DDS log for "still hidden files" problem


This topic is locked
21 replies to this topic

#1 JoJim


Posted 06 July 2012 - 04:28 PM

I followed steps 6 to 9 in the Preparation Guide, as instructed by boopme (see topic "still hidden folders").

Mod EDIT: AII topic~~ boopme
http://www.bleepingcomputer.com/forums/topic457004.html/page__pid__2754393#entry2754393
OP had difficulty using tools.


I observed the following:
- Defogger did not do item 6, step 6 (asking me to reboot). Therefore I continued with item 7 without rebooting my computer.
- GMER hung up at a certain file. I couldn't control the computer anymore, not even use the mouse or ctrl-alt-del. I had to kill it by the main switch.

Everything else was done as instructed.

Here is the DDS log:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Joachim Scherer at 22:17:41 on 2012-07-06
Microsoft Windows XP Home Edition 5.1.2600.3.1252.49.1031.18.1023.352 [GMT 2:00]
.
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {804E5358-FFA4-00D2-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Outdated* {00000000-0000-0000-0000-000000000000}
AV: Avira Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {804E5358-FFA4-00DA-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {804E5358-FFA4-00EB-0D24-347CA8A3377C}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Programme\Avira\AntiVir Desktop\avguard.exe
C:\Programme\FRITZ!DSL\IGDCTRL.EXE
C:\Programme\ICQ6Toolbar\ICQ Service.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe
C:\Programme\Gemeinsame Dateien\Marmiko Shared\MZCCntrl.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Programme\Secunia\PSI\sua.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Programme\Canon\CAL\CALMAIN.exe
C:\Programme\Avira\AntiVir Desktop\avshadow.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Dit.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\DitExp.exe
C:\T-Online\BSW4\ISDNSP~1\Tomcat.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Programme\Hama Maus\mouse32a.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programme\GMX\LiveUpdate\m2LUTray.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Programme\Steganos Safe Home\SteganosHotKeyService.exe
C:\Programme\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICDE.EXE
C:\PROGRA~1\MI3AA1~1\wcescomm.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICDE.EXE
C:\Programme\FRITZ!DSL\FwebProt.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Programme\FRITZ!DSL\StCenter.EXE
C:\Programme\Internet Explorer\iexplore.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\PROGRA~1\SEARCH~1\Datamngr\DATAMN~1.EXE
C:\Programme\iLivid\iLivid.exe
C:\Programme\Internet Explorer\iexplore.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://go.gmx.net/start_ie
uSearch Page = hxxp://google.icq.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uWindow Title = Windows Internet Explorer
uDefault_Page_URL = hxxp://go.gmx.net/home
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
mSearchAssistant =
uURLSearchHooks: ICQToolBar: {855f3b16-6d32-4fe6-8a56-bbb695989046} - c:\programme\icq6toolbar\ICQToolBar.dll
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
uURLSearchHooks: H - No File
uURLSearchHooks: WiseConvert Toolbar: {ebd898f8-fcf6-4694-bc3b-eabc7271eeb1} - c:\programme\wiseconvert\prxtbWise.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\programme\gemeinsame dateien\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Searchqu Toolbar: {99079a25-328f-4bd4-be04-00955acaa0a7} - c:\progra~1\search~1\datamngr\toolbar\searchqudtx.dll
BHO: DataMngr: {9d717f81-9148-4f12-8568-69135f087db0} - c:\progra~1\search~1\datamngr\BROWSE~1.DLL
BHO: GMX Browser Configuration by mquadr.at: {d48ff4b4-e68f-47d1-8e25-81a0f0eeb341} - c:\windows\system32\ieconfig_1und1.dll
BHO: WiseConvert Toolbar: {ebd898f8-fcf6-4694-bc3b-eabc7271eeb1} - c:\programme\wiseconvert\prxtbWise.dll
TB: ICQToolBar: {855f3b16-6d32-4fe6-8a56-bbb695989046} - c:\programme\icq6toolbar\ICQToolBar.dll
TB: WiseConvert Toolbar: {ebd898f8-fcf6-4694-bc3b-eabc7271eeb1} - c:\programme\wiseconvert\prxtbWise.dll
TB: Searchqu Toolbar: {99079a25-328f-4bd4-be04-00955acaa0a7} - c:\progra~1\search~1\datamngr\toolbar\searchqudtx.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - No File
EB: ICQToolBar: {855f3b16-6d32-4fe6-8a56-bbb695989046} - c:\programme\icq6toolbar\ICQToolBar.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [EPSON Stylus DX7400 Series] c:\windows\system32\spool\drivers\w32x86\3\e_faticde.exe /fu "c:\windows\temp\E_SA3.tmp" /EF "HKCU"
uRun: [H/PC Connection Agent] c:\progra~1\mi3aa1~1\wcescomm.exe
uRun: [AVMUSBFernanschluss] "c:\dokumente und einstellungen\joachim scherer\lokale einstellungen\apps\2.0\n44wpz04.9mh\m7az54tx.gcm\frit..tion_8488884cfbcefd60_0002.0002_8541bf1f4a1c673d\AVMAutoStart.exe"
uRun: [EPSON Stylus DX7400 Series (über FritzBox)] c:\windows\system32\spool\drivers\w32x86\3\e_faticde.exe /fu "c:\windows\temp\E_S2B4.tmp" /EF "HKCU"
mRun: [Dit] Dit.exe
mRun: [Microsoft Works Update Detection] c:\programme\gemeinsame dateien\microsoft shared\works shared\WkUFind.exe
mRun: [REGSHAVE] c:\programme\regshave\REGSHAVE.EXE /AUTORUN
mRun: [ISDN SpeedManager] "c:\t-online\bsw4\isdnsp~1\Tomcat.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [FLMOFFICE4DMOUSE] c:\programme\hama maus\mouse32a.exe
mRun: [GMX Update] c:\programme\gmx\liveupdate\m2LUTray.exe
mRun: [SAFEHOME HotKeys] "c:\programme\steganos safe home\SteganosHotKeyService.exe"
mRun: [avgnt] "c:\programme\avira\antivir desktop\avgnt.exe" /min
mRun: [Adobe ARM] "c:\programme\gemeinsame dateien\adobe\arm\1.0\AdobeARM.exe"
mRun: [DATAMNGR] c:\progra~1\search~1\datamngr\DATAMN~1.EXE
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\dokume~1\joachi~1\startm~1\progra~1\autost~1\fritz!~1.lnk - c:\programme\fritz!dsl\FwebProt.exe
StartupFolder: c:\dokume~1\alluse~1\startm~1\progra~1\autost~1\adober~1.lnk - c:\programme\adobe\acrobat 7.0\reader\reader_sl.exe
IE: Nach Microsoft &Excel exportieren - c:\progra~1\micros~4\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {F4430FE8-2638-42e5-B849-800749B94EED} - c:\programme\partygaming.net\partypokernet\RunPF.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\programme\messenger\msmsgs.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
LSP: c:\programme\fritz!dsl\sarah.dll
Trusted Zone: gmx.net\service
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/3/9/8/398422c0-8d3e-40e1-a617-af65a72a0465/LegitCheckControl.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38141.4919444444
DPF: {AE2B937E-EA7D-4A8D-888C-B68D7F72A3C4} - hxxp://as.photoprintit.de/ips-opdata/layout/default01/activex/IPSUploader4.cab
DPF: {BA162249-F2C5-4851-8ADC-FC58CB424243} - hxxp://static.pe.schuelervz.net/photouploader/ImageUploader5.cab?nocache=1206019464
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 192.168.178.1
TCP: Interfaces\{34EC202F-3798-41A7-95C0-CEB388DECBB8} : NameServer = 192.168.122.252,192.168.122.253
TCP: Interfaces\{39438E78-54F3-4AE4-8F7C-9D89C504A2DA} : DhcpNameServer = 192.168.178.1
TCP: Interfaces\{87881E28-8FE7-4B20-9F57-F4BFCD57CCD2} : NameServer = 192.168.121.252,192.168.121.253
AppInit_DLLs: c:\progra~1\search~1\datamngr\datamngr.dll c:\progra~1\search~1\datamngr\IEBHO.dll
.
============= SERVICES / DRIVERS ===============
.
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [2011-10-15 36000]
R1 NETDSL;AVM PPP over Ethernet;c:\windows\system32\drivers\netdsl.sys [2006-11-12 11264]
R1 SLEE_15_DRIVER;Steganos Live Encryption Engine 15 [Driver];c:\windows\system32\drivers\sleen15.sys [2007-2-21 80232]
R2 AntiVirSchedulerService;Avira Planer;c:\programme\avira\antivir desktop\sched.exe [2011-10-15 86224]
R2 AntiVirService;Avira Echtzeit Scanner;c:\programme\avira\antivir desktop\avguard.exe [2011-10-15 110032]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-10-15 83392]
R2 AVMPORT;AVMPORT;c:\windows\system32\drivers\avmport.sys [2005-5-21 59520]
R2 drhard;drhard;c:\windows\system32\drivers\drhard.sys [2007-11-17 23600]
R2 ICQ Service;ICQ Service;c:\programme\icq6toolbar\ICQ Service.exe [2010-6-2 246520]
R2 MZCCntrl;T-Online WLAN Adapter Steuerungsdienst;c:\programme\gemeinsame dateien\marmiko shared\MZCCntrl.exe [2006-12-3 61440]
R2 Secunia Update Agent;Secunia Update Agent;c:\programme\secunia\psi\sua.exe --start-service --> c:\programme\secunia\psi\sua.exe --start-service [?]
R3 avmaudio;AVM Audio;c:\windows\system32\drivers\avmaudio.sys [2011-6-12 101248]
R3 AVMCOWAN;AVMCOWAN;c:\windows\system32\drivers\avmcowan.sys [2004-11-29 53248]
R3 FXUSBASE;Eumex 400 (WinXP/2000);c:\windows\system32\drivers\fxusbase.sys [2004-11-29 547968]
R3 NETFWDSL;AVM FRITZ!web DSL PPP;c:\windows\system32\drivers\NETFWDSL.SYS [2006-11-12 367104]
R3 NETPPPOI;PPP over ISDN;c:\windows\system32\drivers\NETPPPOI.SYS [2005-5-21 319488]
R3 pctvvbi;PCTVVBI;c:\windows\system32\drivers\pctvvbi.sys [2005-1-2 6369]
R3 TOMCATWAN;T-Online DynamicISDN (WDM);c:\windows\system32\drivers\WTOMCAT.sys [2002-12-12 168182]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\flashplayerupdateservice.exe --> c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [?]
S3 DTV_Capture_2X0;DVB-T Receiver;c:\windows\system32\drivers\DTV_Capture_2X0.sys [2005-11-27 18432]
S3 DTV_Loader_2X1;DVB-T Loader;c:\windows\system32\drivers\DTV_Loader_2X1.sys [2005-11-27 19328]
S3 IIUSBISP;USB Mass Storage for USB ISP;c:\windows\system32\drivers\iiusbisp.sys --> c:\windows\system32\drivers\iiusbisp.sys [?]
S3 MACNDIS5;MACNDIS5 NDIS Protocol Driver;c:\progra~1\gemein~1\marmik~1\MACNDIS5.SYS [2006-12-3 17280]
S3 MIINPazX;MIINPazX NDIS Protocol Driver;c:\progra~1\gemein~1\marmik~1\minfrais\MIINPazX.SYS [2006-12-3 17152]
S3 MTOnlPktAlyX;MTOnlPktAlyX NDIS Protocol Driver;c:\progra~1\t-online\t-onli~1\basis-~1\basis1\MTOnlPktAlyX.SYS [2006-12-3 17664]
S3 PhTVTune;MEDION TV-TUNER 7134 MK2/3;c:\windows\system32\drivers\PhTVTune.sys [2002-9-5 24288]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2010-9-1 15544]
S3 Secunia PSI Agent;Secunia PSI Agent;c:\programme\secunia\psi\psia.exe --start-service --> c:\programme\secunia\psi\PSIA.exe --start-service [?]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2004-5-3 392824]
S4 Boonty Games;Boonty Games;c:\programme\gemeinsame dateien\boonty shared\service\Boonty.exe [2007-5-14 69120]
.
=============== Created Last 30 ================
.
2012-07-06 20:07:01 -------- d-----w- c:\dokumente und einstellungen\joachim scherer\lokale einstellungen\anwendungsdaten\Ilivid Player
2012-07-06 20:06:45 -------- d-----w- c:\dokumente und einstellungen\joachim scherer\AppData
2012-07-06 20:06:43 -------- d-----w- c:\dokumente und einstellungen\joachim scherer\anwendungsdaten\searchquband
2012-07-06 20:05:19 -------- d-----w- c:\programme\iLivid
2012-07-06 20:03:14 -------- d-----w- c:\dokumente und einstellungen\joachim scherer\anwendungsdaten\searchqutoolbar
2012-07-06 20:03:00 -------- d-----w- c:\programme\Searchqu Toolbar
2012-07-06 20:01:07 -------- d-----w- c:\programme\Conduit
2012-07-06 20:01:01 -------- d-----w- c:\dokumente und einstellungen\joachim scherer\lokale einstellungen\anwendungsdaten\WiseConvert
2012-07-06 20:01:00 -------- d-----w- c:\dokumente und einstellungen\joachim scherer\lokale einstellungen\anwendungsdaten\Conduit
2012-07-06 20:00:37 -------- d-----w- c:\programme\WiseConvert
2012-07-02 13:10:00 -------- d-----w- c:\dokumente und einstellungen\joachim scherer\lokale einstellungen\anwendungsdaten\Temp
2012-07-02 13:06:48 -------- d-----w- c:\dokumente und einstellungen\joachim scherer\lokale einstellungen\anwendungsdaten\Secunia PSI
2012-06-12 19:20:11 521728 -c----w- c:\windows\system32\dllcache\jsdbgui.dll
2012-06-10 17:39:03 -------- d-----w- c:\programme\Aurigma
2012-06-10 16:34:40 2560 ----a-w- c:\windows\_MSRSTRT.EXE
2012-06-10 16:00:12 -------- d-----w- c:\programme\GIMP 2
2012-06-10 15:33:40 -------- d-----w- c:\windows\system32\Adobe
2012-06-10 14:32:38 -------- d-----w- c:\programme\Secunia
2012-06-10 07:58:51 -------- d-----w- c:\dokumente und einstellungen\joachim scherer\anwendungsdaten\Malwarebytes
2012-06-10 07:58:33 -------- d-----w- c:\dokumente und einstellungen\all users\anwendungsdaten\Malwarebytes
2012-06-10 07:58:32 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-06-10 07:58:32 -------- d-----w- c:\programme\Malwarebytes' Anti-Malware
.
==================== Find3M ====================
.
2012-06-02 13:19:38 219160 ----a-w- c:\windows\system32\wuaucpl.cpl
2012-06-02 13:19:38 18456 ----a-w- c:\windows\system32\wuaueng.dll.mui
2012-06-02 13:19:38 15896 ----a-w- c:\windows\system32\wuapi.dll.mui
2012-06-02 13:19:34 15896 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2012-06-02 13:19:28 23576 ----a-w- c:\windows\system32\wucltui.dll.mui
2012-06-02 13:18:58 275696 ----a-w- c:\windows\system32\mucltui.dll
2012-06-02 13:18:58 214256 ----a-w- c:\windows\system32\muweb.dll
2012-06-02 13:18:58 18160 ----a-w- c:\windows\system32\mucltui.dll.mui
2012-05-31 13:22:01 604160 ----a-w- c:\windows\system32\crypt32.dll
2012-05-16 15:07:03 916992 ----a-w- c:\windows\system32\wininet.dll
2012-05-15 13:56:00 1863296 ----a-w- c:\windows\system32\win32k.sys
2012-05-11 14:40:24 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-05-11 14:40:24 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-05-11 11:38:02 385024 ----a-w- c:\windows\system32\html.iec
2012-05-09 05:38:26 83392 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2012-05-05 08:43:12 70304 -c--a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-05-05 08:43:12 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-05-05 03:14:34 2194944 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-05-05 03:14:34 2071424 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-05-02 13:46:30 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2007-02-18 13:46:19 774144 -c--a-w- c:\programme\RngInterstitial.dll
.
============= FINISH: 22:19:56,50 ===============



Edited by boopme, 06 July 2012 - 07:17 PM.

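A small triage script over the DDS report above, added here as an example and not one of the tools the helpers in this thread use. It pulls out the three things a reviewer looks at first in such a log: the AppInit_DLLs entries, browser load points (uURLSearchHooks, BHO, TB, EB, Run keys) whose text matches a watch list, and "Created Last 30" entries created within minutes of each other. The sample lines are copied from the log; the watch list of names is a constructed assumption, and a match means "review this entry", not a verdict on the software.

```python
"""Triage helper for a DDS report (added example, not a BleepingComputer tool).

Pulls out what a log reviewer checks first: AppInit_DLLs entries (loaded into
every process that links user32.dll), browser load points matching a watch list
of names, and "Created Last 30" entries created within minutes of each other
(the footprint of one bundled installer). Sample lines are copied from the log
posted above; the watch list is an assumption, and a hit means "review", not
"malware".
"""
import re
from datetime import datetime, timedelta
from pprint import pprint

# Constructed sample: a subset of the log above, in DDS's own line format.
SAMPLE_DDS = r"""
uURLSearchHooks: ICQToolBar: {855f3b16-6d32-4fe6-8a56-bbb695989046} - c:\programme\icq6toolbar\ICQToolBar.dll
uURLSearchHooks: WiseConvert Toolbar: {ebd898f8-fcf6-4694-bc3b-eabc7271eeb1} - c:\programme\wiseconvert\prxtbWise.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\programme\gemeinsame dateien\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Searchqu Toolbar: {99079a25-328f-4bd4-be04-00955acaa0a7} - c:\progra~1\search~1\datamngr\toolbar\searchqudtx.dll
BHO: DataMngr: {9d717f81-9148-4f12-8568-69135f087db0} - c:\progra~1\search~1\datamngr\BROWSE~1.DLL
TB: Searchqu Toolbar: {99079a25-328f-4bd4-be04-00955acaa0a7} - c:\progra~1\search~1\datamngr\toolbar\searchqudtx.dll
mRun: [DATAMNGR] c:\progra~1\search~1\datamngr\DATAMN~1.EXE
AppInit_DLLs: c:\progra~1\search~1\datamngr\datamngr.dll c:\progra~1\search~1\datamngr\IEBHO.dll
.
=============== Created Last 30 ================
.
2012-07-06 20:07:01 -------- d-----w- c:\dokumente und einstellungen\joachim scherer\lokale einstellungen\anwendungsdaten\Ilivid Player
2012-07-06 20:05:19 -------- d-----w- c:\programme\iLivid
2012-07-06 20:03:00 -------- d-----w- c:\programme\Searchqu Toolbar
2012-07-06 20:01:07 -------- d-----w- c:\programme\Conduit
2012-07-06 20:00:37 -------- d-----w- c:\programme\WiseConvert
2012-07-02 13:06:48 -------- d-----w- c:\dokumente und einstellungen\joachim scherer\lokale einstellungen\anwendungsdaten\Secunia PSI
2012-06-10 07:58:32 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
"""

LOADPOINT_RE = re.compile(r"^(?P<kind>uURLSearchHooks|BHO|TB|EB|[umd]Run): (?P<rest>.*)$")
APPINIT_RE = re.compile(r"^AppInit_DLLs: (?P<dlls>.*)$")
# DDS file lines: "<date> <time> <size or --------> <attributes> <path>"
CREATED_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<size>\S+) (?P<attrs>\S+) (?P<path>.+)$"
)
# Constructed watch list: vendor names taken from the load points in the log above.
WATCH_LIST = ("searchqu", "datamngr", "conduit", "wiseconvert", "ilivid")

def appinit_dlls(text):
    """Return every DLL path named in AppInit_DLLs lines."""
    # DDS prints 8.3 short names, so a whitespace split is safe here; the live
    # registry value may also be comma-separated.
    found = []
    for line in text.splitlines():
        m = APPINIT_RE.match(line)
        if m:
            found.extend(m.group("dlls").split())
    return found

def watched_loadpoints(text, watch=WATCH_LIST):
    """Return (kind, entry) pairs whose entry mentions a watch-list name."""
    hits = []
    for line in text.splitlines():
        m = LOADPOINT_RE.match(line)
        if m and any(name in m.group("rest").lower() for name in watch):
            hits.append((m.group("kind"), m.group("rest")))
    return hits

def parse_created(text):
    """Return (timestamp, path) for every dated file line, oldest first."""
    entries = []
    for line in text.splitlines():
        m = CREATED_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
            entries.append((ts, m.group("path")))
    return sorted(entries)

def install_clusters(entries, window=timedelta(minutes=10), min_size=3):
    """Group sorted entries at most `window` apart; keep groups of >= `min_size`."""
    clusters, current = [], []
    for ts, path in entries:
        if current and ts - current[-1][0] > window:
            if len(current) >= min_size:
                clusters.append(current)
            current = []
        current.append((ts, path))
    if len(current) >= min_size:
        clusters.append(current)
    return clusters

def triage(text):
    """Run all three checks over one DDS report."""
    return {
        "appinit_dlls": appinit_dlls(text),
        "watched_loadpoints": watched_loadpoints(text),
        "install_clusters": [[p for _, p in c] for c in install_clusters(parse_created(text))],
    }

if __name__ == "__main__":
    pprint(triage(SAMPLE_DDS), width=120)
```

On the sample, the five directories created between 20:00 and 20:07 on 2012-07-06 come out as one cluster, which is the pattern to ask the poster about (what was installed at that time).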


#2 HelpBot


Posted 11 July 2012 - 04:30 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/459575 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

Posted Image If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows, you should not bother creating a GMER log.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 nasdaq (Malware Response Team)

Posted 15 July 2012 - 09:09 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

Let's start with these scans.

Please Download
TDSSKiller.zip

>>> Double-click on TDSSKiller.exe to run the application.
  • Click on the Start Scan button and wait for the scan and disinfection process to be over.
  • If an infected file is detected, the default action will be Cure, click on Continue
  • If a suspicious file is detected, the default action will be Skip, click on Continue
  • If you are asked to reboot the computer to complete the process, click on the Reboot Now button. A report will be automatically saved at the root of the System drive (usually C:\) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt" (for example, C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt). Please copy and paste the contents of that file here.
  • If no reboot is required, click on Report. A log file will appear. Please copy and paste the contents of that file in your next reply.

Download http://public.avast.com/~gmerek/aswMBR.exe (aswMBR.exe) to your desktop. Double click the aswMBR.exe to run it.

  • Click the "Scan" button to start scan.
  • Upon completion of the scan, click Save log, and save it to your desktop. (Note - do not select any Fix at this time) <- IMPORTANT
  • Please post the contents of that log in your next reply.
There shall also be a file on your desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) folder. Please attach that zipped file in your next reply.

===

Please post the logs for my review.

#4 JoJim (Topic Starter)

Posted 15 July 2012 - 11:12 AM

This is my reply to HelpBot:

Enclosed please find the DDS log (dds.txt and attach.txt).
GMER hung up like it did the last time when I tried it (July 6).

Yes, I do have the original Windows XP Home Edition CD. However, it is not Service Pack 3.

In the meantime I received another reply from nasdaq and I will try to follow it later today.


Best regards,
JoJim




#5 JoJim (Topic Starter)

Posted 15 July 2012 - 11:29 AM

Hi,

This is my reply to nasdaq.

TDSSKiller didn't find anything.
aswMBR: response is attached. I couldn't attach MBR.dat. The system didn't allow me to do that.


Thanks for all help and best regards,
JoJim




#6 nasdaq (Malware Response Team)

Posted 15 July 2012 - 12:45 PM

Your logs are clean. You can proceed with these scans.

Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your Anti-Virus and Anti-Spyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • Close any open browsers, and all other programs working. Make sure you save your file if working on a document.
  • Do not install any other programs until this is fixed.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Some rootkit infections may damage your boot sector. The Windows Recovery Console may be needed to restore it. Do not bypass this installation. You may regret it.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Note: If you have difficulty properly disabling your protection programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html

Do not mouse click ComboFix's window while it's running. That may cause it to stall.
===

Third-party programs, if not up to date, can be the cause of infiltration and infection.

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===

Note: If after running ComboFix you get this error message "Illegal operation attempted on a registry key that has been marked for deletion." when attempting to run a program all you need to do is restart the computer to reset the registry.

Please post the logs and let me know if the problem persists.

#7 JoJim (Topic Starter)

Posted 17 July 2012 - 02:57 PM

Hi,

I ran ComboFix and Security Check. The logs follow below. My system is behaving the same as before, i.e. many files and folders are missing.


ComboFix 12-07-16.01 - Joachim Scherer 17.07.2012 20:52:25.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.49.1031.18.1023.648 [GMT 2:00]
ausgeführt von:: c:\dokumente und einstellungen\Joachim Scherer\Desktop\ComboFix.exe
AV: Avira AntiVir PersonalEdition Classic *Enabled/Outdated* {00000000-0000-0000-0000-000000000000}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {804E5358-FFA4-00D2-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {804E5358-FFA4-00DA-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {804E5358-FFA4-00EB-0D24-347CA8A3377C}
AV: Avira Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
.
(((((((((((((((((((((((((((((((((((( Weitere Löschungen ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\dokumente und einstellungen\Administrator\WINDOWS
c:\dokumente und einstellungen\All Users\Anwendungsdaten\TEMP
c:\dokumente und einstellungen\All Users\Dokumente\~WRL0003.tmp
c:\dokumente und einstellungen\All Users\Dokumente\~WRL0226.tmp
c:\dokumente und einstellungen\Christina Scherer\WINDOWS
c:\dokumente und einstellungen\Default User\WINDOWS
c:\dokumente und einstellungen\Joachim Scherer\~GLH0000.TMP
c:\dokumente und einstellungen\Joachim Scherer\Anwendungsdaten\PriceGong
c:\dokumente und einstellungen\Joachim Scherer\Anwendungsdaten\PriceGong\Data\1.txt
c:\dokumente und einstellungen\Joachim Scherer\Anwendungsdaten\PriceGong\Data\15399.txt
c:\dokumente und einstellungen\Joachim Scherer\Anwendungsdaten\PriceGong\Data\15887.txt
c:\dokumente und einstellungen\Joachim Scherer\Anwendungsdaten\PriceGong\Data\17781.txt
c:\dokumente und einstellungen\Joachim Scherer\Anwendungsdaten\PriceGong\Data\2229.txt
c:\dokumente und einstellungen\Joachim Scherer\Anwendungsdaten\PriceGong\Data\450.txt
c:\dokumente und einstellungen\Joachim Scherer\Anwendungsdaten\PriceGong\Data\8406.txt
c:\dokumente und einstellungen\Joachim Scherer\Anwendungsdaten\PriceGong\Data\a.txt
c:\dokumente und einstellungen\Joachim Scherer\Anwendungsdaten\PriceGong\Data\b.txt
c:\dokumente und einstellungen\Joachim Scherer\Anwendungsdaten\PriceGong\Data\c.txt
c:\dokumente und einstellungen\Joachim Scherer\Anwendungsdaten\PriceGong\Data\d.txt
c:\dokumente und einstellungen\Joachim Scherer\Anwendungsdaten\PriceGong\Data\e.txt
c:\dokumente und einstellungen\Joachim Scherer\Anwendungsdaten\PriceGong\Data\f.txt
c:\dokumente und einstellungen\Joachim Scherer\Anwendungsdaten\PriceGong\Data\g.txt
c:\dokumente und einstellungen\Joachim Scherer\Anwendungsdaten\PriceGong\Data\h.txt
c:\dokumente und einstellungen\Joachim Scherer\Anwendungsdaten\PriceGong\Data\i.txt
c:\dokumente und einstellungen\Joachim Scherer\Anwendungsdaten\PriceGong\Data\j.txt
c:\dokumente und einstellungen\Joachim Scherer\Anwendungsdaten\PriceGong\Data\k.txt
c:\dokumente und einstellungen\Joachim Scherer\Anwendungsdaten\PriceGong\Data\l.txt
c:\dokumente und einstellungen\Joachim Scherer\Anwendungsdaten\PriceGong\Data\m.txt
c:\dokumente und einstellungen\Joachim Scherer\Anwendungsdaten\PriceGong\Data\mru.xml
c:\dokumente und einstellungen\Joachim Scherer\Anwendungsdaten\PriceGong\Data\n.txt
c:\dokumente und einstellungen\Joachim Scherer\Anwendungsdaten\PriceGong\Data\o.txt
c:\dokumente und einstellungen\Joachim Scherer\Anwendungsdaten\PriceGong\Data\p.txt
c:\dokumente und einstellungen\Joachim Scherer\Anwendungsdaten\PriceGong\Data\q.txt
c:\dokumente und einstellungen\Joachim Scherer\Anwendungsdaten\PriceGong\Data\r.txt
c:\dokumente und einstellungen\Joachim Scherer\Anwendungsdaten\PriceGong\Data\s.txt
c:\dokumente und einstellungen\Joachim Scherer\Anwendungsdaten\PriceGong\Data\t.txt
c:\dokumente und einstellungen\Joachim Scherer\Anwendungsdaten\PriceGong\Data\u.txt
c:\dokumente und einstellungen\Joachim Scherer\Anwendungsdaten\PriceGong\Data\v.txt
c:\dokumente und einstellungen\Joachim Scherer\Anwendungsdaten\PriceGong\Data\w.txt
c:\dokumente und einstellungen\Joachim Scherer\Anwendungsdaten\PriceGong\Data\wlu.txt
c:\dokumente und einstellungen\Joachim Scherer\Anwendungsdaten\PriceGong\Data\x.txt
c:\dokumente und einstellungen\Joachim Scherer\Anwendungsdaten\PriceGong\Data\y.txt
c:\dokumente und einstellungen\Joachim Scherer\Anwendungsdaten\PriceGong\Data\z.txt
c:\dokumente und einstellungen\Joachim Scherer\Desktop\Data_Recovery.lnk
c:\dokumente und einstellungen\Joachim Scherer\WINDOWS
c:\dokumente und einstellungen\Lea Scherer\WINDOWS
c:\dokumente und einstellungen\Lea\Eigene Dateien\~WRL2435.tmp
c:\dokumente und einstellungen\Lea\Eigene Dateien\~WRL2805.tmp
c:\dokumente und einstellungen\Lea\Favoriten\Games.url
c:\dokumente und einstellungen\Lea\WINDOWS
c:\dokumente und einstellungen\Leonie Scherer\WINDOWS
c:\programme\INSTALL.LOG
c:\programme\xp-AntiSpy
c:\programme\xp-AntiSpy\uninstall.exe
c:\programme\xp-AntiSpy\xp-AntiSpy.exe
c:\windows\IsUn0407.exe
c:\windows\iun6002.exe
c:\windows\pi.exe
c:\windows\SwSys1.bmp
c:\windows\SwSys2.bmp
c:\windows\system32\config\systemprofile\WINDOWS
c:\windows\system32\FE05DA0D.dll
c:\windows\system32\FE05EFED.dll
c:\windows\system32\FE05F051.dll
c:\windows\system32\FE05F3D5.dll
c:\windows\system32\FE05F3D6.dll
c:\windows\system32\FE05F3D7.dll
c:\windows\unin0407.exe
.
.
((((((((((((((((((((((((((((((((((((((( Treiber/Dienste )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_BOONTY_GAMES
-------\Service_Boonty Games
.
.
((((((((((((((((((((((( Dateien erstellt von 2012-06-17 bis 2012-07-17 ))))))))))))))))))))))))))))))
.
.
2012-07-06 20:07 . 2012-07-06 20:07 -------- d-----w- c:\dokumente und einstellungen\Joachim Scherer\Lokale Einstellungen\Anwendungsdaten\Ilivid Player
2012-07-06 20:06 . 2012-07-06 20:06 -------- d-----w- c:\dokumente und einstellungen\Joachim Scherer\AppData
2012-07-06 20:06 . 2012-07-06 20:06 -------- d-----w- c:\dokumente und einstellungen\Joachim Scherer\Anwendungsdaten\searchquband
2012-07-06 20:01 . 2012-07-06 20:01 -------- d-----w- c:\programme\Conduit
2012-07-06 20:01 . 2012-07-14 11:01 -------- d-----w- c:\dokumente und einstellungen\Joachim Scherer\Lokale Einstellungen\Anwendungsdaten\WiseConvert
2012-07-06 20:01 . 2012-07-06 20:01 -------- d-----w- c:\dokumente und einstellungen\Joachim Scherer\Lokale Einstellungen\Anwendungsdaten\Conduit
2012-07-06 20:00 . 2012-07-06 20:01 -------- d-----w- c:\programme\WiseConvert
2012-07-02 13:10 . 2012-07-06 20:01 -------- d-----w- c:\dokumente und einstellungen\Joachim Scherer\Lokale Einstellungen\Anwendungsdaten\Temp
2012-07-02 13:06 . 2012-07-02 13:06 -------- d-----w- c:\dokumente und einstellungen\Joachim Scherer\Lokale Einstellungen\Anwendungsdaten\Secunia PSI
.
.
.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-06-13 13:55 . 2002-02-21 09:35 1866240 ----a-w- c:\windows\system32\win32k.sys
2012-06-10 16:34 . 2012-06-10 16:34 2560 ----a-w- c:\windows\_MSRSTRT.EXE
2012-06-05 15:49 . 2008-09-23 12:26 1372672 ------w- c:\windows\system32\msxml6.dll
2012-06-05 15:49 . 2002-09-06 09:27 1172480 ----a-w- c:\windows\system32\msxml3.dll
2012-06-04 04:32 . 2002-09-04 23:37 152576 ----a-w- c:\windows\system32\schannel.dll
2012-06-02 13:19 . 2007-05-24 04:48 18456 ----a-w- c:\windows\system32\wuaueng.dll.mui
2012-06-02 13:19 . 2007-05-24 04:48 15896 ----a-w- c:\windows\system32\wuapi.dll.mui
2012-06-02 13:19 . 2004-08-03 12:01 329240 ----a-w- c:\windows\system32\wucltui.dll
2012-06-02 13:19 . 2004-08-03 11:59 219160 ----a-w- c:\windows\system32\wuaucpl.cpl
2012-06-02 13:19 . 2004-08-03 11:59 210968 ----a-w- c:\windows\system32\wuweb.dll
2012-06-02 13:19 . 2007-05-24 04:48 15896 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2012-06-02 13:19 . 2005-07-17 07:51 45080 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 13:19 . 2004-08-03 12:00 35864 ----a-w- c:\windows\system32\wups.dll
2012-06-02 13:19 . 2002-09-06 09:28 97304 ----a-w- c:\windows\system32\cdm.dll
2012-06-02 13:19 . 2002-09-06 09:27 53784 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 13:19 . 2007-05-24 04:48 23576 ----a-w- c:\windows\system32\wucltui.dll.mui
2012-06-02 13:19 . 2004-08-03 12:06 577048 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 13:19 . 2002-09-06 09:27 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 13:18 . 2007-05-25 13:31 18160 ----a-w- c:\windows\system32\mucltui.dll.mui
2012-06-02 13:18 . 2005-07-17 07:54 275696 ----a-w- c:\windows\system32\mucltui.dll
2012-06-02 13:18 . 2005-07-17 07:54 214256 ----a-w- c:\windows\system32\muweb.dll
2012-05-31 13:22 . 2004-06-03 19:19 604160 ----a-w- c:\windows\system32\crypt32.dll
2012-05-16 15:07 . 2002-09-06 09:27 916992 ----a-w- c:\windows\system32\wininet.dll
2012-05-11 14:40 . 2002-09-06 09:27 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-05-11 14:40 . 2002-09-06 09:27 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-05-11 11:38 . 2004-08-04 07:42 385024 ----a-w- c:\windows\system32\html.iec
2012-05-09 05:38 . 2011-10-15 07:35 83392 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2012-05-09 05:38 . 2011-10-15 07:35 137928 ----a-w- c:\windows\system32\drivers\avipbb.sys
2012-05-05 08:43 . 2012-03-29 07:16 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-05-05 08:43 . 2011-09-05 18:32 70304 -c--a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-05-05 03:14 . 2002-09-04 23:37 2194944 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-05-05 03:14 . 2001-08-18 04:28 2071424 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-05-02 13:46 . 2002-09-04 23:55 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2007-02-18 13:46 . 2007-02-18 13:46 774144 -c--a-w- c:\programme\RngInterstitial.dll
.
.
(((((((((((((((((((((((((((( Autostartpunkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{ebd898f8-fcf6-4694-bc3b-eabc7271eeb1}"= "c:\programme\WiseConvert\prxtbWise.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{ebd898f8-fcf6-4694-bc3b-eabc7271eeb1}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ebd898f8-fcf6-4694-bc3b-eabc7271eeb1}]
2011-05-09 08:49 176936 ----a-w- c:\programme\WiseConvert\prxtbWise.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{ebd898f8-fcf6-4694-bc3b-eabc7271eeb1}"= "c:\programme\WiseConvert\prxtbWise.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{ebd898f8-fcf6-4694-bc3b-eabc7271eeb1}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{EBD898F8-FCF6-4694-BC3B-EABC7271EEB1}"= "c:\programme\WiseConvert\prxtbWise.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{ebd898f8-fcf6-4694-bc3b-eabc7271eeb1}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="c:\progra~1\MI3AA1~1\wcescomm.exe" [2006-11-13 1289000]
"AVMUSBFernanschluss"="c:\dokumente und einstellungen\Joachim Scherer\Lokale Einstellungen\Apps\2.0\N44WPZ04.9MH\M7AZ54TX.GCM\frit..tion_8488884cfbcefd60_0002.0002_8541bf1f4a1c673d\AVMAutoStart.exe" [2011-06-12 147456]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dit"="Dit.exe" [2002-08-28 73728]
"Microsoft Works Update Detection"="c:\programme\Gemeinsame Dateien\Microsoft Shared\Works Shared\WkUFind.exe" [2002-07-24 28672]
"REGSHAVE"="c:\programme\REGSHAVE\REGSHAVE.EXE" [2002-02-04 53248]
"ISDN SpeedManager"="c:\t-online\BSW4\ISDNSP~1\Tomcat.exe" [2001-05-11 368640]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-10-04 8491008]
"nwiz"="nwiz.exe" [2007-10-04 1626112]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-10-04 81920]
"FLMOFFICE4DMOUSE"="c:\programme\Hama Maus\mouse32a.exe" [2008-07-19 360448]
"GMX Update"="c:\programme\GMX\LiveUpdate\m2LUTray.exe" [2009-10-16 2229632]
"SAFEHOME HotKeys"="c:\programme\Steganos Safe Home\SteganosHotKeyService.exe" [2007-03-21 25088]
"avgnt"="c:\programme\Avira\AntiVir Desktop\avgnt.exe" [2012-05-09 348624]
"Adobe ARM"="c:\programme\Gemeinsame Dateien\Adobe\ARM\1.0\AdobeARM.exe" [2012-04-04 843712]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]
.
c:\dokumente und einstellungen\Joachim Scherer\Startmenü\Programme\Autostart\
FRITZ!DSL Protect.lnk - c:\programme\FRITZ!DSL\FwebProt.exe [2006-11-12 917504]
.
c:\dokumente und einstellungen\All Users\Startmenü\Programme\Autostart\
Adobe Reader - Schnellstart.lnk - c:\programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe [N/A]
.
[HKLM\~\startupfolder\C:^Dokumente und Einstellungen^All Users^Startmenü^Programme^Autostart^Microsoft Office.lnk]
path=c:\dokumente und einstellungen\All Users\Startmenü\Programme\Autostart\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
2002-09-21 07:34 155648 -c----w- c:\windows\system32\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
2002-08-15 10:46 46592 -c--a-w- c:\windows\SOUNDMAN.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPod Service"=3 (0x3)
"Boonty Games"=3 (0x3)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programme\\FRITZ!DSL\\IGDCTRL.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Programme\\FRITZ!DSL\\FBOXUPD.EXE"=
"c:\\Programme\\Real\\RealPlayer\\realplay.exe"=
"c:\\Programme\\Fotobuch Designer\\Designer 2.0\\Designer.exe"=
"c:\programme\Microsoft ActiveSync\rapimgr.exe"= c:\programme\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\programme\Microsoft ActiveSync\wcescomm.exe"= c:\programme\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\programme\Microsoft ActiveSync\WCESMgr.exe"= c:\programme\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Dokumente und Einstellungen\\Joachim Scherer\\Lokale Einstellungen\\Apps\\2.0\\N44WPZ04.9MH\\M7AZ54TX.GCM\\frit..tion_8488884cfbcefd60_0002.0002_8541bf1f4a1c673d\\fritzbox-usb-fernanschluss.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
.
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [15.10.2011 09:35 36000]
R1 NETDSL;AVM PPP over Ethernet;c:\windows\system32\drivers\netdsl.sys [12.11.2006 16:42 11264]
R1 SLEE_15_DRIVER;Steganos Live Encryption Engine 15 [Driver];c:\windows\system32\drivers\sleen15.sys [21.02.2007 14:33 80232]
R2 AntiVirSchedulerService;Avira Planer;c:\programme\Avira\AntiVir Desktop\sched.exe [15.10.2011 09:35 86224]
R2 AVMPORT;AVMPORT;c:\windows\system32\drivers\avmport.sys [21.05.2005 07:41 59520]
R2 drhard;drhard;c:\windows\system32\drivers\drhard.sys [17.11.2007 18:03 23600]
R3 avmaudio;AVM Audio;c:\windows\system32\drivers\avmaudio.sys [12.06.2011 18:24 101248]
R3 AVMCOWAN;AVMCOWAN;c:\windows\system32\drivers\avmcowan.sys [29.11.2004 02:00 53248]
R3 FXUSBASE;Eumex 400 (WinXP/2000);c:\windows\system32\drivers\fxusbase.sys [29.11.2004 02:00 547968]
R3 NETFWDSL;AVM FRITZ!web DSL PPP;c:\windows\system32\drivers\NETFWDSL.SYS [12.11.2006 16:42 367104]
R3 NETPPPOI;PPP over ISDN;c:\windows\system32\drivers\NETPPPOI.SYS [21.05.2005 07:41 319488]
R3 pctvvbi;PCTVVBI;c:\windows\system32\drivers\pctvvbi.sys [02.01.2005 13:16 6369]
R3 TOMCATWAN;T-Online DynamicISDN (WDM);c:\windows\system32\drivers\WTOMCAT.sys [12.12.2002 19:11 168182]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe --> c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [?]
S3 DTV_Capture_2X0;DVB-T Receiver;c:\windows\system32\drivers\DTV_Capture_2X0.sys [27.11.2005 14:30 18432]
S3 DTV_Loader_2X1;DVB-T Loader;c:\windows\system32\drivers\DTV_Loader_2X1.sys [27.11.2005 14:22 19328]
S3 IIUSBISP;USB Mass Storage for USB ISP;c:\windows\system32\Drivers\iiusbisp.sys --> c:\windows\system32\Drivers\iiusbisp.sys [?]
S3 MACNDIS5;MACNDIS5 NDIS Protocol Driver;c:\progra~1\GEMEIN~1\MARMIK~1\MACNDIS5.SYS [03.12.2006 18:37 17280]
S3 MIINPazX;MIINPazX NDIS Protocol Driver;c:\progra~1\GEMEIN~1\MARMIK~1\MInfraIS\MIINPazX.SYS [03.12.2006 18:37 17152]
S3 MTOnlPktAlyX;MTOnlPktAlyX NDIS Protocol Driver;c:\progra~1\T-Online\T-ONLI~1\BASIS-~1\Basis1\MTOnlPktAlyX.SYS [03.12.2006 18:17 17664]
S3 PhTVTune;MEDION TV-TUNER 7134 MK2/3;c:\windows\system32\drivers\PhTVTune.sys [05.09.2002 05:53 24288]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [01.09.2010 10:30 15544]
.
Inhalt des "geplante Tasks" Ordners
.
2012-07-17 c:\windows\Tasks\User_Feed_Synchronization-{3836E1E6-A9B7-465D-82DA-A76CA968CCAA}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 03:31]
.
.
------- Zusätzlicher Suchlauf -------
.
uStart Page = hxxp://go.gmx.net/start_ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
IE: Nach Microsoft &Excel exportieren - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
LSP: c:\programme\FRITZ!DSL\sarah.dll
Trusted Zone: gmx.net\service
TCP: DhcpNameServer = 192.168.178.1
TCP: Interfaces\{34EC202F-3798-41A7-95C0-CEB388DECBB8}: NameServer = 192.168.122.252,192.168.122.253
TCP: Interfaces\{87881E28-8FE7-4B20-9F57-F4BFCD57CCD2}: NameServer = 192.168.121.252,192.168.121.253
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {AE2B937E-EA7D-4A8D-888C-B68D7F72A3C4} - hxxp://as.photoprintit.de/ips-opdata/layout/default01/activex/IPSUploader4.cab
DPF: {BA162249-F2C5-4851-8ADC-FC58CB424243} - hxxp://static.pe.schuelervz.net/photouploader/ImageUploader5.cab?nocache=1206019464
.
- - - - Entfernte verwaiste Registrierungseinträge - - - -
.
Toolbar-10 - (no file)
AddRemove-Adobe Flash Player ActiveX - c:\windows\system32\Macromed\Flash\FlashUtil32_11_2_202_235_ActiveX.exe
AddRemove-Adobe Flash Player Plugin - c:\windows\system32\Macromed\Flash\FlashUtil32_11_2_202_235_Plugin.exe
AddRemove-ComCenter 1.0 - c:\windows\IsUn0407.exe
AddRemove-DTV_1.0 - c:\windows\iun6002.exe
AddRemove-FRITZ!DSL - c:\windows\IsUn0407.exe
AddRemove-MediaShow - c:\windows\IsUn0407.exe
AddRemove-Microsoft Interactive Training - c:\windows\IsUn0407.exe
AddRemove-MUSICMATCH Jukebox - c:\windows\IsUn0407.exe
AddRemove-T-Com Konfigurator Eumex 400 - c:\windows\IsUn0407.exe
AddRemove-T-Online 4.0 Hilfe - c:\windows\IsUn0407.exe
AddRemove-T-Online Software 4.0 - c:\windows\IsUn0407.exe
AddRemove-VideoLive Mail - c:\windows\IsUn0407.exe
AddRemove-xp-AntiSpy - c:\programme\xp-AntiSpy\uninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-07-17 21:24
Windows 5.1.2600 Service Pack 3 NTFS
.
Scanne versteckte Prozesse...
.
Scanne versteckte Autostarteinträge...
.
Scanne versteckte Dateien...
.
Scan erfolgreich abgeschlossen
versteckte Dateien: 0
.
**************************************************************************
.
--------------------- Gesperrte Registrierungsschluessel ---------------------
.
[HKEY_USERS\S-1-5-21-334337264-3307144382-2800509490-1007\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- Durch laufende Prozesse gestartete DLLs ---------------------
.
- - - - - - - > 'lsass.exe'(712)
c:\programme\FRITZ!DSL\sarah.dll
c:\programme\FRITZ!DSL\block.dll
c:\programme\FRITZ!DSL\avmcsock.dll
c:\programme\FRITZ!DSL\avmufc.dll
.
- - - - - - - > 'explorer.exe'(3732)
c:\windows\system32\nview.dll
c:\windows\system32\NVWRSDE.DLL
c:\programme\Hama Maus\MOUDL32A.DLL
c:\windows\system32\nvwddi.dll
c:\windows\system32\webcheck.dll
.
------------------------ Weitere laufende Prozesse ------------------------
.
c:\programme\Avira\AntiVir Desktop\avguard.exe
c:\programme\FRITZ!DSL\IGDCTRL.EXE
c:\programme\ICQ6Toolbar\ICQ Service.exe
c:\programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe
c:\programme\Gemeinsame Dateien\Marmiko Shared\MZCCntrl.exe
c:\windows\system32\nvsvc32.exe
c:\programme\Secunia\PSI\sua.exe
c:\windows\system32\wdfmgr.exe
c:\programme\Canon\CAL\CALMAIN.exe
c:\programme\Avira\AntiVir Desktop\avshadow.exe
c:\windows\Dit.exe
c:\windows\DitExp.exe
c:\windows\system32\RUNDLL32.EXE
c:\windows\system32\rundll32.exe
c:\progra~1\MI3AA1~1\rapimgr.exe
c:\programme\FRITZ!DSL\StCenter.EXE
.
**************************************************************************
.
Zeit der Fertigstellung: 2012-07-17 21:38:09 - PC wurde neu gestartet
ComboFix-quarantined-files.txt 2012-07-17 19:38
.
Vor Suchlauf: 19 Verzeichnis(se), 23.985.106.944 Bytes frei
Nach Suchlauf: 20 Verzeichnis(se), 25.430.167.552 Bytes frei
.
WindowsXP-KB310994-SP2-Home-BootDisk-DEU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
.
- - End Of File - - 32DCB6263C682BD27C67C288540692B7


Results of screen317's Security Check version 0.99.42
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````Antivirus/Firewall Check:``````````````
Avira Free Antivirus
Avira successfully updated!
`````````Anti-malware/Other Utilities Check:`````````
Secunia PSI (2.0.0.4003)
Malwarebytes Anti-Malware Version 1.61.0.1400
Adobe Reader X (10.1.3)
````````Process Check: objlist.exe by Laurent````````
Avira Antivir avgnt.exe
Avira Antivir avguard.exe
BSW4 ISDNSP~1 Tomcat.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C::
````````````````````End of Log``````````````````````


Any more ideas or should I give up?

Best regards,
JoJim

#8 nasdaq

  • Malware Response Team
  • 38,779 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 18 July 2012 - 08:42 AM

Your comboFix log is clean.

However, a lot of folders are still missing. I was running unhide.exe again and again, with my AV software activated and inactivated, with explorer settings to view hidden files and without...



For those of you who no longer have the %Temp%\Smtmp folder, you will not be able to use Unhide to restore your Start Menu items.

Quoted from this page.
http://www.bleepingcomputer.com/forums/topic405109.html

Have you tried to restore your Start Menu items using the program download found on the page?

===

What are the other hidden files/folders you think are still hidden?

#9 JoJim

  • Topic Starter
  • Members
  • 17 posts

Posted 18 July 2012 - 11:32 AM

Maybe there is a misunderstanding:

I did get my Start Menu back, also all my icons on the Desktop.

What I am still missing are many folders under
c:\dokumente und einstellungen\Joachim Scherer\eigene dateien\...

They contain important files about finance, insurance, gas, electricity etc..

I am also missing most of my pictures under
c:\dokumente und einstellungen\Joachim Scherer\eigene bilder\...

I start to think that maybe they are not hidden, but actually got deleted by some instance.


Best regards,
JoJim

#10 nasdaq

  • Malware Response Team
  • 38,779 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 18 July 2012 - 01:05 PM

This tool with the :filefind function will locate any file with a filename on the computer.
The attribute will also be shown if the file is hidden.

Replace the myfilename.xxx below with the exact name of a filename you know exists or existed, and run the scan.
For example abc.txt or dcd.bat


Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2


If your operating system is 64 bit download this tool:
SystemLook_x64.exe
  • Double-click SystemLook.exe to run it.
  • Copy and paste the content of the following bold text into the main textfield:


    :filefind
    myfilename.xxx

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

Keep me posted.

#11 JoJim

  • Topic Starter
  • Members
  • 17 posts

Posted 19 July 2012 - 12:50 PM

Oh well, I did it with a file name I'm 100% sure about and that's the result:


SystemLook 30.07.11 by jpshortstuff
Log created at 19:44 on 19/07/2012 by Joachim Scherer
Administrator - Elevation successful

========== filefind ==========

Searching for "Buchungen.xls"
No files found.

-= EOF =-


I guess that's no good news, is it?


Best regards,
JoJim

#12 nasdaq

  • Malware Response Team
  • 38,779 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 20 July 2012 - 07:34 AM

Searching for "Buchungen.xls"
No files found.


If the files have an .xls extension you can use this string in the search box.

:filefind
*.xls


All files with the .xls extension will be found.

If nothing is found then it's not good at all.
===

If all is well:

Time for some housekeeping

The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following bold text into the Run box and click OK:

ComboFix /Uninstall
===

Delete the other tools we used.

#13 JoJim

  • Topic Starter
  • Members
  • 17 posts

Posted 20 July 2012 - 01:51 PM

I did it with *.xls and it found all the files I can see anyway, i.e. all the files on the "top level" of "my documents". Here I am again at the problem that all sub-folders are either hidden or deleted.

In case you're interested in more details, this is the result:


SystemLook 30.07.11 by jpshortstuff
Log created at 20:41 on 20/07/2012 by Joachim Scherer
Administrator - Elevation successful

========== filefind ==========

Searching for "*.xls"
C:\Dokumente und Einstellungen\Administrator\Vorlagen\excel.xls -----c- 5632 bytes [04:32 11/08/2007] [12:00 18/08/2001] 8C488FA7AAE7091B4AC726679BEE3088
C:\Dokumente und Einstellungen\Administrator\Vorlagen\excel4.xls -----c- 1518 bytes [04:32 11/08/2007] [12:00 18/08/2001] 79BB371793849C47A92BBD86FBC10FFE
C:\Dokumente und Einstellungen\Christina Scherer\Eigene Dateien\Eigene Dokumente\Beruf\checkliste Zi 3.xls -----c- 15360 bytes [15:43 01/05/2008] [16:40 28/07/2008] B2CAEBB986C392BB34D6A63CA1930685
C:\Dokumente und Einstellungen\Christina Scherer\Eigene Dateien\Eigene Dokumente\Beruf\Gehalt Dez11 vs Jan12 vs Feb12.xls --a---- 16896 bytes [17:58 29/02/2012] [18:14 29/02/2012] EFE96B25E87F060537FD4AC5D8C7C0F3
C:\Dokumente und Einstellungen\Christina Scherer\Eigene Dateien\Eigene Dokumente\Burhave\Gästekartei Burhave.xls -----c- 16384 bytes [19:54 29/11/2006] [20:07 29/11/2006] 29A39875D3E1C149818082221BF7A451
C:\Dokumente und Einstellungen\Christina Scherer\Vorlagen\excel.xls -----c- 5632 bytes [14:46 21/11/2002] [12:00 18/08/2001] 8C488FA7AAE7091B4AC726679BEE3088
C:\Dokumente und Einstellungen\Christina Scherer\Vorlagen\excel4.xls -----c- 1518 bytes [14:46 21/11/2002] [12:00 18/08/2001] 79BB371793849C47A92BBD86FBC10FFE
C:\Dokumente und Einstellungen\Default User\Vorlagen\excel.xls -----c- 5632 bytes [23:55 04/09/2002] [12:00 18/08/2001] 8C488FA7AAE7091B4AC726679BEE3088
C:\Dokumente und Einstellungen\Default User\Vorlagen\excel4.xls -----c- 1518 bytes [23:55 04/09/2002] [12:00 18/08/2001] 79BB371793849C47A92BBD86FBC10FFE
C:\Dokumente und Einstellungen\Joachim Scherer\Eigene Dateien\Mappe1.xls -----c- 14848 bytes [21:51 18/03/2007] [21:51 18/03/2007] 2F752092E6E7233C30BF764230144285
C:\Dokumente und Einstellungen\Joachim Scherer\Eigene Dateien\Eigene Dokumente\05 06 23 Zisterne.xls -----c- 15360 bytes [17:52 23/06/2005] [20:05 23/06/2005] 4226A1E5395CD6D42A374CDC2B8BF160
C:\Dokumente und Einstellungen\Joachim Scherer\Eigene Dateien\Eigene Dokumente\Ablagesystem.xls -----c- 16896 bytes [15:21 01/03/2008] [16:57 01/03/2008] 58392CCE1DD79A3FB229A8F0B240D3AB
C:\Dokumente und Einstellungen\Joachim Scherer\Eigene Dateien\Eigene Dokumente\E-Bay Nov 2010.xls -----c- 16384 bytes [18:23 04/11/2010] [18:42 04/11/2010] F0B0622F34E3B56C8B38114C21860CA1
C:\Dokumente und Einstellungen\Joachim Scherer\Eigene Dateien\Eigene Dokumente\Efudix-Creme Runde 2.xls -----c- 15872 bytes [07:10 04/05/2008] [07:11 04/05/2008] A70405EC6B698157A6B491D7FDCD0EF3
C:\Dokumente und Einstellungen\Joachim Scherer\Eigene Dateien\Eigene Dokumente\Efudix-Creme.xls -----c- 15872 bytes [06:13 24/03/2008] [06:13 24/03/2008] E4A11E6EB3F340CEBB6A8BE930ACF770
C:\Dokumente und Einstellungen\Joachim Scherer\Eigene Dateien\Eigene Dokumente\HAWESKO-Weine.xls -----c- 15872 bytes [06:39 03/05/2008] [07:24 03/05/2008] EAFFA71B50A2DFC6700DEA6502A603A3
C:\Dokumente und Einstellungen\Joachim Scherer\Eigene Dateien\Eigene Dokumente\Jo´s offene Punkte.xls -----c- 17408 bytes [18:48 19/03/2006] [10:00 25/12/2008] 7DFE419DFA5F72F5D26BE7DE6E2188D7
C:\Dokumente und Einstellungen\Joachim Scherer\Eigene Dateien\Eigene Dokumente\KALENDER 2003.xls -----c- 70144 bytes [15:17 30/12/2004] [17:49 22/12/2002] D6260A9654BFC75A620F1C9966682AFE
C:\Dokumente und Einstellungen\Joachim Scherer\Eigene Dateien\Eigene Dokumente\To Do Urlaub KW 44_2010.xls -----c- 16896 bytes [05:25 03/11/2010] [05:41 03/11/2010] 157BE5C47C919AB4AEF1474A79B041A0
C:\Dokumente und Einstellungen\Joachim Scherer\Eigene Dateien\Eigene Dokumente\To Do Urlaub KW 44_2010_2.xls -----c- 16384 bytes [17:44 04/11/2010] [17:52 04/11/2010] E35DC0169A3299D327974BC22AE69B8D
C:\Dokumente und Einstellungen\Joachim Scherer\Eigene Dateien\Eigene Dokumente\To Do.xls --a---- 28672 bytes [20:20 08/03/2012] [20:21 21/04/2012] 78E6CF71EDC2DD4BA3A3F3E6477ACC5C
C:\Dokumente und Einstellungen\Joachim Scherer\Eigene Dateien\Eigene Dokumente\Trainingsplan.xls -----c- 35328 bytes [10:22 06/08/2006] [11:52 03/12/2006] 84C29DFCF35877F58542008EE303C1DA
C:\Dokumente und Einstellungen\Joachim Scherer\Vorlagen\excel.xls -----c- 5632 bytes [09:22 21/11/2002] [12:00 18/08/2001] 8C488FA7AAE7091B4AC726679BEE3088
C:\Dokumente und Einstellungen\Joachim Scherer\Vorlagen\excel4.xls -----c- 1518 bytes [09:22 21/11/2002] [12:00 18/08/2001] 79BB371793849C47A92BBD86FBC10FFE
C:\Dokumente und Einstellungen\Lea\Vorlagen\excel.xls -----c- 5632 bytes [13:29 17/09/2007] [12:00 18/08/2001] 8C488FA7AAE7091B4AC726679BEE3088
C:\Dokumente und Einstellungen\Lea\Vorlagen\excel4.xls -----c- 1518 bytes [13:29 17/09/2007] [12:00 18/08/2001] 79BB371793849C47A92BBD86FBC10FFE
C:\Dokumente und Einstellungen\Lea Scherer\Eigene Dateien\Eigene Dokumente\Kalender Sept07.xls -----c- 16384 bytes [15:53 09/09/2007] [15:56 09/09/2007] BC4CA078EDE0326D855E50829D9303DC
C:\Dokumente und Einstellungen\Lea Scherer\Eigene Dateien\Eigene Dokumente\Notenspiegel Klasse 10.xls -----c- 11264 bytes [14:12 16/09/2006] [14:16 16/09/2006] DF4E0C886F2EAC1E431DA3832952F81B
C:\Dokumente und Einstellungen\Lea Scherer\Eigene Dateien\Eigene Dokumente\Notenspiegel Klasse 11.xls -----c- 10752 bytes [11:05 16/09/2007] [11:08 16/09/2007] 28FCEFF685E0AC56DD572E6AAEAB8165
C:\Dokumente und Einstellungen\Lea Scherer\Eigene Dateien\Eigene Dokumente\Notenspiegel Klasse 9.xls -----c- 10752 bytes [16:43 30/09/2005] [16:49 30/09/2005] D6D616B8F93739D9D424E8F564E073A5
C:\Dokumente und Einstellungen\Lea Scherer\Vorlagen\excel.xls -----c- 5632 bytes [15:47 25/03/2004] [12:00 18/08/2001] 8C488FA7AAE7091B4AC726679BEE3088
C:\Dokumente und Einstellungen\Lea Scherer\Vorlagen\excel4.xls -----c- 1518 bytes [15:47 25/03/2004] [12:00 18/08/2001] 79BB371793849C47A92BBD86FBC10FFE
C:\Dokumente und Einstellungen\Leonie Scherer\Eigene Dateien\Eigene Dokumente\Leonie Klassenliste 7e.xls -----c- 23552 bytes [15:24 23/12/2006] [15:24 23/12/2006] 878410A3826340408C7A4D8F67A7DD96
C:\Dokumente und Einstellungen\Leonie Scherer\Eigene Dateien\Eigene Dokumente\Mappe1.xls --a---- 17920 bytes [13:25 13/04/2012] [13:25 13/04/2012] C49C42CEB8788DC625497417636818F1
C:\Dokumente und Einstellungen\Leonie Scherer\Eigene Dateien\Eigene Dokumente\Notenspiegel Klasse 6.xls -----c- 10240 bytes [16:37 30/09/2005] [16:41 30/09/2005] 1D37D506F6A970F85CC42BB81DC4838A
C:\Dokumente und Einstellungen\Leonie Scherer\Eigene Dateien\Eigene Dokumente\Notenspiegel Klasse 7.xls -----c- 10752 bytes [14:01 16/09/2006] [14:10 16/09/2006] 82AB476518B462201A8FDB3885AEC266
C:\Dokumente und Einstellungen\Leonie Scherer\Eigene Dateien\Eigene Dokumente\Notenspiegel Leonie Klasse 8.xls -----c- 10752 bytes [10:58 16/09/2007] [11:03 16/09/2007] D254DC7680BA24BA77BC102583036969
C:\Dokumente und Einstellungen\Leonie Scherer\Vorlagen\excel.xls -----c- 5632 bytes [14:15 07/02/2004] [12:00 18/08/2001] 8C488FA7AAE7091B4AC726679BEE3088
C:\Dokumente und Einstellungen\Leonie Scherer\Vorlagen\excel4.xls -----c- 1518 bytes [14:15 07/02/2004] [12:00 18/08/2001] 79BB371793849C47A92BBD86FBC10FFE
C:\Programme\Microsoft Office\Office10\1031\VBALISTE.XLS --a--c- 210432 bytes [07:37 22/10/1997] [07:37 22/10/1997] 94606DF4073A0FC8BAAE04311171BE21
C:\Programme\Microsoft Office\Office10\1031\XL8GALRY.XLS --a--c- 186368 bytes [11:52 08/11/2000] [11:52 08/11/2000] 4D87E3DE0B60E1AA4AC8EDEB46CF8696
C:\Programme\Microsoft Office\Office10\Samples\SAMPLES.XLS --a--c- 250880 bytes [12:53 08/12/2000] [12:53 08/12/2000] 6B4A09283C28ED2C93146749EDFA6A21
C:\Programme\Microsoft Office\Office10\Samples\SOLVSAMP.XLS --a--c- 107520 bytes [13:52 08/11/2000] [13:52 08/11/2000] 32B18801F373989A1DB3614E2B8F5A26
C:\Programme\Microsoft Office\Office12\1033\PROTTPLN.XLS --a--c- 8704 bytes [16:56 01/11/2004] [16:56 01/11/2004] 9BFF69AA98FE3E0D7EAD3622F4E67B34
C:\Programme\Microsoft Office\Office12\1033\PROTTPLV.XLS --a--c- 8704 bytes [16:56 01/11/2004] [16:56 01/11/2004] D06585F0C1DABE598CB56F2776263401
C:\TDAMP\DS\vorlage.xls --a--c- 13824 bytes [13:25 07/12/2011] [13:25 07/12/2011] E3753B298E7B5A4B423F464F1FCA6052
C:\WINDOWS\ShellNew\EXCEL9.XLS --a--c- 11776 bytes [10:50 15/03/1999] [10:50 15/03/1999] A4420B21053B00EE1451CAE75CD2DC32
C:\WINDOWS\system32\config\systemprofile\Vorlagen\excel.xls --a--c- 5632 bytes [00:00 05/09/2002] [12:00 18/08/2001] 8C488FA7AAE7091B4AC726679BEE3088
C:\WINDOWS\system32\config\systemprofile\Vorlagen\excel4.xls --a--c- 1518 bytes [00:00 05/09/2002] [12:00 18/08/2001] 79BB371793849C47A92BBD86FBC10FFE

-= EOF =-


I'm starting to think about going back to my last backup on an external HDD. Well, the last differential backup dates from February this year, the last full backup from the year 2010!


Regards,
JoJim
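As an added example for this thread (not SystemLook's code and not written by either poster), the Python below parses :filefind lines of the shape shown in the log above and labels each file the user expects to exist as visible, hidden or absent, which is exactly the distinction nasdaq's advice about the attribute column turns on. It assumes the two bracketed timestamps are created then modified, that a letter 'h' in the attribute field marks the Hidden attribute (the log above only shows 'a' and 'c'), and the Kosten.xls line with the all-zero MD5 is constructed.

```python
"""Parse SystemLook ':filefind' output and tell hidden files from absent ones.

Added example for this thread, not SystemLook's own code. Assumptions:
  * an entry line looks like
    <path> <7-char attribute field> <size> bytes [<created>] [<modified>] <MD5>
  * a letter in the attribute field means that attribute is set, and 'h'
    denotes the Hidden attribute (the log above only shows 'a' and 'c').
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# One filefind result line; the path may contain spaces, so the rest of the
# line is pinned down from the right (size, two timestamps, 32-hex MD5).
ENTRY_RE = re.compile(
    r"^(?P<path>.+?) "
    r"(?P<attr>[-A-Za-z]{7}) "
    r"(?P<size>\d+) bytes "
    r"\[(?P<created>[^\]]+)\] "
    r"\[(?P<modified>[^\]]+)\] "
    r"(?P<md5>[0-9A-Fa-f]{32})$"
)


@dataclass(frozen=True)
class Entry:
    path: str
    attrs: frozenset   # attribute letters present, e.g. {'a', 'c'}
    size: int
    created: str
    modified: str
    md5: str

    @property
    def hidden(self) -> bool:
        return "h" in self.attrs   # assumption: 'h' = Hidden attribute


def parse_filefind(log_text: str) -> list:
    """Return the Entry objects found in a SystemLook :filefind log."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue   # banner, 'Searching for', 'No files found.', EOF marker
        attrs = frozenset(c for c in m["attr"].lower() if c != "-")
        entries.append(Entry(m["path"], attrs, int(m["size"]),
                             m["created"], m["modified"], m["md5"].upper()))
    return entries


def classify(entries, expected_paths):
    """Map each path the user expects to exist to 'visible', 'hidden' or 'absent'.

    'absent' is the case the thread is worried about: the file is not merely
    carrying a Hidden attribute, it is no longer on the disk at all.
    """
    by_path = {e.path.lower(): e for e in entries}   # NTFS paths are case-insensitive
    verdict = {}
    for p in expected_paths:
        e = by_path.get(p.lower())
        verdict[p] = "absent" if e is None else ("hidden" if e.hidden else "visible")
    return verdict


def duplicates_by_md5(entries):
    """Group paths whose content is identical (same MD5), e.g. the Office
    template excel.xls that appears under several profiles in the log above."""
    groups = defaultdict(list)
    for e in entries:
        groups[e.md5].append(e.path)
    return {h: paths for h, paths in groups.items() if len(paths) > 1}


# Constructed sample: three lines taken from the log in this thread plus one
# made-up hidden file (fake all-zero MD5) to exercise the 'hidden' branch.
SAMPLE_LOG = r"""SystemLook 30.07.11 by jpshortstuff
Log created at 20:41 on 20/07/2012 by Joachim Scherer
Administrator - Elevation successful

========== filefind ==========

Searching for "*.xls"
C:\Dokumente und Einstellungen\Administrator\Vorlagen\excel.xls -----c- 5632 bytes [04:32 11/08/2007] [12:00 18/08/2001] 8C488FA7AAE7091B4AC726679BEE3088
C:\Dokumente und Einstellungen\Joachim Scherer\Eigene Dateien\Mappe1.xls -----c- 14848 bytes [21:51 18/03/2007] [21:51 18/03/2007] 2F752092E6E7233C30BF764230144285
C:\Dokumente und Einstellungen\Joachim Scherer\Vorlagen\excel.xls -----c- 5632 bytes [09:22 21/11/2002] [12:00 18/08/2001] 8C488FA7AAE7091B4AC726679BEE3088
C:\Dokumente und Einstellungen\Joachim Scherer\Eigene Dateien\Autos\Kosten.xls --ah--- 12288 bytes [09:00 01/02/2011] [09:05 01/02/2011] 00000000000000000000000000000000

-= EOF =-
"""

# Files the user is sure existed (Buchungen.xls is the one the thread searched for).
EXPECTED = [
    r"C:\Dokumente und Einstellungen\Joachim Scherer\Eigene Dateien\Autos\Kosten.xls",
    r"C:\Dokumente und Einstellungen\Joachim Scherer\Eigene Dateien\Mappe1.xls",
    r"C:\Dokumente und Einstellungen\Joachim Scherer\Eigene Dateien\Buchungen.xls",
]

if __name__ == "__main__":
    found = parse_filefind(SAMPLE_LOG)
    for path, state in classify(found, EXPECTED).items():
        print(f"{state:8} {path}")
    for md5, paths in duplicates_by_md5(found).items():
        print(f"duplicate content {md5}: {len(paths)} copies")
```

A file reported as "absent" by a wildcard :filefind run, as Buchungen.xls was, is not an attribute problem and unhide-style tools cannot bring it back; that is the point at which the thread turns to backups.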

#14 nasdaq

  • Malware Response Team
  • 38,779 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 21 July 2012 - 09:18 AM

This option takes a string (wildcards permitted) and searches the computer for any folder names that match that string (case insensitive). Note that as with :filefind this checks for exact matches, so use wildcards for partial matches. The program will also display attributes and creation dates.


Examples:

:folderfind
*windows*

Look for folders using part of the name you remember. Remember that you can use wildcards such as *

In the example above, the * means any characters, followed by WINDOWS, then again any characters after.
===

Run this also from the SystemLook search box.

:reg
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer /sub
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /sub


Post the log.

#15 JoJim

  • Topic Starter
  • Members
  • 17 posts

Posted 22 July 2012 - 10:21 AM

I ran SystemLook with the folderfind to look for a folder I'm 100% sure about. Result was "no folders found". Here are the details:

SystemLook 30.07.11 by jpshortstuff
Log created at 16:40 on 22/07/2012 by Joachim Scherer
Administrator - Elevation successful

========== folderfind ==========

Searching for "Autos"
No folders found.

-= EOF =-


I then ran SystemLook with the other command you asked me to, but the result is too long for posting and the file is too big to upload. What shall I do?


Regards,
JoJim



