MY DDS log




DDS (Ver_10-03-17.01) - NTFSx86
Run by Antivirus at 0:50:54.62 on Mon 09/13/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.222.41 [GMT 5.5:30]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Antivirus\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\reader 8.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~2.lnk - c:\program files\adobe\reader 8.0\reader\AdobeCollabSync.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
TCP: {7CC2FDD7-4E5F-41FE-93F0-688524BE22B2} = 202.56.215.54,202.56.215.55
Notify: igfxcui - igfxsrvc.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\antivi~1\applic~1\mozilla\firefox\profiles\b335fjj7.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.in/

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-9-7 163280]
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-9-9 11608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-9-9 135336]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-9-9 267432]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-9-7 19024]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-9-9 60936]
S2 avast! Antivirus;avast! Antivirus;"c:\program files\alwil software\avast5\avastsvc.exe" --> c:\program files\alwil software\avast5\AvastSvc.exe [?]
S3 avast! Mail Scanner;avast! Mail Scanner;"c:\program files\alwil software\avast5\avastsvc.exe" --> c:\program files\alwil software\avast5\AvastSvc.exe [?]
S3 avast! Web Scanner;avast! Web Scanner;"c:\program files\alwil software\avast5\avastsvc.exe" --> c:\program files\alwil software\avast5\AvastSvc.exe [?]

=============== Created Last 30 ================

2010-09-09 12:34:27 0 d-----w- c:\windows\system32\SoftwareDistribution
2010-09-09 11:27:14 0 d-----w- c:\windows\system32\NtmsData
2010-09-09 11:01:34 0 d-----w- c:\docume~1\antivi~1\applic~1\Avira
2010-09-09 07:42:16 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-09-09 07:42:11 0 d-----w- c:\program files\Avira
2010-09-08 08:22:57 0 d-sh--w- c:\documents and settings\antivirus\IECompatCache
2010-09-08 08:12:16 0 d-sh--w- c:\documents and settings\antivirus\PrivacIE
2010-09-08 08:11:17 0 d-sh--w- c:\documents and settings\antivirus\IETldCache
2010-09-08 08:09:06 26144 ----a-w- c:\windows\system32\spupdsvc.exe
2010-09-08 08:08:16 0 dc-h--w- c:\windows\ie8
2010-09-08 05:50:58 0 d-sh--w- c:\documents and settings\antivirus\UserData
2010-09-07 15:50:46 0 d-----w- c:\program files\common files\ODBC
2010-09-07 15:50:43 0 d-----w- c:\program files\common files\SpeechEngines
2010-09-07 15:50:17 0 d-----r- c:\documents and settings\all users\Documents
2010-09-07 13:26:52 0 d-----w- c:\docume~1\alluse~1\applic~1\Avira
2010-09-07 13:16:44 0 d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software
2010-09-07 11:33:38 0 d-----w- c:\program files\Microsoft ActiveSync
2010-09-07 10:59:18 0 d-----w- c:\program files\VideoLAN
2010-09-07 10:57:28 0 d-----w- c:\program files\Kundli
2010-09-07 10:30:09 0 d-sh--w- c:\documents and settings\all users\DRM
2010-09-07 10:29:48 0 d--h--w- c:\program files\WindowsUpdate
2010-09-07 10:28:53 0 d-----w- c:\program files\common files\MSSoap
2010-09-07 10:27:20 0 d-----w- c:\program files\Online Services
2010-09-07 10:27:12 0 d-----w- c:\program files\Messenger
2010-09-07 10:27:09 0 d-----w- c:\program files\MSN Gaming Zone
2010-09-07 10:26:35 0 d-----w- c:\program files\Windows NT

==================== Find3M ====================

2010-09-07 10:27:45 21640 ----a-w- c:\windows\system32\emptyregdb.dat

============= FINISH: 0:51:22.28 ===============


http://forums.spybot.info/showthread.php?t=59400 (http://forums.spybot.info/showthread.php?p=383257#post383257)

hi venus_n,

If you still need help. We will start with a download. Link and directions:

Please download Malwarebytes (http://www.malwarebytes.org/mbam.php) to your desktop.

Double-click mbam-setup.exe and follow the prompts to install the program.

Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.

If an update is found, it will download and install the latest version.

Once the program has loaded, select Perform FULL SCAN, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.

Be sure that everything is checked, and click *Remove Selected.*

*A restart of your computer may be required to remove some items. If prompted please restart your computer to complete the fix.*

When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
Post the log in your reply.

On clicking the Malwarebytes link in your reply, the page that opened was http://www.malwarebytes.org/mbam.php . There was no download link on the page, and no pop-up of download.

Ok this time i clicked i saw a link to download.



Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4618

Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18702

9/15/2010 1:48:53 PM
mbam-log-2010-09-15 (13-48-53).txt

Scan type: Full scan (C:\|D:\|E:\|F:\|)
Objects scanned: 149554
Time elapsed: 13 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

hi,

ok, that log looks like a good start anyway. Do you have two antivirus installed, Avira and Avast? So you are getting E-mails that you think are not really from Yahoo support, but somebody else?

Yes i am getting them in my yahoo mailbox.

I had installed avast but my local computer man here said to me that its no good so he had removed it. Now the icon is not visible of avast. Then after that i got avira installed.

Did i install the true malwarebytes. You said the setup icon will be named mbam-setup.exe. Mine was mbam-setup-1.46.exe

I had installed avast but my local computer man here said to me that its no good so he had removed it. Now the icon is not visible of avast. Then after that i got avira installed.


Thats all before i contacted you or joined here.

You said the setup icon will be named mbam-setup.exe
my directions are a little old. You installed the correct file.

I had installed avast but my local computer man here said to me that its no good
Nothing wrong with Avast AV. Do you see Avast listed in the add/remove programs panel?

so he had removed it. Now the icon is not visible of avast
If Avast was uninstalled then you should not see the icon by the clock.

The reason for all this is that two AV's are one to many on a computer. More is not better in this case. One AV per computer.

You can keep Malwarebytes, note that the free version must be updated manually and a scan started manually. Its good practice to check for updates every few days or so even if you dont scan with it at that time. If its not kept updated it will soon be worthless. Updates help to cover the new malware threats.

how do you know the e-mails arent from yahoo support. do they answer your question or provide help at all? could help central be like a community page where other users can answer questions?

Avast is neither near the clock nor in the add-remove programs nor on any icon on the desktop nor listed in the start-up menu, the one which opens on clicking start.

Such mails that seem to be from Yahoo have been circulating around from a while and other yahoo members are receiving similar. I read somewhere on the yahoo site that to check if such mails are from Yahoo you have to look for the purple Y sign. This purple Y sign is the same which you see on several places on the yahoo site. If you see the mail listed in the inbox, the Y sign is to be in front of the mail in the same line as the mail. But the ones i get dont have the Y sign.

These mails that claim to be from yahoo try to answer my questions but haven't answerd any question completely. Helpcentral is not a community. Its a place with pre-written questions&answers, search for questions, FAQ's, different sections for different yahoo products, contact us forms.It is through those contact us forms that i asked my question.

What i write below happened according to india time.

I formatted windows on 7th of this month in the afternnon and installed Avast from a friend's CD(safe, he uses it).He was here that time with the CD. I mean he was here during the format. He gave the CD generously to me because he didnt want me to have virus on my computer and assured me that as long as i keep the avast in my computer, nothings gonna happen. It had many features.

On the same day (7th), around 7pm , i don't remember exact time, i think it was around 7 pm, i called up the computer man to install internet drivers which are required for internet to function. When this idiot looking man came, he on his own completely uninstalled avast without asking. When i asked him why. he made excuses including he said its useless. I asked him to install it back, he was jittery and randomly searched through his CD'S and loaded an avast, an avira, internet drivers, and went.

Well then i took a break. I was offline. Infact i hadn't gone online till now after the format . not even to check the drivers he had loaded. I hadn't gone online till next day morning (8th this month).

Ok after my break on 7th, i came back to my computer to see how the new windows looks and i noticed this about the avast and avira the idiot had loaded. Avast was only a memory testing version and avira had a liscence expiry date 2008 and couldn't be updated so it hadn't been updated since 2008. I called back and screamed.

After 2 days that is 9th this month, I sent the computer to a new technician to install fresh antivirus. It was with them from about 12:00 in the afternoon to 7:00 in the evening. They brought back the computer with fresh avira in it.

After 9th, i have not installed or downloaded myself anything from internet, CD, or whatever. Neither has the computer been sent to any more technicians or more technicians been called over since 9th.

Yes i did download DDS, ERUNT, and MBAM according to the directions i have received from your forum after i joined the forum.

Ok after my break on 7th, i came back to my computer to see how the new windows looks and i noticed this about the avast and avira the idiot had loaded. Avast was only a memory testing version and avira had a liscence expiry date 2008 and couldn't be updated so it hadn't been updated since 2008. I called back and screamed.


That was on 7th itself, after the break. I hadnt gone online till then, and was offline while checking, infact i was offline till 8th morning.

hi,


Avast is neither near the clock nor in the add-remove programs nor on any icon on the desktop nor listed in the start-up menu
Must be uninstalled then.

Do the E-mails have this (http://help.yahoo.com/l/us/yahoo/mail/classic/context/context-07.html) in the return field?

So Avira is up to date and you have recently scanned with it as a check for any possible malware on your computer?

You had said that only one AV should be on one computer,so to uninstall either avira or avast. But i didn't because i dont know where to uninstall avast from, since i dont see the icon on the desktop or add/remove programs or startup menu. or near the clock.

Is avast still on my computer?

I dont remember if this key symbol was there in front of from address.

Avira is up to date, or can say up to yesterday date. i updated it yesterday. I havent scanned with it recently because what i understood from forum rules is that i cant do anything like that without being instructed to by my helper, as it may kill evidence of infection.

i dont know where to uninstall avast from
If you dont see it in the add/remove programs panel then most likely it was uninstalled from your computer.
You could run this (http://www.avast.com/uninstall-utility) utility to be sure if you want to. Note that it runs in safe mode. To reach safe mode you would tap the f8 key during a computer restart. Log in to your usual account. Chose the first option from the list: safe mode. Once at the safe mode desktop run the utility. Reboot normally afterwards.


I havent scanned with it recently because what i understood...is that i cant do anything like that without being instructed to

This is the policy at many malware forums, but I do not agree with it.
Go ahead and check for updates and scan with Avira.

If the avast was removed from my computer then how did you know that i had avast?

Before running the utility you gave to uninstall avast, i want to check which folder it is in? Do you know?

May i scan with avira before uninstalling avast with the utiliy you gave? It will not be harmful?

I knew because of the entries in your DDS log. These may just be left over registry entries after the software was removed. You might find a folder in C:/Programs Files/Alwil/Avast, which would be the default location during the install process. This is where the Avast uninstall utility will look.


uninstalling avast with the utiliy you gave
If avast was already removed via the add/remove programs panel and since you dont see it listed in there then most likely it was uninstalled. The utility is just to make sure. It wont do any harm to run it.
You can safely scan with avira first if you want then run the utility.

i want to check which folder it is in? Do you know?


In the above quote I meant i want to check which folder is avast in.

Ok according to your directions, I do have a folder Alwil in C:/Programs Files/ , but there are 2 avasts in it. One is avast4 and one is avast5. i mean these are two folders under alwil, avast4 and avast5. This maybe because of the story i told you. That.. first i installed my friend's good avast on 7th afternoon. Then the computer man installed only memory testing version on 7th evening.

How to check which is which among avast4 and avast5?

I updated avira just now and ran scan with avira just now and it hasn't detected any virus. Also no warnings etc. All 0's . I had ran the complete scan.

scan with avira just now and it hasn't detected any virus
Ok good. Malwarebytes and Avira are coming up clean.




How to uninstall our software using aswClear:

1. Download aswClear5.exe on your desktop
2. Start Windows in Safe Mode
3. Open (execute) the uninstall utility
4. If you installed avast! in a different folder than the default, browse for it. (Note: Be careful! The content of any folder you choose will be deleted!)
5. Click REMOVE
6. Restart your computer



How to check which is which among avast4 and avast5?
if your concerned about #4 above dont be, it was installed to the default location. You can just boot into safe mode and run the uninstaller.

if your concerned about #4 above dont be, it was installed to the default location


Actually i am asking about avast4 and avast5 because I want to know which one is my friend's avast, i wanna keep that one.

Do the E-mails have this (http://help.yahoo.com/l/us/yahoo/mail/classic/context/context-07.html) in the return field?


No, they dont.

Also please dont miss my above post.

because I want to know which one is my friend's avast.. i wanna keep that one
If you dont see avast listed in the add/remove programs panel then it was most likely uninstalled from your machine. The Avast software has been removed, the uninstaller can leave a folder behind in C:/program files. Its just a leftover, theres really nothing to keep, Avast is non-functioning at this point.

Its just a leftover, theres really nothing to keep, Avast is non-functioning at this point.

I think there is an install avast file in the folder.




Do the E-mails have this (http://help.yahoo.com/l/us/yahoo/mail/classic/context/context-07.html) in the return field?

Those mails dont have this.

I think there is an install avast file in the folder.
you can always get the latest free version from the Avast website. Keep whats in c:/program files then and dont run that utility. Up to you.
We will get another download to use as a check for any malware on your machine:

Please download: RootRepeal

http://ad13.geekstogo.com/RootRepeal.exe

Click the icon on your desktop to start.
Click on the Report tab at the bottom of the window
Next, Click on the Scan button
In the Select Scan Window check everything:

Drivers
Files
Processes
SSDT
Stealth Objects
Hidden Services

Click the OK button
In the next dialog window select all the drives that are listed
Click OK to start the scan

May take some time to complete.
When done click the Save Report button.
Save the report to your desktop
To Exit RootRepeal: click File>Exit
Post the report in your reply

im scanning with rootrepeal, but what to do. Its not over and midway there is a beep and pop-up which made it stop scanning. Do i click ok? Pop-up says unrecognized partition type 14(0xe)!

click the popup and see if it continues scanning. If it dosnt click the stop button and File>Exit and we will do something else

Along with the pop-up had opened a notepad file which was like a report, so i had saved it before clicking ok on the pop-up.

Now i clicked ok on the popup after your reply. There was no more scan, but there was a kinda report in the rootrepeal white box i clicked on save report and named it "save report".

So below are the the two reports.

First the one which i saved from notepad file.

ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2010/09/20 02:08
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF1523000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xFA43D000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xF11DE000 Size: 49152 File Visible: No Signed: -
Status: -

SSDT
-------------------
#: 025 Function Name: NtClose
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xf1543c78

#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xf1543b34

#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0xfa643fbc

#: 063 Function Name: NtDeleteKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xf15440e8

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xf1544012

#: 068 Function Name: NtDuplicateObject
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xf154370a

#: 098 Function Name: NtLoadKey
Status: Hooked by "<unknown>" at address 0xfa643fda

#: 119 Function Name: NtOpenKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xf1543c0e

#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xf154364a

#: 128 Function Name: NtOpenThread
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xf15436ae

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xf1543d2e

#: 192 Function Name: NtRenameKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xf15441b6

#: 193 Function Name: NtReplaceKey
Status: Hooked by "<unknown>" at address 0xfa643fe4

#: 204 Function Name: NtRestoreKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xf1543cee

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xf1543e6e

==EOF==


Now the one from the white space on clicking save report.

ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2010/09/20 02:08
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF1523000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xFA43D000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xF11DE000 Size: 49152 File Visible: No Signed: -
Status: -

SSDT
-------------------
#: 025 Function Name: NtClose
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xf1543c78

#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xf1543b34

#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0xfa643fbc

#: 063 Function Name: NtDeleteKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xf15440e8

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xf1544012

#: 068 Function Name: NtDuplicateObject
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xf154370a

#: 098 Function Name: NtLoadKey
Status: Hooked by "<unknown>" at address 0xfa643fda

#: 119 Function Name: NtOpenKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xf1543c0e

#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xf154364a

#: 128 Function Name: NtOpenThread
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xf15436ae

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xf1543d2e

#: 192 Function Name: NtRenameKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xf15441b6

#: 193 Function Name: NtReplaceKey
Status: Hooked by "<unknown>" at address 0xfa643fe4

#: 204 Function Name: NtRestoreKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xf1543cee

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xf1543e6e

==EOF==




you can always get the latest free version from the Avast website.

But my friends avast had so many features, i dont think are there in free versions.

One thing was diffrent about the instructions you gave and what was there on the rootrepeal. You said to tick all options. But you didnt tell the option hidden SSDT. But since you had said to tick all options, i ticked that before the scan. Is that ok?

But you didnt tell the option hidden SSDT......i ticked that before the scan. Is that ok
thats ok, my directions are old.

