PullingMyHairOut
Members, 14 posts
Everything posted by PullingMyHairOut

  1. I can't thank you enough for your patience and help. Just made a donation. Now I'm off to reinstall a few things and get back to work! Thanks again!
  2. Couple quick things - How should I go about putting Java back? Adobe Reader? And can I go ahead and reinstall ESET NOD32 now?
  3. I see no annoying debugging messages, and Google works fine. Yay! As for Avenger, when I unzipped it there was nothing in the zip file but the exe. It did not create a folder on the desktop. There is a c:\avenger folder since it ran that contains a backup.zip. Is that what you want? Also, what do I do about the submission to bleepingcomputer that I couldn't do before?
  4. Ran without a problem this time. Thanks for all your help, BTW. What's next?

     ComboFix 10-06-09.04 - djdonohu 06/10/2010 13:30:44.6.2 - x86
     Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2559.1972 [GMT -4:00]
     Running from: c:\documents and settings\djdonohu\Desktop\Combo-Fix.exe
     .
     ((((((((((((((((((((((((( Files Created from 2010-05-10 to 2010-06-10 )))))))))))))))))))))))))))))))
     .
     2010-06-10 13:30 . 2010-06-10 13:56 -------- d-----w- C:\Combo-Fix
     2010-06-10 06:18 . 2010-06-10 06:18 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ESET
     2010-06-08 20:27 . 2010-06-08 20:27 63488 ----a-w- c:\documents and settings\djdonohu\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
     2010-06-08 20:27 . 2010-06-08 20:27 52224 ----a-w- c:\documents and settings\djdonohu\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
     2010-06-08 20:27 . 2010-06-08 20:27 117760 ----a-w- c:\documents and settings\djdonohu\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
     2010-06-08 20:26 . 2010-06-08 20:26 -------- d-----w- c:\documents and settings\djdonohu\Application Data\SUPERAntiSpyware.com
     2010-06-08 20:26 . 2010-06-08 20:26 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
     2010-06-08 20:26 . 2010-06-08 20:26 -------- d-----w- c:\program files\SUPERAntiSpyware
     2010-06-08 19:54 . 2010-06-08 19:54 12872 ----a-w- c:\windows\system32\bootdelete.exe
     2010-06-08 16:48 . 2010-06-08 16:48 -------- d-----w- c:\documents and settings\djdonohu\Local Settings\Application Data\ESET
     2010-06-08 15:49 . 2010-06-08 20:15 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
     2010-06-08 15:49 . 2010-06-08 19:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
     2010-06-08 15:49 . 2010-06-08 15:49 -------- d-----w- c:\program files\Hitman Pro 3.5
     2010-05-30 15:32 . 2010-05-30 15:32 -------- d-----w- c:\program files\Flip Video
     2010-05-14 16:38 . 2010-05-14 16:38 4732800 ----a-w- c:\documents and settings\All Users\Application Data\Flip Video\FlipShare\Updates\FirmwareExec_Windows_en-US_83.06_83.07\FlipVideoFWUpdate.exe
     .
     (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     2010-06-10 15:24 . 2005-12-23 04:14 -------- d-----w- c:\documents and settings\djdonohu\Application Data\Apple Computer
     2010-06-09 13:29 . 2010-06-08 15:32 -------- d-----w- c:\documents and settings\All Users\Application Data\SecTaskMan
     2010-06-08 14:04 . 2005-11-27 08:59 -------- d-----w- c:\program files\Symantec
     2010-06-08 02:04 . 2006-10-09 19:39 664 ----a-w- c:\windows\system32\d3d9caps.dat
     2010-06-04 17:22 . 2009-03-15 18:36 -------- d-----w- c:\program files\Microsoft Silverlight
     2010-06-04 17:22 . 2009-02-09 02:38 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
     2010-05-14 01:52 . 2007-04-08 21:03 -------- d-----w- c:\documents and settings\djdonohu\Application Data\VideoReDoPlus
     2010-05-14 01:39 . 2007-04-08 21:04 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
     2010-05-13 00:28 . 2005-12-23 03:55 -------- d-----w- c:\program files\Common Files\Real
     2010-05-13 00:23 . 2010-05-08 20:29 -------- d-----w- c:\program files\Replay Media Catcher
     2010-05-09 01:47 . 2010-05-09 01:17 20854256 ----a-w- c:\documents and settings\djdonohu\Application Data\Real\Update\setup3.10\rp\RealPlayerSPGold.exe
     2010-05-08 20:30 . 2010-05-08 20:30 237568 ----a-w- c:\windows\system32\rmc_rtspdl.dll
     2010-05-08 20:30 . 2010-05-08 20:30 156672 ----a-w- c:\windows\system32\rmc_fixasf.exe
     2010-05-08 19:42 . 2008-07-08 19:33 -------- d-----w- c:\program files\URLSnooper2
     2010-05-08 18:48 . 2008-07-08 19:33 -------- d-----w- c:\program files\WinPcap
     2010-05-04 05:25 . 2010-05-04 05:24 -------- d-----w- c:\program files\iTunes
     2010-05-04 05:24 . 2010-05-04 05:24 -------- d-----w- c:\program files\iPod
     2010-05-04 05:24 . 2007-07-01 03:49 -------- d-----w- c:\program files\Common Files\Apple
     2010-05-04 05:19 . 2010-03-03 09:17 439816 ----a-w- c:\documents and settings\djdonohu\Application Data\Real\Update\setup3.10\setup.exe
     2010-05-04 05:13 . 2010-05-04 05:13 -------- d-----w- c:\program files\Bonjour
     2010-05-04 04:26 . 2010-05-04 04:26 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.1.12\SetupAdmin.exe
     2010-05-02 01:17 . 2010-05-02 01:17 13407072 ----a-w- c:\documents and settings\djdonohu\Application Data\Real\Update\setup3.10\chr\ChromeInstaller.exe
     2010-04-29 19:39 . 2009-06-18 21:27 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
     2010-04-29 19:39 . 2009-06-18 21:27 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
     2010-04-12 21:29 . 2010-04-17 21:42 411368 ----a-w- c:\windows\system32\deployJava1.dll
     2010-04-08 17:20 . 2010-04-08 17:20 91424 ----a-w- c:\windows\system32\dnssd.dll
     2010-04-08 17:20 . 2010-04-08 17:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
     2009-12-25 06:35 . 2009-12-25 06:35 30 ----a-w- c:\program files\Exiferupdate.ini
     .
     ((((((((((((((((((((((((((((( SnapShot_2010-06-09_14.13.48 )))))))))))))))))))))))))))))))))))))))))
     .
     + 2010-06-10 17:15 . 2010-06-10 17:15 16384 c:\windows\Temp\Perflib_Perfdata_808.dat
     + 2004-08-09 20:44 . 2010-06-10 17:19 71904 c:\windows\system32\perfc009.dat
     - 2004-08-09 20:44 . 2010-06-09 14:14 71904 c:\windows\system32\perfc009.dat
     + 2001-08-17 20:46 . 2001-08-17 20:46 4224 c:\windows\system32\dllcache\rdpcdd.sys
     + 2004-08-09 20:44 . 2010-06-10 17:19 444028 c:\windows\system32\perfh009.dat
     - 2004-08-09 20:44 . 2010-06-09 14:14 444028 c:\windows\system32\perfh009.dat
     .
     ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     .
     *Note* empty entries & legit default entries are not shown
     REGEDIT4

     [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "MoneyAgent"="c:\program files\Microsoft Money\System\Money Express.exe" [2001-07-25 184376]
     "NetXfer"="c:\program files\Xi\NetXfer\NetTransport.exe" [2010-04-24 1853952]
     "TranscodingService"="c:\program files\TiVo\Desktop\TranscodingService.exe" [2009-01-27 520192]
     "TivoNotify"="c:\program files\TiVo\Desktop\TiVoNotify.exe" [2009-01-27 425472]
     "TivoServer"="c:\program files\TiVo\Desktop\TiVoServer.exe" [2009-01-27 2143232]

