

[Solved] Unable to remove Win32/Heur

Discussion in 'Virus and Malware Removal' started by vbakis, Feb 24, 2011.

  1. Bobbye Helper on the Fringe

    Not sure why you ran the Avast scan> those files were moved in OTM. You can delete the contents of the quarantine files in Avast.

    Sorry about having to uninstall AVG for Combofix. I have those directions saved separately, but I am going to add them to Combofix.
    ===============================================
    Please run this Custom CFScript:

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it: Be sure to scroll down to include ALL lines.
    Code:
    Folder::
    g:\docume~1\vasilis\locals~1\applic~1\Temp
    g:\program files\GetData
    G:\GetData Recover My Files Professional Edition v4.6.8.993
    g:\program files\uTorrent.exe
    Registry::
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\uTorrent.exe"=-
    "g:\\Program Files\\uTorrent.exe"=-
    Driver::
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [IMG]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
    ====================
    P2P or 'file sharing' Warning:
    I note you have uTorrent on 2 drives- that doubles the vulnerability from file sharing.
    Note: Even if you are using a "safe" P2P program, it is only the program that is safe. I suggest that you uninstall uTorrent for the following reasons:
    • As long as you are using file sharing networks and programs which are from sources that are not documented, you cannot verify that a download is legitimate.
    • Malware writers use these programs to include malicious content.
    • File sharing is usually unmonitored and there is a danger that your private files might be accessed.
    • The 'sharing' also includes malware that the shared system has on it.
    • Files that are illegal can be spread through file sharing.

    Please read the information on P2P Warning to help you better understand these dangers.
    =================================
    How is the system running now?
  2. vbakis Newcomer, in training

    I'm sorry for the late response, I was away for the weekend. The system looks fine atm; this is the log from ComboFix:


    ComboFix 11-03-07.05 - Vasilis 08/03/2011 11:48:32.2.2 - x86
    Microsoft Windows XP Professional 5.1.2600.2.1253.30.1033.18.1535.1180 [GMT 2:00]
    Running from: g:\documents and settings\Vasilis\My Documents\Downloads\Protection - Antivirus -Spyware\ComboFix.exe
    Command switches used :: g:\documents and settings\Vasilis\My Documents\Downloads\Protection - Antivirus -Spyware\CFScript.TXT
    AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    g:\docume~1\vasilis\locals~1\applic~1\Temp
    G:\GetData Recover My Files Professional Edition v4.6.8.993
    g:\getdata recover my files professional edition v4.6.8.993\Crack.rar
    g:\getdata recover my files professional edition v4.6.8.993\File_id.diz
    g:\getdata recover my files professional edition v4.6.8.993\GetData Recover My Files v4.6.8.993.txt
    g:\getdata recover my files professional edition v4.6.8.993\INSTALL NOTES.txt
    g:\getdata recover my files professional edition v4.6.8.993\RecoverMyFiles-Setup.exe
    g:\program files\GetData
    g:\program files\GetData\Recover My Files v4\FFF.NFO
    g:\program files\GetData\Recover My Files v4\FILE_ID.DIZ
    g:\program files\Quicktime\QTTask.exe
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-02-08 to 2011-03-08 )))))))))))))))))))))))))))))))
    .
    .
    2011-03-04 09:35 . 2011-03-04 09:35 -------- d-----w- G:\_OTM
    2011-02-21 11:05 . 2011-02-21 11:05 -------- d-----w- G:\ATI
    2011-02-21 10:45 . 2011-02-21 10:45 -------- d-----w- G:\$AVG
    2011-02-18 11:38 . 2011-02-18 11:38 -------- d-----r- G:\MSOCache
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    .
    ((((((((((((((((((((((((((((( SnapShot@2011-03-02_10.58.22 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2011-03-02 11:13 . 2010-06-17 12:27 28520 g:\windows\system32\drivers\ssmdrv.sys
    + 2011-03-02 11:13 . 2010-06-17 12:27 22360 g:\windows\system32\drivers\avgntmgr.sys
    + 2011-03-02 11:13 . 2011-01-10 12:23 61960 g:\windows\system32\drivers\avgntflt.sys
    + 2011-03-02 11:13 . 2010-06-17 12:27 45416 g:\windows\system32\drivers\avgntdd.sys
    + 2011-03-02 11:13 . 2011-01-10 12:23 135096 g:\windows\system32\drivers\avipbb.sys
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Google Update"="g:\documents and settings\Vasilis\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2011-02-18 136176]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SoundMan"="SOUNDMAN.EXE" [2006-08-02 577536]
    "ATICustomerCare"="g:\program files\ATI\ATICustomerCare\ATICustomerCare.exe" [2010-05-04 311296]
    "Adobe Reader Speed Launcher"="g:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]
    "Adobe ARM"="g:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
    "HP Software Update"="g:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
    "iTunesHelper"="g:\program files\iTunes\iTunesHelper.exe" [2011-01-25 421160]
    "avgnt"="g:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-01-10 281768]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="g:\windows\system32\CTFMON.EXE" [2004-08-03 15360]
    .
    g:\documents and settings\All Users\Start Menu\Programs\Startup\
    HP Digital Imaging Monitor.lnk - g:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\uTorrent.exe"=
    "g:\\Program Files\\uTorrent.exe"=
    "h:\\World of Warcraft\\Launcher.exe"=
    "g:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "g:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "g:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
    "g:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
    "g:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
    "g:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
    "g:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
    "g:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
    "g:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
    "g:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
    "g:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
    "g:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
    "g:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
    "g:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
    "g:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
    "g:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
    "g:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
    "g:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "g:\\Program Files\\iTunes\\iTunes.exe"=
    "g:\\Program Files\\World of Warcraft\\Launcher.exe"=
    "g:\\Documents and Settings\\Vasilis\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe"=
    .
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;g:\program files\Avira\AntiVir Desktop\sched.exe [2/3/2011 1:13 μμ 135336]
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-03-03 g:\windows\Tasks\AppleSoftwareUpdate.job
    - g:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 09:50]
    .
    2011-03-07 g:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-527237240-1220945662-725345543-1003Core.job
    - g:\documents and settings\Vasilis\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-02-18 11:36]
    .
    2011-03-08 g:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-527237240-1220945662-725345543-1003UA.job
    - g:\documents and settings\Vasilis\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-02-18 11:36]
    .
    .
    ------- Supplementary Scan -------
    .
    uInternet Settings,ProxyOverride = *.local
    IE: Ε&ξαγωγή στο Microsoft Excel - g:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    .
    - - - - ORPHANS REMOVED - - - -
    .
    HKLM-Run-QuickTime Task - g:\program files\QuickTime\QTTask.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-03-08 11:53
    Windows 5.1.2600 Service Pack 2 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@g:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="g:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    Completion time: 2011-03-08 11:55:07
    ComboFix-quarantined-files.txt 2011-03-08 09:55
    ComboFix2.txt 2011-03-02 10:59
    .
    Pre-Run: 84.435.468.288 bytes free
    Post-Run: 84.422.111.232 bytes free
    .
    - - End Of File - - 11FFF23506C8F50B36E29F0EF7CBF593
  3. Bobbye Helper on the Fringe

    No problem- I frequently run behind, so it gives me a chance to catch up.

    The logs show entries from drives C, G, H. I know that the H drive was the hard drive you had as a student in 2001. And the infected files came from the recovery you used. I'm just a bit confused about the following in the Attach.txt log from DDS:
    C: is FIXED (NTFS) - 233 GiB total, 195,228 GiB free.
    D: is Removable
    E: is CDROM ()
    F: is CDROM ()
    G: is FIXED (NTFS) - 112 GiB total, 98,966 GiB free.
    H: is FIXED (NTFS) - 233 GiB total, 84,556 GiB free.

    ======================================
    The only thing I would do is remove these Registry settings:
    "c:\\uTorrent.exe"
    "g:\\Program Files\\uTorrent.exe"

    But I have warned you about the dangers of file sharing. Let me know if you continue to use this program or if you would like me to remove the entries.
    =======================================
    I'd like you to run the Eset scan once more- let's make sure all of those infected files were found and removed:

    Run Eset NOD32 Online AntiVirus scan HERE
    1. Tick the box next to YES, I accept the Terms of Use.
    2. Click Start
    3. When asked, allow the Active X control to install
    4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    5. Click Start
    6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    7. Click Scan
    8. Wait for the scan to finish
    9. Click on "Copy to Clipboard"> (you won't see the 'clipboard')
    10. Click anywhere in the post where you want the logs to go, then do Ctrl V. The log will be sent from the clipboard and pasted in the post.
    11. Re-enable your Antivirus software.
      NOTE: If you forget to copy to the clipboard, you can find the log here:
      C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

    If clean, I'll have you remove all the cleaning tools we used.

    By the way, if you glance at this forum page, you will see a lot of members with AVG/Win32/Heur!
  4. vbakis Newcomer, in training

    OK, I'll try to sort things out so you can have a clear view of my drives. G: is the system disk, it's where Windows is installed and it's the disk I had as a student, and H: is a flash disk I used to recover the files from G:
    What I did was format G:, then install Windows onto it, and then try to recover the files from before the format onto H:
    I deleted the file c:\\uTorrent.exe
    Anyway, I don't use it anymore, so feel free to show me how to remove them.

    Eset still finds malware on the removable flash drive H: here's the log:

    ESETSmartInstaller@High as downloader log:
    all ok
    # version=7
    # OnlineScannerApp.exe=1.0.0.1
    # OnlineScanner.ocx=1.0.0.6425
    # api_version=3.0.2
    # EOSSerial=d5531ca7203fe54797e590b518b5db27
    # end=finished
    # remove_checked=false
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2011-02-24 05:41:41
    # local_time=2011-02-24 07:41:41 (+0200, GTB Standard Time)
    # country="Greece"
    # lang=1033
    # osver=5.1.2600 NT Service Pack 2
    # compatibility_mode=512 16777215 100 0 35242 35242 0 0
    # compatibility_mode=1032 16777173 100 94 7752 41863832 0 0
    # compatibility_mode=8192 67108863 100 0 3900 3900 0 0
    # scanned=113439
    # found=13
    # cleaned=0
    # scan_time=3061
    H:\office recovery\G\Lost File Results\LostFile_EXE_17977144.exe a variant of Win32/Kryptik.AAQ trojan (unable to clean) 00000000000000000000000000000000 I
    H:\office recovery\G\Lost File Results\LostFile_EXE_18174360.exe a variant of Win32/Kryptik.AAQ trojan (unable to clean) 00000000000000000000000000000000 I
    H:\office recovery\G\Lost File Results\LostFile_EXE_52609881.exe a variant of Win32/Conficker.Y worm (unable to clean) 00000000000000000000000000000000 I
    H:\office recovery\G\Lost File Results\LostFile_EXE_5472056.exe a variant of Win32/TrojanDownloader.FakeAlert.GO trojan (unable to clean) 00000000000000000000000000000000 I
    H:\office recovery\G\Lost File Results\LostFile_EXE_63078584.exe a variant of Win32/Kryptik.AY trojan (unable to clean) 00000000000000000000000000000000 I
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_104647160.exe a variant of Win32/Kryptik.AAQ trojan (unable to clean) 00000000000000000000000000000000 I
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_10607648.exe a variant of Win32/Kryptik.AAQ trojan (unable to clean) 00000000000000000000000000000000 I
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_10630496.exe a variant of Win32/Kryptik.AAQ trojan (unable to clean) 00000000000000000000000000000000 I
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_11193632.exe a variant of Win32/Kryptik.AAQ trojan (unable to clean) 00000000000000000000000000000000 I
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_5979896.exe a variant of Win32/Kryptik.AAQ trojan (unable to clean) 00000000000000000000000000000000 I
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_8634784.exe a variant of Win32/Kryptik.AAQ trojan (unable to clean) 00000000000000000000000000000000 I
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_9084792.exe a variant of Win32/Kryptik.AAQ trojan (unable to clean) 00000000000000000000000000000000 I
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_92521216.exe a variant of Win32/Kryptik.AAQ trojan (unable to clean) 00000000000000000000000000000000 I
    ESETSmartInstaller@High as downloader log:
    all ok
    ESETSmartInstaller@High as downloader log:
    all ok
    esets_scanner_update returned -1 esets_gle=53251
    # version=7
    # OnlineScannerApp.exe=1.0.0.1
    # OnlineScanner.ocx=1.0.0.6425
    # api_version=3.0.2
    # EOSSerial=d5531ca7203fe54797e590b518b5db27
    # end=finished
    # remove_checked=false
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2011-03-02 10:26:57
    # local_time=2011-03-02 12:26:57 (+0200, GTB Standard Time)
    # country="Greece"
    # lang=1033
    # osver=5.1.2600 NT Service Pack 2
    # compatibility_mode=512 16777215 100 0 526576 526576 0 0
    # compatibility_mode=1032 16777189 100 94 8612 42355166 0 0
    # compatibility_mode=8192 67108863 100 0 495234 495234 0 0
    # scanned=118859
    # found=13
    # cleaned=0
    # scan_time=4043
    H:\office recovery\G\Lost File Results\LostFile_EXE_17977144.exe a variant of Win32/Kryptik.AAQ trojan (unable to clean) 00000000000000000000000000000000 I
    H:\office recovery\G\Lost File Results\LostFile_EXE_18174360.exe a variant of Win32/Kryptik.AAQ trojan (unable to clean) 00000000000000000000000000000000 I
    H:\office recovery\G\Lost File Results\LostFile_EXE_52609881.exe a variant of Win32/Conficker.Y worm (unable to clean) 00000000000000000000000000000000 I
    H:\office recovery\G\Lost File Results\LostFile_EXE_5472056.exe a variant of Win32/TrojanDownloader.FakeAlert.GO trojan (unable to clean) 00000000000000000000000000000000 I
    H:\office recovery\G\Lost File Results\LostFile_EXE_63078584.exe a variant of Win32/Kryptik.AY trojan (unable to clean) 00000000000000000000000000000000 I
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_104647160.exe a variant of Win32/Kryptik.AAQ trojan (unable to clean) 00000000000000000000000000000000 I
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_10607648.exe a variant of Win32/Kryptik.AAQ trojan (unable to clean) 00000000000000000000000000000000 I
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_10630496.exe a variant of Win32/Kryptik.AAQ trojan (unable to clean) 00000000000000000000000000000000 I
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_11193632.exe a variant of Win32/Kryptik.AAQ trojan (unable to clean) 00000000000000000000000000000000 I
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_5979896.exe a variant of Win32/Kryptik.AAQ trojan (unable to clean) 00000000000000000000000000000000 I
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_8634784.exe a variant of Win32/Kryptik.AAQ trojan (unable to clean) 00000000000000000000000000000000 I
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_9084792.exe a variant of Win32/Kryptik.AAQ trojan (unable to clean) 00000000000000000000000000000000 I
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_92521216.exe a variant of Win32/Kryptik.AAQ trojan (unable to clean) 00000000000000000000000000000000 I
    ESETSmartInstaller@High as downloader log:
    all ok
    # version=7
    # OnlineScannerApp.exe=1.0.0.1
    # OnlineScanner.ocx=1.0.0.6425
    # api_version=3.0.2
    # EOSSerial=d5531ca7203fe54797e590b518b5db27
    # end=finished
    # remove_checked=false
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2011-03-10 09:13:25
    # local_time=2011-03-10 11:13:25 (+0200, GTB Standard Time)
    # country="Greece"
    # lang=1033
    # osver=5.1.2600 NT Service Pack 2
    # compatibility_mode=512 16777215 100 0 1214219 1214219 0 0
    # compatibility_mode=1024 16777215 100 0 0 0 0 0
    # compatibility_mode=1797 16775141 100 93 0 36285366 188346 0
    # compatibility_mode=8192 67108863 100 0 1182877 1182877 0 0
    # scanned=142897
    # found=12
    # cleaned=0
    # scan_time=3187
    G:\_OTM\MovedFiles\03042011_113550\H_office recovery\G\Lost File Results\LostFile_EXE_17977144.exe a variant of Win32/Kryptik.AAQ trojan (unable to clean) 00000000000000000000000000000000 I
    G:\_OTM\MovedFiles\03042011_113550\H_office recovery\G\Lost File Results\LostFile_EXE_18174360.exe a variant of Win32/Kryptik.AAQ trojan (unable to clean) 00000000000000000000000000000000 I
    G:\_OTM\MovedFiles\03042011_113550\H_office recovery\G\Lost File Results\LostFile_EXE_52609881.exe a variant of Win32/Conficker.Y worm (unable to clean) 00000000000000000000000000000000 I
    G:\_OTM\MovedFiles\03042011_113550\H_office recovery\G\Lost File Results\LostFile_EXE_63078584.exe a variant of Win32/Kryptik.AY trojan (unable to clean) 00000000000000000000000000000000 I
    G:\_OTM\MovedFiles\03042011_113550\H_office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_104647160.exe a variant of Win32/Kryptik.AAQ trojan (unable to clean) 00000000000000000000000000000000 I
    G:\_OTM\MovedFiles\03042011_113550\H_office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_10607648.exe a variant of Win32/Kryptik.AAQ trojan (unable to clean) 00000000000000000000000000000000 I
    G:\_OTM\MovedFiles\03042011_113550\H_office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_10630496.exe a variant of Win32/Kryptik.AAQ trojan (unable to clean) 00000000000000000000000000000000 I
    G:\_OTM\MovedFiles\03042011_113550\H_office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_11193632.exe a variant of Win32/Kryptik.AAQ trojan (unable to clean) 00000000000000000000000000000000 I
    G:\_OTM\MovedFiles\03042011_113550\H_office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_5979896.exe a variant of Win32/Kryptik.AAQ trojan (unable to clean) 00000000000000000000000000000000 I
    G:\_OTM\MovedFiles\03042011_113550\H_office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_8634784.exe a variant of Win32/Kryptik.AAQ trojan (unable to clean) 00000000000000000000000000000000 I
    G:\_OTM\MovedFiles\03042011_113550\H_office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_9084792.exe a variant of Win32/Kryptik.AAQ trojan (unable to clean) 00000000000000000000000000000000 I
    G:\_OTM\MovedFiles\03042011_113550\H_office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_92521216.exe a variant of Win32/Kryptik.AAQ trojan (unable to clean) 00000000000000000000000000000000 I
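The three ESET logs above report the same recovered files twice under H:\ and a third time under G:\_OTM\MovedFiles\...\H_office recovery\..., the folder OTM moved them into. Correlating scans by hand across a quarantine move is error-prone, so the following Python script is added here as an example; it is not code from the thread, from ESET or from OTM. It parses lines in the Online Scanner log layout shown above, strips an OTM quarantine prefix (assumed, from the paths above, to have the form <drive>:\_OTM\MovedFiles\<timestamp>\<letter>_<original path>) so that moved files compare equal to their originals, checks each scan's `# found=` header against the detection lines actually present, and reports which detections persisted, were relocated, disappeared or are new between the first and last scan. The embedded sample log is a constructed excerpt of the logs above with the metadata trimmed to the keys the script uses.

```python
import re

# Constructed excerpt in the ESET Online Scanner log layout used in this thread:
# two scans of the same recovered files, the second taken after OTM had moved them
# from H: into its quarantine folder on G:. Paths and detection names are copied
# from the thread; the '#' metadata is trimmed to the keys this script reads.
SAMPLE_LOG = r"""
ESETSmartInstaller@High as downloader log:
all ok
# version=7
# utc_time=2011-02-24 05:41:41
# found=3
# cleaned=0
H:\office recovery\G\Lost File Results\LostFile_EXE_17977144.exe a variant of Win32/Kryptik.AAQ trojan (unable to clean) 00000000000000000000000000000000 I
H:\office recovery\G\Lost File Results\LostFile_EXE_5472056.exe a variant of Win32/TrojanDownloader.FakeAlert.GO trojan (unable to clean) 00000000000000000000000000000000 I
H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_104647160.exe a variant of Win32/Kryptik.AAQ trojan (unable to clean) 00000000000000000000000000000000 I
ESETSmartInstaller@High as downloader log:
all ok
esets_scanner_update returned -1 esets_gle=53251
# version=7
# utc_time=2011-03-10 09:13:25
# found=2
# cleaned=0
G:\_OTM\MovedFiles\03042011_113550\H_office recovery\G\Lost File Results\LostFile_EXE_17977144.exe a variant of Win32/Kryptik.AAQ trojan (unable to clean) 00000000000000000000000000000000 I
G:\_OTM\MovedFiles\03042011_113550\H_office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_104647160.exe a variant of Win32/Kryptik.AAQ trojan (unable to clean) 00000000000000000000000000000000 I
"""

# One detection line: <path> <threat name> (<action>) <32 hex digits> <flag>.
# The path is matched lazily and may contain spaces; the threat name is anchored
# on the Family/Variant token (contains a '/') followed by words such as 'trojan'.
DETECTION_RE = re.compile(
    r"^(?P<path>.+?) "
    r"(?P<threat>(?:probably )?(?:a variant of )?\S+/\S+(?: [a-z]+)+) "
    r"\((?P<action>[^)]*)\) "
    r"(?P<hash>[0-9A-Fa-f]{32}) "
    r"(?P<flag>\S+)$"
)

# Assumed OTM quarantine layout: <drive>:\_OTM\MovedFiles\DDMMYYYY_HHMMSS\<letter>_<rest>
OTM_RE = re.compile(
    r"^[A-Za-z]:\\_OTM\\MovedFiles\\\d{8}_\d{6}\\([A-Za-z])_(.*)$", re.IGNORECASE
)


def parse_eset_log(text):
    """Split concatenated scanner output into scans, each with its metadata and detections."""
    scans, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("# version="):          # every scan starts with this header
            current = {"meta": {}, "detections": []}
            scans.append(current)
        if current is None:                         # installer chatter before the first scan
            continue
        if line.startswith("# "):                   # key=value metadata (repeated keys overwrite)
            key, _, value = line[2:].partition("=")
            current["meta"][key] = value
            continue
        m = DETECTION_RE.match(line)
        if m:                                       # 'all ok' and similar lines are ignored
            current["detections"].append(m.groupdict())
    return scans


def normalize_path(path):
    """Map a path inside the OTM quarantine back to the original drive path."""
    m = OTM_RE.match(path)
    if m:
        return f"{m.group(1).upper()}:\\{m.group(2)}"
    return path


def count_mismatches(scans):
    """Scans whose '# found=' header disagrees with the number of detection lines parsed."""
    out = []
    for i, scan in enumerate(scans):
        declared = scan["meta"].get("found")
        if declared is not None and int(declared) != len(scan["detections"]):
            out.append((i, int(declared), len(scan["detections"])))
    return out


def correlate(first, last):
    """Match detections between two scans by quarantine-normalized, case-folded path."""
    def index(scan):
        return {normalize_path(d["path"]).lower(): d for d in scan["detections"]}
    a, b = index(first), index(last)
    common = set(a) & set(b)
    return {
        "persisting": sorted(common),
        "relocated": sorted(k for k in common if a[k]["path"] != b[k]["path"]),
        "gone": sorted(set(a) - set(b)),
        "new": sorted(set(b) - set(a)),
    }


if __name__ == "__main__":
    scans = parse_eset_log(SAMPLE_LOG)
    for i, scan in enumerate(scans):
        print(f"scan {i}: utc_time={scan['meta'].get('utc_time')} detections={len(scan['detections'])}")
    print("count mismatches:", count_mismatches(scans))
    for label, paths in correlate(scans[0], scans[-1]).items():
        print(label, *paths, sep="\n  ")
```

Run on the sample, the two Kryptik.AAQ files come back as both persisting and relocated (same file, new quarantine path), the FakeAlert.GO file is reported as gone, and nothing is new, which is the reading a helper wants before deciding whether a system was reinfected or merely had its files moved.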
  5. Bobbye Helper on the Fringe

    Eset scans:
    First scan: examples
    H:\office recovery\G\Lost File Results\LostFile_EXE_17977144.exe a variant of Win32/Kryptik.AAQ trojan (unable to clean)
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_104647160.exe a variant of Win32/Kryptik.AAQ trojan (unable to clean)
    Second scan: examples
    H:\office recovery\G\Lost File Results\LostFile_EXE_17977144.exe a variant of Win32/Kryptik.AAQ trojan (unable to clean)
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_104647160.exe a variant of Win32/Kryptik.AAQ trojan (unable to clean) 0000000

    OTM examples
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_104647160.exe moved successfully.
    H:\office recovery\G\Lost File Results\LostFile_EXE_17977144.exe moved successfully.

    Current scan: examples
    G:\_OTM\MovedFiles\03042011_113550\H_office recovery\G\Lost File Results\LostFile_EXE_17977144.exe a variant of Win32/Kryptik.AAQ trojan (unable to clean)
    G:\_OTM\MovedFiles\03042011_113550\H_office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_104647160.exe a variant of Win32/Kryptik.AAQ trojan (unable to clean)
    =========================================
    All infected files were removed from Drive H by OTL.
    I don't know why these drive letters are changing!
    ==========================================
    Delete the contents of the Avast quarantine folder. Please do not run Avast again unless I instruct you to. If you plan to continue using AVG, reinstall it on the system and do an update immediately. Let me know if anything new shows up, no log please. AVG put out a bad update that is causing legitimate entries to be flagged as Win32/Heur. If that is your case, the update should handle it.
    ======================================
    I can't tell if you're reinfecting the system or just changing drive letters. Please don't make any more system changes.
    =======================================
    Please disinfect all movable drives again:
    1. Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
    2. Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
      Note: Some security programs will flag Flash_Disinfector as being some sort of malware; you can safely ignore these warnings.
    3. The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
    4. Wait until it has finished scanning and then exit the program.
    5. Reboot your computer when done.

    Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder. It will help protect your drives from future infection.
    =================
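On the autorun.inf note above: a folder cannot hold a file and a directory with the same name, so a directory called autorun.inf at a drive root stops malware from dropping an autorun.inf file there, which is the protection the note describes. The Python below is an added example of that placeholder technique, not Flash_Disinfector's own code (its internals are not shown in this thread). It classifies each root as absent, protected or file, refuses to replace a real autorun.inf file and instead reports which launch keys that file carries, sets the Hidden attribute on Windows only, and exercises the whole flow against temporary directories standing in for drive roots. The sample autorun.inf content is constructed for the example.

```python
import os
import tempfile
from pathlib import Path

# Constructed sample for the 'a real autorun.inf file is already there' case.
# It is an assumed example, not something observed in this thread.
SAMPLE_AUTORUN_INF = "[autorun]\nopen=setup.exe\nicon=setup.exe,0\n"

# Keys in the [autorun] section that make Windows launch something.
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command")


def autorun_status(root):
    """Classify <root>/autorun.inf: 'absent', 'protected' (a directory) or 'file'."""
    target = Path(root) / "autorun.inf"
    if not target.exists():
        return "absent"
    return "protected" if target.is_dir() else "file"


def autorun_launch_entries(inf_path):
    """Return the launch-related keys of an autorun.inf file, for a triage report."""
    entries = {}
    in_autorun = False
    for line in Path(inf_path).read_text(errors="replace").splitlines():
        line = line.strip()
        if not line or line.startswith(";"):        # blank lines and comments
            continue
        if line.startswith("["):                     # section header
            in_autorun = line.lower() == "[autorun]"
            continue
        if in_autorun and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key.lower() in LAUNCH_KEYS:
                entries[key.lower()] = value
    return entries


def protect_root(root):
    """Create the placeholder directory. A pre-existing autorun.inf *file* is reported, not replaced."""
    status = autorun_status(root)
    if status != "absent":
        return "already-protected" if status == "protected" else "blocked-by-file"
    target = Path(root) / "autorun.inf"
    target.mkdir()
    if os.name == "nt":                              # Hidden attribute, Windows only
        import ctypes
        ctypes.windll.kernel32.SetFileAttributesW(str(target), 0x02)
    return "protected"


def triage(roots):
    """One report entry per root: its status and, for a real file, what it would launch."""
    report = {}
    for root in roots:
        entry = {"status": autorun_status(root)}
        if entry["status"] == "file":
            entry["launches"] = autorun_launch_entries(Path(root) / "autorun.inf")
        report[str(root)] = entry
    return report


def demo():
    """Run the whole flow against two throw-away directories standing in for drive roots."""
    clean = tempfile.mkdtemp(prefix="clean_root_")
    with_file = tempfile.mkdtemp(prefix="file_root_")
    (Path(with_file) / "autorun.inf").write_text(SAMPLE_AUTORUN_INF)
    return {
        "clean_before": autorun_status(clean),       # 'absent'
        "clean_protect": protect_root(clean),        # 'protected'
        "clean_again": protect_root(clean),          # 'already-protected'
        "file_protect": protect_root(with_file),     # 'blocked-by-file'
        "report": triage([clean, with_file]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The refusal in `protect_root` is the important edge case: if a real autorun.inf file is present, deleting it blindly destroys the evidence of what it pointed at, so the report shows the launch keys first and leaves the decision to the person cleaning the drive.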
  6. vbakis Newcomer, in training

    OK, I did run Flash_Disinfector and deleted 2 folders I found by the name $AVG on G:\ and H:\
    Now, I'm not planning to use AVG again since I had trouble running ComboFix. I'm using Avira.
    I have to tell you that once in a while I got a popup message from Avira Active Guard about malware found on H:\ that was moved to quarantine. Here follows the log from the last warning:



    Avira AntiVir Personal
    Report file date: Πέμπτη, 10 Μαρτίου 2011 10:17

    Scanning for 2470218 virus strains and unwanted programs.

    The program is running as an unrestricted full version.
    Online services are available:

    Licensee : Avira AntiVir Personal - FREE Antivirus
    Serial number : 0000149996-ADJIE-0000001
    Platform : Windows XP
    Windows version : (Service Pack 2) [5.1.2600]
    Boot mode : Normally booted
    Username : SYSTEM
    Computer name : VASILIS-45A94C9

    Version information:
    BUILD.DAT : 10.0.0.611 31824 Bytes 14/1/2011 13:42:00
    AVSCAN.EXE : 10.0.3.5 435368 Bytes 10/1/2011 12:23:31
    AVSCAN.DLL : 10.0.3.0 46440 Bytes 1/4/2010 10:57:04
    LUKE.DLL : 10.0.3.2 104296 Bytes 10/1/2011 12:23:40
    LUKERES.DLL : 10.0.0.1 12648 Bytes 10/2/2010 21:40:49
    VBASE000.VDF : 7.10.0.0 19875328 Bytes 6/11/2009 07:05:36
    VBASE001.VDF : 7.11.0.0 13342208 Bytes 14/12/2010 12:23:50
    VBASE002.VDF : 7.11.3.0 1950720 Bytes 9/2/2011 11:15:09
    VBASE003.VDF : 7.11.3.1 2048 Bytes 9/2/2011 11:15:10
    VBASE004.VDF : 7.11.3.2 2048 Bytes 9/2/2011 11:15:10
    VBASE005.VDF : 7.11.3.3 2048 Bytes 9/2/2011 11:15:10
    VBASE006.VDF : 7.11.3.4 2048 Bytes 9/2/2011 11:15:10
    VBASE007.VDF : 7.11.3.5 2048 Bytes 9/2/2011 11:15:10
    VBASE008.VDF : 7.11.3.6 2048 Bytes 9/2/2011 11:15:10
    VBASE009.VDF : 7.11.3.7 2048 Bytes 9/2/2011 11:15:10
    VBASE010.VDF : 7.11.3.8 2048 Bytes 9/2/2011 11:15:10
    VBASE011.VDF : 7.11.3.9 2048 Bytes 9/2/2011 11:15:11
    VBASE012.VDF : 7.11.3.10 2048 Bytes 9/2/2011 11:15:11
    VBASE013.VDF : 7.11.3.59 157184 Bytes 14/2/2011 11:15:12
    VBASE014.VDF : 7.11.3.97 120320 Bytes 16/2/2011 11:15:13
    VBASE015.VDF : 7.11.3.148 128000 Bytes 19/2/2011 11:15:14
    VBASE016.VDF : 7.11.3.183 140288 Bytes 22/2/2011 11:15:14
    VBASE017.VDF : 7.11.3.216 124416 Bytes 24/2/2011 11:15:14
    VBASE018.VDF : 7.11.3.251 159232 Bytes 28/2/2011 11:15:15
    VBASE019.VDF : 7.11.4.33 148992 Bytes 2/3/2011 11:14:18
    VBASE020.VDF : 7.11.4.73 150016 Bytes 6/3/2011 02:00:35
    VBASE021.VDF : 7.11.4.74 2048 Bytes 6/3/2011 02:00:35
    VBASE022.VDF : 7.11.4.75 2048 Bytes 6/3/2011 02:00:35
    VBASE023.VDF : 7.11.4.76 2048 Bytes 6/3/2011 02:00:35
    VBASE024.VDF : 7.11.4.77 2048 Bytes 6/3/2011 02:00:35
    VBASE025.VDF : 7.11.4.78 2048 Bytes 6/3/2011 02:00:35
    VBASE026.VDF : 7.11.4.79 2048 Bytes 6/3/2011 02:00:35
    VBASE027.VDF : 7.11.4.80 2048 Bytes 6/3/2011 02:00:35
    VBASE028.VDF : 7.11.4.81 2048 Bytes 6/3/2011 02:00:35
    VBASE029.VDF : 7.11.4.82 2048 Bytes 6/3/2011 02:00:35
    VBASE030.VDF : 7.11.4.83 2048 Bytes 6/3/2011 02:00:35
    VBASE031.VDF : 7.11.4.100 97792 Bytes 7/3/2011 02:00:35
    Engineversion : 8.2.4.180
    AEVDF.DLL : 8.1.2.1 106868 Bytes 10/1/2011 12:23:26
    AESCRIPT.DLL : 8.1.3.56 1261945 Bytes 8/3/2011 02:00:39
    AESCN.DLL : 8.1.7.2 127349 Bytes 10/1/2011 12:23:26
    AESBX.DLL : 8.1.3.2 254324 Bytes 10/1/2011 12:23:26
    AERDL.DLL : 8.1.9.2 635252 Bytes 10/1/2011 12:23:25
    AEPACK.DLL : 8.2.4.11 520566 Bytes 3/3/2011 11:14:20
    AEOFFICE.DLL : 8.1.1.17 205177 Bytes 8/3/2011 02:00:38
    AEHEUR.DLL : 8.1.2.83 3338613 Bytes 8/3/2011 02:00:38
    AEHELP.DLL : 8.1.16.1 246134 Bytes 2/3/2011 11:15:17
    AEGEN.DLL : 8.1.5.2 397683 Bytes 2/3/2011 11:15:17
    AEEMU.DLL : 8.1.3.0 393589 Bytes 10/1/2011 12:23:18
    AECORE.DLL : 8.1.19.2 196983 Bytes 2/3/2011 11:15:17
    AEBB.DLL : 8.1.1.0 53618 Bytes 10/1/2011 12:23:18
    AVWINLL.DLL : 10.0.0.0 19304 Bytes 10/1/2011 12:23:32
    AVPREF.DLL : 10.0.0.0 44904 Bytes 10/1/2011 12:23:30
    AVREP.DLL : 10.0.0.8 62209 Bytes 17/6/2010 12:27:13
    AVREG.DLL : 10.0.3.2 53096 Bytes 10/1/2011 12:23:31
    AVSCPLR.DLL : 10.0.3.2 84328 Bytes 10/1/2011 12:23:31
    AVARKT.DLL : 10.0.22.6 231784 Bytes 10/1/2011 12:23:27
    AVEVTLOG.DLL : 10.0.0.8 203112 Bytes 10/1/2011 12:23:28
    SQLITE3.DLL : 3.6.19.0 355688 Bytes 17/6/2010 12:27:22
    AVSMTP.DLL : 10.0.0.17 63848 Bytes 10/1/2011 12:23:31
    NETNT.DLL : 10.0.0.0 11624 Bytes 17/6/2010 12:27:21
    RCIMAGE.DLL : 10.0.0.26 2550120 Bytes 28/1/2010 11:10:20
    RCTEXT.DLL : 10.0.58.0 97128 Bytes 10/1/2011 12:23:52

    Configuration settings for the scan:
    Jobname.............................: avguard_async_scan
    Configuration file..................: G:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\AVGUARD_f532bcb6\guard_slideup.avp
    Logging.............................: low
    Primary action......................: repair
    Secondary action....................: quarantine
    Scan master boot sector.............: on
    Scan boot sector....................: off
    Process scan........................: on
    Scan registry.......................: off
    Search for rootkits.................: off
    Integrity checking of system files..: off
    Scan all files......................: All files
    Scan archives.......................: on
    Recursion depth.....................: 20
    Smart extensions....................: on
    Macro heuristic.....................: on
    File heuristic......................: high

    Start of the scan: Πέμπτη, 10 Μαρτίου 2011 10:17

    The scan of running processes will be started
    Scan process 'avscan.exe' - '1' Module(s) have been scanned
    Scan process 'chrome.exe' - '1' Module(s) have been scanned
    Scan process 'chrome.exe' - '1' Module(s) have been scanned
    Scan process 'chrome.exe' - '1' Module(s) have been scanned
    Scan process 'alg.exe' - '1' Module(s) have been scanned
    Scan process 'iPodService.exe' - '1' Module(s) have been scanned
    Scan process 'hpqSTE08.exe' - '1' Module(s) have been scanned
    Scan process 'svchost.exe' - '1' Module(s) have been scanned
    Scan process 'jqs.exe' - '1' Module(s) have been scanned
    Scan process 'mDNSResponder.exe' - '1' Module(s) have been scanned
    Scan process 'avshadow.exe' - '1' Module(s) have been scanned
    Scan process 'hpqtra08.exe' - '1' Module(s) have been scanned
    Scan process 'AppleMobileDeviceService.exe' - '1' Module(s) have been scanned
    Scan process 'avguard.exe' - '1' Module(s) have been scanned
    Scan process 'jusched.exe' - '1' Module(s) have been scanned
    Scan process 'iTunesHelper.exe' - '1' Module(s) have been scanned
    Scan process 'avgnt.exe' - '1' Module(s) have been scanned
    Scan process 'HPWuSchd2.exe' - '1' Module(s) have been scanned
    Scan process 'SOUNDMAN.EXE' - '1' Module(s) have been scanned
    Scan process 'svchost.exe' - '1' Module(s) have been scanned
    Scan process 'Explorer.EXE' - '1' Module(s) have been scanned
    Scan process 'sched.exe' - '1' Module(s) have been scanned
    Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
    Scan process 'svchost.exe' - '1' Module(s) have been scanned
    Scan process 'svchost.exe' - '1' Module(s) have been scanned
    Scan process 'svchost.exe' - '1' Module(s) have been scanned
    Scan process 'svchost.exe' - '1' Module(s) have been scanned
    Scan process 'svchost.exe' - '1' Module(s) have been scanned
    Scan process 'lsass.exe' - '1' Module(s) have been scanned
    Scan process 'services.exe' - '1' Module(s) have been scanned
    Scan process 'winlogon.exe' - '1' Module(s) have been scanned
    Scan process 'csrss.exe' - '1' Module(s) have been scanned
    Scan process 'smss.exe' - '1' Module(s) have been scanned

    Starting the file scan:

    Begin scan in 'H:\System Volume Information\_restore{2E663128-412D-4110-88DE-59CEE8824EA9}\RP30\A0013309.exe'
    H:\System Volume Information\_restore{2E663128-412D-4110-88DE-59CEE8824EA9}\RP30\A0013309.exe
    [DETECTION] Is the TR/Dropper.Gen2 Trojan
    [NOTE] The file was moved to the quarantine directory under the name '4f462837.qua'.


    End of the scan: Πέμπτη, 10 Μαρτίου 2011 10:17
    Used time: 00:15 Minute(s)

    The scan has been done completely.

    0 Scanned directories
    34 Files were scanned
    1 Viruses and/or unwanted programs were found
    0 Files were classified as suspicious
    0 files were deleted
    0 Viruses and unwanted programs were repaired
    1 Files were moved to quarantine
    0 Files were renamed
    0 Files cannot be scanned
    33 Files not concerned
    0 Archives were scanned
    0 Warnings
    1 Notes


    The scan results will be transferred to the Guard.
  7. Bobbye Helper on the Fringe

    Please note: System Volume is where the System Restore points are held. It is a protected system file and AV scans cannot remove it. As long as the malware is only located there, it is not active in the system. If you should do a system restore now and happen to choose that particular point, then you could reinfect the system. Otherwise, you are in no danger. When we are finished with the cleaning, I will have you drop the old restore points and set a new clean one.

    Someday, I hope antivirus programs will be able to read this correctly and not display it to the user, making them think they are still infected.
    ===========================================
    Removing all of the tools we used and the files and folders they created
    • Uninstall ComboFix and all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U; it needs to be there.
    • Download OTCleanIt by OldTimer and save it to your Desktop.
    • Double click OTCleanIt.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.

    Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
    • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
    • Go to Start > All Programs > Accessories > System Tools
    • Click "System Restore".
    • Choose "Create a Restore Point" on the first screen then click "Next".
    • Give the Restore Point a name> click "Create".
    • Go back and follow the path to > System Tools.
    • Choose Disc Cleanup
    • Click "OK" to select the partition or drive you want.
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


    Empty the Recycle Bin
    =======================================
    Now download AVG and save it to your desktop>> don't run it yet.

    Boot into Safe Mode
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

    To uninstall Avira:
    • Start> Settings> Control Panel> Add or Remove Programs (Windows 2000/ XP) or Start - Control Panel - Uninstall a program (Windows Vista / 7)
    • Wait for the list of installed programs to load, then click the name of the Avira program.
    • Click Remove next to the program's name (Windows 2000 / XP) or in the menu above the list (Windows Vista / 7).
    • Press Yes, to confirm the removal and then OK.
    • Click Next until Finish. The software is removed.
    ======================
    Reinstall AVG. Then immediately boot into Normal Mode and update it. Hopefully this will now have removed the Win32/Heur False Positive.

    IF you have any problem along the way, let me know.
  8. Bobbye Helper on the Fringe

    Reopening per member's request.

    Please be sure you have the latest AVG update per my post here: http://www.techspot.com/vb/topic162350.html

    Run a new Eset scan and let's see what it shows after you update AVG and reboot. Please leave the log in your next reply.
  9. vbakis Newcomer, in training

    ok good news eset didn't find any threats here's the log:


    ESETSmartInstaller@High as downloader log:
    all ok
    # version=7
    # OnlineScannerApp.exe=1.0.0.1
    # OnlineScanner.ocx=1.0.0.6425
    # api_version=3.0.2
    # EOSSerial=d5531ca7203fe54797e590b518b5db27
    # end=finished
    # remove_checked=false
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2011-02-24 05:41:41
    # local_time=2011-02-24 07:41:41 (+0200, GTB Standard Time)
    # country="Greece"
    # lang=1033
    # osver=5.1.2600 NT Service Pack 2
    # compatibility_mode=512 16777215 100 0 35242 35242 0 0
    # compatibility_mode=1032 16777173 100 94 7752 41863832 0 0
    # compatibility_mode=8192 67108863 100 0 3900 3900 0 0
    # scanned=113439
    # found=13
    # cleaned=0
    # scan_time=3061
    H:\office recovery\G\Lost File Results\LostFile_EXE_17977144.exe a variant of Win32/Kryptik.AAQ trojan (unable to clean) 00000000000000000000000000000000 I
    H:\office recovery\G\Lost File Results\LostFile_EXE_18174360.exe a variant of Win32/Kryptik.AAQ trojan (unable to clean) 00000000000000000000000000000000 I
    H:\office recovery\G\Lost File Results\LostFile_EXE_52609881.exe a variant of Win32/Conficker.Y worm (unable to clean) 00000000000000000000000000000000 I
    H:\office recovery\G\Lost File Results\LostFile_EXE_5472056.exe a variant of Win32/TrojanDownloader.FakeAlert.GO trojan (unable to clean) 00000000000000000000000000000000 I
    H:\office recovery\G\Lost File Results\LostFile_EXE_63078584.exe a variant of Win32/Kryptik.AY trojan (unable to clean) 00000000000000000000000000000000 I
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_104647160.exe a variant of Win32/Kryptik.AAQ trojan (unable to clean) 00000000000000000000000000000000 I
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_10607648.exe a variant of Win32/Kryptik.AAQ trojan (unable to clean) 00000000000000000000000000000000 I
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_10630496.exe a variant of Win32/Kryptik.AAQ trojan (unable to clean) 00000000000000000000000000000000 I
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_11193632.exe a variant of Win32/Kryptik.AAQ trojan (unable to clean) 00000000000000000000000000000000 I
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_5979896.exe a variant of Win32/Kryptik.AAQ trojan (unable to clean) 00000000000000000000000000000000 I
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_8634784.exe a variant of Win32/Kryptik.AAQ trojan (unable to clean) 00000000000000000000000000000000 I
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_9084792.exe a variant of Win32/Kryptik.AAQ trojan (unable to clean) 00000000000000000000000000000000 I
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_92521216.exe a variant of Win32/Kryptik.AAQ trojan (unable to clean) 00000000000000000000000000000000 I
    ESETSmartInstaller@High as downloader log:
    all ok
    ESETSmartInstaller@High as downloader log:
    all ok
    esets_scanner_update returned -1 esets_gle=53251
    # version=7
    # OnlineScannerApp.exe=1.0.0.1
    # OnlineScanner.ocx=1.0.0.6425
    # api_version=3.0.2
    # EOSSerial=d5531ca7203fe54797e590b518b5db27
    # end=finished
    # remove_checked=false
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2011-03-02 10:26:57
    # local_time=2011-03-02 12:26:57 (+0200, GTB Standard Time)
    # country="Greece"
    # lang=1033
    # osver=5.1.2600 NT Service Pack 2
    # compatibility_mode=512 16777215 100 0 526576 526576 0 0
    # compatibility_mode=1032 16777189 100 94 8612 42355166 0 0
    # compatibility_mode=8192 67108863 100 0 495234 495234 0 0
    # scanned=118859
    # found=13
    # cleaned=0
    # scan_time=4043
    H:\office recovery\G\Lost File Results\LostFile_EXE_17977144.exe a variant of Win32/Kryptik.AAQ trojan (unable to clean) 00000000000000000000000000000000 I
    H:\office recovery\G\Lost File Results\LostFile_EXE_18174360.exe a variant of Win32/Kryptik.AAQ trojan (unable to clean) 00000000000000000000000000000000 I
    H:\office recovery\G\Lost File Results\LostFile_EXE_52609881.exe a variant of Win32/Conficker.Y worm (unable to clean) 00000000000000000000000000000000 I
    H:\office recovery\G\Lost File Results\LostFile_EXE_5472056.exe a variant of Win32/TrojanDownloader.FakeAlert.GO trojan (unable to clean) 00000000000000000000000000000000 I
    H:\office recovery\G\Lost File Results\LostFile_EXE_63078584.exe a variant of Win32/Kryptik.AY trojan (unable to clean) 00000000000000000000000000000000 I
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_104647160.exe a variant of Win32/Kryptik.AAQ trojan (unable to clean) 00000000000000000000000000000000 I
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_10607648.exe a variant of Win32/Kryptik.AAQ trojan (unable to clean) 00000000000000000000000000000000 I
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_10630496.exe a variant of Win32/Kryptik.AAQ trojan (unable to clean) 00000000000000000000000000000000 I
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_11193632.exe a variant of Win32/Kryptik.AAQ trojan (unable to clean) 00000000000000000000000000000000 I
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_5979896.exe a variant of Win32/Kryptik.AAQ trojan (unable to clean) 00000000000000000000000000000000 I
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_8634784.exe a variant of Win32/Kryptik.AAQ trojan (unable to clean) 00000000000000000000000000000000 I
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_9084792.exe a variant of Win32/Kryptik.AAQ trojan (unable to clean) 00000000000000000000000000000000 I
    H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_92521216.exe a variant of Win32/Kryptik.AAQ trojan (unable to clean) 00000000000000000000000000000000 I
    ESETSmartInstaller@High as downloader log:
    all ok
    # version=7
    # OnlineScannerApp.exe=1.0.0.1
    # OnlineScanner.ocx=1.0.0.6425
    # api_version=3.0.2
    # EOSSerial=d5531ca7203fe54797e590b518b5db27
    # end=finished
    # remove_checked=false
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2011-03-10 09:13:25
    # local_time=2011-03-10 11:13:25 (+0200, GTB Standard Time)
    # country="Greece"
    # lang=1033
    # osver=5.1.2600 NT Service Pack 2
    # compatibility_mode=512 16777215 100 0 1214219 1214219 0 0
    # compatibility_mode=1024 16777215 100 0 0 0 0 0
    # compatibility_mode=1797 16775141 100 93 0 36285366 188346 0
    # compatibility_mode=8192 67108863 100 0 1182877 1182877 0 0
    # scanned=142897
    # found=12
    # cleaned=0
    # scan_time=3187
    G:\_OTM\MovedFiles\03042011_113550\H_office recovery\G\Lost File Results\LostFile_EXE_17977144.exe a variant of Win32/Kryptik.AAQ trojan (unable to clean) 00000000000000000000000000000000 I
    G:\_OTM\MovedFiles\03042011_113550\H_office recovery\G\Lost File Results\LostFile_EXE_18174360.exe a variant of Win32/Kryptik.AAQ trojan (unable to clean) 00000000000000000000000000000000 I
    G:\_OTM\MovedFiles\03042011_113550\H_office recovery\G\Lost File Results\LostFile_EXE_52609881.exe a variant of Win32/Conficker.Y worm (unable to clean) 00000000000000000000000000000000 I
    G:\_OTM\MovedFiles\03042011_113550\H_office recovery\G\Lost File Results\LostFile_EXE_63078584.exe a variant of Win32/Kryptik.AY trojan (unable to clean) 00000000000000000000000000000000 I
    G:\_OTM\MovedFiles\03042011_113550\H_office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_104647160.exe a variant of Win32/Kryptik.AAQ trojan (unable to clean) 00000000000000000000000000000000 I
    G:\_OTM\MovedFiles\03042011_113550\H_office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_10607648.exe a variant of Win32/Kryptik.AAQ trojan (unable to clean) 00000000000000000000000000000000 I
    G:\_OTM\MovedFiles\03042011_113550\H_office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_10630496.exe a variant of Win32/Kryptik.AAQ trojan (unable to clean) 00000000000000000000000000000000 I
    G:\_OTM\MovedFiles\03042011_113550\H_office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_11193632.exe a variant of Win32/Kryptik.AAQ trojan (unable to clean) 00000000000000000000000000000000 I
    G:\_OTM\MovedFiles\03042011_113550\H_office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_5979896.exe a variant of Win32/Kryptik.AAQ trojan (unable to clean) 00000000000000000000000000000000 I
    G:\_OTM\MovedFiles\03042011_113550\H_office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_8634784.exe a variant of Win32/Kryptik.AAQ trojan (unable to clean) 00000000000000000000000000000000 I
    G:\_OTM\MovedFiles\03042011_113550\H_office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_9084792.exe a variant of Win32/Kryptik.AAQ trojan (unable to clean) 00000000000000000000000000000000 I
    G:\_OTM\MovedFiles\03042011_113550\H_office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_92521216.exe a variant of Win32/Kryptik.AAQ trojan (unable to clean) 00000000000000000000000000000000 I
    ESETSmartInstaller@High as downloader log:
    all ok
    # version=7
    # OnlineScannerApp.exe=1.0.0.1
    # OnlineScanner.ocx=1.0.0.6425
    # api_version=3.0.2
    # EOSSerial=d5531ca7203fe54797e590b518b5db27
    # end=finished
    # remove_checked=false
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2011-03-15 10:08:01
    # local_time=2011-03-15 12:08:01 (+0200, GTB Standard Time)
    # country="Greece"
    # lang=1033
    # osver=5.1.2600 NT Service Pack 2
    # compatibility_mode=512 16777215 100 0 1647177 1647177 0 0
    # compatibility_mode=1032 16777173 100 94 3911 43475767 0 0
    # compatibility_mode=8192 67108863 100 0 1615835 1615835 0 0
    # scanned=151431
    # found=0
    # cleaned=0
    # scan_time=5506

    Shall I run a scan with AVG just to make sure? I've already updated
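    Bobbye's point in post 7 (a detection that sits only in System Volume Information or in a cleaning tool's backup folder is not running code) and the ESET logs posted above can be checked mechanically. The following is an added example, not ESET's code and not from this thread; it assumes the line layout shown in the posted log, and the Qoobox folder name and the placeholder paths in the sample are assumptions.

```python
"""Triage an ESET Online Scanner log of the kind posted in this thread.

Added example, not ESET's code and not from the thread. It splits a
concatenated log into scans, parses the '# key=value' header and the
detection lines, and labels each detection by where it sits. Sample
lines are constructed after the posted log; the 'live' path is a placeholder.
"""
import re
from collections import Counter

SAMPLE_LOG = r"""ESETSmartInstaller@High as downloader log:
all ok
# version=7
# utc_time=2011-03-10 09:13:25
# found=4
G:\_OTM\MovedFiles\03042011_113550\H_office recovery\G\Lost File Results\LostFile_EXE_17977144.exe a variant of Win32/Kryptik.AAQ trojan (unable to clean) 00000000000000000000000000000000 I
H:\office recovery\G\Lost File Results\Identified [Virtual NTFS Partition @ 0]\LostFile_EXE_8634784.exe a variant of Win32/Conficker.Y worm (unable to clean) 00000000000000000000000000000000 I
H:\System Volume Information\_restore{GUID-PLACEHOLDER}\RP30\A0013309.exe a variant of Win32/Kryptik.AY trojan (unable to clean) 00000000000000000000000000000000 I
C:\WINDOWS\system32\PLACEHOLDER_dropper.exe a variant of Win32/TrojanDownloader.FakeAlert.GO trojan (unable to clean) 00000000000000000000000000000000 I
ESETSmartInstaller@High as downloader log:
all ok
# version=7
# utc_time=2011-03-15 10:08:01
# found=0
"""

HEADER_RE = re.compile(r"^#\s*(?P<key>\w+)=(?P<value>.*)$")
# path (ends in an extension) | threat text | 32-hex hash column | flag
DETECTION_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?\.[A-Za-z0-9]{1,4})\s+(?P<threat>.+?)\s+"
    r"(?P<hash>[0-9A-Fa-f]{32})\s+(?P<flag>\S+)\s*$"
)

# First matching rule wins. Files in these places are not running code:
# a restore point (post 7), OTM's MovedFiles and ComboFix's Qoobox
# backups (assumed folder names), and the data-recovery output on H:.
LOCATION_RULES = (
    ("restore_point", re.compile(r"\\System Volume Information\\_restore", re.I)),
    ("tool_backup", re.compile(r"\\_OTM\\MovedFiles\\|\\Qoobox\\Quarantine\\", re.I)),
    ("recovered_data", re.compile(r"\\Lost File Results\\", re.I)),
)


def classify_path(path):
    """Label a detection path; anything unmatched is treated as live."""
    for label, rule in LOCATION_RULES:
        if rule.search(path):
            return label
    return "live"


def parse_eset_logs(text):
    """Return one dict per scan; a '# version=' line starts a new scan."""
    scans = []
    for raw in text.splitlines():
        line = raw.rstrip()
        m = HEADER_RE.match(line)
        if m:
            if m["key"] == "version" or not scans:
                scans.append({"header": {}, "detections": []})
            scans[-1]["header"][m["key"]] = m["value"]  # repeated keys keep the last
            continue
        m = DETECTION_RE.match(line)
        if m and scans:
            d = m.groupdict()
            d["location"] = classify_path(d["path"])
            scans[-1]["detections"].append(d)
    return scans


def triage(scan):
    """Summarise one scan and cross-check '# found' against parsed lines."""
    found = scan["detections"]
    reported = int(scan["header"].get("found", 0))
    return {
        "utc_time": scan["header"].get("utc_time"),
        "reported_found": reported,
        "parsed_found": len(found),
        "header_matches": reported == len(found),
        "by_location": dict(Counter(d["location"] for d in found)),
        "needs_attention": [d["path"] for d in found if d["location"] == "live"],
    }
```

    Run `triage` over each scan from `parse_eset_logs`; only paths listed under `needs_attention` sit outside restore points, tool backups and the recovery dump.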
  10. Bobbye Helper on the Fringe

    Make sure you have done the cleanup of the cleaning tools first, including setting new restore point, dropping old restore points. Reboot the computer. AVG should no longer show the System Restore> OTM entries. If it does and they are the same ones I had you remove, just delete the contents of the AVG quarantine folder.
  11. vbakis Newcomer, in training

    Hey Bobbye, I think we did it!
    I cleaned up all the tools and previous restore points and made a new scan with AVG and no viruses were found!
    Is there anything else I should do before I thank you!? :)
  12. Bobbye Helper on the Fringe

    It's okay to thank me now! ;) The system is clean. Make sure you have disinfected whatever you used for the office recovery.

    Use any or all of the following to stay safe and clean:
    Tips for added security and safer browsing:
    1. Browser Security Settings: Custom is fine if the user did the settings. Mine are Custom. Default is okay too, but sometimes too restrictive.
      This Tutorial will help guide you through Configuring Security Settings, Managing Active X Controls and other safety features: Make Internet Explorer safer.
    2. Have layered Security:
      • Antivirus Software (only one): Both of the following programs are free and known to be good:
        [o]Avira-AntiVir-Personal-Free-Antivirus
        [o]Avast Free Version
      • Firewall (only one): Use bi-directional firewall. Both of the following programs are free and known to be good:
        [o]Comodo
        [o]Zone Alarm
      • Antispyware: I recommend all of the following:
        [o]Spywareblaster: SpywareBlaster protects against bad ActiveX. It places kill bits to stop bad Active X controls from being installed. Remember to update it regularly.
      [o]Download ZonedOut and save to your desktop. This replaces IE/Spyad and manages the Zones in Internet Explorer. This places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
      For IE7 and IE8, Windows 2000 thru Vista. No Windows 7 yet.
      IE/Spyad is no longer being supported. If you have this on your system, you should replace it with the following program. Make sure your IE8 is up-to-date before adding sites to your restricted zone.
      Known issue: If you have "immunized" your computer with Spybot Search and Destroy, and use ZonedOut to "Remove All" restricted sites, ZonedOut will remove your trusted sites as well. Note that if you remove Spybot Search and Destroy's Immunization the problem goes away...
      [o]Replace the Host Files
      MVPS Hosts files: This replaces your current HOSTS file with one containing well known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
      [o]Google Toolbar: Get the free Google toolbar to help stop pop up windows.
    3. Stay current on updates:
      [o] Visit the Microsoft Download Site frequently. You should get All updates marked Critical and the current SP updates.
      [o]Visit this Adobe Reader site often and make sure you have the most current update. Uninstall any earlier updates as they are vulnerabilities.
      [o]Check this site: Java Updates. Stay current as most updates are for security. Uninstall any earlier versions in Add/Remove Programs.
    4. Reset Cookies to prevent Tracking Cookies:
      [o]For Internet Explorer: Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> check 'override automatic Cookie handling'> check 'accept first party Cookies'> check 'Block third party Cookies'> check 'allow per session Cookies'> Apply> OK.
      [o]For Firefox: Tools> Options> Privacy> Cookies> check ‘accept Cookies from Sites’> Uncheck 'accept third party Cookies'> Set Keep until 'they expire'. This will allow you to keep Cookies for registered sites and prevent or remove others. (Note: for Firefox v3.5, after Privacy click on 'use custom settings for History.')
      I suggest using the following two add-ons for Firefox. They will prevent the Tracking Cookies that come from ads and banners and other sources:
      AdBlock Plus
      Easy List
    5. Do regular Maintenance
      Remove Temporary Internet Files regularly:
      [o]ATF Cleaner by Atribune
      OR
      [o]TFC
      Disable and Enable System Restore:
      [o]See System Restore Guide This will help you understand what this is, why you need to clean and set restore points and what information is in them.
    6. Practice Safe Email Handling
      [o] Don't open email from anyone you don't know.
      [o] Don't open Attachments in the email. Save to your desktop and scan for viruses using a right click.
      [o] Don't leave your personal email address on the internet. Have a separate email account at one of the free web-based emails like Yahoo.
    Use a Site Advisor! I use the Web of Trust (WOT) which is an add-on safe surfing tool for your browser. Traffic-light rating symbols show which rate the site for Trustworthiness, Vendor Reliability, Privacy, Child Safety. Your online email account (Google Mail, Yahoo! Mail and Hotmail) is also protected.

    Every time you do a search and the screen comes up with the sites, they will have the rating light. Green (2 shades), Amber/Yellow Caution, Red> not advised. A few sites haven't been rated and show as a blue flashlight. http://www.mywot.com/en/download
  13. vbakis Newcomer, in training

    Thank you very much for all the support!!
    I'll keep in mind all the advice and tips!

    Thanks again!
  14. Bobbye Helper on the Fringe

    You're very welcome!:)