  1. #46
    Joined
    Jan 2004
    Posts
    7,499

    Re: Leave my ••••• alone!

    Ok thanks.

    Alright, so here's what happened:

    I logged into the Recovery Console and saw Windows installations F: & D: instead of C: & H:

    I mapped it and saw that F/D was 200/100 GB, which matches C/H, so I worked under the assumption that F: = C:

    I tried to use the command "del F:\windows\system32\drivers\gaopd*.sys" since I didn't know how to "navigate" in there.

    It said I couldn't delete wildcards, so I turned that on and retyped the command. I didn't see any log of the deletion, so I retyped it and it said file not found. So I'm guessing it was deleted.

    Booted back into Windows. Updated ComboFix. Used the CFScript and ran it again. This is the new log:

    ComboFix 09-01-17.02 - Force Commander 2009-01-17 13:27:24.4 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1683 [GMT -8:00]
    Running from: c:\documents and settings\Force Commander\Desktop\ComboFix.exe
    Command switches used :: c:\docume~1\FORCEC~1\LOCALS~1\Temp\Rar$DR00.406\CFScript
    * Created a new restore point

    FILE ::
    c:\documents and settings\Force Commander\Local Settings\Temp\tmpD.tmp
    c:\windows\system32\drivers\gaopdxdltimrsv.sys
    c:\windows\Tasks\Antispyware Scheduled Scan.job
    .

    ((((((((((((((((((((((((( Files Created from 2008-12-17 to 2009-01-17 )))))))))))))))))))))))))))))))
    .

    2009-01-17 02:28 . 2009-01-17 02:28 <DIR> d-------- c:\windows\Sun
    2009-01-17 02:27 . 2009-01-17 02:27 <DIR> d-------- c:\program files\Java
    2009-01-17 02:27 . 2009-01-17 02:27 410,984 --a------ c:\windows\system32\deploytk.dll
    2009-01-17 02:27 . 2009-01-17 02:27 73,728 --a------ c:\windows\system32\javacpl.cpl
    2009-01-17 02:22 . 2009-01-17 02:22 <DIR> d-------- c:\documents and settings\Force Commander\Application Data\vlc
    2009-01-16 20:06 . 2009-01-16 20:06 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Red Alert 3
    2009-01-16 15:58 . 2009-01-16 15:58 <DIR> d-------- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
    2009-01-16 14:36 . 2009-01-17 12:59 <DIR> d-------- C:\TEMP
    2009-01-15 10:50 . 2009-01-16 15:09 <DIR> d-------- c:\program files\Sherlock
    2009-01-14 22:39 . 2009-01-14 22:39 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
    2009-01-14 00:19 . 2009-01-14 00:19 <DIR> d-------- c:\program files\File Scavenger 3.0
    2009-01-14 00:12 . 2009-01-14 00:12 <DIR> d-------- c:\program files\uTorrent
    2009-01-14 00:12 . 2009-01-14 00:18 <DIR> d-------- c:\documents and settings\David\Application Data\uTorrent
    2009-01-13 11:55 . 2009-01-13 11:55 <DIR> d-------- c:\program files\Promise Technology, Inc
    2009-01-13 11:55 . 2009-01-13 11:55 <DIR> d-------- c:\program files\Promise
    2009-01-13 11:55 . 2003-11-05 18:06 110,592 --a------ c:\windows\system32\ulutil2.dll
    2009-01-13 11:55 . 2006-04-06 17:52 108,544 --a------ c:\windows\system32\drivers\ulsata2.sys
    2009-01-13 11:55 . 2003-11-05 08:45 17,408 --a------ c:\windows\system32\drivers\bb-run.sys
    2009-01-13 11:55 . 2004-06-29 14:25 7,680 --a------ c:\windows\system32\drivers\dontgo.sys
    2009-01-05 21:17 . 2009-01-13 21:57 <DIR> d-------- C:\Downloads
    2009-01-05 16:34 . 2009-01-05 16:34 <DIR> d-------- c:\program files\Western Digital
    2009-01-05 16:24 . 2009-01-14 21:52 <DIR> d-------- c:\windows\system32\NtmsData
    2009-01-04 03:37 . 2009-01-04 04:53 <DIR> d-------- c:\program files\Super DVD Ripper
    2009-01-04 02:36 . 2009-01-04 02:36 <DIR> d-------- C:\WinFast WorkArea
    2009-01-02 13:32 . 2009-01-02 13:33 <DIR> d-------- C:\WFDB
    2009-01-02 13:32 . 2009-01-02 13:32 <DIR> d-------- c:\documents and settings\All Users\Application Data\Ulead Systems
    2009-01-02 13:32 . 2001-12-19 15:47 49,152 --a------ c:\windows\system32\TempDel.EXE
    2009-01-02 13:32 . 2005-01-06 16:55 9,446 --a------ c:\windows\system32\drivers\WFIOCTL.sys
    2009-01-02 13:25 . 2005-06-28 09:24 163,584 --a------ c:\windows\system32\drivers\cx88vid.sys
    2009-01-02 13:24 . 2009-01-02 13:24 <DIR> d-------- c:\windows\system32\WinFox
    2009-01-02 13:24 . 2009-01-02 13:25 <DIR> d-------- c:\windows\system32\WinFast
    2009-01-02 13:24 . 2005-03-25 18:24 9,600 --a------ c:\windows\system32\drivers\WINFOXIO.sys
    2009-01-02 13:14 . 2009-01-02 13:14 799 --a------ c:\windows\system\Cmicnfgp.ini
    2009-01-02 12:39 . 2009-01-02 12:39 <DIR> d-------- c:\program files\Common Files\Ulead Systems
    2009-01-02 12:37 . 2009-01-02 12:37 <DIR> d-------- c:\program files\WinFast
    2009-01-02 12:33 . 2009-01-02 12:33 <DIR> d-------- C:\WinFast
    2009-01-02 12:33 . 2009-01-02 13:25 <DIR> d-------- c:\windows\system32\DX9
    2009-01-02 00:18 . 2009-01-02 00:18 <DIR> d-------- c:\documents and settings\Force Commander\Application Data\Red Alert 3
    2008-12-29 17:49 . 2008-12-29 17:49 <DIR> d-------- c:\program files\eBay
    2008-12-29 17:49 . 2008-12-29 17:49 <DIR> d-------- c:\documents and settings\All Users\eBay
    2008-12-28 22:52 . 2008-12-28 22:52 <DIR> d-------- c:\program files\Combined Community Codec Pack
    2008-12-28 20:00 . 2009-01-15 15:27 <DIR> d--h----- C:\$AVG8.VAULT$
    2008-12-26 19:57 . 2008-12-26 19:57 <DIR> d-------- c:\documents and settings\All Users\Application Data\Seagate
    2008-12-26 19:56 . 2008-12-26 19:56 <DIR> d-------- c:\program files\Seagate
    2008-12-26 19:56 . 2008-12-26 19:56 441,760 --a------ c:\windows\system32\drivers\timntr.sys
    2008-12-26 19:56 . 2008-12-26 19:56 368,480 --a------ c:\windows\system32\drivers\tdrpman.sys
    2008-12-26 19:56 . 2008-12-26 19:56 132,224 --a------ c:\windows\system32\drivers\snapman.sys
    2008-12-26 19:56 . 2008-12-26 19:56 44,384 --a------ c:\windows\system32\drivers\tifsfilt.sys
    2008-12-24 19:41 . 2008-12-24 19:41 <DIR> d---s---- c:\documents and settings\David\UserData
    2008-12-24 19:02 . 2008-12-24 19:02 <DIR> d-------- c:\documents and settings\David\Application Data\FastStone
    2008-12-24 16:42 . 2008-12-24 16:42 <DIR> d-------- c:\documents and settings\David\Application Data\dvdcss
    2008-12-23 19:10 . 2008-12-23 19:10 <DIR> d-------- c:\documents and settings\David\Application Data\Red Alert 3
    2008-12-23 18:54 . 2008-12-23 18:54 <DIR> d-------- c:\windows\Logs
    2008-12-23 18:54 . 2008-12-23 18:54 <DIR> d-------- c:\program files\Electronic Arts
    2008-12-23 18:54 . 2008-05-30 14:11 3,850,760 --a------ c:\windows\system32\D3DX9_38.dll
    2008-12-23 18:54 . 2007-07-19 18:14 3,727,720 --a------ c:\windows\system32\d3dx9_35.dll
    2008-12-23 18:54 . 2008-05-30 14:11 1,491,992 --a------ c:\windows\system32\D3DCompiler_38.dll
    2008-12-23 18:54 . 2007-07-19 18:14 1,358,192 --a------ c:\windows\system32\D3DCompiler_35.dll
    2008-12-23 18:54 . 2008-05-30 14:11 467,984 --a------ c:\windows\system32\d3dx10_38.dll
    2008-12-23 18:54 . 2007-07-19 18:14 444,776 --a------ c:\windows\system32\d3dx10_35.dll
    2008-12-23 18:53 . 2008-12-23 19:04 <DIR> d-------- c:\documents and settings\Force Commander\Application Data\DAEMON Tools
    2008-12-23 18:52 . 2008-12-23 18:52 <DIR> d-------- c:\documents and settings\Force Commander\Application Data\Aim
    2008-12-21 22:32 . 2008-12-21 22:32 <DIR> d-------- c:\program files\Common Files\Adobe
    2008-12-21 22:31 . 2009-01-02 13:00 <DIR> d-------- c:\documents and settings\Administrator
    2008-12-21 22:14 . 2008-12-21 22:14 <DIR> d-------- c:\program files\Common Files\Adobe AIR
    2008-12-21 22:11 . 2008-12-21 22:23 <DIR> d-------- c:\documents and settings\All Users\Application Data\Adobe(2)
    2008-12-21 22:10 . 2008-12-21 22:11 <DIR> d-------- c:\program files\Common Files\Adobe(2)
    2008-12-20 21:20 . 2008-12-20 21:20 <DIR> d-------- c:\documents and settings\David\Application Data\Creative
    2008-12-20 11:04 . 2008-12-20 11:04 <DIR> d-------- c:\documents and settings\David\Application Data\vlc
    2008-12-20 11:00 . 2008-12-20 11:00 <DIR> d-------- c:\program files\Winamp
    2008-12-20 11:00 . 2008-12-20 11:02 <DIR> d-------- c:\documents and settings\Force Commander\Application Data\Winamp
    2008-12-20 10:58 . 2008-12-20 11:02 <DIR> d-------- c:\documents and settings\David\Application Data\Winamp
    2008-12-20 01:04 . 2008-12-20 01:04 <DIR> d-------- c:\documents and settings\David\Application Data\Media Player Classic
    2008-12-19 07:52 . 2008-12-21 12:31 <DIR> d-------- c:\windows\system32\CatRoot_bak
    2008-12-18 21:48 . 2008-12-18 21:48 <DIR> d-------- c:\documents and settings\Force Commander\Application Data\FaxCtr
    2008-12-18 21:48 . 2008-12-18 21:48 <DIR> d-------- c:\documents and settings\Force Commander\Application Data\DivX
    2008-12-18 21:48 . 2008-12-18 21:48 <DIR> d-------- c:\documents and settings\Force Commander\Application Data\ASUS
    2008-12-18 21:48 . 2009-01-02 13:00 <DIR> d-------- c:\documents and settings\Force Commander
    2008-12-18 21:48 . 2009-01-16 14:40 116 --a------ c:\windows\NeroDigital.ini
    2008-12-18 19:47 . 2008-12-18 19:47 <DIR> d-------- c:\documents and settings\David\Application Data\FaxCtr
    2008-12-18 19:47 . 2008-12-18 19:47 <DIR> d-------- c:\documents and settings\All Users\Application Data\Creative
    2008-12-18 18:51 . 2009-01-15 20:21 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
    2008-12-18 18:44 . 2009-01-17 13:30 <DIR> d-------- c:\program files\lx_cats
    2008-12-18 18:43 . 2008-12-18 19:41 <DIR> d-------- c:\program files\Lexmark Fax Solutions

  2. #47
    Joined
    Jan 2004
    Posts
    7,499

    Re: Leave my ••••• alone!

    Continued:
    2008-12-18 18:43 . 2008-12-18 18:43 <DIR> d-------- c:\documents and settings\All Users\Application Data\FaxCtr
    2008-12-18 18:43 . 2008-08-14 02:00 2,180,352 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe
    2008-12-18 18:43 . 2008-08-14 01:58 2,136,064 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe
    2008-12-18 18:43 . 2008-08-14 01:22 2,057,728 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe
    2008-12-18 18:43 . 2008-08-14 01:22 2,015,744 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe
    2008-12-18 18:43 . 2008-10-24 03:10 453,632 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
    2008-12-18 18:43 . 2005-12-23 06:18 339,968 --a------ c:\windows\system32\IMGMAN32.DLL
    2008-12-18 18:43 . 2005-12-23 06:18 98,345 --a------ c:\windows\system32\IMHOST32.DLL
    2008-12-18 18:43 . 2005-12-23 06:18 98,304 --a------ c:\windows\system32\IM31XPNG.DEL
    2008-12-18 18:43 . 2005-12-23 06:18 69,632 --a------ c:\windows\system32\IM31XTIF.DEL
    2008-12-18 18:43 . 2005-12-23 06:18 49,152 --a------ c:\windows\system32\IM31IMG.DIL
    2008-12-18 18:43 . 2006-02-02 00:26 12,288 --a------ c:\windows\system32\LXPMONRC.DLL
    2008-12-18 18:42 . 2008-12-18 18:42 <DIR> d-------- c:\program files\Lexmark Toolbar
    2008-12-18 18:42 . 2008-12-18 18:44 <DIR> d-------- c:\program files\Lexmark 3400 Series
    2008-12-18 18:42 . 2008-12-18 18:42 <DIR> d-------- c:\program files\Abbyy FineReader 6.0 Sprint
    2008-12-18 18:37 . 2005-06-28 10:21 22,752 --a------ c:\windows\system32\spupdsvc.exe
    2008-12-18 18:36 . 2008-12-18 19:36 <DIR> d--h----- c:\windows\$hf_mig$
    2008-12-18 18:30 . 2004-07-20 17:24 1,568,768 --------- c:\windows\system32\ImagX7.dll
    2008-12-18 18:30 . 2004-07-20 17:24 476,320 --------- c:\windows\system32\ImagXpr7.dll
    2008-12-18 18:30 . 2004-07-20 17:24 471,040 --------- c:\windows\system32\ImagXRA7.dll
    2008-12-18 18:30 . 2004-07-09 09:43 364,544 --------- c:\windows\system32\TwnLib4.dll
    2008-12-18 18:30 . 2004-07-20 17:24 262,144 --------- c:\windows\system32\ImagXR7.dll
    2008-12-18 18:30 . 2000-06-26 11:45 106,496 --a------ c:\windows\system32\TwnLib20.dll
    2008-12-18 18:30 . 2001-06-26 08:15 38,912 --------- c:\windows\system32\picn20.dll
    2008-12-18 18:29 . 2008-12-18 18:31 <DIR> d-------- c:\program files\Common Files\Ahead
    2008-12-18 18:29 . 2008-12-18 18:30 <DIR> d-------- c:\program files\Ahead
    2008-12-18 18:29 . 2001-07-09 11:50 155,648 --a------ c:\windows\system32\NeroCheck.exe
    2008-12-18 18:16 . 2008-12-18 18:16 <DIR> d--h----- c:\program files\Creative Installation Information
    2008-12-18 18:16 . 2008-12-18 18:16 <DIR> d-------- c:\program files\Common Files\Creative
    2008-12-18 18:16 . 1999-12-13 09:01 44,032 --------- c:\windows\system32\CTSVCCDA.EXE
    2008-12-18 18:16 . 1999-11-18 09:00 25,088 --------- c:\windows\system32\CTSVCCTL.EXE
    2008-12-18 18:15 . 2008-12-18 18:16 <DIR> d-------- c:\program files\Creative
    2008-12-18 18:14 . 2008-12-20 17:40 <DIR> d-------- c:\documents and settings\David\Application Data\DivX
    2008-12-18 18:13 . 2008-12-18 18:13 <DIR> d-------- c:\program files\Vodei
    2008-12-18 18:13 . 2008-12-18 18:13 <DIR> d-------- c:\program files\DirectVobSub
    2008-12-18 18:12 . 2008-12-18 18:12 <DIR> d-------- c:\program files\VideoLAN
    2008-12-18 18:12 . 2008-12-18 18:12 <DIR> d-------- c:\program files\Gabest
    2008-12-18 18:11 . 2008-12-18 18:11 <DIR> d-------- c:\program files\eRightSoft
    2008-12-18 18:10 . 2009-01-17 12:19 <DIR> d-------- c:\program files\Steam
    2008-12-18 18:10 . 2008-12-18 18:10 <DIR> d-------- c:\program files\Spybot - Search & Destroy
    2008-12-18 18:10 . 2008-12-25 13:45 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-01-02 21:14 413,696 ----a-w c:\windows\system32\wrap_oal.dll
    2009-01-02 21:14 102,400 ----a-w c:\windows\system32\OpenAL32.dll
    2008-12-19 00:55 --------- d-----w c:\program files\microsoft frontpage
    2008-11-21 21:47 9,464 ------w c:\windows\system32\drivers\cdralw2k.sys
    2008-11-21 21:47 9,336 ------w c:\windows\system32\drivers\cdr4_xp.sys
    2008-11-21 21:47 524,288 ----a-w c:\windows\system32\DivXsm.exe
    2008-11-21 21:47 43,528 ------w c:\windows\system32\drivers\PxHelp20.sys
    2008-11-21 21:47 3,596,288 ----a-w c:\windows\system32\qt-dx331.dll
    2008-11-21 21:47 129,784 ------w c:\windows\system32\pxafs.dll
    2008-11-21 21:47 120,056 ------w c:\windows\system32\pxcpyi64.exe
    2008-11-21 21:47 118,520 ------w c:\windows\system32\pxinsi64.exe
    2008-11-21 21:46 200,704 ----a-w c:\windows\system32\ssldivx.dll
    2008-11-21 21:46 1,044,480 ----a-w c:\windows\system32\libdivx.dll
    2008-11-21 21:44 161,096 ----a-w c:\windows\system32\DivXCodecVersionChecker.exe
    2008-11-21 21:44 12,288 ----a-w c:\windows\system32\DivXWMPExtType.dll
    2008-11-05 20:23 49,152 ----a-r c:\windows\system32\inetwh32.dll
    2008-11-05 20:23 1,044,480 ----a-r c:\windows\system32\roboex32.dll
    2008-10-23 13:01 283,648 ----a-w c:\windows\system32\gdi32.dll
    2008-12-21 10:49 23,032 ----a-w c:\program files\mozilla firefox\components\browserdirprovider(2).dll
    2008-12-21 10:49 134,648 ----a-w c:\program files\mozilla firefox\components\brwsrcmp(2).dll
    2006-05-03 09:06 163,328 --sh--r c:\windows\system32\flvDX.dll
    2007-02-21 10:47 31,232 --sh--r c:\windows\system32\msfDX.dll

  3. #48
    Joined
    Jan 2004
    Posts
    7,499

    Re: Leave my ••••• alone!

    Last Part

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AIM"="c:\program files\AIM\aim.exe" [2004-03-12 61440]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
    "PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
    "PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-11-12 13672448]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-11-12 86016]
    "Cmaudio8788GX"="c:\windows\system\HsMgr.exe" [2008-07-11 200704]
    "DeadAIM"="c:\progra~1\AIM\\DeadAIM.ocm" [2004-02-28 144896]
    "CTCheck"="c:\program files\Creative\ZEN Media Explorer\CTCheck.exe" [2007-11-06 397312]
    "NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
    "lxcymon.exe"="c:\program files\Lexmark 3400 Series\lxcymon.exe" [2006-01-25 286720]
    "EzPrint"="c:\program files\Lexmark 3400 Series\ezprint.exe" [2006-02-06 98304]
    "FaxCenterServer"="c:\program files\Lexmark Fax Solutions\fm3032.exe" [2006-02-02 290816]
    "LXCYCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCYtime.dll" [2005-12-01 65536]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
    "WinFast Schedule"="c:\program files\WinFast\WFTVFM\WFWIZ.exe" [2006-07-07 348160]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-17 136600]
    "nwiz"="nwiz.exe" [2008-11-12 c:\windows\system32\nwiz.exe]
    "PtiuPbmd"="ulutil2.dll" [2003-11-05 c:\windows\system32\ulutil2.dll]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "vidc.ffds"= c:\progra~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\AIM\\aim.exe"=
    "c:\\Program Files\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=
    "c:\\Program Files\\Steam\\Steam.exe"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=

    R0 dontgo;Promise Removable Disk Control Driver;c:\windows\system32\drivers\dontgo.sys [2009-01-13 7680]
    R0 ulsata2;ulsata2;c:\windows\system32\drivers\ulsata2.sys [2009-01-13 108544]
    R3 cmudaxp;ASUS Xonar DX Audio Interface;c:\windows\system32\drivers\cmudaxp.sys [2008-12-18 1983424]
    R3 lxcy_device;lxcy_device;c:\windows\system32\lxcycoms.exe -service --> c:\windows\system32\lxcycoms.exe -service [?]
    R3 WFIOCTL;WFIOCTL;c:\program files\WinFast\WFTVFM\WFIOCTL.sys [2009-01-02 9446]
    .
    .
    ------- Supplementary Scan -------
    .
    FF - ProfilePath - c:\documents and settings\Force Commander\Application Data\Mozilla\Firefox\Profiles\wlta00p6.default\
    FF - component: c:\program files\Mozilla Firefox\components\browserdirprovider(2).dll
    FF - component: c:\program files\Mozilla Firefox\components\brwsrcmp(2).dll
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-01-17 13:30:16
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    LXCYCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCYtime.dll,_RunDLLEntry@16????????????????????????????? ???????????????????????????????????????????????????????????????????????????????????????????????????? ??????????????????????????????????????????????????

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\CTSVCCDA.EXE
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
    c:\windows\system32\nvsvc32.exe
    c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    c:\windows\system32\wdfmgr.exe
    c:\windows\system32\wscntfy.exe
    c:\windows\system32\rundll32.exe
    c:\windows\system32\lxcycoms.exe
    c:\windows\system32\uwdf.exe
    .
    **************************************************************************
    .
    Completion time: 2009-01-17 13:31:23 - machine was rebooted [Force Commander]
    ComboFix-quarantined-files.txt 2009-01-17 21:31:21
    ComboFix2.txt 2009-01-16 22:51:09

    Pre-Run: 174,528,966,656 bytes free
    Post-Run: 174,573,871,104 bytes free

    243 --- E O F --- 2008-12-19 03:36:44
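
The log above is long, and the three things a responder actually looks at in it are the driver files in system32\drivers, the boot-start (R0) services, and the Run-key entries. The script below is an added example, not a tool from this thread or from ComboFix: it parses a few lines copied from the log above (the sample is not the complete log) and flags three categories for follow-up: drivers whose file name looks machine-generated (the gaopdx driver that was the problem here), R0 drivers installed within the last two weeks (the Promise drivers are legitimate but are exactly what a responder should verify against the vendor), and Run values that name a .dll, which are executed through rundll32 (the LXCYCATS entry that catchme also reported). The 14-day window and the vowel-ratio threshold are assumptions chosen for illustration; a hit means "look this up", not "infected".

```python
import re
from datetime import date

# Constructed sample: a handful of lines in ComboFix's own format, copied from
# the log quoted in this thread. It is not the complete log.
SAMPLE_LOG = r"""
ComboFix 09-01-17.02 - Force Commander 2009-01-17 13:27:24.4 - NTFSx86
FILE ::
c:\windows\system32\drivers\gaopdxdltimrsv.sys
c:\windows\Tasks\Antispyware Scheduled Scan.job
.
2009-01-13 11:55 . 2006-04-06 17:52 108,544 --a------ c:\windows\system32\drivers\ulsata2.sys
2009-01-13 11:55 . 2004-06-29 14:25 7,680 --a------ c:\windows\system32\drivers\dontgo.sys
2008-12-26 19:56 . 2008-12-26 19:56 441,760 --a------ c:\windows\system32\drivers\timntr.sys
"LXCYCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCYtime.dll" [2005-12-01 65536]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-17 136600]
R0 dontgo;Promise Removable Disk Control Driver;c:\windows\system32\drivers\dontgo.sys [2009-01-13 7680]
R0 ulsata2;ulsata2;c:\windows\system32\drivers\ulsata2.sys [2009-01-13 108544]
R3 cmudaxp;ASUS Xonar DX Audio Interface;c:\windows\system32\drivers\cmudaxp.sys [2008-12-18 1983424]
"""

# ComboFix header line: "ComboFix <version> - <user> <date> <time> - ..."
SCAN_DATE_RE = re.compile(r"^ComboFix \S+ - .* (\d{4}-\d{2}-\d{2}) \d{2}:\d{2}:\d{2}", re.M)
# Service lines: "R0 name;description;path [yyyy-mm-dd size]"
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.+?)\s+\[(\d{4}-\d{2}-\d{2}) (\d+)\]$")
# Run-key lines: "value"="target" [info]
RUNKEY_RE = re.compile(r'^"([^"]+)"="([^"]*)"(?:\s+\[([^\]]*)\])?$')
# Any path ending in \drivers\<name>.sys
DRIVER_FILE_RE = re.compile(r"\\drivers\\([^\\\s]+)\.sys$", re.I)


def looks_random(stem):
    """Heuristic only (assumed thresholds): a long, all-lowercase, vowel-poor
    name such as the gaopdx... driver in this thread. Vendor names like
    ulsata2 or cmudaxp pass. A hit means 'look this file up', nothing more."""
    if len(stem) < 10 or not stem.isalpha() or not stem.islower():
        return False
    return sum(c in "aeiou" for c in stem) / len(stem) < 0.25


def triage(log_text, recent_days=14):
    """Return (category, name, detail) tuples worth a second look."""
    findings = []
    m = SCAN_DATE_RE.search(log_text)
    scan_date = date.fromisoformat(m.group(1)) if m else None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SERVICE_RE.match(line)
        if m:
            start, name, _desc, path, file_date, _size = m.groups()
            age = (scan_date - date.fromisoformat(file_date)).days if scan_date else None
            # R0 drivers load at boot, before any AV; a brand-new one deserves a vendor check.
            if start == "R0" and age is not None and age <= recent_days:
                findings.append(("recent-boot-driver", name, f"{path} ({age} days old)"))
            d = DRIVER_FILE_RE.search(path)
            if d and looks_random(d.group(1)):
                findings.append(("random-name-driver", name, path))
            continue
        m = RUNKEY_RE.match(line)
        if m:
            value_name, target, _info = m.groups()
            # A Run entry naming a .dll is executed through rundll32, which is how
            # catchme reported LXCYCATS above; establish what the DLL belongs to.
            if target.lower().endswith(".dll"):
                findings.append(("run-key-dll", value_name, target))
            continue
        # FILE :: block and "Files Created" listing: bare paths
        d = DRIVER_FILE_RE.search(line)
        if d and looks_random(d.group(1)):
            findings.append(("random-name-driver", d.group(1) + ".sys", line))
    return findings


if __name__ == "__main__":
    for category, name, detail in triage(SAMPLE_LOG):
        print(f"{category:20} {name:20} {detail}")
```

Run against the full log, the same three rules would surface the gaopdxdltimrsv.sys entry, the two Promise drivers from 2009-01-13 (legitimate, but verify the install matches the hardware) and the Lexmark LXCYtime.dll Run value; everything else in the Run key points at an .exe with a recognisable vendor path.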

  4. #49
    Joined
    Jan 2004
    Posts
    7,499

    Re: Leave my ••••• alone!

    Is it possible for malware to get on my MP3 player? I saw how that "autorun" thing was on every partition and I'm pretty sure my Creative player was docked the whole time.

  5. #50
    Joined
    Jan 2008
    Posts
    115

    Re: Leave my ••••• alone!

    It's possible, but not probable. Can you send me a HijackThis! log? I can take a look at it for you.

    If you need to delete any files, this program will unlock and delete any file regardless of what it's being used by. If it cannot delete it from Windows, it will tell you that it can do it on your next reboot.

    http://ccollomb.free.fr/unlocker/

    Also, check that you don't have any rundll32.exe programs running.

    Finally, this program is extremely helpful, and very effective at problems like yours (it has helped me a lot!):
    http://www.malwarebytes.org/

    Good luck!

  6. #51
    Joined
    Jul 2003
    Location
    Australia
    Posts
    14,223

    Re: Leave my ••••• alone!

    Quote Originally Posted by fatlazyhomer
    Ok thanks.

    Alright, so here's what happened:

    I logged into the Recovery Console and saw Windows installations F: & D: instead of C: & H:

    I mapped it and saw that F/D was 200/100 GB, which matches C/H, so I worked under the assumption that F: = C:

    I tried to use the command "del F:\windows\system32\drivers\gaopd*.sys" since I didn't know how to "navigate" in there.

    It said I couldn't delete wildcards, so I turned that on and retyped the command. I didn't see any log of the deletion, so I retyped it and it said file not found. So I'm guessing it was deleted.

    Booted back into Windows. Updated ComboFix. Used the CFScript and ran it again. This is the new log:
    Excellent. The CF log now appears to be clean. Now what you need to do is run a couple of AV scanners on there. If you can't get Kaspersky Online Scanner going, try ESET Online Scanner, F-Secure Online Scanner and/or Trend Micro HouseCall. It doesn't hurt to have scanned with several scanners. It does become a problem when you have more than one virus removal program installed and they're both/all trying to do real-time scanning.

    Let us know how you go. I'd also like you to read through the Spyware, Viruses and Trojans sticky. It'll give you a better idea of how you can minimise the risk of infection.


    Quote Originally Posted by fatlazyhomer
    Is it possible for malware to get on my MP3 player? I saw how that "autorun" thing was on every partition and I'm pretty sure my Creative player was docked the whole time.
    Very easily - particularly if you use P2P downloading software and acquire music illegally. These days just about any file type can be infected, including music and image files.

    Quote Originally Posted by masterscape
    It's possible, but not probable. Can you send me a HijackThis! log? I can take a look at it for you.
    Already done. See post #40 of this thread. Looks clean to me, despite the fact that there are a large number of programs running. I always welcome another set of eyes cross-checking. I think Ned's already skimmed over these logs too.

    Quote Originally Posted by masterscape
    If you need to delete any files, this program will unlock and delete any file regardless of what it's being used by. If it cannot delete it from Windows, it will tell you that it can do it on your next reboot.

    http://ccollomb.free.fr/unlocker/

    Also, check that you don't have any rundll32.exe programs running.

    Finally, this program is extremely helpful, and very effective at problems like yours (it has helped me a lot!):
    http://www.malwarebytes.org/

    Good luck!
    He's already run MBAM too (see post #26). Provided that the temp directories have been purged properly and System Restore has been disabled and re-enabled, then the infections it found should be gone. I agree that Unlocker is a good program, but I have my doubts about its effectiveness when dealing with memory-resident infections and preventing them from proliferating upon deletion (as was the case with the gaopd*.sys files).
    Last edited by Mjölnir; 01-17-2009 at 10:36 PM.

  7. #52
    Joined
    Jan 2004
    Posts
    7,499

    Re: Leave my ••••• alone!

    I can get Kaspersky Online going; I just can't install the trial version.

    How do I scan my MP3 player to make sure nothing is festering on it?

    This ordeal was quite a wake-up call. Thanks for all the help.

    Just wondering, are Ad-Aware and Spybot S&D obsolete?

  8. #53
    Joined
    Jul 2003
    Location
    Australia
    Posts
    14,223

    Re: Leave my ••••• alone!

    Quote Originally Posted by fatlazyhomer
    I can get Kaspersky Online going; I just can't install the trial version.

    How do I scan my MP3 player to make sure nothing is festering on it?
    Don't worry about the trial version. Just run the online scanner. Leave your MP3 player plugged in before you load online scanners and then set them to scan "My Computer" - it'll scan all storage devices on your PC.

    If you wanted to buy Kaspersky Internet Security Suite (a good choice), worry about not being able to install that when the time comes. You can post errors here.

    Quote Originally Posted by fatlazyhomer
    This ordeal was quite a wake-up call. Thanks for all the help.

    Just wondering, are Ad-Aware and Spybot S&D obsolete?
    Yeah, it's never nice having this crap on your PC. So many different infection types these days, and they're getting harder to remove. As for Ad-Aware and Spybot, they're not really obsolete; it's more that there are better solutions out there, and also many infections are now designed to circumvent them and other AV programs.

    Glad to be of service, and thanks for the feedback.

  9. #54
    Joined
    Jan 2004
    Posts
    7,499

    Re: Leave my ••••• alone!

    I have another PC infected with this. The one I was having trouble with in the OP is my main computer, which I took to the dorms with me. I did leave an old eMachine back home and I occasionally transfer stuff between them using an external hard drive. It turns out that the eMachine at home has the same malware (it may even be the source), but I had already plugged my external in before I found out. I'm afraid that if I were to plug the external into my main when I get back, it would get reinfected. Is there anything I can do? The eMachine is unbearably slow, and it would be miserable to clean it. Since there's no important information on this computer, can I just leave it infected? And simply sweep the external before plugging it into my main? I have the Windows install CD. Instead of sweeping it, can I just reinstall Windows to start with a blank slate?

  10. #55
    Joined
    Jul 2003
    Location
    Australia
    Posts
    14,223

    Re: Leave my ••••• alone!

    If you turn off any autoplay options (like Windows Autoplay, image software that scans devices for images, etc), then you can probably get away with plugging it in and running a few antivirus scans on it. I'd start with the AV software that you have installed and then try online scanners like Kaspersky Online Scanner.

    Judging by the infection that we've just cleaned up (and if the other PC has the same stuff), I doubt that they'd infect the USB HDD, but it's possible that the source is on the USB HDD, so it is worth scanning.
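
The advice above has two halves: turn off AutoRun before the drive is connected, and then scan it. What AutoRun actually acts on is the autorun.inf in the drive's root, so the first check a practitioner makes on a suspect USB disk is to read that file and see whether it merely sets an icon and label or whether it launches something from the volume. The Python below is an added example, not code from this thread or from any tool named in it. It parses two constructed autorun.inf files (a benign icon/label one and one with the shape of a worm's dropper, padded with a junk line as some worms did to hide the directives), reports which directives would execute a file, and composes the NoDriveTypeAutoRun policy value that disables AutoRun for all drive types (0xFF), alongside the XP default of 0x91 that leaves removable and fixed drives enabled. The file names RECYCLER\setup.exe and player.ico are invented for the sample.

```python
# Constructed samples (not files from this thread). The first is the kind of
# autorun.inf a player or vendor ships; the second has the shape of a worm's
# dropper, with a junk line that some worms used to obscure the directives.
BENIGN_AUTORUN = r"""[autorun]
icon=player.ico
label=Creative ZEN
"""

SUSPICIOUS_AUTORUN = r"""[AutoRun]
rLkVXs@#!~ filler with no equals sign
open=RECYCLER\setup.exe
shellexecute=RECYCLER\setup.exe
shell\open\command=RECYCLER\setup.exe
shell\explore\command=RECYCLER\setup.exe
shell=open
"""

# Directives that run a program when the drive is inserted or double-clicked.
LAUNCH_KEYS = ("open", "shellexecute")


def parse_autorun(text):
    """Collect key=value pairs from the [autorun] section (case-insensitive),
    skipping blank, comment and junk lines instead of failing on them."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def assess_autorun(text):
    """Return ('launches code', reasons) if any directive would execute a file
    from the volume, otherwise ('icon/label only', [])."""
    reasons = []
    for key, value in parse_autorun(text).items():
        # open=, shellexecute= and shell\<verb>\command= all name a program on the drive
        if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            reasons.append(f"{key} -> {value}")
    return ("launches code" if reasons else "icon/label only", reasons)


# One bit per drive type in HKLM\...\Policies\Explorer\NoDriveTypeAutoRun (REG_DWORD);
# a set bit disables AutoRun for that type. XP's default of 0x91 leaves removable
# and fixed drives (a USB HDD, a docked MP3 player) enabled; 0xFF disables all.
DRIVE_TYPE_BITS = {
    "unknown": 0x01, "no_root_dir": 0x02, "removable": 0x04, "fixed": 0x08,
    "remote": 0x10, "cdrom": 0x20, "ramdisk": 0x40, "reserved": 0x80,
}
XP_DEFAULT = 0x91


def no_drive_type_autorun(*disabled_types):
    """Compose the DWORD that disables AutoRun for the given drive types."""
    return sum(DRIVE_TYPE_BITS[t] for t in disabled_types)


def autorun_enabled_for(value, drive_type):
    return not value & DRIVE_TYPE_BITS[drive_type]


def registry_fix(value=0xFF):
    """Text of a .reg file that sets the policy machine-wide (takes effect at next logon)."""
    return ("Windows Registry Editor Version 5.00\r\n\r\n"
            "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer]\r\n"
            f'"NoDriveTypeAutoRun"=dword:{value:08x}\r\n')


if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_AUTORUN), ("suspicious", SUSPICIOUS_AUTORUN)):
        verdict, reasons = assess_autorun(sample)
        print(f"{name}: {verdict}", *reasons, sep="\n  ")
    print(registry_fix())
```

Merge the .reg output (or set the value in Group Policy) on the clean PC before the external drive is plugged in, then read the drive's autorun.inf from a command prompt rather than double-clicking the drive in Explorer. XP builds of this era did not honour the policy consistently until Microsoft later shipped an AutoRun update, so the order of operations in the post above still stands: disable AutoRun, connect, scan, and only then browse.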

  11. #56
    Joined
    Jan 2004
    Posts
    7,499

    Re: Leave my ••••• alone!

    OK, but would formatting and reinstalling Windows clean everything?

  12. #57
    Joined
    Jul 2003
    Location
    Australia
    Posts
    14,223

    Re: Leave my ••••• alone!

    Quote Originally Posted by fatlazyhomer
    OK, but would formatting and reinstalling Windows clean everything?
    The old PC? Yeah. It's highly unlikely that the old PC has a boot-sector virus on it.

    Does it only have one drive and one partition? If there are additional partitions that you're not formatting, you should scan them with AV software.

  13. #58
    Joined
    Feb 2001
    Location
    near the sea-port of Antwerp, Belgium
    Posts
    12,856

    Re: Leave my ••••• alone!


    If there's no important data on it, I would certainly delete and format the whole drive! That eradicates all viruses but the ones in the MBR.

    When you re-install, you can easily format the drive during the Windows install sequence.
    You could also (re-)format a part of the drive, install Windows and, after booting the first time, open the Disk Manager and create and format the other partitions you want (from Windows).

    That's the way I've always installed with extra partitions.

    This makes the Windows install a bit faster (on a smaller partition / integrity check), and it is very easy to create and format from Windows.



  14. #59
    Joined
    Jan 2004
    Posts
    7,499

    Re: Leave my ••••• alone!

    I formatted it and scanned the external with Malwarebytes. Everything seems OK thus far.

  15. #60
    Joined
    Jul 2003
    Location
    Australia
    Posts
    14,223

    Re: Leave my ••••• alone!

    You should probably also run a virus scanner on there.
