Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

i believe i have malware just not sure what


  • This topic is locked This topic is locked
8 replies to this topic

#1 chixdiggit

chixdiggit

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:12:25 PM

Posted 27 February 2010 - 12:43 PM

Hi my computer has become extremely slow and i keep recieving messages while online asking me to download and install browser protection tools and also i keep getting redirected to a website called upperup.com but nothing appears and none of my spyware or adware scans produce anything or fix it please help with any info or fix you can it would be greatly appreciated here is my dds scanGMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-02-28 09:33:23
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Brad\LOCALS~1\Temp\kfpyafow.sys


---- System - GMER 1.0.15 ----

SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xF88D187E]
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xF88D1BFE]

Code 8277ACD0 ZwEnumerateKey
Code 8277AC98 ZwFlushInstructionCache
Code 82485816 IofCallDriver
Code 8247FDF6 IofCompleteRequest

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Norton Internet Security Filter/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip Lbd.sys (Boot Driver/Lavasoft AB)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Norton Internet Security Filter/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp Lbd.sys (Boot Driver/Lavasoft AB)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Norton Internet Security Filter/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp Lbd.sys (Boot Driver/Lavasoft AB)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Norton Internet Security Filter/Symantec Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)

---- Modules - GMER 1.0.15 ----

Module \systemroot\system32\drivers\gaopdxonfaequwsfyvruaqxrgfmbedsmynqatb.sys (*** hidden *** ) F0087000-F009C000 (86016 bytes)

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\gaopdxonfaequwsfyvruaqxrgfmbedsmynqatb.sys (*** hidden *** ) [SYSTEM] gaopdxserv.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys@imagepath \systemroot\system32\drivers\gaopdxonfaequwsfyvruaqxrgfmbedsmynqatb.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys\modules@gaopdxserv \\?\globalroot\systemroot\system32\drivers\gaopdxonfaequwsfyvruaqxrgfmbedsmynqatb.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys\modules@gaopdxl \\?\globalroot\systemroot\system32\gaopdxdrrodsinawbyponibsqslukosfbwjqnp.dll
Reg HKLM\SYSTEM\ControlSet003\Services\gaopdxserv.sys (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\gaopdxserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet003\Services\gaopdxserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet003\Services\gaopdxserv.sys@imagepath \systemroot\system32\drivers\gaopdxonfaequwsfyvruaqxrgfmbedsmynqatb.sys
Reg HKLM\SYSTEM\ControlSet003\Services\gaopdxserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet003\Services\gaopdxserv.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\gaopdxserv.sys\modules@gaopdxserv \\?\globalroot\systemroot\system32\drivers\gaopdxonfaequwsfyvruaqxrgfmbedsmynqatb.sys
Reg HKLM\SYSTEM\ControlSet003\Services\gaopdxserv.sys\modules@gaopdxl \\?\globalroot\systemroot\system32\gaopdxdrrodsinawbyponibsqslukosfbwjqnp.dll

---- EOF - GMER 1.0.15 ----

Attached Files



BC AdBot (Login to Remove)

 


#2 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:03:25 PM

Posted 27 February 2010 - 12:57 PM

Hello chixdiggit,
  • Welcome to Bleeping Computer.
  • My name is fireman4it and I will be helping you with your Malware problem.

    Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
  • Finally, please reply using the button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.

1.
Your log(s) show that you are using so called peer-to-peer or file-sharing programmes (in your case µTorrent). These programmes allow to share files between users as the name(s) suggest. In today's world the cyber crime has come to an enormous dimension and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools as a tremendous amount of prospective victims can be reached through it.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools and thus suggested to be used with intense care. Some further readings on this subject, along the included links, are as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."

It is also important to note that sharing entertainment files and proprietary software infringes the copyright laws in many countries over the world and you are putting yourself at risk of being indicted through organisations watching over the rights of the authors of such files (i.e. the RIAA for music files, or the MPAA for movie files in the USA) or the authors of the files themselves.

Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Open Office."

