HiJackThis log - weird virus within Themida demo

Discussion in 'Malware Help (A Specialist Will Reply)' started by artsluver, Dec 2, 2006.

  1. artsluver

    artsluver Private E-2

    Hi,

    I usually run a pretty tight ship and don't usually come across any problems as I scan everything before I open it.

    However, I seem to have gotten infected with something. Yikes!

    I run Zonealarm free and Symantec Corporate all the time, and they usually protect me from everything. I also run weekly scans with Spybot and Ad-aware.

    Today I downloaded a file, scanned it and it came out clean. Then when I went to install it I got this Themida Logo screen, and something to do with scvhost. Well needless to say it got my antennae going, as it should be svchost and not scvhost.

    Whatever the heck it is it has tried to access the internet, thankfully Zonealarm popped up to let me know it was trying to do so. Of course I didn't allow it to access the internet.

    I scanned the whole machine with Symantec Corporate, with all the latest definitions - results were clean.

    I scanned the whole machine with Ad-aware with all the latest definitions - results were clean.

    I scanned the system with Spybot with all the latest definitions - results were funny, there was a Smitfraud alert so I did the removal.

    Once I restarted the machine a little box came up with something about personal settings and scvhost, and this logo came up from Themida and www.oreans.com. I of course stopped all the accesses that were trying to be made to the internet, thank goodness for ZA. Then I went and permanently blocked all the instances of scvhost in Zonealarm.

    I reran Spybot and the Smitfraud stuff was still there.

    It appears that Themida might be a rootkit, and the virus is packed into it to avoid detection and deletion. After 20 minutes a little box comes up and says that as this is a demo version of Themida it only runs for 20 minutes.

    I came here, read the "before posting" post, and downloaded and ran CCleaner.

    I downloaded the programs and files listed in the "before you post, do this" message.

    I went into safe mode and ran the programs, but bitdefender and panda didn't run, as they both hung.

    I restarted in normal mode.

    I ran HijackThis after renaming it to something else as per the instructions. I have attached this log. It did throw up a warning when I first ran it saying that something was wrong. Posted log below.

    I ran getrunkey and shownew.

    Funny enough once I came out of safe mode all my usual programs did not run, no zonealarm, no symantec, so I had to restart them.

    I am not sure if my system is now clean or not. One weird thing is that explorer no longer shuts down when I turn off the PC; I have to shut it down manually from the warning box.

    Any and all help will be most appreciated.

    Sincerely, Arthur

    Attached Files:

  2. artsluver

    artsluver Private E-2

    CounterSpyScans, one from safe mode, one after restart.

    Attached Files:

  3. artsluver

    artsluver Private E-2

    Hi,

    This is my rootkitrevealer log as well... don't know if this helps.

    Cheers, Arthur
  4. artsluver

    artsluver Private E-2

    Hi,

    Sorry it seems rootkitrevealer will not save its log file.

    Help Please! :)
  5. artsluver

    artsluver Private E-2

    ok, here is the rootkitrevealer log

    Thanks!

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Sorry about this! You seem to have dropped off our radar unnoticed!

    I don't really see any major problems in your logs. Are you having any malware problems at the current time?

    I do have a few things for you to do though!


    First, Uninstall the below old versions of software:
    J2SE Runtime Environment 5.0 Update 6
    Sunbelt CounterSpy

    Now install the current version of Sun Java from: Sun Java Runtime Environment


    Now I do question the below files in your system32 folder:
    Code:
    C:\WINDOWS\system32\
    protocol.ini  Nov 11 2006           8  "PROTOCOL.INI"
    system.ini    Nov 11 2006           8  "SYSTEM.INI"
    win.ini       Nov 11 2006           8  "WIN.INI"
    Seeing system.ini and win.ini in this folder is not normal. They are usually only in C:\WINDOWS, and they are larger than 8 bytes.

    Please tell me what you see in each of these files. You can load them into notepad or any other editor to view them.
    Click Start, Run, and enter notepad c:\windows\system32\protocol.ini and click OK to see the contents of the first file.
    Do similar for the other two.
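    The check chaslang asks for, as an added PowerShell example that is not part of the thread: it compares each of the three .ini files under system32 with the expected copy under C:\Windows, reports size, modification date and SHA-256, and dumps the raw bytes of any suspect copy that is only a few bytes long. It assumes a current Windows with PowerShell and only reads the files.

```powershell
# Added example, not from the thread: report the three .ini files chaslang
# flagged in system32 next to their expected copies under C:\Windows.
$names = 'protocol.ini', 'system.ini', 'win.ini'
$roots = [ordered]@{
    Expected = $env:SystemRoot                       # normally C:\WINDOWS
    Suspect  = Join-Path $env:SystemRoot 'System32'  # not a normal home for these
}

foreach ($name in $names) {
    foreach ($label in $roots.Keys) {
        $path = Join-Path $roots[$label] $name
        if (-not (Test-Path -LiteralPath $path)) {
            '{0,-8} {1,-45} (absent)' -f $label, $path
            continue
        }
        $f    = Get-Item -LiteralPath $path
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        '{0,-8} {1,-45} {2,6} bytes  modified {3:yyyy-MM-dd}  sha256 {4}' -f `
            $label, $path, $f.Length, $f.LastWriteTime, $hash

        # An 8-byte copy under system32 is the anomaly noted in the post;
        # show its bytes so non-printable content does not hide in notepad.
        if ($label -eq 'Suspect' -and $f.Length -le 64) {
            $bytes = [System.IO.File]::ReadAllBytes($path)
            '         hex : ' + (($bytes | ForEach-Object { '{0:X2}' -f $_ }) -join ' ')
            '         text: ' + [System.Text.Encoding]::ASCII.GetString($bytes)
        }
    }
}
```

Run it from an elevated PowerShell prompt and paste the output alongside the notepad contents; the hashes let a helper compare the copies without needing the files themselves.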
