TechSpot

System Check on Vista SP2

By steinson
Feb 1, 2012
  1. Hi!

    I got the system check malware on a Laptop from a friend of mine with Win Vista.
    It appears, that all files were marked as "hidden" and that in the trojan appears in the auto boot. Hence, at every start of windows a lot of fake messages appeared.

    Thus, I deactivated the (random) .exe in the auto boot which came from the trojan and restarted (otherwise the scan would not work, since the laptop is relatively old...). Then I followed your instructions. Disclosed you find the log-files.

    Thanks in advance for helping me!

    steinson

    Malwarebytes Anti-Malware (Trial) 1.60.0.1800
    www.malwarebytes.org

    Database version: v2012.01.30.03

    Windows Vista Service Pack 2 x86 NTFS
    Internet Explorer 8.0.6001.19170
    - :: MOBILE [administrator]

    Protection: Enabled

    31.01.2012 09:45:43
    mbam-log-2012-01-31 (09-45-43).txt

    Scan type: Full scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 407221
    Time elapsed: 2 hour(s), 36 minute(s), 41 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 1
    HKLM\SYSTEM\CurrentControlSet\Services\tdx (Trojan.FakeAlert) -> Quarantined and deleted successfully.

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 8
    C:\WINDOWS\System32\drivers\tdx.sys (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\ProgramData\sfiGOoTHfvbW.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
    C:\Users\-\AppData\Local\Temp\oleda0.99876541177765.exe (Trojan.Downloader.lb) -> Quarantined and deleted successfully.
    C:\Users\-\AppData\Local\Temp\C60D.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Users\-\AppData\Local\Temp\ZFGDGu3qodcrKe.exe.tmp (Trojan.FakeMS) -> Quarantined and deleted successfully.
    C:\Users\-\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\6\29e36f06-3b3105bf (Trojan.Downloader.lb) -> Quarantined and deleted successfully.
    C:\Users\-\AppData\Roaming\ScanDisc.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\winsxs\x86_microsoft-windows-tdi-over-tcpip_31bf3856ad364e35_6.0.6002.18005_none_ec294157d9377403\tdx.sys (Trojan.FakeAlert) -> Quarantined and deleted successfully.

    (end)



    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit scan 2012-02-01 10:54:11
    Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-2 FUJITSU_MHW2120BH rev.8918
    Running: uw3b8evb.exe; Driver: C:\Users\-\AppData\Local\Temp\pxldypod.sys


    ---- System - GMER 1.0.15 ----

    SSDT 88C86BFE ZwCreateSection
    SSDT 88C86C08 ZwRequestWaitReplyPort
    SSDT 88C86C03 ZwSetContextThread
    SSDT 88C86C0D ZwSetSecurityObject
    SSDT 88C86C12 ZwSystemDebugControl
    SSDT 88C86B9F ZwTerminateProcess

    ---- Kernel code sections - GMER 1.0.15 ----

    .text ntkrnlpa.exe!KeSetEvent + 215 824C4998 4 Bytes [FE, 6B, C8, 88]
    .text ntkrnlpa.exe!KeSetEvent + 539 824C4CBC 4 Bytes [08, 6C, C8, 88] {OR [EAX+ECX*8-0x78], CH}
    .text ntkrnlpa.exe!KeSetEvent + 56D 824C4CF0 4 Bytes [03, 6C, C8, 88] {ADD EBP, [EAX+ECX*8-0x78]}
    .text ntkrnlpa.exe!KeSetEvent + 5D1 824C4D54 4 Bytes [0D, 6C, C8, 88]
    .text ntkrnlpa.exe!KeSetEvent + 619 824C4D9C 4 Bytes [12, 6C, C8, 88] {ADC CH, [EAX+ECX*8-0x78]}
    .text ...

    ---- User IAT/EAT - GMER 1.0.15 ----

    IAT C:\Windows\Explorer.EXE[320] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [746C7817] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[320] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [7471A86D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[320] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [746CBB22] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[320] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [746BF695] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[320] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [746C75E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[320] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [746BE7CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[320] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [746F8395] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[320] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [746CDA60] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[320] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [746BFFFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[320] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [746BFF61] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[320] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [746B71CF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[320] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [7474CAE2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[320] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [746EC8D8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[320] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [746BD968] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[320] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [746B6853] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[320] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [746B687E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[320] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [746C2AD1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)

    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0016411f4768
    Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001a6b004c1b
    Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001a6b2da1b3
    Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001a6b2da1b3@001a1651965f 0x92 0xC0 0x6B 0xB2 ...
    Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\0016411f4768 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\001a6b004c1b (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\001a6b2da1b3 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\001a6b2da1b3@001a1651965f 0x92 0xC0 0x6B 0xB2 ...

    ---- Files - GMER 1.0.15 ----

    File C:\WINDOWS\$NtUninstallKB315$\3117660392 0 bytes
    File C:\WINDOWS\$NtUninstallKB315$\3117660392\@ 2048 bytes
    File C:\WINDOWS\$NtUninstallKB315$\3117660392\bckfg.tmp 854 bytes
    File C:\WINDOWS\$NtUninstallKB315$\3117660392\cfg.ini 335 bytes
    File C:\WINDOWS\$NtUninstallKB315$\3117660392\Desktop.ini 4608 bytes
    File C:\WINDOWS\$NtUninstallKB315$\3117660392\keywords 0 bytes
    File C:\WINDOWS\$NtUninstallKB315$\3117660392\kwrd.dll 223744 bytes
    File C:\WINDOWS\$NtUninstallKB315$\3117660392\L 0 bytes
    File C:\WINDOWS\$NtUninstallKB315$\3117660392\L\vhtmwbun 72192 bytes
    File C:\WINDOWS\$NtUninstallKB315$\3117660392\U 0 bytes
    File C:\WINDOWS\$NtUninstallKB315$\3117660392\U\00000001.@ 2048 bytes
    File C:\WINDOWS\$NtUninstallKB315$\3117660392\U\00000002.@ 224768 bytes
    File C:\WINDOWS\$NtUninstallKB315$\3117660392\U\00000004.@ 1024 bytes
    File C:\WINDOWS\$NtUninstallKB315$\3117660392\U\80000000.@ 11264 bytes
    File C:\WINDOWS\$NtUninstallKB315$\3117660392\U\80000004.@ 12800 bytes
    File C:\WINDOWS\$NtUninstallKB315$\3117660392\U\80000032.@ 73216 bytes
    File C:\WINDOWS\$NtUninstallKB315$\3117660392\version 858 bytes
    File C:\WINDOWS\$NtUninstallKB315$\473084469 0 bytes

    ---- EOF - GMER 1.0.15 ----



    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 8.0.6001.19170 BrowserJavaVersion: 1.6.0_29
    Run by - at 10:55:17 on 2012-02-01
    Microsoft® Windows Vista™ Business 6.0.6002.2.1252.49.1033.18.1015.197 [GMT 1:00]
    .
    AV: Avira Desktop *Enabled/Updated* {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C}
    SP: Avira Desktop *Enabled/Updated* {4D1AAC01-E68E-63B1-344F-57F1C6DA4691}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\System32\svchost.exe -k Cognizance
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k GPSvcGroup
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\System32\spoolsv.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    C:\Windows\system32\Dwm.exe
    c:\Program Files\Hewlett-Packard\IAM\bin\asghost.exe
    C:\Windows\Explorer.EXE
    C:\WINDOWS\System32\igfxtray.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\WINDOWS\System32\igfxpers.exe
    C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTHosttr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
    C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
    C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
    C:\Program Files\MsOffice12\Office12\GrooveMonitor.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\E_FATICCE.EXE
    C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
    C:\Windows\system32\taskeng.exe
    C:\Program Files\Google\Update\1.3.21.79\GoogleCrashHandler.exe
    C:\Windows\system32\agrsmsvc.exe
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Windows\system32\svchost.exe -k bthsvcs
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe
    C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
    C:\Program Files\Microsoft\BingBar\SeaPort.EXE
    C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
    C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Program Files\TeamViewer\Version5\TeamViewer_Service.exe
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    C:\Windows\system32\SearchIndexer.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\PROGRA~1\HEWLET~1\Shared\HPQTOA~1.EXE
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\conime.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    .
    ============== Pseudo HJT Report ===============
    .
    mStart Page = hxxp://de.yahoo.com
    mSearch Page =
    uInternet Settings,ProxyOverride = *.local
    uSearchURL,(Default) = hxxp://de.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://de.search.yahoo.com
    uURLSearchHooks: ICQToolBar: {855f3b16-6d32-4fe6-8a56-bbb695989046} - c:\program files\icq6toolbar\ICQToolBar.dll
    uURLSearchHooks: H - No File
    BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\msoffice12\office12\GrooveShellExtensions.dll
    BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar2.dll
    BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "c:\program files\microsoft\bingbar\BingExt.dll"
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: Credential Manager for HP ProtectTools: {df21f1db-80c6-11d3-9483-b03d0ec10000} - c:\program files\hewlett-packard\iam\bin\ItIEAddIn.dll
    BHO: Google Gears Helper: {e0fefe40-fbf9-42ae-ba58-794ca7e3fb53} - c:\program files\google\google gears\internet explorer\0.5.36.0\gears.dll
    TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
    TB: ICQToolBar: {855f3b16-6d32-4fe6-8a56-bbb695989046} - c:\program files\icq6toolbar\ICQToolBar.dll
    TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
    TB: SciFinder Scholar Bar: {4e16a8fb-0521-46d1-aa2c-d0fc7abf6af9} - mscoree.dll
    TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "c:\program files\microsoft\bingbar\BingExt.dll"
    TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
    EB: ICQToolBar: {855f3b16-6d32-4fe6-8a56-bbb695989046} - c:\program files\icq6toolbar\ICQToolBar.dll
    uRun: [EPSON Stylus D120 Series] c:\windows\system32\spool\drivers\w32x86\3\e_faticce.exe /fu "c:\users\-\appdata\local\temp\E_S79B1.tmp" /EF "HKCU"
    uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [PTHOSTTR] c:\program files\hewlett-packard\hp protecttools security manager\PTHOSTTR.EXE /Start
    mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
    mRun: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
    mRun: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
    mRun: [HP Health Check Scheduler] c:\program files\hewlett-packard\hp health check\HPHC_Scheduler.exe
    mRun: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
    mRun: [CognizanceTS] rundll32.exe c:\progra~1\hewlet~1\iam\bin\ASTSVCC.dll,RegisterModule
    mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
    mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
    mRun: [GrooveMonitor] "c:\program files\msoffice12\office12\GrooveMonitor.exe"
    mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
    StartupFolder: c:\users\-\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\msoffice12\office12\ONENOTEM.EXE
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\bttray.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\newsho~1.lnk - c:\program files\usb_video_device\utility\remotetool\BDARemote.exe
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{08b785c1-3893-4154-b53b-f5d341d0aaaa}\Icon3E5562ED7.ico
    mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: Nach Microsoft E&xel exportieren - c:\progra~1\msoffi~1\office12\EXCEL.EXE/3000
    IE: Save YouTube Video as MP3 - c:\program files\common files\dvdvideosoft\dll\IEContextMenuY.dll/scriptY2MP3.htm
    IE: Send image to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
    IE: Send page to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
    IE: {7578ADEA-D65F-4C89-A249-B1C88B6FFC20} - c:\program files\icq7.5\ICQ.exe
    IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
    IE: {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - {0B4350D1-055F-47A3-B112-5F2F2B0D6F08} - c:\program files\google\google gears\internet explorer\0.5.36.0\gears.dll
    IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\msoffi~1\office12\ONBttnIE.dll
    IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\msoffi~1\office12\REFIEBAR.DLL
    LSP: mswsock.dll
    DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx2.hotmail.com/mail/w2/resources/VistaMSNPUpldde-de.cab
    DPF: {79E0C1C0-316D-11D5-A72A-006097BFA1AC} - hxxp://esupport.epson-europe.com/selftest/de/Prg/ESTPTest.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
    TCP: DhcpNameServer = 172.17.7.254
    TCP: Interfaces\{120F3131-73C0-4BED-89D1-6E0AFF34328A} : DhcpNameServer = 192.168.1.1
    TCP: Interfaces\{B6983C64-5A7E-48E1-B4E6-3E9C40E82CFE} : DhcpNameServer = 172.17.7.254
    Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\msoffice12\office12\GrooveSystemServices.dll
    Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
    Notify: igfxcui - igfxdev.dll
    SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\msoffice12\office12\GrooveShellExtensions.dll
    LSA: Notification Packages = scecli ASWLNPkg
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\users\-\appdata\roaming\mozilla\firefox\profiles\1xunj3qq.default\
    FF - prefs.js: browser.startup.homepage - www.studivz.net
    FF - component: c:\program files\common files\dvdvideosoft\dll\ffcontextmenuy\components\FFContextMenu.dll
    FF - component: c:\program files\google\google gears\firefox\lib\ff36\gears.dll
    FF - plugin: c:\program files\cambridgesoft\chemoffice2010\chem3d\npChem3DPlugin.dll
    FF - plugin: c:\program files\cambridgesoft\chemoffice2010\chemdraw\NPCDP32.DLL
    FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
    FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
    FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npSfAppM.dll
    FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
    FF - plugin: c:\users\-\appdata\roaming\facebook\npfbplugin_1_0_3.dll
    FF - plugin: c:\users\-\appdata\roaming\move networks\plugins\071803000001\npqmp071803000001.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [2011-11-26 36000]
    R1 PersonalSecureDrive;PersonalSecureDrive;c:\windows\system32\drivers\psd.sys [2006-12-30 32000]
    R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-6-25 74640]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-1-30 20464]
    .
    =============== Created Last 30 ================
    .
    2012-01-30 09:25:49 -------- d-----w- c:\users\-\appdata\roaming\Malwarebytes
    2012-01-30 09:25:38 -------- d-----w- c:\programdata\Malwarebytes
    2012-01-30 09:25:36 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-01-30 09:25:36 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2012-01-27 17:34:23 288 ---ha-w- c:\users\-\appdata\roaming\372DCE54.reg
    2012-01-27 17:06:52 -------- d-----w- c:\program files\iPod
    2012-01-27 17:06:25 -------- d-----w- c:\program files\iTunes
    2012-01-27 16:45:20 6557240 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{b1c66e8a-c36b-4d77-8a3a-0be53e12c76f}\mpengine.dll
    2012-01-19 16:47:12 -------- d--h--w- c:\users\-\appdata\local\{84DF0906-C790-4768-9C2B-2BED302D4F67}
    2012-01-19 16:47:07 -------- d--h--w- c:\users\-\appdata\local\{361F1858-AF1A-4389-9AA7-6633F1CB56A4}
    2012-01-18 17:26:51 440192 ----a-w- c:\windows\system32\drivers\ksecdd.sys
    2012-01-18 17:26:51 278528 ----a-w- c:\windows\system32\schannel.dll
    2012-01-18 17:26:50 72704 ----a-w- c:\windows\system32\secur32.dll
    2012-01-18 17:26:50 377344 ----a-w- c:\windows\system32\winhttp.dll
    2012-01-18 17:26:50 1259008 ----a-w- c:\windows\system32\lsasrv.dll
    2012-01-18 17:26:49 9728 ----a-w- c:\windows\system32\lsass.exe
    2012-01-17 19:44:29 -------- d--h--w- c:\users\-\appdata\local\{354A4C23-3911-4371-899D-DE20D2574000}
    2012-01-17 19:44:18 -------- d--h--w- c:\users\-\appdata\local\{08678E77-2B6F-4744-85AA-FFF13E9EAB17}
    2012-01-13 17:24:21 189952 ----a-w- c:\windows\system32\winmm.dll
    2012-01-13 17:24:20 23552 ----a-w- c:\windows\system32\mciseq.dll
    2012-01-13 17:23:52 1205064 ----a-w- c:\windows\system32\ntdll.dll
    2012-01-13 17:23:35 66560 ----a-w- c:\windows\system32\packager.dll
    2012-01-13 17:23:13 376320 ----a-w- c:\windows\system32\winsrv.dll
    2012-01-13 17:22:58 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat
    2012-01-13 17:22:44 1314816 ----a-w- c:\windows\system32\quartz.dll
    2012-01-13 17:22:43 497152 ----a-w- c:\windows\system32\qdvd.dll
    2012-01-10 19:54:47 -------- d--h--w- c:\users\-\appdata\local\{99D2A15E-52AC-4F9B-BAE0-F98EC96D9B58}
    2012-01-10 19:54:43 -------- d--h--w- c:\users\-\appdata\local\{934F61CF-849D-44F0-B4CF-7B4C97320B57}
    2012-01-07 09:46:03 548864 ----a-w- c:\program files\mozilla firefox\msvcp80.dll
    2012-01-07 09:46:03 479232 ----a-w- c:\program files\mozilla firefox\msvcm80.dll
    2012-01-07 09:46:03 43992 ----a-w- c:\program files\mozilla firefox\mozutils.dll
    2012-01-07 09:46:02 626688 ----a-w- c:\program files\mozilla firefox\msvcr80.dll
    .
    ==================== Find3M ====================
    .
    2012-01-27 17:33:23 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-12-07 09:08:58 236576 ------w- c:\windows\system32\MpSigStub.exe
    2011-11-23 13:37:27 2043904 ----a-w- c:\windows\system32\win32k.sys
    2011-11-08 14:42:19 2048 ----a-w- c:\windows\system32\tzres.dll
    .
    ============= FINISH: 10:57:54,73 ===============




