Hello. I have downloaded Avira anti-virus recently and there are a number virus found at system volume. On the other hand, Malwarebytes does not detect anything. I want to know what to do with these files. Here are the virus found by Avira and my 'hijack this' log:
Avira Log
Begin scan in 'C:\'
C:\pagefile.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\System Volume Information\_restore{90340035-8A4A-49FD-A490-D4B62CDDEC47}\RP182\A0173748.inf
[DETECTION] Is the TR/Autorun.AJV Trojan
C:\System Volume Information\_restore{90340035-8A4A-49FD-A490-D4B62CDDEC47}\RP182\A0173767.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
C:\System Volume Information\_restore{90340035-8A4A-49FD-A490-D4B62CDDEC47}\RP182\A0173796.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
C:\System Volume Information\_restore{90340035-8A4A-49FD-A490-D4B62CDDEC47}\RP182\A0173818.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
C:\System Volume Information\_restore{90340035-8A4A-49FD-A490-D4B62CDDEC47}\RP182\A0173837.exe
[DETECTION] Is the TR/Drop.Agent.ahdz Trojan
C:\System Volume Information\_restore{90340035-8A4A-49FD-A490-D4B62CDDEC47}\RP182\A0173838.dll
[DETECTION] Is the TR/Trash.Gen Trojan
C:\System Volume Information\_restore{90340035-8A4A-49FD-A490-D4B62CDDEC47}\RP182\A0173849.dll
[DETECTION] Is the TR/Trash.Gen Trojan
C:\System Volume Information\_restore{90340035-8A4A-49FD-A490-D4B62CDDEC47}\RP203\A0216956.exe
[DETECTION] Is the TR/Trash.Gen Trojan
C:\System Volume Information\_restore{90340035-8A4A-49FD-A490-D4B62CDDEC47}\RP203\A0216957.exe
[DETECTION] Is the TR/Trash.Gen Trojan
C:\System Volume Information\_restore{90340035-8A4A-49FD-A490-D4B62CDDEC47}\RP203\A0216958.exe
[DETECTION] Is the TR/Trash.Gen Trojan
C:\System Volume Information\_restore{90340035-8A4A-49FD-A490-D4B62CDDEC47}\RP203\A0217211.exe
[DETECTION] Is the TR/Trash.Gen Trojan
C:\System Volume Information\_restore{90340035-8A4A-49FD-A490-D4B62CDDEC47}\RP203\A0217212.exe
[DETECTION] Is the TR/Trash.Gen Trojan
C:\System Volume Information\_restore{90340035-8A4A-49FD-A490-D4B62CDDEC47}\RP203\A0217213.exe
[DETECTION] Is the TR/Trash.Gen Trojan
C:\System Volume Information\_restore{90340035-8A4A-49FD-A490-D4B62CDDEC47}\RP204\A0234031.exe
[DETECTION] Contains recognition pattern of the WORM/Agent.US.21 worm
C:\System Volume Information\_restore{90340035-8A4A-49FD-A490-D4B62CDDEC47}\RP204\A0234032.exe
[DETECTION] Contains recognition pattern of the WORM/Agent.US.21 worm
C:\System Volume Information\_restore{90340035-8A4A-49FD-A490-D4B62CDDEC47}\RP204\A0234033.com
[DETECTION] Contains recognition pattern of the WORM/Agent.US.21 worm
C:\System Volume Information\_restore{90340035-8A4A-49FD-A490-D4B62CDDEC47}\RP204\A0234034.exe
[DETECTION] Contains recognition pattern of the WORM/Agent.US.21 worm
Begin scan in 'D:\'
D:\System Volume Information\_restore{90340035-8A4A-49FD-A490-D4B62CDDEC47}\RP182\A0173750.inf
[DETECTION] Is the TR/Autorun.AJV Trojan
Beginning disinfection:
C:\System Volume Information\_restore{90340035-8A4A-49FD-A490-D4B62CDDEC47}\RP182\A0173748.inf
[DETECTION] Is the TR/Autorun.AJV Trojan
[NOTE] The file was moved to '4ac27226.qua'!
C:\System Volume Information\_restore{90340035-8A4A-49FD-A490-D4B62CDDEC47}\RP182\A0173767.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '49fed0ff.qua'!
C:\System Volume Information\_restore{90340035-8A4A-49FD-A490-D4B62CDDEC47}\RP182\A0173796.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '4bb4f05f.qua'!
C:\System Volume Information\_restore{90340035-8A4A-49FD-A490-D4B62CDDEC47}\RP182\A0173818.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '4bbae02f.qua'!
C:\System Volume Information\_restore{90340035-8A4A-49FD-A490-D4B62CDDEC47}\RP182\A0173837.exe
[DETECTION] Is the TR/Drop.Agent.ahdz Trojan
[NOTE] The file was moved to '4ac27227.qua'!
C:\System Volume Information\_restore{90340035-8A4A-49FD-A490-D4B62CDDEC47}\RP182\A0173838.dll
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was moved to '4bb600c0.qua'!
C:\System Volume Information\_restore{90340035-8A4A-49FD-A490-D4B62CDDEC47}\RP182\A0173849.dll
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was moved to '4bb8d3b0.qua'!
C:\System Volume Information\_restore{90340035-8A4A-49FD-A490-D4B62CDDEC47}\RP203\A0216956.exe
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was moved to '4ac37227.qua'!
C:\System Volume Information\_restore{90340035-8A4A-49FD-A490-D4B62CDDEC47}\RP203\A0216957.exe
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was moved to '49fed888.qua'!
