
Dutch Police ransomware Ukash



Hi,

I really hope you can help me out. My laptop is locked by the (Dutch version) Police ransomware virus. I've already tried the following to unlock and remove it:

  • Kaspersky scan & windows unlocker
  • Hitman pro kickstart
  • Windows system restore
  • Boot in safe mode or safe mode with command prompt (got immediately shut down after startup)
  • Search in regedit manually (through the Recovery menu --> console --> regedit) and look for suspicious keys in Winlogon or Run

None of these things worked out, so now I'm really stuck. I read about the FRST tool, so I ran the two scans. Here are the logs:

FRST.txt

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 12-06-2013 04
Ran by SYSTEM on 13-06-2013 09:38:17
Running from H:\
Windows 7 Ultimate Service Pack 1 (X86) OS Language: Dutch Standard
Internet Explorer Version 9
Boot Mode: Recovery
The current controlset is ControlSet001
ATTENTION!:=====> FRST is updated to run from normal or Safe mode to produce a full FRST.txt log and Addition.txt log.
==================== Registry (Whitelisted) ==================
HKLM\...\Run: [Cmiboot] C:\Windows\cmiboot.exe [65536 2007-02-07] ()
HKLM\...\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe [267632 2010-09-17] (Alps Electric Co., Ltd.)
HKLM\...\Run: [ETDWare] %ProgramFiles%\Elantech\ETDCtrl.exe [1861416 2011-07-28] (ELAN Microelectronics Corp.)
HKLM\...\Run: [ETDCtrl] %ProgramFiles%\Elantech\ETDCtrl.exe [1861416 2011-07-28] (ELAN Microelectronics Corp.)
HKLM\...\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [2274600 2011-06-09] (Synaptics Incorporated)
HKLM\...\Run: [RTHDVCPL] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe -s [11430504 2011-10-17] (Realtek Semiconductor)
HKLM\...\Run: [SAOB Monitor] C:\Program Files\Acronis\OnlineBackupStandalone\TrueImageMonitor.exe [2536752 2010-09-02] (Acronis)
HKLM\...\Run: [TrueImageMonitor.exe] "C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe" [5508416 2010-09-22] (Acronis)
HKLM\...\Run: [Acronis Scheduler2Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe" [391008 2010-09-22] (Acronis)
HKLM\...\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice [3117344 2012-03-07] (ESET)
HKLM\...\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [32768 2004-06-28] (Cyberlink Corp.)
HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [958576 2013-04-04] (Adobe Systems Incorporated)
HKLM\...\Run: [NBAgent] "C:\Program Files\Nero\Nero 11\Nero BackItUp\NBAgent.exe" /WinStart [1493288 2011-09-20] (Nero AG)
HKU\Gebruiker\...\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\DTLite.exe" -autorun [ 2012-04-17] (DT Soft Ltd)
HKU\Gebruiker\...\Winlogon: [Shell] Explorer.exe
HKU\Gebruiker\...\Command Processor: "C:\Users\GEBRUI~1\AppData\Local\Temp\moniragi.exe" <===== ATTENTION!
Startup: C:\Users\Gebruiker\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk -> (No File)
========================== Services (Whitelisted) =================
S2 AcrSch2Svc; C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe [780224 2010-09-22] (Acronis)
S2 afcdpsrv; C:\Program Files\Common Files\Acronis\CDP\afcdpsrv.exe [3975088 2012-07-21] (Acronis)
S2 ekrn; C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe [913144 2012-03-07] (ESET)
S3 HitmanPro37Crusader; C:\Program Files\HitmanPro\HitmanPro.exe [9171472 2013-06-04] (SurfRight B.V.)
S2 HitmanProScheduler; C:\Program Files\HitmanPro\hmpsched.exe [106280 2013-06-04] (SurfRight B.V.)
S2 NAUpdate; C:\Program Files\Nero\Update\NASvc.exe [641832 2011-09-23] (Nero AG)
==================== Drivers (Whitelisted) ====================
S3 2310_00; C:\Windows\system32\drivers\2310_00.sys [135200 2009-06-12] (HighPoint Technologies, Inc.)
S3 272x_1x; C:\Windows\system32\drivers\272x_1x.sys [554080 2011-09-05] (HighPoint Technologies, Inc.)
S3 274x_3x; C:\Windows\system32\drivers\274x_3x.sys [190048 2011-05-27] (HighPoint Technologies, Inc.)
S3 ahcix86; C:\Windows\system32\drivers\ahcix86.sys [214096 2010-09-23] (Advanced Micro Devices, Inc)
S3 ahcix86s; C:\Windows\system32\drivers\ahcix86s.sys [184120 2009-07-14] (Advanced Micro Devices, Inc)
S3 amdhub30; C:\Windows\system32\drivers\amdhub30.sys [70272 2011-03-17] (Advanced Micro Devices, INC.)
S3 amdxhc; C:\Windows\system32\drivers\amdxhc.sys [149632 2011-03-17] (Advanced Micro Devices, INC.)
S3 amd_sata; C:\Windows\system32\drivers\amd_sata.sys [65664 2011-03-04] (Advanced Micro Devices)
S0 amd_xata; C:\Windows\System32\drivers\amd_xata.sys [32896 2011-03-04] (Advanced Micro Devices)
S3 arcm_x86; C:\Windows\system32\drivers\arcm_x86.sys [43552 2009-11-09] (ARECA Technology Corporation)
S3 asahci32; C:\Windows\system32\drivers\asahci32.sys [32864 2011-05-04] (Asmedia Technology)
S3 asmthub3; C:\Windows\system32\drivers\asmthub3.sys [102376 2011-09-28] (ASMedia Technology Inc)
S3 asmtxhci; C:\Windows\system32\drivers\asmtxhci.sys [311784 2011-09-28] (ASMedia Technology Inc)
S3 b06diag; C:\Windows\system32\drivers\bxdiagx.sys [76840 2010-12-16] (Broadcom Corporation)
S3 BFN7x86; C:\Windows\system32\drivers\Xeno7x86.sys [129640 2011-01-14] (Bigfoot Networks, Inc.)
S3 BFNVis32; C:\Windows\system32\drivers\XenoVx86.sys [129640 2011-01-14] (Bigfoot Networks, Inc.)
S3 BXOIS; C:\Windows\system32\drivers\bxois.sys [431144 2010-12-10] (Broadcom Corporation)
S3 cbaf; C:\Windows\System32\Drivers\cbaf.sys [11008 2007-11-03] (Intel Corp.)
S3 CMISTOR; C:\Windows\system32\drivers\cmiucr.SYS [93056 2007-01-12] (C-Media Corporation)
S3 DC133; C:\Windows\system32\drivers\DC133.sys [36328 2011-05-02] (Dawicontrol GmbH)
S3 DC150; C:\Windows\system32\drivers\DC150.sys [36824 2011-05-02] (Dawicontrol GmbH)
S3 DC154; C:\Windows\system32\drivers\DC154.sys [44376 2011-05-02] (Dawicontrol GmbH)
S3 DC300e; C:\Windows\system32\drivers\DC300e.sys [37272 2011-05-02] (Dawicontrol GmbH)
S0 DC324e; C:\Windows\System32\drivers\DC324e.sys [45816 2011-05-02] (Dawicontrol GmbH)
S0 DC3410; C:\Windows\System32\drivers\DC3410.sys [44360 2011-05-02] (Dawicontrol GmbH)
S3 DC4300; C:\Windows\system32\drivers\DC4300.sys [44392 2011-05-02] (Dawicontrol GmbH)
S3 DC600e; C:\Windows\system32\drivers\DC600e.sys [37752 2011-05-02] (Dawicontrol GmbH)
S3 dfuuwb; C:\Windows\System32\Drivers\DfuUWB.sys [500736 2008-09-11] (Intel Corp.)
S1 dtsoftbus01; C:\Windows\System32\DRIVERS\dtsoftbus01.sys [242240 2012-07-20] (DT Soft Ltd)
S1 eamonm; C:\Windows\System32\DRIVERS\eamonm.sys [169080 2012-03-14] (ESET)
S1 ehdrv; C:\Windows\System32\DRIVERS\ehdrv.sys [120152 2012-03-14] (ESET)
S3 enecirhid; C:\Windows\system32\drivers\enecirhid.sys [17232 2009-12-25] (ENE TECHNOLOGY INC.)
S3 enecirhidma; C:\Windows\system32\drivers\enecirhidma.sys [11088 2009-12-25] (ENE TECHNOLOGY INC.)
S2 epfwwfpr; C:\Windows\System32\DRIVERS\epfwwfpr.sys [103112 2012-03-14] (ESET)
S3 ETD; C:\Windows\system32\drivers\ETD.sys [157480 2011-07-28] (ELAN Microelectronics Corp.)
S3 EtronHub3; C:\Windows\System32\Drivers\EtronHub3.sys [45056 2011-08-17] (Etron Technology Inc)
S3 EtronXHCI; C:\Windows\System32\Drivers\EtronXHCI.sys [64896 2011-08-17] (Etron Technology Inc)
S3 FilterService; C:\Windows\system32\drivers\lvuvcflt.sys [23832 2009-10-07] (Logitech Inc.)
S3 FLxHCIc; C:\Windows\system32\drivers\FLxHCIc.sys [152064 2011-07-06] (Fresco Logic)
S3 FLxHCIh; C:\Windows\system32\drivers\FLxHCIh.sys [47104 2011-07-06] (Fresco Logic)
S3 FTDIBUS; C:\Windows\system32\drivers\ftdibus.sys [61704 2011-03-18] (FTDI Ltd.)
S3 FUJ02B1; C:\Windows\system32\drivers\FUJ02B1.sys [5888 2006-11-01] (FUJITSU LIMITED)
S3 FUJ02E1; C:\Windows\System32\Drivers\FUJ02E1.sys [5632 2004-10-17] (Fujitsu Limited)
S3 hcw99rc; C:\Windows\System32\Drivers\hcw99rc.sys [10368 2007-03-23] (Hauppauge Computer Works, Inc.)
S3 hitmanpro37; C:\Windows\system32\drivers\hitmanpro37.sys [30464 2013-06-13] ()
S3 hptiop; C:\Windows\system32\drivers\hptiop.sys [15008 2009-04-28] (HighPoint Technologies, Inc.)
S3 hptmv; C:\Windows\system32\drivers\hptmv.sys [71968 2006-09-27] (HighPoint Technologies, Inc.)
S3 hptmv6; C:\Windows\system32\drivers\hptmv6.sys [120352 2007-11-01] (HighPoint Technologies, Inc.)
S3 HWA; C:\Windows\System32\Drivers\HWA.sys [53376 2008-09-29] (Intel Corp.)
S3 IFCoEMP; C:\Windows\system32\drivers\ifM60x32.sys [269584 2011-06-15] (Intel(R) Corporation)
S3 IFCoEVB; C:\Windows\system32\drivers\ifP60X32.sys [61712 2011-06-15] (Intel(R) Corporation)
S3 ioatdma1; C:\Windows\System32\Drivers\qd16032.sys [36552 2009-11-16] (Intel Corporation)
S3 ioatdma2; C:\Windows\System32\Drivers\qd26032.sys [37576 2009-11-16] (Intel Corporation)
S3 iSSetup; C:\Windows\system32\drivers\iSSetup.sys [75672 2007-06-19] (Intel Corporation)
S3 itecir; C:\Windows\system32\drivers\itecir.sys [65640 2010-07-13] (ITE Tech. Inc. )
S3 iteraid; C:\Windows\system32\drivers\iteraid.sys [29184 2007-05-02] (ITE Tech. Inc.)
S3 johci; C:\Windows\system32\drivers\johci.sys [23640 2011-02-09] (JMicron Technology Corp.)
S3 JRAID; C:\Windows\system32\drivers\jraid.sys [103512 2011-05-19] (JMicron Technology Corp.)
S3 m5288; C:\Windows\system32\drivers\m5288.sys [211072 2006-07-19] (ULi Electronics Inc.)
S3 m5289; C:\Windows\system32\drivers\m5289.sys [52480 2005-07-04] (ULi Electronics Inc.)
S3 MegaSR1; C:\Windows\system32\drivers\MegaSR1.sys [407120 2010-06-15] (LSI Corporation, Inc.)
S3 MEI; C:\Windows\system32\drivers\HECI.sys [41216 2011-09-22] (Intel Corporation)
S3 MODRC; C:\Windows\system32\drivers\modrc.sys [13056 2006-11-14] (DiBcom S.A.)
S3 MTsensor; C:\Windows\system32\drivers\ASACPI.sys [7680 2009-06-03] ()
S3 mv61xx; C:\Windows\system32\drivers\mv61xx.sys [159024 2010-10-26] (Marvell Semiconductor, Inc.)
S3 mv91cons; C:\Windows\system32\drivers\mv91cons.sys [21808 2011-06-16] (Marvell Semiconductor Inc.)
S3 mv91xx; C:\Windows\system32\drivers\mv91xx.sys [273712 2011-06-16] (Marvell Semiconductor, Inc.)
S3 MxEF; C:\Windows\system32\drivers\MxEF32.sys [81920 2011-08-15] (Matrox Graphics Inc.)
S3 MxEFLF; C:\Windows\system32\drivers\MxEFLF32.sys [80384 2011-08-15] (Matrox Graphics Inc.)
S3 MxEFUF; C:\Windows\system32\drivers\MxEFUF32.sys [108544 2011-08-15] (Matrox Graphics Inc.)
S3 MxEMgr; C:\Windows\system32\drivers\MxEMgr32.sys [92192 2011-08-16] (Matrox Graphics Inc.)
S3 NETwNs32; C:\Windows\System32\DRIVERS\NETwNs32.sys [7087616 2011-01-19] (Intel Corporation)
S3 nusb3hub; C:\Windows\system32\drivers\nusb3hub.sys [73344 2011-09-13] (Renesas Electronics Corporation)
S3 nusb3xhc; C:\Windows\system32\drivers\nusb3xhc.sys [164736 2011-09-13] (Renesas Electronics Corporation)
S3 nvamacpi; C:\Windows\system32\drivers\NVAMACPI.sys [24608 2009-07-17] (NVIDIA Corporation)
S3 pfc; C:\Windows\System32\drivers\pfc.sys [10368 2003-12-05] (Padus, Inc.)
S3 risdpcie; C:\Windows\system32\drivers\risdpe86.sys [47616 2009-10-28] (REDC)
S3 risdxc; C:\Windows\system32\drivers\risdxc86.sys [72704 2010-12-28] (REDC)
S3 rixdpcie; C:\Windows\system32\drivers\rixdpe86.sys [38912 2009-12-11] (REDC)
S3 rr172x; C:\Windows\system32\drivers\rr172x.sys [101920 2007-11-01] (HighPoint Technologies, Inc.)
S3 rr174x; C:\Windows\system32\drivers\rr174x.sys [126496 2007-11-01] (HighPoint Technologies, Inc.)
S3 rr2210; C:\Windows\system32\drivers\rr2210.sys [122400 2007-11-01] (HighPoint Technologies, Inc.)
S3 rr232x; C:\Windows\system32\drivers\rr232x.sys [120352 2008-05-05] (HighPoint Technologies, Inc.)
S3 rr2340; C:\Windows\system32\drivers\rr2340.sys [128608 2009-12-31] (HighPoint Technologies, Inc.)
S3 rr2522; C:\Windows\system32\drivers\rr2522.sys [132704 2009-12-31] (HighPoint Technologies, Inc.)
S3 rr276x; C:\Windows\system32\drivers\rr276x.sys [184928 2010-10-12] (HighPoint Technologies, Inc.)
S3 rr278x; C:\Windows\system32\drivers\rr278x.sys [186456 2011-05-16] (HighPoint Technologies, Inc.)
S3 rr62x; C:\Windows\system32\drivers\rr62x.sys [123488 2010-06-16] (HighPoint Technologies, Inc.)
S3 rusb3hub; C:\Windows\system32\drivers\rusb3hub.sys [77568 2011-09-15] (Renesas Electronics Corporation)
S3 rusb3xhc; C:\Windows\system32\drivers\rusb3xhc.sys [167680 2011-09-15] (Renesas Electronics Corporation)
S3 SI3112; C:\Windows\system32\drivers\SI3112.sys [69168 2007-01-26] (Silicon Image, Inc.)
S3 SI3112r; C:\Windows\system32\drivers\SI3112r.sys [110128 2007-02-01] (Silicon Image, Inc)
S3 SI3114; C:\Windows\system32\drivers\SI3114.sys [68912 2006-11-10] (Silicon Image, Inc.)
S3 SI3114r; C:\Windows\system32\drivers\SI3114R.sys [110384 2007-04-11] (Silicon Image, Inc)
S3 Si3114r5; C:\Windows\system32\drivers\Si3114r5.sys [209200 2007-02-07] (Silicon Image, Inc)
S3 SI3124; C:\Windows\system32\drivers\SI3124.sys [76208 2006-11-02] (Silicon Image, Inc.)
S3 Si3124r5; C:\Windows\system32\drivers\Si3124r5.sys [207152 2006-09-20] (Silicon Image, Inc)
S3 SI3132; C:\Windows\system32\drivers\SI3132.sys [80424 2007-10-03] (Silicon Image, Inc)
S3 Si3132r5; C:\Windows\system32\drivers\Si3132r5.sys [217128 2008-10-30] (Silicon Image, Inc)
S3 Si3531; C:\Windows\system32\drivers\Si3531.sys [212520 2009-02-05] (Silicon Image, Inc)
S0 SiFilter; C:\Windows\System32\drivers\SiWinAcc.sys [19240 2007-10-03] (Silicon Image, Inc)
S0 SiRemFil; C:\Windows\System32\drivers\SiRemFil.sys [15400 2007-10-03] (Silicon Image, Inc)
S3 TTP7; C:\Windows\system32\drivers\ttp7up.sys [12928 2005-11-09] (TerraTec)
S3 uagp35; C:\Windows\system32\drivers\sisagpx.sys [58400 2009-08-01] (Silicon Integrated Systems Corporation)
S3 uwbusb; C:\Windows\System32\Drivers\usbuwbmini.sys [9600 2008-09-15] (Intel Corp.)
S3 vcrdrx32; C:\Windows\system32\drivers\vcrdrx32.sys [99952 2010-08-13] (VIA Technologies, Inc.)
S3 viamraid; C:\Windows\system32\drivers\viamraid.sys [141424 2010-12-02] (VIA Technologies Inc.,Ltd)
S3 videX32; C:\Windows\system32\drivers\videX32.sys [13976 2010-02-11] (VIA Technologies, Inc.)
S3 winbondcir; C:\Windows\System32\DRIVERS\winbondcir.sys [43008 2007-03-28] (Winbond Electronics Corporation)
S3 WinTVCIUSB; C:\Windows\system32\drivers\hcw11.sys [91136 2008-02-28] (Hauppauge Computer Works, Inc.)
S3 WmBEnum; C:\Windows\system32\drivers\WmBEnum.sys [19336 2008-01-24] (Logitech Inc.)
S3 WmFilter; C:\Windows\system32\drivers\WmFilter.sys [28168 2008-01-24] (Logitech Inc.)
S3 WmHidLo; C:\Windows\system32\drivers\WmHidLo.sys [29192 2008-01-24] (Logitech Inc.)
S3 WmVirHid; C:\Windows\system32\drivers\WmVirHid.sys [14728 2008-01-24] (Logitech Inc.)
S3 WmXlCore; C:\Windows\system32\drivers\WmXlCore.sys [48904 2008-01-24] (Logitech Inc.)
S0 xfilt; C:\Windows\System32\drivers\xfilt.sys [23192 2010-02-11] (VIA Technologies, Inc.)
S3 VGPU; System32\drivers\rdvgkmd.sys [x]
==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========
2013-06-13 09:22 - 2013-06-13 09:22 - 00000000 ____D C:\FRST
2013-06-13 08:31 - 2013-06-13 08:31 - 00003416 ____N C:\bootsqm.dat
2013-06-13 08:30 - 2013-06-13 08:30 - 00000000 __SHD C:\found.000
2013-06-13 00:46 - 2013-06-13 00:46 - 85212644 ____A C:\reback.reg
2013-06-12 23:26 - 2013-06-12 23:26 - 00000000 ____D C:\Windows\pss
2013-06-12 08:02 - 2013-06-13 08:32 - 00030464 ____A C:\Windows\System32\Drivers\hitmanpro37.sys
2013-06-12 01:44 - 2013-06-12 01:44 - 00000000 ____D C:\Users\timcaslisa.GEBRUIK-0JVN1EO\AppData\Local\MFAData
2013-06-12 01:44 - 2013-06-12 01:44 - 00000000 ____D C:\Users\timcaslisa.GEBRUIK-0JVN1EO\AppData\Local\Avg2013
2013-06-12 01:44 - 2013-06-12 01:44 - 00000000 ____D C:\ProgramData\MFAData
2013-06-12 01:34 - 2013-06-12 01:34 - 00000000 ____D C:\Users\timcaslisa.GEBRUIK-0JVN1EO\AppData\Roaming\Google
2013-06-12 01:34 - 2013-06-12 01:34 - 00000000 ____D C:\Users\timcaslisa.GEBRUIK-0JVN1EO\AppData\Roaming\Adobe
2013-06-12 01:34 - 2013-06-12 01:34 - 00000000 ____D C:\Users\timcaslisa.GEBRUIK-0JVN1EO\AppData\Local\Google
2013-06-12 01:34 - 2013-06-12 01:34 - 00000000 ____D C:\Users\timcaslisa.GEBRUIK-0JVN1EO\AppData\Local\ESET
2013-06-12 00:34 - 2013-06-12 00:34 - 00000020 ___SH C:\Users\timcaslisa.GEBRUIK-0JVN1EO\ntuser.ini
2013-06-12 00:34 - 2013-06-12 00:34 - 00000000 __SHD C:\Users\timcaslisa.GEBRUIK-0JVN1EO\Netwerkprinteromgeving
2013-06-12 00:34 - 2013-06-12 00:34 - 00000000 __SHD C:\Users\timcaslisa.GEBRUIK-0JVN1EO\Menu Start
2013-06-12 00:34 - 2013-06-12 00:34 - 00000000 __SHD C:\Users\timcaslisa.GEBRUIK-0JVN1EO\Documents\Mijn video's
2013-06-12 00:34 - 2013-06-12 00:34 - 00000000 __SHD C:\Users\timcaslisa.GEBRUIK-0JVN1EO\Documents\Mijn muziek
2013-06-12 00:34 - 2013-06-12 00:34 - 00000000 __SHD C:\Users\timcaslisa.GEBRUIK-0JVN1EO\AppData\Local\Geschiedenis
2013-06-12 00:34 - 2013-06-12 00:34 - 00000000 ____D C:\users\timcaslisa.GEBRUIK-0JVN1EO
2013-06-11 21:09 - 2013-06-11 21:09 - 01090308 ____A C:\ProgramData\2433f433
2013-06-11 21:09 - 2013-06-11 21:09 - 01090252 ____A C:\Users\Gebruiker\AppData\Roaming\2433f433
2013-06-11 21:09 - 2013-06-11 21:09 - 01090229 ____A C:\Users\Gebruiker\AppData\Local\2433f433
==================== One Month Modified Files and Folders ========
2013-06-13 09:24 - 2010-11-21 01:06 - 00000000 ____D C:\Windows\CSC
2013-06-13 09:22 - 2013-06-13 09:22 - 00000000 ____D C:\FRST
2013-06-13 08:36 - 2012-07-20 17:21 - 00009135 ____A C:\Windows\WindowsUpdate.log
2013-06-13 08:32 - 2013-06-12 08:02 - 00030464 ____A C:\Windows\System32\Drivers\hitmanpro37.sys
2013-06-13 08:32 - 2012-07-29 20:57 - 00001046 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-06-13 08:32 - 2012-07-21 09:50 - 00086694 ____A C:\Windows\setupact.log
2013-06-13 08:32 - 2009-07-14 05:53 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-06-13 08:31 - 2013-06-13 08:31 - 00003416 ____N C:\bootsqm.dat
2013-06-13 08:30 - 2013-06-13 08:30 - 00000000 __SHD C:\found.000
2013-06-13 00:46 - 2013-06-13 00:46 - 85212644 ____A C:\reback.reg
2013-06-12 23:59 - 2012-10-04 08:58 - 00000940 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-06-12 23:26 - 2013-06-12 23:26 - 00000000 ____D C:\Windows\pss
2013-06-12 22:13 - 2012-07-29 20:57 - 00001050 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-06-12 03:41 - 2009-07-14 00:40 - 00249856 ____A (Microsoft Corporation) C:\Windows\System32\uxtheme.dll
2013-06-12 03:40 - 2009-07-14 00:39 - 00037376 ____A (Microsoft Corporation) C:\Windows\System32\themeservice.dll
2013-06-12 03:34 - 2009-07-14 03:37 - 00000000 ____D C:\Windows\System32\LogFiles
2013-06-12 01:44 - 2013-06-12 01:44 - 00000000 ____D C:\Users\timcaslisa.GEBRUIK-0JVN1EO\AppData\Local\MFAData
2013-06-12 01:44 - 2013-06-12 01:44 - 00000000 ____D C:\Users\timcaslisa.GEBRUIK-0JVN1EO\AppData\Local\Avg2013
2013-06-12 01:44 - 2013-06-12 01:44 - 00000000 ____D C:\ProgramData\MFAData
2013-06-12 01:38 - 2009-07-14 05:34 - 00019680 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-06-12 01:38 - 2009-07-14 05:34 - 00019680 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-06-12 01:35 - 2010-11-21 00:57 - 00701564 ____A C:\Windows\System32\perfh013.dat
2013-06-12 01:35 - 2010-11-21 00:57 - 00133564 ____A C:\Windows\System32\perfc013.dat
2013-06-12 01:35 - 2010-11-20 22:01 - 01549262 ____A C:\Windows\System32\PerfStringBackup.INI
2013-06-12 01:34 - 2013-06-12 01:34 - 00000000 ____D C:\Users\timcaslisa.GEBRUIK-0JVN1EO\AppData\Roaming\Google
2013-06-12 01:34 - 2013-06-12 01:34 - 00000000 ____D C:\Users\timcaslisa.GEBRUIK-0JVN1EO\AppData\Roaming\Adobe
2013-06-12 01:34 - 2013-06-12 01:34 - 00000000 ____D C:\Users\timcaslisa.GEBRUIK-0JVN1EO\AppData\Local\Google
2013-06-12 01:34 - 2013-06-12 01:34 - 00000000 ____D C:\Users\timcaslisa.GEBRUIK-0JVN1EO\AppData\Local\ESET
2013-06-12 00:34 - 2013-06-12 00:34 - 00000020 ___SH C:\Users\timcaslisa.GEBRUIK-0JVN1EO\ntuser.ini
2013-06-12 00:34 - 2013-06-12 00:34 - 00000000 __SHD C:\Users\timcaslisa.GEBRUIK-0JVN1EO\Netwerkprinteromgeving
2013-06-12 00:34 - 2013-06-12 00:34 - 00000000 __SHD C:\Users\timcaslisa.GEBRUIK-0JVN1EO\Menu Start
2013-06-12 00:34 - 2013-06-12 00:34 - 00000000 __SHD C:\Users\timcaslisa.GEBRUIK-0JVN1EO\Documents\Mijn video's
2013-06-12 00:34 - 2013-06-12 00:34 - 00000000 __SHD C:\Users\timcaslisa.GEBRUIK-0JVN1EO\Documents\Mijn muziek
2013-06-12 00:34 - 2013-06-12 00:34 - 00000000 __SHD C:\Users\timcaslisa.GEBRUIK-0JVN1EO\AppData\Local\Geschiedenis
2013-06-12 00:34 - 2013-06-12 00:34 - 00000000 ____D C:\users\timcaslisa.GEBRUIK-0JVN1EO
2013-06-11 21:09 - 2013-06-11 21:09 - 01090308 ____A C:\ProgramData\2433f433
2013-06-11 21:09 - 2013-06-11 21:09 - 01090252 ____A C:\Users\Gebruiker\AppData\Roaming\2433f433
2013-06-11 21:09 - 2013-06-11 21:09 - 01090229 ____A C:\Users\Gebruiker\AppData\Local\2433f433
2013-06-11 11:18 - 2012-07-25 21:56 - 00000000 ___RD C:\Users\Gebruiker\Dropbox
2013-06-11 11:18 - 2012-07-25 21:53 - 00000000 ____D C:\Users\Gebruiker\AppData\Roaming\Dropbox
2013-06-10 13:45 - 2012-08-02 21:21 - 00005632 ____A C:\Users\Gebruiker\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2013-06-08 00:51 - 2009-07-14 05:53 - 00032626 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2013-06-07 05:51 - 2012-07-30 08:05 - 00006002 ____A C:\Windows\PFRO.log
2013-06-06 19:22 - 2012-07-29 20:57 - 00002129 ____A C:\Users\Public\Desktop\Google Chrome.lnk
2013-05-30 08:23 - 2012-07-25 21:56 - 00001036 ____A C:\Users\Gebruiker\Desktop\Dropbox.lnk
2013-05-21 06:11 - 2012-09-02 10:47 - 00000000 ____D C:\Users\Gebruiker\AppData\Local\Nero
2013-05-15 18:51 - 2012-07-20 20:48 - 00692104 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
2013-05-15 18:51 - 2012-07-20 20:48 - 00071048 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
==================== Known DLLs (Whitelisted) ============

==================== Bamital & volsnap Check =================
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe
[2011-11-19 17:25] - [2011-11-19 17:25] - 0287232 ____A (Microsoft Corporation) 7295110E1BF93885D29480D29D967E0F
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe
[2011-11-19 16:57] - [2011-11-19 16:57] - 0021504 ____A (Microsoft Corporation) ECDB182F885292145826C58252B53000
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys
[2011-11-19 17:06] - [2011-11-19 17:06] - 0246144 ____A (Microsoft Corporation) C2232C62CD2E44E40CDADD00BBCFE366

==================== EXE ASSOCIATION =====================
HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK
==================== Restore Points =========================

==================== Memory info ===========================
Percentage of memory in use: 11%
Total physical RAM: 4060.87 MB
Available physical RAM: 3590.55 MB
Total Pagefile: 4059.15 MB
Available Pagefile: 3601.01 MB
Total Virtual: 2047.88 MB
Available Virtual: 1941.66 MB
==================== Drives ================================
Drive c: () (Fixed) (Total:226.38 GB) (Free:98.61 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
Drive d: (Datadisk) (Fixed) (Total:465.76 GB) (Free:26.76 GB) NTFS
Drive e: (Backup disk) (Fixed) (Total:13 GB) (Free:12.68 GB) NTFS
Drive f: (Datadisk2) (Fixed) (Total:226.38 GB) (Free:226.28 GB) NTFS
Drive h: (USB) (Removable) (Total:7.44 GB) (Free:7.43 GB) FAT32
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
==================== MBR & Partition Table ==================
========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 466 GB) (Disk ID: 50A5B170)
Partition 1: (Not Active) - (Size=13 GB) - (Type=07 NTFS)
Partition 2: (Active) - (Size=226 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=226 GB) - (Type=07 NTFS)
========================================================
Disk: 1 (Size: 466 GB) (Disk ID: 9AFDD31B)
Partition 1: (Not Active) - (Size=466 GB) - (Type=07 NTFS)
========================================================
Disk: 2 (Size: 7 GB) (Disk ID: C126C0BC)
Partition 1: (Active) - (Size=7 GB) - (Type=0B)

LastRegBack: 2013-06-04 09:08
==================== End Of Log ============================

And Search.txt

Farbar Recovery Scan Tool (x86) Version: 12-06-2013 04
Ran by SYSTEM at 2013-06-13 09:39:50
Running from H:\
Boot Mode: Recovery
================== Search: "services.exe" ===================
C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe
[2009-07-14 00:11] - [2009-07-14 02:14] - 0259072 ____A (Microsoft Corporation) 5F1B6A9C35D3D5CA72D6D6FDEF9747D6
C:\Windows\System32\services.exe
[2009-07-14 00:11] - [2009-07-14 02:14] - 0259072 ____A (Microsoft Corporation) 5F1B6A9C35D3D5CA72D6D6FDEF9747D6
=== End Of Search ===

I hope you guys can help me out! Thanks!!


Hi there,

my name is Marius and I will be assisting you with your Malware related problems.

Before we move on, please read the following points carefully.

  • First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while you are following my instructions, stop there and tell me the exact nature of your problem.
  • Do not run any other scans or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you cannot post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  • My first language is not English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

Fix with FRST

  • Open notepad (Start =>All Programs => Accessories => Notepad).
  • Please copy the entire contents of the code box below.
    (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt
    HKU\Gebruiker\...\Command Processor: "C:\Users\GEBRUI~1\AppData\Local\Temp\moniragi.exe" <===== ATTENTION!

    C:\Users\GEBRUI~1\AppData\Local\Temp\moniragi.exe
    C:\ProgramData\2433f433
    C:\Users\Gebruiker\AppData\Roaming\2433f433
    C:\Users\Gebruiker\AppData\Local\2433f433


    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system
    Now please enter System Recovery Options again.

  • Run frst.exe (on 64bit, run frst64.exe) and press the Fix button just once and wait.
  • The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

Boot your machine normally - it should start now. If it doesn't, report that.

Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location.
  • The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Post that log back here.

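As an added example (it is not part of this thread and not FRST's own code), the following Python script does on a handful of log lines what the first post's FRST.txt and Marius's fixlist do by hand: it picks up FRST's own `<===== ATTENTION!` marker, an autostart whose target lives in a Temp directory, Run entries whose version info names no publisher, and an extension-less hex-named file dropped into ProgramData and both AppData roots in the same minute, then drafts a fixlist in the layout used above (registry lines verbatim, file paths underneath). The sample lines are copied in shape from the posted log; the heuristics, the `Finding` structure and the "fix"/"review" split are my assumptions, and the output is a draft for a human to check before it goes anywhere near the Fix button.

```python
"""Triage FRST log lines and draft a fixlist (added example, not FRST's own code)."""
import re
from collections import defaultdict
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List, Optional

# Constructed sample, copied in shape from the FRST.txt posted above.
SAMPLE_LOG = r"""
HKLM\...\Run: [Cmiboot] C:\Windows\cmiboot.exe [65536 2007-02-07] ()
HKLM\...\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice [3117344 2012-03-07] (ESET)
HKU\Gebruiker\...\Winlogon: [Shell] Explorer.exe
HKU\Gebruiker\...\Command Processor: "C:\Users\GEBRUI~1\AppData\Local\Temp\moniragi.exe" <===== ATTENTION!
2013-06-13 09:22 - 2013-06-13 09:22 - 00000000 ____D C:\FRST
2013-06-11 21:09 - 2013-06-11 21:09 - 01090308 ____A C:\ProgramData\2433f433
2013-06-11 21:09 - 2013-06-11 21:09 - 01090252 ____A C:\Users\Gebruiker\AppData\Roaming\2433f433
2013-06-11 21:09 - 2013-06-11 21:09 - 01090229 ____A C:\Users\Gebruiker\AppData\Local\2433f433
"""
ATTENTION = "<===== ATTENTION!"
REG_LINE = re.compile(r"^(HKLM|HKU)\\.*?\\[^\\:]+: (?P<rest>.*)$")
TRAILER = re.compile(r"\s*\[\s*\d*\s+\d{4}-\d\d-\d\d\]\s*(?:\((?P<pub>.*)\))?\s*$")  # "[size date] (Publisher)"
EXE = re.compile(r"^.*?\.(?:exe|dll|scr|com|bat|cmd|vbs|js)\b", re.I)
FILE_LINE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d - \d{4}-\d\d-\d\d \d\d:\d\d - \d+ \S{5} (?:\([^)]*\) )?(?P<path>.+)$")
HEX_NAME = re.compile(r"^[0-9a-f]{6,16}$")
DROP_ROOTS = ("\\programdata", "\\appdata\\roaming", "\\appdata\\local")
USER_WRITABLE = ("\\appdata\\", "\\programdata\\", "\\users\\public\\")

@dataclass
class Finding:
    severity: str        # "fix" = strong indicator, "review" = needs a human look (assumed split)
    reason: str
    line: str            # log line verbatim; FRST accepts registry lines unchanged in a fixlist
    path: Optional[str]  # file to remove alongside the registry value, if any

def extract_target(cmdline: str) -> Optional[str]:
    """Executable path from an autostart command line, quoted or not, arguments dropped."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end] if end > 1 else None
    m = EXE.match(cmdline)
    return m.group(0) if m else None

def check_registry(line: str) -> Optional[Finding]:
    m = REG_LINE.match(line)
    if not m:
        return None
    rest = m.group("rest")
    if rest.startswith("["):                  # "[ValueName] command line": drop the name
        rest = rest[rest.index("]") + 1:]
    t = TRAILER.search(rest)
    publisher = t.group("pub") if t else None  # "" means the version info names no company
    if t:
        rest = rest[:t.start()]
    target = extract_target(rest.replace(ATTENTION, ""))
    low = (target or "").lower()
    if ATTENTION in rest:
        return Finding("fix", "marked by FRST", line, target)
    if "\\temp\\" in low:
        return Finding("fix", "autostart target in a Temp directory", line, target)
    if any(d in low for d in USER_WRITABLE):
        return Finding("review", "autostart target in a user-writable directory", line, target)
    if publisher == "":
        return Finding("review", "no publisher in version info", line, target)
    return None

def check_file(line: str) -> Optional[Finding]:
    m = FILE_LINE.match(line)
    if not m:
        return None
    path = m.group("path").strip()
    p = PureWindowsPath(path)
    if HEX_NAME.match(p.name) and str(p.parent).lower().endswith(DROP_ROOTS):
        return Finding("review", "extension-less hex-named file in a profile root", line, path)
    return None

def triage(log_text: str) -> List[Finding]:
    checks = (check_registry(ln) or check_file(ln) for ln in log_text.splitlines())
    findings = [f for f in checks if f]
    # One random name dropped into several roots in the same scan is the dropper pattern: promote it.
    by_name = defaultdict(list)
    for f in findings:
        if f.reason.startswith("extension-less"):
            by_name[PureWindowsPath(f.path).name.lower()].append(f)
    for group in by_name.values():
        if len(group) >= 2:
            for f in group:
                f.severity, f.reason = "fix", f.reason + " (same name in %d locations)" % len(group)
    return findings

def build_fixlist(findings: List[Finding]) -> str:
    """Registry lines verbatim first, then the file paths, in the layout the helper used."""
    reg, files = [], []
    for f in findings:
        if f.severity != "fix":
            continue
        if f.line.startswith(("HKLM", "HKU")):
            reg.append(f.line)
        if f.path and f.path not in files:
            files.append(f.path)
    return "\n".join(reg + [""] + files) + "\n"
```

Run `print(build_fixlist(triage(SAMPLE_LOG)))` to see the draft. On the sample it contains only the Command Processor line, its Temp target and the three 2433f433 files; the unsigned `cmiboot.exe` Run entry is reported as "review" and deliberately kept out of the fixlist, because a missing publisher on its own is not evidence of anything and a fixlist moves files whether or not they are malicious.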

Wow Marius, thanks for your quick reply!

I ran the fixlist.txt with FRST.exe, this is its log:


Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 12-06-2013 04
Ran by SYSTEM at 2013-06-13 10:13:02 Run:1
Running from H:\
Boot Mode: Recovery

==============================================

HKU\Gebruiker\Software\Microsoft\Command Processor\\AutoRun => Value deleted successfully.
C:\Users\GEBRUI~1\AppData\Local\Temp\moniragi.exe => Moved successfully.
C:\ProgramData\2433f433 => Moved successfully.
C:\Users\Gebruiker\AppData\Roaming\2433f433 => Moved successfully.
C:\Users\Gebruiker\AppData\Local\2433f433 => Moved successfully.

==== End of Fixlog ====

Unfortunately, after rebooting the police screen did show up again. Damn, any idea what I should do now?


Thanks. If you mean by saying 'whitelist section' the group of six checkboxes: Registry is already checked. When I run the scan, this is the log result:

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 12-06-2013 04
Ran by SYSTEM on 13-06-2013 10:48:27
Running from H:\
Windows 7 Ultimate Service Pack 1 (X86) OS Language: Dutch Standard
Internet Explorer Version 9
Boot Mode: Recovery

The current controlset is ControlSet001
ATTENTION!:=====> FRST is updated to run from normal or Safe mode to produce a full FRST.txt log and Addition.txt log.

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [Cmiboot] C:\Windows\cmiboot.exe [65536 2007-02-07] ()
HKLM\...\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe [267632 2010-09-17] (Alps Electric Co., Ltd.)
HKLM\...\Run: [ETDWare] %ProgramFiles%\Elantech\ETDCtrl.exe [1861416 2011-07-28] (ELAN Microelectronics Corp.)
HKLM\...\Run: [ETDCtrl] %ProgramFiles%\Elantech\ETDCtrl.exe [1861416 2011-07-28] (ELAN Microelectronics Corp.)
HKLM\...\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [2274600 2011-06-09] (Synaptics Incorporated)
HKLM\...\Run: [RTHDVCPL] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe -s [11430504 2011-10-17] (Realtek Semiconductor)
HKLM\...\Run: [SAOB Monitor] C:\Program Files\Acronis\OnlineBackupStandalone\TrueImageMonitor.exe [2536752 2010-09-02] (Acronis)
HKLM\...\Run: [TrueImageMonitor.exe] "C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe" [5508416 2010-09-22] (Acronis)
HKLM\...\Run: [Acronis Scheduler2Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe" [391008 2010-09-22] (Acronis)
HKLM\...\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice [3117344 2012-03-07] (ESET)
HKLM\...\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [32768 2004-06-28] (Cyberlink Corp.)
HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [958576 2013-04-04] (Adobe Systems Incorporated)
HKLM\...\Run: [NBAgent] "C:\Program Files\Nero\Nero 11\Nero BackItUp\NBAgent.exe" /WinStart [1493288 2011-09-20] (Nero AG)
HKU\Gebruiker\...\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\DTLite.exe" -autorun [ 2012-04-17] (DT Soft Ltd)
HKU\Gebruiker\...\Winlogon: [Shell] Explorer.exe
Startup: C:\Users\Gebruiker\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk -> (No File)

========================== Services (Whitelisted) =================

S2 AcrSch2Svc; C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe [780224 2010-09-22] (Acronis)
S2 afcdpsrv; C:\Program Files\Common Files\Acronis\CDP\afcdpsrv.exe [3975088 2012-07-21] (Acronis)
S2 ekrn; C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe [913144 2012-03-07] (ESET)
S3 HitmanPro37Crusader; C:\Program Files\HitmanPro\HitmanPro.exe [9171472 2013-06-04] (SurfRight B.V.)
S2 HitmanProScheduler; C:\Program Files\HitmanPro\hmpsched.exe [106280 2013-06-04] (SurfRight B.V.)
S2 NAUpdate; C:\Program Files\Nero\Update\NASvc.exe [641832 2011-09-23] (Nero AG)

==================== Drivers (Whitelisted) ====================

S3 2310_00; C:\Windows\system32\drivers\2310_00.sys [135200 2009-06-12] (HighPoint Technologies, Inc.)
S3 272x_1x; C:\Windows\system32\drivers\272x_1x.sys [554080 2011-09-05] (HighPoint Technologies, Inc.)
S3 274x_3x; C:\Windows\system32\drivers\274x_3x.sys [190048 2011-05-27] (HighPoint Technologies, Inc.)
S3 ahcix86; C:\Windows\system32\drivers\ahcix86.sys [214096 2010-09-23] (Advanced Micro Devices, Inc)
S3 ahcix86s; C:\Windows\system32\drivers\ahcix86s.sys [184120 2009-07-14] (Advanced Micro Devices, Inc)
S3 amdhub30; C:\Windows\system32\drivers\amdhub30.sys [70272 2011-03-17] (Advanced Micro Devices, INC.)
S3 amdxhc; C:\Windows\system32\drivers\amdxhc.sys [149632 2011-03-17] (Advanced Micro Devices, INC.)
S3 amd_sata; C:\Windows\system32\drivers\amd_sata.sys [65664 2011-03-04] (Advanced Micro Devices)
S0 amd_xata; C:\Windows\System32\drivers\amd_xata.sys [32896 2011-03-04] (Advanced Micro Devices)
S3 arcm_x86; C:\Windows\system32\drivers\arcm_x86.sys [43552 2009-11-09] (ARECA Technology Corporation)
S3 asahci32; C:\Windows\system32\drivers\asahci32.sys [32864 2011-05-04] (Asmedia Technology)
S3 asmthub3; C:\Windows\system32\drivers\asmthub3.sys [102376 2011-09-28] (ASMedia Technology Inc)
S3 asmtxhci; C:\Windows\system32\drivers\asmtxhci.sys [311784 2011-09-28] (ASMedia Technology Inc)
S3 b06diag; C:\Windows\system32\drivers\bxdiagx.sys [76840 2010-12-16] (Broadcom Corporation)
S3 BFN7x86; C:\Windows\system32\drivers\Xeno7x86.sys [129640 2011-01-14] (Bigfoot Networks, Inc.)
S3 BFNVis32; C:\Windows\system32\drivers\XenoVx86.sys [129640 2011-01-14] (Bigfoot Networks, Inc.)
S3 BXOIS; C:\Windows\system32\drivers\bxois.sys [431144 2010-12-10] (Broadcom Corporation)
S3 cbaf; C:\Windows\System32\Drivers\cbaf.sys [11008 2007-11-03] (Intel Corp.)
S3 CMISTOR; C:\Windows\system32\drivers\cmiucr.SYS [93056 2007-01-12] (C-Media Corporation)
S3 DC133; C:\Windows\system32\drivers\DC133.sys [36328 2011-05-02] (Dawicontrol GmbH)
S3 DC150; C:\Windows\system32\drivers\DC150.sys [36824 2011-05-02] (Dawicontrol GmbH)
S3 DC154; C:\Windows\system32\drivers\DC154.sys [44376 2011-05-02] (Dawicontrol GmbH)
S3 DC300e; C:\Windows\system32\drivers\DC300e.sys [37272 2011-05-02] (Dawicontrol GmbH)
S0 DC324e; C:\Windows\System32\drivers\DC324e.sys [45816 2011-05-02] (Dawicontrol GmbH)
S0 DC3410; C:\Windows\System32\drivers\DC3410.sys [44360 2011-05-02] (Dawicontrol GmbH)
S3 DC4300; C:\Windows\system32\drivers\DC4300.sys [44392 2011-05-02] (Dawicontrol GmbH)
S3 DC600e; C:\Windows\system32\drivers\DC600e.sys [37752 2011-05-02] (Dawicontrol GmbH)
S3 dfuuwb; C:\Windows\System32\Drivers\DfuUWB.sys [500736 2008-09-11] (Intel Corp.)
S1 dtsoftbus01; C:\Windows\System32\DRIVERS\dtsoftbus01.sys [242240 2012-07-20] (DT Soft Ltd)
S1 eamonm; C:\Windows\System32\DRIVERS\eamonm.sys [169080 2012-03-14] (ESET)
S1 ehdrv; C:\Windows\System32\DRIVERS\ehdrv.sys [120152 2012-03-14] (ESET)
S3 enecirhid; C:\Windows\system32\drivers\enecirhid.sys [17232 2009-12-25] (ENE TECHNOLOGY INC.)
S3 enecirhidma; C:\Windows\system32\drivers\enecirhidma.sys [11088 2009-12-25] (ENE TECHNOLOGY INC.)
S2 epfwwfpr; C:\Windows\System32\DRIVERS\epfwwfpr.sys [103112 2012-03-14] (ESET)
S3 ETD; C:\Windows\system32\drivers\ETD.sys [157480 2011-07-28] (ELAN Microelectronics Corp.)
S3 EtronHub3; C:\Windows\System32\Drivers\EtronHub3.sys [45056 2011-08-17] (Etron Technology Inc)
S3 EtronXHCI; C:\Windows\System32\Drivers\EtronXHCI.sys [64896 2011-08-17] (Etron Technology Inc)
S3 FilterService; C:\Windows\system32\drivers\lvuvcflt.sys [23832 2009-10-07] (Logitech Inc.)
S3 FLxHCIc; C:\Windows\system32\drivers\FLxHCIc.sys [152064 2011-07-06] (Fresco Logic)
S3 FLxHCIh; C:\Windows\system32\drivers\FLxHCIh.sys [47104 2011-07-06] (Fresco Logic)
S3 FTDIBUS; C:\Windows\system32\drivers\ftdibus.sys [61704 2011-03-18] (FTDI Ltd.)
S3 FUJ02B1; C:\Windows\system32\drivers\FUJ02B1.sys [5888 2006-11-01] (FUJITSU LIMITED)
S3 FUJ02E1; C:\Windows\System32\Drivers\FUJ02E1.sys [5632 2004-10-17] (Fujitsu Limited)
S3 hcw99rc; C:\Windows\System32\Drivers\hcw99rc.sys [10368 2007-03-23] (Hauppauge Computer Works, Inc.)
S3 hitmanpro37; C:\Windows\system32\drivers\hitmanpro37.sys [30464 2013-06-13] ()
S3 hptiop; C:\Windows\system32\drivers\hptiop.sys [15008 2009-04-28] (HighPoint Technologies, Inc.)
S3 hptmv; C:\Windows\system32\drivers\hptmv.sys [71968 2006-09-27] (HighPoint Technologies, Inc.)
S3 hptmv6; C:\Windows\system32\drivers\hptmv6.sys [120352 2007-11-01] (HighPoint Technologies, Inc.)
S3 HWA; C:\Windows\System32\Drivers\HWA.sys [53376 2008-09-29] (Intel Corp.)
S3 IFCoEMP; C:\Windows\system32\drivers\ifM60x32.sys [269584 2011-06-15] (Intel(R) Corporation)
S3 IFCoEVB; C:\Windows\system32\drivers\ifP60X32.sys [61712 2011-06-15] (Intel(R) Corporation)
S3 ioatdma1; C:\Windows\System32\Drivers\qd16032.sys [36552 2009-11-16] (Intel Corporation)
S3 ioatdma2; C:\Windows\System32\Drivers\qd26032.sys [37576 2009-11-16] (Intel Corporation)
S3 iSSetup; C:\Windows\system32\drivers\iSSetup.sys [75672 2007-06-19] (Intel Corporation)
S3 itecir; C:\Windows\system32\drivers\itecir.sys [65640 2010-07-13] (ITE Tech. Inc. )
S3 iteraid; C:\Windows\system32\drivers\iteraid.sys [29184 2007-05-02] (ITE Tech. Inc.)
S3 johci; C:\Windows\system32\drivers\johci.sys [23640 2011-02-09] (JMicron Technology Corp.)
S3 JRAID; C:\Windows\system32\drivers\jraid.sys [103512 2011-05-19] (JMicron Technology Corp.)
S3 m5288; C:\Windows\system32\drivers\m5288.sys [211072 2006-07-19] (ULi Electronics Inc.)
S3 m5289; C:\Windows\system32\drivers\m5289.sys [52480 2005-07-04] (ULi Electronics Inc.)
S3 MegaSR1; C:\Windows\system32\drivers\MegaSR1.sys [407120 2010-06-15] (LSI Corporation, Inc.)
S3 MEI; C:\Windows\system32\drivers\HECI.sys [41216 2011-09-22] (Intel Corporation)
S3 MODRC; C:\Windows\system32\drivers\modrc.sys [13056 2006-11-14] (DiBcom S.A.)
S3 MTsensor; C:\Windows\system32\drivers\ASACPI.sys [7680 2009-06-03] ()
S3 mv61xx; C:\Windows\system32\drivers\mv61xx.sys [159024 2010-10-26] (Marvell Semiconductor, Inc.)
S3 mv91cons; C:\Windows\system32\drivers\mv91cons.sys [21808 2011-06-16] (Marvell Semiconductor Inc.)
S3 mv91xx; C:\Windows\system32\drivers\mv91xx.sys [273712 2011-06-16] (Marvell Semiconductor, Inc.)
S3 MxEF; C:\Windows\system32\drivers\MxEF32.sys [81920 2011-08-15] (Matrox Graphics Inc.)
S3 MxEFLF; C:\Windows\system32\drivers\MxEFLF32.sys [80384 2011-08-15] (Matrox Graphics Inc.)
S3 MxEFUF; C:\Windows\system32\drivers\MxEFUF32.sys [108544 2011-08-15] (Matrox Graphics Inc.)
S3 MxEMgr; C:\Windows\system32\drivers\MxEMgr32.sys [92192 2011-08-16] (Matrox Graphics Inc.)
S3 NETwNs32; C:\Windows\System32\DRIVERS\NETwNs32.sys [7087616 2011-01-19] (Intel Corporation)
S3 nusb3hub; C:\Windows\system32\drivers\nusb3hub.sys [73344 2011-09-13] (Renesas Electronics Corporation)
S3 nusb3xhc; C:\Windows\system32\drivers\nusb3xhc.sys [164736 2011-09-13] (Renesas Electronics Corporation)
S3 nvamacpi; C:\Windows\system32\drivers\NVAMACPI.sys [24608 2009-07-17] (NVIDIA Corporation)
S3 pfc; C:\Windows\System32\drivers\pfc.sys [10368 2003-12-05] (Padus, Inc.)
S3 risdpcie; C:\Windows\system32\drivers\risdpe86.sys [47616 2009-10-28] (REDC)
S3 risdxc; C:\Windows\system32\drivers\risdxc86.sys [72704 2010-12-28] (REDC)
S3 rixdpcie; C:\Windows\system32\drivers\rixdpe86.sys [38912 2009-12-11] (REDC)
S3 rr172x; C:\Windows\system32\drivers\rr172x.sys [101920 2007-11-01] (HighPoint Technologies, Inc.)
S3 rr174x; C:\Windows\system32\drivers\rr174x.sys [126496 2007-11-01] (HighPoint Technologies, Inc.)
S3 rr2210; C:\Windows\system32\drivers\rr2210.sys [122400 2007-11-01] (HighPoint Technologies, Inc.)
S3 rr232x; C:\Windows\system32\drivers\rr232x.sys [120352 2008-05-05] (HighPoint Technologies, Inc.)
S3 rr2340; C:\Windows\system32\drivers\rr2340.sys [128608 2009-12-31] (HighPoint Technologies, Inc.)
S3 rr2522; C:\Windows\system32\drivers\rr2522.sys [132704 2009-12-31] (HighPoint Technologies, Inc.)
S3 rr276x; C:\Windows\system32\drivers\rr276x.sys [184928 2010-10-12] (HighPoint Technologies, Inc.)
S3 rr278x; C:\Windows\system32\drivers\rr278x.sys [186456 2011-05-16] (HighPoint Technologies, Inc.)
S3 rr62x; C:\Windows\system32\drivers\rr62x.sys [123488 2010-06-16] (HighPoint Technologies, Inc.)
S3 rusb3hub; C:\Windows\system32\drivers\rusb3hub.sys [77568 2011-09-15] (Renesas Electronics Corporation)
S3 rusb3xhc; C:\Windows\system32\drivers\rusb3xhc.sys [167680 2011-09-15] (Renesas Electronics Corporation)
S3 SI3112; C:\Windows\system32\drivers\SI3112.sys [69168 2007-01-26] (Silicon Image, Inc.)
S3 SI3112r; C:\Windows\system32\drivers\SI3112r.sys [110128 2007-02-01] (Silicon Image, Inc)
S3 SI3114; C:\Windows\system32\drivers\SI3114.sys [68912 2006-11-10] (Silicon Image, Inc.)
S3 SI3114r; C:\Windows\system32\drivers\SI3114R.sys [110384 2007-04-11] (Silicon Image, Inc)
S3 Si3114r5; C:\Windows\system32\drivers\Si3114r5.sys [209200 2007-02-07] (Silicon Image, Inc)
S3 SI3124; C:\Windows\system32\drivers\SI3124.sys [76208 2006-11-02] (Silicon Image, Inc.)
S3 Si3124r5; C:\Windows\system32\drivers\Si3124r5.sys [207152 2006-09-20] (Silicon Image, Inc)
S3 SI3132; C:\Windows\system32\drivers\SI3132.sys [80424 2007-10-03] (Silicon Image, Inc)
S3 Si3132r5; C:\Windows\system32\drivers\Si3132r5.sys [217128 2008-10-30] (Silicon Image, Inc)
S3 Si3531; C:\Windows\system32\drivers\Si3531.sys [212520 2009-02-05] (Silicon Image, Inc)
S0 SiFilter; C:\Windows\System32\drivers\SiWinAcc.sys [19240 2007-10-03] (Silicon Image, Inc)
S0 SiRemFil; C:\Windows\System32\drivers\SiRemFil.sys [15400 2007-10-03] (Silicon Image, Inc)
S3 TTP7; C:\Windows\system32\drivers\ttp7up.sys [12928 2005-11-09] (TerraTec)
S3 uagp35; C:\Windows\system32\drivers\sisagpx.sys [58400 2009-08-01] (Silicon Integrated Systems Corporation)
S3 uwbusb; C:\Windows\System32\Drivers\usbuwbmini.sys [9600 2008-09-15] (Intel Corp.)
S3 vcrdrx32; C:\Windows\system32\drivers\vcrdrx32.sys [99952 2010-08-13] (VIA Technologies, Inc.)
S3 viamraid; C:\Windows\system32\drivers\viamraid.sys [141424 2010-12-02] (VIA Technologies Inc.,Ltd)
S3 videX32; C:\Windows\system32\drivers\videX32.sys [13976 2010-02-11] (VIA Technologies, Inc.)
S3 winbondcir; C:\Windows\System32\DRIVERS\winbondcir.sys [43008 2007-03-28] (Winbond Electronics Corporation)
S3 WinTVCIUSB; C:\Windows\system32\drivers\hcw11.sys [91136 2008-02-28] (Hauppauge Computer Works, Inc.)
S3 WmBEnum; C:\Windows\system32\drivers\WmBEnum.sys [19336 2008-01-24] (Logitech Inc.)
S3 WmFilter; C:\Windows\system32\drivers\WmFilter.sys [28168 2008-01-24] (Logitech Inc.)
S3 WmHidLo; C:\Windows\system32\drivers\WmHidLo.sys [29192 2008-01-24] (Logitech Inc.)
S3 WmVirHid; C:\Windows\system32\drivers\WmVirHid.sys [14728 2008-01-24] (Logitech Inc.)
S3 WmXlCore; C:\Windows\system32\drivers\WmXlCore.sys [48904 2008-01-24] (Logitech Inc.)
S0 xfilt; C:\Windows\System32\drivers\xfilt.sys [23192 2010-02-11] (VIA Technologies, Inc.)
S3 VGPU; System32\drivers\rdvgkmd.sys [x]

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2013-06-13 09:22 - 2013-06-13 09:22 - 00000000 ____D C:\FRST
2013-06-13 08:31 - 2013-06-13 08:31 - 00003416 ____N C:\bootsqm.dat
2013-06-13 08:30 - 2013-06-13 08:30 - 00000000 __SHD C:\found.000
2013-06-13 00:46 - 2013-06-13 00:46 - 85212644 ____A C:\reback.reg
2013-06-12 23:26 - 2013-06-12 23:26 - 00000000 ____D C:\Windows\pss
2013-06-12 08:02 - 2013-06-13 09:14 - 00030464 ____A C:\Windows\System32\Drivers\hitmanpro37.sys
2013-06-12 01:44 - 2013-06-12 01:44 - 00000000 ____D C:\Users\timcaslisa.GEBRUIK-0JVN1EO\AppData\Local\MFAData
2013-06-12 01:44 - 2013-06-12 01:44 - 00000000 ____D C:\Users\timcaslisa.GEBRUIK-0JVN1EO\AppData\Local\Avg2013
2013-06-12 01:44 - 2013-06-12 01:44 - 00000000 ____D C:\ProgramData\MFAData
2013-06-12 01:34 - 2013-06-12 01:34 - 00000000 ____D C:\Users\timcaslisa.GEBRUIK-0JVN1EO\AppData\Roaming\Google
2013-06-12 01:34 - 2013-06-12 01:34 - 00000000 ____D C:\Users\timcaslisa.GEBRUIK-0JVN1EO\AppData\Roaming\Adobe
2013-06-12 01:34 - 2013-06-12 01:34 - 00000000 ____D C:\Users\timcaslisa.GEBRUIK-0JVN1EO\AppData\Local\Google
2013-06-12 01:34 - 2013-06-12 01:34 - 00000000 ____D C:\Users\timcaslisa.GEBRUIK-0JVN1EO\AppData\Local\ESET
2013-06-12 00:34 - 2013-06-12 00:34 - 00000020 ___SH C:\Users\timcaslisa.GEBRUIK-0JVN1EO\ntuser.ini
2013-06-12 00:34 - 2013-06-12 00:34 - 00000000 __SHD C:\Users\timcaslisa.GEBRUIK-0JVN1EO\Netwerkprinteromgeving
2013-06-12 00:34 - 2013-06-12 00:34 - 00000000 __SHD C:\Users\timcaslisa.GEBRUIK-0JVN1EO\Menu Start
2013-06-12 00:34 - 2013-06-12 00:34 - 00000000 __SHD C:\Users\timcaslisa.GEBRUIK-0JVN1EO\Documents\Mijn video's
2013-06-12 00:34 - 2013-06-12 00:34 - 00000000 __SHD C:\Users\timcaslisa.GEBRUIK-0JVN1EO\Documents\Mijn muziek
2013-06-12 00:34 - 2013-06-12 00:34 - 00000000 __SHD C:\Users\timcaslisa.GEBRUIK-0JVN1EO\AppData\Local\Geschiedenis
2013-06-12 00:34 - 2013-06-12 00:34 - 00000000 ____D C:\users\timcaslisa.GEBRUIK-0JVN1EO

==================== One Month Modified Files and Folders ========

2013-06-13 09:24 - 2010-11-21 01:06 - 00000000 ____D C:\Windows\CSC
2013-06-13 09:22 - 2013-06-13 09:22 - 00000000 ____D C:\FRST
2013-06-13 09:18 - 2012-07-20 17:21 - 00018000 ____A C:\Windows\WindowsUpdate.log
2013-06-13 09:14 - 2013-06-12 08:02 - 00030464 ____A C:\Windows\System32\Drivers\hitmanpro37.sys
2013-06-13 09:14 - 2012-07-29 20:57 - 00001046 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-06-13 09:14 - 2012-07-21 09:50 - 00086750 ____A C:\Windows\setupact.log
2013-06-13 09:14 - 2009-07-14 05:53 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-06-13 08:31 - 2013-06-13 08:31 - 00003416 ____N C:\bootsqm.dat
2013-06-13 08:30 - 2013-06-13 08:30 - 00000000 __SHD C:\found.000
2013-06-13 00:46 - 2013-06-13 00:46 - 85212644 ____A C:\reback.reg
2013-06-12 23:59 - 2012-10-04 08:58 - 00000940 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-06-12 23:26 - 2013-06-12 23:26 - 00000000 ____D C:\Windows\pss
2013-06-12 22:13 - 2012-07-29 20:57 - 00001050 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-06-12 03:41 - 2009-07-14 00:40 - 00249856 ____A (Microsoft Corporation) C:\Windows\System32\uxtheme.dll
2013-06-12 03:40 - 2009-07-14 00:39 - 00037376 ____A (Microsoft Corporation) C:\Windows\System32\themeservice.dll
2013-06-12 03:34 - 2009-07-14 03:37 - 00000000 ____D C:\Windows\System32\LogFiles
2013-06-12 01:44 - 2013-06-12 01:44 - 00000000 ____D C:\Users\timcaslisa.GEBRUIK-0JVN1EO\AppData\Local\MFAData
2013-06-12 01:44 - 2013-06-12 01:44 - 00000000 ____D C:\Users\timcaslisa.GEBRUIK-0JVN1EO\AppData\Local\Avg2013
2013-06-12 01:44 - 2013-06-12 01:44 - 00000000 ____D C:\ProgramData\MFAData
2013-06-12 01:38 - 2009-07-14 05:34 - 00019680 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-06-12 01:38 - 2009-07-14 05:34 - 00019680 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-06-12 01:35 - 2010-11-21 00:57 - 00701564 ____A C:\Windows\System32\perfh013.dat
2013-06-12 01:35 - 2010-11-21 00:57 - 00133564 ____A C:\Windows\System32\perfc013.dat
2013-06-12 01:35 - 2010-11-20 22:01 - 01549262 ____A C:\Windows\System32\PerfStringBackup.INI
2013-06-12 01:34 - 2013-06-12 01:34 - 00000000 ____D C:\Users\timcaslisa.GEBRUIK-0JVN1EO\AppData\Roaming\Google
2013-06-12 01:34 - 2013-06-12 01:34 - 00000000 ____D C:\Users\timcaslisa.GEBRUIK-0JVN1EO\AppData\Roaming\Adobe
2013-06-12 01:34 - 2013-06-12 01:34 - 00000000 ____D C:\Users\timcaslisa.GEBRUIK-0JVN1EO\AppData\Local\Google
2013-06-12 01:34 - 2013-06-12 01:34 - 00000000 ____D C:\Users\timcaslisa.GEBRUIK-0JVN1EO\AppData\Local\ESET
2013-06-12 00:34 - 2013-06-12 00:34 - 00000020 ___SH C:\Users\timcaslisa.GEBRUIK-0JVN1EO\ntuser.ini
2013-06-12 00:34 - 2013-06-12 00:34 - 00000000 __SHD C:\Users\timcaslisa.GEBRUIK-0JVN1EO\Netwerkprinteromgeving
2013-06-12 00:34 - 2013-06-12 00:34 - 00000000 __SHD C:\Users\timcaslisa.GEBRUIK-0JVN1EO\Menu Start
2013-06-12 00:34 - 2013-06-12 00:34 - 00000000 __SHD C:\Users\timcaslisa.GEBRUIK-0JVN1EO\Documents\Mijn video's
2013-06-12 00:34 - 2013-06-12 00:34 - 00000000 __SHD C:\Users\timcaslisa.GEBRUIK-0JVN1EO\Documents\Mijn muziek
2013-06-12 00:34 - 2013-06-12 00:34 - 00000000 __SHD C:\Users\timcaslisa.GEBRUIK-0JVN1EO\AppData\Local\Geschiedenis
2013-06-12 00:34 - 2013-06-12 00:34 - 00000000 ____D C:\users\timcaslisa.GEBRUIK-0JVN1EO
2013-06-11 11:18 - 2012-07-25 21:56 - 00000000 ___RD C:\Users\Gebruiker\Dropbox
2013-06-11 11:18 - 2012-07-25 21:53 - 00000000 ____D C:\Users\Gebruiker\AppData\Roaming\Dropbox
2013-06-10 13:45 - 2012-08-02 21:21 - 00005632 ____A C:\Users\Gebruiker\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2013-06-08 00:51 - 2009-07-14 05:53 - 00032626 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2013-06-07 05:51 - 2012-07-30 08:05 - 00006002 ____A C:\Windows\PFRO.log
2013-06-06 19:22 - 2012-07-29 20:57 - 00002129 ____A C:\Users\Public\Desktop\Google Chrome.lnk
2013-05-30 08:23 - 2012-07-25 21:56 - 00001036 ____A C:\Users\Gebruiker\Desktop\Dropbox.lnk
2013-05-21 06:11 - 2012-09-02 10:47 - 00000000 ____D C:\Users\Gebruiker\AppData\Local\Nero
2013-05-15 18:51 - 2012-07-20 20:48 - 00692104 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
2013-05-15 18:51 - 2012-07-20 20:48 - 00071048 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl

==================== Known DLLs (Whitelisted) ============


==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe
[2011-11-19 17:25] - [2011-11-19 17:25] - 0287232 ____A (Microsoft Corporation) 7295110E1BF93885D29480D29D967E0F

C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe
[2011-11-19 16:57] - [2011-11-19 16:57] - 0021504 ____A (Microsoft Corporation) ECDB182F885292145826C58252B53000

C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys
[2011-11-19 17:06] - [2011-11-19 17:06] - 0246144 ____A (Microsoft Corporation) C2232C62CD2E44E40CDADD00BBCFE366


==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================


==================== Memory info ===========================

Percentage of memory in use: 11%
Total physical RAM: 4060.87 MB
Available physical RAM: 3586.32 MB
Total Pagefile: 4059.15 MB
Available Pagefile: 3608.7 MB
Total Virtual: 2047.88 MB
Available Virtual: 1937.57 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:226.38 GB) (Free:98.61 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
Drive d: (Datadisk) (Fixed) (Total:465.76 GB) (Free:26.76 GB) NTFS
Drive e: (Backup disk) (Fixed) (Total:13 GB) (Free:12.68 GB) NTFS
Drive f: (Datadisk2) (Fixed) (Total:226.38 GB) (Free:226.28 GB) NTFS
Drive h: (USB) (Removable) (Total:7.44 GB) (Free:7.43 GB) FAT32
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 466 GB) (Disk ID: 50A5B170)
Partition 1: (Not Active) - (Size=13 GB) - (Type=07 NTFS)
Partition 2: (Active) - (Size=226 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=226 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (Size: 466 GB) (Disk ID: 9AFDD31B)
Partition 1: (Not Active) - (Size=466 GB) - (Type=07 NTFS)

========================================================
Disk: 2 (Size: 7 GB) (Disk ID: C126C0BC)
Partition 1: (Active) - (Size=7 GB) - (Type=0B)


LastRegBack: 2013-06-04 09:08

==================== End Of Log ============================


This is the log with the checkbox 'Registry' unchecked:

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 12-06-2013 04
Ran by SYSTEM on 13-06-2013 10:51:58
Running from H:\
Windows 7 Ultimate Service Pack 1 (X86) OS Language: Dutch Standard
Internet Explorer Version 9
Boot Mode: Recovery

The current controlset is ControlSet001
ATTENTION!:=====> FRST is updated to run from normal or Safe mode to produce a full FRST.txt log and Addition.txt log.

==================== Registry (All) ===========================

HKLM\...\Run: [Cmiboot] C:\Windows\cmiboot.exe [65536 2007-02-07] ()
HKLM\...\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe [267632 2010-09-17] (Alps Electric Co., Ltd.)
HKLM\...\Run: [ETDWare] %ProgramFiles%\Elantech\ETDCtrl.exe [1861416 2011-07-28] (ELAN Microelectronics Corp.)
HKLM\...\Run: [ETDCtrl] %ProgramFiles%\Elantech\ETDCtrl.exe [1861416 2011-07-28] (ELAN Microelectronics Corp.)
HKLM\...\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [2274600 2011-06-09] (Synaptics Incorporated)
HKLM\...\Run: [RTHDVCPL] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe -s [11430504 2011-10-17] (Realtek Semiconductor)
HKLM\...\Run: [SAOB Monitor] C:\Program Files\Acronis\OnlineBackupStandalone\TrueImageMonitor.exe [2536752 2010-09-02] (Acronis)
HKLM\...\Run: [TrueImageMonitor.exe] "C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe" [5508416 2010-09-22] (Acronis)
HKLM\...\Run: [Acronis Scheduler2Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe" [391008 2010-09-22] (Acronis)
HKLM\...\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice [3117344 2012-03-07] (ESET)
HKLM\...\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [32768 2004-06-28] (Cyberlink Corp.)
HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [958576 2013-04-04] (Adobe Systems Incorporated)
HKLM\...\Run: [NBAgent] "C:\Program Files\Nero\Nero 11\Nero BackItUp\NBAgent.exe" /WinStart [1493288 2011-09-20] (Nero AG)
HKLM\...\Winlogon: [Userinit] C:\Windows\system32\userinit.exe, [26624 2010-11-20] (Microsoft Corporation)
HKLM\...\Winlogon: [Shell] Explorer.exe [2616320 2011-05-22] (Microsoft Corporation)
HKU\Default\...\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun [ 2010-11-20] (Microsoft Corporation)
HKU\Default\...\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe [ 2009-07-14] (Microsoft Corporation)
HKU\Default User\...\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun [ 2010-11-20] (Microsoft Corporation)
HKU\Default User\...\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe [ 2009-07-14] (Microsoft Corporation)
HKU\Gebruiker\...\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\DTLite.exe" -autorun [ 2012-04-17] (DT Soft Ltd)
HKU\Gebruiker\...\Winlogon: [Shell] Explorer.exe
HKU\timcaslisa\...\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun [ 2010-11-20] (Microsoft Corporation)
HKU\timcaslisa\...\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe [ 2009-07-14] (Microsoft Corporation)
HKU\UpdatusUser\...\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun [ 2010-11-20] (Microsoft Corporation)
HKU\UpdatusUser\...\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe [ 2009-07-14] (Microsoft Corporation)
Lsa: [Authentication Packages] msv1_0
Lsa: [Notification Packages] scecli
Startup: C:\Users\Gebruiker\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk -> (No File)
SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No File
BootExecute: autocheck autochk *

========================== Services (Whitelisted) =================

S2 AcrSch2Svc; C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe [780224 2010-09-22] (Acronis)
S2 afcdpsrv; C:\Program Files\Common Files\Acronis\CDP\afcdpsrv.exe [3975088 2012-07-21] (Acronis)
S2 ekrn; C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe [913144 2012-03-07] (ESET)
S3 HitmanPro37Crusader; C:\Program Files\HitmanPro\HitmanPro.exe [9171472 2013-06-04] (SurfRight B.V.)
S2 HitmanProScheduler; C:\Program Files\HitmanPro\hmpsched.exe [106280 2013-06-04] (SurfRight B.V.)
S2 NAUpdate; C:\Program Files\Nero\Update\NASvc.exe [641832 2011-09-23] (Nero AG)

==================== Drivers (Whitelisted) ====================

S3 2310_00; C:\Windows\system32\drivers\2310_00.sys [135200 2009-06-12] (HighPoint Technologies, Inc.)
S3 272x_1x; C:\Windows\system32\drivers\272x_1x.sys [554080 2011-09-05] (HighPoint Technologies, Inc.)
S3 274x_3x; C:\Windows\system32\drivers\274x_3x.sys [190048 2011-05-27] (HighPoint Technologies, Inc.)
S3 ahcix86; C:\Windows\system32\drivers\ahcix86.sys [214096 2010-09-23] (Advanced Micro Devices, Inc)
S3 ahcix86s; C:\Windows\system32\drivers\ahcix86s.sys [184120 2009-07-14] (Advanced Micro Devices, Inc)
S3 amdhub30; C:\Windows\system32\drivers\amdhub30.sys [70272 2011-03-17] (Advanced Micro Devices, INC.)
S3 amdxhc; C:\Windows\system32\drivers\amdxhc.sys [149632 2011-03-17] (Advanced Micro Devices, INC.)
S3 amd_sata; C:\Windows\system32\drivers\amd_sata.sys [65664 2011-03-04] (Advanced Micro Devices)
S0 amd_xata; C:\Windows\System32\drivers\amd_xata.sys [32896 2011-03-04] (Advanced Micro Devices)
S3 arcm_x86; C:\Windows\system32\drivers\arcm_x86.sys [43552 2009-11-09] (ARECA Technology Corporation)
S3 asahci32; C:\Windows\system32\drivers\asahci32.sys [32864 2011-05-04] (Asmedia Technology)
S3 asmthub3; C:\Windows\system32\drivers\asmthub3.sys [102376 2011-09-28] (ASMedia Technology Inc)
S3 asmtxhci; C:\Windows\system32\drivers\asmtxhci.sys [311784 2011-09-28] (ASMedia Technology Inc)
S3 b06diag; C:\Windows\system32\drivers\bxdiagx.sys [76840 2010-12-16] (Broadcom Corporation)
S3 BFN7x86; C:\Windows\system32\drivers\Xeno7x86.sys [129640 2011-01-14] (Bigfoot Networks, Inc.)
S3 BFNVis32; C:\Windows\system32\drivers\XenoVx86.sys [129640 2011-01-14] (Bigfoot Networks, Inc.)
S3 BXOIS; C:\Windows\system32\drivers\bxois.sys [431144 2010-12-10] (Broadcom Corporation)
S3 cbaf; C:\Windows\System32\Drivers\cbaf.sys [11008 2007-11-03] (Intel Corp.)
S3 CMISTOR; C:\Windows\system32\drivers\cmiucr.SYS [93056 2007-01-12] (C-Media Corporation)
S3 DC133; C:\Windows\system32\drivers\DC133.sys [36328 2011-05-02] (Dawicontrol GmbH)
S3 DC150; C:\Windows\system32\drivers\DC150.sys [36824 2011-05-02] (Dawicontrol GmbH)
S3 DC154; C:\Windows\system32\drivers\DC154.sys [44376 2011-05-02] (Dawicontrol GmbH)
S3 DC300e; C:\Windows\system32\drivers\DC300e.sys [37272 2011-05-02] (Dawicontrol GmbH)
S0 DC324e; C:\Windows\System32\drivers\DC324e.sys [45816 2011-05-02] (Dawicontrol GmbH)
S0 DC3410; C:\Windows\System32\drivers\DC3410.sys [44360 2011-05-02] (Dawicontrol GmbH)
S3 DC4300; C:\Windows\system32\drivers\DC4300.sys [44392 2011-05-02] (Dawicontrol GmbH)
S3 DC600e; C:\Windows\system32\drivers\DC600e.sys [37752 2011-05-02] (Dawicontrol GmbH)
S3 dfuuwb; C:\Windows\System32\Drivers\DfuUWB.sys [500736 2008-09-11] (Intel Corp.)
S1 dtsoftbus01; C:\Windows\System32\DRIVERS\dtsoftbus01.sys [242240 2012-07-20] (DT Soft Ltd)
S1 eamonm; C:\Windows\System32\DRIVERS\eamonm.sys [169080 2012-03-14] (ESET)
S1 ehdrv; C:\Windows\System32\DRIVERS\ehdrv.sys [120152 2012-03-14] (ESET)
S3 enecirhid; C:\Windows\system32\drivers\enecirhid.sys [17232 2009-12-25] (ENE TECHNOLOGY INC.)
S3 enecirhidma; C:\Windows\system32\drivers\enecirhidma.sys [11088 2009-12-25] (ENE TECHNOLOGY INC.)
S2 epfwwfpr; C:\Windows\System32\DRIVERS\epfwwfpr.sys [103112 2012-03-14] (ESET)
S3 ETD; C:\Windows\system32\drivers\ETD.sys [157480 2011-07-28] (ELAN Microelectronics Corp.)
S3 EtronHub3; C:\Windows\System32\Drivers\EtronHub3.sys [45056 2011-08-17] (Etron Technology Inc)
S3 EtronXHCI; C:\Windows\System32\Drivers\EtronXHCI.sys [64896 2011-08-17] (Etron Technology Inc)
S3 FilterService; C:\Windows\system32\drivers\lvuvcflt.sys [23832 2009-10-07] (Logitech Inc.)
S3 FLxHCIc; C:\Windows\system32\drivers\FLxHCIc.sys [152064 2011-07-06] (Fresco Logic)
S3 FLxHCIh; C:\Windows\system32\drivers\FLxHCIh.sys [47104 2011-07-06] (Fresco Logic)
S3 FTDIBUS; C:\Windows\system32\drivers\ftdibus.sys [61704 2011-03-18] (FTDI Ltd.)
S3 FUJ02B1; C:\Windows\system32\drivers\FUJ02B1.sys [5888 2006-11-01] (FUJITSU LIMITED)
S3 FUJ02E1; C:\Windows\System32\Drivers\FUJ02E1.sys [5632 2004-10-17] (Fujitsu Limited)
S3 hcw99rc; C:\Windows\System32\Drivers\hcw99rc.sys [10368 2007-03-23] (Hauppauge Computer Works, Inc.)
S3 hitmanpro37; C:\Windows\system32\drivers\hitmanpro37.sys [30464 2013-06-13] ()
S3 hptiop; C:\Windows\system32\drivers\hptiop.sys [15008 2009-04-28] (HighPoint Technologies, Inc.)
S3 hptmv; C:\Windows\system32\drivers\hptmv.sys [71968 2006-09-27] (HighPoint Technologies, Inc.)
S3 hptmv6; C:\Windows\system32\drivers\hptmv6.sys [120352 2007-11-01] (HighPoint Technologies, Inc.)
S3 HWA; C:\Windows\System32\Drivers\HWA.sys [53376 2008-09-29] (Intel Corp.)
S3 IFCoEMP; C:\Windows\system32\drivers\ifM60x32.sys [269584 2011-06-15] (Intel(R) Corporation)
S3 IFCoEVB; C:\Windows\system32\drivers\ifP60X32.sys [61712 2011-06-15] (Intel(R) Corporation)
S3 ioatdma1; C:\Windows\System32\Drivers\qd16032.sys [36552 2009-11-16] (Intel Corporation)
S3 ioatdma2; C:\Windows\System32\Drivers\qd26032.sys [37576 2009-11-16] (Intel Corporation)
S3 iSSetup; C:\Windows\system32\drivers\iSSetup.sys [75672 2007-06-19] (Intel Corporation)
S3 itecir; C:\Windows\system32\drivers\itecir.sys [65640 2010-07-13] (ITE Tech. Inc. )
S3 iteraid; C:\Windows\system32\drivers\iteraid.sys [29184 2007-05-02] (ITE Tech. Inc.)
S3 johci; C:\Windows\system32\drivers\johci.sys [23640 2011-02-09] (JMicron Technology Corp.)
S3 JRAID; C:\Windows\system32\drivers\jraid.sys [103512 2011-05-19] (JMicron Technology Corp.)
S3 m5288; C:\Windows\system32\drivers\m5288.sys [211072 2006-07-19] (ULi Electronics Inc.)
S3 m5289; C:\Windows\system32\drivers\m5289.sys [52480 2005-07-04] (ULi Electronics Inc.)
S3 MegaSR1; C:\Windows\system32\drivers\MegaSR1.sys [407120 2010-06-15] (LSI Corporation, Inc.)
S3 MEI; C:\Windows\system32\drivers\HECI.sys [41216 2011-09-22] (Intel Corporation)
S3 MODRC; C:\Windows\system32\drivers\modrc.sys [13056 2006-11-14] (DiBcom S.A.)
S3 MTsensor; C:\Windows\system32\drivers\ASACPI.sys [7680 2009-06-03] ()
S3 mv61xx; C:\Windows\system32\drivers\mv61xx.sys [159024 2010-10-26] (Marvell Semiconductor, Inc.)
S3 mv91cons; C:\Windows\system32\drivers\mv91cons.sys [21808 2011-06-16] (Marvell Semiconductor Inc.)
S3 mv91xx; C:\Windows\system32\drivers\mv91xx.sys [273712 2011-06-16] (Marvell Semiconductor, Inc.)
S3 MxEF; C:\Windows\system32\drivers\MxEF32.sys [81920 2011-08-15] (Matrox Graphics Inc.)
S3 MxEFLF; C:\Windows\system32\drivers\MxEFLF32.sys [80384 2011-08-15] (Matrox Graphics Inc.)
S3 MxEFUF; C:\Windows\system32\drivers\MxEFUF32.sys [108544 2011-08-15] (Matrox Graphics Inc.)
S3 MxEMgr; C:\Windows\system32\drivers\MxEMgr32.sys [92192 2011-08-16] (Matrox Graphics Inc.)
S3 NETwNs32; C:\Windows\System32\DRIVERS\NETwNs32.sys [7087616 2011-01-19] (Intel Corporation)
S3 nusb3hub; C:\Windows\system32\drivers\nusb3hub.sys [73344 2011-09-13] (Renesas Electronics Corporation)
S3 nusb3xhc; C:\Windows\system32\drivers\nusb3xhc.sys [164736 2011-09-13] (Renesas Electronics Corporation)
S3 nvamacpi; C:\Windows\system32\drivers\NVAMACPI.sys [24608 2009-07-17] (NVIDIA Corporation)
S3 pfc; C:\Windows\System32\drivers\pfc.sys [10368 2003-12-05] (Padus, Inc.)
S3 risdpcie; C:\Windows\system32\drivers\risdpe86.sys [47616 2009-10-28] (REDC)
S3 risdxc; C:\Windows\system32\drivers\risdxc86.sys [72704 2010-12-28] (REDC)
S3 rixdpcie; C:\Windows\system32\drivers\rixdpe86.sys [38912 2009-12-11] (REDC)
S3 rr172x; C:\Windows\system32\drivers\rr172x.sys [101920 2007-11-01] (HighPoint Technologies, Inc.)
S3 rr174x; C:\Windows\system32\drivers\rr174x.sys [126496 2007-11-01] (HighPoint Technologies, Inc.)
S3 rr2210; C:\Windows\system32\drivers\rr2210.sys [122400 2007-11-01] (HighPoint Technologies, Inc.)
S3 rr232x; C:\Windows\system32\drivers\rr232x.sys [120352 2008-05-05] (HighPoint Technologies, Inc.)
S3 rr2340; C:\Windows\system32\drivers\rr2340.sys [128608 2009-12-31] (HighPoint Technologies, Inc.)
S3 rr2522; C:\Windows\system32\drivers\rr2522.sys [132704 2009-12-31] (HighPoint Technologies, Inc.)
S3 rr276x; C:\Windows\system32\drivers\rr276x.sys [184928 2010-10-12] (HighPoint Technologies, Inc.)
S3 rr278x; C:\Windows\system32\drivers\rr278x.sys [186456 2011-05-16] (HighPoint Technologies, Inc.)
S3 rr62x; C:\Windows\system32\drivers\rr62x.sys [123488 2010-06-16] (HighPoint Technologies, Inc.)
S3 rusb3hub; C:\Windows\system32\drivers\rusb3hub.sys [77568 2011-09-15] (Renesas Electronics Corporation)
S3 rusb3xhc; C:\Windows\system32\drivers\rusb3xhc.sys [167680 2011-09-15] (Renesas Electronics Corporation)
S3 SI3112; C:\Windows\system32\drivers\SI3112.sys [69168 2007-01-26] (Silicon Image, Inc.)
S3 SI3112r; C:\Windows\system32\drivers\SI3112r.sys [110128 2007-02-01] (Silicon Image, Inc)
S3 SI3114; C:\Windows\system32\drivers\SI3114.sys [68912 2006-11-10] (Silicon Image, Inc.)
S3 SI3114r; C:\Windows\system32\drivers\SI3114R.sys [110384 2007-04-11] (Silicon Image, Inc)
S3 Si3114r5; C:\Windows\system32\drivers\Si3114r5.sys [209200 2007-02-07] (Silicon Image, Inc)
S3 SI3124; C:\Windows\system32\drivers\SI3124.sys [76208 2006-11-02] (Silicon Image, Inc.)
S3 Si3124r5; C:\Windows\system32\drivers\Si3124r5.sys [207152 2006-09-20] (Silicon Image, Inc)
S3 SI3132; C:\Windows\system32\drivers\SI3132.sys [80424 2007-10-03] (Silicon Image, Inc)
S3 Si3132r5; C:\Windows\system32\drivers\Si3132r5.sys [217128 2008-10-30] (Silicon Image, Inc)
S3 Si3531; C:\Windows\system32\drivers\Si3531.sys [212520 2009-02-05] (Silicon Image, Inc)
S0 SiFilter; C:\Windows\System32\drivers\SiWinAcc.sys [19240 2007-10-03] (Silicon Image, Inc)
S0 SiRemFil; C:\Windows\System32\drivers\SiRemFil.sys [15400 2007-10-03] (Silicon Image, Inc)
S3 TTP7; C:\Windows\system32\drivers\ttp7up.sys [12928 2005-11-09] (TerraTec)
S3 uagp35; C:\Windows\system32\drivers\sisagpx.sys [58400 2009-08-01] (Silicon Integrated Systems Corporation)
S3 uwbusb; C:\Windows\System32\Drivers\usbuwbmini.sys [9600 2008-09-15] (Intel Corp.)
S3 vcrdrx32; C:\Windows\system32\drivers\vcrdrx32.sys [99952 2010-08-13] (VIA Technologies, Inc.)
S3 viamraid; C:\Windows\system32\drivers\viamraid.sys [141424 2010-12-02] (VIA Technologies Inc.,Ltd)
S3 videX32; C:\Windows\system32\drivers\videX32.sys [13976 2010-02-11] (VIA Technologies, Inc.)
S3 winbondcir; C:\Windows\System32\DRIVERS\winbondcir.sys [43008 2007-03-28] (Winbond Electronics Corporation)
S3 WinTVCIUSB; C:\Windows\system32\drivers\hcw11.sys [91136 2008-02-28] (Hauppauge Computer Works, Inc.)
S3 WmBEnum; C:\Windows\system32\drivers\WmBEnum.sys [19336 2008-01-24] (Logitech Inc.)
S3 WmFilter; C:\Windows\system32\drivers\WmFilter.sys [28168 2008-01-24] (Logitech Inc.)
S3 WmHidLo; C:\Windows\system32\drivers\WmHidLo.sys [29192 2008-01-24] (Logitech Inc.)
S3 WmVirHid; C:\Windows\system32\drivers\WmVirHid.sys [14728 2008-01-24] (Logitech Inc.)
S3 WmXlCore; C:\Windows\system32\drivers\WmXlCore.sys [48904 2008-01-24] (Logitech Inc.)
S0 xfilt; C:\Windows\System32\drivers\xfilt.sys [23192 2010-02-11] (VIA Technologies, Inc.)
S3 VGPU; System32\drivers\rdvgkmd.sys [x]

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2013-06-13 09:22 - 2013-06-13 09:22 - 00000000 ____D C:\FRST
2013-06-13 08:31 - 2013-06-13 08:31 - 00003416 ____N C:\bootsqm.dat
2013-06-13 08:30 - 2013-06-13 08:30 - 00000000 __SHD C:\found.000
2013-06-13 00:46 - 2013-06-13 00:46 - 85212644 ____A C:\reback.reg
2013-06-12 23:26 - 2013-06-12 23:26 - 00000000 ____D C:\Windows\pss
2013-06-12 08:02 - 2013-06-13 09:14 - 00030464 ____A C:\Windows\System32\Drivers\hitmanpro37.sys
2013-06-12 01:44 - 2013-06-12 01:44 - 00000000 ____D C:\Users\timcaslisa.GEBRUIK-0JVN1EO\AppData\Local\MFAData
2013-06-12 01:44 - 2013-06-12 01:44 - 00000000 ____D C:\Users\timcaslisa.GEBRUIK-0JVN1EO\AppData\Local\Avg2013
2013-06-12 01:44 - 2013-06-12 01:44 - 00000000 ____D C:\ProgramData\MFAData
2013-06-12 01:34 - 2013-06-12 01:34 - 00000000 ____D C:\Users\timcaslisa.GEBRUIK-0JVN1EO\AppData\Roaming\Google
2013-06-12 01:34 - 2013-06-12 01:34 - 00000000 ____D C:\Users\timcaslisa.GEBRUIK-0JVN1EO\AppData\Roaming\Adobe
2013-06-12 01:34 - 2013-06-12 01:34 - 00000000 ____D C:\Users\timcaslisa.GEBRUIK-0JVN1EO\AppData\Local\Google
2013-06-12 01:34 - 2013-06-12 01:34 - 00000000 ____D C:\Users\timcaslisa.GEBRUIK-0JVN1EO\AppData\Local\ESET
2013-06-12 00:34 - 2013-06-12 00:34 - 00000020 ___SH C:\Users\timcaslisa.GEBRUIK-0JVN1EO\ntuser.ini
2013-06-12 00:34 - 2013-06-12 00:34 - 00000000 __SHD C:\Users\timcaslisa.GEBRUIK-0JVN1EO\Netwerkprinteromgeving
2013-06-12 00:34 - 2013-06-12 00:34 - 00000000 __SHD C:\Users\timcaslisa.GEBRUIK-0JVN1EO\Menu Start
2013-06-12 00:34 - 2013-06-12 00:34 - 00000000 __SHD C:\Users\timcaslisa.GEBRUIK-0JVN1EO\Documents\Mijn video's
2013-06-12 00:34 - 2013-06-12 00:34 - 00000000 __SHD C:\Users\timcaslisa.GEBRUIK-0JVN1EO\Documents\Mijn muziek
2013-06-12 00:34 - 2013-06-12 00:34 - 00000000 __SHD C:\Users\timcaslisa.GEBRUIK-0JVN1EO\AppData\Local\Geschiedenis
2013-06-12 00:34 - 2013-06-12 00:34 - 00000000 ____D C:\users\timcaslisa.GEBRUIK-0JVN1EO

==================== One Month Modified Files and Folders ========

2013-06-13 09:24 - 2010-11-21 01:06 - 00000000 ____D C:\Windows\CSC
2013-06-13 09:22 - 2013-06-13 09:22 - 00000000 ____D C:\FRST
2013-06-13 09:18 - 2012-07-20 17:21 - 00018000 ____A C:\Windows\WindowsUpdate.log
2013-06-13 09:14 - 2013-06-12 08:02 - 00030464 ____A C:\Windows\System32\Drivers\hitmanpro37.sys
2013-06-13 09:14 - 2012-07-29 20:57 - 00001046 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-06-13 09:14 - 2012-07-21 09:50 - 00086750 ____A C:\Windows\setupact.log
2013-06-13 09:14 - 2009-07-14 05:53 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-06-13 08:31 - 2013-06-13 08:31 - 00003416 ____N C:\bootsqm.dat
2013-06-13 08:30 - 2013-06-13 08:30 - 00000000 __SHD C:\found.000
2013-06-13 00:46 - 2013-06-13 00:46 - 85212644 ____A C:\reback.reg
2013-06-12 23:59 - 2012-10-04 08:58 - 00000940 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-06-12 23:26 - 2013-06-12 23:26 - 00000000 ____D C:\Windows\pss
2013-06-12 22:13 - 2012-07-29 20:57 - 00001050 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-06-12 03:41 - 2009-07-14 00:40 - 00249856 ____A (Microsoft Corporation) C:\Windows\System32\uxtheme.dll
2013-06-12 03:40 - 2009-07-14 00:39 - 00037376 ____A (Microsoft Corporation) C:\Windows\System32\themeservice.dll
2013-06-12 03:34 - 2009-07-14 03:37 - 00000000 ____D C:\Windows\System32\LogFiles
2013-06-12 01:44 - 2013-06-12 01:44 - 00000000 ____D C:\Users\timcaslisa.GEBRUIK-0JVN1EO\AppData\Local\MFAData
2013-06-12 01:44 - 2013-06-12 01:44 - 00000000 ____D C:\Users\timcaslisa.GEBRUIK-0JVN1EO\AppData\Local\Avg2013
2013-06-12 01:44 - 2013-06-12 01:44 - 00000000 ____D C:\ProgramData\MFAData
2013-06-12 01:38 - 2009-07-14 05:34 - 00019680 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-06-12 01:38 - 2009-07-14 05:34 - 00019680 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-06-12 01:35 - 2010-11-21 00:57 - 00701564 ____A C:\Windows\System32\perfh013.dat
2013-06-12 01:35 - 2010-11-21 00:57 - 00133564 ____A C:\Windows\System32\perfc013.dat
2013-06-12 01:35 - 2010-11-20 22:01 - 01549262 ____A C:\Windows\System32\PerfStringBackup.INI
2013-06-12 01:34 - 2013-06-12 01:34 - 00000000 ____D C:\Users\timcaslisa.GEBRUIK-0JVN1EO\AppData\Roaming\Google
2013-06-12 01:34 - 2013-06-12 01:34 - 00000000 ____D C:\Users\timcaslisa.GEBRUIK-0JVN1EO\AppData\Roaming\Adobe
2013-06-12 01:34 - 2013-06-12 01:34 - 00000000 ____D C:\Users\timcaslisa.GEBRUIK-0JVN1EO\AppData\Local\Google
2013-06-12 01:34 - 2013-06-12 01:34 - 00000000 ____D C:\Users\timcaslisa.GEBRUIK-0JVN1EO\AppData\Local\ESET
2013-06-12 00:34 - 2013-06-12 00:34 - 00000020 ___SH C:\Users\timcaslisa.GEBRUIK-0JVN1EO\ntuser.ini
2013-06-12 00:34 - 2013-06-12 00:34 - 00000000 __SHD C:\Users\timcaslisa.GEBRUIK-0JVN1EO\Netwerkprinteromgeving
2013-06-12 00:34 - 2013-06-12 00:34 - 00000000 __SHD C:\Users\timcaslisa.GEBRUIK-0JVN1EO\Menu Start
2013-06-12 00:34 - 2013-06-12 00:34 - 00000000 __SHD C:\Users\timcaslisa.GEBRUIK-0JVN1EO\Documents\Mijn video's
2013-06-12 00:34 - 2013-06-12 00:34 - 00000000 __SHD C:\Users\timcaslisa.GEBRUIK-0JVN1EO\Documents\Mijn muziek
2013-06-12 00:34 - 2013-06-12 00:34 - 00000000 __SHD C:\Users\timcaslisa.GEBRUIK-0JVN1EO\AppData\Local\Geschiedenis
2013-06-12 00:34 - 2013-06-12 00:34 - 00000000 ____D C:\users\timcaslisa.GEBRUIK-0JVN1EO
2013-06-11 11:18 - 2012-07-25 21:56 - 00000000 ___RD C:\Users\Gebruiker\Dropbox
2013-06-11 11:18 - 2012-07-25 21:53 - 00000000 ____D C:\Users\Gebruiker\AppData\Roaming\Dropbox
2013-06-10 13:45 - 2012-08-02 21:21 - 00005632 ____A C:\Users\Gebruiker\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2013-06-08 00:51 - 2009-07-14 05:53 - 00032626 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2013-06-07 05:51 - 2012-07-30 08:05 - 00006002 ____A C:\Windows\PFRO.log
2013-06-06 19:22 - 2012-07-29 20:57 - 00002129 ____A C:\Users\Public\Desktop\Google Chrome.lnk
2013-05-30 08:23 - 2012-07-25 21:56 - 00001036 ____A C:\Users\Gebruiker\Desktop\Dropbox.lnk
2013-05-21 06:11 - 2012-09-02 10:47 - 00000000 ____D C:\Users\Gebruiker\AppData\Local\Nero
2013-05-15 18:51 - 2012-07-20 20:48 - 00692104 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
2013-05-15 18:51 - 2012-07-20 20:48 - 00071048 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl

==================== Known DLLs (Whitelisted) ============


==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe
[2011-11-19 17:25] - [2011-11-19 17:25] - 0287232 ____A (Microsoft Corporation) 7295110E1BF93885D29480D29D967E0F

C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe
[2011-11-19 16:57] - [2011-11-19 16:57] - 0021504 ____A (Microsoft Corporation) ECDB182F885292145826C58252B53000

C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys
[2011-11-19 17:06] - [2011-11-19 17:06] - 0246144 ____A (Microsoft Corporation) C2232C62CD2E44E40CDADD00BBCFE366


==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================


==================== Memory info ===========================

Percentage of memory in use: 11%
Total physical RAM: 4060.87 MB
Available physical RAM: 3585.95 MB
Total Pagefile: 4059.15 MB
Available Pagefile: 3608.6 MB
Total Virtual: 2047.88 MB
Available Virtual: 1953.57 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:226.38 GB) (Free:98.61 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
Drive d: (Datadisk) (Fixed) (Total:465.76 GB) (Free:26.76 GB) NTFS
Drive e: (Backup disk) (Fixed) (Total:13 GB) (Free:12.68 GB) NTFS
Drive f: (Datadisk2) (Fixed) (Total:226.38 GB) (Free:226.28 GB) NTFS
Drive h: (USB) (Removable) (Total:7.44 GB) (Free:7.43 GB) FAT32
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 466 GB) (Disk ID: 50A5B170)
Partition 1: (Not Active) - (Size=13 GB) - (Type=07 NTFS)
Partition 2: (Active) - (Size=226 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=226 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (Size: 466 GB) (Disk ID: 9AFDD31B)
Partition 1: (Not Active) - (Size=466 GB) - (Type=07 NTFS)

========================================================
Disk: 2 (Size: 7 GB) (Disk ID: C126C0BC)
Partition 1: (Active) - (Size=7 GB) - (Type=0B)


LastRegBack: 2013-06-04 09:08

==================== End Of Log ============================


Let's try something...

Fix with FRST

  • Open notepad (Start =>All Programs => Accessories => Notepad).
  • Please copy the entire contents of the code box below.
    (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt

    C:\users\timcaslisa.GEBRUIK-0JVN1EO


    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system
    Now please enter System Recovery Options again.

  • Run frst.exe (on 64bit, run frst64.exe) and press the Fix button just once and wait.
  • The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.


Done. Here is the logfile:


Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 12-06-2013 04
Ran by SYSTEM at 2013-06-13 11:15:58 Run:2
Running from H:\
Boot Mode: Recovery

==============================================

C:\users\timcaslisa.GEBRUIK-0JVN1EO => Moved successfully.

==== End of Fixlog ====

Should I reboot in normal mode now?


hmmm...we have to get a tool working:

Download Combofix and save it to your flash disk.

Start your computer in safe mode with command prompt.

Plug the flashdrive into the infected PC.


  • In the command window:
  • type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\combofix.exe and press Enter
  • Note: Replace letter e with the drive letter of your flash drive.


Too bad, I can't follow your instructions. When I click 'Open' in Notepad, Windows signs off and restarts. I tried another time; it looks like explorer.exe is infected. Once that's started, the virus shows up.

I tried it with bypassing the notepad-part for discovering the drive letter and tried just to type the H:/combofix.exe command, but then its response: 'The device is not ready' (yes, I waited a few seconds after plugging the flash drive in)


Enter System Recovery Options

To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:

  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:

  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

Select System Restore.

Look for a restore point from a time where the virus wasn't there and follow the instructions to restore to that point.

After the reboot, log into Windows and report.


Download http://unetbootin.so...dows-latest.exe & http://noahdfear.net.../xpud-0.9.2.iso to the desktop of your clean computer

  • Insert your USB drive
  • Press Start > My Computer > right click your USB drive > choose Format > Quick format
  • Double click the unetbootin-xpud-windows-387.exe that you just downloaded
  • Press Run then OK
  • Select the DiskImage option then click the browse button located on the right side of the textbox field.
  • Browse to and select the xpud-0.9.2.iso file you downloaded
  • Verify the correct drive letter is selected for your USB device then click OK
  • It will install a little bootable OS on your USB device
  • Once the files have been written to the device you will be prompted to reboot ~ do not reboot and instead just Exit the UNetbootin interface
  • After it has completed do not choose to reboot the clean computer simply close the installer
  • Next download http://noahdfear.net...loads/driver.sh to your USB
  • Remove the USB and insert it in the sick computer
  • Boot the Sick computer
  • Press F12 and choose to boot from the USB
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • sda1,2...usually corresponds to your HDD
  • sdb1 is likely your USB
  • Click on the folder that represents your USB drive (sdb1 ?)
  • Confirm that you see driver.sh that you downloaded there
  • Press Tool at the top
  • Choose Open Terminal
  • Type bash driver.sh
  • Press Enter
  • After it has finished a report will be located on your USB drive named report.txt
  • Remove the USB drive and insert back in your working computer and navigate to report.txt
    Please note - all text entries are case sensitive

Copy and paste the report.txt for my review


While I ran driver.sh (did it twice) it stopped after the '/mnt/sda2/Windows/System32/drivers/EtronXHCI.sys processed' console output.

When I browse to the driver folder in the file manager I can see that evbdx.sys should be the next driver (alphabetical order). Is it possible that this takes 10+ minutes for this single driver?


OK, we have to take out the registry entry that loads the trojan.

Fix with FRST

  • Open notepad (Start =>All Programs => Accessories => Notepad).
  • Please copy the entire contents of the code box below.
    (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt
    LastRegBack: 2013-06-04 09:08


    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system
    Now please enter System Recovery Options again.

  • Run frst.exe (on 64bit, run frst64.exe) and press the Fix button just once and wait.
  • The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

Reboot and try to log in again.


Applied the fixlist.txt, this was the fixlog:


Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 12-06-2013 04
Ran by SYSTEM at 2013-06-13 14:51:55 Run:3
Running from H:\
Boot Mode: Recovery

==============================================

DEFAULT hive was successfully copied to System32\config\HiveBackup
DEFAULT hive was successfully restored from registry back up.
SAM hive was successfully copied to System32\config\HiveBackup
SAM hive was successfully restored from registry back up.
SECURITY hive was successfully copied to System32\config\HiveBackup
SECURITY hive was successfully restored from registry back up.
SOFTWARE hive was successfully copied to System32\config\HiveBackup
SOFTWARE hive was successfully restored from registry back up.
SYSTEM hive was successfully copied to System32\config\HiveBackup
SYSTEM hive was successfully restored from registry back up.

==== End of Fixlog ====

Unfortunately, without the desired result... The virus still appears.


Monday (June 10th)

Is there any way to check if explorer.exe is infected? Earlier this morning I tried to rename explorer.exe to something else and temporarily changed the Winlogon\Shell key to iexplore.exe instead of explorer.exe. When I booted in normal mode, the virus didn't appear (and clearly enough I didn't see any icons). As soon as I did File -> Open in Notepad, for example, it showed up again.

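The FRST log's "Bamital & volsnap Check" section (earlier in the thread) and the question above about verifying explorer.exe both come down to the same defender's check: compare the hashes of the core logon binaries with a known-good baseline from a clean machine of the same build. The script below is an added example, not FRST's or OTL's own code; it parses the check section in FRST's output format, and the baseline and the sample log are constructed for illustration (the "expected" values are placeholders, not a real clean-build reference).

```python
"""Triage FRST's "Bamital & volsnap Check" section against a baseline.

FRST prints "<path> => MD5 is legit" for a binary it already whitelists;
for any other binary it prints the path on one line and a detail line
(dates, size, attributes, company, MD5) on the next. Those are the files
a helper has to verify by hand, which is what this script supports.
"""
import hashlib
import re

# Constructed sample, copied in the format of the log posted above.
SAMPLE_LOG = """\
==================== Bamital & volsnap Check =================

C:\\Windows\\explorer.exe => MD5 is legit
C:\\Windows\\System32\\winlogon.exe
[2011-11-19 17:25] - [2011-11-19 17:25] - 0287232 ____A (Microsoft Corporation) 7295110E1BF93885D29480D29D967E0F

C:\\Windows\\System32\\wininit.exe => MD5 is legit
C:\\Windows\\System32\\Drivers\\volsnap.sys
[2011-11-19 17:06] - [2011-11-19 17:06] - 0246144 ____A (Microsoft Corporation) C2232C62CD2E44E40CDADD00BBCFE366

==================== EXE ASSOCIATION =====================
"""

# Constructed baseline (hypothetical values): path -> MD5 from a clean build.
# winlogon.exe is set to match the sample; volsnap.sys deliberately does not.
EXAMPLE_BASELINE = {
    r"c:\windows\system32\winlogon.exe": "7295110e1bf93885d29480d29d967e0f",
    r"c:\windows\system32\drivers\volsnap.sys": "0" * 32,  # placeholder
}

_DETAIL = re.compile(r"^\[.*\] - \[.*\] - (\d+) [_A-Z]{5} \((.*)\) ([0-9A-Fa-f]{32})$")


def parse_bamital_section(log_text):
    """Return {path: None} for whitelisted entries and
    {path: (size, company, md5)} for the ones FRST could not whitelist."""
    results = {}
    lines = iter(log_text.splitlines())
    in_section = False
    for line in lines:
        if line.startswith("===="):
            if "Bamital" in line:
                in_section = True
                continue
            if in_section:
                break  # the next section header ends the check block
        if not in_section or not line.strip():
            continue
        if line.endswith("=> MD5 is legit"):
            results[line[: -len(" => MD5 is legit")]] = None
        else:
            m = _DETAIL.match(next(lines, ""))  # detail line follows the path
            if m:
                results[line] = (int(m.group(1)), m.group(2), m.group(3).lower())
    return results


def triage(results, baseline):
    """Split the unwhitelisted entries into (matches, mismatches, unknown)."""
    ok, suspect, unknown = [], [], []
    for path, info in results.items():
        if info is None:
            continue
        expected = baseline.get(path.lower())
        if expected is None:
            unknown.append(path)
        elif expected == info[2]:
            ok.append(path)
        else:
            suspect.append(path)  # hash differs from the clean build: inspect
    return ok, suspect, unknown


def md5_of_file(path):
    """MD5 of a file on a mounted offline system drive (e.g. from a live USB),
    so a suspect binary can be re-hashed without booting the infected OS."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


if __name__ == "__main__":
    print(triage(parse_bamital_section(SAMPLE_LOG), EXAMPLE_BASELINE))
```

A hash mismatch alone does not prove infection (a Windows update changes these files too), so a mismatching binary is re-hashed from the offline drive and compared against a machine at the same patch level before it is replaced.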

I have another option:

Run the following tool from safe mode with command prompt.

Download and run OTL

  1. Download OTL by OldTimer and save it to your desktop.
  2. Double click on the OTL.exe icon on your desktop. If you are using Vista, please right-click and select run as administrator
  3. Click the "Scan All Users" checkbox.
    Note: If you are using a Windows 64bit machine, please make sure the checkbox next to Include 64Bit Scans is checked. It will be checked by default.
  4. Copy the following code into the textbox:

    activex
    netsvcs
    msconfig
    %SYSTEMDRIVE%\*.
    %PROGRAMFILES%\*.exe
    %LOCALAPPDATA%\*.exe
    %systemroot%\*. /mp /s
    /md5start
    explorer.exe
    regedit.exe
    winlogon.exe
    wininit.exe
    userinit.exe
    /md5stop
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems|Windows /rs
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
    CREATERESTOREPOINT


  5. Push the Run Scan button.
  6. It will now begin to scan, please be patient while it scans.
  7. Two reports will open once it's done.
  8. Please copy and paste them in your next reply:
    • OTL.txt <-- Will be opened
    • Extras.txt <-- Will be minimized

