Malware infection won't go away! TR/Alureon.C.4 Trojan


14 replies to this topic

#1 genius12

Posted 01 March 2009 - 12:54 PM

Malware removal HELP!!
Hi guys. I'm having a malware problem. Somehow, I don't know what happened, but a piece of malware got into my computer. When I open folders a popup appears claiming my computer is infected and that I should download some software. When on the internet I sometimes get redirected to other sites. Avira antivirus detected 2 viruses. It successfully removed one of them, which stopped the popups, but was unable to remove the other. It claims that the other virus is called 'TR/Alureon.C.4' [trojan]. Here is the log:

Avira AntiVir Personal
Report file date: March 1, 2009 02:31
Scanning for 1271369 virus strains and unwanted programs.
Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 3) [5.1.2600]
Boot mode: Normally booted
Username: muhammad shariq
Computer name: GENIUS12
Version information:
BUILD.DAT : 8.2.0.337 16934 Bytes 2008-11-18 13:05:00
AVSCAN.EXE : 8.1.4.10 315649 Bytes 2008-11-18 14:21:26
AVSCAN.DLL : 8.1.4.0 40705 Bytes 2008-05-26 13:56:40
LUKE.DLL : 8.1.4.5 164097 Bytes 2008-06-12 18:44:19
LUKERES.DLL : 8.1.4.0 12033 Bytes 2008-05-26 13:58:52
ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 2008-10-27 17:29:38
ANTIVIR1.VDF : 7.1.2.12 3336192 Bytes 2009-02-11 01:32:40
ANTIVIR2.VDF : 7.1.2.55 248832 Bytes 2009-02-20 22:08:46
ANTIVIR3.VDF : 7.1.2.96 190976 Bytes 2009-02-28 16:23:52
Engineversion : 8.2.0.98
AEVDF.DLL : 8.1.1.0 106868 Bytes 2009-01-30 21:56:18
AESCRIPT.DLL : 8.1.1.56 352634 Bytes 2009-02-27 01:56:12
AESCN.DLL : 8.1.1.7 127347 Bytes 2009-02-13 17:49:24
AERDL.DLL : 8.1.1.3 438645 Bytes 2008-11-05 13:43:26
AEPACK.DLL : 8.1.3.8 397684 Bytes 2009-02-04 22:11:32
AEOFFICE.DLL : 8.1.0.36 196987 Bytes 2009-02-27 01:56:12
AEHEUR.DLL : 8.1.0.100 1618295 Bytes 2009-02-27 01:56:12
AEHELP.DLL : 8.1.2.2 119158 Bytes 2009-02-27 01:56:12
AEGEN.DLL : 8.1.1.22 336245 Bytes 2009-02-27 01:56:10
AEEMU.DLL : 8.1.0.9 393588 Bytes 2008-10-15 16:49:36
AECORE.DLL : 8.1.6.6 176501 Bytes 2009-02-17 22:00:12
AEBB.DLL : 8.1.0.3 53618 Bytes 2008-10-15 16:49:34
AVWINLL.DLL : 1.0.0.12 15105 Bytes 2008-07-09 14:40:05
AVPREF.DLL : 8.0.2.0 38657 Bytes 2008-05-16 15:28:01
AVREP.DLL : 8.0.0.2 98344 Bytes 2009-02-28 16:23:52
AVREG.DLL : 8.0.0.1 33537 Bytes 2008-05-09 17:26:40
AVARKT.DLL : 1.0.0.23 307457 Bytes 2008-02-12 14:29:23
AVEVTLOG.DLL : 8.0.0.16 119041 Bytes 2008-06-12 18:27:49
SQLITE3.DLL : 3.3.17.1 339968 Bytes 2008-01-22 23:28:02
SMTPLIB.DLL : 1.2.0.23 28929 Bytes 2008-06-12 18:49:40
NETNT.DLL : 8.0.0.1 7937 Bytes 2008-01-25 18:05:10
RCIMAGE.DLL : 8.0.0.51 2371841 Bytes 2008-06-12 19:48:07
RCTEXT.DLL : 8.0.52.0 86273 Bytes 2008-06-27 19:34:37
Configuration settings for the scan:
Jobname..........................: Local Drives
Configuration file...............: c:\program files\avira\antivir personaledition classic\alldrives.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: on
Scan boot sector.................: on
Boot sectors.....................: C:, D:,
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: on
Scan all files...................: All files
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium
Deviating risk categories........: +APPL,+JOKE,+PCK,+SPR,
Start of the scan: March 1, 2009 02:31
Starting search for hidden objects.
c:\windows\system32\gaopdxcounter
[INFO] The file is not visible.
[NOTE] A backup was created as '4a193af3.qua' ( QUARANTINE )
c:\windows\system32\drivers\gaopdxklvvwwid.sys
[INFO] The file is not visible.
[DETECTION] Is the TR/Alureon.C.4 Trojan
[INFO] No SpecVir entry was found!
[NOTE] A backup was created as '4c3dff8c.qua' ( QUARANTINE )
HKEY_LOCAL_MACHINE\System\ControlSet001\Services\gaopdxserv.sys\modules
[INFO] The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\ControlSet001\Services\gaopdxserv.sys\start
[INFO] The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\ControlSet001\Services\gaopdxserv.sys\type
[INFO] The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\ControlSet001\Services\gaopdxserv.sys\imagepath
[INFO] The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\ControlSet001\Services\gaopdxserv.sys\group
[INFO] The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\ControlSet001\Services\gaopdxserv.sys\userdata
[INFO] The registry entry is invisible.
'28687' objects were checked, '8' hidden objects were found.
The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'a2service.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
18 processes with 18 modules were scanned
Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!
Starting to scan the registry.
The registry was scanned ( '46' files ).

Starting the file scan:
Begin scan in 'C:\'
Begin scan in 'D:\'
Search path D:\ could not be opened!
System error [21]: The device is not ready.

End of the scan: March 1, 2009 02:56
Used time: 25:14 Minute(s)
The scan has been done completely.
1334 Scanning directories
65918 Files were scanned
1 viruses and/or unwanted programs were found
0 Files were classified as suspicious:
0 files were deleted
0 files were repaired
2 files were moved to quarantine
0 files were renamed
0 Files cannot be scanned
65917 Files not concerned
472 Archives were scanned
0 Warnings
2 Notes
28687 Objects were scanned with rootkit scan
8 Hidden objects were found

After reading the log I observed that some file had created some registry entries and placed 2 files on the hard drive, which seems to be pretty much the problem. But each one of the hidden registry entries and files that Avira found that are associated with the virus is invisible, as it's written in the log, so I can't manually remove them.

And also it's preventing my antivirus from updating.
ANY HELP WILL BE GREATLY APPRECIATED.

AND PLEASE REPLY TO THIS POST!!
I NEED HELP PEOPLE.
" Determination is the cause of Intervention."-Muhammad Shariq


#2 rigel

Posted 01 March 2009 - 01:45 PM

Hi and welcome to BleepingComputer :thumbsup:

The process of cleaning your computer may require temporarily disabling some security programs. If you are using SpyBot Search and Destroy, please refer to Note 2 at the bottom of this page.

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note:
-- If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

Note 2:
-- MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes (like Spybot's Teatimer), they may interfere with the fix or alert you after scanning with MBAM. Please disable such programs until disinfection is complete or permit them to allow the changes. To disable these programs, please view this topic: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it." ~ Will Smith


#3 genius12 (Topic Starter)

Posted 01 March 2009 - 03:30 PM

Here is the log:

Malwarebytes' Anti-Malware 1.34
Database version: 1793
Windows 5.1.2600 Service Pack 3

01/03/2009 3:29:39 PM
mbam-log-2009-03-01 (15-29-39).txt

Scan type: Full Scan (C:\|)
Objects scanned: 73516
Time elapsed: 21 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 4
Folders Infected: 0
Files Infected: 10

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{cbaa871d-426d-46a6-bace-3597e2b0ce7b} (Rogue.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{d94c46a3-f89b-45c2-962a-76e300dc5c40} (Rogue.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{a8954909-1f0f-41a5-a7fa-3b376d69e226} (Rogue.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyComputer (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.113.140,85.255.112.135 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.113.140,85.255.112.135 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.113.140,85.255.112.135 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\sf.ico (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\m3.ico (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\c.ico (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\m.ico (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\p.ico (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\s.ico (Malware.Trace) -> Quarantined and deleted successfully.
C:\autorun.inf (Trojan.Agent) -> Quarantined and deleted successfully.
C:\RECYCLER\S-3-5-37-100011804-100026094-100009099-3358.com (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\gaopdxuplrdeyf.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\gaopdxklvvwwid.sys (Trojan.Agent) -> Quarantined and deleted successfully.
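Added example, not part of the thread and not code from Malwarebytes or SmitfraudFix: the MBAM log above shows three Trojan.DNSChanger entries that set a static NameServer of 85.255.113.140,85.255.112.135 in every control set, which is what silently sends browser traffic to attacker-chosen sites. The script below parses those log lines (and the post-repair lines SmitfraudFix prints in a later post, both embedded here as constructed sample input so it runs offline), checks every configured resolver against an allowlist, and reports which control sets carry the bad value. The allowlist of OpenDNS addresses is an assumption taken from that SmitfraudFix log; substitute the resolvers you actually configured.

```python
"""Audit TCP/IP NameServer values from scanner logs for DNS hijacking.

Added example (not from the thread or any tool in it). It parses the
registry lines that Malwarebytes and SmitfraudFix print, then checks each
configured resolver against an allowlist of resolvers the owner chose.
On a live machine the same check would read the keys with winreg.
"""
import ipaddress
import re
from typing import Dict, List, Set, Tuple

# Constructed sample input: the three DNSChanger lines from the MBAM log
# and the three per-adapter lines from the SmitfraudFix log in this thread.
MBAM_LINES = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.113.140,85.255.112.135 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.113.140,85.255.112.135 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.113.140,85.255.112.135 -> Quarantined and deleted successfully.
"""
SMITFRAUD_LINES = r"""
HKLM\SYSTEM\CCS\Services\Tcpip\..\{A6515777-8B0A-4553-90F6-82279789289D}: NameServer=208.67.222.222,208.67.220.220
HKLM\SYSTEM\CS1\Services\Tcpip\..\{A6515777-8B0A-4553-90F6-82279789289D}: NameServer=208.67.222.222,208.67.220.220
HKLM\SYSTEM\CS2\Services\Tcpip\..\{A6515777-8B0A-4553-90F6-82279789289D}: NameServer=208.67.222.222,208.67.220.220
"""

# Assumption: the owner configured OpenDNS (the values SmitfraudFix shows
# after the repair). Replace with your ISP's or router's resolvers.
EXPECTED_RESOLVERS: Set[str] = {"208.67.222.222", "208.67.220.220"}

MBAM_RE = re.compile(r"^(\S+\\NameServer) \(Trojan\.DNSChanger\) -> Data: (\S+) ->")
SMITFRAUD_RE = re.compile(r"^(\S+): NameServer=(\S*)$")
CONTROLSET_RE = re.compile(r"\\(CurrentControlSet|ControlSet\d{3}|CCS|CS\d)\\", re.IGNORECASE)


def parse_nameserver_lines(text: str) -> Dict[str, str]:
    """Map registry key -> raw NameServer string from either log format."""
    found: Dict[str, str] = {}
    for line in text.strip().splitlines():
        m = MBAM_RE.match(line) or SMITFRAUD_RE.match(line)
        if m:
            found[m.group(1)] = m.group(2)
    return found


def split_resolvers(value: str) -> List[str]:
    """NameServer is a REG_SZ list separated by commas or spaces."""
    return [p for p in re.split(r"[,\s]+", value.strip()) if p]


def audit(reg: Dict[str, str], expected: Set[str]) -> List[Tuple[str, str, str]]:
    """Return (key, resolver, verdict) for every resolver not on the allowlist.

    A static NameServer value overrides DHCP-supplied DNS for the whole
    machine, which is exactly what the DNSChanger family sets, so any
    public address here that you did not configure yourself is suspect.
    """
    findings = []
    for key, value in reg.items():
        for ns in split_resolvers(value):
            try:
                ip = ipaddress.ip_address(ns)
            except ValueError:
                findings.append((key, ns, "unparseable"))
                continue
            if str(ip) in expected:
                continue
            verdict = ("private address, probably the router: verify" if ip.is_private
                       else "unexpected public resolver: likely hijack")
            findings.append((key, ns, verdict))
    return findings


def hijacked_control_sets(reg: Dict[str, str], expected: Set[str]) -> Set[str]:
    """Which control sets carry a bad value. The MBAM log shows the hijack
    written to CurrentControlSet, ControlSet001 and ControlSet002 alike, so
    every set must be cleaned; a 'Last Known Good' rollback changes nothing."""
    sets = set()
    for key, _ns, verdict in audit(reg, expected):
        if verdict.startswith("unexpected"):
            m = CONTROLSET_RE.search(key)
            sets.add(m.group(1) if m else key)
    return sets


if __name__ == "__main__":
    for label, text in (("MBAM (before cleanup)", MBAM_LINES),
                        ("SmitfraudFix (after cleanup)", SMITFRAUD_LINES)):
        reg = parse_nameserver_lines(text)
        print(f"{label}: {len(audit(reg, EXPECTED_RESOLVERS))} bad resolver entries, "
              f"control sets affected: {sorted(hijacked_control_sets(reg, EXPECTED_RESOLVERS))}")
```

On a live machine the same two functions would take the NameServer values read with winreg from HKLM\SYSTEM\*\Services\Tcpip\Parameters and its per-interface subkeys; on a DHCP client any non-empty static NameServer deserves a look, since the DHCP-supplied servers live in DhcpNameServer instead.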

#4 rigel

Posted 01 March 2009 - 06:08 PM

Please download SmitfraudFix

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm



#5 genius12 (Topic Starter)

Posted 02 March 2009 - 04:37 PM

Here is the SmitfraudFix log:

SmitFraudFix v2.398

Scan done at 16:35:20.19, 02/03/2009
Run from C:\Documents and Settings\muhammad shariq\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\mmc.exe
C:\Documents and Settings\muhammad shariq\Desktop\SmitfraudFix\Policies.exe
C:\WINDOWS\system32\cmd.exe

hosts


C:\


C:\WINDOWS


C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32


C:\Documents and Settings\muhammad shariq


C:\DOCUME~1\MUHAMM~1\LOCALS~1\Temp


C:\Documents and Settings\muhammad shariq\Application Data


Start Menu


C:\DOCUME~1\MUHAMM~1\FAVORI~1


Desktop


C:\Program Files


Corrupted keys


Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


o4Patch
!!!Attention, following keys are not inevitably infected!!!

o4Patch
Credits: Malware Analysis & Diagnostic
Code: S!Ri



IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



Agent.OMZ.Fix
!!!Attention, following keys are not inevitably infected!!!

Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"System"=""


RK



DNS

Description: 3Com 3C918 Integrated Fast Ethernet Controller (3C905B-TX Compatible)
DNS Server Search Order: 208.67.222.222
DNS Server Search Order: 208.67.220.220

HKLM\SYSTEM\CCS\Services\Tcpip\..\{A6515777-8B0A-4553-90F6-82279789289D}: NameServer=208.67.222.222,208.67.220.220
HKLM\SYSTEM\CS1\Services\Tcpip\..\{A6515777-8B0A-4553-90F6-82279789289D}: NameServer=208.67.222.222,208.67.220.220
HKLM\SYSTEM\CS2\Services\Tcpip\..\{A6515777-8B0A-4553-90F6-82279789289D}: NameServer=208.67.222.222,208.67.220.220


Scanning for wininet.dll infection


End

THANKS FOR YOUR HELP SO FAR!

#6 rigel

Posted 02 March 2009 - 05:57 PM

Please print out and follow these instructions: "How to use SDFix". <- This program is for Windows 2000/XP ONLY.
When using this tool, you must use the Administrator's account or an account with "Administrative rights"
  • Disconnect from the Internet and temporarily disable your anti-virus, script blocking and any real time protection programs before performing a scan.
  • When done, the SDFix report log will open in notepad and automatically be saved in the SDFix folder as Report.txt.
  • If SDFix is unable to run after rebooting from Safe Mode, run SDFix in either Mode, and type F, then press Enter for it to finish the final stage and produce the report.
  • Please copy and paste the contents of Report.txt in your next reply.
  • Be sure to re-enable your anti-virus and other security programs before connecting to the Internet.
-- If the computer has been infected with the VirusAlert! malware warning from the clock and the Start Menu icons or drives are not visible, open the SDFix folder, right-click on either the XP_VirusAlert_Repair.inf or W2K VirusAlert_Repair.inf (depending on your version of Windows) and select Install from the Context menu. Then reboot to apply the changes.



#7 genius12 (Topic Starter)

Posted 02 March 2009 - 07:37 PM

:thumbsup: THANKS A LOT MAN FOR ALL YOUR HELP SO FAR!
AND HERE IS THE SDFix Report.txt log:

SDFix: Version 1.240
Run by muhammad shariq on 02/03/2009 at 19:10

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File
Restoring Default Start Menu

Rebooting


Checking Files :

No Trojan Files Found






Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-02 19:17:36
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\gaopdxserv.sys]
"start"=dword:00000001
"type"=dword:00000001
"imagepath"=str(2):"\systemroot\system32\drivers\gaopdxklvvwwid.sys"
"group"="file system"
"userdata"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\gaopdxserv.sys\modules]
"gaopdxserv"="\\?\globalroot\systemroot\system32\drivers\gaopdxklvvwwid.sys"
"gaopdxl"="\\?\globalroot\systemroot\system32\gaopdxuplrdeyf.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys]
"start"=dword:00000001
"type"=dword:00000001
"imagepath"=str(2):"\systemroot\system32\drivers\gaopdxklvvwwid.sys"
"group"="file system"
"userdata"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys\modules]
"gaopdxserv"="\\?\globalroot\systemroot\system32\drivers\gaopdxklvvwwid.sys"
"gaopdxl"="\\?\globalroot\systemroot\system32\gaopdxuplrdeyf.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\gaopdxserv.sys]
"start"=dword:00000001
"type"=dword:00000001
"imagepath"=str(2):"\systemroot\system32\drivers\gaopdxklvvwwid.sys"
"group"="file system"
"userdata"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\gaopdxserv.sys\modules]
"gaopdxserv"="\\?\globalroot\systemroot\system32\drivers\gaopdxklvvwwid.sys"
"gaopdxl"="\\?\globalroot\systemroot\system32\gaopdxuplrdeyf.dll"

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :



Files with Hidden Attributes :

Sun 13 Apr 2008 60,416 A.SH. --- "C:\Program Files\Outlook Express\msimn.exe"

Finished!

#8 rigel

Posted 02 March 2009 - 08:48 PM

A couple of steps...

Backup Your Registry with ERUNT
  • Please use the following link and scroll down to ERUNT and download it.
    http://aumha.org/freeware/freeware.php
  • For version with the Installer:
    Use the setup program to install ERUNT on your computer
  • For the zipped version:
    Unzip all the files into a folder of your choice.
Click Erunt.exe to backup your registry to the folder of your choice.

Note: to restore your registry, go to the folder and start ERDNT.exe


Please download gmer.zip and save to your desktop.
  • Extract (unzip) the file to its own folder such as C:\Gmer. (Click here for information on how to do this if not sure.)
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with gmer's driver.
  • Click on this link to see a list of programs that should be disabled.
  • Double-click on gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • You may be prompted to scan immediately if GMER detects rootkit activity.
  • If you are prompted to scan your system click "Yes" to begin the scan.
  • If not prompted, click the "Rootkit/Malware" tab.
  • On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click the Scan button to begin. (Please be patient as it can take some time to complete)
  • When the scan is finished, click Save to save the scan results to your Desktop.
  • Save the file as gmer.log and copy/paste the contents in your next reply.
  • Exit GMER and re-enable all active protection when done.



#9 genius12 (Topic Starter)

Posted 03 March 2009 - 05:01 PM

Here is the gmer.log :

:thumbsup:

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-03-03 16:56:06
Windows 5.1.2600 Service Pack 3


---- Services - GMER 1.0.14 ----

Service system32\drivers\gaopdxklvvwwid.sys (*** hidden *** ) [SYSTEM] gaopdxserv.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\ControlSet001\Services\gaopdxserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet001\Services\gaopdxserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet001\Services\gaopdxserv.sys@imagepath \systemroot\system32\drivers\gaopdxklvvwwid.sys
Reg HKLM\SYSTEM\ControlSet001\Services\gaopdxserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet001\Services\gaopdxserv.sys@userdata -1
Reg HKLM\SYSTEM\ControlSet001\Services\gaopdxserv.sys\modules
Reg HKLM\SYSTEM\ControlSet001\Services\gaopdxserv.sys\modules@gaopdxserv \\?\globalroot\systemroot\system32\drivers\gaopdxklvvwwid.sys
Reg HKLM\SYSTEM\ControlSet001\Services\gaopdxserv.sys\modules@gaopdxl \\?\globalroot\systemroot\system32\gaopdxuplrdeyf.dll
Reg HKLM\SYSTEM\ControlSet002\Services\gaopdxserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\gaopdxserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet002\Services\gaopdxserv.sys@imagepath \systemroot\system32\drivers\gaopdxklvvwwid.sys
Reg HKLM\SYSTEM\ControlSet002\Services\gaopdxserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet002\Services\gaopdxserv.sys@userdata -1
Reg HKLM\SYSTEM\ControlSet002\Services\gaopdxserv.sys\modules
Reg HKLM\SYSTEM\ControlSet002\Services\gaopdxserv.sys\modules@gaopdxserv \\?\globalroot\systemroot\system32\drivers\gaopdxklvvwwid.sys
Reg HKLM\SYSTEM\ControlSet002\Services\gaopdxserv.sys\modules@gaopdxl \\?\globalroot\systemroot\system32\gaopdxuplrdeyf.dll
Reg HKLM\SYSTEM\ControlSet003\Services\gaopdxserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet003\Services\gaopdxserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet003\Services\gaopdxserv.sys@imagepath \systemroot\system32\drivers\gaopdxklvvwwid.sys
Reg HKLM\SYSTEM\ControlSet003\Services\gaopdxserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet003\Services\gaopdxserv.sys@userdata -1
Reg HKLM\SYSTEM\ControlSet003\Services\gaopdxserv.sys\modules
Reg HKLM\SYSTEM\ControlSet003\Services\gaopdxserv.sys\modules@gaopdxserv \\?\globalroot\systemroot\system32\drivers\gaopdxklvvwwid.sys
Reg HKLM\SYSTEM\ControlSet003\Services\gaopdxserv.sys\modules@gaopdxl \\?\globalroot\systemroot\system32\gaopdxuplrdeyf.dll
Reg HKLM\SYSTEM\ControlSet004\Services\gaopdxserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet004\Services\gaopdxserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet004\Services\gaopdxserv.sys@imagepath \systemroot\system32\drivers\gaopdxklvvwwid.sys
Reg HKLM\SYSTEM\ControlSet004\Services\gaopdxserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet004\Services\gaopdxserv.sys@userdata -1
Reg HKLM\SYSTEM\ControlSet004\Services\gaopdxserv.sys\modules
Reg HKLM\SYSTEM\ControlSet004\Services\gaopdxserv.sys\modules@gaopdxserv \\?\globalroot\systemroot\system32\drivers\gaopdxklvvwwid.sys
Reg HKLM\SYSTEM\ControlSet004\Services\gaopdxserv.sys\modules@gaopdxl \\?\globalroot\systemroot\system32\gaopdxuplrdeyf.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys@imagepath \systemroot\system32\drivers\gaopdxklvvwwid.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys@userdata -1
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys\modules@gaopdxserv \\?\globalroot\systemroot\system32\drivers\gaopdxklvvwwid.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys\modules@gaopdxl \\?\globalroot\systemroot\system32\gaopdxuplrdeyf.dll
Reg HKLM\SYSTEM\ControlSet006\Services\gaopdxserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet006\Services\gaopdxserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet006\Services\gaopdxserv.sys@imagepath \systemroot\system32\drivers\gaopdxklvvwwid.sys
Reg HKLM\SYSTEM\ControlSet006\Services\gaopdxserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet006\Services\gaopdxserv.sys@userdata -1
Reg HKLM\SYSTEM\ControlSet006\Services\gaopdxserv.sys\modules
Reg HKLM\SYSTEM\ControlSet006\Services\gaopdxserv.sys\modules@gaopdxserv \\?\globalroot\systemroot\system32\drivers\gaopdxklvvwwid.sys
Reg HKLM\SYSTEM\ControlSet006\Services\gaopdxserv.sys\modules@gaopdxl \\?\globalroot\systemroot\system32\gaopdxuplrdeyf.dll

---- EOF - GMER 1.0.14 ----
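Added example, not from GMER, Avira or the thread: the Avira log in the first post (entries reported as "invisible") and the GMER log above describe the same object, a service named gaopdxserv.sys whose keys exist in the SYSTEM hive but are hidden from the normal registry API and from the Service Control Manager. The script below parses GMER's "Reg" lines (a constructed subset of the log above is embedded so it runs offline), rebuilds the service definition per control set, and decodes the start and type values with the Service Control Manager constants from the Windows SDK, so the numbers in the log read as what the driver does at boot.

```python
"""Decode the hidden service GMER reports, per control set.

Added example, not GMER's code or anything from the thread. Parses the
"Reg ..." lines GMER prints, rebuilds the service definition for each
control set and decodes the SCM start/type values.
"""
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample input: the Service line plus the ControlSet001 and
# CurrentControlSet blocks copied from the GMER log in this thread.
GMER_LOG = r"""
Service system32\drivers\gaopdxklvvwwid.sys (*** hidden *** ) [SYSTEM] gaopdxserv.sys <-- ROOTKIT !!!
Reg HKLM\SYSTEM\ControlSet001\Services\gaopdxserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet001\Services\gaopdxserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet001\Services\gaopdxserv.sys@imagepath \systemroot\system32\drivers\gaopdxklvvwwid.sys
Reg HKLM\SYSTEM\ControlSet001\Services\gaopdxserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet001\Services\gaopdxserv.sys@userdata -1
Reg HKLM\SYSTEM\ControlSet001\Services\gaopdxserv.sys\modules
Reg HKLM\SYSTEM\ControlSet001\Services\gaopdxserv.sys\modules@gaopdxserv \\?\globalroot\systemroot\system32\drivers\gaopdxklvvwwid.sys
Reg HKLM\SYSTEM\ControlSet001\Services\gaopdxserv.sys\modules@gaopdxl \\?\globalroot\systemroot\system32\gaopdxuplrdeyf.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys@imagepath \systemroot\system32\drivers\gaopdxklvvwwid.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys@userdata -1
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys\modules@gaopdxserv \\?\globalroot\systemroot\system32\drivers\gaopdxklvvwwid.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys\modules@gaopdxl \\?\globalroot\systemroot\system32\gaopdxuplrdeyf.dll
"""

# Service Control Manager constants from the Windows SDK (winnt.h).
SERVICE_TYPES = {0x1: "SERVICE_KERNEL_DRIVER", 0x2: "SERVICE_FILE_SYSTEM_DRIVER",
                 0x10: "SERVICE_WIN32_OWN_PROCESS", 0x20: "SERVICE_WIN32_SHARE_PROCESS"}
START_TYPES = {0: "SERVICE_BOOT_START", 1: "SERVICE_SYSTEM_START", 2: "SERVICE_AUTO_START",
               3: "SERVICE_DEMAND_START", 4: "SERVICE_DISABLED"}

# "Reg <key>[\subkey]@<value> <data>"; key-only lines carry no data and are skipped.
REG_VALUE_RE = re.compile(
    r"^Reg (HKLM\\SYSTEM\\(\w+)\\Services\\([^\\@ ]+)(?:\\(\w+))?)@(\S+) (.*)$")
HIDDEN_SERVICE_RE = re.compile(r"^Service (\S+) \(\*\*\* hidden \*\*\* \) \[\w+\] (\S+)")


def parse_gmer(text: str) -> Dict[str, Dict[str, dict]]:
    """Return {control_set: {service: {"values": {...}, "modules": {...}, "hidden_from_scm": bool}}}."""
    services = defaultdict(lambda: defaultdict(lambda: {"values": {}, "modules": {}}))
    hidden = set()
    for line in text.strip().splitlines():
        m = HIDDEN_SERVICE_RE.match(line)
        if m:
            hidden.add(m.group(2))
            continue
        m = REG_VALUE_RE.match(line)
        if not m:
            continue
        _key, cs, svc, subkey, name, data = m.groups()
        entry = services[cs][svc]
        if subkey:
            entry.setdefault(subkey, {})[name] = data
        else:
            entry["values"][name.lower()] = data
    for cs in services:
        for svc in services[cs]:
            services[cs][svc]["hidden_from_scm"] = svc in hidden
    return services


def describe(svc: dict) -> List[str]:
    """Translate the raw registry values into what the driver does at boot."""
    v = svc["values"]
    stype, start = int(v.get("type", "0")), int(v.get("start", "0"))
    traits = [f"type={stype} ({SERVICE_TYPES.get(stype, 'unknown')})",
              f"start={start} ({START_TYPES.get(start, 'unknown')})"]
    if stype in (0x1, 0x2) and start <= 1:
        traits.append("kernel-mode driver loaded during system init, before any user-mode service or logon")
    if v.get("group", "").lower() == "file system":
        traits.append("load-order group 'file system': loaded together with the filesystem drivers, early in boot")
    for name, path in svc["modules"].items():
        if path.lower().startswith(r"\\?\globalroot"):
            traits.append("module " + name + r" referenced via \\?\globalroot (NT object namespace, skips Win32 path normalization)")
    if svc.get("hidden_from_scm"):
        traits.append("hidden: present in the hive but not listed by the Service Control Manager")
    return traits


def control_sets_with(services, name: str) -> List[str]:
    return sorted(cs for cs, svcs in services.items() if name in svcs)


def identical_across_control_sets(services, name: str) -> bool:
    """True when every control set carries the same definition. The GMER log
    shows the service in all of them, so 'Last Known Good' would not remove it."""
    seen = set()
    for cs in services:
        svc = services[cs].get(name)
        if svc is not None:
            seen.add((tuple(sorted(svc["values"].items())), tuple(sorted(svc["modules"].items()))))
    return len(seen) == 1


if __name__ == "__main__":
    parsed = parse_gmer(GMER_LOG)
    for cs in control_sets_with(parsed, "gaopdxserv.sys"):
        print(cs, "->", "; ".join(describe(parsed[cs]["gaopdxserv.sys"])))
    print("identical in every control set:", identical_across_control_sets(parsed, "gaopdxserv.sys"))
```

The decoded picture is the one rigel's warning is based on: a kernel driver that loads at system start, before any user-mode scanner, from a file addressed through the NT object namespace, and registered in every control set so that no boot option short of offline removal leaves it out.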

#10 rigel

Posted 03 March 2009 - 06:13 PM

Service system32\drivers\gaopdxklvvwwid.sys (*** hidden *** ) [SYSTEM] gaopdxserv.sys <-- ROOTKIT !!!

You do have a rootkit, so the following warning is needed:

IMPORTANT NOTE: One or more of the identified infections was related to a rootkit component. Rootkits and backdoor Trojans are very dangerous because they use advanced techniques (backdoors) as a means of accessing a computer system that bypasses security mechanisms and steal sensitive information, which they send back to the hacker. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. Remote attackers use backdoor Trojans and rootkits as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge.

If your computer was used for online banking, has credit card information or other sensitive data on it, all passwords should be changed immediately to include those used for banking, email, eBay, paypal and online forums. You should consider them to be compromised. They should be changed by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

Although the rootkit was identified and removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because the rootkit has been removed the computer is now secure. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

"When should I re-format? How should I reinstall?"
"Help: I Got Hacked. Now What Do I Do?"
"Where to draw the line? When to recommend a format and reinstall?"

Should you decide not to follow that advice, we will do our best to help clean the computer of any infections but we cannot guarantee it to be trustworthy or that the removal will be successful.

Let me know how you wish to proceed.

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it." ~ Will Smith
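As an added example (not code from this thread, from GMER or from BleepingComputer), here is a small Python triage script that applies rigel's reading of the GMER log above. It parses the Service and Reg lines, picks out any service GMER marks `*** hidden ***`, and gathers the registry entries and file paths tied to that service so a defender knows exactly what to review, or preserve as evidence, before touching anything. The sample log embedded in the script is constructed from the lines quoted in this thread plus made-up section headers and a benign `afd.sys` line; rewriting `\\?\globalroot\systemroot` paths to a `%SystemRoot%` form is my own convention, not GMER's.

```python
"""Triage helper for GMER-style logs: list services GMER marks as hidden and
collect the registry entries and file paths tied to each one, so a defender
knows what to review (and preserve as evidence) before any cleanup."""
import re

# Constructed sample: the Service and Reg lines are the ones quoted in this
# thread; the section headers and the benign afd.sys line are made up.
SAMPLE_LOG = r"""
---- Services - GMER 1.0.14 ----

Service system32\drivers\gaopdxklvvwwid.sys (*** hidden *** ) [SYSTEM] gaopdxserv.sys <-- ROOTKIT !!!
Service system32\drivers\afd.sys [SYSTEM] AFD

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\ControlSet006\Services\gaopdxserv.sys\modules
Reg HKLM\SYSTEM\ControlSet006\Services\gaopdxserv.sys\modules@gaopdxserv \\?\globalroot\systemroot\system32\drivers\gaopdxklvvwwid.sys
Reg HKLM\SYSTEM\ControlSet006\Services\gaopdxserv.sys\modules@gaopdxl \\?\globalroot\systemroot\system32\gaopdxuplrdeyf.dll

---- EOF - GMER 1.0.14 ----
"""

# "Service <image> [(*** hidden *** )] [<start type>] <service name> [<-- note]"
SERVICE_RE = re.compile(
    r"^Service\s+(?P<image>\S+)\s+(?:(?P<flags>\(.*?\))\s+)?"
    r"\[(?P<start>\w+)\]\s+(?P<name>\S+)(?P<note>.*)$")
# "Reg <key>[@<value name>] [<data>]"
REG_RE = re.compile(r"^Reg\s+(?P<key>\S+?)(?:@(?P<value>\S+))?(?:\s+(?P<data>.+))?$")
# the service name is the path component right after \Services\
SERVICES_KEY_RE = re.compile(r"\\Services\\([^\\]+)", re.IGNORECASE)
GLOBALROOT = r"\\?\globalroot\systemroot"


def to_systemroot(path):
    r"""Rewrite the two path spellings GMER uses into one %SystemRoot%-relative
    form (my own convention). \\?\globalroot\systemroot\... is just an NT
    object-namespace way of naming the Windows directory: the file lives in an
    ordinary folder, and it is the rootkit's kernel hooks, not the path, that
    keep Explorer from showing it."""
    low = path.lower()
    if low.startswith(GLOBALROOT):
        return "%SystemRoot%" + path[len(GLOBALROOT):]
    if low.startswith("system32\\"):
        return "%SystemRoot%\\" + path
    return path


def triage(log_text):
    """Return {service name: {...}} for every service GMER flagged as hidden,
    with the registry entries under its Services key and every file path
    those entries (or its image name) point at."""
    hidden = {}
    reg_matches = []
    for line in log_text.splitlines():
        line = line.strip()
        m = SERVICE_RE.match(line)
        if m:
            flags = (m.group("flags") or "").lower()
            if "hidden" in flags:  # GMER's own marker for a hooked/hidden service
                hidden[m.group("name").lower()] = {
                    "name": m.group("name"),
                    "image": m.group("image"),
                    "start": m.group("start"),
                    "note": m.group("note").strip(),
                    "reg": set(),
                    "files": {to_systemroot(m.group("image"))},
                }
            continue
        m = REG_RE.match(line)
        if m:
            reg_matches.append(m)
    for m in reg_matches:
        key, value, data = m.group("key"), m.group("value"), m.group("data")
        owner = SERVICES_KEY_RE.search(key)
        if not owner or owner.group(1).lower() not in hidden:
            continue  # registry entry of a service GMER did not mark hidden
        entry = hidden[owner.group(1).lower()]
        entry["reg"].add(key if value is None else f"{key}@{value}")
        if data and data.lower().startswith(GLOBALROOT):
            entry["files"].add(to_systemroot(data))
    # sorted lists so the report (and any test) is stable
    return {v["name"]: {**v, "reg": sorted(v["reg"]), "files": sorted(v["files"])}
            for v in hidden.values()}


def report(findings):
    """Plain-text summary, one block per hidden service."""
    lines = []
    for name, f in findings.items():
        lines.append(f"hidden service {name} (start: {f['start']}) {f['note']}".rstrip())
        lines.append(f"  image: {f['image']}")
        lines += [f"  reg:   {r}" for r in f["reg"]]
        lines += [f"  file:  {p}" for p in f["files"]]
    return "\n".join(lines) or "no hidden services in log"


if __name__ == "__main__":
    print(report(triage(SAMPLE_LOG)))
```

Run against a real GMER log, the script reports the hidden service, its driver image, the three `modules` entries under its Services key and the two files they name; the benign `afd.sys` line is ignored because GMER did not mark it hidden. The `%SystemRoot%` rewrite is there to make the point rigel makes later in the thread: the files sit in the normal Windows directory, and it is the kernel-level hiding, not an odd path, that stops Explorer and Folder Options from showing them.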


#11 genius12

genius12
  • Topic Starter

  • Members
  • 92 posts
  • OFFLINE
  • Gender:Male
  • Location:toronto, ON, Canada
  • Local time:03:27 AM

Posted 03 March 2009 - 07:05 PM

As you must have noticed, rigel, the GMER log shows the service gaopdxserv.sys is dangerous, and under it is a list of .reg keys associated with it. I'm definite that it's dangerous because I researched on the internet and found that everywhere it was considered dangerous and a rootkit. So I'll delete all the .reg keys that GMER shows and will delete all the files associated with it, because I had just recently reformatted my drive and reinstalled Windows last week, and also had to install all the programs, apply all the tweaks and do everything I needed to all over again. So I don't want to go through all that hassle again, seeing that not only is it a lot of work but I usually don't have much time. Rigel, you've been the best help I've ever gotten from anyone on BleepingComputer. You alleviated and rectified my problem. Not only have you fixed my problem, but my computer is back to its original state. You're the best. I think I've extolled you enough, but you've seriously impressed me, and I'm very grateful. Anyways, I'll delete all the remnants left behind by the service, I promise.

THANKS A LOT! :flowers:
SEE YOU LATER! :thumbsup:
" Determination is the cause of Intervention."-Muhammad Shariq

#12 rigel

rigel

    FD-BC


  • Members
  • 12,944 posts
  • OFFLINE
  • Gender:Male
  • Location:South Carolina - USA
  • Local time:04:27 AM

Posted 03 March 2009 - 07:29 PM

Thank you for the kind words.

When you have removed the items listed, I would flush system restore...

Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since this is a protected directory that your tools cannot access to delete these files, they can sometimes reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok"
  • Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" Tab.
  • Click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it." ~ Will Smith


#13 genius12

genius12
  • Topic Starter

  • Members
  • 92 posts
  • OFFLINE
  • Gender:Male
  • Location:toronto, ON, Canada
  • Local time:03:27 AM

Posted 03 March 2009 - 09:27 PM

I don't think a reinfection can occur through System Restore because there never was any R.P., because I had System Restore disabled long ago, basically since I reinstalled Windows, which was last week. So what I was wondering is: what if I enable System Restore and make a restore point, then disable it again? And when I need to restore I can just enable it again and restore. Is that possible, or will the restore point get deleted? And will the restore point restore my registry as well as all the files? Anyways, is there an online FREE backup resource that makes a backup of all the files and the registry on your computer and places it on an online server so it doesn't take space on my computer? That would be a lot better. But if there isn't, then I guess I'll have to use System Restore. :flowers: Also, I've had success deleting all the registry keys left behind, but as the GMER log mentions, the folders where the files are located are not visible, and even though from Folder Options I selected "show hidden files and folders" it still doesn't show them. So how am I supposed to delete the files left behind by the rootkit if the files are not visible!!??

Anyways,
THANKS IN ADVANCE! :thumbsup:
Why isn't anyone replying?

Edited by genius12, 04 March 2009 - 04:52 PM.

" Determination is the cause of Intervention."-Muhammad Shariq

#14 genius12

genius12
  • Topic Starter

  • Members
  • 92 posts
  • OFFLINE
  • Gender:Male
  • Location:toronto, ON, Canada
  • Local time:03:27 AM

Posted 04 March 2009 - 04:54 PM

Why isn't anyone replying? :thumbsup:
" Determination is the cause of Intervention."-Muhammad Shariq

#15 rigel

rigel

    FD-BC


  • Members
  • 12,944 posts
  • OFFLINE
  • Gender:Male
  • Location:South Carolina - USA
  • Local time:04:27 AM

Posted 04 March 2009 - 06:37 PM

Well, I wasn't replying because I was at work. The things I do here, I do as a volunteer.


I know of no resource to back up your computer online. Depending on the number of files you have on your computer, I would think that the size of that file would be around 3-7Gb. That process is called making an image of your drive. If you have access to an external hard drive, you can use DriveImage XML to make a backup. Norton has a product called Ghost that does the same thing, but I haven't used that in a while.

So how am I supposed to delete the left behind files from the rootkit if the files are not visible!!??

Ahhh, you have found the problem with cleanup for rootkits. Their "strength" is to integrate themselves into the very core of Windows - its kernel. If you really wish to keep running your computer as it is, I would recommend posting a log to the HJT forum. There they have more powerful tools to clean things.

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it." ~ Will Smith




