
Just followed instructions. I'm the one who thinks I have the conficker worm......


This topic is locked
16 replies to this topic

#1 jmccracky


Posted 07 April 2009 - 01:15 PM

I've been trying to remove gaopdxcounter.




Here are my DDS results-


DDS (Ver_09-03-16.01) - NTFSx86
Run by ccw llama at 14:03:12.46 on Tue 04/07/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.124 [GMT -4:00]

AV: Norton Internet Security Online *On-access scanning enabled* (Updated)
FW: Norton Internet Security Online *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Electronic Arts\EADM\Core.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\sistray.exe
C:\Program Files\TRENDnet\TEW-424UB\WlanCU.exe
C:\Program Files\Secunia\PSI\psi.exe
C:\WINDOWS\system32\ntvdm.exe
C:\PROGRA~1\MALWAR~1\MYSCAN.COM
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\ccw llama\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = www.yahoo.com/
uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
mDefault_Search_URL =
mSearch Page =
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyServer = http=192.168.0.1:87
uInternet Settings,ProxyOverride = 192.168.0.1;direcwaysupport.com
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
mSearchAssistant =
uURLSearchHooks: H - No File
uWinlogon: Shell=c:\program files\privacy center\pc.exe
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\spybot~1\SDHelper.dll
BHO: NCO 2.0 IE BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\common files\symantec shared\coshared\browser\2.0\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\progra~1\common~1\symant~1\ids\IPSBHO.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Show Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\common files\symantec shared\coshared\browser\2.0\CoIEPlg.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {5854FAC4-5BF0-47DD-B5A9-A5EA8CFF3CF4} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
uRun: [Auto EPSON Stylus Photo RX580 Series on JUDE] c:\windows\system32\spool\drivers\w32x86\3\e_fatibpa.exe /fu "c:\windows\temp\E_S4F4.tmp" /EF "HKCU"
uRun: [MySpaceIM] c:\program files\myspace\im\MySpaceIM.exe
uRun: [Yahoo! Pager] "c:\progra~1\yahoo!\messen~1\YAHOOM~1.EXE" -quiet
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [EA Core] c:\program files\electronic arts\eadm\Core.exe -silent
uRun: [DriverCure] c:\program files\paretologic\drivercure\DriverCure.exe -scan
mRun: [Auto EPSON Stylus Photo R340 Series on JUDE] c:\windows\system32\spool\drivers\w32x86\3\e_fatiaja.exe /p43 "auto epson stylus photo r340 series on jude" /o15 "\\jude\EPSONSty" /M "Stylus Photo R340"
mRun: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [USRpdA]
mRun: [3c1807pd]
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [osCheck] "c:\program files\norton internet security\osCheck.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [\JUDE\EPSON Stylus Photo R340 Series] c:\windows\system32\spool\drivers\w32x86\3\e_fatiaja.exe /p37 "\\jude\EPSON Stylus Photo R340 Series" /O6 "USB002" /M "Stylus Photo R340"
mRun: [SunJavaUpdateSched] c:\program files\java\jre6\bin\jusched.exe
mRunOnce: [Malwarebytes Anti-Malware (reboot)] "c:\progra~1\malwar~1\MYSCAN.exe" /runcleanupscript
dRun: [MySpaceIM] c:\program files\myspace\im\MySpaceIM.exe
StartupFolder: c:\docume~1\ccwlla~1\startm~1\programs\startup\secuni~1.lnk - c:\program files\secunia\psi\psi.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\utilit~1.lnk - c:\windows\system32\sistray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wirele~1.lnk - c:\program files\trendnet\tew-424ub\WlanCU.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\spybot~1\SDHelper.dll
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1165810389140
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1205683832618
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\ccwlla~1\applic~1\mozilla\firefox\profiles\202ebffw.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
FF - component: c:\documents and settings\ccw llama\application data\mozilla\firefox\profiles\202ebffw.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\bdqscan.dll
FF - component: c:\program files\mozilla firefox\components\coFFPlgn.dll
FF - plugin: c:\documents and settings\ccw llama\application data\mozilla\firefox\profiles\202ebffw.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2008-9-3 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-9-3 55024]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\CCSVCHST.EXE [2007-12-6 149352]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\CCSVCHST.EXE [2007-12-6 149352]
R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\common files\symantec shared\CCSVCHST.EXE [2007-12-6 149352]
R2 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2008-11-24 29263712]
R2 SBKUPNT;SBKUPNT;c:\windows\system32\drivers\SBKUPNT.SYS [2008-2-1 14976]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-2-25 101936]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2008-9-3 38496]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090407.003\NAVENG.SYS [2009-4-7 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090407.003\NAVEX15.SYS [2009-4-7 876144]
R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2009-3-24 7808]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2007-12-6 23888]
S3 libusb0;LibUsb-Win32 - Kernel Driver 11/20/2005, 20051120;c:\windows\system32\drivers\libusb0.sys [2007-12-25 29184]
S3 RTL8187B;TRENDnet TEW-424UB Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187B.sys [2007-12-14 189312]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-9-3 7408]
S3 Symantec Core LC;Symantec Core LC;c:\progra~1\common~1\symant~1\ccpd-lc\symlcsvc.exe [2008-5-17 1251720]

============== File Associations ===============

regfile=regedit.exe "%1" %*

=============== Created Last 30 ================

2009-04-07 13:26 61,440 a------- c:\windows\system32\drivers\puoab.sys
2009-04-05 17:54 <DIR> --d----- c:\program files\Secunia
2009-04-05 17:31 410,984 a------- c:\windows\system32\deploytk.dll
2009-04-05 17:31 73,728 a------- c:\windows\system32\javacpl.cpl
2009-04-05 16:51 <DIR> --d----- c:\program files\Enigma Software Group
2009-04-02 15:11 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-04-02 10:54 1,089,593 -c------ c:\windows\system32\dllcache\ntprint.cat
2009-04-01 18:39 <DIR> --d----- c:\docume~1\ccwlla~1\applic~1\QuickScan
2009-04-01 17:57 <DIR> --d----- c:\windows\system32\XPSViewer
2009-04-01 17:55 597,504 -c------ c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-04-01 17:55 89,088 -c------ c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-04-01 17:55 117,760 -------- c:\windows\system32\prntvpt.dll
2009-04-01 17:55 1,676,288 -c------ c:\windows\system32\dllcache\xpssvcs.dll
2009-04-01 17:55 575,488 -c------ c:\windows\system32\dllcache\xpsshhdr.dll
2009-04-01 17:55 1,676,288 -------- c:\windows\system32\xpssvcs.dll
2009-04-01 17:55 575,488 -------- c:\windows\system32\xpsshhdr.dll
2009-04-01 17:55 <DIR> --d----- C:\74adf8c040b5b3b7f90cde4acf
2009-03-24 07:03 7,808 a------- c:\windows\system32\drivers\psi_mf.sys

==================== Find3M ====================

2009-04-06 15:40 6,064 a------- c:\windows\prefetch\myscan.com
2009-04-06 15:32 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 15:32 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-19 14:11 34 a------- c:\documents and settings\ccw llama\jagex_runescape_preferences.dat
2009-02-19 13:03 579,464 a------- c:\windows\system32\SymNeti.dll
2009-02-19 13:03 207,240 a------- c:\windows\system32\SymRedir.dll
2009-02-19 12:31 31,280 a------- c:\windows\system32\drivers\SymIM.sys
2009-02-19 12:31 9,844 a------- c:\windows\system32\drivers\SymRedir.cat
2009-02-19 12:31 1,611 a------- c:\windows\system32\drivers\SymRedir.inf
2009-02-19 12:31 41,008 a------- c:\windows\system32\drivers\symndisv.sys
2009-02-19 12:31 184,496 a------- c:\windows\system32\drivers\symtdi.sys
2009-02-19 12:31 96,560 a------- c:\windows\system32\drivers\symfw.sys
2009-02-19 12:31 38,576 a------- c:\windows\system32\drivers\symids.sys
2009-02-19 12:31 37,424 a------- c:\windows\system32\drivers\symndis.sys
2009-02-19 12:31 22,320 a------- c:\windows\system32\drivers\symredrv.sys
2009-02-19 12:31 13,616 a------- c:\windows\system32\drivers\symdns.sys
2009-02-10 17:10 124,464 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2009-02-10 17:10 60,808 a------- c:\windows\system32\S32EVNT1.DLL
2009-02-10 17:10 10,635 a------- c:\windows\system32\drivers\SYMEVENT.CAT
2009-02-10 17:10 806 a------- c:\windows\system32\drivers\SYMEVENT.INF
2009-02-09 07:13 1,846,784 -------- c:\windows\system32\win32k.sys
2009-02-06 20:03 307,576 a------- c:\windows\WLXPGSS.SCR
2009-02-06 19:52 49,504 a------- c:\windows\system32\sirenacm.dll


#2 Jat90


Posted 07 April 2009 - 02:23 PM

Hello, jmccracky

Welcome to the Bleeping Computer Forums. My name is Jat, and I will be helping you with your situation.

If you do not make a reply in 5 days, we will have to close your topic.


You may want to keep the link to this topic in your favourites. Alternatively, you can click the Posted Image button at the top bar of this topic and Track this Topic. The topics you are tracking can be found here.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools. Doing so could cause changes to the directions I have to give you and prolong the time required. Furthermore, you should not be taking any advice relating to this computer from any other source throughout the course of this fix.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Please reply using the Posted Image button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just post back here so that we know you're still here.


I see a few instances of the Rogue Program, Privacy Center. Please do the following:

MBAM

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless of whether you are prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.

Gmer

Please download gmer.zip and save to your desktop.
  • Extract (unzip) the file to its own folder such as C:\Gmer. (Click here for information on how to do this if not sure.)
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with gmer's driver.
  • Click on this link to see a list of programs that should be disabled.
  • Double-click on gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • You may be prompted to scan immediately if GMER detects rootkit activity.
  • If you are prompted to scan your system click "Yes" to begin the scan.
  • If not prompted, click the "Rootkit/Malware" tab.
  • On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click the Scan button to begin. (Please be patient as it can take some time to complete)
  • When the scan is finished, click Save to save the scan results to your Desktop.
  • Save the file as gmer.log and copy/paste the contents in your next reply.
  • Exit GMER and re-enable all active protection when done.
ReScan

Please rescan with DDS and post DDS.txt


In your next reply, please post:
  • MBAM log
  • Gmer log
  • DDS log

- Jat90 -

If I have not responded to you within 24 hours, then please feel free to send me a message.


#3 jmccracky


Posted 07 April 2009 - 05:42 PM

Ok, did the mbam scan again. Rebooted, scanned one more time. The infection showed back up.

MBAM Log-

Malwarebytes' Anti-Malware 1.36
Database version: 1949
Windows 5.1.2600 Service Pack 3

4/7/2009 3:54:28 PM
mbam-log-2009-04-07 (15-54-28).txt

Scan type: Quick Scan
Objects scanned: 91426
Time elapsed: 7 minute(s), 25 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\gaopdxcounter (Trojan.Agent) -> Quarantined and deleted successfully.




gmer log-

GMER 1.0.15.14966 - http://www.gmer.net
Rootkit scan 2009-04-07 18:35:07
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT 8239A3F0 ZwAlertResumeThread
SSDT 8239A4B0 ZwAlertThread
SSDT 823854A0 ZwAllocateVirtualMemory
SSDT 823670C0 ZwConnectPort
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xF77F2020]
SSDT 8239ACF0 ZwCreateMutant
SSDT 82366DD8 ZwCreateThread
SSDT 82350720 ZwDebugActiveProcess
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteKey [0xF77F22A0]
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xF77F2800]
SSDT 82385880 ZwFreeVirtualMemory
SSDT 8239A818 ZwImpersonateAnonymousToken
SSDT 8239A8D8 ZwImpersonateThread
SSDT 82385D20 ZwMapViewOfSection
SSDT 8239AC30 ZwOpenEvent
SSDT 8234DE78 ZwOpenProcessToken
SSDT 82350258 ZwOpenSection
SSDT 82337600 ZwOpenThreadToken
SSDT 82341350 ZwResumeThread
SSDT 823857C0 ZwSetContextThread
SSDT 823376D0 ZwSetInformationProcess
SSDT 82337A30 ZwSetInformationThread
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xF77F2A50]
SSDT 82350318 ZwSuspendProcess
SSDT 82337D70 ZwSuspendThread
SSDT 82346E28 ZwTerminateProcess
SSDT 823379B0 ZwTerminateThread
SSDT 82385398 ZwUnmapViewOfSection
SSDT 823853D0 ZwWriteVirtualMemory

Code 82373290 ZwEnumerateKey
Code 82324838 ZwFlushInstructionCache
Code 823A7286 IofCallDriver
Code 8234E10E IofCompleteRequest

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!_abnormal_termination + 238 804E2894 1 Byte [78]
.text ntoskrnl.exe!IofCallDriver 804E37C5 5 Bytes JMP 823A728B
.text ntoskrnl.exe!IofCompleteRequest 804E3BF6 5 Bytes JMP 8234E113
PAGE ntoskrnl.exe!ZwEnumerateKey 80570D64 5 Bytes JMP 82373294
PAGE ntoskrnl.exe!ZwFlushInstructionCache 80577693 5 Bytes JMP 8232483C
? puoab.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Mozilla Firefox\firefox.exe[2400] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00A3000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[2400] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00A6000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[2400] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00A4000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[2400] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00A5000A

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs sisidex.sys (SISIDEX Driver/Windows 2000 DDK provider)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat sisidex.sys (SISIDEX Driver/Windows 2000 DDK provider)

---- Modules - GMER 1.0.15 ----

Module \systemroot\system32\drivers\gaopdxkmtquluykdtgbqdoipimvpeejitcyqcn.sys (*** hidden *** ) F87D3000-F87E0000 (53248 bytes)

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\gaopdxkmtquluykdtgbqdoipimvpeejitcyqcn.sys (*** hidden *** ) [SYSTEM] gaopdxserv.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\gaopdxserv.sys
Reg HKLM\SYSTEM\ControlSet001\Services\gaopdxserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet001\Services\gaopdxserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet001\Services\gaopdxserv.sys@imagepath \systemroot\system32\drivers\gaopdxkmtquluykdtgbqdoipimvpeejitcyqcn.sys
Reg HKLM\SYSTEM\ControlSet001\Services\gaopdxserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet001\Services\gaopdxserv.sys\modules
Reg HKLM\SYSTEM\ControlSet001\Services\gaopdxserv.sys\modules@gaopdxserv \\?\globalroot\systemroot\system32\drivers\gaopdxkmtquluykdtgbqdoipimvpeejitcyqcn.sys
Reg HKLM\SYSTEM\ControlSet001\Services\gaopdxserv.sys\modules@gaopdxl \\?\globalroot\systemroot\system32\gaopdxlxiteiwkjdumkutadggwevhlornqxqpr.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys@imagepath \systemroot\system32\drivers\gaopdxkmtquluykdtgbqdoipimvpeejitcyqcn.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys\modules@gaopdxserv \\?\globalroot\systemroot\system32\drivers\gaopdxkmtquluykdtgbqdoipimvpeejitcyqcn.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys\modules@gaopdxl \\?\globalroot\systemroot\system32\gaopdxlxiteiwkjdumkutadggwevhlornqxqpr.dll
Reg HKLM\SYSTEM\ControlSet003\Services\gaopdxserv.sys
Reg HKLM\SYSTEM\ControlSet003\Services\gaopdxserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet003\Services\gaopdxserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet003\Services\gaopdxserv.sys@imagepath \systemroot\system32\drivers\gaopdxkmtquluykdtgbqdoipimvpeejitcyqcn.sys
Reg HKLM\SYSTEM\ControlSet003\Services\gaopdxserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet003\Services\gaopdxserv.sys\modules
Reg HKLM\SYSTEM\ControlSet003\Services\gaopdxserv.sys\modules@gaopdxserv \\?\globalroot\systemroot\system32\drivers\gaopdxkmtquluykdtgbqdoipimvpeejitcyqcn.sys
Reg HKLM\SYSTEM\ControlSet003\Services\gaopdxserv.sys\modules@gaopdxl \\?\globalroot\systemroot\system32\gaopdxlxiteiwkjdumkutadggwevhlornqxqpr.dll
Reg HKLM\SYSTEM\ControlSet004\Services\gaopdxserv.sys
Reg HKLM\SYSTEM\ControlSet004\Services\gaopdxserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet004\Services\gaopdxserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet004\Services\gaopdxserv.sys@imagepath \systemroot\system32\drivers\gaopdxkmtquluykdtgbqdoipimvpeejitcyqcn.sys
Reg HKLM\SYSTEM\ControlSet004\Services\gaopdxserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet004\Services\gaopdxserv.sys\modules
Reg HKLM\SYSTEM\ControlSet004\Services\gaopdxserv.sys\modules@gaopdxserv \\?\globalroot\systemroot\system32\drivers\gaopdxkmtquluykdtgbqdoipimvpeejitcyqcn.sys
Reg HKLM\SYSTEM\ControlSet004\Services\gaopdxserv.sys\modules@gaopdxl \\?\globalroot\systemroot\system32\gaopdxlxiteiwkjdumkutadggwevhlornqxqpr.dll

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\gaopdxkmtquluykdtgbqdoipimvpeejitcyqcn.sys 36864 bytes executable <-- ROOTKIT !!!
File C:\WINDOWS\system32\drivers\gaopdxocvablkkjgvqunwyertfmhctrhnhdcuh.sys 34816 bytes executable
File C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl (size mismatch) 8192/4096 bytes
File C:\WINDOWS\system32\gaopdxlxiteiwkjdumkutadggwevhlornqxqpr.dll


(That doesn't look good) :thumbup2:

Dds log-

Attached Files


Edited by jmccracky, 07 April 2009 - 05:54 PM.
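As an added example (my own triage script, not part of this thread and not a GMER or Malwarebytes tool): a small Python parser for the GMER log format shown in the post above. It pulls out the hidden module, the hidden service and that service's registry persistence entries from every control set, then checks that they all name the same driver on disk; the embedded log is a trimmed copy constructed from the entries in this post.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: a trimmed GMER 1.0.15 log built from the entries posted in this thread.
SAMPLE_GMER_LOG = r"""GMER 1.0.15.14966 - http://www.gmer.net

---- Modules - GMER 1.0.15 ----

Module \systemroot\system32\drivers\gaopdxkmtquluykdtgbqdoipimvpeejitcyqcn.sys (*** hidden *** ) F87D3000-F87E0000 (53248 bytes)

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\gaopdxkmtquluykdtgbqdoipimvpeejitcyqcn.sys (*** hidden *** ) [SYSTEM] gaopdxserv.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\gaopdxserv.sys
Reg HKLM\SYSTEM\ControlSet001\Services\gaopdxserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet001\Services\gaopdxserv.sys@imagepath \systemroot\system32\drivers\gaopdxkmtquluykdtgbqdoipimvpeejitcyqcn.sys
Reg HKLM\SYSTEM\ControlSet001\Services\gaopdxserv.sys\modules@gaopdxl \\?\globalroot\systemroot\system32\gaopdxlxiteiwkjdumkutadggwevhlornqxqpr.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys@imagepath \systemroot\system32\drivers\gaopdxkmtquluykdtgbqdoipimvpeejitcyqcn.sys

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\gaopdxkmtquluykdtgbqdoipimvpeejitcyqcn.sys 36864 bytes executable <-- ROOTKIT !!!
File C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl (size mismatch) 8192/4096 bytes
"""

SECTION_RE = re.compile(r"^---- (.+?) - GMER [\d.]+ ----$")
MODULE_RE = re.compile(r"^Module (\S+) \(\*\*\* hidden \*\*\* \)")
SERVICE_RE = re.compile(r"^Service (\S+) \(\*\*\* hidden \*\*\* \) \[(\w+)\] (\S+)")
# control set, service key, optional subkey chain, optional @value and its data
REG_RE = re.compile(r"^Reg HKLM\\SYSTEM\\(\w+)\\Services\\([^\\@\s]+)((?:\\[^\\@\s]+)*)(?:@(\S+)(?: (.*))?)?$")
FILE_RE = re.compile(r"^File (.+?) (\d+) bytes executable <-- ROOTKIT")
MISMATCH_RE = re.compile(r"^File (.+?) \(size mismatch\) (\d+)/(\d+) bytes$")

def normalize_path(path, windir=r"C:\WINDOWS"):
    """Map the kernel-style prefixes GMER prints onto the Win32 path and lower-case it,
    so the Modules, Services and Registry sections can be compared for the same driver."""
    p = path.lower()
    for prefix in (r"\\?\globalroot\systemroot", r"\systemroot"):
        if p.startswith(prefix):
            return (windir + p[len(prefix):]).lower()
    return p

@dataclass
class GmerTriage:
    hidden_modules: list = field(default_factory=list)   # normalized driver paths
    hidden_services: dict = field(default_factory=dict)  # service name -> (driver path, account)
    registry: dict = field(default_factory=dict)         # service -> {control set -> {subkey@value: data}}
    rootkit_files: dict = field(default_factory=dict)    # normalized path -> size on disk
    size_mismatches: list = field(default_factory=list)  # (path, size via API, size via raw read)

def parse_gmer_log(text):
    """Walk the log section by section and keep only the hidden/flagged entries."""
    t, section = GmerTriage(), None
    for line in (ln.strip() for ln in text.splitlines()):
        if m := SECTION_RE.match(line):
            section = m.group(1)
        elif section == "Modules" and (m := MODULE_RE.match(line)):
            t.hidden_modules.append(normalize_path(m.group(1)))
        elif section == "Services" and (m := SERVICE_RE.match(line)):
            t.hidden_services[m.group(3)] = (normalize_path(m.group(1)), m.group(2))
        elif section == "Registry" and (m := REG_RE.match(line)):
            cs, svc, subkeys, value, data = m.groups()
            values = t.registry.setdefault(svc, {}).setdefault(cs, {})
            if value is not None:
                values[subkeys.lstrip("\\") + "@" + value] = data
        elif section == "Files" and (m := FILE_RE.match(line)):
            t.rootkit_files[normalize_path(m.group(1))] = int(m.group(2))
        elif section == "Files" and (m := MISMATCH_RE.match(line)):
            t.size_mismatches.append((m.group(1), int(m.group(2)), int(m.group(3))))
    return t

def correlate(t):
    """For each hidden service: which control sets carry its key, whether every ImagePath
    names the hidden driver seen in memory, and which companion modules it registers."""
    findings = []
    for svc, (driver, account) in t.hidden_services.items():
        per_cs = t.registry.get(svc, {})
        image_paths = {normalize_path(v["@imagepath"]) for v in per_cs.values() if "@imagepath" in v}
        companions = {normalize_path(d) for v in per_cs.values()
                      for k, d in v.items() if k.startswith("modules@")}
        findings.append({
            "service": svc,
            "driver": driver,
            "account": account,
            "control_sets": sorted(per_cs),
            "loaded_hidden": driver in t.hidden_modules,        # Modules section agrees
            "registry_points_to_driver": bool(image_paths) and image_paths == {driver},
            "companion_modules": sorted(companions),
            "on_disk_bytes": t.rootkit_files.get(driver),       # None if the file is not flagged
        })
    return findings
```

Run `correlate(parse_gmer_log(open("gmer.log").read()))` on a full log to get one finding per hidden service; a driver that is loaded hidden, registered under several control sets and flagged on disk is the persistence Jat90 refers to when he says GMER shows where the rootkit is hiding.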


#4 Jat90


Posted 07 April 2009 - 05:53 PM

Hello,

I asked you to run MBAM once more to clear all other infections and to confirm that this rootkit was indeed present. Gmer has shown me exactly where it is hiding. Although I must warn you:

Rootkit Warning

Rootkits are very dangerous because they compromise system integrity by making changes that allow it to be used by the attacker for malicious purposes. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. Remote attackers use backdoors as a means of accessing and taking control of a computer that bypasses security mechanisms. This type of exploit allows them to steal sensitive information like passwords, personal and financial data which is sent back to the hacker. To learn more about these types of infections, you can refer to:

If your computer was used for online banking, has credit card information or other sensitive data on it, all passwords should be changed immediately to include those used for banking, email, eBay, PayPal and online forums. You should consider them to be compromised. They should be changed using a clean computer and not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control again. Credit card institutions should be notified of the possible security breach. Because your computer was compromised please read:

Although the rootkit was identified and removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because this malware has been removed the computer is now secure. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

Please let me know what you decide to do.

Edited by Jat90, 07 April 2009 - 05:54 PM.

- Jat90 -

If I have not responded to you within 24 hours, then please feel free to send me a message.


#5 jmccracky


Posted 07 April 2009 - 06:09 PM

I'd like to try to get rid of it, if at all possible. My friend is in California for two weeks visiting with his wife's family (I'm in Ohio). I asked him to mail me my Windows XP reformat disc when he gets back. But that will be an additional week on top of the two weeks. My family doesn't pay bills online, so we have no credit card info floating out there. However, I have friends that have used my computer on SEVERAL occasions to make purchases online. They come over a lot to use my internet service and computer because mine is "faster". I guess I should put a stop to that, because I never had any problems until I decided to be so kind.

What do you think? I need the computer for research purposes and school work that I just started. I can't go 3 weeks without a computer. Hmmmmmm......again thanks for your help. You guys are cool and patient, and I appreciate everything!

#6 Jat90


Posted 07 April 2009 - 06:18 PM

Hello,

This rootkit can be killed and your computer will run like normal but it will be compromised. If you do not intend to use it for any monetary transactions then it won't be too bad, just remember in the future if you do not reinstall, that your pc is not safe for making any online purchases or banking. You should alert all who have used your computer for financial purposes about the situation and tell them to change all their passwords and contact their banks about their situation.

It's up to you really.

#7 jmccracky


Posted 07 April 2009 - 06:25 PM

Hello,

This rootkit can be killed and your computer will run like normal but it will be compromised. If you do not intend to use it for any monetary transactions then it won't be too bad, just remember in the future if you do not reinstall, that your pc is not safe for making any online purchases or banking. You should alert all who have used your computer for financial purposes about the situation and tell them to change all their passwords and contact their banks about their situation.

It's up to you really.



Ok, I'd like to kill it now, and I will inform the others. I don't use the computer for paying bills or ordering things. I will however reformat when I get my disc back. I've read all of the tutorials on here on how to reformat, and it sounds really simple.

#8 Jat90


Posted 07 April 2009 - 06:38 PM

Hello,

Ok, first I want to see if we can unload the driver successfully before deleting the subsequent registry entries and files.

The Avenger

Download The Avenger by Swandog46 from here.
  • Unzip/extract it to a folder on your desktop.
  • Double click on avenger.exe to run The Avenger.
  • Click OK.
  • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
  • Copy all of the text in the below code box to the clipboard by highlighting it and then pressing Ctrl+C.
    drivers to disable:
    gaopdxserv.sys
  • In the avenger window, click the Paste Script from Clipboard button.
  • Click the Execute button.
  • You will be asked Are you sure you want to execute the current script?.
  • Click Yes.
  • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
  • Click Yes.
  • Your PC will now be rebooted.
  • Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
  • After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt).
  • Please post this log in your next reply.

Edited by Jat90, 07 April 2009 - 06:40 PM.


#9 jmccracky


Posted 07 April 2009 - 06:55 PM

Ok, here is the avenger log-

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

Hidden driver "gaopdxserv.sys" found!
ImagePath: \systemroot\system32\drivers\gaopdxkmtquluykdtgbqdoipimvpeejitcyqcn.sys
Start Type: 4 (Disabled)

Rootkit scan completed.

Driver "gaopdxserv.sys" disabled successfully.

Completed script processing.

#10 Jat90


Posted 07 April 2009 - 07:08 PM

Good, it is disabled, now lets remove it.

The Avenger
  • Double click on avenger.exe to run The Avenger.
  • Click OK.
  • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
  • Copy all of the text in the below code box to the clipboard by highlighting it and then pressing Ctrl+C.
    Drivers to delete:
    gaopdxserv.sys
    
    Files to delete:
    C:\WINDOWS\system32\drivers\gaopdxkmtquluykdtgbqdoipimvpeejitcyqcn.sys
    C:\WINDOWS\system32\drivers\gaopdxocvablkkjgvqunwyertfmhctrhnhdcuh.sys
    C:\WINDOWS\system32\gaopdxlxiteiwkjdumkutadggwevhlornqxqpr.dll 
    
    Registry keys to delete:
    HKLM\SYSTEM\ControlSet001\Services\gaopdxserv.sys
    HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys
    HKLM\SYSTEM\ControlSet003\Services\gaopdxserv.sys
    HKLM\SYSTEM\ControlSet004\Services\gaopdxserv.sys
  • In the avenger window, click the Paste Script from Clipboard button.
  • Click the Execute button.
  • You will be asked Are you sure you want to execute the current script?.
  • Click Yes.
  • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
  • Click Yes.
  • Your PC will now be rebooted.
  • Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
  • After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt).
  • Please post this log in your next reply.


#11 jmccracky


Posted 07 April 2009 - 07:35 PM

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Driver "gaopdxserv.sys" deleted successfully.
File "C:\WINDOWS\system32\drivers\gaopdxkmtquluykdtgbqdoipimvpeejitcyqcn.sys" deleted successfully.
File "C:\WINDOWS\system32\drivers\gaopdxocvablkkjgvqunwyertfmhctrhnhdcuh.sys" deleted successfully.
File "C:\WINDOWS\system32\gaopdxlxiteiwkjdumkutadggwevhlornqxqpr.dll" deleted successfully.
Registry key "HKLM\SYSTEM\ControlSet001\Services\gaopdxserv.sys" deleted successfully.

Error: registry key "HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys" not found!
Deletion of registry key "HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Registry key "HKLM\SYSTEM\ControlSet003\Services\gaopdxserv.sys" deleted successfully.
Registry key "HKLM\SYSTEM\ControlSet004\Services\gaopdxserv.sys" deleted successfully.

Completed script processing.

#12 Jat90


Posted 07 April 2009 - 07:44 PM

Hello,

You will be glad to see that you will no longer get that persistent infection appearing in MBAM.

I just want to check that nothing else malicious is on your pc.

ESET Online Scan

Please go to Eset website to perform an online scan. Please use Internet Explorer as it uses ActiveX.
  • Check (tick) this box: YES, I accept the Terms of Use.
  • Click on the Start button next to it.
  • When prompted to run ActiveX, click Yes.
  • You will be asked to install an ActiveX. Click Install.
  • Once installed, the scanner will be initialized.
  • After the scanner is initialized, click Start.
  • Uncheck (untick) Remove found threats box.
  • Check (tick) Scan unwanted applications.
  • Click on Scan.
  • It will start scanning. Please be patient.
  • Once the scan is done, you will find a log in C:\Program Files\esetonlinescanner\log.txt. Please post this log in your next reply.

ReScan

Please rescan with DDS and post DDS.txt


In your next reply, please post:
  • ESET log
  • DDS log


#13 jmccracky


Posted 07 April 2009 - 09:10 PM

ESET Log- (I hope this is right, I cannot "purchase" the program because I have no credit card)-

# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3994 (20090407)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=03e5d5c62fb09c43bf4d6ed47f6ba920
# end=finished
# remove_checked=false
# unwanted_checked=true
# utc_time=2009-04-08 01:57:40
# local_time=2009-04-07 09:57:40 (-0500, Eastern Daylight Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 3
# scanned=222550
# found=11
# scan_time=3826
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch1.zip Win32/Bagle.gen.zip worm 1564C66447BF5A268FDACC2C2437EF8A
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch103.zip Win32/Bagle.gen.zip worm 78BCFAD514C805B435FD64558666ABF5
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch104.zip Win32/Bagle.gen.zip worm 3607CF05FD7CA73B9C45A3405D48BB3A
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch105.zip Win32/Bagle.gen.zip worm E1D025B31B95236D7FFED44F653F414E
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch106.zip Win32/Bagle.gen.zip worm 134D4E4F4F1A9C2A0619E98BC0AA6CD0
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch107.zip Win32/Bagle.gen.zip worm 52FAFC0CFBC18FF99EAB79BD28FC37D0
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch108.zip Win32/Bagle.gen.zip worm 05C689F45BEDBC47303A65895F2299FF
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch109.zip Win32/Bagle.gen.zip worm 4A705771EE909FFD17A55C56EEBC5B11
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch110.zip Win32/Bagle.gen.zip worm C372777CE00BEFB27B696BC7A448EFA7
C:\Documents and Settings\ccw llama\My Documents\LimeWire\Incomplete\T-39456-The Dresden Dolls - Backstabber.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan 743B48FD7016ECB1B6EB166C8A027C8C
C:\WINDOWS\Temp\81328234.tmp Win32/AutoRun.Agent.LZ worm F41AEA30042D8F6335300B5E63AD8344



DDS Log-

Attached Files



#14 Jat90


Posted 08 April 2009 - 06:09 AM

Hello,

Let's do this:

Remove Quarantined Files
  • Open Spybot in one of the following ways:
    • If you have a shortcut on your desktop, double click it.
    • Click Start, then All Programs, then Spybot - Search & Destroy and then Spybot - Search & Destroy.
  • On the left side, click "Recovery".
    • NOTE: If this window is empty, you may skip the remaining steps. Exit Spybot.
  • Select (place a check) beside ALL the backup files that contain quarantined items.
  • Click on the Purge Selected Items button.
  • A dialog will appear, stating that the backup will be removed. Click Yes.
  • When the Recovery window is empty, Exit Spybot.

Also I see you have a P2P Program installed, Limewire.

P2P Warning

If you are going to use p2p file sharing, I suggest you choose a safe program from here: http://p2p.malwareremoval.com/.

If you use P2P software, make sure you are careful about what you open and what P2P program you install. Malware is all over the P2P networks and the programs often come bundled with Adware and Spyware.

Further readings of interest in regards to the p2p "issue" are: http://pcpitstop.com/spycheck/p2p.asp and this:
http://pcpitstop.com/spycheck/badtorrent.asp

Limewire is listed in the "clean" list but you must use it with caution, and in any case the downloading of music is illegal.

Please do the following:
  • Open My Computer
  • Click on Local Disk (C:)
  • Go to Documents and Settings
  • Double click on ccw llama
  • Go into My Documents
  • Find the folder named "Limewire"
  • Go into the folder named "Incomplete"
  • Press Ctrl + a simultaneously to select all items. Now press the delete key on your keyboard.

ATF Cleaner

Please download ATF Cleaner by Atribune & save it to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".
Close that window and right click the Recycle Bin and click "Empty Recycle Bin"

MalwareBytes' Anti-Malware - Full Scan

Please launch MalwareBytes' Anti-Malware
  • Click the "Update" tab.
  • Click "Check for Updates"
  • Allow it to download and install the updates.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Full Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.

Edited by Jat90, 08 April 2009 - 06:10 AM.


#15 jmccracky


Posted 08 April 2009 - 12:45 PM

Malwarebytes' Anti-Malware 1.36
Database version: 1952
Windows 5.1.2600 Service Pack 3

4/8/2009 1:41:53 PM
mbam-log-2009-04-08 (13-41-53).txt

Scan type: Full Scan (A:\|C:\|)
Objects scanned: 139157
Time elapsed: 44 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\gaopdxcounter (Trojan.Agent) -> Quarantined and deleted successfully.


It's still there??? Weird.



