maximum number of secrets exceded

hi i was adv to user gmer from lightninguk at img burn and suggested to post log from chewy here so here is the log from gmer ran today on windows xp home service pack 3 i have bolded and and marked which ones show red in gmer



GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-04-29 18:32:41
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

Code 8216D5F8 ZwEnumerateKey
Code 82070B20 ZwFlushInstructionCache
Code 82197B16 IofCallDriver
Code 8219A4C6 IofCompleteRequest

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!IofCallDriver 804E37C5 5 Bytes JMP 82197B1B
.text ntoskrnl.exe!IofCompleteRequest 804E3BF6 5 Bytes JMP 8219A4CB
PAGE ntoskrnl.exe!ZwEnumerateKey 80570D64 5 Bytes JMP 8216D5FC
PAGE ntoskrnl.exe!ZwFlushInstructionCache 80577693 5 Bytes JMP 82070B24
? C:\WINDOWS\system32\Drivers\RKREVEAL150.SYS The system cannot find the file specified. !
? C:\WINDOWS\system32\drivers\rootrepeal.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\spoolsv.exe[1456] msvcrt.dll!tan 77C4D5E4 2 Bytes [83, 7C]
.text C:\WINDOWS\system32\spoolsv.exe[1456] msvcrt.dll!tan + 3 77C4D5E7 5 Bytes [08, 01, 75, 19, 6A]
.text C:\WINDOWS\system32\spoolsv.exe[1456] msvcrt.dll!tan + 9 77C4D5ED 28 Bytes [6A, 00, 68, 88, 67, 90, 7C, ...]
.text C:\Program Files\Mozilla Firefox\firefox.exe[2804] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00A3000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[2804] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00A6000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[2804] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00A4000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[2804] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00A5000A
---- Processes - GMER 1.0.15 ----

Library C:\WINDOWS\system32\dll.dll (*** hidden *** ) @ C:\WINDOWS\system32\spoolsv.exe [1456] this shows in red in gmer 0x10000000
Library \\?\globalroot\systemroot\system32\gxvxceenagdlvksblmkmuqxducvqsyufxceju.dll (*** hidden *** ) @ C:\Program Files\Mozilla Firefox\firefox.exe [2804]
0x10000000 this one also shows in red

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\gxvxcrsvpxeoewqelwbwexvitalnbmqppyrbb.sys (*** hidden *** ) [SYSTEM] gxvxcserv.sys <-- ROOTKIT !!! this one also

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\gxvxcserv.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\gxvxcserv.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\gxvxcserv.sys@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\gxvxcserv.sys@imagepath \systemroot\system32\drivers\gxvxcrsvpxeoewqelwbwexvitalnbmqppyrbb.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\gxvxcserv.sys@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\gxvxcserv.sys\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\gxvxcserv.sys\modules@gxvxcserv \\?\globalroot\systemroot\system32\drivers\gxvxcrsvpxeoewqelwbwexvitalnbmqppyrbb.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\gxvxcserv.sys\modules@gxvxcl \\?\globalroot\systemroot\system32\gxvxceenagdlvksblmkmuqxducvqsyufxceju.dll
Reg HKLM\SYSTEM\ControlSet003\Services\gxvxcserv.sys
Reg HKLM\SYSTEM\ControlSet003\Services\gxvxcserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet003\Services\gxvxcserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet003\Services\gxvxcserv.sys@imagepath \systemroot\system32\drivers\gxvxcrsvpxeoewqelwbwexvitalnbmqppyrbb.sys
Reg HKLM\SYSTEM\ControlSet003\Services\gxvxcserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet003\Services\gxvxcserv.sys\modules
Reg HKLM\SYSTEM\ControlSet003\Services\gxvxcserv.sys\modules@gxvxcserv \\?\globalroot\systemroot\system32\drivers\gxvxcrsvpxeoewqelwbwexvitalnbmqppyrbb.sys
Reg HKLM\SYSTEM\ControlSet003\Services\gxvxcserv.sys\modules@gxvxcl \\?\globalroot\systemroot\system32\gxvxceenagdlvksblmkmuqxducvqsyufxceju.dll

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\SYSTEM32\DRIVERS\gxvxcrsvpxeoewqelwbwexvitalnbmqppyrbb.sys 32256 bytes executable <-- ROOTKIT !!! and this one
File C:\WINDOWS\SYSTEM32\gxvxccounter 4 bytes
File C:\WINDOWS\SYSTEM32\gxvxceenagdlvksblmkmuqxducvqsyufxceju.dll 14336 bytes executable

---- EOF - GMER 1.0.15 ----

Edited by wolfj, 29 April 2009 - 05:47 PM.

