Hi Folks, Well I am another victim of the AV Security Suite infection.
To recap what I have done over night. I have a registered copy of AVG antivirus installed.
I has full scanned the system twice using Malware with the newest update. Both time is found things that it needed to remove. I removed them of course. However the icon in the tray and popups contnued. I then ran the Online scanner fromeset.com and that found the Kryptik.ETK trojan. After a reboot the AV Security Suite tray icon and the popup stopped.
I thought I was out of the woods... My internet for IE didn't work but the FireFox did. I looked at the settings in Tool, Internet Options, Connections, LAN Settings and noticed that the two top boxes were not checked but both proxy server boxes were (no address or port values). I looked at another system of mine and nothing was check so I unchecked them all and IE cam up fine.
I then took the advise of those on this board and I installed SpywareBlaster and Armor Firewall. Everything was looking good...
I then noticed that my Audio drivers were not installed and when I went to the internet to search for a possible solution the pages that were displayed were not the pages I clicked on. I had read in a forum that this happened to someone else.
I then decided (against the advice of the ComboFix site) toinstall and run ComboFix since it seemed to be the first thing that is asked for. Although it took a number of reboots, it completed and the Log file is below.
I would appreciate any help ya'll could provide me. I am still not out of the woods but I tried as much as I could.
Thank you very much.
Eric
ComboFix 10-06-17.02 - Eric 06/18/2010 10:03:42.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1982.1444 [GMT -5]
Running from: c:\downloads\ComboFix\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Eric\Recent\Thumbs.db
C:\Thumbs.db
c:\windows\system32\images
c:\windows\system32\images\toolbar\calendar.gif
c:\windows\system32\images\toolbar\crlogo.gif
c:\windows\system32\images\toolbar\export.gif
c:\windows\system32\images\toolbar\export_over.gif
c:\windows\system32\images\toolbar\exportd.gif
c:\windows\system32\images\toolbar\First.gif
c:\windows\system32\images\toolbar\first_over.gif
c:\windows\system32\images\toolbar\Firstd.gif
c:\windows\system32\images\toolbar\gotopage.gif
c:\windows\system32\images\toolbar\gotopage_over.gif
c:\windows\system32\images\toolbar\gotopaged.gif
c:\windows\system32\images\toolbar\grouptree.gif
c:\windows\system32\images\toolbar\grouptree_over.gif
c:\windows\system32\images\toolbar\grouptreed.gif
c:\windows\system32\images\toolbar\grouptreepressed.gif
c:\windows\system32\images\toolbar\Last.gif
c:\windows\system32\images\toolbar\last_over.gif
c:\windows\system32\images\toolbar\Lastd.gif
c:\windows\system32\images\toolbar\Next.gif
c:\windows\system32\images\toolbar\next_over.gif
c:\windows\system32\images\toolbar\Nextd.gif
c:\windows\system32\images\toolbar\Prev.gif
c:\windows\system32\images\toolbar\prev_over.gif
c:\windows\system32\images\toolbar\Prevd.gif
c:\windows\system32\images\toolbar\print.gif
c:\windows\system32\images\toolbar\print_over.gif
c:\windows\system32\images\toolbar\printd.gif
c:\windows\system32\images\toolbar\Refresh.gif
c:\windows\system32\images\toolbar\refresh_over.gif
c:\windows\system32\images\toolbar\refreshd.gif
c:\windows\system32\images\toolbar\Search.gif
c:\windows\system32\images\toolbar\search_over.gif
c:\windows\system32\images\toolbar\searchd.gif
c:\windows\system32\images\toolbar\up.gif
c:\windows\system32\images\toolbar\up_over.gif
c:\windows\system32\images\toolbar\upd.gif
c:\windows\system32\images\tree\begindots.gif
c:\windows\system32\images\tree\beginminus.gif
c:\windows\system32\images\tree\beginplus.gif
c:\windows\system32\images\tree\blank.gif
c:\windows\system32\images\tree\blankdots.gif
c:\windows\system32\images\tree\dots.gif
c:\windows\system32\images\tree\lastdots.gif
c:\windows\system32\images\tree\lastminus.gif
c:\windows\system32\images\tree\lastplus.gif
c:\windows\system32\images\tree\Magnify.gif
c:\windows\system32\images\tree\minus.gif
c:\windows\system32\images\tree\minusbox.gif
c:\windows\system32\images\tree\plus.gif
c:\windows\system32\images\tree\plusbox.gif
c:\windows\system32\images\tree\singleminus.gif
c:\windows\system32\images\tree\singleplus.gif
c:\windows\system32\Thumbs.db
c:\windows\system32\win.com
.
((((((((((((((((((((((((( Files Created from 2010-05-18 to 2010-06-18 )))))))))))))))))))))))))))))))
.
