Sorry for the late reply.
Please delete these folders:
c:\users\Arvind Raje\AppData\Roaming\BB06E
c:\users\Arvind Raje\AppData\Roaming\Microsoft\99B3
c:\users\Arvind Raje\AppData\Roaming\341BB
MrC
-
This topic is locked
39 replies to this topic
#21
MrCharlie
-
- Experts
-
- 18,274 posts
Forum Deity
- Gender:Male
- Location:So. Plainfield, New Jersey, USA
Posted 27 February 2012 - 08:16 AM
Malware Removal Expert
I volunteer my free time to help you, if you would like to donate to show your appreciation, it will be much appreciated.
Thanks MrC & crew
#22
ranon
-
- Members
-
- 20 posts
New Member
Posted 27 February 2012 - 11:58 AM
I'm grateful for the help.
I've deleted the folders. What next.
I've deleted the folders. What next.
#23
MrCharlie
-
- Experts
-
- 18,274 posts
Forum Deity
- Gender:Male
- Location:So. Plainfield, New Jersey, USA
Posted 27 February 2012 - 12:04 PM
Please Update and run a Quick Scan with MBAM, post the report.
Please let me know how it is, MrC
Please let me know how it is, MrC
Malware Removal Expert
I volunteer my free time to help you, if you would like to donate to show your appreciation, it will be much appreciated.
Thanks MrC & crew
#24
ranon
-
- Members
-
- 20 posts
New Member
Posted 27 February 2012 - 12:49 PM
The scan came back clean. results are attached. But I don't think that I am rid of this virus yet.
Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org
Database version: v2012.02.27.02
Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
Arvind Raje :: LAPTOPPC [administrator]
27-02-2012 22:58:08
mbam-log-2012-02-27 (22-58-08).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 203644
Time elapsed: 7 minute(s), 31 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 0
(No malicious items detected)
(end)
Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org
Database version: v2012.02.27.02
Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
Arvind Raje :: LAPTOPPC [administrator]
27-02-2012 22:58:08
mbam-log-2012-02-27 (22-58-08).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 203644
Time elapsed: 7 minute(s), 31 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 0
(No malicious items detected)
(end)
#25
MrCharlie
-
- Experts
-
- 18,274 posts
Forum Deity
- Gender:Male
- Location:So. Plainfield, New Jersey, USA
Posted 27 February 2012 - 12:56 PM
What problems are you having?? MrC
Malware Removal Expert
I volunteer my free time to help you, if you would like to donate to show your appreciation, it will be much appreciated.
Thanks MrC & crew
#26
ranon
-
- Members
-
- 20 posts
New Member
Posted 27 February 2012 - 01:27 PM
Ok, the memory usage is still high. CPU is constantly being used (abt 10-40%).
I use dropbox to keep files on various PC's the same. in post #20, rkill detected dropbox as having a virus and stopped it. Do I now start it again.
I have also not restarted since the rkill. At some point I am going to have to restart it. Please tell me when I can restart.
When I use windows task manager, i start it by right clicking on taskbar. On the image it shows as command line "taskeng.exe {98336E83-2C8E-4A6E-9318-DDE2FFB11188}". There are two processes with same name and slightly different parameters.
There are 13 different svchost.exe processes, all starting from c:\windows\system32.
Rishi
I use dropbox to keep files on various PC's the same. in post #20, rkill detected dropbox as having a virus and stopped it. Do I now start it again.
I have also not restarted since the rkill. At some point I am going to have to restart it. Please tell me when I can restart.
When I use windows task manager, i start it by right clicking on taskbar. On the image it shows as command line "taskeng.exe {98336E83-2C8E-4A6E-9318-DDE2FFB11188}". There are two processes with same name and slightly different parameters.
There are 13 different svchost.exe processes, all starting from c:\windows\system32.
Rishi
#27
MrCharlie
-
- Experts
-
- 18,274 posts
Forum Deity
- Gender:Male
- Location:So. Plainfield, New Jersey, USA
Posted 27 February 2012 - 01:53 PM
Quote
I use dropbox to keep files on various PC's the same. in post #20, rkill detected dropbox as having a virus and stopped it. Do I now start it again.
