Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Weird "Survey" virus is taking over my computer - please help&

Started by Talwyn , Mar 27 2013 04:08 PM

  • This topic is locked This topic is locked

#16
Talwyn
Posted 28 March 2013 - 10:16 AM

Talwyn

    Member

  • Topic Starter
  • Member
  • PipPip
  • 24 posts
Text attached. There was also an OTL folder made, with "moved files". Should I just delete it?

OTL logfile created on: 28.03.2013 17:04:53 - Run 2
OTL by OldTimer - Version 3.2.69.0 Folder = E:\
64bit- Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000814 | Country: Norge | Language: NON | Date Format: dd.MM.yyyy

7,48 Gb Total Physical Memory | 6,36 Gb Available Physical Memory | 85,06% Memory free
14,95 Gb Paging File | 13,74 Gb Available in Paging File | 91,87% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 447,66 Gb Total Space | 388,67 Gb Free Space | 86,82% Space Free | Partition Type: NTFS
Drive E: | 14,72 Gb Total Space | 14,41 Gb Free Space | 97,92% Space Free | Partition Type: NTFS

Computer Name: markus-PC | User Name: markus | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan | Include 64bit Scans
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2013.03.28 16:07:04 | 000,602,112 | ---- | M] (OldTimer Tools) -- E:\OTL.exe
PRC - [2012.03.23 10:33:48 | 000,419,408 | ---- | M] (Dritek System Inc.) -- C:\Program Files (x86)\Launch Manager\LMutilps32.exe
PRC - [2012.03.23 10:33:46 | 000,355,920 | ---- | M] (Dritek System Inc.) -- C:\Program Files (x86)\Launch Manager\dsiwmis.exe
PRC - [2012.03.23 10:33:46 | 000,343,632 | ---- | M] (Dritek System Inc.) -- C:\Program Files (x86)\Launch Manager\LMworker.exe
PRC - [2012.03.23 10:33:44 | 001,105,488 | ---- | M] (Dritek System Inc.) -- C:\Program Files (x86)\Launch Manager\LManager.exe
PRC - [2012.02.29 14:49:06 | 000,028,264 | ---- | M] (Acer Incorporated) -- C:\Program Files (x86)\Packard Bell\Registration\GREGsvc.exe
PRC - [2012.02.07 01:54:04 | 000,255,376 | ---- | M] (Acer Incorporated) -- C:\Program Files\Packard Bell\Packard Bell Updater\UpdaterService.exe
PRC - [2011.06.06 20:55:28 | 000,064,952 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
PRC - [2011.03.29 23:33:08 | 000,598,312 | ---- | M] (Nero AG) -- C:\Program Files (x86)\Nero\Update\NASvc.exe
PRC - [2010.09.30 11:06:46 | 000,169,408 | ---- | M] (Adobe Systems Incorporated) -- c:\Program Files (x86)\Adobe\Elements 9 Organizer\PhotoshopElementsFileAgent.exe