2010-06-18 12:50 . 2010-06-18 13:17 -------- d-----w- c:\documents and settings\All Users\Application Data\OnlineArmor
2010-06-18 12:50 . 2010-06-18 12:50 -------- d-----w- c:\documents and settings\Eric\Application Data\OnlineArmor
2010-06-18 12:50 . 2010-04-20 09:13 24440 ----a-w- c:\windows\system32\drivers\OAmon.sys
2010-06-18 12:50 . 2010-04-20 09:13 29560 ----a-w- c:\windows\system32\drivers\OAnet.sys
2010-06-18 12:50 . 2010-04-20 09:13 228216 ----a-w- c:\windows\system32\drivers\OADriver.sys
2010-06-18 12:50 . 2010-06-18 12:50 -------- d-----w- c:\program files\Tall Emu
2010-06-18 12:46 . 2010-06-18 12:46 -------- d-----w- c:\program files\SpywareBlaster
2010-06-18 09:11 . 2010-06-18 09:11 -------- d-----w- c:\program files\ESET
2010-06-18 04:25 . 2010-06-18 04:25 -------- d-s---w- c:\documents and settings\NetworkService\UserData
2010-06-17 17:10 . 2010-02-05 14:17 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2010-06-17 17:10 . 2010-03-29 15:06 218592 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-06-17 17:10 . 2009-11-23 18:54 88040 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2010-06-17 17:10 . 2010-04-08 19:29 63360 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-06-17 17:10 . 2010-06-17 17:10 -------- d-----w- c:\program files\Common Files\PC Tools
2010-06-17 17:10 . 2010-06-17 17:10 -------- d-----w- c:\documents and settings\Eric\Application Data\PC Tools
2010-06-17 17:10 . 2010-06-17 17:10 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2010-06-17 17:10 . 2010-06-17 17:10 -------- d-----w- c:\program files\Spyware Doctor
2010-06-17 15:53 . 2010-06-18 10:09 -------- d-----w- c:\documents and settings\Eric\Local Settings\Application Data\ukcpenhtj
2010-06-17 14:32 . 2010-06-17 14:32 -------- d-----w- c:\program files\Voxengo
2010-06-17 12:01 . 2010-06-17 12:01 -------- d-----w- c:\program files\Audacity
2010-06-14 10:28 . 1993-07-23 05:00 210944 ----a-w- c:\windows\system32\Msvcrt10.dll
2010-06-14 10:27 . 1999-10-22 06:11 52736 ----a-w- c:\windows\system32\Pdfshell.dll
2010-06-14 10:25 . 1998-10-29 20:45 306688 ----a-w- c:\windows\IsUninst.exe
2010-06-08 08:03 . 2010-06-08 08:03 -------- d-----w- c:\windows\SQLTools9_KB970892_ENU
2010-06-08 08:01 . 2010-06-08 08:01 -------- d-----w- c:\windows\SQL9_KB970892_ENU
2010-06-07 15:38 . 2010-06-07 15:38 3584 ----a-r- c:\documents and settings\Eric\Application Data\Microsoft\Installer\{121634B0-2F4B-11D3-ADA3-00C04F52DD52}\Icon386ED4E3.exe
2010-06-07 15:38 . 2010-06-07 15:38 -------- d-----w- c:\program files\Windows Installer Clean Up
2010-06-07 14:40 . 2010-06-07 15:37 -------- d-----w- c:\program files\MSECACHE
2010-06-07 12:13 . 2010-06-07 12:13 -------- d-----w- c:\documents and settings\Eric\Local Settings\Application Data\Irony
2010-06-01 13:43 . 2010-06-01 13:43 29512 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgmfx86.sys
2010-06-01 13:43 . 2010-06-01 13:43 242896 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys
2010-05-25 02:27 . 2010-05-25 02:27 61440 ----a-w- c:\documents and settings\Eric\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-439fdc55-n\decora-sse.dll
2010-05-25 02:27 . 2010-05-25 02:27 503808 ----a-w- c:\documents and settings\Eric\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-26bf0192-n\msvcp71.dll
2010-05-25 02:27 . 2010-05-25 02:27 499712 ----a-w- c:\documents and settings\Eric\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-26bf0192-n\jmc.dll
2010-05-25 02:27 . 2010-05-25 02:27 348160 ----a-w- c:\documents and settings\Eric\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-26bf0192-n\msvcr71.dll
2010-05-25 02:27 . 2010-05-25 02:27 12800 ----a-w- c:\documents and settings\Eric\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-439fdc55-n\decora-d3d.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-18 14:55 . 2009-10-25 23:59 -------- d---a-w- c:\documents and settings\All Users\Application Data\Temp
2010-06-18 04:47 . 2008-12-07 16:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-06-17 17:32 . 2009-10-28 13:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-17 16:55 . 2009-08-08 09:49 -------- d-----w- c:\program files\Free Offers from Freeze.com
2010-06-17 15:52 . 2008-12-07 16:46 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-06-15 18:29 . 2008-12-13 23:49 -------- d-----w- c:\program files\Common Files\Adobe
2010-06-14 16:06 . 2008-11-16 13:22 70696 ----a-w- c:\documents and settings\Eric\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-14 10:22 . 2010-02-03 09:43 -------- d-----w- c:\program files\Free Easy Burner
2010-06-11 08:12 . 2008-11-16 13:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-06-08 08:03 . 2008-11-16 13:51 -------- d-----w- c:\program files\Microsoft SQL Server
2010-06-07 15:45 . 2008-11-16 13:07 -------- d-----w- c:\program files\Microsoft.NET
2010-06-07 13:38 . 2008-11-16 14:55 -------- d-----w- c:\program files\Microsoft Visual Studio 8
2010-06-07 13:26 . 2009-04-15 19:28 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-01 13:43 . 2009-04-03 14:12 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-06-01 13:43 . 2008-11-16 17:23 29584 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-05-17 14:31 . 2010-05-17 14:31 -------- d--h--w- c:\documents and settings\All Users\Application Data\CanonBJ
2010-05-15 13:50 . 2008-12-07 16:45 -------- d-----w- c:\program files\Google
2010-05-02 05:22 . 2003-03-31 12:00 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-29 20:39 . 2009-10-28 13:31 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 20:39 . 2009-10-28 13:31 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-20 05:30 . 2003-03-31 12:00 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-16 16:09 . 2003-03-31 12:00 667136 ----a-w- c:\windows\system32\wininet.dll
2010-04-16 16:09 . 2004-08-04 07:56 81920 ------w- c:\windows\system32\ieencode.dll
2010-04-05 17:44 . 2010-03-04 13:28 4846 ----a-r- c:\documents and settings\Eric\Application Data\Microsoft\Installer\{FCD7C22E-06CE-4F29-8CCD-55A7B4D0B087}\_5B1774D2E3075CCF328EDA.exe
2010-04-05 17:44 . 2010-03-04 13:28 4710 ----a-r- c:\documents and settings\Eric\Application Data\Microsoft\Installer\{FCD7C22E-06CE-4F29-8CCD-55A7B4D0B087}\_E3DB97A5850DBC128D7B65.exe
2010-04-05 17:44 . 2010-03-04 13:28 4710 ----a-r- c:\documents and settings\Eric\Application Data\Microsoft\Installer\{FCD7C22E-06CE-4F29-8CCD-55A7B4D0B087}\_8E66822E457E550010289E.exe
2010-04-05 17:44 . 2010-03-04 13:28 4710 ----a-r- c:\documents and settings\Eric\Application Data\Microsoft\Installer\{FCD7C22E-06CE-4F29-8CCD-55A7B4D0B087}\_60FA5A9483A6EBA443B57C.exe
2010-04-05 17:44 . 2010-03-04 13:28 4710 ----a-r- c:\documents and settings\Eric\Application Data\Microsoft\Installer\{FCD7C22E-06CE-4F29-8CCD-55A7B4D0B087}\_4CAAF08408C8FEDDEDE6F6.exe
2010-04-05 17:44 . 2010-03-04 13:28 4846 ----a-r- c:\documents and settings\Eric\Application Data\Microsoft\Installer\{FCD7C22E-06CE-4F29-8CCD-55A7B4D0B087}\_12DBA35940918FB93254F3.exe
2010-04-05 17:44 . 2010-03-04 13:28 4710 ----a-r- c:\documents and settings\Eric\Application Data\Microsoft\Installer\{FCD7C22E-06CE-4F29-8CCD-55A7B4D0B087}\_F6DB2D7CC108D7C7EC0674.exe
2010-04-05 17:44 . 2010-03-04 13:28 4710 ----a-r- c:\documents and settings\Eric\Application Data\Microsoft\Installer\{FCD7C22E-06CE-4F29-8CCD-55A7B4D0B087}\_23898BB06D60197612CEBF.exe
2010-04-05 17:44 . 2010-03-04 13:28 4846 ----a-r- c:\documents and settings\Eric\Application Data\Microsoft\Installer\{FCD7C22E-06CE-4F29-8CCD-55A7B4D0B087}\_DAFD234B6DD27FDD55C9DB.exe
2010-04-05 17:44 . 2010-03-04 13:28 4710 ----a-r- c:\documents and settings\Eric\Application Data\Microsoft\Installer\{FCD7C22E-06CE-4F29-8CCD-55A7B4D0B087}\_F38630FC83CCA1F7DDDF3B.exe
2010-04-05 17:44 . 2010-03-04 13:28 4710 ----a-r- c:\documents and settings\Eric\Application Data\Microsoft\Installer\{FCD7C22E-06CE-4F29-8CCD-55A7B4D0B087}\_152E1AB519A70F234DA294.exe
2010-04-05 17:44 . 2010-03-04 13:28 1078 ----a-r- c:\documents and settings\Eric\Application Data\Microsoft\Installer\{FCD7C22E-06CE-4F29-8CCD-55A7B4D0B087}\_6FEFF9B68218417F98F549.exe
2010-03-30 18:59 . 2010-03-30 18:59 61440 ----a-w- c:\documents and settings\Eric\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-349c8116-n\decora-sse.dll
2010-03-30 18:59 . 2010-03-30 18:59 503808 ----a-w- c:\documents and settings\Eric\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-3742d89b-n\msvcp71.dll
2010-03-30 18:59 . 2010-03-30 18:59 499712 ----a-w- c:\documents and settings\Eric\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-3742d89b-n\jmc.dll
2010-03-30 18:59 . 2010-03-30 18:59 348160 ----a-w- c:\documents and settings\Eric\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-3742d89b-n\msvcr71.dll
2010-03-30 18:59 . 2010-03-30 18:59 12800 ----a-w- c:\documents and settings\Eric\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-349c8116-n\decora-d3d.dll
2010-03-29 14:37 . 2010-03-29 14:37 38344 ----a-w- c:\windows\system32\drivers\CO_Mon.sys
2010-03-29 14:37 . 2010-03-29 14:37 58632 ----a-w- c:\documents and settings\Eric\Application Data\WholeSecurity\CAT\WSUIEE.exe
2010-03-29 14:36 . 2010-03-29 14:36 36939 ----a-w- c:\documents and settings\Eric\Application Data\Juniper Networks\setup\uninstall.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-12-07 39408]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IDTSysTrayApp"="sttray.exe" [2007-09-06 405504]
"SigmatelSysTrayApp"="stsystra.exe" [2006-07-27 282624]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-06-01 2065248]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2010-05-11 1287120]
"@OnlineArmor GUI"="c:\program files\Tall Emu\Online Armor\oaui.exe" [2010-04-20 6678008]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2006-10-27 434528]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-3-3 113664]
VPN Client.lnk - c:\windows\Installer\{CCBAA1F7-E5E1-48B2-9ED9-A79C6A37CE78}\Icon3E5562ED7.ico [2009-4-30 6144]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2009-4-28 122880]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{4F07DA45-8170-4859-9B5F-037EF2970034}"= "c:\progra~1\TALLEM~1\ONLINE~1\oaevent.dll" [2010-04-20 925688]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-03-05 15:47 12464 ----a-w- c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3713959246-320310600-2471480639-1178\scripts\Logon\0\0]
"script"=logon.bat
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
"c:\\Program Files\\Common Files\\Microsoft Shared\\DevServer\\9.0\\WebDev.WebServer.EXE"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgam.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\Microsoft Expression\\Media 2\\ Media.exe"=
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [4/3/2009 9:12 AM 52872]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [6/17/2010 12:10 PM 218592]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [4/3/2009 9:12 AM 216200]
R1 AvgTdiX;AVG Network Redirector;c:\windows\system32\drivers\avgtdix.sys [4/3/2009 9:12 AM 242896]
R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [6/18/2010 7:50 AM 228216]
R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [6/18/2010 7:50 AM 24440]
R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [6/18/2010 7:50 AM 29560]
R2 avg9emc;AVG E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [3/5/2010 10:47 AM 916760]
R2 avg9wd;AVG WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [3/5/2010 10:47 AM 308064]
R2 msftesql$SQLEXPRESS;SQL Server FullText Search (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe [6/22/2007 9:22 AM 95592]
R2 OAcat;Online Armor Helper Service;c:\program files\Tall Emu\Online Armor\oacat.exe [6/18/2010 7:50 AM 1284600]
R2 SvcOnlineArmor;Online Armor;c:\program files\Tall Emu\Online Armor\oasrv.exe [6/18/2010 7:50 AM 3364856]
S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [1/29/2010 3:36 AM 717296]
S2 gupdate1c95cab836b518e;Google Update Service (gupdate1c95cab836b518e);c:\program files\Google\Update\GoogleUpdate.exe [12/12/2008 5:46 PM 133104]
.
Contents of the 'Scheduled Tasks' folder
2010-06-18 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-12-07 10:55]
2010-06-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-12-12 11:34]
2010-06-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-12-12 11:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyServer = http=127.0.0.1:1038
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_2EC7709873947E87.dll/cmsidewiki.html
Trusted Zone: aig.com\na.connect
DPF: {3BA494B1-D507-4C11-9BDA-D47E1A65DFCF} - hxxps://na.connect.aig.com/llclient/Neoteris/winxp/,DanaInfo=10.249.14.102+AXXPEE.dll
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://na.connect.aig.com/dana-cached/sc/JuniperSetupClient.cab
FF - ProfilePath - c:\documents and settings\Eric\Application Data\Mozilla\Firefox\Profiles\y8rdhq3a.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - ORPHANS REMOVED - - - -
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-18 10:19
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\msftesql$SQLEXPRESS]
"ImagePath"=""c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe" -s:MSSQL.1 -f:SQLEXPRESS"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(612)
c:\windows\system32\CSGina.dll
.
Completion time: 2010-06-18 10:23:36
ComboFix-quarantined-files.txt 2010-06-18 15:23
Pre-Run: 167,228,624,896 bytes free
Post-Run: 168,004,136,960 bytes free
- - End Of File - - 55F387BB9CA730721894D3591907FC22
To recap what I have done over night. I have a registered copy of AVG antivirus installed.
