Help please


3 replies to this topic

#1 Richie_S


Posted 07 January 2012 - 02:08 PM

Was running F-Secure, Spybot and Malwarebytes. F-Secure is no longer updating, so I uninstalled it and Spybot.
Installed a new antivirus (Avira) which is pulling up at least 6 trojans including RKIT/MBR.Sinowal, TR/Crypt.ULPM and TR/Dropper.GEN. It detects them but says they are "access denied".
Have run a Malwarebytes scan which detected one item, which I clicked to remove.

Below is the log file from HijackThis:

Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Virgin Media\Digital Home Support\HsdService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe
C:\Program Files\Virgin Media\Service Manager\ServicepointService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Avira\AntiVir Desktop\AVWEBGRD.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Ask.com\Updater\Updater.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Virgin Media\Digital Home Support\DHSClient.exe
C:\Program Files\Sony Ericsson\Sony Ericsson PC Companion\PCCompanion.exe
C:\Program Files\Sony Ericsson\Sony Ericsson PC Companion\PCCompanionInfo.exe
C:\Program Files\CheckPoint\ZAForceField\ForceField.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\system32\msiexec.exe
C:\Documents and Settings\Richie.RICHIE--PC\Desktop\Internet Security\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: ZoneAlarm Security Toolbar - {91da5e8a-3318-4f8c-b67e-5964de3ab546} - C:\Program Files\ZoneAlarm_Security\prxtbZone.dll
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: ZoneAlarm Security Engine Registrar - {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
O2 - BHO: ZoneAlarm Security - {91da5e8a-3318-4f8c-b67e-5964de3ab546} - C:\Program Files\ZoneAlarm_Security\prxtbZone.dll
O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O3 - Toolbar: Avira SearchFree Toolbar plus Web Protection - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O3 - Toolbar: ZoneAlarm Security Toolbar - {91da5e8a-3318-4f8c-b67e-5964de3ab546} - C:\Program Files\ZoneAlarm_Security\prxtbZone.dll
O3 - Toolbar: ZoneAlarm Security Engine - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Virgin Net Broadband\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [DLBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [ApnUpdater] "C:\Program Files\Ask.com\Updater\Updater.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [ZoneAlarm Installer] "C:\Program Files\CheckPoint\Install\Launcher.exe" "C:\Program Files\CheckPoint\Install\Install.exe" /r download /c "C:\Program Files\CheckPoint\Install\Install.xml" /w
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [ISW] "C:\Program Files\CheckPoint\ZAForceField\ForceField.exe" /icon="hidden"
O4 - HKLM\..\Run: [ServiceManager.exe] "C:\Program Files\Virgin Media\Service Manager\ServiceManager.exe" /AUTORUN
O4 - HKLM\..\Run: [DHSClient.exe] "C:\Program Files\Virgin Media\Digital Home Support\DHSClient.exe" /AUTORUN
O4 - HKCU\..\Run: [Sony Ericsson PC Companion] "C:\Program Files\Sony Ericsson\Sony Ericsson PC Companion\PCCompanion.exe" /Background
O4 - HKCU\..\RunOnce: [Shockwave Updater] C:\WINDOWS\system32\Adobe\Shockwave 11\SwHelper_1150596.exe -Update -1150596 -"Mozilla/5.0_(Windows_NT_5.1;_rv:2.0.1)_Gecko/20100101_Firefox/4.0.1" -"http://www.nationalexpress.com/coach/index.cfm?utm_source=google&utm_medium=cpc&utm_term=national%20express&utm_campaign=Pure%20Brand"
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {138E6DC9-722B-4F4B-B09D-95D191869696} (Bebo Uploader Control) - http://www.bebo.com/files/BeboUploader.5.1.4.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5CE72DD0-4695-4D18-A4D3-3367ACD37578} (F-Secure Health Check 1.0) - http://support.f-secure.com/enu/home/onlineservices/fshc/fscax.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase370.cab
O16 - DPF: {6218F7B5-0D3A-48BA-AE4C-49DCFA63D400} (CSEQueryObject Object) - http://www.myheritage.com/Genoogle/Components/ActiveX/SearchEngineQuery.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1197404269328
O16 - DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} (DellSystemLite.Scanner) - http://support.euro.dell.com/systemprofiler/DellSystemLite.CAB
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by121fd.bay121.hotmail.msn.com/activex/HMAtchmt.ocx
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Avira Scheduler (AntiVirSchedulerService) - Avira Operations GmbH & Co. KG - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira Realtime Protection (AntiVirService) - Avira Operations GmbH & Co. KG - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Avira Web Protection (AntiVirWebService) - Avira Operations GmbH & Co. KG - C:\Program Files\Avira\AntiVir Desktop\AVWEBGRD.EXE
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: HsdService - Virgin Media - C:\Program Files\Virgin Media\Digital Home Support\HsdService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: ZoneAlarm Toolbar IswSvc (IswSvc) - Check Point Software Technologies - C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Sony Ericsson OMSI download service (OMSI download service) - Unknown owner - C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Rapport Management Service (RapportMgmtService) - Trusteer Ltd. - C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
O23 - Service: ServicepointService - Radialpoint Inc. - C:\Program Files\Virgin Media\Service Manager\ServicepointService.exe
O23 - Service: Sony Ericsson PCCompanion - Avanquest Software - C:\Program Files\Sony Ericsson\Sony Ericsson PC Companion\PCCService.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe


Below is one of the Avira reports:



Avira Free Antivirus
Report file date: 07 January 2012 19:02

Scanning for 3031228 virus strains and unwanted programs.

The program is running as an unrestricted full version.
Online services are available:

Licensee : Avira AntiVir Personal - Free Antivirus

Platform : Windows XP
Windows version : (Service Pack 3) [5.1.2600]
Boot mode : Normally booted
Username : SYSTEM


Version information:
BUILD.DAT : 12.0.0.872 41826 Bytes 15/12/2011 17:24:00
AVSCAN.EXE : 12.1.0.18 490448 Bytes 06/01/2012 19:12:38
AVSCAN.DLL : 12.1.0.17 54224 Bytes 23/09/2011 13:34:56
LUKE.DLL : 12.1.0.17 68304 Bytes 23/09/2011 12:55:16
AVSCPLR.DLL : 12.1.0.21 99536 Bytes 05/01/2012 19:12:25
AVREG.DLL : 12.1.0.27 227536 Bytes 05/01/2012 19:12:25
VBASE000.VDF : 7.10.0.0 19875328 Bytes 06/11/2009 20:18:34
VBASE001.VDF : 7.11.0.0 13342208 Bytes 14/12/2010 11:07:39
VBASE002.VDF : 7.11.19.170 14374912 Bytes 20/12/2011 19:12:12
VBASE003.VDF : 7.11.19.171 2048 Bytes 20/12/2011 19:12:12
VBASE004.VDF : 7.11.19.172 2048 Bytes 20/12/2011 19:12:12
VBASE005.VDF : 7.11.19.173 2048 Bytes 20/12/2011 19:12:12
VBASE006.VDF : 7.11.19.174 2048 Bytes 20/12/2011 19:12:12
VBASE007.VDF : 7.11.19.175 2048 Bytes 20/12/2011 19:12:12
VBASE008.VDF : 7.11.19.176 2048 Bytes 20/12/2011 19:12:12
VBASE009.VDF : 7.11.19.177 2048 Bytes 20/12/2011 19:12:12
VBASE010.VDF : 7.11.19.178 2048 Bytes 20/12/2011 19:12:12
VBASE011.VDF : 7.11.19.179 2048 Bytes 20/12/2011 19:12:13
VBASE012.VDF : 7.11.19.180 2048 Bytes 20/12/2011 19:12:13
VBASE013.VDF : 7.11.19.217 182784 Bytes 22/12/2011 19:12:13
VBASE014.VDF : 7.11.19.255 148480 Bytes 24/12/2011 19:12:13
VBASE015.VDF : 7.11.20.29 164352 Bytes 27/12/2011 19:12:14
VBASE016.VDF : 7.11.20.70 180224 Bytes 29/12/2011 19:12:14
VBASE017.VDF : 7.11.20.102 240640 Bytes 02/01/2012 19:12:15
VBASE018.VDF : 7.11.20.139 164864 Bytes 04/01/2012 19:12:15
VBASE019.VDF : 7.11.20.178 167424 Bytes 06/01/2012 19:12:38
VBASE020.VDF : 7.11.20.179 2048 Bytes 06/01/2012 19:12:38
VBASE021.VDF : 7.11.20.180 2048 Bytes 06/01/2012 19:12:38
VBASE022.VDF : 7.11.20.181 2048 Bytes 06/01/2012 19:12:38
VBASE023.VDF : 7.11.20.182 2048 Bytes 06/01/2012 19:12:38
VBASE024.VDF : 7.11.20.183 2048 Bytes 06/01/2012 19:12:38
VBASE025.VDF : 7.11.20.184 2048 Bytes 06/01/2012 19:12:38
VBASE026.VDF : 7.11.20.185 2048 Bytes 06/01/2012 19:12:38
VBASE027.VDF : 7.11.20.186 2048 Bytes 06/01/2012 19:12:38
VBASE028.VDF : 7.11.20.187 2048 Bytes 06/01/2012 19:12:38
VBASE029.VDF : 7.11.20.188 2048 Bytes 06/01/2012 19:12:38
VBASE030.VDF : 7.11.20.189 2048 Bytes 06/01/2012 19:12:38
VBASE031.VDF : 7.11.20.194 3584 Bytes 06/01/2012 19:12:38
Engineversion : 8.2.8.18
AEVDF.DLL : 8.1.2.2 106868 Bytes 05/01/2012 19:12:24
AESCRIPT.DLL : 8.1.3.95 479612 Bytes 05/01/2012 19:12:23
AESCN.DLL : 8.1.7.2 127349 Bytes 01/09/2011 23:46:02
AESBX.DLL : 8.2.4.5 434549 Bytes 05/01/2012 19:12:24
AERDL.DLL : 8.1.9.15 639348 Bytes 08/09/2011 23:16:06
AEPACK.DLL : 8.2.15.1 770423 Bytes 05/01/2012 19:12:23
AEOFFICE.DLL : 8.1.2.25 201084 Bytes 05/01/2012 19:12:22
AEHEUR.DLL : 8.1.3.14 4260216 Bytes 05/01/2012 19:12:21
AEHELP.DLL : 8.1.18.0 254327 Bytes 05/01/2012 19:12:18
AEGEN.DLL : 8.1.5.17 405877 Bytes 05/01/2012 19:12:18
AEEMU.DLL : 8.1.3.0 393589 Bytes 01/09/2011 23:46:01
AECORE.DLL : 8.1.24.3 201079 Bytes 05/01/2012 19:12:17
AEBB.DLL : 8.1.1.0 53618 Bytes 01/09/2011 23:46:01
AVWINLL.DLL : 12.1.0.17 27344 Bytes 23/09/2011 12:13:18
AVPREF.DLL : 12.1.0.17 51920 Bytes 23/09/2011 11:53:57
AVREP.DLL : 12.1.0.17 179408 Bytes 23/09/2011 11:55:01
AVARKT.DLL : 12.1.0.19 208848 Bytes 06/01/2012 19:12:38
AVEVTLOG.DLL : 12.1.0.17 169168 Bytes 23/09/2011 11:34:37
SQLITE3.DLL : 3.7.0.0 398288 Bytes 16/09/2011 02:05:58
AVSMTP.DLL : 12.1.0.17 62928 Bytes 23/09/2011 12:03:47
NETNT.DLL : 12.1.0.17 17104 Bytes 23/09/2011 12:58:06
RCIMAGE.DLL : 12.1.0.17 4450000 Bytes 23/09/2011 13:37:25
RCTEXT.DLL : 12.1.1.16 96208 Bytes 06/01/2012 19:12:38

Configuration settings for the scan:
Jobname.............................: AVGuardAsyncScan
Configuration file..................: C:\Documents and Settings\All Users.WINDOWS\Application Data\Avira\AntiVir Desktop\TEMP\AVGUARD_4f087f7c\guard_slideup.avp
Logging.............................: default
Primary action......................: repair
Secondary action....................: quarantine
Scan master boot sector.............: on
Scan boot sector....................: off
Process scan........................: on
Scan registry.......................: off
Search for rootkits.................: off
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: Complete
Deviating risk categories...........: +APPL,+GAME,+JOKE,+PCK,+PFS,+SPR,

Start of the scan: 07 January 2012 19:02

The scan of running processes will be started
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'mbam.exe' - '1' Module(s) have been scanned
Scan process 'plugin-container.exe' - '1' Module(s) have been scanned
Scan process 'firefox.exe' - '1' Module(s) have been scanned
Scan process 'ForceField.exe' - '1' Module(s) have been scanned
Scan process 'PCCompanionInfo.exe' - '1' Module(s) have been scanned
Scan process 'PCCompanion.exe' - '1' Module(s) have been scanned
Scan process 'DHSClient.exe' - '1' Module(s) have been scanned
Scan process 'zlclient.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'Updater.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'smax4pnp.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'AVWEBGRD.EXE' - '1' Module(s) have been scanned
Scan process 'avshadow.exe' - '1' Module(s) have been scanned
Scan process 'MsPMSPSv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'ServicepointService.exe' - '1' Module(s) have been scanned
Scan process 'SupServ.exe' - '1' Module(s) have been scanned
Scan process 'jqs.exe' - '1' Module(s) have been scanned
Scan process 'HsdService.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'IswSvc.exe' - '1' Module(s) have been scanned
Scan process 'Explorer.EXE' - '1' Module(s) have been scanned
Scan process 'vsmon.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'RapportMgmtService.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'Ati2evxx.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned

Starting the file scan:

Begin scan in 'C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP127\A0062401.dll'
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP127\A0062401.dll
[DETECTION] Is the TR/Crypt.ULPM.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '4c043625.qua'.
Begin scan in 'C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP128\A0063384.exe'
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP128\A0063384.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '54931983.qua'.
Begin scan in 'C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP130\A0063520.dll'
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP130\A0063520.dll
[DETECTION] Is the TR/Crypt.ULPM.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '06cc4354.qua'.
Begin scan in 'C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP132\A0064646.dll'
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP132\A0064646.dll
[DETECTION] Is the TR/Crypt.ULPM.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '60fb0c96.qua'.
Begin scan in 'C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP132\A0065646.dll'
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP132\A0065646.dll
[DETECTION] Is the TR/Crypt.ULPM.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '257f21a8.qua'.
Begin scan in 'C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP133\A0065663.dll'
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP133\A0065663.dll
[DETECTION] Is the TR/Crypt.ULPM.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '5a6413c8.qua'.


End of the scan: 07 January 2012 19:03
Used time: 01:04 Minute(s)

The scan has been done completely.

0 Scanned directories
48 Files were scanned
6 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 Files were deleted
0 Viruses and unwanted programs were repaired
6 Files were moved to quarantine
0 Files were renamed
0 Files cannot be scanned
42 Files not concerned
0 Archives were scanned
0 Warnings
6 Notes



Out of interest, I am with Virgin Media and can get free antivirus (made by Trend Microsystems) but I have heard mixed reports. Would this be a better option than Avira (also currently running ZoneAlarm)?

Cheers.
Richie.

Edited by Queen-Evie, 07 January 2012 - 02:45 PM.
moved from AII to Malware Removal Logs
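As an added example (not from this thread, nor from HijackThis or any other tool named in it), here is a small Python triage script for HijackThis log lines like the ones posted above. It parses the entries by section code and flags the kinds of lines a log helper usually reviews first: a BHO whose DLL is missing, IE policy restrictions, ActiveX controls fetched from remote URLs, services with no publisher, and one CLSID registered under two different names. The sample lines are copied from the log in this post; the flagging rules are this example's own heuristics, not a verdict on any entry.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: a handful of lines in HijackThis log format, copied from
# the log posted above (real HijackThis logs contain a header and many more lines).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O3 - Toolbar: Avira SearchFree Toolbar plus Web Protection - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O16 - DPF: {138E6DC9-722B-4F4B-B09D-95D191869696} (Bebo Uploader Control) - http://www.bebo.com/files/BeboUploader.5.1.4.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
"""

# "R0 - ..." / "O23 - ...": a section code, then the entry body.
ENTRY_RE = re.compile(r"^(?P<type>[RFNO]\d{1,2}) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def parse_hjt(text):
    """Turn a HijackThis log into a list of entry records; non-entry lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        entries.append({
            "type": m.group("type"),
            "body": m.group("body"),
            "clsids": [c.upper() for c in CLSID_RE.findall(m.group("body"))],
            "line": line,
        })
    return entries


def count_by_type(entries):
    """How many entries of each section code the log contains."""
    return Counter(e["type"] for e in entries)


def triage(entries):
    """Return (type, reason, line) tuples for entries a log helper reviews first.

    These are this example's own heuristics: they flag what deserves a look,
    not what is malicious.
    """
    findings = []
    names_by_clsid = defaultdict(set)
    for e in entries:
        t, body = e["type"], e["body"]
        if t == "O2" and body.endswith("(no file)"):
            findings.append((t, "BHO registered but its DLL is missing", e["line"]))
        elif t == "O6":
            findings.append((t, "IE policy restrictions present; confirm they were set deliberately", e["line"]))
        elif t == "O16":
            findings.append((t, "ActiveX control downloaded from a remote URL", e["line"]))
        elif t == "O23" and "Unknown owner" in body:
            findings.append((t, "service with no publisher information", e["line"]))
        # Remember the display name behind each BHO/toolbar CLSID so that one
        # component registered under two different names is reported below.
        if t in ("O2", "O3") and e["clsids"]:
            name = body.split(" - ")[0].split(": ", 1)[-1]
            names_by_clsid[e["clsids"][0]].add(name)
    for clsid, names in sorted(names_by_clsid.items()):
        if len(names) > 1:
            findings.append(("O2/O3", f"CLSID {clsid} registered under several names: {sorted(names)}", clsid))
    return findings


if __name__ == "__main__":
    parsed = parse_hjt(SAMPLE_LOG)
    print(dict(count_by_type(parsed)))
    for entry_type, reason, line in triage(parsed):
        print(f"[{entry_type}] {reason}\n    {line}")
```

Run it against a full log saved from HijackThis to get a first-pass list of entries worth checking by hand before asking for help.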




#2 Gammo


Posted 07 January 2012 - 03:28 PM

Hi Richie,

Download the latest version of TDSSKiller from here and save it to your Desktop.


  • Double-click on TDSSKiller.exe to run the application, then click on Change parameters.
  • Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.
  • Click the Start Scan button.
  • If a suspicious object is detected, the default action will be Skip; click on Continue.
  • If malicious objects are found, they will show in the Scan results and offer three (3) options.
  • Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
  • Note: If Cure is not available, please choose Skip instead; do not choose Delete unless instructed.

A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents on your next reply.





Download and Install Combofix

Download ComboFix from one of the following locations:

Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop *

IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow it to update if it asks.
  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.


Please make sure you include the ComboFix log in your next reply, as well as describing how your computer is running now.


Please post the final results, good or bad. We like to know!
My help is always free, but if I have helped you, please consider making a donation to help me continue the fight against malware!


#3 Richie_S


Posted 08 January 2012 - 03:01 PM

Hi mate, thanks for your reply.
The new antivirus was suggesting my PC was riddled, so I just bit the bullet and completed a clean re-install of Windows XP.
Currently running Virgin Media Antivirus (think it's a re-branded Kaspersky - Trend Microsystems). Also running Comodo firewall.
Couldn't install Avira again as it needs XP SP3, which hasn't updated on my PC yet.
Will download the above files for future reference in case I need them though.

Thanks for your time.

#4 Gammo


Posted 08 January 2012 - 03:21 PM

Hi,

> Couldn't install Avira again

Virgin Media Antivirus is good enough (and you should never install multiple anti-virus programs!).

> as it needs XP SP3 which hasn't updated on my pc yet

Please do that ASAP. Your PC is very vulnerable at the moment.

> Will download the above files for future reference incase I need them though.

Because you reinstalled your PC, the infection should be gone as well, so you don't need to download them (and you certainly shouldn't run them on your own with supervision of someone like me).

:thumbup2:

Edited by Gammo, 08 January 2012 - 03:22 PM.
typo





