It seems I have a rootkit problem like many others recently which is preventing Norton 360 from scanning and is also hijacking my browser at times. I did a GMER scan and it brought up a positive result unfortunately (as in a Rootkit found) and I have attached my log below for help.
Out of interest how would I have been infected by this? I haven't had any type of infection for five or six years now since I began using Norton products.
Just an update as I can't seem to edit my original post.
I did a Malware-Bytes scan and got the results on the first attachment below that contained two pieces of malware, before restarting my computer to complete the removal. This seemingly did nothing however as when I rebooted the PC the two pieces of malware remained. I then did a GMER scan again to confirm this. These GMER scans are scans with all the boxes ticked for your information.
Your problem with the geyekrxaevbvtm.dll is a bit different from the basic Tidserv rootkit variants that are common these days and needs to be addressed as such.
On first sight I would say that your problem originates from the C:\Users\Tom\Desktop\n7c3x76k.exe file. Is this a file you know of? If it is visible and you do not know of it I would suggest that you upload it to www.virustotal.com for a scan.
Before doing anything else I would like you to download and run Silent Runners. This is a script that will create a logfile in the same directory as the script. Save it on the desktop and run it, click yes on the question to skip the supplementary search and wait for about a minute until the "All Done" box appears. Post the log here.
Could you also provide a bit more info on your operating system, and service pack. Also 64 bit or 32 bit. Your GMER is shortened, we don't have registry entries or files.
Could you try to run GMER in safe mode with those two boxes checked to see if we can get a few more files for Quads to work with?
He will be along later in the day to assist you due to time zone differences.
jAW
n7c3x76k.exe is a copy of GMER.exe :S.
I'll go download a copy of Silent Runners anyway.
delphinium wrote:
Hi TMdaines:
Could you also provide a bit more info on your operating system, and service pack. Also 64 bit or 32 bit. Your GMER is shortened, we don't have registry entries or files.
Could you try to run GMER in safe mode with those two boxes checked to see if we can get a few more files for Quads to work with?
He will be along later in the day to assist you due to time zone differences.
Some rootkits are able to interfere with the GMER log as well as the Rootrepeal log. Sometimes we require both in order to ensure that the scripting is correct for your machine. Quads is the only member on the forum qualified to safely remediate these kinds of problems. He will be along later to check.
OK. I've run the Silent Runners script but had three different copies of GMER crash when attempting to scan with them, followed by a bluescreen on the fourth. I'll try again.
If you still have problems running the tools we can create a log manually.
Are you using the F8 method to get into safeboot now? If not this is how you do it.
1. Restart your computer and start pressing the F8 key on your keyboard. On a computer that is configured for booting to multiple operating systems, you can press the F8 key when the Boot Menu appears.
2. Select Enable Boot Logging when the Windows Advanced Options menu appears, and then press ENTER.
This will create a logfile called Ntbtlog.txt in C:\Windows
Post that log here.
Message Edited by jAW on 07-14-2009 10:49 AM
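The Ntbtlog.txt produced by Enable Boot Logging lists every driver the kernel loaded or refused. As an added example (not a tool from this thread or from Norton), this Python parses such a log and flags drivers reported as loaded from the drivers directory whose file is absent from a visible directory listing, which is the mismatch a file-hiding rootkit produces. The log contents and the directory listing are constructed sample data, using the driver path named later in the thread.

```python
import re
from typing import List, Tuple

# Constructed sample of an Ntbtlog.txt as written by "Enable Boot Logging".
# Only the geyekrerbtrckm.sys path comes from the thread; the rest is illustrative.
SAMPLE_NTBTLOG = r"""Microsoft (R) Windows (R) Version 6.0 (Build 6002)
 7 14 2009 10:49:35.500
Loaded driver \SystemRoot\system32\ntoskrnl.exe
Loaded driver \SystemRoot\system32\hal.dll
Loaded driver \SystemRoot\system32\drivers\atapi.sys
Loaded driver \SystemRoot\system32\drivers\geyekrerbtrckm.sys
Loaded driver \SystemRoot\System32\Drivers\Ntfs.sys
Did not load driver \SystemRoot\System32\Drivers\NDProxy.SYS
"""

# Constructed listing of C:\Windows\System32\drivers as seen on the live
# system; the rootkit's driver file is not shown there because it is hidden.
VISIBLE_DRIVER_FILES = ["atapi.sys", "Ntfs.sys", "NDProxy.SYS"]

LINE_RE = re.compile(r"^(Loaded driver|Did not load driver)\s+(.+?)\s*$")


def parse_ntbtlog(text: str) -> List[Tuple[str, str]]:
    """Return (status, path) pairs for every driver line in the boot log."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            status = "loaded" if m.group(1) == "Loaded driver" else "not loaded"
            entries.append((status, m.group(2)))
    return entries


def loaded_but_not_visible(text: str, visible_files: List[str]) -> List[str]:
    """Drivers the kernel loaded from the drivers directory whose file does not
    appear in the visible listing: candidates for a hidden rootkit driver."""
    visible = {name.lower() for name in visible_files}
    suspects = []
    for status, path in parse_ntbtlog(text):
        parts = path.split("\\")
        in_drivers_dir = len(parts) >= 2 and parts[-2].lower() == "drivers"
        if status == "loaded" and in_drivers_dir and parts[-1].lower() not in visible:
            suspects.append(path)
    return suspects


if __name__ == "__main__":
    for suspect in loaded_but_not_visible(SAMPLE_NTBTLOG, VISIBLE_DRIVER_FILES):
        print("loaded at boot but not visible on disk:", suspect)
```

On a real machine the visible listing would come from a `dir` of the drivers folder, and any hit is a file to hand to a specialist rather than delete by hand.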
When I do that I only get a menu that allows me to choose which device to boot from i.e. either hard drive or floppy or cd/dvd drive.
Please do nothing more for the time being and wait for Quads for any further instructions. He is a malware specialist and has undoubtedly dealt with this variant before. I will let him know that scans are not proceeding.
Are you running a Toshiba by any chance?
Also, I'm seeing group policy entries. Were you running the scans as administrator?
What you have is a variant of the tidserv and not that different as I first said. It should be as easy to remove as the other versions.
The driver file is the \systemroot\system32\drivers\geyekrerbtrckm.sys and with a little luck the driver is called geyekr.sys. This will show when you get the tools to work.
However, I have worked a lot with these things but not on this forum and am not "known" here, so I suggest that you wait for one of the guys that are, as that seems to be the recommendation (understandable). I do believe that there will be no problem cleaning your PC though.
But I also have a couple of questions I could do with having answered regarding this whole matter:
1) Where did this "infection" likely come from? The only thing I remember seeing is Norton 360 giving me an alert in the bottom right-hand corner of the screen before saying it has detected a Trojan Horse, after which it would no longer scan. I have been doing a fair bit of torrenting lately but of course I have only been using trusted torrents that many users have had zero problems with before so I doubt it was from them. My instinct says it came through my browser (FF 3.5) as I recall being unusually bombarded with ads upon opening a page shortly before this began. This is the first real infection I have had in years as I'm a sensible user online. Norton currently doesn't support FF 3.5 so would this be a logical assumption to make?
2) How did this "infection" bypass Norton? Is it a new piece of malware or is Norton simply incapable of detecting and protecting against malware of this type?
3) Presumably just using Norton 360 isn't enough. What other pieces of anti-malware would you recommend that would give me a reasonable increase in the level of protection over that which I have now? Malwarebytes Anti-Malware is suggested repeatedly here. Anything else that would be considered must-have?
I believe the patch is available now for FF 3.5. There may still be an upcoming patch for IPS. I find Noscript very satisfactory for blocking unwanted material that may show up in web pages.
The more popular the site, like Facebook, and download sites, and torrents are where the malware will be inserted. There is no profit for them in choosing unpopular sites. The malware is specifically written to bypass antivirus engines, in compressed files or script. It's hard to keep up with it.
While Norton is constantly being updated with new definitions, the malware is as well. In one of Quads' rootkit repairs he was able to recover the disallowed list for that particular rootkit. It included Malwarebytes, Superantispyware, and variations on those names. So they also use a similar approach to stop us from removing them.
It is only in the last couple of weeks that we have seen MBAM even take out rootkit files, but possibly not the whole thing.