Rkill didn't detect it as a virus, it just terminated it while it did it's job, so it's OK.
You can restart it.
Quote
I have also not restarted since the rkill. At some point I am going to have to restart it. Please tell me when I can restart
Yes, restart the omputer.
Quote
When I use windows task manager, i start it by right clicking on taskbar. On the image it shows as command line "taskeng.exe {98336E83-2C8E-4A6E-9318-DDE2FFB11188}". There are two processes with same name and slightly different parameters.
This may help: (can you locate the files in question?)
http://www.neuber.co...askeng.exe.html
Quote
There are 13 different svchost.exe processes, all starting from c:\windows\system32.
This is not unusually, check the link below:
http://www.howtogeek...-is-it-running/
Let me know, there's another scan we could run that will take about 3 hours to do.
Malware Removal Expert
I volunteer my free time to help you, if you would like to donate to show your appreciation, it will be much appreciated.
Thanks MrC & crew
#28
ranon
-
- Members
-
- 20 posts
New Member
Posted 27 February 2012 - 02:18 PM
Both taskeng processses are starting from c:\windows\system32.
I have restarted my pc. No problems yet with it.
Please tell me about the scan.
I have restarted my pc. No problems yet with it.
Please tell me about the scan.
#29
MrCharlie
-
- Experts
-
- 18,274 posts
Forum Deity
- Gender:Male
- Location:So. Plainfield, New Jersey, USA
Posted 27 February 2012 - 02:34 PM
Malware Removal Expert
I volunteer my free time to help you, if you would like to donate to show your appreciation, it will be much appreciated.
Thanks MrC & crew
#30
ranon
-
- Members
-
- 20 posts
New Member
Posted 27 February 2012 - 11:52 PM
I ran the viprerescue scan.
About 75% through the scan (6hrs) the system made a hard reboot.
I am posting the last 10 lines of the log so you can see where it stopped. Quarantine directory of vipersrescue iis empty, so it does not seem to have found anything.
Also during the scan, a few processes popped up in the task manager. dllhost, csrss and one more that I cannot remember. All three were running from standard directories, but with command line as having a parameter that looks like a registry key. Is this normal?
I also noticed a directory c:\63e8929133247ad70dee9a5b. Created on 24-02-12, 12:15 pm. When I click it on explorer, it says that I do not have permission to access the directory. I can change the permissions, but I await instructions on the matter.
Log of vipresrescue follows.
TRA 2840 4812 2012-02-28 09:46:14 473532916337 VIPRERescueScanner VIPRERescueScanner: C:\Windows\System32\DriverStore\FileRepository\prnep001.inf_f0a9a372\I386\EP0LVP1R.GPD
VER 2840 4812 2012-02-28 09:46:15 473533561147 VIPRERescueScanner SBTE: Vipre: [4812][02/28 09:46:16.022087]:[vcore:ublDiag] unpackOneMember: EmbeddedItem_0_ contains 1 members; success=1
VER 2840 4812 2012-02-28 09:46:15 473534001065 VIPRERescueScanner SBTE: Vipre: [4812][02/28 09:46:16.052831]:[vcore:ublDiag] unpackOneMember: EmbeddedItem_0_ contains 1 members; success=1
VER 2840 4812 2012-02-28 09:46:15 473534439831 VIPRERescueScanner SBTE: Vipre: [4812][02/28 09:46:16.083453]:[vcore:ublDiag] unpackOneMember: EmbeddedItem_0_ contains 1 members; success=1
VER 2840 4812 2012-02-28 09:46:15 473535058643 VIPRERescueScanner SBTE: Vipre: [4812][02/28 09:46:16.126455]:[vcore:ublDiag] unpackOneMember: EmbeddedItem_0_ contains 1 members; success=1
TRA 2840 4812 2012-02-28 09:46:18 473581204260 VIPRERescueScanner VIPRERescueScanner: C:\Windows\System32\DriverStore\FileRepository\prnep001.inf_f0a9a372\I386\EP0LVP1S.GPD