========== Modules (No Company Name) ==========


========== Services (SafeList) ==========

SRV:64bit: - [2012.02.29 07:41:26 | 000,235,520 | ---- | M] (AMD) [Auto | Running] -- C:\Windows\SysNative\atiesrxx.exe -- (AMD External Events Utility)
SRV:64bit: - [2012.02.08 01:53:48 | 000,871,296 | ---- | M] (Acer Incorporated) [Auto | Running] -- C:\Program Files\Packard Bell\Packard Bell Power Management\ePowerSvc.exe -- (ePowerSvc)
SRV:64bit: - [2012.02.07 01:54:04 | 000,255,376 | ---- | M] (Acer Incorporated) [Auto | Running] -- C:\Program Files\Packard Bell\Packard Bell Updater\UpdaterService.exe -- (Live Updater Service)
SRV:64bit: - [2010.09.23 02:10:10 | 000,057,184 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Program Files\Windows Live\Mesh\wlcrasvc.exe -- (wlcrasvc)
SRV:64bit: - [2009.07.14 02:41:27 | 001,011,712 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\mpsvc.dll -- (WinDefend)
SRV - [2012.04.05 06:34:27 | 000,253,600 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2012.03.23 10:33:46 | 000,355,920 | ---- | M] (Dritek System Inc.) [Auto | Running] -- C:\Program Files (x86)\Launch Manager\dsiwmis.exe -- (DsiWMIService)
SRV - [2012.02.29 14:49:06 | 000,028,264 | ---- | M] (Acer Incorporated) [Auto | Running] -- C:\Program Files (x86)\Packard Bell\Registration\GREGsvc.exe -- (GREGService)
SRV - [2011.06.06 20:55:28 | 000,064,952 | ---- | M] (Adobe Systems Incorporated) [Auto | Running] -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)
SRV - [2011.03.29 23:33:08 | 000,598,312 | ---- | M] (Nero AG) [Auto | Running] -- C:\Program Files (x86)\Nero\Update\NASvc.exe -- (NAUpdate)
SRV - [2010.10.12 18:59:12 | 000,206,072 | ---- | M] (WildTangent, Inc.) [On_Demand | Stopped] -- C:\Program Files (x86)\WildTangent Games\App\GamesAppService.exe -- (GamesAppService)
SRV - [2010.09.30 11:06:46 | 000,169,408 | ---- | M] (Adobe Systems Incorporated) [Auto | Running] -- c:\Program Files (x86)\Adobe\Elements 9 Organizer\PhotoshopElementsFileAgent.exe -- (AdobeActiveFileMonitor9.0)
SRV - [2010.03.18 21:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2009.06.10 22:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)


========== Driver Services (SafeList) ==========

DRV:64bit: - [2012.03.29 09:26:12 | 000,342,632 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\RtsPStor.sys -- (RSPCIESTOR)
DRV:64bit: - [2012.03.19 12:29:16 | 000,244,560 | ---- | M] (ELAN Microelectronics Corp.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\ETD.sys -- (ETD)
DRV:64bit: - [2012.03.01 07:46:16 | 000,023,408 | ---- | M] (Microsoft Corporation) [Recognizer | Boot | Unknown] -- C:\Windows\SysNative\drivers\fs_rec.sys -- (Fs_Rec)
DRV:64bit: - [2012.02.29 08:01:58 | 010,819,584 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\atikmdag.sys -- (amdkmdag)
DRV:64bit: - [2012.02.29 06:41:08 | 000,328,192 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\atikmpag.sys -- (amdkmdap)
DRV:64bit: - [2012.02.01 05:54:56 | 000,031,872 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdkmpfd.sys -- (amdkmpfd)
DRV:64bit: - [2012.01.16 08:49:16 | 000,103,536 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\L1C62x64.sys -- (L1C)
DRV:64bit: - [2012.01.13 09:05:56 | 000,056,448 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\usbfilter.sys -- (usbfilter)
DRV:64bit: - [2012.01.11 05:38:28 | 002,801,664 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\athrx.sys -- (athr)
DRV:64bit: - [2011.12.05 08:47:30 | 000,095,248 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\AtihdW76.sys -- (AtiHDAudioService)
DRV:64bit: - [2011.10.25 16:16:46 | 000,219,776 | ---- | M] (Advanced Micro Devices, INC.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\amdxhc.sys -- (amdxhc)
DRV:64bit: - [2011.10.25 16:16:46 | 000,102,528 | ---- | M] (Advanced Micro Devices, INC.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\amdhub30.sys -- (amdhub30)
DRV:64bit: - [2011.07.14 06:35:47 | 000,107,904 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata)
DRV:64bit: - [2011.07.14 06:35:47 | 000,027,008 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata)
DRV:64bit: - [2010.11.21 04:24:33 | 000,059,392 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV:64bit: - [2010.11.21 04:23:47 | 000,078,720 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD)
DRV:64bit: - [2010.11.21 04:23:47 | 000,031,232 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbGD.sys -- (TsUsbGD)
DRV:64bit: - [2010.03.19 11:00:00 | 000,055,856 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\PxHlpa64.sys -- (PxHlpa64)
DRV:64bit: - [2009.07.14 02:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs)
DRV:64bit: - [2009.07.14 02:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2)
DRV:64bit: - [2009.07.14 02:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor)
DRV:64bit: - [2009.06.10 21:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv)
DRV:64bit: - [2009.06.10 21:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv)
DRV:64bit: - [2009.06.10 21:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a)
DRV:64bit: - [2009.06.10 21:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir)
DRV - [2009.07.14 02:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\wimmount.sys -- (WIMMount)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://packardbell.msn.com
IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://packardbell.msn.com
IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...rc=IE-SearchBox
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://packardbell.msn.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page =
IE - HKLM\..\SearchScopes,DefaultScope = {EEE6C360-6118-11DC-9C72-001320C79847}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...rc=IE-SearchBox