See if you can get rootrepeal to run

Use any of the same methods you have used with gmer

Rename it, run it from safe mode, whatever

If you can get the program open then change the tab at the bottom to file scan, not driver

All we need is for rootrepeal to show

C:\WINDOWS\SYSTEM32\DRIVERS\gxvxcrsvpxeoewqelwbwexvitalnbmqppyrbb.sys

Highlight it and right click, wipe file

Not delete

Immediately reboot and then run MBAM

Please download Malwarebytes Anti-Malware (v1.36) and save it to your desktop.
alternate download link 1
alternate download link 2
If you have a previous version of MBAM, remove it via Add/Remove Programs and download a fresh copy.

• Make sure you are connected to the Internet.
• Double-click on mbam-setup.exe to install the application.
• When the installation begins, follow the prompts and do not make any changes to default settings.
• When installation has finished, make sure you leave both of these checked:
  • Update Malwarebytes' Anti-Malware
  • Launch Malwarebytes' Anti-Malware
• Then click Finish.

MBAM will automatically start and you will be asked to update the program before performing a scan.

• If an update is found, the program will automatically update itself.
• Press the OK button to close that box and continue.
• If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.

On the Scanner tab:

• Make sure the "Perform Quick Scan" option is selected.
• Then click on the Scan button.
• If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
• The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
• When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
• Click OK to close the message box and continue with the removal process.

Back at the main Scanner screen:

• Click on the Show Results button to see a list of any malware that was found.
• Make sure that everything is checked, and click Remove Selected.
• When removal is completed, a log report will open in Notepad.
• The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
• Copy and paste the contents of that report in your next reply and exit MBAM.

Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.

http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/

Sounds so easy. Doesn't it ?.

I have no problem when i open my RootRepeal. But when i press File Scan, i get to select c:/ and then it "blue screen" my computer. And that's no matter how i do it. Safe Mode etc. Always the same.

I really hate this damn rootkit.

Using MBAM and other programs to weaken or attack the infection usually allows rootrepeal to work

If not it's best to post in our HJT forum or reload your computer

no luck couldn't get root repeal to work keeps giving me a crash report both in safe mode and windows when i try o launch malwarebytes it doesn't launch when i double click on it also both in safe mode and windows

Here are some tips to install and run MBAM

Some people even have to rename everything before using another computer to load the program on a usb drive and transfer to the infected computer

Try this to install MBAM

Try renaming the setup file to install.com

try installing in safe mode

here's a random renamer for the program if you can get it installed

http://kixhelp.com/wr/files/mb/randmbam.exe

Here's a link for MBAM definition update

http://www.gt500.org/malwarebytes/database.jsp

thanks chewy as posted on the img burn site for the root kit listed in my gmer file if uniccodec was installed you can try dr web cure it i used it it detected that file deleted and rebooted all is good now for the maximum secrets exceded error and redirects worth a shot for some other ppl as well if it is recommended by the admins here. here also is the report after running mbam
Malwarebytes' Anti-Malware 1.36
Database version: 1945
Windows 5.1.2600 Service Pack 3

01/05/2009 3:04:19 PM
mbam-log-2009-05-01 (15-04-19).txt

Scan type: Full Scan (C:\|)
Objects scanned: 106785
Time elapsed: 1 hour(s), 2 minute(s), 32 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 9
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.144,85.255.112.5 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{45860438-f98b-4253-af24-de35a450a11f}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.144,85.255.112.5 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{be94b08b-3c26-4b27-888d-d207ab1c637f}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.144,85.255.112.5 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.144,85.255.112.5 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{45860438-f98b-4253-af24-de35a450a11f}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.144,85.255.112.5 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{be94b08b-3c26-4b27-888d-d207ab1c637f}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.144,85.255.112.5 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.144,85.255.112.5 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{45860438-f98b-4253-af24-de35a450a11f}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.144,85.255.112.5 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{be94b08b-3c26-4b27-888d-d207ab1c637f}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.144,85.255.112.5 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\TEMP\tempo-3923081.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Edited by wolfj, 01 May 2009 - 02:06 PM.

Actually. Forget Rootrepeal.

It crash.

Not sure i can be of much help here. Malwarebytes-Antimalware update 2066 found something. And when i started scan, Norton Antivirus updated May 1 started to quarantine and delete the virus. They worked together then.