     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "PDF Complete"="c:\program files\PDF Complete\pdfsty.exe" [2006-01-04 219648]
     "SetRefresh"="c:\program files\COMPAQ\SetRefresh\\SetRefresh.exe" [2003-11-20 525824]
     "MoneyStartUp10.0"="c:\program files\Microsoft Money\System\Activation.exe" [2001-07-25 241714]
     "Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 57344]
     "CoolSwitch"="c:\windows\system32\taskswitch.exe" [2002-03-19 45632]
     "igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
     "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
     "igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
     "Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 69632]
     "HPHmon04"="c:\windows\system32\hphmon04.exe" [2002-11-22 348160]
     "ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-02-02 339968]
     "RoxioDragToDisc"="c:\program files\Roxio\Easy Media Creator 8\Drag to Disc\DrgToDsc.exe" [2005-10-21 1687552]
     "RoxWatchTray"="c:\program files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe" [2005-10-21 163840]
     "ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 90112]
     "ProxyHostTrayIcon"="c:\program files\Funk Software\Proxy Host\phtray.exe" [2005-04-25 263184]
     "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-03-17 47392]
     "NapsterShell"="c:\program files\Napster\napster.exe" [2006-06-29 319488]
     "QuickTime Task"="c:\program files\QuickTime Alternative\qttask.exe" [2010-03-18 421888]
     "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]

     c:\documents and settings\djdonohu\Start Menu\Programs\Startup\
     Microsoft Office OneNote 2003 Quick Launch.lnk - c:\program files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2007-4-19 64864]

     c:\documents and settings\All Users\Start Menu\Programs\Startup\
     Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-10-4 113664]
     Microsoft Office OneNote 2003 Quick Launch.lnk - c:\program files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2007-4-19 64864]
     QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2005-12-8 811008]

     [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
     "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

     [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
     2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

     [HKEY_LOCAL_MACHINE\software\microsoft\security center]
     "AntiVirusOverride"=dword:00000001

     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
     "%windir%\\system32\\sessmgr.exe"=
     "c:\\SIERRA\\SIGSPAT.EXE"=
     "c:\\Program Files\\Intuit\\QuickBooks 2006\\QBDBMgrN.exe"=
     "c:\\Program Files\\Xi\\NetXfer\\NetTransport.exe"=
     "c:\\Program Files\\Microsoft Office\\OFFICE11\\FRONTPG.EXE"=
     "c:\\Program Files\\Microsoft Office\\OFFICE11\\WINWORD.EXE"=
     "c:\\Program Files\\GoldWave\\GoldWave.exe"=
     "c:\\Program Files\\Roxio\\Easy Media Creator 8\\Creator Classic\\creator8.exe"=
     "c:\\Program Files\\Common Files\\Roxio Shared\\SharedCom\\RoxUpnpRenderer.exe"=
     "c:\\Program Files\\Funk Software\\Proxy Master\\Proxy.exe"=
     "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
     "c:\\Program Files\\Microsoft Money\\System\\urlmap.exe"=
     "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
     "c:\\Program Files\\iTunes\\iTunes.exe"=
     "c:\\Program Files\\Roxio\\Easy Media Creator 8\\Digital Home\\RoxUpnpServer.exe"=

     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
     "1505:TCP"= 1505:TCP:proxy

     R0 dontgo;Promise Removable Disk Control Driver;c:\windows\system32\drivers\dontgo.sys [2/15/2005 4:22 PM 7680]
     R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]
     R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 2:41 PM 67656]
     R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [10/20/2009 2:19 PM 50704]
     R3 FTEventService;FTEVTBDG;c:\program files\Promise Technology, Inc\Promise Array Management\FTEVTBDG.sys [12/19/2005 1:23 AM 3873]
     R3 ProxyHostInputFilter;Proxy Host Input Filter;c:\windows\system32\drivers\ph32ifil.sys [4/25/2005 12:55 PM 13328]
     S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
     S2 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe [10/4/2004 5:47 AM 98304]
     S3 ProxyHostHIDFilter;Proxy Host HID Filter;c:\windows\system32\drivers\ph32ihid.sys [4/25/2005 12:55 PM 14736]

     [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
     HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
     .
     Contents of the 'Scheduled Tasks' folder

     2010-05-31 c:\windows\Tasks\AppleSoftwareUpdate.job
     - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

     2010-06-06 c:\windows\Tasks\ParetoLogic Registration.job
     - c:\program files\Common Files\ParetoLogic\UUS2\UUS.dll [2008-02-22 17:25]

     2010-06-09 c:\windows\Tasks\ParetoLogic Update Version2.job
     - c:\program files\Common Files\ParetoLogic\UUS2\Pareto_Update.exe [2008-02-22 17:25]
     .
     .
     ------- Supplementary Scan -------
     .
     uStart Page = hxxp://www.coasttocoastam.com/shows/2009/08/01
     uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
     mSearch Bar = hxxp://go.compaq.com/1Q00CDT/0409/bl8.asp
     uInternet Settings,ProxyOverride = <local>
     uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
     IE: Download all by NetXfer - c:\program files\Xi\NetXfer\NXAddList.html
     IE: Download by NetXfer - c:\program files\Xi\NetXfer\NXAddLink.html
     IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
     IE: Sothink SWF Catcher - c:\program files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
     .
     **************************************************************************
     catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
     Rootkit scan 2010-06-10 13:36
     Windows 5.1.2600 Service Pack 3 NTFS
     scanning hidden processes ...
     scanning hidden autostart entries ...
     scanning hidden files ...
     scan completed successfully
     hidden files: 0
     **************************************************************************
     .
     --------------------- LOCKED REGISTRY KEYS ---------------------
     [HKEY_USERS\S-1-5-21-1893879213-397398424-1457653958-1005\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{EED80E61-38D4-693F-2531-13C8946D43FE}*]
     @Allowed: (Read) (RestrictedCode)
     @Allowed: (Read) (RestrictedCode)
     .
     --------------------- DLLs Loaded Under Running Processes ---------------------
     - - - - - - - > 'winlogon.exe'(784)
     c:\program files\SUPERAntiSpyware\SASWINLO.DLL
     c:\windows\system32\WININET.dll
     c:\windows\system32\Ati2evxx.dll
     c:\windows\system32\NavLogon.dll

     - - - - - - - > 'explorer.exe'(252)
     c:\windows\system32\WININET.dll
     c:\windows\system32\ieframe.dll
     c:\windows\system32\WPDShServiceObj.dll
     c:\windows\system32\PortableDeviceTypes.dll
     c:\windows\system32\PortableDeviceApi.dll
     .
     Completion time: 2010-06-10 13:38:30
     ComboFix-quarantined-files.txt 2010-06-10 17:38
     ComboFix2.txt 2010-06-10 15:48
     ComboFix3.txt 2010-06-10 13:56
     ComboFix4.txt 2010-06-09 14:21
     ComboFix5.txt 2010-06-10 16:27
     Pre-Run: 10,297,065,472 bytes free
     Post-Run: 10,259,484,672 bytes free
     - - End Of File - - 31108C49EE532F3174BCBFF17709B0B7
  5. Okay, did that. Here's the Avenger log. Your instructions said to include a HijackThis log, but we haven't run that before. Should I use something else I already have, or can you tell me where to find HJT?

     Logfile of The Avenger Version 2.0, © by Swandog46
     http://swandog46.geekstogo.com

     Platform: Windows XP

     *******************

     Script file opened successfully.
     Script file read successfully.

     Backups directory opened successfully at C:\Avenger

     *******************

     Beginning to process script file:

     Rootkit scan active.
     No rootkits found!

     Driver "yhdjmscdaloaxux" disabled successfully.

     Error: could not open driver "awcrthnlcx"
     Disablement of driver "awcrthnlcx" failed!
     Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
     --> the object does not exist

     Driver "yhdjmscdaloaxux" deleted successfully.

     Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\awcrthnlcx" not found!
     Deletion of driver "awcrthnlcx" failed!
     Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
     --> the object does not exist

     Error: file "c:\windows\system32\drivers\awcrthnlcx.sys" not found!
     Deletion of file "c:\windows\system32\drivers\awcrthnlcx.sys" failed!
     Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
     --> the object does not exist

     Error: file "c:\windows\system32\drivers\yhdjmscdaloaxux.sys" not found!
     Deletion of file "c:\windows\system32\drivers\yhdjmscdaloaxux.sys" failed!
     Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
     --> the object does not exist

     Completed script processing.

     *******************

     Finished! Terminate.
  6. Okay, a few problems. First of all, it seems the problem of the missing CF quarantine file might be related to ESET antivirus. What's happening is that I disable it, then CF says it needs to reboot. But when it restarts, CF runs immediately, but the rest of the normal startup also occurs, while CF is still running, including the antivirus starting up. ESET is then interfering with the CF scan. I might be wrong, but it seems to me that the previous version of CF, before the update today, would run after the reboot but would just sit there on a blank desktop and not let the startup proceed until CF was finished. Next, on the last step, when CF restarts on its own then prints the report, it failed. The restart happened, I think CF was starting up, then I got a blue screen. The only thing I could make out was the cause of it was eamon.sys, then it rebooted. CF did not restart this time, so no log file. Should I run it again? What about the AV?
  7. Hmmm. Step 1, there is no such file in that directory. There are 3 folders, a log and a txt file. Step 2 is running now.
  8. Okay, I said yes to the update, it downloaded and continued to run. Here's the log. The only thing I wasn't clear on was whether I should have run it again since I started it by dragging the CFScript file to it. I wasn't sure that the CFScript would still run after the update when ComboFix ran the new version automatically.

     ComboFix 10-06-09.04 - djdonohu 06/10/2010 11:25:29.4.2 - x86
     Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2559.1972 [GMT -4:00]
     Running from: c:\documents and settings\djdonohu\Desktop\Combo-Fix.exe
     Command switches used :: c:\documents and settings\djdonohu\Desktop\CFScript.txt
     AV: ESET NOD32 Antivirus 4.2 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
     .
     ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
     .
     Infected copy of c:\windows\system32\drivers\rdpcdd.sys was found and disinfected
     Restored copy from - Kitty had a snack
     .
     ((((((((((((((((((((((((( Files Created from 2010-05-10 to 2010-06-10 )))))))))))))))))))))))))))))))
     .
     2010-06-10 13:30 . 2010-06-10 13:56 -------- d-----w- C:\Combo-Fix
     2010-06-10 06:18 . 2010-06-10 06:18 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ESET
     2010-06-08 20:27 . 2010-06-08 20:27 63488 ----a-w- c:\documents and settings\djdonohu\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
     2010-06-08 20:27 . 2010-06-08 20:27 52224 ----a-w- c:\documents and settings\djdonohu\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
     2010-06-08 20:27 . 2010-06-08 20:27 117760 ----a-w- c:\documents and settings\djdonohu\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
     2010-06-08 20:26 . 2010-06-08 20:26 -------- d-----w- c:\documents and settings\djdonohu\Application Data\SUPERAntiSpyware.com
     2010-06-08 20:26 . 2010-06-08 20:26 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
     2010-06-08 20:26 . 2010-06-08 20:26 -------- d-----w- c:\program files\SUPERAntiSpyware
     2010-06-08 19:54 . 2010-06-08 19:54 12872 ----a-w- c:\windows\system32\bootdelete.exe
     2010-06-08 16:48 . 2010-06-08 16:48 -------- d-----w- c:\documents and settings\djdonohu\Local Settings\Application Data\ESET
     2010-06-08 15:49 . 2010-06-08 20:15 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
     2010-06-08 15:49 . 2010-06-08 19:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
     2010-06-08 15:49 . 2010-06-08 15:49 -------- d-----w- c:\program files\Hitman Pro 3.5
     2010-06-08 14:37 . 2010-06-08 14:37 -------- d-----w- c:\program files\ESET
     2010-06-08 14:37 . 2010-06-08 14:37 -------- d-----w- c:\documents and settings\All Users\Application Data\ESET
     2010-05-30 15:32 . 2010-05-30 15:32 -------- d-----w- c:\program files\Flip Video
     2010-05-14 16:38 . 2010-05-14 16:38 4732800 ----a-w- c:\documents and settings\All Users\Application Data\Flip Video\FlipShare\Updates\FirmwareExec_Windows_en-US_83.06_83.07\FlipVideoFWUpdate.exe
     .
     (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     2010-06-10 15:24 . 2005-12-23 04:14 -------- d-----w- c:\documents and settings\djdonohu\Application Data\Apple Computer
     2010-06-09 13:29 . 2010-06-08 15:32 -------- d-----w- c:\documents and settings\All Users\Application Data\SecTaskMan
     2010-06-08 14:04 . 2005-11-27 08:59 -------- d-----w- c:\program files\Symantec
     2010-06-08 02:04 . 2006-10-09 19:39 664 ----a-w- c:\windows\system32\d3d9caps.dat
     2010-06-04 17:22 . 2009-03-15 18:36 -------- d-----w- c:\program files\Microsoft Silverlight
     2010-06-04 17:22 . 2009-02-09 02:38 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
     2010-05-14 01:52 . 2007-04-08 21:03 -------- d-----w- c:\documents and settings\djdonohu\Application Data\VideoReDoPlus
     2010-05-14 01:39 . 2007-04-08 21:04 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
     2010-05-13 00:28 . 2005-12-23 03:55 -------- d-----w- c:\program files\Common Files\Real
     2010-05-13 00:23 . 2010-05-08 20:29 -------- d-----w- c:\program files\Replay Media Catcher
     2010-05-09 01:47 . 2010-05-09 01:17 20854256 ----a-w- c:\documents and settings\djdonohu\Application Data\Real\Update\setup3.10\rp\RealPlayerSPGold.exe
     2010-05-08 20:30 . 2010-05-08 20:30 237568 ----a-w- c:\windows\system32\rmc_rtspdl.dll
     2010-05-08 20:30 . 2010-05-08 20:30 156672 ----a-w- c:\windows\system32\rmc_fixasf.exe
     2010-05-08 19:42 . 2008-07-08 19:33 -------- d-----w- c:\program files\URLSnooper2
     2010-05-08 18:48 . 2008-07-08 19:33 -------- d-----w- c:\program files\WinPcap
     2010-05-04 05:25 . 2010-05-04 05:24 -------- d-----w- c:\program files\iTunes
     2010-05-04 05:24 . 2010-05-04 05:24 -------- d-----w- c:\program files\iPod
     2010-05-04 05:24 . 2007-07-01 03:49 -------- d-----w- c:\program files\Common Files\Apple
     2010-05-04 05:19 . 2010-03-03 09:17 439816 ----a-w- c:\documents and settings\djdonohu\Application Data\Real\Update\setup3.10\setup.exe
     2010-05-04 05:13 . 2010-05-04 05:13 -------- d-----w- c:\program files\Bonjour
     2010-05-04 04:26 . 2010-05-04 04:26 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.1.12\SetupAdmin.exe
     2010-05-02 01:17 . 2010-05-02 01:17 13407072 ----a-w- c:\documents and settings\djdonohu\Application Data\Real\Update\setup3.10\chr\ChromeInstaller.exe
     2010-04-29 19:39 . 2009-06-18 21:27 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
     2010-04-29 19:39 . 2009-06-18 21:27 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
     2010-04-12 21:29 . 2010-04-17 21:42 411368 ----a-w- c:\windows\system32\deployJava1.dll
     2010-04-08 17:20 . 2010-04-08 17:20 91424 ----a-w- c:\windows\system32\dnssd.dll
     2010-04-08 17:20 . 2010-04-08 17:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
     2010-03-29 21:13 . 2010-03-29 21:13 95872 ----a-w- c:\windows\system32\drivers\epfwtdir.sys
     2010-03-29 21:12 . 2010-03-29 21:12 114984 ----a-w- c:\windows\system32\drivers\ehdrv.sys
     2010-03-29 21:07 . 2010-03-29 21:07 140216 ----a-w- c:\windows\system32\drivers\eamon.sys
     2009-12-25 06:35 . 2009-12-25 06:35 30 ----a-w- c:\program files\Exiferupdate.ini
     .
     ((((((((((((((((((((((((((((( SnapShot_2010-06-09_14.13.48 )))))))))))))))))))))))))))))))))))))))))
     .
     + 2010-06-10 15:21 . 2010-06-10 15:21 16384 c:\windows\Temp\Perflib_Perfdata_8d4.dat
     - 2010-06-09 13:53 . 2010-06-09 13:53 16384 c:\windows\Temp\Perflib_Perfdata_8d4.dat
     + 2010-06-10 15:38 . 2010-06-10 15:38 16384 c:\windows\Temp\Perflib_Perfdata_888.dat
     + 2004-08-09 20:44 . 2010-06-10 15:42 71904 c:\windows\system32\perfc009.dat
     - 2004-08-09 20:44 . 2010-06-09 14:14 71904 c:\windows\system32\perfc009.dat
     + 2004-08-09 20:44 . 2010-06-10 15:42 444028 c:\windows\system32\perfh009.dat
     - 2004-08-09 20:44 . 2010-06-09 14:14 444028 c:\windows\system32\perfh009.dat
     .
     ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     .
     *Note* empty entries & legit default entries are not shown
     REGEDIT4