We cant seem to get away from these AV you have:


Avast is neither near the clock nor in the add-remove programs nor on any icon on the desktop nor listed in the start-up menu, the one which opens on clicking start


I updated avira just now and ran scan with avira just now


All this: aswSP.SYS in the root repeal log is a driver used by Avast antivirus.
Maybe it didnt uninstall correctly. at this point I would run that avast uninstall utility in safe mode to remove the driver.

I found by checking the date of creation of both avast4 and avast5 that my friend's avast was avast5 and the computer man's avast was avast4.

And i checked up at the avast website that avast4 is the previous version of avast5. Can you beleive? The computer man said your avast is outdated and put an older version.

Now i uninstalled both the avasts using the utility. The two avast folders inside alwil are gone, but the alwil folder has not gone. I still have a empty alwil folder in
c:\program files as well as in
C:\Documents and Settings\All Users\Application Data

ok good. You can delete those two alwil folders if you want to.


The computer man said your avast is outdated and put an older version.

Maybe you should get a new computer man.


You can delete the root repeal icon from your desktop also.

so back to the original problem. One way your e-mail can be stolen is by having malware on your machine. Your computer appears to be malware free. Have you heard anything more from Yahoo about it?

Have you heard anything more from Yahoo about it?

I do want to report this to yahoo but i can only do this through the contact us forms. I have reported and asked like 4-5 times, but everytime the replies are these which don't seem to be from yahoo. After few days of their reply, another one comes asking to give feedback on how good the help is. I got one of the emails (reply to my question) on 16th which was also one of these seemingly non-yahoo support mails. And another on 19th asking feedback.




You can delete the root repeal icon from your desktop also.

Will it also delete any other places rootrepeal drivers etc must have gone on my computer. I mean should i uninstall it or just delete it. Do i keep the root repeal reports on my desktop?


There is another empty folder called "_avast4_" in C:\Documents and Settings\Administrator\Local Settings\Temp . Can i delete that too.

RootRepeal dosnt install anything permanent so deleting the icon from the desktop is enough. You can delete the avast in the temp directory if you want to.

I dont know what to tell you about the yahoo e-mail support. Are the e-mails like a auto response letter thats sent out to address a problem? Maybe a real live person isnt reading your e-mail.

have you visited these links:

yahoo (http://help.yahoo.com/l/us/yahoo/mail/yahoomail/index.html?pir=hfRF721ibUn8QZ83QNRvIGcOwBHlUMfQOlwp6WY2.3GSgQaErnBiDIh3n5lS35EkfIIyxPuE54mhFjZO.ZuPvNFN_mZTUg--)

yahoo1 (http://help.yahoo.com/l/us/yahoo/mail/index.html?pir=hfRF721ibUn8QZ83QNRvIGcOwBHlUMfQOlwp6WY2.3GSgQaErnBiDIh3n5lS35EkfIIyxPuE54mhFjZO.ZuPvNFN_mZTUg--)

Are the e-mails are like a auto response letter

Ya they could be like autoresponce.



Maybe a real live person isnt reading your e-mail.

I have also phoned yahoo around 2 weeks back for this but again they gave me an email address to mail (not contact form). When i mailed at that email address, there was a autorespoce email like "this email address is no longer functioning please contact us through http://help.yahoo.com." But that was the only yahoo support email which had a purple Y sign and a key symbol in front of the return field like you described.





have you visited these links:

yahoo (http://help.yahoo.com/l/us/yahoo/mail/yahoomail/index.html?pir=hfRF721ibUn8QZ83QNRvIGcOwBHlUMfQOlwp6WY2.3GSgQaErnBiDIh3n5lS35EkfIIyxPuE54mhFjZO.ZuPvNFN_mZTUg--)

yahoo1 (http://help.yahoo.com/l/us/yahoo/mail/index.html?pir=hfRF721ibUn8QZ83QNRvIGcOwBHlUMfQOlwp6WY2.3GSgQaErnBiDIh3n5lS35EkfIIyxPuE54mhFjZO.ZuPvNFN_mZTUg--)
Yes i have visited these pages.
For the first page, my URL doesnt contain all that after /. i mean it it is till yahoomail/.
For the second page, my URL doesnt contain all that after /. i mean it it is till mail/.
I have visited yahoo helpcentral too.



I am also getting a lot of spam text messages on my cell phone. Yesterday night on the computer, i visited a website to search something there. I have no registration there. As soon as i was out of the website, i got a spam text message from that website/company of that website, on my cell phone. I had not even entered my number anywhere on the website while i was on it. How did they know my number.

We will get a download as another check for malware on your machine. Its called combofix. There is a guide to read first. Read through the guide then apply the directions on your own machine. Post the combofix log. After you run combofix you can also do a online scan.

Guide to using Combofix (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)


ESET online scanner:

http://www.eset.com/onlinescan/

uses Internet Explorer only
check "YES" to accept terms
click start button
allow the ActiveX component to install
click the start button. the Scanner will update.
check both "Remove found threats" and "Scan unwanted applications"
click scan
when done you can find the scan log at:C:\Program Files\EsetOnlineScanner\log.txt
please copy/paste that log in next reply.

Before i start, please clarify....

Do i be connected to internet while i run combofix.

The guide says "If you decided to continue, then ComboFix will create a System Restore point so that if any problems occur while using the program you can restore back to your previous configuration."

Do you you think combofix can create a system restore point in my computer because system restore seems to not be working otherwise on my comp. Maybe because i dont have the recovery console. In one place it did say "ComboFix will attempt to detect if you have the Windows Recovery Console installed.". And they show that combofix tries to install the recovery console in those cases, and wants the internet connection on at that time.

You said to do an online scan after combofix. What does that mean? You mean ESET ?

It says in one place that running combofix after your computer is clean or when adviced by your helper.Do you think i should scan with avira again before running combofix, because its been a while since last scanning.

In disabling firewall, when it talks about disabling the windows firewall, it uses the word windows defender, which is not what i think i have. Is it because mine is XP. Even in the the start>programs , its not listed, like they said.

Skip combofix for now and do the ESET online scan and we will see if it digs up anything.

In ESET scan there are so many options like "Remove found threats".
Infact there are 5 more more besides "Remove found threats". i mean this "Remove found threats" is there but other 5 too.

You mentioned to check both "Remove found threats" and "Scan unwanted applications" . What do i do with the others.

Also just before start, it says, another antivirus software was detected. this may affect the performance and quality of the scan. i clicked to show list of detected antivirus on my computer and it showed avira personal.

check "Remove found threats" and you can check "Scan archives" You can leave the defaults checked under Advanced settings.

click scan, may take some time to finish.
When it completes click on "List found threats"
click "Export to text file.." and save it to your desktop. Post the saved log.
Click "back" and "finish"

Also just before start, it says, another antivirus software was detected. this may affect the performance and quality of the scan. i clicked to show list of detected antivirus on my computer and it showed avira personal.

This happened, but i continued.

Here's the log.

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=24042e53e91d524689a3ea59d486601e
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-09-25 04:27:54
# local_time=2010-09-25 09:57:54 (+0530, India Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=768 16777215 100 0 463432 463432 0 0
# compatibility_mode=1797 16775125 100 93 0 43707305 195458 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=17024
# found=0
# cleaned=0
# scan_time=668


After the scan was over, it asked me if i want to uninstall ESET application from my computer, before i click finish, i checked the box for uninstall, then clicked on finish. There was no option for back. After the pop-up of scanner closed, i saw the URL of the site. it says

"http://www.eset.com/online-scanner#"

But it had opended the ESET site by clicking the link for ESET from your post.

Although uninstalled. it has left behind an ESET folder, with all files inside it removed except and 2 files inside it,

OnlineScanner.ocx
OnlineScannerUninstaller


While the scan was on, it located a file desktop.ini in "My Documents", but didnt detect as threat. But its not visible in my documents, even on making hidden files visible.

May i scan with Avira, its been a while, or do i wait.

The ESET scan cant look any better. You can delete the folder or leave it, up to you. You can scan with Avira. Not seeing any malware on your machine based on any of the tools we ran.I dont see any need to run combofix.

The avira update and scan reports.

Update report.

