Thanks for this forum and any help you might offer!
Am running XP SP3, fully patched with Norton Internet Security 2009. Recently, my web browser (Firefox) started randomly sending me to the 'wrong' sites on a google search. Also, Norton started acting up - disabling parts (i.e. the "sonar" option). Ran a full scan with NIS - nothing found.
Uninstalled Norton, used their removal tool, cleaned registry. Ran AVG, AVIRA and a few other tools. Nothing found. Reinstalled Norton. Same problems.
Downloaded and installed Malwarebytes. Cannot launch it. Tried renaming mbam.exe, running in safe mode to no avail.
Finally got the hijackthis log hoping someone can make some sense out of this (sigh)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:26:17, on 4/6/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\StartupMonitor.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\PGPserv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O4 - Startup: PGP Desktop.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell....iler/SysPro.CAB
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1220149573423
O20 - AppInit_DLLs: PGPmapih.dll
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: PGPserv - PGP Corporation - C:\WINDOWS\system32\PGPserv.exe
--
End of file - 4367 bytes
Any suggestions and ideas would be more than welcome!!
#1
Posted 06 April 2009 - 08:37 PM
Cheers!
Andy
#2
Posted 06 April 2009 - 11:11 PM
Hi,
I understand that you need help in order to get rid of the malware that is present on your system - But you need to help us first..
I notice that you never scanned with an Antivirus previously before starting this thread - because you don't even have an Antivirus installed!
This is somewhat suicidal in today's digital world.
That's why I want you to install one first!!
* Please install Avira Antivirus: http://www.free-av.com/
This is a free Antivirus.
Perform a full scan with Avira and let it delete everything it is finding.
Then reboot.
After reboot, open your Avira and select "reports".
There double-click the report from the Full scan you have done. Click the "Report File" button and copy and paste this report in your next reply together with a new HijackThis log.
Then we'll start from there, because it really makes no sense otherwise that we clean this up manually if an antivirus scan is not present which should be able to deal with most and prevent further reinfection.
#3
Posted 07 April 2009 - 05:42 AM
miekiemoes, on Apr 6 2009, 07:11 PM, said:
I understand that you need help in order to get rid of the malware that is present on your system - But you need to help us first..
I notice that you never scanned with an Antivirus previously before starting this thread - because you don't even have an Antivirus installed!
This is somewhat suicidal in today's digital world.
That's why I want you to install one first!!
Hello and thanks for your response! I have been frustrated by this issue for a couple of days so my note was (obviously) incomplete.
I was originally (before all this started) running Norton Internet Security 2009 which includes antivirus and firewall, among others. One of the symptoms of this problem has been that this malware disables parts of NIS. Norton finds nothing even on a full scan. Neither does Avira, AVG, McAfee and a few others I have run. I have removed and reinstalled NIS several times and I suppose at the moment when I ran the log I did not put it back yet.
I did finally get MBAM to run and it identified "C:\WINDOWS\system32\gaopdxcounter (Trojan.Agent)" and successfully removed it.
However, after a reboot it returns. The XP boot log shows:
Loaded driver \systemroot\system32\drivers\gaopdxpwbmafvkyarsvxbnrsmbiykprnswescx.sys
and RootkitRevealer (from Sysinternals) shows 3 hidden registry keys relating to GAOP... which, of course, I am unable to remove thus far.
So, I suppose the question now becomes how to prevent this pain in the butt from returning (and of course exterminating it).
Again, thanks for any thoughts and suggestions!
Cheers!
Andy
#4
Posted 07 April 2009 - 08:40 AM
nylimited, on Apr 6 2009, 04:37 PM, said:
Thanks for this forum and any help you might offer!
Am running XP SP3, fully patched with Norton Internet Security 2009. Recently, my web browser (Firefox) started randomly sending me to the 'wrong' sites on a google search. Also, Norton started acting up - disabling parts (i.e. the "sonar" option). Ran a full scan with NIS - nothing found.
Uninstalled Norton, used their removal tool, cleaned registry. Ran AVG, AVIRA and a few other tools. Nothing found. Reinstalled Norton. Same problems.
UPDATE:
After I finally got MBAM working it put me on the right track by pointing me to
C:\WINDOWS\system32\gaopdxcounter (Trojan.Agent)
Reading some more I also grabbed a copy of GMER and AVENGER. Between the three I may have been able to get rid of this pest! At this time they are ALL reporting no problems, no problem registry entries, no hidden drivers or rootkits. Also, Norton is stable at the moment - it too was being impacted by this problem.
I will continue to monitor the machine for a couple of days and keep running mbam and gmer to make sure and will report back.
Cheers!
Andy
#5
Posted 07 April 2009 - 09:04 AM
Hi,
Can you start with performing the instructions I posted? Because that's a priority.
#6
Posted 07 April 2009 - 04:27 PM
miekiemoes, on Apr 7 2009, 05:04 AM, said:
Can you start with performing the instructions I posted? Because that's a priority.
Sure thing. MBAM.EXE now runs under the proper mbam name. The scans come back clean:
Malwarebytes' Anti-Malware 1.36
Database version: 1948
Windows 5.1.2600 Service Pack 3
4/7/2009 12:18:23
mbam-log-2009-04-07 (12-18-23).txt
Scan type: Quick Scan
Objects scanned: 86798
Time elapsed: 4 minute(s), 28 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
Norton full scan also shows zero infections (which it always did). More importantly, however, the "Advanced detection" features are now not turned off after a few minutes as they were during the past few days.
I also ran GMER and the log came back clean (I didn't attach it as it is quite large).
I can also run hijackthis and attach the log if you wish.
Cheers!
Andy
#7
Posted 07 April 2009 - 04:34 PM
Hi,
Please reread my instructions again. You really need an Antivirus, because how are you supposed to prevent malware in the future?
#8
Posted 07 April 2009 - 07:57 PM
miekiemoes, on Apr 7 2009, 12:34 PM, said:
Please reread my instructions again. You really need an Antivirus, because how are you supposed to prevent malware in the future?
I am sorry but I don't understand what you are pointing me to... First, which instructions do you wish me to read again? I thought I checked the right one but seems I misunderstood.
Second, I have been (before this incident) and I am currently using Norton Internet Security 2009 from Symantec, which includes antivirus. While I may sometimes question if it is 100% effective or not, according to Symantec the product includes all the following features:
* Identity protection
* Antiphishing
* Two-way firewall
* Web site authentication
* Network security
* Antispam
* Antivirus
* Antispyware
* Botnet protection
* Browser protection
I am also using a registered version of mbam.exe in addition to the Norton product. Having said all that, I appreciate your feedback but please clarify when you have a moment. Thank you!
Cheers!
Andy
#9
Posted 07 April 2009 - 08:04 PM
Hi,
Quote
First, which instructions do you wish me to read again?
The ones I posted in my first reply to you, because my other replies don't have any instructions.
Let me requote..
Quote
Hi,
I understand that you need help in order to get rid of the malware that is present on your system - But you need to help us first..
I notice that you never scanned with an Antivirus previously before starting this thread - because you don't even have an Antivirus installed!
This is somewhat suicidal in today's digital world.
That's why I want you to install one first!!
* Please install Avira Antivirus: http://www.free-av.com/
This is a free Antivirus.
Perform a full scan with Avira and let it delete everything it is finding.
Then reboot.
After reboot, open your Avira and select "reports".
There double-click the report from the Full scan you have done. Click the "Report File" button and copy and paste this report in your next reply together with a new HijackThis log.
Then we'll start from there, because it really makes no sense otherwise that we clean this up manually if an antivirus scan is not present which should be able to deal with most and prevent further reinfection.
So it would be great if you installed the Avira Antivirus, perform a scan with it, let it delete what it's finding and post the log in your next reply together with a new HijackThis log.
But, you are really confusing me now about the fact that you have Norton installed. I really can't see it in your HijackThis log though. So that's why, please post a new HijackThis log first, because it's now really confusing for me.
#10
Posted 07 April 2009 - 08:38 PM
miekiemoes, on Apr 7 2009, 04:04 PM, said:
So it would be great if you installed the Avira Antivirus, perform a scan with it, let it delete what it's finding and post the log in your next reply together with a new HijackThis log
I ran Avira (and many others) when I first started looking for this problem. It found nothing. I have since uninstalled it as I was only using one antivirus software at a time. I also ran AVG, NOD32 and TrendMicro earlier. None are now installed and running except Norton.
Here's the latest log, ran about 2 minutes ago:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:32:46, on 4/7/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton Internet Security\Engine\16.5.0.135\ccSvcHst.exe
C:\WINDOWS\system32\PGPserv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Norton Internet Security\Engine\16.5.0.135\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\StartupMonitor.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\Program Files\PGP Corporation\PGP Desktop\PGPtray.exe
C:\Program Files\PGP Corporation\PGP Desktop\PGPfsd.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\16.5.0.135\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\16.5.0.135\IPSBHO.DLL
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\16.5.0.135\coIEPlg.dll
O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O4 - Startup: PGP Desktop.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell....iler/SysPro.CAB
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/b...lineScanner.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1220149573423
O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files\Norton Internet Security\Engine\16.5.0.135\coIEPlg.dll
O20 - AppInit_DLLs: PGPmapih.dll
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Norton Internet Security - Symantec Corporation - C:\Program Files\Norton Internet Security\Engine\16.5.0.135\ccSvcHst.exe
O23 - Service: PGPserv - PGP Corporation - C:\WINDOWS\system32\PGPserv.exe
--
End of file - 5733 bytes
Again, thank you for your time and patience!
Cheers!
Andy
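Added example, not part of the original thread: the helper could not find Norton in the first HijackThis log but could in the second, and comparing the two logs entry by entry shows exactly what changed. This Python code parses trimmed excerpts of both logs from this page; the function names and the `PROC` pseudo-section for running processes are assumptions of the example.

```python
import re
from collections import defaultdict

# Section-coded entries look like "O23 - Service: ..." or "R0 - HKCU\...".
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")

# Trimmed excerpts of the two logs posted in this thread (not the full logs).
LOG_APR6 = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:26:17, on 4/6/2009
Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\PGPserv.exe
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O20 - AppInit_DLLs: PGPmapih.dll
O23 - Service: PGPserv - PGP Corporation - C:\WINDOWS\system32\PGPserv.exe
"""

LOG_APR7 = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:32:46, on 4/7/2009
Running processes:
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Norton Internet Security\Engine\16.5.0.135\ccSvcHst.exe
C:\WINDOWS\system32\PGPserv.exe
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\16.5.0.135\IPSBHO.DLL
O20 - AppInit_DLLs: PGPmapih.dll
O23 - Service: Norton Internet Security - Symantec Corporation - C:\Program Files\Norton Internet Security\Engine\16.5.0.135\ccSvcHst.exe
O23 - Service: PGPserv - PGP Corporation - C:\WINDOWS\system32\PGPserv.exe
"""


def parse_hjt(text):
    """Return {section: [entry, ...]}; running processes go under 'PROC'."""
    sections = defaultdict(list)
    in_processes = False
    for line in (raw.strip() for raw in text.splitlines()):
        match = ENTRY_RE.match(line)
        if match:
            in_processes = False  # the first coded entry ends the process list
            sections[match.group(1)].append(match.group(2))
        elif line.lower().startswith("running processes"):
            in_processes = True
        elif line == "--" or line.startswith("End of file"):
            in_processes = False
        elif in_processes and line:
            sections["PROC"].append(line)
    return dict(sections)


def diff_logs(old, new):
    """List (section, entry) pairs present in only one of the two logs."""
    added, removed = [], []
    for code in sorted(set(old) | set(new)):
        before, after = set(old.get(code, [])), set(new.get(code, []))
        added += [(code, e) for e in sorted(after - before)]
        removed += [(code, e) for e in sorted(before - after)]
    return {"added": added, "removed": removed}


def orphaned(log):
    """Entries for which HijackThis reported '(no file)' as the target."""
    return [(c, e) for c, es in log.items() for e in es if e.endswith("(no file)")]


def footprint(log, name):
    """Every process or entry that mentions a product name (case-insensitive)."""
    needle = name.lower()
    return [(c, e) for c, es in log.items() for e in es if needle in e.lower()]


if __name__ == "__main__":
    apr6, apr7 = parse_hjt(LOG_APR6), parse_hjt(LOG_APR7)
    print("Norton in 6 April log:", footprint(apr6, "norton"))
    print("Norton in 7 April log:", len(footprint(apr7, "norton")), "hits")
    for code, entry in diff_logs(apr6, apr7)["added"]:
        print("+", code, entry)
    for code, entry in orphaned(apr7):
        print("no file:", code, entry)
```
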
#11
Posted 07 April 2009 - 08:44 PM
Ok,
Now I see Norton installed, so we are OK here.
I just wanted to be sure that there was an Antivirus installed here as well.
How are things now?
#12
Posted 07 April 2009 - 09:03 PM
miekiemoes, on Apr 7 2009, 04:44 PM, said:
Now I see Norton installed, so we are OK here. 
I just wanted to be sure that there was an Antivirus installed here as well.
How are things now?
All seems 100% normal again for the last 12 hours! Admittedly, I could not easily have resolved this without much info I gathered from your forums which includes the software.
On a different topic, according to your profile you are in Belgium. Is this correct? My wife was born and grew up there. If I had a Hennepin I would send you one though it probably is easier for you to find it.
Anyway, off to work now! Thanks again for the help!!
Cheers!
Andy
#13
Posted 07 April 2009 - 09:28 PM
Yes, I'm Belgian 
Glad I could help.
Please read my Prevention page with lots of info and tips how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.
Happy Surfing again!
#14
Posted 09 April 2009 - 06:08 AM
miekiemoes, on Apr 7 2009, 05:28 PM, said:
Yes, I'm Belgian 
Glad I could help.
Please read my Prevention page with lots of info and tips how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.
Happy Surfing again!
Thank you for the links. I will review them carefully.
My system seems stable for nearly two days now! Good sign. I have run several additional manual scans during the last day with no further detection. I have also removed my old restore points in case some virus or trojan was picked up during a restore point creation. I have now created a new and hopefully clean restore point.
Happy holidays to you and your family, whatever you may celebrate!
Cheers!
Andy
#15
Posted 09 April 2009 - 08:20 AM
Happy holidays to you too!
#16
Posted 10 April 2009 - 01:03 AM
Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.
Everyone else please begin a New Topic.