
Antivirus Pro 2010 - Post-trauma


  • This topic is locked
10 replies to this topic

#1 Woozlez

  • Members
  • 10 posts
  • OFFLINE
  • Local time:09:52 PM

Posted 08 October 2009 - 06:19 PM

My theory of my current situation: it's a clb driver, and the reason is that I have a file appearing when I run a Hidden Services scan in RootRepeal (Files scan won't run) called geykerqsiilxmc.sys. Key point being GEYEKR (Read this: http://www.malwarebytes.org/forums/index.p...howtopic=12709). Problem is it won't let me wipe or delete it and I can't find it otherwise.

Ok, I got infected, got rid of all the stuff most any legit site said to do for Antivirus Pro 2010 and managed to get rid of any sign of it on my PC.

It released some trojans onto my machine though.

I got rid of all the ones AVG would allow me to because mbam.exe renamed to lolwut.exe (after being installed and with the installer and all .exe files renamed) still only lets me run it for 11 seconds into any scan (Average).

I also ran CCleaner and deleted everything it automatically checkmarked.
Symptoms:
  • Not so frequent pop-ups as before removal of trojans but still pop-ups
  • Google redirects (Have been clicking on the links of cached versions to get places)
  • Half of Macromedia Flash items do not work correctly in Firefox
  • Firefox-Downloaded .Exe files and .exe files inside .rar files become corrupted into DOS boxes that run for 2 seconds
  • Websites sometimes loaded improperly
  • Facebook, Lockerz, and some other log-in systems not working
Give me the program you want me to run and I'll run it.

Edited by Woozlez, 08 October 2009 - 06:20 PM.




#2 garmanma

    Computer Masochist

  • Staff Emeritus
  • 27,809 posts
  • OFFLINE
  • Location:Cleveland, Ohio
  • Local time:10:52 PM

Posted 09 October 2009 - 09:51 PM

Now that you were successful in creating a RootRepeal log, you need to post it in our HJT forum. There they will help you with the removal through some custom scripts and programs that we cannot run here in this forum.

First, try to run a DDS / HJT log as outlined in our preparation guide:
http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/

If it won't run, don't worry, just give a brief description and tell them that the Root Repeal log was all you could get to run successfully

Post them here:
http://www.bleepingcomputer.com/forums/f/22/virus-trojan-spyware-and-malware-removal-logs/

The HJT team is extremely busy, so be patient and good luck
Mark
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter

#3 Woozlez
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:09:52 PM

Posted 11 October 2009 - 08:56 PM

I just tried everything and suddenly windows cannot access the specified... for Rootrepeal, Mbam, dds, and hijackthis.

None of them will work

I'm dealing with some highly powerful virus aren't I?

EDIT: I really just need to know a way to delete the GEYEKR file before I get too damaged.

Edited by Woozlez, 11 October 2009 - 09:01 PM.


#4 garmanma

    Computer Masochist

  • Staff Emeritus
  • 27,809 posts
  • OFFLINE
  • Location:Cleveland, Ohio
  • Local time:10:52 PM

Posted 12 October 2009 - 04:43 PM

I misunderstood you. I thought you ran Root Repeal

geykerqsiilxmc.sys.

MBAM has a built-in FileAssassin feature for removing stubborn malware or other malicious files that it did not detect.
  • Go to the "More Tools" tab and click on the "Run Tool" button
  • Browse to the location of the file (C:\xxxx.exe) to remove using the drop down box next to "Look in:" at the top.
  • When you find the file(s), click "Open".
  • You will be prompted with a message warning: This file will be permanently deleted. Are you sure you want to continue?. Click Yes.
  • If removal did not require a reboot, you will receive a message indicating the file was deleted successfully, however, I recommend you reboot anyway.

Caution: Be careful what you delete. FileAssassin is a powerful program, designed to remove highly persistent files. Using it incorrectly could lead to serious problems with your operating system.


If the file returns, then you probably still have malware on your system which is protecting or regenerating it.
=========================================


The HJT forum uses a special script tailored to your machine, but they need to view a couple of things:




Please download peek.bat and save it to your Desktop. Double-click on peek.bat to run it. A black Command Prompt window will appear indicating the program is running. Once it is finished, copy and paste the entire contents of the Log.txt file it creates in your next reply.

If you encounter a problem downloading or getting peek.bat to run, go to Start > Run..., and in the Open box, type: Notepad
  • Click OK.
  • Copy and paste everything in the code box below into the Untitled - Notepad.
@ECHO OFF
DIR /a/s C:\WINDOWS\scecli.dll C:\WINDOWS\netlogon.dll C:\WINDOWS\eventlog.dll C:\Windows\cngaudit.dll >Log.txt
START Log.txt
DEL %0
  • Go to File > Save As, click the drop-down box to change the Save As Type to *All Files and save it as "peek.bat" on your desktop.
  • Double-click peek.bat to run the script.
  • A window will open and close quickly, this is normal.
  • A file called log.txt should be created on your Desktop.
  • Open that file and copy/paste the contents in your next reply.
-- Vista users can refer to these instructions to run a batch file as an administrator.
Mark

#5 Woozlez
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:09:52 PM

Posted 13 October 2009 - 09:16 PM

Volume in drive C has no label.
Volume Serial Number is 847C-5CAA

Directory of C:\WINDOWS\$NtServicePackUninstall$

08/04/2004 04:00 PM 180,224 scecli.dll

Directory of C:\WINDOWS\$NtServicePackUninstall$

08/04/2004 04:00 PM 407,040 netlogon.dll

Directory of C:\WINDOWS\$NtServicePackUninstall$

08/04/2004 04:00 PM 55,808 eventlog.dll
3 File(s) 643,072 bytes

Directory of C:\WINDOWS\ServicePackFiles\i386

04/13/2008 07:12 PM 181,248 scecli.dll

Directory of C:\WINDOWS\ServicePackFiles\i386

04/13/2008 07:12 PM 407,040 netlogon.dll

Directory of C:\WINDOWS\ServicePackFiles\i386

04/13/2008 07:11 PM 56,320 eventlog.dll
3 File(s) 644,608 bytes

Directory of C:\WINDOWS\system32

04/13/2008 07:12 PM 181,248 scecli.dll

Directory of C:\WINDOWS\system32

04/13/2008 07:12 PM 407,040 netlogon.dll

Directory of C:\WINDOWS\system32

04/13/2008 07:11 PM 61,952 eventlog.dll
3 File(s) 650,240 bytes

Total Files Listed:
9 File(s) 1,937,920 bytes
0 Dir(s) 9,256,529,920 bytes free
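An added example, not part of the original posts: the peek.bat listing above is useful because it puts the live copy of each DLL next to the copies Windows keeps from the Service Pack install, so a helper can spot a system file that has been modified in place. The Python script below does that comparison mechanically on the Log.txt text: it parses the DIR /a/s output, indexes each file by directory, and reports any DLL whose size in system32 differs from the ServicePackFiles\i386 copy. The embedded listing is constructed from the sizes posted above, and the two directory paths it compares are assumptions about a default Windows XP layout.

```python
"""Compare live Windows DLLs against their Service Pack copies from DIR output.

Added example for this thread; it is not code from the original posts and not
part of peek.bat. It parses the text that `DIR /a/s` (as run by peek.bat) writes
to Log.txt and flags every DLL whose size in system32 differs from the copy the
installed Service Pack left in ServicePackFiles\\i386. The listing below is
constructed from the sizes posted above.
"""
import re
from collections import defaultdict

# Constructed sample input: the relevant lines of the Log.txt posted in the thread.
SAMPLE_LISTING = """\
 Volume in drive C has no label.
 Volume Serial Number is 847C-5CAA

 Directory of C:\\WINDOWS\\$NtServicePackUninstall$

08/04/2004  04:00 PM           180,224 scecli.dll
08/04/2004  04:00 PM           407,040 netlogon.dll
08/04/2004  04:00 PM            55,808 eventlog.dll
               3 File(s)        643,072 bytes

 Directory of C:\\WINDOWS\\ServicePackFiles\\i386

04/13/2008  07:12 PM           181,248 scecli.dll
04/13/2008  07:12 PM           407,040 netlogon.dll
04/13/2008  07:11 PM            56,320 eventlog.dll
               3 File(s)        644,608 bytes

 Directory of C:\\WINDOWS\\system32

04/13/2008  07:12 PM           181,248 scecli.dll
04/13/2008  07:12 PM           407,040 netlogon.dll
04/13/2008  07:11 PM            61,952 eventlog.dll
               3 File(s)        650,240 bytes

     Total Files Listed:
               9 File(s)      1,937,920 bytes
               0 Dir(s)   9,256,529,920 bytes free
"""

DIR_HEADER = re.compile(r"^\s*Directory of (.+?)\s*$")
# date, time (with or without AM/PM), size with thousands separators, file name
FILE_LINE = re.compile(
    r"^\s*\d{2}/\d{2}/\d{4}\s+\d{1,2}:\d{2}\s*(?:AM|PM)?\s+([\d,]+)\s+(\S.*?)\s*$"
)

LIVE_DIR = r"c:\windows\system32"                    # where the loaded DLLs live (assumed)
REFERENCE_DIR = r"c:\windows\servicepackfiles\i386"  # the installed SP's copies (assumed)


def parse_dir_listing(text):
    """Return {filename: {directory: size_in_bytes}} from DIR /s output.

    Paths and names are lower-cased so comparisons do not depend on the
    capitalisation Windows happened to print.
    """
    index = defaultdict(dict)
    current_dir = None
    for line in text.splitlines():
        header = DIR_HEADER.match(line)
        if header:
            current_dir = header.group(1).lower()
            continue
        entry = FILE_LINE.match(line)
        if entry and current_dir is not None:
            size = int(entry.group(1).replace(",", ""))
            index[entry.group(2).lower()][current_dir] = size
    return dict(index)


def find_size_mismatches(index, live_dir=LIVE_DIR, reference_dir=REFERENCE_DIR):
    """Return [(name, live_size, reference_size)] for DLLs whose live copy
    differs in size from the Service Pack copy. $NtServicePackUninstall$ holds
    the pre-SP versions and is expected to differ, so it is not compared."""
    findings = []
    for name in sorted(index):
        copies = index[name]
        if live_dir in copies and reference_dir in copies:
            if copies[live_dir] != copies[reference_dir]:
                findings.append((name, copies[live_dir], copies[reference_dir]))
    return findings


def missing_from(index, directory=LIVE_DIR):
    """Names DIR found somewhere but not in `directory` (informational only)."""
    return sorted(n for n, copies in index.items() if directory not in copies)


if __name__ == "__main__":
    listing = parse_dir_listing(SAMPLE_LISTING)
    for name, live, ref in find_size_mismatches(listing):
        print(f"{name}: system32 copy is {live:,} bytes, Service Pack copy is {ref:,} bytes")
    for name in missing_from(listing):
        print(f"{name}: not present in {LIVE_DIR}")
```

On the posted numbers it reports eventlog.dll (61,952 bytes live against 56,320 in ServicePackFiles\i386) and nothing for scecli.dll or netlogon.dll. A size difference is a lead, not a verdict: a hotfix applied after the Service Pack can legitimately replace one of these DLLs, so confirm with the file's digital signature or a hash from a known-clean install before treating it as patched.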

#6 Woozlez
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:09:52 PM

Posted 13 October 2009 - 09:22 PM

I also got wscsvc32.exe on my computer somehow, and now Yahoo and Google search are completely not working. I've been having to use Swagbucks search.

I used that BFG of a program you gave me and obliterated it and the visible geyekr files in system32.

Will check results in morning

#7 Woozlez
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:09:52 PM

Posted 14 October 2009 - 05:13 PM

I deleted all geyekr files that were visible in system32 and system32\drivers, but when I ran RootRepeal, it still only found one file: hiberfil.sys. When running the Files scan that is all it found, and then it crashed after ending the scan. I then proceeded to try running a renamed copy of mbam.exe, which crashed after 4 seconds.

After this, I ran the Hidden Services scan on RootRepeal again and found another clb driver!:

Uacd.sys/UACkbmbqtkqvv.sys (same file, 2 names) was wiped successfully

geyekrqsiilxmc/geyekrwvjbpfux.sys was not found on disk and could not be force deleted

Scanned again and they were visible again, but this time:

Uacd.sys/UACkbmbqtkqvv.sys was not found on disk and could not be force deleted

geyekrqsiilxmc/geyekrwvjbpfux.sys was not found on disk and could not be force deleted

Also I keep hearing clicking noises for some reason... :thumbsup:

EDIT: I've been using procexp to suspend virus processes for this whole time. Also, I have a scan of everything but files from RootRepeal:





ROOTREPEAL AD, 2007-2009
==================================================
Scan Start Time: 2009/10/14 17:25
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_iaStor.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_iaStor.sys
Address: 0x9E2CE000 Size: 876544 File Visible: No Signed: -
Status: -

Name: PROCEXP113.SYS
Image Path: C:\WINDOWS\system32\Drivers\PROCEXP113.SYS
Address: 0xB6ECC000 Size: 7872 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0x9C887000 Size: 49152 File Visible: No Signed: -
Status: -

Name: UACkbmbqtkqvv.sys
Image Path: C:\WINDOWS\system32\drivers\UACkbmbqtkqvv.sys
Address: 0x9E5A9000 Size: 241664 File Visible: No Signed: -
Status: Hidden from the Windows API!

Name: win32k.sys:1
Image Path: C:\WINDOWS\win32k.sys:1
Address: 0xA3F97000 Size: 20480 File Visible: No Signed: -
Status: -

Name: win32k.sys:2
Image Path: C:\WINDOWS\win32k.sys:2
Address: 0x9EED5000 Size: 61440 File Visible: No Signed: -
Status: -

Stealth Objects
-------------------
Object: Hidden Module [Name: UACwmbwwkmpmu.dll]
Process: svchost.exe (PID: 1160) Address: 0x00c60000 Size: 167936

Object: Hidden Module [Name: UACegiltehrqc.dll]
Process: svchost.exe (PID: 1160) Address: 0x00e50000 Size: 180224

Object: Hidden Module [Name: UACwmbwwkmpmu.dll]
Process: Iexplore.exe (PID: 1908) Address: 0x00ec0000 Size: 167936

Object: Hidden Module [Name: UACwmbwwkmpmu.dll]
Process: explorer.exe (PID: 2432) Address: 0x00e90000 Size: 167936

Object: Hidden Module [Name: UACwmbwwkmpmu.dll]
Process: Iexplore.exe (PID: 2408) Address: 0x010c0000 Size: 167936

Object: Hidden Code [Driver: sys, IRP_MJ_CREATE]
Process: System Address: 0xe1f013e0 Size: 1854

Object: Hidden Code [Driver: sys, IRP_MJ_CLOSE]
Process: System Address: 0xe1f013e0 Size: 1854

Object: Hidden Code [Driver: sys, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0xe1f013e0 Size: 1854

Object: Hidden Code [Driver: prohlp02, IRP_MJ_CREATE]
Process: System Address: 0xe1afef20 Size: 225

Object: Hidden Code [Driver: prohlp02, IRP_MJ_CLOSE]
Process: System Address: 0xe1afef20 Size: 225

Object: Hidden Code [Driver: prohlp02, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0xe1afef20 Size: 225

Hidden Services
-------------------
Service Name: geyekrqsiilxmc
Image Path: C:\WINDOWS\system32\drivers\geyekrwvjbpfux.sys

Service Name: UACd.sys
Image Path: C:\WINDOWS\system32\drivers\UACkbmbqtkqvv.sys

==EOF==

Edited by Woozlez, 14 October 2009 - 05:31 PM.
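An added example, not code from the original post or from RootRepeal: the report above is long, and the three things a helper pulls out of it first are the driver marked "Hidden from the Windows API!", the hidden services whose service name does not match the file they load (the "same file, 2 names" observation above), and which processes carry the hidden UAC* modules. The Python script below parses the report's text layout and extracts exactly those, using a trimmed copy of the posted report as constructed sample input. The layout assumptions (a heading on the line above a dashed rule, "Key: value" records separated by blank lines) are mine, taken from the posted text rather than from any RootRepeal documentation.

```python
"""Triage a RootRepeal report: pull out the findings a helper reads first.

Added example for this thread, not code from the original posts or from
RootRepeal. It assumes the plain-text layout shown above (a section heading on
the line before a row of dashes, 'Key: value' lines, blank lines between
records). The sample is a trimmed copy of the posted report.
"""
import re
from collections import defaultdict

# Constructed sample input: a subset of the RootRepeal report in the thread.
SAMPLE_REPORT = """\
Scan Start Time: 2009/10/14 17:25
==================================================

Drivers
-------------------
Name: rootrepeal.sys
Image Path: C:\\WINDOWS\\system32\\drivers\\rootrepeal.sys
Address: 0x9C887000 Size: 49152 File Visible: No Signed: -
Status: -

Name: UACkbmbqtkqvv.sys
Image Path: C:\\WINDOWS\\system32\\drivers\\UACkbmbqtkqvv.sys
Address: 0x9E5A9000 Size: 241664 File Visible: No Signed: -
Status: Hidden from the Windows API!

Stealth Objects
-------------------
Object: Hidden Module [Name: UACwmbwwkmpmu.dll]
Process: svchost.exe (PID: 1160) Address: 0x00c60000 Size: 167936

Object: Hidden Module [Name: UACwmbwwkmpmu.dll]
Process: explorer.exe (PID: 2432) Address: 0x00e90000 Size: 167936

Object: Hidden Code [Driver: sys, IRP_MJ_CREATE]
Process: System Address: 0xe1f013e0 Size: 1854

Hidden Services
-------------------
Service Name: geyekrqsiilxmc
Image Path: C:\\WINDOWS\\system32\\drivers\\geyekrwvjbpfux.sys

Service Name: UACd.sys
Image Path: C:\\WINDOWS\\system32\\drivers\\UACkbmbqtkqvv.sys

==EOF==
"""

SECTION_UNDERLINE = re.compile(r"^-{5,}$")


def parse_report(text):
    """{section: [record]}; a record keeps the first 'Key' on each line only."""
    sections, current, record, previous = {}, None, {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if SECTION_UNDERLINE.match(line):
            current = previous             # the heading sits just above the dashes
            sections[current], record = [], {}
        elif not line or line.startswith("=="):
            if record and current is not None:
                sections[current].append(record)
            record = {}
        elif current is not None and ": " in line:
            key, _, value = line.partition(": ")
            record.setdefault(key, value)  # "Address: .. Size: .." stays one value
        previous = line
    if record and current is not None:
        sections[current].append(record)
    return sections


def _stem(filename):
    name = filename.lower()
    return name[:-4] if name.endswith(".sys") else name


def hidden_drivers(sections):
    """Drivers RootRepeal could not see through the normal Windows API."""
    return [r["Name"] for r in sections.get("Drivers", [])
            if "hidden" in r.get("Status", "").lower()]


def service_name_mismatches(sections):
    """Hidden services whose name differs from their image file name."""
    out = []
    for r in sections.get("Hidden Services", []):
        image = r["Image Path"].rsplit("\\", 1)[-1].lower()
        if _stem(r["Service Name"]) != _stem(image):
            out.append((r["Service Name"], image))
    return out


def injected_modules(sections):
    """{hidden module: sorted host processes} from the Stealth Objects section."""
    hosts = defaultdict(set)
    for r in sections.get("Stealth Objects", []):
        mod = re.match(r"Hidden Module \[Name: (.+?)\]", r.get("Object", ""))
        if not mod:
            continue                       # Hidden Code (IRP hook) entries are skipped
        proc = re.match(r"(\S+ \(PID: \d+\))", r.get("Process", ""))
        hosts[mod.group(1)].add(proc.group(1) if proc else r.get("Process", "?"))
    return {name: sorted(procs) for name, procs in hosts.items()}
```

On the sample it returns UACkbmbqtkqvv.sys as the hidden driver, both hidden services as name mismatches (geyekrqsiilxmc loading geyekrwvjbpfux.sys, UACd.sys loading UACkbmbqtkqvv.sys), and UACwmbwwkmpmu.dll hosted by both svchost.exe and explorer.exe. The Hidden Code entries (hooked IRP dispatch routines) are deliberately not summarised; they are worth reading in the raw report, but the hidden service and driver names are the concrete objects that the removal work needs.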


#8 Woozlez
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:09:52 PM

Posted 14 October 2009 - 05:30 PM

If I can figure out how to delete all UAC-involved files included in my last post, I can most likely run mbam.exe and get rid of the rest as stated in the post.

But because I cannot wipe/delete any stealth objects or hidden services, I am in quite a predicament.



Also, I am suspending all processes with PID 1160, 1908, 2432, and 2408.

Edit: Of course because process with PID 2432 is explorer.exe, there is nothing I can do about it.


Thank you so much for reading all of that garmanma, you're a life-saver (Or a computer-saver)



Edit 2: Turns out suspending those processes wasn't a good idea; it made Windows unable to shut down, and when it restarted it ran Check Disk.

Also the virus won't let me start an AVG scan.



Edit 3: I was actually able to navigate to system32 and delete all UAC and geyekr related files YAY! (Didn't really at this point, see Edit 5)

Edit 4: Oh, also, rundll32.exe has been running random dlls like nnopmm.dll

Edit 5: Following the picture in the CLB driver removal walkthrough I was able to delete all UAC and geyekr related files.

Edit 6: After removal of those files, when I tried to install mbam-setup.exe (Renamed to hopefullythisworks.exe during internet explorer download), the virus actually found a way to delete mbam.exe inside the installer file. This absolutely blows.

Edited by Woozlez, 14 October 2009 - 06:48 PM.


#9 garmanma

    Computer Masochist

  • Staff Emeritus
  • 27,809 posts
  • OFFLINE
  • Location:Cleveland, Ohio
  • Local time:10:52 PM

Posted 14 October 2009 - 07:26 PM

All I can suggest to you is to submit a DDS / HJT log



Please read the pinned topic titled "Preparation Guide For Use Before Posting A Hijackthis Log". If you cannot complete a step, then skip it and continue with the next. In Step 6 there are instructions for downloading and running DDS which will create a Pseudo HJT Report as part of its log.

There will also be instructions to create a Root Repeal Log

When you have done that, post your log in the HijackThis Logs and Malware Removal forum, NOT here, for assistance by the HJT Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the HJT Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

The HJT team is very busy and it will take a while to get to your post.
Please be patient and good luck
Mark

#10 Woozlez
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:09:52 PM

Posted 15 October 2009 - 04:46 PM

DDS crashed... RootRepeal would have crashed if I hadn't stopped the files scan so it only has hiberfil.sys for that portion.

List of visible antivirus viruses I've had:

Antivirus Pro 2010
Protection System
Security Center
And Now System Tool which I am about to delete so I don't have to mess with it later (I know it can be found sometimes in system32 if it is stubborn as with protection system)

Posted a topic and told them to look at this topic for any and all possible extra info http://www.bleepingcomputer.com/forums/t/264638/damned-clb-drivers/

Edited by Woozlez, 15 October 2009 - 04:54 PM.


#11 Orange Blossom

    OBleepin Investigator

  • Moderator
  • 36,805 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:10:52 PM

Posted 23 October 2009 - 08:43 PM

Hello,

Now that you have posted a log here: http://www.bleepingcomputer.com/forums/t/264638/damned-clb-drivers/ you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a HJT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

Please be patient. It may take several days, up to two weeks from posting date perhaps less, to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript



