Solved Unable to remove Win32/Heur


vbakis

Hello everyone!

New member here!

Unfortunately my first post has to be asking for help... My PC got infected by the Win32/Heur virus according to my free AVG Anti-Virus. I tried several times to scan and clean, but it keeps coming back. Any feedback will be appreciated!

Thank you in advance

EDIT: I just read the 8-step removal instructions, and it seems that the system is cleaned, at least that's what MBAM says in the log:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5863

Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

24/2/2011 12:24:01 μμ
mbam-log-2011-02-24 (12-24-01).txt

Scan type: Quick scan
Objects scanned: 136222
Time elapsed: 2 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
 
I tried several times to scan and clean but it keeps coming back, any feedback will be appreciated!

You cannot assume it's clean because one log doesn't show anything. The Win32/Heur finding by AVG is particularly important because it often means there is a Virus or Ramnit malware infection, both of which are considered not curable.

I'd like you to run the following online scan. We'll go from there after I see the log:

Run Eset NOD32 Online AntiVirus scan HERE: http://www.eset.eu/online-scanner
  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the Active X control to install
  4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  5. Click Start
  6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  7. Click Scan
  8. Wait for the scan to finish
  9. Click on "Copy to Clipboard"> (you won't see the 'clipboard')
  10. Click anywhere in the post where you want the logs to go, then do Ctrl V. The log will be sent from the clipboard and pasted in the post.
  11. Re-enable your Antivirus software.
    NOTE: If you forget to copy to the clipboard, you can find the log here:
    C:\Program Files\EsetOnlineScanner\log.txt. Please include this in your post.
 
ESET Online Scanner just finished and these are the results:

H:\office recovery\G\Lost File Results\LostFile_EXE_17977144.exe a variant of Win32/Kryptik.AAQ trojan
H:\office recovery\G\Lost File Results\LostFile_EXE_18174360.exe a variant of Win32/Kryptik.AAQ trojan
H:\office recovery\G\Lost File Results\LostFile_EXE_52609881.exe a variant of Win32/Conficker.Y worm
H:\office recovery\G\Lost File Results\LostFile_EXE_5472056.exe a variant of Win32/TrojanDownloader.FakeAlert.GO trojan
H:\office recovery\G\Lost File Results\LostFile_EXE_63078584.exe a variant of Win32/Kryptik.AY trojan
H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_104647160.exe a variant of Win32/Kryptik.AAQ trojan
H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_10607648.exe a variant of Win32/Kryptik.AAQ trojan
H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_10630496.exe a variant of Win32/Kryptik.AAQ trojan
H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_11193632.exe a variant of Win32/Kryptik.AAQ trojan
H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_5979896.exe a variant of Win32/Kryptik.AAQ trojan
H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_8634784.exe a variant of Win32/Kryptik.AAQ trojan
H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_9084792.exe a variant of Win32/Kryptik.AAQ trojan
H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_92521216.exe a variant of Win32/Kryptik.AAQ trojan
 
What is Drive H? What did you do with 'office recovery'?

Your system is not clean. Please answer my questions and then go on with the rest of the preliminary steps in the Preliminary Virus and Malware Removal thread HERE.

When you have finished, leave the logs for review in your next reply .
NOTE: Logs must be pasted in the replies. Attached logs will not be reviewed.

Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.
 
I connected a hard drive to my computer but Windows wouldn't recognise it. I had to format it and then used software to recover the files and saved them on an external USB hard drive (H:).
 
Unfortunately those files had malware. You will have to disinfect the flash drive:
  1. Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  2. Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
    Note: Some security programs will flag Flash_Disinfector as being some sort of malware, you can safely ignore these warnings
  3. The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  4. Wait until it has finished scanning and then exit the program.
  5. Reboot your computer when done.
==========================================
Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder. It will help protect your drives from future infection.
=======================================
If you would like us to check the system for malware, please follow the steps in the Preliminary Virus and Malware Removal thread HERE.

When you have finished, leave the logs for review in your next reply .
NOTE: Logs must be pasted in the replies. Attached logs will not be reviewed.

Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.
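The protective autorun.inf folder described in the note above is something you can verify yourself. The script below is an added example, not code from the thread or from Flash_Disinfector: for every fixed or removable drive it reports whether the root autorun.inf is absent, the protective folder, or a plain file (the form an autorun worm writes, so its launch lines are shown for review), and with -Fix it creates the hidden folder only where nothing exists. It uses Windows PowerShell 2.0 syntax so it also runs on the XP machine in this thread; the exact internal layout Flash_Disinfector gives its folder is not reproduced.

```powershell
# Added example, not from the thread or Flash_Disinfector. Reports the state of
# autorun.inf on each fixed/removable drive; -Fix adds the protective folder
# where none exists. An existing FILE is never touched, only reported.
param([switch]$Fix)

function Get-AutorunState {
    param([string]$Root)
    $path = Join-Path $Root 'autorun.inf'
    if (-not (Test-Path -LiteralPath $path)) { return 'absent' }
    $item = Get-Item -LiteralPath $path -Force      # -Force also sees hidden items
    if ($item.PSIsContainer) { return 'folder' }    # protective placeholder
    return 'file'                                   # what an autorun worm writes
}

function Get-AutorunCommands {
    # Lines in an autorun.inf FILE that would launch something on insertion.
    param([string]$Path)
    Get-Content -LiteralPath $Path -Force -ErrorAction SilentlyContinue |
        Where-Object { $_ -match '^\s*(open|shellexecute|shell\\[^=]*\\command)\s*=' }
}

function New-ProtectiveAutorun {
    param([string]$Root)
    $path = Join-Path $Root 'autorun.inf'
    $dir = New-Item -ItemType Directory -Path $path
    # Hidden+System+ReadOnly: a folder with this name blocks a worm from
    # creating the file it needs, and stays out of casual directory listings.
    $dir.Attributes = [IO.FileAttributes]'Hidden, System, ReadOnly'
}

# DriveType 2 = removable, 3 = fixed; CD-ROM and network drives are skipped.
$drives = Get-WmiObject Win32_LogicalDisk |
    Where-Object { $_.DriveType -eq 2 -or $_.DriveType -eq 3 }

foreach ($d in $drives) {
    $root = $d.DeviceID + '\'
    if (-not (Test-Path -LiteralPath $root)) { continue }   # e.g. empty card reader
    $state = Get-AutorunState -Root $root
    switch ($state) {
        'folder' { Write-Host "$root autorun.inf is a folder (protected)" }
        'file'   {
            Write-Host "$root autorun.inf is a FILE - review before removing:"
            Get-AutorunCommands -Path (Join-Path $root 'autorun.inf') |
                ForEach-Object { Write-Host "    $_" }
        }
        'absent' {
            if ($Fix) {
                New-ProtectiveAutorun -Root $root
                Write-Host "$root protective autorun.inf folder created"
            } else {
                Write-Host "$root no autorun.inf (run with -Fix to add the protective folder)"
            }
        }
    }
}
```

Run it without -Fix first; a drive that reports a FILE is the one to look at, since that is how an infected recovery drive like H: would re-infect a machine on the next insertion.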
 
OK, I downloaded Flash_Disinfector and ran it, and after 10 sec I got a screen message "Done!" and clicked OK; after that I rebooted my computer. What shall I do next?

P.S. Flash_Disinfector didn't create any hidden folder or file named autorun.inf
 
Please go ahead with the steps in the Preliminary Virus and Malware Removal thread HERE.

When you have finished, leave the logs for review in your next reply .
NOTE: Logs must be pasted in the replies. Attached logs will not be reviewed.
 

Hello again. I followed the 8-step guide but am having trouble at step 5 where I need to run the DDS script; Windows recognises it as an AutoCAD script, and when I double-click it, it opens a Notepad file and that's it, no log files...
 
Please download this file: xp_scr_fix.

Unpack (unzip) the file onto your desktop and double-click it. You will be asked if you wish to merge the file with your registry; say Yes.

You should then be able to run DDS.scr.

It's the .scr file extension causing the problem.
 
OK, DDS worked fine after the scr fix, thanks a lot! These are the log files from the scans I performed:

GMER Log
GMER 1.0.15.15530 - http://www.gmer.net
Rootkit quick scan 2011-02-28 10:35:37
Windows 5.1.2600 Service Pack 2 Harddisk1\DR1 -> \Device\Ide\IdeDeviceP2T0L0-e ST3250318AS rev.CC37
Running: ikz0n6lh.exe; Driver: G:\DOCUME~1\Vasilis\LOCALS~1\Temp\kwniqfob.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

---- EOF - GMER 1.0.15 ----




DDS Log

DDS (Ver_10-12-12.02) - NTFSx86
Run by Vasilis at 11:41:19,92 on ’¨* 01/03/2011
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1253.30.1033.18.1535.855 [GMT 2:00]

AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

G:\PROGRA~1\AVG\AVG10\avgchsvx.exe
G:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
G:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
G:\WINDOWS\system32\spoolsv.exe
G:\WINDOWS\Explorer.EXE
G:\WINDOWS\SOUNDMAN.EXE
G:\Program Files\AVG\AVG10\avgtray.exe
G:\Program Files\HP\HP Software Update\HPWuSchd2.exe
svchost.exe
G:\Program Files\iTunes\iTunesHelper.exe
G:\WINDOWS\system32\ctfmon.exe
G:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
G:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
G:\Program Files\AVG\AVG10\avgwdsvc.exe
G:\Program Files\Bonjour\mDNSResponder.exe
G:\WINDOWS\system32\svchost.exe -k imgsvc
G:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
G:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
G:\Program Files\AVG\AVG10\avgnsx.exe
G:\Program Files\AVG\AVG10\avgemcx.exe
G:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
G:\Program Files\iPod\bin\iPodService.exe
G:\WINDOWS\system32\wuauclt.exe
G:\Program Files\Windows Live\Mail\wlmail.exe
G:\Program Files\Windows Live\Contacts\wlcomm.exe
G:\PROGRA~1\AVG\AVG10\avgrsx.exe
G:\Program Files\AVG\AVG10\avgcsrvx.exe
G:\Documents and Settings\Vasilis\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
G:\Documents and Settings\Vasilis\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
G:\Documents and Settings\Vasilis\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
G:\Documents and Settings\Vasilis\My Documents\Downloads\Protection - Antivirus -Spyware\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - g:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - g:\program files\avg\avg10\avgssie.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - g:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
uRun: [CTFMON.EXE] g:\windows\system32\ctfmon.exe
uRun: [Google Update] "g:\documents and settings\vasilis\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [AVG_TRAY] g:\program files\avg\avg10\avgtray.exe
mRun: [ATICustomerCare] "g:\program files\ati\aticustomercare\ATICustomerCare.exe"
mRun: [Adobe Reader Speed Launcher] "g:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "g:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [HP Software Update] g:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [QuickTime Task] "g:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "g:\program files\itunes\iTunesHelper.exe"
dRun: [CTFMON.EXE] g:\windows\system32\CTFMON.EXE
StartupFolder: g:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - g:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: Ε&ξαγωγή στο Microsoft Excel - g:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - g:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - g:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - g:\program files\avg\avg10\avgpp.dll

============= SERVICES / DRIVERS ===============

R0 AVGIDSEH;AVGIDSEH;g:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 25680]
R0 Avgrkx86;AVG Anti-Rootkit Driver;g:\windows\system32\drivers\avgrkx86.sys [2010-9-7 26064]
R1 Avgldx86;AVG AVI Loader Driver;g:\windows\system32\drivers\avgldx86.sys [2010-12-8 251728]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;g:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34384]
R1 Avgtdix;AVG TDI Driver;g:\windows\system32\drivers\avgtdix.sys [2010-11-12 299984]
R2 AVGIDSAgent;AVGIDSAgent;g:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2011-1-6 6128720]
R2 avgwd;AVG WatchDog;g:\program files\avg\avg10\avgwdsvc.exe [2010-10-22 265400]
R3 AVGIDSDriver;AVGIDSDriver;g:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-3 123472]
R3 AVGIDSFilter;AVGIDSFilter;g:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-3 30288]
R3 AVGIDSShim;AVGIDSShim;g:\windows\system32\drivers\AVGIDSShim.sys [2010-8-3 26192]

=============== Created Last 30 ================

2011-02-28 11:58:54 -------- d-----w- g:\program files\MSXML 4.0
2011-02-25 11:12:32 26600 ----a-w- g:\windows\system32\drivers\GEARAspiWDM.sys
2011-02-25 11:12:32 107368 ----a-w- g:\windows\system32\GEARAspi.dll
2011-02-25 11:11:33 -------- d-----w- g:\program files\iPod
2011-02-25 11:11:30 -------- d-----w- g:\program files\iTunes
2011-02-25 11:11:30 -------- d-----w- g:\docume~1\alluse~1\applic~1\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2011-02-25 11:11:05 159744 ----a-w- g:\program files\internet explorer\plugins\npqtplugin7.dll
2011-02-25 11:11:05 159744 ----a-w- g:\program files\internet explorer\plugins\npqtplugin6.dll
2011-02-25 11:11:05 159744 ----a-w- g:\program files\internet explorer\plugins\npqtplugin5.dll
2011-02-25 11:11:05 159744 ----a-w- g:\program files\internet explorer\plugins\npqtplugin4.dll
2011-02-25 11:11:05 159744 ----a-w- g:\program files\internet explorer\plugins\npqtplugin3.dll
2011-02-25 11:11:05 159744 ----a-w- g:\program files\internet explorer\plugins\npqtplugin2.dll
2011-02-25 11:11:05 159744 ----a-w- g:\program files\internet explorer\plugins\npqtplugin.dll
2011-02-25 11:10:25 -------- d-----w- g:\docume~1\vasilis\locals~1\applic~1\Apple
2011-02-25 11:10:13 41984 ----a-w- g:\windows\system32\drivers\usbaapl.sys
2011-02-25 11:10:13 4184352 ----a-w- g:\windows\system32\usbaaplrc.dll
2011-02-25 11:09:29 -------- d-----w- g:\program files\Bonjour
2011-02-25 11:08:39 -------- d-----w- g:\docume~1\vasilis\locals~1\applic~1\Apple Computer
2011-02-24 16:45:40 -------- d-----w- g:\program files\ESET
2011-02-24 08:17:17 -------- d-----w- g:\docume~1\vasilis\applic~1\Malwarebytes
2011-02-24 08:17:02 38224 ----a-w- g:\windows\system32\drivers\mbamswissarmy.sys
2011-02-24 08:17:02 -------- d-----w- g:\docume~1\alluse~1\applic~1\Malwarebytes
2011-02-24 08:16:59 20952 ----a-w- g:\windows\system32\drivers\mbam.sys
2011-02-24 08:16:59 -------- d-----w- g:\program files\Malwarebytes' Anti-Malware
2011-02-24 08:03:18 -------- d-----w- g:\program files\Trend Micro
2011-02-22 16:55:28 -------- d-----w- g:\program files\common files\HP
2011-02-22 16:52:42 -------- d-----w- g:\program files\common files\Hewlett-Packard
2011-02-22 16:51:19 74240 ----a-w- g:\windows\system32\spool\prtprocs\w32x86\hpzpp054.dll
2011-02-22 16:51:19 38400 ----a-w- g:\windows\system32\hpz3l054.dll
2011-02-22 16:50:24 94208 ----a-w- g:\windows\system32\HPZipt12.dll
2011-02-22 16:50:24 69632 ----a-w- g:\windows\system32\HPZipm12.exe
2011-02-22 16:50:24 65536 ----a-w- g:\windows\system32\HPZinw12.exe
2011-02-22 16:50:24 57344 ----a-w- g:\windows\system32\HPZisn12.dll
2011-02-22 16:50:24 204800 ----a-w- g:\windows\system32\HPZipr12.dll
2011-02-22 16:50:23 306688 ----a-w- g:\windows\IsUninst.exe
2011-02-22 16:50:23 282680 ----a-w- g:\windows\system32\HPZidr12.dll
2011-02-22 16:49:46 -------- d-----w- g:\program files\HP
2011-02-22 16:46:46 49664 ----a-w- g:\windows\system32\drivers\HPZid412.sys
2011-02-22 16:46:46 21568 ----a-w- g:\windows\system32\drivers\HPZius12.sys
2011-02-22 16:46:46 16496 ----a-w- g:\windows\system32\drivers\HPZipr12.sys
2011-02-22 16:44:22 827392 ----a-w- g:\windows\system32\hpotiop2.dll
2011-02-22 16:44:22 659456 ----a-w- g:\windows\system32\hpowiax2.dll
2011-02-22 16:44:21 282624 ----a-w- g:\windows\system32\HPZc3212.dll
2011-02-22 16:44:21 254026 ----a-w- g:\windows\system32\hpovst09.dll
2011-02-22 16:44:20 98304 ----a-w- g:\windows\system32\hpzjsn01.dll
2011-02-22 16:44:20 77824 ----a-w- g:\windows\system32\HPZIDS01.dll
2011-02-22 12:47:39 25856 -c--a-w- g:\windows\system32\dllcache\usbprint.sys
2011-02-22 12:47:39 25856 ----a-w- g:\windows\system32\drivers\usbprint.sys
2011-02-22 12:46:54 31616 -c--a-w- g:\windows\system32\dllcache\usbccgp.sys
2011-02-22 12:46:54 31616 ----a-w- g:\windows\system32\drivers\usbccgp.sys
2011-02-22 08:04:03 274288 ----a-w- g:\windows\system32\mucltui.dll
2011-02-22 08:04:03 215920 ----a-w- g:\windows\system32\muweb.dll
2011-02-22 08:04:03 16736 ----a-w- g:\windows\system32\mucltui.dll.mui
2011-02-21 11:36:43 -------- d-----w- g:\docume~1\vasilis\locals~1\applic~1\Adobe
2011-02-21 11:25:10 -------- d-----w- g:\documents and settings\vasilis\Tracing
2011-02-21 11:24:02 3426072 ----a-w- g:\windows\system32\d3dx9_32.dll
2011-02-21 11:23:53 -------- d-----w- g:\program files\Microsoft SQL Server Compact Edition
2011-02-21 11:22:25 -------- d-----w- g:\program files\Microsoft
2011-02-21 11:22:07 -------- d-----w- g:\program files\Windows Live SkyDrive
2011-02-21 11:20:37 484632 ----a-w- g:\program files\common files\windows live\.cache\5cf9c4be1cbd1b9\DXSETUP.exe
2011-02-21 11:20:36 74520 ----a-w- g:\program files\common files\windows live\.cache\5cf9c4be1cbd1b9\DSETUP.dll
2011-02-21 11:20:36 1670936 ----a-w- g:\program files\common files\windows live\.cache\5cf9c4be1cbd1b9\dsetup32.dll
2011-02-21 11:20:23 1013800 ----a-w- g:\program files\common files\windows live\.cache\54ab13261cbd1b9\WindowsXP-KB954708-x86-ENU.exe
2011-02-21 11:20:02 1229688 ----a-w- g:\program files\common files\windows live\.cache\48a9dbfc1cbd1b9\wic_x86_enu.exe
2011-02-21 11:13:57 -------- d-----w- g:\program files\common files\Windows Live
2011-02-21 11:07:41 -------- d-----w- g:\program files\ATI
2011-02-21 11:07:09 -------- d-----w- g:\program files\ATI Technologies
2011-02-21 11:05:57 -------- d-----w- G:\ATI
2011-02-21 10:45:49 -------- d--h--w- G:\$AVG
2011-02-21 10:44:29 -------- d-----w- g:\program files\MSXML 6.0
2011-02-21 10:38:42 -------- d-----w- g:\windows\ServicePackFiles
2011-02-21 08:08:42 -------- d-----w- g:\windows\system32\CatRoot_bak
2011-02-21 08:02:21 454016 -c----w- g:\windows\system32\dllcache\mrxsmb.sys
2011-02-21 08:01:46 2137088 -c----w- g:\windows\system32\dllcache\ntkrnlmp.exe
2011-02-21 08:01:45 2181376 -c----w- g:\windows\system32\dllcache\ntoskrnl.exe
2011-02-21 08:01:45 2016768 -c----w- g:\windows\system32\dllcache\ntkrpamp.exe
2011-02-21 08:01:44 2058368 -c----w- g:\windows\system32\dllcache\ntkrnlpa.exe
2011-02-21 08:00:22 272128 -c----w- g:\windows\system32\dllcache\bthport.sys
2011-02-21 08:00:22 272128 ------w- g:\windows\system32\drivers\bthport.sys
2011-02-21 07:58:10 293376 ------w- g:\windows\system32\browserchoice.exe
2011-02-21 07:57:41 12160 -c--a-w- g:\windows\system32\dllcache\mouhid.sys
2011-02-21 07:57:41 12160 ----a-w- g:\windows\system32\drivers\mouhid.sys
2011-02-21 07:57:37 9600 -c--a-w- g:\windows\system32\dllcache\hidusb.sys
2011-02-21 07:57:37 9600 ----a-w- g:\windows\system32\drivers\hidusb.sys
2011-02-18 19:59:30 26488 ----a-w- g:\windows\system32\spupdsvc.exe
2011-02-18 19:59:30 -------- d-----w- g:\windows\system32\PreInstall
2011-02-18 19:47:10 165376 ----a-w- g:\windows\system32\unrar.dll
2011-02-18 19:47:09 839680 ----a-w- g:\windows\system32\lameACM.acm
2011-02-18 19:47:08 810496 ----a-w- g:\windows\system32\xvidcore.dll
2011-02-18 19:47:08 80896 ----a-w- g:\windows\system32\ff_vfw.dll
2011-02-18 19:47:08 237568 ----a-w- g:\windows\system32\yv12vfw.dll
2011-02-18 19:47:08 183808 ----a-w- g:\windows\system32\xvidvfw.dll
2011-02-18 19:47:08 151552 ----a-w- g:\windows\system32\ac3acm.acm
2011-02-18 19:47:05 -------- d-----w- g:\program files\K-Lite Codec Pack
2011-02-18 17:05:43 -------- d-----w- g:\docume~1\alluse~1\applic~1\Blizzard Entertainment
2011-02-18 16:37:33 -------- d-----w- g:\windows\system32\SoftwareDistribution
2011-02-18 16:32:38 -------- d-----w- g:\docume~1\vasilis\applic~1\AVG10
2011-02-18 16:31:28 -------- d--h--w- g:\docume~1\alluse~1\applic~1\Common Files
2011-02-18 16:30:41 -------- d-----w- g:\windows\system32\drivers\AVG
2011-02-18 16:30:41 -------- d-----w- g:\docume~1\alluse~1\applic~1\AVG10
2011-02-18 16:30:24 -------- d-----w- g:\program files\AVG
2011-02-18 16:19:26 -------- d-----w- g:\docume~1\alluse~1\applic~1\MFAData
2011-02-18 16:09:40 -------- d--h--w- g:\windows\$hf_mig$
2011-02-18 12:15:58 -------- d-----w- g:\program files\Realtek Sound Manager
2011-02-18 12:03:43 -------- d-----w- g:\program files\AutoCAD 2008
2011-02-18 12:03:43 -------- d-----w- g:\docume~1\vasilis\applic~1\Autodesk
2011-02-18 12:03:01 409600 ----a-w- g:\program files\common files\installshield\driver\10\intel 32\ISRT.dll
2011-02-18 12:03:01 32768 ----a-w- g:\program files\common files\installshield\driver\10\intel 32\objpscnv.dll
2011-02-18 12:03:01 262144 ----a-w- g:\program files\common files\installshield\driver\10\intel 32\IScrCnv.dll
2011-02-18 12:03:01 180224 ----a-w- g:\program files\common files\installshield\driver\10\intel 32\iGdiCnv.dll
2011-02-18 12:03:01 172032 ----a-w- g:\program files\common files\installshield\driver\10\intel 32\IUserCnv.dll
2011-02-18 12:03:00 761856 ----a-w- g:\program files\common files\installshield\driver\10\intel 32\IDriver.exe
2011-02-18 12:02:59 540772 ----a-w- g:\program files\common files\installshield\driver\10\intel 32\_ISRES1033.dll
2011-02-18 12:02:38 -------- d-----w- g:\program files\common files\Autodesk Shared
2011-02-18 12:02:38 -------- d-----w- g:\program files\Autodesk
2011-02-18 12:02:38 -------- d-----w- g:\docume~1\vasilis\locals~1\applic~1\Autodesk
2011-02-18 11:40:28 28552 ----a-w- g:\windows\system32\spool\prtprocs\w32x86\mdippr.dll
2011-02-18 11:40:28 28040 ----a-w- g:\windows\system32\mdimon.dll
2011-02-18 11:39:51 -------- d-----w- g:\windows\SHELLNEW
2011-02-18 11:36:12 -------- d-----w- g:\docume~1\vasilis\locals~1\applic~1\Temp
2011-02-18 11:36:09 -------- d-----w- g:\docume~1\vasilis\locals~1\applic~1\Google
2011-02-17 17:41:09 -------- d-----w- g:\program files\GetData
2011-02-17 17:36:14 -------- d-----w- G:\GetData Recover My Files Professional Edition v4.6.8.993
2011-02-17 17:31:39 396152 ----a-w- g:\program files\uTorrent.exe
2011-02-17 16:57:38 5632 ----a-w- g:\windows\system32\ptpusb.dll
2011-02-17 16:57:36 159232 ----a-w- g:\windows\system32\ptpusd.dll
2011-02-17 16:57:33 15104 -c--a-w- g:\windows\system32\dllcache\usbscan.sys
2011-02-17 16:57:33 15104 ----a-w- g:\windows\system32\drivers\usbscan.sys

==================== Find3M ====================


============= FINISH: 11:42:23,75 ===============


Attach Log

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-12-12.02)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 17/2/2011 12:27:28 μμ
System Uptime: 1/3/2011 11:28:03 πμ (0 hours ago)

Motherboard: Gigabyte Technology Co., Ltd. | | 8IPE775/-G
Processor: Intel(R) Pentium(R) 4 CPU 2.80GHz | Socket 478 | 2813/200mhz
Processor: Intel(R) Pentium(R) 4 CPU 2.80GHz | Socket 478 | 2813/200mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 233 GiB total, 195,228 GiB free.
D: is Removable
E: is CDROM ()
F: is CDROM ()
G: is FIXED (NTFS) - 112 GiB total, 98,966 GiB free.
H: is FIXED (NTFS) - 233 GiB total, 84,556 GiB free.

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP1: 17/2/2011 12:29:43 μμ - System Checkpoint
RP2: 17/2/2011 12:32:47 μμ - Installed Marvell Miniport Driver
RP3: 18/2/2011 12:33:19 μμ - System Checkpoint
RP4: 18/2/2011 1:39:13 μμ - Εγκατάσταση Microsoft Office Professional Edition 2003
RP5: 18/2/2011 1:57:02 μμ - Installed Windows Installer KB893803v2.
RP6: 18/2/2011 2:02:08 μμ - Installed DirectX
RP7: 18/2/2011 2:15:42 μμ - Εγκατεστημένο Realtek AC'97 Audio
RP8: 18/2/2011 6:09:47 μμ - Installed Windows XP KB914882.
RP9: 18/2/2011 6:30:16 μμ - Installed Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
RP10: 18/2/2011 6:30:23 μμ - Installed AVG 2011
RP11: 18/2/2011 6:30:35 μμ - Installed AVG 2011
RP12: 18/2/2011 9:59:24 μμ - Software Distribution Service 3.0
RP13: 21/2/2011 11:59:08 πμ - System Checkpoint
RP14: 21/2/2011 12:36:23 μμ - Software Distribution Service 3.0
RP15: 21/2/2011 1:23:09 μμ - Installed Windows XP WIC.
RP16: 21/2/2011 1:23:45 μμ - Installed Windows XP KB954708.
RP17: 21/2/2011 1:24:01 μμ - Installed DirectX
RP18: 21/2/2011 1:34:42 μμ - Installed Adobe Reader X (10.0.1).
RP19: 22/2/2011 3:46:32 μμ - System Checkpoint
RP20: 22/2/2011 6:54:07 μμ - Installed HPSU306Stub
RP21: 22/2/2011 10:05:41 μμ - Software Distribution Service 3.0
RP22: 24/2/2011 11:48:28 πμ - System Checkpoint
RP23: 25/2/2011 1:11:18 μμ - Installed iTunes
RP24: 26/2/2011 2:15:26 μμ - System Checkpoint
RP25: 28/2/2011 11:06:49 πμ - System Checkpoint
RP26: 28/2/2011 1:58:19 μμ - Software Distribution Service 3.0

==== Installed Programs ======================

µTorrent
Adobe Flash Player 10 ActiveX
Adobe Reader X (10.0.1)
AiO_Scan_CDA
AiOSoftwareNPI
Apple Application Support
Apple Mobile Device Support
Apple Software Update
ATI Catalyst Install Manager
ATI Catalyst Registration
AutoCAD 2008 - English
Autodesk DWF Viewer 7
AVG 2011
Bonjour
BufferChm
C3100
c3100_Help
Destinations
DeviceManagementQFolder
DocProc
DocProcQFolder
ESET Online Scanner v3
eSupportQFolder
Fax_CDA
Google Chrome
HijackThis 2.0.2
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954708)
Hotfix for Windows XP (KB976002-v5)
Hotfix for Windows XP (KB981793)
HP Imaging Device Functions 7.0
HP Photosmart Essential
HP Photosmart, Officejet and Deskjet 7.0.A
HP Software Update
HP Solution Center 7.0
HPPhotoSmartExpress
HPProductAssistant
InstantShareDevicesMFC
iTunes
Junk Mail filter update
K-Lite Codec Pack 6.9.0 (Full)
Malwarebytes' Anti-Malware
Marvell Miniport Driver
Microsoft .NET Framework 2.0
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Office Live Add-in 1.3
Microsoft Office Professional Edition 2003
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
MSVCRT
MSXML 4.0 SP2 (KB954430)
MSXML 6 Service Pack 2 (KB973686)
NewCopy_CDA
OCR Software by I.R.I.S 7.0
PanoStandAlone
ProductContextNPI
QuickTime
R-Studio 4.5
Readme
Realtek AC'97 Audio
Recuva
Scan
ScannerCopy
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player (KB979402)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB944338-v2)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB958470)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971032)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB981350)
Security Update for Windows XP (KB982381)
Segoe UI
SolutionCenter
Status
Toolbox
TrayApp
Unload
Update for Windows XP (KB898461)
Update for Windows XP (KB914882)
Update for Windows XP (KB955759)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
VBA (2627.01)
WebFldrs XP
WebReg
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Mail
Windows Live Messenger
Windows Live Photo Gallery
Windows Live Sign-in Assistant
Windows Live Sync
Windows Live Upload Tool
WinRAR archiver

==== Event Viewer Messages From Past Week ========

28/2/2011 10:18:06 πμ, error: Service Control Manager [7034] - The iPod Service service terminated unexpectedly. It has done this 1 time(s).
28/2/2011 10:18:06 πμ, error: Service Control Manager [7034] - The Bonjour Service service terminated unexpectedly. It has done this 1 time(s).
28/2/2011 10:18:06 πμ, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.

==== End Of File ===========================
 
Please run the following:


Run Eset NOD32 Online AntiVirus scan HERE: http://www.eset.eu/online-scanner
  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the Active X control to install
  4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  5. Click Start
  6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  7. Click Scan
  8. Wait for the scan to finish
  9. Click on "Copy to Clipboard"> (you won't see the 'clipboard')
  10. Click anywhere in the post where you want the logs to go, then do Ctrl V. The log will be sent from the clipboard and pasted in the post.
  11. Re-enable your Antivirus software.
    NOTE: If you forget to copy to the clipboard, you can find the log here:
    C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
======================================
Download Combofix to your desktop from one of these locations:
Link 1
Link 2
http://www.forospyware.com/sUBs/ComboFix.exe
  • Double click combofix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Query- Recovery Console image
    RcAuto1.gif

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
    whatnext.png
  • Click on Yes, to continue scanning for malware
  • If Combofix asks you to update the program, allow
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Close any open browsers.
  • Double click combofix.exe & follow the prompts to run.
  • When the scan completes it will open a text window. Please paste that log in your next reply.
Re-enable your Antivirus software.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
 
Here are the log files from ESET online scanner and Combofix:

ESET

H:\office recovery\G\Lost File Results\LostFile_EXE_17977144.exe a variant of Win32/Kryptik.AAQ trojan
H:\office recovery\G\Lost File Results\LostFile_EXE_18174360.exe a variant of Win32/Kryptik.AAQ trojan
H:\office recovery\G\Lost File Results\LostFile_EXE_52609881.exe a variant of Win32/Conficker.Y worm
H:\office recovery\G\Lost File Results\LostFile_EXE_5472056.exe a variant of Win32/TrojanDownloader.FakeAlert.GO trojan
H:\office recovery\G\Lost File Results\LostFile_EXE_63078584.exe a variant of Win32/Kryptik.AY trojan
H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_104647160.exe a variant of Win32/Kryptik.AAQ trojan
H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_10607648.exe a variant of Win32/Kryptik.AAQ trojan
H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_10630496.exe a variant of Win32/Kryptik.AAQ trojan
H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_11193632.exe a variant of Win32/Kryptik.AAQ trojan
H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_5979896.exe a variant of Win32/Kryptik.AAQ trojan
H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_8634784.exe a variant of Win32/Kryptik.AAQ trojan
H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_9084792.exe a variant of Win32/Kryptik.AAQ trojan
H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_92521216.exe a variant of Win32/Kryptik.AAQ trojan


Combofix

ComboFix 11-03-01.03 - Vasilis 02/03/2011 12:54:34.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1253.30.1033.18.1535.1248 [GMT 2:00]
Running from: g:\documents and settings\Vasilis\My Documents\Downloads\Protection - Antivirus -Spyware\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2011-02-02 to 2011-03-02 )))))))))))))))))))))))))))))))
.

2011-02-21 11:05 . 2011-02-21 11:05 -------- d-----w- G:\ATI
2011-02-21 10:45 . 2011-02-21 10:45 -------- d-----w- G:\$AVG
2011-02-18 11:38 . 2011-02-18 11:38 -------- d-----r- G:\MSOCache
2011-02-17 17:36 . 2011-02-17 17:37 -------- d-----w- G:\GetData Recover My Files Professional Edition v4.6.8.993

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="g:\documents and settings\Vasilis\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2011-02-18 136176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2006-08-02 577536]
"ATICustomerCare"="g:\program files\ATI\ATICustomerCare\ATICustomerCare.exe" [2010-05-04 311296]
"Adobe Reader Speed Launcher"="g:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]
"Adobe ARM"="g:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
"HP Software Update"="g:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
"QuickTime Task"="g:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"iTunesHelper"="g:\program files\iTunes\iTunesHelper.exe" [2011-01-25 421160]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="g:\windows\system32\CTFMON.EXE" [2004-08-03 15360]

g:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - g:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\uTorrent.exe"=
"g:\\Program Files\\uTorrent.exe"=
"h:\\World of Warcraft\\Launcher.exe"=
"g:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"g:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"g:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"g:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"g:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"g:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"g:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"g:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"g:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"g:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"g:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"g:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"g:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"g:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"g:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"g:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"g:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"g:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"g:\\Program Files\\iTunes\\iTunes.exe"=
"g:\\Program Files\\World of Warcraft\\Launcher.exe"=

.
Contents of the 'Scheduled Tasks' folder

2011-02-25 g:\windows\Tasks\AppleSoftwareUpdate.job
- g:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 09:50]

2011-03-01 g:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-527237240-1220945662-725345543-1003Core.job
- g:\documents and settings\Vasilis\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-02-18 11:36]

2011-03-02 g:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-527237240-1220945662-725345543-1003UA.job
- g:\documents and settings\Vasilis\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-02-18 11:36]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: Ε&ξαγωγή στο Microsoft Excel - g:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-02 12:58
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@g:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="g:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2011-03-02 12:59:48
ComboFix-quarantined-files.txt 2011-03-02 10:59

Pre-Run: 85.622.730.752 bytes free
Post-Run: 85.610.295.296 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - D3CF96671147BDC76B8DFE7AB3C02E66
 
Please download OTMoveIt by Old Timer and save to your desktop.
  • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    Code:
    :Files  
    H:\office recovery\G\Lost File Results\LostFile_EXE_17977144.exe 
    H:\office recovery\G\Lost File Results\LostFile_EXE_18174360.exe 
    H:\office recovery\G\Lost File Results\LostFile_EXE_52609881.exe 
    H:\office recovery\G\Lost File Results\LostFile_EXE_5472056.exe 
    H:\office recovery\G\Lost File Results\LostFile_EXE_63078584.exe 
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_104647160.exe 
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_10607648.exe 
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_10630496.exe 
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_11193632.exe 
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_5979896.exe 
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_8634784.exe 
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_9084792.exe 
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_92521216.exe 
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
===========================================
Go ahead and run the above. The Office Recovery and partition you loaded were infected. One infection is Conficker Worm, another Trojan.FakeAlert.

Edit: Go right on to the scan in the next reply.
 
I'd like you also to go ahead and run the following- a file infector named Virut is frequently seen with the AVG finds of Win32/Heur:

  • Make sure to use Internet Explorer for this
  • Please go to VirSCAN.org free on-line scan service
  • Copy and paste each of the following file paths into the "Suspicious files to scan" box on the top of the page, one at a time:

    c:\windows\system32\userinit.exe

    c:\windows\explorer.exe

    c:\windows\system32\svchost.exe


  • Click on the Upload button
  • If a pop-up appears saying the file has been scanned already, please select the ReScan button.
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.
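The reasoning behind this request, as an added example that is not part of the thread and not code from VirSCAN, AVG or any other tool named here: a file infector such as Virut changes the system binaries it lives in, so a defender can fingerprint those binaries (size, MD5, SHA-1, the same fields VirSCAN prints in its report header) against a baseline taken from a known-clean copy and flag any change. The three file names come from the post above; the file contents, the baseline source and the tampering are constructed stand-ins so the script runs offline.

```python
import hashlib

# Added example: integrity check for the three system binaries the helper
# asked to have scanned. File contents below are CONSTRUCTED stand-ins so
# the example runs offline; on a real machine the files would be read from
# disk and the baseline would come from clean install media (assumption).
WATCHLIST = ("userinit.exe", "explorer.exe", "svchost.exe")


def fake_pe(tag: bytes) -> bytes:
    """Constructed stand-in for a PE file: 'MZ' header, e_lfanew = 0x40
    pointing at a 'PE\\0\\0' signature, then a body. Not a real executable."""
    return b"MZ" + b"\x00" * 58 + b"\x40\x00\x00\x00" + b"PE\x00\x00" + tag * 256


CLEAN_FILES = {name: fake_pe(name.encode()) for name in WATCHLIST}


def fingerprint(data: bytes) -> dict:
    """Size, MD5 and SHA-1 of a file's contents."""
    return {
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
    }


def build_baseline(files: dict) -> dict:
    """Record fingerprints of known-clean copies of the watched files."""
    return {name: fingerprint(data) for name, data in files.items()}


def verify(current: dict, baseline: dict) -> dict:
    """Compare current contents with the baseline.

    Returns {filename: {"status": ..., "size_delta": int}} where status is
    'ok', 'modified', 'missing' or 'unexpected'. A positive size_delta on a
    modified file is worth noting: a file infector adds its own code to the
    host, so an infected system binary typically grows."""
    report = {}
    for name, ref in baseline.items():
        if name not in current:
            report[name] = {"status": "missing", "size_delta": -ref["size"]}
            continue
        now = fingerprint(current[name])
        same = (now["sha1"], now["md5"]) == (ref["sha1"], ref["md5"])
        report[name] = {
            "status": "ok" if same else "modified",
            "size_delta": now["size"] - ref["size"],
        }
    for name in current:
        if name not in baseline:
            report[name] = {"status": "unexpected", "size_delta": len(current[name])}
    return report


def demo() -> dict:
    """Run the check against a constructed 'after' state: explorer.exe has
    had 512 bytes appended (constructed tampering), svchost.exe is gone."""
    baseline = build_baseline(CLEAN_FILES)
    after = dict(CLEAN_FILES)
    after["explorer.exe"] = CLEAN_FILES["explorer.exe"] + b"\xcc" * 512
    del after["svchost.exe"]
    return verify(after, baseline)


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:14s} {result['status']:9s} size delta {result['size_delta']:+d}")
```

The comparison deliberately treats any hash mismatch as "modified" rather than trying to decide whether the change is benign: a legitimate Windows update also changes these files, so the baseline has to be refreshed after patching, and a mismatch is a prompt to scan the file, not a verdict on its own.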
 
OK, done everything! Here are the log files:

MoveIt Log:
All processes killed
========== FILES ==========
H:\office recovery\G\Lost File Results\LostFile_EXE_17977144.exe moved successfully.
H:\office recovery\G\Lost File Results\LostFile_EXE_18174360.exe moved successfully.
H:\office recovery\G\Lost File Results\LostFile_EXE_52609881.exe moved successfully.
File move failed. H:\office recovery\G\Lost File Results\LostFile_EXE_5472056.exe scheduled to be moved on reboot.
H:\office recovery\G\Lost File Results\LostFile_EXE_63078584.exe moved successfully.
H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_104647160.exe moved successfully.
H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_10607648.exe moved successfully.
H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_10630496.exe moved successfully.
H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_11193632.exe moved successfully.
H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_5979896.exe moved successfully.
H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_8634784.exe moved successfully.
H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_9084792.exe moved successfully.
H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_92521216.exe moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 581013 bytes

User: Vasilis
->Temp folder emptied: 112483 bytes
->Temporary Internet Files folder emptied: 9667247 bytes
->Google Chrome cache emptied: 373749472 bytes
->Flash cache emptied: 6630 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 366,00 mb


OTM by OldTimer - Version 3.1.17.2 log created on 03042011_113550

Files moved on Reboot...
File move failed. H:\office recovery\G\Lost File Results\LostFile_EXE_5472056.exe scheduled to be moved on reboot.

Registry entries deleted on Reboot...


Log from VirScan.org for the three files you requested:
VirSCAN.org Scanned Report :
Scanned time : 2011/03/04 11:41:10 (EET)
Scanner results: Scanners did not find malware!
File Name : userinit.exe
File Size : 24576 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : 39b1ffb03c2296323832acbae50d2aff
SHA1 : e5aedcbe25a97c89101f1f3860ff846e94d70445
Online report : http://virscan.org/report/0e3dc4b29989e18083ada8a9db9043d9.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 5.1.0.2 20110216210205 2011-02-16 0.38 -
AhnLab V3 2011.03.03.00 2011.03.03 2011-03-03 2.61 -
AntiVir 8.2.4.178 7.11.4.59 2011-03-04 1.26 -
Antiy 2.0.18 20110217.7833565 2011-02-17 0.02 -
Arcavir 2010 201103041232 2011-03-04 0.06 -
Authentium 5.1.1 201103040141 2011-03-04 2.82 -
AVAST! 4.7.4 110303-1 2011-03-03 0.08 -
AVG 8.5.850 271.1.1/3480 2011-03-04 0.75 -
BitDefender 7.90123.6764202 7.36495 2011-03-04 6.54 -
ClamAV 0.96.5 12803 2011-03-04 0.01 -
Comodo 4.0 7862 2011-03-03 2.49 -
CP Secure 1.3.0.5 2011.03.04 2011-03-04 0.04 -
Dr.Web 5.0.2.3300 2011.03.04 2011-03-04 11.24 -
F-Prot 4.4.4.56 20110304 2011-03-04 1.76 -
F-Secure 7.02.73807 2011.03.04.02 2011-03-04 0.25 -
Fortinet 4.2.254 12.959 2011-03-03 0.93 -
GData 21.1936/21.725 20110304 2011-03-04 10.66 -
ViRobot 20110303 2011.03.03 2011-03-03 0.52 -
Ikarus T3.1.32.20.0 2011.03.04.77852 2011-03-04 7.44 -
JiangMin 13.0.900 2011.03.03 2011-03-03 1.57 -
Kaspersky 5.5.10 2011.03.04 2011-03-04 0.20 -
KingSoft 2009.2.5.15 2011.3.4.14 2011-03-04 1.75 -
McAfee 5400.1158 6274 2011-03-03 7.81 -
Microsoft 1.6603 2011.03.03 2011-03-03 3.88 -
NOD32 3.0.21 5919 2011-03-02 0.14 -
Norman 6.07.03 6.07.00 2011-03-03 18.20 -
Panda 9.05.01 2011.03.02 2011-03-02 1.20 -
Trend Micro 9.200-1012 7.874.01 2011-03-03 0.04 -
Quick Heal 11.00 2011.03.03 2011-03-03 1.12 -
Rising 20.0 23.47.03.06 2011-03-03 2.71 -
Sophos 3.16.1 4.62 2011-03-04 3.61 -
Sunbelt 3.9.2474.2 8599 2011-03-03 0.66 -
Symantec 1.3.0.24 20110303.008 2011-03-03 0.05 -
nProtect 20110304.03 3221953 2011-03-04 5.80 -
The Hacker 6.7.0.1 v00143 2011-03-02 0.45 -
VBA32 3.12.14.3 20110302.1155 2011-03-02 3.64 -
VirusBuster 5.2.0.28 13.6.233.0/4618125 2011-03-03 0.00 -


VirSCAN.org Scanned Report :
Scanned time : 2011/03/04 11:45:48 (EET)
Scanner results: Scanners did not find malware!
File Name : explorer.exe
File Size : 1032192 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : a0732187050030ae399b241436565e64
SHA1 : 69f33740413da112630be73ebb805a23b69f2f7f
Online report : http://virscan.org/report/6732b660008e4d14a957db053b7cb88b.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 5.1.0.2 20110216210205 2011-02-16 0.34 -
AhnLab V3 2011.03.03.00 2011.03.03 2011-03-03 1.47 -
AntiVir 8.2.4.178 7.11.4.59 2011-03-04 0.28 -
Antiy 2.0.18 20110217.7833565 2011-02-17 0.02 -
Arcavir 2010 201103041232 2011-03-04 0.13 -
Authentium 5.1.1 201103040141 2011-03-04 2.41 -
AVAST! 4.7.4 110303-1 2011-03-03 0.07 -
AVG 8.5.850 271.1.1/3480 2011-03-04 0.27 -
BitDefender 7.90123.6764202 7.36495 2011-03-04 6.43 -
ClamAV 0.96.5 12803 2011-03-04 0.26 -
Comodo 4.0 7862 2011-03-03 1.08 -
CP Secure 1.3.0.5 2011.03.04 2011-03-04 0.12 -
Dr.Web 5.0.2.3300 2011.03.04 2011-03-04 11.34 -
F-Prot 4.4.4.56 20110304 2011-03-04 2.38 -
F-Secure 7.02.73807 2011.03.04.02 2011-03-04 12.18 -
Fortinet 4.2.254 12.959 2011-03-03 0.24 -
GData 21.1936/21.725 20110304 2011-03-04 8.33 -
ViRobot 20110303 2011.03.03 2011-03-03 0.41 -
Ikarus T3.1.32.20.0 2011.03.04.77852 2011-03-04 4.65 -
JiangMin 13.0.900 2011.03.03 2011-03-03 1.43 -
Kaspersky 5.5.10 2011.03.04 2011-03-04 0.10 -
KingSoft 2009.2.5.15 2011.3.4.14 2011-03-04 0.74 -
McAfee 5400.1158 6274 2011-03-03 7.51 -
Microsoft 1.6603 2011.03.03 2011-03-03 3.72 -
NOD32 3.0.21 5919 2011-03-02 0.01 -
Norman 6.07.03 6.07.00 2011-03-03 12.01 -
Panda 9.05.01 2011.03.02 2011-03-02 0.59 -
Trend Micro 9.200-1012 7.874.01 2011-03-03 0.05 -
Quick Heal 11.00 2011.03.03 2011-03-03 1.27 -
Rising 20.0 23.47.03.06 2011-03-03 2.12 -
Sophos 3.16.1 4.62 2011-03-04 3.10 -
Sunbelt 3.9.2474.2 8599 2011-03-03 0.62 -
Symantec 1.3.0.24 20110303.008 2011-03-03 0.07 -
nProtect 20110304.03 3221953 2011-03-04 5.89 -
The Hacker 6.7.0.1 v00143 2011-03-02 0.50 -
VBA32 3.12.14.3 20110302.1155 2011-03-02 3.84 -
VirusBuster 5.2.0.28 13.6.233.0/4618125 2011-03-03 0.00 -


VirSCAN.org Scanned Report :
Scanned time : 2011/03/04 11:54:18 (EET)
Scanner results: Scanners did not find malware!
File Name : svchost.exe
File Size : 14336 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : 8f078ae4ed187aaabc0a305146de6716
SHA1 : da0ff4006859a7580aba81f486f692dead2014fe
Online report : http://virscan.org/report/d641e056b73d15c6c7e3536e18633e8d.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 5.1.0.2 20110216210205 2011-02-16 0.31 -
AhnLab V3 2011.03.03.00 2011.03.03 2011-03-03 1.65 -
AntiVir 8.2.4.178 7.11.4.59 2011-03-04 0.27 -
Antiy 2.0.18 20110217.7833565 2011-02-17 0.02 -
Arcavir 2010 201103041232 2011-03-04 0.06 -
Authentium 5.1.1 201103040141 2011-03-04 1.44 -
AVAST! 4.7.4 110303-1 2011-03-03 0.01 -
AVG 8.5.850 271.1.1/3480 2011-03-04 0.25 -
BitDefender 7.90123.6764202 7.36495 2011-03-04 6.44 -
ClamAV 0.96.5 12803 2011-03-04 0.01 -
Comodo 4.0 7862 2011-03-03 1.09 -
CP Secure 1.3.0.5 2011.03.04 2011-03-04 0.04 -
Dr.Web 5.0.2.3300 2011.03.04 2011-03-04 10.89 -
F-Prot 4.4.4.56 20110304 2011-03-04 1.46 -
F-Secure 7.02.73807 2011.03.04.02 2011-03-04 11.18 -
Fortinet 4.2.254 12.959 2011-03-03 0.22 -
GData 21.1936/21.725 20110304 2011-03-04 8.36 -
ViRobot 20110303 2011.03.03 2011-03-03 0.41 -
Ikarus T3.1.32.20.0 2011.03.04.77852 2011-03-04 4.68 -
JiangMin 13.0.900 2011.03.03 2011-03-03 1.74 -
Kaspersky 5.5.10 2011.03.04 2011-03-04 0.09 -
KingSoft 2009.2.5.15 2011.3.4.14 2011-03-04 0.78 -
McAfee 5400.1158 6274 2011-03-03 7.51 -
Microsoft 1.6603 2011.03.03 2011-03-03 3.74 -
NOD32 3.0.21 5919 2011-03-02 0.01 -
Norman 6.07.03 6.07.00 2011-03-03 14.02 -
Panda 9.05.01 2011.03.02 2011-03-02 0.62 -
Trend Micro 9.200-1012 7.874.01 2011-03-03 0.03 -
Quick Heal 11.00 2011.03.03 2011-03-03 1.06 -
Rising 20.0 23.47.03.06 2011-03-03 2.43 -
Sophos 3.16.1 4.62 2011-03-04 3.07 -
Sunbelt 3.9.2474.2 8599 2011-03-03 0.60 -
Symantec 1.3.0.24 20110303.008 2011-03-03 0.05 -
nProtect 20110304.03 3221953 2011-03-04 5.95 -
The Hacker 6.7.0.1 v00143 2011-03-02 0.47 -
VBA32 3.12.14.3 20110302.1155 2011-03-02 3.65 -
VirusBuster 5.2.0.28 13.6.233.0/4618125 2011-03-03 0.01 -
 
This is a good thing! That's one log we hope won't find anything.

I see OTM cleaned Total Files Cleaned = 366,00 mb. That is a lot of files. Have you been doing maintenance on the system: disc cleanup, defrag, remove programs and apps you no longer use, etc?

Are you having any problems other than the notice of Win32/Heur in AVG? I don't see any evidence of it here. But you need to understand that the files you loaded either to or from the H drive were infected. Because Conficker was one of the infections, let's do this scan:
  • Download the file TDSSKiller.zip and save to the desktop.
    (If you are unable to download the file for some reason, then TDSS may be blocking it. You would then need to download it first to a clean computer and then transfer it to the infected one using an external drive or USB flash drive.)
  • Right-click the tdsskiller.zip file> Select Extract All into a folder on the infected (or potentially infected) PC.
  • Double click on TDSSKiller.exe. to run the scan
  • When the scan is over, the utility outputs a list of detected objects with description.
    The utility automatically selects an action (Cure or Delete) for malicious objects.
    The utility prompts the user to select an action to apply to suspicious objects (Skip, by default).
  • Select the action Quarantine to quarantine detected objects.
    The default quarantine folder is in the system disk root folder, e.g.: C:\TDSSKiller_Quarantine\23.07.2010_15.31.43
  • After clicking Next, the utility applies selected actions and outputs the result.
  • A reboot is required after disinfection.
=============================================
You can find detailed information about Conficker here: http://www.microsoft.com/security/pc-security/conficker.aspx
It's very important that you tell me about any other problems you're having since you did the download.
Conficker started with "A" and the version you had was "Y", so it's mutated right through the alphabet!
 
First I'd like to thank you for all the effort and time you've given. The story is that the contents on this drive H: are from a hard drive I had since 2001 as a student, which were carried over to a new PC, till one day I wanted to play with the hardware of my PC (failed memory upgrade), which led to using another PC and connecting the hard drive from the old one, but something went wrong and I had to format it and then used a recovery software to get them back. This is where AVG found the virus, after the recovery of the files. Now, all that time I didn't notice any unusual behaviour of my system apart from being slow, but it was an old computer, AMD 1600+ XP with 1250MB RAM.
I will now do the TDSS scan and return with the results.

P.S. I uninstalled AVG and installed Avira because AVG won't let Combofix run.

TDSSKiller Log:


2011/03/04 18:18:26.0546 1592 TDSS rootkit removing tool 2.4.20.0 Mar 2 2011 10:44:30
2011/03/04 18:18:27.0078 1592 ================================================================================
2011/03/04 18:18:27.0078 1592 SystemInfo:
2011/03/04 18:18:27.0078 1592
2011/03/04 18:18:27.0078 1592 OS Version: 5.1.2600 ServicePack: 2.0
2011/03/04 18:18:27.0078 1592 Product type: Workstation
2011/03/04 18:18:27.0078 1592 ComputerName: VASILIS-45A94C9
2011/03/04 18:18:27.0078 1592 UserName: Vasilis
2011/03/04 18:18:27.0078 1592 Windows directory: G:\WINDOWS
2011/03/04 18:18:27.0078 1592 System windows directory: G:\WINDOWS
2011/03/04 18:18:27.0078 1592 Processor architecture: Intel x86
2011/03/04 18:18:27.0078 1592 Number of processors: 2
2011/03/04 18:18:27.0078 1592 Page size: 0x1000
2011/03/04 18:18:27.0078 1592 Boot type: Normal boot
2011/03/04 18:18:27.0078 1592 ================================================================================
2011/03/04 18:18:31.0078 1592 Initialize success
2011/03/04 18:18:35.0140 2308 ================================================================================
2011/03/04 18:18:35.0140 2308 Scan started
2011/03/04 18:18:35.0140 2308 Mode: Manual;
2011/03/04 18:18:35.0140 2308 ================================================================================
2011/03/04 18:18:36.0859 2308 ACPI (a10c7534f7223f4a73a948967d00e69b) G:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/03/04 18:18:36.0890 2308 ACPIEC (9859c0f6936e723e4892d7141b1327d5) G:\WINDOWS\system32\drivers\ACPIEC.sys
2011/03/04 18:18:37.0000 2308 aec (841f385c6cfaf66b58fbd898722bb4f0) G:\WINDOWS\system32\drivers\aec.sys
2011/03/04 18:18:37.0093 2308 AFD (55e6e1c51b6d30e54335750955453702) G:\WINDOWS\System32\drivers\afd.sys
2011/03/04 18:18:37.0156 2308 agp440 (2c428fa0c3e3a01ed93c9b2a27d8d4bb) G:\WINDOWS\system32\DRIVERS\agp440.sys
2011/03/04 18:18:37.0453 2308 ALCXWDM (34149a136b2b7525113950233f259ec1) G:\WINDOWS\system32\drivers\ALCXWDM.SYS
2011/03/04 18:18:37.0828 2308 AsyncMac (02000abf34af4c218c35d257024807d6) G:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/03/04 18:18:37.0875 2308 atapi (cdfe4411a69c224bd1d11b2da92dac51) G:\WINDOWS\system32\DRIVERS\atapi.sys
2011/03/04 18:18:37.0984 2308 ati2mtag (8759322ffc1a50569c1e5528ee8026b7) G:\WINDOWS\system32\DRIVERS\ati2mtag.sys
2011/03/04 18:18:38.0031 2308 Atmarpc (ec88da854ab7d7752ec8be11a741bb7f) G:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/03/04 18:18:38.0078 2308 audstub (d9f724aa26c010a217c97606b160ed68) G:\WINDOWS\system32\DRIVERS\audstub.sys
2011/03/04 18:18:38.0171 2308 avgio (0b497c79824f8e1bf22fa6aacd3de3a0) G:\Program Files\Avira\AntiVir Desktop\avgio.sys
2011/03/04 18:18:38.0218 2308 avgntflt (47b879406246ffdced59e18d331a0e7d) G:\WINDOWS\system32\DRIVERS\avgntflt.sys
2011/03/04 18:18:47.0515 2308 ================================================================================
2011/03/04 18:18:47.0515 2308 Scan finished
2011/03/04 18:18:47.0515 2308 ================================================================================
 
Avira AntiVir Personal
Report file date: Παρασκευή, 4 Μαρτίου 2011 18:27

Scanning for 2454215 virus strains and unwanted programs.

The program is running as an unrestricted full version.
Online services are available:

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 2) [5.1.2600]
Boot mode : Normally booted
Username : Vasilis
Computer name : VASILIS-45A94C9

Version information:

Configuration settings for the scan:
Jobname.............................: ShlExt
Configuration file..................: G:\DOCUME~1\Vasilis\LOCALS~1\Temp\ac035dbb.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: H:,
Process scan........................: off
Scan registry.......................: off
Search for rootkits.................: off
Integrity checking of system files..: off
Scan all files......................: Intelligent file selection
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium

Start of the scan: Παρασκευή, 4 Μαρτίου 2011 18:27

Starting the file scan:

Begin scan in 'H:\' <My Passport>
H:\office recovery\G\Lost File Results\LostFile_EXE_10378208.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
H:\office recovery\G\Lost File Results\LostFile_EXE_118411600.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
H:\office recovery\G\Lost File Results\LostFile_EXE_20610824.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
H:\office recovery\G\Lost File Results\LostFile_EXE_20989528.exe
[DETECTION] Is the TR/ATRAPS.Gen Trojan
H:\office recovery\G\Lost File Results\LostFile_EXE_211302549.exe
--> Object
[WARNING] The file could not be read!
[WARNING] The file could not be read!
H:\office recovery\G\Lost File Results\LostFile_EXE_3196264.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
H:\office recovery\G\Lost File Results\LostFile_EXE_3611800.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
H:\office recovery\G\Lost File Results\LostFile_EXE_3646104.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
H:\office recovery\G\Lost File Results\LostFile_EXE_3657752.exe
[DETECTION] Is the TR/Crypt.ULPM.Gen Trojan
H:\office recovery\G\Lost File Results\LostFile_EXE_3658520.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
H:\office recovery\G\Lost File Results\LostFile_EXE_3969232.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
H:\office recovery\G\Lost File Results\LostFile_EXE_3982976.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
H:\office recovery\G\Lost File Results\LostFile_EXE_3983280.exe
[DETECTION] Is the TR/Crypt.ASPM.Gen Trojan
H:\office recovery\G\Lost File Results\LostFile_EXE_4161800.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
H:\office recovery\G\Lost File Results\LostFile_EXE_4563384.exe
[DETECTION] Contains recognition pattern of the DR/Delphi.Gen dropper
H:\office recovery\G\Lost File Results\LostFile_EXE_4625091.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
H:\office recovery\G\Lost File Results\LostFile_EXE_4820056.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
H:\office recovery\G\Lost File Results\LostFile_EXE_49467864.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
H:\office recovery\G\Lost File Results\LostFile_EXE_49489040.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
H:\office recovery\G\Lost File Results\LostFile_EXE_49492064.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
H:\office recovery\G\Lost File Results\LostFile_EXE_50883129.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
H:\office recovery\G\Lost File Results\LostFile_EXE_52934616.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
H:\office recovery\G\Lost File Results\LostFile_EXE_53135592.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
H:\office recovery\G\Lost File Results\LostFile_EXE_53272136.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
H:\office recovery\G\Lost File Results\LostFile_EXE_53826984.exe
[DETECTION] Is the TR/Rootkit.Gen Trojan
H:\office recovery\G\Lost File Results\LostFile_EXE_53830144.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
H:\office recovery\G\Lost File Results\LostFile_EXE_5399160.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
H:\office recovery\G\Lost File Results\LostFile_EXE_5432904.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
H:\office recovery\G\Lost File Results\LostFile_EXE_5472056.exe
[DETECTION] Is the TR/Crypt.ULPM.Gen Trojan
H:\office recovery\G\Lost File Results\LostFile_EXE_56015328.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
H:\office recovery\G\Lost File Results\LostFile_EXE_56055264.exe
[DETECTION] Is the TR/ATRAPS.Gen Trojan
H:\office recovery\G\Lost File Results\LostFile_EXE_5652904.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
H:\office recovery\G\Lost File Results\LostFile_EXE_64019896.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
H:\office recovery\G\Lost File Results\LostFile_EXE_76514216.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
H:\office recovery\G\Lost File Results\LostFile_EXE_79056312.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen3 Trojan
H:\office recovery\G\Lost File Results\LostFile_EXE_79060904.exe
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
H:\office recovery\G\Lost File Results\LostFile_EXE_79081304.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
H:\office recovery\G\Lost File Results\LostFile_EXE_90698571.exe
[WARNING] The file could not be read!
H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_10504776.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_106966128.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_11661232.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_13285984.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_2171376.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_24368432.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_31253472.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_47031632.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen3 Trojan
H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_47038520.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_47041496.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_47041640.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_47042392.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_47054360.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_47060880.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_47168744.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_49626136.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_49790272.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_49895104.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_49984048.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_50185936.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_50190392.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_50270800.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_50514112.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_51103000.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_51130448.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_51146016.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_51150800.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_51470352.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_51645008.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_51789368.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_52364992.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_52559016.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_53939960.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_55035616.exe
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_55322432.exe
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_58597424.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_58727088.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_58828216.exe
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_64791440.exe
[DETECTION] Is the TR/ATRAPS.Gen Trojan
H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_64937864.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_79339392.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_79377176.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_79538656.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_80263680.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_80675752.exe
[DETECTION] Is the TR/Dropper.Gen2 Trojan
H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_82118376.exe
[DETECTION] Is the TR/Dropper.Gen2 Trojan
H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_9136848.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_96462728.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_9812600.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_JPG_104153744.jpg
[DETECTION] Contains recognition pattern of the DR/FakePic.Gen dropper
H:\office recovery\G\Virtual NTFS Partition @ 0\jquery.tinysort[1].js
[DETECTION] Contains recognition pattern of the DR/FakePic.Gen dropper
H:\office recovery\G\Virtual NTFS Partition @ 0\My Dropbox\Photos\Sample Album\Costa Rican Frog.jpg
[DETECTION] Contains recognition pattern of the DR/FakePic.Gen dropper

========= CONTINUED ON NEXT POST ========
 
Beginning disinfection:
H:\office recovery\G\Virtual NTFS Partition @ 0\My Dropbox\Photos\Sample Album\Costa Rican Frog.jpg
[DETECTION] Contains recognition pattern of the DR/FakePic.Gen dropper
[NOTE] The file was moved to the quarantine directory under the name '4fa8befe.qua'.
H:\office recovery\G\Virtual NTFS Partition @ 0\jquery.tinysort[1].js
[DETECTION] Contains recognition pattern of the DR/FakePic.Gen dropper
[NOTE] The file was moved to the quarantine directory under the name '573d915b.qua'.
H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_JPG_104153744.jpg
[DETECTION] Contains recognition pattern of the DR/FakePic.Gen dropper
[NOTE] The file was moved to the quarantine directory under the name '0560cbb1.qua'.
H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_9812600.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The file was moved to the quarantine directory under the name '63578473.qua'.
H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_96462728.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '26d3a94d.qua'.
H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_9136848.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The file was moved to the quarantine directory under the name '59c89b2c.qua'.
H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_82118376.exe
[DETECTION] Is the TR/Dropper.Gen2 Trojan
[NOTE] The file was moved to the quarantine directory under the name '1570b765.qua'.
H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_80675752.exe
[DETECTION] Is the TR/Dropper.Gen2 Trojan
[NOTE] The file was moved to the quarantine directory under the name '6968f735.qua'.
H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_80263680.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '4432d878.qua'.
H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_79538656.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The file was moved to the quarantine directory under the name '5d5ae3e2.qua'.
H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_79377176.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '3106cfd2.qua'.
H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_79339392.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '40bff647.qua'.
H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_64937864.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '4ea5c680.qua'.
H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_64791440.exe
[DETECTION] Is the TR/ATRAPS.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '0b8cbfc2.qua'.
H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_58828216.exe
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '0287bb69.qua'.
H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_58727088.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '5ac6a200.qua'.
H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_58597424.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The file was moved to the quarantine directory under the name '7632dbcc.qua'.
H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_55322432.exe
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '48ccbb16.qua'.
H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_55035616.exe
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '2bc29065.qua'.
H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_53939960.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '0d0ad078.qua'.
H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_52559016.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '3f9eabdd.qua'.
H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_52364992.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '35db80a3.qua'.
H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_51789368.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '0a88e4e6.qua'.
H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_51645008.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '74a4e8c1.qua'.
H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_51470352.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The file was moved to the quarantine directory under the name '21dcec0b.qua'.
H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_51150800.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The file was moved to the quarantine directory under the name '2c4a9d23.qua'.
H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_51146016.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The file was moved to the quarantine directory under the name '3017892a.qua'.
H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_51130448.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The file was moved to the quarantine directory under the name '01c4c4e4.qua'.
H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_51103000.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The file was moved to the quarantine directory under the name '6d92d0d2.qua'.
H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_50514112.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The file was moved to the quarantine directory under the name '2408f5d5.qua'.
H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_50270800.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The file was moved to the quarantine directory under the name '7f9dfd04.qua'.
H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_50190392.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The file was moved to the quarantine directory under the name '192ff1ed.qua'.
H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_50185936.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '4ea18345.qua'.
H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_49984048.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '6cd1d431.qua'.
H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_49895104.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The file was moved to the quarantine directory under the name '04c1aea7.qua'.
H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_49790272.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The file was moved to the quarantine directory under the name '24b7aa22.qua'.
H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_49626136.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The file was moved to the quarantine directory under the name '7193ec96.qua'.
H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_47168744.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The file was moved to the quarantine directory under the name '10b3cd29.qua'.
H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_47060880.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The file was moved to the quarantine directory under the name '751f8fa2.qua'.
H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_47054360.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The file was moved to the quarantine directory under the name '10c8fb03.qua'.
H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_47042392.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The file was moved to the quarantine directory under the name '032cc790.qua'.
H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_47041640.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The file was moved to the quarantine directory under the name '1195bb2d.qua'.
H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_47041496.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The file was moved to the quarantine directory under the name '06c5d89f.qua'.
H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_47038520.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The file was moved to the quarantine directory under the name '5ce7ea0f.qua'.
H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_47031632.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen3 Trojan
[NOTE] The file was moved to the quarantine directory under the name '79ea901b.qua'.
H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_31253472.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The file was moved to the quarantine directory under the name '0db1886f.qua'.
H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_24368432.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The file was moved to the quarantine directory under the name '2fb3dae3.qua'.
H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_2171376.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The file was moved to the quarantine directory under the name '5a20a2fa.qua'.
H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_13285984.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The file was moved to the quarantine directory under the name '7177fefa.qua'.
H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_11661232.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The file was moved to the quarantine directory under the name '1610b645.qua'.
H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_106966128.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The file was moved to the quarantine directory under the name '5d608f53.qua'.
H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_10504776.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '5d9e8502.qua'.
H:\office recovery\G\Lost File Results\LostFile_EXE_79081304.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '1731d012.qua'.
H:\office recovery\G\Lost File Results\LostFile_EXE_79060904.exe
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '7918ffda.qua'.
H:\office recovery\G\Lost File Results\LostFile_EXE_79056312.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen3 Trojan
[NOTE] The file was moved to the quarantine directory under the name '3438a1aa.qua'.
H:\office recovery\G\Lost File Results\LostFile_EXE_76514216.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The file was moved to the quarantine directory under the name '5c1c8691.qua'.
H:\office recovery\G\Lost File Results\LostFile_EXE_64019896.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '26adbc58.qua'.
H:\office recovery\G\Lost File Results\LostFile_EXE_5652904.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '57ffe01d.qua'.
H:\office recovery\G\Lost File Results\LostFile_EXE_56055264.exe
[DETECTION] Is the TR/ATRAPS.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '2718ca0d.qua'.
H:\office recovery\G\Lost File Results\LostFile_EXE_56015328.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The file was moved to the quarantine directory under the name '5c68b658.qua'.
H:\office recovery\G\Lost File Results\LostFile_EXE_5472056.exe
[DETECTION] Is the TR/Crypt.ULPM.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '1233c532.qua'.
H:\office recovery\G\Lost File Results\LostFile_EXE_5432904.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The file was moved to the quarantine directory under the name '6c48be14.qua'.
H:\office recovery\G\Lost File Results\LostFile_EXE_5399160.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The file was moved to the quarantine directory under the name '18d29667.qua'.
H:\office recovery\G\Lost File Results\LostFile_EXE_53830144.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '13e6ca0e.qua'.
H:\office recovery\G\Lost File Results\LostFile_EXE_53826984.exe
[DETECTION] Is the TR/Rootkit.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '403ed9cc.qua'.
H:\office recovery\G\Lost File Results\LostFile_EXE_53272136.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The file was moved to the quarantine directory under the name '2557f2a7.qua'.
H:\office recovery\G\Lost File Results\LostFile_EXE_53135592.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The file was moved to the quarantine directory under the name '0daca205.qua'.
H:\office recovery\G\Lost File Results\LostFile_EXE_52934616.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The file was moved to the quarantine directory under the name '790ffbbf.qua'.
H:\office recovery\G\Lost File Results\LostFile_EXE_50883129.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The file was moved to the quarantine directory under the name '36028336.qua'.
H:\office recovery\G\Lost File Results\LostFile_EXE_49492064.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The file was moved to the quarantine directory under the name '09d6da90.qua'.
H:\office recovery\G\Lost File Results\LostFile_EXE_49489040.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The file was moved to the quarantine directory under the name '73e0d926.qua'.
H:\office recovery\G\Lost File Results\LostFile_EXE_49467864.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The file was moved to the quarantine directory under the name '23e8de56.qua'.
H:\office recovery\G\Lost File Results\LostFile_EXE_4820056.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The file was moved to the quarantine directory under the name '75e0d414.qua'.
H:\office recovery\G\Lost File Results\LostFile_EXE_4625091.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '3250d0c7.qua'.
H:\office recovery\G\Lost File Results\LostFile_EXE_4563384.exe
[DETECTION] Contains recognition pattern of the DR/Delphi.Gen dropper
[NOTE] The file was moved to the quarantine directory under the name '111cbe45.qua'.
H:\office recovery\G\Lost File Results\LostFile_EXE_4161800.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The file was moved to the quarantine directory under the name '569797ab.qua'.
H:\office recovery\G\Lost File Results\LostFile_EXE_3983280.exe
[DETECTION] Is the TR/Crypt.ASPM.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '24f3c43f.qua'.
H:\office recovery\G\Lost File Results\LostFile_EXE_3982976.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The file was moved to the quarantine directory under the name '0f9c8729.qua'.
H:\office recovery\G\Lost File Results\LostFile_EXE_3969232.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The file was moved to the quarantine directory under the name '4c058996.qua'.
H:\office recovery\G\Lost File Results\LostFile_EXE_3658520.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The file was moved to the quarantine directory under the name '06cbf0ae.qua'.
H:\office recovery\G\Lost File Results\LostFile_EXE_3657752.exe
[DETECTION] Is the TR/Crypt.ULPM.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '0b83ee0e.qua'.
H:\office recovery\G\Lost File Results\LostFile_EXE_3646104.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The file was moved to the quarantine directory under the name '2469a6e0.qua'.
H:\office recovery\G\Lost File Results\LostFile_EXE_3611800.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The file was moved to the quarantine directory under the name '1badef8a.qua'.
H:\office recovery\G\Lost File Results\LostFile_EXE_3196264.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The file was moved to the quarantine directory under the name '244af910.qua'.
H:\office recovery\G\Lost File Results\LostFile_EXE_20989528.exe
[DETECTION] Is the TR/ATRAPS.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '4193a9c7.qua'.
H:\office recovery\G\Lost File Results\LostFile_EXE_20610824.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The file was moved to the quarantine directory under the name '67b28ead.qua'.
H:\office recovery\G\Lost File Results\LostFile_EXE_118411600.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '6b1fddd6.qua'.
H:\office recovery\G\Lost File Results\LostFile_EXE_10378208.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The registration for this file was not remedied due to too many multiple detections. For a more exact analysis, please send us this file via Quarantine manager for closer examination.
[NOTE] The file was moved to the quarantine directory under the name '5e75ab0f.qua'.


End of the scan: Παρασκευή, 4 Μαρτίου 2011 18:57
Used time: 29:31 Minute(s)

The scan has been done completely.

3014 Scanned directories
174128 Files were scanned
88 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
88 Files were moved to quarantine
0 Files were renamed
0 Files cannot be scanned
174040 Files not concerned
1375 Archives were scanned
3 Warnings
88 Notes
 
Not sure why you ran the Avast scan> those files were moved in OTM. You can delete the contents of the quarantine files in Avast.

Sorry about having to uninstall AVG for Combofix. I have those directions saved separately, but I am going to add them to Combofix.
===============================================
Please run this Custom CFScript:

  • [1]. Close any open browsers.
    [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it: Be sure to scroll down to include ALL lines.
Code:
Folder::
g:\docume~1\vasilis\locals~1\applic~1\Temp
g:\program files\GetData
G:\GetData Recover My Files Professional Edition v4.6.8.993
g:\program files\uTorrent.exe
Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\uTorrent.exe"=-
"g:\\Program Files\\uTorrent.exe"=-
Driver::
Save this as CFScript.txt, in the same location as ComboFix.exe
[image: CFScriptB-4.gif]


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
====================
P2P or 'file sharing' Warning:
I note you have uTorrent on 2 drives- that doubles the vulnerability from file sharing.
Note: Even if you are using a "safe" P2P program, it is only the program that is safe. I suggest that you uninstall uTorrent for the following reasons:
  • As long as you are using file sharing networks and programs which are from sources that are not documented, you cannot verify that a download is legitimate.
  • Malware writers use these programs to include malicious content.
  • File sharing is usually unmonitored and there is a danger that your private files might be accessed.
  • The 'sharing' also includes malware that the shared system has on it.
  • Files that are illegal can be spread through file sharing.

Please read the information on P2P Warning to help you better understand these dangers.
=================================
How is the system running now?
 
Am sorry for the late response I was away the weekend, the system looks fine atm, this is the log from Combofix:


ComboFix 11-03-07.05 - Vasilis 08/03/2011 11:48:32.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1253.30.1033.18.1535.1180 [GMT 2:00]
Running from: g:\documents and settings\Vasilis\My Documents\Downloads\Protection - Antivirus -Spyware\ComboFix.exe
Command switches used :: g:\documents and settings\Vasilis\My Documents\Downloads\Protection - Antivirus -Spyware\CFScript.TXT
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
g:\docume~1\vasilis\locals~1\applic~1\Temp
G:\GetData Recover My Files Professional Edition v4.6.8.993
g:\getdata recover my files professional edition v4.6.8.993\Crack.rar
g:\getdata recover my files professional edition v4.6.8.993\File_id.diz
g:\getdata recover my files professional edition v4.6.8.993\GetData Recover My Files v4.6.8.993.txt
g:\getdata recover my files professional edition v4.6.8.993\INSTALL NOTES.txt
g:\getdata recover my files professional edition v4.6.8.993\RecoverMyFiles-Setup.exe
g:\program files\GetData
g:\program files\GetData\Recover My Files v4\FFF.NFO
g:\program files\GetData\Recover My Files v4\FILE_ID.DIZ
g:\program files\Quicktime\QTTask.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-02-08 to 2011-03-08 )))))))))))))))))))))))))))))))
.
.
2011-03-04 09:35 . 2011-03-04 09:35 -------- d-----w- G:\_OTM
2011-02-21 11:05 . 2011-02-21 11:05 -------- d-----w- G:\ATI
2011-02-21 10:45 . 2011-02-21 10:45 -------- d-----w- G:\$AVG
2011-02-18 11:38 . 2011-02-18 11:38 -------- d-----r- G:\MSOCache
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((( SnapShot@2011-03-02_10.58.22 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-03-02 11:13 . 2010-06-17 12:27 28520 g:\windows\system32\drivers\ssmdrv.sys
+ 2011-03-02 11:13 . 2010-06-17 12:27 22360 g:\windows\system32\drivers\avgntmgr.sys
+ 2011-03-02 11:13 . 2011-01-10 12:23 61960 g:\windows\system32\drivers\avgntflt.sys
+ 2011-03-02 11:13 . 2010-06-17 12:27 45416 g:\windows\system32\drivers\avgntdd.sys
+ 2011-03-02 11:13 . 2011-01-10 12:23 135096 g:\windows\system32\drivers\avipbb.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="g:\documents and settings\Vasilis\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2011-02-18 136176]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2006-08-02 577536]
"ATICustomerCare"="g:\program files\ATI\ATICustomerCare\ATICustomerCare.exe" [2010-05-04 311296]
"Adobe Reader Speed Launcher"="g:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]
"Adobe ARM"="g:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
"HP Software Update"="g:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
"iTunesHelper"="g:\program files\iTunes\iTunesHelper.exe" [2011-01-25 421160]
"avgnt"="g:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-01-10 281768]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="g:\windows\system32\CTFMON.EXE" [2004-08-03 15360]
.
g:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - g:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\uTorrent.exe"=
"g:\\Program Files\\uTorrent.exe"=
"h:\\World of Warcraft\\Launcher.exe"=
"g:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"g:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"g:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"g:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"g:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"g:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"g:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"g:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"g:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"g:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"g:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"g:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"g:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"g:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"g:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"g:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"g:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"g:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"g:\\Program Files\\iTunes\\iTunes.exe"=
"g:\\Program Files\\World of Warcraft\\Launcher.exe"=
"g:\\Documents and Settings\\Vasilis\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe"=
.
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;g:\program files\Avira\AntiVir Desktop\sched.exe [2/3/2011 1:13 μμ 135336]
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-03 g:\windows\Tasks\AppleSoftwareUpdate.job
- g:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 09:50]
.
2011-03-07 g:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-527237240-1220945662-725345543-1003Core.job
- g:\documents and settings\Vasilis\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-02-18 11:36]
.
2011-03-08 g:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-527237240-1220945662-725345543-1003UA.job
- g:\documents and settings\Vasilis\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-02-18 11:36]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: Ε&ξαγωγή στο Microsoft Excel - g:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-QuickTime Task - g:\program files\QuickTime\QTTask.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-08 11:53
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@g:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="g:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2011-03-08 11:55:07
ComboFix-quarantined-files.txt 2011-03-08 09:55
ComboFix2.txt 2011-03-02 10:59
.
Pre-Run: 84.435.468.288 bytes free
Post-Run: 84.422.111.232 bytes free
.
- - End Of File - - 11FFF23506C8F50B36E29F0EF7CBF593
 
No problem- I frequently run behind, so it gives me a chance to catch up.

The logs show entries from drives C, G, H. I know that the H drive was the hard drive you had as a student in 2001. And the infected files came from the recovery you used. I'm just a bit confused about the following in the Attach.txt log from DDS:
C: is FIXED (NTFS) - 233 GiB total, 195,228 GiB free.
D: is Removable
E: is CDROM ()
F: is CDROM ()
G: is FIXED (NTFS) - 112 GiB total, 98,966 GiB free.
H: is FIXED (NTFS) - 233 GiB total, 84,556 GiB free.

======================================
The only thing I would do is remove these Registry settings:
"c:\\uTorrent.exe"
"g:\\Program Files\\uTorrent.exe"

But I have warned you about the dangers of file sharing. Let me know if you will continue using this program or if you would like me to remove the entries.
=======================================
I'd like you to run the Eset scan once more- let's make sure all of those infected files were found and removed:

Run Eset NOD32 Online AntiVirus scan HEREhttp://www.eset.eu/online-scanner
  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the Active X control to install
  4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  5. Click Start
  6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  7. Click Scan
  8. Wait for the scan to finish
  9. Click on "Copy to Clipboard"> (you won't see the 'clipboard')
  10. Click anywhere in the post where you want the logs to go, then do Ctrl V. The log will be sent from the clipboard and pasted in the post.
  11. Re-enable your Antivirus software.
    NOTE: If you forget to copy to the clipboard, you can find the log here:
    C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

If clean, I'll have you remove all the cleaning tools we used.

By the way, If you glance at this forum page, you will see a lot of members with AVG/Win32/Heur!
 
Ok, I'll try to sort things out so you can have a clear view of my drives: G: is the system disk, it's where Windows is installed and it's the disk I had as a student, and H: is a flash disk I used to recover the files from G:
What I did was to format G:, then install Windows onto it, and then try to recover the files from before the format on H:
I deleted the file c:\\uTorrent.exe
Anyway, I don't use it anymore, so feel free to show me how to remove them.

Eset still finds malware on the removable flash drive H: here's the log:

ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6425
# api_version=3.0.2
# EOSSerial=d5531ca7203fe54797e590b518b5db27
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2011-02-24 05:41:41
# local_time=2011-02-24 07:41:41 (+0200, GTB Standard Time)
# country="Greece"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=512 16777215 100 0 35242 35242 0 0
# compatibility_mode=1032 16777173 100 94 7752 41863832 0 0
# compatibility_mode=8192 67108863 100 0 3900 3900 0 0
# scanned=113439
# found=13
# cleaned=0
# scan_time=3061
H:\office recovery\G\Lost File Results\LostFile_EXE_17977144.exe a variant of Win32/Kryptik.AAQ trojan (unable to clean) 00000000000000000000000000000000 I
H:\office recovery\G\Lost File Results\LostFile_EXE_18174360.exe a variant of Win32/Kryptik.AAQ trojan (unable to clean) 00000000000000000000000000000000 I
H:\office recovery\G\Lost File Results\LostFile_EXE_52609881.exe a variant of Win32/Conficker.Y worm (unable to clean) 00000000000000000000000000000000 I
H:\office recovery\G\Lost File Results\LostFile_EXE_5472056.exe a variant of Win32/TrojanDownloader.FakeAlert.GO trojan (unable to clean) 00000000000000000000000000000000 I
H:\office recovery\G\Lost File Results\LostFile_EXE_63078584.exe a variant of Win32/Kryptik.AY trojan (unable to clean) 00000000000000000000000000000000 I
H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_104647160.exe a variant of Win32/Kryptik.AAQ trojan (unable to clean) 00000000000000000000000000000000 I
H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_10607648.exe a variant of Win32/Kryptik.AAQ trojan (unable to clean) 00000000000000000000000000000000 I
H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_10630496.exe a variant of Win32/Kryptik.AAQ trojan (unable to clean) 00000000000000000000000000000000 I
H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_11193632.exe a variant of Win32/Kryptik.AAQ trojan (unable to clean) 00000000000000000000000000000000 I
H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_5979896.exe a variant of Win32/Kryptik.AAQ trojan (unable to clean) 00000000000000000000000000000000 I
H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_8634784.exe a variant of Win32/Kryptik.AAQ trojan (unable to clean) 00000000000000000000000000000000 I
H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_9084792.exe a variant of Win32/Kryptik.AAQ trojan (unable to clean) 00000000000000000000000000000000 I
H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_92521216.exe a variant of Win32/Kryptik.AAQ trojan (unable to clean) 00000000000000000000000000000000 I
ESETSmartInstaller@High as downloader log:
all ok
ESETSmartInstaller@High as downloader log:
all ok
esets_scanner_update returned -1 esets_gle=53251
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6425
# api_version=3.0.2
# EOSSerial=d5531ca7203fe54797e590b518b5db27
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2011-03-02 10:26:57
# local_time=2011-03-02 12:26:57 (+0200, GTB Standard Time)
# country="Greece"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=512 16777215 100 0 526576 526576 0 0
# compatibility_mode=1032 16777189 100 94 8612 42355166 0 0
# compatibility_mode=8192 67108863 100 0 495234 495234 0 0
# scanned=118859
# found=13
# cleaned=0
# scan_time=4043
H:\office recovery\G\Lost File Results\LostFile_EXE_17977144.exe a variant of Win32/Kryptik.AAQ trojan (unable to clean) 00000000000000000000000000000000 I
H:\office recovery\G\Lost File Results\LostFile_EXE_18174360.exe a variant of Win32/Kryptik.AAQ trojan (unable to clean) 00000000000000000000000000000000 I
H:\office recovery\G\Lost File Results\LostFile_EXE_52609881.exe a variant of Win32/Conficker.Y worm (unable to clean) 00000000000000000000000000000000 I
H:\office recovery\G\Lost File Results\LostFile_EXE_5472056.exe a variant of Win32/TrojanDownloader.FakeAlert.GO trojan (unable to clean) 00000000000000000000000000000000 I
H:\office recovery\G\Lost File Results\LostFile_EXE_63078584.exe a variant of Win32/Kryptik.AY trojan (unable to clean) 00000000000000000000000000000000 I
H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_104647160.exe a variant of Win32/Kryptik.AAQ trojan (unable to clean) 00000000000000000000000000000000 I
H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_10607648.exe a variant of Win32/Kryptik.AAQ trojan (unable to clean) 00000000000000000000000000000000 I
H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_10630496.exe a variant of Win32/Kryptik.AAQ trojan (unable to clean) 00000000000000000000000000000000 I
H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_11193632.exe a variant of Win32/Kryptik.AAQ trojan (unable to clean) 00000000000000000000000000000000 I
H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_5979896.exe a variant of Win32/Kryptik.AAQ trojan (unable to clean) 00000000000000000000000000000000 I
H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_8634784.exe a variant of Win32/Kryptik.AAQ trojan (unable to clean) 00000000000000000000000000000000 I
H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_9084792.exe a variant of Win32/Kryptik.AAQ trojan (unable to clean) 00000000000000000000000000000000 I
H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_92521216.exe a variant of Win32/Kryptik.AAQ trojan (unable to clean) 00000000000000000000000000000000 I
ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6425
# api_version=3.0.2
# EOSSerial=d5531ca7203fe54797e590b518b5db27
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2011-03-10 09:13:25
# local_time=2011-03-10 11:13:25 (+0200, GTB Standard Time)
# country="Greece"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=512 16777215 100 0 1214219 1214219 0 0
# compatibility_mode=1024 16777215 100 0 0 0 0 0
# compatibility_mode=1797 16775141 100 93 0 36285366 188346 0
# compatibility_mode=8192 67108863 100 0 1182877 1182877 0 0
# scanned=142897
# found=12
# cleaned=0
# scan_time=3187
G:\_OTM\MovedFiles\03042011_113550\H_office recovery\G\Lost File Results\LostFile_EXE_17977144.exe a variant of Win32/Kryptik.AAQ trojan (unable to clean) 00000000000000000000000000000000 I
G:\_OTM\MovedFiles\03042011_113550\H_office recovery\G\Lost File Results\LostFile_EXE_18174360.exe a variant of Win32/Kryptik.AAQ trojan (unable to clean) 00000000000000000000000000000000 I
G:\_OTM\MovedFiles\03042011_113550\H_office recovery\G\Lost File Results\LostFile_EXE_52609881.exe a variant of Win32/Conficker.Y worm (unable to clean) 00000000000000000000000000000000 I
G:\_OTM\MovedFiles\03042011_113550\H_office recovery\G\Lost File Results\LostFile_EXE_63078584.exe a variant of Win32/Kryptik.AY trojan (unable to clean) 00000000000000000000000000000000 I
G:\_OTM\MovedFiles\03042011_113550\H_office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_104647160.exe a variant of Win32/Kryptik.AAQ trojan (unable to clean) 00000000000000000000000000000000 I
G:\_OTM\MovedFiles\03042011_113550\H_office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_10607648.exe a variant of Win32/Kryptik.AAQ trojan (unable to clean) 00000000000000000000000000000000 I
G:\_OTM\MovedFiles\03042011_113550\H_office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_10630496.exe a variant of Win32/Kryptik.AAQ trojan (unable to clean) 00000000000000000000000000000000 I
G:\_OTM\MovedFiles\03042011_113550\H_office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_11193632.exe a variant of Win32/Kryptik.AAQ trojan (unable to clean) 00000000000000000000000000000000 I
G:\_OTM\MovedFiles\03042011_113550\H_office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_5979896.exe a variant of Win32/Kryptik.AAQ trojan (unable to clean) 00000000000000000000000000000000 I
G:\_OTM\MovedFiles\03042011_113550\H_office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_8634784.exe a variant of Win32/Kryptik.AAQ trojan (unable to clean) 00000000000000000000000000000000 I
G:\_OTM\MovedFiles\03042011_113550\H_office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_9084792.exe a variant of Win32/Kryptik.AAQ trojan (unable to clean) 00000000000000000000000000000000 I
G:\_OTM\MovedFiles\03042011_113550\H_office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_92521216.exe a variant of Win32/Kryptik.AAQ trojan (unable to clean) 00000000000000000000000000000000 I
 
Eset scans:
First scan: examples
H:\office recovery\G\Lost File Results\LostFile_EXE_17977144.exe a variant of Win32/Kryptik.AAQ trojan (unable to clean)
H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_104647160.exe a variant of Win32/Kryptik.AAQ trojan (unable to clean)
Second scan: examples
H:\office recovery\G\Lost File Results\LostFile_EXE_17977144.exe a variant of Win32/Kryptik.AAQ trojan (unable to clean)
H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_104647160.exe a variant of Win32/Kryptik.AAQ trojan (unable to clean) 0000000

OTM examples
H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_104647160.exe moved successfully.
H:\office recovery\G\Lost File Results\LostFile_EXE_17977144.exe moved successfully.

Current scan: examples
G:\_OTM\MovedFiles\03042011_113550\H_office recovery\G\Lost File Results\LostFile_EXE_17977144.exe a variant of Win32/Kryptik.AAQ trojan (unable to clean)
G:\_OTM\MovedFiles\03042011_113550\H_office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_104647160.exe a variant of Win32/Kryptik.AAQ trojan (unable to clean)
=========================================
All infected files were removed from Drive H by OTL.
I don't know why these drive letters are changing!
==========================================
Delete the contents of the Avast quarantine folder. Please do not run Avast again unless I instruct you to. If you plan to continue using AVG, reinstall it on the system and do an update immediately. Let me know if anything new shows- no log please. AVG put out a bad update that is causing legitimate entries to be flagged as Win32/Heur. If that is your case, the update should handle it.
======================================
I can't tell if you're reinfecting the system or just changing drive letters. Please don't make any more system changes.
=======================================
Please disinfect all movable drives again:
  1. Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  2. Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
    Note: Some security programs will flag Flash_Disinfector as being some sort of malware, you can safely ignore these warnings
  3. The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  4. Wait until it has finished scanning and then exit the program.
  5. Reboot your computer when done.

Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder. It will help protect your drives from future infection.
=================
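The comparison above (the same LostFile_EXE_*.exe names turning up under H:\ in the first two Eset scans, then under G:\_OTM\MovedFiles\... after OTM moved them) is easier to read when the scan logs are keyed on file name instead of full path. The script below is an added example written for this thread; it is not part of the thread and not an ESET or OTM tool. It parses Eset Online Scanner detection lines in the space-separated shape they have when pasted into a post (tab-separated lines, as the scanner writes them natively, are handled too), and classifies each later-scan hit as same, relocated, new, or gone. The sample logs inside it are constructed from a few of the paths in the thread, with the MD5 column left as the zeros the scanner printed; the extension-based path regex is an assumption that holds for these logs but would misfire on a directory name containing a dot.

```python
"""Compare two ESET Online Scanner logs by file name rather than by full path.

Added example for this thread (not from ESET, OTM or the thread itself):
a detection that only changed directory (e.g. moved by OTM) is reported as
"relocated" instead of looking like a fresh infection.
"""
import ntpath
import re

# Line shape as pasted in the thread: <path> <threat text> <32-hex md5> <flag>.
# Assumption: the path ends in a short extension followed by whitespace.
_LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?\.[A-Za-z0-9]{1,4})\s+"
    r"(?P<threat>.+?)\s+"
    r"(?P<md5>[0-9a-fA-F]{32})\s+"
    r"(?P<flag>[A-Z])\s*$"
)


def parse_eset_log(text):
    """Return {path: threat} for each detection line.

    '#' header lines and installer chatter ('all ok', 'ESETSmartInstaller...')
    do not match and are skipped.  Native tab-separated lines take the
    tab branch; forum-pasted space-separated lines go through the regex.
    """
    detections = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if "\t" in line:
            fields = line.split("\t")
            if len(fields) >= 2 and re.match(r"^[A-Za-z]:\\", fields[0]):
                detections[fields[0]] = fields[1]
            continue
        m = _LINE_RE.match(line)
        if m:
            detections[m.group("path")] = m.group("threat")
    return detections


def compare_scans(earlier_text, later_text):
    """Classify later-scan detections against the earlier scan.

    Keyed on the base file name (case-insensitive):
      same       - identical path in both scans
      relocated  - same file name, different directory (pairs of paths)
      new        - file name seen only in the later scan
      gone       - file name seen only in the earlier scan
    """
    earlier = parse_eset_log(earlier_text)
    later = parse_eset_log(later_text)
    by_name_earlier = {ntpath.basename(p).lower(): p for p in earlier}
    by_name_later = {ntpath.basename(p).lower(): p for p in later}
    result = {"same": [], "relocated": [], "new": [], "gone": []}
    for name, path in sorted(by_name_later.items()):
        if name not in by_name_earlier:
            result["new"].append(path)
        elif by_name_earlier[name].lower() == path.lower():
            result["same"].append(path)
        else:
            result["relocated"].append((by_name_earlier[name], path))
    for name, path in sorted(by_name_earlier.items()):
        if name not in by_name_later:
            result["gone"].append(path)
    return result


# Constructed sample logs: a few thread paths, before and after the OTM move.
SCAN_BEFORE_OTM = """\
# scanned=113439
# found=3
H:\\office recovery\\G\\Lost File Results\\LostFile_EXE_17977144.exe a variant of Win32/Kryptik.AAQ trojan (unable to clean) 00000000000000000000000000000000 I
H:\\office recovery\\G\\Lost File Results\\LostFile_EXE_5472056.exe a variant of Win32/TrojanDownloader.FakeAlert.GO trojan (unable to clean) 00000000000000000000000000000000 I
H:\\office recovery\\G\\Lost File Results\\Identified [Virtual NTFS Partition @ 0]\\LostFile_EXE_104647160.exe a variant of Win32/Kryptik.AAQ trojan (unable to clean) 00000000000000000000000000000000 I
"""

SCAN_AFTER_OTM = """\
# scanned=142897
# found=2
G:\\_OTM\\MovedFiles\\03042011_113550\\H_office recovery\\G\\Lost File Results\\LostFile_EXE_17977144.exe a variant of Win32/Kryptik.AAQ trojan (unable to clean) 00000000000000000000000000000000 I
G:\\_OTM\\MovedFiles\\03042011_113550\\H_office recovery\\G\\Lost File Results\\Identified [Virtual NTFS Partition @ 0]\\LostFile_EXE_104647160.exe a variant of Win32/Kryptik.AAQ trojan (unable to clean) 00000000000000000000000000000000 I
"""

if __name__ == "__main__":
    summary = compare_scans(SCAN_BEFORE_OTM, SCAN_AFTER_OTM)
    for category, items in summary.items():
        print(f"{category}: {len(items)}")
        for item in items:
            print("   ", item)
```

With the constructed input this reports two relocated files and one gone (the FakeAlert sample that the later scan no longer lists), and nothing new, which is the picture the helper describes: the quarantine folder OTM wrote to, not a reinfection. Any entry under "new" is what would actually deserve attention.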
 