Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

systemroot\globalroot\system32 trojan


  • This topic is locked This topic is locked
4 replies to this topic

#1 Sphinx_30

Sphinx_30

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:04:01 PM

Posted 21 August 2009 - 02:03 AM

Good day all,

I recently installed a program given to by my friend, unfortunately it contained what I believe to be a rootkit trojan.
I am running:

Vista x86 Service Pack 2
Kaspersky IS 2009 (which found the trojan)

I have already ran the Combofix and have included the results in this post. As well I have already tried deleting this file via Kaspersky by rebooting my system
of which nothing happens. I still get the trojan alert. Kaspersky tells me that I cannot delete this file (windows\system32\geyekrbbdxqefi.dll--Trojan.Win32.Agent2.lav)
becauase it is being used by another program. I do get the an alert box whenever I try to open any program which says: globalroot\systemroot\system32\geyekrbbdxqefi.dll
is either not designed to run on Windows or it contains an eroor. Try installing the program again using the original installation media or contact your system administrator or
software vendor for support.

Thanks in advance....

Combofix log removed. ~ OB

Edited by Orange Blossom, 21 August 2009 - 09:13 AM.


BC AdBot (Login to Remove)

 


#2 Sphinx_30

Sphinx_30
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:04:01 PM

Posted 21 August 2009 - 02:07 AM

apologies this should have been posted in Security...could you please move it there so i won't have to retype it. Thanks

#3 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,805 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:07:01 PM

Posted 21 August 2009 - 09:18 AM

Hello Sphinx_30,

ComboFix logs should not be posted outside the HijackThis forums and then only when asked. It is an extremely powerful tool which should only be used when instructed to do so by someone who has been properly trained. ComboFix is intended by its creator to be "used under the guidance and supervision of an expert." It is NOT for private use. Please read Combofix's Disclaimer. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.

Given what you have written, I'm going to direct you to the HiJack This forum which is why I have deleted the Combofix log. That way, if you run into problems in preparing to post there, this topic will still be open.

Please follow the instructions in ==>This Guide<==.

Once the proper logs are created, then make a NEW TOPIC and post it ==>HERE<== and post back here with the link to the new topic.

If you cannot produce the DDS logs, then post back here and we will provide you with further instructions.

Please keep the Combofix log in case your helper requests it later.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#4 Sphinx_30

Sphinx_30
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:04:01 PM

Posted 21 August 2009 - 01:55 PM

OB, I have created the required DDS log file and posted it >>HERE<<

#5 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,805 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:07:01 PM

Posted 21 August 2009 - 01:55 PM

Hello,

I see that you now have your DDS log posted here: http://www.bleepingcomputer.com/forums/t/251353/globalrootsystemrootsystem32-trojan/.

Now comes the hard part: waiting.

Now that you have posted a log, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a HJT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

Please be patient. It may take several days, perhaps less, to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses.

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users