Fake AVG virus

D

donnamv

New Member
Thread author
Aug 16, 2012
49
AdwCleaner Log:

# AdwCleaner v2.301 - Logfile created 06/02/2013 at 20:51:27
# Updated 16/05/2013 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : pvidulic - IBMLAP539
# Boot Mode : Normal
# Running from : C:\Documents and Settings\pvidulic\My Documents\Downloads\AdwCleaner.exe
# Option [Delete]


***** [Services] *****

Stopped & Deleted : CltMngSvc

***** [Files / Folders] *****

Deleted on reboot : C:\Documents and Settings\pvidulic\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\fdkednngfjmpnljkolbapdednncafhen
Deleted on reboot : C:\Documents and Settings\pvidulic\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\fdkednngfjmpnljkolbapdednncafhen
File Deleted : C:\Documents and Settings\pvidulic\Application Data\Mozilla\Firefox\Profiles\1nc1d3r.default\searchplugins\Conduit.xml
File Deleted : C:\END
Folder Deleted : C:\Documents and Settings\pvidulic\Application Data\Mozilla\Firefox\Profiles\1nc1d3r.default\CT3298566
Folder Deleted : C:\Documents and Settings\pvidulic\Application Data\Mozilla\Firefox\Profiles\1nc1d3r.default\extensions\{1122b43d-30ee-403f-9bfa-3cc99b0caddd}
Folder Deleted : C:\Documents and Settings\pvidulic\Application Data\Mozilla\Firefox\Profiles\1nc1d3r.default\Smartbar
Folder Deleted : C:\Documents and Settings\pvidulic\Application Data\SearchProtect
Folder Deleted : C:\Documents and Settings\pvidulic\Local Settings\Application Data\Conduit
Folder Deleted : C:\Documents and Settings\pvidulic\Local Settings\Application Data\MixiDJ_V30
Folder Deleted : C:\Program Files\MixiDJ_V30
Folder Deleted : C:\Program Files\OApps
Folder Deleted : C:\Program Files\SearchProtect
Folder Deleted : C:\temp\CT3298566

***** [Registry] *****

Key Deleted : HKCU\Software\Conduit
Key Deleted : HKCU\Software\Google\Chrome\Extensions\fdkednngfjmpnljkolbapdednncafhen
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1122B43D-30EE-403F-9BFA-3CC99B0CADDD}
Key Deleted : HKCU\Software\MixiDJ_V30
Key Deleted : HKCU\Software\SearchProtect
Key Deleted : HKCU\Software\SmartBar
Key Deleted : HKLM\Software\Conduit
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\fdkednngfjmpnljkolbapdednncafhen
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\SearchProtect
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1122B43D-30EE-403F-9BFA-3CC99B0CADDD}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MixiDJ_V30 Toolbar
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SearchProtect
Key Deleted : HKLM\Software\MixiDJ_V30
Key Deleted : HKLM\Software\SearchProtect
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks [{1122B43D-30EE-403F-9BFA-3CC99B0CADDD}]
Value Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Run [searchprotect]
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{1122B43D-30EE-403F-9BFA-3CC99B0CADDD}]
Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [SearchProtectAll]

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18702

Replaced : [HKCU\Software\Microsoft\Internet Explorer\Main - Start Page] = hxxp://search.conduit.com?SearchSource=10&CUI=UN19034251672947645&UM=2&ctid=CT3298566 --> hxxp://www.google.com

-\\ Mozilla Firefox v21.0 (en-US)

File : C:\Documents and Settings\pvidulic\Application Data\Mozilla\Firefox\Profiles\1nc1d3r.default\prefs.js

C:\Documents and Settings\pvidulic\Application Data\Mozilla\Firefox\Profiles\1nc1d3r.default\user.js ... Deleted !

