
Antivirus security Pro virus combined with something else?


#1 SyneDriuM (Member, 19 posts)

Greetings all,

Today I was working on my laptop running Win XP Pro SP3 32-bit, when suddenly Firefox crashed.
I then got the Antivirus Security Pro screen etc.
Since I had worked around similar stuff in the past, I tried booting in safe mode with networking to get MBAM in and clear the laptop.
The minute safe mode comes on, it gets restarted the same second.
I tried running OTL straight and renamed; it got blocked, so I renamed it to iExplore.exe, ran it and have the output.
The network cards (LAN and wireless) cannot connect anywhere.
I ran Rkill and it doesn't stop the malware's processes. (I have the output log if you want me to post it.)
I found the path of where it starts (C:\Documents and Settings\All Users\Application Data\gXRXDan3); I tried to delete/rename it: access denied.


I paste the OTL log here:

OTL logfile created on: 17/10/2013 17:54:02 - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Documents and Settings\user\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000408 | Country: Greece | Language: ELL | Date Format: d/M/yyyy

502,05 Mb Total Physical Memory | 102,00 Mb Available Physical Memory | 20,32% Memory free
1,20 Gb Paging File | 0,86 Gb Available in Paging File | 71,69% Paging File free
Paging file location(s): C:\pagefile.sys 756 1512 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 30,00 Gb Total Space | 6,37 Gb Free Space | 21,22% Space Free | Partition Type: NTFS
Drive D: | 44,52 Gb Total Space | 44,27 Gb Free Space | 99,44% Space Free | Partition Type: NTFS

Computer Name: LAZAROS | User Name: user | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2013/10/17 17:19:57 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\user\Desktop\iExplore.exe
PRC - [2013/10/17 15:16:43 | 000,531,096 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\gXRXDan3\gXRXDan3.exe
PRC - [2013/07/08 14:09:10 | 004,153,184 | ---- | M] (TeamViewer GmbH) -- C:\Program Files\TeamViewer\Version8\TeamViewer_Service.exe
PRC - [2008/04/14 03:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/05/24 11:13:50 | 000,036,955 | ---- | M] (Check Point Software Technologies) -- C:\Program Files\CheckPoint\SecuRemote\bin\SR_Watchdog.exe
PRC - [2007/05/24 11:13:48 | 000,106,586 | ---- | M] (Check Point Software Technologies) -- C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
PRC - [2005/11/28 18:26:04 | 000,726,720 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Ghost\ngserver.exe
PRC - [2005/11/28 18:26:04 | 000,050,880 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Ghost\bin\dbserv.exe
PRC - [2005/11/28 17:29:34 | 000,073,728 | R--- | M] (iAnywhere Solutions, Inc.) -- C:\Program Files\Symantec\Ghost\bin\rteng9.exe


========== Modules (No Company Name) ==========

MOD - [2013/10/17 15:16:43 | 000,531,096 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\gXRXDan3\gXRXDan3.exe
MOD - [2011/07/19 00:04:08 | 000,296,448 | ---- | M] () -- C:\Program Files\Notepad++\NppShell_04.dll
MOD - [2010/03/15 12:28:22 | 000,141,824 | ---- | M] () -- C:\Program Files\WinRAR\RarExt.dll
MOD - [2007/05/24 11:13:50 | 000,073,808 | ---- | M] () -- C:\Program Files\CheckPoint\SecuRemote\bin\Bind82.dll


========== Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- %SystemRoot%\System32\hidserv.dll -- (HidServ)
SRV - [2013/09/13 19:40:38 | 000,117,656 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
SRV - [2013/07/08 14:09:10 | 004,153,184 | ---- | M] (TeamViewer GmbH) [Auto | Running] -- C:\Program Files\TeamViewer\Version8\TeamViewer_Service.exe -- (TeamViewer8)
SRV - [2013/01/27 12:11:46 | 000,020,456 | ---- | M] () [Disabled | Stopped] -- C:\Program Files\Microsoft Security Client\MsMpEng.exe -- (MsMpSvc)
SRV - [2007/05/24 11:13:50 | 000,036,955 | ---- | M] (Check Point Software Technologies) [Auto | Running] -- C:\Program Files\CheckPoint\SecuRemote\bin\SR_Watchdog.exe -- (SR_Watchdog)
SRV - [2007/05/24 11:13:48 | 000,106,586 | ---- | M] (Check Point Software Technologies) [Auto | Running] -- C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe -- (SR_Service)
SRV - [2005/11/28 18:26:04 | 000,726,720 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec\Ghost\ngserver.exe -- (NGServer)
SRV - [2005/11/28 18:26:04 | 000,050,880 | ---- | M] (Symantec Corporation) [On_Demand | Running] -- C:\Program Files\Symantec\Ghost\bin\dbserv.exe -- (ngdbserv)
SRV - [2001/07/24 18:15:53 | 000,241,664 | ---- | M] () [Auto | Stopped] -- C:\WINDOWS\System32\r_server.exe -- (r_server)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\UIUSYS.SYS -- (UIUSys)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)
DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc)
DRV - File not found [Kernel | System | Stopped] -- -- (i2omgmt)
DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
DRV - [2012/11/18 20:22:46 | 000,242,240 | ---- | M] (DT Soft Ltd) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\dtsoftbus01.sys -- (dtsoftbus01)
DRV - [2010/07/12 15:49:18 | 000,060,104 | ---- | M] (FTDI Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ftdibus.sys -- (FTDIBUS)
DRV - [2010/07/12 15:48:56 | 000,073,032 | ---- | M] (FTDI Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ftser2k.sys -- (FTSER2K)
DRV - [2009/03/25 18:48:00 | 000,114,728 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s1018mdm.sys -- (s1018mdm)
DRV - [2009/03/25 18:48:00 | 000,109,864 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s1018unic.sys -- (s1018unic)
DRV - [2009/03/25 18:48:00 | 000,106,208 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s1018mgmt.sys -- (s1018mgmt)
DRV - [2009/03/25 18:48:00 | 000,104,744 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s1018obex.sys -- (s1018obex)
DRV - [2009/03/25 18:48:00 | 000,086,824 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s1018bus.sys -- (s1018bus)
DRV - [2009/03/25 18:48:00 | 000,026,024 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s1018nd5.sys -- (s1018nd5)
DRV - [2009/03/25 18:48:00 | 000,015,016 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s1018mdfl.sys -- (s1018mdfl)
DRV - [2008/05/06 16:06:00 | 000,011,520 | ---- | M] (Western Digital Technologies) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wdcsam.sys -- (WDC_SAM)
DRV - [2008/01/09 13:28:34 | 000,027,632 | ---- | M] (Sony Ericsson Mobile Communications) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\seehcri.sys -- (seehcri)
DRV - [2007/05/24 11:13:58 | 000,036,368 | ---- | M] (Check Point Software Technologies) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\omdrv.sys -- (CP_OMDRV)
DRV - [2007/05/24 11:13:54 | 002,234,800 | ---- | M] (Check Point Software Technologies) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\fw.sys -- (FW1)
DRV - [2007/05/24 11:13:52 | 000,110,032 | ---- | M] (Check Point Software Technologies) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\vnasc.sys -- (VNASC)
DRV - [2007/05/24 11:13:50 | 000,673,456 | ---- | M] (Check Point Software Technologies) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\vpn.sys -- (VPN-1)
DRV - [2007/04/05 08:19:20 | 000,546,112 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ar5211.sys -- (AR5211)
DRV - [2006/12/22 12:56:44 | 000,988,800 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DPV.sys -- (HSF_DPV)
DRV - [2006/12/22 12:56:00 | 000,209,664 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWAZL.sys -- (HSFHWAZL)
DRV - [2006/12/22 12:55:56 | 000,730,112 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2006/06/28 17:25:24 | 004,304,384 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.Sys -- (IntcAzAudAddService)
DRV - [2005/10/31 15:17:00 | 000,045,312 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\bcm4sbxp.sys -- (bcm4sbxp)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.c...ferrer:source?}

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.gr/
IE - HKCU\..\SearchScopes,DefaultScope = {1F2C3181-5081-45BD-A817-E1E64E07C6A6}
IE - HKCU\..\SearchScopes\{1F2C3181-5081-45BD-A817-E1E64E07C6A6}: "URL" = http://www.google.co...rchTerms}&meta=
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = kryoneri-proxy:8080

========== FireFox ==========

FF - prefs.js..extensions.enabledAddons: %7B20a82645-c095-46ed-80e3-08825760534b%7D:0.0.0
FF - prefs.js..extensions.enabledAddons: jqs%40sun.com:1.0
FF - prefs.js..extensions.enabledAddons: %7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:23.0.1
FF - prefs.js..network.proxy.backup.ftp: ""
FF - prefs.js..network.proxy.backup.ftp_port: 0
FF - prefs.js..network.proxy.backup.socks: ""
FF - prefs.js..network.proxy.backup.socks_port: 0
FF - prefs.js..network.proxy.backup.ssl: ""
FF - prefs.js..network.proxy.backup.ssl_port: 0
FF - prefs.js..network.proxy.ftp: "kryoneri-proxy"
FF - prefs.js..network.proxy.ftp_port: 8080
FF - prefs.js..network.proxy.http: "kryoneri-proxy"
FF - prefs.js..network.proxy.http_port: 8080
FF - prefs.js..network.proxy.share_proxy_settings: true
FF - prefs.js..network.proxy.socks: "kryoneri-proxy"
FF - prefs.js..network.proxy.socks_port: 8080
FF - prefs.js..network.proxy.ssl: "kryoneri-proxy"
FF - prefs.js..network.proxy.ssl_port: 8080
FF - prefs.js..network.proxy.type: 0
FF - user.js - File not found

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_6_602_180.dll ()
FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\WINDOWS\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 23.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 23.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins

[2011/04/18 10:09:31 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\user\Application Data\Mozilla\Extensions
[2013/10/17 14:50:58 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\6wom68rq.default\extensions
[2013/10/17 14:50:58 | 000,915,554 | ---- | M] () (No name found) -- C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\6wom68rq.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
[2012/11/01 15:33:07 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2013/09/13 19:40:41 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\browser\extensions
[2013/09/13 19:40:41 | 000,000,000 | ---D | M] (Default) -- C:\Program Files\Mozilla Firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2012/01/18 15:41:50 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
[2011/06/23 10:23:08 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V3.5\WINDOWS PRESENTATION FOUNDATION\DOTNETASSISTANTEXTENSION

O1 HOSTS File: ([2006/02/28 15:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\Alcmtr.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [AS2014] C:\Documents and Settings\All Users\Application Data\gXRXDan3\gXRXDan3.exe ()
O4 - HKLM..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [MSC] C:\Program Files\Microsoft Security Client\msseces.exe ()
O4 - HKLM..\Run: [NGServer] C:\Program Files\Symantec\Ghost\ngserver.exe (Symantec Corporation)
O4 - HKCU..\Run: [AS2014] C:\Documents and Settings\All Users\Application Data\gXRXDan3\gXRXDan3.exe ()
O4 - HKCU..\Run: [DAEMON Tools Lite] C:\Program Files\DAEMON Tools Lite\DTLite.exe (DT Soft Ltd)
O4 - HKCU..\Run: [Google Update] Reg Error: Value error. File not found
O4 - HKCU..\Run: [Sony PC Companion] C:\Program Files\Sony\Sony PC Companion\PCCompanion.exe (Sony)
O4 - HKCU..\Run: [uTorrent] C:\Program Files\uTorrent\uTorrent.exe (BitTorrent, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableVirtualization = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macr...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.micros...b?1296954416712 (WUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_30)
O16 - DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_30)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_30)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.m...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.12.11
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{B69BAEF5-0B7E-47CF-BD67-36030DD952B3}: DhcpNameServer = 192.168.12.11
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Documents and Settings\All Users\Application Data\gXRXDan3\gXRXDan3.exe -sm) - C:\Documents and Settings\All Users\Application Data\gXRXDan3\gXRXDan3.exe ()
O20 - Winlogon\Notify\ckpNotify: DllName - (ckpNotify.dll) - C:\WINDOWS\System32\ckpNotify.dll (Check Point Software Technologies)
O24 - Desktop WallPaper: C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2011/02/06 03:11:37 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{9acd42b8-42a9-11e1-8596-54f10f29b807}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{9acd42b8-42a9-11e1-8596-54f10f29b807}\Shell\AutoRun\command - "" = F:\fscommand\LS_Start_Launch.cmd
O33 - MountPoints2\{9acd42b8-42a9-11e1-8596-54f10f29b807}\Shell\Launcher\command - "" = F:\fscommand\LS_Start_Launch.cmd
O33 - MountPoints2\{a9ce218d-f0b6-11e0-855d-00197e1017ad}\Shell - "" = AutoRun
O33 - MountPoints2\{a9ce218d-f0b6-11e0-855d-00197e1017ad}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{a9ce218d-f0b6-11e0-855d-00197e1017ad}\Shell\AutoRun\command - "" = F:\silkcosmos.exe
O33 - MountPoints2\{b42e027f-4740-11e1-8597-54f10f29b807}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{b42e027f-4740-11e1-8597-54f10f29b807}\Shell\AutoRun\command - "" = F:\fscommand\LS_Start_Launch.cmd
O33 - MountPoints2\{b42e027f-4740-11e1-8597-54f10f29b807}\Shell\Launcher\command - "" = F:\fscommand\LS_Start_Launch.cmd
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2013/10/17 16:53:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\user\Desktop\New Folder (4)
[2013/10/17 16:42:33 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\user\Desktop\iExplore.exe
[2013/10/17 15:22:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\user\Start Menu\Programs\Antivirus Security Pro
[2013/10/17 15:16:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\gXRXDan3
[2013/10/17 15:16:30 | 000,000,000 | ---D | C] -- C:\Program Files\Google
[2013/10/17 15:16:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\user\Local Settings\Application Data\Google
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2013/10/17 17:19:57 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\user\Desktop\iExplore.exe
[2013/10/17 17:07:02 | 000,001,978 | ---- | M] () -- C:\Documents and Settings\user\Desktop\Antivirus Security Pro.lnk
[2013/10/17 17:07:02 | 000,000,118 | ---- | M] () -- C:\Documents and Settings\user\Desktop\Antivirus Security Pro support.url
[2013/10/17 17:06:58 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2013/10/17 17:06:15 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2013/10/17 11:00:47 | 000,000,384 | -H-- | M] () -- C:\WINDOWS\tasks\Microsoft Antimalware Scheduled Scan.job
[2013/10/04 12:58:42 | 000,001,764 | -H-- | M] () -- C:\Documents and Settings\user\My Documents\Default.rdp
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2013/10/17 15:22:43 | 000,001,978 | ---- | C] () -- C:\Documents and Settings\user\Desktop\Antivirus Security Pro.lnk
[2013/10/17 15:22:43 | 000,000,118 | ---- | C] () -- C:\Documents and Settings\user\Desktop\Antivirus Security Pro support.url
[2012/10/26 15:00:19 | 000,002,528 | ---- | C] () -- C:\Documents and Settings\user\Application Data\$_hpcst$.hpc
[2012/09/27 04:55:00 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2012/08/09 17:04:55 | 000,000,600 | ---- | C] () -- C:\Documents and Settings\user\Local Settings\Application Data\PUTTY.RND
[2012/02/17 15:40:07 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2012/01/14 16:46:53 | 000,002,516 | ---- | C] () -- C:\WINDOWS\System32\drivers\default.bin
[2012/01/14 16:46:53 | 000,002,516 | ---- | C] () -- C:\WINDOWS\System32\default.bin
[2011/04/15 17:06:28 | 000,011,776 | ---- | C] () -- C:\Documents and Settings\user\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

========== ZeroAccess Check ==========

[2011/06/08 13:39:04 | 000,000,227 | RHS- | M] () -- C:\WINDOWS\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shdocvw.dll -- [2010/11/05 08:05:36 | 001,510,400 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = C:\WINDOWS\system32\wbem\fastprox.dll -- [2009/02/09 15:10:48 | 000,473,600 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = C:\WINDOWS\system32\wbem\wbemess.dll -- [2008/04/14 03:12:08 | 000,273,920 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

========== LOP Check ==========

[2012/05/24 15:29:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AMMYY
[2012/11/18 20:24:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\DAEMON Tools Lite
[2013/10/17 17:04:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\gXRXDan3
[2012/03/10 09:08:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Sony
[2012/11/18 20:24:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\DAEMON Tools Lite
[2012/01/25 14:04:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\Notepad++
[2011/10/26 11:22:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\PriceGong
[2011/06/15 14:49:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\Radmin
[2012/11/18 21:11:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\Sports Interactive
[2011/02/07 20:11:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\TeamViewer
[2013/10/17 16:56:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\uTorrent
[2011/06/08 12:54:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\VanDyke

========== Purity Check ==========



< End of report >


thanks in advance

#2 RKinner (Malware Expert, MVP, 24,625 posts)

Copy the text in the code box by highlighting it and pressing Ctrl + C:


:OTL
O4 - HKLM..\Run: [MSC] C:\Program Files\Microsoft Security Client\msseces.exe ()
O4 - HKCU..\Run: [Google Update] Reg Error: Value error. File not found
O4 - HKCU..\Run: [uTorrent] C:\Program Files\uTorrent\uTorrent.exe (BitTorrent, Inc.)
O4 - HKLM..\Run: [AS2014] C:\Documents and Settings\All Users\Application Data\gXRXDan3\gXRXDan3.exe ()
O20 - HKLM Winlogon: UserInit - (C:\Documents and Settings\All Users\Application Data\gXRXDan3\gXRXDan3.exe -sm) - C:\Documents and Settings\All Users\Application Data\gXRXDan3\gXRXDan3.exe ()
[2013/10/17 15:22:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\user\Start Menu\Programs\Antivirus Security Pro
[2013/10/17 15:16:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\gXRXDan3
[2013/10/17 17:07:02 | 000,001,978 | ---- | M] () -- C:\Documents and Settings\user\Desktop\Antivirus Security Pro.lnk
[2013/10/17 17:07:02 | 000,000,118 | ---- | M] () -- C:\Documents and Settings\user\Desktop\Antivirus Security Pro support.url
[2013/10/17 15:22:43 | 000,001,978 | ---- | C] () -- C:\Documents and Settings\user\Desktop\Antivirus Security Pro.lnk
[2013/10/17 15:22:43 | 000,000,118 | ---- | C] () -- C:\Documents and Settings\user\Desktop\Antivirus Security Pro support.url
[2013/10/17 17:04:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\gXRXDan3
[2013/10/17 16:56:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\uTorrent

:files
C:\Documents and Settings\All Users\Application Data\gXRXDan3
C:\Program Files\Microsoft Security Client
sc config msmpsvc start= auto /c
sc config wuauserv start= auto /c
sc config wscsvc start= auto /c
sc config luafv start= auto /c

:Commands
[EMPTYFLASH]
[EMPTYJAVA]
[purity]
[Reboot]


Then double-click on OTL to start it. Under the Custom Scans/Fixes box at the bottom, paste (Ctrl + V) the text. Verify that you got it all and then click the RUN FIX button (NOT the QUICK SCAN button!) at the top.
Let the program run unhindered; OTL will reboot the PC when it is done. Save the log and copy and paste it into a reply.


Download aswMBR.exe to your desktop.
Double-click aswMBR.exe.
Uncheck "trace disk IO calls".
Click the "Scan" button to start the scan (accept the Avast engine).
On completion of the scan, if the Fix button is enabled (not the FixMBR button), press it, then run a new scan and click Save Log; save it to your desktop and post it in your next reply.
If the Fix button is not enabled, then just click Save Log, save it to your desktop and post it in your next reply.

ComboFix

Important: it must be saved to your desktop; do not run it from your browser.

Important: disable your antivirus software when downloading or running ComboFix. If it has script-blocking features, please disable these as well. See: http://www.bleepingc...opic114351.html


Download and Save this file -- to your Desktop -- from either of these two sources:
http://download.blee...Bs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Double click on ComboFix to start the program.



* Important: have no other programs running. Your Task Bar should be clear of any program entries, including your browser.


* A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix.

Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

A file will be created at => C:\Combofix.txt. I'll need to see that in your reply.


Download TDSSKiller:
http://support.kaspe.../tdsskiller.exe
Save it to your desktop then run it.
Double-click on TDSSKiller.exe to start the program.

If TDSSKiller alerts you that the system needs to reboot, please consent.

Run TDSSKiller again, but this time:
before you hit Scan, hit Change Parameters and check the two items under Additional Options. Click OK, then Scan.
In this mode it is prone to false positives, so do not change the SKIP option to DELETE unless it says TDSS.
When done, a log file should be created on your C: drive named "TDSSKiller.txt"; please copy and paste the contents in your next reply.



Malwarebytes' Anti-Malware
If you have a previous version of Malwarebytes', make sure it updates.
http://www.malwareby...lwarebytes_free

SAVE Malwarebytes' Anti-Malware to your desktop.

* Double-click mbam-setup.exe to start the program.
* follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.

* Be sure that everything is checked, and click Remove Selected.

* When completed, a log will open in Notepad. Please save it to a convenient location.
* The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
* Post that log back here.


Right-click on (My) Computer and select Manage (Continue), then the Event Viewer. Next select Windows Logs. Right-click on System and Clear Log, Clear. Repeat for Application.

Reboot.

1. Please download the Event Viewer Tool by Vino Rosso
http://images.malwar...om/vino/VEW.exe
and save it to your Desktop:
2. Double-click VEW.exe
3. Under 'Select log to query', select:

* System
4. Under 'Select type to list', select:
* Error
* Warning


Then use the 'Number of events' as follows:


1. Click the radio button for 'Number of events'
Type 20 in the 1 to 20 box
Then click the Run button.
Notepad will open with the output log.


Please post the Output log in your next reply then repeat but select Application.


Copy the text in the code box:

DRIVES
nnetsvcs
%SYSTEMDRIVE%\*.exe
%systemroot%\assembly\GAC_32\*.ini
%systemroot%\assembly\GAC_64\*.ini
msconfig
safebootminimal
safebootnetwork
activex
drivers32
%SYSTEMDRIVE%\*.exe
%ALLUSERSPROFILE%\Application Data\*.exe
%APPDATA%\*.
/md5start
pnrpnsp.dll 
nwprovau.dll
nlaapi.dll
napinsp.dll
mswsock.dll
winrnr.dll
wshelper.dll
services.exe
atapi.sys
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
csrss.exe
PrintIsolationHost.exe
consrv.dll
/md5stop
%systemroot%\*. /mp /s
hklm\software\clients\startmenuinternet|command /rs
hklm\software\clients\startmenuinternet|command /64 /rs
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /lockedfiles
CREATERESTOREPOINT

Run OTL

Paste (Ctrl + v) the copied text in the box where it says Custom Scan/Fixes

Select the All option in the Extra Registry group then Run Scan.

You should get two logs. Please copy and paste both of them.
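RKinner's fix above singles out three things in the posted OTL log: a process with no publisher name running from All Users\Application Data, the AS2014 Run entries that point at it, and the Winlogon UserInit value that was changed to launch it with -sm. As an added example, not part of this thread and not an OldTimer tool, the Python below applies those same triage heuristics to OTL-style lines. The sample lines are copied from the log posted in #1 (with a clean entry kept beside each suspicious one for contrast); the rules themselves, which directories count as data directories and what the expected UserInit and Shell values are, are my assumptions about what an analyst checks, not OTL's own logic.

```python
"""
Heuristic triage of OTL-style log lines (added example, not an OldTimer tool).

Heuristics (assumptions about what an analyst looks for):
  * a binary with no publisher name that runs from a data directory -> high
  * a Winlogon UserInit/Shell value that is not the stock one      -> high
  * any other entry with no publisher name                         -> review
"""
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the OTL log posted in the thread.
SAMPLE_LOG = r"""
PRC - [2013/10/17 15:16:43 | 000,531,096 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\gXRXDan3\gXRXDan3.exe
PRC - [2008/04/14 03:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
MOD - [2011/07/19 00:04:08 | 000,296,448 | ---- | M] () -- C:\Program Files\Notepad++\NppShell_04.dll
SRV - [2001/07/24 18:15:53 | 000,241,664 | ---- | M] () [Auto | Stopped] -- C:\WINDOWS\System32\r_server.exe -- (r_server)
O4 - HKLM..\Run: [AS2014] C:\Documents and Settings\All Users\Application Data\gXRXDan3\gXRXDan3.exe ()
O4 - HKLM..\Run: [NGServer] C:\Program Files\Symantec\Ghost\ngserver.exe (Symantec Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Documents and Settings\All Users\Application Data\gXRXDan3\gXRXDan3.exe -sm) - C:\Documents and Settings\All Users\Application Data\gXRXDan3\gXRXDan3.exe ()
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
"""

# PRC/MOD/SRV lines: "[date | size | attrs | M] (Company) ... -- path [-- (ServiceName)]"
ITEM_RE = re.compile(
    r"^(?P<kind>PRC|MOD|SRV) - \[[^\]]*\] \((?P<company>[^)]*)\).*? -- "
    r"(?P<path>.+?)(?: -- \([^)]*\))?$")
# O4 lines: "O4 - HKLM..\Run: [Name] path (Company)"
RUN_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<path>.+) \((?P<company>[^)]*)\)$")
# O20 lines: "O20 - HKLM Winlogon: Key - (registry value) - resolved path (Company)"
WINLOGON_RE = re.compile(
    r"^O20 - HKLM Winlogon: (?P<key>\w+) - \((?P<value>.+?)\) - (?P<path>.+) \((?P<company>[^)]*)\)$")

# Assumed set of directories where a legitimate autostart binary rarely lives.
DATA_DIR_RE = re.compile(r"\\(Application Data|ProgramData|Local Settings|Temp)\\", re.I)
# Assumed stock values for a 32-bit XP install (compared case-insensitively).
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"
EXPECTED_SHELL = "explorer.exe"


@dataclass
class Finding:
    severity: str   # "high" or "review"
    reason: str
    line: str


def triage(log_text: str) -> list:
    """Return a Finding for every line that trips one of the heuristics, in log order."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue

        m = WINLOGON_RE.match(line)
        if m:
            key, value = m["key"], m["value"].strip().rstrip(",").lower()
            if key == "UserInit" and value != EXPECTED_USERINIT:
                findings.append(Finding("high", r"Winlogon UserInit does not point at system32\userinit.exe", line))
            elif key == "Shell" and value != EXPECTED_SHELL:
                findings.append(Finding("high", "Winlogon Shell is not explorer.exe", line))
            continue

        m = RUN_RE.match(line) or ITEM_RE.match(line)
        if not m:
            continue  # other OTL sections are not covered by this example
        path, company = m["path"], m["company"].strip()
        if not company and DATA_DIR_RE.search(path):
            findings.append(Finding("high", "no publisher name and runs from a data directory", line))
        elif not company:
            findings.append(Finding("review", "no publisher name; verify the file by hand", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity.upper():6}] {f.reason}\n         {f.line}")
```

On the sample above the three gXRXDan3 entries come out as high, the Notepad++ shell extension and r_server.exe come out as review (no version info, but not in a data directory), and everything with a publisher name is left alone. The "review" bucket is deliberately not treated as malicious: plenty of legitimate software ships without company version info, which is exactly why the thread's expert reads the whole log rather than acting on one heuristic.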

#3 SyneDriuM (Topic Starter, Member, 19 posts)

I finally managed to get the network cards going; I downloaded Chameleon and it did the trick.
Ran MBAM a second time and it shows up clean.
However, after seeing the earlier Rkill log and noticing some weird behaviour from my laptop, I think I might be having leftovers.
Windows Explorer has been crashing on restart ever since, Microsoft Security Essentials is not working and cannot start, and generally it seems to be taking more time to do anything than it did before.
From the malware/virus folder (C:\Documents and Settings\All Users\Application Data\gXRXDan3) I found a batch file named serv.bat, of which I saved a copy in Notepad.

I am posting the Rkill log (while still infected), the first clean MBAM log, a new OTL log (after the clean) and, if it could be of any use, the batch file from the malware folder.

Should I do anything else?

Thank you for your time.

RKILL log
-----------------------------------------------------------------------------------------------------------
Rkill 2.6.2 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2013 BleepingComputer.com
More Information about Rkill can be found at this link:
http://www.bleepingc...opic308364.html

Program started at: 10/17/2013 05:36:25 PM in x86 mode.
Windows Version: Microsoft Windows XP Service Pack 3

Checking for Windows services to stop:

* No malware services found to stop.

Checking for processes to terminate:

* C:\WINDOWS\system32\r_server.exe (PID: 1028) [WD-HEUR]

1 proccess terminated!

Checking Registry for malware related settings:

* No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

* Windows Firewall Disabled

[HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = dword:00000000

* ALERT: ZEROACCESS rootkit symptoms found!

* C:\Documents and Settings\user\Local Settings\Application Data\Google\Desktop\Install\{03382b8a-0747-ebb4-cbea-feda86c9cd81}\ [ZA Dir]
* C:\Documents and Settings\user\Local Settings\Application Data\Google\Desktop\Install\{03382b8a-0747-ebb4-cbea-feda86c9cd81}\❤≸⋙\ [ZA Dir]
* C:\Documents and Settings\user\Local Settings\Application Data\Google\Desktop\Install\{03382b8a-0747-ebb4-cbea-feda86c9cd81}\❤≸⋙\Ⱒ☠⍨\ [ZA Dir]
* C:\Documents and Settings\user\Local Settings\Application Data\Google\Desktop\Install\{03382b8a-0747-ebb4-cbea-feda86c9cd81}\❤≸⋙\Ⱒ☠⍨\ﯹ๛\ [ZA Dir]
* C:\Documents and Settings\user\Local Settings\Application Data\Google\Desktop\Install\{03382b8a-0747-ebb4-cbea-feda86c9cd81}\❤≸⋙\Ⱒ☠⍨\ﯹ๛\{03382b8a-0747-ebb4-cbea-feda86c9cd81}\ [ZA Dir]
* C:\Program Files\Google\Desktop\Install\{03382b8a-0747-ebb4-cbea-feda86c9cd81}\ [ZA Dir]
* C:\Program Files\Google\Desktop\Install\{03382b8a-0747-ebb4-cbea-feda86c9cd81}\ \ [ZA Dir]
* C:\Program Files\Google\Desktop\Install\{03382b8a-0747-ebb4-cbea-feda86c9cd81}\ \ \ [ZA Dir]
* C:\Program Files\Google\Desktop\Install\{03382b8a-0747-ebb4-cbea-feda86c9cd81}\ \ \ﯹ๛\ [ZA Dir]
* C:\Program Files\Google\Desktop\Install\{03382b8a-0747-ebb4-cbea-feda86c9cd81}\ \ \ﯹ๛\{03382b8a-0747-ebb4-cbea-feda86c9cd81}\ [ZA Dir]

* ALERT: ZEROACCESS Reparse Point/Junction found!

* C:\Program Files\Microsoft Security Client\Antimalware => c:\windows\system32\config\ [Dir]
* C:\Program Files\Microsoft Security Client\Backup => c:\windows\system32\config\ [Dir]
* C:\Program Files\Microsoft Security Client\DbgHelp.dll => c:\windows\system32\config [File]
* C:\Program Files\Microsoft Security Client\Drivers => c:\windows\system32\config\ [Dir]
* C:\Program Files\Microsoft Security Client\en-us => c:\windows\system32\config\ [Dir]
* C:\Program Files\Microsoft Security Client\EppManifest.dll => c:\windows\system32\config [File]
* C:\Program Files\Microsoft Security Client\LegitLib.dll => c:\windows\system32\config [File]
* C:\Program Files\Microsoft Security Client\MpAsDesc.dll => c:\windows\system32\config [File]
* C:\Program Files\Microsoft Security Client\MpClient.dll => c:\windows\system32\config [File]
* C:\Program Files\Microsoft Security Client\MpCmdRun.exe => c:\windows\system32\config [File]
* C:\Program Files\Microsoft Security Client\MpCommu.dll => c:\windows\system32\config [File]
* C:\Program Files\Microsoft Security Client\mpevmsg.dll => c:\windows\system32\config [File]
* C:\Program Files\Microsoft Security Client\MpOAv.dll => c:\windows\system32\config [File]
* C:\Program Files\Microsoft Security Client\MpRTP.dll => c:\windows\system32\config [File]
* C:\Program Files\Microsoft Security Client\MpSvc.dll => c:\windows\system32\config [File]
* C:\Program Files\Microsoft Security Client\MsMpCom.dll => c:\windows\system32\config [File]
* C:\Program Files\Microsoft Security Client\MsMpEng.exe => c:\windows\system32\config [File]
* C:\Program Files\Microsoft Security Client\MsMpLics.dll => c:\windows\system32\config [File]
* C:\Program Files\Microsoft Security Client\MsMpRes.dll => c:\windows\system32\config [File]
* C:\Program Files\Microsoft Security Client\msseces.exe => c:\windows\system32\config [File]
* C:\Program Files\Microsoft Security Client\MsseWat.dll => c:\windows\system32\config [File]
* C:\Program Files\Microsoft Security Client\Setup.exe => c:\windows\system32\config [File]
* C:\Program Files\Microsoft Security Client\SetupRes.dll => c:\windows\system32\config [File]
* C:\Program Files\Microsoft Security Client\shellext.dll => c:\windows\system32\config [File]
* C:\Program Files\Microsoft Security Client\sqmapi.dll => c:\windows\system32\config [File]
* C:\Program Files\Microsoft Security Client\SymSrv.dll => c:\windows\system32\config [File]
* C:\Program Files\Microsoft Security Client\SymSrv.yes => c:\windows\system32\config [File]

Checking Windows Service Integrity:

* Security Center (wscsvc) is not Running.
Startup Type set to: Disabled

* Automatic Updates (wuauserv) is not Running.
Startup Type set to: Disabled

Searching for Missing Digital Signatures:

* No issues found.

Checking HOSTS File:

* HOSTS file entries found:

127.0.0.1 localhost

Program finished at: 10/17/2013 05:37:39 PM
Execution time: 0 hours(s), 1 minute(s), and 14 seconds(s)

------------------------------------------------------------------------------------------------------------------


MBAM FIRST CLEAN LOG

----------------------------------------------------------
Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.10.17.06

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
:: LAZAROS [administrator]

17/10/2013 19:34:47
mbam-log-2013-10-17 (19-34-47).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 221229
Time elapsed: 7 minute(s), 9 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 1
C:\WINDOWS\system32\admdll.dll (PUP.RemoteAdmin) -> No action taken.

Registry Keys Detected: 1
HKCU\Software\PriceGong (PUP.Optional.PriceGong.A) -> Quarantined and deleted successfully.

Registry Values Detected: 3
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|AS2014 (Malware.Packer.PEW) -> Data: C:\Documents and Settings\All Users\Application Data\gXRXDan3\gXRXDan3.exe -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|AS2014 (Malware.Packer.PEW) -> Data: C:\Documents and Settings\All Users\Application Data\gXRXDan3\gXRXDan3.exe -> Quarantined and deleted successfully.
HKCU\Control Panel\don't load|wscui.cpl (Hijack.SecurityCenter) -> Data: No -> Quarantined and deleted successfully.

Registry Data Items Detected: 3
HKLM\SOFTWARE\Microsoft\Security Center|AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Security Center|FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Security Center|UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.

Folders Detected: 2
C:\Documents and Settings\user\Application Data\PriceGong (PUP.Optional.PriceGong.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\Application Data\PriceGong\Data (PUP.Optional.PriceGong.A) -> Quarantined and deleted successfully.

Files Detected: 33
C:\WINDOWS\system32\admdll.dll (PUP.RemoteAdmin) -> No action taken.
C:\WINDOWS\system32\raddrv.dll (PUP.RemoteAdmin) -> No action taken.
C:\Documents and Settings\All Users\Application Data\gXRXDan3\gXRXDan3.exe (Malware.Packer.PEW) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\Desktop\Antivirus Security Pro support.url (Rogue.AntiVirusSecurity) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\Desktop\Antivirus Security Pro.lnk (Rogue.AntiVirusSecurity) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\Application Data\PriceGong\Data\1.xml (PUP.Optional.PriceGong.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\Application Data\PriceGong\Data\a.xml (PUP.Optional.PriceGong.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\Application Data\PriceGong\Data\b.xml (PUP.Optional.PriceGong.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\Application Data\PriceGong\Data\c.xml (PUP.Optional.PriceGong.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\Application Data\PriceGong\Data\d.xml (PUP.Optional.PriceGong.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\Application Data\PriceGong\Data\e.xml (PUP.Optional.PriceGong.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\Application Data\PriceGong\Data\f.xml (PUP.Optional.PriceGong.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\Application Data\PriceGong\Data\g.xml (PUP.Optional.PriceGong.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\Application Data\PriceGong\Data\h.xml (PUP.Optional.PriceGong.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\Application Data\PriceGong\Data\i.xml (PUP.Optional.PriceGong.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\Application Data\PriceGong\Data\J.xml (PUP.Optional.PriceGong.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\Application Data\PriceGong\Data\k.xml (PUP.Optional.PriceGong.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\Application Data\PriceGong\Data\l.xml (PUP.Optional.PriceGong.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\Application Data\PriceGong\Data\m.xml (PUP.Optional.PriceGong.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\Application Data\PriceGong\Data\mru.xml (PUP.Optional.PriceGong.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\Application Data\PriceGong\Data\n.xml (PUP.Optional.PriceGong.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\Application Data\PriceGong\Data\o.xml (PUP.Optional.PriceGong.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\Application Data\PriceGong\Data\p.xml (PUP.Optional.PriceGong.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\Application Data\PriceGong\Data\q.xml (PUP.Optional.PriceGong.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\Application Data\PriceGong\Data\r.xml (PUP.Optional.PriceGong.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\Application Data\PriceGong\Data\s.xml (PUP.Optional.PriceGong.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\Application Data\PriceGong\Data\t.xml (PUP.Optional.PriceGong.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\Application Data\PriceGong\Data\u.xml (PUP.Optional.PriceGong.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\Application Data\PriceGong\Data\v.xml (PUP.Optional.PriceGong.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\Application Data\PriceGong\Data\w.xml (PUP.Optional.PriceGong.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\Application Data\PriceGong\Data\x.xml (PUP.Optional.PriceGong.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\Application Data\PriceGong\Data\y.xml (PUP.Optional.PriceGong.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\Application Data\PriceGong\Data\z.xml (PUP.Optional.PriceGong.A) -> Quarantined and deleted successfully.

(end)
------------------------------------------------------------------------------------------------

OTL LOG AFTER CLEAN

-------------------------------------------------------------------------------------------------
OTL logfile created on: 17/10/2013 20:47:33 - Run 2
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Documents and Settings\user\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000408 | Country: Greece | Language: ELL | Date Format: d/M/yyyy

502,05 Mb Total Physical Memory | 222,46 Mb Available Physical Memory | 44,31% Memory free
1,20 Gb Paging File | 0,95 Gb Available in Paging File | 79,55% Paging File free
Paging file location(s): C:\pagefile.sys 756 1512 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 30,00 Gb Total Space | 6,31 Gb Free Space | 21,04% Space Free | Partition Type: NTFS
Drive D: | 44,52 Gb Total Space | 44,27 Gb Free Space | 99,44% Space Free | Partition Type: NTFS
Drive F: | 2,33 Gb Total Space | 0,00 Gb Free Space | 0,00% Space Free | Partition Type: CDFS
Drive G: | 465,73 Gb Total Space | 438,09 Gb Free Space | 94,07% Space Free | Partition Type: NTFS

Computer Name: LAZAROS | User Name: user | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2013/10/17 17:19:57 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\user\Desktop\otl.exe
PRC - [2013/07/08 14:09:10 | 004,153,184 | ---- | M] (TeamViewer GmbH) -- C:\Program Files\TeamViewer\Version8\TeamViewer_Service.exe
PRC - [2011/02/06 03:52:59 | 000,507,904 | ---- | M] (Realtek Semiconductor Corp.) -- C:\Documents and Settings\user\Local Settings\Temp\RtkBtMnt.exe
PRC - [2008/04/14 03:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/05/24 11:13:54 | 002,691,158 | ---- | M] (Check Point Software Technologies) -- C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.exe
PRC - [2007/05/24 11:13:50 | 000,036,955 | ---- | M] (Check Point Software Technologies) -- C:\Program Files\CheckPoint\SecuRemote\bin\SR_Watchdog.exe
PRC - [2007/05/24 11:13:48 | 000,106,586 | ---- | M] (Check Point Software Technologies) -- C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
PRC - [2005/11/28 18:26:04 | 000,726,720 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Ghost\ngserver.exe
PRC - [2005/11/28 18:26:04 | 000,050,880 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Ghost\bin\dbserv.exe
PRC - [2005/11/28 17:29:34 | 000,073,728 | R--- | M] (iAnywhere Solutions, Inc.) -- C:\Program Files\Symantec\Ghost\bin\rteng9.exe
PRC - [2001/07/24 18:15:53 | 000,241,664 | ---- | M] () -- C:\WINDOWS\system32\r_server.exe


========== Modules (No Company Name) ==========

MOD - [2011/07/19 00:04:08 | 000,296,448 | ---- | M] () -- C:\Program Files\Notepad++\NppShell_04.dll
MOD - [2010/03/15 12:28:22 | 000,141,824 | ---- | M] () -- C:\Program Files\WinRAR\RarExt.dll
MOD - [2007/05/24 11:13:50 | 000,073,808 | ---- | M] () -- C:\Program Files\CheckPoint\SecuRemote\bin\Bind82.dll
MOD - [2001/07/24 18:15:53 | 000,241,664 | ---- | M] () -- C:\WINDOWS\system32\r_server.exe
MOD - [2000/07/10 15:06:14 | 000,090,112 | ---- | M] () -- C:\WINDOWS\system32\admdll.dll


========== Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- %SystemRoot%\System32\hidserv.dll -- (HidServ)
SRV - [2013/09/13 19:40:38 | 000,117,656 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
SRV - [2013/07/08 14:09:10 | 004,153,184 | ---- | M] (TeamViewer GmbH) [Auto | Running] -- C:\Program Files\TeamViewer\Version8\TeamViewer_Service.exe -- (TeamViewer8)
SRV - [2013/01/27 12:11:46 | 000,020,456 | ---- | M] () [Disabled | Stopped] -- C:\Program Files\Microsoft Security Client\MsMpEng.exe -- (MsMpSvc)
SRV - [2007/05/24 11:13:50 | 000,036,955 | ---- | M] (Check Point Software Technologies) [Auto | Running] -- C:\Program Files\CheckPoint\SecuRemote\bin\SR_Watchdog.exe -- (SR_Watchdog)
SRV - [2007/05/24 11:13:48 | 000,106,586 | ---- | M] (Check Point Software Technologies) [Auto | Running] -- C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe -- (SR_Service)
SRV - [2005/11/28 18:26:04 | 000,726,720 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec\Ghost\ngserver.exe -- (NGServer)
SRV - [2005/11/28 18:26:04 | 000,050,880 | ---- | M] (Symantec Corporation) [On_Demand | Running] -- C:\Program Files\Symantec\Ghost\bin\dbserv.exe -- (ngdbserv)
SRV - [2001/07/24 18:15:53 | 000,241,664 | ---- | M] () [Auto | Running] -- C:\WINDOWS\System32\r_server.exe -- (r_server)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\UIUSYS.SYS -- (UIUSys)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)
DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc)
DRV - File not found [Kernel | System | Stopped] -- -- (i2omgmt)
DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
DRV - [2013/10/17 19:24:29 | 000,035,144 | ---- | M] () [File_System | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mbamchameleon.sys -- (mbamchameleon)
DRV - [2012/11/18 20:22:46 | 000,242,240 | ---- | M] (DT Soft Ltd) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\dtsoftbus01.sys -- (dtsoftbus01)
DRV - [2010/07/12 15:49:18 | 000,060,104 | ---- | M] (FTDI Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ftdibus.sys -- (FTDIBUS)
DRV - [2010/07/12 15:48:56 | 000,073,032 | ---- | M] (FTDI Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ftser2k.sys -- (FTSER2K)
DRV - [2009/03/25 18:48:00 | 000,114,728 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s1018mdm.sys -- (s1018mdm)
DRV - [2009/03/25 18:48:00 | 000,109,864 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s1018unic.sys -- (s1018unic)
DRV - [2009/03/25 18:48:00 | 000,106,208 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s1018mgmt.sys -- (s1018mgmt)
DRV - [2009/03/25 18:48:00 | 000,104,744 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s1018obex.sys -- (s1018obex)
DRV - [2009/03/25 18:48:00 | 000,086,824 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s1018bus.sys -- (s1018bus)
DRV - [2009/03/25 18:48:00 | 000,026,024 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s1018nd5.sys -- (s1018nd5)
DRV - [2009/03/25 18:48:00 | 000,015,016 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s1018mdfl.sys -- (s1018mdfl)
DRV - [2008/05/06 16:06:00 | 000,011,520 | ---- | M] (Western Digital Technologies) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\wdcsam.sys -- (WDC_SAM)
DRV - [2008/01/09 13:28:34 | 000,027,632 | ---- | M] (Sony Ericsson Mobile Communications) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\seehcri.sys -- (seehcri)
DRV - [2007/05/24 11:13:58 | 000,036,368 | ---- | M] (Check Point Software Technologies) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\omdrv.sys -- (CP_OMDRV)
DRV - [2007/05/24 11:13:54 | 002,234,800 | ---- | M] (Check Point Software Technologies) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\fw.sys -- (FW1)
DRV - [2007/05/24 11:13:52 | 000,110,032 | ---- | M] (Check Point Software Technologies) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\vnasc.sys -- (VNASC)
DRV - [2007/05/24 11:13:50 | 000,673,456 | ---- | M] (Check Point Software Technologies) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\vpn.sys -- (VPN-1)
DRV - [2007/04/05 08:19:20 | 000,546,112 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ar5211.sys -- (AR5211)
DRV - [2006/12/22 12:56:44 | 000,988,800 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DPV.sys -- (HSF_DPV)
DRV - [2006/12/22 12:56:00 | 000,209,664 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWAZL.sys -- (HSFHWAZL)
DRV - [2006/12/22 12:55:56 | 000,730,112 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2006/06/28 17:25:24 | 004,304,384 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.Sys -- (IntcAzAudAddService)
DRV - [2005/10/31 15:17:00 | 000,045,312 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\bcm4sbxp.sys -- (bcm4sbxp)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.c...ferrer:source?}


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-57989841-436374069-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.gr/
IE - HKU\S-1-5-21-57989841-436374069-839522115-1003\..\SearchScopes,DefaultScope = {1F2C3181-5081-45BD-A817-E1E64E07C6A6}
IE - HKU\S-1-5-21-57989841-436374069-839522115-1003\..\SearchScopes\{1F2C3181-5081-45BD-A817-E1E64E07C6A6}: "URL" = http://www.google.co...rchTerms}&meta=
IE - HKU\S-1-5-21-57989841-436374069-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-57989841-436374069-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKU\S-1-5-21-57989841-436374069-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = kryoneri-proxy:8080

========== FireFox ==========

FF - prefs.js..extensions.enabledAddons: %7B20a82645-c095-46ed-80e3-08825760534b%7D:0.0.0
FF - prefs.js..extensions.enabledAddons: jqs%40sun.com:1.0
FF - prefs.js..extensions.enabledAddons: %7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:23.0.1
FF - prefs.js..network.proxy.backup.ftp: ""
FF - prefs.js..network.proxy.backup.ftp_port: 0
FF - prefs.js..network.proxy.backup.socks: ""
FF - prefs.js..network.proxy.backup.socks_port: 0
FF - prefs.js..network.proxy.backup.ssl: ""
FF - prefs.js..network.proxy.backup.ssl_port: 0
FF - prefs.js..network.proxy.ftp: "kryoneri-proxy"
FF - prefs.js..network.proxy.ftp_port: 8080
FF - prefs.js..network.proxy.http: "kryoneri-proxy"
FF - prefs.js..network.proxy.http_port: 8080
FF - prefs.js..network.proxy.share_proxy_settings: true
FF - prefs.js..network.proxy.socks: "kryoneri-proxy"
FF - prefs.js..network.proxy.socks_port: 8080
FF - prefs.js..network.proxy.ssl: "kryoneri-proxy"
FF - prefs.js..network.proxy.ssl_port: 8080
FF - prefs.js..network.proxy.type: 0
FF - user.js - File not found

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_6_602_180.dll ()
FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\WINDOWS\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 23.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 23.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins

[2011/04/18 10:09:31 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\user\Application Data\Mozilla\Extensions
[2013/10/17 14:50:58 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\6wom68rq.default\extensions
[2013/10/17 14:50:58 | 000,915,554 | ---- | M] () (No name found) -- C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\6wom68rq.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
[2012/11/01 15:33:07 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2013/09/13 19:40:41 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\browser\extensions
[2013/09/13 19:40:41 | 000,000,000 | ---D | M] (Default) -- C:\Program Files\Mozilla Firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2012/01/18 15:41:50 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
[2011/06/23 10:23:08 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V3.5\WINDOWS PRESENTATION FOUNDATION\DOTNETASSISTANTEXTENSION

O1 HOSTS File: ([2006/02/28 15:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\Alcmtr.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [MSC] C:\Program Files\Microsoft Security Client\msseces.exe ()
O4 - HKLM..\Run: [NGServer] C:\Program Files\Symantec\Ghost\ngserver.exe (Symantec Corporation)
O4 - HKU\S-1-5-21-57989841-436374069-839522115-1003..\Run: [DAEMON Tools Lite] C:\Program Files\DAEMON Tools Lite\DTLite.exe (DT Soft Ltd)
O4 - HKU\S-1-5-21-57989841-436374069-839522115-1003..\Run: [Google Update] Reg Error: Value error. File not found
O4 - HKU\S-1-5-21-57989841-436374069-839522115-1003..\Run: [Sony PC Companion] C:\Program Files\Sony\Sony PC Companion\PCCompanion.exe (Sony)
O4 - HKU\S-1-5-21-57989841-436374069-839522115-1003..\Run: [uTorrent] C:\Program Files\uTorrent\uTorrent.exe (BitTorrent, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-57989841-436374069-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macr...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.micros...b?1296954416712 (WUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_30)
O16 - DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_30)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_30)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.m...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{53E7752F-89E4-4320-BDCA-26BE14F55902}: DhcpNameServer = 192.168.1.254
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Documents and Settings\All Users\Application Data\gXRXDan3\gXRXDan3.exe -sm) - File not found
O20 - Winlogon\Notify\ckpNotify: DllName - (ckpNotify.dll) - C:\WINDOWS\System32\ckpNotify.dll (Check Point Software Technologies)
O24 - Desktop WallPaper: C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2011/02/06 03:11:37 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2012/11/05 18:47:00 | 000,000,071 | R--- | M] () - F:\Autorun.inf -- [ CDFS ]
O33 - MountPoints2\{9acd42b8-42a9-11e1-8596-54f10f29b807}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{9acd42b8-42a9-11e1-8596-54f10f29b807}\Shell\AutoRun\command - "" = F:\fscommand\LS_Start_Launch.cmd
O33 - MountPoints2\{9acd42b8-42a9-11e1-8596-54f10f29b807}\Shell\Launcher\command - "" = F:\fscommand\LS_Start_Launch.cmd
O33 - MountPoints2\{a9ce218d-f0b6-11e0-855d-00197e1017ad}\Shell - "" = AutoRun
O33 - MountPoints2\{a9ce218d-f0b6-11e0-855d-00197e1017ad}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{a9ce218d-f0b6-11e0-855d-00197e1017ad}\Shell\AutoRun\command - "" = F:\silkcosmos.exe
O33 - MountPoints2\{b42e027f-4740-11e1-8597-54f10f29b807}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{b42e027f-4740-11e1-8597-54f10f29b807}\Shell\AutoRun\command - "" = F:\fscommand\LS_Start_Launch.cmd
O33 - MountPoints2\{b42e027f-4740-11e1-8597-54f10f29b807}\Shell\Launcher\command - "" = F:\fscommand\LS_Start_Launch.cmd
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2013/10/17 19:25:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\user\Application Data\Malwarebytes
[2013/10/17 19:25:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2013/10/17 19:25:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2013/10/17 19:25:37 | 000,022,856 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2013/10/17 19:25:37 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2013/10/17 19:21:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\user\Desktop\charm
[2013/10/17 16:53:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\user\Desktop\New Folder (4)
[2013/10/17 16:42:33 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\user\Desktop\otl.exe
[2013/10/17 15:16:30 | 000,000,000 | ---D | C] -- C:\Program Files\Google
[2013/10/17 15:16:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\user\Local Settings\Application Data\Google
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2013/10/17 20:46:03 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2013/10/17 20:45:32 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2013/10/17 19:25:40 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2013/10/17 19:24:29 | 000,035,144 | ---- | M] () -- C:\WINDOWS\System32\drivers\mbamchameleon.sys
[2013/10/17 17:19:57 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\user\Desktop\otl.exe
[2013/10/17 11:00:47 | 000,000,384 | -H-- | M] () -- C:\WINDOWS\tasks\Microsoft Antimalware Scheduled Scan.job
[2013/10/04 12:58:42 | 000,001,764 | -H-- | M] () -- C:\Documents and Settings\user\My Documents\Default.rdp
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2013/10/17 19:25:40 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2013/10/17 19:24:29 | 000,035,144 | ---- | C] () -- C:\WINDOWS\System32\drivers\mbamchameleon.sys
[2012/10/26 15:00:19 | 000,002,528 | ---- | C] () -- C:\Documents and Settings\user\Application Data\$_hpcst$.hpc
[2012/09/27 04:55:00 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2012/08/09 17:04:55 | 000,000,600 | ---- | C] () -- C:\Documents and Settings\user\Local Settings\Application Data\PUTTY.RND
[2012/02/17 15:40:07 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2012/01/14 16:46:53 | 000,002,516 | ---- | C] () -- C:\WINDOWS\System32\drivers\default.bin
[2012/01/14 16:46:53 | 000,002,516 | ---- | C] () -- C:\WINDOWS\System32\default.bin

========== ZeroAccess Check ==========

[2011/06/08 13:39:04 | 000,000,227 | RHS- | M] () -- C:\WINDOWS\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shdocvw.dll -- [2010/11/05 08:05:36 | 001,510,400 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = C:\WINDOWS\system32\wbem\fastprox.dll -- [2009/02/09 15:10:48 | 000,473,600 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = C:\WINDOWS\system32\wbem\wbemess.dll -- [2008/04/14 03:12:08 | 000,273,920 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

========== LOP Check ==========

[2012/05/24 15:29:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AMMYY
[2012/11/18 20:24:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\DAEMON Tools Lite
[2012/03/10 09:08:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Sony
[2012/11/18 20:24:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\DAEMON Tools Lite
[2012/01/25 14:04:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\Notepad++
[2011/06/15 14:49:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\Radmin
[2012/11/18 21:11:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\Sports Interactive
[2011/02/07 20:11:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\TeamViewer
[2013/10/17 20:46:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\uTorrent
[2011/06/08 12:54:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\user\Application Data\VanDyke

========== Purity Check ==========



< End of report >
------------------------------------------------------------------------------------------------------------------------------

serv.bat (batch file found in the malware folder)
(I added the # in front of every line to post it)

-----------------------------------------------------------------------------------------------------------
#reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system" /v EnableLUA /t REG_DWORD /d 0 /f
#reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system" /v EnableVirtualization /t REG_DWORD /d 0 /f
#reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v RPSessionInterval /t REG_DWORD /d 0 /f
#reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP\Clients" /va /f
#Sc sToP WinDefend
#sC StOp msmpsvc
#sC StOp wuauserv
#sC StOp wscsvc
#ping localhost -w 1000 -n 3 > nul
#sc config windefend start= disabled
#sc config msmpsvc start= disabled
#sc config wuauserv start= disabled
#sc config wscsvc start= disabled
#sc config luafv start= disabled
#reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v MSASCui /f
#reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Windows Defender" /f
#reg add "HKLM\SOFTWARE\Microsoft\Security Center\Svc" /v AntiVirusDisableNotify /t REG_DWORD /d 1 /f
#reg add "HKLM\SOFTWARE\Microsoft\Security Center" /v AntiVirusDisableNotify /t REG_DWORD /d 1 /f
#reg add "HKLM\SOFTWARE\Microsoft\Security Center\Svc" /v AntiVirusOverride /t REG_DWORD /d 1 /f
#reg add "HKLM\SOFTWARE\Microsoft\Security Center" /v AntiVirusOverride /t REG_DWORD /d 1 /f
#reg add "HKLM\SOFTWARE\Microsoft\Security Center\Svc" /v FirewallDisableNotify /t REG_DWORD /d 1 /f
#reg add "HKLM\SOFTWARE\Microsoft\Security Center" /v FirewallDisableNotify /t REG_DWORD /d 1 /f
#reg add "HKLM\SOFTWARE\Microsoft\Security Center\Svc" /v FirewallOverride /t REG_DWORD /d 1 /f
#reg add "HKLM\SOFTWARE\Microsoft\Security Center" /v FirewallOverride /t REG_DWORD /d 1 /f
#reg add "HKLM\SOFTWARE\Microsoft\Security Center\Svc" /v UpdatesDisableNotify /t REG_DWORD /d 1 /f
#reg add "HKLM\SOFTWARE\Microsoft\Security Center" /v UpdatesDisableNotify /t REG_DWORD /d 1 /f
#reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v AS2014 /t REG_SZ /d "C:\Documents and Settings\All Users\Application Data\gXRXDan3\gXRXDan3.exe" /f
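The serv.bat above silences the Security Center warnings, stops and disables the Defender, MSE, Windows Update and Security Center services, and adds an AS2014 Run entry pointing into All Users\Application Data; the ComboFix log later in the thread still shows those Security Center values set to 1. As an added example (not code from the thread, OTL or ComboFix), this Python script parses a REGEDIT4-style export, the notation ComboFix's "Reg Loading Points" section uses, and reports those registry changes plus a hijacked Winlogon\UserInit value; the sample export is constructed to mirror this thread's snapshot.

```python
"""Flag the defence-disabling registry changes serv.bat makes (added example,
not code from the thread, OTL or ComboFix).  Parses a REGEDIT4-style export,
the notation ComboFix's "Reg Loading Points" section uses."""
import re

SECURITY_CENTER_KEYS = (
    r"hklm\software\microsoft\security center",
    r"hklm\software\microsoft\security center\svc",
)
# Values serv.bat sets to 1; each one silences a Security Center warning.
NOTIFY_VALUES = {
    "antivirusdisablenotify", "antivirusoverride",
    "firewalldisablenotify", "firewalloverride", "updatesdisablenotify",
}
POLICIES_KEY = r"hklm\software\microsoft\windows\currentversion\policies\system"
RUN_KEY = r"hklm\software\microsoft\windows\currentversion\run"
WINLOGON_KEY = r"hklm\software\microsoft\windows nt\currentversion\winlogon"
_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def normalise_key(key):
    """Lower-case a key path and shorten the hive name, as ComboFix prints it."""
    key = key.strip().lower()
    return key.replace("hkey_local_machine", "hklm").replace("hkey_current_user", "hkcu")


def parse_regedit4(text):
    """Return {normalised key: {value name (lower-cased): raw data string}}."""
    hive, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line == "REGEDIT4" or line.startswith((";", ".")):
            continue  # header, comment or ComboFix's "." separator lines
        key_match = _KEY_RE.match(line)
        if key_match:
            current = normalise_key(key_match.group(1))
            hive.setdefault(current, {})
            continue
        value_match = _VALUE_RE.match(line)
        if value_match and current is not None:
            hive[current][value_match.group(1).lower()] = value_match.group(2).strip()
    return hive


def dword(data):
    """Integer value of a 'dword:XXXXXXXX' entry, or None for other types."""
    match = re.match(r"dword:([0-9a-f]{8})$", data.lower())
    return int(match.group(1), 16) if match else None


def string_data(data):
    """Unquote a "..." string entry, ignoring any trailing annotation."""
    match = re.match(r'"((?:[^"\\]|\\.)*)"', data)
    return match.group(1).replace("\\\\", "\\") if match else data


def find_tampering(hive):
    """List the serv.bat-style changes present in a parsed export."""
    findings = []
    for key in SECURITY_CENTER_KEYS:
        for name, data in hive.get(key, {}).items():
            if name in NOTIFY_VALUES and dword(data) == 1:
                findings.append(f"{key}\\{name}=1: Security Center warning suppressed")
    if dword(hive.get(POLICIES_KEY, {}).get("enablelua", "")) == 0:
        findings.append(f"{POLICIES_KEY}\\enablelua=0: UAC disabled (Vista and later)")
    # Autostarts launched from a per-user or All Users data directory.
    for name, data in hive.get(RUN_KEY, {}).items():
        path = string_data(data).lower()
        if "\\application data\\" in path or "\\programdata\\" in path:
            findings.append(f"Run\\{name} starts from a data directory: {path}")
    # Winlogon\UserInit should list only userinit.exe; anything else runs at logon.
    userinit = string_data(hive.get(WINLOGON_KEY, {}).get("userinit", ""))
    for entry in filter(None, (e.strip() for e in userinit.split(","))):
        if not entry.lower().endswith("\\userinit.exe"):
            findings.append(f"UserInit hijacked: {entry}")
    return findings


# Constructed export mirroring the infected snapshot (not a real ComboFix log).
SAMPLE = r"""REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AS2014"="C:\Documents and Settings\All Users\Application Data\gXRXDan3\gXRXDan3.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"UserInit"="C:\WINDOWS\system32\userinit.exe,C:\Documents and Settings\All Users\Application Data\gXRXDan3\gXRXDan3.exe -sm"
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA"=dword:00000000
"""

if __name__ == "__main__":
    for finding in find_tampering(parse_regedit4(SAMPLE)):
        print(finding)
```

Run against a real `reg export` of those keys (REGEDIT4 or the Windows Registry Editor Version 5.00 header, which the parser skips as a non-matching line), the same checks apply; a clean machine reports nothing.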
#4 SyneDriuM (Topic Starter, Member, 19 posts)
Sorry, I just finished typing my reply and saw yours afterwards. Should I do the steps you suggest now?
#5 RKinner (Malware Expert, MVP, 24,625 posts)
I just did an edit on my original post to include some stuff from your other logs in the OTL fix so go ahead and try the OTL Run Fix. If you have already run it then run it again. Your Microsoft Security Essentials has been infected so I'm just going to pull it out by the roots.

This actually includes one of the newer ZeroAccess infections. Your best bet is to run ComboFix twice:

ComboFix

Important: It must be saved to your desktop; do not run it from your browser.

Important: Disable your antivirus software when downloading or running ComboFix. If it has script-blocking features, please disable these as well. See: http://www.bleepingc...opic114351.html


Download and Save this file -- to your Desktop -- from either of these two sources:
http://download.blee...Bs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Double click on ComboFix to start the program.



* Important: Have no other programs running. Your Task Bar should be clear of any program entries, including your browser.


* A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix.

Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work. If it reboots and you do not get a log then run combofix a second time. I'll need to see the log in your reply.

We can also get rid of it with FRST:

Please download Farbar Recovery Scan Tool and save it to your Desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

  • Right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will produce a log called FRST.txt in the same directory the tool is run from.
  • Please copy and paste log back here.
  • The first time the tool is run it generates another log (Addition.txt - also located in the same directory as FRST.exe/FRST64.exe). Please also paste that along with the FRST.txt into your reply.

With FRST it's not automatic. I will have to create a fixlist file from your log.
#6 SyneDriuM (Topic Starter, Member, 19 posts)
Thanks for the reply

Here are the logs

OTL ran with fix
-------------------------------------------------------------------------------------------------------------------------------
========== OTL ==========
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\MSC deleted successfully.
File move failed. C:\Program Files\Microsoft Security Client\msseces.exe scheduled to be moved on reboot.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\Google Update not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\uTorrent deleted successfully.
C:\Program Files\uTorrent\uTorrent.exe moved successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\AS2014 not found.
File C:\Documents and Settings\All Users\Application Data\gXRXDan3\gXRXDan3.exe not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\UserInit:C:\Documents and Settings\All Users\Application Data\gXRXDan3\gXRXDan3.exe -sm deleted successfully.
File C:\Documents and Settings\All Users\Application Data\gXRXDan3\gXRXDan3.exe not found.
Folder C:\Documents and Settings\user\Start Menu\Programs\Antivirus Security Pro\ not found.
Folder C:\Documents and Settings\All Users\Application Data\gXRXDan3\ not found.
File C:\Documents and Settings\user\Desktop\Antivirus Security Pro.lnk not found.
File C:\Documents and Settings\user\Desktop\Antivirus Security Pro support.url not found.
File C:\Documents and Settings\user\Desktop\Antivirus Security Pro.lnk not found.
File C:\Documents and Settings\user\Desktop\Antivirus Security Pro support.url not found.
Folder C:\Documents and Settings\All Users\Application Data\gXRXDan3\ not found.
C:\Documents and Settings\user\Application Data\uTorrent\dlimagecache folder moved successfully.
C:\Documents and Settings\user\Application Data\uTorrent\apps folder moved successfully.
C:\Documents and Settings\user\Application Data\uTorrent folder moved successfully.
========== FILES ==========
File\Folder C:\Documents and Settings\All Users\Application Data\gXRXDan3 not found.
Folder move failed. C:\Program Files\Microsoft Security Client\en-us scheduled to be moved on reboot.
Folder move failed. C:\Program Files\Microsoft Security Client\Drivers scheduled to be moved on reboot.
Folder move failed. C:\Program Files\Microsoft Security Client\Backup scheduled to be moved on reboot.
Folder move failed. C:\Program Files\Microsoft Security Client\Antimalware scheduled to be moved on reboot.
Folder move failed. C:\Program Files\Microsoft Security Client scheduled to be moved on reboot.
< sc config msmpsvc start= auto /c >
[SC] ChangeServiceConfig SUCCESS
C:\Documents and Settings\user\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\user\Desktop\cmd.txt deleted successfully.
< sc config wuauserv start= auto /c >
[SC] ChangeServiceConfig SUCCESS
C:\Documents and Settings\user\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\user\Desktop\cmd.txt deleted successfully.
< sc config wscsvc start= auto /c >
[SC] ChangeServiceConfig SUCCESS
C:\Documents and Settings\user\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\user\Desktop\cmd.txt deleted successfully.
< sc config luafv start= auto /c >
[SC] OpenService FAILED 1060:
The specified service does not exist as an installed service.
C:\Documents and Settings\user\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\user\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========

[EMPTYFLASH]

User: Administrator
->Flash cache emptied: 56502 bytes

User: All Users

User: Default User
->Flash cache emptied: 56502 bytes

User: LocalService

User: NetworkService

User: user
->Flash cache emptied: 506 bytes

Total Flash Files Cleaned = 0,00 mb


[EMPTYJAVA]

User: Administrator

User: All Users

User: Default User

User: LocalService

User: NetworkService

User: user
->Java cache emptied: 94750720 bytes

Total Java Files Cleaned = 90,00 mb


OTL by OldTimer - Version 3.2.69.0 log created on 10172013_233216

Files\Folders moved on Reboot...
File move failed. C:\Program Files\Microsoft Security Client\msseces.exe scheduled to be moved on reboot.
Folder move failed. C:\Program Files\Microsoft Security Client\en-us scheduled to be moved on reboot.
Folder move failed. C:\Program Files\Microsoft Security Client\Drivers scheduled to be moved on reboot.
Folder move failed. C:\Program Files\Microsoft Security Client\Backup scheduled to be moved on reboot.
Folder move failed. C:\Program Files\Microsoft Security Client\Antimalware scheduled to be moved on reboot.
Folder move failed. C:\Program Files\Microsoft Security Client\en-us scheduled to be moved on reboot.
Folder move failed. C:\Program Files\Microsoft Security Client\Drivers scheduled to be moved on reboot.
Folder move failed. C:\Program Files\Microsoft Security Client\Backup scheduled to be moved on reboot.
Folder move failed. C:\Program Files\Microsoft Security Client\Antimalware scheduled to be moved on reboot.
Folder move failed. C:\Program Files\Microsoft Security Client scheduled to be moved on reboot.

PendingFileRenameOperations files...

Registry entries deleted on Reboot...

------------------------------------------------------------------------------------------------------------------------------------------


ComboFix Log
-------------------------------------------------------------------------------------------------------------------------------------------
ComboFix 13-10-16.02 - user 17/10/2013 23:57:20.1.1 - x86
Running from: c:\documents and settings\user\Desktop\ComboFix.exe
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\docume~1\user\LOCALS~1\APPLIC~1\Google\Desktop\Install
c:\docume~1\user\LOCALS~1\APPLIC~1\Google\Desktop\Install\{03382b8a-0747-ebb4-cbea-feda86c9cd81}\C3C1~1\01C8~1\CFFE~1\{03382b8a-0747-ebb4-cbea-feda86c9cd81}\@
c:\docume~1\user\LOCALS~1\APPLIC~1\Google\Desktop\Install\{03382b8a-0747-ebb4-cbea-feda86c9cd81}\C3C1~1\01C8~1\CFFE~1\{03382b8a-0747-ebb4-cbea-feda86c9cd81}\GoogleUpdate.exe
c:\docume~1\user\LOCALS~1\APPLIC~1\Google\Desktop\Install\{03382b8a-0747-ebb4-cbea-feda86c9cd81}\C3C1~1\01C8~1\CFFE~1\{03382b8a-0747-ebb4-cbea-feda86c9cd81}\U\00000001.@
c:\docume~1\user\LOCALS~1\APPLIC~1\Google\Desktop\Install\{03382b8a-0747-ebb4-cbea-feda86c9cd81}\C3C1~1\01C8~1\CFFE~1\{03382b8a-0747-ebb4-cbea-feda86c9cd81}\U\00000002.@
c:\docume~1\user\LOCALS~1\APPLIC~1\Google\Desktop\Install\{03382b8a-0747-ebb4-cbea-feda86c9cd81}\C3C1~1\01C8~1\CFFE~1\{03382b8a-0747-ebb4-cbea-feda86c9cd81}\U\80000000.@
c:\docume~1\user\LOCALS~1\APPLIC~1\Google\Desktop\Install\{03382b8a-0747-ebb4-cbea-feda86c9cd81}\C3C1~1\01C8~1\CFFE~1\{03382b8a-0747-ebb4-cbea-feda86c9cd81}\U\80000001.@
c:\docume~1\user\LOCALS~1\APPLIC~1\Google\Desktop\Install\{03382b8a-0747-ebb4-cbea-feda86c9cd81}\C3C1~1\01C8~1\CFFE~1\{03382b8a-0747-ebb4-cbea-feda86c9cd81}\U\800000cb.@
c:\documents and settings\All Users\Application Data\AMMYY
c:\documents and settings\All Users\Application Data\AMMYY\hr
c:\documents and settings\All Users\Application Data\AMMYY\hr3
c:\documents and settings\All Users\Application Data\AMMYY\settings3.bin
c:\program files\Google\Desktop\Install
c:\program files\Google\Desktop\Install\{03382b8a-0747-ebb4-cbea-feda86c9cd81}\0103~1\0103~1\CFFE~1\{03382b8a-0747-ebb4-cbea-feda86c9cd81}\@
c:\program files\Google\Desktop\Install\{03382b8a-0747-ebb4-cbea-feda86c9cd81}\0103~1\0103~1\CFFE~1\{03382b8a-0747-ebb4-cbea-feda86c9cd81}\GoogleUpdate.exe
c:\program files\Google\Desktop\Install\{03382b8a-0747-ebb4-cbea-feda86c9cd81}\0103~1\0103~1\CFFE~1\{03382b8a-0747-ebb4-cbea-feda86c9cd81}\U\00000001.@
c:\program files\Google\Desktop\Install\{03382b8a-0747-ebb4-cbea-feda86c9cd81}\0103~1\0103~1\CFFE~1\{03382b8a-0747-ebb4-cbea-feda86c9cd81}\U\00000002.@
c:\program files\Google\Desktop\Install\{03382b8a-0747-ebb4-cbea-feda86c9cd81}\0103~1\0103~1\CFFE~1\{03382b8a-0747-ebb4-cbea-feda86c9cd81}\U\80000000.@
c:\program files\Google\Desktop\Install\{03382b8a-0747-ebb4-cbea-feda86c9cd81}\0103~1\0103~1\CFFE~1\{03382b8a-0747-ebb4-cbea-feda86c9cd81}\U\80000001.@
c:\program files\Google\Desktop\Install\{03382b8a-0747-ebb4-cbea-feda86c9cd81}\0103~1\0103~1\CFFE~1\{03382b8a-0747-ebb4-cbea-feda86c9cd81}\U\800000cb.@
.
.
((((((((((((((((((((((((( Files Created from 2013-09-17 to 2013-10-17 )))))))))))))))))))))))))))))))
.
.
2013-10-17 20:32 . 2013-10-17 20:32 -------- d-----w- C:\_OTL
2013-10-17 16:25 . 2013-10-17 16:25 -------- d-----w- c:\documents and settings\user\Application Data\Malwarebytes
2013-10-17 16:25 . 2013-10-17 16:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2013-10-17 16:25 . 2013-10-17 16:25 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2013-10-17 16:25 . 2013-04-04 11:50 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-10-17 16:24 . 2013-10-17 16:24 35144 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2013-10-17 12:25 . 2013-10-17 12:25 -------- d-----w- c:\documents and settings\Administrator
2013-10-17 12:16 . 2013-10-17 12:16 -------- d-----w- c:\program files\Google
2013-10-17 12:16 . 2013-10-17 12:16 -------- d-----w- c:\documents and settings\user\Local Settings\Application Data\Google
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-09-05 05:02 . 2013-09-17 11:07 7328304 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{EA8592BB-5E39-4634-A75E-E4573F6FC153}\mpengine.dll
2013-08-09 01:56 . 2006-02-28 12:00 386560 ----a-w- c:\windows\system32\themeui.dll
2013-08-08 06:05 . 2006-02-28 12:00 920064 ----a-w- c:\windows\system32\wininet.dll
2013-08-08 06:05 . 2006-02-28 12:00 43520 ------w- c:\windows\system32\licmgr10.dll
2013-08-08 06:05 . 2006-02-28 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2013-08-08 06:05 . 2006-02-28 12:00 18944 ----a-w- c:\windows\system32\corpol.dll
2013-08-08 01:27 . 2006-02-28 12:00 1877760 ----a-w- c:\windows\system32\win32k.sys
2013-08-08 00:02 . 2006-02-28 12:00 385024 ------w- c:\windows\system32\html.iec
2013-08-06 07:28 . 2013-09-13 08:20 7166848 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2013-08-05 13:30 . 2006-02-28 12:00 1289728 ----a-w- c:\windows\system32\ole32.dll
2013-08-03 11:18 . 2006-10-18 19:47 1543680 ------w- c:\windows\system32\wmvdecod.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-23 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-23 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784]
"RTHDCPL"="RTHDCPL.EXE" [2006-06-28 16248320]
"SkyTel"="SkyTel.EXE" [2006-05-16 2879488]
"AzMixerSel"="c:\program files\Realtek\InstallShield\AzMixerSel.exe" [2005-12-21 53248]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-03 761946]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"NGServer"="c:\program files\Symantec\Ghost\ngserver.exe" [2005-11-28 726720]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2011-07-27 434080]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ckpNotify]
2007-05-24 08:13 24665 ----a-w- c:\windows\system32\ckpNotify.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_Service.exe"=
"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_GUI.exe"=
"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\scc.exe"=
"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_SDS.exe"=
"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_Diagnostics.exe"=
"c:\\Documents and Settings\\user\\Desktop\\ST510v4_R4.3.2.6 upgrade wizard\\UpgradeWizard\\upgradeST.exe"=
"c:\\Program Files\\Symantec\\Ghost\\ngserver.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\TeamViewer\\Version8\\TeamViewer.exe"=
"c:\\Program Files\\TeamViewer\\Version8\\TeamViewer_Service.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
.
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\drivers\dtsoftbus01.sys [18/11/2012 20:22 242240]
R2 CP_OMDRV;Check Point Office Mode Module;c:\windows\system32\drivers\omdrv.sys [24/5/2007 11:13 36368]
R2 TeamViewer8;TeamViewer 8;c:\program files\TeamViewer\Version8\TeamViewer_Service.exe [17/7/2013 00:23 4153184]
R2 VNASC;Check Point Virtual Network Adapter - SecureClient;c:\windows\system32\drivers\vnasc.sys [24/5/2007 11:13 110032]
R2 VPN-1;VPN-1 Module;c:\windows\system32\drivers\vpn.sys [24/5/2007 11:13 673456]
R3 FW1;SecuRemote Miniport;c:\windows\system32\drivers\fw.sys [24/5/2007 11:13 2234800]
R3 seehcri;Sony Ericsson seehcri Device Driver;c:\windows\system32\drivers\seehcri.sys [28/1/2012 14:42 27632]
S2 r_server;Remote Administrator Service;c:\windows\system32\r_server.exe [11/5/2011 14:58 241664]
S3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys [17/10/2013 19:24 35144]
S3 s1018bus;Sony Ericsson Device 1018 driver (WDM);c:\windows\system32\drivers\s1018bus.sys [28/1/2012 14:37 86824]
S3 s1018mdfl;Sony Ericsson Device 1018 USB WMC Modem Filter;c:\windows\system32\drivers\s1018mdfl.sys [28/1/2012 14:37 15016]
S3 s1018mdm;Sony Ericsson Device 1018 USB WMC Modem Driver;c:\windows\system32\drivers\s1018mdm.sys [28/1/2012 14:37 114728]
S3 s1018mgmt;Sony Ericsson Device 1018 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s1018mgmt.sys [28/1/2012 14:37 106208]
S3 s1018nd5;Sony Ericsson Device 1018 USB Ethernet Emulation (NDIS);c:\windows\system32\drivers\s1018nd5.sys [28/1/2012 14:37 26024]
S3 s1018obex;Sony Ericsson Device 1018 USB WMC OBEX Interface;c:\windows\system32\drivers\s1018obex.sys [28/1/2012 14:37 104744]
S3 s1018unic;Sony Ericsson Device 1018 USB Ethernet Emulation (WDM);c:\windows\system32\drivers\s1018unic.sys [28/1/2012 14:37 109864]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [6/5/2008 16:06 11520]
.
Contents of the 'Scheduled Tasks' folder
.
2013-10-17 c:\windows\Tasks\Microsoft Antimalware Scheduled Scan.job
- c:\program files\Microsoft Security Client\MpCmdRun.exe [2013-01-27 09:11]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.gr/
uInternet Settings,ProxyServer = kryoneri-proxy:8080
uInternet Settings,ProxyOverride = <local>
IE: E&ξαγωγή στο Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.254
FF - ProfilePath - c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\6wom68rq.default\
FF - prefs.js: network.proxy.ftp - kryoneri-proxy
FF - prefs.js: network.proxy.ftp_port - 8080
FF - prefs.js: network.proxy.http - kryoneri-proxy
FF - prefs.js: network.proxy.http_port - 8080
FF - prefs.js: network.proxy.socks - kryoneri-proxy
FF - prefs.js: network.proxy.socks_port - 8080
FF - prefs.js: network.proxy.ssl - kryoneri-proxy
FF - prefs.js: network.proxy.ssl_port - 8080
FF - prefs.js: network.proxy.type - 0
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-uTorrent - c:\program files\uTorrent\uTorrent.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-10-18 00:08
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Completion time: 2013-10-18 00:10:51
ComboFix-quarantined-files.txt 2013-10-17 21:10
.
Pre-Run: 6.783.619.072 bytes free
Post-Run: 7.137.320.960 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 4B9597383BD0929EA5F187F1ABE9F767
8F558EB6672622401DA993E1E865C861

---------------------------------------------------------------------------------------------------------------------------------------
#7 RKinner (Malware Expert, MVP, 24,625 posts)
Looks much better now. Hopefully things are more or less OK now.

I think you need to uninstall MSSE and install the free Avast:

http://www.avast.com/index

You may need the info in this KB in order to remove the remnants of MSSE:
http://support.micro....com/kb/2435760

You can continue with the instructions in my first post, starting with TDSSKiller.
#8 SyneDriuM (Topic Starter, Member, 19 posts)
Laptop seems ok now.

Thanks a lot for your time and effort.
#9 RKinner (Malware Expert, MVP, 24,625 posts)
We need to clean up System Restore.

Copy the following:


:Commands
[CLEARALLRESTOREPOINTS]
[Reboot]

Run OTL. In the Custom Scans/Fixes box at the bottom, paste in the copied text (Ctrl + v) and then hit Run Fix.

You can uninstall or delete any tools we had you download and their logs.


To uninstall ComboFix if we ran it, copy the next line:

"%userprofile%\Desktop\combofix.exe" /Uninstall

Start, Run, cmd, OK then right click, Paste, then hit Enter.



OTL has a cleanup tab so if you run it again and select cleanup it will remove itself and its backup files.

To hide hidden files again (If you do not run OTL cleanup):

XP

1. Close all programs so that you are at your desktop.
2. Double-click on the My Computer icon.
3. Select the Tools menu and click Folder Options.
4. After the new window appears select the View tab.
5. Uncheck the checkbox labeled Display the contents of system folders.
6. Under the Hidden files and folders section select the 'Hide protected operating system files (recommended)' option.
7. Check the checkbox labeled Hide protected operating system files.
8. Press the Apply button and then the OK button and exit My Computer.

Special note on Java. Old Java versions should be removed after first clearing the Java Cache by following the instructions in:
http://www.java.com/...lugin_cache.xml
Then remove the old versions by going to Control Panel, Programs and Features and Uninstall all Java programs which are not Java Version 7 update 25 or better. These may call themselves: Java Runtime, Runtime Environment, Runtime, JRE, Java Virtual Machine, Virtual Machine, Java VM, JVM, VM, J2RE, J2SE. Get the latest version from Java.com. They will usually attempt to foist some garbage like the Ask toolbar, Yahoo toolbar or McAfee Security Scan on you as part of the download. Just uncheck the garbage before the download (or install) starts. If you use a 64-bit browser and want the 64-bit version of Java you need to use it to visit java.com.
Due to multiple security problems with Java we are now recommending that it not be installed unless you absolutely know you need it. If that is the case then you should go in to Control Panel, Java, Security and set the slider to the highest level.

Also make sure you have the latest versions of any adobe.com products you use like Shockwave, Flash or Acrobat.

Whether you use adobe reader, acrobat or fox-it to read pdf files you need to disable Javascript in the program. There is an exploit out there now that can use it to get on your PC. For Adobe Reader: Start, All Programs, Adobe Reader, Edit, Preferences, Click on Javascript in the left column and uncheck Enable Acrobat Javascript. OK Close program. It's the same for Foxit reader except you uncheck Enable Javascript Actions.

To help keep your programs up-to-date you should download and run the UpdateChecker:
http://www.filehippo.../updatechecker/
(You don't need to download Betas and if there is a program you don't use you can just uninstall it rather than update it. You can right click on the updatechecker icon (looks like a downward green arrowhead) and select Settings and tell it no betas. If you don't use MSN Messenger I would not update it. MS installs a bunch of stuff when you do. You can tell the program to not show you that update.)
If you use Firefox or Chrome then get the AdBlock Plus Add-on. WOT (Web of Trust) is another you might want to try.
The equivalent to AdBlock Plus for IE is called Simple Adblock and you should install it too: http://simple-adblock.com/

If Firefox is slow loading make sure it only has the current Java add-on. Then download and run Speedy Fox.
http://www.crystalidea.com/speedyfox . Click on Speedup my Firefox. When it finishes click on Exit.

Be warned: If you use Limewire, uTorrent or any of the other P2P programs you will almost certainly be coming back to the Malware Removal forum. If you must use P2P then submit any files you get to http://virustotal.com before you open them.

If you have a router, log on to it today and change the default password! If using a Wireless router you really should be using encryption on the link. Use the strongest (newest) encryption method that your router and PC wireless adapter support especially if you own a business. See http://www.king5.com...-120637284.html and http://www.seattlepi...ted-1344185.php for why encryption is important. If you don't know how, visit the router maker's website. They all have detailed step by step instructions or a wizard you can download.


XP does not automatically run defrag so it needs to be done manually every couple of months or it will slow down. http://support.microsoft.com/kb/314848


XP has been out a long time so most XP computers are starting to get clogged with dust. This makes them overheat which will also slow them down. To clean a desktop, shut it down but leave it plugged in. Remove the lid or open it up and use a vacuum cleaner hose and a small brush to clean the air vents in the front and back and the fins of the heatsink and of the fans - including the fan of the power supply. You may need to unscrew the four screws that hold the fan to the heatsink and lift the fan off to really clean the heatsink. Start it up while the lid is off and watch the fan (after screwing it back down again if you removed it). It should start up right away and be at full speed in no time (it may stop running shortly after starting - this is normal). A fan that is slow starting or which makes noise is worn out and needs to be replaced. Cleaning a laptop is unfortunately major surgery for most brands. Make sure the vents are clear and that it is run on a hard surface. Never on a bed or your lap as that blocks the air vents. Propping up the back with a book without blocking the air vents will make it run a bit cooler. If you think it might be running hot you can get SpeedFan:

http://www.almico.com/sfdownload.php

Download, save and Install it then run it.

It will tell you your temps. If they seem hot (over 50) then check Automatic Fan Speed.
Leave it running and see if the temps drop. If temps are over 80, the CPU will slow down to protect itself. Disassembling a laptop to clean it isn't that hard. There are usually YouTube videos for most brands that show you how to do it if you search for them. Most times you just need some small screwdrivers and maybe a long nose pliers. The hardest part is reassembling it and getting all of the screws in the right places so take notes or lots of pictures. If you take it apart then you should also pull the heatsink and clean it and replace the old thermal pads with Arctic Silver Thermal compound. Amazon has a kit of cleaner and compound http://www.amazon.co...n/dp/B001FVI91U which I have used.

Make sure you have Windows update working and preferably on Automatic download and install. Go to Internet Explorer, Tools, (or Safety), Windows Updates, Express and see if it has any updates for you.
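Two of the items in the post above (remove Java versions older than 7 Update 25, and turn off JavaScript in Adobe Reader) can be audited from a script rather than by clicking through Control Panel. The PowerShell below is an added example and is not code from the post or from Geeks to Go; it reads the standard Uninstall registry keys and the Adobe Reader preference keys. It assumes Java's uninstall entries carry a DisplayName like "Java 7 Update 25" or "Java(TM) 6 Update 45", and that Adobe Reader stores its JavaScript switch as the DWORD value bEnableJS under HKCU\Software\Adobe\Acrobat Reader\<version>\JSPrefs; both are assumptions about those products' layouts, and the script only reports, it does not uninstall or change anything.

```powershell
# Added example (not from the post): audit Java versions and Adobe Reader JavaScript setting.
# Runs on any Windows box with PowerShell; on XP this needs PowerShell installed from Windows Update.

# Minimum acceptable Java as stated in the post: 7 Update 25.
$MinMajor  = 7
$MinUpdate = 25

# Standard Uninstall hives (32-bit and, where present, WOW64 view).
$uninstallPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Assumption: Java's DisplayName looks like "Java 7 Update 25" or "Java(TM) 6 Update 45".
$javaPattern = '^Java(?:\(TM\))?\s+(?:SE\s+)?(?:Runtime\s+Environment\s+)?(\d+)\s+Update\s+(\d+)'

Write-Host "== Installed Java versions =="
$entries = Get-ItemProperty -Path $uninstallPaths -ErrorAction SilentlyContinue |
           Where-Object { $_.DisplayName -and $_.DisplayName -match 'Java' }

foreach ($e in $entries) {
    if ($e.DisplayName -match $javaPattern) {
        $major  = [int]$Matches[1]
        $update = [int]$Matches[2]
        # Older than 7u25 means either an older major version, or 7 with a lower update number.
        $old = ($major -lt $MinMajor) -or ($major -eq $MinMajor -and $update -lt $MinUpdate)
        $verdict = if ($old) { 'OLD - uninstall via Control Panel' } else { 'OK' }
        Write-Host ("{0,-45} {1}" -f $e.DisplayName, $verdict)
    } else {
        # Names the post lists (JRE, J2SE, Java VM, ...) that do not carry a parseable version.
        Write-Host ("{0,-45} {1}" -f $e.DisplayName, 'version not parsed - check manually')
    }
}
if (-not $entries) { Write-Host "No Java uninstall entries found." }

Write-Host ""
Write-Host "== Adobe Reader JavaScript setting =="
# Assumption: Reader keeps the Enable Acrobat JavaScript checkbox as DWORD bEnableJS (1 = on, 0 = off).
$readerKeys = Get-ChildItem 'HKCU:\Software\Adobe\Acrobat Reader' -ErrorAction SilentlyContinue
if (-not $readerKeys) { Write-Host "Adobe Reader preference keys not found for this user." }
foreach ($k in $readerKeys) {
    $js = Get-ItemProperty -Path (Join-Path $k.PSPath 'JSPrefs') -ErrorAction SilentlyContinue
    $state = if ($null -eq $js -or $null -eq $js.bEnableJS) { 'not set (Reader default is enabled)' }
             elseif ($js.bEnableJS -eq 0) { 'disabled - OK' }
             else { 'ENABLED - uncheck Enable Acrobat JavaScript in Edit, Preferences, JavaScript' }
    Write-Host ("Reader {0,-8} JavaScript: {1}" -f $k.PSChildName, $state)
}
```

Run it from a normal user session (the Reader preference lives under HKCU, so it reports the setting for the logged-on user only). Treat any "OLD" Java line and any "ENABLED" Reader line as a to-do item from the checklist above; the script deliberately does not remove or rewrite anything, so the uninstall and the preference change are still done by hand as the post describes.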