TechSpot

Unable to remove Win32/Heur

By vbakis
Feb 24, 2011
  1. Hello everyone!

    New member here!

    Unfortunately my first post has to be asking for help... My PC got infected by the Win32/Heur virus according to my AVG Free Anti-Virus. I tried several times to scan and clean, but it keeps coming back. Any feedback will be appreciated!

    Thank you in advance

    EDIT: I just read the 8-step removal instructions, and it seems that the system is clean; at least that's what MBAM says in the log:

    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 5863

    Windows 5.1.2600 Service Pack 2
    Internet Explorer 6.0.2900.2180

    24/2/2011 12:24:01 PM
    mbam-log-2011-02-24 (12-24-01).txt

    Scan type: Quick scan
    Objects scanned: 136222
    Time elapsed: 2 minute(s), 13 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
     
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    You cannot assume it's clean because one log doesn't show anything. The Win32/Heur finding by AVG is particularly important because it often means there is a Virus or Ramnit malware infection, both of which are considered not curable.

    I'd like you to run the following online scan. We'll go from there after I see the log:

    Run Eset NOD32 Online AntiVirus scan HERE
    1. Tick the box next to YES, I accept the Terms of Use.
    2. Click Start
    3. When asked, allow the Active X control to install
    4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    5. Click Start
    6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    7. Click Scan
    8. Wait for the scan to finish
    9. Click on "Copy to Clipboard" (you won't see the 'clipboard')
    10. Click anywhere in the post where you want the logs to go, then press Ctrl+V. The log will be sent from the clipboard and pasted in the post.
    11. Re-enable your Antivirus software.
      NOTE: If you forget to copy to the clipboard, you can find the log here:
      C:\Program Files\EsetOnlineScanner\log.txt. Please include this in your post.
     
  3. vbakis

    vbakis TS Rookie Topic Starter Posts: 17

    ESET Online Scanner just finished and these are the results:

    H:\office recovery\G\Lost File Results\LostFile_EXE_17977144.exe a variant of Win32/Kryptik.AAQ trojan
    H:\office recovery\G\Lost File Results\LostFile_EXE_18174360.exe a variant of Win32/Kryptik.AAQ trojan
    H:\office recovery\G\Lost File Results\LostFile_EXE_52609881.exe a variant of Win32/Conficker.Y worm
    H:\office recovery\G\Lost File Results\LostFile_EXE_5472056.exe a variant of Win32/TrojanDownloader.FakeAlert.GO trojan
    H:\office recovery\G\Lost File Results\LostFile_EXE_63078584.exe a variant of Win32/Kryptik.AY trojan
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_104647160.exe a variant of Win32/Kryptik.AAQ trojan
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_10607648.exe a variant of Win32/Kryptik.AAQ trojan
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_10630496.exe a variant of Win32/Kryptik.AAQ trojan
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_11193632.exe a variant of Win32/Kryptik.AAQ trojan
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_5979896.exe a variant of Win32/Kryptik.AAQ trojan
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_8634784.exe a variant of Win32/Kryptik.AAQ trojan
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_9084792.exe a variant of Win32/Kryptik.AAQ trojan
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_92521216.exe a variant of Win32/Kryptik.AAQ trojan
     
  4. Bobbye

    What is Drive H? What did you do with 'office recovery'?

    Your system is not clean. Please answer my questions and then go on with the rest of the preliminary steps in the Preliminary Virus and Malware Removal thread HERE.

    When you have finished, leave the logs for review in your next reply .
    NOTE: Logs must be pasted in the replies. Attached logs will not be reviewed.

    Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.
     
  5. vbakis

    I connected a hard drive to my computer, but Windows wouldn't recognise it. I had to format it and then used software to recover the files and saved them on an external USB hard drive (H:).
     
  6. Bobbye

    Unfortunately those files had malware. You will have to disinfect the flash drive:
    1. Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
    2. Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
      Note: Some security programs will flag Flash_Disinfector as being some sort of malware, you can safely ignore these warnings
    3. The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
    4. Wait until it has finished scanning and then exit the program.
    5. Reboot your computer when done.
    ==========================================
    Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder. It will help protect your drives from future infection.
    =======================================
    If you would like us to check the system for malware, please follow the steps in the Preliminary Virus and Malware Removal thread HERE.

    When you have finished, leave the logs for review in your next reply .
    NOTE: Logs must be pasted in the replies. Attached logs will not be reviewed.

    Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.
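    The hidden autorun.inf folder described above works because a file and a directory cannot share a name in the same folder, so a worm that tries to drop its own autorun.inf into the drive root fails. The following is an added example, not code from the thread and not Flash_Disinfector's code: it reproduces that idea in Python against throwaway directories standing in for drive roots, and adds the check a responder wants before "disinfecting" anything, namely whether a drive root already carries a real autorun.inf and which of its entries would execute something. The paths, the sample autorun.inf text and the hidden/system attributes (set with attrib on Windows only) are assumptions made for the demonstration.

```python
import os
import subprocess
import tempfile


def _is_exec_key(key):
    # Keys under [autorun] that make Explorer run something on insertion or
    # double-click: "open", "shellexecute", "shell" (default verb) and
    # "shell\<verb>\command". Everything else (icon, label, action) is inert.
    k = key.lower()
    return k in ("open", "shellexecute") or k.startswith("shell")


def parse_autorun(text):
    """Return [(section, key, value)] from autorun.inf text.

    Hand-rolled rather than configparser: malicious autorun.inf files are
    often padded with junk lines that would abort a strict INI parser.
    """
    entries, section = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if "=" in line:
            key, value = line.split("=", 1)
            entries.append((section, key.strip(), value.strip()))
    return entries


def inspect_autorun(root):
    """Classify <root>/autorun.inf as absent, a placeholder folder, or a file.

    For a file, 'suspicious' lists the (key, value) pairs under [autorun]
    that would execute something; an empty list means icon/label only.
    """
    path = os.path.join(root, "autorun.inf")
    if not os.path.lexists(path):
        return {"status": "absent", "suspicious": []}
    if os.path.isdir(path):
        return {"status": "placeholder", "suspicious": []}
    with open(path, "r", errors="replace") as fh:
        entries = parse_autorun(fh.read())
    suspicious = [(k.lower(), v) for s, k, v in entries
                  if s == "autorun" and _is_exec_key(k)]
    return {"status": "file", "suspicious": suspicious}


def install_placeholder(root):
    """Create the hidden autorun.inf folder; True if it exists afterwards.

    Refuses (False) when a real autorun.inf file is already there: that file
    is evidence and should be inspected, not silently replaced.
    """
    path = os.path.join(root, "autorun.inf")
    if os.path.isfile(path):
        return False
    os.makedirs(path, exist_ok=True)
    if os.name == "nt":
        # Hidden + system attributes, as the post says the tool does.
        subprocess.run(["attrib", "+h", "+s", path], check=False)
    return os.path.isdir(path)


def placeholder_blocks_write(root):
    """Simulate a worm dropping autorun.inf; True if the folder stops it."""
    path = os.path.join(root, "autorun.inf")
    try:
        with open(path, "w") as fh:
            fh.write("[autorun]\nopen=dropped.exe\n")
    except OSError:
        return True        # the directory already owns the name
    os.remove(path)        # the write went through: root was unprotected
    return False


# Constructed sample in the usual malware style; not taken from the page.
SAMPLE_AUTORUN = (
    "[autorun]\r\n"
    "open=RECYCLER\\setup.exe\r\n"
    "icon=%SystemRoot%\\system32\\SHELL32.dll,4\r\n"
    "shell\\open\\command=RECYCLER\\setup.exe\r\n"
    "action=Open folder to view files\r\n"
)


def write_sample_autorun(root):
    """Drop the constructed sample into <root> so the checks have input."""
    with open(os.path.join(root, "autorun.inf"), "w") as fh:
        fh.write(SAMPLE_AUTORUN)


def demo():
    """Run the checks against two temp directories standing in for drive roots."""
    clean, infected = tempfile.mkdtemp(), tempfile.mkdtemp()
    write_sample_autorun(infected)
    return {
        "clean_before": inspect_autorun(clean)["status"],
        "placeholder_installed": install_placeholder(clean),
        "clean_after": inspect_autorun(clean)["status"],
        "write_blocked": placeholder_blocks_write(clean),
        "infected": inspect_autorun(infected),
        "refused_on_infected": install_placeholder(infected),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "=", value)
```

    Run it against a real drive root (for example `inspect_autorun("H:\\")`) before running any disinfector: a "file" status with entries under "suspicious" tells you what the drive would have launched, and that file is worth keeping for the investigation rather than overwriting. The placeholder only blocks the autorun.inf name; it does nothing about executables already copied to the drive, which is why the ESET hits under H:\office recovery still need handling separately.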
     
  7. vbakis

    OK, I downloaded Flash_Disinfector and ran it, and after 10 sec I got a screen message "Done!" and clicked OK. After that I rebooted my computer. What shall I do next?

    P.S. Flash_Disinfector didn't create any hidden folder or file named autorun.inf
     
  8. Bobbye

    Please go ahead with the steps in the Preliminary Virus and Malware Removal thread HERE.

    When you have finished, leave the logs for review in your next reply .
    NOTE: Logs must be pasted in the replies. Attached logs will not be reviewed.
     
  9. vbakis

    Hello again. I followed the 8-step guide but am having trouble at step 5, where I need to run the DDS script. Windows recognizes it as an AutoCAD script; when I double-click it, it opens a Notepad file and that's it, no log files...
     
  10. Bobbye

    Please download this file: xp_scr_fix.

    Unpack (unzip) the file onto your desktop and double-click it. You will be asked if you wish to merge the file with your registry; say Yes.

    You should then be able to run DDS.scr.

    It's the .scr file extension causing the problem.
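    What the .reg fix above rewrites is the file association chain for .scr: HKCR\.scr names a ProgID, and that ProgID's shell\open\command says what a double-click runs. The following is an added example, not code from the thread and not the contents of the xp_scr_fix file; it only reads the registry and reports whether the chain still matches a stock Windows XP install. The two "expected" values are assumptions about a stock install, not something the thread states.

```powershell
# Added diagnostic, read-only: shows why DDS.scr opened in an editor
# instead of running. Assumed stock XP values (not from the thread):
#   HKCR\.scr (default)                       = scrfile
#   HKCR\scrfile\shell\open\command (default) = "%1" /S

function Get-ScrAssociation {
    $ext = Get-ItemProperty -Path 'Registry::HKEY_CLASSES_ROOT\.scr' -ErrorAction SilentlyContinue
    $progId = $null
    if ($ext) { $progId = $ext.'(default)' }

    $command = $null
    if ($progId) {
        $cmdPath = "Registry::HKEY_CLASSES_ROOT\$progId\shell\open\command"
        $cmd = Get-ItemProperty -Path $cmdPath -ErrorAction SilentlyContinue
        if ($cmd) { $command = $cmd.'(default)' }
    }

    New-Object PSObject -Property @{
        ProgId  = $progId
        Command = $command
    }
}

function Test-ScrAssociation {
    # On a stock install the open verb launches the file itself with /S
    # (run as screen saver). Any other ProgID or command means another
    # program took the extension; AutoCAD also uses .scr for its scripts.
    $expectedProgId  = 'scrfile'
    $expectedCommand = '"%1" /S'

    $assoc   = Get-ScrAssociation
    $isStock = ($assoc.ProgId -eq $expectedProgId) -and ($assoc.Command -eq $expectedCommand)

    New-Object PSObject -Property @{
        ProgId  = $assoc.ProgId
        Command = $assoc.Command
        IsStock = $isStock
        Verdict = $(if ($isStock) { 'stock association: double-click executes the .scr file' }
                    else { 'association changed: double-click will not execute the .scr file' })
    }
}

Test-ScrAssociation | Format-List
```

    The association only governs what Explorer does on a double-click. A .scr file is an ordinary PE executable and runs the same way whether the extension is mapped to a screen saver, an AutoCAD script or nothing at all, which is both why DDS is shipped as .scr (to slip past malware that blocks .exe) and why .scr attachments are a long-standing malware delivery trick.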
     
  11. vbakis

    OK, DDS worked fine after the .scr fix, thanks a lot! These are the log files from the scans I performed:

    GMER Log
    GMER 1.0.15.15530 - http://www.gmer.net
    Rootkit quick scan 2011-02-28 10:35:37
    Windows 5.1.2600 Service Pack 2 Harddisk1\DR1 -> \Device\Ide\IdeDeviceP2T0L0-e ST3250318AS rev.CC37
    Running: ikz0n6lh.exe; Driver: G:\DOCUME~1\Vasilis\LOCALS~1\Temp\kwniqfob.sys


    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
    AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \FileSystem\Fastfat \Fat AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
    AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

    ---- EOF - GMER 1.0.15 ----




    DDS Log

    DDS (Ver_10-12-12.02) - NTFSx86
    Run by Vasilis at 11:41:19,92 on 01/03/2011
    Internet Explorer: 6.0.2900.2180
    Microsoft Windows XP Professional 5.1.2600.2.1253.30.1033.18.1535.855 [GMT 2:00]

    AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

    ============== Running Processes ===============

    G:\PROGRA~1\AVG\AVG10\avgchsvx.exe
    G:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    G:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    G:\WINDOWS\system32\spoolsv.exe
    G:\WINDOWS\Explorer.EXE
    G:\WINDOWS\SOUNDMAN.EXE
    G:\Program Files\AVG\AVG10\avgtray.exe
    G:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    svchost.exe
    G:\Program Files\iTunes\iTunesHelper.exe
    G:\WINDOWS\system32\ctfmon.exe
    G:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    G:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    G:\Program Files\AVG\AVG10\avgwdsvc.exe
    G:\Program Files\Bonjour\mDNSResponder.exe
    G:\WINDOWS\system32\svchost.exe -k imgsvc
    G:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
    G:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
    G:\Program Files\AVG\AVG10\avgnsx.exe
    G:\Program Files\AVG\AVG10\avgemcx.exe
    G:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    G:\Program Files\iPod\bin\iPodService.exe
    G:\WINDOWS\system32\wuauclt.exe
    G:\Program Files\Windows Live\Mail\wlmail.exe
    G:\Program Files\Windows Live\Contacts\wlcomm.exe
    G:\PROGRA~1\AVG\AVG10\avgrsx.exe
    G:\Program Files\AVG\AVG10\avgcsrvx.exe
    G:\Documents and Settings\Vasilis\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    G:\Documents and Settings\Vasilis\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    G:\Documents and Settings\Vasilis\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    G:\Documents and Settings\Vasilis\My Documents\Downloads\Protection - Antivirus -Spyware\dds.scr

    ============== Pseudo HJT Report ===============

    uInternet Settings,ProxyOverride = *.local
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - g:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - g:\program files\avg\avg10\avgssie.dll
    BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - g:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    uRun: [CTFMON.EXE] g:\windows\system32\ctfmon.exe
    uRun: [Google Update] "g:\documents and settings\vasilis\local settings\application data\google\update\GoogleUpdate.exe" /c
    mRun: [SoundMan] SOUNDMAN.EXE
    mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    mRun: [AVG_TRAY] g:\program files\avg\avg10\avgtray.exe
    mRun: [ATICustomerCare] "g:\program files\ati\aticustomercare\ATICustomerCare.exe"
    mRun: [Adobe Reader Speed Launcher] "g:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "g:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [HP Software Update] g:\program files\hp\hp software update\HPWuSchd2.exe
    mRun: [QuickTime Task] "g:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [iTunesHelper] "g:\program files\itunes\iTunesHelper.exe"
    dRun: [CTFMON.EXE] g:\windows\system32\CTFMON.EXE
    StartupFolder: g:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - g:\program files\hp\digital imaging\bin\hpqtra08.exe
    IE: E&xport to Microsoft Excel - g:\progra~1\micros~2\office11\EXCEL.EXE/3000
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - g:\program files\messenger\msmsgs.exe
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - g:\progra~1\micros~2\office11\REFIEBAR.DLL
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - g:\program files\avg\avg10\avgpp.dll

    ============= SERVICES / DRIVERS ===============

    R0 AVGIDSEH;AVGIDSEH;g:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 25680]
    R0 Avgrkx86;AVG Anti-Rootkit Driver;g:\windows\system32\drivers\avgrkx86.sys [2010-9-7 26064]
    R1 Avgldx86;AVG AVI Loader Driver;g:\windows\system32\drivers\avgldx86.sys [2010-12-8 251728]
    R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;g:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34384]
    R1 Avgtdix;AVG TDI Driver;g:\windows\system32\drivers\avgtdix.sys [2010-11-12 299984]
    R2 AVGIDSAgent;AVGIDSAgent;g:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2011-1-6 6128720]
    R2 avgwd;AVG WatchDog;g:\program files\avg\avg10\avgwdsvc.exe [2010-10-22 265400]
    R3 AVGIDSDriver;AVGIDSDriver;g:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-3 123472]
    R3 AVGIDSFilter;AVGIDSFilter;g:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-3 30288]
    R3 AVGIDSShim;AVGIDSShim;g:\windows\system32\drivers\AVGIDSShim.sys [2010-8-3 26192]

    =============== Created Last 30 ================

    2011-02-28 11:58:54 -------- d-----w- g:\program files\MSXML 4.0
    2011-02-25 11:12:32 26600 ----a-w- g:\windows\system32\drivers\GEARAspiWDM.sys
    2011-02-25 11:12:32 107368 ----a-w- g:\windows\system32\GEARAspi.dll
    2011-02-25 11:11:33 -------- d-----w- g:\program files\iPod
    2011-02-25 11:11:30 -------- d-----w- g:\program files\iTunes
    2011-02-25 11:11:30 -------- d-----w- g:\docume~1\alluse~1\applic~1\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
    2011-02-25 11:11:05 159744 ----a-w- g:\program files\internet explorer\plugins\npqtplugin7.dll
    2011-02-25 11:11:05 159744 ----a-w- g:\program files\internet explorer\plugins\npqtplugin6.dll
    2011-02-25 11:11:05 159744 ----a-w- g:\program files\internet explorer\plugins\npqtplugin5.dll
    2011-02-25 11:11:05 159744 ----a-w- g:\program files\internet explorer\plugins\npqtplugin4.dll
    2011-02-25 11:11:05 159744 ----a-w- g:\program files\internet explorer\plugins\npqtplugin3.dll
    2011-02-25 11:11:05 159744 ----a-w- g:\program files\internet explorer\plugins\npqtplugin2.dll
    2011-02-25 11:11:05 159744 ----a-w- g:\program files\internet explorer\plugins\npqtplugin.dll
    2011-02-25 11:10:25 -------- d-----w- g:\docume~1\vasilis\locals~1\applic~1\Apple
    2011-02-25 11:10:13 41984 ----a-w- g:\windows\system32\drivers\usbaapl.sys
    2011-02-25 11:10:13 4184352 ----a-w- g:\windows\system32\usbaaplrc.dll
    2011-02-25 11:09:29 -------- d-----w- g:\program files\Bonjour
    2011-02-25 11:08:39 -------- d-----w- g:\docume~1\vasilis\locals~1\applic~1\Apple Computer
    2011-02-24 16:45:40 -------- d-----w- g:\program files\ESET
    2011-02-24 08:17:17 -------- d-----w- g:\docume~1\vasilis\applic~1\Malwarebytes
    2011-02-24 08:17:02 38224 ----a-w- g:\windows\system32\drivers\mbamswissarmy.sys
    2011-02-24 08:17:02 -------- d-----w- g:\docume~1\alluse~1\applic~1\Malwarebytes
    2011-02-24 08:16:59 20952 ----a-w- g:\windows\system32\drivers\mbam.sys
    2011-02-24 08:16:59 -------- d-----w- g:\program files\Malwarebytes' Anti-Malware
    2011-02-24 08:03:18 -------- d-----w- g:\program files\Trend Micro
    2011-02-22 16:55:28 -------- d-----w- g:\program files\common files\HP
    2011-02-22 16:52:42 -------- d-----w- g:\program files\common files\Hewlett-Packard
    2011-02-22 16:51:19 74240 ----a-w- g:\windows\system32\spool\prtprocs\w32x86\hpzpp054.dll
    2011-02-22 16:51:19 38400 ----a-w- g:\windows\system32\hpz3l054.dll
    2011-02-22 16:50:24 94208 ----a-w- g:\windows\system32\HPZipt12.dll
    2011-02-22 16:50:24 69632 ----a-w- g:\windows\system32\HPZipm12.exe
    2011-02-22 16:50:24 65536 ----a-w- g:\windows\system32\HPZinw12.exe
    2011-02-22 16:50:24 57344 ----a-w- g:\windows\system32\HPZisn12.dll
    2011-02-22 16:50:24 204800 ----a-w- g:\windows\system32\HPZipr12.dll
    2011-02-22 16:50:23 306688 ----a-w- g:\windows\IsUninst.exe
    2011-02-22 16:50:23 282680 ----a-w- g:\windows\system32\HPZidr12.dll
    2011-02-22 16:49:46 -------- d-----w- g:\program files\HP
    2011-02-22 16:46:46 49664 ----a-w- g:\windows\system32\drivers\HPZid412.sys
    2011-02-22 16:46:46 21568 ----a-w- g:\windows\system32\drivers\HPZius12.sys
    2011-02-22 16:46:46 16496 ----a-w- g:\windows\system32\drivers\HPZipr12.sys
    2011-02-22 16:44:22 827392 ----a-w- g:\windows\system32\hpotiop2.dll
    2011-02-22 16:44:22 659456 ----a-w- g:\windows\system32\hpowiax2.dll
    2011-02-22 16:44:21 282624 ----a-w- g:\windows\system32\HPZc3212.dll
    2011-02-22 16:44:21 254026 ----a-w- g:\windows\system32\hpovst09.dll
    2011-02-22 16:44:20 98304 ----a-w- g:\windows\system32\hpzjsn01.dll
    2011-02-22 16:44:20 77824 ----a-w- g:\windows\system32\HPZIDS01.dll
    2011-02-22 12:47:39 25856 -c--a-w- g:\windows\system32\dllcache\usbprint.sys
    2011-02-22 12:47:39 25856 ----a-w- g:\windows\system32\drivers\usbprint.sys
    2011-02-22 12:46:54 31616 -c--a-w- g:\windows\system32\dllcache\usbccgp.sys
    2011-02-22 12:46:54 31616 ----a-w- g:\windows\system32\drivers\usbccgp.sys
    2011-02-22 08:04:03 274288 ----a-w- g:\windows\system32\mucltui.dll
    2011-02-22 08:04:03 215920 ----a-w- g:\windows\system32\muweb.dll
    2011-02-22 08:04:03 16736 ----a-w- g:\windows\system32\mucltui.dll.mui
    2011-02-21 11:36:43 -------- d-----w- g:\docume~1\vasilis\locals~1\applic~1\Adobe
    2011-02-21 11:25:10 -------- d-----w- g:\documents and settings\vasilis\Tracing
    2011-02-21 11:24:02 3426072 ----a-w- g:\windows\system32\d3dx9_32.dll
    2011-02-21 11:23:53 -------- d-----w- g:\program files\Microsoft SQL Server Compact Edition
    2011-02-21 11:22:25 -------- d-----w- g:\program files\Microsoft
    2011-02-21 11:22:07 -------- d-----w- g:\program files\Windows Live SkyDrive
    2011-02-21 11:20:37 484632 ----a-w- g:\program files\common files\windows live\.cache\5cf9c4be1cbd1b9\DXSETUP.exe
    2011-02-21 11:20:36 74520 ----a-w- g:\program files\common files\windows live\.cache\5cf9c4be1cbd1b9\DSETUP.dll
    2011-02-21 11:20:36 1670936 ----a-w- g:\program files\common files\windows live\.cache\5cf9c4be1cbd1b9\dsetup32.dll
    2011-02-21 11:20:23 1013800 ----a-w- g:\program files\common files\windows live\.cache\54ab13261cbd1b9\WindowsXP-KB954708-x86-ENU.exe
    2011-02-21 11:20:02 1229688 ----a-w- g:\program files\common files\windows live\.cache\48a9dbfc1cbd1b9\wic_x86_enu.exe
    2011-02-21 11:13:57 -------- d-----w- g:\program files\common files\Windows Live
    2011-02-21 11:07:41 -------- d-----w- g:\program files\ATI
    2011-02-21 11:07:09 -------- d-----w- g:\program files\ATI Technologies
    2011-02-21 11:05:57 -------- d-----w- G:\ATI
    2011-02-21 10:45:49 -------- d--h--w- G:\$AVG
    2011-02-21 10:44:29 -------- d-----w- g:\program files\MSXML 6.0
    2011-02-21 10:38:42 -------- d-----w- g:\windows\ServicePackFiles
    2011-02-21 08:08:42 -------- d-----w- g:\windows\system32\CatRoot_bak
    2011-02-21 08:02:21 454016 -c----w- g:\windows\system32\dllcache\mrxsmb.sys
    2011-02-21 08:01:46 2137088 -c----w- g:\windows\system32\dllcache\ntkrnlmp.exe
    2011-02-21 08:01:45 2181376 -c----w- g:\windows\system32\dllcache\ntoskrnl.exe
    2011-02-21 08:01:45 2016768 -c----w- g:\windows\system32\dllcache\ntkrpamp.exe
    2011-02-21 08:01:44 2058368 -c----w- g:\windows\system32\dllcache\ntkrnlpa.exe
    2011-02-21 08:00:22 272128 -c----w- g:\windows\system32\dllcache\bthport.sys
    2011-02-21 08:00:22 272128 ------w- g:\windows\system32\drivers\bthport.sys
    2011-02-21 07:58:10 293376 ------w- g:\windows\system32\browserchoice.exe
    2011-02-21 07:57:41 12160 -c--a-w- g:\windows\system32\dllcache\mouhid.sys
    2011-02-21 07:57:41 12160 ----a-w- g:\windows\system32\drivers\mouhid.sys
    2011-02-21 07:57:37 9600 -c--a-w- g:\windows\system32\dllcache\hidusb.sys
    2011-02-21 07:57:37 9600 ----a-w- g:\windows\system32\drivers\hidusb.sys
    2011-02-18 19:59:30 26488 ----a-w- g:\windows\system32\spupdsvc.exe
    2011-02-18 19:59:30 -------- d-----w- g:\windows\system32\PreInstall
    2011-02-18 19:47:10 165376 ----a-w- g:\windows\system32\unrar.dll
    2011-02-18 19:47:09 839680 ----a-w- g:\windows\system32\lameACM.acm
    2011-02-18 19:47:08 810496 ----a-w- g:\windows\system32\xvidcore.dll
    2011-02-18 19:47:08 80896 ----a-w- g:\windows\system32\ff_vfw.dll
    2011-02-18 19:47:08 237568 ----a-w- g:\windows\system32\yv12vfw.dll
    2011-02-18 19:47:08 183808 ----a-w- g:\windows\system32\xvidvfw.dll
    2011-02-18 19:47:08 151552 ----a-w- g:\windows\system32\ac3acm.acm
    2011-02-18 19:47:05 -------- d-----w- g:\program files\K-Lite Codec Pack
    2011-02-18 17:05:43 -------- d-----w- g:\docume~1\alluse~1\applic~1\Blizzard Entertainment
    2011-02-18 16:37:33 -------- d-----w- g:\windows\system32\SoftwareDistribution
    2011-02-18 16:32:38 -------- d-----w- g:\docume~1\vasilis\applic~1\AVG10
    2011-02-18 16:31:28 -------- d--h--w- g:\docume~1\alluse~1\applic~1\Common Files
    2011-02-18 16:30:41 -------- d-----w- g:\windows\system32\drivers\AVG
    2011-02-18 16:30:41 -------- d-----w- g:\docume~1\alluse~1\applic~1\AVG10
    2011-02-18 16:30:24 -------- d-----w- g:\program files\AVG
    2011-02-18 16:19:26 -------- d-----w- g:\docume~1\alluse~1\applic~1\MFAData
    2011-02-18 16:09:40 -------- d--h--w- g:\windows\$hf_mig$
    2011-02-18 12:15:58 -------- d-----w- g:\program files\Realtek Sound Manager
    2011-02-18 12:03:43 -------- d-----w- g:\program files\AutoCAD 2008
    2011-02-18 12:03:43 -------- d-----w- g:\docume~1\vasilis\applic~1\Autodesk
    2011-02-18 12:03:01 409600 ----a-w- g:\program files\common files\installshield\driver\10\intel 32\ISRT.dll
    2011-02-18 12:03:01 32768 ----a-w- g:\program files\common files\installshield\driver\10\intel 32\objpscnv.dll
    2011-02-18 12:03:01 262144 ----a-w- g:\program files\common files\installshield\driver\10\intel 32\IScrCnv.dll
    2011-02-18 12:03:01 180224 ----a-w- g:\program files\common files\installshield\driver\10\intel 32\iGdiCnv.dll
    2011-02-18 12:03:01 172032 ----a-w- g:\program files\common files\installshield\driver\10\intel 32\IUserCnv.dll
    2011-02-18 12:03:00 761856 ----a-w- g:\program files\common files\installshield\driver\10\intel 32\IDriver.exe
    2011-02-18 12:02:59 540772 ----a-w- g:\program files\common files\installshield\driver\10\intel 32\_ISRES1033.dll
    2011-02-18 12:02:38 -------- d-----w- g:\program files\common files\Autodesk Shared
    2011-02-18 12:02:38 -------- d-----w- g:\program files\Autodesk
    2011-02-18 12:02:38 -------- d-----w- g:\docume~1\vasilis\locals~1\applic~1\Autodesk
    2011-02-18 11:40:28 28552 ----a-w- g:\windows\system32\spool\prtprocs\w32x86\mdippr.dll
    2011-02-18 11:40:28 28040 ----a-w- g:\windows\system32\mdimon.dll
    2011-02-18 11:39:51 -------- d-----w- g:\windows\SHELLNEW
    2011-02-18 11:36:12 -------- d-----w- g:\docume~1\vasilis\locals~1\applic~1\Temp
    2011-02-18 11:36:09 -------- d-----w- g:\docume~1\vasilis\locals~1\applic~1\Google
    2011-02-17 17:41:09 -------- d-----w- g:\program files\GetData
    2011-02-17 17:36:14 -------- d-----w- G:\GetData Recover My Files Professional Edition v4.6.8.993
    2011-02-17 17:31:39 396152 ----a-w- g:\program files\uTorrent.exe
    2011-02-17 16:57:38 5632 ----a-w- g:\windows\system32\ptpusb.dll
    2011-02-17 16:57:36 159232 ----a-w- g:\windows\system32\ptpusd.dll
    2011-02-17 16:57:33 15104 -c--a-w- g:\windows\system32\dllcache\usbscan.sys
    2011-02-17 16:57:33 15104 ----a-w- g:\windows\system32\drivers\usbscan.sys

    ==================== Find3M ====================


    ============= FINISH: 11:42:23,75 ===============


    Attach Log

    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-12-12.02)

    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 17/2/2011 12:27:28 PM
    System Uptime: 1/3/2011 11:28:03 AM (0 hours ago)

    Motherboard: Gigabyte Technology Co., Ltd. | | 8IPE775/-G
    Processor: Intel(R) Pentium(R) 4 CPU 2.80GHz | Socket 478 | 2813/200mhz
    Processor: Intel(R) Pentium(R) 4 CPU 2.80GHz | Socket 478 | 2813/200mhz

    ==== Disk Partitions =========================

    A: is Removable
    C: is FIXED (NTFS) - 233 GiB total, 195,228 GiB free.
    D: is Removable
    E: is CDROM ()
    F: is CDROM ()
    G: is FIXED (NTFS) - 112 GiB total, 98,966 GiB free.
    H: is FIXED (NTFS) - 233 GiB total, 84,556 GiB free.

    ==== Disabled Device Manager Items =============

    ==== System Restore Points ===================

    RP1: 17/2/2011 12:29:43 PM - System Checkpoint
    RP2: 17/2/2011 12:32:47 PM - Installed Marvell Miniport Driver
    RP3: 18/2/2011 12:33:19 PM - System Checkpoint
    RP4: 18/2/2011 1:39:13 PM - Installed Microsoft Office Professional Edition 2003
    RP5: 18/2/2011 1:57:02 PM - Installed Windows Installer KB893803v2.
    RP6: 18/2/2011 2:02:08 PM - Installed DirectX
    RP7: 18/2/2011 2:15:42 PM - Installed Realtek AC'97 Audio
    RP8: 18/2/2011 6:09:47 PM - Installed Windows XP KB914882.
    RP9: 18/2/2011 6:30:16 PM - Installed Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    RP10: 18/2/2011 6:30:23 PM - Installed AVG 2011
    RP11: 18/2/2011 6:30:35 PM - Installed AVG 2011
    RP12: 18/2/2011 9:59:24 PM - Software Distribution Service 3.0
    RP13: 21/2/2011 11:59:08 AM - System Checkpoint
    RP14: 21/2/2011 12:36:23 PM - Software Distribution Service 3.0
    RP15: 21/2/2011 1:23:09 PM - Installed Windows XP WIC.
    RP16: 21/2/2011 1:23:45 PM - Installed Windows XP KB954708.
    RP17: 21/2/2011 1:24:01 PM - Installed DirectX
    RP18: 21/2/2011 1:34:42 PM - Installed Adobe Reader X (10.0.1).
    RP19: 22/2/2011 3:46:32 PM - System Checkpoint
    RP20: 22/2/2011 6:54:07 PM - Installed HPSU306Stub
    RP21: 22/2/2011 10:05:41 PM - Software Distribution Service 3.0
    RP22: 24/2/2011 11:48:28 AM - System Checkpoint
    RP23: 25/2/2011 1:11:18 PM - Installed iTunes
    RP24: 26/2/2011 2:15:26 PM - System Checkpoint
    RP25: 28/2/2011 11:06:49 AM - System Checkpoint
    RP26: 28/2/2011 1:58:19 PM - Software Distribution Service 3.0

    ==== Installed Programs ======================

    µTorrent
    Adobe Flash Player 10 ActiveX
    Adobe Reader X (10.0.1)
    AiO_Scan_CDA
    AiOSoftwareNPI
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    ATI Catalyst Install Manager
    ATI Catalyst Registration
    AutoCAD 2008 - English
    Autodesk DWF Viewer 7
    AVG 2011
    Bonjour
    BufferChm
    C3100
    c3100_Help
    Destinations
    DeviceManagementQFolder
    DocProc
    DocProcQFolder
    ESET Online Scanner v3
    eSupportQFolder
    Fax_CDA
    Google Chrome
    HijackThis 2.0.2
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954708)
    Hotfix for Windows XP (KB976002-v5)
    Hotfix for Windows XP (KB981793)
    HP Imaging Device Functions 7.0
    HP Photosmart Essential
    HP Photosmart, Officejet and Deskjet 7.0.A
    HP Software Update
    HP Solution Center 7.0
    HPPhotoSmartExpress
    HPProductAssistant
    InstantShareDevicesMFC
    iTunes
    Junk Mail filter update
    K-Lite Codec Pack 6.9.0 (Full)
    Malwarebytes' Anti-Malware
    Marvell Miniport Driver
    Microsoft .NET Framework 2.0
    Microsoft Application Error Reporting
    Microsoft Choice Guard
    Microsoft Office Live Add-in 1.3
    Microsoft Office Professional Edition 2003
    Microsoft SQL Server 2005 Compact Edition [ENU]
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    MSVCRT
    MSXML 4.0 SP2 (KB954430)
    MSXML 6 Service Pack 2 (KB973686)
    NewCopy_CDA
    OCR Software by I.R.I.S 7.0
    PanoStandAlone
    ProductContextNPI
    QuickTime
    R-Studio 4.5
    Readme
    Realtek AC'97 Audio
    Recuva
    Scan
    ScannerCopy
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows Media Player (KB979402)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB944338-v2)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB958470)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971032)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB971961)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979559)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB981350)
    Security Update for Windows XP (KB982381)
    Segoe UI
    SolutionCenter
    Status
    Toolbox
    TrayApp
    Unload
    Update for Windows XP (KB898461)
    Update for Windows XP (KB914882)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB961503)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    VBA (2627.01)
    WebFldrs XP
    WebReg
    Windows Imaging Component
    Windows Installer 3.1 (KB893803)
    Windows Live Call
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live Mail
    Windows Live Messenger
    Windows Live Photo Gallery
    Windows Live Sign-in Assistant
    Windows Live Sync
    Windows Live Upload Tool
    WinRAR archiver

    ==== Event Viewer Messages From Past Week ========

    28/2/2011 10:18:06 πμ, error: Service Control Manager [7034] - The iPod Service service terminated unexpectedly. It has done this 1 time(s).
    28/2/2011 10:18:06 πμ, error: Service Control Manager [7034] - The Bonjour Service service terminated unexpectedly. It has done this 1 time(s).
    28/2/2011 10:18:06 πμ, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.

    ==== End Of File ===========================
     
  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Please run the following:


    Run Eset NOD32 Online AntiVirus scan HERE
    1. Tick the box next to YES, I accept the Terms of Use.
    2. Click Start
    3. When asked, allow the Active X control to install
    4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    5. Click Start
    6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    7. Click Scan
    8. Wait for the scan to finish
    9. Click on "Copy to Clipboard" (you won't see the 'clipboard')
    10. Click anywhere in the post where you want the logs to go, then do Ctrl V. The log will be sent from the clipboard and pasted in the post.
    11. Re-enable your Antivirus software.
      NOTE: If you forget to copy to the clipboard, you can find the log here:
      C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
    ======================================
    Download Combofix to your desktop from one of these locations:
    Link 1
    Link 2
    • Double click combofix.exe & follow the prompts.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
      **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Query- Recovery Console image
    • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
    • Click on Yes, to continue scanning for malware
    • If Combofix asks you to update the program, allow
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Close any open browsers.
    • Double click combofix.exe & follow the prompts to run.
    • When the scan completes it will open a text window. Please paste that log in your next reply.
    Re-enable your Antivirus software.
    Notes:
    1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
     
  13. vbakis

    vbakis TS Rookie Topic Starter Posts: 17

    Here are the log files from ESET Online Scanner and ComboFix:

    ESET

    H:\office recovery\G\Lost File Results\LostFile_EXE_17977144.exe a variant of Win32/Kryptik.AAQ trojan
    H:\office recovery\G\Lost File Results\LostFile_EXE_18174360.exe a variant of Win32/Kryptik.AAQ trojan
    H:\office recovery\G\Lost File Results\LostFile_EXE_52609881.exe a variant of Win32/Conficker.Y worm
    H:\office recovery\G\Lost File Results\LostFile_EXE_5472056.exe a variant of Win32/TrojanDownloader.FakeAlert.GO trojan
    H:\office recovery\G\Lost File Results\LostFile_EXE_63078584.exe a variant of Win32/Kryptik.AY trojan
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_104647160.exe a variant of Win32/Kryptik.AAQ trojan
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_10607648.exe a variant of Win32/Kryptik.AAQ trojan
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_10630496.exe a variant of Win32/Kryptik.AAQ trojan
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_11193632.exe a variant of Win32/Kryptik.AAQ trojan
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_5979896.exe a variant of Win32/Kryptik.AAQ trojan
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_8634784.exe a variant of Win32/Kryptik.AAQ trojan
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_9084792.exe a variant of Win32/Kryptik.AAQ trojan
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_92521216.exe a variant of Win32/Kryptik.AAQ trojan


    Combofix

    ComboFix 11-03-01.03 - Vasilis 02/03/2011 12:54:34.1.2 - x86
    Microsoft Windows XP Professional 5.1.2600.2.1253.30.1033.18.1535.1248 [GMT 2:00]
    Running from: g:\documents and settings\Vasilis\My Documents\Downloads\Protection - Antivirus -Spyware\ComboFix.exe
    .

    ((((((((((((((((((((((((( Files Created from 2011-02-02 to 2011-03-02 )))))))))))))))))))))))))))))))
    .

    2011-02-21 11:05 . 2011-02-21 11:05 -------- d-----w- G:\ATI
    2011-02-21 10:45 . 2011-02-21 10:45 -------- d-----w- G:\$AVG
    2011-02-18 11:38 . 2011-02-18 11:38 -------- d-----r- G:\MSOCache
    2011-02-17 17:36 . 2011-02-17 17:37 -------- d-----w- G:\GetData Recover My Files Professional Edition v4.6.8.993

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Google Update"="g:\documents and settings\Vasilis\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2011-02-18 136176]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SoundMan"="SOUNDMAN.EXE" [2006-08-02 577536]
    "ATICustomerCare"="g:\program files\ATI\ATICustomerCare\ATICustomerCare.exe" [2010-05-04 311296]
    "Adobe Reader Speed Launcher"="g:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]
    "Adobe ARM"="g:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
    "HP Software Update"="g:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
    "QuickTime Task"="g:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
    "iTunesHelper"="g:\program files\iTunes\iTunesHelper.exe" [2011-01-25 421160]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="g:\windows\system32\CTFMON.EXE" [2004-08-03 15360]

    g:\documents and settings\All Users\Start Menu\Programs\Startup\
    HP Digital Imaging Monitor.lnk - g:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\uTorrent.exe"=
    "g:\\Program Files\\uTorrent.exe"=
    "h:\\World of Warcraft\\Launcher.exe"=
    "g:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "g:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "g:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
    "g:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
    "g:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
    "g:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
    "g:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
    "g:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
    "g:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
    "g:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
    "g:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
    "g:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
    "g:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
    "g:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
    "g:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
    "g:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
    "g:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
    "g:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "g:\\Program Files\\iTunes\\iTunes.exe"=
    "g:\\Program Files\\World of Warcraft\\Launcher.exe"=

    .
    Contents of the 'Scheduled Tasks' folder

    2011-02-25 g:\windows\Tasks\AppleSoftwareUpdate.job
    - g:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 09:50]

    2011-03-01 g:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-527237240-1220945662-725345543-1003Core.job
    - g:\documents and settings\Vasilis\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-02-18 11:36]

    2011-03-02 g:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-527237240-1220945662-725345543-1003UA.job
    - g:\documents and settings\Vasilis\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-02-18 11:36]
    .
    .
    ------- Supplementary Scan -------
    .
    uInternet Settings,ProxyOverride = *.local
    IE: Ε&ξαγωγή στο Microsoft Excel - g:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-03-02 12:58
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@g:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe,-101"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="g:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    Completion time: 2011-03-02 12:59:48
    ComboFix-quarantined-files.txt 2011-03-02 10:59

    Pre-Run: 85.622.730.752 bytes free
    Post-Run: 85.610.295.296 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

    - - End Of File - - D3CF96671147BDC76B8DFE7AB3C02E66
     
  14. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Please download OTMoveIt by Old Timer and save to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
      Code:
      :Files  
      H:\office recovery\G\Lost File Results\LostFile_EXE_17977144.exe 
      H:\office recovery\G\Lost File Results\LostFile_EXE_18174360.exe 
      H:\office recovery\G\Lost File Results\LostFile_EXE_52609881.exe 
      H:\office recovery\G\Lost File Results\LostFile_EXE_5472056.exe 
      H:\office recovery\G\Lost File Results\LostFile_EXE_63078584.exe 
      H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_104647160.exe 
      H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_10607648.exe 
      H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_10630496.exe 
      H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_11193632.exe 
      H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_5979896.exe 
      H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_8634784.exe 
      H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_9084792.exe 
      H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_92521216.exe 
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
    ===========================================
    Go ahead and run the above. The Office Recovery and partition you loaded were infected. One infection is Conficker Worm, another Trojan.FakeAlert.

    Edit: Go right on to the scan in the next reply.
     
  15. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    I'd like you also to go ahead and run the following- a file infector named Virut is frequently seen with the AVG finds of Win32/Heur:

    • Make sure to use Internet Explorer for this
    • Please go to VirSCAN.org free on-line scan service
    • Copy and paste each of the following file paths into the "Suspicious files to scan" box on the top of the page, one at a time:

      c:\windows\system32\userinit.exe

      c:\windows\explorer.exe

      c:\windows\system32\svchost.exe


    • Click on the Upload button
    • If a pop-up appears saying the file has been scanned already, please select the ReScan button.
    • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
    • Paste the contents of the Clipboard in your next reply.
     
  16. vbakis

    vbakis TS Rookie Topic Starter Posts: 17

    OK, done everything! Here are the log files:

    MoveIt Log:
    All processes killed
    ========== FILES ==========
    H:\office recovery\G\Lost File Results\LostFile_EXE_17977144.exe moved successfully.
    H:\office recovery\G\Lost File Results\LostFile_EXE_18174360.exe moved successfully.
    H:\office recovery\G\Lost File Results\LostFile_EXE_52609881.exe moved successfully.
    File move failed. H:\office recovery\G\Lost File Results\LostFile_EXE_5472056.exe scheduled to be moved on reboot.
    H:\office recovery\G\Lost File Results\LostFile_EXE_63078584.exe moved successfully.
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_104647160.exe moved successfully.
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_10607648.exe moved successfully.
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_10630496.exe moved successfully.
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_11193632.exe moved successfully.
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_5979896.exe moved successfully.
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_8634784.exe moved successfully.
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_9084792.exe moved successfully.
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_92521216.exe moved successfully.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: LocalService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 32902 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 581013 bytes

    User: Vasilis
    ->Temp folder emptied: 112483 bytes
    ->Temporary Internet Files folder emptied: 9667247 bytes
    ->Google Chrome cache emptied: 373749472 bytes
    ->Flash cache emptied: 6630 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 366,00 mb


    OTM by OldTimer - Version 3.1.17.2 log created on 03042011_113550

    Files moved on Reboot...
    File move failed. H:\office recovery\G\Lost File Results\LostFile_EXE_5472056.exe scheduled to be moved on reboot.

    Registry entries deleted on Reboot...


    Log from VirScan.org for the three files you requested:
    VirSCAN.org Scanned Report :
    Scanned time : 2011/03/04 11:41:10 (EET)
    Scanner results: Scanners did not find malware!
    File Name : userinit.exe
    File Size : 24576 byte
    File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
    MD5 : 39b1ffb03c2296323832acbae50d2aff
    SHA1 : e5aedcbe25a97c89101f1f3860ff846e94d70445
    Online report : http://virscan.org/report/0e3dc4b29989e18083ada8a9db9043d9.html

    Scanner Engine Ver Sig Ver Sig Date Time Scan result
    a-squared 5.1.0.2 20110216210205 2011-02-16 0.38 -
    AhnLab V3 2011.03.03.00 2011.03.03 2011-03-03 2.61 -
    AntiVir 8.2.4.178 7.11.4.59 2011-03-04 1.26 -
    Antiy 2.0.18 20110217.7833565 2011-02-17 0.02 -
    Arcavir 2010 201103041232 2011-03-04 0.06 -
    Authentium 5.1.1 201103040141 2011-03-04 2.82 -
    AVAST! 4.7.4 110303-1 2011-03-03 0.08 -
    AVG 8.5.850 271.1.1/3480 2011-03-04 0.75 -
    BitDefender 7.90123.6764202 7.36495 2011-03-04 6.54 -
    ClamAV 0.96.5 12803 2011-03-04 0.01 -
    Comodo 4.0 7862 2011-03-03 2.49 -
    CP Secure 1.3.0.5 2011.03.04 2011-03-04 0.04 -
    Dr.Web 5.0.2.3300 2011.03.04 2011-03-04 11.24 -
    F-Prot 4.4.4.56 20110304 2011-03-04 1.76 -
    F-Secure 7.02.73807 2011.03.04.02 2011-03-04 0.25 -
    Fortinet 4.2.254 12.959 2011-03-03 0.93 -
    GData 21.1936/21.725 20110304 2011-03-04 10.66 -
    ViRobot 20110303 2011.03.03 2011-03-03 0.52 -
    Ikarus T3.1.32.20.0 2011.03.04.77852 2011-03-04 7.44 -
    JiangMin 13.0.900 2011.03.03 2011-03-03 1.57 -
    Kaspersky 5.5.10 2011.03.04 2011-03-04 0.20 -
    KingSoft 2009.2.5.15 2011.3.4.14 2011-03-04 1.75 -
    McAfee 5400.1158 6274 2011-03-03 7.81 -
    Microsoft 1.6603 2011.03.03 2011-03-03 3.88 -
    NOD32 3.0.21 5919 2011-03-02 0.14 -
    Norman 6.07.03 6.07.00 2011-03-03 18.20 -
    Panda 9.05.01 2011.03.02 2011-03-02 1.20 -
    Trend Micro 9.200-1012 7.874.01 2011-03-03 0.04 -
    Quick Heal 11.00 2011.03.03 2011-03-03 1.12 -
    Rising 20.0 23.47.03.06 2011-03-03 2.71 -
    Sophos 3.16.1 4.62 2011-03-04 3.61 -
    Sunbelt 3.9.2474.2 8599 2011-03-03 0.66 -
    Symantec 1.3.0.24 20110303.008 2011-03-03 0.05 -
    nProtect 20110304.03 3221953 2011-03-04 5.80 -
    The Hacker 6.7.0.1 v00143 2011-03-02 0.45 -
    VBA32 3.12.14.3 20110302.1155 2011-03-02 3.64 -
    VirusBuster 5.2.0.28 13.6.233.0/4618125 2011-03-03 0.00 -


    VirSCAN.org Scanned Report :
    Scanned time : 2011/03/04 11:45:48 (EET)
    Scanner results: Scanners did not find malware!
    File Name : explorer.exe
    File Size : 1032192 byte
    File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
    MD5 : a0732187050030ae399b241436565e64
    SHA1 : 69f33740413da112630be73ebb805a23b69f2f7f
    Online report : http://virscan.org/report/6732b660008e4d14a957db053b7cb88b.html

    Scanner Engine Ver Sig Ver Sig Date Time Scan result
    a-squared 5.1.0.2 20110216210205 2011-02-16 0.34 -
    AhnLab V3 2011.03.03.00 2011.03.03 2011-03-03 1.47 -
    AntiVir 8.2.4.178 7.11.4.59 2011-03-04 0.28 -
    Antiy 2.0.18 20110217.7833565 2011-02-17 0.02 -
    Arcavir 2010 201103041232 2011-03-04 0.13 -
    Authentium 5.1.1 201103040141 2011-03-04 2.41 -
    AVAST! 4.7.4 110303-1 2011-03-03 0.07 -
    AVG 8.5.850 271.1.1/3480 2011-03-04 0.27 -
    BitDefender 7.90123.6764202 7.36495 2011-03-04 6.43 -
    ClamAV 0.96.5 12803 2011-03-04 0.26 -
    Comodo 4.0 7862 2011-03-03 1.08 -
    CP Secure 1.3.0.5 2011.03.04 2011-03-04 0.12 -
    Dr.Web 5.0.2.3300 2011.03.04 2011-03-04 11.34 -
    F-Prot 4.4.4.56 20110304 2011-03-04 2.38 -
    F-Secure 7.02.73807 2011.03.04.02 2011-03-04 12.18 -
    Fortinet 4.2.254 12.959 2011-03-03 0.24 -
    GData 21.1936/21.725 20110304 2011-03-04 8.33 -
    ViRobot 20110303 2011.03.03 2011-03-03 0.41 -
    Ikarus T3.1.32.20.0 2011.03.04.77852 2011-03-04 4.65 -
    JiangMin 13.0.900 2011.03.03 2011-03-03 1.43 -
    Kaspersky 5.5.10 2011.03.04 2011-03-04 0.10 -
    KingSoft 2009.2.5.15 2011.3.4.14 2011-03-04 0.74 -
    McAfee 5400.1158 6274 2011-03-03 7.51 -
    Microsoft 1.6603 2011.03.03 2011-03-03 3.72 -
    NOD32 3.0.21 5919 2011-03-02 0.01 -
    Norman 6.07.03 6.07.00 2011-03-03 12.01 -
    Panda 9.05.01 2011.03.02 2011-03-02 0.59 -
    Trend Micro 9.200-1012 7.874.01 2011-03-03 0.05 -
    Quick Heal 11.00 2011.03.03 2011-03-03 1.27 -
    Rising 20.0 23.47.03.06 2011-03-03 2.12 -
    Sophos 3.16.1 4.62 2011-03-04 3.10 -
    Sunbelt 3.9.2474.2 8599 2011-03-03 0.62 -
    Symantec 1.3.0.24 20110303.008 2011-03-03 0.07 -
    nProtect 20110304.03 3221953 2011-03-04 5.89 -
    The Hacker 6.7.0.1 v00143 2011-03-02 0.50 -
    VBA32 3.12.14.3 20110302.1155 2011-03-02 3.84 -
    VirusBuster 5.2.0.28 13.6.233.0/4618125 2011-03-03 0.00 -


    VirSCAN.org Scanned Report :
    Scanned time : 2011/03/04 11:54:18 (EET)
    Scanner results: Scanners did not find malware!
    File Name : svchost.exe
    File Size : 14336 byte
    File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
    MD5 : 8f078ae4ed187aaabc0a305146de6716
    SHA1 : da0ff4006859a7580aba81f486f692dead2014fe
    Online report : http://virscan.org/report/d641e056b73d15c6c7e3536e18633e8d.html

    Scanner Engine Ver Sig Ver Sig Date Time Scan result
    a-squared 5.1.0.2 20110216210205 2011-02-16 0.31 -
    AhnLab V3 2011.03.03.00 2011.03.03 2011-03-03 1.65 -
    AntiVir 8.2.4.178 7.11.4.59 2011-03-04 0.27 -
    Antiy 2.0.18 20110217.7833565 2011-02-17 0.02 -
    Arcavir 2010 201103041232 2011-03-04 0.06 -
    Authentium 5.1.1 201103040141 2011-03-04 1.44 -
    AVAST! 4.7.4 110303-1 2011-03-03 0.01 -
    AVG 8.5.850 271.1.1/3480 2011-03-04 0.25 -
    BitDefender 7.90123.6764202 7.36495 2011-03-04 6.44 -
    ClamAV 0.96.5 12803 2011-03-04 0.01 -
    Comodo 4.0 7862 2011-03-03 1.09 -
    CP Secure 1.3.0.5 2011.03.04 2011-03-04 0.04 -
    Dr.Web 5.0.2.3300 2011.03.04 2011-03-04 10.89 -
    F-Prot 4.4.4.56 20110304 2011-03-04 1.46 -
    F-Secure 7.02.73807 2011.03.04.02 2011-03-04 11.18 -
    Fortinet 4.2.254 12.959 2011-03-03 0.22 -
    GData 21.1936/21.725 20110304 2011-03-04 8.36 -
    ViRobot 20110303 2011.03.03 2011-03-03 0.41 -
    Ikarus T3.1.32.20.0 2011.03.04.77852 2011-03-04 4.68 -
    JiangMin 13.0.900 2011.03.03 2011-03-03 1.74 -
    Kaspersky 5.5.10 2011.03.04 2011-03-04 0.09 -
    KingSoft 2009.2.5.15 2011.3.4.14 2011-03-04 0.78 -
    McAfee 5400.1158 6274 2011-03-03 7.51 -
    Microsoft 1.6603 2011.03.03 2011-03-03 3.74 -
    NOD32 3.0.21 5919 2011-03-02 0.01 -
    Norman 6.07.03 6.07.00 2011-03-03 14.02 -
    Panda 9.05.01 2011.03.02 2011-03-02 0.62 -
    Trend Micro 9.200-1012 7.874.01 2011-03-03 0.03 -
    Quick Heal 11.00 2011.03.03 2011-03-03 1.06 -
    Rising 20.0 23.47.03.06 2011-03-03 2.43 -
    Sophos 3.16.1 4.62 2011-03-04 3.07 -
    Sunbelt 3.9.2474.2 8599 2011-03-03 0.60 -
    Symantec 1.3.0.24 20110303.008 2011-03-03 0.05 -
    nProtect 20110304.03 3221953 2011-03-04 5.95 -
    The Hacker 6.7.0.1 v00143 2011-03-02 0.47 -
    VBA32 3.12.14.3 20110302.1155 2011-03-02 3.65 -
    VirusBuster 5.2.0.28 13.6.233.0/4618125 2011-03-03 0.01 -
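The helper's two steps above, turning the ESET detection list into an OTMoveIt `:Files` script (post 14) and then reading the OTM log (post 16) back to see what was actually moved, as an added Python example; it is not a tool from ESET, OldTimer or this thread, the log shapes it parses are assumptions taken from the lines quoted above, and the sample log text inside is constructed from those lines.

```python
"""Cross-check ESET Online Scanner findings against an OTMoveIt (OTM) log.

Added example for this thread; not a tool from ESET, OldTimer or TechSpot.
It does by script what the helper did by hand: turn the ESET detection list
into an OTM ':Files' script, then read the OTM log back to see which flagged
files were actually moved and which are still outstanding. The sample log
text below is constructed from lines quoted in the thread, trimmed to a few.
"""
import re
from dataclasses import dataclass

# Assumption about the ESET log shape: "<drive>:\<path>.<ext> <detection>",
# where the path may contain spaces, brackets and '@', and the detection
# reads "a variant of Win32/Family.Variant type" or "Win32/Family.Variant type".
ESET_LINE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?\.(?:exe|dll|sys|scr|com|bat|cmd))\s+(?P<detection>.+)$",
    re.IGNORECASE,
)
# OTM reports each requested path either as moved, or as failed and deferred.
OTM_MOVED = re.compile(r"^(?P<path>.+?) moved successfully\.$")
OTM_DEFERRED = re.compile(
    r"^File move failed\. (?P<path>.+?) scheduled to be moved on reboot\.$"
)

# Constructed sample: four of the ESET lines from the thread.
ESET_SAMPLE = r"""
H:\office recovery\G\Lost File Results\LostFile_EXE_17977144.exe a variant of Win32/Kryptik.AAQ trojan
H:\office recovery\G\Lost File Results\LostFile_EXE_52609881.exe a variant of Win32/Conficker.Y worm
H:\office recovery\G\Lost File Results\LostFile_EXE_5472056.exe a variant of Win32/TrojanDownloader.FakeAlert.GO trojan
H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_104647160.exe a variant of Win32/Kryptik.AAQ trojan
"""

# Constructed sample: the matching OTM log, including the post-reboot section.
OTM_SAMPLE = r"""
All processes killed
========== FILES ==========
H:\office recovery\G\Lost File Results\LostFile_EXE_17977144.exe moved successfully.
H:\office recovery\G\Lost File Results\LostFile_EXE_52609881.exe moved successfully.
File move failed. H:\office recovery\G\Lost File Results\LostFile_EXE_5472056.exe scheduled to be moved on reboot.
H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_104647160.exe moved successfully.
========== COMMANDS ==========

Files moved on Reboot...
File move failed. H:\office recovery\G\Lost File Results\LostFile_EXE_5472056.exe scheduled to be moved on reboot.
"""


@dataclass(frozen=True)
class Finding:
    path: str
    detection: str


def parse_eset(text):
    """Return one Finding per detection line; unrelated lines are skipped."""
    findings = []
    for line in text.splitlines():
        m = ESET_LINE.match(line.strip())
        if m:
            findings.append(Finding(m.group("path"), m.group("detection").strip()))
    return findings


def build_otm_script(findings, commands=("[purity]", "[emptytemp]", "[start explorer]", "[Reboot]")):
    """Emit the ':Files' / ':Commands' script OTMoveIt takes, in the shape used in post 14."""
    lines = [":Files", *(f.path for f in findings), ":Commands", *commands]
    return "\n".join(lines)


def parse_otm_log(text):
    """Return (moved, deferred) as sets of case-folded paths (NTFS is case-insensitive).

    A path deferred in the first pass that shows up again unchanged under
    'Files moved on Reboot...' was never moved; only 'moved successfully' counts.
    """
    moved, deferred = set(), set()
    for line in text.splitlines():
        line = line.strip()
        if (m := OTM_MOVED.match(line)):
            moved.add(m.group("path").casefold())
        elif (m := OTM_DEFERRED.match(line)):
            deferred.add(m.group("path").casefold())
    return moved, deferred


def reconcile(findings, otm_log_text):
    """Split findings into those OTM moved and those still on disk."""
    moved, _deferred = parse_otm_log(otm_log_text)
    cleared = [f for f in findings if f.path.casefold() in moved]
    outstanding = [f for f in findings if f.path.casefold() not in moved]
    return cleared, outstanding


if __name__ == "__main__":
    findings = parse_eset(ESET_SAMPLE)
    print(build_otm_script(findings))
    cleared, outstanding = reconcile(findings, OTM_SAMPLE)
    print(f"\n{len(cleared)} of {len(findings)} flagged files moved")
    for f in outstanding:
        print(f"STILL PRESENT: {f.path}  ({f.detection})")
```

Run against the full logs from posts 13 and 16, the same reconcile step reports the FakeAlert sample that OTM could not move even after the reboot, which is the file the helper still has to deal with.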
     
  17. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    This is a good thing! That's one log we hope won't find anything.

    I see OTM cleaned Total Files Cleaned = 366,00 mb. That is a lot of files. Have you been doing maintenance on the system: disc cleanup, defrag, remove programs and apps you no longer use, etc.?

    Are you having any problems other than the notice of Win32/Heur in AVG? I don't see any evidence of it here. But you need to understand that the files you loaded either to or from the H drive were infected. Because Conficker was one of the infections, let's do this scan:
    • Download the file TDSSKiller.zip and save to the desktop.
      (If you are unable to download the file for some reason, then TDSS may be blocking it. You would then need to download it first to a clean computer and then transfer it to the infected one using an external drive or USB flash drive.)
    • Right-click the tdsskiller.zip file> Select Extract All into a folder on the infected (or potentially infected) PC.
    • Double click on TDSSKiller.exe to run the scan.
    • When the scan is over, the utility outputs a list of detected objects with description.
      The utility automatically selects an action (Cure or Delete) for malicious objects.
      The utility prompts the user to select an action to apply to suspicious objects (Skip, by default).
    • Select the action Quarantine to quarantine detected objects.
      The default quarantine folder is in the system disk root folder, e.g.: C:\TDSSKiller_Quarantine\23.07.2010_15.31.43
    • After clicking Next, the utility applies selected actions and outputs the result.
    • A reboot is required after disinfection.
    =============================================
    You can find detailed information about Conficker here: http://www.microsoft.com/security/pc-security/conficker.aspx
    It's very important that you tell me about any other problems you're having since you did the download.
    Conficker started with "A" and the version you had was "Y", so it's mutated right through the alphabet!
     
  18. vbakis

    vbakis TS Rookie Topic Starter Posts: 17

    First I'd like to thank you for all the effort and time you've given. The story is that the contents on this drive H: are from a hard drive I had since 2001 as a student, which were carried over to a new PC, till one day I wanted to play with the hardware of my PC (failed memory upgrade), which led to using another PC and connecting the hard drive from the old one. But something went wrong and I had to format it and then used a recovery software to get them back; this is where AVG found the virus, after the recovery of the files. Now, all that time I didn't notice any unusual behaviour of my system apart from being slow, but it was an old computer, AMD 1600+ XP with 1250MB RAM.
    I will now do the TDSS scan and return with the results.

    P.S. I uninstalled AVG and installed Avira because AVG won't let Combofix run.

    TDSSKiller Log:


    2011/03/04 18:18:26.0546 1592 TDSS rootkit removing tool 2.4.20.0 Mar 2 2011 10:44:30
    2011/03/04 18:18:27.0078 1592 ================================================================================
    2011/03/04 18:18:27.0078 1592 SystemInfo:
    2011/03/04 18:18:27.0078 1592
    2011/03/04 18:18:27.0078 1592 OS Version: 5.1.2600 ServicePack: 2.0
    2011/03/04 18:18:27.0078 1592 Product type: Workstation
    2011/03/04 18:18:27.0078 1592 ComputerName: VASILIS-45A94C9
    2011/03/04 18:18:27.0078 1592 UserName: Vasilis
    2011/03/04 18:18:27.0078 1592 Windows directory: G:\WINDOWS
    2011/03/04 18:18:27.0078 1592 System windows directory: G:\WINDOWS
    2011/03/04 18:18:27.0078 1592 Processor architecture: Intel x86
    2011/03/04 18:18:27.0078 1592 Number of processors: 2
    2011/03/04 18:18:27.0078 1592 Page size: 0x1000
    2011/03/04 18:18:27.0078 1592 Boot type: Normal boot
    2011/03/04 18:18:27.0078 1592 ================================================================================
    2011/03/04 18:18:31.0078 1592 Initialize success
    2011/03/04 18:18:35.0140 2308 ================================================================================
    2011/03/04 18:18:35.0140 2308 Scan started
    2011/03/04 18:18:35.0140 2308 Mode: Manual;
    2011/03/04 18:18:35.0140 2308 ================================================================================
    2011/03/04 18:18:36.0859 2308 ACPI (a10c7534f7223f4a73a948967d00e69b) G:\WINDOWS\system32\DRIVERS\ACPI.sys
    2011/03/04 18:18:36.0890 2308 ACPIEC (9859c0f6936e723e4892d7141b1327d5) G:\WINDOWS\system32\drivers\ACPIEC.sys
    2011/03/04 18:18:37.0000 2308 aec (841f385c6cfaf66b58fbd898722bb4f0) G:\WINDOWS\system32\drivers\aec.sys
    2011/03/04 18:18:37.0093 2308 AFD (55e6e1c51b6d30e54335750955453702) G:\WINDOWS\System32\drivers\afd.sys
    2011/03/04 18:18:37.0156 2308 agp440 (2c428fa0c3e3a01ed93c9b2a27d8d4bb) G:\WINDOWS\system32\DRIVERS\agp440.sys
    2011/03/04 18:18:37.0453 2308 ALCXWDM (34149a136b2b7525113950233f259ec1) G:\WINDOWS\system32\drivers\ALCXWDM.SYS
    2011/03/04 18:18:37.0828 2308 AsyncMac (02000abf34af4c218c35d257024807d6) G:\WINDOWS\system32\DRIVERS\asyncmac.sys
    2011/03/04 18:18:37.0875 2308 atapi (cdfe4411a69c224bd1d11b2da92dac51) G:\WINDOWS\system32\DRIVERS\atapi.sys
    2011/03/04 18:18:37.0984 2308 ati2mtag (8759322ffc1a50569c1e5528ee8026b7) G:\WINDOWS\system32\DRIVERS\ati2mtag.sys
    2011/03/04 18:18:38.0031 2308 Atmarpc (ec88da854ab7d7752ec8be11a741bb7f) G:\WINDOWS\system32\DRIVERS\atmarpc.sys
    2011/03/04 18:18:38.0078 2308 audstub (d9f724aa26c010a217c97606b160ed68) G:\WINDOWS\system32\DRIVERS\audstub.sys
    2011/03/04 18:18:38.0171 2308 avgio (0b497c79824f8e1bf22fa6aacd3de3a0) G:\Program Files\Avira\AntiVir Desktop\avgio.sys
    2011/03/04 18:18:38.0218 2308 avgntflt (47b879406246ffdced59e18d331a0e7d) G:\WINDOWS\system32\DRIVERS\avgntflt.sys
    2011/03/04 18:18:38.0296 2308 avipbb (da39805e2bad99d37fce9477dd94e7f2) G:\WINDOWS\system32\DRIVERS\avipbb.sys
    2011/03/04 18:18:38.0375 2308 Beep (da1f27d85e0d1525f6621372e7b685e9) G:\WINDOWS\system32\drivers\Beep.sys
    2011/03/04 18:18:38.0531 2308 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) G:\WINDOWS\system32\drivers\cbidf2k.sys
    2011/03/04 18:18:38.0593 2308 Cdaudio (c1b486a7658353d33a10cc15211a873b) G:\WINDOWS\system32\drivers\Cdaudio.sys
    2011/03/04 18:18:38.0656 2308 Cdfs (cd7d5152df32b47f4e36f710b35aae02) G:\WINDOWS\system32\drivers\Cdfs.sys
    2011/03/04 18:18:38.0734 2308 Cdrom (af9c19b3100fe010496b1a27181fbf72) G:\WINDOWS\system32\DRIVERS\cdrom.sys
    2011/03/04 18:18:38.0984 2308 Disk (00ca44e4534865f8a3b64f7c0984bff0) G:\WINDOWS\system32\DRIVERS\disk.sys
    2011/03/04 18:18:39.0093 2308 dmboot (c0fbb516e06e243f0cf31f597e7ebf7d) G:\WINDOWS\system32\drivers\dmboot.sys
    2011/03/04 18:18:39.0171 2308 dmio (f5e7b358a732d09f4bcf2824b88b9e28) G:\WINDOWS\system32\drivers\dmio.sys
    2011/03/04 18:18:39.0218 2308 dmload (e9317282a63ca4d188c0df5e09c6ac5f) G:\WINDOWS\system32\drivers\dmload.sys
    2011/03/04 18:18:39.0296 2308 DMusic (a6f881284ac1150e37d9ae47ff601267) G:\WINDOWS\system32\drivers\DMusic.sys
    2011/03/04 18:18:39.0375 2308 drmkaud (1ed4dbbae9f5d558dbba4cc450e3eb2e) G:\WINDOWS\system32\drivers\drmkaud.sys
    2011/03/04 18:18:39.0437 2308 Fastfat (3117f595e9615e04f05a54fc15a03b20) G:\WINDOWS\system32\drivers\Fastfat.sys
    2011/03/04 18:18:39.0484 2308 Fdc (ced2e8396a8838e59d8fd529c680e02c) G:\WINDOWS\system32\DRIVERS\fdc.sys
    2011/03/04 18:18:39.0515 2308 Fips (e153ab8a11de5452bcf5ac7652dbf3ed) G:\WINDOWS\system32\drivers\Fips.sys
    2011/03/04 18:18:39.0562 2308 Flpydisk (0dd1de43115b93f4d85e889d7a86f548) G:\WINDOWS\system32\DRIVERS\flpydisk.sys
    2011/03/04 18:18:39.0625 2308 FltMgr (54fd90f0038f07920cb9fb6591bde82f) G:\WINDOWS\system32\DRIVERS\fltMgr.sys
    2011/03/04 18:18:39.0671 2308 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) G:\WINDOWS\system32\drivers\Fs_Rec.sys
    2011/03/04 18:18:39.0718 2308 Ftdisk (6ac26732762483366c3969c9e4d2259d) G:\WINDOWS\system32\DRIVERS\ftdisk.sys
    2011/03/04 18:18:39.0796 2308 gameenum (5f92fd09e5610a5995da7d775eadcd12) G:\WINDOWS\system32\DRIVERS\gameenum.sys
    2011/03/04 18:18:39.0875 2308 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) G:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
    2011/03/04 18:18:39.0921 2308 Gpc (c0f1d4a21de5a415df8170616703debf) G:\WINDOWS\system32\DRIVERS\msgpc.sys
    2011/03/04 18:18:40.0000 2308 HidUsb (1de6783b918f540149aa69943bdfeba8) G:\WINDOWS\system32\DRIVERS\hidusb.sys
    2011/03/04 18:18:40.0078 2308 HPZid412 (30ca91e657cede2f95359d6ef186f650) G:\WINDOWS\system32\DRIVERS\HPZid412.sys
    2011/03/04 18:18:40.0140 2308 HPZipr12 (efd31afa752aa7c7bbb57bcbe2b01c78) G:\WINDOWS\system32\DRIVERS\HPZipr12.sys
    2011/03/04 18:18:40.0187 2308 HPZius12 (7ac43c38ca8fd7ed0b0a4466f753e06e) G:\WINDOWS\system32\DRIVERS\HPZius12.sys
    2011/03/04 18:18:40.0234 2308 HSFHWBS2 (970178e8e003eb1481293830069624b9) G:\WINDOWS\system32\DRIVERS\HSFBS2S2.sys
    2011/03/04 18:18:40.0312 2308 HSF_DP (ebb354438a4c5a3327fb97306260714a) G:\WINDOWS\system32\DRIVERS\HSFDPSP2.sys
    2011/03/04 18:18:40.0437 2308 HTTP (9f8b0f4276f618964fd118be4289b7cd) G:\WINDOWS\system32\Drivers\HTTP.sys
    2011/03/04 18:18:40.0562 2308 i8042prt (5502b58eef7486ee6f93f3f164dcb808) G:\WINDOWS\system32\DRIVERS\i8042prt.sys
    2011/03/04 18:18:40.0609 2308 Imapi (f8aa320c6a0409c0380e5d8a99d76ec6) G:\WINDOWS\system32\DRIVERS\imapi.sys
    2011/03/04 18:18:40.0687 2308 IntelIde (2d722b2b54ab55b2fa475eb58d7b2aad) G:\WINDOWS\system32\DRIVERS\intelide.sys
    2011/03/04 18:18:40.0781 2308 intelppm (279fb78702454dff2bb445f238c048d2) G:\WINDOWS\system32\DRIVERS\intelppm.sys
    2011/03/04 18:18:40.0828 2308 Ip6Fw (4448006b6bc60e6c027932cfc38d6855) G:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
    2011/03/04 18:18:40.0890 2308 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) G:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
    2011/03/04 18:18:40.0921 2308 IpInIp (e1ec7f5da720b640cd8fb8424f1b14bb) G:\WINDOWS\system32\DRIVERS\ipinip.sys
    2011/03/04 18:18:40.0968 2308 IpNat (b5a8e215ac29d24d60b4d1250ef05ace) G:\WINDOWS\system32\DRIVERS\ipnat.sys
    2011/03/04 18:18:41.0031 2308 IPSec (64537aa5c003a6afeee1df819062d0d1) G:\WINDOWS\system32\DRIVERS\ipsec.sys
    2011/03/04 18:18:41.0093 2308 IRENUM (50708daa1b1cbb7d6ac1cf8f56a24410) G:\WINDOWS\system32\DRIVERS\irenum.sys
    2011/03/04 18:18:41.0140 2308 isapnp (e504f706ccb699c2596e9a3da1596e87) G:\WINDOWS\system32\DRIVERS\isapnp.sys
    2011/03/04 18:18:41.0234 2308 Kbdclass (ebdee8a2ee5393890a1acee971c4c246) G:\WINDOWS\system32\DRIVERS\kbdclass.sys
    2011/03/04 18:18:41.0296 2308 kmixer (d93cad07c5683db066b0b2d2d3790ead) G:\WINDOWS\system32\drivers\kmixer.sys
    2011/03/04 18:18:41.0359 2308 KSecDD (674d3e5a593475915dc6643317192403) G:\WINDOWS\system32\drivers\KSecDD.sys
    2011/03/04 18:18:41.0500 2308 mdmxsdk (195741aee20369980796b557358cd774) G:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
    2011/03/04 18:18:41.0562 2308 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) G:\WINDOWS\system32\drivers\mnmdd.sys
    2011/03/04 18:18:41.0625 2308 Modem (6fc6f9d7acc36dca9b914565a3aeda05) G:\WINDOWS\system32\drivers\Modem.sys
    2011/03/04 18:18:41.0640 2308 Mouclass (34e1f0031153e491910e12551400192c) G:\WINDOWS\system32\DRIVERS\mouclass.sys
    2011/03/04 18:18:41.0703 2308 mouhid (b1c303e17fb9d46e87a98e4ba6769685) G:\WINDOWS\system32\DRIVERS\mouhid.sys
    2011/03/04 18:18:41.0781 2308 MountMgr (65653f3b4477f3c63e68a9659f85ee2e) G:\WINDOWS\system32\drivers\MountMgr.sys
    2011/03/04 18:18:42.0078 2308 MRxDAV (46edcc8f2db2f322c24f48785cb46366) G:\WINDOWS\system32\DRIVERS\mrxdav.sys
    2011/03/04 18:18:42.0203 2308 MRxSmb (fb6c89bb3ce282b08bdb1e3c179e1c39) G:\WINDOWS\system32\DRIVERS\mrxsmb.sys
    2011/03/04 18:18:42.0281 2308 Msfs (561b3a4333ca2dbdba28b5b956822519) G:\WINDOWS\system32\drivers\Msfs.sys
    2011/03/04 18:18:42.0343 2308 MSKSSRV (ae431a8dd3c1d0d0610cdbac16057ad0) G:\WINDOWS\system32\drivers\MSKSSRV.sys
    2011/03/04 18:18:42.0375 2308 MSPCLOCK (13e75fef9dfeb08eeded9d0246e1f448) G:\WINDOWS\system32\drivers\MSPCLOCK.sys
    2011/03/04 18:18:42.0437 2308 MSPQM (1988a33ff19242576c3d0ef9ce785da7) G:\WINDOWS\system32\drivers\MSPQM.sys
    2011/03/04 18:18:42.0484 2308 mssmbios (469541f8bfd2b32659d5d463a6714bce) G:\WINDOWS\system32\DRIVERS\mssmbios.sys
    2011/03/04 18:18:42.0515 2308 Mup (82035e0f41c2dd05ae41d27fe6cf7de1) G:\WINDOWS\system32\drivers\Mup.sys
    2011/03/04 18:18:42.0562 2308 NDIS (558635d3af1c7546d26067d5d9b6959e) G:\WINDOWS\system32\drivers\NDIS.sys
    2011/03/04 18:18:42.0625 2308 NdisTapi (08d43bbdacdf23f34d79e44ed35c1b4c) G:\WINDOWS\system32\DRIVERS\ndistapi.sys
    2011/03/04 18:18:42.0703 2308 Ndisuio (34d6cd56409da9a7ed573e1c90a308bf) G:\WINDOWS\system32\DRIVERS\ndisuio.sys
    2011/03/04 18:18:42.0781 2308 NdisWan (0b90e255a9490166ab368cd55a529893) G:\WINDOWS\system32\DRIVERS\ndiswan.sys
    2011/03/04 18:18:42.0812 2308 NDProxy (59fc3fb44d2669bc144fd87826bb571f) G:\WINDOWS\system32\drivers\NDProxy.sys
    2011/03/04 18:18:42.0875 2308 NetBIOS (3a2aca8fc1d7786902ca434998d7ceb4) G:\WINDOWS\system32\DRIVERS\netbios.sys
    2011/03/04 18:18:42.0906 2308 NetBT (0c80e410cd2f47134407ee7dd19cc86b) G:\WINDOWS\system32\DRIVERS\netbt.sys
    2011/03/04 18:18:42.0968 2308 Npfs (4f601bcb8f64ea3ac0994f98fed03f8e) G:\WINDOWS\system32\drivers\Npfs.sys
    2011/03/04 18:18:43.0046 2308 Ntfs (b78be402c3f63dd55521f73876951cdd) G:\WINDOWS\system32\drivers\Ntfs.sys
    2011/03/04 18:18:43.0109 2308 Null (73c1e1f395918bc2c6dd67af7591a3ad) G:\WINDOWS\system32\drivers\Null.sys
    2011/03/04 18:18:43.0171 2308 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) G:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
    2011/03/04 18:18:43.0203 2308 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) G:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
    2011/03/04 18:18:43.0281 2308 Parport (29744eb4ce659dfe3b4122deb45bc478) G:\WINDOWS\system32\DRIVERS\parport.sys
    2011/03/04 18:18:43.0406 2308 PartMgr (3334430c29dc338092f79c38ef7b4cd0) G:\WINDOWS\system32\drivers\PartMgr.sys
    2011/03/04 18:18:43.0453 2308 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) G:\WINDOWS\system32\drivers\ParVdm.sys
    2011/03/04 18:18:43.0546 2308 PCI (8086d9979234b603ad5bc2f5d890b234) G:\WINDOWS\system32\DRIVERS\pci.sys
    2011/03/04 18:18:43.0656 2308 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) G:\WINDOWS\system32\DRIVERS\pciide.sys
    2011/03/04 18:18:43.0718 2308 Pcmcia (82a087207decec8456fbe8537947d579) G:\WINDOWS\system32\drivers\Pcmcia.sys
    2011/03/04 18:18:43.0953 2308 PptpMiniport (1c5cc65aac0783c344f16353e60b72ac) G:\WINDOWS\system32\DRIVERS\raspptp.sys
    2011/03/04 18:18:43.0984 2308 PSched (48671f327553dcf1d27f6197f622a668) G:\WINDOWS\system32\DRIVERS\psched.sys
    2011/03/04 18:18:44.0015 2308 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) G:\WINDOWS\system32\DRIVERS\ptilink.sys
    2011/03/04 18:18:44.0218 2308 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) G:\WINDOWS\system32\DRIVERS\rasacd.sys
    2011/03/04 18:18:44.0250 2308 Rasl2tp (98faeb4a4dcf812ba1c6fca4aa3e115c) G:\WINDOWS\system32\DRIVERS\rasl2tp.sys
    2011/03/04 18:18:44.0296 2308 RasPppoe (7306eeed8895454cbed4669be9f79faa) G:\WINDOWS\system32\DRIVERS\raspppoe.sys
    2011/03/04 18:18:44.0328 2308 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) G:\WINDOWS\system32\DRIVERS\raspti.sys
    2011/03/04 18:18:44.0406 2308 Rdbss (29d66245adba878fff574cd66abd2884) G:\WINDOWS\system32\DRIVERS\rdbss.sys
    2011/03/04 18:18:44.0453 2308 RDPCDD (4912d5b403614ce99c28420f75353332) G:\WINDOWS\system32\DRIVERS\RDPCDD.sys
    2011/03/04 18:18:44.0500 2308 rdpdr (a2cae2c60bc37e0751ef9dda7ceaf4ad) G:\WINDOWS\system32\DRIVERS\rdpdr.sys
    2011/03/04 18:18:44.0593 2308 RDPWD (d4f5643d7714ef499ae9527fdcd50894) G:\WINDOWS\system32\drivers\RDPWD.sys
    2011/03/04 18:18:44.0640 2308 redbook (b31b4588e4086d8d84adbf9845c2402b) G:\WINDOWS\system32\DRIVERS\redbook.sys
    2011/03/04 18:18:44.0750 2308 Secdrv (d26e26ea516450af9d072635c60387f4) G:\WINDOWS\system32\DRIVERS\secdrv.sys
    2011/03/04 18:18:44.0796 2308 serenum (a2d868aeeff612e70e213c451a70cafb) G:\WINDOWS\system32\DRIVERS\serenum.sys
    2011/03/04 18:18:44.0843 2308 Serial (cd9404d115a00d249f70a371b46d5a26) G:\WINDOWS\system32\DRIVERS\serial.sys
    2011/03/04 18:18:44.0906 2308 Sfloppy (0d13b6df6e9e101013a7afb0ce629fe0) G:\WINDOWS\system32\drivers\Sfloppy.sys
    2011/03/04 18:18:45.0015 2308 splitter (8e186b8f23295d1e42c573b82b80d548) G:\WINDOWS\system32\drivers\splitter.sys
    2011/03/04 18:18:45.0093 2308 sr (e41b6d037d6cd08461470af04500dc24) G:\WINDOWS\system32\DRIVERS\sr.sys
    2011/03/04 18:18:45.0203 2308 Srv (7a4f147cc6b133f905f6e65e2f8669fb) G:\WINDOWS\system32\DRIVERS\srv.sys
    2011/03/04 18:18:45.0296 2308 ssmdrv (a36ee93698802cd899f98bfd553d8185) G:\WINDOWS\system32\DRIVERS\ssmdrv.sys
    2011/03/04 18:18:45.0359 2308 swenum (03c1bae4766e2450219d20b993d6e046) G:\WINDOWS\system32\DRIVERS\swenum.sys
    2011/03/04 18:18:45.0406 2308 swmidi (94abc808fc4b6d7d2bbf42b85e25bb4d) G:\WINDOWS\system32\drivers\swmidi.sys
    2011/03/04 18:18:45.0531 2308 sysaudio (650ad082d46bac0e64c9c0e0928492fd) G:\WINDOWS\system32\drivers\sysaudio.sys
    2011/03/04 18:18:45.0625 2308 Tcpip (2a5554fc5b1e04e131230e3ce035c3f9) G:\WINDOWS\system32\DRIVERS\tcpip.sys
    2011/03/04 18:18:45.0703 2308 TDPIPE (38d437cf2d98965f239b0abcd66dcb0f) G:\WINDOWS\system32\drivers\TDPIPE.sys
    2011/03/04 18:18:45.0765 2308 TDTCP (ed0580af02502d00ad8c4c066b156be9) G:\WINDOWS\system32\drivers\TDTCP.sys
    2011/03/04 18:18:45.0812 2308 TermDD (a540a99c281d933f3d69d55e48727f47) G:\WINDOWS\system32\DRIVERS\termdd.sys
    2011/03/04 18:18:45.0906 2308 Udfs (12f70256f140cd7d52c58c7048fde657) G:\WINDOWS\system32\drivers\Udfs.sys
    2011/03/04 18:18:46.0015 2308 Update (aff2e5045961bbc0a602bb6f95eb1345) G:\WINDOWS\system32\DRIVERS\update.sys
    2011/03/04 18:18:46.0093 2308 USBAAPL (5c2bdc152bbab34f36473deaf7713f22) G:\WINDOWS\system32\Drivers\usbaapl.sys
    2011/03/04 18:18:46.0156 2308 usbccgp (bffd9f120cc63bcbaa3d840f3eef9f79) G:\WINDOWS\system32\DRIVERS\usbccgp.sys
    2011/03/04 18:18:46.0234 2308 usbehci (15e993ba2f6946b2bfbbfcd30398621e) G:\WINDOWS\system32\DRIVERS\usbehci.sys
    2011/03/04 18:18:46.0265 2308 usbhub (c72f40947f92cea56a8fb532edf025f1) G:\WINDOWS\system32\DRIVERS\usbhub.sys
    2011/03/04 18:18:46.0312 2308 usbprint (a42369b7cd8886cd7c70f33da6fcbcf5) G:\WINDOWS\system32\DRIVERS\usbprint.sys
    2011/03/04 18:18:46.0375 2308 usbscan (a6bc71402f4f7dd5b77fd7f4a8ddba85) G:\WINDOWS\system32\DRIVERS\usbscan.sys
    2011/03/04 18:18:46.0421 2308 usbstor (6cd7b22193718f1d17a47a1cd6d37e75) G:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
    2011/03/04 18:18:46.0468 2308 usbuhci (f8fd1400092e23c8f2f31406ef06167b) G:\WINDOWS\system32\DRIVERS\usbuhci.sys
    2011/03/04 18:18:46.0531 2308 VgaSave (8a60edd72b4ea5aea8202daf0e427925) G:\WINDOWS\System32\drivers\vga.sys
    2011/03/04 18:18:46.0609 2308 VolSnap (ee4660083deba849ff6c485d944b379b) G:\WINDOWS\system32\drivers\VolSnap.sys
    2011/03/04 18:18:46.0656 2308 Wanarp (984ef0b9788abf89974cfed4bfbaacbc) G:\WINDOWS\system32\DRIVERS\wanarp.sys
    2011/03/04 18:18:46.0734 2308 wdmaud (2797f33ebf50466020c430ee4f037933) G:\WINDOWS\system32\drivers\wdmaud.sys
    2011/03/04 18:18:46.0843 2308 winachsf (1225ebea76aac3c84df6c54fe5e5d8be) G:\WINDOWS\system32\DRIVERS\HSFCXTS2.sys
    2011/03/04 18:18:47.0031 2308 yukonwxp (a5d4eae27e68625296d685a786897491) G:\WINDOWS\system32\DRIVERS\yk51x86.sys
    2011/03/04 18:18:47.0515 2308 ================================================================================
    2011/03/04 18:18:47.0515 2308 Scan finished
    2011/03/04 18:18:47.0515 2308 ================================================================================
     
  19. vbakis

    vbakis TS Rookie Topic Starter Posts: 17

    Avira AntiVir Personal
    Report file date: Friday, 4 March 2011 18:27

    Scanning for 2454215 virus strains and unwanted programs.

    The program is running as an unrestricted full version.
    Online services are available:

    Licensee : Avira AntiVir Personal - FREE Antivirus
    Serial number : 0000149996-ADJIE-0000001
    Platform : Windows XP
    Windows version : (Service Pack 2) [5.1.2600]
    Boot mode : Normally booted
    Username : Vasilis
    Computer name : VASILIS-45A94C9

    Version information:
    BUILD.DAT : 10.0.0.611 31824 Bytes 14/1/2011 13:42:00
    AVSCAN.EXE : 10.0.3.5 435368 Bytes 10/1/2011 12:23:31
    AVSCAN.DLL : 10.0.3.0 46440 Bytes 1/4/2010 10:57:04
    LUKE.DLL : 10.0.3.2 104296 Bytes 10/1/2011 12:23:40
    LUKERES.DLL : 10.0.0.1 12648 Bytes 10/2/2010 21:40:49
    VBASE000.VDF : 7.10.0.0 19875328 Bytes 6/11/2009 07:05:36
    VBASE001.VDF : 7.11.0.0 13342208 Bytes 14/12/2010 12:23:50
    VBASE002.VDF : 7.11.3.0 1950720 Bytes 9/2/2011 11:15:09
    VBASE003.VDF : 7.11.3.1 2048 Bytes 9/2/2011 11:15:10
    VBASE004.VDF : 7.11.3.2 2048 Bytes 9/2/2011 11:15:10
    VBASE005.VDF : 7.11.3.3 2048 Bytes 9/2/2011 11:15:10
    VBASE006.VDF : 7.11.3.4 2048 Bytes 9/2/2011 11:15:10
    VBASE007.VDF : 7.11.3.5 2048 Bytes 9/2/2011 11:15:10
    VBASE008.VDF : 7.11.3.6 2048 Bytes 9/2/2011 11:15:10
    VBASE009.VDF : 7.11.3.7 2048 Bytes 9/2/2011 11:15:10
    VBASE010.VDF : 7.11.3.8 2048 Bytes 9/2/2011 11:15:10
    VBASE011.VDF : 7.11.3.9 2048 Bytes 9/2/2011 11:15:11
    VBASE012.VDF : 7.11.3.10 2048 Bytes 9/2/2011 11:15:11
    VBASE013.VDF : 7.11.3.59 157184 Bytes 14/2/2011 11:15:12
    VBASE014.VDF : 7.11.3.97 120320 Bytes 16/2/2011 11:15:13
    VBASE015.VDF : 7.11.3.148 128000 Bytes 19/2/2011 11:15:14
    VBASE016.VDF : 7.11.3.183 140288 Bytes 22/2/2011 11:15:14
    VBASE017.VDF : 7.11.3.216 124416 Bytes 24/2/2011 11:15:14
    VBASE018.VDF : 7.11.3.251 159232 Bytes 28/2/2011 11:15:15
    VBASE019.VDF : 7.11.4.33 148992 Bytes 2/3/2011 11:14:18
    VBASE020.VDF : 7.11.4.34 2048 Bytes 2/3/2011 11:14:18
    VBASE021.VDF : 7.11.4.35 2048 Bytes 2/3/2011 11:14:18
    VBASE022.VDF : 7.11.4.36 2048 Bytes 2/3/2011 11:14:18
    VBASE023.VDF : 7.11.4.37 2048 Bytes 2/3/2011 11:14:19
    VBASE024.VDF : 7.11.4.38 2048 Bytes 2/3/2011 11:14:19
    VBASE025.VDF : 7.11.4.39 2048 Bytes 2/3/2011 11:14:19
    VBASE026.VDF : 7.11.4.40 2048 Bytes 2/3/2011 11:14:19
    VBASE027.VDF : 7.11.4.41 2048 Bytes 2/3/2011 11:14:19
    VBASE028.VDF : 7.11.4.42 2048 Bytes 2/3/2011 11:14:19
    VBASE029.VDF : 7.11.4.43 2048 Bytes 2/3/2011 11:14:19
    VBASE030.VDF : 7.11.4.44 2048 Bytes 2/3/2011 11:14:19
    VBASE031.VDF : 7.11.4.50 23552 Bytes 3/3/2011 11:14:19
    Engineversion : 8.2.4.178
    AEVDF.DLL : 8.1.2.1 106868 Bytes 10/1/2011 12:23:26
    AESCRIPT.DLL : 8.1.3.55 1282426 Bytes 2/3/2011 11:15:21
    AESCN.DLL : 8.1.7.2 127349 Bytes 10/1/2011 12:23:26
    AESBX.DLL : 8.1.3.2 254324 Bytes 10/1/2011 12:23:26
    AERDL.DLL : 8.1.9.2 635252 Bytes 10/1/2011 12:23:25
    AEPACK.DLL : 8.2.4.11 520566 Bytes 3/3/2011 11:14:20
    AEOFFICE.DLL : 8.1.1.16 205179 Bytes 2/3/2011 11:15:20
    AEHEUR.DLL : 8.1.2.81 3314038 Bytes 2/3/2011 11:15:19
    AEHELP.DLL : 8.1.16.1 246134 Bytes 2/3/2011 11:15:17
    AEGEN.DLL : 8.1.5.2 397683 Bytes 2/3/2011 11:15:17
    AEEMU.DLL : 8.1.3.0 393589 Bytes 10/1/2011 12:23:18
    AECORE.DLL : 8.1.19.2 196983 Bytes 2/3/2011 11:15:17
    AEBB.DLL : 8.1.1.0 53618 Bytes 10/1/2011 12:23:18
    AVWINLL.DLL : 10.0.0.0 19304 Bytes 10/1/2011 12:23:32
    AVPREF.DLL : 10.0.0.0 44904 Bytes 10/1/2011 12:23:30
    AVREP.DLL : 10.0.0.8 62209 Bytes 17/6/2010 12:27:13
    AVREG.DLL : 10.0.3.2 53096 Bytes 10/1/2011 12:23:31
    AVSCPLR.DLL : 10.0.3.2 84328 Bytes 10/1/2011 12:23:31
    AVARKT.DLL : 10.0.22.6 231784 Bytes 10/1/2011 12:23:27
    AVEVTLOG.DLL : 10.0.0.8 203112 Bytes 10/1/2011 12:23:28
    SQLITE3.DLL : 3.6.19.0 355688 Bytes 17/6/2010 12:27:22
    AVSMTP.DLL : 10.0.0.17 63848 Bytes 10/1/2011 12:23:31
    NETNT.DLL : 10.0.0.0 11624 Bytes 17/6/2010 12:27:21
    RCIMAGE.DLL : 10.0.0.26 2550120 Bytes 28/1/2010 11:10:20
    RCTEXT.DLL : 10.0.58.0 97128 Bytes 10/1/2011 12:23:52

    Configuration settings for the scan:
    Jobname.............................: ShlExt
    Configuration file..................: G:\DOCUME~1\Vasilis\LOCALS~1\Temp\ac035dbb.avp
    Logging.............................: low
    Primary action......................: interactive
    Secondary action....................: ignore
    Scan master boot sector.............: on
    Scan boot sector....................: on
    Boot sectors........................: H:,
    Process scan........................: off
    Scan registry.......................: off
    Search for rootkits.................: off
    Integrity checking of system files..: off
    Scan all files......................: Intelligent file selection
    Scan archives.......................: on
    Recursion depth.....................: 20
    Smart extensions....................: on
    Macro heuristic.....................: on
    File heuristic......................: medium

    Start of the scan: Friday, 4 March 2011 18:27

    Starting the file scan:

    Begin scan in 'H:\' <My Passport>
    H:\office recovery\G\Lost File Results\LostFile_EXE_10378208.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    H:\office recovery\G\Lost File Results\LostFile_EXE_118411600.exe
    [DETECTION] Is the TR/Dropper.Gen Trojan
    H:\office recovery\G\Lost File Results\LostFile_EXE_20610824.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    H:\office recovery\G\Lost File Results\LostFile_EXE_20989528.exe
    [DETECTION] Is the TR/ATRAPS.Gen Trojan
    H:\office recovery\G\Lost File Results\LostFile_EXE_211302549.exe
    --> Object
    [WARNING] The file could not be read!
    [WARNING] The file could not be read!
    H:\office recovery\G\Lost File Results\LostFile_EXE_3196264.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    H:\office recovery\G\Lost File Results\LostFile_EXE_3611800.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    H:\office recovery\G\Lost File Results\LostFile_EXE_3646104.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    H:\office recovery\G\Lost File Results\LostFile_EXE_3657752.exe
    [DETECTION] Is the TR/Crypt.ULPM.Gen Trojan
    H:\office recovery\G\Lost File Results\LostFile_EXE_3658520.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    H:\office recovery\G\Lost File Results\LostFile_EXE_3969232.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    H:\office recovery\G\Lost File Results\LostFile_EXE_3982976.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    H:\office recovery\G\Lost File Results\LostFile_EXE_3983280.exe
    [DETECTION] Is the TR/Crypt.ASPM.Gen Trojan
    H:\office recovery\G\Lost File Results\LostFile_EXE_4161800.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    H:\office recovery\G\Lost File Results\LostFile_EXE_4563384.exe
    [DETECTION] Contains recognition pattern of the DR/Delphi.Gen dropper
    H:\office recovery\G\Lost File Results\LostFile_EXE_4625091.exe
    [DETECTION] Is the TR/Dropper.Gen Trojan
    H:\office recovery\G\Lost File Results\LostFile_EXE_4820056.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    H:\office recovery\G\Lost File Results\LostFile_EXE_49467864.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    H:\office recovery\G\Lost File Results\LostFile_EXE_49489040.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    H:\office recovery\G\Lost File Results\LostFile_EXE_49492064.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    H:\office recovery\G\Lost File Results\LostFile_EXE_50883129.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    H:\office recovery\G\Lost File Results\LostFile_EXE_52934616.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    H:\office recovery\G\Lost File Results\LostFile_EXE_53135592.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    H:\office recovery\G\Lost File Results\LostFile_EXE_53272136.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    H:\office recovery\G\Lost File Results\LostFile_EXE_53826984.exe
    [DETECTION] Is the TR/Rootkit.Gen Trojan
    H:\office recovery\G\Lost File Results\LostFile_EXE_53830144.exe
    [DETECTION] Is the TR/Dropper.Gen Trojan
    H:\office recovery\G\Lost File Results\LostFile_EXE_5399160.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    H:\office recovery\G\Lost File Results\LostFile_EXE_5432904.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    H:\office recovery\G\Lost File Results\LostFile_EXE_5472056.exe
    [DETECTION] Is the TR/Crypt.ULPM.Gen Trojan
    H:\office recovery\G\Lost File Results\LostFile_EXE_56015328.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    H:\office recovery\G\Lost File Results\LostFile_EXE_56055264.exe
    [DETECTION] Is the TR/ATRAPS.Gen Trojan
    H:\office recovery\G\Lost File Results\LostFile_EXE_5652904.exe
    [DETECTION] Is the TR/Dropper.Gen Trojan
    H:\office recovery\G\Lost File Results\LostFile_EXE_64019896.exe
    [DETECTION] Is the TR/Dropper.Gen Trojan
    H:\office recovery\G\Lost File Results\LostFile_EXE_76514216.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    H:\office recovery\G\Lost File Results\LostFile_EXE_79056312.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen3 Trojan
    H:\office recovery\G\Lost File Results\LostFile_EXE_79060904.exe
    [DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
    H:\office recovery\G\Lost File Results\LostFile_EXE_79081304.exe
    [DETECTION] Is the TR/Dropper.Gen Trojan
    H:\office recovery\G\Lost File Results\LostFile_EXE_90698571.exe
    [WARNING] The file could not be read!
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_10504776.exe
    [DETECTION] Is the TR/Dropper.Gen Trojan
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_106966128.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_11661232.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_13285984.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_2171376.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_24368432.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_31253472.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_47031632.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen3 Trojan
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_47038520.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_47041496.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_47041640.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_47042392.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_47054360.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_47060880.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_47168744.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_49626136.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_49790272.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_49895104.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_49984048.exe
    [DETECTION] Is the TR/Dropper.Gen Trojan
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_50185936.exe
    [DETECTION] Is the TR/Dropper.Gen Trojan
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_50190392.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_50270800.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_50514112.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_51103000.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_51130448.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_51146016.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_51150800.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_51470352.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_51645008.exe
    [DETECTION] Is the TR/Dropper.Gen Trojan
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_51789368.exe
    [DETECTION] Is the TR/Dropper.Gen Trojan
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_52364992.exe
    [DETECTION] Is the TR/Dropper.Gen Trojan
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_52559016.exe
    [DETECTION] Is the TR/Dropper.Gen Trojan
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_53939960.exe
    [DETECTION] Is the TR/Dropper.Gen Trojan
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_55035616.exe
    [DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_55322432.exe
    [DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_58597424.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_58727088.exe
    [DETECTION] Is the TR/Dropper.Gen Trojan
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_58828216.exe
    [DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_64791440.exe
    [DETECTION] Is the TR/ATRAPS.Gen Trojan
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_64937864.exe
    [DETECTION] Is the TR/Dropper.Gen Trojan
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_79339392.exe
    [DETECTION] Is the TR/Dropper.Gen Trojan
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_79377176.exe
    [DETECTION] Is the TR/Dropper.Gen Trojan
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_79538656.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_80263680.exe
    [DETECTION] Is the TR/Dropper.Gen Trojan
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_80675752.exe
    [DETECTION] Is the TR/Dropper.Gen2 Trojan
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_82118376.exe
    [DETECTION] Is the TR/Dropper.Gen2 Trojan
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_9136848.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_96462728.exe
    [DETECTION] Is the TR/Dropper.Gen Trojan
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_9812600.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_JPG_104153744.jpg
    [DETECTION] Contains recognition pattern of the DR/FakePic.Gen dropper
    H:\office recovery\G\Virtual NTFS Partition @ 0\jquery.tinysort[1].js
    [DETECTION] Contains recognition pattern of the DR/FakePic.Gen dropper
    H:\office recovery\G\Virtual NTFS Partition @ 0\My Dropbox\Photos\Sample Album\Costa Rican Frog.jpg
    [DETECTION] Contains recognition pattern of the DR/FakePic.Gen dropper

    ========= CONTINUED ON NEXT POST ========
     
  20. vbakis

    vbakis TS Rookie Topic Starter Posts: 17

    Beginning disinfection:
    H:\office recovery\G\Virtual NTFS Partition @ 0\My Dropbox\Photos\Sample Album\Costa Rican Frog.jpg
    [DETECTION] Contains recognition pattern of the DR/FakePic.Gen dropper
    [NOTE] The file was moved to the quarantine directory under the name '4fa8befe.qua'.
    H:\office recovery\G\Virtual NTFS Partition @ 0\jquery.tinysort[1].js
    [DETECTION] Contains recognition pattern of the DR/FakePic.Gen dropper
    [NOTE] The file was moved to the quarantine directory under the name '573d915b.qua'.
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_JPG_104153744.jpg
    [DETECTION] Contains recognition pattern of the DR/FakePic.Gen dropper
    [NOTE] The file was moved to the quarantine directory under the name '0560cbb1.qua'.
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_9812600.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
    [NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
    [NOTE] The file was moved to the quarantine directory under the name '63578473.qua'.
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_96462728.exe
    [DETECTION] Is the TR/Dropper.Gen Trojan
    [NOTE] The file was moved to the quarantine directory under the name '26d3a94d.qua'.
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_9136848.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
    [NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
    [NOTE] The file was moved to the quarantine directory under the name '59c89b2c.qua'.
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_82118376.exe
    [DETECTION] Is the TR/Dropper.Gen2 Trojan
    [NOTE] The file was moved to the quarantine directory under the name '1570b765.qua'.
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_80675752.exe
    [DETECTION] Is the TR/Dropper.Gen2 Trojan
    [NOTE] The file was moved to the quarantine directory under the name '6968f735.qua'.
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_80263680.exe
    [DETECTION] Is the TR/Dropper.Gen Trojan
    [NOTE] The file was moved to the quarantine directory under the name '4432d878.qua'.
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_79538656.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
    [NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
    [NOTE] The file was moved to the quarantine directory under the name '5d5ae3e2.qua'.
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_79377176.exe
    [DETECTION] Is the TR/Dropper.Gen Trojan
    [NOTE] The file was moved to the quarantine directory under the name '3106cfd2.qua'.
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_79339392.exe
    [DETECTION] Is the TR/Dropper.Gen Trojan
    [NOTE] The file was moved to the quarantine directory under the name '40bff647.qua'.
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_64937864.exe
    [DETECTION] Is the TR/Dropper.Gen Trojan
    [NOTE] The file was moved to the quarantine directory under the name '4ea5c680.qua'.
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_64791440.exe
    [DETECTION] Is the TR/ATRAPS.Gen Trojan
    [NOTE] The file was moved to the quarantine directory under the name '0b8cbfc2.qua'.
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_58828216.exe
    [DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
    [NOTE] The file was moved to the quarantine directory under the name '0287bb69.qua'.
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_58727088.exe
    [DETECTION] Is the TR/Dropper.Gen Trojan
    [NOTE] The file was moved to the quarantine directory under the name '5ac6a200.qua'.
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_58597424.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
    [NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
    [NOTE] The file was moved to the quarantine directory under the name '7632dbcc.qua'.
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_55322432.exe
    [DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
    [NOTE] The file was moved to the quarantine directory under the name '48ccbb16.qua'.
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_55035616.exe
    [DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
    [NOTE] The file was moved to the quarantine directory under the name '2bc29065.qua'.
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_53939960.exe
    [DETECTION] Is the TR/Dropper.Gen Trojan
    [NOTE] The file was moved to the quarantine directory under the name '0d0ad078.qua'.
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_52559016.exe
    [DETECTION] Is the TR/Dropper.Gen Trojan
    [NOTE] The file was moved to the quarantine directory under the name '3f9eabdd.qua'.
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_52364992.exe
    [DETECTION] Is the TR/Dropper.Gen Trojan
    [NOTE] The file was moved to the quarantine directory under the name '35db80a3.qua'.
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_51789368.exe
    [DETECTION] Is the TR/Dropper.Gen Trojan
    [NOTE] The file was moved to the quarantine directory under the name '0a88e4e6.qua'.
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_51645008.exe
    [DETECTION] Is the TR/Dropper.Gen Trojan
    [NOTE] The file was moved to the quarantine directory under the name '74a4e8c1.qua'.
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_51470352.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
    [NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
    [NOTE] The file was moved to the quarantine directory under the name '21dcec0b.qua'.
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_51150800.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
    [NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
    [NOTE] The file was moved to the quarantine directory under the name '2c4a9d23.qua'.
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_51146016.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
    [NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
    [NOTE] The file was moved to the quarantine directory under the name '3017892a.qua'.
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_51130448.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
    [NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
    [NOTE] The file was moved to the quarantine directory under the name '01c4c4e4.qua'.
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_51103000.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
    [NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
    [NOTE] The file was moved to the quarantine directory under the name '6d92d0d2.qua'.
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_50514112.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
    [NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
    [NOTE] The file was moved to the quarantine directory under the name '2408f5d5.qua'.
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_50270800.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
    [NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
    [NOTE] The file was moved to the quarantine directory under the name '7f9dfd04.qua'.
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_50190392.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
    [NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
    [NOTE] The file was moved to the quarantine directory under the name '192ff1ed.qua'.
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_50185936.exe
    [DETECTION] Is the TR/Dropper.Gen Trojan
    [NOTE] The file was moved to the quarantine directory under the name '4ea18345.qua'.
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_49984048.exe
    [DETECTION] Is the TR/Dropper.Gen Trojan
    [NOTE] The file was moved to the quarantine directory under the name '6cd1d431.qua'.
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_49895104.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
    [NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
    [NOTE] The file was moved to the quarantine directory under the name '04c1aea7.qua'.
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_49790272.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
    [NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
    [NOTE] The file was moved to the quarantine directory under the name '24b7aa22.qua'.
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_49626136.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
    [NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
    [NOTE] The file was moved to the quarantine directory under the name '7193ec96.qua'.
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_47168744.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
    [NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
    [NOTE] The file was moved to the quarantine directory under the name '10b3cd29.qua'.
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_47060880.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
    [NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
    [NOTE] The file was moved to the quarantine directory under the name '751f8fa2.qua'.
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_47054360.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
    [NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
    [NOTE] The file was moved to the quarantine directory under the name '10c8fb03.qua'.
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_47042392.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
    [NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
    [NOTE] The file was moved to the quarantine directory under the name '032cc790.qua'.
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_47041640.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
    [NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
    [NOTE] The file was moved to the quarantine directory under the name '1195bb2d.qua'.
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_47041496.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
    [NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
    [NOTE] The file was moved to the quarantine directory under the name '06c5d89f.qua'.
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_47038520.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
    [NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
    [NOTE] The file was moved to the quarantine directory under the name '5ce7ea0f.qua'.
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_47031632.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen3 Trojan
    [NOTE] The file was moved to the quarantine directory under the name '79ea901b.qua'.
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_31253472.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
    [NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
    [NOTE] The file was moved to the quarantine directory under the name '0db1886f.qua'.
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_24368432.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
    [NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
    [NOTE] The file was moved to the quarantine directory under the name '2fb3dae3.qua'.
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_2171376.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
    [NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
    [NOTE] The file was moved to the quarantine directory under the name '5a20a2fa.qua'.
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_13285984.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
    [NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
    [NOTE] The file was moved to the quarantine directory under the name '7177fefa.qua'.
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_11661232.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
    [NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
    [NOTE] The file was moved to the quarantine directory under the name '1610b645.qua'.
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_106966128.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
    [NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
    [NOTE] The file was moved to the quarantine directory under the name '5d608f53.qua'.
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_10504776.exe
    [DETECTION] Is the TR/Dropper.Gen Trojan
    [NOTE] The file was moved to the quarantine directory under the name '5d9e8502.qua'.
    H:\office recovery\G\Lost File Results\LostFile_EXE_79081304.exe
    [DETECTION] Is the TR/Dropper.Gen Trojan
    [NOTE] The file was moved to the quarantine directory under the name '1731d012.qua'.
    H:\office recovery\G\Lost File Results\LostFile_EXE_79060904.exe
    [DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
    [NOTE] The file was moved to the quarantine directory under the name '7918ffda.qua'.
    H:\office recovery\G\Lost File Results\LostFile_EXE_79056312.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen3 Trojan
    [NOTE] The file was moved to the quarantine directory under the name '3438a1aa.qua'.
    H:\office recovery\G\Lost File Results\LostFile_EXE_76514216.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
    [NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
    [NOTE] The file was moved to the quarantine directory under the name '5c1c8691.qua'.
    H:\office recovery\G\Lost File Results\LostFile_EXE_64019896.exe
    [DETECTION] Is the TR/Dropper.Gen Trojan
    [NOTE] The file was moved to the quarantine directory under the name '26adbc58.qua'.
    H:\office recovery\G\Lost File Results\LostFile_EXE_5652904.exe
    [DETECTION] Is the TR/Dropper.Gen Trojan
    [NOTE] The file was moved to the quarantine directory under the name '57ffe01d.qua'.
    H:\office recovery\G\Lost File Results\LostFile_EXE_56055264.exe
    [DETECTION] Is the TR/ATRAPS.Gen Trojan
    [NOTE] The file was moved to the quarantine directory under the name '2718ca0d.qua'.
    H:\office recovery\G\Lost File Results\LostFile_EXE_56015328.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
    [NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
    [NOTE] The file was moved to the quarantine directory under the name '5c68b658.qua'.
    H:\office recovery\G\Lost File Results\LostFile_EXE_5472056.exe
    [DETECTION] Is the TR/Crypt.ULPM.Gen Trojan
    [NOTE] The file was moved to the quarantine directory under the name '1233c532.qua'.
    H:\office recovery\G\Lost File Results\LostFile_EXE_5432904.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
    [NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
    [NOTE] The file was moved to the quarantine directory under the name '6c48be14.qua'.
    H:\office recovery\G\Lost File Results\LostFile_EXE_5399160.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
    [NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
    [NOTE] The file was moved to the quarantine directory under the name '18d29667.qua'.
    H:\office recovery\G\Lost File Results\LostFile_EXE_53830144.exe
    [DETECTION] Is the TR/Dropper.Gen Trojan
    [NOTE] The file was moved to the quarantine directory under the name '13e6ca0e.qua'.
    H:\office recovery\G\Lost File Results\LostFile_EXE_53826984.exe
    [DETECTION] Is the TR/Rootkit.Gen Trojan
    [NOTE] The file was moved to the quarantine directory under the name '403ed9cc.qua'.
    H:\office recovery\G\Lost File Results\LostFile_EXE_53272136.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
    [NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
    [NOTE] The file was moved to the quarantine directory under the name '2557f2a7.qua'.
    H:\office recovery\G\Lost File Results\LostFile_EXE_53135592.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
    [NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
    [NOTE] The file was moved to the quarantine directory under the name '0daca205.qua'.
    H:\office recovery\G\Lost File Results\LostFile_EXE_52934616.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
    [NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
    [NOTE] The file was moved to the quarantine directory under the name '790ffbbf.qua'.
    H:\office recovery\G\Lost File Results\LostFile_EXE_50883129.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
    [NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
    [NOTE] The file was moved to the quarantine directory under the name '36028336.qua'.
    H:\office recovery\G\Lost File Results\LostFile_EXE_49492064.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
    [NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
    [NOTE] The file was moved to the quarantine directory under the name '09d6da90.qua'.
    H:\office recovery\G\Lost File Results\LostFile_EXE_49489040.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
    [NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
    [NOTE] The file was moved to the quarantine directory under the name '73e0d926.qua'.
    H:\office recovery\G\Lost File Results\LostFile_EXE_49467864.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
    [NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
    [NOTE] The file was moved to the quarantine directory under the name '23e8de56.qua'.
    H:\office recovery\G\Lost File Results\LostFile_EXE_4820056.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
    [NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
    [NOTE] The file was moved to the quarantine directory under the name '75e0d414.qua'.
    H:\office recovery\G\Lost File Results\LostFile_EXE_4625091.exe
    [DETECTION] Is the TR/Dropper.Gen Trojan
    [NOTE] The file was moved to the quarantine directory under the name '3250d0c7.qua'.
    H:\office recovery\G\Lost File Results\LostFile_EXE_4563384.exe
    [DETECTION] Contains recognition pattern of the DR/Delphi.Gen dropper
    [NOTE] The file was moved to the quarantine directory under the name '111cbe45.qua'.
    H:\office recovery\G\Lost File Results\LostFile_EXE_4161800.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
    [NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
    [NOTE] The file was moved to the quarantine directory under the name '569797ab.qua'.
    H:\office recovery\G\Lost File Results\LostFile_EXE_3983280.exe
    [DETECTION] Is the TR/Crypt.ASPM.Gen Trojan
    [NOTE] The file was moved to the quarantine directory under the name '24f3c43f.qua'.
    H:\office recovery\G\Lost File Results\LostFile_EXE_3982976.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
    [NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
    [NOTE] The file was moved to the quarantine directory under the name '0f9c8729.qua'.
    H:\office recovery\G\Lost File Results\LostFile_EXE_3969232.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
    [NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
    [NOTE] The file was moved to the quarantine directory under the name '4c058996.qua'.
    H:\office recovery\G\Lost File Results\LostFile_EXE_3658520.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
    [NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
    [NOTE] The file was moved to the quarantine directory under the name '06cbf0ae.qua'.
    H:\office recovery\G\Lost File Results\LostFile_EXE_3657752.exe
    [DETECTION] Is the TR/Crypt.ULPM.Gen Trojan
    [NOTE] The file was moved to the quarantine directory under the name '0b83ee0e.qua'.
    H:\office recovery\G\Lost File Results\LostFile_EXE_3646104.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
    [NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
    [NOTE] The file was moved to the quarantine directory under the name '2469a6e0.qua'.
    H:\office recovery\G\Lost File Results\LostFile_EXE_3611800.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
    [NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
    [NOTE] The file was moved to the quarantine directory under the name '1badef8a.qua'.
    H:\office recovery\G\Lost File Results\LostFile_EXE_3196264.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
    [NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
    [NOTE] The file was moved to the quarantine directory under the name '244af910.qua'.
    H:\office recovery\G\Lost File Results\LostFile_EXE_20989528.exe
    [DETECTION] Is the TR/ATRAPS.Gen Trojan
    [NOTE] The file was moved to the quarantine directory under the name '4193a9c7.qua'.
    H:\office recovery\G\Lost File Results\LostFile_EXE_20610824.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
    [NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
    [NOTE] The file was moved to the quarantine directory under the name '67b28ead.qua'.
    H:\office recovery\G\Lost File Results\LostFile_EXE_118411600.exe
    [DETECTION] Is the TR/Dropper.Gen Trojan
    [NOTE] The file was moved to the quarantine directory under the name '6b1fddd6.qua'.
    H:\office recovery\G\Lost File Results\LostFile_EXE_10378208.exe
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
    [NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
    [NOTE] The file was moved to the quarantine directory under the name '5e75ab0f.qua'.


    End of the scan: Friday, 4 March 2011 18:57
    Used time: 29:31 Minute(s)

    The scan has been done completely.

    3014 Scanned directories
    174128 Files were scanned
    88 Viruses and/or unwanted programs were found
    0 Files were classified as suspicious
    0 files were deleted
    0 Viruses and unwanted programs were repaired
    88 Files were moved to quarantine
    0 Files were renamed
    0 Files cannot be scanned
    174040 Files not concerned
    1375 Archives were scanned
    3 Warnings
    88 Notes
     
  21. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Not sure why you ran the Avast scan; those files were moved in OTM. You can delete the contents of the quarantine files in Avast.

    Sorry about having to uninstall AVG for Combofix. I have those directions saved separately, but I am going to add them to Combofix.
    ===============================================
    Please run this Custom CFScript:

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it: Be sure to scroll down to include ALL lines.
    Code:
    Folder::
    g:\docume~1\vasilis\locals~1\applic~1\Temp
    g:\program files\GetData
    G:\GetData Recover My Files Professional Edition v4.6.8.993
    g:\program files\uTorrent.exe
    Registry::
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\uTorrent.exe"=-
    "g:\\Program Files\\uTorrent.exe"=-
    Driver::
    
    Save this as CFScript.txt, in the same location as ComboFix.exe

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
    ====================
    P2P or 'file sharing' Warning:
    I note you have uTorrent on 2 drives; that doubles the vulnerability from file sharing.
    Note: Even if you are using a "safe" P2P program, it is only the program that is safe. I suggest that you uninstall uTorrent for the following reasons:
    • As long as you are using file sharing networks and programs which are from sources that are not documented, you cannot verify that a download is legitimate.
    • Malware writers use these programs to include malicious content.
    • File sharing is usually unmonitored and there is a danger that your private files might be accessed.
    • The 'sharing' also includes malware that the shared system has on it.
    • Files that are illegal can be spread through file sharing.

    Please read the information on P2P Warning to help you better understand these dangers.
    =================================
    How is the system running now?
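
Added example (editor's code, not ComboFix's, TechSpot's or either poster's): a Python script that takes the AuthorizedApplications listing ComboFix prints in its Reg Loading Points section (the Windows XP firewall exception list, one "path"= line per allowed program, with the registry's doubled backslashes) and writes a Registry:: stanza in the "name"=- form the CFScript above uses for the uTorrent entries, for every exception whose executable is gone or belongs to software the user has given up. The security point behind the advice is that a firewall exception outlives the program it was created for, and anything later dropped at that path inherits the hole without a prompt. The listing is constructed to match the shape of the ComboFix log in this thread; the set of files assumed to still exist, the %windir% value G:\WINDOWS and the choice to treat the g:\ World of Warcraft launcher as missing are assumptions made for the demonstration.

```python
"""Generate CFScript Registry:: lines that drop stale or unwanted XP firewall exceptions."""
import re

# Key exactly as ComboFix prints it in the Reg Loading Points section.
FIREWALL_KEY = (r"[HKLM\~\services\sharedaccess\parameters\firewallpolicy"
                r"\standardprofile\AuthorizedApplications\List]")
ENTRY_RE = re.compile(r'^"(?P<name>[^"]+)"=')     # "path"=   (ComboFix keeps doubled backslashes)


def parse_exceptions(listing: str) -> list:
    """Value names found under the firewall key; entries under other keys are ignored."""
    names, in_key = [], False
    for raw in listing.splitlines():
        line = raw.strip()
        if line.startswith("["):                        # a new registry key begins
            in_key = line.lower() == FIREWALL_KEY.lower()
            continue
        m = ENTRY_RE.match(line)
        if in_key and m:
            names.append(m.group("name"))
    return names


def real_path(name: str, env: dict) -> str:
    """Undo the doubled backslashes and expand %windir%-style variables from env."""
    path = name.replace("\\\\", "\\")
    return re.sub(r"%(\w+)%", lambda m: env.get(m.group(1).lower(), m.group(0)), path)


def exceptions_to_drop(names, existing_files, unwanted_basenames, env) -> list:
    """(name, reason) for each exception that is stale or belongs to unwanted software.
    existing_files: lowercase paths present on disk (a constructed set here; on the
    real machine build it with os.path.exists)."""
    drop = []
    for name in names:
        path = real_path(name, env)
        if path.rsplit("\\", 1)[-1].lower() in unwanted_basenames:
            drop.append((name, "unwanted program"))
        elif path.lower() not in existing_files:
            drop.append((name, "file no longer exists"))
    return drop


def cfscript_registry_stanza(drop) -> str:
    """The Registry:: block to paste into CFScript.txt; "name"=- removes the value."""
    return "\n".join(["Registry::", FIREWALL_KEY] + [f'"{name}"=-' for name, _ in drop])


# Constructed listing, copied in shape from the ComboFix log posted in this thread.
SAMPLE_LISTING = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="g:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-01-10 281768]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\uTorrent.exe"=
"g:\\Program Files\\uTorrent.exe"=
"h:\\World of Warcraft\\Launcher.exe"=
"g:\\Program Files\\World of Warcraft\\Launcher.exe"=
"g:\\Documents and Settings\\Vasilis\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe"=
"""
# Assumptions: Windows lives on G: (as in this thread); only the files below still exist,
# so the g:\ World of Warcraft launcher counts as stale (constructed for the example).
ENV = {"windir": r"G:\WINDOWS"}
EXISTING_FILES = {
    r"g:\windows\system32\sessmgr.exe",
    r"h:\world of warcraft\launcher.exe",
    r"g:\documents and settings\vasilis\local settings\application data\google\chrome\application\chrome.exe",
}
UNWANTED = {"utorrent.exe"}

if __name__ == "__main__":
    drop = exceptions_to_drop(parse_exceptions(SAMPLE_LISTING), EXISTING_FILES, UNWANTED, ENV)
    for name, reason in drop:
        print(f"{reason:22s} {real_path(name, ENV)}")
    print(cfscript_registry_stanza(drop))
```

Entries whose binary is still present and not on the unwanted list (sessmgr.exe, the h:\ launcher, Chrome) are left alone; the two uTorrent exceptions go because of the program, the g:\ launcher because nothing is there any more. The printed stanza can be appended to a CFScript in the same way as the Registry:: section above.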
     
  22. vbakis

    vbakis TS Rookie Topic Starter Posts: 17

    I am sorry for the late response, I was away for the weekend. The system looks fine at the moment; this is the log from ComboFix:


    ComboFix 11-03-07.05 - Vasilis 08/03/2011 11:48:32.2.2 - x86
    Microsoft Windows XP Professional 5.1.2600.2.1253.30.1033.18.1535.1180 [GMT 2:00]
    Running from: g:\documents and settings\Vasilis\My Documents\Downloads\Protection - Antivirus -Spyware\ComboFix.exe
    Command switches used :: g:\documents and settings\Vasilis\My Documents\Downloads\Protection - Antivirus -Spyware\CFScript.TXT
    AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    g:\docume~1\vasilis\locals~1\applic~1\Temp
    G:\GetData Recover My Files Professional Edition v4.6.8.993
    g:\getdata recover my files professional edition v4.6.8.993\Crack.rar
    g:\getdata recover my files professional edition v4.6.8.993\File_id.diz
    g:\getdata recover my files professional edition v4.6.8.993\GetData Recover My Files v4.6.8.993.txt
    g:\getdata recover my files professional edition v4.6.8.993\INSTALL NOTES.txt
    g:\getdata recover my files professional edition v4.6.8.993\RecoverMyFiles-Setup.exe
    g:\program files\GetData
    g:\program files\GetData\Recover My Files v4\FFF.NFO
    g:\program files\GetData\Recover My Files v4\FILE_ID.DIZ
    g:\program files\Quicktime\QTTask.exe
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-02-08 to 2011-03-08 )))))))))))))))))))))))))))))))
    .
    .
    2011-03-04 09:35 . 2011-03-04 09:35 -------- d-----w- G:\_OTM
    2011-02-21 11:05 . 2011-02-21 11:05 -------- d-----w- G:\ATI
    2011-02-21 10:45 . 2011-02-21 10:45 -------- d-----w- G:\$AVG
    2011-02-18 11:38 . 2011-02-18 11:38 -------- d-----r- G:\MSOCache
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    .
    ((((((((((((((((((((((((((((( SnapShot@2011-03-02_10.58.22 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2011-03-02 11:13 . 2010-06-17 12:27 28520 g:\windows\system32\drivers\ssmdrv.sys
    + 2011-03-02 11:13 . 2010-06-17 12:27 22360 g:\windows\system32\drivers\avgntmgr.sys
    + 2011-03-02 11:13 . 2011-01-10 12:23 61960 g:\windows\system32\drivers\avgntflt.sys
    + 2011-03-02 11:13 . 2010-06-17 12:27 45416 g:\windows\system32\drivers\avgntdd.sys
    + 2011-03-02 11:13 . 2011-01-10 12:23 135096 g:\windows\system32\drivers\avipbb.sys
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Google Update"="g:\documents and settings\Vasilis\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2011-02-18 136176]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SoundMan"="SOUNDMAN.EXE" [2006-08-02 577536]
    "ATICustomerCare"="g:\program files\ATI\ATICustomerCare\ATICustomerCare.exe" [2010-05-04 311296]
    "Adobe Reader Speed Launcher"="g:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]
    "Adobe ARM"="g:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
    "HP Software Update"="g:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
    "iTunesHelper"="g:\program files\iTunes\iTunesHelper.exe" [2011-01-25 421160]
    "avgnt"="g:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-01-10 281768]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="g:\windows\system32\CTFMON.EXE" [2004-08-03 15360]
    .
    g:\documents and settings\All Users\Start Menu\Programs\Startup\
    HP Digital Imaging Monitor.lnk - g:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\uTorrent.exe"=
    "g:\\Program Files\\uTorrent.exe"=
    "h:\\World of Warcraft\\Launcher.exe"=
    "g:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "g:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "g:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
    "g:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
    "g:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
    "g:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
    "g:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
    "g:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
    "g:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
    "g:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
    "g:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
    "g:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
    "g:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
    "g:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
    "g:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
    "g:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
    "g:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
    "g:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "g:\\Program Files\\iTunes\\iTunes.exe"=
    "g:\\Program Files\\World of Warcraft\\Launcher.exe"=
    "g:\\Documents and Settings\\Vasilis\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe"=
    .
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;g:\program files\Avira\AntiVir Desktop\sched.exe [2/3/2011 1:13 PM 135336]
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-03-03 g:\windows\Tasks\AppleSoftwareUpdate.job
    - g:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 09:50]
    .
    2011-03-07 g:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-527237240-1220945662-725345543-1003Core.job
    - g:\documents and settings\Vasilis\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-02-18 11:36]
    .
    2011-03-08 g:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-527237240-1220945662-725345543-1003UA.job
    - g:\documents and settings\Vasilis\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-02-18 11:36]
    .
    .
    ------- Supplementary Scan -------
    .
    uInternet Settings,ProxyOverride = *.local
    IE: Ε&ξαγωγή στο Microsoft Excel - g:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    .
    - - - - ORPHANS REMOVED - - - -
    .
    HKLM-Run-QuickTime Task - g:\program files\QuickTime\QTTask.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-03-08 11:53
    Windows 5.1.2600 Service Pack 2 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@g:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="g:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    Completion time: 2011-03-08 11:55:07
    ComboFix-quarantined-files.txt 2011-03-08 09:55
    ComboFix2.txt 2011-03-02 10:59
    .
    Pre-Run: 84.435.468.288 bytes free
    Post-Run: 84.422.111.232 bytes free
    .
    - - End Of File - - 11FFF23506C8F50B36E29F0EF7CBF593
     
  23. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    No problem- I frequently run behind, so it gives me a chance to catch up.

    The logs show entries from drives C, G, H. I know that the H drive was the hard drive you had as a student in 2001. And the infected files came from the recovery you used. I'm just a bit confused about the following in the Attach.txt log from DDS:
    C: is FIXED (NTFS) - 233 GiB total, 195,228 GiB free.
    D: is Removable
    E: is CDROM ()
    F: is CDROM ()
    G: is FIXED (NTFS) - 112 GiB total, 98,966 GiB free.
    H: is FIXED (NTFS) - 233 GiB total, 84,556 GiB free.

    ======================================
    The only thing I would do is remove these Registry settings:
    "c:\\uTorrent.exe"
    "g:\\Program Files\\uTorrent.exe"

    But I have warned you about the dangers of file sharing. Let me know if you will continue using this program or if you would like me to remove the entries.
    =======================================
    I'd like you to run the Eset scan once more- let's make sure all of those infected files were found and removed:

    Run Eset NOD32 Online AntiVirus scan HERE
    1. Tick the box next to YES, I accept the Terms of Use.
    2. Click Start
    3. When asked, allow the Active X control to install
    4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    5. Click Start
    6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    7. Click Scan
    8. Wait for the scan to finish
    9. Click on "Copy to Clipboard"> (you won't see the 'clipboard')
    10. Click anywhere in the post where you want the logs to go, then do Ctrl V. The log will be sent from the clipboard and pasted in the post.
    11. Re-enable your Antivirus software.
      NOTE: If you forget to copy to the clipboard, you can find the log here:
      C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

    If clean, I'll have you remove all the cleaning tools we used.

    By the way, if you glance at this forum page, you will see a lot of members with AVG/Win32/Heur!
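
Added example (editor's code, not anything from this thread, ESET or TechSpot): a Python script that reads the ESET Online Scanner log.txt format pasted in this thread (a "# key=value" header per run, then one line per detection: path, detection name, an optional status in parentheses, a 32-hex hash and a flag letter) and answers the question that matters before the next step: are the hits on the live Windows install, or only inside the Recover My Files output folder and the OTM quarantine folder? It also compares the header's found= count with the number of detection lines, so a paste that was cut short shows up. The sample log is constructed from lines modelled on the ones in this thread; the Temp\setup_1.exe entry is invented to show what a hit on the live system looks like, and the list of known recovery/quarantine roots is an assumption taken from the paths posted here.

```python
"""Summarise ESET Online Scanner logs: live system, or a pile of recovered files?"""
import re
from collections import Counter, namedtuple
from dataclasses import dataclass, field

# Tail of a detection line: optional "(status)", a 32-hex hash, a flag letter.
TAIL_RE = re.compile(
    r"(?:\s+\((?P<status>[^()]*)\))?\s+(?P<digest>[0-9a-fA-F]{32})\s+(?P<flag>\S+)\s*$")
# First whitespace followed by a detection name ("a variant of Win32/Kryptik.AAQ trojan",
# "Win32/Conficker.Y worm"). Windows paths never contain "/", so it cannot fire inside the path.
DETECTION_START_RE = re.compile(
    r"\s+(?=(?:probably\s+)?(?:a\s+variant\s+of\s+)?[A-Za-z0-9_]+/[A-Za-z0-9_.-]+)")

Hit = namedtuple("Hit", "path detection status digest flag")   # status is "" if none printed


@dataclass
class ScanRun:
    header: dict = field(default_factory=dict)
    hits: list = field(default_factory=list)
    unparsed: list = field(default_factory=list)   # installer chatter, update errors


def parse_hit(line: str):
    """One detection line -> Hit, or None when the line is not one."""
    tail = TAIL_RE.search(line)
    if not tail:
        return None
    head = line[:tail.start()]
    split = DETECTION_START_RE.search(head)
    if not split:
        return None
    return Hit(head[:split.start()], head[split.end():].strip(),
               (tail.group("status") or "").strip(), tail.group("digest"), tail.group("flag"))


def parse_eset_log(text: str) -> list:
    """Split log.txt (runs are appended to it over time) into ScanRun objects."""
    runs, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("# version="):          # every run starts with this line
            current = ScanRun()
            runs.append(current)
        if not line or current is None:            # blanks and pre-header chatter
            continue
        if line.startswith("#"):
            key, _, value = line[1:].partition("=")
            current.header.setdefault(key.strip(), value.strip())   # keep first of repeats
            continue
        hit = parse_hit(line)
        (current.hits if hit else current.unparsed).append(hit or line)
    return runs


def top_folder(path: str, depth: int = 2) -> str:
    return "\\".join(path.split("\\")[:depth + 1])    # drive plus the first `depth` folders


def summarize(run: ScanRun) -> dict:
    return {
        "found_header": int(run.header.get("found", "0")),
        "found_lines": len(run.hits),        # differs from found_header if the paste was cut
        "by_folder": Counter(top_folder(h.path) for h in run.hits),
        "by_detection": Counter(h.detection for h in run.hits),
        "not_cleaned": sum(1 for h in run.hits if "unable to clean" in h.status),
        "unparsed": len(run.unparsed),
    }


def hits_outside(run: ScanRun, known_roots) -> list:
    """Hits NOT under a recovery-output or quarantine folder: those sit on the live system."""
    roots = tuple(r.lower().rstrip("\\") + "\\" for r in known_roots)
    return [h for h in run.hits if not h.path.lower().startswith(roots)]


# Folders holding carved or quarantined copies, taken from the paths in this thread (assumption).
KNOWN_ROOTS = [r"H:\office recovery", r"G:\_OTM\MovedFiles"]

# Constructed sample modelled on the log lines in this thread; the Temp\setup_1.exe
# line is invented to show what a hit on the live system looks like.
SAMPLE_LOG = r"""ESETSmartInstaller@High as downloader log:
all ok
# version=7
# remove_checked=false
# scanned=113439
# found=3
# cleaned=0
H:\office recovery\G\Lost File Results\LostFile_EXE_17977144.exe a variant of Win32/Kryptik.AAQ trojan (unable to clean) 00000000000000000000000000000000 I
H:\office recovery\G\Lost File Results\LostFile_EXE_52609881.exe a variant of Win32/Conficker.Y worm (unable to clean) 00000000000000000000000000000000 I
H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_9084792.exe a variant of Win32/Kryptik.AAQ trojan (unable to clean) 00000000000000000000000000000000 I
esets_scanner_update returned -1 esets_gle=53251
# version=7
# found=2
# cleaned=0
G:\_OTM\MovedFiles\03042011_113550\H_office recovery\G\Lost File Results\LostFile_EXE_17977144.exe a variant of Win32/Kryptik.AAQ trojan (unable to clean) 00000000000000000000000000000000 I
G:\Documents and Settings\Vasilis\Local Settings\Temp\setup_1.exe Win32/TrojanDownloader.FakeAlert.GO trojan 00000000000000000000000000000000 I
"""

if __name__ == "__main__":
    for n, run in enumerate(parse_eset_log(SAMPLE_LOG), 1):
        s = summarize(run)
        print(f"run {n}: {s['found_lines']}/{s['found_header']} hits, "
              f"{len(hits_outside(run, KNOWN_ROOTS))} on the live system, by folder {dict(s['by_folder'])}")
```

On the constructed sample the first run puts all three hits under H:\office recovery\G and nothing on the live system, which is the picture the real logs in this thread give: every path is a LostFile_EXE_*.exe carved by the recovery tool, or OTM's moved copy of one. The second run flags the invented Temp\setup_1.exe entry as the only hit outside the known roots. The header's remove_checked=false is the setting asked for in the instructions above, so cleaned=0 is expected for these runs.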
     
  24. vbakis

    vbakis TS Rookie Topic Starter Posts: 17

    OK, I'll try to sort things out so you can have a clear view of my drives. G: is the system disk, it's where Windows is installed and it's the disk I had as a student, and H: is a flash disk I used to recover the files from G:
    What I did was to format G:, then install Windows onto it, and then try to recover the files from before the format onto H:
    I deleted the file c:\\uTorrent.exe.
    Anyway, I don't use it any more, so feel free to show me how to remove them.

    Eset still finds malware on the removable flash drive H:, here's the log:

    ESETSmartInstaller@High as downloader log:
    all ok
    # version=7
    # OnlineScannerApp.exe=1.0.0.1
    # OnlineScanner.ocx=1.0.0.6425
    # api_version=3.0.2
    # EOSSerial=d5531ca7203fe54797e590b518b5db27
    # end=finished
    # remove_checked=false
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2011-02-24 05:41:41
    # local_time=2011-02-24 07:41:41 (+0200, GTB Standard Time)
    # country="Greece"
    # lang=1033
    # osver=5.1.2600 NT Service Pack 2
    # compatibility_mode=512 16777215 100 0 35242 35242 0 0
    # compatibility_mode=1032 16777173 100 94 7752 41863832 0 0
    # compatibility_mode=8192 67108863 100 0 3900 3900 0 0
    # scanned=113439
    # found=13
    # cleaned=0
    # scan_time=3061
    H:\office recovery\G\Lost File Results\LostFile_EXE_17977144.exe a variant of Win32/Kryptik.AAQ trojan (unable to clean) 00000000000000000000000000000000 I
    H:\office recovery\G\Lost File Results\LostFile_EXE_18174360.exe a variant of Win32/Kryptik.AAQ trojan (unable to clean) 00000000000000000000000000000000 I
    H:\office recovery\G\Lost File Results\LostFile_EXE_52609881.exe a variant of Win32/Conficker.Y worm (unable to clean) 00000000000000000000000000000000 I
    H:\office recovery\G\Lost File Results\LostFile_EXE_5472056.exe a variant of Win32/TrojanDownloader.FakeAlert.GO trojan (unable to clean) 00000000000000000000000000000000 I
    H:\office recovery\G\Lost File Results\LostFile_EXE_63078584.exe a variant of Win32/Kryptik.AY trojan (unable to clean) 00000000000000000000000000000000 I
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_104647160.exe a variant of Win32/Kryptik.AAQ trojan (unable to clean) 00000000000000000000000000000000 I
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_10607648.exe a variant of Win32/Kryptik.AAQ trojan (unable to clean) 00000000000000000000000000000000 I
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_10630496.exe a variant of Win32/Kryptik.AAQ trojan (unable to clean) 00000000000000000000000000000000 I
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_11193632.exe a variant of Win32/Kryptik.AAQ trojan (unable to clean) 00000000000000000000000000000000 I
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_5979896.exe a variant of Win32/Kryptik.AAQ trojan (unable to clean) 00000000000000000000000000000000 I
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_8634784.exe a variant of Win32/Kryptik.AAQ trojan (unable to clean) 00000000000000000000000000000000 I
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_9084792.exe a variant of Win32/Kryptik.AAQ trojan (unable to clean) 00000000000000000000000000000000 I
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_92521216.exe a variant of Win32/Kryptik.AAQ trojan (unable to clean) 00000000000000000000000000000000 I
    ESETSmartInstaller@High as downloader log:
    all ok
    ESETSmartInstaller@High as downloader log:
    all ok
    esets_scanner_update returned -1 esets_gle=53251
    # version=7
    # OnlineScannerApp.exe=1.0.0.1
    # OnlineScanner.ocx=1.0.0.6425
    # api_version=3.0.2
    # EOSSerial=d5531ca7203fe54797e590b518b5db27
    # end=finished
    # remove_checked=false
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2011-03-02 10:26:57
    # local_time=2011-03-02 12:26:57 (+0200, GTB Standard Time)
    # country="Greece"
    # lang=1033
    # osver=5.1.2600 NT Service Pack 2
    # compatibility_mode=512 16777215 100 0 526576 526576 0 0
    # compatibility_mode=1032 16777189 100 94 8612 42355166 0 0
    # compatibility_mode=8192 67108863 100 0 495234 495234 0 0
    # scanned=118859
    # found=13
    # cleaned=0
    # scan_time=4043
    H:\office recovery\G\Lost File Results\LostFile_EXE_17977144.exe a variant of Win32/Kryptik.AAQ trojan (unable to clean) 00000000000000000000000000000000 I
    H:\office recovery\G\Lost File Results\LostFile_EXE_18174360.exe a variant of Win32/Kryptik.AAQ trojan (unable to clean) 00000000000000000000000000000000 I
    H:\office recovery\G\Lost File Results\LostFile_EXE_52609881.exe a variant of Win32/Conficker.Y worm (unable to clean) 00000000000000000000000000000000 I
    H:\office recovery\G\Lost File Results\LostFile_EXE_5472056.exe a variant of Win32/TrojanDownloader.FakeAlert.GO trojan (unable to clean) 00000000000000000000000000000000 I
    H:\office recovery\G\Lost File Results\LostFile_EXE_63078584.exe a variant of Win32/Kryptik.AY trojan (unable to clean) 00000000000000000000000000000000 I
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_104647160.exe a variant of Win32/Kryptik.AAQ trojan (unable to clean) 00000000000000000000000000000000 I
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_10607648.exe a variant of Win32/Kryptik.AAQ trojan (unable to clean) 00000000000000000000000000000000 I
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_10630496.exe a variant of Win32/Kryptik.AAQ trojan (unable to clean) 00000000000000000000000000000000 I
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_11193632.exe a variant of Win32/Kryptik.AAQ trojan (unable to clean) 00000000000000000000000000000000 I
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_5979896.exe a variant of Win32/Kryptik.AAQ trojan (unable to clean) 00000000000000000000000000000000 I
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_8634784.exe a variant of Win32/Kryptik.AAQ trojan (unable to clean) 00000000000000000000000000000000 I
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_9084792.exe a variant of Win32/Kryptik.AAQ trojan (unable to clean) 00000000000000000000000000000000 I
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_92521216.exe a variant of Win32/Kryptik.AAQ trojan (unable to clean) 00000000000000000000000000000000 I
    ESETSmartInstaller@High as downloader log:
    all ok
    # version=7
    # OnlineScannerApp.exe=1.0.0.1
    # OnlineScanner.ocx=1.0.0.6425
    # api_version=3.0.2
    # EOSSerial=d5531ca7203fe54797e590b518b5db27
    # end=finished
    # remove_checked=false
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2011-03-10 09:13:25
    # local_time=2011-03-10 11:13:25 (+0200, GTB Standard Time)
    # country="Greece"
    # lang=1033
    # osver=5.1.2600 NT Service Pack 2
    # compatibility_mode=512 16777215 100 0 1214219 1214219 0 0
    # compatibility_mode=1024 16777215 100 0 0 0 0 0
    # compatibility_mode=1797 16775141 100 93 0 36285366 188346 0
    # compatibility_mode=8192 67108863 100 0 1182877 1182877 0 0
    # scanned=142897
    # found=12
    # cleaned=0
    # scan_time=3187
    G:\_OTM\MovedFiles\03042011_113550\H_office recovery\G\Lost File Results\LostFile_EXE_17977144.exe a variant of Win32/Kryptik.AAQ trojan (unable to clean) 00000000000000000000000000000000 I
    G:\_OTM\MovedFiles\03042011_113550\H_office recovery\G\Lost File Results\LostFile_EXE_18174360.exe a variant of Win32/Kryptik.AAQ trojan (unable to clean) 00000000000000000000000000000000 I
    G:\_OTM\MovedFiles\03042011_113550\H_office recovery\G\Lost File Results\LostFile_EXE_52609881.exe a variant of Win32/Conficker.Y worm (unable to clean) 00000000000000000000000000000000 I
    G:\_OTM\MovedFiles\03042011_113550\H_office recovery\G\Lost File Results\LostFile_EXE_63078584.exe a variant of Win32/Kryptik.AY trojan (unable to clean) 00000000000000000000000000000000 I
    G:\_OTM\MovedFiles\03042011_113550\H_office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_104647160.exe a variant of Win32/Kryptik.AAQ trojan (unable to clean) 00000000000000000000000000000000 I
    G:\_OTM\MovedFiles\03042011_113550\H_office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_10607648.exe a variant of Win32/Kryptik.AAQ trojan (unable to clean) 00000000000000000000000000000000 I
    G:\_OTM\MovedFiles\03042011_113550\H_office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_10630496.exe a variant of Win32/Kryptik.AAQ trojan (unable to clean) 00000000000000000000000000000000 I
    G:\_OTM\MovedFiles\03042011_113550\H_office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_11193632.exe a variant of Win32/Kryptik.AAQ trojan (unable to clean) 00000000000000000000000000000000 I
    G:\_OTM\MovedFiles\03042011_113550\H_office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_5979896.exe a variant of Win32/Kryptik.AAQ trojan (unable to clean) 00000000000000000000000000000000 I
    G:\_OTM\MovedFiles\03042011_113550\H_office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_8634784.exe a variant of Win32/Kryptik.AAQ trojan (unable to clean) 00000000000000000000000000000000 I
    G:\_OTM\MovedFiles\03042011_113550\H_office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_9084792.exe a variant of Win32/Kryptik.AAQ trojan (unable to clean) 00000000000000000000000000000000 I
    G:\_OTM\MovedFiles\03042011_113550\H_office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_92521216.exe a variant of Win32/Kryptik.AAQ trojan (unable to clean) 00000000000000000000000000000000 I
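The log above is the ESET Online Scanner text format: `# key=value` header lines, then one detection per line in the form `path threat (action) hash flags`. As an added example, not part of the thread and not ESET's own tooling, here is a small Python triage script that parses that format and separates hits that sit in OTM's `_OTM\MovedFiles` quarantine from hits on live paths, then matches file names across two scans regardless of drive letter. The sample log is constructed from the paths and detection names in this thread; the `C:\Documents and Settings\...` line and the `EARLIER_SCAN` excerpt are made up to exercise the hash-less and cleaned cases.

```python
"""Triage helper for ESET Online Scanner text logs (added example, not from the thread)."""
import re
from collections import Counter
from pathlib import PureWindowsPath

# Constructed sample in the same shape as the log posted in the thread. Paths and
# detection names come from the thread; the C:\ line is invented to show a live,
# cleaned hit, and the third line has no hash/flags like the helper's excerpts.
SAMPLE_LOG = r"""# version=7
# osver=5.1.2600 NT Service Pack 2
# scanned=142897
# found=4
# cleaned=1
ESETSmartInstaller@High as downloader log:
all ok
G:\_OTM\MovedFiles\03042011_113550\H_office recovery\G\Lost File Results\LostFile_EXE_17977144.exe a variant of Win32/Kryptik.AAQ trojan (unable to clean) 00000000000000000000000000000000 I
G:\_OTM\MovedFiles\03042011_113550\H_office recovery\G\Lost File Results\LostFile_EXE_52609881.exe a variant of Win32/Conficker.Y worm (unable to clean) 00000000000000000000000000000000 I
H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_104647160.exe a variant of Win32/Kryptik.AAQ trojan (unable to clean)
C:\Documents and Settings\user\Local Settings\Temp\LostFile_EXE_63078584.exe probably a variant of Win32/Kryptik.AY trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
"""

# Constructed earlier scan of the same files when they still sat on drive H:.
EARLIER_SCAN = r"""H:\office recovery\G\Lost File Results\LostFile_EXE_17977144.exe a variant of Win32/Kryptik.AAQ trojan (unable to clean)
H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_104647160.exe a variant of Win32/Kryptik.AAQ trojan (unable to clean)
"""

HEADER_RE = re.compile(r"^#\s*(?P<key>[^=]+)=(?P<value>.*)$")
# Path is non-greedy because it contains spaces; the threat name is anchored on the
# 'Family/Name' token ESET always emits, followed by a type word such as trojan/worm.
DETECTION_RE = re.compile(
    r"^(?P<path>.+?) "
    r"(?P<threat>(?:probably )?(?:a variant of )?[A-Za-z0-9]+/\S+(?: [a-z]+)*?) "
    r"\((?P<action>[^)]*)\)"
    r"(?: (?P<hash>[0-9A-Fa-f]{32}))?"
    r"(?: (?P<flags>\S+))?\s*$"
)
# OTM's quarantine folder as it appears in the thread (assumption: default location).
QUARANTINE_MARKERS = ("\\_OTM\\MovedFiles\\",)


def family_of(threat):
    """Strip ESET's qualifiers ('probably', 'a variant of') and the trailing type word."""
    return re.sub(r"^(probably )?(a variant of )?", "", threat).split(" ")[0]


def parse_log(text):
    """Return (header dict, list of detection dicts) for one ESET log."""
    header, detections = {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            header[m.group("key").strip()] = m.group("value").strip()
            continue
        m = DETECTION_RE.match(line)
        if not m:
            continue  # e.g. 'ESETSmartInstaller@High as downloader log:' / 'all ok'
        d = m.groupdict()
        d["family"] = family_of(d["threat"])
        d["basename"] = PureWindowsPath(d["path"]).name
        d["in_quarantine"] = any(mk.lower() in d["path"].lower() for mk in QUARANTINE_MARKERS)
        detections.append(d)
    return header, detections


def summarize(detections):
    """Counts by family and by location: live files versus copies already quarantined."""
    quarantined = sum(1 for d in detections if d["in_quarantine"])
    return {
        "total": len(detections),
        "by_family": dict(Counter(d["family"] for d in detections)),
        "in_quarantine": quarantined,
        "live": len(detections) - quarantined,
        "not_cleaned": sum(1 for d in detections if "unable" in d["action"]),
    }


def same_files(scan_a, scan_b):
    """File names detected in both scans, ignoring drive letter and quarantine path."""
    return sorted({d["basename"] for d in scan_a} & {d["basename"] for d in scan_b})


if __name__ == "__main__":
    header, dets = parse_log(SAMPLE_LOG)
    print("header found/cleaned:", header.get("found"), header.get("cleaned"))
    print("summary:", summarize(dets))
    print("same files as earlier scan:", same_files(parse_log(EARLIER_SCAN)[1], dets))
```

A hit whose path is inside a quarantine folder is the scanner re-reading a file another tool already moved; the "unable to clean" there says nothing about the live system. Only the `live` count, and any name that reappears outside quarantine in a later scan, points at reinfection.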
     
  25. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Eset scans:
    First scan: examples
    H:\office recovery\G\Lost File Results\LostFile_EXE_17977144.exe a variant of Win32/Kryptik.AAQ trojan (unable to clean)
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_104647160.exe a variant of Win32/Kryptik.AAQ trojan (unable to clean)
    Second scan: examples
    H:\office recovery\G\Lost File Results\LostFile_EXE_17977144.exe a variant of Win32/Kryptik.AAQ trojan (unable to clean)
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_104647160.exe a variant of Win32/Kryptik.AAQ trojan (unable to clean) 0000000

    OTM examples
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_104647160.exe moved successfully.
    H:\office recovery\G\Lost File Results\LostFile_EXE_17977144.exe moved successfully.

    Current scan: examples
    G:\_OTM\MovedFiles\03042011_113550\H_office recovery\G\Lost File Results\LostFile_EXE_17977144.exe a variant of Win32/Kryptik.AAQ trojan (unable to clean)
    G:\_OTM\MovedFiles\03042011_113550\H_office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_104647160.exe a variant of Win32/Kryptik.AAQ trojan (unable to clean)
    =========================================
    All infected files were removed from Drive H by OTL.
    I don't know why these drive letters are changing!
    ==========================================
    Delete the contents of the Avast quarantine folder. Please do not run Avast again unless I instruct you to. If you plan to continue using AVG, reinstall it on the system and do an update immediately. Let me know if anything new shows; no log please. AVG put out a bad update that is causing legitimate entries to be flagged as Win32/Heur. If that is your case, the update should handle it.
    ======================================
    I can't tell if you're reinfecting the system or just changing drive letters. Please don't make any more system changes.
    =======================================
    Please disinfect all movable drives again:
    1. Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
    2. Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
      Note: Some security programs will flag Flash_Disinfector as being some sort of malware, you can safely ignore these warnings
    3. The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
    4. Wait until it has finished scanning and then exit the program.
    5. Reboot your computer when done.

    Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder. It will help protect your drives from future infection.
    =================
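The note above describes the folder trick: a directory named `autorun.inf` occupies the name an autorun worm needs for its dropper file. As an added example, not Flash_Disinfector's own code and not part of the thread, the Python below does the two things a practitioner wants around that step: it reads an existing `autorun.inf` leniently (droppers pad the file with junk lines) and flags the generic warning signs, then applies the folder vaccine, renaming rather than deleting any existing file so it can be examined. The `SAMPLE_AUTORUN` content, the `RECYCLER\setup.exe` target and the scratch folder standing in for a USB root are all constructed for the example; the heuristics are the well-known generic ones, not signatures for any particular family.

```python
"""autorun.inf triage and 'folder vaccine' for removable drives (added example)."""
import os
import re
import tempfile
from pathlib import Path

# Constructed autorun.inf in the style of a USB worm dropper (not a real sample).
SAMPLE_AUTORUN = """[autorun]
;padding lines like these are common in obfuscated droppers
xkqv
open=RECYCLER\\setup.exe
shell\\open\\command=RECYCLER\\setup.exe
shell\\open\\default=1
action=Open folder to view files
icon=%SystemRoot%\\system32\\SHELL32.dll,4
"""

LAUNCH_KEYS = ("open", "shellexecute")
COMMAND_RE = re.compile(r"^shell\\[^\\]+\\command$")  # shell\<verb>\command
# Folders Explorer hides by default, a favourite place for a dropped payload.
SUSPICIOUS_DIRS = ("recycler", "recycled", "system volume information")


def parse_autorun(text):
    """Lenient INI parse: keep key=value lines, count everything else as junk."""
    directives, junk = {}, 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("["):
            continue
        if "=" not in line:
            junk += 1
            continue
        key, _, value = line.partition("=")
        directives[key.strip().lower()] = value.strip()  # INI keys are case-insensitive
    return directives, junk


def launch_targets(directives):
    """Values that make Explorer run something: open=, shellexecute=, shell\\*\\command=."""
    return [v for k, v in directives.items() if k in LAUNCH_KEYS or COMMAND_RE.match(k)]


def assess(text):
    """Return a list of human-readable warning signs found in an autorun.inf."""
    d, junk = parse_autorun(text)
    findings = []
    targets = list(dict.fromkeys(launch_targets(d)))  # de-duplicate, keep order
    if targets:
        findings.append("launches a program on insert/double-click: " + "; ".join(targets))
    for t in targets:
        if any(s in t.lower() for s in SUSPICIOUS_DIRS):
            findings.append("target lives in a folder Explorer hides by default: " + t)
    if any(COMMAND_RE.match(k) for k in d):
        findings.append("overrides the drive's Open/Explore verb, so double-click runs the target")
    if "open folder" in d.get("action", "").lower():
        findings.append("action= mimics Explorer's own 'Open folder to view files' entry")
    if junk > 10:
        findings.append(f"{junk} junk lines: padding typical of obfuscated droppers")
    return findings


def vaccinate(drive_root):
    """Make autorun.inf a folder so a worm cannot drop a file of that name.

    An existing autorun.inf FILE is renamed, not deleted, so it can be inspected.
    On Windows the folder also gets the hidden+system attributes, like the tool's.
    """
    root = Path(drive_root)
    target = root / "autorun.inf"
    result = {"quarantined": None, "created": False}
    if target.is_file():
        moved = root / "autorun.inf.quarantined"
        target.rename(moved)
        result["quarantined"] = str(moved)
    if not target.is_dir():
        target.mkdir()
        result["created"] = True
        if os.name == "nt":
            import ctypes
            ctypes.windll.kernel32.SetFileAttributesW(str(target), 0x02 | 0x04)
    return result


def demo():
    """Stand-alone run against a scratch folder standing in for a USB drive root."""
    root = Path(tempfile.mkdtemp(prefix="usb_"))
    (root / "autorun.inf").write_text(SAMPLE_AUTORUN)
    findings = assess((root / "autorun.inf").read_text())
    first, second = vaccinate(root), vaccinate(root)
    return {"findings": findings, "first": first, "second": second,
            "is_dir": (root / "autorun.inf").is_dir(),
            "kept": (root / "autorun.inf.quarantined").read_text() == SAMPLE_AUTORUN}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "->", v)
```

Two caveats the note does not spell out: the folder only denies the dropper its file name, it does nothing about a worm already running, and malware with administrative rights can remove the folder again. Pair it with AutoRun actually being switched off (the `NoDriveTypeAutoRun` value `0xFF` under `HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer`) and treat any `autorun.inf.quarantined` left behind as evidence to look at, not as something cleaned.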
     
Topic Status:
Not open for further replies.
