
malwarebytes didn't run but hijackthis did


Hi

symptoms were/are -

google links get hijacked.

Panda antivirus stopped updating (last auto update was 060409, but I managed to get a manual update 170509 English dates!)

could not create system restore

could not restore to an earlier date.

cannot access most security sites

installed malwarebytes by renaming file as per another post on the forum - however when I click on it on the program menu it does not run

managed to get hijackthis by renaming and emailing it from another pc

Thanks for your help - in advance and in hope! This is my first post ever on a forum.

Here are the results of HijackThis:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 09:28:38, on 19/05/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16791)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Panda Software\Panda Platinum 2006 Internet Security\TPSrv.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Panda Software\Panda Platinum 2006 Internet Security\pavsrv51.exe

C:\Program Files\Panda Software\Panda Platinum 2006 Internet Security\AVENGINE.EXE

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

c:\program files\panda software\panda platinum 2006 internet security\firewall\PNMSRV.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe

C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\system32\cisvc.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Google\Update\GoogleUpdate.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Apps\Softex\OmniPass\Omniserv.exe

C:\Program Files\Panda Software\Panda Platinum 2006 Internet Security\PavFnSvr.exe

C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe

C:\Program Files\Panda Software\Panda Platinum 2006 Internet Security\AntiSpam\pskmssvc.exe

C:\Program Files\Panda Software\Panda Platinum 2006 Internet Security\PsImSvc.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

C:\WINDOWS\system32\SearchIndexer.exe

C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe

C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology\ELService.exe

C:\WINDOWS\ehome\mcrdsvc.exe

C:\Apps\Softex\OmniPass\OPXPApp.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\ehome\ehtray.exe

C:\WINDOWS\mHotkey.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Fingerprint Sensor\ATSwpNav.exe

C:\Program Files\MIC\HAWAII\Hawaii.exe

C:\Apps\Softex\OmniPass\scureapp.exe

C:\Program Files\DAEMON Tools\daemon.exe

C:\Program Files\QuickTime\QTTask.exe

C:\Program Files\Panda Software\Panda Platinum 2006 Internet Security\APVXDWIN.EXE

C:\WINDOWS\RTHDCPL.EXE

C:\WINDOWS\sm56hlpr.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\APPS\SMP\SmpSys.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Windows Desktop Search\WindowsSearch.exe

C:\Program Files\Panda Software\Panda Platinum 2006 Internet Security\SRVLOAD.EXE

C:\Program Files\Panda Software\Panda Platinum 2006 Internet Security\WebProxy.exe

C:\WINDOWS\system32\cidaemon.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe

C:\Program Files\MSN Messenger\msnmsgr.exe

C:\WINDOWS\system32\SearchProtocolHost.exe

C:\WINDOWS\system32\SearchFilterHost.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Packard Bell

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)

O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll

O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O2 - BHO: BrowserHelper Class - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\system32\nzdd.dll

O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe

O4 - HKLM\..\Run: [NECHotkey] mHotkey.exe

O4 - HKLM\..\Run: [iAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe

O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe

O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe

O4 - HKLM\..\Run: [ATIPTA] "C:\ATI Technologies\ATI Control Panel\atiptaxx.exe"

O4 - HKLM\..\Run: [ATSwpNav] "C:\Program Files\Fingerprint Sensor\ATSwpNav" -run

O4 - HKLM\..\Run: [MM_MODULE] C:\Program Files\MIC\HAWAII\Hawaii.exe

O4 - HKLM\..\Run: [OmniPass] C:\Apps\Softex\OmniPass\scureapp.exe

O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32"

O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Platinum 2006 Internet Security\APVXDWIN.EXE" /s

O4 - HKLM\..\Run: [sCANINICIO] "C:\Program Files\Panda Software\Panda Platinum 2006 Internet Security\Inicio.exe"

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [sMSERIAL] sm56hlpr.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKCU\..\Run: [smpcSys] C:\APPS\SMP\SmpSys.exe

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-19\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\uk.htm

O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab

O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.mail.live.com/mail/w1/resources/MSNPUpld.cab

O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab

O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase5483.cab

O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1160371131500

O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/...tiveXPlugin.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{1F537533-EB95-47C7-88CF-CCD573F2C354}: NameServer = 85.255.112.129,85.255.112.84

O17 - HKLM\System\CCS\Services\Tcpip\..\{E07DA409-A0D4-487F-9A95-DDDD6B5998DF}: NameServer = 85.255.112.129,85.255.112.84

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.129,85.255.112.84

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.112.129,85.255.112.84

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.129,85.255.112.84

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: Belkin Wireless USB Network Adapter (Belkin Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Intel


  • Root Admin

Did you set these DNS NameServer entries? 85.255.112.129

Please take a look at the following posts to see if they help or not.

Potential Malware infection issues to review to get MBAM running

If not then give this a try in both Normal and Safe Mode.

Small util to randomize the name of MBAM.EXE

randmbam.exe

If neither of those work then please let me know.
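A check for the point raised above about the O17 NameServer entries, as an added example that is not part of this thread, of HijackThis or of Malwarebytes: it parses O17 lines in the shape the log above prints them, treats RFC 1918 addresses as the LAN router, flags any public resolver the owner did not configure, and shows which control sets carry it. The allowlist (the OpenDNS pair mentioned later in the thread), the 192.168.2.1 router address and the two extra sample lines are assumptions; the five 85.255.112.x lines are copied from the log above.

```python
"""Audit HijackThis O17 (DNS NameServer) entries against the resolvers the
owner expects. Added example for this thread; it is not part of HijackThis or
Malwarebytes. Allowlist, router address and the two extra sample lines are
assumptions/constructed; the five 85.255.112.x lines are from the log above."""
import ipaddress
import re
from collections import defaultdict

# Assumed: public resolvers the owner configured on purpose (the OpenDNS pair
# the thread mentions). Any other public resolver is treated as suspect.
EXPECTED_PUBLIC_RESOLVERS = {"208.67.222.222", "208.67.220.220"}

# O17 line as HijackThis v2.0.2 prints it: "O17 - <registry key>: NameServer = a,b"
O17_RE = re.compile(r"^O17 - (?P<key>HKLM\\System\\\S+?): NameServer = (?P<servers>.+?)\s*$")

# Constructed sample in the shape of the log above: five lines copied from it,
# two added (a LAN router and an allowlisted resolver), plus one non-O17 line.
SAMPLE_LOG = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{1F537533-EB95-47C7-88CF-CCD573F2C354}: NameServer = 85.255.112.129,85.255.112.84
O17 - HKLM\System\CCS\Services\Tcpip\..\{E07DA409-A0D4-487F-9A95-DDDD6B5998DF}: NameServer = 85.255.112.129,85.255.112.84
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.129,85.255.112.84
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.112.129,85.255.112.84
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.129,85.255.112.84
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000001}: NameServer = 192.168.2.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000002}: NameServer = 208.67.222.222,208.67.220.220
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
"""


def parse_o17(log_text):
    """Return [(registry_key, [server, ...]), ...] for every O17 line."""
    entries = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if m:
            servers = [s.strip() for s in m.group("servers").split(",") if s.strip()]
            entries.append((m.group("key"), servers))
    return entries


def classify_resolver(server, expected=EXPECTED_PUBLIC_RESOLVERS):
    """'ok' for an RFC 1918 address (the LAN router, the normal DHCP value) or an
    allowlisted public resolver; 'invalid' if it is not an IP; else 'suspect'."""
    try:
        ip = ipaddress.ip_address(server)
    except ValueError:
        return "invalid"
    if ip.is_private or server in expected:
        return "ok"
    return "suspect"


def audit_nameservers(log_text, expected=EXPECTED_PUBLIC_RESOLVERS):
    """Map every non-ok resolver to the registry locations that carry it."""
    hits = defaultdict(list)
    for key, servers in parse_o17(log_text):
        for server in servers:
            if classify_resolver(server, expected) != "ok":
                hits[server].append(key)
    return dict(hits)


def control_sets_hit(hits):
    """Which control sets (CCS, CS1, CS2 ...) each suspect resolver lives in.
    CCS is CurrentControlSet; CS1/CS2 are the saved sets, one of which is
    normally 'Last Known Good', so a resolver present in all of them is not
    undone by booting into that configuration and must be removed everywhere."""
    out = {}
    for server, keys in hits.items():
        sets = set()
        for key in keys:
            m = re.match(r"HKLM\\System\\([^\\]+)\\", key)
            if m:
                sets.add(m.group(1))
        out[server] = sets
    return out


def report(log_text, expected=EXPECTED_PUBLIC_RESOLVERS):
    """Human-readable summary, one line per suspect resolver."""
    hits = audit_nameservers(log_text, expected)
    if not hits:
        return ["No unexpected NameServer entries."]
    sets = control_sets_hit(hits)
    return [f"{server}: {len(keys)} key(s) in control sets {sorted(sets[server])}"
            for server, keys in sorted(hits.items())]


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```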


1. When the Panda Platinum 2006 did not autoupdate I followed a set of instructions on their internet site to resolve by setting to automatically get DNS settings. see link:

http://www.pandasecurity.com/homeusers/sup...=2&pagina=1

This was actually for Panda 2008, so I am not sure if it was the right thing to do - but Panda still doesn't work on autoupdate (I now get error 500) - any ideas - or do I resolve with Panda? latest virus definitions manually downloaded file was from 17th May 2009.

Results:

the first two links did not show anything, however RootRepeal did identify and successfully wipe "goapx......." which then allowed me to run Malwarebytes (although version from yesterday?)

I notice from the Malwarebytes log that a Trojan "DNSchanger" was found (amongst other things).

And I didn't think about the fact that Panda was running while I ran Malwarebytes, so it identified and killed "goapx........dll" whilst the malwarebytes scan was running.

The PC seems to be behaving OK now, apart from Antivirus updates. Should I send the malware logs and run Hijack this again and send those logs to be sure?

Thanks for your help!! I really appreciate it!!


  • Root Admin

Yes please post the following logs.

Update and Scan with Malwarebytes' Anti-Malware

  • Start MalwareBytes AntiMalware (Vista users must Right click and choose RunAs Admin)
  • Please DO NOT run MBAM in Safe Mode unless requested to, you MUST run it in normal Windows mode.
  • Update Malwarebytes' Anti-Malware
    • Select the Update tab
    • Click Update
  • When the update is complete, select the Scanner tab
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
  • If you accidentally close it, the log file is saved here and will be named like this: C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Then post back the MBAM log and a new Hijackthis log.

Download DDS and save it to your desktop.

Disable any script blocker if your Anti-Virus/Anti-Malware has it.

Once downloaded you can disconnect from the Internet and disable your Anti-Virus temporarily if needed.

Then double click dds.scr to run the tool.

When done, the DDS.txt will open.

Click Yes at the next prompt for Optional Scan. When done, DDS will open two (2) logs:

  1. DDS.txt
  2. Attach.txt

  • Save both reports to your desktop
  • Please include the following logs in your next reply: DDS.txt and Attach.txt

You can also check and see if OpenDNS helps to get Panda updates working if it's an actual DNS issue, but if MBAM can now update then Panda should as well. http://www.opendns.com/


Hi there

in this post:

- clean malware bytes log,

- plus hijackthis log

- DDS.TXT but no attach.txt as DDR did not offer me the optional scan.

However I may have messed it up as I ran it and it opened a DOS type window - then I disconnected the internet and Panda security, then I inadvertently closed the DDR window, and I couldn't run it again as it was in use - hence rebooted and started again! Sorry if I messed that up. Other possibility is that I have something else running that blocks scripts of which I am not aware.

What does the DDR program do?

Thanks again

Richard

Malwarebytes' Anti-Malware 1.36

Database version: 2161

Windows 5.1.2600 Service Pack 3

21/05/2009 11:30:12

mbam-log-2009-05-21 (11-30-12).txt

Scan type: Quick Scan

Objects scanned: 182227

Time elapsed: 27 minute(s), 52 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 12:58:48, on 21/05/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16791)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Panda Software\Panda Platinum 2006 Internet Security\TPSrv.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Panda Software\Panda Platinum 2006 Internet Security\pavsrv51.exe

C:\Program Files\Panda Software\Panda Platinum 2006 Internet Security\AVENGINE.EXE

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

c:\program files\panda software\panda platinum 2006 internet security\firewall\PNMSRV.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe

C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\system32\cisvc.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Google\Update\GoogleUpdate.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Apps\Softex\OmniPass\Omniserv.exe

C:\Program Files\Panda Software\Panda Platinum 2006 Internet Security\PavFnSvr.exe

C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe

C:\Program Files\Panda Software\Panda Platinum 2006 Internet Security\AntiSpam\pskmssvc.exe

C:\Program Files\Panda Software\Panda Platinum 2006 Internet Security\PsImSvc.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

C:\WINDOWS\system32\SearchIndexer.exe

C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe

C:\Program Files\Intel\IntelDH\Intel


  • Root Admin

DDS allows us to take a deeper look at what is running on the box than HJT does.

Create a NEW folder on your Desktop named: BadFiles

Please download the following scanning tool. GMER

  • Download the randomly named EXE and copy the file to your Desktop. Remember what its name is.

  • Double click on random named exe file and run it.

  • It may take a minute to load and become available.

  • You should see a tab on top with 3
    >

Hi

"Unfortunately" file xxifavj.sys doesn't show up

Also "unfortunately", GMER identifies that rootkit activity has taken place and identifies gaopdxserv.sys as the culprit, but I can't find that either!!

I can't grab the info off the screen so I'll type it manually

Type: Service

Name: system32\drivers\gaopdxytkmppjyiqhcoehdfwjkdldgxtbkblqu.sys (*** hidden *** )

Value: [sYSTEM]gaopdxserv.sys.

There is a corresponding set of registry entries which follow it.

As I said, I can't find that particular file under the files tab but there is a similar item gagp30kx.sys. As it is not the same I have left it alone!

This item is the thing we got rid of - or I thought we had - the other day.

Panda have sent me a command line scanner to try so I will give that a go in a minute.

I await your thoughts! _ Thanks as ever.


Hi there

results of panda command line scanning application

It worked. it found an AVKiller, then I restarted and rescanned and it found a few things - I have attached the last three logs including the clear one. I think I left the original panda running too as that also disinfected some stuff (spyware) according to the report file.

Following this Malwarebytes also gave a clear report, reports below...

Thanks for your time - are we getting nearer?

Richard

14.15 today

Panda Check has disabled the AVKILLER. Please run a scan now.

(There was a warning before this to say it had found an AVKiller (no name!!) and to reboot - which I did and then, next log (I think the goa key is about the registry entry, but you will know more!)...

==========================================================

PCHECK IS RUNNING

==========================================================

05/22/2009 14:25

.

-- Didn't see UACD...

-- Didn't see Seneka...

-! One of the GAO keys was present...

-- Didn't see msqpdxserv...

-- Didn't see TDSS

---------------------------------------------------

Date : 22/05/2009

Time : 14:40:43

File checked : D:\Documents and Settings\alexus\My Documents\serial_AutoCAD.2009.exe[bestPlayer.exe]

Found spyware :Adware/SystemGuard2009 File can not be modified

---------------------------------------------------

Date : 22/05/2009

Time : 14:41:11

File checked : D:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.0.1.11\iTunes.msi[unk_0007][)++


  • Root Admin

Looks to be okay now.

Please run the following to remove any tools that might have been used during the scanning and cleaning of your system.

STEP A

Uninstall ComboFix.exe

  • Click START then RUN
  • Now type Combofix /u (if you renamed Combofix.exe use that name instead) in the runbox and click OK. Note the space between the X and the /U, it needs to be there.



  • When shown the disclaimer, Select "2"

Remove this folder C:\QooBox if the uninstall instructions don't work and delete Combofix.exe AND check your system time and reset if needed

STEP B

Uninstall GMER

Click on START - RUN and type in or copy/paste %windir%\gmer_uninstall.cmd to remove GMER.

STEP C

Uninstall other tools

Please Download OTMoveIt3 by Old Timer and save it to your Desktop.

  • Double-click OTMoveIt3.exe to run it.
  • While connected to the Internet, Click on the green CleanUp! button and it will populate a list of items to clean from your system that we used or may have used.
  • It should ask if you want to clean up, select Yes and allow the system to clean up these items.
  • NOW please reboot your computer to finish the cleanup process

Great, all looks good now.

I'll close your post soon so that others don't post into it and leave you with this information and suggestions.

So how did I get infected in the first place?

At this time your system appears to be clean. Nothing else in the logs indicates that you are still infected.

Now that you appear to be clean, please follow these simple steps in order to keep your computer clean and secure:

Remove all but the most recent Restore Point on Windows XP

You should Create a New Restore Point to prevent possible reinfection from an old one.

Some of the malware you picked up could have been saved in System Restore.

Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point.

Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:

  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • If the shortcut is missing you can also click on START > RUN > and type in %SystemRoot%\system32\restore\rstrui.exe and click OK
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next".
  • Give the new Restore Point a name, then click "Create".
  • The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use the Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr.exe
  • Select the drive where Windows is installed and click "Ok". Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" tab, then click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
  • On the Disk Cleanup tab, if the System Restore: Obsolete Data Stores entry is available remove them also.
  • These are files that were created before Windows was reformatted or reinstalled. They are obsolete and you can delete them.


Additional information

Microsoft KB article: How to turn off and turn on System Restore in Windows XP

Bert Kinney's site: All about Windows System Restore

Here are some free programs I recommend that could help you improve your computer's security.

Install SpyWare Blaster

Download it from here

Find here the tutorial on how to use Spyware Blaster here

Install WinPatrol

Download it from here

Here you can find information about how WinPatrol works here

Install FireTrust SiteHound

You can find information and download it from here

Install hpHosts

Download it from here

hpHosts is a community managed and maintained hosts file that allows an additional layer of protection against access to ad, tracking and malicious websites. This prevents your computer from connecting to these untrusted sites by redirecting them to 127.0.0.1 which is your own local computer.

hpHosts Support Forum

Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.

You can use one of these sites to check if any updates are needed for your pc.

Secunia Software Inspector

F-secure Health Check

Visit Microsoft often to get the latest updates for your computer.

http://www.update.microsoft.com

Note 1: If you are running Windows XP SP2, you should upgrade to SP3.

Note 2: Users of Norton Internet Security 2008 should uninstall the software before they install Service Pack 3.

The security suite can then be reinstalled afterwards.

The Windows firewall is not sufficient to protect your system. It doesn't monitor outgoing traffic and this is a must.

I recommend Online Armor Free

A little outdated but good reading on how to prevent Malware

Keep safe online and happy surfing.

Since this issue is resolved I will close the thread to prevent others from posting into it. If you need assistance please start your own topic and someone will be happy to assist you.

The fixes and advice in this thread are for this machine only. Do not apply to your machine unless you Fully Understand how these programs work and what you're doing. Please start a thread of your own and someone will be happy to help you, just follow the Pre-Hijackthis instructions found here before posting Pre- HJT Post Instructions

Also don't forget that we offer FREE assistance with General PC questions and repair here PC Help

If you're pleased with the product Malwarebytes and the service provided you, please let your friends, family, and co-workers know. http://www.malwarebytes.org