     [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "MoneyAgent"="c:\program files\Microsoft Money\System\Money Express.exe" [2001-07-25 184376]
     "NetXfer"="c:\program files\Xi\NetXfer\NetTransport.exe" [2010-04-24 1853952]
     "TranscodingService"="c:\program files\TiVo\Desktop\TranscodingService.exe" [2009-01-27 520192]
     "TivoNotify"="c:\program files\TiVo\Desktop\TiVoNotify.exe" [2009-01-27 425472]
     "TivoServer"="c:\program files\TiVo\Desktop\TiVoServer.exe" [2009-01-27 2143232]

     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "PDF Complete"="c:\program files\PDF Complete\pdfsty.exe" [2006-01-04 219648]
     "SetRefresh"="c:\program files\COMPAQ\SetRefresh\\SetRefresh.exe" [2003-11-20 525824]
     "MoneyStartUp10.0"="c:\program files\Microsoft Money\System\Activation.exe" [2001-07-25 241714]
     "Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 57344]
     "CoolSwitch"="c:\windows\system32\taskswitch.exe" [2002-03-19 45632]
     "igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
     "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
     "igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
     "Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 69632]
     "HPHmon04"="c:\windows\system32\hphmon04.exe" [2002-11-22 348160]
     "ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-02-02 339968]
     "RoxioDragToDisc"="c:\program files\Roxio\Easy Media Creator 8\Drag to Disc\DrgToDsc.exe" [2005-10-21 1687552]
     "RoxWatchTray"="c:\program files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe" [2005-10-21 163840]
     "ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 90112]
     "ProxyHostTrayIcon"="c:\program files\Funk Software\Proxy Host\phtray.exe" [2005-04-25 263184]
     "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-03-17 47392]
     "NapsterShell"="c:\program files\Napster\napster.exe" [2006-06-29 319488]
     "QuickTime Task"="c:\program files\QuickTime Alternative\qttask.exe" [2010-03-18 421888]
     "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]
     "egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2010-03-29 2145000]

     c:\documents and settings\djdonohu\Start Menu\Programs\Startup\
     Microsoft Office OneNote 2003 Quick Launch.lnk - c:\program files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2007-4-19 64864]

     c:\documents and settings\All Users\Start Menu\Programs\Startup\
     Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-10-4 113664]
     Microsoft Office OneNote 2003 Quick Launch.lnk - c:\program files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2007-4-19 64864]
     QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2005-12-8 811008]

     [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
     "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

     [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
     2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

     [HKEY_LOCAL_MACHINE\software\microsoft\security center]
     "AntiVirusOverride"=dword:00000001

     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
     "%windir%\\system32\\sessmgr.exe"=
     "c:\\SIERRA\\SIGSPAT.EXE"=
     "c:\\Program Files\\Intuit\\QuickBooks 2006\\QBDBMgrN.exe"=
     "c:\\Program Files\\Xi\\NetXfer\\NetTransport.exe"=
     "c:\\Program Files\\Microsoft Office\\OFFICE11\\FRONTPG.EXE"=
     "c:\\Program Files\\Microsoft Office\\OFFICE11\\WINWORD.EXE"=
     "c:\\Program Files\\GoldWave\\GoldWave.exe"=
     "c:\\Program Files\\Roxio\\Easy Media Creator 8\\Creator Classic\\creator8.exe"=
     "c:\\Program Files\\Common Files\\Roxio Shared\\SharedCom\\RoxUpnpRenderer.exe"=
     "c:\\Program Files\\Funk Software\\Proxy Master\\Proxy.exe"=
     "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
     "c:\\Program Files\\Microsoft Money\\System\\urlmap.exe"=
     "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
     "c:\\Program Files\\iTunes\\iTunes.exe"=
     "c:\\Program Files\\Roxio\\Easy Media Creator 8\\Digital Home\\RoxUpnpServer.exe"=

     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
     "1505:TCP"= 1505:TCP:proxy

     R0 dontgo;Promise Removable Disk Control Driver;c:\windows\system32\drivers\dontgo.sys [2/15/2005 4:22 PM 7680]
     R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [3/29/2010 5:12 PM 114984]
     R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [3/29/2010 5:13 PM 95872]
     R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]
     R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 2:41 PM 67656]
     R2 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe [10/4/2004 5:47 AM 98304]
     R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [3/29/2010 5:12 PM 810120]
     R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [10/20/2009 2:19 PM 50704]
     R3 FTEventService;FTEVTBDG;c:\program files\Promise Technology, Inc\Promise Array Management\FTEVTBDG.sys [12/19/2005 1:23 AM 3873]
     R3 ProxyHostInputFilter;Proxy Host Input Filter;c:\windows\system32\drivers\ph32ifil.sys [4/25/2005 12:55 PM 13328]
     S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
     S2 yhdjmscdaloaxux;yhdjmscdaloaxux;\??\c:\windows\system32\drivers\awcrthnlcx.sys --> c:\windows\system32\drivers\awcrthnlcx.sys [?]
     S3 ProxyHostHIDFilter;Proxy Host HID Filter;c:\windows\system32\drivers\ph32ihid.sys [4/25/2005 12:55 PM 14736]

     [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
     HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
     .
     Contents of the 'Scheduled Tasks' folder

     2010-05-31 c:\windows\Tasks\AppleSoftwareUpdate.job
     - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

     2010-06-06 c:\windows\Tasks\ParetoLogic Registration.job
     - c:\program files\Common Files\ParetoLogic\UUS2\UUS.dll [2008-02-22 17:25]

     2010-06-09 c:\windows\Tasks\ParetoLogic Update Version2.job
     - c:\program files\Common Files\ParetoLogic\UUS2\Pareto_Update.exe [2008-02-22 17:25]
     .
     .
     ------- Supplementary Scan -------
     .
     uStart Page = hxxp://www.coasttocoastam.com/shows/2009/08/01
     uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
     mSearch Bar = hxxp://go.compaq.com/1Q00CDT/0409/bl8.asp
     uInternet Settings,ProxyOverride = <local>
     uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
     IE: Download all by NetXfer - c:\program files\Xi\NetXfer\NXAddList.html
     IE: Download by NetXfer - c:\program files\Xi\NetXfer\NXAddLink.html
     IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
     IE: Sothink SWF Catcher - c:\program files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
     .
     **************************************************************************
     catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
     Rootkit scan 2010-06-10 11:38
     Windows 5.1.2600 Service Pack 3 NTFS
     scanning hidden processes ...
     scanning hidden autostart entries ...
     scanning hidden files ...
     scan completed successfully
     hidden files: 0
     **************************************************************************
     Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
     device: opened successfully
     user: MBR read successfully
     called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x89E96EC5]<<
     kernel: MBR read successfully
     detected MBR rootkit hooks:
     \Driver\Disk -> CLASSPNP.SYS @ 0xf763bf28
     \Driver\ACPI -> ACPI.sys @ 0xf75aecb8
     \Driver\atapi -> atapi.sys @ 0xf74a0852
     IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805e710a
     ParseProcedure -> ntoskrnl.exe @ 0x80578f7a
     \Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805e710a
     ParseProcedure -> ntoskrnl.exe @ 0x80578f7a
     NDIS: Broadcom NetXtreme Gigabit Ethernet -> SendCompleteHandler -> NDIS.sys @ 0xf7853bb0
     PacketIndicateHandler -> NDIS.sys @ 0xf7860a21
     SendHandler -> NDIS.sys @ 0xf783e87b
     user & kernel MBR OK
     **************************************************************************
     .
     --------------------- LOCKED REGISTRY KEYS ---------------------
     [HKEY_USERS\S-1-5-21-1893879213-397398424-1457653958-1005\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{EED80E61-38D4-693F-2531-13C8946D43FE}*]
     @Allowed: (Read) (RestrictedCode)
     @Allowed: (Read) (RestrictedCode)
     .
     --------------------- DLLs Loaded Under Running Processes ---------------------
     - - - - - - - > 'winlogon.exe'(804)
     c:\windows\system32\WININET.dll
     c:\program files\SUPERAntiSpyware\SASWINLO.DLL
     c:\windows\system32\Ati2evxx.dll
     c:\windows\system32\NavLogon.dll