I has full scanned the system twice using Malware with the newest update. Both time is found things that it needed to remove. I removed them of course. However the icon in the tray and popups contnued. I then ran the Online scanner fromeset.com and that found the Kryptik.ETK trojan. After a reboot the AV Security Suite tray icon and the popup stopped.
I thought I was out of the woods... My internet for IE didn't work but the FireFox did. I looked at the settings in Tool, Internet Options, Connections, LAN Settings and noticed that the two top boxes were not checked but both proxy server boxes were (no address or port values). I looked at another system of mine and nothing was check so I unchecked them all and IE cam up fine.
I then took the advise of those on this board and I installed SpywareBlaster and Armor Firewall. Everything was looking good...
I then noticed that my Audio drivers were not installed and when I went to the internet to search for a possible solution the pages that were displayed were not the pages I clicked on. I had read in a forum that this happened to someone else.
I then decided (against the advice of the ComboFix site) toinstall and run ComboFix since it seemed to be the first thing that is asked for. Although it took a number of reboots, it completed and the Log file is below.
I would appreciate any help ya'll could provide me. I am still not out of the woods but I tried as much as I could.
Thank you very much.
Eric
ComboFix 10-06-17.02 - Eric 06/18/2010 10:03:42.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1982.1444 [GMT -5]
Running from: c:\downloads\ComboFix\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Eric\Recent\Thumbs.db
C:\Thumbs.db
c:\windows\system32\images
c:\windows\system32\images\toolbar\calendar.gif
c:\windows\system32\images\toolbar\crlogo.gif
c:\windows\system32\images\toolbar\export.gif
c:\windows\system32\images\toolbar\export_over.gif
c:\windows\system32\images\toolbar\exportd.gif
c:\windows\system32\images\toolbar\First.gif
c:\windows\system32\images\toolbar\first_over.gif
c:\windows\system32\images\toolbar\Firstd.gif
c:\windows\system32\images\toolbar\gotopage.gif
c:\windows\system32\images\toolbar\gotopage_over.gif
c:\windows\system32\images\toolbar\gotopaged.gif
c:\windows\system32\images\toolbar\grouptree.gif
c:\windows\system32\images\toolbar\grouptree_over.gif
c:\windows\system32\images\toolbar\grouptreed.gif
c:\windows\system32\images\toolbar\grouptreepressed.gif
c:\windows\system32\images\toolbar\Last.gif
c:\windows\system32\images\toolbar\last_over.gif
c:\windows\system32\images\toolbar\Lastd.gif
c:\windows\system32\images\toolbar\Next.gif
c:\windows\system32\images\toolbar\next_over.gif
c:\windows\system32\images\toolbar\Nextd.gif
c:\windows\system32\images\toolbar\Prev.gif
c:\windows\system32\images\toolbar\prev_over.gif
c:\windows\system32\images\toolbar\Prevd.gif
c:\windows\system32\images\toolbar\print.gif
c:\windows\system32\images\toolbar\print_over.gif
c:\windows\system32\images\toolbar\printd.gif
c:\windows\system32\images\toolbar\Refresh.gif
c:\windows\system32\images\toolbar\refresh_over.gif
c:\windows\system32\images\toolbar\refreshd.gif
c:\windows\system32\images\toolbar\Search.gif
c:\windows\system32\images\toolbar\search_over.gif
c:\windows\system32\images\toolbar\searchd.gif
c:\windows\system32\images\toolbar\up.gif
c:\windows\system32\images\toolbar\up_over.gif
c:\windows\system32\images\toolbar\upd.gif
c:\windows\system32\images\tree\begindots.gif
c:\windows\system32\images\tree\beginminus.gif
c:\windows\system32\images\tree\beginplus.gif
c:\windows\system32\images\tree\blank.gif
c:\windows\system32\images\tree\blankdots.gif
c:\windows\system32\images\tree\dots.gif
c:\windows\system32\images\tree\lastdots.gif
c:\windows\system32\images\tree\lastminus.gif
c:\windows\system32\images\tree\lastplus.gif
c:\windows\system32\images\tree\Magnify.gif
c:\windows\system32\images\tree\minus.gif
c:\windows\system32\images\tree\minusbox.gif
c:\windows\system32\images\tree\plus.gif
c:\windows\system32\images\tree\plusbox.gif
c:\windows\system32\images\tree\singleminus.gif
c:\windows\system32\images\tree\singleplus.gif
c:\windows\system32\Thumbs.db
c:\windows\system32\win.com
.
((((((((((((((((((((((((( Files Created from 2010-05-18 to 2010-06-18 )))))))))))))))))))))))))))))))
.
