Please advise:
Scolabar, hi,
The aswMBR scan, your step 2, didn't go as described, and I need to know what to do before I proceed.
First, when I went to double-click on the aswMBR.exe icon, on my desktop, OnlineArmor firewall reported, "aswMBR.sys wants to start automatically with your computer". I clicked accept, figuring that I'd accept anything the program wants to do, but I believe I unclicked "Remember this decision," because I have Avira running, already, and thought it would create a conflict. Since it's not the regular Avast antivirus, I didn't expect it to run automatically, later.
(At this point, I should mention that when you have said, "Before we proceed please make sure any open programs are closed," it didn't occur to me to shut down my security software. Am I supposed to be deactivating my antivirus, Spybot S&D Resident, SpywareBlaster, or my OnlineArmor firewall?)
Then, aswMBR asked to update its virus definitions. I agreed and let it download those.
I then clicked Scan, and it scanned for only a couple of minutes, then said it was scanning TDSSKiller.
aswMBR appeared to hang upon scanning TDSSKiller. It said it was scanning TDSSKiller as the last item at the bottom of what it had already scanned for exactly 20 minutes, then the screen froze (the clock froze and the mouse pointer wouldn't move) and the computer became unresponsive. The screen remained up, as it was before it hung. (Of course, the message that the scan was completed was never displayed.)
I let it sit for 34 minutes, hoping the program would catch up with itself, before trying to raise Task Manager with CTRL+ALT+DEL. The computer remained unresponsive. I eventually had to actually unplug the computer, in order to restart.
ALL OF THE FOLLOWING IS AFTER aswMBR HUNG, AND THE COMPUTER WAS REBOOTED:
Upon restart, OnlineArmor reported that it blocked AUTOBACK.EXE. OnlineArmor says,
"Status: Ask
Program name: AUTOBACK.EXE
Name: AUTOBACK.EXE,0.0.0.0,(0.0.0.0)
First Detected: 12/07/11 12:34:38
Trust Level: Unknown"
When I right-clicked on this line of info, in OnlineArmor, and chose Copy to Clipboard, it copied this:
AUTOBACK.EXE, 0.0.0.0, (0.0.0.0)
C:\Program Files\ERUNT\AUTOBACK.EXE
Hash(MD5): E00DE20F0F6BED5CD2160247DDC9443B
No log appeared to have been created from the first aswMBR scan, or at least there was nothing on the Desktop.
I clicked to start aswMBR.exe again, not intending to rescan but in hopes of getting some log or error message regarding the first scan. Again, a message from OnlineArmor said it asked for permission to start automatically, and I allowed, after unclicking, "Remember my decision."
The first time I restarted aswMBR.exe after reboot, it said it failed to initialize, which might be because it was waiting for me to respond to the firewall request for aswMBR.exe to run automatically. I asked for a log, which did not include info from the first scan, just this:
aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
Run date: 2011-12-10 19:59:46
-----------------------------
19:59:46.953 OS Version: Windows 5.1.2600 Service Pack 3
19:59:46.953 Number of processors: 2 586 0x403
19:59:46.953 ComputerName: USER-PC UserName: user
20:00:47.390 Initialze error C0000034 - driver not loaded
20:00:58.343 AVAST engine defs: 11121001
20:02:56.328 The log file has been saved successfully to "C:\Documents and Settings\user\Desktop\aswMBR.txt"
The second time, aswMBR.exe initialized successfully. I didn't scan. I created a log again:
aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
Run date: 2011-12-10 20:05:09
-----------------------------
20:05:09.921 OS Version: Windows 5.1.2600 Service Pack 3
20:05:09.921 Number of processors: 2 586 0x403
20:05:09.921 ComputerName: USER-PC UserName: user
20:05:21.125 Initialize success
20:05:27.625 AVAST engine defs: 11121001
20:37:38.093 The log file has been saved successfully to "C:\Documents and Settings\user\Desktop\aswMBR 2.txt"
So, I'll have to wait for more information from you, before I can proceed.