Avira AntiVir Personal - Free Antivirus Updater
Complete product update

Creation time: Sun Sep 26 11:12:25 2010


Operating system:
Windows XP (Service Pack 2) [5.1.2600] 32 bit

Product information:
Product version: 10.0.0.567
Updater: C:\Program Files\Avira\AntiVir Desktop\update.exe 10.0.0.29
Update resource: C:\Program Files\Avira\AntiVir Desktop\updaterc.dll 10.0.9.0
Library: C:\Program Files\Avira\AntiVir Desktop\update.dll 0.1.0.44
Plugin: C:\Program Files\Avira\AntiVir Desktop\updext.dll 10.0.0.8
GUI: C:\Program Files\Avira\AntiVir Desktop\updgui.dll 10.0.2.0

Temp Directory: C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\UPDATE\
Backup folder: C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\BACKUP\
Installation Directory: C:\Program Files\Avira\AntiVir Desktop\
Updater folder: C:\Program Files\Avira\AntiVir Desktop\
AppData folder: C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\

Proxy settings:
System settings used

11:12:30 [UPD] [INFO] Checking whether newer files are available.
11:12:31 [UPD] [INFO] Select update server 'http://62.146.66.181/update'.
11:12:31 [UPD] [INFO] Downloading of 'http://62.146.66.181/update/idx/master.idx' to 'C:\Documents and Settings\All Users\Application

Data\Avira\AntiVir Desktop\TEMP\UPDATE\idx\master.idx'.
11:12:33 [UPD] [INFO] Downloading of 'http://62.146.66.181/update/idx/wks_avira10-win32-en-pecl.idx' to 'C:\Documents and Settings\All

Users\Application Data\Avira\AntiVir Desktop\TEMP\UPDATE\idx\wks_avira10-win32-en-pecl.idx'.
11:12:34 [UPD] [INFO] Downloading of 'http://62.146.66.181/update/idx/wks_avira10-win32-en-pecl.info.gz' to 'C:\Documents and Settings\All

Users\Application Data\Avira\AntiVir Desktop\TEMP\UPDATE\idx\wks_avira10-win32-en-pecl.info.gz'.
11:12:35 [UPD] [INFO] Downloading of 'http://62.146.66.181/update/idx/vdf.info.gz' to 'C:\Documents and Settings\All Users\Application

Data\Avira\AntiVir Desktop\TEMP\UPDATE\idx\vdf.info.gz'.
11:12:36 [UPD] [INFO] Downloading of 'http://62.146.66.181/update/idx/rdf-common-int.info.gz' to 'C:\Documents and Settings\All Users\Application

Data\Avira\AntiVir Desktop\TEMP\UPDATE\idx\rdf-common-int.info.gz'.
11:12:36 [UPD] [INFO] Downloading of 'http://62.146.66.181/update/idx/ave2-win32-int.info.gz' to 'C:\Documents and Settings\All Users\Application

Data\Avira\AntiVir Desktop\TEMP\UPDATE\idx\ave2-win32-int.info.gz'.
11:12:37 [UPD] [INFO] Downloading of 'http://62.146.66.181/update/idx/wks_avira10-win32-en-pecl-info.info.gz' to 'C:\Documents and Settings\All

Users\Application Data\Avira\AntiVir Desktop\TEMP\UPDATE\idx\wks_avira10-win32-en-pecl-info.info.gz'.
11:12:37 [UPD] [INFO] Downloading of 'http://62.146.66.181/update/idx/hips-win32-int.info.gz' to 'C:\Documents and Settings\All Users\Application

Data\Avira\AntiVir Desktop\TEMP\UPDATE\idx\hips-win32-int.info.gz'.
11:12:38 [UPD] [INFO] Downloading of 'http://62.146.66.181/update/idx/scanner-win32-int.info.gz' to 'C:\Documents and Settings\All

Users\Application Data\Avira\AntiVir Desktop\TEMP\UPDATE\idx\scanner-win32-int.info.gz'.
11:12:38 [UPD] [INFO] Compare local files with status of update server
11:12:38 [UPD] [INFO] Product-info file: Executing mandatory product update initiated by Avira.
11:12:38 [UPD] [INFO] Checking module SELFUPDATE:
11:12:38 [UPD] [INFO] Checking module VDF:
11:12:38 [UPD] [INFO] File 'n_vdf/vbase016.vdf' (local, server): 7.10.11.232 < 7.10.12.4
11:12:38 [UPD] [INFO] File 'n_vdf/vbase017.vdf' (local, server): 7.10.11.233 < 7.10.12.5
11:12:38 [UPD] [INFO] File 'n_vdf/vbase018.vdf' (local, server): 7.10.11.234 < 7.10.12.6
11:12:38 [UPD] [INFO] File 'n_vdf/vbase019.vdf' (local, server): 7.10.11.235 < 7.10.12.7
11:12:38 [UPD] [INFO] File 'n_vdf/vbase020.vdf' (local, server): 7.10.11.236 < 7.10.12.8
11:12:38 [UPD] [INFO] File 'n_vdf/vbase021.vdf' (local, server): 7.10.11.237 < 7.10.12.9
11:12:38 [UPD] [INFO] File 'n_vdf/vbase022.vdf' (local, server): 7.10.11.238 < 7.10.12.10
11:12:38 [UPD] [INFO] File 'n_vdf/vbase023.vdf' (local, server): 7.10.11.239 < 7.10.12.11
11:12:38 [UPD] [INFO] File 'n_vdf/vbase024.vdf' (local, server): 7.10.11.240 < 7.10.12.12
11:12:38 [UPD] [INFO] File 'n_vdf/vbase025.vdf' (local, server): 7.10.11.241 < 7.10.12.13
11:12:38 [UPD] [INFO] File 'n_vdf/vbase026.vdf' (local, server): 7.10.11.242 < 7.10.12.14
11:12:38 [UPD] [INFO] File 'n_vdf/vbase027.vdf' (local, server): 7.10.11.243 < 7.10.12.15
11:12:38 [UPD] [INFO] File 'n_vdf/vbase028.vdf' (local, server): 7.10.11.244 < 7.10.12.16
11:12:38 [UPD] [INFO] File 'n_vdf/vbase029.vdf' (local, server): 7.10.11.245 < 7.10.12.17
11:12:38 [UPD] [INFO] File 'n_vdf/vbase030.vdf' (local, server): 7.10.11.246 < 7.10.12.18
11:12:38 [UPD] [INFO] File 'n_vdf/vbase031.vdf' (local, server): 7.10.12.1 < 7.10.12.30
11:12:38 [UPD] [INFO] File 'n_vdf/aevdf.dat' (local, server): 7.10.12.1 < 7.10.12.30
11:12:38 [UPD] [INFO] Checking module RDF:
11:12:38 [UPD] [INFO] Checking module AVE2:
11:12:38 [UPD] [INFO] File 'ave2/win32/int/aecore.dll' (local, server): 8.1.16.2 < 8.1.17.0
11:12:38 [UPD] [INFO] File 'ave2/win32/int/aehelp.dll' (local, server): 8.1.13.3 < 8.1.13.4
11:12:38 [UPD] [INFO] File 'ave2/win32/int/aeheur.dll' (local, server): 8.1.2.26 < 8.1.2.27
11:12:39 [UPD] [INFO] File 'ave2/win32/int/aeset.dat' (local, server): 8.2.4.60 < 8.2.4.66
11:12:39 [UPD] [INFO] Checking module MAIN:
11:12:43 [UPD] [INFO] The IGNORE flag is set for the file 'wks_avira10/win32/en/pecl/filelist.ini'. The file will therefore not be taken into

account.
11:12:43 [UPD] [INFO] The IGNORE flag is set for the file 'wks_avira10/win32/en/pecl/insthlp.exe'. The file will therefore not be taken into

account.
11:12:43 [UPD] [INFO] The IGNORE flag is set for the file 'wks_avira10/win32/en/pecl/presetup.exe'. The file will therefore not be taken into

account.
11:12:43 [UPD] [INFO] File'wks_avira10/win32/en/pecl/en-us/quicksysscan.avp' is already installed and is not being updated.
11:12:44 [UPD] [INFO] The IGNORE flag is set for the file 'wks_avira10/win32/en/pecl/vcredist_x86.exe'. The file will therefore not be taken

