Thursday, April 24th 2014, 8:17am

  • "JohnDoe12" started this thread

Date of registration:
Mar 26th 2010


1

Friday, March 26th 2010, 7:04pm

C:\ProgramData\Microsoft\Search\Data\Applications\Windows\tmp.edb [DETECTION] Is the TR/Crypt.ULPM.Gen Trojan

Hi,

My Avira Premium detects the following file as the trojan TR/Crypt.ULPM.Gen: C:\ProgramData\Microsoft\Search\Data\Applications\Windows\tmp.edb.

It is unable to delete, quarantine, or take any other action on this file. Now, I found a similar post on this forum stating that this may be a false positive, BUT NOTE: my Snort network scanner, which is monitoring all network traffic on my home network via a mirrored port, gave a warning yesterday that it detected a trojan-like request for a certain Russian name server.

Please see below the log file of the scan... Please let me know how to proceed!

Avira AntiVir Premium
Report file date: vrijdag 26 maart 2010 06:43

Scanning for 1900330 virus strains and unwanted programs.

Licensee : XXXXX
Serial number : XXXXX
Platform : Windows Vista
Windows version : (plain) [6.1.7600]
Boot mode : Normally booted
Username : XXXXX
Computer name : XXXXX

Version information:
BUILD.DAT : 9.0.0.458 24893 Bytes 25-2-2010 12:27:00
AVSCAN.EXE : 9.0.3.10 466689 Bytes 14-1-2010 11:20:10
AVSCAN.DLL : 9.0.3.0 40705 Bytes 14-1-2010 11:20:09
LUKE.DLL : 9.0.3.2 209665 Bytes 14-1-2010 11:20:15
LUKERES.DLL : 9.0.2.0 12033 Bytes 14-1-2010 11:20:15
VBASE000.VDF : 7.10.0.0 19875328 Bytes 6-11-2009 11:19:59
VBASE001.VDF : 7.10.1.0 1372672 Bytes 19-11-2009 11:20:00
VBASE002.VDF : 7.10.3.1 3143680 Bytes 20-1-2010 17:40:39
VBASE003.VDF : 7.10.3.75 996864 Bytes 26-1-2010 17:26:59
VBASE004.VDF : 7.10.4.203 1579008 Bytes 5-3-2010 10:17:17
VBASE005.VDF : 7.10.4.204 2048 Bytes 5-3-2010 10:17:18
VBASE006.VDF : 7.10.4.205 2048 Bytes 5-3-2010 10:17:18
VBASE007.VDF : 7.10.4.206 2048 Bytes 5-3-2010 10:17:18
VBASE008.VDF : 7.10.4.207 2048 Bytes 5-3-2010 10:17:18
VBASE009.VDF : 7.10.4.208 2048 Bytes 5-3-2010 10:17:18
VBASE010.VDF : 7.10.4.209 2048 Bytes 5-3-2010 10:17:18
VBASE011.VDF : 7.10.4.210 2048 Bytes 5-3-2010 10:17:18
VBASE012.VDF : 7.10.4.211 2048 Bytes 5-3-2010 10:17:18
VBASE013.VDF : 7.10.4.242 153088 Bytes 8-3-2010 10:17:18
VBASE014.VDF : 7.10.5.17 99328 Bytes 10-3-2010 10:17:18
VBASE015.VDF : 7.10.5.44 107008 Bytes 11-3-2010 10:17:18
VBASE016.VDF : 7.10.5.69 92672 Bytes 12-3-2010 06:41:27
VBASE017.VDF : 7.10.5.91 119808 Bytes 15-3-2010 06:17:22
VBASE018.VDF : 7.10.5.121 112640 Bytes 18-3-2010 16:41:56
VBASE019.VDF : 7.10.5.138 139776 Bytes 18-3-2010 05:44:46
VBASE020.VDF : 7.10.5.164 113152 Bytes 22-3-2010 08:49:12
VBASE021.VDF : 7.10.5.182 108032 Bytes 23-3-2010 20:44:42
VBASE022.VDF : 7.10.5.199 123904 Bytes 24-3-2010 20:44:42
VBASE023.VDF : 7.10.5.200 2048 Bytes 24-3-2010 20:44:42
VBASE024.VDF : 7.10.5.201 2048 Bytes 24-3-2010 20:44:42
VBASE025.VDF : 7.10.5.202 2048 Bytes 24-3-2010 20:44:42
VBASE026.VDF : 7.10.5.203 2048 Bytes 24-3-2010 20:44:42
VBASE027.VDF : 7.10.5.204 2048 Bytes 24-3-2010 20:44:42
VBASE028.VDF : 7.10.5.205 2048 Bytes 24-3-2010 20:44:42
VBASE029.VDF : 7.10.5.206 2048 Bytes 24-3-2010 20:44:42
VBASE030.VDF : 7.10.5.207 2048 Bytes 24-3-2010 20:44:42
VBASE031.VDF : 7.10.5.208 26112 Bytes 24-3-2010 20:44:42
Engineversion : 8.2.1.196
AEVDF.DLL : 8.1.1.3 106868 Bytes 22-1-2010 22:51:40
AESCRIPT.DLL : 8.1.3.18 1024378 Bytes 17-3-2010 21:39:21
AESCN.DLL : 8.1.5.0 127347 Bytes 14-3-2010 10:17:20
AESBX.DLL : 8.1.2.1 254323 Bytes 17-3-2010 21:39:21
AERDL.DLL : 8.1.4.3 541043 Bytes 17-3-2010 21:39:21
AEPACK.DLL : 8.2.1.1 426358 Bytes 20-3-2010 05:44:48
AEOFFICE.DLL : 8.1.0.41 201083 Bytes 17-3-2010 21:39:21
AEHEUR.DLL : 8.1.1.13 2470262 Bytes 17-3-2010 21:39:21
AEHELP.DLL : 8.1.10.2 237941 Bytes 17-3-2010 21:39:20
AEGEN.DLL : 8.1.3.2 373108 Bytes 20-3-2010 05:44:48
AEEMU.DLL : 8.1.1.0 393587 Bytes 14-1-2010 11:20:03
AECORE.DLL : 8.1.12.3 188789 Bytes 17-3-2010 21:39:20
AEBB.DLL : 8.1.0.3 53618 Bytes 14-1-2010 11:20:03
AVWINLL.DLL : 9.0.0.3 18177 Bytes 14-1-2010 11:20:11
AVPREF.DLL : 9.0.3.0 44289 Bytes 14-1-2010 11:20:09
AVREP.DLL : 8.0.0.7 159784 Bytes 14-3-2010 10:17:21
AVREG.DLL : 9.0.0.0 36609 Bytes 14-1-2010 11:20:09
AVARKT.DLL : 9.0.0.3 292609 Bytes 14-1-2010 11:20:07
AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 14-1-2010 11:20:07
SQLITE3.DLL : 3.6.1.0 326401 Bytes 14-1-2010 11:20:16
SMTPLIB.DLL : 9.2.0.25 28417 Bytes 14-1-2010 11:20:16
NETNT.DLL : 9.0.0.0 11521 Bytes 14-1-2010 11:20:15
RCIMAGE.DLL : 9.0.0.28 2623745 Bytes 14-1-2010 11:19:46
RCTEXT.DLL : 9.0.75.0 90369 Bytes 24-3-2010 20:44:42

Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp
Logging.............................: low
Primary action......................: quarantine
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:, D:, E:, F:, G:, H:, I:,
Process scan........................: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: on
Optimised scan......................: on
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium
Deviating risk categories...........: +APPL,+PCK,+PFS,+SPR,

Start of the scan: vrijdag 26 maart 2010 06:43

Initiating scan of system files:
Signed -> 'C:\Windows\system32\svchost.exe'
Signed -> 'C:\Windows\system32\winlogon.exe'
Signed -> 'C:\Windows\explorer.exe'
Signed -> 'C:\Windows\system32\smss.exe'
Signed -> 'C:\Windows\system32\wininet.DLL'
Signed -> 'C:\Windows\system32\wsock32.DLL'
Signed -> 'C:\Windows\system32\ws2_32.DLL'
Signed -> 'C:\Windows\system32\services.exe'
Signed -> 'C:\Windows\system32\lsass.exe'
Signed -> 'C:\Windows\system32\csrss.exe'
Signed -> 'C:\Windows\system32\drivers\kbdclass.sys'
Signed -> 'C:\Windows\system32\spoolsv.exe'
Signed -> 'C:\Windows\system32\alg.exe'
Signed -> 'C:\Windows\system32\wuauclt.exe'
Signed -> 'C:\Windows\system32\advapi32.DLL'
Signed -> 'C:\Windows\system32\user32.DLL'
Signed -> 'C:\Windows\system32\gdi32.DLL'
Signed -> 'C:\Windows\system32\kernel32.DLL'
Signed -> 'C:\Windows\system32\ntdll.DLL'
Signed -> 'C:\Windows\system32\ntoskrnl.exe'
Signed -> 'C:\Windows\system32\ctfmon.exe'
The system files were scanned ('21' files)

Starting search for hidden objects.
'17776' objects were checked, '0' hidden objects were found.

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'cfp.exe' - '1' Module(s) have been scanned
Scan process 'chrome.exe' - '1' Module(s) have been scanned
Scan process 'chrome.exe' - '1' Module(s) have been scanned
Scan process 'chrome.exe' - '1' Module(s) have been scanned
Scan process 'thunderbird.exe' - '1' Module(s) have been scanned
Scan process 'chrome.exe' - '1' Module(s) have been scanned
Scan process 'SearchIndexer.exe' - '1' Module(s) have been scanned
Scan process 'wmpnetwk.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'skypePM.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'TomTomHOMERunner.exe' - '1' Module(s) have been scanned
Scan process 'Skype.exe' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'SOUNDMAN.EXE' - '1' Module(s) have been scanned
Scan process 'vspc1330.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'dwm.exe' - '1' Module(s) have been scanned
Scan process 'taskhost.exe' - '1' Module(s) have been scanned
Scan process 'avwebgrd.exe' - '1' Module(s) have been scanned
Scan process 'avmailc.exe' - '1' Module(s) have been scanned
Scan process 'nvSCPAPISvr.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'nvvsvc.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'cmdagent.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'nvvsvc.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'lsm.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'wininit.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
49 processes with 49 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Master boot sector HD1
[INFO] No virus was found!
Master boot sector HD2
[INFO] No virus was found!
Master boot sector HD3
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!
Boot sector 'D:\'
[INFO] No virus was found!
Boot sector 'E:\'
[INFO] No virus was found!
Boot sector 'F:\'
[INFO] No virus was found!
Boot sector 'G:\'
[INFO] No virus was found!
Boot sector 'H:\'
[INFO] No virus was found!
Boot sector 'I:\'
[INFO] No virus was found!

Starting to scan executable files (registry).
The registry was scanned ( '21' files ).


Starting the file scan:

Begin scan in 'C:\' <Windows 7>
C:\hiberfil.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\tmp.edb
[DETECTION] Is the TR/Crypt.ULPM.Gen Trojan
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26004
[WARNING] The source file could not be found.
[NOTE] Attempting to perform action using the ARK library.
[WARNING] Error in ARK library
[WARNING] The file was ignored!
Begin scan in 'D:\' <Windows XP>
Begin scan in 'E:\' <Data>
Begin scan in 'F:\' <Swap WinXP>
Begin scan in 'G:\' <VirtualOSs>
Begin scan in 'H:\' <Swap Win7>
H:\pagefile.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
Begin scan in 'I:\' <FastDisk>


End of the scan: vrijdag 26 maart 2010 07:46
Used time: 1:03:23 Hour(s)

The scan has been done completely.

41235 Scanned directories
1200414 Files were scanned
1 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
0 Files were moved to quarantine
0 Files were renamed
2 Files cannot be scanned
1200411 Files not concerned
6275 Archives were scanned
3 Warnings
3 Notes
17776 Objects were scanned with rootkit scan
0 Hidden objects were found

XXXXX - personal data was removed.

This post has been edited 1 times, last edit by "Farger" (Jul 14th 2011, 2:35pm)
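The report above is long, and the one line that matters for triage is the detection on which every action failed (ErrorID 26004, "The file was ignored!"). The following is an added example, not Avira's code and not something the poster ran: a small parser for the "Starting the file scan:" section of an Avira AntiVir report that groups each [DETECTION]/[WARNING]/[NOTE] line with the file path above it, flags detections the product could not act on, and notes when the path lies under the Windows Search index data directory (which the poster's file does, and which the running-process list shows SearchIndexer.exe holding open). The sample input is the excerpt from the report posted in this thread; the function names and the `SEARCH_INDEX_DIR` constant are assumptions of this example.

```python
"""Triage helper for Avira AntiVir scan reports (added example, not Avira's code)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Excerpt taken from the report posted above (file-scan section only).
SAMPLE_REPORT = r"""
Starting the file scan:

Begin scan in 'C:\' <Windows 7>
C:\hiberfil.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\tmp.edb
[DETECTION] Is the TR/Crypt.ULPM.Gen Trojan
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26004
[WARNING] The source file could not be found.
[NOTE] Attempting to perform action using the ARK library.
[WARNING] Error in ARK library
[WARNING] The file was ignored!
Begin scan in 'D:\' <Windows XP>

End of the scan: vrijdag 26 maart 2010 07:46
"""

PATH_RE = re.compile(r"^[A-Za-z]:\\")                     # a scanned file path
EVENT_RE = re.compile(r"^\[(DETECTION|WARNING|NOTE)\]\s*(.*)$")
BEGIN_RE = re.compile(r"^Begin scan in '([A-Za-z]:)\\'")  # drive header
NAME_RE = re.compile(r"Is the (\S+)")                      # "Is the <name> Trojan"
ERRID_RE = re.compile(r"ErrorID:\s*(\d+)")

# Directory Windows Search keeps its index database and temp files in
# (assumed constant for this example; compared case-insensitively).
SEARCH_INDEX_DIR = "c:\\programdata\\microsoft\\search\\data\\applications\\windows\\"


@dataclass
class FileResult:
    path: str
    drive: str
    detection: Optional[str] = None
    warnings: List[str] = field(default_factory=list)
    notes: List[str] = field(default_factory=list)

    @property
    def error_ids(self) -> List[str]:
        """Every ErrorID mentioned in this file's warnings."""
        ids = []
        for w in self.warnings:
            m = ERRID_RE.search(w)
            if m:
                ids.append(m.group(1))
        return ids

    @property
    def unresolved(self) -> bool:
        """Detected, but the product neither deleted nor quarantined it."""
        return self.detection is not None and any(
            "was ignored" in w or "was not deleted" in w for w in self.warnings)


def parse_report(text: str) -> List[FileResult]:
    """Return one FileResult per path listed in the file-scan section."""
    results: List[FileResult] = []
    current: Optional[FileResult] = None
    drive = ""
    in_file_scan = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Starting the file scan"):
            in_file_scan = True
            continue
        if not in_file_scan:
            continue
        if line.startswith("End of the scan"):
            break
        m = BEGIN_RE.match(line)
        if m:                       # new drive: no path is current yet
            drive = m.group(1)
            current = None
            continue
        if PATH_RE.match(line):     # a file path; later events belong to it
            current = FileResult(path=line, drive=drive)
            results.append(current)
            continue
        m = EVENT_RE.match(line)
        if m and current is not None:
            kind, msg = m.groups()
            if kind == "DETECTION":
                n = NAME_RE.search(msg)
                current.detection = n.group(1) if n else msg
            elif kind == "WARNING":
                current.warnings.append(msg)
            else:
                current.notes.append(msg)
    return results


def is_search_index_path(path: str) -> bool:
    return path.lower().startswith(SEARCH_INDEX_DIR)


def unresolved_detections(results: List[FileResult]) -> List[FileResult]:
    return [r for r in results if r.unresolved]


def triage_lines(text: str) -> List[str]:
    """One human-readable line per detection that still needs manual handling."""
    out = []
    for r in unresolved_detections(parse_report(text)):
        reason = "; ".join(r.warnings)
        hint = ("Windows Search index temp file, normally held open by "
                "SearchIndexer.exe; candidate false positive, confirm via lab submission"
                if is_search_index_path(r.path) else "submit sample for analysis")
        out.append(f"{r.path}: {r.detection} unresolved ({reason}) -> {hint}")
    return out


if __name__ == "__main__":
    for line in triage_lines(SAMPLE_REPORT):
        print(line)
```

Run stand-alone it prints a single triage line for tmp.edb; the locked hiberfil.sys entry is reported as a warning only, with no detection, so it is not listed. The split between `unresolved` and `is_search_index_path` keeps the two questions separate: did the product act, and is the path one where a locked-file action failure and a false positive are both plausible.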


Farger

Moderator

Date of registration:
Jul 10th 2009

Version:
Avira Free Antivirus
Avira Ultimate Protection Suite
Avira Internet Security

Operating System:
Windows XP/ Windows 7


2

Friday, March 26th 2010, 10:58pm

Hi JohnDoe12,

It must be an FP. Please submit that file to the Avira lab using this link. In File type, choose Suspected False Positive.
Scotty is currently on patrol

This post has been edited 1 times, last edit by "Farger" (Mar 26th 2010, 10:58pm)


  • "JohnDoe12" started this thread

Date of registration:
Mar 26th 2010


3

Saturday, March 27th 2010, 7:17am

Hi Farger,

But what about the fact that my Snort intrusion scanner detected Trojan network activity? Coincidence??

  • "Alexandru Frigioiu" has been banned

Date of registration:
Dec 8th 2008

Operating System:
XP and VISTA


4

Tuesday, March 30th 2010, 5:00pm

Hi,
Did you receive an answer from our Virus Lab regarding that file?