Jump to content

Google Redirect Script - I give up!


Recommended Posts

Okay, so I've always prided myself on avoiding or getting rid of viruses, but I'm at my wits end with this one.

Briefly, I had an older version of Norton that crapped out on me and I didn't realize it for about two weeks. I figured it out when I got a fake virus infection message from some malware suite. I got rid of that with MBAM pretty quickly. I also upgraded my AV protection to something stronger and chose ESET NOD32. That went fine, but I still have a symptom that neither MBAM or ESET can detect or fix. I also tried Hit Man, SuperAntiSpyware, a few rootkit scanners and other things I can't even recall at this point.

Like other posts I see, any link I click on in a Google search list sends me to some random site. Addresses I type out are fine. I know it's some sort of rogue java script because I frequently also get a Just-In-Time Debugging message asking me if I want to debug the script (even when I'm just sitting on google and no script should be running). If I say yes, the script editor opens and I can actually see the script code, which usually claims to be from some random IP address in the Netherlands or a site like golfdigest.com that I would have never visited in a million years. About half the time, ESET blocks the script from contacting the bad site, so that's an improvement.

I'm pasting the DDS log and attaching the BMAM and Attach logs. I'm having trouble with GMER - after running for about 4 hours it blue screen'ed me, which is very odd, probably the first time I've seen that on this PC. I'm going to try running it again after this post, but I figured I'd get this to you to get things moving in the meantime.

Help! Thanks in advance.

DDS (Ver_10-03-17.01) - NTFSx86

Run by djdonohu at 15:50:26.29 on Wed 06/09/2010

Internet Explorer: 7.0.5730.13

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2559.1990 [GMT -4:00]

AV: ESET NOD32 Antivirus 4.2 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\Ati2evxx.exe

svchost.exe

C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

C:\Program Files\Flip Video\FlipShare\FlipShareService.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\Explorer.EXE

C:\Program Files\PDF Complete\pdfsty.exe

C:\WINDOWS\system32\taskswitch.exe

C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

C:\WINDOWS\system32\hphmon04.exe

C:\Program Files\Roxio\Easy Media Creator 8\Drag to Disc\DrgToDsc.exe

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe

C:\Program Files\Funk Software\Proxy Host\phtray.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\PDF Complete\pdfsaver.exe

C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe

C:\Program Files\Funk Software\Proxy Host\phsvc.exe

C:\Program Files\TiVo\Desktop\TranscodingService.exe

C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE

C:\Program Files\TiVo\Desktop\TiVoNotify.exe

C:\Program Files\Promise Technology, Inc\Promise Array Management\MsgAgt.exe

C:\Program Files\TiVo\Desktop\TiVoServer.exe

C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe

C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe

C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Common Files\Roxio Shared\SharedCOM8\CPSHelpRunner.exe

C:\Program Files\ATI Technologies\ATI.ACE\cli.exe

C:\Program Files\ATI Technologies\ATI.ACE\cli.exe

C:\Documents and Settings\djdonohu\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.coasttocoastam.com/shows/2009/08/01

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

mSearch Bar = hxxp://go.compaq.com/1Q00CDT/0409/bl8.asp

uInternet Settings,ProxyOverride = <local>

uSearchURL,(Default) = hxxp://www.google.com/keyword/%s

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll

BHO: NXIECatcher Class: {83b80a9c-d91a-4f22-8dcf-ea7204039f79} - c:\program files\xi\netxfer\NXIEHelper.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

BHO: {fdd3b846-8d59-4ffb-8758-209b6ad74acc} - c:\program files\microsoft money\system\mnyviewer.dll

TB: NetXfer: {c16cbaac-a75c-4db5-a0dd-cdf5cafcdd3a} - c:\program files\xi\netxfer\NXToolBar.dll

uRun: [MoneyAgent] "c:\program files\microsoft money\system\Money Express.exe"

uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1

uRun: [NetXfer] "c:\program files\xi\netxfer\NetTransport.exe"

uRun: [TranscodingService] "c:\program files\tivo\desktop\TranscodingService.exe" /auto

uRun: [TivoNotify] "c:\program files\tivo\desktop\TiVoNotify.exe" /service /registry /auto:TivoNotify

uRun: [TivoServer] "c:\program files\tivo\desktop\TiVoServer.exe" /service /registry /auto:TivoServer

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [PDF Complete] "c:\program files\pdf complete\pdfsty.exe"

mRun: [setRefresh] c:\program files\compaq\setrefresh\\SetRefresh.exe

mRun: [MoneyStartUp10.0] "c:\program files\microsoft money\system\Activation.exe"

mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.0\apps\apdproxy.exe"

mRun: [CoolSwitch] c:\windows\system32\taskswitch.exe

mRun: [igfxtray] c:\windows\system32\igfxtray.exe

mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe

mRun: [igfxpers] c:\windows\system32\igfxpers.exe

mRun: [share-to-Web Namespace Daemon] c:\program files\hewlett-packard\hp share-to-web\hpgs2wnd.exe

mRun: [HPHmon04] c:\windows\system32\hphmon04.exe

mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe

mRun: [RoxioDragToDisc] "c:\program files\roxio\easy media creator 8\drag to disc\DrgToDsc.exe"

mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\sharedcom8\RoxWatchTray.exe"

mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\CLIStart.exe"

mRun: [ProxyHostTrayIcon] "c:\program files\funk software\proxy host\phtray.exe"

mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe

mRun: [NapsterShell] c:\program files\napster\napster.exe /systray

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [QuickTime Task] "c:\program files\quicktime alternative\qttask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice

StartupFolder: c:\docume~1\djdonohu\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office11\ONENOTEM.EXE

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office11\ONENOTEM.EXE

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe

IE: Download all by NetXfer - c:\program files\xi\netxfer\NXAddList.html

IE: Download by NetXfer - c:\program files\xi\netxfer\NXAddLink.html

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000

IE: Sothink SWF Catcher - c:\program files\common files\sourcetec\swf catcher\InternetExplorer.htm

IE: {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - c:\program files\common files\sourcetec\swf catcher\InternetExplorer.htm

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

IE: {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - {301DA1EE-F65C-4188-A417-9E915CC8FBFA} - c:\program files\microsoft money\system\mnyviewer.dll

DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab

DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} - hxxp://h20270.www2.hp.com/ediags/gmn/install/hpobjinstaller_gmn.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1133082166688

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1133127964546

DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} - hxxp://secure2.comned.com/signuptemplates/securelogin-devel.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} - hxxp://h30155.www3.hp.com/ediags/dd/install/guidedsolutions.cab

DPF: {A796D216-2DE1-4EA8-BABB-FE6E7C959098} - hxxp://www.hp.com/cpso-support-new/SDD/hpsddObjSigned.cab

DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} - hxxps://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx

DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} - hxxp://www.photodex.com/pxplay.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL

Notify: AtiExtEvent - Ati2evxx.dll

Notify: igfxcui - igfxdev.dll

Notify: NavLogon - c:\windows\system32\NavLogon.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R0 dontgo;Promise Removable Disk Control Driver;c:\windows\system32\drivers\dontgo.sys [2005-2-15 7680]

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2010-3-29 114984]

R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2010-3-29 95872]

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]

R2 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\adobe\photoshop elements 3.0\PhotoshopElementsFileAgent.exe [2004-10-4 98304]

R2 ekrn;ESET Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2010-3-29 810120]

R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2009-10-20 50704]

R3 FTEventService;FTEVTBDG;c:\program files\promise technology, inc\promise array management\FTEVTBDG.sys [2005-12-19 3873]

R3 ProxyHostInputFilter;Proxy Host Input Filter;c:\windows\system32\drivers\ph32ifil.sys [2005-4-25 13328]

S0 Lbd;Lbd;c:\windows\system32\drivers\lbd.sys --> c:\windows\system32\drivers\Lbd.sys [?]

S2 yhdjmscdaloaxux;yhdjmscdaloaxux;\??\c:\windows\system32\drivers\awcrthnlcx.sys --> c:\windows\system32\drivers\awcrthnlcx.sys [?]

