Unsure if I STILL have Trojan.TDSS (mbam logs inconclusive)


13 replies to this topic

#1 zarlz

  • Members
  • 7 posts

Posted 18 July 2009 - 07:37 PM

Hi there, I had some problems with viruses/trojans in the last week or so, which I was able to mostly cleanse with repeated MBAM passes. I was having detections from both Scotty watchdog (programs wanting to autorun, which I blocked) and browser redirects.

I was repeatedly scanning with MBAM even once the obvious problems/symptoms had cleared, as there was one last infection showing up:

Memory Modules Infected:
\\?\globalroot\systemroot\system32\geyekrowkpbsmy.dll (Trojan.TDSS) -> Delete on reboot.


However, on reboot and rescan the above was still present. I was away from this PC for 4 days and rescanned on my return, getting a clean pass from MBAM; however, I'm still getting some Google redirects. Below are my 3 most recent MBAM logs:

Malwarebytes' Anti-Malware 1.39
Database version: 2435
Windows 5.1.2600 Service Pack 2

15/07/2009 21:55:45
mbam-log-2009-07-15 (21-55-45).txt

Scan type: Quick Scan
Objects scanned: 94229
Time elapsed: 3 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
\\?\globalroot\systemroot\system32\geyekrowkpbsmy.dll (Trojan.TDSS) -> Delete on reboot.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
\\?\globalroot\systemroot\system32\geyekrowkpbsmy.dll (Trojan.TDSS) -> Quarantined and deleted successfully.


After reboot I scanned again and it detected the same infection:

Malwarebytes' Anti-Malware 1.39
Database version: 2435
Windows 5.1.2600 Service Pack 2

15/07/2009 22:22:35
mbam-log-2009-07-15 (22-22-35).txt

Scan type: Quick Scan
Objects scanned: 5984
Time elapsed: 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
\\?\globalroot\systemroot\system32\geyekrowkpbsmy.dll (Trojan.TDSS) -> Delete on reboot.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
\\?\globalroot\systemroot\system32\geyekrowkpbsmy.dll (Trojan.TDSS) -> Quarantined and deleted successfully.


And 4 days later (PC not accessed or used since the above scan):


Malwarebytes' Anti-Malware 1.39
Database version: 2435
Windows 5.1.2600 Service Pack 2

19/07/2009 01:09:49
mbam-log-2009-07-19 (01-09-49).txt

Scan type: Quick Scan
Objects scanned: 94715
Time elapsed: 4 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



Does this mean I am now clear of the infection? Or is this some form of false positive? What else would you advise I scan with to ensure that I am clear, or to root out any remaining infection?
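The question in this post (does a "Delete on reboot" item that shows up again after the reboot mean a false positive?) can be answered from the logs themselves. The following is an added example, not code from the original post and not Malwarebytes' own tooling: it parses a series of MBAM logs in the format pasted above, and flags any item that one scan scheduled for "Delete on reboot" and the next scan reported again. The three embedded excerpts are constructed from the logs in this post, trimmed to the sections that matter.

```python
"""Flag MBAM detections that survive a 'Delete on reboot' into the next scan.
Added example for this thread; not MBAM's own tooling, not the poster's code."""

import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed excerpts in the MBAM 1.39 log format shown in the thread.
MBAM_LOGS = [
    r"""Malwarebytes' Anti-Malware 1.39
Database version: 2435

15/07/2009 21:55:45

Memory Modules Infected:
\\?\globalroot\systemroot\system32\geyekrowkpbsmy.dll (Trojan.TDSS) -> Delete on reboot.

Files Infected:
\\?\globalroot\systemroot\system32\geyekrowkpbsmy.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
""",
    r"""Malwarebytes' Anti-Malware 1.39
Database version: 2435

15/07/2009 22:22:35

Memory Modules Infected:
\\?\globalroot\systemroot\system32\geyekrowkpbsmy.dll (Trojan.TDSS) -> Delete on reboot.

Files Infected:
\\?\globalroot\systemroot\system32\geyekrowkpbsmy.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
""",
    r"""Malwarebytes' Anti-Malware 1.39
Database version: 2435

19/07/2009 01:09:49

Memory Modules Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
""",
]

SECTION_RE = re.compile(r"^(.+ Infected):$")            # "Files Infected:" (no count)
TIMESTAMP_RE = re.compile(r"^\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}$")
ITEM_RE = re.compile(r"^(?P<path>.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+?)\.?$")


@dataclass(frozen=True)
class Detection:
    section: str
    path: str      # lower-cased so the same object matches across scans
    threat: str
    action: str


def parse_mbam_log(text: str) -> Dict[str, object]:
    """Return {'timestamp': str or None, 'detections': [Detection, ...]}."""
    timestamp, section = None, None
    detections: List[Detection] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            section = None                     # a blank line closes a section
            continue
        if timestamp is None and TIMESTAMP_RE.match(line):
            timestamp = line
            continue
        head = SECTION_RE.match(line)
        if head:
            section = head.group(1)
            continue
        if section is None or line.startswith("(No malicious items"):
            continue
        item = ITEM_RE.match(line)
        if item:
            detections.append(Detection(section, item["path"].lower(),
                                        item["threat"], item["action"]))
    return {"timestamp": timestamp, "detections": detections}


def reboot_survivors(logs: List[str]) -> List[str]:
    """Paths marked 'Delete on reboot' in one scan and reported again by the
    next scan, in first-seen order. A module that keeps coming back after its
    file was 'deleted' is being restored by something the scanner cannot see,
    which is the rootkit pattern this thread describes, not a false positive."""
    parsed = [parse_mbam_log(t) for t in logs]
    survivors: List[str] = []
    for earlier, later in zip(parsed, parsed[1:]):
        scheduled = {d.path for d in earlier["detections"]
                     if d.action.lower().startswith("delete on reboot")}
        seen_again = {d.path for d in later["detections"]}
        for path in sorted(scheduled & seen_again):
            if path not in survivors:
                survivors.append(path)
    return survivors


def verdict(logs: List[str]) -> str:
    """Plain-language reading of the whole series (added heuristic)."""
    survivors = reboot_survivors(logs)
    final_clean = not parse_mbam_log(logs[-1])["detections"]
    if survivors and final_clean:
        return ("reboot persistence seen earlier in the series; the final clean "
                "scan is not proof of removal, confirm with a rootkit scanner")
    if survivors:
        return "reboot persistence seen; rootkit suspected"
    return "clean" if final_clean else "detections present, no reboot persistence seen"


if __name__ == "__main__":
    for p in reboot_survivors(MBAM_LOGS):
        print("survived 'Delete on reboot':", p)
    print("verdict:", verdict(MBAM_LOGS))
```

Run against the three logs above it reports the geyekr DLL as a reboot survivor, and the verdict notes that the later clean quick scan does not settle the question on its own, since a quick scan sees only what the operating system lets it see.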


#2 garmanma

    Computer Masochist

  • Staff Emeritus
  • 27,809 posts
  • Location:Cleveland, Ohio

Posted 18 July 2009 - 08:54 PM

It looks like you still have some things


ATF
Please download ATF Cleaner by Atribune & save it to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

------------------------------------

SAS, may take a long time to scan
Please download and scan with SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
---------------------------------

Follow that up with a Dr. Web CureIt scan


Please download Dr.Web CureIt, the free version & save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on launch.exe to open the program and click Start. (There is no need to update if you just downloaded the most current version.)
  • Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to download the Full version Free Trial, ignore and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All.
  • When complete, click Select All, then choose Cure > Move incurable.
    (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • Now put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and UNcheck "Heuristic analysis" under the "Scanning" tab, then click Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • When the scan is complete, a message will be displayed at the bottom indicating if any viruses were found.
  • Click "Yes to all" if asked to cure or move the file(s) and select "Move incurable".
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report)

Mark
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits

#3 zarlz
  • Topic Starter

  • Members
  • 7 posts

Posted 19 July 2009 - 10:29 AM

Hi thanks for the swift reply,


Ran ATF-cleaner - already had it from trying to clean problems before but downloaded newest version and cleared everything.

I've run SAS in safe mode as requested - log below. However, I couldn't get CureIt to run (tried first in safe mode, then in normal mode, and it crashed with a 'kernel' error each time) - the error message log was:

CUREIT error log

<?xml version="1.0" encoding="UTF-16"?>
<DATABASE>
<EXE NAME="blnyp.exe" FILTER="GRABMI_FILTER_PRIVACY">
<MATCHING_FILE NAME="ba32vk.exe" SIZE="116024" CHECKSUM="0x3B07323C" BIN_FILE_VERSION="2.5.5.9151" BIN_PRODUCT_VERSION="2.5.5.9151" PRODUCT_VERSION="2.55" FILE_DESCRIPTION="AutoRun" COMPANY_NAME="Doctor Web, Ltd." PRODUCT_NAME="AutoRun Manager" FILE_VERSION="2.55" ORIGINAL_FILENAME="AutoRun.exe" INTERNAL_NAME="AutoRun" LEGAL_COPYRIGHT="Copyright © 2005 Doctor Web, Ltd." VERFILEDATEHI="0x0" VERFILEDATELO="0x0" VERFILEOS="0x40004" VERFILETYPE="0x1" MODULE_TYPE="WIN32" PE_CHECKSUM="0x278B8" LINKER_VERSION="0x0" UPTO_BIN_FILE_VERSION="2.5.5.9151" UPTO_BIN_PRODUCT_VERSION="2.5.5.9151" LINK_DATE="09/15/2008 10:31:51" UPTO_LINK_DATE="09/15/2008 10:31:51" VER_LANGUAGE="Language Neutral [0x0]" />
<MATCHING_FILE NAME="blnyp.exe" SIZE="2094320" CHECKSUM="0x27C35768" MODULE_TYPE="WIN32" PE_CHECKSUM="0x202241" LINKER_VERSION="0x0" LINK_DATE="06/30/2009 16:54:45" UPTO_LINK_DATE="06/30/2009 16:54:45" />
<MATCHING_FILE NAME="dwebio16.dll" SIZE="25664" CHECKSUM="0xDD53B09F" BIN_FILE_VERSION="1.1.0.6" BIN_PRODUCT_VERSION="1.1.0.6" PRODUCT_VERSION="0.0.000.006" FILE_DESCRIPTION="DRWEB32. Low-level I/O. 16-bit part of thunking interface" COMPANY_NAME="Doctor Web Ltd. " PRODUCT_NAME="Dr.Web" FILE_VERSION="1.1.005" ORIGINAL_FILENAME="DWEBIO16.DLL" INTERNAL_NAME="DWEBIO16" LEGAL_COPYRIGHT="Copyright © Vitaly Ladygin. 1997-98." VERFILEDATEHI="0x0" VERFILEDATELO="0x0" VERFILEOS="0x1" VERFILETYPE="0x2" MODULE_TYPE="WIN16" S16BIT_DESCRIPTION="DrWeb-32 for Windows 95. 16-bit I/O DLL. V.Ladygin" S16BIT_MODULE_NAME="DWEBIO16" UPTO_BIN_FILE_VERSION="1.1.0.6" UPTO_BIN_PRODUCT_VERSION="1.1.0.6" VER_LANGUAGE="Russian [0x419]" />
<MATCHING_FILE NAME="dwebio32.dll" SIZE="24576" CHECKSUM="0xA9CC19FD" BIN_FILE_VERSION="4.32.0.0" BIN_PRODUCT_VERSION="4.32.0.0" PRODUCT_VERSION="4, 32, 0, 0" FILE_DESCRIPTION="DWEBIO32" COMPANY_NAME="Doctor Web Ltd." PRODUCT_NAME="Dr.Web (R)" FILE_VERSION="4, 32, 0, 0" ORIGINAL_FILENAME="DWEBIO32.dll" INTERNAL_NAME="DWEBIO32" LEGAL_COPYRIGHT="Copyright © 1998-2000, Dmitry Mostovoy & Vitaly Ladygin" VERFILEDATEHI="0x0" VERFILEDATELO="0x0" VERFILEOS="0x10004" VERFILETYPE="0x2" MODULE_TYPE="WIN32" PE_CHECKSUM="0x0" LINKER_VERSION="0x0" UPTO_BIN_FILE_VERSION="4.32.0.0" UPTO_BIN_PRODUCT_VERSION="4.32.0.0" LINK_DATE="07/27/2004 08:28:41" UPTO_LINK_DATE="07/27/2004 08:28:41" VER_LANGUAGE="Language Neutral [0x0]" />
<MATCHING_FILE NAME="dwebllio.dll" SIZE="51200" CHECKSUM="0x2BDF9685" BIN_FILE_VERSION="4.32.0.0" BIN_PRODUCT_VERSION="4.32.0.0" PRODUCT_VERSION="4, 32, 0, 0" FILE_DESCRIPTION="DWEBLLIO" COMPANY_NAME="Doctor Web Ltd." PRODUCT_NAME="Dr.Web (R)" FILE_VERSION="4, 32, 0, 0" ORIGINAL_FILENAME="DWEBLLIO.dll" INTERNAL_NAME="DWEBLLIO" LEGAL_COPYRIGHT="Copyright © 1998-2000, Dmitry Mostovoy & Vitaly Ladygin" VERFILEDATEHI="0x0" VERFILEDATELO="0x0" VERFILEOS="0x4" VERFILETYPE="0x2" MODULE_TYPE="WIN32" PE_CHECKSUM="0x0" LINKER_VERSION="0x0" UPTO_BIN_FILE_VERSION="4.32.0.0" UPTO_BIN_PRODUCT_VERSION="4.32.0.0" LINK_DATE="07/26/2004 14:05:18" UPTO_LINK_DATE="07/26/2004 14:05:18" VER_LANGUAGE="Language Neutral [0x0]" />
<MATCHING_FILE NAME="setup.dll" SIZE="3694080" CHECKSUM="0xA63822C" BIN_FILE_VERSION="5.0.0.12182" BIN_PRODUCT_VERSION="5.0.0.12182" PRODUCT_VERSION="5, 00, 0, 12182" FILE_DESCRIPTION="Dr.Web ® Virus-Finding Engine" COMPANY_NAME="Doctor Web, Ltd." PRODUCT_NAME="Dr.Web (R)" FILE_VERSION="5, 00, 0, 12182" ORIGINAL_FILENAME="DrWeb32.dll" INTERNAL_NAME="Dr.Web (R) Virus-Finding Engine" LEGAL_COPYRIGHT="Copyright © Igor Daniloff, 1992-2008" VERFILEDATEHI="0x0" VERFILEDATELO="0x494A8F7C" VERFILEOS="0x0" VERFILETYPE="0x2" MODULE_TYPE="WIN32" PE_CHECKSUM="0x38EB63" LINKER_VERSION="0x0" UPTO_BIN_FILE_VERSION="5.0.0.12182" UPTO_BIN_PRODUCT_VERSION="5.0.0.12182" LINK_DATE="12/18/2008 17:59:25" UPTO_LINK_DATE="12/18/2008 17:59:25" VER_LANGUAGE="Language Neutral [0x0]" />
</EXE>
<EXE NAME="kernel32.dll" FILTER="GRABMI_FILTER_THISFILEONLY">
<MATCHING_FILE NAME="kernel32.dll" SIZE="984576" CHECKSUM="0xF0B331F6" BIN_FILE_VERSION="5.1.2600.3119" BIN_PRODUCT_VERSION="5.1.2600.3119" PRODUCT_VERSION="5.1.2600.3119" FILE_DESCRIPTION="Windows NT BASE API Client DLL" COMPANY_NAME="Microsoft Corporation" PRODUCT_NAME="Microsoft® Windows® Operating System" FILE_VERSION="5.1.2600.3119 (xpsp_sp2_gdr.070416-1301)" ORIGINAL_FILENAME="kernel32" INTERNAL_NAME="kernel32" LEGAL_COPYRIGHT="© Microsoft Corporation. All rights reserved." VERFILEDATEHI="0x0" VERFILEDATELO="0x0" VERFILEOS="0x40004" VERFILETYPE="0x2" MODULE_TYPE="WIN32" PE_CHECKSUM="0xF9293" LINKER_VERSION="0x50001" UPTO_BIN_FILE_VERSION="5.1.2600.3119" UPTO_BIN_PRODUCT_VERSION="5.1.2600.3119" LINK_DATE="04/16/2007 15:52:53" UPTO_LINK_DATE="04/16/2007 15:52:53" VER_LANGUAGE="English (United States) [0x409]" />
</EXE>
<EXE NAME="kernel32.dll" FILTER="GRABMI_FILTER_THISFILEONLY">
<MATCHING_FILE NAME="kernel32.dll" SIZE="984576" CHECKSUM="0xF0B331F6" BIN_FILE_VERSION="5.1.2600.3119" BIN_PRODUCT_VERSION="5.1.2600.3119" PRODUCT_VERSION="5.1.2600.3119" FILE_DESCRIPTION="Windows NT BASE API Client DLL" COMPANY_NAME="Microsoft Corporation" PRODUCT_NAME="Microsoft® Windows® Operating System" FILE_VERSION="5.1.2600.3119 (xpsp_sp2_gdr.070416-1301)" ORIGINAL_FILENAME="kernel32" INTERNAL_NAME="kernel32" LEGAL_COPYRIGHT="© Microsoft Corporation. All rights reserved." VERFILEDATEHI="0x0" VERFILEDATELO="0x0" VERFILEOS="0x40004" VERFILETYPE="0x2" MODULE_TYPE="WIN32" PE_CHECKSUM="0xF9293" LINKER_VERSION="0x50001" UPTO_BIN_FILE_VERSION="5.1.2600.3119" UPTO_BIN_PRODUCT_VERSION="5.1.2600.3119" LINK_DATE="04/16/2007 15:52:53" UPTO_LINK_DATE="04/16/2007 15:52:53" VER_LANGUAGE="English (United States) [0x409]" />
</EXE>
</DATABASE>


I looked on the CureIt forums and searched around for related crashes and couldn't find a solution - the closest match was that it might not run with WindowBlinds loaded (which I do use); I unloaded WindowBlinds and it still crashes. Any advice on getting CureIt working?


SAS LOG

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/19/2009 at 03:57 PM

Application Version : 4.26.1006

Core Rules Database Version : 4003
Trace Rules Database Version: 1943

Scan type : Complete Scan
Total Scan Time : 01:12:34

Memory items scanned : 237
Memory threats detected : 0
Registry items scanned : 7805
Registry threats detected : 0
File items scanned : 174889
File threats detected : 1

Trojan.Agent/Gen-SDRA
D:\WINDOWS\SYSTEM32\SDRA64.EXE



Thanks again

Edited by zarlz, 19 July 2009 - 10:30 AM.


#4 garmanma

    Computer Masochist

  • Staff Emeritus
  • 27,809 posts
  • Location:Cleveland, Ohio

Posted 19 July 2009 - 03:40 PM

Try disabling your Scotty watchdog program and, if you use Spybot S&D's TeaTimer function, disable that also and run your scans.
Mark

#5 zarlz
  • Topic Starter

  • Members
  • 7 posts

Posted 21 July 2009 - 05:04 AM

I've tried running CureIt again, with all the above mentioned programs disabled and in and out of safe mode and still just get the same error. Anything else I can try?

Thanks

#6 DaChew

    Visiting Alien

  • BC Advisor
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 21 July 2009 - 06:27 AM

This is a very nasty infection

http://rootrepeal.googlepages.com/

http://rootrepeal.googlepages.com/RootRepeal.zip

Just use the file tab at the bottom, scan and paste the report into a reply here please

Chewy

No. Try not. Do... or do not. There is no try.

#7 zarlz
  • Topic Starter

  • Members
  • 7 posts

Posted 21 July 2009 - 02:23 PM

Thanks, I have done as you've said. I had several error messages (5 in total, which corresponds to the number of physical hard drives in this PC) of:
"Could not read the boot sector. Try adjusting the Disk Access Level in the Options Dialog" on startup of RootRepeal and then again when attempting to run it.

I also got an error message of:
"Could not find module file on disk" Details>>> "Warning - could not read Windows kernel using raw-disk reading!" followed by
Could not find module file on disk another three times

I tried each Disk Access Level in the options and was only able to get it to run on Medium (the others either didn't initialize or, in the case of Low, actually froze/crashed the program/system).

This was the report (note: D:\ is my system drive, not C:\, which is why I have run it on this drive):

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/07/21 20:03
Program Version: Version 1.3.2.0
Windows Version: Windows XP SP2
==================================================

Hidden/Locked Files
-------------------
Path: Volume D:\
Status: MBR Rootkit Detected!

Path: Volume D:\, Sector 1
Status: Sector mismatch

Path: Volume D:\, Sector 2
Status: Sector mismatch

Path: Volume D:\, Sector 3
Status: Sector mismatch

Path: Volume D:\, Sector 4
Status: Sector mismatch

Path: Volume D:\, Sector 5
Status: Sector mismatch

Path: Volume D:\, Sector 6
Status: Sector mismatch

Path: Volume D:\, Sector 7
Status: Sector mismatch

Path: Volume D:\, Sector 8
Status: Sector mismatch

Path: Volume D:\, Sector 9
Status: Sector mismatch

Path: Volume D:\, Sector 10
Status: Sector mismatch

Path: Volume D:\, Sector 11
Status: Sector mismatch

Path: Volume D:\, Sector 12
Status: Sector mismatch

Path: Volume D:\, Sector 13
Status: Sector mismatch

Path: Volume D:\, Sector 14
Status: Sector mismatch

Path: Volume D:\, Sector 15
Status: Sector mismatch

Path: Volume D:\, Sector 16
Status: Sector mismatch

Path: Volume D:\, Sector 17
Status: Sector mismatch

Path: Volume D:\, Sector 18
Status: Sector mismatch

Path: Volume D:\, Sector 19
Status: Sector mismatch

Path: Volume D:\, Sector 20
Status: Sector mismatch

Path: Volume D:\, Sector 21
Status: Sector mismatch

Path: Volume D:\, Sector 22
Status: Sector mismatch

Path: Volume D:\, Sector 23
Status: Sector mismatch

Path: Volume D:\, Sector 24
Status: Sector mismatch

Path: Volume D:\, Sector 25
Status: Sector mismatch

Path: Volume D:\, Sector 26
Status: Sector mismatch

Path: Volume D:\, Sector 27
Status: Sector mismatch

Path: Volume D:\, Sector 28
Status: Sector mismatch

Path: Volume D:\, Sector 29
Status: Sector mismatch

Path: Volume D:\, Sector 30
Status: Sector mismatch

Path: Volume D:\, Sector 31
Status: Sector mismatch

Path: Volume D:\, Sector 32
Status: Sector mismatch

Path: Volume D:\, Sector 33
Status: Sector mismatch

Path: Volume D:\, Sector 34
Status: Sector mismatch

Path: Volume D:\, Sector 35
Status: Sector mismatch

Path: Volume D:\, Sector 36
Status: Sector mismatch

Path: Volume D:\, Sector 37
Status: Sector mismatch

Path: Volume D:\, Sector 38
Status: Sector mismatch

Path: Volume D:\, Sector 39
Status: Sector mismatch

Path: Volume D:\, Sector 40
Status: Sector mismatch

Path: Volume D:\, Sector 41
Status: Sector mismatch

Path: Volume D:\, Sector 42
Status: Sector mismatch

Path: Volume D:\, Sector 43
Status: Sector mismatch

Path: Volume D:\, Sector 44
Status: Sector mismatch

Path: Volume D:\, Sector 45
Status: Sector mismatch

Path: Volume D:\, Sector 46
Status: Sector mismatch

Path: Volume D:\, Sector 47
Status: Sector mismatch

Path: Volume D:\, Sector 48
Status: Sector mismatch

Path: Volume D:\, Sector 49
Status: Sector mismatch

Path: Volume D:\, Sector 50
Status: Sector mismatch

Path: Volume D:\, Sector 51
Status: Sector mismatch

Path: Volume D:\, Sector 52
Status: Sector mismatch

Path: Volume D:\, Sector 53
Status: Sector mismatch

Path: Volume D:\, Sector 54
Status: Sector mismatch

Path: Volume D:\, Sector 55
Status: Sector mismatch

Path: Volume D:\, Sector 56
Status: Sector mismatch

Path: Volume D:\, Sector 57
Status: Sector mismatch

Path: Volume D:\, Sector 58
Status: Sector mismatch

Path: Volume D:\, Sector 59
Status: Sector mismatch

Path: Volume D:\, Sector 60
Status: Sector mismatch

Path: Volume D:\, Sector 61
Status: Sector mismatch

Path: Volume D:\, Sector 62
Status: Sector mismatch



Thanks for all the assistance

#8 DaChew

    Visiting Alien

  • BC Advisor
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 21 July 2009 - 09:46 PM

Please download Sophos Anti-rootkit & save it to your desktop.
alternate download link
Note: If using the vendor's download site you will be asked to register with MySophos so an email containing an activation link can be sent to your email address.

Be sure to print out and read the Sophos Anti-Rootkit User Manual and Release Notes.
  • Double-click sar_15_sfx.exe to begin the installation, read the license agreement and click Accept.
  • Allow the default location of C:\Program Files\Sophos\Sophos Anti-Rootkit and click Install.
  • A message will appear "Sophos Anti-Rootkit was successfully installed. Click 'yes' to start it now". Click Yes.
  • Make sure the following are checked:
    • Running processes
    • Windows Registry
    • Local Hard Drives
  • Click Start scan.
  • Sophos Anti-Rootkit will scan the selected areas and display any suspicious files in the upper panel.
  • When the scan is complete, a pop-up screen will appear with "Rootkit Scan Results". Click OK to continue.
  • Click on the suspicious file to display more information about it in the lower panel which also includes whether the item is recommended for removal.
    • Files tagged as Removable: No are not marked for removal and cannot be removed.
    • Files tagged as Removable: Yes (clean up recommended) are marked for removal by default.
    • Files tagged as Removable: Yes (but clean up not recommended) are not marked for removal because Sophos did not recognize them. These files will require further investigation.
  • Select only items recommended for removal, then click "Clean up checked items". You will be asked to confirm, click Yes.
  • A pop up window will appear advising the cleanup will finish when you restart your computer. Click Restart Now.
  • After reboot, a dialog box displays the files you selected for removal and the action taken.
  • Click Empty list and then click Continue to re-scan your computer a second time to ensure everything was cleaned.
  • When done, go to Start > Run and type or copy/paste: %temp%\sarscan.log
  • This should open the log from the rootkit scan. Please post this log in your next reply. If you have a problem, you can find sarscan.log in C:\Documents and Settings\\Local Settings\Temp\.
Before performing an ARK scan it is recommended to do the following to ensure more accurate results and avoid common issues that may cause false detections.
  • Disconnect from the Internet or physically unplug your Internet cable connection.
  • Clean out your temporary files.
  • Close all open programs, scheduling/updating tasks and background processes that might activate during the scan including the screensaver.
  • Temporarily disable your anti-virus and real-time anti-spyware protection.
  • After starting the scan, do not use the computer until the scan has completed.
  • When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.

Chewy

#9 zarlz
  • Topic Starter

  • Members
  • 7 posts

Posted 22 July 2009 - 10:00 AM

Thanks again

Here is the sarscan.log. I only ran it the once because none of the things detected were of the "Yes (clean up recommended)" type so did not remove any.

sarscan.log

Sophos Anti-Rootkit Version 1.5.0 © 2009 Sophos Plc
Started logging on 22/07/2009 at 14:21:15
User "Gavin" on computer "SHARKY"
Windows version 5.1 SP 2.0 Service Pack 2 build 2600 SM=0x100 PT=0x1 Win32
Info: Starting process scan.
Info: Starting registry scan.
Hidden: registry item \HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\geyekrtitpqdrx
Hidden: registry item \HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\geyekrtitpqdrx
Hidden: registry item \HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\geyekrtitpqdrx
Info: Starting disk scan of C: (NTFS).
Info: Starting disk scan of D: (NTFS).
Hidden: file D:\WINDOWS\TEMP\geyekrevyukulcxc.tmp
Hidden: file D:\WINDOWS\TEMP\geyekrfflptxwfdx.tmp
Hidden: file D:\WINDOWS\TEMP\geyekrexnqvnaibc.tmp
Hidden: file D:\WINDOWS\TEMP\geyekrmilaulsfho.tmp
Hidden: file D:\WINDOWS\TEMP\geyekrivppefbwbg.tmp
Hidden: file D:\Documents and Settings\Gavin\Application Data\SecuROM\UserData\???????????p?????????
Hidden: file D:\Documents and Settings\Gavin\Application Data\SecuROM\UserData\???????????p?????????
Hidden: file D:\WINDOWS\system32\drivers\sptd.sys
Hidden: file D:\WINDOWS\TEMP\geyekrsetemutwgr.tmp
Hidden: file D:\WINDOWS\TEMP\geyekrweyprsxfvo.tmp
Hidden: file D:\WINDOWS\TEMP\geyekrqhtssiycwb.tmp
Hidden: file D:\WINDOWS\TEMP\geyekrrsmcccjwib.tmp
Hidden: file D:\WINDOWS\TEMP\geyekrqwriqlepfb.tmp
Hidden: file D:\WINDOWS\system32\geyekrowkpbsmy.dll
Hidden: file D:\WINDOWS\system32\geyekrvkkorulm.dat
Hidden: file D:\WINDOWS\system32\drivers\geyekrmqrnwgaa.sys
Hidden: file D:\WINDOWS\system32\geyekrwkmcjsuc.dll
Hidden: file D:\WINDOWS\system32\geyekrkboyowta.dat
Info: Starting disk scan of E: (NTFS).
Info: Starting disk scan of F: (NTFS).
Info: Starting disk scan of G: (NTFS).
Info: Starting disk scan of H: (FAT).
Info: Starting disk scan of I: (NTFS).
Info: Starting disk scan of J: (NTFS).
Info: Starting disk scan of L: (NTFS).
Info: Starting disk scan of M: (NTFS).
Info: Starting disk scan of N: (NTFS).
Info: Starting disk scan of P: (NTFS).
Info: Starting disk scan of Q: (NTFS).
Info: Starting disk scan of S: (NTFS).
Info: Starting disk scan of Z: (NTFS).
Stopped logging on 22/07/2009 at 15:46:38



#10 DaChew

    Visiting Alien

  • BC Advisor
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 22 July 2009 - 10:10 AM

Hidden: file D:\WINDOWS\system32\drivers\geyekrmqrnwgaa.sys


This is the primary rootkit file; the DLLs will replace it as soon as it's deleted. With RootRepeal we wipe the file, which fools the DLLs and lets MBAM kill the whole mess.

What options does Sophos give? You could try to let it remove it and run an MBAM scan after rebooting.

If not then you will need to move over to our HJT forum which is really backed up at the present.

One or more of the identified infections is a rootkit/backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

Someone may still be able to clean this machine but we can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.
Chewy

#11 zarlz
  • Topic Starter

  • Members
  • 7 posts

Posted 22 July 2009 - 07:50 PM

Hi, I'm on a different pc now (clean to the best of my knowledge and not networked with the infected one).

I have re-run Sophos and removed all the geyekr.. parts (the others were SecuRom - which I know I have installed games that used it - and SPTD.sys, which Googling led me to believe was part of Daemon Tools - which I also use, so I figured that these entries were 'safe' to leave). Following a reboot, all of the geyekr elements are gone from Sophos and MBAM is also coming up clear.


I do not do any online banking so that's safe at least. Before deciding what action I should take can someone clarify how information such as passwords would be obtained; would it function as a keylogger, or would it simply be able to obtain/extract passwords already saved?

If it is the former then I am relatively 'safe' as the only passwords I've typed into that machine since the infection are minor ones (such as to this forum). Of course if it is the latter I will be needing to change a much larger number.

Also from your second link the section:

If the computer was connected to the Internet for a long time with the backdoor installed, or if the malware used ICQ to actively contact hackers, then it is more likely the backdoor was used. Therefore there is a high risk if re-formatting and re-installing is not done.

If the backdoor merely opens a port to listen the risk is slightly lower.

If the backdoor merely opens a port to listen and the computer was behind a working firewall or NAT router, then the risk of the backdoor being used is greatly reduced. Therefore there is probably a much lower risk if re-formatting and re-installing is not done.


Is it possible at this stage to determine whether "malware used ICQ to actively contact hackers" or if it "merely opens a port" in this case? I ask because throughout this time I have had a working software firewall in place, also behind a router, and I believe that I blocked all outgoing/connection firewall requests - though I realise this doesn't rule out things going through browsers which I had already greenlit within the firewall.

In terms of reformatting/reinstalling I can do this (I have all the OS disks and I've reformatted/reinstalled a number of times in the past); however, I would ideally prefer not to, simply for the downtime combined with having to reinstall software (which, although it isn't installed on the boot partition (or even the same drive in most cases), will of course lose the relevant registry entries and generally act as though it doesn't know it's installed - at least this is what has happened with previous reinstalls/formats).

In conclusion, if someone could answer the questions regarding how passwords/information may have been accessed, and also ICQ vs ports, then I think I will be able to make an informed decision as to reformatting (or at least when to do so).

Many many thanks
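The "listens on a port" versus "actively contacts hackers" distinction raised in the post above is something you can check on the host's own connection table. As an added example that is not part of the original thread, here is a Python triage of a `netstat -ano` listing (the form available on Windows XP): it records, per PID, which TCP ports a process listens on and which connections it opened to hosts outside the local network, then maps that onto the quoted guidance about NAT. The netstat text is constructed for the demonstration (remote hosts use RFC 5737 documentation ranges as stand-ins for Internet hosts); the ICQ port number is an assumption noted in the code.

```python
import ipaddress
from collections import defaultdict

# Constructed sample in the layout of `netstat -ano` on Windows XP; not a real capture.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       948
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.5:1043       192.168.1.1:80         ESTABLISHED     2212
  TCP    192.168.1.5:1051       203.0.113.9:5190       ESTABLISHED     1720
  TCP    0.0.0.0:6667           0.0.0.0:0              LISTENING       1720
  TCP    192.168.1.5:1060       198.51.100.23:443      SYN_SENT        1720
  UDP    0.0.0.0:445            *:*                                    4
  UDP    127.0.0.1:1900         *:*                                    1108
"""

ICQ_OSCAR_PORT = 5190  # assumption: the TCP port ICQ/AIM's OSCAR protocol historically used

# Address space that is not "the Internet": RFC 1918, loopback, link-local, unspecified, ULA.
_LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8", "fc00::/7")]


def parse_netstat(text):
    """Turn netstat -ano text into rows; TCP rows carry a state, UDP rows do not."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue  # banner, column header or blank line
        if parts[0] == "TCP" and len(parts) == 5:
            proto, local, remote, state, pid = parts
        elif parts[0] == "UDP" and len(parts) == 4:
            proto, local, remote, pid = parts
            state = ""
        else:
            continue  # unexpected layout: skip rather than guess
        rows.append({"proto": proto, "local": local, "remote": remote,
                     "state": state, "pid": int(pid)})
    return rows


def split_addr(addr):
    """'203.0.113.9:5190' -> ('203.0.113.9', 5190); '*:*' -> ('*', None)."""
    host, _, port = addr.rpartition(":")
    return host.strip("[]"), (int(port) if port.isdigit() else None)


def is_external(host):
    """True for an address that lies outside the local/private ranges."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # '*' or a hostname netstat resolved for us
    if ip.is_loopback or ip.is_link_local or ip.is_unspecified:
        return False
    return not any(ip in net for net in _LOCAL_NETS)


def triage_by_pid(rows):
    """Per PID: ports it listens on, and connections it opened to external hosts."""
    report = defaultdict(lambda: {"listening": [], "outbound": [],
                                  "icq_port": False, "verdict": "none"})
    for r in rows:
        entry = report[r["pid"]]
        _, lport = split_addr(r["local"])
        rhost, rport = split_addr(r["remote"])
        if r["proto"] == "TCP" and r["state"] == "LISTENING":
            entry["listening"].append(lport)
        elif (r["proto"] == "TCP" and r["state"] in ("ESTABLISHED", "SYN_SENT")
              and is_external(rhost)):
            entry["outbound"].append((rhost, rport))
            if rport == ICQ_OSCAR_PORT:
                entry["icq_port"] = True
    for entry in report.values():
        if entry["outbound"] and entry["listening"]:
            entry["verdict"] = "both"
        elif entry["outbound"]:
            entry["verdict"] = "active outbound"
        elif entry["listening"]:
            entry["verdict"] = "listener"
    return dict(report)


def risk_level(entry, behind_nat):
    """Map the quoted guidance onto one PID's triage entry (a heuristic, not a verdict)."""
    if entry["outbound"]:
        return "high"  # actively contacting someone outside; NAT does not help here
    if entry["listening"]:
        return "low" if behind_nat else "medium"  # inbound must first get past NAT/firewall
    return "none"


if __name__ == "__main__":
    for pid, entry in sorted(triage_by_pid(parse_netstat(SAMPLE_NETSTAT)).items()):
        print(pid, entry["verdict"], risk_level(entry, behind_nat=True), entry)
```

Two caveats a practitioner would add. A kernel rootkit of this kind can hide its own sockets and processes from netstat on the infected host, so a clean listing proves little; capturing traffic at the router or from another machine on the segment is more trustworthy. And the software firewall's own log of blocked and allowed outbound connections, kept off the infected box, answers the "did it phone home" question more directly than a snapshot of current connections.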

#12 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 22 July 2009 - 08:08 PM

To be safe I would change any sensitive passwords; financial ones are what these infections target (identity theft).
Chewy


#13 zarlz

zarlz
  • Topic Starter

  • Members
  • 7 posts

Posted 25 July 2009 - 03:33 PM

Hi, thanks for all the help. Changed all my passwords (fortunately I don't use any internet banking, so dodged a bullet there), and I'm just backing up files in preparation for a clean format and reinstall. Is there a recommended list of protective programs to avoid this sort of thing in the future? I was already running AVG, ZoneAlarm, Spybot (TeaTimer), and WinPatrol; is there anything else, or just anything different, I should be using? Thanks

#14 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 25 July 2009 - 03:37 PM

TeaTimer and WinPatrol overlap in trying to protect your system from changes; it's not a good idea to have both running.

We have a lot fewer problems from Scotty

TeaTimer can be a mess and a lot more dangerous.
Chewy
