Solved Win32/Heur SHeur3.AQRA Win32/Zbot.B Infection


MrT0ad

AVG free has detected several viruses.

I have followed a similar infection thread currently running on the forum and taken the following steps:

run TFC .... done

run MBAM .... log attached

run GMER .... blue screen of death several times; ran in safe mode and the initial setup scan revealed the following:

type name value
------ ------- --------
device \filesystem\ntfs\ntfs 86F8F410
attachedID \filesystem\fastfat\fastfat fltmgr.sys(microsoft filesystem filter
service (***hidden***) (boot) nzsrby

then GMER pauses, waiting to scan; when I then scan I get the blue screen of death again (tried several times)

(I assume this is a rootkit!)

so I then ran DDS .... both logs attached

I also ran Kaspersky online scan which detected no infections

I then immediately ran eset online scan which detected 1078 infected files (ramnit.A) .... log attached

what next?
 

Attachments

  • mbam-log-2010-09-17 (12-59-34).txt (3.1 KB)
  • dds1 20100918.txt (17.7 KB)
  • dds2 20100918.txt (28 KB)
  • eset 20100919.txt (140.5 KB)
Hi and welcome to TechSpot forums :).

====

Please download ComboFix by sUBs from HERE or HERE
  • You must download it to and run it from your Desktop
  • Physically disconnect from the internet.
  • Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
  • Double click combofix.exe & follow the prompts.
  • When finished, it will produce a log. Please save that log to post in your next reply.
  • Re-enable all the programs that were disabled during the running of ComboFix.

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Run Combofix ONCE only!!
 
Downloaded and ran Combofix and received the blue screen of death about 40+ phases into the scan.

The message on the screen was "bad pool header"
 
I went ahead and ran Combofix in Safe Mode.

It ran and completed, rebooted and was preparing the txt file when it blue screened again.

However, it did write the txt file and I have attached it here .... not sure if it is complete.
 

Attachments

  • ComboFix.txt (29.7 KB)
That seems to have removed a few nasties. Are you able to run combofix in normal mode now? If so, please do so as that log was incomplete.
Another Eset scan would be great too.
 
Apologies, this might be slow for a few days, as I am travelling.

I ran Combofix in normal mode and it blue screened at the same stage as the first time I ran it in normal mode.
 
1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:
Code:
KillAll::

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Save the above as CFScript.txt

4. Physically disconnect from the internet.

5. Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.

6. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

(animation: CFScript.gif)

7. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply after you re-enable all the programs that were disabled during the running of ComboFix:
  • Combofix.txt
Please take note:

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
 
Same routine with combofix as last time:

in normal mode I got the BSOD some way through the CF routine;

in safe mode I got the BSOD after the file had been written.

Combofix txt file attached, not sure whether it is complete or not.
 

Attachments

  • ComboFix 20100925 safe.txt (23.8 KB)
Download OTL to your Desktop.

* Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
* Under the Custom Scan box paste this in:


netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
/md5stop
%systemroot%\*. /mp /s
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\System32\config\*.sav
CREATERESTOREPOINT


* Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
 
Ran the scan .... two files created.

The post limit was 20,000 characters;

both files are 110,000 characters, so I have attached them.
 

Attachments

  • OTL 20100925.Txt (144.7 KB)
  • Extras 20100925.Txt (71.5 KB)
Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    Code:
    :Files
    C:\Documents and Settings\User1\Application Data\Yvohe
    C:\Documents and Settings\LocalService\Application Data\bawuho.dat
    C:\Documents and Settings\User1\Local Settings\Application Data\imnegkrbc
    C:\WINDOWS\ecefotizicifa.dll
    :OTL
    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\XDva346.sys -- (XDva346)
    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\XDva345.sys -- (XDva345)
    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\XDva343.sys -- (XDva343)
    DRV - File not found [Kernel | Boot | Stopped] -- C:\WINDOWS\System32\DRIVERS\tclondrv.sys -- (tclondrv)
    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\User1\LOCALS~1\Temp\sony_ssm.sys -- (sony_ssm.sys)
    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\drivers\EagleNT.sys -- (EagleNT)
    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Program Files\MediaCoder iPhone Edition\SysInfo.sys -- (CrystalSysInfo)
    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\User1\LOCALS~1\Temp\catchme.sys -- (catchme)
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5555
    O2 - BHO: (no name) - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - No CLSID value found.
    O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll File not found
    O4 - HKLM..\Run: [Dtito] C:\WINDOWS\ecefotizicifa.DLL File not found
    O4 - HKLM..\Run: [NPSStartup]  File not found
    O4 - HKLM..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe File not found
    O4 - HKCU..\Run: [{F19DB013-8657-82F5-B23E-030E63C9724D}] C:\Documents and Settings\User1\Application Data\Yvohe\xiqon.exe File not found
    O4 - HKCU..\Run: [asam] C:\WINDOWS\asam.exe File not found
    O4 - HKCU..\Run: [JumiController]  File not found
    O4 - HKCU..\Run: [noicgoqj] C:\Documents and Settings\User1\Local Settings\Application Data\imnegkrbc\lelqvyxtssd.exe File not found
    O4 - HKCU..\Run: [Omagiko] C:\WINDOWS\dsclok.DLL File not found
    O4 - HKCU..\Run: [Rainlendar2] C:\Program Files\Rainlendar2\Rainlendar2.exe File not found
    O15 - HKLM\..Trusted Domains: amaena.com ([]* in Trusted sites)
    O15 - HKLM\..Trusted Domains: antispyexpert.com ([]* in Trusted sites)
    O15 - HKLM\..Trusted Domains: avsystemcare.com ([]* in Trusted sites)
    O15 - HKLM\..Trusted Domains: imageservr.com ([]* in Trusted sites)
    O15 - HKLM\..Trusted Domains: imagesrvr.com ([]* in Trusted sites)
    O15 - HKLM\..Trusted Domains: onerateld.com ([]* in Trusted sites)
    O15 - HKLM\..Trusted Domains: safetydownload.com ([]* in Trusted sites)
    O15 - HKLM\..Trusted Domains: spyguardpro.com ([]* in Trusted sites)
    O15 - HKLM\..Trusted Domains: storageguardsoft.com ([]* in Trusted sites)
    O15 - HKLM\..Trusted Domains: trustedantivirus.com ([]* in Trusted sites)
    O15 - HKLM\..Trusted Domains: virusremover2008.com ([]* in Trusted sites)
    O15 - HKLM\..Trusted Domains: virusschlacht.com ([]* in Trusted sites)
    O15 - HKCU\..Trusted Domains: amaena.com ([]* in Trusted sites)
    O15 - HKCU\..Trusted Domains: antispyexpert.com ([]* in Trusted sites)
    O15 - HKCU\..Trusted Domains: avsystemcare.com ([]* in Trusted sites)
    O15 - HKCU\..Trusted Domains: imageservr.com ([]* in Trusted sites)
    O15 - HKCU\..Trusted Domains: imagesrvr.com ([]* in Trusted sites)
    O15 - HKCU\..Trusted Domains: localhost ([]http in Local intranet)
    O15 - HKCU\..Trusted Domains: onerateld.com ([]* in Trusted sites)
    O15 - HKCU\..Trusted Domains: safetydownload.com ([]* in Trusted sites)
    O15 - HKCU\..Trusted Domains: spyguardpro.com ([]* in Trusted sites)
    O15 - HKCU\..Trusted Domains: storageguardsoft.com ([]* in Trusted sites)
    O15 - HKCU\..Trusted Domains: trustedantivirus.com ([]* in Trusted sites)
    O15 - HKCU\..Trusted Domains: virusremover2008.com ([]* in Trusted sites)
    O15 - HKCU\..Trusted Domains: virusschlacht.com ([]* in Trusted sites)
    O15 - HKCU\..Trusted Ranges: GD ([http] in Local intranet)
    :Reg
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "{F19DB013-8657-82F5-B23E-030E63C9724D}"=-
    :Commands
    [clearallrestorepoints]
    [emptyflash]
    [emptytemp]
    [resethosts]
    
    [Reboot]
  • Then click the Run Fix button at the top.
  • Let the program run unhindered, reboot the PC when it is done.
  • Post log from this run.
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
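The fix above works by handing OTL the exact scan lines to remove: the GUID-named HKCU Run value pointing at a randomly named executable under Application Data (characteristic of Zeus/Zbot-family persistence), the IE proxy pointed at 127.0.0.1, the rogue-AV domains added to the Trusted sites zone, and orphaned driver services with no file on disk. As an added example that is not part of the original thread and is not OTL's own code, here is a small Python triage script that reads OTL-format lines like the ones quoted, flags those indicator types, and emits an OTL fix body from what it flags. The sample log is constructed: its suspicious lines are modelled on the post above, while the atapi and ctfmon lines are invented benign entries (their exact OTL formatting is approximate) and the severity thresholds are my own assumptions.

```python
"""Triage OTL-style scan lines for the indicator types the fix above
removes, then emit an OTL fix body for what was flagged.

Added example, not code from the original thread or from OTL. The
sample log is constructed: its suspicious lines are modelled on the
post above; the atapi and ctfmon lines are invented benign entries.
"""
import re
import sys
from typing import List, Optional, Tuple

# Constructed sample (the benign driver line's format is approximate).
SAMPLE_LOG = r"""
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\XDva346.sys -- (XDva346)
DRV - [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\atapi.sys -- (atapi)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5555
O4 - HKLM..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (Microsoft Corporation)
O4 - HKCU..\Run: [{F19DB013-8657-82F5-B23E-030E63C9724D}] C:\Documents and Settings\User1\Application Data\Yvohe\xiqon.exe File not found
O4 - HKCU..\Run: [noicgoqj] C:\Documents and Settings\User1\Local Settings\Application Data\imnegkrbc\lelqvyxtssd.exe File not found
O15 - HKLM\..Trusted Domains: trustedantivirus.com ([]* in Trusted sites)
O15 - HKCU\..Trusted Domains: localhost ([]http in Local intranet)
"""

Finding = Tuple[str, str, str]  # (severity, reason, original line)

GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
O4_RE = re.compile(r"\[(?P<name>[^\]]*)\]\s*(?P<target>.*)$")
LOOPBACK_RE = re.compile(r"127\.0\.0\.1|localhost", re.IGNORECASE)
# Directories a standard user can write to; an autorun pointing here is
# far more suspicious than one under Program Files or system32.
PROFILE_DIRS = ("\\application data\\", "\\local settings\\", "\\appdata\\", "\\temp\\")
RANK = {"low": 0, "medium": 1, "high": 2}


def triage_line(line: str) -> Optional[Tuple[str, str]]:
    """Return (severity, reason) if the line matches a known indicator."""
    reasons: List[str] = []
    severity = "low"
    if line.startswith("O4 "):
        m = O4_RE.search(line)
        if not m:
            return None
        name, target = m.group("name"), m.group("target")
        if GUID_RE.match(name):
            reasons.append("Run value named with a bare GUID")
            severity = "high"
        if any(d in target.lower() for d in PROFILE_DIRS):
            reasons.append("autorun target in a user-writable profile directory")
            severity = "high"
        if "File not found" in target:
            reasons.append("autorun target missing on disk (orphaned or already removed)")
    elif line.startswith("IE ") and "ProxyServer" in line and LOOPBACK_RE.search(line):
        reasons.append("browser proxy pointed at loopback: check what listens on that port")
        severity = "high"
    elif line.startswith("O15 ") and "Trusted sites" in line:
        reasons.append("domain added to the IE Trusted sites zone")
        severity = "medium"
    elif line.startswith("DRV ") and "File not found" in line:
        reasons.append("driver service registered with no file on disk")
    return (severity, "; ".join(reasons)) if reasons else None


def triage(log: str) -> List[Finding]:
    """Run triage_line over every non-empty line of an OTL log."""
    findings: List[Finding] = []
    for raw in log.splitlines():
        line = raw.strip()
        hit = triage_line(line) if line else None
        if hit:
            findings.append((hit[0], hit[1], line))
    return findings


def build_fix(findings: List[Finding], min_severity: str = "low") -> str:
    """Emit an OTL fix body: flagged lines verbatim under :OTL, as in the
    thread's fix, then a reboot. Review it by hand before pasting into OTL."""
    keep = [line for sev, _, line in findings if RANK[sev] >= RANK[min_severity]]
    return "\n".join([":OTL", *keep, ":Commands", "[Reboot]"])


if __name__ == "__main__":
    # Pass a saved OTL.txt as the first argument, or run on the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_LOG
    results = triage(text)
    for sev, reason, line in results:
        print(f"[{sev:6}] {reason}\n         {line}")
    print("\n--- proposed OTL fix ---")
    print(build_fix(results))
```

Two design points: the rules key on where an autorun target lives and how it is named rather than on the malware's current file name, so a fresh variant with a different random directory still trips them; and the generated fix is deliberately just the flagged scan lines copied under :OTL, because that is the only OTL syntax the thread itself demonstrates. Raise min_severity to "high" to leave the harmless orphaned-driver entries alone.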
 
First run .... file posted below

All processes killed
========== FILES ==========
File\Folder C:\Documents and Settings\User1\Application Data\Yvohe not found.
C:\Documents and Settings\LocalService\Application Data\bawuho.dat moved successfully.
C:\Documents and Settings\User1\Local Settings\Application Data\imnegkrbc folder moved successfully.
File\Folder C:\WINDOWS\ecefotizicifa.dll not found.
========== OTL ==========
Service XDva346 stopped successfully!
Service XDva346 deleted successfully!
File C:\WINDOWS\System32\XDva346.sys not found.
Service XDva345 stopped successfully!
Service XDva345 deleted successfully!
File C:\WINDOWS\System32\XDva345.sys not found.
Service XDva343 stopped successfully!
Service XDva343 deleted successfully!
File C:\WINDOWS\System32\XDva343.sys not found.
Service tclondrv stopped successfully!
Service tclondrv deleted successfully!
File C:\WINDOWS\System32\DRIVERS\tclondrv.sys not found.
Service sony_ssm.sys stopped successfully!
Service sony_ssm.sys deleted successfully!
File C:\DOCUME~1\User1\LOCALS~1\Temp\sony_ssm.sys not found.
Service EagleNT stopped successfully!
Service EagleNT deleted successfully!
File C:\WINDOWS\System32\drivers\EagleNT.sys not found.
Service CrystalSysInfo stopped successfully!
Service CrystalSysInfo deleted successfully!
File C:\Program Files\MediaCoder iPhone Edition\SysInfo.sys not found.
Service catchme stopped successfully!
Service catchme deleted successfully!
File C:\DOCUME~1\User1\LOCALS~1\Temp\catchme.sys not found.
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer| /E : value set successfully!
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1392b8d2-5c05-419f-a8f6-b9f15a596612}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1392b8d2-5c05-419f-a8f6-b9f15a596612}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{53707962-6F74-2D53-2644-206D7942484F}\ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\Dtito deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\NPSStartup deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\WinampAgent deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\{F19DB013-8657-82F5-B23E-030E63C9724D} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F19DB013-8657-82F5-B23E-030E63C9724D}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\asam deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\JumiController deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\noicgoqj deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\Omagiko deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\Rainlendar2 deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\amaena.com\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\antispyexpert.com\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\avsystemcare.com\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\imageservr.com\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\imagesrvr.com\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\onerateld.com\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\safetydownload.com\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\spyguardpro.com\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\storageguardsoft.com\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\trustedantivirus.com\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\virusremover2008.com\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\virusschlacht.com\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\amaena.com\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\antispyexpert.com\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\avsystemcare.com\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\imageservr.com\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\imagesrvr.com\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\localhost\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\onerateld.com\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\safetydownload.com\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\spyguardpro.com\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\storageguardsoft.com\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\trustedantivirus.com\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\virusremover2008.com\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\virusschlacht.com\ deleted successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\GD\\http deleted successfully.
========== REGISTRY ==========
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\{F19DB013-8657-82F5-B23E-030E63C9724D} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F19DB013-8657-82F5-B23E-030E63C9724D}\ not found.
========== COMMANDS ==========
Restore points cleared and new OTL Restore Point set!

[EMPTYFLASH]

User: Administrator
->Flash cache emptied: 0 bytes

User: All Users

User: Ben2
->Flash cache emptied: 456 bytes

User: Default User
->Flash cache emptied: 0 bytes

User: Guest
->Flash cache emptied: 0 bytes

User: LocalService

User: NetworkService

User: Sara

User: Sara.BEN
->Flash cache emptied: 0 bytes

User: User1
->Flash cache emptied: 301430 bytes

Total Flash Files Cleaned = 0.00 mb


[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 78991 bytes
->Flash cache emptied: 0 bytes

User: All Users

User: Ben2
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 78991 bytes
->Java cache emptied: 131549 bytes
->FireFox cache emptied: 20101334 bytes
->Flash cache emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Flash cache emptied: 0 bytes

User: Guest
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 78991 bytes
->FireFox cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 970 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Sara
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: Sara.BEN
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 78991 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: User1
->Temp folder emptied: 32768 bytes
->Temporary Internet Files folder emptied: 10968829 bytes
->Java cache emptied: 18437830 bytes
->FireFox cache emptied: 79728897 bytes
->Google Chrome cache emptied: 245961842 bytes
->Flash cache emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 17867 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 358.00 mb

C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

OTL by OldTimer - Version 3.2.14.1 log created on 09252010_153905

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...
 
Second OTL run:

too long again (66,000+ characters),

attached below.
 

Attachments

  • OTL 20100925 2b.Txt (130.1 KB)
No more alerts at the moment.

Very early into the process, I switched from AVG to Avira.

Will run a full scan now.
 
Avira scan picked up rootkit RKIT/Agent.biiu.

Report below:

Avira AntiVir Personal
Report file date: 26 September 2010 08:32

Scanning for 2874959 virus strains and unwanted programs.

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 3) [5.1.2600]
Boot mode : Normally booted
Username : SYSTEM
Computer name : DELLPC-BEN

Version information:
BUILD.DAT : 9.0.0.422 21701 Bytes 3/9/2010 10:29:00
AVSCAN.EXE : 9.0.3.10 466689 Bytes 12/3/2009 21:57:31
AVSCAN.DLL : 9.0.3.0 40705 Bytes 2/27/2009 09:58:24
LUKE.DLL : 9.0.3.2 209665 Bytes 2/20/2009 10:35:49
LUKERES.DLL : 9.0.2.0 12033 Bytes 2/27/2009 09:58:52
VBASE000.VDF : 7.10.0.0 19875328 Bytes 11/6/2009 21:57:26
VBASE001.VDF : 7.10.1.0 1372672 Bytes 11/19/2009 21:57:27
VBASE002.VDF : 7.10.3.1 3143680 Bytes 1/20/2010 17:05:48
VBASE003.VDF : 7.10.3.75 996864 Bytes 1/26/2010 19:21:25
VBASE004.VDF : 7.10.4.203 1579008 Bytes 3/5/2010 14:12:57
VBASE005.VDF : 7.10.6.82 2494464 Bytes 4/15/2010 08:59:33
VBASE006.VDF : 7.10.7.218 2294784 Bytes 6/2/2010 14:29:57
VBASE007.VDF : 7.10.9.165 4840960 Bytes 7/23/2010 08:36:53
VBASE008.VDF : 7.10.11.133 3454464 Bytes 9/13/2010 18:36:34
VBASE009.VDF : 7.10.11.134 2048 Bytes 9/13/2010 18:36:34
VBASE010.VDF : 7.10.11.135 2048 Bytes 9/13/2010 18:36:35
VBASE011.VDF : 7.10.11.136 2048 Bytes 9/13/2010 18:36:35
VBASE012.VDF : 7.10.11.137 2048 Bytes 9/13/2010 18:36:35
VBASE013.VDF : 7.10.11.165 172032 Bytes 9/15/2010 18:25:36
VBASE014.VDF : 7.10.11.202 144384 Bytes 9/18/2010 18:23:11
VBASE015.VDF : 7.10.11.231 129024 Bytes 9/21/2010 18:23:16
VBASE016.VDF : 7.10.12.4 126464 Bytes 9/23/2010 19:29:07
VBASE017.VDF : 7.10.12.5 2048 Bytes 9/23/2010 19:29:07
VBASE018.VDF : 7.10.12.6 2048 Bytes 9/23/2010 19:29:07
VBASE019.VDF : 7.10.12.7 2048 Bytes 9/23/2010 19:29:07
VBASE020.VDF : 7.10.12.8 2048 Bytes 9/23/2010 19:29:07
VBASE021.VDF : 7.10.12.9 2048 Bytes 9/23/2010 19:29:07
VBASE022.VDF : 7.10.12.10 2048 Bytes 9/23/2010 19:29:07
VBASE023.VDF : 7.10.12.11 2048 Bytes 9/23/2010 19:29:07
VBASE024.VDF : 7.10.12.12 2048 Bytes 9/23/2010 19:29:07
VBASE025.VDF : 7.10.12.13 2048 Bytes 9/23/2010 19:29:08
VBASE026.VDF : 7.10.12.14 2048 Bytes 9/23/2010 19:29:08
VBASE027.VDF : 7.10.12.15 2048 Bytes 9/23/2010 19:29:08
VBASE028.VDF : 7.10.12.16 2048 Bytes 9/23/2010 19:29:08
VBASE029.VDF : 7.10.12.17 2048 Bytes 9/23/2010 19:29:08
VBASE030.VDF : 7.10.12.18 2048 Bytes 9/23/2010 19:29:08
VBASE031.VDF : 7.10.12.30 73728 Bytes 9/24/2010 19:29:08
Engineversion : 8.2.4.66
AEVDF.DLL : 8.1.2.1 106868 Bytes 8/5/2010 08:37:15
AESCRIPT.DLL : 8.1.3.45 1368443 Bytes 9/18/2010 18:23:21
AESCN.DLL : 8.1.6.1 127347 Bytes 5/14/2010 17:44:28
AESBX.DLL : 8.1.3.1 254324 Bytes 4/23/2010 18:09:47
AERDL.DLL : 8.1.9.2 635252 Bytes 9/21/2010 18:23:19
AEPACK.DLL : 8.2.3.7 471413 Bytes 9/18/2010 18:23:19
AEOFFICE.DLL : 8.1.1.8 201081 Bytes 8/5/2010 08:37:08
AEHEUR.DLL : 8.1.2.27 2933110 Bytes 9/24/2010 19:29:17
AEHELP.DLL : 8.1.13.4 242038 Bytes 9/24/2010 19:29:11
AEGEN.DLL : 8.1.3.22 401780 Bytes 9/18/2010 18:23:15
AEEMU.DLL : 8.1.2.0 393588 Bytes 4/23/2010 18:09:46
AECORE.DLL : 8.1.17.0 196982 Bytes 9/24/2010 19:29:09
AEBB.DLL : 8.1.1.0 53618 Bytes 4/23/2010 18:09:45
AVWINLL.DLL : 9.0.0.3 18177 Bytes 12/12/2008 07:47:59
AVPREF.DLL : 9.0.3.0 44289 Bytes 9/8/2009 18:10:28
AVREP.DLL : 8.0.0.7 159784 Bytes 2/17/2010 20:27:41
AVREG.DLL : 9.0.0.0 36609 Bytes 12/5/2008 09:32:09
AVARKT.DLL : 9.0.0.3 292609 Bytes 4/27/2009 18:02:01
AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 1/30/2009 09:37:08
SQLITE3.DLL : 3.6.1.0 326401 Bytes 1/28/2009 14:03:49
SMTPLIB.DLL : 9.2.0.25 28417 Bytes 2/2/2009 07:21:33
NETNT.DLL : 9.0.0.0 11521 Bytes 12/5/2008 09:32:10
RCIMAGE.DLL : 9.0.0.25 2438913 Bytes 6/10/2009 17:57:49
RCTEXT.DLL : 9.0.73.0 86785 Bytes 12/3/2009 21:57:21

Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:, D:,
Process scan........................: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium

Start of the scan: 26 September 2010 08:32

Starting search for hidden objects.
'62960' objects were checked, '0' hidden objects were found.

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'agent.exe' - '1' Module(s) have been scanned
Scan process 'ISUSPM.exe' - '1' Module(s) have been scanned
Scan process 'CLI.exe' - '1' Module(s) have been scanned
Scan process 'CLI.exe' - '1' Module(s) have been scanned
Scan process 'NMIndexingService.exe' - '1' Module(s) have been scanned
Scan process 'BTTray.exe' - '1' Module(s) have been scanned
Scan process 'iPodService.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'NMIndexStoreSvr.exe' - '1' Module(s) have been scanned
Scan process 'GoogleToolbarNotifier.exe' - '1' Module(s) have been scanned
Scan process 'btdna.exe' - '1' Module(s) have been scanned
Scan process 'NMBgMonitor.exe' - '1' Module(s) have been scanned
Scan process 'iTunesHelper.exe' - '1' Module(s) have been scanned
Scan process 'realsched.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'TrayIcon.exe' - '1' Module(s) have been scanned
Scan process 'PDVDServ.exe' - '1' Module(s) have been scanned
Scan process 'CLI.exe' - '1' Module(s) have been scanned
Scan process 'issch.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'ati2evxx.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'CALMAIN.exe' - '1' Module(s) have been scanned
Scan process 'searchindexer.exe' - '1' Module(s) have been scanned
Scan process 'UAService7.exe' - '1' Module(s) have been scanned
Scan process 'wdfmgr.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'PnkBstrB.exe' - '1' Module(s) have been scanned
Scan process 'PnkBstrA.exe' - '1' Module(s) have been scanned
Scan process 'NMSAccessU.exe' - '1' Module(s) have been scanned
Scan process 'MDM.EXE' - '1' Module(s) have been scanned
Scan process 'LSSrvc.exe' - '1' Module(s) have been scanned
Scan process 'jqs.exe' - '1' Module(s) have been scanned
Scan process 'iDownloadService.exe' - '1' Module(s) have been scanned
Scan process 'FsUsbExService.Exe' - '1' Module(s) have been scanned
Scan process 'BDTUpdateService.exe' - '1' Module(s) have been scanned
Scan process 'mDNSResponder.exe' - '1' Module(s) have been scanned
Scan process 'AppleMobileDeviceService.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'btwdins.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'MsMpEng.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'ati2evxx.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
58 processes with 58 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Master boot sector HD1
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!
Boot sector 'D:\'
[INFO] No virus was found!

Starting to scan executable files (registry).
The registry was scanned ( '78' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\hiberfil.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\pagefile.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\Documents and Settings\User1\My Documents\Downloads\Hjsplit\DWTTOC42698763.7z.001
[WARNING] The file could not be read!
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\_nzsrby_.sys.zip
[0] Archive type: ZIP
--> nzsrby.sys
[DETECTION] Contains recognition pattern of the RKIT/Agent.biiu root kit
Begin scan in 'D:\' <Media Drive>

Beginning disinfection:
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\_nzsrby_.sys.zip
[NOTE] The file was moved to '4d192251.qua'!


End of the scan: 26 September 2010 11:35
Used time: 2:35:34 Hour(s)

The scan has been done completely.

21167 Scanned directories
816879 Files were scanned
1 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
1 Files were moved to quarantine
0 Files were renamed
2 Files cannot be scanned
816876 Files not concerned
8842 Archives were scanned
3 Warnings
3 Notes
62960 Objects were scanned with rootkit scan
0 Hidden objects were found
 
That rootkit was already removed by Combofix :). Avira just found it in its quarantine folder.

Is the PC behaving itself now?
 
Yes, the PC is running well, no alerts or bad behaviour.

I am going to give it a good clean up, way too much rubbish on it .... my son has been using it for a few years and it is overdue a good clean.
 
Ok then, you may as well do the following:

To remove all of the tools we used and the files and folders they created, please do the following:
Please download OTC by OldTimer:
Save it to your Desktop.
Double click OTC.exe.
Click the CleanUp! button.
If you are prompted to Reboot during the cleanup, select Yes. The tool will delete itself once it finishes.
 