
Windows Antivirus 2010 malware



Hello. I am having an issue with a program called ave.exe, one of those malware programs that purports to be a Windows Antivirus program and constantly spams pop-ups. During the course of following the directions from this forum, the virus was still active after running Malwarebytes' Anti-Malware and my current anti-virus (Avira), but now that I've finished all the steps I do not see it. I would still very much appreciate it if someone could take a look at my logs and confirm that the virus is gone. Thank you in advance!

As a side note, when I ran DeFogger it did not ask if I wanted to reboot the computer after disabling the drivers. I did reboot the computer manually.

DDS:

DDS (Ver_09-12-01.01) - NTFSx86

Run by Abram at 2:31:40.97 on Wed 03/17/2010

Internet Explorer: 7.0.6002.18005

Microsoft

Attach.zip

ark.zip


Hello afox83! Welcome to MalwareBytes' Anti-Malware Forums!

My name is Borislav and I will be glad to help you solve your problems with malware. Before we begin, please note the following:

  • The process of cleaning your system may take some time, so please be patient.
  • Stay with the topic until I tell you that your system is clean. Missing symptoms do not mean that everything is okay.
  • Instructions that I give are for your system only!
  • If you don't know or can't understand something, please ask.
  • Do not install any software or hardware while we work on it.

Step 1:

Please uninstall the following applications:

Adobe Reader 8.2.1

Japanese Fonts Support For Adobe Reader 8

After we finish our work, please download and install the latest version of Adobe Reader from:

http://www.adobe.com

Step 2:

Please go into the Control Panel, Add/Remove Programs, and for now remove ALL versions of JAVA.

Then run this tool to help clean up any leftover Java.

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please download JavaRa and unzip it to your desktop.

***Please close any instances of Internet Explorer (or other web browser) before continuing!***

  • Double-click on JavaRa.exe to start the program.
  • From the drop-down menu, choose English and click on Select.
  • JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
  • Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
  • A logfile will pop up. Please save it to a convenient location and post it back when you reply.
    Then look for the following Java folders and if found delete them.
    C:\Program Files\Java
    C:\Program Files\Common Files\Java
    C:\Windows\Sun
    C:\Documents and Settings\All Users\Application Data\Java
    C:\Documents and Settings\All Users\Application Data\Sun\Java
    C:\Documents and Settings\username\Application Data\Java
    C:\Documents and Settings\username\Application Data\Sun\Java

Step 3:

I also see you have Viewpoint installed...

Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". This will change from what we know in 2006; read this article: http://www.clickz.com/news/article.php/3561546

I suggest you remove the program now. Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.


  • Viewpoint
  • Viewpoint Manager
  • Viewpoint Media Player

Step 4:

You have some leftovers from AVG8, so please download AVGRemover from:

http://download.avg.com/filedir/util/avg_a.../avgremover.exe

Run it and follow the instructions to successfully clean your system from AVG.

Step 5:

  • Launch Malwarebytes' Anti-Malware.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

In your next reply, please include these log(s):

* JavaRa log

* DDS log (new)

* MalwareBytes' Anti-Malware log


Maniac, thank you very much for your help with this problem! You were definitely right: although the constant pop-ups have ceased, my computer is still running extremely slowly and it's clear something else is going on with it.

I followed the steps you provided, in order. There was one issue: after I ran JavaRa, it notified me that a logfile had been generated, but did not say where, and a logfile did not pop up for me to save to a location of my choosing. Do you know where on my computer it was saved?

Here are the other two logs requested. Thanks again.

New DDS log:

DDS (Ver_09-12-01.01) - NTFSx86

Run by Abram at 14:32:35.91 on Wed 03/17/2010

Internet Explorer: 7.0.6002.18005

Microsoft


I ran JavaRa.exe again, and had the same result. After it finished I got a pop-up saying it was saving a log file in my C:\ folder, but there is not a JavaRa.txt file there. A search of my computer for "JavaRa" turned up the same four results.


Your last log seems to be clean of Java, so don't worry about JavaRa. Now:

Please visit Combofix Guide & Instructions for instructions for installing the recovery console and downloading and running ComboFix.

The only thing different from the instructions there is that when downloading and saving the ComboFix.exe I would like you to rename it to Combo-Fix.exe please.

Post the log from ComboFix when you've accomplished that along with a new HijackThis log.

Important notes regarding ComboFix:

ComboFix may reset a number of Internet Explorer's settings, including making it the default browser. This can easily be changed once we're finished.

ComboFix also prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you, please let me know. This can be undone manually when we're finished. Read HERE for an article written by dvk01 on why we disable autoruns.

Note: During this process, it would help a great deal and be very much appreciated if you would refrain from installing any new software or hardware on this machine, unless absolutely necessary, until the clean up process is finished as it makes our job more tedious, with additional new files that may have to be researched, which is very time consuming.

Also, please do not run any security programs or fixes on your own as doing so may compromise what we will be doing. It is important that you wait for instructions.


Maniac,

I followed the instructions and ran ComboFix on my computer. It completed and generated a log file, but it appears to have created some registry issues. I'm currently writing this from another computer in my household. When I tried to open my primary browser, Firefox, I received a message that read:

"C:\Program Files\Mozilla Firefox\firefox.exe

Illegal operation attempted on a registry key that has been marked for deletion."

I received the same message, with the appropriate extension listed, for Internet Explorer and every other .txt, .doc, and .exe shortcut or file I attempted to open, including HijackThis. I am able to open folders from my desktop. I am also able to open .jpegs in a folder, but received a similar message as above when trying to open .doc files.

Thanks again for your help with this issue.


I was able to get the log.txt from ComboFix by using a USB drive (I did get the same above error message regarding rundll32 [I think?] when attempting to manually eject the drive).

Here it is:

ComboFix 10-03-17.01 - Abram 03/17/2010 17:49:44.2.4 - x86

Microsoft


Very bad!

First, please start your Windows in Safe Mode:

http://www.microsoft.com/resources/documen...e.mspx?mfr=true

Second, click the Start button, then Run... and enter

sfc /scannow

Finally, click OK.

This runs System File Checker, which looks for missing or corrupted system files and attempts to replace/repair them from files on your hard disk or from the CD if necessary. So it will ask for the Windows CD if it needs it.

Tell me how things are after these steps.


I followed your instructions, and after running System File Check in Safe Mode and rebooting I am able to open files as normal without registry errors.

I ran HijackThis (I currently have v2.0.2) and received this message:

For some reason your system denied write access to the Hosts file. If any hijacked domains are in this file, HijackThis may NOT be able to fix this.

If that happens, you need to edit the file yourself. To do this, click Start, Run, and type:

notepad C:\Windows\System32\drivers\etc\hosts

and press Enter. Find the line(s) HijackThis reports and delete them. Save the file as 'hosts.' (with quotes), and reboot.

For Vista: simply, exit HijackThis, right click on the HijackThis icon, choose 'Run as administrator'.

My computer runs Vista. Should I follow the instructions above?


I should note that HijackThis did still run and generate a log file:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 11:50:52 AM, on 3/17/2010

Platform: Windows Vista SP2 (WinNT 6.00.1906)

MSIE: Internet Explorer v7.00 (7.00.6002.18005)

Boot mode: Normal

Running processes:

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Windows\system32\taskeng.exe

C:\Program Files\Windows Defender\MSASCui.exe

C:\Windows\System32\nvraidservice.exe

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\Program Files\Spyware Terminator\SpywareTerminatorShield.Exe

C:\Program Files\Dell Support Center\bin\sprtcmd.exe

C:\Windows\RtHDVCpl.exe

C:\Program Files\Microsoft LifeChat\LifeChat.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\Windows\ehome\ehtray.exe

C:\Program Files\Windows Media Player\wmpnscfg.exe

C:\Windows\ehome\ehmsas.exe

C:\Windows\System32\mobsync.exe

C:\Windows\system32\wbem\unsecapp.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Windows\System32\notepad.exe

C:\Program Files\Internet Explorer\ieuser.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Windows\system32\Macromed\Flash\FlashUtil10c.exe

C:\Windows\system32\werfault.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.washingtonpost.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O1 - Hosts: ::1 localhost

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll

O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll

O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide

O4 - HKLM\..\Run: [skytel] Skytel.exe

O4 - HKLM\..\Run: [NVRaidService] C:\Windows\system32\nvraidservice.exe

O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"

O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"

O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

O4 - HKLM\..\Run: [spywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"

O4 - HKLM\..\Run: [dellsupportcenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P dellsupportcenter

O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe

O4 - HKLM\..\Run: [LifeChat] "C:\Program Files\Microsoft LifeChat\LifeChat.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min

O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe

O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" resetprofile

O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe

O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE

O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL

O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe

O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Performance Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe

O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe

O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe

O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe

O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe

O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe

O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe

O23 - Service: NVIDIA Stereoscopic 3D Driver Service (Stereo Service) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe

O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--

End of file - 7606 bytes


Delete your copy of ComboFix and follow the instructions again:

Please visit Combofix Guide & Instructions for instructions for installing the recovery console and downloading and running ComboFix.

The only thing different from the instructions there is that when downloading and saving the ComboFix.exe I would like you to rename it to Combo-Fix.exe please.

Post the log from ComboFix when you've accomplished that along with a new HijackThis log.

Important notes regarding ComboFix:

ComboFix may reset a number of Internet Explorer's settings, including making it the default browser. This can easily be changed once we're finished.

ComboFix also prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you, please let me know. This can be undone manually when we're finished. Read HERE for an article written by dvk01 on why we disable autoruns.

Note: During this process, it would help a great deal and be very much appreciated if you would refrain from installing any new software or hardware on this machine, unless absolutely necessary, until the clean up process is finished as it makes our job more tedious, with additional new files that may have to be researched, which is very time consuming.

Also, please do not run any security programs or fixes on your own as doing so may compromise what we will be doing. It is important that you wait for instructions.

P.S.: For HijackThis, please Run as Administrator and everything will be fine.


I am running into the same issue when trying to open programs after running ComboFix: "Illegal operation attempted on a registry key that has been marked for deletion."

I ran Firefox as administrator to open it, and that worked to let me send this email. Initially when I tried to run HijackThis (as administrator) after running ComboFix, it told me the program was already running. I opened the task manager and ended the process, and then was able to successfully run it.

ComboFix log:

ComboFix 10-03-17.07 - Abram 03/18/2010 11:40:09.3.4 - x86

Microsoft


Step 1:

Please open HijackThis and select Do a system scan only.

Check the following entries:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)

Then, close all open windows except that of HijackThis, and select Fix Checked.

Step 2:

Perform a full scan with Avira and let it delete everything it is finding.

Then reboot.

After reboot, open your Avira and select "reports".

There, double-click the report from the full scan you have done. Click the "Report File" button and copy and paste this report in your next reply, together with a new HijackThis log.

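The two entries the helper singles out in the post above can also be picked out mechanically from a HijackThis log. The following Python script is an added example, not part of the thread or of HijackThis itself: it parses constructed sample lines modelled on the log posted earlier and flags an Internet Settings ProxyServer value that points back at the local machine (a browser proxy on the loopback lets resident software sit between the browser and the web) and any O2 BHO whose DLL is reported as "(no file)" (an orphaned registration, commonly left behind after a removal).

```python
"""Audit HijackThis v2 log lines for two rogue-AV leftovers seen in this thread:
a loopback browser proxy and an orphaned Browser Helper Object.
Example code, not from the original forum thread or from Trend Micro."""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "section reason line")

# Hosts that mean "this very machine": a browser proxy here is a red flag.
LOOPBACK_HOSTS = {"127.0.0.1", "localhost", "::1", "0.0.0.0"}

# Constructed sample, modelled on the HijackThis log posted in the thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.washingtonpost.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
"""

ENTRY_RE = re.compile(r"^([RFO]\d+) - (.*)$")


def parse_entry(line):
    """Split 'O2 - payload' into (section, payload); None for non-entry lines."""
    match = ENTRY_RE.match(line.strip())
    return (match.group(1), match.group(2)) if match else None


def proxy_hosts(value):
    """Return the lower-cased host of each proxy in a ProxyServer value.

    The registry value is either 'host:port' or ';'-separated
    'scheme=host:port' pairs (e.g. 'http=127.0.0.1:5555;https=...').
    """
    hosts = []
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" in part:                      # drop the 'http=' scheme prefix
            part = part.split("=", 1)[1]
        host = part.rsplit(":", 1)[0] if ":" in part else part
        hosts.append(host.strip("[]").lower())   # '[::1]:8080' -> '::1'
    return hosts


def audit_hijackthis(log_text):
    """Return a Finding for every entry matching one of the two rules."""
    findings = []
    for raw in log_text.splitlines():
        entry = parse_entry(raw)
        if entry is None:
            continue
        section, payload = entry
        if section in ("R0", "R1") and ",ProxyServer = " in payload:
            # Everything after the first ' = ' is the registry value.
            value = payload.split(" = ", 1)[1]
            if any(h in LOOPBACK_HOSTS for h in proxy_hosts(value)):
                findings.append(Finding(section, "loopback proxy", raw.strip()))
        elif section == "O2" and payload.endswith(" - (no file)"):
            findings.append(Finding(section, "BHO with missing DLL", raw.strip()))
    return findings


if __name__ == "__main__":
    # In HijackThis these are the lines to tick before 'Fix Checked'.
    for f in audit_hijackthis(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}: {f.line}")
```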

Here's the Avira report and HijackThis log after following your instructions. Avira did not prompt me to delete any files during or after the scan.

Avira report:

Avira AntiVir Personal

Report file date: Thursday, March 18, 2010 13:54

Scanning for 1867270 virus strains and unwanted programs.

Licensee : Avira AntiVir Personal - FREE Antivirus

Serial number : 0000149996-ADJIE-0000001

Platform : Windows Vista

Windows version : (Service Pack 2) [6.0.6002]

Boot mode : Normally booted

Username : SYSTEM

Computer name : HOME-PC

Version information:

BUILD.DAT : 9.0.0.419 21701 Bytes 1/22/2010 18:29:00

AVSCAN.EXE : 9.0.3.10 466689 Bytes 10/13/2009 16:26:33

AVSCAN.DLL : 9.0.3.0 40705 Bytes 2/27/2009 15:58:24

LUKE.DLL : 9.0.3.2 209665 Bytes 2/20/2009 16:35:49

LUKERES.DLL : 9.0.2.0 12033 Bytes 2/27/2009 15:58:52

VBASE000.VDF : 7.10.0.0 19875328 Bytes 11/6/2009 12:35:52

VBASE001.VDF : 7.10.1.0 1372672 Bytes 11/19/2009 00:29:14

VBASE002.VDF : 7.10.3.1 3143680 Bytes 1/20/2010 00:29:17

VBASE003.VDF : 7.10.3.75 996864 Bytes 1/26/2010 00:29:18

VBASE004.VDF : 7.10.4.203 1579008 Bytes 3/5/2010 05:12:37

VBASE005.VDF : 7.10.4.204 2048 Bytes 3/5/2010 05:12:37

VBASE006.VDF : 7.10.4.205 2048 Bytes 3/5/2010 05:12:37

VBASE007.VDF : 7.10.4.206 2048 Bytes 3/5/2010 05:12:37

VBASE008.VDF : 7.10.4.207 2048 Bytes 3/5/2010 05:12:38

VBASE009.VDF : 7.10.4.208 2048 Bytes 3/5/2010 05:12:38

VBASE010.VDF : 7.10.4.209 2048 Bytes 3/5/2010 05:12:38

VBASE011.VDF : 7.10.4.210 2048 Bytes 3/5/2010 05:12:38

VBASE012.VDF : 7.10.4.211 2048 Bytes 3/5/2010 05:12:38

VBASE013.VDF : 7.10.4.242 153088 Bytes 3/8/2010 05:12:45

VBASE014.VDF : 7.10.5.17 99328 Bytes 3/10/2010 05:12:49

VBASE015.VDF : 7.10.5.44 107008 Bytes 3/11/2010 11:01:39

VBASE016.VDF : 7.10.5.69 92672 Bytes 3/12/2010 13:51:13

VBASE017.VDF : 7.10.5.91 119808 Bytes 3/15/2010 14:09:20

VBASE018.VDF : 7.10.5.121 112640 Bytes 3/18/2010 14:45:20

VBASE019.VDF : 7.10.5.122 2048 Bytes 3/18/2010 14:45:20

VBASE020.VDF : 7.10.5.123 2048 Bytes 3/18/2010 14:45:20

VBASE021.VDF : 7.10.5.124 2048 Bytes 3/18/2010 14:45:20

VBASE022.VDF : 7.10.5.125 2048 Bytes 3/18/2010 14:45:54

VBASE023.VDF : 7.10.5.126 2048 Bytes 3/18/2010 14:45:55

VBASE024.VDF : 7.10.5.127 2048 Bytes 3/18/2010 14:47:00

VBASE025.VDF : 7.10.5.128 2048 Bytes 3/18/2010 14:50:07

VBASE026.VDF : 7.10.5.129 2048 Bytes 3/18/2010 14:50:08

VBASE027.VDF : 7.10.5.130 2048 Bytes 3/18/2010 14:50:08

VBASE028.VDF : 7.10.5.131 2048 Bytes 3/18/2010 14:50:08

VBASE029.VDF : 7.10.5.132 2048 Bytes 3/18/2010 14:50:08

VBASE030.VDF : 7.10.5.133 2048 Bytes 3/18/2010 14:50:08

VBASE031.VDF : 7.10.5.134 16384 Bytes 3/18/2010 14:50:08

Engineversion : 8.2.1.194

AEVDF.DLL : 8.1.1.3 106868 Bytes 2/26/2010 00:29:24

AESCRIPT.DLL : 8.1.3.18 1024378 Bytes 3/17/2010 15:20:47

AESCN.DLL : 8.1.5.0 127347 Bytes 2/26/2010 00:29:24

AESBX.DLL : 8.1.2.1 254323 Bytes 3/17/2010 15:20:50

AERDL.DLL : 8.1.4.3 541043 Bytes 3/17/2010 15:20:28

AEPACK.DLL : 8.2.1.0 426356 Bytes 3/3/2010 04:40:26

AEOFFICE.DLL : 8.1.0.41 201083 Bytes 3/17/2010 15:20:18

AEHEUR.DLL : 8.1.1.13 2470262 Bytes 3/17/2010 15:20:14

AEHELP.DLL : 8.1.10.2 237941 Bytes 3/17/2010 15:19:17

AEGEN.DLL : 8.1.2.2 373107 Bytes 3/17/2010 15:19:14

AEEMU.DLL : 8.1.1.0 393587 Bytes 11/8/2009 12:38:26

AECORE.DLL : 8.1.12.3 188789 Bytes 3/17/2010 15:19:08

AEBB.DLL : 8.1.0.3 53618 Bytes 11/8/2009 12:38:20

AVWINLL.DLL : 9.0.0.3 18177 Bytes 12/12/2008 13:47:59

AVPREF.DLL : 9.0.3.0 44289 Bytes 8/26/2009 20:14:02

AVREP.DLL : 8.0.0.7 159784 Bytes 2/26/2010 00:29:24

AVREG.DLL : 9.0.0.0 36609 Bytes 12/5/2008 15:32:09

AVARKT.DLL : 9.0.0.3 292609 Bytes 3/24/2009 20:05:41

AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 1/30/2009 15:37:08

SQLITE3.DLL : 3.6.1.0 326401 Bytes 1/28/2009 20:03:49

SMTPLIB.DLL : 9.2.0.25 28417 Bytes 2/2/2009 13:21:33

NETNT.DLL : 9.0.0.0 11521 Bytes 12/5/2008 15:32:10

RCIMAGE.DLL : 9.0.0.25 2438913 Bytes 5/15/2009 20:39:58

RCTEXT.DLL : 9.0.73.0 86785 Bytes 10/13/2009 17:25:47

Configuration settings for the scan:

Jobname.............................: Complete system scan

Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp

Logging.............................: low

Primary action......................: interactive

Secondary action....................: ignore

Scan master boot sector.............: on

Scan boot sector....................: on

Boot sectors........................: C:, D:,

Process scan........................: on

Scan registry.......................: on

Search for rootkits.................: on

Integrity checking of system files..: off

Scan all files......................: All files

Scan archives.......................: on

Recursion depth.....................: 20

Smart extensions....................: on

Macro heuristic.....................: on

File heuristic......................: medium

Deviating risk categories...........: +JOKE,+PFS,

Start of the scan: Thursday, March 18, 2010 13:54

Starting search for hidden objects.

'119303' objects were checked, '0' hidden objects were found.

The scan of running processes will be started

Scan process 'avscan.exe' - '1' Module(s) have been scanned

Scan process 'avscan.exe' - '1' Module(s) have been scanned

Scan process 'avcenter.exe' - '1' Module(s) have been scanned

Scan process 'explorer.exe' - '1' Module(s) have been scanned

Scan process 'taskeng.exe' - '1' Module(s) have been scanned

Scan process 'unsecapp.exe' - '1' Module(s) have been scanned

Scan process 'mobsync.exe' - '1' Module(s) have been scanned

Scan process 'WmiPrvSE.exe' - '1' Module(s) have been scanned

Scan process 'wmpnetwk.exe' - '1' Module(s) have been scanned

Scan process 'iPodService.exe' - '1' Module(s) have been scanned

Scan process 'WUDFHost.exe' - '1' Module(s) have been scanned

Scan process 'SearchIndexer.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'nvSCPAPISvr.exe' - '1' Module(s) have been scanned

Scan process 'sprtsvc.exe' - '1' Module(s) have been scanned

Scan process 'RoxWatch9.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'nTuneService.exe' - '1' Module(s) have been scanned

Scan process 'mDNSResponder.exe' - '1' Module(s) have been scanned

Scan process 'AppleMobileDeviceService.exe' - '1' Module(s) have been scanned

Scan process 'avguard.exe' - '1' Module(s) have been scanned

Scan process 'ehmsas.exe' - '1' Module(s) have been scanned

Scan process 'wmpnscfg.exe' - '1' Module(s) have been scanned

Scan process 'ehtray.exe' - '1' Module(s) have been scanned

Scan process 'avgnt.exe' - '1' Module(s) have been scanned

Scan process 'iTunesHelper.exe' - '1' Module(s) have been scanned

Scan process 'LifeChat.exe' - '1' Module(s) have been scanned

Scan process 'RtHDVCpl.exe' - '1' Module(s) have been scanned

Scan process 'sprtcmd.exe' - '1' Module(s) have been scanned

Scan process 'GrooveMonitor.exe' - '1' Module(s) have been scanned

Scan process 'nvraidservice.exe' - '1' Module(s) have been scanned

Scan process 'MSASCui.exe' - '1' Module(s) have been scanned

Scan process 'dwm.exe' - '1' Module(s) have been scanned

Scan process 'taskeng.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'sched.exe' - '1' Module(s) have been scanned

Scan process 'spoolsv.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'nvvsvc.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'SLsvc.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'audiodg.exe' - '0' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'nvvsvc.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'lsm.exe' - '1' Module(s) have been scanned

Scan process 'lsass.exe' - '1' Module(s) have been scanned

Scan process 'winlogon.exe' - '1' Module(s) have been scanned

Scan process 'services.exe' - '1' Module(s) have been scanned

Scan process 'csrss.exe' - '1' Module(s) have been scanned

Scan process 'wininit.exe' - '1' Module(s) have been scanned

Scan process 'csrss.exe' - '1' Module(s) have been scanned

Scan process 'smss.exe' - '1' Module(s) have been scanned

58 processes with 58 modules were scanned

Starting master boot sector scan:

Master boot sector HD0

[INFO] No virus was found!

Master boot sector HD1

[INFO] No virus was found!

[INFO] Please restart the search with Administrator rights

Start scanning boot sectors:

Boot sector 'C:\'

[INFO] No virus was found!

Boot sector 'D:\'

[INFO] No virus was found!

Starting to scan executable files (registry).

The registry was scanned ( '39' files ).

Starting the file scan:

Begin scan in 'C:\' <OS>

C:\hiberfil.sys

[WARNING] The file could not be opened!

[NOTE] This file is a Windows system file.

[NOTE] This file cannot be opened for scanning.

C:\pagefile.sys

[WARNING] The file could not be opened!

[NOTE] This file is a Windows system file.

[NOTE] This file cannot be opened for scanning.

Begin scan in 'D:\' <RECOVERY>

End of the scan: Thursday, March 18, 2010 15:13

Used time: 1:19:10 Hour(s)

The scan has been done completely.

30298 Scanned directories

472609 Files were scanned

0 Viruses and/or unwanted programs were found

0 Files were classified as suspicious

0 files were deleted

0 Viruses and unwanted programs were repaired

0 Files were moved to quarantine

0 Files were renamed

2 Files cannot be scanned

472607 Files not concerned

4204 Archives were scanned

2 Warnings

2 Notes

119303 Objects were scanned with rootkit scan

0 Hidden objects were found

HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 3:23:12 PM, on 3/18/2010

Platform: Windows Vista SP2 (WinNT 6.00.1906)

MSIE: Internet Explorer v7.00 (7.00.6002.18005)

Boot mode: Normal

Running processes:

C:\Windows\system32\Dwm.exe

C:\Windows\system32\taskeng.exe

C:\Windows\Explorer.EXE

C:\Program Files\Windows Defender\MSASCui.exe

C:\Windows\System32\nvraidservice.exe

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\Program Files\Spyware Terminator\SpywareTerminatorShield.Exe

C:\Program Files\Dell Support Center\bin\sprtcmd.exe

C:\Windows\RtHDVCpl.exe

C:\Program Files\Microsoft LifeChat\LifeChat.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\Windows\ehome\ehtray.exe

C:\Program Files\Windows Media Player\wmpnscfg.exe

C:\Windows\ehome\ehmsas.exe

C:\Windows\System32\mobsync.exe

C:\Windows\system32\wbem\unsecapp.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.washingtonpost.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O1 - Hosts: ::1 localhost

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll

O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll

O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide

O4 - HKLM\..\Run: [skytel] Skytel.exe

O4 - HKLM\..\Run: [NVRaidService] C:\Windows\system32\nvraidservice.exe

O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"

O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"

O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

O4 - HKLM\..\Run: [spywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"

O4 - HKLM\..\Run: [dellsupportcenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P dellsupportcenter

O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe

O4 - HKLM\..\Run: [LifeChat] "C:\Program Files\Microsoft LifeChat\LifeChat.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min

O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe

O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" resetprofile

O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe

O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE

O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL

O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe

O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Performance Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe

O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe

O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe

O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe

O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe

O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe

O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe

O23 - Service: NVIDIA Stereoscopic 3D Driver Service (Stereo Service) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe

O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

--

End of file - 6339 bytes

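The HijackThis O4 (autostart) and O23 (service) lines above are the part of the log a helper reads first, because that is where a rogue-antivirus dropper such as ave.exe has to register itself to survive a reboot. The following is an added example, written for this thread and not code from Trend Micro or from this forum: a small parser that turns O4/O23 lines into records and flags the ones worth a second look (a bare filename with no directory, a binary running from a user-profile or temp location, or a service with no publisher). The sample lines are constructed for the example; the last two entries (`example.exe`, `examplesvc`) are made up to show what a flagged entry looks like and do not come from the poster's log.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample in HijackThis v2 format (assumption: illustrative data only).
# The "example" entries are made up to show flagged output.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [skytel] Skytel.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O4 - HKCU\..\Run: [example] "C:\Users\someone\AppData\Local\example.exe"
O23 - Service: example service (examplesvc) - Unknown owner - C:\Users\someone\AppData\Local\Temp\examplesvc.exe
"""

# Every HijackThis entry starts with a section code (R0, O4, O23, ...).
ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.+)$")
# O4: HKLM\..\Run: [Name] command line
O4_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\Run\w*: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O23: Service: Display name (short) - Company - path
O23_RE = re.compile(r"^Service: (?P<display>.+?) - (?P<company>.+?) - (?P<path>.+)$")

TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\", "%programfiles%\\")
USER_WRITABLE_MARKERS = ("c:\\users\\", "\\appdata\\", "\\temp\\", "%appdata%", "%temp%")


@dataclass
class Entry:
    code: str
    name: str
    path: str
    company: Optional[str] = None
    flags: List[str] = field(default_factory=list)


def executable_from_command(cmd: str) -> str:
    """Pull the executable out of a Run-key command line (quoted, or ending in .exe)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(?i)(.+?\.exe)(\s|$)", cmd)
    if m:
        return m.group(1)
    return cmd.split()[0] if cmd else ""


def triage(path: str, company: Optional[str] = None) -> List[str]:
    """Return the reasons an entry deserves a closer look (empty list = nothing notable)."""
    flags: List[str] = []
    p = path.lower()
    if "\\" not in p:
        flags.append("bare filename: resolved through the search path, location unverified")
    elif any(marker in p for marker in USER_WRITABLE_MARKERS):
        flags.append("runs from a user-writable profile/temp location")
    elif not p.startswith(TRUSTED_PREFIXES):
        flags.append("outside Program Files / Windows")
    if company is not None and company.lower() == "unknown owner":
        flags.append("service has no publisher (Unknown owner)")
    return flags


def parse_log(text: str) -> List[Entry]:
    """Parse O4 and O23 lines; other sections are skipped."""
    entries: List[Entry] = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        code, body = m.group("code"), m.group("body")
        if code == "O4":
            o4 = O4_RE.match(body)
            if o4:
                exe = executable_from_command(o4.group("cmd"))
                entries.append(Entry(code, o4.group("name"), exe, None, triage(exe)))
        elif code == "O23":
            o23 = O23_RE.match(body)
            if o23:
                exe = executable_from_command(o23.group("path"))
                company = o23.group("company")
                entries.append(Entry(code, o23.group("display"), exe, company, triage(exe, company)))
    return entries


def flagged(entries: List[Entry]) -> List[Entry]:
    return [e for e in entries if e.flags]


if __name__ == "__main__":
    for e in flagged(parse_log(SAMPLE_LOG)):
        print(f"{e.code} {e.name!r} -> {e.path}: {'; '.join(e.flags)}")
```

A flag is a reason to verify the file (publisher, location, whether you installed it), not a verdict: `Skytel.exe` in the poster's log is flagged only because the Run value gives no directory, which is exactly why a helper checks such entries by hand rather than trusting the name.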

Good! I think we're done! :)

Here are some final steps:

Step 1:

Please manually delete DDS and JavaRa.

Step 2:

* Go to start > run and copy and paste next command in the field:

ComboFix /uninstall

Make sure there's a space between Combofix and /

Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Step 3:

Some preventions:

http://miekiemoes.blogspot.com/2008/02/how...nt-malware.html

Safe surfing! :)

