Another AV Security Suite infection
Page 3 of 5
Page 3 of 5 • 1, 2, 3, 4, 5
- grasshopperNovice
-
OS : Windows XP
Posts : 46
Rubies : 3533
Likes : 0
Hi Chris,
I am not sure why I should change this. I want to keep Google as my default search engine (don't I?)
Eric
I am not sure why I should change this. I want to keep Google as my default search engine (don't I?)
Eric
- CrushSecurity Colleague
-
Posts : 3882
Rubies : 20040
Likes : 0
You've got a proxy infection that's preventing you from changing it. You'll just need to confirm the change to remedy the infection 

- grasshopperNovice
-
OS : Windows XP
Posts : 46
Rubies : 3533
Likes : 0
Okay, I turned off the "Set and keep Google as my default Search Engine" Should I rerun the ComboFix?
Eric
Eric
- CrushSecurity Colleague
-
Posts : 3882
Rubies : 20040
Likes : 0
Try the fix posted in Post 14, yes 

- grasshopperNovice
-
OS : Windows XP
Posts : 46
Rubies : 3533
Likes : 0
Hi Chris,
No Goggle popup... Here is the log.
ComboFix 10-06-20.03 - Eric 06/20/2010 23:57:36.5.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1982.1368 [GMT -5:00]
Running from: c:\documents and settings\Eric\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Eric\Desktop\CFscript.txt
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Thumbs.db
.
((((((((((((((((((((((((( Files Created from 2010-05-21 to 2010-06-21 )))))))))))))))))))))))))))))))
.
2010-06-20 19:19 . 2010-06-20 19:19 -------- d-----w- c:\program files\NVIDIA Corporation
2010-06-18 12:50 . 2010-06-18 13:17 -------- d-----w- c:\documents and settings\All Users\Application Data\OnlineArmor
2010-06-18 12:50 . 2010-06-18 12:50 -------- d-----w- c:\documents and settings\Eric\Application Data\OnlineArmor
2010-06-18 12:50 . 2010-04-20 09:13 24440 ----a-w- c:\windows\system32\drivers\OAmon.sys
2010-06-18 12:50 . 2010-04-20 09:13 29560 ----a-w- c:\windows\system32\drivers\OAnet.sys
2010-06-18 12:50 . 2010-04-20 09:13 228216 ----a-w- c:\windows\system32\drivers\OADriver.sys
2010-06-18 12:50 . 2010-06-18 12:50 -------- d-----w- c:\program files\Tall Emu
2010-06-18 12:46 . 2010-06-18 12:46 -------- d-----w- c:\program files\SpywareBlaster
2010-06-18 09:11 . 2010-06-18 09:11 -------- d-----w- c:\program files\ESET
2010-06-18 04:25 . 2010-06-18 04:25 -------- d-s---w- c:\documents and settings\NetworkService\UserData
2010-06-17 17:10 . 2010-02-05 14:17 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2010-06-17 17:10 . 2010-03-29 15:06 218592 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-06-17 17:10 . 2009-11-23 18:54 88040 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2010-06-17 17:10 . 2010-04-08 19:29 63360 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-06-17 17:10 . 2010-06-17 17:10 -------- d-----w- c:\program files\Common Files\PC Tools
2010-06-17 17:10 . 2010-06-17 17:10 -------- d-----w- c:\documents and settings\Eric\Application Data\PC Tools
2010-06-17 17:10 . 2010-06-17 17:10 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2010-06-17 17:10 . 2010-06-17 17:10 -------- d-----w- c:\program files\Spyware Doctor
2010-06-17 15:53 . 2010-06-18 10:09 -------- d-----w- c:\documents and settings\Eric\Local Settings\Application Data\ukcpenhtj
2010-06-17 14:32 . 2010-06-17 14:32 -------- d-----w- c:\program files\Voxengo
2010-06-17 12:01 . 2010-06-17 12:01 -------- d-----w- c:\program files\Audacity
2010-06-14 10:28 . 1993-07-23 05:00 210944 ----a-w- c:\windows\system32\Msvcrt10.dll
2010-06-14 10:27 . 1999-10-22 06:11 52736 ----a-w- c:\windows\system32\Pdfshell.dll
2010-06-14 10:25 . 1998-10-29 20:45 306688 ----a-w- c:\windows\IsUninst.exe
2010-06-08 08:03 . 2010-06-08 08:03 -------- d-----w- c:\windows\SQLTools9_KB970892_ENU
2010-06-08 08:01 . 2010-06-08 08:01 -------- d-----w- c:\windows\SQL9_KB970892_ENU
2010-06-07 15:38 . 2010-06-07 15:38 3584 ----a-r- c:\documents and settings\Eric\Application Data\Microsoft\Installer\{121634B0-2F4B-11D3-ADA3-00C04F52DD52}\Icon386ED4E3.exe
2010-06-07 15:38 . 2010-06-07 15:38 -------- d-----w- c:\program files\Windows Installer Clean Up
2010-06-07 14:40 . 2010-06-07 15:37 -------- d-----w- c:\program files\MSECACHE
2010-06-07 12:13 . 2010-06-07 12:13 -------- d-----w- c:\documents and settings\Eric\Local Settings\Application Data\Irony
2010-06-01 13:43 . 2010-06-01 13:43 29512 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgmfx86.sys
2010-06-01 13:43 . 2010-06-01 13:43 242896 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys
2010-05-25 02:27 . 2010-05-25 02:27 61440 ----a-w- c:\documents and settings\Eric\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-439fdc55-n\decora-sse.dll
2010-05-25 02:27 . 2010-05-25 02:27 503808 ----a-w- c:\documents and settings\Eric\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-26bf0192-n\msvcp71.dll
2010-05-25 02:27 . 2010-05-25 02:27 499712 ----a-w- c:\documents and settings\Eric\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-26bf0192-n\jmc.dll
2010-05-25 02:27 . 2010-05-25 02:27 348160 ----a-w- c:\documents and settings\Eric\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-26bf0192-n\msvcr71.dll
2010-05-25 02:27 . 2010-05-25 02:27 12800 ----a-w- c:\documents and settings\Eric\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-439fdc55-n\decora-d3d.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-21 01:33 . 2009-10-25 23:59 -------- d---a-w- c:\documents and settings\All Users\Application Data\Temp
2010-06-19 05:48 . 2008-12-07 16:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-06-17 17:32 . 2009-10-28 13:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-17 16:55 . 2009-08-08 09:49 -------- d-----w- c:\program files\Free Offers from Freeze.com
2010-06-17 15:52 . 2008-12-07 16:46 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-06-15 18:29 . 2008-12-13 23:49 -------- d-----w- c:\program files\Common Files\Adobe
2010-06-14 16:06 . 2008-11-16 13:22 70696 ----a-w- c:\documents and settings\Eric\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-14 10:22 . 2010-02-03 09:43 -------- d-----w- c:\program files\Free Easy Burner
2010-06-11 08:12 . 2008-11-16 13:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-06-08 08:03 . 2008-11-16 13:51 -------- d-----w- c:\program files\Microsoft SQL Server
2010-06-07 15:45 . 2008-11-16 13:07 -------- d-----w- c:\program files\Microsoft.NET
2010-06-07 13:38 . 2008-11-16 14:55 -------- d-----w- c:\program files\Microsoft Visual Studio 8
2010-06-07 13:26 . 2009-04-15 19:28 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-01 13:43 . 2009-04-03 14:12 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-06-01 13:43 . 2008-11-16 17:23 29584 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-05-17 14:31 . 2010-05-17 14:31 -------- d--h--w- c:\documents and settings\All Users\Application Data\CanonBJ
2010-05-15 13:50 . 2008-12-07 16:45 -------- d-----w- c:\program files\Google
2010-05-02 05:22 . 2003-03-31 12:00 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-29 20:39 . 2009-10-28 13:31 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 20:39 . 2009-10-28 13:31 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-20 05:30 . 2003-03-31 12:00 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-16 16:09 . 2003-03-31 12:00 667136 ----a-w- c:\windows\system32\wininet.dll
2010-04-16 16:09 . 2004-08-04 07:56 81920 ------w- c:\windows\system32\ieencode.dll
2010-04-05 17:44 . 2010-03-04 13:28 4846 ----a-r- c:\documents and settings\Eric\Application Data\Microsoft\Installer\{FCD7C22E-06CE-4F29-8CCD-55A7B4D0B087}\_5B1774D2E3075CCF328EDA.exe
2010-04-05 17:44 . 2010-03-04 13:28 4710 ----a-r- c:\documents and settings\Eric\Application Data\Microsoft\Installer\{FCD7C22E-06CE-4F29-8CCD-55A7B4D0B087}\_E3DB97A5850DBC128D7B65.exe
2010-04-05 17:44 . 2010-03-04 13:28 4710 ----a-r- c:\documents and settings\Eric\Application Data\Microsoft\Installer\{FCD7C22E-06CE-4F29-8CCD-55A7B4D0B087}\_8E66822E457E550010289E.exe
2010-04-05 17:44 . 2010-03-04 13:28 4710 ----a-r- c:\documents and settings\Eric\Application Data\Microsoft\Installer\{FCD7C22E-06CE-4F29-8CCD-55A7B4D0B087}\_60FA5A9483A6EBA443B57C.exe
2010-04-05 17:44 . 2010-03-04 13:28 4710 ----a-r- c:\documents and settings\Eric\Application Data\Microsoft\Installer\{FCD7C22E-06CE-4F29-8CCD-55A7B4D0B087}\_4CAAF08408C8FEDDEDE6F6.exe
2010-04-05 17:44 . 2010-03-04 13:28 4846 ----a-r- c:\documents and settings\Eric\Application Data\Microsoft\Installer\{FCD7C22E-06CE-4F29-8CCD-55A7B4D0B087}\_12DBA35940918FB93254F3.exe
2010-04-05 17:44 . 2010-03-04 13:28 4710 ----a-r- c:\documents and settings\Eric\Application Data\Microsoft\Installer\{FCD7C22E-06CE-4F29-8CCD-55A7B4D0B087}\_F6DB2D7CC108D7C7EC0674.exe
2010-04-05 17:44 . 2010-03-04 13:28 4710 ----a-r- c:\documents and settings\Eric\Application Data\Microsoft\Installer\{FCD7C22E-06CE-4F29-8CCD-55A7B4D0B087}\_23898BB06D60197612CEBF.exe
2010-04-05 17:44 . 2010-03-04 13:28 4846 ----a-r- c:\documents and settings\Eric\Application Data\Microsoft\Installer\{FCD7C22E-06CE-4F29-8CCD-55A7B4D0B087}\_DAFD234B6DD27FDD55C9DB.exe
2010-04-05 17:44 . 2010-03-04 13:28 4710 ----a-r- c:\documents and settings\Eric\Application Data\Microsoft\Installer\{FCD7C22E-06CE-4F29-8CCD-55A7B4D0B087}\_F38630FC83CCA1F7DDDF3B.exe
2010-04-05 17:44 . 2010-03-04 13:28 4710 ----a-r- c:\documents and settings\Eric\Application Data\Microsoft\Installer\{FCD7C22E-06CE-4F29-8CCD-55A7B4D0B087}\_152E1AB519A70F234DA294.exe
2010-04-05 17:44 . 2010-03-04 13:28 1078 ----a-r- c:\documents and settings\Eric\Application Data\Microsoft\Installer\{FCD7C22E-06CE-4F29-8CCD-55A7B4D0B087}\_6FEFF9B68218417F98F549.exe
2010-04-04 03:55 . 2010-04-04 03:55 61440 ----a-w- c:\windows\system32\OpenCL.dll
2010-04-04 03:55 . 2010-04-04 03:55 4075520 ----a-w- c:\windows\system32\nvcuda.dll
2010-04-04 03:55 . 2010-04-04 03:55 2646632 ----a-w- c:\windows\system32\nvcuvenc.dll
2010-04-04 03:55 . 2010-04-04 03:55 227944 ----a-w- c:\windows\system32\nvcodins.dll
2010-04-04 03:55 . 2010-04-04 03:55 227944 ----a-w- c:\windows\system32\nvcod.dll
2010-04-04 03:55 . 2010-04-04 03:55 2183470 ----a-w- c:\windows\system32\nvdata.bin
2010-04-04 03:55 . 2010-04-04 03:55 2030184 ----a-w- c:\windows\system32\nvcuvid.dll
2010-04-04 03:55 . 2010-04-04 03:55 14757888 ----a-w- c:\windows\system32\nvoglnt.dll
2010-04-04 03:55 . 2010-04-04 03:55 11647592 ----a-w- c:\windows\system32\nvcompiler.dll
2010-04-04 03:55 . 2010-04-04 03:55 1097728 ----a-w- c:\windows\system32\nvapi.dll
2010-04-04 03:55 . 2004-08-04 05:29 10232128 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2010-03-30 18:59 . 2010-03-30 18:59 61440 ----a-w- c:\documents and settings\Eric\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-349c8116-n\decora-sse.dll
2010-03-30 18:59 . 2010-03-30 18:59 503808 ----a-w- c:\documents and settings\Eric\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-3742d89b-n\msvcp71.dll
2010-03-30 18:59 . 2010-03-30 18:59 499712 ----a-w- c:\documents and settings\Eric\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-3742d89b-n\jmc.dll
2010-03-30 18:59 . 2010-03-30 18:59 348160 ----a-w- c:\documents and settings\Eric\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-3742d89b-n\msvcr71.dll
2010-03-30 18:59 . 2010-03-30 18:59 12800 ----a-w- c:\documents and settings\Eric\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-349c8116-n\decora-d3d.dll
2010-03-29 14:37 . 2010-03-29 14:37 38344 ----a-w- c:\windows\system32\drivers\CO_Mon.sys
2010-03-29 14:37 . 2010-03-29 14:37 58632 ----a-w- c:\documents and settings\Eric\Application Data\WholeSecurity\CAT\WSUIEE.exe
2010-03-29 14:36 . 2010-03-29 14:36 36939 ----a-w- c:\documents and settings\Eric\Application Data\Juniper Networks\setup\uninstall.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IDTSysTrayApp"="sttray.exe" [2007-09-06 405504]
"SigmatelSysTrayApp"="stsystra.exe" [2006-07-27 282624]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-06-01 2065248]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2010-05-11 1287120]
"@OnlineArmor GUI"="c:\program files\Tall Emu\Online Armor\oaui.exe" [2010-04-20 6678008]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2006-10-27 434528]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-3-3 113664]
VPN Client.lnk - c:\windows\Installer\{CCBAA1F7-E5E1-48B2-9ED9-A79C6A37CE78}\Icon3E5562ED7.ico [2009-4-30 6144]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2009-4-28 122880]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{4F07DA45-8170-4859-9B5F-037EF2970034}"= "c:\progra~1\TALLEM~1\ONLINE~1\oaevent.dll" [2010-04-20 925688]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-03-05 15:47 12464 ----a-w- c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3713959246-320310600-2471480639-1178\Scripts\Logon\0\0]
"Script"=logon.bat
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
"c:\\Program Files\\Common Files\\Microsoft Shared\\DevServer\\9.0\\WebDev.WebServer.EXE"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgam.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\Microsoft Expression\\Media 2\\Media.exe"=
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [4/3/2009 9:12 AM 52872]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [6/17/2010 12:10 PM 218592]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [4/3/2009 9:12 AM 216200]
R1 AvgTdiX;AVG Network Redirector;c:\windows\system32\drivers\avgtdix.sys [4/3/2009 9:12 AM 242896]
R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [6/18/2010 7:50 AM 228216]
R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [6/18/2010 7:50 AM 24440]
R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [6/18/2010 7:50 AM 29560]
R2 avg9emc;AVG E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [3/5/2010 10:47 AM 916760]
R2 avg9wd;AVG WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [3/5/2010 10:47 AM 308064]
R2 msftesql$SQLEXPRESS;SQL Server FullText Search (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe [6/22/2007 9:22 AM 95592]
R2 OAcat;Online Armor Helper Service;c:\program files\Tall Emu\Online Armor\oacat.exe [6/18/2010 7:50 AM 1284600]
R2 SvcOnlineArmor;Online Armor;c:\program files\Tall Emu\Online Armor\oasrv.exe [6/18/2010 7:50 AM 3364856]
S2 gupdate1c95cab836b518e;Google Update Service (gupdate1c95cab836b518e);c:\program files\Google\Update\GoogleUpdate.exe [12/12/2008 5:46 PM 133104]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [1/29/2010 3:36 AM 717296]
.
Contents of the 'Scheduled Tasks' folder
2010-06-21 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-12-07 10:55]
2010-06-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-12-12 11:34]
2010-06-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-12-12 11:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_2EC7709873947E87.dll/cmsidewiki.html
Trusted Zone: aig.com\na.connect
DPF: {3BA494B1-D507-4C11-9BDA-D47E1A65DFCF} - hxxps://na.connect.aig.com/llclient/Neoteris/winxp/,DanaInfo=10.249.14.102+AXXPEE.dll
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://na.connect.aig.com/dana-cached/sc/JuniperSetupClient.cab
FF - ProfilePath - c:\documents and settings\Eric\Application Data\Mozilla\Firefox\Profiles\y8rdhq3a.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-21 00:07
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\msftesql$SQLEXPRESS]
"ImagePath"=""c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe" -s:MSSQL.1 -f:SQLEXPRESS"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(616)
c:\windows\system32\CSGina.dll
.
Completion time: 2010-06-21 00:12:40
ComboFix-quarantined-files.txt 2010-06-21 05:12
ComboFix2.txt 2010-06-20 20:19
Pre-Run: 167,702,372,352 bytes free
Post-Run: 167,696,740,352 bytes free
- - End Of File - - EBA1C5E904842A9560510F8089A93926
No Goggle popup... Here is the log.
ComboFix 10-06-20.03 - Eric 06/20/2010 23:57:36.5.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1982.1368 [GMT -5:00]
Running from: c:\documents and settings\Eric\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Eric\Desktop\CFscript.txt
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Thumbs.db
.
((((((((((((((((((((((((( Files Created from 2010-05-21 to 2010-06-21 )))))))))))))))))))))))))))))))
.
2010-06-20 19:19 . 2010-06-20 19:19 -------- d-----w- c:\program files\NVIDIA Corporation
2010-06-18 12:50 . 2010-06-18 13:17 -------- d-----w- c:\documents and settings\All Users\Application Data\OnlineArmor
2010-06-18 12:50 . 2010-06-18 12:50 -------- d-----w- c:\documents and settings\Eric\Application Data\OnlineArmor
2010-06-18 12:50 . 2010-04-20 09:13 24440 ----a-w- c:\windows\system32\drivers\OAmon.sys
2010-06-18 12:50 . 2010-04-20 09:13 29560 ----a-w- c:\windows\system32\drivers\OAnet.sys
2010-06-18 12:50 . 2010-04-20 09:13 228216 ----a-w- c:\windows\system32\drivers\OADriver.sys
2010-06-18 12:50 . 2010-06-18 12:50 -------- d-----w- c:\program files\Tall Emu
2010-06-18 12:46 . 2010-06-18 12:46 -------- d-----w- c:\program files\SpywareBlaster
2010-06-18 09:11 . 2010-06-18 09:11 -------- d-----w- c:\program files\ESET
2010-06-18 04:25 . 2010-06-18 04:25 -------- d-s---w- c:\documents and settings\NetworkService\UserData
2010-06-17 17:10 . 2010-02-05 14:17 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2010-06-17 17:10 . 2010-03-29 15:06 218592 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-06-17 17:10 . 2009-11-23 18:54 88040 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2010-06-17 17:10 . 2010-04-08 19:29 63360 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-06-17 17:10 . 2010-06-17 17:10 -------- d-----w- c:\program files\Common Files\PC Tools