Deleted : user_pref("CT3298566.1000082.isPlayDisplay", "true");
Deleted : user_pref("CT3298566.1000082.state", "{\"state\":\"stopped\",\"text\":\"Californi...\",\"description[...]
Deleted : user_pref("CT3298566.ENABALE_HISTORY", "{\"dataType\":\"string\",\"data\":\"true\"}");
Deleted : user_pref("CT3298566.ENABLE_RETURN_WEB_SEARCH_ON_THE_PAGE", "{\"dataType\":\"string\",\"data\":\"tru[...]
Deleted : user_pref("CT3298566.FF19Solved", "true");
Deleted : user_pref("CT3298566.FirstTime", "true");
Deleted : user_pref("CT3298566.FirstTimeFF3", "true");
Deleted : user_pref("CT3298566.PG_ENABLE", "dHJ1ZQ==");
Deleted : user_pref("CT3298566.PG_ENABLE.enc", "dHJ1ZQ==");
Deleted : user_pref("CT3298566.SearchFromAddressBarUrl", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT329[...]
Deleted : user_pref("CT3298566.TopHitsConfig.enc", "ew0KICAgICJzcHJpdGVVcmwiOiAiaHR0cDovL3N0b3JhZ2UuY29uZHVpdC[...]
Deleted : user_pref("CT3298566.UserID", "UN36535174952338531");
Deleted : user_pref("CT3298566.YTbyClickFavorites.enc", "W10=");
Deleted : user_pref("CT3298566.YTbyClickRecent.enc", "W10=");
Deleted : user_pref("CT3298566.addressBarTakeOverEnabledInHidden", "true");
Deleted : user_pref("CT3298566.autoDisableScopes", 0);
Deleted : user_pref("CT3298566.browser.search.defaultthis.engineName", "true");
Deleted : user_pref("CT3298566.cb_experience_000.enc", "MTY=");
Deleted : user_pref("CT3298566.cb_firstuse0100.enc", "MQ==");
Deleted : user_pref("CT3298566.cb_user_id_000.enc", "Q0I0OTY0NjE2ODY5OF8xMzY5OTYxNzU5NzQ5X0ZpcmVmb3g=");
Deleted : user_pref("CT3298566.cbfirsttime.enc", "VGh1IE1heSAzMCAyMDEzIDIwOjU1OjU5IEdNVC0wNDAwIChFYXN0ZXJuIFN0[...]
Deleted : user_pref("CT3298566.defaultSearch", "true");
Deleted : user_pref("CT3298566.embeddedsData", "[{\"appId\":\"130110228003246321\",\"apiPermissions\":{\"cross[...]
Deleted : user_pref("CT3298566.enableAlerts", "true");
Deleted : user_pref("CT3298566.enableFix404ByUser", "TRUE");
Deleted : user_pref("CT3298566.enableSearchFromAddressBar", "true");
Deleted : user_pref("CT3298566.firstTimeDialogOpened", "true");
Deleted : user_pref("CT3298566.fixPageNotFoundError", "true");
Deleted : user_pref("CT3298566.fixPageNotFoundErrorByUser", "true");
Deleted : user_pref("CT3298566.fixPageNotFoundErrorInHidden", "true");
Deleted : user_pref("CT3298566.fixUrls", true);
Deleted : user_pref("CT3298566.installDate", "30/5/2013 20:53:01");
Deleted : user_pref("CT3298566.installId", "cid111");
Deleted : user_pref("CT3298566.installSessionId", "{804B7DF1-72DF-48CA-9DA9-9C73A573C13B}");
Deleted : user_pref("CT3298566.installSp", "TRUE");
Deleted : user_pref("CT3298566.installType", "conduitnsisintegration");
Deleted : user_pref("CT3298566.installUsage", "2013-05-31T03:55:36.7045735+03:00");
Deleted : user_pref("CT3298566.installUsageEarly", "2013-05-31T03:55:34.8171671+03:00");
Deleted : user_pref("CT3298566.installerVersion", "1.4.2.3");
Deleted : user_pref("CT3298566.isCheckedStartAsHidden", true);
Deleted : user_pref("CT3298566.isEnableAllDialogs", "{\"dataType\":\"string\",\"data\":\"true\"}");
Deleted : user_pref("CT3298566.isFirstTimeToolbarLoading", "false");
Deleted : user_pref("CT3298566.isToolbarShrinked", "{\"dataType\":\"string\",\"data\":\"false\"}");
Deleted : user_pref("CT3298566.keyword", "true");
Deleted : user_pref("CT3298566.lastNewTabSettings", "{\"isEnabled\":false,\"newTabUrl\":\"hxxp://search.condui[...]
Deleted : user_pref("CT3298566.lastVersion", "10.16.1.902");
Deleted : user_pref("CT3298566.mam_gk_appStateReportTime.enc", "MTM3MDAyNzk1NjExOQ==");
Deleted : user_pref("CT3298566.mam_gk_appState_CouponBuddy.enc", "b24=");
Deleted : user_pref("CT3298566.mam_gk_appState_PriceGong.enc", "b24=");
Deleted : user_pref("CT3298566.mam_gk_appsData.enc", "eyJhcHBzIjpbeyJpZCI6IlByaWNlR29uZyIsInVybCI6Imh0dHA6Ly9w[...]
Deleted : user_pref("CT3298566.mam_gk_appsDefaultEnabled.enc", "bnVsbA==");
Deleted : user_pref("CT3298566.mam_gk_configuration.enc", "eyJjb25maWd1cmF0aW9uIjpbeyJpZCI6IlByaWNlR29uZyIsImN[...]
Deleted : user_pref("CT3298566.mam_gk_currentVersion.enc", "MS42LjAuOTk=");
Deleted : user_pref("CT3298566.mam_gk_first_time.enc", "MQ==");
Deleted : user_pref("CT3298566.mam_gk_gadgetOpen.enc", "d2VsY29tZQ==");
Deleted : user_pref("CT3298566.mam_gk_installer_preapproved.enc", "ZmFsc2U=");
Deleted : user_pref("CT3298566.mam_gk_lastLoginTime.enc", "MTM3MDAyNzk1NDQyOA==");
Deleted : user_pref("CT3298566.mam_gk_localization.enc", "eyJnYWRnZXRDb250ZW50UG9saWN5Ijp7IlRleHQiOiJDb250ZW50[...]
Deleted : user_pref("CT3298566.mam_gk_pgUnloadedOnce.enc", "dHJ1ZQ==");
Deleted : user_pref("CT3298566.mam_gk_settings1.6.0.99.enc", "eyJTdGF0dXMiOiJzdWNjZWVkZWQiLCJEYXRhIjp7ImludGVy[...]
Deleted : user_pref("CT3298566.mam_gk_showCloseButton.enc", "dHJ1ZQ==");
Deleted : user_pref("CT3298566.mam_gk_showWelcomeGadget.enc", "ZmFsc2U=");
Deleted : user_pref("CT3298566.mam_gk_userId.enc", "Njk5YjZkNGYtMjlhYy00MjQxLTg5YjktMzU4NDk4YzU2YWZl");
Deleted : user_pref("CT3298566.migrateAppsAndComponents", true);
Deleted : user_pref("CT3298566.navigationAliasesJson", "{\"EB_SEARCH_TERM\":\"\",\"EB_MAIN_FRAME_URL\":\"hxxp%[...]
Deleted : user_pref("CT3298566.openThankYouPage", "false");
Deleted : user_pref("CT3298566.openUninstallPage", "true");
Deleted : user_pref("CT3298566.originalSearchAddressUrl", "");
Deleted : user_pref("CT3298566.originalSearchEngine", "Google");
Deleted : user_pref("CT3298566.price-gong.isManagedApp", "true");
