
Posts posted by namsilat
The past variants of this TDSS rootkit were controlled by .sys files in C:\WINDOWS\system32\drivers (geyekrxxxx.sys).
Did you run MBAM?
MBAM detected nothing. Avast and AVG Free also found nothing. I read somewhere AVG rootkit was able to detect some of the files. Does anybody have the paid version to confirm this?
-
A few registry entries under HKLM, as you see above. There's also an entry called "SAM", which was marked red by GMER. When I tried to delete them, an error popped up and I was unable to. The same problem happened when I tried to delete them in Safe Mode. Any idea how to delete these registry keys?
-
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\ControlSet001\Services\geyekrdqboulhh@start 1
Reg HKLM\SYSTEM\ControlSet001\Services\geyekrdqboulhh@type 1
Reg HKLM\SYSTEM\ControlSet001\Services\geyekrdqboulhh@group file system
Reg HKLM\SYSTEM\ControlSet001\Services\geyekrdqboulhh@imagepath \systemroot\system32\drivers\geyekracsmpyvt.sys
Reg HKLM\SYSTEM\ControlSet001\Services\geyekrdqboulhh\main
Reg HKLM\SYSTEM\ControlSet001\Services\geyekrdqboulhh\main@aid 10099
Reg HKLM\SYSTEM\ControlSet001\Services\geyekrdqboulhh\main@sid 0
Reg HKLM\SYSTEM\ControlSet001\Services\geyekrdqboulhh\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet001\Services\geyekrdqboulhh\main\delete
Reg HKLM\SYSTEM\ControlSet001\Services\geyekrdqboulhh\main\injector
Reg HKLM\SYSTEM\ControlSet001\Services\geyekrdqboulhh\main\injector@* geyekrwsp.dll
Reg HKLM\SYSTEM\ControlSet001\Services\geyekrdqboulhh\main\tasks
Reg HKLM\SYSTEM\ControlSet001\Services\geyekrdqboulhh\modules
Reg HKLM\SYSTEM\ControlSet001\Services\geyekrdqboulhh\modules@geyekrrk.sys \systemroot\system32\drivers\geyekracsmpyvt.sys
Reg HKLM\SYSTEM\ControlSet001\Services\geyekrdqboulhh\modules@geyekrcmd.dll \systemroot\system32\geyekrrnsqomup.dll
Reg HKLM\SYSTEM\ControlSet001\Services\geyekrdqboulhh\modules@geyekrlog.dat \systemroot\system32\geyekrwgdeborr.dat
Reg HKLM\SYSTEM\ControlSet001\Services\geyekrdqboulhh\modules@geyekrwsp.dll \systemroot\system32\geyekrvpkyiwrq.dll
Reg HKLM\SYSTEM\ControlSet001\Services\geyekrdqboulhh\modules@geyekr.dat \systemroot\system32\geyekrwinijwbq.dat
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\multimedia\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x47 0x4C 0xDF 0xA9 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x25 0xBF 0x6A 0x18 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xF3 0xC7 0xC9 0x2A ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\multimedia\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x47 0x4C 0xDF 0xA9 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x25 0xBF 0x6A 0x18 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xF3 0xC7 0xC9 0x2A ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\multimedia\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x47 0x4C 0xDF 0xA9 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x25 0xBF 0x6A 0x18 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xF3 0xC7 0xC9 0x2A ...
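The GMER lines above are a complete persistence record if you read them as a service definition rather than a list of keys: the service key name, its start/type/group, the driver ImagePath, and a "modules" map from the rootkit's fixed logical names to the randomised file names actually on disk. The following is an added example (not code from the thread or from GMER) that parses those lines into that structure and rewrites each \systemroot path to where the same file sits once the infected disk is slaved into a clean machine, which is the cleanup route the later post describes. The mount letter E: and the WINDOWS directory name are assumptions; the input is a constructed subset of the log quoted above.

```python
"""Turn GMER 'Reg HKLM\\SYSTEM\\...\\Services\\...' lines into a per-service map.

Added example, not from the original thread or from GMER. Collects each
service's start/type/group, ImagePath and 'modules' map (logical module name
-> real randomised file name) and maps \\systemroot paths to a slaved disk.
Assumptions: the slaved disk is mounted as E: and the Windows dir is WINDOWS.
"""
import re
from collections import defaultdict

# Constructed input: a subset of the GMER output quoted in the post above.
GMER_LOG = r"""
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\ControlSet001\Services\geyekrdqboulhh@start 1
Reg HKLM\SYSTEM\ControlSet001\Services\geyekrdqboulhh@type 1
Reg HKLM\SYSTEM\ControlSet001\Services\geyekrdqboulhh@group file system
Reg HKLM\SYSTEM\ControlSet001\Services\geyekrdqboulhh@imagepath \systemroot\system32\drivers\geyekracsmpyvt.sys
Reg HKLM\SYSTEM\ControlSet001\Services\geyekrdqboulhh\main
Reg HKLM\SYSTEM\ControlSet001\Services\geyekrdqboulhh\main@aid 10099
Reg HKLM\SYSTEM\ControlSet001\Services\geyekrdqboulhh\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet001\Services\geyekrdqboulhh\main\injector@* geyekrwsp.dll
Reg HKLM\SYSTEM\ControlSet001\Services\geyekrdqboulhh\modules@geyekrrk.sys \systemroot\system32\drivers\geyekracsmpyvt.sys
Reg HKLM\SYSTEM\ControlSet001\Services\geyekrdqboulhh\modules@geyekrcmd.dll \systemroot\system32\geyekrrnsqomup.dll
Reg HKLM\SYSTEM\ControlSet001\Services\geyekrdqboulhh\modules@geyekrlog.dat \systemroot\system32\geyekrwgdeborr.dat
Reg HKLM\SYSTEM\ControlSet001\Services\geyekrdqboulhh\modules@geyekrwsp.dll \systemroot\system32\geyekrvpkyiwrq.dll
Reg HKLM\SYSTEM\ControlSet001\Services\geyekrdqboulhh\modules@geyekr.dat \systemroot\system32\geyekrwinijwbq.dat
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\multimedia\DAEMON Tools Lite\
"""

# Reg HKLM\SYSTEM\<ControlSet>\Services\<svc>[\subkey...][@valuename [data]]
LINE_RE = re.compile(
    r"^Reg\s+HKLM\\SYSTEM\\(ControlSet\d+|CurrentControlSet)\\Services\\"
    r"([^\\@\s]+)"             # service key name
    r"((?:\\[^\\@\s]+)*)"      # optional subkey path under the service
    r"(?:@(\S+)(?:\s+(.*))?)?$",  # optional value name and data
    re.IGNORECASE,
)

# Service 'start' and 'type' values as the SCM defines them.
START_TYPES = {"0": "BOOT_START", "1": "SYSTEM_START", "2": "AUTO_START",
               "3": "DEMAND_START", "4": "DISABLED"}
SERVICE_TYPES = {"1": "KERNEL_DRIVER", "2": "FILE_SYSTEM_DRIVER",
                 "16": "WIN32_OWN_PROCESS", "32": "WIN32_SHARE_PROCESS"}


def parse_gmer_registry(text):
    """Group the Services lines by service key name."""
    services = defaultdict(lambda: {"control_sets": set(), "subkeys": set(),
                                    "values": {}, "modules": {}})
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                       # section headers, non-Services keys
        cset, svc, subkey, vname, vdata = m.groups()
        rec = services[svc]
        rec["control_sets"].add(cset)
        subkey = subkey.strip("\\")
        if subkey:
            rec["subkeys"].add(subkey)
        if vname is None:
            continue                       # bare key line, no value on it
        vdata = (vdata or "").strip()
        if subkey.lower() == "modules":
            rec["modules"][vname] = vdata  # logical name -> real file on disk
        else:
            key = f"{subkey}@{vname}" if subkey else vname
            rec["values"][key.lower()] = vdata
    return dict(services)


def to_offline_path(nt_path, mount="E:", windir="WINDOWS"):
    """Map an ImagePath/module path to its location on the slaved disk.

    Accepts the forms the driver loader accepts: \\SystemRoot\\..., %SystemRoot%\\...,
    \\??\\C:\\..., a drive-absolute path, or a path relative to the Windows dir.
    Anything else is returned unchanged so the analyst sees it.
    """
    p = nt_path.strip().strip('"')
    low = p.lower()
    for prefix in ("\\systemroot\\", "%systemroot%\\"):
        if low.startswith(prefix):
            return f"{mount}\\{windir}\\{p[len(prefix):]}"
    if re.match(r"^\\\?\?\\[a-z]:\\", low):
        return mount + p[6:]
    if re.match(r"^[a-z]:\\", low):
        return mount + p[2:]
    if not p.startswith("\\"):
        return f"{mount}\\{windir}\\{p}"
    return p


def describe_service(rec, mount="E:", windir="WINDOWS"):
    """Decode start/type and list every file the service references, offline."""
    vals = rec["values"]
    files = {}
    if "imagepath" in vals:
        files["imagepath"] = to_offline_path(vals["imagepath"], mount, windir)
    for logical, path in rec["modules"].items():
        files[logical] = to_offline_path(path, mount, windir)
    return {"start": START_TYPES.get(vals.get("start"), vals.get("start")),
            "type": SERVICE_TYPES.get(vals.get("type"), vals.get("type")),
            "group": vals.get("group"),
            "files": files,
            "unique_paths": sorted(set(files.values()))}


if __name__ == "__main__":
    for name, rec in parse_gmer_registry(GMER_LOG).items():
        d = describe_service(rec)
        print(f"{name}: start={d['start']} type={d['type']} group={d['group']}")
        for logical, path in d["files"].items():
            print(f"    {logical:>16} -> {path}")
```

For the geyekr service this yields start=SYSTEM_START, type=KERNEL_DRIVER, group "file system" (so it loads with the file-system drivers) and five distinct files to look for on the slaved disk; the modules map is also why name-based removal is fragile, since the logical names stay fixed while the on-disk names are randomised per install. The sptd service is kept as a separate record so the analyst can judge it on its own; its Cfg values point at the DAEMON Tools Lite install path shown in the log.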
-
Since these trojan/virus files are hidden, I had another idea. I took the boot drive that was infected and plugged it into another machine as a slave drive. I could now see some of the trojan files; the filenames all start with "geyekr" and have the extension DLL or DAT. I deleted about 6 of them and put the drive back into the original machine, and found these positive changes:
(1) I no longer have a problem with ImgBurn; it now recognizes the drive as a burner.
(2) Disk Management previously showed a blank main window, with none of the hard drives listed. The DVD burner was shown as "CDROM0" in the lower left corner. After the cleanup, Disk Management displays all the drives properly.
BUT my system is not problem free, and I believe deleting the files was not sufficient:
(1) The DVD burner is still listed as "CDROM" under My Computer. I put a blank DVD+R into the drive, then explored the drive. It opened and showed a blank screen. Under normal operation, clicking the drive should return an error saying something to the effect that the drive or the medium is not accessible.
(2) Using Radix, under IRP scan, I could see a spxx.sys file still hooking a lot of drivers, where "xx" are random letters (for example, splu.sys). Each time I boot up, it's a different spxx.sys name. There's another program somewhere that's generating this file.
(3) Under Radix and SDT scan, ZwEnumerateKey, ZwEnumerateValueKey and ZwQueryKey are shown in red and hooked by this spxx.sys file.
Now I need some more help to search for and destroy whichever file is generating the spxx.sys.
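What the poster did by hand, slaving the disk and comparing what it shows against what the running system shows, is the cross-view technique anti-rootkit tools automate: a file or key that exists when the disk is read from a clean machine but is missing from the live view is being hidden. The hooks reported on ZwEnumerateKey, ZwEnumerateValueKey and ZwQueryKey are the registry half of the same trick, filtering keys out of enumeration. The following is an added example (not code from the thread or from Radix/GMER) that runs that comparison over a directory listing and over Services key names, then maps each hidden file to the service that references it, so files nothing accounts for stand out. All listings are constructed from names in the thread and are labelled as such in the code.

```python
"""Cross-view check: live, hooked system vs. the same disk read from a clean machine.

Added example, not code from the original thread or from any tool named in
it.  Items present in the offline view but absent from the live view are
being hidden; hidden files are then attributed to the services (from the
offline hive) whose ImagePath/modules reference them.  Every listing here
is constructed from names that appear in the thread.
"""
import re

# Constructed: system32 listing taken on the live, infected system.
LIVE_SYSTEM32 = ["ntoskrnl.exe", "kernel32.dll",
                 "drivers\\atapi.sys", "drivers\\disk.sys"]
# Constructed: the same directories read from the disk slaved into a clean machine.
OFFLINE_SYSTEM32 = LIVE_SYSTEM32 + [
    "drivers\\geyekracsmpyvt.sys", "geyekrrnsqomup.dll", "geyekrwgdeborr.dat",
    "geyekrvpkyiwrq.dll", "geyekrwinijwbq.dat", "drivers\\splu.sys",
]
# Constructed: Services key names enumerated live vs. listed from the offline hive.
LIVE_SERVICES = ["atapi", "Disk", "sptd"]
OFFLINE_SERVICES = ["atapi", "Disk", "sptd", "geyekrdqboulhh"]
# Constructed from the GMER lines in the thread: files each offline service points at.
SERVICE_FILES = {
    "geyekrdqboulhh": ["drivers\\geyekracsmpyvt.sys", "geyekrrnsqomup.dll",
                       "geyekrwgdeborr.dat", "geyekrvpkyiwrq.dll",
                       "geyekrwinijwbq.dat"],
}
# Naming patterns the poster reported: a fixed prefix followed by random letters.
NAME_PATTERNS = {
    "geyekr-family": re.compile(r"^geyekr[a-z]+\.(sys|dll|dat)$", re.I),
    "sp??.sys":      re.compile(r"^sp[a-z]{2}\.sys$", re.I),
}


def hidden_items(live, offline):
    """Entries present offline but missing live.  NTFS and the registry are
    case-insensitive, so the comparison is case-folded."""
    seen = {x.lower() for x in live}
    return sorted((x for x in offline if x.lower() not in seen), key=str.lower)


def classify_name(path):
    """Labels of the reported naming patterns that the basename matches."""
    base = path.rsplit("\\", 1)[-1]
    return [label for label, rx in NAME_PATTERNS.items() if rx.match(base)]


def owners_of(path, service_files):
    """Services whose ImagePath/modules reference this file (case-folded)."""
    want = path.lower()
    return sorted(svc for svc, files in service_files.items()
                  if want in {f.lower() for f in files})


def cross_view_report(live_files, offline_files, live_services,
                      offline_services, service_files):
    """Hidden services plus, for each hidden file, its name pattern and owners."""
    report = {"hidden_files": {},
              "hidden_services": hidden_items(live_services, offline_services)}
    for path in hidden_items(live_files, offline_files):
        report["hidden_files"][path] = {
            "patterns": classify_name(path),
            "owners": owners_of(path, service_files),
        }
    return report


def unowned_hidden(report):
    """Hidden files no known service accounts for: the candidates for
    'something else is generating this', which is the poster's open question."""
    return [p for p, info in report["hidden_files"].items() if not info["owners"]]


if __name__ == "__main__":
    rep = cross_view_report(LIVE_SYSTEM32, OFFLINE_SYSTEM32,
                            LIVE_SERVICES, OFFLINE_SERVICES, SERVICE_FILES)
    print("services hidden from live enumeration:", rep["hidden_services"])
    for path, info in rep["hidden_files"].items():
        print(f"{path:32} patterns={info['patterns']} owners={info['owners']}")
    print("hidden with no known owner:", unowned_hidden(rep))
```

Two caveats when doing this for real: take the two views as close together in time as possible, since anything legitimately created or deleted between them also shows up as a difference; and because the file names here are randomised per boot or per install, attribute by owner service or file hash rather than by a name list, which is why the report keys on owners rather than on the patterns alone.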
-
Hi there,
I checked your link and none of them worked. GMER did not show anything red on the initial quick scan, nor did two other programs. I did a full scan with GMER and found a bunch of library entries with reference to "geyekrvpkyiwrq.dll". I also found a file spxx.sys that's very questionable; a few variations so far are splu.sys, sppk.sys, spvt.sys. None of the files are visible; to no surprise, they are hidden. The question is how to reveal them and hopefully delete them.
Maximum number of secrets that may be stored in a single system has been exceeded
in ImgBurn Support
For those of you still having problems, go to Norton's forum and search "geyekr"; there are a whole bunch of posts on this. This guru QUADS there has been providing suggestions to fix the problem. All the files detected so far are simply the "result" of some boss file hiding in the background, so even if you can identify them and remove them, it doesn't help the situation.