    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft® Windows Vista™ Business
    Boot Device: \Device\HarddiskVolume1
    Install Date: 22.05.2007 01:13:50
    System Uptime: 01.02.2012 09:38:03 (1 hours ago)
    .
    Motherboard: Hewlett-Packard | | 30A2
    Processor: Intel(R) Celeron(R) M CPU 440 @ 1.86GHz | U10 | 1862/133mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 60 GiB total, 7,207 GiB free.
    D: is FIXED (NTFS) - 40 GiB total, 26,693 GiB free.
    E: is CDROM ()
    F: is FIXED (NTFS) - 11 GiB total, 4,872 GiB free.
    G: is FIXED (NTFS) - 2 GiB total, 1,29 GiB free.
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
    Description: Cisco Systems VPN Adapter
    Device ID: ROOT\NET\0000
    Manufacturer: Cisco Systems
    Name: Cisco Systems VPN Adapter
    PNP Device ID: ROOT\NET\0000
    Service: CVirtA
    .
    ==== System Restore Points ===================
    .
    RP962: 30.01.2012 14:29:38 - Scheduled Checkpoint
    RP963: 31.01.2012 13:04:56 - Scheduled Checkpoint
    .
    ==== Installed Programs ======================
    .
    Update for Microsoft Office 2007 (KB2508958)
    Adobe Flash Player 11 ActiveX
    Adobe Flash Player 11 Plugin
    Adobe Reader 8.1.3
    Agere Systems HDA Modem
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    Application Installer 4.00.B10
    ArcSoft ShowBiz DVD 2
    ASL_HS_Installer32
    Avira Free Antivirus
    Bing Bar
    Bonjour
    CambridgeSoft Activation Client
    CambridgeSoft BioAssay 12.0
    CambridgeSoft ChemBioOffice Ultra 2010
    CambridgeSoft ChemScript 12.0
    CambridgeSoft Desktop Inventory 12.0
    CambridgeSoft ENotebook 12.0.1
    Camera RAW Plug-In for EPSON Creativity Suite
    Cisco Systems VPN Client 5.0.06.0110
    CorelDRAW Essential Edition 3
    D3DX10
    DE
    DivX Plus Web Player
    Dropbox
    EPSON-Drucker-Software
    EPSON Attach To Email
    EPSON Easy Photo Print
    EPSON File Manager
    EPSON Scan Assistant
    EPSON Stylus C110_D120 Handbuch
    EPSON Stylus C90_91_D92 Handbuch
    Essential System Updates for Microsoft Windows Vista
    Express Burn
    Express Rip
    Facebook Plug-In
    Force 2.0
    Free YouTube to Mp3 Converter version 3.2
    GIMP 2.4.1
    Google Gears
    Google SketchUp 6
    Google Toolbar for Internet Explorer
    Google Update Helper
    Hewlett-Packard Active Check
    Hewlett-Packard Asset Agent
    HijackThis 2.0.2
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    HP Active Support Library
    HP Backup and Recovery Manager Installer
    HP BIOS Configuration for ProtectTools
    HP Credential Manager for ProtectTools
    HP Customer Experience Enhancements
    HP Easy Setup - Core
    HP Easy Setup - Frontend
    HP Help and Support
    HP Integrated Module with Bluetooth wireless technology 6.0.1.3100
    HP MULTIPLE MODEM INSTALLER for VISTA
    HP Notebook Accessories Product Tour
    HP ProtectTools Security Manager 2.00 E4
    HP Quick Launch Buttons 6.10 C1
    HP Update
    HP User Guide 0045
    HP Wireless Assistant
    iCloud
    ICQ Toolbar
    ICQ7.5
    iDump (Freeware) Build:29
    Intel(R) Graphics Media Accelerator Driver
    InterVideo DVD Check
    InterVideo WinDVD
    iPod2PC 3.9.2
    iTunes
    Java Auto Updater
    Java(TM) 6 Update 2
    Java(TM) 6 Update 29
    Java(TM) 6 Update 3
    Java(TM) 6 Update 5
    Java(TM) 6 Update 7
    Java(TM) SE Runtime Environment 6
    Junk Mail filter update
    LightScribe 1.4.124.1
    Malwarebytes Anti-Malware version 1.60.0.1800
    MathType 6
    MestReNova LITE 5.2.5-4731
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB2656353)
    Microsoft .NET Framework 1.1 Security Update (KB979906)
    Microsoft .NET Framework 3.5 SP1
    Microsoft .NET Framework 4 Client Profile
    Microsoft Application Error Reporting
    Microsoft Office 2007 Service Pack 2 (SP2)
    Microsoft Office Access MUI (German) 2007
    Microsoft Office Enterprise 2007
    Microsoft Office Excel MUI (German) 2007
    Microsoft Office File Validation Add-In
    Microsoft Office Groove MUI (German) 2007
    Microsoft Office InfoPath MUI (German) 2007
    Microsoft Office OneNote MUI (German) 2007
    Microsoft Office Outlook MUI (German) 2007
    Microsoft Office PowerPoint MUI (German) 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (German) 2007
    Microsoft Office Proof (Italian) 2007
    Microsoft Office Proofing (German) 2007
    Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
    Microsoft Office Publisher MUI (German) 2007
    Microsoft Office Shared MUI (German) 2007
    Microsoft Office Word MUI (German) 2007
    Microsoft Silverlight
    Microsoft SQL Server 2005
    Microsoft SQL Server 2005 (CSSQL05)
    Microsoft SQL Server 2005 Compact Edition [ENU]
    Microsoft SQL Server 2005 Tools
    Microsoft SQL Server Native Client
    Microsoft SQL Server Setup Support Files (English)
    Microsoft SQL Server VSS Writer
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
    MobileMe Control Panel
    Move Media Player
    Mozilla Firefox 9.0.1 (x86 de)
    MSVCRT
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB941833)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    Nur Deinstallierung der CopyTrans Suite möglich.
    OpenOffice.org 3.0
    Origin85
    OriginPro 8.5G
    Picasa 3
    PLT for Windows V7.1
    Python 2.5
    QuickTime
    Recordpad
    Roxio Creator Audio
    Roxio Creator Basic v9
    Roxio Creator Copy
    Roxio Creator Data
    Roxio Creator Tools
    Roxio Express Labeler 3
    Roxio MyDVD Basic v9
    Safari
    SciFinder Scholar 2007
    SciFinder Scholar Toolbar
    Security Update for 2007 Microsoft Office System (KB2288621)
    Security Update for 2007 Microsoft Office System (KB2288931)
    Security Update for 2007 Microsoft Office System (KB2345043)
    Security Update for 2007 Microsoft Office System (KB2553089)
    Security Update for 2007 Microsoft Office System (KB2553090)
    Security Update for 2007 Microsoft Office System (KB2584063)
    Security Update for 2007 Microsoft Office System (KB969559)
    Security Update for 2007 Microsoft Office System (KB976321)
    Security Update for CAPICOM (KB931906)
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
    Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition
    Security Update for Microsoft Office Access 2007 (KB979440)
    Security Update for Microsoft Office Groove 2007 (KB2552997)
    Security Update for Microsoft Office InfoPath 2007 (KB2510061)
    Security Update for Microsoft Office InfoPath 2007 (KB979441)
    Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition
    Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition
    Security Update for Microsoft Office Publisher 2007 (KB2596705) 32-Bit Edition
    Security Update for Microsoft Office system 2007 (972581)
    Security Update for Microsoft Office system 2007 (KB974234)
    Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
    Security Update for Microsoft Office Word 2007 (KB2344993)
    Segoe UI
    Shared Add-in Support Update for Microsoft .NET Framework 2.0 (KB908002)
    Skype Click to Call
    Skype™ 5.5
    Sonic Activation Module
    SoundMAX
    SoundTap
    Spelling Dictionaries Support For Adobe Reader 8
    STARWARS: The Battle of Endor version 2.1
    STATISTICA 8.0.725.0 CS
    STATISTICA CambridgeSoft Integration
    STATNOVAPDF (novaPDF Professional Server 5.4 printer)
    Switch Uninstall
    Synaptics Pointing Device Driver
    TeamViewer 5
    Texas Instruments PCIxx21/x515/xx12 drivers.
    TIPCI
    Uninstall 1.0.0.1
    Update für Microsoft Office Excel 2007 Help (KB963678)
    Update für Microsoft Office Outlook 2007 Help (KB963677)
    Update für Microsoft Office Powerpoint 2007 Help (KB963669)
    Update für Microsoft Office Word 2007 Help (KB963665)
    Update for 2007 Microsoft Office System (KB967642)
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
    Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
    Update for Microsoft Office 2007 suites (KB2596651) 32-Bit Edition
    Update for Microsoft Office 2007 suites (KB2596686) 32-Bit Edition
    Update for Microsoft Office 2007 suites (KB2596789) 32-Bit Edition
    Update for Microsoft Office 2007 System (KB2539530)
    Update for Microsoft Office Excel 2007 (KB2596596) 32-Bit Edition
    Update for Microsoft Office OneNote 2007 (KB980729)
    Update for Microsoft Office Outlook 2007 (KB2583910)
    Update Manager
    USB Audio/Video Driver
    VC80CRTRedist - 8.0.50727.4053
    VideoLAN VLC media player 0.8.6c
    Vista Default Settings
    WavePad Uninstall
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live ID Sign-in Assistant
    Windows Live Installer
    Windows Live Mail
    Windows Live Messenger
    Windows Live MIME IFilter
    Windows Live Movie Maker
    Windows Live Photo Common
    Windows Live Photo Gallery
    Windows Live PIMT Platform
    Windows Live SOXE
    Windows Live SOXE Definitions
    Windows Live Sync
    Windows Live UX Platform
    Windows Live UX Platform Language Pack
    Windows Live Writer
    Windows Live Writer Resources
    Windows Media Player Firefox Plugin
    WinRAR
    WinZip 12.1
    .
    ==== Event Viewer Messages From Past Week ========
    .
    30.01.2012 15:44:12, Error: Service Control Manager [7001] - The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error: The dependency service or group failed to start.
    30.01.2012 15:44:07, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD avipbb avkmgr CSC DfsC NetBIOS netbt nsiproxy PSched RasAcd rdbss Smb spldr ssmdrv tdx Wanarpv6
    30.01.2012 15:44:07, Error: Service Control Manager [7001] - The Workstation service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
    30.01.2012 15:44:07, Error: Service Control Manager [7001] - The WebDav Client Redirector Driver service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.
    30.01.2012 15:44:07, Error: Service Control Manager [7001] - The WebClient service depends on the WebDav Client Redirector Driver service which failed to start because of the following error: The dependency service or group failed to start.
    30.01.2012 15:44:07, Error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the Ancilliary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
    30.01.2012 15:44:07, Error: Service Control Manager [7001] - The SMB MiniRedirector Wrapper and Engine service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.
    30.01.2012 15:44:07, Error: Service Control Manager [7001] - The SMB 2.0 MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
    30.01.2012 15:44:07, Error: Service Control Manager [7001] - The SMB 1.x MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
    30.01.2012 15:44:07, Error: Service Control Manager [7001] - The Network Store Interface Service service depends on the NSI proxy service service which failed to start because of the following error: A device attached to the system is not functioning.
    30.01.2012 15:44:07, Error: Service Control Manager [7001] - The Network Location Awareness service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
    30.01.2012 15:44:07, Error: Service Control Manager [7001] - The DNS Client service depends on the NetIO Legacy TDI Support Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    30.01.2012 15:44:07, Error: Service Control Manager [7001] - The DHCP Client service depends on the Ancilliary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
    30.01.2012 15:44:07, Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.
    30.01.2012 15:44:05, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
    30.01.2012 15:43:20, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netprofm with arguments "" in order to run the server: {A47979D2-C419-11D9-A5B4-001185AD2B89}
    30.01.2012 15:43:20, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}
    30.01.2012 15:43:18, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    30.01.2012 15:43:12, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
    30.01.2012 15:13:48, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Microsoft .NET Framework NGEN v4.0.30319_X86 service to connect.
    30.01.2012 10:25:58, Error: netbt [4307] - Initialization failed because the transport refused to open initial addresses.
    30.01.2012 09:31:01, Error: Service Control Manager [7022] - The Windows Update service hung on starting.
    27.01.2012 19:07:01, Error: Service Control Manager [7043] - The Windows Update service did not shut down properly after receiving a preshutdown control.
    27.01.2012 18:46:06, Error: Service Control Manager [7000] - The iPod-Dienst service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    27.01.2012 18:46:00, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the iPod-Dienst service to connect.
    27.01.2012 18:46:00, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1053" attempting to start the service iPod Service with arguments "" in order to run the server: {063D34A4-BF84-4B8D-B699-E8CA06504DDE}
    01.02.2012 10:10:28, Error: Service Control Manager [7003] - The DHCP Client service depends the following service: Tdx. This service might not be installed.
    01.02.2012 10:10:28, Error: Service Control Manager [7001] - The WinHTTP Web Proxy Auto-Discovery Service service depends on the DHCP Client service which failed to start because of the following error: The dependency service does not exist or has been marked for deletion.
    01.02.2012 09:41:14, Error: Service Control Manager [7023] - The Computer Browser service terminated with the following error: The specified service does not exist as an installed service.
    01.02.2012 09:41:14, Error: Service Control Manager [7003] - The IPsec Policy Agent service depends the following service: BFE. This service might not be installed.
    01.02.2012 09:41:14, Error: Service Control Manager [7003] - The IKE and AuthIP IPsec Keying Modules service depends the following service: BFE. This service might not be installed.
    01.02.2012 09:41:14, Error: Service Control Manager [7003] - The DNS Client service depends the following service: Tdx. This service might not be installed.
    01.02.2012 09:41:14, Error: Service Control Manager [7000] - The Parallel port driver service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
    .
    ==== End Of File ===========================
     
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Welcome to TechSpot! I'll be glad to help with the malware.

    You do have a rogue security malware,. but I believe it comes from a different rogue due to your description of the .exe files. So let's do the following:

    1. If the programs, icons, desktop, etc. appear to be 'missing', please run he following:
    Download Unhide.exe and save to the desktop.
    • Double-click on Unhide.exe icon to run the program.
    • This program will remove the +H, or hidden, attribute from all the files on your hard drives.
    Note 1: This does not remove the malware- only the attribute causing the 'missing' problem.So it is important for you to continue.
    =========================================
    2. This changes settings on your computer so that when you launch an executable, a file ending with .exe, it will instead launch the infection rather than the desired program.
    To fix you start here: Download a Registry file that will fix these changes.

    Please download FixNCR.reg and save it to a removable media such as a CD/DVD, external Drive, or USB flash drive.
    • Insert the removable device into the infected computer and open the folder the drive letter associated with it.(Usually C)
    • Double click the FixNCR.reg file
    • You should now be able to run the .exe files.

    3. To end the processes that belong to the rogue program:
    Please click on RKill
    • At the download page, click on Download now button for iExplore.exe download link and save to the desktop
    • Double click on the iExplore.exe icon
    • Please be patient- it may take a bit.
    • The black Window will close when through and you can continue.
    Note: If you get a message that RKill is malware, ignore it> it's from the malware.
    =======================================
    Do not reboot your computer after running RKill as the malware programs will start again.
    ========================================
    4. Update and rescan with Malwarebytes:
    • Select Perform Full Scan on the Scanner tab
    • Click on the Scan button.
    • When scan has finished, you will see this image:
      [​IMG]
    • Click on OK to close box and continue.
    • Click on the Show Results button.
    • Click on the Remove Selected button to remove all the listed malware.
    • At end of malware removal, the scan log opens and displays in Notepad. Be sure to click on Format> Uncheck Word Wrap before copying the log to paste in your next reply.
    ==============================
    5. Now run Combofix- we will let this program remove some of the entries for us:
    Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    --------------------------------------
    Expect these- they are normal:
    1. If asked to install or or update the Recovery Console, allow. (you will need internet connection for this)
    2. Before you run the Combofix scan, please disable any security software you have running.
    3. Combofix may need to reboot your computer more than once to do its job this is normal.

    Download Combofix from HERE or HERE and save to the desktop
    • Double click combofix.exe [​IMG]& follow the prompts.
    • If prompted for Recovery Console, please allow.
    • Once installed, you should see a blue screen prompt that says:
      • The Recovery Console was successfully installed.[/b]
      • Note: If Combofix was downloaded to a flash drive, the Recovery Console will not install- just bypass and go on.[/b]
      • Note: No query will be made if the Recovery Console is already on the system.
    • .Close/disable all anti virus and anti malware programs
      (If you need help with this, please see HERE)
    • .Close any open browsers.
    • .Click on Yes, to continue scanning for malware
    • .If Combofix asks you to update the program, allow
    • When the scan completes , a report will be generated-it will open a text window. Please paste the C:\ComboFix.txt in next reply..
    Re-enable your Antivirus software.
    Note 1:Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    Note 2:If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer.
    Note 3:CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    =============================================
    Note: If you have any problem with these scan, stop and let me know. Do not attempt a workaround.
    Please leave logs for Mbam Full Scan, Combofix
    ===================================
    My Guidelines: please read and follow:
    • Be patient. Malware cleaning takes time. I am also working with other members while I am helping you.
    • Read my instructions carefully. If you don't understand or have a problem, ask me. Follow the order of the tasks I give you. Order is crucial in cleaning process.
    • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
    • File sharing programs should be uninstalled or disabled during the cleaning process..
    • Observe these:
      [o] Don't follow directions given to someone else
      [o] Don't use any other cleaning programs or scans while I'm helping you.
      [o] Don't use a Registry cleaner or make any changes in the Registry.
      [o] Don't download and install new programs- except those I give you.

    If I haven't replied back to you within 48 hours, you can send a PMwith your thread link in it as a reminder. Do not include technical problems from your thread. Support is given only in the forum.
    Threads are closed after 5 days if there is no reply.
     
  3. steinson

    steinson TS Rookie Topic Starter

    Hi Bobbye!