Deleted : user_pref("CT3298566.revertSettingsEnabled", "false");
Deleted : user_pref("CT3298566.search.searchAppId", "130110228003246321");
Deleted : user_pref("CT3298566.search.searchCount", "0");
Deleted : user_pref("CT3298566.searchFromAddressBarEnabledByUser", "true");
Deleted : user_pref("CT3298566.searchInNewTabEnabledByUser", "true");
Deleted : user_pref("CT3298566.searchInNewTabEnabledInHidden", "true");
Deleted : user_pref("CT3298566.searchRevert", "false");
Deleted : user_pref("CT3298566.searchUserMode", "2");
Deleted : user_pref("CT3298566.selectToSearchBoxEnabled", "{\"dataType\":\"string\",\"data\":\"true\"}");
Deleted : user_pref("CT3298566.serviceLayer_service_login_isFirstLoginInvoked", "{\"dataType\":\"boolean\",\"d[...]
Deleted : user_pref("CT3298566.serviceLayer_service_login_loginCount", "{\"dataType\":\"number\",\"data\":\"4\[...]
Deleted : user_pref("CT3298566.serviceLayer_service_toolbarGrouping_activeCTID", "{\"dataType\":\"string\",\"d[...]
Deleted : user_pref("CT3298566.serviceLayer_service_toolbarGrouping_activeDownloadUrl", "{\"dataType\":\"strin[...]
Deleted : user_pref("CT3298566.serviceLayer_service_toolbarGrouping_activeToolbarName", "{\"dataType\":\"strin[...]
Deleted : user_pref("CT3298566.serviceLayer_service_toolbarGrouping_invoked", "{\"dataType\":\"string\",\"data[...]
Deleted : user_pref("CT3298566.serviceLayer_services_appTrackingFirstTime_lastUpdate", "1369961741180");
Deleted : user_pref("CT3298566.serviceLayer_services_appsMetadata_lastUpdate", "1369961806783");
Deleted : user_pref("CT3298566.serviceLayer_services_gottenAppsContextMenu_lastUpdate", "1369961740937");
Deleted : user_pref("CT3298566.serviceLayer_services_installUsage_ToolbarInstallEarly_lastUpdate", "1369961738[...]
Deleted : user_pref("CT3298566.serviceLayer_services_installUsage_ToolbarInstall_lastUpdate", "1369961741426")[...]
Deleted : user_pref("CT3298566.serviceLayer_services_location_lastUpdate", "1369961738933");
Deleted : user_pref("CT3298566.serviceLayer_services_login_10.16.1.902_lastUpdate", "1369961741438");
Deleted : user_pref("CT3298566.serviceLayer_services_otherAppsContextMenu_lastUpdate", "1369961741070");
Deleted : user_pref("CT3298566.serviceLayer_services_searchAPI_lastUpdate", "1369961738893");
Deleted : user_pref("CT3298566.serviceLayer_services_serviceMap_lastUpdate", "1369961736302");
Deleted : user_pref("CT3298566.serviceLayer_services_toolbarContextMenu_lastUpdate", "1369961740712");
Deleted : user_pref("CT3298566.serviceLayer_services_toolbarSettings_lastUpdate", "1369961806623");
Deleted : user_pref("CT3298566.serviceLayer_services_translation_lastUpdate", "1369961741266");
Deleted : user_pref("CT3298566.settingsINI", true);
Deleted : user_pref("CT3298566.shouldFirstTimeDialog", "false");
Deleted : user_pref("CT3298566.showToolbarPermission", "false");
Deleted : user_pref("CT3298566.smartbar.CTID", "CT3298566");
Deleted : user_pref("CT3298566.smartbar.Uninstall", "0");
Deleted : user_pref("CT3298566.smartbar.homepage", "true");
Deleted : user_pref("CT3298566.smartbar.toolbarName", "MixiDJ V30 ");
Deleted : user_pref("CT3298566.startPage", "true");
Deleted : user_pref("CT3298566.toolbarBornServerTime", "31-5-2013");
Deleted : user_pref("CT3298566.toolbarCurrentServerTime", "31-5-2013");
Deleted : user_pref("CT3298566.toolbarLoginClientTime", "Thu May 30 2013 20:55:41 GMT-0400 (Eastern Standard T[...]
Deleted : user_pref("CT3298566.url_history0001.enc", "aHR0cDovL21hbHdhcmV0aXBzLmNvbS9UaHJlYWQtRmFrZS1BVkctdmly[...]
Deleted : user_pref("CT3298566.versionFromInstaller", "10.16.1.902");
Deleted : user_pref("CT3298566_Firefox.csv", "[{\"from\":\"Abs Layer\",\"action\":\"loading toolbar\",\"time\"[...]
Deleted : user_pref("Smartbar.ConduitHomepagesList", "hxxp://search.conduit.com/?ctid=CT3298566&octid=CT329856[...]
Deleted : user_pref("Smartbar.ConduitSearchEngineList", "MixiDJ V30 Customized Web Search");
Deleted : user_pref("Smartbar.ConduitSearchUrlList", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3298566[...]
Deleted : user_pref("Smartbar.SearchFromAddressBarSavedUrl", "");
Deleted : user_pref("Smartbar.keywordURLSelectedCTID", "CT3298566");
Deleted : user_pref("browser.search.defaultthis.engineName", "MixiDJ V30 Customized Web Search");
Deleted : user_pref("browser.search.defaulturl", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3298566&CUI[...]
Deleted : user_pref("browser.search.selectedEngine", "MixiDJ V30 Customized Web Search");
Deleted : user_pref("browser.startup.homepage", "hxxp://search.conduit.com/?ctid=CT3298566&octid=CT3298566&Sea[...]
Deleted : user_pref("keyword.URL", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3298566&SearchSource=2&CU[...]
Deleted : user_pref("smartbar.addressBarOwnerCTID", "CT3298566");
Deleted : user_pref("smartbar.conduitHomepageList", "hxxp://search.conduit.com/?ctid=CT3298566&CUI=UN365351749[...]
Deleted : user_pref("smartbar.conduitSearchAddressUrlList", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT[...]
Deleted : user_pref("smartbar.defaultSearchOwnerCTID", "CT3298566");
Deleted : user_pref("smartbar.homePageOwnerCTID", "CT3298566");
Deleted : user_pref("smartbar.machineId", "SONLSAAWLGQZDSUMOON3AALCNL0OB90CYNK143VFKSQGTLXNGT4GQZFLVVSYZ5GO5PT[...]
Deleted : user_pref("smartbar.originalHomepage", "hxxp://search.conduit.com/?ctid=CT3298566&CUI=UN365351749523[...]