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-1156463656-3009297498-3070344828-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://packardbell.msn.com
IE - HKU\S-1-5-21-1156463656-3009297498-3070344828-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page =
IE - HKU\S-1-5-21-1156463656-3009297498-3070344828-1000\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKU\S-1-5-21-1156463656-3009297498-3070344828-1000\..\SearchScopes\{32DBC436-4EA6-423A-BBFC-7617019C654B}: "URL" = http://websearch.ask...D4-15F5269B1ACF
IE - HKU\S-1-5-21-1156463656-3009297498-3070344828-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


========== FireFox ==========

FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.10.2: C:\Windows\SysWOW64\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.10.2: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files (x86)\Microsoft Silverlight\5.1.10411.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3502.0922: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3538.0513: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@pandonetworks.com/PandoWebPlugin: C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll File not found
FF - HKLM\Software\MozillaPlugins\@WildTangent.com/GamesAppPresenceDetector,Version=1.0: C:\Program Files (x86)\WildTangent Games\App\BrowserIntegration\Registered\0\NP_wtapp.dll ()
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)



O1 HOSTS File: ([2013.03.28 16:59:51 | 000,000,098 | ---- | M]) - C:\Windows\SysNative\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2:64bit: - BHO: (SteadyVideoBHO Class) - {6C680BAE-655C-4E3D-8FC4-E6A520C3D928} - C:\Program Files\AMD\SteadyVideo\SteadyVideo.dll (Advanced Micro Devices)
O2 - BHO: (SteadyVideoBHO Class) - {6C680BAE-655C-4E3D-8FC4-E6A520C3D928} - C:\Program Files (x86)\amd\SteadyVideo\SteadyVideo.dll (Advanced Micro Devices)
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll (Oracle Corporation)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
O4:64bit: - HKLM..\Run: [AdobeAAMUpdater-1.0] C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe (Adobe Systems Incorporated)
O4:64bit: - HKLM..\Run: [ETDCtrl] C:\Program Files\Elantech\ETDCtrl.exe (ELAN Microelectronics Corp.)
O4:64bit: - HKLM..\Run: [Power Management] C:\Program Files\Packard Bell\Packard Bell Power Management\ePowerTray.exe (Acer Incorporated)
O4:64bit: - HKLM..\Run: [RTHDVCPL] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe (Realtek Semiconductor)
O4 - HKLM..\Run: [LManager] C:\Program Files (x86)\Launch Manager\LManager.exe (Dritek System Inc.)
O4 - HKLM..\Run: [StartCCC] C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
O4 - HKU\S-1-5-19..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - HKU\S-1-5-20..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - HKU\S-1-5-21-1156463656-3009297498-3070344828-1000..\Run: [Cyberlink] C:\Users\markus\AppData\Roaming\Cyberlink.exe File not found
O4 - HKU\S-1-5-21-1156463656-3009297498-3070344828-1000..\Run: [HDAudio32.exe] C:\ProgramData\HotplugDevices\HDAudio32.exe File not found
O4 - HKU\S-1-5-19..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe File not found
O4 - HKU\S-1-5-20..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe File not found
O4 - Startup: C:\Users\markus\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\USBplug32.exe ()
F3:64bit: - HKU\S-1-5-21-1156463656-3009297498-3070344828-1000 WinNT: Load - (c:\users\markus\dxlainz.exe) - c:\users\markus\dxlainz.exe ()
F3 - HKU\S-1-5-21-1156463656-3009297498-3070344828-1000 WinNT: Load - (c:\users\markus\dxlainz.exe) - c:\users\markus\dxlainz.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1 [2013.03.28 16:53:11 | 000,000,000 | ---D | M]
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1 [2013.03.28 16:53:11 | 000,000,000 | ---D | M]
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableInstallerDetection = 1 [2013.03.28 16:53:11 | 000,000,000 | ---D | M]
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 1 [2013.03.28 16:53:11 | 000,000,000 | ---D | M]
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableSecureUIAPaths = 1 [2013.03.28 16:53:11 | 000,000,000 | ---D | M]
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableVirtualization = 1 [2013.03.28 16:53:11 | 000,000,000 | ---D | M]
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 1 [2013.03.28 16:53:11 | 000,000,000 | ---D | M]
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1 [2013.03.28 16:53:11 | 000,000,000 | ---D | M]
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1 [2013.03.28 16:53:11 | 000,000,000 | ---D | M]
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLinkedConnections = 1 [2013.03.28 16:53:11 | 000,000,000 | ---D | M]
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_TEXT = 1 [2013.03.28 16:53:11 | 000,000,000 | ---D | M]
O1364bit: - gopher Prefix: missing
O13 - gopher Prefix: missing
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 62.50.161.166
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{64FAB173-31CA-4434-8C04-A6A1B1257C64}: DhcpNameServer = 130.67.15.198 193.213.112.4 10.0.0.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{72A7D04B-6260-4997-A9DF-A886815ABEE8}: DhcpNameServer = 62.50.161.166
O18:64bit: - Protocol\Handler\livecall - No CLSID value found
O18:64bit: - Protocol\Handler\msnim - No CLSID value found
O18:64bit: - Protocol\Handler\wlmailhtml - No CLSID value found
O18:64bit: - Protocol\Handler\wlpg - No CLSID value found
O18:64bit: - Protocol\Filter\video/mp4 {20C75730-7C25-476B-95DC-C65810F9E489} - C:\Program Files\AMD\SteadyVideo\VideoMIMEFilter.dll (Advanced Micro Devices)
O18:64bit: - Protocol\Filter\video/x-flv {20C75730-7C25-476B-95DC-C65810F9E489} - C:\Program Files\AMD\SteadyVideo\VideoMIMEFilter.dll (Advanced Micro Devices)
O18 - Protocol\Filter\video/mp4 {20C75730-7C25-476B-95DC-C65810F9E489} - C:\Program Files (x86)\amd\SteadyVideo\VideoMIMEFilter.dll (Advanced Micro Devices)
O18 - Protocol\Filter\video/x-flv {20C75730-7C25-476B-95DC-C65810F9E489} - C:\Program Files (x86)\amd\SteadyVideo\VideoMIMEFilter.dll (Advanced Micro Devices)
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (userinit.exe) - C:\Windows\SysWow64\userinit.exe (Microsoft Corporation)
O20 - HKU\S-1-5-21-1156463656-3009297498-3070344828-1000 Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O32 - HKLM CDRom: AutoRun - 1
O34 - HKLM BootExecute: (autocheck autochk *)
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)