2010-06-17 17:10 . 2010-06-17 17:10 -------- d-----w- c:\documents and settings\Eric\Application Data\PC Tools
2010-06-17 17:10 . 2010-06-17 17:10 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2010-06-17 17:10 . 2010-06-17 17:10 -------- d-----w- c:\program files\Spyware Doctor
2010-06-17 15:53 . 2010-06-18 10:09 -------- d-----w- c:\documents and settings\Eric\Local Settings\Application Data\ukcpenhtj
2010-06-17 14:32 . 2010-06-17 14:32 -------- d-----w- c:\program files\Voxengo
2010-06-17 12:01 . 2010-06-17 12:01 -------- d-----w- c:\program files\Audacity
2010-06-14 10:28 . 1993-07-23 05:00 210944 ----a-w- c:\windows\system32\Msvcrt10.dll
2010-06-14 10:27 . 1999-10-22 06:11 52736 ----a-w- c:\windows\system32\Pdfshell.dll
2010-06-14 10:25 . 1998-10-29 20:45 306688 ----a-w- c:\windows\IsUninst.exe
2010-06-08 08:03 . 2010-06-08 08:03 -------- d-----w- c:\windows\SQLTools9_KB970892_ENU
2010-06-08 08:01 . 2010-06-08 08:01 -------- d-----w- c:\windows\SQL9_KB970892_ENU
2010-06-07 15:38 . 2010-06-07 15:38 3584 ----a-r- c:\documents and settings\Eric\Application Data\Microsoft\Installer\{121634B0-2F4B-11D3-ADA3-00C04F52DD52}\Icon386ED4E3.exe
2010-06-07 15:38 . 2010-06-07 15:38 -------- d-----w- c:\program files\Windows Installer Clean Up
2010-06-07 14:40 . 2010-06-07 15:37 -------- d-----w- c:\program files\MSECACHE
2010-06-07 12:13 . 2010-06-07 12:13 -------- d-----w- c:\documents and settings\Eric\Local Settings\Application Data\Irony
2010-06-01 13:43 . 2010-06-01 13:43 29512 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgmfx86.sys
2010-06-01 13:43 . 2010-06-01 13:43 242896 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys
2010-05-25 02:27 . 2010-05-25 02:27 61440 ----a-w- c:\documents and settings\Eric\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-439fdc55-n\decora-sse.dll
2010-05-25 02:27 . 2010-05-25 02:27 503808 ----a-w- c:\documents and settings\Eric\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-26bf0192-n\msvcp71.dll
2010-05-25 02:27 . 2010-05-25 02:27 499712 ----a-w- c:\documents and settings\Eric\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-26bf0192-n\jmc.dll
2010-05-25 02:27 . 2010-05-25 02:27 348160 ----a-w- c:\documents and settings\Eric\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-26bf0192-n\msvcr71.dll
2010-05-25 02:27 . 2010-05-25 02:27 12800 ----a-w- c:\documents and settings\Eric\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-439fdc55-n\decora-d3d.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-21 01:33 . 2009-10-25 23:59 -------- d---a-w- c:\documents and settings\All Users\Application Data\Temp
2010-06-19 05:48 . 2008-12-07 16:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-06-17 17:32 . 2009-10-28 13:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-17 16:55 . 2009-08-08 09:49 -------- d-----w- c:\program files\Free Offers from Freeze.com
2010-06-17 15:52 . 2008-12-07 16:46 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-06-15 18:29 . 2008-12-13 23:49 -------- d-----w- c:\program files\Common Files\Adobe
2010-06-14 16:06 . 2008-11-16 13:22 70696 ----a-w- c:\documents and settings\Eric\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-14 10:22 . 2010-02-03 09:43 -------- d-----w- c:\program files\Free Easy Burner
2010-06-11 08:12 . 2008-11-16 13:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-06-08 08:03 . 2008-11-16 13:51 -------- d-----w- c:\program files\Microsoft SQL Server
2010-06-07 15:45 . 2008-11-16 13:07 -------- d-----w- c:\program files\Microsoft.NET
2010-06-07 13:38 . 2008-11-16 14:55 -------- d-----w- c:\program files\Microsoft Visual Studio 8
2010-06-07 13:26 . 2009-04-15 19:28 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-01 13:43 . 2009-04-03 14:12 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-06-01 13:43 . 2008-11-16 17:23 29584 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-05-17 14:31 . 2010-05-17 14:31 -------- d--h--w- c:\documents and settings\All Users\Application Data\CanonBJ
2010-05-15 13:50 . 2008-12-07 16:45 -------- d-----w- c:\program files\Google
2010-05-02 05:22 . 2003-03-31 12:00 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-29 20:39 . 2009-10-28 13:31 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 20:39 . 2009-10-28 13:31 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-20 05:30 . 2003-03-31 12:00 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-16 16:09 . 2003-03-31 12:00 667136 ----a-w- c:\windows\system32\wininet.dll
2010-04-16 16:09 . 2004-08-04 07:56 81920 ------w- c:\windows\system32\ieencode.dll
2010-04-05 17:44 . 2010-03-04 13:28 4846 ----a-r- c:\documents and settings\Eric\Application Data\Microsoft\Installer\{FCD7C22E-06CE-4F29-8CCD-55A7B4D0B087}\_5B1774D2E3075CCF328EDA.exe
2010-04-05 17:44 . 2010-03-04 13:28 4710 ----a-r- c:\documents and settings\Eric\Application Data\Microsoft\Installer\{FCD7C22E-06CE-4F29-8CCD-55A7B4D0B087}\_E3DB97A5850DBC128D7B65.exe
2010-04-05 17:44 . 2010-03-04 13:28 4710 ----a-r- c:\documents and settings\Eric\Application Data\Microsoft\Installer\{FCD7C22E-06CE-4F29-8CCD-55A7B4D0B087}\_8E66822E457E550010289E.exe
2010-04-05 17:44 . 2010-03-04 13:28 4710 ----a-r- c:\documents and settings\Eric\Application Data\Microsoft\Installer\{FCD7C22E-06CE-4F29-8CCD-55A7B4D0B087}\_60FA5A9483A6EBA443B57C.exe
2010-04-05 17:44 . 2010-03-04 13:28 4710 ----a-r- c:\documents and settings\Eric\Application Data\Microsoft\Installer\{FCD7C22E-06CE-4F29-8CCD-55A7B4D0B087}\_4CAAF08408C8FEDDEDE6F6.exe
2010-04-05 17:44 . 2010-03-04 13:28 4846 ----a-r- c:\documents and settings\Eric\Application Data\Microsoft\Installer\{FCD7C22E-06CE-4F29-8CCD-55A7B4D0B087}\_12DBA35940918FB93254F3.exe
2010-04-05 17:44 . 2010-03-04 13:28 4710 ----a-r- c:\documents and settings\Eric\Application Data\Microsoft\Installer\{FCD7C22E-06CE-4F29-8CCD-55A7B4D0B087}\_F6DB2D7CC108D7C7EC0674.exe
2010-04-05 17:44 . 2010-03-04 13:28 4710 ----a-r- c:\documents and settings\Eric\Application Data\Microsoft\Installer\{FCD7C22E-06CE-4F29-8CCD-55A7B4D0B087}\_23898BB06D60197612CEBF.exe
2010-04-05 17:44 . 2010-03-04 13:28 4846 ----a-r- c:\documents and settings\Eric\Application Data\Microsoft\Installer\{FCD7C22E-06CE-4F29-8CCD-55A7B4D0B087}\_DAFD234B6DD27FDD55C9DB.exe
2010-04-05 17:44 . 2010-03-04 13:28 4710 ----a-r- c:\documents and settings\Eric\Application Data\Microsoft\Installer\{FCD7C22E-06CE-4F29-8CCD-55A7B4D0B087}\_F38630FC83CCA1F7DDDF3B.exe
2010-04-05 17:44 . 2010-03-04 13:28 4710 ----a-r- c:\documents and settings\Eric\Application Data\Microsoft\Installer\{FCD7C22E-06CE-4F29-8CCD-55A7B4D0B087}\_152E1AB519A70F234DA294.exe
2010-04-05 17:44 . 2010-03-04 13:28 1078 ----a-r- c:\documents and settings\Eric\Application Data\Microsoft\Installer\{FCD7C22E-06CE-4F29-8CCD-55A7B4D0B087}\_6FEFF9B68218417F98F549.exe
2010-04-04 03:55 . 2010-04-04 03:55 61440 ----a-w- c:\windows\system32\OpenCL.dll
2010-04-04 03:55 . 2010-04-04 03:55 4075520 ----a-w- c:\windows\system32\nvcuda.dll
2010-04-04 03:55 . 2010-04-04 03:55 2646632 ----a-w- c:\windows\system32\nvcuvenc.dll
2010-04-04 03:55 . 2010-04-04 03:55 227944 ----a-w- c:\windows\system32\nvcodins.dll
2010-04-04 03:55 . 2010-04-04 03:55 227944 ----a-w- c:\windows\system32\nvcod.dll
2010-04-04 03:55 . 2010-04-04 03:55 2183470 ----a-w- c:\windows\system32\nvdata.bin
2010-04-04 03:55 . 2010-04-04 03:55 2030184 ----a-w- c:\windows\system32\nvcuvid.dll
2010-04-04 03:55 . 2010-04-04 03:55 14757888 ----a-w- c:\windows\system32\nvoglnt.dll
2010-04-04 03:55 . 2010-04-04 03:55 11647592 ----a-w- c:\windows\system32\nvcompiler.dll
2010-04-04 03:55 . 2010-04-04 03:55 1097728 ----a-w- c:\windows\system32\nvapi.dll
2010-04-04 03:55 . 2004-08-04 05:29 10232128 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2010-03-30 18:59 . 2010-03-30 18:59 61440 ----a-w- c:\documents and settings\Eric\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-349c8116-n\decora-sse.dll
2010-03-30 18:59 . 2010-03-30 18:59 503808 ----a-w- c:\documents and settings\Eric\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-3742d89b-n\msvcp71.dll
2010-03-30 18:59 . 2010-03-30 18:59 499712 ----a-w- c:\documents and settings\Eric\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-3742d89b-n\jmc.dll
2010-03-30 18:59 . 2010-03-30 18:59 348160 ----a-w- c:\documents and settings\Eric\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-3742d89b-n\msvcr71.dll
2010-03-30 18:59 . 2010-03-30 18:59 12800 ----a-w- c:\documents and settings\Eric\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-349c8116-n\decora-d3d.dll
2010-03-29 14:37 . 2010-03-29 14:37 38344 ----a-w- c:\windows\system32\drivers\CO_Mon.sys
2010-03-29 14:37 . 2010-03-29 14:37 58632 ----a-w- c:\documents and settings\Eric\Application Data\WholeSecurity\CAT\WSUIEE.exe