2.
Uninstalling A Program Through "add/remove"

Click "start" on the taskbar and then click on the "Control Panel" icon.
Please doubleclick the "Add or Remove Programs" icon
A list of programs installed will be "populated" this may take a bit of time.
If they exist, uninstall the following by clicking on the following entries and selecting "remove":

xp-AntiSpy (nur entfernen)

Additional instructions can be found here if needed.

3.
Download and Run RKill
    Please download RKill by Grinler from one of the 4 links below and save it to your desktop.

    Link 1
    Link 2
    Link 3
    Link 4

  • Before we begin, you should disable your anti-malware softwares you have installed so they do not interfere RKill running as some anti-malware softwares detect RKill as malicious. Please refer to this page if you are not sure how.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • If nothing happens or if the tool does not run, please let me know in your next reply

4.
Install Recovery Console and Run ComboFix

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Note:The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you
should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please Do NOT mouseclick combofix's window while its running because it may cause it to stall.

5.
Download DDS and save it to your desktop from here or here or here.
Disable any script blocker, and then double click dds.scr to run the tool.

* When done, DDS will open two (2) logs:

1. DDS.txt
2. Attach.txt

Save both reports to your desktop post the contents of the DDS.txt log. Save the other report incase I need to look at it later.

Things to include in your next reply:
Combofix.txt
DDS.txt
Attach.txt
How is your machine running now?




" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#3 chixdiggit

chixdiggit
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:12:25 PM

Posted 27 February 2010 - 05:49 PM

well i did everything you asked and it did remove some malware i will post the logs you requested. it didn't seem to help much my comp is still ridiculously slow and my browser is being a pain it says i have a conection issue when i first go online but as soon as i hit refresh or go to a favorites site it goes back to normal was fine before i went to ie8 anyway thank you very much for the assistance if there is anything else you can suggest that would be greatly appreciated i think i need to add some ram might help speed things up k thanks again

Attached Files



#4 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:03:25 PM

Posted 28 February 2010 - 07:59 PM

Hello chixdiggit,

Things are looking alot better but we are not quit done yet.

1.
We need to run a CFScript.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the codebox below into it:

CODE
Killall::

File::
c:\docume~1\Brad\LOCALS~1\Temp\jatmlano.sys

DDS::
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AlcxMonitor"=-
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"uTorrent"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6881:TCP"=-

Driver::
jatmlano


Save this as CFScript.txt, in the same location as ComboFix.exe




Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

2.
I'd like us to scan your machine with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push
Note for Vista Users: Eset is compatible but Internet Explorer must be run as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.)

You can refer to this short video by: neomage
**Note**
To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan.

Things to include in your next reply:
Combofix.txt
Eset log
Any signs of infection?
Any Redirects while using your browser?

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#5 chixdiggit

chixdiggit
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:12:25 PM

Posted 28 February 2010 - 11:56 PM

everything worked perfect there were 2 infected files that eset found and cleaned i hope thats all of them thank you again here are the logs damn the eset log didn't save for some reason it said it saved it as a .txt on my desktop but i cant find it anywhere well hopefully it's not a huge deal i'm really sorry i did try to save it anyway please let me know if theres anything else i can do thanks

Attached Files

  • Attached File  log.txt   16.77KB   1 downloads


#6 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:03:25 PM

Posted 01 March 2010 - 07:35 PM

Hello, chixdiggit.
Congratulations! You now appear clean! specool.gif

Are things running okay? Do you have any more questions?



System Still Slow?
You may wish to try StartupLite. Simply download this tool to your desktop and run it. It will explain any optional auto-start programs on your system, and offer the option to stop these programs from starting at startup. This will result in fewer programs running when you boot your system, and should improve preformance.
If that does not work, you can try the steps mentioned in Slow Computer/browser? Check Here First; It May Not Be Malware.


Uninstall Combofix
  • Make sure that Combofix.exe that you downloaded is on your Desktop but Do not run it!
    o *If it is not on your Desktop, the below will not work.
  • Click on then Run....
  • Now copy & paste the green bolded text in the run-box and click OK.

    ComboFix /Uninstall



    <Notice the space between the "x" and "/".> <--- It needs to be there
    Windows Vista users: Press the Windows Key + R to bring the Run... Command and then from there you can add in the Combofix /Uninstall


  • Please advise if this step is missed for any reason as it performs some important actions:
    "This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.
    It also makes a clean Restore Point and flashes all the old restore points in order to prevent possible reinfection from an old one through system restore".