========== Files/Folders - Created Within 30 Days ==========

[2013.03.29 00:31:21 | 000,000,000 | ---D | C] -- C:\Windows\Microsoft Antimalware
[2013.03.28 16:05:11 | 000,000,000 | ---D | C] -- C:\Users\markus\AppData\Local\{D8D84171-91A6-4F66-9049-B8CA93D02EE1}
[2013.03.04 19:12:24 | 000,000,000 | ---D | C] -- C:\Users\markus\Low_00FEC012

========== Files - Modified Within 30 Days ==========

[2013.03.28 17:02:23 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2013.03.28 17:02:21 | 1727,029,247 | -HS- | M] () -- C:\hiberfil.sys
[2013.03.28 16:59:51 | 000,000,098 | ---- | M] () -- C:\Windows\SysNative\drivers\etc\Hosts
[2013.03.28 16:16:07 | 000,000,830 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
[2013.03.28 16:13:54 | 003,311,168 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2013.03.28 16:13:54 | 000,653,540 | ---- | M] () -- C:\Windows\SysNative\perfh01D.dat
[2013.03.28 16:13:54 | 000,652,148 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2013.03.28 16:13:54 | 000,499,098 | ---- | M] () -- C:\Windows\SysNative\perfh006.dat
[2013.03.28 16:13:54 | 000,492,532 | ---- | M] () -- C:\Windows\SysNative\perfh014.dat
[2013.03.28 16:13:54 | 000,471,238 | ---- | M] () -- C:\Windows\SysNative\perfh00B.dat
[2013.03.28 16:13:54 | 000,141,360 | ---- | M] () -- C:\Windows\SysNative\perfc01D.dat
[2013.03.28 16:13:54 | 000,121,080 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2013.03.28 16:13:54 | 000,100,018 | ---- | M] () -- C:\Windows\SysNative\perfc00B.dat
[2013.03.28 16:13:54 | 000,097,358 | ---- | M] () -- C:\Windows\SysNative\perfc006.dat
[2013.03.28 16:13:54 | 000,094,290 | ---- | M] () -- C:\Windows\SysNative\perfc014.dat
[2013.03.28 16:11:00 | 000,016,752 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2013.03.28 16:11:00 | 000,016,752 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2013.03.28 16:09:49 | 000,000,000 | -H-- | M] () -- C:\Windows\SysNative\drivers\Msft_User_WpdFs_01_09_00.Wdf