     - - - - - - - > 'lsass.exe'(868)
     c:\windows\system32\WININET.dll

     - - - - - - - > 'explorer.exe'(3392)
     c:\windows\system32\WININET.dll
     c:\windows\system32\ieframe.dll
     c:\windows\system32\WPDShServiceObj.dll
     c:\program files\Roxio\Easy Media Creator 8\Drag to Disc\Shellex.dll
     c:\windows\system32\PortableDeviceTypes.dll
     c:\windows\system32\PortableDeviceApi.dll
     .
     ------------------------ Other Running Processes ------------------------
     .
     c:\windows\system32\Ati2evxx.exe
     c:\windows\system32\Ati2evxx.exe
     c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
     c:\program files\Bonjour\mDNSResponder.exe
     c:\program files\Flip Video\FlipShare\FlipShareService.exe
     c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
     c:\program files\Funk Software\Proxy Host\phsvc.exe
     c:\program files\Promise Technology, Inc\Promise Array Management\MsgAgt.exe
     c:\program files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
     c:\program files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
     c:\program files\Analog Devices\SoundMAX\SMAgent.exe
     c:\windows\system32\wbem\unsecapp.exe
     c:\program files\PDF Complete\pdfsaver.exe
     c:\program files\ATI Technologies\ATI.ACE\CLI.EXE
     c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
     c:\program files\iPod\bin\iPodService.exe
     c:\program files\Common Files\Roxio Shared\SharedCOM8\CPSHelpRunner.exe
     c:\program files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe
     c:\program files\ATI Technologies\ATI.ACE\cli.exe
     c:\program files\ATI Technologies\ATI.ACE\cli.exe
     .
     **************************************************************************
     .
     Completion time: 2010-06-10 11:48:26 - machine was rebooted
     ComboFix-quarantined-files.txt 2010-06-10 15:48
     ComboFix2.txt 2010-06-10 13:56
     ComboFix3.txt 2010-06-09 14:21
     ComboFix4.txt 2009-09-22 11:43
     Pre-Run: 10,331,209,728 bytes free
     Post-Run: 10,234,118,144 bytes free
     - - End Of File - - 512C2A4B42265B4E63B3C7D99854EE98
  9. ComboFix says there's a newer version available. Should I update it? Also, is it correct to include the URL that's at the top of your code fragment in the CFScript.txt file?
  10. Okay, didn't seem to find anything, but here it is.

10:28:29:906 3700 TDSS rootkit removing tool 2.3.2.0 May 31 2010 10:39:48
10:28:29:906 3700 ================================================================================
10:28:29:906 3700 SystemInfo:
10:28:29:906 3700 OS Version: 5.1.2600 ServicePack: 3.0
10:28:29:906 3700 Product type: Workstation
10:28:29:906 3700 ComputerName: BASEMENT
10:28:29:906 3700 UserName: djdonohu
10:28:29:906 3700 Windows directory: C:\WINDOWS
10:28:29:906 3700 Processor architecture: Intel x86
10:28:29:906 3700 Number of processors: 2
10:28:29:906 3700 Page size: 0x1000
10:28:29:906 3700 Boot type: Normal boot
10:28:29:906 3700 ================================================================================
10:28:31:562 3700 Initialize success
10:28:31:562 3700
10:28:31:562 3700 Scanning Services ...
10:28:32:046 3700 Raw services enum returned 402 services
10:28:32:062 3700
10:28:32:062 3700 Scanning Drivers ...
10:28:32:375 3700
10:28:32:375 3700 Completed
10:28:32:375 3700
10:28:32:375 3700 Results:
10:28:32:375 3700 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
10:28:32:375 3700 File objects infected / cured / cured on reboot: 0 / 0 / 0
10:28:32:375 3700
10:28:32:375 3700 KLMD(ARK) unloaded successfully
  11. Still getting "ESET has blocked access to [IP address]" and Just-In-Time Debugging messages, by the way. Just FYI.
  12. Okay, I've done all that; it took a few hours. When removing Java, I assumed that you also meant J2SE. I basically removed everything with a coffee cup icon. JavaRa failed the first time I ran it, but was okay the second time. ESET didn't seem to be running any more after ComboFix was done (it had required a restart due to the rootkit) but came back up when I restarted again.

