Torpig trojan [Solved]



#16
arclight

I checked with my ISP and they said that it was reported by a security company to them, not themselves monitoring my PC.


BTW should I insert the Windows CD and let it change files like ComboFix is asking?

It mentions that there are unrecognizable versions atm and that they need to insert the Windows CD to replace the files.

#17
Thunderbird1988

Can you make a screenshot of what it is asking (if you don't know how to do that, please click here) and post it here?

Thunderbird1988

#18
arclight

Posted Image


Here is what it's asking.

#19
Thunderbird1988

Yes, please insert your Windows CD when you run ComboFix.

Thunderbird1988

#20
arclight

Posted Image

I ran the scan and inserted the Windows CD but then this error occurred when the log was being created.


It did mention though a file was infected and was successfully restored.

userinit.exe I think was the name. I ran ComboFix again with the same command in CFScript.


ComboFix 09-12-07.04 - user 13/12/2009 16:20.14.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.511.174 [GMT 0:00]
Running from: F:\ComboFix.exe
Command switches used :: F:\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
--------------- FCopy ---------------

c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\proquota.exe --> c:\windows\system32\proquota.exe
.
((((((((((((((((((((((((( Files Created from 2009-11-13 to 2009-12-13 )))))))))))))))))))))))))))))))
.

2009-12-08 02:47 . 2004-08-04 12:00 50176 -c--a-w- c:\windows\system32\dllcache\proquota.exe
2009-12-08 02:47 . 2004-08-04 12:00 50176 ----a-w- c:\windows\system32\proquota.exe
2009-12-05 13:25 . 2009-12-05 13:25 -------- d-----w- c:\documents and settings\user\Local Settings\Application Data\PCHealth
2009-12-05 05:12 . 2009-12-05 05:12 -------- d-----w- c:\windows\system32\XPSViewer
2009-12-05 05:11 . 2009-12-05 05:11 -------- d-----w- c:\program files\Reference Assemblies
2009-12-05 05:10 . 2009-12-05 05:11 -------- d-----w- C:\e7241e681a8d2d600575b3588f74ab5f
2009-12-05 04:52 . 2009-12-05 04:52 -------- d-----w- c:\windows\ServicePackFiles
2009-12-04 20:20 . 2009-12-09 17:14 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-12-04 20:20 . 2009-03-30 09:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-12-04 20:20 . 2009-02-13 11:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2009-12-04 20:20 . 2009-02-13 11:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2009-12-04 20:19 . 2009-12-04 20:19 -------- d-----w- c:\program files\Avira
2009-12-04 20:19 . 2009-12-04 20:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-13 04:56 . 2007-10-23 23:42 -------- d-----w- c:\program files\Microsoft SQL Server
2009-12-11 14:00 . 2009-09-30 21:37 -------- d-----w- c:\program files\Opera
2009-12-07 19:46 . 2009-07-12 00:31 -------- d-----w- c:\program files\Microsoft Silverlight
2009-12-04 14:07 . 2009-01-02 02:30 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-04 14:07 . 2009-01-10 02:30 4844296 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-12-03 16:14 . 2009-01-02 02:30 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-03 16:13 . 2009-01-02 02:30 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-26 12:33 . 2009-08-14 14:52 -------- d-----w- c:\program files\McAfee
2009-10-29 05:48 . 2006-02-28 12:00 662016 ------w- c:\windows\system32\wininet.dll
2009-10-25 19:46 . 2009-10-25 19:46 -------- d-----w- c:\program files\Sun
2009-10-25 19:44 . 2008-10-08 23:41 -------- d-----w- c:\program files\Java
2009-10-25 19:27 . 2009-10-25 19:27 -------- d-----w- c:\documents and settings\user\Application Data\JCreator
2009-10-25 19:27 . 2009-10-25 19:27 -------- d-----w- c:\documents and settings\All Users\Application Data\JCreator
2009-10-25 19:00 . 2009-10-25 19:00 -------- d-----w- c:\program files\Xinox Software
2009-10-21 06:00 . 2006-02-28 12:00 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 06:00 . 2006-02-28 12:00 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 14:58 . 2006-02-28 12:00 263552 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-13 10:53 . 2006-02-28 12:00 266752 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:54 . 2006-02-28 12:00 69632 ----a-w- c:\windows\system32\raschap.dll
2009-10-12 13:54 . 2006-02-28 12:00 112128 ----a-w- c:\windows\system32\rastls.dll
2009-09-25 05:56 . 2008-10-08 22:45 81920 ----a-w- c:\windows\system32\ieencode.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"Microsoft Works Update Detection"="c:\program files\Microsoft Works\WkDetect.exe" [2000-07-10 28739]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-14 149280]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"lxdpmon.exe"="c:\program files\Lexmark Z2300 Series\lxdpmon.exe" [2008-03-27 656040]
"EzPrint"="c:\program files\Lexmark Z2300 Series\ezprint.exe" [2008-03-27 107176]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-08 68856]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

c:\documents and settings\user\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"New Value #1"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBCSSvc]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^user^Start Menu^Programs^Startup^Alarm Master.lnk]
path=c:\documents and settings\user\Start Menu\Programs\Startup\Alarm Master.lnk
backup=c:\windows\pss\Alarm Master.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
2007-08-31 11:01 1037736 ----a-w- c:\program files\Microsoft IntelliPoint\ipoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SBCSTray]
2007-06-15 14:17 699120 ----a-w- c:\program files\Sunbelt Software\CounterSpy\SBCSTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
2008-01-21 12:17 61440 ----a-w- c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\TVUPlayer\\TVUPlayer.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\SopCast\\sopvod.exe"=
"c:\\Program Files\\Azureusvuze\\Azureus.exe"=
"c:\\Program Files\\Azureus2\\Azureus.exe"=
"c:\\Program Files\\Lexmark Z2300 Series\\lxdpmon.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdppswx.exe"=
"c:\\WINDOWS\\system32\\lxdpcoms.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdptime.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdpjswx.exe"=
"c:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Opera\\opera.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:Remote Desktop

R0 SBHR;SBHR;c:\windows\system32\drivers\sbhr.sys [14/09/2007 18:27 15544]
S3 S6U12BScanner;MUSTEK 1200 UB Still Image Device Service;c:\windows\system32\drivers\usbscan.sys [08/12/2008 01:54 15104]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - SBAPIFS
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uSearchURL,(Default) = hxxp://uk.search.yahoo.com/search?fr=mcafee&p=%s
IE: Download using LeechGet - file://c:\program files\LeechGet 2009\\AddUrl.html
IE: Download using LeechGet Wizard - file://c:\program files\LeechGet 2009\\Wizard.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
IE: Parse with LeechGet - file://c:\program files\LeechGet 2009\\Parser.html
DPF: {2CA2C9B8-E4F6-4BE9-8601-52ED0AFBA79D} - hxxp://asp.mathxl.com/books/_Players/AccountingPlayer.cab
FF - ProfilePath - c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\x36qtul5.default\
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-13 17:01
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(516)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-12-13 17:13
ComboFix-quarantined-files.txt 2009-12-13 17:13
ComboFix2.txt 2009-12-13 16:04
ComboFix3.txt 2009-12-06 01:28
ComboFix4.txt 2009-12-06 00:17
ComboFix5.txt 2009-12-13 16:09

Pre-Run: 14,926,921,728 bytes free
Post-Run: 14,913,687,552 bytes free

- - End Of File - - E51560CEDD8F56200F20342C1C370E67

Edited by arclight, 13 December 2009 - 03:22 PM.


#21
Thunderbird1988

Your log is now clean. How is your computer running?

#22
arclight

Computer seems fine.

Are there any other checks or scans I can run just to be sure?

#23
Thunderbird1988

You can run Avira if you like.

#24
arclight

Avira AntiVir Personal
Report file date: 15 December 2009 01:07

Scanning for 1443507 virus strains and unwanted programs.

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 2) [5.1.2600]
Boot mode : Normally booted
Username : SYSTEM
Computer name : USER-2A1DED054E

Version information:
BUILD.DAT : 9.0.0.418 21723 Bytes 12/2/2009 16:28:00
AVSCAN.EXE : 9.0.3.10 466689 Bytes 10/13/2009 11:26:33
AVSCAN.DLL : 9.0.3.0 40705 Bytes 2/27/2009 10:58:24
LUKE.DLL : 9.0.3.2 209665 Bytes 2/20/2009 11:35:49
LUKERES.DLL : 9.0.2.0 12033 Bytes 2/27/2009 10:58:52
VBASE000.VDF : 7.10.0.0 19875328 Bytes 11/6/2009 07:35:52
VBASE001.VDF : 7.10.1.0 1372672 Bytes 11/19/2009 20:23:52
VBASE002.VDF : 7.10.1.1 2048 Bytes 11/19/2009 20:23:52
VBASE003.VDF : 7.10.1.2 2048 Bytes 11/19/2009 20:23:52
VBASE004.VDF : 7.10.1.3 2048 Bytes 11/19/2009 20:23:52
VBASE005.VDF : 7.10.1.4 2048 Bytes 11/19/2009 20:23:52
VBASE006.VDF : 7.10.1.5 2048 Bytes 11/19/2009 20:23:52
VBASE007.VDF : 7.10.1.6 2048 Bytes 11/19/2009 20:23:52
VBASE008.VDF : 7.10.1.7 2048 Bytes 11/19/2009 20:23:52
VBASE009.VDF : 7.10.1.8 2048 Bytes 11/19/2009 20:23:52
VBASE010.VDF : 7.10.1.9 2048 Bytes 11/19/2009 20:23:53
VBASE011.VDF : 7.10.1.10 2048 Bytes 11/19/2009 20:23:53
VBASE012.VDF : 7.10.1.11 2048 Bytes 11/19/2009 20:23:53
VBASE013.VDF : 7.10.1.79 209920 Bytes 11/25/2009 20:23:54
VBASE014.VDF : 7.10.1.128 197632 Bytes 11/30/2009 20:23:54
VBASE015.VDF : 7.10.1.178 195584 Bytes 12/7/2009 17:14:38
VBASE016.VDF : 7.10.1.224 183296 Bytes 12/14/2009 19:17:29
VBASE017.VDF : 7.10.1.225 2048 Bytes 12/14/2009 19:17:29
VBASE018.VDF : 7.10.1.226 2048 Bytes 12/14/2009 19:17:29
VBASE019.VDF : 7.10.1.227 2048 Bytes 12/14/2009 19:17:29
VBASE020.VDF : 7.10.1.228 2048 Bytes 12/14/2009 19:17:29
VBASE021.VDF : 7.10.1.229 2048 Bytes 12/14/2009 19:17:29
VBASE022.VDF : 7.10.1.230 2048 Bytes 12/14/2009 19:17:29
VBASE023.VDF : 7.10.1.231 2048 Bytes 12/14/2009 19:17:30
VBASE024.VDF : 7.10.1.232 2048 Bytes 12/14/2009 19:17:30
VBASE025.VDF : 7.10.1.233 2048 Bytes 12/14/2009 19:17:30
VBASE026.VDF : 7.10.1.234 2048 Bytes 12/14/2009 19:17:30
VBASE027.VDF : 7.10.1.235 2048 Bytes 12/14/2009 19:17:30
VBASE028.VDF : 7.10.1.236 2048 Bytes 12/14/2009 19:17:30
VBASE029.VDF : 7.10.1.237 2048 Bytes 12/14/2009 19:17:30
VBASE030.VDF : 7.10.1.238 2048 Bytes 12/14/2009 19:17:31
VBASE031.VDF : 7.10.1.241 131584 Bytes 12/14/2009 19:17:31
Engineversion : 8.2.1.108
AEVDF.DLL : 8.1.1.2 106867 Bytes 11/8/2009 07:38:52
AESCRIPT.DLL : 8.1.3.2 582010 Bytes 12/10/2009 19:18:08
AESCN.DLL : 8.1.3.0 127348 Bytes 12/10/2009 19:18:08
AESBX.DLL : 8.1.1.1 246132 Bytes 11/8/2009 07:38:44
AERDL.DLL : 8.1.3.4 479605 Bytes 12/4/2009 20:23:57
AEPACK.DLL : 8.2.0.3 422261 Bytes 11/8/2009 07:38:40
AEOFFICE.DLL : 8.1.0.38 196987 Bytes 11/8/2009 07:38:38
AEHEUR.DLL : 8.1.0.186 2183544 Bytes 12/9/2009 17:14:42
AEHELP.DLL : 8.1.8.0 237942 Bytes 12/9/2009 17:14:40
AEGEN.DLL : 8.1.1.80 364917 Bytes 12/9/2009 17:14:39
AEEMU.DLL : 8.1.1.0 393587 Bytes 11/8/2009 07:38:26
AECORE.DLL : 8.1.9.1 180598 Bytes 12/10/2009 19:18:07
AEBB.DLL : 8.1.0.3 53618 Bytes 11/8/2009 07:38:20
AVWINLL.DLL : 9.0.0.3 18177 Bytes 12/12/2008 08:47:59
AVPREF.DLL : 9.0.3.0 44289 Bytes 8/26/2009 15:14:02
AVREP.DLL : 8.0.0.3 155905 Bytes 1/20/2009 14:34:28
AVREG.DLL : 9.0.0.0 36609 Bytes 12/5/2008 10:32:09
AVARKT.DLL : 9.0.0.3 292609 Bytes 3/24/2009 15:05:41
AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 1/30/2009 10:37:08
SQLITE3.DLL : 3.6.1.0 326401 Bytes 1/28/2009 15:03:49
SMTPLIB.DLL : 9.2.0.25 28417 Bytes 2/2/2009 08:21:33
NETNT.DLL : 9.0.0.0 11521 Bytes 12/5/2008 10:32:10
RCIMAGE.DLL : 9.0.0.25 2438913 Bytes 5/15/2009 15:39:58
RCTEXT.DLL : 9.0.73.0 86785 Bytes 10/13/2009 12:25:47

Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:, F:,
Process scan........................: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium
Deviating risk categories...........: +APPL,+GAME,+JOKE,+PCK,+PFS,+SPR,

Start of the scan: 15 December 2009 01:07

Starting search for hidden objects.
'191064' objects were checked, '0' hidden objects were found.

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'AdobeUpdater.exe' - '1' Module(s) have been scanned
Scan process 'AcroRd32.exe' - '1' Module(s) have been scanned
Scan process 'winamp.exe' - '1' Module(s) have been scanned
Scan process 'jucheck.exe' - '1' Module(s) have been scanned
Scan process 'wuauclt.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'wdfmgr.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'msmsgs.exe' - '1' Module(s) have been scanned
Scan process 'sqlwriter.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'INSTAN~1.EXE' - '1' Module(s) have been scanned
Scan process 'ezprint.exe' - '1' Module(s) have been scanned
Scan process 'SBCSSvc.exe' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'sqlservr.exe' - '1' Module(s) have been scanned
Scan process 'mdm.exe' - '1' Module(s) have been scanned
Scan process 'McSACore.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'lxdpcoms.exe' - '1' Module(s) have been scanned
Scan process 'jqs.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'aawservice.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'ati2evxx.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'ati2evxx.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
41 processes with 41 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Master boot sector HD1
[INFO] No virus was found!
Master boot sector HD2
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!
Boot sector 'F:\'
[INFO] No virus was found!

Starting to scan executable files (registry).
The registry was scanned ( '52' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\hiberfil.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\pagefile.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\Documents and Settings\user\Local Settings\Application Data\Opera\Opera\cache\opr0EK2M
[0] Archive type: NSIS
--> 2
[WARNING] No further files can be extracted from this archive. The archive will be closed
[WARNING] No further files can be extracted from this archive. The archive will be closed
Begin scan in 'F:\' <SCSI1_VOL1>
F:\New Folder\Microsoft Publisher XP 2002 With Serial.zip
[0] Archive type: ZIP
--> Microsoft Publisher XP 2002/FILES/MOD/OFFICE1.CAB
[1] Archive type: CAB (Microsoft)
--> secmanag.CF96.76FACAA8_4C38_49B4_B59C_6698F3D0BB4F
[WARNING] No further files can be extracted from this archive. The archive will be closed
F:\System Volume Information\_restore{DAD4D94B-5139-4C09-8B20-68886CEFDB3B}\RP109\A0170403.exe
[DETECTION] Is the TR/Spirt.8 Trojan
F:\System Volume Information\_restore{DAD4D94B-5139-4C09-8B20-68886CEFDB3B}\RP109\A0170404.exe
[DETECTION] Is the TR/Patch.Z Trojan

Beginning disinfection:
F:\System Volume Information\_restore{DAD4D94B-5139-4C09-8B20-68886CEFDB3B}\RP109\A0170403.exe
[DETECTION] Is the TR/Spirt.8 Trojan
[NOTE] The file was moved to '4b581165.qua'!
F:\System Volume Information\_restore{DAD4D94B-5139-4C09-8B20-68886CEFDB3B}\RP109\A0170404.exe
[DETECTION] Is the TR/Patch.Z Trojan
[NOTE] The file was moved to '4a3e2476.qua'!


End of the scan: 15 December 2009 04:31
Used time: 2:50:58 Hour(s)

The scan has been done completely.

18843 Scanned directories
975625 Files were scanned
2 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
2 Files were moved to quarantine
0 Files were renamed
2 Files cannot be scanned
975621 Files not concerned
24360 Archives were scanned
5 Warnings
4 Notes
191064 Objects were scanned with rootkit scan
0 Hidden objects were found



That was the result of the Avira scan, a few Trojans.

#25
Thunderbird1988

Hello Arclight,

The items Avira found are leftovers and not dangerous anymore. Do you have any other questions?
  • 0
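
One way to triage the Avira report posted above, as an added example that is not part of the original thread: it parses the report's `[DETECTION]` and `[NOTE]` lines, marks hits that sit inside a System Restore point folder (`_restore{...}\RPnnn`), and lists anything found on a live path or not moved to quarantine. The third sample entry and the names `parse_report` and `needs_followup` are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the two detections quoted from the Avira report in this
# thread, plus one made-up entry on a live path (last two lines) for contrast.
SAMPLE_REPORT = r"""
Begin scan in 'F:\' <SCSI1_VOL1>
F:\System Volume Information\_restore{DAD4D94B-5139-4C09-8B20-68886CEFDB3B}\RP109\A0170403.exe
[DETECTION] Is the TR/Spirt.8 Trojan
F:\System Volume Information\_restore{DAD4D94B-5139-4C09-8B20-68886CEFDB3B}\RP109\A0170404.exe
[DETECTION] Is the TR/Patch.Z Trojan

Beginning disinfection:
F:\System Volume Information\_restore{DAD4D94B-5139-4C09-8B20-68886CEFDB3B}\RP109\A0170403.exe
[DETECTION] Is the TR/Spirt.8 Trojan
[NOTE] The file was moved to '4b581165.qua'!
F:\System Volume Information\_restore{DAD4D94B-5139-4C09-8B20-68886CEFDB3B}\RP109\A0170404.exe
[DETECTION] Is the TR/Patch.Z Trojan
[NOTE] The file was moved to '4a3e2476.qua'!
C:\constructed\example-live-file.exe
[DETECTION] Is the TR/Constructed.Sample Trojan
"""

PATH_RE = re.compile(r"^[A-Za-z]:\\")
DETECTION_RE = re.compile(r"^\[DETECTION\]\s+Is the (\S+)")
MOVED_RE = re.compile(r"^\[NOTE\]\s+The file was moved to '([^']+)'")
# Windows XP System Restore keeps its snapshot copies under this folder layout.
RESTORE_RE = re.compile(
    r"\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\RP(\d+)\\",
    re.IGNORECASE,
)


@dataclass
class Finding:
    path: str
    name: str
    restore_point: Optional[int] = None   # RP number if inside a restore point
    quarantined_as: Optional[str] = None  # .qua file name if moved


def parse_report(text: str) -> List[Finding]:
    """Collect one Finding per detected path; the report lists each hit twice
    (scan section and disinfection section), so entries are keyed by path."""
    findings = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if PATH_RE.match(line):
            current = line
            continue
        if current is None:
            continue
        hit = DETECTION_RE.match(line)
        if hit:
            rp = RESTORE_RE.search(current)
            findings.setdefault(
                current,
                Finding(current, hit.group(1), int(rp.group(1)) if rp else None),
            )
            continue
        moved = MOVED_RE.match(line)
        if moved and current in findings:
            findings[current].quarantined_as = moved.group(1)
    return list(findings.values())


def needs_followup(findings: List[Finding]) -> List[Finding]:
    """Hits outside a restore point, or not quarantined, need a closer look."""
    return [f for f in findings
            if f.restore_point is None or f.quarantined_as is None]


if __name__ == "__main__":
    for f in parse_report(SAMPLE_REPORT):
        where = f"restore point RP{f.restore_point}" if f.restore_point else "live path"
        print(f"{f.name:<24} {where:<22} quarantined={f.quarantined_as}")
```
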

#26
arclight

Not really.

Are there any programs you would recommend apart from mbam/avira/tfc/rootrepeal which I have?

I also use Opera and, unlike Firefox, I can't find a site advisor tool for it or something similar.

#27
Thunderbird1988

You can find the programs Geekstogo recommends here.

Do you have any other questions?

Thunderbird1988

#28
arclight

No, I think that's it.

Thx for the help. Comp runs smoother now.

#29
Thunderbird1988

The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /Uninstall

  • Download OTC to your desktop and run it
  • Click Yes to begin the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. Choose Yes.

Thunderbird1988

#30
Thunderbird1988

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.