2010-03-29 14:36 . 2010-03-29 14:36 36939 ----a-w- c:\documents and settings\Eric\Application Data\Juniper Networks\setup\uninstall.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IDTSysTrayApp"="sttray.exe" [2007-09-06 405504]
"SigmatelSysTrayApp"="stsystra.exe" [2006-07-27 282624]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-06-01 2065248]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2010-05-11 1287120]
"@OnlineArmor GUI"="c:\program files\Tall Emu\Online Armor\oaui.exe" [2010-04-20 6678008]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2006-10-27 434528]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-3-3 113664]
VPN Client.lnk - c:\windows\Installer\{CCBAA1F7-E5E1-48B2-9ED9-A79C6A37CE78}\Icon3E5562ED7.ico [2009-4-30 6144]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2009-4-28 122880]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{4F07DA45-8170-4859-9B5F-037EF2970034}"= "c:\progra~1\TALLEM~1\ONLINE~1\oaevent.dll" [2010-04-20 925688]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-03-05 15:47 12464 ----a-w- c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3713959246-320310600-2471480639-1178\Scripts\Logon\0\0]
"Script"=logon.bat
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
"c:\\Program Files\\Common Files\\Microsoft Shared\\DevServer\\9.0\\WebDev.WebServer.EXE"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgam.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\Microsoft Expression\\Media 2\\Media.exe"=
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [4/3/2009 9:12 AM 52872]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [6/17/2010 12:10 PM 218592]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [4/3/2009 9:12 AM 216200]
R1 AvgTdiX;AVG Network Redirector;c:\windows\system32\drivers\avgtdix.sys [4/3/2009 9:12 AM 242896]
R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [6/18/2010 7:50 AM 228216]
R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [6/18/2010 7:50 AM 24440]
R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [6/18/2010 7:50 AM 29560]
R2 avg9emc;AVG E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [3/5/2010 10:47 AM 916760]
R2 avg9wd;AVG WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [3/5/2010 10:47 AM 308064]
R2 msftesql$SQLEXPRESS;SQL Server FullText Search (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe [6/22/2007 9:22 AM 95592]
R2 OAcat;Online Armor Helper Service;c:\program files\Tall Emu\Online Armor\oacat.exe [6/18/2010 7:50 AM 1284600]
R2 SvcOnlineArmor;Online Armor;c:\program files\Tall Emu\Online Armor\oasrv.exe [6/18/2010 7:50 AM 3364856]
S2 gupdate1c95cab836b518e;Google Update Service (gupdate1c95cab836b518e);c:\program files\Google\Update\GoogleUpdate.exe [12/12/2008 5:46 PM 133104]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [1/29/2010 3:36 AM 717296]
.
Contents of the 'Scheduled Tasks' folder
2010-06-21 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-12-07 10:55]
2010-06-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-12-12 11:34]
2010-06-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-12-12 11:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_2EC7709873947E87.dll/cmsidewiki.html
Trusted Zone: aig.com\na.connect
DPF: {3BA494B1-D507-4C11-9BDA-D47E1A65DFCF} - hxxps://na.connect.aig.com/llclient/Neoteris/winxp/,DanaInfo=10.249.14.102+AXXPEE.dll
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://na.connect.aig.com/dana-cached/sc/JuniperSetupClient.cab
FF - ProfilePath - c:\documents and settings\Eric\Application Data\Mozilla\Firefox\Profiles\y8rdhq3a.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-21 00:07
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\msftesql$SQLEXPRESS]
"ImagePath"=""c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe" -s:MSSQL.1 -f:SQLEXPRESS"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(616)
c:\windows\system32\CSGina.dll
.
Completion time: 2010-06-21 00:12:40
ComboFix-quarantined-files.txt 2010-06-21 05:12
ComboFix2.txt 2010-06-20 20:19
Pre-Run: 167,702,372,352 bytes free
Post-Run: 167,696,740,352 bytes free
- - End Of File - - EBA1C5E904842A9560510F8089A93926
- CrushSecurity Colleague
-
Posts : 3882
Rubies : 20040
Likes : 0
Hi,
I'm going to get someone else's opinion on this. Be back ASAP
I'm going to get someone else's opinion on this. Be back ASAP
- CrushSecurity Colleague
-
Posts : 3882
Rubies : 20040
Likes : 0
Hi again.
* Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
* Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
- Doubleclick the drweb-cureit.exe file and Allow to run the express scan
- This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
- Once the short scan has finished, Click Options > Change settings
- Choose the "Scan"-tab, remove the mark at "Heuristic analysis".
- Back at the main window, mark the drives that you want to scan.
- Select all drives. A red dot shows which drives have been chosen.
- Click the green arrow at the right, and the scan will start.
- Click 'Yes to all' if it asks if you want to cure/move the file.
- When the scan has finished, look if you can click next icon next to the files found:
- If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:
This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured. (this in case if we need samples) - After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
- Save the report to your desktop. The report will be called DrWeb.csv
- Close Dr.Web Cureit.
- Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
- After reboot, post the contents of the log from Dr.Web you saved previously in your next reply.
- grasshopperNovice
-
OS : Windows XP
Posts : 46
Rubies : 3533
Likes : 0
Hi Chris,
Scan finally finished... a couple of things.
When I first started the Full scan (after the express) the system rebooted on me. Told me ...
OA Crash dump. and a folder and filename of the dump file. I attempted to look at it with notepad but it not a text file. I of course can send it if needed.
Also when I rebooted (after Dr. Web) the PC ran a chkdsk process (completed successfully).
Dr. Web found one virus it cured. nothing else.
BTW. Dr. Webs screens have changed and a few of the steps above are not the same...FYI
Here if the contents of the csv file... Thanks again!
Eric
avgldx86.sys;C:\Qoobox\32788R22FWJFW;BackDoor.Tdss.2459;Cured.;
I cannot open the CureIt log file. I tried Noepad, WordPad, and Word. The filesize is 331,959 KB (huge). Your thoughts...
Scan was large and took about 24 hours to complete I can't remember the number of files but close to 2 million I think (I scanned the external drive as well).
Scan finally finished... a couple of things.
When I first started the Full scan (after the express) the system rebooted on me. Told me ...
OA Crash dump. and a folder and filename of the dump file. I attempted to look at it with notepad but it not a text file. I of course can send it if needed.
Also when I rebooted (after Dr. Web) the PC ran a chkdsk process (completed successfully).
Dr. Web found one virus it cured. nothing else.
BTW. Dr. Webs screens have changed and a few of the steps above are not the same...FYI
Here if the contents of the csv file... Thanks again!
Eric
avgldx86.sys;C:\Qoobox\32788R22FWJFW;BackDoor.Tdss.2459;Cured.;
I cannot open the CureIt log file. I tried Noepad, WordPad, and Word. The filesize is 331,959 KB (huge). Your thoughts...
Scan was large and took about 24 hours to complete I can't remember the number of files but close to 2 million I think (I scanned the external drive as well).
- CrushSecurity Colleague
-
Posts : 3882
Rubies : 20040
Likes : 0
Hey Eric,
Thanks. Those instructions must be a bit dated. Anyway, the only thing it picked up was a file quarantined by combofix. Are things running any better now?
Thanks. Those instructions must be a bit dated. Anyway, the only thing it picked up was a file quarantined by combofix. Are things running any better now?
- grasshopperNovice
-
OS : Windows XP
Posts : 46
Rubies : 3533
Likes : 0
Hi Chris,
You know, I have not been using the system much because I didn't want to do something that would taint any scan results.
In general the system is the same as before the last scan (where it found the last virus) . The problem with the system going to the wrong internet page seems to be cleared up (with the small few tests I just tried).
It seems that I am able to re-install my audio and video drivers.
All of my favorites are still shortcuts (is there an application that would convert those back?).
So for the little I have used it and on the surface it seems ok.
What would be your next step for me to do?
On a side note, I have two other systems that don't seem to be infected but was wondering if I should run one or more of the applications that I ran on this system. Your thoughts?
Should I go ahead and start working on the "previously" infected system now?
Thanks again,
Eric
You know, I have not been using the system much because I didn't want to do something that would taint any scan results.
In general the system is the same as before the last scan (where it found the last virus) . The problem with the system going to the wrong internet page seems to be cleared up (with the small few tests I just tried).
It seems that I am able to re-install my audio and video drivers.
All of my favorites are still shortcuts (is there an application that would convert those back?).
So for the little I have used it and on the surface it seems ok.
What would be your next step for me to do?
On a side note, I have two other systems that don't seem to be infected but was wondering if I should run one or more of the applications that I ran on this system. Your thoughts?
Should I go ahead and start working on the "previously" infected system now?
Thanks again,
Eric
Page 3 of 5 • 1, 2, 3, 4, 5
Similar topics
Create an account or log in to leave a reply
You need to be a member in order to leave a reply.
Page 3 of 5
Permissions in this forum:
You cannot reply to topics in this forum