 I think I'm infected with 'gaopdxserv.sys' trojan--, My google redirects sometimes and I have 'Vimax' adds everywhe |
Welcome Guest ( Log In | Click here to Register a free account now! )
Register a free account to unlock additional features at BleepingComputer.com
Welcome to Bleeping Computer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.
BleepingComputer.com > Security > HijackThis Logs and Virus/Trojan/Spyware/Malware Removal > Misplaced HJT Logs  |
 Jul 3 2009, 07:30 PM
Post
#1
|
|
|
New Member  Group: Members Posts: 2 Joined: 3-July 09 Member No.: 347,894  |
I think that I have the gaopdxserv.sys Trojan, I'm not sure. My google redirects the first time you click anything (it works the second time), and I get 'Vimax' banners in almost every site that I visit (including CBC). I think that it may have infected my iPod/ flash drive as well, I sometimes can't access them and get a 'recycled' message box. I tried 'flash Disinfector' but I'm not sure if that worked. Here is my DDS log as requested: DDS (Ver_09-06-26.01) - NTFSx86 Run by Nick at 16:19:26.07 on Fri 07/03/2009 Internet Explorer: 8.0.6001.18702 Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.447.183 [GMT -7:00] AV: Rogers Online Protection Anti-Virus *On-access scanning enabled* (Updated) {5B5A3BD7-8573-4672-AEA8-C9BB713B6755} AV: Norton Security Online *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8} FW: Rogers Online Protection Firewall *enabled* {80593BF4-D969-4EC5-ADAE-A22F2DFC7A22} FW: Norton Security Online *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220} ============== Running Processes =============== C:\WINDOWS\system32\svchost -k DcomLaunch svchost.exe C:\WINDOWS\System32\svchost.exe -k netsvcs C:\Program Files\Rogers Online Protection\Rogers Online Protection\Fws.exe C:\WINDOWS\Explorer.EXE svchost.exe svchost.exe C:\WINDOWS\system32\LEXBCES.EXE C:\Program Files\Rogers Online Protection\Rogers Online Protection\rps.exe C:\WINDOWS\system32\LEXPPS.EXE C:\WINDOWS\system32\spoolsv.exe svchost.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\WINDOWS\system32\nvsvc32.exe C:\Program Files\Raxco\PerfectDisk\PDAgent.exe C:\Program Files\CyberLink\Shared Files\RichVideo.exe C:\WINDOWS\system32\svchost.exe -k imgsvc C:\WINDOWS\SOUNDMAN.EXE C:\WINDOWS\system32\RUNDLL32.EXE C:\Program Files\Java\jre6\bin\jusched.exe C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe C:\Program Files\lg_fwupdate\fwupdate.exe C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe C:\Program Files\Nero\Nero 7\InCD\InCD.exe C:\Program Files\Rogers Online Protection\Rogers Servicepoint Agent\RogersServicepointAgent.exe C:\Program Files\iTunes\iTunesHelper.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\Rogers Online Protection\Rogers Online Protection\RpsSecurityAwareR.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Documents and Settings\Nick\Desktop\dds.scr ============== Pseudo HJT Report =============== uStart Page = hxxp://www.google.com/ uInternet Settings,ProxyOverride = *.local uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll BHO: ZILLAbar Browser Helper Object: {1827766b-9f49-4854-8034-f6ee26fcb1ec} - c:\program files\stopzilla!\SZSG.dll BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll BHO: PopKill Class: {3c060ea2-e6a9-4e49-a530-d4657b8c449a} - c:\program files\rogers online protection\rogers online protection\pkR.dll BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll BHO: STOPzilla Browser Helper Object: {e3215f20-3212-11d6-9f8b-00d0b743919d} - c:\program files\stopzilla!\SZIEBHO.dll BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll TB: STOPzilla: {98828ded-a591-462f-83ba-d2f62a68b8b8} - c:\program files\stopzilla!