-\\ Google Chrome v27.0.1453.94

File : C:\Documents and Settings\pvidulic\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences

Deleted [l.2452] : homepage = "hxxp://search.conduit.com/?ctid=CT3298566&SearchSource=48&CUI=UN37761102081653719&UM[...]
Deleted [l.3104] : urls_to_restore_on_startup = [ "hxxp://search.conduit.com/?ctid=CT3298566&SearchSource=48&CUI[...]

*************************

AdwCleaner[R1].txt - [14846 octets] - [02/06/2013 20:48:49]
AdwCleaner[S1].txt - [15083 octets] - [02/06/2013 20:51:27]

########## EOF - C:\AdwCleaner[S1].txt - [15144 octets] ##########
 
D

donnamv

New Member
Thread author
Aug 16, 2012
49
Rouge Killer Log:
RogueKiller V8.5.4 [Mar 18 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : pvidulic [Admin rights]
Mode : Remove -- Date : 06/02/2013 21:11:06
| ARK || FAK || MBR |

¤¤¤ Bad processes : 1 ¤¤¤
[SUSP PATH] StartHelper.exe -- C:\Documents and Settings\pvidulic\Application Data\HP SimpleSave Application\StartHelper.exe [7] -> KILLED [TermProc]

¤¤¤ Registry Entries : 4 ¤¤¤
[STARTUP][SUSP PATH] HP SimpleSave Monitor.lnk @pvidulic : C:\Documents and Settings\pvidulic\Application Data\HP SimpleSave Application\StartHelper.exe [7] -> DELETED
[PROXY IE] HKCU\[...]\Internet Settings : ProxyServer (10.7.192.2:8080) -> NOT REMOVED, USE PROXYFIX
[HJPOL] HKCU\[...]\System : DisableRegistryTools (0) -> DELETED
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> DELETED

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤
SSDT[41] : NtCreateKey @ 0x806240F0 -> HOOKED (Unknown @ 0x8761DD60)
SSDT[43] : NtCreateMutant @ 0x8061769E -> HOOKED (Unknown @ 0x8761ED40)
SSDT[47] : NtCreateProcess @ 0x805D1230 -> HOOKED (Unknown @ 0x8761D260)
SSDT[48] : NtCreateProcessEx @ 0x805D117A -> HOOKED (Unknown @ 0x8761D520)
SSDT[53] : NtCreateThread @ 0x805D1018 -> HOOKED (Unknown @ 0x8761EA00)
SSDT[63] : NtDeleteKey @ 0x8062458C -> HOOKED (Unknown @ 0x8761E2E0)
SSDT[65] : NtDeleteValueKey @ 0x8062475C -> HOOKED (Unknown @ 0x8761E5A0)
SSDT[97] : NtLoadDriver @ 0x80584160 -> HOOKED (Unknown @ 0x8761EBA0)
SSDT[122] : NtOpenProcess @ 0x805CB440 -> HOOKED (Unknown @ 0x8761D7E0)
SSDT[240] : NtSetSystemInformation @ 0x8060FD06 -> HOOKED (Unknown @ 0x8761EEE0)
SSDT[247] : NtSetValueKey @ 0x80622662 -> HOOKED (Unknown @ 0x8761E020)
SSDT[257] : NtTerminateProcess @ 0x805D29E2 -> HOOKED (Unknown @ 0x8761DAA0)
SSDT[277] : NtWriteVirtualMemory @ 0x805B43CC -> HOOKED (Unknown @ 0x8761E860)
S_SSDT[548] : NtUserSetWindowsHookAW -> HOOKED (Unknown @ 0x8761F540)
S_SSDT[549] : NtUserSetWindowsHookEx -> HOOKED (Unknown @ 0x8761F360)

¤¤¤ HOSTS File: ¤¤¤
--> C:\WINDOWS\system32\drivers\etc\hosts

127.0.0.1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: HTS541080G9SA00 +++++
--- User ---
[MBR] e3f83c72ff09a4512f8c37e620825edf
[BSP] f4f37b2ef736532be808bea337d4827d : MBR Code unknown
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 76316 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[2]_D_06022013_02d2111.txt >>
RKreport[1]_S_06022013_02d2109.txt ; RKreport[2]_D_06022013_02d2111.txt
 
D

donnamv

New Member
Thread author
Aug 16, 2012
49
And here are the last 2 logs attached


donnamv said:
Rouge Killer Log:
RogueKiller V8.5.4 [Mar 18 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : pvidulic [Admin rights]
Mode : Remove -- Date : 06/02/2013 21:11:06
| ARK || FAK || MBR |

¤¤¤ Bad processes : 1 ¤¤¤
[SUSP PATH] StartHelper.exe -- C:\Documents and Settings\pvidulic\Application Data\HP SimpleSave Application\StartHelper.exe [7] -> KILLED [TermProc]

¤¤¤ Registry Entries : 4 ¤¤¤
[STARTUP][SUSP PATH] HP SimpleSave Monitor.lnk @pvidulic : C:\Documents and Settings\pvidulic\Application Data\HP SimpleSave Application\StartHelper.exe [7] -> DELETED
[PROXY IE] HKCU\[...]\Internet Settings : ProxyServer (10.7.192.2:8080) -> NOT REMOVED, USE PROXYFIX
[HJPOL] HKCU\[...]\System : DisableRegistryTools (0) -> DELETED
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> DELETED

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤
SSDT[41] : NtCreateKey @ 0x806240F0 -> HOOKED (Unknown @ 0x8761DD60)
SSDT[43] : NtCreateMutant @ 0x8061769E -> HOOKED (Unknown @ 0x8761ED40)
SSDT[47] : NtCreateProcess @ 0x805D1230 -> HOOKED (Unknown @ 0x8761D260)
SSDT[48] : NtCreateProcessEx @ 0x805D117A -> HOOKED (Unknown @ 0x8761D520)
SSDT[53] : NtCreateThread @ 0x805D1018 -> HOOKED (Unknown @ 0x8761EA00)
SSDT[63] : NtDeleteKey @ 0x8062458C -> HOOKED (Unknown @ 0x8761E2E0)
SSDT[65] : NtDeleteValueKey @ 0x8062475C -> HOOKED (Unknown @ 0x8761E5A0)
SSDT[97] : NtLoadDriver @ 0x80584160 -> HOOKED (Unknown @ 0x8761EBA0)
SSDT[122] : NtOpenProcess @ 0x805CB440 -> HOOKED (Unknown @ 0x8761D7E0)
SSDT[240] : NtSetSystemInformation @ 0x8060FD06 -> HOOKED (Unknown @ 0x8761EEE0)
SSDT[247] : NtSetValueKey @ 0x80622662 -> HOOKED (Unknown @ 0x8761E020)
SSDT[257] : NtTerminateProcess @ 0x805D29E2 -> HOOKED (Unknown @ 0x8761DAA0)
SSDT[277] : NtWriteVirtualMemory @ 0x805B43CC -> HOOKED (Unknown @ 0x8761E860)
S_SSDT[548] : NtUserSetWindowsHookAW -> HOOKED (Unknown @ 0x8761F540)
S_SSDT[549] : NtUserSetWindowsHookEx -> HOOKED (Unknown @ 0x8761F360)

