Solved

Avira antivirus giving me fake alerts?

Posted on 2009-06-30
Last Modified: 2013-11-22
My Avira detected this when I had just booted my comp.

Virus or unwanted program 'TR/TDss.yux [trojan]'
detected in file 'E:\Windows\System32\hjgruiqmlrbdqp.dll.
Action performed: Allow access.

and this when i opened Windows Live! mail

Virus or unwanted program 'TR/TDss.yux [trojan]'
detected in file 'E:\Windows\Temp\hjgruiryrqxojkeg.tmp.
Action performed: Delete file.

The thing is I can't find these files on the system...but the alert keeps popping up...what files could these be?
Question by:toggle151
11 Comments
 
LVL 13

Expert Comment

by:JeremySBrown
ID: 24746288
Hi toggle151,

The files are probably hidden...if you go to My Computer...then select Tools...then select Folder Options...select the View tab. Make sure that "Show hidden files and folders" is selected. Make sure that you don't delete any files from here...they're hidden for a reason and might corrupt your OS if deleted. Try scanning with another antivirus...and see if it detects these files...it's possible that Avira might be detecting false alerts.
 
LVL 23

Accepted Solution

by:
Mohamed Osama earned 500 total points
ID: 24750219
Virus or unwanted program 'TR/TDss.yux [trojan]'
detected in file 'E:\Windows\Temp\hjgruiryrqxojkeg.tmp.
Action performed: Delete file.


Sounds like a genuine detection to me; if this file name is not malware related, then nothing is :)
TDSS is a known rootkit that is also associated with Vundo or Zlob Trojan infections in most cases. I would suggest you first run a full scan with Avira in safe mode, then try Malwarebytes Anti-Malware, and then use Combofix if the problem persists; please post logs of both if you run them.
 
LVL 13

Expert Comment

by:JeremySBrown
ID: 24750290
You might want to try scanning with Dr. Web Anti-Virus as well.
http://www.freedrweb.com/
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 24750892
Those are not fake alerts...

Have those quarantined or deleted by your resident antivirus.
Or use MalwareBytes or Combofix as already suggested, which both take care of TDSS rootkits. Combofix is the best tool for this as it removes all relevant registry entries as well.

You need to rename MalwareBytes or Combofix before saving the file to your desktop, as these nasties often block these tools from running.

Run MalwareBytes and/or Combofix in normal mode, not safe mode.

 
LVL 13

Expert Comment

by:JeremySBrown
ID: 24750947
Yep...rpggamergirl is correct...these are not fake alerts...after doing some more research...Combofix can detect it...but won't delete it...I don't know if any other Expert(s) experienced or knew of this before...but I just wanted to let the other Experts know...in case they didn't.
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 24752616
Combofix removes TDSS* rootkits, and for other variants not in its database Combofix has a script function that can delete anything you input into the script;
that's why we ask to look at a Combofix log, because any bad files, services, or reg entries not removed in its first run can be removed in the second run.
 
LVL 7

Expert Comment

by:Phateon
ID: 24752917
Better, use the Avira RescueCD. It will work most of the time, as these files will not be in use.
Some help about the Avira RescueCD can be found here: http://forum.avira.com/wbb/index.php?page=Thread&threadID=82163
 
LVL 13

Expert Comment

by:JeremySBrown
ID: 24756480
Oops!...I should have been more clear in my last comment...I knew already that Combofix doesn't remove all of the infections on the first scan...and I understand that's why the Experts want to look at the Combofix log for any missed files that should be removed...my comment is meant to state that...Combofix, as far as I know, will detect it...but won't delete it...on the first run.
 

Author Comment

by:toggle151
ID: 24759850
This is the log that I got from Combofix...according to this it should have solved the problem...and I figure the problem came from a WGA crack I used for Vista...could any of these be false positives or are they really rootkits? BTW thanks for all the help so far guys

ComboFix 09-07-01.01 - Spike 02/07/2009  9:44.1 - NTFSx86
Microsoft® Windows Vista™ Ultimate   6.0.6001.1.1252.65.1033.18.2046.1177 [GMT 8:00]
Running from: e:\users\Spike\Desktop\ComboFix.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

e:\windows\system32\ammppg.dll
e:\windows\system32\drivers\hjgruitbrpxprn.sys
e:\windows\system32\hjgruiiwxskief.dat
e:\windows\system32\hjgruijwqvdmpn.dll
e:\windows\system32\hjgruiqmlrbdqp.dll
e:\windows\system32\hjgruirpibiihx.dat
e:\windows\system32\mlfcache.dat
e:\windows\system32\WgaLogon.dll

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_hjgruifpbwydtm


(((((((((((((((((((((((((   Files Created from 2009-06-02 to 2009-07-02  )))))))))))))))))))))))))))))))
.

2009-07-02 01:53 . 2009-07-02 01:53      --------      d-----w-      e:\users\Administrator\AppData\Local\temp
2009-07-01 12:04 . 2009-07-01 12:04      198064      ----a-w-      e:\users\Administrator\AppData\Roaming\IDM\idmmzcc3\components\idmmzcc.dll
2009-07-01 12:04 . 2009-07-01 12:04      --------      d-----w-      e:\users\Administrator\AppData\Roaming\IDM
2009-07-01 12:04 . 2009-07-01 12:04      --------      d-----w-      e:\users\Administrator\AppData\Roaming\DMCache
2009-06-30 02:21 . 2009-06-30 12:46      --------      d-----w-      e:\users\Spike\AppData\Roaming\tor
2009-06-29 13:10 . 2004-08-03 23:00      506368      ----a-w-      e:\windows\system32\msxml.dll
2009-06-29 12:33 . 2009-06-29 12:33      --------      d-----w-      e:\program files\MKVtoolnix
2009-06-29 12:33 . 2009-06-29 12:33      --------      d-----w-      e:\program files\DirectVobSub
2009-06-29 11:20 . 2009-06-29 11:30      --------      d-----w-      e:\program files\Nero
2009-06-29 11:20 . 2009-06-29 11:31      --------      d-----w-      e:\program files\Common Files\Nero
2009-06-29 11:20 . 2009-06-29 11:23      --------      d-----w-      e:\programdata\Nero
2009-06-29 11:20 . 2008-08-20 03:33      1315328      ----a-w-      e:\windows\system32\ole32.dll
2009-06-29 10:33 . 2009-06-29 10:33      --------      d-----w-      e:\program files\MainConcept
2009-06-29 10:27 . 2009-06-29 10:33      --------      d-----w-      e:\program files\megui
2009-06-29 10:26 . 2009-06-29 10:26      --------      d-----w-      e:\program files\Xvid
2009-06-29 10:26 . 2009-06-07 08:24      180224      ----a-w-      e:\windows\system32\xvidvfw.dll
2009-06-29 10:26 . 2009-06-07 08:16      819200      ----a-w-      e:\windows\system32\xvidcore.dll
2009-06-29 10:26 . 2009-06-29 10:26      --------      d-----w-      e:\program files\AC3Filter
2009-06-29 10:23 . 2009-05-15 11:36      85504      ----a-w-      e:\windows\system32\ff_vfw.dll
2009-06-29 10:23 . 2009-06-29 10:23      --------      d-----w-      e:\program files\ffdshow
2009-06-29 10:23 . 2009-05-15 11:36      60273      ----a-w-      e:\windows\system32\pthreadGC2.dll
2009-06-29 10:23 . 2009-06-29 10:23      --------      d-----w-      e:\program files\Common Files\Sonic Shared
2009-06-29 10:23 . 2009-06-29 10:23      --------      d-----w-      e:\program files\Sonic
2009-06-29 10:22 . 2009-06-29 10:22      --------      d-----w-      e:\program files\CoreCodec
2009-06-29 10:21 . 2009-06-29 10:21      --------      d-----w-      e:\program files\Haali
2009-06-29 10:14 . 2009-06-30 12:56      --------      d-----w-      e:\program files\a-squared Anti-Malware
2009-06-29 10:13 . 2009-06-29 10:13      --------      d-----w-      e:\program files\Wireshark
2009-06-29 10:12 . 2009-06-29 10:12      --------      d-----w-      e:\program files\VideoLAN
2009-06-29 10:11 . 2009-06-30 12:46      --------      d-----w-      e:\users\Spike\AppData\Roaming\Vidalia
2009-06-29 10:11 . 2009-06-29 10:11      --------      d-----w-      e:\program files\Vidalia Bundle
2009-06-29 10:11 . 2009-06-29 10:11      --------      d-----w-      e:\program files\Real Alternative
2009-06-29 10:07 . 2009-06-29 10:07      --------      d-----w-      e:\program files\Apple Software Update
2009-06-29 10:04 . 2009-06-29 10:04      --------      d-----w-      e:\program files\LimeWire
2009-06-26 16:01 . 2009-04-20 14:28      57016      ----a-w-      e:\windows\system32\imsys.dll
2009-06-26 16:01 . 2009-04-20 14:28      233144      ----a-w-      e:\windows\system32\IMImage.dll
2009-06-26 16:01 . 2009-04-20 14:28      367800      ----a-w-      e:\windows\system32\iimds.dll
2009-06-26 16:01 . 2009-02-10 16:02      14848      ----a-w-      e:\windows\system32\iimir.dll
2009-06-26 15:52 . 2009-06-26 16:02      --------      d-----w-      e:\program files\iMacros
2009-06-26 12:41 . 2009-06-23 05:52      57344      ----a-w-      e:\users\Spike\AppData\Roaming\Mozilla\Firefox\Profiles\m5pizx7x.default\extensions\{FCAB6FDD-5585-425b-95C1-5ED856F3FD08}\components\nsCatcher.dll
2009-06-26 12:41 . 2009-06-08 06:00      110592      ----a-w-      e:\users\Spike\AppData\Roaming\Mozilla\Firefox\Profiles\m5pizx7x.default\extensions\{81BF1D23-5F17-408D-AC6B-BD6DF7CAF670}\components\XpcomOpusConnector.dll
2009-06-14 13:23 . 2009-04-30 12:37      293376      ----a-w-      e:\windows\system32\psisdecd.dll
2009-06-14 13:23 . 2009-04-30 12:37      428544      ----a-w-      e:\windows\system32\EncDec.dll
2009-06-11 05:26 . 2009-04-21 11:55      2033152      ----a-w-      e:\windows\system32\win32k.sys
2009-06-11 05:26 . 2009-04-23 12:42      636928      ----a-w-      e:\windows\system32\localspl.dll
2009-06-11 05:25 . 2009-05-09 05:50      915456      ----a-w-      e:\windows\system32\wininet.dll
2009-06-11 05:25 . 2009-05-09 05:34      71680      ----a-w-      e:\windows\system32\iesetup.dll
2009-06-11 05:25 . 2009-04-23 12:43      784896      ----a-w-      e:\windows\system32\rpcrt4.dll
2009-06-09 10:43 . 2009-06-09 10:45      --------      d-----w-      e:\users\Spike\AppData\Roaming\CopyTrans
2009-06-05 10:42 . 2009-07-02 01:32      4096      ----a-w-      e:\windows\system32\detoured.dll

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-02 01:44 . 2009-05-08 11:29      65327      ----a-w-      e:\programdata\nvModes.dat
2009-07-01 16:57 . 2009-03-18 06:23      --------      d-----w-      e:\program files\Warcraft III
2009-06-30 14:56 . 2008-07-31 04:27      --------      d-----w-      e:\users\Spike\AppData\Roaming\DMCache
2009-06-30 14:20 . 2009-01-17 06:23      --------      d-----w-      e:\program files\Left 4 Dead
2009-06-29 12:32 . 2008-11-15 10:06      --------      d-----w-      e:\users\Spike\AppData\Roaming\Nero
2009-06-29 10:23 . 2008-11-01 16:01      --------      d-----w-      e:\program files\Common Files\Roxio Shared
2009-06-29 10:13 . 2009-02-14 02:48      --------      d-----w-      e:\program files\WinPcap
2009-06-29 10:10 . 2008-07-31 09:34      --------      d-----w-      e:\program files\FLV Player
2009-06-29 10:09 . 2009-06-29 10:08      --------      d-----w-      e:\program files\QuickTime
2009-06-29 10:08 . 2009-06-29 10:08      --------      d-----w-      e:\program files\AviSynth 2.5
2009-06-29 10:08 . 2009-06-29 10:08      --------      d-----w-      e:\program files\AnMing
2009-06-29 10:06 . 2009-01-04 14:27      --------      d-----w-      e:\programdata\WinZip
2009-06-29 09:13 . 2008-11-01 07:19      --------      d-----w-      e:\users\Spike\AppData\Roaming\IDM
2009-06-29 09:11 . 2008-11-15 10:04      --------      d-----w-      e:\program files\Nero 9
2009-06-21 15:42 . 2008-09-09 14:49      --------      d-----w-      e:\users\Spike\AppData\Roaming\UseNeXT
2009-06-13 05:50 . 2008-07-31 05:22      --------      d-----w-      e:\programdata\Microsoft Help
2009-06-09 12:14 . 2009-03-20 12:29      97608      ----a-w-      e:\windows\system32\drivers\avfwot.sys
2009-06-06 16:35 . 2008-08-05 13:09      --------      d-----w-      e:\users\Spike\AppData\Roaming\LimeWire
2009-05-30 13:57 . 2008-08-16 04:25      --------      d-----w-      e:\users\Spike\AppData\Roaming\MyPhoneExplorer
2009-05-30 11:00 . 2008-08-23 09:37      --------      d-----w-      e:\program files\MyPhoneExplorer
2009-05-30 02:38 . 2009-05-30 02:23      --------      d-----w-      e:\programdata\DriverScanner
2009-05-30 02:38 . 2009-05-30 02:22      --------      dc-h--w-      e:\programdata\{66E2F539-12B6-4870-A500-7689CDE75C5E}
2009-05-30 02:38 . 2008-12-21 12:26      --------      d-----w-      e:\users\Spike\AppData\Roaming\Uniblue
2009-05-29 10:49 . 2008-09-09 14:49      --------      d-----w-      e:\program files\UseNeXT
2009-05-23 13:21 . 2009-05-23 13:06      --------      d-----w-      e:\program files\Your Uninstaller 2008
2009-05-23 13:17 . 2008-07-31 03:38      --------      d--h--w-      e:\program files\InstallShield Installation Information
2009-05-23 13:16 . 2009-05-20 10:54      --------      d-----w-      e:\programdata\CyberLink
2009-05-23 13:13 . 2009-05-20 10:50      53319      ----a-w-      e:\programdata\TEMP\{A8516AC9-AAF1-47F9-9766-03E2D4CDBCF8}\PostBuild.exe
2009-05-23 13:06 . 2009-05-23 13:06      --------      d-----w-      e:\users\Spike\AppData\Roaming\URSoft
2009-05-23 12:18 . 2008-09-06 05:40      --------      d-----w-      e:\program files\Replay Music 3
2009-05-23 11:01 . 2008-11-01 07:19      --------      d-----w-      e:\program files\Internet Download Manager
2009-05-22 11:19 . 2009-05-22 11:19      --------      d-----w-      e:\users\Spike\AppData\Roaming\Sunbelt
2009-05-22 11:18 . 2009-05-22 11:18      --------      d-----w-      e:\programdata\Sunbelt
2009-05-21 11:08 . 2008-12-21 14:27      --------      d-----w-      e:\program files\Cheat Engine
2009-05-20 11:07 . 2009-05-20 10:54      --------      d-----w-      e:\users\Spike\AppData\Roaming\CyberLink
2009-05-20 10:56 . 2009-05-20 10:50      29480      ----a-w-      e:\windows\system32\msxml3a.dll
2009-05-20 10:56 . 2008-07-31 09:07      353576      ----a-w-      e:\windows\system32\msvcr71.dll
2009-05-20 10:56 . 2009-05-20 10:56      53319      ----a-w-      e:\programdata\TEMP\{2B55AF83-017A-4C81-9324-D9D3255642A6}\PostBuild.exe
2009-05-20 10:56 . 2008-07-31 09:07      505128      ----a-w-      e:\windows\system32\msvcp71.dll
2009-05-20 10:53 . 2009-05-20 10:53      --------      d-----w-      e:\program files\Common Files\CyberLink
2009-05-17 06:03 . 2009-05-17 06:03      198064      ----a-w-      e:\users\Spike\AppData\Roaming\IDM\idmmzcc3\components\idmmzcc.dll
2009-05-17 05:21 . 2008-07-31 09:34      --------      d-----w-      e:\program files\Common Files\DVDVideoSoft
2009-05-17 05:19 . 2008-12-21 08:28      --------      d-----w-      e:\program files\Common Files\Common Share
2009-05-16 05:01 . 2009-05-16 05:01      --------      d-----w-      e:\program files\hiro's tool
2009-05-15 00:02 . 2009-05-15 00:02      2373416      ----a-w-      e:\programdata\Nero\Nero\DrWeb\DrWeb32.dll
2009-05-14 23:50 . 2009-05-14 23:50      2373416      ----a-w-      e:\programdata\Nero\Nero 9\DrWeb\DrWeb32.dll
2009-05-14 10:57 . 2008-07-31 09:18      --------      d-----w-      e:\program files\Microsoft Works
2009-05-14 10:47 . 2006-11-02 11:18      --------      d-----w-      e:\program files\Windows Mail
2009-05-11 10:58 . 2009-05-11 10:58      --------      d-----w-      e:\users\Spike\AppData\Roaming\JAM Software
2009-05-08 11:29 . 2008-07-31 03:51      --------      d-----w-      e:\programdata\NVIDIA
2009-05-08 11:25 . 2009-03-18 09:42      --------      d-----w-      e:\program files\Common Files\Wise Installation Wizard
2009-05-08 11:22 . 2009-04-10 04:23      --------      d-----w-      e:\users\Spike\AppData\Roaming\Orbit
2009-04-30 16:08 . 2009-04-30 16:08      1194528      ----a-w-      e:\windows\system32\nvcplui.exe
2009-04-30 16:08 . 2009-04-30 16:08      1292832      ----a-w-      e:\windows\system32\nvsvs.dll
2009-04-30 16:07 . 2009-04-30 16:07      92704      ----a-w-      e:\windows\system32\nvmctray.dll
2009-04-30 16:07 . 2009-04-30 16:07      768544      ----a-w-      e:\windows\system32\nvsvc.dll
2009-04-30 16:07 . 2009-04-30 16:07      4045344      ----a-w-      e:\windows\system32\nvvitvs.dll
2009-04-30 16:07 . 2009-04-30 16:07      4020768      ----a-w-      e:\windows\system32\nvdisps.dll
2009-04-30 16:07 . 2009-04-30 16:07      3516960      ----a-w-      e:\windows\system32\nvgames.dll
2009-04-30 16:07 . 2009-04-30 16:07      3123744      ----a-w-      e:\windows\system32\nvwss.dll
2009-04-30 16:07 . 2009-04-30 16:07      211488      ----a-w-      e:\windows\system32\nvvsvc.exe
2009-04-30 16:07 . 2009-04-30 16:07      195104      ----a-w-      e:\windows\system32\nvmccss.dll
2009-04-30 16:07 . 2009-04-30 16:07      143360      ----a-w-      e:\windows\system32\nvshext.dll
2009-04-30 16:07 . 2009-04-30 16:07      13781536      ----a-w-      e:\windows\system32\nvcpl.dll
2009-04-30 16:07 . 2009-04-30 16:07      1288736      ----a-w-      e:\windows\system32\nvmobls.dll
2009-04-30 14:02 . 2009-04-30 14:02      9850016      ----a-w-      e:\windows\system32\drivers\nvlddmkm.sys
2009-04-30 14:02 . 2009-04-30 14:02      7593472      ----a-w-      e:\windows\system32\nvd3dum.dll
2009-04-30 14:02 . 2009-04-30 14:02      663552      ----a-w-      e:\windows\system32\nvcuvid.dll
2009-04-30 14:02 . 2009-04-30 14:02      457248      ----a-w-      e:\windows\system32\nvudisp.exe
2009-04-30 14:02 . 2009-04-30 14:02      3128320      ----a-w-      e:\windows\system32\nvwgf2um.dll
2009-04-30 14:02 . 2009-04-30 14:02      1704960      ----a-w-      e:\windows\system32\nvcuda.dll
2009-04-30 14:02 . 2009-04-30 14:02      143360      ----a-w-      e:\windows\system32\nvcod146.dll
2009-04-30 14:02 . 2009-04-30 14:02      143360      ----a-w-      e:\windows\system32\nvcod.dll
2009-04-30 14:02 . 2009-04-30 14:02      1314816      ----a-w-      e:\windows\system32\nvcuvenc.dll
2009-04-30 14:02 . 2009-04-30 14:02      10366976      ----a-w-      e:\windows\system32\nvoglv32.dll
2009-04-30 14:02 . 2007-12-11 09:06      983552      ----a-w-      e:\windows\system32\nvapi.dll
2009-04-27 11:21 . 2009-03-20 10:27      96104      ----a-w-      e:\windows\system32\drivers\avipbb.sys
2009-04-27 11:21 . 2009-03-20 10:27      55640      ----a-w-      e:\windows\system32\drivers\avgntflt.sys
2009-04-26 16:42 . 2008-07-31 03:47      457248      ----a-w-      e:\windows\system32\NVUNINST.EXE
2009-04-16 02:48 . 2009-04-16 02:48      23      --sha-w-      e:\windows\system32\fbdaabb3_x.dat
2009-04-04 05:04 . 2008-07-31 03:48      882232      ----a-w-      e:\windows\system32\drivers\tcpip.sys
2009-04-03 14:15 . 2009-04-03 14:16      102664      ----a-w-      e:\windows\system32\drivers\tmcomm.sys
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="e:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]
"WMPNSCFG"="e:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="e:\windows\RtHDVCpl.exe" [2007-08-09 4702208]
"Thumbs"="e:\users\Spike\Desktop\DXWnd\ThumbWin\ThumbWin.exe" [2007-08-29 119808]
"avgnt"="e:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-20 209153]
"mxomssmenu"="e:\program files\Maxtor\OneTouch Status\maxmenumgr.exe" [2008-07-21 169312]
"NvCplDaemon"="e:\windows\system32\NvCpl.dll" [2009-04-30 13781536]
"QuickTime Task"="e:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"a-squared"="e:\program files\A-SQUARED ANTI-MALWARE\a2guard.exe" [2009-06-07 3207824]

e:\users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - e:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]

e:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Privoxy.lnk - e:\program files\Vidalia Bundle\Privoxy\privoxy.exe [2006-11-20 250368]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-1407395325-2259414566-1186877101-1000]
"EnableNotificationsRef"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{5C79436D-F158-47F6-BE30-1197CB29266F}"= e:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{E50BA9EB-C37A-4DB1-A3CA-854085EA202A}"= TCP:6004|e:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{0B9C2E98-B9F9-43CE-98AB-8BBF49CF1305}"= UDP:e:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{C55416D3-B718-4233-ADCB-16BE1ACC1746}"= TCP:e:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{54536ABF-F7CF-4976-9356-97EF31EEA8E0}"= UDP:e:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{79E46E6D-684E-42D6-9365-E41F10710807}"= TCP:e:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;e:\program files\Avira\AntiVir Desktop\sched.exe [20/3/2009 6:27 PM 108289]
S2 .webroot_reset;Webroot Reset; [x]
S3 NPF;NetGroup Packet Filter Driver;e:\windows\System32\drivers\npf.sys [23/12/2008 11:35 PM 50704]
S3 zteusbser;ZTE USB Device for Legacy Serial Communication;e:\windows\System32\drivers\CT_ZTEMT_U_USBSER.sys [1/9/2008 4:41 PM 104320]
S4 AntiVirMailService;Avira AntiVir MailGuard;e:\program files\Avira\AntiVir Desktop\avmailc.exe [20/3/2009 6:27 PM 194817]
S4 AntiVirWebService;Avira AntiVir WebGuard;e:\program files\Avira\AntiVir Desktop\avwebgrd.exe [20/3/2009 6:27 PM 434945]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"e:\windows\System32\rundll32.exe" "e:\windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = local
IE: Download all links with IDM - e:\program files\Internet Download Manager\IEGetAll.htm
IE: Download FLV video content with IDM - e:\program files\Internet Download Manager\IEGetVL.htm
IE: Download with IDM - e:\program files\Internet Download Manager\IEExt.htm
IE: E&xport to Microsoft Excel - e:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: e:\windows\system32\idmmbc.dll
FF - ProfilePath - e:\users\Spike\AppData\Roaming\Mozilla\Firefox\Profiles\m5pizx7x.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=utf-8&fr=megaup&p=
FF - prefs.js: network.proxy.http - 81.219.46.218
FF - prefs.js: network.proxy.http_port - 8080
FF - prefs.js: network.proxy.type - 2
FF - component: e:\users\Spike\AppData\Roaming\IDM\idmmzcc3\components\idmmzcc.dll
FF - component: e:\users\Spike\AppData\Roaming\Mozilla\Firefox\Profiles\m5pizx7x.default\extensions\{81BF1D23-5F17-408D-AC6B-BD6DF7CAF670}\components\XpcomOpusConnector.dll
FF - component: e:\users\Spike\AppData\Roaming\Mozilla\Firefox\Profiles\m5pizx7x.default\extensions\{FCAB6FDD-5585-425b-95C1-5ED856F3FD08}\components\nsCatcher.dll
FF - HiddenExtension: Java Console: No Registry Reference - e:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-02 09:53
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...  

scanning hidden autostart entries ...

scanning hidden files ...  

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1407395325-2259414566-1186877101-1000_Classes\CLSID\{6aafe09b-dc33-4682-b332-8643f99e58be}]
@Denied: (Full) (Everyone)
@Allowed: (Read) (RestrictedCode)
"Model"=dword:00000115
"Therad"=dword:0000001b
"MData"=hex(0):cb,9b,ad,ef,27,7d,29,69,f5,02,f0,76,aa,4a,f1,7c,d3,d9,67,7f,6a,
   4b,7b,ad,4d,51,c8,2e,97,6b,20,ae,9f,a5,91,2f,47,1f,5f,13,d7,34,45,07,bf,10,\

[HKEY_USERS\S-1-5-21-1407395325-2259414566-1186877101-1000_Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
@Denied: (Full) (Everyone)
@Allowed: (Read) (RestrictedCode)
"scansk"=hex(0):48,41,4a,c5,da,f8,d2,23,da,28,0c,80,d0,fe,40,ab,c0,46,3d,17,71,
   34,cc,67,f0,c4,9a,b0,63,38,f5,b0,49,b5,3f,ce,64,18,6a,23,00,00,00,00,00,00,\

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2009-07-02  9:55
ComboFix-quarantined-files.txt  2009-07-02 01:55

Pre-Run: 40,556,527,616 bytes free
Post-Run: 42,309,668,864 bytes free

266      --- E O F ---      2009-06-27 14:38
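As an added example (not code from this thread, from ComboFix, or from any of the experts), here is a small Python triage script for a ComboFix log in the layout posted above. It answers the "false positive or real rootkit?" question the way the experts did: by checking whether the deleted files share a random-looking name prefix, whether a removed service carries the same prefix, whether protective settings (UAC, the firewall) were switched off, and whether the browser has an explicit proxy it did not ask for. The embedded log text is a constructed excerpt of the posted log, and the prefix length and family-size thresholds are my own heuristics, not ComboFix behaviour.

```python
import re
from collections import defaultdict

# Constructed sample in ComboFix's log layout, assembled from a few lines of the
# log posted in this thread (section banners, part of "Other Deletions", the
# removed service, two policy values and the Firefox proxy prefs). Not a full log.
SAMPLE_LOG = r"""
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

e:\windows\system32\ammppg.dll
e:\windows\system32\drivers\hjgruitbrpxprn.sys
e:\windows\system32\hjgruiqmlrbdqp.dll
e:\windows\system32\WgaLogon.dll

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_hjgruifpbwydtm

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)
.
------- Supplementary Scan -------
.
FF - prefs.js: network.proxy.http - 81.219.46.218
FF - prefs.js: network.proxy.http_port - 8080
FF - prefs.js: network.proxy.type - 2
"""

# Section banners look like "((((   Name   ))))" or "------- Name -------".
SECTION_RE = re.compile(r"^[(]+\s+(.+?)\s+[)]+$|^-+\s+(.+?)\s+-+$")
# Removed services are listed as "-------\Service_<name>".
SERVICE_RE = re.compile(r"^-+\\Service_(\w+)$")
# Policy values ComboFix prints under Reg Loading Points; 0 means switched off.
SETTING_RE = re.compile(r'^"(EnableLUA|EnableFirewall)"\s*=\s*(\d+)')
# Firefox proxy preferences echoed from prefs.js.
FF_PROXY_RE = re.compile(r"^FF - prefs\.js: (network\.proxy\.\w+) - (\S+)$")


def parse_sections(text):
    """Split the log into {banner name: [non-empty lines]}; '.' filler is dropped."""
    sections = defaultdict(list)
    current = "Header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1) or m.group(2)
            continue
        sections[current].append(line)
    return dict(sections)


def name_families(paths, prefix_len=6, min_members=2):
    """Group basenames by their first prefix_len characters (assumed heuristic).
    Families with min_members or more share a random-looking prefix, the naming
    habit of the hjgrui* files in the posted log."""
    families = defaultdict(list)
    for p in paths:
        base = p.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if len(base) > prefix_len:
            families[base[:prefix_len]].append(p)
    return {k: v for k, v in families.items() if len(v) >= min_members}


def triage(text, prefix_len=6):
    """Return the indicators found in a ComboFix log plus human-readable findings."""
    sections = parse_sections(text)
    deletions = sections.get("Other Deletions", [])
    services = [m.group(1) for line in sections.get("Drivers/Services", [])
                if (m := SERVICE_RE.match(line))]
    families = name_families(deletions, prefix_len)
    linked_services = [s for s in services
                       if any(s.lower().startswith(p) for p in families)]
    weakened, proxy = [], {}
    for lines in sections.values():
        for line in lines:
            m = SETTING_RE.match(line)
            if m and int(m.group(2)) == 0:
                weakened.append(m.group(1))
            m = FF_PROXY_RE.match(line)
            if m:
                proxy[m.group(1)] = m.group(2)
    findings = []
    if families:
        findings.append("deleted files share a random-looking prefix: " + ", ".join(sorted(families)))
    if linked_services:
        findings.append("a removed service carries the same prefix: " + ", ".join(linked_services))
    if weakened:
        findings.append("protective settings switched off (confirm you did not do this yourself): "
                        + ", ".join(weakened))
    if "network.proxy.http" in proxy:
        findings.append("Firefox has an explicit HTTP proxy configured: "
                        + proxy["network.proxy.http"] + ":" + proxy.get("network.proxy.http_port", "?"))
    return {"deletions": deletions, "families": families, "services": services,
            "linked_services": linked_services, "weakened": weakened,
            "proxy": proxy, "findings": findings}


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG)["findings"]:
        print("-", finding)
```

Run against a saved log with `triage(open("ComboFix.txt").read())`. The prefix-family check is what separates a real TDSS cleanup from a false positive here: a legitimate DLL does not normally arrive as a set of sibling files and a service that all share the same six random letters. A disabled `EnableLUA` or `EnableFirewall` on its own is only a prompt to ask the user, since both are settings people do turn off deliberately.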
 

Author Comment

by:toggle151
ID: 24760005
BTW Avira no longer detects the viruses on boot...I guess it's solved! Case closed :) THANKS A LOT GUYS for everything :)
 

Author Closing Comment

by:toggle151
ID: 31598362
Spot on..thanks