into account.
11:12:44 [UPD] [INFO] Checking module COMMAPPDATA_AV:
11:12:44 [UPD] [INFO] File'wks_avira10/win32/en/pecl/addr_file.html' is already installed and is not being updated.
11:12:44 [UPD] [INFO] Checking module COMMAPP:
11:12:44 [UPD] [INFO] File'wks_avira10/win32/en/pecl/en-us/produpd.avj' is already installed and is not being updated.
11:12:44 [UPD] [INFO] File'wks_avira10/win32/en/pecl/en-us/scanjob.avj' is already installed and is not being updated.
11:12:44 [UPD] [INFO] File'wks_avira10/win32/en/pecl/en-us/startupd.avj' is already installed and is not being updated.
11:12:44 [UPD] [INFO] File'wks_avira10/win32/en/pecl/en-us/updjob.avj' is already installed and is not being updated.
11:12:44 [UPD] [INFO] Checking module COMMAPDATA_AV_PROFILES:
11:12:44 [UPD] [INFO] File'wks_avira10/win32/en/pecl/en-us/folder.avp' is already installed and is not being updated.
11:12:44 [UPD] [INFO] Checking module TEXT:
11:12:44 [UPD] [INFO] The IGNORE flag is set for the file 'wks_avira10/win32/en/pecl/en-us/eula.txt'. The file will therefore not be taken

into account.
11:12:44 [UPD] [INFO] Checking module DRV:
11:12:44 [UPD] [INFO] Checking module PRODINFO:
11:12:44 [UPD] [INFO] Checking module HIPS:
11:12:44 [UPD] [INFO] Checking module SCANNER:
11:12:44 [UPD] [INFO] 'C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\BACKUP\' requires 3502582 bytes of free disk

space.
11:12:44 [UPD] [INFO] 'C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\UPDATE\' requires 7208934 bytes of free

disk space.
11:12:44 [UPD] [INFO] 'C:\Program Files\Avira\AntiVir Desktop\' requires 3604467 bytes of free disk space.
11:12:44 [UPD] [INFO] Disk space OK.
11:12:44 [UPD] [INFO] Drive: C:\, free capacity: 632774656 bytes.
11:12:44 [UPD] [INFO] New files are being downloaded...
11:12:45 [UPD] [INFO] Downloading of 'http://62.146.66.181/update/n_vdf/vbase016.vdf.gz' to 'C:\Documents and Settings\All Users\Application

Data\Avira\AntiVir Desktop\TEMP\UPDATE\n_vdf\vbase016.vdf.gz'.
11:12:51 [UPD] [INFO] Downloading of 'http://62.146.66.181/update/n_vdf/vbase017.vdf.gz' to 'C:\Documents and Settings\All Users\Application

Data\Avira\AntiVir Desktop\TEMP\UPDATE\n_vdf\vbase017.vdf.gz'.
11:12:52 [UPD] [INFO] Downloading of 'http://62.146.66.181/update/n_vdf/vbase018.vdf.gz' to 'C:\Documents and Settings\All Users\Application

Data\Avira\AntiVir Desktop\TEMP\UPDATE\n_vdf\vbase018.vdf.gz'.
11:12:52 [UPD] [INFO] Downloading of 'http://62.146.66.181/update/n_vdf/vbase019.vdf.gz' to 'C:\Documents and Settings\All Users\Application

Data\Avira\AntiVir Desktop\TEMP\UPDATE\n_vdf\vbase019.vdf.gz'.
11:12:53 [UPD] [INFO] Downloading of 'http://62.146.66.181/update/n_vdf/vbase020.vdf.gz' to 'C:\Documents and Settings\All Users\Application

Data\Avira\AntiVir Desktop\TEMP\UPDATE\n_vdf\vbase020.vdf.gz'.
11:12:53 [UPD] [INFO] Downloading of 'http://62.146.66.181/update/n_vdf/vbase021.vdf.gz' to 'C:\Documents and Settings\All Users\Application

Data\Avira\AntiVir Desktop\TEMP\UPDATE\n_vdf\vbase021.vdf.gz'.
11:12:54 [UPD] [INFO] Downloading of 'http://62.146.66.181/update/n_vdf/vbase022.vdf.gz' to 'C:\Documents and Settings\All Users\Application

Data\Avira\AntiVir Desktop\TEMP\UPDATE\n_vdf\vbase022.vdf.gz'.
11:12:54 [UPD] [INFO] Downloading of 'http://62.146.66.181/update/n_vdf/vbase023.vdf.gz' to 'C:\Documents and Settings\All Users\Application

Data\Avira\AntiVir Desktop\TEMP\UPDATE\n_vdf\vbase023.vdf.gz'.
11:12:55 [UPD] [INFO] Downloading of 'http://62.146.66.181/update/n_vdf/vbase024.vdf.gz' to 'C:\Documents and Settings\All Users\Application

Data\Avira\AntiVir Desktop\TEMP\UPDATE\n_vdf\vbase024.vdf.gz'.
11:12:55 [UPD] [INFO] Downloading of 'http://62.146.66.181/update/n_vdf/vbase025.vdf.gz' to 'C:\Documents and Settings\All Users\Application

Data\Avira\AntiVir Desktop\TEMP\UPDATE\n_vdf\vbase025.vdf.gz'.
11:12:56 [UPD] [INFO] Downloading of 'http://62.146.66.181/update/n_vdf/vbase026.vdf.gz' to 'C:\Documents and Settings\All Users\Application

Data\Avira\AntiVir Desktop\TEMP\UPDATE\n_vdf\vbase026.vdf.gz'.
11:12:56 [UPD] [INFO] Downloading of 'http://62.146.66.181/update/n_vdf/vbase027.vdf.gz' to 'C:\Documents and Settings\All Users\Application

Data\Avira\AntiVir Desktop\TEMP\UPDATE\n_vdf\vbase027.vdf.gz'.
11:12:57 [UPD] [INFO] Downloading of 'http://62.146.66.181/update/n_vdf/vbase028.vdf.gz' to 'C:\Documents and Settings\All Users\Application

Data\Avira\AntiVir Desktop\TEMP\UPDATE\n_vdf\vbase028.vdf.gz'.
11:12:57 [UPD] [INFO] Downloading of 'http://62.146.66.181/update/n_vdf/vbase029.vdf.gz' to 'C:\Documents and Settings\All Users\Application

Data\Avira\AntiVir Desktop\TEMP\UPDATE\n_vdf\vbase029.vdf.gz'.
11:12:58 [UPD] [INFO] Downloading of 'http://62.146.66.181/update/n_vdf/vbase030.vdf.gz' to 'C:\Documents and Settings\All Users\Application

Data\Avira\AntiVir Desktop\TEMP\UPDATE\n_vdf\vbase030.vdf.gz'.
11:12:58 [UPD] [INFO] Downloading of 'http://62.146.66.181/update/n_vdf/vbase031.vdf.gz' to 'C:\Documents and Settings\All Users\Application

Data\Avira\AntiVir Desktop\TEMP\UPDATE\n_vdf\vbase031.vdf.gz'.
11:13:01 [UPD] [INFO] Downloading of 'http://62.146.66.181/update/n_vdf/aevdf.dat.gz' to 'C:\Documents and Settings\All Users\Application

Data\Avira\AntiVir Desktop\TEMP\UPDATE\n_vdf\aevdf.dat.gz'.
11:13:02 [UPD] [INFO] Downloading of 'http://62.146.66.181/update/ave2/win32/int/aecore.dll.gz' to 'C:\Documents and Settings\All

Users\Application Data\Avira\AntiVir Desktop\TEMP\UPDATE\ave2\win32\int\aecore.dll.gz'.
11:13:09 [UPD] [INFO] Downloading of 'http://62.146.66.181/update/ave2/win32/int/aehelp.dll.gz' to 'C:\Documents and Settings\All

Users\Application Data\Avira\AntiVir Desktop\TEMP\UPDATE\ave2\win32\int\aehelp.dll.gz'.
11:13:15 [UPD] [INFO] Downloading of 'http://62.146.66.181/update/ave2/win32/int/aeheur.dll.gz' to 'C:\Documents and Settings\All

Users\Application Data\Avira\AntiVir Desktop\TEMP\UPDATE\ave2\win32\int\aeheur.dll.gz'.
11:14:21 [UPD] [INFO] Downloading of 'http://62.146.66.181/update/ave2/win32/int/aeset.dat.gz' to 'C:\Documents and Settings\All

Users\Application Data\Avira\AntiVir Desktop\TEMP\UPDATE\ave2\win32\int\aeset.dat.gz'.
11:14:21 [UPD] [INFO] The program is running as an unrestricted full version.
11:15:33 [UPD] [INFO] The engine was successfully validated.
11:15:36 [UPD] [INFO] 'C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\UPDATE\.\n_vdf\vbase016.vdf' was copied to

