Run the LSPFix
Run SDFix
- double-click on the SDFix icon that should now be residing on your desktop. If a Open File - Security Warning box opens, click on the Run button.
- A window will now open showing SDFix being extracted into the C:\SDFix folder. Once the installation program has finished extracting SDFix, it will open a Notepad with further instructions as shown below.
- Please reboot your computer into Safe Mode by doing the following:
- Restart your computer
- After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
- Instead of Windows loading as normal, a menu should appear
- Select the first option, to run Windows in Safe Mode.
- When you are at the logon prompt, log in as the same user that you had performed the previous steps as.
- When your computer has started in safe mode, and you see the desktop, close all open windows.
- Click on the Start button, click on the Run menu option, and type the following into the Open: field:
C:\SDFix\RunThis.bat
- Then press the OK button.
- The SDFix window will open containing some brief info and a disclaimer on the use of the tool. Please press the Y key, then press Enter.
It will then begin scanning the computer. This may take a while, so just be patient.
When the scanning process has finished you will see a new screen stating that you need to restart your computer in order to continue.
- At this point you should press any key on your computer's keyboard in order to restart the computer.
- After your computer reboots SDFix will automatically start and perform a last check.
You will now be presented with a screen stating that SDFix has finished.
- At this point you should press any key on your computer's keyboard in order to continue to your desktop.
- When you are back at your Windows desktop, the SDFix log will automatically be opened in notepad.
- Please post back here with that log.
SDFix completed. Here is the log...
SDFix: Version 1.240
Run by Mark on Tue 02/03/2009 at 07:22 PM
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix
Checking Services :
Restoring Default Security Values
Restoring Default Hosts File
Rebooting
Checking Files :
Trojan Files Found:
C:\autorun.inf - Deleted
C:\DOCUME~1\MARK~1.BAR\LOCALS~1\Temp\tmp2.tmp - Deleted
C:\DOCUME~1\MARK~1.BAR\LOCALS~1\Temp\tmp3.tmp - Deleted
C:\DOCUME~1\MARK~1.BAR\LOCALS~1\Temp\tmp4.tmp - Deleted
C:\DOCUME~1\MARK~1.BAR\LOCALS~1\Temp\tmp5.tmp - Deleted
C:\DOCUME~1\MARK~1.BAR\LOCALS~1\Temp\tmp6.tmp - Deleted
C:\DOCUME~1\MARK~1.BAR\LOCALS~1\Temp\tmp7.tmp - Deleted
C:\DOCUME~1\MARK~1.BAR\LOCALS~1\Temp\tmp8.tmp - Deleted
C:\DOCUME~1\MARK~1.BAR\LOCALS~1\Temp\tmp9.tmp - Deleted
C:\DOCUME~1\MARK~1.BAR\LOCALS~1\Temp\tmpA.tmp - Deleted
C:\DOCUME~1\MARK~1.BAR\LOCALS~1\Temp\tmpB.tmp - Deleted
C:\DOCUME~1\MARK~1.BAR\LOCALS~1\Temp\tmpC.tmp - Deleted
C:\DOCUME~1\MARK~1.BAR\LOCALS~1\Temp\tmpD.tmp - Deleted
Removing Temp Files
ADS Check :
Final Check :
catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-03 19:37:00
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden services & system hive ...
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys]
"start"=dword:00000001
"type"=dword:00000001
"imagepath"=str(2):"\systemroot\system32\drivers\gaopdxoqodsril.sys"
"group"="file system"
"userdata"=dword:ffffffff
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys\modules]
"gaopdxserv"="\\?\globalroot\systemroot\system32\drivers\gaopdxoqodsril.sys"
"gaopdxl"="\\?\globalroot\systemroot\system32\gaopdxmtebukpb.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:2df9c43f
"s2"=dword:110480d0
"h0"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools Lite\"
"h0"=dword:00000000
"khjeh"=hex:37,6a,09,6e,3c,9f,07,96,c9,42,d1,15,c4,8d,25,52,b5,5f,0c,0f,10,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,2d,43,96,01,4a,1f,98,0b,fd,e1,23,f6,bb,3e,ff,44,53,..
"khjeh"=hex:78,74,de,ac,f8,cd,d4,68,41,35,f2,b3,ca,34,5d,3c,f4,e6,38,55,48,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:9d,04,b1,3f,ad,3b,bd,2e,ce,a6,1a,9c,39,e7,3c,bd,8f,63,53,36,31,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]
"khjeh"=hex:80,f9,d9,71,f1,81,bd,91,57,5e,ec,b0,15,10,4c,d6,0f,a8,52,d6,46,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42]
"khjeh"=hex:ee,39,74,e4,89,6b,38,c8,59,51,0b,ef,2c,cc,58,bd,ce,d0,14,55,26,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43]
"khjeh"=hex:ee,39,74,e4,89,6b,38,c8,59,51,0b,ef,2c,cc,58,bd,ce,d0,14,55,26,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\gaopdxserv.sys]
"start"=dword:00000001
"type"=dword:00000001
"imagepath"=str(2):"\systemroot\system32\drivers\gaopdxoqodsril.sys"
"group"="file system"
"userdata"=dword:ffffffff
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\gaopdxserv.sys\modules]
"gaopdxserv"="\\?\globalroot\systemroot\system32\drivers\gaopdxoqodsril.sys"
"gaopdxl"="\\?\globalroot\systemroot\system32\gaopdxmtebukpb.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools Lite\"
"h0"=dword:00000000
"khjeh"=hex:37,6a,09,6e,3c,9f,07,96,c9,42,d1,15,c4,8d,25,52,b5,5f,0c,0f,10,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,2d,43,96,01,4a,1f,98,0b,fd,e1,23,f6,bb,3e,ff,44,53,..
"khjeh"=hex:78,74,de,ac,f8,cd,d4,68,41,35,f2,b3,ca,34,5d,3c,f4,e6,38,55,48,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:9d,04,b1,3f,ad,3b,bd,2e,ce,a6,1a,9c,39,e7,3c,bd,8f,63,53,36,31,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]
"khjeh"=hex:80,f9,d9,71,f1,81,bd,91,57,5e,ec,b0,15,10,4c,d6,0f,a8,52,d6,46,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42]
"khjeh"=hex:ee,39,74,e4,89,6b,38,c8,59,51,0b,ef,2c,cc,58,bd,ce,d0,14,55,26,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43]
"khjeh"=hex:ee,39,74,e4,89,6b,38,c8,59,51,0b,ef,2c,cc,58,bd,ce,d0,14,55,26,..
scanning hidden registry entries ...
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="zvnmsi.dll"
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710
"LoadAppInit_DLLs"=dword:00000001
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
Remaining Services :
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\NVIDIA Corporation\\NetworkAccessManager\\Apache Group\\Apache2\\bin\\Apache.exe"="C:\\Program Files\\NVIDIA Corporation\\NetworkAccessManager\\Apache Group\\Apache2\\bin\\Apache.exe:*:Enabled:Apache HTTP Server"
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG7\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe:*:Enabled:avgcc.exe"
"C:\\Program Files\\FlashGet\\flashget.exe"="C:\\Program Files\\FlashGet\\flashget.exe:*:Enabled:Flashget"
"C:\\WINDOWS\\system32\\dpvsetup.exe"="C:\\WINDOWS\\system32\\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test"
"C:\\Program Files\\Microsoft Hardware\\Game Voice\\GameVoice.exe"="C:\\Program Files\\Microsoft Hardware\\Game Voice\\GameVoice.exe:*:Enabled:Game Voice"
"C:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"="C:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe:*:Enabled:Battlefield 2"
"C:\\WINDOWS\\system32\\rundll32.exe"="C:\\WINDOWS\\system32\\rundll32.exe:*:Enabled:Run a DLL as an App"
"C:\\Program Files\\Shareaza\\Shareaza.exe"="C:\\Program Files\\Shareaza\\Shareaza.exe:*:Enabled:Shareaza"
"C:\\Program Files\\Microsoft Games\\Links 2003 Demo\\LinksMMIII.exe"="C:\\Program Files\\Microsoft Games\\Links 2003 Demo\\LinksMMIII.exe:*:Enabled:Links 2003"
"D:\\Installation\\Setupx.exe"="D:\\Installation\\Setupx.exe:*:Enabled:Nero ProductSetup"
"C:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"="C:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe:*:Enabled:Nero Home"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\1701 A.D\\1701.exe"="C:\\Program Files\\1701 A.D\\1701.exe:*:Enabled:1701 A.D."
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Firefox"
"G:\\Program Files\\Microsoft Games\\Crimson Skies Trial\\crimson.exe"="G:\\Program Files\\Microsoft Games\\Crimson Skies Trial\\crimson.exe:*:Disabled:Crimson"
"C:\\WINDOWS\\system32\\msiexec.exe"="C:\\WINDOWS\\system32\\msiexec.exe:*:Enabled:Windowsr installer"
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"="C:\\Program Files\\Real\\RealPlayer\\realplay.exe:*:Enabled:RealPlayer"
"G:\\Program Files\\Xfire\\Xfire.exe"="G:\\Program Files\\Xfire\\Xfire.exe:*:Enabled:Xfire"
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"="C:\\Program Files\\AVG\\AVG8\\avgupd.exe:*:Enabled:avgupd.exe"
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"="C:\\Program Files\\AVG\\AVG8\\avgemc.exe:*:Enabled:avgemc.exe"
"C:\\Program Files\\Winamp\\winamp.exe"="C:\\Program Files\\Winamp\\winamp.exe:*:Enabled:winamp"
"C:\\Program Files\\Electronic Arts\\EADM\\Core.exe"="C:\\Program Files\\Electronic Arts\\EADM\\Core.exe:*:Enabled:EA Download Manager"
"G:\\Program Files\\Games\\Crimson Skies\\crimson.icd"="G:\\Program Files\\Games\\Crimson Skies\\crimson.icd:*:Enabled:Crimson Skies Executable"
"C:\\Program Files\\NBC Direct\\StoreFrontPlayer.exe"="C:\\Program Files\\NBC Direct\\StoreFrontPlayer.exe:*:Enabled:NBC Direct Beta"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Winamp Remote\\bin\\Orb.exe"="C:\\Program Files\\Winamp Remote\\bin\\Orb.exe:*:Enabled:Orb"
"C:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"="C:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe:*:Enabled:OrbTray"
"C:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"="C:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe:*:Enabled:Orb Stream Client"
"C:\\Program Files\\Trillian\\trillian.exe"="C:\\Program Files\\Trillian\\trillian.exe:*:Enabled:Trillian"
"C:\\Program Files\\Steam\\steamapps\\meathook\\age of chivalry\\hl2.exe"="C:\\Program Files\\Steam\\steamapps\\meathook\\age of chivalry\\hl2.exe:*:Enabled:hl2"
"C:\\Program Files\\Steam\\steamapps\\meathook\\team fortress 2\\hl2.exe"="C:\\Program Files\\Steam\\steamapps\\meathook\\team fortress 2\\hl2.exe:*:Enabled:hl2"
"C:\\Program Files\\Steam\\steamapps\\meathook\\insurgency\\hl2.exe"="C:\\Program Files\\Steam\\steamapps\\meathook\\insurgency\\hl2.exe:*:Enabled:hl2"
"C:\\Program Files\\Steam\\steamapps\\meathook\\synergy\\hl2.exe"="C:\\Program Files\\Steam\\steamapps\\meathook\\synergy\\hl2.exe:*:Enabled:hl2"
"C:\\Program Files\\Steam\\steamapps\\meathook\\diprip warm up\\hl2.exe"="C:\\Program Files\\Steam\\steamapps\\meathook\\diprip warm up\\hl2.exe:*:Enabled:hl2"
"C:\\Program Files\\Steam\\steamapps\\meathook\\zombie panic! source\\hl2.exe"="C:\\Program Files\\Steam\\steamapps\\meathook\\zombie panic! source\\hl2.exe:*:Enabled:hl2"
"E:\\Installation\\Setupx.exe"="E:\\Installation\\Setupx.exe:*:Enabled:Nero ProductSetup"
"G:\\Program Files\\Nero 7\\Nero Home\\NeroHome.exe"="G:\\Program Files\\Nero 7\\Nero Home\\NeroHome.exe:*:Enabled:Nero Home"
"G:\\Program Files\\FrostWire\\FrostWire.exe"="G:\\Program Files\\FrostWire\\FrostWire.exe:*:Enabled:FrostWire"
"G:\\Program Files\\LimeWire\\LimeWire.exe"="G:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\WINDOWS\\system32\\dxdiag.exe"="C:\\WINDOWS\\system32\\dxdiag.exe:*:Enabled:Microsoft DirectX Diagnostic Tool"
"C:\\WINDOWS\\system32\\dpnsvr.exe"="C:\\WINDOWS\\system32\\dpnsvr.exe:*:Enabled:Microsoft DirectPlay8 Server"
"G:\\Downloads\\utorrent.exe"="G:\\Downloads\\utorrent.exe:*:Enabled:µTorrent"
"G:\\Program Files\\Microsoft Games\\Age of Empires III\\age3x.exe"="G:\\Program Files\\Microsoft Games\\Age of Empires III\\age3x.exe:*:Enabled:Age of Empires III - The WarChiefs"
"G:\\Program Files\\Microsoft Games\\Age of Empires III\\age3y.exe"="G:\\Program Files\\Microsoft Games\\Age of Empires III\\age3y.exe:*:Enabled:Age of Empires III - The Asian Dynasties"
"G:\\Downloads\\Installed Software\\utorrent.exe"="G:\\Downloads\\Installed Software\\utorrent.exe:*:Enabled:µTorrent"
"G:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaWmp.exe"="G:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaWmp.exe:*:Enabled:Call of Duty(R) - World at War(TM)"
"G:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaW.exe"="G:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaW.exe:*:Enabled:Call of Duty(R) - World at War(TM)"
"C:\\Program Files\\Graboid\\GraboidVideo\\1.3.0.0\\GraboidClient.exe"="C:\\Program Files\\Graboid\\GraboidVideo\\1.3.0.0\\GraboidClient.exe:*:Enabled: "
"G:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaW_LANFixed.exe"="G:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaW_LANFixed.exe:*:Enabled:Call of Duty(R): World at War Campaign/Coop"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
Remaining Files :
File Backups: - C:\SDFix\backups\backups.zip
Files with Hidden Attributes :
Thu 24 Apr 2008 1,613,824 A..H. --- "C:\My Games\Can You See What I See\CanYouSee.exe"
Wed 10 Sep 2008 2,389,320 ...H. --- "C:\Program Files\Atlantis Sky Patrol\AtlantisSkyPatrol.exe"
Thu 10 Jan 2008 2,229,576 ...H. --- "C:\Program Files\Bengal - Game of Gods\Bengal - Game of Gods.exe"
Thu 23 Oct 2008 3,568,976 ...H. --- "C:\Program Files\Dr. Lynch - Grave Secrets\gravesecrets.exe"
Mon 6 Oct 2008 24,450,376 ...H. --- "C:\Program Files\Flip Words 2\Flip Words 2.exe"
Mon 6 Oct 2008 6,509,896 ...H. --- "C:\Program Files\Flip Words\Flip Words.exe"
Thu 17 Jul 2008 43,865,624 ...H. --- "C:\Program Files\Forgotten Riddles - The Moonlight Sonatas\Forgotten Riddles - The Moonlight Sonatas.exe"
Wed 5 Nov 2008 2,368,856 ...H. --- "C:\Program Files\Hawaiian Explorer 2 - Lost Island\LostIsland.exe"
Fri 11 Jan 2008 13,579,592 ...H. --- "C:\Program Files\Hidden Relics\Hidden Relics.exe"
Wed 16 Jul 2008 6,829,384 ...H. --- "C:\Program Files\Hidden Expedition - Amazon\Hidden Expedition Amazon.exe"
Thu 10 Jan 2008 2,159,944 ...H. --- "C:\Program Files\Inca Ball\IncaBall.exe"
Wed 10 Sep 2008 1,070,408 ...H. --- "C:\Program Files\Luxor 2\Luxor 2.exe"
Thu 20 Mar 2008 14,210,376 ...H. --- "C:\Program Files\Mystery Case Files - Madame Fate\Madame Fate.exe"
Fri 11 Jan 2008 1,758,536 ...H. --- "C:\Program Files\Mystery P.I. - The Lottery Ticket\MysteryPI.exe"
Wed 23 Apr 2008 12,330,312 ...H. --- "C:\Program Files\Mystery Case Files - Prime Suspects\PrimeSuspects.exe"
Fri 11 Jan 2008 1,975,624 ...H. --- "C:\Program Files\Mystery in London\MysteryInLondon.exe"
Sun 13 Apr 2008 60,416 A.SH. --- "C:\Program Files\Outlook Express\msimn.exe"
Thu 10 Jan 2008 3,489,792 ...H. --- "C:\Program Files\Peggle Deluxe\Peggle.exe"
Mon 23 Jun 2008 2,442,568 ...H. --- "C:\Program Files\PictoWords\PictoWords.exe"
Thu 10 Jan 2008 3,044,680 ...H. --- "C:\Program Files\Pirate Poppers\Pirate Poppers.exe"
Wed 22 Oct 2008 949,072 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\advcheck.dll"
Mon 15 Sep 2008 1,562,960 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll"
Mon 28 Jan 2008 1,404,240 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 28 Jan 2008 5,146,448 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Tue 16 Sep 2008 1,833,296 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Wed 22 Oct 2008 962,896 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\Tools.dll"
Thu 10 Jan 2008 1,783,112 ...H. --- "C:\Program Files\Svetlograd\Svetlograd.exe"
Fri 1 Aug 2008 1,271,112 ...H. --- "C:\Program Files\The Race\TheRace.exe"
Fri 29 Feb 2008 2,848,072 ...H. --- "C:\Program Files\The Count of Monte Cristo\MONTECRISTO.exe"
Mon 9 Jun 2008 1,885,512 ...H. --- "C:\Program Files\The Secret of Margrave Manor\Margrave Manor.exe"
Mon 18 Aug 2008 2,479,432 ...H. --- "C:\Program Files\Yard Sale Hidden Treasures - Sunnyville\yardsale.exe"
Thu 10 Jan 2008 1,955,144 ...H. --- "C:\Program Files\Zuma Deluxe\Zuma Deluxe.exe"
Wed 16 Apr 2008 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Wed 7 Jun 2000 45,056 A..H. --- "C:\Program Files\Microsoft Hardware\Game Voice\WebUpdate.exe"
Sun 6 Apr 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Sat 3 Jan 2009 72,192 ...H. --- "C:\Documents and Settings\Lee\Application Data\Microsoft\Word\~WRL3458.tmp"
Wed 28 Jan 2009 2,158 ...HR --- "C:\Documents and Settings\Lee\Application Data\SecuROM\UserData\securom_v7_01.bak"
Fri 30 Jan 2009 444 ...HR --- "C:\Documents and Settings\Mark.BARTH-TOWER\Application Data\SecuROM\UserData\securom_v7_01.bak"
Fri 4 Jul 2008 17,516 ...H. --- "C:\Documents and Settings\All Users\Application Data\Launcher\Launcher\1.0.0.0\BIT127.tmp"
Finished!
Now try again with combofix
prep.com
Just to be clear, I download it again every time I try it.
On the plus side, my shortcut to C: works now. F: and G: still give the "RECYCLER" dialog box.
Last edited by sandpaper600; 02-03-2009 at 09:29 PM. Reason: Additional info
HERE is your "evil" file: gaopdxserv.sys. It is a Trojan/Backdoor.
From what I see on that SDFix log, there is or has been a LOT of P2P file sharing going on with this computer. Now I can see WHY the computer is so infected.
Download gmer.zip: http://www.gmer.net/files.php
Unzip the file, and double click on gmer.exe, select Rootkit tab and click the Scan button.
When scan is completed, click Save button, and save the results as gmer.log
Warning! Please do not select the "Show all" checkbox during the scan.
Post the log to your next reply.
Here is the gmer log...
GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-02-04 11:49:32
Windows 5.1.2600 Service Pack 3
---- System - GMER 1.0.14 ----
SSDT spmc.sys ZwCreateKey [0xB9EA80E0]
SSDT spmc.sys ZwEnumerateKey [0xB9EC6CA2]
SSDT spmc.sys ZwEnumerateValueKey [0xB9EC7030]
SSDT spmc.sys ZwOpenKey [0xB9EA80C0]
SSDT spmc.sys ZwQueryKey [0xB9EC7108]
SSDT spmc.sys ZwQueryValueKey [0xB9EC6F88]
SSDT spmc.sys ZwSetValueKey [0xB9EC719A]
INT 0x62 ? 8AEC6BF8
INT 0x63 ? 8AE52BF8
INT 0x73 ? 8AE52BF8
INT 0x82 ? 8AEC6BF8
INT 0xA4 ? 8AA78F00
INT 0xB4 ? 8AE55BF8
---- Kernel code sections - GMER 1.0.14 ----
? spmc.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload B8BDF8AC 5 Bytes JMP 8AA784E0
.text a6t5q9xy.SYS B8AC0386 35 Bytes [ 00, 00, 00, 00, 00, 00, 20, ... ]
.text a6t5q9xy.SYS B8AC03AA 24 Bytes [ 00, 00, 00, 00, 00, 00, 00, ... ]
.text a6t5q9xy.SYS B8AC03C4 3 Bytes [ 00, 70, 02 ]
.text a6t5q9xy.SYS B8AC03C9 1 Byte [ 2E ]
.text a6t5q9xy.SYS B8AC03CB 9 Bytes [ 00, 00, 5C, 02, 00, 00, 00, ... ]
.text ...
---- Kernel IAT/EAT - GMER 1.0.14 ----
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [B9EA9040] spmc.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [B9EA913C] spmc.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [B9EA90BE] spmc.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [B9EA97FC] spmc.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [B9EA96D2] spmc.sys
IAT \SystemRoot\System32\Drivers\a6t5q9xy.SYS[HAL.dll!KfAcquireSpinLock] 4B8BDF8B
IAT \SystemRoot\System32\Drivers\a6t5q9xy.SYS[HAL.dll!READ_PORT_UCHAR] 8D3F0304
IAT \SystemRoot\System32\Drivers\a6t5q9xy.SYS[HAL.dll!KeGetCurrentIrql] CB033043
IAT \SystemRoot\System32\Drivers\a6t5q9xy.SYS[HAL.dll!KfRaiseIrql] 0673C13B
IAT \SystemRoot\System32\Drivers\a6t5q9xy.SYS[HAL.dll!KfLowerIrql] C13B0003
IAT \SystemRoot\System32\Drivers\a6t5q9xy.SYS[HAL.dll!HalGetInterruptVector] 8366FA72
IAT \SystemRoot\System32\Drivers\a6t5q9xy.SYS[HAL.dll!HalTranslateBusAddress] 75000E7B
IAT \SystemRoot\System32\Drivers\a6t5q9xy.SYS[HAL.dll!KeStallExecutionProcessor] 0B7D80E3
IAT \SystemRoot\System32\Drivers\a6t5q9xy.SYS[HAL.dll!KfReleaseSpinLock] 307B8D00
IAT \SystemRoot\System32\Drivers\a6t5q9xy.SYS[HAL.dll!READ_PORT_BUFFER_USHORT] 00AA840F
IAT \SystemRoot\System32\Drivers\a6t5q9xy.SYS[HAL.dll!READ_PORT_USHORT] 83660000
IAT \SystemRoot\System32\Drivers\a6t5q9xy.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT] 6A000E7A
IAT \SystemRoot\System32\Drivers\a6t5q9xy.SYS[HAL.dll!WRITE_PORT_UCHAR] C6647400
IAT \SystemRoot\System32\Drivers\a6t5q9xy.SYS[WMILIB.SYS!WmiSystemControl] 4F8B0200
IAT \SystemRoot\System32\Drivers\a6t5q9xy.SYS[WMILIB.SYS!WmiCompleteRequest] 968D5140
---- Devices - GMER 1.0.14 ----
Device \FileSystem\Ntfs \Ntfs 8AEC41F8
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Ip ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 ATMhelpr.SYS (Windows NT Font Driver Helper/Adobe Systems Incorporated)
Device \Driver\usbohci \Device\USBPDO-0 8AA7C500
Device \Driver\usbehci \Device\USBPDO-1 8AAAB500
Device \Driver\PCI_PNP9046 \Device\00000054 spmc.sys
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
Device \Driver\prodrv06 \Device\ProDrv06 E1F73C30
Device \Driver\Ftdisk \Device\HarddiskVolume1 8AE531F8
Device \Driver\Cdrom \Device\CdRom0 8AA7E500
Device \Driver\Ftdisk \Device\HarddiskVolume2 8AE531F8
Device \Driver\Cdrom \Device\CdRom1 8AA7E500
Device \Driver\Ftdisk \Device\HarddiskVolume3 8AE531F8
Device \Driver\Cdrom \Device\CdRom2 8AA7E500
Device \Driver\Cdrom \Device\CdRom3 8AA7E500
Device \Driver\Cdrom \Device\CdRom4 8AA7E500
Device \Driver\prohlp02 \Device\ProHlp02 E1842CC0
Device \Driver\Cdrom \Device\CdRom5 8AA7E500
Device \Driver\NetBT \Device\NetBt_Wins_Export 8AA79500
Device \Driver\nvata \Device\00000078 8AE521F8
Device \Driver\USBSTOR \Device\00000092 8A9751F8
Device \Driver\NetBT \Device\NetbiosSmb 8AA79500
Device \Driver\USBSTOR \Device\00000088 8A9751F8
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
Device \Driver\usbohci \Device\USBFDO-0 8AA7C500
Device \Driver\nvata \Device\NvAta0 8AE521F8
Device \Driver\usbehci \Device\USBFDO-1 8AAAB500
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 8AB101F8
Device \Driver\nvata \Device\NvAta1 8AE521F8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 8AB101F8
Device \Driver\Ftdisk \Device\FtControl 8AE531F8
Device \Driver\sptd \Device\3259149046 spmc.sys
Device \Driver\a6t5q9xy \Device\Scsi\a6t5q9xy1Port5Path0Target0Lun0 8AA76500
Device \Driver\a6t5q9xy \Device\Scsi\a6t5q9xy1 8AA76500
Device \Driver\a6t5q9xy \Device\Scsi\a6t5q9xy1Port5Path0Target2Lun0 8AA76500
Device \Driver\JRAID \Device\Scsi\JRAID1 8AEC51F8
Device \Driver\a6t5q9xy \Device\Scsi\a6t5q9xy1Port5Path0Target3Lun0 8AA76500
Device \Driver\a6t5q9xy \Device\Scsi\a6t5q9xy1Port5Path0Target1Lun0 8AA76500
Device \FileSystem\Cdfs \Cdfs 8A998500
---- Services - GMER 1.0.14 ----
Service system32\drivers\gaopdxoqodsril.sys (*** hidden *** ) [SYSTEM] gaopdxserv.sys <-- ROOTKIT !!!
---- Registry - GMER 1.0.14 ----
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys@imagepath \systemroot\system32\drivers\gaopdxoqodsril.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys@userdata -1
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys\modules@gaopdxserv \\?\globalroot\systemroot\system32\drivers\gaopdxoqodsril.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys\modules@gaopdxl \\?\globalroot\systemroot\system32\gaopdxmtebukpb.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x37 0x6A 0x09 0x6E ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x78 0x74 0xDE 0xAC ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x9D 0x04 0xB1 0x3F ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0x80 0xF9 0xD9 0x71 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42@khjeh 0xEE 0x39 0x74 0xE4 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43@khjeh 0xEE 0x39 0x74 0xE4 ...
Reg HKLM\SYSTEM\ControlSet004\Services\gaopdxserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet004\Services\gaopdxserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet004\Services\gaopdxserv.sys@imagepath \systemroot\system32\drivers\gaopdxoqodsril.sys
Reg HKLM\SYSTEM\ControlSet004\Services\gaopdxserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet004\Services\gaopdxserv.sys@userdata -1
Reg HKLM\SYSTEM\ControlSet004\Services\gaopdxserv.sys\modules
Reg HKLM\SYSTEM\ControlSet004\Services\gaopdxserv.sys\modules@gaopdxserv \\?\globalroot\systemroot\system32\drivers\gaopdxoqodsril.sys
Reg HKLM\SYSTEM\ControlSet004\Services\gaopdxserv.sys\modules@gaopdxl \\?\globalroot\systemroot\system32\gaopdxmtebukpb.dll
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x37 0x6A 0x09 0x6E ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x78 0x74 0xDE 0xAC ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x9D 0x04 0xB1 0x3F ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0x80 0xF9 0xD9 0x71 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42@khjeh 0xEE 0x39 0x74 0xE4 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43@khjeh 0xEE 0x39 0x74 0xE4 ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs zvnmsi.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@LoadAppInit_DLLs 1
---- EOF - GMER 1.0.14 ----
I gotta go out for a couple of hours. I'll check back this afternoon.
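As an added example (not part of this thread, and not GMER's own code), the following Python script parses the line types in the GMER log above and pulls out what a responder checks first: the hidden service, the AppInit_DLLs injection entry, and the SSDT hooks, cross-referenced with the Device lines so a hook by a driver that serves a known device (here spmc.sys for \Driver\sptd) is marked for review rather than flagged outright. The log excerpt inside it is constructed from lines posted above; the severity labels and the `parse_gmer`/`triage` function names are the example's own.

```python
"""Triage a GMER rootkit-scan log: pull out what a responder checks first
(hidden services, AppInit_DLLs injection, SSDT hooks) before touching the box."""
import re
from collections import defaultdict

# Constructed excerpt of the GMER log posted in this thread, trimmed to the
# line types the parser handles (SSDT hooks, Device lines, the hidden
# service, and the AppInit_DLLs registry values).
SAMPLE_GMER_LOG = r"""
GMER 1.0.14.14536 - http://www.gmer.net
---- System - GMER 1.0.14 ----
SSDT spmc.sys ZwCreateKey [0xB9EA80E0]
SSDT spmc.sys ZwEnumerateKey [0xB9EC6CA2]
SSDT spmc.sys ZwSetValueKey [0xB9EC719A]
---- Devices - GMER 1.0.14 ----
Device \Driver\Ftdisk \Device\FtControl 8AE531F8
Device \Driver\sptd \Device\3259149046 spmc.sys
---- Services - GMER 1.0.14 ----
Service system32\drivers\gaopdxoqodsril.sys (*** hidden *** ) [SYSTEM] gaopdxserv.sys <-- ROOTKIT !!!
---- Registry - GMER 1.0.14 ----
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys@imagepath \systemroot\system32\drivers\gaopdxoqodsril.sys
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs zvnmsi.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@LoadAppInit_DLLs 1
---- EOF - GMER 1.0.14 ----
"""

# One regex per GMER record type we care about.
SSDT_RE = re.compile(r"^SSDT\s+(\S+)\s+(\w+)\s+\[(0x[0-9A-Fa-f]+)\]")
DEVICE_RE = re.compile(r"^Device\s+(\S+)\s+(\S+)\s+(\S+)$")
SERVICE_RE = re.compile(r"^Service\s+(\S+)\s+(?:\((.*?)\)\s+)?\[(\w+)\]\s+(\S+)")
REG_RE = re.compile(r"^Reg\s+(.+?)@(\S+)(?:\s+(.*))?$")


def parse_gmer(text):
    """Parse a GMER log into records keyed by type; unknown lines are skipped."""
    rec = {"ssdt": [], "devices": [], "services": [], "reg": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if m := SSDT_RE.match(line):
            rec["ssdt"].append({"module": m[1], "function": m[2], "address": m[3]})
        elif m := DEVICE_RE.match(line):
            # Third column is either a kernel address or the owning driver file.
            rec["devices"].append({"driver": m[1], "device": m[2], "owner": m[3]})
        elif m := SERVICE_RE.match(line):
            rec["services"].append({"image": m[1], "hidden": bool(m[2] and "hidden" in m[2]),
                                    "start": m[3], "name": m[4]})
        elif m := REG_RE.match(line):
            rec["reg"][(m[1], m[2])] = (m[3] or "").strip()
    return rec


def triage(rec):
    """Return (severity, message) findings, most urgent first.

    Hidden services and a populated AppInit_DLLs are 'high'; SSDT hooks are
    'review' because legitimate drivers hook those entries too, so the
    module is cross-referenced with the Device lines to show what it serves.
    """
    findings = []
    for svc in rec["services"]:
        if svc["hidden"]:
            findings.append(("high", f"hidden service {svc['name']} -> {svc['image']}"))

    win = {name.lower(): data for (path, name), data in rec["reg"].items()
           if path.lower().endswith(r"currentversion\windows")}
    dlls = win.get("appinit_dlls", "")
    if dlls:
        # LoadAppInit_DLLs gates injection on Vista and later; on XP (this log)
        # it is ignored and a non-empty AppInit_DLLs loads into every process
        # that links user32.dll, so treat it as high unless explicitly off.
        load = win.get("loadappinit_dlls", "1")
        sev = "review" if load == "0" else "high"
        findings.append((sev, f"AppInit_DLLs={dlls} (LoadAppInit_DLLs={load})"))

    owners = {d["owner"]: d["driver"] for d in rec["devices"]
              if d["owner"].lower().endswith(".sys")}
    hooks = defaultdict(list)
    for h in rec["ssdt"]:
        hooks[h["module"]].append(h["function"])
    for module, funcs in hooks.items():
        via = f" (serves {owners[module]} device in this log)" if module in owners else ""
        findings.append(("review",
                         f"{module} hooks {len(funcs)} SSDT entries{via}: {', '.join(funcs)}"))
    order = {"high": 0, "review": 1}
    return sorted(findings, key=lambda f: order[f[0]])


if __name__ == "__main__":
    for sev, msg in triage(parse_gmer(SAMPLE_GMER_LOG)):
        print(f"[{sev:6}] {msg}")
```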
Download UnHackMe and save it to the desktop.
Open the compressed folder on your desktop named unhackme.zip and double click unhackme250.exe to begin the installation. When asked if you wish to continue, click Yes.
Select all the default installation options by clicking Next for every step in the installation. When prompted, choose Yes to create a directory.
Select the Check tab at the top of the window and then click on the Check Me Now! button. UnHackMe will begin scanning your operating system for rootkits.
When scan is complete it should show what it has found.
Click on the key that you want to remove
After selecting the key, click on the Delete Key button. A window will appear asking you to verify the deletion.
Click "Yes" to delete the infected key. Do this for all the infected keys in the list. When you're finished deleting all the keys in the list, you may close down UnHackMe.
I ran UnHackMe. It found 14 things. Only about 5 of them I deleted. Things like Nvidia network manager and ClockX I left on. I saw the gaopdxserv.sys rootkit and deleted it.
I can browse my drives now, but I still get the dialog box "Due to an unidentified problem, Windows cannot display Windows Firewall settings." when I try to set the firewall.
What else didn't you remove? It doesn't list most things on just a "whim".