Solved

Avira antivirus giving me fake alerts?

Posted on 2009-06-30
Last Modified: 2013-11-22
My Avira detected this when I had just booted my computer.

Virus or unwanted program 'TR/TDss.yux [trojan]'
detected in file 'E:\Windows\System32\hjgruiqmlrbdqp.dll.
Action performed: Allow access.

and this when I opened Windows Live Mail:

Virus or unwanted program 'TR/TDss.yux [trojan]'
detected in file 'E:\Windows\Temp\hjgruiryrqxojkeg.tmp.
Action performed: Delete file.

The thing is I can't find these files on the system... but the alert keeps popping up. What files could these be?
Question by:toggle151

11 Comments
LVL 13

Expert Comment

by:JeremySBrown
ID: 24746288
Hi toggle151,

The files are probably hidden... if you go to My Computer... then select Tools... then select Folder Options... select the View tab. Make sure that "Show hidden files and folders" is selected. Make sure that you don't delete any files from here... they're hidden for a reason and might corrupt your OS if deleted. Try scanning with another antivirus... and see if it detects these files... it's possible that Avira might be giving false alerts.
 
LVL 23

Accepted Solution

by:Admin3k (earned 125 total points)
ID: 24750219
Virus or unwanted program 'TR/TDss.yux [trojan]'
detected in file 'E:\Windows\Temp\hjgruiryrqxojkeg.tmp.
Action performed: Delete file.


Sounds like a genuine detection to me; if this file name is not malware related, then nothing is :)
TDSS is a known rootkit that is also associated with Vundo or Zlob Trojan infections in most cases. I would suggest you first run a full scan with Avira in safe mode, then try Malwarebytes Anti-Malware first, and then use ComboFix if the problem persists. Please post the logs of both if you run them.
 
LVL 13

Expert Comment

by:JeremySBrown
ID: 24750290
You might want to try scanning with Dr. Web Anti-Virus as well.
http://www.freedrweb.com/
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 24750892
Those are not fake alerts...

Have those quarantined or deleted by your resident antivirus.
Or use MalwareBytes or ComboFix as already suggested, which both take care of TDSS rootkits; ComboFix is the best tool for this as it removes all relevant registry entries as well.

You need to rename MalwareBytes or ComboFix before saving the file to your desktop, as these nasties often block these tools from running.

Run MalwareBytes and/or ComboFix in normal mode, not safe mode.

 
LVL 13

Expert Comment

by:JeremySBrown
ID: 24750947
Yep... rpggamergirl is correct... these are not fake alerts... after doing some more research... ComboFix can detect it... but won't delete it... I don't know if any other Expert(s) experienced or knew of this before... but I just wanted to let the other Experts know... in case they didn't.
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 24752616
ComboFix removes TDSS* rootkits, and for other variants not in its database ComboFix has a script function that can delete anything you input into the script;
that's why we ask to look at a ComboFix log, because any bad files, services or reg entries not removed in its first run can be removed in the second run.
 
LVL 7

Expert Comment

by:Phateon
ID: 24752917
Better, use the Avira RescueCD. It will work most of the time, as these files will not be in use.
Some help about the Avira RescueCD can be found here: http://forum.avira.com/wbb/index.php?page=Thread&threadID=82163
 
LVL 13

Expert Comment

by:JeremySBrown
ID: 24756480
Oops!... I should have been clearer in my last comment... I knew already that ComboFix doesn't remove all of the infections on the first scan... and I understand that's why the Experts want to look at the ComboFix log for any missed files that should be removed... my comment is meant to state that... ComboFix, as far as I know, will detect it... but won't delete it... on the first run.
 

Author Comment

by:toggle151
ID: 24759850
This is the log that I got from ComboFix... according to this it should have solved the problem... and I figure the problem came from a WGA crack I used for Vista... could any of these be false positives or are they really rootkits? BTW thanks for all the help so far guys

ComboFix 09-07-01.01 - Spike 02/07/2009  9:44.1 - NTFSx86
Microsoft® Windows Vista™ Ultimate   6.0.6001.1.1252.65.1033.18.2046.1177 [GMT 8:00]
Running from: e:\users\Spike\Desktop\ComboFix.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

e:\windows\system32\ammppg.dll
e:\windows\system32\drivers\hjgruitbrpxprn.sys
e:\windows\system32\hjgruiiwxskief.dat
e:\windows\system32\hjgruijwqvdmpn.dll
e:\windows\system32\hjgruiqmlrbdqp.dll
e:\windows\system32\hjgruirpibiihx.dat
e:\windows\system32\mlfcache.dat
e:\windows\system32\WgaLogon.dll

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_hjgruifpbwydtm


(((((((((((((((((((((((((   Files Created from 2009-06-02 to 2009-07-02  )))))))))))))))))))))))))))))))
.

2009-07-02 01:53 . 2009-07-02 01:53      --------      d-----w-      e:\users\Administrator\AppData\Local\temp
2009-07-01 12:04 . 2009-07-01 12:04      198064      ----a-w-      e:\users\Administrator\AppData\Roaming\IDM\idmmzcc3\components\idmmzcc.dll
2009-07-01 12:04 . 2009-07-01 12:04      --------      d-----w-      e:\users\Administrator\AppData\Roaming\IDM
2009-07-01 12:04 . 2009-07-01 12:04      --------      d-----w-      e:\users\Administrator\AppData\Roaming\DMCache
2009-06-30 02:21 . 2009-06-30 12:46      --------      d-----w-      e:\users\Spike\AppData\Roaming\tor
2009-06-29 13:10 . 2004-08-03 23:00      506368      ----a-w-      e:\windows\system32\msxml.dll
2009-06-29 12:33 . 2009-06-29 12:33      --------      d-----w-      e:\program files\MKVtoolnix
2009-06-29 12:33 . 2009-06-29 12:33      --------      d-----w-      e:\program files\DirectVobSub
2009-06-29 11:20 . 2009-06-29 11:30      --------      d-----w-      e:\program files\Nero
2009-06-29 11:20 . 2009-06-29 11:31      --------      d-----w-      e:\program files\Common Files\Nero
2009-06-29 11:20 . 2009-06-29 11:23      --------      d-----w-      e:\programdata\Nero
2009-06-29 11:20 . 2008-08-20 03:33      1315328      ----a-w-      e:\windows\system32\ole32.dll
2009-06-29 10:33 . 2009-06-29 10:33      --------      d-----w-      e:\program files\MainConcept
2009-06-29 10:27 . 2009-06-29 10:33      --------      d-----w-      e:\program files\megui
2009-06-29 10:26 . 2009-06-29 10:26      --------      d-----w-      e:\program files\Xvid
2009-06-29 10:26 . 2009-06-07 08:24      180224      ----a-w-      e:\windows\system32\xvidvfw.dll
2009-06-29 10:26 . 2009-06-07 08:16      819200      ----a-w-      e:\windows\system32\xvidcore.dll
2009-06-29 10:26 . 2009-06-29 10:26      --------      d-----w-      e:\program files\AC3Filter
2009-06-29 10:23 . 2009-05-15 11:36      85504      ----a-w-      e:\windows\system32\ff_vfw.dll
2009-06-29 10:23 . 2009-06-29 10:23      --------      d-----w-      e:\program files\ffdshow
2009-06-29 10:23 . 2009-05-15 11:36      60273      ----a-w-      e:\windows\system32\pthreadGC2.dll
2009-06-29 10:23 . 2009-06-29 10:23      --------      d-----w-      e:\program files\Common Files\Sonic Shared
2009-06-29 10:23 . 2009-06-29 10:23      --------      d-----w-      e:\program files\Sonic
2009-06-29 10:22 . 2009-06-29 10:22      --------      d-----w-      e:\program files\CoreCodec
2009-06-29 10:21 . 2009-06-29 10:21      --------      d-----w-      e:\program files\Haali
2009-06-29 10:14 . 2009-06-30 12:56      --------      d-----w-      e:\program files\a-squared Anti-Malware
2009-06-29 10:13 . 2009-06-29 10:13      --------      d-----w-      e:\program files\Wireshark
2009-06-29 10:12 . 2009-06-29 10:12      --------      d-----w-      e:\program files\VideoLAN
2009-06-29 10:11 . 2009-06-30 12:46      --------      d-----w-      e:\users\Spike\AppData\Roaming\Vidalia
2009-06-29 10:11 . 2009-06-29 10:11      --------      d-----w-      e:\program files\Vidalia Bundle
2009-06-29 10:11 . 2009-06-29 10:11      --------      d-----w-      e:\program files\Real Alternative
2009-06-29 10:07 . 2009-06-29 10:07      --------      d-----w-      e:\program files\Apple Software Update
2009-06-29 10:04 . 2009-06-29 10:04      --------      d-----w-      e:\program files\LimeWire
2009-06-26 16:01 . 2009-04-20 14:28      57016      ----a-w-      e:\windows\system32\imsys.dll
2009-06-26 16:01 . 2009-04-20 14:28      233144      ----a-w-      e:\windows\system32\IMImage.dll
2009-06-26 16:01 . 2009-04-20 14:28      367800      ----a-w-      e:\windows\system32\iimds.dll
2009-06-26 16:01 . 2009-02-10 16:02      14848      ----a-w-      e:\windows\system32\iimir.dll
2009-06-26 15:52 . 2009-06-26 16:02      --------      d-----w-      e:\program files\iMacros
2009-06-26 12:41 . 2009-06-23 05:52      57344      ----a-w-      e:\users\Spike\AppData\Roaming\Mozilla\Firefox\Profiles\m5pizx7x.default\extensions\{FCAB6FDD-5585-425b-95C1-5ED856F3FD08}\components\nsCatcher.dll
2009-06-26 12:41 . 2009-06-08 06:00      110592      ----a-w-      e:\users\Spike\AppData\Roaming\Mozilla\Firefox\Profiles\m5pizx7x.default\extensions\{81BF1D23-5F17-408D-AC6B-BD6DF7CAF670}\components\XpcomOpusConnector.dll
2009-06-14 13:23 . 2009-04-30 12:37      293376      ----a-w-      e:\windows\system32\psisdecd.dll
2009-06-14 13:23 . 2009-04-30 12:37      428544      ----a-w-      e:\windows\system32\EncDec.dll
2009-06-11 05:26 . 2009-04-21 11:55      2033152      ----a-w-      e:\windows\system32\win32k.sys
2009-06-11 05:26 . 2009-04-23 12:42      636928      ----a-w-      e:\windows\system32\localspl.dll
2009-06-11 05:25 . 2009-05-09 05:50      915456      ----a-w-      e:\windows\system32\wininet.dll
2009-06-11 05:25 . 2009-05-09 05:34      71680      ----a-w-      e:\windows\system32\iesetup.dll
2009-06-11 05:25 . 2009-04-23 12:43      784896      ----a-w-      e:\windows\system32\rpcrt4.dll
2009-06-09 10:43 . 2009-06-09 10:45      --------      d-----w-      e:\users\Spike\AppData\Roaming\CopyTrans
2009-06-05 10:42 . 2009-07-02 01:32      4096      ----a-w-      e:\windows\system32\detoured.dll

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-02 01:44 . 2009-05-08 11:29      65327      ----a-w-      e:\programdata\nvModes.dat
2009-07-01 16:57 . 2009-03-18 06:23      --------      d-----w-      e:\program files\Warcraft III
2009-06-30 14:56 . 2008-07-31 04:27      --------      d-----w-      e:\users\Spike\AppData\Roaming\DMCache
2009-06-30 14:20 . 2009-01-17 06:23      --------      d-----w-      e:\program files\Left 4 Dead
2009-06-29 12:32 . 2008-11-15 10:06      --------      d-----w-      e:\users\Spike\AppData\Roaming\Nero
2009-06-29 10:23 . 2008-11-01 16:01      --------      d-----w-      e:\program files\Common Files\Roxio Shared
2009-06-29 10:13 . 2009-02-14 02:48      --------      d-----w-      e:\program files\WinPcap
2009-06-29 10:10 . 2008-07-31 09:34      --------      d-----w-      e:\program files\FLV Player
2009-06-29 10:09 . 2009-06-29 10:08      --------      d-----w-      e:\program files\QuickTime
2009-06-29 10:08 . 2009-06-29 10:08      --------      d-----w-      e:\program files\AviSynth 2.5
2009-06-29 10:08 . 2009-06-29 10:08      --------      d-----w-      e:\program files\AnMing
2009-06-29 10:06 . 2009-01-04 14:27      --------      d-----w-      e:\programdata\WinZip
2009-06-29 09:13 . 2008-11-01 07:19      --------      d-----w-      e:\users\Spike\AppData\Roaming\IDM
2009-06-29 09:11 . 2008-11-15 10:04      --------      d-----w-      e:\program files\Nero 9
2009-06-21 15:42 . 2008-09-09 14:49      --------      d-----w-      e:\users\Spike\AppData\Roaming\UseNeXT
2009-06-13 05:50 . 2008-07-31 05:22      --------      d-----w-      e:\programdata\Microsoft Help
2009-06-09 12:14 . 2009-03-20 12:29      97608      ----a-w-      e:\windows\system32\drivers\avfwot.sys
2009-06-06 16:35 . 2008-08-05 13:09      --------      d-----w-      e:\users\Spike\AppData\Roaming\LimeWire
2009-05-30 13:57 . 2008-08-16 04:25      --------      d-----w-      e:\users\Spike\AppData\Roaming\MyPhoneExplorer
2009-05-30 11:00 . 2008-08-23 09:37      --------      d-----w-      e:\program files\MyPhoneExplorer
2009-05-30 02:38 . 2009-05-30 02:23      --------      d-----w-      e:\programdata\DriverScanner
2009-05-30 02:38 . 2009-05-30 02:22      --------      dc-h--w-      e:\programdata\{66E2F539-12B6-4870-A500-7689CDE75C5E}
2009-05-30 02:38 . 2008-12-21 12:26      --------      d-----w-      e:\users\Spike\AppData\Roaming\Uniblue
2009-05-29 10:49 . 2008-09-09 14:49      --------      d-----w-      e:\program files\UseNeXT
2009-05-23 13:21 . 2009-05-23 13:06      --------      d-----w-      e:\program files\Your Uninstaller 2008
2009-05-23 13:17 . 2008-07-31 03:38      --------      d--h--w-      e:\program files\InstallShield Installation Information
2009-05-23 13:16 . 2009-05-20 10:54      --------      d-----w-      e:\programdata\CyberLink
2009-05-23 13:13 . 2009-05-20 10:50      53319      ----a-w-      e:\programdata\TEMP\{A8516AC9-AAF1-47F9-9766-03E2D4CDBCF8}\PostBuild.exe
2009-05-23 13:06 . 2009-05-23 13:06      --------      d-----w-      e:\users\Spike\AppData\Roaming\URSoft
2009-05-23 12:18 . 2008-09-06 05:40      --------      d-----w-      e:\program files\Replay Music 3
2009-05-23 11:01 . 2008-11-01 07:19      --------      d-----w-      e:\program files\Internet Download Manager
2009-05-22 11:19 . 2009-05-22 11:19      --------      d-----w-      e:\users\Spike\AppData\Roaming\Sunbelt
2009-05-22 11:18 . 2009-05-22 11:18      --------      d-----w-      e:\programdata\Sunbelt
2009-05-21 11:08 . 2008-12-21 14:27      --------      d-----w-      e:\program files\Cheat Engine
2009-05-20 11:07 . 2009-05-20 10:54      --------      d-----w-      e:\users\Spike\AppData\Roaming\CyberLink
2009-05-20 10:56 . 2009-05-20 10:50      29480      ----a-w-      e:\windows\system32\msxml3a.dll
2009-05-20 10:56 . 2008-07-31 09:07      353576      ----a-w-      e:\windows\system32\msvcr71.dll
2009-05-20 10:56 . 2009-05-20 10:56      53319      ----a-w-      e:\programdata\TEMP\{2B55AF83-017A-4C81-9324-D9D3255642A6}\PostBuild.exe
2009-05-20 10:56 . 2008-07-31 09:07      505128      ----a-w-      e:\windows\system32\msvcp71.dll
2009-05-20 10:53 . 2009-05-20 10:53      --------      d-----w-      e:\program files\Common Files\CyberLink
2009-05-17 06:03 . 2009-05-17 06:03      198064      ----a-w-      e:\users\Spike\AppData\Roaming\IDM\idmmzcc3\components\idmmzcc.dll
2009-05-17 05:21 . 2008-07-31 09:34      --------      d-----w-      e:\program files\Common Files\DVDVideoSoft
2009-05-17 05:19 . 2008-12-21 08:28      --------      d-----w-      e:\program files\Common Files\Common Share
2009-05-16 05:01 . 2009-05-16 05:01      --------      d-----w-      e:\program files\hiro's tool
2009-05-15 00:02 . 2009-05-15 00:02      2373416      ----a-w-      e:\programdata\Nero\Nero\DrWeb\DrWeb32.dll
2009-05-14 23:50 . 2009-05-14 23:50      2373416      ----a-w-      e:\programdata\Nero\Nero 9\DrWeb\DrWeb32.dll
2009-05-14 10:57 . 2008-07-31 09:18      --------      d-----w-      e:\program files\Microsoft Works
2009-05-14 10:47 . 2006-11-02 11:18      --------      d-----w-      e:\program files\Windows Mail
2009-05-11 10:58 . 2009-05-11 10:58      --------      d-----w-      e:\users\Spike\AppData\Roaming\JAM Software
2009-05-08 11:29 . 2008-07-31 03:51      --------      d-----w-      e:\programdata\NVIDIA
2009-05-08 11:25 . 2009-03-18 09:42      --------      d-----w-      e:\program files\Common Files\Wise Installation Wizard
2009-05-08 11:22 . 2009-04-10 04:23      --------      d-----w-      e:\users\Spike\AppData\Roaming\Orbit
2009-04-30 16:08 . 2009-04-30 16:08      1194528      ----a-w-      e:\windows\system32\nvcplui.exe
2009-04-30 16:08 . 2009-04-30 16:08      1292832      ----a-w-      e:\windows\system32\nvsvs.dll
2009-04-30 16:07 . 2009-04-30 16:07      92704      ----a-w-      e:\windows\system32\nvmctray.dll
2009-04-30 16:07 . 2009-04-30 16:07      768544      ----a-w-      e:\windows\system32\nvsvc.dll
2009-04-30 16:07 . 2009-04-30 16:07      4045344      ----a-w-      e:\windows\system32\nvvitvs.dll
2009-04-30 16:07 . 2009-04-30 16:07      4020768      ----a-w-      e:\windows\system32\nvdisps.dll
2009-04-30 16:07 . 2009-04-30 16:07      3516960      ----a-w-      e:\windows\system32\nvgames.dll
2009-04-30 16:07 . 2009-04-30 16:07      3123744      ----a-w-      e:\windows\system32\nvwss.dll
2009-04-30 16:07 . 2009-04-30 16:07      211488      ----a-w-      e:\windows\system32\nvvsvc.exe
2009-04-30 16:07 . 2009-04-30 16:07      195104      ----a-w-      e:\windows\system32\nvmccss.dll
2009-04-30 16:07 . 2009-04-30 16:07      143360      ----a-w-      e:\windows\system32\nvshext.dll
2009-04-30 16:07 . 2009-04-30 16:07      13781536      ----a-w-      e:\windows\system32\nvcpl.dll
2009-04-30 16:07 . 2009-04-30 16:07      1288736      ----a-w-      e:\windows\system32\nvmobls.dll
2009-04-30 14:02 . 2009-04-30 14:02      9850016      ----a-w-      e:\windows\system32\drivers\nvlddmkm.sys
2009-04-30 14:02 . 2009-04-30 14:02      7593472      ----a-w-      e:\windows\system32\nvd3dum.dll
2009-04-30 14:02 . 2009-04-30 14:02      663552      ----a-w-      e:\windows\system32\nvcuvid.dll
2009-04-30 14:02 . 2009-04-30 14:02      457248      ----a-w-      e:\windows\system32\nvudisp.exe
2009-04-30 14:02 . 2009-04-30 14:02      3128320      ----a-w-      e:\windows\system32\nvwgf2um.dll
2009-04-30 14:02 . 2009-04-30 14:02      1704960      ----a-w-      e:\windows\system32\nvcuda.dll
2009-04-30 14:02 . 2009-04-30 14:02      143360      ----a-w-      e:\windows\system32\nvcod146.dll
2009-04-30 14:02 . 2009-04-30 14:02      143360      ----a-w-      e:\windows\system32\nvcod.dll
2009-04-30 14:02 . 2009-04-30 14:02      1314816      ----a-w-      e:\windows\system32\nvcuvenc.dll
2009-04-30 14:02 . 2009-04-30 14:02      10366976      ----a-w-      e:\windows\system32\nvoglv32.dll
2009-04-30 14:02 . 2007-12-11 09:06      983552      ----a-w-      e:\windows\system32\nvapi.dll
2009-04-27 11:21 . 2009-03-20 10:27      96104      ----a-w-      e:\windows\system32\drivers\avipbb.sys
2009-04-27 11:21 . 2009-03-20 10:27      55640      ----a-w-      e:\windows\system32\drivers\avgntflt.sys
2009-04-26 16:42 . 2008-07-31 03:47      457248      ----a-w-      e:\windows\system32\NVUNINST.EXE
2009-04-16 02:48 . 2009-04-16 02:48      23      --sha-w-      e:\windows\system32\fbdaabb3_x.dat
2009-04-04 05:04 . 2008-07-31 03:48      882232      ----a-w-      e:\windows\system32\drivers\tcpip.sys
2009-04-03 14:15 . 2009-04-03 14:16      102664      ----a-w-      e:\windows\system32\drivers\tmcomm.sys
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="e:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]
"WMPNSCFG"="e:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="e:\windows\RtHDVCpl.exe" [2007-08-09 4702208]
"Thumbs"="e:\users\Spike\Desktop\DXWnd\ThumbWin\ThumbWin.exe" [2007-08-29 119808]
"avgnt"="e:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-20 209153]
"mxomssmenu"="e:\program files\Maxtor\OneTouch Status\maxmenumgr.exe" [2008-07-21 169312]
"NvCplDaemon"="e:\windows\system32\NvCpl.dll" [2009-04-30 13781536]
"QuickTime Task"="e:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"a-squared"="e:\program files\A-SQUARED ANTI-MALWARE\a2guard.exe" [2009-06-07 3207824]

e:\users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - e:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]

e:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Privoxy.lnk - e:\program files\Vidalia Bundle\Privoxy\privoxy.exe [2006-11-20 250368]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-1407395325-2259414566-1186877101-1000]
"EnableNotificationsRef"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{5C79436D-F158-47F6-BE30-1197CB29266F}"= e:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{E50BA9EB-C37A-4DB1-A3CA-854085EA202A}"= TCP:6004|e:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{0B9C2E98-B9F9-43CE-98AB-8BBF49CF1305}"= UDP:e:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{C55416D3-B718-4233-ADCB-16BE1ACC1746}"= TCP:e:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{54536ABF-F7CF-4976-9356-97EF31EEA8E0}"= UDP:e:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{79E46E6D-684E-42D6-9365-E41F10710807}"= TCP:e:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;e:\program files\Avira\AntiVir Desktop\sched.exe [20/3/2009 6:27 PM 108289]
S2 .webroot_reset;Webroot Reset; [x]
S3 NPF;NetGroup Packet Filter Driver;e:\windows\System32\drivers\npf.sys [23/12/2008 11:35 PM 50704]
S3 zteusbser;ZTE USB Device for Legacy Serial Communication;e:\windows\System32\drivers\CT_ZTEMT_U_USBSER.sys [1/9/2008 4:41 PM 104320]
S4 AntiVirMailService;Avira AntiVir MailGuard;e:\program files\Avira\AntiVir Desktop\avmailc.exe [20/3/2009 6:27 PM 194817]
S4 AntiVirWebService;Avira AntiVir WebGuard;e:\program files\Avira\AntiVir Desktop\avwebgrd.exe [20/3/2009 6:27 PM 434945]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"e:\windows\System32\rundll32.exe" "e:\windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = local
IE: Download all links with IDM - e:\program files\Internet Download Manager\IEGetAll.htm
IE: Download FLV video content with IDM - e:\program files\Internet Download Manager\IEGetVL.htm
IE: Download with IDM - e:\program files\Internet Download Manager\IEExt.htm
IE: E&xport to Microsoft Excel - e:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: e:\windows\system32\idmmbc.dll
FF - ProfilePath - e:\users\Spike\AppData\Roaming\Mozilla\Firefox\Profiles\m5pizx7x.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=utf-8&fr=megaup&p=
FF - prefs.js: network.proxy.http - 81.219.46.218
FF - prefs.js: network.proxy.http_port - 8080
FF - prefs.js: network.proxy.type - 2
FF - component: e:\users\Spike\AppData\Roaming\IDM\idmmzcc3\components\idmmzcc.dll
FF - component: e:\users\Spike\AppData\Roaming\Mozilla\Firefox\Profiles\m5pizx7x.default\extensions\{81BF1D23-5F17-408D-AC6B-BD6DF7CAF670}\components\XpcomOpusConnector.dll
FF - component: e:\users\Spike\AppData\Roaming\Mozilla\Firefox\Profiles\m5pizx7x.default\extensions\{FCAB6FDD-5585-425b-95C1-5ED856F3FD08}\components\nsCatcher.dll
FF - HiddenExtension: Java Console: No Registry Reference - e:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-02 09:53
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...  

scanning hidden autostart entries ...

scanning hidden files ...  

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1407395325-2259414566-1186877101-1000_Classes\CLSID\{6aafe09b-dc33-4682-b332-8643f99e58be}]
@Denied: (Full) (Everyone)
@Allowed: (Read) (RestrictedCode)
"Model"=dword:00000115
"Therad"=dword:0000001b
"MData"=hex(0):cb,9b,ad,ef,27,7d,29,69,f5,02,f0,76,aa,4a,f1,7c,d3,d9,67,7f,6a,
   4b,7b,ad,4d,51,c8,2e,97,6b,20,ae,9f,a5,91,2f,47,1f,5f,13,d7,34,45,07,bf,10,\

[HKEY_USERS\S-1-5-21-1407395325-2259414566-1186877101-1000_Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
@Denied: (Full) (Everyone)
@Allowed: (Read) (RestrictedCode)
"scansk"=hex(0):48,41,4a,c5,da,f8,d2,23,da,28,0c,80,d0,fe,40,ab,c0,46,3d,17,71,
   34,cc,67,f0,c4,9a,b0,63,38,f5,b0,49,b5,3f,ce,64,18,6a,23,00,00,00,00,00,00,\

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2009-07-02  9:55
ComboFix-quarantined-files.txt  2009-07-02 01:55

Pre-Run: 40,556,527,616 bytes free
Post-Run: 42,309,668,864 bytes free

266      --- E O F ---      2009-06-27 14:38
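Reading a ComboFix log like the one above is a manual cross-referencing job: which of the deleted files correspond to the original antivirus alerts, which names belong to the same family (here everything shares the random prefix `hjgrui`, across DLLs, a `.dat`, a `.sys` driver and a service), and what else in the "Supplementary Scan" deserves a second look. The Python below is an added triage helper written for this page; it is not code from the thread, from ComboFix or from Avira. The log excerpt and alert paths embedded in it are constructed from the text posted above, and the section-header format it parses (`(((( Name ))))` and `------- Name -------`) is assumed from this log.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Constructed excerpt modelled on the ComboFix log posted in the thread;
# it is not the complete log, only the sections the helper reads.
SAMPLE_LOG = r"""
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

e:\windows\system32\ammppg.dll
e:\windows\system32\drivers\hjgruitbrpxprn.sys
e:\windows\system32\hjgruiiwxskief.dat
e:\windows\system32\hjgruijwqvdmpn.dll
e:\windows\system32\hjgruiqmlrbdqp.dll
e:\windows\system32\hjgruirpibiihx.dat
e:\windows\system32\mlfcache.dat
e:\windows\system32\WgaLogon.dll

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_hjgruifpbwydtm

((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-02 01:44 . 2009-05-08 11:29      65327      ----a-w-      e:\programdata\nvModes.dat
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
FF - prefs.js: network.proxy.http - 81.219.46.218
FF - prefs.js: network.proxy.http_port - 8080
FF - prefs.js: network.proxy.type - 2
"""

# The two Avira alert paths from the opening post, as an analyst would transcribe them.
AVIRA_ALERTS = [
    r"E:\Windows\System32\hjgruiqmlrbdqp.dll",
    r"E:\Windows\Temp\hjgruiryrqxojkeg.tmp",
]

# Section headers: a run of '(' or '-' , whitespace, the name, whitespace, a run of ')' or '-'.
# The removed-service line '-------\Service_x' has no whitespace after the dashes, so it does not match.
SECTION_RE = re.compile(r"^(?:\(+|-+)\s+(.+?)\s+(?:\)+|-+)$")
PREFS_RE = re.compile(r"^FF - prefs\.js: (network\.proxy\.\S+) - (.*)$")


def parse_sections(log: str) -> dict[str, list[str]]:
    """Split the log into named sections, dropping blank lines and the '.' filler lines."""
    sections: dict[str, list[str]] = {}
    current = "Header"
    for raw in log.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1)
            sections.setdefault(current, [])
            continue
        sections.setdefault(current, []).append(line)
    return sections


def basename(path: str) -> str:
    """Lower-cased final path component, so alert and log paths compare regardless of case."""
    return PureWindowsPath(path).name.lower()


def removed_artifacts(sections: dict[str, list[str]]) -> list[str]:
    """Names of files and services ComboFix reports removing."""
    names = [basename(p) for p in sections.get("Other Deletions", [])]
    for entry in sections.get("Drivers/Services", []):
        name = basename(entry)               # '-------\Service_x' -> 'service_x'
        if name.startswith("service_"):
            name = name[len("service_"):]
        names.append(name)
    return names


def shared_prefixes(names: list[str], min_len: int = 5, min_count: int = 3) -> list[str]:
    """Longest prefix (>= min_len chars) shared by at least min_count names.

    This family names every component with one random prefix, so clustering on
    it ties the DLLs, .dat files, driver and service together as one infection."""
    stems = [n.rsplit(".", 1)[0] for n in names]
    longest = max((len(s) for s in stems), default=0)
    for length in range(longest, min_len - 1, -1):
        counts = Counter(s[:length] for s in stems if len(s) >= length)
        hits = sorted(p for p, c in counts.items() if c >= min_count)
        if hits:
            return hits
    return []


def reconcile_alerts(alerts: list[str], removed: list[str], prefixes: list[str]) -> dict[str, str]:
    """Say, for each AV alert path, how it relates to what ComboFix removed."""
    removed_set = set(removed)
    verdicts: dict[str, str] = {}
    for path in alerts:
        name = basename(path)
        if name in removed_set:
            verdicts[name] = "removed by ComboFix"
        elif any(name.startswith(p) for p in prefixes):
            verdicts[name] = "same family prefix, not in deletions (check AV quarantine)"
        else:
            verdicts[name] = "not seen in ComboFix log"
    return verdicts


def proxy_settings(sections: dict[str, list[str]]) -> dict[str, str]:
    """Firefox proxy prefs from the Supplementary Scan; a hard-coded proxy address is worth reviewing."""
    found: dict[str, str] = {}
    for line in sections.get("Supplementary Scan", []):
        m = PREFS_RE.match(line)
        if m:
            found[m.group(1)] = m.group(2).strip()
    return found


def triage(log: str, alerts: list[str]) -> dict:
    """Full pass: removed artifacts, their shared prefix, alert reconciliation, proxy prefs."""
    sections = parse_sections(log)
    removed = removed_artifacts(sections)
    prefixes = shared_prefixes(removed)
    return {
        "removed": removed,
        "prefixes": prefixes,
        "alerts": reconcile_alerts(alerts, removed, prefixes),
        "proxy": proxy_settings(sections),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG, AVIRA_ALERTS).items():
        print(f"{key}: {value}")
```

Run against the excerpt, the helper reports that `hjgruiqmlrbdqp.dll` (the boot-time Avira hit) is in the deletions, that the `Temp\hjgrui...tmp` file shares the family prefix but was not in ComboFix's list (Avira had already deleted it, per the second alert), and it surfaces the Firefox `network.proxy.*` prefs pointing at a hard-coded address so the analyst can decide whether that configuration was intended.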
 

Author Comment

by:toggle151
ID: 24760005
BTW Avira no longer detects the viruses on boot... I guess it's solved! Case closed :) THANKS A LOT GUYS for everything :)
 

Author Closing Comment

by:toggle151
ID: 31598362
Spot on... thanks