    Thanks for the help!
    I managed to unhide all files with the proposed tool. Furthermore the step with the new registry entries and rkill worked fine. The log of the subsequent mbam check lead to no alerts, but see by yourself:

    Malwarebytes Anti-Malware (Trial) 1.60.0.1800
    www.malwarebytes.org

    Database version: v2012.01.30.03

    Windows Vista Service Pack 2 x86 NTFS
    Internet Explorer 8.0.6001.19170
    - :: MOBILE [administrator]

    Protection: Enabled

    01.02.2012 18:43:57
    mbam-log-2012-02-01 (18-43-57).txt

    Scan type: Full scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 407227
    Time elapsed: 2 hour(s), 47 minute(s), 23 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    (end)


    Unfortunately the ComboFix scan is not working for me. Although I deactivated Avira as well as the MBAM, the tool reminded me, that Avira was still running. Nevertheless I started - as you proposed - the scan. The tool suceeded in generating a new restoring point, but the scan would last forever. So I interrupted the scan after approx 24 hours. Any tips how to deal with it?

    Thanks in advance!

    steinson
     
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Okay, give this a try for Combofix: If #1 works, you don't need to continue with #2.

    NOTE: If, for some reason, Combofix refuses to run, try one of the following:
    1. Run Combofix from Safe Mode. If it won't run, go one to #2.

    2. Delete Combofix file, download fresh one, but rename combofix.exe to
    friday.exe BEFORE saving it to your desktop.
    Do NOT run it yet.

    3.See which one of the following runs. You do not need to download all three versions:
    This is a slight variation on the RKill:
    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.
    • Rkill.com
    • Rkill.scr
    • Rkill.exe
    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run, add the following:

    Please download exeHelper by Raktor and save it to your desktop.
    • Double-click on exeHelper.com or exeHelper.scr to run the fix tool.
    • A black window should pop up, press any key to close once the fix is completed.
    • A log file called exehelperlog.txt will be created and should open at the end of the scan)
    • A copy of that log will also be saved in the directory where you ran exeHelper.com
    • Copy and paste the contents of exehelperlog.txt in your next reply.

    Note: If the window shows a message that says "Error deleting file", please re-run the tool again before posting a log and then post the two logs together (they both will be in the one file).
    (Directions courtesy bleeping computer)

    4. With both RKill and exehelper on board:
    Go right to the renamed (Combofix) and double click on friday.exe to run
    If it won't run in Normal Mode, run BOTH tools from safe mode, then try the double click on friday.exe to run.

    If successful, please leave RKill, Exehelper and Combofix logs.
    If not successful, we will leave this for now and run a different scan.
     
  5. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Adding: whether you are able or not to run Combofix, you have 6 outdated versions of Java on the system that need to be removed. These are all vulnerabilities and will cause malware in the Java cache. Normally this would be done later, but I don't see ny reason to allow more malware in. Please run the following:

    You have multiple old versions of Java and do not have the current version. The best way to handle that is to run the following: Note: I do not want this log!

    Please download JavaRa and unzip it to your desktop.

    Important!***Please close any instances of Internet Explorer before continuing!***
    • Double-click on JavaRa.exe to start the program.
    • From the drop-down menu, choose English and click on Select.
    • JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
    • Click Yes when prompted. When JavaRa is done, a notice will appear that
      a logfile has been produced. Click OK.
    • A logfile will pop up. Please save it to a convenient location.Note: Do not leave this log.
    Download and install then most current version and update of Java RuntimeEnvironment (JRE)HERE.
    Note: Uncheck 'Install Yahoo Toolbar' on the download screen before you do the update.
    ===========================================
    To clear the Java Plug-in cache:

    • [1]. Click Start > Control Panel.
      [2]. Double-click the Java icon in the control panel. [​IMG] The Java Control Panel appears.
      [​IMG]
      [3].Click Settings under Temporary Internet Files.The Temporary Files Settings dialog box appears.
      [​IMG]
      [4] Click Delete Files.The Delete Temporary Files dialog box appears.
      [​IMG]
      [5]. Click OK on Delete Temporary Files window.
      Note: This deletes all the Downloaded Applications and Applets from the cache.
      [6]. Click Apply> OK on Temporary Files Settings window.
    Images courtesy java.com
     
  6. steinson

    steinson TS Rookie Topic Starter

    Hi Bobbye!

    Unfortunately I had no success. The rkill and exehelper tool ran succesfully, however the Combofix tool (even after doing all suggestions you have given) won't really work. The scan is running already for 12 hours again...
    [Edit]
    Good news. In the safe mode (after approx. 14 hours...) ComboFix finished and told me that it found rootkit activity in "C:\Documents and Settings\ReleaseEngineer.MACROVISION\Application Data\ntos.exe" and said it must now reboot. Which is already done. However, should I start the scan again?
    [/Edit]

    However I could get rid of the old Java files.

    Any hints how to continue?

    Thanks in advance!

    steinson
     
  7. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Please search system for the log Combofix produced.
     
  8. steinson

    steinson TS Rookie Topic Starter

    Hey!

    The problem was (of course...) sitting in front of the screen ;-)
    Due to the safe mode, the restart "killed" combofix. Hence I started the scan new from "normal mode". Now the scan ended successfully!

    Here are the desired logs:

    RKILL:

    This log file is located at C:\rkill.log.
    Please post this only if requested to by the person helping you.
    Otherwise you can close this log when you wish.

    Rkill was run on 06.02.2012 at 12:52:00.
    Operating System: Windows Vista (TM) Business


    Processes terminated by Rkill or while it was running:

    C:\Windows\system32\WUDFHost.exe
    C:\Users\-\Desktop\rkill.com


    Rkill completed on 06.02.2012 at 12:52:12.

    exehelper:

    exeHelper by Raktor
    Build 20100414
    Run at 12:53:53 on 02/06/12
    Now searching...
    Checking for numerical processes...
    Checking for sysguard processes...
    Checking for bad processes...
    Checking for bad files...
    Checking for bad registry entries...
    Resetting filetype association for .exe
    Resetting filetype association for .com
    Resetting userinit and shell values...
    Resetting policies...
    --Finished--

    and ComboFix:

    ComboFix 12-02-06.01 - - 07.02.2012 14:18:44.1.1 - x86
    Microsoft® Windows Vista™ Business 6.0.6002.2.1252.49.1033.18.1015.410 [GMT 1:00]
    ausgeführt von:: c:\users\-\Desktop\friday.exe.exe
    AV: Avira Desktop *Enabled/Updated* {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C}
    SP: Avira Desktop *Enabled/Updated* {4D1AAC01-E68E-63B1-344F-57F1C6DA4691}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    (((((((((((((((((((((((((((((((((((( Weitere Löschungen ))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\ReleaseEngineer.MACROVISION\Application Data\64dlls.exe
    c:\documents and settings\ReleaseEngineer.MACROVISION\Application Data\intel64.exe
    c:\documents and settings\ReleaseEngineer.MACROVISION\Application Data\Kernel32.exe
    c:\documents and settings\ReleaseEngineer.MACROVISION\Application Data\localsys64.exe
    c:\documents and settings\ReleaseEngineer.MACROVISION\Application Data\ntos.exe
    c:\documents and settings\ReleaseEngineer.MACROVISION\Application Data\oembios.exe
    c:\documents and settings\ReleaseEngineer.MACROVISION\Application Data\sdra64.exe
    c:\documents and settings\ReleaseEngineer.MACROVISION\Application Data\sdra73.exe
    c:\documents and settings\ReleaseEngineer.MACROVISION\Application Data\swin32.exe
    c:\documents and settings\ReleaseEngineer.MACROVISION\Application Data\twex.exe
    c:\documents and settings\ReleaseEngineer.MACROVISION\Application Data\twext.exe
    c:\documents and settings\ReleaseEngineer.MACROVISION\Application Data\wsnpoema.exe
    c:\program files\Common Files\Uninstall
    c:\users\-\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Check
    c:\users\-\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Check\System Check.lnk
    c:\users\-\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Check\Uninstall System Check.lnk
    c:\windows\system\GRID32.OCX
    c:\windows\system\olepro32.dll
    c:\windows\system\Stdole2.tlb
    F:\Autorun.inf
    .
    c:\windows\system32\drivers\tdx.sys . . . fehlt!!
    .
    .
    ((((((((((((((((((((((( Dateien erstellt von 2012-01-07 bis 2012-02-07 ))))))))))))))))))))))))))))))
    .
    .
    2012-02-07 13:45 . 2012-02-07 13:45 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-02-07 13:45 . 2012-02-07 13:45 -------- d-----w- c:\users\Claudio\AppData\Local\temp
    2012-02-07 13:05 . 2012-02-07 13:06 -------- d-----w- C:\ComboFix
    2012-02-03 15:59 . 2008-01-19 05:55 71680 ----a-w- c:\windows\system32\tdx.sys
    2012-01-30 09:25 . 2012-01-30 09:25 -------- d-----w- c:\users\-\AppData\Roaming\Malwarebytes
    2012-01-30 09:25 . 2012-01-30 09:25 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2012-01-30 09:25 . 2011-12-10 14:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-01-27 17:34 . 2012-01-27 17:34 288 ----a-w- c:\users\-\AppData\Roaming\372DCE54.reg
    2012-01-27 17:06 . 2012-01-27 17:06 -------- d-----w- c:\program files\iPod
    2012-01-27 17:06 . 2012-01-27 17:09 -------- d-----w- c:\program files\iTunes
    2012-01-18 17:26 . 2011-11-17 06:48 440192 ----a-w- c:\windows\system32\drivers\ksecdd.sys
    2012-01-18 17:26 . 2011-11-16 16:23 278528 ----a-w- c:\windows\system32\schannel.dll
    2012-01-18 17:26 . 2011-11-16 16:23 377344 ----a-w- c:\windows\system32\winhttp.dll
    2012-01-18 17:26 . 2011-11-16 16:23 72704 ----a-w- c:\windows\system32\secur32.dll
    2012-01-18 17:26 . 2011-11-16 16:21 1259008 ----a-w- c:\windows\system32\lsasrv.dll
    2012-01-18 17:26 . 2011-11-16 14:12 9728 ----a-w- c:\windows\system32\lsass.exe
    2012-01-13 17:24 . 2011-10-14 16:03 189952 ----a-w- c:\windows\system32\winmm.dll
    2012-01-13 17:24 . 2011-10-14 16:00 23552 ----a-w- c:\windows\system32\mciseq.dll
    2012-01-13 17:23 . 2011-11-18 20:23 1205064 ----a-w- c:\windows\system32\ntdll.dll
    2012-01-13 17:23 . 2011-11-18 17:47 66560 ----a-w- c:\windows\system32\packager.dll
    2012-01-13 17:23 . 2011-11-25 15:59 376320 ----a-w- c:\windows\system32\winsrv.dll
    2012-01-13 17:22 . 2011-12-01 15:21 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
    2012-01-13 17:22 . 2011-10-25 15:58 1314816 ----a-w- c:\windows\system32\quartz.dll
    2012-01-13 17:22 . 2011-10-25 15:58 497152 ----a-w- c:\windows\system32\qdvd.dll
    .
    .
    .
    (((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-02-06 11:47 . 2010-04-28 16:57 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2012-01-27 17:33 . 2011-05-25 13:58 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-01-06 04:19 . 2012-01-27 16:45 6557240 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{B1C66E8A-C36B-4D77-8A3A-0BE53E12C76F}\mpengine.dll ERROR(0x00000005)
    2012-01-06 04:19 . 2007-10-08 18:23 6557240 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll ERROR(0x00000005)
    2011-12-09 07:35 . 2011-11-26 17:46 134856 ----a-w- c:\windows\system32\drivers\avipbb.sys
    2011-12-07 09:08 . 2009-10-03 11:27 236576 ------w- c:\windows\system32\MpSigStub.exe
    2011-11-23 13:37 . 2011-12-15 14:48 2043904 ----a-w- c:\windows\system32\win32k.sys
    2012-01-07 09:46 . 2011-05-10 15:48 121816 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    (((((((((((((((((((((((((((( Autostartpunkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
    @="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
    2011-02-18 05:12 94208 ----a-w- c:\users\-\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
    @="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
    2011-02-18 05:12 94208 ----a-w- c:\users\-\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
    @="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
    2011-02-18 05:12 94208 ----a-w- c:\users\-\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-12-18 98304]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-12-18 106496]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2006-12-18 81920]
    "PTHOSTTR"="c:\program files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE" [2006-11-14 139264]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-11-14 815104]
    "WAWifiMessage"="c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2006-10-18 317152]
    "hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2006-10-18 472800]
    "HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2006-12-04 46704]
    "QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-11-06 159744]
    "CognizanceTS"="c:\progra~1\HEWLET~1\IAM\Bin\ASTSVCC.dll" [2003-12-23 17920]
    "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-10-05 59240]
    "GrooveMonitor"="c:\program files\MsOffice12\Office12\GrooveMonitor.exe" [2008-10-25 31072]
    "APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-01 59240]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-10-19 258512]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-01-16 421736]
    "Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-12-24 460872]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
    .
    c:\users\-\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    OneNote 2007 Bildschirmausschnitt- und Startprogramm.lnk - c:\program files\MsOffice12\Office12\ONENOTEM.EXE [2009-2-26 97680]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    BTTray.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-11-3 703280]
    NewShortcut1.lnk - c:\program files\USB_video_device\Utility\RemoteTool\BDARemote.exe [N/A]
    VPN Client.lnk - c:\windows\Installer\{08B785C1-3893-4154-B53B-F5D341D0AAAA}\Icon3E5562ED7.ico [2010-2-20 6144]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "aux"=wdmaud.drv
    .
    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^DVD Check.lnk]
    path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\DVD Check.lnk
    backup=c:\windows\pss\DVD Check.lnk.CommonStartup
    backupExtension=.CommonStartup
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2008-10-15 00:04 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2011-10-24 13:28 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
    bthsvcs REG_MULTI_SZ BthServ
    Cognizance REG_MULTI_SZ ASBroker ASChannel
    LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
    .
    Inhalt des "geplante Tasks" Ordners
    .
    2012-02-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-10-20 16:06]
    .
    2012-02-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-10-20 16:06]
    .
    .
    ------- Zusätzlicher Suchlauf -------
    .
    mStart Page = hxxp://de.yahoo.com
    uInternet Settings,ProxyOverride = *.local
    uSearchURL,(Default) = hxxp://de.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://de.search.yahoo.com
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: Nach Microsoft E&xel exportieren - c:\progra~1\MSOFFI~1\Office12\EXCEL.EXE/3000
    IE: Save YouTube Video as MP3 - c:\program files\Common Files\DVDVideoSoft\Dll\IEContextMenuY.dll/scriptY2MP3.htm
    IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    IE: {{7578ADEA-D65F-4C89-A249-B1C88B6FFC20} - c:\program files\ICQ7.5\ICQ.exe
    TCP: DhcpNameServer = 172.17.7.254
    FF - ProfilePath -
    .
    - - - - Entfernte verwaiste Registrierungseinträge - - - -
    .
    Toolbar-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
    WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
    HKLM-Run-HP Software Update - c:\program files\Hp\HP Software Update\HPWuSchd2.exe
    MSConfigStartUp-sfiGOoTHfvbW - c:\programdata\sfiGOoTHfvbW.exe
    AddRemove-STARWARS: The Battle of Endor v2.1_is1 - c:\program files\STARWARS_TheBattleOfEndor_v21\unins000.exe
    AddRemove-_{ADDBE07D-95B8-4789-9C76-187FFF9624B4} - c:\program files\Corel\CorelDRAW Essential Edition 3\Programs\MSILauncher {ADDBE07D-95B8-4789-9C76-187FFF9624B4}
    AddRemove-{E8A602BF-C276-4DB2-A9FF-B4C30EA1CB7C}_is1 - c:\program files\iDump (Freeware)\unins000.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-02-07 14:56
    Windows 6.0.6002 Service Pack 2 NTFS
    .
    Scanne versteckte Prozesse...
    .
    Scanne versteckte Autostarteinträge...
    .
    Scanne versteckte Dateien...
    .
    .
    c:\users\-\AppData\Local\Temp\catchme.dll 53248 bytes executable
    .
    Scan erfolgreich abgeschlossen
    versteckte Dateien: 1
    .
    **************************************************************************
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\msftesql$CSSQL05]
    "ImagePath"="\"c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe\" -s:MSSQL.1 -f:CSSQL05"
    .
    --------------------- Gesperrte Registrierungsschluessel ---------------------
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    "MSCurrentCountry"=dword:000000b5
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    --------------------- Durch laufende Prozesse gestartete DLLs ---------------------
    .
    - - - - - - - > 'Explorer.exe'(3692)
    c:\users\-\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
    c:\program files\Adobe\Reader 8.0\Reader\viewerps.dll
    .
    ------------------------ Weitere laufende Prozesse ------------------------
    .
    c:\program files\Avira\AntiVir Desktop\sched.exe
    c:\program files\Hewlett-Packard\IAM\bin\asghost.exe
    c:\program files\Google\Update\1.3.21.79\GoogleCrashHandler.exe
    c:\windows\system32\agrsmsvc.exe
    c:\program files\Avira\AntiVir Desktop\avguard.exe
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Cisco Systems\VPN Client\cvpnd.exe
    c:\program files\Common Files\LightScribe\LSSrvc.exe
    c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe
    c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
    c:\program files\Microsoft\BingBar\SeaPort.EXE
    c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
    c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    c:\program files\TeamViewer\Version5\TeamViewer_Service.exe
    c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
    c:\program files\Avira\AntiVir Desktop\avshadow.exe
    c:\windows\system32\conime.exe
    c:\windows\system32\wbem\unsecapp.exe
    c:\program files\Hewlett-Packard\HP Health Check\hphc_service.exe
    c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe
    c:\program files\Adobe\Reader 8.0\Reader\AcroRd32Info.exe
    .
    **************************************************************************
    .
    Zeit der Fertigstellung: 2012-02-07 15:06:42 - PC wurde neu gestartet
    ComboFix-quarantined-files.txt 2012-02-07 14:06
    .
    Vor Suchlauf: 8.030.580.736 bytes free
    Nach Suchlauf: 9.844.678.656 bytes free
    .
    - - End Of File - - 873143EE87BF1C21EC4FE89761498FFC


    Thanks for your patience! What are the next steps?

