Old 05-18-2009, 12:53 AM   #1 (permalink)
Registered User
 
Join Date: May 2009
Posts: 10
OS: Win XP


Trojan "gaopdxcounter" Reappears

About a week ago I started noticing that my Google results would reroute me to ad sites. My husband found viruses called "dnschanger" and "gaopdxcounter". Somehow, he has managed to get rid of dnschanger, and my Google results (when using Firefox) no longer reroute. They will still go to ad sites on IE, though.

Also, using Malwarebytes, "gaopdxcounter" is repeatedly coming up. We get rid of it (again, not sure how he did it), but when the computer is restarted and rescanned, it comes up again.

Please find attached the necessary scans.


DDS (Ver_09-05-14.01) - NTFSx86
Run by Admin at 0:23:24.89 on Sun 05/17/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.537 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Drive Space Indicator\DrvSpace.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\AcroDist.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Admin\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
mWinlogon: SfcDisable=-99 (0xffffff9d)
mWinlogon: UIHost=c:\windows\system32\logonuiX.exe
BHO: ZILLAbar Browser Helper Object: {1827766b-9f49-4854-8034-f6ee26fcb1ec} - c:\program files\stopzilla!\SZSG.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybotsd\SDHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: STOPzilla Browser Helper Object: {e3215f20-3212-11d6-9f8b-00d0b743919d} - c:\program files\stopzilla!\SZIEBHO.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: StylerToolBar: {d2f8f919-690b-4ea2-9fa7-a203d1e04f75} - c:\program files\styler\tb\StylerTB.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
TB: STOPzilla: {98828ded-a591-462f-83ba-d2f62a68b8b8} - c:\program files\stopzilla!\SZSG.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [DriveSpace] c:\program files\drive space indicator\DrvSpace.exe
mRun: [LogonStudio] "c:\program files\wincustomize\logonstudio\logonstudio.exe" /RANDOM
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [PWRISOVM.EXE] c:\program files\poweriso\PWRISOVM.EXE
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"
mRun: [<NO NAME>]
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
dRunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32
StartupFolder: c:\docume~1\admin\startm~1\programs\startup\magicd~1.lnk - c:\program files\magicdisc\MagicDisc.exe
StartupFolder: c:\docume~1\admin\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
uPolicies-explorer: NoSMMyDocs = 1 (0x1)
uPolicies-explorer: NoSMMyPictures = 1 (0x1)
dPolicies-explorer: NoSMMyDocs = 1 (0x1)
dPolicies-explorer: NoSMMyPictures = 1 (0x1)
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert link target to existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office12\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~1\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office12\REFIEBAR.DLL
LSP: c:\program files\common files\is3\anti-spyware\iS3lsp.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: navnet - {AD6E5643-7B0C-46AA-95AD-9773FF2A857A} - c:\program files\navnetapp\ComUtilities.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
Notify: WBSrv - c:\progra~1\stardock\object~1\window~1\wbsrv.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\qyuyrlxp.default\
FF - prefs.js: browser.startup.homepage - google.com
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg8\toolbarff\components\vmAVGConnector.dll
FF - plugin: c:\documents and settings\admin\application data\mozilla\firefox\profiles\qyuyrlxp.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\opera\program\plugins\npdivx32.dll
FF - plugin: c:\program files\opera\program\plugins\nppl3260.dll
FF - plugin: c:\program files\opera\program\plugins\nprpjplug.dll
FF - plugin: c:\program files\opera\program\plugins\npsoestb.dll
FF - plugin: c:\program files\opera\program\plugins\NPTURNMED.dll

============= SERVICES / DRIVERS ===============

R0 szkg5;szkg;c:\windows\system32\drivers\SZKG.sys [2009-3-12 54656]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-3-25 325896]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-3-25 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-3-25 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-5-10 908568]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-5-10 298776]

=============== Created Last 30 ================

2009-05-13 04:05 <DIR> --d----- c:\program files\NavNetApp
2009-05-13 04:05 <DIR> --d----- c:\docume~1\admin\applic~1\NavNet Solutions
2009-05-11 00:18 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-05-11 00:18 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-10 19:19 <DIR> --d----- c:\program files\STOPzilla!
2009-05-10 19:19 <DIR> --d----- c:\program files\common files\iS3
2009-05-10 19:19 <DIR> --d----- c:\docume~1\alluse~1\applic~1\STOPzilla!
2009-05-10 00:37 <DIR> --d----- c:\docume~1\admin\applic~1\AVGTOOLBAR
2009-05-10 00:11 <DIR> --d----- c:\program files\Trend Micro
2009-05-10 00:10 <DIR> --d----- C:\!KillBox
2009-05-08 00:09 <DIR> --d----- c:\program files\common files\DivX Shared
2009-05-07 21:50 <DIR> --d----- c:\program files\iPod
2009-05-07 21:50 <DIR> --d----- c:\program files\iTunes
2009-05-07 21:50 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-04-29 05:18 717,296 a------- c:\windows\system32\drivers\sptd.sys
2009-04-29 05:18 <DIR> --d----- c:\program files\LSoft Technologies Inc
2009-04-29 05:10 116,736 a------- c:\windows\system32\drivers\mcdbus.sys
2009-04-29 05:10 <DIR> --d----- c:\program files\MagicDisc
2009-04-29 05:09 <DIR> --d----- c:\program files\MagicISO
2009-04-18 01:38 <DIR> --d----- c:\program files\Plant Tycoon

==================== Find3M ====================

2009-05-09 18:05 325,896 a------- c:\windows\system32\drivers\avgldx86.sys
2009-05-09 18:05 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-05-09 18:05 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-03-31 14:57 17,408 a----r-- c:\windows\system32\SZIO5.dll
2009-03-31 14:56 294,912 a----r-- c:\windows\system32\SZBase5.dll
2009-03-31 14:55 540,672 a----r-- c:\windows\system32\SZComp5.dll
2009-03-27 10:56 126,976 a----r-- c:\windows\system32\IS3HTUI5.dll
2009-03-27 10:55 393,216 a----r-- c:\windows\system32\IS3DBA5.dll
2009-03-27 10:55 372,736 a----r-- c:\windows\system32\IS3UI5.dll
2009-03-27 10:55 61,440 a----r-- c:\windows\system32\IS3Hks5.dll
2009-03-27 10:54 23,040 a----r-- c:\windows\system32\IS3XDat5.dll
2009-03-27 10:54 221,184 a----r-- c:\windows\system32\IS3Win325.dll
2009-03-27 10:54 94,208 a----r-- c:\windows\system32\IS3Inet5.dll
2009-03-27 10:53 90,112 a----r-- c:\windows\system32\IS3Svc5.dll
2009-03-27 10:50 716,800 a----r-- c:\windows\system32\IS3Base5.dll
2009-03-21 09:06 989,696 -------- c:\windows\system32\dllcache\kernel32.dll
2009-03-20 19:43 2,724 a--sh--- c:\docume~1\alluse~1\applic~1\KGyGaAvL.sys
2009-03-20 18:44 87,608 a------- c:\docume~1\admin\applic~1\inst.exe
2009-03-20 18:44 47,360 a------- c:\windows\system32\drivers\pcouffin.sys
2009-03-20 18:44 47,360 a------- c:\docume~1\admin\applic~1\pcouffin.sys
2009-03-19 16:32 23,400 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-19 00:08 139,528 a------- c:\windows\hpoins21.dat
2009-03-09 05:19 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-06 18:25 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-03-06 08:49 284,160 a------- c:\windows\system32\pdh.dll
2009-03-06 08:49 284,160 -------- c:\windows\system32\dllcache\pdh.dll
2009-03-05 05:00 88 ---shr-- c:\docume~1\alluse~1\applic~1\09389EC51B.sys
2009-03-05 02:14 4,389,888 a------- c:\windows\system32\logonuiX.exe
2009-03-05 01:06 21,640 a------- c:\windows\system32\emptyregdb.dat
2009-03-02 19:17 828,416 a------- c:\windows\system32\wininet.dll
2009-03-02 19:17 828,416 -------- c:\windows\system32\dllcache\wininet.dll
2009-02-27 23:54 636,088 -------- c:\windows\system32\dllcache\iexplore.exe
2009-02-21 13:09 3,596,800 -------- c:\windows\system32\dllcache\mshtml.dll
2009-02-20 05:24 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2009-02-20 05:24 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2009-02-20 00:14 161,792 -------- c:\windows\system32\dllcache\ieakui.dll

============= FINISH: 0:24:19.26 ===============
Attached Files
File Type: zip Attach.zip (5.5 KB, 3 views)
faythe1215 is offline  

Old 05-18-2009, 05:16 AM   #2 (permalink)
Analyst, Security Team
 
 
Join Date: Jan 2009
Location: Canada
Posts: 2,174
OS: XP sp3


Re: Trojan "gaopdxcounter" Reappears

Hello, and welcome to TSF.
I am currently reviewing your log. I will be back with a fix for your problem as soon as possible.
Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread.
Make sure it is set to Instant Notification, then click Subscribe.
Please be patient with me during this time.
__________________


ASAP & UNITE Member
CatByte is offline  
Old 05-18-2009, 06:38 AM   #3 (permalink)
Registered User
 
Join Date: May 2009
Posts: 10
OS: Win XP


Re: Trojan "gaopdxcounter" Reappears

Thank you for your help.
faythe1215 is offline  
Old 05-18-2009, 07:10 AM   #4 (permalink)
Analyst, Security Team
 
 
Join Date: Jan 2009
Location: Canada
Posts: 2,174
OS: XP sp3


Re: Trojan "gaopdxcounter" Reappears

Hi,

Please do the following:

Download ComboFix from one of these locations:
Link 1
Link 2
Link 3

VERY IMPORTANT !!!
Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications (AVG8, Spybot, Stopzilla), usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.


Please make sure you include the ComboFix log in your next reply, as well as a description of how your computer is running now.
__________________


ASAP & UNITE Member
CatByte is offline  
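Added example, not part of this thread and not code from DDS, ComboFix or any of the participants: a small Python triage pass over log lines of the kind posted here, flagging the items an analyst checks first (randomly named gaopdx* files, a non-default Winlogon UIHost, Windows File Protection turned off, Security Center overrides, the firewall disabled, and ComboFix Sigcheck "[-]" entries). The sample lines are copied from the DDS log above and the ComboFix log posted in reply; the rule names, the rule logic and the reading of the "[-]" marker as a hash mismatch are my own assumptions.

```python
import re
from collections import Counter
from typing import Callable, Dict, List, Optional

# Constructed sample input: lines copied from the DDS and ComboFix logs in this thread.
SAMPLE_LOG = r"""
mWinlogon: SfcDisable=-99 (0xffffff9d)
mWinlogon: UIHost=c:\windows\system32\logonuiX.exe
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
c:\windows\system32\drivers\gaopdxnsthklyabrfqquxewwxymxewswvboexw.sys
c:\windows\system32\gaopdxbfprfdabcplwaivakcplnreugudyvjom.dll
c:\windows\system32\gaopdxcounter
c:\windows\system32\drivers\mbam.sys
[-] 2009-02-08 23:41 361600 25A740D70E8007814A48D3FA1B34FA34 c:\windows\system32\drivers\tcpip.sys
"UIHost"="c:\windows\system32\logonuiX.exe"
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"EnableFirewall"= 0 (0x0)
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"""

# Stock Windows XP logon UI; anything else in UIHost deserves a look (assumption: XP default).
DEFAULT_UIHOST = r"c:\windows\system32\logonui.exe"

Check = Callable[[str], Optional[str]]


def check_gaopdx(line: str) -> Optional[str]:
    # "gaopdx" followed by a random run of letters: the files ComboFix deleted in this
    # thread, and the name Malwarebytes kept re-detecting after every reboot.
    if re.search(r"\\gaopdx[a-z0-9]*(\.sys|\.dll)?$", line, re.I):
        return "gaopdx-prefixed file with random suffix; re-check after reboot, it came back each time here"
    return None


def check_uihost(line: str) -> Optional[str]:
    # Winlogon UIHost runs at logon with SYSTEM rights; compare against the stock binary.
    m = re.search(r'UIHost"?\s*=\s*"?([^"\s]+)', line, re.I)
    if m and m.group(1).lower() != DEFAULT_UIHOST:
        return f"Winlogon UIHost is {m.group(1)}, not the stock logonui.exe; confirm it is a known logon-theme tool"
    return None


def check_sfc(line: str) -> Optional[str]:
    # Any non-zero SfcDisable means Windows File Protection will not restore replaced system files.
    m = re.search(r"SfcDisable\s*=\s*(-?\d+)", line, re.I)
    if m and int(m.group(1)) != 0:
        return "Windows File Protection disabled; patched system files will not be restored"
    return None


def check_sigcheck(line: str) -> Optional[str]:
    # Assumption: ComboFix marks a system file whose hash did not match a known-good copy with "[-]".
    if line.startswith("[-]"):
        return "Sigcheck mismatch; compare the file hash against a clean copy of the same build"
    return None


def check_security_center(line: str) -> Optional[str]:
    m = re.match(r'"(AntiVirusOverride|FirewallOverride)"\s*=\s*dword:0*1$', line, re.I)
    if m:
        return f"Security Center {m.group(1)} set; the missing-protection warning is suppressed"
    return None


def check_firewall(line: str) -> Optional[str]:
    if re.match(r'"EnableFirewall"\s*=\s*0\b', line, re.I):
        return "Windows Firewall is off for the standard profile"
    return None


RULES: List[tuple] = [
    ("gaopdx-file", check_gaopdx),
    ("winlogon-uihost", check_uihost),
    ("sfc-disabled", check_sfc),
    ("sigcheck-mismatch", check_sigcheck),
    ("security-center-override", check_security_center),
    ("firewall-off", check_firewall),
]


def triage(log_text: str) -> List[Dict[str, str]]:
    """Run every rule over every non-empty line; return one finding per (rule, line) hit."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        for name, check in RULES:
            note = check(line)
            if note:
                findings.append({"rule": name, "line": line, "note": note})
    return findings


def summarize(findings: List[Dict[str, str]]) -> Dict[str, int]:
    """Count findings per rule, so the reply can lead with what matters most."""
    return dict(Counter(f["rule"] for f in findings))


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for f in hits:
        print(f"[{f['rule']}] {f['line']}\n    {f['note']}")
    print(summarize(hits))
```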
Old 05-18-2009, 07:55 AM   #5 (permalink)
Registered User
 
Join Date: May 2009
Posts: 10
OS: Win XP


Re: Trojan "gaopdxcounter" Reappears

Here is the requested log:

ComboFix 09-05-17.05 - Admin 05/18/2009 8:46.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.636 [GMT -5:00]
Running from: c:\documents and settings\Admin\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\Admin\LOCALS~1\Temp\tmp1.tmp
c:\docume~1\Admin\LOCALS~1\Temp\tmp2.tmp
c:\documents and settings\Admin\Application Data\inst.exe
c:\windows\system32\drivers\gaopdxnsthklyabrfqquxewwxymxewswvboexw.sys
c:\windows\system32\drivers\gaopdxnthxymyrodabwuhbbgrfjxkevpapqjxt.sys
c:\windows\system32\drivers\gaopdxtuunlsppjeclxdxtiunpfqrodnhukkmx.sys
c:\windows\system32\drivers\gaopdxudnuklfdbobpaoraxsotnomyilnabvyf.sys
c:\windows\system32\gaopdxbfprfdabcplwaivakcplnreugudyvjom.dll
c:\windows\system32\gaopdxcounter

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_gaopdxserv.sys


((((((((((((((((((((((((( Files Created from 2009-04-18 to 2009-05-18 )))))))))))))))))))))))))))))))
.

2009-05-18 13:45 . 2009-05-18 13:45 -------- d-----w c:\documents and settings\All Users\Application Data\SITEguard
2009-05-13 09:58 . 2009-05-13 09:58 -------- d-----w c:\documents and settings\Admin\Local Settings\Application Data\Navnet_Solutions
2009-05-13 09:05 . 2009-05-13 09:05 -------- d-----w c:\documents and settings\Admin\Application Data\NavNet Solutions
2009-05-11 05:18 . 2009-04-06 20:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-11 05:18 . 2009-04-06 20:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-11 00:19 . 2009-05-11 00:19 -------- d-----w c:\program files\STOPzilla!
2009-05-11 00:19 . 2009-05-11 00:19 -------- d-----w c:\program files\Common Files\iS3
2009-05-11 00:19 . 2009-05-18 13:46 -------- d-----w c:\documents and settings\All Users\Application Data\STOPzilla!
2009-05-10 05:37 . 2009-05-18 06:02 -------- d-----w c:\documents and settings\Admin\Application Data\AVGTOOLBAR
2009-05-10 05:11 . 2009-05-10 05:11 -------- d-----w c:\program files\Trend Micro
2009-05-10 05:10 . 2009-05-10 05:10 -------- d-----w C:\!KillBox
2009-05-08 23:31 . 2009-05-08 23:31 -------- d-----w c:\documents and settings\Admin\Local Settings\Application Data\SCE
2009-05-08 05:09 . 2009-05-08 05:09 -------- d-----w c:\program files\Common Files\DivX Shared
2009-05-08 02:50 . 2009-05-08 02:50 -------- d-----w c:\program files\iPod
2009-05-08 02:50 . 2009-05-08 02:50 -------- d-----w c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-05-08 02:50 . 2009-05-08 02:50 -------- d-----w c:\program files\iTunes
2009-05-01 02:45 . 2009-05-01 02:45 -------- d-----w c:\documents and settings\NetworkService\Local Settings\Application Data\Apple
2009-04-29 10:18 . 2009-04-29 10:18 717296 ----a-w c:\windows\system32\drivers\sptd.sys
2009-04-29 10:18 . 2009-04-29 10:18 -------- d-----w c:\program files\LSoft Technologies Inc
2009-04-29 10:10 . 2009-02-24 23:42 116736 ----a-w c:\windows\system32\drivers\mcdbus.sys
2009-04-29 10:10 . 2009-04-29 10:10 -------- d-----w c:\program files\MagicDisc
2009-04-29 10:09 . 2009-04-29 10:09 -------- d-----w c:\program files\MagicISO

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-11 05:19 . 2009-03-25 04:17 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-05-11 00:08 . 2009-03-05 08:13 -------- d-----w c:\program files\SpyBotSD
2009-05-10 05:20 . 2009-03-14 19:57 -------- d--h--w c:\program files\InstallShield Installation Information
2009-05-09 23:05 . 2009-03-25 16:05 11952 ----a-w c:\windows\system32\avgrsstx.dll
2009-05-09 23:05 . 2009-03-25 16:05 325896 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-05-09 23:05 . 2009-03-25 16:05 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-05-08 05:21 . 2009-03-07 05:05 -------- d-----w c:\program files\DivX
2009-05-08 02:50 . 2009-03-13 20:13 -------- d-----w c:\program files\Common Files\Apple
2009-05-04 05:22 . 2009-03-05 08:09 -------- d-----w c:\program files\Java
2009-04-29 11:14 . 2009-03-14 19:01 -------- d-----w c:\program files\EA GAMES
2009-04-18 06:38 . 2009-04-18 06:38 -------- d-----w c:\program files\Plant Tycoon
2009-04-16 12:59 . 2009-03-04 09:32 -------- d-----w c:\program files\Common Files\Adobe
2009-04-08 03:06 . 2009-03-05 06:27 246848 ----a-w c:\documents and settings\Admin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-03 23:34 . 2009-03-05 08:09 -------- d-----w c:\program files\Opera
2009-03-31 19:57 . 2009-03-31 19:57 17408 ----a-r c:\windows\system32\SZIO5.dll
2009-03-31 19:56 . 2009-03-31 19:56 294912 ----a-r c:\windows\system32\SZBase5.dll
2009-03-31 19:55 . 2009-03-31 19:55 540672 ----a-r c:\windows\system32\SZComp5.dll
2009-03-28 20:28 . 2009-03-28 20:28 -------- d-----w c:\program files\Microsoft CAPICOM 2.1.0.2
2009-03-27 15:56 . 2009-03-27 15:56 126976 ----a-r c:\windows\system32\IS3HTUI5.dll
2009-03-27 15:55 . 2009-03-27 15:55 393216 ----a-r c:\windows\system32\IS3DBA5.dll
2009-03-27 15:55 . 2009-03-27 15:55 372736 ----a-r c:\windows\system32\IS3UI5.dll
2009-03-27 15:55 . 2009-03-27 15:55 61440 ----a-r c:\windows\system32\IS3Hks5.dll
2009-03-27 15:54 . 2009-03-27 15:54 23040 ----a-r c:\windows\system32\IS3XDat5.dll
2009-03-27 15:54 . 2009-03-27 15:54 221184 ----a-r c:\windows\system32\IS3Win325.dll
2009-03-27 15:54 . 2009-03-27 15:54 94208 ----a-r c:\windows\system32\IS3Inet5.dll
2009-03-27 15:53 . 2009-03-27 15:53 90112 ----a-r c:\windows\system32\IS3Svc5.dll
2009-03-27 15:50 . 2009-03-27 15:50 716800 ----a-r c:\windows\system32\IS3Base5.dll
2009-03-26 22:01 . 2009-03-26 22:01 -------- d-----w c:\program files\Common Files\INCA Shared
2009-03-25 16:05 . 2009-03-25 16:05 -------- d-----w c:\program files\AVG
2009-03-25 04:01 . 2009-03-25 04:01 -------- d-----w c:\program files\Tukero[X]Team
2009-03-21 21:01 . 2009-03-21 21:01 -------- d-----w c:\program files\Microsoft Games
2009-03-21 00:43 . 2009-03-05 09:48 2724 --sha-w c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2009-03-21 00:28 . 2009-03-21 00:27 -------- d-----w c:\program files\Common Files\AVSMedia
2009-03-21 00:27 . 2009-03-21 00:27 -------- d-----w c:\program files\AVSMedia
2009-03-21 00:13 . 2009-03-21 00:13 -------- d-----w c:\program files\Audacity
2009-03-21 00:02 . 2009-03-21 00:01 -------- d-----w c:\program files\AoA Audio Extractor
2009-03-20 23:44 . 2009-03-20 23:44 47360 ----a-w c:\windows\system32\drivers\pcouffin.sys
2009-03-20 23:44 . 2009-03-20 23:44 47360 ----a-w c:\documents and settings\Admin\Application Data\pcouffin.sys
2009-03-20 23:44 . 2009-03-20 23:44 -------- d-----w c:\program files\VSO
2009-03-20 23:30 . 2009-03-20 23:30 -------- d-----w c:\program files\PowerISO
2009-03-19 21:32 . 2009-03-13 20:15 23400 ----a-w c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-19 05:08 . 2009-03-19 05:04 139528 ----a-w c:\windows\hpoins21.dat
2009-03-12 17:18 . 2009-03-12 17:18 54656 ----a-r c:\windows\system32\drivers\SZKG.sys
2009-03-09 10:19 . 2009-03-05 08:10 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-06 13:49 . 2008-04-14 12:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-05 10:00 . 2009-03-05 09:48 88 --sh--r c:\documents and settings\All Users\Application Data\09389EC51B.sys
2009-03-05 07:14 . 2008-04-14 12:00 4389888 ----a-w c:\windows\system32\logonuiX.exe
2009-03-05 06:36 . 2009-03-05 06:36 0 ----a-w c:\windows\nsreg.dat
2009-03-05 06:21 . 2009-03-05 06:21 335440 ----a-w c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-03-05 06:06 . 2009-03-05 06:06 21640 ----a-w c:\windows\system32\emptyregdb.dat
2009-03-03 00:17 . 2009-02-08 23:40 828416 ----a-w c:\windows\system32\wininet.dll
2009-02-20 18:09 . 2009-02-08 23:40 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-24 19:34 . 2009-02-24 19:34 1044480 ----a-w c:\program files\mozilla firefox\plugins\libdivx.dll
2009-02-24 19:34 . 2009-02-24 19:34 200704 ----a-w c:\program files\mozilla firefox\plugins\ssldivx.dll
2009-02-24 19:34 . 2009-02-24 19:34 1044480 ----a-w c:\program files\opera\program\plugins\libdivx.dll
2009-02-24 19:34 . 2009-02-24 19:34 200704 ----a-w c:\program files\opera\program\plugins\ssldivx.dll
.

------- Sigcheck -------

[-] 2009-02-08 23:41 361600 25A740D70E8007814A48D3FA1B34FA34 c:\windows\system32\drivers\tcpip.sys

[-] 2004-08-03 21:00 1110528 9A41E77AF64CA976E6F61B55401CBEBB c:\windows\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-28 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-28 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-28 137752]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-12-06 1024000]
"DriveSpace"="c:\program files\Drive Space Indicator\DrvSpace.exe" [2009-01-13 416173]
"LogonStudio"="c:\program files\WinCustomize\LogonStudio\logonstudio.exe" [2002-09-04 987187]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2009-02-27 38768]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2009-02-27 640376]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2008-04-10 16861184]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowDeskFix"="shell32" [X]
"_nltide_3"="advpack.dll" - c:\windows\system32\advpack.dll [2009-02-20 124928]

c:\documents and settings\Admin\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-7 101440]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMMyDocs"= 1 (0x1)
"NoSMMyPictures"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMMyDocs"= 1 (0x1)
"NoSMMyPictures"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\windows\system32\logonuiX.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
2005-12-21 06:57 176128 ----a-w c:\progra~1\Stardock\OBJECT~1\WINDOW~1\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-09 23:05 11952 ----a-w c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^Admin^Start Menu^Programs^Startup^GetValidID V2 by DenniZ.vbs]
path=c:\documents and settings\Admin\Start Menu\Programs\Startup\GetValidID V2 by DenniZ.vbs
backup=c:\windows\pss\GetValidID V2 by DenniZ.vbsStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Admin^Start Menu^Programs^Startup^MagicDisc.lnk]
path=c:\documents and settings\Admin\Start Menu\Programs\Startup\MagicDisc.lnk
backup=c:\windows\pss\MagicDisc.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\Microsoft Games\\Zoo Tycoon 2\\zt.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4

R0 szkg5;szkg;c:\windows\system32\drivers\SZKG.sys [3/12/2009 12:18 PM 54656]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [3/25/2009 11:05 AM 325896]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [3/25/2009 11:05 AM 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [5/10/2009 12:37 AM 908568]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [5/10/2009 12:37 AM 298776]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{D58F39FF-953E-4F45-898F-59F243B9A523}]
RUNDLL32 advpack.dll,LaunchINFSection Sidebar.inf,Register
.
Contents of the 'Scheduled Tasks' folder

2009-05-08 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
LSP: c:\program files\Common Files\iS3\Anti-Spyware\iS3lsp.dll
Handler: navnet - {AD6E5643-7B0C-46AA-95AD-9773FF2A857A} -
FF - ProfilePath - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\qyuyrlxp.default\
FF - prefs.js: browser.startup.homepage - google.com
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\ToolbarFF\components\vmAVGConnector.dll
FF - plugin: c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\qyuyrlxp.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\Opera\program\plugins\npdivx32.dll
FF - plugin: c:\program files\Opera\program\plugins\nppl3260.dll
FF - plugin: c:\program files\Opera\program\plugins\nprpjplug.dll
FF - plugin: c:\program files\Opera\program\plugins\NPTURNMED.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-18 08:50
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1032)
c:\progra~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

- - - - - - - > 'lsass.exe'(1088)
c:\program files\Common Files\iS3\Anti-Spyware\iS3lsp.dll
.
Completion time: 2009-05-18 8:52
ComboFix-quarantined-files.txt 2009-05-18 13:52

Pre-Run: 14,434,344,960 bytes free
Post-Run: 16,823,033,856 bytes free

237 --- E O F --- 2009-05-13 08:01
faythe1215 is offline  
Old 05-18-2009, 09:41 AM   #6 (permalink)
Analyst, Security Team
 
Join Date: Jan 2009
Location: Canada
Posts: 2,174
OS: XP sp3


Re: Trojan "gaopdxcounter" Reappears

Hi,

I would like you to upload a file to be scanned
  • Make sure to use Internet Explorer for this
  • Please go to VirSCAN.org FREE on-line scan service
  • Copy and paste the following file path into the "Suspicious files to scan" box on the top of the page:

    c:\windows\explorer.exe
  • Click on the Upload button
  • If a pop-up appears saying the file has been scanned already, please select the ReScan button.
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.
__________________


ASAP & UNITE Member
CatByte is offline  
Old 05-18-2009, 05:01 PM   #7 (permalink)
Registered User
 
Join Date: May 2009
Posts: 10
OS: Win XP


Re: Trojan "gaopdxcounter" Reappears

Thank you for your help!

I tried this numerous times, but the results would not go to the clipboard (though the site said that it did).

No malware was found within that file, however.
faythe1215 is offline  
Old 05-18-2009, 05:03 PM   #8 (permalink)
Registered User
 
Join Date: May 2009
Posts: 10
OS: Win XP


Re: Trojan "gaopdxcounter" Reappears

I was able to look at the source document and pull a results "log" with some javascript tags on it. If you'd like, I can post that.
faythe1215 is offline  
Old 05-18-2009, 05:14 PM   #9 (permalink)
Analyst, Security Team
 
Join Date: Jan 2009
Location: Canada
Posts: 2,174
OS: XP sp3


Re: Trojan "gaopdxcounter" Reappears

OK, thanks. Post what you have, but try the scan at this site as well, just to be certain.

Go to this site:
http://www.virustotal.com/
On top you'll find 'Browse'
Click the browse button and browse to the file:

c:\windows\explorer.exe

Click open.
Then click the 'Send' button next to it.
This will scan the file. Please be patient.
Once scanned, copy and paste the results as well in your next reply.
__________________


ASAP & UNITE Member
CatByte is offline  
Old 05-19-2009, 01:12 PM   #10 (permalink)
Registered User
 
Join Date: May 2009
Posts: 10
OS: Win XP


Re: Trojan "gaopdxcounter" Reappears

Virscan Log:

<script type="text/javascript">
var virinfo_ff="VirSCAN.org Scanned Report :\r\nScanned time : 2009/05/19 06:49:17 (CST)\r\nScanner results: All Scanners reported not find malware!\r\nFile Name : explorer.exe\r\nFile Size : 1110528 byte\r\nFile Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit\r\nMD5 : 9a41e77af64ca976e6f61b55401cbebb\r\nSHA1 : aa657ab2784a4c43d0fc84c1cd029d4e5a334680\r\nOnline report : http://virscan.org/report/ee75b2c5ba...r\n\r\nScanner Engine Ver Sig Ver Sig Date Time Scan result\r\na-squared 4.0.0.32 20090519010230 2009-05-19 2.30 -\r\nAhnLab V3 2009.05.18.02 2009.05.18 2009-05-18 0.76 -\r\nAntiVir 8.2.0.168 7.1.3.223 2009-05-18 0.26 -\r\nAntiy 2.0.18 2.0.18. 0002-18-00 0.02 -\r\nArcavir 2009 200905181517 2009-05-18 0.07 -\r\nAuthentium 5.1.1 200905181934 2009-05-18 2.09 -\r\nAVAST! 4.7.4 090518-0 2009-05-18 0.05 -\r\nAVG 8.5.286 270.12.33/2120 2009-05-18 3.29 -\r\nBitDefender 7.81008.2993161 7.25491 2009-05-19 2.78 -\r\nCA (VET) 9.0.0.143 31.6.6508 2009-05-18 5.87 -\r\nClamAV 0.95 9366 2009-05-18 0.20 -\r\nComodo 3.9 1172 2009-05-18 0.70 -\r\nCP Secure 1.1.0.715 2009.05.18 2009-05-18 9.22 -\r\nDr.Web 4.44.0.9170 2009.05.18 2009-05-18 4.84 -\r\nF-Prot 4.4.4.56 20090518 2009-05-18 2.03 -\r\nF-Secure 5.51.6100 2009.05.18.03 2009-05-18 0.08 -\r\nFortinet 2.81-3.117 10.404 2009-05-18 0.22 -\r\nGData 19.5282/19.335 20090519 2009-05-19 4.04 -\r\nViRobot 20090518 2009.05.18 2009-05-18 0.41 -\r\nIkarus T3.1.01.49 2009.05.18.72736 2009-05-18 3.23 -\r\nJiangMin 11.0.706 2009.05.18 2009-05-18 2.00 -\r\nKaspersky 5.5.10 2009.05.18 2009-05-18 0.05 -\r\nKingSoft 2009.2.5.15 2009.5.18.21 2009-05-18 0.54 -\r\nMcAfee 5.3.00 5619 2009-05-18 2.93 -\r\nMicrosoft 1.4602 2009.05.19 2009-05-19 4.47 -\r\nmks_vir 2.01 2009.05.18 2009-05-18 3.20 -\r\nNorman 6.01.05 6.01.00 2009-05-15 4.00 -\r\nPanda 9.05.01 2009.05.16 2009-05-16 2.12 -\r\nTrend Micro 8.700-1004 6.136.04 2009-05-18 0.03 -\r\nQuick Heal 10.00 2009.05.15 2009-05-15 1.57 -\r\nRising 20.0 21.30.04.00 2009-05-18 0.88 -\r\nSophos 2.86.0 4.41 2009-05-19 2.38 -\r\nSunbelt 5141 5141 2009-05-18 0.96 -\r\nSymantec 1.3.0.24 20090518.004 2009-05-18 0.07 -\r\nnProtect 20090518.02 3715003 2009-05-18 5.40 -\r\nThe Hacker 6.3.4.1 v00326 2009-05-16 0.66 -\r\nVBA32 3.12.10.5 20090517.1716 2009-05-17 1.96 -\r\nVirusBuster 4.5.11.10 10.105.31/1379672 2009-05-18 3.35 -\r\n";
var virinfo_ie="VirSCAN.org Scanned Report :\r\nScanned time : 2009/05/19 06:49:17 (CST)\r\nScanner results: All Scanners reported not find malware!\r\nFile Name : explorer.exe\r\nFile Size : 1110528 byte\r\nFile Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit\r\nMD5 : 9a41e77af64ca976e6f61b55401cbebb\r\nSHA1 : aa657ab2784a4c43d0fc84c1cd029d4e5a334680\r\nOnline report : http://virscan.org/report/ee75b2c5ba...r\n\r\nScanner Engine Ver Sig Ver Sig Date Time Scan result\r\na-squared 4.0.0.32 20090519010230 2009-05-19 2.30 -\r\nAhnLab V3 2009.05.18.02 2009.05.18 2009-05-18 0.76 -\r\nAntiVir 8.2.0.168 7.1.3.223 2009-05-18 0.26 -\r\nAntiy 2.0.18 2.0.18. 0002-18-00 0.02 -\r\nArcavir 2009 200905181517 2009-05-18 0.07 -\r\nAuthentium 5.1.1 200905181934 2009-05-18 2.09 -\r\nAVAST! 4.7.4 090518-0 2009-05-18 0.05 -\r\nAVG 8.5.286 270.12.33/2120 2009-05-18 3.29 -\r\nBitDefender 7.81008.2993161 7.25491 2009-05-19 2.78 -\r\nCA (VET) 9.0.0.143 31.6.6508 2009-05-18 5.87 -\r\nClamAV 0.95 9366 2009-05-18 0.20 -\r\nComodo 3.9 1172 2009-05-18 0.70 -\r\nCP Secure 1.1.0.715 2009.05.18 2009-05-18 9.22 -\r\nDr.Web 4.44.0.9170 2009.05.18 2009-05-18 4.84 -\r\nF-Prot 4.4.4.56 20090518 2009-05-18 2.03 -\r\nF-Secure 5.51.6100 2009.05.18.03 2009-05-18 0.08 -\r\nFortinet 2.81-3.117 10.404 2009-05-18 0.22 -\r\nGData 19.5282/19.335 20090519 2009-05-19 4.04 -\r\nViRobot 20090518 2009.05.18 2009-05-18 0.41 -\r\nIkarus T3.1.01.49 2009.05.18.72736 2009-05-18 3.23 -\r\nJiangMin 11.0.706 2009.05.18 2009-05-18 2.00 -\r\nKaspersky 5.5.10 2009.05.18 2009-05-18 0.05 -\r\nKingSoft 2009.2.5.15 2009.5.18.21 2009-05-18 0.54 -\r\nMcAfee 5.3.00 5619 2009-05-18 2.93 -\r\nMicrosoft 1.4602 2009.05.19 2009-05-19 4.47 -\r\nmks_vir 2.01 2009.05.18 2009-05-18 3.20 -\r\nNorman 6.01.05 6.01.00 2009-05-15 4.00 -\r\nPanda 9.05.01 2009.05.16 2009-05-16 2.12 -\r\nTrend Micro 8.700-1004 6.136.04 2009-05-18 0.03 -\r\nQuick Heal 10.00 2009.05.15 2009-05-15 1.57 -\r\nRising 20.0 21.30.04.00 2009-05-18 0.88 -\r\nSophos 2.86.0 4.41 2009-05-19 2.38 -\r\nSunbelt 5141 5141 2009-05-18 0.96 -\r\nSymantec 1.3.0.24 20090518.004 2009-05-18 0.07 -\r\nnProtect 20090518.02 3715003 2009-05-18 5.40 -\r\nThe Hacker 6.3.4.1 v00326 2009-05-16 0.66 -\r\nVBA32 3.12.10.5 20090517.1716 2009-05-17 1.96 -\r\nVirusBuster 4.5.11.10 10.105.31/1379672 2009-05-18 3.35 -\r\n";



VirusTotal Log:

Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.05.19 -
AhnLab-V3 5.0.0.2 2009.05.19 -
AntiVir 7.9.0.168 2009.05.19 -
Antiy-AVL 2.0.3.1 2009.05.18 -
Authentium 5.1.2.4 2009.05.19 -
Avast 4.8.1335.0 2009.05.18 -
AVG 8.5.0.336 2009.05.18 -
BitDefender 7.2 2009.05.19 -
CAT-QuickHeal 10.00 2009.05.15 -
ClamAV 0.94.1 2009.05.19 -
Comodo 1157 2009.05.08 -
DrWeb 5.0.0.12182 2009.05.19 -
eSafe 7.0.17.0 2009.05.18 -
eTrust-Vet 31.6.6509 2009.05.18 -
F-Prot 4.4.4.56 2009.05.18 -
F-Secure 8.0.14470.0 2009.05.19 -
Fortinet 3.117.0.0 2009.05.18 -
GData 19 2009.05.19 -
Ikarus T3.1.1.49.0 2009.05.19 -
K7AntiVirus 7.10.737 2009.05.16 -
Kaspersky 7.0.0.125 2009.05.19 -
McAfee 5619 2009.05.18 -
McAfee+Artemis 5619 2009.05.18 -
McAfee-GW-Edition 6.7.6 2009.05.19 -
Microsoft 1.4602 2009.05.19 -
NOD32 4085 2009.05.19 -
Norman 6.01.05 2009.05.18 -
nProtect 2009.1.8.0 2009.05.19 -
Panda 10.0.0.14 2009.05.18 Suspicious file
PCTools 4.4.2.0 2009.05.18 -
Prevx 3.0 2009.05.19 -
Rising 21.30.10.00 2009.05.19 -
Sophos 4.41.0 2009.05.19 -
Sunbelt 3.2.1858.2 2009.05.18 -
Symantec 1.4.4.12 2009.05.19 -
TheHacker 6.3.4.1.327 2009.05.19 -
TrendMicro 8.950.0.1092 2009.05.19 -
VBA32 3.12.10.5 2009.05.19 -
ViRobot 2009.5.19.1740 2009.05.19 -
VirusBuster 4.6.5.0 2009.05.18 -
Additional information
File size: 1110528 bytes
MD5...: 9a41e77af64ca976e6f61b55401cbebb
SHA1..: aa657ab2784a4c43d0fc84c1cd029d4e5a334680
SHA256: 9bdf6424317164313b3fe7f73ec5f4498cee38633d1e6206267968992efe7f0f
SHA512: b71adabb12d15abe240f9ece2f8c84510647290f79e99311bdac7702864109e8
7a863f66bc6640b47b064dbff26a887b3bdfbfcd9ccddf491790c4b07bc791bc
ssdeep: 24576:BzEuAwj2fNuIIlqq5Vu8quyeW3xM9yvewn:BzvKfNuIIlqq7umPI3eK
PEiD..: -
TrID..: File type identification
Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x1e24e
timedatestamp.....: 0x41107ece (Wed Aug 04 06:14:38 2004)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x44689 0x44800 6.38 b257b3cd7102cece46cd7366aff0f34b
.data 0x46000 0x1d90 0x1800 1.29 d0b87d8ce5a34731be197efb73b5d7bf
.rsrc 0x48000 0xc54eb 0xc5600 6.54 d0c9ed80260fc4d52ae1b577f0ae2db9
.reloc 0x10e000 0x36dc 0x3800 6.75 ee49ce3a409d6d28c1d63eabd34499b3

( 13 imports )
> msvcrt.dll: _itow, free, memmove, realloc, _except_handler3, malloc, _ftol, _vsnwprintf
> ADVAPI32.dll: RegSetValueW, RegEnumKeyExW, GetUserNameW, RegNotifyChangeKeyValue, RegEnumValueW, RegQueryValueExA, RegOpenKeyExA, RegEnumKeyW, RegCloseKey, RegCreateKeyW, RegQueryInfoKeyW, RegOpenKeyExW, RegQueryValueExW, RegCreateKeyExW, RegSetValueExW, RegDeleteValueW, RegQueryValueW
> KERNEL32.dll: GetSystemDirectoryW, CreateThread, CreateJobObjectW, ExitProcess, SetProcessShutdownParameters, ReleaseMutex, CreateMutexW, SetPriorityClass, GetCurrentProcess, GetStartupInfoW, GetCommandLineW, SetErrorMode, LeaveCriticalSection, EnterCriticalSection, ResetEvent, LoadLibraryExA, CompareFileTime, GetSystemTimeAsFileTime, SetThreadPriority, GetCurrentThreadId, GetThreadPriority, GetCurrentThread, GetUserDefaultLangID, Sleep, GetBinaryTypeW, GetModuleHandleExW, SystemTimeToFileTime, GetLocalTime, GetCurrentProcessId, GetEnvironmentVariableW, UnregisterWait, GlobalGetAtomNameW, GetFileAttributesW, MoveFileW, lstrcmpW, LoadLibraryExW, FindClose, FindNextFileW, FindFirstFileW, lstrcmpiA, SetEvent, AssignProcessToJobObject, GetDateFormatW, GetTimeFormatW, FlushInstructionCache, lstrcpynW, GetSystemWindowsDirectoryW, SetLastError, GetProcessHeap, HeapFree, HeapReAlloc, HeapSize, HeapAlloc, GetUserDefaultLCID, ReadProcessMemory, OpenProcess, InterlockedCompareExchange, LoadLibraryA, QueryPerformanceCounter, UnhandledExceptionFilter, SetUnhandledExceptionFilter, VirtualFree, VirtualAlloc, ResumeThread, TerminateProcess, TerminateThread, GetSystemDefaultLCID, GetLocaleInfoW, CreateEventW, GetLastError, RegisterWaitForSingleObject, OpenEventW, WaitForSingleObject, GetTickCount, ExpandEnvironmentStringsW, GetModuleFileNameW, GetPrivateProfileStringW, lstrcmpiW, CreateProcessW, FreeLibrary, GetWindowsDirectoryW, LocalAlloc, CreateFileW, DeviceIoControl, LocalFree, GetQueuedCompletionStatus, CreateIoCompletionPort, SetInformationJobObject, CloseHandle, LoadLibraryW, GetModuleHandleW, ActivateActCtx, DeactivateActCtx, DelayLoadFailureHook, GetProcAddress, DeleteCriticalSection, CreateEventA, HeapDestroy, InitializeCriticalSection, GetFileAttributesExW, MulDiv, lstrlenW, InterlockedDecrement, InterlockedIncrement, GlobalAlloc, InterlockedExchange, GetModuleHandleA, GetVersionExA, GlobalFree, GetProcessTimes, lstrcpyW, GetLongPathNameW, InitializeCriticalSectionAndSpinCount
> GDI32.dll: GetStockObject, CreatePatternBrush, OffsetViewportOrgEx, GetLayout, CombineRgn, CreateDIBSection, GetTextExtentPoint32W, StretchBlt, SetTextColor, CreateRectRgn, GetClipRgn, IntersectClipRect, GetViewportOrgEx, SetViewportOrgEx, SelectClipRgn, PatBlt, GetBkColor, CreateCompatibleDC, CreateCompatibleBitmap, OffsetWindowOrgEx, DeleteDC, SetBkColor, BitBlt, ExtTextOutW, GetTextExtentPointW, GetClipBox, GetObjectW, CreateRectRgnIndirect, SetBkMode, CreateFontIndirectW, DeleteObject, GetTextMetricsW, SelectObject, GetDeviceCaps, TranslateCharsetInfo, SetStretchBltMode
> USER32.dll: TileWindows, GetDoubleClickTime, GetSystemMetrics, GetSysColorBrush, AllowSetForegroundWindow, LoadMenuW, GetSubMenu, RemoveMenu, SetParent, GetMessagePos, CheckDlgButton, EnableWindow, GetDlgItemInt, SetDlgItemInt, CopyIcon, AdjustWindowRectEx, DrawFocusRect, DrawEdge, ExitWindowsEx, WindowFromPoint, SetRect, AppendMenuW, LoadAcceleratorsW, LoadBitmapW, SendNotifyMessageW, SetWindowPlacement, CheckMenuItem, EndDialog, SendDlgItemMessageW, MessageBeep, GetActiveWindow, PostQuitMessage, MoveWindow, GetDlgItem, RemovePropW, GetClassNameW, GetDCEx, SetCursorPos, ChildWindowFromPoint, ChangeDisplaySettingsW, RegisterHotKey, UnregisterHotKey, SetCursor, SendMessageTimeoutW, GetWindowPlacement, LoadImageW, SetWindowRgn, IntersectRect, OffsetRect, EnumDisplayMonitors, RedrawWindow, SubtractRect, TranslateAcceleratorW, WaitMessage, InflateRect, CallWindowProcW, GetDlgCtrlID, SetCapture, LockSetForegroundWindow, CopyRect, SystemParametersInfoW, FindWindowW, CreatePopupMenu, GetMenuDefaultItem, DestroyMenu, GetShellWindow, EnumChildWindows, GetWindowLongW, SendMessageW, RegisterWindowMessageW, GetKeyState, MonitorFromRect, MonitorFromPoint, RegisterClassW, SetPropW, GetWindowLongA, SetWindowLongW, FillRect, GetCursorPos, PtInRect, MessageBoxW, LoadStringW, ReleaseDC, GetDC, EnumDisplaySettingsExW, EnumDisplayDevicesW, PostMessageW, DispatchMessageW, TranslateMessage, GetMessageW, PeekMessageW, BeginPaint, EndPaint, SetWindowTextW, GetAsyncKeyState, InvalidateRect, GetWindow, ShowWindowAsync, TrackPopupMenuEx, UpdateWindow, DestroyIcon, IsRectEmpty, SetActiveWindow, GetSysColor, DrawTextW, IsHungAppWindow, SetTimer, GetMenuItemID, TrackPopupMenu, EndTask, SendMessageCallbackW, GetClassLongW, LoadIconW, OpenInputDesktop, CloseDesktop, SetScrollPos, ShowWindow, BringWindowToTop, GetDesktopWindow, CascadeWindows, CharUpperBuffW, SwitchToThisWindow, InternalGetWindowText, GetScrollInfo, GetMenuItemCount, ModifyMenuW, CreateWindowExW, DialogBoxParamW, MsgWaitForMultipleObjects, CharNextA, RegisterClipboardFormatW, EndDeferWindowPos, DeferWindowPos, BeginDeferWindowPos, PrintWindow, SetClassLongW, GetPropW, GetNextDlgGroupItem, GetNextDlgTabItem, ChildWindowFromPointEx, IsChild, NotifyWinEvent, TrackMouseEvent, GetCapture, GetAncestor, CharUpperW, SetWindowLongA, DrawCaption, InsertMenuW, IsWindowEnabled, GetMenuState, LoadCursorW, GetParent, IsDlgButtonChecked, DestroyWindow, EnumWindows, IsWindowVisible, GetClientRect, UnionRect, EqualRect, GetWindowThreadProcessId, GetForegroundWindow, KillTimer, GetClassInfoExW, DefWindowProcW, RegisterClassExW, GetIconInfo, SetScrollInfo, GetLastActivePopup, SetForegroundWindow, IsWindow, GetSystemMenu, IsIconic, IsZoomed, EnableMenuItem, SetMenuDefaultItem, MonitorFromWindow, GetMonitorInfoW, GetWindowInfo, GetFocus, SetFocus, MapWindowPoints, ScreenToClient, ClientToScreen, GetWindowRect, SetWindowPos, DeleteMenu, GetMenuItemInfoW, SetMenuItemInfoW, CharNextW
> ntdll.dll: RtlNtStatusToDosError, NtQueryInformationProcess
> SHLWAPI.dll: StrCpyNW, -, -, -, -, StrRetToBufW, StrRetToStrW, -, -, -, -, SHQueryValueExW, PathIsNetworkPathW, -, AssocCreate, -, -, -, -, -, StrCatW, StrCpyW, -, -, -, -, -, -, -, SHGetValueW, -, StrCmpNIW, PathRemoveBlanksW, PathRemoveArgsW, PathFindFileNameW, StrStrIW, PathGetArgsW, -, StrToIntW, SHRegGetBoolUSValueW, SHRegWriteUSValueW, SHRegCloseUSKey, SHRegCreateUSKeyW, SHRegGetUSValueW, SHSetValueW, -, PathAppendW, PathUnquoteSpacesW, -, -, PathQuoteSpacesW, -, SHSetThreadRef, SHCreateThreadRef, -, -, -, PathCombineW, -, -, -, SHStrDupW, PathIsPrefixW, PathParseIconLocationW, AssocQueryKeyW, -, AssocQueryStringW, StrCmpW, -, -, -, -, -, -, -, -, SHRegQueryUSValueW, SHRegOpenUSKeyW, SHRegSetUSValueW, PathIsDirectoryW, PathFileExistsW, PathGetDriveNumberW, -, StrChrW, PathFindExtensionW, -, -, PathRemoveFileSpecW, PathStripToRootW, -, -, -, SHOpenRegStream2W, -, -, -, StrDupW, SHDeleteValueW, StrCatBuffW, SHDeleteKeyW, StrCmpIW, -, -, wnsprintfW, -, StrCmpNW, -, -
> SHELL32.dll: -, SHGetFolderPathW, -, -, -, -, -, ExtractIconExW, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, ShellExecuteExW, -, -, -, -, -, -, -, SHBindToParent, -, -, -, SHParseDisplayName, -, -, -, -, -, -, SHGetSpecialFolderLocation, -, -, -, -, SHGetSpecialFolderPathW, -, -, -, -, -, SHChangeNotify, SHGetDesktopFolder, SHAddToRecentDocs, -, -, -, DuplicateIcon, -, -, -, -, -, -, -, -, SHUpdateRecycleBinIcon, SHGetFolderLocation, SHGetPathFromIDListA, -, -, -, -, -, -, -, SHGetPathFromIDListW, -, -, -
> ole32.dll: CoFreeUnusedLibraries, RegisterDragDrop, CreateBindCtx, RevokeDragDrop, CoInitializeEx, CoUninitialize, OleInitialize, CoRevokeClassObject, CoRegisterClassObject, CoMarshalInterThreadInterfaceInStream, CoCreateInstance, OleUninitialize, DoDragDrop
> OLEAUT32.dll: -, -
> BROWSEUI.dll: -, -, -, -
> SHDOCVW.dll: -, -, -
> UxTheme.dll: GetThemeBackgroundContentRect, GetThemeBool, GetThemePartSize, DrawThemeParentBackground, OpenThemeData, DrawThemeBackground, GetThemeTextExtent, DrawThemeText, CloseThemeData, SetWindowTheme, GetThemeBackgroundRegion, -, GetThemeMargins, GetThemeColor, GetThemeFont, GetThemeRect, IsAppThemed

( 0 exports )
PDFiD.: -
RDS...: NSRL Reference Data Set
-
CWSandbox info: http://research.sunbelt-software.com/partnerresource/MD5.aspx?md5=9a41e77af64ca976e6f61b55401cbebb
faythe1215 is offline  
Old 05-19-2009, 07:06 PM   #11 (permalink)
Analyst, Security Team
 
Join Date: Jan 2009
Location: Canada
Posts: 2,174
OS: XP sp3


Re: Trojan "gaopdxcounter" Reappears

Hi,

Your System File Protection is turned off. Was this done by you or your husband?

If so, it is not wise as legitimate files could be lost without that protection/notification mechanism in place.

Explorer.exe has failed Microsoft's signature verification.

Even though the one on your system does not appear to be infected, it does not appear to be the correct version of the file.

Is it possible that, when you were fixing this machine prior to posting, this file was deleted and replaced from somewhere else?

If you could explain what specifically was done it would be helpful as we may need to replace this file to make sure your system remains stable.

If it was not touched by yourselves then we need to know that too.

Thank you
__________________


ASAP & UNITE Member
CatByte is offline  
Old 05-19-2009, 07:45 PM   #12 (permalink)
Analyst, Security Team
 
Join Date: Jan 2009
Location: Canada
Posts: 2,174
OS: XP sp3


Re: Trojan "gaopdxcounter" Reappears

Hi,

In case we need to replace that file - please do the following:

Press Start->Run, copy/paste the following command (it's one long command) into the run box and press OK:

cmd /c Vfind -ltf "%systemdrive%\explorer.*" >Log.txt&Log.txt&del Log.txt


A small black box will open and nothing will appear to be happening for a few minutes - this is normal.

When the search has been completed, a new file called Log.txt should appear on your Desktop; please post the contents with your next response.
__________________


ASAP & UNITE Member
CatByte is offline  
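The two checks CatByte runs in the replies above (the Microsoft signature verification that explorer.exe failed, and the Vfind search for every explorer.* on the system drive) can be reproduced from a PowerShell prompt. The script below is an added example written for this thread; it is not CatByte's tool and not part of the original post. The function names `Find-ExplorerCopies`, `Get-HexHash` and `Get-WfpState` are chosen here, and the reference hashes are placeholders copied from the VirusTotal report posted earlier in the thread, not trusted known-good values.

```powershell
# Added example for this thread (not CatByte's tool, not from the original post).
# Reproduces the analyst's checks on one machine:
#   1. find every explorer.* under the system drive (what the Vfind command did),
#   2. hash each hit and compare it with the hash you consider known-good,
#   3. ask Windows whether the file carries a valid Authenticode signature,
#   4. read the Windows File Protection switch (SFCDisable) CatByte asked about.
# Assumptions: Windows PowerShell; run from an administrator prompt so the
# recursive search can read protected directories.

$KnownGood = @{
    # Placeholder: the MD5/SHA1 pair VirusTotal reported for the file in this
    # thread. A trusted value comes from your own XP disc, not from a report.
    MD5  = '9a41e77af64ca976e6f61b55401cbebb'
    SHA1 = 'aa657ab2784a4c43d0fc84c1cd029d4e5a334680'
}

function Get-HexHash {
    param([string]$Path, [string]$Algorithm)
    # .NET hashing so this also works on PowerShell versions without Get-FileHash.
    $algo   = [System.Security.Cryptography.HashAlgorithm]::Create($Algorithm)
    $stream = [System.IO.File]::OpenRead($Path)
    try     { $bytes = $algo.ComputeHash($stream) }
    finally { $stream.Close() }
    return ([System.BitConverter]::ToString($bytes) -replace '-', '').ToLower()
}

function Get-WfpState {
    # SFCDisable = 0 (or absent) means Windows File Protection is active; any
    # other value means it has been switched off. The DWORD is read as a signed
    # int, so mask it before printing it as hex.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $val = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).SFCDisable
    if ($null -eq $val -or $val -eq 0) { return 'enabled' }
    return ('DISABLED (SFCDisable=0x{0:X8})' -f ($val -band 0xFFFFFFFF))
}

function Find-ExplorerCopies {
    param([string]$Root = "$env:SystemDrive\")
    Get-ChildItem -Path $Root -Filter 'explorer.*' -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            $sig    = Get-AuthenticodeSignature -FilePath $_.FullName
            $md5    = Get-HexHash -Path $_.FullName -Algorithm 'MD5'
            $sha1   = Get-HexHash -Path $_.FullName -Algorithm 'SHA1'
            $signer = ''
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
            New-Object PSObject -Property @{
                Path       = $_.FullName
                Bytes      = $_.Length
                ModifiedZ  = $_.LastWriteTimeUtc.ToString('s')
                MD5        = $md5
                SHA1       = $sha1
                # True only when both digests match the reference pair above.
                MatchesRef = ($md5 -eq $KnownGood.MD5 -and $sha1 -eq $KnownGood.SHA1)
                # Valid / NotSigned / HashMismatch. Caveat: XP-era OS binaries are
                # catalog-signed, so NotSigned alone is not proof of tampering
                # there; the hash comparison is the decisive check.
                SigStatus  = $sig.Status.ToString()
                Signer     = $signer
            }
        }
}

"Windows File Protection: $(Get-WfpState)"
Find-ExplorerCopies | Sort-Object Path |
    Format-Table Path, Bytes, ModifiedZ, MD5, MatchesRef, SigStatus -AutoSize
```

On XP itself the catalog-aware equivalents of the signature column are sigverif.exe (File Signature Verification) and sfc /scannow, the latter needing the XP Pro disc as CatByte notes later; a file that fails there but matches the hash of a copy from trusted install media is the case worth looking at more closely, while a file that fails both is the one to replace.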
Old 05-20-2009, 01:00 AM   #13 (permalink)
Registered User
 
Join Date: May 2009
Posts: 10
OS: Win XP


Re: Trojan "gaopdxcounter" Reappears

My husband said that he used Malwarebytes to remove the previous virus. Other than that, nothing else was done that you had not instructed. Anything done previously to this computer may have been done by a friend of mine. I had some trouble with this computer a few months ago, and he had reformatted and done who knows what else to the computer to get it up and running again.

Here is the requested log:

----a-w 20,394 2006-03-07 04:48:08 C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\Explorer.zip
----a-w 28,616 2007-06-04 13:22:42 C:\Program Files\Styler\TB\skins\Styler's\Frost\explorer.PNG
----a-w 7,718 2007-02-06 21:57:28 C:\Program Files\Styler\TB\skins\Styler's\Royale\explorer.png
----a-w 7,845 2006-09-10 04:17:16 C:\Program Files\Styler\TB\skins\Styler's\Vista Classic\explorer.png
----a-w 10,190 2006-01-16 19:34:00 C:\Program Files\Styler\TB\skins\Styler's\Vista Styler\explorer.png
----a-w 1,110,528 2004-08-03 21:00:00 C:\WINDOWS\explorer.exe
----a-w 80 2008-04-14 12:00:00 C:\WINDOWS\explorer.scf

Entries: 7 (7)
Directories: 0 Files: 7
Bytes: 1,185,371 Blocks: 2,318
faythe1215 is offline  
Old 05-20-2009, 05:51 AM   #14 (permalink)
Analyst, Security Team
 
Join Date: Jan 2009
Location: Canada
Posts: 2,174
OS: XP sp3


Re: Trojan "gaopdxcounter" Reappears

Hi,

It appears the file has been 'tweaked' - perhaps so your XP will look like Vista?

There is nothing wrong with that, but it will fail the windows signature verification, hence the reason the Windows File Protection has been disabled.

For more information on Windows File Protection see here:

http://www.microsoft.com/whdc/archive/wfp.mspx

(If you want to replace explorer.exe with an MS signed version, you will need your XP Pro disc.)

Let's continue on to ensure your system is completely clean of malware -


Please do the following:

Run an on-line scan with Kaspersky

Please do a scan with Kaspersky Online Scanner
  • Open the Kaspersky WebScanner page.
  • Click on the button on the main page.
  • The program will launch and fill in the Information section on the left.
  • Read the "Requirements and Limitations" then press the button.
  • The program will begin downloading the latest program and definition files. It may take a while so please be patient and let it finish.
  • Once the files have been downloaded, click on the ...button.
    In the scan settings make sure the following are selected:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases
      By default the above items should already be checked.
    • Click the button, if you made any changes.
  • Now under the Scan section on the left:

    Select My Computer
  • The program will now start and scan your system. This will run for a while, be patient and let it finish.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis.


Also, please advise how your computer is running now and if there are any outstanding issues.
__________________


ASAP & UNITE Member

Last edited by CatByte; 05-20-2009 at 05:57 AM.
CatByte is offline  
Old 05-21-2009, 02:02 PM   #15 (permalink)
Registered User
 
Join Date: May 2009
Posts: 10
OS: Win XP


Re: Trojan "gaopdxcounter" Reappears

There haven't been any problems. I actually thought I was in the clear. Occasionally (though it's been like this since my friend installed it), MS Word 2007 will error when I close an open Word file. It will ask to restore the file and then restart Word. I chalked it up to a Microsoft thing.

Here is the requested log:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Thursday, May 21, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Thursday, May 21, 2009 06:57:44
Records in database: 2208184
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\

Scan statistics:
Files scanned: 168944
Threat name: 3
Infected objects: 3
Suspicious objects: 0
Duration of the scan: 03:56:56


File name / Threat name / Threats count
C:\Program Files\Windows Sidebar\Shared Gadgets\AutoShutdown.gadget\core\gadget.js Infected: not-a-virus:RiskTool.JS.Shutdown.a 1
C:\Program Files\Windows Sidebar\Shared Gadgets\AutoShutdownR21.gadget\core\gadget.js Infected: not-a-virus:RiskTool.JS.Shutdown.b 1
C:\Qoobox\Quarantine\C\DOCUME~1\Admin\LOCALS~1\Temp\tmp2.tmp.vir Infected: Trojan.Win32.Patched.fw 1

The selected area was scanned.
faythe1215 is offline  
Old 05-21-2009, 05:12 PM   #16 (permalink)
Analyst, Security Team
 
Join Date: Jan 2009
Location: Canada
Posts: 2,174
OS: XP sp3


Re: Trojan "gaopdxcounter" Reappears

Hi,

The items found by Kaspersky are of no concern. The one is in quarantine and we will clear that out now.

The issues with WORD are probably not malware related. Make sure you download all the latest updates for MS Office from Microsoft, or uninstall and reinstall; there could have been a corrupt installation due to the malware that was on your system at the time it was loaded.

Now we have some housekeeping to do.

Please do the following:

You can delete the DDS and GMER folders from your desktop.

NEXT


Follow these steps to uninstall Combofix
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the ..X and the /U, it needs to be there.





NEXT

Below I have included a number of recommendations for how to protect your computer against malware infections.
  • Keep Windows updated by regularly checking their website at:
    http://windowsupdate.microsoft.com/
    This will ensure your computer always has the latest available security updates installed.

  • SpywareBlaster protects against bad ActiveX; it immunizes your PC against them.

  • SpywareGuard offers realtime protection from spyware installation attempts. Make sure you are only running one real-time anti-spyware protection program ( eg : TeaTimer, Windows Defender ) or there will be a conflict.

  • Make Internet Explorer more secure
    • Click Start > Run
    • Type Inetcpl.cpl & click OK
    • Click on the Security tab
    • Click Reset all zones to default level
    • Make sure the Internet Zone is selected & Click Custom level
    • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
    • Next Click OK, then Apply button and then OK to exit the Internet Properties page.
  • ATF Cleaner - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.

  • MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer, meaning it will be difficult to infect yourself in the future.

  • For Firefox, I highly recommend these add-ons to keep your PC even more secure.
    • NoScript - for blocking ads and other potential website attacks
    • McAfee SiteAdvisor - this tells you whether the sites you are about to visit are safe or not. A must if you do a lot of Googling.

  • Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.

  • ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.

  • Recovery Console - Recent trends appear to indicate that future infections will include attacks to the boot sector of the computer. The installation of the Recovery Console in the computer will be our only defense against this threat. For more information and steps to install the Recovery Console see This Article. Should you need assistance in installing the Recovery Console, please do not hesitate to ask.

  • In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles:
    Think Prevention
    PC Safety and Security--What Do I Need?


**Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.


Thank you for your patience, and performing all of the procedures requested.

Please respond one last time so we can consider the thread resolved and close it, thank you.
__________________


ASAP & UNITE Member
CatByte is offline  
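The HOSTS file recommendation above cuts both ways: a blocklist such as the MVPS file works by mapping ad and malware hostnames to 127.0.0.1, while malware tampers with the same file to send legitimate hostnames (update and antivirus vendor sites) somewhere else. The following Python script is an added example, not part of this thread or of the MVPS project: it parses a HOSTS file and separates loopback/sinkhole entries from entries that redirect a name to a real address or touch vendor domains a blocklist should never name. The sample file contents, the watched-domain list and the 203.0.113.7 address are constructed for the example.

```python
"""Audit a Windows HOSTS file: sinkhole entries versus hijacks.

Added example (not from the forum thread or any tool it mentions).
On Windows the file lives at %SystemRoot%\\System32\\drivers\\etc\\hosts;
here the contents are passed in as a string so the check runs offline.
"""
import ipaddress
from dataclasses import dataclass

# Addresses a blocklist HOSTS file legitimately points names at.
SINKHOLE_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}

# Constructed watch list (assumption for the example): domains that a
# blocklist has no reason to name, so any entry for them is a hijack.
DEFAULT_WATCH_DOMAINS = ("microsoft.com", "windowsupdate.com", "avg.com")


@dataclass
class HostsEntry:
    address: str
    hostnames: list
    line_no: int


def parse_hosts(text):
    """Parse HOSTS-file syntax: '<address> <name> [<name> ...]  # comment'."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue  # malformed line: no hostname after the address
        try:
            ipaddress.ip_address(parts[0])  # accepts IPv4 and IPv6 literals
        except ValueError:
            continue  # first field is not an address; skip the line
        entries.append(HostsEntry(parts[0], [h.lower() for h in parts[1:]], line_no))
    return entries


def _is_watched(hostname, watch_domains):
    return any(hostname == d or hostname.endswith("." + d) for d in watch_domains)


def audit_hosts(text, watch_domains=DEFAULT_WATCH_DOMAINS):
    """Return (sinkholed, suspicious).

    sinkholed : entries pointing at a loopback/sinkhole address (the blocklist
                mechanism the MVPS file relies on).
    suspicious: entries that send a name to a real address (classic hijack),
                plus ANY entry for a watched domain, even one sent to
                127.0.0.1, since that silently breaks updates or AV sites.
    """
    sinkholed, suspicious = [], []
    for entry in parse_hosts(text):
        watched = any(_is_watched(h, watch_domains) for h in entry.hostnames)
        if entry.address in SINKHOLE_ADDRESSES and not watched:
            sinkholed.append(entry)
        else:
            suspicious.append(entry)
    return sinkholed, suspicious


# Constructed sample HOSTS content (not a real MVPS file).
SAMPLE_HOSTS = """\
# Constructed sample, not a real MVPS file
127.0.0.1 localhost
::1 localhost
# [Ad servers]
127.0.0.1 ads.example-adserver.test
0.0.0.0 tracker.example.test  # sinkholed tracker
# hijack-style lines malware might append
203.0.113.7 www.example.com
127.0.0.1 update.microsoft.com
"""


if __name__ == "__main__":
    ok, bad = audit_hosts(SAMPLE_HOSTS)
    print(f"{len(ok)} sinkhole entries, {len(bad)} suspicious entries")
    for e in bad:
        print(f"  line {e.line_no}: {e.address} -> {', '.join(e.hostnames)}")
```

Run it against the real file by reading %SystemRoot%\System32\drivers\etc\hosts into `audit_hosts` (administrator rights are needed only to write the file, not to read it). One caveat worth keeping in mind: the HOSTS file only influences lookups the resolver makes on this machine, so malware that instead changes the system's DNS server addresses bypasses it entirely, and a rootkit that hides or rewrites the file defeats the audit as well.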
Old 05-23-2009, 11:27 PM   #17 (permalink)
Registered User
 
Join Date: May 2009
Posts: 10
OS: Win XP


Re: Trojan "gaopdxcounter" Reappears

This has worked out wonderfully.

Thank you again for all your help.
faythe1215 is offline  
Old 05-24-2009, 01:40 AM   #18 (permalink)
Analyst, Security Team
 
 
Join Date: Jan 2009
Location: Canada
Posts: 2,174
OS: XP sp3


Re: Trojan "gaopdxcounter" Reappears

You are more than welcome

stay safe

CB
__________________


ASAP & UNITE Member
CatByte is offline  
Copyright 2001 - 2009, Tech Support Forum