Computer Security & Viruses/virus removal
Expert: Brian Benosky - 7/30/2011
QUESTION: Hey Brian. I'm having trouble getting rid of a few viruses, BDS/IRCNite.bxr. My antivirus scan can't seem to get rid of them; I use Avira. Any other way to get rid of them? Thanks for the help!!
ANSWER: Hi Meghan
I'm fairly certain they may be false positive detections. Open Avira and click on Reports. Find your last scan with the detections, and double-click it. Click Report File. Copy the contents of the notepad file that opens, and paste it in your reply to me.
Brian
---------- FOLLOW-UP ----------
QUESTION: hey brian, here is the report
Avira AntiVir Personal
Report file date: Thursday, July 28, 2011 09:08
Scanning for 3294984 virus strains and unwanted programs.
The program is running as an unrestricted full version.
Online services are available:
Licensee : Avira AntiVir Personal - Free Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 3) [5.1.2600]
Boot mode : Normally booted
Username : SYSTEM
Computer name : MEGHAN
Version information:
BUILD.DAT : 10.2.0.696 35934 Bytes 6/29/2011 17:32:00
AVSCAN.EXE : 10.3.0.7 484008 Bytes 6/28/2011 17:16:31
AVSCAN.DLL : 10.0.5.0 47464 Bytes 6/28/2011 17:16:31
LUKE.DLL : 10.3.0.5 45416 Bytes 6/28/2011 17:16:31
LUKERES.DLL : 10.0.0.1 12648 Bytes 2/11/2010 05:40:49
AVSCPLR.DLL : 10.3.0.7 119656 Bytes 6/28/2011 17:16:32
AVREG.DLL : 10.3.0.9 88833 Bytes 7/13/2011 04:45:07
VBASE000.VDF : 7.10.0.0 19875328 Bytes 11/6/2009 15:05:36
VBASE001.VDF : 7.11.0.0 13342208 Bytes 12/14/2010 20:02:49
VBASE002.VDF : 7.11.3.0 1950720 Bytes 2/9/2011 00:21:55
VBASE003.VDF : 7.11.5.225 1980416 Bytes 4/7/2011 20:16:33
VBASE004.VDF : 7.11.8.178 2354176 Bytes 5/31/2011 21:56:16
VBASE005.VDF : 7.11.10.251 1788416 Bytes 7/7/2011 12:19:50
VBASE006.VDF : 7.11.10.252 2048 Bytes 7/7/2011 12:19:50
VBASE007.VDF : 7.11.10.253 2048 Bytes 7/7/2011 12:19:50
VBASE008.VDF : 7.11.10.254 2048 Bytes 7/7/2011 12:19:50
VBASE009.VDF : 7.11.10.255 2048 Bytes 7/7/2011 12:19:50
VBASE010.VDF : 7.11.11.0 2048 Bytes 7/7/2011 12:19:50
VBASE011.VDF : 7.11.11.1 2048 Bytes 7/7/2011 12:19:51
VBASE012.VDF : 7.11.11.2 2048 Bytes 7/7/2011 12:19:51
VBASE013.VDF : 7.11.11.75 688128 Bytes 7/12/2011 04:45:04
VBASE014.VDF : 7.11.11.104 978944 Bytes 7/13/2011 17:46:34
VBASE015.VDF : 7.11.11.137 655360 Bytes 7/14/2011 17:47:25
VBASE016.VDF : 7.11.11.184 699392 Bytes 7/18/2011 20:01:46
VBASE017.VDF : 7.11.11.214 414208 Bytes 7/19/2011 18:45:28
VBASE018.VDF : 7.11.11.242 772096 Bytes 7/20/2011 18:46:36
VBASE019.VDF : 7.11.12.3 1291776 Bytes 7/20/2011 18:48:13
VBASE020.VDF : 7.11.12.30 844288 Bytes 7/21/2011 16:55:11
VBASE021.VDF : 7.11.12.67 149504 Bytes 7/24/2011 20:30:45
VBASE022.VDF : 7.11.12.93 195072 Bytes 7/25/2011 18:48:25
VBASE023.VDF : 7.11.12.113 150528 Bytes 7/26/2011 18:48:28
VBASE024.VDF : 7.11.12.114 2048 Bytes 7/26/2011 18:48:29
VBASE025.VDF : 7.11.12.115 2048 Bytes 7/26/2011 18:48:29
VBASE026.VDF : 7.11.12.116 2048 Bytes 7/26/2011 18:48:29
VBASE027.VDF : 7.11.12.117 2048 Bytes 7/26/2011 18:48:29
VBASE028.VDF : 7.11.12.118 2048 Bytes 7/26/2011 18:48:29
VBASE029.VDF : 7.11.12.119 2048 Bytes 7/26/2011 18:48:30
VBASE030.VDF : 7.11.12.120 2048 Bytes 7/26/2011 18:48:30
VBASE031.VDF : 7.11.12.140 70656 Bytes 7/27/2011 19:22:16
Engineversion : 8.2.6.18
AEVDF.DLL : 8.1.2.1 106868 Bytes 9/1/2010 21:31:28
AESCRIPT.DLL : 8.1.3.73 1622395 Bytes 7/15/2011 17:51:21
AESCN.DLL : 8.1.7.2 127349 Bytes 11/23/2010 03:00:17
AESBX.DLL : 8.2.1.34 323957 Bytes 6/1/2011 21:57:53
AERDL.DLL : 8.1.9.13 639349 Bytes 7/15/2011 17:50:33
AEPACK.DLL : 8.2.9.5 676214 Bytes 7/15/2011 17:50:13
AEOFFICE.DLL : 8.1.2.12 201083 Bytes 7/15/2011 17:49:45
AEHEUR.DLL : 8.1.2.146 3633527 Bytes 7/20/2011 18:50:36
AEHELP.DLL : 8.1.17.6 254326 Bytes 7/20/2011 18:48:34
AEGEN.DLL : 8.1.5.6 401780 Bytes 5/19/2011 20:58:40
AEEMU.DLL : 8.1.3.0 393589 Bytes 11/23/2010 02:59:54
AECORE.DLL : 8.1.22.4 196983 Bytes 7/15/2011 17:47:49
AEBB.DLL : 8.1.1.0 53618 Bytes 9/1/2010 21:31:15
AVWINLL.DLL : 10.0.0.0 19304 Bytes 1/14/2010 18:03:38
AVPREF.DLL : 10.0.3.2 44904 Bytes 6/28/2011 17:16:31
AVREP.DLL : 10.0.0.10 174120 Bytes 5/17/2011 20:59:08
AVARKT.DLL : 10.0.26.1 255336 Bytes 6/28/2011 17:16:31
AVEVTLOG.DLL : 10.0.0.9 203112 Bytes 6/28/2011 17:16:31
SQLITE3.DLL : 3.6.19.0 355688 Bytes 1/28/2010 18:57:58
AVSMTP.DLL : 10.0.0.17 63848 Bytes 3/16/2010 21:38:56
NETNT.DLL : 10.0.0.0 11624 Bytes 2/19/2010 20:41:00
RCIMAGE.DLL : 10.0.0.35 2589544 Bytes 6/28/2011 17:16:30
RCTEXT.DLL : 10.0.64.0 97640 Bytes 6/28/2011 17:16:30
Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: C:\Program Files\Avira\AntiVir Desktop\sysscan.avp
Logging.............................: Default
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:,
Process scan........................: on
Extended process scan...............: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: Advanced
Start of the scan: Thursday, July 28, 2011 09:08
Starting search for hidden objects.
The scan of running processes will be started
Scan process 'rsmsink.exe' - '31' Module(s) have been scanned
Scan process 'wuauclt.exe' - '44' Module(s) have been scanned
Scan process 'dllhost.exe' - '47' Module(s) have been scanned
Scan process 'vssvc.exe' - '50' Module(s) have been scanned
Scan process 'avscan.exe' - '72' Module(s) have been scanned
Scan process 'avcenter.exe' - '65' Module(s) have been scanned
Scan process 'PresentationFontCache.exe' - '31' Module(s) have been scanned
Scan process 'Rim.Desktop.AutoUpdate.exe' - '89' Module(s) have been scanned
Scan process 'msdtc.exe' - '42' Module(s) have been scanned
Scan process 'dllhost.exe' - '63' Module(s) have been scanned
Scan process 'igfxsrvc.exe' - '26' Module(s) have been scanned
Scan process 'iPodService.exe' - '32' Module(s) have been scanned
Scan process 'ObjectDock.exe' - '62' Module(s) have been scanned
Scan process 'RAMASST.exe' - '21' Module(s) have been scanned
Scan process 'WeatherEye.exe' - '82' Module(s) have been scanned
Scan process 'ctfmon.exe' - '27' Module(s) have been scanned
Scan process 'ISUSPM.exe' - '26' Module(s) have been scanned
Scan process 'toscdspd.exe' - '20' Module(s) have been scanned
Scan process 'iTunesHelper.exe' - '72' Module(s) have been scanned
Scan process 'dpupdchk.exe' - '50' Module(s) have been scanned
Scan process 'TPSBattM.exe' - '24' Module(s) have been scanned
Scan process 'jusched.exe' - '23' Module(s) have been scanned
Scan process 'RIMBBLaunchAgent.exe' - '43' Module(s) have been scanned
Scan process 'avgnt.exe' - '55' Module(s) have been scanned
Scan process 'ipoint.exe' - '57' Module(s) have been scanned
Scan process 'itype.exe' - '49' Module(s) have been scanned
Scan process 'TPSMain.exe' - '35' Module(s) have been scanned
Scan process 'igfxpers.exe' - '25' Module(s) have been scanned
Scan process 'hkcmd.exe' - '24' Module(s) have been scanned
Scan process 'igfxtray.exe' - '29' Module(s) have been scanned
Scan process 'SynTPEnh.exe' - '29' Module(s) have been scanned
Scan process 'Ltmoh.exe' - '23' Module(s) have been scanned
Scan process 'TFncKy.exe' - '31' Module(s) have been scanned
Scan process 'thotkey.exe' - '35' Module(s) have been scanned
Scan process 'TvsTray.exe' - '22' Module(s) have been scanned
Scan process 'SmoothView.exe' - '19' Module(s) have been scanned
Scan process 'DLACTRLW.EXE' - '31' Module(s) have been scanned
Scan process 'RTHDCPL.EXE' - '38' Module(s) have been scanned
Scan process 'AGRSMMSG.exe' - '21' Module(s) have been scanned
Scan process 'alg.exe' - '35' Module(s) have been scanned
Scan process '1XConfig.exe' - '38' Module(s) have been scanned
Scan process 'Explorer.EXE' - '134' Module(s) have been scanned
Scan process 'ZcfgSvc.exe' - '51' Module(s) have been scanned
Scan process 'ViewpointService.exe' - '21' Module(s) have been scanned
Scan process 'TAPPSRV.exe' - '16' Module(s) have been scanned
Scan process 'svchost.exe' - '41' Module(s) have been scanned
Scan process 'RegSrvc.exe' - '23' Module(s) have been scanned
Scan process 'jqs.exe' - '35' Module(s) have been scanned
Scan process 'DVDRAMSV.exe' - '15' Module(s) have been scanned
Scan process 'CFSvcs.exe' - '44' Module(s) have been scanned
Scan process 'avshadow.exe' - '28' Module(s) have been scanned
Scan process 'mDNSResponder.exe' - '30' Module(s) have been scanned
Scan process 'AppleMobileDeviceService.exe' - '52' Module(s) have been scanned
Scan process 'avguard.exe' - '65' Module(s) have been scanned
Scan process 'svchost.exe' - '36' Module(s) have been scanned
Scan process 'sched.exe' - '48' Module(s) have been scanned
Scan process 'spoolsv.exe' - '63' Module(s) have been scanned
Scan process 'svchost.exe' - '42' Module(s) have been scanned
Scan process 'svchost.exe' - '34' Module(s) have been scanned
Scan process 'S24EvMon.exe' - '40' Module(s) have been scanned
Scan process 'EvtEng.exe' - '57' Module(s) have been scanned
Scan process 'svchost.exe' - '180' Module(s) have been scanned
Scan process 'svchost.exe' - '42' Module(s) have been scanned
Scan process 'svchost.exe' - '56' Module(s) have been scanned
Scan process 'lsass.exe' - '60' Module(s) have been scanned
Scan process 'services.exe' - '41' Module(s) have been scanned
Scan process 'winlogon.exe' - '69' Module(s) have been scanned
Scan process 'csrss.exe' - '16' Module(s) have been scanned
Scan process 'smss.exe' - '2' Module(s) have been scanned
Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!
Starting to scan executable files (registry).
The registry was scanned ( '1253' files ).
Starting the file scan:
Begin scan in 'C:\' <S3A4000D003>
C:\System Volume Information\_restore{2A8A1FC7-6452-4AFF-9853-CFA56DEF7433}\RP84\A0006706.dll
[DETECTION] Contains a recognition pattern of the (harmful) BDS/IRCNite.bxr back-door program
Beginning disinfection:
C:\System Volume Information\_restore{2A8A1FC7-6452-4AFF-9853-CFA56DEF7433}\RP84\A0006706.dll
[DETECTION] Contains a recognition pattern of the (harmful) BDS/IRCNite.bxr back-door program
[NOTE] The file was moved to the quarantine directory under the name '44ee297d.qua'.
End of the scan: Thursday, July 28, 2011 11:26
Used time: 53:18 Minute(s)
The scan has been done completely.
12434 Scanned directories
283778 Files were scanned
1 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
1 Files were moved to quarantine
0 Files were renamed
0 Files cannot be scanned
283777 Files not concerned
7041 Archives were scanned
0 Warnings
1 Notes
539235 Objects were scanned with rootkit scan
0 Hidden objects were found
ANSWER: Hi Meghan
The infected file that keeps showing up is located in the Windows System Restore folder. The reason it keeps showing up after removal is that Windows replicates the file so that it can be restored using System Restore. So Avira deletes the file and XP keeps recreating it. The easiest way to break this cycle is to purge your System Restore and start fresh. To do this:
Click Start, right-click My Computer, and then click Properties.
In the System Properties dialog box, click the System Restore tab.
Click to select the Turn off System Restore check box. Or, click to select the Turn off System Restore on all drives check box.
Click OK.
When you receive the following message, click Yes to confirm that you want to turn off System Restore:
"You have chosen to turn off System Restore. If you continue, all existing restore points will be deleted, and you will not be able to track or undo changes to your computer.
Do you want to turn off System Restore?"
After a few moments, the System Properties dialog box closes.
Now turn on System Restore once again:
Click Start, right-click My Computer, and then click Properties.
In the System Properties dialog box, click the System Restore tab.
Click to clear the Turn off System Restore check box. Or, click the Turn off System Restore on all drives check box.
Click OK.
After a few moments, the System Properties dialog box closes.
Note that after you turn off and on System Restore, all your previous restore points will be deleted along with the virus file. This should not be a problem if your computer is currently working normally. You will just be starting fresh with new restore points.
If you have any further questions, just let me know.
Brian
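Added example (not part of the original exchange, and not Avira's own tooling): a small Python parser for the report layout quoted above that separates detections inside System Restore restore points from detections on the live file system, which is the distinction the answer turns on. The regular expressions assume the English report wording shown on this page; the second detected path in the sample is constructed for contrast.

```python
import re

# Excerpt in the layout of the report quoted above. The restore-point entry is
# from the page; the "Documents and Settings" entry is constructed for contrast.
SAMPLE_REPORT = r"""Begin scan in 'C:\' <S3A4000D003>
C:\System Volume Information\_restore{2A8A1FC7-6452-4AFF-9853-CFA56DEF7433}\RP84\A0006706.dll
[DETECTION] Contains a recognition pattern of the (harmful) BDS/IRCNite.bxr back-door program
C:\Documents and Settings\user\example.dll
[DETECTION] Contains a recognition pattern of the (harmful) BDS/IRCNite.bxr back-door program
Beginning disinfection:
C:\System Volume Information\_restore{2A8A1FC7-6452-4AFF-9853-CFA56DEF7433}\RP84\A0006706.dll
[DETECTION] Contains a recognition pattern of the (harmful) BDS/IRCNite.bxr back-door program
[NOTE] The file was moved to the quarantine directory under the name '44ee297d.qua'.
"""

PATH_RE = re.compile(r"^[A-Za-z]:\\.+$")  # a line that is only a file path
RESTORE_RE = re.compile(
    r"\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\(RP\d+)\\", re.I)
DETECT_RE = re.compile(
    r"^\[DETECTION\].*?recognition pattern of the (?:\(harmful\) )?(\S+)")
QUAR_RE = re.compile(r"^\[NOTE\].*quarantine directory under the name '([^']+)'")

def parse_detections(report):
    """Return one record per detected file; the report lists a file again
    in its disinfection phase, so records are keyed by path."""
    found, path = {}, None
    for raw in report.splitlines():
        line = raw.strip()
        if PATH_RE.match(line):
            path = line
        elif path and (det := DETECT_RE.match(line)):
            rp = RESTORE_RE.search(path)
            found.setdefault(path, {"path": path, "name": det.group(1),
                                    "restore_point": rp.group(1) if rp else None,
                                    "quarantine": None})
        elif path in found and (q := QUAR_RE.match(line)):
            found[path]["quarantine"] = q.group(1)
    return list(found.values())

def triage(report):
    """Summarise whether every detection sits inside a restore point."""
    dets = parse_detections(report)
    return {"restore_only": bool(dets) and all(d["restore_point"] for d in dets),
            "restore_points": sorted({d["restore_point"] for d in dets
                                      if d["restore_point"]}),
            "live_paths": [d["path"] for d in dets if not d["restore_point"]]}

if __name__ == "__main__":
    print(triage(SAMPLE_REPORT))
```

When restore_only is true, every detection lies under _restore{...}\RPnn, the case the restore-point purge above addresses; anything listed in live_paths is outside System Restore and is not touched by that purge.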