Another AV Security Suite infection


Solved Re: Another AV Security Suite infection

Post by grasshopper on 21st June 2010, 3:32 am

Hi Chris,

I am not sure why I should change this. I want to keep Google as my default search engine (don't I?)

Eric

Post by Crush on 21st June 2010, 4:10 am

You've got a proxy infection that's preventing you from changing it. You'll just need to confirm the change to remedy the infection.

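Added example, not from this thread or from any tool mentioned in it: a quick check of the WinINET proxy values that Internet Explorer reads, which is where a "proxy infection" of this kind sits. Rogue antivirus programs of this era commonly pointed IE at a proxy on 127.0.0.1 so that a local process could redirect or block pages; the port in the constructed sample below is made up, and the function names are mine. On the affected machine it reads the live values; anywhere else it exercises the logic on the samples.

```python
"""Check Internet Explorer (WinINET) proxy settings for a local proxy hijack.

Added example.  The SAMPLE_* dicts are constructed, not taken from the
machine discussed in the thread.
"""
import re
import sys

# HKCU key that IE6/7/8 read their proxy configuration from.
WININET_KEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings"

LOOPBACK = re.compile(r"^(?:127\.\d+\.\d+\.\d+|localhost|::1)$", re.IGNORECASE)


def _hosts(proxy_server):
    """Return the bare hostnames from a ProxyServer value.

    The value is either "host:port" or a ';'-separated list such as
    "http=host:port;https=host:port".
    """
    hosts = []
    for entry in filter(None, proxy_server.split(";")):
        if "=" in entry:
            entry = entry.split("=", 1)[1]
        hosts.append(entry.rsplit(":", 1)[0].strip().strip("[]"))
    return hosts


def assess_proxy(settings):
    """Return findings for a dict keyed like the registry values.

    Keys: ProxyEnable (int), ProxyServer (str), AutoConfigURL (str).
    Missing keys mean "not set".
    """
    findings = []
    enabled = int(settings.get("ProxyEnable", 0) or 0)
    server = str(settings.get("ProxyServer", "") or "")
    pac = str(settings.get("AutoConfigURL", "") or "")

    if enabled and server:
        for host in _hosts(server):
            if LOOPBACK.match(host):
                findings.append(
                    "ProxyEnable=1 with ProxyServer=%r: browser traffic is "
                    "routed through a process on this machine" % server)
                break
        else:  # no loopback host found
            findings.append(
                "ProxyEnable=1 with ProxyServer=%r: confirm this proxy is "
                "one you configured" % server)
    elif enabled:
        findings.append("ProxyEnable=1 but ProxyServer is empty")
    if pac:
        findings.append("AutoConfigURL=%r: a PAC script controls proxying" % pac)
    return findings


def read_wininet_settings():
    """Read the live values from HKCU on Windows; return None elsewhere."""
    if sys.platform != "win32":
        return None
    import winreg
    out = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, WININET_KEY) as key:
        for name in ("ProxyEnable", "ProxyServer", "AutoConfigURL"):
            try:
                out[name] = winreg.QueryValueEx(key, name)[0]
            except FileNotFoundError:
                pass
    return out


# Constructed samples: a hijacked profile (port chosen arbitrarily) and a clean one.
SAMPLE_HIJACKED = {"ProxyEnable": 1, "ProxyServer": "http=127.0.0.1:5555"}
SAMPLE_CLEAN = {"ProxyEnable": 0, "ProxyServer": ""}

if __name__ == "__main__":
    live = read_wininet_settings() or SAMPLE_HIJACKED
    for finding in assess_proxy(live) or ["no proxy findings"]:
        print(finding)
```

If the loopback finding shows up, the next question is which process is listening on that port (netstat -ano on XP SP2 and later shows the PID), because clearing the registry value without removing the listener just gets it re-set at the next logon.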

Post by grasshopper on 21st June 2010, 4:17 am

Okay, I turned off "Set and keep Google as my default Search Engine". Should I rerun ComboFix?

Eric

Post by Crush on 21st June 2010, 4:47 am

Try the fix posted in Post 14, yes.

Post by grasshopper on 21st June 2010, 5:14 am

Hi Chris,

No Google popup... Here is the log.

ComboFix 10-06-20.03 - Eric 06/20/2010 23:57:36.5.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1982.1368 [GMT -5:00]
Running from: c:\documents and settings\Eric\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Eric\Desktop\CFscript.txt
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Thumbs.db

.
((((((((((((((((((((((((( Files Created from 2010-05-21 to 2010-06-21 )))))))))))))))))))))))))))))))
.

2010-06-20 19:19 . 2010-06-20 19:19 -------- d-----w- c:\program files\NVIDIA Corporation
2010-06-18 12:50 . 2010-06-18 13:17 -------- d-----w- c:\documents and settings\All Users\Application Data\OnlineArmor
2010-06-18 12:50 . 2010-06-18 12:50 -------- d-----w- c:\documents and settings\Eric\Application Data\OnlineArmor
2010-06-18 12:50 . 2010-04-20 09:13 24440 ----a-w- c:\windows\system32\drivers\OAmon.sys
2010-06-18 12:50 . 2010-04-20 09:13 29560 ----a-w- c:\windows\system32\drivers\OAnet.sys
2010-06-18 12:50 . 2010-04-20 09:13 228216 ----a-w- c:\windows\system32\drivers\OADriver.sys
2010-06-18 12:50 . 2010-06-18 12:50 -------- d-----w- c:\program files\Tall Emu
2010-06-18 12:46 . 2010-06-18 12:46 -------- d-----w- c:\program files\SpywareBlaster
2010-06-18 09:11 . 2010-06-18 09:11 -------- d-----w- c:\program files\ESET
2010-06-18 04:25 . 2010-06-18 04:25 -------- d-s---w- c:\documents and settings\NetworkService\UserData
2010-06-17 17:10 . 2010-02-05 14:17 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2010-06-17 17:10 . 2010-03-29 15:06 218592 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-06-17 17:10 . 2009-11-23 18:54 88040 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2010-06-17 17:10 . 2010-04-08 19:29 63360 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-06-17 17:10 . 2010-06-17 17:10 -------- d-----w- c:\program files\Common Files\PC Tools
2010-06-17 17:10 . 2010-06-17 17:10 -------- d-----w- c:\documents and settings\Eric\Application Data\PC Tools
2010-06-17 17:10 . 2010-06-17 17:10 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2010-06-17 17:10 . 2010-06-17 17:10 -------- d-----w- c:\program files\Spyware Doctor
2010-06-17 15:53 . 2010-06-18 10:09 -------- d-----w- c:\documents and settings\Eric\Local Settings\Application Data\ukcpenhtj
2010-06-17 14:32 . 2010-06-17 14:32 -------- d-----w- c:\program files\Voxengo
2010-06-17 12:01 . 2010-06-17 12:01 -------- d-----w- c:\program files\Audacity
2010-06-14 10:28 . 1993-07-23 05:00 210944 ----a-w- c:\windows\system32\Msvcrt10.dll
2010-06-14 10:27 . 1999-10-22 06:11 52736 ----a-w- c:\windows\system32\Pdfshell.dll
2010-06-14 10:25 . 1998-10-29 20:45 306688 ----a-w- c:\windows\IsUninst.exe
2010-06-08 08:03 . 2010-06-08 08:03 -------- d-----w- c:\windows\SQLTools9_KB970892_ENU
2010-06-08 08:01 . 2010-06-08 08:01 -------- d-----w- c:\windows\SQL9_KB970892_ENU
2010-06-07 15:38 . 2010-06-07 15:38 3584 ----a-r- c:\documents and settings\Eric\Application Data\Microsoft\Installer\{121634B0-2F4B-11D3-ADA3-00C04F52DD52}\Icon386ED4E3.exe
2010-06-07 15:38 . 2010-06-07 15:38 -------- d-----w- c:\program files\Windows Installer Clean Up
2010-06-07 14:40 . 2010-06-07 15:37 -------- d-----w- c:\program files\MSECACHE
2010-06-07 12:13 . 2010-06-07 12:13 -------- d-----w- c:\documents and settings\Eric\Local Settings\Application Data\Irony
2010-06-01 13:43 . 2010-06-01 13:43 29512 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgmfx86.sys
2010-06-01 13:43 . 2010-06-01 13:43 242896 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys
2010-05-25 02:27 . 2010-05-25 02:27 61440 ----a-w- c:\documents and settings\Eric\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-439fdc55-n\decora-sse.dll
2010-05-25 02:27 . 2010-05-25 02:27 503808 ----a-w- c:\documents and settings\Eric\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-26bf0192-n\msvcp71.dll
2010-05-25 02:27 . 2010-05-25 02:27 499712 ----a-w- c:\documents and settings\Eric\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-26bf0192-n\jmc.dll
2010-05-25 02:27 . 2010-05-25 02:27 348160 ----a-w- c:\documents and settings\Eric\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-26bf0192-n\msvcr71.dll
2010-05-25 02:27 . 2010-05-25 02:27 12800 ----a-w- c:\documents and settings\Eric\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-439fdc55-n\decora-d3d.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-21 01:33 . 2009-10-25 23:59 -------- d---a-w- c:\documents and settings\All Users\Application Data\Temp
2010-06-19 05:48 . 2008-12-07 16:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-06-17 17:32 . 2009-10-28 13:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-17 16:55 . 2009-08-08 09:49 -------- d-----w- c:\program files\Free Offers from Freeze.com
2010-06-17 15:52 . 2008-12-07 16:46 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-06-15 18:29 . 2008-12-13 23:49 -------- d-----w- c:\program files\Common Files\Adobe
2010-06-14 16:06 . 2008-11-16 13:22 70696 ----a-w- c:\documents and settings\Eric\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-14 10:22 . 2010-02-03 09:43 -------- d-----w- c:\program files\Free Easy Burner
2010-06-11 08:12 . 2008-11-16 13:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-06-08 08:03 . 2008-11-16 13:51 -------- d-----w- c:\program files\Microsoft SQL Server
2010-06-07 15:45 . 2008-11-16 13:07 -------- d-----w- c:\program files\Microsoft.NET
2010-06-07 13:38 . 2008-11-16 14:55 -------- d-----w- c:\program files\Microsoft Visual Studio 8
2010-06-07 13:26 . 2009-04-15 19:28 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-01 13:43 . 2009-04-03 14:12 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-06-01 13:43 . 2008-11-16 17:23 29584 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-05-17 14:31 . 2010-05-17 14:31 -------- d--h--w- c:\documents and settings\All Users\Application Data\CanonBJ
2010-05-15 13:50 . 2008-12-07 16:45 -------- d-----w- c:\program files\Google
2010-05-02 05:22 . 2003-03-31 12:00 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-29 20:39 . 2009-10-28 13:31 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 20:39 . 2009-10-28 13:31 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-20 05:30 . 2003-03-31 12:00 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-16 16:09 . 2003-03-31 12:00 667136 ----a-w- c:\windows\system32\wininet.dll
2010-04-16 16:09 . 2004-08-04 07:56 81920 ------w- c:\windows\system32\ieencode.dll
2010-04-05 17:44 . 2010-03-04 13:28 4846 ----a-r- c:\documents and settings\Eric\Application Data\Microsoft\Installer\{FCD7C22E-06CE-4F29-8CCD-55A7B4D0B087}\_5B1774D2E3075CCF328EDA.exe
2010-04-05 17:44 . 2010-03-04 13:28 4710 ----a-r- c:\documents and settings\Eric\Application Data\Microsoft\Installer\{FCD7C22E-06CE-4F29-8CCD-55A7B4D0B087}\_E3DB97A5850DBC128D7B65.exe
2010-04-05 17:44 . 2010-03-04 13:28 4710 ----a-r- c:\documents and settings\Eric\Application Data\Microsoft\Installer\{FCD7C22E-06CE-4F29-8CCD-55A7B4D0B087}\_8E66822E457E550010289E.exe
2010-04-05 17:44 . 2010-03-04 13:28 4710 ----a-r- c:\documents and settings\Eric\Application Data\Microsoft\Installer\{FCD7C22E-06CE-4F29-8CCD-55A7B4D0B087}\_60FA5A9483A6EBA443B57C.exe
2010-04-05 17:44 . 2010-03-04 13:28 4710 ----a-r- c:\documents and settings\Eric\Application Data\Microsoft\Installer\{FCD7C22E-06CE-4F29-8CCD-55A7B4D0B087}\_4CAAF08408C8FEDDEDE6F6.exe
2010-04-05 17:44 . 2010-03-04 13:28 4846 ----a-r- c:\documents and settings\Eric\Application Data\Microsoft\Installer\{FCD7C22E-06CE-4F29-8CCD-55A7B4D0B087}\_12DBA35940918FB93254F3.exe
2010-04-05 17:44 . 2010-03-04 13:28 4710 ----a-r- c:\documents and settings\Eric\Application Data\Microsoft\Installer\{FCD7C22E-06CE-4F29-8CCD-55A7B4D0B087}\_F6DB2D7CC108D7C7EC0674.exe
2010-04-05 17:44 . 2010-03-04 13:28 4710 ----a-r- c:\documents and settings\Eric\Application Data\Microsoft\Installer\{FCD7C22E-06CE-4F29-8CCD-55A7B4D0B087}\_23898BB06D60197612CEBF.exe
2010-04-05 17:44 . 2010-03-04 13:28 4846 ----a-r- c:\documents and settings\Eric\Application Data\Microsoft\Installer\{FCD7C22E-06CE-4F29-8CCD-55A7B4D0B087}\_DAFD234B6DD27FDD55C9DB.exe
2010-04-05 17:44 . 2010-03-04 13:28 4710 ----a-r- c:\documents and settings\Eric\Application Data\Microsoft\Installer\{FCD7C22E-06CE-4F29-8CCD-55A7B4D0B087}\_F38630FC83CCA1F7DDDF3B.exe
2010-04-05 17:44 . 2010-03-04 13:28 4710 ----a-r- c:\documents and settings\Eric\Application Data\Microsoft\Installer\{FCD7C22E-06CE-4F29-8CCD-55A7B4D0B087}\_152E1AB519A70F234DA294.exe
2010-04-05 17:44 . 2010-03-04 13:28 1078 ----a-r- c:\documents and settings\Eric\Application Data\Microsoft\Installer\{FCD7C22E-06CE-4F29-8CCD-55A7B4D0B087}\_6FEFF9B68218417F98F549.exe
2010-04-04 03:55 . 2010-04-04 03:55 61440 ----a-w- c:\windows\system32\OpenCL.dll
2010-04-04 03:55 . 2010-04-04 03:55 4075520 ----a-w- c:\windows\system32\nvcuda.dll
2010-04-04 03:55 . 2010-04-04 03:55 2646632 ----a-w- c:\windows\system32\nvcuvenc.dll
2010-04-04 03:55 . 2010-04-04 03:55 227944 ----a-w- c:\windows\system32\nvcodins.dll
2010-04-04 03:55 . 2010-04-04 03:55 227944 ----a-w- c:\windows\system32\nvcod.dll
2010-04-04 03:55 . 2010-04-04 03:55 2183470 ----a-w- c:\windows\system32\nvdata.bin
2010-04-04 03:55 . 2010-04-04 03:55 2030184 ----a-w- c:\windows\system32\nvcuvid.dll
2010-04-04 03:55 . 2010-04-04 03:55 14757888 ----a-w- c:\windows\system32\nvoglnt.dll
2010-04-04 03:55 . 2010-04-04 03:55 11647592 ----a-w- c:\windows\system32\nvcompiler.dll
2010-04-04 03:55 . 2010-04-04 03:55 1097728 ----a-w- c:\windows\system32\nvapi.dll
2010-04-04 03:55 . 2004-08-04 05:29 10232128 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2010-03-30 18:59 . 2010-03-30 18:59 61440 ----a-w- c:\documents and settings\Eric\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-349c8116-n\decora-sse.dll
2010-03-30 18:59 . 2010-03-30 18:59 503808 ----a-w- c:\documents and settings\Eric\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-3742d89b-n\msvcp71.dll
2010-03-30 18:59 . 2010-03-30 18:59 499712 ----a-w- c:\documents and settings\Eric\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-3742d89b-n\jmc.dll
2010-03-30 18:59 . 2010-03-30 18:59 348160 ----a-w- c:\documents and settings\Eric\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-3742d89b-n\msvcr71.dll
2010-03-30 18:59 . 2010-03-30 18:59 12800 ----a-w- c:\documents and settings\Eric\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-349c8116-n\decora-d3d.dll
2010-03-29 14:37 . 2010-03-29 14:37 38344 ----a-w- c:\windows\system32\drivers\CO_Mon.sys
2010-03-29 14:37 . 2010-03-29 14:37 58632 ----a-w- c:\documents and settings\Eric\Application Data\WholeSecurity\CAT\WSUIEE.exe
2010-03-29 14:36 . 2010-03-29 14:36 36939 ----a-w- c:\documents and settings\Eric\Application Data\Juniper Networks\setup\uninstall.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IDTSysTrayApp"="sttray.exe" [2007-09-06 405504]
"SigmatelSysTrayApp"="stsystra.exe" [2006-07-27 282624]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-06-01 2065248]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2010-05-11 1287120]
"@OnlineArmor GUI"="c:\program files\Tall Emu\Online Armor\oaui.exe" [2010-04-20 6678008]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2006-10-27 434528]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-3-3 113664]
VPN Client.lnk - c:\windows\Installer\{CCBAA1F7-E5E1-48B2-9ED9-A79C6A37CE78}\Icon3E5562ED7.ico [2009-4-30 6144]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2009-4-28 122880]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{4F07DA45-8170-4859-9B5F-037EF2970034}"= "c:\progra~1\TALLEM~1\ONLINE~1\oaevent.dll" [2010-04-20 925688]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-03-05 15:47 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3713959246-320310600-2471480639-1178\Scripts\Logon\0\0]
"Script"=logon.bat

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
"c:\\Program Files\\Common Files\\Microsoft Shared\\DevServer\\9.0\\WebDev.WebServer.EXE"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgam.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\Microsoft Expression\\Media 2\\Media.exe"=

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [4/3/2009 9:12 AM 52872]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [6/17/2010 12:10 PM 218592]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [4/3/2009 9:12 AM 216200]
R1 AvgTdiX;AVG Network Redirector;c:\windows\system32\drivers\avgtdix.sys [4/3/2009 9:12 AM 242896]
R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [6/18/2010 7:50 AM 228216]
R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [6/18/2010 7:50 AM 24440]
R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [6/18/2010 7:50 AM 29560]
R2 avg9emc;AVG E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [3/5/2010 10:47 AM 916760]
R2 avg9wd;AVG WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [3/5/2010 10:47 AM 308064]
R2 msftesql$SQLEXPRESS;SQL Server FullText Search (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe [6/22/2007 9:22 AM 95592]
R2 OAcat;Online Armor Helper Service;c:\program files\Tall Emu\Online Armor\oacat.exe [6/18/2010 7:50 AM 1284600]
R2 SvcOnlineArmor;Online Armor;c:\program files\Tall Emu\Online Armor\oasrv.exe [6/18/2010 7:50 AM 3364856]
S2 gupdate1c95cab836b518e;Google Update Service (gupdate1c95cab836b518e);c:\program files\Google\Update\GoogleUpdate.exe [12/12/2008 5:46 PM 133104]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [1/29/2010 3:36 AM 717296]
.
Contents of the 'Scheduled Tasks' folder

2010-06-21 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-12-07 10:55]

2010-06-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-12-12 11:34]

2010-06-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-12-12 11:34]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uSearchAssistant = [You must be registered and logged in to see this link.]
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_2EC7709873947E87.dll/cmsidewiki.html
Trusted Zone: aig.com\na.connect
DPF: {3BA494B1-D507-4C11-9BDA-D47E1A65DFCF} - [You must be registered and logged in to see this link.]
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - [You must be registered and logged in to see this link.]
FF - ProfilePath - c:\documents and settings\Eric\Application Data\Mozilla\Firefox\Profiles\y8rdhq3a.default\
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-06-21 00:07
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\msftesql$SQLEXPRESS]
"ImagePath"=""c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe" -s:MSSQL.1 -f:SQLEXPRESS"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(616)
c:\windows\system32\CSGina.dll
.
Completion time: 2010-06-21 00:12:40
ComboFix-quarantined-files.txt 2010-06-21 05:12
ComboFix2.txt 2010-06-20 20:19

Pre-Run: 167,702,372,352 bytes free
Post-Run: 167,696,740,352 bytes free

- - End Of File - - EBA1C5E904842A9560510F8089A93926

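Added example, not part of ComboFix or of this thread: a small triage pass over the "Reg Loading Points" section of a log like the one above. It flags the three things a helper looks at first in that section: Run entries that launch from a user-writable profile directory, a Group Policy logon script, and the Windows Firewall being off. The log above shows a random-named folder under Local Settings\Application Data created the day the trouble started, and rogue antivirus programs of this era commonly ran from exactly such a folder; that connection is my inference, not something the log proves. The sample section is constructed from the shape of the posted log, and the "Updater" entry with its path and size is invented to show what a hit looks like.

```python
"""Triage the 'Reg Loading Points' section of a ComboFix log.

Added example, not part of ComboFix.  SAMPLE_SECTION is constructed from
the shape of the log in this thread; the 'Updater' entry is invented.
"""
import re

# "Name"="data" [date size]   or   "Name"=data   (ComboFix's REGEDIT4-style lines)
VALUE_RE = re.compile(
    r'^"(?P<name>[^"]+)"\s*=\s*"?(?P<data>[^"\[]*?)"?\s*(?:\[(?P<meta>[^\]]*)\])?\s*$')

# Profile locations that the user, and so malware running as the user, can
# write to.  Legitimate autostarts from here do exist (per-user Google
# Update, for one), so a hit means "look at this", not "malware".
USER_WRITABLE = re.compile(
    r"\\(local settings\\application data|local settings\\temp|application data|temp)\\",
    re.IGNORECASE)


def parse_loading_points(text):
    """Yield (section, name, data) for each value line under a [key] header."""
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if m and section is not None:
            yield section, m.group("name"), m.group("data").strip()


def triage(text):
    """Return (section, name, reason) for entries worth a second look."""
    findings = []
    for section, name, data in parse_loading_points(text):
        sec = section.lower()
        if sec.endswith(r"firewallpolicy\standardprofile") and name == "EnableFirewall":
            if data.startswith("0"):
                findings.append((section, name,
                    "Windows Firewall is off; confirm a third-party firewall is meant to replace it"))
        elif "\\scripts\\logon\\" in sec:
            findings.append((section, name,
                "Group Policy logon script %r runs at every logon; inspect it" % data))
        elif sec.endswith(r"\currentversion\run") or sec.endswith(r"\currentversion\runonce"):
            if USER_WRITABLE.search(data):
                findings.append((section, name,
                    "autostart from a user-writable profile directory: " + data))
    return findings


# Constructed sample.  The 'Updater' line is invented; the others mirror the posted log.
SAMPLE_SECTION = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-06-01 2065248]
"Updater"="c:\documents and settings\Eric\Local Settings\Application Data\qwzrtpkx\qwzrtpkx.exe" [2010-06-17 151552]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3713959246-320310600-2471480639-1178\Scripts\Logon\0\0]
"Script"=logon.bat

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

if __name__ == "__main__":
    for section, name, reason in triage(SAMPLE_SECTION):
        print("[%s]\n  %s: %s" % (section, name, reason))
```

Feed it the section between "Reg Loading Points" and the service list (the R0/R1/S2 lines use a different layout and are skipped). Each finding still needs a human decision: in the log above the firewall is off while Online Armor is installed, which is a normal consequence of installing a third-party firewall, but it is exactly the kind of entry that must be accounted for rather than assumed.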

Post by Crush on 21st June 2010, 5:29 am

Hi,

I'm going to get someone else's opinion on this. Be back ASAP

Post by Crush on 21st June 2010, 5:50 am

Hi again.

* Download Dr.Web CureIt to the desktop:
[You must be registered and logged in to see this link.]


  • Double-click the drweb-cureit.exe file and allow it to run the express scan.
  • This will scan the files currently running in memory; when something is found, click the Yes button when it asks whether you want to cure it. This is only a short scan.
  • Once the short scan has finished, click Options > Change settings.
  • Choose the "Scan" tab and remove the mark at "Heuristic analysis".
  • Back at the main window, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click "Yes to all" if it asks whether you want to cure/move the file.
  • When the scan has finished, check whether you can click the icon next to the files found:
  • If so, click it, then click the icon right below and select Move incurable, as shown in the next image:

    This will move it to the %userprofile%\DoctorWeb\quarantine folder if it can't be cured (in case we need samples).
  • After selecting, in the Dr.Web CureIt menu on top, click File and choose Save report list.
  • Save the report to your desktop. The report will be called DrWeb.csv.
  • Close Dr.Web CureIt.
  • Reboot your computer, because files in use may be moved/deleted during the reboot.
  • After reboot, post the contents of the Dr.Web log you saved in your next reply.

Post by grasshopper on 22nd June 2010, 10:25 am

Hi Chris,

Scan finally finished... a couple of things.

When I first started the Full scan (after the express) the system rebooted on me. Told me ...

OA Crash dump, and a folder and filename of the dump file. I attempted to look at it with Notepad but it is not a text file. I of course can send it if needed.

Also when I rebooted (after Dr. Web) the PC ran a chkdsk process (completed successfully).

Dr. Web found one virus it cured. nothing else.

BTW, Dr. Web's screens have changed and a few of the steps above are not the same... FYI.

Here are the contents of the csv file... Thanks again!

Eric


avgldx86.sys;C:\Qoobox\32788R22FWJFW;BackDoor.Tdss.2459;Cured.;

I cannot open the CureIt log file. I tried Notepad, WordPad, and Word. The file size is 331,959 KB (huge). Your thoughts...

The scan was large and took about 24 hours to complete. I can't remember the number of files, but close to 2 million I think (I scanned the external drive as well).

Post by Crush on 22nd June 2010, 5:31 pm

Hey Eric,

Thanks. Those instructions must be a bit dated. Anyway, the only thing it picked up was a file quarantined by combofix. Are things running any better now?


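Added example, not from Dr.Web or from this thread: the point Crush makes above is that a hit inside C:\Qoobox is ComboFix's quarantine copy of something already removed, not a live file, and a DrWeb.csv report can be sorted on that automatically rather than by eye. The parser below reads the "file;folder;threat;action;" lines, joins the path, and reports which hits sit under a known quarantine root. The first sample line is the one posted above; the second is invented to show a live hit, and the function names are mine.

```python
"""Sort Dr.Web CureIt report lines into live hits and quarantined copies.

Added example.  SAMPLE_REPORT is built around the one line posted in the
thread plus an invented second line.
"""
import csv
import io
from pathlib import PureWindowsPath

# Quarantine roots.  C:\Qoobox is where ComboFix keeps what it removed
# (the thread's own hit is there).  Add other tools' quarantine folders
# as you confirm them on the machine.
QUARANTINE_ROOTS = (
    PureWindowsPath(r"C:\Qoobox"),
)


def under(path, root):
    """True if path is root or lies inside it (case-insensitive, Windows semantics)."""
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    root_parts = [p.lower() for p in root.parts]
    return parts[:len(root_parts)] == root_parts


def parse_report(text):
    """Yield one dict per 'file;folder;threat;action;' line; skip anything else."""
    for row in csv.reader(io.StringIO(text), delimiter=";"):
        if len(row) < 4 or not row[0]:
            continue
        yield {"file": row[0], "folder": row[1], "threat": row[2], "action": row[3]}


def classify(text):
    """Split the report into {'live': [...], 'quarantined': [...]} of (path, threat)."""
    live, quarantined = [], []
    for hit in parse_report(text):
        full = str(PureWindowsPath(hit["folder"]) / hit["file"])
        if any(under(full, root) for root in QUARANTINE_ROOTS):
            quarantined.append((full, hit["threat"]))
        else:
            live.append((full, hit["threat"]))
    return {"live": live, "quarantined": quarantined}


# Constructed sample: line 1 is the posted detection, line 2 is invented.
SAMPLE_REPORT = (
    "avgldx86.sys;C:\\Qoobox\\32788R22FWJFW;BackDoor.Tdss.2459;Cured.;\n"
    "example.dll;C:\\WINDOWS\\system32;Trojan.Example.1;Deleted.;\n"
)

if __name__ == "__main__":
    result = classify(SAMPLE_REPORT)
    for label in ("live", "quarantined"):
        for path, threat in result[label]:
            print("%-11s %s  (%s)" % (label, path, threat))
```

A quarantined hit is still information: the detection name here says the file ComboFix pulled out of the driver directory carried a TDSS (TDL3-family) infection, which is consistent with that family's habit of patching a legitimate driver on disk, and it is a reason to keep the Qoobox folder until the helper says the machine is clean.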

Post by grasshopper on 22nd June 2010, 5:59 pm

Hi Chris,

You know, I have not been using the system much because I didn't want to do something that would taint any scan results.

In general the system is the same as before the last scan (where it found the last virus). The problem with the system going to the wrong internet page seems to be cleared up (with the small few tests I just tried).

It seems that I am able to re-install my audio and video drivers.

All of my favorites are still shortcuts (is there an application that would convert those back?).

So for the little I have used it and on the surface it seems ok.

What would be your next step for me to do?

On a side note, I have two other systems that don't seem to be infected but was wondering if I should run one or more of the applications that I ran on this system. Your thoughts?

Should I go ahead and start working on the "previously" infected system now?

Thanks again,

Eric

Post by grasshopper on 22nd June 2010, 6:02 pm

A problem that still seems to be here is when I post to the forum and the screen comes back. I can't see the newest post. If I go into IE and delete my temp files then I see the updated posts.

Do you have any ideas what might cause this?

Eric

Post by Crush on 22nd June 2010, 6:51 pm

> A problem that still seems to be here is when I post to the forum and the screen comes back. I can't see the newest post. If I go into IE and delete my temp files then I see the updated posts.
>
> Do you have any ideas what might cause this?

This might be a forum issue. I'll see what I can do.

> All of my favorites are still shortcuts (is there an application that would convert those back?).

What do you mean by shortcut? Do they take you to the site? What about when you add a new one?

> On a side note, I have two other systems that don't seem to be infected but was wondering if I should run one or more of the applications that I ran on this system. Your thoughts?

We could check those machines in separate threads.

Post by grasshopper on 22nd June 2010, 7:09 pm

Hi Chris, Sorry I am not up on doing quotes.

Item 1 - I don't think it is your site because I bring up the forum on my other system and the new posts are always there. All I need to do is refresh the browser if it is already on your site.

Item 2 - The shortcuts are not Internet shortcuts but Explorer (file) shortcuts. The icon is a square box with the little squares inside. Like a file. If you double click on them they do nothing. They have a file type of Internet shortcut. It appears that they may NOT be associated with a browser (IE). I have been looking around at this since the last post but have not found anything.

Item 3 - Yes, once this thing settles down I would appreciate opening up an additional thread to handle the two other systems. Thank you.

I will continue to look for this association or whatever it is.

Thanks,

Eric

Post by Crush on 22nd June 2010, 7:19 pm

> I don't think it is your site because I bring up the forum on my other system and the new posts are always there. All I need to do is refresh the browser if it is already on your site.

Which browser does your issue occur in?

> The shortcuts are not Internet shortcuts but Explorer (file) shortcuts. The icon is a square box with the little squares inside. Like a file. If you double click on them they do nothing. They have a file type of Internet shortcut. It appears that they may NOT be associated with a browser (IE). I have been looking around at this since the last post but have not found anything.

You might have to just re-create your favorites. I'll see if anyone else has some other ideas though.

As far as Malware goes, I think we're almost done here.


Please run a free online scan with the [You must be registered and logged in to see this link.]
Note: You will need to use Internet Explorer for this scan

  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and Scan unwanted applications are checked
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, you may close the window
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic

Post by grasshopper on 22nd June 2010, 7:31 pm

Item -1
I am using IE 6 (I know, but I don't like 7 and 8). I do like Firefox but have not made the leap.

Item-2
When I create a new favorite it is the "wrong" type. I copied one of the bad links to my other system and it came up as an IE favorite and worked great.

So it is the way my "infected" system is looking at these files. Kinda like an association issue but I can't find how to associate these files. Still looking.

I will run the scan you requested and post the log file.

Eric

Post by Crush on 22nd June 2010, 8:41 pm

I am using IE 6 (I know, but I don't like 7 and 8). I do like Firefox but have not made the leap.

Therein is likely the cause of your issues. IE7 and 8 include a multitude of security updates to protect you from this kind of stuff. I strongly recommend updating when we're done here.


When I create a new favorite it is the "wrong" type. I copied one of the bad links to my other system and it came up as an IE favorite and worked great.

So it is the way my "infected" system is looking at these files. Kinda like an association issue but I can't find how to associate these files. Still looking.

They are all stored here c:\documents and settings\%userprofile%\favorites

If there's an association issue this will pick it up


Please download [You must be registered and logged in to see this link.]

  • Extract it to Desktop and double click SREngLdr.EXE to run it
  • Select System Repair from the left pane.
  • Click on File Association
  • Select all entries that have an Error status and click [Repair]
  • Refer to this image for an example:

  • In your case, it would be .EXE
  • Close SREng now.



Post by grasshopper on 23rd June 2010, 10:26 am

Hi Chris,

ESET found the same Trojan as before. Thanks for the link above. I may wait until this is all clean before I run it.

What do you think my next step is?

Eric

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=6.00.2900.5512 (xpsp.080413-2105)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=72df6bb2859a2249a1bb4db882f240d4
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-06-18 11:28:06
# local_time=2010-06-18 06:28:06 (-0600, Central Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=1029 16777213 100 98 0 19376246 0 0
# compatibility_mode=2560 16777215 100 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=254162
# found=1
# cleaned=1
# scan_time=8041
C:\Documents and Settings\Eric\Local Settings\Application Data\ukcpenhtj\oengniu.exe a variant of Win32/Kryptik.ETK trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
# version=7
# iexplore.exe=6.00.2900.5512 (xpsp.080413-2105)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=72df6bb2859a2249a1bb4db882f240d4
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-06-23 01:22:11
# local_time=2010-06-22 08:22:11 (-0600, Central Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=1029 16777213 100 98 0 19759158 0 0
# compatibility_mode=2560 16777215 100 0 0 0 0 0
# compatibility_mode=6401 16777213 66 100 0 4557229 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=917188
# found=0
# cleaned=0
# scan_time=20774

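Reading the ESET log quoted above: log.txt accumulates one "# key=value" header block per run, so the two utc_time values show that the Kryptik detection belongs to the 18 June run while the 23 June run found nothing. Added example in Python (not from the thread or from ESET) that splits such a log into runs and checks them; it assumes the space-separated detection layout as it appears here and uses a constructed, shortened sample.

```python
import re

# Constructed sample, not the thread's own log: same layout as the ESET Online
# Scanner log.txt quoted above (an appended "# key=value" header per run, then
# one line per detection), with most header keys dropped for brevity.
SAMPLE_LOG = """\
# version=7
# utc_time=2010-06-18 11:28:06
# found=1
# cleaned=1
C:\\Documents and Settings\\Eric\\Local Settings\\Application Data\\ukcpenhtj\\oengniu.exe a variant of Win32/Kryptik.ETK trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
# version=7
# utc_time=2010-06-23 01:22:11
# found=0
# cleaned=0
"""

# A detection line: path, threat name, action in parentheses, 32 hex digits, a flag.
DETECTION_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?\.\w{1,4})\s+(?P<threat>.+?)\s+"
    r"\((?P<action>[^)]*)\)\s+(?P<hash>[0-9a-fA-F]{32})\s+(?P<flag>\S)$"
)


def parse_eset_log(text):
    """Split an appended log.txt into runs; each '# version=' line opens a new one.
    A run is a dict of its header keys plus a 'detections' list."""
    runs = []
    for line in text.splitlines():
        line = line.rstrip()
        if line.startswith("# "):
            key, _, value = line[2:].partition("=")
            if key == "version":
                runs.append({"detections": []})
            if runs:
                runs[-1][key] = value
        else:
            m = DETECTION_RE.match(line)
            if m and runs:
                runs[-1]["detections"].append(m.groupdict())
    return runs


def run_is_consistent(run):
    """The 'found' counter should equal the number of detection lines parsed."""
    return int(run.get("found", "0")) == len(run["detections"])


def latest_run_clean(runs):
    """True when the most recent run (by utc_time) reports nothing found."""
    latest = max(runs, key=lambda r: r.get("utc_time", ""))
    return int(latest.get("found", "0")) == 0 and not latest["detections"]
```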

Post by Crush on 23rd June 2010, 5:05 pm

Hi grasshopper,

That's odd. We deleted that folder a couple of pages ago.

Anyway, using Windows Explorer, see if you can navigate to the following folder:


C:\Documents and Settings\Eric\Local Settings\Application Data\ukcpenhtj\

Once there, please delete it
======

Did you run SReng to check for a file associations issue on those favorites links?


Post by grasshopper on 24th June 2010, 1:59 am

Hi Chris, deleted the folder above.

Ran System Repair Engineer. Found one error, .CHM. Rebooted, still have problems with Internet shortcut associations.

System Repair Engineer keeps displaying a blue box with a Warning "reminding me that the following functions have been modified to abnormal values by unknown reasons

Entrypoint Error LoadLibraryExW
EntryPoint Error: FreeLibrary"

When I click on details it lists the two entries.

I attempt to fix but they don't go away... even after rebooting.

Any ideas?

Thanks again,

Eric


Post by Crush on 24th June 2010, 4:01 am

Hi Eric,

I'm talking to a few colleagues of mine, trying to get a "meeting of the minds". For now, could you try this please?

[You must be registered and logged in to see this link.]


Post by grasshopper on 24th June 2010, 10:26 am

Hey Chris....

First spot of sunshine. My Internet shortcuts are working now. WOW that is a relief!!!!

Thanks so much.

I scanned using ESET last night and was clean. Is there anything else I should run?

If not, should I run ESET (or something else) in the evenings to confirm the Trojan has not come back?

Eric


Post by Crush on 24th June 2010, 6:59 pm

WOOHOO!! Hooray!

I'm pretty confident you're clean but give it a day or so, and if you experience any more errors like in your first post please let me know.

If not, we'll just do some cleanup and you can be on your way with a clean machine


Post by grasshopper on 24th June 2010, 7:31 pm

Thanks Chris,

One last thing. I have Online Armor running and I went to a site (an employment site) that I for the most part trust. It popped up wanting me to allow access to

C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_wp.exe

I thought, why would they need that, and I blocked it. Now I have left the site and have only email and Explorer up (now Internet Explorer as well) and I keep getting an information bubble (from the tray) with this information:

aspnet_wp.exe, 1.1.4322.2463, (1.1.4322.2463)
C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_wp.exe
Hash(MD5): 44EB2854E8A23A72BEAB9DAAB1A6E0CF

Can you shed some light on this? Should I allow it?

Thanks,

Eric

Lastly, we had talked about me scanning the other two systems I have. Is there a first step that I could do and if it finds anything then I will open another thread?




Post by Crush on 25th June 2010, 12:14 am

Hi Eric,

That's a legitimate file. You can safely allow it. As for your other two machines, if you read the link in my signature entitled Pre-Posting Instructions that will guide you through the proper steps to get things rolling. Please create separate threads for the two machines so we can fix one in one thread and one in the other. I'll keep an eye out for them and if I'm not beaten to it by one of the other staff I'll guide you through the removal process in those two threads. You've been a pleasure to work with so far.



Post by grasshopper on 25th June 2010, 1:24 am

Thanks Chris,

I will look at the link Friday. I thank you and enjoyed working with you as well!!!

Eric
