Help Avira found 2 virus BOO/Sinowal.F & cant quarantine or delete

oliveoil54
Posts: 329 Forumite


Hi
PC runs XP & Avira Antivirus, plus Malwarebytes.
Can't update Malwarebytes, get the following message:
Error has occurred. Please report error code to our support team.
PROGRAM_ERROR_UPDATING(5,0,Createfile)
Access is denied.
Have got two detections of malware found, both the same apart from different boot sector, on 7th Feb.
E is my backup hard drive, does this mean the virus has access to this? The Avira detection for E only occurred on today's scan.
The file 'Boot sector 'E:\''
contained a virus or unwanted program 'BOO/Sinowal.F' [virus]
Action(s) taken:
Contains code of the BOO/Sinowal.F boot sector virus.
The boot sector was not written!
Also
The file 'Master boot sector HD1'
contained a virus or unwanted program 'BOO/Sinowal.F' [virus]
Action(s) taken:
Contains code of the BOO/Sinowal.F boot sector virus.
The boot sector was not written!
On events noticed this as far back as 08/01/2011
The file 'Master boot sector HD1'
contained a virus or unwanted program 'BOO/Sinowal.F' [virus]
Action(s) taken:
Contains code of the BOO/Sinowal.F boot sector virus.
The boot sector was not written!
Avira doesn't give the option to delete or quarantine.
As Malwarebytes isn't updating, could the virus have disabled this?
Have tried to look for info on the net for this and came across this http://www.geekstogo.com/forum/topic/284389-boosinowalf/
which really alarmed me.
Unfortunately my husband uses this PC & hadn't taken on board the significance of Avira failing to remove the malware! Have only found out about this this morning!
This is the Avira scan from notepad:
Avira AntiVir Personal
Report file date: 07 February 2011 10:14
Scanning for 2456743 virus strains and unwanted programs.
The program is running as an unrestricted full version.
Online services are available:
Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 3) [5.1.2600]
Boot mode : Normally booted
Username : SYSTEM
Computer name : USER-Q9NPIFAZX8
Version information:
BUILD.DAT : 10.0.0.611 31824 Bytes 14/01/2011 13:42:00
AVSCAN.EXE : 10.0.3.5 435368 Bytes 08/12/2010 10:31:50
AVSCAN.DLL : 10.0.3.0 46440 Bytes 01/04/2010 12:57:04
LUKE.DLL : 10.0.3.2 104296 Bytes 08/12/2010 10:31:52
LUKERES.DLL : 10.0.0.1 12648 Bytes 10/02/2010 23:40:49
VBASE000.VDF : 7.10.0.0 19875328 Bytes 06/11/2009 09:05:36
VBASE001.VDF : 7.11.0.0 13342208 Bytes 14/12/2010 10:31:48
VBASE002.VDF : 7.11.0.1 2048 Bytes 14/12/2010 10:31:48
VBASE003.VDF : 7.11.0.2 2048 Bytes 14/12/2010 10:31:48
VBASE004.VDF : 7.11.0.3 2048 Bytes 14/12/2010 10:31:48
VBASE005.VDF : 7.11.0.4 2048 Bytes 14/12/2010 10:31:48
VBASE006.VDF : 7.11.0.5 2048 Bytes 14/12/2010 10:31:48
VBASE007.VDF : 7.11.0.6 2048 Bytes 14/12/2010 10:31:48
VBASE008.VDF : 7.11.0.7 2048 Bytes 14/12/2010 10:31:48
VBASE009.VDF : 7.11.0.8 2048 Bytes 14/12/2010 10:31:48
VBASE010.VDF : 7.11.0.9 2048 Bytes 14/12/2010 10:31:48
VBASE011.VDF : 7.11.0.10 2048 Bytes 14/12/2010 10:31:48
VBASE012.VDF : 7.11.0.11 2048 Bytes 14/12/2010 10:31:48
VBASE013.VDF : 7.11.0.52 128000 Bytes 16/12/2010 11:53:08
VBASE014.VDF : 7.11.0.91 226816 Bytes 20/12/2010 10:31:26
VBASE015.VDF : 7.11.0.122 136192 Bytes 21/12/2010 14:29:05
VBASE016.VDF : 7.11.0.156 122880 Bytes 24/12/2010 12:29:36
VBASE017.VDF : 7.11.0.185 146944 Bytes 27/12/2010 10:31:25
VBASE018.VDF : 7.11.0.228 132608 Bytes 30/12/2010 17:50:36
VBASE019.VDF : 7.11.1.5 148480 Bytes 03/01/2011 10:31:26
VBASE020.VDF : 7.11.1.37 156672 Bytes 07/01/2011 10:31:32
VBASE021.VDF : 7.11.1.65 140800 Bytes 10/01/2011 18:47:26
VBASE022.VDF : 7.11.1.87 225280 Bytes 11/01/2011 10:31:26
VBASE023.VDF : 7.11.1.124 125440 Bytes 14/01/2011 10:31:35
VBASE024.VDF : 7.11.1.155 132096 Bytes 17/01/2011 16:07:31
VBASE025.VDF : 7.11.1.189 451072 Bytes 20/01/2011 16:07:53
VBASE026.VDF : 7.11.1.230 138752 Bytes 24/01/2011 10:31:26
VBASE027.VDF : 7.11.2.12 164352 Bytes 27/01/2011 10:31:28
VBASE028.VDF : 7.11.2.43 178176 Bytes 01/02/2011 14:35:22
VBASE029.VDF : 7.11.2.78 206336 Bytes 04/02/2011 10:31:28
VBASE030.VDF : 7.11.2.79 2048 Bytes 04/02/2011 10:31:28
VBASE031.VDF : 7.11.2.80 2048 Bytes 04/02/2011 10:31:28
Engineversion : 8.2.4.162
AEVDF.DLL : 8.1.2.1 106868 Bytes 30/07/2010 15:28:55
AESCRIPT.DLL : 8.1.3.53 1282427 Bytes 31/01/2011 10:31:54
AESCN.DLL : 8.1.7.2 127349 Bytes 23/11/2010 17:09:23
AESBX.DLL : 8.1.3.2 254324 Bytes 23/11/2010 17:09:37
AERDL.DLL : 8.1.9.2 635252 Bytes 22/09/2010 14:28:48
AEPACK.DLL : 8.2.4.9 512374 Bytes 31/01/2011 10:31:51
AEOFFICE.DLL : 8.1.1.16 205179 Bytes 31/01/2011 10:31:46
AEHEUR.DLL : 8.1.2.73 3207541 Bytes 04/02/2011 10:31:33
AEHELP.DLL : 8.1.16.1 246134 Bytes 04/02/2011 10:31:27
AEGEN.DLL : 8.1.5.2 397683 Bytes 20/01/2011 16:08:15
AEEMU.DLL : 8.1.3.0 393589 Bytes 23/11/2010 17:08:59
AECORE.DLL : 8.1.19.2 196983 Bytes 20/01/2011 16:08:06
AEBB.DLL : 8.1.1.0 53618 Bytes 05/06/2010 19:13:12
AVWINLL.DLL : 10.0.0.0 19304 Bytes 14/01/2010 12:03:38
AVPREF.DLL : 10.0.0.0 44904 Bytes 14/01/2010 12:03:35
AVREP.DLL : 10.0.0.8 62209 Bytes 18/02/2010 16:47:40
AVREG.DLL : 10.0.3.2 53096 Bytes 03/11/2010 10:33:00
AVSCPLR.DLL : 10.0.3.2 84328 Bytes 08/12/2010 10:31:51
AVARKT.DLL : 10.0.22.6 231784 Bytes 08/12/2010 10:31:47
AVEVTLOG.DLL : 10.0.0.8 203112 Bytes 26/01/2010 09:53:30
SQLITE3.DLL : 3.6.19.0 355688 Bytes 28/01/2010 12:57:58
AVSMTP.DLL : 10.0.0.17 63848 Bytes 16/03/2010 15:38:56
NETNT.DLL : 10.0.0.0 11624 Bytes 19/02/2010 14:41:00
RCIMAGE.DLL : 10.0.0.26 2550120 Bytes 28/01/2010 13:10:20
RCTEXT.DLL : 10.0.58.0 97128 Bytes 03/11/2010 10:33:00
Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: C:\Program Files\Avira\AntiVir Desktop\sysscan.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:, E:,
Process scan........................: on
Extended process scan...............: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium
Start of the scan: 07 February 2011 10:14
Starting search for hidden objects.
HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NtmsSvc\Config\Standalone\drivelist
[NOTE] The registry entry is invisible.
The scan of running processes will be started
Scan process 'iexplore.exe' - '131' Module(s) have been scanned
Scan process 'msdtc.exe' - '40' Module(s) have been scanned
Scan process 'dllhost.exe' - '59' Module(s) have been scanned
Scan process 'dllhost.exe' - '45' Module(s) have been scanned
Scan process 'vssvc.exe' - '48' Module(s) have been scanned
Scan process 'avscan.exe' - '70' Module(s) have been scanned
Scan process 'avcenter.exe' - '63' Module(s) have been scanned
Scan process 'iexplore.exe' - '103' Module(s) have been scanned
Scan process 'alg.exe' - '33' Module(s) have been scanned
Scan process 'iexplore.exe' - '101' Module(s) have been scanned
Scan process 'svchost.exe' - '39' Module(s) have been scanned
Scan process 'sqlwriter.exe' - '53' Module(s) have been scanned
Scan process 'sqlbrowser.exe' - '17' Module(s) have been scanned
Scan process 'dpupdchk.exe' - '25' Module(s) have been scanned
Scan process 'DLG.exe' - '23' Module(s) have been scanned
Scan process 'GoogleToolbarNotifier.exe' - '54' Module(s) have been scanned
Scan process 'ctfmon.exe' - '25' Module(s) have been scanned
Scan process 'avgnt.exe' - '45' Module(s) have been scanned
Scan process 'ipoint.exe' - '55' Module(s) have been scanned
Scan process 'itype.exe' - '48' Module(s) have been scanned
Scan process 'smax4pnp.exe' - '35' Module(s) have been scanned
Scan process 'avshadow.exe' - '26' Module(s) have been scanned
Scan process 'sqlservr.exe' - '53' Module(s) have been scanned
Scan process 'MDM.EXE' - '21' Module(s) have been scanned
Scan process 'avguard.exe' - '53' Module(s) have been scanned
Scan process 'Explorer.EXE' - '83' Module(s) have been scanned
Scan process 'svchost.exe' - '34' Module(s) have been scanned
Scan process 'sched.exe' - '43' Module(s) have been scanned
Scan process 'spoolsv.exe' - '55' Module(s) have been scanned
Scan process 'svchost.exe' - '37' Module(s) have been scanned
Scan process 'svchost.exe' - '32' Module(s) have been scanned
Scan process 'svchost.exe' - '168' Module(s) have been scanned
Scan process 'svchost.exe' - '38' Module(s) have been scanned
Scan process 'svchost.exe' - '53' Module(s) have been scanned
Scan process 'Ati2evxx.exe' - '13' Module(s) have been scanned
Scan process 'lsass.exe' - '59' Module(s) have been scanned
Scan process 'services.exe' - '33' Module(s) have been scanned
Scan process 'winlogon.exe' - '71' Module(s) have been scanned
Scan process 'csrss.exe' - '12' Module(s) have been scanned
Scan process 'smss.exe' - '2' Module(s) have been scanned
Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Master boot sector HD1
[DETECTION] Contains code of the BOO/Sinowal.F boot sector virus
[NOTE] The boot sector was not written!
Master boot sector HD2
[INFO] No virus was found!
Master boot sector HD3
[INFO] No virus was found!
Master boot sector HD4
[INFO] No virus was found!
Master boot sector HD5
[INFO] No virus was found!
Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!
Boot sector 'E:\'
[DETECTION] Contains code of the BOO/Sinowal.F boot sector virus
[NOTE] The boot sector was not written!
Starting to scan executable files (registry).
The registry was scanned ( '259' files ).
Starting the file scan:
Begin scan in 'C:\'
Begin scan in 'E:\' <My Book>
End of the scan: 07 February 2011 11:00
Used time: 46:11 Minute(s)
The scan has been done completely.
6171 Scanned directories
392716 Files were scanned
2 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
0 Files were moved to quarantine
0 Files were renamed
0 Files cannot be scanned
392716 Files not concerned
1326 Archives were scanned
0 Warnings
2 Notes
294341 Objects were scanned with rootkit scan
1 Hidden objects were found
Any advice welcome bearing in mind our limited computer knowledge.
Comments
First step is to boot your computer into Safe Mode and then run the Avira scan.
Safe Mode stops the virus from loading so the antivirus should be able to delete it.
How to get into Safe Mode:
http://www.computerhope.com/issues/chsafe.htm#02
I'm dreaming of a white Christmas.
But, if the white runs out, I'll drink the red.

Just downloaded Hijack This, but Hijack This could only download & run on Administrator, have posted the Administrator notepad below.
Tried to do the same on husband's account on this PC (where problem occurred) and there was no Hijack This icon & it wasn't listed under All Programs. Tried to download again using husband's account page & this time it seemed to work. Have an icon on desktop. But when tried to do scan & notepad got following error message:-
'It looks like you're running Hijack This from a read only device like a CD or floppy disk (no - download from the Trend UK website). If you want to make backups of items you fix, you must copy HijackThis.exe to your hard disk first, and run it from there.
If you continue, you might get Path/File access errors.'
After clicking ok, got following message:-
For some reason your system denied write access to the Hosts file. If hijacked domains are in this file, Hijack This may NOT be able to fix this. If this happens you need to edit the file yourself. To do this click Start, Run and type : notepad C:\WINDOWS\Systems32\drivers\etc\hosts
Find the line(s) HijackThis reports and delete them. Save the file as 'hosts' (with quotes) and reboot.
After clicking ok, got following message 'Write access was denied to the location you specified. Try a different location.'
Tried typing run message above and got a notepad page up with no HijackThis file on it to do anything with.
Tried to scan and log again on Hijack This and when I clicked scan at bottom of box it brought up the following info
Husband's Logfile - But this doesn't look like a proper logfile though?
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 14:19:53, on 07/02/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Program Files\Avira\AntiVir Desktop\avcenter.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
C:\WINDOWS\system32\notepad.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Easy Photo Print - {9421DD08-935F-4701-A9CA-22DF90AC4EA6} - C:\Program Files\Epson Software\Easy Photo Print\EPTBL.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5805.1910\swg.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Easy Photo Print - {9421DD08-935F-4701-A9CA-22DF90AC4EA6} - C:\Program Files\Epson Software\Easy Photo Print\EPTBL.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [UIUCU] C:\DOCUME~1\David\LOCALS~1\Temp\UIUCU.EXE -CLEAN_UP -S
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1272723293296
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
--
End of file - 6369 bytes
Administrator Logfile
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 13:42:26, on 07/02/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\System32\msiexec.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Easy Photo Print - {9421DD08-935F-4701-A9CA-22DF90AC4EA6} - C:\Program Files\Epson Software\Easy Photo Print\EPTBL.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5805.1910\swg.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Easy Photo Print - {9421DD08-935F-4701-A9CA-22DF90AC4EA6} - C:\Program Files\Epson Software\Easy Photo Print\EPTBL.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [UIUCU] C:\DOCUME~1\David\LOCALS~1\Temp\UIUCU.EXE -CLEAN_UP -S
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-1708537768-1645522239-725345543-1004\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'David')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1272723293296
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
--
End of file - 7215 bytes

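A HijackThis log like the one above is usually read section by section, starting with the autostart (O4) and service (O23) entries. The Python script below is an added example, not part of the original post and not HijackThis's own logic: it parses a few lines copied from that log and flags entries for a manual look. The four checks are assumptions chosen for illustration, and a flag is a prompt to investigate, not a verdict.

```python
import re

# Sample input: lines copied from the HijackThis log in the post above.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O4 - HKLM\..\Run: [UIUCU] C:\DOCUME~1\David\LOCALS~1\Temp\UIUCU.EXE -CLEAN_UP -S
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - Global Startup: Digital Line Detect.lnk = ?
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Google Software Updater (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
"""

# A HijackThis entry line: section code (R0, O4, O23, ...), " - ", then the entry text.
ENTRY = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")

# Review heuristics chosen for this example (assumptions, not HijackThis rules).
CHECKS = [
    ("runs from a Temp directory",
     lambda code, body: code in ("O4", "O23") and re.search(r"\\temp\\", body, re.I)),
    ("target file missing",
     lambda code, body: "(file missing)" in body),
    ("service labelled 'Unknown owner'",
     lambda code, body: code == "O23" and "Unknown owner" in body),
    ("startup target unresolved",
     lambda code, body: code == "O4" and body.rstrip().endswith("= ?")),
]

def triage(log_text):
    """Return [(section_code, entry_text, [reasons])] for entries worth a manual look."""
    findings = []
    for line in log_text.splitlines():
        match = ENTRY.match(line.strip())
        if not match:
            continue  # running-process paths, headers and blank lines
        code, body = match["code"], match["body"]
        reasons = [name for name, check in CHECKS if check(code, body)]
        if reasons:
            findings.append((code, body, reasons))
    return findings

if __name__ == "__main__":
    for code, body, reasons in triage(SAMPLE_LOG):
        print(f"{code}: {body}\n    -> {', '.join(reasons)}")
```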
WhiteChristmas sorry missed your post, hence the Hijack This stuff in my last post.
Why didn't I think of that? I am now in Safe Mode with Networking & am running a full scan on Avira & have managed to update Malwarebytes and am also running a full scan. So it will prob take quite a while for both scans to complete. Will let you know the results.
As I also had the same malware detection problem on the E drive, which is my hard drive backup, at the moment for security I have just unplugged it from the PC. Will I need to do yet another scan using Safe Mode with the E drive connected if this (hope & pray) works?
Many thanks

Whilst in Safemode
After Malwarebytes updated & finished scanning (before Avira) it found the following temporary internet files:-
Content.IE5\DRFINDMY\pack[1].exe (Rogue.SecurityShield)
Content.IE5\DRFINDMY\pack[2].exe (Rogue.SecurityShield)
Avira finished scanning but said the scan was clear.
On Malwarebytes I quarantined & then deleted both & was prompted to reboot, which I did.
Then re-scanned using Avira & Malwarebytes; both scanned ok with no virus or malware found.
Do I have to go through all this again with the 'E' drive (external backup hard drive) connected?
So hope that I have resolved the Virus/Malware problem? If so many thanks!
But the Malwarebytes 'Check for Updates' button on my husband's account & the guest account pages are greyed out & can't be clicked on. However the same button on the Administrator's account page is ok & will update without any problem & this also updates all the other accounts. Why can't the update be done from husband's account page, as happened previously?

I'm guessing hubby's account is a user account without admin privileges; are you sure it hasn't always been that way? If it has changed, I'm mystified.
I'd run a scan on the E:\ drive before doing anything else, but I think you're over the worst.
Do E:\ then update and run HJT again and post your logfile. The experts on here will spot anything we've missed.
I'm dreaming of a white Christmas.
But, if the white runs out, I'll drink the red.

Correct, about user account. But he has always been able to update Malwarebytes on his own account previously.
Will scan E & post HJT log.
Thanks once again

A symptom of such infections is to disable full access and/or updates to known antimalware progs. If you can now update mbam ok after a normal boot, then the main drive should be good to go. As WC says above, scan your external drive to be sure.
Gettin' There, Wherever There is......
I have a dodgy "i" key, so ignore spelling errors due to "i" issues, ...I blame Apple

Thought I'd fixed it but no!
When plug E Drive back into PC keep getting Guard: Autorun message blocked. Access to the file E:\autorum.inf was blocked for your security. This happens twice in quick succession.
Did update & Malwarebytes scan, and also an Avira Scan, both including the E Backup Hard Drive.
Malwarebytes said there were no detections & that the scan was ok.
Avira said there were 2 detections -
But after running Avira twice (ran Malwarebytes at same time - Malwarebytes said there were no detections in either) it was reporting a different problem on the Master boot sector, the 1st being HD1 & the 2nd being HD5 in the two separate runs!
Report finished at 21.23
Master boot sector HD1
[DETECTION] Contains code of the BOO/Sinowal.F boot sector virus
[NOTE] The boot sector was not written!
Boot sector 'E:\'
[DETECTION] Contains code of the BOO/Sinowal.F boot sector virus
[NOTE] The boot sector was not written!
Report finished at 20.01
Master boot sector HD5
[DETECTION] Contains code of the BOO/Sinowal.F boot sector virus
[NOTE] The boot sector was not written!
Start scanning boot sectors:
[DETECTION] Contains code of the BOO/Sinowal.F boot sector virus
[NOTE] The boot sector was not written!
Did both Avira & Malwarebytes scans with E drive connected in Safe mode.
Malwarebytes & Avira scans were clear.
So am now doing further full scans in normal mode with both programs & with the E drive connected.
Am keeping fingers XXX and will post the logs/reports when they are finished, as well as HJT report.

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org
Database version: 5706
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
07/02/2011 23:21:29
mbam-log-2011-02-07 (23-21-29).txt
Scan type: Full scan (C:\|D:\|E:\|)
Objects scanned: 225889
Time elapsed: 58 minute(s), 25 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)

Boot into Safe Mode with Networking, download ComboFix
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Download link is under the PayPal donate button, in the Using ComboFix section.
You will need to disable the AV to run it.
Post the log it produces back here.
Gettin' There, Wherever There is......
I have a dodgy "i" key, so ignore spelling errors due to "i" issues, ...I blame Apple

This discussion has been closed.