hidden objects virus

just updated to Avira AntiVir 2012
ran a full scan and after about 25 mins up pops
"hidden objects virus or unwanted program detected"
at this point it says something like: Avira scan DVD needed to scan and clear virus
if I click here nothing happens, if I press stop scan it vanishes, and if I try to go to Avira help the file vanishes when I try to research it, or leave it alone for more than 3 mins.
What am I doing wrong?
WAS DEBT FREE & STILL BAAARRRRRKING :cool:
hello my name is shaun,,,and im not so addicted to farmville,still addicted to football:o:o

BAAAARRRRRRRRRRKING er insanely so :o

Comments

  • fiddiwebb
    fiddiwebb Posts: 1,806 Forumite
    Does it tell you in Avira reports what the virus/unwanted programme is?
  • waddler_8
    waddler_8 Posts: 3,588 Forumite
    1. Right click the Avira icon in the system tray and click Start Antivir
    2. Click Overview, then click Reports
    3. Highlight the most recent Scan report.
    4. Right click the report and choose Display Report.

    It should open in notepad - copy/paste it here.
  • shaun40400
    shaun40400 Posts: 4,134 Forumite
    running again
  • waddler_8
    waddler_8 Posts: 3,588 Forumite
    It doesn't necessarily mean you're infected. As I pointed out before, having Daemon Tools installed can cause false positives with rootkit scans.

    Look at the difference between these aswMBR scans, one with the CD emulation driver enabled, one with it disabled.

    Enabled:
    19:01:48.605 Service scanning
    19:01:50.076 Service sptd C:\Windows\System32\Drivers\sptd.sys **LOCKED** 32
    19:01:50.692 Modules scanning
    19:02:01.810 Disk 0 trace - called modules:
    19:02:01.821 ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x8648a1f8]<<
    19:02:01.825 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8721c780]
    19:02:01.829 3 CLASSPNP.SYS[8a3a18b3] -> nt!IofCallDriver -> [0x86ff4918]
    19:02:01.832 5 acpi.sys[807b36bc] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-2[0x86fdc8a0]
    19:02:01.836 \Driver\atapi[0x86fbb690] -> IRP_MJ_CREATE -> 0x8648a1f8
    Disabled:
    21:11:31.143 Service scanning
    21:11:33.358 Modules scanning
    21:11:40.222 Disk 0 trace - called modules:
    21:11:40.238 ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll ataport.SYS intelide.sys PCIIDEX.SYS atapi.sys
    21:11:40.238 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86fb55d0]
    21:11:40.238 3 CLASSPNP.SYS[89fa68b3] -> nt!IofCallDriver -> [0x86ce1918]
    21:11:40.253 5 acpi.sys[806936bc] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-2[0x86cc8030]
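The enabled/disabled comparison in the post above can be scripted. This is an added example, not part of the original thread and not aswMBR's own tooling: it parses the two quoted excerpts and reports what changes when the CD-emulation driver is enabled. The function names and the shortened sample strings are constructed for illustration, and a clean baseline supports a false-positive reading without proving the machine is clean.

```python
import re

# Constructed sample: the relevant lines of the two aswMBR excerpts quoted above.
ENABLED = r"""
19:01:50.076 Service sptd C:\Windows\System32\Drivers\sptd.sys **LOCKED** 32
19:02:01.810 Disk 0 trace - called modules:
19:02:01.821 ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x8648a1f8]<<
19:02:01.832 5 acpi.sys[807b36bc] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-2[0x86fdc8a0]
19:02:01.836 \Driver\atapi[0x86fbb690] -> IRP_MJ_CREATE -> 0x8648a1f8
"""
DISABLED = r"""
21:11:40.222 Disk 0 trace - called modules:
21:11:40.238 ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll ataport.SYS intelide.sys PCIIDEX.SYS atapi.sys
21:11:40.253 5 acpi.sys[806936bc] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-2[0x86cc8030]
"""

TS = r"^\d\d:\d\d:\d\d\.\d+\s+"
LOCKED = re.compile(TS + r"Service (\S+) \S+ \*\*LOCKED\*\*")
UNKNOWN = re.compile(r">>UNKNOWN \[(0x[0-9a-fA-F]+)\]<<")
HOOK = re.compile(r"(\\Driver\\\w+)\[0x[0-9a-fA-F]+\] -> (IRP_MJ_\w+) -> (0x[0-9a-fA-F]+)")

def parse(log):
    """Extract locked services, the disk driver chain and IRP redirections."""
    out = {"locked": [], "modules": [], "unknown": [], "hooks": []}
    lines = [l.strip() for l in log.splitlines() if l.strip()]
    for i, line in enumerate(lines):
        m = LOCKED.match(line)
        if m:
            out["locked"].append(m.group(1))
        # The line after the "called modules:" header lists the driver chain.
        if line.endswith("called modules:") and i + 1 < len(lines):
            chain = re.sub(TS, "", lines[i + 1])
            out["unknown"] = UNKNOWN.findall(chain)
            out["modules"] = UNKNOWN.sub("", chain).split()
        m = HOOK.search(line)
        if m:
            out["hooks"].append(m.groups())
    return out

def compare(enabled_log, baseline_log):
    """Report what differs between a scan with the driver on and one with it off."""
    on, off = parse(enabled_log), parse(baseline_log)
    return {
        "locked_only_when_enabled": [s for s in on["locked"] if s not in off["locked"]],
        "modules_hidden_when_enabled": [m for m in off["modules"] if m not in on["modules"]],
        "hooks_into_unknown": [h for h in on["hooks"] if h[2] in on["unknown"]],
        "baseline_clean": not off["unknown"] and not off["locked"] and not off["hooks"],
    }
```

If `baseline_clean` is false, the unknown module is still present with the emulation driver off, and the driver does not account for it.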
  • waddler_8
    waddler_8 Posts: 3,588 Forumite
    http://forums.moneysavingexpert.com/showpost.php?p=50768669&postcount=26
    Do you bank online? With the infection you had it's all about you being comfortable using the machine. The least I'd do is change your passwords when you feel it's clean. If there's any doubt and you lose confidence in its secureness then I'd consider reformatting the drive & reinstalling Windows.
  • shaun40400
    shaun40400 Posts: 4,134 Forumite
    Maybe uninstall Daemon Tools then, as I don't use it that often
  • shaun40400
    shaun40400 Posts: 4,134 Forumite
    Avira Free Antivirus
    Report file date: 13 February 2012 13:18

    Scanning for 3451437 virus strains and unwanted programs.

    The program is running as an unrestricted full version.
    Online services are available:

    Licensee : Avira AntiVir Personal - Free Antivirus
    Serial number : 0000149996-ADJIE-0000001
    Platform : Windows Vista
    Windows version : (Service Pack 2) [6.0.6002]
    Boot mode : Normally booted
    Username : SYSTEM
    Computer name : LUCANCOMPUTERS

    Version information:

    Configuration settings for the scan:
    Jobname.............................: Vollständige Systemprüfung
    Configuration file..................: C:\program files\avira\antivir desktop\sysscan.avp
    Logging.............................: default
    Primary action......................: interactive
    Secondary action....................: ignore
    Scan master boot sector.............: on
    Scan boot sector....................: on
    Boot sectors........................: C:, D:,
    Process scan........................: on
    Extended process scan...............: on
    Scan registry.......................: on
    Search for rootkits.................: on
    Integrity checking of system files..: off
    Scan all files......................: All files
    Scan archives.......................: on
    Recursion depth.....................: 20
    Smart extensions....................: on
    Macro heuristic.....................: on
    File heuristic......................: extended

    Start of the scan: 13 February 2012 13:18

    Starting master boot sector scan:
    Master boot sector HD0
    [INFO] No virus was found!
    Master boot sector HD1
    [INFO] No virus was found!
    Master boot sector HD2
    [INFO] No virus was found!

    Start scanning boot sectors:
    Boot sector 'C:\'
    [INFO] No virus was found!
    Boot sector 'D:\'
    [INFO] No virus was found!

    Starting search for hidden objects.
    Hidden driver
    [NOTE] A memory modification has been detected, which could potentially be used to hide file access attempts.

    The scan of running processes will be started
    Scan process 'svchost.exe' - '30' Module(s) have been scanned
    Scan process 'vssvc.exe' - '49' Module(s) have been scanned
    Scan process 'avscan.exe' - '78' Module(s) have been scanned
    Scan process 'avscan.exe' - '28' Module(s) have been scanned
    Scan process 'avcenter.exe' - '87' Module(s) have been scanned
    Scan process 'plugin-container.exe' - '86' Module(s) have been scanned
    Scan process 'avgnt.exe' - '65' Module(s) have been scanned
    Scan process 'sched.exe' - '52' Module(s) have been scanned
    Scan process 'avnotify.exe' - '46' Module(s) have been scanned
    Scan process 'firefox.exe' - '126' Module(s) have been scanned
    Scan process 'WUDFHost.exe' - '34' Module(s) have been scanned
    Scan process 'rundll32.exe' - '37' Module(s) have been scanned
    Scan process 'wmiprvse.exe' - '33' Module(s) have been scanned
    Scan process 'unsecapp.exe' - '51' Module(s) have been scanned
    Scan process 'NMIndexStoreSvr.exe' - '68' Module(s) have been scanned
    Scan process 'NMIndexingService.exe' - '40' Module(s) have been scanned
    Scan process 'ehmsas.exe' - '48' Module(s) have been scanned
    Scan process 'nvtray.exe' - '65' Module(s) have been scanned
    Scan process 'DTLite.exe' - '58' Module(s) have been scanned
    Scan process 'wmpnscfg.exe' - '51' Module(s) have been scanned
    Scan process 'Skype.exe' - '117' Module(s) have been scanned
    Scan process 'ehtray.exe' - '52' Module(s) have been scanned
    Scan process 'NMBgMonitor.exe' - '59' Module(s) have been scanned
    Scan process 'DivXUpdate.exe' - '62' Module(s) have been scanned
    Scan process 'smax4pnp.exe' - '62' Module(s) have been scanned
    Scan process 'aaCenter.exe' - '44' Module(s) have been scanned
    Scan process 'RtWLan.exe' - '56' Module(s) have been scanned
    Scan process 'taskeng.exe' - '25' Module(s) have been scanned
    Scan process 'taskeng.exe' - '89' Module(s) have been scanned
    Scan process 'Explorer.EXE' - '164' Module(s) have been scanned
    Scan process 'Dwm.exe' - '60' Module(s) have been scanned
    Scan process 'svchost.exe' - '62' Module(s) have been scanned
    Scan process 'daemonu.exe' - '56' Module(s) have been scanned
    Scan process 'svchost.exe' - '21' Module(s) have been scanned
    Scan process 'alg.exe' - '35' Module(s) have been scanned
    Scan process 'avshadow.exe' - '33' Module(s) have been scanned
    Scan process 'taskeng.exe' - '49' Module(s) have been scanned
    Scan process 'WLIDSvcM.exe' - '16' Module(s) have been scanned
    Scan process 'SearchIndexer.exe' - '60' Module(s) have been scanned
    Scan process 'WLIDSVC.EXE' - '67' Module(s) have been scanned
    Scan process 'svchost.exe' - '9' Module(s) have been scanned
    Scan process 'svchost.exe' - '49' Module(s) have been scanned
    Scan process 'SbieSvc.exe' - '30' Module(s) have been scanned
    Scan process 'PsiService_2.exe' - '17' Module(s) have been scanned
    Scan process 'svchost.exe' - '42' Module(s) have been scanned
    Scan process 'PassThruSvr.exe' - '16' Module(s) have been scanned
    Scan process 'InCDsrv.exe' - '36' Module(s) have been scanned
    Scan process 'IJPLMSVC.EXE' - '20' Module(s) have been scanned
    Scan process 'CooLSrv.exe' - '5' Module(s) have been scanned
    Scan process 'svchost.exe' - '30' Module(s) have been scanned
    Scan process 'mDNSResponder.exe' - '30' Module(s) have been scanned
    Scan process 'AppleMobileDeviceService.exe' - '30' Module(s) have been scanned
    Scan process 'avguard.exe' - '66' Module(s) have been scanned
    Scan process 'ACService.exe' - '24' Module(s) have been scanned
    Scan process 'SASCORE.EXE' - '18' Module(s) have been scanned
    Scan process 'svchost.exe' - '58' Module(s) have been scanned
    Scan process 'spoolsv.exe' - '94' Module(s) have been scanned
    Scan process 'svchost.exe' - '84' Module(s) have been scanned
    Scan process 'nvvsvc.exe' - '51' Module(s) have been scanned
    Scan process 'nvxdsync.exe' - '43' Module(s) have been scanned
    Scan process 'svchost.exe' - '87' Module(s) have been scanned
    Scan process 'SLsvc.exe' - '26' Module(s) have been scanned
    Scan process 'svchost.exe' - '37' Module(s) have been scanned
    Scan process 'AUDIODG.EXE' - '41' Module(s) have been scanned
    Scan process 'svchost.exe' - '155' Module(s) have been scanned
    Scan process 'svchost.exe' - '116' Module(s) have been scanned
    Scan process 'svchost.exe' - '65' Module(s) have been scanned
    Scan process 'svchost.exe' - '49' Module(s) have been scanned
    Scan process 'svchost.exe' - '35' Module(s) have been scanned
    Scan process 'nvvsvc.exe' - '36' Module(s) have been scanned
    Scan process 'svchost.exe' - '40' Module(s) have been scanned
    Scan process 'winlogon.exe' - '30' Module(s) have been scanned
    Scan process 'lsm.exe' - '22' Module(s) have been scanned
    Scan process 'lsass.exe' - '66' Module(s) have been scanned
    Scan process 'services.exe' - '33' Module(s) have been scanned
    Scan process 'csrss.exe' - '14' Module(s) have been scanned
    Scan process 'wininit.exe' - '26' Module(s) have been scanned
    Scan process 'csrss.exe' - '14' Module(s) have been scanned
    Scan process 'smss.exe' - '2' Module(s) have been scanned

    Starting to scan executable files (registry).
    The registry was scanned ( '4745' files ).


    Starting the file scan:

    Begin scan in 'C:\' <System>
    Begin scan in 'D:\'
    D:\Temp\jar_cache6340376853628521143.tmp
    [0] Archive type: ZIP
    --> a.class
    [DETECTION] Contains recognition pattern of the EXP/CVE-2010-4452 exploit

    Beginning disinfection:
    D:\Temp\jar_cache6340376853628521143.tmp
    [DETECTION] Contains recognition pattern of the EXP/CVE-2010-4452 exploit
    [NOTE] The file was moved to the quarantine directory under the name '4a919367.qua'.


    End of the scan: 13 February 2012 15:52
    Used time: 1:53:42 Hour(s)

    The scan has been done completely.

    31809 Scanned directories
    716542 Files were scanned
    1 Viruses and/or unwanted programs were found
    0 Files were classified as suspicious
    0 Files were deleted
    0 Viruses and unwanted programs were repaired
    1 Files were moved to quarantine
    0 Files were renamed
    0 Files cannot be scanned
    716541 Files not concerned
    7419 Archives were scanned
    0 Warnings
    2 Notes
    796393 Objects were scanned with rootkit scan
    1 Hidden objects were found
  • waddler_8
    waddler_8 Posts: 3,588 Forumite
    edited 13 February 2012 at 7:13PM
    Begin scan in 'D:\'
    D:\Temp\jar_cache6340376853628521143.tmp
    [0] Archive type: ZIP
    --> a.class
    [DETECTION] Contains recognition pattern of the EXP/CVE-2010-4452 exploit

    Beginning disinfection:
    D:\Temp\jar_cache6340376853628521143.tmp
    [DETECTION] Contains recognition pattern of the EXP/CVE-2010-4452 exploit
    [NOTE] The file was moved to the quarantine directory under the name '4a919367.qua'.
    Not too much to worry about as that exploit code affected Java SE 6 update 23 & earlier - You have update 30 installed.
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4452

    Starting search for hidden objects.
    Hidden driver
    [NOTE] A memory modification has been detected, which could potentially be used to hide file access attempts.
    A bit ambiguous, but that could refer to the above in red in the aswMBR log (Post #5).

    The only way to check would be to disable the driver as we did before with defogger & then re-run Avira's hidden objects scan.

    If that proves inconclusive then we could do a further rootkit scan with another rootkit scanner such as GMER.

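One way to read the Avira report the way the reply above does, separating the detection that was quarantined from the hidden-object note that has no recorded action. This is an added example, not from the thread or from Avira; the parser, its function names and the trimmed sample report are constructed here and only cover the line shapes visible in the quoted report.

```python
import re
# Constructed sample: only the finding-related lines of the report quoted above.
REPORT = r"""
Starting search for hidden objects.
Hidden driver
[NOTE] A memory modification has been detected, which could potentially be used to hide file access attempts.

Begin scan in 'D:\'
D:\Temp\jar_cache6340376853628521143.tmp
--> a.class
[DETECTION] Contains recognition pattern of the EXP/CVE-2010-4452 exploit
Beginning disinfection:
D:\Temp\jar_cache6340376853628521143.tmp
[DETECTION] Contains recognition pattern of the EXP/CVE-2010-4452 exploit
[NOTE] The file was moved to the quarantine directory under the name '4a919367.qua'.
1 Viruses and/or unwanted programs were found
1 Hidden objects were found
"""
SUMMARY = re.compile(r"(\d+) (Viruses and/or unwanted programs|Hidden objects) were found")

def triage(report):
    # Returns (files, hidden, totals) built from the report text.
    files, hidden, totals = {}, [], {}
    section = path = member = None
    for line in (l.strip() for l in report.splitlines()):
        if not line:                             # a blank line ends the hidden-object block
            section = None if section == "hidden" else section
        elif line.startswith("Starting search for hidden objects"):
            section = "hidden"
        elif line.startswith("Beginning disinfection"):
            section = "disinfect"
        elif re.match(r"[A-Za-z]:\\\S", line):   # a scanned file path
            path, member = line, None
        elif line.startswith("-->"):             # member inside an archive
            member = line[3:].strip()
        elif line.startswith("[DETECTION]"):     # listed at scan time and again at disinfection
            s = re.search(r"pattern of the (\S+)", line)
            e = files.setdefault(path, {"sig": None, "member": member, "action": None})
            e["sig"] = s.group(1) if s else line
        elif line.startswith("[NOTE]") and section == "hidden" and hidden:
            hidden[-1]["note"] = line[6:].strip()
        elif line.startswith("[NOTE]") and section == "disinfect" and "quarantine" in line and path in files:
            files[path]["action"] = "quarantined"
        elif section == "hidden":
            hidden.append({"kind": line, "note": None})
        elif (m := SUMMARY.match(line)):
            totals[m.group(2)] = int(m.group(1))
    return files, hidden, totals

def open_items(report):
    # What the report leaves unresolved, plus a check against its own summary counts.
    files, hidden, totals = triage(report)
    items = [f"unhandled detection: {p}" for p, e in files.items() if not e["action"]]
    items += [f"hidden object, no action recorded: {h['kind']}" for h in hidden]
    if totals != {"Viruses and/or unwanted programs": len(files), "Hidden objects": len(hidden)}:
        items.append("findings do not match the report's summary counts")
    return items
```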
  • pineapple
    pineapple Posts: 6,934 Forumite
    Just to say a hidden object isn't necessarily a virus.
    Discussion about Avira here
    http://forums.majorgeeks.com/showthread.php?t=219061
This discussion has been closed.