Contributor
kwalker
Posts: 19
Registered: ‎06-21-2009
Accepted Solution

Help to remove Packed.Generic.200, please

I have been working for the past 2 weeks to remove the Packed.Generic.200 virus from my computer, originally detected on 4 June 2009.  Every time I start up my desktop I get a virus alert indicating the Packed.Generic.200 virus that is high risk and requires immediate attention, yet my Norton icon in the system tray shows the green circle with check mark.  

Details:  globalroot\systemroot\system32\uacjjcfucovholpyxm.dll

Affected Area:   1 file;  1 Browser cache

Initially, I contacted and paid for support from Norton's Virus and Spyware Removal team. The technician told me at the end of a 2 hour session that my computer was cleaned and I was safe to go back on to the Internet. The next day at start-up the virus alert window showed up again, with the virus still listed in the "Unresolved Security Risks" history. Next, I followed the specific instructions posted by Norton at this link http://www.symantec.com/security_response/writeup.jsp?docid=2009-040809-3630-99&tabid=3; these instructions were unsuccessful; disabling System Restore and running a full scan in Safe Mode also did not work.

I have additionally tried the following free downloads/online scans: Malwarebytes, ESET, Kaspersky, TrendMicro HouseCalls, and Super Antivirus, all with no success; the only objects found have been cookies. I have been researching the Norton discussion boards, the Yahoo Tech boards, Tech Forums, and the GeeksToGo boards and have yet to find a solution that appears to work. Can anyone help?

delphinium
Posts: 9,680
Kudos: 2,856
Solutions: 283
Registered: ‎11-21-2008

Re: Help to remove Packed.Generic.200, please

Hi Kwalker:

You have joined the elite group of people with a UAC rootkit.  Please remove all of the extra antimalware except Malwarebytes and Superantispyware as they do not conflict with Norton.

You will then need to download Rootrepeal from here http://homepages.slingshot.co.nz/~crutches/RootRepel/

Tick the boxes for drivers, stealth objects and hidden services and click okay. Post the log here in two or three posts. Quads, who has become very good at removing these things, is in a different time zone and will be available later in the day.

Also run this program: http://www.gmer.net/

We ask that you post this log in two or three parts if necessary, from "Devices" down to the end of the log. Do NOT do anything else with GMER or you may crash.

Message Edited by delphinium on 06-22-2009 06:54 AM
Under certain circumstances profanity provides relief denied even to prayer.
Mark Twain
Contributor
kwalker
Posts: 19
Registered: ‎06-21-2009

Re: Help to remove Packed.Generic.200, please

Hi Delphinium,

I've tried to access the link for RootRepeal and I get the message: IE cannot display webpage.

My Internet connectivity is working fine, do you know if there is a problem with the link website?

Many thanks for the help,

kwalker

delphinium
Posts: 9,680
Kudos: 2,856
Solutions: 283
Registered: ‎11-21-2008

Re: Help to remove Packed.Generic.200, please

Possibly, let me see if I can get you another link.

Try here. The download is down at the bottom. Do not do anything else with RootRepeal other than provide a scan. Some forums let it take out the files that it thinks should be removed, but it might miss some, which will defeat the purpose, or it might take something that you would rather not lose.

http://rootrepeal.googlepages.com/

Contributor
kwalker
Posts: 19
Registered: ‎06-21-2009

Re: Help to remove Packed.Generic.200, please

Googlepages was successful, thanks!  Below is the RootRepeal log:

ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Time:   2009/06/21 13:16
Program Version:  Version 1.3.0.0
Windows Version:  Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF24FE000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7BB2000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xEEF43000 Size: 49152 File Visible: No Signed: -
Status: -

Name: SYMEFA.SYS
Image Path: SYMEFA.SYS
Address: 0xF7375000 Size: 323584 File Visible: No Signed: -
Status: -

Stealth Objects
-------------------
Object: Hidden Module [Name: System.EnterpriseServices.dll]
Process: IntuitUpdateService.exe (PID: 1784) Address: 0x04510000 Size: 266240

Object: Hidden Module [Name: System.Transactions.dll]
Process: IntuitUpdateService.exe (PID: 1784) Address: 0x04260000 Size: 270336

Object: Hidden Module [Name: Intuit.Spc.Esd.Client.BusinessLogic.dll]
Process: IntuitUpdateService.exe (PID: 1784) Address: 0x03e10000 Size: 143360

Object: Hidden Module [Name: Intuit.Spc.Esd.WinClient.Application.UpdateService.dll]
Process: IntuitUpdateService.exe (PID: 1784) Address: 0x00a00000 Size: 36864

Object: Hidden Module [Name: Intuit.Spc.Esd.WinClient.Application.UpdateService.PluginContract.dll]
Process: IntuitUpdateService.exe (PID: 1784) Address: 0x00c40000 Size: 28672

Object: Hidden Module [Name: Intuit.Spc.Esd.WinClient.Application.UpdateServicePlugin.dll]
Process: IntuitUpdateService.exe (PID: 1784) Address: 0x00e00000 Size: 61440

Object: Hidden Module [Name: Intuit.Spc.Esd.Client.Common.dll]
Process: IntuitUpdateService.exe (PID: 1784) Address: 0x00e40000 Size: 86016

Object: Hidden Module [Name: Intuit.Spc.Esd.Core.dll]
Process: IntuitUpdateService.exe (PID: 1784) Address: 0x00ea0000 Size: 258048

Object: Hidden Module [Name: Intuit.Spc.Esd.WinClient.Ipc.Remoting.UpdateServiceWorker.dll]
Process: IntuitUpdateService.exe (PID: 1784) Address: 0x00ef0000 Size: 36864

Object: Hidden Module [Name: Intuit.Spc.Foundations.Primary.Logging.dll]
Process: IntuitUpdateService.exe (PID: 1784) Address: 0x00f10000 Size: 53248

Object: Hidden Module [Name: Intuit.Spc.Foundations.Primary.ExceptionHandling.dll]
Process: IntuitUpdateService.exe (PID: 1784) Address: 0x00fd0000 Size: 77824

Object: Hidden Module [Name: Intuit.Spc.Foundations.Portability.dll]
Process: IntuitUpdateService.exe (PID: 1784) Address: 0x03020000 Size: 471040

Object: Hidden Module [Name: System.configuration.dll]
Process: IntuitUpdateService.exe (PID: 1784) Address: 0x03240000 Size: 438272

Object: Hidden Module [Name: Intuit.Spc.Foundations.Primary.Config.dll]
Process: IntuitUpdateService.exe (PID: 1784) Address: 0x031a0000 Size: 86016

Object: Hidden Module [Name: System.dll]
Process: IntuitUpdateService.exe (PID: 1784) Address: 0x034e0000 Size: 3158016

Object: Hidden Module [Name: System.XML.dll]
Process: IntuitUpdateService.exe (PID: 1784) Address: 0x032b0000 Size: 2060288

Object: Hidden Module [Name: Intuit.Spc.Esd.WinClient.Api.Net.dll]
Process: IntuitUpdateService.exe (PID: 1784) Address: 0x03c10000 Size: 421888

Object: Hidden Module [Name: Intuit.Spc.Esd.Client.DataAccess.dll]
Process: IntuitUpdateService.exe (PID: 1784) Address: 0x03db0000 Size: 135168

Object: Hidden Module [Name: System.Data.SQLite.DLL]
Process: IntuitUpdateService.exe (PID: 1784) Address: 0x03e70000 Size: 778240

Object: Hidden Module [Name: System.Data.dll]
Process: IntuitUpdateService.exe (PID: 1784) Address: 0x03f30000 Size: 2961408

Object: Hidden Module [Name: Intuit.Spc.Map.Reporter.dll]
Process: IntuitUpdateService.exe (PID: 1784) Address: 0x04350000 Size: 479232

Object: Hidden Module [Name: System.Runtime.Remoting.dll]
Process: IntuitUpdateService.exe (PID: 1784) Address: 0x04b60000 Size: 307200

Object: Hidden Module [Name: System.Windows.Forms.dll]
Process: IntuitUpdateService.exe (PID: 1784) Address: 0x04dc0000 Size: 5033984

Object: Hidden Module [Name: System.Drawing.dll]
Process: IntuitUpdateService.exe (PID: 1784) Address: 0x05390000 Size: 634880

Object: Hidden Module [Name: Intuit.Spc.Map.WindowsFirewallUtilities.dll]
Process: IntuitUpdateService.exe (PID: 1784) Address: 0x05540000 Size: 1077248

Object: Hidden Module [Name: System.ServiceProcess.dll]
Process: IntuitUpdateService.exe (PID: 1784) Address: 0x056b0000 Size: 126976

==EOF==

GMER scan coming next...

delphinium
Posts: 9,680
Kudos: 2,856
Solutions: 283
Registered: ‎11-21-2008

Re: Help to remove Packed.Generic.200, please

Kwalker, clear your browser cache as well. In Internet Explorer: Tools, Internet Options, Browsing History, Delete. In Firefox go to Tools, Clear Private Data, and uncheck all but Cache.
Contributor
kwalker
Posts: 19
Registered: ‎06-21-2009

Re: Help to remove Packed.Generic.200, please

Browser cache cleared. Results from the GMER scan below, from Devices only:

---- Devices - GMER 1.0.15 ----

AttachedDevice  \Driver\Tcpip \Device\Ip          SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice  \Driver\Tcpip \Device\Tcp      SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice  \Driver\Tcpip \Device\Udp      SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice  \Driver\Tcpip \Device\RawIp  SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice  \FileSystem\Fastfat \Fat         fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----

kw

Bot Obliterator
Quads
Posts: 13,898
Registered: ‎07-21-2008

Re: Help to remove Packed.Generic.200, please

What?? When doing the malware/rootkit scan the output has no service, reg entries or files.

Quads 

Contributor
kwalker
Posts: 19
Registered: ‎06-21-2009

Re: Help to remove Packed.Generic.200, please

My apology, Quads. I am very "low tech"; you'll have to help me understand your post in basic terms. Is there a step in the process that I might be missing? I only checked the following boxes on the "Reports" tab: "Driver, Stealth Objects, Hidden Services".

I just reloaded RootRepeal and am rescanning with all boxes checked on the Report tab.

Message Edited by kwalker on 06-21-2009 02:28 PM
Contributor
kwalker
Posts: 19
Registered: ‎06-21-2009

Re: Help to remove Packed.Generic.200, please

New scan results from RootRepeal:

ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Time:   2009/06/21 14:26
Program Version:  Version 1.3.0.0
Windows Version:  Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF24FE000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7BB2000 Size: 8192 File Visible: No Signed: -
Status: -

Name: qblauikj.sys
Image Path: C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\qblauikj.sys
Address: 0xEEB3D000 Size: 81664 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xEF1C8000 Size: 49152 File Visible: No Signed: -
Status: -

Name: SYMEFA.SYS
Image Path: SYMEFA.SYS
Address: 0xF7375000 Size: 323584 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: c:\documents and settings\compaq_owner\local settings\temp\~df90ed.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\documents and settings\compaq_owner\local settings\temp\~dfd832.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

SSDT
-------------------
#: 012 Function Name: NtAlertResumeThread
Status: Hooked by "<unknown>" at address 0x8605bef8

#: 013 Function Name: NtAlertThread
Status: Hooked by "<unknown>" at address 0x861f1bd8

#: 017 Function Name: NtAllocateVirtualMemory
Status: Hooked by "<unknown>" at address 0x860cd690

#: 019 Function Name: NtAssignProcessToJobObject
Status: Hooked by "<unknown>" at address 0x860aade0

#: 031 Function Name: NtConnectPort
Status: Hooked by "<unknown>" at address 0x861f3188

#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xf28b7040

#: 043 Function Name: NtCreateMutant
Status: Hooked by "<unknown>" at address 0x86115118

#: 052 Function Name: NtCreateSymbolicLinkObject
Status: Hooked by "<unknown>" at address 0x86232de0

#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0x860f7d38

#: 057 Function Name: NtDebugActiveProcess
Status: Hooked by "<unknown>" at address 0x860e08b0

#: 063 Function Name: NtDeleteKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xf28b72c0

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xf28b7820

#: 068 Function Name: NtDuplicateObject
Status: Hooked by "<unknown>" at address 0x860bdae8

#: 083 Function Name: NtFreeVirtualMemory
Status: Hooked by "<unknown>" at address 0x860a8008

#: 089 Function Name: NtImpersonateAnonymousToken
Status: Hooked by "<unknown>" at address 0x8622ede0

#: 091 Function Name: NtImpersonateThread
Status: Hooked by "<unknown>" at address 0x86069658

#: 097 Function Name: NtLoadDriver
Status: Hooked by "<unknown>" at address 0x86254928

#: 108 Function Name: NtMapViewOfSection
Status: Hooked by "<unknown>" at address 0x860a8120

#: 114 Function Name: NtOpenEvent
Status: Hooked by "<unknown>" at address 0x861bb658

#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0x860cdf38

#: 123 Function Name: NtOpenProcessToken
Status: Hooked by "<unknown>" at address 0x860c5de0

#: 125 Function Name: NtOpenSection
Status: Hooked by "<unknown>" at address 0x860b62b8

#: 128 Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0x860cde68

#: 137 Function Name: NtProtectVirtualMemory
Status: Hooked by "<unknown>" at address 0x86232eb0

#: 206 Function Name: NtResumeThread
Status: Hooked by "<unknown>" at address 0x8624f128

#: 213 Function Name: NtSetContextThread
Status: Hooked by "<unknown>" at address 0x860dfd30

#: 228 Function Name: NtSetInformationProcess
Status: Hooked by "<unknown>" at address 0x8604c440

#: 240 Function Name: NtSetSystemInformation
Status: Hooked by "<unknown>" at address 0x860ffde0

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xf28b7a70

#: 253 Function Name: NtSuspendProcess
Status: Hooked by "<unknown>" at address 0x860b6870

#: 254 Function Name: NtSuspendThread
Status: Hooked by "<unknown>" at address 0x860b32b8

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys" at address 0xf27dddf0

#: 258 Function Name: NtTerminateThread
Status: Hooked by "<unknown>" at address 0x860927d0

#: 267 Function Name: NtUnmapViewOfSection
Status: Hooked by "<unknown>" at address 0x86129228

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "<unknown>" at address 0x860cd5c0

Stealth Objects
-------------------
Object: Hidden Module [Name: System.EnterpriseServices.dll]
Process: IntuitUpdateService.exe (PID: 1784) Address: 0x04510000 Size: 266240

Object: Hidden Module [Name: System.Transactions.dll]
Process: IntuitUpdateService.exe (PID: 1784) Address: 0x04260000 Size: 270336

Object: Hidden Module [Name: Intuit.Spc.Esd.Client.BusinessLogic.dll]
Process: IntuitUpdateService.exe (PID: 1784) Address: 0x03e10000 Size: 143360

Object: Hidden Module [Name: Intuit.Spc.Esd.WinClient.Application.UpdateService.dll]
Process: IntuitUpdateService.exe (PID: 1784) Address: 0x00a00000 Size: 36864

Object: Hidden Module [Name: Intuit.Spc.Esd.WinClient.Application.UpdateService.PluginContract.dll]
Process: IntuitUpdateService.exe (PID: 1784) Address: 0x00c40000 Size: 28672

Object: Hidden Module [Name: Intuit.Spc.Esd.WinClient.Application.UpdateServicePlugin.dll]
Process: IntuitUpdateService.exe (PID: 1784) Address: 0x00e00000 Size: 61440

Object: Hidden Module [Name: Intuit.Spc.Esd.Client.Common.dll]
Process: IntuitUpdateService.exe (PID: 1784) Address: 0x00e40000 Size: 86016

Object: Hidden Module [Name: Intuit.Spc.Esd.Core.dll]
Process: IntuitUpdateService.exe (PID: 1784) Address: 0x00ea0000 Size: 258048

Object: Hidden Module [Name: Intuit.Spc.Esd.WinClient.Ipc.Remoting.UpdateServiceWorker.dll]
Process: IntuitUpdateService.exe (PID: 1784) Address: 0x00ef0000 Size: 36864

Object: Hidden Module [Name: Intuit.Spc.Foundations.Primary.Logging.dll]
Process: IntuitUpdateService.exe (PID: 1784) Address: 0x00f10000 Size: 53248

Object: Hidden Module [Name: Intuit.Spc.Foundations.Primary.ExceptionHandling.dll]
Process: IntuitUpdateService.exe (PID: 1784) Address: 0x00fd0000 Size: 77824

Object: Hidden Module [Name: Intuit.Spc.Foundations.Portability.dll]
Process: IntuitUpdateService.exe (PID: 1784) Address: 0x03020000 Size: 471040

Object: Hidden Module [Name: System.configuration.dll]
Process: IntuitUpdateService.exe (PID: 1784) Address: 0x03240000 Size: 438272

Object: Hidden Module [Name: Intuit.Spc.Foundations.Primary.Config.dll]
Process: IntuitUpdateService.exe (PID: 1784) Address: 0x031a0000 Size: 86016

Object: Hidden Module [Name: System.dll]
Process: IntuitUpdateService.exe (PID: 1784) Address: 0x034e0000 Size: 3158016

Object: Hidden Module [Name: System.XML.dll]
Process: IntuitUpdateService.exe (PID: 1784) Address: 0x032b0000 Size: 2060288

Object: Hidden Module [Name: Intuit.Spc.Esd.WinClient.Api.Net.dll]
Process: IntuitUpdateService.exe (PID: 1784) Address: 0x03c10000 Size: 421888

Object: Hidden Module [Name: Intuit.Spc.Esd.Client.DataAccess.dll]
Process: IntuitUpdateService.exe (PID: 1784) Address: 0x03db0000 Size: 135168

Object: Hidden Module [Name: System.Data.SQLite.DLL]
Process: IntuitUpdateService.exe (PID: 1784) Address: 0x03e70000 Size: 778240

Object: Hidden Module [Name: System.Data.dll]
Process: IntuitUpdateService.exe (PID: 1784) Address: 0x03f30000 Size: 2961408

Object: Hidden Module [Name: Intuit.Spc.Map.Reporter.dll]
Process: IntuitUpdateService.exe (PID: 1784) Address: 0x04350000 Size: 479232

Object: Hidden Module [Name: System.Runtime.Remoting.dll]
Process: IntuitUpdateService.exe (PID: 1784) Address: 0x04b60000 Size: 307200

Object: Hidden Module [Name: System.Windows.Forms.dll]
Process: IntuitUpdateService.exe (PID: 1784) Address: 0x04dc0000 Size: 5033984

Object: Hidden Module [Name: System.Drawing.dll]
Process: IntuitUpdateService.exe (PID: 1784) Address: 0x05390000 Size: 634880

Object: Hidden Module [Name: Intuit.Spc.Map.WindowsFirewallUtilities.dll]
Process: IntuitUpdateService.exe (PID: 1784) Address: 0x05540000 Size: 1077248

Object: Hidden Module [Name: System.ServiceProcess.dll]
Process: IntuitUpdateService.exe (PID: 1784) Address: 0x056b0000 Size: 126976

==EOF==
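As an added example, not code from the thread or from RootRepeal itself: a short Python triage script that parses the RootRepeal report layout posted above and flags the two entries that stand out in the second log, the driver loaded from the user's Temp folder and the SSDT functions hooked by "<unknown>". The sample log is a constructed, abridged excerpt, and the two heuristics (temp-directory image path, unattributed hook) are my own reading aids, not RootRepeal features.

```python
import re

# Constructed excerpt in RootRepeal's report layout, abridged from the
# second log in the thread (same fields, fewer entries).
SAMPLE_LOG = r"""
Drivers
-------------------
Name: qblauikj.sys
Image Path: C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\qblauikj.sys
Address: 0xEEB3D000 Size: 81664 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xEF1C8000 Size: 49152 File Visible: No Signed: -
Status: -

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xf28b7040

#: 097 Function Name: NtLoadDriver
Status: Hooked by "<unknown>" at address 0x86254928
"""

PATH_RE = re.compile(r"Image Path:\s*(.+)")
VIS_RE = re.compile(r"File Visible:\s*(\w+)")
FUNC_RE = re.compile(r"Function Name:\s*(\w+)")
HOOK_RE = re.compile(r'Hooked by "([^"]*)" at address (0x[0-9a-fA-F]+)')
TEMP_RE = re.compile(r"[\\/](temp|tmp)[\\/]", re.IGNORECASE)  # image path under a temp dir


def split_sections(text):
    """Map section name -> blocks (line lists; blocks are separated by blank lines).
    A section heading is a line directly followed by a dashed rule."""
    parts = re.split(r"^(\S.*)\n-{5,}\n", text.replace("\r\n", "\n"), flags=re.M)
    return {parts[i]: [blk.splitlines() for blk in re.split(r"\n\s*\n", parts[i + 1].strip())
                       if blk.strip()]
            for i in range(1, len(parts), 2)}  # parts = [preamble, name, body, name, body, ...]


def triage(report):
    """Flag (a) drivers whose image lives in a temp directory, noting whether the file
    is also hidden from the Windows file API, and (b) SSDT hooks that RootRepeal could
    not attribute to a module on disk. 'File Visible: No' by itself is not a signal:
    rootrepeal.sys and the dump_*.sys crash-dump drivers are listed that way too."""
    findings, sections = [], split_sections(report)
    for text in ("\n".join(b) for b in sections.get("Drivers", [])):
        path, vis = PATH_RE.search(text), VIS_RE.search(text)
        if path and TEMP_RE.search(path[1]):
            hidden = vis is not None and vis[1].lower() == "no"
            findings.append(("driver", path[1].strip(),
                             "loaded from a temp directory" + (", hidden from file API" if hidden else "")))
    for text in ("\n".join(b) for b in sections.get("SSDT", [])):
        func, hook = FUNC_RE.search(text), HOOK_RE.search(text)
        if func and hook and hook[1] == "<unknown>":
            findings.append(("ssdt", func[1], "hooked by unattributed code at " + hook[2]))
    return findings
```

Point triage() at the text of a full saved report to get the same two categories of findings; it only reads the log, in line with delphinium's advice to use RootRepeal for scanning and nothing else.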