
problem with globalroot\Device\__max++>



DogSoldier
2009-08-30, 19:32
I picked up something while surfing with IE and immediately all my windows minimized as this thing installed itself. VIPRE Rescue5360 was able to log what was wrong but couldn't delete all the bad files. Most of them were sitting in Windows/System32 and were named UACyoultoejtk.dll or such. The names given for these viruses/trojans were Explorer32.Hijacker, Generic MBR Rootkit and Packed.Win32.TDSS.y.

I was able to borrow a computer to burn the F-Secure ISO onto a CD. After booting from this CD I ran the scan and it deleted 6 instances of UAC***. All that remains now is something called globalroot\Device\__max++>\69AEAAFC.x86.dll and this seems to be preventing the other antivirus programs from installing or working. I get a lot of NT Policy errors; for example, if I kill a process with 69AEAAFC.x86.dll in it, I get a "System Shutdown" due to a missing RPC or something. I am able to disable the shutdown by typing shutdown -a in Run.

I disabled Paging Files (Virtual memory) for all drives, switched System Restore off (it was off before, so this thing must have turned it back on) and ran the F-Secure CD again overnight. It found one virus in the Restore folder and I booted into safe mode, but I still have the same problems, which is globalroot\Device\__max++>\87B7C76E.x86.dll inserting itself into at least 8 processes. Notice the dll renames itself after every reboot.

I ran Gmer's mbr.exe and it comes up clean; evidently no MBR virus, but I don't know...

After I ran the F-Secure CD, I was able to run Gmer, but it won't do a full scan; it only gets so far, then shuts off, and I have to unzip a new fresh version because XP disabled the old one. Before I get to that partial log (Files unchecked), here is a list of programs that will still NOT run, in Safe Mode OR normal: HijackThis, Malwarebytes, ComboFix, RootRepeal, Kaspersky Antivirus (both standalone and browser), CounterSpy, BitDefender (standalone and browser), and a few others I forgot...

What does work?! The F-Secure ISO on CD, Gmer (up to a point), CCleaner, ATF-Cleaner and VIPRE Rescue5360.

Here's the Gmer log:


GMER 1.0.15.15077 [gmer.exe] - http://www.gmer.net
Rootkit scan 2009-08-30 12:17:03
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\drivers\sbaphd.sys (Sunbelt ActiveProtection hook driver/Sunbelt Software) ZwCreateKey [0xF79BD4D0]
SSDT \SystemRoot\system32\drivers\sbaphd.sys (Sunbelt ActiveProtection hook driver/Sunbelt Software) ZwSetValueKey [0xF79BD520]
SSDT \??\C:\WINDOWS\system32\Drivers\uphcleanhlp.sys ZwUnloadKey [0xB6F2A6D0]

---- Kernel code sections - GMER 1.0.15 ----

? win32k.sys:1 The system cannot find the file specified. !
? win32k.sys:2 The system cannot find the file specified. !
? C:\WINDOWS\system32\Drivers\uphcleanhlp.sys The system cannot find the file specified. !
? C:\WINDOWS\system32\Drivers\PROCEXP100.SYS The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Mozilla Firefox\firefox.exe[1072] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\87B7C76E.x86.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[1072] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\87B7C76E.x86.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[1072] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\87B7C76E.x86.dll
.text C:\WINDOWS\System32\svchost.exe[1324] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\87B7C76E.x86.dll
.text C:\WINDOWS\System32\svchost.exe[1324] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\87B7C76E.x86.dll
.text C:\WINDOWS\System32\svchost.exe[1324] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\87B7C76E.x86.dll

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Mozilla Firefox\firefox.exe[1072] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\87B7C76E.x86.dll
IAT C:\Program Files\Mozilla Firefox\firefox.exe[1072] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\87B7C76E.x86.dll
IAT C:\WINDOWS\System32\svchost.exe[1324] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\87B7C76E.x86.dll
IAT C:\WINDOWS\System32\svchost.exe[1324] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\87B7C76E.x86.dll

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\Device\__max++>\87B7C76E.x86.dll (*** hidden *** ) @ C:\Program Files\Mozilla Firefox\firefox.exe [1072] 0x35670000
Library \\?\globalroot\Device\__max++>\87B7C76E.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1284] 0x35670000
Library \\?\globalroot\Device\__max++>\87B7C76E.x86.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1324] 0x35670000
Library \\?\globalroot\Device\__max++>\87B7C76E.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1440] 0x35670000
Library \\?\globalroot\Device\__max++>\87B7C76E.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1520] 0x35670000
Library \\?\globalroot\Device\__max++>\87B7C76E.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\spoolsv.exe [1616] 0x35670000
Library \\?\globalroot\Device\__max++>\87B7C76E.x86.dll (*** hidden *** ) @ C:\Program Files\D-Link\D-Link DWA-552 Xtreme N Desktop Adapter\acs.exe [1652] 0x35670000
Library \\?\globalroot\Device\__max++>\87B7C76E.x86.dll (*** hidden *** ) @ C:\WINDOWS\System32\alg.exe [3848] 0x35670000

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@LoadAppInit_DLLs 1

---- EOF - GMER 1.0.15 ----

IE doesn't work and only redirects my searches, so I've been using Firefox. I've been looking for solutions for the past 2 days. I never post in these help forums; I'm usually able to fix things myself, but this bug IS VICIOUS! I'm hoping someone here will help save this computer; it's very valuable, with over a decade's worth of work files and backups. I'm a graphic designer.
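As an added example (not part of the original thread, and not code from GMER or from the poster): a small Python triage script for the GMER log format shown above. It picks out the Library lines that GMER flagged as hidden or that load from a bare \\?\globalroot\Device\<object>\ path (real volumes appear as \Device\HarddiskVolumeN; any other object under \Device that code is loaded from was created by some driver), the inline (.text) and IAT hooks, and the AppInit_DLLs registry values, and then attributes each hook target to the base address of the hidden module in that same process. Because the poster saw the DLL file name change after every reboot while the device object name stayed the same, it keys on the device object rather than the file name. The sample input is constructed from lines copied out of the log above; the regular expressions are assumptions written to fit exactly those line shapes, not a general GMER parser.

```python
r"""Triage a GMER 1.0.15 log for a DLL that lives behind a self-created device
object (the \\?\globalroot\Device\<object>\ path in the post) and is injected
into many processes. Added example for this thread; it is not a GMER feature
and not the poster's code. It parses only the line shapes in the posted log:
Library, .text inline hooks, IAT hooks and the Reg lines for AppInit_DLLs."""
import re

# Constructed sample: a few lines copied from the posted log, not a full log.
SAMPLE_LOG = r"""
.text C:\Program Files\Mozilla Firefox\firefox.exe[1072] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\87B7C76E.x86.dll
.text C:\WINDOWS\System32\svchost.exe[1324] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\87B7C76E.x86.dll
IAT C:\Program Files\Mozilla Firefox\firefox.exe[1072] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\87B7C76E.x86.dll
IAT C:\WINDOWS\System32\svchost.exe[1324] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\87B7C76E.x86.dll
Library \\?\globalroot\Device\__max++>\87B7C76E.x86.dll (*** hidden *** ) @ C:\Program Files\Mozilla Firefox\firefox.exe [1072] 0x35670000
Library \\?\globalroot\Device\__max++>\87B7C76E.x86.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1324] 0x35670000
Library \\?\globalroot\Device\__max++>\87B7C76E.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\spoolsv.exe [1616] 0x35670000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@LoadAppInit_DLLs 1
SSDT \SystemRoot\system32\drivers\sbaphd.sys (Sunbelt ActiveProtection hook driver/Sunbelt Software) ZwCreateKey [0xF79BD4D0]
"""

# Assumed line shapes, fitted to the posted log only.
HEX = r"[0-9A-Fa-f]+"
LIBRARY_RE = re.compile(
    r"^Library (?P<path>\S+) (?:\((?P<flag>[^)]*)\) )?@ (?P<proc>.+?) \[(?P<pid>\d+)\] 0x(?P<base>" + HEX + r")$")
INLINE_RE = re.compile(
    r"^\.text (?P<proc>.+?)\[(?P<pid>\d+)\] (?P<sym>\S+) \+ (?P<off>" + HEX + r") " + HEX +
    r" (?P<n>\d+) Bytes (?P<ins>\w+) (?P<target>" + HEX + r") (?P<path>\S+)$")
IAT_RE = re.compile(
    r"^IAT (?P<proc>.+?)\[(?P<pid>\d+)\] @ (?P<mod>.+?) \[(?P<imp>[^\]]+)\] \[(?P<target>" + HEX + r")\] (?P<path>\S+)$")
REG_RE = re.compile(r"^Reg (?P<key>.+?)@(?P<value>\S+)(?: (?P<data>.*))?$")

APPINIT_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
DEVICE_PREFIX = "\\\\?\\globalroot\\device\\"   # lower-cased form of \\?\globalroot\Device\


def device_object(path):
    r"""Name of the \Device\<object> a path goes through, or None for ordinary
    drive-letter paths. The poster's DLL changed file name on every reboot but
    kept the same object name, so this is the stable thing to match on."""
    if not path.lower().startswith(DEVICE_PREFIX):
        return None
    return path[len(DEVICE_PREFIX):].split("\\", 1)[0]


def is_bare_device_path(path):
    r"""Real volumes show up as \Device\HarddiskVolumeN; any other object under
    \Device that files are loaded from was created by some driver."""
    obj = device_object(path)
    return obj is not None and not obj.lower().startswith("harddiskvolume")


def triage(log_text):
    hidden, hooks, appinit = [], [], {}
    for line in (ln.strip() for ln in log_text.splitlines()):
        if m := LIBRARY_RE.match(line):
            if "hidden" in (m["flag"] or "") or is_bare_device_path(m["path"]):
                hidden.append((m["path"], m["proc"], int(m["pid"]), int(m["base"], 16)))
        elif m := INLINE_RE.match(line):
            hooks.append({"kind": "inline", "proc": m["proc"], "pid": int(m["pid"]),
                          "symbol": f"{m['sym']}+0x{m['off']}", "patched": int(m["n"]),
                          "target": int(m["target"], 16), "path": m["path"]})
        elif m := IAT_RE.match(line):
            hooks.append({"kind": "iat", "proc": m["proc"], "pid": int(m["pid"]),
                          "symbol": m["imp"], "patched": 0,
                          "target": int(m["target"], 16), "path": m["path"]})
        elif (m := REG_RE.match(line)) and m["key"] == APPINIT_KEY:
            appinit[m["value"]] = (m["data"] or "").strip()
    # Attribute each hook to the hidden module mapped in that same process:
    # the hook target must land at or above the module base GMER reported.
    bases = {(path, pid): base for path, _, pid, base in hidden}
    for h in hooks:
        base = bases.get((h["path"], h["pid"]))
        h["offset"] = h["target"] - base if base is not None and h["target"] >= base else None
    findings = [f"hidden module {p} in {proc}[{pid}] at 0x{base:08X}"
                for p, proc, pid, base in hidden]
    for h in hooks:
        where = (f"+0x{h['offset']:X} into the hidden module" if h["offset"] is not None
                 else "outside any hidden module, check separately")
        findings.append(f"{h['kind']} hook on {h['symbol']} in {h['proc']}[{h['pid']}] "
                        f"-> 0x{h['target']:08X} ({where})")
    if appinit.get("LoadAppInit_DLLs") == "1":
        findings.append(f"LoadAppInit_DLLs=1 with AppInit_DLLs={appinit.get('AppInit_DLLs', '')!r}"
                        " (a standard DLL-injection path; re-check the value after each reboot)")
    return {"hidden_modules": hidden, "hooks": hooks, "appinit": appinit,
            "processes": sorted({(proc, pid) for _, proc, pid, _ in hidden}),
            "device_objects": sorted({device_object(p) for p, *_ in hidden if is_bare_device_path(p)}),
            "findings": findings}


if __name__ == "__main__":
    for line in triage(SAMPLE_LOG)["findings"]:
        print(line)
```

Run it directly to print the findings for the sample, or pass the full log text to triage() to get the same breakdown per process. A hook whose target does not fall at or above the base of a hidden module in the same process is reported separately rather than attributed, so a second, differently named module would not be silently folded into the first.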

DogSoldier
2009-09-02, 06:27
I didn't get a response to this post, but this forum was still very helpful. I read a few threads about similar issues and reverse engineered a solution for my problem using Win32kDiag and Avenger. Once that was done, I was able to run Malwarebytes and Kaspersky. So, to the Expert members whose advice is invaluable here: thank you. It's very much appreciated!

tashi
2009-09-02, 06:50
Hello DogSoldier,

Glad you solved the problem, thanks for letting us know. :)

That said, now I will post an FYI to all members reading this topic. ;)

"BEFORE you POST" (READ this Procedure BEFORE Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288)


Please note that all instructions given are customized for that member's computer only; the tools used may cause damage if run on a computer with different infections. Your symptoms may only appear to be similar. Regardless, please do not take fixes given to another user and apply them to your own machine.

The Waiting Room (http://forums.spybot.info/forumdisplay.php?f=37)
Post here if still waiting for help in the Malware Forum, (AFTER) FOUR days (http://forums.spybot.info/showthread.php?t=1137)

Best regards.