TR/ATRAPS.Gen2 Virus [Solved]



#31 Steviep (Member, Topic Starter, 311 posts)
Can't find anything under the Security tab, but here is the System one (I think) and the Application one.

Attached Files


Edited by Steviep, 31 December 2011 - 01:39 PM.


#32 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)
May be a bit on this, as I need to do a bit deeper research.

#33 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)
Do you have access to another XP machine?

If so, we can export the registry entry from that to the sick one.

#34 Steviep (Member, Topic Starter, 311 posts)
Yes I do, my desktop.

#35 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)
OK, we could be cooking :lol:

Could you open regedit on the good system and navigate to

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\dhcp

Right-click the key and select Export.

When the save dialogue opens, save it to your desktop as dhcp.

Copy this to the infected system's desktop.
Right-click dhcp.reg and select Merge.

Check that the DHCP service is set to Automatic start in the Services part of Administrative Tools.
Reboot and let me know the result.

#36 Steviep (Member, Topic Starter, 311 posts)
Hi,

Still the same, I'm afraid: "acquiring network address", and the DHCP Client is not started in Services.

#37 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)
'Tis definitely a mystery, this one ...

OK, let's now run all the tests for net connection in one fell swoop.

Please copy all in the below quote box:


@echo off
echo Please post back the %SystemDrive%\MyNICDetails.txt on your next reply
echo.
echo CheckMyNIC by AdvancedSetup >%SystemDrive%\MyNICDetails.txt
echo ... >>%SystemDrive%\MyNICDetails.txt
cmd /c sc qc dhcp >>%SystemDrive%\MyNICDetails.txt
cmd /c sc queryex dhcp >>%SystemDrive%\MyNICDetails.txt
cmd /c sc qc TCPIP >>%SystemDrive%\MyNICDetails.txt
cmd /c sc queryex TCPIP >>%SystemDrive%\MyNICDetails.txt
cmd /c sc qc Afd >>%SystemDrive%\MyNICDetails.txt
cmd /c sc queryex Afd >>%SystemDrive%\MyNICDetails.txt
cmd /c sc qc NetBT >>%SystemDrive%\MyNICDetails.txt
cmd /c sc queryex NetBT >>%SystemDrive%\MyNICDetails.txt
cmd /c sc qc NetBIOS >>%SystemDrive%\MyNICDetails.txt
cmd /c sc queryex NetBIOS >>%SystemDrive%\MyNICDetails.txt
cmd /c sc qc Lmhosts >>%SystemDrive%\MyNICDetails.txt
cmd /c sc queryex Lmhosts >>%SystemDrive%\MyNICDetails.txt
cmd /c sc qc Dnscache >>%SystemDrive%\MyNICDetails.txt
cmd /c sc queryex Dnscache >>%SystemDrive%\MyNICDetails.txt
cmd /c sc qc PolicyAgent >>%SystemDrive%\MyNICDetails.txt
cmd /c sc queryex PolicyAgent >>%SystemDrive%\MyNICDetails.txt
cmd /c sc qc Nla >>%SystemDrive%\MyNICDetails.txt
cmd /c sc queryex Nla >>%SystemDrive%\MyNICDetails.txt
cmd /c sc qc lanmanserver >>%SystemDrive%\MyNICDetails.txt
cmd /c sc queryex lanmanserver >>%SystemDrive%\MyNICDetails.txt
cmd /c sc qc IPSEC >>%SystemDrive%\MyNICDetails.txt
cmd /c sc queryex IPSEC >>%SystemDrive%\MyNICDetails.txt
cmd /c sc qc RPCSS >>%SystemDrive%\MyNICDetails.txt
cmd /c sc queryex RPCSS >>%SystemDrive%\MyNICDetails.txt
pause

Save in Notepad as "MyNICDetails.bat", with the quote marks.
Save as type All Files, to the Desktop.
Once saved, transfer it to the infected computer's Desktop.
Click the file and post back the text file it produces, please.

The text file will be located here: C:\MyNICDetails.txt

#38 Steviep (Member, Topic Starter, 311 posts)
Hi, happy new year :0)

I've not tried your latest instructions yet, as last night my antivirus threw up lots of viruses and it appears that my desktop PC is also infected. Should I run your last instructions, or would you like to see the antivirus log?

#39 Steviep (Member, Topic Starter, 311 posts)
CheckMyNIC by AdvancedSetup
...
[SC] GetServiceConfig SUCCESS

SERVICE_NAME: dhcp
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP : TDI
TAG : 0
DISPLAY_NAME : DHCP Client
DEPENDENCIES : Tcpip
: Afd
: NetBT
SERVICE_START_NAME : LocalSystem

SERVICE_NAME: dhcp
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
PID : 924
FLAGS :
[SC] GetServiceConfig SUCCESS

SERVICE_NAME: TCPIP
TYPE : 1 KERNEL_DRIVER
START_TYPE : 1 SYSTEM_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : system32\DRIVERS\tcpip.sys
LOAD_ORDER_GROUP : PNP_TDI
TAG : 4
DISPLAY_NAME : TCP/IP Protocol Driver
DEPENDENCIES : IPSec
SERVICE_START_NAME :

SERVICE_NAME: TCPIP
TYPE : 1 KERNEL_DRIVER
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
PID : 0
FLAGS :
[SC] GetServiceConfig SUCCESS

SERVICE_NAME: Afd
TYPE : 1 KERNEL_DRIVER
START_TYPE : 1 SYSTEM_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : \SystemRoot\System32\drivers\afd.sys
LOAD_ORDER_GROUP : TDI
TAG : 0
DISPLAY_NAME : AFD
DEPENDENCIES :
SERVICE_START_NAME :

SERVICE_NAME: Afd
TYPE : 1 KERNEL_DRIVER
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
PID : 0
FLAGS :
[SC] GetServiceConfig SUCCESS

SERVICE_NAME: NetBT
TYPE : 1 KERNEL_DRIVER
START_TYPE : 1 SYSTEM_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : system32\DRIVERS\netbt.sys
LOAD_ORDER_GROUP : PNP_TDI
TAG : 6
DISPLAY_NAME : NetBios over Tcpip
DEPENDENCIES : Tcpip
SERVICE_START_NAME :

SERVICE_NAME: NetBT
TYPE : 1 KERNEL_DRIVER
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
PID : 0
FLAGS :
[SC] GetServiceConfig SUCCESS

SERVICE_NAME: NetBIOS
TYPE : 2 FILE_SYSTEM_DRIVER
START_TYPE : 1 SYSTEM_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : system32\DRIVERS\netbios.sys
LOAD_ORDER_GROUP : NetBIOSGroup
TAG : 1
DISPLAY_NAME : NetBIOS Interface
DEPENDENCIES :
SERVICE_START_NAME :

SERVICE_NAME: NetBIOS
TYPE : 2 FILE_SYSTEM_DRIVER
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
PID : 0
FLAGS :
[SC] GetServiceConfig SUCCESS

SERVICE_NAME: Lmhosts
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k LocalService
LOAD_ORDER_GROUP : TDI
TAG : 0
DISPLAY_NAME : TCP/IP NetBIOS Helper
DEPENDENCIES : NetBT
: Afd
SERVICE_START_NAME : NT AUTHORITY\LocalService

SERVICE_NAME: Lmhosts
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 1 STOPPED
(NOT_STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 1068 (0x42c)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
PID : 0
FLAGS :
[SC] GetServiceConfig SUCCESS

SERVICE_NAME: Dnscache
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k NetworkService
LOAD_ORDER_GROUP : TDI
TAG : 0
DISPLAY_NAME : DNS Client
DEPENDENCIES : Tcpip
SERVICE_START_NAME : NT AUTHORITY\NetworkService

SERVICE_NAME: Dnscache
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
PID : 1000
FLAGS :
[SC] GetServiceConfig SUCCESS

SERVICE_NAME: PolicyAgent
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\lsass.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : IPSEC Services
DEPENDENCIES : RPCSS
: Tcpip
: IPSec
SERVICE_START_NAME : LocalSystem

SERVICE_NAME: PolicyAgent
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
PID : 664
FLAGS : RUNS_IN_SYSTEM_PROCESS
[SC] GetServiceConfig SUCCESS

SERVICE_NAME: Nla
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Network Location Awareness (NLA)
DEPENDENCIES : Tcpip
: Afd
SERVICE_START_NAME : LocalSystem

SERVICE_NAME: Nla
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
PID : 924
FLAGS :
[SC] GetServiceConfig SUCCESS

SERVICE_NAME: lanmanserver
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Server
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem

SERVICE_NAME: lanmanserver
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE,PAUSABLE,ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
PID : 924
FLAGS :
[SC] GetServiceConfig SUCCESS

SERVICE_NAME: IPSEC
TYPE : 1 KERNEL_DRIVER
START_TYPE : 1 SYSTEM_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : system32\DRIVERS\ipsec.sys
LOAD_ORDER_GROUP : PNP_TDI
TAG : 5
DISPLAY_NAME : IPSEC driver
DEPENDENCIES :
SERVICE_START_NAME :

SERVICE_NAME: IPSEC
TYPE : 1 KERNEL_DRIVER
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
PID : 0
FLAGS :
[SC] GetServiceConfig SUCCESS

SERVICE_NAME: RPCSS
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k rpcss
LOAD_ORDER_GROUP : COM Infrastructure
TAG : 0
DISPLAY_NAME : Remote Procedure Call (RPC)
DEPENDENCIES :
SERVICE_START_NAME : NT AUTHORITY\NetworkService

SERVICE_NAME: RPCSS
TYPE : 10 WIN32_OWN_PROCESS
STATE : 4 RUNNING
(NOT_STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
PID : 884
FLAGS :
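Added example (my code, not part of the thread and not part of the CheckMyNIC script): a Python checker for the `sc qc` / `sc queryex` output that MyNICDetails.bat collects. It parses each service block, merges the config and status halves of a service into one record, and flags auto-start services that are not running, dependency chains in which a dependency is not running, the well-known Win32 exit code 1068 (ERROR_SERVICE_DEPENDENCY_FAIL, "the dependency service or group failed to start"), and a DHCP Client whose host binary is not the expected svchost.exe -k netsvcs. Run over the log in post #39 it reports exactly one finding: Lmhosts (TCP/IP NetBIOS Helper) is AUTO_START but STOPPED with exit code 1068, even though the dependencies it lists (NetBT, Afd) show RUNNING; with the DHCP symptom unresolved, that is worth a second look. The sample below is an abbreviated excerpt of that log.

```python
import re
from dataclasses import dataclass, field

# WIN32_EXIT_CODE 1068 = ERROR_SERVICE_DEPENDENCY_FAIL: a service this one depends on failed to start.
ERROR_SERVICE_DEPENDENCY_FAIL = 1068

@dataclass
class ServiceInfo:
    name: str
    start_type: str = ""          # AUTO_START, DEMAND_START, SYSTEM_START, ...
    state: str = ""               # RUNNING, STOPPED, ...
    exit_code: int = 0            # WIN32_EXIT_CODE from `sc queryex`
    binary_path: str = ""         # BINARY_PATH_NAME from `sc qc`
    dependencies: list = field(default_factory=list)

def parse_sc_output(text):
    """Parse concatenated `sc qc` / `sc queryex` output into {lowercase name: ServiceInfo}."""
    services, current, in_deps = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"SERVICE_NAME\s*:\s*(\S+)", line)
        if m:  # the qc and queryex blocks of one service merge into a single record
            current = services.setdefault(m.group(1).lower(), ServiceInfo(name=m.group(1)))
            in_deps = False
            continue
        if current is None or not line or line.startswith("[SC]"):
            continue
        if line.startswith("DEPENDENCIES") or (in_deps and line.startswith(":")):
            in_deps = True                   # extra dependencies continue on lines like ": Afd"
            dep = line.split(":", 1)[1].strip()
            if dep:
                current.dependencies.append(dep)
            continue
        in_deps = False
        if ":" not in line:                  # e.g. the "(STOPPABLE,NOT_PAUSABLE,...)" flags line
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if key == "START_TYPE" and value:
            current.start_type = value.split()[-1]     # "2 AUTO_START" -> "AUTO_START"
        elif key == "STATE" and value:
            current.state = value.split()[-1]          # "1 STOPPED" -> "STOPPED"
        elif key == "WIN32_EXIT_CODE" and value:
            current.exit_code = int(value.split()[0])  # "1068 (0x42c)" -> 1068
        elif key == "BINARY_PATH_NAME":
            current.binary_path = value
    return services

def find_problems(services):
    """Flag stopped auto-start services, broken dependency chains and an odd DHCP host process."""
    problems = []
    for svc in services.values():
        if svc.start_type == "AUTO_START" and svc.state != "RUNNING":
            why = f" (Win32 exit code {svc.exit_code})" if svc.exit_code else ""
            if svc.exit_code == ERROR_SERVICE_DEPENDENCY_FAIL:
                why = " (exit code 1068: a dependency failed to start)"
            problems.append(f"{svc.name} is AUTO_START but {svc.state}{why}")
        for dep in svc.dependencies:
            target = services.get(dep.lower())
            state = target.state if target else "not in the log"
            if state != "RUNNING":
                problems.append(f"{svc.name} depends on {dep}, which is {state or 'unknown'}")
    dhcp = services.get("dhcp")
    # On XP the DHCP Client runs inside the netsvcs svchost group; any other host binary is suspect.
    if dhcp and "svchost.exe -k netsvcs" not in dhcp.binary_path.lower():
        problems.append(f"dhcp binary path is unexpected: {dhcp.binary_path}")
    return problems

# Abbreviated excerpt of the MyNICDetails.txt posted in this thread (post #39).
SAMPLE_SC_OUTPUT = r"""
[SC] GetServiceConfig SUCCESS
SERVICE_NAME: dhcp
START_TYPE : 2 AUTO_START
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
DEPENDENCIES : Tcpip
: Afd
: NetBT
SERVICE_START_NAME : LocalSystem

SERVICE_NAME: dhcp
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)

SERVICE_NAME: Lmhosts
START_TYPE : 2 AUTO_START
DEPENDENCIES : NetBT
: Afd

SERVICE_NAME: Lmhosts
STATE : 1 STOPPED
WIN32_EXIT_CODE : 1068 (0x42c)

SERVICE_NAME: TCPIP
STATE : 4 RUNNING

SERVICE_NAME: Afd
STATE : 4 RUNNING

SERVICE_NAME: NetBT
STATE : 4 RUNNING
"""
```

To use it on a fresh capture, read C:\MyNICDetails.txt and pass the text to parse_sc_output, then print find_problems on the result. Service keys are lower-cased because sc echoes the name as typed on the command line (dhcp, TCPIP, Afd) while the DEPENDENCIES field uses the registry spelling (Tcpip), and the two must match up.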

#40 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)
I would like to check out the MBR; could you run this and post the virus log, please?

Download aswMBR.exe (1.8 MB) to your desktop.
Double-click aswMBR.exe to run it, then click the "Scan" button to start the scan.

On completion of the scan, click Save log, save it to your desktop and post it in your next reply.

#41 Steviep (Member, Topic Starter, 311 posts)
aswMBR version 0.9.9.1124 Copyright© 2011 AVAST Software
Run date: 2012-01-01 20:08:32
-----------------------------
20:08:32.937 OS Version: Windows 5.1.2600 Service Pack 3
20:08:32.937 Number of processors: 2 586 0x170A
20:08:32.937 ComputerName: E6400 UserName:
20:08:33.718 Initialize success
20:08:43.828 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
20:08:43.828 Disk 0 Vendor: WDC_WD25 11.0 Size: 238475MB BusType: 8
20:08:43.859 Disk 0 MBR read successfully
20:08:43.859 Disk 0 MBR scan
20:08:43.859 Disk 0 Windows XP default MBR code
20:08:43.859 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 39 MB offset 63
20:08:43.875 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 238425 MB offset 80325
20:08:43.875 Disk 0 scanning sectors +488376000
20:08:43.937 Disk 0 scanning C:\WINDOWS\system32\drivers
20:08:51.578 Service scanning
20:08:52.921 Modules scanning
20:08:59.046 Disk 0 trace - called modules:
20:08:59.062 ntkrnlpa.exe CLASSPNP.SYS disk.sys iastor.sys hal.dll
20:08:59.062 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a7da558]
20:08:59.078 3 CLASSPNP.SYS[ba108fd7] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0x8a7ef028]
20:08:59.078 Scan finished successfully
20:09:08.062 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Gillian\Desktop\MBR.dat"
20:09:08.062 The log file has been saved successfully to "C:\Documents and Settings\Gillian\Desktop\aswMBR.txt"

#42 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)
Definitely a mystery, as the MBR shows OK and all the NIC services are correct.

Could you post the virus log, please?

#43 Steviep (Member, Topic Starter, 311 posts)
Avira Free Antivirus
Report file date: 01 January 2012 00:08

Scanning for 3000859 virus strains and unwanted programs.

The program is running as an unrestricted full version.
Online services are available:

Licensee : Avira AntiVir Personal - Free Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 3) [5.1.2600]
Boot mode : Normally booted
Username : SYSTEM
Computer name : E6400

Version information:
BUILD.DAT : 12.0.0.872 41826 Bytes 15/12/2011 17:24:00
AVSCAN.EXE : 12.1.0.18 490448 Bytes 25/10/2011 18:18:44
AVSCAN.DLL : 12.1.0.17 54224 Bytes 23/09/2011 12:34:56
LUKE.DLL : 12.1.0.17 68304 Bytes 11/10/2011 14:00:17
AVSCPLR.DLL : 12.1.0.21 99536 Bytes 08/12/2011 15:18:10
AVREG.DLL : 12.1.0.27 227536 Bytes 10/12/2011 23:49:55
VBASE000.VDF : 7.10.0.0 19875328 Bytes 06/11/2009 19:18:34
VBASE001.VDF : 7.11.0.0 13342208 Bytes 14/12/2010 10:07:39
VBASE002.VDF : 7.11.19.170 14374912 Bytes 20/12/2011 16:51:17
VBASE003.VDF : 7.11.19.171 2048 Bytes 20/12/2011 16:51:17
VBASE004.VDF : 7.11.19.172 2048 Bytes 20/12/2011 16:51:17
VBASE005.VDF : 7.11.19.173 2048 Bytes 20/12/2011 16:51:17
VBASE006.VDF : 7.11.19.174 2048 Bytes 20/12/2011 16:51:17
VBASE007.VDF : 7.11.19.175 2048 Bytes 20/12/2011 16:51:17
VBASE008.VDF : 7.11.19.176 2048 Bytes 20/12/2011 16:51:17
VBASE009.VDF : 7.11.19.177 2048 Bytes 20/12/2011 16:51:17
VBASE010.VDF : 7.11.19.178 2048 Bytes 20/12/2011 16:51:17
VBASE011.VDF : 7.11.19.179 2048 Bytes 20/12/2011 16:51:17
VBASE012.VDF : 7.11.19.180 2048 Bytes 20/12/2011 16:51:17
VBASE013.VDF : 7.11.19.217 182784 Bytes 22/12/2011 16:51:17
VBASE014.VDF : 7.11.19.255 148480 Bytes 24/12/2011 16:51:17
VBASE015.VDF : 7.11.20.29 164352 Bytes 27/12/2011 16:51:17
VBASE016.VDF : 7.11.20.70 180224 Bytes 29/12/2011 16:51:17
VBASE017.VDF : 7.11.20.71 2048 Bytes 29/12/2011 16:51:17
VBASE018.VDF : 7.11.20.72 2048 Bytes 29/12/2011 16:51:17
VBASE019.VDF : 7.11.20.73 2048 Bytes 29/12/2011 16:51:17
VBASE020.VDF : 7.11.20.74 2048 Bytes 29/12/2011 16:51:17
VBASE021.VDF : 7.11.20.75 2048 Bytes 29/12/2011 16:51:17
VBASE022.VDF : 7.11.20.76 2048 Bytes 29/12/2011 16:51:17
VBASE023.VDF : 7.11.20.77 2048 Bytes 29/12/2011 16:51:17
VBASE024.VDF : 7.11.20.78 2048 Bytes 29/12/2011 16:51:17
VBASE025.VDF : 7.11.20.79 2048 Bytes 29/12/2011 16:51:17
VBASE026.VDF : 7.11.20.80 2048 Bytes 29/12/2011 16:51:17
VBASE027.VDF : 7.11.20.81 2048 Bytes 29/12/2011 16:51:17
VBASE028.VDF : 7.11.20.82 2048 Bytes 29/12/2011 16:51:17
VBASE029.VDF : 7.11.20.83 2048 Bytes 29/12/2011 16:51:17
VBASE030.VDF : 7.11.20.84 2048 Bytes 29/12/2011 16:51:17
VBASE031.VDF : 7.11.20.97 132608 Bytes 30/12/2011 16:51:17
Engineversion : 8.2.8.18
AEVDF.DLL : 8.1.2.2 106868 Bytes 25/10/2011 18:18:43
AESCRIPT.DLL : 8.1.3.95 479612 Bytes 31/12/2011 16:51:17
AESCN.DLL : 8.1.7.2 127349 Bytes 01/09/2011 22:46:02
AESBX.DLL : 8.2.4.5 434549 Bytes 03/12/2011 11:46:41
AERDL.DLL : 8.1.9.15 639348 Bytes 08/09/2011 22:16:06
AEPACK.DLL : 8.2.15.1 770423 Bytes 13/12/2011 12:14:35
AEOFFICE.DLL : 8.1.2.25 201084 Bytes 31/12/2011 16:51:17
AEHEUR.DLL : 8.1.3.14 4260216 Bytes 31/12/2011 16:51:17
AEHELP.DLL : 8.1.18.0 254327 Bytes 25/10/2011 18:18:35
AEGEN.DLL : 8.1.5.17 405877 Bytes 10/12/2011 23:49:48
AEEMU.DLL : 8.1.3.0 393589 Bytes 01/09/2011 22:46:01
AECORE.DLL : 8.1.24.3 201079 Bytes 31/12/2011 16:51:17
AEBB.DLL : 8.1.1.0 53618 Bytes 01/09/2011 22:46:01
AVWINLL.DLL : 12.1.0.17 27344 Bytes 11/10/2011 14:00:11
AVPREF.DLL : 12.1.0.17 51920 Bytes 11/10/2011 14:00:09
AVREP.DLL : 12.1.0.17 179408 Bytes 11/10/2011 14:00:09
AVARKT.DLL : 12.1.0.19 208848 Bytes 08/12/2011 15:17:59
AVEVTLOG.DLL : 12.1.0.17 169168 Bytes 11/10/2011 14:00:08
SQLITE3.DLL : 3.7.0.0 398288 Bytes 11/10/2011 14:00:22
AVSMTP.DLL : 12.1.0.17 62928 Bytes 11/10/2011 14:00:10
NETNT.DLL : 12.1.0.17 17104 Bytes 11/10/2011 14:00:18
RCIMAGE.DLL : 12.1.0.17 4450000 Bytes 11/10/2011 14:00:31
RCTEXT.DLL : 12.1.1.16 96208 Bytes 31/12/2011 16:51:17

Configuration settings for the scan:
Jobname.............................: AVGuardAsyncScan
Configuration file..................: C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\AVGUARD_4eff9e22\guard_slideup.avp
Logging.............................: default
Primary action......................: repair
Secondary action....................: quarantine
Scan master boot sector.............: on
Scan boot sector....................: off
Process scan........................: on
Scan registry.......................: off
Search for rootkits.................: off
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: Complete

Start of the scan: 01 January 2012 00:08

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'wuauclt.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'avshadow.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'rapimgr.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'wcescomm.exe' - '1' Module(s) have been scanned
Scan process 'mbamgui.exe' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'AESTFltr.exe' - '1' Module(s) have been scanned
Scan process 'igfxsrvc.exe' - '1' Module(s) have been scanned
Scan process 'sttray.exe' - '1' Module(s) have been scanned
Scan process 'igfxpers.exe' - '1' Module(s) have been scanned
Scan process 'hkcmd.exe' - '1' Module(s) have been scanned
Scan process 'WLTRAY.exe' - '1' Module(s) have been scanned
Scan process 'DiskDefrag.exe' - '1' Module(s) have been scanned
Scan process 'Explorer.EXE' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'mbamservice.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'mDNSResponder.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'SCardSvr.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'bcmwltry.exe' - '1' Module(s) have been scanned
Scan process 'WLTRYSVC.EXE' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned

Starting the file scan:

Begin scan in 'C:\System Volume Information\_restore{C0399D09-F54B-4A27-8EFA-E9D833C26B7C}\RP357\A0162153.sys'
C:\System Volume Information\_restore{C0399D09-F54B-4A27-8EFA-E9D833C26B7C}\RP357\A0162153.sys
[DETECTION] Is the TR/Sirefef.IL Trojan
[NOTE] The file was moved to the quarantine directory under the name '4cdb056b.qua'.
Begin scan in 'C:\System Volume Information\_restore{C0399D09-F54B-4A27-8EFA-E9D833C26B7C}\RP357\A0162173.sys'
C:\System Volume Information\_restore{C0399D09-F54B-4A27-8EFA-E9D833C26B7C}\RP357\A0162173.sys
[DETECTION] Is the TR/Sirefef.IL Trojan
[NOTE] The file was moved to the quarantine directory under the name '544c2acc.qua'.
Begin scan in 'C:\System Volume Information\_restore{C0399D09-F54B-4A27-8EFA-E9D833C26B7C}\RP357\A0163173.sys'
C:\System Volume Information\_restore{C0399D09-F54B-4A27-8EFA-E9D833C26B7C}\RP357\A0163173.sys
[DETECTION] Is the TR/Sirefef.IL Trojan
[NOTE] The file was moved to the quarantine directory under the name '06137024.qua'.
Begin scan in 'C:\System Volume Information\_restore{C0399D09-F54B-4A27-8EFA-E9D833C26B7C}\RP357\A0163191.sys'
C:\System Volume Information\_restore{C0399D09-F54B-4A27-8EFA-E9D833C26B7C}\RP357\A0163191.sys
[DETECTION] Is the TR/Sirefef.IL Trojan
[NOTE] The file was moved to the quarantine directory under the name '60243fe6.qua'.
Begin scan in 'C:\System Volume Information\_restore{C0399D09-F54B-4A27-8EFA-E9D833C26B7C}\RP358\A0163258.sys'
C:\System Volume Information\_restore{C0399D09-F54B-4A27-8EFA-E9D833C26B7C}\RP358\A0163258.sys
[DETECTION] Is the TR/Sirefef.IL Trojan
[NOTE] The file was moved to the quarantine directory under the name '25a012d8.qua'.
Begin scan in 'C:\System Volume Information\_restore{C0399D09-F54B-4A27-8EFA-E9D833C26B7C}\RP358\A0163286.sys'
C:\System Volume Information\_restore{C0399D09-F54B-4A27-8EFA-E9D833C26B7C}\RP358\A0163286.sys
[DETECTION] Is the TR/Sirefef.IL Trojan
[NOTE] The file was moved to the quarantine directory under the name '5abb20b9.qua'.
Begin scan in 'C:\System Volume Information\_restore{C0399D09-F54B-4A27-8EFA-E9D833C26B7C}\RP359\A0163310.sys'
C:\System Volume Information\_restore{C0399D09-F54B-4A27-8EFA-E9D833C26B7C}\RP359\A0163310.sys
[DETECTION] Is the TR/Sirefef.IL Trojan
[NOTE] The file was moved to the quarantine directory under the name '16030cf3.qua'.


End of the scan: 01 January 2012 00:09
Used time: 00:06 Minute(s)

The scan has been done completely.

0 Scanned directories
48 Files were scanned
7 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 Files were deleted
0 Viruses and unwanted programs were repaired
7 Files were moved to quarantine
0 Files were renamed
0 Files cannot be scanned
41 Files not concerned
0 Archives were scanned
0 Warnings
7 Notes

#44 Steviep (Member, Topic Starter, 311 posts)
Avira Free Antivirus
Report file date: 01 January 2012 00:08

Scanning for 3000859 virus strains and unwanted programs.

The program is running as an unrestricted full version.
Online services are available:

Licensee : Avira AntiVir Personal - Free Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 3) [5.1.2600]
Boot mode : Normally booted
Username : SYSTEM
Computer name : E6400

Version information:
BUILD.DAT : 12.0.0.872 41826 Bytes 15/12/2011 17:24:00
AVSCAN.EXE : 12.1.0.18 490448 Bytes 25/10/2011 18:18:44
AVSCAN.DLL : 12.1.0.17 54224 Bytes 23/09/2011 12:34:56
LUKE.DLL : 12.1.0.17 68304 Bytes 11/10/2011 14:00:17
AVSCPLR.DLL : 12.1.0.21 99536 Bytes 08/12/2011 15:18:10
AVREG.DLL : 12.1.0.27 227536 Bytes 10/12/2011 23:49:55
VBASE000.VDF : 7.10.0.0 19875328 Bytes 06/11/2009 19:18:34
VBASE001.VDF : 7.11.0.0 13342208 Bytes 14/12/2010 10:07:39
VBASE002.VDF : 7.11.19.170 14374912 Bytes 20/12/2011 16:51:17
VBASE003.VDF : 7.11.19.171 2048 Bytes 20/12/2011 16:51:17
VBASE004.VDF : 7.11.19.172 2048 Bytes 20/12/2011 16:51:17
VBASE005.VDF : 7.11.19.173 2048 Bytes 20/12/2011 16:51:17
VBASE006.VDF : 7.11.19.174 2048 Bytes 20/12/2011 16:51:17
VBASE007.VDF : 7.11.19.175 2048 Bytes 20/12/2011 16:51:17
VBASE008.VDF : 7.11.19.176 2048 Bytes 20/12/2011 16:51:17
VBASE009.VDF : 7.11.19.177 2048 Bytes 20/12/2011 16:51:17
VBASE010.VDF : 7.11.19.178 2048 Bytes 20/12/2011 16:51:17
VBASE011.VDF : 7.11.19.179 2048 Bytes 20/12/2011 16:51:17
VBASE012.VDF : 7.11.19.180 2048 Bytes 20/12/2011 16:51:17
VBASE013.VDF : 7.11.19.217 182784 Bytes 22/12/2011 16:51:17
VBASE014.VDF : 7.11.19.255 148480 Bytes 24/12/2011 16:51:17
VBASE015.VDF : 7.11.20.29 164352 Bytes 27/12/2011 16:51:17
VBASE016.VDF : 7.11.20.70 180224 Bytes 29/12/2011 16:51:17
VBASE017.VDF : 7.11.20.71 2048 Bytes 29/12/2011 16:51:17
VBASE018.VDF : 7.11.20.72 2048 Bytes 29/12/2011 16:51:17
VBASE019.VDF : 7.11.20.73 2048 Bytes 29/12/2011 16:51:17
VBASE020.VDF : 7.11.20.74 2048 Bytes 29/12/2011 16:51:17
VBASE021.VDF : 7.11.20.75 2048 Bytes 29/12/2011 16:51:17
VBASE022.VDF : 7.11.20.76 2048 Bytes 29/12/2011 16:51:17
VBASE023.VDF : 7.11.20.77 2048 Bytes 29/12/2011 16:51:17
VBASE024.VDF : 7.11.20.78 2048 Bytes 29/12/2011 16:51:17
VBASE025.VDF : 7.11.20.79 2048 Bytes 29/12/2011 16:51:17
VBASE026.VDF : 7.11.20.80 2048 Bytes 29/12/2011 16:51:17
VBASE027.VDF : 7.11.20.81 2048 Bytes 29/12/2011 16:51:17
VBASE028.VDF : 7.11.20.82 2048 Bytes 29/12/2011 16:51:17
VBASE029.VDF : 7.11.20.83 2048 Bytes 29/12/2011 16:51:17
VBASE030.VDF : 7.11.20.84 2048 Bytes 29/12/2011 16:51:17
VBASE031.VDF : 7.11.20.97 132608 Bytes 30/12/2011 16:51:17
Engineversion : 8.2.8.18
AEVDF.DLL : 8.1.2.2 106868 Bytes 25/10/2011 18:18:43
AESCRIPT.DLL : 8.1.3.95 479612 Bytes 31/12/2011 16:51:17
AESCN.DLL : 8.1.7.2 127349 Bytes 01/09/2011 22:46:02
AESBX.DLL : 8.2.4.5 434549 Bytes 03/12/2011 11:46:41
AERDL.DLL : 8.1.9.15 639348 Bytes 08/09/2011 22:16:06
AEPACK.DLL : 8.2.15.1 770423 Bytes 13/12/2011 12:14:35
AEOFFICE.DLL : 8.1.2.25 201084 Bytes 31/12/2011 16:51:17
AEHEUR.DLL : 8.1.3.14 4260216 Bytes 31/12/2011 16:51:17
AEHELP.DLL : 8.1.18.0 254327 Bytes 25/10/2011 18:18:35
AEGEN.DLL : 8.1.5.17 405877 Bytes 10/12/2011 23:49:48
AEEMU.DLL : 8.1.3.0 393589 Bytes 01/09/2011 22:46:01
AECORE.DLL : 8.1.24.3 201079 Bytes 31/12/2011 16:51:17
AEBB.DLL : 8.1.1.0 53618 Bytes 01/09/2011 22:46:01
AVWINLL.DLL : 12.1.0.17 27344 Bytes 11/10/2011 14:00:11
AVPREF.DLL : 12.1.0.17 51920 Bytes 11/10/2011 14:00:09
AVREP.DLL : 12.1.0.17 179408 Bytes 11/10/2011 14:00:09
AVARKT.DLL : 12.1.0.19 208848 Bytes 08/12/2011 15:17:59
AVEVTLOG.DLL : 12.1.0.17 169168 Bytes 11/10/2011 14:00:08
SQLITE3.DLL : 3.7.0.0 398288 Bytes 11/10/2011 14:00:22
AVSMTP.DLL : 12.1.0.17 62928 Bytes 11/10/2011 14:00:10
NETNT.DLL : 12.1.0.17 17104 Bytes 11/10/2011 14:00:18
RCIMAGE.DLL : 12.1.0.17 4450000 Bytes 11/10/2011 14:00:31
RCTEXT.DLL : 12.1.1.16 96208 Bytes 31/12/2011 16:51:17

Configuration settings for the scan:
Jobname.............................: AVGuardAsyncScan
Configuration file..................: C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\AVGUARD_4eff9e22\guard_slideup.avp
Logging.............................: default
Primary action......................: repair
Secondary action....................: quarantine
Scan master boot sector.............: on
Scan boot sector....................: off
Process scan........................: on
Scan registry.......................: off
Search for rootkits.................: off
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: Complete

Start of the scan: 01 January 2012 00:08

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'wuauclt.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'avshadow.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'rapimgr.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'wcescomm.exe' - '1' Module(s) have been scanned
Scan process 'mbamgui.exe' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'AESTFltr.exe' - '1' Module(s) have been scanned
Scan process 'igfxsrvc.exe' - '1' Module(s) have been scanned
Scan process 'sttray.exe' - '1' Module(s) have been scanned
Scan process 'igfxpers.exe' - '1' Module(s) have been scanned
Scan process 'hkcmd.exe' - '1' Module(s) have been scanned
Scan process 'WLTRAY.exe' - '1' Module(s) have been scanned
Scan process 'DiskDefrag.exe' - '1' Module(s) have been scanned
Scan process 'Explorer.EXE' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'mbamservice.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'mDNSResponder.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'SCardSvr.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'bcmwltry.exe' - '1' Module(s) have been scanned
Scan process 'WLTRYSVC.EXE' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned

Starting the file scan:

Begin scan in 'C:\System Volume Information\_restore{C0399D09-F54B-4A27-8EFA-E9D833C26B7C}\RP357\A0162139.sys'
C:\System Volume Information\_restore{C0399D09-F54B-4A27-8EFA-E9D833C26B7C}\RP357\A0162139.sys
[DETECTION] Is the TR/Sirefef.IL Trojan
[NOTE] The file was moved to the quarantine directory under the name '4cdb057c.qua'.


End of the scan: 01 January 2012 00:08
Used time: 00:09 Minute(s)

The scan has been done completely.

0 Scanned directories
42 Files were scanned
1 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 Files were deleted
0 Viruses and unwanted programs were repaired
1 Files were moved to quarantine
0 Files were renamed
0 Files cannot be scanned
41 Files not concerned
0 Archives were scanned
0 Warnings
1 Notes

#45 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)
Phew, they were all in System Restore and so were of no consequence.

However, it has put a possible thought into my head.

Start the DHCP service.
Then run this OTL fix; this will delete the old infected restore point and create a new one.

After the reboot, if DHCP is still not running, then select the restore point that OTL is about to make and restore to that. The hope being that, as the restore point was set with the service running, it will revert to that.

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following:


    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [CLEARALLRESTOREPOINTS]
    [Reboot]

  • Then click the Run Fix button at the top.
  • Let the program run unhindered; reboot the PC when it is done.
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

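Added example (my code, not from the thread): a Python triage script for the Avira logs in posts #43 and #44. It pairs each [DETECTION] line with the path line before it and the [NOTE] line after it, then separates hits on live files from hits whose path lies under System Volume Information\_restore{GUID}\RPnnn\, which are System Restore snapshot copies rather than the file currently on disk. That is the distinction behind "they were all in System Restore", and the sorted list of affected restore points is what the CLEARALLRESTOREPOINTS step removes. The sample is an excerpt of the post #43 log plus one constructed live-file line (the Temp path), labelled as such so both branches run. A practitioner's caveat: a restore-point copy of a Sirefef driver is still evidence that the file was present on the machine when that point was taken, so the archived hits are worth recording in the incident notes even though nothing needs cleaning at that path now.

```python
import re

# An Avira hit is three lines: the file path, "[DETECTION] ...", then "[NOTE] ..." with the action.
# Paths under System Volume Information\_restore{GUID}\RPnnn\ are System Restore snapshot copies,
# not the live file on disk.
RESTORE_POINT_RE = re.compile(
    r"\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\(RP\d+)\\", re.IGNORECASE)
DRIVE_PATH_RE = re.compile(r"^[A-Za-z]:\\")

def parse_avira_log(text):
    """Return one dict per [DETECTION] line: path, message, action, restore_point (None if live)."""
    detections, last_path = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if DRIVE_PATH_RE.match(line):
            last_path = line                          # the bare path line precedes its [DETECTION]
        elif line.startswith("[DETECTION]"):
            rp = RESTORE_POINT_RE.search(last_path or "")
            detections.append({"path": last_path,
                               "message": line[len("[DETECTION]"):].strip(),
                               "action": None,
                               "restore_point": rp.group(1) if rp else None})
        elif line.startswith("[NOTE]") and detections and detections[-1]["action"] is None:
            detections[-1]["action"] = line[len("[NOTE]"):].strip()
    return detections

def triage(detections):
    """Split hits into live files (need follow-up) and restore-point copies (purge those points)."""
    live = [d for d in detections if d["restore_point"] is None]
    archived = [d for d in detections if d["restore_point"] is not None]
    restore_points = sorted({d["restore_point"] for d in archived}, key=lambda s: int(s[2:]))
    return live, archived, restore_points

def summarize(detections):
    """One-line verdict: live hits first, otherwise which restore points to clear."""
    live, archived, rps = triage(detections)
    if not live:
        return (f"{len(archived)} hit(s), all inside System Restore points "
                f"{', '.join(rps)}: clear the restore points")
    return f"{len(live)} live hit(s) need attention; {len(archived)} more are restore-point copies"

# Excerpt of the Avira log from post #43, plus ONE constructed live-file hit (the Temp path at the
# end) added purely to exercise the other branch; that last hit is not from the thread.
SAMPLE_AVIRA_LOG = r"""
Starting the file scan:

Begin scan in 'C:\System Volume Information\_restore{C0399D09-F54B-4A27-8EFA-E9D833C26B7C}\RP357\A0162153.sys'
C:\System Volume Information\_restore{C0399D09-F54B-4A27-8EFA-E9D833C26B7C}\RP357\A0162153.sys
[DETECTION] Is the TR/Sirefef.IL Trojan
[NOTE] The file was moved to the quarantine directory under the name '4cdb056b.qua'.
Begin scan in 'C:\System Volume Information\_restore{C0399D09-F54B-4A27-8EFA-E9D833C26B7C}\RP357\A0162173.sys'
C:\System Volume Information\_restore{C0399D09-F54B-4A27-8EFA-E9D833C26B7C}\RP357\A0162173.sys
[DETECTION] Is the TR/Sirefef.IL Trojan
[NOTE] The file was moved to the quarantine directory under the name '544c2acc.qua'.
Begin scan in 'C:\System Volume Information\_restore{C0399D09-F54B-4A27-8EFA-E9D833C26B7C}\RP358\A0163258.sys'
C:\System Volume Information\_restore{C0399D09-F54B-4A27-8EFA-E9D833C26B7C}\RP358\A0163258.sys
[DETECTION] Is the TR/Sirefef.IL Trojan
[NOTE] The file was moved to the quarantine directory under the name '25a012d8.qua'.
C:\Documents and Settings\user\Local Settings\Temp\constructed-example.tmp
[DETECTION] Is the TR/Sirefef.IL Trojan
[NOTE] The file was moved to the quarantine directory under the name '00000000.qua'.
"""
```

Feed it a whole report file and read summarize first; if it reports live hits, the paths in triage's first list are the ones to chase (the quarantine names in the action field tell you which .qua file holds each copy), and the restore-point list is what gets purged either way.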