¤¤¤ HOSTS File: ¤¤¤
--> C:\WINDOWS\system32\drivers\etc\hosts

127.0.0.1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: HTS541080G9SA00 +++++
--- User ---
[MBR] e3f83c72ff09a4512f8c37e620825edf
[BSP] f4f37b2ef736532be808bea337d4827d : MBR Code unknown
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 76316 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[2]_D_06022013_02d2111.txt >>
RKreport[1]_S_06022013_02d2109.txt ; RKreport[2]_D_06022013_02d2111.txt
Click to expand...
 

Attachments

  • OTL.Txt
    150.6 KB · Views: 123
  • Extras.Txt
    69.7 KB · Views: 115
D

donnamv

New Member
Thread author
Aug 16, 2012
49
no but everytime I go and open a new tab or reply to you I get a pop up from

http://www.updatevideos.com/?ClickID=32fKD758PQAi1kABAAAAANAEUgAAAAAAAAAAAAAAAAAAAA4AAgACCNe9TgAAAAAAcShpAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAnIxcAAAAAAAICAgAAgD8AMkzJCT8BAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=&PubID=264923103

which is from that download i did when I watch the soccer game online....it says to download flash or something....
 
Fiery

Fiery

Level 1
Jan 11, 2011
2,007
Please download ComboFix from one of these locations:

<a title="External link" href="http://download.bleepingcomputer.com/sUBs/ComboFix.exe" rel="external"><>Link 1</></a>
<a title="External link" href="http://www.infospyware.net/antimalware/combofix/" rel="external"><>Link 2</></a>
<ul>
<li>Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
See <a title="External link" href="http://www.bleepingcomputer.com/forums/topic114351.html" rel="external">HERE</a> for help</li>
<li>Double click on Combo-Fix & follow the prompts.</li>
</ul>

When finished, ComboFix will produce a log.

<>Note:</>
1. Do not mouseclick combofix's window while it's running. That may cause it to stall!
2. Remember to re-enable your anti-virus and anti-spyware before reconnecting to the Internet.
 
Last edited by a moderator:
D

donnamv

New Member
Thread author
Aug 16, 2012
49
When I clicked in the reply box I got the same pop up- Istall player.....

here is the Combo Fix Log

ComboFix 13-06-03.06 - pvidulic 06/03/2013 22:55:11.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1534.606 [GMT -4:00]
Running from: c:\documents and settings\pvidulic\My Documents\Downloads\ComboFix.exe
AV: Trend Micro OfficeScan Antivirus *Enabled/Updated* {58027DB4-A7D7-4BBF-AFB5-6A5AC1AB795C}
* Resident AV is active
.
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\TPAPSLOG.LOG
c:\windows\system32\TPHDLOG0.LOG
.
.
((((((((((((((((((((((((( Files Created from 2013-05-04 to 2013-06-04 )))))))))))))))))))))))))))))))
.
.
2013-05-31 19:23 . 2013-05-31 19:23 -------- d-----w- c:\documents and settings\pvidulic\Local Settings\Application Data\Sun
2013-05-31 01:16 . 2013-05-31 01:16 -------- d-----w- c:\program files\Common Files\Java
2013-05-31 01:15 . 2013-05-31 01:14 866720 ----a-w- c:\windows\system32\npDeployJava1.dll
2013-05-31 01:15 . 2013-05-31 01:14 94112 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-05-31 01:11 . 2013-05-31 01:11 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2013-05-31 00:57 . 2013-05-31 00:57 -------- d-----w- c:\program files\7-Zip
2013-05-30 02:05 . 2013-05-30 02:05 -------- d-----w- c:\windows\ERUNT
2013-05-30 02:03 . 2013-05-30 02:03 -------- d-----w- C:\JRT
2013-05-28 20:29 . 2013-05-28 20:29 -------- d-----w- c:\program files\ESET
2013-05-25 17:12 . 2013-05-25 17:12 -------- d-----w- c:\documents and settings\pvidulic\Application Data\Malwarebytes
2013-05-25 17:11 . 2013-05-25 17:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2013-05-25 17:11 . 2013-05-25 17:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2013-05-25 17:11 . 2013-04-04 18:50 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-05-24 22:32 . 2013-05-24 22:37 -------- d-----w- c:\program files\Common Files\Research in Motion
2013-05-24 22:27 . 2013-05-24 22:27 -------- d-----w- c:\program files\TeamViewer
2013-05-20 00:23 . 2013-05-20 00:23 -------- d-----w- c:\documents and settings\pvidulic\Application Data\AdobeUM
2013-05-20 00:18 . 2013-05-20 00:18 -------- d-----w- c:\program files\Common Files\Adobe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-06-02 03:58 . 2006-11-17 08:59 5427 ----a-w- c:\windows\system32\EGATHDRV.SYS
2013-05-31 01:14 . 2009-12-17 19:57 144896 ----a-w- c:\windows\system32\javacpl.cpl
2013-05-31 01:14 . 2011-08-04 00:33 788896 ----a-w- c:\windows\system32\deployJava1.dll
2013-05-25 01:21 . 2006-11-17 08:58 23552 ----a-w- c:\windows\system32\drivers\psasrv.exe
2013-05-25 01:21 . 2006-07-12 00:52 17536 ----a-w- c:\windows\system32\drivers\psadd.sys
2013-05-22 23:20 . 2013-04-02 12:35 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-05-22 23:20 . 2011-07-25 00:26 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-05-21 01:44 . 2013-05-04 00:31 37664 ----a-w- c:\windows\system32\drivers\avgtpx86.sys
2013-05-08 06:10 . 2013-03-26 19:33 770384 ----a-w- c:\windows\system32\msvcr100.dll
2013-05-08 06:10 . 2013-03-26 19:33 421200 ----a-w- c:\windows\system32\msvcp100.dll
2013-04-19 11:14 . 2013-05-04 00:30 139264 ----a-w- c:\windows\system32\bzpdfc.dll
2013-04-19 11:14 . 2013-05-04 00:29 200192 ----a-w- c:\windows\system32\bzpdf.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\Installshield\UpdateService\ISUSPM.exe" [2008-10-24 206112]
"Gadwin PrintScreen"="c:\program files\Gadwin Systems\PrintScreen\PrintScreen.exe" [2008-12-09 495616]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2009-04-16 417792]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2005-03-17 208896]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2008-10-06 118784]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-10-06 1323008]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2008-10-08 256576]
"TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2007-01-09 868352]
"TpShocks"="TpShocks.exe" [2009-02-03 181536]
"TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe" [2009-03-13 68976]
"TP4EX"="tp4ex.exe" [2005-10-17 65536]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-07-31 30192]
"LPManager"="c:\progra~1\THINKV~2\PrdCtr\LPMGR.exe" [2009-01-29 185688]
"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2008-03-04 487424]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2006-02-02 122940]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2008-10-24 206112]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2008-10-24 79136]
"AwaySch"="c:\program files\Lenovo\AwayTask\AwaySch.EXE" [2006-11-07 91688]
"DiskeeperSystray"="c:\program files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2006-05-19 196696]
"ACTray"="c:\program files\ThinkPad\ConnectUtilities\ACTray.exe" [2006-08-26 409600]
"ACWLIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2006-08-26 110592]
"PDService.exe"="c:\program files\Lenovo\SafeGuard PrivateDisk\pdservice.exe" [2006-03-14 41472]
"cssauth"="c:\program files\Lenovo\Client Security Solution\cssauth.exe" [2006-07-15 2341632]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"Message Center Plus"="c:\program files\LENOVO\Message Center Plus\MCPLaunch.exe" [2009-05-28 49976]
"LENOVO.TPFNF6R"="c:\program files\Lenovo\HOTKEY\TPFNF6R.exe" [2009-04-14 15136]
"TPFNF7"="c:\program files\Lenovo\NPDIRECT\TPFNF7SP.exe" [2009-08-03 62240]
"AMSG"="c:\progra~1\THINKV~2\AMSG\amsg.exe" [2009-04-29 424512]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696]
"LPMailChecker"="c:\progra~1\THINKV~2\PrdCtr\LPMLCHK.exe" [2009-01-29 124248]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-15 49152]
"OfficeScanNT Monitor"="c:\program files\Trend Micro\OfficeScan Client\pccntmon.exe" [2010-10-16 866592]
"ConnectionCenter"="c:\program files\Citrix\ICA Client\concentr.exe" [2010-05-12 300472]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-01-28 59720]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"TSClientMSIUninstaller"="c:\windows\Installer\TSClientMsiTrans\tscuinst.vbs" [2007-10-30 13801]
"TSClientAXDisabler"="c:\windows\Installer\TSClientMsiTrans\tscdsbl.bat" [2008-01-19 2247]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Bluetooth.lnk - c:\program files\ThinkPad\Bluetooth Software\BTTray.exe [2006-5-31 622653]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2009-9-15 50688]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]
Online plug-in.lnk - c:\windows\Installer\{7681A1A9-D865-4DC0-A319-41A49F5E78DB}\pnaico.exe.20FBBF0A_A7E5_4BDE_9798_9811C3D135AC.exe [N/A]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"enableinstallerdetection"= 0 (0x0)
"enablesecureuiapaths"= 0 (0x0)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLogonScripts"= 1 (0x1)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AwayNotify]
2006-08-16 17:07 49152 ------w- c:\program files\Lenovo\AwayTask\AwayNotify.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2009-05-21 20:54 100104 ------w- c:\program files\ThinkVantage Fingerprint Software\psqlpwd.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2006-09-06 20:37 34344 ------w- c:\program files\Lenovo\HOTKEY\notifyf2.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ c:\program files\ThinkVantage Fingerprint Software\psqlpwd.dll scecli
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1524525210-608246017-11539462-17652\Scripts\Logon\0\0]
"Script"=\\olf.com\SYSVOL\olf.com\scripts\asset.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1524525210-608246017-11539462-1893\Scripts\Logon\0\0]
"Script"=LyncNoPrompt.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1524525210-608246017-11539462-1893\Scripts\Logon\1\0]
"Script"=JunkMailImportLists.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1524525210-608246017-11539462-1893\Scripts\Logon\2\0]
"Script"=startup_script.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1524525210-608246017-11539462-1893\Scripts\Logon\3\0]
"Script"=\\olf.com\SYSVOL\olf.com\scripts\asset.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\TeamViewer\\Version8\\TeamViewer.exe"=
"c:\\Program Files\\TeamViewer\\Version8\\TeamViewer_Service.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:mad:xpsp2res.dll,-22009
"53233:TCP"= 53233:TCP:Trend Micro OfficeScan Listener
.
R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [1/28/2009 5:57 PM 20520]
R1 avgtp;avgtp;c:\windows\system32\drivers\avgtpx86.sys [5/3/2013 8:31 PM 37664]
R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [4/16/2010 5:22 PM 65584]
R2 Power Manager DBC Service;Power Manager DBC Service;c:\program files\ThinkPad\Utilities\PWMDBSVC.exe [9/15/2009 1:55 PM 53248]
R2 PrivateDisk;PrivateDisk;c:\program files\Lenovo\SafeGuard PrivateDisk\privatediskm.sys [3/13/2006 8:05 PM 58368]
R2 smi2;smi2;c:\program files\SMI2\smi2.sys [7/14/2006 7:55 PM 3968]
R2 smihlp2;SMI Helper Driver (smihlp2);c:\program files\ThinkVantage Fingerprint Software\smihlp.sys [3/13/2009 2:47 PM 12560]
R2 TeamViewer8;TeamViewer 8;c:\program files\TeamViewer\Version8\TeamViewer_Service.exe [5/24/2013 6:27 PM 3574624]
R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2/18/2010 3:51 PM 52304]
R2 TmFilter;Trend Micro Filter;c:\program files\Trend Micro\OfficeScan Client\TmXpflt.sys [9/30/2009 3:38 PM 264504]
R2 TmPreFilter;Trend Micro PreFilter;c:\program files\Trend Micro\OfficeScan Client\TmPreflt.sys [9/30/2009 3:37 PM 36664]
R2 TPHKSVC;On Screen Display;c:\program files\Lenovo\HOTKEY\TPHKSVC.exe [5/21/2009 8:48 PM 62320]
S2 Autorun CDROM Monitor;Autorun CDROM Monitor;c:\windows\system32\SupportAppXL\cdrom_mon.exe [11/10/2009 3:27 PM 81920]
S2 BackupService;BackupService;c:\documents and settings\pvidulic\Application Data\HP SimpleSave Application\uUACTokenSvc.exe [8/23/2010 8:11 PM 83512]
S2 gupdate1ca568ffa5b08a4;Google Update Service (gupdate1ca568ffa5b08a4);c:\program files\Google\Update\GoogleUpdate.exe [10/26/2009 6:59 PM 133104]
S2 LENOVO.MICMUTE;Lenovo Microphone Mute;c:\program files\Lenovo\HOTKEY\micmute.exe [5/21/2009 8:48 PM 45424]
S2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [5/25/2013 1:11 PM 418376]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [5/25/2013 1:11 PM 701512]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [11/17/2006 4:41 AM 30192]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [5/25/2013 1:11 PM 22856]
S3 ONDAusbmdm6k;ONDA Proprietary USB Driver;c:\windows\system32\drivers\ONDAusbmdm6k.sys [11/10/2009 3:27 PM 100352]
S3 ONDAusbnmea;ONDA NMEA Port;c:\windows\system32\drivers\ONDAusbnmea.sys [11/10/2009 3:27 PM 100352]
S3 ONDAusbser6k;ONDA Diagnostic Port;c:\windows\system32\drivers\ONDAusbser6k.sys [11/10/2009 3:27 PM 100352]
S3 TmProxy;OfficeScan NT Proxy Service;c:\program files\Trend Micro\OfficeScan Client\TmProxy.exe [7/15/2009 6:37 PM 689416]
S3 urvpndrv;F5 Networks VPN Adapter;c:\windows\system32\DRIVERS\covpndrv.sys --> c:\windows\system32\DRIVERS\covpndrv.sys [?]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2013-06-04 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2013-04-02 23:21]
.
2013-06-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]
.
2013-06-04 c:\windows\Tasks\PMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2006-11-17 17:41]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local;<local>
uInternet Settings,ProxyServer = 10.7.192.2:8080
IE: Download all with Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm
IE: Download video with Free Download Manager - file://c:\program files\Free Download Manager\dlfvideo.htm
IE: Download with Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
Trusted Zone: google.com\www
Trusted Zone: olf.com\h2o
Trusted Zone: olf.com\oebdsn1
Trusted Zone: olf.com\oebpas1
Trusted Zone: olf.com\olfandex1.andover
Trusted Zone: olf.com\tenrox
Trusted Zone: olf.com\h2o
Trusted Zone: olf.com\tenrox
TCP: DhcpNameServer = 192.168.1.1 68.237.161.12
DPF: {26B2A5DA-BFD6-422F-A89A-28A54C74B12B} - hxxp://www.costcophotocenter.com/upload/activex/v3_0_0_4/PhotoCenter_ActiveX_Control.cab
DPF: {D1610EA9-8DC7-4B2A-80DC-255032022E96} - hxxp://cp-txprod.olf.com/PTWeb/DTFileUploadCtrl.cab
FF - ProfilePath - c:\documents and settings\pvidulic\Application Data\Mozilla\Firefox\Profiles\1nc1d3r.default\
FF - prefs.js: network.proxy.type - 2
FF - ExtSQL: 2013-05-30 20:56; {B7245FCB-27B3-4CFC-BAC0-50BCD09BE131}; c:\documents and settings\pvidulic\Application Data\Mozilla\Firefox\Profiles\1nc1d3r.default\extensions\{B7245FCB-27B3-4CFC-BAC0-50BCD09BE131}
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{878B8524-AED5-4870-9A96-A515440DAC75} - (no file)
AddRemove-sl-adk - c:\program files\OApps\sl-adk_uninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-06-03 23:11
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_202_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_202_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1420)
c:\windows\system32\Ati2evxx.dll
c:\program files\ThinkVantage Fingerprint Software\psqlpwd.dll
c:\program files\ThinkVantage Fingerprint Software\homefus2.dll
c:\program files\ThinkVantage Fingerprint Software\infql2.dll
c:\program files\ThinkVantage Fingerprint Software\homepass.dll
c:\program files\ThinkVantage Fingerprint Software\bio.dll
c:\program files\ThinkVantage Fingerprint Software\qlbase.dll
c:\program files\Lenovo\AwayTask\AwayNotify.dll
.
- - - - - - - > 'lsass.exe'(1476)
c:\program files\ThinkVantage Fingerprint Software\psqlpwd.dll
c:\program files\ThinkVantage Fingerprint Software\homefus2.dll
c:\program files\ThinkVantage Fingerprint Software\infql2.dll
.
Completion time: 2013-06-03 23:14:30
ComboFix-quarantined-files.txt 2013-06-04 03:14
.
Pre-Run: 3,085,787,136 bytes free
Post-Run: 3,069,640,704 bytes free
.
- - End Of File - - 3889829A29A02010A71A7A257DCD3CF6
 