2010-06-18 12:50 . 2010-06-18 13:17 -------- d-----w- c:\documents and settings\All Users\Application Data\OnlineArmor
2010-06-18 12:50 . 2010-06-18 12:50 -------- d-----w- c:\documents and settings\Eric\Application Data\OnlineArmor
2010-06-18 12:50 . 2010-04-20 09:13 24440 ----a-w- c:\windows\system32\drivers\OAmon.sys
2010-06-18 12:50 . 2010-04-20 09:13 29560 ----a-w- c:\windows\system32\drivers\OAnet.sys
2010-06-18 12:50 . 2010-04-20 09:13 228216 ----a-w- c:\windows\system32\drivers\OADriver.sys
2010-06-18 12:50 . 2010-06-18 12:50 -------- d-----w- c:\program files\Tall Emu
2010-06-18 12:46 . 2010-06-18 12:46 -------- d-----w- c:\program files\SpywareBlaster
2010-06-18 09:11 . 2010-06-18 09:11 -------- d-----w- c:\program files\ESET
2010-06-18 04:25 . 2010-06-18 04:25 -------- d-s---w- c:\documents and settings\NetworkService\UserData
2010-06-17 17:10 . 2010-02-05 14:17 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2010-06-17 17:10 . 2010-03-29 15:06 218592 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-06-17 17:10 . 2009-11-23 18:54 88040 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2010-06-17 17:10 . 2010-04-08 19:29 63360 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-06-17 17:10 . 2010-06-17 17:10 -------- d-----w- c:\program files\Common Files\PC Tools
2010-06-17 17:10 . 2010-06-17 17:10 -------- d-----w- c:\documents and settings\Eric\Application Data\PC Tools
2010-06-17 17:10 . 2010-06-17 17:10 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2010-06-17 17:10 . 2010-06-17 17:10 -------- d-----w- c:\program files\Spyware Doctor
2010-06-17 15:53 . 2010-06-18 10:09 -------- d-----w- c:\documents and settings\Eric\Local Settings\Application Data\ukcpenhtj
2010-06-17 14:32 . 2010-06-17 14:32 -------- d-----w- c:\program files\Voxengo
2010-06-17 12:01 . 2010-06-17 12:01 -------- d-----w- c:\program files\Audacity
2010-06-14 10:28 . 1993-07-23 05:00 210944 ----a-w- c:\windows\system32\Msvcrt10.dll
2010-06-14 10:27 . 1999-10-22 06:11 52736 ----a-w- c:\windows\system32\Pdfshell.dll
2010-06-14 10:25 . 1998-10-29 20:45 306688 ----a-w- c:\windows\IsUninst.exe
2010-06-08 08:03 . 2010-06-08 08:03 -------- d-----w- c:\windows\SQLTools9_KB970892_ENU
2010-06-08 08:01 . 2010-06-08 08:01 -------- d-----w- c:\windows\SQL9_KB970892_ENU
2010-06-07 15:38 . 2010-06-07 15:38 3584 ----a-r- c:\documents and settings\Eric\Application Data\Microsoft\Installer\{121634B0-2F4B-11D3-ADA3-00C04F52DD52}\Icon386ED4E3.exe
2010-06-07 15:38 . 2010-06-07 15:38 -------- d-----w- c:\program files\Windows Installer Clean Up
2010-06-07 14:40 . 2010-06-07 15:37 -------- d-----w- c:\program files\MSECACHE
2010-06-07 12:13 . 2010-06-07 12:13 -------- d-----w- c:\documents and settings\Eric\Local Settings\Application Data\Irony
2010-06-01 13:43 . 2010-06-01 13:43 29512 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgmfx86.sys
2010-06-01 13:43 . 2010-06-01 13:43 242896 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys
2010-05-25 02:27 . 2010-05-25 02:27 61440 ----a-w- c:\documents and settings\Eric\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-439fdc55-n\decora-sse.dll
2010-05-25 02:27 . 2010-05-25 02:27 503808 ----a-w- c:\documents and settings\Eric\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-26bf0192-n\msvcp71.dll
2010-05-25 02:27 . 2010-05-25 02:27 499712 ----a-w- c:\documents and settings\Eric\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-26bf0192-n\jmc.dll
2010-05-25 02:27 . 2010-05-25 02:27 348160 ----a-w- c:\documents and settings\Eric\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-26bf0192-n\msvcr71.dll
2010-05-25 02:27 . 2010-05-25 02:27 12800 ----a-w- c:\documents and settings\Eric\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-439fdc55-n\decora-d3d.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-18 14:55 . 2009-10-25 23:59 -------- d---a-w- c:\documents and settings\All Users\Application Data\Temp
2010-06-18 04:47 . 2008-12-07 16:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-06-17 17:32 . 2009-10-28 13:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-17 16:55 . 2009-08-08 09:49 -------- d-----w- c:\program files\Free Offers from Freeze.com
2010-06-17 15:52 . 2008-12-07 16:46 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-06-15 18:29 . 2008-12-13 23:49 -------- d-----w- c:\program files\Common Files\Adobe
2010-06-14 16:06 . 2008-11-16 13:22 70696 ----a-w- c:\documents and settings\Eric\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-14 10:22 . 2010-02-03 09:43 -------- d-----w- c:\program files\Free Easy Burner
