Too Many Secrets error, cannot access dvd drive


4 replies to this topic

#1 High500

High500

  • Members
  • 75 posts

Posted 28 June 2009 - 08:30 AM

Firstly, hi. First post; hope you guys can help with my problem as it seems you have a lot of experience in this area!

I recently attempted to use imgburn and it failed to locate drives citing the following error:

[codebox]I 14:08:25 ImgBurn Version 2.4.4.0 started!
I 14:08:26 Microsoft Windows Vista Ultimate Edition (6.0, Build 6001 : Service Pack 1)
I 14:08:26 Total Physical Memory: 3,406,216 KB - Available: 2,011,656 KB
I 14:08:26 Initialising SPTI...
I 14:08:26 Searching for SCSI / ATAPI devices...
E 14:08:28 CreateFile Failed! - Device: '\\.\CdRom0' (E:)
E 14:08:28 Reason: The maximum number of secrets that may be stored in a single system has been exceeded.
W 14:08:28 Errors were encountered when trying to access a drive.
W 14:08:28 This drive will not be visible in the program.
W 14:08:28 No devices detected!
[/codebox]

After a lot of searching the net, it seems the most common response is a rootkit/malware/virus problem (including responses in the ImgBurn forums).

As I am an IT Support Technician by trade, I set out doing various rootkit checks, virus scans and malware scans. But this one defeats me totally. I also was experiencing Google link redirects, which I have managed to fix (well, so far so good!).

On further inspection, I have an extra optical drive appearing in "My Computer" which does not exist. Both that and my existing DVD recorder appear to be registering as a CD-ROM device (not a DVD-ROM as previously). Also, in the "Disk Management" section of "Computer Management" I appear to be showing only 4 drives out of the total 10 that appear in Explorer. All 4 hard drives are missing, the real DVD drive and the fake one are missing; the only 4 present are part of a USB combo reader which registers each memory card port as a separate drive (4 ports).

I have had several viruses show up on my system recently, which occurred when my son was using the computer. They were healed/vaulted by AVG Free, but here are the items found:

Virus Check results:

Trojan Horse: Generic_c.AMAE (2 instances)
Virus: Win32/Cryptor (possibly something to do with my "too many secrets" error, which Google searches appear to show is something to do with too many encrypted items existing on my system in some form?)

Spyware Results:

RemoteAdmin.AXI (2 instances) (on a side note I do have remote admin 3.0 installed on this machine so it may be legit!)

I hope this is not too much information or overkill. I am trying to give you the most detailed report I can, including the DDS reports as required by the forum.

If you can help me I would much appreciate it. I would rather not format the drives as I have a lot of software installed on this machine and a helluva lot of work that would be hard to back up and restore in the event of a re-install (unfortunately my messy nature of storing stuff is going to backfire on me, I guess!)

DDS Log:


DDS (Ver_09-06-26.01) - NTFSx86
Run by iMedia at 14:00:34.68 on 28/06/2009
Internet Explorer: 7.0.6001.18000
Microsoft® Windows Vista™ Ultimate 6.0.6001.1.1252.44.1033.18.3326.2061 [GMT 1:00]

SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\RtHDVCpl.exe
C:\Program Files\SOUNDGRAPH\iMON\iMON.exe
C:\Program Files\MCE\My Movies\My Movies Tray.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Users\iMedia\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\iMedia\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\iMedia\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\iMedia\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files\Windows Mail\WinMail.exe
C:\Program Files\Internet Explorer\IEUser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\iMedia\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
uURLSearchHooks: H - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [iMON] c:\program files\soundgraph\imon\iMON.exe /startup
mRun: [My Movies Tray] "c:\program files\mce\my movies\My Movies Tray.exe"
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mic273~1\web2~1\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} - hxxp://support.asus.com/common/asusTek_sys_ctrl.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {1803B9EF-9905-4F34-AFC4-05D1BAB28801} - hxxp://download.yahoo.com/dl/installs/bt/yregucfg.cab
DPF: {71057C18-0507-4747-86BC-E11CE7512C5F} - hxxps://register.btinternet.com/templates/btmailcontrol013.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {B947BD34-91CC-4590-9BA0-6F0F0D2028E8} - hxxp://www.productsandservices.bt.com/consumer/consumerProducts/js/BTEmailConfig.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} - hxxps://register.btinternet.com/templates/btwebcontrol028.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
AppInit_DLLs: c:\windows\system32\avgrsstx.dll
STS: Windows DreamScene: {e31004d1-a431-41b8-826f-e902f9d95c81} - %SystemRoot%\System32\DreamScene.dll
STS: Deskscapes Class: {ec654325-1273-c2a9-2b7c-45d29bce68fb} - c:\progra~1\stardock\object~1\desksc~1\deskscapes.dll
STS: Stardock Vista ControlPanel Extension: {ec654325-1273-c2a9-2b7c-45d29bce68fd} - c:\progra~1\stardock\object~1\desksc~1\DesktopControlPanel.dll
STS: StardockDreamController: {ec654325-1273-c2a9-2b7c-45d29bce68ff} - c:\progra~1\stardock\object~1\desksc~1\DreamControl.dll

================= FIREFOX ===================

FF - ProfilePath -

============= SERVICES / DRIVERS ===============

R1 atitray;atitray;c:\program files\ray adams\ati tray tools\atitray.sys [2007-5-22 18088]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-6-27 327688]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-6-27 108552]
R1 raddrvv3;raddrvv3;c:\windows\system32\rserver30\raddrvv3.sys [2007-2-2 41176]
R2 {95808DC4-FA4A-4c74-92FE-5B863F82066B};{95808DC4-FA4A-4c74-92FE-5B863F82066B};c:\program files\cyberlink\powerdvd\000.fcl [2006-11-2 13560]
R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-3-16 180224]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-6-27 906520]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-6-27 298776]
R2 MSSQL$MYMOVIES;SQL Server (MYMOVIES);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2007-2-10 29178224]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2009-6-27 1153368]
R2 SentinelKeysServer;Sentinel Keys Server;c:\program files\common files\safenet sentinel\sentinel keys server\sntlkeyssrvr.exe [2007-4-27 316992]
R3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;c:\windows\system32\drivers\l160x86.sys [2008-2-24 46592]
R3 AtiHdmiService;ATI Function Driver for HDMI Service;c:\windows\system32\drivers\AtiHdmi.sys [2009-2-20 95760]
S3 CrystalSysInfo;CrystalSysInfo;c:\program files\mediacoder\SysInfo.sys [2007-9-25 15152]
S3 mirrorv3;mirrorv3;c:\windows\system32\drivers\rminiv3.sys [2006-11-1 3328]
S3 rkhdrv40;Rootkit Unhooker Driver;c:\windows\system32\drivers\rkhdrv40.sys [2009-6-28 24448]
S3 YEBTCUK;YEBTCUK;c:\users\imedia\appdata\local\temp\yebtcuk.exe --> c:\users\imedia\appdata\local\temp\YEBTCUK.exe [?]
S4 RServer3;Radmin Server V3;"c:\windows\system32\rserver30\rserver3.exe" /service --> c:\windows\system32\rserver30\rserver3.exe [?]

=============== Created Last 30 ================

2009-06-28 13:39 <DIR> --dsh--- C:\$RECYCLE.BIN
2009-06-28 13:24 161,792 a------- c:\windows\SWREG.exe
2009-06-28 13:24 155,136 a------- c:\windows\PEV.exe
2009-06-28 13:24 98,816 a------- c:\windows\sed.exe
2009-06-28 13:23 <DIR> --ds---- C:\Combo-Fix
2009-06-28 12:43 <DIR> a-dshr-- C:\autorun.inf
2009-06-28 11:46 24,448 a------- c:\windows\system32\drivers\rkhdrv40.sys
2009-06-28 10:52 <DIR> --d----- c:\program files\Sophos
2009-06-27 23:21 <DIR> --d----- c:\programdata\Spybot - Search & Destroy
2009-06-27 23:21 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-06-27 23:21 <DIR> --d----- c:\progra~2\Spybot - Search & Destroy
2009-06-27 22:27 <DIR> --d----- c:\users\imedia\appdata\roaming\Malwarebytes
2009-06-27 22:26 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-27 22:26 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-27 22:26 <DIR> --d----- c:\programdata\Malwarebytes
2009-06-27 22:26 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-06-27 22:26 <DIR> --d----- c:\progra~2\Malwarebytes
2009-06-27 15:18 <DIR> --d----- c:\programdata\Windows Genuine Advantage
2009-06-27 15:06 <DIR> --d----- C:\iforedit
2009-06-27 14:46 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-06-27 14:43 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-06-27 14:43 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-06-27 14:43 327,688 a------- c:\windows\system32\drivers\avgldx86.sys
2009-06-27 14:42 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-06-27 14:42 <DIR> --d----- c:\programdata\AVG Security Toolbar
2009-06-27 14:42 <DIR> --d----- c:\progra~2\AVG Security Toolbar
2009-06-27 14:42 <DIR> --d----- c:\programdata\avg8
2009-06-27 14:42 <DIR> --d----- c:\program files\AVG
2009-06-27 14:42 <DIR> --d----- c:\progra~2\avg8
2009-06-27 14:38 <DIR> --d----- c:\users\imedia\appdata\roaming\AVG8
2009-06-26 23:26 <DIR> --d----- C:\DECCHECK
2009-06-26 17:44 90,112 a------- c:\windows\unvise32.exe
2009-06-22 20:35 111,380 a------- C:\0077.LWO
2009-06-20 23:49 307 a------- c:\windows\IfoEdit.INI
2009-06-20 23:26 <DIR> --d----- c:\program files\DVD Decrypter
2009-06-20 15:28 <DIR> --d----- c:\windows\Nero Ultra Edition
2009-06-15 22:03 <DIR> --d----- c:\program files\GraphEditPlus
2009-06-15 21:37 <DIR> --d----- c:\program files\common files\DivX Shared
2009-06-15 21:37 <DIR> --d----- c:\program files\DivX
2009-06-15 19:12 3,426,072 a------- c:\windows\system32\d3dx9_32.dll
2009-06-15 19:10 <DIR> --d----- c:\program files\Microsoft Visual Studio 8
2009-06-15 19:06 <DIR> --d----- c:\program files\common files\Nikon
2009-06-15 19:05 <DIR> --d----- c:\program files\Microsoft Expression
2009-06-13 12:48 2,241,536 a------- c:\windows\system32\msi.dll
2009-06-13 12:48 332,800 a------- c:\windows\system32\msihnd.dll
2009-06-13 12:48 73,216 a------- c:\windows\system32\msiexec.exe
2009-06-13 12:48 2,560 a------- c:\windows\system32\msimsg.dll
2009-06-13 00:17 <DIR> --d----- c:\windows\system32\1033
2009-06-10 20:15 172 a------- c:\windows\ODBC.INI
2009-06-10 20:14 <DIR> --d----- c:\windows\system32\js
2009-06-10 20:14 <DIR> --d----- c:\windows\system32\images
2009-06-10 20:14 <DIR> --d----- c:\windows\system32\html
2009-06-10 20:14 <DIR> --d----- c:\windows\system32\css
2009-06-10 20:14 <DIR> --d----- c:\program files\Business Objects
2009-06-10 20:11 <DIR> --d----- c:\program files\Microsoft Device Emulator
2009-06-10 20:10 <DIR> --d----- c:\program files\Windows Mobile 5.0 SDK R2
2009-06-10 20:09 <DIR> --d----- c:\program files\Microsoft Synchronization Services
2009-06-10 20:09 <DIR> --d----- c:\program files\Microsoft SQL Server Compact Edition
2009-06-10 20:04 <DIR> --d----- c:\programdata\PreEmptive Solutions
2009-06-10 20:04 <DIR> --d----- c:\progra~2\PreEmptive Solutions
2009-06-10 20:01 <DIR> --d----- c:\program files\common files\Merge Modules
2009-06-10 20:01 <DIR> --d----- c:\program files\CE Remote Tools
2009-06-10 19:59 <DIR> --d----- c:\program files\Microsoft Web Designer Tools
2009-06-10 19:57 <DIR> --d----- c:\programdata\Microsoft Help
2009-06-08 19:53 <DIR> --d----- c:\users\imedia\appdata\roaming\AceBIT
2009-06-08 19:53 <DIR> --d----- c:\programdata\AceBIT
2009-06-08 19:53 <DIR> --d----- c:\progra~2\AceBIT
2009-06-08 19:53 1,366,528 a------- c:\windows\system32\we5.dll
2009-06-08 19:53 629,584 a------- c:\windows\system32\acebitaw.dll
2009-06-08 19:53 503,280 a------- c:\windows\system32\wodSFTP.dll
2009-06-08 19:53 449,984 a------- c:\windows\system32\wodKeys.dll
2009-06-08 19:53 <DIR> --d----- c:\program files\AceBIT
2009-06-08 19:41 <DIR> --d----- C:\Website
2009-06-08 18:25 <DIR> --d----- c:\temp\fonts
2009-06-04 20:56 <DIR> --d----- c:\program files\AviSynth 2.5
2009-06-02 21:46 <DIR> --d----- c:\program files\AllToAVI
2009-06-02 21:30 <DIR> --d----- C:\VirtualDubMod_1_5_10_2_b2542
2009-06-02 21:22 <DIR> --d----- C:\avimux
2009-06-02 21:16 <DIR> --d----- C:\mkv
2009-06-01 19:35 <DIR> --d----- C:\graphedit041201
2009-05-31 22:15 608,448 a------- c:\windows\system32\comctl32.ocx
2009-05-31 22:14 <DIR> --d----- c:\program files\Total Video Converter
2009-05-31 22:07 <DIR> --d----- c:\program files\FLV to AVI
2009-05-31 22:00 <DIR> --d----- c:\program files\common files\SWF Studio
2009-05-31 22:00 <DIR> --d----- c:\program files\Riva
2009-05-31 21:56 <DIR> --d----- c:\users\imedia\dwhelper
2009-05-31 21:34 <DIR> --d----- C:\virtuadub
2009-05-31 18:29 <DIR> --d----- c:\users\imedia\appdata\roaming\Broad Intelligence
2009-05-31 18:28 <DIR> --d----- c:\program files\MediaCoder
2009-05-31 18:18 <DIR> --d----- C:\YouTubeDownload
2009-05-31 18:18 <DIR> --d----- C:\ConverterOutput
2009-05-31 18:18 372,736 a------- c:\windows\system32\xvid.ax
2009-05-31 18:18 98,304 a------- c:\windows\system32\L3CODECX.AX
2009-05-31 18:18 <DIR> --d----- c:\program files\Cucusoft
2009-05-31 18:17 <DIR> --d----- c:\users\imedia\appdata\roaming\GetRightToGo

==================== Find3M ====================

2009-06-28 11:51 51,200 a------- c:\windows\inf\infpub.dat
2009-05-28 18:03 86,016 a------- c:\windows\inf\infstrng.dat
2009-05-25 19:15 0 a---h--- c:\windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2009-05-25 17:04 86,016 a------- c:\windows\inf\infstor.dat
2009-05-25 16:16 174 a--sh--- c:\program files\desktop.ini
2009-05-25 16:08 665,600 a------- c:\windows\inf\drvindex.dat
2009-05-25 15:56 101,888 a------- c:\windows\system32\ifxcardm.dll
2009-05-25 15:56 82,432 a------- c:\windows\system32\axaltocm.dll
2009-05-25 15:33 152,576 a------- c:\windows\system32\SPWizUI.dll
2009-05-25 15:33 47,560 a------- c:\windows\system32\SPReview.exe
2009-05-23 14:51 61,440 a------- c:\windows\system32\winipsec.dll
2009-05-23 14:51 28,672 a------- c:\windows\system32\FwRemoteSvr.dll
2009-05-23 14:51 361,984 a------- c:\windows\system32\IPSECSVC.DLL
2009-05-23 14:51 272,896 a------- c:\windows\system32\polstore.dll
2009-05-23 14:50 241,152 a------- c:\windows\system32\PortableDeviceApi.dll
2009-05-23 14:50 160,768 a------- c:\windows\system32\PortableDeviceTypes.dll
2009-05-23 14:50 94,720 a------- c:\windows\system32\PortableDeviceClassExtension.dll
2009-05-23 14:49 376,832 a------- c:\windows\system32\winhttp.dll
2009-05-23 14:48 296,960 a------- c:\windows\system32\gdi32.dll
2009-05-23 14:47 212,480 a------- c:\windows\system32\drivers\mrxsmb10.sys
2009-05-23 14:46 562,176 a------- c:\windows\system32\msdtcprx.dll
2009-05-23 14:46 38,912 a------- c:\windows\system32\xolehlp.dll
2009-05-23 14:45 269,312 a------- c:\windows\system32\es.dll
2009-05-23 14:45 28,672 a------- c:\windows\system32\Apphlpdm.dll
2009-05-23 14:45 2,154,496 a------- c:\windows\apppatch\AcGenral.dll
2009-05-23 14:45 2,560 a------- c:\windows\apppatch\AcRes.dll
2009-05-23 14:45 541,696 a------- c:\windows\apppatch\AcLayers.dll
2009-05-23 14:45 460,288 a------- c:\windows\apppatch\AcSpecfc.dll
2009-05-23 14:45 173,056 a------- c:\windows\apppatch\AcXtrnal.dll
2009-05-23 14:45 52,736 a------- c:\windows\apppatch\iebrshim.dll
2009-05-23 14:45 4,240,384 a------- c:\windows\system32\GameUXLegacyGDFs.dll
2009-05-23 14:45 1,695,744 a------- c:\windows\system32\gameux.dll
2009-05-23 14:44 303,616 a------- c:\windows\system32\wmpeffects.dll
2009-05-23 14:43 1,191,936 a------- c:\windows\system32\msxml3.dll
2009-05-23 14:43 2,048 a------- c:\windows\system32\msxml3r.dll
2009-05-23 14:41 2,048 a------- c:\windows\system32\tzres.dll
2009-05-23 14:40 428,544 a------- c:\windows\system32\EncDec.dll
2009-05-23 14:40 293,376 a------- c:\windows\system32\psisdecd.dll
2009-05-23 14:39 8,147,456 a------- c:\windows\system32\wmploc.DLL
2009-05-23 14:39 7,680 a------- c:\windows\system32\spwmp.dll
2009-05-23 14:39 4,096 a------- c:\windows\system32\dxmasf.dll
2009-05-23 14:36 2,927,104 a------- c:\windows\explorer.exe
2009-05-23 14:31 1,808,896 a------- c:\windows\system32\NlsLexicons0046.dll
2009-05-23 14:31 1,793,536 a------- c:\windows\system32\NlsLexicons0045.dll
2009-05-23 14:31 2,136,064 a------- c:\windows\system32\NlsLexicons0021.dll
2009-05-23 14:31 1,782,272 a------- c:\windows\system32\NlsLexicons0039.dll
2009-05-23 14:31 1,558,016 a------- c:\windows\system32\NlsLexicons0049.dll
2009-05-23 14:31 1,411,072 a------- c:\windows\system32\NlsLexicons0047.dll
2009-05-23 14:31 1,236,992 a------- c:\windows\system32\NlsLexicons0020.dll
2009-05-23 14:31 7,964,672 a------- c:\windows\system32\NlsLexicons0024.dll
2009-05-23 14:31 5,791,232 a------- c:\windows\system32\NlsLexicons0026.dll
2009-05-23 14:31 5,499,904 a------- c:\windows\system32\NlsLexicons0022.dll
2009-05-23 14:29 4,152,184 a------- c:\windows\system32\wgaer_m.exe
2009-05-23 14:26 1,255,936 a------- c:\windows\system32\lsasrv.dll
2009-05-23 14:26 441,400 a------- c:\windows\system32\drivers\ksecdd.sys
2009-05-23 14:26 72,704 a------- c:\windows\system32\secur32.dll
2009-05-23 14:26 9,728 a------- c:\windows\system32\lsass.exe
2009-05-23 14:26 40,960 a------- c:\windows\apppatch\apihex86.dll
2009-05-23 14:26 24,064 a------- c:\windows\system32\amxread.dll
2009-05-23 14:26 13,824 a------- c:\windows\system32\apilogen.dll
2009-05-23 14:25 425,472 a------- c:\windows\system32\PhotoMetadataHandler.dll
2009-05-23 14:25 712,704 a------- c:\windows\system32\WindowsCodecs.dll
2009-05-23 14:25 347,136 a------- c:\windows\system32\WindowsCodecsExt.dll
2009-05-23 14:24 443,392 a------- c:\windows\system32\win32spl.dll
2009-05-23 14:24 37,888 a------- c:\windows\system32\printcom.dll
2009-05-23 14:23 113,664 a------- c:\windows\system32\drivers\rmcast.sys
2009-05-23 14:23 14,848 a------- c:\windows\system32\wshrm.dll
2009-05-23 14:23 288,768 a------- c:\windows\system32\drivers\srv.sys
2009-05-23 14:22 268,288 a------- c:\windows\system32\schannel.dll
2009-05-23 14:19 622,080 a------- c:\windows\system32\icardagt.exe
2009-05-23 14:19 97,800 a------- c:\windows\system32\infocardapi.dll
2009-05-23 14:19 11,264 a------- c:\windows\system32\icardres.dll
2009-05-23 14:19 105,016 a------- c:\windows\system32\PresentationCFFRasterizerNative_v0300.dll
2009-05-23 14:19 781,344 a------- c:\windows\system32\PresentationNative_v0300.dll
2009-05-23 14:19 326,160 a------- c:\windows\system32\PresentationHost.exe
2009-05-23 14:19 43,544 a------- c:\windows\system32\PresentationHostProxy.dll
2009-05-23 14:05 96,760 a------- c:\windows\system32\dfshim.dll
2009-05-23 14:05 41,984 a------- c:\windows\system32\netfxperf.dll
2009-05-23 14:05 282,112 a------- c:\windows\system32\mscoree.dll
2009-05-23 14:05 158,720 a------- c:\windows\system32\mscorier.dll
2009-05-23 14:05 83,968 a------- c:\windows\system32\mscories.dll
2009-05-23 13:55 2,868,736 a------- c:\windows\system32\mf.dll
2009-05-23 13:55 98,816 a------- c:\windows\system32\mfps.dll
2009-05-23 13:55 53,248 a------- c:\windows\system32\rrinstaller.exe
2009-05-23 13:55 24,576 a------- c:\windows\system32\mfpmp.exe
2009-05-23 13:55 2,048 a------- c:\windows\system32\mferror.dll
2009-05-23 13:55 996,352 a------- c:\windows\system32\WMNetMgr.dll
2009-05-23 13:55 94,720 a------- c:\windows\system32\logagent.exe
2009-05-23 13:55 738,304 a------- c:\windows\system32\inetcomm.dll
2009-05-23 13:55 84,480 a------- c:\windows\system32\INETRES.dll
2009-05-23 13:54 1,645,568 a------- c:\windows\system32\connect.dll
2009-05-23 13:53 1,314,816 a------- c:\windows\system32\quartz.dll
2009-05-23 13:52 2,033,152 a------- c:\windows\system32\win32k.sys
2009-05-23 13:52 1,334,272 a------- c:\windows\system32\msxml6.dll
2009-05-23 13:52 2,048 a------- c:\windows\system32\msxml6r.dll
2009-05-23 13:50 827,392 a------- c:\windows\system32\wininet.dll
2009-05-23 13:50 72,704 a------- c:\windows\system32\admparse.dll
2009-05-23 13:50 78,336 a------- c:\windows\system32\ieencode.dll
2009-05-23 13:50 48,128 a------- c:\windows\system32\mshtmler.dll
2009-05-23 13:50:22 A------- 26,624 c:\windows\system32\ieUnatt.exe
2007-07-11 16:27 8,192 a--sh--- c:\windows\users\default\NTUSER.DAT

============= FINISH: 14:04:35.24 ===============

I have a lot of experience in spotting unusual files and drivers etc., but nothing stands out to me as such in the logs provided. Hopefully you guys will know different!

Thanks in advance for any assistance you could give me.

High500

#2 High500

High500
  • Topic Starter

  • Members
  • 75 posts

Posted 28 June 2009 - 09:21 AM

Just a quick update: the browser redirects are back again, so that part is not fixed either! (I haven't installed any new software nor carried out any further scans/prevention attempts; the redirects have just restarted out of the blue!)

The redirects appear to end up at the following URL:

http://www.blinkx.com/ with various page instances from blinkx.com each time

with a quick redirect just before to www.abcjump.com, but it was so fast I could not catch the whole URL,
though this part seems to be random and other URLs have been noticed but too quick to catch.

Hope this helps also!

high500

Deactivate link. ~ OB

Thanks OB i thought id renamed the http part, my bad sorry!

High500

Edited by High500, 28 June 2009 - 12:27 PM.


#3 High500

High500
  • Topic Starter

  • Members
  • 75 posts

Posted 01 July 2009 - 05:38 PM

Hi Again

It seems you guys are mighty busy, and I respect that; volunteering your time for this stuff is mighty honourable!

As this is my production machine I need it fixed in a hurry, so being the inquisitive and adventurous type I took it upon myself to try to fix this.
I have looked at a variety of issues posted on here and looked in depth at the replies and logs to see how things work. I have a pretty good understanding of the routes you guys have taken, so I took it upon myself to create my own fix, and the results, well, see:

I looked at your ComboFix procedures and the logs you used on various posts to realise this was definitely out of the ordinary:

c:\windows\system32\drivers\hjgruixwiuickd.sys
c:\windows\system32\hjgruiopcbuxye.dll
c:\windows\system32\hjgruiptpvrxrd.dat
c:\windows\system32\hjgruisijchuts.dat
c:\windows\system32\hjgruitxoopsbs.dll

from a ComboFix scan, along with an associated registry key in the services section. So I set about running MBAM, AV scans, bmer and found nothing except what ComboFix revealed.

I then looked up some info on MBR rootkits and downloaded MbrFix; that wouldn't even access the MBR (access denied). BCDEdit gave the same "Too Many Secrets" error. Sysinternals RootkitRevealer from M$ showed there was activity going on, so I grabbed Prevx CSI 3.0 (which apparently had Mebroot fixes for free, but the scan found 4 entries and wanted a licence to pay for it :/)

So it seemed I had a rootkit from everything I could deduce, so using all the knowledge gathered from looking at tons of your cases on here, I made the following cfscript.txt file:

[codebox]Rootkit::
c:\windows\system32\drivers\hjgruixwiuickd.sys
c:\windows\system32\hjgruiopcbuxye.dll
c:\windows\system32\hjgruiptpvrxrd.dat
c:\windows\system32\hjgruisijchuts.dat
c:\windows\system32\hjgruitxoopsbs.dll
(a few other files were listed here (tmp files) but the original ComboFix log got overwritten)

Driver::
hjgruimqwmnjdi.sys <<< I made this filename up for this example as the original ComboFix log got overwritten, but you get the idea

Registry::
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\hjgruimqwmnjdi]
[/codebox]

I dragged this onto ComboFix, which then told me "rootkit activity detected blah blah". Voila, in business, it sees it!! What next??
I wrote the listed files down just in case, then ComboFix rebooted the machine, deleted the files, rebooted and scanned, and finished!

Now I have no more ghost CD-ROM, my DVD drive now shows as a DVD drive, and my Disk Manager now shows all my drives!
Also, here is my log from ImgBurn:

[codebox]I 23:09:22 ImgBurn Version 2.4.4.0 started!
I 23:09:22 Microsoft Windows Vista Ultimate Edition (6.0, Build 6001 : Service Pack 1)
I 23:09:22 Total Physical Memory: 3,406,216 KB - Available: 2,299,660 KB
I 23:09:22 Initialising SPTI...
I 23:09:22 Searching for SCSI / ATAPI devices...
I 23:09:22 Found 1 DVD±RW!
[/codebox]

No more "too many secrets" errors there; BCDEdit now runs without getting the "too many secrets" error.

Seems like I hit the right nail on that gamble. But I really must confess, for those not experienced in this sort of thing, leave the custom ComboFix scripts to the guys here who know how, and follow their guide. I'm a computer technician by trade and deal with malware and viruses all the time, and it was a calculated risk for me to do so, but in most cases wait for an expert to guide you.

OK, well, I'm not claiming I'm out of the water yet; I'm about to run every single scan known to mankind on this machine, back it up and then get a new HD and start afresh!

Thanks for such a great site, and I would appreciate any input on the logs I paste after I'm done with all my scanning, so maybe a day or 2 before they get posted!

High500

Just a slight thought. The "too many secrets" error is common in Google searches, but no relation to rootkits appears to be showing up in a lot of the results (a few hints of malware, most dismissed). Is there any way we can link the 2 somehow so people know this is a likely cause??

Edited by High500, 01 July 2009 - 05:42 PM.
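The two things the logs in this thread turn on, an S3 service whose binary sits in the user's temp directory in the first post's DDS output (YEBTCUK) and the five hjgrui* files sharing one random prefix in post #3, can both be picked out mechanically rather than by eye. The Python below is an added example for this thread, not code from the posts or from the DDS or ComboFix authors; the sample lines are constructed to mimic the DDS "SERVICES / DRIVERS" format, and the scoring weights, the threshold, and the "12 to 16 lowercase letters" name pattern are assumptions for triage, not a published signature. For reference, the ImgBurn message "The maximum number of secrets that may be stored in a single system has been exceeded" is the text of Win32 error 1381, ERROR_TOO_MANY_SECRETS, returned by the failed CreateFile on the optical device; the string itself says nothing about encrypted data on the machine.

```python
"""Triage helpers for a DDS-style log (added example for this thread, not
BleepingComputer's, DDS's or ComboFix's code).  Two checks the thread's logs
call for: service entries whose binary lives in a temp directory or that DDS
could not stat (trailing "[?]"), like S3 YEBTCUK; and groups of system32
files sharing a random-looking prefix across several extensions, like the
hjgrui* .sys/.dll/.dat set.  Weights, thresholds and the name pattern are
triage assumptions, not a vendor signature."""
import re
from collections import defaultdict

# DDS service line: "<status> <name>;<display>;<path> [date size]", or
# "... --> <resolved path> [?]" when DDS could not examine the file.
SERVICE_RE = re.compile(r"^[RS]\d\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$")
TEMP_DIR_RE = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)
RANDOM_STEM_RE = re.compile(r"[a-z]{12,16}")  # assumed generated-name shape

# Constructed sample in DDS format; YEBTCUK and RServer3 mirror the thread's log.
SAMPLE_DDS = r"""
R1 atitray;atitray;c:\program files\ray adams\ati tray tools\atitray.sys [2007-5-22 18088]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-6-27 327688]
S3 YEBTCUK;YEBTCUK;c:\users\imedia\appdata\local\temp\yebtcuk.exe --> c:\users\imedia\appdata\local\temp\YEBTCUK.exe [?]
S4 RServer3;Radmin Server V3;"c:\windows\system32\rserver30\rserver3.exe" /service --> c:\windows\system32\rserver30\rserver3.exe [?]
"""

# Constructed list: the five hjgrui* names from the thread plus legitimate
# files (digits, capitals, or a single extension) that must not be flagged.
SAMPLE_SYSTEM32 = [
    r"c:\windows\system32\drivers\hjgruixwiuickd.sys",
    r"c:\windows\system32\hjgruiopcbuxye.dll",
    r"c:\windows\system32\hjgruiptpvrxrd.dat",
    r"c:\windows\system32\hjgruisijchuts.dat",
    r"c:\windows\system32\hjgruitxoopsbs.dll",
    r"c:\windows\system32\NlsLexicons0046.dll",
    r"c:\windows\system32\NlsLexicons0045.dll",
    r"c:\windows\system32\NlsLexicons0021.dll",
    r"c:\windows\system32\drivers\avgldx86.sys",
    r"c:\windows\system32\PresentationHost.exe",
    r"c:\windows\system32\PresentationNative_v0300.dll",
]


def parse_dds_services(text):
    """Parse 'SERVICES / DRIVERS' lines into dicts; other lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if not m:
            continue
        rest = m.group("rest").strip()
        missing_info = rest.endswith("[?]")
        # Prefer the resolved path DDS prints after "-->".
        path = (rest.split("-->", 1)[1] if "-->" in rest else rest).strip()
        if path.startswith('"'):
            path = path[1:].split('"', 1)[0]   # quoted path followed by args
        else:
            path = path.split(" [", 1)[0]      # drop "[date size]" or "[?]"
        rows.append({"name": m.group("name"), "display": m.group("display"),
                     "path": path.strip(), "missing_info": missing_info})
    return rows


def score_service(row):
    """Return (score, reasons) for one entry; weights are assumptions."""
    checks = [
        (3, "binary lives in a temp directory", TEMP_DIR_RE.search(row["path"])),
        (1, "DDS could not stat the file ([?])", row["missing_info"]),
        (1, "display name is just the service name",
         row["name"].lower() == row["display"].lower()),
    ]
    hits = [(weight, why) for weight, why, cond in checks if cond]
    return sum(w for w, _ in hits), [why for _, why in hits]


def suspicious_services(text, threshold=2):
    """Map name -> reasons for entries at or above threshold, so one weak
    signal (bare display name, or a known tool DDS could not read) is not
    reported on its own while a temp-directory service always is."""
    flagged = {}
    for row in parse_dds_services(text):
        score, reasons = score_service(row)
        if score >= threshold:
            flagged[row["name"]] = reasons
    return flagged


def random_prefix_clusters(paths, prefix_len=6, min_members=3):
    """Group random-looking stems by their first prefix_len letters and keep
    groups of >= min_members files spanning >= 2 extensions."""
    groups = defaultdict(list)
    for p in paths:
        base = p.replace("\\", "/").rsplit("/", 1)[-1]
        stem, dot, _ = base.rpartition(".")
        if dot and RANDOM_STEM_RE.fullmatch(stem):
            groups[stem[:prefix_len]].append(base)
    return {prefix: sorted(files) for prefix, files in groups.items()
            if len(files) >= min_members
            and len({f.rpartition(".")[2] for f in files}) >= 2}


if __name__ == "__main__":
    for name, why in suspicious_services(SAMPLE_DDS).items():
        print(f"service {name}: {'; '.join(why)}")
    for prefix, files in random_prefix_clusters(SAMPLE_SYSTEM32).items():
        print(f"prefix {prefix!r}: {', '.join(files)}")
```

Run as a script it reports only the YEBTCUK service and the hjgrui cluster. atitray (display name equal to the service name) and RServer3 (a file DDS could not read, but Radmin that the poster says is installed deliberately) each score one point and stay below the threshold, which is why the checks are weighted rather than applied as single-rule matches; the NlsLexicons and Presentation* files fail the all-lowercase stem test and the avg driver is too short, so none of them cluster.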


#4 Elise

Elise

  • Malware Study Hall Admin
  • 60,605 posts
  • Gender:Female
  • Location:Romania

Posted 02 July 2009 - 04:56 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

regards, Elise



#5 High500

High500
  • Topic Starter

  • Members
  • 75 posts

Posted 02 July 2009 - 05:04 AM

Thanks Elise, if you see my last post on this subject I believe I may have resolved the issue (using many techniques I picked up from looking at hundreds of cases on here!)

But I will repost my logs tonight just in case I have missed anything! Hopefully you can then move on to the next lost soul!

High500



