Author Topic: TR/Crypt.XPACK.Gen [Trojan] and Avira's Response  (Read 29235 times)


Tatterdemalion

    Topic Starter


    Intermediate

    TR/Crypt.XPACK.Gen [Trojan] and Avira's Response
    « on: June 11, 2014, 10:28:49 AM »
    Hi

    I am running a Windows XP Professional laptop with Avira Free Anti Virus. The real-time protection element of this software has detected 'TR/Crypt.XPACK.Gen [trojan]'.

    It highlighted it initially as a .dll file in my e.mail program. It said it was called "sqlite.dll" and asked if I would like to remove it.

    I said YES.

    It said it had deleted the rogue file.

    I then checked the location of sqlite file. It was NOT there. What WAS there was a file called "sqlite3" with a "3". I ran the virus checker on that and it said it was O.K. so I assume it is a legitimate file.

    I looked in my Avira log and found THREE events flagged up as DETECTIONS.

    The one for the file that had infiltrated my e.mail program said its response was to "Deny access".

    After that were two events which look to be the same but, worryingly, say the program response is to
    "Allow access". I will quote --->

    EVENT 2

    11/06/2014 16:41 [Real-Time Protection] Malware found
          Virus or unwanted program 'TR/Crypt.XPACK.Gen2 [trojan]'
          detected in file 'C:\WINDOWS\system32\dwwin.exe.
          Action performed: Allow access

    EVENT 3

    11/06/2014 16:41 [Real-Time Protection] Malware found
          Virus or unwanted program 'TR/Crypt.XPACK.Gen [trojan]'
          detected in file 'C:\WINDOWS\system32\dwwin.exe.
          Action performed: Allow access

    Please advise as to whether I need to take action.

    Thanks for your expertise...
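An added example, not part of the original post or of Avira's software: a Python parser for Real-Time Protection events laid out the way the log entries quoted above are, which reports each file that was detected but for which the recorded action was "Allow access". The log text inside it is constructed from the quoted events; the path given for the sqlite.dll event is a placeholder, since the post does not quote that entry.

```python
# Added example (not from the thread or from Avira): parse Real-Time
# Protection events in the layout quoted above and report files that were
# detected but still allowed. The log below is constructed from the quoted
# events; the sqlite.dll path is a placeholder, not taken from the post.
import re
from collections import defaultdict

SAMPLE_LOG = r"""
11/06/2014 16:40 [Real-Time Protection] Malware found
      Virus or unwanted program 'TR/Crypt.XPACK.Gen [trojan]'
      detected in file 'F:\mail\sqlite.dll.
      Action performed: Deny access
11/06/2014 16:41 [Real-Time Protection] Malware found
      Virus or unwanted program 'TR/Crypt.XPACK.Gen2 [trojan]'
      detected in file 'C:\WINDOWS\system32\dwwin.exe.
      Action performed: Allow access
11/06/2014 16:41 [Real-Time Protection] Malware found
      Virus or unwanted program 'TR/Crypt.XPACK.Gen [trojan]'
      detected in file 'C:\WINDOWS\system32\dwwin.exe.
      Action performed: Allow access
"""

# One event spans four lines. The quoted entries end the path with a stray
# period and no closing quote, so both are tolerated.
EVENT_RE = re.compile(
    r"(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}) \[(?P<module>[^\]]+)\] Malware found\s*\n"
    r"\s*Virus or unwanted program '(?P<name>[^'\n]+)'\s*\n"
    r"\s*detected in file '(?P<path>[^'\n]+?)'?\.?\s*\n"
    r"\s*Action performed: (?P<action>[^\n]+)",
)


def parse_events(text):
    """Return one dict per event: ts, module, name, path, action."""
    return [m.groupdict() for m in EVENT_RE.finditer(text)]


def is_generic(name):
    """Avira's '.Gen' / '.Gen2' suffix marks a generic (heuristic) detection,
    worth knowing before deleting a file under %SystemRoot%."""
    return re.search(r"\.Gen\d*\s*\[", name) is not None


def allowed_detections(events):
    """Group events by path (case-insensitive) and keep only paths that had
    at least one 'Allow access' outcome: the scanner logged a hit but the
    file was still opened or executed."""
    by_path = defaultdict(list)
    for e in events:
        by_path[e["path"].lower()].append(e)
    return {p: es for p, es in by_path.items()
            if any(e["action"].strip().lower() == "allow access" for e in es)}


def triage(text):
    """(path, number of allowed hits, all hits generic?) per flagged path."""
    flagged = allowed_detections(parse_events(text))
    return [(p, len(es), all(is_generic(e["name"]) for e in es))
            for p, es in sorted(flagged.items())]


if __name__ == "__main__":
    for path, hits, generic in triage(SAMPLE_LOG):
        print(f"{path}: {hits} detection(s) allowed, generic signature only: {generic}")
```

"Deny access" means the on-access scanner blocked the open; "Allow access" means the file was still read or run after the hit was logged, which is why the dwwin.exe entries are the ones to check. A .Gen/.Gen2 name is a generic detection, so a hit on a Windows component is not on its own proof that the file is bad; compare it against a known-good copy before removing it.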






    SuperDave

    • Malware Removal Specialist
    • Moderator


    • Genius
    • Thanked: 1020
    • Certifications: List
    • Experience: Expert
    • OS: Windows 10
    Re: TR/Crypt.XPACK.Gen [Trojan] and Avira's Response
    « Reply #1 on: June 11, 2014, 03:07:57 PM »
    Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer.

    1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
    2. The fixes are specific to your problem and should only be used for this issue on this machine.
    3. If you don't know or understand something, please don't hesitate to ask.
    4. Please DO NOT run any other tools or scans while I am helping you.
    5. It is important that you reply to this thread. Do not start a new topic.
    6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
    7. Absence of symptoms does not mean that everything is clear.

    If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.
    *************************************************************************
    Please download AdwCleaner by Xplode onto your Desktop.

    Before starting AdwCleaner, close all open programs and internet browsers, then double-click on the AdwCleaner icon.



    If Windows prompts you as to whether or not you wish to run AdwCleaner, please allow it to run.
    When the AdwCleaner program opens, click on the Scan button as shown below.



    AdwCleaner will now start to search for malicious files that may be installed on your computer.
    To remove the files that were detected in the previous step, please click on the Clean button.



    AdwCleaner will now prompt you to save any open files or data as the program will need to reboot the computer. Please do so and then click on the OK button. AdwCleaner will now delete all detected adware from your computer. When it is done it will display an alert that explains what PUPs (Potentially Unwanted Programs) and Adware are. Please read through this information and then press the OK button. You will now be presented with an alert that states AdwCleaner needs to reboot your computer.
    Please click on the OK button to allow AdwCleaner to reboot your computer. A log will be produced. Please copy and paste this log in your next reply.
    *********************************************
    Please download Malwarebytes Anti-Malware from here.
    Double Click mbam-setup.exe to install the application.
    • It should update automatically if the computer is connected to the internet.
    • Click on Threat Scan and click on Scan Now.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete make sure all the infections have "quarantine" selected in the Action box.
    • Click on "Quarantine All" You may be asked to Restart your computer to completely remove the infections.
    • When disinfection is completed you can click on "Copy to Clipboard".
    • Paste the log in your next reply (CTRL+V)
    *************************************************
    Please download Junkware Removal Tool to your desktop.

    Warning! Once the scan is complete JRT will shut down your browser with NO warning.

    Shut down your protection software now to avoid potential conflicts.

    •Temporarily disable your Antivirus and any Antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

    •Run the tool by double-clicking it. If you are using Windows Vista or Windows 7, right-click JRT and select Run as Administrator

    •The tool will open and start scanning your system.

    •Please be patient as this can take a while to complete depending on your system's specifications.

    •On completion, a log (JRT.txt) is saved to your desktop and will automatically open.

    •Copy and Paste the JRT.txt log into your next message.
    Windows 8 and Windows 10 dual boot with two SSD's

    Tatterdemalion

      Re: TR/Crypt.XPACK.Gen [Trojan] and Avira's Response
      « Reply #2 on: June 11, 2014, 04:05:06 PM »
      Thank you very much for your reply. I have downloaded the three applications that you indicated but - so far - only begun to run the first one - AdwCleaner.

      I ran the scan and nothing was found in Services, Folders, Files, Shortcuts or Internet Explorer.

      Firefox shows two files ending .js

      Chrome has four lines of information in User Data\Default\preferences.

      There aren't any check boxes in the tabs referring to the browsers.

      I have 12 results in Registry. They are all "Keys" and all have their "Key" boxes checked ready for me to agree to "Clean" them.

      As I don't know what any of these items actually ARE, how I acquired them or if it is OK to allow them to be removed, I will attempt to re-present the list (with as few typos as possible (!))

      HKLM\SOFTWARE\Classes\AppID\secman.DLL
      HKLM\SOFTWARE\Classes\S
      HKLM\SOFTWARE\Classes\secman.OutlookSecurityManager
      HKLM\SOFTWARE\Classes\secman.OutlookSecurityManager.1
      HKLM\SOFTWARE\Classes\AppID\{4D076AB4-7562-427A-B5D2-BD96E19DEE56}
      HKLM\SOFTWARE\Classes\CLSID\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}
      HKLM\SOFTWARE\Classes\CLSID\{826D7151-8D99-434B-8540-082B8C2AE556}
      HKLM\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}
      HKLM\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}
      HKLM\SOFTWARE\Classes\TypeLib\{11549FE4-7C5A-4C17-9FC3-56FC5162A994}
      HKCU\Software\Myfree Codec
      HKLM\Software\Myfree Codec

      Please let me know if I should agree to "Clean" (I assume this means "Delete") all of these.

      Thanks.




      SuperDave
      Re: TR/Crypt.XPACK.Gen [Trojan] and Avira's Response
      « Reply #3 on: June 11, 2014, 05:35:35 PM »
      Yes, clean and post the other logs.

      Tatterdemalion

        Re: TR/Crypt.XPACK.Gen [Trojan] and Avira's Response
        « Reply #4 on: June 12, 2014, 12:25:36 AM »
        Hi

        Thank you for helping me.

        When I returned to the compromised computer this morning to run the "Clean" process I found the screen had turned black and the machine would not respond. I tried connecting a mouse to see if that would wake it up but the USB peripheral was not detected. I tried pressing FN & F4 key combinations to activate the screen with no success. I tried lowering the laptop lid in the hope of resting the PC in order to revive it by raising it afterwards. I tried disconnecting wired internet by physically removing the ethernet cable.

        None of these procedures helped so I switched the computer off.

        My first re-boot did not load in the trackpad control. This often happens on this computer which is a Lenovo ThinkPad T61. I re-booted a second time and the trackpad cursor control worked as it should.

        Loading personal settings took a long time and I think my external F drive was looked at a lot. That is where the FIRST of the virus instances was said to be. The one that was CLEARLY reported to me and that I was prompted to delete. I only knew about the two other occurrences by looking at Avira's logs.

        When the Desktop had fully loaded the Program Icons for the three applications you suggested I should download were NEATLY ordered. When I had left the machine, those had been positioned in a higgledy piggledy manner. I don't know if it is indicative of anything that they had been tidied up.

        I ran the AdwCleaner program's scan again and it returned identical results to those revealed previously. I pressed "Clean" but was immediately met with a cascade of failures all piling up on top of each other. Most of these were boxes asking me if I wanted to send Error Reports. Initially I think these were items from my Task Bar. From the top to the bottom of the first swathe were :

        EEventManager (Don't know what that is)
        Kies (Samsung Mobile Phone Software)
        Secunia PS1 (Program Version Checker/Updater)
        Volume Panel (Creative Labs Soundcard volume control)
        Synaptics TouchPad Enhancement (Touchpad)

        DLL Module Loader (Don't know)
        adwcleaner_3.212

        Next I saw :

        "To help protect your computer, Windows has closed this program CTF Loader Microsoft Corporation
        CTF Loader has encountered a problem and needs to close."

        and

        "DLG.exe has encountered a problem"

        Then further programs were cited sometimes repeatedly.

        CTF Loader
        Canon My Printer
        Microsoft Works Calendar Reminder
        CNSG
        Spotify
        CNSEPDT.EXE
        Microsoft Works Calendar
        Kies Tray Agent

        I think it was at 06:25 that I found I could not close the KiesTray Agent Error report box.

        Previously I had been able to manually shut boxes as I moved down that extensive initial pile. I think SOME were closing on their own which is why I didn't have time to copy down
        the "CNSG" program.

        With the KiesTray Agent Error report box unclosable, I could see there was another Error Report box underneath it and the AdwCleaner program right at the bottom.

        I pressed CTRL-ALT-DEL to access Task Manager. I randomly chose to stop Nitro PDF Reader and then saw

        "Data Execution Prevention - To help protect your computer Windows has closed this program Run a DLL as an App.
        Run a DLL as an App has encountered a problem."

        Looking at a REAL non-computer clock I saw that the time was actually 06:37 and NOT 06:25 and realised my computer must have frozen at that earlier time.

        Trying to move the Windows Task Manager box around the screen resulted in me getting a trail of dozens of instances. They may not actually have been SEPARATE. It might be a graphical trail where the screen is not being updated properly.

        I tried closing my Wacom Pen Tablet driver from the list of active processes because it was something I recognised the name of and I hoped I would be able to get all the boxes from in front of the AdwCleaner program to try to run it again.

        Stopping the tablet driver didn't let me get back to AdwCleaner and I had a screen full of TaskManager boxes and a computer "stuck" at 06:25 so I came here and began typing this message.

        In the time it took me to type this, my screensaver began running on the infected computer. When I touched it my white cursor was visible and moveable but I couldn't get the proper computer image to return. Under the cursor, the screen was just black.

        Eventually I switched the PC off by long pressing the power button.

        Please advise.

        ADDITIONAL INFORMATION :

        Last night - before coming here - I ran a Search for all instances of "dwwin" and got these results -->

        DWWIN C:\I386\DRW 159KB Application 04/08/2004 13:00

        DWWIN.EXE-30875ADC.pf C:\WINDOWS\Prefetch 68k PF File 11/06/2014 16:42

        dwwin C:\WINDOWS\system32 176KB Application 14/04/2008 01:12

        dwwin C:\WINDOWS\ServicePackFiles\i386 176KB Application 14/04/2008 01:12

        The second entry's time stamp corresponds with when Avira detected and alerted me to a problem.

        SuperDave
        Re: TR/Crypt.XPACK.Gen [Trojan] and Avira's Response
        « Reply #5 on: June 12, 2014, 12:44:53 PM »
        Please do this even if you don't have your OS disk and tell me what happens.
        Do you have an XP CD?

        If so, place it in your CD ROM drive and follow the instructions below:
        •Click on Start > Run and type sfc /scannow then press Enter (note the space between sfc and /scannow)
        *Let this run undisturbed until the window with the blue progress bar goes away
        SFC, which stands for System File Checker, retrieves the correct version of the file from %Systemroot%\System32\Dllcache or the Windows installation source files, and then replaces the incorrect file.

        Tatterdemalion

          Re: TR/Crypt.XPACK.Gen [Trojan] and Avira's Response
          « Reply #6 on: June 12, 2014, 01:27:29 PM »
          Hi

          My computer is a Lenovo ThinkPad T61. They are a bit strange in that the operating system is provided on a shielded compartment. I'm not sure if you are meant to access recovery using the BLUE BUTTON. I might then need recovery disks that I generated a couple of years ago and that can only be made ONCE. I do not know where mine are. I can't find an original Windows XP CD. I *do* have something called a "Product Recovery CD-ROM" that came with a Desktop PC. It says it is for the software that was pre-installed on THAT machine. I don't know what will happen if I follow your instructions given that I have a Lenovo that is a bit non-standard and a Recovery disk not a full independent CD.

          Please advise. I'm scared if I put the Evesham Micros CD recovery disk into my Lenovo and let it loose I may find myself in a worse situation.

          ADDITIONAL INFORMATION : I have just found the CD that came with my other Windows XP desktop machine. That too is only a "Recovery CD-ROM".

          SuperDave
          Re: TR/Crypt.XPACK.Gen [Trojan] and Avira's Response
          « Reply #7 on: June 12, 2014, 06:49:38 PM »
          Please run SFC without any disk in the drive. If there are corrupt or missing files, it will ask for the disk.

          Tatterdemalion

            Re: TR/Crypt.XPACK.Gen [Trojan] and Avira's Response
            « Reply #8 on: June 13, 2014, 01:40:23 AM »
            Hi

            I ran SFC and watched the blue progress bar all the way to completion. At 100% the box vanished with no comment or request.

            SuperDave
            Re: TR/Crypt.XPACK.Gen [Trojan] and Avira's Response
            « Reply #9 on: June 13, 2014, 04:10:42 PM »
            Is the computer still acting up?

            Tatterdemalion

              Re: TR/Crypt.XPACK.Gen [Trojan] and Avira's Response
              « Reply #10 on: June 13, 2014, 09:42:21 PM »
              Thank you for your help...

              I haven't tried to run Adwarecleaner again yet or any of the other software that you suggested. Firefox will "get stuck" after a few hours of usage. THAT has been happening for months. I thought it might just be because that browser seems to constantly rack up more and more RAM usage over time. It frequently complains of a plug-in not responding. I use YouTube a lot and wonder if it is to do with adverts being loaded in - especially as so many of the clips now require ad's to run before and sometimes at set points during videos now.

              I usually have to shut Firefox with Task Manager and then plugin.exe as well.

              Oh! When I did this last night - I CTRL-ALT-DELed for the Task Manager ONCE but about FIVE instances appeared on the task bar.

              Before I set the Task Manager process list to order by RAM usage, something called EEventManager was at the top.

              SuperDave
              Re: TR/Crypt.XPACK.Gen [Trojan] and Avira's Response
              « Reply #11 on: June 14, 2014, 12:32:29 PM »
              Quote
              Firefox will "get stuck" after a few hours of usage. THAT has been happening for months. I thought it might just be because that browser seems to constantly rack up more and more RAM usage over time. It frequently complains of a plug-in not responding. I use YouTube a lot and wonder if it is to do with adverts being loaded in - especially as so many of the clips now require ad's to run before and sometimes at set points during videos now.
              You could try resetting FF to its default. If that doesn't do anything, uninstall and re-install it.
              Quote
              Before I set the Task Manager process list to order by RAM usage, something called EEventManager was at the top.
              This has something to do with an Epson printer.

              Tatterdemalion

                Re: TR/Crypt.XPACK.Gen [Trojan] and Avira's Response
                « Reply #12 on: June 14, 2014, 02:24:13 PM »
                Thank you. I have an Epson scanner so that probably explains the EEventManager. Should I not be trying to run the Adwcleaner program again ?

                SuperDave
                Re: TR/Crypt.XPACK.Gen [Trojan] and Avira's Response
                « Reply #13 on: June 14, 2014, 05:49:01 PM »
                I use Adblock plus to eliminate those annoying ads especially on YouTube.
                What other pop-ups are you receiving now?

                Tatterdemalion

                  Re: TR/Crypt.XPACK.Gen [Trojan] and Avira's Response
                  « Reply #14 on: June 15, 2014, 12:15:54 AM »
                  My situation was  that I got a real-time virus/trojan detection from Avira. It said it had deleted one file and labelled it with "Deny access".

                  When I looked in Avira's "Events" it showed two further instances of the named Trojan like this -->

                  EVENT 2

                  11/06/2014 16:41 [Real-Time Protection] Malware found
                        Virus or unwanted program 'TR/Crypt.XPACK.Gen2 [trojan]'
                        detected in file 'C:\WINDOWS\system32\dwwin.exe.
                        Action performed: Allow access

                  EVENT 3

                  11/06/2014 16:41 [Real-Time Protection] Malware found
                        Virus or unwanted program 'TR/Crypt.XPACK.Gen [trojan]'
                        detected in file 'C:\WINDOWS\system32\dwwin.exe.
                        Action performed: Allow access

                  I am concerned that they say "*Allow* access".

                  When I Googled the Trojan it looked like it might be a Keylogger disguised as Dr Windows.

                  After the infection I came here for assistance and tried to run the Adwcleaner software that you suggested should be my first action.

                  When that program threw up so many Error screens and didn't appear to run properly, I thought that might be confirmation that my dwwin file had been replaced by a bogus application.

                  I ran the SFC as per your instructions.

                  The blue bar ran its 100% duration but it never asked for any discs and it never gave me any message about what it had or had not found/done. The graphic just went away after its half hour procedure.

                  Should I be running the three software applications you named ?

                  Will they now work properly if Windows has replaced dwwin with the legitimate version.

                  Perhaps I should do another search for dwwin.exe and see what the sizes are again.

                  Should it be displayed in lowercase letters if it is genuine ?


                  SuperDave
                  Re: TR/Crypt.XPACK.Gen [Trojan] and Avira's Response
                  « Reply #15 on: June 15, 2014, 12:27:46 PM »
                  Quote
                  Should I be running the three software applications you named ?
                  Yes, please and post the logs.

                  Malwarebytes' Anti-Rootkit

                  Please download Malwarebytes' Anti-Rootkit and save it to your desktop.
                  • Be sure to print out and follow the instructions provided on that same page for performing a scan.
                  • Caution: This is a beta version so also read the disclaimer and back up all your data before using.
                  • When the scan completes, click on the Cleanup button to remove any threats found and reboot the computer if prompted to do so.
                  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
                  • If there are problems with Internet access, Windows Update, Windows Firewall or other system issues, run the fixdamage tool located in the folder Malwarebytes Anti-Rootkit was run from and reboot your computer.
                  • Two files (mbar-log-YYYY-MM-DD, system-log.txt) will be created and saved within that same folder.
                  • Copy and paste the contents of these two log files in your next reply.

                  Tatterdemalion

                    Re: TR/Crypt.XPACK.Gen [Trojan] and Avira's Response
                    « Reply #16 on: June 16, 2014, 12:33:59 AM »
                    I am trying to follow your original instructions in the order that you outlined and am therefore still only at the AdwCleaner stage.

                    Before trying to run it again, I conducted a fresh search on my PC for dwwin.exe

                    This was after running the SFC that you highlighted and that hopefully replaced any rogue version with the legitimate file.

                    The new search showed :

                    DWWIN in C:\I386\DRW 159KB Application 04/08/2004 13:00
                    dwwin in C:\WINDOWS\System32 176KB Application 14/04/2008 01:12
                    dwwin in C:\WINDOWS\ServicePackFiles\i386 176KB 14/04/2008 01:12

                    Having noted these results down, I ran AdwCleaner again and experienced the same difficulties with the program as before.

                    I ran the scan and think my results were identical to those discovered previously. Then I pressed "CLEAN"

                    The program responded with "adwcleaner has encountered a problem"

                    It cited "CTF loader" and  said "Windows has closed this program".

                    Then I started getting lots of Error Boxes for the programs that have icons at the lower right of my screen. I am not sure if that is called "The Task Bar" or "The System Tray".

                    Each of these programs gave me a box offering the opportunity to "Send Error Report" or "Don't Send".

                    Are all of these Error Boxes generated by the Dr Win (dwwin) file/program ????

                    I was able to close these boxes by picking "Don't Send".

                    Then a box was shown that said : "Data Execution Prevention. To help protect your computer, Windows has closed this program
                                                                            Name : CTF Loader Publisher : Microsoft Corporation

                    Another box said : "CTF Loader. CTF Loader has encountered a problem and needs to close. We are sorry for the inconvenience."

                    This box had the "Send Error Report" and "Don't Send" buttons but they were not clickable.

                    I noticed, like before, that the computer clock had frozen. It had stopped at 06:52 and I noticed at 06:58.

                    I pressed CTRL-ALT-DEL to open Task Manager. It showed dwwin.exe at the top of its default list.

                    Opening Task Manager seemed to trigger a further string of error boxes for more programs and I was able to shut them but, as before, when I tried to move the Task Manager window to get to the AdwCleaner program underneath it left a trail of dozens of Task Manager windows that I could not close.

                    At that point I could still move my cursor (using the Trackpad) but NOT control anything. I couldn't shut the Task Manager or select anything from the Start button.

                    I think the Synaptics TouchPad control is one of the programs that had an Error during the second phase of displayed errors. Perhaps when THAT closes my trackpad buttons cease to function.

                    Do you think this is all due to me having been infected with a false version of dwwin ??

                    Should I try to run AdwCleaner for a third time or should I skip that program and move on to the SECOND software that you listed - the first MalwareBytes product :  Malwarebytes Anti-Malware
                    with the mbam-setup.exe installer ?

                    Tatterdemalion

                      Re: TR/Crypt.XPACK.Gen [Trojan] and Avira's Response
                      « Reply #17 on: June 16, 2014, 12:01:22 PM »
                      I can't see a button showing how I can edit my last message. I wanted to add to it that I have done another search for dwwin and got a 71KB PF File located at DWWIN.EXE-30875ADC.pf in C:\WINDOWS\Prefetch at 06:58 this morning. This is the time period when I was trying to run AdwCleaner.
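An added example covering the dwwin.exe search results in Reply #4 and Reply #16, the Prefetch entry in Reply #4 and Reply #17, and the Dllcache/installation-source behaviour of SFC described in Reply #5. This is editor's code, not something from the thread, from Avira or from Microsoft. It hashes the copies instead of trusting size and date, and decodes a Windows XP (format version 17) Prefetch header to recover the last run time and run count that the .pf file's modification time only hints at. Assumed, not stated on the page: that the ServicePackFiles\i386 copy is the reference, and that the .pf file is version 17; the files it operates on are constructed stand-ins.

```python
# Added example (not from the thread, from Avira or from Microsoft): check the
# dwwin.exe copies listed in Reply #4 and Reply #16 against each other by
# hash rather than by size and date, and decode the Prefetch file named in
# Reply #4 and Reply #17 to recover when dwwin.exe last ran and how often.
# Assumptions not stated on the page: the reference copy is the one under
# ServicePackFiles\i386 (a source SFC can restore from, along with dllcache),
# and the .pf file uses the Windows XP/2003 layout (format version 17). The
# files below are constructed stand-ins, not the poster's files.
import hashlib
import struct
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
PF_V17_LAST_RUN = 0x78    # FILETIME, 8 bytes (version 17 header)
PF_V17_RUN_COUNT = 0x90   # uint32
PF_V17_HEADER_LEN = 0x98


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def compare_copies(reference, candidates):
    """Map each candidate's file name to True when its SHA-256 equals the
    reference's. Equal size and timestamp, which is all the poster's search
    results show, does not rule out an in-place patch."""
    ref = sha256_file(reference)
    return {Path(p).name: sha256_file(p) == ref for p in candidates}


def filetime_to_datetime(ft):
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    # Integer arithmetic only: a float of 100ns ticks since 1601 loses precision.
    delta = dt - FILETIME_EPOCH
    return ((delta.days * 86400 + delta.seconds) * 1_000_000 + delta.microseconds) * 10


def parse_prefetch_v17(data):
    """Read executable name, last run time and run count from a v17 header."""
    version, sig = struct.unpack_from("<I4s", data, 0)
    if sig != b"SCCA" or version != 17:
        raise ValueError("not a Windows XP/2003 (version 17) prefetch file")
    name = data[0x10:0x10 + 60].decode("utf-16-le").split("\x00", 1)[0]
    last_run, = struct.unpack_from("<Q", data, PF_V17_LAST_RUN)
    run_count, = struct.unpack_from("<I", data, PF_V17_RUN_COUNT)
    return {"exe": name, "last_run": filetime_to_datetime(last_run),
            "run_count": run_count}


def build_sample_prefetch(exe, last_run, run_count):
    """Constructed minimal v17 header for the demo; not a real capture."""
    buf = bytearray(PF_V17_HEADER_LEN)
    struct.pack_into("<I4s", buf, 0, 17, b"SCCA")
    struct.pack_into("<I", buf, 0x0C, len(buf))
    enc = exe.encode("utf-16-le")
    buf[0x10:0x10 + len(enc)] = enc
    struct.pack_into("<Q", buf, PF_V17_LAST_RUN, datetime_to_filetime(last_run))
    struct.pack_into("<I", buf, PF_V17_RUN_COUNT, run_count)
    return bytes(buf)


def demo():
    tmp = Path(tempfile.mkdtemp())
    good = b"MZ" + bytes(range(256)) * 4          # stand-in for the SP3 copy
    tampered = good[:300] + b"\xcc" + good[301:]   # same size, one byte differs
    ref = tmp / "ServicePackFiles_i386_dwwin.exe"
    live = tmp / "system32_dwwin.exe"
    cache = tmp / "dllcache_dwwin.exe"
    ref.write_bytes(good)
    live.write_bytes(tampered)
    cache.write_bytes(good)
    matches = compare_copies(ref, [live, cache])
    # Timestamp borrowed from the thread's listing; the sample treats it as UTC.
    pf = parse_prefetch_v17(build_sample_prefetch(
        "DWWIN.EXE", datetime(2014, 6, 11, 16, 42, tzinfo=timezone.utc), 3))
    return matches, pf


if __name__ == "__main__":
    matches, pf = demo()
    for name, ok in matches.items():
        print(f"{name}: {'matches' if ok else 'DIFFERS from'} reference copy")
    print(f"{pf['exe']} last ran {pf['last_run']:%Y-%m-%d %H:%M} UTC, "
          f"run count {pf['run_count']}")
```

To run the same checks on the real machine, pass the actual paths to compare_copies (C:\WINDOWS\system32\dwwin.exe and C:\WINDOWS\system32\dllcache\dwwin.exe against C:\WINDOWS\ServicePackFiles\i386\dwwin.exe) and read C:\WINDOWS\Prefetch\DWWIN.EXE-30875ADC.pf as bytes for parse_prefetch_v17. dwwin.exe is the Dr. Watson crash-reporting program, so a run count that rises with each cascade of "has encountered a problem" boxes is expected for that file; a hash mismatch against the ServicePackFiles copy is the result that would actually justify treating it as replaced.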

                      SuperDave
                      Re: TR/Crypt.XPACK.Gen [Trojan] and Avira's Response
                      « Reply #18 on: June 16, 2014, 04:40:29 PM »
                      Please try running MBAM and AdwCleaner in Safe Mode.

                      Tatterdemalion

                        Re: TR/Crypt.XPACK.Gen [Trojan] and Avira's Response
                        « Reply #19 on: June 17, 2014, 02:05:30 PM »
                        Thank you very much for your on-going help.

                        I was able to access Safe Mode to run AdwCleaner successfully.

                        This is the log produced -->

                        # AdwCleaner v3.212 - Report created 17/06/2014 at 19:22:23
                        # Updated 05/06/2014 by Xplode
                        # Operating System : Microsoft Windows XP Service Pack 3 (32 bits)
                        # Username : Test - LENOVO-0102D958
                        # Running from : C:\Documents and Settings\Test\Desktop\adwcleaner_3.212.exe
                        # Option : Clean

                        ***** [ Services ] *****


                        ***** [ Files / Folders ] *****


                        ***** [ Shortcuts ] *****


                        ***** [ Registry ] *****

                        Key Deleted : HKLM\SOFTWARE\Classes\AppID\secman.DLL
                        Key Deleted : HKLM\SOFTWARE\Classes\S
                        Key Deleted : HKLM\SOFTWARE\Classes\secman.OutlookSecurityManager
                        Key Deleted : HKLM\SOFTWARE\Classes\secman.OutlookSecurityManager.1
                        Key Deleted : HKLM\SOFTWARE\Classes\AppID\{4D076AB4-7562-427A-B5D2-BD96E19DEE56}
                        Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}
                        Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{826D7151-8D99-434B-8540-082B8C2AE556}
                        Key Deleted : HKLM\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}
                        Key Deleted : HKLM\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8FFE}
                        Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{11549FE4-7C5A-4C17-9FC3-56FC5162A994}
                        Key Deleted : HKCU\Software\Myfree Codec
                        Key Deleted : HKLM\Software\Myfree Codec

                        ***** [ Browsers ] *****

                        -\\ Internet Explorer v8.0.6001.18702


                        -\\ Mozilla Firefox v29.0.1 (en-GB)

                        [ File : C:\Documents and Settings\lenovo\Application Data\Mozilla\Firefox\Profiles\izzh4wup.default\prefs.js ]


                        [ File : C:\Documents and Settings\Test\Application Data\Mozilla\Firefox\Profiles\uqhyu9vs.default\prefs.js ]


                        -\\ Google Chrome v

                        [ File : C:\Documents and Settings\lenovo\Local Settings\Application Data\Google\Chrome\User Data\Default\preferences ]

                        Deleted [Extension] : kdcnnmifdmlmjffdgeieikcokcogpbej
                        Deleted [Extension] : kincjchfokkeneeofpeefomkikfkiedl

                        [ File : C:\Documents and Settings\Test\Local Settings\Application Data\Google\Chrome\User Data\Default\preferences ]


                        *************************

                        AdwCleaner[R0].txt - [2104 octets] - [11/06/2014 22:35:49]
                        AdwCleaner[R1].txt - [2164 octets] - [12/06/2014 06:21:21]
                        AdwCleaner[R2].txt - [2224 octets] - [16/06/2014 06:49:31]
                        AdwCleaner[R3].txt - [2284 octets] - [17/06/2014 19:20:36]
                        AdwCleaner[S0].txt - [2233 octets] - [17/06/2014 19:22:23]

                        ########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [2293 octets] ##########


                        My second attempt at starting in Safe Mode did not work. I don't know why. Only Windows XP Professional was listed. I proceeded with a full boot. The first time I tried to open Control Panel to install MBAM, Control Panel would not open and I got the message "Windows Explorer has encountered a problem", then "Dr Watson Postmortem Debugger has encountered a problem and needs to close." I said "Don't send" in the Error Box and tried again, and the installation appeared to go without a hitch. I switched Avira's real-time protection off before installing and have now re-activated it, having exported MBAM's report ---->

                        Malwarebytes Anti-Malware
                        www.malwarebytes.org

                        Scan Date: 17/06/2014
                        Scan Time: 20:32:49
                        Logfile: MalwareBytes Result.txt
                        Administrator: Yes

                        Version: 2.00.2.1012
                        Malware Database: v2014.06.17.10
                        Rootkit Database: v2014.06.02.01
                        License: Free
                        Malware Protection: Disabled
                        Malicious Website Protection: Disabled
                        Self-protection: Disabled

                        OS: Windows XP Service Pack 3
                        CPU: x86
                        File System: NTFS
                        User: Test

                        Scan Type: Threat Scan
                        Result: Completed
                        Objects Scanned: 358180
                        Time Elapsed: 19 min, 11 sec

                        Memory: Enabled
                        Startup: Enabled
                        Filesystem: Enabled
                        Archives: Enabled
                        Rootkits: Disabled
                        Heuristics: Enabled
                        PUP: Enabled
                        PUM: Enabled

                        Processes: 0
                        (No malicious items detected)

                        Modules: 0
                        (No malicious items detected)

                        Registry Keys: 0
                        (No malicious items detected)

                        Registry Values: 0
                        (No malicious items detected)

                        Registry Data: 0
                        (No malicious items detected)

                        Folders: 0
                        (No malicious items detected)

                        Files: 0
                        (No malicious items detected)

                        Physical Sectors: 0
                        (No malicious items detected)


                        (end)


                        Do I still need to run JRT?

                        SuperDave

                        • Malware Removal Specialist
                        • Moderator


                        • Genius
                        • Thanked: 1020
                        • Certifications: List
                        • Experience: Expert
                        • OS: Windows 10
                        Re: TR/Crypt.XPACK.Gen [Trojan] and Avira's Response
                        « Reply #20 on: June 17, 2014, 05:19:31 PM »
                        Quote
                        Do I still need to run JRT?
                        Yes, please.

                        Malwarebytes' Anti-Rootkit

                        Please download Malwarebytes' Anti-Rootkit and save it to your desktop.
                        • Be sure to print out and follow the instructions provided on that same page for performing a scan.
                        • Caution: This is a beta version so also read the disclaimer and back up all your data before using.
                        • When the scan completes, click on the Cleanup button to remove any threats found and reboot the computer if prompted to do so.
                        • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
                        • If there are problems with Internet access, Windows Update, Windows Firewall or other system issues, run the fixdamage tool located in the folder Malwarebytes Anti-Rootkit was run from and reboot your computer.
                        • Two files (mbar-log-YYYY-MM-DD, system-log.txt) will be created and saved within that same folder.
                        • Copy and paste the contents of these two log files in your next reply.

                        Tatterdemalion

                          Topic Starter


                          Intermediate

                          Re: TR/Crypt.XPACK.Gen [Trojan] and Avira's Response
                          « Reply #21 on: June 18, 2014, 02:31:00 AM »
                          Hi

                          Thank you for your help.

                          I ran the Junkware Removal Tool from the normal desktop (NOT Safe Mode), having temporarily disabled Avira Anti Virus.

                          When it reached Processes, it showed the programs from my System Tray saying that they needed to close and throwing up their Error Boxes. I was able to close them all with "Don't Send" clicks.

                          I received another sequence of "problem encountered...needs to close" boxes as the JRT Scan reached the Registry.

                          The program ran to completion and generated this report --->

                          ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
                          Junkware Removal Tool (JRT) by Thisisu
                          Version: 6.1.4 (04.06.2014:1)
                          OS: Microsoft Windows XP x86
                          Ran by Test on 18/06/2014 at  8:45:59.01
                          ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




                          ~~~ Services



                          ~~~ Registry Values

                          Successfully repaired: [Registry Value] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\\DisplayName
                          Successfully repaired: [Registry Value] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\\URL



                          ~~~ Registry Keys



                          ~~~ Files



                          ~~~ Folders

                          Successfully deleted: [Folder] "C:\Program Files\myfree codec"



                          ~~~ FireFox

                          Emptied folder: C:\Documents and Settings\Test\Application Data\mozilla\firefox\profiles\uqhyu9vs.default\minidumps [47 files]





                          ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
                          Scan was completed on 18/06/2014 at  8:53:14.25
                          End of JRT log
                          ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

                          Has this run correctly, meaning that (once I disable my AV again) I should be able to run Malwarebytes Anti-Rootkit right away?

                          SuperDave

                          • Malware Removal Specialist
                          • Moderator


                          • Genius
                          • Thanked: 1020
                          • Certifications: List
                          • Experience: Expert
                          • OS: Windows 10
                          Re: TR/Crypt.XPACK.Gen [Trojan] and Avira's Response
                          « Reply #22 on: June 18, 2014, 02:51:54 PM »
                          You shouldn't have to disable your AV to run MBAR.

                          Tatterdemalion

                            Topic Starter


                            Intermediate

                            Re: TR/Crypt.XPACK.Gen [Trojan] and Avira's Response
                            « Reply #23 on: June 19, 2014, 02:32:00 AM »
                            Thank you for your help. I have run the Anti-Rootkit program twice. I rebooted before the second go. These are my results -->

                            FIRST SESSION LOG

                            Malwarebytes Anti-Rootkit BETA 1.07.0.1012
                            www.malwarebytes.org

                            Database version: v2014.06.19.03

                            Windows XP Service Pack 3 x86 NTFS
                            Internet Explorer 8.0.6001.18702
                            Test :: LENOVO-0102D958 [administrator]

                            19/06/2014 06:51:03
                            mbar-log-2014-06-19 (06-51-03).txt

                            Scan type: Quick scan
                            Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
                            Scan options disabled:
                            Objects scanned: 364806
                            Time elapsed: 29 minute(s), 48 second(s)

                            Memory Processes Detected: 0
                            (No malicious items detected)

                            Memory Modules Detected: 0
                            (No malicious items detected)

                            Registry Keys Detected: 0
                            (No malicious items detected)

                            Registry Values Detected: 0
                            (No malicious items detected)

                            Registry Data Items Detected: 0
                            (No malicious items detected)

                            Folders Detected: 0
                            (No malicious items detected)

                            Files Detected: 0
                            (No malicious items detected)

                            Physical Sectors Detected: 0

                            FIRST SESSION SYSTEM LOG

                            ---------------------------------------
                            Malwarebytes Anti-Rootkit BETA 1.07.0.1012

                            (c) Malwarebytes Corporation 2011-2012

                            OS version: 5.1.2600 Windows XP Service Pack 3 x86

                            Account is Administrative

                            Internet Explorer version: 8.0.6001.18702

                            File system is: NTFS
                            Disk drives: C:\ DRIVE_FIXED, G:\ DRIVE_FIXED
                            CPU speed: 1.795000 GHz
                            Memory total: 2112065536, free: 813096960

                            Downloaded database version: v2014.06.19.03
                            Downloaded database version: v2014.06.02.01
                            Initializing...
                            ======================
                            ------------ Kernel report ------------
                                 06/19/2014 06:49:59
                            ------------ Loaded modules -----------
                            ----------- End -----------
                            Done!
                            <<<1>>>
                            Upper Device Name: \Device\Harddisk2\DR9
                            Upper Device Object: 0xffffffff86ad9ab8
                            Upper Device Driver Name: \Driver\Disk\
                            Lower Device Name: \Device\000000bc\
                            Lower Device Object: 0xffffffff87cf6ab8
                            Lower Device Driver Name: \Driver\USBSTOR\
                            <<<1>>>
                            Upper Device Name: \Device\Harddisk1\DR3
                            Upper Device Object: 0xffffffff89360030
                            Upper Device Driver Name: \Driver\Disk\
                            Lower Device Name: \Device\000000b3\
                            Lower Device Object: 0xffffffff898554b8
                            Lower Device Driver Name: \Driver\USBSTOR\
                            <<<1>>>
                            Upper Device Name: \Device\Harddisk0\DR0
                            Upper Device Object: 0xffffffff8a551030
                            Upper Device Driver Name: \Driver\Disk\
                            Lower Device Name: \Device\Ide\IAAStorageDevice-0\
                            Lower Device Object: 0xffffffff8a535030
                            Lower Device Driver Name: \Driver\iaStor\
                            <<<2>>>
                            Physical Sector Size: 512
                            Drive: 0, DevicePointer: 0xffffffff8a551030, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
                            --------- Disk Stack ------
                            DevicePointer: 0xffffffff8a551800, DeviceName: Unknown, DriverName: \Driver\PartMgr\
                            DevicePointer: 0xffffffff8a551a18, DeviceName: Unknown, DriverName: \Driver\Shockprf\
                            DevicePointer: 0xffffffff8a551030, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
                            DevicePointer: 0xffffffff8a527b50, DeviceName: \Device\0000009a\, DriverName: \Driver\ACPI\
                            DevicePointer: 0xffffffff8a535030, DeviceName: \Device\Ide\IAAStorageDevice-0\, DriverName: \Driver\iaStor\
                            ------------ End ----------
                            Alternate DeviceName: Unknown, DriverName: \Driver\Shockprf\
                            Upper DeviceData: 0x0, 0x0, 0x0
                            Lower DeviceData: 0x0, 0x0, 0x0
                            <<<3>>>
                            Volume: C:
                            File system type: NTFS
                            SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
                            <<<2>>>
                            <<<3>>>
                            Volume: C:
                            File system type: NTFS
                            SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
                            Scanning drivers directory: C:\WINDOWS\SYSTEM32\drivers...
                            Done!
                            Drive 0
                            This is a System drive
                            Scanning MBR on drive 0...
                            Inspecting partition table:
                            MBR Signature: 55AA
                            Disk Signature: ED1F86F7

                            Partition information:

                                Partition 0 type is Primary (0x7)
                                Partition is ACTIVE.
                                Partition starts at LBA: 63  Numsec = 478956177
                                Partition file system is NTFS
                                Partition is bootable

                                Partition 1 type is Other (0x12)
                                Partition is NOT ACTIVE.
                                Partition starts at LBA: 478956240  Numsec = 9434880

                                Partition 2 type is Empty (0x0)
                                Partition is NOT ACTIVE.
                                Partition starts at LBA: 0  Numsec = 0

                                Partition 3 type is Empty (0x0)
                                Partition is NOT ACTIVE.
                                Partition starts at LBA: 0  Numsec = 0

                            Disk Size: 250059350016 bytes
                            Sector size: 512 bytes

                            Scanning physical sectors of unpartitioned space on drive 0 (1-62-488377168-488397168)...
                            Done!
                            Physical Sector Size: 512
                            Drive: 1, DevicePointer: 0xffffffff89360030, DeviceName: \Device\Harddisk1\DR3\, DriverName: \Driver\Disk\
                            --------- Disk Stack ------
                            DevicePointer: 0xffffffff89488288, DeviceName: Unknown, DriverName: \Driver\PartMgr\
                            DevicePointer: 0xffffffff89360030, DeviceName: \Device\Harddisk1\DR3\, DriverName: \Driver\Disk\
                            DevicePointer: 0xffffffff898554b8, DeviceName: \Device\000000b3\, DriverName: \Driver\USBSTOR\
                            ------------ End ----------
                            Alternate DeviceName: \Device\Harddisk1\DR3\, DriverName: \Driver\Disk\
                            Upper DeviceData: 0x0, 0x0, 0x0
                            Lower DeviceData: 0x0, 0x0, 0x0
                            Drive 1
                            Scanning MBR on drive 1...
                            Inspecting partition table:
                            MBR Signature: 55AA
                            Disk Signature: C3072E18

                            Partition information:

                                Partition 0 type is Other (0x6)
                                Partition is ACTIVE.
                                Partition starts at LBA: 32  Numsec = 4062176
                                Partition file system is FAT
                                Partition is not bootable

                                Partition 1 type is Empty (0x0)
                                Partition is NOT ACTIVE.
                                Partition starts at LBA: 0  Numsec = 0

                                Partition 2 type is Empty (0x0)
                                Partition is NOT ACTIVE.
                                Partition starts at LBA: 0  Numsec = 0

                                Partition 3 type is Empty (0x0)
                                Partition is NOT ACTIVE.
                                Partition starts at LBA: 0  Numsec = 0

                            Disk Size: 2079850496 bytes
                            Sector size: 512 bytes

                            Done!
                            Physical Sector Size: 512
                            Drive: 2, DevicePointer: 0xffffffff86ad9ab8, DeviceName: \Device\Harddisk2\DR9\, DriverName: \Driver\Disk\
                            --------- Disk Stack ------
                            DevicePointer: 0xffffffff87b0c020, DeviceName: Unknown, DriverName: \Driver\PartMgr\
                            DevicePointer: 0xffffffff86ad9ab8, DeviceName: \Device\Harddisk2\DR9\, DriverName: \Driver\Disk\
                            DevicePointer: 0xffffffff87cf6ab8, DeviceName: \Device\000000bc\, DriverName: \Driver\USBSTOR\
                            ------------ End ----------
                            Alternate DeviceName: \Device\Harddisk2\DR9\, DriverName: \Driver\Disk\
                            Upper DeviceData: 0x0, 0x0, 0x0
                            Lower DeviceData: 0x0, 0x0, 0x0
                            Drive 2
                            Scanning MBR on drive 2...
                            Inspecting partition table:
                            MBR Signature: 55AA
                            Disk Signature: 44FDFE06

                            Partition information:

                                Partition 0 type is Primary (0x7)
                                Partition is NOT ACTIVE.
                                Partition starts at LBA: 63  Numsec = 1465144002

                                Partition 1 type is Empty (0x0)
                                Partition is NOT ACTIVE.
                                Partition starts at LBA: 0  Numsec = 0

                                Partition 2 type is Empty (0x0)
                                Partition is NOT ACTIVE.
                                Partition starts at LBA: 0  Numsec = 0

                                Partition 3 type is Empty (0x0)
                                Partition is NOT ACTIVE.
                                Partition starts at LBA: 0  Numsec = 0

                            Disk Size: 750156374016 bytes
                            Sector size: 512 bytes

                            Done!
                            Scan finished
                            =======================================


                            Removal queue found; removal started
                            Removing C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)\MBR-0-i.mbam...
                            Removing C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)\VBR-0-0-63-i.mbam...
                            Removing C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)\MBR-0-r.mbam...
                            Removing C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)\MBR-1-i.mbam...
                            Removing C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)\VBR-1-0-32-i.mbam...
                            Removing C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)\MBR-1-r.mbam...
                            Removing C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)\MBR-2-i.mbam...
                            Removing C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)\MBR-2-r.mbam...
                            Removal finished

                            SECOND SESSION

                            Malwarebytes Anti-Rootkit BETA 1.07.0.1012
                            www.malwarebytes.org

                            Database version: v2014.06.19.03

                            Windows XP Service Pack 3 x86 NTFS
                            Internet Explorer 8.0.6001.18702
                            Test :: LENOVO-0102D958 [administrator]

                            19/06/2014 08:25:57
                            mbar-log-2014-06-19 (08-25-57).txt

                            Scan type: Quick scan
                            Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
                            Scan options disabled:
                            Objects scanned: 366160
                            Time elapsed: 29 minute(s), 36 second(s)

                            Memory Processes Detected: 0
                            (No malicious items detected)

                            Memory Modules Detected: 0
                            (No malicious items detected)

                            Registry Keys Detected: 0
                            (No malicious items detected)

                            Registry Values Detected: 0
                            (No malicious items detected)

                            Registry Data Items Detected: 0
                            (No malicious items detected)

                            Folders Detected: 0
                            (No malicious items detected)

                            Files Detected: 0
                            (No malicious items detected)

                            Physical Sectors Detected: 0
                            (No malicious items detected)

                            (end)

                            SECOND SESSION SYSTEM LOG

                            Malwarebytes Anti-Rootkit BETA 1.07.0.1012

                            (c) Malwarebytes Corporation 2011-2012

                            OS version: 5.1.2600 Windows XP Service Pack 3 x86

                            Account is Administrative

                            Internet Explorer version: 8.0.6001.18702

                            File system is: NTFS
                            Disk drives: C:\ DRIVE_FIXED, G:\ DRIVE_FIXED
                            CPU speed: 1.795000 GHz
                            Memory total: 2112065536, free: 813096960

                            Downloaded database version: v2014.06.19.03
                            Downloaded database version: v2014.06.02.01
                            Initializing...
                            ======================
                            ------------ Kernel report ------------
                                 06/19/2014 06:49:59
                            ------------ Loaded modules -----------
                            \WINDOWS\system32\ntkrnlpa.exe
                            \WINDOWS\system32\hal.dll
                            \WINDOWS\system32\KDCOM.DLL
                            \WINDOWS\system32\BOOTVID.dll
                            ACPI.sys
                            \WINDOWS\system32\DRIVERS\WMILIB.SYS
                            pci.sys
                            isapnp.sys
                            compbatt.sys
                            \WINDOWS\system32\DRIVERS\BATTC.SYS
                            pciide.sys
                            \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
                            pcmcia.sys
                            MountMgr.sys
                            ftdisk.sys
                            dmload.sys
                            dmio.sys
                            PartMgr.sys
                            ACPIEC.sys
                            \WINDOWS\system32\DRIVERS\OPRGHDLR.SYS
                            VolSnap.sys
                            atapi.sys
                            iaStor.sys
                            disk.sys
                            \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
                            fltmgr.sys
                            sr.sys
                            DRVMCDB.SYS
                            PxHelp20.sys
                            KSecDD.sys
                            WudfPf.sys
                            Ntfs.sys
                            NDIS.sys
                            Apsx86.sys
                            ApsHM86.sys
                            ohci1394.sys
                            \WINDOWS\system32\DRIVERS\1394BUS.SYS
                            Mup.sys
                            \SystemRoot\system32\DRIVERS\nic1394.sys
                            \SystemRoot\system32\DRIVERS\intelppm.sys
                            \SystemRoot\system32\DRIVERS\nv4_mini.sys
                            \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
                            \SystemRoot\system32\DRIVERS\e1e5132.sys
                            \SystemRoot\system32\DRIVERS\usbuhci.sys
                            \SystemRoot\system32\DRIVERS\USBPORT.SYS
                            \SystemRoot\system32\DRIVERS\usbehci.sys
                            \SystemRoot\system32\DRIVERS\HDAudBus.sys
                            \SystemRoot\system32\DRIVERS\NETw4x32.sys
                            \SystemRoot\system32\DRIVERS\i8042prt.sys
                            \SystemRoot\system32\DRIVERS\kbdclass.sys
                            \SystemRoot\system32\DRIVERS\SynTP.sys
                            \SystemRoot\system32\DRIVERS\USBD.SYS
                            \SystemRoot\system32\DRIVERS\mouclass.sys
                            \SystemRoot\system32\DRIVERS\atmeltpm.sys
                            \SystemRoot\system32\DRIVERS\CmBatt.sys
                            \SystemRoot\system32\DRIVERS\ibmpmdrv.sys
                            \SystemRoot\system32\DRIVERS\imapi.sys
                            \SystemRoot\system32\drivers\Afc.sys
                            \SystemRoot\System32\Drivers\DLACDBHM.SYS
                            \SystemRoot\system32\DRIVERS\cdrom.sys
                            \SystemRoot\system32\DRIVERS\redbook.sys
                            \SystemRoot\system32\DRIVERS\ks.sys
                            \SystemRoot\system32\DRIVERS\wmiacpi.sys
                            \SystemRoot\system32\DRIVERS\wacomvhid.sys
                            \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
                            \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
                            \SystemRoot\system32\DRIVERS\tvtpktfilter.sys
                            \SystemRoot\system32\drivers\ScreamingBAudio.sys
                            \SystemRoot\system32\drivers\portcls.sys
                            \SystemRoot\system32\drivers\drmk.sys
                            \SystemRoot\system32\DRIVERS\audstub.sys
                            \SystemRoot\system32\DRIVERS\rasl2tp.sys
                            \SystemRoot\system32\DRIVERS\ndistapi.sys
                            \SystemRoot\system32\DRIVERS\ndiswan.sys
                            \SystemRoot\system32\DRIVERS\raspppoe.sys
                            \SystemRoot\system32\DRIVERS\raspptp.sys
                            \SystemRoot\system32\DRIVERS\TDI.SYS
                            \SystemRoot\system32\DRIVERS\psched.sys
                            \SystemRoot\system32\DRIVERS\msgpc.sys
                            \SystemRoot\system32\DRIVERS\ptilink.sys
                            \SystemRoot\system32\DRIVERS\raspti.sys
                            \SystemRoot\system32\DRIVERS\rdpdr.sys
                            \SystemRoot\system32\DRIVERS\termdd.sys
                            \SystemRoot\system32\DRIVERS\psadd.sys
                            \SystemRoot\system32\DRIVERS\Tvti2c.sys
                            \SystemRoot\system32\DRIVERS\swenum.sys
                            \SystemRoot\system32\DRIVERS\update.sys
                            \SystemRoot\system32\DRIVERS\mssmbios.sys
                            \SystemRoot\system32\DRIVERS\mouhid.sys
                            \SystemRoot\system32\DRIVERS\wacommousefilter.sys
                            \SystemRoot\System32\Drivers\NDProxy.SYS
                            \SystemRoot\system32\DRIVERS\usbhub.sys
                            \SystemRoot\system32\drivers\ADIHdAud.sys
                            \SystemRoot\system32\drivers\AEAudio.sys
                            \SystemRoot\system32\DRIVERS\HSFHWAZL.sys
                            \SystemRoot\system32\DRIVERS\HSF_DPV.sys
                            \SystemRoot\system32\DRIVERS\HSF_CNXT.sys
                            \SystemRoot\System32\Drivers\Modem.SYS
                            \SystemRoot\System32\Drivers\i2omgmt.SYS
                            \SystemRoot\System32\Drivers\Fs_Rec.SYS
                            \SystemRoot\System32\Drivers\Null.SYS
                            \SystemRoot\System32\Drivers\Beep.SYS
                            \SystemRoot\System32\Drivers\DLARTL_N.SYS
                            \SystemRoot\System32\drivers\vga.sys
                            \SystemRoot\System32\Drivers\mnmdd.SYS
                            \SystemRoot\System32\DRIVERS\RDPCDD.sys
                            \SystemRoot\System32\Drivers\Msfs.SYS
                            \SystemRoot\System32\Drivers\Npfs.SYS
                            \SystemRoot\system32\DRIVERS\rasacd.sys
                            \SystemRoot\system32\DRIVERS\ipsec.sys
                            \SystemRoot\system32\DRIVERS\tcpip.sys
                            \SystemRoot\System32\Drivers\SYMTDI.SYS
                            \SystemRoot\system32\DRIVERS\ipnat.sys
                            \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
                            \SystemRoot\system32\DRIVERS\wanarp.sys
                            \SystemRoot\system32\DRIVERS\arp1394.sys
                            \SystemRoot\system32\DRIVERS\netbt.sys
                            \SystemRoot\System32\drivers\afd.sys
                            \SystemRoot\system32\DRIVERS\netbios.sys
                            \SystemRoot\System32\drivers\TSMAPIP.SYS
                            \SystemRoot\System32\drivers\Tppwrif.sys
                            \SystemRoot\system32\DRIVERS\TPHKDRV.sys
                            \SystemRoot\system32\DRIVERS\ssmdrv.sys
                            \SystemRoot\System32\Drivers\SRTSPX.SYS
                            \SystemRoot\system32\DRIVERS\rdbss.sys
                            \SystemRoot\system32\DRIVERS\mrxsmb.sys
                            \??\C:\WINDOWS\system32\Drivers\IBMBLDID.sys
                            \SystemRoot\System32\Drivers\Fips.SYS
                            \SystemRoot\System32\Drivers\tcusb.sys
                            \SystemRoot\system32\DRIVERS\USBSTOR.SYS
                            \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
                            \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
                            \SystemRoot\system32\DRIVERS\avkmgr.sys
                            \SystemRoot\system32\DRIVERS\avipbb.sys
                            \SystemRoot\System32\drivers\ANC.SYS
                            \SystemRoot\System32\Drivers\Cdfs.SYS
                            \SystemRoot\System32\Drivers\dump_iaStor.sys
                            \SystemRoot\System32\win32k.sys
                            \SystemRoot\System32\drivers\Dxapi.sys
                            \SystemRoot\System32\watchdog.sys
                            \SystemRoot\System32\drivers\dxg.sys
                            \SystemRoot\System32\drivers\dxgthk.sys
                            \SystemRoot\System32\nv4_disp.dll
                            \SystemRoot\System32\ATMFD.DLL
                            \SystemRoot\system32\DRIVERS\avgntflt.sys
                            \SystemRoot\system32\DRIVERS\tvtfilter.sys
                            \SystemRoot\System32\Drivers\DRVNDDM.SYS
                            \SystemRoot\System32\DLA\DLADResN.SYS
                            \SystemRoot\System32\DLA\DLAIFS_M.SYS
                            \SystemRoot\System32\DLA\DLAOPIOM.SYS
                            \SystemRoot\System32\DLA\DLAPoolM.SYS
                            \??\C:\Program Files\Common Files\ThinkVantage Fingerprint Software\Drivers\smihlp.sys
                            \SystemRoot\System32\DLA\DLABOIOM.SYS
                            \SystemRoot\System32\DLA\DLAUDFAM.SYS
                            \SystemRoot\System32\DLA\DLAUDF_M.SYS
                            \SystemRoot\system32\DRIVERS\AegisP.sys
                            \SystemRoot\system32\DRIVERS\s24trans.sys
                            \SystemRoot\system32\DRIVERS\ndisuio.sys
                            \SystemRoot\System32\Drivers\Fastfat.SYS
                            \SystemRoot\system32\DRIVERS\mrxdav.sys
                            \SystemRoot\system32\DRIVERS\PROCDD.SYS
                            \SystemRoot\system32\DRIVERS\srv.sys
                            \SystemRoot\system32\DRIVERS\mdmxsdk.sys
                            \??\C:\WINDOWS\System32\drivers\pmemnt.sys
                            \SystemRoot\System32\Drivers\SRTSP.SYS
                            \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20070110.052\NAVEX15.SYS
                            \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20070110.052\NAVENG.SYS
                            \SystemRoot\system32\DRIVERS\psi_mf_x86.sys
                            \SystemRoot\system32\drivers\wdmaud.sys
                            \SystemRoot\system32\drivers\sysaudio.sys
                            \SystemRoot\System32\Drivers\HTTP.sys
                            \SystemRoot\System32\Drivers\SYMREDRV.SYS
                            \SystemRoot\System32\Drivers\Udfs.SYS
                            \SystemRoot\system32\drivers\kmixer.sys
                            \??\C:\WINDOWS\system32\drivers\mbamchameleon.sys
                            \??\C:\WINDOWS\system32\drivers\MBAMSwissArmy.sys
                            \WINDOWS\system32\ntdll.dll
                            ----------- End -----------
                            Done!
                            <<<1>>>
                            Upper Device Name: \Device\Harddisk2\DR9
                            Upper Device Object: 0xffffffff86ad9ab8
                            Upper Device Driver Name: \Driver\Disk\
                            Lower Device Name: \Device\000000bc\
                            Lower Device Object: 0xffffffff87cf6ab8
                            Lower Device Driver Name: \Driver\USBSTOR\
                            <<<1>>>
                            Upper Device Name: \Device\Harddisk1\DR3
                            Upper Device Object: 0xffffffff89360030
                            Upper Device Driver Name: \Driver\Disk\
                            Lower Device Name: \Device\000000b3\
                            Lower Device Object: 0xffffffff898554b8
                            Lower Device Driver Name: \Driver\USBSTOR\
                            <<<1>>>
                            Upper Device Name: \Device\Harddisk0\DR0
                            Upper Device Object: 0xffffffff8a551030
                            Upper Device Driver Name: \Driver\Disk\
                            Lower Device Name: \Device\Ide\IAAStorageDevice-0\
                            Lower Device Object: 0xffffffff8a535030
                            Lower Device Driver Name: \Driver\iaStor\
                            <<<2>>>
                            Physical Sector Size: 512
                            Drive: 0, DevicePointer: 0xffffffff8a551030, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
                            --------- Disk Stack ------
                            DevicePointer: 0xffffffff8a551800, DeviceName: Unknown, DriverName: \Driver\PartMgr\
                            DevicePointer: 0xffffffff8a551a18, DeviceName: Unknown, DriverName: \Driver\Shockprf\
                            DevicePointer: 0xffffffff8a551030, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
                            DevicePointer: 0xffffffff8a527b50, DeviceName: \Device\0000009a\, DriverName: \Driver\ACPI\
                            DevicePointer: 0xffffffff8a535030, DeviceName: \Device\Ide\IAAStorageDevice-0\, DriverName: \Driver\iaStor\
                            ------------ End ----------
                            Alternate DeviceName: Unknown, DriverName: \Driver\Shockprf\
                            Upper DeviceData: 0x0, 0x0, 0x0
                            Lower DeviceData: 0x0, 0x0, 0x0
                            <<<3>>>
                            Volume: C:
                            File system type: NTFS
                            SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
                            <<<2>>>
                            <<<3>>>
                            Volume: C:
                            File system type: NTFS
                            SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
                            Scanning drivers directory: C:\WINDOWS\SYSTEM32\drivers...
                            Done!
                            Drive 0
                            This is a System drive
                            Scanning MBR on drive 0...
                            Inspecting partition table:
                            MBR Signature: 55AA
                            Disk Signature: ED1F86F7

                            Partition information:

                                Partition 0 type is Primary (0x7)
                                Partition is ACTIVE.
                                Partition starts at LBA: 63  Numsec = 478956177
                                Partition file system is NTFS
                                Partition is bootable

                                Partition 1 type is Other (0x12)
                                Partition is NOT ACTIVE.
                                Partition starts at LBA: 478956240  Numsec = 9434880

                                Partition 2 type is Empty (0x0)
                                Partition is NOT ACTIVE.
                                Partition starts at LBA: 0  Numsec = 0

                                Partition 3 type is Empty (0x0)
                                Partition is NOT ACTIVE.
                                Partition starts at LBA: 0  Numsec = 0

                            Disk Size: 250059350016 bytes
                            Sector size: 512 bytes

                            Scanning physical sectors of unpartitioned space on drive 0 (1-62-488377168-488397168)...
                            Done!
                            Physical Sector Size: 512
                            Drive: 1, DevicePointer: 0xffffffff89360030, DeviceName: \Device\Harddisk1\DR3\, DriverName: \Driver\Disk\
                            --------- Disk Stack ------
                            DevicePointer: 0xffffffff89488288, DeviceName: Unknown, DriverName: \Driver\PartMgr\
                            DevicePointer: 0xffffffff89360030, DeviceName: \Device\Harddisk1\DR3\, DriverName: \Driver\Disk\
                            DevicePointer: 0xffffffff898554b8, DeviceName: \Device\000000b3\, DriverName: \Driver\USBSTOR\
                            ------------ End ----------
                            Alternate DeviceName: \Device\Harddisk1\DR3\, DriverName: \Driver\Disk\
                            Upper DeviceData: 0x0, 0x0, 0x0
                            Lower DeviceData: 0x0, 0x0, 0x0
                            Drive 1
                            Scanning MBR on drive 1...
                            Inspecting partition table:
                            MBR Signature: 55AA
                            Disk Signature: C3072E18

                            Partition information:

                                Partition 0 type is Other (0x6)
                                Partition is ACTIVE.
                                Partition starts at LBA: 32  Numsec = 4062176
                                Partition file system is FAT
                                Partition is not bootable

                                Partition 1 type is Empty (0x0)
                                Partition is NOT ACTIVE.
                                Partition starts at LBA: 0  Numsec = 0

                                Partition 2 type is Empty (0x0)
                                Partition is NOT ACTIVE.
                                Partition starts at LBA: 0  Numsec = 0

                                Partition 3 type is Empty (0x0)
                                Partition is NOT ACTIVE.
                                Partition starts at LBA: 0  Numsec = 0

                            Disk Size: 2079850496 bytes
                            Sector size: 512 bytes

                            Done!
                            Physical Sector Size: 512
                            Drive: 2, DevicePointer: 0xffffffff86ad9ab8, DeviceName: \Device\Harddisk2\DR9\, DriverName: \Driver\Disk\
                            --------- Disk Stack ------
                            DevicePointer: 0xffffffff87b0c020, DeviceName: Unknown, DriverName: \Driver\PartMgr\
                            DevicePointer: 0xffffffff86ad9ab8, DeviceName: \Device\Harddisk2\DR9\, DriverName: \Driver\Disk\
                            DevicePointer: 0xffffffff87cf6ab8, DeviceName: \Device\000000bc\, DriverName: \Driver\USBSTOR\
                            ------------ End ----------
                            Alternate DeviceName: \Device\Harddisk2\DR9\, DriverName: \Driver\Disk\
                            Upper DeviceData: 0x0, 0x0, 0x0
                            Lower DeviceData: 0x0, 0x0, 0x0
                            Drive 2
                            Scanning MBR on drive 2...
                            Inspecting partition table:
                            MBR Signature: 55AA
                            Disk Signature: 44FDFE06

                            Partition information:

                                Partition 0 type is Primary (0x7)
                                Partition is NOT ACTIVE.
                                Partition starts at LBA: 63  Numsec = 1465144002

                                Partition 1 type is Empty (0x0)
                                Partition is NOT ACTIVE.
                                Partition starts at LBA: 0  Numsec = 0

                                Partition 2 type is Empty (0x0)
                                Partition is NOT ACTIVE.
                                Partition starts at LBA: 0  Numsec = 0

                                Partition 3 type is Empty (0x0)
                                Partition is NOT ACTIVE.
                                Partition starts at LBA: 0  Numsec = 0

                            Disk Size: 750156374016 bytes
                            Sector size: 512 bytes

                            Done!
                            Scan finished
                            =======================================


                            Removal queue found; removal started
                            Removing C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)\MBR-0-i.mbam...
                            Removing C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)\VBR-0-0-63-i.mbam...
                            Removing C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)\MBR-0-r.mbam...
                            Removing C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)\MBR-1-i.mbam...
                            Removing C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)\VBR-1-0-32-i.mbam...
                            Removing C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)\MBR-1-r.mbam...
                            Removing C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)\MBR-2-i.mbam...
                            Removing C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)\MBR-2-r.mbam...
                            Removal finished
                            ---------------------------------------
                            Malwarebytes Anti-Rootkit BETA 1.07.0.1012

                            (c) Malwarebytes Corporation 2011-2012

                            OS version: 5.1.2600 Windows XP Service Pack 3 x86

                            Account is Administrative

                            Internet Explorer version: 8.0.6001.18702

                            File system is: NTFS
                            Disk drives: C:\ DRIVE_FIXED, G:\ DRIVE_FIXED
                            CPU speed: 1.795000 GHz
                            Memory total: 2112065536, free: 940027904

                            Initializing...
                            =======================================
                            ------------ Kernel report ------------
                                 06/19/2014 08:24:54
                            ------------ Loaded modules -----------
                            \WINDOWS\system32\ntkrnlpa.exe
                            \WINDOWS\system32\hal.dll
                            \WINDOWS\system32\KDCOM.DLL
                            \WINDOWS\system32\BOOTVID.dll
                            ACPI.sys
                            \WINDOWS\system32\DRIVERS\WMILIB.SYS
                            pci.sys
                            isapnp.sys
                            compbatt.sys
                            \WINDOWS\system32\DRIVERS\BATTC.SYS
                            pciide.sys
                            \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
                            pcmcia.sys
                            MountMgr.sys
                            ftdisk.sys
                            dmload.sys
                            dmio.sys
                            PartMgr.sys
                            ACPIEC.sys
                            \WINDOWS\system32\DRIVERS\OPRGHDLR.SYS
                            VolSnap.sys
                            atapi.sys
                            iaStor.sys
                            disk.sys
                            \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
                            fltmgr.sys
                            sr.sys
                            DRVMCDB.SYS
                            PxHelp20.sys
                            KSecDD.sys
                            WudfPf.sys
                            Done!
                            <<<1>>>
                            Upper Device Name: \Device\Harddisk2\DR4
                            Upper Device Object: 0xffffffff89a2f818
                            Upper Device Driver Name: \Driver\Disk\
                            Lower Device Name: \Device\000000b4\
                            Lower Device Object: 0xffffffff894f32a0
                            Lower Device Driver Name: \Driver\USBSTOR\
                            <<<1>>>
                            Upper Device Name: \Device\Harddisk1\DR3
                            Upper Device Object: 0xffffffff89b69ab8
                            Upper Device Driver Name: \Driver\Disk\
                            Lower Device Name: \Device\000000b3\
                            Lower Device Object: 0xffffffff8986aab0
                            Lower Device Driver Name: \Driver\USBSTOR\
                            <<<1>>>
                            Upper Device Name: \Device\Harddisk0\DR0
                            Upper Device Object: 0xffffffff8a555ab8
                            Upper Device Driver Name: \Driver\Disk\
                            Lower Device Name: \Device\Ide\IAAStorageDevice-0\
                            Lower Device Object: 0xffffffff8a4d9030
                            Lower Device Driver Name: \Driver\iaStor\
                            <<<2>>>
                            Physical Sector Size: 512
                            Drive: 0, DevicePointer: 0xffffffff8a555ab8, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
                            --------- Disk Stack ------
                            DevicePointer: 0xffffffff8a535800, DeviceName: Unknown, DriverName: \Driver\PartMgr\
                            DevicePointer: 0xffffffff8a535a18, DeviceName: Unknown, DriverName: \Driver\Shockprf\
                            DevicePointer: 0xffffffff8a555ab8, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
                            DevicePointer: 0xffffffff8a539160, DeviceName: \Device\0000009a\, DriverName: \Driver\ACPI\
                            DevicePointer: 0xffffffff8a4d9030, DeviceName: \Device\Ide\IAAStorageDevice-0\, DriverName: \Driver\iaStor\
                            ------------ End ----------
                            Alternate DeviceName: Unknown, DriverName: \Driver\Shockprf\
                            Upper DeviceData: 0x0, 0x0, 0x0
                            Lower DeviceData: 0x0, 0x0, 0x0
                            <<<3>>>
                            Volume: C:
                            File system type: NTFS
                            SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
                            <<<2>>>
                            <<<3>>>
                            Volume: C:
                            File system type: NTFS
                            SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
                            Scanning drivers directory: C:\WINDOWS\SYSTEM32\drivers...
                            Done!
                            Drive 0
                            This is a System drive
                            Scanning MBR on drive 0...
                            Inspecting partition table:
                            MBR Signature: 55AA
                            Disk Signature: ED1F86F7

                            Partition information:

                                Partition 0 type is Primary (0x7)
                                Partition is ACTIVE.
                                Partition starts at LBA: 63  Numsec = 478956177
                                Partition file system is NTFS
                                Partition is bootable

                                Partition 1 type is Other (0x12)
                                Partition is NOT ACTIVE.
                                Partition starts at LBA: 478956240  Numsec = 9434880

                                Partition 2 type is Empty (0x0)
                                Partition is NOT ACTIVE.
                                Partition starts at LBA: 0  Numsec = 0

                                Partition 3 type is Empty (0x0)
                                Partition is NOT ACTIVE.
                                Partition starts at LBA: 0  Numsec = 0

                            Disk Size: 250059350016 bytes
                            Sector size: 512 bytes

                            Scanning physical sectors of unpartitioned space on drive 0 (1-62-488377168-488397168)...
                            Done!
                            Physical Sector Size: 512
                            Drive: 1, DevicePointer: 0xffffffff89b69ab8, DeviceName: \Device\Harddisk1\DR3\, DriverName: \Driver\Disk\
                            --------- Disk Stack ------
                            DevicePointer: 0xffffffff89441a68, DeviceName: Unknown, DriverName: \Driver\PartMgr\
                            DevicePointer: 0xffffffff89b69ab8, DeviceName: \Device\Harddisk1\DR3\, DriverName: \Driver\Disk\
                            DevicePointer: 0xffffffff8986aab0, DeviceName: \Device\000000b3\, DriverName: \Driver\USBSTOR\
                            ------------ End ----------
                            Alternate DeviceName: \Device\Harddisk1\DR3\, DriverName: \Driver\Disk\
                            Upper DeviceData: 0x0, 0x0, 0x0
                            Lower DeviceData: 0x0, 0x0, 0x0
                            Drive 1
                            Scanning MBR on drive 1...
                            Inspecting partition table:
                            MBR Signature: 55AA
                            Disk Signature: C3072E18

                            Partition information:

                                Partition 0 type is Other (0x6)
                                Partition is ACTIVE.
                                Partition starts at LBA: 32  Numsec = 4062176
                                Partition file system is FAT
                                Partition is not bootable

                                Partition 1 type is Empty (0x0)
                                Partition is NOT ACTIVE.
                                Partition starts at LBA: 0  Numsec = 0

                                Partition 2 type is Empty (0x0)
                                Partition is NOT ACTIVE.
                                Partition starts at LBA: 0  Numsec = 0

                                Partition 3 type is Empty (0x0)
                                Partition is NOT ACTIVE.
                                Partition starts at LBA: 0  Numsec = 0

                            Disk Size: 2079850496 bytes
                            Sector size: 512 bytes

                            Done!
                            Physical Sector Size: 512
                            Drive: 2, DevicePointer: 0xffffffff89a2f818, DeviceName: \Device\Harddisk2\DR4\, DriverName: \Driver\Disk\
                            --------- Disk Stack ------
                            DevicePointer: 0xffffffff8986c020, DeviceName: Unknown, DriverName: \Driver\PartMgr\
                            DevicePointer: 0xffffffff89a2f818, DeviceName: \Device\Harddisk2\DR4\, DriverName: \Driver\Disk\
                            DevicePointer: 0xffffffff894f32a0, DeviceName: \Device\000000b4\, DriverName: \Driver\USBSTOR\
                            ------------ End ----------
                            Alternate DeviceName: \Device\Harddisk2\DR4\, DriverName: \Driver\Disk\
                            Upper DeviceData: 0x0, 0x0, 0x0
                            Lower DeviceData: 0x0, 0x0, 0x0
                            Drive 2
                            Scanning MBR on drive 2...
                            Inspecting partition table:
                            MBR Signature: 55AA
                            Disk Signature: 44FDFE06

                            Partition information:

                                Partition 0 type is Primary (0x7)
                                Partition is NOT ACTIVE.
                                Partition starts at LBA: 63  Numsec = 1465144002

                                Partition 1 type is Empty (0x0)
                                Partition is NOT ACTIVE.
                                Partition starts at LBA: 0  Numsec = 0

                                Partition 2 type is Empty (0x0)
                                Partition is NOT ACTIVE.
                                Partition starts at LBA: 0  Numsec = 0

                                Partition 3 type is Empty (0x0)
                                Partition is NOT ACTIVE.
                                Partition starts at LBA: 0  Numsec = 0

                            Disk Size: 750156374016 bytes
                            Sector size: 512 bytes

                            Done!
                            Scan finished
                            =======================================


                            Removal queue found; removal started
                            Removing C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)\MBR-0-i.mbam...
                            Removing C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)\VBR-0-0-63-i.mbam...
                            Removing C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)\MBR-0-r.mbam...
                            Removing C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)\MBR-1-i.mbam...
                            Removing C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)\VBR-1-0-32-i.mbam...
                            Removing C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)\MBR-1-r.mbam...
                            Removing C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)\MBR-2-i.mbam...
                            Removing C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)\MBR-2-r.mbam...
                            Removal finished
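Added example (not MBAM's code and not anything posted in this thread): a small Python parser for the MBR partition table that the rootkit scan above inspects, with the sanity checks a defender would run on it (0x55AA signature, at most one active entry, no overlap, nothing past the end of the disk). The 512-byte MBR is constructed from the values the log reports for drive 0 (disk signature ED1F86F7, an active NTFS partition at LBA 63, a type 0x12 partition at LBA 478956240); the boot code is zero-filled, and the type-name mapping and the unpartitioned-range computation are assumptions of this example, not the scanner's.

```python
import struct

SECTOR_SIZE = 512
MBR_MAGIC = b"\x55\xaa"
# One 16-byte entry: status, CHS start, type, CHS end, LBA start, sector count (little-endian)
ENTRY_FMT = "<B3sB3sII"

# Type names for the partition types seen in the log (assumed mapping, not MBAM's).
PART_TYPE_NAMES = {0x00: "Empty", 0x06: "FAT16", 0x07: "NTFS", 0x12: "OEM/diagnostic"}


def build_mbr(disk_sig, entries):
    """Construct an MBR: zeroed boot code, disk signature, four entries, 0x55AA.

    entries: up to four (active, type, lba_start, num_sectors) tuples.
    """
    if len(entries) > 4:
        raise ValueError("an MBR holds at most four primary entries")
    entries = list(entries) + [(False, 0, 0, 0)] * (4 - len(entries))
    table = b"".join(
        struct.pack(ENTRY_FMT, 0x80 if active else 0x00, b"\0\0\0", ptype, b"\0\0\0", lba, num)
        for active, ptype, lba, num in entries
    )
    mbr = bytes(440) + struct.pack("<I", disk_sig) + b"\0\0" + table + MBR_MAGIC
    assert len(mbr) == SECTOR_SIZE
    return mbr


def parse_mbr(mbr):
    """Decode the disk signature and the four partition entries of one 512-byte sector."""
    if len(mbr) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly one 512-byte sector")
    disk_sig = struct.unpack_from("<I", mbr, 440)[0]
    parts = []
    for i in range(4):
        status, _, ptype, _, lba, num = struct.unpack_from(ENTRY_FMT, mbr, 446 + 16 * i)
        parts.append({"index": i, "active": status == 0x80, "type": ptype, "lba": lba, "numsec": num})
    return {"magic": mbr[510:512], "disk_sig": disk_sig, "partitions": parts}


def check_mbr(info, disk_sectors):
    """Sanity checks on a parsed table; returns a list of findings (empty means nothing odd)."""
    findings = []
    if info["magic"] != MBR_MAGIC:
        findings.append("bad MBR signature %s" % info["magic"].hex().upper())
    used = [p for p in info["partitions"] if p["type"] != 0x00]
    active = [p["index"] for p in used if p["active"]]
    if len(active) > 1:
        findings.append("more than one active partition: %s" % active)
    for p in used:
        end = p["lba"] + p["numsec"]  # exclusive end sector
        if p["numsec"] == 0:
            findings.append("partition %d has a type but zero length" % p["index"])
        elif end > disk_sectors:
            findings.append("partition %d extends past the disk (ends at %d)" % (p["index"], end))
    spans = sorted((p["lba"], p["lba"] + p["numsec"], p["index"]) for p in used)
    for (s1, e1, i1), (s2, e2, i2) in zip(spans, spans[1:]):
        if s2 < e1:
            findings.append("partitions %d and %d overlap" % (i1, i2))
    return findings


def unpartitioned_ranges(info, disk_sectors):
    """Sector ranges [start, end) covered by no partition, excluding sector 0 (the MBR itself).

    This is this example's own computation of where a scanner would look for hidden data;
    it does not claim to reproduce the exact ranges MBAM prints.
    """
    spans = sorted((p["lba"], p["lba"] + p["numsec"]) for p in info["partitions"] if p["type"] != 0)
    gaps, cursor = [], 1
    for start, end in spans:
        if start > cursor:
            gaps.append((cursor, start))
        cursor = max(cursor, end)
    if cursor < disk_sectors:
        gaps.append((cursor, disk_sectors))
    return gaps


def describe(info):
    """Render the table in the same spirit as the scan log above."""
    lines = ["MBR Signature: %s" % info["magic"].hex().upper(),
             "Disk Signature: %08X" % info["disk_sig"]]
    for p in info["partitions"]:
        name = PART_TYPE_NAMES.get(p["type"], "Other")
        lines.append("Partition %d type is %s (0x%X), %s, LBA %d, Numsec %d" % (
            p["index"], name, p["type"], "ACTIVE" if p["active"] else "NOT ACTIVE", p["lba"], p["numsec"]))
    return lines


# Constructed sample matching drive 0 in the log: 250059350016 bytes = 488397168 sectors.
DRIVE0_SECTORS = 250059350016 // SECTOR_SIZE
DRIVE0_MBR = build_mbr(0xED1F86F7, [(True, 0x07, 63, 478956177), (False, 0x12, 478956240, 9434880)])

if __name__ == "__main__":
    info = parse_mbr(DRIVE0_MBR)
    print("\n".join(describe(info)))
    print("findings:", check_mbr(info, DRIVE0_SECTORS) or "none")
    print("unpartitioned:", unpartitioned_ranges(info, DRIVE0_SECTORS))
```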





                            SuperDave

                            Re: TR/Crypt.XPACK.Gen [Trojan] and Avira's Response
                            « Reply #24 on: June 19, 2014, 12:19:07 PM »
                            I'd like to scan your machine with ESET OnlineScan

                            • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
                            ESET OnlineScan

                            • Click the button.
                            • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
                            • Click on to download the ESET Smart Installer. Save it to your desktop.
                            • Double click on the icon on your desktop.
                            • Check
                            • Click the button.
                            • Accept any security warnings from your browser.
                            • Leave the check mark next to Remove found threats.
                            • Check
                            • Push the Start button.
                            • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
                            • When the scan completes, push
                            • Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
                            • Push the button.
                            • Push
                            A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt
                            Windows 8 and Windows 10 dual boot with two SSD's

                            Tatterdemalion


                              Re: TR/Crypt.XPACK.Gen [Trojan] and Avira's Response
                              « Reply #25 on: June 19, 2014, 05:59:16 PM »
                              Thank you for your help.

                              My ESET Report generated this text -->

                              C:\Documents and Settings\lenovo\Local Settings\Temp\AskSLib.dll   a variant of Win32/Bundled.Toolbar.Ask potentially unsafe application   deleted - quarantined
                              C:\Documents and Settings\lenovo\My Documents\Downloads\ccsetup320.exe   Win32/Bundled.Toolbar.Google.E potentially unsafe application   deleted - quarantined
                              C:\Documents and Settings\lenovo\My Documents\Dropbox\Shared W & K\Utilities\FreeFileSync_5.13_Windows_Setup.exe   Win32/OpenCandy potentially unsafe application   deleted - quarantined
                              C:\Documents and Settings\Test\Local Settings\Temp\AskSLib.dll   a variant of Win32/Bundled.Toolbar.Ask potentially unsafe application   deleted - quarantined
                              C:\Documents and Settings\Test\Local Settings\Temp\GQHKs7eG.exe.part   Win32/Bundled.Toolbar.Google.D potentially unsafe application   deleted - quarantined
                              C:\Documents and Settings\Test\My Documents\Dropbox\0 Shared\W & K\Utilities\FreeFileSync_5.13_Windows_Setup.exe   Win32/OpenCandy potentially unsafe application   deleted - quarantined
                              C:\Documents and Settings\Test\My Documents\Dropbox\Software\gamebooster.exe   Win32/OpenCandy potentially unsafe application   deleted - quarantined
                              C:\Program Files\Avira\AntiVir Desktop\apnic.dll   a variant of Win32/Bundled.Toolbar.Ask potentially unsafe application   deleted - quarantined
                              C:\Program Files\Avira\AntiVir Desktop\apntoolbarinstaller.exe   a variant of Win32/Bundled.Toolbar.Ask potentially unsafe application   deleted - quarantined
                              C:\Program Files\Avira\AntiVir Desktop\Offercast_AVIRAV7_.exe   a variant of Win32/Bundled.Toolbar.Ask.D potentially unsafe application   deleted - quarantined
                              C:\WINDOWS\Temp\AskSLib.dll   a variant of Win32/Bundled.Toolbar.Ask potentially unsafe application   deleted - quarantined
                              G:\Audiobooks\Finance\Dare To Create Money [Tony Robbins, T Harv Eker, Bonnie Holscher, Robert Kiyosaki, Bob Proctor]\Free Texas Holdem Poker Bot\HoldemIndicatorSetup.exe   a variant of Win32/Packed.Themida potentially unwanted application   deleted - quarantined

                              I haven't pressed the BACK button yet.

                              Has it deleted part of my Avira Anti Virus software ??

                              Has it deleted the installer for Free File Sync 5.13 ? I use that file comparison software on another computer. Is the program considered dangerous ?

                              It also looks like it has removed an installer for CCleaner which I thought was supposed to be a HELPFUL/NECESSARY utility.

                              Please advise...

                              SuperDave

                              Re: TR/Crypt.XPACK.Gen [Trojan] and Avira's Response
                              « Reply #26 on: June 19, 2014, 07:37:44 PM »
                              Quote
                              Has it deleted part of my Avira Anti Virus software ??
                              No, just some junk that was in quarantine.
                              Quote
                              Has it deleted the installer for Free File Sync 5.13 ? I use that file comparison software on another computer. Is the program considered dangerous ?
                              I see no evidence of that. I've never used it but it appears safe to use.
                              Press the back button and then run ESET again.

                              Tatterdemalion


                                Re: TR/Crypt.XPACK.Gen [Trojan] and Avira's Response
                                « Reply #27 on: June 19, 2014, 09:40:10 PM »
                                Did you mean that you saw no evidence of FreeFileSync being a dangerous program OR that you did not think the installer for it had been deleted ?

                                I thought these lines --->

                                C:\Documents and Settings\Test\My Documents\Dropbox\0 Shared\W & K\Utilities\FreeFileSync_5.13_Windows_Setup.exe   Win32/OpenCandy potentially unsafe application   deleted - quarantined
                                C:\Documents and Settings\Test\My Documents\Dropbox\Software\gamebooster.exe   Win32/OpenCandy potentially unsafe application   deleted - quarantined
                                C:\Documents and Settings\lenovo\My Documents\Downloads\ccsetup320.exe   Win32/Bundled.Toolbar.Google.E potentially unsafe application   deleted - quarantined

                                meant that three executables had been ERASED because they install Open Candy which (I have since read) leaves machines vulnerable.

                                Seems rather ironic that CCleaner is among them if Open Candy is a big threat. What does it actually DO ? Monitor your browser usage so that targeted adverts can be served to the end user so that the original programmer can get paid for creating a free software utility - or is it something sinister ?

                                A bit of Googling has meant it seems like there's no such thing as a free lunch and no such thing as a safe toolbar.

                                ESET looks like it has condemned a Toolbar in Avira and Avast (running on the machine I am typing from) has just said it wants to remove a Norton Toolbar....that I can't SEE.

                                I have started a second ESET scan and will return with the result when it completes. The last scan took nearly five hours, so I expect this analysis to be of a similar duration.

                                Thank you for your help.

                                Tatterdemalion


                                  Re: TR/Crypt.XPACK.Gen [Trojan] and Avira's Response
                                  « Reply #28 on: June 20, 2014, 03:19:59 AM »
                                  I have run the scan a second time. This is the latest information :

                                  C:\Program Files\Avira\AntiVir Desktop\Offercast_AVIRAV7_.exe   a variant of Win32/Bundled.Toolbar.Ask.D potentially unsafe application   deleted - quarantined

                                  SuperDave

                                  Re: TR/Crypt.XPACK.Gen [Trojan] and Avira's Response
                                  « Reply #29 on: June 20, 2014, 12:34:22 PM »
                                  Quote
                                  Did you mean that you saw no evidence of FreeFileSync being a dangerous program OR that you did not think the installer for it had been deleted ?
                                  I meant that I consider it safe to use.
                                  Any other issues with your computer?

                                  Tatterdemalion


                                    Re: TR/Crypt.XPACK.Gen [Trojan] and Avira's Response
                                    « Reply #30 on: June 20, 2014, 01:18:11 PM »
                                    I hope not. Thank you for all of your help. Do you think the machine is clear now and I can carry on using it as normal ? Do I tell the ESET program to remove itself ?

                                    SuperDave

                                    Re: TR/Crypt.XPACK.Gen [Trojan] and Avira's Response
                                    « Reply #31 on: June 20, 2014, 07:35:05 PM »
                                    Quote
                                    Do you think the machine is clear now and I can carry on using it as normal ? Do I tell the ESET program to remove itself ?
                                    As clean as I can make it being thousands of kilometers away from you. You can uninstall the ESET scanner.
                                    Let's do some cleanup. You may keep MBAM and AdwCleaner on your computer, if you wish. Update them and run them on a regular basis.


                                    Click Start> Computer> right click the C Drive and choose Properties> enter
                                    Click Disk Cleanup from there.



                                    Click OK on the Disk Cleanup Screen.
                                    Click Yes on the Confirmation screen.



                                    This runs the Disk Cleanup utility along with other selections if you have chosen any. (If you had a lot of System Restore points, you will see a significant change in the free space on the C drive.)
                                    ***************************************
                                    Go to Microsoft Windows Update and get all critical updates.

                                    ----------

                                    I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

                                    Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

                                    Also see Slow Computer? It may not be Malware for free cleaning/maintenance tools to help keep your computer running smoothly.
                                    Safe Surfing!

                                    Tatterdemalion


                                      Re: TR/Crypt.XPACK.Gen [Trojan] and Avira's Response
                                      « Reply #32 on: June 21, 2014, 12:57:42 PM »
                                      THANK YOU for all of your help.

                                      SuperDave

                                      Re: TR/Crypt.XPACK.Gen [Trojan] and Avira's Response
                                      « Reply #33 on: June 21, 2014, 07:36:34 PM »
                                      You're welcome. I will lock this thread. If you need it re-opened, please send me a pm.