sascommando

Help on removing Gen.Trojan!IK virus


Hi there,

My PC has recently been riddled with viruses, I've managed to delete most (I think) but still have one particularly nasty one remaining, Gen.Trojan!IK

It's stopping me from downloading pretty much everything from the Internet (except a-squared, hurrah!) and even preventing me from saving anything to my Desktop or anywhere else on my PC. I also can't run any spyware programs or anti-virus software as it seems to be blocking them or automatically deleting them.

The virus is located in \\?\globalroot\Device\_max++>623C895D.x86.dll

Every time I 'delete' it from a-squared it keeps returning. Many thanks for any help.


I can't save the file anywhere. I've been having this problem where the program downloads, but when it comes to saving it somewhere (desktop, a folder somewhere, etc.) it appears and disappears in a flash.


Aha! I renamed the file and it actually saved and stayed there; however, I had to save it in My Documents as it most definitely wouldn't save onto my desktop. Hopefully this is the full report; it seemed to hang for ages, so I assumed it was finished. Report attached...


Go to start > run and copy and paste the following command in the field:

"%userprofile%\desktop\win32kdiag.exe" -f -r

This should restore permissions on locked files and remove mountpoints.

-----------------------------------------------------------

Post fresh logs for:

  • a-squared Free
  • ISeeYouXP
  • HiJackFree

Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!


Many thanks. I never know when Win32kDiag has finished; I left it running for ages but it keeps getting to a point where it just stops, so I closed it. Is it meant to close itself?

I'm hoping I did the HiJackFree log correctly.


I thought everything was fine but my AVG still won't scan, the box has been greyed out ever since I had this virus. Nor does the email scanner work on it, it says it's enabled but doesn't work.

Also I ran HiJackFree again and it closed down shortly after opening it. I then went to run it again and it had removed itself, saying I don't have permission to run it. I have no idea what is causing these problems but whatever I have on my system doesn't seem to have fully disappeared.

I'm unable to download/run any spyware or anti-virus programs.


Repair permissions:

Download to your Desktop

-->> Repair Permissions.exe <<-- self-extracting archive (117,015 bytes) - MD5: f4666e8f2acf6e1a12c655d56030d9e4

  • Double-click Repair Permissions.exe to install Repair Permissions
  • Double-click on !RUNME.BAT

You can safely ignore all errors.

-----------------------------------------------------------

Let me know if that changes anything with AVG and HiJackFree.


I ran the file, for both steps I get an error.

Cannot perform this operation on built-in accounts.

Task is completed with error. See log C:\Windows\security\logs\secanalyze.log detail for info.

Also, same with log C:\Windows\security\logs\secrepair.log

AVG still doesn't work, and Spybot most definitely doesn't work. I can't even install it anymore as it keeps telling me SpybotSD.exe is a read-only file and I can't install. I'm unable to even delete the folder for it in Program Files even though the folder is empty! It's as if all my administrator rights have been taken away from me.


Many thanks for all your help so far.

I can't even run the Fix It tool, same with everything I download from the Internet. As soon as I click Run the dialog box disappears and nothing happens.

I tried saving the file to my Desktop or another folder and it appears for a split-second then disappears. Even renaming the file didn't work like it does with some things. Basically I can't run or save any downloads from the Internet.


Download RootRepeal.zip and unzip it to your Desktop.

  • Double click RootRepeal.exe to start the program
  • Click on the Report tab at the bottom of the program window
  • Click the Scan button
  • In the Select Scan dialog, check:

    • Drivers
    • Files
    • Processes
    • SSDT
    • Stealth Objects
    • Hidden Services

  • Click the OK button
  • In the next dialog, select all drives showing
  • Click OK to start the scan
    Note: The scan can take some time. DO NOT run any other programs while the scan is running.
  • When the scan is complete, the Save Report button will become available
  • Click this and save the report to your Desktop as RootRepeal.txt
  • Go to File, then Exit to close the program

Attach the report.


I've discovered the cause of why I haven't been able to download anything or save files anywhere on my PC: it was AVG stopping me (for what reason I have no idea). I completely removed AVG and now I can download files just fine.

I still can't remove that empty Spybot folder in Program Files though, which seems to me like I don't have my full admin rights back just yet.

I ran RootRepeal, it did a very very quick scan and a few items appeared saying that the status is "Locked to the Windows API", the program then just automatically closes down.


Download and install subinacl.exe.

Copy the text below into a text file called reset.cmd and run reset.cmd with administrative rights (it may take a LONG time):

cd /d "%ProgramFiles%\Windows Resource Kits\Tools"
subinacl /subkeyreg HKEY_LOCAL_MACHINE /grant=administrators=f /grant=system=f
subinacl /subkeyreg HKEY_CURRENT_USER /grant=administrators=f /grant=system=f
subinacl /subkeyreg HKEY_CLASSES_ROOT /grant=administrators=f /grant=system=f
subinacl /subdirectories %SystemDrive% /grant=administrators=f /grant=system=f
subinacl /subdirectories %windir%\*.* /grant=administrators=f /grant=system=f
secedit /configure /cfg %windir%\inf\defltbase.inf /db defltbase.sdb /verbose

NOTE: when you run reset.cmd, you must run it as administrator (otherwise it will not succeed in fixing all the files).

Reboot

Still have permission problems?

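Added here as an example, not part of the thread or the helper's instructions: a PowerShell check to run after reset.cmd that reports whether Administrators and SYSTEM actually hold Full Control on the locations the script targets, and lists any explicit Deny entries that would still block tools from running. The target list and the function name are assumptions modelled on the reset.cmd lines above.

```powershell
# Added example (not from the thread): after running reset.cmd, confirm that
# Administrators and SYSTEM really hold Full Control on the locations it
# targets, and list any explicit Deny entries that would still block tools.
# The target list mirrors the reset.cmd lines above and is an assumption.
$targets = @(
    'HKLM:\SOFTWARE',
    'HKLM:\SYSTEM',
    'HKCU:\Software',
    'Registry::HKEY_CLASSES_ROOT',
    "$env:SystemDrive\",
    "$env:windir",
    "$env:windir\System32",
    "$env:ProgramFiles"
)
$required = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')

function Test-AclReset {
    param([string]$Path)
    $acl = Get-Acl -Path $Path -ErrorAction Stop
    $missing = @()
    foreach ($principal in $required) {
        $allow = $acl.Access | Where-Object {
            # File ACEs expose FileSystemRights, registry ACEs RegistryRights;
            # whichever one is absent simply reads as $null here.
            $rights = if ($null -ne $_.FileSystemRights) { $_.FileSystemRights } else { $_.RegistryRights }
            $_.IdentityReference.Value -eq $principal -and
            $_.AccessControlType -eq 'Allow' -and
            "$rights" -match 'FullControl'
        }
        if (-not $allow) { $missing += $principal }
    }
    # Explicit Deny entries win over any Allow, so they are reported separately.
    $deny = @($acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' } |
        ForEach-Object { $_.IdentityReference.Value })
    [pscustomobject]@{
        Path        = $Path
        Owner       = $acl.Owner
        MissingFull = ($missing -join ', ')
        DenyEntries = ($deny -join ', ')
        Ok          = ($missing.Count -eq 0 -and $deny.Count -eq 0)
    }
}

# Run from an elevated PowerShell prompt; any row with Ok = False still needs attention.
$targets | ForEach-Object {
    $p = $_
    try { Test-AclReset -Path $p }
    catch { Write-Warning "Could not read ACL of ${p}: $_" }
} | Format-Table -AutoSize
```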

I ran the file. Not sure what happened because I went away and came back to find that it had closed (I assume it did what it needed to do). I'm still not entirely convinced I have full admin rights though, because I still can't delete that folder.


Also, another problem I've been having has happened once again: I tried to install Avast anti-virus because I wanted something other than AVG. Yet again, when I try to run it, it closes down and removes itself.

The error I get when I try to run it again is:

"Windows cannot access the specified device, path or file. You may not have the appropriate permissions to access the item".

I'm getting this on nearly all spyware and anti-virus programs.


Open notepad

Copy and Paste the below lines of code to notepad:

@echo off
copy C:\Windows\System32\logevent.dll C:\logevent.dll

Go to File > save as and name the file fixes.bat, change the Save as type to all files and save it to your Desktop.

Double-click on fixes.bat to execute it.

-----------------------------------------------------------

Download Avenger from -->> HERE <<-- and unzip to your desktop.

  • Run Avenger
  • Read the prompt that appears, and press OK
  • Copy & paste the following text in the Input script box:

    Files to Delete:
    C:\Windows\System32\cngaudit.dll

    Files to move:
    C:\logevent.dll | C:\Windows\System32\cngaudit.dll

    Then click "Execute".

  • You will be presented with 2 confirmation prompts. Select yes on each. Your system will reboot.
    Note: It is possible that Avenger will reboot your system TWICE.
  • Upon reboot, a command prompt window will appear on your screen for a few seconds, and then Avenger's log will open. Please paste that log here in your next post.

-----------------------------------------------------------

Go to start > run and copy and paste the following command in the field:

"%userprofile%\desktop\win32kdiag.exe" -f -r

This should restore permissions on locked files and remove mountpoints.

-----------------------------------------------------------

Post fresh logs for:

  • Avenger (C:\avenger.txt)
  • a-squared Free
  • ISeeYouXP

Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!


Your logs look fine.

Unless you are having problems from Malware it is time to do the final steps.

If you used ComboFix, uninstall ComboFix:

  • Click START then RUN and enter the below into the run box and then click OK. (Use only the command of the same name as your copy of combofix.)
  • AvoidTDSS /u or combofix /u
    Note: The space before /u, must be there.
    This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
  • Delete the C:\AvoidTDSS or C:\ComboFix folder from combofix.
    Delete everything in C:\!KillBox

Delete the following from your Desktop (if they exist):

  • Avenger.exe
  • Avenger.txt
  • Avenger.zip
  • DisableAutoRuns.reg
  • FixMe.reg
  • FixReg.reg
  • ISeeYouXP.exe
  • ISeeYouXP.lnk
  • ISeeYouXP.txt
  • Anything else I had you use

Delete the following (if they exist):

  • C:\Avenger.txt
  • C:\Avenger
  • C:\ComboFix.txt
  • C:\ComboFix
  • C:\SDFix
  • C:\Qoobox

You can delete and uninstall any programs I had you download, that you do not wish to keep on the system.

Empty the Recycle Bin

Run ATF Cleaner

In the ISeeYouXP folder double-click HideIT.bat.

Turn off System restore to flush all your restore points then turn system restore back on.

To manually turn off System Restore, follow these steps:

1. Click Start, right-click My Computer, and then click Properties.

2. Click the System Restore tab.

3. Click to select the Turn off System Restore check box (or the Turn off System Restore on all drives check box), and then click OK.

4. Click Yes when you receive the prompt to turn off System Restore.

To turn on System Restore, follow these steps:

1. Click Start, right-click My Computer, and then click Properties.

2. Click the System Restore tab.

3. Click to clear the Turn off System Restore check box (or the Turn off System Restore on all drives check box), and then click OK.

Delete C:\ISeeYouXP

Run Windows Update and update your Windows Operating System.

Run the Secunia Online Software Inspector; this will inspect your system for software that is out of date and in need of updating. Update any program/application detected as being out of date.

That should take care of everything.

Safe Surfing!


Thread Closed

Reason: Resolved

The procedures contained in this thread are for this user and this user only. Attempting to use the instructions in this thread on your system could result in damaging the Operating System beyond repair. Do Not use any of the tools mentioned in this thread without the supervision of a Malware Removal Specialist.

All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE; if you don't, we are just going to send you back to this thread.