S3 ProxyHostHIDFilter;Proxy Host HID Filter;c:\windows\system32\drivers\ph32ihid.sys [2005-4-25 14736]

=============== Created Last 30 ================

2010-06-09 15:01:25 0 ----a-w- c:\documents and settings\djdonohu\defogger_reenable

2010-06-09 13:48:36 0 d-sha-r- C:\cmdcons

2010-06-09 13:44:48 77312 ----a-w- c:\windows\MBR.exe

2010-06-08 20:26:31 0 d-----w- c:\docume~1\djdonohu\applic~1\SUPERAntiSpyware.com

2010-06-08 20:26:31 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com

2010-06-08 20:26:18 0 d-----w- c:\program files\SUPERAntiSpyware

2010-06-08 19:54:51 12872 ----a-w- c:\windows\system32\bootdelete.exe

2010-06-08 15:49:34 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys

2010-06-08 15:49:16 0 d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro

2010-06-08 15:49:13 0 d-----w- c:\program files\Hitman Pro 3.5

2010-06-08 15:32:17 0 d-----w- c:\docume~1\alluse~1\applic~1\SecTaskMan

2010-06-08 14:37:52 0 d-----w- c:\program files\ESET

2010-05-30 15:33:46 1015 ----a-r- C:\logFile.xsl

2010-05-30 15:32:22 0 d-----w- c:\program files\Flip Video

==================== Find3M ====================

2010-05-08 20:30:07 237568 ----a-w- c:\windows\system32\rmc_rtspdl.dll

2010-05-08 20:30:07 156672 ----a-w- c:\windows\system32\rmc_fixasf.exe

2010-04-29 19:39:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-04-29 19:39:26 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-04-26 19:58:12 256512 ----a-w- c:\windows\PEV.exe

2010-04-12 21:29:19 411368 ----a-w- c:\windows\system32\deployJava1.dll

2010-04-08 17:20:02 91424 ----a-w- c:\windows\system32\dnssd.dll

2010-04-08 17:20:02 107808 ----a-w- c:\windows\system32\dns-sd.exe

2009-12-25 06:35:53 30 ----a-w- c:\program files\Exiferupdate.ini

2008-09-15 03:55:53 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008091420080915\index.dat

============= FINISH: 15:52:38.70 ===============

Attach.zip

mbam_log_2010_06_08__16_07_24_.txt

Link to post
Share on other sites

Hello PullingMyHairOut! Welcome to MalwareBytes' Anti-Malware Forums!

My name is Borislav and I will be glad to help you solve your problems with malware. Before we begin, please note the following:

  • The process of cleaning your system may take some time, so please be patient.
  • Follow my instructions step by step if there is a problem somewhere, stop and tell me I then I'll tell you what to do.
  • Stay with the topic until I tell you that your system is clean. Missing symptoms does not mean that everything is okay.
  • Instructions that I give are for your system only!
  • If you don't know or can't understand something please ask.
  • Do not install or uninstall any software or hardware, while work on.
  • Keep me informed of any changes.

Step 1

Please, uninstall the following applications:

  1. Adobe Reader 7.0.8

You can read, how to this here:

Step 2

Please go into the Control Panel, Add/Remove and for now remove ALL versions of JAVA

Then run this tool to help cleanup any left over Java

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please download JavaRa and unzip it to your desktop.

***Please close any instances of Internet Explorer (or other web browser) before continuing!***

  • Double-click on JavaRa.exe to start the program.
  • From the drop-down menu, choose English and click on Select.
  • JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
  • Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
  • A logfile will pop up. Please save it to a convenient location and post it back when you reply
    Then look for the following Java folders and if found delete them.
    C:\Program Files\Java
    C:\Program Files\Common Files\Java
    C:\Windows\Sun
    C:\Documents and Settings\All Users\Application Data\Java
    C:\Documents and Settings\All Users\Application Data\Sun\Java
    C:\Documents and Settings\username\Application Data\Java
    C:\Documents and Settings\username\Application Data\Sun\Java

Step 3

**Note: If you need more detailed information, please visit the web page of ComboFix in BleepingComputer. **

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper.

Please download ComboFix from

Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

  1. If you are using Firefox, make sure that your download settings are as follows:
    • Open Tools -> Options -> Main tab
    • Set to Always ask me where to Save the files.

[*]During the download, rename Combofix to Combo-Fix as follows:

CF_download_FF.gif

CF_download_rename.gif

[*]It is important you rename Combofix during the download, but not after.

[*]Please do not rename Combofix to other names, but only to the one indicated.

[*]Close any open browsers.

[*]Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause unpredictable results.
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

    -----------------------------------------------------------


  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

-----------------------------------------------------------

[*]Double click on combo-Fix.exe & follow the prompts.

[*]When finished, it will produce a report for you.

[*]Please post the C:\Combo-Fix.txt for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

In your next reply, please include these log(s) in this sequence:

  1. JavaRa log
  2. ComboFix log

Link to post
Share on other sites

Okay, I've done all that, took a few hours. When removing Java, I assumed that you also meant J2SE. I basically removed everything with a coffee cup icon. JavaRa failed the first time I ran it, but was okay the second time. ESET didn't seem to be running any more after ComboFix was done (it had required a restart due to rootkit) but came back up when I restarted again.

JavaRa 1.15 Removal Log.

Report follows after line.

------------------------------------

The JavaRa removal process was started on Thu Jun 10 09:18:19 2010

Found and removed: C:\Documents and Settings\djdonohu\Application Data\Sun\Java\jre1.6.0_11

Found and removed: C:\Documents and Settings\djdonohu\Application Data\Sun\Java\jre1.6.0_12

Found and removed: C:\Documents and Settings\djdonohu\Application Data\Sun\Java\jre1.6.0_13

Found and removed: C:\Documents and Settings\djdonohu\Application Data\Sun\Java\jre1.6.0_14

Found and removed: C:\Documents and Settings\djdonohu\Application Data\Sun\Java\jre1.6.0_15

Found and removed: C:\Documents and Settings\djdonohu\Application Data\Sun\Java\jre1.6.0_19

Found and removed: Software\JavaSoft\Java2D\1.5.0_06

Found and removed: Software\JavaSoft\Java2D\1.5.0_09

Found and removed: Software\JavaSoft\Java2D\1.5.0_10

Found and removed: Software\JavaSoft\Java2D\1.5.0_11

Found and removed: SOFTWARE\Classes\JavaPlugin.150_06

Found and removed: SOFTWARE\Classes\JavaPlugin.150_09

Found and removed: SOFTWARE\Classes\JavaPlugin.150_10

Found and removed: SOFTWARE\Classes\JavaWebStart.isInstalled.1.5.0.0

Found and removed: SOFTWARE\Classes\JavaPlugin.142_03

Found and removed: Software\Classes\JavaPlugin.160_01

JavaRa 1.15 Removal Log.

Report follows after line.

------------------------------------

The JavaRa removal process was started on Thu Jun 10 09:19:16 2010

------------------------------------

Finished reporting.

ComboFix 10-06-09.02 - djdonohu 06/10/2010 9:40.3.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2559.2124 [GMT -4:00]

Running from: c:\documents and settings\djdonohu\Desktop\Combo-Fix.exe

AV: ESET NOD32 Antivirus 4.2 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

Infected copy of c:\windows\system32\drivers\rdpcdd.sys was found and disinfected

Restored copy from - Kitty had a snack ;)

.

((((((((((((((((((((((((( Files Created from 2010-05-10 to 2010-06-10 )))))))))))))))))))))))))))))))

.

2010-06-10 06:18 . 2010-06-10 06:18 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ESET

2010-06-08 20:27 . 2010-06-08 20:27 63488 ----a-w- c:\documents and settings\djdonohu\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll

2010-06-08 20:27 . 2010-06-08 20:27 52224 ----a-w- c:\documents and settings\djdonohu\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll

2010-06-08 20:27 . 2010-06-08 20:27 117760 ----a-w- c:\documents and settings\djdonohu\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

2010-06-08 20:26 . 2010-06-08 20:26 -------- d-----w- c:\documents and settings\djdonohu\Application Data\SUPERAntiSpyware.com

2010-06-08 20:26 . 2010-06-08 20:26 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2010-06-08 20:26 . 2010-06-08 20:26 -------- d-----w- c:\program files\SUPERAntiSpyware

2010-06-08 19:54 . 2010-06-08 19:54 12872 ----a-w- c:\windows\system32\bootdelete.exe

2010-06-08 16:48 . 2010-06-08 16:48 -------- d-----w- c:\documents and settings\djdonohu\Local Settings\Application Data\ESET

2010-06-08 15:49 . 2010-06-08 20:15 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys

2010-06-08 15:49 . 2010-06-08 19:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro

2010-06-08 15:49 . 2010-06-08 15:49 -------- d-----w- c:\program files\Hitman Pro 3.5

2010-06-08 14:37 . 2010-06-08 14:37 -------- d-----w- c:\program files\ESET

2010-06-08 14:37 . 2010-06-08 14:37 -------- d-----w- c:\documents and settings\All Users\Application Data\ESET

2010-05-30 15:32 . 2010-05-30 15:32 -------- d-----w- c:\program files\Flip Video

2010-05-14 16:38 . 2010-05-14 16:38 4732800 ----a-w- c:\documents and settings\All Users\Application Data\Flip Video\FlipShare\Updates\FirmwareExec_Windows_en-US_83.06_83.07\FlipVideoFWUpdate.exe

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-06-09 13:29 . 2010-06-08 15:32 -------- d-----w- c:\documents and settings\All Users\Application Data\SecTaskMan

2010-06-08 14:04 . 2005-11-27 08:59 -------- d-----w- c:\program files\Symantec

2010-06-08 02:04 . 2006-10-09 19:39 664 ----a-w- c:\windows\system32\d3d9caps.dat

2010-06-04 17:22 . 2009-03-15 18:36 -------- d-----w- c:\program files\Microsoft Silverlight

2010-06-04 17:22 . 2009-02-09 02:38 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-05-14 01:52 . 2007-04-08 21:03 -------- d-----w- c:\documents and settings\djdonohu\Application Data\VideoReDoPlus

2010-05-14 01:39 . 2007-04-08 21:04 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2010-05-13 00:28 . 2005-12-23 03:55 -------- d-----w- c:\program files\Common Files\Real

2010-05-13 00:23 . 2010-05-08 20:29 -------- d-----w- c:\program files\Replay Media Catcher

2010-05-09 01:47 . 2010-05-09 01:17 20854256 ----a-w- c:\documents and settings\djdonohu\Application Data\Real\Update\setup3.10\rp\RealPlayerSPGold.exe

2010-05-08 20:30 . 2010-05-08 20:30 237568 ----a-w- c:\windows\system32\rmc_rtspdl.dll

2010-05-08 20:30 . 2010-05-08 20:30 156672 ----a-w- c:\windows\system32\rmc_fixasf.exe

2010-05-08 19:42 . 2008-07-08 19:33 -------- d-----w- c:\program files\URLSnooper2

2010-05-08 18:48 . 2008-07-08 19:33 -------- d-----w- c:\program files\WinPcap

2010-05-04 05:25 . 2010-05-04 05:24 -------- d-----w- c:\program files\iTunes

2010-05-04 05:24 . 2010-05-04 05:24 -------- d-----w- c:\program files\iPod

2010-05-04 05:24 . 2007-07-01 03:49 -------- d-----w- c:\program files\Common Files\Apple

2010-05-04 05:19 . 2010-03-03 09:17 439816 ----a-w- c:\documents and settings\djdonohu\Application Data\Real\Update\setup3.10\setup.exe

2010-05-04 05:13 . 2010-05-04 05:13 -------- d-----w- c:\program files\Bonjour

2010-05-04 04:26 . 2010-05-04 04:26 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.1.12\SetupAdmin.exe

2010-05-02 01:17 . 2010-05-02 01:17 13407072 ----a-w- c:\documents and settings\djdonohu\Application Data\Real\Update\setup3.10\chr\ChromeInstaller.exe

2010-04-29 19:39 . 2009-06-18 21:27 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-04-29 19:39 . 2009-06-18 21:27 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-04-12 21:29 . 2010-04-17 21:42 411368 ----a-w- c:\windows\system32\deployJava1.dll

2010-04-08 17:20 . 2010-04-08 17:20 91424 ----a-w- c:\windows\system32\dnssd.dll

2010-04-08 17:20 . 2010-04-08 17:20 107808 ----a-w- c:\windows\system32\dns-sd.exe

2010-03-29 21:13 . 2010-03-29 21:13 95872 ----a-w- c:\windows\system32\drivers\epfwtdir.sys

2010-03-29 21:12 . 2010-03-29 21:12 114984 ----a-w- c:\windows\system32\drivers\ehdrv.sys

2010-03-29 21:07 . 2010-03-29 21:07 140216 ----a-w- c:\windows\system32\drivers\eamon.sys

2009-12-25 06:35 . 2009-12-25 06:35 30 ----a-w- c:\program files\Exiferupdate.ini

.

((((((((((((((((((((((((((((( SnapShot_2010-06-09_14.13.48 )))))))))))))))))))))))))))))))))))))))))

.

+ 2010-06-10 13:37 . 2010-06-10 13:37 16384 c:\windows\Temp\Perflib_Perfdata_898.dat

+ 2004-08-09 20:44 . 2010-06-10 13:42 71904 c:\windows\system32\perfc009.dat

- 2004-08-09 20:44 . 2010-06-09 14:14 71904 c:\windows\system32\perfc009.dat

+ 2004-08-09 20:44 . 2010-06-10 13:42 444028 c:\windows\system32\perfh009.dat

- 2004-08-09 20:44 . 2010-06-09 14:14 444028 c:\windows\system32\perfh009.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MoneyAgent"="c:\program files\Microsoft Money\System\Money Express.exe" [2001-07-25 184376]

"NetXfer"="c:\program files\Xi\NetXfer\NetTransport.exe" [2010-04-24 1853952]

"TranscodingService"="c:\program files\TiVo\Desktop\TranscodingService.exe" [2009-01-27 520192]

"TivoNotify"="c:\program files\TiVo\Desktop\TiVoNotify.exe" [2009-01-27 425472]

"TivoServer"="c:\program files\TiVo\Desktop\TiVoServer.exe" [2009-01-27 2143232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"PDF Complete"="c:\program files\PDF Complete\pdfsty.exe" [2006-01-04 219648]

"SetRefresh"="c:\program files\COMPAQ\SetRefresh\\SetRefresh.exe" [2003-11-20 525824]

"MoneyStartUp10.0"="c:\program files\Microsoft Money\System\Activation.exe" [2001-07-25 241714]

"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 57344]

"CoolSwitch"="c:\windows\system32\taskswitch.exe" [2002-03-19 45632]

"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]

"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]

"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]

"Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 69632]

"HPHmon04"="c:\windows\system32\hphmon04.exe" [2002-11-22 348160]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-02-02 339968]

"RoxioDragToDisc"="c:\program files\Roxio\Easy Media Creator 8\Drag to Disc\DrgToDsc.exe" [2005-10-21 1687552]

"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe" [2005-10-21 163840]

"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 90112]

"ProxyHostTrayIcon"="c:\program files\Funk Software\Proxy Host\phtray.exe" [2005-04-25 263184]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-03-17 47392]

"NapsterShell"="c:\program files\Napster\napster.exe" [2006-06-29 319488]

"QuickTime Task"="c:\program files\QuickTime Alternative\qttask.exe" [2010-03-18 421888]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]

"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2010-03-29 2145000]

c:\documents and settings\djdonohu\Start Menu\Programs\Startup\

Microsoft Office OneNote 2003 Quick Launch.lnk - c:\program files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2007-4-19 64864]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-10-4 113664]

Microsoft Office OneNote 2003 Quick Launch.lnk - c:\program files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2007-4-19 64864]

QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2005-12-8 811008]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\SIERRA\\SIGSPAT.EXE"=

"c:\\Program Files\\Intuit\\QuickBooks 2006\\QBDBMgrN.exe"=

"c:\\Program Files\\Xi\\NetXfer\\NetTransport.exe"=

"c:\\Program Files\\Microsoft Office\\OFFICE11\\FRONTPG.EXE"=

"c:\\Program Files\\Microsoft Office\\OFFICE11\\WINWORD.EXE"=

"c:\\Program Files\\GoldWave\\GoldWave.exe"=

"c:\\Program Files\\Roxio\\Easy Media Creator 8\\Creator Classic\\creator8.exe"=

"c:\\Program Files\\Common Files\\Roxio Shared\\SharedCom\\RoxUpnpRenderer.exe"=

"c:\\Program Files\\Funk Software\\Proxy Master\\Proxy.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Microsoft Money\\System\\urlmap.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Roxio\\Easy Media Creator 8\\Digital Home\\RoxUpnpServer.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"1505:TCP"= 1505:TCP:proxy

