File recovery virus with logs

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Post by Helmut13 » September 26th, 2012, 1:49 am

Hello,

When I start my computer with Windows XP Pro, a program called File Recovery starts automatically and says "Hard drive boot sector reading error" and so on. Also, all the icons on the desktop disappeared and the desktop turned black. I found on the internet that this is called the File Recovery virus, and I tried different instructions, but I did not succeed.

Here are my logs:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 10.5.1
Run by Helmut at 7:39:37 on 2012-09-26
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.593 [GMT 2:00]
.
AV: Avira Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\Program Files\Wave Systems Corp\Common\DataServer.exe
C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v1.05\bin\tcsd_win32.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\FreePDF_XP\fpassist.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\All Users\Application Data\HiJChosD3n2DEw.exe
C:\Program Files\Internet Explorer\iexplore.exe
.
============== Pseudo HJT Report ===============
.
mSearchAssistant = hxxp://dts.search-results.com/sr?src=ie ... 06&sr=0&q={searchTerms}
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: EWPBrowseObject Class: {68f9551e-0411-48e4-9aaf-4bc42a6a46be} - c:\program files\canon\easy-webprint\EWPBrowseLoader.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\oracle\javafx 2.1 runtime\bin\ssv.dll
{9d717f81-9148-4f12-8568-69135f087db0}
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\oracle\javafx 2.1 runtime\bin\jp2ssv.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [HiJChosD3n2DEw] c:\documents and settings\all users\application data\HiJChosD3n2DEw.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Microsoft Works Update Detection] c:\program files\microsoft works\WkDetect.exe
mRun: [Easy-PrintToolBox] c:\program files\canon\easy-printtoolbox\BJPSMAIN.EXE /logon
mRun: [FreePDF Assistant] c:\program files\freepdf_xp\fpassist.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: d:\helmut\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: d:\helmut\startm~1\programs\startup\PERSBA~1.LNK -
IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Toolband.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Toolband.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Toolband.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Toolband.dll/RC_Print.html
IE: Nach Microsoft &Excel exportieren - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - d:\helmut\desktop\PartyPoker.lnk
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shoc ... wflash.cab
TCP: Interfaces\{3693541E-112A-489D-A212-F5CE43E2213F} : NameServer = 192.168.0.1
Notify: igfxcui - igfxdev.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - d:\helmut\application data\mozilla\firefox\profiles\96cjgmc7.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.google.de
FF - prefs.js: keyword.URL - hxxp://www.searchqu.com/web?src=ffb&systemid=406&q=
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.21.123\npGoogleUpdate3.dll
FF - plugin: c:\program files\oracle\javafx 2.1 runtime\bin\plugin2\npjp2.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_4_402_265.dll
FF - plugin: c:\windows\system32\npDeployJava1.dll
FF - plugin: c:\windows\system32\npptools.dll
.
============= SERVICES / DRIVERS ===============
.
R0 stmtpm;STM TPM Service;c:\windows\system32\drivers\stm_tpm.sys [2011-4-5 21664]
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [2011-10-17 36000]
R2 AntiVirSchedulerService;Avira Planer;c:\program files\avira\antivir desktop\sched.exe [2011-10-17 86224]
R2 AntiVirService;Avira Echtzeit Scanner;c:\program files\avira\antivir desktop\avguard.exe [2011-10-17 110032]
R2 ASFIPmon;Broadcom ASF IP Monitor;c:\program files\broadcom\asfipmon\AsfIpMon.exe [2005-3-8 61440]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-10-17 83392]
R3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys [2012-9-25 35144]
S2 gupdate;Google Update-Dienst (gupdate);c:\program files\google\update\GoogleUpdate.exe [2012-5-13 116648]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-13 250288]
S3 gupdatem;Google Update-Dienst (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2012-5-13 116648]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2012-9-25 40776]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-5-6 114144]
.
=============== Created Last 30 ================
.
2012-09-25 18:23:58 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-09-25 18:23:56 35144 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2012-09-25 18:21:06 -------- d--h--w- c:\windows\PIF
2012-09-24 17:53:31 252416 ---ha-w- c:\documents and settings\all users\application data\HiJChosD3n2DEw.exe
2012-09-22 06:31:29 9573296 ---ha-w- c:\windows\system32\FlashPlayerInstaller.exe
.
==================== Find3M ====================
.
2012-09-22 06:31:33 73136 ---ha-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-09-22 06:31:33 696240 ---ha-w- c:\windows\system32\FlashPlayerApp.exe
2012-09-07 15:04:46 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-08-30 20:29:36 81920 ---ha-w- c:\windows\system32\ieencode.dll
2012-08-30 20:29:36 667136 ---ha-w- c:\windows\system32\wininet.dll
2012-08-30 20:29:36 61952 ---ha-w- c:\windows\system32\tdc.ocx
2012-08-28 13:00:25 369664 ---ha-w- c:\windows\system32\html.iec
2012-07-06 13:58:51 78336 ---ha-w- c:\windows\system32\browser.dll
2012-07-05 20:07:08 143872 ---ha-w- c:\windows\system32\javacpl.cpl
2012-07-05 20:06:30 772544 ---ha-w- c:\windows\system32\npDeployJava1.dll
2012-07-05 20:06:20 687544 ---ha-w- c:\windows\system32\deployJava1.dll
2012-07-04 14:05:18 139784 ---ha-w- c:\windows\system32\drivers\rdpwd.sys
2012-07-03 13:40:15 1866112 ---ha-w- c:\windows\system32\win32k.sys
.
============= FINISH: 7:46:16,67 ===============
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 05.04.2011 19:34:51
System Uptime: 26.09.2012 07:31:28 (0 hours ago)
.
Motherboard: Dell Inc. | | 0HH807
Processor: Intel(R) Pentium(R) D CPU 2.80GHz | Microprocessor | 2793/800mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 74 GiB total, 58,57 GiB free.
D: is FIXED (NTFS) - 346 GiB total, 278,597 GiB free.
E: is FIXED (NTFS) - 293 GiB total, 252,786 GiB free.
F: is FIXED (NTFS) - 293 GiB total, 283,675 GiB free.
G: is CDROM ()
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP264: 28.06.2012 08:31:28 - System Checkpoint
RP265: 29.06.2012 18:54:34 - System Checkpoint
RP266: 30.06.2012 19:38:19 - System Checkpoint
RP267: 02.07.2012 17:16:29 - System Checkpoint
RP268: 03.07.2012 18:21:20 - System Checkpoint
RP269: 04.07.2012 20:49:15 - System Checkpoint
RP270: 06.07.2012 18:50:23 - System Checkpoint
RP271: 07.07.2012 19:15:33 - System Checkpoint
RP272: 09.07.2012 15:38:27 - System Checkpoint
RP273: 10.07.2012 18:50:17 - System Checkpoint
RP274: 11.07.2012 16:01:57 - Software Distribution Service 3.0
RP275: 13.07.2012 13:14:40 - System Checkpoint
RP276: 15.07.2012 12:55:51 - System Checkpoint
RP277: 16.07.2012 14:52:12 - System Checkpoint
RP278: 17.07.2012 17:33:59 - System Checkpoint
RP279: 20.07.2012 15:08:05 - System Checkpoint
RP280: 21.07.2012 18:17:45 - System Checkpoint
RP281: 23.07.2012 19:54:08 - System Checkpoint
RP282: 26.07.2012 20:12:17 - System Checkpoint
RP283: 28.07.2012 09:13:34 - System Checkpoint
RP284: 28.07.2012 16:42:15 - Installed Java(TM) 7 Update 5
RP285: 28.07.2012 16:43:15 - Installed JavaFX 2.1.1
RP286: 30.07.2012 16:38:04 - System Checkpoint
RP287: 31.07.2012 18:04:00 - System Checkpoint
RP288: 01.08.2012 20:30:55 - System Checkpoint
RP289: 03.08.2012 10:56:21 - System Checkpoint
RP290: 04.08.2012 11:16:32 - System Checkpoint
RP291: 05.08.2012 16:37:31 - System Checkpoint
RP292: 06.08.2012 19:07:35 - System Checkpoint
RP293: 09.08.2012 14:26:22 - System Checkpoint
RP294: 10.08.2012 17:14:57 - System Checkpoint
RP295: 12.08.2012 10:04:22 - System Checkpoint
RP296: 13.08.2012 12:32:40 - System Checkpoint
RP297: 14.08.2012 13:22:36 - System Checkpoint
RP298: 15.08.2012 15:11:38 - Software Distribution Service 3.0
RP299: 15.08.2012 21:00:38 - Software Distribution Service 3.0
RP300: 17.08.2012 14:33:26 - System Checkpoint
RP301: 19.08.2012 17:46:00 - System Checkpoint
RP302: 20.08.2012 18:59:14 - System Checkpoint
RP303: 21.08.2012 19:58:02 - System Checkpoint
RP304: 23.08.2012 09:39:36 - System Checkpoint
RP305: 24.08.2012 17:45:06 - System Checkpoint
RP306: 27.08.2012 10:18:26 - System Checkpoint
RP307: 29.08.2012 11:03:47 - System Checkpoint
RP308: 30.08.2012 18:42:29 - System Checkpoint
RP309: 31.08.2012 19:08:33 - System Checkpoint
RP310: 02.09.2012 22:06:25 - System Checkpoint
RP311: 04.09.2012 08:33:53 - System Checkpoint
RP312: 05.09.2012 13:32:55 - System Checkpoint
RP313: 06.09.2012 18:23:43 - System Checkpoint
RP314: 07.09.2012 18:27:11 - System Checkpoint
RP315: 09.09.2012 12:42:31 - System Checkpoint
RP316: 10.09.2012 15:50:28 - System Checkpoint
RP317: 12.09.2012 19:48:05 - Software Distribution Service 3.0
RP318: 14.09.2012 09:43:33 - System Checkpoint
RP319: 15.09.2012 11:58:05 - System Checkpoint
RP320: 17.09.2012 09:08:47 - System Checkpoint
RP321: 18.09.2012 09:09:39 - System Checkpoint
RP322: 20.09.2012 09:05:20 - System Checkpoint
RP323: 21.09.2012 18:04:18 - System Checkpoint
RP324: 22.09.2012 19:14:51 - System Checkpoint
RP325: 22.09.2012 20:07:59 - Software Distribution Service 3.0
.
==== Installed Programs ======================
.
Adobe Flash Player 11 ActiveX
Adobe Flash Player 11 Plugin
Adobe Reader X (10.1.4) - Deutsch
ALNO AG Küchenplaner
ArcSoft PhotoStudio 5.5
Avira Free Antivirus
Broadcom Advanced Control Suite
Broadcom ASF Management Applications
Broadcom Gigabit Integrated Controller
Canon iP4300
Canon iP4300 User Registration
Canon MP Navigator EX 2.0
Canon Setup Utility 2.3
Canon Utilities Easy-PhotoPrint
Canon Utilities Easy-PrintToolBox
Canon Utilities Solution Menu
CanoScan LiDE 100 Scanner Driver
CD-LabelPrint
CDBurnerXP
Compatibility Pack für 2007 Office System
Easy-WebPrint
EasyRecovery Professional
EMBASSY Security Center
ERUNT 1.1j
FOTOParadies
FreePDF (Remove only)
Google Earth
Google Update Helper
GPL Ghostscript
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB2570791)
Hotfix for Windows XP (KB2633952)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB976002-v5)
Hotfix for Windows XP (KB981793)
ImageJ 1.45s
Intel(R) Graphics Media Accelerator Driver
IZArc 4.1.6
Java Auto Updater
Java(TM) 6 Update 29
Java(TM) 7 Update 5
JavaFX 2.1.1
Konz 2012
Malwarebytes' Anti-Malware Version 1.51.2.1300
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2656353)
Microsoft .NET Framework 1.1 Security Update (KB2656370)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Office Professional Edition 2003
Microsoft Picture It! Foto 2001
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
Microsoft Works 2001-Setup-Start
Mozilla Firefox 15.0.1 (x86 de)
Mozilla Maintenance Service
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Network Print Monitor for Windows 2000/XP/2003
NTRU Hybrid TSS v1.05
O&O DiskRecovery
OpenOffice.org 3.3
PartyPoker
PDFCreator
Personal Backup 5.3
Recuva
RedMon - Redirection Port Monitor
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Security Update for Microsoft Windows (KB2564958)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player (KB979402)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2482017)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2497640)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2503665)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2510581)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB2530548)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276-v2)
Security Update for Windows XP (KB2536276)
Security Update for Windows XP (KB2544521)
Security Update for Windows XP (KB2544893-v2)
Security Update for Windows XP (KB2544893)
Security Update for Windows XP (KB2555917)
Security Update for Windows XP (KB2559049)
Security Update for Windows XP (KB2562937)
Security Update for Windows XP (KB2566454)
Security Update for Windows XP (KB2567053)
Security Update for Windows XP (KB2567680)
Security Update for Windows XP (KB2570222)
Security Update for Windows XP (KB2570947)
Security Update for Windows XP (KB2584146)
Security Update for Windows XP (KB2585542)
Security Update for Windows XP (KB2586448)
Security Update for Windows XP (KB2592799)
Security Update for Windows XP (KB2598479)
Security Update for Windows XP (KB2603381)
Security Update for Windows XP (KB2618444)
Security Update for Windows XP (KB2618451)
Security Update for Windows XP (KB2619339)
Security Update for Windows XP (KB2620712)
Security Update for Windows XP (KB2621440)
Security Update for Windows XP (KB2624667)
Security Update for Windows XP (KB2631813)
Security Update for Windows XP (KB2633171)
Security Update for Windows XP (KB2639417)
Security Update for Windows XP (KB2641653)
Security Update for Windows XP (KB2646524)
Security Update for Windows XP (KB2647516)
Security Update for Windows XP (KB2647518)
Security Update for Windows XP (KB2653956)
Security Update for Windows XP (KB2655992)
Security Update for Windows XP (KB2659262)
Security Update for Windows XP (KB2660465)
Security Update for Windows XP (KB2661637)
Security Update for Windows XP (KB2675157)
Security Update for Windows XP (KB2676562)
Security Update for Windows XP (KB2685939)
Security Update for Windows XP (KB2686509)
Security Update for Windows XP (KB2691442)
Security Update for Windows XP (KB2695962)
Security Update for Windows XP (KB2698365)
Security Update for Windows XP (KB2699988)
Security Update for Windows XP (KB2705219)
Security Update for Windows XP (KB2707511)
Security Update for Windows XP (KB2709162)
Security Update for Windows XP (KB2712808)
Security Update for Windows XP (KB2718523)
Security Update for Windows XP (KB2719985)
Security Update for Windows XP (KB2722913)
Security Update for Windows XP (KB2723135)
Security Update for Windows XP (KB2731847)
Security Update for Windows XP (KB2744842)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981349)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982381)
Security Update for Windows XP (KB982665)
Shockwave
SoundMAX
Spybot - Search & Destroy
Steuer 2011
STMicroelectronics TPM Software Package
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2541763)
Update for Windows XP (KB2607712)
Update for Windows XP (KB2616676)
Update for Windows XP (KB2641690)
Update for Windows XP (KB2718704)
Update for Windows XP (KB2736233)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Visual C++ 8.0 CRT (x86) WinSXS MSM
Visual C++ 8.0 CRT.Policy (x86) WinSXS MSM
VLC media player 2.0.3
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows XP Service Pack 3
Works-Synchronisierung
Works Suite-Betriebssystem-Pack
.
==== Event Viewer Messages From Past Week ========
.
25.09.2012 20:17:41, error: Cdrom [11] - The driver detected a controller error on \Device\CdRom0.
25.09.2012 20:17:18, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
25.09.2012 18:40:20, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: avipbb avkmgr Fips intelppm ssmdrv
25.09.2012 18:39:29, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
25.09.2012 14:48:59, error: Service Control Manager [7023] - The System Restore Service service terminated with the following error: Access is denied.
25.09.2012 14:48:53, error: SRService [104] - The System Restore initialization process failed.
23.09.2012 17:32:03, error: Service Control Manager [7034] - The NTRU Hybrid TSS v1.05 TCSD service terminated unexpectedly. It has done this 1 time(s).
23.09.2012 17:31:32, error: Service Control Manager [7023] - The Java Quick Starter service terminated with the following error: The class is configured to run as a security id different from the caller
.
==== End Of File ===========================

Thank you very much,

Helmut
Helmut13
Regular Member
 
Posts: 75
Joined: May 30th, 2011, 3:05 pm
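Reading a DDS log by hand means scanning the Run entries for the one that does not belong. In the log above that is a value with a random-looking name whose executable sits directly in All Users\Application Data, carries the hidden attribute, was created two days before the scan and is listed among the running processes. The Python script below is an added example, not DDS's own code and not something the helpers in this thread used: it parses the DDS line types involved (the "Run by ... on" date line, the running-process list, uRun/mRun/dRun entries and the "Created Last 30" file list), scores every Run entry on those indicators and lists the ones worth asking about. The sample input is a constructed subset of the log above with paths unchanged; the weights and the flagging threshold are assumptions.

```python
"""DDS autorun triage. Added example for this thread; it is not DDS's own
code. SAMPLE_DDS is a constructed subset of the log posted above."""
import re
from datetime import datetime, timedelta

SAMPLE_DDS = r"""Run by Helmut at 7:39:37 on 2012-09-26
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\All Users\Application Data\HiJChosD3n2DEw.exe
C:\Program Files\Internet Explorer\iexplore.exe
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [HiJChosD3n2DEw] c:\documents and settings\all users\application data\HiJChosD3n2DEw.exe
mRun: [Easy-PrintToolBox] c:\program files\canon\easy-printtoolbox\BJPSMAIN.EXE /logon
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
2012-09-25 18:23:58 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-09-24 17:53:31 252416 ---ha-w- c:\documents and settings\all users\application data\HiJChosD3n2DEw.exe
2012-09-22 06:31:29 9573296 ---ha-w- c:\windows\system32\FlashPlayerInstaller.exe
"""

DATE_RE = re.compile(r"^Run by .* on (\d{4}-\d\d-\d\d)")
RUN_RE = re.compile(r"^([umd])Run: \[([^\]]+)\] (.*)$")   # u=HKCU, m=HKLM, d=default user
FILE_RE = re.compile(r"^(\d{4}-\d\d-\d\d) \d\d:\d\d:\d\d\s+\d+\s+(\S{8})\s+(.*)$")
PROC_RE = re.compile(r"^[A-Za-z]:\\.*\.exe\b", re.I)
TARGET_RE = re.compile(r'"([^"]+)"|(.+?\.(?:exe|com|scr|bat|dll))(?:\s|$)', re.I)
HIVES = {"u": "HKCU", "m": "HKLM", "d": "Default user"}


def target_path(target):
    """Strip quotes and command-line switches from a Run value; keep the executable path."""
    m = TARGET_RE.match(target.strip())
    return (m.group(1) or m.group(2)).lower() if m else target.strip().lower()


def looks_random(name):
    """Heuristic for generated value names: many case flips among the letters plus a digit."""
    letters = [c for c in name if c.isalpha()]
    flips = sum(a.isupper() != b.isupper() for a, b in zip(letters, letters[1:]))
    return flips >= 3 and any(c.isdigit() for c in name)


def triage(dds_text, recent_days=7):
    """Score every Run entry in a DDS log; return entries sorted by score, highest first."""
    scan_date, runs, files, procs = None, [], {}, set()
    for raw in dds_text.splitlines():
        line = raw.strip()
        if m := DATE_RE.match(line):
            scan_date = datetime.strptime(m.group(1), "%Y-%m-%d")
        elif m := RUN_RE.match(line):
            runs.append((m.group(1), m.group(2), target_path(m.group(3))))
        elif m := FILE_RE.match(line):
            files[m.group(3).lower()] = (datetime.strptime(m.group(1), "%Y-%m-%d"), m.group(2))
        elif m := PROC_RE.match(line):
            procs.add(m.group(0).lower())
    if scan_date is None and files:          # fall back to the newest file seen
        scan_date = max(d for d, _ in files.values())
    results = []
    for hive, name, path in runs:
        reasons = []                          # (points, explanation); weights are assumed
        if re.search(r"\\application data\\[^\\]+$", path):
            reasons.append((2, "executable sits directly in an Application Data root"))
        if looks_random(name):
            reasons.append((1, "random-looking value name"))
        if path in files:
            created, attrs = files[path]
            if "h" in attrs:
                reasons.append((1, "file is hidden (attribute h)"))
            if scan_date and scan_date - created <= timedelta(days=recent_days):
                reasons.append((1, f"file created within the last {recent_days} days"))
        if path in procs:
            reasons.append((1, "currently running"))
        results.append({"hive": HIVES[hive], "name": name, "path": path,
                        "score": sum(p for p, _ in reasons),
                        "reasons": [r for _, r in reasons]})
    return sorted(results, key=lambda r: r["score"], reverse=True)


def suspects(dds_text, threshold=3):
    """Value names of Run entries worth asking the poster about."""
    return [r["name"] for r in triage(dds_text) if r["score"] >= threshold]


if __name__ == "__main__":
    for r in triage(SAMPLE_DDS):
        print(f"{r['score']:2d}  {r['hive']:5s} {r['name']:20s} {r['path']}")
        for why in r["reasons"]:
            print(f"      - {why}")
```

On the sample, only the HiJChosD3n2DEw entry crosses the threshold (score 6, all five indicators); ctfmon.exe scores 1 for merely being a running process, which is why a single indicator is never enough on its own.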

Re: File recovery virus with logs

Post by MWR 3 day Mod » September 30th, 2012, 12:37 am

Hi,

We are sorry to see your topic is over three days old and no one has yet been able to respond and offer help.

If you still require assistance, please post a link to your topic in our Waiting for help with malware removal? forum, and our staff will make an effort to assist you as promptly as possible. Only post a LINK to this topic, DO NOT post your DDS log!

Please do not reply to this topic.

If you haven't posted within two days in the "Waiting for help with malware removal?" forum, we will assume you have been able to get assistance in other ways and this topic will be closed.
MWR 3 day Mod
MRU Undergrad
 
Posts: 2534
Joined: April 4th, 2008, 8:40 am

Re: File recovery virus with logs

Post by askey127 » October 1st, 2012, 7:34 am

Hi Helmut13,
I don't know whether you will be able to download anything without using a flash drive and transferring from another machine.
---------------------------------------------
Download the OTL Scanner
Please download OTL.exe by OldTimer and save it to your desktop.
---------------------------------------------
Run a Scan with OTL
  • For WinXP, double click on the OTL icon to run it.
  • Check the boxes labeled :
    • Scan All Users
    • LOP check
    • Purity check
    • Extra Registry > Use SafeList
  • Make sure all other windows are closed to let it run uninterrupted.
  • Click on the Run Scan button at the top left hand corner. Do not change any settings unless otherwise told to do so.
    When the scan starts, OTL may appear to be frozen while it runs. Please be patient.
When the scan completes, it will open two Notepad windows: OTL.Txt and Extras.Txt. These are saved in the same location as OTL (desktop).
OTL.txt will be open on your desktop, and Extras.txt will be minimized in your taskbar.
The Extras.txt file will only appear as a running Notepad document the very first time you run OTL.
Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them as a reply. Use separate replies if more convenient.

So we are looking for the contents of OTL.txt and Extras.txt
askey127
Admin/Teacher
 
Posts: 13903
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: File recovery virus with logs

Post by Helmut13 » October 1st, 2012, 1:18 pm

Hi askey 127,

I downloaded OTL on a separate notebook and started it on the "problem computer". It was not possible to close the "File Recovery" window, and the scan stopped relatively fast with the message:

"Access violation at address CCCC0460. Read of address CCCC0460."

On the bottom of OTL is written:

"Scanning service: AdobeFlashPlayerUpdateSvc..."

Kind regards,
Helmut
Helmut13
Regular Member
 
Posts: 75
Joined: May 30th, 2011, 3:05 pm

Re: File recovery virus with logs

Post by askey127 » October 1st, 2012, 3:13 pm

Helmut13,
We have a few ways to get around this issue. Let's try this first.
If the infected machine outright refuses to start for any reason, stop and let me know.

Download the following three utilities, saving them to a flash drive, and copy them to the desktop of the infected machine.
Don't run any of them until called for in the instructions.

RogueKiller: http://tigzy.geekstogo.com/Tools/RogueKiller.exe

TDSSKiller: http://support.kaspersky.com/downloads/ ... killer.exe

ComboFix: http://download.bleepingcomputer.com/sUBs/ComboFix.exe

-------------------------------------------------
Run RogueKiller
  • First, quit all running programs.
  • Double Click RogueKiller.exe.
  • Note: If the program is blocked, do not hesitate to try several times.
    If it really does not work (it could happen), rename it to winlogon.exe or RogueKiller.com.
  • Wait until prescan has finished.
  • Click on the Scan button in the upper right. Wait for it to finish.
  • When the scan is complete, a file icon named RKreport.txt should appear on your desktop.
  • Please double click that file RKreport.txt and post its contents in your next Reply.
    (You can also open the report by clicking the Report button on the right).
  • When you exit RogueKiller, you may get a popup reporting "None of the Elements have been deleted. Do you want to quit?" Click "Yes".
--------------------------------------------
TDSSKiller - Rootkit Removal Tool
  1. Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    If TDSSKiller does not run... rename it. Right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. ektfhtw.com).
    If you don't see file extensions, please see: How to change the file extension.
    If you try to change the filename and extension, you may get a warning message from Windows because of the change of file extension. OK the change.
  2. Click the Start Scan button. Do not use the computer during the scan!
  3. If the scan completes with nothing found, click Close to exit.
  4. If malicious objects are found, they will show in the "Scan results - Select action for found objects" and offer 3 options.
    • Ensure Cure (default) is selected... then click Continue > Reboot now to finish the cleaning process.
    • If Cure is not offered as an option, choose Skip.
  5. A log file named TDSSKiller_version_dd.mm.yyyy_hh.mm.ss_log.txt will be created and saved to the main directory of C:
    (the dd.mm.yyyy_hh.mm.ss numbers in the filename represent the time/date stamp)
  6. Copy and paste the contents of that file in your next reply.
If, for some reason, you can't locate the text file to paste into your reply, just tell me, but DO NOT run the program a second time.

When each utility is run, you will need to transfer each report file back to the flash drive.
So we are looking for (in the best case) the reports from RogueKiller and TDSSKiller
askey127
Admin/Teacher
 
Posts: 13903
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA
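When the RogueKiller report comes back (Helmut13 posts it further down), the useful question for the helper is what each flagged registry entry does to the machine: the Start_Show* values and the CLSIDs under ClassicStartMenu/NewStartPanel account for the empty desktop and Start menu described in the first post, and an SSDT hook whose owner is reported as Unknown points at a kernel component that still needs identifying. The Python script below is an added example, not RogueKiller's own code: it parses report lines of that format into structured findings and translates each one into its user-visible effect. The two CLSIDs are the standard shell identifiers for My Computer and the Recycle Bin (the ClassicStartMenu and NewStartPanel keys live under Explorer\HideDesktopIcons, where 1 means hidden); the sample report is a trimmed copy of the one posted below.

```python
"""Interpret a RogueKiller report. Added example for this thread; not
RogueKiller's own code. SAMPLE_REPORT is trimmed from the report posted below."""
import re
from collections import Counter

SAMPLE_REPORT = r"""¤¤¤ Registry Entries : 20 ¤¤¤
[RUN][SUSP PATH] HKCU\[...]\Run : HiJChosD3n2DEw (C:\Documents and Settings\All Users\Application Data\HiJChosD3n2DEw.exe) -> FOUND
[HJPOL] HKCU\[...]\System : DisableTaskMgr (0) -> FOUND
[HJPOL] HKLM\[...]\System : DisableTaskMgr (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyComputer (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowRun (0) -> FOUND
[HJ DESK] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ DESK] HKCU\[...]\ClassicStartMenu : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> FOUND

¤¤¤ Driver : [LOADED] ¤¤¤
SSDT[25] : NtClose @ 0x805BC538 -> HOOKED (Unknown @ 0xF7B9EAEC)
"""

# [CATEGORY][optional sub-tag] HIVE\key : valuename (data) -> STATUS
ENTRY_RE = re.compile(r"^\[([^\]]+)\](?:\[([^\]]+)\])? (HK\w+)\\(.+?) : (\S+) \((.*)\) -> (\w+)$")
# SSDT[index] : Function @ address -> HOOKED (owner @ address)
HOOK_RE = re.compile(r"^SSDT\[(\d+)\] : (\w+) @ (0x[0-9A-Fa-f]+) -> HOOKED \((\w+) @ (0x[0-9A-Fa-f]+)\)$")

DESKTOP_ICONS = {   # standard shell CLSIDs under HideDesktopIcons; data 1 = hidden
    "{20D04FE0-3AEA-1069-A2D8-08002B30309D}": "My Computer",
    "{645FF040-5081-101B-9F08-00AA002F954E}": "Recycle Bin",
}


def parse(report):
    """Split a report into registry findings and SSDT hook lines; other lines are ignored."""
    findings, hooks = [], []
    for raw in report.splitlines():
        line = raw.strip()
        if m := ENTRY_RE.match(line):
            cat, sub, hive, key, name, data, status = m.groups()
            findings.append({"cat": cat, "sub": sub, "hive": hive, "key": key,
                             "name": name, "data": data, "status": status})
        elif m := HOOK_RE.match(line):
            idx, func, addr, owner, target = m.groups()
            hooks.append({"index": int(idx), "function": func, "address": addr,
                          "owner": owner, "target": target})
    return findings, hooks


def effect(f):
    """Translate one registry finding into what the user sees on the machine."""
    if f["cat"] == "RUN":
        note = " (path flagged as suspicious)" if f["sub"] == "SUSP PATH" else ""
        return f"{f['hive']} autorun '{f['name']}' starts {f['data']}{note}"
    if f["cat"] == "HJPOL":
        hint = " (1 blocks Task Manager; reported even at 0)" if f["name"] == "DisableTaskMgr" else ""
        return f"{f['hive']} policy value {f['name']} = {f['data']}{hint}"
    if f["cat"] == "HJ SMENU" and f["name"].startswith("Start_Show"):
        item = f["name"][len("Start_Show"):]
        return f"Start menu item {item} {'hidden' if f['data'] == '0' else 'shown'}"
    if f["cat"] == "HJ DESK":
        icon = DESKTOP_ICONS.get(f["name"], f["name"])
        return f"desktop icon {icon} {'hidden' if f['data'] == '1' else 'shown'}"
    return f"{f['cat']}: {f['hive']}\\{f['key']} {f['name']} = {f['data']}"


def summarize(report):
    """Counts per category, one effect line per finding, and any hook with an unknown owner."""
    findings, hooks = parse(report)
    return {
        "by_category": Counter(f["cat"] for f in findings),
        "effects": [effect(f) for f in findings],
        "hooks": hooks,
        "unknown_hooks": [h for h in hooks if h["owner"] == "Unknown"],
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_REPORT)
    for cat, n in s["by_category"].items():
        print(f"{cat:10s} {n}")
    for line in s["effects"]:
        print(" -", line)
    for h in s["unknown_hooks"]:
        print(f"SSDT hook on {h['function']} by unknown code at {h['target']}")
```

The point of the effect lines is to tie a registry artefact to a symptom the user can confirm, so a helper can check that each symptom is accounted for before and after cleaning; the hidden-icon and Start_Show* values are plain shell settings that stay wrong after the executable is gone unless something resets them.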

Re: File recovery virus with logs

Post by Helmut13 » October 2nd, 2012, 1:03 am

Hi askey127,

When I started the infected machine, Avira Free Antivirus found "TR/Graftor.43733.1" in the file C:\Documents and Settings\All Users\Application\Data\HiJChosD3n2DEW.exe, and the antivirus rejected the access.

After that, File Recovery did not start, but the other problems are still there.

And here are my logs:

RogueKiller V8.1.0 [09/28/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/fi ... guekiller/
Website: http://tigzy.geekstogo.com/roguekiller.php
Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : Helmut [Admin rights]
Mode : Scan -- Date : 10/02/2012 06:56:23

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 20 ¤¤¤
[RUN][SUSP PATH] HKCU\[...]\Run : HiJChosD3n2DEw (C:\Documents and Settings\All Users\Application Data\HiJChosD3n2DEw.exe) -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-1004336348-1202660629-682003330-1003[...]\Run : HiJChosD3n2DEw (C:\Documents and Settings\All Users\Application Data\HiJChosD3n2DEw.exe) -> FOUND
[HJPOL] HKCU\[...]\System : DisableTaskMgr (0) -> FOUND
[HJPOL] HKLM\[...]\System : DisableTaskMgr (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyComputer (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowSearch (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyDocs (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowRecentDocs (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowUser (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyPics (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyMusic (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowControlPanel (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowHelp (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowPrinters (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowRun (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowSetProgramAccessAndDefaults (0) -> FOUND
[HJ DESK] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ DESK] HKCU\[...]\ClassicStartMenu : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤
SSDT[25] : NtClose @ 0x805BC538 -> HOOKED (Unknown @ 0xF7B9EAEC)
SSDT[41] : NtCreateKey @ 0x80623FD6 -> HOOKED (Unknown @ 0xF7B9EAA6)
SSDT[50] : NtCreateSection @ 0x805AB3D0 -> HOOKED (Unknown @ 0xF7B9EAF6)
SSDT[53] : NtCreateThread @ 0x805D1038 -> HOOKED (Unknown @ 0xF7B9EA9C)
SSDT[63] : NtDeleteKey @ 0x80624472 -> HOOKED (Unknown @ 0xF7B9EAAB)
SSDT[65] : NtDeleteValueKey @ 0x80624642 -> HOOKED (Unknown @ 0xF7B9EAB5)
SSDT[68] : NtDuplicateObject @ 0x805BE010 -> HOOKED (Unknown @ 0xF7B9EAE7)
SSDT[98] : NtLoadKey @ 0x806261FA -> HOOKED (Unknown @ 0xF7B9EABA)
SSDT[122] : NtOpenProcess @ 0x805CB456 -> HOOKED (Unknown @ 0xF7B9EA88)
SSDT[128] : NtOpenThread @ 0x805CB6E2 -> HOOKED (Unknown @ 0xF7B9EA8D)
SSDT[177] : NtQueryValueKey @ 0x806221FA -> HOOKED (Unknown @ 0xF7B9EB0F)
SSDT[193] : NtReplaceKey @ 0x806260AA -> HOOKED (Unknown @ 0xF7B9EAC4)
SSDT[200] : NtRequestWaitReplyPort @ 0x805A2D7E -> HOOKED (Unknown @ 0xF7B9EB00)
SSDT[204] : NtRestoreKey @ 0x806259B6 -> HOOKED (Unknown @ 0xF7B9EABF)
SSDT[213] : NtSetContextThread @ 0x805D2C1A -> HOOKED (Unknown @ 0xF7B9EAFB)
SSDT[237] : NtSetSecurityObject @ 0x805C0636 -> HOOKED (Unknown @ 0xF7B9EB05)
SSDT[247] : NtSetValueKey @ 0x80622548 -> HOOKED (Unknown @ 0xF7B9EAB0)
SSDT[255] : NtSystemDebugControl @ 0x80617FAA -> HOOKED (Unknown @ 0xF7B9EB0A)
SSDT[257] : NtTerminateProcess @ 0x805D22D8 -> HOOKED (Unknown @ 0xF7B9EA97)
S_SSDT[549] : Unknown -> HOOKED (Unknown @ 0xF7B9EB1E)
S_SSDT[552] : Unknown -> HOOKED (Unknown @ 0xF7B9EB23)

¤¤¤ HOSTS File: ¤¤¤
--> C:\WINDOWS\system32\drivers\etc\hosts

ÿþ1

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: SAMSUNG HD080HJ/P +++++
--- User ---
[MBR] d9d563afef07a3281f9a08a24c5e3af2
[BSP] 9c592ff35012ea0308b352410509ed7c : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 76285 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive1: SAMSUNG HD103SJ +++++
--- User ---
[MBR] ea16db349172b5c6734b4f5d48dbbff7
[BSP] 4f0ce7a892be822d9904587220ec4c9b : Windows XP MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 353869 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 724724280 | Size: 300002 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 1339130205 | Size: 299995 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive2: QDI U2DISK USB Device +++++
--- User ---
[MBR] ec7873e4bcdc179fe0c10f41e78ee259
[BSP] aa672bb7d2defa18c82ba459e1a5811c : Standard MBR Code
Partition table:
0 - [ACTIVE] FAT32 (0x0b) [VISIBLE] Offset (sectors): 32 | Size: 123 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[1].txt >>
RKreport[1].txt



06:58:10.0343 0284 TDSS rootkit removing tool 2.8.10.0 Sep 17 2012 19:23:24
06:58:10.0593 0284 ============================================================
06:58:10.0593 0284 Current date / time: 2012/10/02 06:58:10.0593
06:58:10.0593 0284 SystemInfo:
06:58:10.0593 0284
06:58:10.0593 0284 OS Version: 5.1.2600 ServicePack: 3.0
06:58:10.0593 0284 Product type: Workstation
06:58:10.0593 0284 ComputerName: COMPUTER
06:58:10.0593 0284 UserName: Helmut
06:58:10.0593 0284 Windows directory: C:\WINDOWS
06:58:10.0593 0284 System windows directory: C:\WINDOWS
06:58:10.0593 0284 Processor architecture: Intel x86
06:58:10.0593 0284 Number of processors: 2
06:58:10.0593 0284 Page size: 0x1000
06:58:10.0593 0284 Boot type: Normal boot
06:58:10.0593 0284 ============================================================
06:58:12.0703 0284 Drive \Device\Harddisk0\DR0 - Size: 0x12A05F2000 (74.51 Gb), SectorSize: 0x200, Cylinders: 0x25FE, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
06:58:12.0703 0284 Drive \Device\Harddisk1\DR1 - Size: 0xE8E0DB6000 (931.51 Gb), SectorSize: 0x200, Cylinders: 0x1DB01, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
06:58:12.0703 0284 Drive \Device\Harddisk2\DR6 - Size: 0x7C00000 (0.12 Gb), SectorSize: 0x200, Cylinders: 0xF, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'W'
06:58:12.0812 0284 ============================================================
06:58:12.0812 0284 \Device\Harddisk0\DR0:
06:58:12.0812 0284 MBR partitions:
06:58:12.0812 0284 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x94FE97E
06:58:12.0812 0284 \Device\Harddisk1\DR1:
06:58:12.0812 0284 MBR partitions:
06:58:12.0812 0284 \Device\Harddisk1\DR1\Partition1: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x2B3269F9
06:58:12.0812 0284 \Device\Harddisk1\DR1\Partition2: MBR, Type 0x7, StartLBA 0x2B326A38, BlocksNum 0x249F1725
06:58:12.0812 0284 \Device\Harddisk1\DR1\Partition3: MBR, Type 0x7, StartLBA 0x4FD1815D, BlocksNum 0x249ED864
06:58:12.0812 0284 \Device\Harddisk2\DR6:
06:58:12.0812 0284 MBR partitions:
06:58:12.0812 0284 \Device\Harddisk2\DR6\Partition1: MBR, Type 0xB, StartLBA 0x20, BlocksNum 0x3DFDF
06:58:12.0812 0284 ============================================================
06:58:12.0828 0284 D: <-> \Device\Harddisk1\DR1\Partition1
06:58:12.0875 0284 C: <-> \Device\Harddisk0\DR0\Partition1
06:58:12.0890 0284 E: <-> \Device\Harddisk1\DR1\Partition2
06:58:12.0906 0284 F: <-> \Device\Harddisk1\DR1\Partition3
06:58:12.0906 0284 ============================================================
06:58:12.0906 0284 Initialize success
06:58:12.0906 0284 ============================================================
06:58:39.0531 2428 ============================================================
06:58:39.0531 2428 Scan started
06:58:39.0531 2428 Mode: Manual;
06:58:39.0531 2428 ============================================================
06:58:39.0859 2428 ================ Scan system memory ========================
06:58:39.0859 2428 System memory - ok
06:58:39.0859 2428 ================ Scan services =============================
06:58:39.0968 2428 Abiosdsk - ok
06:58:39.0968 2428 abp480n5 - ok
06:58:40.0015 2428 [ 8FD99680A539792A30E97944FDAECF17 ] ACPI C:\WINDOWS\system32\DRIVERS\ACPI.sys
06:58:40.0015 2428 ACPI - ok
06:58:40.0046 2428 [ 9859C0F6936E723E4892D7141B1327D5 ] ACPIEC C:\WINDOWS\system32\drivers\ACPIEC.sys
06:58:40.0046 2428 ACPIEC - ok
06:58:40.0171 2428 [ E12CFCF1DDBFC50948A75E6E38793225 ] AdobeFlashPlayerUpdateSvc C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
06:58:40.0171 2428 AdobeFlashPlayerUpdateSvc - ok
06:58:40.0187 2428 adpu160m - ok
06:58:40.0218 2428 [ 8BED39E3C35D6A489438B8141717A557 ] aec C:\WINDOWS\system32\drivers\aec.sys
06:58:40.0250 2428 aec - ok
06:58:40.0312 2428 [ 1E44BC1E83D8FD2305F8D452DB109CF9 ] AFD C:\WINDOWS\System32\drivers\afd.sys
06:58:40.0312 2428 AFD - ok
06:58:40.0312 2428 Aha154x - ok
06:58:40.0328 2428 aic78u2 - ok
06:58:40.0328 2428 aic78xx - ok
06:58:40.0390 2428 [ A9A3DAA780CA6C9671A19D52456705B4 ] Alerter C:\WINDOWS\system32\alrsvc.dll
06:58:40.0390 2428 Alerter - ok
06:58:40.0421 2428 [ 8C515081584A38AA007909CD02020B3D ] ALG C:\WINDOWS\System32\alg.exe
06:58:40.0421 2428 ALG - ok
06:58:40.0437 2428 AliIde - ok
06:58:40.0437 2428 amsint - ok
06:58:40.0625 2428 [ 466A0D95960DAD3222C896D2CEA99993 ] AntiVirSchedulerService C:\Program Files\Avira\AntiVir Desktop\sched.exe
06:58:40.0625 2428 AntiVirSchedulerService - ok
06:58:40.0640 2428 [ A489BE6BB0AA1FF406B488B60542314B ] AntiVirService C:\Program Files\Avira\AntiVir Desktop\avguard.exe
06:58:40.0640 2428 AntiVirService - ok
06:58:40.0718 2428 [ D8849F77C0B66226335A59D26CB4EDC6 ] AppMgmt C:\WINDOWS\System32\appmgmts.dll
06:58:40.0734 2428 AppMgmt - ok
06:58:40.0750 2428 asc - ok
06:58:40.0750 2428 asc3350p - ok
06:58:40.0765 2428 asc3550 - ok
06:58:40.0796 2428 [ 00A70BAC21F71E5A1FBF328FF5FFED46 ] ASFIPmon C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
06:58:40.0796 2428 ASFIPmon - ok
06:58:40.0984 2428 [ 0E5E4957549056E2BF2C49F4F6B601AD ] aspnet_state C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
06:58:41.0015 2428 aspnet_state - ok
06:58:41.0046 2428 [ B153AFFAC761E7F5FCFA822B9C4E97BC ] AsyncMac C:\WINDOWS\system32\DRIVERS\asyncmac.sys
06:58:41.0046 2428 AsyncMac - ok
06:58:41.0093 2428 [ 9F3A2F5AA6875C72BF062C712CFA2674 ] atapi C:\WINDOWS\system32\DRIVERS\atapi.sys
06:58:41.0093 2428 atapi - ok
06:58:41.0093 2428 Atdisk - ok
06:58:41.0125 2428 [ 9916C1225104BA14794209CFA8012159 ] Atmarpc C:\WINDOWS\system32\DRIVERS\atmarpc.sys
06:58:41.0140 2428 Atmarpc - ok
06:58:41.0187 2428 [ DEF7A7882BEC100FE0B2CE2549188F9D ] AudioSrv C:\WINDOWS\System32\audiosrv.dll
06:58:41.0187 2428 AudioSrv - ok
06:58:41.0250 2428 [ D9F724AA26C010A217C97606B160ED68 ] audstub C:\WINDOWS\system32\DRIVERS\audstub.sys
06:58:41.0250 2428 audstub - ok
06:58:41.0265 2428 [ D5541F0AFB767E85FC412FC609D96A74 ] avgntflt C:\WINDOWS\system32\DRIVERS\avgntflt.sys
06:58:41.0265 2428 avgntflt - ok
06:58:41.0296 2428 [ 7D967A682D4694DF7FA57D63A2DB01FE ] avipbb C:\WINDOWS\system32\DRIVERS\avipbb.sys
06:58:41.0312 2428 avipbb - ok
06:58:41.0312 2428 [ 271CFD1A989209B1964E24D969552BF7 ] avkmgr C:\WINDOWS\system32\DRIVERS\avkmgr.sys
06:58:41.0328 2428 avkmgr - ok
06:58:41.0375 2428 [ 241474D01380E9ED41D4C07F4F5FD401 ] b57w2k C:\WINDOWS\system32\DRIVERS\b57xp32.sys
06:58:41.0375 2428 b57w2k - ok
06:58:41.0390 2428 [ 3D87B0484BE1093C6614062701F375C5 ] BASFND C:\Program Files\Broadcom\ASFIPMon\BASFND.sys
06:58:41.0390 2428 BASFND - ok
06:58:41.0437 2428 [ DA1F27D85E0D1525F6621372E7B685E9 ] Beep C:\WINDOWS\system32\drivers\Beep.sys
06:58:41.0437 2428 Beep - ok
06:58:41.0515 2428 [ 574738F61FCA2935F5265DC4E5691314 ] BITS C:\WINDOWS\system32\qmgr.dll
06:58:41.0593 2428 BITS - ok
06:58:41.0625 2428 [ CFD4E51402DA9838B5A04AE680AF54A0 ] Browser C:\WINDOWS\System32\browser.dll
06:58:41.0625 2428 Browser - ok
06:58:41.0656 2428 [ 90A673FC8E12A79AFBED2576F6A7AAF9 ] cbidf2k C:\WINDOWS\system32\drivers\cbidf2k.sys
06:58:41.0656 2428 cbidf2k - ok
06:58:41.0671 2428 cd20xrnt - ok
06:58:41.0718 2428 [ C1B486A7658353D33A10CC15211A873B ] Cdaudio C:\WINDOWS\system32\drivers\Cdaudio.sys
06:58:41.0718 2428 Cdaudio - ok
06:58:41.0796 2428 [ C885B02847F5D2FD45A24E219ED93B32 ] Cdfs C:\WINDOWS\system32\drivers\Cdfs.sys
06:58:41.0796 2428 Cdfs - ok
06:58:41.0828 2428 [ 1F4260CC5B42272D71F79E570A27A4FE ] Cdrom C:\WINDOWS\system32\DRIVERS\cdrom.sys
06:58:41.0843 2428 Cdrom - ok
06:58:41.0875 2428 [ 84853B3FD012251690570E9E7E43343F ] cercsr6 C:\WINDOWS\system32\drivers\cercsr6.sys
06:58:41.0875 2428 cercsr6 - ok
06:58:41.0890 2428 Changer - ok
06:58:41.0937 2428 [ 1CFE720EB8D93A7158A4EBC3AB178BDE ] CiSvc C:\WINDOWS\system32\cisvc.exe
06:58:41.0937 2428 CiSvc - ok
06:58:41.0953 2428 [ 34CBE729F38138217F9C80212A2A0C82 ] ClipSrv C:\WINDOWS\system32\clipsrv.exe
06:58:41.0953 2428 ClipSrv - ok
06:58:42.0000 2428 [ D87ACAED61E417BBA546CED5E7E36D9C ] clr_optimization_v2.0.50727_32 C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
06:58:42.0109 2428 clr_optimization_v2.0.50727_32 - ok
06:58:42.0109 2428 CmdIde - ok
06:58:42.0125 2428 COMSysApp - ok
06:58:42.0140 2428 Cpqarray - ok
06:58:42.0156 2428 [ 3D4E199942E29207970E04315D02AD3B ] CryptSvc C:\WINDOWS\System32\cryptsvc.dll
06:58:42.0171 2428 CryptSvc - ok
06:58:42.0171 2428 dac2w2k - ok
06:58:42.0187 2428 dac960nt - ok
06:58:42.0281 2428 [ 77843EB03B5F6995D6184BD6C4EA139F ] DataSvr C:\Program Files\Wave Systems Corp\Common\DataServer.exe
06:58:42.0281 2428 DataSvr - ok
06:58:42.0343 2428 [ 6B27A5C03DFB94B4245739065431322C ] DcomLaunch C:\WINDOWS\system32\rpcss.dll
06:58:42.0343 2428 DcomLaunch - ok
06:58:42.0359 2428 [ 5E38D7684A49CACFB752B046357E0589 ] Dhcp C:\WINDOWS\System32\dhcpcsvc.dll
06:58:42.0375 2428 Dhcp - ok
06:58:42.0375 2428 [ 044452051F3E02E7963599FC8F4F3E25 ] Disk C:\WINDOWS\system32\DRIVERS\disk.sys
06:58:42.0390 2428 Disk - ok
06:58:42.0390 2428 dmadmin - ok
06:58:42.0437 2428 [ D992FE1274BDE0F84AD826ACAE022A41 ] dmboot C:\WINDOWS\system32\drivers\dmboot.sys
06:58:42.0453 2428 dmboot - ok
06:58:42.0468 2428 [ 7C824CF7BBDE77D95C08005717A95F6F ] dmio C:\WINDOWS\system32\drivers\dmio.sys
06:58:42.0484 2428 dmio - ok
06:58:42.0515 2428 [ E9317282A63CA4D188C0DF5E09C6AC5F ] dmload C:\WINDOWS\system32\drivers\dmload.sys
06:58:42.0515 2428 dmload - ok
06:58:42.0562 2428 [ 57EDEC2E5F59F0335E92F35184BC8631 ] dmserver C:\WINDOWS\System32\dmserver.dll
06:58:42.0562 2428 dmserver - ok
06:58:42.0562 2428 [ 8A208DFCF89792A484E76C40E5F50B45 ] DMusic C:\WINDOWS\system32\drivers\DMusic.sys
06:58:42.0578 2428 DMusic - ok
06:58:42.0625 2428 [ 5F7E24FA9EAB896051FFB87F840730D2 ] Dnscache C:\WINDOWS\System32\dnsrslvr.dll
06:58:42.0625 2428 Dnscache - ok
06:58:42.0656 2428 [ 0F0F6E687E5E15579EF4DA8DD6945814 ] Dot3svc C:\WINDOWS\System32\dot3svc.dll
06:58:42.0671 2428 Dot3svc - ok
06:58:42.0671 2428 dpti2o - ok
06:58:42.0703 2428 [ 8F5FCFF8E8848AFAC920905FBD9D33C8 ] drmkaud C:\WINDOWS\system32\drivers\drmkaud.sys
06:58:42.0703 2428 drmkaud - ok
06:58:42.0750 2428 [ 2187855A7703ADEF0CEF9EE4285182CC ] EapHost C:\WINDOWS\System32\eapsvc.dll
06:58:42.0750 2428 EapHost - ok
06:58:42.0765 2428 [ BC93B4A066477954555966D77FEC9ECB ] ERSvc C:\WINDOWS\System32\ersvc.dll
06:58:42.0765 2428 ERSvc - ok
06:58:42.0812 2428 [ 65DF52F5B8B6E9BBD183505225C37315 ] Eventlog C:\WINDOWS\system32\services.exe
06:58:42.0812 2428 Eventlog - ok
06:58:42.0875 2428 [ D4991D98F2DB73C60D042F1AEF79EFAE ] EventSystem C:\WINDOWS\system32\es.dll
06:58:42.0875 2428 EventSystem - ok
06:58:42.0906 2428 [ 38D332A6D56AF32635675F132548343E ] Fastfat C:\WINDOWS\system32\drivers\Fastfat.sys
06:58:42.0906 2428 Fastfat - ok
06:58:42.0984 2428 [ 99BC0B50F511924348BE19C7C7313BBF ] FastUserSwitchingCompatibility C:\WINDOWS\System32\shsvcs.dll
06:58:42.0984 2428 FastUserSwitchingCompatibility - ok
06:58:42.0984 2428 [ 92CDD60B6730B9F50F6A1A0C1F8CDC81 ] Fdc C:\WINDOWS\system32\DRIVERS\fdc.sys
06:58:43.0000 2428 Fdc - ok
06:58:43.0000 2428 [ D45926117EB9FA946A6AF572FBE1CAA3 ] Fips C:\WINDOWS\system32\drivers\Fips.sys
06:58:43.0015 2428 Fips - ok
06:58:43.0046 2428 [ 9D27E7B80BFCDF1CDD9B555862D5E7F0 ] Flpydisk C:\WINDOWS\system32\DRIVERS\flpydisk.sys
06:58:43.0046 2428 Flpydisk - ok
06:58:43.0093 2428 [ B2CF4B0786F8212CB92ED2B50C6DB6B0 ] FltMgr C:\WINDOWS\system32\drivers\fltmgr.sys
06:58:43.0093 2428 FltMgr - ok
06:58:43.0203 2428 [ 8BA7C024070F2B7FDD98ED8A4BA41789 ] FontCache3.0.0.0 C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
06:58:43.0218 2428 FontCache3.0.0.0 - ok
06:58:43.0234 2428 [ 3E1E2BD4F39B0E2B7DC4F4D2BCC2779A ] Fs_Rec C:\WINDOWS\system32\drivers\Fs_Rec.sys
06:58:43.0234 2428 Fs_Rec - ok
06:58:43.0265 2428 [ 6AC26732762483366C3969C9E4D2259D ] Ftdisk C:\WINDOWS\system32\DRIVERS\ftdisk.sys
06:58:43.0281 2428 Ftdisk - ok
06:58:43.0281 2428 [ 0A02C63C8B144BD8C86B103DEE7C86A2 ] Gpc C:\WINDOWS\system32\DRIVERS\msgpc.sys
06:58:43.0296 2428 Gpc - ok
06:58:43.0437 2428 [ 506708142BC63DABA64F2D3AD1DCD5BF ] gupdate C:\Program Files\Google\Update\GoogleUpdate.exe
06:58:43.0453 2428 gupdate - ok
06:58:43.0468 2428 [ 506708142BC63DABA64F2D3AD1DCD5BF ] gupdatem C:\Program Files\Google\Update\GoogleUpdate.exe
06:58:43.0468 2428 gupdatem - ok
06:58:43.0640 2428 [ 4FCCA060DFE0C51A09DD5C3843888BCD ] helpsvc C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll
06:58:43.0656 2428 helpsvc - ok
06:58:43.0687 2428 [ DEB04DA35CC871B6D309B77E1443C796 ] HidServ C:\WINDOWS\System32\hidserv.dll
06:58:43.0687 2428 HidServ - ok
06:58:43.0718 2428 [ CCF82C5EC8A7326C3066DE870C06DAF1 ] hidusb C:\WINDOWS\system32\DRIVERS\hidusb.sys
06:58:43.0718 2428 hidusb - ok
06:58:43.0765 2428 [ 8878BD685E490239777BFE51320B88E9 ] hkmsvc C:\WINDOWS\System32\kmsvc.dll
06:58:43.0765 2428 hkmsvc - ok
06:58:43.0781 2428 hpn - ok
06:58:43.0812 2428 [ F80A415EF82CD06FFAF0D971528EAD38 ] HTTP C:\WINDOWS\system32\Drivers\HTTP.sys
06:58:43.0828 2428 HTTP - ok
06:58:43.0859 2428 [ 6100A808600F44D999CEBDEF8841C7A3 ] HTTPFilter C:\WINDOWS\System32\w3ssl.dll
06:58:43.0875 2428 HTTPFilter - ok
06:58:43.0875 2428 i2omgmt - ok
06:58:43.0890 2428 i2omp - ok
06:58:43.0890 2428 [ 4A0B06AA8943C1E332520F7440C0AA30 ] i8042prt C:\WINDOWS\system32\drivers\i8042prt.sys
06:58:43.0906 2428 i8042prt - ok
06:58:43.0968 2428 [ 0294A30B302CA71A2C26E582DDA93486 ] ialm C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
06:58:43.0984 2428 ialm - ok
06:58:44.0171 2428 [ C01AC32DC5C03076CFB852CB5DA5229C ] idsvc C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
06:58:44.0234 2428 idsvc - ok
06:58:44.0234 2428 [ 083A052659F5310DD8B6A6CB05EDCF8E ] Imapi C:\WINDOWS\system32\DRIVERS\imapi.sys
06:58:44.0250 2428 Imapi - ok
06:58:44.0296 2428 [ 30DEAF54A9755BB8546168CFE8A6B5E1 ] ImapiService C:\WINDOWS\system32\imapi.exe
06:58:44.0296 2428 ImapiService - ok
06:58:44.0312 2428 ini910u - ok
06:58:44.0312 2428 IntelIde - ok
06:58:44.0343 2428 [ 8C953733D8F36EB2133F5BB58808B66B ] intelppm C:\WINDOWS\system32\DRIVERS\intelppm.sys
06:58:44.0359 2428 intelppm - ok
06:58:44.0359 2428 [ 3BB22519A194418D5FEC05D800A19AD0 ] Ip6Fw C:\WINDOWS\system32\drivers\ip6fw.sys
06:58:44.0375 2428 Ip6Fw - ok
06:58:44.0390 2428 [ 731F22BA402EE4B62748ADAF6363C182 ] IpFilterDriver C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
06:58:44.0390 2428 IpFilterDriver - ok
06:58:44.0406 2428 [ B87AB476DCF76E72010632B5550955F5 ] IpInIp C:\WINDOWS\system32\DRIVERS\ipinip.sys
06:58:44.0406 2428 IpInIp - ok
06:58:44.0437 2428 [ CC748EA12C6EFFDE940EE98098BF96BB ] IpNat C:\WINDOWS\system32\DRIVERS\ipnat.sys
06:58:44.0437 2428 IpNat - ok
06:58:44.0453 2428 [ 23C74D75E36E7158768DD63D92789A91 ] IPSec C:\WINDOWS\system32\DRIVERS\ipsec.sys
06:58:44.0453 2428 IPSec - ok
06:58:44.0484 2428 [ C93C9FF7B04D772627A3646D89F7BF89 ] IRENUM C:\WINDOWS\system32\DRIVERS\irenum.sys
06:58:44.0484 2428 IRENUM - ok
06:58:44.0531 2428 [ 05A299EC56E52649B1CF2FC52D20F2D7 ] isapnp C:\WINDOWS\system32\DRIVERS\isapnp.sys
06:58:44.0546 2428 isapnp - ok
06:58:44.0609 2428 [ 4F2143570D2250CA4C4A4C98553C82CD ] JavaQuickStarterService C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe
06:58:44.0625 2428 JavaQuickStarterService - ok
06:58:44.0625 2428 [ 463C1EC80CD17420A542B7F36A36F128 ] Kbdclass C:\WINDOWS\system32\DRIVERS\kbdclass.sys
06:58:44.0625 2428 Kbdclass - ok
06:58:44.0656 2428 [ 9EF487A186DEA361AA06913A75B3FA99 ] kbdhid C:\WINDOWS\system32\DRIVERS\kbdhid.sys
06:58:44.0656 2428 kbdhid - ok
06:58:44.0687 2428 [ 692BCF44383D056AED41B045A323D378 ] kmixer C:\WINDOWS\system32\drivers\kmixer.sys
06:58:44.0718 2428 kmixer - ok
06:58:44.0718 2428 [ B467646C54CC746128904E1654C750C1 ] KSecDD C:\WINDOWS\system32\drivers\KSecDD.sys
06:58:44.0718 2428 KSecDD - ok
06:58:44.0781 2428 [ 3A7C3CBE5D96B8AE96CE81F0B22FB527 ] lanmanserver C:\WINDOWS\System32\srvsvc.dll
06:58:44.0781 2428 lanmanserver - ok
06:58:44.0828 2428 [ A8888A5327621856C0CEC4E385F69309 ] lanmanworkstation C:\WINDOWS\System32\wkssvc.dll
06:58:44.0843 2428 lanmanworkstation - ok
06:58:44.0843 2428 lbrtfdc - ok
06:58:44.0859 2428 [ A7DB739AE99A796D91580147E919CC59 ] LmHosts C:\WINDOWS\System32\lmhsvc.dll
06:58:44.0875 2428 LmHosts - ok
06:58:44.0890 2428 [ 20856B8A44F41BB42F3F5F03C3BB2B00 ] mbamchameleon C:\WINDOWS\system32\drivers\mbamchameleon.sys
06:58:44.0906 2428 mbamchameleon - ok
06:58:44.0921 2428 [ 0DB7527DB188C7D967A37BB51BBF3963 ] MBAMSwissArmy C:\WINDOWS\system32\drivers\mbamswissarmy.sys
06:58:44.0921 2428 MBAMSwissArmy - ok
06:58:45.0031 2428 [ 11F714F85530A2BD134074DC30E99FCA ] MDM C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
06:58:45.0031 2428 MDM - ok
06:58:45.0062 2428 [ 986B1FF5814366D71E0AC5755C88F2D3 ] Messenger C:\WINDOWS\System32\msgsvc.dll
06:58:45.0078 2428 Messenger - ok
06:58:45.0093 2428 [ 4AE068242760A1FB6E1A44BF4E16AFA6 ] mnmdd C:\WINDOWS\system32\drivers\mnmdd.sys
06:58:45.0093 2428 mnmdd - ok
06:58:45.0125 2428 [ D18F1F0C101D06A1C1ADF26EED16FCDD ] mnmsrvc C:\WINDOWS\system32\mnmsrvc.exe
06:58:45.0140 2428 mnmsrvc - ok
06:58:45.0171 2428 [ DFCBAD3CEC1C5F964962AE10E0BCC8E1 ] Modem C:\WINDOWS\system32\drivers\Modem.sys
06:58:45.0171 2428 Modem - ok
06:58:45.0218 2428 [ 35C9E97194C8CFB8430125F8DBC34D04 ] Mouclass C:\WINDOWS\system32\DRIVERS\mouclass.sys
06:58:45.0218 2428 Mouclass - ok
06:58:45.0265 2428 [ B1C303E17FB9D46E87A98E4BA6769685 ] mouhid C:\WINDOWS\system32\DRIVERS\mouhid.sys
06:58:45.0265 2428 mouhid - ok
06:58:45.0296 2428 [ A80B9A0BAD1B73637DBCBBA7DF72D3FD ] MountMgr C:\WINDOWS\system32\drivers\MountMgr.sys
06:58:45.0296 2428 MountMgr - ok
06:58:45.0406 2428 [ CB8AF049AC9BE419A77ADAE288673359 ] MozillaMaintenance C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe
06:58:45.0421 2428 MozillaMaintenance - ok
06:58:45.0437 2428 mraid35x - ok
06:58:45.0437 2428 [ 11D42BB6206F33FBB3BA0288D3EF81BD ] MRxDAV C:\WINDOWS\system32\DRIVERS\mrxdav.sys
06:58:45.0453 2428 MRxDAV - ok
06:58:45.0531 2428 [ 7D304A5EB4344EBEEAB53A2FE3FFB9F0 ] MRxSmb C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
06:58:45.0546 2428 MRxSmb - ok
06:58:45.0593 2428 [ A137F1470499A205ABBB9AAFB3B6F2B1 ] MSDTC C:\WINDOWS\system32\msdtc.exe
06:58:45.0593 2428 MSDTC - ok
06:58:45.0609 2428 [ C941EA2454BA8350021D774DAF0F1027 ] Msfs C:\WINDOWS\system32\drivers\Msfs.sys
06:58:45.0609 2428 Msfs - ok
06:58:45.0625 2428 MSIServer - ok
06:58:45.0640 2428 [ D1575E71568F4D9E14CA56B7B0453BF1 ] MSKSSRV C:\WINDOWS\system32\drivers\MSKSSRV.sys
06:58:45.0640 2428 MSKSSRV - ok
06:58:45.0656 2428 [ 325BB26842FC7CCC1FCCE2C457317F3E ] MSPCLOCK C:\WINDOWS\system32\drivers\MSPCLOCK.sys
06:58:45.0671 2428 MSPCLOCK - ok
06:58:45.0687 2428 [ BAD59648BA099DA4A17680B39730CB3D ] MSPQM C:\WINDOWS\system32\drivers\MSPQM.sys
06:58:45.0687 2428 MSPQM - ok
06:58:45.0718 2428 [ AF5F4F3F14A8EA2C26DE30F7A1E17136 ] mssmbios C:\WINDOWS\system32\DRIVERS\mssmbios.sys
06:58:45.0718 2428 mssmbios - ok
06:58:45.0750 2428 [ DE6A75F5C270E756C5508D94B6CF68F5 ] Mup C:\WINDOWS\system32\drivers\Mup.sys
06:58:45.0750 2428 Mup - ok
06:58:45.0781 2428 [ 0102140028FAD045756796E1C685D695 ] napagent C:\WINDOWS\System32\qagentrt.dll
06:58:45.0796 2428 napagent - ok
06:58:45.0812 2428 [ 1DF7F42665C94B825322FAE71721130D ] NDIS C:\WINDOWS\system32\drivers\NDIS.sys
06:58:45.0828 2428 NDIS - ok
06:58:45.0890 2428 [ 0109C4F3850DFBAB279542515386AE22 ] NdisTapi C:\WINDOWS\system32\DRIVERS\ndistapi.sys
06:58:45.0890 2428 NdisTapi - ok
06:58:45.0906 2428 [ F927A4434C5028758A842943EF1A3849 ] Ndisuio C:\WINDOWS\system32\DRIVERS\ndisuio.sys
06:58:45.0921 2428 Ndisuio - ok
06:58:45.0953 2428 [ EDC1531A49C80614B2CFDA43CA8659AB ] NdisWan C:\WINDOWS\system32\DRIVERS\ndiswan.sys
06:58:45.0968 2428 NdisWan - ok
06:58:46.0015 2428 [ 9282BD12DFB069D3889EB3FCC1000A9B ] NDProxy C:\WINDOWS\system32\drivers\NDProxy.sys
06:58:46.0015 2428 NDProxy - ok
06:58:46.0031 2428 [ 5D81CF9A2F1A3A756B66CF684911CDF0 ] NetBIOS C:\WINDOWS\system32\DRIVERS\netbios.sys
06:58:46.0031 2428 NetBIOS - ok
06:58:46.0046 2428 [ 74B2B2F5BEA5E9A3DC021D685551BD3D ] NetBT C:\WINDOWS\system32\DRIVERS\netbt.sys
06:58:46.0062 2428 NetBT - ok
06:58:46.0125 2428 [ B857BA82860D7FF85AE29B095645563B ] NetDDE C:\WINDOWS\system32\netdde.exe
06:58:46.0140 2428 NetDDE - ok
06:58:46.0140 2428 [ B857BA82860D7FF85AE29B095645563B ] NetDDEdsdm C:\WINDOWS\system32\netdde.exe
06:58:46.0140 2428 NetDDEdsdm - ok
06:58:46.0187 2428 [ BF2466B3E18E970D8A976FB95FC1CA85 ] Netlogon C:\WINDOWS\system32\lsass.exe
06:58:46.0187 2428 Netlogon - ok
06:58:46.0218 2428 [ 13E67B55B3ABD7BF3FE7AAE5A0F9A9DE ] Netman C:\WINDOWS\System32\netman.dll
06:58:46.0234 2428 Netman - ok
06:58:46.0312 2428 [ D34612C5D02D026535B3095D620626AE ] NetTcpPortSharing C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
06:58:46.0343 2428 NetTcpPortSharing - ok
06:58:46.0375 2428 [ 943337D786A56729263071623BBB9DE5 ] Nla C:\WINDOWS\System32\mswsock.dll
06:58:46.0375 2428 Nla - ok
06:58:46.0453 2428 [ 7AEA4DF1CA68FD45DD4BBE1F0243CE7F ] NMSAccess C:\Program Files\CDBurnerXP\NMSAccessU.exe
06:58:46.0453 2428 NMSAccess - ok
06:58:46.0484 2428 [ 3182D64AE053D6FB034F44B6DEF8034A ] Npfs C:\WINDOWS\system32\drivers\Npfs.sys
06:58:46.0484 2428 Npfs - ok
06:58:46.0515 2428 [ 78A08DD6A8D65E697C18E1DB01C5CDCA ] Ntfs C:\WINDOWS\system32\drivers\Ntfs.sys
06:58:46.0546 2428 Ntfs - ok
06:58:46.0546 2428 [ BF2466B3E18E970D8A976FB95FC1CA85 ] NtLmSsp C:\WINDOWS\system32\lsass.exe
06:58:46.0546 2428 NtLmSsp - ok
06:58:46.0593 2428 [ 156F64A3345BD23C600655FB4D10BC08 ] NtmsSvc C:\WINDOWS\system32\ntmssvc.dll
06:58:46.0609 2428 NtmsSvc - ok
06:58:46.0625 2428 [ 73C1E1F395918BC2C6DD67AF7591A3AD ] Null C:\WINDOWS\system32\drivers\Null.sys
06:58:46.0625 2428 Null - ok
06:58:46.0687 2428 [ B305F3FAD35083837EF46A0BBCE2FC57 ] NwlnkFlt C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
06:58:46.0687 2428 NwlnkFlt - ok
06:58:46.0718 2428 [ C99B3415198D1AAB7227F2C88FD664B9 ] NwlnkFwd C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
06:58:46.0718 2428 NwlnkFwd - ok
06:58:46.0765 2428 [ 7A56CF3E3F12E8AF599963B16F50FB6A ] ose C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
06:58:46.0781 2428 ose - ok
06:58:46.0796 2428 [ 5575FAF8F97CE5E713D108C2A58D7C7C ] Parport C:\WINDOWS\system32\DRIVERS\parport.sys
06:58:46.0812 2428 Parport - ok
06:58:46.0812 2428 [ BEB3BA25197665D82EC7065B724171C6 ] PartMgr C:\WINDOWS\system32\drivers\PartMgr.sys
06:58:46.0812 2428 PartMgr - ok
06:58:46.0859 2428 [ 70E98B3FD8E963A6A46A2E6247E0BEA1 ] ParVdm C:\WINDOWS\system32\drivers\ParVdm.sys
06:58:46.0875 2428 ParVdm - ok
06:58:46.0890 2428 [ A219903CCF74233761D92BEF471A07B1 ] PCI C:\WINDOWS\system32\DRIVERS\pci.sys
06:58:46.0906 2428 PCI - ok
06:58:46.0906 2428 PCIDump - ok
06:58:46.0921 2428 [ CCF5F451BB1A5A2A522A76E670000FF0 ] PCIIde C:\WINDOWS\system32\DRIVERS\pciide.sys
06:58:46.0937 2428 PCIIde - ok
06:58:46.0937 2428 [ 9E89EF60E9EE05E3F2EEF2DA7397F1C1 ] Pcmcia C:\WINDOWS\system32\drivers\Pcmcia.sys
06:58:46.0953 2428 Pcmcia - ok
06:58:46.0953 2428 PDCOMP - ok
06:58:46.0968 2428 PDFRAME - ok
06:58:46.0968 2428 PDRELI - ok
06:58:46.0984 2428 PDRFRAME - ok
06:58:46.0984 2428 perc2 - ok
06:58:47.0000 2428 perc2hib - ok
06:58:47.0031 2428 [ 65DF52F5B8B6E9BBD183505225C37315 ] PlugPlay C:\WINDOWS\system32\services.exe
06:58:47.0031 2428 PlugPlay - ok
06:58:47.0046 2428 [ BF2466B3E18E970D8A976FB95FC1CA85 ] PolicyAgent C:\WINDOWS\system32\lsass.exe
06:58:47.0046 2428 PolicyAgent - ok
06:58:47.0046 2428 [ EFEEC01B1D3CF84F16DDD24D9D9D8F99 ] PptpMiniport C:\WINDOWS\system32\DRIVERS\raspptp.sys
06:58:47.0062 2428 PptpMiniport - ok
06:58:47.0062 2428 [ BF2466B3E18E970D8A976FB95FC1CA85 ] ProtectedStorage C:\WINDOWS\system32\lsass.exe
06:58:47.0062 2428 ProtectedStorage - ok
06:58:47.0078 2428 [ 09298EC810B07E5D582CB3A3F9255424 ] PSched C:\WINDOWS\system32\DRIVERS\psched.sys
06:58:47.0078 2428 PSched - ok
06:58:47.0109 2428 [ 80D317BD1C3DBC5D4FE7B1678C60CADD ] Ptilink C:\WINDOWS\system32\DRIVERS\ptilink.sys
06:58:47.0109 2428 Ptilink - ok
06:58:47.0125 2428 ql1080 - ok
06:58:47.0125 2428 Ql10wnt - ok
06:58:47.0140 2428 ql12160 - ok
06:58:47.0140 2428 ql1240 - ok
06:58:47.0156 2428 ql1280 - ok
06:58:47.0156 2428 [ FE0D99D6F31E4FAD8159F690D68DED9C ] RasAcd C:\WINDOWS\system32\DRIVERS\rasacd.sys
06:58:47.0171 2428 RasAcd - ok
06:58:47.0187 2428 [ AD188BE7BDF94E8DF4CA0A55C00A5073 ] RasAuto C:\WINDOWS\System32\rasauto.dll
06:58:47.0203 2428 RasAuto - ok
06:58:47.0234 2428 [ 11B4A627BC9614B885C4969BFA5FF8A6 ] Rasl2tp C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
06:58:47.0250 2428 Rasl2tp - ok
06:58:47.0312 2428 [ 76A9A3CBEADD68CC57CDA5E1D7448235 ] RasMan C:\WINDOWS\System32\rasmans.dll
06:58:47.0312 2428 RasMan - ok
06:58:47.0328 2428 [ 5BC962F2654137C9909C3D4603587DEE ] RasPppoe C:\WINDOWS\system32\DRIVERS\raspppoe.sys
06:58:47.0328 2428 RasPppoe - ok
06:58:47.0343 2428 [ FDBB1D60066FCFBB7452FD8F9829B242 ] Raspti C:\WINDOWS\system32\DRIVERS\raspti.sys
06:58:47.0343 2428 Raspti - ok
06:58:47.0359 2428 [ 7AD224AD1A1437FE28D89CF22B17780A ] Rdbss C:\WINDOWS\system32\DRIVERS\rdbss.sys
06:58:47.0375 2428 Rdbss - ok
06:58:47.0390 2428 [ 4912D5B403614CE99C28420F75353332 ] RDPCDD C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
06:58:47.0390 2428 RDPCDD - ok
06:58:47.0406 2428 [ 15CABD0F7C00C47C70124907916AF3F1 ] rdpdr C:\WINDOWS\system32\DRIVERS\rdpdr.sys
06:58:47.0421 2428 rdpdr - ok
06:58:47.0484 2428 [ 43AF5212BD8FB5BA6EED9754358BD8F7 ] RDPWD C:\WINDOWS\system32\drivers\RDPWD.sys
06:58:47.0484 2428 RDPWD - ok
06:58:47.0515 2428 [ 3C37BF86641BDA977C3BF8A840F3B7FA ] RDSessMgr C:\WINDOWS\system32\sessmgr.exe
06:58:47.0531 2428 RDSessMgr - ok
06:58:47.0531 2428 [ F828DD7E1419B6653894A8F97A0094C5 ] redbook C:\WINDOWS\system32\DRIVERS\redbook.sys
06:58:47.0546 2428 redbook - ok
06:58:47.0593 2428 [ 7E699FF5F59B5D9DE5390E3C34C67CF5 ] RemoteAccess C:\WINDOWS\System32\mprdim.dll
06:58:47.0609 2428 RemoteAccess - ok
06:58:47.0640 2428 [ 5B19B557B0C188210A56A6B699D90B8F ] RemoteRegistry C:\WINDOWS\system32\regsvc.dll
06:58:47.0640 2428 RemoteRegistry - ok
06:58:47.0656 2428 [ AAED593F84AFA419BBAE8572AF87CF6A ] RpcLocator C:\WINDOWS\system32\locator.exe
06:58:47.0671 2428 RpcLocator - ok
06:58:47.0718 2428 [ 6B27A5C03DFB94B4245739065431322C ] RpcSs C:\WINDOWS\system32\rpcss.dll
06:58:47.0718 2428 RpcSs - ok
06:58:47.0765 2428 [ 471B3F9741D762ABE75E9DEEA4787E47 ] RSVP C:\WINDOWS\system32\rsvp.exe
06:58:47.0765 2428 RSVP - ok
06:58:47.0812 2428 [ BF2466B3E18E970D8A976FB95FC1CA85 ] SamSs C:\WINDOWS\system32\lsass.exe
06:58:47.0812 2428 SamSs - ok
06:58:47.0812 2428 [ 86D007E7A654B9A71D1D7D856B104353 ] SCardSvr C:\WINDOWS\System32\SCardSvr.exe
06:58:47.0828 2428 SCardSvr - ok
06:58:47.0859 2428 [ 0A9A7365A1CA4319AA7C1D6CD8E4EAFA ] Schedule C:\WINDOWS\system32\schedsvc.dll
06:58:47.0890 2428 Schedule - ok
06:58:47.0906 2428 [ 90A3935D05B494A5A39D37E71F09A677 ] Secdrv C:\WINDOWS\system32\DRIVERS\secdrv.sys
06:58:47.0921 2428 Secdrv - ok
06:58:47.0968 2428 [ CBE612E2BB6A10E3563336191EDA1250 ] seclogon C:\WINDOWS\System32\seclogon.dll
06:58:47.0968 2428 seclogon - ok
06:58:48.0062 2428 [ B9C7617C1E8AB6FDFF75D3C8DAFCB4C8 ] senfilt C:\WINDOWS\system32\drivers\senfilt.sys
06:58:48.0062 2428 senfilt - ok
06:58:48.0078 2428 [ 7FDD5D0684ECA8C1F68B4D99D124DCD0 ] SENS C:\WINDOWS\system32\sens.dll
06:58:48.0078 2428 SENS - ok
06:58:48.0093 2428 [ 0F29512CCD6BEAD730039FB4BD2C85CE ] serenum C:\WINDOWS\system32\DRIVERS\serenum.sys
06:58:48.0109 2428 serenum - ok
06:58:48.0125 2428 [ CCA207A8896D4C6A0C9CE29A4AE411A7 ] Serial C:\WINDOWS\system32\DRIVERS\serial.sys
06:58:48.0140 2428 Serial - ok
06:58:48.0171 2428 [ 8E6B8C671615D126FDC553D1E2DE5562 ] Sfloppy C:\WINDOWS\system32\drivers\Sfloppy.sys
06:58:48.0171 2428 Sfloppy - ok
06:58:48.0234 2428 [ 83F41D0D89645D7235C051AB1D9523AC ] SharedAccess C:\WINDOWS\System32\ipnathlp.dll
06:58:48.0265 2428 SharedAccess - ok
06:58:48.0296 2428 [ 99BC0B50F511924348BE19C7C7313BBF ] ShellHWDetection C:\WINDOWS\System32\shsvcs.dll
06:58:48.0296 2428 ShellHWDetection - ok
06:58:48.0296 2428 Simbad - ok
06:58:48.0328 2428 [ C6D9959E493682F872A639B6EC1B4A08 ] smwdm C:\WINDOWS\system32\drivers\smwdm.sys
06:58:48.0328 2428 smwdm - ok
06:58:48.0343 2428 Sparrow - ok
06:58:48.0390 2428 [ AB8B92451ECB048A4D1DE7C3FFCB4A9F ] splitter C:\WINDOWS\system32\drivers\splitter.sys
06:58:48.0406 2428 splitter - ok
06:58:48.0437 2428 [ 60784F891563FB1B767F70117FC2428F ] Spooler C:\WINDOWS\system32\spoolsv.exe
06:58:48.0437 2428 Spooler - ok
06:58:48.0468 2428 [ 76BB022C2FB6902FD5BDD4F78FC13A5D ] sr C:\WINDOWS\system32\DRIVERS\sr.sys
06:58:48.0484 2428 sr - ok
06:58:48.0484 2428 [ 3805DF0AC4296A34BA4BF93B346CC378 ] srservice C:\WINDOWS\system32\srsvc.dll
06:58:48.0500 2428 srservice - ok
06:58:48.0562 2428 [ 47DDFC2F003F7F9F0592C6874962A2E7 ] Srv C:\WINDOWS\system32\DRIVERS\srv.sys
06:58:48.0562 2428 Srv - ok
06:58:48.0593 2428 [ 0A5679B3714EDAB99E357057EE88FCA6 ] SSDPSRV C:\WINDOWS\System32\ssdpsrv.dll
06:58:48.0593 2428 SSDPSRV - ok
06:58:48.0640 2428 [ A36EE93698802CD899F98BFD553D8185 ] ssmdrv C:\WINDOWS\system32\DRIVERS\ssmdrv.sys
06:58:48.0640 2428 ssmdrv - ok
06:58:48.0671 2428 [ E57B778208C783D8DEBAB320C16A1B82 ] StarOpen C:\WINDOWS\system32\drivers\StarOpen.sys
06:58:48.0671 2428 StarOpen - ok
06:58:48.0718 2428 [ 8BAD69CBAC032D4BBACFCE0306174C30 ] stisvc C:\WINDOWS\system32\wiaservc.dll
06:58:48.0750 2428 stisvc - ok
06:58:48.0781 2428 [ 3A7106F3C983026652E95CA5302EF512 ] stmtpm C:\WINDOWS\system32\DRIVERS\stm_tpm.sys
06:58:48.0781 2428 stmtpm - ok
06:58:48.0812 2428 [ 3941D127AEF12E93ADDF6FE6EE027E0F ] swenum C:\WINDOWS\system32\DRIVERS\swenum.sys
06:58:48.0812 2428 swenum - ok
06:58:48.0843 2428 [ 8CE882BCC6CF8A62F2B2323D95CB3D01 ] swmidi C:\WINDOWS\system32\drivers\swmidi.sys
06:58:48.0843 2428 swmidi - ok
06:58:48.0859 2428 SwPrv - ok
06:58:48.0859 2428 symc810 - ok
06:58:48.0875 2428 symc8xx - ok
06:58:48.0875 2428 sym_hi - ok
06:58:48.0890 2428 sym_u3 - ok
06:58:48.0890 2428 [ 8B83F3ED0F1688B4958F77CD6D2BF290 ] sysaudio C:\WINDOWS\system32\drivers\sysaudio.sys
06:58:48.0906 2428 sysaudio - ok
06:58:48.0937 2428 [ C7ABBC59B43274B1109DF6B24D617051 ] SysmonLog C:\WINDOWS\system32\smlogsvc.exe
06:58:48.0937 2428 SysmonLog - ok
06:58:49.0000 2428 [ 3CB78C17BB664637787C9A1C98F79C38 ] TapiSrv C:\WINDOWS\System32\tapisrv.dll
06:58:49.0015 2428 TapiSrv - ok
06:58:49.0109 2428 [ 9AEFA14BD6B182D61E3119FA5F436D3D ] Tcpip C:\WINDOWS\system32\DRIVERS\tcpip.sys
06:58:49.0109 2428 Tcpip - ok
06:58:49.0171 2428 [ 884999BCF1E73136FA4CC726AFD8B519 ] tcsd_win32.exe C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v1.05\bin\tcsd_win32.exe
06:58:49.0171 2428 tcsd_win32.exe - ok
06:58:49.0203 2428 [ 6471A66807F5E104E4885F5B67349397 ] TDPIPE C:\WINDOWS\system32\drivers\TDPIPE.sys
06:58:49.0203 2428 TDPIPE - ok
06:58:49.0203 2428 [ C56B6D0402371CF3700EB322EF3AAF61 ] TDTCP C:\WINDOWS\system32\drivers\TDTCP.sys
06:58:49.0218 2428 TDTCP - ok
06:58:49.0218 2428 [ 88155247177638048422893737429D9E ] TermDD C:\WINDOWS\system32\DRIVERS\termdd.sys
06:58:49.0234 2428 TermDD - ok
06:58:49.0250 2428 [ FF3477C03BE7201C294C35F684B3479F ] TermService C:\WINDOWS\System32\termsrv.dll
06:58:49.0281 2428 TermService - ok
06:58:49.0328 2428 [ 99BC0B50F511924348BE19C7C7313BBF ] Themes C:\WINDOWS\System32\shsvcs.dll
06:58:49.0328 2428 Themes - ok
06:58:49.0375 2428 [ DB7205804759FF62C34E3EFD8A4CC76A ] TlntSvr C:\WINDOWS\system32\tlntsvr.exe
06:58:49.0390 2428 TlntSvr - ok
06:58:49.0390 2428 TosIde - ok
06:58:49.0437 2428 [ 55BCA12F7F523D35CA3CB833C725F54E ] TrkWks C:\WINDOWS\system32\trkwks.dll
06:58:49.0437 2428 TrkWks - ok
06:58:49.0453 2428 [ 5787B80C2E3C5E2F56C2A233D91FA2C9 ] Udfs C:\WINDOWS\system32\drivers\Udfs.sys
06:58:49.0468 2428 Udfs - ok
06:58:49.0468 2428 ultra - ok
06:58:49.0500 2428 [ 402DDC88356B1BAC0EE3DD1580C76A31 ] Update C:\WINDOWS\system32\DRIVERS\update.sys
06:58:49.0515 2428 Update - ok
06:58:49.0562 2428 [ 1EBAFEB9A3FBDC41B8D9C7F0F687AD91 ] upnphost C:\WINDOWS\System32\upnphost.dll
06:58:49.0578 2428 upnphost - ok
06:58:49.0578 2428 [ 05365FB38FCA1E98F7A566AAAF5D1815 ] UPS C:\WINDOWS\System32\ups.exe
06:58:49.0593 2428 UPS - ok
06:58:49.0625 2428 [ 173F317CE0DB8E21322E71B7E60A27E8 ] usbccgp C:\WINDOWS\system32\DRIVERS\usbccgp.sys
06:58:49.0625 2428 usbccgp - ok
06:58:49.0656 2428 [ 65DCF09D0E37D4C6B11B5B0B76D470A7 ] usbehci C:\WINDOWS\system32\DRIVERS\usbehci.sys
06:58:49.0656 2428 usbehci - ok
06:58:49.0687 2428 [ 1AB3CDDE553B6E064D2E754EFE20285C ] usbhub C:\WINDOWS\system32\DRIVERS\usbhub.sys
06:58:49.0687 2428 usbhub - ok
06:58:49.0718 2428 [ A717C8721046828520C9EDF31288FC00 ] usbprint C:\WINDOWS\system32\DRIVERS\usbprint.sys
06:58:49.0734 2428 usbprint - ok
06:58:49.0750 2428 [ A0B8CF9DEB1184FBDD20784A58FA75D4 ] usbscan C:\WINDOWS\system32\DRIVERS\usbscan.sys
06:58:49.0750 2428 usbscan - ok
06:58:49.0765 2428 [ A32426D9B14A089EAA1D922E0C5801A9 ] USBSTOR C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
06:58:49.0765 2428 USBSTOR - ok
06:58:49.0796 2428 [ 26496F9DEE2D787FC3E61AD54821FFE6 ] usbuhci C:\WINDOWS\system32\DRIVERS\usbuhci.sys
06:58:49.0812 2428 usbuhci - ok
06:58:49.0843 2428 [ 0D3A8FAFCEACD8B7625CD549757A7DF1 ] VgaSave C:\WINDOWS\System32\drivers\vga.sys
06:58:49.0843 2428 VgaSave - ok
06:58:49.0843 2428 ViaIde - ok
06:58:49.0875 2428 [ 4C8FCB5CC53AAB716D810740FE59D025 ] VolSnap C:\WINDOWS\system32\drivers\VolSnap.sys
06:58:49.0890 2428 VolSnap - ok
06:58:49.0937 2428 [ 7A9DB3A67C333BF0BD42E42B8596854B ] VSS C:\WINDOWS\System32\vssvc.exe
06:58:49.0953 2428 VSS - ok
06:58:49.0984 2428 [ 54AF4B1D5459500EF0937F6D33B1914F ] W32Time C:\WINDOWS\system32\w32time.dll
06:58:50.0000 2428 W32Time - ok
06:58:50.0015 2428 [ E20B95BAEDB550F32DD489265C1DA1F6 ] Wanarp C:\WINDOWS\system32\DRIVERS\wanarp.sys
06:58:50.0031 2428 Wanarp - ok
06:58:50.0031 2428 WDICA - ok
06:58:50.0062 2428 [ 6768ACF64B18196494413695F0C3A00F ] wdmaud C:\WINDOWS\system32\drivers\wdmaud.sys
06:58:50.0078 2428 wdmaud - ok
06:58:50.0093 2428 [ 77A354E28153AD2D5E120A5A8687BC06 ] WebClient C:\WINDOWS\System32\webclnt.dll
06:58:50.0109 2428 WebClient - ok
06:58:50.0265 2428 [ 2D0E4ED081963804CCC196A0929275B5 ] winmgmt C:\WINDOWS\system32\wbem\WMIsvc.dll
06:58:50.0281 2428 winmgmt - ok
06:58:50.0343 2428 [ C7E39EA41233E9F5B86C8DA3A9F1E4A8 ] WmdmPmSN C:\WINDOWS\system32\mspmsnsv.dll
06:58:50.0359 2428 WmdmPmSN - ok
06:58:50.0406 2428 [ E76F8807070ED04E7408A86D6D3A6137 ] Wmi C:\WINDOWS\System32\advapi32.dll
06:58:50.0421 2428 Wmi - ok
06:58:50.0453 2428 [ E0673F1106E62A68D2257E376079F821 ] WmiApSrv C:\WINDOWS\system32\wbem\wmiapsrv.exe
06:58:50.0468 2428 WmiApSrv - ok
06:58:50.0515 2428 [ 7C278E6408D1DCE642230C0585A854D5 ] wscsvc C:\WINDOWS\system32\wscsvc.dll
06:58:50.0531 2428 wscsvc - ok
06:58:50.0546 2428 [ 35321FB577CDC98CE3EB3A3EB9E4610A ] wuauserv C:\WINDOWS\system32\wuauserv.dll
06:58:50.0546 2428 wuauserv - ok
06:58:50.0625 2428 [ 81DC3F549F44B1C1FFF022DEC9ECF30B ] WZCSVC C:\WINDOWS\System32\wzcsvc.dll
06:58:50.0640 2428 WZCSVC - ok
06:58:50.0671 2428 [ 295D21F14C335B53CB8154E5B1F892B9 ] xmlprov C:\WINDOWS\System32\xmlprov.dll
06:58:50.0687 2428 xmlprov - ok
06:58:50.0687 2428 ================ Scan global ===============================
06:58:50.0718 2428 [ 42F1F4C0AFB08410E5F02D4B13EBB623 ] C:\WINDOWS\system32\basesrv.dll
06:58:50.0765 2428 [ 8C7DCA4B158BF16894120786A7A5F366 ] C:\WINDOWS\system32\winsrv.dll
06:58:50.0781 2428 [ 8C7DCA4B158BF16894120786A7A5F366 ] C:\WINDOWS\system32\winsrv.dll
06:58:50.0812 2428 [ 65DF52F5B8B6E9BBD183505225C37315 ] C:\WINDOWS\system32\services.exe
06:58:50.0812 2428 [Global] - ok
06:58:50.0812 2428 ================ Scan MBR ==================================
06:58:50.0828 2428 [ 8F558EB6672622401DA993E1E865C861 ] \Device\Harddisk0\DR0
06:58:51.0093 2428 \Device\Harddisk0\DR0 - ok
06:58:51.0109 2428 [ 8F558EB6672622401DA993E1E865C861 ] \Device\Harddisk1\DR1
06:58:51.0109 2428 \Device\Harddisk1\DR1 - ok
06:58:51.0109 2428 [ E5FA06ACA0D60BA9C870D0EF3D9898C9 ] \Device\Harddisk2\DR6
06:58:54.0062 2428 \Device\Harddisk2\DR6 - ok
06:58:54.0062 2428 ================ Scan VBR ==================================
06:58:54.0062 2428 [ 6EF35FED123595DC952D8315B9FD4E71 ] \Device\Harddisk0\DR0\Partition1
06:58:54.0062 2428 \Device\Harddisk0\DR0\Partition1 - ok
06:58:54.0078 2428 [ 7007C81D564F12FAA34412F814D9EBE8 ] \Device\Harddisk1\DR1\Partition1
06:58:54.0078 2428 \Device\Harddisk1\DR1\Partition1 - ok
06:58:54.0078 2428 [ FD91AF826BB393897C19E90453F39B78 ] \Device\Harddisk1\DR1\Partition2
06:58:54.0078 2428 \Device\Harddisk1\DR1\Partition2 - ok
06:58:54.0078 2428 [ 64901CE1ACB370150FAB4002BB9E812B ] \Device\Harddisk1\DR1\Partition3
06:58:54.0078 2428 \Device\Harddisk1\DR1\Partition3 - ok
06:58:54.0093 2428 [ F6E873AC40A8CFEA434A87BB4A9901B1 ] \Device\Harddisk2\DR6\Partition1
06:58:54.0093 2428 \Device\Harddisk2\DR6\Partition1 - ok
06:58:54.0093 2428 ============================================================
06:58:54.0093 2428 Scan finished
06:58:54.0093 2428 ============================================================
06:58:54.0109 2108 Detected object count: 0
06:58:54.0109 2108 Actual detected object count: 0
06:59:10.0218 1728 Deinitialize success
Helmut13
Regular Member
 
Posts: 75
Joined: May 30th, 2011, 3:05 pm

Re: File recovery virus with logs

Unread postby askey127 » October 2nd, 2012, 7:53 am

Helmut13,
You may want to print this out, or save it as a Notepad document on your Desktop, since you won't have Internet access in Safe Mode.
Run RogueKiller
  • First, quit all running programs.
  • Double click RogueKiller.exe.
  • Note: If the program is blocked, do not hesitate to try several times.
    If it really does not work (it could happen), rename it to winlogon.exe or RogueKiller.com.
  • Wait until prescan has finished.
  • Click on the Delete button on the right. Wait for it to finish.
    Please open the report by clicking the Report button on the right and posting or saving its contents to a flash drive.
-----------------------------------------------------------
Start Your Computer in Safe Mode.
Reboot into Safe Mode by hitting the F8 key repeatedly as the machine boots, until a menu shows up. Choose Safe Mode from the list. In some systems, this may be the F5 key, so try that if F8 doesn't work. Additional Info is here: http://www.computerhope.com/issues/chsafe.htm
On Dell laptops it is the F12 key.
No matter what you read on the Internet or elsewhere, DO NOT FORCE A SAFE MODE BOOT BY EDITING MSCONFIG
Then see if you are able to manually delete this file:
C:\Documents and Settings\All Users\Application Data\HiJChosD3n2DEw.exe
-----------------------------------------------
Get Last Avira Report
Right click the red umbrella icon in the system tray and click Start Antivir
In the left pane, click Overview, then click Reports
There will be reports titled Update and reports titled Scan. Find the most recent report in the list titled Scan
Click on the Report File button, or Right click the report and choose Display Report.
The report contents will come up in Notepad. Highlight the entire report (Ctrl+A) and copy to the clipboard (Ctrl+C).
Paste the contents (Ctrl+V) into your next reply.
If there is another Scan report, from the time it reported the TR/Graftor, please post it also.

Let me know how it goes.

askey127
askey127
Admin/Teacher
Posts: 13903
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: File recovery virus with logs

Unread postby Helmut13 » October 2nd, 2012, 1:17 pm

Hello askey127,

When I started the infected machine now, the File Recovery started again and I could not close it. Then I started RogueKiller and this stopped the File Recovery process, but it was not possible to click on Delete. I started RogueKiller a second time and nothing was found, so again it was not possible to click on Delete or Report.

When I started in Safe Mode, everything was still hidden, but it was possible to show hidden files and I deleted C:\Documents and Settings\All Users\Application Data\HiJChosD3n2DEw.exe

Then I restarted in normal mode. The last Scan report from Antivir is about one week old and has nothing with TR/Graftor. I hope you can find the information you are looking for, because it is in German.



Avira Free Antivirus
Report file creation date: Tuesday, September 25, 2012 16:09

Searching for 4263957 virus strains.

The program is running as an unrestricted full version.
Online services are available.

Licensee : Avira AntiVir Personal - Free Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Microsoft Windows XP
Windows version : (Service Pack 3) [5.1.2600]
Boot mode : Normally booted
User name : SYSTEM
Computer name : COMPUTER

Version information:
BUILD.DAT : 12.0.0.1199 40869 Bytes 9/7/2012 22:14:00
AVSCAN.EXE : 12.3.0.33 468472 Bytes 8/8/2012 17:52:13
AVSCAN.DLL : 12.3.0.15 66256 Bytes 5/8/2012 18:55:17
LUKE.DLL : 12.3.0.15 68304 Bytes 5/8/2012 18:55:17
AVSCPLR.DLL : 12.3.0.14 97032 Bytes 5/8/2012 18:55:18
AVREG.DLL : 12.3.0.17 232200 Bytes 5/12/2012 05:41:48
VBASE000.VDF : 7.10.0.0 19875328 Bytes 11/6/2009 18:18:34
VBASE001.VDF : 7.11.0.0 13342208 Bytes 12/14/2010 09:07:39
VBASE002.VDF : 7.11.19.170 14374912 Bytes 12/20/2011 15:48:44
VBASE003.VDF : 7.11.21.238 4472832 Bytes 2/1/2012 18:04:35
VBASE004.VDF : 7.11.26.44 4329472 Bytes 3/28/2012 06:17:24
VBASE005.VDF : 7.11.34.116 4034048 Bytes 6/29/2012 06:44:38
VBASE006.VDF : 7.11.41.250 4902400 Bytes 9/6/2012 05:04:31
VBASE007.VDF : 7.11.41.251 2048 Bytes 9/6/2012 05:04:31
VBASE008.VDF : 7.11.41.252 2048 Bytes 9/6/2012 05:04:31
VBASE009.VDF : 7.11.41.253 2048 Bytes 9/6/2012 05:04:31
VBASE010.VDF : 7.11.41.254 2048 Bytes 9/6/2012 05:04:31
VBASE011.VDF : 7.11.41.255 2048 Bytes 9/6/2012 05:04:31
VBASE012.VDF : 7.11.42.0 2048 Bytes 9/6/2012 05:04:31
VBASE013.VDF : 7.11.42.1 2048 Bytes 9/6/2012 05:04:31
VBASE014.VDF : 7.11.42.65 203264 Bytes 9/9/2012 06:53:47
VBASE015.VDF : 7.11.42.125 156672 Bytes 9/11/2012 16:31:29
VBASE016.VDF : 7.11.42.171 187904 Bytes 9/12/2012 16:31:30
VBASE017.VDF : 7.11.42.235 141312 Bytes 9/13/2012 05:33:09
VBASE018.VDF : 7.11.43.35 133632 Bytes 9/15/2012 07:07:31
VBASE019.VDF : 7.11.43.89 129024 Bytes 9/18/2012 16:23:38
VBASE020.VDF : 7.11.43.141 130560 Bytes 9/19/2012 16:22:51
VBASE021.VDF : 7.11.43.187 121856 Bytes 9/21/2012 22:01:50
VBASE022.VDF : 7.11.43.251 147456 Bytes 9/24/2012 14:06:00
VBASE023.VDF : 7.11.43.252 2048 Bytes 9/24/2012 14:06:00
VBASE024.VDF : 7.11.43.253 2048 Bytes 9/24/2012 14:06:00
VBASE025.VDF : 7.11.43.254 2048 Bytes 9/24/2012 14:06:00
VBASE026.VDF : 7.11.43.255 2048 Bytes 9/24/2012 14:06:00
VBASE027.VDF : 7.11.44.0 2048 Bytes 9/24/2012 14:06:00
VBASE028.VDF : 7.11.44.1 2048 Bytes 9/24/2012 14:06:00
VBASE029.VDF : 7.11.44.2 2048 Bytes 9/24/2012 14:06:00
VBASE030.VDF : 7.11.44.3 2048 Bytes 9/24/2012 14:06:00
VBASE031.VDF : 7.11.44.40 123392 Bytes 9/25/2012 14:06:01
Engineversion : 8.2.10.172
AEVDF.DLL : 8.1.2.10 102772 Bytes 7/10/2012 16:06:07
AESCRIPT.DLL : 8.1.4.56 459131 Bytes 9/25/2012 14:06:07
AESCN.DLL : 8.1.8.2 131444 Bytes 1/27/2012 19:21:39
AESBX.DLL : 8.2.5.12 606578 Bytes 6/14/2012 17:33:10
AERDL.DLL : 8.1.9.15 639348 Bytes 9/8/2011 21:16:06
AEPACK.DLL : 8.3.0.36 811382 Bytes 9/15/2012 05:34:11
AEOFFICE.DLL : 8.1.2.48 201082 Bytes 9/25/2012 14:06:07
AEHEUR.DLL : 8.1.4.104 5280119 Bytes 9/25/2012 14:06:07
AEHELP.DLL : 8.1.23.2 258422 Bytes 6/28/2012 21:02:00
AEGEN.DLL : 8.1.5.36 434549 Bytes 8/25/2012 16:13:28
AEEXP.DLL : 8.1.0.86 90484 Bytes 9/8/2012 06:07:30
AEEMU.DLL : 8.1.3.2 393587 Bytes 7/10/2012 16:06:06
AECORE.DLL : 8.1.27.4 201078 Bytes 8/7/2012 16:34:08
AEBB.DLL : 8.1.1.0 53618 Bytes 9/1/2011 21:46:01
AVWINLL.DLL : 12.3.0.15 27344 Bytes 5/8/2012 18:55:16
AVPREF.DLL : 12.3.0.15 51920 Bytes 5/8/2012 18:55:17
AVREP.DLL : 12.3.0.15 179208 Bytes 5/8/2012 18:55:18
AVARKT.DLL : 12.3.0.15 211408 Bytes 5/8/2012 18:55:17
AVEVTLOG.DLL : 12.3.0.15 169168 Bytes 5/8/2012 18:55:17
SQLITE3.DLL : 3.7.0.1 398288 Bytes 5/8/2012 18:55:17
AVSMTP.DLL : 12.3.0.32 63480 Bytes 8/8/2012 17:52:13
NETNT.DLL : 12.3.0.15 17104 Bytes 5/8/2012 18:55:17
RCIMAGE.DLL : 12.3.0.31 4444408 Bytes 8/8/2012 17:52:09
RCTEXT.DLL : 12.3.0.31 100088 Bytes 8/8/2012 17:52:09

Configuration for the current scan:
Job name..............................: Complete system scan
Configuration file....................: c:\program files\avira\antivir desktop\sysscan.avp
Logging...............................: standard
Primary action........................: interactive
Secondary action......................: ignore
Scan master boot sectors..............: on
Scan boot sectors.....................: on
Boot sectors..........................: C:, D:, E:, F:,
Scan active programs..................: on
Running programs extended.............: on
Scan registry.........................: on
Search for rootkits...................: on
Integrity check of system files.......: off
File scan mode........................: All files
Scan archives.........................: on
Limit recursion depth.................: 20
Archive smart extensions..............: on
Macro virus heuristics................: on
File heuristics.......................: extended

Start of the scan: Tuesday, September 25, 2012 16:09

Starting the scan of the master boot sectors:
Master boot sector HD0
[INFO] No virus was found!
Master boot sector HD1
[INFO] No virus was found!

Starting the scan of the boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!
Boot sector 'D:\'
[INFO] No virus was found!
Boot sector 'E:\'
[INFO] No virus was found!
Boot sector 'F:\'
[INFO] No virus was found!

Starting the scan for hidden objects.
C:\Documents and Settings\All Users\Application Data\rmARWGtDjHvYrkh.exe
[DETECTION] Is the Trojan horse TR/Rogue.kdv.739021
The registry entry <HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path\Debugger> was successfully removed.
The registry entry <HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rmARWGtDjHvYrkh.exe> was successfully removed.

Starting the scan of running processes:
Scanning process 'rsmsink.exe' - '27' module(s) were scanned
Scanning process 'msdtc.exe' - '39' module(s) were scanned
Scanning process 'dllhost.exe' - '59' module(s) were scanned
Scanning process 'dllhost.exe' - '45' module(s) were scanned
Scanning process 'vssvc.exe' - '48' module(s) were scanned
Scanning process 'avscan.exe' - '70' module(s) were scanned
Scanning process 'avcenter.exe' - '66' module(s) were scanned
Scanning process 'rmARWGtDjHvYrkh.exe' - '44' module(s) were scanned
Module is infected -> <C:\Documents and Settings\All Users\Application Data\rmARWGtDjHvYrkh.exe>
[DETECTION] Is the Trojan horse TR/Rogue.kdv.739021
[NOTE] Process 'rmARWGtDjHvYrkh.exe' was terminated
[NOTE] The file was moved to the quarantine directory under the name '52f41835.qua'!
[NOTE] The registry entry <HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rmARWGtDjHvYrkh.exe> was successfully repaired.
Scanning process 'HiJChosD3n2DEw.exe' - '65' module(s) were scanned
Scanning process 'ctfmon.exe' - '23' module(s) were scanned
Scanning process 'jusched.exe' - '22' module(s) were scanned
Scanning process 'avgnt.exe' - '61' module(s) were scanned
Scanning process 'fpassist.exe' - '18' module(s) were scanned
Scanning process 'igfxpers.exe' - '21' module(s) were scanned
Scanning process 'hkcmd.exe' - '19' module(s) were scanned
Scanning process 'smax4pnp.exe' - '33' module(s) were scanned
Scanning process 'Explorer.EXE' - '108' module(s) were scanned
Scanning process 'alg.exe' - '32' module(s) were scanned
Scanning process 'avshadow.exe' - '25' module(s) were scanned
Scanning process 'tcsd_win32.exe' - '20' module(s) were scanned
Scanning process 'svchost.exe' - '38' module(s) were scanned
Scanning process 'NMSAccessU.exe' - '13' module(s) were scanned
Scanning process 'MDM.EXE' - '20' module(s) were scanned
Scanning process 'jqs.exe' - '32' module(s) were scanned
Scanning process 'DataServer.exe' - '43' module(s) were scanned
Scanning process 'AsfIpMon.exe' - '25' module(s) were scanned
Scanning process 'avguard.exe' - '55' module(s) were scanned
Scanning process 'svchost.exe' - '33' module(s) were scanned
Scanning process 'sched.exe' - '38' module(s) were scanned
Scanning process 'spoolsv.exe' - '64' module(s) were scanned
Scanning process 'svchost.exe' - '37' module(s) were scanned
Scanning process 'svchost.exe' - '31' module(s) were scanned
Scanning process 'svchost.exe' - '159' module(s) were scanned
Scanning process 'svchost.exe' - '37' module(s) were scanned
Scanning process 'svchost.exe' - '50' module(s) were scanned
Scanning process 'lsass.exe' - '57' module(s) were scanned
Scanning process 'services.exe' - '26' module(s) were scanned
Scanning process 'winlogon.exe' - '65' module(s) were scanned
Scanning process 'csrss.exe' - '14' module(s) were scanned
Scanning process 'smss.exe' - '2' module(s) were scanned

Starting the scan of references to executable files (registry):
C:\Documents and Settings\All Users\Application Data\rmARWGtDjHvYrkh.exe
[DETECTION] Is the Trojan horse TR/Rogue.kdv.739021
[NOTE] The file could not be moved to the quarantine directory!
[NOTE] The file does not exist!

Starting the scan of the selected files:

Starting the search in 'C:\'
C:\Program Files\gs\gs9.02\uninstgs.exe
[WARNING] Unexpected end of file reached
C:\Program Files\PartyGaming\PartyPoker\Temp\PartyPoker.zip
[WARNING] Unexpected end of file reached
C:\Program Files\PartyGaming\PartyPoker\Temp\sounds.zip
[WARNING] Unexpected end of file reached
C:\Program Files\PartyGaming\PartyPoker\Temp\Images\Images.zip
[WARNING] Unexpected end of file reached
C:\Program Files\PartyGaming\PartyPoker\Temp\language\de_DE\de_DE.zip
[WARNING] Unexpected end of file reached
C:\Program Files\PartyGaming\Temp\coreassets.zip
[WARNING] Unexpected end of file reached
C:\Program Files\PartyGaming\Temp\gecko.zip
[WARNING] Unexpected end of file reached
C:\Program Files\PartyGaming\Temp\Party.zip
[WARNING] Unexpected end of file reached
C:\Program Files\USM\Konz 2012\Data\UI.aim
[WARNING] The file is password protected
C:\System Volume Information\_restore{B9F2CDFE-899E-40A5-BD5B-00736C7819DB}\RP325\A0063230.exe
[DETECTION] Is the Trojan horse TR/Rogue.kdv.739021
Starting the search in 'D:\' <Helmut>
D:\Helmut\Local Settings\Application Data\Google\GoogleEarth\webdata\f_000140
[WARNING] Unexpected end of file reached
D:\Helmut\Local Settings\Application Data\Google\GoogleEarth\webdata\f_00024b
[WARNING] Unexpected end of file reached
D:\Helmut\Local Settings\Application Data\Google\GoogleEarth\webdata\f_000283
[WARNING] Unexpected end of file reached
D:\Helmut\Local Settings\Application Data\Google\GoogleEarth\webdata\f_000284
[WARNING] Unexpected end of file reached
D:\Helmut\Local Settings\Application Data\Google\GoogleEarth\webdata\f_0002a8
[WARNING] Unexpected end of file reached
D:\Helmut\Local Settings\Application Data\Google\GoogleEarth\webdata\f_0003f9
[WARNING] Unexpected end of file reached
D:\Helmut\Local Settings\Application Data\Google\GoogleEarth\webdata\f_00043b
[WARNING] Unexpected end of file reached
D:\Helmut\Local Settings\Application Data\Google\GoogleEarth\webdata\f_00043c
[WARNING] Unexpected end of file reached
D:\Helmut\Local Settings\Application Data\Google\GoogleEarth\webdata\f_00049f
[WARNING] Unexpected end of file reached
D:\Helmut\Local Settings\Application Data\Google\GoogleEarth\webdata\f_0004b7
[WARNING] Unexpected end of file reached
D:\Helmut\Local Settings\Application Data\Google\GoogleEarth\webdata\f_000519
[WARNING] Unexpected end of file reached
D:\Helmut\Local Settings\Application Data\Google\GoogleEarth\webdata\f_00051c
[WARNING] Unexpected end of file reached
D:\Helmut\Local Settings\Application Data\Google\GoogleEarth\webdata\f_000551
[WARNING] Unexpected end of file reached
D:\Helmut\Local Settings\Application Data\Google\GoogleEarth\webdata\f_000556
[WARNING] Unexpected end of file reached
D:\Helmut\Local Settings\Application Data\Google\GoogleEarth\webdata\f_00055a
[WARNING] Unexpected end of file reached
D:\Helmut\Local Settings\Application Data\Google\GoogleEarth\webdata\f_00055e
[WARNING] Unexpected end of file reached
D:\Helmut\Local Settings\Application Data\Google\GoogleEarth\webdata\f_0005f9
[WARNING] Unexpected end of file reached
D:\Helmut\Local Settings\Application Data\Google\GoogleEarth\webdata\f_00074a
[WARNING] Unexpected end of file reached
D:\Helmut\Local Settings\Application Data\Google\GoogleEarth\webdata\f_0008c9
[WARNING] Unexpected end of file reached
D:\Helmut\Local Settings\Application Data\Google\GoogleEarth\webdata\f_0009f7
[WARNING] Unexpected end of file reached
D:\Helmut\Local Settings\Application Data\Google\GoogleEarth\webdata\f_0009fe
[WARNING] Unexpected end of file reached
D:\Helmut\Local Settings\Application Data\Google\GoogleEarth\webdata\f_000a56
[WARNING] Unexpected end of file reached
D:\Helmut\Local Settings\Application Data\Google\GoogleEarth\webdata\f_000a5a
[WARNING] Unexpected end of file reached
D:\Helmut\Local Settings\Application Data\Google\GoogleEarth\webdata\f_000a78
[WARNING] Unexpected end of file reached
D:\Helmut\Local Settings\Application Data\Google\GoogleEarth\webdata\f_000b20
[WARNING] Unexpected end of file reached
D:\Helmut\Local Settings\Application Data\Google\GoogleEarth\webdata\f_000b37
[WARNING] Unexpected end of file reached
D:\Helmut\Local Settings\Application Data\Google\GoogleEarth\webdata\f_000b3a
[WARNING] Unexpected end of file reached
D:\Helmut\Local Settings\Application Data\Google\GoogleEarth\webdata\f_000b56
[WARNING] Unexpected end of file reached
D:\Helmut\Local Settings\Application Data\Google\GoogleEarth\webdata\f_000b61
[WARNING] Unexpected end of file reached
D:\Helmut\Local Settings\Application Data\Google\GoogleEarth\webdata\f_000b71
[WARNING] Unexpected end of file reached
D:\Helmut\Local Settings\Application Data\Google\GoogleEarth\webdata\f_000bdc
[WARNING] Unexpected end of file reached
D:\Helmut\Local Settings\Application Data\Google\GoogleEarth\webdata\f_000bdd
[WARNING] Unexpected end of file reached
D:\Helmut\Local Settings\Application Data\Google\GoogleEarth\webdata\f_000be2
[WARNING] Unexpected end of file reached
D:\Helmut\My Documents\Downloads\avira_free_antivirus_de.exe
[WARNING] The file is password protected
D:\Helmut\My Documents\Downloads\pb-setup-5.3.0202.exe
[WARNING] Unexpected end of file reached
D:\Helmut\My Documents\Installationsdateien\need for speed hot persuit 2.zip
[0] Archive type: ZIP
--> Need_for_Speed_Hot_Pursuit_2-CLS/clshp206.zip
[1] Archive type: ZIP
--> nfshp2.c04
[2] Archive type: ACE
--> RegSetup.exe
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[WARNING] Some files in this archive are spread across several part archives (multiple volume)
D:\Helmut\My Documents\Installationsdateien\OOo_2.0.0_Win32Intel_install_de.exe
[WARNING] The version of this archive is not supported
D:\Helmut\My Documents\Installationsdateien\OOo_2.3.0_Win32Intel_install_wJRE_en-US.exe
[WARNING] The version of this archive is not supported
D:\Helmut\My Documents\Installationsdateien\Vorbereitungskurs auf die Fischerprüfung\start.exe
[WARNING] The file is password protected
D:\Helmut\My Documents\Installationsdateien\Vorbereitungskurs auf die Fischerprüfung\vorbereitungskurs auf die fischerprüfung. Angelschein NRW.rar
[WARNING] The file is password protected
D:\Helmut\My Documents\Studium\TU München\Physik Praktikum Teil 3\Dopplerfreie Sättigungsspektroskopie\Dopplerfreie Sättigungs.dat
[WARNING] Unexpected end of file reached
D:\Helmut\My Documents\WSI-Dateien\Sonstiges\TUM_Neue_Helvetica.zip
[WARNING] The file is password protected
Starting the search in 'E:\' <Monika>
Starting the search in 'F:\' <Rita>

Starting disinfection:
D:\Helmut\My Documents\Installationsdateien\need for speed hot persuit 2.zip
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[NOTE] The file was moved to the quarantine directory under the name '18580782.qua'!
C:\System Volume Information\_restore{B9F2CDFE-899E-40A5-BD5B-00736C7819DB}\RP325\A0063230.exe
[DETECTION] Is the Trojan horse TR/Rogue.kdv.739021
[NOTE] The file was moved to the quarantine directory under the name '7e384865.qua'!


End of the scan: Tuesday, September 25, 2012 18:04
Time needed: 1:47:52 hour(s)

The scan was completed in full.

21228 directories were checked
937381 files were checked
4 viruses or unwanted programs were found
0 files were classified as suspicious
0 files were deleted
0 viruses or unwanted programs were repaired
3 files were moved to quarantine
0 files were renamed
0 files could not be scanned
937377 files without infection
12134 archives were scanned
51 warnings
4 notes
291157 objects were scanned during the rootkit scan
0 hidden objects were found



The TR/Graftor was found by the realtime scanner and that message is:



In the file 'C:\Documents and Settings\All Users\Application Data\HiJChosD3n2DEw.exe'
a virus or unwanted program 'TR/Graftor.43733.1' [trojan] was found.
Action performed: Deny access



If I look at the different hard discs and partitions all of them are Read-only and hidden. I think I have to uncheck both, or?

Kind regards
Helmut
Helmut13
Regular Member
 
Posts: 75
Joined: May 30th, 2011, 3:05 pm
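The Avira report above records, for each detected object, the detection name, whether the file made it into quarantine (it did for the running copy of rmARWGtDjHvYrkh.exe but not for the registry reference, because the file was already gone), and the registry entries the scanner removed: a Debugger value under Image File Execution Options and a Run-key value, both standard autostart and hijack locations worth re-checking by hand. As an added example that is not part of the original thread or of Avira's own tooling, the Python script below parses that report format and summarises it per object. It keys on the report's structure (bracketed tags, the '<name>.qua' quarantine file names, <registry keys>, path lines and "-> <path>" module lines) rather than on the wording, so it accepts both the German tags ([FUND]/[HINWEIS]/[WARNUNG]) used in the report as posted and the English ones ([DETECTION]/[NOTE]/[WARNING]). SAMPLE_REPORT is a constructed excerpt modelled on the report's format, not the full report, and the assumption that every object is introduced by a path line or a module line is the parser's, not something the report format guarantees.

```python
"""Parse an Avira AntiVir scan report and summarise what was detected and
what actually ended up in quarantine.

Keys on report structure (tags, '.qua' names, <registry keys>, paths), so the
German ([FUND]/[HINWEIS]/[WARNUNG]) and English ([DETECTION]/[NOTE]/[WARNING])
report variants are both handled. SAMPLE_REPORT is a constructed excerpt.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# A scanned object is introduced by a bare path line or by an infected-module
# line of the form "... -> <C:\path\file.exe>" (parser assumption).
PATH_RE = re.compile(r"^(?:[A-Za-z]:\\|\\\\)")
MODULE_RE = re.compile(r"->\s*<([A-Za-z]:\\[^>]+)>")
# Detection names look like TR/Rogue.kdv.739021 or TR/Crypt.XPACK.Gen.
DETECTION_RE = re.compile(r"\[(?:FUND|DETECTION)\]\s+.*?\b([A-Z]{2,4}/[\w.\-]+)")
# A successful quarantine names the quarantine file, e.g. '52f41835.qua'.
QUARANTINE_RE = re.compile(r"\[(?:HINWEIS|NOTE)\]\s+.*?'([0-9a-f]{8}\.qua)'")
NOTE_RE = re.compile(r"\[(?:HINWEIS|NOTE)\]\s+(.*)")
WARNING_RE = re.compile(r"\[(?:WARNUNG|WARNING)\]\s+(.*)")
REGKEY_RE = re.compile(r"<(HKEY_[^>]+)>")


@dataclass
class Finding:
    path: str
    detection: str
    quarantined_as: Optional[str] = None
    notes: List[str] = field(default_factory=list)
    warnings: List[str] = field(default_factory=list)
    registry_keys: List[str] = field(default_factory=list)


def parse_report(text: str) -> List[Finding]:
    """One Finding per detected object, merged across report sections.

    The same file can show up in the hidden-object scan, the process scan and
    the registry scan; every line that follows it is folded into one Finding.
    """
    findings: Dict[str, Finding] = {}
    current_path: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MODULE_RE.search(line)
        if m:
            current_path = m.group(1)
            continue
        if PATH_RE.match(line):
            current_path = line
            continue
        if current_path is None:
            continue
        m = DETECTION_RE.search(line)
        if m:
            findings.setdefault(current_path, Finding(current_path, m.group(1)))
            continue
        finding = findings.get(current_path)
        if finding is None:
            continue  # archive listing or warning for an object with no detection
        finding.registry_keys.extend(REGKEY_RE.findall(line))
        m = QUARANTINE_RE.search(line)
        if m:
            finding.quarantined_as = m.group(1)
        m = NOTE_RE.search(line)
        if m:
            finding.notes.append(m.group(1))
        m = WARNING_RE.search(line)
        if m:
            finding.warnings.append(m.group(1))
    return list(findings.values())


def summarise(findings: List[Finding]) -> dict:
    """Split findings into quarantined / not quarantined and list touched keys."""
    return {
        "detections": sorted({f.detection for f in findings}),
        "quarantined": [f.path for f in findings if f.quarantined_as],
        "not_quarantined": [f.path for f in findings if not f.quarantined_as],
        "registry_keys": sorted({k for f in findings for k in f.registry_keys}),
    }


# Constructed excerpt in the German report format (names follow the report above).
SAMPLE_REPORT = r"""
C:\Documents and Settings\All Users\Application Data\rmARWGtDjHvYrkh.exe
  [FUND]      Ist das Trojanische Pferd TR/Rogue.kdv.739021
  Der Registrierungseintrag <HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path\Debugger> wurde erfolgreich entfernt.
  Der Registrierungseintrag <HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rmARWGtDjHvYrkh.exe> wurde erfolgreich entfernt.

Durchsuche Prozess 'rmARWGtDjHvYrkh.exe' - '44' Modul(e) wurden durchsucht
  Modul ist infiziert -> <C:\Documents and Settings\All Users\Application Data\rmARWGtDjHvYrkh.exe>
  [FUND]      Ist das Trojanische Pferd TR/Rogue.kdv.739021
  [HINWEIS]   Prozess 'rmARWGtDjHvYrkh.exe' wurde beendet
  [HINWEIS]   Die Datei wurde ins Quarantäneverzeichnis unter dem Namen '52f41835.qua' verschoben!

Beginne mit der Suche in 'D:\' <Helmut>
D:\Helmut\My Documents\Installationsdateien\need for speed hot persuit 2.zip
  [2] Archivtyp: ACE
  --> RegSetup.exe
  [FUND]      Ist das Trojanische Pferd TR/Crypt.XPACK.Gen
  [WARNUNG]   Einige Dateien dieses Archives sind auf mehrere Teilarchive verteilt (multiple volume)
"""

if __name__ == "__main__":
    for key, value in summarise(parse_report(SAMPLE_REPORT)).items():
        print(f"{key}: {value}")
```

Run it against a saved report with `parse_report(open(path, encoding="utf-8").read())`; the `not_quarantined` list and `registry_keys` are the items to verify by hand after a scan, since a detection that was only "found" but not quarantined (as with the registry reference above) still leaves the autostart entry to be checked.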

Re: File recovery virus with logs

Unread postby askey127 » October 2nd, 2012, 3:36 pm

Helmut,
Good work. Deleting that file was important.
Reboot the machine into normal mode if you can.
I would run a System Scan, if you are able, with Antivir, and have it delete or quarantine anything it finds.
It may take an hour or more. Don't bother about the log afterward.

After the Antivir scan, see if you are able to run a quick scan with OTL.exe
I really would prefer to have an OTL.txt log to look at.
You may have disabled the active part of that "File Recovery" nonsense.

If no luck, we will need to take a different approach, and burn a bootable CD on a clean machine to decontaminate the infected one.

Let me know how it goes.
askey127
askey127
Admin/Teacher
Posts: 13903
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: File recovery virus with logs

Unread postby Helmut13 » October 4th, 2012, 1:02 am

Hi askey127,

Antivir found a lot of (24) bad things:



Avira Free Antivirus
Report file creation date: Wednesday, October 03, 2012 21:11

Searching for 4306259 virus strains.

The program is running as an unrestricted full version.
Online services are available.

Licensee : Avira AntiVir Personal - Free Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Microsoft Windows XP
Windows version : (Service Pack 3) [5.1.2600]
Boot mode : Normally booted
User name : SYSTEM
Computer name : COMPUTER

Versionsinformationen:
BUILD.DAT : 12.0.0.1199 40869 Bytes 9/7/2012 22:14:00
AVSCAN.EXE : 12.3.0.33 468472 Bytes 8/8/2012 17:52:13
AVSCAN.DLL : 12.3.0.15 66256 Bytes 5/8/2012 18:55:17
LUKE.DLL : 12.3.0.15 68304 Bytes 5/8/2012 18:55:17
AVSCPLR.DLL : 12.3.0.14 97032 Bytes 5/8/2012 18:55:18
AVREG.DLL : 12.3.0.17 232200 Bytes 5/12/2012 05:41:48
VBASE000.VDF : 7.10.0.0 19875328 Bytes 11/6/2009 18:18:34
VBASE001.VDF : 7.11.0.0 13342208 Bytes 12/14/2010 09:07:39
VBASE002.VDF : 7.11.19.170 14374912 Bytes 12/20/2011 15:48:44
VBASE003.VDF : 7.11.21.238 4472832 Bytes 2/1/2012 18:04:35
VBASE004.VDF : 7.11.26.44 4329472 Bytes 3/28/2012 06:17:24
VBASE005.VDF : 7.11.34.116 4034048 Bytes 6/29/2012 06:44:38
VBASE006.VDF : 7.11.41.250 4902400 Bytes 9/6/2012 05:04:31
VBASE007.VDF : 7.11.41.251 2048 Bytes 9/6/2012 05:04:31
VBASE008.VDF : 7.11.41.252 2048 Bytes 9/6/2012 05:04:31
VBASE009.VDF : 7.11.41.253 2048 Bytes 9/6/2012 05:04:31
VBASE010.VDF : 7.11.41.254 2048 Bytes 9/6/2012 05:04:31
VBASE011.VDF : 7.11.41.255 2048 Bytes 9/6/2012 05:04:31
VBASE012.VDF : 7.11.42.0 2048 Bytes 9/6/2012 05:04:31
VBASE013.VDF : 7.11.42.1 2048 Bytes 9/6/2012 05:04:31
VBASE014.VDF : 7.11.42.65 203264 Bytes 9/9/2012 06:53:47
VBASE015.VDF : 7.11.42.125 156672 Bytes 9/11/2012 16:31:29
VBASE016.VDF : 7.11.42.171 187904 Bytes 9/12/2012 16:31:30
VBASE017.VDF : 7.11.42.235 141312 Bytes 9/13/2012 05:33:09
VBASE018.VDF : 7.11.43.35 133632 Bytes 9/15/2012 07:07:31
VBASE019.VDF : 7.11.43.89 129024 Bytes 9/18/2012 16:23:38
VBASE020.VDF : 7.11.43.141 130560 Bytes 9/19/2012 16:22:51
VBASE021.VDF : 7.11.43.187 121856 Bytes 9/21/2012 22:01:50
VBASE022.VDF : 7.11.43.251 147456 Bytes 9/24/2012 14:06:00
VBASE023.VDF : 7.11.44.43 152064 Bytes 9/25/2012 16:50:22
VBASE024.VDF : 7.11.44.103 165888 Bytes 9/27/2012 16:50:22
VBASE025.VDF : 7.11.44.167 160256 Bytes 9/30/2012 16:50:23
VBASE026.VDF : 7.11.44.223 199680 Bytes 10/2/2012 19:10:05
VBASE027.VDF : 7.11.44.224 2048 Bytes 10/2/2012 19:10:06
VBASE028.VDF : 7.11.44.225 2048 Bytes 10/2/2012 19:10:06
VBASE029.VDF : 7.11.44.226 2048 Bytes 10/2/2012 19:10:06
VBASE030.VDF : 7.11.44.227 2048 Bytes 10/2/2012 19:10:06
VBASE031.VDF : 7.11.45.10 119808 Bytes 10/3/2012 19:10:06
Engineversion : 8.2.10.178
AEVDF.DLL : 8.1.2.10 102772 Bytes 7/10/2012 16:06:07
AESCRIPT.DLL : 8.1.4.58 463226 Bytes 10/1/2012 16:50:29
AESCN.DLL : 8.1.9.2 131444 Bytes 10/1/2012 16:50:29
AESBX.DLL : 8.2.5.12 606578 Bytes 6/14/2012 17:33:10
AERDL.DLL : 8.1.9.15 639348 Bytes 9/8/2011 21:16:06
AEPACK.DLL : 8.3.0.38 811382 Bytes 10/1/2012 16:50:29
AEOFFICE.DLL : 8.1.2.48 201082 Bytes 9/25/2012 14:06:07
AEHEUR.DLL : 8.1.4.108 5329272 Bytes 10/1/2012 16:50:28
AEHELP.DLL : 8.1.24.0 258423 Bytes 10/1/2012 16:50:24
AEGEN.DLL : 8.1.5.38 434548 Bytes 10/1/2012 16:50:24
AEEXP.DLL : 8.2.0.2 115060 Bytes 10/1/2012 16:50:29
AEEMU.DLL : 8.1.3.2 393587 Bytes 7/10/2012 16:06:06
AECORE.DLL : 8.1.28.2 201079 Bytes 10/1/2012 16:50:24
AEBB.DLL : 8.1.1.0 53618 Bytes 9/1/2011 21:46:01
AVWINLL.DLL : 12.3.0.15 27344 Bytes 5/8/2012 18:55:16
AVPREF.DLL : 12.3.0.15 51920 Bytes 5/8/2012 18:55:17
AVREP.DLL : 12.3.0.15 179208 Bytes 5/8/2012 18:55:18
AVARKT.DLL : 12.3.0.15 211408 Bytes 5/8/2012 18:55:17
AVEVTLOG.DLL : 12.3.0.15 169168 Bytes 5/8/2012 18:55:17
SQLITE3.DLL : 3.7.0.1 398288 Bytes 5/8/2012 18:55:17
AVSMTP.DLL : 12.3.0.32 63480 Bytes 8/8/2012 17:52:13
NETNT.DLL : 12.3.0.15 17104 Bytes 5/8/2012 18:55:17
RCIMAGE.DLL : 12.3.0.31 4444408 Bytes 8/8/2012 17:52:09
RCTEXT.DLL : 12.3.0.31 100088 Bytes 8/8/2012 17:52:09

Konfiguration für den aktuellen Suchlauf:
Job Name..............................: Vollständige Systemprüfung
Konfigurationsdatei...................: c:\program files\avira\antivir desktop\sysscan.avp
Protokollierung.......................: standard
Primäre Aktion........................: interaktiv
Sekundäre Aktion......................: ignorieren
Durchsuche Masterbootsektoren.........: ein
Durchsuche Bootsektoren...............: ein
Bootsektoren..........................: C:, D:, E:, F:, M:,
Durchsuche aktive Programme...........: ein
Laufende Programme erweitert..........: ein
Durchsuche Registrierung..............: ein
Suche nach Rootkits...................: ein
Integritätsprüfung von Systemdateien..: aus
Datei Suchmodus.......................: Alle Dateien
Durchsuche Archive....................: ein
Rekursionstiefe einschränken..........: 20
Archiv Smart Extensions...............: ein
Makrovirenheuristik...................: ein
Dateiheuristik........................: erweitert

Beginn des Suchlaufs: Wednesday, October 03, 2012 21:11

Der Suchlauf über die Masterbootsektoren wird begonnen:
Masterbootsektor HD0
[INFO] Es wurde kein Virus gefunden!
Masterbootsektor HD1
[INFO] Es wurde kein Virus gefunden!
Masterbootsektor HD2
[INFO] Es wurde kein Virus gefunden!

Der Suchlauf über die Bootsektoren wird begonnen:
Bootsektor 'C:\'
[INFO] Es wurde kein Virus gefunden!
Bootsektor 'D:\'
[INFO] Es wurde kein Virus gefunden!
Bootsektor 'E:\'
[INFO] Es wurde kein Virus gefunden!
Bootsektor 'F:\'
[INFO] Es wurde kein Virus gefunden!
Bootsektor 'M:\'
[INFO] Es wurde kein Virus gefunden!

Der Suchlauf nach versteckten Objekten wird begonnen.

Der Suchlauf über gestartete Prozesse wird begonnen:
Durchsuche Prozess 'AcroRd32.exe' - '26' Modul(e) wurden durchsucht
Durchsuche Prozess 'AcroRd32.exe' - '23' Modul(e) wurden durchsucht
Durchsuche Prozess 'rsmsink.exe' - '27' Modul(e) wurden durchsucht
Durchsuche Prozess 'WINWORD.EXE' - '38' Modul(e) wurden durchsucht
Durchsuche Prozess 'OUTLOOK.EXE' - '93' Modul(e) wurden durchsucht
Durchsuche Prozess 'msdtc.exe' - '39' Modul(e) wurden durchsucht
Durchsuche Prozess 'dllhost.exe' - '59' Modul(e) wurden durchsucht
Durchsuche Prozess 'dllhost.exe' - '45' Modul(e) wurden durchsucht
Durchsuche Prozess 'vssvc.exe' - '48' Modul(e) wurden durchsucht
Durchsuche Prozess 'avscan.exe' - '70' Modul(e) wurden durchsucht
Durchsuche Prozess 'alg.exe' - '32' Modul(e) wurden durchsucht
Durchsuche Prozess 'avshadow.exe' - '25' Modul(e) wurden durchsucht
Durchsuche Prozess 'avcenter.exe' - '66' Modul(e) wurden durchsucht
Durchsuche Prozess 'wuauclt.exe' - '41' Modul(e) wurden durchsucht
Durchsuche Prozess 'soffice.bin' - '80' Modul(e) wurden durchsucht
Durchsuche Prozess 'soffice.exe' - '15' Modul(e) wurden durchsucht
Durchsuche Prozess 'tcsd_win32.exe' - '20' Modul(e) wurden durchsucht
Durchsuche Prozess 'svchost.exe' - '37' Modul(e) wurden durchsucht
Durchsuche Prozess 'NMSAccessU.exe' - '13' Modul(e) wurden durchsucht
Durchsuche Prozess 'ctfmon.exe' - '23' Modul(e) wurden durchsucht
Durchsuche Prozess 'jusched.exe' - '20' Modul(e) wurden durchsucht
Durchsuche Prozess 'MDM.EXE' - '21' Modul(e) wurden durchsucht
Durchsuche Prozess 'avgnt.exe' - '60' Modul(e) wurden durchsucht
Durchsuche Prozess 'jqs.exe' - '32' Modul(e) wurden durchsucht
Durchsuche Prozess 'fpassist.exe' - '18' Modul(e) wurden durchsucht
Durchsuche Prozess 'igfxpers.exe' - '21' Modul(e) wurden durchsucht
Durchsuche Prozess 'hkcmd.exe' - '19' Modul(e) wurden durchsucht
Durchsuche Prozess 'smax4pnp.exe' - '33' Modul(e) wurden durchsucht
Durchsuche Prozess 'DataServer.exe' - '43' Modul(e) wurden durchsucht
Durchsuche Prozess 'AsfIpMon.exe' - '25' Modul(e) wurden durchsucht
Durchsuche Prozess 'avguard.exe' - '55' Modul(e) wurden durchsucht
Durchsuche Prozess 'Explorer.EXE' - '80' Modul(e) wurden durchsucht
Durchsuche Prozess 'svchost.exe' - '33' Modul(e) wurden durchsucht
Durchsuche Prozess 'sched.exe' - '37' Modul(e) wurden durchsucht
Durchsuche Prozess 'spoolsv.exe' - '64' Modul(e) wurden durchsucht
Durchsuche Prozess 'svchost.exe' - '37' Modul(e) wurden durchsucht
Durchsuche Prozess 'svchost.exe' - '31' Modul(e) wurden durchsucht
Durchsuche Prozess 'svchost.exe' - '164' Modul(e) wurden durchsucht
Durchsuche Prozess 'svchost.exe' - '38' Modul(e) wurden durchsucht
Durchsuche Prozess 'svchost.exe' - '51' Modul(e) wurden durchsucht
Durchsuche Prozess 'lsass.exe' - '57' Modul(e) wurden durchsucht
Durchsuche Prozess 'services.exe' - '26' Modul(e) wurden durchsucht
Durchsuche Prozess 'winlogon.exe' - '65' Modul(e) wurden durchsucht
Durchsuche Prozess 'csrss.exe' - '14' Modul(e) wurden durchsucht
Durchsuche Prozess 'smss.exe' - '2' Modul(e) wurden durchsucht

Der Suchlauf auf Verweise zu ausführbaren Dateien (Registry) wird begonnen:
Die Registry wurde durchsucht ( '472' Dateien ).


Der Suchlauf über die ausgewählten Dateien wird begonnen:

Beginne mit der Suche in 'C:\'
C:\Program Files\gs\gs9.02\uninstgs.exe
[WARNUNG] Unerwartetes Dateiende erreicht
C:\Program Files\PartyGaming\PartyPoker\Temp\PartyPoker.zip
[WARNUNG] Unerwartetes Dateiende erreicht
C:\Program Files\PartyGaming\PartyPoker\Temp\sounds.zip
[WARNUNG] Unerwartetes Dateiende erreicht
C:\Program Files\PartyGaming\PartyPoker\Temp\Images\Images.zip
[WARNUNG] Unerwartetes Dateiende erreicht
C:\Program Files\PartyGaming\PartyPoker\Temp\language\de_DE\de_DE.zip
[WARNUNG] Unerwartetes Dateiende erreicht
C:\Program Files\PartyGaming\Temp\coreassets.zip
[WARNUNG] Unerwartetes Dateiende erreicht
C:\Program Files\PartyGaming\Temp\gecko.zip
[WARNUNG] Unerwartetes Dateiende erreicht
C:\Program Files\PartyGaming\Temp\Party.zip
[WARNUNG] Unerwartetes Dateiende erreicht
C:\Program Files\USM\Konz 2012\Data\UI.aim
[WARNUNG] Die Datei ist kennwortgeschützt
C:\System Volume Information\_restore{B9F2CDFE-899E-40A5-BD5B-00736C7819DB}\RP325\A0063275.exe
[FUND] Ist das Trojanische Pferd TR/Graftor.43733.1
Beginne mit der Suche in 'D:\' <Helmut>
D:\Helmut\Local Settings\Application Data\Google\GoogleEarth\webdata\f_000140
[WARNUNG] Unerwartetes Dateiende erreicht
D:\Helmut\Local Settings\Application Data\Google\GoogleEarth\webdata\f_00024b
[WARNUNG] Unerwartetes Dateiende erreicht
D:\Helmut\Local Settings\Application Data\Google\GoogleEarth\webdata\f_000283
[WARNUNG] Unerwartetes Dateiende erreicht
D:\Helmut\Local Settings\Application Data\Google\GoogleEarth\webdata\f_000284
[WARNUNG] Unerwartetes Dateiende erreicht
D:\Helmut\Local Settings\Application Data\Google\GoogleEarth\webdata\f_0002a8
[WARNUNG] Unerwartetes Dateiende erreicht
D:\Helmut\Local Settings\Application Data\Google\GoogleEarth\webdata\f_0003f9
[WARNUNG] Unerwartetes Dateiende erreicht
D:\Helmut\Local Settings\Application Data\Google\GoogleEarth\webdata\f_00043b
[WARNUNG] Unerwartetes Dateiende erreicht
D:\Helmut\Local Settings\Application Data\Google\GoogleEarth\webdata\f_00043c
[WARNUNG] Unerwartetes Dateiende erreicht
D:\Helmut\Local Settings\Application Data\Google\GoogleEarth\webdata\f_00049f
[WARNUNG] Unerwartetes Dateiende erreicht
D:\Helmut\Local Settings\Application Data\Google\GoogleEarth\webdata\f_0004b7
[WARNUNG] Unerwartetes Dateiende erreicht
D:\Helmut\Local Settings\Application Data\Google\GoogleEarth\webdata\f_000519
[WARNUNG] Unerwartetes Dateiende erreicht
D:\Helmut\Local Settings\Application Data\Google\GoogleEarth\webdata\f_00051c
[WARNUNG] Unerwartetes Dateiende erreicht
D:\Helmut\Local Settings\Application Data\Google\GoogleEarth\webdata\f_000551
[WARNUNG] Unerwartetes Dateiende erreicht
D:\Helmut\Local Settings\Application Data\Google\GoogleEarth\webdata\f_000556
[WARNUNG] Unerwartetes Dateiende erreicht
D:\Helmut\Local Settings\Application Data\Google\GoogleEarth\webdata\f_00055a
[WARNUNG] Unerwartetes Dateiende erreicht
D:\Helmut\Local Settings\Application Data\Google\GoogleEarth\webdata\f_00055e
[WARNUNG] Unerwartetes Dateiende erreicht
D:\Helmut\Local Settings\Application Data\Google\GoogleEarth\webdata\f_0005f9
[WARNUNG] Unerwartetes Dateiende erreicht
D:\Helmut\Local Settings\Application Data\Google\GoogleEarth\webdata\f_00074a
[WARNUNG] Unerwartetes Dateiende erreicht
D:\Helmut\Local Settings\Application Data\Google\GoogleEarth\webdata\f_0008c9
[WARNUNG] Unerwartetes Dateiende erreicht
D:\Helmut\Local Settings\Application Data\Google\GoogleEarth\webdata\f_0009f7
[WARNUNG] Unerwartetes Dateiende erreicht
D:\Helmut\Local Settings\Application Data\Google\GoogleEarth\webdata\f_0009fe
[WARNUNG] Unerwartetes Dateiende erreicht
D:\Helmut\Local Settings\Application Data\Google\GoogleEarth\webdata\f_000a56
[WARNUNG] Unerwartetes Dateiende erreicht
D:\Helmut\Local Settings\Application Data\Google\GoogleEarth\webdata\f_000a5a
[WARNUNG] Unerwartetes Dateiende erreicht
D:\Helmut\Local Settings\Application Data\Google\GoogleEarth\webdata\f_000a78
[WARNUNG] Unerwartetes Dateiende erreicht
D:\Helmut\Local Settings\Application Data\Google\GoogleEarth\webdata\f_000b20
[WARNUNG] Unerwartetes Dateiende erreicht
D:\Helmut\Local Settings\Application Data\Google\GoogleEarth\webdata\f_000b37
[WARNUNG] Unerwartetes Dateiende erreicht
D:\Helmut\Local Settings\Application Data\Google\GoogleEarth\webdata\f_000b3a
[WARNUNG] Unerwartetes Dateiende erreicht
D:\Helmut\Local Settings\Application Data\Google\GoogleEarth\webdata\f_000b56
[WARNUNG] Unerwartetes Dateiende erreicht
D:\Helmut\Local Settings\Application Data\Google\GoogleEarth\webdata\f_000b61
[WARNUNG] Unerwartetes Dateiende erreicht
D:\Helmut\Local Settings\Application Data\Google\GoogleEarth\webdata\f_000b71
[WARNUNG] Unerwartetes Dateiende erreicht
D:\Helmut\Local Settings\Application Data\Google\GoogleEarth\webdata\f_000bdc
[WARNUNG] Unerwartetes Dateiende erreicht
D:\Helmut\Local Settings\Application Data\Google\GoogleEarth\webdata\f_000bdd
[WARNUNG] Unerwartetes Dateiende erreicht
D:\Helmut\Local Settings\Application Data\Google\GoogleEarth\webdata\f_000be2
[WARNUNG] Unerwartetes Dateiende erreicht
D:\Helmut\Local Settings\Temp\jar_cache320196147405943364.tmp
[0] Archivtyp: ZIP
--> VzOWFJswBu.class
[FUND] Enthält Erkennungsmuster des Java-Virus JAVA/Dldr.Lamar.JO
--> xrrkgetg.class
[FUND] Enthält Erkennungsmuster des Exploits EXP/2012-4681.AB.3
--> NmzSdGA.class
[FUND] Enthält Erkennungsmuster des Java-Virus JAVA/Dldr.Kara.BA.1
--> bPrjEETMD.class
[FUND] Enthält Erkennungsmuster des Exploits EXP/2012-4681.AC.2
--> jICUzGmGD.class
[FUND] Enthält Erkennungsmuster des Java-Virus JAVA/Dldr.Themod.AK
--> lFNUde.class
[FUND] Enthält Erkennungsmuster des Exploits EXP/2010-0840.CR.3
--> mVE.class
[FUND] Enthält Erkennungsmuster des Java-Virus JAVA/Dldr.Lamar.JP
--> PJrr.class
[FUND] Enthält Erkennungsmuster des Java-Virus JAVA/Dldr.Lamar.JQ
--> SsFK.class
[FUND] Enthält Erkennungsmuster des Exploits EXP/2012-0507.CT.1
--> tBdrpKh.class
[FUND] Enthält Erkennungsmuster des Java-Virus JAVA/Dldr.Kara.BB.1
--> UHaPepzJ.class
[FUND] Enthält Erkennungsmuster des Java-Virus JAVA/Dldr.Dermit.AF
D:\Helmut\Local Settings\Temp\jar_cache7902889001520540287.tmp
[0] Archivtyp: ZIP
--> VzOWFJswBu.class
[FUND] Enthält Erkennungsmuster des Java-Virus JAVA/Dldr.Lamar.JO
--> xrrkgetg.class
[FUND] Enthält Erkennungsmuster des Exploits EXP/2012-4681.AB.3
--> NmzSdGA.class
[FUND] Enthält Erkennungsmuster des Java-Virus JAVA/Dldr.Kara.BA.1
--> bPrjEETMD.class
[FUND] Enthält Erkennungsmuster des Exploits EXP/2012-4681.AC.2
--> jICUzGmGD.class
[FUND] Enthält Erkennungsmuster des Java-Virus JAVA/Dldr.Themod.AK
--> lFNUde.class
[FUND] Enthält Erkennungsmuster des Exploits EXP/2010-0840.CR.3
--> mVE.class
[FUND] Enthält Erkennungsmuster des Java-Virus JAVA/Dldr.Lamar.JP
--> PJrr.class
[FUND] Enthält Erkennungsmuster des Java-Virus JAVA/Dldr.Lamar.JQ
--> SsFK.class
[FUND] Enthält Erkennungsmuster des Exploits EXP/2012-0507.CT.1
--> tBdrpKh.class
[FUND] Enthält Erkennungsmuster des Java-Virus JAVA/Dldr.Kara.BB.1
--> UHaPepzJ.class
[FUND] Enthält Erkennungsmuster des Java-Virus JAVA/Dldr.Dermit.AF
D:\Helmut\My Documents\Downloads\avira_free_antivirus_de.exe
[WARNUNG] Die Datei ist kennwortgeschützt
D:\Helmut\My Documents\Downloads\pb-setup-5.3.0202.exe
[WARNUNG] Unerwartetes Dateiende erreicht
D:\Helmut\My Documents\Installationsdateien\OOo_2.0.0_Win32Intel_install_de.exe
[WARNUNG] Die Version dieses Archives wird nicht unterstützt
D:\Helmut\My Documents\Installationsdateien\OOo_2.3.0_Win32Intel_install_wJRE_en-US.exe
[WARNUNG] Die Version dieses Archives wird nicht unterstützt
D:\Helmut\My Documents\Installationsdateien\Vorbereitungskurs auf die Fischerprüfung\start.exe
[WARNUNG] Die Datei ist kennwortgeschützt
D:\Helmut\My Documents\Installationsdateien\Vorbereitungskurs auf die Fischerprüfung\vorbereitungskurs auf die fischerprüfung. Angelschein NRW.rar
[WARNUNG] Die Datei ist kennwortgeschützt
D:\Helmut\My Documents\Studium\TU München\Physik Praktikum Teil 3\Dopplerfreie Sättigungsspektroskopie\Dopplerfreie Sättigungs.dat
[WARNUNG] Unerwartetes Dateiende erreicht
D:\Helmut\My Documents\WSI-Dateien\Sonstiges\TUM_Neue_Helvetica.zip
[WARNUNG] Die Datei ist kennwortgeschützt
Beginne mit der Suche in 'E:\' <Monika>
Beginne mit der Suche in 'F:\' <Rita>
Beginne mit der Suche in 'M:\' <Iomega HDD>
M:\Backup\LwD\Helmut\Local Settings\Application Data\Google\GoogleEarth\webdata\f_000140.gz
[WARNUNG] Unerwartetes Dateiende erreicht
M:\Backup\LwD\Helmut\Local Settings\Application Data\Google\GoogleEarth\webdata\f_00024b.gz
[WARNUNG] Unerwartetes Dateiende erreicht
M:\Backup\LwD\Helmut\Local Settings\Application Data\Google\GoogleEarth\webdata\f_000283.gz
[WARNUNG] Unerwartetes Dateiende erreicht
M:\Backup\LwD\Helmut\Local Settings\Application Data\Google\GoogleEarth\webdata\f_000284.gz
[WARNUNG] Unerwartetes Dateiende erreicht
M:\Backup\LwD\Helmut\Local Settings\Application Data\Google\GoogleEarth\webdata\f_0002a8.gz
[WARNUNG] Unerwartetes Dateiende erreicht
M:\Backup\LwD\Helmut\Local Settings\Application Data\Google\GoogleEarth\webdata\f_0003f9.gz
[WARNUNG] Unerwartetes Dateiende erreicht
M:\Backup\LwD\Helmut\Local Settings\Application Data\Google\GoogleEarth\webdata\f_00043b.gz
[WARNUNG] Unerwartetes Dateiende erreicht
M:\Backup\LwD\Helmut\Local Settings\Application Data\Google\GoogleEarth\webdata\f_00043c.gz
[WARNUNG] Unerwartetes Dateiende erreicht
M:\Backup\LwD\Helmut\Local Settings\Application Data\Google\GoogleEarth\webdata\f_00049f.gz
[WARNUNG] Unerwartetes Dateiende erreicht
M:\Backup\LwD\Helmut\Local Settings\Application Data\Google\GoogleEarth\webdata\f_0004b7.gz
[WARNUNG] Unerwartetes Dateiende erreicht
M:\Backup\LwD\Helmut\Local Settings\Application Data\Google\GoogleEarth\webdata\f_000519.gz
[WARNUNG] Unerwartetes Dateiende erreicht
M:\Backup\LwD\Helmut\Local Settings\Application Data\Google\GoogleEarth\webdata\f_00051c.gz
[WARNUNG] Unerwartetes Dateiende erreicht
M:\Backup\LwD\Helmut\Local Settings\Application Data\Google\GoogleEarth\webdata\f_000551.gz
[WARNUNG] Unerwartetes Dateiende erreicht
M:\Backup\LwD\Helmut\Local Settings\Application Data\Google\GoogleEarth\webdata\f_000556.gz
[WARNUNG] Unerwartetes Dateiende erreicht
M:\Backup\LwD\Helmut\Local Settings\Application Data\Google\GoogleEarth\webdata\f_000559.gz
[WARNUNG] Unerwartetes Dateiende erreicht
M:\Backup\LwD\Helmut\Local Settings\Application Data\Google\GoogleEarth\webdata\f_00055a.gz
[WARNUNG] Unerwartetes Dateiende erreicht
M:\Backup\LwD\Helmut\Local Settings\Application Data\Google\GoogleEarth\webdata\f_00055b.gz
[WARNUNG] Unerwartetes Dateiende erreicht
M:\Backup\LwD\Helmut\Local Settings\Application Data\Google\GoogleEarth\webdata\f_00055e.gz
[WARNUNG] Unerwartetes Dateiende erreicht
M:\Backup\LwD\Helmut\Local Settings\Application Data\Google\GoogleEarth\webdata\f_0005f4.gz
[WARNUNG] Unerwartetes Dateiende erreicht
M:\Backup\LwD\Helmut\Local Settings\Application Data\Google\GoogleEarth\webdata\f_0005f9.gz
[WARNUNG] Unerwartetes Dateiende erreicht
M:\Backup\LwD\Helmut\Local Settings\Application Data\Google\GoogleEarth\webdata\f_00074a.gz
[WARNUNG] Unerwartetes Dateiende erreicht
M:\Backup\LwD\Helmut\Local Settings\Application Data\Google\GoogleEarth\webdata\f_0008c9.gz
[WARNUNG] Unerwartetes Dateiende erreicht
M:\Backup\LwD\Helmut\Local Settings\Application Data\Google\GoogleEarth\webdata\f_0009f7.gz
[WARNUNG] Unerwartetes Dateiende erreicht
M:\Backup\LwD\Helmut\Local Settings\Application Data\Google\GoogleEarth\webdata\f_0009fe.gz
[WARNUNG] Unerwartetes Dateiende erreicht
M:\Backup\LwD\Helmut\Local Settings\Application Data\Google\GoogleEarth\webdata\f_000a56.gz
[WARNUNG] Unerwartetes Dateiende erreicht
M:\Backup\LwD\Helmut\Local Settings\Application Data\Google\GoogleEarth\webdata\f_000a5a.gz
[WARNUNG] Unerwartetes Dateiende erreicht
M:\Backup\LwD\Helmut\Local Settings\Application Data\Google\GoogleEarth\webdata\f_000a78.gz
[WARNUNG] Unerwartetes Dateiende erreicht
M:\Backup\LwD\Helmut\Local Settings\Application Data\Google\GoogleEarth\webdata\f_000b20.gz
[WARNUNG] Unerwartetes Dateiende erreicht
M:\Backup\LwD\Helmut\Local Settings\Application Data\Google\GoogleEarth\webdata\f_000b37.gz
[WARNUNG] Unerwartetes Dateiende erreicht
M:\Backup\LwD\Helmut\Local Settings\Application Data\Google\GoogleEarth\webdata\f_000b3a.gz
[WARNUNG] Unerwartetes Dateiende erreicht
M:\Backup\LwD\Helmut\Local Settings\Application Data\Google\GoogleEarth\webdata\f_000b56.gz
[WARNUNG] Unerwartetes Dateiende erreicht
M:\Backup\LwD\Helmut\Local Settings\Application Data\Google\GoogleEarth\webdata\f_000b61.gz
[WARNUNG] Unerwartetes Dateiende erreicht
M:\Backup\LwD\Helmut\Local Settings\Application Data\Google\GoogleEarth\webdata\f_000b71.gz
[WARNUNG] Unerwartetes Dateiende erreicht
M:\Backup\LwD\Helmut\Local Settings\Application Data\Google\GoogleEarth\webdata\f_000bdc.gz
[WARNUNG] Unerwartetes Dateiende erreicht
M:\Backup\LwD\Helmut\Local Settings\Application Data\Google\GoogleEarth\webdata\f_000bdd.gz
[WARNUNG] Unerwartetes Dateiende erreicht
M:\Backup\LwD\Helmut\Local Settings\Application Data\Google\GoogleEarth\webdata\f_000be2.gz
[WARNUNG] Unerwartetes Dateiende erreicht
M:\Backup\LwD\Helmut\My Documents\Downloads\avira_free_antivirus_de.exe.gz
[WARNUNG] Die Datei ist kennwortgeschützt
M:\Backup\LwD\Helmut\My Documents\Downloads\pb-setup-5.3.0202.exe.gz
[WARNUNG] Unerwartetes Dateiende erreicht
M:\Backup\LwD\Helmut\My Documents\Installationsdateien\need for speed hot persuit 2.zip
[0] Archivtyp: ZIP
--> Need_for_Speed_Hot_Pursuit_2-CLS/clshp206.zip
[1] Archivtyp: ZIP
--> nfshp2.c04
[2] Archivtyp: ACE
--> RegSetup.exe
[FUND] Ist das Trojanische Pferd TR/Crypt.XPACK.Gen
[WARNUNG] Einige Dateien dieses Archives sind auf mehrere Teilarchive verteilt (multiple volume)
M:\Backup\LwD\Helmut\My Documents\Installationsdateien\OOo_2.0.0_Win32Intel_install_de.exe.gz
[WARNUNG] Die Version dieses Archives wird nicht unterstützt
M:\Backup\LwD\Helmut\My Documents\Installationsdateien\OOo_2.3.0_Win32Intel_install_wJRE_en-US.exe.gz
[WARNUNG] Die Version dieses Archives wird nicht unterstützt
M:\Backup\LwD\Helmut\My Documents\Installationsdateien\Vorbereitungskurs auf die Fischerprüfung\start.exe.gz
[WARNUNG] Die Datei ist kennwortgeschützt
M:\Backup\LwD\Helmut\My Documents\Installationsdateien\Vorbereitungskurs auf die Fischerprüfung\vorbereitungskurs auf die fischerprüfung. Angelschein NRW.rar.gz
[WARNUNG] Die Datei ist kennwortgeschützt
M:\Backup\LwD\Helmut\My Documents\Studium\TU München\Physik Praktikum Teil 3\Dopplerfreie Sättigungsspektroskopie\Dopplerfreie Sättigungs.dat.gz
[WARNUNG] Unerwartetes Dateiende erreicht
M:\Backup\LwD\Helmut\My Documents\WSI-Dateien\Sonstiges\TUM_Neue_Helvetica.zip
[WARNUNG] Die Datei ist kennwortgeschützt

Beginne mit der Desinfektion:
M:\Backup\LwD\Helmut\My Documents\Installationsdateien\need for speed hot persuit 2.zip
[FUND] Ist das Trojanische Pferd TR/Crypt.XPACK.Gen
[HINWEIS] Die Datei wurde ins Quarantäneverzeichnis unter dem Namen '527ab0dc.qua' verschoben!
D:\Helmut\Local Settings\Temp\jar_cache7902889001520540287.tmp
[FUND] Enthält Erkennungsmuster des Java-Virus JAVA/Dldr.Dermit.AF
[HINWEIS] Die Datei wurde ins Quarantäneverzeichnis unter dem Namen '4ae09f6b.qua' verschoben!
D:\Helmut\Local Settings\Temp\jar_cache320196147405943364.tmp
[FUND] Enthält Erkennungsmuster des Java-Virus JAVA/Dldr.Dermit.AF
[HINWEIS] Die Datei wurde ins Quarantäneverzeichnis unter dem Namen '18bfc583.qua' verschoben!
C:\System Volume Information\_restore{B9F2CDFE-899E-40A5-BD5B-00736C7819DB}\RP325\A0063275.exe
[FUND] Ist das Trojanische Pferd TR/Graftor.43733.1
[HINWEIS] Die Datei wurde ins Quarantäneverzeichnis unter dem Namen '7eca8a70.qua' verschoben!


Ende des Suchlaufs: Thursday, October 04, 2012 06:44
Benötigte Zeit: 5:05:10 Stunde(n)

Der Suchlauf wurde vollständig durchgeführt.

37971 Verzeichnisse wurden überprüft
1882465 Dateien wurden geprüft
24 Viren bzw. unerwünschte Programme wurden gefunden
0 Dateien wurden als verdächtig eingestuft
0 Dateien wurden gelöscht
0 Viren bzw. unerwünschte Programme wurden repariert
4 Dateien wurden in die Quarantäne verschoben
0 Dateien wurden umbenannt
0 Dateien konnten nicht durchsucht werden
1882441 Dateien ohne Befall
251936 Archive wurden durchsucht
95 Warnungen
4 Hinweise
292056 Objekte wurden beim Rootkitscan durchsucht
0 Versteckte Objekte wurden gefunden

An OTL scan was again not possible, with the same message:

"Acess violation at address CCCC0460. Read of address CCCC0460."

On the bottom of OTL is written:

"Scanning service: AdobeFlashPlayerUpdateSvc..."


To burn a bootable CD is maybe a problem, because for the moment I have no working DVD drive. This is a really strange thing, because about one year ago my old DVD drive was not working anymore and I bought a new one (LG GH22NS70). I installed it and it says the device is working properly, but if I put a CD in the drive it cannot read it. Two weeks ago I bought another one (Samsung SH 222) and it seems that it is also properly installed, but for this drive it is not even possible to open the drive. Could malware be the origin of this problem?

Best regards
Helmut
Helmut13
Regular Member
 
Posts: 75
Joined: May 30th, 2011, 3:05 pm
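The Avira report above ends with 24 findings but only 4 quarantine actions: Avira counts one [FUND] per archive member (11 classes inside each jar_cache file), while quarantine moves the whole container, and the disinfection section only repeats the last detection for each container. The following Python parser is an added example, not code from this thread or from Avira: it extracts every [FUND] with its container file and archive member, reads the [HINWEIS] quarantine lines, and reconciles the counts against the report's own summary. SAMPLE_LOG is a constructed, trimmed excerpt of the log above in the same format, with the summary counts adjusted to match the excerpt.

```python
"""Parse an Avira (AntiVir) full-scan report and reconcile its findings.

Added example; not code from the thread or from Avira. The report format is
taken from the German-language log posted in the thread. SAMPLE_LOG is a
trimmed excerpt of that log, with the summary counts adjusted to the excerpt.
"""
import re
from collections import defaultdict

SAMPLE_LOG = r"""
Beginne mit der Suche in 'C:\'
C:\Program Files\gs\gs9.02\uninstgs.exe
[WARNUNG] Unerwartetes Dateiende erreicht
C:\System Volume Information\_restore{B9F2CDFE-899E-40A5-BD5B-00736C7819DB}\RP325\A0063275.exe
[FUND] Ist das Trojanische Pferd TR/Graftor.43733.1
Beginne mit der Suche in 'D:\' <Helmut>
D:\Helmut\Local Settings\Temp\jar_cache320196147405943364.tmp
[0] Archivtyp: ZIP
--> VzOWFJswBu.class
[FUND] Enthält Erkennungsmuster des Java-Virus JAVA/Dldr.Lamar.JO
--> xrrkgetg.class
[FUND] Enthält Erkennungsmuster des Exploits EXP/2012-4681.AB.3
Beginne mit der Suche in 'M:\' <Iomega HDD>
M:\Backup\LwD\Helmut\My Documents\Installationsdateien\need for speed hot persuit 2.zip
[0] Archivtyp: ZIP
--> Need_for_Speed_Hot_Pursuit_2-CLS/clshp206.zip
[1] Archivtyp: ZIP
--> nfshp2.c04
[2] Archivtyp: ACE
--> RegSetup.exe
[FUND] Ist das Trojanische Pferd TR/Crypt.XPACK.Gen

Beginne mit der Desinfektion:
M:\Backup\LwD\Helmut\My Documents\Installationsdateien\need for speed hot persuit 2.zip
[FUND] Ist das Trojanische Pferd TR/Crypt.XPACK.Gen
[HINWEIS] Die Datei wurde ins Quarantäneverzeichnis unter dem Namen '527ab0dc.qua' verschoben!
D:\Helmut\Local Settings\Temp\jar_cache320196147405943364.tmp
[FUND] Enthält Erkennungsmuster des Exploits EXP/2012-4681.AB.3
[HINWEIS] Die Datei wurde ins Quarantäneverzeichnis unter dem Namen '18bfc583.qua' verschoben!
C:\System Volume Information\_restore{B9F2CDFE-899E-40A5-BD5B-00736C7819DB}\RP325\A0063275.exe
[FUND] Ist das Trojanische Pferd TR/Graftor.43733.1
[HINWEIS] Die Datei wurde ins Quarantäneverzeichnis unter dem Namen '7eca8a70.qua' verschoben!

Ende des Suchlaufs: Thursday, October 04, 2012 06:44
4 Viren bzw. unerwünschte Programme wurden gefunden
3 Dateien wurden in die Quarantäne verschoben
"""

PATH_RE = re.compile(r"^[A-Za-z]:\\")          # a scanned file path, e.g. C:\...
QUA_RE = re.compile(r"'([^']+\.qua)'")          # quarantine file name in a [HINWEIS] line
FOUND_RE = re.compile(r"^(\d+) Viren bzw\. unerwünschte Programme wurden gefunden")
QUARANTINED_RE = re.compile(r"^(\d+) Dateien wurden in die Quarantäne verschoben")


def parse_avira_report(text):
    """Split the report into scan and disinfection phases and extract both."""
    scan_part, _, disinfect_part = text.partition("Beginne mit der Desinfektion:")

    # Scan phase: a path line opens a container; '-->' lines name archive
    # members; each [FUND] belongs to the most recent container and member.
    findings = []
    current_file = current_member = None
    for line in scan_part.splitlines():
        line = line.strip()
        if PATH_RE.match(line):
            current_file, current_member = line, None
        elif line.startswith("-->"):
            current_member = line[3:].strip()
        elif line.startswith("[FUND]"):
            findings.append({"file": current_file, "member": current_member,
                             "detection": line.split()[-1]})  # last token is the signature name

    # Disinfection phase: one path line plus a [HINWEIS] per quarantined container.
    quarantined = {}
    summary = {"found": None, "quarantined": None}
    current_file = None
    for line in disinfect_part.splitlines():
        line = line.strip()
        if PATH_RE.match(line):
            current_file = line
        elif line.startswith("[HINWEIS]"):
            m = QUA_RE.search(line)
            if m and current_file:
                quarantined[current_file] = m.group(1)
        else:
            m = FOUND_RE.match(line)
            if m:
                summary["found"] = int(m.group(1))
            m = QUARANTINED_RE.match(line)
            if m:
                summary["quarantined"] = int(m.group(1))
    return {"findings": findings, "quarantined": quarantined, "summary": summary}


def reconcile(report):
    """Group findings per container and check the counts against the summary."""
    by_file = defaultdict(list)
    for f in report["findings"]:
        by_file[f["file"]].append(f["detection"])
    not_quarantined = sorted(p for p in by_file if p not in report["quarantined"])
    return {
        "findings": len(report["findings"]),
        "containers": len(by_file),
        "quarantined": len(report["quarantined"]),
        "by_file": dict(by_file),
        "not_quarantined": not_quarantined,          # containers still needing action
        "findings_match_summary": len(report["findings"]) == report["summary"]["found"],
        "quarantine_match_summary": len(report["quarantined"]) == report["summary"]["quarantined"],
    }


if __name__ == "__main__":
    result = reconcile(parse_avira_report(SAMPLE_LOG))
    for path, detections in result["by_file"].items():
        print(f"{len(detections):2d} detection(s) in {path}")
    print("containers not quarantined:", result["not_quarantined"] or "none")
```

Run against the full log from the post, the same parser yields 24 findings in 4 containers and 4 quarantine entries, which is exactly what the report's summary states; a non-empty `not_quarantined` list is the signal that a container still needs a manual decision. Note that one of the quarantined containers lives under System Volume Information, i.e. inside a System Restore point, which is why a restore to RP325 would bring the TR/Graftor sample back.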

Re: File recovery virus with logs

Unread postby askey127 » October 4th, 2012, 7:10 am

Helmut13,
The inability to run OTL may have been caused by a bug in the particular version you have.
Please delete the copy of OTL.exe you have, and download a new copy onto the infected machine.
---------------------------------------------
Download the OTL Scanner
Please download OTL.exe by OldTimer and save it to your desktop.
---------------------------------------------
If you are still using a Flash drive for transfer, please also download this file, which we will use later.
Please download SystemLook from the link below and save it to your Desktop.
Download Mirror #1 (32-bit)
----------------------------------------------
Perform a Custom Fix with OTL
Run OTL
  • In the Custom Scans/Fixes box at the bottom, paste in the following lines from the Code box (Do not include the word "Code"):
    :Files
    C:\Documents and Settings\All Users\Application Data\HiJChosD3n2DEw.exe
    
    :Commands
    [emptyjava]
    [emptyflash] 
    [EMPTYTEMP]
    
  • Then click the Run Fix button at the top.
  • Let the program run unhindered, and click to allow the Reboot when it is done.
    When the computer Reboots, and you start your usual account, a Notepad text file will appear.
  • Copy the contents of that file and post it in your next reply.
    The file will also be available and named by timestamp here: C:\_OTL\Moved Files\mmddyyyy_hhmmss.log

Let me know how it goes.
askey127
askey127
Admin/Teacher
Posts: 13903
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: File recovery virus with logs

Unread postby Helmut13 » October 4th, 2012, 6:12 pm

Hi askey127,

the log is:

All processes killed
========== FILES ==========
File\Folder C:\Documents and Settings\All Users\Application Data\HiJChosD3n2DEw.exe not found.
========== COMMANDS ==========

[EMPTYJAVA]

User: Helmut
->Java cache emptied: 23183 bytes

User: RECYCLER

User: System Volume Information

User: _OTL

Total Java Files Cleaned = 0,00 mb


[EMPTYFLASH]

User: Helmut
->Flash cache emptied: 1116 bytes

User: RECYCLER

User: System Volume Information

User: _OTL

Total Flash Files Cleaned = 0,00 mb


[EMPTYTEMP]

User: Helmut
->Temp folder emptied: 652419337 bytes
->Temporary Internet Files folder emptied: 143890109 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 60467688 bytes
->Flash cache emptied: 0 bytes

User: RECYCLER

User: System Volume Information

User: _OTL

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 9818432 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 265974119 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 598344453 bytes

Total Files Cleaned = 1.651,00 mb


OTL by OldTimer - Version 3.2.70.2 log created on 10052012_000433

Files\Folders moved on Reboot...

PendingFileRenameOperations files...

Registry entries deleted on Reboot...

Helmut
Helmut13
Regular Member
 
Posts: 75
Joined: May 30th, 2011, 3:05 pm

Re: File recovery virus with logs

Unread postby askey127 » October 4th, 2012, 6:24 pm

Helmut13,
Good.
---------------------------------------------
Run A SystemLook Scan
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :dir
    C:\Documents and Settings\All Users\Application Data /n*.exe
    
    
  • Click the Look button to start the scan.
    Because of the Registry searches, the scan may take 15 minutes or a bit more to run on a large machine. Please be patient.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The results log can also be found on your Desktop, entitled SystemLook.txt
---------------------------------------------
Run a Scan with OTL
  • For WinXP, double click on the OTL icon to run it.
  • For Vista or Win7, right click the icon and choose "Run as administrator".
  • Check the boxes labeled:
    • Scan All Users
    • LOP check
    • Purity check
    • Extra Registry > Use SafeList
  • Make sure all other windows are closed to let it run uninterrupted.
  • Click on the Run Scan button at the top left hand corner. Do not change any settings unless otherwise told to do so.
    When the scan starts, OTL may appear to be frozen while it runs. Please be patient.
When the scan completes, it will open two notepad windows: OTL.Txt and Extras.Txt. These are saved in the same location as OTL (desktop).
OTL.txt will be open on your desktop, and Extras.txt MAY be minimized in your taskbar.
The Extras.txt file will only appear as a running Notepad document the very first time you run OTL. If it doesn't show up, it's OK.
Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them as a reply. Use separate replies if more convenient.

So we are looking for the SystemLook log and the OTL.txt log, along with Extras.txt if available.

askey127
askey127
Admin/Teacher
Posts: 13903
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: File recovery virus with logs

Unread postby Helmut13 » October 5th, 2012, 12:09 pm

Hi askey127,

the SystemLook took only a few seconds:

SystemLook 30.07.11 by jpshortstuff
Log created at 06:58 on 05/10/2012 by Helmut
Administrator - Elevation successful

========== dir ==========

C:\Documents and Settings\All Users\Application Data - Parameters: "/n*.exe"

---Files---
None found.

---Folders---
Adobe d------ [19:07 05/04/2011]
Avira d------ [17:28 17/10/2011]
boost_interprocess d------ [07:05 12/11/2011]
Buhl Data Service GmbH d------ [12:11 01/01/2012]
Canneverbe Limited d------ [13:13 15/01/2012]
CanonBJ d------ [15:52 22/05/2011]
CanonIJEGV d------ [17:37 19/12/2011]
CanonIJScan d------ [11:37 10/08/2011]
FreePDF d------ [17:10 29/05/2011]
Malwarebytes d------ [18:18 30/05/2011]
Microsoft d---s-- [19:16 05/04/2011]
Mozilla d------ [10:22 06/05/2012]
Spybot - Search & Destroy d------ [18:55 05/04/2011]
Sun d------ [17:18 23/04/2011]
TEMP d-a---- [20:08 14/12/2011]
Windows Genuine Advantage d------ [17:51 08/04/2011]

-= EOF =-

and the OTL logs:

OTL logfile created on: 05.10.2012 07:00:21 - Run 5
OTL by OldTimer - Version 3.2.70.2 Folder = D:\Helmut\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000407 | Country: Germany | Language: DEU | Date Format: dd.MM.yyyy

1014,07 Mb Total Physical Memory | 618,04 Mb Available Physical Memory | 60,95% Memory free
2,38 Gb Paging File | 2,04 Gb Available in Paging File | 85,58% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74,50 Gb Total Space | 58,79 Gb Free Space | 78,91% Space Free | Partition Type: NTFS
Drive D: | 345,58 Gb Total Space | 279,28 Gb Free Space | 80,82% Space Free | Partition Type: NTFS
Drive E: | 292,97 Gb Total Space | 252,78 Gb Free Space | 86,28% Space Free | Partition Type: NTFS
Drive F: | 292,96 Gb Total Space | 283,67 Gb Free Space | 96,83% Space Free | Partition Type: NTFS
Drive M: | 931,51 Gb Total Space | 781,07 Gb Free Space | 83,85% Space Free | Partition Type: NTFS

Computer Name: COMPUTER | User Name: Helmut | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012.10.04 19:30:04 | 000,601,088 | ---- | M] (OldTimer Tools) -- D:\Helmut\Desktop\OTL.exe
PRC - [2012.08.08 19:52:12 | 000,348,664 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
PRC - [2012.07.05 22:07:00 | 000,161,704 | ---- | M] (Oracle Corporation) -- C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe
PRC - [2012.05.08 20:55:17 | 000,110,032 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe
PRC - [2012.05.08 20:55:17 | 000,086,224 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe
PRC - [2012.05.08 20:55:17 | 000,080,336 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
PRC - [2012.01.17 11:07:58 | 000,505,736 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Common Files\Java\Java Update\jucheck.exe
PRC - [2011.01.17 18:50:34 | 011,322,880 | ---- | M] (OpenOffice.org) -- C:\Program Files\OpenOffice.org 3\program\soffice.exe
PRC - [2011.01.17 18:50:34 | 011,314,688 | ---- | M] (OpenOffice.org) -- C:\Program Files\OpenOffice.org 3\program\soffice.bin
PRC - [2010.06.17 21:56:44 | 000,370,176 | ---- | M] (shbox.de) -- C:\Program Files\FreePDF_XP\fpassist.exe
PRC - [2010.03.04 23:38:00 | 000,071,096 | ---- | M] () -- C:\Program Files\CDBurnerXP\NMSAccessU.exe
PRC - [2008.04.14 02:12:19 | 001,033,728 | -H-- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2005.08.30 14:54:10 | 000,290,816 | ---- | M] (Wave Systems Corp.) -- C:\Program Files\Wave Systems Corp\Common\DataServer.exe
PRC - [2005.03.08 19:46:12 | 000,061,440 | ---- | M] (Broadcom Corporation) -- C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
PRC - [2005.03.07 13:30:46 | 000,180,224 | ---- | M] () -- C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v1.05\bin\tcsd_win32.exe


========== Modules (No Company Name) ==========

MOD - [2012.07.27 22:51:38 | 000,301,056 | ---- | M] () -- C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.DEU
MOD - [2012.05.08 20:55:17 | 000,398,288 | ---- | M] () -- C:\Program Files\Avira\AntiVir Desktop\sqlite3.dll
MOD - [2011.06.30 13:29:03 | 000,985,088 | ---- | M] () -- C:\Program Files\OpenOffice.org 3\program\libxml2.dll
MOD - [2011.02.28 21:42:14 | 000,652,800 | ---- | M] () -- C:\Program Files\IZArc\IZArcCM.dll
MOD - [2010.06.17 21:56:52 | 000,116,224 | ---- | M] () -- C:\WINDOWS\system32\redmonnt.dll
MOD - [2010.03.04 23:38:00 | 000,071,096 | ---- | M] () -- C:\Program Files\CDBurnerXP\NMSAccessU.exe
MOD - [2005.04.19 21:52:40 | 000,282,624 | ---- | M] () -- C:\Program Files\Network Print Monitor\Driver.DLL
MOD - [2005.03.07 13:30:46 | 000,348,160 | ---- | M] () -- C:\WINDOWS\system32\Tsp.dll
MOD - [2005.03.07 13:30:46 | 000,180,224 | ---- | M] () -- C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v1.05\bin\tcsd_win32.exe
MOD - [2005.03.07 13:30:46 | 000,024,576 | ---- | M] () -- C:\WINDOWS\system32\TspPopup_ENU.dll
MOD - [2001.10.28 16:42:30 | 000,116,224 | ---- | M] () -- C:\WINDOWS\system32\pdfcmnnt.dll


========== Services (SafeList) ==========

SRV - [2012.09.22 08:31:34 | 000,250,288 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2012.09.08 08:10:59 | 000,114,144 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
SRV - [2012.07.05 22:07:00 | 000,161,704 | ---- | M] (Oracle Corporation) [Auto | Running] -- C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2012.05.08 20:55:17 | 000,110,032 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2012.05.08 20:55:17 | 000,086,224 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2010.03.04 23:38:00 | 000,071,096 | ---- | M] () [Auto | Running] -- C:\Program Files\CDBurnerXP\NMSAccessU.exe -- (NMSAccess)
SRV - [2005.08.30 14:54:10 | 000,290,816 | ---- | M] (Wave Systems Corp.) [Auto | Running] -- C:\Program Files\Wave Systems Corp\Common\DataServer.exe -- (DataSvr)
SRV - [2005.03.08 19:46:12 | 000,061,440 | ---- | M] (Broadcom Corporation) [Auto | Running] -- C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe -- (ASFIPmon)
SRV - [2005.03.07 13:30:46 | 000,180,224 | ---- | M] () [Auto | Running] -- C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v1.05\bin\tcsd_win32.exe -- (tcsd_win32.exe)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)
DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc)
DRV - File not found [Kernel | System | Stopped] -- -- (i2omgmt)
DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
DRV - [2012.09.25 20:29:51 | 000,040,776 | ---- | M] (Malwarebytes Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mbamswissarmy.sys -- (MBAMSwissArmy)
DRV - [2012.09.25 20:23:56 | 000,035,144 | ---- | M] () [File_System | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mbamchameleon.sys -- (mbamchameleon)
DRV - [2012.05.08 20:55:18 | 000,137,928 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avipbb.sys -- (avipbb)
DRV - [2012.05.08 20:55:18 | 000,083,392 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\avgntflt.sys -- (avgntflt)
DRV - [2011.10.11 15:00:01 | 000,036,000 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avkmgr.sys -- (avkmgr)
DRV - [2010.06.17 15:14:27 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ssmdrv.sys -- (ssmdrv)
DRV - [2009.11.12 14:48:56 | 000,005,504 | ---- | M] () [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\StarOpen.sys -- (StarOpen)
DRV - [2005.05.02 16:51:38 | 000,021,664 | ---- | M] (STMicroelectronics, INC) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\stm_tpm.sys -- (stmtpm)
DRV - [2005.03.17 16:30:10 | 000,132,608 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k)
DRV - [2004.09.17 09:02:54 | 000,732,928 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\senfilt.sys -- (senfilt)
DRV - [2003.04.24 15:21:50 | 000,006,025 | ---- | M] (Broadcom Corporation) [Kernel | Auto | Running] -- C:\Program Files\Broadcom\ASFIPMon\BASFND.sys -- (BASFND)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://dts.search-results.com/sr?src=ie ... 06&sr=0&q={searchTerms}


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-1004336348-1202660629-682003330-1003\..\SearchScopes,DefaultScope = {afdbddaa-5d3f-42ee-b79c-185a7020515b}
IE - HKU\S-1-5-21-1004336348-1202660629-682003330-1003\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2613550
IE - HKU\S-1-5-21-1004336348-1202660629-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: ""
FF - prefs.js..browser.search.order.1: ""
FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.startup.homepage: "www.google.de"
FF - prefs.js..keyword.URL: "http://www.searchqu.com/web?src=ffb&systemid=406&q="
FF - user.js - File not found

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_4_402_265.dll ()
FF - HKLM\Software\MozillaPlugins\@checkpoint.com/FFApi: C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\npFFApi.dll File not found
FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.5.1: C:\WINDOWS\system32\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.5.1: C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=2.0.3: C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=8: C:\Documents and Settings\Helmut\Local Settings\Application Data\Google\Update\1.2.183.39\npGoogleOneClick8.dll File not found

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 15.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012.09.08 08:10:59 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 15.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins

[2011.10.02 14:50:21 | 000,000,000 | ---D | M] (No name found) -- D:\Helmut\Application Data\Mozilla\Extensions
[2012.05.02 19:36:59 | 000,000,000 | ---D | M] (No name found) -- D:\Helmut\Application Data\Mozilla\Firefox\Profiles\96cjgmc7.default\extensions
[2012.09.08 08:10:46 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2012.09.08 08:10:59 | 000,266,720 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2012.02.06 14:06:05 | 000,001,392 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom-de.xml
[2012.09.02 18:52:33 | 000,002,465 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2012.02.06 14:06:05 | 000,001,153 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay-de.xml
[2012.02.06 14:06:05 | 000,006,805 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\leo_ende_de.xml
[2011.11.11 17:44:08 | 000,002,519 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\SearchResults.xml
[2012.02.06 14:06:05 | 000,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia-de.xml
[2012.02.06 14:06:04 | 000,001,105 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-de.xml

O1 HOSTS File: ([2011.06.03 10:58:29 | 000,000,098 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (EWPBrowseObject Class) - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll ()
O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\ssv.dll (Oracle Corporation)
O2 - BHO: (no name) - {9D717F81-9148-4f12-8568-69135F087DB0} - No CLSID value found.
O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jp2ssv.dll (Oracle Corporation)
O3 - HKLM\..\Toolbar: (Easy-WebPrint) - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll ()
O3 - HKLM\..\Toolbar: (no name) - 10 - No CLSID value found.
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira Operations GmbH & Co. KG)
O4 - HKLM..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe (CANON INC.)
O4 - HKLM..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE (CANON INC.)
O4 - HKLM..\Run: [FreePDF Assistant] C:\Program Files\FreePDF_XP\fpassist.exe (shbox.de)
O4 - HKLM..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe File not found
O4 - HKU\S-1-5-21-1004336348-1202660629-682003330-1003..\Run: [HiJChosD3n2DEw] C:\Documents and Settings\All Users\Application Data\HiJChosD3n2DEw.exe File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1004336348-1202660629-682003330-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: Easy-WebPrint Add To Print List - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll ()
O8 - Extra context menu item: Easy-WebPrint High Speed Print - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll ()
O8 - Extra context menu item: Easy-WebPrint Preview - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll ()
O8 - Extra context menu item: Easy-WebPrint Print - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll ()
O9 - Extra Button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - D:\Helmut\Desktop\PartyPoker.lnk ()
O9 - Extra 'Tools' menuitem : PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - D:\Helmut\Desktop\PartyPoker.lnk ()
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab (Java Plug-in 1.6.0_29)
O16 - DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab (Java Plug-in 1.6.0_29)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab (Java Plug-in 1.6.0_29)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shoc ... wflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{3693541E-112A-489D-A212-F5CE43E2213F}: NameServer = 192.168.0.1
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2011.04.05 19:32:12 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2012.10.04 19:30:04 | 000,601,088 | ---- | C] (OldTimer Tools) -- D:\Helmut\Desktop\OTL.exe
[2012.10.02 20:02:49 | 000,000,000 | ---D | C] -- C:\Temp
[2012.10.02 06:55:49 | 000,000,000 | ---D | C] -- D:\Helmut\Desktop\RK_Quarantine
[2012.10.02 06:55:34 | 004,759,381 | ---- | C] (Swearware) -- D:\Helmut\Desktop\ComboFix.exe
[2012.10.02 06:55:27 | 002,212,440 | ---- | C] (Kaspersky Lab ZAO) -- D:\Helmut\Desktop\tdsskiller.exe
[2012.09.26 07:39:32 | 000,607,260 | ---- | C] (Swearware) -- D:\Helmut\Desktop\dds.scr
[2012.09.25 20:23:58 | 000,040,776 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2012.09.25 20:21:06 | 000,000,000 | ---D | C] -- C:\WINDOWS\PIF
[2012.09.25 18:38:42 | 000,000,000 | ---D | C] -- C:\WINDOWS\CSC
[2012.09.25 16:09:16 | 000,000,000 | R--D | C] -- D:\Helmut\Recent
[2012.09.22 08:31:29 | 009,573,296 | ---- | C] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerInstaller.exe
[2012.09.08 08:10:44 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox

========== Files - Modified Within 30 Days ==========

[2012.10.05 06:57:23 | 000,139,264 | ---- | M] () -- D:\Helmut\Desktop\SystemLook(1).exe
[2012.10.05 06:54:17 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012.10.05 06:53:46 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2012.10.05 06:53:19 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012.10.04 23:39:01 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2012.10.04 23:31:00 | 000,001,192 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1004336348-1202660629-682003330-1003UA.job
[2012.10.04 23:31:00 | 000,000,884 | ---- | M] () -- C:\WINDOWS\tasks\Adobe Flash Player Updater.job
[2012.10.04 21:31:01 | 000,001,140 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1004336348-1202660629-682003330-1003Core.job
[2012.10.04 19:30:04 | 000,601,088 | ---- | M] (OldTimer Tools) -- D:\Helmut\Desktop\OTL.exe
[2012.10.04 19:27:56 | 000,001,720 | ---- | M] () -- D:\Helmut\Desktop\Entfernen des Avira DE-Cleaners.lnk
[2012.10.04 19:27:56 | 000,001,649 | ---- | M] () -- D:\Helmut\Desktop\Avira DE-Cleaner.lnk
[2012.10.03 21:25:54 | 000,002,435 | ---- | M] () -- D:\Helmut\Application Data\Microsoft\Internet Explorer\Quick Launch\Microsoft Office Excel 2003 (2).lnk
[2012.10.02 06:48:36 | 004,759,381 | ---- | M] (Swearware) -- D:\Helmut\Desktop\ComboFix.exe
[2012.10.02 06:47:44 | 002,212,440 | ---- | M] (Kaspersky Lab ZAO) -- D:\Helmut\Desktop\tdsskiller.exe
[2012.10.02 06:47:32 | 001,412,096 | ---- | M] () -- D:\Helmut\Desktop\RogueKiller.exe
[2012.09.26 07:39:34 | 000,607,260 | ---- | M] (Swearware) -- D:\Helmut\Desktop\dds.scr
[2012.09.25 20:29:51 | 000,040,776 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2012.09.25 20:23:56 | 000,035,144 | ---- | M] () -- C:\WINDOWS\System32\drivers\mbamchameleon.sys
[2012.09.24 18:04:05 | 000,000,600 | ---- | M] () -- D:\Helmut\Local Settings\Application Data\PUTTY.RND
[2012.09.22 08:31:33 | 000,696,240 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerApp.exe
[2012.09.22 08:31:33 | 000,073,136 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl
[2012.09.22 08:31:30 | 009,573,296 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerInstaller.exe
[2012.09.21 17:11:04 | 000,067,712 | ---- | M] () -- D:\Helmut\Desktop\Bestrahlungsmaske.pdf
[2012.09.20 22:10:31 | 000,000,000 | ---- | M] () -- D:\Helmut\Start Menu\Programs\Startup\Persbackup.lnk
[2012.09.12 19:51:51 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2012.09.12 18:47:14 | 000,002,403 | ---- | M] () -- D:\Helmut\Application Data\Microsoft\Internet Explorer\Quick Launch\Microsoft Office Word 2003 (2).lnk
[2012.09.07 17:04:46 | 000,022,856 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2012.09.07 16:54:36 | 008,054,023 | ---- | M] () -- D:\Helmut\Desktop\Diplomarbeit.pdf
[2012.09.06 21:18:16 | 000,716,043 | ---- | M] () -- D:\Helmut\Desktop\denk_rollkasten_001.pdf

========== Files Created - No Company Name ==========

[2012.10.05 06:57:24 | 000,139,264 | ---- | C] () -- D:\Helmut\Desktop\SystemLook(1).exe
[2012.10.04 19:27:56 | 000,001,720 | ---- | C] () -- D:\Helmut\Desktop\Entfernen des Avira DE-Cleaners.lnk
[2012.10.04 19:27:56 | 000,001,649 | ---- | C] () -- D:\Helmut\Desktop\Avira DE-Cleaner.lnk
[2012.10.02 06:55:31 | 001,412,096 | ---- | C] () -- D:\Helmut\Desktop\RogueKiller.exe
[2012.09.25 20:23:56 | 000,035,144 | ---- | C] () -- C:\WINDOWS\System32\drivers\mbamchameleon.sys
[2012.09.21 17:11:04 | 000,067,712 | ---- | C] () -- D:\Helmut\Desktop\Bestrahlungsmaske.pdf
[2012.09.07 16:54:25 | 008,054,023 | ---- | C] () -- D:\Helmut\Desktop\Diplomarbeit.pdf
[2012.09.06 21:18:16 | 000,716,043 | ---- | C] () -- D:\Helmut\Desktop\denk_rollkasten_001.pdf
[2012.02.16 21:35:41 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2012.01.15 15:12:25 | 000,005,504 | ---- | C] () -- C:\WINDOWS\System32\drivers\StarOpen.sys
[2012.01.01 17:18:11 | 000,000,018 | ---- | C] () -- C:\WINDOWS\ssetup.ini
[2012.01.01 14:51:35 | 000,000,534 | ---- | C] () -- C:\WINDOWS\wiso.ini
[2011.10.02 14:48:50 | 000,020,480 | ---- | C] () -- D:\Helmut\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011.10.02 14:48:50 | 000,000,600 | ---- | C] () -- D:\Helmut\Local Settings\Application Data\PUTTY.RND
[2011.10.02 14:48:50 | 000,000,129 | ---- | C] () -- D:\Helmut\Local Settings\Application Data\fusioncache.dat
[2011.10.02 13:48:03 | 003,145,728 | ---- | C] () -- D:\Helmut\NTUSER.bak
[2011.05.29 19:10:20 | 000,116,224 | ---- | C] () -- C:\WINDOWS\System32\redmonnt.dll
[2011.05.29 19:10:20 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\unredmon.exe
[2011.05.10 20:55:35 | 000,116,224 | ---- | C] () -- C:\WINDOWS\System32\pdfcmnnt.dll
[2011.04.05 21:22:36 | 000,000,400 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2011.04.05 21:19:44 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2011.04.05 21:16:07 | 000,303,624 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011.04.05 21:12:56 | 000,004,212 | ---- | C] () -- C:\WINDOWS\System32\zllictbl.dat
[2011.04.05 21:04:49 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2011.04.05 19:34:56 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2011.04.05 19:28:55 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat

========== ZeroAccess Check ==========

[2011.04.05 20:56:18 | 000,000,227 | RHS- | M] () -- C:\WINDOWS\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shdocvw.dll -- [2012.08.30 22:29:36 | 001,510,400 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = C:\WINDOWS\system32\wbem\fastprox.dll -- [2009.02.09 14:10:48 | 000,473,600 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = C:\WINDOWS\system32\wbem\wbemess.dll -- [2008.04.14 02:12:08 | 000,273,920 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

========== LOP Check ==========

[2012.01.01 14:52:03 | 000,000,000 | ---D | M] -- D:\Helmut\Application Data\Buhl Data Service
[2012.01.15 15:13:06 | 000,000,000 | ---D | M] -- D:\Helmut\Application Data\Canneverbe Limited
[2011.10.02 14:50:24 | 000,000,000 | ---D | M] -- D:\Helmut\Application Data\Canon
[2011.10.02 14:50:24 | 000,000,000 | ---D | M] -- D:\Helmut\Application Data\CD-LabelPrint
[2011.10.02 14:50:24 | 000,000,000 | ---D | M] -- D:\Helmut\Application Data\CheckPoint
[2012.06.11 16:11:03 | 000,000,000 | ---D | M] -- D:\Helmut\Application Data\OpenOffice.org
[2011.10.02 14:50:18 | 000,000,000 | ---D | M] -- D:\Helmut\Application Data\PersBackup5

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 109 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:C64BF02A

< End of report >


OTL Extras logfile created on: 05.10.2012 07:00:21 - Run 5
OTL by OldTimer - Version 3.2.70.2 Folder = D:\Helmut\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000407 | Country: Germany | Language: DEU | Date Format: dd.MM.yyyy

1014,07 Mb Total Physical Memory | 618,04 Mb Available Physical Memory | 60,95% Memory free
2,38 Gb Paging File | 2,04 Gb Available in Paging File | 85,58% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74,50 Gb Total Space | 58,79 Gb Free Space | 78,91% Space Free | Partition Type: NTFS
Drive D: | 345,58 Gb Total Space | 279,28 Gb Free Space | 80,82% Space Free | Partition Type: NTFS
Drive E: | 292,97 Gb Total Space | 252,78 Gb Free Space | 86,28% Space Free | Partition Type: NTFS
Drive F: | 292,96 Gb Total Space | 283,67 Gb Free Space | 96,83% Space Free | Partition Type: NTFS
Drive M: | 931,51 Gb Total Space | 781,07 Gb Free Space | 83,85% Space Free | Partition Type: NTFS

Computer Name: COMPUTER | User Name: Helmut | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.url [@ = InternetShortcut] -- rundll32.exe shdocvw.dll,OpenURL %l

[HKEY_USERS\S-1-5-21-1004336348-1202660629-682003330-1003\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
InternetShortcut [open] -- rundll32.exe shdocvw.dll,OpenURL %l
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Unable to open value key
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Unable to open value key
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)
"C:\Documents and Settings\Helmut\Local Settings\Application Data\Google\Google Earth\client\googleearth.exe" = C:\Documents and Settings\Helmut\Local Settings\Application Data\Google\Google Earth\client\googleearth.exe:*:Enabled:Google Earth
"D:\Helmut\My Documents\Downloads\GauMelder\GauMelder.exe" = D:\Helmut\My Documents\Downloads\GauMelder\GauMelder.exe:*:Enabled:GauMelder.exe - Schützen für die Gaumeisterschaft anmelden -- (Zech Software für den Schützensport)
"C:\Program Files\Java\jre6\bin\javaw.exe" = C:\Program Files\Java\jre6\bin\javaw.exe:*:Enabled:Java(TM) Platform SE binary -- (Sun Microsystems, Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0001B4FD-9EA3-4D90-A79E-FD14BA3AB01D}" = PDFCreator
"{058B32E2-6310-4359-B2D4-1988390C3B83}" = Broadcom Advanced Control Suite
"{071B9AFA-EBE8-4ABF-8F4A-9F92612F517E}" = Broadcom ASF Management Applications
"{1111706F-666A-4037-7777-211328764D10}" = JavaFX 2.1.1
"{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_iP4300" = Canon iP4300
"{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_CNQ2413" = CanoScan LiDE 100 Scanner Driver
"{1D33BCF7-B5B6-4148-B888-9CC2EC208556}" = Konz 2012
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{268723B7-A994-4286-9F85-B974D5CAFC7B}" = EasyRecovery Professional
"{26A24AE4-039D-4CA4-87B4-2F83216025FF}" = Java(TM) 6 Update 29
"{26A24AE4-039D-4CA4-87B4-2F83217005FF}" = Java(TM) 7 Update 5
"{2804F91A-1F39-4CAE-986A-2C6F88ADE3BE}}_is1" = FOTOParadies
"{28E82311-8616-11E1-BEB0-B8AC6F97B88E}" = Google Earth
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{4286716B-1287-48E7-9078-3DC8248DBA96}" = OpenOffice.org 3.3
"{4785CED6-73B3-45FA-AFE6-EDEDFDE67842}" = Steuer 2011
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{63E949F6-03BC-5C40-FF1F-C8B3B9A1E18E}" = Visual C++ 8.0 CRT.Policy (x86) WinSXS MSM
"{725F7446-EAC3-4279-97EF-5A5F6A9F6BF8}" = STMicroelectronics TPM Software Package
"{7e09afc2-65bd-482f-ba8a-501ecc6429bf}" = NTRU Hybrid TSS v1.05
"{7E265513-8CDA-4631-B696-F40D983F3B07}_is1" = CDBurnerXP
"{85309D89-7BE9-4094-BB17-24999C6118FC}" = ArcSoft PhotoStudio 5.5
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel(R) Graphics Media Accelerator Driver
"{90110407-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{90120000-0020-0407-0000-0000000FF1CE}" = Compatibility Pack für 2007 Office System
"{97C82B44-D408-4F14-9252-47FC1636D23E}_is1" = IZArc 4.1.6
"{98CB24AD-52FB-DB5F-FF1F-C8B3B9A1E18E}" = Visual C++ 8.0 CRT (x86) WinSXS MSM
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A89131FD-3D18-4DA8-84C8-622423011B51}_is1" = ALNO AG Küchenplaner
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC76BA86-7AD7-1031-7B44-AA1000000001}" = Adobe Reader X (10.1.4) - Deutsch
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B7F54262-AB66-44B3-88BF-9FC69941B643}" = Broadcom Gigabit Integrated Controller
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C7B8E06E-EBBC-4210-93AB-DFC8760E3FC9}" = Works Suite-Betriebssystem-Pack
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D28FDA7D-15C6-48A2-9868-6BCB28BE6254}" = Microsoft Picture It! Foto 2001
"{D768EBA6-7C43-4F65-B165-1B1EF9BD5DD8}" = EMBASSY Security Center
"{E9132E61-295C-4377-AF36-CDBE771B7F2D}" = O&O DiskRecovery
"{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX
"{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}" = Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
"{F2260E94-80F2-4CB1-B6B1-6043D9BFFA47}" = Works-Synchronisierung
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
"Avira AntiVir Desktop" = Avira Free Antivirus
"Canon iP4300 User Registration" = Canon iP4300 User Registration
"Canon Setup Utility 2.3" = Canon Setup Utility 2.3
"CanonSolutionMenu" = Canon Utilities Solution Menu
"Easy-PhotoPrint" = Canon Utilities Easy-PhotoPrint
"Easy-PrintToolBox" = Canon Utilities Easy-PrintToolBox
"Easy-WebPrint" = Easy-WebPrint
"ERUNT_is1" = ERUNT 1.1j
"FreePDF_XP" = FreePDF (Remove only)
"GPL Ghostscript" = GPL Ghostscript
"ImageJ_is1" = ImageJ 1.45s
"InstallShield_{1D33BCF7-B5B6-4148-B888-9CC2EC208556}" = Konz 2012
"InstallShield_{268723B7-A994-4286-9F85-B974D5CAFC7B}" = EasyRecovery Professional
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware Version 1.51.2.1300
"MediaNavigation.CDLabelPrint" = CD-LabelPrint
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox 15.0.1 (x86 de)" = Mozilla Firefox 15.0.1 (x86 de)
"MozillaMaintenanceService" = Mozilla Maintenance Service
"MP Navigator EX 2.0" = Canon MP Navigator EX 2.0
"Network Print Monitor" = Network Print Monitor for Windows 2000/XP/2003
"PartyPoker" = PartyPoker
"Personal Backup 5_is1" = Personal Backup 5.3
"Recuva" = Recuva
"Redirection Port Monitor" = RedMon - Redirection Port Monitor
"Shockwave" = Shockwave
"VLC media player" = VLC media player 2.0.3
"Windows XP Service Pack" = Windows XP Service Pack 3
"Works2001Setup" = Microsoft Works 2001-Setup-Start

========== Last 20 Event Log Errors ==========

[ Application Events ]
Error - 13.09.2012 10:55:14 | Computer Name = COMPUTER | Source = Broadcom ASF IP Monitor | ID = 0
Description = !ERROR 53 Refreshing BMAPI data

Error - 17.09.2012 10:53:34 | Computer Name = COMPUTER | Source = Broadcom ASF IP Monitor | ID = 0
Description = !ERROR 53 Refreshing BMAPI data

Error - 18.09.2012 02:08:09 | Computer Name = COMPUTER | Source = Broadcom ASF IP Monitor | ID = 0
Description = !ERROR 53 Refreshing BMAPI data

Error - 20.09.2012 07:12:48 | Computer Name = COMPUTER | Source = Broadcom ASF IP Monitor | ID = 0
Description = !ERROR 53 Refreshing BMAPI data

Error - 21.09.2012 17:57:21 | Computer Name = COMPUTER | Source = Broadcom ASF IP Monitor | ID = 0
Description = !ERROR 53 Refreshing BMAPI data

Error - 22.09.2012 17:09:32 | Computer Name = COMPUTER | Source = Broadcom ASF IP Monitor | ID = 0
Description = !ERROR 53 Refreshing BMAPI data

Error - 24.09.2012 13:43:39 | Computer Name = COMPUTER | Source = Application Error | ID = 1000
Description = Faulting application 91z3khtamxaygk.exe, version 5.1.2600.5512, faulting
module 91z3khtamxaygk.exe, version 5.1.2600.5512, fault address 0x000018eb.

Error - 24.09.2012 13:57:44 | Computer Name = COMPUTER | Source = Application Error | ID = 1000
Description = Faulting application pshtjpxo86bpwv.exe, version 5.1.2600.5512, faulting
module pshtjpxo86bpwv.exe, version 5.1.2600.5512, fault address 0x000018eb.

Error - 25.09.2012 09:57:16 | Computer Name = COMPUTER | Source = Broadcom ASF IP Monitor | ID = 0
Description = !ERROR 53 Refreshing BMAPI data

Error - 25.09.2012 10:09:11 | Computer Name = COMPUTER | Source = MSDTC | ID = 4404
Description = MS DTC Tracing infrastructure : the initialization of the tracing
infrastructure failed. Internal Information : msdtc_trace : File: d:\comxp_sp3\com\com1x\dtc\dtc\trace\src\tracelib.cpp,
Line: 1115, StartTrace Failed, hr=0x800700a1

[ System Events ]
Error - 04.10.2012 18:04:39 | Computer Name = COMPUTER | Source = Service Control Manager | ID = 7034
Description = The NTRU Hybrid TSS v1.05 TCSD service terminated unexpectedly. It
has done this 1 time(s).

Error - 04.10.2012 18:08:01 | Computer Name = COMPUTER | Source = SRService | ID = 104
Description = The System Restore initialization process failed.

Error - 04.10.2012 18:08:09 | Computer Name = COMPUTER | Source = Service Control Manager | ID = 7023
Description = The System Restore Service service terminated with the following error:
%%5

Error - 04.10.2012 18:18:18 | Computer Name = COMPUTER | Source = Cdrom | ID = 262155
Description = The driver detected a controller error on \Device\CdRom0.

Error - 04.10.2012 18:18:26 | Computer Name = COMPUTER | Source = Cdrom | ID = 262155
Description = The driver detected a controller error on \Device\CdRom0.

Error - 04.10.2012 18:18:33 | Computer Name = COMPUTER | Source = Cdrom | ID = 262155
Description = The driver detected a controller error on \Device\CdRom0.

Error - 04.10.2012 18:18:40 | Computer Name = COMPUTER | Source = Cdrom | ID = 262155
Description = The driver detected a controller error on \Device\CdRom0.

Error - 04.10.2012 18:18:47 | Computer Name = COMPUTER | Source = Cdrom | ID = 262155
Description = The driver detected a controller error on \Device\CdRom0.

Error - 05.10.2012 00:53:54 | Computer Name = COMPUTER | Source = SRService | ID = 104
Description = The System Restore initialization process failed.

Error - 05.10.2012 00:54:17 | Computer Name = COMPUTER | Source = Service Control Manager | ID = 7023
Description = The System Restore Service service terminated with the following error:
%%5


< End of report >

Yesterday I got a letter from our internet provider and it says that they recognized a trojan ZeuS/ZBot which is dangerous for internet banking. On that account we are using this computer and two laptops. Maybe this has something to do with our problem.

Helmut
Helmut13
Regular Member
 
Posts: 75
Joined: May 30th, 2011, 3:05 pm

Re: File recovery virus with logs

Unread postby askey127 » October 5th, 2012, 5:02 pm

Helmut,
We finally got a full scan from OTL; unfortunately, the results are not as we would like:
-----------------------------------------------------------
Your logs show signs of Remote Access Infection(s) on your computer.
[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]
...and others
These indicate you have this named infection : .... Zero Access Trojan
See these Antivirus analyses :
The Zeus trojan is also a Remote Access trojan. You can read about it here: http://www.symantec.com/security_response/writeup.jsp?docid=2010-011016-3514-99

A Remote Access Infection will allow the person who infected your computer to use your computer as if he were sitting in front of it, and he may ....
  • Steal bank account details.
  • Steal credit card numbers.
  • Steal your personal details.
  • Modify your computer to make it easier to infect.
  • Use your computer as part of a botnet, to distribute porn or spam.
  • Anything else he cares to think of ..... and most attackers are very inventive people.

You are strongly advised to do the following immediately ....
  • Disconnect the infected computer from the internet and from any networked computers.
  • Call all of your banks, credit card companies, and financial institutions, and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.
  • From a clean computer, change all your online passwords -- for email, for banks, financial accounts, PayPal, eBay, online companies, any online forums or groups you belong to.

Do not change passwords or do any transactions while using the infected computer, because the attacker will get the new passwords and transaction information.

The only way to remove these types of infections and leave yourself with a secure computer is to re-format your hard drive and re-install Windows.

It is impossible to discover all of the modifications that your attacker may have made to your computer while he had access to it, and though we may be able to remove all the obvious signs of infection from your computer, and leave you with an apparently fully functioning machine, that does NOT mean it would be Secure.

If you use your computer for any of the following ....
  • Online Banking.
  • Finances or credit of any kind.
  • Filling out your tax forms online or offline.
  • Filling out Social Security or Personal Insurance forms online or offline.
  • Making online purchases or payments of any type.
  • Anything involving the use of confidential data.
.... then a re-format and re-installation should be the only choice you should make.

If you insist, we are prepared to help you "clean" your machine, but we strongly advise you against this course of action, and you must understand that although we may be able to restore your computer to a usable condition, it will NOT be secure until a re-format and Windows re-installation is performed, and should not be used for any of the activities listed above.
To help you decide, please take some time to read the following articles, then let me know how you want to proceed.

askey127
askey127
Admin/Teacher
 
Posts: 13903
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA
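As an added example that is not part of the thread, this small Python scanner pulls the kind of per-user CLSID InProcServer32 entries askey127 quoted out of an OTL-style registry dump so a defender can review them; the sample dump and its value data are constructed, and only the two GUIDs come from the post.

```python
import re

# Per-user COM registrations (HKCU\Software\Classes) are merged into
# HKEY_CLASSES_ROOT ahead of the machine-wide ones, so a CLSID\...\InProcServer32
# key under HKCU can redirect a COM object that Explorer loads. The helper in
# the thread read such keys as ZeroAccess indicators; this just surfaces them.
HKCU_INPROC = re.compile(
    r"^\[HKEY_CURRENT_USER\\Software\\Classes\\clsid\\"
    r"(\{[0-9a-f-]{36}\})\\InProcServer32\]$",
    re.IGNORECASE,
)
VALUE_LINE = re.compile(r'^"(?P<name>[^"]*)"\s*=\s*(?P<data>.*)$')

# Constructed sample in OTL's registry-dump layout. The two GUIDs are the ones
# quoted in the post; the paths and the HKLM/HKCR entries are made up here.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt" = C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = C:\Documents and Settings\Helmut\Local Settings\Application Data\{42aedc87-2188-41fd-b9a3-0c966feabec1}\n.
[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]
[HKEY_CLASSES_ROOT\CLSID\{00021401-0000-0000-C000-000000000046}\InProcServer32]
"" = %SystemRoot%\system32\SHELL32.dll
"""


def find_hkcu_inproc_keys(log_text):
    """Return (clsid, default_value) for every HKCU CLSID InProcServer32 key in
    an OTL-style dump; default_value is None when the dump lists the key alone."""
    findings = []
    current = None
    for line in log_text.splitlines():
        line = line.strip()
        m = HKCU_INPROC.match(line)
        if m:
            current = m.group(1).lower()
            findings.append([current, None])
            continue
        if line.startswith("["):  # any other key header ends the current block
            current = None
            continue
        v = VALUE_LINE.match(line)
        if current and v and v.group("name") == "":  # "" is the (Default) value
            findings[-1][1] = v.group("data").strip()
    return [tuple(f) for f in findings]


if __name__ == "__main__":
    for clsid, data in find_hkcu_inproc_keys(SAMPLE_LOG):
        print(f"review: HKCU CLSID {clsid} InProcServer32 -> {data}")
```

A hit is a starting point for inspection, not proof of infection: legitimate per-user COM registrations exist, so compare each flagged path against the machine-wide registration before acting on it.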