Fake AVG virus

donnamv

New Member
Thread author
Aug 16, 2012
49
Laptop is VERY S L O W starting up and it keeps disconnecting from wireless and won't reconnect unless I restart the computer.
The ESET results show 13 threats... do I click on "uninstall application" on close?
here is the ESET log:

C:\Temp\air1B08.exe multiple threats
C:\Temp\GetLyrics.exe a variant of Win32/Adware.AddLyrics.B application
C:\Temp\SecondStepInstaller.exe multiple threats
C:\WINDOWS\system32\config\systemprofile\Application Data\SearchProtect\ffprotect\application.js Win32/Conduit.SearchProtect.A application
C:\WINDOWS\system32\config\systemprofile\Application Data\SearchProtect\ffprotect\nsprotector.js Win32/Conduit.SearchProtect.A application
C:\_OTL\MovedFiles\05252013_152118\C_Documents and Settings\pvidulic\Application Data\SearchProtect\bin\ChromeModule.dll a variant of Win32/Conduit.SearchProtect.C application
C:\_OTL\MovedFiles\05252013_152118\C_Documents and Settings\pvidulic\Application Data\SearchProtect\bin\cltmng.exe a variant of Win32/Conduit.SearchProtect.B application
C:\_OTL\MovedFiles\05252013_152118\C_Documents and Settings\pvidulic\Application Data\SearchProtect\bin\CltMngSvc.exe Win32/Conduit.SearchProtect.A application
C:\_OTL\MovedFiles\05252013_152118\C_Documents and Settings\pvidulic\Application Data\SearchProtect\bin\FirefoxModule.dll a variant of Win32/Conduit.SearchProtect.C application
C:\_OTL\MovedFiles\05252013_152118\C_Documents and Settings\pvidulic\Application Data\SearchProtect\bin\InternetExplorerModule.dll a variant of Win32/Conduit.SearchProtect.C application
C:\_OTL\MovedFiles\05252013_152118\C_Documents and Settings\pvidulic\Application Data\SearchProtect\bin\SPHook32.dll probably a variant of Win32/Conduit.SearchProtect.C application
C:\_OTL\MovedFiles\05252013_152118\C_Documents and Settings\pvidulic\Application Data\SearchProtect\ffprotect\application.js Win32/Conduit.SearchProtect.A application
C:\_OTL\MovedFiles\05252013_152118\C_Documents and Settings\pvidulic\Application Data\SearchProtect\Res\SPSetup.exe Win32/Conduit.SearchProtect.A application




Fiery said:
Good! We are almost done. How is your PC? Any other issues?

Run Eset NOD32 Online AntiVirus here

Note: You will need to use Internet Explorer for this scan.
Vista / 7 users: You will need to right-click on the Internet Explorer icon and select Run as Administrator
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Disable your current antivirus software. You can usually do this with its Notification Tray icon near the clock.
  • Make sure that the option "Remove found threats" is Un-checked, and the following Advanced Settings are Checked
    • Scan unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Click Scan
  • Wait for the scan to finish
  • When the scan is done, if it shows a screen that says "Threats found!", then click "List of found threats", and then click "Export to text file..."
  • Save that text file on your desktop. Copy and paste the contents of that log in your next reply to this topic.
  • The log can also be found in logfile located at C:\Program Files\ESET\Eset Online Scanner\log.txt
 

Fiery

Level 1
Jan 11, 2011
2,007
Please download ComboFix from one of these locations:

Link 1: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Link 2: http://www.infospyware.net/antimalware/combofix/

* IMPORTANT !!! Save ComboFix to your Desktop as ComboFix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
    See HERE for help: http://www.bleepingcomputer.com/forums/topic114351.html
  • Double click on ComboFix & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: (This applies to Windows XP systems only) If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image: http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image: http://img.photobucket.com/albums/v706/ried7/whatnext.png
Click on Yes, to continue scanning for malware.

When finished, ComboFix will produce a log.

Note:
1. Do not mouse-click ComboFix's window while it's running. That may cause it to stall!
2. Remember to re-enable your anti-virus and anti-spyware before reconnecting to the Internet.
 

donnamv

New Member
Thread author
Aug 16, 2012
49
The laptop is not connected to the internet. I have to restart it but I still have the ESET screen up which says I have 13 threats. Do I have to do something with that first? Can I close all screens without doing anything and restart the laptop? Please advise.
 

Fiery

Level 1
Jan 11, 2011
2,007
You can close ESET. Those threats can be removed by ComboFix. Most of those threats are already quarantined.
 

donnamv

New Member
Thread author
Aug 16, 2012
49
Started ComboFix and got a pop-up gray box saying Trend Micro OfficeScan Antivirus is active... I can't deactivate it, shut it down or delete it... help
 

Fiery

Level 1
Jan 11, 2011
2,007
Let ComboFix continue to run. If Trend Micro pops up, don't let it delete ComboFix. Ignore the Trend Micro popups, if any.
 

donnamv

New Member
Thread author
Aug 16, 2012
49
ComboFix 13-05-28.02 - pvidulic 05/29/2013 0:07.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1534.371 [GMT -4:00]
Running from: c:\documents and settings\pvidulic\My Documents\Downloads\ComboFix.exe
AV: Trend Micro OfficeScan Antivirus *Enabled/Updated* {58027DB4-A7D7-4BBF-AFB5-6A5AC1AB795C}
* Resident AV is active
.
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
c:\program files\GetLyrics\geTLrcs.dll
c:\windows\Installer\{7681A1A9-D865-4DC0-A319-41A49F5E78DB}\pnaico.exe.20FBBF0A_A7E5_4BDE_9798_9811C3D135AC.exe
c:\windows\system32\_000008_.tmp.dll
c:\windows\system32\Cache
c:\windows\system32\Cache\075884af680ff6dc.fb
c:\windows\system32\Cache\227113dfa1ca894d.fb
c:\windows\system32\Cache\49fbbc5a8678d502.fb
c:\windows\system32\Cache\4c36f23a2a95eb8e.fb
c:\windows\system32\Cache\5c54eb1a1655b076.fb
c:\windows\system32\Cache\613e8ce7ab7106af.fb
c:\windows\system32\Cache\633a76311867bd11.fb
c:\windows\system32\Cache\691f14230153a9e1.fb
c:\windows\system32\Cache\6cb409d7ac73d9f1.fb
c:\windows\system32\Cache\7614bd6cfa99e546.fb
c:\windows\system32\Cache\77664b6ccc36be9f.fb
c:\windows\system32\Cache\881b3593316772f0.fb
c:\windows\system32\Cache\98657d0579ae1930.fb
c:\windows\system32\Cache\c4e10d1be905349b.fb
c:\windows\system32\Cache\d5c0f4e7bbe35bf3.fb
c:\windows\system32\Cache\d9ca663388d21ec0.fb
c:\windows\system32\Cache\f2cda51fd108941f.fb
c:\windows\system32\Cache\f34d8db84131d925.fb
c:\windows\system32\TPAPSLOG.LOG
c:\windows\system32\TPHDLOG0.LOG
c:\windows\system32\URTTemp
c:\windows\system32\URTTemp\fusion.dll
c:\windows\system32\URTTemp\mscoree.dll
c:\windows\system32\URTTemp\mscoree.dll.local
c:\windows\system32\URTTemp\mscorsn.dll
c:\windows\system32\URTTemp\mscorwks.dll
c:\windows\system32\URTTemp\msvcr71.dll
c:\windows\system32\URTTemp\regtlib.exe
.
.
((((((((((((((((((((((((( Files Created from 2013-04-28 to 2013-05-29 )))))))))))))))))))))))))))))))
.
.
2013-05-28 20:29 . 2013-05-28 20:29 -------- d-----w- c:\program files\ESET
2013-05-25 19:21 . 2013-05-25 19:21 -------- d-----w- C:\_OTL
2013-05-25 17:12 . 2013-05-25 17:12 -------- d-----w- c:\documents and settings\pvidulic\Application Data\Malwarebytes
2013-05-25 17:11 . 2013-05-25 17:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2013-05-25 17:11 . 2013-05-25 17:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2013-05-25 17:11 . 2013-04-04 18:50 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-05-24 22:32 . 2013-05-24 22:37 -------- d-----w- c:\program files\Common Files\Research in Motion
2013-05-24 22:27 . 2013-05-24 22:27 -------- d-----w- c:\program files\TeamViewer
2013-05-20 00:23 . 2013-05-20 00:23 -------- d-----w- c:\documents and settings\pvidulic\Application Data\AdobeUM
2013-05-20 00:18 . 2013-05-20 00:18 -------- d-----w- c:\program files\Common Files\Adobe
2013-05-20 00:03 . 2013-05-20 00:03 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\SearchProtect
2013-05-04 00:33 . 2013-05-04 00:33 -------- d---a-w- c:\documents and settings\pvidulic\Local Settings\Application Data\AVG SafeGuard toolbar
2013-05-04 00:32 . 2013-05-04 00:32 -------- d---a-w- c:\documents and settings\All Users\Application Data\AVG SafeGuard toolbar
2013-05-04 00:32 . 2013-05-04 00:32 -------- d---a-w- c:\documents and settings\pvidulic\Application Data\AVG SafeGuard toolbar
2013-05-04 00:31 . 2013-05-21 01:44 37664 ----a-w- c:\windows\system32\drivers\avgtpx86.sys
2013-05-04 00:31 . 2013-05-25 02:56 -------- d---a-w- c:\program files\AVG SafeGuard toolbar
2013-05-04 00:30 . 2013-05-04 00:30 -------- d---a-w- c:\program files\Common Files\Bullzip
2013-05-04 00:30 . 2013-05-04 00:30 -------- d---a-w- c:\documents and settings\pvidulic\Application Data\PDF Writer
2013-05-04 00:30 . 2013-05-04 00:30 -------- d---a-w- c:\documents and settings\All Users\Application Data\PDF Writer
2013-05-04 00:30 . 2008-10-30 11:14 227840 ----a-w- c:\windows\system32\bzFlRdr.dll
2013-05-04 00:30 . 2008-07-09 11:14 103424 ----a-w- c:\windows\system32\bzDCT.dll
2013-05-04 00:30 . 2013-04-19 11:14 139264 ----a-w- c:\windows\system32\bzpdfc.dll
2013-05-04 00:29 . 2013-04-19 11:14 200192 ----a-w- c:\windows\system32\bzpdf.dll
2013-05-04 00:29 . 2013-05-04 00:29 -------- d---a-w- c:\program files\Bullzip
2013-05-04 00:29 . 2013-05-04 00:29 -------- d--ha-w- c:\documents and settings\All Users\Application Data\Common Files
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-05-28 00:58 . 2006-11-17 08:59 5427 ----a-w- c:\windows\system32\EGATHDRV.SYS
2013-05-25 01:21 . 2006-11-17 08:58 23552 ----a-w- c:\windows\system32\drivers\psasrv.exe
2013-05-25 01:21 . 2006-07-12 00:52 17536 ----a-w- c:\windows\system32\drivers\psadd.sys
2013-05-22 23:20 . 2013-04-02 12:35 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-05-22 23:20 . 2011-07-25 00:26 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-03-06 10:38 . 2013-03-26 19:33 770384 ----a-w- c:\windows\system32\msvcr100.dll
2013-03-06 10:38 . 2013-03-26 19:33 421200 ----a-w- c:\windows\system32\msvcp100.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\Installshield\UpdateService\ISUSPM.exe" [2008-10-24 206112]
"Gadwin PrintScreen"="c:\program files\Gadwin Systems\PrintScreen\PrintScreen.exe" [2008-12-09 495616]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-09-15 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2009-04-16 417792]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2005-03-17 208896]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2008-10-06 118784]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-10-06 1323008]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2008-10-08 256576]
"TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2007-01-09 868352]
"TpShocks"="TpShocks.exe" [2009-02-03 181536]
"TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe" [2009-03-13 68976]
"TP4EX"="tp4ex.exe" [2005-10-17 65536]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-07-31 30192]
"LPManager"="c:\progra~1\THINKV~2\PrdCtr\LPMGR.exe" [2009-01-29 185688]
"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2008-03-04 487424]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2006-02-02 122940]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2008-10-24 206112]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2008-10-24 79136]
"AwaySch"="c:\program files\Lenovo\AwayTask\AwaySch.EXE" [2006-11-07 91688]
"DiskeeperSystray"="c:\program files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2006-05-19 196696]
"ACTray"="c:\program files\ThinkPad\ConnectUtilities\ACTray.exe" [2006-08-26 409600]
"ACWLIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2006-08-26 110592]
"PDService.exe"="c:\program files\Lenovo\SafeGuard PrivateDisk\pdservice.exe" [2006-03-14 41472]
"cssauth"="c:\program files\Lenovo\Client Security Solution\cssauth.exe" [2006-07-15 2341632]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"Message Center Plus"="c:\program files\LENOVO\Message Center Plus\MCPLaunch.exe" [2009-05-28 49976]
"LENOVO.TPFNF6R"="c:\program files\Lenovo\HOTKEY\TPFNF6R.exe" [2009-04-14 15136]
"TPFNF7"="c:\program files\Lenovo\NPDIRECT\TPFNF7SP.exe" [2009-08-03 62240]
"AMSG"="c:\progra~1\THINKV~2\AMSG\amsg.exe" [2009-04-29 424512]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696]
"LPMailChecker"="c:\progra~1\THINKV~2\PrdCtr\LPMLCHK.exe" [2009-01-29 124248]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-15 49152]
"OfficeScanNT Monitor"="c:\program files\Trend Micro\OfficeScan Client\pccntmon.exe" [2010-10-16 866592]
"ConnectionCenter"="c:\program files\Citrix\ICA Client\concentr.exe" [2010-05-12 300472]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-01-28 59720]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2013-02-20 152392]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"TSClientMSIUninstaller"="c:\windows\Installer\TSClientMsiTrans\tscuinst.vbs" [2007-10-30 13801]
"TSClientAXDisabler"="c:\windows\Installer\TSClientMsiTrans\tscdsbl.bat" [2008-01-19 2247]
.
c:\documents and settings\pvidulic\Start Menu\Programs\Startup\
HP SimpleSave Monitor.lnk - c:\documents and settings\pvidulic\Application Data\HP SimpleSave Application\StartHelper.exe [2010-8-23 477080]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Bluetooth.lnk - c:\program files\ThinkPad\Bluetooth Software\BTTray.exe [2006-5-31 622653]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2009-9-15 50688]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]
Online plug-in.lnk - c:\windows\Installer\{7681A1A9-D865-4DC0-A319-41A49F5E78DB}\pnaico.exe.20FBBF0A_A7E5_4BDE_9798_9811C3D135AC.exe [N/A]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"enableinstallerdetection"= 0 (0x0)
"enablesecureuiapaths"= 0 (0x0)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLogonScripts"= 1 (0x1)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AwayNotify]
2006-08-16 17:07 49152 ------w- c:\program files\Lenovo\AwayTask\AwayNotify.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2009-05-21 20:54 100104 ------w- c:\program files\ThinkVantage Fingerprint Software\psqlpwd.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2006-09-06 20:37 34344 ------w- c:\program files\Lenovo\HOTKEY\notifyf2.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ c:\program files\ThinkVantage Fingerprint Software\psqlpwd.dll scecli
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1524525210-608246017-11539462-17652\Scripts\Logon\0\0]
"Script"=\\olf.com\SYSVOL\olf.com\scripts\asset.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1524525210-608246017-11539462-1893\Scripts\Logon\0\0]
"Script"=LyncNoPrompt.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1524525210-608246017-11539462-1893\Scripts\Logon\1\0]
"Script"=JunkMailImportLists.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1524525210-608246017-11539462-1893\Scripts\Logon\2\0]
"Script"=startup_script.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1524525210-608246017-11539462-1893\Scripts\Logon\3\0]
"Script"=\\olf.com\SYSVOL\olf.com\scripts\asset.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\TeamViewer\\Version8\\TeamViewer.exe"=
"c:\\Program Files\\TeamViewer\\Version8\\TeamViewer_Service.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"53233:TCP"= 53233:TCP:Trend Micro OfficeScan Listener
.
R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [1/28/2009 5:57 PM 20520]
R1 avgtp;avgtp;c:\windows\system32\drivers\avgtpx86.sys [5/3/2013 8:31 PM 37664]
R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [4/16/2010 5:22 PM 65584]
R2 Autorun CDROM Monitor;Autorun CDROM Monitor;c:\windows\system32\SupportAppXL\cdrom_mon.exe [11/10/2009 3:27 PM 81920]
R2 BackupService;BackupService;c:\documents and settings\pvidulic\Application Data\HP SimpleSave Application\uUACTokenSvc.exe [8/23/2010 8:11 PM 83512]
R2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [5/25/2013 1:11 PM 418376]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [5/25/2013 1:11 PM 701512]
R2 Power Manager DBC Service;Power Manager DBC Service;c:\program files\ThinkPad\Utilities\PWMDBSVC.exe [9/15/2009 1:55 PM 53248]
R2 PrivateDisk;PrivateDisk;c:\program files\Lenovo\SafeGuard PrivateDisk\privatediskm.sys [3/13/2006 8:05 PM 58368]
R2 smi2;smi2;c:\program files\SMI2\smi2.sys [7/14/2006 7:55 PM 3968]
R2 smihlp2;SMI Helper Driver (smihlp2);c:\program files\ThinkVantage Fingerprint Software\smihlp.sys [3/13/2009 2:47 PM 12560]
R2 TeamViewer8;TeamViewer 8;c:\program files\TeamViewer\Version8\TeamViewer_Service.exe [5/24/2013 6:27 PM 3574624]
R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2/18/2010 3:51 PM 52304]
R2 TmFilter;Trend Micro Filter;c:\program files\Trend Micro\OfficeScan Client\TmXpflt.sys [9/30/2009 3:38 PM 264504]
R2 TmPreFilter;Trend Micro PreFilter;c:\program files\Trend Micro\OfficeScan Client\TmPreflt.sys [9/30/2009 3:37 PM 36664]
R2 TPHKSVC;On Screen Display;c:\program files\Lenovo\HOTKEY\TPHKSVC.exe [5/21/2009 8:48 PM 62320]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [5/25/2013 1:11 PM 22856]
S2 gupdate1ca568ffa5b08a4;Google Update Service (gupdate1ca568ffa5b08a4);c:\program files\Google\Update\GoogleUpdate.exe [10/26/2009 6:59 PM 133104]
S2 LENOVO.MICMUTE;Lenovo Microphone Mute;c:\program files\Lenovo\HOTKEY\micmute.exe [5/21/2009 8:48 PM 45424]
S2 vToolbarUpdater15.2.0;vToolbarUpdater15.2.0;c:\program files\Common Files\AVG Secure Search\vToolbarUpdater\15.2.0\ToolbarUpdater.exe --> c:\program files\Common Files\AVG Secure Search\vToolbarUpdater\15.2.0\ToolbarUpdater.exe [?]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [11/17/2006 4:41 AM 30192]
S3 ONDAusbmdm6k;ONDA Proprietary USB Driver;c:\windows\system32\drivers\ONDAusbmdm6k.sys [11/10/2009 3:27 PM 100352]
S3 ONDAusbnmea;ONDA NMEA Port;c:\windows\system32\drivers\ONDAusbnmea.sys [11/10/2009 3:27 PM 100352]
S3 ONDAusbser6k;ONDA Diagnostic Port;c:\windows\system32\drivers\ONDAusbser6k.sys [11/10/2009 3:27 PM 100352]
S3 TmProxy;OfficeScan NT Proxy Service;c:\program files\Trend Micro\OfficeScan Client\TmProxy.exe [7/15/2009 6:37 PM 689416]
S3 urvpndrv;F5 Networks VPN Adapter;c:\windows\system32\DRIVERS\covpndrv.sys --> c:\windows\system32\DRIVERS\covpndrv.sys [?]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-05-25 02:27 1165776 ----a-w- c:\program files\Google\Chrome\Application\27.0.1453.94\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-05-29 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2013-04-02 23:21]
.
2013-05-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]
.
2013-05-29 c:\windows\Tasks\Get Lyrics Update.job
- c:\program files\GetLyrics\GetLyricsUPD.exe [2013-04-25 10:36]
.
2013-05-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-26 22:59]
.
2013-05-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-26 22:59]
.
2013-05-29 c:\windows\Tasks\PMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2006-11-17 17:41]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local;<local>
uInternet Settings,ProxyServer = 10.7.192.2:8080
IE: Download all with Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm
IE: Download video with Free Download Manager - file://c:\program files\Free Download Manager\dlfvideo.htm
IE: Download with Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
Trusted Zone: google.com\www
Trusted Zone: olf.com\h2o
Trusted Zone: olf.com\oebdsn1
Trusted Zone: olf.com\oebpas1
Trusted Zone: olf.com\olfandex1.andover
Trusted Zone: olf.com\tenrox
Trusted Zone: olf.com\h2o
Trusted Zone: olf.com\tenrox
TCP: DhcpNameServer = 192.168.1.1 68.237.161.12
DPF: {26B2A5DA-BFD6-422F-A89A-28A54C74B12B} - hxxp://www.costcophotocenter.com/upload/activex/v3_0_0_4/PhotoCenter_ActiveX_Control.cab
DPF: {D1610EA9-8DC7-4B2A-80DC-255032022E96} - hxxp://cp-txprod.olf.com/PTWeb/DTFileUploadCtrl.cab
FF - ProfilePath - c:\documents and settings\pvidulic\Application Data\Mozilla\Firefox\Profiles\1nc1d3r.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - gmail.com
FF - prefs.js: network.proxy.type - 2
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{9E00947D-AF88-49BC-B5FE-D1A41B7BDA47} - c:\documents and settings\pvidulic\Local Settings\Application Data\getsavin\ie\getsavin_1364327401.dll
HKLM-Run-hpqSRMon - (no file)
HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
Notify-ACNotify - ACNotify.dll
Notify-NavLogon - (no file)
SafeBoot-66525976.sys
AddRemove-GetSavin - c:\documents and settings\pvidulic\Local Settings\Application Data\getsavin\uninst.exe
AddRemove-sl-cb - c:\program files\OApps\sl-cb_uninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-05-29 00:33
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@DACL=(02 0010)
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_202_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
@DACL=(02 0010)
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@DACL=(02 0010)
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_202_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@DACL=(02 0010)
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@DACL=(02 0010)
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@DACL=(02 0010)
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@DACL=(02 0010)
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1432)
c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll
c:\program files\ThinkPad\ConnectUtilities\AcSvcStub.dll
c:\program files\ThinkPad\ConnectUtilities\AcLocSettings.dll
c:\program files\ThinkPad\ConnectUtilities\ACHelper.dll
c:\windows\system32\Ati2evxx.dll
c:\program files\ThinkVantage Fingerprint Software\psqlpwd.dll
c:\program files\ThinkVantage Fingerprint Software\homefus2.dll
c:\program files\ThinkVantage Fingerprint Software\infql2.dll
c:\program files\ThinkVantage Fingerprint Software\homepass.dll
c:\program files\ThinkVantage Fingerprint Software\bio.dll
c:\program files\ThinkVantage Fingerprint Software\qlbase.dll
c:\program files\Lenovo\AwayTask\AwayNotify.dll
.
- - - - - - - > 'lsass.exe'(1488)
c:\program files\ThinkVantage Fingerprint Software\psqlpwd.dll
c:\program files\ThinkVantage Fingerprint Software\homefus2.dll
c:\program files\ThinkVantage Fingerprint Software\infql2.dll
.
- - - - - - - > 'explorer.exe'(3772)
c:\windows\system32\ieframe.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Intel\WiFi\bin\S24EvMon.exe
c:\windows\system32\IPSSVC.EXE
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\ThinkPad\Bluetooth Software\bin\btwdins.exe
c:\program files\Diskeeper Corporation\Diskeeper\DkService.exe
c:\program files\Juniper Networks\Common Files\dsNcService.exe
c:\program files\Intel\WiFi\bin\EvtEng.exe
c:\windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Trend Micro\OfficeScan Client\ntrtscan.exe
c:\program files\Common Files\Intel\WirelessCommon\RegSrvc.exe
c:\program files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
c:\windows\System32\TPHDEXLG.exe
c:\windows\system32\TpKmpSVC.exe
c:\program files\Lenovo\Client Security Solution\tvttcsd.exe
c:\program files\Lenovo\Rescue and Recovery\rrservice.exe
c:\program files\Common Files\Lenovo\Scheduler\tvtsched.exe
c:\program files\Lenovo\Rescue and Recovery\ADM\IUService.exe
c:\program files\RealVNC\VNC4\WinVNC4.exe
c:\program files\Windows Media Player\WMPNetwk.exe
c:\program files\Common Files\Lenovo\Logger\logmon.exe
c:\windows\system32\SearchIndexer.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\program files\ThinkPad\ConnectUtilities\AcSvc.exe
c:\windows\system32\CCM\CcmExec.exe
c:\program files\lenovo\system update\suservice.exe
c:\program files\Trend Micro\OfficeScan Client\tmlisten.exe
c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe
c:\program files\Trend Micro\BM\TMBMSRV.exe
c:\program files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
c:\program files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\TpShocks.exe
c:\program files\Lenovo\HOTKEY\TPONSCR.exe
c:\program files\Lenovo\Zoom\TpScrex.exe
c:\windows\system32\rundll32.exe
c:\program files\Citrix\ICA Client\wfcrun32.exe
c:\program files\Citrix\ICA Client\PNAMain.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe
.
**************************************************************************
.
Completion time: 2013-05-29 00:44:04 - machine was rebooted
ComboFix-quarantined-files.txt 2013-05-29 04:43
.
Pre-Run: 3,030,388,736 bytes free
Post-Run: 3,561,807,872 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - B8DF7F6E9475731E6CA60E516CB6728F
 