========== Files Created - No Company Name ==========

[2013.03.28 16:49:54 | 000,001,272 | ---- | C] () -- C:\Users\markus\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
[2013.03.28 16:09:49 | 000,000,000 | -H-- | C] () -- C:\Windows\SysNative\drivers\Msft_User_WpdFs_01_09_00.Wdf
[2013.02.16 23:21:53 | 000,001,611 | ---- | C] () -- C:\Users\markus\AppData\Roaming\log
[2013.02.02 21:06:55 | 003,241,788 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI
[2013.02.01 21:09:20 | 000,138,240 | ---- | C] () -- C:\Users\markus\OHK Zombie_Hack.dll
[2013.02.01 19:08:18 | 000,000,112 | ---- | C] () -- C:\Users\markus\LanhDiaGame.Com.url
[2013.02.01 19:08:17 | 000,019,968 | ---- | C] () -- C:\Users\markus\G-Force.dll
[2012.05.27 02:40:55 | 000,000,000 | ---- | C] () -- C:\Windows\ativpsrm.bin
[2012.04.05 05:55:30 | 000,204,960 | ---- | C] () -- C:\Windows\SysWow64\ativvsvl.dat
[2012.04.05 05:55:30 | 000,157,152 | ---- | C] () -- C:\Windows\SysWow64\ativvsva.dat
[2012.04.05 05:55:29 | 000,003,917 | ---- | C] () -- C:\Windows\SysWow64\atipblag.dat
[2012.02.29 21:57:48 | 000,054,784 | ---- | C] () -- C:\Windows\SysWow64\OVDecode.dll
[2011.12.14 05:44:10 | 000,023,040 | ---- | C] () -- C:\Windows\SysWow64\kdbsdk32.dll
[2010.11.21 04:24:28 | 000,133,632 | -HS- | C] () -- C:\Users\markus\dxlainz.exe
[2010.11.21 04:24:28 | 000,118,407 | -HS- | C] () -- C:\Users\markus\dxjcrmg.exe
[2010.11.21 04:24:28 | 000,107,731 | -HS- | C] () -- C:\Users\markus\dxscarc.exe
[2010.11.21 04:24:28 | 000,107,731 | -HS- | C] () -- C:\Users\markus\dxlfuy.exe
[2010.11.21 04:24:28 | 000,095,426 | -HS- | C] () -- C:\Users\markus\dxmvlz.exe
[2010.11.21 04:24:28 | 000,076,240 | -HS- | C] () -- C:\Users\markus\dxjerzoe.exe
[2010.11.21 04:24:28 | 000,041,996 | -HS- | C] () -- C:\Users\markus\dxnywiwwe.exe

========== ZeroAccess Check ==========

[2009.07.14 05:55:00 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64

[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] /64

[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64
"" = C:\Windows\SysNative\shell32.dll -- [2012.06.09 06:43:10 | 014,172,672 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2012.06.09 05:41:00 | 012,873,728 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\fastprox.dll -- [2009.07.14 02:40:51 | 000,909,312 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2010.11.21 04:24:25 | 000,606,208 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\wbemess.dll -- [2009.07.14 02:41:56 | 000,505,856 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]