VER 2840 4812 2012-02-28 09:46:18 473582108613 VIPRERescueScanner SBTE: Vipre: [4812][02/28 09:46:19.412678]:[vcore:ublDiag] unpackOneMember: EmbeddedItem_0_ contains 1 members; success=1
VER 2840 4812 2012-02-28 09:46:18 473582733605 VIPRERescueScanner SBTE: Vipre: [4812][02/28 09:46:19.456321]:[vcore:ublDiag] unpackOneMember: EmbeddedItem_0_ contains 1 members; success=1
VER 2840 4812 2012-02-28 09:46:18 473583531084 VIPRERescueScanner SBTE: Vipre: [4812][02/28 09:46:19.511953]:[vcore:ublDiag] unpackOneMember: EmbeddedItem_0_ contains 1 members; success=1
VER 2840 4812 2012-02-28 09:46:18 473584266049 VIPRERescueScanner SBTE: Vipre: [4812][02/28 09:46:19.563222]:[vcore:ublDiag] unpackOneMember: EmbeddedItem_0_ contains 1 members; success=1
TRA 2840 4812 2012-02-28 09:46:21 473623831121 VIPRERescueScanner VIPRERescueScanner: C:\Windows\System32\DriverStore\FileRepository\prnep001.inf_f0a9a372\I386\EP0LVP1T.GPD
VER 2840 4812 2012-02-28 09:46:21 473624596111 VIPRERescueScanner SBTE: Vipre: [4812][02/28 09:46:22.379949]:[vcore:ublDiag] unpackOneMember: EmbeddedItem_0_ contains 1 members; success=1
VER 2840 4812 2012-02-28 09:46:21 473625140572 VIPRERescueScanner SBTE: Vipre: [4812][02/28 09:46:22.417976]:[vcore:ublDiag] unpackOneMember: EmbeddedItem_0_ contains 1 members; success=1
VER 2840 4812 2012-02-28 09:46:21 473625734027 VIPRERescueScanner SBTE: Vipre: [4812][02/28 09:46:22.459203]:[vcore:ublDiag] unpackOneMember: EmbeddedItem_0_ contains 1 members; success=1
VER 2840 4812 2012-02-28 09:46:21 473626417980 VIPRERescueScanner SBTE: Vipre: [4812][02/28 09:46:22.507195]:[vcore:ublDiag] unpackOneMember: EmbeddedItem_0_ contains 1 members; success=1
TRA 2840 4812 2012-02-28 09:46:26 473691229035 VIPRERescueScanner VIPRERescueScanner: C:\Windows\System32\DriverStore\FileRepository\prnep001.inf_f0a9a372\I386\EP0LVP1U.GPD
VER 2840 4812 2012-02-28 09:46:26 473692113463 VIPRERescueScanner SBTE: Vipre: [4812][02/28 09:46:27.095489]:[vcore:ublDiag] unpackOneMember: EmbeddedItem_0_ contains 1 members; success=1
VER 2840 4812 2012-02-28 09:46:26 473692743688 VIPRERescueScanner SBTE: Vipre: [4812][02/28 09:46:27.139401]:[vcore:ublDiag] unpackOneMember: EmbeddedItem_0_ contains 1 members; success=1
VER 2840 4812 2012-02-28 09:46:26 473693377286 VIPRERescueScanner SBTE: Vipre: [4812][02/28 09:46:27.183824]:[vcore:ublDiag] unpackOneMember: EmbeddedItem_0_ contains 1 members; success=1
VER 2840 4812 2012-02-28 09:46:26 473694140085 VIPRERescueScanner SBTE: Vipre: [4812][02/28 09:46:27.237024]:[vcore:ublDiag] unpackOneMember: EmbeddedItem_0_ contains 1 members; success=1
TRA 2840 4812 2012-02-28 09:46:29 473746557019 VIPRERescueScanner VIPRERescueScanner: C:\Windows\System32\DriverStore\FileRepository\prnep001.inf_f0a9a372\I386\EP0LVP1V.GPD
VER 2840 4812 2012-02-28 09:46:29 473747460043 VIPRERescueScanner SBTE: Vipre: [4812][02/28 09:46:30.960966]:[vcore:ublDiag] unpackOneMember: EmbeddedItem_0_ contains 1 members; success=1
VER 2840 4812 2012-02-28 09:46:29 473748069181 VIPRERescueScanner SBTE: Vipre: [4812][02/28 09:46:31.003572]:[vcore:ublDiag] unpackOneMember: EmbeddedItem_0_ contains 1 members; success=1
VER 2840 4812 2012-02-28 09:46:30 473748921177 VIPRERescueScanner SBTE: Vipre: [4812][02/28 09:46:31.063074]:[vcore:ublDiag] unpackOneMember: EmbeddedItem_0_ contains 1 members; success=1
VER 2840 4812 2012-02-28 09:46:30 473749645945 VIPRERescueScanner SBTE: Vipre: [4812][02/28 09:46:31.113685]:[vcore:ublDiag] unpackOneMember: EmbeddedItem_0_ contains 1 members; success=1
About 75% through the scan (6hrs) the system made a hard reboot.
I am posting the last 10 lines of the log so you can see where it stopped. Quarantine directory of vipersrescue iis empty, so it does not seem to have found anything.
Also during the scan, a few processes popped up in the task manager. dllhost, csrss and one more that I cannot remember. All three were running from standard directories, but with command line as having a parameter that looks like a registry key. Is this normal?
I also noticed a directory c:\63e8929133247ad70dee9a5b. Created on 24-02-12, 12:15 pm. When I click it on explorer, it says that I do not have permission to access the directory. I can change the permissions, but I await instructions on the matter.
Log of vipresrescue follows.
TRA 2840 4812 2012-02-28 09:46:14 473532916337 VIPRERescueScanner VIPRERescueScanner: C:\Windows\System32\DriverStore\FileRepository\prnep001.inf_f0a9a372\I386\EP0LVP1R.GPD
VER 2840 4812 2012-02-28 09:46:15 473533561147 VIPRERescueScanner SBTE: Vipre: [4812][02/28 09:46:16.022087]:[vcore:ublDiag] unpackOneMember: EmbeddedItem_0_ contains 1 members; success=1
VER 2840 4812 2012-02-28 09:46:15 473534001065 VIPRERescueScanner SBTE: Vipre: [4812][02/28 09:46:16.052831]:[vcore:ublDiag] unpackOneMember: EmbeddedItem_0_ contains 1 members; success=1
VER 2840 4812 2012-02-28 09:46:15 473534439831 VIPRERescueScanner SBTE: Vipre: [4812][02/28 09:46:16.083453]:[vcore:ublDiag] unpackOneMember: EmbeddedItem_0_ contains 1 members; success=1
VER 2840 4812 2012-02-28 09:46:15 473535058643 VIPRERescueScanner SBTE: Vipre: [4812][02/28 09:46:16.126455]:[vcore:ublDiag] unpackOneMember: EmbeddedItem_0_ contains 1 members; success=1
TRA 2840 4812 2012-02-28 09:46:18 473581204260 VIPRERescueScanner VIPRERescueScanner: C:\Windows\System32\DriverStore\FileRepository\prnep001.inf_f0a9a372\I386\EP0LVP1S.GPD
VER 2840 4812 2012-02-28 09:46:18 473582108613 VIPRERescueScanner SBTE: Vipre: [4812][02/28 09:46:19.412678]:[vcore:ublDiag] unpackOneMember: EmbeddedItem_0_ contains 1 members; success=1
VER 2840 4812 2012-02-28 09:46:18 473582733605 VIPRERescueScanner SBTE: Vipre: [4812][02/28 09:46:19.456321]:[vcore:ublDiag] unpackOneMember: EmbeddedItem_0_ contains 1 members; success=1
VER 2840 4812 2012-02-28 09:46:18 473583531084 VIPRERescueScanner SBTE: Vipre: [4812][02/28 09:46:19.511953]:[vcore:ublDiag] unpackOneMember: EmbeddedItem_0_ contains 1 members; success=1
VER 2840 4812 2012-02-28 09:46:18 473584266049 VIPRERescueScanner SBTE: Vipre: [4812][02/28 09:46:19.563222]:[vcore:ublDiag] unpackOneMember: EmbeddedItem_0_ contains 1 members; success=1
TRA 2840 4812 2012-02-28 09:46:21 473623831121 VIPRERescueScanner VIPRERescueScanner: C:\Windows\System32\DriverStore\FileRepository\prnep001.inf_f0a9a372\I386\EP0LVP1T.GPD
VER 2840 4812 2012-02-28 09:46:21 473624596111 VIPRERescueScanner SBTE: Vipre: [4812][02/28 09:46:22.379949]:[vcore:ublDiag] unpackOneMember: EmbeddedItem_0_ contains 1 members; success=1
VER 2840 4812 2012-02-28 09:46:21 473625140572 VIPRERescueScanner SBTE: Vipre: [4812][02/28 09:46:22.417976]:[vcore:ublDiag] unpackOneMember: EmbeddedItem_0_ contains 1 members; success=1
VER 2840 4812 2012-02-28 09:46:21 473625734027 VIPRERescueScanner SBTE: Vipre: [4812][02/28 09:46:22.459203]:[vcore:ublDiag] unpackOneMember: EmbeddedItem_0_ contains 1 members; success=1
VER 2840 4812 2012-02-28 09:46:21 473626417980 VIPRERescueScanner SBTE: Vipre: [4812][02/28 09:46:22.507195]:[vcore:ublDiag] unpackOneMember: EmbeddedItem_0_ contains 1 members; success=1
TRA 2840 4812 2012-02-28 09:46:26 473691229035 VIPRERescueScanner VIPRERescueScanner: C:\Windows\System32\DriverStore\FileRepository\prnep001.inf_f0a9a372\I386\EP0LVP1U.GPD
VER 2840 4812 2012-02-28 09:46:26 473692113463 VIPRERescueScanner SBTE: Vipre: [4812][02/28 09:46:27.095489]:[vcore:ublDiag] unpackOneMember: EmbeddedItem_0_ contains 1 members; success=1
VER 2840 4812 2012-02-28 09:46:26 473692743688 VIPRERescueScanner SBTE: Vipre: [4812][02/28 09:46:27.139401]:[vcore:ublDiag] unpackOneMember: EmbeddedItem_0_ contains 1 members; success=1
VER 2840 4812 2012-02-28 09:46:26 473693377286 VIPRERescueScanner SBTE: Vipre: [4812][02/28 09:46:27.183824]:[vcore:ublDiag] unpackOneMember: EmbeddedItem_0_ contains 1 members; success=1
VER 2840 4812 2012-02-28 09:46:26 473694140085 VIPRERescueScanner SBTE: Vipre: [4812][02/28 09:46:27.237024]:[vcore:ublDiag] unpackOneMember: EmbeddedItem_0_ contains 1 members; success=1
TRA 2840 4812 2012-02-28 09:46:29 473746557019 VIPRERescueScanner VIPRERescueScanner: C:\Windows\System32\DriverStore\FileRepository\prnep001.inf_f0a9a372\I386\EP0LVP1V.GPD
VER 2840 4812 2012-02-28 09:46:29 473747460043 VIPRERescueScanner SBTE: Vipre: [4812][02/28 09:46:30.960966]:[vcore:ublDiag] unpackOneMember: EmbeddedItem_0_ contains 1 members; success=1
VER 2840 4812 2012-02-28 09:46:29 473748069181 VIPRERescueScanner SBTE: Vipre: [4812][02/28 09:46:31.003572]:[vcore:ublDiag] unpackOneMember: EmbeddedItem_0_ contains 1 members; success=1
VER 2840 4812 2012-02-28 09:46:30 473748921177 VIPRERescueScanner SBTE: Vipre: [4812][02/28 09:46:31.063074]:[vcore:ublDiag] unpackOneMember: EmbeddedItem_0_ contains 1 members; success=1
VER 2840 4812 2012-02-28 09:46:30 473749645945 VIPRERescueScanner SBTE: Vipre: [4812][02/28 09:46:31.113685]:[vcore:ublDiag] unpackOneMember: EmbeddedItem_0_ contains 1 members; success=1
#31
MrCharlie
-
- Experts
-
- 18,274 posts
Forum Deity
- Gender:Male
- Location:So. Plainfield, New Jersey, USA
Posted 28 February 2012 - 09:32 AM
Quote
I also noticed a directory c:\63e8929133247ad70dee9a5b
Go ahead and have a look, I believe it's OK though.
