Fake AVG virus

donnamv

New Member
Thread author
Aug 16, 2012
49
AdwCleaner Log:

# AdwCleaner v2.301 - Logfile created 06/02/2013 at 20:51:27
# Updated 16/05/2013 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : pvidulic - IBMLAP539
# Boot Mode : Normal
# Running from : C:\Documents and Settings\pvidulic\My Documents\Downloads\AdwCleaner.exe
# Option [Delete]


***** [Services] *****

Stopped & Deleted : CltMngSvc

***** [Files / Folders] *****

Deleted on reboot : C:\Documents and Settings\pvidulic\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\fdkednngfjmpnljkolbapdednncafhen
Deleted on reboot : C:\Documents and Settings\pvidulic\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\fdkednngfjmpnljkolbapdednncafhen
File Deleted : C:\Documents and Settings\pvidulic\Application Data\Mozilla\Firefox\Profiles\1nc1d3r.default\searchplugins\Conduit.xml
File Deleted : C:\END
Folder Deleted : C:\Documents and Settings\pvidulic\Application Data\Mozilla\Firefox\Profiles\1nc1d3r.default\CT3298566
Folder Deleted : C:\Documents and Settings\pvidulic\Application Data\Mozilla\Firefox\Profiles\1nc1d3r.default\extensions\{1122b43d-30ee-403f-9bfa-3cc99b0caddd}
Folder Deleted : C:\Documents and Settings\pvidulic\Application Data\Mozilla\Firefox\Profiles\1nc1d3r.default\Smartbar
Folder Deleted : C:\Documents and Settings\pvidulic\Application Data\SearchProtect
Folder Deleted : C:\Documents and Settings\pvidulic\Local Settings\Application Data\Conduit
Folder Deleted : C:\Documents and Settings\pvidulic\Local Settings\Application Data\MixiDJ_V30
Folder Deleted : C:\Program Files\MixiDJ_V30
Folder Deleted : C:\Program Files\OApps
Folder Deleted : C:\Program Files\SearchProtect
Folder Deleted : C:\temp\CT3298566

***** [Registry] *****

Key Deleted : HKCU\Software\Conduit
Key Deleted : HKCU\Software\Google\Chrome\Extensions\fdkednngfjmpnljkolbapdednncafhen
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1122B43D-30EE-403F-9BFA-3CC99B0CADDD}
Key Deleted : HKCU\Software\MixiDJ_V30
Key Deleted : HKCU\Software\SearchProtect
Key Deleted : HKCU\Software\SmartBar
Key Deleted : HKLM\Software\Conduit
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\fdkednngfjmpnljkolbapdednncafhen
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\SearchProtect
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1122B43D-30EE-403F-9BFA-3CC99B0CADDD}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MixiDJ_V30 Toolbar
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SearchProtect
Key Deleted : HKLM\Software\MixiDJ_V30
Key Deleted : HKLM\Software\SearchProtect
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks [{1122B43D-30EE-403F-9BFA-3CC99B0CADDD}]
Value Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Run [searchprotect]
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{1122B43D-30EE-403F-9BFA-3CC99B0CADDD}]
Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [SearchProtectAll]

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18702

Replaced : [HKCU\Software\Microsoft\Internet Explorer\Main - Start Page] = hxxp://search.conduit.com?SearchSource=10&CUI=UN19034251672947645&UM=2&ctid=CT3298566 --> hxxp://www.google.com

-\\ Mozilla Firefox v21.0 (en-US)

File : C:\Documents and Settings\pvidulic\Application Data\Mozilla\Firefox\Profiles\1nc1d3r.default\prefs.js

C:\Documents and Settings\pvidulic\Application Data\Mozilla\Firefox\Profiles\1nc1d3r.default\user.js ... Deleted !

Deleted : user_pref("CT3298566.1000082.isPlayDisplay", "true");
Deleted : user_pref("CT3298566.1000082.state", "{\"state\":\"stopped\",\"text\":\"Californi...\",\"description[...]
Deleted : user_pref("CT3298566.ENABALE_HISTORY", "{\"dataType\":\"string\",\"data\":\"true\"}");
Deleted : user_pref("CT3298566.ENABLE_RETURN_WEB_SEARCH_ON_THE_PAGE", "{\"dataType\":\"string\",\"data\":\"tru[...]
Deleted : user_pref("CT3298566.FF19Solved", "true");
Deleted : user_pref("CT3298566.FirstTime", "true");
Deleted : user_pref("CT3298566.FirstTimeFF3", "true");
Deleted : user_pref("CT3298566.PG_ENABLE", "dHJ1ZQ==");
Deleted : user_pref("CT3298566.PG_ENABLE.enc", "dHJ1ZQ==");
Deleted : user_pref("CT3298566.SearchFromAddressBarUrl", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT329[...]
Deleted : user_pref("CT3298566.TopHitsConfig.enc", "ew0KICAgICJzcHJpdGVVcmwiOiAiaHR0cDovL3N0b3JhZ2UuY29uZHVpdC[...]
Deleted : user_pref("CT3298566.UserID", "UN36535174952338531");
Deleted : user_pref("CT3298566.YTbyClickFavorites.enc", "W10=");
Deleted : user_pref("CT3298566.YTbyClickRecent.enc", "W10=");
Deleted : user_pref("CT3298566.addressBarTakeOverEnabledInHidden", "true");
Deleted : user_pref("CT3298566.autoDisableScopes", 0);
Deleted : user_pref("CT3298566.browser.search.defaultthis.engineName", "true");
Deleted : user_pref("CT3298566.cb_experience_000.enc", "MTY=");
Deleted : user_pref("CT3298566.cb_firstuse0100.enc", "MQ==");
Deleted : user_pref("CT3298566.cb_user_id_000.enc", "Q0I0OTY0NjE2ODY5OF8xMzY5OTYxNzU5NzQ5X0ZpcmVmb3g=");
Deleted : user_pref("CT3298566.cbfirsttime.enc", "VGh1IE1heSAzMCAyMDEzIDIwOjU1OjU5IEdNVC0wNDAwIChFYXN0ZXJuIFN0[...]
Deleted : user_pref("CT3298566.defaultSearch", "true");
Deleted : user_pref("CT3298566.embeddedsData", "[{\"appId\":\"130110228003246321\",\"apiPermissions\":{\"cross[...]
Deleted : user_pref("CT3298566.enableAlerts", "true");
Deleted : user_pref("CT3298566.enableFix404ByUser", "TRUE");
Deleted : user_pref("CT3298566.enableSearchFromAddressBar", "true");
Deleted : user_pref("CT3298566.firstTimeDialogOpened", "true");
Deleted : user_pref("CT3298566.fixPageNotFoundError", "true");
Deleted : user_pref("CT3298566.fixPageNotFoundErrorByUser", "true");
Deleted : user_pref("CT3298566.fixPageNotFoundErrorInHidden", "true");
Deleted : user_pref("CT3298566.fixUrls", true);
Deleted : user_pref("CT3298566.installDate", "30/5/2013 20:53:01");
Deleted : user_pref("CT3298566.installId", "cid111");
Deleted : user_pref("CT3298566.installSessionId", "{804B7DF1-72DF-48CA-9DA9-9C73A573C13B}");
Deleted : user_pref("CT3298566.installSp", "TRUE");
Deleted : user_pref("CT3298566.installType", "conduitnsisintegration");
Deleted : user_pref("CT3298566.installUsage", "2013-05-31T03:55:36.7045735+03:00");
Deleted : user_pref("CT3298566.installUsageEarly", "2013-05-31T03:55:34.8171671+03:00");
Deleted : user_pref("CT3298566.installerVersion", "1.4.2.3");
Deleted : user_pref("CT3298566.isCheckedStartAsHidden", true);
Deleted : user_pref("CT3298566.isEnableAllDialogs", "{\"dataType\":\"string\",\"data\":\"true\"}");
Deleted : user_pref("CT3298566.isFirstTimeToolbarLoading", "false");
Deleted : user_pref("CT3298566.isToolbarShrinked", "{\"dataType\":\"string\",\"data\":\"false\"}");
Deleted : user_pref("CT3298566.keyword", "true");
Deleted : user_pref("CT3298566.lastNewTabSettings", "{\"isEnabled\":false,\"newTabUrl\":\"hxxp://search.condui[...]
Deleted : user_pref("CT3298566.lastVersion", "10.16.1.902");
Deleted : user_pref("CT3298566.mam_gk_appStateReportTime.enc", "MTM3MDAyNzk1NjExOQ==");
Deleted : user_pref("CT3298566.mam_gk_appState_CouponBuddy.enc", "b24=");
Deleted : user_pref("CT3298566.mam_gk_appState_PriceGong.enc", "b24=");
Deleted : user_pref("CT3298566.mam_gk_appsData.enc", "eyJhcHBzIjpbeyJpZCI6IlByaWNlR29uZyIsInVybCI6Imh0dHA6Ly9w[...]
Deleted : user_pref("CT3298566.mam_gk_appsDefaultEnabled.enc", "bnVsbA==");
Deleted : user_pref("CT3298566.mam_gk_configuration.enc", "eyJjb25maWd1cmF0aW9uIjpbeyJpZCI6IlByaWNlR29uZyIsImN[...]
Deleted : user_pref("CT3298566.mam_gk_currentVersion.enc", "MS42LjAuOTk=");
Deleted : user_pref("CT3298566.mam_gk_first_time.enc", "MQ==");
Deleted : user_pref("CT3298566.mam_gk_gadgetOpen.enc", "d2VsY29tZQ==");
Deleted : user_pref("CT3298566.mam_gk_installer_preapproved.enc", "ZmFsc2U=");
Deleted : user_pref("CT3298566.mam_gk_lastLoginTime.enc", "MTM3MDAyNzk1NDQyOA==");
Deleted : user_pref("CT3298566.mam_gk_localization.enc", "eyJnYWRnZXRDb250ZW50UG9saWN5Ijp7IlRleHQiOiJDb250ZW50[...]
Deleted : user_pref("CT3298566.mam_gk_pgUnloadedOnce.enc", "dHJ1ZQ==");
Deleted : user_pref("CT3298566.mam_gk_settings1.6.0.99.enc", "eyJTdGF0dXMiOiJzdWNjZWVkZWQiLCJEYXRhIjp7ImludGVy[...]
Deleted : user_pref("CT3298566.mam_gk_showCloseButton.enc", "dHJ1ZQ==");
Deleted : user_pref("CT3298566.mam_gk_showWelcomeGadget.enc", "ZmFsc2U=");
Deleted : user_pref("CT3298566.mam_gk_userId.enc", "Njk5YjZkNGYtMjlhYy00MjQxLTg5YjktMzU4NDk4YzU2YWZl");
Deleted : user_pref("CT3298566.migrateAppsAndComponents", true);
Deleted : user_pref("CT3298566.navigationAliasesJson", "{\"EB_SEARCH_TERM\":\"\",\"EB_MAIN_FRAME_URL\":\"hxxp%[...]
Deleted : user_pref("CT3298566.openThankYouPage", "false");
Deleted : user_pref("CT3298566.openUninstallPage", "true");
Deleted : user_pref("CT3298566.originalSearchAddressUrl", "");
Deleted : user_pref("CT3298566.originalSearchEngine", "Google");
Deleted : user_pref("CT3298566.price-gong.isManagedApp", "true");
Deleted : user_pref("CT3298566.revertSettingsEnabled", "false");
Deleted : user_pref("CT3298566.search.searchAppId", "130110228003246321");
Deleted : user_pref("CT3298566.search.searchCount", "0");
Deleted : user_pref("CT3298566.searchFromAddressBarEnabledByUser", "true");
Deleted : user_pref("CT3298566.searchInNewTabEnabledByUser", "true");
Deleted : user_pref("CT3298566.searchInNewTabEnabledInHidden", "true");
Deleted : user_pref("CT3298566.searchRevert", "false");
Deleted : user_pref("CT3298566.searchUserMode", "2");
Deleted : user_pref("CT3298566.selectToSearchBoxEnabled", "{\"dataType\":\"string\",\"data\":\"true\"}");
Deleted : user_pref("CT3298566.serviceLayer_service_login_isFirstLoginInvoked", "{\"dataType\":\"boolean\",\"d[...]
Deleted : user_pref("CT3298566.serviceLayer_service_login_loginCount", "{\"dataType\":\"number\",\"data\":\"4\[...]
Deleted : user_pref("CT3298566.serviceLayer_service_toolbarGrouping_activeCTID", "{\"dataType\":\"string\",\"d[...]
Deleted : user_pref("CT3298566.serviceLayer_service_toolbarGrouping_activeDownloadUrl", "{\"dataType\":\"strin[...]
Deleted : user_pref("CT3298566.serviceLayer_service_toolbarGrouping_activeToolbarName", "{\"dataType\":\"strin[...]
Deleted : user_pref("CT3298566.serviceLayer_service_toolbarGrouping_invoked", "{\"dataType\":\"string\",\"data[...]
Deleted : user_pref("CT3298566.serviceLayer_services_appTrackingFirstTime_lastUpdate", "1369961741180");
Deleted : user_pref("CT3298566.serviceLayer_services_appsMetadata_lastUpdate", "1369961806783");
Deleted : user_pref("CT3298566.serviceLayer_services_gottenAppsContextMenu_lastUpdate", "1369961740937");
Deleted : user_pref("CT3298566.serviceLayer_services_installUsage_ToolbarInstallEarly_lastUpdate", "1369961738[...]
Deleted : user_pref("CT3298566.serviceLayer_services_installUsage_ToolbarInstall_lastUpdate", "1369961741426")[...]
Deleted : user_pref("CT3298566.serviceLayer_services_location_lastUpdate", "1369961738933");
Deleted : user_pref("CT3298566.serviceLayer_services_login_10.16.1.902_lastUpdate", "1369961741438");
Deleted : user_pref("CT3298566.serviceLayer_services_otherAppsContextMenu_lastUpdate", "1369961741070");
Deleted : user_pref("CT3298566.serviceLayer_services_searchAPI_lastUpdate", "1369961738893");
Deleted : user_pref("CT3298566.serviceLayer_services_serviceMap_lastUpdate", "1369961736302");
Deleted : user_pref("CT3298566.serviceLayer_services_toolbarContextMenu_lastUpdate", "1369961740712");
Deleted : user_pref("CT3298566.serviceLayer_services_toolbarSettings_lastUpdate", "1369961806623");
Deleted : user_pref("CT3298566.serviceLayer_services_translation_lastUpdate", "1369961741266");
Deleted : user_pref("CT3298566.settingsINI", true);
Deleted : user_pref("CT3298566.shouldFirstTimeDialog", "false");
Deleted : user_pref("CT3298566.showToolbarPermission", "false");
Deleted : user_pref("CT3298566.smartbar.CTID", "CT3298566");
Deleted : user_pref("CT3298566.smartbar.Uninstall", "0");
Deleted : user_pref("CT3298566.smartbar.homepage", "true");
Deleted : user_pref("CT3298566.smartbar.toolbarName", "MixiDJ V30 ");
Deleted : user_pref("CT3298566.startPage", "true");
Deleted : user_pref("CT3298566.toolbarBornServerTime", "31-5-2013");
Deleted : user_pref("CT3298566.toolbarCurrentServerTime", "31-5-2013");
Deleted : user_pref("CT3298566.toolbarLoginClientTime", "Thu May 30 2013 20:55:41 GMT-0400 (Eastern Standard T[...]
Deleted : user_pref("CT3298566.url_history0001.enc", "aHR0cDovL21hbHdhcmV0aXBzLmNvbS9UaHJlYWQtRmFrZS1BVkctdmly[...]
Deleted : user_pref("CT3298566.versionFromInstaller", "10.16.1.902");
Deleted : user_pref("CT3298566_Firefox.csv", "[{\"from\":\"Abs Layer\",\"action\":\"loading toolbar\",\"time\"[...]
Deleted : user_pref("Smartbar.ConduitHomepagesList", "hxxp://search.conduit.com/?ctid=CT3298566&octid=CT329856[...]
Deleted : user_pref("Smartbar.ConduitSearchEngineList", "MixiDJ V30 Customized Web Search");
Deleted : user_pref("Smartbar.ConduitSearchUrlList", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3298566[...]
Deleted : user_pref("Smartbar.SearchFromAddressBarSavedUrl", "");
Deleted : user_pref("Smartbar.keywordURLSelectedCTID", "CT3298566");
Deleted : user_pref("browser.search.defaultthis.engineName", "MixiDJ V30 Customized Web Search");
Deleted : user_pref("browser.search.defaulturl", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3298566&CUI[...]
Deleted : user_pref("browser.search.selectedEngine", "MixiDJ V30 Customized Web Search");
Deleted : user_pref("browser.startup.homepage", "hxxp://search.conduit.com/?ctid=CT3298566&octid=CT3298566&Sea[...]
Deleted : user_pref("keyword.URL", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3298566&SearchSource=2&CU[...]
Deleted : user_pref("smartbar.addressBarOwnerCTID", "CT3298566");
Deleted : user_pref("smartbar.conduitHomepageList", "hxxp://search.conduit.com/?ctid=CT3298566&CUI=UN365351749[...]
Deleted : user_pref("smartbar.conduitSearchAddressUrlList", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT[...]
Deleted : user_pref("smartbar.defaultSearchOwnerCTID", "CT3298566");
Deleted : user_pref("smartbar.homePageOwnerCTID", "CT3298566");
Deleted : user_pref("smartbar.machineId", "SONLSAAWLGQZDSUMOON3AALCNL0OB90CYNK143VFKSQGTLXNGT4GQZFLVVSYZ5GO5PT[...]
Deleted : user_pref("smartbar.originalHomepage", "hxxp://search.conduit.com/?ctid=CT3298566&CUI=UN365351749523[...]

-\\ Google Chrome v27.0.1453.94

File : C:\Documents and Settings\pvidulic\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences

Deleted [l.2452] : homepage = "hxxp://search.conduit.com/?ctid=CT3298566&SearchSource=48&CUI=UN37761102081653719&UM[...]
Deleted [l.3104] : urls_to_restore_on_startup = [ "hxxp://search.conduit.com/?ctid=CT3298566&SearchSource=48&CUI[...]

*************************

AdwCleaner[R1].txt - [14846 octets] - [02/06/2013 20:48:49]
AdwCleaner[S1].txt - [15083 octets] - [02/06/2013 20:51:27]

########## EOF - C:\AdwCleaner[S1].txt - [15144 octets] ##########
 

donnamv

RogueKiller Log:
RogueKiller V8.5.4 [Mar 18 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : pvidulic [Admin rights]
Mode : Remove -- Date : 06/02/2013 21:11:06
| ARK || FAK || MBR |

¤¤¤ Bad processes : 1 ¤¤¤
[SUSP PATH] StartHelper.exe -- C:\Documents and Settings\pvidulic\Application Data\HP SimpleSave Application\StartHelper.exe [7] -> KILLED [TermProc]

¤¤¤ Registry Entries : 4 ¤¤¤
[STARTUP][SUSP PATH] HP SimpleSave Monitor.lnk @pvidulic : C:\Documents and Settings\pvidulic\Application Data\HP SimpleSave Application\StartHelper.exe [7] -> DELETED
[PROXY IE] HKCU\[...]\Internet Settings : ProxyServer (10.7.192.2:8080) -> NOT REMOVED, USE PROXYFIX
[HJPOL] HKCU\[...]\System : DisableRegistryTools (0) -> DELETED
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> DELETED

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤
SSDT[41] : NtCreateKey @ 0x806240F0 -> HOOKED (Unknown @ 0x8761DD60)
SSDT[43] : NtCreateMutant @ 0x8061769E -> HOOKED (Unknown @ 0x8761ED40)
SSDT[47] : NtCreateProcess @ 0x805D1230 -> HOOKED (Unknown @ 0x8761D260)
SSDT[48] : NtCreateProcessEx @ 0x805D117A -> HOOKED (Unknown @ 0x8761D520)
SSDT[53] : NtCreateThread @ 0x805D1018 -> HOOKED (Unknown @ 0x8761EA00)
SSDT[63] : NtDeleteKey @ 0x8062458C -> HOOKED (Unknown @ 0x8761E2E0)
SSDT[65] : NtDeleteValueKey @ 0x8062475C -> HOOKED (Unknown @ 0x8761E5A0)
SSDT[97] : NtLoadDriver @ 0x80584160 -> HOOKED (Unknown @ 0x8761EBA0)
SSDT[122] : NtOpenProcess @ 0x805CB440 -> HOOKED (Unknown @ 0x8761D7E0)
SSDT[240] : NtSetSystemInformation @ 0x8060FD06 -> HOOKED (Unknown @ 0x8761EEE0)
SSDT[247] : NtSetValueKey @ 0x80622662 -> HOOKED (Unknown @ 0x8761E020)
SSDT[257] : NtTerminateProcess @ 0x805D29E2 -> HOOKED (Unknown @ 0x8761DAA0)
SSDT[277] : NtWriteVirtualMemory @ 0x805B43CC -> HOOKED (Unknown @ 0x8761E860)
S_SSDT[548] : NtUserSetWindowsHookAW -> HOOKED (Unknown @ 0x8761F540)
S_SSDT[549] : NtUserSetWindowsHookEx -> HOOKED (Unknown @ 0x8761F360)

¤¤¤ HOSTS File: ¤¤¤
--> C:\WINDOWS\system32\drivers\etc\hosts

127.0.0.1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: HTS541080G9SA00 +++++
--- User ---
[MBR] e3f83c72ff09a4512f8c37e620825edf
[BSP] f4f37b2ef736532be808bea337d4827d : MBR Code unknown
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 76316 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[2]_D_06022013_02d2111.txt >>
RKreport[1]_S_06022013_02d2109.txt ; RKreport[2]_D_06022013_02d2111.txt
 

donnamv

And here are the last 2 logs attached

Attachments

  • OTL.Txt (150.6 KB)
  • Extras.Txt (69.7 KB)

donnamv

No, but every time I go and open a new tab or reply to you I get a pop-up from

http://www.updatevideos.com/?ClickID=32fKD758PQAi1kABAAAAANAEUgAAAAAAAAAAAAAAAAAAAA4AAgACCNe9TgAAAAAAcShpAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAnIxcAAAAAAAICAgAAgD8AMkzJCT8BAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=&PubID=264923103

which is from that download I did when I watched the soccer game online.... it says to download Flash or something....
 

Fiery

Level 1
Jan 11, 2011
2,007
Please download ComboFix from one of these locations:

Link 1: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Link 2: http://www.infospyware.net/antimalware/combofix/

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. See http://www.bleepingcomputer.com/forums/topic114351.html for help.
  • Double click on Combo-Fix & follow the prompts.

When finished, ComboFix will produce a log.

Note:
1. Do not mouseclick combofix's window while it's running. That may cause it to stall!
2. Remember to re-enable your anti-virus and anti-spyware before reconnecting to the Internet.
 

donnamv

When I clicked in the reply box I got the same pop-up: Install player.....

Here is the ComboFix log

ComboFix 13-06-03.06 - pvidulic 06/03/2013 22:55:11.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1534.606 [GMT -4:00]
Running from: c:\documents and settings\pvidulic\My Documents\Downloads\ComboFix.exe
AV: Trend Micro OfficeScan Antivirus *Enabled/Updated* {58027DB4-A7D7-4BBF-AFB5-6A5AC1AB795C}
* Resident AV is active
.
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\TPAPSLOG.LOG
c:\windows\system32\TPHDLOG0.LOG
.
.
((((((((((((((((((((((((( Files Created from 2013-05-04 to 2013-06-04 )))))))))))))))))))))))))))))))
.
.
2013-05-31 19:23 . 2013-05-31 19:23 -------- d-----w- c:\documents and settings\pvidulic\Local Settings\Application Data\Sun
2013-05-31 01:16 . 2013-05-31 01:16 -------- d-----w- c:\program files\Common Files\Java
2013-05-31 01:15 . 2013-05-31 01:14 866720 ----a-w- c:\windows\system32\npDeployJava1.dll
2013-05-31 01:15 . 2013-05-31 01:14 94112 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-05-31 01:11 . 2013-05-31 01:11 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2013-05-31 00:57 . 2013-05-31 00:57 -------- d-----w- c:\program files\7-Zip
2013-05-30 02:05 . 2013-05-30 02:05 -------- d-----w- c:\windows\ERUNT
2013-05-30 02:03 . 2013-05-30 02:03 -------- d-----w- C:\JRT
2013-05-28 20:29 . 2013-05-28 20:29 -------- d-----w- c:\program files\ESET
2013-05-25 17:12 . 2013-05-25 17:12 -------- d-----w- c:\documents and settings\pvidulic\Application Data\Malwarebytes
2013-05-25 17:11 . 2013-05-25 17:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2013-05-25 17:11 . 2013-05-25 17:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2013-05-25 17:11 . 2013-04-04 18:50 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-05-24 22:32 . 2013-05-24 22:37 -------- d-----w- c:\program files\Common Files\Research in Motion
2013-05-24 22:27 . 2013-05-24 22:27 -------- d-----w- c:\program files\TeamViewer
2013-05-20 00:23 . 2013-05-20 00:23 -------- d-----w- c:\documents and settings\pvidulic\Application Data\AdobeUM
2013-05-20 00:18 . 2013-05-20 00:18 -------- d-----w- c:\program files\Common Files\Adobe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-06-02 03:58 . 2006-11-17 08:59 5427 ----a-w- c:\windows\system32\EGATHDRV.SYS
2013-05-31 01:14 . 2009-12-17 19:57 144896 ----a-w- c:\windows\system32\javacpl.cpl
2013-05-31 01:14 . 2011-08-04 00:33 788896 ----a-w- c:\windows\system32\deployJava1.dll
2013-05-25 01:21 . 2006-11-17 08:58 23552 ----a-w- c:\windows\system32\drivers\psasrv.exe
2013-05-25 01:21 . 2006-07-12 00:52 17536 ----a-w- c:\windows\system32\drivers\psadd.sys
2013-05-22 23:20 . 2013-04-02 12:35 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-05-22 23:20 . 2011-07-25 00:26 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-05-21 01:44 . 2013-05-04 00:31 37664 ----a-w- c:\windows\system32\drivers\avgtpx86.sys
2013-05-08 06:10 . 2013-03-26 19:33 770384 ----a-w- c:\windows\system32\msvcr100.dll
2013-05-08 06:10 . 2013-03-26 19:33 421200 ----a-w- c:\windows\system32\msvcp100.dll
2013-04-19 11:14 . 2013-05-04 00:30 139264 ----a-w- c:\windows\system32\bzpdfc.dll
2013-04-19 11:14 . 2013-05-04 00:29 200192 ----a-w- c:\windows\system32\bzpdf.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\Installshield\UpdateService\ISUSPM.exe" [2008-10-24 206112]
"Gadwin PrintScreen"="c:\program files\Gadwin Systems\PrintScreen\PrintScreen.exe" [2008-12-09 495616]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2009-04-16 417792]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2005-03-17 208896]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2008-10-06 118784]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-10-06 1323008]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2008-10-08 256576]
"TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2007-01-09 868352]
"TpShocks"="TpShocks.exe" [2009-02-03 181536]
"TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe" [2009-03-13 68976]
"TP4EX"="tp4ex.exe" [2005-10-17 65536]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-07-31 30192]
"LPManager"="c:\progra~1\THINKV~2\PrdCtr\LPMGR.exe" [2009-01-29 185688]
"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2008-03-04 487424]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2006-02-02 122940]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2008-10-24 206112]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2008-10-24 79136]
"AwaySch"="c:\program files\Lenovo\AwayTask\AwaySch.EXE" [2006-11-07 91688]
"DiskeeperSystray"="c:\program files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2006-05-19 196696]
"ACTray"="c:\program files\ThinkPad\ConnectUtilities\ACTray.exe" [2006-08-26 409600]
"ACWLIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2006-08-26 110592]
"PDService.exe"="c:\program files\Lenovo\SafeGuard PrivateDisk\pdservice.exe" [2006-03-14 41472]
"cssauth"="c:\program files\Lenovo\Client Security Solution\cssauth.exe" [2006-07-15 2341632]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"Message Center Plus"="c:\program files\LENOVO\Message Center Plus\MCPLaunch.exe" [2009-05-28 49976]
"LENOVO.TPFNF6R"="c:\program files\Lenovo\HOTKEY\TPFNF6R.exe" [2009-04-14 15136]
"TPFNF7"="c:\program files\Lenovo\NPDIRECT\TPFNF7SP.exe" [2009-08-03 62240]
"AMSG"="c:\progra~1\THINKV~2\AMSG\amsg.exe" [2009-04-29 424512]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696]
"LPMailChecker"="c:\progra~1\THINKV~2\PrdCtr\LPMLCHK.exe" [2009-01-29 124248]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-15 49152]
"OfficeScanNT Monitor"="c:\program files\Trend Micro\OfficeScan Client\pccntmon.exe" [2010-10-16 866592]
"ConnectionCenter"="c:\program files\Citrix\ICA Client\concentr.exe" [2010-05-12 300472]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-01-28 59720]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"TSClientMSIUninstaller"="c:\windows\Installer\TSClientMsiTrans\tscuinst.vbs" [2007-10-30 13801]
"TSClientAXDisabler"="c:\windows\Installer\TSClientMsiTrans\tscdsbl.bat" [2008-01-19 2247]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Bluetooth.lnk - c:\program files\ThinkPad\Bluetooth Software\BTTray.exe [2006-5-31 622653]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2009-9-15 50688]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]
Online plug-in.lnk - c:\windows\Installer\{7681A1A9-D865-4DC0-A319-41A49F5E78DB}\pnaico.exe.20FBBF0A_A7E5_4BDE_9798_9811C3D135AC.exe [N/A]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"enableinstallerdetection"= 0 (0x0)
"enablesecureuiapaths"= 0 (0x0)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLogonScripts"= 1 (0x1)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AwayNotify]
2006-08-16 17:07 49152 ------w- c:\program files\Lenovo\AwayTask\AwayNotify.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2009-05-21 20:54 100104 ------w- c:\program files\ThinkVantage Fingerprint Software\psqlpwd.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2006-09-06 20:37 34344 ------w- c:\program files\Lenovo\HOTKEY\notifyf2.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ c:\program files\ThinkVantage Fingerprint Software\psqlpwd.dll scecli
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1524525210-608246017-11539462-17652\Scripts\Logon\0\0]
"Script"=\\olf.com\SYSVOL\olf.com\scripts\asset.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1524525210-608246017-11539462-1893\Scripts\Logon\0\0]
"Script"=LyncNoPrompt.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1524525210-608246017-11539462-1893\Scripts\Logon\1\0]
"Script"=JunkMailImportLists.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1524525210-608246017-11539462-1893\Scripts\Logon\2\0]
"Script"=startup_script.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1524525210-608246017-11539462-1893\Scripts\Logon\3\0]
"Script"=\\olf.com\SYSVOL\olf.com\scripts\asset.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\TeamViewer\\Version8\\TeamViewer.exe"=
"c:\\Program Files\\TeamViewer\\Version8\\TeamViewer_Service.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:mad:xpsp2res.dll,-22009
"53233:TCP"= 53233:TCP:Trend Micro OfficeScan Listener
.
R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [1/28/2009 5:57 PM 20520]
R1 avgtp;avgtp;c:\windows\system32\drivers\avgtpx86.sys [5/3/2013 8:31 PM 37664]
R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [4/16/2010 5:22 PM 65584]
R2 Power Manager DBC Service;Power Manager DBC Service;c:\program files\ThinkPad\Utilities\PWMDBSVC.exe [9/15/2009 1:55 PM 53248]
R2 PrivateDisk;PrivateDisk;c:\program files\Lenovo\SafeGuard PrivateDisk\privatediskm.sys [3/13/2006 8:05 PM 58368]
R2 smi2;smi2;c:\program files\SMI2\smi2.sys [7/14/2006 7:55 PM 3968]
R2 smihlp2;SMI Helper Driver (smihlp2);c:\program files\ThinkVantage Fingerprint Software\smihlp.sys [3/13/2009 2:47 PM 12560]
R2 TeamViewer8;TeamViewer 8;c:\program files\TeamViewer\Version8\TeamViewer_Service.exe [5/24/2013 6:27 PM 3574624]
R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2/18/2010 3:51 PM 52304]
R2 TmFilter;Trend Micro Filter;c:\program files\Trend Micro\OfficeScan Client\TmXpflt.sys [9/30/2009 3:38 PM 264504]
R2 TmPreFilter;Trend Micro PreFilter;c:\program files\Trend Micro\OfficeScan Client\TmPreflt.sys [9/30/2009 3:37 PM 36664]
R2 TPHKSVC;On Screen Display;c:\program files\Lenovo\HOTKEY\TPHKSVC.exe [5/21/2009 8:48 PM 62320]
S2 Autorun CDROM Monitor;Autorun CDROM Monitor;c:\windows\system32\SupportAppXL\cdrom_mon.exe [11/10/2009 3:27 PM 81920]
S2 BackupService;BackupService;c:\documents and settings\pvidulic\Application Data\HP SimpleSave Application\uUACTokenSvc.exe [8/23/2010 8:11 PM 83512]
S2 gupdate1ca568ffa5b08a4;Google Update Service (gupdate1ca568ffa5b08a4);c:\program files\Google\Update\GoogleUpdate.exe [10/26/2009 6:59 PM 133104]
S2 LENOVO.MICMUTE;Lenovo Microphone Mute;c:\program files\Lenovo\HOTKEY\micmute.exe [5/21/2009 8:48 PM 45424]
S2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [5/25/2013 1:11 PM 418376]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [5/25/2013 1:11 PM 701512]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [11/17/2006 4:41 AM 30192]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [5/25/2013 1:11 PM 22856]
S3 ONDAusbmdm6k;ONDA Proprietary USB Driver;c:\windows\system32\drivers\ONDAusbmdm6k.sys [11/10/2009 3:27 PM 100352]
S3 ONDAusbnmea;ONDA NMEA Port;c:\windows\system32\drivers\ONDAusbnmea.sys [11/10/2009 3:27 PM 100352]
S3 ONDAusbser6k;ONDA Diagnostic Port;c:\windows\system32\drivers\ONDAusbser6k.sys [11/10/2009 3:27 PM 100352]
S3 TmProxy;OfficeScan NT Proxy Service;c:\program files\Trend Micro\OfficeScan Client\TmProxy.exe [7/15/2009 6:37 PM 689416]
S3 urvpndrv;F5 Networks VPN Adapter;c:\windows\system32\DRIVERS\covpndrv.sys --> c:\windows\system32\DRIVERS\covpndrv.sys [?]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2013-06-04 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2013-04-02 23:21]
.
2013-06-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]
.
2013-06-04 c:\windows\Tasks\PMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2006-11-17 17:41]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local;<local>
uInternet Settings,ProxyServer = 10.7.192.2:8080
IE: Download all with Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm
IE: Download video with Free Download Manager - file://c:\program files\Free Download Manager\dlfvideo.htm
IE: Download with Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
Trusted Zone: google.com\www
Trusted Zone: olf.com\h2o
Trusted Zone: olf.com\oebdsn1
Trusted Zone: olf.com\oebpas1
Trusted Zone: olf.com\olfandex1.andover
Trusted Zone: olf.com\tenrox
Trusted Zone: olf.com\h2o
Trusted Zone: olf.com\tenrox
TCP: DhcpNameServer = 192.168.1.1 68.237.161.12
DPF: {26B2A5DA-BFD6-422F-A89A-28A54C74B12B} - hxxp://www.costcophotocenter.com/upload/activex/v3_0_0_4/PhotoCenter_ActiveX_Control.cab
DPF: {D1610EA9-8DC7-4B2A-80DC-255032022E96} - hxxp://cp-txprod.olf.com/PTWeb/DTFileUploadCtrl.cab
FF - ProfilePath - c:\documents and settings\pvidulic\Application Data\Mozilla\Firefox\Profiles\1nc1d3r.default\
FF - prefs.js: network.proxy.type - 2
FF - ExtSQL: 2013-05-30 20:56; {B7245FCB-27B3-4CFC-BAC0-50BCD09BE131}; c:\documents and settings\pvidulic\Application Data\Mozilla\Firefox\Profiles\1nc1d3r.default\extensions\{B7245FCB-27B3-4CFC-BAC0-50BCD09BE131}
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{878B8524-AED5-4870-9A96-A515440DAC75} - (no file)
AddRemove-sl-adk - c:\program files\OApps\sl-adk_uninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-06-03 23:11
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_202_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_202_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1420)
c:\windows\system32\Ati2evxx.dll
c:\program files\ThinkVantage Fingerprint Software\psqlpwd.dll
c:\program files\ThinkVantage Fingerprint Software\homefus2.dll
c:\program files\ThinkVantage Fingerprint Software\infql2.dll
c:\program files\ThinkVantage Fingerprint Software\homepass.dll
c:\program files\ThinkVantage Fingerprint Software\bio.dll
c:\program files\ThinkVantage Fingerprint Software\qlbase.dll
c:\program files\Lenovo\AwayTask\AwayNotify.dll
.
- - - - - - - > 'lsass.exe'(1476)
c:\program files\ThinkVantage Fingerprint Software\psqlpwd.dll
c:\program files\ThinkVantage Fingerprint Software\homefus2.dll
c:\program files\ThinkVantage Fingerprint Software\infql2.dll
.
Completion time: 2013-06-03 23:14:30
ComboFix-quarantined-files.txt 2013-06-04 03:14
.
Pre-Run: 3,085,787,136 bytes free
Post-Run: 3,069,640,704 bytes free
.
- - End Of File - - 3889829A29A02010A71A7A257DCD3CF6
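The ComboFix log above is long, and the lines worth a second look (the firewall profile with `"EnableFirewall"= 0`, the Security Center monitoring entries set to `DisableMonitoring`, a service whose binary sits under the user's profile, a driver entry ComboFix marks `[?]` because the file is missing, and the configured proxy) are scattered through it. The script below is an added example, not code from this thread or from ComboFix: it parses lines in the format shown in the log and surfaces those items for a helper to review. The sample lines are copied verbatim from the log above; the flagging rules are my own heuristics.

```python
"""Triage helper for ComboFix-style log lines.

Added example, not code from the thread or from ComboFix: it reads the kind of
lines shown in the log above and flags settings a helper would want to check
first. The heuristics are mine; the sample lines are copied from the posted log.
"""
import re

# Constructed sample: lines copied verbatim from the ComboFix log posted above.
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
R1 avgtp;avgtp;c:\windows\system32\drivers\avgtpx86.sys [5/3/2013 8:31 PM 37664]
S2 BackupService;BackupService;c:\documents and settings\pvidulic\Application Data\HP SimpleSave Application\uUACTokenSvc.exe [8/23/2010 8:11 PM 83512]
S3 urvpndrv;F5 Networks VPN Adapter;c:\windows\system32\DRIVERS\covpndrv.sys --> c:\windows\system32\DRIVERS\covpndrv.sys [?]
uInternet Settings,ProxyServer = 10.7.192.2:8080
"""

# ComboFix service/driver lines start with a state code: R = running, S = stopped.
SERVICE_LINE_RE = re.compile(r"^([RS]\d)\s+(.*)$")
# Service binaries living under a user profile rather than Program Files or
# System32 are unusual enough to deserve a look (not a verdict on their own).
USER_PROFILE_RE = re.compile(r"^c:\\(documents and settings|users)\\", re.I)


def parse_service(line):
    """Split 'R2 name;display;path [date size]' into fields; None if not a service line."""
    m = SERVICE_LINE_RE.match(line)
    if not m:
        return None
    state, rest = m.groups()
    parts = rest.split(";", 2)
    if len(parts) != 3:
        return None
    name, display, tail = parts
    # The trailing "[...]" holds date and size, or "[?]" when ComboFix could not find the file.
    path, sep, meta = tail.rpartition(" [")
    if not sep:
        path, meta = tail, ""
    return {
        "state": state,
        "name": name,
        "display": display,
        "path": path.strip(),
        "meta": meta.rstrip("]"),
    }


def triage(log_text):
    """Return (finding, detail) pairs for lines a reviewer should check first."""
    findings = []
    current_key = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        if line.startswith("["):
            current_key = line.strip("[]")  # registry key heading for the values that follow
            continue
        key_l = (current_key or "").lower()
        if "firewallpolicy" in key_l and re.match(r'"EnableFirewall"\s*=\s*0\b', line):
            findings.append(("firewall_disabled", current_key))
        elif "security center\\monitoring" in key_l and '"DisableMonitoring"=dword:00000001' in line:
            findings.append(("security_center_monitoring_disabled", current_key.rsplit("\\", 1)[-1]))
        elif line.lower().startswith("uinternet settings,proxyserver"):
            findings.append(("proxy_configured", line.split("=", 1)[1].strip()))
        else:
            svc = parse_service(line)
            if svc is None:
                continue
            if USER_PROFILE_RE.match(svc["path"]):
                findings.append(("service_in_user_profile", svc["name"]))
            if svc["meta"] == "?":
                findings.append(("service_binary_missing", svc["name"]))
    return findings


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LOG):
        print(f"{kind:40} {detail}")
```

Each finding is a lead, not a conclusion: on a domain-joined machine running a managed antivirus client, as this one appears to be, the Windows firewall and Security Center monitoring may well be turned off by policy, and a service under the user profile can be a legitimate vendor tool. The point of the pass is to make sure those lines get looked at rather than lost among the hundreds of normal entries.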
 

Fiery

Level 1
Jan 11, 2011
2,007
Sorry for the delay, I have been really busy.

Does the redirect/pop-up happen in every browser or just one?

Please download Junkware Removal Tool to your desktop from here
  • Turn off your antivirus software now to avoid potential conflicts
  • Double-click to run the tool. For Windows Vista or 7 users, right-click the file and select Run as Administrator
  • The tool will open and start scanning your system
  • Please be patient as this can take a while to complete depending on your system's specifications
  • On completion, a log (JRT.txt) will be saved to your desktop and will automatically open
  • Post the contents of JRT.txt into your next reply
 

donnamv

New Member
Thread author
Aug 16, 2012
49
The pop-ups happen the most when I use Mozilla, a few with Chrome, and none with Internet Explorer.
Here is the log:


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 4.9.4 (05.06.2013:1)
OS: Microsoft Windows XP x86
Ran by pvidulic on Wed 06/05/2013 at 7:23:00.47
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values



~~~ Registry Keys



~~~ Files



~~~ Folders





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Wed 06/05/2013 at 7:28:11.71
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 

Fiery

Level 1
Jan 11, 2011
2,007
Hi,

Open OTL. Under custom scan/fixes, copy and paste the following:

:OTL
CHR - Extension: Select-Links = C:\Documents and Settings\pvidulic\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\bpgmklnlnckkfjnfajpjenmeiagokmbe\4.3_0\
[2013/05/30 20:56:24 | 000,000,000 | ---D | M] (SelectionLinks) -- C:\Documents and Settings\pvidulic\Application Data\Mozilla\Firefox\Profiles\1nc1d3r.default\extensions\{B7245FCB-27B3-4CFC-BAC0-50BCD09BE131}
FF - prefs.js..extensions.enabledAddons: %7BB7245FCB-27B3-4CFC-BAC0-50BCD09BE131%7D:1.5

:Commands
[EMPTYTEMP]

Then click Run Fix. Let your PC reboot to normal mode. A new log will be created automatically; post its contents in your next reply.
 

donnamv

New Member
Thread author
Aug 16, 2012
49
I tried to run the fix, but the computer was frozen overnight... so I had to restart it... No log came up...
 

Fiery

Level 1
Jan 11, 2011
2,007
Can you try the fix again in Safe Mode?

Start your computer in Safe Mode with Networking.

  • Remove all floppy disks, CDs, and DVDs from your computer, and then restart your computer.
  • Tap the F8 key continuously until you get the Advanced Boot Options screen.
  • On the Advanced Boot Options screen, use the arrow keys to highlight Safe Mode with Networking, and then press ENTER.

[Image: Safe Mode with Networking screen - http://malwaretips.com/images/removalguide/safemode.jpg]
 

donnamv

New Member
Thread author
Aug 16, 2012
49
OK, that worked.

All processes killed
========== OTL ==========
File C:\Documents and Settings\pvidulic\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\bpgmklnlnckkfjnfajpjenmeiagokmbe\4.3_0 not found.
C:\Documents and Settings\pvidulic\Application Data\Mozilla\Firefox\Profiles\1nc1d3r.default\extensions\{B7245FCB-27B3-4CFC-BAC0-50BCD09BE131}\skin folder moved successfully.
C:\Documents and Settings\pvidulic\Application Data\Mozilla\Firefox\Profiles\1nc1d3r.default\extensions\{B7245FCB-27B3-4CFC-BAC0-50BCD09BE131}\locale\en-US folder moved successfully.
C:\Documents and Settings\pvidulic\Application Data\Mozilla\Firefox\Profiles\1nc1d3r.default\extensions\{B7245FCB-27B3-4CFC-BAC0-50BCD09BE131}\locale folder moved successfully.
C:\Documents and Settings\pvidulic\Application Data\Mozilla\Firefox\Profiles\1nc1d3r.default\extensions\{B7245FCB-27B3-4CFC-BAC0-50BCD09BE131}\defaults\preferences folder moved successfully.
C:\Documents and Settings\pvidulic\Application Data\Mozilla\Firefox\Profiles\1nc1d3r.default\extensions\{B7245FCB-27B3-4CFC-BAC0-50BCD09BE131}\defaults folder moved successfully.
C:\Documents and Settings\pvidulic\Application Data\Mozilla\Firefox\Profiles\1nc1d3r.default\extensions\{B7245FCB-27B3-4CFC-BAC0-50BCD09BE131}\content folder moved successfully.
C:\Documents and Settings\pvidulic\Application Data\Mozilla\Firefox\Profiles\1nc1d3r.default\extensions\{B7245FCB-27B3-4CFC-BAC0-50BCD09BE131} folder moved successfully.
Prefs.js: %7BB7245FCB-27B3-4CFC-BAC0-50BCD09BE131%7D:1.5 removed from extensions.enabledAddons
File PTYTEMP] not found.

OTL by OldTimer - Version 3.2.69.0 log created on 06062013_223012

Files\Folders moved on Reboot...

PendingFileRenameOperations files...

Registry entries deleted on Reboot...
 

donnamv

New Member
Thread author
Aug 16, 2012
49
Pop-ups still happen with Mozilla, but not as many. This is one of them:
http://ad.xtendmedia.com/rw?title=&qs=iframe3%3F32fKD66%2EPQBnW0ABAAAAACHETQAAAAAAAgAAAAAAAAAAAP8AAAACFXIRZQAAAAAAyVlkAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADfLhcAAAAAAAICAgAAgD8AAAAAAAAAAACamTlhQGXkPwAAAAAAAAAAAABAioir7z8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB3p803rln%2EDd1mORIGLOd4J6VLi22USl9yZp5xAAAAAA%3D%3D%2C%2Chttp%253A%252F%252Fmalwaretips%2Ecom%252Fuser%2Ddonnamv%2CB%253D10%2526I%253D1100%2D1120%2526S%253D1%5Ffirefox%2526Z%253D0x0%2526%5Fsalt%253D2188512104%2526e%253D778373%2526r%253D1%2526y%253D28%2C6ab92ce0%2Dd231%2D11e2%2D9817%2D10604ba6e0bc%2C1370912046028
 