'C:\Program Files\Avira\AntiVir Desktop\vbase016.vdf'.
11:15:36 [UPD] [INFO] 'C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\UPDATE\.\n_vdf\vbase017.vdf' was copied to

'C:\Program Files\Avira\AntiVir Desktop\vbase017.vdf'.
11:15:36 [UPD] [INFO] 'C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\UPDATE\.\n_vdf\vbase018.vdf' was copied to

'C:\Program Files\Avira\AntiVir Desktop\vbase018.vdf'.
11:15:37 [UPD] [INFO] 'C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\UPDATE\.\n_vdf\vbase019.vdf' was copied to

'C:\Program Files\Avira\AntiVir Desktop\vbase019.vdf'.
11:15:37 [UPD] [INFO] 'C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\UPDATE\.\n_vdf\vbase020.vdf' was copied to

'C:\Program Files\Avira\AntiVir Desktop\vbase020.vdf'.
11:15:37 [UPD] [INFO] 'C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\UPDATE\.\n_vdf\vbase021.vdf' was copied to

'C:\Program Files\Avira\AntiVir Desktop\vbase021.vdf'.
11:15:37 [UPD] [INFO] 'C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\UPDATE\.\n_vdf\vbase022.vdf' was copied to

'C:\Program Files\Avira\AntiVir Desktop\vbase022.vdf'.
11:15:37 [UPD] [INFO] 'C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\UPDATE\.\n_vdf\vbase023.vdf' was copied to

'C:\Program Files\Avira\AntiVir Desktop\vbase023.vdf'.
11:15:37 [UPD] [INFO] 'C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\UPDATE\.\n_vdf\vbase024.vdf' was copied to

'C:\Program Files\Avira\AntiVir Desktop\vbase024.vdf'.
11:15:37 [UPD] [INFO] 'C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\UPDATE\.\n_vdf\vbase025.vdf' was copied to

'C:\Program Files\Avira\AntiVir Desktop\vbase025.vdf'.
11:15:37 [UPD] [INFO] 'C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\UPDATE\.\n_vdf\vbase026.vdf' was copied to

'C:\Program Files\Avira\AntiVir Desktop\vbase026.vdf'.
11:15:37 [UPD] [INFO] 'C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\UPDATE\.\n_vdf\vbase027.vdf' was copied to

'C:\Program Files\Avira\AntiVir Desktop\vbase027.vdf'.
11:15:37 [UPD] [INFO] 'C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\UPDATE\.\n_vdf\vbase028.vdf' was copied to

'C:\Program Files\Avira\AntiVir Desktop\vbase028.vdf'.
11:15:37 [UPD] [INFO] 'C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\UPDATE\.\n_vdf\vbase029.vdf' was copied to

'C:\Program Files\Avira\AntiVir Desktop\vbase029.vdf'.
11:15:37 [UPD] [INFO] 'C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\UPDATE\.\n_vdf\vbase030.vdf' was copied to

'C:\Program Files\Avira\AntiVir Desktop\vbase030.vdf'.
11:15:38 [UPD] [INFO] 'C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\UPDATE\.\n_vdf\vbase031.vdf' was copied to

'C:\Program Files\Avira\AntiVir Desktop\vbase031.vdf'.
11:15:38 [UPD] [INFO] 'C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\UPDATE\.\n_vdf\aevdf.dat' was copied to

'C:\Program Files\Avira\AntiVir Desktop\aevdf.dat'.
11:15:40 [UPD] [INFO] 'C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\UPDATE\.\ave2\win32\int\aecore.dll' was

copied to 'C:\Program Files\Avira\AntiVir Desktop\aecore.dll'.
11:15:42 [UPD] [INFO] 'C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\UPDATE\.\ave2\win32\int\aehelp.dll' was

copied to 'C:\Program Files\Avira\AntiVir Desktop\aehelp.dll'.
11:15:47 [UPD] [INFO] 'C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\UPDATE\.\ave2\win32\int\aeheur.dll' was

copied to 'C:\Program Files\Avira\AntiVir Desktop\aeheur.dll'.
11:15:47 [UPD] [INFO] 'C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\UPDATE\.\ave2\win32\int\aeset.dat' was

copied to 'C:\Program Files\Avira\AntiVir Desktop\aeset.dat'.
11:17:37 [UPD] [INFO] Re-initialization of Avira AntiVir Guard was successful.


Summary:
********
21 Files downloaded
21 Files installed
Downloaded file(s): vbase016.vdf 7.10.12.4; vbase017.vdf 7.10.12.5; vbase018.vdf 7.10.12.6; vbase019.vdf 7.10.12.7; vbase020.vdf 7.10.12.8;

vbase021.vdf 7.10.12.9; vbase022.vdf 7.10.12.10;
vbase023.vdf 7.10.12.11; vbase024.vdf 7.10.12.12; vbase025.vdf 7.10.12.13; vbase026.vdf 7.10.12.14; vbase027.vdf

7.10.12.15; vbase028.vdf 7.10.12.16; vbase029.vdf 7.10.12.17;
vbase030.vdf 7.10.12.18; vbase031.vdf 7.10.12.30; aevdf.dat 7.10.12.30; aecore.dll 8.1.17.0; aehelp.dll 8.1.13.4;

aeheur.dll 8.1.2.27; aeset.dat 8.2.4.66;


Sun Sep 26 11:18:09 2010
The update was carried out successfully!


Scan report.



Avira AntiVir Personal
Report file date: Sunday, September 26, 2010 11:53

Scanning for 2874959 virus strains and unwanted programs.

The program is running as an unrestricted full version.
Online services are available:

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 2) [5.1.2600]
Boot mode : Normally booted
Username : SYSTEM
Computer name : ANTIVIRU-47914D