\SZSG.dll uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe mRun: [SoundMan] SOUNDMAN.EXE mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup mRun: [nwiz] nwiz.exe /install mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe" mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe" mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe" mRun: [LanguageShortcut] "c:\program files\cyberlink\powerdvd\language\Language.exe" mRun: [LGODDFU] "c:\program files\lg_fwupdate\fwupdate.exe" blrun mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe mRun: [SecurDisc] c:\program files\nero\nero 7\incd\NBHGui.exe mRun: [InCD] c:\program files\nero\nero 7\incd\InCD.exe mRun: [RogersServicepointAgent.exe] "c:\program files\rogers online protection\rogers servicepoint agent\RogersServicepointAgent.exe" /AUTORUN mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe" StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\kodake~1.lnk - c:\program files\kodak\kodak easyshare software\bin\EasyShare.exe StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office10\EXCEL.EXE/3000 IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe LSP: c:\program files\common files\is3\anti-spyware\iS3lsp.dll DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - hxxps://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx2.hotmail.com/mail/w3/resources/MSNPUpld.cab DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://dl8-cdn-01.sun.com/s/ESD5/JSCDL/jre/6u11-b90/jinstall-6u11-windows-i586-jc.cab?e=1232300051598&h=82bea96d47e5e6defce71b45cc2700d4/&filename=jinstall-6u11-windows-i586-jc.cab DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab TCP: NameServer = 85.255.112.93,85.255.112.15 TCP: {5AE2EF85-E4E4-4409-8F3E-119BCFC6E66A} = 85.255.112.93,85.255.112.15 Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll ============= SERVICES / DRIVERS =============== R0 KL1;KL1;c:\windows\system32\drivers\kl1.sys [2009-5-13 112144] R0 szkg5;szkg;c:\windows\system32\drivers\SZKG.sys [2009-5-12 61328] R1 KLIF;KLIF;c:\windows\system32\drivers\klif.sys [2009-5-13 196368] R3 Radialpoint Security Services;Rogers Online Protection;c:\program files\rogers online protection\rogers online protection\RpsSecurityAwareR.exe [2009-2-27 97520] S0 eefwore;eefwore;c:\windows\system32\drivers\sqtrvmt.sys --> c:\windows\system32\drivers\sqtrvmt.sys [?] =============== Created Last 30 ================ 2009-07-02 19:02 <DIR> a-dshr-- C:\autorun.inf 2009-07-02 18:54 <DIR> --d----- c:\program files\STOPzilla! 2009-07-02 18:54 <DIR> --d----- c:\program files\common files\iS3 2009-07-02 18:54 <DIR> --d----- c:\docume~1\alluse~1\applic~1\STOPzilla! 2009-07-02 14:37 <DIR> --d----- c:\program files\CCleaner 2009-07-02 13:54 81,920 a------- c:\windows\eSellerateControl350.dll 2009-07-02 13:54 <DIR> --d----- c:\program files\True Sword 5 2009-07-01 16:02 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys 2009-07-01 16:02 19,096 a------- c:\windows\system32\drivers\mbam.sys 2009-07-01 16:02 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware 2009-07-01 15:36 <DIR> --d----- c:\windows\pss 2009-07-01 14:58 <DIR> --d----- c:\program files\Trend Micro 2009-07-01 13:34 <DIR> --dsh--- c:\documents and settings\nick\PrivacIE 2009-07-01 12:48 <DIR> --dsh--- c:\documents and settings\nick\IETldCache 2009-07-01 12:31 <DIR> -cd-h--- c:\windows\ie8 2009-06-30 22:13 <DIR> --d----- c:\program files\BlueRaTech 2009-06-27 06:19 <DIR> --d----- c:\program files\iTunes 2009-06-23 23:21 244 a---h--- C:\sqmnoopt18.sqm 2009-06-23 23:21 232 a---h--- C:\sqmdata18.sqm 2009-06-23 20:34 232 a---h--- C:\sqmdata17.sqm 2009-06-23 20:34 244 a---h--- C:\sqmnoopt17.sqm 2009-06-08 19:49 244 a---h--- C:\sqmnoopt16.sqm 2009-06-08 19:49 232 a---h--- C:\sqmdata16.sqm 2009-06-08 19:49 232 a---h--- C:\sqmdata15.sqm 2009-06-08 19:49 244 a---h--- C:\sqmnoopt15.sqm 2009-06-08 00:27 244 a---h--- C:\sqmnoopt14.sqm 2009-06-08 00:27 232 a---h--- C:\sqmdata14.sqm 2009-06-08 00:25 232 a---h--- C:\sqmdata13.sqm 2009-06-08 00:25 244 a---h--- C:\sqmnoopt13.sqm 2009-06-07 16:49 244 a---h--- C:\sqmnoopt12.sqm 2009-06-07 16:49 232 a---h--- C:\sqmdata12.sqm 2009-06-07 15:05 232 a---h--- C:\sqmdata11.sqm 2009-06-07 15:05 244 a---h--- C:\sqmnoopt11.sqm 2009-06-07 14:53 244 a---h--- C:\sqmnoopt10.sqm 2009-06-07 14:53 232 a---h--- C:\sqmdata10.sqm 2009-06-07 11:14 244 a---h--- C:\sqmnoopt09.sqm 2009-06-07 11:14 232 a---h--- C:\sqmdata09.sqm 2009-06-07 09:57 244 a---h--- C:\sqmnoopt08.sqm 2009-06-07 09:57 232 a---h--- C:\sqmdata08.sqm 2009-06-06 13:43 244 a---h--- C:\sqmnoopt07.sqm 2009-06-06 13:43 232 a---h--- C:\sqmdata07.sqm 2009-06-06 13:40 244 