
Vista won't boot after malware infection


This topic is locked

#31 Render (Trusted Helper, Malware Removal, 4,195 posts)

Cool. That's great news. :)

Now do the following:

Step 1

  • Please download aswMBR.exe to your desktop.
  • Double click the aswMBR.exe to run it.
  • Click the Scan button to start the scan.
  • On completion of the scan click Save log, save it to your desktop and post it in your next reply.

Step 2

OTL Custom Scan

  • Download OTL to your desktop.
  • Double click on the OTL icon to run it.
  • Make sure all other windows are closed and let it run uninterrupted.
  • When the window appears, underneath Output at the top, make sure Standard output is selected.
  • Check the boxes beside LOP Check and Purity Check.
  • Copy (select all lines inside the quote box and press CTRL+C) and paste (press CTRL+V) the following code into the Custom Scans/Fixes textbox.

    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    volsnap.sys
    pw.exe
    explorer.exe
    winlogon.exe
    Userinit.exe
    svchost.exe
    /md5stop
    %systemroot%\*. /mp /s
    hklm\software\clients\startmenuinternet|command /rs
    hklm\software\clients\startmenuinternet|command /64 /rs
    CREATERESTOREPOINT
    
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open OTL.Txt in a Notepad window.
  • Please copy (Edit->Select All, Edit->Copy) the content of this file and post it with your next reply.

When you have completed the above, please post back the following in the order asked for:
  • aswMBR log
  • OTL scan log

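The OTL scan requested in Step 2 writes every file, process, service and driver entry in one fixed bracketed layout: timestamp, size, a four-position attribute field (R H S D), a C/M flag for created/modified, then the company string from the file's version information and the path. Reading such a log by hand is what the helper does next; the script below is an added example, written for this page and not part of the thread or of OTL itself, that parses those lines and applies a few defender-side triage rules of the kind a helper applies when scanning the listing: hidden+system files that are not the known Windows ones, files with an empty company field sitting under AppData or ProgramData, files with no extension, and files that carry Microsoft version information outside the Windows or Program Files trees. The sample log lines are modelled on the listing posted later in this thread; the allowlist of hidden+system Windows files, the list of user-writable locations and the C: drive prefixes are the example's own assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample input, modelled on the layout of OTL file/process/service
# listing lines (timestamp | size | attrs | C/M, company, path, optional service name).
SAMPLE_LOG = r"""PRC - [2009.04.11 08:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - File not found -- C:\Programme\OrbiCam.exe
SRV - [2010.09.30 17:09:20 | 000,030,016 | ---- | M] (TuneUp Software) [Auto | Running] -- C:\Windows\System32\uxtuneup.dll -- (UxTuneUp)
[2011.05.07 16:55:38 | 000,012,214 | -HS- | C] () -- C:\Users\Nils\AppData\Local\1o48v14h3a2tp000028
[2011.05.07 16:55:39 | 000,012,214 | -HS- | M] () -- C:\ProgramData\1o48v14h3a2tp000028
[2011.04.29 21:15:12 | 000,348,160 | -HS- | C] (Microsoft Corporation) -- C:\Users\Nils\AppData\Local\kjt_exe_1304270595.arl
[2011.05.07 17:13:05 | 2145,574,912 | -HS- | M] () -- C:\hiberfil.sys
[2011.05.07 17:04:05 | 000,000,000 | ---D | C] -- C:\Users\Nils\AppData\Roaming\Malwarebytes
[2011.05.07 17:14:37 | 000,000,370 | ---- | M] () -- C:\Windows\tasks\Ad-Aware Update (Weekly).job
"""

# One regex for plain listing lines and for the PRC/MOD/SRV/DRV-prefixed variants.
ENTRY_RE = re.compile(
    r"^(?:(?P<kind>PRC|MOD|SRV|DRV) - )?"
    r"\[(?P<stamp>\d{4}\.\d{2}\.\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[A-Z-]{4}) \| (?P<op>[CM])\]"
    r"(?: \((?P<company>[^)]*)\))?"   # (Company) or (); absent on directory lines
    r"(?: \[[^\]]*\])?"               # [Auto | Running] on SRV/DRV lines
    r" -- (?P<path>.*?)"
    r"(?: -- \((?P<svc>[^)]*)\))?$"   # trailing service/driver name
)

# Assumptions of this example: which hidden+system files are expected at the
# drive root, which path fragments count as user-writable, and where files
# carrying Microsoft version information are normally expected to live.
KNOWN_HS_SYSTEM_FILES = {"hiberfil.sys", "pagefile.sys"}
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\programdata\\", "\\temp\\")
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files", "c:\\programme")


@dataclass
class Entry:
    kind: str                 # PRC/MOD/SRV/DRV, or FILE for plain listing lines
    stamp: str
    size: int
    hidden: bool
    system: bool
    directory: bool
    company: Optional[str]    # None when the line has no company field at all
    path: str


def parse_entry(line: str) -> Optional[Entry]:
    """Parse one OTL listing line; returns None for lines in another layout."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    attrs = m["attrs"]
    return Entry(
        kind=m["kind"] or "FILE",
        stamp=m["stamp"],
        size=int(m["size"].replace(",", "")),
        hidden="H" in attrs,
        system="S" in attrs,
        directory="D" in attrs,
        company=m["company"],
        path=m["path"],
    )


def triage_entry(e: Entry) -> List[str]:
    """Return the list of triage rules a single entry trips (empty if none)."""
    reasons: List[str] = []
    if e.directory:
        return reasons
    p = e.path.lower()
    name = p.rsplit("\\", 1)[-1]
    in_user_area = any(seg in p for seg in USER_WRITABLE)
    if e.hidden and e.system and name not in KNOWN_HS_SYSTEM_FILES:
        reasons.append("hidden+system attributes on a non-directory")
    if in_user_area and e.company == "":
        reasons.append("no company name in a user-writable location")
    if in_user_area and "." not in name:
        reasons.append("no file extension in a user-writable location")
    if e.company and "microsoft" in e.company.lower() and not p.startswith(TRUSTED_PREFIXES):
        reasons.append("Microsoft version info outside Windows/Program Files")
    return reasons


def triage(log_text: str) -> List[Tuple[str, List[str]]]:
    """Parse a whole log and return (path, reasons) for every flagged entry."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry is None:
            continue
        reasons = triage_entry(entry)
        if reasons:
            findings.append((entry.path, reasons))
    return findings


if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_LOG):
        print(path)
        for r in reasons:
            print("   -", r)
```

The rules are deliberately coarse: they surface entries for a human to look at, in the same way the helper in this thread asks for the listing rather than acting on it blindly, and a file that trips none of them is not thereby clean (version information is trivially copied, which is why the hidden+system rule fires regardless of the company string).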


#32 Skily (Topic Starter, Member, 28 posts)

aswMBR log, OTL follows soon

aswMBR version 0.9.5.256 Copyright© 2011 AVAST Software
Run date: 2011-05-07 17:44:02
-----------------------------
17:44:02.996 OS Version: Windows 6.0.6002 Service Pack 2
17:44:02.997 Number of processors: 2 586 0xF06
17:44:03.001 ComputerName: STAR UserName: Nils
17:44:29.480 Initialize success
17:45:18.801 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
17:45:18.805 Disk 0 Vendor: Hitachi_HTS541616J9SA00 SB4OC70P Size: 152627MB BusType: 3
17:45:20.865 Disk 0 MBR read successfully
17:45:20.868 Disk 0 MBR scan
17:45:20.871 Disk 0 unknown MBR code
17:45:22.875 Disk 0 scanning sectors +312576705
17:45:22.940 Disk 0 scanning C:\Windows\system32\drivers
17:45:30.162 Service scanning
17:45:32.047 Disk 0 trace - called modules:
17:45:32.121 ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll ataport.SYS intelide.sys PCIIDEX.SYS atapi.sys
17:45:32.126 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x852d58f8]
17:45:32.130 3 CLASSPNP.SYS[881ce8b3] -> nt!IofCallDriver -> [0x84bda950]
17:45:32.134 5 acpi.sys[806966bc] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0x84c12030]
17:45:32.138 Scan finished successfully
17:45:57.340 Disk 0 MBR has been saved successfully to "F:\MBR.dat"
17:45:57.352 The log file has been saved successfully to "F:\aswMBR.txt"

#33 Skily (Topic Starter, Member, 28 posts)

Here are the OTL results.

Noticed one annoying thing. One of the folders in my documents is not up to date, but only contains files created several weeks ago, which means that I am missing several documents. This would be quite a bummer. Any way to get these docs back?


OTL logfile created on: 07.05.2011 17:50:23 - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Users\Nils\Desktop
Windows Vista Ultimate Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.19048)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy

2,00 Gb Total Physical Memory | 1,00 Gb Available Physical Memory | 49,00% Memory free
4,00 Gb Paging File | 3,00 Gb Available in Paging File | 77,00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 70,62 Gb Total Space | 8,93 Gb Free Space | 12,65% Space Free | Partition Type: NTFS
Drive D: | 70,61 Gb Total Space | 34,70 Gb Free Space | 49,14% Space Free | Partition Type: NTFS
Drive F: | 316,83 Mb Total Space | 39,05 Mb Free Space | 12,32% Space Free | Partition Type: FAT

Computer Name: STAR | User Name: Nils | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - File not found -- C:\Programme\OrbiCam.exe
PRC - [2011.05.07 17:46:20 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Users\Nils\Desktop\OTL.exe
PRC - [2010.09.30 17:14:22 | 000,743,232 | ---- | M] (TuneUp Software) -- D:\Programme\TuneUp\TuneUpUtilitiesApp32.exe
PRC - [2010.09.30 17:12:34 | 001,051,968 | ---- | M] (TuneUp Software) -- D:\Programme\TuneUp\TuneUpUtilitiesService32.exe
PRC - [2010.05.14 11:44:46 | 000,501,480 | ---- | M] (Sun Microsystems, Inc.) -- C:\Programme\Common Files\Java\Java Update\jucheck.exe
PRC - [2009.04.11 08:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2009.04.11 08:27:28 | 000,069,120 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\conime.exe
PRC - [2008.10.16 17:26:20 | 000,860,160 | ---- | M] (Intel® Corporation) -- C:\Programme\Intel\WiFi\bin\EvtEng.exe
PRC - [2008.10.16 16:54:34 | 000,466,944 | ---- | M] (Intel® Corporation) -- C:\Programme\Common Files\Intel\WirelessCommon\RegSrvc.exe
PRC - [2008.03.30 18:42:35 | 001,563,648 | ---- | M] (Insight Software Solutions) -- D:\Programme\Keyboard Express 3\keyexp.exe
PRC - [2008.01.21 04:23:48 | 000,896,512 | ---- | M] (Microsoft Corporation) -- C:\Programme\Windows Media Player\wmpnetwk.exe
PRC - [2008.01.21 04:23:48 | 000,202,240 | ---- | M] (Microsoft Corporation) -- C:\Programme\Windows Media Player\wmpnscfg.exe
PRC - [2007.08.13 14:41:30 | 001,253,376 | ---- | M] (Steve Murphy) -- D:\Programme\Media\AWC\AWC.exe
PRC - [2007.01.02 09:33:24 | 000,135,168 | ---- | M] (acer) -- C:\Acer\Empowering Technology\ePower\ePowerSvc.exe
PRC - [2006.11.30 21:37:00 | 004,186,112 | ---- | M] (Realtek Semiconductor) -- C:\Windows\RtHDVCpl.exe
PRC - [2006.11.20 18:04:46 | 000,244,512 | ---- | M] (Logitech Inc.) -- C:\Programme\Common Files\Logitech\LComMgr\LVComSX.exe
PRC - [2006.10.31 01:06:20 | 000,304,664 | ---- | M] (Acer Inc.) -- C:\Programme\Common Files\Logitech\LComMgr\Communications_Helper.exe


========== Modules (SafeList) ==========

MOD - [2011.05.07 17:46:20 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Users\Nils\Desktop\OTL.exe
MOD - [2010.08.31 17:43:52 | 001,686,016 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6002.18305_none_5cb72f2a088b0ed3\comctl32.dll
MOD - [2002.11.18 14:02:04 | 000,044,544 | ---- | M] (Insight Software Solutions) -- D:\Programme\Keyboard Express 3\keyhook.dll


========== Win32 Services (SafeList) ==========

SRV - [2011.04.15 13:36:02 | 001,378,040 | ---- | M] (Lavasoft) [Auto | Stopped] -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe -- (Lavasoft Ad-Aware Service)
SRV - [2010.10.23 17:59:32 | 000,435,008 | ---- | M] (TuneUp Software) [On_Demand | Stopped] -- D:\Programme\TuneUp\TuneUpDefragService.exe -- (TuneUp.Defrag)
SRV - [2010.09.30 17:12:34 | 001,051,968 | ---- | M] (TuneUp Software) [Auto | Running] -- D:\Programme\TuneUp\TuneUpUtilitiesService32.exe -- (TuneUp.UtilitiesSvc)
SRV - [2010.09.30 17:09:20 | 000,030,016 | ---- | M] (TuneUp Software) [Auto | Running] -- C:\Windows\System32\uxtuneup.dll -- (UxTuneUp)
SRV - [2008.10.16 17:26:20 | 000,860,160 | ---- | M] (Intel® Corporation) [Auto | Running] -- C:\Programme\Intel\WiFi\bin\EvtEng.exe -- (EvtEng)
SRV - [2008.10.16 16:54:34 | 000,466,944 | ---- | M] (Intel® Corporation) [Auto | Running] -- C:\Programme\Common Files\Intel\WirelessCommon\RegSrvc.exe -- (RegSrvc)
SRV - [2007.01.02 09:33:24 | 000,135,168 | ---- | M] (acer) [Auto | Running] -- C:\Acer\Empowering Technology\ePower\ePowerSvc.exe -- (WMIService)
SRV - [2006.11.17 16:56:32 | 000,101,152 | ---- | M] (Logitech Inc.) [Auto | Stopped] -- C:\Programme\Common Files\Logitech\SrvLnch\SrvLnch.exe -- (LVSrvLauncher)


========== Driver Services (SafeList) ==========

DRV - [2010.02.25 11:18:08 | 000,010,064 | ---- | M] (TuneUp Software) [Kernel | On_Demand | Running] -- D:\Programme\TuneUp\TuneUpUtilitiesDriver32.sys -- (TuneUpUtilitiesDrv)
DRV - [2008.11.17 07:40:22 | 003,668,480 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\NETw5v32.sys -- (NETw5v32) Intel®
DRV - [2008.01.21 04:21:28 | 002,225,664 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\NETw3v32.sys -- (NETw3v32) Intel®
DRV - [2007.02.05 18:01:00 | 004,456,320 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm)
DRV - [2006.11.20 18:02:42 | 000,847,392 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\lv321av.sys -- (lv321av) Logitech USB PC Camera (VC0321)
DRV - [2006.11.17 16:53:30 | 001,962,784 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\LVMVdrv.sys -- (LVMVDrv)
DRV - [2006.11.02 09:30:56 | 000,044,544 | ---- | M] (Realtek Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Rtlh86.sys -- (RTL8169)
DRV - [2004.10.08 10:51:08 | 001,270,540 | ---- | M] (Agere Systems) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\AGRSM.sys -- (AgereSoftModem)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.openintab: true
FF - prefs.js..extensions.enabledItems: [email protected]:0.19.1
FF - prefs.js..extensions.enabledItems: [email protected]:1.8.0.4280
FF - prefs.js..extensions.enabledItems: {05BF52F6-A4F9-48B9-84ED-F8D83762E619}:0.5.3
FF - prefs.js..extensions.enabledItems: {37E4D8EA-8BDA-4831-8EA1-89053939A250}:2.0.0.0
FF - prefs.js..extensions.enabledItems: {A4732521-77D9-447E-A557-B279AC923F06}:0.6.5
FF - prefs.js..extensions.enabledItems: {b9db16a4-6edc-47ec-a1f4-b86292ed211d}:3.2
FF - prefs.js..extensions.enabledItems: {D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}:0.9.6.3
FF - prefs.js..extensions.enabledItems: {dc572301-7619-498c-a57d-39143191b318}:0.3.7pre.080830
FF - prefs.js..extensions.enabledItems: {DDC359D1-844A-42a7-9AA1-88A850A938A8}:1.0.3
FF - prefs.js..extensions.enabledItems: {fce36c1e-58d8-498a-b2a5-66ad1cedebbb}:0.75
FF - prefs.js..extensions.enabledItems: {1a45a8a0-3278-11dd-bd11-0800200c9a66}:1.0.1
FF - prefs.js..extensions.enabledItems: {269FB356-C69F-7349-D092-AB28AF836D0E}:3.0.02
FF - prefs.js..extensions.enabledItems: {47e5a66c-0e35-11dc-8314-0800200c9a66}:3.0.1
FF - prefs.js..extensions.enabledItems: {c9c58820-7bd4-11da-a72b-0800200c9a66}:2.071508

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.2pre\extensions\\Components: D:\Programme\Online\Firefox\components [2010.12.20 12:39:44 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.2pre\extensions\\Plugins: D:\Programme\Online\Firefox\plugins [2010.12.20 12:39:44 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 4.0.1\extensions\\Components: D:\Programme\Online\Firefox 4\components [2011.04.25 19:36:48 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 4.0.1\extensions\\Plugins: D:\Programme\Online\Firefox 4\plugins

[2008.08.30 21:12:47 | 000,000,000 | -H-D | M] (No name found) -- C:\Users\Nils\AppData\Roaming\mozilla\Extensions
[2011.04.29 20:10:25 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Nils\AppData\Roaming\mozilla\Firefox\Profiles\mz979o3j.Standard-Benutzer\extensions
[2011.05.01 22:12:06 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\Nils\AppData\Roaming\mozilla\Firefox\Profiles\mz979o3j.Standard-Benutzer\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2011.05.01 22:12:06 | 000,000,000 | ---D | M] (Aquatint Redone) -- C:\Users\Nils\AppData\Roaming\mozilla\Firefox\Profiles\mz979o3j.Standard-Benutzer\extensions\{47e5a66c-0e35-11dc-8314-0800200c9a66}
[2011.05.01 22:12:06 | 000,000,000 | ---D | M] ("DVDVideoSoft Menu") -- C:\Users\Nils\AppData\Roaming\mozilla\Firefox\Profiles\mz979o3j.Standard-Benutzer\extensions\{ACAA314B-EEBA-48e4-AD47-84E31C44796C}
[2011.05.01 22:12:06 | 000,000,000 | ---D | M] ("BilderHerunterlader") -- C:\Users\Nils\AppData\Roaming\mozilla\Firefox\Profiles\mz979o3j.Standard-Benutzer\extensions\{af2f0750-c598-4826-8e5f-bb98aab519a5}
[2011.05.01 22:12:06 | 000,000,000 | ---D | M] (iPox) -- C:\Users\Nils\AppData\Roaming\mozilla\Firefox\Profiles\mz979o3j.Standard-Benutzer\extensions\{c9c58820-7bd4-11da-a72b-0800200c9a66}
[2011.05.01 22:12:06 | 000,000,000 | ---D | M] (Chromifox Basic) -- C:\Users\Nils\AppData\Roaming\mozilla\Firefox\Profiles\mz979o3j.Standard-Benutzer\extensions\[email protected]
[2011.05.01 22:12:06 | 000,000,000 | ---D | M] (TVU Web Player) -- C:\Users\Nils\AppData\Roaming\mozilla\Firefox\Profiles\mz979o3j.Standard-Benutzer\extensions\[email protected]
[2011.05.01 22:12:06 | 000,000,000 | ---D | M] (Cooliris) -- C:\Users\Nils\AppData\Roaming\mozilla\Firefox\Profiles\mz979o3j.Standard-Benutzer\extensions\[email protected]
[2010.03.13 20:22:38 | 000,000,000 | -H-D | M] (No name found) -- C:\Users\Nils\AppData\Roaming\mozilla\Firefox\Profiles\mz979o3j.Standard-Benutzer\extensions\{c9c58820-7bd4-11da-a72b-0800200c9a66}\chrome\mozapps\extensions
[2010.03.13 20:22:38 | 000,000,000 | -H-D | M] (No name found) -- C:\Users\Nils\AppData\Roaming\mozilla\Firefox\Profiles\mz979o3j.Standard-Benutzer\extensions\{c9c58820-7bd4-11da-a72b-0800200c9a66}\chrome\mozapps\extensions\CVS
[2010.12.31 19:59:42 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Nils\AppData\Roaming\mozilla\Firefox\Profiles\nbo4frt5.default\extensions
[2011.05.01 22:12:06 | 000,000,000 | ---D | M] (New Tab Button on Tab Right) -- C:\Users\Nils\AppData\Roaming\mozilla\Firefox\Profiles\nbo4frt5.default\extensions\{05BF52F6-A4F9-48B9-84ED-F8D83762E619}
[2011.05.01 22:12:06 | 000,000,000 | ---D | M] (MR Tech Disable XPI Install Delay) -- C:\Users\Nils\AppData\Roaming\mozilla\Firefox\Profiles\nbo4frt5.default\extensions\{0F25ED9F-9213-422D-9AB9-7DA9BD416FFA}
[2011.05.01 22:12:06 | 000,000,000 | ---D | M] (Just Black (A Cylence theme for Firefox 3)) -- C:\Users\Nils\AppData\Roaming\mozilla\Firefox\Profiles\nbo4frt5.default\extensions\{1a45a8a0-3278-11dd-bd11-0800200c9a66}
[2011.05.01 22:12:06 | 000,000,000 | ---D | M] (Strata Aero) -- C:\Users\Nils\AppData\Roaming\mozilla\Firefox\Profiles\nbo4frt5.default\extensions\{269FB356-C69F-7349-D092-AB28AF836D0E}
[2011.05.01 22:12:06 | 000,000,000 | ---D | M] (PDF Download) -- C:\Users\Nils\AppData\Roaming\mozilla\Firefox\Profiles\nbo4frt5.default\extensions\{37E4D8EA-8BDA-4831-8EA1-89053939A250}
[2011.05.01 22:12:06 | 000,000,000 | ---D | M] (Aquatint Redone) -- C:\Users\Nils\AppData\Roaming\mozilla\Firefox\Profiles\nbo4frt5.default\extensions\{47e5a66c-0e35-11dc-8314-0800200c9a66}
[2011.05.01 22:12:06 | 000,000,000 | ---D | M] (DVDVideoSoftTB Toolbar) -- C:\Users\Nils\AppData\Roaming\mozilla\Firefox\Profiles\nbo4frt5.default\extensions\{872b5b88-9db5-4310-bdd0-ac189557e5f5}
[2011.05.01 22:12:06 | 000,000,000 | ---D | M] (Image Toolbar) -- C:\Users\Nils\AppData\Roaming\mozilla\Firefox\Profiles\nbo4frt5.default\extensions\{A4732521-77D9-447E-A557-B279AC923F06}
[2011.05.01 22:12:07 | 000,000,000 | ---D | M] ("DVDVideoSoft Menu") -- C:\Users\Nils\AppData\Roaming\mozilla\Firefox\Profiles\nbo4frt5.default\extensions\{ACAA314B-EEBA-48e4-AD47-84E31C44796C}
[2011.05.01 22:12:07 | 000,000,000 | ---D | M] (DownloadHelper) -- C:\Users\Nils\AppData\Roaming\mozilla\Firefox\Profiles\nbo4frt5.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
[2011.05.01 22:12:07 | 000,000,000 | ---D | M] (iPox) -- C:\Users\Nils\AppData\Roaming\mozilla\Firefox\Profiles\nbo4frt5.default\extensions\{c9c58820-7bd4-11da-a72b-0800200c9a66}
[2011.05.01 22:12:07 | 000,000,000 | ---D | M] (Download Statusbar) -- C:\Users\Nils\AppData\Roaming\mozilla\Firefox\Profiles\nbo4frt5.default\extensions\{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}
[2011.05.01 22:12:07 | 000,000,000 | ---D | M] ("Tab Mix Plus") -- C:\Users\Nils\AppData\Roaming\mozilla\Firefox\Profiles\nbo4frt5.default\extensions\{dc572301-7619-498c-a57d-39143191b318}
[2011.05.01 22:12:07 | 000,000,000 | ---D | M] (DownThemAll!) -- C:\Users\Nils\AppData\Roaming\mozilla\Firefox\Profiles\nbo4frt5.default\extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}
[2011.05.01 22:12:08 | 000,000,000 | ---D | M] (CustomizeGoogle) -- C:\Users\Nils\AppData\Roaming\mozilla\Firefox\Profiles\nbo4frt5.default\extensions\{fce36c1e-58d8-498a-b2a5-66ad1cedebbb}
[2011.05.01 22:12:06 | 000,000,000 | ---D | M] (Ctrl-Tab) -- C:\Users\Nils\AppData\Roaming\mozilla\Firefox\Profiles\nbo4frt5.default\extensions\[email protected]
[2011.05.01 22:12:06 | 000,000,000 | ---D | M] (PicLens) -- C:\Users\Nils\AppData\Roaming\mozilla\Firefox\Profiles\nbo4frt5.default\extensions\[email protected]
[2008.08.23 15:28:44 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Nils\AppData\Roaming\mozilla\Firefox\Profiles\nbo4frt5.default\extensions\[email protected]
[2008.06.21 11:18:55 | 000,000,000 | ---D | M] (Java Console) -- D:\PROGRAMME\ONLINE\FIREFOX\EXTENSIONS\{CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA}
[2008.07.29 19:33:42 | 000,000,000 | ---D | M] (Java Console) -- D:\PROGRAMME\ONLINE\FIREFOX\EXTENSIONS\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

O1 HOSTS File: ([2011.05.07 07:22:09 | 000,000,098 | ---- | M]) - C:\Windows\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Programme\Acrobat\Acrobat 7\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Skype add-on (mastermind)) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Programme\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O2 - BHO: (Watch for Browser Events) - {42A7CE31-CEE7-4CCE-A060-A44A7E52E062} - D:\Programme\Keyboard Express 3\kie.dll (Insight Software Solutions)
O2 - BHO: (Windows Live Sign-in Helper) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programme\Common Files\microsoft shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Programme\Acrobat\Acrobat 7\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Programme\Acrobat\Acrobat 7\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKCU\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Programme\Acrobat\Acrobat 7\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [AcerOrbicamRibbon] C:\Program Files\OrbiCam.exe ()
O4 - HKLM..\Run: [LogitechCommunicationsManager] C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe (Acer Inc.)
O4 - HKLM..\Run: [LVCOMSX] C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe (Logitech Inc.)
O4 - HKLM..\Run: [NvCplDaemon] C:\Windows\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NvSvc] C:\Windows\System32\nvsvc.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [RtHDVCpl] C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKLM..\RunOnce: [NoIE4StubProcessing] File not found
O4 - Startup: C:\Users\Nils\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AWC.lnk = D:\Programme\Media\AWC\AWC.exe (Steve Murphy)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HideSCAHealth = 1
O8 - Extra context menu item: Ausgewählte Verknüpfungen in Adobe PDF konvertieren - D:\Programme\Acrobat\Acrobat 7\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Ausgewählte Verknüpfungen in vorhandene PDF-Datei konvertieren - D:\Programme\Acrobat\Acrobat 7\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Auswahl in Adobe PDF konvertieren - D:\Programme\Acrobat\Acrobat 7\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Auswahl in vorhandene PDF-Datei konvertieren - D:\Programme\Acrobat\Acrobat 7\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Download with Xilisoft YouTube to iPod Converter - D:\Programme\Online\YouTube iPod\upod_link.HTM ()
O8 - Extra context menu item: In Adobe PDF konvertieren - D:\Programme\Acrobat\Acrobat 7\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: In vorhandene PDF-Datei konvertieren - D:\Programme\Acrobat\Acrobat 7\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Verknüpfungsziel in Adobe PDF konvertieren - D:\Programme\Acrobat\Acrobat 7\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Verknüpfungsziel in vorhandene PDF-Datei konvertieren - D:\Programme\Acrobat\Acrobat 7\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O9 - Extra Button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Programme\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Programme\Bonjour\mdnsNSP.dll (Apple Inc.)
O13 - gopher Prefix: missing
O15 - HKCU\..Trusted Domains: amazon.de ([www] http in Trusted sites)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.ma...t/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_06)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_21)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Programme\Windows Live\Messenger\msgrapp.14.0.8089.0726.dll (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Programme\Windows Live\Messenger\msgrapp.14.0.8089.0726.dll (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Programme\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O22 - SharedTaskScheduler: {E31004D1-A431-41B8-826F-E902F9D95C81} - Windows DreamScene - C:\Windows\System32\DreamScene.dll (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Users\Nils\AppData\Local\Temp\AutoWall.bmp
O24 - Desktop BackupWallPaper: C:\Users\Nils\AppData\Local\Temp\AutoWall.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006.09.18 23:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O33 - MountPoints2\{c4de58cd-60d3-11df-a300-0016d350f8dc}\Shell\AutoRun\command - "" = F:\SYSTEM\S-1-5-21-1482476501-1644491937-682003330-1013\system32.exe
O33 - MountPoints2\{c4de58cd-60d3-11df-a300-0016d350f8dc}\Shell\open\command - "" = F:\SYSTEM\S-1-5-21-1482476501-1644491937-682003330-1013\system32.exe
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (lsdelete) - C:\Windows\System32\lsdelete.exe ()
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O35 - HKCU\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKCU\...exe [@ = exefile] -- "%1" %*

NetSvcs: UxTuneUp - C:\Windows\System32\uxtuneup.dll (TuneUp Software)
NetSvcs: FastUserSwitchingCompatibility - File not found
NetSvcs: Ias - File not found
NetSvcs: Nla - File not found
NetSvcs: Ntmssvc - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: SRService - File not found
NetSvcs: WmdmPmSp - File not found
NetSvcs: LogonHours - File not found
NetSvcs: PCAudit - File not found
NetSvcs: helpsvc - File not found
NetSvcs: uploadmgr - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point

========== Files/Folders - Created Within 30 Days ==========

[2011.05.07 17:48:57 | 000,580,608 | ---- | C] (OldTimer Tools) -- C:\Users\Nils\Desktop\OTL.exe
[2011.05.07 17:33:43 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\VideoLAN
[2011.05.07 17:15:53 | 000,000,000 | ---D | C] -- C:\Programme\Common Files\PC Tools
[2011.05.07 17:04:05 | 000,000,000 | ---D | C] -- C:\Users\Nils\AppData\Roaming\Malwarebytes
[2011.05.07 17:01:48 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2011.05.07 17:01:48 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011.05.07 17:01:47 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2011.05.07 17:01:44 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2011.05.07 07:23:35 | 002,234,368 | R--- | C] (OldTimer Tools) -- C:\OTLPE.exe
[2011.05.07 07:22:01 | 000,000,000 | ---D | C] -- C:\_OTL
[2011.04.30 22:19:53 | 000,000,000 | ---D | C] -- C:\Programme\Malwarebytes' Anti-Malware
[2011.04.30 16:30:39 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2011.04.29 21:50:22 | 000,000,000 | ---D | C] -- C:\ProgramData\TEMP
[2011.04.29 21:49:34 | 000,000,000 | -H-D | C] -- C:\Users\Nils\AppData\Roaming\GetRightToGo
[2011.04.29 21:15:12 | 000,348,160 | -HS- | C] (Microsoft Corporation) -- C:\Users\Nils\AppData\Local\kjt_exe_1304270595.arl
[2011.04.15 13:49:19 | 000,292,864 | ---- | C] (Adobe Systems Incorporated) -- C:\Windows\System32\atmfd.dll
[2011.04.15 13:49:13 | 000,034,304 | ---- | C] (Adobe Systems) -- C:\Windows\System32\atmlib.dll
[2011.04.15 13:48:33 | 001,469,440 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\inetcpl.cpl
[2011.04.15 13:48:33 | 000,602,112 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeeds.dll
[2011.04.15 13:48:32 | 000,611,840 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mstime.dll
[2011.04.15 13:48:32 | 000,385,024 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\html.iec
[2011.04.15 13:48:31 | 000,387,584 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iedkcs32.dll
[2011.04.15 13:48:30 | 000,184,320 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iepeers.dll
[2011.04.15 13:48:30 | 000,164,352 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieui.dll
[2011.04.15 13:48:30 | 000,133,632 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieUnatt.exe
[2011.04.15 13:48:29 | 001,638,912 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mshtml.tlb
[2011.04.15 13:48:29 | 000,173,568 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ie4uinit.exe
[2011.04.15 13:48:29 | 000,109,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iesysprep.dll
[2011.04.15 13:48:29 | 000,071,680 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iesetup.dll
[2011.04.15 13:48:29 | 000,055,808 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iernonce.dll
[2011.04.15 13:48:29 | 000,055,296 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeedsbs.dll
[2011.04.15 13:48:29 | 000,043,520 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\licmgr10.dll
[2011.04.15 13:48:29 | 000,025,600 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jsproxy.dll
[2011.04.15 13:48:29 | 000,013,312 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeedssync.exe
[2011.04.15 13:48:19 | 001,162,240 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mfc42u.dll
[2011.04.15 13:48:18 | 001,136,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mfc42.dll
[2011.04.15 13:48:11 | 000,025,088 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\dnscacheugc.exe
[2011.04.15 13:48:05 | 002,041,856 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\win32k.sys
[2011.04.15 13:47:56 | 000,726,528 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jscript.dll
[2011.04.15 13:47:56 | 000,420,864 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\vbscript.dll
[2011.04.15 13:47:47 | 000,191,488 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\FXSCOVER.exe
[2008.03.30 20:01:49 | 000,053,248 | ---- | C] ( ) -- C:\Windows\System32\Interop.Shell32.dll
[2006.11.20 18:10:16 | 000,204,824 | ---- | C] (Acer Inc.) -- C:\Programme\VideoControl.dll
[2006.11.20 18:09:20 | 000,079,384 | ---- | C] (Acer Inc.) -- C:\Programme\LogiMail.dll
[2006.11.20 18:09:08 | 000,366,104 | ---- | C] (Acer Inc.) -- C:\Programme\IPPJPEG.dll
[2006.11.20 18:08:58 | 000,280,088 | ---- | C] (Acer Inc.) -- C:\Programme\EFVal.dll
[2001.09.05 21:00:58 | 001,700,352 | ---- | C] (Microsoft Corporation) -- C:\Programme\gdiplus.dll

========== Files - Modified Within 30 Days ==========

[2011.05.07 17:46:20 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Users\Nils\Desktop\OTL.exe
[2011.05.07 17:41:02 | 000,001,098 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2011.05.07 17:14:37 | 000,000,370 | ---- | M] () -- C:\Windows\tasks\Ad-Aware Update (Weekly).job
[2011.05.07 17:14:14 | 000,373,504 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2011.05.07 17:13:48 | 000,000,220 | ---- | M] () -- C:\Windows\tasks\OGALogon.job
[2011.05.07 17:13:46 | 000,001,094 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2011.05.07 17:13:30 | 000,003,664 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2011.05.07 17:13:29 | 000,003,664 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2011.05.07 17:13:20 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2011.05.07 17:13:05 | 2145,574,912 | -HS- | M] () -- C:\hiberfil.sys
[2011.05.07 17:03:51 | 000,621,952 | ---- | M] () -- C:\Windows\System32\perfh007.dat
[2011.05.07 17:03:51 | 000,590,082 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2011.05.07 17:03:51 | 000,123,852 | ---- | M] () -- C:\Windows\System32\perfc007.dat
[2011.05.07 17:03:51 | 000,102,094 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2011.05.07 16:55:39 | 000,012,214 | -HS- | M] () -- C:\ProgramData\1o48v14h3a2tp000028
[2011.05.07 16:55:38 | 000,012,214 | -HS- | M] () -- C:\Users\Nils\AppData\Local\1o48v14h3a2tp000028
[2011.05.07 07:22:09 | 000,000,098 | ---- | M] () -- C:\Windows\System32\drivers\etc\Hosts
[2011.05.06 11:39:03 | 000,000,512 | ---- | M] () -- C:\Physical0MBR.bin
[2011.04.30 10:39:12 | 000,024,576 | ---- | M] () -- C:\Windows\System32\umstartup.etl
[2011.04.29 21:15:12 | 000,348,160 | -HS- | M] (Microsoft Corporation) -- C:\Users\Nils\AppData\Local\kjt_exe_1304270595.arl
[2011.04.29 21:06:30 | 000,037,210 | -H-- | M] () -- C:\Users\Nils\AppData\Roaming\nvModes.001
[2011.04.29 19:50:37 | 000,037,210 | -H-- | M] () -- C:\Users\Nils\AppData\Roaming\nvModes.dat
[2011.04.29 19:35:51 | 000,000,220 | ---- | M] () -- C:\Windows\tasks\OGADaily.job
[2011.04.27 23:37:21 | 000,000,680 | -H-- | M] () -- C:\Users\Nils\AppData\Local\d3d9caps.dat
[2011.04.25 20:38:51 | 000,241,152 | ---- | M] () -- C:\Users\Nils\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

========== Files Created - No Company Name ==========

[2011.05.08 06:52:51 | 000,226,280 | ---- | C] () -- C:\Windows\System32\drivers\volsnap_old.sys
[2011.05.08 04:54:34 | 2145,574,912 | -HS- | C] () -- C:\hiberfil.sys
[2011.05.07 17:14:34 | 000,000,370 | ---- | C] () -- C:\Windows\tasks\Ad-Aware Update (Weekly).job
[2011.05.07 16:55:38 | 000,012,214 | -HS- | C] () -- C:\Users\Nils\AppData\Local\1o48v14h3a2tp000028
[2011.05.07 16:55:38 | 000,012,214 | -HS- | C] () -- C:\ProgramData\1o48v14h3a2tp000028
[2011.05.06 11:39:03 | 000,000,512 | ---- | C] () -- C:\Physical0MBR.bin
[2010.10.24 20:23:08 | 000,015,880 | ---- | C] () -- C:\Windows\System32\lsdelete.exe
[2010.07.04 17:39:01 | 000,121,832 | -H-- | C] () -- C:\Windows\System32\mlfcache.dat
[2010.06.10 22:54:55 | 000,000,127 | ---- | C] () -- C:\Windows\System32\MRT.INI
[2010.01.17 15:20:17 | 000,000,680 | -H-- | C] () -- C:\Users\Nils\AppData\Local\d3d9caps.dat
[2009.11.26 21:57:18 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
[2009.11.26 21:57:18 | 000,107,612 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchema.bin
[2009.11.26 21:56:07 | 000,062,976 | ---- | C] () -- C:\Windows\System32\PrintBrmUi.exe
[2009.06.09 22:26:39 | 000,042,594 | ---- | C] () -- C:\Windows\System32\lvcoinst.ini
[2008.12.31 17:04:42 | 000,691,560 | ---- | C] () -- C:\Windows\System32\OGACheckControl.dll
[2008.12.31 17:04:42 | 000,528,744 | ---- | C] () -- C:\Windows\System32\OGAVerify.exe
[2008.09.02 22:55:34 | 000,000,000 | ---- | C] () -- C:\Windows\nsreg.dat
[2008.08.03 01:10:41 | 000,018,904 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchemaTrivial.bin
[2008.06.23 15:46:58 | 000,000,009 | -H-- | C] () -- C:\Users\Nils\AppData\Roaming\mdb.bin
[2008.04.05 12:17:13 | 000,000,038 | ---- | C] () -- C:\Windows\avisplitter.INI
[2008.04.01 21:18:27 | 000,037,210 | -H-- | C] () -- C:\Users\Nils\AppData\Roaming\nvModes.001
[2008.03.31 20:11:08 | 000,037,210 | -H-- | C] () -- C:\Users\Nils\AppData\Roaming\nvModes.dat
[2008.03.30 20:01:49 | 000,331,776 | ---- | C] () -- C:\Windows\System32\ScrollBarLib.dll
[2008.03.30 19:58:18 | 000,000,176 | ---- | C] () -- C:\Windows\System32\drivers\RTHDAEQ0.dat
[2008.03.30 19:17:41 | 000,007,168 | ---- | C] () -- C:\Windows\System32\Dtctrace.dll
[2008.03.30 19:07:02 | 000,164,352 | ---- | C] () -- C:\Windows\System32\unrar.dll
[2008.03.30 19:07:00 | 003,596,288 | ---- | C] () -- C:\Windows\System32\qt-dx331.dll
[2008.03.30 19:07:00 | 002,085,376 | ---- | C] () -- C:\Windows\System32\x264vfw.dll
[2008.03.30 19:07:00 | 000,159,839 | ---- | C] () -- C:\Windows\System32\xvidvfw.dll
[2008.03.30 18:14:54 | 000,241,152 | ---- | C] () -- C:\Users\Nils\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008.01.21 10:24:09 | 000,621,952 | ---- | C] () -- C:\Windows\System32\perfh007.dat
[2008.01.21 10:24:09 | 000,290,748 | ---- | C] () -- C:\Windows\System32\perfi007.dat
[2008.01.21 10:24:09 | 000,123,852 | ---- | C] () -- C:\Windows\System32\perfc007.dat
[2008.01.21 10:24:09 | 000,036,916 | ---- | C] () -- C:\Windows\System32\perfd007.dat
[2008.01.21 04:23:41 | 000,081,158 | ---- | C] () -- C:\Windows\System32\manage-bde.ini.en
[2007.09.20 12:33:52 | 003,190,784 | ---- | C] () -- C:\Windows\System32\libavcodec.dll
[2007.09.20 12:33:52 | 000,741,376 | ---- | C] () -- C:\Windows\System32\audxlib.dll
[2007.09.20 12:33:52 | 000,662,016 | ---- | C] () -- C:\Windows\System32\xvidcore.dll
[2007.09.20 12:33:52 | 000,511,488 | ---- | C] () -- C:\Windows\System32\ff_x264.dll
[2007.09.20 12:33:52 | 000,405,504 | ---- | C] () -- C:\Windows\System32\libmplayer.dll
[2007.09.20 12:33:52 | 000,245,760 | ---- | C] () -- C:\Windows\System32\ff_libfaad2.dll
[2007.09.20 12:33:52 | 000,221,184 | ---- | C] () -- C:\Windows\System32\ff_kernelDeint.dll
[2007.09.20 12:33:52 | 000,200,704 | ---- | C] () -- C:\Windows\System32\TomsMoComp_ff.dll
[2007.09.20 12:33:52 | 000,155,648 | ---- | C] () -- C:\Windows\System32\ff_libdts.dll
[2007.09.20 12:33:52 | 000,143,360 | ---- | C] () -- C:\Windows\System32\ff_theora.dll
[2007.09.20 12:33:52 | 000,122,880 | ---- | C] () -- C:\Windows\System32\ff_samplerate.dll
[2007.09.20 12:33:52 | 000,118,784 | ---- | C] () -- C:\Windows\System32\ff_libmad.dll
[2007.09.20 12:33:52 | 000,114,688 | ---- | C] () -- C:\Windows\System32\libmpeg2_ff.dll
[2007.09.20 12:33:52 | 000,097,280 | ---- | C] () -- C:\Windows\System32\ff_realaac.dll
[2007.09.20 12:33:52 | 000,079,872 | ---- | C] () -- C:\Windows\System32\ff_tremor.dll
[2007.09.20 12:33:52 | 000,040,960 | ---- | C] () -- C:\Windows\System32\ff_liba52.dll
[2007.09.20 12:33:52 | 000,038,400 | ---- | C] () -- C:\Windows\System32\ff_unrar.dll
[2007.09.20 12:33:52 | 000,026,624 | ---- | C] () -- C:\Windows\System32\ff_wmv9.dll
[2007.09.20 12:33:52 | 000,007,680 | ---- | C] () -- C:\Windows\System32\ff_vfw.dll
[2006.11.20 18:11:48 | 000,023,576 | ---- | C] () -- C:\Programme\MSNCmRes.dll
[2006.11.20 18:11:36 | 001,078,808 | ---- | C] () -- C:\Programme\LAppRes.DLL
[2006.11.20 18:11:36 | 000,206,360 | ---- | C] () -- C:\Programme\ATWizardRes.dll
[2006.11.20 18:09:54 | 000,754,712 | ---- | C] () -- C:\Programme\OrbiCam.exe
[2006.11.20 18:09:42 | 000,032,280 | ---- | C] () -- C:\Programme\MSNCam.dll
[2006.11.20 18:09:32 | 000,316,952 | ---- | C] () -- C:\Programme\LogiMailApp.exe
[2006.11.20 18:08:34 | 000,292,888 | ---- | C] () -- C:\Programme\ATWizard.exe
[2006.11.02 14:55:52 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2006.11.02 14:46:27 | 000,373,504 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT
[2006.11.02 14:34:20 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006.11.02 12:33:01 | 000,590,082 | ---- | C] () -- C:\Windows\System32\perfh009.dat
[2006.11.02 12:33:01 | 000,287,440 | ---- | C] () -- C:\Windows\System32\perfi009.dat
[2006.11.02 12:33:01 | 000,102,094 | ---- | C] () -- C:\Windows\System32\perfc009.dat
[2006.11.02 12:33:01 | 000,030,674 | ---- | C] () -- C:\Windows\System32\perfd009.dat
[2006.11.02 12:23:21 | 000,215,943 | ---- | C] () -- C:\Windows\System32\dssec.dat
[2006.11.02 10:58:30 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2006.11.02 10:19:00 | 000,000,741 | ---- | C] () -- C:\Windows\System32\NOISE.DAT
[2006.11.02 09:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2006.11.02 09:25:31 | 000,673,088 | ---- | C] () -- C:\Windows\System32\mlang.dat
[2006.10.30 11:40:18 | 000,246,011 | -H-- | C] () -- C:\Programme\orbicam.chm
[2006.10.25 14:04:00 | 000,008,690 | -H-- | C] () -- C:\Programme\ReadMe_KOR.htm
[2006.10.25 14:00:56 | 000,009,168 | -H-- | C] () -- C:\Programme\ReadMe_JPN.htm
[2006.10.25 14:00:26 | 000,007,909 | -H-- | C] () -- C:\Programme\ReadMe_CHT.htm
[2006.10.25 13:59:54 | 000,007,929 | -H-- | C] () -- C:\Programme\ReadMe_CHS.htm
[2006.10.25 13:58:36 | 000,062,682 | -H-- | C] () -- C:\Programme\readme.htm
[2005.09.29 14:39:40 | 000,011,014 | -H-- | C] () -- C:\Programme\logo.bmp

========== LOP Check ==========

[2008.03.30 18:32:03 | 000,000,000 | -H-D | M] -- C:\Users\Nils\AppData\Roaming\ACD Systems
[2009.06.14 19:57:40 | 000,000,000 | -H-D | M] -- C:\Users\Nils\AppData\Roaming\avidemux
[2011.05.01 22:12:05 | 000,000,000 | ---D | M] -- C:\Users\Nils\AppData\Roaming\BSplayer PRO
[2010.10.22 18:16:57 | 000,000,000 | ---D | M] -- C:\Users\Nils\AppData\Roaming\Dropbox
[2011.04.29 21:50:18 | 000,000,000 | -H-D | M] -- C:\Users\Nils\AppData\Roaming\GetRightToGo
[2009.12.16 02:08:45 | 000,000,000 | -H-D | M] -- C:\Users\Nils\AppData\Roaming\Imaxel
[2011.05.01 22:12:05 | 000,000,000 | ---D | M] -- C:\Users\Nils\AppData\Roaming\Kingston
[2008.06.07 17:02:33 | 000,000,000 | -H-D | M] -- C:\Users\Nils\AppData\Roaming\LEAPS
[2011.05.01 22:12:08 | 000,000,000 | ---D | M] -- C:\Users\Nils\AppData\Roaming\Mp3tag
[2008.06.07 16:47:58 | 000,000,000 | ---D | M] -- C:\Users\Nils\AppData\Roaming\Pegasys Inc
[2010.02.19 18:34:23 | 000,000,000 | ---D | M] -- C:\Users\Nils\AppData\Roaming\SecureTraveler
[2011.05.01 22:12:08 | 000,000,000 | ---D | M] -- C:\Users\Nils\AppData\Roaming\Security_File
[2009.11.28 16:26:40 | 000,000,000 | ---D | M] -- C:\Users\Nils\AppData\Roaming\Thinstall
[2010.10.23 17:58:49 | 000,000,000 | ---D | M] -- C:\Users\Nils\AppData\Roaming\TuneUp Software
[2008.12.22 01:43:21 | 000,000,000 | -H-D | M] -- C:\Users\Nils\AppData\Roaming\Xilisoft Corporation
[2011.05.07 17:14:37 | 000,000,370 | ---- | M] () -- C:\Windows\Tasks\Ad-Aware Update (Weekly).job
[2011.04.29 19:35:51 | 000,000,220 | ---- | M] () -- C:\Windows\Tasks\OGADaily.job
[2011.05.07 17:13:48 | 000,000,220 | ---- | M] () -- C:\Windows\Tasks\OGALogon.job
[2011.05.07 17:12:22 | 000,032,510 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >
[2011.03.07 00:12:59 | 002,234,368 | R--- | M] (OldTimer Tools) -- C:\OTLPE.exe


< MD5 for: EXPLORER.EXE >
[2008.10.29 08:20:29 | 002,923,520 | ---- | M] (Microsoft Corporation) MD5=37440D09DEAE0B672A04DCCF7ABF06BE -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.16771_none_4f83bb287ccdb7e3\explorer.exe
[2008.10.29 08:29:41 | 002,927,104 | ---- | M] (Microsoft Corporation) MD5=4F554999D7D5F05DAAEBBA7B5BA1089D -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.18164_none_5177ca9879e978e8\explorer.exe
[2008.10.30 05:59:17 | 002,927,616 | ---- | M] (Microsoft Corporation) MD5=50BA5850147410CDE89C523AD3BC606E -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.22298_none_51e4f8c7931bd1e1\explorer.exe
[2009.04.11 08:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) MD5=D07D4C3038F3578FFCE1C0237F2A1253 -- C:\Windows\explorer.exe
[2009.04.11 08:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) MD5=D07D4C3038F3578FFCE1C0237F2A1253 -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6002.18005_none_53a0201e76de3a0b\explorer.exe
[2008.10.28 04:15:02 | 002,923,520 | ---- | M] (Microsoft Corporation) MD5=E7156B0B74762D9DE0E66BDCDE06E5FB -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.20947_none_5033cb5995cd990b\explorer.exe
[2008.01.21 04:22:34 | 002,927,104 | ---- | M] (Microsoft Corporation) MD5=FFA764631CB70A30065C12EF8E174F9F -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.18000_none_51b4a71279bc6ebf\explorer.exe

< MD5 for: SVCHOST.EXE >
[2008.01.21 04:21:53 | 000,021,504 | ---- | M] (Microsoft Corporation) MD5=3794B461C45882E06856F282EEF025AF -- C:\Windows\System32\svchost.exe
[2008.01.21 04:21:53 | 000,021,504 | ---- | M] (Microsoft Corporation) MD5=3794B461C45882E06856F282EEF025AF -- C:\Windows\winsxs\x86_microsoft-windows-services-svchost_31bf3856ad364e35_6.0.6001.18000_none_b5bb59a1054dbde5\svchost.exe

< MD5 for: USERINIT.EXE >
[2008.01.21 04:22:58 | 000,025,088 | ---- | M] (Microsoft Corporation) MD5=0E135526E9785D085BCD9AEDE6FBCBF9 -- C:\Windows\System32\userinit.exe
[2008.01.21 04:22:58 | 000,025,088 | ---- | M] (Microsoft Corporation) MD5=0E135526E9785D085BCD9AEDE6FBCBF9 -- C:\Windows\winsxs\x86_microsoft-windows-userinit_31bf3856ad364e35_6.0.6001.18000_none_dc28ba15d1aff80b\userinit.exe

< MD5 for: VOLSNAP.SYS >
[2006.11.02 11:51:18 | 000,208,488 | ---- | M] (Microsoft Corporation) MD5=11EF6C1CAEF76B685233450A126125D6 -- C:\Windows\System32\DriverStore\FileRepository\volume.inf_9320b452\volsnap.sys
[2009.04.11 08:32:55 | 000,226,280 | ---- | M] (Microsoft Corporation) MD5=147281C01FCB1DF9252DE2A10D5E7093 -- C:\Windows\System32\drivers\volsnap.sys
[2009.04.11 08:32:55 | 000,226,280 | ---- | M] (Microsoft Corporation) MD5=147281C01FCB1DF9252DE2A10D5E7093 -- C:\Windows\System32\DriverStore\FileRepository\volume.inf_1e6030e4\volsnap.sys
[2009.04.11 08:32:55 | 000,226,280 | ---- | M] (Microsoft Corporation) MD5=147281C01FCB1DF9252DE2A10D5E7093 -- C:\Windows\winsxs\x86_volume.inf_31bf3856ad364e35_6.0.6002.18005_none_17a2308cf936c619\volsnap.sys
[2008.01.21 04:21:29 | 000,227,896 | ---- | M] (Microsoft Corporation) MD5=D8B4A53DD2769F226B3EB374374987C9 -- C:\Windows\System32\DriverStore\FileRepository\volume.inf_f53a1785\volsnap.sys
[2008.01.21 04:21:29 | 000,227,896 | ---- | M] (Microsoft Corporation) MD5=D8B4A53DD2769F226B3EB374374987C9 -- C:\Windows\winsxs\x86_volume.inf_31bf3856ad364e35_6.0.6001.18000_none_15b6b780fc14facd\volsnap.sys

< MD5 for: WINLOGON.EXE >
[2009.04.11 08:28:13 | 000,314,368 | ---- | M] (Microsoft Corporation) MD5=898E7C06A350D4A1A64A9EA264D55452 -- C:\Windows\System32\winlogon.exe
[2009.04.11 08:28:13 | 000,314,368 | ---- | M] (Microsoft Corporation) MD5=898E7C06A350D4A1A64A9EA264D55452 -- C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.0.6002.18005_none_71ae7a22d2134741\winlogon.exe
[2008.01.21 04:22:59 | 000,314,880 | ---- | M] (Microsoft Corporation) MD5=C2610B6BDBEFC053BBDAB4F1B965CB24 -- C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.0.6001.18000_none_6fc30116d4f17bf5\winlogon.exe

< %systemroot%\*. /mp /s >

< hklm\software\clients\startmenuinternet|command /rs >
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\HideIconsCommand: "D:\Programme\Online\Firefox 4\uninstall\helper.exe" /HideShortcuts [2011.04.25 19:36:46 | 000,713,632 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\ShowIconsCommand: "D:\Programme\Online\Firefox 4\uninstall\helper.exe" /ShowShortcuts [2011.04.25 19:36:46 | 000,713,632 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\ReinstallCommand: "D:\Programme\Online\Firefox 4\uninstall\helper.exe" /SetAsDefaultAppGlobal [2011.04.25 19:36:46 | 000,713,632 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\open\command\\: firefox.exe
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\properties\command\\: "D:\Programme\Online\Firefox 4\firefox.exe" -preferences [2011.04.25 19:36:44 | 000,924,632 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\safemode\command\\: firefox.exe -safe-mode
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\HideIconsCommand: "C:\Windows\system32\ie4uinit.exe" -hide [2011.02.22 06:43:42 | 000,173,568 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ShowIconsCommand: "C:\Windows\system32\ie4uinit.exe" -show [2011.02.22 06:43:42 | 000,173,568 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ReinstallCommand: "C:\Windows\system32\ie4uinit.exe" -reinstall [2011.02.22 06:43:42 | 000,173,568 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\naom\command\\: "C:\Program Files\Internet Explorer\iexplore.exe" -extoff [2011.02.22 08:21:12 | 000,638,232 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\open\command\\: iexplore.exe

< hklm\software\clients\startmenuinternet|command /64 /rs >
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\HideIconsCommand: "D:\Programme\Online\Firefox 4\uninstall\helper.exe" /HideShortcuts [2011.04.25 19:36:46 | 000,713,632 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\ShowIconsCommand: "D:\Programme\Online\Firefox 4\uninstall\helper.exe" /ShowShortcuts [2011.04.25 19:36:46 | 000,713,632 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\ReinstallCommand: "D:\Programme\Online\Firefox 4\uninstall\helper.exe" /SetAsDefaultAppGlobal [2011.04.25 19:36:46 | 000,713,632 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\open\command\\: firefox.exe
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\properties\command\\: "D:\Programme\Online\Firefox 4\firefox.exe" -preferences [2011.04.25 19:36:44 | 000,924,632 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\safemode\command\\: firefox.exe -safe-mode
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\HideIconsCommand: "C:\Windows\system32\ie4uinit.exe" -hide [2011.02.22 06:43:42 | 000,173,568 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ShowIconsCommand: "C:\Windows\system32\ie4uinit.exe" -show [2011.02.22 06:43:42 | 000,173,568 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ReinstallCommand: "C:\Windows\system32\ie4uinit.exe" -reinstall [2011.02.22 06:43:42 | 000,173,568 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\naom\command\\: "C:\Program Files\Internet Explorer\iexplore.exe" -extoff [2011.02.22 08:21:12 | 000,638,232 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\open\command\\: iexplore.exe

========== Alternate Data Streams ==========

@Alternate Data Stream - 121 bytes -> C:\ProgramData\TEMP:DFC5A2B2
@Alternate Data Stream - 109 bytes -> C:\ProgramData\TEMP:A8ADE5D8

< End of report >
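The OTL log above is the raw material for the triage a helper does by eye: hidden+system files with no publisher sitting in ProgramData and AppData\Local, and the MD5 section that lines up the live volsnap.sys against the reference copies Windows keeps in winsxs and the DriverStore. The Python below is an added example, not OTL's code and not anything posted in this thread. It parses the two line shapes OTL uses, applies those two checks, and runs on a handful of lines copied from the log above plus one constructed winlogon.exe line whose hash was altered so that the mismatch check has something to report. The attribute and name heuristics are this example's own thresholds, not OTL's. One caveat a practitioner should keep in mind: a hash match only proves that the file, as read through the running kernel, equals the store copy. A kernel rootkit can return the clean bytes to anything that reads the file it patched, which is why inspecting the driver from an offline boot environment (the OTLPE copy at C:\OTLPE.exe in the log is one) is the reliable check.

```python
"""OTL log triage: flag odd file entries and binaries that match no store copy.

Added example; not OTL's code and not posted in this thread.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Optional, Tuple

# One OTL file line:  [date time | size | attrs | M/C] (company) [MD5=...] -- path
ENTRY_RE = re.compile(
    r"^\[(?P<date>\d{4}\.\d{2}\.\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[-A-Z]{4}) \| (?P<kind>[MC])\] "
    r"\((?P<company>[^)]*)\)"
    r"(?: MD5=(?P<md5>[0-9A-Fa-f]{32}))? -- (?P<path>.+)$"
)
OS_HIDDEN_SYSTEM = {"hiberfil.sys", "pagefile.sys"}   # legitimately -HS- in the root of C:
STORE_MARKERS = ("\\winsxs\\", "\\driverstore\\")   # Windows' own reference copies


@dataclass
class Entry:
    date: str
    size: int
    attrs: str
    kind: str
    company: str
    md5: Optional[str]
    path: str

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]


def parse(text: str) -> List[Entry]:
    """Return every file entry in an OTL log; section headers and registry lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m["date"], int(m["size"].replace(",", "")), m["attrs"], m["kind"],
                                 m["company"].strip(), m["md5"].upper() if m["md5"] else None, m["path"]))
    return entries


def _under(path: str, prefix: str) -> bool:
    return path.lower().startswith(prefix.lower())


def looks_random(name: str) -> bool:
    """Example threshold: no extension, 12+ characters, letters and digits mixed."""
    return ("." not in name and len(name) >= 12
            and any(c.isdigit() for c in name) and any(c.isalpha() for c in name))


def suspicious_files(entries: List[Entry], system_root: str = "C:\\Windows") -> List[Tuple[str, List[str]]]:
    """Entries a responder opens first. The company string is read from the file's own
    version resource, so it proves nothing (the .arl below claims Microsoft)."""
    hits = []
    for e in entries:
        reasons = []
        if ("H" in e.attrs and "S" in e.attrs and not _under(e.path, system_root)
                and e.name.lower() not in OS_HIDDEN_SYSTEM):
            reasons.append("hidden+system attributes outside %SystemRoot%")
        user_writable = _under(e.path, "C:\\ProgramData") or "\\appdata\\" in e.path.lower()
        if user_writable and not e.company and looks_random(e.name):
            reasons.append("no publisher and random-looking name in a user-writable location")
        if reasons:
            hits.append((e.path, reasons))
    return hits


def _in_store(e: Entry) -> bool:
    return any(mk in e.path.lower() for mk in STORE_MARKERS)


def unverified_binaries(entries: List[Entry]) -> List[Tuple[str, str]]:
    """Per name in the MD5 section: live copies whose hash matches no winsxs/DriverStore copy."""
    by_name = defaultdict(list)
    for e in entries:
        if e.md5:
            by_name[e.name.lower()].append(e)
    findings = []
    for group in by_name.values():
        store_hashes = {e.md5 for e in group if _in_store(e)}
        findings += [(e.path, e.md5) for e in group if not _in_store(e) and e.md5 not in store_hashes]
    return findings


# Lines copied from the log above, plus one constructed winlogon.exe line (all-zero hash)
# standing in for a live copy that no longer matches the servicing store.
SAMPLE_LOG = r"""
========== Files - Modified Within 30 Days ==========
[2011.05.07 17:13:05 | 2145,574,912 | -HS- | M] () -- C:\hiberfil.sys
[2011.05.07 16:55:39 | 000,012,214 | -HS- | M] () -- C:\ProgramData\1o48v14h3a2tp000028
[2011.05.07 07:22:09 | 000,000,098 | ---- | M] () -- C:\Windows\System32\drivers\etc\Hosts
[2011.04.29 21:15:12 | 000,348,160 | -HS- | M] (Microsoft Corporation) -- C:\Users\Nils\AppData\Local\kjt_exe_1304270595.arl
[2011.04.27 23:37:21 | 000,000,680 | -H-- | M] () -- C:\Users\Nils\AppData\Local\d3d9caps.dat
< MD5 for: VOLSNAP.SYS >
[2009.04.11 08:32:55 | 000,226,280 | ---- | M] (Microsoft Corporation) MD5=147281C01FCB1DF9252DE2A10D5E7093 -- C:\Windows\System32\drivers\volsnap.sys
[2009.04.11 08:32:55 | 000,226,280 | ---- | M] (Microsoft Corporation) MD5=147281C01FCB1DF9252DE2A10D5E7093 -- C:\Windows\winsxs\x86_volume.inf_31bf3856ad364e35_6.0.6002.18005_none_17a2308cf936c619\volsnap.sys
< MD5 for: WINLOGON.EXE >
[2009.04.11 08:28:13 | 000,314,368 | ---- | M] (Microsoft Corporation) MD5=00000000000000000000000000000000 -- C:\Windows\System32\winlogon.exe
[2009.04.11 08:28:13 | 000,314,368 | ---- | M] (Microsoft Corporation) MD5=898E7C06A350D4A1A64A9EA264D55452 -- C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.0.6002.18005_none_71ae7a22d2134741\winlogon.exe
"""

if __name__ == "__main__":
    ents = parse(SAMPLE_LOG)
    for path, why in suspicious_files(ents):
        print("SUSPECT       ", path, "|", "; ".join(why))
    for path, md5 in unverified_binaries(ents):
        print("NO STORE MATCH", path, md5)
```

On the sample, the two -HS- files in ProgramData and AppData\Local are reported (the .arl despite its Microsoft company string), hiberfil.sys and the hidden-only d3d9caps.dat are not, the real volsnap.sys passes because its hash equals the 6.0.6002.18005 winsxs copy, and only the constructed winlogon.exe line is reported as matching no store copy.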
#34
Render
    Trusted Helper
  • Malware Removal
  • 4,195 posts

One of the folders in my documents is not up to date, but only contains files created several weeks ago which means that I am missing several documents.

Give me the full path to that folder. We haven't done any fixing so far, so every file should be intact.
Did you perhaps perform a system restore in the past few days/weeks?

Please do the following now:

We need to run an OTL Fix

  • Please reopen OTL on your desktop.
  • Copy (select all lines inside the quote box and press CTRL+C) and paste (press CTRL+V) the following code into the Custom Scans/Fixes textbox.

    :OTL
    O4 - HKLM..\Run: [] File not found
    O33 - MountPoints2\{c4de58cd-60d3-11df-a300-0016d350f8dc}\Shell\AutoRun\command - "" = F:\SYSTEM\S-1-5-21-1482476501-1644491937-682003330-1013\system32.exe
    O33 - MountPoints2\{c4de58cd-60d3-11df-a300-0016d350f8dc}\Shell\open\command - "" = F:\SYSTEM\S-1-5-21-1482476501-1644491937-682003330-1013\system32.exe
    [2011.05.07 16:55:39 | 000,012,214 | -HS- | M] () -- C:\ProgramData\1o48v14h3a2tp000028
    [2011.05.07 16:55:38 | 000,012,214 | -HS- | M] () -- C:\Users\Nils\AppData\Local\1o48v14h3a2tp000028

    :File
    C:\ProgramData\1o48v14h3a2tp000028
    C:\Users\Nils\AppData\Local\1o48v14h3a2tp000028
    ipconfig /flushdns /c

    :Reg

    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [EMPTYFLASH]
    [CREATERESTOREPOINT]
    [Reboot]

  • Click on the Run Fix button.
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click on the OK button.
  • A report will open. Copy and paste that report in your next reply.
  • If the machine reboots, the log will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
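The two O33 lines in the fix above are the footprint of a removable-drive hijack: Explorer keeps a per-drive key under HKCU\...\Explorer\MountPoints2, and for one USB device both the Shell\AutoRun\command and Shell\open\command verbs had been pointed at F:\SYSTEM\<SID>\system32.exe, so double-clicking the drive in Explorer would launch that file instead of opening the drive. The Python below is an added example, not OTL's code; it parses a .reg export of that key and reports every per-drive verb that runs a command, together with the default verb Explorer would use on double-click. The export text is constructed here to mirror those two lines and includes a second, clean drive entry; the thread never posted the actual hive. The `reg export` command in the module docstring is the standard Windows way to produce such a file, not something run in this thread.

```python
r"""Find removable-drive shell-verb hijacks in a MountPoints2 .reg export.

Added example; not OTL's code and not posted in this thread. Produce the input on the
machine with:  reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2" mp2.reg
"""
import re
from typing import Iterator, List, Optional, Tuple

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^(?P<name>@|"(?:[^"\\]|\\.)*")=(?P<data>.*)$')
SHELL_RE = re.compile(r"\\MountPoints2\\(?P<guid>\{[^}]+\})\\Shell$", re.IGNORECASE)
COMMAND_RE = re.compile(r"\\MountPoints2\\(?P<guid>\{[^}]+\})\\Shell\\(?P<verb>[^\\]+)\\command$",
                        re.IGNORECASE)


def reg_string(data: str) -> Optional[str]:
    """Decode a REG_SZ literal (quoted, backslashes and quotes escaped); None for dword:/hex: data."""
    if len(data) < 2 or not (data.startswith('"') and data.endswith('"')):
        return None
    return re.sub(r"\\(.)", r"\1", data[1:-1])


def parse_reg(text: str) -> Iterator[Tuple[str, str, str]]:
    """Yield (key, value name, string) for every REG_SZ value; '' is the (default) value."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        k = KEY_RE.match(line)
        if k:
            key = k["key"]
            continue
        v = VALUE_RE.match(line)
        if v and key:
            name = "" if v["name"] == "@" else v["name"][1:-1]
            s = reg_string(v["data"])
            if s is not None:
                yield key, name, s


def mountpoint_hijacks(text: str) -> List[Tuple[str, str, str, Optional[str]]]:
    """(drive GUID, verb, command, default verb) for every per-drive verb that runs a command."""
    default_verb, commands = {}, []
    for key, name, data in parse_reg(text):
        if name:
            continue  # only (default) values carry the verb name and the command
        m = SHELL_RE.search(key)
        if m:
            default_verb[m["guid"].lower()] = data  # what Explorer runs on double-click
            continue
        m = COMMAND_RE.search(key)
        if m:
            commands.append((m["guid"].lower(), m["verb"], data))
    return [(g, v, c, default_verb.get(g)) for g, v, c in commands]


# Constructed export mirroring the two O33 lines above, plus one clean drive entry.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c4de58cd-60d3-11df-a300-0016d350f8dc}]
"BaseClass"="Drive"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c4de58cd-60d3-11df-a300-0016d350f8dc}\Shell]
@="AutoRun"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c4de58cd-60d3-11df-a300-0016d350f8dc}\Shell\AutoRun\command]
@="F:\\SYSTEM\\S-1-5-21-1482476501-1644491937-682003330-1013\\system32.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c4de58cd-60d3-11df-a300-0016d350f8dc}\Shell\open\command]
@="F:\\SYSTEM\\S-1-5-21-1482476501-1644491937-682003330-1013\\system32.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{11111111-2222-3333-4444-555555555555}]
"BaseClass"="Drive"
"""

if __name__ == "__main__":
    for guid, verb, cmd, default in mountpoint_hijacks(SAMPLE_REG):
        print(f"{guid} verb={verb} default={default} runs: {cmd}")
```

Any hit here deserves a look: a plain drive has no Shell\*\command subkeys at all, and a default verb of AutoRun means the launch happens on an ordinary double-click. Deleting the whole {GUID} key, as the OTL fix does, is the right scope, since Explorer recreates it harmlessly the next time the device is plugged in.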

#35
Render
    Trusted Helper
  • Malware Removal
  • 4,195 posts
In the attachment is a simple recovery program. Unzip it and run it as administrator. Then select your C drive (or D, if the missing files were there) and click Scan. When it finishes, check whether the missing files are there (you can also perform a deeper scan) and restore them. (Attached file: DataRecovery_EN.zip, 200.67KB)
#36
Skily
    Member
  • Topic Starter
  • 28 posts
False alarm, I had moved the folders somewhere else :)

But when Windows starts I get an error message from Windows Defender: error at initialization, 0x80070006, the handle is invalid.

Here is the OTL log:
All processes killed
========== OTL ==========
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c4de58cd-60d3-11df-a300-0016d350f8dc}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{c4de58cd-60d3-11df-a300-0016d350f8dc}\ not found.
File F:\SYSTEM\S-1-5-21-1482476501-1644491937-682003330-1013\system32.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c4de58cd-60d3-11df-a300-0016d350f8dc}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{c4de58cd-60d3-11df-a300-0016d350f8dc}\ not found.
File F:\SYSTEM\S-1-5-21-1482476501-1644491937-682003330-1013\system32.exe not found.
C:\ProgramData\1o48v14h3a2tp000028 moved successfully.
C:\Users\Nils\AppData\Local\1o48v14h3a2tp000028 moved successfully.
Error: Unable to interpret <:File> in the current context!
Error: Unable to interpret <C:\ProgramData\1o48v14h3a2tp000028> in the current context!
Error: Unable to interpret <C:\Users\Nils\AppData\Local\1o48v14h3a2tp000028> in the current context!
Error: Unable to interpret <ipconfig /flushdns /c> in the current context!
========== REGISTRY ==========
========== COMMANDS ==========
C:\Windows\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Nils
->Temp folder emptied: 8120274 bytes
->Temporary Internet Files folder emptied: 29451779 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 47979148 bytes
->Flash cache emptied: 1002 bytes

User: Public

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 141104 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 82,00 mb


[EMPTYFLASH]

User: All Users

User: Default
->Flash cache emptied: 0 bytes

User: Default User
->Flash cache emptied: 0 bytes

User: Nils
->Flash cache emptied: 0 bytes

User: Public

Total Flash Files Cleaned = 0,00 mb



OTL by OldTimer - Version 3.2.22.3 log created on 05072011_191108

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...
#37
Skily
    Member
  • Topic Starter
  • 28 posts
Ran Malwarebytes; it found 5 infections (2 Trojan.Agent, 3 Hijack.StartMenuInternet) and put them all in quarantine.
#38
Render
    Trusted Helper
  • Malware Removal
  • 4,195 posts
I would like to see the MBAM log.
#39
Skily
    Member
  • Topic Starter
  • 28 posts
Here you go, in German though

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6526

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.19048

07.05.2011 17:11:38
mbam-log-2011-05-07 (17-11-38).txt

Scan type: Quick scan
Objects scanned: 146524
Time elapsed: 3 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 1
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Users\Nils\AppData\Local\kjt.exe" -a "D:\Programme\Online\Firefox 4\firefox.exe") Good: (firefox.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Users\Nils\AppData\Local\kjt.exe" -a "D:\Programme\Online\Firefox 4\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Users\Nils\AppData\Local\kjt.exe" -a "C:\Program Files\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> Quarantined and deleted successfully.

Folders Infected:
c:\SYSTEM\s-1-5-21-1482476501-1644491937-682003330-1013 (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
c:\SYSTEM\s-1-5-21-1482476501-1644491937-682003330-1013\Desktop.ini (Trojan.Agent) -> Quarantined and deleted successfully.
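The three Hijack.StartMenuInternet entries in the log above show the pattern: the launch commands registered for Firefox and Internet Explorer under HKLM\SOFTWARE\Clients\StartMenuInternet were rewritten so that kjt.exe in the user's AppData\Local runs first and receives the real browser path as an argument. The earlier OTL custom scan listed the same values in their clean form (firefox.exe, iexplore.exe). The Python below is an added example, not Malwarebytes' or OTL's detection logic. It extracts the program a Windows command line starts (a leading double-quoted string, otherwise the first whitespace-delimited token), checks that this program is the registered browser and not a wrapper, and as a second check flags a correctly named binary that lives in a user-writable directory. The sample values are copied from the two logs above except the final one, which is constructed to exercise that second check.

```python
"""Detect StartMenuInternet launch-command hijacks.

Added example; not Malwarebytes' or OTL's detection code and not posted in this thread.
"""
import re
from typing import Iterable, List, Tuple

# What the (default) value under <client>\shell\<verb>\command should launch.
EXPECTED_LAUNCHER = {"FIREFOX.EXE": "firefox.exe", "IEXPLORE.EXE": "iexplore.exe"}
# Directories an unprivileged user can write to; no browser install lives there.
USER_WRITABLE = ("\\appdata\\", "\\programdata\\", "\\temp\\", "\\users\\public\\")
SHELL_VERB_RE = re.compile(r"StartMenuInternet\\([^\\]+)\\shell\\", re.IGNORECASE)


def program_of(command: str) -> str:
    """The program a Windows command line starts: a leading double-quoted string,
    otherwise the first whitespace-delimited token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def classify(client: str, command: str) -> Tuple[str, str]:
    """Return (verdict, program); verdict is 'ok', 'wrapper' or 'untrusted-path'."""
    program = program_of(command)
    base = program.rsplit("\\", 1)[-1].lower()
    expected = EXPECTED_LAUNCHER.get(client.upper())
    if expected and base != expected:
        return "wrapper", program         # the browser is merely an argument
    if any(mk in program.lower() for mk in USER_WRITABLE):
        return "untrusted-path", program  # right name, wrong place
    return "ok", program


def check_values(values: Iterable[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """values: (registry value path, data). Returns (path, verdict, program) per hit."""
    flagged = []
    for key, data in values:
        m = SHELL_VERB_RE.search(key)
        if not m:
            continue  # InstallInfo commands and the like are not launch verbs
        verdict, program = classify(m.group(1), data)
        if verdict != "ok":
            flagged.append((key, verdict, program))
    return flagged


SAMPLE_VALUES = [
    # Hijacked data, as quoted in the Malwarebytes log above (Bad: ...)
    (r"HKLM\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default)",
     r'"C:\Users\Nils\AppData\Local\kjt.exe" -a "D:\Programme\Online\Firefox 4\firefox.exe"'),
    (r"HKLM\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default)",
     r'"C:\Users\Nils\AppData\Local\kjt.exe" -a "D:\Programme\Online\Firefox 4\firefox.exe" -safe-mode'),
    (r"HKLM\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default)",
     r'"C:\Users\Nils\AppData\Local\kjt.exe" -a "C:\Program Files\Internet Explorer\iexplore.exe"'),
    # Clean data, as the OTL custom scan above showed it
    (r"HKLM\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default)", "firefox.exe"),
    (r"HKLM\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\properties\command\(default)",
     r'"D:\Programme\Online\Firefox 4\firefox.exe" -preferences'),
    (r"HKLM\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\naom\command\(default)",
     r'"C:\Program Files\Internet Explorer\iexplore.exe" -extoff'),
    (r"HKLM\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\InstallInfo\HideIconsCommand",
     r'"C:\Windows\system32\ie4uinit.exe" -hide'),
    # Constructed: the right binary name dropped into a user-writable folder
    (r"HKLM\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default)",
     r'"C:\Users\Nils\AppData\Local\Temp\iexplore.exe"'),
]

if __name__ == "__main__":
    for key, verdict, program in check_values(SAMPLE_VALUES):
        print(f"{verdict:15} {program}\n    at {key}")
```

The three hijacked values come back as wrapper hits naming kjt.exe, the clean ones pass, the InstallInfo command is ignored because it is not a launch verb, and the constructed Temp\iexplore.exe is reported as an untrusted path. Matching on the program that actually starts, rather than on whether the browser's name appears anywhere in the string, is what separates the two cases.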
#40
Render
    Trusted Helper
  • Malware Removal
  • 4,195 posts
Hi,

Here you go, in German though

That's no problem at all.

First of all, what antivirus program are you using? I can't see any.

Please do the following:

Step 1

Download AVPTool from here to your desktop.

Run the program you have just downloaded to your desktop (it will be randomly named).

First we will run a virus scan
  • On the first tab, select all elements down to Computer and then select Start scan.
  • Once it has finished, select Report and post that.

Do not close AVPTool or it will self-uninstall; if it does uninstall, just rerun the setup file on your desktop.

Now an analysis scan
  • Select the Manual Disinfection tab.
  • Press the Gather System Information button.
  • Once done, open the last report saved folder, then attach the zip file to your next post.
  • The file is located at C:\Users\your name\Desktop\Virus Removal Tool\setup_9.0.0.722_05.01.2011_20-34\LOG\avptool_sysinfo.zip

How to add an attachment to a new topic or reply

Step 2

It is very important that your computer has antivirus software running. This alone can save you a lot of trouble with malware in the future. I recommend that you install one of the following free antivirus solutions:

NOTE: Make sure you only use one, though!


#41
Skily
    Member
  • Topic Starter
  • 28 posts
The first time, the program closed itself after 20 minutes and 3%. I will give it a second try.
#42
Render
    Trusted Helper
  • Malware Removal
  • 4,195 posts
Yes please. :)
#43
Skily
    Member
  • Topic Starter
  • 28 posts
What a day. The same malware hit me again before Kaspersky ever finished.
As soon as I got the first error message, I ran MBAM, which found 33 items (see log below). Next I used the AVG rescue disc, which found another 4.
Finally I booted again and Kaspersky ran through (10h...). It fixed everything except volsnap.sys, which I replaced again with the original version. The Kaspersky sysinfo is attached.

What can I do to make sure the same does not happen again in 2h?


MBAM:
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6526

Windows 6.0.6002 Service Pack 2
Internet Explorer 9.0.8112.16421

08.05.2011 15:09:50
mbam-log-2011-05-08 (15-09-50).txt

Scan type: Quick scan
Objects scanned: 148295
Time elapsed: 12 minute(s), 49 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 3
Registry Keys Infected: 4
Registry Values Infected: 4
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 17

Memory Processes Infected:
c:\programdata\nuhverxdmtu.exe (Trojan.FakeAlert) -> 2636 -> Unloaded process successfully.
c:\Users\Nils\AppData\Local\Temp\Bdj.exe (Trojan.Downloader.AS) -> 3620 -> Unloaded process successfully.

Memory Modules Infected:
c:\Windows\System32\spool\prtprocs\w32x86\119E42A.tmp (Trojan.Agent) -> Delete on reboot.
c:\Users\Nils\AppData\Local\tmnuaxic.dll (Trojan.Hiloti) -> Delete on reboot.
c:\Windows\System32\sshnas21.dll (Trojan.FakeAlert) -> Delete on reboot.

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\NtWqIVLZEWZU (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\R8388QA8U8 (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\idgbn5xehg (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\ (Hijack.Zones) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ckoqi (Trojan.Hiloti) -> Value: Ckoqi -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NuHveRXdmtu (Trojan.FakeAlert) -> Value: NuHveRXdmtu -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Metropolis (Trojan.FakeAlert) -> Value: Metropolis -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\R8388QA8U8 (Trojan.Downloader.AS) -> Value: R8388QA8U8 -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallPaper (PUM.Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Windows\System32\spool\prtprocs\w32x86\119E42A.tmp (Trojan.Agent) -> Delete on reboot.
c:\Users\Nils\AppData\Local\tmnuaxic.dll (Trojan.Hiloti) -> Delete on reboot.
c:\programdata\nuhverxdmtu.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\Windows\System32\drivers\107E44A.sys (Rootkit.TDSS) -> Quarantined and deleted successfully.
c:\Users\Nils\AppData\Local\Temp\-213E8.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Users\Nils\AppData\Local\Temp\1363E8.tmp (Trojan.Agent) -> Delete on reboot.
c:\Users\Nils\AppData\Local\Temp\err.log11904779 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\Users\Nils\AppData\Local\Temp\swxcoamnre.exe (Trojan.Hiloti) -> Quarantined and deleted successfully.
c:\Users\Nils\AppData\Local\Temp\tmpD194.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\Users\Nils\AppData\Local\Temp\tmpDE7F.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\Windows\System32\sshnas21.dll (Trojan.FakeAlert) -> Delete on reboot.
c:\Users\Nils\AppData\Local\Temp\0.10716223661786284.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\Users\Nils\AppData\Local\Temp\sshnas21.dll (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\Windows\Tasks\{22116563-108c-42c0-a7ce-60161b75e508}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\Windows\Tasks\{bbaeaeaf-1275-40e2-bd6c-bc8f88bd114a}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\Windows\Tasks\{810401e2-dde0-454e-b0e2-aa89c9e5967c}.job (Trojan.FraudPack) -> Quarantined and deleted successfully.
c:\Users\Nils\AppData\Local\Temp\Bdj.exe (Trojan.Downloader.AS) -> Delete on reboot.

Kaspersky:
Automatische Untersuchung: Störung (Ereignis: 1, Objekte: 0, Zeit: Unbekannt)
08.05.2011 14:19:13 Aufgabe wurde gestartet
Automatische Untersuchung: abgeschlossen vor 1 Tag (Ereignis: 2, Objekte: 4884, Zeit: 00:13:05)
08.05.2011 14:58:35 Aufgabe wurde abgeschlossen
08.05.2011 14:45:30 Aufgabe wurde gestartet
Automatische Untersuchung: abgeschlossen vor 21 Stunden (Ereignis: 16, Objekte: 811448, Zeit: 07:05:49)
08.05.2011 17:49:43 Aufgabe wurde gestartet
08.05.2011 17:49:55 Gefunden: MEM:Rootkit.Win32.Sst.a Unbekanntes Programm
08.05.2011 17:50:32 Erstellen von Sicherungskopie unmöglich: MEM:Rootkit.Win32.Sst.a Unbekanntes Programm
08.05.2011 17:52:58 Gefunden: Virus.Win32.TDSS.e C:\Windows\system32\drivers\volsnap.sys
08.05.2011 17:55:19 Nicht desinfizierte Objekte: Virus.Win32.TDSS.e C:\Windows\system32\drivers\volsnap.sys Vom Benutzer übersprungen
08.05.2011 17:57:53 Gefunden: MEM:Rootkit.Win32.Sst.a System Memory
08.05.2011 17:59:39 Aufgabe wurde beendet
08.05.2011 18:21:48 Aufgabe wurde gestartet
08.05.2011 19:17:10 Gefunden: Trojan.Win32.FakeAV.cvao C:\Documents and Settings\Nils\AppData\Local\kjt_exe_1304876256.arl
08.05.2011 19:17:45 Gelöscht: Trojan.Win32.FakeAV.cvao C:\Documents and Settings\Nils\AppData\Local\kjt_exe_1304876256.arl
08.05.2011 19:35:06 Gefunden: Trojan-Downloader.Java.OpenConnection.eg C:\Documents and Settings\Nils\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\37\4bb6a8a5-2068259f/google/stomp.class
08.05.2011 19:37:45 Gelöscht: Trojan-Downloader.Java.OpenConnection.eg C:\Documents and Settings\Nils\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\37\4bb6a8a5-2068259f/google/stomp.class
09.05.2011 00:00:56 Gefunden: Virus.Win32.TDSS.e C:\Windows\System32\drivers\volsnap_old2.sys
09.05.2011 00:03:18 Desinfiziert: Virus.Win32.TDSS.e C:\Windows\System32\drivers\volsnap_old2.sys
09.05.2011 00:03:25 Desinfiziert: Virus.Win32.TDSS.e C:\Windows\System32\drivers\volsnap_old2.sys
09.05.2011 01:27:37 Aufgabe wurde abgeschlossen
Aktive Bedrohungen neutralisieren: abgeschlossen vor 1 Tag (Ereignis: 7, Objekte: 4625, Zeit: 00:04:02)
08.05.2011 18:03:41 Aufgabe wurde abgeschlossen
08.05.2011 18:01:37 Nicht desinfizierte Objekte: Virus.Win32.TDSS.e C:\Windows\system32\drivers\volsnap.sys Vom Benutzer übersprungen
08.05.2011 18:01:02 Gefunden: Virus.Win32.TDSS.e C:\Windows\system32\drivers\volsnap.sys
08.05.2011 17:59:39 Desinfiziert: MEM:Rootkit.Win32.Sst.a System Memory
08.05.2011 17:59:39 Desinfiziert: MEM:Rootkit.Win32.Sst.a System Memory
08.05.2011 17:59:39 Gefunden: MEM:Rootkit.Win32.Sst.a System Memory
08.05.2011 17:59:39 Aufgabe wurde gestartet

#44
Render
    Trusted Helper
  • Malware Removal
  • 4,195 posts
Hi,

I'm sorry to hear that. But is there any particular reason you haven't installed any anti-virus program?

#45
Skily
    Member
  • Topic Starter
  • 28 posts
I have installed Avira now. I never had any virus issues in so many years, so I underestimated the threat, I guess.