R0 dontgo;Promise Removable Disk Control Driver;c:\windows\system32\drivers\dontgo.sys [2/15/2005 4:22 PM 7680]

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [3/29/2010 5:12 PM 114984]

R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [3/29/2010 5:13 PM 95872]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 2:41 PM 67656]

R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [3/29/2010 5:12 PM 810120]

R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [10/20/2009 2:19 PM 50704]

R3 FTEventService;FTEVTBDG;c:\program files\Promise Technology, Inc\Promise Array Management\FTEVTBDG.sys [12/19/2005 1:23 AM 3873]

R3 ProxyHostInputFilter;Proxy Host Input Filter;c:\windows\system32\drivers\ph32ifil.sys [4/25/2005 12:55 PM 13328]

S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]

S2 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe [10/4/2004 5:47 AM 98304]

S2 yhdjmscdaloaxux;yhdjmscdaloaxux;\??\c:\windows\system32\drivers\awcrthnlcx.sys --> c:\windows\system32\drivers\awcrthnlcx.sys [?]

S3 ProxyHostHIDFilter;Proxy Host HID Filter;c:\windows\system32\drivers\ph32ihid.sys [4/25/2005 12:55 PM 14736]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

gcnvcugg

.

Contents of the 'Scheduled Tasks' folder

2010-05-31 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-06-06 c:\windows\Tasks\ParetoLogic Registration.job

- c:\program files\Common Files\ParetoLogic\UUS2\UUS.dll [2008-02-22 17:25]

2010-06-09 c:\windows\Tasks\ParetoLogic Update Version2.job

- c:\program files\Common Files\ParetoLogic\UUS2\Pareto_Update.exe [2008-02-22 17:25]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.coasttocoastam.com/shows/2009/08/01

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

mSearch Bar = hxxp://go.compaq.com/1Q00CDT/0409/bl8.asp

uInternet Settings,ProxyOverride = <local>

uSearchURL,(Default) = hxxp://www.google.com/keyword/%s

IE: Download all by NetXfer - c:\program files\Xi\NetXfer\NXAddList.html

IE: Download by NetXfer - c:\program files\Xi\NetXfer\NXAddLink.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

IE: Sothink SWF Catcher - c:\program files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm

.

- - - - ORPHANS REMOVED - - - -

HKCU-Run-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-06-10 09:51

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully

user: MBR read successfully

called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x89F8AEC5]<<

kernel: MBR read successfully

detected MBR rootkit hooks:

\Driver\Disk -> CLASSPNP.SYS @ 0xf763bf28

\Driver\ACPI -> ACPI.sys @ 0xf75aecb8

\Driver\atapi -> atapi.sys @ 0xf74a0852

IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805e710a

ParseProcedure -> ntoskrnl.exe @ 0x80578f7a

\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805e710a

ParseProcedure -> ntoskrnl.exe @ 0x80578f7a

NDIS: Broadcom NetXtreme Gigabit Ethernet -> SendCompleteHandler -> NDIS.sys @ 0xf7853bb0

PacketIndicateHandler -> NDIS.sys @ 0xf7860a21

SendHandler -> NDIS.sys @ 0xf783e87b

user & kernel MBR OK

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1893879213-397398424-1457653958-1005\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{EED80E61-38D4-693F-2531-13C8946D43FE}*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(800)

c:\windows\system32\WININET.dll

c:\program files\SUPERAntiSpyware\SASWINLO.DLL

c:\windows\system32\Ati2evxx.dll

c:\windows\system32\NavLogon.dll

- - - - - - - > 'lsass.exe'(860)

c:\windows\system32\WININET.dll

.

Completion time: 2010-06-10 09:56:11

ComboFix-quarantined-files.txt 2010-06-10 13:56

ComboFix2.txt 2010-06-09 14:21

ComboFix3.txt 2009-09-22 11:43

Pre-Run: 10,032,607,232 bytes free

Post-Run: 10,318,938,112 bytes free

- - End Of File - - 6791275959728A43B7601AA4AF47DBD5

Link to post
Share on other sites

Yes, it was a rootkit and yes, I know that the problem still presents. ;)

Please read the following through carefully so that you understand what to do.

  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  • Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK. (If Vista, click on the Vista Orb and copy and paste the following into the Search field. (make sure you include the quotation marks) Then press Ctrl+Shift+Enter.)
    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v
  • If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
  • It may ask you to reboot the computer to complete the process. Allow it to do so.
  • When it is done, a log file should be created on your C: drive called "TDSSKiller.txt" please copy and paste the contents of that file here.

Link to post
Share on other sites

Okay, didn't seem to find anything, but here it is.

10:28:29:906 3700 TDSS rootkit removing tool 2.3.2.0 May 31 2010 10:39:48

10:28:29:906 3700 ================================================================================

10:28:29:906 3700 SystemInfo:

10:28:29:906 3700 OS Version: 5.1.2600 ServicePack: 3.0

10:28:29:906 3700 Product type: Workstation

10:28:29:906 3700 ComputerName: BASEMENT

10:28:29:906 3700 UserName: djdonohu

10:28:29:906 3700 Windows directory: C:\WINDOWS

10:28:29:906 3700 Processor architecture: Intel x86

10:28:29:906 3700 Number of processors: 2

10:28:29:906 3700 Page size: 0x1000

10:28:29:906 3700 Boot type: Normal boot

10:28:29:906 3700 ================================================================================

10:28:31:562 3700 Initialize success

10:28:31:562 3700

10:28:31:562 3700 Scanning Services ...

10:28:32:046 3700 Raw services enum returned 402 services

10:28:32:062 3700

10:28:32:062 3700 Scanning Drivers ...

10:28:32:375 3700

10:28:32:375 3700 Completed

10:28:32:375 3700

10:28:32:375 3700 Results:

10:28:32:375 3700 Registry objects infected / cured / cured on reboot: 0 / 0 / 0

10:28:32:375 3700 File objects infected / cured / cured on reboot: 0 / 0 / 0

10:28:32:375 3700

10:28:32:375 3700 KLMD(ARK) unloaded successfully

Link to post
Share on other sites

Open Notepad and copy and paste the text in the code box below into it:

http://forums.malwarebytes.org/index.php?showtopic=53417

KillAll::

Collect::[8]
c:\windows\system32\drivers\awcrthnlcx.sys
c:\windows\system32\drivers\yhdjmscdaloaxux.sys

NetSvc::
gcnvcugg

Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

CFScriptB-4.gif

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply.

Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.

Link to post
Share on other sites

Okay, I said yes to the update, it downloaded and continued to run. Here's the log. The only thing I wasn't clear on was whether I should have run it again since I started it by dragging the CFScript file to it. I wasn't sure that the CFScript would still run after the update when ComboFix ran the new version automatically.

ComboFix 10-06-09.04 - djdonohu 06/10/2010 11:25:29.4.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2559.1972 [GMT -4:00]

Running from: c:\documents and settings\djdonohu\Desktop\Combo-Fix.exe

Command switches used :: c:\documents and settings\djdonohu\Desktop\CFScript.txt

AV: ESET NOD32 Antivirus 4.2 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

Infected copy of c:\windows\system32\drivers\rdpcdd.sys was found and disinfected

Restored copy from - Kitty had a snack ;)

.

((((((((((((((((((((((((( Files Created from 2010-05-10 to 2010-06-10 )))))))))))))))))))))))))))))))

.