Regarding Avira's report from Dec. 7, here's that log. To be clear, this is not the last scan by Avira, but it's the last Avira scan to detect an infection, and the only Avira scan with a detection since the first symptoms of infection. As I reported below, for the first few days after signs of infection, Avira scans were clean, then this, on Dec. 7th:
Avira AntiVir Personal
Report file date: Wednesday, December 07, 2011 10:03
Scanning for 3542348 virus strains and unwanted programs.
The program is running as an unrestricted full version.
Online services are available:
Licensee : Avira AntiVir Personal - Free Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 3) [5.1.2600]
Boot mode : Normally booted
Username : SYSTEM
Computer name : USER-PC
Version information:
BUILD.DAT : 10.2.0.690 35934 Bytes 6/22/2011 18:07:00
AVSCAN.EXE : 10.3.0.7 484008 Bytes 6/28/2011 16:25:09
AVSCAN.DLL : 10.0.5.0 47464 Bytes 6/28/2011 16:25:09
LUKE.DLL : 10.3.0.5 45416 Bytes 6/28/2011 16:25:10
LUKERES.DLL : 10.0.0.1 12648 Bytes 2/11/2010 06:40:49
AVSCPLR.DLL : 10.3.0.7 119656 Bytes 6/28/2011 16:25:11
AVREG.DLL : 10.3.0.7 90472 Bytes 6/28/2011 16:25:10
VBASE000.VDF : 7.10.0.0 19875328 Bytes 11/6/2009 16:05:36
VBASE001.VDF : 7.11.0.0 13342208 Bytes 12/14/2010 10:19:52
VBASE002.VDF : 7.11.3.0 1950720 Bytes 2/9/2011 16:13:30
VBASE003.VDF : 7.11.5.225 1980416 Bytes 4/7/2011 12:48:11
VBASE004.VDF : 7.11.8.178 2354176 Bytes 5/31/2011 13:21:53
VBASE005.VDF : 7.11.10.251 1788416 Bytes 7/7/2011 20:17:30
VBASE006.VDF : 7.11.13.60 6411776 Bytes 8/16/2011 10:09:51
VBASE007.VDF : 7.11.15.106 2389504 Bytes 10/5/2011 20:40:15
VBASE008.VDF : 7.11.18.32 2132992 Bytes 11/24/2011 16:03:27
VBASE009.VDF : 7.11.18.33 2048 Bytes 11/24/2011 16:03:27
VBASE010.VDF : 7.11.18.34 2048 Bytes 11/24/2011 16:03:28
VBASE011.VDF : 7.11.18.35 2048 Bytes 11/24/2011 16:03:28
VBASE012.VDF : 7.11.18.36 2048 Bytes 11/24/2011 16:03:28
VBASE013.VDF : 7.11.18.89 204800 Bytes 11/28/2011 19:54:58
VBASE014.VDF : 7.11.18.145 143872 Bytes 12/1/2011 12:39:57
VBASE015.VDF : 7.11.18.180 173056 Bytes 12/2/2011 13:31:07
VBASE016.VDF : 7.11.18.208 164864 Bytes 12/5/2011 13:57:48
VBASE017.VDF : 7.11.18.239 177152 Bytes 12/6/2011 22:03:11
VBASE018.VDF : 7.11.18.240 2048 Bytes 12/6/2011 22:03:12
VBASE019.VDF : 7.11.18.241 2048 Bytes 12/6/2011 22:03:12
VBASE020.VDF : 7.11.18.242 2048 Bytes 12/6/2011 22:03:12