JavaRa 1.15 Removal Log. Report follows after line.
------------------------------------
The JavaRa removal process was started on Thu Jun 10 09:18:19 2010
Found and removed: C:\Documents and Settings\djdonohu\Application Data\Sun\Java\jre1.6.0_11
Found and removed: C:\Documents and Settings\djdonohu\Application Data\Sun\Java\jre1.6.0_12
Found and removed: C:\Documents and Settings\djdonohu\Application Data\Sun\Java\jre1.6.0_13
Found and removed: C:\Documents and Settings\djdonohu\Application Data\Sun\Java\jre1.6.0_14
Found and removed: C:\Documents and Settings\djdonohu\Application Data\Sun\Java\jre1.6.0_15
Found and removed: C:\Documents and Settings\djdonohu\Application Data\Sun\Java\jre1.6.0_19
Found and removed: Software\JavaSoft\Java2D\1.5.0_06
Found and removed: Software\JavaSoft\Java2D\1.5.0_09
Found and removed: Software\JavaSoft\Java2D\1.5.0_10
Found and removed: Software\JavaSoft\Java2D\1.5.0_11
Found and removed: SOFTWARE\Classes\JavaPlugin.150_06
Found and removed: SOFTWARE\Classes\JavaPlugin.150_09
Found and removed: SOFTWARE\Classes\JavaPlugin.150_10
Found and removed: SOFTWARE\Classes\JavaWebStart.isInstalled.1.5.0.0
Found and removed: SOFTWARE\Classes\JavaPlugin.142_03
Found and removed: Software\Classes\JavaPlugin.160_01
JavaRa 1.15 Removal Log. Report follows after line.
------------------------------------
The JavaRa removal process was started on Thu Jun 10 09:19:16 2010
------------------------------------
Finished reporting.
ComboFix 10-06-09.02 - djdonohu 06/10/2010 9:40.3.2 - x86 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2559.2124 [GMT -4:00] Running from: c:\documents and settings\djdonohu\Desktop\Combo-Fix.exe AV: ESET NOD32 Antivirus 4.2 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0} * Resident AV is active . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . Infected copy of c:\windows\system32\drivers\rdpcdd.sys was found and disinfected Restored copy from - Kitty had a snack . ((((((((((((((((((((((((( Files Created from 2010-05-10 to 2010-06-10 ))))))))))))))))))))))))))))))) . 2010-06-10 06:18 . 2010-06-10 06:18 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ESET 2010-06-08 20:27 . 2010-06-08 20:27 63488 ----a-w- c:\documents and settings\djdonohu\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll 2010-06-08 20:27 . 2010-06-08 20:27 52224 ----a-w- c:\documents and settings\djdonohu\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll 2010-06-08 20:27 . 2010-06-08 20:27 117760 ----a-w- c:\documents and settings\djdonohu\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL 2010-06-08 20:26 . 2010-06-08 20:26 -------- d-----w- c:\documents and settings\djdonohu\Application Data\SUPERAntiSpyware.com 2010-06-08 20:26 . 2010-06-08 20:26 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com 2010-06-08 20:26 . 2010-06-08 20:26 -------- d-----w- c:\program files\SUPERAntiSpyware 2010-06-08 19:54 . 2010-06-08 19:54 12872 ----a-w- c:\windows\system32\bootdelete.exe 2010-06-08 16:48 . 2010-06-08 16:48 -------- d-----w- c:\documents and settings\djdonohu\Local Settings\Application Data\ESET 2010-06-08 15:49 . 2010-06-08 20:15 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys 2010-06-08 15:49 . 
2010-06-08 19:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro 2010-06-08 15:49 . 2010-06-08 15:49 -------- d-----w- c:\program files\Hitman Pro 3.5 2010-06-08 14:37 . 2010-06-08 14:37 -------- d-----w- c:\program files\ESET 2010-06-08 14:37 . 2010-06-08 14:37 -------- d-----w- c:\documents and settings\All Users\Application Data\ESET 2010-05-30 15:32 . 2010-05-30 15:32 -------- d-----w- c:\program files\Flip Video 2010-05-14 16:38 . 2010-05-14 16:38 4732800 ----a-w- c:\documents and settings\All Users\Application Data\Flip Video\FlipShare\Updates\FirmwareExec_Windows_en-US_83.06_83.07\FlipVideoFWUpdate.exe . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2010-06-09 13:29 . 2010-06-08 15:32 -------- d-----w- c:\documents and settings\All Users\Application Data\SecTaskMan 2010-06-08 14:04 . 2005-11-27 08:59 -------- d-----w- c:\program files\Symantec 2010-06-08 02:04 . 2006-10-09 19:39 664 ----a-w- c:\windows\system32\d3d9caps.dat 2010-06-04 17:22 . 2009-03-15 18:36 -------- d-----w- c:\program files\Microsoft Silverlight 2010-06-04 17:22 . 2009-02-09 02:38 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2010-05-14 01:52 . 2007-04-08 21:03 -------- d-----w- c:\documents and settings\djdonohu\Application Data\VideoReDoPlus 2010-05-14 01:39 . 2007-04-08 21:04 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP 2010-05-13 00:28 . 2005-12-23 03:55 -------- d-----w- c:\program files\Common Files\Real 2010-05-13 00:23 . 2010-05-08 20:29 -------- d-----w- c:\program files\Replay Media Catcher 2010-05-09 01:47 . 2010-05-09 01:17 20854256 ----a-w- c:\documents and settings\djdonohu\Application Data\Real\Update\setup3.10\rp\RealPlayerSPGold.exe 2010-05-08 20:30 . 2010-05-08 20:30 237568 ----a-w- c:\windows\system32\rmc_rtspdl.dll 2010-05-08 20:30 . 2010-05-08 20:30 156672 ----a-w- c:\windows\system32\rmc_fixasf.exe 2010-05-08 19:42 . 
2008-07-08 19:33 -------- d-----w- c:\program files\URLSnooper2 2010-05-08 18:48 . 2008-07-08 19:33 -------- d-----w- c:\program files\WinPcap 2010-05-04 05:25 . 2010-05-04 05:24 -------- d-----w- c:\program files\iTunes 2010-05-04 05:24 . 2010-05-04 05:24 -------- d-----w- c:\program files\iPod 2010-05-04 05:24 . 2007-07-01 03:49 -------- d-----w- c:\program files\Common Files\Apple 2010-05-04 05:19 . 2010-03-03 09:17 439816 ----a-w- c:\documents and settings\djdonohu\Application Data\Real\Update\setup3.10\setup.exe 2010-05-04 05:13 . 2010-05-04 05:13 -------- d-----w- c:\program files\Bonjour 2010-05-04 04:26 . 2010-05-04 04:26 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.1.12\SetupAdmin.exe 2010-05-02 01:17 . 2010-05-02 01:17 13407072 ----a-w- c:\documents and settings\djdonohu\Application Data\Real\Update\setup3.10\chr\ChromeInstaller.exe 2010-04-29 19:39 . 2009-06-18 21:27 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2010-04-29 19:39 . 2009-06-18 21:27 20952 ----a-w- c:\windows\system32\drivers\mbam.sys 2010-04-12 21:29 . 2010-04-17 21:42 411368 ----a-w- c:\windows\system32\deployJava1.dll 2010-04-08 17:20 . 2010-04-08 17:20 91424 ----a-w- c:\windows\system32\dnssd.dll 2010-04-08 17:20 . 2010-04-08 17:20 107808 ----a-w- c:\windows\system32\dns-sd.exe 2010-03-29 21:13 . 2010-03-29 21:13 95872 ----a-w- c:\windows\system32\drivers\epfwtdir.sys 2010-03-29 21:12 . 2010-03-29 21:12 114984 ----a-w- c:\windows\system32\drivers\ehdrv.sys 2010-03-29 21:07 . 2010-03-29 21:07 140216 ----a-w- c:\windows\system32\drivers\eamon.sys 2009-12-25 06:35 . 2009-12-25 06:35 30 ----a-w- c:\program files\Exiferupdate.ini . ((((((((((((((((((((((((((((( SnapShot_2010-06-09_14.13.48 ))))))))))))))))))))))))))))))))))))))))) . + 2010-06-10 13:37 . 2010-06-10 13:37 16384 c:\windows\Temp\Perflib_Perfdata_898.dat + 2004-08-09 20:44 . 2010-06-10 13:42 71904 c:\windows\system32\perfc009.dat - 2004-08-09 20:44 . 
2010-06-09 14:14 71904 c:\windows\system32\perfc009.dat + 2004-08-09 20:44 . 2010-06-10 13:42 444028 c:\windows\system32\perfh009.dat - 2004-08-09 20:44 . 2010-06-09 14:14 444028 c:\windows\system32\perfh009.dat . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "MoneyAgent"="c:\program files\Microsoft Money\System\Money Express.exe" [2001-07-25 184376] "NetXfer"="c:\program files\Xi\NetXfer\NetTransport.exe" [2010-04-24 1853952] "TranscodingService"="c:\program files\TiVo\Desktop\TranscodingService.exe" [2009-01-27 520192] "TivoNotify"="c:\program files\TiVo\Desktop\TiVoNotify.exe" [2009-01-27 425472] "TivoServer"="c:\program files\TiVo\Desktop\TiVoServer.exe" [2009-01-27 2143232] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "PDF Complete"="c:\program files\PDF Complete\pdfsty.exe" [2006-01-04 219648] "SetRefresh"="c:\program files\COMPAQ\SetRefresh\\SetRefresh.exe" [2003-11-20 525824] "MoneyStartUp10.0"="c:\program files\Microsoft Money\System\Activation.exe" [2001-07-25 241714] "Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 57344] "CoolSwitch"="c:\windows\system32\taskswitch.exe" [2002-03-19 45632] "igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208] "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824] "igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688] "Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 69632] "HPHmon04"="c:\windows\system32\hphmon04.exe" [2002-11-22 348160] "ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-02-02 339968] "RoxioDragToDisc"="c:\program files\Roxio\Easy Media Creator 8\Drag to Disc\DrgToDsc.exe" [2005-10-21 1687552] 
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe" [2005-10-21 163840] "ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 90112] "ProxyHostTrayIcon"="c:\program files\Funk Software\Proxy Host\phtray.exe" [2005-04-25 263184] "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-03-17 47392] "NapsterShell"="c:\program files\Napster\napster.exe" [2006-06-29 319488] "QuickTime Task"="c:\program files\QuickTime Alternative\qttask.exe" [2010-03-18 421888] "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120] "egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2010-03-29 2145000] c:\documents and settings\djdonohu\Start Menu\Programs\Startup\ Microsoft Office OneNote 2003 Quick Launch.lnk - c:\program files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2007-4-19 64864] c:\documents and settings\All Users\Start Menu\Programs\Startup\ Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-10-4 113664] Microsoft Office OneNote 2003 Quick Launch.lnk - c:\program files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2007-4-19 64864] QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2005-12-8 811008] [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon] 2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL [HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusOverride"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\SIERRA\\SIGSPAT.EXE"= "c:\\Program 
Files\\Intuit\\QuickBooks 2006\\QBDBMgrN.exe"= "c:\\Program Files\\Xi\\NetXfer\\NetTransport.exe"= "c:\\Program Files\\Microsoft Office\\OFFICE11\\FRONTPG.EXE"= "c:\\Program Files\\Microsoft Office\\OFFICE11\\WINWORD.EXE"= "c:\\Program Files\\GoldWave\\GoldWave.exe"= "c:\\Program Files\\Roxio\\Easy Media Creator 8\\Creator Classic\\creator8.exe"= "c:\\Program Files\\Common Files\\Roxio Shared\\SharedCom\\RoxUpnpRenderer.exe"= "c:\\Program Files\\Funk Software\\Proxy Master\\Proxy.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\Microsoft Money\\System\\urlmap.exe"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= "c:\\Program Files\\Roxio\\Easy Media Creator 8\\Digital Home\\RoxUpnpServer.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "1505:TCP"= 1505:TCP:proxy R0 dontgo;Promise Removable Disk Control Driver;c:\windows\system32\drivers\dontgo.sys [2/15/2005 4:22 PM 7680] R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [3/29/2010 5:12 PM 114984] R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [3/29/2010 5:13 PM 95872] R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872] R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 2:41 PM 67656] R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [3/29/2010 5:12 PM 810120] R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [10/20/2009 2:19 PM 50704] R3 FTEventService;FTEVTBDG;c:\program files\Promise Technology, Inc\Promise Array Management\FTEVTBDG.sys [12/19/2005 1:23 AM 3873] R3 ProxyHostInputFilter;Proxy Host Input Filter;c:\windows\system32\drivers\ph32ifil.sys [4/25/2005 12:55 PM 13328] S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?] 