    Bye,

    steinson
     
  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Please note: I will be Offline on Wednesday, 2/8 and Thursday, 2/9. When I return on Friday, 2/10, I will pick up the oldest threads first.
     
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Thank you for your patience.
    Translation from German shows me a driver file is missing. So we need to see if it's somewhere else on the system: Am I correct> fehlt means missing?

    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2


    For 64bit: http://jpshortstuff.247fixes.com/SystemLook_x64.exe
    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
      Code:
      
      :filefind
      tdx.*
      
      
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt
    ======================================
    You may have a flash drive infection. (Drive F) These worms travel through your portable drives. If they have been connected to other machines, they may now be infected.

    Please disinfect all movable drives
    1. Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
    2. Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
      Note: Some security programs will flag Flash_Disinfector as being some sort of malware, you can safely ignore these warnings
    3. The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
    4. Wait until it has finished scanning and then exit the program.
    5. Reboot your computer when done.

    Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder. It will help protect your drives from future infection.
    =================
    Please run this Custom CFScript:

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad> click on Format> Uncheck 'Word Wrap> and copy/paste the text in the code below into it:
    Code:
    File::
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=-
    DDS::
    IE: {{7578ADEA-D65F-4C89-A249-B1C88B6FFC20} - c:\program files\ICQ7.5\ICQ.exe
    uURLSearchHooks: ICQToolBar: {855f3b16-6d32-4fe6-8a56-bbb695989046} - c:\program files\icq6toolbar\ICQToolBar.dll
    uURLSearchHooks: H - No File
    BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
    
    Clearjavacache::
    
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [​IMG]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste into to your next reply.
    ====================
    • Download the file TDSSKiller.zip and save to the desktop.
      (If you are unable to download the file for some reason, then TDSS may be blocking it. You would then need to download it first to a clean computer and then transfer it to the infected one using an external drive or USB flash drive.)
    • Right-click the tdsskiller.zip file> Select Extract All into a folder on the infected (or potentially infected) PC.
    • Double click on TDSSKiller.exe. to run the scan
    • When the scan is over, the utility outputs a list of detected objects with description.
      The utility automatically selects an action (Cure or Delete) for malicious objects.
      The utility prompts the user to select an action to apply to suspicious objects (Skip, by default).
    • Select the action Quarantine to quarantine detected objects.
      The default quarantine folder is in the system disk root folder, e.g.: C:\TDSSKiller_Quarantine\23.07.2010_15.31.43
    • After clicking Next, the utility applies selected actions and outputs the result. Save and post log.
    • A reboot is required after disinfection.
    ==============================================
    To run the Eset Online Virus Scan:
    If you use Internet Explorer:
    1. Open the ESETOnlineScan
    2. Skip to #4 to "Continue with the directions"

      If you are using a browser other than Internet Explorer
    3. Open Eset Smart Installer
      [o] Click on the esetsmartinstaller_enu.exelink and save to the desktop.
      [o] Double click on the desktop icon to run.
      [o] After successful installation of the ESET Smart Installer, the ESET Online Scanner will be launched in a new Window
    4. Continue with the directions.
    5. Check 'Yes I accept terms of use.'
    6. Click Start button
    7. Accept any security warnings from your browser.
      [​IMG]
    8. Uncheck 'Remove found threats'
    9. Check 'Scan archives/
    10. Leave remaining settings as is.
    11. Press the Start button.
    12. ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
    13. When the scan completes, press List of found threats
    14. Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
    15. Push the Back button, then Finish
    NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
     
  11. steinson

    steinson TS Rookie Topic Starter

    Hey, welcome back!

    Yes, you translated completely right. "fehlt" is missing in English.
    The missing file of course leads to trouble, since the file is important for the tcp/ip protocol I think - hence I cannot connect to the internet.

    Regarding flash_disenfector:
    The drive F: is not a flash drive! It is the recovery partition of the laptop...

    Systemlook found the missing .tdx file - I just cannot post the log since I already run the combofix script which lasts again for hours. I will come back on sunday. Then hopefully the scan is done and I can give you the Systemlook log as well as the combofix log.

    As already mentioned I cannot connect to the internet. Hence, the eset online scanner is no possibility in this case... Any hints?

    bye,

    steinson
     
  12. steinson

    steinson TS Rookie Topic Starter

    Hey!

    This time ComboFix was faster than before, hence here are already the logs:

    Systemlook:

    SystemLook 30.07.11 by jpshortstuff
    Log created at 23:21 on 10/02/2012 by -
    Administrator - Elevation successful

    ========== filefind ==========

    Searching for "tdx.*"
    C:\WINDOWS\System32\tdx.sys --a---- 71680 bytes [15:59 03/02/2012] [05:55 19/01/2008] D09276B1FAB033CE1D40DCBDF303D10F
    C:\WINDOWS\winsxs\x86_microsoft-windows-tdi-over-tcpip_31bf3856ad364e35_6.0.6000.16386_none_e807064fdf2a97e3\tdx.sys --a---- 68096 bytes [08:57 02/11/2006] [08:57 02/11/2006] AB4FDE8AF4A0270A46A001C08CBCE1C2
    C:\WINDOWS\winsxs\x86_microsoft-windows-tdi-over-tcpip_31bf3856ad364e35_6.0.6001.18000_none_ea3dc84bdc15a8b7\tdx.sys --a---- 71680 bytes [20:29 06/06/2008] [05:55 19/01/2008] D09276B1FAB033CE1D40DCBDF303D10F

    -= EOF =-


    ComboFix:

    ComboFix 12-02-06.01 - - 10.02.2012 23:49:07.2.1 - x86
    Microsoft® Windows Vista™ Business 6.0.6002.2.1252.49.1033.18.1015.422 [GMT 1:00]
    ausgeführt von:: c:\users\-\Desktop\friday.exe.exe
    Benutzte Befehlsschalter :: c:\users\-\Desktop\CFscript.txt
    AV: Avira Desktop *Enabled/Updated* {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C}
    SP: Avira Desktop *Enabled/Updated* {4D1AAC01-E68E-63B1-344F-57F1C6DA4691}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    * Neuer Wiederherstellungspunkt wurde erstellt
    .
    .
    (((((((((((((((((((((((((((((((((((( Weitere Löschungen ))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\ReleaseEngineer.MACROVISION\Application Data\64dlls.exe
    c:\documents and settings\ReleaseEngineer.MACROVISION\Application Data\intel64.exe
    c:\documents and settings\ReleaseEngineer.MACROVISION\Application Data\Kernel32.exe
    c:\documents and settings\ReleaseEngineer.MACROVISION\Application Data\localsys64.exe
    c:\documents and settings\ReleaseEngineer.MACROVISION\Application Data\ntos.exe
    c:\documents and settings\ReleaseEngineer.MACROVISION\Application Data\oembios.exe
    c:\documents and settings\ReleaseEngineer.MACROVISION\Application Data\sdra64.exe
    c:\documents and settings\ReleaseEngineer.MACROVISION\Application Data\sdra73.exe
    c:\documents and settings\ReleaseEngineer.MACROVISION\Application Data\swin32.exe
    c:\documents and settings\ReleaseEngineer.MACROVISION\Application Data\twex.exe
    c:\documents and settings\ReleaseEngineer.MACROVISION\Application Data\twext.exe
    c:\documents and settings\ReleaseEngineer.MACROVISION\Application Data\wsnpoema.exe
    C:\friday.exe
    c:\friday.exe\PEV.exe
    c:\friday.exe\snapshot.00.dat
    .
    c:\windows\system32\drivers\tdx.sys . . . fehlt!!
    .
    .
    ((((((((((((((((((((((( Dateien erstellt von 2012-01-10 bis 2012-02-10 ))))))))))))))))))))))))))))))
    .
    .
    2012-02-10 23:15 . 2012-02-10 23:15 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-02-10 23:15 . 2012-02-10 23:15 -------- d-----w- c:\users\Claudio\AppData\Local\temp
    2012-02-07 13:05 . 2012-02-07 13:06 -------- d-----w- C:\ComboFix
    2012-01-30 09:25 . 2012-01-30 09:25 -------- d-----w- c:\users\-\AppData\Roaming\Malwarebytes
    2012-01-30 09:25 . 2012-01-30 09:25 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2012-01-30 09:25 . 2011-12-10 14:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-01-27 17:34 . 2012-01-27 17:34 288 ----a-w- c:\users\-\AppData\Roaming\372DCE54.reg
    2012-01-27 17:06 . 2012-01-27 17:06 -------- d-----w- c:\program files\iPod
    2012-01-27 17:06 . 2012-01-27 17:09 -------- d-----w- c:\program files\iTunes
    2012-01-18 17:26 . 2011-11-17 06:48 440192 ----a-w- c:\windows\system32\drivers\ksecdd.sys
    2012-01-18 17:26 . 2011-11-16 16:21 1259008 ----a-w- c:\windows\system32\lsasrv.dll
    2012-01-18 17:26 . 2011-11-16 14:12 9728 ----a-w- c:\windows\system32\lsass.exe
    2012-01-13 17:24 . 2011-10-14 16:00 23552 ----a-w- c:\windows\system32\mciseq.dll
    2012-01-13 17:23 . 2011-11-18 20:23 1205064 ----a-w- c:\windows\system32\ntdll.dll
    2012-01-13 17:23 . 2011-11-18 17:47 66560 ----a-w- c:\windows\system32\packager.dll
    2012-01-13 17:22 . 2011-12-01 15:21 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
    .
    .
    .
    (((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-02-06 11:47 . 2010-04-28 16:57 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2012-01-27 17:33 . 2011-05-25 13:58 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-01-06 04:19 . 2012-01-27 16:45 6557240 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{B1C66E8A-C36B-4D77-8A3A-0BE53E12C76F}\mpengine.dll ERROR(0x00000005)
    2012-01-06 04:19 . 2007-10-08 18:23 6557240 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll ERROR(0x00000005)
    2011-12-09 07:35 . 2011-11-26 17:46 134856 ----a-w- c:\windows\system32\drivers\avipbb.sys
    2011-12-07 09:08 . 2009-10-03 11:27 236576 ------w- c:\windows\system32\MpSigStub.exe
    2011-11-25 15:59 . 2012-01-13 17:23 376320 ----a-w- c:\windows\system32\winsrv.dll
    2011-11-23 13:37 . 2011-12-15 14:48 2043904 ----a-w- c:\windows\system32\win32k.sys
    2011-11-16 16:23 . 2012-01-18 17:26 377344 ----a-w- c:\windows\system32\winhttp.dll
    2011-11-16 16:23 . 2012-01-18 17:26 72704 ----a-w- c:\windows\system32\secur32.dll
    2011-11-16 16:23 . 2012-01-18 17:26 278528 ----a-w- c:\windows\system32\schannel.dll
    2012-01-07 09:46 . 2011-05-10 15:48 121816 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    (((((((((((((((((((((((((((( Autostartpunkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
    @="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
    2011-02-18 05:12 94208 ----a-w- c:\users\-\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
    @="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
    2011-02-18 05:12 94208 ----a-w- c:\users\-\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
    @="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
    2011-02-18 05:12 94208 ----a-w- c:\users\-\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-12-18 98304]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-12-18 106496]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2006-12-18 81920]
    "PTHOSTTR"="c:\program files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE" [2006-11-14 139264]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-11-14 815104]
    "WAWifiMessage"="c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2006-10-18 317152]
    "hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2006-10-18 472800]
    "HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2006-12-04 46704]
    "QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-11-06 159744]
    "CognizanceTS"="c:\progra~1\HEWLET~1\IAM\Bin\ASTSVCC.dll" [2003-12-23 17920]
    "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-10-05 59240]
    "GrooveMonitor"="c:\program files\MsOffice12\Office12\GrooveMonitor.exe" [2008-10-25 31072]
    "APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-01 59240]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-10-19 258512]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-01-16 421736]
    "Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-12-24 460872]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
    .
    c:\users\-\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    OneNote 2007 Bildschirmausschnitt- und Startprogramm.lnk - c:\program files\MsOffice12\Office12\ONENOTEM.EXE [2009-2-26 97680]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    BTTray.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-11-3 703280]
    NewShortcut1.lnk - c:\program files\USB_video_device\Utility\RemoteTool\BDARemote.exe [N/A]
    VPN Client.lnk - c:\windows\Installer\{08B785C1-3893-4154-B53B-F5D341D0AAAA}\Icon3E5562ED7.ico [2010-2-20 6144]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "aux"=wdmaud.drv
    .
    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^DVD Check.lnk]
    path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\DVD Check.lnk
    backup=c:\windows\pss\DVD Check.lnk.CommonStartup
    backupExtension=.CommonStartup
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2008-10-15 00:04 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2011-10-24 13:28 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
    bthsvcs REG_MULTI_SZ BthServ
    Cognizance REG_MULTI_SZ ASBroker ASChannel
    LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
    .
    Inhalt des "geplante Tasks" Ordners
    .
    2012-02-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-10-20 16:06]
    .
    2012-02-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-10-20 16:06]
    .
    .
    ------- Zusätzlicher Suchlauf -------
    .
    mStart Page = hxxp://de.yahoo.com
    uInternet Settings,ProxyOverride = *.local
    uSearchURL,(Default) = hxxp://de.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://de.search.yahoo.com
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: Nach Microsoft E&xel exportieren - c:\progra~1\MSOFFI~1\Office12\EXCEL.EXE/3000
    IE: Save YouTube Video as MP3 - c:\program files\Common Files\DVDVideoSoft\Dll\IEContextMenuY.dll/scriptY2MP3.htm
    IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    IE: {{7578ADEA-D65F-4C89-A249-B1C88B6FFC20} - c:\program files\ICQ7.5\ICQ.exe
    TCP: DhcpNameServer = 172.17.7.254
    FF - ProfilePath -
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-02-11 00:22
    Windows 6.0.6002 Service Pack 2 NTFS
    .
    Scanne versteckte Prozesse...
    .
    Scanne versteckte Autostarteinträge...
    .
    Scanne versteckte Dateien...
    .
    Scan erfolgreich abgeschlossen
    versteckte Dateien: 0
    .
    **************************************************************************
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\msftesql$CSSQL05]
    "ImagePath"="\"c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe\" -s:MSSQL.1 -f:CSSQL05"
    .
    --------------------- Gesperrte Registrierungsschluessel ---------------------
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    "MSCurrentCountry"=dword:000000b5
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    --------------------- Durch laufende Prozesse gestartete DLLs ---------------------
    .
    - - - - - - - > 'Explorer.exe'(4028)
    c:\users\-\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
    c:\program files\Adobe\Reader 8.0\Reader\viewerps.dll
    .
    ------------------------ Weitere laufende Prozesse ------------------------
    .
    c:\program files\Avira\AntiVir Desktop\sched.exe
    c:\program files\Hewlett-Packard\IAM\bin\asghost.exe
    c:\program files\Google\Update\1.3.21.79\GoogleCrashHandler.exe
    c:\windows\system32\agrsmsvc.exe
    c:\program files\Avira\AntiVir Desktop\avguard.exe
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Cisco Systems\VPN Client\cvpnd.exe
    c:\program files\Common Files\LightScribe\LSSrvc.exe
    c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe
    c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
    c:\program files\Microsoft\BingBar\SeaPort.EXE
    c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
    c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    c:\program files\TeamViewer\Version5\TeamViewer_Service.exe
    c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
    c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    c:\program files\Avira\AntiVir Desktop\avshadow.exe
    c:\windows\system32\conime.exe
    c:\program files\Hewlett-Packard\HP Health Check\hphc_service.exe
    c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe
    c:\windows\system32\wbem\unsecapp.exe
    c:\windows\system32\RacAgent.exe
    .
    **************************************************************************
    .
    Zeit der Fertigstellung: 2012-02-11 00:33:57 - PC wurde neu gestartet
    ComboFix-quarantined-files.txt 2012-02-10 23:33
    ComboFix2.txt 2012-02-07 14:06
    .
    Vor Suchlauf: 9.680.973.824 bytes free
    Nach Suchlauf: 9.558.519.808 bytes free
    .
    - - End Of File - - BE2A2A2272AFE55CDAA448EAA96C375C
     
  13. steinson

    steinson TS Rookie Topic Starter

    and finally TDSSkiller:

