WiredWX Christian Hobby Weather Tools
Re: Another AV Security Suite infection
No worries. Disabling the AV is just a precaution so ComboFix isn't blocked. You can safely run the fix without doing so.

Re: Another AV Security Suite infection
Here it is...

ComboFix 10-06-20.01 - Eric 06/20/2010 15:03:17.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1982.1458 [GMT -5:00]
Running from: c:\downloads\ComboFix\ComboFix.exe
Command switches used :: c:\documents and settings\Eric\Desktop\CFscript.txt.lnk
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Eric\Recent\HikingAndCampingStuff.url
c:\documents and settings\Eric\Recent\MSDN Forum - Entity and LINQ to Entities Forum.url
C:\Thumbs.db
c:\windows\system32\Thumbs.db
H:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2010-05-20 to 2010-06-20 )))))))))))))))))))))))))))))))
.

2010-06-20 19:19 . 2010-06-20 19:19 -------- d-----w- c:\program files\NVIDIA Corporation
2010-06-18 12:50 . 2010-06-18 13:17 -------- d-----w- c:\documents and settings\All Users\Application Data\OnlineArmor
2010-06-18 12:50 . 2010-06-18 12:50 -------- d-----w- c:\documents and settings\Eric\Application Data\OnlineArmor
2010-06-18 12:50 . 2010-04-20 09:13 24440 ----a-w- c:\windows\system32\drivers\OAmon.sys
2010-06-18 12:50 . 2010-04-20 09:13 29560 ----a-w- c:\windows\system32\drivers\OAnet.sys
2010-06-18 12:50 . 2010-04-20 09:13 228216 ----a-w- c:\windows\system32\drivers\OADriver.sys
2010-06-18 12:50 . 2010-06-18 12:50 -------- d-----w- c:\program files\Tall Emu
2010-06-18 12:46 . 2010-06-18 12:46 -------- d-----w- c:\program files\SpywareBlaster
2010-06-18 09:11 . 2010-06-18 09:11 -------- d-----w- c:\program files\ESET
2010-06-18 04:25 . 2010-06-18 04:25 -------- d-s---w- c:\documents and settings\NetworkService\UserData
2010-06-17 17:10 . 2010-02-05 14:17 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2010-06-17 17:10 . 2010-03-29 15:06 218592 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-06-17 17:10 . 2009-11-23 18:54 88040 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2010-06-17 17:10 . 2010-04-08 19:29 63360 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-06-17 17:10 . 2010-06-17 17:10 -------- d-----w- c:\program files\Common Files\PC Tools
2010-06-17 17:10 . 2010-06-17 17:10 -------- d-----w- c:\documents and settings\Eric\Application Data\PC Tools
2010-06-17 17:10 . 2010-06-17 17:10 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2010-06-17 17:10 . 2010-06-17 17:10 -------- d-----w- c:\program files\Spyware Doctor
2010-06-17 15:53 . 2010-06-18 10:09 -------- d-----w- c:\documents and settings\Eric\Local Settings\Application Data\ukcpenhtj
2010-06-17 14:32 . 2010-06-17 14:32 -------- d-----w- c:\program files\Voxengo
2010-06-17 12:01 . 2010-06-17 12:01 -------- d-----w- c:\program files\Audacity
2010-06-14 10:28 . 1993-07-23 05:00 210944 ----a-w- c:\windows\system32\Msvcrt10.dll
2010-06-14 10:27 . 1999-10-22 06:11 52736 ----a-w- c:\windows\system32\Pdfshell.dll
2010-06-14 10:25 . 1998-10-29 20:45 306688 ----a-w- c:\windows\IsUninst.exe
2010-06-08 08:03 . 2010-06-08 08:03 -------- d-----w- c:\windows\SQLTools9_KB970892_ENU
2010-06-08 08:01 . 2010-06-08 08:01 -------- d-----w- c:\windows\SQL9_KB970892_ENU
2010-06-07 15:38 . 2010-06-07 15:38 3584 ----a-r- c:\documents and settings\Eric\Application Data\Microsoft\Installer\{121634B0-2F4B-11D3-ADA3-00C04F52DD52}\Icon386ED4E3.exe
2010-06-07 15:38 . 2010-06-07 15:38 -------- d-----w- c:\program files\Windows Installer Clean Up
2010-06-07 14:40 . 2010-06-07 15:37 -------- d-----w- c:\program files\MSECACHE
2010-06-07 12:13 . 2010-06-07 12:13 -------- d-----w- c:\documents and settings\Eric\Local Settings\Application Data\Irony
2010-06-01 13:43 . 2010-06-01 13:43 29512 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgmfx86.sys
2010-06-01 13:43 . 2010-06-01 13:43 242896 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys
2010-05-25 02:27 . 2010-05-25 02:27 61440 ----a-w- c:\documents and settings\Eric\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-439fdc55-n\decora-sse.dll
2010-05-25 02:27 . 2010-05-25 02:27 503808 ----a-w- c:\documents and settings\Eric\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-26bf0192-n\msvcp71.dll
2010-05-25 02:27 . 2010-05-25 02:27 499712 ----a-w- c:\documents and settings\Eric\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-26bf0192-n\jmc.dll
2010-05-25 02:27 . 2010-05-25 02:27 348160 ----a-w- c:\documents and settings\Eric\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-26bf0192-n\msvcr71.dll
2010-05-25 02:27 . 2010-05-25 02:27 12800 ----a-w- c:\documents and settings\Eric\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-439fdc55-n\decora-d3d.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-20 19:45 . 2009-10-25 23:59 -------- d---a-w- c:\documents and settings\All Users\Application Data\Temp
2010-06-19 05:48 . 2008-12-07 16:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-06-17 17:32 . 2009-10-28 13:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-17 16:55 . 2009-08-08 09:49 -------- d-----w- c:\program files\Free Offers from Freeze.com
2010-06-17 15:52 . 2008-12-07 16:46 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-06-15 18:29 . 2008-12-13 23:49 -------- d-----w- c:\program files\Common Files\Adobe
2010-06-14 16:06 . 2008-11-16 13:22 70696 ----a-w- c:\documents and settings\Eric\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-14 10:22 . 2010-02-03 09:43 -------- d-----w- c:\program files\Free Easy Burner
2010-06-11 08:12 . 2008-11-16 13:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-06-08 08:03 . 2008-11-16 13:51 -------- d-----w- c:\program files\Microsoft SQL Server
2010-06-07 15:45 . 2008-11-16 13:07 -------- d-----w- c:\program files\Microsoft.NET
2010-06-07 13:38 . 2008-11-16 14:55 -------- d-----w- c:\program files\Microsoft Visual Studio 8
2010-06-07 13:26 . 2009-04-15 19:28 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-01 13:43 . 2009-04-03 14:12 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-06-01 13:43 . 2008-11-16 17:23 29584 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-05-17 14:31 . 2010-05-17 14:31 -------- d--h--w- c:\documents and settings\All Users\Application Data\CanonBJ
2010-05-15 13:50 . 2008-12-07 16:45 -------- d-----w- c:\program files\Google
2010-05-02 05:22 . 2003-03-31 12:00 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-29 20:39 . 2009-10-28 13:31 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 20:39 . 2009-10-28 13:31 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-20 05:30 . 2003-03-31 12:00 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-16 16:09 . 2003-03-31 12:00 667136 ----a-w- c:\windows\system32\wininet.dll
2010-04-16 16:09 . 2004-08-04 07:56 81920 ------w- c:\windows\system32\ieencode.dll
2010-04-05 17:44 . 2010-03-04 13:28 4846 ----a-r- c:\documents and settings\Eric\Application Data\Microsoft\Installer\{FCD7C22E-06CE-4F29-8CCD-55A7B4D0B087}\_5B1774D2E3075CCF328EDA.exe
2010-04-05 17:44 . 2010-03-04 13:28 4710 ----a-r- c:\documents and settings\Eric\Application Data\Microsoft\Installer\{FCD7C22E-06CE-4F29-8CCD-55A7B4D0B087}\_E3DB97A5850DBC128D7B65.exe
2010-04-05 17:44 . 2010-03-04 13:28 4710 ----a-r- c:\documents and settings\Eric\Application Data\Microsoft\Installer\{FCD7C22E-06CE-4F29-8CCD-55A7B4D0B087}\_8E66822E457E550010289E.exe
2010-04-05 17:44 . 2010-03-04 13:28 4710 ----a-r- c:\documents and settings\Eric\Application Data\Microsoft\Installer\{FCD7C22E-06CE-4F29-8CCD-55A7B4D0B087}\_60FA5A9483A6EBA443B57C.exe
2010-04-05 17:44 . 2010-03-04 13:28 4710 ----a-r- c:\documents and settings\Eric\Application Data\Microsoft\Installer\{FCD7C22E-06CE-4F29-8CCD-55A7B4D0B087}\_4CAAF08408C8FEDDEDE6F6.exe
2010-04-05 17:44 . 2010-03-04 13:28 4846 ----a-r- c:\documents and settings\Eric\Application Data\Microsoft\Installer\{FCD7C22E-06CE-4F29-8CCD-55A7B4D0B087}\_12DBA35940918FB93254F3.exe
2010-04-05 17:44 . 2010-03-04 13:28 4710 ----a-r- c:\documents and settings\Eric\Application Data\Microsoft\Installer\{FCD7C22E-06CE-4F29-8CCD-55A7B4D0B087}\_F6DB2D7CC108D7C7EC0674.exe
2010-04-05 17:44 . 2010-03-04 13:28 4710 ----a-r- c:\documents and settings\Eric\Application Data\Microsoft\Installer\{FCD7C22E-06CE-4F29-8CCD-55A7B4D0B087}\_23898BB06D60197612CEBF.exe
2010-04-05 17:44 . 2010-03-04 13:28 4846 ----a-r- c:\documents and settings\Eric\Application Data\Microsoft\Installer\{FCD7C22E-06CE-4F29-8CCD-55A7B4D0B087}\_DAFD234B6DD27FDD55C9DB.exe
2010-04-05 17:44 . 2010-03-04 13:28 4710 ----a-r- c:\documents and settings\Eric\Application Data\Microsoft\Installer\{FCD7C22E-06CE-4F29-8CCD-55A7B4D0B087}\_F38630FC83CCA1F7DDDF3B.exe
2010-04-05 17:44 . 2010-03-04 13:28 4710 ----a-r- c:\documents and settings\Eric\Application Data\Microsoft\Installer\{FCD7C22E-06CE-4F29-8CCD-55A7B4D0B087}\_152E1AB519A70F234DA294.exe
2010-04-05 17:44 . 2010-03-04 13:28 1078 ----a-r- c:\documents and settings\Eric\Application Data\Microsoft\Installer\{FCD7C22E-06CE-4F29-8CCD-55A7B4D0B087}\_6FEFF9B68218417F98F549.exe
2010-04-04 03:55 . 2010-04-04 03:55 61440 ----a-w- c:\windows\system32\OpenCL.dll
2010-04-04 03:55 . 2010-04-04 03:55 4075520 ----a-w- c:\windows\system32\nvcuda.dll
2010-04-04 03:55 . 2010-04-04 03:55 2646632 ----a-w- c:\windows\system32\nvcuvenc.dll
2010-04-04 03:55 . 2010-04-04 03:55 227944 ----a-w- c:\windows\system32\nvcodins.dll
2010-04-04 03:55 . 2010-04-04 03:55 227944 ----a-w- c:\windows\system32\nvcod.dll
2010-04-04 03:55 . 2010-04-04 03:55 2183470 ----a-w- c:\windows\system32\nvdata.bin
2010-04-04 03:55 . 2010-04-04 03:55 2030184 ----a-w- c:\windows\system32\nvcuvid.dll
2010-04-04 03:55 . 2010-04-04 03:55 14757888 ----a-w- c:\windows\system32\nvoglnt.dll
2010-04-04 03:55 . 2010-04-04 03:55 11647592 ----a-w- c:\windows\system32\nvcompiler.dll
2010-04-04 03:55 . 2010-04-04 03:55 1097728 ----a-w- c:\windows\system32\nvapi.dll
2010-04-04 03:55 . 2004-08-04 05:29 10232128 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2010-03-30 18:59 . 2010-03-30 18:59 61440 ----a-w- c:\documents and settings\Eric\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-349c8116-n\decora-sse.dll
2010-03-30 18:59 . 2010-03-30 18:59 503808 ----a-w- c:\documents and settings\Eric\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-3742d89b-n\msvcp71.dll
2010-03-30 18:59 . 2010-03-30 18:59 499712 ----a-w- c:\documents and settings\Eric\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-3742d89b-n\jmc.dll
2010-03-30 18:59 . 2010-03-30 18:59 348160 ----a-w- c:\documents and settings\Eric\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-3742d89b-n\msvcr71.dll
2010-03-30 18:59 . 2010-03-30 18:59 12800 ----a-w- c:\documents and settings\Eric\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-349c8116-n\decora-d3d.dll
2010-03-29 14:37 . 2010-03-29 14:37 38344 ----a-w- c:\windows\system32\drivers\CO_Mon.sys
2010-03-29 14:37 . 2010-03-29 14:37 58632 ----a-w- c:\documents and settings\Eric\Application Data\WholeSecurity\CAT\WSUIEE.exe
2010-03-29 14:36 . 2010-03-29 14:36 36939 ----a-w- c:\documents and settings\Eric\Application Data\Juniper Networks\setup\uninstall.exe
.

((((((((((((((((((((((((((((( SnapShot@2010-06-18_15.19.49 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-06-20 19:44 . 2010-06-20 19:44 16384 c:\windows\Temp\Perflib_Perfdata_240.dat
+ 2010-06-20 19:19 . 2008-04-13 18:31 35840 c:\windows\system32\ReinstallBackups\0001\DriverFiles\i386\processr.sys
+ 2007-04-17 02:46 . 2007-04-17 02:46 33792 c:\windows\system32\drivers\AmdPPM.sys
+ 2004-08-04 07:56 . 2008-04-13 23:12 4274816 c:\windows\system32\nv4_disp.dll
- 2004-08-04 07:56 . 2008-04-14 00:12 4274816 c:\windows\system32\nv4_disp.dll
+ 2004-08-04 07:56 . 2008-04-13 23:12 4274816 c:\windows\system32\dllcache\nv4_disp.dll
+ 2004-08-04 05:29 . 2010-04-04 03:55 10232128 c:\windows\system32\dllcache\nv4_mini.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-12-07 39408]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IDTSysTrayApp"="sttray.exe" [2007-09-06 405504]
"SigmatelSysTrayApp"="stsystra.exe" [2006-07-27 282624]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-06-01 2065248]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2010-05-11 1287120]
"@OnlineArmor GUI"="c:\program files\Tall Emu\Online Armor\oaui.exe" [2010-04-20 6678008]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2006-10-27 434528]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-3-3 113664]
VPN Client.lnk - c:\windows\Installer\{CCBAA1F7-E5E1-48B2-9ED9-A79C6A37CE78}\Icon3E5562ED7.ico [2009-4-30 6144]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2009-4-28 122880]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{4F07DA45-8170-4859-9B5F-037EF2970034}"= "c:\progra~1\TALLEM~1\ONLINE~1\oaevent.dll" [2010-04-20 925688]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-03-05 15:47 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3713959246-320310600-2471480639-1178\Scripts\Logon\0\0]
"Script"=logon.bat

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
"c:\\Program Files\\Common Files\\Microsoft Shared\\DevServer\\9.0\\WebDev.WebServer.EXE"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgam.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\Microsoft Expression\\Media 2\\Media.exe"=

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [4/3/2009 9:12 AM 52872]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [6/17/2010 12:10 PM 218592]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [4/3/2009 9:12 AM 216200]
R1 AvgTdiX;AVG Network Redirector;c:\windows\system32\drivers\avgtdix.sys [4/3/2009 9:12 AM 242896]
R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [6/18/2010 7:50 AM 228216]
R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [6/18/2010 7:50 AM 24440]
R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [6/18/2010 7:50 AM 29560]
R2 avg9emc;AVG E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [3/5/2010 10:47 AM 916760]
R2 avg9wd;AVG WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [3/5/2010 10:47 AM 308064]
R2 msftesql$SQLEXPRESS;SQL Server FullText Search (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe [6/22/2007 9:22 AM 95592]
R2 OAcat;Online Armor Helper Service;c:\program files\Tall Emu\Online Armor\oacat.exe [6/18/2010 7:50 AM 1284600]
R2 SvcOnlineArmor;Online Armor;c:\program files\Tall Emu\Online Armor\oasrv.exe [6/18/2010 7:50 AM 3364856]
S2 gupdate1c95cab836b518e;Google Update Service (gupdate1c95cab836b518e);c:\program files\Google\Update\GoogleUpdate.exe [12/12/2008 5:46 PM 133104]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [1/29/2010 3:36 AM 717296]
.
Contents of the 'Scheduled Tasks' folder

2010-06-20 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-12-07 10:55]

2010-06-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-12-12 11:34]

2010-06-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-12-12 11:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyServer = http=127.0.0.1:1038
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_2EC7709873947E87.dll/cmsidewiki.html
Trusted Zone: aig.com\na.connect
DPF: {3BA494B1-D507-4C11-9BDA-D47E1A65DFCF} - hxxps://na.connect.aig.com/llclient/Neoteris/winxp/,DanaInfo=10.249.14.102+AXXPEE.dll
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://na.connect.aig.com/dana-cached/sc/JuniperSetupClient.cab
FF - ProfilePath - c:\documents and settings\Eric\Application Data\Mozilla\Firefox\Profiles\y8rdhq3a.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-20 15:15
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\msftesql$SQLEXPRESS]
"ImagePath"=""c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe" -s:MSSQL.1 -f:SQLEXPRESS"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(616)
c:\windows\system32\CSGina.dll
.
Completion time: 2010-06-20 15:19:09
ComboFix-quarantined-files.txt 2010-06-20 20:18

Pre-Run: 167,725,568,000 bytes free
Post-Run: 167,717,781,504 bytes free

- - End Of File - - A577C13FCFA3C791ADDBBC08D1311BA8

Re: Another AV Security Suite infection
Hi Eric,

That fix didn't take. Let's just do it manually...

Remove the proxy setting in Internet Explorer and/or in Firefox.

In IE: Tools menu -> Internet Options -> Connections tab -> LAN Settings -> uncheck "Use a proxy server", or reconfigure the proxy server in case you had set one yourself previously.

In Firefox: Tools menu -> Options... -> Advanced tab -> Network tab -> Settings (under Connection) -> choose "No proxy".

Click the Apply button and restart the computer in normal mode.
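As an added example (not part of Chris's or Eric's posts, and not ComboFix's or DDS's own code), the following Python script does the triage that this post and the CFScript instructions later in the thread do by eye: it reads ComboFix "Supplementary Scan" lines, flags a ProxyServer entry that points the browser at the local machine (the hijack the thread is chasing), calls out two secondary indicators from the same log (firewall disabled, Autorun.inf at a drive root), and emits the `DDS::` CFScript block in the form Chris asks Eric to save as CFScript.txt. The sample lines are constructed from entries quoted in this thread; the function names are mine, and treating an `m` prefix as the machine-wide (HKLM) counterpart of the `u` (HKCU) lines shown here is an assumption about the DDS convention.

```python
import re

# Constructed sample input, shaped like the ComboFix "Supplementary Scan",
# "Reg Loading Points" and "Other Deletions" lines quoted in this thread.
SAMPLE_LOG = """uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = http=127.0.0.1:1038
uInternet Settings,ProxyOverride = <local>
[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\standardprofile]
"EnableFirewall"= 0 (0x0)
H:\\Autorun.inf
"""

# "u" = per-user (HKCU) and "m" = machine-wide (HKLM) in DDS/ComboFix output;
# handling "m" the same way is an assumption, the thread only shows "u" lines.
PROXY_RE = re.compile(
    r'^(?P<scope>[um])Internet Settings,ProxyServer\s*=\s*(?P<value>.+)$'
)
LOOPBACK_HOSTS = {"127.0.0.1", "localhost", "::1"}

# Other lines from the same log that a responder would want called out.
OTHER_INDICATORS = [
    (re.compile(r'^"EnableFirewall"\s*=\s*0\b'),
     "Windows Firewall disabled in the standard profile"),
    (re.compile(r'^[A-Za-z]:\\Autorun\.inf$'),
     "Autorun.inf at a drive root (removable-media autorun)"),
]


def parse_proxy_value(value):
    """Split a WinINET ProxyServer string into (scheme, host, port) tuples.

    Accepts both the per-protocol form 'http=127.0.0.1:1038;https=...' and
    the bare form '127.0.0.1:1038' (scheme reported as '*').
    """
    entries = []
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        scheme, _, hostport = part.rpartition("=")
        host, _, port = hostport.rpartition(":")
        if not host:  # no port given
            host, port = hostport, ""
        entries.append((scheme or "*", host.strip("[]"), port))
    return entries


def find_loopback_proxies(log_text):
    """Return proxy entries in a ComboFix log that point the browser at this machine."""
    hits = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = PROXY_RE.match(line)
        if not m:
            continue
        for scheme, host, port in parse_proxy_value(m.group("value")):
            if host.lower() in LOOPBACK_HOSTS:
                hits.append({
                    "line": line,
                    "scope": "user" if m.group("scope") == "u" else "machine",
                    "scheme": scheme,
                    "host": host,
                    "port": port,
                })
    return hits


def find_other_indicators(log_text):
    """Return (line, description) pairs for the secondary indicators above."""
    found = []
    for raw in log_text.splitlines():
        line = raw.strip()
        for rx, label in OTHER_INDICATORS:
            if rx.search(line):
                found.append((line, label))
    return found


def build_cfscript(log_text):
    """Produce the CFScript text that tells ComboFix to drop the flagged proxy lines.

    This is the 'DDS::' block form used in the thread; an empty string means
    nothing needs removing.
    """
    lines = sorted({h["line"] for h in find_loopback_proxies(log_text)})
    if not lines:
        return ""
    return "\n".join(["DDS::"] + lines) + "\n"


if __name__ == "__main__":
    for hit in find_loopback_proxies(SAMPLE_LOG):
        print(f"loopback proxy ({hit['scope']}): {hit['scheme']} -> {hit['host']}:{hit['port']}")
    for line, label in find_other_indicators(SAMPLE_LOG):
        print(f"indicator: {label}: {line}")
    print(build_cfscript(SAMPLE_LOG), end="")
```

A loopback proxy is not proof of infection on its own: a debugging proxy or an antivirus web filter also listens on 127.0.0.1, so compare the port against what is known to be installed before scripting its removal. If the process that set the entry is still alive it can be re-created after a reboot, so re-check the fresh log after the fix rather than trusting the browser dialog.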

Re: Another AV Security Suite infection
Hi Chris,

A couple of things before I reboot. Both IE and Firefox settings were already set the way you wanted them to be. I am going to reboot now.

I had turned the system off earlier (am I not supposed to do that?). When I turned it back on and went to GeekPolice.net, my browser took me to another site and would not go to your site. I rebooted again and was able to get to your site and check the proxy settings as I mentioned above. I will reboot now.

Then what would you like me to do?

Eric

Re: Another AV Security Suite infection
Hi Eric,

That's really odd. Let's try the fix again. But first, there are a few issues apparent in the last run that might have prevented it from working correctly.

Running from: c:\downloads\ComboFix\ComboFix.exe


This should be running from the desktop for pure convenience. It makes the fix easier to do...

Command switches used :: c:\documents and settings\Eric\Desktop\CFscript.txt.lnk


Also, please make sure you save the file as CFScript.txt in Notepad, onto your Desktop. Below are the rest of the instructions.

Re-running ComboFix to remove infections:

  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:

    DDS::
    uInternet Settings,ProxyServer = http=127.0.0.1:1038

  4. Save this as CFscript.txt, in the same location as ComboFix.exe

    (screenshot: Cfscriptb4)

  5. Referring to the picture above, drag CFscript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.

Re: Another AV Security Suite infection
Hi Chris, the log is below... A couple of things came up during the process.

I have Online Armor on; should I have turned this off, or does it matter?
I got a popup that stated NirCmd.cfxxe is blocked from getting the list of files h:\*.* (my external drive is H:). Should I have had that disconnected?
Last, I got another popup that stated Google has blocked attempts to change the default search settings.

Not sure if any of the above matter but thought I would mention them.

Eric

ComboFix 10-06-20.03 - Eric 06/20/2010 21:14:19.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1982.1473 [GMT -5:00]
Running from: c:\documents and settings\Eric\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Eric\Desktop\CFscript.txt
.

((((((((((((((((((((((((( Files Created from 2010-05-21 to 2010-06-21 )))))))))))))))))))))))))))))))
.

2010-06-20 19:19 . 2010-06-20 19:19 -------- d-----w- c:\program files\NVIDIA Corporation
2010-06-18 12:50 . 2010-06-18 13:17 -------- d-----w- c:\documents and settings\All Users\Application Data\OnlineArmor
2010-06-18 12:50 . 2010-06-18 12:50 -------- d-----w- c:\documents and settings\Eric\Application Data\OnlineArmor
2010-06-18 12:50 . 2010-04-20 09:13 24440 ----a-w- c:\windows\system32\drivers\OAmon.sys
2010-06-18 12:50 . 2010-04-20 09:13 29560 ----a-w- c:\windows\system32\drivers\OAnet.sys
2010-06-18 12:50 . 2010-04-20 09:13 228216 ----a-w- c:\windows\system32\drivers\OADriver.sys
2010-06-18 12:50 . 2010-06-18 12:50 -------- d-----w- c:\program files\Tall Emu
2010-06-18 12:46 . 2010-06-18 12:46 -------- d-----w- c:\program files\SpywareBlaster
2010-06-18 09:11 . 2010-06-18 09:11 -------- d-----w- c:\program files\ESET
2010-06-18 04:25 . 2010-06-18 04:25 -------- d-s---w- c:\documents and settings\NetworkService\UserData
2010-06-17 17:10 . 2010-02-05 14:17 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2010-06-17 17:10 . 2010-03-29 15:06 218592 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-06-17 17:10 . 2009-11-23 18:54 88040 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2010-06-17 17:10 . 2010-04-08 19:29 63360 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-06-17 17:10 . 2010-06-17 17:10 -------- d-----w- c:\program files\Common Files\PC Tools
2010-06-17 17:10 . 2010-06-17 17:10 -------- d-----w- c:\documents and settings\Eric\Application Data\PC Tools
2010-06-17 17:10 . 2010-06-17 17:10 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2010-06-17 17:10 . 2010-06-17 17:10 -------- d-----w- c:\program files\Spyware Doctor
2010-06-17 15:53 . 2010-06-18 10:09 -------- d-----w- c:\documents and settings\Eric\Local Settings\Application Data\ukcpenhtj
2010-06-17 14:32 . 2010-06-17 14:32 -------- d-----w- c:\program files\Voxengo
2010-06-17 12:01 . 2010-06-17 12:01 -------- d-----w- c:\program files\Audacity
2010-06-14 10:28 . 1993-07-23 05:00 210944 ----a-w- c:\windows\system32\Msvcrt10.dll
2010-06-14 10:27 . 1999-10-22 06:11 52736 ----a-w- c:\windows\system32\Pdfshell.dll
2010-06-14 10:25 . 1998-10-29 20:45 306688 ----a-w- c:\windows\IsUninst.exe
2010-06-08 08:03 . 2010-06-08 08:03 -------- d-----w- c:\windows\SQLTools9_KB970892_ENU
2010-06-08 08:01 . 2010-06-08 08:01 -------- d-----w- c:\windows\SQL9_KB970892_ENU
2010-06-07 15:38 . 2010-06-07 15:38 3584 ----a-r- c:\documents and settings\Eric\Application Data\Microsoft\Installer\{121634B0-2F4B-11D3-ADA3-00C04F52DD52}\Icon386ED4E3.exe
2010-06-07 15:38 . 2010-06-07 15:38 -------- d-----w- c:\program files\Windows Installer Clean Up
2010-06-07 14:40 . 2010-06-07 15:37 -------- d-----w- c:\program files\MSECACHE
2010-06-07 12:13 . 2010-06-07 12:13 -------- d-----w- c:\documents and settings\Eric\Local Settings\Application Data\Irony
2010-06-01 13:43 . 2010-06-01 13:43 29512 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgmfx86.sys
2010-06-01 13:43 . 2010-06-01 13:43 242896 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys
2010-05-25 02:27 . 2010-05-25 02:27 61440 ----a-w- c:\documents and settings\Eric\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-439fdc55-n\decora-sse.dll
2010-05-25 02:27 . 2010-05-25 02:27 503808 ----a-w- c:\documents and settings\Eric\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-26bf0192-n\msvcp71.dll
2010-05-25 02:27 . 2010-05-25 02:27 499712 ----a-w- c:\documents and settings\Eric\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-26bf0192-n\jmc.dll
2010-05-25 02:27 . 2010-05-25 02:27 348160 ----a-w- c:\documents and settings\Eric\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-26bf0192-n\msvcr71.dll
2010-05-25 02:27 . 2010-05-25 02:27 12800 ----a-w- c:\documents and settings\Eric\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-439fdc55-n\decora-d3d.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-21 01:33 . 2009-10-25 23:59 -------- d---a-w- c:\documents and settings\All Users\Application Data\Temp
2010-06-19 05:48 . 2008-12-07 16:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-06-17 17:32 . 2009-10-28 13:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-17 16:55 . 2009-08-08 09:49 -------- d-----w- c:\program files\Free Offers from Freeze.com
2010-06-17 15:52 . 2008-12-07 16:46 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-06-15 18:29 . 2008-12-13 23:49 -------- d-----w- c:\program files\Common Files\Adobe
2010-06-14 16:06 . 2008-11-16 13:22 70696 ----a-w- c:\documents and settings\Eric\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-14 10:22 . 2010-02-03 09:43 -------- d-----w- c:\program files\Free Easy Burner
2010-06-11 08:12 . 2008-11-16 13:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-06-08 08:03 . 2008-11-16 13:51 -------- d-----w- c:\program files\Microsoft SQL Server
2010-06-07 15:45 . 2008-11-16 13:07 -------- d-----w- c:\program files\Microsoft.NET
2010-06-07 13:38 . 2008-11-16 14:55 -------- d-----w- c:\program files\Microsoft Visual Studio 8
2010-06-07 13:26 . 2009-04-15 19:28 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-01 13:43 . 2009-04-03 14:12 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-06-01 13:43 . 2008-11-16 17:23 29584 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-05-17 14:31 . 2010-05-17 14:31 -------- d--h--w- c:\documents and settings\All Users\Application Data\CanonBJ
2010-05-15 13:50 . 2008-12-07 16:45 -------- d-----w- c:\program files\Google
2010-05-02 05:22 . 2003-03-31 12:00 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-29 20:39 . 2009-10-28 13:31 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 20:39 . 2009-10-28 13:31 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-20 05:30 . 2003-03-31 12:00 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-16 16:09 . 2003-03-31 12:00 667136 ----a-w- c:\windows\system32\wininet.dll
2010-04-16 16:09 . 2004-08-04 07:56 81920 ------w- c:\windows\system32\ieencode.dll
2010-04-05 17:44 . 2010-03-04 13:28 4846 ----a-r- c:\documents and settings\Eric\Application Data\Microsoft\Installer\{FCD7C22E-06CE-4F29-8CCD-55A7B4D0B087}\_5B1774D2E3075CCF328EDA.exe
2010-04-05 17:44 . 2010-03-04 13:28 4710 ----a-r- c:\documents and settings\Eric\Application Data\Microsoft\Installer\{FCD7C22E-06CE-4F29-8CCD-55A7B4D0B087}\_E3DB97A5850DBC128D7B65.exe
2010-04-05 17:44 . 2010-03-04 13:28 4710 ----a-r- c:\documents and settings\Eric\Application Data\Microsoft\Installer\{FCD7C22E-06CE-4F29-8CCD-55A7B4D0B087}\_8E66822E457E550010289E.exe
2010-04-05 17:44 . 2010-03-04 13:28 4710 ----a-r- c:\documents and settings\Eric\Application Data\Microsoft\Installer\{FCD7C22E-06CE-4F29-8CCD-55A7B4D0B087}\_60FA5A9483A6EBA443B57C.exe
2010-04-05 17:44 . 2010-03-04 13:28 4710 ----a-r- c:\documents and settings\Eric\Application Data\Microsoft\Installer\{FCD7C22E-06CE-4F29-8CCD-55A7B4D0B087}\_4CAAF08408C8FEDDEDE6F6.exe
2010-04-05 17:44 . 2010-03-04 13:28 4846 ----a-r- c:\documents and settings\Eric\Application Data\Microsoft\Installer\{FCD7C22E-06CE-4F29-8CCD-55A7B4D0B087}\_12DBA35940918FB93254F3.exe
2010-04-05 17:44 . 2010-03-04 13:28 4710 ----a-r- c:\documents and settings\Eric\Application Data\Microsoft\Installer\{FCD7C22E-06CE-4F29-8CCD-55A7B4D0B087}\_F6DB2D7CC108D7C7EC0674.exe
2010-04-05 17:44 . 2010-03-04 13:28 4710 ----a-r- c:\documents and settings\Eric\Application Data\Microsoft\Installer\{FCD7C22E-06CE-4F29-8CCD-55A7B4D0B087}\_23898BB06D60197612CEBF.exe
2010-04-05 17:44 . 2010-03-04 13:28 4846 ----a-r- c:\documents and settings\Eric\Application Data\Microsoft\Installer\{FCD7C22E-06CE-4F29-8CCD-55A7B4D0B087}\_DAFD234B6DD27FDD55C9DB.exe
2010-04-05 17:44 . 2010-03-04 13:28 4710 ----a-r- c:\documents and settings\Eric\Application Data\Microsoft\Installer\{FCD7C22E-06CE-4F29-8CCD-55A7B4D0B087}\_F38630FC83CCA1F7DDDF3B.exe
2010-04-05 17:44 . 2010-03-04 13:28 4710 ----a-r- c:\documents and settings\Eric\Application Data\Microsoft\Installer\{FCD7C22E-06CE-4F29-8CCD-55A7B4D0B087}\_152E1AB519A70F234DA294.exe
2010-04-05 17:44 . 2010-03-04 13:28 1078 ----a-r- c:\documents and settings\Eric\Application Data\Microsoft\Installer\{FCD7C22E-06CE-4F29-8CCD-55A7B4D0B087}\_6FEFF9B68218417F98F549.exe
2010-04-04 03:55 . 2010-04-04 03:55 61440 ----a-w- c:\windows\system32\OpenCL.dll
2010-04-04 03:55 . 2010-04-04 03:55 4075520 ----a-w- c:\windows\system32\nvcuda.dll
2010-04-04 03:55 . 2010-04-04 03:55 2646632 ----a-w- c:\windows\system32\nvcuvenc.dll
2010-04-04 03:55 . 2010-04-04 03:55 227944 ----a-w- c:\windows\system32\nvcodins.dll
2010-04-04 03:55 . 2010-04-04 03:55 227944 ----a-w- c:\windows\system32\nvcod.dll
2010-04-04 03:55 . 2010-04-04 03:55 2183470 ----a-w- c:\windows\system32\nvdata.bin
2010-04-04 03:55 . 2010-04-04 03:55 2030184 ----a-w- c:\windows\system32\nvcuvid.dll
2010-04-04 03:55 . 2010-04-04 03:55 14757888 ----a-w- c:\windows\system32\nvoglnt.dll
2010-04-04 03:55 . 2010-04-04 03:55 11647592 ----a-w- c:\windows\system32\nvcompiler.dll
2010-04-04 03:55 . 2010-04-04 03:55 1097728 ----a-w- c:\windows\system32\nvapi.dll
2010-04-04 03:55 . 2004-08-04 05:29 10232128 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2010-03-30 18:59 . 2010-03-30 18:59 61440 ----a-w- c:\documents and settings\Eric\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-349c8116-n\decora-sse.dll
2010-03-30 18:59 . 2010-03-30 18:59 503808 ----a-w- c:\documents and settings\Eric\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-3742d89b-n\msvcp71.dll
2010-03-30 18:59 . 2010-03-30 18:59 499712 ----a-w- c:\documents and settings\Eric\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-3742d89b-n\jmc.dll
2010-03-30 18:59 . 2010-03-30 18:59 348160 ----a-w- c:\documents and settings\Eric\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-3742d89b-n\msvcr71.dll
2010-03-30 18:59 . 2010-03-30 18:59 12800 ----a-w- c:\documents and settings\Eric\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-349c8116-n\decora-d3d.dll
2010-03-29 14:37 . 2010-03-29 14:37 38344 ----a-w- c:\windows\system32\drivers\CO_Mon.sys
2010-03-29 14:37 . 2010-03-29 14:37 58632 ----a-w- c:\documents and settings\Eric\Application Data\WholeSecurity\CAT\WSUIEE.exe
2010-03-29 14:36 . 2010-03-29 14:36 36939 ----a-w- c:\documents and settings\Eric\Application Data\Juniper Networks\setup\uninstall.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-12-07 39408]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IDTSysTrayApp"="sttray.exe" [2007-09-06 405504]
"SigmatelSysTrayApp"="stsystra.exe" [2006-07-27 282624]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-06-01 2065248]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2010-05-11 1287120]
"@OnlineArmor GUI"="c:\program files\Tall Emu\Online Armor\oaui.exe" [2010-04-20 6678008]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2006-10-27 434528]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-3-3 113664]
VPN Client.lnk - c:\windows\Installer\{CCBAA1F7-E5E1-48B2-9ED9-A79C6A37CE78}\Icon3E5562ED7.ico [2009-4-30 6144]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2009-4-28 122880]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{4F07DA45-8170-4859-9B5F-037EF2970034}"= "c:\progra~1\TALLEM~1\ONLINE~1\oaevent.dll" [2010-04-20 925688]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-03-05 15:47 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3713959246-320310600-2471480639-1178\Scripts\Logon\0\0]
"Script"=logon.bat

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
"c:\\Program Files\\Common Files\\Microsoft Shared\\DevServer\\9.0\\WebDev.WebServer.EXE"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgam.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\Microsoft Expression\\Media 2\\Media.exe"=

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [4/3/2009 9:12 AM 52872]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [6/17/2010 12:10 PM 218592]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [4/3/2009 9:12 AM 216200]
R1 AvgTdiX;AVG Network Redirector;c:\windows\system32\drivers\avgtdix.sys [4/3/2009 9:12 AM 242896]
R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [6/18/2010 7:50 AM 228216]
R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [6/18/2010 7:50 AM 24440]
R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [6/18/2010 7:50 AM 29560]
R2 avg9emc;AVG E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [3/5/2010 10:47 AM 916760]
R2 avg9wd;AVG WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [3/5/2010 10:47 AM 308064]
R2 msftesql$SQLEXPRESS;SQL Server FullText Search (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe [6/22/2007 9:22 AM 95592]
R2 OAcat;Online Armor Helper Service;c:\program files\Tall Emu\Online Armor\oacat.exe [6/18/2010 7:50 AM 1284600]
R2 SvcOnlineArmor;Online Armor;c:\program files\Tall Emu\Online Armor\oasrv.exe [6/18/2010 7:50 AM 3364856]
S2 gupdate1c95cab836b518e;Google Update Service (gupdate1c95cab836b518e);c:\program files\Google\Update\GoogleUpdate.exe [12/12/2008 5:46 PM 133104]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [1/29/2010 3:36 AM 717296]
.
Contents of the 'Scheduled Tasks' folder

2010-06-21 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-12-07 10:55]

2010-06-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-12-12 11:34]

2010-06-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-12-12 11:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_2EC7709873947E87.dll/cmsidewiki.html
Trusted Zone: aig.com\na.connect
DPF: {3BA494B1-D507-4C11-9BDA-D47E1A65DFCF} - hxxps://na.connect.aig.com/llclient/Neoteris/winxp/,DanaInfo=10.249.14.102+AXXPEE.dll
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://na.connect.aig.com/dana-cached/sc/JuniperSetupClient.cab
FF - ProfilePath - c:\documents and settings\Eric\Application Data\Mozilla\Firefox\Profiles\y8rdhq3a.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-20 21:32
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\msftesql$SQLEXPRESS]
"ImagePath"=""c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe" -s:MSSQL.1 -f:SQLEXPRESS"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(616)
c:\windows\system32\CSGina.dll

- - - - - - - > 'explorer.exe'(2628)
c:\program files\Tall Emu\Online Armor\OAwatch.dll
c:\program files\SmartFTP Client\en-US\sfShellTools.dll.mui
.
Completion time: 2010-06-20 21:40:45
ComboFix-quarantined-files.txt 2010-06-21 02:39
ComboFix2.txt 2010-06-20 20:19

Pre-Run: 167,707,070,464 bytes free
Post-Run: 167,700,606,976 bytes free

- - End Of File - - 5DA0CA7FA0CD95DB7F5B1F9CB1F45081

Re: Another AV Security Suite infection

That last one is the issue. Can you reproduce that popup from Google please?

Re: Another AV Security Suite infection

It happened during the ComboFix run; the error displayed as an icon in my tray in the lower right of the screen. The icon is currently not there.

I don't know how I would reproduce it. I expect it would pop up if I ran ComboFix again.

Your thoughts...

Eric

Re: Another AV Security Suite infection
I also need to delete my temporary Internet files each time you or I post to the forum for me to see the updates.

Eric

Re: Another AV Security Suite infection
Hi Eric,

I think I've got an answer for you. See this link:
http://www.google.com/support/toolbar/bin/answer.py?answer=45491

and the steps regarding approving the change.

Re: Another AV Security Suite infection
Hi Chris,

I am not sure why I should change this. I want to keep Google as my default search engine (don't I?)

Eric

Re: Another AV Security Suite infection

You've got a proxy infection that's preventing you from changing it. You'll just need to confirm the change to remedy the infection.

Re: Another AV Security Suite infection

Okay, I turned off "Set and keep Google as my default Search Engine". Should I rerun the ComboFix?

Eric

Re: Another AV Security Suite infection

Try the fix posted in Post 14, yes.

Re: Another AV Security Suite infection

Hi Chris,

No Google popup... Here is the log.

ComboFix 10-06-20.03 - Eric 06/20/2010 23:57:36.5.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1982.1368 [GMT -5:00]
Running from: c:\documents and settings\Eric\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Eric\Desktop\CFscript.txt
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Thumbs.db

.
((((((((((((((((((((((((( Files Created from 2010-05-21 to 2010-06-21 )))))))))))))))))))))))))))))))
.

2010-06-20 19:19 . 2010-06-20 19:19 -------- d-----w- c:\program files\NVIDIA Corporation
2010-06-18 12:50 . 2010-06-18 13:17 -------- d-----w- c:\documents and settings\All Users\Application Data\OnlineArmor
2010-06-18 12:50 . 2010-06-18 12:50 -------- d-----w- c:\documents and settings\Eric\Application Data\OnlineArmor
2010-06-18 12:50 . 2010-04-20 09:13 24440 ----a-w- c:\windows\system32\drivers\OAmon.sys
2010-06-18 12:50 . 2010-04-20 09:13 29560 ----a-w- c:\windows\system32\drivers\OAnet.sys
2010-06-18 12:50 . 2010-04-20 09:13 228216 ----a-w- c:\windows\system32\drivers\OADriver.sys
2010-06-18 12:50 . 2010-06-18 12:50 -------- d-----w- c:\program files\Tall Emu
2010-06-18 12:46 . 2010-06-18 12:46 -------- d-----w- c:\program files\SpywareBlaster
2010-06-18 09:11 . 2010-06-18 09:11 -------- d-----w- c:\program files\ESET
2010-06-18 04:25 . 2010-06-18 04:25 -------- d-s---w- c:\documents and settings\NetworkService\UserData
2010-06-17 17:10 . 2010-02-05 14:17 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2010-06-17 17:10 . 2010-03-29 15:06 218592 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-06-17 17:10 . 2009-11-23 18:54 88040 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2010-06-17 17:10 . 2010-04-08 19:29 63360 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-06-17 17:10 . 2010-06-17 17:10 -------- d-----w- c:\program files\Common Files\PC Tools
2010-06-17 17:10 . 2010-06-17 17:10 -------- d-----w- c:\documents and settings\Eric\Application Data\PC Tools
2010-06-17 17:10 . 2010-06-17 17:10 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2010-06-17 17:10 . 2010-06-17 17:10 -------- d-----w- c:\program files\Spyware Doctor
2010-06-17 15:53 . 2010-06-18 10:09 -------- d-----w- c:\documents and settings\Eric\Local Settings\Application Data\ukcpenhtj
2010-06-17 14:32 . 2010-06-17 14:32 -------- d-----w- c:\program files\Voxengo
2010-06-17 12:01 . 2010-06-17 12:01 -------- d-----w- c:\program files\Audacity
2010-06-14 10:28 . 1993-07-23 05:00 210944 ----a-w- c:\windows\system32\Msvcrt10.dll
2010-06-14 10:27 . 1999-10-22 06:11 52736 ----a-w- c:\windows\system32\Pdfshell.dll
2010-06-14 10:25 . 1998-10-29 20:45 306688 ----a-w- c:\windows\IsUninst.exe
2010-06-08 08:03 . 2010-06-08 08:03 -------- d-----w- c:\windows\SQLTools9_KB970892_ENU
2010-06-08 08:01 . 2010-06-08 08:01 -------- d-----w- c:\windows\SQL9_KB970892_ENU
2010-06-07 15:38 . 2010-06-07 15:38 3584 ----a-r- c:\documents and settings\Eric\Application Data\Microsoft\Installer\{121634B0-2F4B-11D3-ADA3-00C04F52DD52}\Icon386ED4E3.exe
2010-06-07 15:38 . 2010-06-07 15:38 -------- d-----w- c:\program files\Windows Installer Clean Up
2010-06-07 14:40 . 2010-06-07 15:37 -------- d-----w- c:\program files\MSECACHE
2010-06-07 12:13 . 2010-06-07 12:13 -------- d-----w- c:\documents and settings\Eric\Local Settings\Application Data\Irony
2010-06-01 13:43 . 2010-06-01 13:43 29512 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgmfx86.sys
2010-06-01 13:43 . 2010-06-01 13:43 242896 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys
2010-05-25 02:27 . 2010-05-25 02:27 61440 ----a-w- c:\documents and settings\Eric\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-439fdc55-n\decora-sse.dll
2010-05-25 02:27 . 2010-05-25 02:27 503808 ----a-w- c:\documents and settings\Eric\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-26bf0192-n\msvcp71.dll
2010-05-25 02:27 . 2010-05-25 02:27 499712 ----a-w- c:\documents and settings\Eric\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-26bf0192-n\jmc.dll
2010-05-25 02:27 . 2010-05-25 02:27 348160 ----a-w- c:\documents and settings\Eric\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-26bf0192-n\msvcr71.dll
2010-05-25 02:27 . 2010-05-25 02:27 12800 ----a-w- c:\documents and settings\Eric\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-439fdc55-n\decora-d3d.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-21 01:33 . 2009-10-25 23:59 -------- d---a-w- c:\documents and settings\All Users\Application Data\Temp
2010-06-19 05:48 . 2008-12-07 16:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-06-17 17:32 . 2009-10-28 13:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-17 16:55 . 2009-08-08 09:49 -------- d-----w- c:\program files\Free Offers from Freeze.com
2010-06-17 15:52 . 2008-12-07 16:46 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-06-15 18:29 . 2008-12-13 23:49 -------- d-----w- c:\program files\Common Files\Adobe
2010-06-14 16:06 . 2008-11-16 13:22 70696 ----a-w- c:\documents and settings\Eric\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-14 10:22 . 2010-02-03 09:43 -------- d-----w- c:\program files\Free Easy Burner
2010-06-11 08:12 . 2008-11-16 13:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-06-08 08:03 . 2008-11-16 13:51 -------- d-----w- c:\program files\Microsoft SQL Server
2010-06-07 15:45 . 2008-11-16 13:07 -------- d-----w- c:\program files\Microsoft.NET
2010-06-07 13:38 . 2008-11-16 14:55 -------- d-----w- c:\program files\Microsoft Visual Studio 8
2010-06-07 13:26 . 2009-04-15 19:28 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-01 13:43 . 2009-04-03 14:12 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-06-01 13:43 . 2008-11-16 17:23 29584 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-05-17 14:31 . 2010-05-17 14:31 -------- d--h--w- c:\documents and settings\All Users\Application Data\CanonBJ
2010-05-15 13:50 . 2008-12-07 16:45 -------- d-----w- c:\program files\Google
2010-05-02 05:22 . 2003-03-31 12:00 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-29 20:39 . 2009-10-28 13:31 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 20:39 . 2009-10-28 13:31 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-20 05:30 . 2003-03-31 12:00 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-16 16:09 . 2003-03-31 12:00 667136 ----a-w- c:\windows\system32\wininet.dll
2010-04-16 16:09 . 2004-08-04 07:56 81920 ------w- c:\windows\system32\ieencode.dll
2010-04-05 17:44 . 2010-03-04 13:28 4846 ----a-r- c:\documents and settings\Eric\Application Data\Microsoft\Installer\{FCD7C22E-06CE-4F29-8CCD-55A7B4D0B087}\_5B1774D2E3075CCF328EDA.exe
2010-04-05 17:44 . 2010-03-04 13:28 4710 ----a-r- c:\documents and settings\Eric\Application Data\Microsoft\Installer\{FCD7C22E-06CE-4F29-8CCD-55A7B4D0B087}\_E3DB97A5850DBC128D7B65.exe
2010-04-05 17:44 . 2010-03-04 13:28 4710 ----a-r- c:\documents and settings\Eric\Application Data\Microsoft\Installer\{FCD7C22E-06CE-4F29-8CCD-55A7B4D0B087}\_8E66822E457E550010289E.exe
2010-04-05 17:44 . 2010-03-04 13:28 4710 ----a-r- c:\documents and settings\Eric\Application Data\Microsoft\Installer\{FCD7C22E-06CE-4F29-8CCD-55A7B4D0B087}\_60FA5A9483A6EBA443B57C.exe
2010-04-05 17:44 . 2010-03-04 13:28 4710 ----a-r- c:\documents and settings\Eric\Application Data\Microsoft\Installer\{FCD7C22E-06CE-4F29-8CCD-55A7B4D0B087}\_4CAAF08408C8FEDDEDE6F6.exe
2010-04-05 17:44 . 2010-03-04 13:28 4846 ----a-r- c:\documents and settings\Eric\Application Data\Microsoft\Installer\{FCD7C22E-06CE-4F29-8CCD-55A7B4D0B087}\_12DBA35940918FB93254F3.exe
2010-04-05 17:44 . 2010-03-04 13:28 4710 ----a-r- c:\documents and settings\Eric\Application Data\Microsoft\Installer\{FCD7C22E-06CE-4F29-8CCD-55A7B4D0B087}\_F6DB2D7CC108D7C7EC0674.exe
2010-04-05 17:44 . 2010-03-04 13:28 4710 ----a-r- c:\documents and settings\Eric\Application Data\Microsoft\Installer\{FCD7C22E-06CE-4F29-8CCD-55A7B4D0B087}\_23898BB06D60197612CEBF.exe
2010-04-05 17:44 . 2010-03-04 13:28 4846 ----a-r- c:\documents and settings\Eric\Application Data\Microsoft\Installer\{FCD7C22E-06CE-4F29-8CCD-55A7B4D0B087}\_DAFD234B6DD27FDD55C9DB.exe
2010-04-05 17:44 . 2010-03-04 13:28 4710 ----a-r- c:\documents and settings\Eric\Application Data\Microsoft\Installer\{FCD7C22E-06CE-4F29-8CCD-55A7B4D0B087}\_F38630FC83CCA1F7DDDF3B.exe
2010-04-05 17:44 . 2010-03-04 13:28 4710 ----a-r- c:\documents and settings\Eric\Application Data\Microsoft\Installer\{FCD7C22E-06CE-4F29-8CCD-55A7B4D0B087}\_152E1AB519A70F234DA294.exe
2010-04-05 17:44 . 2010-03-04 13:28 1078 ----a-r- c:\documents and settings\Eric\Application Data\Microsoft\Installer\{FCD7C22E-06CE-4F29-8CCD-55A7B4D0B087}\_6FEFF9B68218417F98F549.exe
2010-04-04 03:55 . 2010-04-04 03:55 61440 ----a-w- c:\windows\system32\OpenCL.dll
2010-04-04 03:55 . 2010-04-04 03:55 4075520 ----a-w- c:\windows\system32\nvcuda.dll
2010-04-04 03:55 . 2010-04-04 03:55 2646632 ----a-w- c:\windows\system32\nvcuvenc.dll
2010-04-04 03:55 . 2010-04-04 03:55 227944 ----a-w- c:\windows\system32\nvcodins.dll
2010-04-04 03:55 . 2010-04-04 03:55 227944 ----a-w- c:\windows\system32\nvcod.dll
2010-04-04 03:55 . 2010-04-04 03:55 2183470 ----a-w- c:\windows\system32\nvdata.bin
2010-04-04 03:55 . 2010-04-04 03:55 2030184 ----a-w- c:\windows\system32\nvcuvid.dll
2010-04-04 03:55 . 2010-04-04 03:55 14757888 ----a-w- c:\windows\system32\nvoglnt.dll
2010-04-04 03:55 . 2010-04-04 03:55 11647592 ----a-w- c:\windows\system32\nvcompiler.dll
2010-04-04 03:55 . 2010-04-04 03:55 1097728 ----a-w- c:\windows\system32\nvapi.dll
2010-04-04 03:55 . 2004-08-04 05:29 10232128 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2010-03-30 18:59 . 2010-03-30 18:59 61440 ----a-w- c:\documents and settings\Eric\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-349c8116-n\decora-sse.dll
2010-03-30 18:59 . 2010-03-30 18:59 503808 ----a-w- c:\documents and settings\Eric\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-3742d89b-n\msvcp71.dll
2010-03-30 18:59 . 2010-03-30 18:59 499712 ----a-w- c:\documents and settings\Eric\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-3742d89b-n\jmc.dll
2010-03-30 18:59 . 2010-03-30 18:59 348160 ----a-w- c:\documents and settings\Eric\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-3742d89b-n\msvcr71.dll
2010-03-30 18:59 . 2010-03-30 18:59 12800 ----a-w- c:\documents and settings\Eric\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-349c8116-n\decora-d3d.dll
2010-03-29 14:37 . 2010-03-29 14:37 38344 ----a-w- c:\windows\system32\drivers\CO_Mon.sys
2010-03-29 14:37 . 2010-03-29 14:37 58632 ----a-w- c:\documents and settings\Eric\Application Data\WholeSecurity\CAT\WSUIEE.exe
2010-03-29 14:36 . 2010-03-29 14:36 36939 ----a-w- c:\documents and settings\Eric\Application Data\Juniper Networks\setup\uninstall.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IDTSysTrayApp"="sttray.exe" [2007-09-06 405504]
"SigmatelSysTrayApp"="stsystra.exe" [2006-07-27 282624]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-06-01 2065248]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2010-05-11 1287120]
"@OnlineArmor GUI"="c:\program files\Tall Emu\Online Armor\oaui.exe" [2010-04-20 6678008]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2006-10-27 434528]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-3-3 113664]
VPN Client.lnk - c:\windows\Installer\{CCBAA1F7-E5E1-48B2-9ED9-A79C6A37CE78}\Icon3E5562ED7.ico [2009-4-30 6144]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2009-4-28 122880]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{4F07DA45-8170-4859-9B5F-037EF2970034}"= "c:\progra~1\TALLEM~1\ONLINE~1\oaevent.dll" [2010-04-20 925688]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-03-05 15:47 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3713959246-320310600-2471480639-1178\Scripts\Logon\0\0]
"Script"=logon.bat

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
"c:\\Program Files\\Common Files\\Microsoft Shared\\DevServer\\9.0\\WebDev.WebServer.EXE"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgam.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\Microsoft Expression\\Media 2\\Media.exe"=

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [4/3/2009 9:12 AM 52872]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [6/17/2010 12:10 PM 218592]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [4/3/2009 9:12 AM 216200]
R1 AvgTdiX;AVG Network Redirector;c:\windows\system32\drivers\avgtdix.sys [4/3/2009 9:12 AM 242896]
R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [6/18/2010 7:50 AM 228216]
R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [6/18/2010 7:50 AM 24440]
R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [6/18/2010 7:50 AM 29560]
R2 avg9emc;AVG E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [3/5/2010 10:47 AM 916760]
R2 avg9wd;AVG WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [3/5/2010 10:47 AM 308064]
R2 msftesql$SQLEXPRESS;SQL Server FullText Search (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe [6/22/2007 9:22 AM 95592]
R2 OAcat;Online Armor Helper Service;c:\program files\Tall Emu\Online Armor\oacat.exe [6/18/2010 7:50 AM 1284600]
R2 SvcOnlineArmor;Online Armor;c:\program files\Tall Emu\Online Armor\oasrv.exe [6/18/2010 7:50 AM 3364856]
S2 gupdate1c95cab836b518e;Google Update Service (gupdate1c95cab836b518e);c:\program files\Google\Update\GoogleUpdate.exe [12/12/2008 5:46 PM 133104]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [1/29/2010 3:36 AM 717296]
.
Contents of the 'Scheduled Tasks' folder

2010-06-21 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-12-07 10:55]

2010-06-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-12-12 11:34]

2010-06-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-12-12 11:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_2EC7709873947E87.dll/cmsidewiki.html
Trusted Zone: aig.com\na.connect
DPF: {3BA494B1-D507-4C11-9BDA-D47E1A65DFCF} - hxxps://na.connect.aig.com/llclient/Neoteris/winxp/,DanaInfo=10.249.14.102+AXXPEE.dll
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://na.connect.aig.com/dana-cached/sc/JuniperSetupClient.cab
FF - ProfilePath - c:\documents and settings\Eric\Application Data\Mozilla\Firefox\Profiles\y8rdhq3a.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-21 00:07
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\msftesql$SQLEXPRESS]
"ImagePath"=""c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe" -s:MSSQL.1 -f:SQLEXPRESS"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(616)
c:\windows\system32\CSGina.dll
.
Completion time: 2010-06-21 00:12:40
ComboFix-quarantined-files.txt 2010-06-21 05:12
ComboFix2.txt 2010-06-20 20:19

Pre-Run: 167,702,372,352 bytes free
Post-Run: 167,696,740,352 bytes free

- - End Of File - - EBA1C5E904842A9560510F8089A93926

Re: Another AV Security Suite infection

Hi,

I'm going to get someone else's opinion on this. Be back ASAP

Re: Another AV Security Suite infection

Hi again.

* Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe


  • Doubleclick the drweb-cureit.exe file and Allow to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, Click Options > Change settings
  • Choose the "Scan"-tab, remove the mark at "Heuristic analysis".
  • Back at the main window, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can click the next icon next to the files found: [image: Check]
  • If so, click it and then click the next icon right below and select Move incurable as you'll see in the next image:
    [image: Move]
    This will move it to the %userprofile%\DoctorWeb\quarantine folder if it can't be cured (in case we need samples).
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply.

Re: Another AV Security Suite infection

Hi Chris,

Scan finally finished... a couple of things.

When I first started the Full scan (after the express) the system rebooted on me. Told me ...

OA Crash dump, and a folder and filename of the dump file. I attempted to look at it with Notepad but it is not a text file. I of course can send it if needed.

Also when I rebooted (after Dr. Web) the PC ran a chkdsk process (completed successfully).

Dr. Web found one virus it cured. nothing else.

BTW, Dr. Web's screens have changed and a few of the steps above are not the same... FYI

Here are the contents of the csv file... Thanks again!

Eric


avgldx86.sys;C:\Qoobox\32788R22FWJFW;BackDoor.Tdss.2459;Cured.;

I cannot open the CureIt log file. I tried Notepad, WordPad, and Word. The file size is 331,959 KB (huge). Your thoughts...

The scan was large and took about 24 hours to complete. I can't remember the number of files, but close to 2 million I think (I scanned the external drive as well).
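A report of 331,959 KB is too large for Notepad or WordPad, but it is still just a semicolon-separated text file, so it can be read one row at a time. The following is an added example (not code from the thread or from Dr.Web) that streams a DrWeb.csv and keeps only the rows with a detection. It assumes the four-column layout `object;path;threat;action;` seen in the single line posted above, and assumes that every scanned object gets its own row with an empty threat field when nothing was found (which is how a 2-million-file scan produces a report of that size). The sample rows other than the real `BackDoor.Tdss.2459` line are constructed placeholders.

```python
"""Stream a large Dr.Web CureIt report (DrWeb.csv) and pull out only the rows
that matter, without loading the whole file into an editor.

Added example; not part of the thread or of Dr.Web's tools.
Assumed record layout (from the one line posted in the thread):
    object;path;threat;action;
Assumed as well: clean objects are listed too, with an empty threat field.
"""
import csv
import io
from typing import Dict, Iterable, List

FIELDS = ("object", "path", "threat", "action")

# Constructed sample report: the real detection from the thread plus three
# made-up rows (placeholder names, not real threats) to exercise the filter.
SAMPLE_REPORT = (
    "avgldx86.sys;C:\\Qoobox\\32788R22FWJFW;BackDoor.Tdss.2459;Cured.;\n"
    "ntoskrnl.exe;C:\\WINDOWS\\system32;;Ok;\n"
    "readme.txt;C:\\Documents and Settings\\Eric\\My Documents;;Ok;\n"
    "sample.tmp;C:\\Documents and Settings\\Eric\\Local Settings\\Temp;"
    "Example.Placeholder.Threat;Moved.;\n"
)


def triage_report(lines: Iterable[str]) -> Dict[str, object]:
    """Walk the report one row at a time; return counts plus the detections.

    Memory use is bounded by the number of detections, not by the file size,
    so a multi-hundred-megabyte report is fine.
    """
    total = 0
    detections: List[Dict[str, str]] = []
    by_action: Dict[str, int] = {}
    for row in csv.reader(lines, delimiter=";"):
        if len(row) < len(FIELDS):
            continue                      # blank or truncated line
        total += 1
        # The trailing ';' yields an extra empty column; keep only the first four.
        rec = dict(zip(FIELDS, (f.strip() for f in row[:len(FIELDS)])))
        if rec["threat"]:                 # empty threat field == clean object
            detections.append(rec)
            by_action[rec["action"]] = by_action.get(rec["action"], 0) + 1
    return {"rows": total, "detections": detections, "by_action": by_action}


def triage_text(text: str) -> Dict[str, object]:
    """Convenience wrapper for an in-memory report (used by the demo below)."""
    return triage_report(io.StringIO(text))


def triage_file(path: str, encoding: str = "cp1252") -> Dict[str, object]:
    """Open the report lazily; cp1252 is assumed for a US Windows XP locale."""
    with open(path, encoding=encoding, errors="replace", newline="") as fh:
        return triage_report(fh)


def format_summary(result: Dict[str, object]) -> str:
    """Render the triage result as the short text you would paste into a reply."""
    dets = result["detections"]
    out = [f"rows scanned: {result['rows']}, detections: {len(dets)}"]
    for rec in dets:
        out.append(f"  {rec['action']:<8} {rec['threat']:<28} "
                   f"{rec['path']}\\{rec['object']}")
    return "\n".join(out)


if __name__ == "__main__":
    print(format_summary(triage_text(SAMPLE_REPORT)))
```

On a real machine you would call `triage_file(r"C:\Documents and Settings\Eric\Desktop\DrWeb.csv")` and paste the output of `format_summary` into the reply, which is a few lines instead of 330 MB.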

Re: Another AV Security Suite infection

Hey Eric,

Thanks. Those instructions must be a bit dated. Anyway, the only thing it picked up was a file quarantined by combofix. Are things running any better now?

Re: Another AV Security Suite infection

Hi Chris,

You know, I have not been using the system much because I didn't want to do something that would taint any scan results.

In general the system is the same as before the last scan (where it found the last virus). The problem with the system going to the wrong internet page seems to be cleared up (with the small few tests I just tried).

It seems that I am able to re-install my audio and video drivers.

All of my favorites are still shortcuts (is there an application that would convert those back?).

So for the little I have used it and on the surface it seems ok.

What would be your next step for me to do?

On a side note, I have two other systems that don't seem to be infected but was wondering if I should run one or more of the applications that I ran on this system. Your thoughts?

Should I go ahead and start working on the "previously" infected system now?

Thanks again,

Eric

Re: Another AV Security Suite infection

A problem that still seems to be here is when I post to the forum and the screen comes back, I can't see the newest post. If I go into IE and delete my temp files then I see the updated posts.

Do you have any ideas what might cause this?

Eric

Re: Another AV Security Suite infection

A problem that still seems to be here is when I post to the forum and the screen comes back, I can't see the newest post. If I go into IE and delete my temp files then I see the updated posts.

Do you have any ideas what might cause this?


This might be a forum issue. I'll see what I can do

All of my favorites are still shortcuts (is there an application that would convert those back?).


What do you mean by shortcut? Do they take you to the site? What about when you add a new one?

On a side note, I have two other systems that don't seem to be infected but was wondering if I should run one or more of the applications that I ran on this system. Your thoughts?


We could check those machines in separate threads

Re: Another AV Security Suite infection

Hi Chris, Sorry I am not up on doing quotes.

Item 1 - I don't think it is your site because I bring up the forum on my other system and the new posts are always there. All I need to do is refresh the browser if it is already on your site.

Item 2 - The shortcuts are not Internet shortcuts but Explorer (file) shortcuts. The icon is a square box with the little squares inside, like a file. If you double click on them they do nothing. They have a file type of Internet Shortcut. It appears that they may NOT be associated with a browser (IE). I have been looking around at this since the last post but have not found anything.

Item 3 - Yes, once this thing settles down I would appreciate opening up an additional thread to handle the two other systems. Thank you.

I will continue to look for this association or whatever it is.

Thanks,

Eric

Re: Another AV Security Suite infection

I don't think it is your site because I bring up the forum on my other system and the new posts are always there. All I need to do is refresh the browser if it is already on your site.


Which browser does your issue occur in?

The shortcuts are not Internet shortcuts but Explorer (file) shortcuts. The icon is a square box with the little squares inside, like a file. If you double click on them they do nothing. They have a file type of Internet Shortcut. It appears that they may NOT be associated with a browser (IE). I have been looking around at this since the last post but have not found anything.


You might have to just re-create your favorites. I'll see if anyone else has some other ideas though.

As far as Malware goes, I think we're almost done here.


Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan

  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, you may close the window
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic

Re: Another AV Security Suite infection

Item 1
I am using IE 6 (I know, but I don't like 7 and 8). I do like Firefox but have not made the leap.

Item 2
When I create a new favorite it is the "wrong" type. I copied one of the bad links to my other system and it came up as an IE favorite and worked great.

So it is the way my "infected" system is looking at these files. Kinda like an association issue but I can't find how to associate these files. Still looking.

I will run the scan you requested and post the log file.

Eric

Re: Another AV Security Suite infection

I am using IE 6 (I know, but I don't like 7 and 8). I do like Firefox but have not made the leap.


Therein is likely the cause of your issues. IE7 and 8 include a multitude of Security updates to protect you from this kind of stuff. I strongly recommend updating when we're done here.


When I create a new favorite it is the "wrong" type. I copied one of the bad links to my other system and it came up as an IE favorite and worked great.

So it is the way my "infected" system is looking at these files. Kinda like an association issue but I can't find how to associate these files. Still looking.


They are all stored here c:\documents and settings\%userprofile%\favorites

If there's an association issue this will pick it up


Please download SREng

  • Extract it to Desktop and double click SREngLdr.EXE to run it
  • Select System Repair from the left pane.
  • Click on File Association
  • Select all entries that have an Error status and click [Repair]
  • Refer to this image for an example:
    [image: SystemRepair_FileAssocs]
  • In your case, it would be .EXE
  • Close SREng now.

Re: Another AV Security Suite infection

Hi Chris,

ESET found the same Trojan as before. Thanks for the link above. I may wait until this is all clean before I run it.

What do you think my next step is?

Eric

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=6.00.2900.5512 (xpsp.080413-2105)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=72df6bb2859a2249a1bb4db882f240d4
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-06-18 11:28:06
# local_time=2010-06-18 06:28:06 (-0600, Central Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=1029 16777213 100 98 0 19376246 0 0
# compatibility_mode=2560 16777215 100 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=254162
# found=1
# cleaned=1
# scan_time=8041
C:\Documents and Settings\Eric\Local Settings\Application Data\ukcpenhtj\oengniu.exe a variant of Win32/Kryptik.ETK trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
# version=7
# iexplore.exe=6.00.2900.5512 (xpsp.080413-2105)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=72df6bb2859a2249a1bb4db882f240d4
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-06-23 01:22:11
# local_time=2010-06-22 08:22:11 (-0600, Central Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=1029 16777213 100 98 0 19759158 0 0
# compatibility_mode=2560 16777215 100 0 0 0 0 0
# compatibility_mode=6401 16777213 66 100 0 4557229 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=917188
# found=0
# cleaned=0
# scan_time=20774
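The ESET log above contains two complete scan sessions, each starting at a `# version=7` line: the 2010-06-18 run with `# found=1` and its detection line, and the 2010-06-23 run with `# found=0`. The scanner appends to the same `log.txt`, so an old detection stays in the file after a later clean run. As an added example (not code from the thread or from ESET), the parser below splits the file into sessions, reads the `# key=value` counters, parses each detection line into path, detection name, action and digest, and cross-checks the `# found` counter against the detection lines actually present. The format is inferred from the posted log only; the detection-line split relies on the ESET family token (for example `Win32/Kryptik.ETK`) containing a `/`, which a Windows path never does. The sample is a trimmed copy of the two sessions above.

```python
"""Split an ESET Online Scanner log.txt into its scan sessions and check each.

Added example; not part of the thread or of ESET's tooling. The format is
inferred from the log posted in the thread:
  * a session starts at a '# version=' line,
  * '# key=value' lines hold settings and counters,
  * any other line inside a session is a detection record shaped like
        <path> <detection name> (<action>) <32 hex digits> <flag>
"""
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, List

# Trimmed copy of the two sessions posted in the thread; the digest is
# written out as 32 zeros exactly as the scanner printed it.
SAMPLE_LOG = "\n".join([
    "ESETSmartInstaller@High as CAB hook log:",
    "OnlineScanner.ocx - registred OK",
    "# version=7",
    "# end=finished",
    "# remove_checked=true",
    "# utc_time=2010-06-18 11:28:06",
    "# compatibility_mode=1029 16777213 100 98 0 19376246 0 0",
    "# scanned=254162",
    "# found=1",
    "# cleaned=1",
    "# scan_time=8041",
    r"C:\Documents and Settings\Eric\Local Settings\Application Data\ukcpenhtj\oengniu.exe"
    " a variant of Win32/Kryptik.ETK trojan (cleaned by deleting - quarantined) "
    + "0" * 32 + " C",
    "# version=7",
    "# end=finished",
    "# remove_checked=true",
    "# utc_time=2010-06-23 01:22:11",
    "# scanned=917188",
    "# found=0",
    "# cleaned=0",
    "# scan_time=20774",
])

# The ESET name starts with an optional qualifier and a family token that
# always contains '/', which separates it from the (space-containing) path.
DETECTION_RE = re.compile(
    r"^(?P<path>.*?) "
    r"(?P<name>(?:probably )?(?:a variant of )?\S+/\S+.*?) "
    r"\((?P<action>[^()]*)\) "
    r"(?P<digest>[0-9A-Fa-f]{32}) "
    r"(?P<flag>\S+)$"
)


@dataclass
class Detection:
    path: str
    name: str
    action: str
    digest: str


@dataclass
class Session:
    settings: Dict[str, str] = field(default_factory=dict)
    detections: List[Detection] = field(default_factory=list)
    unparsed: List[str] = field(default_factory=list)   # never drop lines silently

    def counter(self, key: str) -> int:
        """Numeric '# key=' value, or -1 when the session lacks it."""
        try:
            return int(self.settings[key])
        except (KeyError, ValueError):
            return -1

    def consistent(self) -> bool:
        """True when '# found' matches the detection lines actually logged."""
        return self.counter("found") == len(self.detections)


def parse_sessions(lines: Iterable[str]) -> List[Session]:
    sessions: List[Session] = []
    current = None
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("# "):
            key, _, value = line[2:].partition("=")
            if key == "version":                 # a new scan run begins here
                current = Session()
                sessions.append(current)
            if current is not None and key != "compatibility_mode":
                current.settings[key] = value
        elif current is not None:                # installer banner lines precede
            m = DETECTION_RE.match(line)         # the first session and are skipped
            if m:
                current.detections.append(
                    Detection(m["path"], m["name"], m["action"], m["digest"]))
            else:
                current.unparsed.append(line)
    return sessions


def parse_text(text: str) -> List[Session]:
    return parse_sessions(text.splitlines())


def latest_session(sessions: List[Session]) -> Session:
    """Most recent run by utc_time; the file is append-only but don't rely on order."""
    return max(sessions, key=lambda s: s.settings.get("utc_time", ""))


if __name__ == "__main__":
    for i, s in enumerate(parse_text(SAMPLE_LOG), 1):
        print(f"session {i}: {s.settings.get('utc_time')} scanned={s.counter('scanned')} "
              f"found={s.counter('found')} consistent={s.consistent()}")
        for d in s.detections:
            print(f"  {d.name} -> {d.action}: {d.path}")
```

Reading the real file is `parse_sessions(open(r"C:\Program Files\EsetOnlineScanner\log.txt", encoding="cp1252"))`; `latest_session(...)` then gives the run that actually reflects the machine's current state, and `unparsed` holds anything the regex did not recognise so a new line shape is noticed rather than lost.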

Re: Another AV Security Suite infection

Hi grasshopper,

That's odd. We deleted that folder a couple pages ago

Anyway, using Windows Explorer see if you can navigate to the following folder


C:\Documents and Settings\Eric\Local Settings\Application Data\ukcpenhtj\

Once there, please delete it
======

Did you run SReng to check for a file associations issue on those favorites links?

Re: Another AV Security Suite infection

Hi Chris, Deleted folder above.

Ran System Repair Engineer. Found one error, .CHM. Rebooted. Still have problems with internet shortcut associations.

System Repair Engineer keeps displaying a blue box with a Warning "reminding me that following functions have modified to abnormal values by unknown reasons

Entrypoint Error LoadLibraryExW
EntryPoint Error: FreeLibrary"

I click on details it lists the two entries

I attempt to fix but they don't go away... even after rebooting.

Any ideas?

Thanks again,

Eric

Re: Another AV Security Suite infection

Hi Eric,

I'm talking to a few colleagues of mine, trying to get a "meeting of the minds". For now, could you try this please?

http://www.malwarehelp.org/how-to-reset-internet-explorer-6-to.html

Re: Another AV Security Suite infection

Hey Chris....

First spot of sunshine. My Internet shortcuts are working now. WOW that is a relief!!!!

Thanks so much.

I scanned using ESET last night and was clean. Is there anything else I should run?

If not, should I run ESET (or something else) in the evenings to confirm the Trojan has not come back?

Eric

Re: Another AV Security Suite infection

WOOHOO!! Hooray!

I'm pretty confident you're clean but give it a day or so, and if you experience any more errors like in your first post please let me know.

If not, we'll just do some cleanup and you can be on your way with a clean machine

Re: Another AV Security Suite infection

Thanks Chris,

One last thing. I have Online Armor running and I went to a site (employment site) that I for the most part trust. It popped up wanting me to allow access to

C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_wp.exe

I thought why would they need that and I blocked it. Now I have left the site and have only email and explorer up (now ie explorer as well) and I keep getting an information bubble (from the tray) with this information

aspnet_wp.exe, 1.1.4322.2463, (1.1.4322.2463)
C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_wp.exe
Hash(MD5): 44EB2854E8A23A72BEAB9DAAB1A6E0CF

Can you shed some light on this? Should I allow it?

Thanks,

Eric

Lastly, we had talked about me scanning the other two systems I have. Is there a first step that I could do and if it finds anything then I will open another thread?


Re: Another AV Security Suite infection

Hi Eric,

That's a legitimate file. You can safely allow it :) As for your other two machines, if you read the link in my signature entitled Pre-Posting Instructions that will guide you through the proper steps to get things rolling. Please create separate threads for the two machines so we can fix one in one thread and one in the other. I'll keep an eye out for them and if I'm not beaten to it by one of the other staff I'll guide you through the removal process in those two threads. You've been a pleasure to work with so far.

Re: Another AV Security Suite infection

Thanks Chris,

I will look at the link Friday. I thank you and enjoyed working with you as well!!!

Eric