S2 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe [10/4/2004 5:47 AM 98304] S2 yhdjmscdaloaxux;yhdjmscdaloaxux;\??\c:\windows\system32\drivers\awcrthnlcx.sys --> c:\windows\system32\drivers\awcrthnlcx.sys [?] S3 ProxyHostHIDFilter;Proxy Host HID Filter;c:\windows\system32\drivers\ph32ihid.sys [4/25/2005 12:55 PM 14736] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs gcnvcugg . Contents of the 'Scheduled Tasks' folder 2010-05-31 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34] 2010-06-06 c:\windows\Tasks\ParetoLogic Registration.job - c:\program files\Common Files\ParetoLogic\UUS2\UUS.dll [2008-02-22 17:25] 2010-06-09 c:\windows\Tasks\ParetoLogic Update Version2.job - c:\program files\Common Files\ParetoLogic\UUS2\Pareto_Update.exe [2008-02-22 17:25] . . ------- Supplementary Scan ------- . uStart Page = hxxp://www.coasttocoastam.com/shows/2009/08/01 uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8 mSearch Bar = hxxp://go.compaq.com/1Q00CDT/0409/bl8.asp uInternet Settings,ProxyOverride = <local> uSearchURL,(Default) = hxxp://www.google.com/keyword/%s IE: Download all by NetXfer - c:\program files\Xi\NetXfer\NXAddList.html IE: Download by NetXfer - c:\program files\Xi\NetXfer\NXAddLink.html IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 IE: Sothink SWF Catcher - c:\program files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm . 
- - - - ORPHANS REMOVED - - - - HKCU-Run-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2010-06-10 09:51 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net device: opened successfully user: MBR read successfully called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x89F8AEC5]<< kernel: MBR read successfully detected MBR rootkit hooks: \Driver\Disk -> CLASSPNP.SYS @ 0xf763bf28 \Driver\ACPI -> ACPI.sys @ 0xf75aecb8 \Driver\atapi -> atapi.sys @ 0xf74a0852 IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805e710a ParseProcedure -> ntoskrnl.exe @ 0x80578f7a \Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805e710a ParseProcedure -> ntoskrnl.exe @ 0x80578f7a NDIS: Broadcom NetXtreme Gigabit Ethernet -> SendCompleteHandler -> NDIS.sys @ 0xf7853bb0 PacketIndicateHandler -> NDIS.sys @ 0xf7860a21 SendHandler -> NDIS.sys @ 0xf783e87b user & kernel MBR OK ************************************************************************** . --------------------- LOCKED REGISTRY KEYS --------------------- [HKEY_USERS\S-1-5-21-1893879213-397398424-1457653958-1005\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{EED80E61-38D4-693F-2531-13C8946D43FE}*] @Allowed: (Read) (RestrictedCode) @Allowed: (Read) (RestrictedCode) . 
--------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(800) c:\windows\system32\WININET.dll c:\program files\SUPERAntiSpyware\SASWINLO.DLL c:\windows\system32\Ati2evxx.dll c:\windows\system32\NavLogon.dll - - - - - - - > 'lsass.exe'(860) c:\windows\system32\WININET.dll . Completion time: 2010-06-10 09:56:11 ComboFix-quarantined-files.txt 2010-06-10 13:56 ComboFix2.txt 2010-06-09 14:21 ComboFix3.txt 2009-09-22 11:43 Pre-Run: 10,032,607,232 bytes free Post-Run: 10,318,938,112 bytes free - - End Of File - - 6791275959728A43B7601AA4AF47DBD5
  13. Okay, so I've always prided myself on avoiding or getting rid of viruses, but I'm at my wit's end with this one. Briefly, I had an older version of Norton that crapped out on me and I didn't realize it for about two weeks. I figured it out when I got a fake virus infection message from some malware suite. I got rid of that with MBAM pretty quickly. I also upgraded my AV protection to something stronger and chose ESET NOD32. That went fine, but I still have a symptom that neither MBAM nor ESET can detect or fix. I also tried Hit Man, SuperAntiSpyware, a few rootkit scanners and other things I can't even recall at this point. As in other posts I see, any link I click on in a Google search list sends me to some random site. Addresses I type out are fine. I know it's some sort of rogue JavaScript because I frequently also get a Just-In-Time Debugging message asking me if I want to debug the script (even when I'm just sitting on Google and no script should be running). If I say yes, the script editor opens and I can actually see the script code, which usually claims to be from some random IP address in the Netherlands or a site like golfdigest.com that I would have never visited in a million years. About half the time, ESET blocks the script from contacting the bad site, so that's an improvement. I'm pasting the DDS log and attaching the MBAM and Attach logs. I'm having trouble with GMER: after running for about 4 hours it blue-screened me, which is very odd, probably the first time I've seen that on this PC. I'm going to try running it again after this post, but I figured I'd get this to you to get things moving in the meantime. Help! Thanks in advance.
DDS (Ver_10-03-17.01) - NTFSx86 Run by djdonohu at 15:50:26.29 on Wed 06/09/2010 Internet Explorer: 7.0.5730.13 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2559.1990 [GMT -4:00] AV: ESET NOD32 Antivirus 4.2 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0} ============== Running Processes =============== C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost -k DcomLaunch svchost.exe C:\WINDOWS\System32\svchost.exe -k netsvcs svchost.exe svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\Ati2evxx.exe svchost.exe C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe C:\Program Files\Flip Video\FlipShare\FlipShareService.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\WINDOWS\Explorer.EXE C:\Program Files\PDF Complete\pdfsty.exe C:\WINDOWS\system32\taskswitch.exe C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe C:\WINDOWS\system32\hphmon04.exe C:\Program Files\Roxio\Easy Media Creator 8\Drag to Disc\DrgToDsc.exe C:\WINDOWS\System32\svchost.exe -k HPZ12 C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe C:\Program Files\Funk Software\Proxy Host\phtray.exe C:\Program Files\Common Files\Java\Java Update\jusched.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\PDF Complete\pdfsaver.exe C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe C:\Program Files\Funk Software\Proxy Host\phsvc.exe C:\Program Files\TiVo\Desktop\TranscodingService.exe C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE C:\Program Files\TiVo\Desktop\TiVoNotify.exe C:\Program Files\Promise Technology, Inc\Promise Array Management\MsgAgt.exe C:\Program Files\TiVo\Desktop\TiVoServer.exe C:\Program Files\Hewlett-Packard\HP 
Share-to-Web\hpgs2wnf.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe C:\WINDOWS\system32\svchost.exe -k imgsvc C:\WINDOWS\system32\wuauclt.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\Common Files\Roxio Shared\SharedCOM8\CPSHelpRunner.exe C:\Program Files\ATI Technologies\ATI.ACE\cli.exe C:\Program Files\ATI Technologies\ATI.ACE\cli.exe C:\Documents and Settings\djdonohu\Desktop\dds.scr ============== Pseudo HJT Report =============== uStart Page = hxxp://www.coasttocoastam.com/shows/2009/08/01 uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8 mSearch Bar = hxxp://go.compaq.com/1Q00CDT/0409/bl8.asp uInternet Settings,ProxyOverride = <local> uSearchURL,(Default) = hxxp://www.google.com/keyword/%s BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll BHO: NXIECatcher Class: {83b80a9c-d91a-4f22-8dcf-ea7204039f79} - c:\program files\xi\netxfer\NXIEHelper.dll BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll BHO: {fdd3b846-8d59-4ffb-8758-209b6ad74acc} - c:\program files\microsoft money\system\mnyviewer.dll TB: NetXfer: {c16cbaac-a75c-4db5-a0dd-cdf5cafcdd3a} - c:\program files\xi\netxfer\NXToolBar.dll uRun: [MoneyAgent] "c:\program files\microsoft money\system\Money Express.exe" uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1 uRun: [NetXfer] 
"c:\program files\xi\netxfer\NetTransport.exe" uRun: [TranscodingService] "c:\program files\tivo\desktop\TranscodingService.exe" /auto uRun: [TivoNotify] "c:\program files\tivo\desktop\TiVoNotify.exe" /service /registry /auto:TivoNotify uRun: [TivoServer] "c:\program files\tivo\desktop\TiVoServer.exe" /service /registry /auto:TivoServer uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe mRun: [PDF Complete] "c:\program files\pdf complete\pdfsty.exe" mRun: [setRefresh] c:\program files\compaq\setrefresh\\SetRefresh.exe mRun: [MoneyStartUp10.0] "c:\program files\microsoft money\system\Activation.exe" mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.0\apps\apdproxy.exe" mRun: [CoolSwitch] c:\windows\system32\taskswitch.exe mRun: [igfxtray] c:\windows\system32\igfxtray.exe mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe mRun: [igfxpers] c:\windows\system32\igfxpers.exe mRun: [share-to-Web Namespace Daemon] c:\program files\hewlett-packard\hp share-to-web\hpgs2wnd.exe mRun: [HPHmon04] c:\windows\system32\hphmon04.exe mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe mRun: [RoxioDragToDisc] "c:\program files\roxio\easy media creator 8\drag to disc\DrgToDsc.exe" mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\sharedcom8\RoxWatchTray.exe" mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\CLIStart.exe" mRun: [ProxyHostTrayIcon] "c:\program files\funk software\proxy host\phtray.exe" mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe mRun: [NapsterShell] c:\program files\napster\napster.exe /systray mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe" mRun: [QuickTime Task] "c:\program files\quicktime alternative\qttask.exe" -atboottime mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe" mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice 
StartupFolder: c:\docume~1\djdonohu\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office11\ONENOTEM.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office11\ONENOTEM.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
IE: Download all by NetXfer - c:\program files\xi\netxfer\NXAddList.html
IE: Download by NetXfer - c:\program files\xi\netxfer\NXAddLink.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Sothink SWF Catcher - c:\program files\common files\sourcetec\swf catcher\InternetExplorer.htm
IE: {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - c:\program files\common files\sourcetec\swf catcher\InternetExplorer.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - {301DA1EE-F65C-4188-A417-9E915CC8FBFA} - c:\program files\microsoft money\system\mnyviewer.dll
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} - hxxp://h20270.www2.hp.com/ediags/gmn/install/hpobjinstaller_gmn.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1133082166688
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1133127964546
DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} - hxxp://secure2.comned.com/signuptemplates/securelogin-devel.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} - hxxp://h30155.www3.hp.com/ediags/dd/install/guidedsolutions.cab
DPF: {A796D216-2DE1-4EA8-BABB-FE6E7C959098} - hxxp://www.hp.com/cpso-support-new/SDD/hpsddObjSigned.cab
DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} - hxxps://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} - hxxp://www.photodex.com/pxplay.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: igfxcui - igfxdev.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R0 dontgo;Promise Removable Disk Control Driver;c:\windows\system32\drivers\dontgo.sys [2005-2-15 7680]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2010-3-29 114984]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2010-3-29 95872]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\adobe\photoshop elements 3.0\PhotoshopElementsFileAgent.exe [2004-10-4 98304]
R2 ekrn;ESET Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2010-3-29 810120]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2009-10-20 50704]
R3 FTEventService;FTEVTBDG;c:\program files\promise technology, inc\promise array management\FTEVTBDG.sys [2005-12-19 3873]
R3 ProxyHostInputFilter;Proxy Host Input Filter;c:\windows\system32\drivers\ph32ifil.sys [2005-4-25 13328]
S0 Lbd;Lbd;c:\windows\system32\drivers\lbd.sys --> c:\windows\system32\drivers\Lbd.sys [?]
S2 yhdjmscdaloaxux;yhdjmscdaloaxux;\??\c:\windows\system32\drivers\awcrthnlcx.sys --> c:\windows\system32\drivers\awcrthnlcx.sys [?]
S3 ProxyHostHIDFilter;Proxy Host HID Filter;c:\windows\system32\drivers\ph32ihid.sys [2005-4-25 14736]

=============== Created Last 30 ================

2010-06-09 15:01:25 0 ----a-w- c:\documents and settings\djdonohu\defogger_reenable
2010-06-09 13:48:36 0 d-sha-r- C:\cmdcons
2010-06-09 13:44:48 77312 ----a-w- c:\windows\MBR.exe
2010-06-08 20:26:31 0 d-----w- c:\docume~1\djdonohu\applic~1\SUPERAntiSpyware.com
2010-06-08 20:26:31 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-06-08 20:26:18 0 d-----w- c:\program files\SUPERAntiSpyware
2010-06-08 19:54:51 12872 ----a-w- c:\windows\system32\bootdelete.exe
2010-06-08 15:49:34 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-06-08 15:49:16 0 d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro
2010-06-08 15:49:13 0 d-----w- c:\program files\Hitman Pro 3.5
2010-06-08 15:32:17 0 d-----w- c:\docume~1\alluse~1\applic~1\SecTaskMan
2010-06-08 14:37:52 0 d-----w- c:\program files\ESET
2010-05-30 15:33:46 1015 ----a-r- C:\logFile.xsl
2010-05-30 15:32:22 0 d-----w- c:\program files\Flip Video

==================== Find3M ====================

2010-05-08 20:30:07 237568 ----a-w- c:\windows\system32\rmc_rtspdl.dll
2010-05-08 20:30:07 156672 ----a-w- c:\windows\system32\rmc_fixasf.exe
2010-04-29 19:39:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 19:39:26 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-26 19:58:12 256512 ----a-w- c:\windows\PEV.exe
2010-04-12 21:29:19 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-04-08 17:20:02 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-04-08 17:20:02 107808 ----a-w- c:\windows\system32\dns-sd.exe
2009-12-25 06:35:53 30 ----a-w- c:\program files\Exiferupdate.ini
2008-09-15 03:55:53 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008091420080915\index.dat

============= FINISH: 15:52:38.70 ===============

Attach.zip
mbam_log_2010_06_08__16_07_24_.txt