Saturday, April 19th 2014, 1:15am

  • "elasticbandy" started this thread

Date of registration:
Jun 7th 2012

Version:
Avira Free Antivirus

Operating System:
Windows 7


1

Thursday, June 7th 2012, 12:29pm

Removing TR/Small.FI, TR/Dldr.Karagany.I.102 & TR/ATRAPS.GEN2

Hi there,

I have seen a number of threads including some of these viruses and advice on how to remove them but despite following a couple of the steps I have seen, I haven't really got myself anywhere. Not being particularly tech aware, I figured I would consult some further help as I am not really sure what I am doing and what any of the 'reports' mean. The viruses being detected seem to be increasing so I'm hoping, with some help, that they can be removed.

The scan report is as follows:

Avira Free Antivirus
Report file date: 07 June 2012 10:31

Scanning for 3802583 virus strains and unwanted programs.

The program is running as an unrestricted full version.
Online services are available.

Licensee : Avira AntiVir Personal - Free Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows 7 Home Premium
Windows version : (Service Pack 1) [6.1.7601]
Boot mode : Normally booted
Username : SYSTEM
Computer name : BANDY-TOSH

Version information:
BUILD.DAT : 12.0.0.1125 41829 Bytes 02/05/2012 17:40:00
AVSCAN.EXE : 12.3.0.15 466896 Bytes 08/05/2012 17:19:19
AVSCAN.DLL : 12.3.0.15 54736 Bytes 08/05/2012 17:19:19
LUKE.DLL : 12.3.0.15 68304 Bytes 08/05/2012 17:19:19
AVSCPLR.DLL : 12.3.0.14 97032 Bytes 08/05/2012 17:19:20
AVREG.DLL : 12.3.0.17 232200 Bytes 11/05/2012 20:55:20
VBASE000.VDF : 7.10.0.0 19875328 Bytes 06/11/2009 20:18:34
VBASE001.VDF : 7.11.0.0 13342208 Bytes 14/12/2010 11:07:39
VBASE002.VDF : 7.11.19.170 14374912 Bytes 20/12/2011 21:37:37
VBASE003.VDF : 7.11.21.238 4472832 Bytes 01/02/2012 17:19:50
VBASE004.VDF : 7.11.26.44 4329472 Bytes 28/03/2012 16:10:53
VBASE005.VDF : 7.11.29.136 2166272 Bytes 10/05/2012 20:55:17
VBASE006.VDF : 7.11.29.137 2048 Bytes 10/05/2012 20:55:17
VBASE007.VDF : 7.11.29.138 2048 Bytes 10/05/2012 20:55:17
VBASE008.VDF : 7.11.29.139 2048 Bytes 10/05/2012 20:55:17
VBASE009.VDF : 7.11.29.140 2048 Bytes 10/05/2012 20:55:17
VBASE010.VDF : 7.11.29.141 2048 Bytes 10/05/2012 20:55:17
VBASE011.VDF : 7.11.29.142 2048 Bytes 10/05/2012 20:55:17
VBASE012.VDF : 7.11.29.143 2048 Bytes 10/05/2012 20:55:17
VBASE013.VDF : 7.11.29.144 2048 Bytes 10/05/2012 20:55:18
VBASE014.VDF : 7.11.30.3 198144 Bytes 14/05/2012 17:52:26
VBASE015.VDF : 7.11.30.69 186368 Bytes 17/05/2012 17:52:36
VBASE016.VDF : 7.11.30.143 223744 Bytes 21/05/2012 17:52:28
VBASE017.VDF : 7.11.30.207 287744 Bytes 23/05/2012 17:55:39
VBASE018.VDF : 7.11.31.57 188416 Bytes 28/05/2012 13:29:51
VBASE019.VDF : 7.11.31.111 214528 Bytes 30/05/2012 13:30:52
VBASE020.VDF : 7.11.31.151 116736 Bytes 31/05/2012 17:14:49
VBASE021.VDF : 7.11.31.205 134144 Bytes 03/06/2012 22:22:36
VBASE022.VDF : 7.11.32.9 169472 Bytes 05/06/2012 22:22:36
VBASE023.VDF : 7.11.32.10 2048 Bytes 05/06/2012 22:22:36
VBASE024.VDF : 7.11.32.11 2048 Bytes 05/06/2012 22:22:36
VBASE025.VDF : 7.11.32.12 2048 Bytes 05/06/2012 22:22:36
VBASE026.VDF : 7.11.32.13 2048 Bytes 05/06/2012 22:22:36
VBASE027.VDF : 7.11.32.14 2048 Bytes 05/06/2012 22:22:37
VBASE028.VDF : 7.11.32.15 2048 Bytes 05/06/2012 22:22:37
VBASE029.VDF : 7.11.32.16 2048 Bytes 05/06/2012 22:22:37
VBASE030.VDF : 7.11.32.17 2048 Bytes 05/06/2012 22:22:37
VBASE031.VDF : 7.11.32.42 66048 Bytes 06/06/2012 22:22:37
Engine version : 8.2.10.80
AEVDF.DLL : 8.1.2.8 106867 Bytes 01/06/2012 17:13:46
AESCRIPT.DLL : 8.1.4.24 450939 Bytes 31/05/2012 17:15:01
AESCN.DLL : 8.1.8.2 131444 Bytes 27/01/2012 10:56:07
AESBX.DLL : 8.2.5.10 606580 Bytes 30/05/2012 13:35:28
AERDL.DLL : 8.1.9.15 639348 Bytes 08/09/2011 23:16:06
AEPACK.DLL : 8.2.16.16 807288 Bytes 30/05/2012 13:32:47
AEOFFICE.DLL : 8.1.2.28 201082 Bytes 26/04/2012 17:58:05
AEHEUR.DLL : 8.1.4.36 4874615 Bytes 31/05/2012 17:15:01
AEHELP.DLL : 8.1.21.0 254326 Bytes 11/05/2012 20:55:18
AEGEN.DLL : 8.1.5.28 422260 Bytes 26/04/2012 17:52:54
AEEXP.DLL : 8.1.0.44 82293 Bytes 30/05/2012 13:35:30
AEEMU.DLL : 8.1.3.0 393589 Bytes 01/09/2011 23:46:01
AECORE.DLL : 8.1.25.10 201080 Bytes 31/05/2012 17:14:58
AEBB.DLL : 8.1.1.0 53618 Bytes 01/09/2011 23:46:01
AVWINLL.DLL : 12.3.0.15 27344 Bytes 08/05/2012 17:19:19
AVPREF.DLL : 12.3.0.15 51920 Bytes 08/05/2012 17:19:19
AVREP.DLL : 12.3.0.15 179208 Bytes 08/05/2012 17:19:20
AVARKT.DLL : 12.3.0.15 211408 Bytes 08/05/2012 17:19:19
AVEVTLOG.DLL : 12.3.0.15 169168 Bytes 08/05/2012 17:19:19
SQLITE3.DLL : 3.7.0.1 398288 Bytes 08/05/2012 17:19:20
AVSMTP.DLL : 12.3.0.15 63440 Bytes 08/05/2012 17:19:19
NETNT.DLL : 12.3.0.15 17104 Bytes 08/05/2012 17:19:19
RCIMAGE.DLL : 12.3.0.15 4450000 Bytes 08/05/2012 17:19:19
RCTEXT.DLL : 12.3.0.15 96720 Bytes 08/05/2012 17:19:19

Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: C:\Program Files (x86)\Avira\AntiVir Desktop\sysscan.avp
Logging.............................: default
Primary action......................: Interactive
Secondary action....................: Ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:, D:, Q:,
Process scan........................: on
Extended process scan...............: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: extended

Start of the scan: 07 June 2012 10:31

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!
Boot sector 'D:\'
[INFO] No virus was found!
Boot sector 'Q:\'
[INFO] No virus was found!
[INFO] Please restart the search with Administrator rights

Starting search for hidden objects.
Error in ARK library

The scan of running processes will be started
Scan process 'avscan.exe' - '83' Module(s) have been scanned
Scan process 'chrome.exe' - '47' Module(s) have been scanned
Scan process 'chrome.exe' - '47' Module(s) have been scanned
Scan process 'chrome.exe' - '47' Module(s) have been scanned
Scan process 'chrome.exe' - '47' Module(s) have been scanned
Scan process 'chrome.exe' - '47' Module(s) have been scanned
Scan process 'chrome.exe' - '64' Module(s) have been scanned
Scan process 'chrome.exe' - '47' Module(s) have been scanned
Scan process 'chrome.exe' - '47' Module(s) have been scanned
Scan process 'chrome.exe' - '101' Module(s) have been scanned
Scan process 'UNS.exe' - '55' Module(s) have been scanned
Scan process 'NASvc.exe' - '42' Module(s) have been scanned
Scan process 'mbamservice.exe' - '51' Module(s) have been scanned
Scan process 'CFSvcs.exe' - '48' Module(s) have been scanned
Scan process 'CFSwMgr.exe' - '56' Module(s) have been scanned
Scan process 'NDSTray.exe' - '82' Module(s) have been scanned
Scan process 'mbamgui.exe' - '35' Module(s) have been scanned
Scan process 'hpwuschd2.exe' - '20' Module(s) have been scanned
Scan process 'DivXUpdate.exe' - '65' Module(s) have been scanned
Scan process 'avgnt.exe' - '77' Module(s) have been scanned
Scan process 'KeNotify.exe' - '24' Module(s) have been scanned
Scan process 'SpotifyWebHelper.exe' - '34' Module(s) have been scanned
Scan process 'spotify.exe' - '75' Module(s) have been scanned
Scan process 'GoogleUpdate.exe' - '47' Module(s) have been scanned
Scan process 'CVHSVC.EXE' - '59' Module(s) have been scanned
Scan process 'sftlist.exe' - '63' Module(s) have been scanned
Scan process 'sftvsa.exe' - '28' Module(s) have been scanned
Scan process 'LMS.exe' - '29' Module(s) have been scanned
Scan process 'RIconMan.exe' - '38' Module(s) have been scanned
Scan process 'avguard.exe' - '81' Module(s) have been scanned
Scan process 'armsvc.exe' - '24' Module(s) have been scanned
Scan process 'sched.exe' - '42' Module(s) have been scanned

Starting to scan executable files (registry).
The registry was scanned ( '11445' files ).


Starting the file scan:

Begin scan in 'C:\' <WINDOWS>
C:\Users\Bandy\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\24\c560898-304586d9
[DETECTION] Is the TR/Dldr.Karagany.I.102 Trojan
C:\Users\Bandy\Downloads\palom.rar
[WARNING] The archive is password protected
C:\Windows\Installer\{0c17f446-b9c1-bbe0-744f-43ffe625f916}\U\00000001.@
[DETECTION] Is the TR/Small.FI Trojan
C:\Windows\Installer\{0c17f446-b9c1-bbe0-744f-43ffe625f916}\U\80000000.@
[DETECTION] Is the TR/ATRAPS.Gen Trojan
C:\Windows\Installer\{0c17f446-b9c1-bbe0-744f-43ffe625f916}\U\800000cb.@
[DETECTION] Is the TR/ATRAPS.Gen2 Trojan
C:\Windows\SoftwareDistribution\Download\a568738027b9278d7681fca958f664fb\BITA64E.tmp
[0] Archive type: CAB SFX (self extracting)
--> silverlight.7z
[WARNING] The file could not be read!
[WARNING] No further files can be extracted from this archive. The archive will be closed
Begin scan in 'D:\' <Data>
Begin scan in 'Q:\'
Search path Q:\ could not be opened!
System error [5]: Access is denied.

Beginning disinfection:
C:\Windows\Installer\{0c17f446-b9c1-bbe0-744f-43ffe625f916}\U\800000cb.@
[DETECTION] Is the TR/ATRAPS.Gen2 Trojan
[NOTE] The file was moved to the quarantine directory under the name '55da226d.qua'.
C:\Windows\Installer\{0c17f446-b9c1-bbe0-744f-43ffe625f916}\U\80000000.@
[DETECTION] Is the TR/ATRAPS.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '4d4d0dca.qua'.
C:\Windows\Installer\{0c17f446-b9c1-bbe0-744f-43ffe625f916}\U\00000001.@
[DETECTION] Is the TR/Small.FI Trojan
[NOTE] The file could not be copied to quarantine!
[NOTE] The file does not exist!
C:\Users\Bandy\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\24\c560898-304586d9
[DETECTION] Is the TR/Dldr.Karagany.I.102 Trojan
[NOTE] The file was moved to the quarantine directory under the name '792318e8.qua'.


End of the scan: 07 June 2012 11:26
Used time: 52:04 Minute(s)

The scan has been done completely.

23332 Scanned directories
328728 Files were scanned
4 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 Files were deleted
0 Viruses and unwanted programs were repaired
3 Files were moved to quarantine
0 Files were renamed
0 Files cannot be scanned
328724 Files not concerned
3459 Archives were scanned
3 Warnings
4 Notes
24989 Objects were scanned with rootkit scan
0 Hidden objects were found

I am also about to run Codefix (as that has been recommended in other posts) and will put the report here in another post when it has been completed.
Thanks in advance.
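The Avira report above pairs each file path with its [DETECTION] and [NOTE] lines, and the useful signal is which detections actually reached quarantine and which did not (the 00000001.@ file "could not be copied to quarantine" and then "does not exist", which is why it keeps coming back). The parser below is an added example, not code from this thread or from Avira; it reads the 'Beginning disinfection' section of a report in that layout and lists the unresolved paths and the Windows\Installer\{GUID} folders they live in. The embedded excerpt is constructed from the log above, and the three function names are my own.

```python
import re

# Constructed excerpt in the layout of the Avira report above (paths and
# detection names copied from it); assumed sufficient to exercise the parser.
SAMPLE_REPORT = r"""Beginning disinfection:
C:\Windows\Installer\{0c17f446-b9c1-bbe0-744f-43ffe625f916}\U\800000cb.@
[DETECTION] Is the TR/ATRAPS.Gen2 Trojan
[NOTE] The file was moved to the quarantine directory under the name '55da226d.qua'.
C:\Windows\Installer\{0c17f446-b9c1-bbe0-744f-43ffe625f916}\U\00000001.@
[DETECTION] Is the TR/Small.FI Trojan
[NOTE] The file could not be copied to quarantine!
[NOTE] The file does not exist!
C:\Users\Bandy\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\24\c560898-304586d9
[DETECTION] Is the TR/Dldr.Karagany.I.102 Trojan
[NOTE] The file was moved to the quarantine directory under the name '792318e8.qua'.
End of the scan: 07 June 2012 11:26
"""

DETECTION_RE = re.compile(r"^\[DETECTION\] Is the (\S+) ")
QUARANTINE_RE = re.compile(r"under the name '([^']+)'")
INSTALLER_RE = re.compile(r"^(C:\\Windows\\Installer\\\{[0-9a-f-]+\})\\", re.I)

def parse_disinfection(report):
    """One record per path in the 'Beginning disinfection' section of the report."""
    records, current, in_section = [], None, False
    for raw in report.splitlines():
        line = raw.strip()
        if line.startswith("Beginning disinfection"):
            in_section = True
        elif line.startswith("End of the scan"):
            break
        elif not in_section or not line:
            continue
        elif not line.startswith("["):
            # A non-bracketed line is a file path and opens a new record.
            current = {"path": line, "detection": None, "notes": [], "quarantined_as": None}
            records.append(current)
        elif current is None:
            continue  # bracketed line before any path; nothing to attach it to
        elif m := DETECTION_RE.match(line):
            current["detection"] = m.group(1)
        elif line.startswith("[NOTE] "):
            current["notes"].append(line[len("[NOTE] "):])
            if q := QUARANTINE_RE.search(line):
                current["quarantined_as"] = q.group(1)
    return records

def unresolved(records):
    """Detected paths that never reached quarantine; these need a second look."""
    return [r["path"] for r in records if r["quarantined_as"] is None]

def installer_folders(records):
    """Distinct Windows\\Installer\\{GUID} folders that held detections."""
    hits = (INSTALLER_RE.match(r["path"]) for r in records)
    return sorted({m.group(1) for m in hits if m})
```

Run it over a full report file and `unresolved()` gives the files the scanner saw but could not remove, which is exactly the list a helper asks about next.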

  • "elasticbandy" started this thread


2

Thursday, June 7th 2012, 12:42pm

This may seem a daft question, but how do you disable Avira? I have tried right-clicking and turning off real-time protection, but Codefix tells me that it is still running.

FFreestyleRR

Community member

Date of registration:
Apr 16th 2008

Version:
Avira Free Antivirus

Operating System:
Windows 7 Ultimate SP1 x64


3

Thursday, June 7th 2012, 12:47pm

Hi,

The steps are individual for each user. They aren't universal for all.
Following them without a supervisor's assistance could render your PC unbootable.
Please refrain from doing so.

  • Please download BlitzBlank.exe by emsisoft and save it to your desktop

  • Open Blitzblank.exe by double click on it.

  • Click OK at the warning (and take note of it, this is a VERY powerful tool!).

  • Click the Script tab and copy/paste the following text there:

    DeleteFolder:
    C:\Windows\Installer\{0c17f446-b9c1-bbe0-744f-43ffe625f916}

  • Click Execute Now. Your computer will need to reboot in order to replace the files.

  • When done, post me the report created by BlitzBlank. You can find it at the root of the drive C:\

Regards,
Georgi

  • "elasticbandy" started this thread


4

Thursday, June 7th 2012, 2:38pm

Thank you for getting back to me so quickly. Unfortunately I appear to have done some damage while trying to execute Codefix as I now receive this message when logging onto Windows:

C:\\Windowszsystem32\config\systemprofile\Desktop refers to a location that is unavailable. It could be on a hard drive on this computer, or on a network. Check to make sure that the disk is properly inserted, or that you are connected to the Internet on your network, and then try again. If it cannot be located, the information might have been moved to a different location.

Windows 7 doesn't appear to be there any more and, from the way the interface looks, it looks as though it's reverted back to Windows 95. I am currently on a different computer as a lot of the programs from my laptop have disappeared, including internet browsers.

Here is the BlitzBlank report:

BlitzBlank 1.0.0.32

File/Registry Modification Engine native application
MoveDirectoryOnReboot: sourceDirectory = "\??\c:\\windows\installer\{0c17f446-b9c1-bbe0-744f-43ffe625f916}", destinationDirectory = "(null)", replaceWithDummy = 0
MoveFileOnReboot: sourceFile = "\??\c:\\windows\installer\{0c17f446-b9c1-bbe0-744f-43ffe625f916}\@", destinationFile = "(null)", replaceWithDummy = 0
MoveDirectoryOnReboot: sourceDirectory = "\??\c:\\windows\installer\{0c17f446-b9c1-bbe0-744f-43ffe625f916}\L", destinationDirectory = "(null)", replaceWithDummy = 0
MoveDirectoryOnReboot: sourceDirectory = "\??\c:\\windows\installer\{0c17f446-b9c1-bbe0-744f-43ffe625f916}\U", destinationDirectory = "(null)", replaceWithDummy = 0
MoveFileOnReboot: sourceFile = "\??\c:\\windows\installer\{0c17f446-b9c1-bbe0-744f-43ffe625f916}\U\00000001.@", destinationFile = "(null)", replaceWithDummy = 0
MoveFileOnReboot: sourceFile = "\??\c:\\windows\installer\{0c17f446-b9c1-bbe0-744f-43ffe625f916}\U\80000000.@", destinationFile = "(null)", replaceWithDummy = 0
MoveFileOnReboot: sourceFile = "\??\c:\\windows\installer\{0c17f446-b9c1-bbe0-744f-43ffe625f916}\U\800000cb.@", destinationFile = "(null)", replaceWithDummy = 0

FFreestyleRR


5

Thursday, June 7th 2012, 4:31pm

Hi,

It sounds like your profile is getting corrupted...

Do you have a folder called Qoobox on C: Drive?
If so please post back the contents of the ComboFix-quarantined-files.txt or Combofix.txt in your next reply.

Regards,
Georgi

FFreestyleRR


6

Sunday, June 10th 2012, 7:02pm

Hi,

Please keep me posted.
Do you still need help?

Regards,
Georgi

g.mavrov

Date of registration:
Jun 13th 2012

Version:
Avira Antivirus Premium

Operating System:
windows xp

7

Wednesday, June 13th 2012, 6:48pm

I have the same problem. I tried BlitzBlank - nothing! Here is the logfile:
BlitzBlank 1.0.0.32
File/Registry Modification Engine native application
MoveFileOnReboot: sourceFile = "\??\C:\Windows\Installer\{f46c22b0-ea48-d5f7-d09e-2f586543cc2a}\U\00000001.@", destinationFile = "(null)", replaceWithDummy = 0
Why can't AVIRA remove this trojan?
This is the report from AVIRA:
last file C:\WINDOWS\Installer\{f46c22b0-ea48-d5f7-d09e-2f586543cc2a}\U\00000001.@
last virus TR/Small.FI

This post has been edited 1 times, last edit by "g.mavrov" (Jun 13th 2012, 6:54pm)



8

Wednesday, June 13th 2012, 8:29pm

New full scan report:
Beginning disinfection:
C:\WINDOWS\Installer\{f46c22b0-ea48-d5f7-d09e-2f586543cc2a}\U\800000cb.@
[DETECTION] Is the TR/ATRAPS.Gen2 Trojan
[NOTE] The file was successfully wiped!
[NOTE] The file was deleted!
C:\WINDOWS\Installer\{f46c22b0-ea48-d5f7-d09e-2f586543cc2a}\U\80000000.@
[DETECTION] Is the TR/Sirefef.AG.35 Trojan
[NOTE] The file was successfully wiped!
[NOTE] The file was deleted!
C:\WINDOWS\Installer\{f46c22b0-ea48-d5f7-d09e-2f586543cc2a}\U\00000001.@
[DETECTION] Is the TR/Small.FI Trojan
[NOTE] The file was successfully wiped!
[NOTE] The file was deleted!

Let's see - really removed?

5 minutes later - No, the trojans are here!
AVIRA did not clean them!

This post has been edited 1 times, last edit by "g.mavrov" (Jun 13th 2012, 8:40pm)


FFreestyleRR


9

Wednesday, June 13th 2012, 11:57pm

Hi,

@g.mavrov,

Please open your own thread and don't hijack this thread to discuss your problems. :)
The steps are individual for each user. They aren't universal for all.

Regards,
Georgi

g.mavrov

10

Thursday, June 14th 2012, 10:28am

Sorry, I thought that AVIRA could fix the problem automatically for all users.