Quote
Also during the scan, a few processes popped up in the task manager. dllhost, csrss and one more that I cannot remember. All three were running from standard directories, but with command line as having a parameter that looks like a registry key. Is this normal?
I'm not sure on that.
Quote
TRA 2840 4812 2012-02-28 09:46:14 473532916337 VIPRERescueScanner VIPRERescueScanner: C:\Windows\System32\DriverStore\FileRepository\prnep001.inf_f0a9a372\I386\EP0LVP1R.GPD
That's a good Vista file???
MrC
Malware Removal Expert
I volunteer my free time to help you, if you would like to donate to show your appreciation, it will be much appreciated.
Thanks MrC & crew
#32
ranon
-
- Members
-
- 20 posts
New Member
Posted 28 February 2012 - 12:55 PM
I checked the directory on c:
it contains about 20 folders and 10 files.
What is interesting about it is that the permissions are set such that I cannot read any of the files in noteped or open any of the directories.
Directories are named 1025, 1028, 1029 etc. And the files have a setup.exe along with some xml files, but you cannot read any of them in notepad. I have not tried clickimg on the exe.
about the general health of my comp, the virus is still around. It keeps CPU usage high, other processes are painfully slow. Slo much so that I cannot even watch a video on youtube without cpu at 100% and some frame loss.
Rishi
it contains about 20 folders and 10 files.
What is interesting about it is that the permissions are set such that I cannot read any of the files in noteped or open any of the directories.
Directories are named 1025, 1028, 1029 etc. And the files have a setup.exe along with some xml files, but you cannot read any of them in notepad. I have not tried clickimg on the exe.
about the general health of my comp, the virus is still around. It keeps CPU usage high, other processes are painfully slow. Slo much so that I cannot even watch a video on youtube without cpu at 100% and some frame loss.
Rishi
#33
MrCharlie
-
- Experts
-
- 18,274 posts
Forum Deity
- Gender:Male
- Location:So. Plainfield, New Jersey, USA
Posted 28 February 2012 - 01:18 PM
Quote
c:\63e8929133247ad70dee9a5b
I don't have Vista but from what I remember is that it's related to the operating system or validation.
Can't you right click on it and scan it with your AV or MB??
-------------------------------------
Download aswMBR to your desktop.
http://public.avast....erek/aswMBR.exe
Double click the aswMBR.exe to run it.
If you see this question: Would you like to download latest Avast! virus definitions?" say "Yes".
Click the "Scan" button to start scan.
On completion of the scan click "Save log", save it to your desktop and post in your next reply.
NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.
Please zip it up and attach it in your post.
MrC
Malware Removal Expert
I volunteer my free time to help you, if you would like to donate to show your appreciation, it will be much appreciated.
Thanks MrC & crew
#34
ranon
-
- Members
-
- 20 posts
New Member
Posted 28 February 2012 - 06:13 PM
I ran the scans with Norton and MAB on the folder. Both are clean. Still I renamed the folder just as a precaution.
I also ran the scan with aswMBR and results follow.
Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org
Database version: v2012.02.27.02
Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
Arvind Raje :: LAPTOPPC [administrator]
29-02-2012 00:13:54
mbam-log-2012-02-29 (00-13-54).txt
Scan type: Custom scan
Scan options enabled: File System | Heuristics/Shuriken | PUP | PUM
Scan options disabled: Memory | Startup | Registry | Heuristics/Extra | P2P
Objects scanned: 105
Time elapsed: 38 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 0
(No malicious items detected)
(end)
askMBR Log -------------------------------
aswMBR version 0.9.9.1649 Copyright© 2011 AVAST Software
Run date: 2012-02-29 00:20:24
-----------------------------
00:20:24.376 OS Version: Windows 6.0.6002 Service Pack 2
00:20:24.376 Number of processors: 2 586 0xF0D
00:20:24.381 ComputerName: LAPTOPPC UserName:
00:20:27.803 Initialize success
00:41:40.478 AVAST engine defs: 12022801
01:28:26.053 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
01:28:26.059 Disk 0 Vendor: Hitachi_ SBDO Size: 114473MB BusType: 3
01:28:26.076 Disk 0 MBR read successfully
01:28:26.080 Disk 0 MBR scan
01:28:26.295 Disk 0 unknown MBR code
01:28:26.299 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 106022 MB offset 63
01:28:26.343 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 8448 MB offset 217134540
01:28:26.353 Disk 0 scanning sectors +234436545
01:28:26.442 Disk 0 scanning C:\Windows\system32\drivers
01:28:43.895 Service scanning
01:29:28.624 Modules scanning
01:29:42.194 Disk 0 trace - called modules:
01:29:42.213 ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll iaStor.sys
01:29:42.569 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x85c9bac8]
01:29:42.577 3 CLASSPNP.SYS[885a78b3] -> nt!IofCallDriver -> [0x83c8a168]
01:29:42.584 5 acpi.sys[87a9b6bc] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-0[0x83ce2030]
01:29:43.573 AVAST engine scan C:\Windows
01:29:48.862 AVAST engine scan C:\Windows\system32
01:35:58.516 AVAST engine scan C:\Windows\system32\drivers
01:36:24.972 AVAST engine scan C:\Users\Arvind Raje
02:12:58.067 File: C:\Users\Arvind Raje\Documents\tmp\Visual Studio Enterprise\Visual Studio Enterprise\SETUP.EXE **INFECTED** Win32:Sality
02:30:16.717 AVAST engine scan C:\ProgramData
02:41:05.256 Scan finished successfully
04:27:18.577 Disk 0 MBR has been saved successfully to "C:\Users\Arvind Raje\Documents\virus\MBR.dat"
04:27:18.596 The log file has been saved successfully to "C:\Users\Arvind Raje\Documents\virus\aswMBR.txt"
I also ran the scan with aswMBR and results follow.
Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org
Database version: v2012.02.27.02
Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
Arvind Raje :: LAPTOPPC [administrator]
29-02-2012 00:13:54
mbam-log-2012-02-29 (00-13-54).txt
Scan type: Custom scan
Scan options enabled: File System | Heuristics/Shuriken | PUP | PUM
Scan options disabled: Memory | Startup | Registry | Heuristics/Extra | P2P
Objects scanned: 105
Time elapsed: 38 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 0
(No malicious items detected)
(end)
askMBR Log -------------------------------
aswMBR version 0.9.9.1649 Copyright© 2011 AVAST Software
Run date: 2012-02-29 00:20:24
-----------------------------
00:20:24.376 OS Version: Windows 6.0.6002 Service Pack 2
00:20:24.376 Number of processors: 2 586 0xF0D
00:20:24.381 ComputerName: LAPTOPPC UserName:
00:20:27.803 Initialize success
00:41:40.478 AVAST engine defs: 12022801
01:28:26.053 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
01:28:26.059 Disk 0 Vendor: Hitachi_ SBDO Size: 114473MB BusType: 3
01:28:26.076 Disk 0 MBR read successfully
01:28:26.080 Disk 0 MBR scan
01:28:26.295 Disk 0 unknown MBR code
01:28:26.299 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 106022 MB offset 63
01:28:26.343 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 8448 MB offset 217134540
01:28:26.353 Disk 0 scanning sectors +234436545
