
infected with gaopdx, help please


26 replies to this topic

#1 weeman252

weeman252

  • Members
  • 11 posts

Posted 09 March 2009 - 03:46 PM

Hi, somewhere on my travels through the internet I've managed to pick up a nice little rootkit, gaopdx. I can't get rid of it no matter what I try. So far it's managed to hijack Google searches, taking me to different pages on clicking the results, and has shut down every update I try, be it for antivirus, Windows updates et al. So far I've used Malwarebytes' Anti-Malware, which cleaned out 11 infections, but still hasn't fixed it. As per a different topic I've also tried ATF Cleaner combined with SUPERAntiSpyware in safe mode, but all SUPERAntiSpyware seems to be picking up is tracking cookies. Any advice greatly appreciated, thanks.

Thought I'd post the logs I got, only I thought of it after I'd finished posting lol, sorry. They are as follows:

Malwarebytes' Anti-Malware 1.34
Database version: 1826
Windows 6.0.6001 Service Pack 1

09/03/2009 19:33:51
mbam-log-2009-03-09 (19-33-51).txt

Scan type: Quick Scan
Objects scanned: 54284
Time elapsed: 3 minute(s), 10 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 6
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.184,85.255.112.75 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{98bfe9c0-e16e-4d44-a14e-3bfdec03da2e}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.184,85.255.112.75 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.184,85.255.112.75 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{98bfe9c0-e16e-4d44-a14e-3bfdec03da2e}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.184,85.255.112.75 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.184,85.255.112.75 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{98bfe9c0-e16e-4d44-a14e-3bfdec03da2e}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.184,85.255.112.75 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\thingmy\Desktop\Paving.Design.Expert.1.3.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\autorun.inf (Trojan.Agent) -> Quarantined and deleted successfully.
C:\RECYCLER\S-4-7-20-100004512-100032467-100002774-7120.com (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\System32\gaopdxcounter (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Users\thingmy\Desktop\services.gif (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.


scan 2:

Malwarebytes' Anti-Malware 1.34
Database version: 1826
Windows 6.0.6001 Service Pack 1

09/03/2009 19:40:47
mbam-log-2009-03-09 (19-40-47).txt

Scan type: Quick Scan
Objects scanned: 53886
Time elapsed: 3 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Then I did SUPERAntiSpyware:


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 03/09/2009 at 08:22 PM

Application Version : 4.25.1014

Core Rules Database Version : 3773
Trace Rules Database Version: 1732

Scan type : Complete Scan
Total Scan Time : 00:14:34

Memory items scanned : 290
Memory threats detected : 0
Registry items scanned : 6140
Registry threats detected : 0
File items scanned : 15251
File threats detected : 31

Adware.Tracking Cookie
C:\Users\thingmy\AppData\Roaming\Microsoft\Windows\Cookies\Low\thingmy@pcstats[2].txt
C:\Users\thingmy\AppData\Roaming\Microsoft\Windows\Cookies\Low\thingmy@popup.yieldmanager[2].txt
C:\Users\thingmy\AppData\Roaming\Microsoft\Windows\Cookies\Low\thingmy@indoormedia.co[1].txt
C:\Users\thingmy\AppData\Roaming\Microsoft\Windows\Cookies\Low\thingmy@bannersng.yell[1].txt
C:\Users\thingmy\AppData\Roaming\Microsoft\Windows\Cookies\Low\thingmy@ad.zanox[1].txt
C:\Users\thingmy\AppData\Roaming\Microsoft\Windows\Cookies\Low\thingmy@clicks.smartbizsearch[1].txt
C:\Users\thingmy\AppData\Roaming\Microsoft\Windows\Cookies\Low\thingmy@login.tracktor.co[1].txt
C:\Users\thingmy\AppData\Roaming\Microsoft\Windows\Cookies\Low\thingmy@eas.apm.emediate[1].txt
C:\Users\thingmy\AppData\Roaming\Microsoft\Windows\Cookies\Low\thingmy@avgtechnologies.112.2o7[1].txt
C:\Users\thingmy\AppData\Roaming\Microsoft\Windows\Cookies\Low\thingmy@kontera[2].txt
C:\Users\thingmy\AppData\Roaming\Microsoft\Windows\Cookies\Low\thingmy@www.pcstats[1].txt
C:\Users\thingmy\AppData\Roaming\Microsoft\Windows\Cookies\Low\thingmy@stopzilla[2].txt
C:\Users\thingmy\AppData\Roaming\Microsoft\Windows\Cookies\Low\thingmy@clickcash[1].txt
C:\Users\thingmy\AppData\Roaming\Microsoft\Windows\Cookies\Low\thingmy@ad2.yieldmanager[2].txt
C:\Users\thingmy\AppData\Roaming\Microsoft\Windows\Cookies\Low\thingmy@richmedia.yahoo[1].txt
C:\Users\thingmy\AppData\Roaming\Microsoft\Windows\Cookies\Low\thingmy@statse.webtrendslive[2].txt
C:\Users\thingmy\AppData\Roaming\Microsoft\Windows\Cookies\Low\thingmy@www.stopzilla[2].txt
C:\Users\thingmy\AppData\Roaming\Microsoft\Windows\Cookies\Low\thingmy@www.virginmedia[1].txt
C:\Users\thingmy\AppData\Roaming\Microsoft\Windows\Cookies\Low\thingmy@media6degrees[1].txt
C:\Users\thingmy\AppData\Roaming\Microsoft\Windows\Cookies\Low\thingmy@stats.paypal[2].txt
C:\Users\thingmy\AppData\Roaming\Microsoft\Windows\Cookies\Low\thingmy@ads.escalatemedia[1].txt
C:\Users\thingmy\AppData\Roaming\Microsoft\Windows\Cookies\Low\thingmy@atdmt[1].txt
C:\Users\thingmy\AppData\Roaming\Microsoft\Windows\Cookies\Low\thingmy@uk.findstuff[1].txt
C:\Users\thingmy\AppData\Roaming\Microsoft\Windows\Cookies\Low\thingmy@imrworldwide[2].txt
C:\Users\thingmy\AppData\Roaming\Microsoft\Windows\Cookies\Low\thingmy@chitika[1].txt
C:\Users\thingmy\AppData\Roaming\Microsoft\Windows\Cookies\Low\thingmy@p.media-servers[2].txt
C:\Users\thingmy\AppData\Roaming\Microsoft\Windows\Cookies\Low\thingmy@ads.widgetbucks[1].txt
C:\Users\thingmy\AppData\Roaming\Microsoft\Windows\Cookies\Low\thingmy@revsci[2].txt
C:\Users\thingmy\AppData\Roaming\Microsoft\Windows\Cookies\Low\thingmy@bridge2.admarketplace[1].txt
C:\Users\thingmy\AppData\Roaming\Microsoft\Windows\Cookies\Low\thingmy@collective-media[2].txt
C:\Users\thingmy\AppData\Roaming\Microsoft\Windows\Cookies\Low\thingmy@virginmedia[1].txt



Then back to Malwarebytes:


Malwarebytes' Anti-Malware 1.34
Database version: 1826
Windows 6.0.6001 Service Pack 1

09/03/2009 20:26:44
mbam-log-2009-03-09 (20-26-44).txt

Scan type: Full Scan (C:\|)
Objects scanned: 27851
Time elapsed: 3 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



SUPERAntiSpyware again:


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 03/09/2009 at 08:50 PM

Application Version : 4.25.1014

Core Rules Database Version : 3773
Trace Rules Database Version: 1732

Scan type : Complete Scan
Total Scan Time : 00:17:31

Memory items scanned : 293
Memory threats detected : 0
Registry items scanned : 6140
Registry threats detected : 0
File items scanned : 18704
File threats detected : 31

Adware.Tracking Cookie
C:\Users\thingmy\AppData\Roaming\Microsoft\Windows\Cookies\Low\thingmy@pcstats[2].txt
C:\Users\thingmy\AppData\Roaming\Microsoft\Windows\Cookies\Low\thingmy@popup.yieldmanager[2].txt
C:\Users\thingmy\AppData\Roaming\Microsoft\Windows\Cookies\Low\thingmy@indoormedia.co[1].txt
C:\Users\thingmy\AppData\Roaming\Microsoft\Windows\Cookies\Low\thingmy@bannersng.yell[1].txt
C:\Users\thingmy\AppData\Roaming\Microsoft\Windows\Cookies\Low\thingmy@ad.zanox[1].txt
C:\Users\thingmy\AppData\Roaming\Microsoft\Windows\Cookies\Low\thingmy@clicks.smartbizsearch[1].txt
C:\Users\thingmy\AppData\Roaming\Microsoft\Windows\Cookies\Low\thingmy@login.tracktor.co[1].txt
C:\Users\thingmy\AppData\Roaming\Microsoft\Windows\Cookies\Low\thingmy@eas.apm.emediate[1].txt
C:\Users\thingmy\AppData\Roaming\Microsoft\Windows\Cookies\Low\thingmy@avgtechnologies.112.2o7[1].txt
C:\Users\thingmy\AppData\Roaming\Microsoft\Windows\Cookies\Low\thingmy@kontera[2].txt
C:\Users\thingmy\AppData\Roaming\Microsoft\Windows\Cookies\Low\thingmy@www.pcstats[1].txt
C:\Users\thingmy\AppData\Roaming\Microsoft\Windows\Cookies\Low\thingmy@stopzilla[2].txt
C:\Users\thingmy\AppData\Roaming\Microsoft\Windows\Cookies\Low\thingmy@clickcash[1].txt
C:\Users\thingmy\AppData\Roaming\Microsoft\Windows\Cookies\Low\thingmy@ad2.yieldmanager[2].txt
C:\Users\thingmy\AppData\Roaming\Microsoft\Windows\Cookies\Low\thingmy@richmedia.yahoo[1].txt
C:\Users\thingmy\AppData\Roaming\Microsoft\Windows\Cookies\Low\thingmy@statse.webtrendslive[2].txt
C:\Users\thingmy\AppData\Roaming\Microsoft\Windows\Cookies\Low\thingmy@www.stopzilla[2].txt
C:\Users\thingmy\AppData\Roaming\Microsoft\Windows\Cookies\Low\thingmy@www.virginmedia[1].txt
C:\Users\thingmy\AppData\Roaming\Microsoft\Windows\Cookies\Low\thingmy@media6degrees[1].txt
C:\Users\thingmy\AppData\Roaming\Microsoft\Windows\Cookies\Low\thingmy@stats.paypal[2].txt
C:\Users\thingmy\AppData\Roaming\Microsoft\Windows\Cookies\Low\thingmy@ads.escalatemedia[1].txt
C:\Users\thingmy\AppData\Roaming\Microsoft\Windows\Cookies\Low\thingmy@atdmt[1].txt
C:\Users\thingmy\AppData\Roaming\Microsoft\Windows\Cookies\Low\thingmy@uk.findstuff[1].txt
C:\Users\thingmy\AppData\Roaming\Microsoft\Windows\Cookies\Low\thingmy@imrworldwide[2].txt
C:\Users\thingmy\AppData\Roaming\Microsoft\Windows\Cookies\Low\thingmy@chitika[1].txt
C:\Users\thingmy\AppData\Roaming\Microsoft\Windows\Cookies\Low\thingmy@p.media-servers[2].txt
C:\Users\thingmy\AppData\Roaming\Microsoft\Windows\Cookies\Low\thingmy@ads.widgetbucks[1].txt
C:\Users\thingmy\AppData\Roaming\Microsoft\Windows\Cookies\Low\thingmy@revsci[2].txt
C:\Users\thingmy\AppData\Roaming\Microsoft\Windows\Cookies\Low\thingmy@bridge2.admarketplace[1].txt
C:\Users\thingmy\AppData\Roaming\Microsoft\Windows\Cookies\Low\thingmy@collective-media[2].txt
C:\Users\thingmy\AppData\Roaming\Microsoft\Windows\Cookies\Low\thingmy@virginmedia[1].txt


And finally Malwarebytes again; still not fixed the problem though, things are getting worse, Explorer freezing etc.


Malwarebytes' Anti-Malware 1.34
Database version: 1826
Windows 6.0.6001 Service Pack 1

09/03/2009 21:08:45
mbam-log-2009-03-09 (21-08-45).txt

Scan type: Quick Scan
Objects scanned: 52128
Time elapsed: 2 minute(s), 26 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\System32\gaopdxcounter (Trojan.Agent) -> Quarantined and deleted successfully.

Edited by weeman252, 09 March 2009 - 04:22 PM.



#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,323 posts
  • Gender:Male
  • Location:NJ USA

Posted 09 March 2009 - 04:58 PM

Hi, let's run a rootkit scan.
Before performing an anti-rootkit scan it is recommended to do the following to ensure more accurate results and avoid common issues that may cause false detections.

Disconnect from the Internet or physically unplug your Internet cable connection.
Close all open programs, scheduling/updating tasks and background processes that might activate during the scan, including the screensaver.
Temporarily disable your anti-virus and real-time anti-spyware protection.
After starting the scan, do not use the computer until the scan has completed.
When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.

Please download gmer.zip and save to your desktop.
  • Extract (unzip) the file to its own folder such as C:\Gmer. (Click here for information on how to do this if not sure.)
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with gmer's driver.
  • Click on this link to see a list of programs that should be disabled.
  • Double-click on gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • Do NOT click scan. GMER does an automatic quick scan when run.
  • Click the copy button on the right side of GMER and then paste into your next reply.

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 weeman252

weeman252
  • Topic Starter

  • Members
  • 11 posts

Posted 09 March 2009 - 06:14 PM

Hi, thanks for your response, the gmer log is as follows:

GMER 1.0.15.14878 - http://www.gmer.net
Rootkit scan 2009-03-09 23:09:49
Windows 6.0.6001 Service Pack 1


---- System - GMER 1.0.15 ----

Code 86C03348 ZwEnumerateKey
Code 86B99858 ZwFlushInstructionCache
Code 86B86340 ZwQueryValueKey
Code 85BC1525 IofCallDriver
Code 86B8E2BE IofCompleteRequest

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\Ip ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\Tcp ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\Udp ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\RawIp ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)

---- Services - GMER 1.0.15 ----

Service C:\Windows\system32\drivers\gaopdxdewnwkpiiquksgfyextbpqfthcxysgxe.sys (*** hidden *** ) [SYSTEM] gaopdxserv.sys <-- ROOTKIT !!!

---- EOF - GMER 1.0.15 ----

I note there are AVG entries; I think I followed the instructions to shut down the firewall etc, hope that's ok. Thanks, weeman

#4 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,323 posts
  • Gender:Male
  • Location:NJ USA

Posted 09 March 2009 - 08:26 PM

Good, that was productive. Please rerun MBAM.

Open MBAM in normal mode and click the Update tab, select Check for Updates; when done,
click the Scanner tab, select Quick scan and scan.
After the scan click Remove Selected, post the new scan log and reboot into normal mode.

#5 weeman252

weeman252
  • Topic Starter

  • Members
  • 11 posts

Posted 10 March 2009 - 02:09 PM

Hi, sorry for the delay, I'm on UK time and had to sleep lol. First, a minor point: my comp won't let me update MBAM at all (infected comp), so I've completely isolated it from the net, using another comp. I tried to get round the update by getting MBAM on the working comp and copying the program files across, but I came across a problem: it won't copy mbamext.dll, which I presume is the updated definitions file, perhaps wrongly; it says "the action can't be completed because the file is open in another program" and gives the options try again, skip, cancel. Just thought that may be relevant. Anyway, log is as follows:
Malwarebytes' Anti-Malware 1.34
Database version: 1826
Windows 6.0.6001 Service Pack 1

10/03/2009 19:07:36
mbam-log-2009-03-10 (19-07-36).txt

Scan type: Quick Scan
Objects scanned: 53678
Time elapsed: 2 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\System32\gaopdxcounter (Trojan.Agent) -> Quarantined and deleted successfully.


thanks again

#6 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,323 posts
  • Gender:Male
  • Location:NJ USA

Posted 10 March 2009 - 02:22 PM

Ok, there's no sleeping in malware removal. :thumbsup:
I see it found it, so let's rerun MBAM and select Full scan this time. We'll update later unless it lets you now.
Rerun MBAM

Open MBAM in normal mode and click the Update tab, select Check for Updates; when done,
click the Scanner tab, select FULL scan and scan.
After the scan click Remove Selected, post the new scan log and reboot into normal mode.

Let's scan for rootkits with GMER.
Please download gmer.zip and save to your desktop.
  • Extract (unzip) the file to its own folder such as C:\Gmer. (Click here for information on how to do this if not sure.)
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with gmer's driver.
  • Click on this link to see a list of programs that should be disabled.
  • Double-click on gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • You may be prompted to scan immediately if GMER detects rootkit activity.
  • If you are prompted to scan your system click "Yes" to begin the scan.
  • If not prompted, click the "Rootkit/Malware" tab.
  • On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click the Scan button to begin. (Please be patient as it can take some time to complete)
  • When the scan is finished, click Save to save the scan results to your Desktop.
  • Save the file as gmer.log and copy/paste the contents in your next reply.
  • Exit GMER and re-enable all active protection when done.

Edited by boopme, 10 March 2009 - 02:34 PM.


#7 weeman252

weeman252
  • Topic Starter

  • Members
  • 11 posts

Posted 10 March 2009 - 02:58 PM

Hi, just found your edit when I came to post this MBAM log lol. GMER scan log'll follow in due course. MBAM:

Malwarebytes' Anti-Malware 1.34
Database version: 1826
Windows 6.0.6001 Service Pack 1

10/03/2009 19:52:47
mbam-log-2009-03-10 (19-52-47).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 165172
Time elapsed: 20 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\System32\gaopdxcounter (Trojan.Agent) -> Quarantined and deleted successfully.

#8 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,323 posts
  • Gender:Male
  • Location:NJ USA

Posted 10 March 2009 - 03:04 PM

Ok I remembered I wanted to run it after I replied. Can you update MBAM yet?

#9 weeman252

weeman252
  • Topic Starter

  • Members
  • 11 posts

Posted 10 March 2009 - 03:13 PM

I can't update MBAM yet, no. GMER looks to be finding quite a few gaopdx entries, but I'll post the log when it's done. Thanks for all your help so far.

#10 weeman252

weeman252
  • Topic Starter

  • Members
  • 11 posts

Posted 10 March 2009 - 03:18 PM

GMER Log:

GMER 1.0.15.14878 - http://www.gmer.net
Rootkit scan 2009-03-10 20:16:08
Windows 6.0.6001 Service Pack 1


---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys ZwTerminateProcess [0x8BB0FF20]

Code 86B2F340 ZwEnumerateKey
Code 86B33338 ZwFlushInstructionCache
Code 86B3B300 ZwQueryValueKey
Code 86B353A5 IofCallDriver
Code 86B3A2BE IofCompleteRequest

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!IofCompleteRequest 81A49FE2 5 Bytes JMP 86B3A2C3
.text ntkrnlpa.exe!KeSetTimerEx + 854 81AC8E18 4 Bytes [20, FF, B0, 8B] {AND BH, BH; MOV AL, 0x8b}
.text ntkrnlpa.exe!IofCallDriver 81ACBF6F 5 Bytes JMP 86B353AA
PAGE ntkrnlpa.exe!ZwFlushInstructionCache 81BC230B 1 Byte [E9]
PAGE ntkrnlpa.exe!ZwFlushInstructionCache + 2 81BC230D 3 Bytes JMP 86B3333E
PAGE ntkrnlpa.exe!ZwQueryValueKey 81C15B57 5 Bytes JMP 86B3B304
PAGE ntkrnlpa.exe!ZwEnumerateKey 81C17BB4 5 Bytes JMP 86B2F344

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\Explorer.EXE[1920] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [74C27BA4] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1920] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [74C698C5] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1920] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [74C2D3C8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1920] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [74C1F527] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1920] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [74C27599] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1920] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [74C1E43D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1920] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [74C5B33D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1920] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [74C2D68A] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1920] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [74C2012E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1920] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [74C20095] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1920] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [74C171F3] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1920] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [74CAD802] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1920] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [74C475E1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1920] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [74C1DAE1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1920] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [74C1668F] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1920] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [74C166BA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1920] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [74C21E45] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\Tcp ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\Udp ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\RawIp ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)

---- Services - GMER 1.0.15 ----

Service C:\Windows\system32\drivers\gaopdxdewnwkpiiquksgfyextbpqfthcxysgxe.sys (*** hidden *** ) [SYSTEM] gaopdxserv.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys@imagepath \systemroot\system32\drivers\gaopdxdewnwkpiiquksgfyextbpqfthcxysgxe.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys\modules@gaopdxserv \\?\globalroot\systemroot\system32\drivers\gaopdxdewnwkpiiquksgfyextbpqfthcxysgxe.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys\modules@gaopdxl \\?\globalroot\systemroot\system32\gaopdxcntdrtarkrsknfralckdqbovevymxtwi.dll
Reg HKLM\SYSTEM\ControlSet003\Services\gaopdxserv.sys
Reg HKLM\SYSTEM\ControlSet003\Services\gaopdxserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet003\Services\gaopdxserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet003\Services\gaopdxserv.sys@imagepath \systemroot\system32\drivers\gaopdxdewnwkpiiquksgfyextbpqfthcxysgxe.sys
Reg HKLM\SYSTEM\ControlSet003\Services\gaopdxserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet003\Services\gaopdxserv.sys\modules
Reg HKLM\SYSTEM\ControlSet003\Services\gaopdxserv.sys\modules@gaopdxserv \\?\globalroot\systemroot\system32\drivers\gaopdxdewnwkpiiquksgfyextbpqfthcxysgxe.sys
Reg HKLM\SYSTEM\ControlSet003\Services\gaopdxserv.sys\modules@gaopdxl \\?\globalroot\systemroot\system32\gaopdxcntdrtarkrsknfralckdqbovevymxtwi.dll

---- Files - GMER 1.0.15 ----

File C:\Users\thingmy\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\P9YA0B03\gaopdx-and-gaopdxservsys-and-bleep-pill-extension-ads[1].htm 22408 bytes
File C:\Windows\System32\drivers\gaopdxdewnwkpiiquksgfyextbpqfthcxysgxe.sys 34816 bytes executable <-- ROOTKIT !!!
File C:\Windows\System32\gaopdxcntdrtarkrsknfralckdqbovevymxtwi.dll 10752 bytes executable
File C:\Windows\System32\gaopdxcounter 4 bytes

---- EOF - GMER 1.0.15 ----
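The logs in posts #1 and #10 show the two halves of this infection: MBAM's Trojan.DNSChanger entries record rogue NameServer values written into every ControlSet, while GMER's Services, Registry and Files sections show the hidden gaopdxserv.sys service and the driver it loads, which MBAM's repeated removal of gaopdxcounter never touched. The Python below is an added example, not part of this thread and not code from the MBAM or GMER tools: it parses constructed sample lines written in those two log formats, flags any NameServer IPs outside an assumed allowed resolver range (192.168.0.0/16 here stands in for whatever the user's ISP or router actually hands out), and correlates GMER's hidden service with its registry ImagePath and on-disk file so an operator can see at a glance that the loader was still present after the MBAM cleanups.

```python
import ipaddress
import re

# Constructed sample lines, in the formats MBAM 1.34 and GMER 1.0.15 used in this thread.
SAMPLE_MBAM = r"""
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.184,85.255.112.75 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{98bfe9c0-e16e-4d44-a14e-3bfdec03da2e}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.184,85.255.112.75 -> Quarantined and deleted successfully.

Files Infected:
C:\Windows\System32\gaopdxcounter (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Users\thingmy\Desktop\services.gif (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
"""

SAMPLE_GMER = r"""
---- Services - GMER 1.0.15 ----

Service C:\Windows\system32\drivers\gaopdxdewnwkpiiquksgfyextbpqfthcxysgxe.sys (*** hidden *** ) [SYSTEM] gaopdxserv.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys@imagepath \systemroot\system32\drivers\gaopdxdewnwkpiiquksgfyextbpqfthcxysgxe.sys

---- Files - GMER 1.0.15 ----

File C:\Users\thingmy\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\P9YA0B03\gaopdx-and-gaopdxservsys-and-bleep-pill-extension-ads[1].htm 22408 bytes
File C:\Windows\System32\drivers\gaopdxdewnwkpiiquksgfyextbpqfthcxysgxe.sys 34816 bytes executable <-- ROOTKIT !!!
File C:\Windows\System32\gaopdxcounter 4 bytes
"""

# One pattern per log line shape we care about.
MBAM_DATA_RE = re.compile(r"^(?P<key>HKEY_\S+) \((?P<detection>[^)]+)\) -> Data: (?P<data>\S+) -> (?P<action>.+)$")
MBAM_FILE_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) \((?P<detection>[^)]+)\) -> (?P<action>.+)$")
GMER_SERVICE_RE = re.compile(r"^Service (?P<image>\S+) \((?P<flags>[^)]*)\) \[(?P<start>[^\]]+)\] (?P<name>\S+)(?P<tail>.*)$")
GMER_REG_RE = re.compile(r"^Reg (?P<key>\S+?)(?:@(?P<value>\S+))?(?: (?P<data>.+))?$")
GMER_FILE_RE = re.compile(r"^File (?P<path>.+?) (?P<size>\d+) bytes(?P<tail>.*)$")


def parse_mbam(text):
    """Collect registry data items (e.g. DNSChanger NameServer rewrites) and infected files."""
    findings = {"registry_data": [], "files": []}
    for line in text.splitlines():
        line = line.strip()
        if m := MBAM_DATA_RE.match(line):
            findings["registry_data"].append(m.groupdict())
        elif m := MBAM_FILE_RE.match(line):
            findings["files"].append(m.groupdict())
    return findings


def parse_gmer(text):
    """Collect services (with their hidden flag), registry entries and files from a GMER log."""
    findings = {"services": [], "registry": [], "files": []}
    for line in text.splitlines():
        line = line.rstrip()
        if m := GMER_SERVICE_RE.match(line):
            svc = m.groupdict()
            svc["hidden"] = "hidden" in svc["flags"]   # GMER marks these "(*** hidden *** )"
            findings["services"].append(svc)
        elif m := GMER_REG_RE.match(line):
            findings["registry"].append(m.groupdict())
        elif m := GMER_FILE_RE.match(line):
            f = m.groupdict()
            f["size"] = int(f["size"])
            f["flagged"] = "ROOTKIT" in f["tail"]
            findings["files"].append(f)
    return findings


def rogue_resolvers(mbam_findings, allowed_networks):
    """IPs written into any NameServer value that lie outside the allowed resolver networks."""
    allowed = [ipaddress.ip_network(n) for n in allowed_networks]
    rogue = set()
    for item in mbam_findings["registry_data"]:
        if not item["key"].endswith("\\NameServer"):
            continue
        for token in re.split(r"[,\s]+", item["data"]):
            try:
                ip = ipaddress.ip_address(token)
            except ValueError:
                continue  # not an IP literal; ignore
            if not any(ip in net for net in allowed):
                rogue.add(str(ip))
    return sorted(rogue)


def correlate(mbam_findings, gmer_findings):
    """For each hidden service, tie it to its registry ImagePath and on-disk driver, and note
    whether MBAM's removals ever touched that driver (in this thread they did not)."""
    report = []
    for svc in gmer_findings["services"]:
        if not svc["hidden"]:
            continue
        image_name = svc["image"].split("\\")[-1].lower()
        image_paths = {r["data"] for r in gmer_findings["registry"]
                       if r.get("value") == "imagepath" and svc["name"] in r["key"]}
        on_disk = [f for f in gmer_findings["files"] if f["path"].lower().endswith(image_name)]
        report.append({
            "service": svc["name"],
            "image": svc["image"],
            "registry_imagepath": sorted(image_paths),
            "file_sizes": [f["size"] for f in on_disk],
            "removed_by_mbam": any(f["path"].lower() == svc["image"].lower()
                                   for f in mbam_findings["files"]),
        })
    return report


if __name__ == "__main__":
    mbam = parse_mbam(SAMPLE_MBAM)
    gmer = parse_gmer(SAMPLE_GMER)
    # Assumed allowlist: replace with the resolvers your ISP/router really uses.
    print("rogue resolvers:", rogue_resolvers(mbam, ["192.168.0.0/16"]))
    for entry in correlate(mbam, gmer):
        print(entry)
```

Run against the real logs (read from the saved mbam-log and gmer.log files instead of the constructed samples), the same two checks give the operator something MBAM's summary counts do not: the DNS servers the victim was actually being sent to, and proof that the hidden driver was still on disk and still registered as a boot-time service even after the "Files Infected: 1" cleanups.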

#11 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,323 posts
  • Gender:Male
  • Location:NJ USA

Posted 10 March 2009 - 04:06 PM

This looks much better. Hopefully we can update and run MBAM now.

#12 weeman252

weeman252
  • Topic Starter

  • Members
  • 11 posts

Posted 10 March 2009 - 04:10 PM

Sorry if this is a silly question, but did GMER do anything? I thought it was just a scan; trying to learn as I go here, sorry. MBAM still won't update either.

Edited by weeman252, 10 March 2009 - 04:18 PM.


#13 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,323 posts
  • Gender:Male
  • Location:NJ USA

Posted 10 March 2009 - 06:25 PM

When GMER detects a hidden service, click "Delete the service" and answer YES to all questions.
See http://www.gmer.net/faq.php

Your rootkit from your log.
File C:\Windows\System32\drivers\gaopdxdewnwkpiiquksgfyextbpqfthcxysgxe.sys 34816 bytes executable <-- ROOTKIT !!!

#14 gdfather13

gdfather13

  • Members
  • 1 posts

Posted 10 March 2009 - 11:59 PM

I've got what appears to be the same problem on my computer. I'm following your steps but have a question. Should the other gaopdx files and registry keys be deleted as well? Or just the hidden sys files?

#15 weeman252

weeman252
  • Topic Starter

  • Members
  • 11 posts

Posted 11 March 2009 - 06:17 AM

Hi, I don't think you can delete the other files in GMER; it doesn't let you, or at least it didn't let me. I got rid of the system file first, perhaps wrongly, then went for the file "File C:\Windows\System32\drivers\gaopdxdewnwkpiiquksgfyextbpqfthcxysgxe.sys 34816 bytes executable" to delete it, but it said it couldn't find it after I'd got rid of the service. And now I can update everything, so I presume it has worked. Running a full MBAM scan now, will post the log soon.



