
Virus won't give up the ghost!


  • This topic is locked
11 replies to this topic

#1 sonicslayer

  • Members
  • 8 posts

Posted 02 February 2009 - 06:23 PM

Ok, so I think a virus has found its way onto my system. I have run McAfee like 10 times and the problem still persists. Nothing is updating! Not Windows, not Spybot. Basically everything that is used to get rid of it has been disabled. More recently, I went to the Microsoft web page to download updates directly and the Windows Update page always redirects to Google. I found this entry (http://www.bleepingcomputer.com/forums/topic194759.html) that I think goes hand in hand with mine, but I wanted to get some professional help before I started messing with my system. I have followed the instructions and have provided the required information below. Thanks for any and all help.


DDS (Ver_09-02-01.01) - NTFSx86
Run by Riley at 17:16:44.52 on Mon 02/02/2009
Internet Explorer: 7.0.6001.18000
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1916.934 [GMT -6:00]

AV: McAfee VirusScan Enterprise *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Blue Coat K9 Web Protection\k9filter.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\system32\lxdccoms.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\DRIVERS\xaudio.exe
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\hp\support\hpsysdrv.exe
C:\Program Files\McAfee\VirusScan Enterprise\shstat.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Lexmark 1300 Series\lxdcamon.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Registry Mechanic\RMTray.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Riley\Desktop\Riley's Downloads\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.ibs.org/bibles/dailyreading/index.php
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Presario&pf=desktop
uInternet Settings,ProxyOverride = *.local
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: NoExplorer - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {32C620D6-CC10-4e6a-9715-BACACD5B0E61} - No File
BHO: Parental Control Toolbar: {4e7bd74f-2b8d-469e-9fa5-a33de8dbe931} - c:\progra~1\parent~1\PARENT~1.DLL
BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No File
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~3\office12\GRA8E1~1.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptcl.dll
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
TB: Parental Control Toolbar: {4e7bd74f-2b8d-469e-9fa5-a33de8dbe931} - c:\progra~1\parent~1\PARENT~1.DLL
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [RegistryMechanic] c:\program files\registry mechanic\rmtray.exe /H
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [hpsysdrv] c:\hp\support\hpsysdrv.exe
mRun: [HP Health Check Scheduler] [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
mRun: [<NO NAME>]
mRun: [WorkFlow] e:\install\WorkFlow.exe
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\UdaterUI.exe" /StartedFromRunKey
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [lxdcamon] "c:\program files\lexmark 1300 series\lxdcamon.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\users\riley\appdata\roaming\micros~1\windows\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\users\riley\appdata\roaming\micros~1\windows\startm~1\programs\startup\magicd~1.lnk - c:\program files\magicdisc\MagicDisc.exe
StartupFolder: c:\users\riley\appdata\roaming\micros~1\windows\startm~1\programs\startup\yahoo!~1.lnk - c:\program files\yahoo!\widgets\YahooWidgets.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\snapfi~1.lnk - c:\program files\snapfish picture mover\SnapfishMediaDetector.exe
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photos.walmart.com/WalmartActivia.cab
TCP: NameServer = 208.67.220.220,208.67.222.222
TCP: {38423836-BD19-40F9-9050-4DDC6EF47611} = 208.67.220.220,208.67.222.222
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~3\office12\GR99D3~1.DLL
SSODL: WebProxy - {A744F16C-B2D5-4138-81A2-085CDFCDE83A} - No File
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~3\office12\GRA8E1~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\users\riley\appdata\roaming\mozilla\firefox\profiles\x377nqhs.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\program files\mozilla firefox\plugins\npyaxmpb.dll
FF - plugin: c:\users\riley\appdata\roaming\mozilla\plugins\npPxPlay.dll

============= SERVICES / DRIVERS ===============

R1 bckd;bckd;c:\windows\system32\drivers\bckd.sys [2008-11-21 72992]
R2 bckwfs;Blue Coat K9 Web Protection;c:\program files\blue coat k9 web protection\k9filter.exe [2008-11-21 1078560]
R2 lxdc_device;lxdc_device;c:\windows\system32\lxdccoms.exe -service --> c:\windows\system32\lxdccoms.exe -service [?]
S2 lxdcCATSCustConnectService;lxdcCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdcserv.exe [2007-5-25 99248]
S3 PCD5SRVC{BD6912E3-AC9D80E8-05040000};PCD5SRVC{BD6912E3-AC9D80E8-05040000} - PCDR Kernel Mode Service Helper Driver;c:\progra~1\pc-doc~1\PCD5SRVC.pkms [2007-12-11 21280]

=============== Created Last 30 ================

2009-02-02 08:24 <DIR> --d----- c:\users\riley\.housecall6.6
2009-01-31 10:20 148,069,504 a------- c:\windows\MEMORY.DMP
2009-01-23 17:07 <DIR> --d----- c:\program files\common files\Common Share
2009-01-23 17:07 <DIR> --d----- c:\program files\OJOsoft
2009-01-23 13:12 <DIR> --d----- c:\programdata\Real
2009-01-23 13:12 <DIR> --d----- c:\program files\Real Alternative
2009-01-23 13:06 <DIR> --d----- c:\windows\WinAVI Video Converter 9.0
2009-01-23 13:06 <DIR> --d----- c:\program files\WinAVI Video Converter 9.0
2009-01-23 08:04 <DIR> --d----- c:\program files\AviSynth 2.5
2009-01-23 08:03 <DIR> --d----- c:\program files\Avi2Dvd
2009-01-20 23:23 92 a------- c:\windows\wininit.ini
2009-01-20 12:45 87,608 a------- c:\users\riley\appdata\roaming\inst.exe
2009-01-20 12:45 47,360 a------- c:\users\riley\appdata\roaming\pcouffin.sys
2009-01-20 12:45 <DIR> --d----- c:\users\riley\appdata\roaming\cogad
2009-01-20 12:44 71,168 a------- c:\windows\system32\drivers\gaopdxrbycqibx.sys
2009-01-20 12:44 <DIR> --dshr-- C:\resycled
2009-01-13 21:52 288,768 a------- c:\windows\system32\drivers\srv.sys
2009-01-10 12:14 <DIR> --d----- c:\program files\Blue Coat K9 Web Protection

==================== Find3M ====================

2008-12-12 11:18 87,336 a------- c:\windows\system32\dns-sd.exe
2008-12-12 11:11 61,440 a------- c:\windows\system32\dnssd.dll
2008-11-30 08:42 86,016 a------- c:\windows\inf\infstor.dat
2008-11-30 08:42 51,200 a------- c:\windows\inf\infpub.dat
2008-11-30 08:42 143,360 a------- c:\windows\inf\infstrng.dat
2008-06-13 10:07 665,600 a------- c:\windows\inf\drvindex.dat
2008-01-20 20:43 174 a--sh--- c:\program files\desktop.ini
2006-11-02 06:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 06:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 06:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 06:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 03:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 03:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 03:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 03:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2008-04-17 22:13 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2008-04-17 22:13 32,768 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2008-04-17 22:13 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\cookies\index.dat

============= FINISH: 17:17:22.03 ===============
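As an added example (not part of the thread, and not a feature of the DDS tool), here is a small Python triage script that reads the sections of a DDS log like the one above and flags the entry types a responder looks at first: BHO/toolbar hooks with no backing file, a DNS NameServer override, a newly created kernel driver with a random-looking name, and a hidden+system directory created in a drive root. The sample log lines are constructed from entries in the post; the random-name check is a heuristic of my own and is only a hint to be read together with the other findings.

```python
"""Triage helper for DDS-style log text (added example, not part of the thread)."""
import re

# Constructed sample, modelled on lines from the DDS log posted above.
SAMPLE_LOG = """\
============== Pseudo HJT Report ===============

BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\\program files\\common files\\adobe\\acrobat\\activex\\AcroIEHelper.dll
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
TCP: NameServer = 208.67.220.220,208.67.222.222

=============== Created Last 30 ================

2009-01-20 12:44 71,168 a------- c:\\windows\\system32\\drivers\\gaopdxrbycqibx.sys
2009-01-20 12:44 <DIR> --dshr-- C:\\resycled
2009-01-13 21:52 288,768 a------- c:\\windows\\system32\\drivers\\srv.sys
2009-01-10 12:14 <DIR> --d----- c:\\program files\\Blue Coat K9 Web Protection
"""

# "============== Section Name ===============" headers used by DDS.
SECTION_RE = re.compile(r"^=+ (.+?) =+$")
# BHO/toolbar entries whose CLSID no longer resolves to a file on disk.
NOFILE_RE = re.compile(r"^(BHO|TB): .* - No File$", re.IGNORECASE)
NAMESERVER_RE = re.compile(r"^TCP: NameServer = (.+)$")
# "<date> <time> <size|<DIR>> <8-char attribute flags> <path>"
CREATED_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) (<DIR>|[\d,]+) ([a-z-]{8}) (.+)$"
)
# A path directly under a drive root, e.g. C:\resycled
ROOT_DIR_RE = re.compile(r"^[a-z]:\\[^\\]+\\?$", re.IGNORECASE)
CONSONANT_RUN_RE = re.compile(r"[bcdfghjklmnpqrstvwxz]{4,}", re.IGNORECASE)


def looks_random(filename):
    """Heuristic (my own, not DDS): a long stem containing a run of four or
    more consonants, e.g. gaopdxrbycqibx.sys. Legitimate names can match too,
    so triage() only applies it to kernel drivers created in the window."""
    stem = filename.rsplit(".", 1)[0]
    return len(stem) >= 10 and CONSONANT_RUN_RE.search(stem) is not None


def triage(log_text):
    """Return a list of (category, line) findings for DDS-style log text."""
    findings = []
    section = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1)
            continue
        if section == "Pseudo HJT Report":
            if NOFILE_RE.match(line):
                findings.append(("orphaned_browser_hook", line))
            if NAMESERVER_RE.match(line):
                # Resolver override: the place to look when updates redirect.
                findings.append(("dns_override", line))
        elif section == "Created Last 30":
            entry = CREATED_RE.match(line)
            if not entry:
                continue
            _, size, attrs, path = entry.groups()
            name = path.rstrip("\\").rsplit("\\", 1)[-1]
            hidden_system = "s" in attrs and "h" in attrs
            if size == "<DIR>" and hidden_system and ROOT_DIR_RE.match(path):
                findings.append(("hidden_system_root_dir", line))
            if "\\drivers\\" in path.lower() and looks_random(name):
                findings.append(("suspicious_new_driver", line))
    return findings


if __name__ == "__main__":
    for category, line in triage(SAMPLE_LOG):
        print(f"[{category}] {line}")
```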


#2 PropagandaPanda

  • Malware Response Team
  • 10,433 posts

Posted 08 February 2009 - 05:21 PM

Hello. I am PropagandaPanda (Panda or PP for short), and I will be helping you.

Disable Realtime Protection
Antimalware programs can interfere with ComboFix and other tools we need to run. Please temporarily disable all realtime protections you have enabled. Refer to this page, if you are unsure how.

To disable McAfee:
  • Please navigate to the system tray on the bottom right hand corner and look for the McAfee icon.
    Right-click it -> choose Exit.
  • A popup will warn that protection will now be disabled. Click on Yes to disable the Antivirus guard.
Download and Run ComboFix
If you have already run ComboFix, delete your copy and download a new one. If the computer in question is unable to download ComboFix, transfer it using a removable media (CDs, flash drive).

Download Combofix by sUBs from any of the links below, and save it to your desktop.
Link 1, Link 2, Link 3
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click on ComboFix.exe and follow the prompts. If you are using Windows Vista, right click the icon and select "Run as Administrator". You will not receive the prompts below if you are not using Windows XP. ComboFix will check to see if you have the Windows Recovery Console installed.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • When the Recovery Console has been installed, you will see the prompt below. Choose YES.
  • When finished, ComboFix will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

Download and Run Scan with GMER
We will use GMER to scan for rootkits.

Please download GMER.zip to your desktop from any of the links below:
LINK1, LINK2
  • Right click on GMER.zip and select "Extract All".
  • Close all other open programs as there is a slight chance your computer will crash.
  • Double click GMER.exe. Your security programs may detect GMER's driver trying to load. Allow it.
  • You may see a warning saying "GMER has detected rootkit activity". If so, select NO.
  • Leaving the settings at default, click Scan.
  • When the scan is complete, click Save and save the log onto your desktop.
Please include the log in your next reply.
In your next reply include:
-the ComboFix log
-the GMER scan log

Please also tell me of any changes you have made to your computer since you started your topic.

With Regards,
The Panda

#3 sonicslayer

  • Topic Starter
  • Members
  • 8 posts

Posted 09 February 2009 - 07:39 PM

Hey Panda. Thanks for getting back to me. I followed your instructions to the letter. ComboFix said it found some problems and had to restart. After it was all said and done I thought I would try and see if my programs updated, but they are still redirecting to Google. Just thought you might like to know. Here are the following logs.

COMBOFIX:
ComboFix 09-02-08.02 - Riley 2009-02-09 18:19:06.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1916.1381 [GMT -6:00]
Running from: c:\users\Riley\Desktop\Riley's Downloads\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\resycled
c:\resycled\ntldr.com
c:\users\Riley\AppData\Roaming\inst.exe
c:\windows\system32\drivers\gaopdxrbycqibx.sys
c:\windows\system32\gaopdxdcqrxdkp.dll
D:\resycled
d:\resycled\ntldr.com

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_gaopdxserv.sys


((((((((((((((((((((((((( Files Created from 2009-01-10 to 2009-02-10 )))))))))))))))))))))))))))))))
.

2009-02-02 08:24 . 2009-02-02 08:27 <DIR> d-------- c:\users\Riley\.housecall6.6
2009-01-31 10:20 . 2009-01-31 10:20 148,069,504 --a------ c:\windows\MEMORY.DMP
2009-01-23 17:07 . 2009-02-06 21:29 <DIR> d-------- c:\program files\OJOsoft
2009-01-23 17:07 . 2009-01-23 17:07 <DIR> d-------- c:\program files\Common Files\Common Share
2009-01-23 13:12 . 2009-01-23 13:12 <DIR> d-------- c:\users\All Users\Real
2009-01-23 13:12 . 2009-01-23 13:12 <DIR> d-------- c:\program files\Real Alternative
2009-01-23 13:06 . 2009-01-23 13:06 <DIR> d-------- c:\windows\WinAVI Video Converter 9.0
2009-01-23 13:06 . 2009-01-23 13:06 <DIR> d-------- c:\program files\WinAVI Video Converter 9.0
2009-01-23 12:32 . 2009-01-23 12:42 <DIR> d-------- c:\users\Riley\AppData\Roaming\Media Player Classic
2009-01-23 08:04 . 2009-01-23 12:43 <DIR> d-------- c:\program files\AviSynth 2.5
2009-01-23 08:03 . 2009-01-23 12:43 <DIR> d-------- c:\program files\Avi2Dvd
2009-01-20 23:23 . 2009-01-20 23:23 92 --a------ c:\windows\wininit.ini
2009-01-20 12:45 . 2009-01-20 22:05 <DIR> d-------- c:\users\Riley\AppData\Roaming\Vso
2009-01-20 12:45 . 2009-01-24 09:07 <DIR> d-------- c:\users\Riley\AppData\Roaming\cogad
2009-01-20 12:45 . 2009-01-20 22:05 47,360 --a------ c:\users\Riley\AppData\Roaming\pcouffin.sys
2009-01-13 21:52 . 2008-12-15 20:42 288,768 --a------ c:\windows\System32\drivers\srv.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-09 23:29 --------- d---a-w c:\programdata\TEMP
2009-02-06 14:21 --------- d-----w c:\users\Riley\AppData\Roaming\uTorrent
2009-02-05 05:15 --------- d-----w c:\program files\Lx_cats
2009-02-01 19:11 --------- d-----w c:\users\Riley\AppData\Roaming\LimeWire
2009-01-24 14:27 --------- d-----w c:\programdata\Spybot - Search & Destroy
2009-01-24 14:27 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-01-23 18:30 --------- d-----w c:\program files\Combined Community Codec Pack
2009-01-14 09:02 --------- d-----w c:\program files\Windows Mail
2009-01-10 17:58 --------- d-----w c:\program files\Mozilla Thunderbird
2008-12-23 13:35 --------- d-----w c:\program files\Bonjour
2008-12-12 17:18 87,336 ----a-w c:\windows\System32\dns-sd.exe
2008-12-12 17:11 61,440 ----a-w c:\windows\System32\dnssd.dll
2008-01-21 02:43 174 --sha-w c:\program files\desktop.ini
2008-04-18 04:13 16,384 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
2008-04-18 04:13 32,768 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
2008-04-18 04:13 16,384 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-20 125952]
"RegistryMechanic"="c:\program files\Registry Mechanic\rmtray.exe" [2008-07-03 812952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2007-04-18 65536]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"lxdcamon"="c:\program files\Lexmark 1300 Series\lxdcamon.exe" [2007-04-30 20480]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-22 13539872]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-22 92704]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"RtHDVCpl"="RtHDVCpl.exe" [2008-07-03 c:\windows\RtHDVCpl.exe]

c:\users\Riley\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]
MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [2008-04-22 546816]
Yahoo! Widgets.lnk - c:\program files\Yahoo!\Widgets\YahooWidgets.exe [2008-03-18 4742184]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Snapfish Media Detector.lnk - c:\program files\Snapfish Picture Mover\SnapfishMediaDetector.exe [2007-05-07 1273856]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3codecp"= l3codecp.acm
"vidc.ffds"= c:\progra~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{D9D257D3-34D0-4C55-BD39-F8893305AA20}"= c:\program files\Cyberlink\PowerDirector\PDR.EXE:CyberLink PowerDirector
"{F98315EB-DD66-4F61-B6D6-C628E1DAA0A7}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{AEE1BDA7-113F-453D-8C52-599DB348F793}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{872CA458-8B17-44BA-9687-A3548F356F9A}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{04A8580E-A106-4505-9978-3F32D13B774F}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{1E24DFE5-1FDD-474C-BF5D-A8C989748C97}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{5F89F5FC-E26A-4BB9-A06F-722075B758E1}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{F02FA5DF-F717-44E5-8130-32BD27ACB35A}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{116266CB-C53D-4354-BD10-B22C29D7EA6E}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{A1C5D216-589E-404D-B4B2-1009BD7A5284}"= UDP:c:\windows\System32\lxdccoms.exe:Lexmark Communications System
"{54F6E2FE-20DE-4BCF-B53D-CB80E7D894D5}"= TCP:c:\windows\System32\lxdccoms.exe:Lexmark Communications System
"{7296C1DB-D1D2-43F6-B07E-7356C699D5D6}"= UDP:c:\program files\Lexmark 1300 Series\lxdcamon.exe:Lexmark Device Monitor
"{67B2E164-BC22-4C93-8056-A3255B7CD7B0}"= TCP:c:\program files\Lexmark 1300 Series\lxdcamon.exe:Lexmark Device Monitor
"{BBF5A050-5C36-4717-AA8D-9D80045E8907}"= UDP:c:\program files\Lexmark 1300 Series\App4R.exe:Lexmark Imaging Studio
"{E11B45A5-224C-468E-A449-C1D9A9EEB1FC}"= TCP:c:\program files\Lexmark 1300 Series\App4R.exe:Lexmark Imaging Studio
"{2D0AC3EC-86F6-44C2-B31C-02E735D19437}"= UDP:c:\windows\System32\spool\drivers\w32x86\3\lxdcpswx.exe:
"{A7286F28-4EAE-4903-A315-93F89D46D294}"= TCP:c:\windows\System32\spool\drivers\w32x86\3\lxdcpswx.exe:
"{BDFE85BE-5223-4D15-94A5-6611479479F3}"= UDP:c:\windows\System32\spool\drivers\w32x86\3\lxdcjswx.exe:
"{2680D635-9ABC-468F-8E1F-437D21CAB01E}"= TCP:c:\windows\System32\spool\drivers\w32x86\3\lxdcjswx.exe:
"{B311A509-66E9-4CAC-93C3-6BA14DEBB402}"= UDP:c:\windows\System32\spool\drivers\w32x86\3\lxdctime.exe:
"{EE0A772B-699A-4EA1-BA45-B11B9EAE8370}"= TCP:c:\windows\System32\spool\drivers\w32x86\3\lxdctime.exe:
"{4A97C061-86BA-463A-B55E-739C6CA561CB}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{751EAAAB-C804-4E54-981E-DAA13A09BDA8}"= UDP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{45040F90-B1A1-4A7F-9F9B-E70D6EA58B66}"= TCP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{42F7517F-E193-4B6E-B111-C25A9BB126F9}"= UDP:c:\program files\Azureus\Azureus.exe:Azureus Vuze
"{49F410E9-7324-4A10-B623-CD05C8C16B6E}"= TCP:c:\program files\Azureus\Azureus.exe:Azureus Vuze
"{5419110C-65D6-4145-8435-C207679D36CD}"= UDP:15258:15258
"TCP Query User{8B82C6F8-9791-4A58-BADF-A7DE58050FDB}c:\\program files\\limewire\\limewire.exe"= UDP:c:\program files\limewire\limewire.exe:LimeWire
"UDP Query User{6DDF37E5-F5F8-4DE2-B6CF-D8A94C7ED297}c:\\program files\\limewire\\limewire.exe"= TCP:c:\program files\limewire\limewire.exe:LimeWire
"TCP Query User{D37F9582-3596-4AF7-B96F-D2B7C0774802}c:\\program files\\utorrent\\utorrent.exe"= UDP:c:\program files\utorrent\utorrent.exe:uTorrent
"UDP Query User{61691AEA-3603-4B99-96BF-ACF244AF939F}c:\\program files\\utorrent\\utorrent.exe"= TCP:c:\program files\utorrent\utorrent.exe:uTorrent
"{EDBE9599-3B17-4A8B-8263-12D6C837700C}"= UDP:c:\program files\uTorrent\uTorrent.exe:µTorrent (TCP-In)
"{826AE0F5-DB05-4C0C-A737-E130AEBD90D5}"= TCP:c:\program files\uTorrent\uTorrent.exe:µTorrent (UDP-In)
"{310268DA-8F43-4911-B3D8-8611CD7AB2A1}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{BEF2A626-8485-487F-81D0-3E28BE74C0DE}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"TCP Query User{86DD0005-43D4-4B97-AE02-46F73691FECD}c:\\program files\\lexmark 1300 series\\app4r.exe"= UDP:c:\program files\lexmark 1300 series\app4r.exe:Printing Application
"UDP Query User{4F8F581F-373F-48A1-8C22-33DFCEF180B4}c:\\program files\\lexmark 1300 series\\app4r.exe"= TCP:c:\program files\lexmark 1300 series\app4r.exe:Printing Application
"TCP Query User{AD0384CA-A05A-4A2B-AF3F-4EB8CAD5A7AB}c:\\program files\\mozilla firefox\\firefox.exe"= UDP:c:\program files\mozilla firefox\firefox.exe:Firefox
"UDP Query User{D221D044-9C6D-4CC1-A3D8-619C561BEE68}c:\\program files\\mozilla firefox\\firefox.exe"= TCP:c:\program files\mozilla firefox\firefox.exe:Firefox
"{959E9AEA-3B60-4FB3-B77A-F984DF504A70}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{F8F88233-E8CE-4906-9BFE-4B2740E31F64}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{4167495C-391C-4122-A444-9CDDE017B142}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{E3517CAC-F39F-45B9-AE62-768A962F5702}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"TCP Query User{93C83F26-85F2-47AC-9FA1-B1ECAFCFCA77}c:\\program files\\utorrent\\utorrent.exe"= UDP:c:\program files\utorrent\utorrent.exe:µTorrent
"UDP Query User{3006B0B2-B44B-4014-8FA0-9BA3DEBD7EFE}c:\\program files\\utorrent\\utorrent.exe"= TCP:c:\program files\utorrent\utorrent.exe:µTorrent
"TCP Query User{497185F7-E994-4AB8-97CD-79668D1058AD}c:\\program files\\limewire\\limewire.exe"= UDP:c:\program files\limewire\limewire.exe:LimeWire
"UDP Query User{8352E596-EA51-42B0-9B52-95C9440B8D17}c:\\program files\\limewire\\limewire.exe"= TCP:c:\program files\limewire\limewire.exe:LimeWire

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)
"DoNotAllowExceptions"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"= c:\program files\EarthLink TotalAccess\TaskPanl.exe:*:Enabled:Earthlink
"`r4x@}w"= `r4x@}w:*:Enabled:Windows Service Processor

R2 lxdc_device;lxdc_device;c:\windows\system32\lxdccoms.exe -service --> c:\windows\system32\lxdccoms.exe -service [?]
S2 lxdcCATSCustConnectService;lxdcCATSCustConnectService;c:\windows\System32\spool\drivers\w32x86\3\lxdcserv.exe [2007-05-25 99248]
S3 PCD5SRVC{BD6912E3-AC9D80E8-05040000};PCD5SRVC{BD6912E3-AC9D80E8-05040000} - PCDR Kernel Mode Service Helper Driver;c:\progra~1\PC-DOC~1\PCD5SRVC.pkms [2007-12-11 21280]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e855787d-0daf-11dd-99e3-001c25863770}]
\shell\AutoRun\command - K:\LaunchU3.exe -a

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A744F16C-B2D5-4138-81A2-085CDFCDE83A}]
rundll32 ,InitModule
.
Contents of the 'Scheduled Tasks' folder

2009-02-09 c:\windows\Tasks\User_Feed_Synchronization-{4149EC58-E3A6-401F-9E43-EA438C5683AD}.job
- c:\windows\system32\msfeedssync.exe [2008-01-20 20:24]
.
- - - - ORPHANS REMOVED - - - -

BHO-{32C620D6-CC10-4e6a-9715-BACACD5B0E61} - (no file)
HKLM-Run-HP Health Check Scheduler - [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
HKLM-Run-WorkFlow - e:\install\WorkFlow.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ibs.org/bibles/dailyreading/index.php
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
TCP: {38423836-BD19-40F9-9050-4DDC6EF47611} = 208.67.220.220,208.67.222.222
FF - ProfilePath - c:\users\Riley\AppData\Roaming\Mozilla\Firefox\Profiles\x377nqhs.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll
FF - plugin: c:\users\Riley\AppData\Roaming\Mozilla\plugins\npPxPlay.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-09 18:21:29
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
Completion time: 2009-02-09 18:23:15
ComboFix-quarantined-files.txt 2009-02-10 00:23:13

Pre-Run: 375,252,054,016 bytes free
Post-Run: 375,224,586,240 bytes free

192 --- E O F --- 2009-01-20 00:13:33




And here is the other log:
GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-02-09 18:36:05
Windows 6.0.6001 Service Pack 1


---- System - GMER 1.0.14 ----

Code 85DAF2C8 ZwEnumerateKey
Code 84EFD400 ZwFlushInstructionCache
Code 85878130 ZwQueryValueKey
Code 85D79305 IofCallDriver

---- Kernel code sections - GMER 1.0.14 ----

.text ntkrnlpa.exe!IofCallDriver 81CEEF6F 5 Bytes JMP 85D7930A
? C:\Windows\system32\Drivers\PROCEXP90.SYS The system cannot find the file specified. !
? C:\ComboFix\catchme.sys The system cannot find the path specified. !

---- User IAT/EAT - GMER 1.0.14 ----

IAT C:\Windows\Explorer.exe[3368] @ C:\Windows\Explorer.exe [gdiplus.dll!GdiplusShutdown] [6FD57BA4] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[3368] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipCloneImage] [6FD998C5] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[3368] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipDrawImageRectI] [6FD5D3C8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[3368] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipSetInterpolationMode] [6FD4F527] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[3368] @ C:\Windows\Explorer.exe [gdiplus.dll!GdiplusStartup] [6FD57599] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[3368] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipCreateFromHDC] [6FD4E43D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[3368] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipCreateBitmapFromStreamICM] [6FD8B33D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[3368] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipCreateBitmapFromStream] [6FD5D68A] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[3368] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipGetImageHeight] [6FD5012E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[3368] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipGetImageWidth] [6FD50095] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[3368] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipDisposeImage] [6FD471F3] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[3368] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipLoadImageFromFileICM] [6FDDD802] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[3368] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipLoadImageFromFile] [6FD775E1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[3368] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipDeleteGraphics] [6FD4DAE1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[3368] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipFree] [6FD4668F] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[3368] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipAlloc] [6FD466BA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[3368] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipSetCompositingMode] [6FD51E45] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

---- Modules - GMER 1.0.14 ----

Module \systemroot\system32\drivers\gaopdxrbycqibx.sys (*** hidden *** ) 8CAB3000-8CADB000 (163840 bytes)

---- Services - GMER 1.0.14 ----

Service system32\drivers\gaopdxjaotoioi.sys (*** hidden *** ) [SYSTEM] gaopdxserv.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys@imagepath \systemroot\system32\drivers\gaopdxjaotoioi.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys\modules@gaopdxserv \\?\globalroot\systemroot\system32\drivers\gaopdxjaotoioi.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys\modules@gaopdxl \\?\globalroot\systemroot\system32\gaopdxbrhgxgie.dll
Reg HKLM\SYSTEM\ControlSet002\Services\gaopdxserv.sys
Reg HKLM\SYSTEM\ControlSet002\Services\gaopdxserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\gaopdxserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet002\Services\gaopdxserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet002\Services\gaopdxserv.sys@imagepath \systemroot\system32\drivers\gaopdxjaotoioi.sys
Reg HKLM\SYSTEM\ControlSet002\Services\gaopdxserv.sys\modules
Reg HKLM\SYSTEM\ControlSet002\Services\gaopdxserv.sys\modules@gaopdxserv \\?\globalroot\systemroot\system32\drivers\gaopdxjaotoioi.sys
Reg HKLM\SYSTEM\ControlSet002\Services\gaopdxserv.sys\modules@gaopdxl \\?\globalroot\systemroot\system32\gaopdxbrhgxgie.dll

---- EOF - GMER 1.0.14 ----


Thanks again for your help. I have not made any system changes since my last log.

Edited by sonicslayer, 09 February 2009 - 07:45 PM.
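
The GMER log above is the kind of output a responder has to read quickly: which kernel exports are hooked, which driver and service are hidden, and which files on disk belong to them. The script below is an added example written for this thread, not code from GMER, ComboFix or the helpers here. It parses a constructed sample trimmed to the line formats GMER 1.0.14 prints and correlates the hidden service with its registry ImagePath and modules values to produce one list of artifacts to collect and quarantine. Keeping `%systemroot%` symbolic instead of resolving it to a drive path is this example's own convention.

```python
"""Triage a GMER rootkit-scan log: hooks, inline patches, hidden
modules/services, and the on-disk artifacts tied to a hidden service.

Added example for this thread; not GMER's or ComboFix's code.
"""
import re
from dataclasses import dataclass, field

# Constructed sample, trimmed to the line formats GMER 1.0.14 prints.
SAMPLE_GMER_LOG = r"""
---- System - GMER 1.0.14 ----

Code 85DAF2C8 ZwEnumerateKey
Code 84EFD400 ZwFlushInstructionCache
Code 85D79305 IofCallDriver

---- Kernel code sections - GMER 1.0.14 ----

.text ntkrnlpa.exe!IofCallDriver 81CEEF6F 5 Bytes JMP 85D7930A

---- Modules - GMER 1.0.14 ----

Module \systemroot\system32\drivers\gaopdxrbycqibx.sys (*** hidden *** ) 8CAB3000-8CADB000 (163840 bytes)

---- Services - GMER 1.0.14 ----

Service system32\drivers\gaopdxjaotoioi.sys (*** hidden *** ) [SYSTEM] gaopdxserv.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys@imagepath \systemroot\system32\drivers\gaopdxjaotoioi.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys\modules@gaopdxserv \\?\globalroot\systemroot\system32\drivers\gaopdxjaotoioi.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys\modules@gaopdxl \\?\globalroot\systemroot\system32\gaopdxbrhgxgie.dll
"""

HOOK_RE = re.compile(r"^Code\s+([0-9A-Fa-f]+)\s+(\S+)\s*$")
PATCH_RE = re.compile(r"^\.text\s+(\S+)\s+[0-9A-Fa-f]+\s+\d+\s+Bytes\s+JMP\s+([0-9A-Fa-f]+)")
HIDDEN_MODULE_RE = re.compile(r"^Module\s+(\S+)\s+\(\*\*\* hidden \*\*\* \)")
HIDDEN_SERVICE_RE = re.compile(r"^Service\s+(\S+)\s+\(\*\*\* hidden \*\*\* \)\s+\[(\w+)\]\s+(\S+)")
REG_VALUE_RE = re.compile(r"^Reg\s+(\S+)@(\S+)\s+(.+?)\s*$")
SERVICE_KEY_RE = re.compile(r"\\services\\([^\\]+)", re.IGNORECASE)

GLOBALROOT = "\\\\?\\globalroot"   # GMER's \\?\globalroot prefix on module values
SYSTEMROOT = "\\systemroot\\"      # \systemroot\ as used by ImagePath values


@dataclass
class GmerFindings:
    hooked_functions: list = field(default_factory=list)   # (address, kernel export)
    inline_patches: list = field(default_factory=list)     # (symbol, JMP target)
    hidden_modules: list = field(default_factory=list)
    hidden_services: dict = field(default_factory=dict)    # lower-cased name -> details
    artifacts: set = field(default_factory=set)            # normalised file paths


def normalize_path(path):
    """Map GMER's several spellings of one file onto a single symbolic form
    (%systemroot% is kept symbolic; this is the example's own convention)."""
    p = path.strip().lower()
    if p.startswith(GLOBALROOT):
        p = p[len(GLOBALROOT):]
    if p.startswith(SYSTEMROOT):
        p = "%systemroot%\\" + p[len(SYSTEMROOT):]
    elif p.startswith("system32\\"):          # Service lines omit the root entirely
        p = "%systemroot%\\" + p
    return p


def parse_gmer(text):
    f = GmerFindings()
    reg_values = []
    for line in text.splitlines():
        line = line.rstrip()
        if (m := HOOK_RE.match(line)):
            f.hooked_functions.append((m.group(1).upper(), m.group(2)))
        elif (m := PATCH_RE.match(line)):
            f.inline_patches.append((m.group(1), m.group(2).upper()))
        elif (m := HIDDEN_MODULE_RE.match(line)):
            p = normalize_path(m.group(1))
            f.hidden_modules.append(p)
            f.artifacts.add(p)
        elif (m := HIDDEN_SERVICE_RE.match(line)):
            path, account, name = m.groups()
            f.hidden_services[name.lower()] = {"image": normalize_path(path), "account": account}
            f.artifacts.add(normalize_path(path))
        elif (m := REG_VALUE_RE.match(line)):
            reg_values.append(m.groups())
    # Tie registry values back to the hidden service: ImagePath and the
    # 'modules' subkey name every file the service loads.
    for key, name, value in reg_values:
        sk = SERVICE_KEY_RE.search(key)
        if not sk or sk.group(1).lower() not in f.hidden_services:
            continue
        if name.lower() == "imagepath" or "\\modules" in key.lower():
            f.artifacts.add(normalize_path(value))
        f.hidden_services[sk.group(1).lower()].setdefault("registry", []).append(f"{key}@{name}={value}")
    return f


def summarize(f):
    """Human-readable triage lines, worst first."""
    lines = [f"HIDDEN SERVICE {n} ({i['account']}) image={i['image']}" for n, i in f.hidden_services.items()]
    lines += [f"HIDDEN MODULE {p}" for p in f.hidden_modules]
    lines += [f"INLINE PATCH {s} -> JMP {t}" for s, t in f.inline_patches]
    lines += [f"HOOK {func} @ {addr}" for addr, func in f.hooked_functions]
    lines.append("artifacts to collect: " + ", ".join(sorted(f.artifacts)))
    return lines


if __name__ == "__main__":
    print("\n".join(summarize(parse_gmer(SAMPLE_GMER_LOG))))
```

The correlation step is the useful part: the hidden `Module` line and the `Service` line name different drivers, and only the `modules` registry values reveal the user-mode DLL, so all three files end up on one quarantine list.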


#4 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:05 AM

Posted 09 February 2009 - 08:39 PM

Hello sonicslayer.

Let's see what we can do.

Run ComboFix with CFScript
We will run ComboFix again with a script.
  • Close any open browsers.
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the box below into it:
    http://www.bleepingcomputer.com/forums/t/200173/virus-wont-give-up-the-ghost/
    
    Collect::[59]
    c:\windows\system32\drivers\gaopdxjaotoioi.sys
    
    Driver::
    gaopdxserv.sys
    Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)
    Posted Image
    Referring to the picture above, drag CFScript into ComboFix.exe.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Post back with that log.

Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

At the end of its run ComboFix will attempt to upload some files. Please make sure you are connected to the Internet before clicking "OK". Kindly remind me in your next reply that samples were uploaded.

Download and run MalwareBytes Anti-Malware
If you already have MBAM installed, simply update and run a quick scan.

Please download the Malwarebytes Anti-Malware setup and save it to your desktop.
alternate download link 1
alternate download link 2

Refer to the steps given here on installing MalwareBytes, running the scan, and saving the log file (not on using FileASSASSIN).
  • If you have trouble updating, try the other mirror download site.
  • Should the computer in question not be able to update using the normal method, download the update file from here, using another machine if needed. Simply double-click the file to install the updates.
  • If MalwareBytes asks to reboot to remove certain items, do so right away.
Please include the scan logfile in your next reply.

Please post back with:
-the ComboFix log
-the MalwareBytes scan log

Are those redirects gone?

With Regards,
The Panda

#5 sonicslayer

sonicslayer
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:12:05 AM

Posted 09 February 2009 - 10:32 PM

Hey Panda.

So I ran ComboFix with the script by dragging it and dropping it on the ComboFix icon. It said that it found detections (the same ones it did the first time) and restarted my computer again. I don't recall clicking an OK box anywhere so I am not sure if anything was uploaded but I thought I would remind you about it anyways. I ran Malwarebytes and posted the log as well. It found 3 items. Thanks again.

ComboFix 09-02-08.02 - Riley 2009-02-09 21:17:44.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1916.1365 [GMT -6:00]
Running from: c:\users\Riley\Desktop\Riley's Downloads\ComboFix.exe
Command switches used :: c:\users\Riley\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\gaopdxjaotoioi.sys
c:\windows\system32\drivers\gaopdxrbycqibx.sys
c:\windows\system32\gaopdxbrhgxgie.dll
c:\windows\system32\gaopdxdcqrxdkp.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_gaopdxserv.sys


((((((((((((((((((((((((( Files Created from 2009-01-10 to 2009-02-10 )))))))))))))))))))))))))))))))
.

2009-02-09 18:26 . 2009-02-09 18:30 250 --a------ c:\windows\gmer.ini
2009-02-02 08:24 . 2009-02-02 08:27 <DIR> d-------- c:\users\Riley\.housecall6.6
2009-01-31 10:20 . 2009-01-31 10:20 148,069,504 --a------ c:\windows\MEMORY.DMP
2009-01-23 17:07 . 2009-02-06 21:29 <DIR> d-------- c:\program files\OJOsoft
2009-01-23 17:07 . 2009-01-23 17:07 <DIR> d-------- c:\program files\Common Files\Common Share
2009-01-23 13:12 . 2009-01-23 13:12 <DIR> d-------- c:\users\All Users\Real
2009-01-23 13:12 . 2009-01-23 13:12 <DIR> d-------- c:\program files\Real Alternative
2009-01-23 13:06 . 2009-01-23 13:06 <DIR> d-------- c:\windows\WinAVI Video Converter 9.0
2009-01-23 13:06 . 2009-01-23 13:06 <DIR> d-------- c:\program files\WinAVI Video Converter 9.0
2009-01-23 12:32 . 2009-01-23 12:42 <DIR> d-------- c:\users\Riley\AppData\Roaming\Media Player Classic
2009-01-23 08:04 . 2009-01-23 12:43 <DIR> d-------- c:\program files\AviSynth 2.5
2009-01-23 08:03 . 2009-01-23 12:43 <DIR> d-------- c:\program files\Avi2Dvd
2009-01-20 23:23 . 2009-01-20 23:23 92 --a------ c:\windows\wininit.ini
2009-01-20 12:45 . 2009-01-20 22:05 <DIR> d-------- c:\users\Riley\AppData\Roaming\Vso
2009-01-20 12:45 . 2009-01-24 09:07 <DIR> d-------- c:\users\Riley\AppData\Roaming\cogad
2009-01-20 12:45 . 2009-01-20 22:05 47,360 --a------ c:\users\Riley\AppData\Roaming\pcouffin.sys
2009-01-13 21:52 . 2008-12-15 20:42 288,768 --a------ c:\windows\System32\drivers\srv.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-09 23:29 --------- d---a-w c:\programdata\TEMP
2009-02-06 14:21 --------- d-----w c:\users\Riley\AppData\Roaming\uTorrent
2009-02-05 05:15 --------- d-----w c:\program files\Lx_cats
2009-02-01 19:11 --------- d-----w c:\users\Riley\AppData\Roaming\LimeWire
2009-01-24 14:27 --------- d-----w c:\programdata\Spybot - Search & Destroy
2009-01-24 14:27 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-01-23 18:30 --------- d-----w c:\program files\Combined Community Codec Pack
2009-01-14 09:02 --------- d-----w c:\program files\Windows Mail
2009-01-10 17:58 --------- d-----w c:\program files\Mozilla Thunderbird
2008-12-23 13:35 --------- d-----w c:\program files\Bonjour
2008-12-12 17:18 87,336 ----a-w c:\windows\System32\dns-sd.exe
2008-12-12 17:11 61,440 ----a-w c:\windows\System32\dnssd.dll
2008-01-21 02:43 174 --sha-w c:\program files\desktop.ini
2008-04-18 04:13 16,384 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
2008-04-18 04:13 32,768 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
2008-04-18 04:13 16,384 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
.

((((((((((((((((((((((((((((( SnapShot@2009-02-09_18.21.50.79 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-02-10 00:26:04 884,736 ----a-w c:\windows\gmer.dll
+ 2008-04-18 03:13:02 811,008 ----a-w c:\windows\gmer.exe
- 2009-02-10 00:20:35 262,144 --sha-w c:\windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2009-02-10 03:18:28 262,144 --sha-w c:\windows\ServiceProfiles\LocalService\NTUSER.DAT
- 2009-02-10 00:20:29 262,144 --sha-w c:\windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2009-02-10 03:18:33 262,144 --sha-w c:\windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2009-02-10 00:26:04 85,969 ----a-w c:\windows\System32\drivers\gmer.sys
- 2009-02-09 23:22:53 101,144 ----a-w c:\windows\System32\perfc009.dat
+ 2009-02-10 00:23:27 101,144 ----a-w c:\windows\System32\perfc009.dat
- 2009-02-09 23:22:53 595,446 ----a-w c:\windows\System32\perfh009.dat
+ 2009-02-10 00:23:27 595,446 ----a-w c:\windows\System32\perfh009.dat
- 2009-02-10 00:20:30 6,150 ----a-w c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3565369258-75577882-3207709706-1000_UserData.bin
+ 2009-02-10 03:18:41 6,190 ----a-w c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3565369258-75577882-3207709706-1000_UserData.bin
- 2009-02-10 00:20:30 64,420 ----a-w c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2009-02-10 03:18:41 64,594 ----a-w c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2009-02-10 00:20:25 39,482 ----a-w c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-02-10 03:18:38 39,818 ----a-w c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-20 125952]
"RegistryMechanic"="c:\program files\Registry Mechanic\rmtray.exe" [2008-07-03 812952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2007-04-18 65536]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"lxdcamon"="c:\program files\Lexmark 1300 Series\lxdcamon.exe" [2007-04-30 20480]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-22 13539872]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-22 92704]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"RtHDVCpl"="RtHDVCpl.exe" [2008-07-03 c:\windows\RtHDVCpl.exe]

c:\users\Riley\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]
MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [2008-04-22 546816]
Yahoo! Widgets.lnk - c:\program files\Yahoo!\Widgets\YahooWidgets.exe [2008-03-18 4742184]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Snapfish Media Detector.lnk - c:\program files\Snapfish Picture Mover\SnapfishMediaDetector.exe [2007-05-07 1273856]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3codecp"= l3codecp.acm
"vidc.ffds"= c:\progra~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{D9D257D3-34D0-4C55-BD39-F8893305AA20}"= c:\program files\Cyberlink\PowerDirector\PDR.EXE:CyberLink PowerDirector
"{F98315EB-DD66-4F61-B6D6-C628E1DAA0A7}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{AEE1BDA7-113F-453D-8C52-599DB348F793}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{872CA458-8B17-44BA-9687-A3548F356F9A}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{04A8580E-A106-4505-9978-3F32D13B774F}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{1E24DFE5-1FDD-474C-BF5D-A8C989748C97}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{5F89F5FC-E26A-4BB9-A06F-722075B758E1}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{F02FA5DF-F717-44E5-8130-32BD27ACB35A}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{116266CB-C53D-4354-BD10-B22C29D7EA6E}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{A1C5D216-589E-404D-B4B2-1009BD7A5284}"= UDP:c:\windows\System32\lxdccoms.exe:Lexmark Communications System
"{54F6E2FE-20DE-4BCF-B53D-CB80E7D894D5}"= TCP:c:\windows\System32\lxdccoms.exe:Lexmark Communications System
"{7296C1DB-D1D2-43F6-B07E-7356C699D5D6}"= UDP:c:\program files\Lexmark 1300 Series\lxdcamon.exe:Lexmark Device Monitor
"{67B2E164-BC22-4C93-8056-A3255B7CD7B0}"= TCP:c:\program files\Lexmark 1300 Series\lxdcamon.exe:Lexmark Device Monitor
"{BBF5A050-5C36-4717-AA8D-9D80045E8907}"= UDP:c:\program files\Lexmark 1300 Series\App4R.exe:Lexmark Imaging Studio
"{E11B45A5-224C-468E-A449-C1D9A9EEB1FC}"= TCP:c:\program files\Lexmark 1300 Series\App4R.exe:Lexmark Imaging Studio
"{2D0AC3EC-86F6-44C2-B31C-02E735D19437}"= UDP:c:\windows\System32\spool\drivers\w32x86\3\lxdcpswx.exe:
"{A7286F28-4EAE-4903-A315-93F89D46D294}"= TCP:c:\windows\System32\spool\drivers\w32x86\3\lxdcpswx.exe:
"{BDFE85BE-5223-4D15-94A5-6611479479F3}"= UDP:c:\windows\System32\spool\drivers\w32x86\3\lxdcjswx.exe:
"{2680D635-9ABC-468F-8E1F-437D21CAB01E}"= TCP:c:\windows\System32\spool\drivers\w32x86\3\lxdcjswx.exe:
"{B311A509-66E9-4CAC-93C3-6BA14DEBB402}"= UDP:c:\windows\System32\spool\drivers\w32x86\3\lxdctime.exe:
"{EE0A772B-699A-4EA1-BA45-B11B9EAE8370}"= TCP:c:\windows\System32\spool\drivers\w32x86\3\lxdctime.exe:
"{4A97C061-86BA-463A-B55E-739C6CA561CB}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{751EAAAB-C804-4E54-981E-DAA13A09BDA8}"= UDP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{45040F90-B1A1-4A7F-9F9B-E70D6EA58B66}"= TCP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{42F7517F-E193-4B6E-B111-C25A9BB126F9}"= UDP:c:\program files\Azureus\Azureus.exe:Azureus Vuze
"{49F410E9-7324-4A10-B623-CD05C8C16B6E}"= TCP:c:\program files\Azureus\Azureus.exe:Azureus Vuze
"{5419110C-65D6-4145-8435-C207679D36CD}"= UDP:15258:15258
"TCP Query User{8B82C6F8-9791-4A58-BADF-A7DE58050FDB}c:\\program files\\limewire\\limewire.exe"= UDP:c:\program files\limewire\limewire.exe:LimeWire
"UDP Query User{6DDF37E5-F5F8-4DE2-B6CF-D8A94C7ED297}c:\\program files\\limewire\\limewire.exe"= TCP:c:\program files\limewire\limewire.exe:LimeWire
"TCP Query User{D37F9582-3596-4AF7-B96F-D2B7C0774802}c:\\program files\\utorrent\\utorrent.exe"= UDP:c:\program files\utorrent\utorrent.exe:uTorrent
"UDP Query User{61691AEA-3603-4B99-96BF-ACF244AF939F}c:\\program files\\utorrent\\utorrent.exe"= TCP:c:\program files\utorrent\utorrent.exe:uTorrent
"{EDBE9599-3B17-4A8B-8263-12D6C837700C}"= UDP:c:\program files\uTorrent\uTorrent.exe:µTorrent (TCP-In)
"{826AE0F5-DB05-4C0C-A737-E130AEBD90D5}"= TCP:c:\program files\uTorrent\uTorrent.exe:µTorrent (UDP-In)
"{310268DA-8F43-4911-B3D8-8611CD7AB2A1}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{BEF2A626-8485-487F-81D0-3E28BE74C0DE}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"TCP Query User{86DD0005-43D4-4B97-AE02-46F73691FECD}c:\\program files\\lexmark 1300 series\\app4r.exe"= UDP:c:\program files\lexmark 1300 series\app4r.exe:Printing Application
"UDP Query User{4F8F581F-373F-48A1-8C22-33DFCEF180B4}c:\\program files\\lexmark 1300 series\\app4r.exe"= TCP:c:\program files\lexmark 1300 series\app4r.exe:Printing Application
"TCP Query User{AD0384CA-A05A-4A2B-AF3F-4EB8CAD5A7AB}c:\\program files\\mozilla firefox\\firefox.exe"= UDP:c:\program files\mozilla firefox\firefox.exe:Firefox
"UDP Query User{D221D044-9C6D-4CC1-A3D8-619C561BEE68}c:\\program files\\mozilla firefox\\firefox.exe"= TCP:c:\program files\mozilla firefox\firefox.exe:Firefox
"{959E9AEA-3B60-4FB3-B77A-F984DF504A70}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{F8F88233-E8CE-4906-9BFE-4B2740E31F64}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{4167495C-391C-4122-A444-9CDDE017B142}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{E3517CAC-F39F-45B9-AE62-768A962F5702}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"TCP Query User{93C83F26-85F2-47AC-9FA1-B1ECAFCFCA77}c:\\program files\\utorrent\\utorrent.exe"= UDP:c:\program files\utorrent\utorrent.exe:µTorrent
"UDP Query User{3006B0B2-B44B-4014-8FA0-9BA3DEBD7EFE}c:\\program files\\utorrent\\utorrent.exe"= TCP:c:\program files\utorrent\utorrent.exe:µTorrent
"TCP Query User{497185F7-E994-4AB8-97CD-79668D1058AD}c:\\program files\\limewire\\limewire.exe"= UDP:c:\program files\limewire\limewire.exe:LimeWire
"UDP Query User{8352E596-EA51-42B0-9B52-95C9440B8D17}c:\\program files\\limewire\\limewire.exe"= TCP:c:\program files\limewire\limewire.exe:LimeWire

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)
"DoNotAllowExceptions"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"= c:\program files\EarthLink TotalAccess\TaskPanl.exe:*:Enabled:Earthlink
"`r4x@}w"= `r4x@}w:*:Enabled:Windows Service Processor

R2 lxdc_device;lxdc_device;c:\windows\system32\lxdccoms.exe -service --> c:\windows\system32\lxdccoms.exe -service [?]
S2 lxdcCATSCustConnectService;lxdcCATSCustConnectService;c:\windows\System32\spool\drivers\w32x86\3\lxdcserv.exe [2007-05-25 99248]
S3 PCD5SRVC{BD6912E3-AC9D80E8-05040000};PCD5SRVC{BD6912E3-AC9D80E8-05040000} - PCDR Kernel Mode Service Helper Driver;c:\progra~1\PC-DOC~1\PCD5SRVC.pkms [2007-12-11 21280]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e855787d-0daf-11dd-99e3-001c25863770}]
\shell\AutoRun\command - K:\LaunchU3.exe -a

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A744F16C-B2D5-4138-81A2-085CDFCDE83A}]
rundll32 ,InitModule
.
Contents of the 'Scheduled Tasks' folder

2009-02-09 c:\windows\Tasks\User_Feed_Synchronization-{4149EC58-E3A6-401F-9E43-EA438C5683AD}.job
- c:\windows\system32\msfeedssync.exe [2008-01-20 20:24]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ibs.org/bibles/dailyreading/index.php
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
TCP: {38423836-BD19-40F9-9050-4DDC6EF47611} = 208.67.220.220,208.67.222.222
FF - ProfilePath - c:\users\Riley\AppData\Roaming\Mozilla\Firefox\Profiles\x377nqhs.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll
FF - plugin: c:\users\Riley\AppData\Roaming\Mozilla\plugins\npPxPlay.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-09 21:19:57
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\TEMP\TMP0000002C6022BDFFDFCD7953 524288 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
Completion time: 2009-02-09 21:21:51
ComboFix-quarantined-files.txt 2009-02-10 03:21:49
ComboFix2.txt 2009-02-10 00:23:16

Pre-Run: 375,113,093,120 bytes free
Post-Run: 375,053,574,144 bytes free

209 --- E O F --- 2009-01-20 00:13:33




Malwarebytes log is below:


Malwarebytes' Anti-Malware 1.33
Database version: 1742
Windows 6.0.6001 Service Pack 1

2/9/2009 9:36:01 PM
mbam-log-2009-02-09 (21-35-36).txt

Scan type: Quick Scan
Objects scanned: 49758
Time elapsed: 2 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 2
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{a744f16c-b2d5-4138-81a2-085cdfcde83a} (Trojan.BHO) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Users\Riley\AppData\Roaming\cogad (Trojan.Agent) -> No action taken.
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\aquaplay (Trojan.DNSChanger) -> No action taken.

Files Infected:
(No malicious items detected)

Edited by sonicslayer, 09 February 2009 - 10:38 PM.
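
The "Reg Loading Points" part of the ComboFix log above carries more than the autostart entries: it shows Security Center monitoring switched off, the firewall's standard profile disabled, a firewall "authorized application" whose name is the junk string `` `r4x@}w `` rather than a path, an Active Setup component whose rundll32 command names no DLL (the key Malwarebytes later flagged), and an AutoRun command for a removable volume. The script below is an added example written for this thread, not ComboFix's or Malwarebytes' code. It parses a constructed sample trimmed to entries of the kind ComboFix prints and flags those posture problems; the severity labels are this example's own convention.

```python
"""Triage the "Reg Loading Points" section of a ComboFix log.

Added example for this thread; not ComboFix's or Malwarebytes' code.
"""
import re

# Constructed sample, trimmed to entries of the kind ComboFix prints.
SAMPLE_LOADING_POINTS = r"""
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-20 125952]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)
"DoNotAllowExceptions"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"= c:\program files\EarthLink TotalAccess\TaskPanl.exe:*:Enabled:Earthlink
"`r4x@}w"= `r4x@}w:*:Enabled:Windows Service Processor

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e855787d-0daf-11dd-99e3-001c25863770}]
\shell\AutoRun\command - K:\LaunchU3.exe -a

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A744F16C-B2D5-4138-81A2-085CDFCDE83A}]
rundll32 ,InitModule
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"(.*)"=\s*(.*?)\s*$')
DRIVE_PATH_RE = re.compile(r"^[a-z]:\\", re.IGNORECASE)        # a real exception name is a path
EMPTY_RUNDLL_RE = re.compile(r"^rundll32(\.exe)?\s*,", re.IGNORECASE)  # nothing before the comma


def reg_int(value):
    """Read ComboFix's two integer spellings: 'dword:00000001' and '0 (0x0)'."""
    v = value.strip().lower()
    try:
        if v.startswith("dword:"):
            return int(v[len("dword:"):], 16)
        return int(v.split()[0])
    except (ValueError, IndexError):
        return None


def parse_loading_points(text):
    """Return {key (lower-cased): [(value_name or None, value_text), ...]}.
    Lines under a key that are not "name"= pairs (Active Setup commands,
    mountpoints2 AutoRun lines) are kept with name=None."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "REGEDIT4" or line.startswith("*Note*"):
            continue
        if (m := SECTION_RE.match(line)):
            current = m.group(1).lower()
            sections.setdefault(current, [])
        elif current is not None:
            m = VALUE_RE.match(line)
            sections[current].append((m.group(1), m.group(2)) if m else (None, line))
    return sections


def triage(sections):
    """Return (severity, key, message) tuples, highest severity first."""
    findings = []
    for key, entries in sections.items():
        for name, value in entries:
            lname = (name or "").lower()
            if "security center\\monitoring" in key and lname == "disablemonitoring" and reg_int(value) == 1:
                findings.append(("high", key, "Security Center alerting suppressed (DisableMonitoring=1)"))
            elif key.endswith("firewallpolicy\\standardprofile") and lname == "enablefirewall" and reg_int(value) == 0:
                findings.append(("high", key, "Windows Firewall disabled for the standard profile (EnableFirewall=0)"))
            elif key.endswith("authorizedapplications\\list") and name and not DRIVE_PATH_RE.match(name):
                findings.append(("high", key, f"firewall exception whose name is not a path: {name!r} -> {value}"))
            elif "active setup\\installed components" in key and name is None and EMPTY_RUNDLL_RE.match(value):
                findings.append(("medium", key, f"Active Setup command names no DLL: {value!r}"))
            elif "mountpoints2" in key and name is None and "autorun" in value.lower():
                findings.append(("low", key, f"AutoRun command for a removable volume: {value}"))
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: order[f[0]])


if __name__ == "__main__":
    for severity, key, message in triage(parse_loading_points(SAMPLE_LOADING_POINTS)):
        print(f"[{severity:6}] {message}\n         {key}")
```

Two of these checks are worth keeping in any log-review tooling: `DisableMonitoring=1` under the Security Center keys is how a machine stops warning that its antivirus or firewall is off, and an `AuthorizedApplications` entry whose name is not a path has no legitimate way to get there.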


#6 sonicslayer

sonicslayer
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:12:05 AM

Posted 10 February 2009 - 12:28 AM

Update:

Ok, so I went ahead and clicked the "remove files" button or whatever it is called. In doing so it put the identified malware in quarantine. As soon as it did that my computer started updating and has no longer been redirecting me to Google when I go to the Microsoft update page. I have left the items in quarantine for now and am waiting for further instructions.

#7 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:05 AM

Posted 10 February 2009 - 11:46 AM

Hello.

Looks better.

Update Java to Version 6 Update 12
Your current version of Java is outdated. Malware creators can exploit the lesser security of older versions. Please uninstall your current version through Add/Remove Programs. Remove all instances of Java, J2SE Runtime, Java Runtime, and Java Runtime Environment. Restart your computer after uninstalling.

Please download the installer here. Choose "Windows"

Delete the installer after use.

Download and Run ATFCleaner
Please download ATF Cleaner by Atribune. This program will clear out temporary files and settings. You will likely be logged out of the forum where you are receiving help.

This program is for XP and Windows 2000 only.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main Select Files to Delete choose: Select All.
  • Click the Empty Selected button.
F-Secure Online Scan
Please run F-Secure Online Scanner.
This scan is for Internet Explorer only.
  • It is suggested that you disable security programs and close any other windows during the scan. While your security is disabled, please refrain from surfing on other sites. Refer to this page if you are unsure how.
  • Go to F-Secure Online Scanner
  • Follow the instructions here for installation.
  • Accept the License Agreement.
  • Once the ActiveX installs, click Full System Scan
  • Once the download completes, the scan will begin automatically. The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and copy the entire report in your next reply.
  • Be sure to re-enable any security programs.

Please also include a new DDS log.

Any issues at the moment?

With Regards,
The Panda

#8 sonicslayer

sonicslayer
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:12:05 AM

Posted 12 February 2009 - 11:17 PM

Hey Panda. I will post to this as soon as I can get to my computer. I had to go out of town but I will be back in the next day or two. I won't leave you hanging. Thanks again for your help.

#9 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:05 AM

Posted 13 February 2009 - 09:40 AM

No problem.

The Panda

#10 sonicslayer

sonicslayer
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:12:05 AM

Posted 23 February 2009 - 12:25 AM

Hey Panda. Sorry I didn't get to you sooner. I have been moving and haven't had time to set my comp up. I have recently only had time to run the DDS scanner. The Log is below. I wanted to let you know that my comp feels a little slower than I remember...don't know if that will get remedied by this forum or what. I will post again when I can run the scan. Thanks.


DDS (Ver_09-02-01.01) - NTFSx86
Run by Riley at 23:21:35.48 on Sun 02/22/2009
Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_12
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1916.785 [GMT -6:00]

AV: McAfee VirusScan Enterprise *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\rundll32.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\system32\lxdccoms.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\RtHDVCpl.exe
C:\hp\support\hpsysdrv.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Lexmark 1300 Series\lxdcamon.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\McAfee\VirusScan Enterprise\shstat.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Registry Mechanic\RMTray.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\iPod\bin\iPodService.exe
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\msiexec.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Riley\Desktop\Riley's Downloads\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.ibs.org/bibles/dailyreading/index.php
uInternet Settings,ProxyOverride = *.local
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: NoExplorer - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Parental Control Toolbar: {4e7bd74f-2b8d-469e-9fa5-a33de8dbe931} - c:\progra~1\parent~1\PARENT~1.DLL
BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No File
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~3\office12\GRA8E1~1.DLL
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\Scriptcl.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
TB: Parental Control Toolbar: {4e7bd74f-2b8d-469e-9fa5-a33de8dbe931} - c:\progra~1\parent~1\PARENT~1.DLL
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [RegistryMechanic] c:\program files\registry mechanic\rmtray.exe /H
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [hpsysdrv] c:\hp\support\hpsysdrv.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [lxdcamon] "c:\program files\lexmark 1300 series\lxdcamon.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateReg] "c:\windows\system32\jureg.exe" -delete
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\UdaterUI.exe" /StartedFromRunKey
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\users\riley\appdata\roaming\micros~1\windows\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\users\riley\appdata\roaming\micros~1\windows\startm~1\programs\startup\magicd~1.lnk - c:\program files\magicdisc\MagicDisc.exe
StartupFolder: c:\users\riley\appdata\roaming\micros~1\windows\startm~1\programs\startup\yahoo!~1.lnk - c:\program files\yahoo!\widgets\YahooWidgets.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\snapfi~1.lnk - c:\program files\snapfish picture mover\SnapfishMediaDetector.exe
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photos.walmart.com/WalmartActivia.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
TCP: {38423836-BD19-40F9-9050-4DDC6EF47611} = 208.67.220.220,208.67.222.222
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~3\office12\GR99D3~1.DLL
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~3\office12\GRA8E1~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\users\riley\appdata\roaming\mozilla\firefox\profiles\x377nqhs.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\program files\mozilla firefox\plugins\npyaxmpb.dll
FF - plugin: c:\users\riley\appdata\roaming\mozilla\plugins\npPxPlay.dll

============= SERVICES / DRIVERS ===============

R2 lxdc_device;lxdc_device;c:\windows\system32\lxdccoms.exe -service --> c:\windows\system32\lxdccoms.exe -service [?]
S2 lxdcCATSCustConnectService;lxdcCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdcserv.exe [2007-5-25 99248]
S3 PCD5SRVC{BD6912E3-AC9D80E8-05040000};PCD5SRVC{BD6912E3-AC9D80E8-05040000} - PCDR Kernel Mode Service Helper Driver;c:\progra~1\pc-doc~1\PCD5SRVC.pkms [2007-12-11 21280]

=============== Created Last 30 ================

2009-02-22 23:21 410,984 a------- c:\windows\system32\deploytk.dll
2009-02-22 21:53 428,544 a------- c:\windows\system32\EncDec.dll
2009-02-22 21:53 217,088 a------- c:\windows\system32\psisrndr.ax
2009-02-22 21:53 293,376 a------- c:\windows\system32\psisdecd.dll
2009-02-22 21:53 177,664 a------- c:\windows\system32\mpg2splt.ax
2009-02-22 21:53 80,896 a------- c:\windows\system32\MSNP.ax
2009-02-10 17:19 280 a------- c:\windows\system32\epoPGPsdk.dll.sig
2009-02-10 17:19 <DIR> --d----- c:\programdata\McAfee
2009-02-10 17:19 34,152 a------- c:\windows\system32\drivers\mfebopk.sys
2009-02-10 17:19 64,360 a------- c:\windows\system32\drivers\mfeapfk.sys
2009-02-10 17:18 72,264 a------- c:\windows\system32\drivers\mfeavfk.sys
2009-02-10 17:18 52,136 a------- c:\windows\system32\drivers\mfetdik.sys
2009-02-10 17:18 170,408 a------- c:\windows\system32\drivers\mfehidk.sys
2009-02-10 17:18 <DIR> --d----- c:\program files\McAfee
2009-02-10 17:18 <DIR> --d----- c:\program files\common files\McAfee
2009-02-09 23:35 622,080 a------- c:\windows\system32\icardagt.exe
2009-02-09 23:35 105,016 a------- c:\windows\system32\PresentationCFFRasterizerNative_v0300.dll
2009-02-09 23:35 97,800 a------- c:\windows\system32\infocardapi.dll
2009-02-09 23:35 43,544 a------- c:\windows\system32\PresentationHostProxy.dll
2009-02-09 23:35 37,384 a------- c:\windows\system32\infocardcpl.cpl
2009-02-09 23:35 11,264 a------- c:\windows\system32\icardres.dll
2009-02-09 23:35 781,344 a------- c:\windows\system32\PresentationNative_v0300.dll
2009-02-09 23:35 326,160 a------- c:\windows\system32\PresentationHost.exe
2009-02-09 23:30 96,760 a------- c:\windows\system32\dfshim.dll
2009-02-09 23:30 282,112 a------- c:\windows\system32\mscoree.dll
2009-02-09 23:30 41,984 a------- c:\windows\system32\netfxperf.dll
2009-02-09 23:29 158,720 a------- c:\windows\system32\mscorier.dll
2009-02-09 23:29 83,968 a------- c:\windows\system32\mscories.dll
2009-02-09 21:24 <DIR> --d----- c:\users\riley\appdata\roaming\Malwarebytes
2009-02-09 21:24 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-02-09 21:24 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-09 21:24 <DIR> --d----- c:\programdata\Malwarebytes
2009-02-09 21:24 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-02-09 21:24 <DIR> --d----- c:\progra~2\Malwarebytes
2009-02-09 18:26 250 a------- c:\windows\gmer.ini
2009-02-09 18:14 161,792 a------- c:\windows\SWREG.exe
2009-02-09 18:14 98,816 a------- c:\windows\sed.exe
2009-02-02 08:24 <DIR> --d----- c:\users\riley\.housecall6.6
2009-01-31 10:20 148,069,504 a------- c:\windows\MEMORY.DMP

==================== Find3M ====================

2009-01-20 22:05 47,360 a------- c:\users\riley\appdata\roaming\pcouffin.sys
2008-12-12 11:18 87,336 a------- c:\windows\system32\dns-sd.exe
2008-12-12 11:11 61,440 a------- c:\windows\system32\dnssd.dll
2008-11-30 08:42 86,016 a------- c:\windows\inf\infstor.dat
2008-11-30 08:42 51,200 a------- c:\windows\inf\infpub.dat
2008-11-30 08:42 143,360 a------- c:\windows\inf\infstrng.dat
2008-06-13 10:07 665,600 a------- c:\windows\inf\drvindex.dat
2008-01-20 20:43 174 a--sh--- c:\program files\desktop.ini
2006-11-02 06:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 06:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 06:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 06:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 03:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 03:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 03:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 03:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2008-04-17 22:13 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2008-04-17 22:13 32,768 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2008-04-17 22:13 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\cookies\index.dat

============= FINISH: 23:22:56.07 ===============

#11 PropagandaPanda

  • Malware Response Team

Posted 23 February 2009 - 02:44 PM

Okay, go ahead with F-Secure when you can.

Tell me if there are other symptoms.

With Regards,
The Panda

#12 PropagandaPanda

  • Malware Response Team

Posted 07 March 2009 - 04:36 PM

Hello.

There has been no reply from the topic starter in 5 days. Due to inactivity, this topic is now closed.
If you are the topic starter and need this topic reopened, send me a message.

Everyone else, please begin a new topic.

With Regards,
The Panda