VBASE021.VDF : 7.11.18.243 2048 Bytes 12/6/2011 22:03:12
VBASE022.VDF : 7.11.18.244 2048 Bytes 12/6/2011 22:03:13
VBASE023.VDF : 7.11.18.245 2048 Bytes 12/6/2011 22:03:13
VBASE024.VDF : 7.11.18.246 2048 Bytes 12/6/2011 22:03:13
VBASE025.VDF : 7.11.18.247 2048 Bytes 12/6/2011 22:03:13
VBASE026.VDF : 7.11.18.248 2048 Bytes 12/6/2011 22:03:14
VBASE027.VDF : 7.11.18.249 2048 Bytes 12/6/2011 22:03:14
VBASE028.VDF : 7.11.18.250 2048 Bytes 12/6/2011 22:03:14
VBASE029.VDF : 7.11.18.251 2048 Bytes 12/6/2011 22:03:14
VBASE030.VDF : 7.11.18.252 2048 Bytes 12/6/2011 22:03:15
VBASE031.VDF : 7.11.19.20 88064 Bytes 12/7/2011 18:02:35
Engineversion : 8.2.6.128
AEVDF.DLL : 8.1.2.2 106868 Bytes 10/25/2011 19:03:56
AESCRIPT.DLL : 8.1.3.88 479611 Bytes 12/5/2011 17:50:22
AESCN.DLL : 8.1.7.2 127349 Bytes 11/22/2010 12:26:13
AESBX.DLL : 8.2.4.5 434549 Bytes 12/5/2011 17:50:24
AERDL.DLL : 8.1.9.15 639348 Bytes 9/9/2011 03:46:30
AEPACK.DLL : 8.2.14.4 741752 Bytes 12/5/2011 17:50:18
AEOFFICE.DLL : 8.1.2.21 201084 Bytes 12/5/2011 17:50:12
AEHEUR.DLL : 8.1.3.3 3871095 Bytes 12/5/2011 17:50:10
AEHELP.DLL : 8.1.18.0 254327 Bytes 10/25/2011 19:03:18
AEGEN.DLL : 8.1.5.15 405878 Bytes 12/5/2011 17:49:46
AEEMU.DLL : 8.1.3.0 393589 Bytes 11/22/2010 12:23:32
AECORE.DLL : 8.1.24.0 196983 Bytes 10/25/2011 19:03:13
AEBB.DLL : 8.1.1.0 53618 Bytes 4/23/2010 15:10:33
AVWINLL.DLL : 10.0.0.0 19304 Bytes 1/14/2010 19:03:38
AVPREF.DLL : 10.0.3.2 44904 Bytes 6/28/2011 16:25:09
AVREP.DLL : 10.0.0.10 174120 Bytes 5/17/2011 13:58:35
AVARKT.DLL : 10.0.26.1 255336 Bytes 6/28/2011 16:25:09
AVEVTLOG.DLL : 10.0.0.9 203112 Bytes 6/28/2011 16:25:09
SQLITE3.DLL : 3.6.19.0 355688 Bytes 1/28/2010 19:57:58
AVSMTP.DLL : 10.0.0.17 63848 Bytes 3/16/2010 22:38:56
NETNT.DLL : 10.0.0.0 11624 Bytes 2/19/2010 21:41:00
RCIMAGE.DLL : 10.0.0.35 2589544 Bytes 6/28/2011 16:25:08
RCTEXT.DLL : 10.0.64.0 97640 Bytes 6/28/2011 16:25:08
Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp
Logging.............................: Default
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:,
Process scan........................: on
Extended process scan...............: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: Advanced
Deviating risk categories...........: +APPL,+PCK,+PFS,+SPR,
Start of the scan: Wednesday, December 07, 2011 10:03
Starting search for hidden objects.