C:\System Volume Information\_restore{90340035-8A4A-49FD-A490-D4B62CDDEC47}\RP203\A0216958.exe
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was moved to '49fdc040.qua'!
C:\System Volume Information\_restore{90340035-8A4A-49FD-A490-D4B62CDDEC47}\RP203\A0217211.exe
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was moved to '49fcc818.qua'!
C:\System Volume Information\_restore{90340035-8A4A-49FD-A490-D4B62CDDEC47}\RP203\A0217212.exe
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was moved to '4983b3d0.qua'!
C:\System Volume Information\_restore{90340035-8A4A-49FD-A490-D4B62CDDEC47}\RP203\A0217213.exe
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was moved to '4982bbe8.qua'!
C:\System Volume Information\_restore{90340035-8A4A-49FD-A490-D4B62CDDEC47}\RP204\A0234031.exe
[DETECTION] Contains recognition pattern of the WORM/Agent.US.21 worm
[NOTE] The file was moved to '4981a3a0.qua'!
C:\System Volume Information\_restore{90340035-8A4A-49FD-A490-D4B62CDDEC47}\RP204\A0234032.exe
[DETECTION] Contains recognition pattern of the WORM/Agent.US.21 worm
[NOTE] The file was moved to '4bbaebf8.qua'!
C:\System Volume Information\_restore{90340035-8A4A-49FD-A490-D4B62CDDEC47}\RP204\A0234033.com
[DETECTION] Contains recognition pattern of the WORM/Agent.US.21 worm
[NOTE] The file was moved to '49869300.qua'!
C:\System Volume Information\_restore{90340035-8A4A-49FD-A490-D4B62CDDEC47}\RP204\A0234034.exe
[DETECTION] Contains recognition pattern of the WORM/Agent.US.21 worm
[NOTE] The file was moved to '49859ad8.qua'!
D:\System Volume Information\_restore{90340035-8A4A-49FD-A490-D4B62CDDEC47}\RP182\A0173750.inf
[DETECTION] Is the TR/Autorun.AJV Trojan
[NOTE] The file was moved to '491421b0.qua'!
End of the scan: Monday, August 24, 2009 00:44
Used time: 44:22 Minute(s)
The scan has been done completely.
8706 Scanned directories
205527 Files were scanned
18 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
18 Files were moved to quarantine
0 Files were renamed
1 Files cannot be scanned
205508 Files not concerned
813 Archives were scanned
1 Warnings
19 Notes
32919 Objects were scanned with rootkit scan
0 Hidden objects were found
Hijack this log
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\VMSnap3.EXE
C:\WINDOWS\Domino.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Linksys\Linksys EasyLink Advisor\Linksys EasyLink Advisor.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\GizmoPlugin\GizmoPlugin.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\WINDOWS\system32\java.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Avira\AntiVir Desktop\avnotify.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O2 - BHO: Ask Search Assistant BHO - {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [EPSON Stylus C59 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBHP.EXE /FU "C:\WINDOWS\TEMP\E_S189.tmp" /EF "HKLM"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [VMSnap3] C:\WINDOWS\VMSnap3.EXE
O4 - HKLM\..\Run: [Domino] C:\WINDOWS\Domino.EXE
O4 - HKLM\..\Run: [BigDog303] C:\WINDOWS\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [LELA] "C:\Program Files\Linksys\Linksys EasyLink Advisor\Linksys EasyLink Advisor.exe" /minimized
O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
O4 - HKLM\..\Run: [WebEx Document Loader] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBHP.EXE /FU "C:\WINDOWS\TEMP\E_SD1.tmp" /EF "HKLM"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Vidalia] "C:\Program Files\Vidalia Bundle\Vidalia\vidalia.exe"
O4 - Startup: Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Gizmo VoIP Service (Gizmo Plugin) - SIPphone, Inc. - C:\Program Files\GizmoPlugin\GizmoPlugin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: Linksys Updater (LinksysUpdater) - Unknown owner - C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
--
End of file - 9016 bytes
Thank you.
Full Version: Virus/worm found but Malwarebytes can't detect it
Hi,
What Avira found are leftovers in your System Restore points. That also explains why mbam doesn't find them because it doesn't scan the System Retore points by default (since the scan takes LONG and files present in system restore points can't do anything anyway as long as you don't revert to that infected restore point).
To get rid of these easily, Flush your system restore points:
To do this, you have to disable systemrestore and enable it afterwards again.
(note: this will delete all your system restore points and malware that were present in it).
How to disable system restore in XP <= click me for instructions with screenshots
After you disabled System Restore.... Reboot.. and after rebooting, enable it again, so a new systemrestorepoint will be made. A clean one now!
Extra note.. I see you have the Ask Toolbar installed. This one is not recommended so I suggest you uninstall it.
The rest of your log looks OK
What Avira found are leftovers in your System Restore points. That also explains why mbam doesn't find them because it doesn't scan the System Retore points by default (since the scan takes LONG and files present in system restore points can't do anything anyway as long as you don't revert to that infected restore point).
To get rid of these easily, Flush your system restore points:
To do this, you have to disable systemrestore and enable it afterwards again.
(note: this will delete all your system restore points and malware that were present in it).
How to disable system restore in XP <= click me for instructions with screenshots
After you disabled System Restore.... Reboot.. and after rebooting, enable it again, so a new systemrestorepoint will be made. A clean one now!
Extra note.. I see you have the Ask Toolbar installed. This one is not recommended so I suggest you uninstall it.
The rest of your log looks OK
Since there is no feedback anymore, I assume this issue is resolved ... so, this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.
Everyone else please begin a New Topic.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.
Everyone else please begin a New Topic.
This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.