AVIRA rootkit detected files in the registry

hgd7833

New Member
Recently, I noticed a slowness in my laptop, and it takes a long time to boot.
It was working fine in safe mode but freezes in normal mode.
I ran some AV and antispyware programs and, with the help of some experts, we found some nasty files in system32 and some malware.
We removed all of them. But I still feel unsafe, so today I downloaded the
AVIRA rootkit tool and ran it. It detected 3 files in the registry.
The report of AVIRA rootkit is the following:

Avira AntiRootkit Tool (1.1.0.1)

========================================================================================================
- Scan started Wednesday, July 28, 2010 - 21:27:09 PM
========================================================================================================

--------------------------------------------------------------------------------------------------------
Configuration:
--------------------------------------------------------------------------------------------------------
- [X] Scan files
- [X] Scan registry
- [X] Scan processes
- [ ] Fast scan
- Working disk total size : 220.97 GB
- Working disk free size : 162.07 GB (73 %)
--------------------------------------------------------------------------------------------------------

Results:
Hidden value : HKEY_USERS\S-1-5-21-883753229-2986850252-1660446485-1000\Software\Microsoft\Internet Explorer\IntelliForms\Storage2 -> 8762648d8ec23a496ee3e8316d0454bf77797e1d26
Hidden value : HKEY_USERS\S-1-5-21-883753229-2986850252-1660446485-1000\Software\Microsoft\Internet Explorer\IntelliForms\Storage2 -> 95f4e391831e9a19bbb7aca64df53c6d457fff7134
Hidden key : HKEY_LOCAL_MACHINE\Software\DigitalPersona\DB\Cache\AMMAR-PC\users
Hidden key : HKEY_LOCAL_MACHINE\Software\DigitalPersona\DB\MainDB\users

--------------------------------------------------------------------------------------------------------
Files: 0/233929
Registry items: 4/595520
Processes: 0/69
Scan time: 00:13:36
--------------------------------------------------------------------------------------------------------
Active processes:
- System (PID 4)
- svchost.exe (PID 1924)
- svchost.exe (PID 1128)
- svchost.exe (PID 1004)
- DpHostW.exe (PID 1828)
- oasrv.exe (PID 1604)
- explorer.exe (PID 3360)
- prevx.exe (PID 2640)
- svchost.exe (PID 1440)
- svchost.exe (PID 1168)
- svchost.exe (PID 1336)
- smss.exe (PID 476)
- prevx.exe (PID 2056)
- csrss.exe (PID 560)
- oacat.exe (PID 1592)
- lsm.exe (PID 676)
- avguard.exe (PID 732)
- winlogon.exe (PID 956)
- svchost.exe (PID 1156)
- wininit.exe (PID 612)
- svchost.exe (PID 780)
- services.exe (PID 656)
- csrss.exe (PID 624)
- lsass.exe (PID 668)
- audiodg.exe (PID 1256)
- nvvsvc.exe (PID 1328)
- mDNSResponder.exe (PID 1116)
- svchost.exe (PID 828)
- nvvsvc.exe (PID 964)
- oaui.exe (PID 760)
- svchost.exe (PID 2684)
- AAWTray.exe (PID 1088)
- SearchIndexer.exe (PID 4092)
- QPCapSvc.exe (PID 2744)
- svchost.exe (PID 1272)
- SLsvc.exe (PID 1292)
- AppleMobileDeviceService.exe (PID 568)
- taskeng.exe (PID 3740)
- AAWService.exe (PID 1700)
- spoolsv.exe (PID 1800)
- sched.exe (PID 1884)
- taskeng.exe (PID 1448)
- SBPIMSvc.exe (PID 3876)
- McciCMService.exe (PID 2464)
- IAANTmon.exe (PID 2196)
- hpqWmiEx.exe (PID 3984)
- LSSrvc.exe (PID 2324)
- SeaPort.exe (PID 4048)
- HPHC_Service.exe (PID 5068)
- WLIDSVC.EXE (PID 3308)
- svchost.exe (PID 2652)
- dwm.exe (PID 3256)
- mfpmp.exe (PID 6348)
- QPSched.exe (PID 3900)
- Athan.exe (PID 3108)
- avgnt.exe (PID 1248)
- DpAgent.exe (PID 3048)
- svchost.exe (PID 3072)
- HPKBDAPP.exe (PID 3076)
- WmiPrvSE.exe (PID 4668)
- SBAMTray.exe (PID 3428)
- oahlp.exe (PID 2904)
- alg.exe (PID 4268)
- unsecapp.exe (PID 4284)
- WLIDSVCM.EXE (PID 4724)
- SBAMSvc.exe (PID 4840)
- plugin-container.exe (PID 5392)
- kksqygqz.exe (PID 9140) (Avira AntiRootkit Tool)
- avirarkd.exe (PID 8896)
========================================================================================================
- Scan finished Wednesday, July 28, 2010 - 21:40:46 PM
========================================================================================================


Please, if anyone can find this out for me: are these rootkits, and do I have to remove them, or what?
Thanks
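As an added example (not part of the post and not Avira's code), here is a small Python triage parser for the report format quoted above: it pulls out the hidden keys/values and the footer counts, checks that the footer's registry count matches the items actually listed, and groups findings by the software that normally owns those registry paths. The owner mapping (IE AutoComplete store, DigitalPersona and its DpHostW.exe/DpAgent.exe processes) is an assumed triage hint, not a verdict on whether the entries are malicious.

```python
import re
from collections import Counter
# Constructed excerpt in the layout of the Avira AntiRootkit Tool report quoted
# in the post above; the result and summary lines are the ones that were posted.
SAMPLE_REPORT = r"""Results:
Hidden value : HKEY_USERS\S-1-5-21-883753229-2986850252-1660446485-1000\Software\Microsoft\Internet Explorer\IntelliForms\Storage2 -> 8762648d8ec23a496ee3e8316d0454bf77797e1d26
Hidden value : HKEY_USERS\S-1-5-21-883753229-2986850252-1660446485-1000\Software\Microsoft\Internet Explorer\IntelliForms\Storage2 -> 95f4e391831e9a19bbb7aca64df53c6d457fff7134
Hidden key : HKEY_LOCAL_MACHINE\Software\DigitalPersona\DB\Cache\AMMAR-PC\users
Hidden key : HKEY_LOCAL_MACHINE\Software\DigitalPersona\DB\MainDB\users
Files: 0/233929
Registry items: 4/595520
Processes: 0/69
"""

RESULT_RE = re.compile(r"^Hidden (key|value) : (.+?)(?: -> (\S+))?$")
SUMMARY_RE = re.compile(r"^(Files|Registry items|Processes): (\d+)/(\d+)$")

# Triage hints for well-known software that keeps data under these paths
# (assumed mapping; a match is a lead for the analyst, not a clean verdict).
OWNER_HINTS = {
    "\\internet explorer\\intelliforms\\storage2": "IE AutoComplete credential store (value names are hashed site URLs)",
    "\\digitalpersona\\": "DigitalPersona fingerprint software (DpHostW.exe, DpAgent.exe)",
}

def owner_hint(path):
    # Case-insensitive substring match on the registry path.
    for fragment, owner in OWNER_HINTS.items():
        if fragment in path.lower():
            return owner
    return "unknown owner: investigate"

def parse_report(text):
    """Return (findings, summary): one dict per hidden item, footer counts as category -> (flagged, scanned)."""
    findings, summary = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if m := RESULT_RE.match(line):
            kind, path, value = m.groups()           # value is None for hidden keys
            findings.append({"kind": kind, "path": path, "value": value,
                             "owner": owner_hint(path)})
        elif m := SUMMARY_RE.match(line):
            summary[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return findings, summary

def triage(text):
    """Check the footer count against the items listed and group them by owner."""
    findings, summary = parse_report(text)
    flagged = summary.get("Registry items", (0, 0))[0]
    return {"consistent": flagged == len(findings),
            "by_owner": dict(Counter(f["owner"] for f in findings)),
            "unknown": [f["path"] for f in findings if f["owner"].startswith("unknown")]}
```

Any path left in the "unknown" list is the one worth looking at first; entries that resolve to installed software can be checked against that software's own process list before anything is deleted.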
 
Well, since we don't know who the experts are that you have already worked with, I would like to begin with what we normally use on this forum. Please CLOSELY follow the instructions below so we can begin.

------

Please download Malwarebytes' Anti-Malware HERE or HERE and save it to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    o Update Malwarebytes' Anti-Malware
    o and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version. Please keep updating until it says you have the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • A log will be saved automatically, which you can access by clicking on the Logs tab within Malwarebytes' Anti-Malware.

Then please post a HijackThis log by doing the following:

Download the HijackThis installer from HERE

Run the installer and choose Install, indicating that you accept the licence agreement. The installer will place a shortcut on your desktop and launch HijackThis.

Click Do a system scan and save a logfile

Most of what HijackThis lists will be harmless or even essential; don't fix anything yet.


Post the logfile that HijackThis produces along with the Malwarebytes Anti-Malware log and a detailed description of the problems you are experiencing.