2010-06-10 13:30 . 2010-06-10 13:56 -------- d-----w- C:\Combo-Fix

2010-06-10 06:18 . 2010-06-10 06:18 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ESET

2010-06-08 20:27 . 2010-06-08 20:27 63488 ----a-w- c:\documents and settings\djdonohu\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll

2010-06-08 20:27 . 2010-06-08 20:27 52224 ----a-w- c:\documents and settings\djdonohu\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll

2010-06-08 20:27 . 2010-06-08 20:27 117760 ----a-w- c:\documents and settings\djdonohu\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

2010-06-08 20:26 . 2010-06-08 20:26 -------- d-----w- c:\documents and settings\djdonohu\Application Data\SUPERAntiSpyware.com

2010-06-08 20:26 . 2010-06-08 20:26 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2010-06-08 20:26 . 2010-06-08 20:26 -------- d-----w- c:\program files\SUPERAntiSpyware

2010-06-08 19:54 . 2010-06-08 19:54 12872 ----a-w- c:\windows\system32\bootdelete.exe

2010-06-08 16:48 . 2010-06-08 16:48 -------- d-----w- c:\documents and settings\djdonohu\Local Settings\Application Data\ESET

2010-06-08 15:49 . 2010-06-08 20:15 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys

2010-06-08 15:49 . 2010-06-08 19:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro

2010-06-08 15:49 . 2010-06-08 15:49 -------- d-----w- c:\program files\Hitman Pro 3.5

2010-06-08 14:37 . 2010-06-08 14:37 -------- d-----w- c:\program files\ESET

2010-06-08 14:37 . 2010-06-08 14:37 -------- d-----w- c:\documents and settings\All Users\Application Data\ESET

2010-05-30 15:32 . 2010-05-30 15:32 -------- d-----w- c:\program files\Flip Video

2010-05-14 16:38 . 2010-05-14 16:38 4732800 ----a-w- c:\documents and settings\All Users\Application Data\Flip Video\FlipShare\Updates\FirmwareExec_Windows_en-US_83.06_83.07\FlipVideoFWUpdate.exe

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-06-10 15:24 . 2005-12-23 04:14 -------- d-----w- c:\documents and settings\djdonohu\Application Data\Apple Computer

2010-06-09 13:29 . 2010-06-08 15:32 -------- d-----w- c:\documents and settings\All Users\Application Data\SecTaskMan

2010-06-08 14:04 . 2005-11-27 08:59 -------- d-----w- c:\program files\Symantec

2010-06-08 02:04 . 2006-10-09 19:39 664 ----a-w- c:\windows\system32\d3d9caps.dat

2010-06-04 17:22 . 2009-03-15 18:36 -------- d-----w- c:\program files\Microsoft Silverlight

2010-06-04 17:22 . 2009-02-09 02:38 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-05-14 01:52 . 2007-04-08 21:03 -------- d-----w- c:\documents and settings\djdonohu\Application Data\VideoReDoPlus

2010-05-14 01:39 . 2007-04-08 21:04 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2010-05-13 00:28 . 2005-12-23 03:55 -------- d-----w- c:\program files\Common Files\Real

2010-05-13 00:23 . 2010-05-08 20:29 -------- d-----w- c:\program files\Replay Media Catcher

2010-05-09 01:47 . 2010-05-09 01:17 20854256 ----a-w- c:\documents and settings\djdonohu\Application Data\Real\Update\setup3.10\rp\RealPlayerSPGold.exe

2010-05-08 20:30 . 2010-05-08 20:30 237568 ----a-w- c:\windows\system32\rmc_rtspdl.dll

2010-05-08 20:30 . 2010-05-08 20:30 156672 ----a-w- c:\windows\system32\rmc_fixasf.exe

2010-05-08 19:42 . 2008-07-08 19:33 -------- d-----w- c:\program files\URLSnooper2

2010-05-08 18:48 . 2008-07-08 19:33 -------- d-----w- c:\program files\WinPcap

2010-05-04 05:25 . 2010-05-04 05:24 -------- d-----w- c:\program files\iTunes

2010-05-04 05:24 . 2010-05-04 05:24 -------- d-----w- c:\program files\iPod

2010-05-04 05:24 . 2007-07-01 03:49 -------- d-----w- c:\program files\Common Files\Apple

2010-05-04 05:19 . 2010-03-03 09:17 439816 ----a-w- c:\documents and settings\djdonohu\Application Data\Real\Update\setup3.10\setup.exe

2010-05-04 05:13 . 2010-05-04 05:13 -------- d-----w- c:\program files\Bonjour

2010-05-04 04:26 . 2010-05-04 04:26 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.1.12\SetupAdmin.exe

2010-05-02 01:17 . 2010-05-02 01:17 13407072 ----a-w- c:\documents and settings\djdonohu\Application Data\Real\Update\setup3.10\chr\ChromeInstaller.exe

2010-04-29 19:39 . 2009-06-18 21:27 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-04-29 19:39 . 2009-06-18 21:27 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-04-12 21:29 . 2010-04-17 21:42 411368 ----a-w- c:\windows\system32\deployJava1.dll

2010-04-08 17:20 . 2010-04-08 17:20 91424 ----a-w- c:\windows\system32\dnssd.dll

2010-04-08 17:20 . 2010-04-08 17:20 107808 ----a-w- c:\windows\system32\dns-sd.exe

2010-03-29 21:13 . 2010-03-29 21:13 95872 ----a-w- c:\windows\system32\drivers\epfwtdir.sys

2010-03-29 21:12 . 2010-03-29 21:12 114984 ----a-w- c:\windows\system32\drivers\ehdrv.sys

2010-03-29 21:07 . 2010-03-29 21:07 140216 ----a-w- c:\windows\system32\drivers\eamon.sys

2009-12-25 06:35 . 2009-12-25 06:35 30 ----a-w- c:\program files\Exiferupdate.ini

.

((((((((((((((((((((((((((((( SnapShot_2010-06-09_14.13.48 )))))))))))))))))))))))))))))))))))))))))

.

+ 2010-06-10 15:21 . 2010-06-10 15:21 16384 c:\windows\Temp\Perflib_Perfdata_8d4.dat

- 2010-06-09 13:53 . 2010-06-09 13:53 16384 c:\windows\Temp\Perflib_Perfdata_8d4.dat

+ 2010-06-10 15:38 . 2010-06-10 15:38 16384 c:\windows\Temp\Perflib_Perfdata_888.dat

+ 2004-08-09 20:44 . 2010-06-10 15:42 71904 c:\windows\system32\perfc009.dat

- 2004-08-09 20:44 . 2010-06-09 14:14 71904 c:\windows\system32\perfc009.dat

+ 2004-08-09 20:44 . 2010-06-10 15:42 444028 c:\windows\system32\perfh009.dat

- 2004-08-09 20:44 . 2010-06-09 14:14 444028 c:\windows\system32\perfh009.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MoneyAgent"="c:\program files\Microsoft Money\System\Money Express.exe" [2001-07-25 184376]

"NetXfer"="c:\program files\Xi\NetXfer\NetTransport.exe" [2010-04-24 1853952]

"TranscodingService"="c:\program files\TiVo\Desktop\TranscodingService.exe" [2009-01-27 520192]

"TivoNotify"="c:\program files\TiVo\Desktop\TiVoNotify.exe" [2009-01-27 425472]

"TivoServer"="c:\program files\TiVo\Desktop\TiVoServer.exe" [2009-01-27 2143232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"PDF Complete"="c:\program files\PDF Complete\pdfsty.exe" [2006-01-04 219648]

"SetRefresh"="c:\program files\COMPAQ\SetRefresh\\SetRefresh.exe" [2003-11-20 525824]

"MoneyStartUp10.0"="c:\program files\Microsoft Money\System\Activation.exe" [2001-07-25 241714]

"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 57344]

"CoolSwitch"="c:\windows\system32\taskswitch.exe" [2002-03-19 45632]

"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]

"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]

"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]

"Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 69632]

"HPHmon04"="c:\windows\system32\hphmon04.exe" [2002-11-22 348160]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-02-02 339968]

"RoxioDragToDisc"="c:\program files\Roxio\Easy Media Creator 8\Drag to Disc\DrgToDsc.exe" [2005-10-21 1687552]

"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe" [2005-10-21 163840]

"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 90112]

"ProxyHostTrayIcon"="c:\program files\Funk Software\Proxy Host\phtray.exe" [2005-04-25 263184]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-03-17 47392]

"NapsterShell"="c:\program files\Napster\napster.exe" [2006-06-29 319488]

"QuickTime Task"="c:\program files\QuickTime Alternative\qttask.exe" [2010-03-18 421888]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]

"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2010-03-29 2145000]

c:\documents and settings\djdonohu\Start Menu\Programs\Startup\

Microsoft Office OneNote 2003 Quick Launch.lnk - c:\program files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2007-4-19 64864]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-10-4 113664]

Microsoft Office OneNote 2003 Quick Launch.lnk - c:\program files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2007-4-19 64864]

QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2005-12-8 811008]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\SIERRA\\SIGSPAT.EXE"=

"c:\\Program Files\\Intuit\\QuickBooks 2006\\QBDBMgrN.exe"=

"c:\\Program Files\\Xi\\NetXfer\\NetTransport.exe"=

"c:\\Program Files\\Microsoft Office\\OFFICE11\\FRONTPG.EXE"=

"c:\\Program Files\\Microsoft Office\\OFFICE11\\WINWORD.EXE"=

"c:\\Program Files\\GoldWave\\GoldWave.exe"=

"c:\\Program Files\\Roxio\\Easy Media Creator 8\\Creator Classic\\creator8.exe"=

"c:\\Program Files\\Common Files\\Roxio Shared\\SharedCom\\RoxUpnpRenderer.exe"=

"c:\\Program Files\\Funk Software\\Proxy Master\\Proxy.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Microsoft Money\\System\\urlmap.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Roxio\\Easy Media Creator 8\\Digital Home\\RoxUpnpServer.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"1505:TCP"= 1505:TCP:proxy

R0 dontgo;Promise Removable Disk Control Driver;c:\windows\system32\drivers\dontgo.sys [2/15/2005 4:22 PM 7680]

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [3/29/2010 5:12 PM 114984]

R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [3/29/2010 5:13 PM 95872]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 2:41 PM 67656]

R2 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe [10/4/2004 5:47 AM 98304]

R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [3/29/2010 5:12 PM 810120]

R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [10/20/2009 2:19 PM 50704]

R3 FTEventService;FTEVTBDG;c:\program files\Promise Technology, Inc\Promise Array Management\FTEVTBDG.sys [12/19/2005 1:23 AM 3873]

R3 ProxyHostInputFilter;Proxy Host Input Filter;c:\windows\system32\drivers\ph32ifil.sys [4/25/2005 12:55 PM 13328]

S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]

S2 yhdjmscdaloaxux;yhdjmscdaloaxux;\??\c:\windows\system32\drivers\awcrthnlcx.sys --> c:\windows\system32\drivers\awcrthnlcx.sys [?]

S3 ProxyHostHIDFilter;Proxy Host HID Filter;c:\windows\system32\drivers\ph32ihid.sys [4/25/2005 12:55 PM 14736]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

.

Contents of the 'Scheduled Tasks' folder

2010-05-31 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-06-06 c:\windows\Tasks\ParetoLogic Registration.job

- c:\program files\Common Files\ParetoLogic\UUS2\UUS.dll [2008-02-22 17:25]

2010-06-09 c:\windows\Tasks\ParetoLogic Update Version2.job

- c:\program files\Common Files\ParetoLogic\UUS2\Pareto_Update.exe [2008-02-22 17:25]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.coasttocoastam.com/shows/2009/08/01

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

mSearch Bar = hxxp://go.compaq.com/1Q00CDT/0409/bl8.asp

uInternet Settings,ProxyOverride = <local>

uSearchURL,(Default) = hxxp://www.google.com/keyword/%s

IE: Download all by NetXfer - c:\program files\Xi\NetXfer\NXAddList.html

IE: Download by NetXfer - c:\program files\Xi\NetXfer\NXAddLink.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

IE: Sothink SWF Catcher - c:\program files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-06-10 11:38

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully

user: MBR read successfully

called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x89E96EC5]<<

kernel: MBR read successfully

detected MBR rootkit hooks:

\Driver\Disk -> CLASSPNP.SYS @ 0xf763bf28

\Driver\ACPI -> ACPI.sys @ 0xf75aecb8

\Driver\atapi -> atapi.sys @ 0xf74a0852

IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805e710a

ParseProcedure -> ntoskrnl.exe @ 0x80578f7a

\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805e710a

ParseProcedure -> ntoskrnl.exe @ 0x80578f7a

NDIS: Broadcom NetXtreme Gigabit Ethernet -> SendCompleteHandler -> NDIS.sys @ 0xf7853bb0

PacketIndicateHandler -> NDIS.sys @ 0xf7860a21

SendHandler -> NDIS.sys @ 0xf783e87b

user & kernel MBR OK

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1893879213-397398424-1457653958-1005\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{EED80E61-38D4-693F-2531-13C8946D43FE}*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(804)

c:\windows\system32\WININET.dll

c:\program files\SUPERAntiSpyware\SASWINLO.DLL

c:\windows\system32\Ati2evxx.dll

c:\windows\system32\NavLogon.dll

- - - - - - - > 'lsass.exe'(868)

c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(3392)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\WPDShServiceObj.dll

c:\program files\Roxio\Easy Media Creator 8\Drag to Disc\Shellex.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\Ati2evxx.exe

c:\windows\system32\Ati2evxx.exe

c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Flip Video\FlipShare\FlipShareService.exe

c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

c:\program files\Funk Software\Proxy Host\phsvc.exe

c:\program files\Promise Technology, Inc\Promise Array Management\MsgAgt.exe

c:\program files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe

c:\program files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe

c:\program files\Analog Devices\SoundMAX\SMAgent.exe

c:\windows\system32\wbem\unsecapp.exe

c:\program files\PDF Complete\pdfsaver.exe

c:\program files\ATI Technologies\ATI.ACE\CLI.EXE

c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe

c:\program files\iPod\bin\iPodService.exe

c:\program files\Common Files\Roxio Shared\SharedCOM8\CPSHelpRunner.exe

c:\program files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe

c:\program files\ATI Technologies\ATI.ACE\cli.exe

c:\program files\ATI Technologies\ATI.ACE\cli.exe

.

**************************************************************************

.

Completion time: 2010-06-10 11:48:26 - machine was rebooted

ComboFix-quarantined-files.txt 2010-06-10 15:48

ComboFix2.txt 2010-06-10 13:56

ComboFix3.txt 2010-06-09 14:21

ComboFix4.txt 2009-09-22 11:43

Pre-Run: 10,331,209,728 bytes free

Post-Run: 10,234,118,144 bytes free

- - End Of File - - 512C2A4B42265B4E63B3C7D99854EE98

Link to post
Share on other sites

It's working! :)

Step 1

  1. Please visit this website: Submit Malware Sample
  2. Against the inscription: "Link to topic where this file was requested:", insert links pointing to this topic in our forum.
  3. Against the inscription: "Browse to the file you want to submit:", click on the Choose... button.
  4. Navigate to the following file: C:\Qoobox\Quarantine\[8]-Submit_date_time.zip (date_time will be replaced with the date and time when this file was created)
  5. Against the inscription: "Leave any comments, further information about this file, or contact information:" should be written as follows:
    Sent at the request of Borislav.
  6. Once you're ready, click the Send File button.

Step 2

Open Notepad and copy and paste the text in the code box below into it:

KillAll::

TDL::
c:\windows\system32\drivers\rdpcdd.sys

Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

CFScriptB-4.gif

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply.

Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.

Link to post
Share on other sites

Okay, a few problems. First of all, it seems the problem of the missing CF quarantine file might be related to ESET antivirus. What's happening is that I disable it, then CF says it needs to reboot. But when it restarts, CF runs immediately, but the rest of the normal startup also occurs, while CF is still running, including the antivirus starting up. ESET is then interfering with the CF scan. I might be wrong, but it seems to me that the previous version of CF, before the update today, would run after the reboot but would just sit there on a blank desktop and not let the startup proceed until CF was finished.

Next, on the last step, when CF restarts on its own then prints the report, it failed. The restart happened, I think CF was starting up, then I got a blue screen. The only thing I could make out was the cause of it was eamon.sys, then it rebooted. CF did not restart this time, so no log file. Should I run it again? What about the AV?

Link to post
Share on other sites

I'll let you know when finish our work, how to help ESET to find the problem with BSOD.

Step 1

Uninstall your ESET NOD32 Antivirus.

Step 2

Please download The Avenger2 by Swandog46 to your Desktop.

  • Right click on the Avenger.zip folder and select "Extract All..."
  • Follow the prompts and extract the avenger folder to your desktop

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Drivers to disable:
yhdjmscdaloaxux
awcrthnlcx

Drivers to delete:
yhdjmscdaloaxux
awcrthnlcx

Files to delete:
c:\windows\system32\drivers\awcrthnlcx.sys
c:\windows\system32\drivers\yhdjmscdaloaxux.sys

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, open the avenger folder and start The Avenger program by clicking on its icon.

