C:\WINDOWS\system32\geyekrwoixtnxo.dll
C:\WINDOWS\Temp\geyekripkpuxnseb.tmp

Registry keys to delete:
HKLM\SYSTEM\CurrentControlSet\Services\geyekrfultfqrs
HKLM\SYSTEM\ControlSet003\Services\geyekrfultfqrs

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.

  • Under "Input script here:", paste in the script from the quote box above.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on the Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop; this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
4. Please copy/paste the content of c:\avenger.txt into your reply.





Solved Avenger

Post by Nic on 8th September 2009, 1:00 am

Logfile of The Avenger Version 2.0, (c) by Swandog46
[You must be registered and logged in to see this link.]

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Disablement of driver "geyekrfultfqrs" failed!
Status: 0xc0000001 (STATUS_UNSUCCESSFUL)

Driver "geyekrfultfqrs" deleted successfully.

Error: could not delete file "C:\WINDOWS\system32\drivers\geyekrtjkvdbba.sys"
Deletion of file "C:\WINDOWS\system32\drivers\geyekrtjkvdbba.sys" failed!
Status: 0xc0000156


Error: could not delete file "C:\WINDOWS\system32\geyekritltmqmp.dll"
Deletion of file "C:\WINDOWS\system32\geyekritltmqmp.dll" failed!
Status: 0xc0000156


Error: could not delete file "C:\WINDOWS\system32\geyekrjduxbrfo.dat"
Deletion of file "C:\WINDOWS\system32\geyekrjduxbrfo.dat" failed!
Status: 0xc0000156


Error: could not delete file "C:\WINDOWS\system32\geyekrjinswwup.dat"
Deletion of file "C:\WINDOWS\system32\geyekrjinswwup.dat" failed!
Status: 0xc0000156


Error: could not delete file "C:\WINDOWS\system32\geyekrwoixtnxo.dll"
Deletion of file "C:\WINDOWS\system32\geyekrwoixtnxo.dll" failed!
Status: 0xc0000156


Error: file "C:\WINDOWS\Temp\geyekripkpuxnseb.tmp" not found!
Deletion of file "C:\WINDOWS\Temp\geyekripkpuxnseb.tmp" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "HKLM\SYSTEM\CurrentControlSet\Services\geyekrfultfqrs" not found!
Deletion of registry key "HKLM\SYSTEM\CurrentControlSet\Services\geyekrfultfqrs" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Registry key "HKLM\SYSTEM\ControlSet003\Services\geyekrfultfqrs" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

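A mechanical reading of that first Avenger log, as an added example (not from this thread or from Avenger's author): it pairs each failure line with the Status line that follows it, separates "object not found" (nothing left to remove) from real failures, and builds a second-pass script from what remains. The status names used are only the ones Avenger itself printed above.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the outcome lines from the first Avenger log in this thread,
# in the tool's own wording (banner, script and backup lines omitted).
SAMPLE_AVENGER_LOG = r"""
Disablement of driver "geyekrfultfqrs" failed!
Status: 0xc0000001 (STATUS_UNSUCCESSFUL)

Driver "geyekrfultfqrs" deleted successfully.

Error: could not delete file "C:\WINDOWS\system32\drivers\geyekrtjkvdbba.sys"
Deletion of file "C:\WINDOWS\system32\drivers\geyekrtjkvdbba.sys" failed!
Status: 0xc0000156

Error: could not delete file "C:\WINDOWS\system32\geyekrwoixtnxo.dll"
Deletion of file "C:\WINDOWS\system32\geyekrwoixtnxo.dll" failed!
Status: 0xc0000156

Error: file "C:\WINDOWS\Temp\geyekripkpuxnseb.tmp" not found!
Deletion of file "C:\WINDOWS\Temp\geyekripkpuxnseb.tmp" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Error: registry key "HKLM\SYSTEM\CurrentControlSet\Services\geyekrfultfqrs" not found!
Deletion of registry key "HKLM\SYSTEM\CurrentControlSet\Services\geyekrfultfqrs" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Registry key "HKLM\SYSTEM\ControlSet003\Services\geyekrfultfqrs" deleted successfully.
"""

FAIL_RE = re.compile(r'^(Disablement of driver|Deletion of file|Deletion of registry key) "(.+)" failed!$')
OK_RE = re.compile(r'^(Driver|File|Registry key) "(.+)" deleted successfully\.$')
STATUS_RE = re.compile(r"^Status: (0x[0-9A-Fa-f]{8})")

ACTIONS = {
    "Disablement of driver": "disable driver",
    "Deletion of file": "delete file",
    "Deletion of registry key": "delete registry key",
    "Driver": "delete driver",
    "File": "delete file",
    "Registry key": "delete registry key",
}
# Printed by Avenger when the object was already gone: nothing is left to remove.
STATUS_OBJECT_NAME_NOT_FOUND = "0xc0000034"


@dataclass
class AvengerResult:
    action: str
    target: str
    ok: bool
    status: Optional[str] = None   # NTSTATUS as printed, taken from the following "Status:" line


def parse_avenger_log(text: str) -> List[AvengerResult]:
    results: List[AvengerResult] = []
    pending: Optional[AvengerResult] = None   # last failure still waiting for its Status line
    for raw in text.splitlines():
        line = raw.strip()
        if m := FAIL_RE.match(line):
            pending = AvengerResult(ACTIONS[m.group(1)], m.group(2), False)
            results.append(pending)
        elif (m := STATUS_RE.match(line)) and pending is not None:
            pending.status = m.group(1).lower()
            pending = None
        elif m := OK_RE.match(line):
            results.append(AvengerResult(ACTIONS[m.group(1)], m.group(2), True))
    return results


def unfinished(results: List[AvengerResult]) -> List[AvengerResult]:
    """Failures that still need attention: anything that failed for a reason
    other than the object already being absent."""
    return [r for r in results if not r.ok and r.status != STATUS_OBJECT_NAME_NOT_FOUND]


def follow_up_script(results: List[AvengerResult]) -> str:
    """Second-pass Avenger script holding only the files and keys that survived."""
    left = unfinished(results)
    blocks = [
        ("Files to delete:", [r.target for r in left if r.action == "delete file"]),
        ("Registry keys to delete:", [r.target for r in left if r.action == "delete registry key"]),
    ]
    return "\n\n".join(head + "\n" + "\n".join(items) for head, items in blocks if items) + "\n"
```

On this sample, `unfinished()` reports the failed driver disablement plus the two files with status 0xc0000156, and `follow_up_script()` drops the .tmp file and the CurrentControlSet key that were already gone.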

Solved Re: Rootkit "geyekrwoixtnxo" virus

Post by Belahzur on 8th September 2009, 1:40 am

Hello.
Go to Start > Run. In the run box, copy and paste in the following.

notepad "C:\WINDOWS\system32\drivers\geyekrtjkvdbba.sys"

Notepad will open with a bunch of random rubbish letters; this is normal.
Press and hold the control (Ctrl) button, then hit the A key to select all.

Now hit the backspace key to delete everything so the file should now be blank.
Go to the File menu, hit Save.

Now let's see how this goes.

1. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C).


Files to delete:
C:\WINDOWS\system32\drivers\geyekrtjkvdbba.sys
C:\WINDOWS\system32\geyekritltmqmp.dll
C:\WINDOWS\system32\geyekrjduxbrfo.dat
C:\WINDOWS\system32\geyekrjinswwup.dat
C:\WINDOWS\system32\geyekrwoixtnxo.dll

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


2. Now, start The Avenger program by clicking on its icon on your desktop.

  • Under "Input script here:", paste in the script from the quote box above.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on the Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop; this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
3. Please copy/paste the content of c:\avenger.txt into your reply.


Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Posts: 34918 | Joined: 2008-08-03 | Gender: Male | OS: 7 Home Premium x64 | Points: 245091 | Likes: 1

Solved Avenger

Post by Nic on 8th September 2009, 1:50 am

Logfile of The Avenger Version 2.0, (c) by Swandog46
[You must be registered and logged in to see this link.]

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

Hidden driver "geyekrfultfqrs" found!
ImagePath: \systemroot\system32\drivers\geyekrtjkvdbba.sys
Driver disabled successfully.

Rootkit scan completed.

File "C:\WINDOWS\system32\drivers\geyekrtjkvdbba.sys" deleted successfully.
File "C:\WINDOWS\system32\geyekritltmqmp.dll" deleted successfully.
File "C:\WINDOWS\system32\geyekrjduxbrfo.dat" deleted successfully.
File "C:\WINDOWS\system32\geyekrjinswwup.dat" deleted successfully.
File "C:\WINDOWS\system32\geyekrwoixtnxo.dll" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

Nic
Novice
Posts: 11 | Joined: 2009-09-03 | OS: XP | Points: 26543 | Likes: 0
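One thing worth doing with a log like the one above is to check it mechanically against the script that was submitted: every path under "Files to delete:" should come back as "deleted successfully", and the hidden driver's ImagePath (reported in NT form, `\systemroot\...`) should resolve to one of those paths. The script below is an added example for this thread, not part of The Avenger and not the helper's code; the script and log text are copied from the two posts above and embedded as constructed sample input, and SYSTEM_ROOT is an assumption taken from the C:\WINDOWS paths in the log.

```python
"""Cross-check an Avenger run against the script it was given.
Added example; not part of The Avenger nor the helper's code.  Script and
log are copied from the posts above as constructed sample input.
SYSTEM_ROOT is an assumption (the posted log shows C:\\WINDOWS)."""
import re

SYSTEM_ROOT = "c:\\windows"

AVENGER_SCRIPT = r"""Files to delete:
C:\WINDOWS\system32\drivers\geyekrtjkvdbba.sys
C:\WINDOWS\system32\geyekritltmqmp.dll
C:\WINDOWS\system32\geyekrjduxbrfo.dat
C:\WINDOWS\system32\geyekrjinswwup.dat
C:\WINDOWS\system32\geyekrwoixtnxo.dll
"""

AVENGER_LOG = r"""Rootkit scan active.
Hidden driver "geyekrfultfqrs" found!
ImagePath: \systemroot\system32\drivers\geyekrtjkvdbba.sys
Driver disabled successfully.
Rootkit scan completed.
File "C:\WINDOWS\system32\drivers\geyekrtjkvdbba.sys" deleted successfully.
File "C:\WINDOWS\system32\geyekritltmqmp.dll" deleted successfully.
File "C:\WINDOWS\system32\geyekrjduxbrfo.dat" deleted successfully.
File "C:\WINDOWS\system32\geyekrjinswwup.dat" deleted successfully.
File "C:\WINDOWS\system32\geyekrwoixtnxo.dll" deleted successfully.
Completed script processing.
"""

HIDDEN_RE = re.compile(r'^Hidden driver "(?P<name>[^"]+)" found!')
IMAGE_RE = re.compile(r'^ImagePath:\s*(?P<path>\S+)')
FILE_RE = re.compile(r'^File "(?P<path>[^"]+)" (?P<result>.+?)\.?$')


def normalize(path):
    """Lower-case a path and rewrite the NT-style prefixes a driver's
    ImagePath uses so it compares equal to the Win32 path in the script."""
    p = path.strip().lower()
    for prefix in ("\\systemroot\\", "%systemroot%\\", "\\??\\" + SYSTEM_ROOT + "\\"):
        if p.startswith(prefix):
            return SYSTEM_ROOT + "\\" + p[len(prefix):]
    return p


def requested_files(script):
    """Normalized paths listed under the script's 'Files to delete:' heading."""
    files, section = [], None
    for line in script.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.endswith(":"):           # section heading, e.g. 'Files to delete:'
            section = line[:-1].lower()
            continue
        if section == "files to delete":
            files.append(normalize(line))
    return files


def parse_log(log):
    """Hidden-driver hits and per-file results from avenger.txt."""
    drivers, files, current = [], {}, None
    for line in log.splitlines():
        m = HIDDEN_RE.match(line)
        if m:
            current = {"name": m["name"], "image": None, "disabled": False}
            drivers.append(current)
            continue
        m = IMAGE_RE.match(line)
        if m and current:
            current["image"] = normalize(m["path"])
            continue
        if line.startswith("Driver disabled successfully") and current:
            current["disabled"] = True
            continue
        m = FILE_RE.match(line)
        if m:   # any result other than "deleted successfully" counts as a failure
            files[normalize(m["path"])] = m["result"]
    return drivers, files


def verify(script, log):
    wanted = requested_files(script)
    drivers, files = parse_log(log)
    report = {"deleted": [], "not_deleted": [], "unreported": [], "drivers": []}
    for f in wanted:
        result = files.get(f)
        if result is None:
            report["unreported"].append(f)
        elif result == "deleted successfully":
            report["deleted"].append(f)
        else:
            report["not_deleted"].append((f, result))
    for d in drivers:
        report["drivers"].append({
            "name": d["name"], "disabled": d["disabled"],
            "image_in_script": d["image"] in wanted,
            "image_deleted": files.get(d["image"]) == "deleted successfully"})
    return report


def clean(report):
    """True when every requested file is gone and each hidden driver was
    both disabled and had its image file removed."""
    return (not report["not_deleted"] and not report["unreported"]
            and all(d["disabled"] and d["image_deleted"] for d in report["drivers"]))
```

Run `verify(AVENGER_SCRIPT, AVENGER_LOG)` on the posted text and `clean()` is true: five deletions, one hidden driver whose image was in the script and was deleted. Dropping any one "deleted successfully" line makes that file show up under `unreported` and the run is flagged for follow-up, which is the case where a helper would re-issue the script rather than move on.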

Solved Re: Rootkit "geyekrwoixtnxo" virus

Post by Belahzur on 8th September 2009, 1:54 am

Hello.

  • Download combofix from here
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]

    1. If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

    2. During the download, rename Combofix to Combo-Fix as follows:

    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See [You must be registered and logged in to see this link.] for how to disable your AV.
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.

  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select yes

  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.




Belahzur
Administrator
Posts: 34918 | Joined: 2008-08-03 | Gender: Male | OS: 7 Home Premium x64 | Points: 245091 | Likes: 1

Solved Combo-Fix log

Post by Nic on 8th September 2009, 2:27 am

ComboFix 09-09-07.03 - Nicole Valerio 09/07/2009 22:16.1.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1022.633 [GMT -4:00]
Running from: c:\documents and settings\Nicole Valerio\My Documents\Downloads\Combo-Fix.exe
AV: avast! antivirus 4.8.1351 [VPS 090907-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: Trend Micro PC-cillin Internet Security *On-access scanning disabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: Trend Micro PC-cillin Internet Security (Firewall) *enabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Common
c:\program files\Common\_helper.sig
c:\windows\system32\404Fix.exe
c:\windows\system32\Agent.OMZ.Fix.exe
c:\windows\system32\dumphive.exe
c:\windows\system32\IEDFix.C.exe
c:\windows\system32\IEDFix.exe
c:\windows\system32\o4Patch.exe
c:\windows\system32\Process.exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\tmp.reg
c:\windows\system32\VACFix.exe
c:\windows\system32\VCCLSID.exe
c:\windows\system32\WS2Fix.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6TO4
-------\Legacy_geyekrfultfqrs
-------\Legacy_PCMSTUB
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}
-------\Service_6to4
-------\Service_geyekrfultfqrs


((((((((((((((((((((((((( Files Created from 2009-08-08 to 2009-09-08 )))))))))))))))))))))))))))))))
.

2009-09-04 11:57 . 2009-09-04 16:17 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-09-04 00:04 . 2009-09-04 00:04 -------- d-----w- C:\VundoFix Backups
2009-09-03 00:57 . 2009-09-03 00:57 -------- d-----w- c:\program files\Common Files\Adobe
2009-09-03 00:56 . 2009-09-03 00:56 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-09-03 00:55 . 2009-09-03 11:49 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-09-03 00:47 . 2009-09-03 00:52 -------- d-----w- c:\documents and settings\Nicole Valerio\.SunDownloadManager
2009-09-02 22:49 . 2009-09-02 22:49 -------- d-----w- c:\documents and settings\Nicole Valerio\Local Settings\Application Data\{DE7A88A0-9A60-4F1C-BBEF-AF3189B2ADE3}
2009-09-02 10:56 . 2009-09-02 10:56 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Yahoo!
2009-08-17 22:19 . 2009-08-17 22:19 -------- d-----w- c:\documents and settings\Nicole Valerio\Application Data\Yahoo!
2009-08-17 22:19 . 2009-09-04 16:18 -------- d-----w- c:\program files\Yahoo!
2009-08-17 22:19 . 2009-08-17 22:20 -------- d-----w- c:\program files\CCleaner
2009-08-13 12:18 . 2009-08-13 12:18 -------- d-----w- c:\windows\ServicePackFiles
2009-08-13 10:59 . 2009-06-05 07:42 655872 ------w- c:\windows\system32\dllcache\mstscax.dll
2009-08-13 00:48 . 2009-08-17 16:04 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-08-13 00:48 . 2009-08-17 16:04 51376 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-08-13 00:48 . 2009-08-17 16:03 26944 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-08-13 00:48 . 2009-08-17 16:02 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-08-13 00:47 . 2009-08-17 16:06 93392 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-08-13 00:47 . 2009-08-17 16:06 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-08-13 00:47 . 2009-08-17 16:05 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-08-13 00:47 . 2009-08-17 16:05 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-08-13 00:47 . 2009-08-17 16:10 1279456 ----a-w- c:\windows\system32\aswBoot.exe
2009-08-13 00:47 . 2009-08-13 00:47 -------- d-----w- c:\program files\Alwil Software
2009-08-11 00:06 . 2009-08-11 00:06 -------- d-----w- c:\documents and settings\Nicole Valerio\Local Settings\Application Data\Identities

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-08 00:49 . 2008-01-02 01:24 -------- d-----w- c:\program files\Dl_cats
2009-09-04 16:24 . 2007-12-28 18:57 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-04 16:24 . 2007-12-28 18:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-09-04 16:15 . 2006-09-13 07:11 -------- d-----w- c:\program files\Google
2009-09-04 16:15 . 2006-09-13 06:59 -------- d-----w- c:\program files\Dell
2009-09-04 16:13 . 2006-09-13 07:03 -------- d-----w- c:\program files\Common Files\AOL
2009-09-04 16:13 . 2006-09-13 07:03 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL
2009-08-14 10:58 . 2009-09-04 11:58 7396 ----a-w- c:\windows\system32\drivers\pctcore.cat
2009-08-12 01:18 . 2009-08-03 00:43 -------- d-----w- c:\program files\Bonjour
2009-08-07 02:36 . 2009-01-05 03:16 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-05 09:11 . 2004-08-10 16:51 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-03 17:36 . 2009-01-05 03:16 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 17:36 . 2009-01-05 03:16 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-03 00:44 . 2009-08-03 00:44 -------- d-----w- c:\documents and settings\Nicole Valerio\Application Data\Apple Computer
2009-08-03 00:44 . 2009-08-03 00:43 -------- d-----w- c:\program files\iTunes
2009-08-03 00:44 . 2009-08-03 00:43 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-08-03 00:43 . 2009-08-03 00:43 -------- d-----w- c:\program files\iPod
2009-08-03 00:43 . 2009-08-03 00:42 -------- d-----w- c:\program files\Common Files\Apple
2009-08-03 00:43 . 2009-08-03 00:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-08-03 00:43 . 2009-08-03 00:42 -------- d-----w- c:\program files\QuickTime
2009-08-03 00:42 . 2009-08-03 00:42 -------- d-----w- c:\program files\Apple Software Update
2009-08-03 00:42 . 2009-08-03 00:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-07-17 18:55 . 2004-08-10 16:50 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 14:08 . 2004-08-10 16:51 286720 ----a-w- c:\windows\system32\wmpdxm.dll
2009-06-29 16:12 . 2004-08-10 16:51 827392 ----a-w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2004-08-10 16:51 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 2004-08-10 16:50 17408 ------w- c:\windows\system32\corpol.dll
2009-06-16 14:55 . 2004-08-10 16:51 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:55 . 2004-08-10 16:51 82432 ----a-w- c:\windows\system32\fontsub.dll
2009-06-12 11:50 . 2004-08-10 16:51 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:21 . 2004-08-10 16:50 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 06:32 . 2004-08-10 16:51 132096 ----a-w- c:\windows\system32\wkssvc.dll
2008-01-08 01:37 . 2007-12-28 17:43 88 --sh--r- c:\windows\system32\A342E58E19.sys
2008-01-08 01:38 . 2007-12-28 17:43 3558 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OE_OEM"="c:\program files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe" [2006-04-12 176201]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-06 344064]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-11-01 94208]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"pccguide.exe"="c:\program files\Trend Micro\Internet Security 12\pccguide.exe" [2005-08-30 823362]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"dlccmon.exe"="c:\program files\Dell Photo AIO Printer 924\dlccmon.exe" [2005-07-22 425984]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"DLCCCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll" [2005-06-07 69632]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-08-17 81000]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-02-10 282624]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-9-13 24576]
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-5-3 81920]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [8/12/2009 8:47 PM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [8/12/2009 8:47 PM 20560]
R2 Tmfilter;Tmfilter;c:\windows\system32\drivers\tmxpflt.sys [8/30/2005 4:47 PM 205328]
R2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\TRENDM~1\INTERN~1\Tmntsrv.exe [8/30/2005 4:47 PM 290889]
R2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe [8/30/2005 4:47 PM 585792]
R2 Tmpreflt;Tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [8/30/2005 4:47 PM 36368]
R2 tmproxy;Trend Micro Proxy Service;c:\progra~1\TRENDM~1\INTERN~1\tmproxy.exe [8/30/2005 4:47 PM 262215]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [12/28/2007 3:08 PM 24652]
S2 pzxpci;pzxpci;c:\windows\system32\drivers\jyrcpj.sys --> c:\windows\system32\drivers\jyrcpj.sys [?]
S2 rayd;rayd;c:\windows\system32\drivers\zrbkkpn.sys --> c:\windows\system32\drivers\zrbkkpn.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2009-08-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
HKCU-Run-Aim6 - (no file)


.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: musicmatch.com\online
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-09-07 22:22
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLCCCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3220)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
c:\progra~1\TRENDM~1\INTERN~1\PcCtlCom.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\dlcccoms.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-09-08 22:25 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-08 02:25

Pre-Run: 130,910,986,240 bytes free
Post-Run: 130,957,418,496 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

227 --- E O F --- 2009-09-03 22:02

Nic
Novice
Posts: 11 | Joined: 2009-09-03 | OS: XP | Points: 26543 | Likes: 0

Solved Re: Rootkit "geyekrwoixtnxo" virus

Post by Belahzur on 8th September 2009, 2:36 pm

Hello.

Now open a new notepad file.
Input this into the notepad file:

Folder::
C:\VundoFix Backups
c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}

Registry::
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"=-

Driver::
pzxpci
rayd

RegLock::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open combofix again, agree to its terms and allow it to run.
It may want to reboot after it's done. (It will warn you if it wants to)
Post the resulting log back here.




Belahzur
Administrator
Posts: 34918 | Joined: 2008-08-03 | Gender: Male | OS: 7 Home Premium x64 | Points: 245091 | Likes: 1
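The CFScript above came straight out of the first ComboFix log: the two `S2` services whose line reads `path --> path [?]` (pzxpci and rayd, both pointing at driver files that are not on disk) become the `Driver::` section, and the registry and policy lines are read for settings that weaken the machine. The script below is an added example that does that triage over the posted lines; it is not ComboFix's code and not the helper's. The sample lines are copied from the log above, and the reading of ComboFix's notation is an assumption: a service line ending in `[?]` is taken to mean the service is still registered but its image file could not be found.

```python
"""Triage the service lines and security-related registry lines of a
ComboFix log and draft the Driver:: section of a CFScript from the services
whose binary is missing.  Added example; not ComboFix's code nor the
helper's.  Sample lines are copied from the posted log.  Assumption: a line
'S2 name;name;path --> path [?]' marks a service whose image is not on disk."""
import re

COMBOFIX_EXCERPT = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [8/12/2009 8:47 PM 114768]
R2 Tmfilter;Tmfilter;c:\windows\system32\drivers\tmxpflt.sys [8/30/2005 4:47 PM 205328]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [12/28/2007 3:08 PM 24652]
S2 pzxpci;pzxpci;c:\windows\system32\drivers\jyrcpj.sys --> c:\windows\system32\drivers\jyrcpj.sys [?]
S2 rayd;rayd;c:\windows\system32\drivers\zrbkkpn.sys --> c:\windows\system32\drivers\zrbkkpn.sys [?]
"""

# R = running, S = stopped; the digit is the service start type (2 = automatic).
SERVICE_RE = re.compile(r"^(?P<state>[RS])(?P<start>\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$")
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.+)$')


def parse_services(text):
    """One dict per service/driver line, with the image path and a
    'missing' flag for the '--> path [?]' form."""
    out = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if not m:
            continue
        rest = m["rest"].strip()
        missing = rest.endswith("[?]")
        path = rest.split(" --> ")[0]
        if not missing:
            path = path.rsplit(" [", 1)[0]      # drop the '[date size]' suffix
        out.append({"name": m["name"], "state": m["state"], "start": int(m["start"]),
                    "path": path, "missing": missing})
    return out


def parse_registry(text):
    """Map (key, value name), both lower-cased, to the raw value text."""
    values, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m["key"].lower()
            continue
        m = VALUE_RE.match(line)
        if m and key:
            values[(key, m["name"].lower())] = m["value"].strip()
    return values


def reg_int(raw):
    """'dword:00000001' -> 1 and '0 (0x0)' -> 0, the two spellings in the log."""
    return int(raw[6:], 16) if raw.startswith("dword:") else int(raw.split()[0])


def triage(text):
    findings, suspects = [], []
    for s in parse_services(text):
        if s["missing"]:
            suspects.append(s["name"])
            findings.append(f"service '{s['name']}' registered but image missing: {s['path']}")
    for (key, name), raw in parse_registry(text).items():
        leaf = key.rsplit("\\", 1)[-1]
        if name == "disablemonitoring" and "security center\\monitoring" in key and reg_int(raw) == 1:
            findings.append(f"Security Center monitoring disabled for {leaf}")
        if name == "enablefirewall" and "firewallpolicy" in key and reg_int(raw) == 0:
            findings.append(f"Windows Firewall off in {leaf}")
    return {"suspects": suspects, "findings": findings}


def cfscript_drivers(names):
    """The Driver:: section of a CFScript for the given service names."""
    return "Driver::\n" + "".join(n + "\n" for n in names) if names else ""
```

On the posted excerpt `triage()` returns `pzxpci` and `rayd` as suspects, and `cfscript_drivers()` reproduces the `Driver::` section of the CFScript above. The registry findings are observations, not removals: a third-party suite normally sets `DisableMonitoring=1` so XP's Security Center stops nagging, and the same log reports the Trend Micro firewall as enabled, so those entries are expected here and the helper left them alone. Before deleting a `[?]` service on a live box, confirm what the SCM still has registered with `sc qc <name>`.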

Solved ComboFix Log

Post by Nic on 8th September 2009, 10:57 pm

ComboFix 09-09-07.03 - Nicole Valerio 09/08/2009 18:43.2.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1022.505 [GMT -4:00]
Running from: c:\documents and settings\Nicole Valerio\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Nicole Valerio\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1351 [VPS 090908-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: Trend Micro PC-cillin Internet Security *On-access scanning disabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: Trend Micro PC-cillin Internet Security (Firewall) *enabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}\x86\DIFxAPI.dll
c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}\x86\DifXInstall32.exe
c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}\x86\DIFxInstallLog.txt
c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}\x86\GEARAspiWDM.inf
c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}\x86\gearaspiwdmx86.cat
c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}\x86\x86\GEARAspi.dll
c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}\x86\x86\GEARAspiWDM.sys
C:\VundoFix Backups

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_pzxpci
-------\Service_rayd


((((((((((((((((((((((((( Files Created from 2009-08-08 to 2009-09-08 )))))))))))))))))))))))))))))))
.

2009-09-04 11:57 . 2009-09-04 16:17 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-09-03 00:57 . 2009-09-03 00:57 -------- d-----w- c:\program files\Common Files\Adobe
2009-09-03 00:56 . 2009-09-03 00:56 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-09-03 00:55 . 2009-09-03 11:49 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-09-03 00:47 . 2009-09-03 00:52 -------- d-----w- c:\documents and settings\Nicole Valerio\.SunDownloadManager
2009-09-02 22:49 . 2009-09-02 22:49 -------- d-----w- c:\documents and settings\Nicole Valerio\Local Settings\Application Data\{DE7A88A0-9A60-4F1C-BBEF-AF3189B2ADE3}
2009-09-02 10:56 . 2009-09-02 10:56 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Yahoo!
2009-08-17 22:19 . 2009-08-17 22:19 -------- d-----w- c:\documents and settings\Nicole Valerio\Application Data\Yahoo!
2009-08-17 22:19 . 2009-09-04 16:18 -------- d-----w- c:\program files\Yahoo!
2009-08-17 22:19 . 2009-08-17 22:20 -------- d-----w- c:\program files\CCleaner
2009-08-13 12:18 . 2009-08-13 12:18 -------- d-----w- c:\windows\ServicePackFiles
2009-08-13 10:59 . 2009-06-05 07:42 655872 ------w- c:\windows\system32\dllcache\mstscax.dll
2009-08-13 00:48 . 2009-08-17 16:04 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-08-13 00:48 . 2009-08-17 16:04 51376 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-08-13 00:48 . 2009-08-17 16:03 26944 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-08-13 00:48 . 2009-08-17 16:02 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-08-13 00:47 . 2009-08-17 16:06 93392 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-08-13 00:47 . 2009-08-17 16:06 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-08-13 00:47 . 2009-08-17 16:05 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-08-13 00:47 . 2009-08-17 16:05 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-08-13 00:47 . 2009-08-17 16:10 1279456 ----a-w- c:\windows\system32\aswBoot.exe
2009-08-13 00:47 . 2009-08-13 00:47 -------- d-----w- c:\program files\Alwil Software
2009-08-11 00:06 . 2009-08-11 00:06 -------- d-----w- c:\documents and settings\Nicole Valerio\Local Settings\Application Data\Identities

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-08 02:45 . 2007-12-28 18:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-09-08 00:49 . 2008-01-02 01:24 -------- d-----w- c:\program files\Dl_cats
2009-09-04 16:24 . 2007-12-28 18:57 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-04 16:15 . 2006-09-13 07:11 -------- d-----w- c:\program files\Google
2009-09-04 16:15 . 2006-09-13 06:59 -------- d-----w- c:\program files\Dell
2009-09-04 16:13 . 2006-09-13 07:03 -------- d-----w- c:\program files\Common Files\AOL
2009-09-04 16:13 . 2006-09-13 07:03 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL
2009-08-14 10:58 . 2009-09-04 11:58 7396 ----a-w- c:\windows\system32\drivers\pctcore.cat
2009-08-12 01:18 . 2009-08-03 00:43 -------- d-----w- c:\program files\Bonjour
2009-08-07 02:36 . 2009-01-05 03:16 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-05 09:11 . 2004-08-10 16:51 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-03 17:36 . 2009-01-05 03:16 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 17:36 . 2009-01-05 03:16 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-03 00:44 . 2009-08-03 00:44 -------- d-----w- c:\documents and settings\Nicole Valerio\Application Data\Apple Computer
2009-08-03 00:44 . 2009-08-03 00:43 -------- d-----w- c:\program files\iTunes
2009-08-03 00:43 . 2009-08-03 00:43 -------- d-----w- c:\program files\iPod
2009-08-03 00:43 . 2009-08-03 00:42 -------- d-----w- c:\program files\Common Files\Apple
2009-08-03 00:43 . 2009-08-03 00:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-08-03 00:43 . 2009-08-03 00:42 -------- d-----w- c:\program files\QuickTime
2009-08-03 00:42 . 2009-08-03 00:42 -------- d-----w- c:\program files\Apple Software Update
2009-08-03 00:42 . 2009-08-03 00:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-07-17 18:55 . 2004-08-10 16:50 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 14:08 . 2004-08-10 16:51 286720 ----a-w- c:\windows\system32\wmpdxm.dll
2009-06-29 16:12 . 2004-08-10 16:51 827392 ------w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2004-08-10 16:51 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 2004-08-10 16:50 17408 ------w- c:\windows\system32\corpol.dll
2009-06-16 14:55 . 2004-08-10 16:51 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:55 . 2004-08-10 16:51 82432 ----a-w- c:\windows\system32\fontsub.dll
2009-06-12 11:50 . 2004-08-10 16:51 76288 ----a-w- c:\windows\system32\telnet.exe
2008-01-08 01:37 . 2007-12-28 17:43 88 --sh--r- c:\windows\system32\A342E58E19.sys
2008-01-08 01:38 . 2007-12-28 17:43 3558 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-09-08 22:49 . 2009-09-08 22:49 16384 c:\windows\Temp\Perflib_Perfdata_ec.dat
+ 2009-09-08 22:49 . 2009-09-08 22:49 16384 c:\windows\Temp\Perflib_Perfdata_610.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OE_OEM"="c:\program files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe" [2006-04-12 176201]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-06 344064]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-11-01 94208]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"pccguide.exe"="c:\program files\Trend Micro\Internet Security 12\pccguide.exe" [2005-08-30 823362]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"dlccmon.exe"="c:\program files\Dell Photo AIO Printer 924\dlccmon.exe" [2005-07-22 425984]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"DLCCCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll" [2005-06-07 69632]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-08-17 81000]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-02-10 282624]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-9-13 24576]
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-5-3 81920]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [8/12/2009 8:47 PM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [8/12/2009 8:47 PM 20560]
R2 Tmfilter;Tmfilter;c:\windows\system32\drivers\tmxpflt.sys [8/30/2005 4:47 PM 205328]
R2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\TRENDM~1\INTERN~1\Tmntsrv.exe [8/30/2005 4:47 PM 290889]
R2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe [8/30/2005 4:47 PM 585792]
R2 Tmpreflt;Tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [8/30/2005 4:47 PM 36368]
R2 tmproxy;Trend Micro Proxy Service;c:\progra~1\TRENDM~1\INTERN~1\tmproxy.exe [8/30/2005 4:47 PM 262215]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [12/28/2007 3:08 PM 24652]
.
Contents of the 'Scheduled Tasks' folder

2009-08-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: musicmatch.com\online
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-09-08 18:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLCCCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1052)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
c:\progra~1\TRENDM~1\INTERN~1\PcCtlCom.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\dlcccoms.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-09-08 18:53 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-08 22:53
ComboFix2.txt 2009-09-08 02:25

Pre-Run: 130,919,366,656 bytes free
Post-Run: 130,906,206,208 bytes free

186 --- E O F --- 2009-09-03 22:02


Solved Re: Rootkit "geyekrwoixtnxo" virus

Post by Belahzur on 9th September 2009, 12:11 am

Hello.
Good work, almost done now.

  • Open HijackThis.
  • When HijackThis opens, click "Open the Misc Tools section".
  • Then select "Open Uninstall Manager".
  • Click on "Save List..." (this generates uninstall_list.txt).
  • Click Save, then copy and paste the results in your next post.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.



Solved Re: Rootkit "geyekrwoixtnxo" virus

Post by Nic on 9th September 2009, 12:34 am

924PLC32
Acrobat.com
Adobe AIR
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Reader 9.1
AIM 6
Amazon MP3 Downloader 1.0.3
AOLIcon
Apple Mobile Device Support
Apple Software Update
ATI Control Panel
ATI Display Driver
avast! Antivirus
Banctec Service Agreement
Bonjour
CCleaner (remove only)
CinepPlayer 30 Update
Conexant D850 56K V.9x DFVc Modem
Corel Photo Album 6
Dell CinePlayer
Dell Digital Jukebox Driver
Dell Driver Reset Tool
Dell Game Console
Dell Media Experience
Dell Photo AIO Printer 924
DellSupport
Digital Content Portal
Digital Line Detect
Documentation & Support Launcher
ELIcon
Games, Music, & Photos Launcher
High Definition Audio Driver Package - KB835221
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB970653-v3)
Intel(R) PRO Network Connections Drivers
Intel(R) PROSet for Wired Connections
iTunes
J2SE Runtime Environment 5.0 Update 6
Learn2 Player (Uninstall Only)
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Outlook 2003 with Business Contact Manager Update
Microsoft Office Small Business Edition 2003
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft SQL Server Desktop Engine (MICROSOFTSMLBIZ)
Microsoft Visual C++ 2005 Redistributable
Modem Helper
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
Musicmatch® Jukebox
NetWaiting
QuickTime
RealPlayer Basic
Roxio DLA
Roxio MyDVD LE
Roxio RecordNow Audio
Roxio RecordNow Copy
Roxio RecordNow Data
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB942615)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958470)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Sonic Activation Module
Sonic Update Manager
Spybot - Search & Destroy
Trend Micro PC-cillin Internet Security 12
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB932823-v3)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB973815)
Viewpoint Media Player
WebCyberCoach 3.2 Dell
Windows Internet Explorer 7
Windows Media Format Runtime
Windows Media Player 10
Windows Media Player 10
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859


Solved Re: Rootkit "geyekrwoixtnxo" virus

Post by Belahzur on 9th September 2009, 7:01 pm

Go to Start > Control Panel > Add/Remove Programs and remove the following programs.

    J2SE Runtime Environment 5.0 Update 6
    Viewpoint Media Player

How is the machine running now?





Solved Re: Rootkit "geyekrwoixtnxo" virus

Post by Nic on 9th September 2009, 10:58 pm

Just removed those last two things.

It's running much faster now and hasn't shut down in the middle of something. Thank you so much!


Solved Re: Rootkit "geyekrwoixtnxo" virus

Post by Dr Jay on 16th September 2009, 8:56 pm

Since this issue appears to be solved, this topic is now closed and being marked solved.

If you need the topic reopened, PM an administrator, moderator, or staff.


Dr. Jay (DJ)


