
ready to give up!



Thanks for this forum and any help you might offer!

Am running XP SP3, fully patched with Norton Internet Security 2009. Recently, my web browser (Firefox) started randomly sending me to the 'wrong' sites on a Google search. Also, Norton started acting up - disabling parts (i.e. the "sonar" option). Ran a full scan with NIS - nothing found.

Uninstalled Norton, used their removal tool, cleaned registry. Ran AVG, AVIRA and a few other tools. Nothing found. Reinstalled Norton. Same problems.

Downloaded and installed Malwarebytes. Cannot launch it. Tried renaming mbam.exe, running in safe mode to no avail.

Finally got the HijackThis log, hoping someone can make some sense out of this (sigh).

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 16:26:17, on 4/6/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\StartupMonitor.exe

C:\Program Files\Microsoft ActiveSync\wcescomm.exe

C:\PROGRA~1\MICROS~4\rapimgr.exe

C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\system32\PGPserv.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\WINDOWS\system32\NOTEPAD.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe

O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"

O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')

O4 - Startup: PGP Desktop.lnk = ?

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll

O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1220149573423

O20 - AppInit_DLLs: PGPmapih.dll

O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe

O23 - Service: PGPserv - PGP Corporation - C:\WINDOWS\system32\PGPserv.exe

--

End of file - 4367 bytes

Any suggestions and ideas would be more than welcome!!


  • Staff

Hi,

I understand that you need help in order to get rid of the malware that is present on your system - But you need to help us first..

I notice that you never scanned with an Antivirus previously before starting this thread - because you don't even have an Antivirus installed!

This is somewhat suicidal in today's digital world.

That's why I want you to install one first!!

* Please install Avira Antivirus: http://www.free-av.com/

This is a free Antivirus.

Perform a full scan with Avira and let it delete everything it is finding.

Then reboot.

After reboot, open your Avira and select "reports".

There double-click the report from the full scan you have done. Click the "Report File" button and copy and paste this report in your next reply together with a new HijackThis log.

Then we'll start from there, because it really makes no sense otherwise that we clean this up manually if an Antivirus scan is not present which should be able to deal with most and prevent further reinfection.


I understand that you need help in order to get rid of the malware that is present on your system - But you need to help us first..

I notice that you never scanned with an Antivirus previously before starting this thread - because you don't even have an Antivirus installed!

This is somewhat suicidal in today's digital world.

That's why I want you to install one first!!

Hello and thanks for your response! I have been frustrated by this issue for a couple of days so my note was (obviously) incomplete.

I was originally (before all this started) running Norton Internet Security 2009 which includes antivirus and firewall, among others. One of the symptoms of this problem has been that this malware disables parts of NIS. Norton finds nothing even on a full scan. Neither does Avira, AVG, McAfee and a few others I have run. I have removed and reinstalled NIS several times and I suppose at the moment when I ran the log I did not put it back yet.

I did finally get MBAM to run and it identified "C:\WINDOWS\system32\gaopdxcounter (Trojan.Agent)" and successfully removed it.

However, after a reboot it returns. The XP boot log shows:

Loaded driver \systemroot\system32\drivers\gaopdxpwbmafvkyarsvxbnrsmbiykprnswescx.sys

and RootkitRevealer (from Sysinternals) shows 3 hidden registry keys relating to GAOP... which, of course, I am unable to remove thus far.

So, I suppose the question now becomes how to prevent this pain in the butt from returning (and of course exterminating it). :o

Again, thanks for any thoughts and suggestions!

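The way the poster above correlated the scanner detection name with the driver in the XP boot log (same "gaopdx" prefix, long random-looking file name) can be turned into a repeatable check. The following is an added example in Python, not code from this thread or from Malwarebytes; the boot-log sample is constructed from the driver line quoted above plus typical XP entries, and the thresholds (prefix length 5, stem length 20, entropy 3.8 bits) are assumptions.

```python
import math
import re
from collections import Counter

# Constructed sample of an XP boot log (ntbtlog.txt). The gaopdx... line is the
# driver quoted in the thread; the other lines are typical XP entries added here.
SAMPLE_BOOT_LOG = "\n".join([
    r"Service Pack 3  4  7 2009 12:01:15.500",
    r"Loaded driver \SystemRoot\system32\ntoskrnl.exe",
    r"Loaded driver \SystemRoot\system32\hal.dll",
    r"Loaded driver \SystemRoot\system32\DRIVERS\pci.sys",
    r"Loaded driver \SystemRoot\system32\DRIVERS\atapi.sys",
    r"Loaded driver \systemroot\system32\drivers\gaopdxpwbmafvkyarsvxbnrsmbiykprnswescx.sys",
    r"Did not load driver \SystemRoot\system32\DRIVERS\parport.sys",
])

# Matches 'Loaded driver <path>\drivers\<stem>.sys' (directory case varies in real logs).
DRIVER_LINE = re.compile(r"^Loaded driver (\\.*\\drivers\\([^\\]+)\.sys)\s*$", re.IGNORECASE)


def loaded_drivers(boot_log: str) -> list[tuple[str, str]]:
    """Return (stem, full_path) for every driver the boot log says was loaded."""
    found = []
    for line in boot_log.splitlines():
        m = DRIVER_LINE.match(line.strip())
        if m:
            found.append((m.group(2), m.group(1)))
    return found


def shannon_entropy(text: str) -> float:
    """Bits per character; generated names score higher than real words."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def common_prefix_len(a: str, b: str) -> int:
    """Length of the shared case-insensitive prefix of two names."""
    n = 0
    for x, y in zip(a.lower(), b.lower()):
        if x != y:
            break
        n += 1
    return n


def suspicious_drivers(boot_log, detection_names, min_prefix=5, min_len=20, min_entropy=3.8):
    """Map driver stem -> (path, reasons) for drivers worth a closer look.

    A driver is reported when its name shares a prefix with a scanner detection
    (the thread's gaopdxcounter vs gaopdx...sys), or when it is both long and
    high-entropy, the usual shape of a generated rootkit file name.
    Thresholds are assumptions for this example, not scanner settings.
    """
    findings = {}
    for stem, path in loaded_drivers(boot_log):
        reasons = []
        for det in detection_names:
            if common_prefix_len(stem, det) >= min_prefix:
                reasons.append(f"shares prefix with detection '{det}'")
        if len(stem) >= min_len and shannon_entropy(stem.lower()) >= min_entropy:
            reasons.append("long, random-looking file name")
        if reasons:
            findings[stem] = (path, reasons)
    return findings


if __name__ == "__main__":
    for stem, (path, reasons) in suspicious_drivers(SAMPLE_BOOT_LOG, ["gaopdxcounter"]).items():
        print(f"{path}\n    " + "\n    ".join(reasons))
```

A flagged driver is a lead for an anti-rootkit tool (GMER, RootkitRevealer, as used in the thread), not proof of infection by itself.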

Thanks for this forum and any help you might offer!

Am running XP SP3, fully patched with Norton Internet Security 2009. Recently, my web browser (Firefox) started randomly sending me to the 'wrong' sites on a google search. Also, Norton started acting up - disabling parts (i.e. the "sonar" option). Ran a full scan with NIS - nothing found.

Uninstalled Norton, used their removal tool, cleaned registry. Ran AVG, AVIRA and a few other tools. Nothing found. Reinstalled Norton. Same problems.

UPDATE:

After I finally got MBAM working it put me on the right track by pointing me to

C:\WINDOWS\system32\gaopdxcounter (Trojan.Agent)

Reading some more I also grabbed a copy of GMER and AVENGER. Between the three I may have been able to get rid of this pest! At this time they are ALL reporting no problems, no problem registry entries, no hidden drivers or rootkits. Also, Norton is stable at the moment - it too was being impacted by this problem.

I will continue to monitor the machine for a couple of days and keep running mbam and gmer to make sure and will report back.


Can you start with performing the instructions I posted? Because that's a priority.

Sure thing. MBAM.EXE now runs under the proper mbam name. The scans come back clean:

Malwarebytes' Anti-Malware 1.36

Database version: 1948

Windows 5.1.2600 Service Pack 3

4/7/2009 12:18:23

mbam-log-2009-04-07 (12-18-23).txt

Scan type: Quick Scan

Objects scanned: 86798

Time elapsed: 4 minute(s), 28 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Norton full scan also shows zero infections (which it always did). More importantly, however, the "Advanced detection" features are now not turned off after a few minutes as they were during the past few days.

I also ran GMER and the log came back clean (I didn't attach it as it is quite large).

I can also run hijackthis and attach the log if you wish.


Please reread my instructions again. You really need an Antivirus, because how are you supposed to prevent malware in the future?

I am sorry but I don't understand what you are pointing me to... First, which instructions do you wish me to read again? I thought I checked the right one but seems I misunderstood.

Second, I have been (before this incident) and I am currently using Norton Internet Security 2009 from Symantec, which includes antivirus. While I may sometimes question if it is 100% effective or not, according to Symantec the product includes all the following features:

Identity protection
Antiphishing
Two-way firewall
Web site authentication
Network security
Antispam
Antivirus
Antispyware
Botnet protection
Browser protection

I am also using a registered version of mbam.exe in addition to the Norton product. Having said all that, I appreciate your feedback but please clarify when you have a moment. Thank you!


  • Staff

Hi,

First, which instructions do you wish me to read again?
The ones I posted in my first reply to you, because my other replies don't have any instructions.

Let me requote.. :o

Hi,

I understand that you need help in order to get rid of the malware that is present on your system - But you need to help us first..

I notice that you never scanned with an Antivirus previously before starting this thread - because you don't even have an Antivirus installed!

This is somewhat suicidal in today's digital world.

That's why I want you to install one first!!

* Please install Avira Antivirus: http://www.free-av.com/

This is a free Antivirus.

Perform a full scan with Avira and let it delete everything it is finding.

Then reboot.

After reboot, open your Avira and select "reports".

There double-click the report from the full scan you have done. Click the "Report File" button and copy and paste this report in your next reply together with a new HijackThis log.

Then we'll start from there, because it really makes no sense otherwise that we clean this up manually if an Antivirus scan is not present which should be able to deal with most and prevent further reinfection.

So it would be great if you installed the Avira Antivirus, performed a scan with it, let it delete what it's finding and posted the log in your next reply together with a new HijackThis log.

But, you are really confusing me now about the fact that you have Norton installed. I really can't see it in your HijackThis log though. So that's why, please post a new HijackThis log first, because it's now really confusing for me. :)


So it would be great if you installed the Avira Antivirus, performed a scan with it, let it delete what it's finding and posted the log in your next reply together with a new HijackThis log.

I ran Avira (and many others) when I first started looking for this problem. It found nothing. I have since uninstalled it as I was only using one antivirus software at a time. I also ran AVG, NOD32 and Trend Micro earlier. None are now installed and running except Norton.

Here's the latest log, ran about 2 minutes ago:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 16:32:46, on 4/7/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\Norton Internet Security\Engine\16.5.0.135\ccSvcHst.exe

C:\WINDOWS\system32\PGPserv.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Norton Internet Security\Engine\16.5.0.135\ccSvcHst.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\StartupMonitor.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\PROGRA~1\MICROS~4\rapimgr.exe

C:\Program Files\PGP Corporation\PGP Desktop\PGPtray.exe

C:\Program Files\PGP Corporation\PGP Desktop\PGPfsd.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Microsoft ActiveSync\wcescomm.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)

O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\16.5.0.135\coIEPlg.dll

O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\16.5.0.135\IPSBHO.DLL

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\16.5.0.135\coIEPlg.dll

O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"

O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')

O4 - Startup: PGP Desktop.lnk = ?

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll

O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB

O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1220149573423

O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files\Norton Internet Security\Engine\16.5.0.135\coIEPlg.dll

O20 - AppInit_DLLs: PGPmapih.dll

O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: Norton Internet Security - Symantec Corporation - C:\Program Files\Norton Internet Security\Engine\16.5.0.135\ccSvcHst.exe

O23 - Service: PGPserv - PGP Corporation - C:\WINDOWS\system32\PGPserv.exe

--

End of file - 5733 bytes

Again, thank you for your time and patience!


Now I see Norton installed, so we are OK here. :)

I just wanted to be sure that there was an Antivirus installed here as well.

How are things now?

All seems 100% normal again for the last 12 hours! Admittedly, I could not easily have resolved this without the info I gathered from your forums, which includes the software.

On a different topic according to your profile you are in Belgium. Is this correct? My wife was born and grew up there. If I had a Hennepin I would send you one though it probably is easier for you to find it. :o

Anyway, off to work now! Thanks again for the help!!


  • Staff

Yes, I'm Belgian :o

Glad I could help. :)

Please read my Prevention page with lots of info and tips on how to prevent this in the future.

And if you want to improve speed/system performance after malware removal, take a look here.

Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!


Yes, I'm Belgian :o

Glad I could help. :)

Please read my Prevention page with lots of info and tips on how to prevent this in the future.

And if you want to improve speed/system performance after malware removal, take a look here.

Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!

Thank you for the links. I will review them carefully.

My system seems stable for nearly two days now! Good sign. I have run several additional manual scans during the last day with no further detection. I have also removed my old restore points in case some virus or trojan was picked up during a restore point creation. I have now created a new and hopefully clean restore point.

Happy holidays to you and your family, whatever you may celebrate!


  • Staff

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.