  • Right click on the window under Input script here:, and select Paste.
  • You can also Paste the text copied to the clipboard into this window by pressing (Ctrl+V), or click on the third button under the menu to paste it from the clipboard.
  • Click on Execute
  • Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:

[*]It will Restart your computer. ( In cases where the code to execute contains "Drivers to Delete" or "Drivers to Disable", The Avenger will actually restart your system twice.)

[*]On reboot, it will briefly open a black command window on your desktop, this is normal.

[*]After the restart, it creates a log file that should open with the results of Avenger

Link to post
Share on other sites

Okay, did that. Here the Avenger log. Your instructions said to include a Highjack This log, but we haven't run that before. Should I use something else I already have, or can you tell me where to find HJT?

Logfile of The Avenger Version 2.0, © by Swandog46

http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.

Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

No rootkits found!

Driver "yhdjmscdaloaxux" disabled successfully.

Error: could not open driver "awcrthnlcx"

Disablement of driver "awcrthnlcx" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Driver "yhdjmscdaloaxux" deleted successfully.

Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\awcrthnlcx" not found!

Deletion of driver "awcrthnlcx" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "c:\windows\system32\drivers\awcrthnlcx.sys" not found!

Deletion of file "c:\windows\system32\drivers\awcrthnlcx.sys" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "c:\windows\system32\drivers\yhdjmscdaloaxux.sys" not found!

Deletion of file "c:\windows\system32\drivers\yhdjmscdaloaxux.sys" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Completed script processing.

*******************

Finished! Terminate.

Link to post
Share on other sites

No, thanks! Sorry about that!

Please manually delete your copy of ComboFix and then:

**Note: If you need more detailed information, please visit the web page of ComboFix in BleepingComputer. **

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper.

Please download ComboFix from

Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

  1. If you are using Firefox, make sure that your download settings are as follows:
    • Open Tools -> Options -> Main tab
    • Set to Always ask me where to Save the files.

[*]During the download, rename Combofix to Combo-Fix as follows:

CF_download_FF.gif

CF_download_rename.gif

[*]It is important you rename Combofix during the download, but not after.

[*]Please do not rename Combofix to other names, but only to the one indicated.

[*]Close any open browsers.

[*]Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause unpredictable results.
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

    -----------------------------------------------------------


  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

-----------------------------------------------------------

[*]Double click on combo-Fix.exe & follow the prompts.

[*]When finished, it will produce a report for you.

[*]Please post the C:\Combo-Fix.txt for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

Link to post
Share on other sites

Ran without a problem this time. Thanks for all your help, BTW. What's next?

ComboFix 10-06-09.04 - djdonohu 06/10/2010 13:30:44.6.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2559.1972 [GMT -4:00]

Running from: c:\documents and settings\djdonohu\Desktop\Combo-Fix.exe

.

((((((((((((((((((((((((( Files Created from 2010-05-10 to 2010-06-10 )))))))))))))))))))))))))))))))

.

2010-06-10 13:30 . 2010-06-10 13:56 -------- d-----w- C:\Combo-Fix

2010-06-10 06:18 . 2010-06-10 06:18 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ESET

2010-06-08 20:27 . 2010-06-08 20:27 63488 ----a-w- c:\documents and settings\djdonohu\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll

2010-06-08 20:27 . 2010-06-08 20:27 52224 ----a-w- c:\documents and settings\djdonohu\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll

2010-06-08 20:27 . 2010-06-08 20:27 117760 ----a-w- c:\documents and settings\djdonohu\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

2010-06-08 20:26 . 2010-06-08 20:26 -------- d-----w- c:\documents and settings\djdonohu\Application Data\SUPERAntiSpyware.com

2010-06-08 20:26 . 2010-06-08 20:26 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2010-06-08 20:26 . 2010-06-08 20:26 -------- d-----w- c:\program files\SUPERAntiSpyware

2010-06-08 19:54 . 2010-06-08 19:54 12872 ----a-w- c:\windows\system32\bootdelete.exe

2010-06-08 16:48 . 2010-06-08 16:48 -------- d-----w- c:\documents and settings\djdonohu\Local Settings\Application Data\ESET

2010-06-08 15:49 . 2010-06-08 20:15 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys

2010-06-08 15:49 . 2010-06-08 19:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro

2010-06-08 15:49 . 2010-06-08 15:49 -------- d-----w- c:\program files\Hitman Pro 3.5

2010-05-30 15:32 . 2010-05-30 15:32 -------- d-----w- c:\program files\Flip Video

2010-05-14 16:38 . 2010-05-14 16:38 4732800 ----a-w- c:\documents and settings\All Users\Application Data\Flip Video\FlipShare\Updates\FirmwareExec_Windows_en-US_83.06_83.07\FlipVideoFWUpdate.exe

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-06-10 15:24 . 2005-12-23 04:14 -------- d-----w- c:\documents and settings\djdonohu\Application Data\Apple Computer

2010-06-09 13:29 . 2010-06-08 15:32 -------- d-----w- c:\documents and settings\All Users\Application Data\SecTaskMan

2010-06-08 14:04 . 2005-11-27 08:59 -------- d-----w- c:\program files\Symantec

2010-06-08 02:04 . 2006-10-09 19:39 664 ----a-w- c:\windows\system32\d3d9caps.dat

2010-06-04 17:22 . 2009-03-15 18:36 -------- d-----w- c:\program files\Microsoft Silverlight

2010-06-04 17:22 . 2009-02-09 02:38 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-05-14 01:52 . 2007-04-08 21:03 -------- d-----w- c:\documents and settings\djdonohu\Application Data\VideoReDoPlus

2010-05-14 01:39 . 2007-04-08 21:04 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2010-05-13 00:28 . 2005-12-23 03:55 -------- d-----w- c:\program files\Common Files\Real

2010-05-13 00:23 . 2010-05-08 20:29 -------- d-----w- c:\program files\Replay Media Catcher

2010-05-09 01:47 . 2010-05-09 01:17 20854256 ----a-w- c:\documents and settings\djdonohu\Application Data\Real\Update\setup3.10\rp\RealPlayerSPGold.exe

2010-05-08 20:30 . 2010-05-08 20:30 237568 ----a-w- c:\windows\system32\rmc_rtspdl.dll

2010-05-08 20:30 . 2010-05-08 20:30 156672 ----a-w- c:\windows\system32\rmc_fixasf.exe

2010-05-08 19:42 . 2008-07-08 19:33 -------- d-----w- c:\program files\URLSnooper2

2010-05-08 18:48 . 2008-07-08 19:33 -------- d-----w- c:\program files\WinPcap

2010-05-04 05:25 . 2010-05-04 05:24 -------- d-----w- c:\program files\iTunes

2010-05-04 05:24 . 2010-05-04 05:24 -------- d-----w- c:\program files\iPod

2010-05-04 05:24 . 2007-07-01 03:49 -------- d-----w- c:\program files\Common Files\Apple

2010-05-04 05:19 . 2010-03-03 09:17 439816 ----a-w- c:\documents and settings\djdonohu\Application Data\Real\Update\setup3.10\setup.exe

2010-05-04 05:13 . 2010-05-04 05:13 -------- d-----w- c:\program files\Bonjour

2010-05-04 04:26 . 2010-05-04 04:26 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.1.12\SetupAdmin.exe

2010-05-02 01:17 . 2010-05-02 01:17 13407072 ----a-w- c:\documents and settings\djdonohu\Application Data\Real\Update\setup3.10\chr\ChromeInstaller.exe

2010-04-29 19:39 . 2009-06-18 21:27 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-04-29 19:39 . 2009-06-18 21:27 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-04-12 21:29 . 2010-04-17 21:42 411368 ----a-w- c:\windows\system32\deployJava1.dll

2010-04-08 17:20 . 2010-04-08 17:20 91424 ----a-w- c:\windows\system32\dnssd.dll

2010-04-08 17:20 . 2010-04-08 17:20 107808 ----a-w- c:\windows\system32\dns-sd.exe

2009-12-25 06:35 . 2009-12-25 06:35 30 ----a-w- c:\program files\Exiferupdate.ini

.

