SCSI drv virus persisted after combofix and mbam cleaning


No replies to this topic

#1 hanfeng

  • Members
  • 2 posts

Posted 21 October 2009 - 01:08 AM

Hello!

Since my Windows XP Pro boots slowly, I tried to clean my computer of viruses and trojans. I came across your board and found very helpful suggestions. I have downloaded combofix and mbam and had them scan and clean my computer. There were quite a number of deletes.

However, the problem persists, or is even worse: now the names in services.msc are changed, e.g. "Cryptographic Service" to "CryptSvc", etc. And those services that I intentionally set to "Disable" were running again with the permission changed to either "Automatic" or "Manual"; they are: Cryptographic Service, Error Reporting Service, Help and Support, Secondary Logon, Task Scheduler. A few weird names show up, e.g. zrrrn...

I was able to notice that a ghostly driver file always shows up in "ntbtlog.txt" during the boot, but is gone after boot, e.g. "Loaded driver \SystemRoot\System32\Drivers\abuqheog.SYS", yet it is not there when I look for it using explorer.exe. rootrepeal does report it as hidden.

After each boot, either in Safe Mode or normal mode, the system reports a new unknown device found. Later on, it says it found a CDRom device and installs it automatically. The device profile reports a UK3386L 00T011W SCSI CdRom Device. When I searched for UK3386 in regedit, I was able to trace it to the driver with the name of the ghost driver file found earlier in ntbtlog.txt, e.g. abuqheog.SYS.

There are other symptoms: system restore fails, reporting something like "cannot create a restore point, try again after rebooting.", explorer.exe restarts itself once in a while, component services (comuid.dll) are not accessible ... Maybe they are caused by more than one virus.

I suspect the solution is to stop the ghostly SCSI CDROM device from installing itself very early in the boot sequence. I have no idea how to do that. Some help would be greatly appreciated!

Hanfeng

Edited by hanfeng, 21 October 2009 - 02:22 AM.
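The symptom described in the post above, a driver that ntbtlog.txt reports as loaded but that cannot be found on disk, can be triaged mechanically. The following is an added example, not code from the poster or from any of the tools mentioned: it parses the "Loaded driver" lines of a boot log, normalises the \SystemRoot and drive-less paths the log uses, and reports entries that are missing from a directory listing. The boot-log fragment and the listing are constructed sample data; the system root is assumed to be C:\WINDOWS.

```python
import re

# ntbtlog.txt lines look like "Loaded driver \SystemRoot\System32\Drivers\foo.SYS"
# or "Did not load driver ..."; only the "Loaded" entries matter for this check.
LINE_RE = re.compile(r"^(Loaded driver|Did not load driver)\s+(\S.*?)\s*$", re.IGNORECASE)

def parse_ntbtlog(text: str) -> list[tuple[bool, str]]:
    """Return (was_loaded, path) for every driver line in a boot log."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m.group(1).lower() == "loaded driver", m.group(2)))
    return entries

def normalize(path: str, system_root: str = r"C:\WINDOWS") -> str:
    """Map SystemRoot-relative and drive-less boot-log paths to one lowercase form."""
    p = path.replace("/", "\\")
    if p.lower().startswith("\\systemroot\\"):
        p = system_root + p[len("\\SystemRoot"):]
    elif p.startswith("\\"):
        p = system_root[:2] + p        # boot log omits the system drive letter
    elif not re.match(r"^[a-zA-Z]:\\", p):
        p = system_root + "\\" + p     # bare name: relative to the system root
    return p.lower()

def find_ghost_drivers(log_text: str, present_files: list[str],
                       system_root: str = r"C:\WINDOWS") -> list[str]:
    """Paths the boot log says were loaded but that are absent from the listing.
    Take the listing from an offline boot: on the running system a rootkit can
    filter directory listings, which is exactly why the file looks 'gone'."""
    present = {normalize(f, system_root) for f in present_files}
    return sorted({path for loaded, path in parse_ntbtlog(log_text)
                   if loaded and normalize(path, system_root) not in present})

# Constructed sample: a boot-log fragment and a directory listing, both made up here.
SAMPLE_LOG = r"""Service Pack 3 10 21 2009 01:05:12.250
Loaded driver \WINDOWS\system32\ntoskrnl.exe
Loaded driver \SystemRoot\System32\Drivers\Fastfat.SYS
Loaded driver \SystemRoot\System32\Drivers\abuqheog.SYS
Did not load driver \SystemRoot\System32\Drivers\Sfloppy.SYS
"""
SAMPLE_LISTING = [r"C:\WINDOWS\system32\ntoskrnl.exe",
                  r"C:\WINDOWS\System32\Drivers\Fastfat.SYS",
                  r"C:\WINDOWS\System32\Drivers\Sfloppy.SYS"]

if __name__ == "__main__":
    for ghost in find_ghost_drivers(SAMPLE_LOG, SAMPLE_LISTING):
        print("loaded at boot but absent from disk listing:", ghost)
```

A hit from this check only says the file is not visible in the listing; rootrepeal-style comparison of the raw disk against the API view is what confirms that it is being hidden rather than genuinely deleted after boot.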