01:28:26.442 Disk 0 scanning C:\Windows\system32\drivers
01:28:43.895 Service scanning
01:29:28.624 Modules scanning
01:29:42.194 Disk 0 trace - called modules:
01:29:42.213 ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll iaStor.sys
01:29:42.569 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x85c9bac8]
01:29:42.577 3 CLASSPNP.SYS[885a78b3] -> nt!IofCallDriver -> [0x83c8a168]
01:29:42.584 5 acpi.sys[87a9b6bc] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-0[0x83ce2030]
01:29:43.573 AVAST engine scan C:\Windows
01:29:48.862 AVAST engine scan C:\Windows\system32
01:35:58.516 AVAST engine scan C:\Windows\system32\drivers
01:36:24.972 AVAST engine scan C:\Users\Arvind Raje
02:12:58.067 File: C:\Users\Arvind Raje\Documents\tmp\Visual Studio Enterprise\Visual Studio Enterprise\SETUP.EXE **INFECTED** Win32:Sality
02:30:16.717 AVAST engine scan C:\ProgramData
02:41:05.256 Scan finished successfully
04:27:18.577 Disk 0 MBR has been saved successfully to "C:\Users\Arvind Raje\Documents\virus\MBR.dat"
04:27:18.596 The log file has been saved successfully to "C:\Users\Arvind Raje\Documents\virus\aswMBR.txt"
Attached Files
-
MBR.rar 543bytes
2 downloads
#35
MrCharlie
-
- Experts
-
- 18,274 posts
Forum Deity
- Gender:Male
- Location:So. Plainfield, New Jersey, USA
Posted 28 February 2012 - 06:26 PM
The only file in question is this one:
It's most likely a false positive.
You can upload it to VirusTotal for a free scan...let me know the results.
C:\Users\Arvind Raje\Documents\tmp\Visual Studio Enterprise\Visual Studio Enterprise\SETUP.EXE
http://www.virustotal.com/
MrC
Quote
02:12:58.067 File: C:\Users\Arvind Raje\Documents\tmp\Visual Studio Enterprise\Visual Studio Enterprise\SETUP.EXE **INFECTED** Win32:Sality
It's most likely a false positive.
You can upload it to VirusTotal for a free scan...let me know the results.
C:\Users\Arvind Raje\Documents\tmp\Visual Studio Enterprise\Visual Studio Enterprise\SETUP.EXE
http://www.virustotal.com/
MrC
Malware Removal Expert
I volunteer my free time to help you, if you would like to donate to show your appreciation, it will be much appreciated.
Thanks MrC & crew
#36
ranon
-
- Members
-
- 20 posts
New Member
#37
MrCharlie
-
- Experts
-
- 18,274 posts
Forum Deity
- Gender:Male
- Location:So. Plainfield, New Jersey, USA
Posted 28 February 2012 - 07:12 PM
AVAST found it as it did in the scan, I say it's a false positive.
If you're concerned about it, please rename the file for now.
C:\Users\Arvind Raje\Documents\tmp\Visual Studio Enterprise\Visual Studio Enterprise\SETUP.EXE
MrC
If you're concerned about it, please rename the file for now.
C:\Users\Arvind Raje\Documents\tmp\Visual Studio Enterprise\Visual Studio Enterprise\SETUP.EXE
MrC
Malware Removal Expert
I volunteer my free time to help you, if you would like to donate to show your appreciation, it will be much appreciated.
Thanks MrC & crew
#39
MrCharlie
-
- Experts
-
- 18,274 posts
Forum Deity
- Gender:Male
- Location:So. Plainfield, New Jersey, USA
Posted 28 February 2012 - 07:21 PM
That's about all I can do for you, I'm not seeing any malware on the system.
Some of the tools we used have to uninstalled a certain way.
Let me know what you what to do, MrC
Some of the tools we used have to uninstalled a certain way.
Let me know what you what to do, MrC
Malware Removal Expert
I volunteer my free time to help you, if you would like to donate to show your appreciation, it will be much appreciated.
Thanks MrC & crew
#40
LDTate
-
- Moderators
-
- 20,228 posts
Forum Deity
- Gender:Male
- Location:Missouri, USA
Posted 05 March 2012 - 12:22 PM
Glad we could help. 
If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.
Other members who need assistance please start your own topic in a new thread. Thanks!
If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.
Other members who need assistance please start your own topic in a new thread. Thanks!
0 user(s) are reading this topic
0 members, 0 guests, 0 anonymous users