    00:51:56.0264 1840 TDSS rootkit removing tool 2.7.11.0 Feb 9 2012 10:12:57
    00:51:57.0871 1840 ============================================================
    00:51:57.0871 1840 Current date / time: 2012/02/11 00:51:57.0871
    00:51:57.0871 1840 SystemInfo:
    00:51:57.0871 1840
    00:51:57.0871 1840 OS Version: 6.0.6002 ServicePack: 2.0
    00:51:57.0871 1840 Product type: Workstation
    00:51:57.0871 1840 ComputerName: MOBILE
    00:51:57.0871 1840 UserName: -
    00:51:57.0871 1840 Windows directory: C:\Windows
    00:51:57.0871 1840 System windows directory: C:\Windows
    00:51:57.0871 1840 Processor architecture: Intel x86
    00:51:57.0871 1840 Number of processors: 1
    00:51:57.0871 1840 Page size: 0x1000
    00:51:57.0871 1840 Boot type: Normal boot
    00:51:57.0871 1840 ============================================================
    00:52:02.0364 1840 Drive \Device\Harddisk0\DR0 - Size: 0x1BF2976000 (111.79 Gb), SectorSize: 0x200, Cylinders: 0x3C91, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xF0, Type 'K0', Flags 0x00000050
    00:52:02.0410 1840 \Device\Harddisk0\DR0:
    00:52:02.0426 1840 MBR used
    00:52:02.0426 1840 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x77587C1
    00:52:02.0426 1840 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0xC76B800, BlocksNum 0x150C000
    00:52:02.0457 1840 \Device\Harddisk0\DR0\Partition2: MBR, Type 0x7, StartLBA 0x7759000, BlocksNum 0x5012800
    00:52:02.0457 1840 \Device\Harddisk0\DR0\Partition3: MBR, Type 0x7, StartLBA 0xDC79800, BlocksNum 0x31A800
    00:52:02.0878 1840 Initialize success
    00:52:02.0878 1840 ============================================================
    00:52:19.0352 1724 ============================================================
    00:52:19.0352 1724 Scan started
    00:52:19.0352 1724 Mode: Manual;
    00:52:19.0352 1724 ============================================================
    00:52:26.0606 1724 ACPI (82b296ae1892fe3dbee00c9cf92f8ac7) C:\Windows\system32\drivers\acpi.sys
    00:52:26.0793 1724 ACPI - ok
    00:52:27.0417 1724 ADIHdAudAddService (89216a0586b840693c06b13dd9f220b7) C:\Windows\system32\drivers\ADIHdAud.sys
    00:52:27.0589 1724 ADIHdAudAddService - ok
    00:52:28.0197 1724 adp94xx (2edc5bbac6c651ece337bde8ed97c9fb) C:\Windows\system32\drivers\adp94xx.sys
    00:52:28.0353 1724 adp94xx - ok
    00:52:29.0539 1724 adpahci (b84088ca3cdca97da44a984c6ce1ccad) C:\Windows\system32\drivers\adpahci.sys
    00:52:30.0225 1724 adpahci - ok
    00:52:30.0834 1724 adpu160m (7880c67bccc27c86fd05aa2afb5ea469) C:\Windows\system32\drivers\adpu160m.sys
    00:52:31.0005 1724 adpu160m - ok
    00:52:31.0489 1724 adpu320 (9ae713f8e30efc2abccd84904333df4d) C:\Windows\system32\drivers\adpu320.sys
    00:52:31.0645 1724 adpu320 - ok
    00:52:32.0191 1724 Afc (fe3ea6e9afc1a78e6edca121e006afb7) C:\Windows\system32\drivers\Afc.sys
    00:52:32.0331 1724 Afc - ok
    00:52:32.0846 1724 AFD (3911b972b55fea0478476b2e777b29fa) C:\Windows\system32\drivers\afd.sys
    00:52:33.0049 1724 AFD - ok
    00:52:33.0844 1724 AgereSoftModem (2e3abaacbf547abbb5e73a504a56d05a) C:\Windows\system32\DRIVERS\AGRSM.sys
    00:52:34.0734 1724 AgereSoftModem - ok
    00:52:35.0295 1724 agp440 (ef23439cdd587f64c2c1b8825cead7d8) C:\Windows\system32\drivers\agp440.sys
    00:52:35.0436 1724 agp440 - ok
    00:52:35.0919 1724 aic78xx (ae1fdf7bf7bb6c6a70f67699d880592a) C:\Windows\system32\drivers\djsvs.sys
    00:52:36.0013 1724 aic78xx - ok
    00:52:36.0387 1724 aliide (90395b64600ebb4552e26e178c94b2e4) C:\Windows\system32\drivers\aliide.sys
    00:52:36.0559 1724 aliide - ok
    00:52:37.0120 1724 amdagp (2b13e304c9dfdfa5eb582f6a149fa2c7) C:\Windows\system32\drivers\amdagp.sys
    00:52:37.0230 1724 amdagp - ok
    00:52:37.0542 1724 amdide (0577df1d323fe75a739c787893d300ea) C:\Windows\system32\drivers\amdide.sys
    00:52:37.0682 1724 amdide - ok
    00:52:38.0010 1724 AmdK7 (dc487885bcef9f28eece6fac0e5ddfc5) C:\Windows\system32\drivers\amdk7.sys
    00:52:38.0041 1724 AmdK7 - ok
    00:52:38.0072 1724 AmdK8 (0ca0071da4315b00fc1328ca86b425da) C:\Windows\system32\DRIVERS\amdk8.sys
    00:52:38.0197 1724 AmdK8 - ok
    00:52:39.0008 1724 arc (5f673180268bb1fdb69c99b6619fe379) C:\Windows\system32\drivers\arc.sys
    00:52:39.0086 1724 arc - ok
    00:52:39.0336 1724 arcsas (957f7540b5e7f602e44648c7de5a1c05) C:\Windows\system32\drivers\arcsas.sys
    00:52:39.0382 1724 arcsas - ok
    00:52:39.0882 1724 AsyncMac (53b202abee6455406254444303e87be1) C:\Windows\system32\DRIVERS\asyncmac.sys
    00:52:39.0928 1724 AsyncMac - ok
    00:52:40.0178 1724 atapi (1f05b78ab91c9075565a9d8a4b880bc4) C:\Windows\system32\drivers\atapi.sys
    00:52:40.0194 1724 atapi - ok
    00:52:40.0459 1724 avgntflt (7713e4eb0276702faa08e52a6e23f2a6) C:\Windows\system32\DRIVERS\avgntflt.sys
    00:52:40.0552 1724 avgntflt - ok
    00:52:40.0942 1724 avipbb (475fbb85956534720858ae72010c0a43) C:\Windows\system32\DRIVERS\avipbb.sys
    00:52:40.0974 1724 avipbb - ok
    00:52:41.0052 1724 avkmgr (271cfd1a989209b1964e24d969552bf7) C:\Windows\system32\DRIVERS\avkmgr.sys
    00:52:41.0083 1724 avkmgr - ok
    00:52:41.0613 1724 BCM43XV (509f672686af40f95859fde67108449b) C:\Windows\system32\DRIVERS\bcmwl6.sys
    00:52:41.0832 1724 BCM43XV - ok
    00:52:41.0878 1724 BCM43XX (509f672686af40f95859fde67108449b) C:\Windows\system32\DRIVERS\bcmwl6.sys
    00:52:41.0878 1724 BCM43XX - ok
    00:52:42.0144 1724 bcm4sbxp (08015d34f6fdd0b355805bad978497c3) C:\Windows\system32\DRIVERS\bcm4sbxp.sys
    00:52:42.0206 1724 bcm4sbxp - ok
    00:52:42.0362 1724 Beep (67e506b75bd5326a3ec7b70bd014dfb6) C:\Windows\system32\drivers\Beep.sys
    00:52:42.0393 1724 Beep - ok
    00:52:42.0736 1724 blbdrive - ok
    00:52:43.0017 1724 bowser (35f376253f687bde63976ccb3f2108ca) C:\Windows\system32\DRIVERS\bowser.sys
    00:52:43.0048 1724 bowser - ok
    00:52:43.0376 1724 BrFiltLo (9f9acc7f7ccde8a15c282d3f88b43309) C:\Windows\system32\drivers\brfiltlo.sys
    00:52:43.0454 1724 BrFiltLo - ok
    00:52:43.0750 1724 BrFiltUp (56801ad62213a41f6497f96dee83755a) C:\Windows\system32\drivers\brfiltup.sys
    00:52:43.0750 1724 BrFiltUp - ok
    00:52:43.0891 1724 Brserid (b304e75cff293029eddf094246747113) C:\Windows\system32\drivers\brserid.sys
    00:52:43.0922 1724 Brserid - ok
    00:52:44.0203 1724 BrSerWdm (203f0b1e73adadbbb7b7b1fabd901f6b) C:\Windows\system32\drivers\brserwdm.sys
    00:52:44.0234 1724 BrSerWdm - ok
    00:52:44.0328 1724 BrUsbMdm (bd456606156ba17e60a04e18016ae54b) C:\Windows\system32\drivers\brusbmdm.sys
    00:52:44.0390 1724 BrUsbMdm - ok
    00:52:44.0686 1724 BrUsbSer (af72ed54503f717a43268b3cc5faec2e) C:\Windows\system32\drivers\brusbser.sys
    00:52:44.0733 1724 BrUsbSer - ok
    00:52:44.0905 1724 BthEnum (6d39c954799b63ba866910234cf7d726) C:\Windows\system32\DRIVERS\BthEnum.sys
    00:52:44.0936 1724 BthEnum - ok
    00:52:45.0170 1724 BTHMODEM (9a966a8e86d1771911ae34a20d11bff3) C:\Windows\system32\DRIVERS\bthmodem.sys
    00:52:45.0217 1724 BTHMODEM - ok
    00:52:45.0529 1724 BthPan (5904efa25f829bf84ea6fb045134a1d8) C:\Windows\system32\DRIVERS\bthpan.sys
    00:52:45.0607 1724 BthPan - ok
    00:52:45.0934 1724 BTHPORT (611ff3f2f095c8d4a6d4cfd9dcc09793) C:\Windows\system32\Drivers\BTHport.sys
    00:52:46.0012 1724 BTHPORT - ok
    00:52:46.0184 1724 BTHUSB (d330803eab2a15caec7f011f1d4cb30e) C:\Windows\system32\Drivers\BTHUSB.sys
    00:52:46.0215 1724 BTHUSB - ok
    00:52:46.0590 1724 btwaudio (4a28e7bd365377d0512b7ef8c7596d2c) C:\Windows\system32\drivers\btwaudio.sys
    00:52:46.0636 1724 btwaudio - ok
    00:52:47.0136 1724 btwavdt (5ffde57253d665067b0886612817eb11) C:\Windows\system32\drivers\btwavdt.sys
    00:52:47.0214 1724 btwavdt - ok
    00:52:47.0323 1724 btwrchid (ab07dc8b05c31a4f95fc73019be9db15) C:\Windows\system32\DRIVERS\btwrchid.sys
    00:52:47.0370 1724 btwrchid - ok
    00:52:47.0510 1724 catchme - ok
    00:52:47.0760 1724 cdfs (7add03e75beb9e6dd102c3081d29840a) C:\Windows\system32\DRIVERS\cdfs.sys
    00:52:47.0838 1724 cdfs - ok
    00:52:48.0072 1724 cdrom (6b4bffb9becd728097024276430db314) C:\Windows\system32\DRIVERS\cdrom.sys
    00:52:48.0150 1724 cdrom - ok
    00:52:48.0696 1724 circlass (da8e0afc7baa226c538ef53ac2f90897) C:\Windows\system32\drivers\circlass.sys
    00:52:48.0758 1724 circlass - ok
    00:52:49.0086 1724 CLFS (d7659d3b5b92c31e84e53c1431f35132) C:\Windows\system32\CLFS.sys
    00:52:49.0164 1724 CLFS - ok
    00:52:49.0569 1724 CmBatt (99afc3795b58cc478fbbbcdc658fcb56) C:\Windows\system32\DRIVERS\CmBatt.sys
    00:52:49.0600 1724 CmBatt - ok
    00:52:49.0881 1724 cmdide (45201046c776ffdaf3fc8a0029c581c8) C:\Windows\system32\drivers\cmdide.sys
    00:52:49.0928 1724 cmdide - ok
    00:52:50.0162 1724 Compbatt (6afef0b60fa25de07c0968983ee4f60a) C:\Windows\system32\DRIVERS\compbatt.sys
    00:52:50.0240 1724 Compbatt - ok
    00:52:50.0490 1724 crcdisk (2a213ae086bbec5e937553c7d9a2b22c) C:\Windows\system32\drivers\crcdisk.sys
    00:52:50.0536 1724 crcdisk - ok
    00:52:50.0739 1724 Crusoe (22a7f883508176489f559ee745b5bf5d) C:\Windows\system32\drivers\crusoe.sys
    00:52:50.0817 1724 Crusoe - ok
    00:52:51.0160 1724 CSC (9bdb2e89be8d0ef37b1f25c3d3fc192c) C:\Windows\system32\drivers\csc.sys
    00:52:51.0379 1724 CSC - ok
    00:52:51.0722 1724 CVirtA (b5ecadf7708960f1818c7fa015f4c239) C:\Windows\system32\DRIVERS\CVirtA.sys
    00:52:51.0816 1724 CVirtA - ok
    00:52:52.0299 1724 CVPNDRVA (34c345aaf390c12ae6e51b75198e8564) C:\Windows\system32\Drivers\CVPNDRVA.sys
    00:52:52.0377 1724 CVPNDRVA - ok
    00:52:52.0814 1724 DfsC (622c41a07ca7e6dd91770f50d532cb6c) C:\Windows\system32\Drivers\dfsc.sys
    00:52:52.0908 1724 DfsC - ok
    00:52:53.0266 1724 disk (5d4aefc3386920236a548271f8f1af6a) C:\Windows\system32\drivers\disk.sys
    00:52:53.0344 1724 disk - ok
    00:52:53.0625 1724 DNE (b5aa5aa5ac327bd7c1aec0c58f0c1144) C:\Windows\system32\DRIVERS\dne2000.sys
    00:52:53.0625 1724 DNE - ok
    00:52:53.0906 1724 drmkaud (97fef831ab90bee128c9af390e243f80) C:\Windows\system32\drivers\drmkaud.sys
    00:52:53.0937 1724 drmkaud - ok
    00:52:54.0374 1724 DXGKrnl (c68ac676b0ef30cfbb1080adce49eb1f) C:\Windows\System32\drivers\dxgkrnl.sys
    00:52:54.0436 1724 DXGKrnl - ok
    00:52:54.0733 1724 E1G60 (f88fb26547fd2ce6d0a5af2985892c48) C:\Windows\system32\DRIVERS\E1G60I32.sys
    00:52:54.0780 1724 E1G60 - ok
    00:52:55.0107 1724 eabfiltr (e88b0cfcecf745211bba87f44f85d0dd) C:\Windows\system32\DRIVERS\eabfiltr.sys
    00:52:55.0138 1724 eabfiltr - ok
    00:52:55.0497 1724 Ecache (7f64ea048dcfac7acf8b4d7b4e6fe371) C:\Windows\system32\drivers\ecache.sys
    00:52:55.0591 1724 Ecache - ok
    00:52:55.0981 1724 elxstor (e8f3f21a71720c84bcf423b80028359f) C:\Windows\system32\drivers\elxstor.sys
    00:52:56.0043 1724 elxstor - ok
    00:52:56.0527 1724 exfat (22b408651f9123527bcee54b4f6c5cae) C:\Windows\system32\drivers\exfat.sys
    00:52:56.0589 1724 exfat - ok
    00:52:56.0823 1724 fastfat (1e9b9a70d332103c52995e957dc09ef8) C:\Windows\system32\drivers\fastfat.sys
    00:52:56.0964 1724 fastfat - ok
    00:52:57.0276 1724 fdc (63bdada84951b9c03e641800e176898a) C:\Windows\system32\DRIVERS\fdc.sys
    00:52:57.0307 1724 fdc - ok
    00:52:57.0447 1724 FileInfo (a8c0139a884861e3aae9cfe73b208a9f) C:\Windows\system32\drivers\fileinfo.sys
    00:52:57.0572 1724 FileInfo - ok
    00:52:57.0837 1724 Filetrace (0ae429a696aecbc5970e3cf2c62635ae) C:\Windows\system32\drivers\filetrace.sys
    00:52:57.0884 1724 Filetrace - ok
    00:52:58.0071 1724 flpydisk (6603957eff5ec62d25075ea8ac27de68) C:\Windows\system32\DRIVERS\flpydisk.sys
    00:52:58.0165 1724 flpydisk - ok
    00:52:58.0446 1724 FltMgr (01334f9ea68e6877c4ef05d3ea8abb05) C:\Windows\system32\drivers\fltmgr.sys
    00:52:58.0508 1724 FltMgr - ok
    00:52:58.0836 1724 Fs_Rec (65ea8b77b5851854f0c55c43fa51a198) C:\Windows\system32\drivers\Fs_Rec.sys
    00:52:58.0898 1724 Fs_Rec - ok
    00:52:59.0070 1724 gagp30kx (4e1cd0a45c50a8882616cae5bf82f3c5) C:\Windows\system32\drivers\gagp30kx.sys
    00:52:59.0132 1724 gagp30kx - ok
    00:52:59.0491 1724 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\Windows\system32\Drivers\GEARAspiWDM.sys
    00:52:59.0553 1724 GEARAspiWDM - ok
    00:53:00.0006 1724 HBtnKey (de15777902a5d9121857d155873a1d1b) C:\Windows\system32\DRIVERS\cpqbttn.sys
    00:53:00.0021 1724 HBtnKey - ok
    00:53:00.0349 1724 HdAudAddService (cb04c744be0a61b1d648faed182c3b59) C:\Windows\system32\drivers\HdAudio.sys
    00:53:00.0411 1724 HdAudAddService - ok
    00:53:01.0285 1724 HDAudBus (062452b7ffd68c8c042a6261fe8dff4a) C:\Windows\system32\DRIVERS\HDAudBus.sys
    00:53:01.0425 1724 HDAudBus - ok