Version information:
BUILD.DAT : 10.0.0.567 32097 Bytes 4/19/2010 15:07:00
AVSCAN.EXE : 10.0.3.0 433832 Bytes 9/9/2010 07:55:48
AVSCAN.DLL : 10.0.3.0 46440 Bytes 9/9/2010 07:55:48
LUKE.DLL : 10.0.2.3 104296 Bytes 3/7/2010 13:03:04
LUKERES.DLL : 10.0.0.1 12648 Bytes 2/10/2010 18:10:49
VBASE000.VDF : 7.10.0.0 19875328 Bytes 11/6/2009 03:35:36
VBASE001.VDF : 7.10.1.0 1372672 Bytes 11/19/2009 13:57:49
VBASE002.VDF : 7.10.3.1 3143680 Bytes 1/20/2010 12:07:42
VBASE003.VDF : 7.10.3.75 996864 Bytes 1/26/2010 11:07:42
VBASE004.VDF : 7.10.4.203 1579008 Bytes 3/5/2010 05:59:03
VBASE005.VDF : 7.10.6.82 2494464 Bytes 4/15/2010 07:55:47
VBASE006.VDF : 7.10.7.218 2294784 Bytes 6/2/2010 07:55:47
VBASE007.VDF : 7.10.9.165 4840960 Bytes 7/23/2010 07:55:48
VBASE008.VDF : 7.10.11.133 3454464 Bytes 9/13/2010 04:53:43
VBASE009.VDF : 7.10.11.134 2048 Bytes 9/13/2010 04:53:44
VBASE010.VDF : 7.10.11.135 2048 Bytes 9/13/2010 04:53:44
VBASE011.VDF : 7.10.11.136 2048 Bytes 9/13/2010 04:53:45
VBASE012.VDF : 7.10.11.137 2048 Bytes 9/13/2010 04:53:45
VBASE013.VDF : 7.10.11.165 172032 Bytes 9/15/2010 11:43:14
VBASE014.VDF : 7.10.11.202 144384 Bytes 9/18/2010 16:12:29
VBASE015.VDF : 7.10.11.231 129024 Bytes 9/21/2010 04:03:43
VBASE016.VDF : 7.10.12.4 126464 Bytes 9/23/2010 05:42:51
VBASE017.VDF : 7.10.12.5 2048 Bytes 9/23/2010 05:42:52
VBASE018.VDF : 7.10.12.6 2048 Bytes 9/23/2010 05:42:52
VBASE019.VDF : 7.10.12.7 2048 Bytes 9/23/2010 05:42:53
VBASE020.VDF : 7.10.12.8 2048 Bytes 9/23/2010 05:42:53
VBASE021.VDF : 7.10.12.9 2048 Bytes 9/23/2010 05:42:54
VBASE022.VDF : 7.10.12.10 2048 Bytes 9/23/2010 05:42:54
VBASE023.VDF : 7.10.12.11 2048 Bytes 9/23/2010 05:42:55
VBASE024.VDF : 7.10.12.12 2048 Bytes 9/23/2010 05:42:55
VBASE025.VDF : 7.10.12.13 2048 Bytes 9/23/2010 05:42:56
VBASE026.VDF : 7.10.12.14 2048 Bytes 9/23/2010 05:42:56
VBASE027.VDF : 7.10.12.15 2048 Bytes 9/23/2010 05:42:57
VBASE028.VDF : 7.10.12.16 2048 Bytes 9/23/2010 05:42:57
VBASE029.VDF : 7.10.12.17 2048 Bytes 9/23/2010 05:42:58
VBASE030.VDF : 7.10.12.18 2048 Bytes 9/23/2010 05:42:58
VBASE031.VDF : 7.10.12.30 73728 Bytes 9/24/2010 05:43:01
Engineversion : 8.2.4.66
AEVDF.DLL : 8.1.2.1 106868 Bytes 9/9/2010 07:55:48
AESCRIPT.DLL : 8.1.3.45 1368443 Bytes 9/18/2010 16:14:04
AESCN.DLL : 8.1.6.1 127347 Bytes 9/9/2010 07:55:48
AESBX.DLL : 8.1.3.1 254324 Bytes 9/9/2010 07:55:48
AERDL.DLL : 8.1.9.2 635252 Bytes 9/22/2010 04:04:12
AEPACK.DLL : 8.2.3.7 471413 Bytes 9/18/2010 16:13:40
AEOFFICE.DLL : 8.1.1.8 201081 Bytes 9/9/2010 07:55:48
AEHEUR.DLL : 8.1.2.27 2933110 Bytes 9/26/2010 05:44:21
AEHELP.DLL : 8.1.13.4 242038 Bytes 9/26/2010 05:43:15
AEGEN.DLL : 8.1.3.22 401780 Bytes 9/18/2010 16:12:45
AEEMU.DLL : 8.1.2.0 393588 Bytes 9/9/2010 07:55:48
AECORE.DLL : 8.1.17.0 196982 Bytes 9/26/2010 05:43:09
AEBB.DLL : 8.1.1.0 53618 Bytes 9/9/2010 07:55:48
AVWINLL.DLL : 10.0.0.0 19304 Bytes 1/14/2010 06:33:38
AVPREF.DLL : 10.0.0.0 44904 Bytes 1/14/2010 06:33:35
AVREP.DLL : 10.0.0.8 62209 Bytes 2/18/2010 11:17:40
AVREG.DLL : 10.0.3.0 53096 Bytes 9/9/2010 07:55:49
AVSCPLR.DLL : 10.0.3.0 83816 Bytes 9/9/2010 07:55:49
AVARKT.DLL : 10.0.0.14 227176 Bytes 9/9/2010 07:55:48
AVEVTLOG.DLL : 10.0.0.8 203112 Bytes 1/26/2010 04:23:30
SQLITE3.DLL : 3.6.19.0 355688 Bytes 1/28/2010 07:27:58
AVSMTP.DLL : 10.0.0.17 63848 Bytes 3/16/2010 10:08:56
NETNT.DLL : 10.0.0.0 11624 Bytes 2/19/2010 09:11:00
RCIMAGE.DLL : 10.0.0.26 2550120 Bytes 1/28/2010 07:40:20
RCTEXT.DLL : 10.0.53.0 97128 Bytes 9/9/2010 07:55:47

Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: C:\Program Files\Avira\AntiVir Desktop\sysscan.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:, D:, E:,
Process scan........................: on
Extended process scan...............: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium
Deviating risk categories...........: +APPL,+GAME,+PCK,+PFS,+SPR,

Start of the scan: Sunday, September 26, 2010 11:53

Starting search for hidden objects.

The scan of running processes will be started
Scan process 'avscan.exe' - '69' Module(s) have been scanned
Scan process 'avcenter.exe' - '70' Module(s) have been scanned
Scan process 'msdtc.exe' - '40' Module(s) have been scanned
Scan process 'dllhost.exe' - '59' Module(s) have been scanned
Scan process 'dllhost.exe' - '45' Module(s) have been scanned
Scan process 'vssvc.exe' - '48' Module(s) have been scanned
Scan process 'wuauclt.exe' - '33' Module(s) have been scanned
Scan process 'alg.exe' - '30' Module(s) have been scanned
Scan process 'WZQKPICK.EXE' - '18' Module(s) have been scanned
Scan process 'ctfmon.exe' - '24' Module(s) have been scanned
Scan process 'msmsgs.exe' - '42' Module(s) have been scanned
Scan process 'avgnt.exe' - '50' Module(s) have been scanned
Scan process 'hkcmd.exe' - '29' Module(s) have been scanned
Scan process 'Explorer.EXE' - '98' Module(s) have been scanned
Scan process 'avshadow.exe' - '26' Module(s) have been scanned
Scan process 'avguard.exe' - '52' Module(s) have been scanned
Scan process 'sched.exe' - '51' Module(s) have been scanned
Scan process 'spoolsv.exe' - '53' Module(s) have been scanned
Scan process 'svchost.exe' - '43' Module(s) have been scanned
Scan process 'svchost.exe' - '30' Module(s) have been scanned
Scan process 'svchost.exe' - '158' Module(s) have been scanned
Scan process 'svchost.exe' - '38' Module(s) have been scanned
Scan process 'svchost.exe' - '50' Module(s) have been scanned
Scan process 'lsass.exe' - '58' Module(s) have been scanned
Scan process 'services.exe' - '36' Module(s) have been scanned
Scan process 'winlogon.exe' - '64' Module(s) have been scanned
Scan process 'csrss.exe' - '11' Module(s) have been scanned
Scan process 'smss.exe' - '2' Module(s) have been scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!
Boot sector 'D:\'
[INFO] No virus was found!
Boot sector 'E:\'
[INFO] No virus was found!

Starting to scan executable files (registry).
The registry was scanned ( '321' files ).


Starting the file scan:

Begin scan in 'C:\'
Begin scan in 'D:\'
Begin scan in 'E:\'
Search path E:\ could not be opened!
System error [1005]: The volume does not contain a recognized file system.


End of the scan: Sunday, September 26, 2010 12:34
Used time: 40:56 Minute(s)

The scan has been done completely.

5025 Scanned directories
295873 Files were scanned
0 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
0 Files were moved to quarantine
0 Files were renamed
0 Files cannot be scanned
295873 Files not concerned
1860 Archives were scanned
0 Warnings
0 Notes
175699 Objects were scanned with rootkit scan
0 Hidden objects were found





Not seeing any malware on your machine based on any of the tools we ran.

So do you think there is no malware on my computer.



You can delete the folder or leave it, up to you.

After i had clicked finish on the ESET scanner, it had said its recomended to uninstall ESET from your computer, inspite of my clicking to uninstall in the previous step. They have left behind the OnlineScannerUninstaller in it with most of the files deleted. So do you think i should run the uninstaller before deleting the folder.


Also, there is an 0 files contaning folder Avira in C:\Documents and settings\Antivirus\Application Data . Inside it is just one empty folder called JOBS.
The folder Avira in C:\Documents and Settings\All Users\Application Data has many files and folders.

So do you think there is no malware on my computer.
Correct, no malware


left behind the OnlineScannerUninstaller in it with most of the files deleted. So do you think i should run the uninstaller before deleting the folderTheres always traces of leftovers that are left behind after running most uninstallers.

Since you clicked the option to uninstall ESET these are probably just the leftovers. You could run the uninstaller.exe thats in the folder, then delete the folder.


Also, there is an 0 files contaning folder Avira in C:\Documents and settings\Antivirus\Application Data . Inside it is just one empty folder called JOBS.
The folder Avira in C:\Documents and Settings\All Users\Application Data has many files and folders.
I dont know what those are, obviously created and used by Avira. I wouldn't delete anything, you might foul up your Avira installation.

You can delete the rootrepeal icon from your desktop and DDS, there is no uninstaller. Note that the free version of Malwarebytes must be updated manually and a scan started manually. Its good practice to keep it updated even if you dont scan alot with it.

Correct, no malware

Yippee.



Since you clicked the option to uninstall ESET these are probably just the leftovers. You could run the uninstaller.exe thats in the folder, then delete the folder.

i just saw but that ESET folder seems to be missing. i had switched off the computer. Maybe restart led to this. So i think ESET is anyway gone.




You can delete the rootrepeal icon from your desktop.

