WiredWX Hobby Weather ToolsLog in

 


Another AV Security Suite infection

2 posters

descriptionSolvedAnother AV Security Suite infection

more_horiz
Hi Folks, Well I am another victim of the AV Security Suite infection.

To recap what I have done over night. I have a registered copy of AVG antivirus installed.

I has full scanned the system twice using Malware with the newest update. Both time is found things that it needed to remove. I removed them of course. However the icon in the tray and popups contnued. I then ran the Online scanner fromeset.com and that found the Kryptik.ETK trojan. After a reboot the AV Security Suite tray icon and the popup stopped.

I thought I was out of the woods... My internet for IE didn't work but the FireFox did. I looked at the settings in Tool, Internet Options, Connections, LAN Settings and noticed that the two top boxes were not checked but both proxy server boxes were (no address or port values). I looked at another system of mine and nothing was check so I unchecked them all and IE cam up fine.

I then took the advise of those on this board and I installed SpywareBlaster and Armor Firewall. Everything was looking good...

I then noticed that my Audio drivers were not installed and when I went to the internet to search for a possible solution the pages that were displayed were not the pages I clicked on. I had read in a forum that this happened to someone else.

I then decided (against the advice of the ComboFix site) toinstall and run ComboFix since it seemed to be the first thing that is asked for. Although it took a number of reboots, it completed and the Log file is below.

I would appreciate any help ya'll could provide me. I am still not out of the woods but I tried as much as I could.

Thank you very much.

Eric

ComboFix 10-06-17.02 - Eric 06/18/2010 10:03:42.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1982.1444 [GMT -5]
Running from: c:\downloads\ComboFix\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Eric\Recent\Thumbs.db
C:\Thumbs.db
c:\windows\system32\images
c:\windows\system32\images\toolbar\calendar.gif
c:\windows\system32\images\toolbar\crlogo.gif
c:\windows\system32\images\toolbar\export.gif
c:\windows\system32\images\toolbar\export_over.gif
c:\windows\system32\images\toolbar\exportd.gif
c:\windows\system32\images\toolbar\First.gif
c:\windows\system32\images\toolbar\first_over.gif
c:\windows\system32\images\toolbar\Firstd.gif
c:\windows\system32\images\toolbar\gotopage.gif
c:\windows\system32\images\toolbar\gotopage_over.gif
c:\windows\system32\images\toolbar\gotopaged.gif
c:\windows\system32\images\toolbar\grouptree.gif
c:\windows\system32\images\toolbar\grouptree_over.gif
c:\windows\system32\images\toolbar\grouptreed.gif
c:\windows\system32\images\toolbar\grouptreepressed.gif
c:\windows\system32\images\toolbar\Last.gif
c:\windows\system32\images\toolbar\last_over.gif
c:\windows\system32\images\toolbar\Lastd.gif
c:\windows\system32\images\toolbar\Next.gif
c:\windows\system32\images\toolbar\next_over.gif
c:\windows\system32\images\toolbar\Nextd.gif
c:\windows\system32\images\toolbar\Prev.gif
c:\windows\system32\images\toolbar\prev_over.gif
c:\windows\system32\images\toolbar\Prevd.gif
c:\windows\system32\images\toolbar\print.gif
c:\windows\system32\images\toolbar\print_over.gif
c:\windows\system32\images\toolbar\printd.gif
c:\windows\system32\images\toolbar\Refresh.gif
c:\windows\system32\images\toolbar\refresh_over.gif
c:\windows\system32\images\toolbar\refreshd.gif
c:\windows\system32\images\toolbar\Search.gif
c:\windows\system32\images\toolbar\search_over.gif
c:\windows\system32\images\toolbar\searchd.gif
c:\windows\system32\images\toolbar\up.gif
c:\windows\system32\images\toolbar\up_over.gif
c:\windows\system32\images\toolbar\upd.gif
c:\windows\system32\images\tree\begindots.gif
c:\windows\system32\images\tree\beginminus.gif
c:\windows\system32\images\tree\beginplus.gif
c:\windows\system32\images\tree\blank.gif
c:\windows\system32\images\tree\blankdots.gif
c:\windows\system32\images\tree\dots.gif
c:\windows\system32\images\tree\lastdots.gif
c:\windows\system32\images\tree\lastminus.gif
c:\windows\system32\images\tree\lastplus.gif
c:\windows\system32\images\tree\Magnify.gif
c:\windows\system32\images\tree\minus.gif
c:\windows\system32\images\tree\minusbox.gif
c:\windows\system32\images\tree\plus.gif
c:\windows\system32\images\tree\plusbox.gif
c:\windows\system32\images\tree\singleminus.gif
c:\windows\system32\images\tree\singleplus.gif
c:\windows\system32\Thumbs.db
c:\windows\system32\win.com

.
((((((((((((((((((((((((( Files Created from 2010-05-18 to 2010-06-18 )))))))))))))))))))))))))))))))
.

2010-06-18 12:50 . 2010-06-18 13:17 -------- d-----w- c:\documents and settings\All Users\Application Data\OnlineArmor
2010-06-18 12:50 . 2010-06-18 12:50 -------- d-----w- c:\documents and settings\Eric\Application Data\OnlineArmor
2010-06-18 12:50 . 2010-04-20 09:13 24440 ----a-w- c:\windows\system32\drivers\OAmon.sys
2010-06-18 12:50 . 2010-04-20 09:13 29560 ----a-w- c:\windows\system32\drivers\OAnet.sys
2010-06-18 12:50 . 2010-04-20 09:13 228216 ----a-w- c:\windows\system32\drivers\OADriver.sys
2010-06-18 12:50 . 2010-06-18 12:50 -------- d-----w- c:\program files\Tall Emu
2010-06-18 12:46 . 2010-06-18 12:46 -------- d-----w- c:\program files\SpywareBlaster
2010-06-18 09:11 . 2010-06-18 09:11 -------- d-----w- c:\program files\ESET
2010-06-18 04:25 . 2010-06-18 04:25 -------- d-s---w- c:\documents and settings\NetworkService\UserData
2010-06-17 17:10 . 2010-02-05 14:17 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2010-06-17 17:10 . 2010-03-29 15:06 218592 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-06-17 17:10 . 2009-11-23 18:54 88040 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2010-06-17 17:10 . 2010-04-08 19:29 63360 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-06-17 17:10 . 2010-06-17 17:10 -------- d-----w- c:\program files\Common Files\PC Tools
2010-06-17 17:10 . 2010-06-17 17:10 -------- d-----w- c:\documents and settings\Eric\Application Data\PC Tools
2010-06-17 17:10 . 2010-06-17 17:10 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2010-06-17 17:10 . 2010-06-17 17:10 -------- d-----w- c:\program files\Spyware Doctor
2010-06-17 15:53 . 2010-06-18 10:09 -------- d-----w- c:\documents and settings\Eric\Local Settings\Application Data\ukcpenhtj
2010-06-17 14:32 . 2010-06-17 14:32 -------- d-----w- c:\program files\Voxengo
2010-06-17 12:01 . 2010-06-17 12:01 -------- d-----w- c:\program files\Audacity
2010-06-14 10:28 . 1993-07-23 05:00 210944 ----a-w- c:\windows\system32\Msvcrt10.dll
2010-06-14 10:27 . 1999-10-22 06:11 52736 ----a-w- c:\windows\system32\Pdfshell.dll
2010-06-14 10:25 . 1998-10-29 20:45 306688 ----a-w- c:\windows\IsUninst.exe
2010-06-08 08:03 . 2010-06-08 08:03 -------- d-----w- c:\windows\SQLTools9_KB970892_ENU
2010-06-08 08:01 . 2010-06-08 08:01 -------- d-----w- c:\windows\SQL9_KB970892_ENU
2010-06-07 15:38 . 2010-06-07 15:38 3584 ----a-r- c:\documents and settings\Eric\Application Data\Microsoft\Installer\{121634B0-2F4B-11D3-ADA3-00C04F52DD52}\Icon386ED4E3.exe
2010-06-07 15:38 . 2010-06-07 15:38 -------- d-----w- c:\program files\Windows Installer Clean Up
2010-06-07 14:40 . 2010-06-07 15:37 -------- d-----w- c:\program files\MSECACHE
2010-06-07 12:13 . 2010-06-07 12:13 -------- d-----w- c:\documents and settings\Eric\Local Settings\Application Data\Irony
2010-06-01 13:43 . 2010-06-01 13:43 29512 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgmfx86.sys
2010-06-01 13:43 . 2010-06-01 13:43 242896 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys
2010-05-25 02:27 . 2010-05-25 02:27 61440 ----a-w- c:\documents and settings\Eric\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-439fdc55-n\decora-sse.dll
2010-05-25 02:27 . 2010-05-25 02:27 503808 ----a-w- c:\documents and settings\Eric\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-26bf0192-n\msvcp71.dll
2010-05-25 02:27 . 2010-05-25 02:27 499712 ----a-w- c:\documents and settings\Eric\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-26bf0192-n\jmc.dll
2010-05-25 02:27 . 2010-05-25 02:27 348160 ----a-w- c:\documents and settings\Eric\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-26bf0192-n\msvcr71.dll
2010-05-25 02:27 . 2010-05-25 02:27 12800 ----a-w- c:\documents and settings\Eric\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-439fdc55-n\decora-d3d.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-18 14:55 . 2009-10-25 23:59 -------- d---a-w- c:\documents and settings\All Users\Application Data\Temp
2010-06-18 04:47 . 2008-12-07 16:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-06-17 17:32 . 2009-10-28 13:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-17 16:55 . 2009-08-08 09:49 -------- d-----w- c:\program files\Free Offers from Freeze.com
2010-06-17 15:52 . 2008-12-07 16:46 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-06-15 18:29 . 2008-12-13 23:49 -------- d-----w- c:\program files\Common Files\Adobe
2010-06-14 16:06 . 2008-11-16 13:22 70696 ----a-w- c:\documents and settings\Eric\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-14 10:22 . 2010-02-03 09:43 -------- d-----w- c:\program files\Free Easy Burner
2010-06-11 08:12 . 2008-11-16 13:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-06-08 08:03 . 2008-11-16 13:51 -------- d-----w- c:\program files\Microsoft SQL Server
2010-06-07 15:45 . 2008-11-16 13:07 -------- d-----w- c:\program files\Microsoft.NET
2010-06-07 13:38 . 2008-11-16 14:55 -------- d-----w- c:\program files\Microsoft Visual Studio 8
2010-06-07 13:26 . 2009-04-15 19:28 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-01 13:43 . 2009-04-03 14:12 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-06-01 13:43 . 2008-11-16 17:23 29584 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-05-17 14:31 . 2010-05-17 14:31 -------- d--h--w- c:\documents and settings\All Users\Application Data\CanonBJ
2010-05-15 13:50 . 2008-12-07 16:45 -------- d-----w- c:\program files\Google
2010-05-02 05:22 . 2003-03-31 12:00 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-29 20:39 . 2009-10-28 13:31 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 20:39 . 2009-10-28 13:31 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-20 05:30 . 2003-03-31 12:00 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-16 16:09 . 2003-03-31 12:00 667136 ----a-w- c:\windows\system32\wininet.dll
2010-04-16 16:09 . 2004-08-04 07:56 81920 ------w- c:\windows\system32\ieencode.dll
2010-04-05 17:44 . 2010-03-04 13:28 4846 ----a-r- c:\documents and settings\Eric\Application Data\Microsoft\Installer\{FCD7C22E-06CE-4F29-8CCD-55A7B4D0B087}\_5B1774D2E3075CCF328EDA.exe
2010-04-05 17:44 . 2010-03-04 13:28 4710 ----a-r- c:\documents and settings\Eric\Application Data\Microsoft\Installer\{FCD7C22E-06CE-4F29-8CCD-55A7B4D0B087}\_E3DB97A5850DBC128D7B65.exe
2010-04-05 17:44 . 2010-03-04 13:28 4710 ----a-r- c:\documents and settings\Eric\Application Data\Microsoft\Installer\{FCD7C22E-06CE-4F29-8CCD-55A7B4D0B087}\_8E66822E457E550010289E.exe
2010-04-05 17:44 . 2010-03-04 13:28 4710 ----a-r- c:\documents and settings\Eric\Application Data\Microsoft\Installer\{FCD7C22E-06CE-4F29-8CCD-55A7B4D0B087}\_60FA5A9483A6EBA443B57C.exe
2010-04-05 17:44 . 2010-03-04 13:28 4710 ----a-r- c:\documents and settings\Eric\Application Data\Microsoft\Installer\{FCD7C22E-06CE-4F29-8CCD-55A7B4D0B087}\_4CAAF08408C8FEDDEDE6F6.exe
2010-04-05 17:44 . 2010-03-04 13:28 4846 ----a-r- c:\documents and settings\Eric\Application Data\Microsoft\Installer\{FCD7C22E-06CE-4F29-8CCD-55A7B4D0B087}\_12DBA35940918FB93254F3.exe
2010-04-05 17:44 . 2010-03-04 13:28 4710 ----a-r- c:\documents and settings\Eric\Application Data\Microsoft\Installer\{FCD7C22E-06CE-4F29-8CCD-55A7B4D0B087}\_F6DB2D7CC108D7C7EC0674.exe
2010-04-05 17:44 . 2010-03-04 13:28 4710 ----a-r- c:\documents and settings\Eric\Application Data\Microsoft\Installer\{FCD7C22E-06CE-4F29-8CCD-55A7B4D0B087}\_23898BB06D60197612CEBF.exe
2010-04-05 17:44 . 2010-03-04 13:28 4846 ----a-r- c:\documents and settings\Eric\Application Data\Microsoft\Installer\{FCD7C22E-06CE-4F29-8CCD-55A7B4D0B087}\_DAFD234B6DD27FDD55C9DB.exe
2010-04-05 17:44 . 2010-03-04 13:28 4710 ----a-r- c:\documents and settings\Eric\Application Data\Microsoft\Installer\{FCD7C22E-06CE-4F29-8CCD-55A7B4D0B087}\_F38630FC83CCA1F7DDDF3B.exe
2010-04-05 17:44 . 2010-03-04 13:28 4710 ----a-r- c:\documents and settings\Eric\Application Data\Microsoft\Installer\{FCD7C22E-06CE-4F29-8CCD-55A7B4D0B087}\_152E1AB519A70F234DA294.exe
2010-04-05 17:44 . 2010-03-04 13:28 1078 ----a-r- c:\documents and settings\Eric\Application Data\Microsoft\Installer\{FCD7C22E-06CE-4F29-8CCD-55A7B4D0B087}\_6FEFF9B68218417F98F549.exe
2010-03-30 18:59 . 2010-03-30 18:59 61440 ----a-w- c:\documents and settings\Eric\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-349c8116-n\decora-sse.dll
2010-03-30 18:59 . 2010-03-30 18:59 503808 ----a-w- c:\documents and settings\Eric\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-3742d89b-n\msvcp71.dll
2010-03-30 18:59 . 2010-03-30 18:59 499712 ----a-w- c:\documents and settings\Eric\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-3742d89b-n\jmc.dll
2010-03-30 18:59 . 2010-03-30 18:59 348160 ----a-w- c:\documents and settings\Eric\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-3742d89b-n\msvcr71.dll
2010-03-30 18:59 . 2010-03-30 18:59 12800 ----a-w- c:\documents and settings\Eric\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-349c8116-n\decora-d3d.dll
2010-03-29 14:37 . 2010-03-29 14:37 38344 ----a-w- c:\windows\system32\drivers\CO_Mon.sys
2010-03-29 14:37 . 2010-03-29 14:37 58632 ----a-w- c:\documents and settings\Eric\Application Data\WholeSecurity\CAT\WSUIEE.exe
2010-03-29 14:36 . 2010-03-29 14:36 36939 ----a-w- c:\documents and settings\Eric\Application Data\Juniper Networks\setup\uninstall.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-12-07 39408]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IDTSysTrayApp"="sttray.exe" [2007-09-06 405504]
"SigmatelSysTrayApp"="stsystra.exe" [2006-07-27 282624]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-06-01 2065248]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2010-05-11 1287120]
"@OnlineArmor GUI"="c:\program files\Tall Emu\Online Armor\oaui.exe" [2010-04-20 6678008]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2006-10-27 434528]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-3-3 113664]
VPN Client.lnk - c:\windows\Installer\{CCBAA1F7-E5E1-48B2-9ED9-A79C6A37CE78}\Icon3E5562ED7.ico [2009-4-30 6144]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2009-4-28 122880]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{4F07DA45-8170-4859-9B5F-037EF2970034}"= "c:\progra~1\TALLEM~1\ONLINE~1\oaevent.dll" [2010-04-20 925688]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-03-05 15:47 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3713959246-320310600-2471480639-1178\scripts\Logon\0\0]
"script"=logon.bat

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
"c:\\Program Files\\Common Files\\Microsoft Shared\\DevServer\\9.0\\WebDev.WebServer.EXE"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgam.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\Microsoft Expression\\Media 2\\ Media.exe"=

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [4/3/2009 9:12 AM 52872]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [6/17/2010 12:10 PM 218592]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [4/3/2009 9:12 AM 216200]
R1 AvgTdiX;AVG Network Redirector;c:\windows\system32\drivers\avgtdix.sys [4/3/2009 9:12 AM 242896]
R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [6/18/2010 7:50 AM 228216]
R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [6/18/2010 7:50 AM 24440]
R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [6/18/2010 7:50 AM 29560]
R2 avg9emc;AVG E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [3/5/2010 10:47 AM 916760]
R2 avg9wd;AVG WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [3/5/2010 10:47 AM 308064]
R2 msftesql$SQLEXPRESS;SQL Server FullText Search (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe [6/22/2007 9:22 AM 95592]
R2 OAcat;Online Armor Helper Service;c:\program files\Tall Emu\Online Armor\oacat.exe [6/18/2010 7:50 AM 1284600]
R2 SvcOnlineArmor;Online Armor;c:\program files\Tall Emu\Online Armor\oasrv.exe [6/18/2010 7:50 AM 3364856]
S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [1/29/2010 3:36 AM 717296]
S2 gupdate1c95cab836b518e;Google Update Service (gupdate1c95cab836b518e);c:\program files\Google\Update\GoogleUpdate.exe [12/12/2008 5:46 PM 133104]
.
Contents of the 'Scheduled Tasks' folder

2010-06-18 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-12-07 10:55]

2010-06-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-12-12 11:34]

2010-06-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-12-12 11:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyServer = http=127.0.0.1:1038
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_2EC7709873947E87.dll/cmsidewiki.html
Trusted Zone: aig.com\na.connect
DPF: {3BA494B1-D507-4C11-9BDA-D47E1A65DFCF} - hxxps://na.connect.aig.com/llclient/Neoteris/winxp/,DanaInfo=10.249.14.102+AXXPEE.dll
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://na.connect.aig.com/dana-cached/sc/JuniperSetupClient.cab
FF - ProfilePath - c:\documents and settings\Eric\Application Data\Mozilla\Firefox\Profiles\y8rdhq3a.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-18 10:19
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\msftesql$SQLEXPRESS]
"ImagePath"=""c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe" -s:MSSQL.1 -f:SQLEXPRESS"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(612)
c:\windows\system32\CSGina.dll
.
Completion time: 2010-06-18 10:23:36
ComboFix-quarantined-files.txt 2010-06-18 15:23

Pre-Run: 167,228,624,896 bytes free
Post-Run: 168,004,136,960 bytes free

- - End Of File - - 55F387BB9CA730721894D3591907FC22

descriptionSolvedRe: Another AV Security Suite infection

more_horiz
Hi User,

Welcome to GeekPolice Forums! I'm Crush but, you can call me Chris too Smile... and I will be helping you with your Malware issues.

A few things to keep in mind as we progress:

1. We are all volunteer staff here so we log in and assess threads when real life, work, family, and other obligations permit. Additionally, we are located all over the world. There may be a bit of a time delay due to this.

2. Malware Removal threads are very time intensive. Each entry must be researched until it can be said with 100% certainty whether or not it can stay or needs to be removed. Sometimes additional work is needed to weed out suspect entries

3. This may turn into a long ordeal but, rest assured we will stay with you until you are completely disinfected.

4. Only Tech Officers, Global Moderators, Administrators, and Malware Advisors are allowed to give advice on removing malware from your computer. Do not run any tools unless specifically asked to by a member of one of these usergroups

5. If you are not the original poster of this thread DO NOT run any fixes given to the poster in this thread. They are all custom tailored specifically to this user. It could prove to be disastrous.

6. Please keep responding until I give you the "All Clear". Absence of symptoms does not mean that everything is clear.

7. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.

8. If you have any questions or issues please stop and ask! We are all here to help.

IMPORTANT: Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

Because of this, I advise you to backup any personal files and folders before you start.


If you follow these instructions, everything should go smoothly Smile....

Please subscribe to this thread to get immediate notification of replies as soon as they are posted.

To do this click Another AV Security Suite infection Profil11 , then click Preferences. Make sure Always notify me of replies is set to Yes

With that out of the way:

ComboFix should not be run without the guidance of a helper!

It is a powerful tool and is intended by its creator to be used under the guidance and supervision of an expert", NOT for private or regular use.

See ComboFix's Disclaimer

Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.

Please refer to this thread for more information on why you shouldn't use ComboFix without supervision of a trained expert: http://www.bleepingcomputer.com/forums/topic273628.html
======

Another AV Security Suite infection Bf_new Please download Malwarebytes Anti-Malware from Malwarebytes.org.
Alternate link: BleepingComputer.com.
(Note: if you already have the program installed, just follow the directions. No need to re-download or re-install!)

Double Click mbam-setup.exe to install the application.

(Note: if you already have the program installed, open Malwarebytes from the Start Menu or Desktop shortcut, click the Update tab, and click Check for Updates, before doing the scan as instructed below!)

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform Full Scan, then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. If you are prompted to restart, please allow it to restart your computer. Failure to do this, will cause the infection to still be active on the computer.
  • Please save the log to a location you will remember.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • The log can also be found at C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Copy and paste the entire report in your next reply.

descriptionSolvedRe: Another AV Security Suite infection

more_horiz
Hi Chris, Thank you so much for your help. Files are backed up to an external drive. My questions is do I need to scan that drive as well? I expect I will eventually. Updated and ran Malware. Log is below.

Thanks again!!! eric

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4213

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

6/19/2010 1:21:18 AM
mbam-log-2010-06-19 (01-21-18).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 536239
Time elapsed: 6 hour(s), 12 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

descriptionSolvedRe: Another AV Security Suite infection

more_horiz
Hi Chris, Thank you so much for your help. Files are backed up to an external drive. My questions is do I need to scan that drive as well? I expect I will eventually. Updated and ran Malware. Log is below.


Yes, please do. Can I see a fresh Combofix log as well please?

descriptionSolvedRe: Another AV Security Suite infection

more_horiz
Hi Chris, I will Malware scan my external drive. Below is the newest ComboFix run.

Another byproduct is In IE I can no longer click on a favorite to go there. IE ignorse the click. I can type in the URL and it works. Just an FYI.

ComboFix 10-06-19.03 - Eric 06/20/2010 7:25.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1982.1453 [GMT -5:00]
Running from: c:\downloads\ComboFix\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Eric\Recent\Thumbs.db
C:\Thumbs.db

.
((((((((((((((((((((((((( Files Created from 2010-05-20 to 2010-06-20 )))))))))))))))))))))))))))))))
.

2010-06-18 12:50 . 2010-06-18 13:17 -------- d-----w- c:\documents and settings\All Users\Application Data\OnlineArmor
2010-06-18 12:50 . 2010-06-18 12:50 -------- d-----w- c:\documents and settings\Eric\Application Data\OnlineArmor
2010-06-18 12:50 . 2010-04-20 09:13 24440 ----a-w- c:\windows\system32\drivers\OAmon.sys
2010-06-18 12:50 . 2010-04-20 09:13 29560 ----a-w- c:\windows\system32\drivers\OAnet.sys
2010-06-18 12:50 . 2010-04-20 09:13 228216 ----a-w- c:\windows\system32\drivers\OADriver.sys
2010-06-18 12:50 . 2010-06-18 12:50 -------- d-----w- c:\program files\Tall Emu
2010-06-18 12:46 . 2010-06-18 12:46 -------- d-----w- c:\program files\SpywareBlaster
2010-06-18 09:11 . 2010-06-18 09:11 -------- d-----w- c:\program files\ESET
2010-06-18 04:25 . 2010-06-18 04:25 -------- d-s---w- c:\documents and settings\NetworkService\UserData
2010-06-17 17:10 . 2010-02-05 14:17 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2010-06-17 17:10 . 2010-03-29 15:06 218592 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-06-17 17:10 . 2009-11-23 18:54 88040 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2010-06-17 17:10 . 2010-04-08 19:29 63360 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-06-17 17:10 . 2010-06-17 17:10 -------- d-----w- c:\program files\Common Files\PC Tools
2010-06-17 17:10 . 2010-06-17 17:10 -------- d-----w- c:\documents and settings\Eric\Application Data\PC Tools
2010-06-17 17:10 . 2010-06-17 17:10 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2010-06-17 17:10 . 2010-06-17 17:10 -------- d-----w- c:\program files\Spyware Doctor
2010-06-17 15:53 . 2010-06-18 10:09 -------- d-----w- c:\documents and settings\Eric\Local Settings\Application Data\ukcpenhtj
2010-06-17 14:32 . 2010-06-17 14:32 -------- d-----w- c:\program files\Voxengo
2010-06-17 12:01 . 2010-06-17 12:01 -------- d-----w- c:\program files\Audacity
2010-06-14 10:28 . 1993-07-23 05:00 210944 ----a-w- c:\windows\system32\Msvcrt10.dll
2010-06-14 10:27 . 1999-10-22 06:11 52736 ----a-w- c:\windows\system32\Pdfshell.dll
2010-06-14 10:25 . 1998-10-29 20:45 306688 ----a-w- c:\windows\IsUninst.exe
2010-06-08 08:03 . 2010-06-08 08:03 -------- d-----w- c:\windows\SQLTools9_KB970892_ENU
2010-06-08 08:01 . 2010-06-08 08:01 -------- d-----w- c:\windows\SQL9_KB970892_ENU
2010-06-07 15:38 . 2010-06-07 15:38 3584 ----a-r- c:\documents and settings\Eric\Application Data\Microsoft\Installer\{121634B0-2F4B-11D3-ADA3-00C04F52DD52}\Icon386ED4E3.exe
2010-06-07 15:38 . 2010-06-07 15:38 -------- d-----w- c:\program files\Windows Installer Clean Up
2010-06-07 14:40 . 2010-06-07 15:37 -------- d-----w- c:\program files\MSECACHE
2010-06-07 12:13 . 2010-06-07 12:13 -------- d-----w- c:\documents and settings\Eric\Local Settings\Application Data\Irony
2010-06-01 13:43 . 2010-06-01 13:43 29512 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgmfx86.sys
2010-06-01 13:43 . 2010-06-01 13:43 242896 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys
2010-05-25 02:27 . 2010-05-25 02:27 61440 ----a-w- c:\documents and settings\Eric\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-439fdc55-n\decora-sse.dll
2010-05-25 02:27 . 2010-05-25 02:27 503808 ----a-w- c:\documents and settings\Eric\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-26bf0192-n\msvcp71.dll
2010-05-25 02:27 . 2010-05-25 02:27 499712 ----a-w- c:\documents and settings\Eric\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-26bf0192-n\jmc.dll
2010-05-25 02:27 . 2010-05-25 02:27 348160 ----a-w- c:\documents and settings\Eric\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-26bf0192-n\msvcr71.dll
2010-05-25 02:27 . 2010-05-25 02:27 12800 ----a-w- c:\documents and settings\Eric\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-439fdc55-n\decora-d3d.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-20 12:17 . 2009-10-25 23:59 -------- d---a-w- c:\documents and settings\All Users\Application Data\Temp
2010-06-19 05:48 . 2008-12-07 16:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-06-17 17:32 . 2009-10-28 13:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-17 16:55 . 2009-08-08 09:49 -------- d-----w- c:\program files\Free Offers from Freeze.com
2010-06-17 15:52 . 2008-12-07 16:46 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-06-15 18:29 . 2008-12-13 23:49 -------- d-----w- c:\program files\Common Files\Adobe
2010-06-14 16:06 . 2008-11-16 13:22 70696 ----a-w- c:\documents and settings\Eric\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-14 10:22 . 2010-02-03 09:43 -------- d-----w- c:\program files\Free Easy Burner
2010-06-11 08:12 . 2008-11-16 13:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-06-08 08:03 . 2008-11-16 13:51 -------- d-----w- c:\program files\Microsoft SQL Server
2010-06-07 15:45 . 2008-11-16 13:07 -------- d-----w- c:\program files\Microsoft.NET
2010-06-07 13:38 . 2008-11-16 14:55 -------- d-----w- c:\program files\Microsoft Visual Studio 8
2010-06-07 13:26 . 2009-04-15 19:28 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-01 13:43 . 2009-04-03 14:12 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-06-01 13:43 . 2008-11-16 17:23 29584 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-05-17 14:31 . 2010-05-17 14:31 -------- d--h--w- c:\documents and settings\All Users\Application Data\CanonBJ
2010-05-15 13:50 . 2008-12-07 16:45 -------- d-----w- c:\program files\Google
2010-05-02 05:22 . 2003-03-31 12:00 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-29 20:39 . 2009-10-28 13:31 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 20:39 . 2009-10-28 13:31 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-20 05:30 . 2003-03-31 12:00 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-16 16:09 . 2003-03-31 12:00 667136 ----a-w- c:\windows\system32\wininet.dll
2010-04-16 16:09 . 2004-08-04 07:56 81920 ------w- c:\windows\system32\ieencode.dll
2010-04-05 17:44 . 2010-03-04 13:28 4846 ----a-r- c:\documents and settings\Eric\Application Data\Microsoft\Installer\{FCD7C22E-06CE-4F29-8CCD-55A7B4D0B087}\_5B1774D2E3075CCF328EDA.exe
2010-04-05 17:44 . 2010-03-04 13:28 4710 ----a-r- c:\documents and settings\Eric\Application Data\Microsoft\Installer\{FCD7C22E-06CE-4F29-8CCD-55A7B4D0B087}\_E3DB97A5850DBC128D7B65.exe
2010-04-05 17:44 . 2010-03-04 13:28 4710 ----a-r- c:\documents and settings\Eric\Application Data\Microsoft\Installer\{FCD7C22E-06CE-4F29-8CCD-55A7B4D0B087}\_8E66822E457E550010289E.exe
2010-04-05 17:44 . 2010-03-04 13:28 4710 ----a-r- c:\documents and settings\Eric\Application Data\Microsoft\Installer\{FCD7C22E-06CE-4F29-8CCD-55A7B4D0B087}\_60FA5A9483A6EBA443B57C.exe
2010-04-05 17:44 . 2010-03-04 13:28 4710 ----a-r- c:\documents and settings\Eric\Application Data\Microsoft\Installer\{FCD7C22E-06CE-4F29-8CCD-55A7B4D0B087}\_4CAAF08408C8FEDDEDE6F6.exe
2010-04-05 17:44 . 2010-03-04 13:28 4846 ----a-r- c:\documents and settings\Eric\Application Data\Microsoft\Installer\{FCD7C22E-06CE-4F29-8CCD-55A7B4D0B087}\_12DBA35940918FB93254F3.exe
2010-04-05 17:44 . 2010-03-04 13:28 4710 ----a-r- c:\documents and settings\Eric\Application Data\Microsoft\Installer\{FCD7C22E-06CE-4F29-8CCD-55A7B4D0B087}\_F6DB2D7CC108D7C7EC0674.exe
2010-04-05 17:44 . 2010-03-04 13:28 4710 ----a-r- c:\documents and settings\Eric\Application Data\Microsoft\Installer\{FCD7C22E-06CE-4F29-8CCD-55A7B4D0B087}\_23898BB06D60197612CEBF.exe
2010-04-05 17:44 . 2010-03-04 13:28 4846 ----a-r- c:\documents and settings\Eric\Application Data\Microsoft\Installer\{FCD7C22E-06CE-4F29-8CCD-55A7B4D0B087}\_DAFD234B6DD27FDD55C9DB.exe
2010-04-05 17:44 . 2010-03-04 13:28 4710 ----a-r- c:\documents and settings\Eric\Application Data\Microsoft\Installer\{FCD7C22E-06CE-4F29-8CCD-55A7B4D0B087}\_F38630FC83CCA1F7DDDF3B.exe
2010-04-05 17:44 . 2010-03-04 13:28 4710 ----a-r- c:\documents and settings\Eric\Application Data\Microsoft\Installer\{FCD7C22E-06CE-4F29-8CCD-55A7B4D0B087}\_152E1AB519A70F234DA294.exe
2010-04-05 17:44 . 2010-03-04 13:28 1078 ----a-r- c:\documents and settings\Eric\Application Data\Microsoft\Installer\{FCD7C22E-06CE-4F29-8CCD-55A7B4D0B087}\_6FEFF9B68218417F98F549.exe
2010-03-30 18:59 . 2010-03-30 18:59 61440 ----a-w- c:\documents and settings\Eric\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-349c8116-n\decora-sse.dll
2010-03-30 18:59 . 2010-03-30 18:59 503808 ----a-w- c:\documents and settings\Eric\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-3742d89b-n\msvcp71.dll
2010-03-30 18:59 . 2010-03-30 18:59 499712 ----a-w- c:\documents and settings\Eric\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-3742d89b-n\jmc.dll
2010-03-30 18:59 . 2010-03-30 18:59 348160 ----a-w- c:\documents and settings\Eric\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-3742d89b-n\msvcr71.dll
2010-03-30 18:59 . 2010-03-30 18:59 12800 ----a-w- c:\documents and settings\Eric\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-349c8116-n\decora-d3d.dll
2010-03-29 14:37 . 2010-03-29 14:37 38344 ----a-w- c:\windows\system32\drivers\CO_Mon.sys
2010-03-29 14:37 . 2010-03-29 14:37 58632 ----a-w- c:\documents and settings\Eric\Application Data\WholeSecurity\CAT\WSUIEE.exe
2010-03-29 14:36 . 2010-03-29 14:36 36939 ----a-w- c:\documents and settings\Eric\Application Data\Juniper Networks\setup\uninstall.exe
.