2010-06-11 08:12 . 2008-11-16 13:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-06-08 08:03 . 2008-11-16 13:51 -------- d-----w- c:\program files\Microsoft SQL Server
2010-06-07 15:45 . 2008-11-16 13:07 -------- d-----w- c:\program files\Microsoft.NET
2010-06-07 13:38 . 2008-11-16 14:55 -------- d-----w- c:\program files\Microsoft Visual Studio 8
2010-06-07 13:26 . 2009-04-15 19:28 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-01 13:43 . 2009-04-03 14:12 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-06-01 13:43 . 2008-11-16 17:23 29584 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-05-17 14:31 . 2010-05-17 14:31 -------- d--h--w- c:\documents and settings\All Users\Application Data\CanonBJ
2010-05-15 13:50 . 2008-12-07 16:45 -------- d-----w- c:\program files\Google
2010-05-02 05:22 . 2003-03-31 12:00 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-29 20:39 . 2009-10-28 13:31 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 20:39 . 2009-10-28 13:31 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-20 05:30 . 2003-03-31 12:00 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-16 16:09 . 2003-03-31 12:00 667136 ----a-w- c:\windows\system32\wininet.dll
2010-04-16 16:09 . 2004-08-04 07:56 81920 ------w- c:\windows\system32\ieencode.dll
2010-04-05 17:44 . 2010-03-04 13:28 4846 ----a-r- c:\documents and settings\Eric\Application Data\Microsoft\Installer\{FCD7C22E-06CE-4F29-8CCD-55A7B4D0B087}\_5B1774D2E3075CCF328EDA.exe
2010-04-05 17:44 . 2010-03-04 13:28 4710 ----a-r- c:\documents and settings\Eric\Application Data\Microsoft\Installer\{FCD7C22E-06CE-4F29-8CCD-55A7B4D0B087}\_E3DB97A5850DBC128D7B65.exe
2010-04-05 17:44 . 2010-03-04 13:28 4710 ----a-r- c:\documents and settings\Eric\Application Data\Microsoft\Installer\{FCD7C22E-06CE-4F29-8CCD-55A7B4D0B087}\_8E66822E457E550010289E.exe
2010-04-05 17:44 . 2010-03-04 13:28 4710 ----a-r- c:\documents and settings\Eric\Application Data\Microsoft\Installer\{FCD7C22E-06CE-4F29-8CCD-55A7B4D0B087}\_60FA5A9483A6EBA443B57C.exe
2010-04-05 17:44 . 2010-03-04 13:28 4710 ----a-r- c:\documents and settings\Eric\Application Data\Microsoft\Installer\{FCD7C22E-06CE-4F29-8CCD-55A7B4D0B087}\_4CAAF08408C8FEDDEDE6F6.exe
2010-04-05 17:44 . 2010-03-04 13:28 4846 ----a-r- c:\documents and settings\Eric\Application Data\Microsoft\Installer\{FCD7C22E-06CE-4F29-8CCD-55A7B4D0B087}\_12DBA35940918FB93254F3.exe
2010-04-05 17:44 . 2010-03-04 13:28 4710 ----a-r- c:\documents and settings\Eric\Application Data\Microsoft\Installer\{FCD7C22E-06CE-4F29-8CCD-55A7B4D0B087}\_F6DB2D7CC108D7C7EC0674.exe
2010-04-05 17:44 . 2010-03-04 13:28 4710 ----a-r- c:\documents and settings\Eric\Application Data\Microsoft\Installer\{FCD7C22E-06CE-4F29-8CCD-55A7B4D0B087}\_23898BB06D60197612CEBF.exe
2010-04-05 17:44 . 2010-03-04 13:28 4846 ----a-r- c:\documents and settings\Eric\Application Data\Microsoft\Installer\{FCD7C22E-06CE-4F29-8CCD-55A7B4D0B087}\_DAFD234B6DD27FDD55C9DB.exe
2010-04-05 17:44 . 2010-03-04 13:28 4710 ----a-r- c:\documents and settings\Eric\Application Data\Microsoft\Installer\{FCD7C22E-06CE-4F29-8CCD-55A7B4D0B087}\_F38630FC83CCA1F7DDDF3B.exe
2010-04-05 17:44 . 2010-03-04 13:28 4710 ----a-r- c:\documents and settings\Eric\Application Data\Microsoft\Installer\{FCD7C22E-06CE-4F29-8CCD-55A7B4D0B087}\_152E1AB519A70F234DA294.exe
2010-04-05 17:44 . 2010-03-04 13:28 1078 ----a-r- c:\documents and settings\Eric\Application Data\Microsoft\Installer\{FCD7C22E-06CE-4F29-8CCD-55A7B4D0B087}\_6FEFF9B68218417F98F549.exe
2010-03-30 18:59 . 2010-03-30 18:59 61440 ----a-w- c:\documents and settings\Eric\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-349c8116-n\decora-sse.dll
2010-03-30 18:59 . 2010-03-30 18:59 503808 ----a-w- c:\documents and settings\Eric\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-3742d89b-n\msvcp71.dll
2010-03-30 18:59 . 2010-03-30 18:59 499712 ----a-w- c:\documents and settings\Eric\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-3742d89b-n\jmc.dll
2010-03-30 18:59 . 2010-03-30 18:59 348160 ----a-w- c:\documents and settings\Eric\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-3742d89b-n\msvcr71.dll
2010-03-30 18:59 . 2010-03-30 18:59 12800 ----a-w- c:\documents and settings\Eric\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-349c8116-n\decora-d3d.dll
2010-03-29 14:37 . 2010-03-29 14:37 38344 ----a-w- c:\windows\system32\drivers\CO_Mon.sys