((((((((((((((((((((((((((((( SnapShot_2010-06-09_14.13.48 )))))))))))))))))))))))))))))))))))))))))

.

+ 2010-06-10 17:15 . 2010-06-10 17:15 16384 c:\windows\Temp\Perflib_Perfdata_808.dat

+ 2004-08-09 20:44 . 2010-06-10 17:19 71904 c:\windows\system32\perfc009.dat

- 2004-08-09 20:44 . 2010-06-09 14:14 71904 c:\windows\system32\perfc009.dat

+ 2001-08-17 20:46 . 2001-08-17 20:46 4224 c:\windows\system32\dllcache\rdpcdd.sys

+ 2004-08-09 20:44 . 2010-06-10 17:19 444028 c:\windows\system32\perfh009.dat

- 2004-08-09 20:44 . 2010-06-09 14:14 444028 c:\windows\system32\perfh009.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MoneyAgent"="c:\program files\Microsoft Money\System\Money Express.exe" [2001-07-25 184376]

"NetXfer"="c:\program files\Xi\NetXfer\NetTransport.exe" [2010-04-24 1853952]

"TranscodingService"="c:\program files\TiVo\Desktop\TranscodingService.exe" [2009-01-27 520192]

"TivoNotify"="c:\program files\TiVo\Desktop\TiVoNotify.exe" [2009-01-27 425472]

"TivoServer"="c:\program files\TiVo\Desktop\TiVoServer.exe" [2009-01-27 2143232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"PDF Complete"="c:\program files\PDF Complete\pdfsty.exe" [2006-01-04 219648]

"SetRefresh"="c:\program files\COMPAQ\SetRefresh\\SetRefresh.exe" [2003-11-20 525824]

"MoneyStartUp10.0"="c:\program files\Microsoft Money\System\Activation.exe" [2001-07-25 241714]

"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 57344]

"CoolSwitch"="c:\windows\system32\taskswitch.exe" [2002-03-19 45632]

"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]

"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]

"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]

"Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 69632]

"HPHmon04"="c:\windows\system32\hphmon04.exe" [2002-11-22 348160]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-02-02 339968]

"RoxioDragToDisc"="c:\program files\Roxio\Easy Media Creator 8\Drag to Disc\DrgToDsc.exe" [2005-10-21 1687552]

"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe" [2005-10-21 163840]

"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 90112]

"ProxyHostTrayIcon"="c:\program files\Funk Software\Proxy Host\phtray.exe" [2005-04-25 263184]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-03-17 47392]

"NapsterShell"="c:\program files\Napster\napster.exe" [2006-06-29 319488]

"QuickTime Task"="c:\program files\QuickTime Alternative\qttask.exe" [2010-03-18 421888]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]

c:\documents and settings\djdonohu\Start Menu\Programs\Startup\

Microsoft Office OneNote 2003 Quick Launch.lnk - c:\program files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2007-4-19 64864]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-10-4 113664]

Microsoft Office OneNote 2003 Quick Launch.lnk - c:\program files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2007-4-19 64864]

QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2005-12-8 811008]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\SIERRA\\SIGSPAT.EXE"=

"c:\\Program Files\\Intuit\\QuickBooks 2006\\QBDBMgrN.exe"=

"c:\\Program Files\\Xi\\NetXfer\\NetTransport.exe"=

"c:\\Program Files\\Microsoft Office\\OFFICE11\\FRONTPG.EXE"=

"c:\\Program Files\\Microsoft Office\\OFFICE11\\WINWORD.EXE"=

"c:\\Program Files\\GoldWave\\GoldWave.exe"=

"c:\\Program Files\\Roxio\\Easy Media Creator 8\\Creator Classic\\creator8.exe"=

"c:\\Program Files\\Common Files\\Roxio Shared\\SharedCom\\RoxUpnpRenderer.exe"=

"c:\\Program Files\\Funk Software\\Proxy Master\\Proxy.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Microsoft Money\\System\\urlmap.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Roxio\\Easy Media Creator 8\\Digital Home\\RoxUpnpServer.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"1505:TCP"= 1505:TCP:proxy

R0 dontgo;Promise Removable Disk Control Driver;c:\windows\system32\drivers\dontgo.sys [2/15/2005 4:22 PM 7680]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 2:41 PM 67656]

R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [10/20/2009 2:19 PM 50704]

R3 FTEventService;FTEVTBDG;c:\program files\Promise Technology, Inc\Promise Array Management\FTEVTBDG.sys [12/19/2005 1:23 AM 3873]

R3 ProxyHostInputFilter;Proxy Host Input Filter;c:\windows\system32\drivers\ph32ifil.sys [4/25/2005 12:55 PM 13328]

S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]

S2 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe [10/4/2004 5:47 AM 98304]

S3 ProxyHostHIDFilter;Proxy Host HID Filter;c:\windows\system32\drivers\ph32ihid.sys [4/25/2005 12:55 PM 14736]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

.

Contents of the 'Scheduled Tasks' folder

2010-05-31 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-06-06 c:\windows\Tasks\ParetoLogic Registration.job

- c:\program files\Common Files\ParetoLogic\UUS2\UUS.dll [2008-02-22 17:25]

2010-06-09 c:\windows\Tasks\ParetoLogic Update Version2.job

- c:\program files\Common Files\ParetoLogic\UUS2\Pareto_Update.exe [2008-02-22 17:25]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.coasttocoastam.com/shows/2009/08/01

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

mSearch Bar = hxxp://go.compaq.com/1Q00CDT/0409/bl8.asp

uInternet Settings,ProxyOverride = <local>

uSearchURL,(Default) = hxxp://www.google.com/keyword/%s

IE: Download all by NetXfer - c:\program files\Xi\NetXfer\NXAddList.html

IE: Download by NetXfer - c:\program files\Xi\NetXfer\NXAddLink.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

IE: Sothink SWF Catcher - c:\program files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-06-10 13:36

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1893879213-397398424-1457653958-1005\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{EED80E61-38D4-693F-2531-13C8946D43FE}*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(784)

c:\program files\SUPERAntiSpyware\SASWINLO.DLL

c:\windows\system32\WININET.dll

c:\windows\system32\Ati2evxx.dll

c:\windows\system32\NavLogon.dll

- - - - - - - > 'explorer.exe'(252)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

Completion time: 2010-06-10 13:38:30

ComboFix-quarantined-files.txt 2010-06-10 17:38

ComboFix2.txt 2010-06-10 15:48

ComboFix3.txt 2010-06-10 13:56

ComboFix4.txt 2010-06-09 14:21

ComboFix5.txt 2010-06-10 16:27

Pre-Run: 10,297,065,472 bytes free

Post-Run: 10,259,484,672 bytes free

- - End Of File - - 31108C49EE532F3174BCBFF17709B0B7

Link to post
Share on other sites

I see no annoying debugging messages, and Google works fine. Yay!

As for avenger, when I unzipped it there was nothing in the zip file but the exe. It did not create a folder on the desktop. There is a c:\avenger folder since it ran that contains a backup.zip. Is that what you want? Also, what do I do about the submission to bleepingcomputer that I couldn't do before?

Link to post
Share on other sites

These are the last steps.

Step 1

* Go to start > run and copy and paste next command in the field:

ComboFix /uninstall

Make sure there's a space between Combofix and /

Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

Step 2

To enable CD Emulation programs using DeFogger please perform these steps:

  1. Please download DeFogger to your desktop.
  2. Once downloaded, double-click on the DeFogger icon to start the tool.
  3. The application window will now appear. You should now click on the Enable button to enable your CD Emulation drivers
  4. When it prompts you whether or not you want to continue, please click on the Yes button to continue
  5. When the program has completed you will see a Finished! message. Click on the OK button to exit the program.
  6. If CD Emulation programs are present and have been enabled, DeFogger will now ask you to reboot the machine. Please allow it to do so by clicking on the OK button.

Step 3

Please manually delete Defogger, TDSSKiller, JavaRa and The Avenger.

Step 4

Please download and install the latest version of Adobe Reader from:

www.adobe.com

About Java:

www.java.com/en

Step 5

Please contact with ESET Technical Support and let them know about your BSOD.

http://www.eset.com/support/contact#home

They will tell you what to do. Give them all the information.

Step 6

Some malware preventions:

http://miekiemoes.blogspot.com/2008/02/how...nt-malware.html

Safe surfing! :)

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.