# Trojan Horse Generic 13.BNJ... please help :)



## vp3434 (Mar 15, 2009)

Hi,

Recently both Firefox and IE started doing redirects when I clicked on search results in Google and Yahoo.com. Then I noticed that when I started my computer, the Windows Firewall would turn off. Finally, AVG found "Trojan Horse Generic 13.BJN" in "C:\Windows\System32\gaopdxgfiyxxjibeerwctqveirmlosniipwumr.dll" (that's not a typo) in both the processes "firefox.exe" and "iexplorer.exe". I had AVG move the infections to the vault and then delete them, but when I restart the computer, AVG detects them again.

I just ran a "full scan" with Ad-Aware with the latest updates; it found the malware Win32TR\.\Agent.dl, which I removed, but I still get a virus alert when running Firefox or IE.

Below is my HijackThis logfile. Any help would be much appreciated!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:02:16 AM, on 3/15/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Program Files\KMaestro\Kmaestro.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Free Internet Window Washer\Clearpch.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=MT6821
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=MT6821
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gateway.com/g/sidepanel.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=MT6821
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\google\BAE.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [BtcMaestro] "C:\Program Files\KMaestro\KMaestro.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] "C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe"
O4 - HKLM\..\Run: [IndexSearch] "C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe"
O4 - HKLM\..\Run: [PPort11reminder] "C:\Program Files\ScanSoft\PaperPort\Ereg\Ereg.exe" -r "C:\ProgramData\ScanSoft\PaperPort\11\Config\Ereg\Ereg.ini
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\CCleaner.exe" /AUTO
O4 - HKCU\..\Run: [Free Internet Window Washer] C:\PROGRA~1\FREEIN~1\Clearpch.exe -Start
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
O13 - Gopher Prefix: 
O15 - Trusted Zone: http://moneycentral.msn.com
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://supportcenter.rr.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-24-0.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1207888939044
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://investools.webex.com/client/T26L10NSP49EP8/event/ieatgpc1.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{98710AC8-7FD6-478C-9946-F7175B670993}: NameServer = 85.255.112.225,85.255.112.199
O17 - HKLM\System\CCS\Services\Tcpip\..\{A3DA5132-1559-49BF-8BE6-6B54C2C8BB9A}: NameServer = 85.255.112.225,85.255.112.199
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.225,85.255.112.199
O17 - HKLM\System\CS6\Services\Tcpip\Parameters: NameServer = 85.255.112.225,85.255.112.199
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.225,85.255.112.199
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: MozyHome Backup Service (mozybackup) - Mozy, Inc. - C:\Program Files\MozyHome\mozybackup.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\supportsoft\bin\ssrc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\Windows\System32\ZoneLabs\vsmon.exe

--
End of file - 12431 bytes


----------
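The O17 lines in the log above are the DNS hijack itself: every Tcpip NameServer key, in the current and backup control sets and per interface, points at the same two public addresses. As an added example (not part of the thread or of HijackThis), the following Python parses O17 lines, flags resolvers that are neither on the LAN nor allowlisted, and checks for the uniform rewrite across keys; the allowlist address 203.0.113.53 is a constructed stand-in for the ISP's real resolvers.

```python
"""Check HijackThis O17 (NameServer) lines for DNS-changer indicators.

Added example for this thread; not code from HijackThis or from the poster.
"""
import ipaddress
import re
from collections import defaultdict

# Five lines copied from the HijackThis log posted above, plus one constructed
# benign line (a LAN router as resolver) so both outcomes are exercised.
HJT_LINES = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{98710AC8-7FD6-478C-9946-F7175B670993}: NameServer = 85.255.112.225,85.255.112.199
O17 - HKLM\System\CCS\Services\Tcpip\..\{A3DA5132-1559-49BF-8BE6-6B54C2C8BB9A}: NameServer = 85.255.112.225,85.255.112.199
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.225,85.255.112.199
O17 - HKLM\System\CS6\Services\Tcpip\Parameters: NameServer = 85.255.112.225,85.255.112.199
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.225,85.255.112.199
O17 - HKLM\System\CCS\Services\Tcpip\..\{CONSTRUCTED-IFACE-GUID}: NameServer = 192.168.1.1
""".strip().splitlines()

# Constructed stand-in for the ISP's or company's real resolvers (TEST-NET-3).
ALLOWLIST = frozenset({"203.0.113.53"})

O17_RE = re.compile(
    r"^O17 - (?P<key>HKLM\\System\\(?P<cset>CCS|CS\d+)\\Services\\Tcpip\\(?P<scope>[^:]+))"
    r": NameServer = (?P<servers>.+)$"
)


def parse_o17(line):
    """Return the control set, interface and resolver list of one O17 line."""
    m = O17_RE.match(line.strip())
    if not m:
        return None
    scope = m["scope"]
    return {
        "key": m["key"],
        "control_set": m["cset"],  # CCS, CS1, CS6 ...
        "interface": "global" if scope == "Parameters" else scope.rsplit("\\", 1)[-1],
        "servers": [s.strip() for s in m["servers"].split(",") if s.strip()],
    }


def is_expected_resolver(server, allowlist=ALLOWLIST):
    """LAN/loopback addresses and allowlisted resolvers are expected; any other
    public address configured as a resolver is treated as suspicious."""
    try:
        ip = ipaddress.ip_address(server)
    except ValueError:
        return False  # not an IP literal at all: have a human look at it
    return ip.is_private or ip.is_loopback or server in allowlist


def triage_o17(lines, allowlist=ALLOWLIST):
    entries = [e for e in (parse_o17(line) for line in lines) if e]
    suspicious = defaultdict(list)  # resolver -> registry keys that use it
    hijacked = []
    for e in entries:
        bad = [s for s in e["servers"] if not is_expected_resolver(s, allowlist)]
        if bad:
            hijacked.append(e["key"])
            for s in bad:
                suspicious[s].append(e["key"])
    # A DNS changer rewrites every copy it can reach: CurrentControlSet, the
    # backup control sets and each interface key all end up with the same
    # foreign resolvers. That uniformity is itself a strong indicator.
    consistent = len(hijacked) > 1 and all(
        set(keys) == set(hijacked) for keys in suspicious.values()
    )
    return {
        "entries": len(entries),
        "suspicious_resolvers": dict(suspicious),
        "hijacked_keys": hijacked,
        "control_sets_affected": sorted(
            {e["control_set"] for e in entries if e["key"] in hijacked}
        ),
        "consistent_rewrite": consistent,
    }


def report(result):
    lines = [f"O17 entries parsed: {result['entries']}"]
    for ip, keys in result["suspicious_resolvers"].items():
        lines.append(f"suspicious resolver {ip} set in {len(keys)} key(s)")
    if result["consistent_rewrite"]:
        lines.append(
            "same foreign resolvers in every affected key across control sets "
            f"{', '.join(result['control_sets_affected'])}: DNS-changer pattern"
        )
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(triage_o17(HJT_LINES)))
```

After cleanup, the same check confirms the fix: once NameServer is back to the LAN router or an allowlisted resolver in every key, `hijacked_keys` is empty.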



## vp3434 (Mar 15, 2009)

Update: I just ran a "full scan" in Malwarebytes with the latest updates and found a bunch of stuff that I then removed. Here's the log. 

Malwarebytes' Anti-Malware 1.34
Database version: 1851
Windows 6.0.6001 Service Pack 1

3/15/2009 2:55:22 PM
mbam-log-2009-03-15 (14-55-22).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 300242
Time elapsed: 2 hour(s), 32 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 0
Registry Data Items Infected: 6
Folders Infected: 3
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b64f4a7c-97c9-11da-8bde-f66bad1e3f3a} (Rogue.WinAntivirus) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\DecodingHQ (Trojan.DNSChanger) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DecodingHQ (Trojan.DNSChanger) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\{NSINAME} (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.225,85.255.112.199 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{98710ac8-7fd6-478c-9946-f7175b670993}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.225,85.255.112.199 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{a3da5132-1559-49bf-8be6-6b54c2c8bb9a}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.225,85.255.112.199 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.225,85.255.112.199 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{98710ac8-7fd6-478c-9946-f7175b670993}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.225,85.255.112.199 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{a3da5132-1559-49bf-8be6-6b54c2c8bb9a}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.225,85.255.112.199 -> Quarantined and deleted successfully.

Folders Infected:
C:\Users\Viraj\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\DecodingHQ (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\DecodingHQ (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\Program Files\DecodingHQ (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\DecodingHQ\Uninstall.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\Users\Viraj\AppData\Local\codecsetup.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\DecodingHQ\Uninstall.lnk (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\autorun.inf (Trojan.Agent) -> Quarantined and deleted successfully.
C:\RECYCLER\S-6-1-46-100023812-100022970-100020390-2877.com (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\System32\gaopdxcounter (Trojan.Agent) -> Quarantined and deleted successfully.


----------



## vp3434 (Mar 15, 2009)

Update 2: After running Malwarebytes and selecting remove, it asked me to restart. Upon restarting, a Windows error message came up about something causing the host process to close. I tried jotting down the exact message, but then Windows froze and I had to restart. Before Windows froze, I did manage to start up Firefox, upon which AVG gave the same alert as before about Trojan Horse Generic 13.BNJ. After restarting, explorer.exe stopped responding, so I then did a hard shutdown and restarted in safe mode. There I ran Malwarebytes again, which produced this log file:

Malwarebytes' Anti-Malware 1.34
Database version: 1851
Windows 6.0.6001 Service Pack 1
3/15/2009 3:34:15 PM
mbam-log-2009-03-15 (15-34-15).txt
Scan type: Quick Scan
Objects scanned: 64066
Time elapsed: 3 minute(s), 47 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\Windows\System32\gaopdxcounter (Trojan.Agent) -> Quarantined and deleted successfully.


----------



## vp3434 (Mar 15, 2009)

Update 3: I forgot to mention that when I first downloaded Malwarebytes, I had to rename "mbam.exe" to "mbam2.exe" to get it to run. As mbam.exe, I would click on the exe, see the hourglass cursor, and then nothing would happen. Not sure if this is important, but I thought I would pass the info along.

Also, I mistyped the name of the virus AVG is reporting. It is called "Trojan Horse Generic 13.BJN" not "Trojan Horse Generic 13.BNJ."

Since the update above, I was able to restart Windows Vista in normal mode. I ran an online Kaspersky critical areas virus scan and it didn't detect any viruses. I restarted Windows and the virus is still being found by AVG when starting Firefox or IE. Also, I have gotten the "Windows Host Process has stopped working" error a couple of times, and I got a "DHCP Client has closed" error after which my internet connection stopped working. I did a networking diagnostic and repair and the internet works again now. Not sure what to do now, as it appears the virus is still in the computer.


----------



## vp3434 (Mar 15, 2009)

Update 4: I went ahead and did some additional research while I was waiting for a response. I ran Dr.Web CureIt!, which found a number of problem items that I then deleted. (I would post the log, but the computer crashed before I could save it.) The gaopdxcounter Trojan still remained though. Then I ran AVZ 4, which didn't find anything. Finally, I saw on another website that gaopdxcounter is a rootkit, so I ran GMER. This identified the rootkit and I deleted it within GMER. Afterwards I ran Malwarebytes again and this time it finally ran clean. I think I am now clean, but if an expert on here can confirm that my computer is now clean, that would be great! Below are the latest logs:

GMER 1.0.15.14939 - http://www.gmer.net
Rootkit scan 2009-03-16 21:43:59
Windows 6.0.6001 Service Pack 1

---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwAlpcConnectPort [0x807D67F8] <-- ROOTKIT !!!
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwConnectPort [0x807D6458] <-- ROOTKIT !!!
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateFile [0x807D3886] <-- ROOTKIT !!!
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateKey [0x807DE90A] <-- ROOTKIT !!!
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreatePort [0x807D6BAE] <-- ROOTKIT !!!
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateProcess [0x807DC6B6] <-- ROOTKIT !!!
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateProcessEx [0x807DC8D0] <-- ROOTKIT !!!
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateSection [0x807E023A] <-- ROOTKIT !!!
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateWaitablePort [0x807D6C56] <-- ROOTKIT !!!
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwDeleteFile [0x807D3D66] <-- ROOTKIT !!!
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwDeleteKey [0x807DF206] <-- ROOTKIT !!!
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwDeleteValueKey [0x807DEF82]  <-- ROOTKIT !!!
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwDuplicateObject [0x807DC0B6] <-- ROOTKIT !!!
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwLoadKey [0x807DF734] <-- ROOTKIT !!!
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwLoadKey2 [0x807DF7AC] <-- ROOTKIT !!!
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwLoadKeyEx [0x807DF824] <-- ROOTKIT !!!
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwOpenFile [0x807D3BFE] <-- ROOTKIT !!!
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwOpenProcess [0x807DDAD4] <-- ROOTKIT !!!
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwRenameKey [0x807DFE66] <-- ROOTKIT !!!
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwReplaceKey [0x807DF89C] <-- ROOTKIT !!!
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwRequestWaitReplyPort [0x807D60E2] <-- ROOTKIT !!!
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwRestoreKey [0x807DFCA6] <-- ROOTKIT !!!
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSecureConnectPort [0x807D65F8] <-- ROOTKIT !!!
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSetInformationFile [0x807D3F54] <-- ROOTKIT !!!
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSetValueKey [0x807DEC88] <-- ROOTKIT !!!
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSystemDebugControl [0x807DD044] <-- ROOTKIT !!!
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwTerminateProcess [0x807DCF20] <-- ROOTKIT !!!
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateUserProcess [0x807DCAEE] <-- ROOTKIT !!!

Code 8CD332E0 ZwEnumerateKey
Code 8CCD22D8  ZwFlushInstructionCache
Code 8CD9E420 ZwQueryValueKey
Code 8CD3C73D IofCallDriver
Code 8CDA1346 IofCompleteRequest

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!IofCompleteRequest 81C7FFE2 5 Bytes JMP 8CDA134B 
.text ntkrnlpa.exe!KeSetTimerEx + 370 81CFE934 4 Bytes [F8, 67, 7D, 80]
.text ntkrnlpa.exe!KeSetTimerEx + 40C 81CFE9D0 4 Bytes [86, 38, 7D, 80] {XCHG [EAX], BH; JGE 0xffffffffffffff84}
.text ntkrnlpa.exe!KeSetTimerEx + 41C 81CFE9E0 4 Bytes JMP A9CF6A62 
.text ntkrnlpa.exe!KeSetTimerEx + 438 81CFE9FC 12 Bytes [AE, 6B, 7D, 80, B6, C6, 7D, ...]
.text ntkrnlpa.exe!KeSetTimerEx + 448 81CFEA0C 4 Bytes [3A, 02, 7E, 80] {CMP AL, [EDX]; JLE 0xffffffffffffff84}
.text ... 
.text ntkrnlpa.exe!IofCallDriver 81D01F6F 5 Bytes JMP 8CD3C742 
PAGE ntkrnlpa.exe!ZwFlushInstructionCache 81DF830B 5 Bytes JMP 8CCD22DC 
PAGE ntkrnlpa.exe!ZwQueryValueKey 81E4BB57 5 Bytes JMP 8CD9E424 
PAGE ntkrnlpa.exe!ZwEnumerateKey 81E4DBB4 5 Bytes JMP 8CD332E4

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Maestro1.sys (KeyMaestro Sys for Windows NT, 2000, .../BTC)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Maestro1.sys (KeyMaestro Sys for Windows NT, 2000, .../BTC)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\Tcp ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\Udp ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\RawIp ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)

---- Services - GMER 1.0.15 ----

Service C:\Windows\system32\drivers\gaopdxfvosxdwbtnhkhxrpunsrnneduqstmrcb.sys (*** hidden *** ) [SYSTEM] gaopdxserv.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys 
Reg HKLM\SYSTEM\CurrentControlSet\Services\[email protected] 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\[email protected] 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\[email protected] \systemroot\system32\drivers\gaopdxfvosxdwbtnhkhxrpunsrnneduqstmrcb.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\[email protected] file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys\modules 
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys\[email protected] \\?\globalroot\systemroot\system32\drivers\gaopdxfvosxdwbtnhkhxrpunsrnneduqstmrcb.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys\[email protected] \\?\globalroot\systemroot\system32\gaopdxgfiyxxjibeerwctqveirmlosniipwumr.dll
Reg HKLM\SYSTEM\ControlSet002\Services\gaopdxserv.sys 
Reg HKLM\SYSTEM\ControlSet002\Services\[email protected] 1
Reg HKLM\SYSTEM\ControlSet002\Services\[email protected] 1
Reg HKLM\SYSTEM\ControlSet002\Services\[email protected] \systemroot\system32\drivers\gaopdxfvosxdwbtnhkhxrpunsrnneduqstmrcb.sys
Reg HKLM\SYSTEM\ControlSet002\Services\[email protected] file system
Reg HKLM\SYSTEM\ControlSet002\Services\gaopdxserv.sys\modules 
Reg HKLM\SYSTEM\ControlSet002\Services\gaopdxserv.sys\[email protected] \\?\globalroot\systemroot\system32\drivers\gaopdxfvosxdwbtnhkhxrpunsrnneduqstmrcb.sys
Reg HKLM\SYSTEM\ControlSet002\Services\gaopdxserv.sys\[email protected] \\?\globalroot\systemroot\system32\gaopdxgfiyxxjibeerwctqveirmlosniipwumr.dll
Reg HKLM\SYSTEM\ControlSet003\Services\gaopdxserv.sys 
Reg HKLM\SYSTEM\ControlSet003\Services\[email protected] 1
Reg HKLM\SYSTEM\ControlSet003\Services\[email protected] 1
Reg HKLM\SYSTEM\ControlSet003\Services\[email protected] \systemroot\system32\drivers\gaopdxfvosxdwbtnhkhxrpunsrnneduqstmrcb.sys
Reg HKLM\SYSTEM\ControlSet003\Services\[email protected] file system
Reg HKLM\SYSTEM\ControlSet003\Services\gaopdxserv.sys\modules 
Reg HKLM\SYSTEM\ControlSet003\Services\gaopdxserv.sys\[email protected] \\?\globalroot\systemroot\system32\drivers\gaopdxfvosxdwbtnhkhxrpunsrnneduqstmrcb.sys
Reg HKLM\SYSTEM\ControlSet003\Services\gaopdxserv.sys\[email protected] \\?\globalroot\systemroot\system32\gaopdxgfiyxxjibeerwctqveirmlosniipwumr.dll
Reg HKLM\SYSTEM\ControlSet004\Services\gaopdxserv.sys 
Reg HKLM\SYSTEM\ControlSet004\Services\[email protected] 1
Reg HKLM\SYSTEM\ControlSet004\Services\[email protected] 1
Reg HKLM\SYSTEM\ControlSet004\Services\[email protected] \systemroot\system32\drivers\gaopdxfvosxdwbtnhkhxrpunsrnneduqstmrcb.sys
Reg HKLM\SYSTEM\ControlSet004\Services\[email protected] file system
Reg HKLM\SYSTEM\ControlSet004\Services\gaopdxserv.sys\modules 
Reg HKLM\SYSTEM\ControlSet004\Services\gaopdxserv.sys\[email protected] \\?\globalroot\systemroot\system32\drivers\gaopdxfvosxdwbtnhkhxrpunsrnneduqstmrcb.sys
Reg HKLM\SYSTEM\ControlSet004\Services\gaopdxserv.sys\[email protected] \\?\globalroot\systemroot\system32\gaopdxgfiyxxjibeerwctqveirmlosniipwumr.dll
Reg HKLM\SYSTEM\ControlSet005\Services\gaopdxserv.sys 
Reg HKLM\SYSTEM\ControlSet005\Services\[email protected] 1
Reg HKLM\SYSTEM\ControlSet005\Services\[email protected] 1
Reg HKLM\SYSTEM\ControlSet005\Services\[email protected] \systemroot\system32\drivers\gaopdxfvosxdwbtnhkhxrpunsrnneduqstmrcb.sys
Reg HKLM\SYSTEM\ControlSet005\Services\[email protected] file system
Reg HKLM\SYSTEM\ControlSet005\Services\gaopdxserv.sys\modules 
Reg HKLM\SYSTEM\ControlSet005\Services\gaopdxserv.sys\[email protected] \\?\globalroot\systemroot\system32\drivers\gaopdxfvosxdwbtnhkhxrpunsrnneduqstmrcb.sys
Reg HKLM\SYSTEM\ControlSet005\Services\gaopdxserv.sys\[email protected] \\?\globalroot\systemroot\system32\gaopdxgfiyxxjibeerwctqveirmlosniipwumr.dll
Reg HKLM\SYSTEM\ControlSet006\Services\gaopdxserv.sys 
Reg HKLM\SYSTEM\ControlSet006\Services\[email protected] 1
Reg HKLM\SYSTEM\ControlSet006\Services\[email protected] 1
Reg HKLM\SYSTEM\ControlSet006\Services\[email protected] \systemroot\system32\drivers\gaopdxfvosxdwbtnhkhxrpunsrnneduqstmrcb.sys
Reg HKLM\SYSTEM\ControlSet006\Services\[email protected] file system
Reg HKLM\SYSTEM\ControlSet006\Services\gaopdxserv.sys\modules 
Reg HKLM\SYSTEM\ControlSet006\Services\gaopdxserv.sys\[email protected] \\?\globalroot\systemroot\system32\drivers\gaopdxfvosxdwbtnhkhxrpunsrnneduqstmrcb.sys
Reg HKLM\SYSTEM\ControlSet006\Services\gaopdxserv.sys\[email protected] \\?\globalroot\systemroot\system32\gaopdxgfiyxxjibeerwctqveirmlosniipwumr.dll

---- Files - GMER 1.0.15 ----

File C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiMG0028.000 240 bytes
File C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiMG0028.001 65536 bytes
File C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiMG0028.002 65536 bytes
File C:\Windows\System32\drivers\gaopdxfvosxdwbtnhkhxrpunsrnneduqstmrcb.sys 34816 bytes executable <-- ROOTKIT !!!
File C:\Windows\System32\gaopdxgfiyxxjibeerwctqveirmlosniipwumr.dll 10752 bytes executable

---- EOF - GMER 1.0.15 ----

Malwarebytes' Anti-Malware 1.34
Database version: 1856
Windows 6.0.6001 Service Pack 1

3/16/2009 10:05:41 PM
mbam-log-2009-03-16 (22-05-41).txt

Scan type: Quick Scan
Objects scanned: 65686
Time elapsed: 6 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


----------
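GMER tags every SSDT hook with "ROOTKIT !!!", so the 28 lines above that it attributes to the ZoneAlarm driver vsdatant.sys have to be read against the real indicators in the same log: the service GMER could only find by scanning ("*** hidden ***"), the inline Code hooks with no owning module, and the randomly named executables in System32. The following Python, an added example that is neither GMER's code nor the poster's, performs that triage on excerpts of the posted log; the long-lowercase-name heuristic is an assumption of this example, not a GMER rule.

```python
"""Triage a GMER rootkit-scan log: separate SSDT hooks that belong to a named
module from the indicators of a hidden driver.

Added example for this thread; it is not part of GMER and not the poster's code.
"""
import re
from collections import defaultdict

# Excerpt of the GMER log posted above: three of the 28 ZoneAlarm SSDT lines,
# three Code hooks, the hidden service and three File entries.
GMER_LOG = r"""
---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateFile [0x807D3886] <-- ROOTKIT !!!
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwOpenProcess [0x807DDAD4] <-- ROOTKIT !!!
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwTerminateProcess [0x807DCF20] <-- ROOTKIT !!!

Code 8CD332E0 ZwEnumerateKey
Code 8CD9E420 ZwQueryValueKey
Code 8CD3C73D IofCallDriver

---- Services - GMER 1.0.15 ----

Service C:\Windows\system32\drivers\gaopdxfvosxdwbtnhkhxrpunsrnneduqstmrcb.sys (*** hidden *** ) [SYSTEM] gaopdxserv.sys <-- ROOTKIT !!!

---- Files - GMER 1.0.15 ----

File C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiMG0028.000 240 bytes
File C:\Windows\System32\drivers\gaopdxfvosxdwbtnhkhxrpunsrnneduqstmrcb.sys 34816 bytes executable <-- ROOTKIT !!!
File C:\Windows\System32\gaopdxgfiyxxjibeerwctqveirmlosniipwumr.dll 10752 bytes executable
"""

SSDT_RE = re.compile(r"^SSDT\s+(?P<module>\S+)\s+\((?P<desc>[^)]*)\)\s+(?P<func>\w+)\s+\[")
CODE_RE = re.compile(r"^Code\s+(?P<addr>[0-9A-Fa-f]+)\s+(?P<func>\w+)")
SERVICE_RE = re.compile(
    r"^Service\s+(?P<path>\S+)\s+\((?P<flags>[^)]*)\)\s+\[(?P<start>\w+)\]\s+(?P<name>\S+)"
)
FILE_RE = re.compile(r"^File\s+(?P<path>.+?)\s+(?P<size>\d+) bytes(?P<rest>.*)$")


def looks_randomized(path, min_len=16):
    """Heuristic (this example's assumption): a file name that is one long run
    of lowercase letters with no digits, separators or words, like gaopdx..."""
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    return re.fullmatch(r"[a-z]{%d,}" % min_len, stem) is not None


def triage_gmer(text):
    ssdt = defaultdict(lambda: {"vendor": "", "hooked": []})
    code_hooks, hidden_services, files = [], [], []
    for raw in text.splitlines():
        line = raw.strip()
        if (m := SSDT_RE.match(line)):
            ssdt[m["module"]]["vendor"] = m["desc"]   # GMER's own module label
            ssdt[m["module"]]["hooked"].append(m["func"])
        elif (m := CODE_RE.match(line)):
            code_hooks.append(m["func"])              # inline hook, no owner named
        elif (m := SERVICE_RE.match(line)):
            if "hidden" in m["flags"]:                # not visible via the API
                hidden_services.append({"name": m["name"], "path": m["path"]})
        elif (m := FILE_RE.match(line)):
            files.append(m)
    hidden_paths = {s["path"].lower() for s in hidden_services}
    suspicious_files = [
        m["path"] for m in files
        if "ROOTKIT" in m["rest"]
        or m["path"].lower() in hidden_paths
        or ("executable" in m["rest"] and looks_randomized(m["path"]))
    ]
    return {
        # Hooks from a single module that GMER can name (here the ZoneAlarm
        # firewall driver) are a product to verify, not a hidden rootkit.
        "ssdt_hooks_by_module": {
            mod: {"vendor": e["vendor"], "count": len(e["hooked"])} for mod, e in ssdt.items()
        },
        "unattributed_code_hooks": code_hooks,
        "hidden_services": hidden_services,
        "suspicious_files": suspicious_files,
    }


def report(result):
    out = []
    for mod, e in result["ssdt_hooks_by_module"].items():
        out.append(f"{e['count']} SSDT hooks from {mod} ({e['vendor'] or 'unnamed'}): "
                   "verify against installed security software")
    if result["unattributed_code_hooks"]:
        out.append("inline kernel hooks with no owner: " + ", ".join(result["unattributed_code_hooks"]))
    for s in result["hidden_services"]:
        out.append(f"hidden service {s['name']} -> {s['path']}")
    for p in result["suspicious_files"]:
        out.append(f"suspicious file: {p}")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(triage_gmer(GMER_LOG)))
```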



## vp3434 (Mar 15, 2009)

Bump. Hoping to get a quick check from the experts to see if what I did above was correct. Thanks!


----------