2010-03-29 14:37 . 2010-03-29 14:37 58632 ----a-w- c:\documents and settings\Eric\Application Data\WholeSecurity\CAT\WSUIEE.exe
2010-03-29 14:36 . 2010-03-29 14:36 36939 ----a-w- c:\documents and settings\Eric\Application Data\Juniper Networks\setup\uninstall.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-12-07 39408]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IDTSysTrayApp"="sttray.exe" [2007-09-06 405504]
"SigmatelSysTrayApp"="stsystra.exe" [2006-07-27 282624]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-06-01 2065248]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2010-05-11 1287120]
"@OnlineArmor GUI"="c:\program files\Tall Emu\Online Armor\oaui.exe" [2010-04-20 6678008]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2006-10-27 434528]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-3-3 113664]
VPN Client.lnk - c:\windows\Installer\{CCBAA1F7-E5E1-48B2-9ED9-A79C6A37CE78}\Icon3E5562ED7.ico [2009-4-30 6144]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2009-4-28 122880]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{4F07DA45-8170-4859-9B5F-037EF2970034}"= "c:\progra~1\TALLEM~1\ONLINE~1\oaevent.dll" [2010-04-20 925688]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-03-05 15:47 12464 ----a-w- c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3713959246-320310600-2471480639-1178\scripts\Logon\0\0]
"script"=logon.bat
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
"c:\\Program Files\\Common Files\\Microsoft Shared\\DevServer\\9.0\\WebDev.WebServer.EXE"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgam.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\Microsoft Expression\\Media 2\\ Media.exe"=
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [4/3/2009 9:12 AM 52872]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [6/17/2010 12:10 PM 218592]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [4/3/2009 9:12 AM 216200]
R1 AvgTdiX;AVG Network Redirector;c:\windows\system32\drivers\avgtdix.sys [4/3/2009 9:12 AM 242896]
R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [6/18/2010 7:50 AM 228216]
R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [6/18/2010 7:50 AM 24440]
R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [6/18/2010 7:50 AM 29560]
R2 avg9emc;AVG E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [3/5/2010 10:47 AM 916760]
R2 avg9wd;AVG WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [3/5/2010 10:47 AM 308064]
R2 msftesql$SQLEXPRESS;SQL Server FullText Search (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe [6/22/2007 9:22 AM 95592]
R2 OAcat;Online Armor Helper Service;c:\program files\Tall Emu\Online Armor\oacat.exe [6/18/2010 7:50 AM 1284600]
R2 SvcOnlineArmor;Online Armor;c:\program files\Tall Emu\Online Armor\oasrv.exe [6/18/2010 7:50 AM 3364856]
S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [1/29/2010 3:36 AM 717296]
S2 gupdate1c95cab836b518e;Google Update Service (gupdate1c95cab836b518e);c:\program files\Google\Update\GoogleUpdate.exe [12/12/2008 5:46 PM 133104]
.
Contents of the 'Scheduled Tasks' folder
2010-06-18 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-12-07 10:55]
2010-06-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-12-12 11:34]
2010-06-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-12-12 11:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyServer = http=127.0.0.1:1038
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_2EC7709873947E87.dll/cmsidewiki.html
Trusted Zone: aig.com\na.connect
DPF: {3BA494B1-D507-4C11-9BDA-D47E1A65DFCF} - hxxps://na.connect.aig.com/llclient/Neoteris/winxp/,DanaInfo=10.249.14.102+AXXPEE.dll
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://na.connect.aig.com/dana-cached/sc/JuniperSetupClient.cab
FF - ProfilePath - c:\documents and settings\Eric\Application Data\Mozilla\Firefox\Profiles\y8rdhq3a.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - ORPHANS REMOVED - - - -
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-18 10:19
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\msftesql$SQLEXPRESS]
"ImagePath"=""c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe" -s:MSSQL.1 -f:SQLEXPRESS"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(612)
c:\windows\system32\CSGina.dll
.
Completion time: 2010-06-18 10:23:36
ComboFix-quarantined-files.txt 2010-06-18 15:23
Pre-Run: 167,228,624,896 bytes free
Post-Run: 168,004,136,960 bytes free
- - End Of File - - 55F387BB9CA730721894D3591907FC22