Trojan Horse Generic 13.BNJ... please help :)
Closed Thread
vp3434 (Junior Member, 6 posts; joined Mar 2009; experience: Advanced)
15-Mar-2009, 05:05 AM #1
Hi,

Recently both Firefox and IE started doing redirects when I clicked on search results in Google and Yahoo.com. Then I noticed that when I started my computer, the Windows Firewall would turn off. Finally, AVG then found "Trojan Horse Generic 13.BJN" in "C:\Windows\System32\gaopdxgfiyxxjibeerwctqveirmlosniipwumr.dll" (That's not a typo) both in processes "firefox.exe" and "iexplorer.exe." I had AVG move the infections to the vault and then delete them, but when I restart the computer, AVG detects them again.

I just ran a "full scan" with Ad Aware with the latest updates and found Win32TR\.\Agent.dl a malware and removed it, but I still get a virus alert when running Firefox or IE.

Below is my HijackThis logfile. Any help would be much appreciated!
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:02:16 AM, on 3/15/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Program Files\KMaestro\Kmaestro.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Free Internet Window Washer\Clearpch.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com/g/startpage.h...s=PTB&M=MT6821
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.h...s=PTB&M=MT6821
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gateway.com/g/sidepanel.h...s=PTB&M=MT6821
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\google\BAE.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [BtcMaestro] "C:\Program Files\KMaestro\KMaestro.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] "C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe"
O4 - HKLM\..\Run: [IndexSearch] "C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe"
O4 - HKLM\..\Run: [PPort11reminder] "C:\Program Files\ScanSoft\PaperPort\Ereg\Ereg.exe" -r "C:\ProgramData\ScanSoft\PaperPort\11\Config\Ereg\Ereg.ini
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\CCleaner.exe" /AUTO
O4 - HKCU\..\Run: [Free Internet Window Washer] C:\PROGRA~1\FREEIN~1\Clearpch.exe -Start
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
O13 - Gopher Prefix:
O15 - Trusted Zone: http://moneycentral.msn.com
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://supportcenter.rr.com/sdccommo...ad/tgctlcm.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti..._v1-0-24-0.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1207888939044
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://investools.webex.com/client/...t/ieatgpc1.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{98710AC8-7FD6-478C-9946-F7175B670993}: NameServer = 85.255.112.225,85.255.112.199
O17 - HKLM\System\CCS\Services\Tcpip\..\{A3DA5132-1559-49BF-8BE6-6B54C2C8BB9A}: NameServer = 85.255.112.225,85.255.112.199
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.225,85.255.112.199
O17 - HKLM\System\CS6\Services\Tcpip\Parameters: NameServer = 85.255.112.225,85.255.112.199
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.225,85.255.112.199
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: MozyHome Backup Service (mozybackup) - Mozy, Inc. - C:\Program Files\MozyHome\mozybackup.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\supportsoft\bin\ssrc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\Windows\System32\ZoneLabs\vsmon.exe

--
End of file - 12431 bytes
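Reading a HijackThis log like the one above by hand is slow, and the two entries that actually matter in it are easy to miss: the O17 NameServer values pointing at 85.255.112.225 and 85.255.112.199 (the entries Malwarebytes later labels Trojan.DNSChanger) and the random-looking file name AVG kept reporting. The script below is an added example, not code from the thread, from Trend Micro or from any product named in the log. It parses HijackThis-format lines, flags NameServer addresses that are neither on a private range nor in an expected list, and flags binaries whose file name looks machine-generated. The sample lines are constructed from entries in the thread's log, the O20 line carrying the DLL path is added by hand (the thread's own HijackThis log did not list it), and EXPECTED_DNS is a placeholder for the resolvers the host should be using.

```python
"""Triage a HijackThis log: flag hijacked DNS settings and generated-looking
file names. Added example for this thread, not HijackThis or forum code."""
import ipaddress
import math
import re
from collections import Counter

# Assumption: resolvers this host is expected to use (placeholder value).
EXPECTED_DNS = {"192.168.1.1"}

# Constructed sample in HijackThis v2 format, built from entries in the
# thread's log; the second O20 line is added by hand so that the file-name
# check sees the DLL AVG reported (the thread's own log did not list it).
SAMPLE_LOG = r"""
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{98710AC8-7FD6-478C-9946-F7175B670993}: NameServer = 85.255.112.225,85.255.112.199
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.225,85.255.112.199
O20 - AppInit_DLLs: avgrsstx.dll
O20 - AppInit_DLLs: C:\Windows\System32\gaopdxgfiyxxjibeerwctqveirmlosniipwumr.dll
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\Windows\System32\ZoneLabs\vsmon.exe
""".strip()

O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+)$")
# A Windows path ending in a binary extension; paths may contain spaces.
PATH_RE = re.compile(r"([A-Za-z]:\\.+?\.(?:dll|exe|sys))\b", re.IGNORECASE)


def shannon_entropy(text: str) -> float:
    """Bits per character of the text's own character distribution."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def looks_generated(stem: str, min_len: int = 20, min_entropy: float = 3.5) -> bool:
    """Heuristic: a long, lowercase, letters-only stem with high entropy.
    Real product binaries tend to be short or to mix case and digits."""
    return (len(stem) >= min_len and stem.isalpha() and stem.islower()
            and shannon_entropy(stem) >= min_entropy)


def find_nameservers(lines):
    """Return (registry key, [ip, ...]) for every O17 NameServer entry."""
    found = []
    for line in lines:
        m = O17_RE.match(line)
        if m:
            ips = [s.strip() for s in m.group("servers").split(",") if s.strip()]
            found.append((m.group("key"), ips))
    return found


def unexpected_dns(lines, expected=EXPECTED_DNS):
    """NameServer addresses that are neither expected nor on a private range."""
    flagged = set()
    for _key, ips in find_nameservers(lines):
        for ip in ips:
            try:
                addr = ipaddress.ip_address(ip)
            except ValueError:
                flagged.add(ip)  # not even an address: worth a look anyway
                continue
            if ip not in expected and not addr.is_private:
                flagged.add(ip)
    return flagged


def suspicious_binaries(lines):
    """(entry type, file name) for every path whose stem looks generated."""
    hits = []
    for line in lines:
        for m in PATH_RE.finditer(line):
            name = m.group(1).rsplit("\\", 1)[-1]
            if looks_generated(name.rsplit(".", 1)[0]):
                hits.append((line.split(" - ", 1)[0], name))
    return hits


def triage(text: str) -> dict:
    """Run both checks over a whole log and return the findings."""
    lines = text.splitlines()
    return {"unexpected_dns": sorted(unexpected_dns(lines)),
            "suspicious_binaries": suspicious_binaries(lines)}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, value)
```

Run against the constructed sample it reports both 85.255.112.x resolvers and the gaopdx DLL, and nothing for the AVG, Check Point or Adobe binaries. The entropy rule is a heuristic, not a signature: a short generated name slips through and a long lowercase product name can trip it, so treat its output as a list of entries to review rather than a verdict.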
vp3434 (Junior Member, 6 posts; joined Mar 2009; experience: Advanced)
15-Mar-2009, 02:58 PM #2
Update: I just ran a "full scan" in Malwarebytes with the latest updates and found a bunch of stuff that I then removed. Here's the log.

Malwarebytes' Anti-Malware 1.34
Database version: 1851
Windows 6.0.6001 Service Pack 1

3/15/2009 2:55:22 PM
mbam-log-2009-03-15 (14-55-22).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 300242
Time elapsed: 2 hour(s), 32 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 0
Registry Data Items Infected: 6
Folders Infected: 3
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b64f4a7c-97c9-11da-8bde-f66bad1e3f3a} (Rogue.WinAntivirus) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\DecodingHQ (Trojan.DNSChanger) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DecodingHQ (Trojan.DNSChanger) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\{NSINAME} (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.225,85.255.112.199 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{98710ac8-7fd6-478c-9946-f7175b670993}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.225,85.255.112.199 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{a3da5132-1559-49bf-8be6-6b54c2c8bb9a}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.225,85.255.112.199 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.225,85.255.112.199 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{98710ac8-7fd6-478c-9946-f7175b670993}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.225,85.255.112.199 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{a3da5132-1559-49bf-8be6-6b54c2c8bb9a}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.225,85.255.112.199 -> Quarantined and deleted successfully.

Folders Infected:
C:\Users\Viraj\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\DecodingHQ (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\DecodingHQ (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\Program Files\DecodingHQ (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\DecodingHQ\Uninstall.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\Users\Viraj\AppData\Local\codecsetup.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\DecodingHQ\Uninstall.lnk (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\autorun.inf (Trojan.Agent) -> Quarantined and deleted successfully.
C:\RECYCLER\S-6-1-46-100023812-100022970-100020390-2877.com (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\System32\gaopdxcounter (Trojan.Agent) -> Quarantined and deleted successfully.
vp3434 (Junior Member, 6 posts; joined Mar 2009; experience: Advanced)
15-Mar-2009, 03:41 PM #3
Update 2: After running Malwarebytes and selecting remove, it asked me to restart. Upon restarting, a Windows error message came up about something causing the host process to close. I tried jotting down the exact message, but then Windows froze and I had to restart. Before Windows froze, I did manage to start up Firefox, upon which AVG then gave the same alert from before about Trojan Horse Generic 13.BNJ. After restarting, explorer.exe stopped responding, so I then did a hard shutdown and restarted in safe mode. There I ran Malwarebytes again, which produced this log file:

Malwarebytes' Anti-Malware 1.34
Database version: 1851
Windows 6.0.6001 Service Pack 1
3/15/2009 3:34:15 PM
mbam-log-2009-03-15 (15-34-15).txt
Scan type: Quick Scan
Objects scanned: 64066
Time elapsed: 3 minute(s), 47 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\Windows\System32\gaopdxcounter (Trojan.Agent) -> Quarantined and deleted successfully.
vp3434 (Junior Member, 6 posts; joined Mar 2009; experience: Advanced)
15-Mar-2009, 07:19 PM #4
Update 3: I forgot to mention that before, when I first downloaded Malwarebytes, I had to rename "mbam.exe" to "mbam2.exe" to get it to run. As mbam.exe, I would click on the exe, see the hourglass cursor, and then nothing would happen. Not sure if this is important, but thought I would pass the info along.

Also, I mistyped the name of the virus AVG is reporting. It is called "Trojan Horse Generic 13.BJN" not "Trojan Horse Generic 13.BNJ."

Since the update above, I was able to restart Windows Vista in normal mode. I ran an online Kaspersky critical areas virus scan and it didn't detect any viruses. I restarted Windows and the virus is still being found by AVG when starting Firefox or IE. Also, I have gotten the Windows Host Process has stopped working error a couple times, and I got a DHCP client has closed error after which my internet connection stopped working. I did a networking diagnostic and repair and the internet works again now. Not sure what to do now as it appears the virus is still in the computer.
vp3434 (Junior Member, 6 posts; joined Mar 2009; experience: Advanced)
16-Mar-2009, 10:29 PM #5
Update 4: I went ahead and did some additional research while I was waiting for a response. I ran Dr. Web CureIt, which found a number of problem items that I then deleted. (I would post the log, but the computer crashed before I could save it.) The gaopdxcounter Trojan still remained, though. Then I ran AVZ 4, which didn't find anything. Finally, I saw on another website that gaopdxcounter is a rootkit, so I ran GMER. This identified the rootkit and I deleted it within GMER. Afterwards I ran Malwarebytes again and this time it finally ran clean. I think I am now clean, but if an expert on here can confirm that my computer is now clean, that would be great! Below are the latest logs:

GMER 1.0.15.14939 - http://www.gmer.net
Rootkit scan 2009-03-16 21:43:59
Windows 6.0.6001 Service Pack 1


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwAlpcConnectPort [0x807D67F8] <-- ROOTKIT !!!
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwConnectPort [0x807D6458] <-- ROOTKIT !!!
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateFile [0x807D3886] <-- ROOTKIT !!!
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateKey [0x807DE90A] <-- ROOTKIT !!!
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreatePort [0x807D6BAE] <-- ROOTKIT !!!
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateProcess [0x807DC6B6] <-- ROOTKIT !!!
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateProcessEx [0x807DC8D0] <-- ROOTKIT !!!
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateSection [0x807E023A] <-- ROOTKIT !!!
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateWaitablePort [0x807D6C56] <-- ROOTKIT !!!
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwDeleteFile [0x807D3D66] <-- ROOTKIT !!!
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwDeleteKey [0x807DF206] <-- ROOTKIT !!!
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwDeleteValueKey [0x807DEF82] <-- ROOTKIT !!!
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwDuplicateObject [0x807DC0B6] <-- ROOTKIT !!!
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwLoadKey [0x807DF734] <-- ROOTKIT !!!
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwLoadKey2 [0x807DF7AC] <-- ROOTKIT !!!
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwLoadKeyEx [0x807DF824] <-- ROOTKIT !!!
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwOpenFile [0x807D3BFE] <-- ROOTKIT !!!
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwOpenProcess [0x807DDAD4] <-- ROOTKIT !!!
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwRenameKey [0x807DFE66] <-- ROOTKIT !!!
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwReplaceKey [0x807DF89C] <-- ROOTKIT !!!
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwRequestWaitReplyPort [0x807D60E2] <-- ROOTKIT !!!
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwRestoreKey [0x807DFCA6] <-- ROOTKIT !!!
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSecureConnectPort [0x807D65F8] <-- ROOTKIT !!!
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSetInformationFile [0x807D3F54] <-- ROOTKIT !!!
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSetValueKey [0x807DEC88] <-- ROOTKIT !!!
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSystemDebugControl [0x807DD044] <-- ROOTKIT !!!
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwTerminateProcess [0x807DCF20] <-- ROOTKIT !!!
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateUserProcess [0x807DCAEE] <-- ROOTKIT !!!

Code 8CD332E0 ZwEnumerateKey
Code 8CCD22D8 ZwFlushInstructionCache
Code 8CD9E420 ZwQueryValueKey
Code 8CD3C73D IofCallDriver
Code 8CDA1346 IofCompleteRequest

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!IofCompleteRequest 81C7FFE2 5 Bytes JMP 8CDA134B
.text ntkrnlpa.exe!KeSetTimerEx + 370 81CFE934 4 Bytes [F8, 67, 7D, 80]
.text ntkrnlpa.exe!KeSetTimerEx + 40C 81CFE9D0 4 Bytes [86, 38, 7D, 80] {XCHG [EAX], BH; JGE 0xffffffffffffff84}
.text ntkrnlpa.exe!KeSetTimerEx + 41C 81CFE9E0 4 Bytes JMP A9CF6A62
.text ntkrnlpa.exe!KeSetTimerEx + 438 81CFE9FC 12 Bytes [AE, 6B, 7D, 80, B6, C6, 7D, ...]
.text ntkrnlpa.exe!KeSetTimerEx + 448 81CFEA0C 4 Bytes [3A, 02, 7E, 80] {CMP AL, [EDX]; JLE 0xffffffffffffff84}
.text ...
.text ntkrnlpa.exe!IofCallDriver 81D01F6F 5 Bytes JMP 8CD3C742
PAGE ntkrnlpa.exe!ZwFlushInstructionCache 81DF830B 5 Bytes JMP 8CCD22DC
PAGE ntkrnlpa.exe!ZwQueryValueKey 81E4BB57 5 Bytes JMP 8CD9E424
PAGE ntkrnlpa.exe!ZwEnumerateKey 81E4DBB4 5 Bytes JMP 8CD332E4

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Maestro1.sys (KeyMaestro Sys for Windows NT, 2000, .../BTC)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Maestro1.sys (KeyMaestro Sys for Windows NT, 2000, .../BTC)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\Tcp ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\Udp ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\RawIp ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)

---- Services - GMER 1.0.15 ----

Service C:\Windows\system32\drivers\gaopdxfvosxdwbtnhkhxrpunsrnneduqstmrcb.sys (*** hidden *** ) [SYSTEM] gaopdxserv.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys@imagepath \systemroot\system32\drivers\gaopdxfvosxdwbtnhkhxrpunsrnneduqstmrcb.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys\modules@gaopdxserv \\?\globalroot\systemroot\system32\drivers\gaopdxfvosxdwbtnhkhxrpunsrnneduqstmrcb.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys\modules@gaopdxl \\?\globalroot\systemroot\system32\gaopdxgfiyxxjibeerwctqveirmlosniipwumr.dll
Reg HKLM\SYSTEM\ControlSet002\Services\gaopdxserv.sys
Reg HKLM\SYSTEM\ControlSet002\Services\gaopdxserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\gaopdxserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet002\Services\gaopdxserv.sys@imagepath \systemroot\system32\drivers\gaopdxfvosxdwbtnhkhxrpunsrnneduqstmrcb.sys
Reg HKLM\SYSTEM\ControlSet002\Services\gaopdxserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet002\Services\gaopdxserv.sys\modules
Reg HKLM\SYSTEM\ControlSet002\Services\gaopdxserv.sys\modules@gaopdxserv \\?\globalroot\systemroot\system32\drivers\gaopdxfvosxdwbtnhkhxrpunsrnneduqstmrcb.sys
Reg HKLM\SYSTEM\ControlSet002\Services\gaopdxserv.sys\modules@gaopdxl \\?\globalroot\systemroot\system32\gaopdxgfiyxxjibeerwctqveirmlosniipwumr.dll
Reg HKLM\SYSTEM\ControlSet003\Services\gaopdxserv.sys
Reg HKLM\SYSTEM\ControlSet003\Services\gaopdxserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet003\Services\gaopdxserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet003\Services\gaopdxserv.sys@imagepath \systemroot\system32\drivers\gaopdxfvosxdwbtnhkhxrpunsrnneduqstmrcb.sys
Reg HKLM\SYSTEM\ControlSet003\Services\gaopdxserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet003\Services\gaopdxserv.sys\modules
Reg HKLM\SYSTEM\ControlSet003\Services\gaopdxserv.sys\modules@gaopdxserv \\?\globalroot\systemroot\system32\drivers\gaopdxfvosxdwbtnhkhxrpunsrnneduqstmrcb.sys
Reg HKLM\SYSTEM\ControlSet003\Services\gaopdxserv.sys\modules@gaopdxl \\?\globalroot\systemroot\system32\gaopdxgfiyxxjibeerwctqveirmlosniipwumr.dll
Reg HKLM\SYSTEM\ControlSet004\Services\gaopdxserv.sys
Reg HKLM\SYSTEM\ControlSet004\Services\gaopdxserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet004\Services\gaopdxserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet004\Services\gaopdxserv.sys@imagepath \systemroot\system32\drivers\gaopdxfvosxdwbtnhkhxrpunsrnneduqstmrcb.sys
Reg HKLM\SYSTEM\ControlSet004\Services\gaopdxserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet004\Services\gaopdxserv.sys\modules
Reg HKLM\SYSTEM\ControlSet004\Services\gaopdxserv.sys\modules@gaopdxserv \\?\globalroot\systemroot\system32\drivers\gaopdxfvosxdwbtnhkhxrpunsrnneduqstmrcb.sys
Reg HKLM\SYSTEM\ControlSet004\Services\gaopdxserv.sys\modules@gaopdxl \\?\globalroot\systemroot\system32\gaopdxgfiyxxjibeerwctqveirmlosniipwumr.dll
Reg HKLM\SYSTEM\ControlSet005\Services\gaopdxserv.sys
Reg HKLM\SYSTEM\ControlSet005\Services\gaopdxserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet005\Services\gaopdxserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet005\Services\gaopdxserv.sys@imagepath \systemroot\system32\drivers\gaopdxfvosxdwbtnhkhxrpunsrnneduqstmrcb.sys
Reg HKLM\SYSTEM\ControlSet005\Services\gaopdxserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet005\Services\gaopdxserv.sys\modules
Reg HKLM\SYSTEM\ControlSet005\Services\gaopdxserv.sys\modules@gaopdxserv \\?\globalroot\systemroot\system32\drivers\gaopdxfvosxdwbtnhkhxrpunsrnneduqstmrcb.sys
Reg HKLM\SYSTEM\ControlSet005\Services\gaopdxserv.sys\modules@gaopdxl \\?\globalroot\systemroot\system32\gaopdxgfiyxxjibeerwctqveirmlosniipwumr.dll
Reg HKLM\SYSTEM\ControlSet006\Services\gaopdxserv.sys
Reg HKLM\SYSTEM\ControlSet006\Services\gaopdxserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet006\Services\gaopdxserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet006\Services\gaopdxserv.sys@imagepath \systemroot\system32\drivers\gaopdxfvosxdwbtnhkhxrpunsrnneduqstmrcb.sys
Reg HKLM\SYSTEM\ControlSet006\Services\gaopdxserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet006\Services\gaopdxserv.sys\modules
Reg HKLM\SYSTEM\ControlSet006\Services\gaopdxserv.sys\modules@gaopdxserv \\?\globalroot\systemroot\system32\drivers\gaopdxfvosxdwbtnhkhxrpunsrnneduqstmrcb.sys
Reg HKLM\SYSTEM\ControlSet006\Services\gaopdxserv.sys\modules@gaopdxl \\?\globalroot\systemroot\system32\gaopdxgfiyxxjibeerwctqveirmlosniipwumr.dll

---- Files - GMER 1.0.15 ----

File C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiMG0028.000 240 bytes
File C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiMG0028.001 65536 bytes
File C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiMG0028.002 65536 bytes
File C:\Windows\System32\drivers\gaopdxfvosxdwbtnhkhxrpunsrnneduqstmrcb.sys 34816 bytes executable <-- ROOTKIT !!!
File C:\Windows\System32\gaopdxgfiyxxjibeerwctqveirmlosniipwumr.dll 10752 bytes executable

---- EOF - GMER 1.0.15 ----
Malwarebytes' Anti-Malware 1.34
Database version: 1856
Windows 6.0.6001 Service Pack 1

3/16/2009 10:05:41 PM
mbam-log-2009-03-16 (22-05-41).txt

Scan type: Quick Scan
Objects scanned: 65686
Time elapsed: 6 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
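Two things in the GMER output above are worth separating. GMER appends "<-- ROOTKIT !!!" to every SSDT hook it sees, including the long run owned by vsdatant.sys, which GMER itself labels as the ZoneAlarm firewall driver, so that marker on its own is noisy. The high-confidence findings are the service marked "*** hidden ***" and the registry values under it: @imagepath names the hidden driver, and modules@gaopdxl names the very DLL AVG kept reporting inside firefox.exe and iexplore.exe. The script below is an added example, not code from the thread and not GMER's own tooling: it parses GMER-style lines, sets aside hooks owned by an allow-listed security driver, lists the remaining flagged items, and ties a hidden service to the module paths recorded under its registry key. KNOWN_HOOKING_DRIVERS is an assumption about what is installed on this particular host; the sample lines are constructed from the thread's GMER log.

```python
"""Triage GMER output: separate expected SSDT hooks from real findings and
link a hidden service to the modules it loads. Added example, not GMER's
or the thread's code."""
import re

# Assumption for this host: security-product drivers that legitimately hook
# the SSDT. GMER tags every hook "<-- ROOTKIT !!!" regardless of owner.
KNOWN_HOOKING_DRIVERS = {"vsdatant.sys"}  # ZoneAlarm firewall driver

# Constructed sample built from lines in the thread's GMER log.
SAMPLE_GMER = r"""
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateFile [0x807D3886] <-- ROOTKIT !!!
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwOpenProcess [0x807DDAD4] <-- ROOTKIT !!!
Service C:\Windows\system32\drivers\gaopdxfvosxdwbtnhkhxrpunsrnneduqstmrcb.sys (*** hidden *** ) [SYSTEM] gaopdxserv.sys <-- ROOTKIT !!!
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys@imagepath \systemroot\system32\drivers\gaopdxfvosxdwbtnhkhxrpunsrnneduqstmrcb.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys\modules@gaopdxserv \\?\globalroot\systemroot\system32\drivers\gaopdxfvosxdwbtnhkhxrpunsrnneduqstmrcb.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys\modules@gaopdxl \\?\globalroot\systemroot\system32\gaopdxgfiyxxjibeerwctqveirmlosniipwumr.dll
File C:\Windows\System32\drivers\gaopdxfvosxdwbtnhkhxrpunsrnneduqstmrcb.sys 34816 bytes executable <-- ROOTKIT !!!
File C:\Windows\System32\gaopdxgfiyxxjibeerwctqveirmlosniipwumr.dll 10752 bytes executable
""".strip()

ROOTKIT_TAG = "<-- ROOTKIT !!!"
SSDT_RE = re.compile(r"^SSDT\s+(?P<module>\S+)\s+\((?P<desc>[^)]*)\)\s+(?P<func>\w+)")
SERVICE_RE = re.compile(
    r"^Service\s+(?P<path>\S+)\s+\(\*\*\* hidden \*\*\* \)\s+\[(?P<start>\w+)\]\s+(?P<name>\S+)")
# Reg HKLM\SYSTEM\<control set>\Services\<svc>[\<subkey>]@<value> <data>
REG_RE = re.compile(
    r"^Reg\s+HKLM\\SYSTEM\\(?P<cs>[^\\]+)\\Services\\(?P<svc>[^\\@\s]+)"
    r"(?P<sub>(?:\\[^@\s]+)?)@(?P<value>\S+)\s+(?P<data>.*)$")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def classify_rootkit_flags(lines, known=KNOWN_HOOKING_DRIVERS):
    """Split ROOTKIT-tagged lines into (expected hooks, remaining findings)."""
    expected, findings = [], []
    for line in lines:
        if ROOTKIT_TAG not in line:
            continue
        m = SSDT_RE.match(line)
        if m and basename(m.group("module")).lower() in known:
            expected.append((basename(m.group("module")), m.group("func")))
        else:
            findings.append(line[:line.index(ROOTKIT_TAG)].strip())
    return expected, findings


def hidden_services(lines):
    """Map each service GMER reports as hidden to its on-disk image path."""
    return {m.group("name"): m.group("path") for m in map(SERVICE_RE.match, lines) if m}


def service_modules(lines, service_name):
    """Every image file recorded under the service's registry key: the
    @imagepath value plus anything under the \\modules subkey."""
    modules = set()
    for line in lines:
        m = REG_RE.match(line)
        if not m or m.group("svc").lower() != service_name.lower():
            continue
        if m.group("value").lower() == "imagepath" or m.group("sub").lower() == r"\modules":
            modules.add(basename(m.group("data")).lower())
    return modules


def correlate(lines, av_detection_path):
    """Hidden services whose recorded modules include the file an AV flagged."""
    target = basename(av_detection_path).lower()
    return {name for name in hidden_services(lines)
            if target in service_modules(lines, name)}


if __name__ == "__main__":
    lines = SAMPLE_GMER.splitlines()
    expected, findings = classify_rootkit_flags(lines)
    print("expected hooks:", expected)
    print("findings:", findings)
    print("hidden services:", hidden_services(lines))
    print("loads AVG's DLL:",
          correlate(lines, r"C:\Windows\System32\gaopdxgfiyxxjibeerwctqveirmlosniipwumr.dll"))
```

On the constructed sample the two ZoneAlarm hooks land in the expected list, the hidden service and its driver file remain as findings, and the correlation step reports that gaopdxserv.sys loads the DLL AVG was detecting, which is the link that explains why deleting the DLL from the vault never stuck while the driver was still registered. The allow-list is the fragile part of this approach: a driver name is not proof of ownership, so a hook attributed to a listed name still deserves a signature check on the file before it is dismissed.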
vp3434 (Junior Member, 6 posts; joined Mar 2009; experience: Advanced)
04-Apr-2009, 03:47 AM #6
Bump. Hoping to get a quick check from the experts to see if what I did above was correct. Thanks!