HijackThis output from PC which is infected. Can anyone help please?
Comments
-
That looks to have sorted it. The log file is below.
The HijackThis report is now clean, the WindowsFirewall is now on when I reboot and Googling seems to be back to normal. Many, many thanks!! :beer:
I know you didn't recommend ESET. What would you recommend?
Thanks for the other suggestion from Reluctant_Spender about changing the router password. I'll ring O2 and check with them about it.... the router is protected but it was all set up from CD and I am pretty sure I didn't enter any passwords.
LOGFILE.
ComboFix 09-03-23.01 - Mark 2009-03-24 14:02:43.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1534.962 [GMT 0:00]
Running from: c:\hijackthis\QWERTY.exe
AV: ESET NOD32 Antivirus 3.0 *On-access scanning disabled* (Updated)
* Resident AV is active
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\docume~1\Mark\LOCALS~1\Temp\E_4
c:\docume~1\Mark\LOCALS~1\Temp\E_4\krnln.fne
c:\docume~1\Mark\LOCALS~1\Temp\E_4\krnln.fnr
c:\docume~1\Mark\LOCALS~1\Temp\E_4\shell.fne
c:\docume~1\Mark\LOCALS~1\Temp\E_4\spec.fne
c:\windows\system32\drivers\gaopdxsanswextqokwpuwqbitljwxnsvparmpx.sys
c:\windows\system32\gaopdxcounter
c:\windows\system32\gaopdxudpqxovydvaufvphltfmwrrillggytgq.dll
F:\Autorun.inf
f:\recycler\S-8-0-20-100032708-100022877-100025364-5494.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
\Service_gaopdxserv.sys
((((((((((((((((((((((((( Files Created from 2009-02-24 to 2009-03-24 )))))))))))))))))))))))))))))))
.
2009-03-24 10:00 . 2009-03-24 10:00 <DIR> d c:\program files\Malwarebytes' Anti-Malware 2
2009-03-24 09:54 . 2009-03-24 09:54 <DIR> d c:\windows\system32\LogFiles
2009-03-23 22:48 . 2009-03-24 13:53 <DIR> d C:\HiJackThis
2009-03-23 22:47 . 2009-03-23 22:47 <DIR> d c:\program files\Trend Micro
2009-03-23 22:22 . 2009-03-23 23:13 <DIR> d c:\documents and settings\Mark\.housecall6.6
2009-03-23 22:21 . 2009-03-23 22:20 410,984 --a c:\windows\system32\deploytk.dll
2009-03-23 22:21 . 2009-03-23 22:20 73,728 --a c:\windows\system32\javacpl.cpl
2009-03-23 22:20 . 2009-03-23 22:20 <DIR> d c:\program files\Java
2009-03-23 22:03 . 2009-03-23 22:03 <DIR> d c:\program files\Panda Security
2009-03-23 22:03 . 2008-06-19 16:24 28,544 --a c:\windows\system32\drivers\pavboot.sys
2009-03-23 21:56 . 2009-03-23 21:56 <DIR> d c:\program files\CCleaner
2009-03-23 13:16 . 2009-03-24 10:20 <DIR> d c:\program files\Spyware Doctor
2009-03-23 13:16 . 2009-03-23 13:16 <DIR> d c:\documents and settings\Mark\Application Data\PC Tools
2009-03-23 13:16 . 2008-08-25 12:36 81,288 --a c:\windows\system32\drivers\iksyssec.sys
2009-03-23 13:16 . 2008-08-25 12:36 66,952 --a c:\windows\system32\drivers\iksysflt.sys
2009-03-23 13:16 . 2008-08-25 12:36 40,840 --a c:\windows\system32\drivers\ikfilesec.sys
2009-03-23 13:16 . 2008-06-02 16:19 29,576 --a c:\windows\system32\drivers\kcom.sys
2009-03-23 12:22 . 2009-03-09 19:06 15,688 --a c:\windows\system32\lsdelete.exe
2009-03-23 12:11 . 2009-03-09 19:06 64,160 --a c:\windows\system32\drivers\Lbd.sys
2009-03-23 12:10 . 2009-03-23 12:10 <DIR> d--h-c--- c:\documents and settings\All Users\Application Data\!!7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-03-23 11:49 . 2009-03-23 11:49 <DIR> d c:\documents and settings\Administrator
2009-03-23 09:44 . 2009-03-24 11:00 <DIR> d c:\program files\Malwarebytes' Anti-Malware
2009-03-23 09:44 . 2009-02-11 10:19 38,496 --a c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-23 09:44 . 2009-02-11 10:19 15,504 --a c:\windows\system32\drivers\mbam.sys
2009-03-12 14:20 . 2009-03-12 14:20 <DIR> d c:\program files\Sony Ericsson
2009-03-11 19:52 . 2009-03-11 19:52 <DIR> d c:\program files\TVAnts
2009-03-10 14:17 . 2009-03-10 14:17 <DIR> d-a C:\TTN7
2009-03-10 09:11 . 2009-03-10 09:44 18,073 --a c:\windows\CSTBox.INI
2009-03-02 11:40 . 2009-03-02 11:40 <DIR> d c:\documents and settings\Mark\Application Data\Malwarebytes
2009-03-02 11:40 . 2009-03-02 11:40 <DIR> d c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-01 13:50 . 2009-03-01 13:50 <DIR> d c:\program files\SopCast
2009-03-01 13:29 . 2009-03-01 13:29 <DIR> d c:\documents and settings\All Users\Application Data\Graboid Inc
2009-03-01 13:28 . 2009-03-01 13:28 <DIR> d c:\documents and settings\Mark\Application Data\MozillaControl
2009-03-01 13:27 . 2009-03-02 22:49 <DIR> d c:\program files\VideoLAN
2009-03-01 13:27 . 2009-03-02 22:48 <DIR> d c:\program files\Graboid
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-24 14:01 d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-03-24 14:00 d w c:\documents and settings\Mark\Application Data\DNA
2009-03-24 11:50 d w c:\program files\DNA
2009-03-23 12:10 d w c:\program files\Lavasoft
2009-03-23 12:10 d w c:\documents and settings\All Users\Application Data\Lavasoft
2009-03-23 10:03 d w c:\program files\RegCure
2009-03-23 09:34 d w c:\program files\Pistonsoft MP3 Tags Editor
2009-03-22 22:55 d w c:\documents and settings\Mark\Application Data\BitTorrent
2009-03-16 23:06 d w c:\documents and settings\Mark\Application Data\MyPhoneExplorer
2009-03-16 22:52 d w c:\documents and settings\Mark\Application Data\Canon
2009-02-27 14:44 d w c:\program files\EPSON Print CD
2009-02-17 19:02 d w c:\program files\Common Files\Wise Installation Wizard
2009-02-09 11:13 1,846,784 ----a-w c:\windows\system32\win32k.sys
2009-02-06 02:01 d w c:\program files\MFInstall
2009-01-05 13:29 24,824 ----a-w c:\documents and settings\Mark\Application Data\GDIPFONTCACHEV1.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"!!6dfc55bb-bfff-485a-9709-90c3fdf6db58}"= "c:\program files\Wisdom-soft\tbWisd.dll" [2007-07-17 1379352]
[HKEY_CLASSES_ROOT\clsid\!!6dfc55bb-bfff-485a-9709-90c3fdf6db58}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\!!6dfc55bb-bfff-485a-9709-90c3fdf6db58}]
2007-07-17 14:59 1379352 --a c:\program files\Wisdom-soft\tbWisd.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"!!6dfc55bb-bfff-485a-9709-90c3fdf6db58}"= "c:\program files\Wisdom-soft\tbWisd.dll" [2007-07-17 1379352]
[HKEY_CLASSES_ROOT\clsid\!!6dfc55bb-bfff-485a-9709-90c3fdf6db58}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"!!6DFC55BB-BFFF-485A-9709-90C3FDF6DB58}"= "c:\program files\Wisdom-soft\tbWisd.dll" [2007-07-17 1379352]
[HKEY_CLASSES_ROOT\clsid\!!6dfc55bb-bfff-485a-9709-90c3fdf6db58}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"BgMonitor_!!79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2008-01-22 152872]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2008-12-24 342848]
"SansaDispatch"="c:\documents and settings\Mark\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe" [2009-01-14 79872]
"RegistryMechanic"="c:\program files\Registry Mechanic\RegMech.exe" [2008-07-08 2828184]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-06-10 1447168]
"O2"="c:\program files\O2\bin\sprtcmd.exe" [2008-03-28 198184]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-16 86016]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"SecurDisc"="c:\program files\Nero\Nero 7\InCD\NBHGui.exe" [2007-11-26 1629480]
"InCD"="c:\program files\Nero\Nero 7\InCD\InCD.exe" [2007-11-26 1057064]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-03-09 515416]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2008-08-25 1168264]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-23 148888]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 c:\windows\stsystra.exe]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 c:\windows\system32\bthprops.cpl]
"nwiz"="nwiz.exe" [2008-05-16 c:\windows\system32\nwiz.exe]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-10-10 c:\windows\KHALMNPR.Exe]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-09-09 113664]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-01-03 809488]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-11-07 16:41 72208 c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus Photo R220 Series]
--a 2006-12-25 04:00 177664 c:\windows\system32\spool\drivers\w32x86\3\E_FATIAIE.EXE
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\TVAnts\\Tvants.exe"=
"c:\\Program Files\\Sony Ericsson\\Update Service\\Update Service.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-03-23 64160]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-03-23 28544]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2008-06-10 34312]
R2 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2008-06-10 468224]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-03-09 951632]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [2009-01-03 10384]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2009-03-23 356920]
R2 sprtsvc_O2;SupportSoft Sprocket Service (O2);c:\program files\O2\bin\sprtsvc.exe [2007-06-07 202280]
S2 NOD32FiXTemDono;Eset Nod32 Boot;c:\windows\system32\regedt32.exe [2003-03-31 3584]
--- Other Services/Drivers In Memory ---
*Deregistered* - mchInjDrv
.
Contents of the 'Scheduled Tasks' folder
2009-03-23 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 19:06]
2009-03-23 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2007-08-02 08:20]
2009-03-23 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2007-08-02 08:20]
.
.
Supplementary Scan
.
uStart Page = hxxp://uk.yahoo.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Mark\Application Data\Mozilla\Firefox\Profiles\nopul2hd.default\
FF - prefs.js: browser.startup.homepage - hxxp://uk.yahoo.com/
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-24 14:06:17
Windows 5.1.2600 Service Pack 3 NTFS
detected NTDLL code modification:
ZwClose
scanning hidden processes ...
scanning hidden autostart entries ...
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
SansaDispatch = c:\documents and settings\Mark\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe????????????????????????????????????????????????????????????????????????????????????????
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
LOCKED REGISTRY KEYS
[HKEY_USERS\S-1-5-21-1454471165-1275210071-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\!!32CAEB5A-2ACA-24E3-2B03-4225F6D96746}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"jaehdnpkokcceklejolj"=hex:6b,61,6c,66,70,6d,6b,64,6f,65,6a,6c,6b,66,67,70,61,
6e,6f,62,63,61,00,00
"iaogbpkcmkpemakklo"=hex:6b,61,6c,66,70,6d,6b,64,6f,65,6a,6c,6b,66,67,70,61,6e,
6f,62,63,61,00,00
.
DLLs Loaded Under Running Processes
- - - - - - - > 'winlogon.exe'(736)
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll
.
Completion time: 2009-03-24 14:08:09
ComboFix-quarantined-files.txt 2009-03-24 14:08:05
Pre-Run: 15,390,224,384 bytes free
Post-Run: 17,422,401,536 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
217 --- E O F --- 2009-03-23 13:20:19
-
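A small triage helper, added here as an example (it is not part of this thread, nor a ComboFix or HijackThis tool): it reads "Files Created" entries in the one-entry-per-line layout ComboFix prints and flags what a responder would check first, namely random-looking filenames like the gaopdx* ones listed under "Other Deletions" above, and any newly created kernel driver. The sample entries are constructed; the sizes and timestamps shown for the two gaopdx* files are made up, and the field layout (created . modified size attributes path) is assumed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in ComboFix's "Files Created" layout (created . modified
# size attributes path). The paths are from this thread's log; the sizes and
# timestamps for the two gaopdx* files are made up for the example.
SAMPLE_LOG = """\
2009-03-23 22:21 . 2009-03-23 22:20 410,984 --a------ c:\\windows\\system32\\deploytk.dll
2009-03-23 22:03 . 2008-06-19 16:24 28,544 --a------ c:\\windows\\system32\\drivers\\pavboot.sys
2009-03-22 03:11 . 2009-03-22 03:11 42,496 --a------ c:\\windows\\system32\\drivers\\gaopdxsanswextqokwpuwqbitljwxnsvparmpx.sys
2009-03-22 03:11 . 2009-03-22 03:11 33,792 --a------ c:\\windows\\system32\\gaopdxudpqxovydvaufvphltfmwrrillggytgq.dll
2009-03-24 10:00 . 2009-03-24 10:00 <DIR> d-------- c:\\program files\\Malwarebytes' Anti-Malware
"""

ENTRY_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?P<size><DIR>|[\d,]+)\s+(?P<attrs>\S+)\s+(?P<path>.+?)\s*$"
)

@dataclass
class Entry:
    created: str
    size: Optional[int]  # None for a <DIR> entry
    path: str

def parse_entries(text: str) -> List[Entry]:
    """Parse 'Files Created' lines; anything that does not match is skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            size = None if m["size"] == "<DIR>" else int(m["size"].replace(",", ""))
            entries.append(Entry(m["created"], size, m["path"]))
    return entries

def looks_random(stem: str) -> bool:
    """A long unbroken run of lowercase letters, like the gaopdx* names above."""
    return len(stem) >= 20 and stem.isalpha() and stem.islower()

def triage(text: str) -> List[Tuple[str, str]]:
    """Return (path, reason) pairs a responder should look at first."""
    findings = []
    for e in parse_entries(text):
        if e.size is None:
            continue  # directories are not scored here
        low = e.path.lower()
        name = low.rsplit("\\", 1)[-1]
        stem = name.rsplit(".", 1)[0]
        if looks_random(stem):
            findings.append((e.path, "random-looking filename"))
        if name.endswith(".sys") and "\\system32\\drivers\\" in low:
            findings.append((e.path, "new kernel driver: confirm vendor and signature"))
    return findings
```

The driver check is deliberately noisy (it also flags the Panda pavboot.sys installed the day before), so read the reasons as a review order, not a verdict.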
I'll go through the log laters. Bit busy at the mo.
Is it any different?
Download SPYBOT (Make sure you click 'DOWNLOAD LATEST VERSION' ~ make sure TEA TIMER is UNTICKED on installation)
http://www.filehippo.com/download_spybot_search_destroy/
UPDATE and IMMUNISE (Make sure it reads ZERO unprotected) and SCAN :idea:
-
I had a very similar virus a few weeks ago... back up what you can and re-install Windows. The virus is attaching itself to files etc, so if you are on a network lock it down and isolate the infected PC.
I spent weeks trying to do all sorts of things to get rid of it and you can't.
-
Download KILLBOX
Copy the text in red below
c:\windows\system32\deploytk.dll
C:\WINDOWS\system32\gaopdxcounter
Run the KillBox and choose File -> Paste from Clipboard.
Check the Delete on Reboot option and click the X. Confirm and let it restart.
Can I ask why you have used Killbox and not a CF Script - either will do, just curious.
-
Reluctant_spender wrote: »Can I ask why you have used Killbox and not a CF Script - either will do just curious.
I find it's slightly easier to explain than dragging and dropping into Combo, which might confuse some people :idea:
-
Never thought of it like that. Cheers
-
Download KILLBOX
Copy the text in red below
c:\windows\system32\deploytk.dll
C:\WINDOWS\system32\gaopdxcounter
Run the KillBox and choose File -> Paste from Clipboard.
Check the Delete on Reboot option and click the X. Confirm and let it restart.
I'll try this tomorrow... just off out. I thought my problem was sorted. It still seems fine to me. Everything works as it should. Cheers!
-
Just ran Killbox tonight. As I mentioned... the PC seemed fine after the ComboFix but I guess the Killbox tidied up completely. As per above... MANY THANKS.
You mentioned that Eset was not as good as many thought and I should review my security. I thought I had done my research when choosing Eset... so (me being lazy) what would you recommend instead?
EDIT : No real need to answer what security I should be using. I found your setup in the 'What Security' sticky i.e.
"If you want an 'all in one' buy Kaspersky
If you want free ones, you need quite a few
Personally I use ~
PCTOOLS FIREWALL
AVIRA (Main av)
Malwarebytes (scan on demand)
Superantispyware (Scan on demand)
Spybot (Including its IMMUNISE feature) ~ (scan on demand)"
-
If Tom's right about what he said, it's possible the infection may NEVER go away.
For now keep Eset and see how it goes.
But if you keep having problems then the only thing you can really do is wipe the drive and start afresh.
I'd suggest one final scan with Kaspersky's online scanner ~
http://www.kaspersky.co.uk/kos_trialpay_offer
(May need to be run in internet explorer)
It won't delete anything nasty it finds but it WILL tell us about them. So please scan (will take hours) and post the log it produces please.
:idea: