Request Help - Malware Infection in XP

Discussion in 'Malware Help (A Specialist Will Reply)' started by dahs512, Jul 27, 2009.

  1. dahs512

    dahs512 Private E-2

    XP is infected with malware. IE has been hijacked. Infection originally occurred when installing a small game downloaded from the internet. AVG8 caught several trojans and 1 virus during the initial infection, but not everything...including a rootkit that is causing the problems and which I cannot seem to fix. I have cleaned up XP and then run the 5 programs you have suggested and am attaching the requested 5 log files.

    There were problems running 2 of the applications.

    First...ComboFix runs and creates a log but does no fixing (I have used it several times successfully before on other computers). I have tried several times (redownloaded CF etc.), but with the same results. I get the message "Not Enough Main Memory To Complete The Sort" 3 times while it runs: 1) at the beginning, 2) at the completed stage_50 point, 3) shortly after it displays "Preparing Log Report". Additionally, at the "Completed Stage_32A" point I receive a message from pev.cfexe that says "The exception unknown software exception (0xc0000417) occurred in the application at location (0x0045dcae)." The same exact message has happened at this exact point 4 or 5 times as I have rerun ComboFix.

    Also with ComboFix.....during the several times I tried rerunning it, I tried to uninstall it using the /u from the run command. Everything seems to uninstall OK except, in the Qoobox folder under Quarantine\E\Windows\ERDNT\, the file MoveEx_SysHive_link.vir. This file remains in use by the system and is not deletable.

    ComboFix does finish and gives a log...I particularly notice a file it finds but does nothing to remove or fix the problem associated with loading it. Name of file is geyekrpqqookne.dll. I see this same file(s) listed repeatedly when I have run Malwarebytes. It finds them, claims it fixes them, but they always reappear.

    Second...RootRepeal problems with running. When I start this program I receive the error message "Could not read the Boot Sector. Try adjusting the Disk Access Level in the options dialog." I have to click OK 5 times on that message to get to the main screen of the program. I have tried every disk access level setting in the options, yet I still receive the same error message. I did go ahead and click the scan button and received a screen of file data. That log will be attached here too.

    When I ran MGTools, I noticed in one of the logs it was creating, that same message "Not enough main memory to complete the sort". The computer has 2 gigs of memory....and very little loading and running in the background.

    Also, of special note. Because I was having the problems running ComboFix and it continually nagged about AVG still being active, and the fact that I was getting indications that AVG had itself become infected, I uninstalled it. Later when I discovered that I still had the same problems running ComboFix, I decided to reinstall AVG. I have tried that twice, both times the installation finishes but I get errors in the installation that say that ActiveScan did not install properly, but the program then shows ActiveScan working properly, leading me to believe that the malware has somehow been able to hijack that function from AVG, and I don't think there was actually any active scanning going on. I since uninstalled it until I can get this problem fixed and can reinstall it.

    Thank you very much for any assistance you can give me.
     

    Attached Files:

  2. dahs512

    dahs512 Private E-2

    last attachment

    Here is the fifth attachment. I forgot to note the subject line...
     

    Attached Files:

  3. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You have three drives. Please tell me what each is used for.

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    If it is not on your Desktop, the below will not work.
    * Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    * If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    KILLALL::
    
    File::
    E:\WINDOWS\system32\geyekrpqqookne.dll
    E:\Documents and Settings\All Users\Application Data\10177344 
    
    Folder::
    E:\Documents and Settings\All Users\Application Data\10177344 
    
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    If it asks you to override the previous file with the same name, click YES.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\ComboFix.txt
    * C:\MGlogs.zip
     
  4. dahs512

    dahs512 Private E-2

    Tim,

    Thank you very much for helping me with this problem!

    I followed your instructions exactly. The results were not much different.

    I made the CFScript.txt file, dragged it onto the ComboFix icon...It started. Fairly quickly I got the "Not enough main memory to complete the sort." error message. And received the message twice more in the same places that I detailed in my first message. I also received the pev.cfexe error same place as last time. Two things different did happen when running it this time....it rebooted once before it began any of the stage checks. Then it went through the 50 stage checks and rebooted again and then finished. It did same...gave me the log, but it did not perform any other tasks as far as I can tell (same files and infection remain).

    Anyways....I am attaching the CF log and also the requested new MGToolsLogs.zip file.

    This one must really be a booger! I hope you have another thing or two in your arsenal.

    Thanks again for your help and your time!
     
  5. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You didn't attach anything. And you didn't answer my question about your drives. I am assuming that all three were included in the scans.
     
    Last edited: Jul 31, 2009
  6. dahs512

    dahs512 Private E-2

    Tim,

    It just all of a sudden dawned on me, that I did not tell you about the 3 drives....so I logged in to do that.....then found your reply telling about the no logs too...I just totally hazed out!!! Sorry! Thanks for responding back to me so quickly.

    The computer is set up as a dual-boot. We held on to Win98SE (C drive) forever and even kept it on this computer when we finally went to XP (E drive). We don't use Win98 anymore and probably have not booted to it in 9 months or so. I have been meaning to research how to undo that and totally get rid of it. So.....basically the C drive is now only a data drive for pictures, music, video files etc. The D drive has always been a data-only drive (accessible by both operating systems). There are no programs/executables run from either of these drives from XP.

    OK...now...let me attach those logs! Thanks again!
     

    Attached Files:

  7. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I want you to run SAS and MBAM on each user account. And why do you have all the accounts as administrators?

    Are you following my instructions for using ComboFix? It would appear as though it has not removed what was in the fix.

    Let's try it this way:

    Now download The Avenger by Swandog469, and save it to your Desktop.

    * Extract avenger.exe from the Zip file and save it to your desktop

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    * Run avenger.exe by double-clicking on it.
    * Do not change any check box options!!
    * Copy everything in the Quote box below, and paste it into the Input script here: part of the window:


    * Now click the Execute button.
    * Click Yes to the prompt to confirm you want to execute.
    * Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    * Your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.
    -
    Now run Ccleaner to clean out only temp files and nothing else!

    Now re-run Combo.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    * E:\Combo.txt
    * E:\Avenger.txt
    * E:\MGlogs.zip
     
  8. dahs512

    dahs512 Private E-2

    Tim,

    First, with regard to the user accounts. There is only one account on the computer...not counting the administrator account. That one is an administrator. Second, yes I have been following your instructions exactly, and yes ComboFix has not been fixing anything.

    I ran SAS and MBAM on the one profile. While SAS was running, a new Security Center Malware screen popped up, then a new porn picture advertisement popped up. Then I started getting pop-up windows from Outlook wanting me to configure it...I just kept closing those...finally they stopped. I left the malware screens alone...SAS finished and found nothing. Without touching the malware screens..I launched, updated and ran MalwareBytes. It found more than a dozen things, including 2 instances of that geyekrpqqookne.dll that ComboFix can't seem to fix. It finished, I rebooted. When it came back up in Windows...I started getting a handful of various error windows...related to the TCP/IP transport not being installed. Long story short...after a good bit of research I determined that the Winsock2 was corrupted. LSPFix would not fix it...finally I found an auto-fix tool on Microsoft's site that fixed it.

    So...then with a fresh boot and network and associated repaired...I decided to first run Malwarebytes again....it found 4 things....2 of course were geyekrpqqookne.dll. I had it fix all...it rebooted.

    Next...following your instructions...I ran The Avenger with the script pasted into the box. Log is attached...and tells what it did. Looks like it deleted the folder and that file in too.....but it did nothing to that geyekrpqqookne entity and said it did not exist. The log does however mention finding a hidden driver with another name....see log.

    Then I ran CCleaner and only cleaned temp files.

    Then I ran ComboFix. Although there might have been a bit of difference in the sequence of events while it ran, rebooted, ran again, generated the log, etc.....it still had the same "not enough main memory to complete the sort" error messages along the way, and did nothing to fix the problem, just generated the log.

    All logs requested are attached. Thanks again for your patience and your continued help and expertise.
     

    Attached Files:

  9. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Code:
    Users on this computer:
    Is Admin? | Username
    ------------------
              | ASPNET
       Yes    | Curtis
       Yes    | Denise
              | First Time
              | HelpAssistant (Disabled)
       Yes    | In Charge
    
    Let's continue with a few items to remove;

    * Run avenger.exe by double-clicking on it.
    * Do not change any check box options!!
    * Copy everything in the Quote box below, and paste it into the Input script here: part of the window:


    * Now click the Execute button.
    * Click Yes to the prompt to confirm you want to execute.
    * Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    * Your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\Avenger.txt
    * C:\MGlogs.zip

    Make sure you tell me how things are working now!
     
    Last edited: Aug 7, 2009
  10. dahs512

    dahs512 Private E-2

    Tim,

    Sorry...did not realize the "Curtis" account was on the system. It has been deleted. The "In Charge" account must be the administrator account...beats heck out of me...I certainly don't remember creating or naming that.

    Ok...so in between the last time I replied to you and when you replied back, we had run Malwarebytes several times to keep the computer half-usable. One of the updates got rid of the whtoncrsc driver and some of its associated files. So they were already gone by the time I got your reply and Avenger did not see them. Avenger did get rid of rtadta.sys, but that was it. Needless to say nothing has really changed.

    I am sending you the 2 logs, avenger & mtools.zip that you requested.

    In addition...I am including the logs from 2 other rootkit utilities that I have noticed during web research that some others have used to gain more insight into this "geyekr..." rootkit. I am hoping you can read something in those logs that might help with the scripting in Avenger. It seems some others have had some luck doing that....I just don't know how to do it myself. The two logs come from GMER and SysProt. I am feeling like you are probably familiar with what those are.

    Thank you again for your continued support.
     

    Attached Files:

  11. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    We have some hidden and stuck files that are being difficult to remove. Let's try again.

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    * Run avenger.exe by double-clicking on it.
    * Do not change any check box options!!
    * Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

    * Now click the Execute button.
    * Click Yes to the prompt to confirm you want to execute.
    * Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    * Your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.
    -
    Now run Ccleaner to clean out only temp files and nothing else!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\Avenger.txt
    * C:\MGlogs.zip

    Make sure you tell me how things are working now!
     
    Last edited: Aug 9, 2009
  12. dahs512

    dahs512 Private E-2

    Hi Tim,

    Nothing really new to report. I can tell by running malwarebytes that I am still infected same.

    I ran the script in Avenger. Log from it and from MGTools is attached.

    Thanks again....hope you have a few more tricks up your sleeve :)
     

    Attached Files:

  13. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Nasty nasty! Do this:

    * Close all open documents as this will reboot your PC
    * Double click on gmer.exe to launch GMER
    * If asked, allow the gmer.sys driver load
    * If it warns you about rootkit activity and asks if you want to run scan, click No/cancel
    * Click on the >>> tab
    * This will open up the rest of the tabs for you
    * Click on the CMD tab
    * Make sure CMD.EXE is selected
    * Now highlight the contents of the below codebox and copy it to the clipboard by pressing ctrl+c
    Code:
    gmer.exe -killall 
    gmer.exe -del service geyekrkaiyayob
    gmer.exe -del service geyekrpqlmloul
    gmer.exe -del file "E:\Documents and Settings\Denise\Local Settings\temp\geyekr000"
    gmer.exe -del file "E:\Documents and Settings\Denise\Local Settings\temp\geyekrpqlmloul000"
    gmer.exe -del file "E:\WINDOWS\system32\drivers\geyekrkaiyayob.sys"
    gmer.exe -del file "E:\WINDOWS\system32\geyekrhpmpeqra.dat"
    gmer.exe -del file "E:\WINDOWS\system32\geyekrpqqookne.dll"
    gmer.exe -del file "E:\WINDOWS\system32\geyekrrockapyb.dat"
    gmer.exe -del file "E:\WINDOWS\system32\geyekruuxnbeex.dat"
    gmer.exe -del file "E:\WINDOWS\system32\geyekrvoirmomy.dll"
    gmer.exe -del file "E:\WINDOWS\Temp\geyekrbcixivnsxf.tmp"
    gmer.exe -reboot
    
    * Now paste the contents into the top black box in GMER by using ctrl+v
    * Click Run, the script will run and then your PC will be rebooted
    * After rebooted, rerun GMER and attach the new log

    Then download a fresh copy of ComboFix to your desktop.

    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    If it is not on your Desktop, the below will not work.
    * Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    * If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    KILLALL::
    
    Registry::
    [-HKLM\SYSTEM\CurrentControlSet\Services\geyekrpqlmloul]

    [-HKLM\SYSTEM\ControlSet002\Services\geyekrpqlmloul]
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    If it asks you to override the previous file with the same name, click YES.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now attach the Combo log as well.
     
    Last edited: Aug 15, 2009
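The GMER script above removes the geyekr* components one by one after they have been picked out of the logs by hand. As an added illustration, not part of the thread and not a feature of GMER itself, the Python below automates that identification step: given a directory listing and a list of service names (the sample data here is constructed to mirror the names from this thread), it groups files whose base names share the same random-looking prefix across several extensions and directories, pulls in services with the same prefix, and emits GMER CMD-tab lines in the order TimW used (-killall, -del service, -del file, -reboot). The prefix length, the cluster thresholds and the sample listing are assumptions made for the example; the output is a candidate list to review, not something to run blind.

```python
import ntpath
from collections import defaultdict

# Constructed sample data for this example (not a real directory dump or
# service list), modelled on the file and service names from the thread.
SAMPLE_LISTING = r"""
E:\WINDOWS\system32\geyekrpqqookne.dll
E:\WINDOWS\system32\geyekrhpmpeqra.dat
E:\WINDOWS\system32\geyekrvoirmomy.dll
E:\WINDOWS\system32\drivers\geyekrkaiyayob.sys
E:\WINDOWS\system32\drivers\mrxdav.sys
E:\WINDOWS\system32\kernel32.dll
E:\WINDOWS\system32\msvcrt.dll
E:\WINDOWS\system32\drivers\ntfs.sys
E:\WINDOWS\Temp\geyekrbcixivnsxf.tmp
"""
SAMPLE_SERVICES = ["Eventlog", "geyekrpqlmloul", "geyekrkaiyayob", "Dhcp"]


def parse_listing(text):
    """One full Windows path per line (e.g. from `dir /s /b`); blanks ignored."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def find_prefix_clusters(paths, prefix_len=6, min_files=2):
    """Group files whose base name starts with the same prefix_len characters.

    A cluster is reported only if it has at least min_files members and spans
    more than one extension or more than one directory, which is how the
    infection in the thread laid out its .dll/.dat/.sys/.tmp components.
    This is a heuristic (assumed thresholds); review the output by hand.
    """
    groups = defaultdict(list)
    for path in paths:
        stem, _ext = ntpath.splitext(ntpath.basename(path))
        if len(stem) >= prefix_len:
            groups[stem[:prefix_len].lower()].append(path)
    clusters = {}
    for prefix, members in groups.items():
        exts = {ntpath.splitext(p)[1].lower() for p in members}
        dirs = {ntpath.dirname(p).lower() for p in members}
        if len(members) >= min_files and (len(exts) > 1 or len(dirs) > 1):
            clusters[prefix] = sorted(members)
    return clusters


def matching_services(services, prefixes, prefix_len=6):
    """Service names sharing a flagged prefix (the thread's hidden services)."""
    return sorted(s for s in services if s.lower()[:prefix_len] in prefixes)


def build_gmer_script(files, services):
    """Emit GMER CMD-tab commands in the order used in the thread:
    kill everything, delete services, delete files, reboot."""
    lines = ["gmer.exe -killall"]
    lines += [f"gmer.exe -del service {s}" for s in services]
    lines += [f'gmer.exe -del file "{f}"' for f in files]
    lines.append("gmer.exe -reboot")
    return lines


def triage(listing_text, services, prefix_len=6):
    """Return (clusters, gmer_script) for a listing and a service list."""
    clusters = find_prefix_clusters(parse_listing(listing_text), prefix_len)
    files = [p for members in clusters.values() for p in members]
    svcs = matching_services(services, set(clusters), prefix_len)
    return clusters, build_gmer_script(files, svcs)


if __name__ == "__main__":
    found, script = triage(SAMPLE_LISTING, SAMPLE_SERVICES)
    for prefix, members in found.items():
        print(f"cluster '{prefix}': {len(members)} files")
    print("\n".join(script))
```

A practitioner would feed it a real `dir /s /b` dump of the system32 tree and the service list from the MGtools or GMER log, and would still check each candidate against a known-good reference before deleting anything, since a legitimate driver family with a shared prefix would cluster in exactly the same way.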
  14. dahs512

    dahs512 Private E-2

    ...darn I hope this is not a bump...I sure seem to continue to have trouble getting these replies with attachments done and it not blowing me out....lets try again...

    Hello Tim,

    As always...thank you for your continued help with this nasty stuff! Sorry, I have been slow these past two times in replying back, but as this goes with at least a couple of days in between each of our replies...I like to see if I can take what your expertise gives me, what I can research and learn on the web, combine the two and try to work the issue a bit myself.

    I actually had meant to get back with you (a bump if you will) last time just prior to your last reply and new instructions... Reason why?...THE GOOD NEWS: I managed to KICK THAT GEYEKR OUTTA TOWN. So...I never did any of your last suggestions, because all that stuff was gone. It is possible that your suggestions this last time would have gotten me on my way too, as some of your scripting and mine for Avenger was similar.

    I am sending you 3 zip files this time, 1 zip contains a couple each of my avenger scripts, avenger logs, combofix logs (no scripts used there)....2nd zip includes my most recent Malwarebytes, RootRepeal, Gmer & SysProt logs...3rd zip is the usual MGlogs one. I wanted to share the details with you, as that is only fair....you helping me and me taking much of your guidance to figure out how to help myself some.

    This is how it went down... The 2 clues to the fix in my case, I now think, have come along the way from (clue 1) my inability to get ComboFix to run properly...to actually fix what it found...which it could not because of the problem it was having when it always gave the messages "Not Enough Main Memory To Complete The Sort", and (clue 2)...Malwarebytes could always keep on cleaning everything up (we continued to have those various fake anti-virus/spyware/system security apps dropped in on us...but always the same 2 files were detected, claimed to be removed, but still always remained...a rootkit part and a trojan dropper I think (a couple of geyekr... files), and one of those was always described as a "memory module"). So, my theory became that the memory module one was probably the cause of/directly related to ComboFix's inability to run, due to the bad file being loaded in the bulk of that main memory.

    So...a whole lot of research using the similar symptoms finally led me to think that I might be able to copy some of another supposed somewhat successful avenger script I found to look at, which attacked the geyekr service in the Control Sets...so I carefully synched my script to that one (attacking every possible file/driver - lots the same as you have had me do too)...another thing noted and I do believe that when as suggested I ran that same avenger script two immediate times in a row...there was some difference in the feel of things on 2nd reboot. Then I immediately ran malwarebytes to see what was detected....amazingly nothing. I ran Gmer...I could see the hidden service still running. I thought...what the heck...no geyekr memory module...wonder if Combo will run??? Downloaded a new one...launched it with no extra script....it ran like a charm...no memory problem...it went to work and I was thrilled watching all those geyekr files get run outta town! A reboot...Combo finished up! I immediately ran Malwarebytes again...expecting either nothing still or some various cleanup... It detected 2 things(files)...I thought no prob now...no geyekr the rest will get it too...

    THE BAD NEWS: I have spent hours and hours researching, using these same various tools and methods to get rid of these 2...can't seem to do it so far...so once again I am hoping you might have some knowledge/tricks, whatever, to help me finish off these last two!

    I call this one (WavyDavy)...the 2 files that hang in tandem in similar cases are mrxdavv.sys & kwave.sys. That first one is not to be confused with the legitimate Microsoft file and service MrxDav.sys (note only one "v"). Mbytes identifies those as a "rootkit agent" and a "trojan agent" respectively. Mbytes always acts like it gets rid of them but it does not. ComboFix has that same delusion! With GMER & SysProt I am just not personally seeing anything much related to attack. So I did manage to write an Avenger script that successfully got rid of a couple of bogus-looking things that were in there (you can see that in the 2nd Avenger log/script).

    There is not much good info out there to help me on this one! There are however some threads on help sites which say that "WavyDavv" is a really nasty one...designed for identity theft, that anyone that gets it...you are already compromised...you should just throw your hands up in the air...you are broken!...delete the partition on the drive and start over...that you should change your banking, credit card, eBay, PayPal and email passwords immediately...pretty scary! But I also do see several successfully ridding themselves of these 2 files and other bad stuff too.

    I have already tried those most common ComboFix & Avenger scripts for simple file and driver removal, with no luck. Something is keeping these guys latched on like leeches, but I am not seeing and picking that out of the data in the logs! I am sure hoping you can read on and in between the lines in the handful of logs that I am sending....we need that silver bullet!

    BTW...other things I have given a try...I installed newest Unhackme...was pretty worthless best I could tell....I uninstalled that. Someone looked to have gotten rid of the files using the AVZ Tool in safe mode...and that might be true....something won't let me install it though. Of course I am still running and scanning with SAS, but it rarely comes up with anything. And I periodically run CCleaner.

    Thanks again!!!
     

    Attached Files:
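The mrxdavv.sys/mrxdav.sys confusion in the post above is a lookalike-name trick: one extra letter lets a driver blend into a listing next to the legitimate WebDAV redirector. As an added example (not from the thread, and not a tool TimW recommended), the Python below compares a driver listing against an assumed known-good set with a Levenshtein distance check, reporting names within one edit of a legitimate name separately from names that are simply unknown, since the two classes need different handling. The sample listing and the known-good set are constructed for the example; a real known-good set would be generated from a clean install of the same Windows version and service pack.

```python
# Constructed sample listing of a drivers directory for this example, modelled
# on the names discussed in the thread; not a real directory dump.
SAMPLE_DRIVERS = ["mrxdav.sys", "mrxdavv.sys", "kwave.sys", "ntfs.sys",
                  "tcpip.sys", "rtadta.sys", "mrxsmb.sys"]

# Assumed known-good reference set (an assumption for the example). In practice
# build this from a clean install of the same Windows version and service pack.
KNOWN_GOOD = {"mrxdav.sys", "mrxsmb.sys", "ntfs.sys", "tcpip.sys", "kmixer.sys"}


def levenshtein(a, b):
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify_drivers(names, known_good, max_distance=1):
    """Split a driver listing into (lookalikes, unknown).

    lookalikes: (name, nearest legitimate name) for names that are not in the
                known-good set but are within max_distance edits of one, e.g.
                mrxdavv.sys next to mrxdav.sys.
    unknown:    names absent from the known-good set with no near match; these
                still need checking (signature, vendor, hidden-service entry)
                because the lookalike check only catches one class of naming.
    """
    known = {g.lower() for g in known_good}
    lookalikes, unknown = [], []
    for name in names:
        n = name.lower()
        if n in known:
            continue
        near = [g for g in sorted(known) if levenshtein(n, g) <= max_distance]
        if near:
            lookalikes.append((name, near[0]))
        else:
            unknown.append(name)
    return lookalikes, unknown


if __name__ == "__main__":
    look, unk = classify_drivers(SAMPLE_DRIVERS, KNOWN_GOOD)
    for name, target in look:
        print(f"LOOKALIKE  {name:<14} resembles {target}")
    for name in unk:
        print(f"UNKNOWN    {name}")
```

Keeping max_distance at 1 is deliberate: at 2 or more, legitimate short names start matching each other and the report fills with noise, while a one-character insertion or swap is exactly the pattern that hides a file in a sorted directory listing.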

  15. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Since you are doing things on your own, I have no idea where we are at this point.
     
  16. dahs512

    dahs512 Private E-2

    Tim,

    Go ahead and close this issue. Those last 2 files, mrxdavv.sys & kwave.sys, continued to show up in malwarebytes when we ran it every few days for the past month. Then one day they were gone. We immediately ran combofix, it still found them one time....then never again....so I guess somehow they got cleaned out.

    Thank you very much for your help. I would not have gotten rid of the rootkit crap without your help!
     
  17. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You are most welcome...let me know if you have any more issues that pop up. If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real-time protection. They are useful as backup scanners. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /u
        • Notes: Note the space between combofix" and /u; it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    5. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    6. Go to add/remove programs and uninstall HijackThis.
    7. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    8. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures in step 3 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work thru the below link:
     
