goimes.exe worm [Solved] - Geeks to Go Forums


goimes.exe worm [Solved] Can't get rid of goimes.exe

#1 PaprikaNoctis

  • Group: Member
  • Posts: 11
  • Joined: 25-October 09

Posted 25 October 2009 - 03:51 AM

Got a worm on my computer called 'goimes.exe'.

I can see it running under the windows task manager.

It's also in the registry editor under 'search assistance'

I used both AVG and Prevx to scan my computer but they don't pick it up.

Tried contacting the Prevx forums for help; they told me to send it to them in a file that's a password-protected RAR or 7z archive.

I have no idea how to do that.

Any ideas what I should do?

#2 Raktor

  • Group: Member
  • Posts: 268
  • Joined: 30-August 09

Posted 25 October 2009 - 10:22 PM

Hi, welcome to the G2G Forums. My username is Raktor, and I would be glad to help you with your malware issues. I'd be grateful if you would note the following:

  • Absence of symptoms does not always mean the computer is clean
  • Please do not run any scans or fixes without my direction.
  • Finally, stay with this topic until I give you the final 'All clear' post.


1) DDS
Please download DDS and save it to your desktop from here or here or here.
Disable any script blocker, and then double click dds.scr to run the tool.
  • When done, DDS will open two (2) logs:
    • DDS.txt
    • Attach.txt

  • Save both reports to your desktop.


2) RR
Please download RootRepeal.zip.
Save it to your Desktop. Alternate download links here or here.
Please print these instructions; you will not have an Internet connection!
If you have a 3rd party "unzipping" program...use it to open the zipped file...then skip to Step 5. Otherwise...
  • Right click on RootRepeal.zip and select "Extract All"....
  • Click Next on the "Welcome to the Compressed (zipped) Folders Extraction Wizard."
  • Click on the Browse...button, then click on Desktop, then click OK.
  • Once done, check (tick) the Show extracted files box and click Finish.
  • Before running RootRepeal:
      Disconnect from the Internet as your system will be unprotected while using this tool.
      Close all programs and temporarily disable your anti-virus, Firewall and any anti-malware real-time protection before performing a scan.

  • Open the RootRepeal folder and double-click on RootRepeal.exe to launch it.
  • When the program opens, click the Report tab at the bottom, then click the Scan button.
  • In the Select Scan dialog, which asks What do you want to include in the scan?, check ALL the boxes.
  • Click OK.
  • In the Select Drives dialog (Please select drives to scan:), select all drives showing, then click OK.
    The scan can take some time to finish. Do not use the computer while the scan is running.
    When the scan has completed, a list of files will be generated in the RootRepeal window.
  • Click on the Save Report button and save it as "rootrepeal.txt" to your desktop.
  • Close and exit RootRepeal
  • Double-click on the file rootrepeal.txt... Notepad will open... copy/paste the file contents in your next reply.


Make sure to enable your anti-virus, Firewall and any other security programs you disabled.
Note: If RootRepeal cannot complete a scan and results in a crash report, try repeating the scan in "safe mode".

3) What You Will Need To Post:
  • DDS logs
  • RR log


#3 PaprikaNoctis

  • Group: Member
  • Posts: 11
  • Joined: 25-October 09

Posted 27 October 2009 - 08:50 AM

Thank you, and so sorry for the late reply.

Also sorry but my copy/paste function has stopped working, so I will try to send everything as an attachment.

Attached File  DDS.txt (33.13K)
Number of downloads: 114

Attached File  Attach.txt (10.47K)
Number of downloads: 41

Attached File  RootRepeal_report_01_04_80__00_54_08_.txt (2.02K)
Number of downloads: 39

#4 Raktor

  • Group: Member
  • Posts: 268
  • Joined: 30-August 09

Posted 27 October 2009 - 10:50 PM

Download Combofix from any of the links below.

Link 1
Link 2


==================================

Double click on ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt so we can continue cleaning the system.


#5 PaprikaNoctis

  • Group: Member
  • Posts: 11
  • Joined: 25-October 09

Posted 28 October 2009 - 06:41 AM

Thank you.

ComboFix 09-10-27.07 - HP 28/10/2009 23:25.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.61.1033.18.1015.651 [GMT 10.5:30]
Running from: c:\documents and settings\HP\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\HP\Application Data\AntispywareBot
c:\documents and settings\HP\goimes.exe
c:\program files\AskSearch\bin\DefaultSearch.dll
c:\windows\system32\MSVolume.dll

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :)
.
((((((((((((((((((((((((( Files Created from 2009-09-28 to 2009-10-28 )))))))))))))))))))))))))))))))
.

2009-10-28 12:44 . 2009-10-28 12:45 -------- d-----w- C:\32788R22FWJFW
2009-10-21 16:12 . 2009-10-21 16:12 -------- d-----w- c:\documents and settings\LocalService\Application Data\WTablet
2009-10-21 14:36 . 2009-10-21 14:36 27656 ----a-w- c:\windows\system32\drivers\pxsec.sys
2009-10-21 14:36 . 2009-10-21 14:36 22024 ----a-w- c:\windows\system32\drivers\pxscan.sys
2009-10-21 14:35 . 2009-10-21 14:35 -------- d-----w- c:\program files\Prevx
2009-10-21 14:35 . 1980-01-03 14:01 -------- d-----w- c:\documents and settings\All Users\Application Data\PrevxCSI
2009-10-18 08:22 . 2009-10-18 08:22 -------- d-----w- c:\documents and settings\All Users\Application Data\pI3demoLicense
2009-10-18 08:22 . 2009-10-18 13:29 -------- d-----w- c:\program files\particleIllusion 3.0 demo
2009-10-07 01:45 . 1980-01-03 13:47 -------- d-----w- C:\$AVG8.VAULT$
2009-10-01 00:30 . 2009-10-01 00:36 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-10-01 00:30 . 2009-10-01 00:36 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-10-01 00:30 . 2009-10-01 00:36 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-10-01 00:30 . 2009-10-01 00:36 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-10-01 00:30 . 2009-10-28 12:41 -------- d-----w- c:\windows\system32\drivers\Avg
2009-10-01 00:30 . 2009-10-01 00:30 -------- d-----w- c:\program files\AVG
2009-10-01 00:30 . 2009-10-01 00:30 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-10-01 00:20 . 2009-10-01 00:20 -------- d-----w- c:\documents and settings\HP\Application Data\AVG8
2009-09-29 13:44 . 2009-09-29 13:44 -------- d-----w- c:\windows\system32\wbem\Repository
2009-09-29 13:43 . 2009-09-29 13:43 -------- d-----w- c:\documents and settings\HP\Application Data\Apple Computer

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-28 12:52 . 2008-10-08 14:38 -------- d-----w- c:\documents and settings\HP\Application Data\WTablet
2009-10-14 13:44 . 2008-09-17 13:06 31001 ----a-w- c:\windows\nsreg.dat
2009-10-01 02:18 . 2008-05-08 02:48 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-25 05:37 . 2004-08-04 12:00 667136 ----a-w- c:\windows\system32\wininet.dll
2009-09-25 05:37 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-09-11 14:18 . 2004-08-04 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-30 14:46 . 2009-08-30 14:46 -------- d-----w- c:\documents and settings\HP\Application Data\Smith Micro
2009-08-30 14:46 . 2009-08-30 14:46 -------- d-----w- c:\program files\Smith Micro
2009-08-26 08:00 . 2004-08-04 12:00 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-06 09:54 . 2008-05-08 02:15 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-06 09:54 . 2008-05-08 02:15 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-06 09:54 . 2008-05-08 02:15 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-06 09:54 . 2007-07-30 09:19 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-06 09:54 . 2008-05-08 02:15 53472 ----a-w- c:\windows\system32\wuauclt.exe
2009-08-06 09:54 . 2004-08-04 12:00 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-06 09:53 . 2008-05-08 02:15 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-06 09:53 . 2008-05-08 02:15 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-05 09:01 . 2004-08-04 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 15:13 . 2004-08-04 12:00 2145280 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-08-04 14:20 . 2004-08-03 22:59 2023936 ----a-w- c:\windows\system32\ntkrnlpa.exe
2006-05-03 09:06 . 2009-06-15 10:04 163328 --sh--r- c:\windows\system32\flvDX.dll
2007-02-21 10:47 . 2009-06-15 10:04 31232 --sh--r- c:\windows\system32\msfDX.dll
2008-03-16 12:30 . 2009-06-15 10:04 216064 --sh--r- c:\windows\system32\nbDX.dll
.

------- Sigcheck -------

[7] 2008-04-14 . 6D4FEB43EE538FC5428CC7F0565AA656 . 56320 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\eventlog.dll
[7] 2004-08-04 . 82B24CB70E5944E6E34662205A2A5B78 . 55808 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\eventlog.dll

c:\windows\system32\eventlog.dll ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-08-06 04:20 279944 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-08-06 279944]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-08-06 279944]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-02-21 68856]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-10 40048]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-06 136600]
"Smapp"="c:\program files\Analog Devices\SoundMAX\SMTray.exe" [2003-05-04 143360]
"DrvLsnr"="c:\program files\Analog Devices\SoundMAX\DrvLsnr.exe" [2003-05-08 69632]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 5.0\apdproxy.exe" [2006-09-13 61440]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-04-13 155648]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-10-17 2025752]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-12-12 9555968]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2006-6-2 180224]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-10-01 00:36 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [22/01/2009 3:39 PM 64160]
R0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys [22/10/2009 1:06 AM 22024]
R0 pxsec;pxsec;c:\windows\system32\drivers\pxsec.sys [22/10/2009 1:06 AM 27656]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [1/10/2009 11:00 AM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [1/10/2009 11:00 AM 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [1/10/2009 11:06 AM 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [1/10/2009 11:06 AM 297752]
R2 CSIScanner;CSIScanner;c:\program files\Prevx\prevx.exe [22/10/2009 1:05 AM 4368952]
R2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [9/10/2008 1:07 AM 1373480]

--- Other Services/Drivers In Memory ---

*Deregistered* - mbr
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://toolbar.ask.com/toolbarv/askRedirect?o=13157&gct=&gc=1&q=%s
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\HP\Start Menu\Programs\IMVU\Run IMVU.lnk
FF - ProfilePath - c:\documents and settings\HP\Application Data\Mozilla\Firefox\Profiles\wx7m5t7c.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.au/
FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=13157&gct=&gc=1&q=
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\HP\Local Settings\Application Data\Yahoo!\BrowserPlus\2.4.17\Plugins\npybrowserplus_2.4.17.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\npaudio.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\npavi32.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\npdrmv2.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\npdsplay.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\nphcd32.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\npnul32.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\npqtplugin.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\npqtplugin2.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\npqtplugin3.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\npqtplugin4.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\npqtplugin5.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\npqtplugin6.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\npqtplugin7.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\npswf32.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\npwmsdrm.dll
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
URLSearchHooks-EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
URLSearchHooks-C94E154B-1459-4A47-966B-4B843BEFC7DB} - (no file)
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
HKCU-Run-AdwareProMFCT - c:\program files\AdwarePro\StartApp.exe
HKCU-Run-goimes - c:\documents and settings\HP\goimes.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-28 23:29
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-10-28 23:32
ComboFix-quarantined-files.txt 2009-10-28 13:02

Pre-Run: 23,407,521,792 bytes free
Post-Run: 23,401,959,424 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - FFD6F1E17D5D12E3CB1F80A472633B23
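Two lines in this log explain what the original poster saw in Task Manager: under "ORPHANS REMOVED", `HKCU-Run-goimes - c:\documents and settings\HP\goimes.exe`, and under "Other Deletions", the file itself. An executable that autoruns from the root of a user profile is a classic low-privilege persistence spot, and it is the location rather than the name that gives it away. The script below is an added example (my code, not ComboFix's and not part of the thread): it parses ComboFix-style Run-key values and orphan lines and ranks each entry by where the target executable lives. The sample log is constructed from lines copied from the log above plus one hypothetical Temp entry that is not on the page; the location heuristics (profile root and Temp are high, Application Data is medium, Program Files and Windows are low) are this example's own assumptions, not ComboFix's rules.

```python
import re
from dataclasses import dataclass

# Constructed sample: Run-key and orphan lines copied from the ComboFix log
# above, plus one hypothetical Temp entry (not on the page) to exercise that rule.
SAMPLE_LOG = r'''
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-02-21 68856]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]

- - - - ORPHANS REMOVED - - - -

HKCU-Run-AdwareProMFCT - c:\program files\AdwarePro\StartApp.exe
HKCU-Run-goimes - c:\documents and settings\HP\goimes.exe
HKCU-Run-hypothetical - c:\documents and settings\HP\Local Settings\Temp\upd.exe
'''

ORPHAN_LINE = re.compile(r'^(?P<hive>HK[A-Z]+)-Run-(?P<name>\S+) - (?P<path>.+?)\s*$')
VALUE_LINE = re.compile(r'^"(?P<name>[^"]+)"=(?P<value>.*)$')

# Location heuristics: assumptions made for this example, not ComboFix rules.
PROFILE_ROOT = re.compile(r'^c:\\documents and settings\\[^\\]+\\[^\\]+$')
TEMP_DIR = re.compile(r'\\local settings\\temp\\')
APP_DATA = re.compile(r'\\application data\\')
TRUSTED_ROOT = re.compile(r'^c:\\(program files|windows)\\')
RANK = {'high': 0, 'medium': 1, 'low': 2}


@dataclass
class Finding:
    hive: str
    name: str
    path: str
    severity: str
    reason: str
    orphan: bool   # listed under ORPHANS REMOVED, i.e. already deleted by ComboFix


def classify(path):
    """Rate an autorun target by where it lives on disk."""
    p = path.lower()
    if PROFILE_ROOT.match(p):
        return 'high', 'runs directly from a user profile root'
    if TEMP_DIR.search(p):
        return 'high', 'runs from a Temp directory'
    if APP_DATA.search(p):
        return 'medium', 'runs from Application Data'
    if TRUSTED_ROOT.match(p):
        return 'low', 'installed under Program Files or Windows'
    return 'medium', 'unusual location, review manually'


def _path_from_value(value):
    """Extract the executable path from '"path" args [date size]' or a bare 'path'."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    return value.split(' [', 1)[0].strip()


def triage(log_text):
    """Parse Run-key values and orphan lines; return findings, most suspicious first."""
    hive = '?'
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith('[HKEY_'):
            hive = {'HKEY_CURRENT_USER': 'HKCU', 'HKEY_LOCAL_MACHINE': 'HKLM',
                    'HKEY_USERS': 'HKU'}.get(line[1:].split('\\', 1)[0], '?')
            continue
        m = ORPHAN_LINE.match(line)
        if m:
            sev, why = classify(m['path'])
            findings.append(Finding(m['hive'], m['name'], m['path'], sev, why, True))
            continue
        m = VALUE_LINE.match(line)
        if m:
            path = _path_from_value(m['value'])
            sev, why = classify(path)
            findings.append(Finding(hive, m['name'], path, sev, why, False))
    findings.sort(key=lambda f: RANK[f.severity])   # stable: log order kept within a tier
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        flag = ' (orphan, already removed)' if f.orphan else ''
        print(f'{f.severity:6} {f.hive}\\Run\\{f.name}: {f.path} -> {f.reason}{flag}')
```

Run it and `goimes` comes out on top as an orphan HKCU Run value pointing straight into the profile root, while the vendor entries under Program Files and Windows drop to the bottom; `AdwarePro\StartApp.exe` scores low on location alone, which is the limit of a path-only heuristic and the reason the helper still sends the poster through MBAM and ESET afterwards.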

#6 Raktor

  • Group: Member
  • Posts: 268
  • Joined: 30-August 09

Posted 28 October 2009 - 05:03 PM

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

Quote

http://www.geekstogo...rm-t256539.html

Suspect::[88]
c:\windows\system32\drivers\pxscan.sys
c:\windows\system32\drivers\pxsec.sys

FCopy::
c:\windows\ServicePackFiles\i386\eventlog.dll | c:\windows\system32\eventlog.dll


Save this as "CFScript.txt", and as Type: All Files (*.*) in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
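The Sigcheck block in the log above reports `c:\windows\system32\eventlog.dll` missing while listing two known-good copies with their MD5, size and file version, and the `FCopy::` line in this post restores the Service Pack 3 copy from `ServicePackFiles\i386`. As an added example (my code, not ComboFix's and not part of the thread), the script below parses that block into a reference table, checks a candidate file against it, and chooses the restore source the same way the helper did: the newest known-good build wins. The Sigcheck lines are copied from the posted log; `parse_sigcheck`, `check_bytes`, `check_file`, `plan_restore` and the "newest version" rule are this example's assumptions. MD5 is acceptable here only because the comparison is against a trusted reference table on the same machine; for any new integrity baseline, record SHA-256.

```python
import hashlib
import os
import re
from dataclasses import dataclass

# Constructed input: the Sigcheck block copied verbatim from the ComboFix log above.
SIGCHECK_BLOCK = r'''
------- Sigcheck -------

[7] 2008-04-14 . 6D4FEB43EE538FC5428CC7F0565AA656 . 56320 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\eventlog.dll
[7] 2004-08-04 . 82B24CB70E5944E6E34662205A2A5B78 . 55808 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\eventlog.dll

c:\windows\system32\eventlog.dll ... is missing !!
'''

# "[n] date . MD5 . size . . [version] . . path"
REF_LINE = re.compile(
    r'^\[\d+\]\s+(?P<date>\d{4}-\d{2}-\d{2})\s+\.\s+(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+(?P<size>\d+)'
    r'\s+\.\s+\.\s+\[(?P<version>[\d.]+)\]\s+\.\s+\.\s+(?P<path>\S.*?)\s*$')
MISSING_LINE = re.compile(r'^(?P<path>\S.*?)\s+\.\.\.\s+is missing\s*!!\s*$')


@dataclass(frozen=True)
class Reference:
    md5: str          # upper-case hex, as ComboFix prints it
    size: int
    version: tuple    # e.g. (5, 1, 2600, 5512)
    path: str         # where the known-good copy lives


def parse_sigcheck(block):
    """Return (known-good references, paths reported missing)."""
    refs, missing = [], []
    for line in block.splitlines():
        line = line.strip()
        m = REF_LINE.match(line)
        if m:
            refs.append(Reference(m['md5'].upper(), int(m['size']),
                                  tuple(int(x) for x in m['version'].split('.')), m['path']))
            continue
        m = MISSING_LINE.match(line)
        if m:
            missing.append(m['path'])
    return refs, missing


def check_bytes(data, refs):
    """('match', Reference) when MD5 and size both agree with a reference, else ('mismatch', md5)."""
    digest = hashlib.md5(data).hexdigest().upper()
    for ref in refs:
        if ref.md5 == digest and ref.size == len(data):
            return 'match', ref
    return 'mismatch', digest


def check_file(path, refs):
    """Like check_bytes, but ('missing', None) when the file is absent, as Sigcheck reported."""
    if not os.path.isfile(path):
        return 'missing', None
    with open(path, 'rb') as f:
        return check_bytes(f.read(), refs)


def plan_restore(refs):
    """Source for an FCopy:: line: the newest known-good build (the SP3 copy in this log)."""
    return max(refs, key=lambda r: r.version).path if refs else None


if __name__ == '__main__':
    refs, missing = parse_sigcheck(SIGCHECK_BLOCK)
    for ref in refs:
        print('reference', '.'.join(map(str, ref.version)), ref.size, ref.md5, ref.path)
    for path in missing:
        print(path, '->', check_file(path, refs)[0], '; restore from', plan_restore(refs))
```

After the restore, a re-check of `c:\windows\system32\eventlog.dll` should return a match on the 56320-byte 5.1.2600.5512 reference; a `mismatch` on a file that is present is the more interesting result, since it means the copy on disk is neither the SP3 nor the SP2 build and deserves a closer look rather than a blind overwrite.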

#7 PaprikaNoctis

  • Group: Member
  • Posts: 11
  • Joined: 25-October 09

Posted 29 October 2009 - 05:10 AM

ComboFix 09-10-28.06 - HP 29/10/2009 21:55.3.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.61.1033.18.1015.582 [GMT 10.5:30]
Running from: c:\documents and settings\HP\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\HP\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

file zipped: c:\windows\system32\drivers\pxscan.sys
file zipped: c:\windows\system32\drivers\pxsec.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
--------------- FCopy ---------------

c:\windows\ServicePackFiles\i386\eventlog.dll --> c:\windows\system32\eventlog.dll
.
((((((((((((((((((((((((( Files Created from 2009-09-28 to 2009-10-29 )))))))))))))))))))))))))))))))
.

2009-10-29 11:14 . 2008-04-14 00:11 56320 -c--a-w- c:\windows\system32\dllcache\eventlog.dll
2009-10-29 11:14 . 2008-04-14 00:11 56320 ----a-w- c:\windows\system32\eventlog.dll
2009-10-21 16:12 . 2009-10-21 16:12 -------- d-----w- c:\documents and settings\LocalService\Application Data\WTablet
2009-10-21 14:36 . 2009-10-21 14:36 27656 ----a-w- c:\windows\system32\drivers\pxsec.sys
2009-10-21 14:36 . 2009-10-21 14:36 22024 ----a-w- c:\windows\system32\drivers\pxscan.sys
2009-10-21 14:35 . 2009-10-21 14:35 -------- d-----w- c:\program files\Prevx
2009-10-21 14:35 . 2009-10-28 13:28 -------- d-----w- c:\documents and settings\All Users\Application Data\PrevxCSI
2009-10-18 08:22 . 2009-10-18 08:22 -------- d-----w- c:\documents and settings\All Users\Application Data\pI3demoLicense
2009-10-18 08:22 . 2009-10-18 13:29 -------- d-----w- c:\program files\particleIllusion 3.0 demo
2009-10-07 01:45 . 1980-01-03 13:47 -------- d-----w- C:\$AVG8.VAULT$
2009-10-01 00:30 . 2009-10-01 00:36 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-10-01 00:30 . 2009-10-01 00:36 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-10-01 00:30 . 2009-10-01 00:36 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-10-01 00:30 . 2009-10-01 00:36 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-10-01 00:30 . 1980-01-03 13:37 -------- d-----w- c:\windows\system32\drivers\Avg
2009-10-01 00:30 . 2009-10-01 00:30 -------- d-----w- c:\program files\AVG
2009-10-01 00:30 . 2009-10-01 00:30 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-10-01 00:20 . 2009-10-01 00:20 -------- d-----w- c:\documents and settings\HP\Application Data\AVG8
2009-09-29 13:44 . 2009-09-29 13:44 -------- d-----w- c:\windows\system32\wbem\Repository
2009-09-29 13:43 . 2009-09-29 13:43 -------- d-----w- c:\documents and settings\HP\Application Data\Apple Computer

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-14 13:44 . 2008-09-17 13:06 31001 ----a-w- c:\windows\nsreg.dat
2009-10-01 02:18 . 2008-05-08 02:48 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-25 05:37 . 2004-08-04 12:00 667136 ------w- c:\windows\system32\wininet.dll
2009-09-25 05:37 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-09-11 14:18 . 2004-08-04 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-30 14:46 . 2009-08-30 14:46 -------- d-----w- c:\documents and settings\HP\Application Data\Smith Micro
2009-08-30 14:46 . 2009-08-30 14:46 -------- d-----w- c:\program files\Smith Micro
2009-08-26 08:00 . 2004-08-04 12:00 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-06 09:54 . 2008-05-08 02:15 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-06 09:54 . 2008-05-08 02:15 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-06 09:54 . 2008-05-08 02:15 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-06 09:54 . 2007-07-30 09:19 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-06 09:54 . 2008-05-08 02:15 53472 ------w- c:\windows\system32\wuauclt.exe
2009-08-06 09:54 . 2004-08-04 12:00 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-06 09:53 . 2008-05-08 02:15 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-06 09:53 . 2008-05-08 02:15 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-05 09:01 . 2004-08-04 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 15:13 . 2004-08-04 12:00 2145280 ------w- c:\windows\system32\ntoskrnl.exe
2009-08-04 14:20 . 2004-08-03 22:59 2023936 ------w- c:\windows\system32\ntkrnlpa.exe
2006-05-03 09:06 . 2009-06-15 10:04 163328 --sh--r- c:\windows\system32\flvDX.dll
2007-02-21 10:47 . 2009-06-15 10:04 31232 --sh--r- c:\windows\system32\msfDX.dll
2008-03-16 12:30 . 2009-06-15 10:04 216064 --sh--r- c:\windows\system32\nbDX.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-08-06 04:20 279944 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-08-06 279944]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-08-06 279944]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 5.0\apdproxy.exe" [2006-09-13 61440]
"smapp"="c:\program files\Analog Devices\SoundMAX\SMTray.exe" [2003-05-04 143360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk.disabled [2009-4-13 1833]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe
"ctfmon.exe"=c:\windows\system32\ctfmon.exe
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" /background
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 5.0\apdproxy.exe"
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
"DrvLsnr"=c:\program files\Analog Devices\SoundMAX\DrvLsnr.exe
"AVG8_TRAY"=c:\progra~1\AVG\AVG8\avgtray.exe
"igfxhkcmd"=c:\windows\system32\hkcmd.exe
"igfxpers"=c:\windows\system32\igfxpers.exe
"igfxtray"=c:\windows\system32\igfxtray.exe
"Smapp"=c:\program files\Analog Devices\SoundMAX\SMTray.exe
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [22/01/2009 3:39 PM 64160]
R0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys [22/10/2009 1:06 AM 22024]
R0 pxsec;pxsec;c:\windows\system32\drivers\pxsec.sys [22/10/2009 1:06 AM 27656]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [1/10/2009 11:00 AM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [1/10/2009 11:00 AM 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [1/10/2009 11:06 AM 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [1/10/2009 11:06 AM 297752]
R2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [9/10/2008 1:07 AM 1373480]
S2 CSIScanner;CSIScanner;c:\program files\Prevx\prevx.exe [22/10/2009 1:05 AM 4368952]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - CLASSPNP_2
*NewlyCreated* - PCIIDEX_2
*Deregistered* - CLASSPNP_2
*Deregistered* - mbr
*Deregistered* - PCIIDEX_2
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\HP\Start Menu\Programs\IMVU\Run IMVU.lnk
FF - ProfilePath - c:\documents and settings\HP\Application Data\Mozilla\Firefox\Profiles\wx7m5t7c.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.au/
FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=13157&gct=&gc=1&q=
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\HP\Local Settings\Application Data\Yahoo!\BrowserPlus\2.4.17\Plugins\npybrowserplus_2.4.17.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\npaudio.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\npavi32.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\npdrmv2.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\npdsplay.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\nphcd32.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\npnul32.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\npqtplugin.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\npqtplugin2.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\npqtplugin3.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\npqtplugin4.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\npqtplugin5.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\npqtplugin6.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\npqtplugin7.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\npswf32.dll
FF - plugin: c:\program files\Netscape\Communicator\Program\Plugins\npwmsdrm.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-29 21:58
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3336)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-10-29 22:00
ComboFix-quarantined-files.txt 2009-10-29 11:30
ComboFix2.txt 2009-10-29 11:22

Pre-Run: 23,312,355,328 bytes free
Post-Run: 23,302,459,392 bytes free

- - End Of File - - 66D81B8BA2FA945A7E66D63624ED7084
Upload was successful

#8 Raktor

  • Group: Member
  • Posts: 268
  • Joined: 30-August 09

Posted 30 October 2009 - 05:22 PM

1) Update Adobe
Your current version of Adobe Reader is out of date, and may contain security issues. Please uninstall the version you have now from Add/Remove programs, and then download and install the latest Adobe Reader.

2) Update Java
Your version of Java is outdated.

Please download JavaRa to your desktop and unzip it to its own folder

Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
Accept any prompts.
Open JavaRa.exe again and select Search For Updates.
Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.

3) MBAM
Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected .
  • When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
  • Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.


4) ESET
You can use either Internet Explorer or Mozilla Firefox for this scan.

  • Please go here then click on: Posted Image

    Quote

    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted, then double click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla Firefox.

  • Select the option YES, I accept the Terms of Use then click on: Posted Image
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:

    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology

  • Now click on: Posted Image
  • The virus signature database... will begin to download. Be patient; this may take some time depending on the speed of your Internet connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed, select Uninstall application on close if you so wish, but make sure you copy the logfile first!
  • Now click on: Posted Image
  • Use Notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.


5) What You Will Need To Post:
  • MBAM log
  • ESET log


#9 PaprikaNoctis

  • Group: Member
  • Posts: 11
  • Joined: 25-October 09

Posted 31 October 2009 - 11:41 PM

MBAM:

Malwarebytes' Anti-Malware 1.41
Database version: 3074
Windows 5.1.2600 Service Pack 3

4/01/1980 1:02:11 AM
mbam-log-1980-01-04 (01-02-11).txt

Scan type: Quick Scan
Objects scanned: 91888
Time elapsed: 3 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)





ESET:

C:\Qoobox\Quarantine\C\Documents and Settings\HP\goimes.exe.vir Win32/AutoRun.VB.GV worm
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\atapi.sys.vir Win32/Olmarik.OF virus
C:\System Volume Information\_restore{74E1BC7A-EDC4-4D49-8B72-1149E2CA01BD}\RP270\A0032764.exe Win32/AutoRun.VB.GV worm

Sorry I couldn't update java.

My internet explorer isn't working.

When I clicked on the Open Webpage button an Internet Explorer message box popped up saying Internet Explorer has encountered a problem and needs to close.
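The three ESET lines above can be triaged mechanically: a .vir copy under the ComboFix quarantine is already disarmed, a copy inside a System Restore point only comes back if that point is restored, and a detection whose original home was system32\drivers (atapi.sys here) is a kernel driver rather than an ordinary file. The Python below is an added example, not part of this thread or of any tool used in it; the only input is the three log lines posted above, embedded as constructed sample data.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the three ESET lines posted above, format "<path> <threat> <kind>".
ESET_LOG = r"""
C:\Qoobox\Quarantine\C\Documents and Settings\HP\goimes.exe.vir Win32/AutoRun.VB.GV worm
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\atapi.sys.vir Win32/Olmarik.OF virus
C:\System Volume Information\_restore{74E1BC7A-EDC4-4D49-8B72-1149E2CA01BD}\RP270\A0032764.exe Win32/AutoRun.VB.GV worm
"""

QUARANTINE = r"C:\Qoobox\Quarantine"   # ComboFix quarantine; ".vir" files are disarmed copies
RESTORE_RE = re.compile(r"\\System Volume Information\\_restore\{[^}]+\}\\RP\d+\\", re.I)

@dataclass
class Detection:
    path: str            # where ESET found the file
    threat: str          # ESET detection name, e.g. Win32/Olmarik.OF
    kind: str            # worm / virus / trojan ...
    location: str        # "quarantine", "restore_point" or "live"
    original: str        # reconstructed original path for quarantined files
    kernel_driver: bool  # original location was under system32\drivers

def classify(line: str) -> Detection:
    path, threat, kind = line.rsplit(" ", 2)   # split from the right: paths may contain spaces
    if path.lower().startswith(QUARANTINE.lower()):
        location = "quarantine"
        # C:\Qoobox\Quarantine\C\foo.vir  ->  C:\foo
        original = path[len(QUARANTINE):]
        original = re.sub(r"^\\([A-Za-z])\\", r"\1:\\", original)
        original = re.sub(r"\.vir$", "", original, flags=re.I)
    elif RESTORE_RE.search(path):
        location = "restore_point"   # inert until System Restore is used; flush points after cleanup
        original = path
    else:
        location = "live"
        original = path
    kernel = bool(re.search(r"\\system32\\drivers\\[^\\]+\.sys$", original, re.I))
    return Detection(path, threat, kind, location, original, kernel)

def parse_log(text: str) -> list[Detection]:
    return [classify(l.strip()) for l in text.splitlines() if l.strip()]

def still_present(dets: list[Detection]) -> list[Detection]:
    """Detections that are not already neutralised in quarantine."""
    return [d for d in dets if d.location != "quarantine"]

if __name__ == "__main__":
    for d in parse_log(ESET_LOG):
        print(d.location, d.threat, d.original, "KERNEL DRIVER" if d.kernel_driver else "")
```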

#10 Raktor

  • Group: Member
  • Posts: 268
  • Joined: 30-August 09

Posted 01 November 2009 - 02:16 AM

  • Please download Dial-A-Fix from one of the following mirrors:
  • Extract the zip file to your desktop.
  • Double click Dial-a-Fix.exe to start the program.
  • Press the green double checkmark box (Looks like this: Posted Image)
  • UNcheck Empty Temp Folders, as well as Adjust Time/Date in the prep section. The prep section should then look like this:

  • Click on go
  • Exit/Close Dial-A-Fix


Reboot, and see if that solves your internet issues.

#11 PaprikaNoctis

  • Group: Member
  • Posts: 11
  • Joined: 25-October 09

Posted 02 November 2009 - 01:46 AM

I downloaded Dial-A-Fix and ran the program, but Internet Explorer is still not running.
I've also been meaning to ask, is it ok to use the computer to surf the web, type up documents, use the Wacom and such?
I've been keeping it off most of the time since it got that worm.

#12 Raktor

  • Group: Member
  • Posts: 268
  • Joined: 30-August 09

Posted 03 November 2009 - 11:22 PM

Yes, you can use the computer - preferably not on the internet if possible.

I'm still researching your Internet Explorer issue, I will get back to you as soon as possible.

#13 PaprikaNoctis

  • Group: Member
  • Posts: 11
  • Joined: 25-October 09

Posted 04 November 2009 - 08:03 AM

Thank-you. :)

#14 Raktor

  • Group: Member
  • Posts: 268
  • Joined: 30-August 09

Posted 05 November 2009 - 05:58 AM

Please follow the step by step instructions at the below link, and let me know how you go.
http://support.micro.../gp/pc_ie_intro

#15 PaprikaNoctis

  • Group: Member
  • Posts: 11
  • Joined: 25-October 09

Posted 07 November 2009 - 09:35 PM

No luck :)
Internet Explorer still not working it just keeps saying it has encountered a problem and needs to close.
It does keep asking me, though, if I'd like to send an error report to Microsoft. I tried it a few times and it didn't help, but would it help if I posted what the error report says?