    00:53:01.0706 1724 HidBth (fcb3f4be408f72c1bd81bcaba87fc22f) C:\Windows\system32\DRIVERS\hidbth.sys
    00:53:01.0737 1724 HidBth - ok
    00:53:01.0800 1724 HidIr (ff3160c3a2445128c5a6d9b076da519e) C:\Windows\system32\drivers\hidir.sys
    00:53:01.0831 1724 HidIr - ok
    00:53:02.0158 1724 HidUsb (cca4b519b17e23a00b826c55716809cc) C:\Windows\system32\DRIVERS\hidusb.sys
    00:53:02.0205 1724 HidUsb - ok
    00:53:02.0985 1724 HpCISSs (df353b401001246853763c4b7aaa6f50) C:\Windows\system32\drivers\hpcisss.sys
    00:53:03.0157 1724 HpCISSs - ok
    00:53:03.0874 1724 HSFHWAZL (46d67209550973257601a533e2ac5785) C:\Windows\system32\DRIVERS\VSTAZL3.SYS
    00:53:03.0999 1724 HSFHWAZL - ok
    00:53:04.0701 1724 HSF_DPV (ec36f1d542ed4252390d446bf6d4dfd0) C:\Windows\system32\DRIVERS\VSTDPV3.SYS
    00:53:04.0795 1724 HSF_DPV - ok
    00:53:05.0044 1724 HTTP (f870aa3e254628ebeafe754108d664de) C:\Windows\system32\drivers\HTTP.sys
    00:53:05.0138 1724 HTTP - ok
    00:53:05.0512 1724 i2omp (324c2152ff2c61abae92d09f3cca4d63) C:\Windows\system32\drivers\i2omp.sys
    00:53:05.0575 1724 i2omp - ok
    00:53:05.0902 1724 i8042prt (22d56c8184586b7a1f6fa60be5f5a2bd) C:\Windows\system32\DRIVERS\i8042prt.sys
    00:53:05.0980 1724 i8042prt - ok
    00:53:06.0386 1724 ialm (a4fba5b34e69e46315a7c5223a470a17) C:\Windows\system32\DRIVERS\igdkmd32.sys
    00:53:06.0542 1724 ialm - ok
    00:53:06.0854 1724 iaStorV (c957bf4b5d80b46c5017bf0101e6c906) C:\Windows\system32\drivers\iastorv.sys
    00:53:06.0979 1724 iaStorV - ok
    00:53:07.0790 1724 igfx (a4fba5b34e69e46315a7c5223a470a17) C:\Windows\system32\DRIVERS\igdkmd32.sys
    00:53:07.0806 1724 igfx - ok
    00:53:08.0695 1724 iirsp (2d077bf86e843f901d8db709c95b49a5) C:\Windows\system32\drivers\iirsp.sys
    00:53:08.0773 1724 iirsp - ok
    00:53:09.0178 1724 intelide (83aa759f3189e6370c30de5dc5590718) C:\Windows\system32\drivers\intelide.sys
    00:53:09.0210 1724 intelide - ok
    00:53:09.0272 1724 intelppm (224191001e78c89dfa78924c3ea595ff) C:\Windows\system32\DRIVERS\intelppm.sys
    00:53:09.0272 1724 intelppm - ok
    00:53:09.0678 1724 IpFilterDriver (62c265c38769b864cb25b4bcf62df6c3) C:\Windows\system32\DRIVERS\ipfltdrv.sys
    00:53:09.0724 1724 IpFilterDriver - ok
    00:53:09.0880 1724 IpInIp - ok
    00:53:10.0192 1724 IPMIDRV (40f34f8aba2a015d780e4b09138b6c17) C:\Windows\system32\drivers\ipmidrv.sys
    00:53:10.0348 1724 IPMIDRV - ok
    00:53:10.0848 1724 IPNAT (8793643a67b42cec66490b2a0cf92d68) C:\Windows\system32\DRIVERS\ipnat.sys
    00:53:10.0926 1724 IPNAT - ok
    00:53:11.0440 1724 IRENUM (109c0dfb82c3632fbd11949b73aeeac9) C:\Windows\system32\drivers\irenum.sys
    00:53:11.0503 1724 IRENUM - ok
    00:53:11.0955 1724 isapnp (350fca7e73cf65bcef43fae1e4e91293) C:\Windows\system32\drivers\isapnp.sys
    00:53:12.0033 1724 isapnp - ok
    00:53:12.0236 1724 iScsiPrt (232fa340531d940aac623b121a595034) C:\Windows\system32\DRIVERS\msiscsi.sys
    00:53:12.0252 1724 iScsiPrt - ok
    00:53:12.0454 1724 iteatapi (bced60d16156e428f8df8cf27b0df150) C:\Windows\system32\drivers\iteatapi.sys
    00:53:12.0532 1724 iteatapi - ok
    00:53:12.0782 1724 iteraid (06fa654504a498c30adca8bec4e87e7e) C:\Windows\system32\drivers\iteraid.sys
    00:53:12.0829 1724 iteraid - ok
    00:53:13.0032 1724 kbdclass (37605e0a8cf00cbba538e753e4344c6e) C:\Windows\system32\DRIVERS\kbdclass.sys
    00:53:13.0063 1724 kbdclass - ok
    00:53:13.0281 1724 kbdhid (ede59ec70e25c24581add1fbec7325f7) C:\Windows\system32\DRIVERS\kbdhid.sys
    00:53:13.0312 1724 kbdhid - ok
    00:53:13.0671 1724 KSecDD (2b2f1638466e8cb091400c9019cc730e) C:\Windows\system32\Drivers\ksecdd.sys
    00:53:13.0734 1724 KSecDD - ok
    00:53:14.0092 1724 lltdio (d1c5883087a0c3f1344d9d55a44901f6) C:\Windows\system32\DRIVERS\lltdio.sys
    00:53:14.0139 1724 lltdio - ok
    00:53:14.0326 1724 LSI_FC (a2262fb9f28935e862b4db46438c80d2) C:\Windows\system32\drivers\lsi_fc.sys
    00:53:14.0404 1724 LSI_FC - ok
    00:53:14.0607 1724 LSI_SAS (30d73327d390f72a62f32c103daf1d6d) C:\Windows\system32\drivers\lsi_sas.sys
    00:53:14.0623 1724 LSI_SAS - ok
    00:53:14.0826 1724 LSI_SCSI (e1e36fefd45849a95f1ab81de0159fe3) C:\Windows\system32\drivers\lsi_scsi.sys
    00:53:14.0888 1724 LSI_SCSI - ok
    00:53:15.0153 1724 luafv (8f5c7426567798e62a3b3614965d62cc) C:\Windows\system32\drivers\luafv.sys
    00:53:15.0216 1724 luafv - ok
    00:53:15.0528 1724 MBAMProtector (b7ca8cc3f978201856b6ab82f40953c3) C:\Windows\system32\drivers\mbam.sys
    00:53:15.0543 1724 MBAMProtector - ok
    00:53:15.0808 1724 megasas (d153b14fc6598eae8422a2037553adce) C:\Windows\system32\drivers\megasas.sys
    00:53:15.0840 1724 megasas - ok
    00:53:16.0417 1724 Modem (e13b5ea0f51ba5b1512ec671393d09ba) C:\Windows\system32\drivers\modem.sys
    00:53:16.0448 1724 Modem - ok
    00:53:16.0900 1724 monitor (0a9bb33b56e294f686abb7c1e4e2d8a8) C:\Windows\system32\DRIVERS\monitor.sys
    00:53:16.0916 1724 monitor - ok
    00:53:17.0212 1724 mouclass (5bf6a1326a335c5298477754a506d263) C:\Windows\system32\DRIVERS\mouclass.sys
    00:53:17.0322 1724 mouclass - ok
    00:53:17.0696 1724 mouhid (93b8d4869e12cfbe663915502900876f) C:\Windows\system32\DRIVERS\mouhid.sys
    00:53:17.0790 1724 mouhid - ok
    00:53:18.0148 1724 MountMgr (bdafc88aa6b92f7842416ea6a48e1600) C:\Windows\system32\drivers\mountmgr.sys
    00:53:18.0226 1724 MountMgr - ok
    00:53:18.0601 1724 mpio (583a41f26278d9e0ea548163d6139397) C:\Windows\system32\drivers\mpio.sys
    00:53:18.0632 1724 mpio - ok
    00:53:18.0960 1724 mpsdrv (22241feba9b2defa669c8cb0a8dd7d2e) C:\Windows\system32\drivers\mpsdrv.sys
    00:53:19.0038 1724 mpsdrv - ok
    00:53:19.0303 1724 Mraid35x (4fbbb70d30fd20ec51f80061703b001e) C:\Windows\system32\drivers\mraid35x.sys
    00:53:19.0396 1724 Mraid35x - ok
    00:53:19.0646 1724 MRxDAV (82cea0395524aacfeb58ba1448e8325c) C:\Windows\system32\drivers\mrxdav.sys
    00:53:19.0708 1724 MRxDAV - ok
    00:53:20.0067 1724 mrxsmb (1e94971c4b446ab2290deb71d01cf0c2) C:\Windows\system32\DRIVERS\mrxsmb.sys
    00:53:20.0176 1724 mrxsmb - ok
    00:53:20.0426 1724 mrxsmb10 (4fccb34d793b116423209c0f8b7a3b03) C:\Windows\system32\DRIVERS\mrxsmb10.sys
    00:53:20.0488 1724 mrxsmb10 - ok
    00:53:20.0863 1724 mrxsmb20 (c3cb1b40ad4a0124d617a1199b0b9d7c) C:\Windows\system32\DRIVERS\mrxsmb20.sys
    00:53:20.0894 1724 mrxsmb20 - ok
    00:53:21.0346 1724 msahci (5457dcfa7c0da43522f4d9d4049c1472) C:\Windows\system32\drivers\msahci.sys
    00:53:21.0409 1724 msahci - ok
    00:53:21.0768 1724 msdsm (3fc82a2ae4cc149165a94699183d3028) C:\Windows\system32\drivers\msdsm.sys
    00:53:21.0846 1724 msdsm - ok
    00:53:22.0204 1724 Msfs (a9927f4a46b816c92f461acb90cf8515) C:\Windows\system32\drivers\Msfs.sys
    00:53:22.0251 1724 Msfs - ok
    00:53:22.0610 1724 msisadrv (0f400e306f385c56317357d6dea56f62) C:\Windows\system32\drivers\msisadrv.sys
    00:53:22.0657 1724 msisadrv - ok
    00:53:22.0860 1724 MSKSSRV (d8c63d34d9c9e56c059e24ec7185cc07) C:\Windows\system32\drivers\MSKSSRV.sys
    00:53:22.0922 1724 MSKSSRV - ok
    00:53:23.0296 1724 MSPCLOCK (1d373c90d62ddb641d50e55b9e78d65e) C:\Windows\system32\drivers\MSPCLOCK.sys
    00:53:23.0312 1724 MSPCLOCK - ok
    00:53:23.0655 1724 MSPQM (b572da05bf4e098d4bba3a4734fb505b) C:\Windows\system32\drivers\MSPQM.sys
    00:53:23.0686 1724 MSPQM - ok
    00:53:23.0998 1724 MsRPC (b49456d70555de905c311bcda6ec6adb) C:\Windows\system32\drivers\MsRPC.sys
    00:53:24.0123 1724 MsRPC - ok
    00:53:24.0529 1724 mssmbios (e384487cb84be41d09711c30ca79646c) C:\Windows\system32\DRIVERS\mssmbios.sys
    00:53:24.0560 1724 mssmbios - ok
    00:53:24.0888 1724 MSTEE (7199c1eec1e4993caf96b8c0a26bd58a) C:\Windows\system32\drivers\MSTEE.sys
    00:53:24.0903 1724 MSTEE - ok
    00:53:25.0278 1724 Mup (6a57b5733d4cb702c8ea4542e836b96c) C:\Windows\system32\Drivers\mup.sys
    00:53:25.0356 1724 Mup - ok
    00:53:25.0808 1724 NativeWifiP (85c44fdff9cf7e72a40dcb7ec06a4416) C:\Windows\system32\DRIVERS\nwifi.sys
    00:53:25.0839 1724 NativeWifiP - ok
    00:53:26.0307 1724 NDIS (1357274d1883f68300aeadd15d7bbb42) C:\Windows\system32\drivers\ndis.sys
    00:53:26.0354 1724 NDIS - ok
    00:53:26.0775 1724 NdisTapi (0e186e90404980569fb449ba7519ae61) C:\Windows\system32\DRIVERS\ndistapi.sys
    00:53:26.0822 1724 NdisTapi - ok
    00:53:27.0228 1724 Ndisuio (d6973aa34c4d5d76c0430b181c3cd389) C:\Windows\system32\DRIVERS\ndisuio.sys
    00:53:27.0290 1724 Ndisuio - ok
    00:53:27.0649 1724 NdisWan (818f648618ae34f729fdb47ec68345c3) C:\Windows\system32\DRIVERS\ndiswan.sys
    00:53:27.0680 1724 NdisWan - ok
    00:53:27.0976 1724 NDProxy (71dab552b41936358f3b541ae5997fb3) C:\Windows\system32\drivers\NDProxy.sys
    00:53:28.0070 1724 NDProxy - ok
    00:53:28.0444 1724 NetBIOS (bcd093a5a6777cf626434568dc7dba78) C:\Windows\system32\DRIVERS\netbios.sys
    00:53:28.0507 1724 NetBIOS - ok
    00:53:28.0944 1724 netbt (ecd64230a59cbd93c85f1cd1cab9f3f6) C:\Windows\system32\DRIVERS\netbt.sys
    00:53:29.0037 1724 netbt - ok
    00:53:29.0739 1724 NETw3v32 (acc6170d80c69e50145b370023b64ed3) C:\Windows\system32\DRIVERS\NETw3v32.sys
    00:53:30.0348 1724 NETw3v32 - ok
    00:53:32.0032 1724 nfrd960 (2e7fb731d4790a1bc6270accefacb36e) C:\Windows\system32\drivers\nfrd960.sys
    00:53:32.0719 1724 nfrd960 - ok
    00:53:34.0310 1724 Npfs (d36f239d7cce1931598e8fb90a0dbc26) C:\Windows\system32\drivers\Npfs.sys
    00:53:34.0638 1724 Npfs - ok
    00:53:35.0137 1724 nsiproxy (609773e344a97410ce4ebf74a8914fcf) C:\Windows\system32\drivers\nsiproxy.sys
    00:53:35.0293 1724 nsiproxy - ok
    00:53:36.0291 1724 Ntfs (6a4a98cee84cf9e99564510dda4baa47) C:\Windows\system32\drivers\Ntfs.sys
    00:53:36.0931 1724 Ntfs - ok
    00:53:37.0586 1724 ntrigdigi (e875c093aec0c978a90f30c9e0dfbb72) C:\Windows\system32\drivers\ntrigdigi.sys
    00:53:37.0680 1724 ntrigdigi - ok
    00:53:38.0038 1724 Null (c5dbbcda07d780bda9b685df333bb41e) C:\Windows\system32\drivers\Null.sys
    00:53:38.0085 1724 Null - ok
    00:53:38.0678 1724 nvraid (e69e946f80c1c31c53003bfbf50cbb7c) C:\Windows\system32\drivers\nvraid.sys
    00:53:38.0740 1724 nvraid - ok
    00:53:39.0084 1724 nvstor (9e0ba19a28c498a6d323d065db76dffc) C:\Windows\system32\drivers\nvstor.sys
    00:53:39.0177 1724 nvstor - ok
    00:53:39.0614 1724 nv_agp (07c186427eb8fcc3d8d7927187f260f7) C:\Windows\system32\drivers\nv_agp.sys
    00:53:39.0770 1724 nv_agp - ok
    00:53:40.0300 1724 NwlnkFlt - ok
    00:53:40.0893 1724 NwlnkFwd - ok
    00:53:41.0829 1724 ohci1394 (6f310e890d46e246e0e261a63d9b36b4) C:\Windows\system32\DRIVERS\ohci1394.sys
    00:53:41.0845 1724 ohci1394 - ok
    00:53:42.0984 1724 OVT511Plus (c5739be3a8eecdf951955a38e1741f45) C:\Windows\system32\Drivers\omcamvid.sys
    00:53:43.0046 1724 OVT511Plus - ok
    00:53:44.0871 1724 Parport (8a79fdf04a73428597e2caf9d0d67850) C:\Windows\system32\DRIVERS\parport.sys
    00:53:44.0965 1724 Parport - ok
    00:53:45.0620 1724 partmgr (57389fa59a36d96b3eb09d0cb91e9cdc) C:\Windows\system32\drivers\partmgr.sys
    00:53:45.0698 1724 partmgr - ok
    00:53:46.0228 1724 Parvdm (6c580025c81caf3ae9e3617c22cad00e) C:\Windows\system32\DRIVERS\parvdm.sys
    00:53:46.0400 1724 Parvdm - ok
    00:53:48.0163 1724 pci (941dc1d19e7e8620f40bbc206981efdb) C:\Windows\system32\drivers\pci.sys
    00:53:48.0459 1724 pci - ok
    00:53:49.0255 1724 pciide (3b1901e401473e03eb8c874271e50c26) C:\Windows\system32\drivers\pciide.sys
    00:53:49.0941 1724 pciide - ok
    00:53:50.0752 1724 pcmcia (3bb2244f343b610c29c98035504c9b75) C:\Windows\system32\DRIVERS\pcmcia.sys
    00:53:51.0080 1724 pcmcia - ok
    00:53:51.0876 1724 PEAUTH (6349f6ed9c623b44b52ea3c63c831a92) C:\Windows\system32\drivers\peauth.sys
    00:53:52.0172 1724 PEAUTH - ok
    00:53:52.0671 1724 PersonalSecureDrive (e5de9f28c583c93339dd628447693468) C:\Windows\System32\drivers\psd.sys
    00:53:52.0718 1724 PersonalSecureDrive - ok
    00:53:53.0202 1724 PptpMiniport (ecfffaec0c1ecd8dbc77f39070ea1db1) C:\Windows\system32\DRIVERS\raspptp.sys
    00:53:53.0233 1724 PptpMiniport - ok
    00:53:53.0326 1724 Processor (0e3cef5d28b40cf273281d620c50700a) C:\Windows\system32\drivers\processr.sys
    00:53:53.0389 1724 Processor - ok
    00:53:53.0623 1724 PSched (99514faa8df93d34b5589187db3aa0ba) C:\Windows\system32\DRIVERS\pacer.sys
    00:53:53.0638 1724 PSched - ok
    00:53:54.0091 1724 PxHelp20 (49452bfcec22f36a7a9b9c2181bc3042) C:\Windows\system32\Drivers\PxHelp20.sys
    00:53:54.0200 1724 PxHelp20 - ok
    00:53:54.0715 1724 ql2300 (ccdac889326317792480c0a67156a1ec) C:\Windows\system32\drivers\ql2300.sys
    00:53:54.0824 1724 ql2300 - ok
    00:53:55.0136 1724 ql40xx (81a7e5c076e59995d54bc1ed3a16e60b) C:\Windows\system32\drivers\ql40xx.sys