a---h--- C:\sqmnoopt06.sqm 2009-06-06 13:40 232 a---h--- C:\sqmdata06.sqm 2009-06-04 17:40 244 a---h--- C:\sqmnoopt05.sqm 2009-06-04 17:40 232 a---h--- C:\sqmdata05.sqm ==================== Find3M ==================== 2009-07-03 16:19 135,200 a--sh--- c:\windows\system32\drivers\fidbox2.dat 2009-07-03 16:04 5,221,920 a--sh--- c:\windows\system32\drivers\fidbox.dat 2009-07-03 06:45 70,652 a--sh--- c:\windows\system32\drivers\fidbox.idx 2009-07-03 06:45 13,700 a--sh--- c:\windows\system32\drivers\fidbox2.idx 2009-05-28 14:16 17,408 a----r-- c:\windows\system32\SZIO5.dll 2009-05-28 14:15 294,912 a----r-- c:\windows\system32\SZBase5.dll 2009-05-28 14:14 540,672 a----r-- c:\windows\system32\SZComp5.dll 2009-05-12 14:13 61,328 a----r-- c:\windows\system32\drivers\SZKG.sys 2009-05-07 08:32 345,600 a------- c:\windows\system32\localspl.dll 2009-04-17 05:26 1,847,168 a------- c:\windows\system32\win32k.sys 2009-04-15 07:51 585,216 a------- c:\windows\system32\rpcrt4.dll 2008-10-15 16:28 134 ac--h--- c:\docume~1\nick\applic~1\lakerda1967.sys 2008-12-17 18:54 32,768 ac-sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008121720081218\index.dat ============= FINISH: 16:20:01.48 ===============
Attached File(s)
|
 |
 
|
|
Jul 3 2009, 09:04 PM
Post
#2
|
|
 To INSANITY and BEYOND !! Group: Moderator Posts: 21,854 Joined: 10-September 04 From: NJ USA Member No.: 2,608 |
I have moved your Topic that included a HijackThis log here to the Misplaced HJT Logs forum. You posted your log in a forum not intended for HijackThis logs analysis. We can only allow topics with such logs in the HijackThis Logs and Malware Removal forum. This restriction is to ensure you get the best help available, from those who specialize in malware anlaysis and removal. It also should prevent you from receiving ineffective or even potentially dangerous advice, whether well meaning or not.
We understand that dealing with malware issues and getting help can be frustrating but improperly posting a log usually happens if you missed the directions we provide to those who require malware removal assistance. Prior to posting a log, we ask that you please read and follow all instructions in the pinned topic titled Preparation Guide For Use Before Posting A Hijackthis Log. Following the steps in this Guide will allow the HJT Team to quickly help you with specific fixes for what may remain on your system. Please complete all the steps in the Guide. If you can't perform a step, then skip it and continue with the next. In Step 6 there are instructions for downloading and running DDS which will create a Pseudo HJT Report as part of its log. When you have completed those steps, start a new topic in the HijackThis Logs and Malware Removal forum as directed in the Prep Guide to post a new log. Please do not post any more logs to this topic as it just a placeholder to be used to help you post the information in the proper way and in the proper forum. Going forward, HijackThis logs should only be posted in the HijackThis Logs and Virus/Trojan/Spyware/Malware Removal in order to make it easier for our helpers to respond to your topic The Misplaced HJT Logs forum is strictly a holding area where the BC Staff can assist you with preparations for and to properly post your log. If you have a question or encounter a problem in the Prep Guide, please do post back to this topic; that is what it is here for. When your new DDS/HJT log is posted in the proper forum, please reply to this topic with a link to your new topic. Once that is done, a Member of the HJT Team will analyze your log and assist you with step by step instructions to clean your computer or otherwise advise what needs to be done. Thanks for your cooperation and good luck. The BC Staff -------------------- Can you spare some PC cycles to help FIND A CURE .. BC FOLDING TEAM Click me /info..
ThoughtVent a goodplace to discuss.<<>>>Staying Updated Calendar of Updates. For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook |
|
|
|
|
1 User(s) are reading this topic (1 Guests and 0 Anonymous Users)
0 Members:
| Lo-Fi Version | Time is now: 20th November 2009 - 08:16 PM |
© 2003-2009 All Rights Reserved Bleeping Computer LLC.