gaopdxserv.sys

gaopdxserv.sys

Post by Sir $wat on Mon May 18, 2009 2:02 am

I checked device manager today and found this with an exclamation mark next to it.

I googled it and they said it's a virus.

Is it? How to remove?

Re: gaopdxserv.sys

Post by Origin on Mon May 18, 2009 2:19 am

Yes, it is malware; gaopdxserv.sys is the latest version of the CLB rootkit. Let's remove it:


1. Please download The Avenger by Swandog46 to your Desktop.
Link: [You must be registered and logged in to see this link.] or [You must be registered and logged in to see this link.].

  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop

Note: This tool was posted specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


2. Now, start The Avenger program by clicking on its icon on your desktop.

  • Leave the script box empty.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
3. Please copy/paste the content of c:\avenger.txt into your reply.

Re: gaopdxserv.sys

Post by Belahzur on Mon May 18, 2009 2:36 am

Moved to malware removal.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.

Re: gaopdxserv.sys

Post by Sir $wat on Mon May 18, 2009 10:37 am

Logfile of The Avenger Version 2.0, (c) by Swandog46
[You must be registered and logged in to see this link.]

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Completed script processing.

*******************

Finished! Terminate.

Re: gaopdxserv.sys

Post by Origin on Mon May 18, 2009 11:43 pm


  • Download ComboFix from here:
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • We need to disable your local AV (anti-virus) before running ComboFix.
  • See [You must be registered and logged in to see this link.] for how to disable your AV.
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.**

  • The Recovery Console provides a recovery/repair mode should a problem occur during a ComboFix run.
  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan; select Yes.
  • Allow ComboFix to run.
  • Post C:\combofix.txt back here.

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Re: gaopdxserv.sys

Post by Sir $wat on Tue May 19, 2009 3:01 am

ComboFix 09-05-18.02 - Sir $wat 05/18/2009 22:51.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.959.514 [GMT -7:00]
Running from: c:\documents and settings\Sir $wat\My Documents\Downloads\Programs\ComboFix.exe
AV: avast! antivirus 4.8.1335 [VPS 090518-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\setting.ini
c:\windows\system32\win32.dll

.
((((((((((((((((((((((((( Files Created from 2009-04-19 to 2009-05-19 )))))))))))))))))))))))))))))))
.

2009-05-17 04:16 . 2009-05-17 04:16 -------- d-----w c:\program files\Photoshop 6.0.1
2009-05-16 15:35 . 2009-05-16 15:35 -------- d-----w c:\windows\Icons
2009-05-14 07:24 . 2009-05-16 15:40 -------- d-----w c:\program files\Button Studio
2009-05-14 07:24 . 1999-03-23 16:12 299520 ----a-w c:\windows\uninst.exe
2009-05-05 07:38 . 2009-05-05 07:38 56 ---ha-w c:\windows\system32\ezsidmv.dat
2009-05-05 07:38 . 2009-05-16 21:46 -------- d-----w c:\documents and settings\Sir $wat\Application Data\skypePM
2009-05-05 07:37 . 2009-05-16 21:47 -------- d-----w c:\documents and settings\Sir $wat\Application Data\Skype
2009-05-05 07:37 . 2009-05-05 07:37 -------- d-----w c:\program files\Common Files\Skype
2009-05-05 07:37 . 2009-05-05 07:37 -------- d-----r c:\program files\Skype
2009-05-05 07:36 . 2009-05-05 07:37 -------- d-----w c:\documents and settings\All Users\Application Data\Skype
2009-05-02 19:04 . 2009-05-02 19:26 -------- d-----w c:\program files\NBA 2008
2009-04-26 16:55 . 2009-04-26 16:55 -------- d-----w c:\program files\MSECache
2009-04-21 05:24 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-21 05:24 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-21 05:24 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe
2009-04-21 05:24 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-21 05:24 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-21 05:24 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-21 05:24 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-21 05:24 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-21 05:24 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-19 05:25 . 2009-04-09 04:50 -------- d-----w c:\program files\Trillian
2009-05-19 03:57 . 2009-03-15 16:26 -------- d-----w c:\program files\Mozilla Firefox 3.1 Beta 3
2009-05-17 00:50 . 2009-01-11 07:02 -------- d-----w c:\program files\Common Files\Adobe
2009-05-05 02:43 . 2009-04-03 03:58 -------- d-----w c:\program files\VirtualDJ
2009-05-01 15:38 . 2008-12-12 03:15 47416 ----a-w c:\documents and settings\Sir $wat\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-05 16:39 . 2009-04-05 16:39 -------- d-----w c:\program files\MP3 Cutter
2009-04-05 08:47 . 2009-04-05 04:04 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-05 04:19 . 2009-04-04 22:37 -------- d-----w c:\program files\The KMPlayer
2009-04-02 14:07 . 2009-04-02 14:07 0 ---ha-w c:\windows\system32\drivers\Msft_Kernel_motmodem_01005.Wdf
2009-04-02 14:07 . 2009-04-02 14:07 0 ---ha-w c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-04-02 14:05 . 2009-04-02 14:05 -------- d-----w c:\program files\WIDCOMM
2009-04-02 13:48 . 2009-04-02 13:40 -------- d-----w c:\program files\Avanquest update
2009-04-02 13:40 . 2008-12-11 23:23 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-02 13:39 . 2009-04-02 13:38 -------- d-----w c:\program files\Motorola Phone Tools
2009-04-02 13:38 . 2009-04-02 13:38 24192 ----a-w c:\documents and settings\Sir $wat\usbsermptxp.sys
2009-04-02 13:38 . 2009-04-02 13:38 22768 ----a-w c:\documents and settings\Sir $wat\usbsermpt.sys
2009-04-02 03:03 . 2009-04-02 03:03 2560 ----a-w c:\windows\_MSRSTRT.EXE
2009-04-02 03:03 . 2009-03-31 13:49 -------- d-----w c:\program files\Common Files\Agnitum Shared
2009-03-26 23:49 . 2009-04-05 04:04 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-26 23:49 . 2009-04-05 04:04 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-03-06 14:22 . 2004-08-04 07:56 284160 ----a-w c:\windows\system32\pdh.dll
2009-02-20 08:10 . 2004-08-04 07:56 666112 ----a-w c:\windows\system32\wininet.dll
2009-02-20 08:10 . 2004-08-04 07:56 81920 ----a-w c:\windows\system32\ieencode.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-31 7634944]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-10-17 16855552]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^RtlWake.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\RtlWake.lnk
backup=c:\windows\pss\RtlWake.lnkCommon Startup

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
"OM_Monitor"=c:\program files\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart
"Google Update"="c:\documents and settings\Sir $wat\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
"IDMan"=c:\program files\Internet Download Manager\IDMan.exe /onboot

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"USB Antivirus"=c:\program files\USB Disk Security\USBGuard.exe
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
"OM_Monitor"=c:\program files\OLYMPUS\OLYMPUS Master\FirstStart.exe
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
"Malwarebytes Piracy"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" /piracy

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\NVIDIA Corporation\\NetworkAccessManager\\Apache Group\\Apache2\\bin\\Apache.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [3/14/2009 10:22 Dre 114768]
R1 BIOS;BIOS;c:\windows\system32\drivers\BIOS.sys [12/11/2008 4:32 Dre 13696]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [3/14/2009 10:22 Dre 20560]
R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [12/11/2008 9:49 Dre 8849]
R2 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;c:\windows\system32\TUProgSt.exe [12/16/2008 12:35 Dre 603904]
S3 ICAM3NT5;Intel USB Video Camera III;c:\windows\system32\drivers\Icam3.sys [2/13/2009 11:11 Dre 141056]
S3 pctplsg;pctplsg;\??\c:\windows\system32\drivers\pctplsg.sys --> c:\windows\system32\drivers\pctplsg.sys [?]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder

2009-05-19 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2009\OneClickStarter.exe [2008-11-21 00:28]

2009-05-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1390067357-1788223648-725345543-1003.job
- c:\documents and settings\Sir $wat\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-12 04:40]

2009-05-19 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-04-06 05:18]
.
.
------- Supplementary Scan -------
.
mStart Page = [You must be registered and logged in to see this link.]
mWindow Title = Microsoft Internet Explorer
IE: Download all links with IDM - c:\program files\Internet Download Manager\IEGetAll.htm
IE: Download FLV video content with IDM - c:\program files\Internet Download Manager\IEGetVL.htm
IE: Download with IDM - c:\program files\Internet Download Manager\IEExt.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
IE: Send To &Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
TCP: {4A260BB3-EAE3-40C9-A254-7E0C4C77F8F1} = 190.80.16.3 190.80.16.4
FF - ProfilePath - c:\documents and settings\Sir $wat\Application Data\Mozilla\Firefox\Profiles\kfi70utn.default\
FF - component: c:\documents and settings\Sir $wat\Application Data\IDM\idmmzcc2\components\idmmzcc.dll
FF - component: c:\program files\Mozilla Firefox 3.1 Beta 3\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\documents and settings\Sir $wat\Local Settings\Application Data\Google\Update\1.2.145.5\npGoogleOneClick8.dll

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 750
FF - user.js: content.notify.interval - 750000
FF - user.js: content.max.tokenizing.time - 2250000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-05-18 22:52
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):13,39,10,46,01,a4,a5,49,4b,2f,bd,de,a1,ea,9d,ef,b5,1e,ab,ed,33,
9c,41,72,de,43,3e,65,7d,b4,a7,f3,bf,a0,ec,da,c5,0e,1f,9a,00,00,00,00,00,00,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{d3b39c5d-82bd-4b47-a23d-88e41ffc4745}]
@Denied: (Full) (Everyone)
"Model"=dword:00000056
"Therad"=dword:00000009
"MData"=hex(0):73,d5,cf,b8,a4,07,89,80,31,e4,35,6b,2a,ca,fe,43,87,35,5f,72,af,
b6,b8,f9,05,98,32,02,34,2b,da,61,08,fc,27,32,1a,9c,31,5d,71,20,d1,fe,f4,af,\
.
Completion time: 2009-05-19 22:53
ComboFix-quarantined-files.txt 2009-05-19 05:53

Pre-Run: 125,821,865,984 bytes free
Post-Run: 125,813,420,032 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptOut

175 --- E O F --- 2009-05-14 07:28

Re: gaopdxserv.sys

Post by Sir $wat on Wed May 20, 2009 12:48 am

Don't forget about this please... because I noticed that it's still on the other page...

Just reminding you guys in case you forget about it.

Thanks

Re: gaopdxserv.sys

Post by Origin on Wed May 20, 2009 1:30 am

Don't worry, I check my posts every day to ensure I didn't miss any.


I see that you are running Limewire.
P2P (peer-to-peer) applications are designed to help you easily share and distribute files between you and a group of people. But they can also be used to distribute malware, and thus are not considered safe.
The removal of these programs is optional, but highly recommended.

If Limewire is not removed, then I won't help you.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs.

  • Limewire 4.18.8

Please close all anti virus, anti malware and any other open programs/windows so they do not interfere with the running of RootRepeal.

  • Please download RootRepeal.zip from [You must be registered and logged in to see this link.].
  • Extract the program file to your Desktop.
  • Run the program RootRepeal.exe and go to the Report tab and click on the Scan button.
  • Select ALL of the checkboxes and then click OK and it will start scanning your system.

  • If you have multiple drives you only need to check the C: drive or the one Windows is installed on.
  • When done, click on Save Report
  • Save it to the Desktop.
  • Please copy/paste the contents of the report in your next reply.

Re: gaopdxserv.sys

Post by Sir $wat on Wed May 20, 2009 2:16 am

I tried running this scan twice and on both occasions the computer just restarted by itself. I don't think the scan was completed since I was unable to save the report.

Alternative??

Re: gaopdxserv.sys

Post by Origin on Wed May 20, 2009 2:20 am


  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • Double click DDS.scr to run.
  • When complete, two logs will open. Save both reports to your Desktop.
  • Copy and paste DDS.txt back here; I don't need to see attach.txt.

Re: gaopdxserv.sys

Post by Sir $wat on Wed May 20, 2009 2:33 am

DDS (Ver_09-05-14.01) - NTFSx86
Run by Sir $wat at 22:32:20.45 on Tue 05/19/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.959.511 [GMT -7:00]

AV: avast! antivirus 4.8.1335 [VPS 090519-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\TUProgSt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Mozilla Firefox 3.1 Beta 3\firefox.exe
C:\Documents and Settings\Sir $wat\Desktop\dds.scr

============== Pseudo HJT Report ===============

mStart Page = [You must be registered and logged in to see this link.]
mWindow Title = Microsoft Internet Explorer
BHO: IDMIEHlprObj Class: {0055c089-8582-441b-a0bf-17b458c2a3a8} - c:\program files\internet download manager\IDMIECC.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {2C688203-7EB3-4327-9995-1CB417BA23F9} - No File
TB: {23B0D39A-E245-41B7-BF86-1238CF62625E} - No File
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
IE: Download all links with IDM - c:\program files\internet download manager\IEGetAll.htm
IE: Download FLV video content with IDM - c:\program files\internet download manager\IEGetVL.htm
IE: Download with IDM - c:\program files\internet download manager\IEExt.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: Send To &Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
TCP: {4A260BB3-EAE3-40C9-A254-7E0C4C77F8F1} = 190.80.16.3 190.80.16.4
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\sir$wa~1\applic~1\mozilla\firefox\profiles\kfi70utn.default\
FF - component: c:\documents and settings\sir $wat\application data\idm\idmmzcc2\components\idmmzcc.dll
FF - plugin: c:\documents and settings\sir $wat\local settings\application data\google\update\1.2.145.5\npGoogleOneClick8.dll

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 750
FF - user.js: content.notify.interval - 750000
FF - user.js: content.max.tokenizing.time - 2250000

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-3-14 114768]
R1 BIOS;BIOS;c:\windows\system32\drivers\BIOS.sys [2008-12-11 13696]
R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-9-10 611664]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-3-14 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-3-14 138680]
R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [2008-12-11 8849]
R2 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;c:\windows\system32\TUProgSt.exe [2008-12-16 603904]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-3-14 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-3-14 352920]
S3 ICAM3NT5;Intel USB Video Camera III;c:\windows\system32\drivers\Icam3.sys [2009-2-13 141056]
S3 pctplsg;pctplsg;\??\c:\windows\system32\drivers\pctplsg.sys --> c:\windows\system32\drivers\pctplsg.sys [?]
S3 rootrepeal;rootrepeal;\??\c:\windows\system32\drivers\rootrepeal.sys --> c:\windows\system32\drivers\rootrepeal.sys [?]

=============== Created Last 30 ================

2009-05-18 22:51 a-dshr-- C:\cmdcons
2009-05-18 21:22 161,792 a------- c:\windows\SWREG.exe
2009-05-18 21:22 98,816 a------- c:\windows\sed.exe
2009-05-18 21:22 --d----- C:\ComboFix
2009-05-16 21:16 --d----- c:\program files\Photoshop 6.0.1
2009-05-16 08:35 --d----- c:\windows\Icons
2009-05-14 00:27 3,596 a------- c:\windows\system32\buttonstudio.ini
2009-05-14 00:24 4 a------- c:\windows\system32\bs10-32._dl
2009-05-14 00:24 --d----- c:\program files\Button Studio
2009-05-14 00:24 299,520 a------- c:\windows\uninst.exe
2009-05-05 00:38 56 a---h--- c:\windows\system32\ezsidmv.dat
2009-05-05 00:37 --d--r-- c:\program files\Skype
2009-05-02 12:04 --d----- c:\program files\NBA 2008
2009-04-26 09:55 --d----- c:\program files\MSECache
2009-04-20 22:24 729,088 -c------ c:\windows\system32\dllcache\lsasrv.dll
2009-04-20 22:24 617,472 -c------ c:\windows\system32\dllcache\advapi32.dll
2009-04-20 22:24 473,600 -c------ c:\windows\system32\dllcache\fastprox.dll
2009-04-20 22:24 453,120 -c------ c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-20 22:24 401,408 -c------ c:\windows\system32\dllcache\rpcss.dll
2009-04-20 22:24 284,160 -c------ c:\windows\system32\dllcache\pdh.dll
2009-04-20 22:24 227,840 -c------ c:\windows\system32\dllcache\wmiprvse.exe
2009-04-20 22:24 110,592 -c------ c:\windows\system32\dllcache\services.exe
2009-04-20 22:24 714,752 -c------ c:\windows\system32\dllcache\ntdll.dll

==================== Find3M ====================

2009-04-02 07:07 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_motmodem_01005.Wdf
2009-04-02 07:07 0 a---h--- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-04-02 06:38 24,192 a------- c:\documents and settings\sir $wat\usbsermptxp.sys
2009-04-02 06:38 22,768 a------- c:\documents and settings\sir $wat\usbsermpt.sys
2009-04-01 20:03 2,560 a------- c:\windows\_MSRSTRT.EXE
2009-03-26 16:49 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-26 16:49 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-06 07:22 284,160 a------- c:\windows\system32\pdh.dll
2009-02-20 01:10 666,112 a------- c:\windows\system32\wininet.dll
2009-02-20 01:10 81,920 a------- c:\windows\system32\ieencode.dll

============= FINISH: 22:32:41.70 ===============

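
The "SERVICES / DRIVERS" block of the DDS log above is what the helpers read to spot a driver whose registry entry survives after the file itself is gone: the lines ending in `--> ... [?]` mean DDS could not find the image on disk, and an orphaned entry of that kind is the sort of thing Device Manager keeps listing under hidden devices. As an added example that is not part of this thread and not code from the DDS or ComboFix tools, here is a small Python triage script for that log format. It parses each service line (ComboFix's service lines use the same layout with a different bracket), and flags entries whose file is missing, kernel drivers loaded from outside the drivers directory, and service names on a caller-supplied watchlist. The sample lines are copied from the DDS log in this thread; the drivers-directory path, the start-type labels and the rule names are my assumptions, not anything DDS defines.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# Service/driver lines copied from the DDS log posted in this thread.
SAMPLE_LOG = r"""
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-3-14 114768]
R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-9-10 611664]
S3 ICAM3NT5;Intel USB Video Camera III;c:\windows\system32\drivers\Icam3.sys [2009-2-13 141056]
S3 pctplsg;pctplsg;\??\c:\windows\system32\drivers\pctplsg.sys --> c:\windows\system32\drivers\pctplsg.sys [?]
S3 rootrepeal;rootrepeal;\??\c:\windows\system32\drivers\rootrepeal.sys --> c:\windows\system32\drivers\rootrepeal.sys [?]
"""

# Assumption: the leading letter is R (running) or S (stopped) and the digit is the
# Windows service start type. The labels below are the standard start-type names.
START_TYPES = {0: "boot", 1: "system", 2: "auto", 3: "demand", 4: "disabled"}

# Assumption: where kernel drivers normally live on this XP installation.
DRIVER_DIR = r"c:\windows\system32\drivers"

# "<state><start> <name>;<display name>;<image path ...> [<metadata>]"
LINE_RE = re.compile(r"^(?P<state>[RS])(?P<start>\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$")


@dataclass
class ServiceEntry:
    running: bool
    start_type: str
    name: str
    display: str
    raw_path: str      # path as written in the registry (may carry a \??\ prefix)
    image_path: str    # path after the "-->" arrow, i.e. where the tool looked for the file
    file_missing: bool  # DDS/ComboFix print "[?]" when the image file is not on disk
    meta: str          # the bracket contents (date and size when the file exists)


@dataclass
class Finding:
    service: str
    rule: str
    detail: str


def parse_services(text: str) -> List[ServiceEntry]:
    """Parse every DDS/ComboFix-style service line; lines in other formats are skipped."""
    entries: List[ServiceEntry] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rest = m.group("rest")
        path_part, sep, meta = rest.rpartition(" [")
        if not sep:                      # no bracket at all: treat the whole tail as the path
            path_part, meta = rest, ""
        meta = meta.rstrip("]")
        if " --> " in path_part:
            raw, resolved = path_part.split(" --> ", 1)
        else:
            raw = resolved = path_part
        entries.append(ServiceEntry(
            running=m.group("state") == "R",
            start_type=START_TYPES.get(int(m.group("start")), "unknown"),
            name=m.group("name"),
            display=m.group("display"),
            raw_path=raw,
            image_path=resolved,
            file_missing=(meta == "?"),
            meta=meta,
        ))
    return entries


def triage(entries: Iterable[ServiceEntry], watchlist: Iterable[str] = ()) -> List[Finding]:
    """Apply three defender-side checks to parsed entries and return what they flag."""
    wanted = {w.lower() for w in watchlist}
    findings: List[Finding] = []
    for e in entries:
        if e.name.lower() in wanted:
            findings.append(Finding(e.name, "watchlist",
                                    f"service name is on the watchlist (image: {e.image_path})"))
        if e.file_missing:
            findings.append(Finding(e.name, "missing-file",
                                    f"registry still points at {e.image_path} but the file is gone; "
                                    "an orphaned entry like this keeps showing in Device Manager"))
        elif e.image_path.lower().endswith(".sys") and not e.image_path.lower().startswith(DRIVER_DIR):
            findings.append(Finding(e.name, "driver-outside-drivers-dir",
                                    f"kernel driver loaded from an unusual location: {e.image_path}"))
    return findings


if __name__ == "__main__":
    for f in triage(parse_services(SAMPLE_LOG), watchlist=["gaopdxserv"]):
        print(f"{f.rule:28} {f.service:12} {f.detail}")
```

Run against the thread's own lines it reports `pctplsg` and `rootrepeal` as missing-file entries and nothing else, which matches what the helper concluded: the remaining problem was leftover registration, not a live driver. The watchlist rule is there because the original poster was specifically looking for `gaopdxserv`; a line naming it would be flagged even if the tool had been able to find the file.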
Re: gaopdxserv.sys

Post by Origin on Wed May 20, 2009 11:53 pm

Please download the [You must be registered and logged in to see this link.].

  • Save it to your desktop.
  • Please double-click OTMoveIt3.exe to run it.
  • Copy the bolded text below to the clipboard by highlighting ALL of it and pressing CTRL + C (or, after highlighting, right-click and choose Copy).


    :files
    c:\windows\sed.exe


  • Return to OTMoveIt3, right click in the "Paste instructions for items to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of it and pressing CTRL + C (or, after highlighting, right-click and choose Copy), and paste it in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post the OTMoveIt log.

Re: gaopdxserv.sys

Post by Sir $wat on Thu May 21, 2009 1:09 am

========== FILES ==========
c:\windows\sed.exe moved successfully.

OTMoveIt3 by OldTimer - Version 1.0.11.0 log created on 05202009_210856

Re: gaopdxserv.sys

Post by Origin on Thu May 21, 2009 1:15 am

How are things on your end?

Re: gaopdxserv.sys

Post by Sir $wat on Thu May 21, 2009 1:20 am

It's still showing in Device Manager under hidden devices.

Re: gaopdxserv.sys

Post by Origin on Thu May 21, 2009 1:23 am


  • Download ComboFix from here:
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • We need to disable your local AV (anti-virus) before running ComboFix.
  • See [You must be registered and logged in to see this link.] for how to disable your AV.
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.**

  • The Recovery Console provides a recovery/repair mode should a problem occur during a ComboFix run.
  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan; select Yes.
  • Allow ComboFix to run.
  • Post C:\combofix.txt back here.

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Re: gaopdxserv.sys

Post by Sir $wat on Thu May 21, 2009 1:39 am

ComboFix 09-05-18.02 - Sir $wat 05/20/2009 21:33.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.959.458 [GMT -7:00]
Running from: c:\documents and settings\Sir $wat\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1335 [VPS 090520-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((( Files Created from 2009-04-21 to 2009-05-21 )))))))))))))))))))))))))))))))
.

2009-05-21 04:08 . 2009-05-21 04:08 -------- d-----w C:\_OTMoveIt
2009-05-17 04:16 . 2009-05-17 04:16 -------- d-----w c:\program files\Photoshop 6.0.1
2009-05-16 15:35 . 2009-05-16 15:35 -------- d-----w c:\windows\Icons
2009-05-14 07:24 . 2009-05-16 15:40 -------- d-----w c:\program files\Button Studio
2009-05-14 07:24 . 1999-03-23 16:12 299520 ----a-w c:\windows\uninst.exe
2009-05-05 07:38 . 2009-05-05 07:38 56 ---ha-w c:\windows\system32\ezsidmv.dat
2009-05-05 07:38 . 2009-05-16 21:46 -------- d-----w c:\documents and settings\Sir $wat\Application Data\skypePM
2009-05-05 07:37 . 2009-05-16 21:47 -------- d-----w c:\documents and settings\Sir $wat\Application Data\Skype
2009-05-05 07:37 . 2009-05-05 07:37 -------- d-----w c:\program files\Common Files\Skype
2009-05-05 07:37 . 2009-05-05 07:37 -------- d-----r c:\program files\Skype
2009-05-05 07:36 . 2009-05-05 07:37 -------- d-----w c:\documents and settings\All Users\Application Data\Skype
2009-05-02 19:04 . 2009-05-02 19:26 -------- d-----w c:\program files\NBA 2008
2009-04-26 16:55 . 2009-04-26 16:55 -------- d-----w c:\program files\MSECache
2009-04-21 05:24 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-21 05:24 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-21 05:24 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe
2009-04-21 05:24 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-21 05:24 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-21 05:24 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-21 05:24 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-21 05:24 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-21 05:24 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-21 04:28 . 2009-04-09 04:50 -------- d-----w c:\program files\Trillian
2009-05-21 04:00 . 2009-03-15 16:26 -------- d-----w c:\program files\Mozilla Firefox 3.1 Beta 3
2009-05-17 00:50 . 2009-01-11 07:02 -------- d-----w c:\program files\Common Files\Adobe
2009-05-05 02:43 . 2009-04-03 03:58 -------- d-----w c:\program files\VirtualDJ
2009-05-01 15:38 . 2008-12-12 03:15 47416 ----a-w c:\documents and settings\Sir $wat\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-05 16:39 . 2009-04-05 16:39 -------- d-----w c:\program files\MP3 Cutter
2009-04-05 08:47 . 2009-04-05 04:04 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-05 04:19 . 2009-04-04 22:37 -------- d-----w c:\program files\The KMPlayer
2009-04-02 14:07 . 2009-04-02 14:07 0 ---ha-w c:\windows\system32\drivers\Msft_Kernel_motmodem_01005.Wdf
2009-04-02 14:07 . 2009-04-02 14:07 0 ---ha-w c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-04-02 14:05 . 2009-04-02 14:05 -------- d-----w c:\program files\WIDCOMM
2009-04-02 13:48 . 2009-04-02 13:40 -------- d-----w c:\program files\Avanquest update
2009-04-02 13:40 . 2008-12-11 23:23 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-02 13:39 . 2009-04-02 13:38 -------- d-----w c:\program files\Motorola Phone Tools
2009-04-02 13:38 . 2009-04-02 13:38 24192 ----a-w c:\documents and settings\Sir $wat\usbsermptxp.sys
2009-04-02 13:38 . 2009-04-02 13:38 22768 ----a-w c:\documents and settings\Sir $wat\usbsermpt.sys
2009-04-02 03:03 . 2009-04-02 03:03 2560 ----a-w c:\windows\_MSRSTRT.EXE
2009-04-02 03:03 . 2009-03-31 13:49 -------- d-----w c:\program files\Common Files\Agnitum Shared
2009-03-26 23:49 . 2009-04-05 04:04 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-26 23:49 . 2009-04-05 04:04 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-03-06 14:22 . 2004-08-04 07:56 284160 ----a-w c:\windows\system32\pdh.dll
2009-02-20 08:10 . 2004-08-04 07:56 666112 ----a-w c:\windows\system32\wininet.dll
2009-02-20 08:10 . 2004-08-04 07:56 81920 ----a-w c:\windows\system32\ieencode.dll
.

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-21 02:53 . 2009-05-21 02:53 16384 c:\windows\Temp\Perflib_Perfdata_748.dat
+ 2009-05-21 02:53 . 2009-05-21 02:53 16384 c:\windows\Temp\Perflib_Perfdata_36c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-31 7634944]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-10-17 16855552]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^RtlWake.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\RtlWake.lnk
backup=c:\windows\pss\RtlWake.lnkCommon Startup

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
"OM_Monitor"=c:\program files\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart
"Google Update"="c:\documents and settings\Sir $wat\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
"IDMan"=c:\program files\Internet Download Manager\IDMan.exe /onboot

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"USB Antivirus"=c:\program files\USB Disk Security\USBGuard.exe
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
"OM_Monitor"=c:\program files\OLYMPUS\OLYMPUS Master\FirstStart.exe
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
"Malwarebytes Piracy"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" /piracy

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\NVIDIA Corporation\\NetworkAccessManager\\Apache Group\\Apache2\\bin\\Apache.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [3/14/2009 10:22 Dre 114768]
R1 BIOS;BIOS;c:\windows\system32\drivers\BIOS.sys [12/11/2008 4:32 Dre 13696]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [3/14/2009 10:22 Dre 20560]
R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [12/11/2008 9:49 Dre 8849]
R2 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;c:\windows\system32\TUProgSt.exe [12/16/2008 12:35 Dre 603904]
S3 ICAM3NT5;Intel USB Video Camera III;c:\windows\system32\drivers\Icam3.sys [2/13/2009 11:11 Dre 141056]
S3 pctplsg;pctplsg;\??\c:\windows\system32\drivers\pctplsg.sys --> c:\windows\system32\drivers\pctplsg.sys [?]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder

2009-05-21 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2009\OneClickStarter.exe [2008-11-21 00:28]

2009-05-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1390067357-1788223648-725345543-1003.job
- c:\documents and settings\Sir $wat\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-12 04:40]

2009-05-21 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-04-06 05:18]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mStart Page = [You must be registered and logged in to see this link.]
mWindow Title = Microsoft Internet Explorer
IE: Download all links with IDM - c:\program files\Internet Download Manager\IEGetAll.htm
IE: Download FLV video content with IDM - c:\program files\Internet Download Manager\IEGetVL.htm
IE: Download with IDM - c:\program files\Internet Download Manager\IEExt.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
IE: Send To &Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
TCP: {4A260BB3-EAE3-40C9-A254-7E0C4C77F8F1} = 190.80.16.3 190.80.16.4
FF - ProfilePath - c:\documents and settings\Sir $wat\Application Data\Mozilla\Firefox\Profiles\kfi70utn.default\
FF - component: c:\documents and settings\Sir $wat\Application Data\IDM\idmmzcc2\components\idmmzcc.dll
FF - component: c:\program files\Mozilla Firefox 3.1 Beta 3\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\documents and settings\Sir $wat\Local Settings\Application Data\Google\Update\1.2.145.5\npGoogleOneClick8.dll

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 750
FF - user.js: content.notify.interval - 750000
FF - user.js: content.max.tokenizing.time - 2250000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-05-20 21:34
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):13,39,10,46,01,a4,a5,49,4b,2f,bd,de,a1,ea,9d,ef,b5,1e,ab,ed,33,
9c,41,72,de,43,3e,65,7d,b4,a7,f3,bf,a0,ec,da,c5,0e,1f,9a,00,00,00,00,00,00,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{d3b39c5d-82bd-4b47-a23d-88e41ffc4745}]
@Denied: (Full) (Everyone)
"Model"=dword:00000056
"Therad"=dword:00000009
"MData"=hex(0):73,d5,cf,b8,a4,07,89,80,31,e4,35,6b,2a,ca,fe,43,87,35,5f,72,af,
b6,b8,f9,05,98,32,02,34,2b,da,61,08,fc,27,32,1a,9c,31,5d,71,20,d1,fe,f4,af,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2244)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-05-21 21:36
ComboFix-quarantined-files.txt 2009-05-21 04:36

Pre-Run: 125,896,347,648 bytes free
Post-Run: 125,933,899,776 bytes free

175 --- E O F --- 2009-05-14 07:28




Sir $wat
Top Dog

Posts : 2078
Joined : 2008-08-16
Gender : Male
OS : Windows XP Professional SP3

Re: gaopdxserv.sys

Post by Origin on Thu May 21, 2009 11:53 pm


  • Download random's system information tool (RSIT) by random/random from [You must be registered and logged in to see this link.] and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<< will be maximized) and info.txt (<< will be minimized)

Origin
Master

Posts : 2685
Joined : 2009-05-05
Gender : Male
OS : Windows Xp Sp3

Re: gaopdxserv.sys

Post by Sir $wat on Fri May 22, 2009 10:25 am

Logfile of random's system information tool 1.06 (written by random/random)
Run by Sir $wat at 2009-05-22 06:24:13
Microsoft Windows XP Professional Service Pack 3
System drive C: has 121 GB (79%) free of 153 GB
Total RAM: 959 MB (57% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:24:24 Dre, on 5/22/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\TUProgSt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox 3.1 Beta 3\firefox.exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\Program Files\Internet Download Manager\IEMonitor.exe
C:\Documents and Settings\Sir $wat\My Documents\Downloads\Programs\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Sir $wat.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O8 - Extra context menu item: Download all links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{4A260BB3-EAE3-40C9-A254-7E0C4C77F8F1}: NameServer = 190.80.16.3 190.80.16.4
O17 - HKLM\System\CS1\Services\Tcpip\..\{4A260BB3-EAE3-40C9-A254-7E0C4C77F8F1}: NameServer = 190.80.16.3 190.80.16.4
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: TuneUp Program Statistics Service (TuneUp.ProgramStatisticsSvc) - TuneUp Software - C:\WINDOWS\System32\TUProgSt.exe

--
End of file - 6853 bytes




Sir $wat
Top Dog

Posts : 2078
Joined : 2008-08-16
Gender : Male
OS : Windows XP Professional SP3

Re: gaopdxserv.sys

Post by Sir $wat on Fri May 22, 2009 10:28 am

======Scheduled tasks folder======

C:\WINDOWS\tasks\1-Click Maintenance.job
C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1390067357-1788223648-725345543-1003.job
C:\WINDOWS\tasks\WGASetup.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}]
IDMIEHlprObj Class - C:\Program Files\Internet Download Manager\IDMIECC.dll [2009-01-22 161200]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2009-02-27 75128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
Windows Live Sign-in Helper - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-01-22 408448]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2006-10-30 7634944]
"avast!"=C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe [2009-02-05 81000]
"RTHDCPL"=C:\WINDOWS\RTHDCPL.EXE [2007-10-16 16855552]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
C:\WINDOWS\AGRSMMSG.exe [2005-06-29 88203]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ares]
C:\Program Files\Ares\Ares.exe -h []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe [2007-03-07 149040]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
C:\Documents and Settings\Sir $wat\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-11 133104]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe [2006-02-19 49152]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe [2008-04-13 1695232]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe [2007-03-07 161328]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
C:\WINDOWS\system32\NvMcTray.dll [2006-10-30 86016]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
C:\PROGRA~1\HP\DIGITA~1\bin\hpqtra08.exe [2006-02-19 288472]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^RtlWake.lnk]
C:\PROGRA~1\Realtek\Rtl8180\RtlWake.exe [2003-03-06 716800]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2008-09-06 241704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\aawservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{1a3e09be-1e45-494b-9174-d7385b45bbf5}]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=
"NoDrives"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\Apache.exe"="C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\Apache.exe:*:Enabled:Apache HTTP Server"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\Program Files\Java\jre6\bin\java.exe"="C:\Program Files\Java\jre6\bin\java.exe:*:Enabled:Java(TM) Platform SE binary"
"C:\Program Files\Microsoft Games\Age of Empires III\age3.exe"="C:\Program Files\Microsoft Games\Age of Empires III\age3.exe:*:Enabled:Age of Empires 3"
"C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe"="C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe:*:Enabled:EasyShare"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe"="C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Skype\Phone\Skype.exe"="C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe"="C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"

======List of files/folders created in the last 1 months======

2009-05-22 06:24:13 ----D---- C:\rsit
2009-05-21 11:16:10 ----SHD---- C:\RECYCLER
2009-05-20 21:36:08 ----A---- C:\ComboFix.txt
2009-05-20 21:33:10 ----A---- C:\WINDOWS\sed.exe
2009-05-20 21:08:56 ----D---- C:\_OTMoveIt
2009-05-19 21:41:17 ----D---- C:\WINDOWS\Minidump
2009-05-18 22:51:09 ----RASHD---- C:\cmdcons
2009-05-18 21:22:13 ----A---- C:\WINDOWS\zip.exe
2009-05-18 21:22:13 ----A---- C:\WINDOWS\vFind.exe
2009-05-18 21:22:13 ----A---- C:\WINDOWS\SWXCACLS.exe
2009-05-18 21:22:13 ----A---- C:\WINDOWS\SWSC.exe
2009-05-18 21:22:13 ----A---- C:\WINDOWS\SWREG.exe
2009-05-18 21:22:13 ----A---- C:\WINDOWS\NIRCMD.exe
2009-05-18 21:22:13 ----A---- C:\WINDOWS\grep.exe
2009-05-18 21:21:53 ----D---- C:\Qoobox
2009-05-18 21:03:56 ----D---- C:\WINDOWS\ERDNT
2009-05-16 21:16:07 ----D---- C:\Program Files\Photoshop 6.0.1
2009-05-16 08:35:44 ----D---- C:\WINDOWS\Icons
2009-05-14 00:27:24 ----A---- C:\WINDOWS\system32\buttonstudio.ini
2009-05-14 00:24:23 ----D---- C:\Program Files\Button Studio
2009-05-14 00:24:19 ----A---- C:\WINDOWS\uninst.exe
2009-05-05 00:38:32 ----D---- C:\Documents and Settings\Sir $wat\Application Data\skypePM
2009-05-05 00:37:19 ----D---- C:\Documents and Settings\Sir $wat\Application Data\Skype
2009-05-05 00:37:04 ----D---- C:\Program Files\Common Files\Skype
2009-05-05 00:37:01 ----RD---- C:\Program Files\Skype
2009-05-05 00:36:25 ----D---- C:\Documents and Settings\All Users\Application Data\Skype
2009-05-02 12:04:38 ----D---- C:\Program Files\NBA 2008
2009-05-02 08:06:01 ----HDC---- C:\WINDOWS\$NtUninstallKB961503$
2009-05-01 08:37:30 ----D---- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2009-04-26 09:55:12 ----D---- C:\Program Files\MSECache

======List of files/folders modified in the last 1 months======

2009-05-22 06:24:18 ----D---- C:\WINDOWS\Prefetch
2009-05-22 06:23:28 ----A---- C:\WINDOWS\ModemLog_Agere Systems PCI Soft Modem.txt
2009-05-22 06:21:16 ----D---- C:\Documents and Settings\Sir $wat\Application Data\DMCache
2009-05-22 06:20:33 ----D---- C:\WINDOWS\Temp
2009-05-22 06:18:52 ----D---- C:\Program Files\Mozilla Firefox 3.1 Beta 3
2009-05-21 23:53:20 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-05-21 22:36:03 ----D---- C:\WINDOWS\system32\CatRoot2
2009-05-21 22:35:57 ----D---- C:\WINDOWS\system32\config
2009-05-21 19:38:03 ----D---- C:\WINDOWS
2009-05-21 13:36:50 ----D---- C:\Downloads
2009-05-20 21:36:10 ----D---- C:\WINDOWS\system32
2009-05-20 21:34:58 ----N---- C:\WINDOWS\system.ini
2009-05-20 21:34:24 ----D---- C:\WINDOWS\system32\drivers
2009-05-20 21:34:24 ----D---- C:\WINDOWS\AppPatch
2009-05-20 21:34:21 ----D---- C:\Program Files\Common Files
2009-05-20 21:28:31 ----D---- C:\Program Files\Trillian
2009-05-20 10:14:58 ----A---- C:\WINDOWS\NeroDigital.ini
2009-05-19 21:33:21 ----RD---- C:\Program Files
2009-05-18 22:51:12 ----RASH---- C:\boot.ini
2009-05-18 20:29:56 ----SHD---- C:\System Volume Information
2009-05-18 20:29:56 ----D---- C:\WINDOWS\system32\Restore
2009-05-17 21:55:48 ----D---- C:\Documents and Settings\Sir $wat\Application Data\U3
2009-05-17 21:18:44 ----SD---- C:\Documents and Settings\Sir $wat\Application Data\Microsoft
2009-05-16 17:50:49 ----D---- C:\Program Files\Common Files\Adobe
2009-05-16 17:50:49 ----D---- C:\Program Files\Adobe
2009-05-16 08:40:43 ----SHD---- C:\WINDOWS\Installer
2009-05-16 08:40:43 ----HD---- C:\Config.Msi
2009-05-13 20:55:04 ----A---- C:\WINDOWS\ModemLog_Motorola USB Modem.txt
2009-05-13 07:00:08 ----D---- C:\WINDOWS\Debug
2009-05-10 20:36:00 ----D---- C:\Documents and Settings\Sir $wat\Application Data\LimeWire
2009-05-09 15:41:00 ----A---- C:\WINDOWS\ModemLog_Standard Modem.txt
2009-05-07 00:16:29 ----A---- C:\WINDOWS\system32\MRT.exe
2009-05-06 23:21:19 ----SD---- C:\WINDOWS\Tasks
2009-05-04 19:43:48 ----D---- C:\Program Files\VirtualDJ
2009-05-04 19:30:23 ----HD---- C:\WINDOWS\inf
2009-05-02 08:06:03 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-05-01 18:35:04 ----HD---- C:\WINDOWS\$hf_mig$
2009-05-01 10:46:00 ----D---- C:\WINDOWS\SoftwareDistribution
2009-04-26 09:57:04 ----RSD---- C:\WINDOWS\Fonts
2009-04-26 09:56:32 ----D---- C:\Program Files\Microsoft Office
2009-04-26 09:56:18 ----D---- C:\Program Files\Common Files\Microsoft Shared




Sir $wat
Top Dog

Posts : 2078
Joined : 2008-08-16
Gender : Male
OS : Windows XP Professional SP3

Re: gaopdxserv.sys

Post by Sir $wat on Fri May 22, 2009 10:29 am

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 Aavmker4;avast! Asynchronous Virus Monitor; C:\WINDOWS\system32\drivers\Aavmker4.sys [2009-02-05 26944]
R1 aswSP;avast! Self Protection; C:\WINDOWS\system32\drivers\aswSP.sys [2009-02-05 114768]
R1 aswTdi;avast! Network Shield Support; C:\WINDOWS\system32\drivers\aswTdi.sys [2009-02-05 51376]
R1 BIOS;BIOS; \??\C:\WINDOWS\system32\drivers\BIOS.sys []
R1 cdrbsdrv;cdrbsdrv; C:\WINDOWS\system32\drivers\cdrbsdrv.sys [2004-03-08 13567]
R2 aswFsBlk;aswFsBlk; C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2009-02-05 20560]
R2 aswMon2;avast! Standard Shield Support; C:\WINDOWS\system32\drivers\aswMon2.sys [2009-02-05 94032]
R2 EAPPkt;Realtek EAPPkt Protocol; C:\WINDOWS\system32\DRIVERS\EAPPkt.sys [2002-11-22 8849]
R3 AgereSoftModem;Agere Systems Soft Modem; C:\WINDOWS\system32\DRIVERS\AGRSM.sys [2005-06-29 1094848]
R3 aswRdr;aswRdr; C:\WINDOWS\system32\drivers\aswRdr.sys [2009-02-05 23152]
R3 BTKRNL;Bluetooth Bus Enumerator; C:\WINDOWS\system32\DRIVERS\btkrnl.sys [2005-07-22 1341466]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-13 144384]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS\system32\drivers\RtkHDAud.sys [2007-10-16 4615168]
R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2006-10-30 3964256]
R3 NVENETFD;NVIDIA nForce Networking Controller Driver; C:\WINDOWS\system32\DRIVERS\NVENETFD.sys [2006-11-27 58368]
R3 nvnetbus;NVIDIA Network Bus Enumerator; C:\WINDOWS\system32\DRIVERS\nvnetbus.sys [2006-11-27 19968]
R3 ROOTMODEM;Microsoft Legacy Modem Driver; C:\WINDOWS\System32\Drivers\RootMdm.sys [2003-06-20 5888]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2008-04-13 17152]
S1 ASPI32;ASPI32; C:\WINDOWS\system32\drivers\ASPI32.sys []
S1 gaopdxserv.sys;gaopdxserv.sys; C:\WINDOWS\system32\drivers\gaopdxqlnxyfrr.sys []
S3 CCDECODE;Closed Caption Decoder; C:\WINDOWS\system32\DRIVERS\CCDECODE.sys [2008-04-13 17024]
S3 ICAM3NT5;Intel USB Video Camera III; C:\WINDOWS\System32\Drivers\Icam3.sys [2001-08-17 141056]
S3 motmodem;Motorola USB CDC ACM Driver; C:\WINDOWS\system32\DRIVERS\motmodem.sys [2007-06-18 23680]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS\system32\drivers\MSTEE.sys [2008-04-13 5504]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [2008-04-13 85248]
S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\system32\DRIVERS\NdisIP.sys [2008-04-13 10880]
S3 nocashio;nocashio; C:\WINDOWS\system32\drivers\nocashio.sys [2009-01-17 4096]
S3 pctplsg;pctplsg; \??\C:\WINDOWS\system32\drivers\pctplsg.sys []
S3 RimUsb;BlackBerry Smartphone; C:\WINDOWS\System32\Drivers\RimUsb.sys [2008-04-16 22784]
S3 SFilter;PCTools Driver; C:\WINDOWS\system32\DRIVERS\pctfw.sys []
S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\system32\DRIVERS\SLIP.sys [2008-04-13 11136]
S3 streamip;BDA IPSink; C:\WINDOWS\system32\DRIVERS\StreamIP.sys [2008-04-13 15232]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
S3 usbscan;Usbscan; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
S3 usbser;Motorola USB Modem Driver; C:\WINDOWS\system32\DRIVERS\usbser.sys [2008-04-13 26112]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S3 usbvideo;USB Video Device (WDM); C:\WINDOWS\System32\Drivers\usbvideo.sys [2008-04-13 121984]
S3 Wdf01000;Wdf01000; C:\WINDOWS\system32\DRIVERS\Wdf01000.sys [2006-11-02 492000]
S3 WpdUsb;WpdUsb; C:\WINDOWS\System32\Drivers\wpdusb.sys [2006-10-18 38528]
S3 WSTCODEC;World Standard Teletext Codec; C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [2008-04-13 19200]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []
S4 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2003-06-20 12032]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 aawservice;Lavasoft Ad-Aware Service; C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe [2008-09-10 611664]
R2 aswUpdSv;avast! iAVS4 Control Service; C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe [2009-02-05 18752]
R2 avast! Antivirus;avast! Antivirus; C:\Program Files\Alwil Software\Avast4\ashServ.exe [2009-02-05 138680]
R2 btwdins;Bluetooth Service; C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe [2005-07-22 258103]
R2 ForcewareWebInterface;Forceware Web Interface; C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe [2006-04-13 20543]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2008-12-20 152984]
R2 nSvcIp;ForceWare IP service; C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe [2006-11-27 135221]
R2 nSvcLog;ForceWare user log service; C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe [2006-11-27 65593]
R2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2006-10-30 155715]
R2 Pml Driver HPZ12;Pml Driver HPZ12; C:\WINDOWS\system32\HPZipm12.exe [2005-11-22 69632]
R2 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service; C:\WINDOWS\System32\TUProgSt.exe [2008-12-16 603904]
R2 UxTuneUp;TuneUp Theme Extension; C:\WINDOWS\System32\svchost.exe [2008-04-13 14336]
R2 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]
R3 avast! Mail Scanner;avast! Mail Scanner; C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe [2009-02-05 254040]
R3 avast! Web Scanner;avast! Web Scanner; C:\Program Files\Alwil Software\Avast4\ashWebSv.exe [2009-02-05 352920]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2005-09-23 29896]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2005-09-23 66240]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-04 69632]
S3 NBService;NBService; C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe [2007-03-07 779824]
S3 NMIndexingService;NMIndexingService; C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe [2007-03-07 271920]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 TuneUp.Defrag;TuneUp Drive Defrag Service; C:\WINDOWS\System32\TuneUpDefragService.exe [2008-12-16 362240]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]

-----------------EOF-----------------


Re: gaopdxserv.sys

Post by Sir $wat on Fri May 22, 2009 10:30 am

info.txt logfile of random's system information tool 1.06 2009-05-22 06:24:26

======Uninstall list======

-->C:\PROGRA~1\Yahoo!\Common\UNYT_W~1.EXE
-->C:\Program Files\Nero\Nero 7\nero\uninstall\UNNERO.exe /UNINSTALL
-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Lan Driver\Lan Driver\Uninst.isu"
-->C:\WINDOWS\UNNeroBackItUp.exe /UNINSTALL
-->C:\WINDOWS\UNNeroMediaHome.exe /UNINSTALL
-->C:\WINDOWS\UNNeroShowTime.exe /UNINSTALL
-->C:\WINDOWS\UNNeroVision.exe /UNINSTALL
-->C:\WINDOWS\UNRecode.exe /UNINSTALL
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware-->MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Flash Player 10 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player 10 Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Photoshop 6.0-->C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Adobe\Photoshop 6.0\Uninst.isu" -c"C:\Program Files\Adobe\Photoshop 6.0\Uninst.dll"
Adobe Reader 9.1-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A91000000001}
Adobe Shockwave Player-->C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Age of Empires III-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{7B9CC60A-9B81-46A3-A953-76B6BF9EEC97}
Agere Systems PCI Soft Modem-->agrsmdel
Avanquest update-->"C:\Program Files\InstallShield Installation Information\{76E41F43-59D2-4F30-BA42-9A762EE1E8DE}\Setup.exe" -runfromtemp -l0x0009 -removeonly
avast! Antivirus-->C:\Program Files\Alwil Software\Avast4\aswRunDll.exe "C:\Program Files\Alwil Software\Avast4\Setup\setiface.dll",RunSetup
CCleaner (remove only)-->"C:\Program Files\CCleaner\uninst.exe"
CCScore-->MsiExec.exe /I{B4B44FE7-41FF-4DAD-8C0A-E406DDA72992}
Choice Guard-->MsiExec.exe /I{8FFC5648-FAF8-43A3-BC8F-42BA1E275C4E}
Compatibility Pack for the 2007 Office system-->MsiExec.exe /X{90120000-0020-0409-0000-0000000FF1CE}
Cricket Captain 2008-->C:\Program Files\InstallShield Installation Information\{66695FF9-B692-4C90-89EF-42A45AA4CF64}\setup.exe -runfromtemp -l0x0409
EA SPORTS(TM) Cricket 07-->C:\Program Files\EA SPORTS\EA SPORTS(TM) Cricket 07\EAUninstall.exe
ESSBrwr-->MsiExec.exe /I{643EAE81-920C-4931-9F0B-4B343B225CA6}
ESSCDBK-->MsiExec.exe /I{AE1FA02D-E6A4-4EA0-8E58-6483CAC016DD}
ESScore-->MsiExec.exe /I{42938595-0D83-404D-9F73-F8177FDD531A}
ESSgui-->MsiExec.exe /I{91517631-A9F3-4B7C-B482-43E0068FD55A}
ESSini-->MsiExec.exe /I{8E92D746-CD9F-4B90-9668-42B74C14F765}
ESSPCD-->MsiExec.exe /I{14D4ED84-6A9A-45A0-96F6-1753768C3CB5}
ESSPDock-->MsiExec.exe /I{FCDB1C92-03C6-4C76-8625-371224256091}
ESSSONIC-->MsiExec.exe /I{073F22CE-9A5B-4A40-A604-C7270AC6BF34}
ESSTOOLS-->MsiExec.exe /I{8A502E38-29C9-49FA-BCFA-D727CA062589}
essvatgt-->MsiExec.exe /I{2D03B6F8-DF36-4980-B7B6-5B93D5BA3A8F}
fflink-->MsiExec.exe /I{608D2A3C-6889-4C11-9B54-A42F45ACBFDB}
FIFA 08-->MsiExec.exe /X{0A2A5039-B37F-489D-B1DC-A5258DF9E697}
GTA San Andreas-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D417C96A-FCC7-4590-A1BB-FAF73F5BC98E}\setup.exe" -l0x9 -removeonly
HijackThis 2.0.2-->"C:\Documents and Settings\Sir $wat\My Documents\HijackThis.exe" /uninstall
HP Customer Participation Program 7.0-->C:\Program Files\HP\Digital Imaging\ExtCapUninstall\hpzscr01.exe -datfile hpqhsc01.dat
HP Imaging Device Functions 7.0-->C:\Program Files\HP\Digital Imaging\DeviceManagement\hpzscr01.exe -datfile hpqbud01.dat
HP Photosmart and Deskjet 7.0 Software-->C:\Program Files\HP\Digital Imaging\{76BEC1D7-8A9F-472D-84C7-014BB155E4B2}\setup\hpzscr01.exe -datfile hphscr11.dat -showdisconnect -forcereboot
HP Photosmart Essential-->MsiExec.exe /X{6994491D-D491-48F1-AE1F-E179C1FFFC2F}
HP Software Update-->MsiExec.exe /X{BB85ED9C-AFC9-43BD-B8DC-258C3C7DF72E}
HP Solution Center 7.0-->C:\Program Files\HP\Digital Imaging\eSupport\hpzscr01.exe -datfile hpqbud05.dat
ImageMixer VCD/DVD2 for OLYMPUS-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1F51A0CA-2BDD-474E-BB90-C7FA8EA78F52}\Setup.exe" -l0x9 UNINSTALL
Internet Download Manager-->C:\Program Files\Internet Download Manager\Uninstall.exe
Java(TM) 6 Update 11-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216011FF}
kgcbaby-->MsiExec.exe /I{E18B549C-5D15-45DA-8D8F-8FD2BD946344}
kgcbase-->MsiExec.exe /I{F22C222C-3CE2-4A4B-A83F-AF4681371ABE}
kgchday-->MsiExec.exe /I{11F3F858-4131-4FFA-A560-3FE282933B6E}
kgchlwn-->MsiExec.exe /I{03EDED24-8375-407D-A721-4643D9768BE1}
kgcinvt-->MsiExec.exe /I{9BD54685-1496-46A5-AB62-357CD140ED8B}
kgckids-->MsiExec.exe /I{693C08A7-9E76-43FF-B11E-9A58175474C4}
kgcmove-->MsiExec.exe /I{A1588373-1D86-4D44-86C9-78ABD190F9CC}
kgcvday-->MsiExec.exe /I{8A8664E1-84C8-4936-891C-BC1F07797549}
K-Lite Codec Pack 4.3.1 (Standard)-->"C:\Program Files\K-Lite Codec Pack\unins000.exe"
Kodak EasyShare software-->C:\Documents and Settings\All Users\Application Data\Kodak\EasyShareSetup\$SETUP_140002_4e089\Setup.exe /APR-REMOVE
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft .NET Framework 1.1 Hotfix (KB928366)-->"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M928366\M928366Uninstall.msp"
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 2.0-->C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.exe
Microsoft Office Professional Edition 2003-->MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Motorola Phone Tools-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BAD8CA9C-77C0-4663-B00B-A8D3B13C341B}\setup.exe" -l0x9 -removeonly
Mozilla Firefox (3.0.10)-->C:\Program Files\Mozilla Firefox 3.1 Beta 3\uninstall\helper.exe
MP3 Cutter 1.3-->"C:\Program Files\MP3 Cutter\unins000.exe"
MSVCRT-->MsiExec.exe /I{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
Need for Speed Underground 2-->C:\Program Files\EA GAMES\Need for Speed Underground 2\EAUninstall.exe
Nero 7 Essentials-->MsiExec.exe /X{70E0C991-2618-4FBB-941F-2C549EA81033}
netbrdg-->MsiExec.exe /I{4537EA4B-F603-4181-89FB-2953FC695AB1}
NVIDIA Drivers-->C:\WINDOWS\system32\nvudisp.exe UninstallGUI
NVIDIA ForceWare Network Access Manager-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{1F6423DE-7959-4178-80E0-023C7EAA5347} /l1033
OfotoXMI-->MsiExec.exe /I{B162D0A6-9A1D-4B7C-91A5-88FB48113C45}
OLYMPUS Master-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{BA820A24-704B-428D-9904-71A10DAC1372} /l1033 /zUNINSTALL
QuickTime-->MsiExec.exe /I{95A890AA-B3B1-44B6-9C18-A8F7AB3EE7FC}
REALTEK GbE & FE Ethernet PCI NIC Driver-->C:\Program Files\InstallShield Installation Information\{ACCA20B0-C4D1-4BF5-BF21-0A0EB5EF9730}\setup.exe -runfromtemp -l0x0009 -removeonly
REALTEK GbE & FE Ethernet PCI-E NIC Driver-->C:\Program Files\InstallShield Installation Information\{C9BED750-1211-4480-B1A5-718A3BE15525}\setup.exe -runfromtemp -l0x0009 -removeonly
Realtek High Definition Audio Driver-->RtlUpd.exe -r -m
Rtl8180-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{01558B00-3F19-4E26-8B56-11CA9F97E81C}\Setup.exe"
Security Update for Windows XP (KB923789)-->C:\WINDOWS\system32\MacroMed\Flash\genuinst.exe C:\WINDOWS\system32\MacroMed\Flash\KB923789.inf
Segoe UI-->MsiExec.exe /I{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}
SFR-->MsiExec.exe /I{DB02F716-6275-42E9-B8D2-83BA2BF5100B}
SHASTA-->MsiExec.exe /I{605A4E39-613C-4A12-B56F-DEFBE6757237}
skin0001-->MsiExec.exe /I{5316DFC9-CE99-4458-9AB3-E8726EDE0210}
SKINXSDK-->MsiExec.exe /I{F4A2E7CC-60CA-4AFA-B67F-AD5E58173C3F}
Skype™ 4.0-->MsiExec.exe /X{24D753CA-6AE9-4E30-8F5F-EFC93E08BF3D}
Smart Defrag 1.03-->"C:\Program Files\IObit\IObit SmartDefrag\unins000.exe"
staticcr-->MsiExec.exe /I{8943CE61-53BD-475E-90E1-A580869E98A2}
Switch-->C:\Program Files\NCH Swift Sound\Switch\uninst.exe
The KMPlayer (remove only)-->"C:\Program Files\The KMPlayer\uninstall.exe"
tooltips-->MsiExec.exe /I{E79987F0-0E34-42CC-B8FF-6C860AEEB26A}
Trillian-->C:\Program Files\Trillian\trillian.exe /uninstall
TuneUp Utilities 2009-->MsiExec.exe /I{55A29068-F2CE-456C-9148-C869879E2357}
Update for Windows XP (KB961503)-->"C:\WINDOWS\$NtUninstallKB961503$\spuninst\spuninst.exe"
USB Disk Security 5.1.0.15-->"C:\Program Files\USB Disk Security\unins000.exe"
Virtual DJ - Atomix Productions-->C:\PROGRA~1\VIRTUA~1\UNWISE.EXE C:\PROGRA~1\VIRTUA~1\INSTALL.LOG
VPRINTOL-->MsiExec.exe /I{999D43F4-9709-4887-9B1A-83EBB15A8370}
WIDCOMM Bluetooth Software-->MsiExec.exe /X{3F4EC965-28EF-45C3-B063-04B25D4E9679}
Windows Live Call-->MsiExec.exe /I{F6BD194C-4190-4D73-B1B1-C48C99921BFE}
Windows Live Communications Platform-->MsiExec.exe /I{3B4E636E-9D65-4D67-BA61-189800823F52}
Windows Live Essentials-->C:\Program Files\Windows Live\Installer\wlarp.exe
Windows Live Essentials-->MsiExec.exe /I{C6CA8874-5F22-4AF0-9BE3-016BF299C536}
Windows Live Messenger-->MsiExec.exe /X{0AAA9C97-74D4-47CE-B089-0B147EF3553C}
Windows Live Sign-in Assistant-->MsiExec.exe /I{45338B07-A236-4270-9A77-EBB4115517B5}
Windows Live Upload Tool-->MsiExec.exe /I{205C6BDD-7B73-42DE-8505-9A093F35A238}
Windows Media Format 11 runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Player 11-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
WinRAR archiver-->C:\Program Files\WinRAR\uninstall.exe
WinZip 11.1-->MsiExec.exe /X{CD95F661-A5C4-44F5-A6AA-ECDD91C240B5}
WIRELESS-->MsiExec.exe /I{F9593CFB-D836-49BC-BFF1-0E669A411D9F}
Yahoo! Install Manager-->C:\WINDOWS\system32\regsvr32 /u C:\PROGRA~1\Yahoo!\Common\YINSTH~1.DLL
Yahoo! Messenger-->C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG
Yahoo! Toolbar-->C:\PROGRA~1\Yahoo!\Common\UNYT_W~1.EXE

=====HijackThis Backups=====

O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - (no file) [2009-02-22]
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.90,85.255.112.219 [2009-02-22]
O17 - HKLM\System\CCS\Services\Tcpip\..\{964F6A80-C9BB-43D7-A54E-A47D2A657776}: NameServer = 85.255.116.90,85.255.112.219 [2009-02-22]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank [2009-02-22]
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file) [2009-02-22]
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file) [2009-02-22]
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - (no file) [2009-02-22]
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - (no file) [2009-02-22]
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - (no file) [2009-02-22]
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.90,85.255.112.219 [2009-02-22]
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file) [2009-02-22]
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file) [2009-02-22]
F2 - REG:system.ini: Shell=Explorer.exe SSVICHOSST.exe [2009-03-07]
F2 - REG:system.ini: Shell=Explorer.exe SSVICHOSST.exe [2009-03-14]
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file) [2009-03-16]
O3 - Toolbar: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - (no file) [2009-04-23]

======Hosts File======

127.0.0.1 mpa.one.microsoft.com

======Security center information======

AV: avast! antivirus 4.8.1335 [VPS 090521-0]

======System event log======

Computer Name: DRELOVESSHA
Event Code: 7
Message: The device, \Device\CdRom0, has a bad block.

Record Number: 62
Source Name: Cdrom
Time Written: 20090430080755.000000-420
Event Type: error
User:

Computer Name: DRELOVESSHA
Event Code: 7
Message: The device, \Device\CdRom0, has a bad block.

Record Number: 61
Source Name: Cdrom
Time Written: 20090430080753.000000-420
Event Type: error
User:

Computer Name: DRELOVESSHA
Event Code: 7
Message: The device, \Device\CdRom0, has a bad block.

Record Number: 60
Source Name: Cdrom
Time Written: 20090430080752.000000-420
Event Type: error
User:

Computer Name: DRELOVESSHA
Event Code: 7
Message: The device, \Device\CdRom0, has a bad block.

Record Number: 59
Source Name: Cdrom
Time Written: 20090430080751.000000-420
Event Type: error
User:

Computer Name: DRELOVESSHA
Event Code: 12
Message: The device 'Optiarc DVD RW AD-7200A' (IDE\CdRomOptiarc_DVD_RW_AD-7200A_________________1.05____\5&f2e0a7b&0&0.0.0) disappeared from the system without first being prepared for removal.

Record Number: 30
Source Name: PlugPlayManager
Time Written: 20090429202851.000000-420
Event Type: error
User:

=====Application event log=====

Computer Name: DRELOVESSHA
Event Code: 1000
Message: Faulting application outpost.exe, version 1.0.242.0, faulting module unknown, version 0.0.0.0, fault address 0x00000000.

Record Number: 303
Source Name: Application Error
Time Written: 20090331151117.000000-420
Event Type: error
User:

Computer Name: DRELOVESSHA
Event Code: 20
Message:
Record Number: 295
Source Name: Google Update
Time Written: 20090330064632.000000-420
Event Type: error
User: DRELOVESSHA\Sir $wat

Computer Name: DRELOVESSHA
Event Code: 20
Message:
Record Number: 293
Source Name: Google Update
Time Written: 20090329213331.000000-420
Event Type: error
User: DRELOVESSHA\Sir $wat

Computer Name: DRELOVESSHA
Event Code: 20
Message:
Record Number: 292
Source Name: Google Update
Time Written: 20090329203330.000000-420
Event Type: error
User: DRELOVESSHA\Sir $wat

Computer Name: DRELOVESSHA
Event Code: 20
Message:
Record Number: 291
Source Name: Google Update
Time Written: 20090329193331.000000-420
Event Type: error
User: DRELOVESSHA\Sir $wat

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%systemroot%\system32;%systemroot%;%systemroot%\system32\wbem;C:\Program Files\QuickTime\QTSystem
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 127 Stepping 1, AuthenticAMD
"PROCESSOR_REVISION"=7f01
"NUMBER_OF_PROCESSORS"=1
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"CLASSPATH"=.;C:\Program Files\Java\jre6\lib\ext\QTJava.zip
"QTJAVA"=C:\Program Files\Java\jre6\lib\ext\QTJava.zip

-----------------EOF-----------------


Re: gaopdxserv.sys

Post by Origin on Sat May 23, 2009 12:46 am

Please close all anti virus, anti malware and any other open programs/windows so they do not interfere with the running of RootRepeal.

  • Please download RootRepeal.zip from [You must be registered and logged in to see this link.].
  • Extract the program file to your Desktop.
  • Run the program RootRepeal.exe and go to the Report tab and click on the Scan button.
  • Select ALL of the checkboxes and then click OK and it will start scanning your system.
  • If you have multiple drives you only need to check the C: drive or the one Windows is installed on.
  • When done, click on Save Report.
  • Save it to the Desktop.
  • Please copy/paste the contents of the report in your next reply.


While my help is always free, please consider donating to keep this site alive: [You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.]


Re: gaopdxserv.sys

Post by Sir $wat on Sat May 23, 2009 12:30 pm

How long would this scan take? I left it for 2 hours, and when I checked it, my PC was frozen and the scan still wasn't completed.

It did not restart my pc on this occasion.


Re: gaopdxserv.sys

Post by Origin on Sat May 23, 2009 4:54 pm

It shouldn't take that long. Oh well, good news: I have found the infected driver.


Now open a new notepad file.
Input this into the notepad file:

Driver::
gaopdxqlnxyfrr

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open combofix again, agree to its terms and allow it to run.
It may want to reboot after it's done. (It will warn you if it wants to)
Post the resulting log back here.


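The entry Origin singled out can be picked out mechanically from the RSIT "List of drivers" posted earlier: it is a System-start (S1) driver whose service name carries a .sys suffix, whose image file the scanner could not stat (the empty [] at the end of the line), and whose image name is a random-looking string. The triage below is an added example, not part of the thread or of the RSIT/ComboFix tools; the sample lines are a subset copied from the list above, and the scoring rules and thresholds are my own assumptions for illustration.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# One line of the RSIT "List of drivers" section, e.g.
#   S1 gaopdxserv.sys;gaopdxserv.sys; C:\WINDOWS\system32\drivers\gaopdxqlnxyfrr.sys []
# Fields: state (R/S), start type (0-4), service name, display name, image path,
# and "[date size]" of the image file, which RSIT leaves empty when it cannot
# stat the file (missing from disk, or hidden from it by a rootkit).
LINE_RE = re.compile(r"^([RS])([0-4]) ([^;]*);([^;]*); (.*?) \[(.*)\]$")


@dataclass
class Driver:
    state: str
    start: int
    service: str
    display: str
    image: str
    file_info: str
    score: int = 0
    reasons: List[str] = field(default_factory=list)


def parse_driver_line(line: str) -> Optional[Driver]:
    """Parse one driver line; return None for headers and other text."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    state, start, service, display, image, info = m.groups()
    # Some entries carry the NT object-manager prefix \??\ ; drop it so the
    # path compares like the others.
    if image.startswith("\\??\\"):
        image = image[4:]
    return Driver(state, int(start), service, display, image, info.strip())


VOWELS = set("aeiou")


def looks_random(name: str, min_letters: int = 10, max_vowel_ratio: float = 0.2) -> bool:
    """Crude check for generated file names: long and almost vowel-free.
    Thresholds are an assumption, tuned so the legitimate names in this
    thread's logs (e.g. mbamswissarmy) stay below them."""
    letters = [c for c in name.lower() if c.isalpha()]
    if len(letters) < min_letters:
        return False
    vowels = sum(1 for c in letters if c in VOWELS)
    return vowels / len(letters) < max_vowel_ratio


def score_driver(d: Driver) -> Driver:
    """Attach a suspicion score and human-readable reasons (assumed weights)."""
    basename = d.image.rsplit("\\", 1)[-1]
    stem = basename.rsplit(".", 1)[0]
    if not d.file_info:
        d.score += 1
        d.reasons.append("scanner could not stat the image file ([] in log)")
        if d.start in (0, 1):
            d.score += 1
            d.reasons.append("boot/system-start driver with unreadable file")
    if d.service.lower().endswith(".sys"):
        d.score += 2
        d.reasons.append("service name ends in .sys (unusual for a service key)")
    if looks_random(stem):
        d.score += 2
        d.reasons.append(f"image name {basename} looks generated")
    return d


def triage(log_text: str) -> List[Driver]:
    """Parse every driver line in the log and return them, most suspicious first."""
    drivers = [d for d in map(parse_driver_line, log_text.splitlines()) if d is not None]
    return sorted((score_driver(d) for d in drivers), key=lambda d: d.score, reverse=True)


# Constructed sample: a subset of the driver list posted in this thread.
SAMPLE_LOG = r"""
======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 Aavmker4;avast! Asynchronous Virus Monitor; C:\WINDOWS\system32\drivers\Aavmker4.sys [2009-02-05 26944]
R1 BIOS;BIOS; \??\C:\WINDOWS\system32\drivers\BIOS.sys []
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
S1 ASPI32;ASPI32; C:\WINDOWS\system32\drivers\ASPI32.sys []
S1 gaopdxserv.sys;gaopdxserv.sys; C:\WINDOWS\system32\drivers\gaopdxqlnxyfrr.sys []
S3 pctplsg;pctplsg; \??\C:\WINDOWS\system32\drivers\pctplsg.sys []
"""

if __name__ == "__main__":
    for d in triage(SAMPLE_LOG):
        print(f"{d.score} {d.state}{d.start} {d.service:<20} {d.image}")
        for r in d.reasons:
            print(f"    - {r}")
```

Entries such as BIOS.sys and ASPI32.sys also score on the empty [] alone, which is why the example combines several weak signs rather than treating any one of them as proof.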

Re: gaopdxserv.sys

Post by Sir $wat on Sat May 23, 2009 7:24 pm

ComboFix 09-05-18.02 - Sir $wat 05/23/2009 15:19.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.959.538 [GMT -7:00]
Running from: c:\documents and settings\Sir $wat\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Sir $wat\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1335 [VPS 090523-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((( Files Created from 2009-04-23 to 2009-05-23 )))))))))))))))))))))))))))))))
.

2009-05-22 13:31 . 2009-05-22 13:31 -------- d-----w c:\documents and settings\All Users\Application Data\SPAUN IT
2009-05-22 13:24 . 2009-05-22 13:24 -------- d-----w C:\rsit
2009-05-21 04:08 . 2009-05-21 04:08 -------- d-----w C:\_OTMoveIt
2009-05-17 04:16 . 2009-05-17 04:16 -------- d-----w c:\program files\Photoshop 6.0.1
2009-05-16 15:35 . 2009-05-16 15:35 -------- d-----w c:\windows\Icons
2009-05-14 07:24 . 2009-05-16 15:40 -------- d-----w c:\program files\Button Studio
2009-05-14 07:24 . 1999-03-23 16:12 299520 ----a-w c:\windows\uninst.exe
2009-05-05 07:38 . 2009-05-05 07:38 56 ---ha-w c:\windows\system32\ezsidmv.dat
2009-05-05 07:38 . 2009-05-16 21:46 -------- d-----w c:\documents and settings\Sir $wat\Application Data\skypePM
2009-05-05 07:37 . 2009-05-16 21:47 -------- d-----w c:\documents and settings\Sir $wat\Application Data\Skype
2009-05-05 07:37 . 2009-05-05 07:37 -------- d-----w c:\program files\Common Files\Skype
2009-05-05 07:37 . 2009-05-05 07:37 -------- d-----r c:\program files\Skype
2009-05-05 07:36 . 2009-05-05 07:37 -------- d-----w c:\documents and settings\All Users\Application Data\Skype
2009-05-02 19:04 . 2009-05-02 19:26 -------- d-----w c:\program files\NBA 2008
2009-04-26 16:55 . 2009-04-26 16:55 -------- d-----w c:\program files\MSECache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-23 22:12 . 2009-03-15 16:26 -------- d-----w c:\program files\Mozilla Firefox 3.1 Beta 3
2009-05-21 04:28 . 2009-04-09 04:50 -------- d-----w c:\program files\Trillian
2009-05-17 00:50 . 2009-01-11 07:02 -------- d-----w c:\program files\Common Files\Adobe
2009-05-05 02:43 . 2009-04-03 03:58 -------- d-----w c:\program files\VirtualDJ
2009-05-01 15:38 . 2008-12-12 03:15 47416 ----a-w c:\documents and settings\Sir $wat\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-05 16:39 . 2009-04-05 16:39 -------- d-----w c:\program files\MP3 Cutter
2009-04-05 08:47 . 2009-04-05 04:04 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-05 04:19 . 2009-04-04 22:37 -------- d-----w c:\program files\The KMPlayer
2009-04-02 14:07 . 2009-04-02 14:07 0 ---ha-w c:\windows\system32\drivers\Msft_Kernel_motmodem_01005.Wdf
2009-04-02 14:07 . 2009-04-02 14:07 0 ---ha-w c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-04-02 14:05 . 2009-04-02 14:05 -------- d-----w c:\program files\WIDCOMM
2009-04-02 13:48 . 2009-04-02 13:40 -------- d-----w c:\program files\Avanquest update
2009-04-02 13:40 . 2008-12-11 23:23 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-02 13:39 . 2009-04-02 13:38 -------- d-----w c:\program files\Motorola Phone Tools
2009-04-02 13:38 . 2009-04-02 13:38 24192 ----a-w c:\documents and settings\Sir $wat\usbsermptxp.sys
2009-04-02 13:38 . 2009-04-02 13:38 22768 ----a-w c:\documents and settings\Sir $wat\usbsermpt.sys
2009-04-02 03:03 . 2009-04-02 03:03 2560 ----a-w c:\windows\_MSRSTRT.EXE
2009-04-02 03:03 . 2009-03-31 13:49 -------- d-----w c:\program files\Common Files\Agnitum Shared
2009-03-26 23:49 . 2009-04-05 04:04 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-26 23:49 . 2009-04-05 04:04 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-03-06 14:22 . 2004-08-04 07:56 284160 ----a-w c:\windows\system32\pdh.dll
.

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-23 22:11 . 2009-05-23 22:11 16384 c:\windows\Temp\Perflib_Perfdata_648.dat
+ 2009-05-23 22:11 . 2009-05-23 22:11 16384 c:\windows\Temp\Perflib_Perfdata_358.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-31 7634944]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-10-17 16855552]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^RtlWake.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\RtlWake.lnk
backup=c:\windows\pss\RtlWake.lnkCommon Startup

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
"OM_Monitor"=c:\program files\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart
"Google Update"="c:\documents and settings\Sir $wat\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
"IDMan"=c:\program files\Internet Download Manager\IDMan.exe /onboot

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"USB Antivirus"=c:\program files\USB Disk Security\USBGuard.exe
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
"OM_Monitor"=c:\program files\OLYMPUS\OLYMPUS Master\FirstStart.exe
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
"Malwarebytes Piracy"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" /piracy

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\NVIDIA Corporation\\NetworkAccessManager\\Apache Group\\Apache2\\bin\\Apache.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [3/14/2009 10:22 Dre 114768]
R1 BIOS;BIOS;c:\windows\system32\drivers\BIOS.sys [12/11/2008 4:32 Dre 13696]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [3/14/2009 10:22 Dre 20560]
R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [12/11/2008 9:49 Dre 8849]
R2 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;c:\windows\system32\TUProgSt.exe [12/16/2008 12:35 Dre 603904]
S3 ICAM3NT5;Intel USB Video Camera III;c:\windows\system32\drivers\Icam3.sys [2/13/2009 11:11 Dre 141056]
S3 pctplsg;pctplsg;\??\c:\windows\system32\drivers\pctplsg.sys --> c:\windows\system32\drivers\pctplsg.sys [?]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder

2009-05-23 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2009\OneClickStarter.exe [2008-11-21 00:28]

2009-05-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1390067357-1788223648-725345543-1003.job
- c:\documents and settings\Sir $wat\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-12 04:40]

2009-05-23 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-04-06 05:18]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mStart Page = [You must be registered and logged in to see this link.]
mWindow Title = Microsoft Internet Explorer
IE: Download all links with IDM - c:\program files\Internet Download Manager\IEGetAll.htm
IE: Download FLV video content with IDM - c:\program files\Internet Download Manager\IEGetVL.htm
IE: Download with IDM - c:\program files\Internet Download Manager\IEExt.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
IE: Send To &Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
TCP: {4A260BB3-EAE3-40C9-A254-7E0C4C77F8F1} = 190.80.16.3 190.80.16.4
FF - ProfilePath - c:\documents and settings\Sir $wat\Application Data\Mozilla\Firefox\Profiles\kfi70utn.default\
FF - component: c:\documents and settings\Sir $wat\Application Data\IDM\idmmzcc2\components\idmmzcc.dll
FF - component: c:\program files\Mozilla Firefox 3.1 Beta 3\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\documents and settings\Sir $wat\Local Settings\Application Data\Google\Update\1.2.145.5\npGoogleOneClick8.dll

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 750
FF - user.js: content.notify.interval - 750000
FF - user.js: content.max.tokenizing.time - 2250000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-05-23 15:20
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(160)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-05-23 15:22
ComboFix-quarantined-files.txt 2009-05-23 22:22
ComboFix2.txt 2009-05-21 04:36

Pre-Run: 126,798,376,960 bytes free
Post-Run: 126,840,438,784 bytes free

156 --- E O F --- 2009-05-14 07:28


----------------------------------------

I don't see it in Device Manager anymore...




Sir $wat

Re: gaopdxserv.sys

Post by Origin on Sat May 23, 2009 7:39 pm

Is the driver gone?


While my help is always free, please consider donating to keep this site alive: [You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.]


Re: gaopdxserv.sys

Post by Sir $wat on Sat May 23, 2009 7:48 pm

Yep... it's fixed now?





Re: gaopdxserv.sys

Post by Origin on Sat May 23, 2009 7:49 pm

Good to know.


Below I have included a number of recommendations for how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously; these few simple steps can stave off the vast majority of spyware problems. As happy as we are to help you, for your sake we would rather not have repeat customers.

1) Please navigate to [You must be registered and logged in to see this link.] and download all the "critical updates" for Windows. This can patch many of the security holes through which attackers can gain access to your computer.

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates, or get into the habit of checking for Windows updates regularly. I cannot stress enough how important this is.

2) In order to protect yourself against spyware, you should consider installing and running the following free programs:

[You must be registered and logged in to see this link.]
A tutorial on using Ad-Aware to remove spyware from your computer may be found [You must be registered and logged in to see this link.].

[You must be registered and logged in to see this link.]
A tutorial on using Spybot to remove spyware from your computer may be found [You must be registered and logged in to see this link.]. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

[You must be registered and logged in to see this link.]
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found [You must be registered and logged in to see this link.].

[You must be registered and logged in to see this link.]
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found [You must be registered and logged in to see this link.].

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

3) Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
[You must be registered and logged in to see this link.]
I also recommend the following add-ons for Firefox; they will help keep you safe from malicious scripts or ActiveX exploits.
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]

4) Also make sure to run your antivirus software regularly, and to keep it up-to-date.

To help you keep your software updated, please consider using this free software program that will check for program updates.
[You must be registered and logged in to see this link.]

5) Finally, consider maintaining a firewall. Some good free firewalls are [You must be registered and logged in to see this link.], or
[You must be registered and logged in to see this link.]
A tutorial on understanding and using firewalls may be found [You must be registered and logged in to see this link.].

Please also read Tony Klein's excellent article: [You must be registered and logged in to see this link.]

If you would take a moment to fill out our feedback form, we would appreciate it.
The link can be found [You must be registered and logged in to see this link.].

Hopefully this should take care of your problems! Good luck.



Re: gaopdxserv.sys

Post by Sir $wat on Sat May 23, 2009 7:54 pm

What was that driver used for anyway?

Thanks a lot man... keep up the good work!

propz





Re: gaopdxserv.sys

Post by Origin on Sat May 23, 2009 8:00 pm

That driver was installed by itself, probably by an infected file that you downloaded or a website that you visited. This driver is a rootkit that is used to compromise your system in order to take control of your network and such. Since it has been removed this will stop, but to be sure there are no leftovers please do a scan with Malwarebytes just to make sure.



Re: gaopdxserv.sys

Post by Sir $wat on Sat May 23, 2009 8:05 pm

I will... thanks again.

Could it have affected my internet speed?





Re: gaopdxserv.sys

Post by Origin on Sat May 23, 2009 8:06 pm

No, this could not have affected your internet speed. Is it going slower than usual?



Re: gaopdxserv.sys

Post by Sir $wat on Sat May 23, 2009 8:10 pm

Maybe just a bit... but I don't think it's anything to worry about...

Thanks again...





Re: gaopdxserv.sys

Post by Origin on Sat May 23, 2009 8:12 pm

No worries, any time.

