Solved: Am I really infected..?
Tech Support Guy Forums > Security & Malware Removal > Virus & Other Malware Removal

sg09 (Senior Member, 164 posts; joined Jul 2009; experience: Intermediate)
24-Nov-2009, 01:15 AM #1
I use a DELL LATITUDE E5400 laptop with Win7 Ultimate & Ubuntu dual boot. I've always been cautious about malware, so I use a lot of security measures. I mainly use Chrome & rarely Firefox with NoScript. I have McAfee VirusScan Plus (with FW), MBAM and USB VirusScan in realtime, and lots of backup scanners like a2free, SAS, Spybot, ClamWin, SpywareBlaster. There are no observable conflicts. I also have Avast & BitDefender in Ubuntu, and I scan the Windows partition from there as well. None of them reported any serious virus.
Yesterday I read about Remove It Pro on Softpedia, and downloaded & installed it. It found about 32 viruses. Here is the report:

11:17:08 AM: Scanning, please wait...
11:19:44 AM: Infected file (Sys32.bthmtpcontexthandler) C:\Windows\system32\bthmtpcontexthandler.dll
11:19:49 AM: Infected file (Sys32.cleanmem) C:\Windows\system32\cleanmem.exe
11:19:54 AM: Infected file (Sys32.dfscli) C:\Windows\system32\dfscli.dll
11:19:58 AM: Infected file (Sys32.dwrite) C:\Windows\system32\dwrite.dll
11:20:14 AM: Infected file (Sys32.gmailfs) C:\Windows\system32\shellext\gmailfs.dll
11:20:15 AM: Infected file (Sys32.grcauth1) C:\Windows\system32\grcauth1.dll
11:20:15 AM: Infected file (Sys32.grcauth2) C:\Windows\system32\grcauth2.dll
11:20:20 AM: Infected file (Sys32.hwrcomp) C:\Windows\system32\hwrcomp.exe
11:20:22 AM: Infected file (Sys32.igfxtvcx) C:\Windows\system32\igfxtvcx.dll
11:21:06 AM: Infected file (Sys32.pdfdll32) C:\Windows\system32\pdfdll32.dll
11:21:11 AM: Infected file (Sys32.prsgrc) C:\Windows\system32\prsgrc.dll
11:21:20 AM: Infected file (Sys32.rdpshell) C:\Windows\system32\rdpshell.exe
11:21:29 AM: Infected file (Sys32.sppcext) C:\Windows\system32\sppcext.dll
11:21:37 AM: Infected file (Sys32.tvwizudlg) C:\Windows\system32\tvwizudlg.exe
11:21:37 AM: Infected file (Sys32.tvwsetup) C:\Windows\system32\tvwsetup.exe
11:22:05 AM: Infected file (Sys32.xpsgdiconverter) C:\Windows\system32\xpsgdiconverter.dll
11:22:05 AM: Infected file (Sys32.xpsprint) C:\Windows\system32\xpsprint.dll
11:22:05 AM: Infected file (Sys32.xpsrasterservice) C:\Windows\system32\xpsrasterservice.dll
11:22:05 AM: Infected file (Sys32.xpsservices) C:\Windows\system32\xpsservices.dll
11:23:10 AM: 19 Dangerous files have been found on your computer.
Click on "Fix" button to fix selected tasks.
11:23:23 AM: Scanning, please wait...
11:23:34 AM: Infected file (Sys32.cleanmem) C:\Program Files\CleanMem\CleanMem.exe
11:26:13 AM: Infected file (Sys32.tvwsetup) C:\Windows\System32\DriverStore\FileRepository\igdlh.inf_x86_neutral_bcea7a504cffc240\TVWSetup.exe
11:28:37 AM: Infected file (Sys32.xpsgdiconverter) C:\Windows\winsxs\x86_microsoft-windows-c..ent-xpsgdiconverter_31bf3856ad364e35_6.1.7600.16385_none_12c2cbad4ca45cfa\XpsGdiConverter.dll
11:28:37 AM: Infected file (Sys32.xpsrasterservice) C:\Windows\winsxs\x86_microsoft-windows-c..nt-xpsrasterservice_31bf3856ad364e35_6.1.7600.16385_none_1a73b3248d54945a\XpsRasterService.dll
11:28:37 AM: Infected file (Sys32.xpsservices) C:\Windows\winsxs\x86_microsoft-windows-c..t-xpsomandstreaming_31bf3856ad364e35_6.1.7600.16385_none_aeeed09d4674da37\xpsservices.dll
11:28:40 AM: Infected file (Sys32.bthmtpcontexthandler) C:\Windows\winsxs\x86_microsoft-windows-d..thmtpcontexthandler_31bf3856ad364e35_6.1.7600.16385_none_3cb7f3eab63c348f\BthMtpContextHandler.dll
11:28:41 AM: Infected file (Sys32.dfscli) C:\Windows\winsxs\x86_microsoft-windows-dfsclient-netapi_31bf3856ad364e35_6.1.7600.16385_none_6072917391cb3511\dfscli.dll
11:28:41 AM: Infected file (Sys32.dwrite) C:\Windows\winsxs\x86_microsoft-windows-directwrite_31bf3856ad364e35_6.1.7600.16385_none_d273c54560c2a525\DWrite.dll
11:29:18 AM: Infected file (Sys32.xpsprint) C:\Windows\winsxs\x86_microsoft-windows-printing-xpsprint_31bf3856ad364e35_6.1.7600.16385_none_ab79794d729ee4c1\XpsPrint.dll
11:29:25 AM: Infected file (Sys32.sppcext) C:\Windows\winsxs\x86_microsoft-windows-security-spp-clientext_31bf3856ad364e35_6.1.7600.16385_none_cc9d4bf812728aae\sppcext.dll
11:29:29 AM: Infected file (Sys32.hwrcomp) C:\Windows\winsxs\x86_microsoft-windows-t..-coreinkrecognition_31bf3856ad364e35_6.1.7600.16385_none_ed6e97c85c464885\hwrcomp.exe
11:29:30 AM: Infected file (Sys32.rdpshell) C:\Windows\winsxs\x86_microsoft-windows-t..lications-clientsku_31bf3856ad364e35_6.1.7600.16385_none_1eb1767ca777285a\rdpshell.exe
11:30:41 AM: Infected file (Sys32.gmailfs) D:\Softwares\Utility\gmailfs115\GMailFS.dll
11:23:23 AM: 32 Dangerous files have been found on your computer.
Click on "Fix" button to fix selected tasks.


I haven't done anything till now. I am afraid all of these may be false positives.
A few I recognized are CleanMem, an efficient memory cleaner, & the Gmail Drive application.
Please help. Thanks.
sg09
24-Nov-2009, 01:29 AM #2
Here is some of the software installed on my laptop:
Cleanmem
Gmail drive
Poweriso
Auslogics disk defrag
nero 8
unlocker
Bleachbit
Skype
FDM
CCleaner
your uninstaller
PDF Tiger
Winzip
Windjvu
Foxit Reader
USB Safely Remove
VLC
Kantaris
K Lite Codec Pack
Sigmaplot
origin
ms office 2007
google book dloader
fileminimiser office
defraggler
Arduo pdf merger
cambridge talking dictionary
dvk01 (Moderator, 31,424 posts; joined Dec 2002; Loughton, Essex, UK)
24-Nov-2009, 08:57 AM #3
They all look like false alarms to me.

RemoveIt Pro is well known for a lot of false positives.

But in case they are infected by a file-infecting virus:

* Run a Kaspersky online virus scan: Kaspersky Online Scanner.

After the updates have downloaded, click on the "Scan Settings" button.
Select "Spyware, Adware, Dialers and other potentially dangerous programs" for the scan.
Under "Please select a target to scan", click "My Computer".
When the scan is finished, save the results from the scan!

Note: Kavscan is a scanner only & won't fix anything, but it will normally find the most infected files, so its report gives us a good place to work from.
__________________
Derek Microsoft MVP/Windows - Security | Thespykiller | Security & Privacy
I am helping you, please help me by donating to help keep the Hedgehog Rescue Centre running
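An added example, not part of this thread or of any tool the posters used: before clicking "Fix" on a report like the one in post #1, it pays to triage the log itself. The script below applies two simple checks to the flagged paths. First, where do the files live? Paths under C:\Windows\winsxs\ whose component directory carries the public key token 31bf3856ad364e35 (the Microsoft Windows component token visible in the log's own paths) are component-store copies of OS files, and a hit on both the System32 file and its winsxs twin is the same OS file counted twice. Second, how are the detections named? "Sys32.<file name>" for every single hit means the name is derived from the file name rather than from a malware family, which is what a file-name blacklist produces. The sample log lines are copied from post #1 (two forum line-wraps inside file names rejoined); the thresholds and the "repeated name" and "OS pair" rules are the example's own heuristics. None of this proves a file clean; the on-host check for that is the file's Authenticode signature or SFC, which this offline script does not attempt.

```python
"""Triage a Remove It Pro-style scan log before trusting its "Infected file" list.

Added example for this thread; heuristics are the author's own assumptions.
"""
import json
import re
from collections import Counter

# Public key token used in winsxs component directory names for Microsoft
# Windows components (e.g. x86_microsoft-windows-directwrite_31bf3856ad364e35_...).
MS_WINDOWS_TOKEN = "31bf3856ad364e35"

# Shape of one detection line in the posted report:
#   "11:19:58 AM: Infected file (Sys32.dwrite) C:\Windows\system32\dwrite.dll"
LINE_RE = re.compile(
    r"^(?P<time>\d{1,2}:\d{2}:\d{2} [AP]M): Infected file "
    r"\((?P<name>[^)]+)\) (?P<path>.+)$"
)

# Sample input: lines copied from the report in post #1 (two forum line-wraps
# inside file names rejoined). Non-detection lines are kept to show they are skipped.
SAMPLE_LOG = r"""
11:17:08 AM: Scanning, please wait...
11:19:58 AM: Infected file (Sys32.dwrite) C:\Windows\system32\dwrite.dll
11:20:14 AM: Infected file (Sys32.gmailfs) C:\Windows\system32\shellext\gmailfs.dll
11:21:37 AM: Infected file (Sys32.tvwsetup) C:\Windows\system32\tvwsetup.exe
11:23:34 AM: Infected file (Sys32.cleanmem) C:\Program Files\CleanMem\CleanMem.exe
11:26:13 AM: Infected file (Sys32.tvwsetup) C:\Windows\System32\DriverStore\FileRepository\igdlh.inf_x86_neutral_bcea7a504cffc240\TVWSetup.exe
11:28:41 AM: Infected file (Sys32.dwrite) C:\Windows\winsxs\x86_microsoft-windows-directwrite_31bf3856ad364e35_6.1.7600.16385_none_d273c54560c2a525\DWrite.dll
11:30:41 AM: Infected file (Sys32.gmailfs) D:\Softwares\Utility\gmailfs115\GMailFS.dll
11:23:23 AM: 32 Dangerous files have been found on your computer.
"""


def parse_log(text):
    """Return a list of (time, detection_name, path) for every 'Infected file' line."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            hits.append((m["time"], m["name"], m["path"].strip()))
    return hits


def classify(path):
    """Bucket a flagged path: OS component store, System32 tree, or anything else."""
    low = path.lower()
    if "\\winsxs\\" in low and MS_WINDOWS_TOKEN in low:
        return "component-store"
    if low.startswith("c:\\windows\\system32\\"):
        return "system32"
    return "other"


def name_is_filename(detection_name, path):
    """True when the detection name is just '<prefix>.' + the file's stem, lower-cased."""
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()
    family = detection_name.split(".", 1)[-1].lower()
    return family == stem


def triage(text):
    """Summarise a log: locations, duplicate names, OS-pair hits, naming pattern."""
    hits = parse_log(text)
    by_location = Counter(classify(p) for _, _, p in hits)
    paths_per_name, locations_per_name = {}, {}
    for _, name, path in hits:
        paths_per_name.setdefault(name, set()).add(path.lower())
        locations_per_name.setdefault(name, set()).add(classify(path))
    derived = sum(name_is_filename(n, p) for _, n, p in hits)
    return {
        "total": len(hits),
        "by_location": dict(by_location),
        # Same detection name reported for more than one file.
        "repeated_names": sorted(n for n, ps in paths_per_name.items() if len(ps) > 1),
        # Same name on a System32 file and its winsxs twin: one OS file, counted twice.
        "os_pairs": sorted(
            n for n, locs in locations_per_name.items()
            if {"system32", "component-store"} <= locs
        ),
        "filename_derived": derived,
        "all_names_filename_derived": bool(hits) and derived == len(hits),
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```

On the full report from post #1 every detection name follows the "Sys32.<file name>" pattern and eleven of the hits are winsxs copies of files that were also flagged in System32, which is the shape a file-name blacklist produces, not what a file infector leaves behind. The script only tells you how much to trust the scanner; a second opinion from a reputable scanner, as the moderator asks for here, is still the right next step.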
sg09
24-Nov-2009, 10:53 AM #4
@dvk01: I tried to run the online scanner. It tried to download ~120 MB of files, but due to the link failure error of my broadband connection it could not be completed.
Is the Kaspersky Virus Removal Tool 7.0 (45 MB), which is updated daily, the same as the online scanner? It would be easy for me to download it from here:
http://support.kaspersky.com/viruses/avptool?level=2
Thanks...
dvk01
24-Nov-2009, 11:04 AM #5
I really wanted you to run the scanner & not any tool that deletes anything, because I am 99.9% sure they are false detections.
I am not sure whether the AVP tool auto-deletes what it finds or gives you options.

But try it & see what it finds; hopefully it will find nothing.
sg09
24-Nov-2009, 11:16 AM #6
OK, I will try to run the online scanner again. If I fail again I will download the AVP tool.
Thanks a lot.
sg09
24-Nov-2009, 01:23 PM #7
I am very sorry dvk01, I failed once again. That great link failure problem of my broadband connection :-x . I could not download a single file without a download manager in the last few days.
So, I'm going to download the AVP tool at last. Let's hope it'll give me the option to take action after the scan.
sg09
24-Nov-2009, 01:25 PM #8
One more question. Should I run the scan in safe mode to avoid conflict with my existing security applications?
dvk01
24-Nov-2009, 01:29 PM #9
It is always a good idea to do that.
sg09
24-Nov-2009, 01:33 PM #10
Thanks.
sg09
24-Nov-2009, 02:52 PM #11
OK..!! I'm done. AVP has all sorts of customizations.
Above all: NO DETECTIONS.
Report in detail:

Kaspersky Virus Removal Tool
filename: setup_7.0.0.290_24.11.2009_18-14

Scan Settings:

Security Level: Custom
Action: Prompt for action when the scan is complete
Run mode: Manually
File types: Scan all files
Scan only new and changed files: No
Scan archives: All
Scan embedded OLE objects: All
Skip if object is larger than: No
Skip if scan takes longer than: No
Parse email formats: Yes
Scan password-protected archives: No
Enable iChecker technology: Yes
Enable iSwift technology: Yes
Show detected threats on "Detected" tab: Yes
Rootkits search: Yes
Deep rootkits search: Yes
Use heuristic analyzer: Yes

Scan Report:

All Objects: 161517
System Memory: 1164
Startup Objects: 709
Disk Boot Sectors: 3
Local Disk (C:): 159641
Detected: 0

To reduce scan time I scanned only the system drive.
The scan was quite fast:
Scan Duration: 00:42:34
But it is not resource friendly:
Average CPU Usage: 50%
Average Memory consumption: 125 MB
For a one-time scan it is OK.

I've uploaded the detailed log file here
http://www.wikifortio.com/766106/AVP Scan Report.zip
as the file size just exceeded the forum's maximum file size.
dvk01
24-Nov-2009, 03:23 PM #12
As I said in my first reply, RemoveIt is well known for false detections and unforgivable errors, but there was a 0.01% chance of a virus.

Uninstall RemoveIt & stick to well-known, reliable anti-malware and you will be fine.
sg09
24-Nov-2009, 09:10 PM #13
Thank you dvk01 for all your valuable help.
I have a last, quite unrelated query. As you said before, scanning in safe mode is always good. But I'd observed a surprising thing with Avira, one of my favourites: Avira doesn't scan for rootkits in safe mode. Any explanation?
Thank you again.
dvk01
25-Nov-2009, 03:32 AM #14
You would have to ask Avira that.

Probably because it needs a special driver to do the scan & that driver isn't set to load in safe mode.

You did say that AVP used a lot of system resources & memory when scanning.

Any scan tool, to be effective, needs to be the only thing running, and to clean malware you can't download in the background, watch videos or surf etc.

Always close all programs & run the antivirus and let it do its thing unhindered.

I would expect an antivirus to use up to 90% of resources when doing a full system scan.
sg09
25-Nov-2009, 06:38 AM #15
Thanks a lot dvk01 for all your help ...