Fred Salter Posted July 7, 2009
I've been working through getting rid of some malware and virus problems on my computer and I think I've got them all cleared out, but now I can't burn to CDs. I can't use ImgBurn, Nero or Winamp. I did get this strange message from ImgBurn but don't know what it means. Any ideas??? This is what happens when I start up.
Fred

I 14:58:29 ImgBurn Version 2.4.4.0 started!
I 14:58:29 Microsoft Windows XP Professional (5.1, Build 2600 : Service Pack 3)
I 14:58:29 Total Physical Memory: 3,668,396 KB - Available: 2,821,672 KB
W 14:58:29 AnyDVD can interfere with ImgBurn's ability to verify accurately, please ensure it's disabled!
I 14:58:29 Initialising SPTI...
I 14:58:29 Searching for SCSI / ATAPI devices...
E 14:58:31 CreateFile Failed! - Device: '\\.\CdRom0' (I:)
E 14:58:31 Reason: The maximum number of secrets that may be stored in a single system has been exceeded.
E 14:58:34 CreateFile Failed! - Device: '\\.\CdRom1' (H:)
E 14:58:34 Reason: The maximum number of secrets that may be stored in a single system has been exceeded.
E 14:58:37 CreateFile Failed! - Device: '\\.\CdRom2' (D:)
E 14:58:37 Reason: The maximum number of secrets that may be stored in a single system has been exceeded.
E 14:58:39 CreateFile Failed! - Device: '\\.\CdRom6' (N:)
E 14:58:39 Reason: The maximum number of secrets that may be stored in a single system has been exceeded.
E 14:58:42 CreateFile Failed! - Device: '\\.\CdRom8' (P:)
E 14:58:42 Reason: The maximum number of secrets that may be stored in a single system has been exceeded.
W 14:58:42 Errors were encountered when trying to access 5 drives.
W 14:58:42 These drives will not be visible in the program.
W 14:58:42 No devices detected!
volvofl10 Posted July 7, 2009
You still have a virus problem. It is a known issue, although NOT ImgBurn's fault; check this search results link out for the resolve: http://forum.imgburn.com/index.php?act=Sea...mber+%2Bsecrets
mmalves Posted July 7, 2009
Apparently most people can't tell a pink banner at the top of every page from the rest of the forum's layout.
LIGHTNING UK! Posted July 7, 2009
Read -> http://forum.imgburn.com/index.php?showtopic=10650
namsilat Posted July 21, 2009
Hi there, I checked your link and none of them worked. GMER did not show anything red on the initial quick scan, nor did two other programs. I did a full scan with GMER, and found a bunch of library entries with reference to "geyekrvpkyiwrq.dll". I also found a file spxx.sys that's very questionable; a few variations so far are splu.sys, sppk.sys, spvt.sys. None of the files are visible; to no surprise, they're hidden. The question is how to reveal them and hopefully delete them.
chewy Posted July 21, 2009
Just ran into this new variant of the rootkit yesterday afternoon. It's hooking a lot of processes; it will probably take some time for any self-help tool to be updated to deal with this.

Thread System [4:320] 856E4790

---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\systemroot\system32\geyekrymrmpjen.dll (*** hidden *** ) @ C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe [148] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrymrmpjen.dll (*** hidden *** ) @ C:\Program Files\Java\jre6\bin\jqs.exe [224] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrymrmpjen.dll (*** hidden *** ) @ C:\Program Files\Common Files\LightScribe\LSSrvc.exe [388] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrymrmpjen.dll (*** hidden *** ) @ C:\WINDOWS\system32\winlogon.exe [564] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrymrmpjen.dll (*** hidden *** ) @ C:\WINDOWS\system32\services.exe [612] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrymrmpjen.dll (*** hidden *** ) @ C:\WINDOWS\system32\savedump.exe [624] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrymrmpjen.dll (*** hidden *** ) @ C:\WINDOWS\system32\lsass.exe [632] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrymrmpjen.dll (*** hidden *** ) @ C:\WINDOWS\system32\Ati2evxx.exe [796] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrymrmpjen.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [928] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrymrmpjen.dll (*** hidden *** ) @ C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE [1016] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrymrmpjen.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1024] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrymrmpjen.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1132] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrymrmpjen.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1200] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrymrmpjen.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1336] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrymrmpjen.dll (*** hidden *** ) @ C:\WINDOWS\system32\Ati2evxx.exe [1356] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrymrmpjen.dll (*** hidden *** ) @ C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe [1396] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrymrmpjen.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [1424] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrymrmpjen.dll (*** hidden *** ) @ C:\WINDOWS\system32\spoolsv.exe [1648] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrymrmpjen.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1820] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrymrmpjen.dll (*** hidden *** ) @ C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe [1856] 0x00940000
Library \\?\globalroot\systemroot\system32\geyekrymrmpjen.dll (*** hidden *** ) @ C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe [1872] 0x00390000
Library \\?\globalroot\systemroot\system32\geyekrymrmpjen.dll (*** hidden *** ) @ C:\Program Files\Cobian Backup 8\cbService.exe [1896] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrymrmpjen.dll (*** hidden *** ) @ C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe [1944] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrymrmpjen.dll (*** hidden *** ) @ C:\WINDOWS\eHome\ehRecvr.exe [2000] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrymrmpjen.dll (*** hidden *** ) @ C:\WINDOWS\eHome\ehSched.exe [2024] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrymrmpjen.dll (*** hidden *** ) @ C:\WINDOWS\system32\wbem\wmiprvse.exe [2256] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrymrmpjen.dll (*** hidden *** ) @ C:\WINDOWS\system32\dllhost.exe [2596] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrymrmpjen.dll (*** hidden *** ) @ C:\WINDOWS\system32\wbem\wmiprvse.exe [2724] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrymrmpjen.dll (*** hidden *** ) @ C:\Documents and Settings\HP_Administrator\Desktop\l2bt81rg.exe [2824] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrymrmpjen.dll (*** hidden *** ) @ C:\WINDOWS\System32\alg.exe [3036] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrymrmpjen.dll (*** hidden *** ) @ C:\WINDOWS\ehome\ehtray.exe [3240] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrymrmpjen.dll (*** hidden *** ) @ C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe [3268] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrymrmpjen.dll (*** hidden *** ) @ C:\Program Files\HP\HP Software Update\HPwuSchd2.exe [3312] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrymrmpjen.dll (*** hidden *** ) @ C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe [3320] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrymrmpjen.dll (*** hidden *** ) @ C:\Program Files\Pure Networks\Network Magic\nmapp.exe [3328] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrymrmpjen.dll (*** hidden *** ) @ C:\Program Files\Common Files\AOL\1240190955\ee\AOLSoftware.exe [3340] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrymrmpjen.dll (*** hidden *** ) @ C:\Program Files\Common Files\AOL\ACS\AOLDial.exe [3356] 0x00AF0000
Library \\?\globalroot\systemroot\system32\geyekrymrmpjen.dll (*** hidden *** ) @ C:\Program Files\Microsoft IntelliPoint\ipoint.exe [3376] 0x003E0000
Library \\?\globalroot\systemroot\system32\geyekrymrmpjen.dll (*** hidden *** ) @ C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe [3392] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrymrmpjen.dll (*** hidden *** ) @ C:\Program Files\Java\jre6\bin\jusched.exe [3440] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrymrmpjen.dll (*** hidden *** ) @ C:\Program Files\Cobian Backup 8\cbInterface.exe [3464] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrymrmpjen.dll (*** hidden *** ) @ C:\WINDOWS\system32\ctfmon.exe [3508] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrymrmpjen.dll (*** hidden *** ) @ C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [3520] 0x04C60000
Library \\?\globalroot\systemroot\system32\geyekrymrmpjen.dll (*** hidden *** ) @ C:\WINDOWS\system32\wuauclt.exe [3608] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrymrmpjen.dll (*** hidden *** ) @ C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [3612] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrymrmpjen.dll (*** hidden *** ) @ C:\WINDOWS\eHome\ehmsas.exe [3652] 0x10000000
Library \\?\globalroot\systemroot\system32\geyekrymrmpjen.dll (*** hidden *** ) @ C:\WINDOWS\system32\wscntfy.exe [3828] 0x10000000

I would just reload.
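As an added example (not code from this thread or from GMER), the following Python script turns a GMER "Processes" listing like chewy's into a per-module summary: which module GMER flagged as hidden, how many processes it was loaded in, and which core system processes are among them. It scans a whole block of text rather than line by line, because forum extraction runs the entries together on one line as seen above. The sample input is a constructed excerpt of chewy's entries plus one invented benign entry (kernel32.dll in ctfmon.exe) that is not from the thread; the `CORE_PROCESSES` set and the function names are my own choices.

```python
"""Summarise GMER "Library ... (*** hidden ***)" entries per injected module.

Added example for this thread; not GMER's code. Works on a block of text so
it copes with entries run together on one line as well as one per line.
"""
import re
from collections import defaultdict

# Constructed sample: entries copied from the thread, run together the way the
# forum extraction presents them, plus one invented benign entry (kernel32.dll
# in ctfmon.exe) that is NOT from the thread, to show the hidden-flag filter.
SAMPLE_GMER = (
    r"---- Processes - GMER 1.0.15 ---- "
    r"Library \\?\globalroot\systemroot\system32\geyekrymrmpjen.dll (*** hidden *** ) "
    r"@ C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe [148] 0x10000000 "
    r"Library \\?\globalroot\systemroot\system32\geyekrymrmpjen.dll (*** hidden *** ) "
    r"@ C:\WINDOWS\system32\winlogon.exe [564] 0x10000000 "
    r"Library \\?\globalroot\systemroot\system32\geyekrymrmpjen.dll (*** hidden *** ) "
    r"@ C:\WINDOWS\system32\lsass.exe [632] 0x10000000 "
    r"Library \\?\globalroot\systemroot\system32\geyekrymrmpjen.dll (*** hidden *** ) "
    r"@ C:\WINDOWS\system32\svchost.exe [928] 0x10000000 "
    r"Library \\?\globalroot\systemroot\system32\geyekrymrmpjen.dll (*** hidden *** ) "
    r"@ C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [3520] 0x04C60000 "
    r"Library \\?\globalroot\systemroot\system32\geyekrymrmpjen.dll (*** hidden *** ) "
    r"@ C:\WINDOWS\system32\wscntfy.exe [3828] 0x10000000 "
    r"Library C:\WINDOWS\system32\kernel32.dll @ C:\WINDOWS\system32\ctfmon.exe [3508] 0x7C800000"
)

ENTRY_RE = re.compile(
    r"Library\s+(?P<module>.+?)\s+"            # module path (may contain spaces)
    r"(?:\((?P<flags>[^)]*)\)\s+)?"             # optional GMER annotation, e.g. "*** hidden *** "
    r"@\s+(?P<process>.+?)\s+"                  # host process path (may contain spaces)
    r"\[(?P<pid>\d+)\]\s+(?P<base>0x[0-9A-Fa-f]+)"
)


def parse_entries(text):
    """One dict per Library entry: module, flags, process, pid, base."""
    return [m.groupdict() for m in ENTRY_RE.finditer(text)]


def hidden_modules(entries):
    """Map each module GMER flagged as hidden to the (process, pid) pairs it sits in."""
    by_module = defaultdict(list)
    for e in entries:
        if "hidden" in (e["flags"] or ""):
            module = e["module"].rsplit("\\", 1)[-1].lower()
            process = e["process"].rsplit("\\", 1)[-1]
            by_module[module].append((process, int(e["pid"])))
    return dict(by_module)


# Processes whose compromise means the live system can no longer be trusted to
# report on itself: logon, service control, LSA, service hosts, the shell.
CORE_PROCESSES = {"winlogon.exe", "services.exe", "lsass.exe", "svchost.exe", "explorer.exe"}


def core_process_hits(summary):
    """For each hidden module, the core system processes it was found in (sorted)."""
    return {
        module: sorted((p, pid) for p, pid in hosts if p.lower() in CORE_PROCESSES)
        for module, hosts in summary.items()
    }


def report(text):
    """Short text summary of the kind one would paste back into a thread like this."""
    summary = hidden_modules(parse_entries(text))
    hits = core_process_hits(summary)
    lines = []
    for module, hosts in summary.items():
        lines.append(f"{module}: hidden in {len(hosts)} processes")
        for p, pid in hits[module]:
            lines.append(f"  core process: {p} [{pid}]")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_GMER))
```

The summary makes the defender's point in the thread concrete: one module with a `\\?\globalroot` path, flagged hidden, loaded at the same base in winlogon, lsass, the service hosts and the security products themselves (ekrn.exe, SUPERAntiSpyware). A system in that state cannot be trusted to scan itself, which is consistent with LIGHTNING UK!'s remark that tools cannot even open the drives and with the offline approaches (the disk in another machine, a boot CD) being the ones that produced results here.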
namsilat Posted July 22, 2009
Since these trojan/virus files are hidden, I had another idea. I took the boot drive that was infected and plugged it into another machine as a slave drive. I could now see some of the trojan files; the filenames all start with "geyekr" with extension DLL or DAT. I deleted about 6 of them and put the drive back in the original machine, and found these positive changes:
(1) I no longer have a problem with ImgBurn; it now recognizes the drive as a burner.
(2) Disk Management previously showed a blank main window, with none of the hard drives listed. The DVD burner was shown as "CDROM0" in the lower left corner. After the clean, Disk Management is displaying all the drives properly.
BUT my system is not problem free, and I believe deleting the files was not sufficient:
(1) The DVD burner is still listed as "CDROM" under My Computer. I put a blank DVD+R into the drive, then explored the drive. It opened and showed a blank screen. Under normal operation, clicking the drive should return an error to say something to the effect that the drive or the medium is not accessible.
(2) Using Radix, under IRP scan, I could see a spxx.sys file still hooking a lot of drivers, where "xx" are random letters (example, splu.sys). Each time I boot up, it's a different spxx.sys name. There's another program somewhere that's generating this file.
(3) Under Radix and SDT scan, ZwEnumerateKey, ZwEnumerateValueKey and ZwQueryKey are shown in red and hooked by this spxx.sys file.
Now I need some more help to search and destroy whichever file is generating the spxx.sys.
LIGHTNING UK! Posted July 22, 2009
That might just be from DAEMON Tools / Alcohol. It certainly sounds like SPTD anyway.
chewy Posted July 22, 2009
The past variants of this TDSS rootkit were controlled by sys files in C:\WINDOWS\system32\drivers: geyekrxxxx.sys
Did you run MBAM?
kevinalsop Posted July 22, 2009
Yeah, there is for sure a new variant to this problem. I had the TDSS rootkit problem about 3 weeks ago, went to the forum here, did just what Lightning UK said to do, and boom - no problem, wiped out the bad .sys file and everything worked perfectly. Today - same problem rose up again (so I thought). Malwarebytes 1.39 found the files, deleted them, but THIS time, made zero difference. Same problem is there, can't get to my burner with Nero, ImgBurn, etc. It's a new, way tougher variation of the rootkit problem everybody is discussing here (maximum number of secrets...etc). Sigh. Have no idea what to do now...
namsilat Posted July 22, 2009

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\geyekrdqboulhh@start 1
Reg HKLM\SYSTEM\ControlSet001\Services\geyekrdqboulhh@type 1
Reg HKLM\SYSTEM\ControlSet001\Services\geyekrdqboulhh@group file system
Reg HKLM\SYSTEM\ControlSet001\Services\geyekrdqboulhh@imagepath \systemroot\system32\drivers\geyekracsmpyvt.sys
Reg HKLM\SYSTEM\ControlSet001\Services\geyekrdqboulhh\main
Reg HKLM\SYSTEM\ControlSet001\Services\geyekrdqboulhh\main@aid 10099
Reg HKLM\SYSTEM\ControlSet001\Services\geyekrdqboulhh\main@sid 0
Reg HKLM\SYSTEM\ControlSet001\Services\geyekrdqboulhh\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet001\Services\geyekrdqboulhh\main\delete
Reg HKLM\SYSTEM\ControlSet001\Services\geyekrdqboulhh\main\injector
Reg HKLM\SYSTEM\ControlSet001\Services\geyekrdqboulhh\main\injector@* geyekrwsp.dll
Reg HKLM\SYSTEM\ControlSet001\Services\geyekrdqboulhh\main\tasks
Reg HKLM\SYSTEM\ControlSet001\Services\geyekrdqboulhh\modules
Reg HKLM\SYSTEM\ControlSet001\Services\geyekrdqboulhh\modules@geyekrrk.sys \systemroot\system32\drivers\geyekracsmpyvt.sys
Reg HKLM\SYSTEM\ControlSet001\Services\geyekrdqboulhh\modules@geyekrcmd.dll \systemroot\system32\geyekrrnsqomup.dll
Reg HKLM\SYSTEM\ControlSet001\Services\geyekrdqboulhh\modules@geyekrlog.dat \systemroot\system32\geyekrwgdeborr.dat
Reg HKLM\SYSTEM\ControlSet001\Services\geyekrdqboulhh\modules@geyekrwsp.dll \systemroot\system32\geyekrvpkyiwrq.dll
Reg HKLM\SYSTEM\ControlSet001\Services\geyekrdqboulhh\modules@geyekr.dat \systemroot\system32\geyekrwinijwbq.dat
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\multimedia\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x47 0x4C 0xDF 0xA9 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x25 0xBF 0x6A 0x18 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xF3 0xC7 0xC9 0x2A ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\multimedia\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x47 0x4C 0xDF 0xA9 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x25 0xBF 0x6A 0x18 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xF3 0xC7 0xC9 0x2A ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\multimedia\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x47 0x4C 0xDF 0xA9 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x25 0xBF 0x6A 0x18 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xF3 0xC7 0xC9 0x2A ...
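As an added example (not code from this thread, from GMER or from any vendor), this Python script regroups a flat GMER registry dump like the one above per service key, so the shape of the rootkit's service becomes visible: the driver in imagepath, the injector target, and the modules mapping from the logical names the rootkit uses to the randomly named files on disk. That mapping is exactly the list of files to look for when the disk is examined from another machine, as namsilat did earlier in the thread. The sample is a constructed excerpt of the posted entries; the sptd key in it is the DAEMON Tools SPTD configuration LIGHTNING UK! pointed at, and it shows up as configuration only. The function names, and the reading of the `*` injector value as "every process", are my assumptions.

```python
"""Rebuild flat GMER "Reg HKLM\\SYSTEM\\...\\Services\\..." lines into a per-service view.

Added example for this thread; not GMER's or any vendor's code. Works whether
the dump has one entry per line or is run together on one line.
"""
import re
from collections import defaultdict

# Constructed sample: a subset of the entries posted in the thread.
SAMPLE_REG = r"""---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\ControlSet001\Services\geyekrdqboulhh@start 1
Reg HKLM\SYSTEM\ControlSet001\Services\geyekrdqboulhh@type 1
Reg HKLM\SYSTEM\ControlSet001\Services\geyekrdqboulhh@imagepath \systemroot\system32\drivers\geyekracsmpyvt.sys
Reg HKLM\SYSTEM\ControlSet001\Services\geyekrdqboulhh\main
Reg HKLM\SYSTEM\ControlSet001\Services\geyekrdqboulhh\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet001\Services\geyekrdqboulhh\main\injector
Reg HKLM\SYSTEM\ControlSet001\Services\geyekrdqboulhh\main\injector@* geyekrwsp.dll
Reg HKLM\SYSTEM\ControlSet001\Services\geyekrdqboulhh\modules
Reg HKLM\SYSTEM\ControlSet001\Services\geyekrdqboulhh\modules@geyekrrk.sys \systemroot\system32\drivers\geyekracsmpyvt.sys
Reg HKLM\SYSTEM\ControlSet001\Services\geyekrdqboulhh\modules@geyekrcmd.dll \systemroot\system32\geyekrrnsqomup.dll
Reg HKLM\SYSTEM\ControlSet001\Services\geyekrdqboulhh\modules@geyekrwsp.dll \systemroot\system32\geyekrvpkyiwrq.dll
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\multimedia\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
"""

# "<path>[@<value name>] [<value>]"; path and value name carry no spaces, the value may.
ENTRY_RE = re.compile(r"^(?P<path>\S+?)(?:@(?P<name>\S+))?(?:\s+(?P<value>.*))?$", re.S)
PATH_RE = re.compile(r"^HKLM\\SYSTEM\\(?P<cset>[^\\]+)\\Services\\(?P<svc>[^\\]+)(?:\\(?P<sub>.+))?$")


def split_entries(text):
    """One chunk per 'Reg HKLM\\...' entry, regardless of line breaks."""
    chunks = re.split(r"(?:^|\s+)Reg\s+(?=HKLM\\)", text)
    return [c.strip() for c in chunks[1:]]      # chunks[0] is the section header


def build_services(text):
    """{(control set, service): {"keys": set of subkeys, "values": {(subkey, name): value}}}"""
    services = defaultdict(lambda: {"keys": set(), "values": {}})
    for chunk in split_entries(text):
        m = ENTRY_RE.match(chunk)
        p = PATH_RE.match(m["path"]) if m else None
        if not p:
            continue                              # not a Services entry
        entry = services[(p["cset"], p["svc"])]
        sub = p["sub"] or ""
        entry["keys"].add(sub)
        if m["name"] is not None:
            entry["values"][(sub, m["name"])] = (m["value"] or "").strip()
    return dict(services)


def describe(entry):
    """The fields that matter for a driver service, pulled out of the flat values."""
    v = entry["values"]
    return {
        "start": v.get(("", "start")),
        "type": v.get(("", "type")),
        "imagepath": v.get(("", "imagepath")),
        # main\injector: value name = target, value = DLL. The "*" name in the dump
        # is read here as "every process" (an assumption, consistent with the GMER
        # process list posted earlier in the thread).
        "injects": {n: val for (sub, n), val in v.items() if sub.lower() == r"main\injector"},
        # modules: logical name used by the rootkit -> randomly named file on disk.
        "modules": {n: val for (sub, n), val in v.items() if sub.lower() == "modules"},
    }


def referenced_files(desc):
    """Sorted, de-duplicated on-disk paths the service key points at."""
    paths = set()
    if desc["imagepath"]:
        paths.add(desc["imagepath"].lower())
    paths.update(p.lower() for p in desc["modules"].values())
    return sorted(paths)


def report(text):
    out = []
    for (cset, svc), entry in sorted(build_services(text).items()):
        d = describe(entry)
        out.append(f"{cset}\\{svc}: start={d['start']} type={d['type']} imagepath={d['imagepath']}")
        for target, dll in d["injects"].items():
            out.append(f"  injects {dll} into {target}")
        for logical, ondisk in d["modules"].items():
            out.append(f"  module {logical} -> {ondisk}")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE_REG))
```

The per-service view separates the two things the thread was conflating: the geyekr service has a driver, an injector and a modules table, while the sptd key holds only DAEMON Tools configuration values, which supports reading the randomly named spxx.sys as SPTD rather than as part of the rootkit. `referenced_files` gives the on-disk names to check from outside the running system; note that the imagepath and the `geyekrrk.sys` module resolve to the same driver file, so the de-duplication matters.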
namsilat Posted July 22, 2009
A few registry entries under HKLM as you see above. There's also an entry called "SAM", which was marked red by GMER. When I tried to delete them, an error popped up and I was unable to. The same problem happened when I tried to delete them under Safe Mode. Any idea how to delete these registry keys?
namsilat Posted July 22, 2009
Quoting chewy: The past variants of this TDSS rootkit were controlled by sys files in C:\WINDOWS\system32\drivers: geyekrxxxx.sys. Did you run MBAM?

MBAM detected nothing. Avast and AVG Free also found nothing. I read somewhere AVG rootkit was able to detect some of the files. Does anybody have the paid version to confirm this?
eSkRo Posted July 22, 2009
Quoting namsilat: A few registry entries under HKLM as you see above. There's also an entry called "SAM", which was marked red by GMER. When I tried to delete them, an error popped up and I was unable to. The same problem happened when I tried to delete them under Safe Mode. Any idea how to delete these registry keys?

You probably can't delete some registry keys because you don't have the correct privileges to do so... Usually you can verify that by right-clicking on the folder and choosing Authorizations....
chewy Posted July 22, 2009
The author of RootRepeal is said to be working on this issue; might see a fix in a few days, but I wouldn't hold my breath. Sophos will see the rootkit files but cannot remove them; the HJT forums are where removal is being referred.
Reload
LIGHTNING UK! Posted July 22, 2009
RootRepeal still crashes instantly on startup with a memory access violation on my PC. Hopefully if I send the author enough crash reports (from each new version), it'll eventually be made to work.
kevinalsop Posted July 22, 2009
Quoting namsilat: MBAM detected nothing. Avast and AVG Free also found nothing. I read somewhere AVG rootkit was able to detect some of the files. Does anybody have the paid version to confirm this?

I have AVG Anti-Virus store-bought. I ran a full scan tonight, with Rootkit scan (you have to tell AVG to do this; it's the only option turned off on the scan that you have to manually tell it to do). Anyway, did a full scan, AVG didn't see anything unfortunately. RootRepeal crashes at startup on my computer also. MAN, I wish I was more computer savvy. I am just about ready to back up all, and then format and begin anew, but seems like such overkill against one virus that "seems" to only want to mess with my burner and nothing else...
Kevin
LIGHTNING UK! Posted July 22, 2009
It's not just your burner, it's blocking physical access to all your drives (or so I believe). That's why most tools can't even scan for the virus; they're unable to 'open' the drive and look at it. Have you tried the Sophos anti-rootkit tool? You could also scan the HDD in another PC; the virus defs might pick it up when they can actually see the file.
chewy Posted July 23, 2009
My mentor may have misinformed me about Sophos not being able to remove this latest variant: http://www.bleepingcomputer.com/forums/topic242666.html
kevinalsop Posted July 23, 2009
Quoting LIGHTNING UK!: It's not just your burner, it's blocking physical access to all your drives (or so I believe). That's why most tools can't even scan for the virus; they're unable to 'open' the drive and look at it. Have you tried the Sophos anti-rootkit tool? You could also scan the HDD in another PC; the virus defs might pick it up when they can actually see the file.

Hey, yes you are totally right, it is blocking other access. I did indeed try Sophos; it was just as effective as everything else so far (read = zero). Sophos saw some files, but they were in temp directories and it wouldn't let me delete them, and I don't think it would have mattered anyway. Amazing I still have any hair left after trying to fix this the past few days! I started my backup tonight just in case I go the reformatting route. Looking like a good option so far! Currently, I don't need to burn anything on my player (I can use it for everything BUT burning), so I am holding out in case someone figures something out in the next day or so. I just don't know where to look for more help and I am not good enough to dig into my own system and be productive...
Kevin
LIGHTNING UK! Posted July 23, 2009
How about Hiren's Boot CD -> Paragon Mount Everything -> delete the bad files?
kerty213 Posted July 24, 2009
So far I've tried every single method that was posted in this topic as well as the links provided. But sadly, nothing seems to work. No matter what I try, I get the same result with my ImgBurn; even my UltraISO isn't working properly. Aside from re-formatting, are there any other suggestions? XD
P.S. For some reason I can detect the malware but I can't disable and remove the files with GMER as shown in the link.
kerty213 Posted July 24, 2009
Sorry for double posting, but just in case this helps: my computer can detect the DVD and I can burn standard files onto it (i.e. drag files to the DVD), but the programs I use to burn DVDs cannot detect it (i.e. ImgBurn, UltraISO, etc...).
kerty213 Posted July 24, 2009
I think I found a way to fix the issue. Well, it worked for me at least XD. Anyways, go to http://www.pcworld.com/downloads/file/fid,...escription.html and download "AVG anti rootkit", and then after installing, run a scan and delete the rootkits that have been detected. Then it will prompt you to restart; follow their instructions and after restarting, the rootkit should be removed.
NOTE: it will also prompt you to download the AVG rootkit protection program right after restarting. It is up to you to say yes or no. For me I chose no and continued on. Hope this helps ^^
namsilat Posted July 24, 2009
For those of you still having problems, go to Norton's forum and search "geyekr" and there are a whole bunch of posts on this. The guru QUADS there has been providing suggestions to fix the problem. All the files detected so far are simply the "result" of some boss file hiding in the background, so even if you can identify them and remove them, it doesn't help the situation.