Fiery

Fiery

Level 1
Jan 11, 2011
2,007
Sorry for the delay, I have been really busy.

Does the redirect/ pop up happen in every browser or just one?

Please download Junkware Removal Tool to your desktop from here
  • Turn off your antivirus software now to avoid potential conflicts
  • Double-click to run the tool. For Windows Vista or 7 users, right-click the file and select Run as Administrator
  • The tool will open and start scanning your system
  • Please be patient as this can take a while to complete depending on your system's specifications
  • On completion, a log (JRT.txt) will be saved to your desktop and will automatically open
  • Post the contents of JRT.txt into your next reply
 
D

donnamv

New Member
Thread author
Aug 16, 2012
49
The pop up happen the most when I use Mozilla. A few with Chrome and so no with Internet Explorer.
Here is the log:


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 4.9.4 (05.06.2013:1)
OS: Microsoft Windows XP x86
Ran by pvidulic on Wed 06/05/2013 at 7:23:00.47
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values



~~~ Registry Keys



~~~ Files



~~~ Folders





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Wed 06/05/2013 at 7:28:11.71
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
Fiery

Fiery

Level 1
Jan 11, 2011
2,007
Hi,

Open OTL. Under custom scan/fixes, copy and paste the following:

:OTL
CHR - Extension: Select-Links = C:\Documents and Settings\pvidulic\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\bpgmklnlnckkfjnfajpjenmeiagokmbe\4.3_0\
[2013/05/30 20:56:24 | 000,000,000 | ---D | M] (SelectionLinks) -- C:\Documents and Settings\pvidulic\Application Data\Mozilla\Firefox\Profiles\1nc1d3r.default\extensions\{B7245FCB-27B3-4CFC-BAC0-50BCD09BE131}
FF - prefs.js..extensions.enabledAddons: %7BB7245FCB-27B3-4CFC-BAC0-50BCD09BE131%7D:1.5

:Commands
[EMPTYTEMP]
Click to expand...

Then click Run Fix. Let your PC reboot to normal mode. A new log will be created automatically, post the content in the next reply.
 
D

donnamv

New Member
Thread author
Aug 16, 2012
49
I tried to run the fix but the computer was frozen overnight....so I had to restart it....No log came up....
 
Fiery

Fiery

Level 1
Jan 11, 2011
2,007
can you try the fix again in safe mode?

Start your computer in Safe Mode with Networking.

  • Remove all floppy disks, CDs, and DVDs from your computer, and then <>restart your computer</>.</li>
    [*]<>Tap the "F8 key" continuously</> until you get the Advanced Boot Options screen.</li>
    [*]On the Advanced Boot Options screen, use the arrow keys to <>highlight Safe Mode with Networking</> , and then <>press ENTER</>.

<br>
<img title="Safe Mode with Networking screen" src="http://malwaretips.com/images/removalguide/safemode.jpg" alt="[Image: Safemode.jpg]" width="539" height="292" border="0" /></li>
</ol>
 
Last edited by a moderator:
D

donnamv

New Member
Thread author
Aug 16, 2012
49
ok that worked

All processes killed
========== OTL ==========
File C:\Documents and Settings\pvidulic\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\bpgmklnlnckkfjnfajpjenmeiagokmbe\4.3_0 not found.
C:\Documents and Settings\pvidulic\Application Data\Mozilla\Firefox\Profiles\1nc1d3r.default\extensions\{B7245FCB-27B3-4CFC-BAC0-50BCD09BE131}\skin folder moved successfully.
C:\Documents and Settings\pvidulic\Application Data\Mozilla\Firefox\Profiles\1nc1d3r.default\extensions\{B7245FCB-27B3-4CFC-BAC0-50BCD09BE131}\locale\en-US folder moved successfully.
C:\Documents and Settings\pvidulic\Application Data\Mozilla\Firefox\Profiles\1nc1d3r.default\extensions\{B7245FCB-27B3-4CFC-BAC0-50BCD09BE131}\locale folder moved successfully.
C:\Documents and Settings\pvidulic\Application Data\Mozilla\Firefox\Profiles\1nc1d3r.default\extensions\{B7245FCB-27B3-4CFC-BAC0-50BCD09BE131}\defaults\preferences folder moved successfully.
C:\Documents and Settings\pvidulic\Application Data\Mozilla\Firefox\Profiles\1nc1d3r.default\extensions\{B7245FCB-27B3-4CFC-BAC0-50BCD09BE131}\defaults folder moved successfully.
C:\Documents and Settings\pvidulic\Application Data\Mozilla\Firefox\Profiles\1nc1d3r.default\extensions\{B7245FCB-27B3-4CFC-BAC0-50BCD09BE131}\content folder moved successfully.
C:\Documents and Settings\pvidulic\Application Data\Mozilla\Firefox\Profiles\1nc1d3r.default\extensions\{B7245FCB-27B3-4CFC-BAC0-50BCD09BE131} folder moved successfully.
Prefs.js: %7BB7245FCB-27B3-4CFC-BAC0-50BCD09BE131%7D:1.5 removed from extensions.enabledAddons
File PTYTEMP] not found.

OTL by OldTimer - Version 3.2.69.0 log created on 06062013_223012

Files\Folders moved on Reboot...

PendingFileRenameOperations files...

Registry entries deleted on Reboot...
 
D

donnamv

New Member
Thread author
Aug 16, 2012
49
Pop up still happen with Mozilla, but not as many. This is one of them:
http://ad.xtendmedia.com/rw?title=&qs=iframe3%3F32fKD66%2EPQBnW0ABAAAAACHETQAAAAAAAgAAAAAAAAAAAP8AAAACFXIRZQAAAAAAyVlkAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADfLhcAAAAAAAICAgAAgD8AAAAAAAAAAACamTlhQGXkPwAAAAAAAAAAAABAioir7z8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB3p803rln%2EDd1mORIGLOd4J6VLi22USl9yZp5xAAAAAA%3D%3D%2C%2Chttp%253A%252F%252Fmalwaretips%2Ecom%252Fuser%2Ddonnamv%2CB%253D10%2526I%253D1100%2D1120%2526S%253D1%5Ffirefox%2526Z%253D0x0%2526%5Fsalt%253D2188512104%2526e%253D778373%2526r%253D1%2526y%253D28%2C6ab92ce0%2Dd231%2D11e2%2D9817%2D10604ba6e0bc%2C1370912046028
 

Similar threads

Brownie2019
    • Like
On Sale! AVG Ultimate 1PC,1Yr, $ 10,92
Replies
0
Views
204
Discounts and Deals
Brownie2019
Brownie2019
Brownie2019
On Sale! AVG Internet Security 2024 [10-D, 1-YR] 12.00 €
Replies
0
Views
137
Discounts and Deals
Brownie2019
Brownie2019
Brownie2019
    • Like
On Sale! AVG Internet Security 1Dev./ 1Yr. / $ 6.40
Replies
1
Views
336
Discounts and Deals
Dave Russo
Dave Russo

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top