I also have the "the maximum amount of secrets.." Virus

Hey, I also have the same problem as the user in this thread: http://forums.malwarebytes.org/index.php?showtopic=88966

I apologize in advance if I should just reply to the other thread, but I wasn't sure if they were person specific, as I am new on this forum.

I've been getting a lot of warnings from AVG lately about exe files with names like "ckmu.exe"; all of these virus files have random 4 letter titles. I've done my best to put them in AVG's vault, but it continues to screw with my programs and opening them. I've already tried the exe fix reg file 3 times and it'll work for a bit, but then I'll get problems with opening programs again, saying things like "cannot find specified file" or "open this file with what program?", etc. Then I tried to use Task Manager and I got this message: "the maximum amount of secrets that may be stored in a single system has been exceeded".

I found the other thread and I followed the steps, but as I was in the process of excluding mbam from AVG, AVG crashed and the virus wouldn't let me open AVG again. So I downloaded DDS and ran it regardless. I'll post the txt file results below. I will also attach a zip containing the 2nd log from DDS, the attach.txt file. The next step that the admin on the other thread said to do is download and run combofix; however, the combofix page warned not to use it unless an admin told you specifically to. So this is my inquiry: Should I use combofix next? Also, what else can I do to remove the viruses and clean my computer?


DDS (Ver_2011-06-23.01) - NTFSx86

Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_23

Run by Team Jacob at 14:47:26 on 2011-07-25

Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.1022.257 [GMT -5:00]


AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}

SP: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}


============== Running Processes ===============





C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe -k NetworkService


C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork




C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe

C:\Program Files\Airlink101\Airlink101 WLAN Monitor\WlanMon.exe

C:\Program Files\X3watch\x3watch.exe

C:\Program Files\AVG\AVG10\avgtray.exe

C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Windows\system32\svchost.exe -k imgsvc

C:\Windows\System32\svchost.exe -k termsvc


C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe

C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe

C:\Program Files\Mozilla Firefox\plugin-container.exe

C:\Program Files\Mozilla Firefox\plugin-container.exe

C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe


C:\Windows\system\svchost.exe -k NetworkService

C:\Program Files\AVG\AVG10\avgui.exe




C:\Windows\System32\svchost.exe -k WerSvcGroup





============== Pseudo HJT Report ===============


uStart Page = about:blank

uInternet Settings,ProxyOverride = *.local

uInternet Settings,ProxyServer = http=

uURLSearchHooks: UrlSearchHook Class: {00000000-6e41-4fd3-8538-502f5495e5fc} - c:\program files\ask.com\GenericAskToolbar.dll

uURLSearchHooks: H - No File

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\npdivx32.dll

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll

BHO: DivX HiQ: {593ddec6-7468-4cdd-90e1-42dadaa222e9} - c:\program files\divx\divx plus web player\npdivx32.dll

BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office14\GROOVEEX.DLL

BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~2\office14\URLREDIR.DLL

BHO: FrostWire Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

TB: FrostWire Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll

uRun: [Google Update] "c:\users\team jacob\appdata\local\google\update\GoogleUpdate.exe" /c

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime -Delay

mRun: [bCSSync] "c:\program files\microsoft office\office14\BCSSync.exe" /DelayServices

mRun: [Airlink101 Airlink101 WLAN Monitor] c:\program files\airlink101\airlink101 wlan monitor\WLANmon.exe

mRun: [ANIWZCS2Service] c:\program files\ani\aniwzcs2 service\WZCSLDR2.exe

mRun: [x3watch] c:\program files\x3watch\x3watch.exe

mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe

mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent

uPolicies-explorer: HideSCAHealth = 1 (0x1)

mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)

mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)

mPolicies-system: EnableLUA = 0 (0x0)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

mPolicies-system: PromptOnSecureDesktop = 0 (0x0)

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office14\EXCEL.EXE/3000

IE: Se&nd to OneNote - c:\progra~1\micros~2\office14\ONBttnIE.dll/105

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll

IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll

LSP: mswsock.dll

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

TCP: DhcpNameServer =

TCP: Interfaces\{49435551-4E62-4C32-A445-A8E3FD857265} : DhcpNameServer =

TCP: Interfaces\{4F8E06EC-CD3B-44C5-830F-08C93277C45B} : DhcpNameServer =

Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL

Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll

Notify: AtiExtEvent - Ati2evxx.dll

SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office14\GROOVEEX.DLL


================= FIREFOX ===================


FF - ProfilePath -


============= SERVICES / DRIVERS ===============


R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2011-2-22 22992]

R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2011-3-16 32592]

R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2011-1-7 248656]

R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-3-1 34896]

R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2011-4-5 297168]

R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]

R2 TermServices;Remote Desktop Service;c:\windows\system32\svchost.exe -k termsvc [2009-7-13 20992]

R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2011-4-14 134480]

R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2011-2-10 24144]

R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2011-2-10 21968]

R3 netr28;Ralink 802.11n Extensible Wireless Driver;c:\windows\system32\drivers\netr28.sys [2009-6-19 604672]

R4 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-7-25 41272]

S2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2011-4-18 7398752]

S2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2011-2-8 269520]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]

S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\microsoft office\office14\GROOVE.EXE [2010-1-21 30963576]

S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]

S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-8-14 1343400]

S4 WMZuneComm;Zune Windows Mobile Connectivity Service;c:\program files\zune\WMZuneComm.exe [2010-11-11 268528]


=============== Created Last 30 ================


2011-07-25 19:29:07 -------- d-----w- c:\users\team jacob\appdata\roaming\Malwarebytes

2011-07-25 19:28:54 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-07-25 19:28:52 -------- d-----w- c:\programdata\Malwarebytes

2011-07-25 19:28:47 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-07-25 19:28:47 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-07-25 18:46:48 7680 ----a-w- c:\windows\system\svchost.exe

2011-07-25 18:42:10 218624 ----a-w- c:\windows\system32\termlw32.dll

2011-07-25 04:58:59 -------- d-----w- c:\program files\MPAccess

2011-07-25 00:13:47 0 ----a-w- c:\users\team jacob\appdata\local\wohx.exe

2011-07-25 00:13:47 0 ----a-w- c:\users\team jacob\appdata\local\vtyp.exe

2011-07-25 00:13:47 0 ----a-w- c:\users\team jacob\appdata\local\mvio.exe

2011-07-25 00:13:47 0 ----a-w- c:\users\team jacob\appdata\local\bltn.exe

2011-07-25 00:13:47 0 ----a-w- c:\programdata\vjlv.exe

2011-07-25 00:13:47 0 ----a-w- c:\programdata\crxw.exe

2011-07-25 00:13:47 0 ----a-w- c:\programdata\ckmu.exe

2011-07-25 00:13:47 0 ----a-w- c:\programdata\bfmv.exe

2011-07-12 18:21:48 2332672 ----a-w- c:\windows\system32\win32k.sys

2011-07-06 18:37:31 2106216 ----a-w- c:\program files\mozilla firefox\D3DCompiler_43.dll

2011-07-06 18:37:31 1998168 ----a-w- c:\program files\mozilla firefox\d3dx9_43.dll

2011-07-05 05:50:02 -------- d-----w- C:\0e89c84be4faa7c84453f67ff29431

2011-07-04 17:35:16 1553920 ----a-w- c:\windows\system32\tquery.dll

2011-07-04 17:35:16 1401856 ----a-w- c:\windows\system32\mssrch.dll

2011-07-04 17:35:03 428032 ----a-w- c:\windows\system32\SearchIndexer.exe

2011-07-04 17:35:02 666624 ----a-w- c:\windows\system32\mssvp.dll

2011-07-04 17:35:02 337408 ----a-w- c:\windows\system32\mssph.dll

2011-07-04 17:34:50 86528 ----a-w- c:\windows\system32\SearchFilterHost.exe

2011-07-04 17:34:50 197120 ----a-w- c:\windows\system32\mssphtb.dll

2011-07-04 17:34:50 164352 ----a-w- c:\windows\system32\SearchProtocolHost.exe

2011-07-04 17:34:49 59392 ----a-w- c:\windows\system32\msscntrs.dll

2011-07-04 17:34:15 294912 ----a-w- c:\windows\system32\umpnpmgr.dll


==================== Find3M ====================


2011-07-05 17:29:40 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-06-02 05:59:55 169984 ----a-w- c:\windows\system32\winsrv.dll

2011-06-02 05:58:05 290816 ----a-w- c:\windows\system32\KernelBase.dll

2011-06-02 05:55:31 271872 ----a-w- c:\windows\system32\conhost.exe

2011-06-02 03:45:49 6144 ---ha-w- c:\windows\system32\api-ms-win-security-base-l1-1-0.dll

2011-06-02 03:45:49 4608 ---ha-w- c:\windows\system32\api-ms-win-core-threadpool-l1-1-0.dll

2011-06-02 03:45:49 3584 ---ha-w- c:\windows\system32\api-ms-win-core-xstate-l1-1-0.dll

2011-06-02 03:45:49 3072 ---ha-w- c:\windows\system32\api-ms-win-core-util-l1-1-0.dll

2011-05-28 03:00:02 1638912 ----a-w- c:\windows\system32\mshtml.tlb

2011-05-04 02:43:59 222720 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys

2011-05-04 02:43:48 96256 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys

2011-05-04 02:43:41 123392 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2011-05-03 04:50:29 740864 ----a-w- c:\windows\system32\inetcomm.dll

2011-04-29 02:57:34 311296 ----a-w- c:\windows\system32\drivers\srv.sys

2011-04-29 02:57:21 309760 ----a-w- c:\windows\system32\drivers\srv2.sys

2011-04-29 02:57:13 114176 ----a-w- c:\windows\system32\drivers\srvnet.sys

2011-04-28 22:36:29 45115 ----a-w- c:\windows\system32\ANICtl.dll

2011-04-27 02:33:46 78336 ----a-w- c:\windows\system32\drivers\dfsc.sys


============= FINISH: 14:48:49.29 ===============

Thank you in advance!

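A triage sketch for the DDS log in the post above, added here as an example and not part of the original thread: it flags zero-byte, four-letter .exe files in ProgramData and AppData\Local (the pattern the poster describes) and any svchost.exe located outside System32. The function name, rule labels and both heuristics are assumptions of this example, not features of DDS or Malwarebytes.

```python
import re
from ntpath import basename, dirname

# Lines excerpted from the DDS log in the post above.
SAMPLE = r"""
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system\svchost.exe -k NetworkService
2011-07-25 19:28:47 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-25 18:46:48 7680 ----a-w- c:\windows\system\svchost.exe
2011-07-25 00:13:47 0 ----a-w- c:\users\team jacob\appdata\local\wohx.exe
2011-07-25 00:13:47 0 ----a-w- c:\programdata\ckmu.exe
2011-07-12 18:21:48 2332672 ----a-w- c:\windows\system32\win32k.sys
2011-07-25 19:28:52 -------- d-----w- c:\programdata\Malwarebytes
"""

# "Created Last 30" / "Find3M" rows: date, time, size (or dashes), attributes, path.
FILE_ROW = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d (\d+|-{8}) (\S{8}) (.+)$")
# "Running Processes" rows: executable path followed by optional arguments.
PROC_ROW = re.compile(r"^([a-z]:\\.+?\.exe)\b", re.I)
# Folders where the poster's randomly named files appeared (heuristic, assumed).
DROP_DIRS = re.compile(r"^c:\\(programdata|users\\[^\\]+\\appdata\\local)$", re.I)
# Folders a genuine svchost.exe is expected to run from.
SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

def triage(log_text):
    """Return de-duplicated (rule, path) findings for a DDS log excerpt."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        size = None
        m = FILE_ROW.match(line)
        if m:
            path = m.group(3).lower()
            size = int(m.group(1)) if m.group(1).isdigit() else None
        else:
            m = PROC_ROW.match(line)
            if not m:
                continue
            path = m.group(1).lower()
        name, folder = basename(path), dirname(path)
        hit = None
        if name == "svchost.exe" and folder not in SVCHOST_DIRS:
            hit = ("svchost-outside-system32", path)
        elif size == 0 and re.fullmatch(r"[a-z]{4}\.exe", name) and DROP_DIRS.match(folder):
            hit = ("zero-byte-4-letter-exe", path)
        if hit and hit not in findings:
            findings.append(hit)
    return findings
```
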

  • Staff

Hi and welcome to Malwarebytes.

Please update MBAM, run a Quick Scan, and post its log.

Next, please visit this webpage for instructions for running ComboFix:


  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.



The same day I posted my problem, I ran combofix twice. The first time, a lot of the stages had an "access is denied" message after them. It also told me that I had the Rootkit Zero Access virus. The second time I ran it none of those messages came up and it finished perfectly. Then I was able to reinstall and update mbam. mbam ran perfectly and removed a backdoor trojan and a few other small viruses. All of the problems stopped. What should I do next then? Would you still like me to post the combofix log? I'll have to check but I think I saved it.


  • Staff


I'm afraid I have bad news.

A backdoor severely compromises system integrity.

A compromised system may allow illicit network connections, disabling of security software, modifying critical system files and collection and transmission of personal identifiable information without your consent.

I recommend that you disconnect this PC from the Internet immediately, and only reconnect to download any tools that are required. If you do any banking or other financial transactions on the PC or if it contains any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the Trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. If it were on my PC I would not hesitate for a moment to do so. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

Should you decide not to follow that advice, we will of course do our best to clean the computer of any infections that we can see but, as I already stated, we can in no way guarantee it to be trustworthy.

Should you have any questions, please feel free to ask.

Let me know what you decide.


Wow, this is awful news, but thank you so much for replying and letting me know! I'll talk to my friend who has helped me reformat before, and I won't make any transactions on this computer. I usually never do on this PC. I'll reformat as soon as possible. I will let you know as soon as I do. Thank you SO much!!!


This topic is now closed to further replies.