Can i scan with root repeal once more before deleting to check again.

ESET folder seems to be missing
A restart may have finished the uninstall.


Can i scan with root repeal
sure

Scan with rootrepeal, again beep and pop-up saying unrecognized partition type 14(0xe)!


Report:


ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2010/09/27 10:05
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF154A000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xFA43D000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xF0F7E000 Size: 49152 File Visible: No Signed: -
Status: -

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "<unknown>" at address 0xfa65868e

#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0xfa658684

#: 063 Function Name: NtDeleteKey
Status: Hooked by "<unknown>" at address 0xfa658693

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "<unknown>" at address 0xfa65869d

#: 098 Function Name: NtLoadKey
Status: Hooked by "<unknown>" at address 0xfa6586a2

#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0xfa658670

#: 128 Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0xfa658675

#: 193 Function Name: NtReplaceKey
Status: Hooked by "<unknown>" at address 0xfa6586ac

#: 204 Function Name: NtRestoreKey
Status: Hooked by "<unknown>" at address 0xfa6586a7

#: 247 Function Name: NtSetValueKey
Status: Hooked by "<unknown>" at address 0xfa658698

==EOF==

Lets go back to combofix, read through the guide and apply the directions on your own machine as best as you can. The directions are pretty straight forward.
Do you you think combofix can create a system restore point
Combofix dosnt use the system restore archive to make a restore point.

Here it is.


ComboFix 10-09-26.04 - Antivirus 09/27/2010 19:10:22.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.222.93 [GMT 5.5:30]
Running from: c:\documents and settings\Antivirus\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((( Files Created from 2010-08-27 to 2010-09-27 )))))))))))))))))))))))))))))))
.

2010-09-11 18:25 . 2010-09-11 18:26 -------- d-----w- c:\program files\ERUNT
2010-09-09 13:26 . 2010-09-09 13:26 0 ----a-w- c:\windows\nsreg.dat
2010-09-09 13:25 . 2010-09-09 13:25 -------- d-----w- c:\documents and settings\Antivirus\Local Settings\Application Data\Mozilla
2010-09-09 11:27 . 2010-09-26 07:04 -------- d-----w- c:\windows\system32\NtmsData
2010-09-09 11:01 . 2010-09-09 11:01 -------- d-----w- c:\documents and settings\Antivirus\Application Data\Avira
2010-09-09 07:42 . 2010-09-09 07:42 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2010-09-09 07:42 . 2010-03-01 03:35 124784 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-09-09 07:42 . 2010-02-16 07:54 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-09-09 07:42 . 2009-05-11 06:19 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2010-09-09 07:42 . 2009-05-11 06:19 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2010-09-09 07:42 . 2010-09-09 07:42 -------- d-----w- c:\program files\Avira
2010-09-08 15:29 . 2010-09-08 15:29 -------- d-----w- c:\documents and settings\Antivirus\Local Settings\Application Data\WMTools Downloaded Files
2010-09-08 08:22 . 2010-09-08 08:22 -------- d-sh--w- c:\documents and settings\Antivirus\IECompatCache
2010-09-08 08:12 . 2010-09-08 08:12 -------- d-sh--w- c:\documents and settings\Antivirus\PrivacIE
2010-09-08 08:11 . 2010-09-08 08:11 -------- d-sh--w- c:\documents and settings\Antivirus\IETldCache
2010-09-08 08:09 . 2009-01-07 12:51 26144 ----a-w- c:\windows\system32\spupdsvc.exe
2010-09-08 08:08 . 2010-09-08 08:09 -------- dc-h--w- c:\windows\ie8
2010-09-08 07:43 . 2010-09-08 07:43 -------- d-----w- c:\documents and settings\Antivirus\Local Settings\Application Data\Help
2010-09-08 05:50 . 2010-09-08 05:50 -------- d-sh--w- c:\documents and settings\Antivirus\UserData

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-25 09:37 . 2010-09-25 09:36 2826192 ----a-w- c:\documents and settings\Antivirus\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\fpupdateax.exe
2010-09-20 07:03 . 2010-09-07 11:42 -------- d-----w- c:\program files\Alwil Software
2010-09-15 08:01 . 2010-09-15 08:01 -------- d-----w- c:\documents and settings\Antivirus\Application Data\Malwarebytes
2010-09-15 08:01 . 2010-09-15 08:01 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-15 08:01 . 2010-09-15 08:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-09-09 07:42 . 2010-09-07 13:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2010-09-08 06:41 . 2010-09-07 10:57 -------- d-----w- c:\program files\Kundli
2010-09-07 14:52 . 2010-09-07 10:30 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-09-07 13:19 . 2010-09-07 13:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-09-07 13:15 . 2010-09-07 13:10 -------- d-----w- c:\program files\Common Files\InstallShield
2010-09-07 13:12 . 2010-09-07 13:12 -------- d-----w- c:\program files\InstallShield Installation Information
2010-09-07 12:53 . 2010-09-07 12:53 42944 ----a-w- c:\documents and settings\Antivirus\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-09-07 11:33 . 2010-09-07 11:33 -------- d-----w- c:\program files\Microsoft.NET
2010-09-07 11:33 . 2010-09-07 11:33 -------- d-----w- c:\program files\Microsoft ActiveSync
2010-09-07 11:10 . 2010-09-07 11:10 -------- d-----w- c:\documents and settings\Antivirus\Application Data\vlc
2010-09-07 10:59 . 2010-09-07 10:59 -------- d-----w- c:\program files\VideoLAN
2010-09-07 10:56 . 2010-09-07 10:56 -------- d-----w- c:\program files\Common Files\Adobe
2010-09-07 10:31 . 2010-09-07 10:31 -------- d-----w- c:\program files\microsoft frontpage
2010-09-07 10:27 . 2010-09-07 10:27 21640 ----a-w- c:\windows\system32\emptyregdb.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-01-22 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-01-22 126976]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 40048]
Adobe Reader Synchronizer.lnk - c:\program files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 734872]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2010-9-7 122880]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [9/9/2010 1:12 PM 135336]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - HTTPFILTER
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: {7CC2FDD7-4E5F-41FE-93F0-688524BE22B2} = 202.56.215.54,202.56.215.55
FF - ProfilePath - c:\documents and settings\Antivirus\Application Data\Mozilla\Firefox\Profiles\b335fjj7.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.in/

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-27 19:13
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(652)
c:\windows\system32\igfxsrvc.dll
c:\windows\system32\hccutils.DLL

- - - - - - - > 'explorer.exe'(3268)
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2010-09-27 19:14:51
ComboFix-quarantined-files.txt 2010-09-27 13:44

Pre-Run: 17,735,729,152 bytes free
Post-Run: 17,704,951,808 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 0C68E8CDC2AC44AB89066012EE3E4022



And it hadnt disconnected me from internet during scan, unlike what it had said in instructions that it will.

Log looks ok. you can remove combofix like this;
start>run and type in combofix /uninstall
note the space after the x and before the /

When i write combofix /uninstall there, it says do you want to run combofix.exe from C:\documents and settings\antivirus\desktop. Is this not the same program combofix. Will it run combofix or uninstall combofix. combofix.exe.

After that, can i run rootrepeal, avira, malwarebytes. in what sequence.

After running combobofix, there is now a folder called RECYCLER in D:\ . I dont know if it was invisible earlier. It has 85 bytes. It says 2 files and 1 folder inside it, on the properties. But on clicking it, going inside, nothing's visible, inspite of selecting view invisible files and folders.

Also, my computer seems to be a bit slower.

In addition to my above post, just above this, ....

The Qoobox seems to be for combofix. Inside it is one text file named ComboFix-quarantined-files. On clicking the text file, it lists these:

2010-09-27 13:42:13 . 2010-09-27 13:42:13 7,341 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2010-09-27 13:37:23 . 2010-09-27 13:37:23 51 ----a-w- C:\Qoobox\Quarantine\catchme.log

There is also a folder quarentine in Qoobox. Should i empty the quarentine folder before uninstalling combofix, or uninstalling will automatically delete the quarentine folder entries.

combofix /uninstall should remove combofix. dont delete anything until after combofix uninstalls. If that dosnt work first then rename the combofix icon to: uninstall.exe and doubleclick it.
you can run what ever you want. I dont see any malware and we are 5 pages deep. I am done.

This topic has been closed. Thank you shelf life. :)

venus_n linked to WTT for further assistance with Yahoo! issues.
http://forums.spybot.info/showthread.php?p=384628#post384628