We Need to Clean Up Our Mess
  • Download OTC by OldTimer and save it to your desktop.
  • Double click icon to start the program. If you are using Vista, please right-click and choose run as administrator
  • Then Click the big button.
  • You will get a prompt saying "Being Cleanup Process". Please select Yes.
  • Restart your computer when prompted.


Recommendations
Below are some recommendations to lower your chances of (re)infection.
  1. Install and maintain an outbound firewall
  2. Install Spyware Blaster and update it regularly
    If you wish, the commercial version provides automatic updating.
  3. Install the MVPs hosts file, and update it regularly
    You can use the HostMan host file manager to do this automaticly if you wish.
    For more information on the hosts file, and what it can do for you, you can view the Tutorial on the Hosts file
  4. Install an Anti-Spyware program, and update it regularly
    Malware Byte's Anti Malware is an excellent Anti-Spyware scanner. It's scan times are usually under ten minutes, and has excellent detection and removal rates.
    SUPERAntiSpyware is another good scanner with high detection and removal rates.
    Both programs are free for non commercial home use but provide a resident and do not nag if you purchase the paid versions.
  5. Keep Windows (and your other Microsoft software) up to date!
    I cannot stress how important this is enough. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.

    If you are using Windows XP or earlier
    Visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!

    If you are using Windows Vista
    1. Click the "Start Menu" (or Windows Orb)
    2. Click "All Programs"
    3. Click "Windows Update"
    4. On the left, choose "Change Settings"
    5. Ensure that the checkbox "Use Microsoft Update" at the bottom of the window is checked.
    6. Press OK and accept the UAC prompt.
      Note: You shouldn't need to check this checkbox every single time you update, only the first time.
    7. Click "Check for Updates" in the upper left corner.
    8. Follow the instructions to install the latest updates.
    9. Reboot and repeat the "Check for Updates" until there are no more critical updates to install
  6. Keep your other software up to date as well
    Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out of date software on your machine.
  7. Stay up to date!
    The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing sad.gif.

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#7 chixdiggit

chixdiggit
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:12:25 PM

Posted 02 March 2010 - 11:07 AM

wow right on i can't thank you enough everything seems to be running smoothly and i installed some of the software you recommended now hopefully i can keep my comp clean. one more question not sure if you can help but my microsoft office won't open says my proplus.exe file is missing i think i might have somehow erased it when i did a registry cleaning is there anyway to get it back or do i need to buy new sofware? and is it worth it to clean the registry or is it just going to cause me problems? oh and there are no more infections on the computer all scans are clean.

#8 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:03:25 PM

Posted 02 March 2010 - 07:38 PM

Hello,

QUOTE
wow right on i can't thank you enough everything seems to be running smoothly and i installed some of the software you recommended now hopefully i can keep my comp clean. one more question not sure if you can help but my microsoft office won't open says my proplus.exe file is missing i think i might have somehow erased it when i did a registry cleaning is there anyway to get it back or do i need to buy new sofware? and is it worth it to clean the registry or is it just going to cause me problems? oh and there are no more infections on the computer all scans are clean.


Glad to hear everything is running good. clapping.gif As for Microsoft Office You can start topic here I'm sure they can help you out. thumbup2.gif

Please be aware that bleepingcomputer staff do not recommend the usage of registry cleaners / tools due to the following facts:
  • Registry tools can cause irreparable damage to your Operating System
  • Registry tools can, as a result of the above, render your pc to be inoperable.
This is done, assuming that the major audience here at this board might be inexperienced users and thus a suggested safeguard from our side.
If you feel you have the need for a registry cleaner, then you are just as welcome to keep it. This is what we refer to an "optional fix" and is up to the user, so just take this as a recommendation from my side.

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#9 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:03:25 PM

Posted 05 March 2010 - 07:55 PM

This thread will now be closed since the issue seems to be resolved.

If you need this topic reopened, please send me a PM and I will reopen it for you.

If you should have a new issue, please start a new topic.

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users