========== LOP Check ==========

[2013.02.10 10:52:05 | 000,000,000 | ---D | M] -- C:\Users\markus\AppData\Roaming\.minecraft
[2013.02.14 15:46:27 | 000,000,000 | -H-D | M] -- C:\Users\markus\AppData\Roaming\02C00000
[2013.03.05 18:48:06 | 000,000,000 | -H-D | M] -- C:\Users\markus\AppData\Roaming\02C40000
[2013.02.19 13:09:16 | 000,000,000 | -H-D | M] -- C:\Users\markus\AppData\Roaming\02C80000
[2013.02.21 22:10:23 | 000,000,000 | -H-D | M] -- C:\Users\markus\AppData\Roaming\02CC0000
[2013.02.19 10:58:24 | 000,000,000 | -H-D | M] -- C:\Users\markus\AppData\Roaming\02CE0000
[2013.03.05 18:34:26 | 000,000,000 | -H-D | M] -- C:\Users\markus\AppData\Roaming\02D00000
[2013.02.21 01:07:56 | 000,000,000 | -H-D | M] -- C:\Users\markus\AppData\Roaming\02D20000
[2005.04.08 03:16:43 | 000,000,000 | -H-D | M] -- C:\Users\markus\AppData\Roaming\02D40000
[2013.03.28 16:10:03 | 000,000,000 | -H-D | M] -- C:\Users\markus\AppData\Roaming\02D60000
[2005.04.08 03:16:43 | 000,000,000 | -H-D | M] -- C:\Users\markus\AppData\Roaming\02D80000
[2005.04.08 03:16:43 | 000,000,000 | -H-D | M] -- C:\Users\markus\AppData\Roaming\02DA0000
[2013.03.01 23:11:43 | 000,000,000 | -H-D | M] -- C:\Users\markus\AppData\Roaming\02DC0000
[2013.02.01 19:18:50 | 000,000,000 | ---D | M] -- C:\Users\markus\AppData\Roaming\Awlud
[2013.02.19 15:29:11 | 000,000,000 | ---D | M] -- C:\Users\markus\AppData\Roaming\Ewon
[2013.02.05 20:59:06 | 000,000,000 | -HSD | M] -- C:\Users\markus\AppData\Roaming\msnmsgr
[2013.02.03 10:10:16 | 000,000,000 | ---D | M] -- C:\Users\markus\AppData\Roaming\NCdownloader
[2012.12.24 20:40:26 | 000,000,000 | ---D | M] -- C:\Users\markus\AppData\Roaming\Screensaver
[2013.01.25 20:32:47 | 000,000,000 | ---D | M] -- C:\Users\markus\AppData\Roaming\SNS
[2013.02.07 08:34:25 | 000,000,000 | ---D | M] -- C:\Users\markus\AppData\Roaming\{35284C7A-C299-4857-9F87-3661D42DB09E}
[2013.02.15 20:57:02 | 000,000,000 | ---D | M] -- C:\Users\markus\AppData\Roaming\{5631CAF2-C1BD-460D-BDF8-19D649F8B344}
[2013.02.06 07:26:20 | 000,000,000 | ---D | M] -- C:\Users\markus\AppData\Roaming\{73B5A423-8510-4CB0-99D1-E8EFDB0A1A7C}
[2013.02.18 14:54:31 | 000,000,000 | ---D | M] -- C:\Users\markus\AppData\Roaming\{843E8A47-CB93-4EB0-9FEC-093EC7233224}
[2013.02.17 11:04:16 | 000,000,000 | ---D | M] -- C:\Users\markus\AppData\Roaming\{AA495104-61E6-4046-A353-D6077AFBA1C6}
[2013.02.22 10:13:07 | 000,000,000 | ---D | M] -- C:\Users\markus\AppData\Roaming\{F11B7CE4-FB80-4FF3-9E06-FD4D6304569A}
[2013.02.02 17:39:25 | 000,000,000 | ---D | M] -- C:\Users\markus\AppData\Roaming\{F908EDE2-33C8-498C-9489-AB3F788021A2}

========== Purity Check ==========



< End of report >

Attached Files

  • Attached File  OTL.Txt   58.15KB   119 downloads

  • 0

Advertisements

#17
Essexboy
Posted 28 March 2013 - 12:09 PM

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Still some rubbish there so I will now use a stronger tool, how is the computer at the moment ?

I will remove all the tools and quarantine folders when we are happy

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow to update if it asks

    Posted Image

    Posted Image
  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.


Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now
  • 0

#18
Talwyn
Posted 28 March 2013 - 12:28 PM

Talwyn

    Member

  • Topic Starter
  • Member
  • PipPip
  • 24 posts
The folder that was made with "moved files" on my memory-stick made my antivirus go crazy.. I deleted the files quickly and hopefully THIS computer remain unaffected (The folder called itself _OTL though, and appeared after the search with the OTL program. It had several exe-files in it, amongst others one called "Skype".

Right now I'm almost done with a deep scan with an antivirus, and it has found more, it seems. I'll post again when i know the results and have done the scan with combofix as well.

*sigh*
  • 0

#19
Essexboy
Posted 28 March 2013 - 12:32 PM

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
The OTL moved is the quarantine location for OTL, hence the AV going mad about it

Let me know what your AV finds. This looks like an accident waiting to happen, what AV have you installed ?
  • 0

#20
Talwyn
Posted 28 March 2013 - 12:37 PM

Talwyn

    Member

  • Topic Starter
  • Member
  • PipPip
  • 24 posts
The AV on "my" computer (not the infected one) is just a free Panda Cloud.

The infected computer had Avast before it went crazy, (the virus completely mangled it - couldn't search for viruses, firewall was disabled and counldn't activate, etc, so I didn't trust it anymore and uninstalled it). I've been using "Windows Defender Offline" to do both the quickscan (which found the first viruses that I removed) and now the deepscan (which has seemingly found more, but isn't quite done yet). It's run of the memory-stick before booting windows.

I'm hoping that I've not infected my own computer by transfering files with the memstick though. I won't allow the infected computer on the net.
  • 0

#21
Essexboy
Posted 28 March 2013 - 12:39 PM

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
I would not have thought so as the files were inert in the quarantine folder
  • 0

#22
Talwyn
Posted 28 March 2013 - 12:39 PM

Talwyn

    Member

  • Topic Starter
  • Member
  • PipPip
  • 24 posts
I can probably get Farbar Recovery Tool to run now, though, since I've removed the viruses that prevented it. Is that something you want me to do?
  • 0

#23
Essexboy
Posted 28 March 2013 - 12:40 PM

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
No requirement now as we have access to the system
  • 0

#24
Talwyn
Posted 28 March 2013 - 01:03 PM

Talwyn

    Member

  • Topic Starter
  • Member
  • PipPip
  • 24 posts
Deep scan complete: 6 infections

Trojan:Win32/Orsam!rts
Trojan:Win32/Ceatrg.A
Worm:Win32/Gamarue.P
Worm:Win32/Gamarue.I
TrojanClicker:Win32/Rongvhin.A
Trojan:Win32/Vundo.gen!R

... quite the list. I will run Combofix in a minute.
  • 0

#25
Essexboy
Posted 28 March 2013 - 01:10 PM

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Are they located in the quarantine folder for the MS scan that you did
  • 0

Advertisements

#26
Talwyn
Posted 28 March 2013 - 01:16 PM

Talwyn

    Member

  • Topic Starter
  • Member
  • PipPip
  • 24 posts
Nope. Most were in Appdata/roaming, or something like that. They are deleted now... though Combofix seems to be deleting a whole bunch itself, as well...
  • 0

#27
Talwyn
Posted 28 March 2013 - 01:31 PM

Talwyn

    Member

  • Topic Starter
  • Member
  • PipPip
  • 24 posts
Here you are...

Attached Files


  • 0

#28
Essexboy
Posted 28 March 2013 - 01:38 PM

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Nearly done I think, on completion of this can you let me know how it is behaving

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::
c:\users\markus\dxlainz.exe

Registry::
[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
"Load"=-



Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt which I will require in your next reply.
  • 0

#29
Talwyn
Posted 28 March 2013 - 01:54 PM

Talwyn

    Member

  • Topic Starter
  • Member
  • PipPip
  • 24 posts
So far, so good..

Attached Files


  • 0

#30
Essexboy
Posted 28 March 2013 - 02:05 PM

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
OK lets now sweep for orphans and see if MBAM can kill that last hanger on

Please download Malwarebytes Anti-Malware to your desktop.

  • Right-click and Run as Administrator mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan as shown below.

    Posted Image
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location and post the results.


The log can also be found here:

Windows 2000 & Windows XP:
C:\Documents and Settings\<USERNAME>\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs

Windows Vista & Win7:
C:\Users\<USERNAME>\AppData\Roaming\Malwarebytes\Malwarebytes' Anti-Malware\Logs
----------
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP