
Avira found hidden objects in my registry

4K views · 2 replies · 2 participants · last post by Cookiegal
#1 ·
I run a system scan once a week with Avira. This week it threw up a hidden object when it did the 'Hidden objects search'. I'm pretty sure it found just one hidden object, then it advised me to restart my system and scan again, and it found 2 hidden items on the 2nd scan.

I'm attaching the logfile to my post. Anybody have any suggestions on how to proceed?

#2 ·
Please copy and paste reports for easier viewing and reference. I'll paste it here.

Avira Free Antivirus
Report file date: 22 January 2013 16:47

Scanning for 4704931 virus strains and unwanted programs.

The program is running as an unrestricted full version.
Online services are available.

Licensee : Avira Free Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows 7 Home Premium
Windows version : (Service Pack 1) [6.1.7601]
Boot mode : Normally booted
Username : SYSTEM
Computer name : JAMES-PC

Version information:
BUILD.DAT : 12.1.9.1236 40872 Bytes 11/10/2012 15:58:00
AVSCAN.EXE : 12.3.0.48 468256 Bytes 14/11/2012 18:32:53
AVSCAN.DLL : 12.3.0.15 54736 Bytes 08/05/2012 22:41:09
LUKE.DLL : 12.3.0.15 68304 Bytes 08/05/2012 22:41:09
AVSCPLR.DLL : 12.3.0.14 97032 Bytes 08/05/2012 22:41:10
AVREG.DLL : 12.3.0.17 232200 Bytes 10/05/2012 22:37:15
VBASE000.VDF : 7.10.0.0 19875328 Bytes 06/11/2009 19:18:34
VBASE001.VDF : 7.11.0.0 13342208 Bytes 14/12/2010 10:07:39
VBASE002.VDF : 7.11.19.170 14374912 Bytes 20/12/2011 18:03:29
VBASE003.VDF : 7.11.21.238 4472832 Bytes 01/02/2012 22:38:49
VBASE004.VDF : 7.11.26.44 4329472 Bytes 28/03/2012 14:20:16
VBASE005.VDF : 7.11.34.116 4034048 Bytes 29/06/2012 20:41:24
VBASE006.VDF : 7.11.41.250 4902400 Bytes 06/09/2012 22:55:19
VBASE007.VDF : 7.11.50.230 3904512 Bytes 22/11/2012 19:18:47
VBASE008.VDF : 7.11.55.142 2214912 Bytes 03/01/2013 21:19:37
VBASE009.VDF : 7.11.55.143 2048 Bytes 03/01/2013 21:19:37
VBASE010.VDF : 7.11.55.144 2048 Bytes 03/01/2013 21:19:37
VBASE011.VDF : 7.11.55.145 2048 Bytes 03/01/2013 21:19:37
VBASE012.VDF : 7.11.55.146 2048 Bytes 03/01/2013 21:19:37
VBASE013.VDF : 7.11.55.196 260096 Bytes 04/01/2013 21:19:39
VBASE014.VDF : 7.11.56.23 206848 Bytes 07/01/2013 18:00:43
VBASE015.VDF : 7.11.56.83 186880 Bytes 08/01/2013 18:01:37
