
Possible Ukash Trojan On Laptop


  • This topic is locked
17 replies to this topic

#1 sanscosm
  • Members
  • 32 posts

Posted 13 March 2012 - 04:00 PM

I was reading what I thought was a harmless music blog and a pop-up appeared on my screen. After closing the window my screen turned white and the sentence "Please wait while connection is established" appeared (with a German translation). A further pop-up stating my computer was blocked also appeared. Ctrl-Alt-Delete did not work so I restarted my laptop and switched off the wireless; the pop-up appeared again, then in safe mode and safe mode with command prompt... I am out of ideas... Please help!

I read on a quick search of forums on Google that a "Metropolitan Police ukash trojan" has similar characteristics. Don't know if that is of any use.

I am on a Toshiba laptop which runs Windows XP. The CD/DVD writer is broken on both the laptop and my home computer. Can a USB be used before start-up?

Many thanks :)



#2 Guest_White Warrior_*
  • Guests

Posted 16 March 2012 - 06:47 PM

Hi sanscosm

We need to see some information about what is happening in your machine. Please perform the following scans.

  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create a GMER log and post it in the reply where you post your DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


White Warrior

#3 sanscosm
  • Topic Starter
  • Members
  • 32 posts

Posted 17 March 2012 - 05:09 PM

Hi White Warrior

Thank you for your reply.

I am afraid I am unable to run DDS or the GMER anti-rootkit scanner as I can't seem to do anything after Windows has started up. When the computer gets to the stage where the desktop should appear on the screen, and the welcome music has played, the "Please wait while connection is established" pop-up appears and nothing works. If I am connected to the internet a further pop-up appears saying my computer has been blocked. Ctrl-Alt-Delete doesn't work and Task Manager is blocked... Any ideas?

sanscosm

#4 Guest_White Warrior_*
  • Guests

Posted 18 March 2012 - 11:31 AM

Hi sanscosm

Please boot into safe mode with networking.
Press the Windows key + R and see if that brings up the run box.

If it works:
Please download Rkill by Grinler from one of these links:

Rkill.exe
Rkill.com
Rkill.scr
Rkill.pif

Save Rkill to your desktop.
Double-click on Rkill to run it.

Note: If the first one does not run successfully, download and try the other copies (with a different file extension) and see if one of them will run.

Warning: Do not let RKill reboot the machine. If it does reboot, then run RKill again.

Once Rkill has successfully run:

Try to run DDS.

White Warrior

#5 sanscosm
  • Topic Starter
  • Members
  • 32 posts

Posted 18 March 2012 - 12:28 PM

I have tried booting into safe mode (both with and without networking) and Windows key + R won't work... nightmare.

Is it possible to run another operating system from a USB before starting windows? My IT knowledge is pretty poor I must admit.

sanscosm

#6 sanscosm
  • Topic Starter
  • Members
  • 32 posts

Posted 18 March 2012 - 01:28 PM

I have now tried going into safe mode with command prompt. If I am quick enough I can open explorer.exe. Not sure if search is working, but I managed to run MBAM and it found infected files which I quarantined. However, on restarting the laptop there seems to be no difference and the pop-up appears again. My computer also won't recognise a USB stick while in command prompt.

sanscosm

#7 sanscosm
  • Topic Starter
  • Members
  • 32 posts

Posted 18 March 2012 - 04:14 PM

Sorry to keep on posting...

I managed to access my USB by going into "Computer Management" and opening it manually. I am still in safe mode with command prompt.

RKill reported terminating:
C:\Documents and Settings\Owner\Application Data\flint4ytw.exe

The pop-up has now disappeared. Should I delete the .exe above? I have no way of copying and pasting results of DDS or GMER logs, but I could write out specific parts if that would be helpful?

sanscosm

#8 Guest_White Warrior_*
  • Guests

Posted 19 March 2012 - 03:38 PM

Hi sanscosm

Sorry to keep on posting...

Don't be sorry.
You're doing well.

I managed to access my USB by going into "Computer Management" and opening it manually. I am still in safe mode with command prompt.

Well done.
We'll work from safe mode (safe mode with networking) for the time being.

First of all I would like to see the MBAM log that you ran.
Please open MBAM >> click the Logs tab >> copy/paste the log that is at the bottom of the list.

RKill reported terminating:
C:\Documents and Settings\Owner\Application Data\flint4ytw.exe

Navigate to this file and delete it, then empty the recycle bin and reboot the computer back into safe mode with networking.

I have no way of copying and pasting results of DDS or GMER logs

Can you transfer them to the USB stick and transfer them to the clean computer?

Finally, Please visit this webpage for download links, and instructions for running the ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.

When you are finished, see if you can boot into normal mode
Let me know how the computer is running now and what problems remain.

White Warrior

Edited by White Warrior, 20 March 2012 - 01:01 AM.


#9 sanscosm
  • Topic Starter
  • Members
  • 32 posts

Posted 20 March 2012 - 03:56 PM

Thank you :) Not sure whether you will want me to attach files it suggests from "How to create a GMER log" but I will do just in case.

I have followed your steps and now started up my laptop in normal mode. It seems to be running fine, no sign of the pop-up.

Do you have any recommendations for anti-virus (free or paid)? I have been using Avira for a while and was wondering whether there is anything more up-to-date?



MBAM log (from before the deletion of flint4ytw.exe) - I stopped it just before the end

Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org

Database version: v2012.03.18.03

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Owner :: YOUR-2D715D4B37 [administrator]

18/03/2012 21:51:48
mbam-log-2012-03-18 (21-51-48).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 159999
Time elapsed: 2 hour(s), 10 minute(s), 54 second(s) [aborted]

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 1
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{xZZHlbZp-cp9b-vHzS-P0ZA-6t3dhx9Vn6Sh} (Backdoor.Agent) -> Quarantined and deleted successfully.

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 19
C:\Documents and Settings\Administrator\Application Data\flint4ytw.exe (Spyware.Passwords) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\E38BOQMI\readme[1].exe (Spyware.Passwords) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FCF3B85C-4072-416E-BD2A-0141FF43547F}\RP464\A0053917.exe (Backdoor.Bot.SCGen) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FCF3B85C-4072-416E-BD2A-0141FF43547F}\RP464\A0053924.exe (Backdoor.Bot.SCGen) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FCF3B85C-4072-416E-BD2A-0141FF43547F}\RP464\A0053930.exe (Backdoor.Bot.SCGen) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FCF3B85C-4072-416E-BD2A-0141FF43547F}\RP478\A0055677.exe (Backdoor.Bot.SCGen) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FCF3B85C-4072-416E-BD2A-0141FF43547F}\RP479\A0055694.exe (Backdoor.Bot.SCGen) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FCF3B85C-4072-416E-BD2A-0141FF43547F}\RP479\A0055700.exe (Backdoor.Bot.SCGen) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FCF3B85C-4072-416E-BD2A-0141FF43547F}\RP480\A0056071.exe (Backdoor.Bot.SCGen) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FCF3B85C-4072-416E-BD2A-0141FF43547F}\RP480\A0056077.exe (Backdoor.Bot.SCGen) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FCF3B85C-4072-416E-BD2A-0141FF43547F}\RP480\A0056086.exe (Backdoor.Bot.SCGen) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FCF3B85C-4072-416E-BD2A-0141FF43547F}\RP481\A0056164.exe (Backdoor.Bot.SCGen) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FCF3B85C-4072-416E-BD2A-0141FF43547F}\RP481\A0056141.exe (Backdoor.Bot.SCGen) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FCF3B85C-4072-416E-BD2A-0141FF43547F}\RP481\A0056187.exe (Backdoor.Bot.SCGen) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FCF3B85C-4072-416E-BD2A-0141FF43547F}\RP482\A0056189.exe (Backdoor.Bot.SCGen) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FCF3B85C-4072-416E-BD2A-0141FF43547F}\RP484\A0064229.exe (Spyware.Passwords) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FCF3B85C-4072-416E-BD2A-0141FF43547F}\RP484\A0065229.exe (Spyware.Passwords) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FCF3B85C-4072-416E-BD2A-0141FF43547F}\RP484\A0066233.exe (Spyware.Passwords) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FCF3B85C-4072-416E-BD2A-0141FF43547F}\RP484\A0069234.exe (Spyware.Passwords) -> Quarantined and deleted successfully.

(end)




DDS log:

.
DDS (Ver_2011-08-26.01) - NTFSx86 NETWORK
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_10
Run by Owner at 16:19:58 on 2012-03-20
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.744 [GMT 0:00]
.
AV: AntiVir Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32Info.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.plymouth.ac.uk/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
mWinlogon: Userinit=userinit.exe,
uWinlogon: Userinit=c:\documents and settings\owner\application data\flint4ytw.exe,c:\windows\system32\userinit.exe,
BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\ie\divxhtml5\DivXHTML5.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: {E67C74F4-A00A-4F2C-9FEC-FD9DC004A67F} - No File
uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\toscdspd.exe
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Adobe Reader Speed Launcher] c:\documents and settings\owner\application data\ruxxsut.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [ITSecMng] %ProgramFiles%\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe /START
mRun: [THotkey] c:\program files\toshiba\toshiba applet\thotkey.exe
mRun: [TPSMain] TPSMain.exe
mRun: [SmoothView] c:\program files\toshiba\toshiba zooming utility\SmoothView.exe
mRun: [NDSTray.exe] NDSTray.exe
mRun: [DDWMon] c:\program files\toshiba\toshiba direct disc writer\\ddwmon.exe
mRun: [topi] c:\program files\toshiba\toshiba online product information\topi.exe -startup
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [LifeCam] "c:\program files\microsoft lifecam\LifeExp.exe"
mRun: [VX1000] c:\windows\vVX1000.exe
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [Adobe Reader Speed Launcher] c:\documents and settings\owner\application data\ruxxsut.exe
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mRunOnce: [Malwarebytes Anti-Malware (cleanup)] rundll32.exe "c:\documents and settings\all users\application data\malwarebytes\malwarebytes' anti-malware\cleanup.dll",ProcessCleanupScript
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\photof~1.lnk - c:\program files\panasonic\photofunstudio\PhAutoRun.exe
dPolicies-disallowrun: 1 = firefox.exe
dPolicies-disallowrun: 2 = opera.exe
dPolicies-disallowrun: 3 = chrome.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.254 192.168.1.254
TCP: Interfaces\{E5397A82-B3D3-4AFA-8320-8ACDFC3A715B} : DhcpNameServer = 192.168.1.254 192.168.1.254
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\owner\application data\mozilla\firefox\profiles\pv6z2qkb.default\
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\program files\canon\easy-photoprint ex\NPEZFFPI.DLL
FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\microsoft silverlight\4.1.10111.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npOGAPlugin.dll
.
---- FIREFOX POLICIES ----
FF - user.js: network.http.accept-encoding -
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
============= SERVICES / DRIVERS ===============
.
R3 FwLnk;FwLnk Driver;c:\windows\system32\drivers\FwLnk.sys [2008-5-7 5888]
R3 RTL8187B;Realtek RTL8187B Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187B.sys [2008-5-7 288000]
R3 seehcri;Sony Ericsson seehcri Device Driver;c:\windows\system32\drivers\seehcri.sys [2010-2-13 27632]
S0 pflb;pflb;c:\windows\system32\drivers\ofdq.sys --> c:\windows\system32\drivers\ofdq.sys [?]
S1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-11-21 11608]
S1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-11-21 136360]
S2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-11-21 269480]
S2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-11-21 66616]
S2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2009-11-22 652360]
S2 NIHardwareService;NIHardwareService;c:\program files\common files\native instruments\hardware\NIHardwareService.exe [2010-3-25 3622912]
S2 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\drivers\tdudf.sys [2007-3-26 105856]
S2 trudf;TOSHIBA DVD-RAM UDF File System Driver;c:\windows\system32\drivers\trudf.sys [2007-2-19 134016]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [2010-10-26 13224]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2009-11-22 20464]
S3 s3017bus;Sony Ericsson Device 3017 driver (WDM);c:\windows\system32\drivers\s3017bus.sys [2008-12-21 83880]
S3 s3017mdfl;Sony Ericsson Device 3017 USB WMC Modem Filter;c:\windows\system32\drivers\s3017mdfl.sys [2008-12-21 15016]
S3 s3017mdm;Sony Ericsson Device 3017 USB WMC Modem Driver;c:\windows\system32\drivers\s3017mdm.sys [2008-12-21 110632]
S3 s3017mgmt;Sony Ericsson Device 3017 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s3017mgmt.sys [2008-12-21 104616]
S3 s3017nd5;Sony Ericsson Device 3017 USB Ethernet Emulation SEMC3017 (NDIS);c:\windows\system32\drivers\s3017nd5.sys [2008-12-21 25512]
S3 s3017obex;Sony Ericsson Device 3017 USB WMC OBEX Interface;c:\windows\system32\drivers\s3017obex.sys [2008-12-21 100648]
S3 s3017unic;Sony Ericsson Device 3017 USB Ethernet Emulation SEMC3017 (WDM);c:\windows\system32\drivers\s3017unic.sys [2008-12-21 110120]
.
=============== Created Last 30 ================
.
.
==================== Find3M ====================
.
2012-03-20 11:21:40 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-02-03 09:22:18 1860096 ----a-w- c:\windows\system32\win32k.sys
2012-01-11 19:06:47 3072 ------w- c:\windows\system32\iacenc.dll
2012-01-09 16:20:25 139784 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-01-04 00:48:42 354176 ----a-w- c:\windows\system32\DivXControlPanelApplet.cpl
.
============= FINISH: 16:21:15.78 ===============



ComboFix log:


ComboFix 12-03-20.01 - Owner 20/03/2012 20:21:33.8.2 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.548 [GMT 0:00]
Running from: F:\ComboFix.exe
AV: AntiVir Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\Owner\Local Settings\Application Data\Windows Server
c:\documents and settings\Owner\Local Settings\Application Data\Windows Server\flags.ini
c:\documents and settings\Owner\Local Settings\Application Data\Windows Server\uses32.dat
.
.
((((((((((((((((((((((((( Files Created from 2012-02-20 to 2012-03-20 )))))))))))))))))))))))))))))))
.
.
2012-03-18 18:04 . 2012-03-18 18:04 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2012-03-18 17:59 . 2012-03-18 17:59 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Ahead
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-03-20 11:21 . 2011-05-19 16:40 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-02-03 09:22 . 2008-05-07 07:46 1860096 ----a-w- c:\windows\system32\win32k.sys
2012-01-11 19:06 . 2012-02-16 18:01 3072 ------w- c:\windows\system32\iacenc.dll
2012-01-09 16:20 . 2008-05-07 08:53 139784 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-01-04 00:48 . 2012-01-04 00:48 354176 ----a-w- c:\windows\system32\DivXControlPanelApplet.cpl
2012-02-18 22:19 . 2011-10-06 15:11 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2005-04-11 65536]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-12-23 143360]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-05 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-05 162328]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-05 137752]
"RTHDCPL"="RTHDCPL.EXE" [2008-01-29 16859648]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-12-06 1024000]
"ITSecMng"="c:\program files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe" [2007-09-28 75136]
"THotkey"="c:\program files\Toshiba\Toshiba Applet\thotkey.exe" [2008-03-04 360448]
"TPSMain"="TPSMain.exe" [2007-10-12 266240]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2007-05-11 143360]
"NDSTray.exe"="NDSTray.exe" [BU]
"DDWMon"="c:\program files\TOSHIBA\TOSHIBA Direct Disc Writer\\ddwmon.exe" [2007-04-26 495616]
"topi"="c:\program files\TOSHIBA\Toshiba Online Product Information\topi.exe" [2007-07-10 581632]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-10-27 207424]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2007-05-17 279912]
"VX1000"="c:\windows\vVX1000.exe" [2007-04-10 709992]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-10-25 652624]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-07-06 1848648]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-11-07 281768]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-13 460872]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-10-09 421736]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-07-28 1259376]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Malwarebytes Anti-Malware (cleanup)"="c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\cleanup.dll" [2012-01-13 1081416]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
PHOTOfunSTUDIO.lnk - c:\program files\Panasonic\PHOTOfunSTUDIO\PhAutoRun.exe [2009-7-5 44176]
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer\disallowrun]
"1"= firefox.exe
"2"= opera.exe
"3"= chrome.exe
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"16059:TCP"= 16059:TCP:spport
"26066:TCP"= 26066:TCP:spport
"20105:TCP"= 20105:TCP:spport
.
R3 FwLnk;FwLnk Driver;c:\windows\system32\drivers\FwLnk.sys [07/05/2008 09:50 5888]
R3 RTL8187B;Realtek RTL8187B Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187B.sys [07/05/2008 09:50 288000]
R3 seehcri;Sony Ericsson seehcri Device Driver;c:\windows\system32\drivers\seehcri.sys [13/02/2010 18:47 27632]
S0 pflb;pflb;c:\windows\system32\drivers\ofdq.sys --> c:\windows\system32\drivers\ofdq.sys [?]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [17/02/2010 18:25 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [10/05/2010 18:41 67656]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [21/11/2009 15:15 136360]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [22/11/2009 11:09 652360]
S2 NIHardwareService;NIHardwareService;c:\program files\Common Files\Native Instruments\Hardware\NIHardwareService.exe [25/03/2010 17:22 3622912]
S2 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\drivers\tdudf.sys [26/03/2007 11:22 105856]
S2 trudf;TOSHIBA DVD-RAM UDF File System Driver;c:\windows\system32\drivers\trudf.sys [19/02/2007 11:15 134016]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [26/10/2010 14:49 13224]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [22/11/2009 11:09 20464]
S3 s3017bus;Sony Ericsson Device 3017 driver (WDM);c:\windows\system32\drivers\s3017bus.sys [21/12/2008 00:22 83880]
S3 s3017mdfl;Sony Ericsson Device 3017 USB WMC Modem Filter;c:\windows\system32\drivers\s3017mdfl.sys [21/12/2008 00:22 15016]
S3 s3017mdm;Sony Ericsson Device 3017 USB WMC Modem Driver;c:\windows\system32\drivers\s3017mdm.sys [21/12/2008 00:22 110632]
S3 s3017mgmt;Sony Ericsson Device 3017 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s3017mgmt.sys [21/12/2008 00:22 104616]
S3 s3017nd5;Sony Ericsson Device 3017 USB Ethernet Emulation SEMC3017 (NDIS);c:\windows\system32\drivers\s3017nd5.sys [21/12/2008 00:22 25512]
S3 s3017obex;Sony Ericsson Device 3017 USB WMC OBEX Interface;c:\windows\system32\drivers\s3017obex.sys [21/12/2008 00:22 100648]
S3 s3017unic;Sony Ericsson Device 3017 USB Ethernet Emulation SEMC3017 (WDM);c:\windows\system32\drivers\s3017unic.sys [21/12/2008 00:22 110120]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - ffqcqfob
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 16:57]
.
2012-03-20 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 14:07]
.
2012-03-20 c:\windows\Tasks\Windows Codec Update Service.job
- c:\program files\Essentials Codec Pack\WECPUpdate.exe [2011-02-21 10:52]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.plymouth.ac.uk/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.254 192.168.1.254
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\pv6z2qkb.default\
FF - prefs.js: network.proxy.type - 4
FF - user.js: network.http.accept-encoding -
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-Adobe Reader Speed Launcher - c:\documents and settings\Owner\Application Data\ruxxsut.exe
HKLM-Run-Adobe Reader Speed Launcher - c:\documents and settings\Owner\Application Data\ruxxsut.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-03-20 20:29
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(636)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
.
Completion time: 2012-03-20 20:31:38
ComboFix-quarantined-files.txt 2012-03-20 20:31
.
Pre-Run: 25,594,552,320 bytes free
Post-Run: 29,647,532,032 bytes free
.
- - End Of File - - E8DD06504722C6817C3F8C641DFD060A




#10 Guest_White Warrior_*

Posted 21 March 2012 - 03:56 AM

Hi sanscosm

I have followed your steps and now started up my laptop in normal mode. It seems to be running fine, no sign of the pop-up.

That's great.

However, I'm afraid I have bad news.

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Now, let's get you clean.

Do you have any recommendations for anti-virus (free or paid)?


Three good antivirus programs free for non-commercial home use are:
  • avast! Free Antivirus
  • Avira AntiVir Personal - Free Antivirus
  • Microsoft Security Essentials
Note: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.

Your version of Adobe Reader is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Adobe components and update:
  • Download the latest version of Adobe Reader Version X and save it to your desktop.
  • Uncheck the "Free McAfee Security plan Plus" option or any other Toolbar you are offered
  • Click the download button at the bottom.
  • If you use Internet Explorer and do not wish to install the ActiveX element, simply click on the click here to download link on the next page.
  • Remove all older versions of Adobe Reader: Go to Add/Remove and uninstall all versions of Adobe Reader, Acrobat Reader and Adobe Acrobat.
    If you are unsure of how to use Add or Remove Programs, then please see this tutorial: How To Remove An Installed Program From Your Computer
  • Then from your desktop double-click on Adobe Reader to install the newest version.
    If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the "Adobe Setup - Welcome" window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.
Your Adobe Reader is now up to date!

Important Note: Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system.
Microsoft: ‘Unprecedented Wave of Java Exploitation’
Drive-by Trojan preying on out-of-date Java installations
Ghosts of Java Haunt Users
Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) and save it to your desktop.
  • Look for "Java Platform, Standard Edition".
  • Click the "Download JRE" button to the right.
  • Select your Platform: "Windows" (32-bit) or "Windows x64" (64-bit).
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "I agree to the Java SE...License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove Programs or Programs and Features in Vista/Windows 7 and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the Java file you downloaded earlier to install the newest version.
  • If using Windows 7 or Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the Java Setup - Welcome window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.
-- Starting with Java 6u10, the uninstaller incorporated in each new release uses Enhanced Auto update to automatically remove the previous version when updating to a later update release. It will not remove older versions, so they will need to be removed manually.
-- Java is updated frequently. If you want to be automatically notified of future updates, just turn on the Java Automatic Update feature and you will not have to remember to update when Java releases a new version.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications but it's not necessary.
To disable the JQS service if you don't want to use it:
  • Go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter.
  • Click Ok and reboot your computer.

Install and use a firewall with outbound protection
While the firewall built into Windows XP is adequate to protect you from incoming attacks, it will not be much help in alerting you to programs already on your PC attempting to connect to remote servers.
I therefore strongly recommend that you install one of the following free firewalls: Comodo Firewall (remember to uncheck Install Comodo Antivirus) or Sunbelt Firewall.
See Bleepingcomputer's excellent tutorial to help using and understanding a firewall here.
Note: You should only have one firewall installed at a time. Having more than one firewall program installed at once is likely to cause conflicts and may well decrease your overall protection as well as seriously impairing the performance of your PC.

Any more problems?

White Warrior

#11 sanscosm

Posted 22 March 2012 - 02:28 PM

That is fantastic, thank you :) I have updated Adobe, deleted/updated Java and installed Comodo Firewall. MBAM did not pick up anything on its last scan but Avira is still finding malicious .exe files.. will this eventually sort itself out if I keep on deleting them?

sanscosm

#12 Guest_White Warrior_*

Posted 23 March 2012 - 05:52 PM

Hi sanscosm

but Avira is still finding malicious .exe files.

These are probably false positives as MBAM is not finding them.
Please post the Avira log.

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.
White Warrior

#13 sanscosm

Posted 24 March 2012 - 06:19 PM

Hello :) The ESET scan found no viruses and offered no log for me to save. I will paste the last two warnings that Avira has found below.. it always seems to be .exe files that start with an A and then a series of numbers.

Should I stay clear of using my laptop for personal emails/banking etc?

sanscosm

1

Avira AntiVir Personal
Report file date: 24 March 2012 23:11

Scanning for 3591904 virus strains and unwanted programs.

The program is running as an unrestricted full version.
Online services are available:

Licensee : Avira AntiVir Personal - Free Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 3) [5.1.2600]
Boot mode : Normally booted
Username : SYSTEM
Computer name : YOUR-2D715D4B37

Version information:
BUILD.DAT : 10.2.0.707 36070 Bytes 1/25/2012 13:11:00
AVSCAN.EXE : 10.3.0.7 484008 Bytes 6/28/2011 18:56:26
AVSCAN.DLL : 10.0.5.0 47464 Bytes 6/28/2011 18:56:26
LUKE.DLL : 10.3.0.5 45416 Bytes 6/28/2011 18:56:31
LUKERES.DLL : 10.0.0.1 12648 Bytes 2/10/2010 23:40:49
AVSCPLR.DLL : 10.3.0.7 119656 Bytes 6/28/2011 18:56:31
AVREG.DLL : 10.3.0.9 88833 Bytes 7/12/2011 16:48:08
VBASE000.VDF : 7.10.0.0 19875328 Bytes 11/6/2009 15:17:47
VBASE001.VDF : 7.11.0.0 13342208 Bytes 12/14/2010 16:45:05
VBASE002.VDF : 7.11.19.170 14374912 Bytes 12/20/2011 23:41:48
VBASE003.VDF : 7.11.21.238 4472832 Bytes 2/1/2012 11:06:12
VBASE004.VDF : 7.11.21.239 2048 Bytes 2/1/2012 11:06:13
VBASE005.VDF : 7.11.21.240 2048 Bytes 2/1/2012 11:06:13
VBASE006.VDF : 7.11.21.241 2048 Bytes 2/1/2012 11:06:13
VBASE007.VDF : 7.11.21.242 2048 Bytes 2/1/2012 11:06:13
VBASE008.VDF : 7.11.21.243 2048 Bytes 2/1/2012 11:06:13
VBASE009.VDF : 7.11.21.244 2048 Bytes 2/1/2012 11:06:13
VBASE010.VDF : 7.11.21.245 2048 Bytes 2/1/2012 11:06:14
VBASE011.VDF : 7.11.21.246 2048 Bytes 2/1/2012 11:06:14
VBASE012.VDF : 7.11.21.247 2048 Bytes 2/1/2012 11:06:14
VBASE013.VDF : 7.11.22.33 1486848 Bytes 2/3/2012 21:14:32
VBASE014.VDF : 7.11.22.56 687616 Bytes 2/3/2012 21:14:35
VBASE015.VDF : 7.11.22.92 178176 Bytes 2/6/2012 20:03:32
VBASE016.VDF : 7.11.22.154 144896 Bytes 2/8/2012 14:49:53
VBASE017.VDF : 7.11.22.220 183296 Bytes 2/13/2012 17:30:43
VBASE018.VDF : 7.11.23.34 202752 Bytes 2/15/2012 17:30:46
VBASE019.VDF : 7.11.23.98 126464 Bytes 2/17/2012 21:40:11
VBASE020.VDF : 7.11.23.150 148480 Bytes 2/20/2012 17:28:47
VBASE021.VDF : 7.11.23.224 172544 Bytes 2/23/2012 14:41:23
VBASE022.VDF : 7.11.24.52 219648 Bytes 2/28/2012 11:46:47
VBASE023.VDF : 7.11.24.152 165888 Bytes 3/5/2012 15:52:28
VBASE024.VDF : 7.11.24.204 177664 Bytes 3/7/2012 10:11:57
VBASE025.VDF : 7.11.25.30 245248 Bytes 3/12/2012 11:15:37
VBASE026.VDF : 7.11.25.121 252416 Bytes 3/15/2012 11:15:38
VBASE027.VDF : 7.11.25.177 202752 Bytes 3/20/2012 17:35:14
VBASE028.VDF : 7.11.25.233 169984 Bytes 3/23/2012 18:50:56
VBASE029.VDF : 7.11.25.234 2048 Bytes 3/23/2012 18:50:57
VBASE030.VDF : 7.11.25.235 2048 Bytes 3/23/2012 18:50:57
VBASE031.VDF : 7.11.25.246 38912 Bytes 3/23/2012 18:50:57
Engineversion : 8.2.10.28
AEVDF.DLL : 8.1.2.2 106868 Bytes 10/27/2011 13:45:00
AESCRIPT.DLL : 8.1.4.13 442746 Bytes 3/24/2012 18:51:24
AESCN.DLL : 8.1.8.2 131444 Bytes 1/29/2012 13:55:23
AESBX.DLL : 8.2.5.5 606579 Bytes 3/20/2012 11:15:59
AERDL.DLL : 8.1.9.15 639348 Bytes 9/11/2011 14:06:16
AEPACK.DLL : 8.2.16.7 803190 Bytes 3/24/2012 18:51:22
AEOFFICE.DLL : 8.1.2.25 201084 Bytes 1/1/2012 15:20:40
AEHEUR.DLL : 8.1.4.8 4514165 Bytes 3/24/2012 18:51:18
AEHELP.DLL : 8.1.19.0 254327 Bytes 1/22/2012 16:31:18
AEGEN.DLL : 8.1.5.23 409973 Bytes 3/8/2012 10:11:59
AEEXP.DLL : 8.1.0.25 74101 Bytes 3/20/2012 11:15:59
AEEMU.DLL : 8.1.3.0 393589 Bytes 11/22/2010 22:40:35
AECORE.DLL : 8.1.25.6 201078 Bytes 3/20/2012 11:15:46
AEBB.DLL : 8.1.1.0 53618 Bytes 4/26/2010 18:17:06
AVWINLL.DLL : 10.0.0.0 19304 Bytes 1/14/2010 12:03:38
AVPREF.DLL : 10.0.3.2 44904 Bytes 6/28/2011 18:56:26
AVREP.DLL : 10.0.0.10 174120 Bytes 5/20/2011 20:49:47
AVARKT.DLL : 10.0.26.1 255336 Bytes 6/28/2011 18:56:23
AVEVTLOG.DLL : 10.0.0.9 203112 Bytes 6/28/2011 18:56:25
SQLITE3.DLL : 3.6.19.0 355688 Bytes 1/28/2010 12:57:58
AVSMTP.DLL : 10.0.0.17 63848 Bytes 3/16/2010 15:38:56
NETNT.DLL : 10.0.0.0 11624 Bytes 2/19/2010 14:41:00
RCIMAGE.DLL : 10.0.0.35 2589544 Bytes 6/28/2011 18:56:21
RCTEXT.DLL : 10.0.64.0 97640 Bytes 6/28/2011 18:56:21

Configuration settings for the scan:
Jobname.............................: avguard_async_scan
Configuration file..................: C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\AVGUARD_4fa69e40\guard_slideup.avp
Logging.............................: Default
Primary action......................: repair
Secondary action....................: quarantine
Scan master boot sector.............: on
Scan boot sector....................: off
Process scan........................: on
Scan registry.......................: off
Search for rootkits.................: off
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: Complete
Deviating risk categories...........: +APPL,+GAME,+JOKE,+PCK,+SPR,

Start of the scan: 24 March 2012 23:11

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'plugin-container.exe' - '1' Module(s) have been scanned
Scan process 'firefox.exe' - '1' Module(s) have been scanned
Scan process 'iPodService.exe' - '1' Module(s) have been scanned
Scan process 'NMIndexingService.exe' - '1' Module(s) have been scanned
Scan process 'unsecapp.exe' - '1' Module(s) have been scanned
Scan process 'NMIndexStoreSvr.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'PhAutoRun.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'NMBgMonitor.exe' - '1' Module(s) have been scanned
Scan process 'toscdspd.exe' - '1' Module(s) have been scanned
Scan process 'cfp.exe' - '1' Module(s) have been scanned
Scan process 'CLPS.exe' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'ArcCon.ac' - '1' Module(s) have been scanned
Scan process 'DivXUpdate.exe' - '1' Module(s) have been scanned
Scan process 'iTunesHelper.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'BJMyPrt.exe' - '1' Module(s) have been scanned
Scan process 'TPSBattM.exe' - '1' Module(s) have been scanned
Scan process 'vVX1000.exe' - '1' Module(s) have been scanned
Scan process 'ACDaemon.exe' - '1' Module(s) have been scanned
Scan process 'ddwmon.exe' - '1' Module(s) have been scanned
Scan process 'NDSTray.exe' - '1' Module(s) have been scanned
Scan process 'SmoothView.exe' - '1' Module(s) have been scanned
Scan process 'TPSMain.exe' - '1' Module(s) have been scanned
Scan process 'thotkey.exe' - '1' Module(s) have been scanned
Scan process 'igfxsrvc.exe' - '1' Module(s) have been scanned
Scan process 'SynTPEnh.exe' - '1' Module(s) have been scanned
Scan process 'RTHDCPL.EXE' - '1' Module(s) have been scanned
Scan process 'igfxpers.exe' - '1' Module(s) have been scanned
Scan process 'hkcmd.exe' - '1' Module(s) have been scanned
Scan process 'igfxtray.exe' - '1' Module(s) have been scanned
Scan process 'TosBtSrv.exe' - '1' Module(s) have been scanned
Scan process 'TODDSrv.exe' - '1' Module(s) have been scanned
Scan process 'TAPPSRV.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'NIHardwareService.exe' - '1' Module(s) have been scanned
Scan process 'MSCamS32.exe' - '1' Module(s) have been scanned
Scan process 'MDM.EXE' - '1' Module(s) have been scanned
Scan process 'mbamservice.exe' - '1' Module(s) have been scanned
Scan process 'LSSrvc.exe' - '1' Module(s) have been scanned
Scan process 'jqs.exe' - '1' Module(s) have been scanned
Scan process 'CFSvcs.exe' - '1' Module(s) have been scanned
Scan process 'mDNSResponder.exe' - '1' Module(s) have been scanned
Scan process 'avshadow.exe' - '1' Module(s) have been scanned
Scan process 'AppleMobileDeviceService.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'agrsmsvc.exe' - '1' Module(s) have been scanned
Scan process 'ACService.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'Explorer.EXE' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'cmdagent.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'CLPSLS.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned

Starting the file scan:

Begin scan in 'C:\System Volume Information\_restore{FCF3B85C-4072-416E-BD2A-0141FF43547F}\RP463\A0053908.exe'
C:\System Volume Information\_restore{FCF3B85C-4072-416E-BD2A-0141FF43547F}\RP463\A0053908.exe
[DETECTION] Contains a recognition pattern of the (harmful) BDS/Caphaw.A.221 back-door program
[NOTE] The file was moved to the quarantine directory under the name '4d0cf5d3.qua'.
Begin scan in 'C:\System Volume Information\_restore{FCF3B85C-4072-416E-BD2A-0141FF43547F}\RP474\A0055584.exe'
C:\System Volume Information\_restore{FCF3B85C-4072-416E-BD2A-0141FF43547F}\RP474\A0055584.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen7 Trojan
[NOTE] The file was moved to the quarantine directory under the name '559bda74.qua'.
Begin scan in 'C:\System Volume Information\_restore{FCF3B85C-4072-416E-BD2A-0141FF43547F}\RP475\A0055586.exe'
C:\System Volume Information\_restore{FCF3B85C-4072-416E-BD2A-0141FF43547F}\RP475\A0055586.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen7 Trojan
[NOTE] The file was moved to the quarantine directory under the name '07c4809c.qua'.
Begin scan in 'C:\System Volume Information\_restore{FCF3B85C-4072-416E-BD2A-0141FF43547F}\RP475\A0055598.exe'
C:\System Volume Information\_restore{FCF3B85C-4072-416E-BD2A-0141FF43547F}\RP475\A0055598.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen7 Trojan
[NOTE] The file was moved to the quarantine directory under the name '61f3cf5e.qua'.
Begin scan in 'C:\System Volume Information\_restore{FCF3B85C-4072-416E-BD2A-0141FF43547F}\RP480\A0056107.exe'
C:\System Volume Information\_restore{FCF3B85C-4072-416E-BD2A-0141FF43547F}\RP480\A0056107.exe
[DETECTION] Is the TR/Zusy.980.1 Trojan
[NOTE] The file was moved to the quarantine directory under the name '2477e260.qua'.
Begin scan in 'C:\System Volume Information\_restore{FCF3B85C-4072-416E-BD2A-0141FF43547F}\RP481\A0056130.exe'
C:\System Volume Information\_restore{FCF3B85C-4072-416E-BD2A-0141FF43547F}\RP481\A0056130.exe
[DETECTION] Is the TR/Graftor.17063.1 Trojan
[NOTE] The file was moved to the quarantine directory under the name '5b6cd000.qua'.
Begin scan in 'C:\System Volume Information\_restore{FCF3B85C-4072-416E-BD2A-0141FF43547F}\RP482\A0056199.exe'
C:\System Volume Information\_restore{FCF3B85C-4072-416E-BD2A-0141FF43547F}\RP482\A0056199.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '17d4fc4a.qua'.
Begin scan in 'C:\System Volume Information\_restore{FCF3B85C-4072-416E-BD2A-0141FF43547F}\RP482\A0056206.exe'
C:\System Volume Information\_restore{FCF3B85C-4072-416E-BD2A-0141FF43547F}\RP482\A0056206.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '6bccbc1a.qua'.
Begin scan in 'C:\System Volume Information\_restore{FCF3B85C-4072-416E-BD2A-0141FF43547F}\RP483\A0056208.exe'
C:\System Volume Information\_restore{FCF3B85C-4072-416E-BD2A-0141FF43547F}\RP483\A0056208.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '46969357.qua'.
Begin scan in 'C:\System Volume Information\_restore{FCF3B85C-4072-416E-BD2A-0141FF43547F}\RP483\A0056214.exe'
C:\System Volume Information\_restore{FCF3B85C-4072-416E-BD2A-0141FF43547F}\RP483\A0056214.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '5ffea8cd.qua'.


End of the scan: 24 March 2012 23:11
Used time: 00:03 Minute(s)

The scan has been done completely.

0 Scanned directories
78 Files were scanned
10 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
10 Files were moved to quarantine
0 Files were renamed
0 Files cannot be scanned
68 Files not concerned
0 Archives were scanned
0 Warnings
10 Notes



2



Avira AntiVir Personal
Report file date: 24 March 2012 23:10

Scanning for 3591904 virus strains and unwanted programs.

The program is running as an unrestricted full version.
Online services are available:

Licensee : Avira AntiVir Personal - Free Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 3) [5.1.2600]
Boot mode : Normally booted
Username : SYSTEM
Computer name : YOUR-2D715D4B37

Version information:
BUILD.DAT : 10.2.0.707 36070 Bytes 1/25/2012 13:11:00
AVSCAN.EXE : 10.3.0.7 484008 Bytes 6/28/2011 18:56:26
AVSCAN.DLL : 10.0.5.0 47464 Bytes 6/28/2011 18:56:26
LUKE.DLL : 10.3.0.5 45416 Bytes 6/28/2011 18:56:31
LUKERES.DLL : 10.0.0.1 12648 Bytes 2/10/2010 23:40:49
AVSCPLR.DLL : 10.3.0.7 119656 Bytes 6/28/2011 18:56:31
AVREG.DLL : 10.3.0.9 88833 Bytes 7/12/2011 16:48:08
VBASE000.VDF : 7.10.0.0 19875328 Bytes 11/6/2009 15:17:47
VBASE001.VDF : 7.11.0.0 13342208 Bytes 12/14/2010 16:45:05
VBASE002.VDF : 7.11.19.170 14374912 Bytes 12/20/2011 23:41:48
VBASE003.VDF : 7.11.21.238 4472832 Bytes 2/1/2012 11:06:12
VBASE004.VDF : 7.11.21.239 2048 Bytes 2/1/2012 11:06:13
VBASE005.VDF : 7.11.21.240 2048 Bytes 2/1/2012 11:06:13
VBASE006.VDF : 7.11.21.241 2048 Bytes 2/1/2012 11:06:13
VBASE007.VDF : 7.11.21.242 2048 Bytes 2/1/2012 11:06:13
VBASE008.VDF : 7.11.21.243 2048 Bytes 2/1/2012 11:06:13
VBASE009.VDF : 7.11.21.244 2048 Bytes 2/1/2012 11:06:13
VBASE010.VDF : 7.11.21.245 2048 Bytes 2/1/2012 11:06:14
VBASE011.VDF : 7.11.21.246 2048 Bytes 2/1/2012 11:06:14
VBASE012.VDF : 7.11.21.247 2048 Bytes 2/1/2012 11:06:14
VBASE013.VDF : 7.11.22.33 1486848 Bytes 2/3/2012 21:14:32
VBASE014.VDF : 7.11.22.56 687616 Bytes 2/3/2012 21:14:35
VBASE015.VDF : 7.11.22.92 178176 Bytes 2/6/2012 20:03:32
VBASE016.VDF : 7.11.22.154 144896 Bytes 2/8/2012 14:49:53
VBASE017.VDF : 7.11.22.220 183296 Bytes 2/13/2012 17:30:43
VBASE018.VDF : 7.11.23.34 202752 Bytes 2/15/2012 17:30:46
VBASE019.VDF : 7.11.23.98 126464 Bytes 2/17/2012 21:40:11
VBASE020.VDF : 7.11.23.150 148480 Bytes 2/20/2012 17:28:47
VBASE021.VDF : 7.11.23.224 172544 Bytes 2/23/2012 14:41:23
VBASE022.VDF : 7.11.24.52 219648 Bytes 2/28/2012 11:46:47
VBASE023.VDF : 7.11.24.152 165888 Bytes 3/5/2012 15:52:28
VBASE024.VDF : 7.11.24.204 177664 Bytes 3/7/2012 10:11:57
VBASE025.VDF : 7.11.25.30 245248 Bytes 3/12/2012 11:15:37
VBASE026.VDF : 7.11.25.121 252416 Bytes 3/15/2012 11:15:38
VBASE027.VDF : 7.11.25.177 202752 Bytes 3/20/2012 17:35:14
VBASE028.VDF : 7.11.25.233 169984 Bytes 3/23/2012 18:50:56
VBASE029.VDF : 7.11.25.234 2048 Bytes 3/23/2012 18:50:57
VBASE030.VDF : 7.11.25.235 2048 Bytes 3/23/2012 18:50:57
VBASE031.VDF : 7.11.25.246 38912 Bytes 3/23/2012 18:50:57
Engineversion : 8.2.10.28
AEVDF.DLL : 8.1.2.2 106868 Bytes 10/27/2011 13:45:00
AESCRIPT.DLL : 8.1.4.13 442746 Bytes 3/24/2012 18:51:24
AESCN.DLL : 8.1.8.2 131444 Bytes 1/29/2012 13:55:23
AESBX.DLL : 8.2.5.5 606579 Bytes 3/20/2012 11:15:59
AERDL.DLL : 8.1.9.15 639348 Bytes 9/11/2011 14:06:16
AEPACK.DLL : 8.2.16.7 803190 Bytes 3/24/2012 18:51:22
AEOFFICE.DLL : 8.1.2.25 201084 Bytes 1/1/2012 15:20:40
AEHEUR.DLL : 8.1.4.8 4514165 Bytes 3/24/2012 18:51:18
AEHELP.DLL : 8.1.19.0 254327 Bytes 1/22/2012 16:31:18
AEGEN.DLL : 8.1.5.23 409973 Bytes 3/8/2012 10:11:59
AEEXP.DLL : 8.1.0.25 74101 Bytes 3/20/2012 11:15:59
AEEMU.DLL : 8.1.3.0 393589 Bytes 11/22/2010 22:40:35
AECORE.DLL : 8.1.25.6 201078 Bytes 3/20/2012 11:15:46
AEBB.DLL : 8.1.1.0 53618 Bytes 4/26/2010 18:17:06
AVWINLL.DLL : 10.0.0.0 19304 Bytes 1/14/2010 12:03:38
AVPREF.DLL : 10.0.3.2 44904 Bytes 6/28/2011 18:56:26
AVREP.DLL : 10.0.0.10 174120 Bytes 5/20/2011 20:49:47
AVARKT.DLL : 10.0.26.1 255336 Bytes 6/28/2011 18:56:23
AVEVTLOG.DLL : 10.0.0.9 203112 Bytes 6/28/2011 18:56:25
SQLITE3.DLL : 3.6.19.0 355688 Bytes 1/28/2010 12:57:58
AVSMTP.DLL : 10.0.0.17 63848 Bytes 3/16/2010 15:38:56
NETNT.DLL : 10.0.0.0 11624 Bytes 2/19/2010 14:41:00
RCIMAGE.DLL : 10.0.0.35 2589544 Bytes 6/28/2011 18:56:21
RCTEXT.DLL : 10.0.64.0 97640 Bytes 6/28/2011 18:56:21

Configuration settings for the scan:
Jobname.............................: avguard_async_scan
Configuration file..................: C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\AVGUARD_4fa69e40\guard_slideup.avp
Logging.............................: Default
Primary action......................: interactive
Secondary action....................: quarantine
Scan master boot sector.............: on
Scan boot sector....................: off
Process scan........................: on
Scan registry.......................: off
Search for rootkits.................: off
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: Complete
Deviating risk categories...........: +APPL,+GAME,+JOKE,+PCK,+SPR,

Start of the scan: 24 March 2012 23:10

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'plugin-container.exe' - '1' Module(s) have been scanned
Scan process 'firefox.exe' - '1' Module(s) have been scanned
Scan process 'iPodService.exe' - '1' Module(s) have been scanned
Scan process 'NMIndexingService.exe' - '1' Module(s) have been scanned
Scan process 'unsecapp.exe' - '1' Module(s) have been scanned
Scan process 'NMIndexStoreSvr.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'PhAutoRun.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'NMBgMonitor.exe' - '1' Module(s) have been scanned
Scan process 'toscdspd.exe' - '1' Module(s) have been scanned
Scan process 'cfp.exe' - '1' Module(s) have been scanned
Scan process 'CLPS.exe' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'ArcCon.ac' - '1' Module(s) have been scanned
Scan process 'DivXUpdate.exe' - '1' Module(s) have been scanned
Scan process 'iTunesHelper.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'BJMyPrt.exe' - '1' Module(s) have been scanned
Scan process 'TPSBattM.exe' - '1' Module(s) have been scanned
Scan process 'vVX1000.exe' - '1' Module(s) have been scanned
Scan process 'ACDaemon.exe' - '1' Module(s) have been scanned
Scan process 'ddwmon.exe' - '1' Module(s) have been scanned
Scan process 'NDSTray.exe' - '1' Module(s) have been scanned
Scan process 'SmoothView.exe' - '1' Module(s) have been scanned
Scan process 'TPSMain.exe' - '1' Module(s) have been scanned
Scan process 'thotkey.exe' - '1' Module(s) have been scanned
Scan process 'igfxsrvc.exe' - '1' Module(s) have been scanned
Scan process 'SynTPEnh.exe' - '1' Module(s) have been scanned
Scan process 'RTHDCPL.EXE' - '1' Module(s) have been scanned
Scan process 'igfxpers.exe' - '1' Module(s) have been scanned
Scan process 'hkcmd.exe' - '1' Module(s) have been scanned
Scan process 'igfxtray.exe' - '1' Module(s) have been scanned
Scan process 'TosBtSrv.exe' - '1' Module(s) have been scanned
Scan process 'TODDSrv.exe' - '1' Module(s) have been scanned
Scan process 'TAPPSRV.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'NIHardwareService.exe' - '1' Module(s) have been scanned
Scan process 'MSCamS32.exe' - '1' Module(s) have been scanned
Scan process 'MDM.EXE' - '1' Module(s) have been scanned
Scan process 'mbamservice.exe' - '1' Module(s) have been scanned
Scan process 'LSSrvc.exe' - '1' Module(s) have been scanned
Scan process 'jqs.exe' - '1' Module(s) have been scanned
Scan process 'CFSvcs.exe' - '1' Module(s) have been scanned
Scan process 'mDNSResponder.exe' - '1' Module(s) have been scanned
Scan process 'avshadow.exe' - '1' Module(s) have been scanned
Scan process 'AppleMobileDeviceService.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'agrsmsvc.exe' - '1' Module(s) have been scanned
Scan process 'ACService.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'Explorer.EXE' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'cmdagent.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'CLPSLS.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned

Starting the file scan:

Begin scan in 'C:\System Volume Information\_restore{FCF3B85C-4072-416E-BD2A-0141FF43547F}\RP463\A0053861.exe'
C:\System Volume Information\_restore{FCF3B85C-4072-416E-BD2A-0141FF43547F}\RP463\A0053861.exe
[DETECTION] Contains a recognition pattern of the (harmful) BDS/Caphaw.A.221 back-door program
Begin scan in 'C:\System Volume Information\_restore{FCF3B85C-4072-416E-BD2A-0141FF43547F}\RP463\A0053867.exe'
C:\System Volume Information\_restore{FCF3B85C-4072-416E-BD2A-0141FF43547F}\RP463\A0053867.exe
[DETECTION] Contains a recognition pattern of the (harmful) BDS/Caphaw.A.221 back-door program

Beginning disinfection:
C:\System Volume Information\_restore{FCF3B85C-4072-416E-BD2A-0141FF43547F}\RP463\A0053867.exe
[DETECTION] Contains a recognition pattern of the (harmful) BDS/Caphaw.A.221 back-door program
[NOTE] The file was moved to the quarantine directory under the name '4d0cf032.qua'.
C:\System Volume Information\_restore{FCF3B85C-4072-416E-BD2A-0141FF43547F}\RP463\A0053861.exe
[DETECTION] Contains a recognition pattern of the (harmful) BDS/Caphaw.A.221 back-door program
[NOTE] The file was moved to the quarantine directory under the name '559bdf95.qua'.


End of the scan: 24 March 2012 23:10
Used time: 00:03 Minute(s)

The scan has been done completely.

0 Scanned directories
70 Files were scanned
2 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
2 Files were moved to quarantine
0 Files were renamed
0 Files cannot be scanned
68 Files not concerned
0 Archives were scanned
0 Warnings
2 Notes


The scan results will be transferred to the Guard.

#14 Guest_White Warrior_*

Guest_White Warrior_*

  • Guests

Posted 25 March 2012 - 06:52 AM

Hi sanscosm

The good news is your logs look clean.

Avira is picking up the infection in old restore points.
These will all be deleted when combofix is uninstalled.

Should I stay clear of using my laptop for personal emails/banking etc?

That is your decision.
We cannot be 100% sure that your computer is clean, but it appears to be clean now.
Also, you can take precautions.
Change your passwords regularly.
Keep an eye on your bank accounts for any unusual activity and report it immediately.

Now to tidy up our mess.

Now to uninstall ComboFix.

The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /Uninstall

Note: The space between x and / is needed.

Delete all files/folders from the desktop for tools we asked you to download.

Below I have outlined a series of categories that outline how you can increase the security of your computer so that you will not be infected again in the future.

Practice Safe Internet

One of the main reasons people get infected in the first place is that they are not practicing Safe Internet. You practice Safe Internet when you educate yourself on how to properly use the Internet through the use of security tools and good practice. Knowing how you can get infected and what types of files and sites to avoid will be the most crucial step in keeping your computer malware free. The reality is that the majority of people who are infected with malware are ones who click on things they shouldn't be clicking on. Whether these things are files or sites it doesn't really matter. If something is out to get you, and you click on it, it most likely will. Below are a list of simple precautions to take to keep your computer clean and running securely:
  • If you receive an attachment from someone you do not know, DO NOT OPEN IT! Simple as that. Opening attachments from people you do not know is a very common method for viruses or worms to infect your computer.
  • If you receive an attachment and it ends with a .exe, .com, .bat, or .pif do not open the attachment unless you know for a fact that it is clean. For the casual computer user, you will almost never receive a valid attachment of this type.
  • If you receive an attachment from someone you know, and it looks suspicious, then it probably is. The email could be from someone you know infected with a malware that is trying to infect everyone in their address book.
  • If you are browsing the Internet and a popup appears saying that you are infected, ignore it! These are, as far as I am concerned, scams that are being used to scare you into purchasing a piece of software. For an example of these types of popups, or Foistware, you should read this article: Foistware, And how to avoid it.

    There are also programs that disguise themselves as Anti-Spyware or security products but are instead scams. For a list of these types of programs we recommend you visit this link: Rogue/Suspect Anti-Spyware Products & Web Sites
  • Another tactic to fool you on the web is when a site displays a popup that looks like a normal Windows message or alert. When you click on them, though, they instead bring you to another site that is trying to push a product on you. We suggest that you close these windows by clicking on the X instead of the OK button. Alternatively, you can check to see if it's a real alert by right-clicking on the window. If there is a menu that comes up saying Add to Favorites... you know it's a fake.
  • Do not go to adult sites. I know this may bother some of you, but the fact is that a large amount of malware is pushed through these types of sites. I am not saying all adult sites do this, but a lot do.
  • When using an Instant Messaging program be cautious about clicking on links people send to you. It is not uncommon for infections to send a message to everyone in the infected person's contact list that contains a link to an infection. Instead when you receive a message that contains a link, message back to the person asking if it is legit before you click on it.
  • Stay away from Warez and Crack sites! In addition to the obvious copyright issues, the downloads from these sites are typically overrun with infections.
  • Be careful of what you download off of web sites and Peer-2-Peer networks. Some sites disguise malware as legitimate software to trick you into installing them and Peer-2-Peer networks are crawling with it. If you want to download a piece of software from a site, and are not sure if they are legitimate, you can use McAfee Siteadvisor to look up info on the site.
  • DO NOT INSTALL any software without first reading the End User License Agreement, otherwise known as the EULA. A tactic that some developers use is to offer their software for free, but have spyware and other programs you do not want bundled with it. This is where they make their money. By reading the agreement there is a good chance you can spot this and not install the software.
Visit Microsoft's Windows Update Site Frequently

It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Update your AntiVirus Software

It is imperative that you update your Antivirus software at least once a week (even more often if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out. If you use a commercial antivirus program you must make sure you keep renewing your subscription. Otherwise, once your subscription runs out, you may not be able to update the program's virus definitions.

Make sure your applications have all of their updates

It is also possible for other programs on your computer to have security vulnerabilities that can allow malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.

Install an AntiSpyware Program

A highly recommended AntiSpyware program is Malwarebytes' Anti-Malware.
Other recommended, and free, AntiSpyware programs are Spybot - Search and Destroy and SuperAntiSpyware. You can download the free Home Version, or the Pro version for a 15 day trial period.

Installing these programs will provide spyware & hijacker protection on your computer alongside your virus protection. You should scan your computer with an AntiSpyware program on a regular basis just as you would an antivirus software.

Tutorials on using these programs can be found below:

How-to-use-malwarebytes-anti-malware

Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

Install SpywareBlaster

SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

A tutorial on installing & using this product can be found here:
Using SpywareBlaster to protect your computer from Spyware and Malware

Update all these programs regularly
Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.

White Warrior
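The point White Warrior makes above, that Avira's hits all sit under System Volume Information (old XP restore points) rather than on the live file system, is exactly the first thing to check when reading a scan report like the one sanscosm posted. Below is a small added example (not code from the thread, from Avira or from ComboFix) that parses the report layout shown above, merges the duplicate entries from the scan and disinfection sections by file path, and splits the detections into stale restore-point copies versus live files. The sample report, its GUID, the second file and the quarantine name are constructed for this example; the line formats mirror the real log above.

```python
"""Triage helper for Avira-style scan reports (added example, not Avira's own code)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample in the layout of the report above. The GUID, the second
# file under Downloads and the quarantine name are made up for this example.
SAMPLE_REPORT = r"""
Starting the file scan:

Begin scan in 'C:\System Volume Information\_restore{EXAMPLE-GUID}\RP463\A0000001.exe'
C:\System Volume Information\_restore{EXAMPLE-GUID}\RP463\A0000001.exe
[DETECTION] Contains a recognition pattern of the (harmful) BDS/Example.A back-door program
Begin scan in 'C:\Users\user\Downloads\setup.exe'
C:\Users\user\Downloads\setup.exe
[DETECTION] Contains a recognition pattern of the (harmful) TR/Example.B Trojan

Beginning disinfection:
C:\System Volume Information\_restore{EXAMPLE-GUID}\RP463\A0000001.exe
[DETECTION] Contains a recognition pattern of the (harmful) BDS/Example.A back-door program
[NOTE] The file was moved to the quarantine directory under the name '00000001.qua'.
"""

PATH_RE = re.compile(r"^[A-Za-z]:\\")                    # a bare "C:\..." line
DETECTION_RE = re.compile(r"^\[DETECTION\] .*?\(harmful\) (\S+)")
QUARANTINE_RE = re.compile(r"^\[NOTE\] .*?quarantine directory under the name '([^']+)'")
# XP keeps restore-point copies under System Volume Information\_restore{...}
RESTORE_POINT_RE = re.compile(r"^[A-Za-z]:\\System Volume Information\\_restore", re.I)


@dataclass
class Detection:
    path: str
    signature: str
    quarantined_as: Optional[str] = None   # quarantine file name, if the file was moved
    in_restore_point: bool = False


def parse_report(text: str) -> Dict[str, Detection]:
    """Collect one Detection per file path. The scan and disinfection sections
    both list the same file, so entries are merged by path (first signature wins,
    the quarantine note from the disinfection section is attached afterwards)."""
    found: Dict[str, Detection] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Begin scan in"):
            continue                        # the next line repeats the same path
        if PATH_RE.match(line):
            current = line
            continue
        m = DETECTION_RE.match(line)
        if m and current:
            found.setdefault(current, Detection(
                path=current, signature=m.group(1),
                in_restore_point=bool(RESTORE_POINT_RE.match(current))))
            continue
        m = QUARANTINE_RE.match(line)
        if m and current in found:
            found[current].quarantined_as = m.group(1)
    return found


def triage(found: Dict[str, Detection]) -> Tuple[List[Detection], List[Detection]]:
    """Split detections into stale restore-point copies (cleared when the restore
    points are reset) and hits on the live file system, which need attention."""
    stale = [d for d in found.values() if d.in_restore_point]
    live = [d for d in found.values() if not d.in_restore_point]
    return stale, live


if __name__ == "__main__":
    stale, live = triage(parse_report(SAMPLE_REPORT))
    for d in stale:
        print(f"restore point only: {d.signature} in {d.path} (quarantine: {d.quarantined_as})")
    for d in live:
        print(f"LIVE FILE: {d.signature} in {d.path} (quarantine: {d.quarantined_as})")
```

Run against the report sanscosm posted, both hits land in the stale list, which is what makes "your logs look clean" the right reading; anything in the live list would be a reason to keep going rather than to uninstall the tools.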

#15 sanscosm

sanscosm
  • Topic Starter

  • Members
  • 32 posts
  • Local time:07:44 AM

Posted 26 March 2012 - 01:35 PM

Thank you so much for all your help! :)

My computer doesn't seem to want to delete ComboFix as it can't find "ComboFix /Uninstall". Perhaps I have already deleted it..? The only folder I can see which has ComboFix files in it is called Qoobox. Should I delete that manually?

Other than that I have followed your advice above and made sure everything is up to date.

sanscosm