The scan of running processes will be started
Scan process 'rsmsink.exe' - '30' Module(s) have been scanned
Scan process 'dllhost.exe' - '47' Module(s) have been scanned
Scan process 'vssvc.exe' - '50' Module(s) have been scanned
Scan process 'avscan.exe' - '72' Module(s) have been scanned
Scan process 'avcenter.exe' - '71' Module(s) have been scanned
Scan process 'TeaTimer.exe' - '46' Module(s) have been scanned
Scan process 'msdtc.exe' - '42' Module(s) have been scanned
Scan process 'dllhost.exe' - '62' Module(s) have been scanned
Scan process 'jqs.exe' - '35' Module(s) have been scanned
Scan process 'ccc.exe' - '162' Module(s) have been scanned
Scan process 'SearchIndexer.exe' - '61' Module(s) have been scanned
Scan process 'OAhlp.exe' - '55' Module(s) have been scanned
Scan process 'RunDLL32.exe' - '43' Module(s) have been scanned
Scan process 'svchost.exe' - '36' Module(s) have been scanned
Scan process 'wuauclt.exe' - '47' Module(s) have been scanned
Scan process 'MOM.exe' - '60' Module(s) have been scanned
Scan process 'oaui.exe' - '57' Module(s) have been scanned
Scan process 'avgnt.exe' - '61' Module(s) have been scanned
Scan process 'smax4pnp.exe' - '45' Module(s) have been scanned
Scan process 'ctfmon.exe' - '35' Module(s) have been scanned
Scan process 'alg.exe' - '35' Module(s) have been scanned
Scan process 'svchost.exe' - '41' Module(s) have been scanned
Scan process 'avshadow.exe' - '28' Module(s) have been scanned
Scan process 'MDM.EXE' - '24' Module(s) have been scanned
Scan process 'avguard.exe' - '56' Module(s) have been scanned
Scan process 'sched.exe' - '47' Module(s) have been scanned
Scan process 'spoolsv.exe' - '57' Module(s) have been scanned
Scan process 'Explorer.EXE' - '170' Module(s) have been scanned
Scan process 'oasrv.exe' - '64' Module(s) have been scanned
Scan process 'OAcat.exe' - '32' Module(s) have been scanned
Scan process 'svchost.exe' - '42' Module(s) have been scanned
Scan process 'svchost.exe' - '34' Module(s) have been scanned
Scan process 'Ati2evxx.exe' - '33' Module(s) have been scanned
Scan process 'svchost.exe' - '32' Module(s) have been scanned
Scan process 'svchost.exe' - '173' Module(s) have been scanned
Scan process 'svchost.exe' - '41' Module(s) have been scanned
Scan process 'svchost.exe' - '53' Module(s) have been scanned
Scan process 'Ati2evxx.exe' - '30' Module(s) have been scanned
Scan process 'lsass.exe' - '64' Module(s) have been scanned
Scan process 'services.exe' - '29' Module(s) have been scanned
Scan process 'winlogon.exe' - '78' Module(s) have been scanned
Scan process 'csrss.exe' - '16' Module(s) have been scanned
Scan process 'smss.exe' - '2' Module(s) have been scanned
Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!
Starting to scan executable files (registry).
The registry was scanned ( '1064' files ).
Starting the file scan:
Begin scan in 'C:\'
C:\Documents and Settings\user\Local Settings\Temp\jar_cache489517355002911589.tmp
[0] Archive type: HIDDEN
--> FIL\\\?\C:\Documents and Settings\user\Local Settings\Temp\jar_cache489517355002911589.tmp
[DETECTION] Is the TR/Fake.Rean.3192 Trojan
Beginning disinfection:
C:\Documents and Settings\user\Local Settings\Temp\jar_cache489517355002911589.tmp
[DETECTION] Is the TR/Fake.Rean.3192 Trojan
[NOTE] The file was moved to the quarantine directory under the name '4c37185f.qua'.
End of the scan: Wednesday, December 07, 2011 11:20
Used time: 1:14:53 Hour(s)
The scan has been done completely.
7080 Scanned directories
282431 Files were scanned
1 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
1 Files were moved to quarantine
0 Files were renamed
0 Files cannot be scanned
282430 Files not concerned
5329 Archives were scanned
0 Warnings
1 Notes
553989 Objects were scanned with rootkit scan
0 Hidden objects were found
[End of Avira scan]
I'll be checking back frequently, for your next instructions. Thanks for your continued help!