Fiery

Level 1
Jan 11, 2011
2,007
Open up Notepad and paste the following:

File::
C:\Temp\air1B08.exe
C:\Temp\GetLyrics.exe
C:\Temp\SecondStepInstaller.exe

Folder::
c:\windows\system32\config\systemprofile\Application Data\SearchProtect

ClearJavaCache::
  • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
  • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
  • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
  • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
  • Follow the prompts.
  • When it finishes, a log will be produced named c:\combofix.txt
  • I will ask for this log below

Please download Junkware Removal Tool to your desktop from here
  • Turn off your antivirus software now to avoid potential conflicts
  • Double-click to run the tool. For Windows Vista or 7 users, right-click the file and select Run as Administrator
  • The tool will open and start scanning your system
  • Please be patient as this can take a while to complete depending on your system's specifications
  • On completion, a log (JRT.txt) will be saved to your desktop and will automatically open
  • Post the contents of JRT.txt into your next reply
 

donnamv

New Member
Thread author
Aug 16, 2012
49
COMBOFIX LOG:


ComboFix 13-05-30.01 - pvidulic 05/29/2013 21:37:40.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1534.465 [GMT -4:00]
Running from: c:\documents and settings\pvidulic\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\pvidulic\Desktop\CFscript.txt
AV: Trend Micro OfficeScan Antivirus *Enabled/Updated* {58027DB4-A7D7-4BBF-AFB5-6A5AC1AB795C}
* Resident AV is active
.
.
FILE ::
"c:\temp\air1B08.exe"
"c:\temp\GetLyrics.exe"
"c:\temp\SecondStepInstaller.exe"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\EventSystem.log
c:\windows\system32\config\systemprofile\Application Data\SearchProtect
c:\windows\system32\config\systemprofile\Application Data\SearchProtect\ffprotect\abstraction.js
c:\windows\system32\config\systemprofile\Application Data\SearchProtect\ffprotect\application.js
c:\windows\system32\config\systemprofile\Application Data\SearchProtect\ffprotect\Dialogs\dialogsApi.js
c:\windows\system32\config\systemprofile\Application Data\SearchProtect\ffprotect\Dialogs\lib\jquery.min.js
c:\windows\system32\config\systemprofile\Application Data\SearchProtect\ffprotect\Dialogs\lib\json2.js
c:\windows\system32\config\systemprofile\Application Data\SearchProtect\ffprotect\Dialogs\spbd\bubble.css
c:\windows\system32\config\systemprofile\Application Data\SearchProtect\ffprotect\Dialogs\spbd\bubble.js
c:\windows\system32\config\systemprofile\Application Data\SearchProtect\ffprotect\Dialogs\spbd\images\information.png
c:\windows\system32\config\systemprofile\Application Data\SearchProtect\ffprotect\Dialogs\spbd\images\x-default-LTR.png
c:\windows\system32\config\systemprofile\Application Data\SearchProtect\ffprotect\Dialogs\spbd\images\x-default-RTL.png
c:\windows\system32\config\systemprofile\Application Data\SearchProtect\ffprotect\Dialogs\spbd\images\x-mouseover-LTR.png
c:\windows\system32\config\systemprofile\Application Data\SearchProtect\ffprotect\Dialogs\spbd\images\x-mouseover-RTL.png
c:\windows\system32\config\systemprofile\Application Data\SearchProtect\ffprotect\Dialogs\spbd\main.html
c:\windows\system32\config\systemprofile\Application Data\SearchProtect\ffprotect\Dialogs\spsd\images\ok-button.png
c:\windows\system32\config\systemprofile\Application Data\SearchProtect\ffprotect\Dialogs\spsd\images\separation-line.png
c:\windows\system32\config\systemprofile\Application Data\SearchProtect\ffprotect\Dialogs\spsd\images\warning.png
c:\windows\system32\config\systemprofile\Application Data\SearchProtect\ffprotect\Dialogs\spsd\main.html
c:\windows\system32\config\systemprofile\Application Data\SearchProtect\ffprotect\Dialogs\spsd\SearchProtector.css
c:\windows\system32\config\systemprofile\Application Data\SearchProtect\ffprotect\Dialogs\spsd\settings.js
c:\windows\system32\config\systemprofile\Application Data\SearchProtect\ffprotect\nsprotector.js
c:\windows\system32\config\systemprofile\Application Data\SearchProtect\ffprotect\popupTransparent.xul
c:\windows\system32\TPAPSLOG.LOG
c:\windows\system32\TPHDLOG0.LOG
c:\windows\wininit.ini
.
.
((((((((((((((((((((((((( Files Created from 2013-04-28 to 2013-05-30 )))))))))))))))))))))))))))))))
.
.
2013-05-28 20:29 . 2013-05-28 20:29 -------- d-----w- c:\program files\ESET
2013-05-25 19:21 . 2013-05-25 19:21 -------- d-----w- C:\_OTL
2013-05-25 17:12 . 2013-05-25 17:12 -------- d-----w- c:\documents and settings\pvidulic\Application Data\Malwarebytes
2013-05-25 17:11 . 2013-05-25 17:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2013-05-25 17:11 . 2013-05-25 17:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2013-05-25 17:11 . 2013-04-04 18:50 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-05-24 22:32 . 2013-05-24 22:37 -------- d-----w- c:\program files\Common Files\Research in Motion
2013-05-24 22:27 . 2013-05-24 22:27 -------- d-----w- c:\program files\TeamViewer
2013-05-20 00:23 . 2013-05-20 00:23 -------- d-----w- c:\documents and settings\pvidulic\Application Data\AdobeUM
2013-05-20 00:18 . 2013-05-20 00:18 -------- d-----w- c:\program files\Common Files\Adobe
2013-05-04 00:33 . 2013-05-04 00:33 -------- d---a-w- c:\documents and settings\pvidulic\Local Settings\Application Data\AVG SafeGuard toolbar
2013-05-04 00:32 . 2013-05-04 00:32 -------- d---a-w- c:\documents and settings\All Users\Application Data\AVG SafeGuard toolbar
2013-05-04 00:32 . 2013-05-04 00:32 -------- d---a-w- c:\documents and settings\pvidulic\Application Data\AVG SafeGuard toolbar
2013-05-04 00:31 . 2013-05-21 01:44 37664 ----a-w- c:\windows\system32\drivers\avgtpx86.sys
2013-05-04 00:31 . 2013-05-25 02:56 -------- d---a-w- c:\program files\AVG SafeGuard toolbar
2013-05-04 00:30 . 2013-05-04 00:30 -------- d---a-w- c:\program files\Common Files\Bullzip
2013-05-04 00:30 . 2013-05-04 00:30 -------- d---a-w- c:\documents and settings\pvidulic\Application Data\PDF Writer
2013-05-04 00:30 . 2013-05-04 00:30 -------- d---a-w- c:\documents and settings\All Users\Application Data\PDF Writer
2013-05-04 00:30 . 2008-10-30 11:14 227840 ----a-w- c:\windows\system32\bzFlRdr.dll
2013-05-04 00:30 . 2008-07-09 11:14 103424 ----a-w- c:\windows\system32\bzDCT.dll
2013-05-04 00:30 . 2013-04-19 11:14 139264 ----a-w- c:\windows\system32\bzpdfc.dll
2013-05-04 00:29 . 2013-04-19 11:14 200192 ----a-w- c:\windows\system32\bzpdf.dll
2013-05-04 00:29 . 2013-05-04 00:29 -------- d---a-w- c:\program files\Bullzip
2013-05-04 00:29 . 2013-05-04 00:29 -------- d--ha-w- c:\documents and settings\All Users\Application Data\Common Files
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-05-28 00:58 . 2006-11-17 08:59 5427 ----a-w- c:\windows\system32\EGATHDRV.SYS
2013-05-25 01:21 . 2006-11-17 08:58 23552 ----a-w- c:\windows\system32\drivers\psasrv.exe
2013-05-25 01:21 . 2006-07-12 00:52 17536 ----a-w- c:\windows\system32\drivers\psadd.sys
2013-05-22 23:20 . 2013-04-02 12:35 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-05-22 23:20 . 2011-07-25 00:26 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-03-06 10:38 . 2013-03-26 19:33 770384 ----a-w- c:\windows\system32\msvcr100.dll
2013-03-06 10:38 . 2013-03-26 19:33 421200 ----a-w- c:\windows\system32\msvcp100.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\Installshield\UpdateService\ISUSPM.exe" [2008-10-24 206112]
"Gadwin PrintScreen"="c:\program files\Gadwin Systems\PrintScreen\PrintScreen.exe" [2008-12-09 495616]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-09-15 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2009-04-16 417792]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2005-03-17 208896]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2008-10-06 118784]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-10-06 1323008]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2008-10-08 256576]
"TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2007-01-09 868352]
"TpShocks"="TpShocks.exe" [2009-02-03 181536]
"TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe" [2009-03-13 68976]
"TP4EX"="tp4ex.exe" [2005-10-17 65536]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-07-31 30192]
"LPManager"="c:\progra~1\THINKV~2\PrdCtr\LPMGR.exe" [2009-01-29 185688]
"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2008-03-04 487424]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2006-02-02 122940]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2008-10-24 206112]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2008-10-24 79136]
"AwaySch"="c:\program files\Lenovo\AwayTask\AwaySch.EXE" [2006-11-07 91688]
"DiskeeperSystray"="c:\program files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2006-05-19 196696]
"ACTray"="c:\program files\ThinkPad\ConnectUtilities\ACTray.exe" [2006-08-26 409600]
"ACWLIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2006-08-26 110592]
"PDService.exe"="c:\program files\Lenovo\SafeGuard PrivateDisk\pdservice.exe" [2006-03-14 41472]
"cssauth"="c:\program files\Lenovo\Client Security Solution\cssauth.exe" [2006-07-15 2341632]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"Message Center Plus"="c:\program files\LENOVO\Message Center Plus\MCPLaunch.exe" [2009-05-28 49976]
"LENOVO.TPFNF6R"="c:\program files\Lenovo\HOTKEY\TPFNF6R.exe" [2009-04-14 15136]
"TPFNF7"="c:\program files\Lenovo\NPDIRECT\TPFNF7SP.exe" [2009-08-03 62240]
"AMSG"="c:\progra~1\THINKV~2\AMSG\amsg.exe" [2009-04-29 424512]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696]
"LPMailChecker"="c:\progra~1\THINKV~2\PrdCtr\LPMLCHK.exe" [2009-01-29 124248]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-15 49152]
"OfficeScanNT Monitor"="c:\program files\Trend Micro\OfficeScan Client\pccntmon.exe" [2010-10-16 866592]
"ConnectionCenter"="c:\program files\Citrix\ICA Client\concentr.exe" [2010-05-12 300472]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-01-28 59720]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2013-02-20 152392]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"TSClientMSIUninstaller"="c:\windows\Installer\TSClientMsiTrans\tscuinst.vbs" [2007-10-30 13801]
"TSClientAXDisabler"="c:\windows\Installer\TSClientMsiTrans\tscdsbl.bat" [2008-01-19 2247]
.
c:\documents and settings\pvidulic\Start Menu\Programs\Startup\
HP SimpleSave Monitor.lnk - c:\documents and settings\pvidulic\Application Data\HP SimpleSave Application\StartHelper.exe [2010-8-23 477080]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Bluetooth.lnk - c:\program files\ThinkPad\Bluetooth Software\BTTray.exe [2006-5-31 622653]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2009-9-15 50688]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]
Online plug-in.lnk - c:\windows\Installer\{7681A1A9-D865-4DC0-A319-41A49F5E78DB}\pnaico.exe.20FBBF0A_A7E5_4BDE_9798_9811C3D135AC.exe [N/A]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"enableinstallerdetection"= 0 (0x0)
"enablesecureuiapaths"= 0 (0x0)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLogonScripts"= 1 (0x1)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AwayNotify]
2006-08-16 17:07 49152 ------w- c:\program files\Lenovo\AwayTask\AwayNotify.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2009-05-21 20:54 100104 ------w- c:\program files\ThinkVantage Fingerprint Software\psqlpwd.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2006-09-06 20:37 34344 ------w- c:\program files\Lenovo\HOTKEY\notifyf2.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ c:\program files\ThinkVantage Fingerprint Software\psqlpwd.dll scecli
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1524525210-608246017-11539462-17652\Scripts\Logon\0\0]
"Script"=\\olf.com\SYSVOL\olf.com\scripts\asset.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1524525210-608246017-11539462-1893\Scripts\Logon\0\0]
"Script"=LyncNoPrompt.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1524525210-608246017-11539462-1893\Scripts\Logon\1\0]
"Script"=JunkMailImportLists.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1524525210-608246017-11539462-1893\Scripts\Logon\2\0]
"Script"=startup_script.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1524525210-608246017-11539462-1893\Scripts\Logon\3\0]
"Script"=\\olf.com\SYSVOL\olf.com\scripts\asset.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\TeamViewer\\Version8\\TeamViewer.exe"=
"c:\\Program Files\\TeamViewer\\Version8\\TeamViewer_Service.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"53233:TCP"= 53233:TCP:Trend Micro OfficeScan Listener
.
R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [1/28/2009 5:57 PM 20520]
R1 avgtp;avgtp;c:\windows\system32\drivers\avgtpx86.sys [5/3/2013 8:31 PM 37664]
R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [4/16/2010 5:22 PM 65584]
R2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [5/25/2013 1:11 PM 418376]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [5/25/2013 1:11 PM 701512]
R2 Power Manager DBC Service;Power Manager DBC Service;c:\program files\ThinkPad\Utilities\PWMDBSVC.exe [9/15/2009 1:55 PM 53248]
R2 PrivateDisk;PrivateDisk;c:\program files\Lenovo\SafeGuard PrivateDisk\privatediskm.sys [3/13/2006 8:05 PM 58368]
R2 smi2;smi2;c:\program files\SMI2\smi2.sys [7/14/2006 7:55 PM 3968]
R2 smihlp2;SMI Helper Driver (smihlp2);c:\program files\ThinkVantage Fingerprint Software\smihlp.sys [3/13/2009 2:47 PM 12560]
R2 TeamViewer8;TeamViewer 8;c:\program files\TeamViewer\Version8\TeamViewer_Service.exe [5/24/2013 6:27 PM 3574624]
R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2/18/2010 3:51 PM 52304]
R2 TmFilter;Trend Micro Filter;c:\program files\Trend Micro\OfficeScan Client\TmXpflt.sys [9/30/2009 3:38 PM 264504]
R2 TmPreFilter;Trend Micro PreFilter;c:\program files\Trend Micro\OfficeScan Client\TmPreflt.sys [9/30/2009 3:37 PM 36664]
R2 TPHKSVC;On Screen Display;c:\program files\Lenovo\HOTKEY\TPHKSVC.exe [5/21/2009 8:48 PM 62320]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [5/25/2013 1:11 PM 22856]
S2 Autorun CDROM Monitor;Autorun CDROM Monitor;c:\windows\system32\SupportAppXL\cdrom_mon.exe [11/10/2009 3:27 PM 81920]
S2 BackupService;BackupService;c:\documents and settings\pvidulic\Application Data\HP SimpleSave Application\uUACTokenSvc.exe [8/23/2010 8:11 PM 83512]
S2 gupdate1ca568ffa5b08a4;Google Update Service (gupdate1ca568ffa5b08a4);c:\program files\Google\Update\GoogleUpdate.exe [10/26/2009 6:59 PM 133104]
S2 LENOVO.MICMUTE;Lenovo Microphone Mute;c:\program files\Lenovo\HOTKEY\micmute.exe [5/21/2009 8:48 PM 45424]
S2 vToolbarUpdater15.2.0;vToolbarUpdater15.2.0;c:\program files\Common Files\AVG Secure Search\vToolbarUpdater\15.2.0\ToolbarUpdater.exe --> c:\program files\Common Files\AVG Secure Search\vToolbarUpdater\15.2.0\ToolbarUpdater.exe [?]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [11/17/2006 4:41 AM 30192]
S3 ONDAusbmdm6k;ONDA Proprietary USB Driver;c:\windows\system32\drivers\ONDAusbmdm6k.sys [11/10/2009 3:27 PM 100352]
S3 ONDAusbnmea;ONDA NMEA Port;c:\windows\system32\drivers\ONDAusbnmea.sys [11/10/2009 3:27 PM 100352]
S3 ONDAusbser6k;ONDA Diagnostic Port;c:\windows\system32\drivers\ONDAusbser6k.sys [11/10/2009 3:27 PM 100352]
S3 TmProxy;OfficeScan NT Proxy Service;c:\program files\Trend Micro\OfficeScan Client\TmProxy.exe [7/15/2009 6:37 PM 689416]
S3 urvpndrv;F5 Networks VPN Adapter;c:\windows\system32\DRIVERS\covpndrv.sys --> c:\windows\system32\DRIVERS\covpndrv.sys [?]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-05-25 02:27 1165776 ----a-w- c:\program files\Google\Chrome\Application\27.0.1453.94\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-05-30 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2013-04-02 23:21]
.
2013-05-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]
.
2013-05-30 c:\windows\Tasks\Get Lyrics Update.job
- c:\program files\GetLyrics\GetLyricsUPD.exe [2013-04-25 10:36]
.
2013-05-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-26 22:59]
.
2013-05-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-26 22:59]
.
2013-05-30 c:\windows\Tasks\PMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2006-11-17 17:41]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local;<local>
uInternet Settings,ProxyServer = 10.7.192.2:8080
IE: Download all with Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm
IE: Download video with Free Download Manager - file://c:\program files\Free Download Manager\dlfvideo.htm
IE: Download with Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
Trusted Zone: google.com\www
Trusted Zone: olf.com\h2o
Trusted Zone: olf.com\oebdsn1
Trusted Zone: olf.com\oebpas1
Trusted Zone: olf.com\olfandex1.andover
Trusted Zone: olf.com\tenrox
Trusted Zone: olf.com\h2o
Trusted Zone: olf.com\tenrox
TCP: DhcpNameServer = 192.168.1.1 68.237.161.12
DPF: {26B2A5DA-BFD6-422F-A89A-28A54C74B12B} - hxxp://www.costcophotocenter.com/upload/activex/v3_0_0_4/PhotoCenter_ActiveX_Control.cab
DPF: {D1610EA9-8DC7-4B2A-80DC-255032022E96} - hxxp://cp-txprod.olf.com/PTWeb/DTFileUploadCtrl.cab
FF - ProfilePath - c:\documents and settings\pvidulic\Application Data\Mozilla\Firefox\Profiles\1nc1d3r.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - gmail.com
FF - prefs.js: network.proxy.type - 2
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-05-29 21:56
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@DACL=(02 0010)
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_202_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
@DACL=(02 0010)
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@DACL=(02 0010)
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_202_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@DACL=(02 0010)
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@DACL=(02 0010)
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@DACL=(02 0010)
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@DACL=(02 0010)
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1428)
c:\windows\system32\Ati2evxx.dll
c:\program files\ThinkVantage Fingerprint Software\psqlpwd.dll
c:\program files\ThinkVantage Fingerprint Software\homefus2.dll
c:\program files\ThinkVantage Fingerprint Software\infql2.dll
c:\program files\ThinkVantage Fingerprint Software\homepass.dll
c:\program files\ThinkVantage Fingerprint Software\bio.dll
c:\program files\ThinkVantage Fingerprint Software\qlbase.dll
c:\program files\Lenovo\AwayTask\AwayNotify.dll
.
- - - - - - - > 'lsass.exe'(1484)
c:\program files\ThinkVantage Fingerprint Software\psqlpwd.dll
c:\program files\ThinkVantage Fingerprint Software\homefus2.dll
c:\program files\ThinkVantage Fingerprint Software\infql2.dll
.
Completion time: 2013-05-29 22:00:12
ComboFix-quarantined-files.txt 2013-05-30 02:00
ComboFix2.txt 2013-05-29 04:44
.
Pre-Run: 3,577,647,104 bytes free
Post-Run: 3,545,698,304 bytes free
.
- - End Of File - - 9DF73061D879AD4BA277094AA042CBA3
 

donnamv

New Member
Thread author
Aug 16, 2012
49
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 4.9.4 (05.06.2013:1)
OS: Microsoft Windows XP x86
Ran by pvidulic on Wed 05/29/2013 at 22:05:08.07
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values

Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\\DisplayName
Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\\URL



~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\yt.ytnavassistplugin
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\yt.ytnavassistplugin.1



~~~ Files



~~~ Folders



~~~ FireFox

Successfully deleted: [Folder] C:\Documents and Settings\pvidulic\Application Data\mozilla\firefox\profiles\1nc1d3r.default\extensions\getsavin@jetpack



~~~ Chrome

Successfully deleted: [Registry Key] hkey_current_user\software\policies\google\chrome\extensioninstallforcelist
Successfully deleted: [Registry Key] hkey_local_machine\software\policies\google\chrome\extensioninstallforcelist





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Wed 05/29/2013 at 22:10:13.18
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 

donnamv

New Member
Thread author
Aug 16, 2012
49
So far Laptop is running well! Thanks for all your help. Is there something else I need to do with all the logs saved on the desktop?
 

Fiery

Level 1
Jan 11, 2011
2,007
If you are no longer experiencing any other issues, your PC is now clean!

Uninstall Combofix.
  • Turn off all active protection software
  • Go to Start, then Run. (Alternatively, you can press the "windows key" + "R")
  • Copy and paste the following into the box ComboFix /Uninstall and click OK.
    Note the space between the X and the /Uninstall, it needs to be there.


Double click on OTL to run it
  • Click on the Cleanup button at the top.
  • You will be asked to reboot the machine to finish the Cleanup process. Choose Yes
  • This will remove itself and other tools we may have used.

Also, open adwCleaner and click Uninstall




Now that your PC is clean, I recommend you create a new System Restore point, then purge the old ones afterwards.

For XP
How to create a Restore Point in XP
Delete all restore points except the most recent one



Keep your system updated
Please go to control panel and uninstall the following:

Java(TM) 6 Update 29
Adobe Reader 7.0

Delete older Java versions from your computer by downloading JavaRa
  • Run JavaRa.exe, then click Remove JRE.
  • Let the tool run
  • Once it finishes, close JavaRa

Currently, the following programs on your PC are outdated:
  • Java - Update Java here
  • Adobe reader - Update Adobe Reader here
Keeping your programs (especially Adobe and Java products) updated is essential. Outdated programs make your PC more vulnerable to future malware threats. To help you:
  • Download and install Update Checker. It will notify you if any of your programs require an update.
  • Microsoft releases patches for Windows and Office products regularly to patch up Windows and Office product bugs and vulnerabilities.
  • Please ensure you update your system regularly and have automatic updates on. You can learn how to turn Automatic Updates on here


I also recommend you switch your antivirus program to a better one. Here are some suggestions:

In addition to your antivirus, you need additional protection such as a firewall and behavioural blocker. However, adding one of these programs may slow down performance. It is for you to decide the trade-off between more security and a faster PC.


Other steps that you may want to do to further protect your system/files:
  • Sandboxie - "Quarantines" your browser so anything that you do in it will be isolated from your system.
  • Back up important files regularly to an external hard drive or USB

Here are only a few suggestions that will improve your system security. Should you wish to allow us to make full recommendations and set your PC up with maximum security, please start a thread here. Our community of PC enthusiasts and experts will give you feedback and help you secure your system from future malware infections.

Should you want to try a product but don't know how it performs, here is a list of current reviews to help you decide.


Internet Explorer may be the most popular browser, but it's definitely not the most secure browser. Consider using other browsers with additional add-ons to safeguard your system while browsing the internet.

Firefox is a more secure, faster browser than Internet Explorer. Firefox contains fewer vulnerabilities, reducing the risk of drive-by downloads. In addition, you can add the following add-ons to increase security.
  • KeyScrambler - Encrypts your keystrokes to protect you against keyloggers that steal personal & banking information
  • AdBlock - Disables/blocks advertisements on websites so you won't accidentally click on a malicious ad.
  • NoScript - Disables Flash & Java content to avoid exploits or drive-by attacks
  • Web of Trust - Shows the website rating by other users and blocks dangerous and poor-rated sites

Google Chrome is another good browser that is faster and more secure than Internet Explorer by having a sandbox feature. Additionally, you can add the following add-on to Chrome to heighten security.


Lastly, it is important to perform system maintenance on a regular basis. Here are a few tools and on-demand scanners that you should keep & use every 1-2 weeks to keep your system healthy.

Other than that, stay safe out there! If you have any other questions or concerns, feel free to ask :)

My virus removal help is always free. Should you wish to show your appreciation via a donation, it will be much appreciated.
 

donnamv

New Member
Thread author
Aug 16, 2012
49
I went to continue cleaning up like you said:
Delete older Java version from your computer by downloading JavaRa

Run JavaRa.exe, then click Remove JRE.
Let the tool run
Once it finishes, close JavaRa

Now I have a MIXIDJ toolbar and CONSTANT popups.... I tried to go to add/delete programs and it won't let me uninstall
 

Fiery

Level 1
Jan 11, 2011
2,007
Oh that's no good. Please download adwCleaner, RogueKiller and run them. Then run a scan with OTL for me
 

donnamv

New Member
Thread author
Aug 16, 2012
49
Sorry but can you post the links for whatever you want me to run...I am having trouble finding them. Thanks!


Fiery said:
Oh that's no good. Please download adwCleaner, RogueKiller and run them. Then run a scan with OTL for me
 

Fiery

Level 1
Jan 11, 2011
2,007
No problem :)

Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool (For Vista or Windows 7, right-click and select Run as Administrator to start)
  • Click delete
  • Please post the content of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[S1].txt

Download & SAVE to your Desktop RogueKiller or from here
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select Run as Administrator to start
  • Wait until Prescan has finished, then click on "Scan" button
  • Wait until the Status box shows "Scan Finished"
  • Click delete and wait until it says deleting finished
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop
    Exit/Close RogueKiller

Download OTL by Old Timer from here and save it to your Desktop.
  • Double click on OTL.exe to run it.
  • Click the Scan All Users checkbox.
  • Check the boxes beside LOP Check and Purity Check
  • Click on Run Scan at the top left hand corner.
  • When done, two Notepad files will open.
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized
  • Please attach the contents of these 2 Notepad files in your next reply.
 