((((((((((((((((((((((((((((( SnapShot@2010-06-18_15.19.49 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-06-20 12:16 . 2010-06-20 12:16 16384 c:\windows\Temp\Perflib_Perfdata_3e0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-12-07 39408]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IDTSysTrayApp"="sttray.exe" [2007-09-06 405504]
"SigmatelSysTrayApp"="stsystra.exe" [2006-07-27 282624]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-06-01 2065248]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2010-05-11 1287120]
"@OnlineArmor GUI"="c:\program files\Tall Emu\Online Armor\oaui.exe" [2010-04-20 6678008]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2006-10-27 434528]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-3-3 113664]
VPN Client.lnk - c:\windows\Installer\{CCBAA1F7-E5E1-48B2-9ED9-A79C6A37CE78}\Icon3E5562ED7.ico [2009-4-30 6144]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2009-4-28 122880]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{4F07DA45-8170-4859-9B5F-037EF2970034}"= "c:\progra~1\TALLEM~1\ONLINE~1\oaevent.dll" [2010-04-20 925688]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-03-05 15:47 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3713959246-320310600-2471480639-1178\Scripts\Logon\0\0]
"Script"=logon.bat

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
"c:\\Program Files\\Common Files\\Microsoft Shared\\DevServer\\9.0\\WebDev.WebServer.EXE"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgam.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\Microsoft Expression\\Media 2\\Media.exe"=

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [4/3/2009 9:12 AM 52872]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [6/17/2010 12:10 PM 218592]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [4/3/2009 9:12 AM 216200]
R1 AvgTdiX;AVG Network Redirector;c:\windows\system32\drivers\avgtdix.sys [4/3/2009 9:12 AM 242896]
R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [6/18/2010 7:50 AM 228216]
R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [6/18/2010 7:50 AM 24440]
R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [6/18/2010 7:50 AM 29560]
R2 avg9emc;AVG E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [3/5/2010 10:47 AM 916760]
R2 avg9wd;AVG WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [3/5/2010 10:47 AM 308064]
R2 msftesql$SQLEXPRESS;SQL Server FullText Search (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe [6/22/2007 9:22 AM 95592]
R2 OAcat;Online Armor Helper Service;c:\program files\Tall Emu\Online Armor\oacat.exe [6/18/2010 7:50 AM 1284600]
R2 SvcOnlineArmor;Online Armor;c:\program files\Tall Emu\Online Armor\oasrv.exe [6/18/2010 7:50 AM 3364856]
S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [1/29/2010 3:36 AM 717296]
S2 gupdate1c95cab836b518e;Google Update Service (gupdate1c95cab836b518e);c:\program files\Google\Update\GoogleUpdate.exe [12/12/2008 5:46 PM 133104]
.
Contents of the 'Scheduled Tasks' folder

2010-06-20 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-12-07 10:55]

2010-06-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-12-12 11:34]

2010-06-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-12-12 11:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyServer = http=127.0.0.1:1038
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_2EC7709873947E87.dll/cmsidewiki.html
Trusted Zone: aig.com\na.connect
DPF: {3BA494B1-D507-4C11-9BDA-D47E1A65DFCF} - hxxps://na.connect.aig.com/llclient/Neoteris/winxp/,DanaInfo=10.249.14.102+AXXPEE.dll
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://na.connect.aig.com/dana-cached/sc/JuniperSetupClient.cab
FF - ProfilePath - c:\documents and settings\Eric\Application Data\Mozilla\Firefox\Profiles\y8rdhq3a.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-20 07:37
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\msftesql$SQLEXPRESS]
"ImagePath"=""c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe" -s:MSSQL.1 -f:SQLEXPRESS"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(612)
c:\windows\system32\CSGina.dll
.
Completion time: 2010-06-20 07:41:40
ComboFix-quarantined-files.txt 2010-06-20 12:41

Pre-Run: 167,961,075,712 bytes free
Post-Run: 167,954,817,024 bytes free

- - End Of File - - AB35E8D8DACC7DB41B2ECBF8105798A8

descriptionSolvedRe: Another AV Security Suite infection

more_horiz
Hi,

Is this PC used in an enterprise environment? It looks like you have some entries that suggest so. If not, please let me know.

descriptionSolvedRe: Another AV Security Suite infection

more_horiz
Hi Chris,

I am not sure what is ment by an enterprise environment.

I have three systems that are networked together (workgroups). The infected system has access to both VPN client (but I have not accessed their system in a few weeks and my VPS server that holds my test website that I am working on.

Does that help?

Also, I used MalewareBytes to scan my exernal drive and also ran my AVG virus checker on that drive both cam back with nothing bad found. I can provide the MalwareBytes log if needed.

Thanks,

Eric

descriptionSolvedRe: Another AV Security Suite infection

more_horiz
Hi Eric Smile...

Thanks. That confirms what I need. Do you have a logon script running?

Looking at this entry prompted me to ask the question about the enterprise environment

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3713959246-320310600-2471480639-1178\scripts\Logon\0\0]
"script"=logon.bat

Do you know what that file it?

descriptionSolvedRe: Another AV Security Suite infection

more_horiz
I do not know what that Bat file is. I don't think it is something I created but the system ia a number of years old and who knows what I have done previously.

Eric

descriptionSolvedRe: Another AV Security Suite infection

more_horiz
I do not know what that Bat file is. Although I could have created sometime ago.

Eric

descriptionSolvedRe: Another AV Security Suite infection

more_horiz
Hi Eric Smile...

After conferring with a fellow Expert that batch file is fine, and should be there. Would you mind posting that MBAM log along with any issues you currently have?

descriptionSolvedRe: Another AV Security Suite infection

more_horiz
I have switched to my other system because I cannot view the last entry I made as well as your newest entry on this topic. But I can see them on my other system.

With respect to the MBAM log, are you looking for the log that was made when I searched my external drive? I only did the external drive and not all drives. The most recent MBAM log for the infect system is the one posted above. Would you like me to run it again? Takes about 6 plus hours.

On the surface my system seems fine but like others have mentioned on the forum when I use IE (not sure firefox has the same issue) I get weird results. Yesterday when I did a search for Installing XP audio drives I got a list of places to click on (normal). However, no matter what I clicked (like I clicked on a Microsoft site link) it would not take me there but take me to another site that was selling some software. This was happening on every link.

I just did some additional checking and the problem above is no longer happening. Or at least on the few sites I clicked on. I closed and reopened the IE browser and I was still unable to see the newest post that you and I had made to this forum. I rebooted, and cleared the cookies and temp files and I am now able to see the new postings. I am still posting this from my other system.

What I have also found is that all of my Favorites in IE (and I have many) are no longer URL links. You know when you go into Organize Favorites and click on a link the link shows the URL. On my system with the virus the link has been changes to a shortcut and the file is listed in a folder in the document area but it is a shortcut and not accessable.

I just tried to create another favorites in a new folder in IE. I went to a site I know click Favoites, Add Favorite and then created a new folder and added the favorite in the new folder. If made the favorite a shortcut file and not a favorite link.

Another thing, Just as a note, as I mentioned initially I have lost both my video and audio drivers. I am still able to view and hear sound but not with the drivers that were installed for my new monitor and Audio setup.

I am so much in pain at this point...

Eric

descriptionSolvedRe: Another AV Security Suite infection

more_horiz
Additional Information:

I just attempted to open the newly created shortcut up with notepad

This is what I see.

[DEFAULT]
BASEURL=http://www.hikingandcampingstuff.com/
[InternetShortcut]
URL=http://www.hikingandcampingstuff.com/
Modified=A037BADCA910CB01F2

Information is correct but it is a shortcut and not a Favorites link.

Eric

descriptionSolvedRe: Another AV Security Suite infection

more_horiz
With respect to the MBAM log, are you looking for the log that was made when I searched my external drive? I only did the external drive and not all drives. The most recent MBAM log for the infect system is the one posted above. Would you like me to run it again? Takes about 6 plus hours.


Nah just looking for the one on your external please Smile...

I found something I glanced over. This is probably the root of you issue

Re-running ComboFix to remove infections:

  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:

    DDS::
    uInternet Settings,ProxyServer = http=127.0.0.1:1038

  4. Save this as CFscript.txt, in the same location as ComboFix.exe

    Another AV Security Suite infection Cfscriptb4

  5. Referring to the picture above, drag CFscript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.

descriptionSolvedRe: Another AV Security Suite infection

more_horiz
Okay I'm not too bright here. I looked but I cannpt find where to inactivate my AVG virus or MalwareBytes

I don't have Malwarebytes on anything automatic. Is my AVG a service that I should shut down?

Below is the Log from external drive

Eric

Log from External Drive 1

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4215

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

6/20/2010 9:16:29 AM
mbam-log-2010-06-20 (09-16-29).txt

Scan type: Full scan (H:\|)
Objects scanned: 607018
Time elapsed: 1 hour(s), 26 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

descriptionSolvedRe: Another AV Security Suite infection

more_horiz
privacy_tip Permissions in this forum:
You cannot reply to topics in this forum