VBASE016.VDF : 7.11.56.145 135168 Bytes 09/01/2013 18:02:14
VBASE017.VDF : 7.11.56.211 139776 Bytes 11/01/2013 18:02:14
VBASE018.VDF : 7.11.57.11 153088 Bytes 13/01/2013 18:02:29
VBASE019.VDF : 7.11.57.75 165888 Bytes 15/01/2013 18:07:04
VBASE020.VDF : 7.11.57.163 190976 Bytes 17/01/2013 18:07:05
VBASE021.VDF : 7.11.57.219 119808 Bytes 18/01/2013 18:50:08
VBASE022.VDF : 7.11.58.7 167936 Bytes 21/01/2013 18:50:10
VBASE023.VDF : 7.11.58.8 2048 Bytes 21/01/2013 18:50:10
VBASE024.VDF : 7.11.58.9 2048 Bytes 21/01/2013 18:50:10
VBASE025.VDF : 7.11.58.10 2048 Bytes 21/01/2013 18:50:10
VBASE026.VDF : 7.11.58.11 2048 Bytes 21/01/2013 18:50:11
VBASE027.VDF : 7.11.58.12 2048 Bytes 21/01/2013 18:50:11
VBASE028.VDF : 7.11.58.13 2048 Bytes 21/01/2013 18:50:11
VBASE029.VDF : 7.11.58.14 2048 Bytes 21/01/2013 18:50:12
VBASE030.VDF : 7.11.58.15 2048 Bytes 21/01/2013 18:50:12
VBASE031.VDF : 7.11.58.26 62464 Bytes 21/01/2013 18:50:12
Engine version : 8.2.10.236
AEVDF.DLL : 8.1.2.10 102772 Bytes 10/07/2012 21:45:25
AESCRIPT.DLL : 8.1.4.82 467323 Bytes 17/01/2013 18:07:08
AESCN.DLL : 8.1.10.0 131445 Bytes 13/12/2012 20:41:41
AESBX.DLL : 8.2.5.12 606578 Bytes 14/06/2012 20:45:02
AERDL.DLL : 8.2.0.88 643444 Bytes 10/01/2013 18:02:31
AEPACK.DLL : 8.3.1.2 819574 Bytes 20/12/2012 20:41:49
AEOFFICE.DLL : 8.1.2.50 201084 Bytes 05/11/2012 18:33:14
AEHEUR.DLL : 8.1.4.180 5665144 Bytes 21/01/2013 18:50:26
AEHELP.DLL : 8.1.25.2 258423 Bytes 13/10/2012 10:10:43
AEGEN.DLL : 8.1.6.14 434548 Bytes 10/01/2013 18:02:20
AEEXP.DLL : 8.3.0.12 188789 Bytes 21/01/2013 18:50:26
AEEMU.DLL : 8.1.3.2 393587 Bytes 10/07/2012 21:45:23
AECORE.DLL : 8.1.30.0 201079 Bytes 13/12/2012 20:41:30
AEBB.DLL : 8.1.1.4 53619 Bytes 05/11/2012 18:32:33
AVWINLL.DLL : 12.3.0.15 27344 Bytes 08/05/2012 22:41:09
AVPREF.DLL : 12.3.0.32 50720 Bytes 14/11/2012 18:32:52
AVREP.DLL : 12.3.0.15 179208 Bytes 08/05/2012 22:41:10
AVARKT.DLL : 12.3.0.33 209696 Bytes 14/11/2012 18:32:51
AVEVTLOG.DLL : 12.3.0.15 169168 Bytes 08/05/2012 22:41:09
SQLITE3.DLL : 3.7.0.1 398288 Bytes 08/05/2012 22:41:09
AVSMTP.DLL : 12.3.0.32 63480 Bytes 08/08/2012 22:06:31
NETNT.DLL : 12.3.0.15 17104 Bytes 08/05/2012 22:41:09
RCIMAGE.DLL : 12.3.0.31 4445944 Bytes 08/08/2012 22:06:01
RCTEXT.DLL : 12.3.0.32 97056 Bytes 14/11/2012 18:32:45

Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: C:\ProgramData\Avira\AntiVir Desktop\PROFILES\AVSCAN-20130122-164322-52C81AA3.avp
Logging.............................: default
Primary action......................: Interactive
Secondary action....................: Ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:, D:,
Process scan........................: on
Extended process scan...............: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: extended

Start of the scan: 22 January 2013 16:47

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!
Boot sector 'D:\'
[INFO] No virus was found!

Starting search for hidden objects.
HKEY_USERS\S-1-5-21-1782297335-1938775777-2195318004-1000\Software\Avira\AntiVir Desktop\profDataStr
[NOTE] The registry entry is invisible.
Hidden driver
[NOTE] A memory modification has been detected, which could potentially be used to hide file access attempts.

The scan of running processes will be started
Scan process 'chrome.exe' - '39' Module(s) have been scanned
Scan process 'chrome.exe' - '39' Module(s) have been scanned
Scan process 'chrome.exe' - '39' Module(s) have been scanned
Scan process 'ymsgr_tray.exe' - '35' Module(s) have been scanned
Scan process 'chrome.exe' - '39' Module(s) have been scanned
Scan process 'chrome.exe' - '39' Module(s) have been scanned
Scan process 'chrome.exe' - '50' Module(s) have been scanned
Scan process 'chrome.exe' - '39' Module(s) have been scanned
Scan process 'chrome.exe' - '39' Module(s) have been scanned
Scan process 'chrome.exe' - '39' Module(s) have been scanned
Scan process 'chrome.exe' - '39' Module(s) have been scanned
Scan process 'chrome.exe' - '39' Module(s) have been scanned
Scan process 'chrome.exe' - '64' Module(s) have been scanned
Scan process 'chrome.exe' - '100' Module(s) have been scanned
Scan process 'jusched.exe' - '25' Module(s) have been scanned
Scan process 'YahooAUService.exe' - '48' Module(s) have been scanned
Scan process 'iTunesHelper.exe' - '71' Module(s) have been scanned
Scan process 'issch.exe' - '40' Module(s) have been scanned
Scan process 'postgres.exe' - '37' Module(s) have been scanned
Scan process 'postgres.exe' - '37' Module(s) have been scanned
Scan process 'postgres.exe' - '37' Module(s) have been scanned
Scan process 'postgres.exe' - '37' Module(s) have been scanned
Scan process 'postgres.exe' - '47' Module(s) have been scanned
Scan process 'pg_ctl.exe' - '41' Module(s) have been scanned
Scan process 'AppleMobileDeviceService.exe' - '63' Module(s) have been scanned
Scan process 'hpqSRMon.exe' - '30' Module(s) have been scanned
Scan process 'avscan.exe' - '89' Module(s) have been scanned
Scan process 'avcenter.exe' - '82' Module(s) have been scanned
Scan process 'openvpntray.exe' - '45' Module(s) have been scanned
Scan process 'avgnt.exe' - '82' Module(s) have been scanned
Scan process 'flux.exe' - '53' Module(s) have been scanned
Scan process 'DCSHelper.exe' - '28' Module(s) have been scanned
Scan process 'OpenTFTPServerMT.exe' - '23' Module(s) have been scanned
Scan process 'ouc.exe' - '26' Module(s) have been scanned
Scan process 'mbbservice.exe' - '32' Module(s) have been scanned
Scan process 'hsswd.exe' - '36' Module(s) have been scanned
Scan process 'hsssrv.exe' - '36' Module(s) have been scanned
Scan process 'openvpnas.exe' - '44' Module(s) have been scanned
Scan process 'avguard.exe' - '62' Module(s) have been scanned
Scan process 'sched.exe' - '42' Module(s) have been scanned

End of the scan: 22 January 2013 17:21
Used time: 34:19 Minute(s)

The scan has been done completely.

0 Scanned directories
1832 Files were scanned
0 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 Files were deleted
0 Viruses and unwanted programs were repaired
0 Files were moved to quarantine
0 Files were renamed
0 Files cannot be scanned
1832 Files not concerned
0 Archives were scanned
0 Warnings
2 Notes
1069687 Objects were scanned with rootkit scan
2 Hidden objects were found
 
#3 ·
The first one is related to Avira so it's basically detecting itself.

The second may be related to Avira as well but it's not specified.

Please download GMER from: http://www.gmer.net

Click on the "Download EXE" button and save the randomly named .exe file to your desktop.

Note: You must uninstall any CD Emulation programs that you have before running GMER as they can cause conflicts and give false results.

Double click the GMER .exe file on your desktop to run the tool and it will automatically do a quick scan.

If the tool warns of rootkit activity and asks if you want to run a full scan, click on No and make sure the following are unchecked on the right-hand side:

IAT/EAT
Any drive letter other than the primary system drive (which is generally C).

Click the Scan button and when the scan is finished, click Save and save the log in Notepad with the name ark.txt to your desktop.

Note: It's important that all other windows be closed and that you don't touch the mouse or do anything with the computer during the scan, as it may cause it to freeze. You should disable your screen saver, as if it comes on it may cause the program to freeze.

Open the ark.txt file and copy and paste the contents of the log here please.
 