Help: Avira found 2 viruses BOO/Sinowal.F & can't quarantine or delete



Hi

PC runs XP Service Pack 3 & Avira Antivirus, plus Malwarebytes.

Can't update Malwarebytes on user account pages; get the following message:

Error has occured. Please report error code to our support team.

PROGRAM_ERROR_UPDATING(5,0,Createfile)

Acces is denied.

But can update on the Administrator account.

Have got two detections of malware, both the same apart from the different boot sector, on 7th Feb.

E is my backup hard drive; does this mean the virus has access to this? The Avira detection for E only occurred on yesterday's scan.

The file 'Boot sector 'E:\''

contained a virus or unwanted program 'BOO/Sinowal.F' [virus]

Action(s) taken:

Contains code of the BOO/Sinowal.F boot sector virus.

The boot sector was not written!

Also

The file 'Master boot sector HD1'

contained a virus or unwanted program 'BOO/Sinowal.F' [virus]

Action(s) taken:

Contains code of the BOO/Sinowal.F boot sector virus.

The boot sector was not written!

On Events, noticed this as far back as 08/01/2011:

The file 'Master boot sector HD1'

contained a virus or unwanted program 'BOO/Sinowal.F' [virus]

Action(s) taken:

Contains code of the BOO/Sinowal.F boot sector virus.

The boot sector was not written!

Avira doesn't give the option to delete or quarantine.

As Malwarebytes isn't updating, could the virus have disabled this?

Have tried to look for info on the net for this and came across this http://www.geekstogo.com/forum/topic...9-boosinowalf/ which really alarmed me.

Unfortunately my husband uses this PC & hadn't taken on board the significance of Avira failing to remove the malware! Avira records only go back to the beginning of Jan & there are continued records from then of the virus being on Master Boot HD1. Have only found out about this this morning!

This is the Avira scan from Notepad:

Avira AntiVir Personal

Report file date: 07 February 2011 10:14

Scanning for 2456743 virus strains and unwanted programs.

The program is running as an unrestricted full version.

Online services are available:

Licensee : Avira AntiVir Personal - FREE Antivirus

Serial number : 0000149996-ADJIE-0000001

Platform : Windows XP

Windows version : (Service Pack 3) [5.1.2600]

Boot mode : Normally booted

Username : SYSTEM

Computer name : USER-Q9NPIFAZX8

Version information:

BUILD.DAT : 10.0.0.611 31824 Bytes 14/01/2011 13:42:00

AVSCAN.EXE : 10.0.3.5 435368 Bytes 08/12/2010 10:31:50

AVSCAN.DLL : 10.0.3.0 46440 Bytes 01/04/2010 12:57:04

LUKE.DLL : 10.0.3.2 104296 Bytes 08/12/2010 10:31:52

LUKERES.DLL : 10.0.0.1 12648 Bytes 10/02/2010 23:40:49

VBASE000.VDF : 7.10.0.0 19875328 Bytes 06/11/2009 09:05:36

VBASE001.VDF : 7.11.0.0 13342208 Bytes 14/12/2010 10:31:48

VBASE002.VDF : 7.11.0.1 2048 Bytes 14/12/2010 10:31:48

VBASE003.VDF : 7.11.0.2 2048 Bytes 14/12/2010 10:31:48

VBASE004.VDF : 7.11.0.3 2048 Bytes 14/12/2010 10:31:48

VBASE005.VDF : 7.11.0.4 2048 Bytes 14/12/2010 10:31:48

VBASE006.VDF : 7.11.0.5 2048 Bytes 14/12/2010 10:31:48

VBASE007.VDF : 7.11.0.6 2048 Bytes 14/12/2010 10:31:48

VBASE008.VDF : 7.11.0.7 2048 Bytes 14/12/2010 10:31:48

VBASE009.VDF : 7.11.0.8 2048 Bytes 14/12/2010 10:31:48

VBASE010.VDF : 7.11.0.9 2048 Bytes 14/12/2010 10:31:48

VBASE011.VDF : 7.11.0.10 2048 Bytes 14/12/2010 10:31:48

VBASE012.VDF : 7.11.0.11 2048 Bytes 14/12/2010 10:31:48

VBASE013.VDF : 7.11.0.52 128000 Bytes 16/12/2010 11:53:08

VBASE014.VDF : 7.11.0.91 226816 Bytes 20/12/2010 10:31:26

VBASE015.VDF : 7.11.0.122 136192 Bytes 21/12/2010 14:29:05

VBASE016.VDF : 7.11.0.156 122880 Bytes 24/12/2010 12:29:36

VBASE017.VDF : 7.11.0.185 146944 Bytes 27/12/2010 10:31:25

VBASE018.VDF : 7.11.0.228 132608 Bytes 30/12/2010 17:50:36

VBASE019.VDF : 7.11.1.5 148480 Bytes 03/01/2011 10:31:26

VBASE020.VDF : 7.11.1.37 156672 Bytes 07/01/2011 10:31:32

VBASE021.VDF : 7.11.1.65 140800 Bytes 10/01/2011 18:47:26

VBASE022.VDF : 7.11.1.87 225280 Bytes 11/01/2011 10:31:26

VBASE023.VDF : 7.11.1.124 125440 Bytes 14/01/2011 10:31:35

VBASE024.VDF : 7.11.1.155 132096 Bytes 17/01/2011 16:07:31

VBASE025.VDF : 7.11.1.189 451072 Bytes 20/01/2011 16:07:53

VBASE026.VDF : 7.11.1.230 138752 Bytes 24/01/2011 10:31:26

VBASE027.VDF : 7.11.2.12 164352 Bytes 27/01/2011 10:31:28

VBASE028.VDF : 7.11.2.43 178176 Bytes 01/02/2011 14:35:22

VBASE029.VDF : 7.11.2.78 206336 Bytes 04/02/2011 10:31:28

VBASE030.VDF : 7.11.2.79 2048 Bytes 04/02/2011 10:31:28

VBASE031.VDF : 7.11.2.80 2048 Bytes 04/02/2011 10:31:28

Engineversion : 8.2.4.162

AEVDF.DLL : 8.1.2.1 106868 Bytes 30/07/2010 15:28:55

AESCRIPT.DLL : 8.1.3.53 1282427 Bytes 31/01/2011 10:31:54

AESCN.DLL : 8.1.7.2 127349 Bytes 23/11/2010 17:09:23

AESBX.DLL : 8.1.3.2 254324 Bytes 23/11/2010 17:09:37

AERDL.DLL : 8.1.9.2 635252 Bytes 22/09/2010 14:28:48

AEPACK.DLL : 8.2.4.9 512374 Bytes 31/01/2011 10:31:51

AEOFFICE.DLL : 8.1.1.16 205179 Bytes 31/01/2011 10:31:46

AEHEUR.DLL : 8.1.2.73 3207541 Bytes 04/02/2011 10:31:33

AEHELP.DLL : 8.1.16.1 246134 Bytes 04/02/2011 10:31:27

AEGEN.DLL : 8.1.5.2 397683 Bytes 20/01/2011 16:08:15

AEEMU.DLL : 8.1.3.0 393589 Bytes 23/11/2010 17:08:59

AECORE.DLL : 8.1.19.2 196983 Bytes 20/01/2011 16:08:06

AEBB.DLL : 8.1.1.0 53618 Bytes 05/06/2010 19:13:12

AVWINLL.DLL : 10.0.0.0 19304 Bytes 14/01/2010 12:03:38

AVPREF.DLL : 10.0.0.0 44904 Bytes 14/01/2010 12:03:35

AVREP.DLL : 10.0.0.8 62209 Bytes 18/02/2010 16:47:40

AVREG.DLL : 10.0.3.2 53096 Bytes 03/11/2010 10:33:00

AVSCPLR.DLL : 10.0.3.2 84328 Bytes 08/12/2010 10:31:51

AVARKT.DLL : 10.0.22.6 231784 Bytes 08/12/2010 10:31:47

AVEVTLOG.DLL : 10.0.0.8 203112 Bytes 26/01/2010 09:53:30

SQLITE3.DLL : 3.6.19.0 355688 Bytes 28/01/2010 12:57:58

AVSMTP.DLL : 10.0.0.17 63848 Bytes 16/03/2010 15:38:56

NETNT.DLL : 10.0.0.0 11624 Bytes 19/02/2010 14:41:00

RCIMAGE.DLL : 10.0.0.26 2550120 Bytes 28/01/2010 13:10:20

RCTEXT.DLL : 10.0.58.0 97128 Bytes 03/11/2010 10:33:00

Configuration settings for the scan:

Jobname.............................: Complete system scan

Configuration file..................: C:\Program Files\Avira\AntiVir Desktop\sysscan.avp

Logging.............................: low

Primary action......................: interactive

Secondary action....................: ignore

Scan master boot sector.............: on

Scan boot sector....................: on

Boot sectors........................: C:, E:,

Process scan........................: on

Extended process scan...............: on

Scan registry.......................: on

Search for rootkits.................: on

Integrity checking of system files..: off

Scan all files......................: All files

Scan archives.......................: on

Recursion depth.....................: 20

Smart extensions....................: on

Macro heuristic.....................: on

File heuristic......................: medium

Start of the scan: 07 February 2011 10:14

Starting search for hidden objects.

HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NtmsSvc\Config\Standalone\drivelist

[NOTE] The registry entry is invisible.

The scan of running processes will be started

Scan process 'iexplore.exe' - '131' Module(s) have been scanned

Scan process 'msdtc.exe' - '40' Module(s) have been scanned

Scan process 'dllhost.exe' - '59' Module(s) have been scanned

Scan process 'dllhost.exe' - '45' Module(s) have been scanned

Scan process 'vssvc.exe' - '48' Module(s) have been scanned

Scan process 'avscan.exe' - '70' Module(s) have been scanned

Scan process 'avcenter.exe' - '63' Module(s) have been scanned

Scan process 'iexplore.exe' - '103' Module(s) have been scanned

Scan process 'alg.exe' - '33' Module(s) have been scanned

Scan process 'iexplore.exe' - '101' Module(s) have been scanned

Scan process 'svchost.exe' - '39' Module(s) have been scanned

Scan process 'sqlwriter.exe' - '53' Module(s) have been scanned

Scan process 'sqlbrowser.exe' - '17' Module(s) have been scanned

Scan process 'dpupdchk.exe' - '25' Module(s) have been scanned

Scan process 'DLG.exe' - '23' Module(s) have been scanned

Scan process 'GoogleToolbarNotifier.exe' - '54' Module(s) have been scanned

Scan process 'ctfmon.exe' - '25' Module(s) have been scanned

Scan process 'avgnt.exe' - '45' Module(s) have been scanned

Scan process 'ipoint.exe' - '55' Module(s) have been scanned

Scan process 'itype.exe' - '48' Module(s) have been scanned

Scan process 'smax4pnp.exe' - '35' Module(s) have been scanned

Scan process 'avshadow.exe' - '26' Module(s) have been scanned

Scan process 'sqlservr.exe' - '53' Module(s) have been scanned

Scan process 'MDM.EXE' - '21' Module(s) have been scanned

Scan process 'avguard.exe' - '53' Module(s) have been scanned

Scan process 'Explorer.EXE' - '83' Module(s) have been scanned

Scan process 'svchost.exe' - '34' Module(s) have been scanned

Scan process 'sched.exe' - '43' Module(s) have been scanned

Scan process 'spoolsv.exe' - '55' Module(s) have been scanned

Scan process 'svchost.exe' - '37' Module(s) have been scanned

Scan process 'svchost.exe' - '32' Module(s) have been scanned

Scan process 'svchost.exe' - '168' Module(s) have been scanned

Scan process 'svchost.exe' - '38' Module(s) have been scanned

Scan process 'svchost.exe' - '53' Module(s) have been scanned

Scan process 'Ati2evxx.exe' - '13' Module(s) have been scanned

Scan process 'lsass.exe' - '59' Module(s) have been scanned

Scan process 'services.exe' - '33' Module(s) have been scanned

Scan process 'winlogon.exe' - '71' Module(s) have been scanned

Scan process 'csrss.exe' - '12' Module(s) have been scanned

Scan process 'smss.exe' - '2' Module(s) have been scanned

Starting master boot sector scan:

Master boot sector HD0

[INFO] No virus was found!

Master boot sector HD1

[DETECTION] Contains code of the BOO/Sinowal.F boot sector virus

[NOTE] The boot sector was not written!

Master boot sector HD2

[INFO] No virus was found!

Master boot sector HD3

[INFO] No virus was found!

Master boot sector HD4

[INFO] No virus was found!

Master boot sector HD5

[INFO] No virus was found!

Start scanning boot sectors:

Boot sector 'C:\'

[INFO] No virus was found!

Boot sector 'E:\'

[DETECTION] Contains code of the BOO/Sinowal.F boot sector virus

[NOTE] The boot sector was not written!

Starting to scan executable files (registry).

The registry was scanned ( '259' files ).

Starting the file scan:

Begin scan in 'C:\'

Begin scan in 'E:\' <My Book>

End of the scan: 07 February 2011 11:00

Used time: 46:11 Minute(s)

The scan has been done completely.

6171 Scanned directories

392716 Files were scanned

2 Viruses and/or unwanted programs were found

0 Files were classified as suspicious

0 files were deleted

0 Viruses and unwanted programs were repaired

0 Files were moved to quarantine

0 Files were renamed

0 Files cannot be scanned

392716 Files not concerned

1326 Archives were scanned

0 Warnings

2 Notes

294341 Objects were scanned with rootkit scan

1 Hidden objects were found

Did scans of Avira & Malwarebytes in Safe Mode & Malwarebytes discovered the following:

Content.IE5\DRFINDMY\pack[1].exe(Rogue.SecurityShield)

Content.IE5\DRFINDMY\pack[2].exe(Rogue.SecurityShield)

Avira finished scanning but said the scan was clear.

On Malwarebytes I quarantined & then deleted both & was prompted to reboot, which I did.

Then re-scanned in normal mode using Avira & Malwarebytes; both scanned OK with no virus or malware found.

As the virus had been found on the E external hard drive, I had unplugged it for safety. When I plug the E drive back into the PC I keep getting a Guard message: Autorun blocked. Access to the file E:\autorun.inf was blocked for your security. This happens twice in quick succession.

Did an update & Malwarebytes scan, and also an Avira scan, both including the E backup hard drive.

Malwarebytes said there were no detections & that the scan was OK.

Avira said there were 2 detections -

But after running Avira twice (ran Malwarebytes at the same time - Malwarebytes said there were no detections in either) it was reporting a different problem on the master boot sector, the 1st being HD1 & the 2nd being HD5 in the two separate run times!

Report finished at 21.23

Master boot sector HD1

[DETECTION] Contains code of the BOO/Sinowal.F boot sector virus

[NOTE] The boot sector was not written!

Boot sector 'E:\'

[DETECTION] Contains code of the BOO/Sinowal.F boot sector virus

[NOTE] The boot sector was not written!

Report finished at 20.01

Master boot sector HD5

[DETECTION] Contains code of the BOO/Sinowal.F boot sector virus

[NOTE] The boot sector was not written!

Start scanning boot sectors:

[DETECTION] Contains code of the BOO/Sinowal.F boot sector virus

[NOTE] The boot sector was not written!

Did both Avira & Malwarebytes scans with the E drive connected in Safe Mode and they were clear, no detections.

So did a further full scan with both Malwarebytes & Avira in normal mode, with the E drive connected, and again they were clear, no detections.

Posted the results of the last Malwarebytes, Avira & HijackThis scans below:

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 5706

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

07/02/2011 23:21:29

mbam-log-2011-02-07 (23-21-29).txt

Scan type: Full scan (C:\|D:\|E:\|)

Objects scanned: 225889

Time elapsed: 58 minute(s), 25 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Avira AntiVir Personal

Report file date: 07 February 2011 22:21

Scanning for 2461137 virus strains and unwanted programs.

The program is running as an unrestricted full version.

Online services are available:

Licensee : Avira AntiVir Personal - FREE Antivirus

Serial number : 0000149996-ADJIE-0000001

Platform : Windows XP

Windows version : (Service Pack 3) [5.1.2600]

Boot mode : Normally booted

Username : SYSTEM

Computer name : USER-Q9NPIFAZX8

Version information:

BUILD.DAT : 10.0.0.611 31824 Bytes 14/01/2011 13:42:00

AVSCAN.EXE : 10.0.3.5 435368 Bytes 08/12/2010 10:31:50

AVSCAN.DLL : 10.0.3.0 46440 Bytes 01/04/2010 12:57:04

LUKE.DLL : 10.0.3.2 104296 Bytes 08/12/2010 10:31:52

LUKERES.DLL : 10.0.0.1 12648 Bytes 10/02/2010 23:40:49

VBASE000.VDF : 7.10.0.0 19875328 Bytes 06/11/2009 09:05:36

VBASE001.VDF : 7.11.0.0 13342208 Bytes 14/12/2010 10:31:48

VBASE002.VDF : 7.11.0.1 2048 Bytes 14/12/2010 10:31:48

VBASE003.VDF : 7.11.0.2 2048 Bytes 14/12/2010 10:31:48

VBASE004.VDF : 7.11.0.3 2048 Bytes 14/12/2010 10:31:48

VBASE005.VDF : 7.11.0.4 2048 Bytes 14/12/2010 10:31:48

VBASE006.VDF : 7.11.0.5 2048 Bytes 14/12/2010 10:31:48

VBASE007.VDF : 7.11.0.6 2048 Bytes 14/12/2010 10:31:48

VBASE008.VDF : 7.11.0.7 2048 Bytes 14/12/2010 10:31:48

VBASE009.VDF : 7.11.0.8 2048 Bytes 14/12/2010 10:31:48

VBASE010.VDF : 7.11.0.9 2048 Bytes 14/12/2010 10:31:48

VBASE011.VDF : 7.11.0.10 2048 Bytes 14/12/2010 10:31:48

VBASE012.VDF : 7.11.0.11 2048 Bytes 14/12/2010 10:31:48

VBASE013.VDF : 7.11.0.52 128000 Bytes 16/12/2010 11:53:08

VBASE014.VDF : 7.11.0.91 226816 Bytes 20/12/2010 10:31:26

VBASE015.VDF : 7.11.0.122 136192 Bytes 21/12/2010 14:29:05

VBASE016.VDF : 7.11.0.156 122880 Bytes 24/12/2010 12:29:36

VBASE017.VDF : 7.11.0.185 146944 Bytes 27/12/2010 10:31:25

VBASE018.VDF : 7.11.0.228 132608 Bytes 30/12/2010 17:50:36

VBASE019.VDF : 7.11.1.5 148480 Bytes 03/01/2011 10:31:26

VBASE020.VDF : 7.11.1.37 156672 Bytes 07/01/2011 10:31:32

VBASE021.VDF : 7.11.1.65 140800 Bytes 10/01/2011 18:47:26

VBASE022.VDF : 7.11.1.87 225280 Bytes 11/01/2011 10:31:26

VBASE023.VDF : 7.11.1.124 125440 Bytes 14/01/2011 10:31:35

VBASE024.VDF : 7.11.1.155 132096 Bytes 17/01/2011 16:07:31

VBASE025.VDF : 7.11.1.189 451072 Bytes 20/01/2011 16:07:53

VBASE026.VDF : 7.11.1.230 138752 Bytes 24/01/2011 10:31:26

VBASE027.VDF : 7.11.2.12 164352 Bytes 27/01/2011 10:31:28

VBASE028.VDF : 7.11.2.43 178176 Bytes 01/02/2011 14:35:22

VBASE029.VDF : 7.11.2.78 206336 Bytes 04/02/2011 10:31:28

VBASE030.VDF : 7.11.2.79 2048 Bytes 04/02/2011 10:31:28

VBASE031.VDF : 7.11.2.92 66560 Bytes 07/02/2011 21:28:42

Engineversion : 8.2.4.162

AEVDF.DLL : 8.1.2.1 106868 Bytes 30/07/2010 15:28:55

AESCRIPT.DLL : 8.1.3.53 1282427 Bytes 31/01/2011 10:31:54

AESCN.DLL : 8.1.7.2 127349 Bytes 23/11/2010 17:09:23

AESBX.DLL : 8.1.3.2 254324 Bytes 23/11/2010 17:09:37

AERDL.DLL : 8.1.9.2 635252 Bytes 22/09/2010 14:28:48

AEPACK.DLL : 8.2.4.9 512374 Bytes 31/01/2011 10:31:51

AEOFFICE.DLL : 8.1.1.16 205179 Bytes 31/01/2011 10:31:46

AEHEUR.DLL : 8.1.2.73 3207541 Bytes 04/02/2011 10:31:33

AEHELP.DLL : 8.1.16.1 246134 Bytes 04/02/2011 10:31:27

AEGEN.DLL : 8.1.5.2 397683 Bytes 20/01/2011 16:08:15

AEEMU.DLL : 8.1.3.0 393589 Bytes 23/11/2010 17:08:59

AECORE.DLL : 8.1.19.2 196983 Bytes 20/01/2011 16:08:06

AEBB.DLL : 8.1.1.0 53618 Bytes 05/06/2010 19:13:12

AVWINLL.DLL : 10.0.0.0 19304 Bytes 14/01/2010 12:03:38

AVPREF.DLL : 10.0.0.0 44904 Bytes 14/01/2010 12:03:35

AVREP.DLL : 10.0.0.8 62209 Bytes 18/02/2010 16:47:40

AVREG.DLL : 10.0.3.2 53096 Bytes 03/11/2010 10:33:00

AVSCPLR.DLL : 10.0.3.2 84328 Bytes 08/12/2010 10:31:51

AVARKT.DLL : 10.0.22.6 231784 Bytes 08/12/2010 10:31:47

AVEVTLOG.DLL : 10.0.0.8 203112 Bytes 26/01/2010 09:53:30

SQLITE3.DLL : 3.6.19.0 355688 Bytes 28/01/2010 12:57:58

AVSMTP.DLL : 10.0.0.17 63848 Bytes 16/03/2010 15:38:56

NETNT.DLL : 10.0.0.0 11624 Bytes 19/02/2010 14:41:00

RCIMAGE.DLL : 10.0.0.26 2550120 Bytes 28/01/2010 13:10:20

RCTEXT.DLL : 10.0.58.0 97128 Bytes 03/11/2010 10:33:00

Configuration settings for the scan:

Jobname.............................: Complete system scan

Configuration file..................: C:\Program Files\Avira\AntiVir Desktop\sysscan.avp

Logging.............................: low

Primary action......................: interactive

Secondary action....................: ignore

Scan master boot sector.............: on

Scan boot sector....................: on

Boot sectors........................: C:, E:,

Process scan........................: on

Extended process scan...............: on

Scan registry.......................: on

Search for rootkits.................: on

Integrity checking of system files..: off

Scan all files......................: All files

Scan archives.......................: on

Recursion depth.....................: 20

Smart extensions....................: on

Macro heuristic.....................: on

File heuristic......................: medium

Start of the scan: 07 February 2011 22:21

Starting search for hidden objects.

HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NtmsSvc\Config\Standalone\drivelist

[NOTE] The registry entry is invisible.

The scan of running processes will be started

Scan process 'notepad.exe' - '27' Module(s) have been scanned

Scan process 'notepad.exe' - '27' Module(s) have been scanned

Scan process 'dllhost.exe' - '45' Module(s) have been scanned

Scan process 'vssvc.exe' - '48' Module(s) have been scanned

Scan process 'avscan.exe' - '70' Module(s) have been scanned

Scan process 'mbam.exe' - '56' Module(s) have been scanned

Scan process 'avcenter.exe' - '71' Module(s) have been scanned

Scan process 'iexplore.exe' - '126' Module(s) have been scanned

Scan process 'iexplore.exe' - '70' Module(s) have been scanned

Scan process 'msdtc.exe' - '40' Module(s) have been scanned

Scan process 'dllhost.exe' - '59' Module(s) have been scanned

Scan process 'dpupdchk.exe' - '26' Module(s) have been scanned

Scan process 'DLG.exe' - '22' Module(s) have been scanned

Scan process 'GoogleToolbarNotifier.exe' - '54' Module(s) have been scanned

Scan process 'ctfmon.exe' - '25' Module(s) have been scanned

Scan process 'avgnt.exe' - '46' Module(s) have been scanned

Scan process 'ipoint.exe' - '54' Module(s) have been scanned

Scan process 'itype.exe' - '53' Module(s) have been scanned

Scan process 'smax4pnp.exe' - '35' Module(s) have been scanned

Scan process 'Explorer.EXE' - '88' Module(s) have been scanned

Scan process 'alg.exe' - '33' Module(s) have been scanned

Scan process 'svchost.exe' - '39' Module(s) have been scanned

Scan process 'avshadow.exe' - '26' Module(s) have been scanned

Scan process 'sqlwriter.exe' - '53' Module(s) have been scanned

Scan process 'sqlbrowser.exe' - '17' Module(s) have been scanned

Scan process 'sqlservr.exe' - '53' Module(s) have been scanned

Scan process 'MDM.EXE' - '21' Module(s) have been scanned

Scan process 'avguard.exe' - '53' Module(s) have been scanned

Scan process 'svchost.exe' - '34' Module(s) have been scanned

Scan process 'sched.exe' - '45' Module(s) have been scanned

Scan process 'spoolsv.exe' - '55' Module(s) have been scanned

Scan process 'svchost.exe' - '37' Module(s) have been scanned

Scan process 'svchost.exe' - '32' Module(s) have been scanned

Scan process 'svchost.exe' - '167' Module(s) have been scanned

Scan process 'svchost.exe' - '38' Module(s) have been scanned

Scan process 'svchost.exe' - '53' Module(s) have been scanned

Scan process 'Ati2evxx.exe' - '13' Module(s) have been scanned

Scan process 'lsass.exe' - '59' Module(s) have been scanned

Scan process 'services.exe' - '33' Module(s) have been scanned

Scan process 'winlogon.exe' - '74' Module(s) have been scanned

Scan process 'csrss.exe' - '12' Module(s) have been scanned

Scan process 'smss.exe' - '2' Module(s) have been scanned

Starting master boot sector scan:

Master boot sector HD0

[INFO] No virus was found!

Master boot sector HD1

[INFO] No virus was found!

Master boot sector HD2

[INFO] No virus was found!

Master boot sector HD3

[INFO] No virus was found!

Master boot sector HD4

[INFO] No virus was found!

Master boot sector HD5

[INFO] No virus was found!

Start scanning boot sectors:

Boot sector 'C:\'

[INFO] No virus was found!

Boot sector 'E:\'

[INFO] No virus was found!

Starting to scan executable files (registry).

The registry was scanned ( '360' files ).

Starting the file scan:

Begin scan in 'C:\'

Begin scan in 'E:\' <My Book>

End of the scan: 07 February 2011 23:34

Used time: 1:12:30 Hour(s)

The scan has been done completely.

6172 Scanned directories

387180 Files were scanned

0 Viruses and/or unwanted programs were found

0 Files were classified as suspicious

0 files were deleted

0 Viruses and unwanted programs were repaired

0 Files were moved to quarantine

0 Files were renamed

0 Files cannot be scanned

387180 Files not concerned

1322 Archives were scanned

0 Warnings

0 Notes

285558 Objects were scanned with rootkit scan

1 Hidden objects were found

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 23:36:59, on 07/02/2011

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe

C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe

C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe

C:\Program Files\Avira\AntiVir Desktop\avshadow.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\Program Files\Microsoft IntelliType Pro\itype.exe

C:\Program Files\Microsoft IntelliPoint\ipoint.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe

C:\WINDOWS\System32\dllhost.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\System32\dllhost.exe

C:\WINDOWS\System32\vssvc.exe

C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: Easy Photo Print - {9421DD08-935F-4701-A9CA-22DF90AC4EA6} - C:\Program Files\Epson Software\Easy Photo Print\EPTBL.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5805.1910\swg.dll

O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll

O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll

O3 - Toolbar: Easy Photo Print - {9421DD08-935F-4701-A9CA-22DF90AC4EA6} - C:\Program Files\Epson Software\Easy Photo Print\EPTBL.dll

O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O4 - HKLM\..\Run: [UIUCU] C:\DOCUME~1\David\LOCALS~1\Temp\UIUCU.EXE -CLEAN_UP -S

O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"

O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Digital Line Detect.lnk = ?

O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1272723293296

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll

O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe

O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe

O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: Google Software Updater (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)

--

End of file - 7131 bytes

Does this now mean the system is clear, or is the ****** just hiding in the Master Boot Record, getting all the info it wants from our PC, and not being detected by Malwarebytes or Avira anymore? Have done Avira & Malwarebytes full scans this morning & they are still clear.

Would really appreciate some advice, preferably not too technical, as all this is a bit daunting.

Also, Malwarebytes updates for users are still greyed out, i.e. can't update from a user account page, but can on Administrator, which then updates the users' accounts?

Sorry for such a huge post, look forward to your replies!

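Added example, not part of the original post and not Avira's or Malwarebytes' own code: a small Python parser for the Avira report format posted above. It reads each "Master boot sector HDn" / "Boot sector 'X:\'" target and the status line under it, lists which boot sectors carried a [DETECTION], cross-checks the "... were found" summary count against those hits, and diffs two reports so a change between runs (such as a detection that vanishes, or one that appears under a different HD index as the post describes) is visible at a glance. The two sample reports inside are constructed to mirror the posted lines; the function names are my own.

```python
"""Summarise boot-sector results from Avira AntiVir Personal report text.

Added example, not Avira's or Malwarebytes' code. It assumes only the line
formats visible in the reports posted in this thread; the two sample reports
below are constructed to mirror them.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# A scanned boot-sector target: "Master boot sector HD1" or "Boot sector 'E:\'".
TARGET_RE = re.compile(r"^(?:Master boot sector (HD\d+)|Boot sector '([A-Z]:\\)')$")
# Status lines that follow a target line. The forum rendering in this thread
# shows "[iNFO]", so the clean-line match is case-insensitive.
DETECT_RE = re.compile(r"^\[DETECTION\] Contains code of the (\S+) boot sector virus")
CLEAN_RE = re.compile(r"^\[INFO\] No virus was found!", re.IGNORECASE)
DATE_RE = re.compile(r"^Report file date: (.+)$")
SUMMARY_RE = re.compile(r"^(\d+) Viruses and/or unwanted programs were found")


@dataclass
class Report:
    date: str = ""
    # target ("HD1", "E:\") -> "clean" or the threat name reported for it
    results: Dict[str, str] = field(default_factory=dict)
    summary_count: Optional[int] = None


def parse_report(text: str) -> Report:
    """Walk the report line by line, attaching each status line to the
    boot-sector target announced just before it."""
    rep = Report()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = DATE_RE.match(line)
        if m:
            rep.date = m.group(1).strip()
            continue
        m = TARGET_RE.match(line)
        if m:
            current = m.group(1) or m.group(2)
            continue
        m = DETECT_RE.match(line)
        if m and current:
            rep.results[current] = m.group(1)
            continue
        if CLEAN_RE.match(line) and current:
            rep.results[current] = "clean"
            continue
        m = SUMMARY_RE.match(line)
        if m:
            rep.summary_count = int(m.group(1))
    return rep


def infected_targets(rep: Report) -> List[str]:
    """Boot sectors with a [DETECTION] line, in a stable order."""
    return sorted(t for t, status in rep.results.items() if status != "clean")


def boot_detections_explain_summary(rep: Report) -> bool:
    """True when the report's total detection count is fully accounted for by
    boot-sector hits, i.e. nothing else (files, registry) was flagged."""
    return rep.summary_count == len(infected_targets(rep))


def compare_reports(before: Report, after: Report) -> Dict[str, Tuple[str, str]]:
    """Targets whose status changed between two reports, e.g. a detection that
    disappeared after cleaning. Caveat: HDn is an enumeration index, so with
    removable disks attached the same physical disk can appear under a
    different HDn from one run to the next; compare by device where possible."""
    changes = {}
    for t in sorted(set(before.results) | set(after.results)):
        b = before.results.get(t, "not scanned")
        a = after.results.get(t, "not scanned")
        if a != b:
            changes[t] = (b, a)
    return changes


# Constructed sample reports in the thread's format, abridged to relevant lines.
REPORT_BEFORE = """
Report file date: 07 February 2011 10:14
Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Master boot sector HD1
[DETECTION] Contains code of the BOO/Sinowal.F boot sector virus
[NOTE] The boot sector was not written!
Master boot sector HD2
[INFO] No virus was found!
Start scanning boot sectors:
Boot sector 'C:\\'
[INFO] No virus was found!
Boot sector 'E:\\'
[DETECTION] Contains code of the BOO/Sinowal.F boot sector virus
[NOTE] The boot sector was not written!
2 Viruses and/or unwanted programs were found
"""

REPORT_AFTER = """
Report file date: 07 February 2011 22:21
Master boot sector HD0
[iNFO] No virus was found!
Master boot sector HD1
[iNFO] No virus was found!
Master boot sector HD2
[iNFO] No virus was found!
Boot sector 'C:\\'
[iNFO] No virus was found!
Boot sector 'E:\\'
[iNFO] No virus was found!
0 Viruses and/or unwanted programs were found
"""

if __name__ == "__main__":
    before, after = parse_report(REPORT_BEFORE), parse_report(REPORT_AFTER)
    print(before.date, "infected:", infected_targets(before))
    print(after.date, "changes since previous run:", compare_reports(before, after))
```

Feeding it the two full reports from the post gives the same picture the post describes in words: two boot-sector hits (HD1 and E:\) that fully explain the "2 Viruses" summary in the morning report, and nothing left in the evening report. Because the parser keys results on Avira's HD index, a hit that appears on HD5 in one run and HD1 in the next shows up as two separate changes; that is exactly the case where the device identity, not the index, is what needs checking.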

Hello and welcome, oliveoil:

Sorry to hear that your computer is infected.

Sounds like you could use some help from the malware experts.

There are 3 options:

1) run a few preliminary scans & start a thread at the HJT forum;

2) start a support ticket (free for paid users of MBAM PRO);

3) try one of the premium, fee-based support options.

Alas, we do not work on malware removal in this particular sub-forum.

Instructions on how to proceed are posted in the 2nd Important Topic pinned at the top of this forum: "I'm Infected - What Do I Do Now?".

OPTION 1:

Free, expert assistance can be found at the malware removal-HJT forum.

Please go to this page, print out, read and follow as many instructions as you can, skipping any you are unable to complete:

http://forums.malwarebytes.org/index.php?showtopic=69723

Then please describe your computer's symptoms as best you can and post the requested logs by starting a new thread here:

http://forums.malwarebytes.org/index.php?showforum=7

One of the authorized, trained experts will then assist you as soon as possible.

When you post, please be sure to select Track This Topic & choose one of the email options, so that you will be notified when someone responds; allow 24-48 hours before bumping your thread.

OPTION 2:

Alternatively, as a paying customer, you may wish to start a support ticket by contacting support at: support@malwarebytes.org.

OPTION 3:

Premium, fee-based support options here:

http://www.malwarebytes.org/premium-support.php

Also, please use the "Add Reply" button when replying here & at the other boards, so that it will be easier for everyone to follow the thread.

I hope this gets you started on cleaning up your system,

daledoc1