    00:53:55.0183 1724 ql40xx - ok
    00:53:55.0479 1724 QWAVEdrv (9f5e0e1926014d17486901c88eca2db7) C:\Windows\system32\drivers\qwavedrv.sys
    00:53:55.0526 1724 QWAVEdrv - ok
    00:53:56.0025 1724 R300 (e642b131fb74caf4bb8a014f31113142) C:\Windows\system32\DRIVERS\atikmdag.sys
    00:53:56.0384 1724 R300 - ok
    00:53:56.0649 1724 RasAcd (147d7f9c556d259924351feb0de606c3) C:\Windows\system32\DRIVERS\rasacd.sys
    00:53:56.0680 1724 RasAcd - ok
    00:53:56.0930 1724 Rasl2tp (a214adbaf4cb47dd2728859ef31f26b0) C:\Windows\system32\DRIVERS\rasl2tp.sys
    00:53:56.0992 1724 Rasl2tp - ok
    00:53:57.0445 1724 RasPppoe (509a98dd18af4375e1fc40bc175f1def) C:\Windows\system32\DRIVERS\raspppoe.sys
    00:53:57.0554 1724 RasPppoe - ok
    00:53:57.0975 1724 RasSstp (2005f4a1e05fa09389ac85840f0a9e4d) C:\Windows\system32\DRIVERS\rassstp.sys
    00:53:58.0053 1724 RasSstp - ok
    00:53:58.0396 1724 rdbss (b14c9d5b9add2f84f70570bbbfaa7935) C:\Windows\system32\DRIVERS\rdbss.sys
    00:53:58.0584 1724 rdbss - ok
    00:53:58.0911 1724 RDPCDD (89e59be9a564262a3fb6c4f4f1cd9899) C:\Windows\system32\DRIVERS\RDPCDD.sys
    00:53:58.0958 1724 RDPCDD - ok
    00:53:59.0036 1724 rdpdr (943b18305eae3935598a9b4a3d560b4c) C:\Windows\system32\DRIVERS\rdpdr.sys
    00:53:59.0114 1724 rdpdr - ok
    00:53:59.0395 1724 RDPENCDD (9d91fe5286f748862ecffa05f8a0710c) C:\Windows\system32\drivers\rdpencdd.sys
    00:53:59.0426 1724 RDPENCDD - ok
    00:53:59.0691 1724 RDPWD (30bfbdfb7f95559ede971f9ddb9a00ba) C:\Windows\system32\drivers\RDPWD.sys
    00:53:59.0769 1724 RDPWD - ok
    00:54:00.0066 1724 RFCOMM (6482707f9f4da0ecbab43b2e0398a101) C:\Windows\system32\DRIVERS\rfcomm.sys
    00:54:00.0253 1724 RFCOMM - ok
    00:54:00.0627 1724 rspndr (9c508f4074a39e8b4b31d27198146fad) C:\Windows\system32\DRIVERS\rspndr.sys
    00:54:00.0690 1724 rspndr - ok
    00:54:01.0033 1724 sbp2port (3ce8f073a557e172b330109436984e30) C:\Windows\system32\drivers\sbp2port.sys
    00:54:01.0126 1724 sbp2port - ok
    00:54:01.0594 1724 secdrv (90a3935d05b494a5a39d37e71f09a677) C:\Windows\system32\drivers\secdrv.sys
    00:54:01.0641 1724 secdrv - ok
    00:54:01.0984 1724 Serenum (68e44e331d46f0fb38f0863a84cd1a31) C:\Windows\system32\drivers\serenum.sys
    00:54:02.0031 1724 Serenum - ok
    00:54:02.0515 1724 Serial (c70d69a918b178d3c3b06339b40c2e1b) C:\Windows\system32\drivers\serial.sys
    00:54:02.0577 1724 Serial - ok
    00:54:03.0014 1724 sermouse (8af3d28a879bf75db53a0ee7a4289624) C:\Windows\system32\drivers\sermouse.sys
    00:54:03.0061 1724 sermouse - ok
    00:54:03.0357 1724 sffdisk (103b79418da647736ee95645f305f68a) C:\Windows\system32\drivers\sffdisk.sys
    00:54:03.0404 1724 sffdisk - ok
    00:54:03.0669 1724 sffp_mmc (8fd08a310645fe872eeec6e08c6bf3ee) C:\Windows\system32\drivers\sffp_mmc.sys
    00:54:03.0700 1724 sffp_mmc - ok
    00:54:03.0794 1724 sffp_sd (9cfa05fcfcb7124e69cfc812b72f9614) C:\Windows\system32\drivers\sffp_sd.sys
    00:54:03.0810 1724 sffp_sd - ok
    00:54:04.0262 1724 sfloppy (46ed8e91793b2e6f848015445a0ac188) C:\Windows\system32\drivers\sfloppy.sys
    00:54:04.0293 1724 sfloppy - ok
    00:54:04.0839 1724 sisagp (d2a595d6eebeeaf4334f8e50efbc9931) C:\Windows\system32\drivers\sisagp.sys
    00:54:04.0980 1724 sisagp - ok
    00:54:05.0385 1724 SiSRaid2 (cedd6f4e7d84e9f98b34b3fe988373aa) C:\Windows\system32\drivers\sisraid2.sys
    00:54:05.0463 1724 SiSRaid2 - ok
    00:54:05.0962 1724 SiSRaid4 (df843c528c4f69d12ce41ce462e973a7) C:\Windows\system32\drivers\sisraid4.sys
    00:54:06.0056 1724 SiSRaid4 - ok
    00:54:06.0306 1724 Smb (7b75299a4d201d6a6533603d6914ab04) C:\Windows\system32\DRIVERS\smb.sys
    00:54:06.0368 1724 Smb - ok
    00:54:06.0508 1724 spldr (7aebdeef071fe28b0eef2cdd69102bff) C:\Windows\system32\drivers\spldr.sys
    00:54:06.0586 1724 spldr - ok
    00:54:06.0914 1724 srv (41987f9fc0e61adf54f581e15029ad91) C:\Windows\system32\DRIVERS\srv.sys
    00:54:06.0976 1724 srv - ok
    00:54:07.0366 1724 srv2 (ff33aff99564b1aa534f58868cbe41ef) C:\Windows\system32\DRIVERS\srv2.sys
    00:54:07.0444 1724 srv2 - ok
    00:54:07.0647 1724 srvnet (7605c0e1d01a08f3ecd743f38b834a44) C:\Windows\system32\DRIVERS\srvnet.sys
    00:54:07.0694 1724 srvnet - ok
    00:54:07.0928 1724 ssmdrv (a36ee93698802cd899f98bfd553d8185) C:\Windows\system32\DRIVERS\ssmdrv.sys
    00:54:07.0975 1724 ssmdrv - ok
    00:54:08.0146 1724 swenum (7ba58ecf0c0a9a69d44b3dca62becf56) C:\Windows\system32\DRIVERS\swenum.sys
    00:54:08.0193 1724 swenum - ok
    00:54:08.0365 1724 Symc8xx (192aa3ac01df071b541094f251deed10) C:\Windows\system32\drivers\symc8xx.sys
    00:54:08.0412 1724 Symc8xx - ok
    00:54:08.0817 1724 Sym_hi (8c8eb8c76736ebaf3b13b633b2e64125) C:\Windows\system32\drivers\sym_hi.sys
    00:54:08.0942 1724 Sym_hi - ok
    00:54:09.0394 1724 Sym_u3 (8072af52b5fd103bbba387a1e49f62cb) C:\Windows\system32\drivers\sym_u3.sys
    00:54:09.0426 1724 Sym_u3 - ok
    00:54:10.0112 1724 SynTP (81cf7aa63bb3cca31e1d1944c0a45fc7) C:\Windows\system32\DRIVERS\SynTP.sys
    00:54:10.0143 1724 SynTP - ok
    00:54:10.0674 1724 Tcpip (814a1c66fbd4e1b310a517221f1456bf) C:\Windows\system32\drivers\tcpip.sys
    00:54:10.0923 1724 Tcpip - ok
    00:54:11.0422 1724 Tcpip6 (814a1c66fbd4e1b310a517221f1456bf) C:\Windows\system32\DRIVERS\tcpip.sys
    00:54:11.0438 1724 Tcpip6 - ok
    00:54:11.0828 1724 tcpipreg (608c345a255d82a6289c2d468eb41fd7) C:\Windows\system32\drivers\tcpipreg.sys
    00:54:11.0922 1724 tcpipreg - ok
    00:54:12.0249 1724 TDPIPE (5dcf5e267be67a1ae926f2df77fbcc56) C:\Windows\system32\drivers\tdpipe.sys
    00:54:12.0280 1724 TDPIPE - ok
    00:54:12.0655 1724 TDTCP (389c63e32b3cefed425b61ed92d3f021) C:\Windows\system32\drivers\tdtcp.sys
    00:54:12.0702 1724 TDTCP - ok
    00:54:13.0045 1724 tdx - ok
    00:54:13.0170 1724 TermDD (3cad38910468eab9a6479e2f01db43c7) C:\Windows\system32\DRIVERS\termdd.sys
    00:54:13.0185 1724 TermDD - ok
    00:54:13.0341 1724 tssecsrv (dcf0f056a2e4f52287264f5ab29cf206) C:\Windows\system32\DRIVERS\tssecsrv.sys
    00:54:13.0357 1724 tssecsrv - ok
    00:54:13.0731 1724 tunmp (caecc0120ac49e3d2f758b9169872d38) C:\Windows\system32\DRIVERS\tunmp.sys
    00:54:13.0747 1724 tunmp - ok
    00:54:14.0012 1724 tunnel (300db877ac094feab0be7688c3454a9c) C:\Windows\system32\DRIVERS\tunnel.sys
    00:54:14.0028 1724 tunnel - ok
    00:54:14.0137 1724 uagp35 (c3ade15414120033a36c0f293d4a4121) C:\Windows\system32\drivers\uagp35.sys
    00:54:14.0184 1724 uagp35 - ok
    00:54:14.0496 1724 udfs (d9728af68c4c7693cb100b8441cbdec6) C:\Windows\system32\DRIVERS\udfs.sys
    00:54:14.0558 1724 udfs - ok
    00:54:14.0792 1724 UIUSys - ok
    00:54:15.0104 1724 uliagpkx (75e6890ebfce0841d3291b02e7a8bdb0) C:\Windows\system32\drivers\uliagpkx.sys
    00:54:15.0229 1724 uliagpkx - ok
    00:54:15.0759 1724 uliahci (3cd4ea35a6221b85dcc25daa46313f8d) C:\Windows\system32\drivers\uliahci.sys
    00:54:15.0978 1724 uliahci - ok
    00:54:16.0446 1724 UlSata (8514d0e5cd0534467c5fc61be94a569f) C:\Windows\system32\drivers\ulsata.sys
    00:54:16.0602 1724 UlSata - ok
    00:54:16.0804 1724 ulsata2 (38c3c6e62b157a6bc46594fada45c62b) C:\Windows\system32\drivers\ulsata2.sys
    00:54:16.0851 1724 ulsata2 - ok
    00:54:16.0914 1724 umbus (32cff9f809ae9aed85464492bf3e32d2) C:\Windows\system32\DRIVERS\umbus.sys
    00:54:16.0945 1724 umbus - ok
    00:54:17.0257 1724 USB28xxBGA (4c3180982abbc7cfa14dd21c0cbb1c22) C:\Windows\system32\DRIVERS\emBDA.sys
    00:54:17.0319 1724 USB28xxBGA - ok
    00:54:17.0428 1724 USB28xxOEM (49b03351781de98981df0814a15dc992) C:\Windows\system32\DRIVERS\emOEM.sys
    00:54:17.0460 1724 USB28xxOEM - ok
    00:54:17.0865 1724 usbccgp (8bd3ae150d97ba4e633c6c5c51b41ae1) C:\Windows\system32\drivers\usbccgp.sys
    00:54:17.0928 1724 usbccgp - ok
    00:54:18.0193 1724 usbcir (e9476e6c486e76bc4898074768fb7131) C:\Windows\system32\drivers\usbcir.sys
    00:54:18.0224 1724 usbcir - ok
    00:54:18.0427 1724 usbehci (79e96c23a97ce7b8f14d310da2db0c9b) C:\Windows\system32\DRIVERS\usbehci.sys
    00:54:18.0536 1724 usbehci - ok
    00:54:18.0957 1724 usbhub (4673bbcb006af60e7abddbe7a130ba42) C:\Windows\system32\DRIVERS\usbhub.sys
    00:54:18.0988 1724 usbhub - ok
    00:54:19.0222 1724 usbohci (38dbc7dd6cc5a72011f187425384388b) C:\Windows\system32\DRIVERS\usbohci.sys
    00:54:19.0254 1724 usbohci - ok
    00:54:19.0363 1724 usbprint (e75c4b5269091d15a2e7dc0b6d35f2f5) C:\Windows\system32\DRIVERS\usbprint.sys
    00:54:19.0394 1724 usbprint - ok
    00:54:19.0612 1724 USBSTOR (be3da31c191bc222d9ad503c5224f2ad) C:\Windows\system32\DRIVERS\USBSTOR.SYS
    00:54:19.0644 1724 USBSTOR - ok
    00:54:19.0800 1724 usbuhci (814d653efc4d48be3b04a307eceff56f) C:\Windows\system32\DRIVERS\usbuhci.sys
    00:54:19.0831 1724 usbuhci - ok
    00:54:20.0065 1724 vga (7d92be0028ecdedec74617009084b5ef) C:\Windows\system32\DRIVERS\vgapnp.sys
    00:54:20.0112 1724 vga - ok
    00:54:20.0517 1724 VgaSave (2e93ac0a1d8c79d019db6c51f036636c) C:\Windows\System32\drivers\vga.sys
    00:54:20.0533 1724 VgaSave - ok
    00:54:20.0829 1724 viaagp (045d9961e591cf0674a920b6ba3ba5cb) C:\Windows\system32\drivers\viaagp.sys
    00:54:20.0860 1724 viaagp - ok
    00:54:21.0079 1724 ViaC7 (56a4de5f02f2e88182b0981119b4dd98) C:\Windows\system32\drivers\viac7.sys
    00:54:21.0126 1724 ViaC7 - ok
    00:54:21.0406 1724 viaide (fd2e3175fcada350c7ab4521dca187ec) C:\Windows\system32\drivers\viaide.sys
    00:54:21.0438 1724 viaide - ok
    00:54:21.0500 1724 volmgr (69503668ac66c77c6cd7af86fbdf8c43) C:\Windows\system32\drivers\volmgr.sys
    00:54:21.0531 1724 volmgr - ok
    00:54:21.0656 1724 volmgrx (23e41b834759917bfd6b9a0d625d0c28) C:\Windows\system32\drivers\volmgrx.sys
    00:54:21.0750 1724 volmgrx - ok
    00:54:22.0249 1724 volsnap (147281c01fcb1df9252de2a10d5e7093) C:\Windows\system32\drivers\volsnap.sys
    00:54:22.0264 1724 volsnap - ok
    00:54:22.0608 1724 vsmraid (d984439746d42b30fc65a4c3546c6829) C:\Windows\system32\drivers\vsmraid.sys
    00:54:22.0639 1724 vsmraid - ok
    00:54:22.0810 1724 WacomPen (48dfee8f1af7c8235d4e626f0c4fe031) C:\Windows\system32\drivers\wacompen.sys
    00:54:22.0842 1724 WacomPen - ok
    00:54:22.0998 1724 Wanarp (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys
    00:54:23.0029 1724 Wanarp - ok
    00:54:23.0044 1724 Wanarpv6 (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys
    00:54:23.0044 1724 Wanarpv6 - ok
    00:54:23.0263 1724 Wd (afc5ad65b991c1e205cf25cfdbf7a6f4) C:\Windows\system32\drivers\wd.sys
    00:54:23.0341 1724 Wd - ok
    00:54:23.0824 1724 Wdf01000 (b6f0a7ad6d4bd325fbcd8bac96cd8d96) C:\Windows\system32\drivers\Wdf01000.sys
    00:54:23.0918 1724 Wdf01000 - ok
    00:54:24.0402 1724 WimFltr (f9ad3a5e3fd7e0bdb18b8202b0fdd4e4) C:\Windows\system32\DRIVERS\wimfltr.sys
    00:54:24.0448 1724 WimFltr - ok
    00:54:25.0213 1724 winachsf (5c7bdcf5864db00323fe2d90fa26a8a2) C:\Windows\system32\DRIVERS\VSTCNXT3.SYS
    00:54:25.0260 1724 winachsf - ok
    00:54:25.0696 1724 WmiAcpi (2e7255d172df0b8283cdfb7b433b864e) C:\Windows\system32\DRIVERS\wmiacpi.sys
    00:54:25.0712 1724 WmiAcpi - ok
    00:54:25.0884 1724 WpdUsb (de9d36f91a4df3d911626643debf11ea) C:\Windows\system32\DRIVERS\wpdusb.sys
    00:54:25.0915 1724 WpdUsb - ok
    00:54:26.0227 1724 ws2ifsl (e3a3cb253c0ec2494d4a61f5e43a389c) C:\Windows\system32\drivers\ws2ifsl.sys
    00:54:26.0274 1724 ws2ifsl - ok
    00:54:26.0492 1724 WUDFRd (ac13cb789d93412106b0fb6c7eb2bcb6) C:\Windows\system32\DRIVERS\WUDFRd.sys
    00:54:26.0523 1724 WUDFRd - ok
    00:54:26.0617 1724 MBR (0x1B8) (264850e33aebef8d6f4410c559f395cd) \Device\Harddisk0\DR0
    00:54:29.0674 1724 \Device\Harddisk0\DR0 - ok
    00:54:29.0706 1724 Boot (0x1200) (b1ce98d0301777a83d1ddea344c859ac) \Device\Harddisk0\DR0\Partition0
    00:54:29.0706 1724 \Device\Harddisk0\DR0\Partition0 - ok
    00:54:29.0737 1724 Boot (0x1200) (56cb6dbdf187ea772042ff78f9982cb4) \Device\Harddisk0\DR0\Partition1
    00:54:29.0752 1724 \Device\Harddisk0\DR0\Partition1 - ok
    00:54:29.0799 1724 Boot (0x1200) (ebdb089e7f3136ca49408c5e9c8ba739) \Device\Harddisk0\DR0\Partition2
    00:54:29.0830 1724 \Device\Harddisk0\DR0\Partition2 - ok
    00:54:29.0862 1724 Boot (0x1200) (b5f6bf8800421c4ea66c6e4b8761e605) \Device\Harddisk0\DR0\Partition3
    00:54:29.0862 1724 \Device\Harddisk0\DR0\Partition3 - ok
    00:54:29.0862 1724 ============================================================
    00:54:29.0862 1724 Scan finished
    00:54:29.0862 1724 ============================================================
    00:54:29.0940 3944 Detected object count: 0
    00:54:29.0940 3944 Actual detected object count: 0




