
Google Redirect Script - I give up!



Okay, so I've always prided myself on avoiding or getting rid of viruses, but I'm at my wits end with this one.

Briefly, I had an older version of Norton that crapped out on me and I didn't realize it for about two weeks. I figured it out when I got a fake virus infection message from some malware suite. I got rid of that with MBAM pretty quickly. I also upgraded my AV protection to something stronger and chose ESET NOD32. That went fine, but I still have a symptom that neither MBAM nor ESET can detect or fix. I also tried Hitman, SuperAntiSpyware, a few rootkit scanners and other things I can't even recall at this point.

Like other posts I see, any link I click on in a Google search list sends me to some random site. Addresses I type out are fine. I know it's some sort of rogue JavaScript because I frequently also get a Just-In-Time Debugging message asking me if I want to debug the script (even when I'm just sitting on Google and no script should be running). If I say yes, the script editor opens and I can actually see the script code, which usually claims to be from some random IP address in the Netherlands or a site like golfdigest.com that I would never have visited in a million years. About half the time, ESET blocks the script from contacting the bad site, so that's an improvement.

I'm pasting the DDS log and attaching the MBAM and Attach logs. I'm having trouble with GMER: after running for about 4 hours it blue-screened me, which is very odd, probably the first time I've seen that on this PC. I'm going to try running it again after this post, but I figured I'd get this to you to get things moving in the meantime.

Help! Thanks in advance.

DDS (Ver_10-03-17.01) - NTFSx86

Run by djdonohu at 15:50:26.29 on Wed 06/09/2010

Internet Explorer: 7.0.5730.13

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2559.1990 [GMT -4:00]

AV: ESET NOD32 Antivirus 4.2 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\Ati2evxx.exe

svchost.exe

C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

C:\Program Files\Flip Video\FlipShare\FlipShareService.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\Explorer.EXE

C:\Program Files\PDF Complete\pdfsty.exe

C:\WINDOWS\system32\taskswitch.exe

C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

C:\WINDOWS\system32\hphmon04.exe

C:\Program Files\Roxio\Easy Media Creator 8\Drag to Disc\DrgToDsc.exe

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe

C:\Program Files\Funk Software\Proxy Host\phtray.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\PDF Complete\pdfsaver.exe

C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe

C:\Program Files\Funk Software\Proxy Host\phsvc.exe

C:\Program Files\TiVo\Desktop\TranscodingService.exe

C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE

C:\Program Files\TiVo\Desktop\TiVoNotify.exe

C:\Program Files\Promise Technology, Inc\Promise Array Management\MsgAgt.exe

C:\Program Files\TiVo\Desktop\TiVoServer.exe

C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe

C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe

C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Common Files\Roxio Shared\SharedCOM8\CPSHelpRunner.exe

C:\Program Files\ATI Technologies\ATI.ACE\cli.exe

C:\Program Files\ATI Technologies\ATI.ACE\cli.exe

C:\Documents and Settings\djdonohu\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.coasttocoastam.com/shows/2009/08/01

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

mSearch Bar = hxxp://go.compaq.com/1Q00CDT/0409/bl8.asp

uInternet Settings,ProxyOverride = <local>

uSearchURL,(Default) = hxxp://www.google.com/keyword/%s

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll

BHO: NXIECatcher Class: {83b80a9c-d91a-4f22-8dcf-ea7204039f79} - c:\program files\xi\netxfer\NXIEHelper.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

BHO: {fdd3b846-8d59-4ffb-8758-209b6ad74acc} - c:\program files\microsoft money\system\mnyviewer.dll

TB: NetXfer: {c16cbaac-a75c-4db5-a0dd-cdf5cafcdd3a} - c:\program files\xi\netxfer\NXToolBar.dll

uRun: [MoneyAgent] "c:\program files\microsoft money\system\Money Express.exe"

uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1

uRun: [NetXfer] "c:\program files\xi\netxfer\NetTransport.exe"

uRun: [TranscodingService] "c:\program files\tivo\desktop\TranscodingService.exe" /auto

uRun: [TivoNotify] "c:\program files\tivo\desktop\TiVoNotify.exe" /service /registry /auto:TivoNotify

uRun: [TivoServer] "c:\program files\tivo\desktop\TiVoServer.exe" /service /registry /auto:TivoServer

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [PDF Complete] "c:\program files\pdf complete\pdfsty.exe"

mRun: [setRefresh] c:\program files\compaq\setrefresh\\SetRefresh.exe

mRun: [MoneyStartUp10.0] "c:\program files\microsoft money\system\Activation.exe"

mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.0\apps\apdproxy.exe"

mRun: [CoolSwitch] c:\windows\system32\taskswitch.exe

mRun: [igfxtray] c:\windows\system32\igfxtray.exe

mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe

mRun: [igfxpers] c:\windows\system32\igfxpers.exe

mRun: [share-to-Web Namespace Daemon] c:\program files\hewlett-packard\hp share-to-web\hpgs2wnd.exe

mRun: [HPHmon04] c:\windows\system32\hphmon04.exe

mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe

mRun: [RoxioDragToDisc] "c:\program files\roxio\easy media creator 8\drag to disc\DrgToDsc.exe"

mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\sharedcom8\RoxWatchTray.exe"

mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\CLIStart.exe"

mRun: [ProxyHostTrayIcon] "c:\program files\funk software\proxy host\phtray.exe"

mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe

mRun: [NapsterShell] c:\program files\napster\napster.exe /systray

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [QuickTime Task] "c:\program files\quicktime alternative\qttask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice

StartupFolder: c:\docume~1\djdonohu\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office11\ONENOTEM.EXE

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office11\ONENOTEM.EXE

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe

IE: Download all by NetXfer - c:\program files\xi\netxfer\NXAddList.html

IE: Download by NetXfer - c:\program files\xi\netxfer\NXAddLink.html

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000

IE: Sothink SWF Catcher - c:\program files\common files\sourcetec\swf catcher\InternetExplorer.htm

IE: {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - c:\program files\common files\sourcetec\swf catcher\InternetExplorer.htm

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

IE: {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - {301DA1EE-F65C-4188-A417-9E915CC8FBFA} - c:\program files\microsoft money\system\mnyviewer.dll

DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab

DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} - hxxp://h20270.www2.hp.com/ediags/gmn/install/hpobjinstaller_gmn.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1133082166688

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1133127964546

DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} - hxxp://secure2.comned.com/signuptemplates/securelogin-devel.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} - hxxp://h30155.www3.hp.com/ediags/dd/install/guidedsolutions.cab

DPF: {A796D216-2DE1-4EA8-BABB-FE6E7C959098} - hxxp://www.hp.com/cpso-support-new/SDD/hpsddObjSigned.cab

DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} - hxxps://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx

DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} - hxxp://www.photodex.com/pxplay.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL

Notify: AtiExtEvent - Ati2evxx.dll

Notify: igfxcui - igfxdev.dll

Notify: NavLogon - c:\windows\system32\NavLogon.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R0 dontgo;Promise Removable Disk Control Driver;c:\windows\system32\drivers\dontgo.sys [2005-2-15 7680]

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2010-3-29 114984]

R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2010-3-29 95872]

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]

R2 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\adobe\photoshop elements 3.0\PhotoshopElementsFileAgent.exe [2004-10-4 98304]

R2 ekrn;ESET Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2010-3-29 810120]

R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2009-10-20 50704]

R3 FTEventService;FTEVTBDG;c:\program files\promise technology, inc\promise array management\FTEVTBDG.sys [2005-12-19 3873]

R3 ProxyHostInputFilter;Proxy Host Input Filter;c:\windows\system32\drivers\ph32ifil.sys [2005-4-25 13328]

S0 Lbd;Lbd;c:\windows\system32\drivers\lbd.sys --> c:\windows\system32\drivers\Lbd.sys [?]

S2 yhdjmscdaloaxux;yhdjmscdaloaxux;\??\c:\windows\system32\drivers\awcrthnlcx.sys --> c:\windows\system32\drivers\awcrthnlcx.sys [?]

S3 ProxyHostHIDFilter;Proxy Host HID Filter;c:\windows\system32\drivers\ph32ihid.sys [2005-4-25 14736]

=============== Created Last 30 ================

2010-06-09 15:01:25 0 ----a-w- c:\documents and settings\djdonohu\defogger_reenable

2010-06-09 13:48:36 0 d-sha-r- C:\cmdcons

2010-06-09 13:44:48 77312 ----a-w- c:\windows\MBR.exe

2010-06-08 20:26:31 0 d-----w- c:\docume~1\djdonohu\applic~1\SUPERAntiSpyware.com

2010-06-08 20:26:31 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com

2010-06-08 20:26:18 0 d-----w- c:\program files\SUPERAntiSpyware

2010-06-08 19:54:51 12872 ----a-w- c:\windows\system32\bootdelete.exe

2010-06-08 15:49:34 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys

2010-06-08 15:49:16 0 d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro

2010-06-08 15:49:13 0 d-----w- c:\program files\Hitman Pro 3.5

2010-06-08 15:32:17 0 d-----w- c:\docume~1\alluse~1\applic~1\SecTaskMan

2010-06-08 14:37:52 0 d-----w- c:\program files\ESET

2010-05-30 15:33:46 1015 ----a-r- C:\logFile.xsl

2010-05-30 15:32:22 0 d-----w- c:\program files\Flip Video

==================== Find3M ====================

2010-05-08 20:30:07 237568 ----a-w- c:\windows\system32\rmc_rtspdl.dll

2010-05-08 20:30:07 156672 ----a-w- c:\windows\system32\rmc_fixasf.exe

2010-04-29 19:39:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-04-29 19:39:26 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-04-26 19:58:12 256512 ----a-w- c:\windows\PEV.exe

2010-04-12 21:29:19 411368 ----a-w- c:\windows\system32\deployJava1.dll

2010-04-08 17:20:02 91424 ----a-w- c:\windows\system32\dnssd.dll

2010-04-08 17:20:02 107808 ----a-w- c:\windows\system32\dns-sd.exe

2009-12-25 06:35:53 30 ----a-w- c:\program files\Exiferupdate.ini

2008-09-15 03:55:53 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008091420080915\index.dat

============= FINISH: 15:52:38.70 ===============

Attach.zip

mbam_log_2010_06_08__16_07_24_.txt


Hello PullingMyHairOut! Welcome to MalwareBytes' Anti-Malware Forums!

My name is Borislav and I will be glad to help you solve your problems with malware. Before we begin, please note the following:

  • The process of cleaning your system may take some time, so please be patient.
  • Follow my instructions step by step. If there is a problem somewhere, stop and tell me, and I'll tell you what to do.
  • Stay with the topic until I tell you that your system is clean. Missing symptoms do not mean that everything is okay.
  • Instructions that I give are for your system only!
  • If you don't know or can't understand something please ask.
  • Do not install or uninstall any software or hardware while we work on this.
  • Keep me informed of any changes.

Step 1

Please, uninstall the following applications:

  1. Adobe Reader 7.0.8

You can read how to do this here:

Step 2

Please go into the Control Panel, Add/Remove and for now remove ALL versions of JAVA

Then run this tool to help clean up any leftover Java.

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please download JavaRa and unzip it to your desktop.

***Please close any instances of Internet Explorer (or other web browser) before continuing!***

  • Double-click on JavaRa.exe to start the program.
  • From the drop-down menu, choose English and click on Select.
  • JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
  • Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
  • A logfile will pop up. Please save it to a convenient location and post it back when you reply
    Then look for the following Java folders and if found delete them.
    C:\Program Files\Java
    C:\Program Files\Common Files\Java
    C:\Windows\Sun
    C:\Documents and Settings\All Users\Application Data\Java
    C:\Documents and Settings\All Users\Application Data\Sun\Java
    C:\Documents and Settings\username\Application Data\Java
    C:\Documents and Settings\username\Application Data\Sun\Java

Step 3

**Note: If you need more detailed information, please visit the web page of ComboFix in BleepingComputer. **

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

  1. If you are using Firefox, make sure that your download settings are as follows:
    • Open Tools -> Options -> Main tab
    • Set to Always ask me where to Save the files.

  • During the download, rename Combofix to Combo-Fix as follows:
  • It is important you rename Combofix during the download, but not after.
  • Please do not rename Combofix to other names, but only to the one indicated.
  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause unpredictable results.
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

    -----------------------------------------------------------


  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

-----------------------------------------------------------

  • Double click on Combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\Combo-Fix.txt for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

In your next reply, please include these log(s) in this sequence:

  1. JavaRa log
  2. ComboFix log

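An added example (my own code, not DDS, ComboFix, JavaRa, or anything posted in this thread): a small Python triage script that does mechanically the two things a helper does by eye on the DDS log above. First, it walks the SERVICES / DRIVERS section and flags entries whose on-disk file DDS could not find or read (the trailing `[?]`) or whose service name looks machine-generated, which is the shape of the `yhdjmscdaloaxux` / `awcrthnlcx.sys` line in the log. Second, it reads the DPF section and lists every cached Java installer control that is older than the newest one, which is the evidence behind Step 2's "remove ALL versions of Java". The sample lines are copied from the log above; the regexes, the consonant-run threshold and the scoring are my assumptions, and any hit still needs manual confirmation (a leftover driver from an uninstalled product scores under the first rule too).

```python
"""Triage helper for DDS-style logs (added example, not part of DDS or the thread)."""
import re

# Constructed sample: lines copied in the shape of the DDS log above
# (SERVICES / DRIVERS and DPF sections). Nothing else about the machine is assumed.
SAMPLE_DDS = [
    r"R0 dontgo;Promise Removable Disk Control Driver;c:\windows\system32\drivers\dontgo.sys [2005-2-15 7680]",
    r"R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2010-3-29 114984]",
    r"R2 ekrn;ESET Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2010-3-29 810120]",
    r"S0 Lbd;Lbd;c:\windows\system32\drivers\lbd.sys --> c:\windows\system32\drivers\Lbd.sys [?]",
    r"S2 yhdjmscdaloaxux;yhdjmscdaloaxux;\??\c:\windows\system32\drivers\awcrthnlcx.sys --> c:\windows\system32\drivers\awcrthnlcx.sys [?]",
    r"DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab",
    r"DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab",
    r"DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab",
    r"DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab",
]

# DDS service line: <R|S><start type> <name>;<display name>;<path and details>
SERVICE_RE = re.compile(r"^([RS])(\d)\s+([^;]+);([^;]*);(.*)$")
# Sun's JRE installer cab names: jinstall-142-..., jinstall-1_5_0_06-..., jinstall-1_6_0_20-...
JINSTALL_RE = re.compile(r"jinstall-([0-9_]+)-windows")
VOWELS = set("aeiou")  # 'y' is deliberately counted as a consonant


def max_consonant_run(name):
    """Longest run of consonants in a name; random-looking names tend to have long ones."""
    best = run = 0
    for ch in name.lower():
        run = run + 1 if ch.isalpha() and ch not in VOWELS else 0
        best = max(best, run)
    return best


def triage_services(lines):
    """Return [(service_name, [reasons])] for SERVICES / DRIVERS entries worth a closer look.

    Heuristic 1: DDS appends '[?]' when it cannot find or read the file a service points at.
    Heuristic 2 (assumed threshold): a long, all-letter name with a run of 5+ consonants
    looks machine-generated rather than chosen by a vendor.
    """
    findings = []
    for line in lines:
        m = SERVICE_RE.match(line.strip())
        if not m:
            continue
        _state, _start, name, _display, details = m.groups()
        reasons = []
        if details.rstrip().endswith("[?]"):
            reasons.append("file missing or unreadable ([?])")
        if len(name) >= 10 and name.isalpha() and max_consonant_run(name) >= 5:
            reasons.append("random-looking service name")
        if reasons:
            findings.append((name, reasons))
    return findings


def parse_jre_version(token):
    """'142' -> (1, 4, 2, 0); '1_5_0_06' -> (1, 5, 0, 6). Always a 4-tuple so versions compare."""
    if "_" in token:
        parts = [int(p) for p in token.split("_")]
    else:
        parts = [int(c) for c in token]  # old style: digits run together, no update number
    while len(parts) < 4:
        parts.append(0)
    return tuple(parts[:4])


def fmt_jre(v):
    """(1, 5, 0, 6) -> '1.5.0_06'; (1, 4, 2, 0) -> '1.4.2'."""
    return "%d.%d.%d" % v[:3] + ("_%02d" % v[3] if v[3] else "")


def stale_java_dpf(lines):
    """Return (newest JRE seen in DPF entries, [every older JRE also still registered]).

    Each DPF line is a downloaded ActiveX control that stays registered until removed,
    so every older jinstall entry is a JRE the browser can still reach; this is what
    Step 2 (remove all Java versions, then JavaRa) is meant to clear out.
    """
    seen = set()
    for line in lines:
        if not line.lstrip().startswith("DPF:"):
            continue
        m = JINSTALL_RE.search(line)
        if m:
            seen.add(parse_jre_version(m.group(1)))
    if not seen:
        return None, []
    newest = max(seen)
    return fmt_jre(newest), [fmt_jre(v) for v in sorted(seen) if v < newest]


if __name__ == "__main__":
    for name, reasons in triage_services(SAMPLE_DDS):
        print("SERVICE %-20s %s" % (name, "; ".join(reasons)))
    newest, stale = stale_java_dpf(SAMPLE_DDS)
    print("JAVA newest %s, stale still registered: %s" % (newest, ", ".join(stale)))
```

Run it against a full DDS log by reading the file into a list of lines in place of `SAMPLE_DDS`; on the sample it flags `Lbd` (file missing only) and `yhdjmscdaloaxux` (file missing and random-looking name), and reports JRE 1.6.0_20 as newest with 1.4.2 and 1.5.0_06 still registered. The consonant-run rule is tuned so that short vendor driver names such as `ehdrv` or `epfwtdir` stay below it; lower the length threshold only if you are prepared to review more false positives.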

Okay, I've done all that; it took a few hours. When removing Java, I assumed that you also meant J2SE. I basically removed everything with a coffee cup icon. JavaRa failed the first time I ran it, but was okay the second time. ESET didn't seem to be running any more after ComboFix was done (it had required a restart due to a rootkit) but came back up when I restarted again.

JavaRa 1.15 Removal Log.

Report follows after line.

------------------------------------

The JavaRa removal process was started on Thu Jun 10 09:18:19 2010

Found and removed: C:\Documents and Settings\djdonohu\Application Data\Sun\Java\jre1.6.0_11

Found and removed: C:\Documents and Settings\djdonohu\Application Data\Sun\Java\jre1.6.0_12

Found and removed: C:\Documents and Settings\djdonohu\Application Data\Sun\Java\jre1.6.0_13

Found and removed: C:\Documents and Settings\djdonohu\Application Data\Sun\Java\jre1.6.0_14

Found and removed: C:\Documents and Settings\djdonohu\Application Data\Sun\Java\jre1.6.0_15

Found and removed: C:\Documents and Settings\djdonohu\Application Data\Sun\Java\jre1.6.0_19

Found and removed: Software\JavaSoft\Java2D\1.5.0_06

Found and removed: Software\JavaSoft\Java2D\1.5.0_09

Found and removed: Software\JavaSoft\Java2D\1.5.0_10

Found and removed: Software\JavaSoft\Java2D\1.5.0_11

Found and removed: SOFTWARE\Classes\JavaPlugin.150_06

Found and removed: SOFTWARE\Classes\JavaPlugin.150_09

Found and removed: SOFTWARE\Classes\JavaPlugin.150_10

Found and removed: SOFTWARE\Classes\JavaWebStart.isInstalled.1.5.0.0

Found and removed: SOFTWARE\Classes\JavaPlugin.142_03

Found and removed: Software\Classes\JavaPlugin.160_01

JavaRa 1.15 Removal Log.

Report follows after line.

------------------------------------

The JavaRa removal process was started on Thu Jun 10 09:19:16 2010

------------------------------------

Finished reporting.

ComboFix 10-06-09.02 - djdonohu 06/10/2010 9:40.3.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2559.2124 [GMT -4:00]

Running from: c:\documents and settings\djdonohu\Desktop\Combo-Fix.exe

AV: ESET NOD32 Antivirus 4.2 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

Infected copy of c:\windows\system32\drivers\rdpcdd.sys was found and disinfected

Restored copy from - Kitty had a snack ;)

.

((((((((((((((((((((((((( Files Created from 2010-05-10 to 2010-06-10 )))))))))))))))))))))))))))))))

.

2010-06-10 06:18 . 2010-06-10 06:18 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ESET

2010-06-08 20:27 . 2010-06-08 20:27 63488 ----a-w- c:\documents and settings\djdonohu\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll

2010-06-08 20:27 . 2010-06-08 20:27 52224 ----a-w- c:\documents and settings\djdonohu\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll

2010-06-08 20:27 . 2010-06-08 20:27 117760 ----a-w- c:\documents and settings\djdonohu\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

2010-06-08 20:26 . 2010-06-08 20:26 -------- d-----w- c:\documents and settings\djdonohu\Application Data\SUPERAntiSpyware.com

2010-06-08 20:26 . 2010-06-08 20:26 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2010-06-08 20:26 . 2010-06-08 20:26 -------- d-----w- c:\program files\SUPERAntiSpyware

2010-06-08 19:54 . 2010-06-08 19:54 12872 ----a-w- c:\windows\system32\bootdelete.exe

2010-06-08 16:48 . 2010-06-08 16:48 -------- d-----w- c:\documents and settings\djdonohu\Local Settings\Application Data\ESET

2010-06-08 15:49 . 2010-06-08 20:15 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys

2010-06-08 15:49 . 2010-06-08 19:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro

2010-06-08 15:49 . 2010-06-08 15:49 -------- d-----w- c:\program files\Hitman Pro 3.5

2010-06-08 14:37 . 2010-06-08 14:37 -------- d-----w- c:\program files\ESET

2010-06-08 14:37 . 2010-06-08 14:37 -------- d-----w- c:\documents and settings\All Users\Application Data\ESET

2010-05-30 15:32 . 2010-05-30 15:32 -------- d-----w- c:\program files\Flip Video

2010-05-14 16:38 . 2010-05-14 16:38 4732800 ----a-w- c:\documents and settings\All Users\Application Data\Flip Video\FlipShare\Updates\FirmwareExec_Windows_en-US_83.06_83.07\FlipVideoFWUpdate.exe

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-06-09 13:29 . 2010-06-08 15:32 -------- d-----w- c:\documents and settings\All Users\Application Data\SecTaskMan

2010-06-08 14:04 . 2005-11-27 08:59 -------- d-----w- c:\program files\Symantec

2010-06-08 02:04 . 2006-10-09 19:39 664 ----a-w- c:\windows\system32\d3d9caps.dat

2010-06-04 17:22 . 2009-03-15 18:36 -------- d-----w- c:\program files\Microsoft Silverlight

2010-06-04 17:22 . 2009-02-09 02:38 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-05-14 01:52 . 2007-04-08 21:03 -------- d-----w- c:\documents and settings\djdonohu\Application Data\VideoReDoPlus

2010-05-14 01:39 . 2007-04-08 21:04 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2010-05-13 00:28 . 2005-12-23 03:55 -------- d-----w- c:\program files\Common Files\Real

2010-05-13 00:23 . 2010-05-08 20:29 -------- d-----w- c:\program files\Replay Media Catcher

2010-05-09 01:47 . 2010-05-09 01:17 20854256 ----a-w- c:\documents and settings\djdonohu\Application Data\Real\Update\setup3.10\rp\RealPlayerSPGold.exe

2010-05-08 20:30 . 2010-05-08 20:30 237568 ----a-w- c:\windows\system32\rmc_rtspdl.dll

2010-05-08 20:30 . 2010-05-08 20:30 156672 ----a-w- c:\windows\system32\rmc_fixasf.exe

2010-05-08 19:42 . 2008-07-08 19:33 -------- d-----w- c:\program files\URLSnooper2

2010-05-08 18:48 . 2008-07-08 19:33 -------- d-----w- c:\program files\WinPcap

2010-05-04 05:25 . 2010-05-04 05:24 -------- d-----w- c:\program files\iTunes

2010-05-04 05:24 . 2010-05-04 05:24 -------- d-----w- c:\program files\iPod

2010-05-04 05:24 . 2007-07-01 03:49 -------- d-----w- c:\program files\Common Files\Apple

2010-05-04 05:19 . 2010-03-03 09:17 439816 ----a-w- c:\documents and settings\djdonohu\Application Data\Real\Update\setup3.10\setup.exe

2010-05-04 05:13 . 2010-05-04 05:13 -------- d-----w- c:\program files\Bonjour

2010-05-04 04:26 . 2010-05-04 04:26 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.1.12\SetupAdmin.exe

2010-05-02 01:17 . 2010-05-02 01:17 13407072 ----a-w- c:\documents and settings\djdonohu\Application Data\Real\Update\setup3.10\chr\ChromeInstaller.exe

2010-04-29 19:39 . 2009-06-18 21:27 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-04-29 19:39 . 2009-06-18 21:27 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-04-12 21:29 . 2010-04-17 21:42 411368 ----a-w- c:\windows\system32\deployJava1.dll

2010-04-08 17:20 . 2010-04-08 17:20 91424 ----a-w- c:\windows\system32\dnssd.dll

2010-04-08 17:20 . 2010-04-08 17:20 107808 ----a-w- c:\windows\system32\dns-sd.exe

2010-03-29 21:13 . 2010-03-29 21:13 95872 ----a-w- c:\windows\system32\drivers\epfwtdir.sys

2010-03-29 21:12 . 2010-03-29 21:12 114984 ----a-w- c:\windows\system32\drivers\ehdrv.sys

2010-03-29 21:07 . 2010-03-29 21:07 140216 ----a-w- c:\windows\system32\drivers\eamon.sys

2009-12-25 06:35 . 2009-12-25 06:35 30 ----a-w- c:\program files\Exiferupdate.ini

.

((((((((((((((((((((((((((((( SnapShot_2010-06-09_14.13.48 )))))))))))))))))))))))))))))))))))))))))

.

+ 2010-06-10 13:37 . 2010-06-10 13:37 16384 c:\windows\Temp\Perflib_Perfdata_898.dat

+ 2004-08-09 20:44 . 2010-06-10 13:42 71904 c:\windows\system32\perfc009.dat

- 2004-08-09 20:44 . 2010-06-09 14:14 71904 c:\windows\system32\perfc009.dat

+ 2004-08-09 20:44 . 2010-06-10 13:42 444028 c:\windows\system32\perfh009.dat

- 2004-08-09 20:44 . 2010-06-09 14:14 444028 c:\windows\system32\perfh009.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MoneyAgent"="c:\program files\Microsoft Money\System\Money Express.exe" [2001-07-25 184376]

"NetXfer"="c:\program files\Xi\NetXfer\NetTransport.exe" [2010-04-24 1853952]

"TranscodingService"="c:\program files\TiVo\Desktop\TranscodingService.exe" [2009-01-27 520192]

"TivoNotify"="c:\program files\TiVo\Desktop\TiVoNotify.exe" [2009-01-27 425472]

"TivoServer"="c:\program files\TiVo\Desktop\TiVoServer.exe" [2009-01-27 2143232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"PDF Complete"="c:\program files\PDF Complete\pdfsty.exe" [2006-01-04 219648]

"SetRefresh"="c:\program files\COMPAQ\SetRefresh\\SetRefresh.exe" [2003-11-20 525824]

"MoneyStartUp10.0"="c:\program files\Microsoft Money\System\Activation.exe" [2001-07-25 241714]

"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 57344]

"CoolSwitch"="c:\windows\system32\taskswitch.exe" [2002-03-19 45632]

"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]

"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]

"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]

"Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 69632]

"HPHmon04"="c:\windows\system32\hphmon04.exe" [2002-11-22 348160]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-02-02 339968]

"RoxioDragToDisc"="c:\program files\Roxio\Easy Media Creator 8\Drag to Disc\DrgToDsc.exe" [2005-10-21 1687552]

"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe" [2005-10-21 163840]

"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 90112]

"ProxyHostTrayIcon"="c:\program files\Funk Software\Proxy Host\phtray.exe" [2005-04-25 263184]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-03-17 47392]

"NapsterShell"="c:\program files\Napster\napster.exe" [2006-06-29 319488]

"QuickTime Task"="c:\program files\QuickTime Alternative\qttask.exe" [2010-03-18 421888]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]

"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2010-03-29 2145000]

c:\documents and settings\djdonohu\Start Menu\Programs\Startup\

Microsoft Office OneNote 2003 Quick Launch.lnk - c:\program files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2007-4-19 64864]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-10-4 113664]

Microsoft Office OneNote 2003 Quick Launch.lnk - c:\program files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2007-4-19 64864]

QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2005-12-8 811008]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\SIERRA\\SIGSPAT.EXE"=

"c:\\Program Files\\Intuit\\QuickBooks 2006\\QBDBMgrN.exe"=

"c:\\Program Files\\Xi\\NetXfer\\NetTransport.exe"=

"c:\\Program Files\\Microsoft Office\\OFFICE11\\FRONTPG.EXE"=

"c:\\Program Files\\Microsoft Office\\OFFICE11\\WINWORD.EXE"=

"c:\\Program Files\\GoldWave\\GoldWave.exe"=

"c:\\Program Files\\Roxio\\Easy Media Creator 8\\Creator Classic\\creator8.exe"=

"c:\\Program Files\\Common Files\\Roxio Shared\\SharedCom\\RoxUpnpRenderer.exe"=

"c:\\Program Files\\Funk Software\\Proxy Master\\Proxy.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Microsoft Money\\System\\urlmap.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Roxio\\Easy Media Creator 8\\Digital Home\\RoxUpnpServer.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"1505:TCP"= 1505:TCP:proxy

R0 dontgo;Promise Removable Disk Control Driver;c:\windows\system32\drivers\dontgo.sys [2/15/2005 4:22 PM 7680]

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [3/29/2010 5:12 PM 114984]

R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [3/29/2010 5:13 PM 95872]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 2:41 PM 67656]

R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [3/29/2010 5:12 PM 810120]

R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [10/20/2009 2:19 PM 50704]

R3 FTEventService;FTEVTBDG;c:\program files\Promise Technology, Inc\Promise Array Management\FTEVTBDG.sys [12/19/2005 1:23 AM 3873]

R3 ProxyHostInputFilter;Proxy Host Input Filter;c:\windows\system32\drivers\ph32ifil.sys [4/25/2005 12:55 PM 13328]

S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]

S2 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe [10/4/2004 5:47 AM 98304]

S2 yhdjmscdaloaxux;yhdjmscdaloaxux;\??\c:\windows\system32\drivers\awcrthnlcx.sys --> c:\windows\system32\drivers\awcrthnlcx.sys [?]

S3 ProxyHostHIDFilter;Proxy Host HID Filter;c:\windows\system32\drivers\ph32ihid.sys [4/25/2005 12:55 PM 14736]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

gcnvcugg

.

Contents of the 'Scheduled Tasks' folder

2010-05-31 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-06-06 c:\windows\Tasks\ParetoLogic Registration.job

- c:\program files\Common Files\ParetoLogic\UUS2\UUS.dll [2008-02-22 17:25]

2010-06-09 c:\windows\Tasks\ParetoLogic Update Version2.job

- c:\program files\Common Files\ParetoLogic\UUS2\Pareto_Update.exe [2008-02-22 17:25]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.coasttocoastam.com/shows/2009/08/01

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

mSearch Bar = hxxp://go.compaq.com/1Q00CDT/0409/bl8.asp

uInternet Settings,ProxyOverride = <local>

uSearchURL,(Default) = hxxp://www.google.com/keyword/%s

IE: Download all by NetXfer - c:\program files\Xi\NetXfer\NXAddList.html

IE: Download by NetXfer - c:\program files\Xi\NetXfer\NXAddLink.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

IE: Sothink SWF Catcher - c:\program files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm

.

- - - - ORPHANS REMOVED - - - -

HKCU-Run-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-06-10 09:51

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully

user: MBR read successfully

called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x89F8AEC5]<<

kernel: MBR read successfully

detected MBR rootkit hooks:

\Driver\Disk -> CLASSPNP.SYS @ 0xf763bf28

\Driver\ACPI -> ACPI.sys @ 0xf75aecb8

\Driver\atapi -> atapi.sys @ 0xf74a0852

IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805e710a

ParseProcedure -> ntoskrnl.exe @ 0x80578f7a

\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805e710a

ParseProcedure -> ntoskrnl.exe @ 0x80578f7a

NDIS: Broadcom NetXtreme Gigabit Ethernet -> SendCompleteHandler -> NDIS.sys @ 0xf7853bb0

PacketIndicateHandler -> NDIS.sys @ 0xf7860a21

SendHandler -> NDIS.sys @ 0xf783e87b

user & kernel MBR OK

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1893879213-397398424-1457653958-1005\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{EED80E61-38D4-693F-2531-13C8946D43FE}*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(800)

c:\windows\system32\WININET.dll

c:\program files\SUPERAntiSpyware\SASWINLO.DLL

c:\windows\system32\Ati2evxx.dll

c:\windows\system32\NavLogon.dll

- - - - - - - > 'lsass.exe'(860)

c:\windows\system32\WININET.dll

.

Completion time: 2010-06-10 09:56:11

ComboFix-quarantined-files.txt 2010-06-10 13:56

ComboFix2.txt 2010-06-09 14:21

ComboFix3.txt 2009-09-22 11:43

Pre-Run: 10,032,607,232 bytes free

Post-Run: 10,318,938,112 bytes free

- - End Of File - - 6791275959728A43B7601AA4AF47DBD5


Yes, it was a rootkit, and yes, I know that the problem is still present. ;)

Please read the following through carefully so that you understand what to do.

  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  • Go to Start > Run (or hold down your Windows key and press R) and copy and paste the following into the text field (make sure you include the quotation marks), then press OK. (If Vista, click on the Vista Orb and copy and paste the following into the Search field (make sure you include the quotation marks), then press Ctrl+Shift+Enter.)
    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v
  • If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
  • It may ask you to reboot the computer to complete the process. Allow it to do so.
  • When it is done, a log file called "TDSSKiller.txt" should be created on your C: drive. Please copy and paste the contents of that file here.


Okay, didn't seem to find anything, but here it is.

10:28:29:906 3700 TDSS rootkit removing tool 2.3.2.0 May 31 2010 10:39:48

10:28:29:906 3700 ================================================================================

10:28:29:906 3700 SystemInfo:

10:28:29:906 3700 OS Version: 5.1.2600 ServicePack: 3.0

10:28:29:906 3700 Product type: Workstation

10:28:29:906 3700 ComputerName: BASEMENT

10:28:29:906 3700 UserName: djdonohu

10:28:29:906 3700 Windows directory: C:\WINDOWS

10:28:29:906 3700 Processor architecture: Intel x86

10:28:29:906 3700 Number of processors: 2

10:28:29:906 3700 Page size: 0x1000

10:28:29:906 3700 Boot type: Normal boot

10:28:29:906 3700 ================================================================================

10:28:31:562 3700 Initialize success

10:28:31:562 3700

10:28:31:562 3700 Scanning Services ...

10:28:32:046 3700 Raw services enum returned 402 services

10:28:32:062 3700

10:28:32:062 3700 Scanning Drivers ...

10:28:32:375 3700

10:28:32:375 3700 Completed

10:28:32:375 3700

10:28:32:375 3700 Results:

10:28:32:375 3700 Registry objects infected / cured / cured on reboot: 0 / 0 / 0

10:28:32:375 3700 File objects infected / cured / cured on reboot: 0 / 0 / 0

10:28:32:375 3700

10:28:32:375 3700 KLMD(ARK) unloaded successfully


Open Notepad and copy and paste the text in the code box below into it:

http://forums.malwarebytes.org/index.php?showtopic=53417

KillAll::

Collect::[8]
c:\windows\system32\drivers\awcrthnlcx.sys
c:\windows\system32\drivers\yhdjmscdaloaxux.sys

NetSvc::
gcnvcugg

Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

(screenshot: CFScriptB-4.gif)

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply.

Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.

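The three items in that CFScript were picked out of the DDS/ComboFix log by eye: a service whose name is a random string, whose driver file has a different random name, and whose file the scanner could not read ("[?]"), plus an unexplained NetSvcs entry. As an added illustration (not code from the thread or from ComboFix), here is a small Python triage pass that parses the service list and NetSvcs block of a ComboFix-style log and surfaces exactly those entries; the sample log lines are constructed from the posted log, and the "random-looking name" scoring is an assumed heuristic, not a rule the tool applies.

```python
import re
from dataclasses import dataclass, field

# One service line in the R0..R3 / S0..S3 section of a ComboFix or DDS log:
#   <start> <service name>;<display name>;<image path> [<date> <size>]
# or, when the scanner could not read the file on disk:
#   <start> <service name>;<display name>;<image path> --> <image path> [?]
SERVICE_RE = re.compile(r"^(?P<start>[RS][0-4])\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$")
CONSONANT_RUN = re.compile(r"[b-df-hj-np-tv-z]{5,}")   # five or more consonants (y included)

@dataclass
class ServiceEntry:
    start: str
    name: str
    display: str
    image: str
    file_missing: bool
    flags: list = field(default_factory=list)

def parse_service_line(line):
    """Return a ServiceEntry for a service line, or None for any other log line."""
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest").strip()
    # The image path ends at " --> " (resolved path) or " [" (date/size, or "[?]").
    image = rest.split(" --> ")[0].split(" [")[0].strip()
    if image.startswith("\\??\\"):        # NT object-manager prefix seen on the suspect entry
        image = image[4:]
    return ServiceEntry(m.group("start"), m.group("name"), m.group("display"),
                        image, rest.endswith("[?]"))

def looks_random(name):
    """Heuristic (an assumption, not a ComboFix rule) for machine-generated names like
    the ones in this thread: 8+ characters, all lowercase letters, with a run of five
    or more consonants. Short or mixed-case names (ehdrv, SASDIFSV) never match."""
    return (len(name) >= 8 and name.isalpha() and name.islower()
            and CONSONANT_RUN.search(name) is not None)

def assess(entry):
    """Attach review flags; it is the combination of flags that makes an entry stand out."""
    stem = entry.image.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    if entry.file_missing:
        entry.flags.append("image file unreadable on disk ([?])")
    if looks_random(entry.name) or looks_random(stem):
        entry.flags.append("random-looking service or driver name")
    if entry.name.lower() != stem.lower():
        entry.flags.append("service name differs from driver file name")
    return entry

def triage(log_text, threshold=2):
    """Parse the service list and the NetSvcs block of a ComboFix-style log. Returns the
    entries carrying at least `threshold` flags and the random-looking NetSvcs names."""
    entries, netsvcs, in_netsvcs = [], [], False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        if line.endswith("Svchost - NetSvcs"):
            in_netsvcs = True                # single-token names follow this header
            continue
        if in_netsvcs and " " not in line:
            netsvcs.append(line)
            continue
        in_netsvcs = False                   # any other line ends the NetSvcs block
        entry = parse_service_line(line)
        if entry is not None:
            entries.append(assess(entry))
    return {"services": [e for e in entries if len(e.flags) >= threshold],
            "netsvcs": [n for n in netsvcs if looks_random(n)]}

# Constructed sample in ComboFix format: the yhdjmscdaloaxux/awcrthnlcx service and the
# gcnvcugg NetSvcs entry are the ones from this thread's log; the rest are benign context.
SAMPLE_LOG = r"""
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [3/29/2010 5:12 PM 114984]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [3/29/2010 5:13 PM 95872]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [10/20/2009 2:19 PM 50704]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S2 yhdjmscdaloaxux;yhdjmscdaloaxux;\??\c:\windows\system32\drivers\awcrthnlcx.sys --> c:\windows\system32\drivers\awcrthnlcx.sys [?]
S3 ProxyHostHIDFilter;Proxy Host HID Filter;c:\windows\system32\drivers\ph32ihid.sys [4/25/2005 12:55 PM 14736]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
gcnvcugg
.
Contents of the 'Scheduled Tasks' folder
"""

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for e in result["services"]:
        print(f"{e.start} {e.name} -> {e.image}: " + "; ".join(e.flags))
    for n in result["netsvcs"]:
        print(f"NetSvcs entry to verify: {n}")
```

Single-flag hits (an orphaned S0 entry with a missing file, a legitimate driver with an odd name) are worth a glance but are not what the helper targeted; lowering `threshold` to 1 lists them too.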

Okay, I said yes to the update, it downloaded and continued to run. Here's the log. The only thing I wasn't clear on was whether I should have run it again since I started it by dragging the CFScript file to it. I wasn't sure that the CFScript would still run after the update when ComboFix ran the new version automatically.

ComboFix 10-06-09.04 - djdonohu 06/10/2010 11:25:29.4.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2559.1972 [GMT -4:00]

Running from: c:\documents and settings\djdonohu\Desktop\Combo-Fix.exe

Command switches used :: c:\documents and settings\djdonohu\Desktop\CFScript.txt

AV: ESET NOD32 Antivirus 4.2 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

Infected copy of c:\windows\system32\drivers\rdpcdd.sys was found and disinfected

Restored copy from - Kitty had a snack ;)

.

((((((((((((((((((((((((( Files Created from 2010-05-10 to 2010-06-10 )))))))))))))))))))))))))))))))

.

2010-06-10 13:30 . 2010-06-10 13:56 -------- d-----w- C:\Combo-Fix

2010-06-10 06:18 . 2010-06-10 06:18 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ESET

2010-06-08 20:27 . 2010-06-08 20:27 63488 ----a-w- c:\documents and settings\djdonohu\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll

2010-06-08 20:27 . 2010-06-08 20:27 52224 ----a-w- c:\documents and settings\djdonohu\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll

2010-06-08 20:27 . 2010-06-08 20:27 117760 ----a-w- c:\documents and settings\djdonohu\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

2010-06-08 20:26 . 2010-06-08 20:26 -------- d-----w- c:\documents and settings\djdonohu\Application Data\SUPERAntiSpyware.com

2010-06-08 20:26 . 2010-06-08 20:26 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2010-06-08 20:26 . 2010-06-08 20:26 -------- d-----w- c:\program files\SUPERAntiSpyware

2010-06-08 19:54 . 2010-06-08 19:54 12872 ----a-w- c:\windows\system32\bootdelete.exe

2010-06-08 16:48 . 2010-06-08 16:48 -------- d-----w- c:\documents and settings\djdonohu\Local Settings\Application Data\ESET

2010-06-08 15:49 . 2010-06-08 20:15 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys

2010-06-08 15:49 . 2010-06-08 19:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro

2010-06-08 15:49 . 2010-06-08 15:49 -------- d-----w- c:\program files\Hitman Pro 3.5

2010-06-08 14:37 . 2010-06-08 14:37 -------- d-----w- c:\program files\ESET

2010-06-08 14:37 . 2010-06-08 14:37 -------- d-----w- c:\documents and settings\All Users\Application Data\ESET

2010-05-30 15:32 . 2010-05-30 15:32 -------- d-----w- c:\program files\Flip Video

2010-05-14 16:38 . 2010-05-14 16:38 4732800 ----a-w- c:\documents and settings\All Users\Application Data\Flip Video\FlipShare\Updates\FirmwareExec_Windows_en-US_83.06_83.07\FlipVideoFWUpdate.exe

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-06-10 15:24 . 2005-12-23 04:14 -------- d-----w- c:\documents and settings\djdonohu\Application Data\Apple Computer

2010-06-09 13:29 . 2010-06-08 15:32 -------- d-----w- c:\documents and settings\All Users\Application Data\SecTaskMan

2010-06-08 14:04 . 2005-11-27 08:59 -------- d-----w- c:\program files\Symantec

2010-06-08 02:04 . 2006-10-09 19:39 664 ----a-w- c:\windows\system32\d3d9caps.dat

2010-06-04 17:22 . 2009-03-15 18:36 -------- d-----w- c:\program files\Microsoft Silverlight

2010-06-04 17:22 . 2009-02-09 02:38 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-05-14 01:52 . 2007-04-08 21:03 -------- d-----w- c:\documents and settings\djdonohu\Application Data\VideoReDoPlus

2010-05-14 01:39 . 2007-04-08 21:04 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2010-05-13 00:28 . 2005-12-23 03:55 -------- d-----w- c:\program files\Common Files\Real

2010-05-13 00:23 . 2010-05-08 20:29 -------- d-----w- c:\program files\Replay Media Catcher

2010-05-09 01:47 . 2010-05-09 01:17 20854256 ----a-w- c:\documents and settings\djdonohu\Application Data\Real\Update\setup3.10\rp\RealPlayerSPGold.exe

2010-05-08 20:30 . 2010-05-08 20:30 237568 ----a-w- c:\windows\system32\rmc_rtspdl.dll

2010-05-08 20:30 . 2010-05-08 20:30 156672 ----a-w- c:\windows\system32\rmc_fixasf.exe

2010-05-08 19:42 . 2008-07-08 19:33 -------- d-----w- c:\program files\URLSnooper2

2010-05-08 18:48 . 2008-07-08 19:33 -------- d-----w- c:\program files\WinPcap

2010-05-04 05:25 . 2010-05-04 05:24 -------- d-----w- c:\program files\iTunes

2010-05-04 05:24 . 2010-05-04 05:24 -------- d-----w- c:\program files\iPod

2010-05-04 05:24 . 2007-07-01 03:49 -------- d-----w- c:\program files\Common Files\Apple

2010-05-04 05:19 . 2010-03-03 09:17 439816 ----a-w- c:\documents and settings\djdonohu\Application Data\Real\Update\setup3.10\setup.exe

2010-05-04 05:13 . 2010-05-04 05:13 -------- d-----w- c:\program files\Bonjour

2010-05-04 04:26 . 2010-05-04 04:26 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.1.12\SetupAdmin.exe

2010-05-02 01:17 . 2010-05-02 01:17 13407072 ----a-w- c:\documents and settings\djdonohu\Application Data\Real\Update\setup3.10\chr\ChromeInstaller.exe

2010-04-29 19:39 . 2009-06-18 21:27 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-04-29 19:39 . 2009-06-18 21:27 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-04-12 21:29 . 2010-04-17 21:42 411368 ----a-w- c:\windows\system32\deployJava1.dll

2010-04-08 17:20 . 2010-04-08 17:20 91424 ----a-w- c:\windows\system32\dnssd.dll

2010-04-08 17:20 . 2010-04-08 17:20 107808 ----a-w- c:\windows\system32\dns-sd.exe

2010-03-29 21:13 . 2010-03-29 21:13 95872 ----a-w- c:\windows\system32\drivers\epfwtdir.sys

2010-03-29 21:12 . 2010-03-29 21:12 114984 ----a-w- c:\windows\system32\drivers\ehdrv.sys

2010-03-29 21:07 . 2010-03-29 21:07 140216 ----a-w- c:\windows\system32\drivers\eamon.sys

2009-12-25 06:35 . 2009-12-25 06:35 30 ----a-w- c:\program files\Exiferupdate.ini

.

((((((((((((((((((((((((((((( SnapShot_2010-06-09_14.13.48 )))))))))))))))))))))))))))))))))))))))))

.

+ 2010-06-10 15:21 . 2010-06-10 15:21 16384 c:\windows\Temp\Perflib_Perfdata_8d4.dat

- 2010-06-09 13:53 . 2010-06-09 13:53 16384 c:\windows\Temp\Perflib_Perfdata_8d4.dat

+ 2010-06-10 15:38 . 2010-06-10 15:38 16384 c:\windows\Temp\Perflib_Perfdata_888.dat

+ 2004-08-09 20:44 . 2010-06-10 15:42 71904 c:\windows\system32\perfc009.dat

- 2004-08-09 20:44 . 2010-06-09 14:14 71904 c:\windows\system32\perfc009.dat

+ 2004-08-09 20:44 . 2010-06-10 15:42 444028 c:\windows\system32\perfh009.dat

- 2004-08-09 20:44 . 2010-06-09 14:14 444028 c:\windows\system32\perfh009.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MoneyAgent"="c:\program files\Microsoft Money\System\Money Express.exe" [2001-07-25 184376]

"NetXfer"="c:\program files\Xi\NetXfer\NetTransport.exe" [2010-04-24 1853952]

"TranscodingService"="c:\program files\TiVo\Desktop\TranscodingService.exe" [2009-01-27 520192]

"TivoNotify"="c:\program files\TiVo\Desktop\TiVoNotify.exe" [2009-01-27 425472]

"TivoServer"="c:\program files\TiVo\Desktop\TiVoServer.exe" [2009-01-27 2143232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"PDF Complete"="c:\program files\PDF Complete\pdfsty.exe" [2006-01-04 219648]

"SetRefresh"="c:\program files\COMPAQ\SetRefresh\\SetRefresh.exe" [2003-11-20 525824]

"MoneyStartUp10.0"="c:\program files\Microsoft Money\System\Activation.exe" [2001-07-25 241714]

"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 57344]

"CoolSwitch"="c:\windows\system32\taskswitch.exe" [2002-03-19 45632]

"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]

"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]

"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]

"Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 69632]

"HPHmon04"="c:\windows\system32\hphmon04.exe" [2002-11-22 348160]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-02-02 339968]

"RoxioDragToDisc"="c:\program files\Roxio\Easy Media Creator 8\Drag to Disc\DrgToDsc.exe" [2005-10-21 1687552]

"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe" [2005-10-21 163840]

"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 90112]

"ProxyHostTrayIcon"="c:\program files\Funk Software\Proxy Host\phtray.exe" [2005-04-25 263184]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-03-17 47392]

"NapsterShell"="c:\program files\Napster\napster.exe" [2006-06-29 319488]

"QuickTime Task"="c:\program files\QuickTime Alternative\qttask.exe" [2010-03-18 421888]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]

"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2010-03-29 2145000]

c:\documents and settings\djdonohu\Start Menu\Programs\Startup\

Microsoft Office OneNote 2003 Quick Launch.lnk - c:\program files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2007-4-19 64864]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-10-4 113664]

Microsoft Office OneNote 2003 Quick Launch.lnk - c:\program files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2007-4-19 64864]

QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2005-12-8 811008]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\SIERRA\\SIGSPAT.EXE"=

"c:\\Program Files\\Intuit\\QuickBooks 2006\\QBDBMgrN.exe"=

"c:\\Program Files\\Xi\\NetXfer\\NetTransport.exe"=

"c:\\Program Files\\Microsoft Office\\OFFICE11\\FRONTPG.EXE"=

"c:\\Program Files\\Microsoft Office\\OFFICE11\\WINWORD.EXE"=

"c:\\Program Files\\GoldWave\\GoldWave.exe"=

"c:\\Program Files\\Roxio\\Easy Media Creator 8\\Creator Classic\\creator8.exe"=

"c:\\Program Files\\Common Files\\Roxio Shared\\SharedCom\\RoxUpnpRenderer.exe"=

"c:\\Program Files\\Funk Software\\Proxy Master\\Proxy.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Microsoft Money\\System\\urlmap.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Roxio\\Easy Media Creator 8\\Digital Home\\RoxUpnpServer.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"1505:TCP"= 1505:TCP:proxy

R0 dontgo;Promise Removable Disk Control Driver;c:\windows\system32\drivers\dontgo.sys [2/15/2005 4:22 PM 7680]

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [3/29/2010 5:12 PM 114984]

R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [3/29/2010 5:13 PM 95872]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 2:41 PM 67656]

R2 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe [10/4/2004 5:47 AM 98304]

R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [3/29/2010 5:12 PM 810120]

R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [10/20/2009 2:19 PM 50704]

R3 FTEventService;FTEVTBDG;c:\program files\Promise Technology, Inc\Promise Array Management\FTEVTBDG.sys [12/19/2005 1:23 AM 3873]

R3 ProxyHostInputFilter;Proxy Host Input Filter;c:\windows\system32\drivers\ph32ifil.sys [4/25/2005 12:55 PM 13328]

S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]

S2 yhdjmscdaloaxux;yhdjmscdaloaxux;\??\c:\windows\system32\drivers\awcrthnlcx.sys --> c:\windows\system32\drivers\awcrthnlcx.sys [?]

S3 ProxyHostHIDFilter;Proxy Host HID Filter;c:\windows\system32\drivers\ph32ihid.sys [4/25/2005 12:55 PM 14736]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

.

Contents of the 'Scheduled Tasks' folder

2010-05-31 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-06-06 c:\windows\Tasks\ParetoLogic Registration.job

- c:\program files\Common Files\ParetoLogic\UUS2\UUS.dll [2008-02-22 17:25]

2010-06-09 c:\windows\Tasks\ParetoLogic Update Version2.job

- c:\program files\Common Files\ParetoLogic\UUS2\Pareto_Update.exe [2008-02-22 17:25]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.coasttocoastam.com/shows/2009/08/01

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

mSearch Bar = hxxp://go.compaq.com/1Q00CDT/0409/bl8.asp

uInternet Settings,ProxyOverride = <local>

uSearchURL,(Default) = hxxp://www.google.com/keyword/%s

IE: Download all by NetXfer - c:\program files\Xi\NetXfer\NXAddList.html

IE: Download by NetXfer - c:\program files\Xi\NetXfer\NXAddLink.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

IE: Sothink SWF Catcher - c:\program files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-06-10 11:38

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully

user: MBR read successfully

called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x89E96EC5]<<

kernel: MBR read successfully

detected MBR rootkit hooks:

\Driver\Disk -> CLASSPNP.SYS @ 0xf763bf28

\Driver\ACPI -> ACPI.sys @ 0xf75aecb8

\Driver\atapi -> atapi.sys @ 0xf74a0852

IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805e710a

ParseProcedure -> ntoskrnl.exe @ 0x80578f7a

\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805e710a

ParseProcedure -> ntoskrnl.exe @ 0x80578f7a

NDIS: Broadcom NetXtreme Gigabit Ethernet -> SendCompleteHandler -> NDIS.sys @ 0xf7853bb0

PacketIndicateHandler -> NDIS.sys @ 0xf7860a21

SendHandler -> NDIS.sys @ 0xf783e87b

user & kernel MBR OK

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1893879213-397398424-1457653958-1005\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{EED80E61-38D4-693F-2531-13C8946D43FE}*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(804)

c:\windows\system32\WININET.dll

c:\program files\SUPERAntiSpyware\SASWINLO.DLL

c:\windows\system32\Ati2evxx.dll

c:\windows\system32\NavLogon.dll

- - - - - - - > 'lsass.exe'(868)

c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(3392)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\WPDShServiceObj.dll

c:\program files\Roxio\Easy Media Creator 8\Drag to Disc\Shellex.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\Ati2evxx.exe

c:\windows\system32\Ati2evxx.exe

c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Flip Video\FlipShare\FlipShareService.exe

c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

c:\program files\Funk Software\Proxy Host\phsvc.exe

c:\program files\Promise Technology, Inc\Promise Array Management\MsgAgt.exe

c:\program files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe

c:\program files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe

c:\program files\Analog Devices\SoundMAX\SMAgent.exe

c:\windows\system32\wbem\unsecapp.exe

c:\program files\PDF Complete\pdfsaver.exe

c:\program files\ATI Technologies\ATI.ACE\CLI.EXE

c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe

c:\program files\iPod\bin\iPodService.exe

c:\program files\Common Files\Roxio Shared\SharedCOM8\CPSHelpRunner.exe

c:\program files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe

c:\program files\ATI Technologies\ATI.ACE\cli.exe

c:\program files\ATI Technologies\ATI.ACE\cli.exe

.

**************************************************************************

.

Completion time: 2010-06-10 11:48:26 - machine was rebooted

ComboFix-quarantined-files.txt 2010-06-10 15:48

ComboFix2.txt 2010-06-10 13:56

ComboFix3.txt 2010-06-09 14:21

ComboFix4.txt 2009-09-22 11:43

Pre-Run: 10,331,209,728 bytes free

Post-Run: 10,234,118,144 bytes free

- - End Of File - - 512C2A4B42265B4E63B3C7D99854EE98


It's working! :)

Step 1

  1. Please visit this website: Submit Malware Sample
  2. Next to the label "Link to topic where this file was requested:", insert a link pointing to this topic in our forum.
  3. Next to the label "Browse to the file you want to submit:", click on the Choose... button.
  4. Navigate to the following file: C:\Qoobox\Quarantine\[8]-Submit_date_time.zip (date_time will be replaced with the date and time when this file was created)
  5. In the field "Leave any comments, further information about this file, or contact information:", write the following:
    Sent at the request of Borislav.
  6. Once you're ready, click the Send File button.

Step 2

Open Notepad and copy and paste the text in the code box below into it:

KillAll::

TDL::
c:\windows\system32\drivers\rdpcdd.sys

Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

(screenshot: CFScriptB-4.gif)

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply.

Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.


Okay, a few problems. First of all, it seems the problem of the missing CF quarantine file might be related to ESET antivirus. What's happening is that I disable it, then CF says it needs to reboot. But when it restarts, CF runs immediately, but the rest of the normal startup also occurs, while CF is still running, including the antivirus starting up. ESET is then interfering with the CF scan. I might be wrong, but it seems to me that the previous version of CF, before the update today, would run after the reboot but would just sit there on a blank desktop and not let the startup proceed until CF was finished.

Next, on the last step, when CF restarts on its own then prints the report, it failed. The restart happened, I think CF was starting up, then I got a blue screen. The only thing I could make out was the cause of it was eamon.sys, then it rebooted. CF did not restart this time, so no log file. Should I run it again? What about the AV?


I'll let you know, when we finish our work, how to help ESET find the problem with the BSOD.

Step 1

Uninstall your ESET NOD32 Antivirus.

Step 2

1. Please download The Avenger2 by Swandog46 to your Desktop.

  • Right click on the Avenger.zip folder and select "Extract All..."
  • Follow the prompts and extract the avenger folder to your desktop

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Drivers to disable:
yhdjmscdaloaxux
awcrthnlcx

Drivers to delete:
yhdjmscdaloaxux
awcrthnlcx

Files to delete:
c:\windows\system32\drivers\awcrthnlcx.sys
c:\windows\system32\drivers\yhdjmscdaloaxux.sys

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, open the avenger folder and start The Avenger program by clicking on its icon.

  • Right click on the window under Input script here:, and select Paste.
  • You can also Paste the text copied to the clipboard into this window by pressing (Ctrl+V), or click on the third button under the menu to paste it from the clipboard.
  • Click on Execute
  • Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:

  • It will restart your computer. (In cases where the code to execute contains "Drivers to Delete" or "Drivers to Disable", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop; this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger.


Okay, did that. Here's the Avenger log. Your instructions said to include a HijackThis log, but we haven't run that before. Should I use something else I already have, or can you tell me where to find HJT?

Logfile of The Avenger Version 2.0, © by Swandog46

http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.

Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

No rootkits found!

Driver "yhdjmscdaloaxux" disabled successfully.

Error: could not open driver "awcrthnlcx"

Disablement of driver "awcrthnlcx" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Driver "yhdjmscdaloaxux" deleted successfully.

Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\awcrthnlcx" not found!

Deletion of driver "awcrthnlcx" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "c:\windows\system32\drivers\awcrthnlcx.sys" not found!

Deletion of file "c:\windows\system32\drivers\awcrthnlcx.sys" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "c:\windows\system32\drivers\yhdjmscdaloaxux.sys" not found!

Deletion of file "c:\windows\system32\drivers\yhdjmscdaloaxux.sys" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Completed script processing.

*******************

Finished! Terminate.

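The Avenger script in the helper's post and the log it produced above can be reconciled mechanically, which matters when a script names several drivers and the log interleaves successes, "Error:" lines and NTSTATUS codes. The Python below is an added example, not part of this thread or of The Avenger itself; it embeds the script and the status lines of the log above as inline samples and collapses them into one verdict per driver name. The verdict labels, and the rule that a service key which was deleted while its .sys file was reported absent still deserves a second rootkit scan, are the example's own, not anything Avenger reports.

```python
import re
from collections import defaultdict

# Inline samples: the helper's script and the status lines from the log posted
# in reply (banner lines dropped). Constructed here for offline use.
AVENGER_SCRIPT = r"""
Drivers to disable:
yhdjmscdaloaxux
awcrthnlcx
Drivers to delete:
yhdjmscdaloaxux
awcrthnlcx
Files to delete:
c:\windows\system32\drivers\awcrthnlcx.sys
c:\windows\system32\drivers\yhdjmscdaloaxux.sys
"""

AVENGER_LOG = r"""
Driver "yhdjmscdaloaxux" disabled successfully.
Error: could not open driver "awcrthnlcx"
Disablement of driver "awcrthnlcx" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
Driver "yhdjmscdaloaxux" deleted successfully.
Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\awcrthnlcx" not found!
Deletion of driver "awcrthnlcx" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
Deletion of file "c:\windows\system32\drivers\awcrthnlcx.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
Error: file "c:\windows\system32\drivers\yhdjmscdaloaxux.sys" not found!
Deletion of file "c:\windows\system32\drivers\yhdjmscdaloaxux.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
"""

# Script section header -> action key used throughout (names are this example's).
SECTION_ACTIONS = {"Drivers to disable:": "disable",
                   "Drivers to delete:": "delete_driver",
                   "Files to delete:": "delete_file"}
OK_RE = re.compile(r'^Driver "(?P<name>[^"]+)" (?P<verb>disabled|deleted) successfully\.$')
FAIL_RE = re.compile(r'^(?P<verb>Disablement|Deletion) of (?P<kind>driver|file) "(?P<name>[^"]+)" failed!$')
STATUS_RE = re.compile(r'^Status: 0x[0-9a-fA-F]{8} \((?P<sym>[A-Z_]+)\)$')
NOT_FOUND = "STATUS_OBJECT_NAME_NOT_FOUND"


def parse_script(text):
    """Return [(action, target)] in script order; targets are lower-cased."""
    actions, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line in SECTION_ACTIONS:
            current = SECTION_ACTIONS[line]
        elif current:
            actions.append((current, line.lower()))
    return actions


def parse_log(text):
    """Map (action, target) -> (outcome, NTSTATUS symbol or None)."""
    results, pending = {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := OK_RE.match(line):
            action = "disable" if m["verb"] == "disabled" else "delete_driver"
            results[(action, m["name"].lower())] = ("ok", None)
        elif m := FAIL_RE.match(line):
            action = ("delete_file" if m["kind"] == "file"
                      else "disable" if m["verb"] == "Disablement" else "delete_driver")
            pending = (action, m["name"].lower())
            results[pending] = ("failed", None)  # NTSTATUS follows on the next line
        elif (m := STATUS_RE.match(line)) and pending:
            results[pending] = ("failed", m["sym"])
            pending = None
    return results


def driver_verdicts(script_text, log_text):
    """One verdict per driver name, combining service-key and file results."""
    results = parse_log(log_text)
    per_driver = defaultdict(dict)
    for action, target in parse_script(script_text):
        name = target
        if action == "delete_file":  # c:\...\drivers\name.sys -> name
            base = target.rsplit("\\", 1)[-1]
            name = base[:-4] if base.endswith(".sys") else base
        per_driver[name][action] = results.get((action, target), ("no_log_entry", None))
    verdicts = {}
    for name, o in per_driver.items():
        key = o.get("delete_driver", ("no_log_entry", None))
        fil = o.get("delete_file", ("no_log_entry", None))
        if key[0] == "ok" and fil[0] == "ok":
            verdicts[name] = "removed"
        elif key[0] == "ok" and fil[1] == NOT_FOUND:
            # Service entry existed but no file at its path: hidden, or cleaned earlier.
            verdicts[name] = "key_removed_file_absent"
        elif key[1] == NOT_FOUND and fil[1] == NOT_FOUND:
            verdicts[name] = "not_present"
        else:
            verdicts[name] = "incomplete"
    return verdicts


if __name__ == "__main__":
    print(driver_verdicts(AVENGER_SCRIPT, AVENGER_LOG))
```

For this log it reports yhdjmscdaloaxux as key_removed_file_absent (the service entry existed and was deleted, but Avenger found no file at the path the script gave, which is the pattern a file-hiding driver or an earlier tool's partial cleanup leaves behind) and awcrthnlcx as not_present. Neither outcome by itself proves the machine is clean; that is what the later rootkit scan is for.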

No, thanks! Sorry about that!

Please manually delete your copy of ComboFix and then:

**Note: If you need more detailed information, please visit the web page of ComboFix in BleepingComputer. **

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper.

Please download ComboFix from

Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

  1. If you are using Firefox, make sure that your download settings are as follows:
    • Open Tools -> Options -> Main tab
    • Set to Always ask me where to Save the files.
  2. During the download, rename Combofix to Combo-Fix as follows:

[screenshots: CF_download_FF.gif, CF_download_rename.gif]

  3. It is important you rename Combofix during the download, but not after.
  4. Please do not rename Combofix to other names, but only to the one indicated.
  5. Close any open browsers.
  6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause unpredictable results.
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

    -----------------------------------------------------------


  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

-----------------------------------------------------------

  • Double click on Combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\Combo-Fix.txt for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**


Ran without a problem this time. Thanks for all your help, BTW. What's next?

ComboFix 10-06-09.04 - djdonohu 06/10/2010 13:30:44.6.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2559.1972 [GMT -4:00]

Running from: c:\documents and settings\djdonohu\Desktop\Combo-Fix.exe

.

((((((((((((((((((((((((( Files Created from 2010-05-10 to 2010-06-10 )))))))))))))))))))))))))))))))

.

2010-06-10 13:30 . 2010-06-10 13:56 -------- d-----w- C:\Combo-Fix

2010-06-10 06:18 . 2010-06-10 06:18 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ESET

2010-06-08 20:27 . 2010-06-08 20:27 63488 ----a-w- c:\documents and settings\djdonohu\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll

2010-06-08 20:27 . 2010-06-08 20:27 52224 ----a-w- c:\documents and settings\djdonohu\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll

2010-06-08 20:27 . 2010-06-08 20:27 117760 ----a-w- c:\documents and settings\djdonohu\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

2010-06-08 20:26 . 2010-06-08 20:26 -------- d-----w- c:\documents and settings\djdonohu\Application Data\SUPERAntiSpyware.com

2010-06-08 20:26 . 2010-06-08 20:26 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2010-06-08 20:26 . 2010-06-08 20:26 -------- d-----w- c:\program files\SUPERAntiSpyware

2010-06-08 19:54 . 2010-06-08 19:54 12872 ----a-w- c:\windows\system32\bootdelete.exe

2010-06-08 16:48 . 2010-06-08 16:48 -------- d-----w- c:\documents and settings\djdonohu\Local Settings\Application Data\ESET

2010-06-08 15:49 . 2010-06-08 20:15 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys

2010-06-08 15:49 . 2010-06-08 19:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro

2010-06-08 15:49 . 2010-06-08 15:49 -------- d-----w- c:\program files\Hitman Pro 3.5

2010-05-30 15:32 . 2010-05-30 15:32 -------- d-----w- c:\program files\Flip Video

2010-05-14 16:38 . 2010-05-14 16:38 4732800 ----a-w- c:\documents and settings\All Users\Application Data\Flip Video\FlipShare\Updates\FirmwareExec_Windows_en-US_83.06_83.07\FlipVideoFWUpdate.exe

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-06-10 15:24 . 2005-12-23 04:14 -------- d-----w- c:\documents and settings\djdonohu\Application Data\Apple Computer

2010-06-09 13:29 . 2010-06-08 15:32 -------- d-----w- c:\documents and settings\All Users\Application Data\SecTaskMan

2010-06-08 14:04 . 2005-11-27 08:59 -------- d-----w- c:\program files\Symantec

2010-06-08 02:04 . 2006-10-09 19:39 664 ----a-w- c:\windows\system32\d3d9caps.dat

2010-06-04 17:22 . 2009-03-15 18:36 -------- d-----w- c:\program files\Microsoft Silverlight

2010-06-04 17:22 . 2009-02-09 02:38 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-05-14 01:52 . 2007-04-08 21:03 -------- d-----w- c:\documents and settings\djdonohu\Application Data\VideoReDoPlus

2010-05-14 01:39 . 2007-04-08 21:04 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2010-05-13 00:28 . 2005-12-23 03:55 -------- d-----w- c:\program files\Common Files\Real

2010-05-13 00:23 . 2010-05-08 20:29 -------- d-----w- c:\program files\Replay Media Catcher

2010-05-09 01:47 . 2010-05-09 01:17 20854256 ----a-w- c:\documents and settings\djdonohu\Application Data\Real\Update\setup3.10\rp\RealPlayerSPGold.exe

2010-05-08 20:30 . 2010-05-08 20:30 237568 ----a-w- c:\windows\system32\rmc_rtspdl.dll

2010-05-08 20:30 . 2010-05-08 20:30 156672 ----a-w- c:\windows\system32\rmc_fixasf.exe

2010-05-08 19:42 . 2008-07-08 19:33 -------- d-----w- c:\program files\URLSnooper2

2010-05-08 18:48 . 2008-07-08 19:33 -------- d-----w- c:\program files\WinPcap

2010-05-04 05:25 . 2010-05-04 05:24 -------- d-----w- c:\program files\iTunes

2010-05-04 05:24 . 2010-05-04 05:24 -------- d-----w- c:\program files\iPod

2010-05-04 05:24 . 2007-07-01 03:49 -------- d-----w- c:\program files\Common Files\Apple

2010-05-04 05:19 . 2010-03-03 09:17 439816 ----a-w- c:\documents and settings\djdonohu\Application Data\Real\Update\setup3.10\setup.exe

2010-05-04 05:13 . 2010-05-04 05:13 -------- d-----w- c:\program files\Bonjour

2010-05-04 04:26 . 2010-05-04 04:26 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.1.12\SetupAdmin.exe

2010-05-02 01:17 . 2010-05-02 01:17 13407072 ----a-w- c:\documents and settings\djdonohu\Application Data\Real\Update\setup3.10\chr\ChromeInstaller.exe

2010-04-29 19:39 . 2009-06-18 21:27 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-04-29 19:39 . 2009-06-18 21:27 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-04-12 21:29 . 2010-04-17 21:42 411368 ----a-w- c:\windows\system32\deployJava1.dll

2010-04-08 17:20 . 2010-04-08 17:20 91424 ----a-w- c:\windows\system32\dnssd.dll

2010-04-08 17:20 . 2010-04-08 17:20 107808 ----a-w- c:\windows\system32\dns-sd.exe

2009-12-25 06:35 . 2009-12-25 06:35 30 ----a-w- c:\program files\Exiferupdate.ini

.

((((((((((((((((((((((((((((( SnapShot_2010-06-09_14.13.48 )))))))))))))))))))))))))))))))))))))))))

.

+ 2010-06-10 17:15 . 2010-06-10 17:15 16384 c:\windows\Temp\Perflib_Perfdata_808.dat

+ 2004-08-09 20:44 . 2010-06-10 17:19 71904 c:\windows\system32\perfc009.dat

- 2004-08-09 20:44 . 2010-06-09 14:14 71904 c:\windows\system32\perfc009.dat

+ 2001-08-17 20:46 . 2001-08-17 20:46 4224 c:\windows\system32\dllcache\rdpcdd.sys

+ 2004-08-09 20:44 . 2010-06-10 17:19 444028 c:\windows\system32\perfh009.dat

- 2004-08-09 20:44 . 2010-06-09 14:14 444028 c:\windows\system32\perfh009.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MoneyAgent"="c:\program files\Microsoft Money\System\Money Express.exe" [2001-07-25 184376]

"NetXfer"="c:\program files\Xi\NetXfer\NetTransport.exe" [2010-04-24 1853952]

"TranscodingService"="c:\program files\TiVo\Desktop\TranscodingService.exe" [2009-01-27 520192]

"TivoNotify"="c:\program files\TiVo\Desktop\TiVoNotify.exe" [2009-01-27 425472]

"TivoServer"="c:\program files\TiVo\Desktop\TiVoServer.exe" [2009-01-27 2143232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"PDF Complete"="c:\program files\PDF Complete\pdfsty.exe" [2006-01-04 219648]

"SetRefresh"="c:\program files\COMPAQ\SetRefresh\\SetRefresh.exe" [2003-11-20 525824]

"MoneyStartUp10.0"="c:\program files\Microsoft Money\System\Activation.exe" [2001-07-25 241714]

"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 57344]

"CoolSwitch"="c:\windows\system32\taskswitch.exe" [2002-03-19 45632]

"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]

"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]

"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]

"Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 69632]

"HPHmon04"="c:\windows\system32\hphmon04.exe" [2002-11-22 348160]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-02-02 339968]

"RoxioDragToDisc"="c:\program files\Roxio\Easy Media Creator 8\Drag to Disc\DrgToDsc.exe" [2005-10-21 1687552]

"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe" [2005-10-21 163840]

"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 90112]

"ProxyHostTrayIcon"="c:\program files\Funk Software\Proxy Host\phtray.exe" [2005-04-25 263184]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-03-17 47392]

"NapsterShell"="c:\program files\Napster\napster.exe" [2006-06-29 319488]

"QuickTime Task"="c:\program files\QuickTime Alternative\qttask.exe" [2010-03-18 421888]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]

c:\documents and settings\djdonohu\Start Menu\Programs\Startup\

Microsoft Office OneNote 2003 Quick Launch.lnk - c:\program files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2007-4-19 64864]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-10-4 113664]

Microsoft Office OneNote 2003 Quick Launch.lnk - c:\program files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2007-4-19 64864]

QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2005-12-8 811008]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\SIERRA\\SIGSPAT.EXE"=

"c:\\Program Files\\Intuit\\QuickBooks 2006\\QBDBMgrN.exe"=

"c:\\Program Files\\Xi\\NetXfer\\NetTransport.exe"=

"c:\\Program Files\\Microsoft Office\\OFFICE11\\FRONTPG.EXE"=

"c:\\Program Files\\Microsoft Office\\OFFICE11\\WINWORD.EXE"=

"c:\\Program Files\\GoldWave\\GoldWave.exe"=

"c:\\Program Files\\Roxio\\Easy Media Creator 8\\Creator Classic\\creator8.exe"=

"c:\\Program Files\\Common Files\\Roxio Shared\\SharedCom\\RoxUpnpRenderer.exe"=

"c:\\Program Files\\Funk Software\\Proxy Master\\Proxy.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Microsoft Money\\System\\urlmap.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Roxio\\Easy Media Creator 8\\Digital Home\\RoxUpnpServer.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"1505:TCP"= 1505:TCP:proxy

R0 dontgo;Promise Removable Disk Control Driver;c:\windows\system32\drivers\dontgo.sys [2/15/2005 4:22 PM 7680]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 2:41 PM 67656]

R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [10/20/2009 2:19 PM 50704]

R3 FTEventService;FTEVTBDG;c:\program files\Promise Technology, Inc\Promise Array Management\FTEVTBDG.sys [12/19/2005 1:23 AM 3873]

R3 ProxyHostInputFilter;Proxy Host Input Filter;c:\windows\system32\drivers\ph32ifil.sys [4/25/2005 12:55 PM 13328]

S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]

S2 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe [10/4/2004 5:47 AM 98304]

S3 ProxyHostHIDFilter;Proxy Host HID Filter;c:\windows\system32\drivers\ph32ihid.sys [4/25/2005 12:55 PM 14736]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

.

Contents of the 'Scheduled Tasks' folder

2010-05-31 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-06-06 c:\windows\Tasks\ParetoLogic Registration.job

- c:\program files\Common Files\ParetoLogic\UUS2\UUS.dll [2008-02-22 17:25]

2010-06-09 c:\windows\Tasks\ParetoLogic Update Version2.job

- c:\program files\Common Files\ParetoLogic\UUS2\Pareto_Update.exe [2008-02-22 17:25]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.coasttocoastam.com/shows/2009/08/01

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

mSearch Bar = hxxp://go.compaq.com/1Q00CDT/0409/bl8.asp

uInternet Settings,ProxyOverride = <local>

uSearchURL,(Default) = hxxp://www.google.com/keyword/%s

IE: Download all by NetXfer - c:\program files\Xi\NetXfer\NXAddList.html

IE: Download by NetXfer - c:\program files\Xi\NetXfer\NXAddLink.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

IE: Sothink SWF Catcher - c:\program files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-06-10 13:36

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1893879213-397398424-1457653958-1005\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{EED80E61-38D4-693F-2531-13C8946D43FE}*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(784)

c:\program files\SUPERAntiSpyware\SASWINLO.DLL

c:\windows\system32\WININET.dll

c:\windows\system32\Ati2evxx.dll

c:\windows\system32\NavLogon.dll

- - - - - - - > 'explorer.exe'(252)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

Completion time: 2010-06-10 13:38:30

ComboFix-quarantined-files.txt 2010-06-10 17:38

ComboFix2.txt 2010-06-10 15:48

ComboFix3.txt 2010-06-10 13:56

ComboFix4.txt 2010-06-09 14:21

ComboFix5.txt 2010-06-10 16:27

Pre-Run: 10,297,065,472 bytes free

Post-Run: 10,259,484,672 bytes free

- - End Of File - - 31108C49EE532F3174BCBFF17709B0B7

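A ComboFix report is long, and the "Reg Loading Points" and service lines are where a persistence mechanism shows up, so they are worth screening with the same two questions a helper asks by hand: does the image live somewhere an unprivileged user can write, and does the image exist at all. The Python below is an added example, not part of this thread or of ComboFix; it parses the two line shapes used in the report above (Run-key entries of the form "Name"="path" [date size], and service lines of the form R0 name;display;path [meta], which ComboFix renders with --> and [?] when it cannot find the file, as for Lbd above) and applies those two rules. The sample embeds lines copied from the report plus one constructed Run entry ("updater") that is not in the report, included only so the user-writable rule has something to fire on; the reason codes are the example's own.

```python
import re

# Constructed sample: lines copied from the ComboFix report above, plus one
# invented Run entry ("updater") that is NOT in the report, added only so the
# user-writable-path rule fires on something.
SAMPLE_REPORT = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MoneyAgent"="c:\program files\Microsoft Money\System\Money Express.exe" [2001-07-25 184376]
"NetXfer"="c:\program files\Xi\NetXfer\NetTransport.exe" [2010-04-24 1853952]
"updater"="c:\documents and settings\djdonohu\Application Data\updater.exe" [2010-06-01 40960]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
R0 dontgo;Promise Removable Disk Control Driver;c:\windows\system32\drivers\dontgo.sys [2/15/2005 4:22 PM 7680]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
"""

# "Name"="path" [YYYY-MM-DD size]; the bracket is absent when no file was found.
RUN_RE = re.compile(
    r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"(?: \[(?P<date>\d{4}-\d{2}-\d{2}) (?P<size>\d+)\])?$')
# R0 name;display;path [meta]   or   S0 name;display;path --> path [?]
SVC_RE = re.compile(
    r'^(?P<start>[RS][0-4]) (?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+?)'
    r'(?: --> (?P<resolved>.+?))? \[(?P<meta>[^\]]*)\]$')

# Directory fragments an unprivileged user (or malware running as one) can write to.
USER_WRITABLE = ("\\documents and settings\\", "\\users\\", "\\programdata\\", "\\temp\\")


def parse_autostarts(report_text):
    """Yield ('run'|'service', name, image path, meta) for every autostart line.

    meta is the Run entry's date (None if ComboFix found no file) or the
    service line's bracket text ('?' when the image file is missing)."""
    for raw in report_text.splitlines():
        line = raw.strip()
        if m := RUN_RE.match(line):
            yield "run", m["name"], m["path"], m["date"]
        elif m := SVC_RE.match(line):
            yield "service", m["name"], m["resolved"] or m["path"], m["meta"]


def triage(report_text):
    """Return [(name, reason)] for entries to explain before calling the box clean."""
    findings = []
    for kind, name, path, meta in parse_autostarts(report_text):
        if (kind == "run" and meta is None) or (kind == "service" and meta == "?"):
            findings.append((name, "image_missing"))
        if any(seg in path.lower() for seg in USER_WRITABLE):
            findings.append((name, "user_writable_path"))
    return findings


if __name__ == "__main__":
    for name, reason in triage(SAMPLE_REPORT):
        print(f"{reason:20} {name}")
```

On the sample it flags the constructed "updater" entry for its profile path and Lbd for its missing image. A missing image can be a leftover from an uninstalled product just as easily as a driver deleted out from under its service entry; the rule does not decide which, it only makes sure the entry gets looked at rather than scrolled past.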

I see no annoying debugging messages, and Google works fine. Yay!

As for Avenger, when I unzipped it there was nothing in the zip file but the exe. It did not create a folder on the desktop. There is a c:\avenger folder since it ran that contains a backup.zip. Is that what you want? Also, what do I do about the submission to BleepingComputer that I couldn't do before?


These are the last steps.

Step 1

  • Go to Start > Run, and copy and paste the following command into the field:

ComboFix /uninstall

Make sure there's a space between ComboFix and the /.

Then hit Enter.

This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Step 2

To re-enable CD Emulation programs using DeFogger, please perform these steps:

  1. Please download DeFogger to your desktop.
  2. Once downloaded, double-click on the DeFogger icon to start the tool.
  3. The application window will now appear. You should now click on the Enable button to enable your CD Emulation drivers
  4. When it prompts you whether or not you want to continue, please click on the Yes button to continue
  5. When the program has completed you will see a Finished! message. Click on the OK button to exit the program.
  6. If CD Emulation programs are present and have been enabled, DeFogger will now ask you to reboot the machine. Please allow it to do so by clicking on the OK button.

Step 3

Please manually delete Defogger, TDSSKiller, JavaRa and The Avenger.

Step 4

Please download and install the latest version of Adobe Reader from:

www.adobe.com

About Java:

www.java.com/en

Step 5

Please contact ESET Technical Support and let them know about your BSOD.

http://www.eset.com/support/contact#home

They will tell you what to do. Give them all the information.

Step 6

Some malware preventions:

http://miekiemoes.blogspot.com/2008/02/how...nt-malware.html

Safe surfing! :)