    As mentioned in my last post, now I think we should first fix the internet connection.
    Am I right?

    bye,

    steinson
     
  14. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Okay, we're getting their. Please disable the security when you run the following. It was not disabled when you run the scan(s):
    Avira Desktop *Enabled
    SP: Avira Desktop *Enabled
    ========================================
    Please run this Custom CFScript:

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad> click on Format> Uncheck 'Word Wrap> and copy/paste the text in the code below into it:
    Code:
    File::
    c:\users\-\AppData\Roaming\372DCE54.reg
    Folder::
    FileLook::
    c:\program files\USB_video_device\Utility\RemoteTool\BDARemote.exe
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=-
    Clearjavacache::
    
    FCopy::
    C:\WINDOWS\winsxs\x86_microsoft-windows-tdi-over-tcpip_31bf3856ad364e35_6.0.6001.18000_none_ea3dc84bdc15a8b7\tdx.sys | C:\WINDOWS\System32\tdx.sys
    
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [​IMG]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste into to your next reply.
    ====================
    Delightful! Translation of 'Restore Point was created from German to English:
    ""New point of re-establishment was provided." :)
     
  15. steinson

    steinson TS Rookie Topic Starter

    Hi Bobbye!

    I am confused about the status of the virus scanner, since I deactivated it (exactly in the way which is described here: http://www.bleepingcomputer.com/forums/topic114351.html]).
    I even tried to stop the corresponding processes via the taskmanager. But even this didn't work out... Although I am not exactly sure if I ran the taskmanager with administrative rights...

    Any guess how I could really deactivate AVIRA? Or should I perform the scan in the safe mode of windows?

    Thanks in advance!

    bye,

    steinson
     
  16. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Do the fix in Safe Mode with Networking.
     
  17. steinson

    steinson TS Rookie Topic Starter

    Hi Bobbye!

    Although I did the fix in the safe mode (with networking) avira was running anyway... (see log). Nevertheless networking is working again, since the missing tdx.sys file was re-established.

    Here's the log of Combofix:

    ComboFix 12-02-06.01 - - 13.02.2012 13:25:20.3.1 - x86 NETWORK
    Microsoft® Windows Vista™ Business 6.0.6002.2.1252.49.1033.18.1015.405 [GMT 1:00]
    ausgeführt von:: c:\users\-\Desktop\friday.exe.exe
    AV: Avira Desktop *Enabled/Updated* {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C}
    SP: Avira Desktop *Enabled/Updated* {4D1AAC01-E68E-63B1-344F-57F1C6DA4691}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    * Neuer Wiederherstellungspunkt wurde erstellt
    .
    - REDUZIERTER FUNKTIONALITÄTSMODUS -
    .
    .
    (((((((((((((((((((((((((((((((((((( Weitere Löschungen ))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\windows\system32\drivers\tdx.sys fehlte
    Kopie von - c:\windows\System32\tdx.sys wurde wiederhergestellt
    .
    .
    ((((((((((((((((((((((( Dateien erstellt von 2012-01-13 bis 2012-02-13 ))))))))))))))))))))))))))))))
    .
    .
    2012-02-13 12:28 . 2012-02-13 12:28 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-02-13 12:28 . 2012-02-13 12:28 -------- d-----w- c:\users\Claudio\AppData\Local\temp
    2012-02-13 12:28 . 2008-01-19 05:55 71680 ----a-w- c:\windows\system32\drivers\tdx.sys
    2012-01-30 09:25 . 2012-01-30 09:25 -------- d-----w- c:\users\-\AppData\Roaming\Malwarebytes
    2012-01-30 09:25 . 2012-01-30 09:25 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2012-01-30 09:25 . 2011-12-10 14:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-01-27 17:06 . 2012-01-27 17:06 -------- d-----w- c:\program files\iPod
    2012-01-27 17:06 . 2012-01-27 17:09 -------- d-----w- c:\program files\iTunes
    2012-01-18 17:26 . 2011-11-17 06:48 440192 ----a-w- c:\windows\system32\drivers\ksecdd.sys
    2012-01-18 17:26 . 2011-11-16 16:23 278528 ----a-w- c:\windows\system32\schannel.dll
    2012-01-18 17:26 . 2011-11-16 16:23 72704 ----a-w- c:\windows\system32\secur32.dll
    2012-01-18 17:26 . 2011-11-16 16:21 1259008 ----a-w- c:\windows\system32\lsasrv.dll
    2012-01-18 17:26 . 2011-11-16 14:12 9728 ----a-w- c:\windows\system32\lsass.exe
    .
    .
    .
    (((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-02-06 11:47 . 2010-04-28 16:57 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2012-01-27 17:33 . 2011-05-25 13:58 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-01-06 04:19 . 2012-01-27 16:45 6557240 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{B1C66E8A-C36B-4D77-8A3A-0BE53E12C76F}\mpengine.dll ERROR(0x00000005)
    2012-01-06 04:19 . 2007-10-08 18:23 6557240 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll ERROR(0x00000005)
    2011-12-09 07:35 . 2011-11-26 17:46 134856 ----a-w- c:\windows\system32\drivers\avipbb.sys
    2011-12-07 09:08 . 2009-10-03 11:27 236576 ------w- c:\windows\system32\MpSigStub.exe
    2011-11-25 15:59 . 2012-01-13 17:23 376320 ----a-w- c:\windows\system32\winsrv.dll
    2011-11-23 13:37 . 2011-12-15 14:48 2043904 ----a-w- c:\windows\system32\win32k.sys
    2011-11-18 20:23 . 2012-01-13 17:23 1205064 ----a-w- c:\windows\system32\ntdll.dll
    2011-11-18 17:47 . 2012-01-13 17:23 66560 ----a-w- c:\windows\system32\packager.dll
    2011-11-16 16:23 . 2012-01-18 17:26 377344 ----a-w- c:\windows\system32\winhttp.dll
    2012-01-07 09:46 . 2011-05-10 15:48 121816 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    (((((((((((((((((((((((((((( Autostartpunkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
    @="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
    2011-02-18 05:12 94208 ----a-w- c:\users\-\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
    @="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
    2011-02-18 05:12 94208 ----a-w- c:\users\-\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
    @="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
    2011-02-18 05:12 94208 ----a-w- c:\users\-\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-12-18 98304]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-12-18 106496]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2006-12-18 81920]
    "PTHOSTTR"="c:\program files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE" [2006-11-14 139264]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-11-14 815104]
    "WAWifiMessage"="c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2006-10-18 317152]
    "hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2006-10-18 472800]
    "HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2006-12-04 46704]
    "QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-11-06 159744]
    "CognizanceTS"="c:\progra~1\HEWLET~1\IAM\Bin\ASTSVCC.dll" [2003-12-23 17920]
    "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-10-05 59240]
    "GrooveMonitor"="c:\program files\MsOffice12\Office12\GrooveMonitor.exe" [2008-10-25 31072]
    "APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-01 59240]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-10-19 258512]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-01-16 421736]
    "Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-12-24 460872]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
    .
    c:\users\-\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    OneNote 2007 Bildschirmausschnitt- und Startprogramm.lnk - c:\program files\MsOffice12\Office12\ONENOTEM.EXE [2009-2-26 97680]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    BTTray.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-11-3 703280]
    NewShortcut1.lnk - c:\program files\USB_video_device\Utility\RemoteTool\BDARemote.exe [N/A]
    VPN Client.lnk - c:\windows\Installer\{08B785C1-3893-4154-B53B-F5D341D0AAAA}\Icon3E5562ED7.ico [2010-2-20 6144]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "aux"=wdmaud.drv
    .
    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^DVD Check.lnk]
    path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\DVD Check.lnk
    backup=c:\windows\pss\DVD Check.lnk.CommonStartup
    backupExtension=.CommonStartup
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2008-10-15 00:04 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2011-10-24 13:28 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
    bthsvcs REG_MULTI_SZ BthServ
    Cognizance REG_MULTI_SZ ASBroker ASChannel
    LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
    .
    Inhalt des "geplante Tasks" Ordners
    .
    2012-02-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-10-20 16:06]
    .
    2012-02-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-10-20 16:06]
    .
    .
    ------- Zusätzlicher Suchlauf -------
    .
    mStart Page = hxxp://de.yahoo.com
    uInternet Settings,ProxyOverride = *.local
    uSearchURL,(Default) = hxxp://de.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://de.search.yahoo.com
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: Nach Microsoft E&xel exportieren - c:\progra~1\MSOFFI~1\Office12\EXCEL.EXE/3000
    IE: Save YouTube Video as MP3 - c:\program files\Common Files\DVDVideoSoft\Dll\IEContextMenuY.dll/scriptY2MP3.htm
    IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    IE: {{7578ADEA-D65F-4C89-A249-B1C88B6FFC20} - c:\program files\ICQ7.5\ICQ.exe
    TCP: DhcpNameServer = 172.17.7.254
    FF - ProfilePath -
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-02-13 13:31
    Windows 6.0.6002 Service Pack 2 NTFS
    .
    Scanne versteckte Prozesse...
    .
    Scanne versteckte Autostarteinträge...
    .
    Scanne versteckte Dateien...
    .
    Scan erfolgreich abgeschlossen
    versteckte Dateien: 0
    .
    **************************************************************************
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\msftesql$CSSQL05]
    "ImagePath"="\"c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe\" -s:MSSQL.1 -f:CSSQL05"
    .
    --------------------- Gesperrte Registrierungsschluessel ---------------------
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    "MSCurrentCountry"=dword:000000b5
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    --------------------- Durch laufende Prozesse gestartete DLLs ---------------------
    .
    - - - - - - - > 'Explorer.exe'(2952)
    c:\users\-\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
    c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
    .
    ------------------------ Weitere laufende Prozesse ------------------------
    .
    c:\program files\Avira\AntiVir Desktop\sched.exe
    c:\windows\system32\agrsmsvc.exe
    c:\program files\Avira\AntiVir Desktop\avguard.exe
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Hewlett-Packard\IAM\bin\asghost.exe
    c:\program files\Cisco Systems\VPN Client\cvpnd.exe
    c:\program files\Common Files\LightScribe\LSSrvc.exe
    c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe
    c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
    c:\program files\Microsoft\BingBar\SeaPort.EXE
    c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
    c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    c:\program files\TeamViewer\Version5\TeamViewer_Service.exe
    c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
    c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    c:\windows\system32\WUDFHost.exe
    c:\program files\Google\Update\1.3.21.79\GoogleCrashHandler.exe
    c:\program files\Avira\AntiVir Desktop\avshadow.exe
    c:\windows\system32\conime.exe
    c:\windows\system32\wbem\unsecapp.exe
    c:\progra~1\HEWLET~1\Shared\HPQTOA~1.EXE
    c:\program files\iPod\bin\iPodService.exe
    c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe
    c:\windows\system32\DllHost.exe
    c:\program files\Adobe\Reader 8.0\Reader\AcroRd32Info.exe
    .
    **************************************************************************
    .
    Zeit der Fertigstellung: 2012-02-13 13:42:21 - PC wurde neu gestartet
    ComboFix-quarantined-files.txt 2012-02-13 12:41
    ComboFix2.txt 2012-02-13 12:02
    ComboFix3.txt 2012-02-10 23:33
    ComboFix4.txt 2012-02-07 14:06
    .
    Vor Suchlauf: 10.577.760.256 bytes free
    Nach Suchlauf: 9.456.726.016 bytes free
    .
    - - End Of File - - 914AF0218224B621D5FA81D7C551E51A


    This seems to be good progress. What next?

    bye,

    steinson
     
  18. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    About this Running: c:\windows\system32\RacAgent.exe

    Here is some information about RacAgent.exe:
    • It is a hidden scheduled task
    • RACAgent runs when you start the computer. This scheduled task also runs every hour after you start the computer.
    • This task is a Microsoft Reliability Analysis task that processes events that impact system reliability data.
    • It calculates the Stability Index shown in the System Stability Chart over the lifetime of the system.
    • Reference for info to read: http://technet.microsoft.com/en-us/library/cc766393(WS.10).aspx

    Note: I skipped using Vista and was not familiar with this process. I could not find information about whether it needs to run and/or whether the information is of any use>> or if it's being collected by Microsoft.
    =======================================
    Regarding Avira: I think what is causing the scans to say it's running is because there is a Scheduled Task running. I can stop that is needed.
    =======================================
    Since the internet connection has been restored, please go ahead and run the Eset scan.

    The system is looking good. Are there any remaining problems that we havn't resolved?
     
  19. steinson

    steinson TS Rookie Topic Starter

    I skipped using Vista either, but as I told you, it is the laptop of a friend of mine... So I have to deal with it.
    According to this link here: http://social.technet.microsoft.com.../thread/6208301e-6017-4025-9236-31537b8dd657/
    RacAgent.exe is a Reliability Monitor of Microsoft. Hence, it is ok that it runs, I think. In fact it would be really easy to stop it...
    The AVIRA task do not bother me either...

    Up to now the ESET Scan is running, but not yet finished.
    However in the meantime I would like to discuss another issue. All Files on all drives are marked as "read-only". I already tried to reset that (by hand as well as by a short script), but up to now without success. Any suggestions?

    Thanks in advance!

    bye,

    steinson
     
  20. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    The Read Only attribute may have been caused by the malware. There are ways to change that, but there is some risk. There is also a difference in Red Only for a File and R/O for a Folder.Let's wait until we know the system is clean- then we can address the issue.

    Please post Eset log when ready.
     
  21. steinson

    steinson TS Rookie Topic Starter

    Hey!

    Good news. The scan just finished and reported, that no threats were found!

    So let us switch to the Read-only problem!

    Thanks in advance!

    steinson
     
  22. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    This is a very broad statement:
    1. Is it really all of the files you try to open?
    2. Cold it be .exe files only?
    3. Are any folders marked 'read only'?
    4. When did the 'read only' attribute begin?
    5. Please give me a couple of examples of the 'files marked 'read only'.
     
  23. steinson

    steinson TS Rookie Topic Starter

    Hi!

    Sorry, for the long response time... But I had to go on a rapid business-trip.
    I carefully checked the laptop again, regarding the "read-only issue":

    1. /3. All folders on all drives are marked as "read-only". As far as I know this is common for folders in Windows Vista. Files on the drives D:\, F:\ and G:\ are fine, they can be accessed. But all files on the drive C:\ are marked as "read-only". Of course I didn't look at all files but I did several spot tests.
    2. The "read-only" tag for the files on C:\ is not only persistent for .exe files or restricted to a specific sort of files. It is just there for all files and folders on C:\
    4. I am not exactly sure when it started, but I think it was already there as we started with the disinfection.
    5. Examples are very easy in this case...
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Users\-\Music\Lifehouse\No Name Face\07 Simon.wma
    C:\Intel\Logs\IntelGFX.log
    C:\WINDOWS\zip.exe

    (I could give you many more of course...)

    bye,

    steinson
     
  24. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Sorry, but I need to pin you down on this. You have mentioned the 'read only' attribute for both files and for folders. There is a difference. For instance, 2 of the examples you gave me are files:
    These are the executable for the process.

    This file is the executable for the Firefox browser: C:\Program Files\Mozilla Firefox\firefox.exe. The folder for it would be Mozilla Firefox if you looked in your list of programs using Windows Explorer> If you clicked on the Mozilla Firefox folder, the contents would then show. In this case, firefox.exe would be the process you would click on to launch

    It looks like Firefox is running- how do you launch it?
    -----------------------------------------------------
    Questions:
    • Are you logged in to administrator account? You may not have the privileges if you are logged onto the administrator's account
    • Did you make any changes on the computer? (other than what malware caused)
    • Did you create the Read-only file?
    • What message are you getting while changing the Read-only attribute?
    • Were you able to change the attributes earlier in your computer?

    According to Microsoft:
     
  25. steinson

    steinson TS Rookie Topic Starter

    Hey Bobbye!

    Sometimes the solution is really easy... Sorry for bothering with this stuff.
    I was just logged in into the wrong account. With the "normal" account everything is fine! No problems with accessing files etc.

    Hence I think everything is fine now. The laptop is behaving very well and I updated already all the software.

    Thanks for your patience and help!

    bye,
    steinson
     
Topic Status:
Not open for further replies.

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...