
Hidden Objects


8 replies to this topic

#1 AviraHelp


Posted 28 March 2010 - 11:58 AM

Hi, I just updated the free Avira Personal Edition from version 9 to version 10.

During a complete scan it found several hidden processes. It starts with only 1 found, being wgatray.exe, but as I use the computer more and do more scans the number of hidden processes increases to include other .exe's like firefox.exe, explorer.exe, and other programs I use. This previously never happened in Avira Personal Edition version 9. If I restart the computer and run a complete scan again it starts all over: it would find 1 hidden process, then the number would increase again in later scans.

The complete scan results in Avira 10 list that hidden processes were found but report no virus found.
I have since scanned the computer using HitmanPro, Malwarebytes Anti-Malware, a-squared Free, and Windows Defender. They all report nothing found.
I use Comodo Firewall, Avira, Prevx and ThreatFire for my real-time protection. They all report nothing found, except for the hidden processes reported by Avira.

I asked a friend if there were any other things I could try to be sure everything was good, since I use this computer for work and it contains sensitive data for many customers. He recommended that I run ComboFix to see if it fixed or saw anything. I ran it, but both of us have no clue how to read the log file, and it didn't look good to us.

Any help you guys can give us would be greatly appreciated, thanks.



#2 boopme (Global Moderator)

Posted 28 March 2010 - 01:54 PM

Hello, you should note the blue text above this forum. ComboFix should only be run if there is malware for certain, and then with supervision.

Please post the Avira scan log; it will be easier to determine what it is saying. Thanks.
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#3 AviraHelp


Posted 28 March 2010 - 02:09 PM

Yeah, I was going to make a post before I ran ComboFix, but my friend couldn't wait; to trust him, he was an "expert". This is a log right after a fresh reboot.



Avira AntiVir Personal
Report file date: Sunday, March 28, 2010 07:39

Scanning for 1931788 virus strains and unwanted programs.

The program is running as an unrestricted full version.
Online services are available:

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 3) [5.1.2600]
Boot mode : Normally booted
Username : Sythe
Computer name : SYTHEBOOK

Version information:
BUILD.DAT : 10.0.0.561 32098 Bytes 3/18/2010 15:46:00
AVSCAN.EXE : 10.0.2.3 433832 Bytes 3/7/2010 21:57:10
AVSCAN.DLL : 10.0.2.2 45928 Bytes 3/2/2010 16:48:47
LUKE.DLL : 10.0.2.3 104296 Bytes 3/7/2010 22:33:04
LUKERES.DLL : 10.0.0.1 12648 Bytes 2/11/2010 03:40:49
VBASE000.VDF : 7.10.0.0 19875328 Bytes 11/6/2009 13:05:36
VBASE001.VDF : 7.10.1.0 1372672 Bytes 11/19/2009 23:27:49
VBASE002.VDF : 7.10.3.1 3143680 Bytes 1/20/2010 21:37:42
VBASE003.VDF : 7.10.3.75 996864 Bytes 1/26/2010 20:37:42
VBASE004.VDF : 7.10.4.203 1579008 Bytes 3/5/2010 15:29:03
VBASE005.VDF : 7.10.4.204 2048 Bytes 3/5/2010 15:29:03
VBASE006.VDF : 7.10.4.205 2048 Bytes 3/5/2010 15:29:03
VBASE007.VDF : 7.10.4.206 2048 Bytes 3/5/2010 15:29:03
VBASE008.VDF : 7.10.4.207 2048 Bytes 3/5/2010 15:29:03
VBASE009.VDF : 7.10.4.208 2048 Bytes 3/5/2010 15:29:03
VBASE010.VDF : 7.10.4.209 2048 Bytes 3/5/2010 15:29:03
VBASE011.VDF : 7.10.4.210 2048 Bytes 3/5/2010 15:29:03
VBASE012.VDF : 7.10.4.211 2048 Bytes 3/5/2010 15:29:03
VBASE013.VDF : 7.10.4.242 153088 Bytes 3/8/2010 19:43:21
VBASE014.VDF : 7.10.5.17 99328 Bytes 3/10/2010 19:24:21
VBASE015.VDF : 7.10.5.44 107008 Bytes 3/11/2010 21:41:40
VBASE016.VDF : 7.10.5.69 92672 Bytes 3/12/2010 13:25:53
VBASE017.VDF : 7.10.5.91 119808 Bytes 3/15/2010 13:39:58
VBASE018.VDF : 7.10.5.121 112640 Bytes 3/18/2010 17:01:24
VBASE019.VDF : 7.10.5.138 139776 Bytes 3/18/2010 21:15:25
VBASE020.VDF : 7.10.5.164 113152 Bytes 3/22/2010 21:15:26
VBASE021.VDF : 7.10.5.182 108032 Bytes 3/23/2010 21:15:27
VBASE022.VDF : 7.10.5.199 123904 Bytes 3/24/2010 21:15:28
VBASE023.VDF : 7.10.5.217 279552 Bytes 3/25/2010 00:34:47
VBASE024.VDF : 7.10.5.234 202240 Bytes 3/26/2010 04:31:20
VBASE025.VDF : 7.10.5.235 2048 Bytes 3/26/2010 04:31:20
VBASE026.VDF : 7.10.5.236 2048 Bytes 3/26/2010 04:31:20
VBASE027.VDF : 7.10.5.237 2048 Bytes 3/26/2010 04:31:21
VBASE028.VDF : 7.10.5.238 2048 Bytes 3/26/2010 04:31:21
VBASE029.VDF : 7.10.5.239 2048 Bytes 3/26/2010 04:31:21
VBASE030.VDF : 7.10.5.240 2048 Bytes 3/26/2010 04:31:21
VBASE031.VDF : 7.10.5.241 2048 Bytes 3/26/2010 04:31:21
Engineversion : 8.2.1.204
AEVDF.DLL : 8.1.1.3 106868 Bytes 2/13/2010 16:16:21
AESCRIPT.DLL : 8.1.3.23 1278331 Bytes 3/27/2010 04:31:33
AESCN.DLL : 8.1.5.0 127347 Bytes 2/25/2010 22:38:41
AESBX.DLL : 8.1.2.1 254323 Bytes 3/17/2010 15:09:47
AERDL.DLL : 8.1.4.3 541043 Bytes 3/17/2010 15:09:47
AEPACK.DLL : 8.2.1.1 426358 Bytes 3/24/2010 21:15:35
AEOFFICE.DLL : 8.1.0.41 201083 Bytes 3/17/2010 15:09:46
AEHEUR.DLL : 8.1.1.16 2503031 Bytes 3/27/2010 04:31:30
AEHELP.DLL : 8.1.10.2 237941 Bytes 3/17/2010 15:09:46
AEGEN.DLL : 8.1.3.2 373108 Bytes 3/24/2010 21:15:33
AEEMU.DLL : 8.1.1.0 393587 Bytes 11/10/2009 13:04:22
AECORE.DLL : 8.1.12.3 188789 Bytes 3/17/2010 15:09:45
AEBB.DLL : 8.1.0.3 53618 Bytes 9/10/2009 16:15:06
AVWINLL.DLL : 10.0.0.0 19304 Bytes 1/14/2010 16:03:38
AVPREF.DLL : 10.0.0.0 44904 Bytes 1/14/2010 16:03:35
AVREP.DLL : 10.0.0.8 62209 Bytes 2/18/2010 20:47:40
AVREG.DLL : 10.0.1.2 52072 Bytes 1/29/2010 15:47:41
AVSCPLR.DLL : 10.0.2.3 83304 Bytes 3/7/2010 22:02:30
AVARKT.DLL : 10.0.0.13 227176 Bytes 3/7/2010 21:48:41
AVEVTLOG.DLL : 10.0.0.8 203112 Bytes 1/26/2010 13:53:30
SQLITE3.DLL : 3.6.19.0 355688 Bytes 1/28/2010 16:57:58
AVSMTP.DLL : 10.0.0.17 63848 Bytes 3/16/2010 19:38:56
NETNT.DLL : 10.0.0.0 11624 Bytes 2/19/2010 18:41:00
RCIMAGE.DLL : 10.0.0.26 2550120 Bytes 1/28/2010 17:10:20
RCTEXT.DLL : 10.0.46.0 97128 Bytes 3/5/2010 14:09:41

Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: d:\program files\avira\antivir desktop\sysscan.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:, D:,
Process scan........................: on
Extended process scan...............: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium
Deviating risk categories...........: +APPL,+GAME,+JOKE,+PCK,+PFS,+SPR,

Start of the scan: Sunday, March 28, 2010 07:39

Starting search for hidden objects.
c:\windows\system32\wgatray.exe
c:\WINDOWS\system32\WgaTray.exe
[NOTE] The process is not visible.

The scan of running processes will be started
Scan process 'avscan.exe' - '68' Module(s) have been scanned
Scan process 'avcenter.exe' - '94' Module(s) have been scanned
Scan process 'alg.exe' - '36' Module(s) have been scanned
Scan process 'TFService.exe' - '77' Module(s) have been scanned
Scan process 'svchost.exe' - '44' Module(s) have been scanned
Scan process 'jqs.exe' - '36' Module(s) have been scanned
Scan process 'a2service.exe' - '32' Module(s) have been scanned
Scan process 'ffcntl.exe' - '25' Module(s) have been scanned
Scan process 'SuperHybridEngine.exe' - '29' Module(s) have been scanned
Scan process 'ctfmon.exe' - '32' Module(s) have been scanned
Scan process 'avgnt.exe' - '52' Module(s) have been scanned
Scan process 'jusched.exe' - '26' Module(s) have been scanned
Scan process 'TFTray.exe' - '42' Module(s) have been scanned
Scan process 'ETDDect.exe' - '4' Module(s) have been scanned
Scan process 'ETDCtrl.exe' - '0' Module(s) have been scanned
Scan process 'RTHDCPL.EXE' - '0' Module(s) have been scanned
Scan process 'igfxext.exe' - '0' Module(s) have been scanned
Scan process 'igfxsrvc.exe' - '0' Module(s) have been scanned
Scan process 'hkcmd.exe' - '0' Module(s) have been scanned
Scan process 'igfxtray.exe' - '0' Module(s) have been scanned
Scan process 'AsTray.exe' - '0' Module(s) have been scanned
Scan process 'AsEPCMon.exe' - '0' Module(s) have been scanned
Scan process 'AsAcpiSvr.exe' - '0' Module(s) have been scanned
Scan process 'sched.exe' - '0' Module(s) have been scanned
Scan process 'spoolsv.exe' - '0' Module(s) have been scanned
Scan process 'Explorer.EXE' - '0' Module(s) have been scanned
Scan process 'svchost.exe' - '0' Module(s) have been scanned
Scan process 'svchost.exe' - '0' Module(s) have been scanned
Scan process 'svchost.exe' - '0' Module(s) have been scanned
Scan process 'svchost.exe' - '0' Module(s) have been scanned
Scan process 'svchost.exe' - '0' Module(s) have been scanned
Scan process 'avshadow.exe' - '0' Module(s) have been scanned
Scan process 'avguard.exe' - '0' Module(s) have been scanned
Scan process 'lsass.exe' - '0' Module(s) have been scanned
Scan process 'services.exe' - '0' Module(s) have been scanned
Scan process 'winlogon.exe' - '0' Module(s) have been scanned
Scan process 'csrss.exe' - '0' Module(s) have been scanned
Scan process 'smss.exe' - '0' Module(s) have been scanned


End of the scan: Sunday, March 28, 2010 07:40
Used time: 01:23 Minute(s)

The scan has been canceled!

0 Scanned directories
597 Files were scanned
0 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
0 Files were moved to quarantine
0 Files were renamed
0 Files cannot be scanned
597 Files not concerned
0 Archives were scanned
0 Warnings
0 Notes
172685 Objects were scanned with rootkit scan
1 Hidden objects were found

#4 AviraHelp


Posted 28 March 2010 - 02:13 PM

Here is a complete scan report, not just rootkits.



Avira AntiVir Personal
Report file date: Sunday, March 28, 2010 06:49

Scanning for 1931788 virus strains and unwanted programs.

The program is running as an unrestricted full version.
Online services are available:

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 3) [5.1.2600]
Boot mode : Normally booted
Username : SYSTEM
Computer name : SYTHEBOOK

Version information:
BUILD.DAT : 10.0.0.561 32098 Bytes 3/18/2010 15:46:00
AVSCAN.EXE : 10.0.2.3 433832 Bytes 3/7/2010 21:57:10
AVSCAN.DLL : 10.0.2.2 45928 Bytes 3/2/2010 16:48:47
LUKE.DLL : 10.0.2.3 104296 Bytes 3/7/2010 22:33:04
LUKERES.DLL : 10.0.0.1 12648 Bytes 2/11/2010 03:40:49
VBASE000.VDF : 7.10.0.0 19875328 Bytes 11/6/2009 13:05:36
VBASE001.VDF : 7.10.1.0 1372672 Bytes 11/19/2009 23:27:49
VBASE002.VDF : 7.10.3.1 3143680 Bytes 1/20/2010 21:37:42
VBASE003.VDF : 7.10.3.75 996864 Bytes 1/26/2010 20:37:42
VBASE004.VDF : 7.10.4.203 1579008 Bytes 3/5/2010 15:29:03
VBASE005.VDF : 7.10.4.204 2048 Bytes 3/5/2010 15:29:03
VBASE006.VDF : 7.10.4.205 2048 Bytes 3/5/2010 15:29:03
VBASE007.VDF : 7.10.4.206 2048 Bytes 3/5/2010 15:29:03
VBASE008.VDF : 7.10.4.207 2048 Bytes 3/5/2010 15:29:03
VBASE009.VDF : 7.10.4.208 2048 Bytes 3/5/2010 15:29:03
VBASE010.VDF : 7.10.4.209 2048 Bytes 3/5/2010 15:29:03
VBASE011.VDF : 7.10.4.210 2048 Bytes 3/5/2010 15:29:03
VBASE012.VDF : 7.10.4.211 2048 Bytes 3/5/2010 15:29:03
VBASE013.VDF : 7.10.4.242 153088 Bytes 3/8/2010 19:43:21
VBASE014.VDF : 7.10.5.17 99328 Bytes 3/10/2010 19:24:21
VBASE015.VDF : 7.10.5.44 107008 Bytes 3/11/2010 21:41:40
VBASE016.VDF : 7.10.5.69 92672 Bytes 3/12/2010 13:25:53
VBASE017.VDF : 7.10.5.91 119808 Bytes 3/15/2010 13:39:58
VBASE018.VDF : 7.10.5.121 112640 Bytes 3/18/2010 17:01:24
VBASE019.VDF : 7.10.5.138 139776 Bytes 3/18/2010 21:15:25
VBASE020.VDF : 7.10.5.164 113152 Bytes 3/22/2010 21:15:26
VBASE021.VDF : 7.10.5.182 108032 Bytes 3/23/2010 21:15:27
VBASE022.VDF : 7.10.5.199 123904 Bytes 3/24/2010 21:15:28
VBASE023.VDF : 7.10.5.217 279552 Bytes 3/25/2010 00:34:47
VBASE024.VDF : 7.10.5.234 202240 Bytes 3/26/2010 04:31:20
VBASE025.VDF : 7.10.5.235 2048 Bytes 3/26/2010 04:31:20
VBASE026.VDF : 7.10.5.236 2048 Bytes 3/26/2010 04:31:20
VBASE027.VDF : 7.10.5.237 2048 Bytes 3/26/2010 04:31:21
VBASE028.VDF : 7.10.5.238 2048 Bytes 3/26/2010 04:31:21
VBASE029.VDF : 7.10.5.239 2048 Bytes 3/26/2010 04:31:21
VBASE030.VDF : 7.10.5.240 2048 Bytes 3/26/2010 04:31:21
VBASE031.VDF : 7.10.5.241 2048 Bytes 3/26/2010 04:31:21
Engineversion : 8.2.1.204
AEVDF.DLL : 8.1.1.3 106868 Bytes 2/13/2010 16:16:21
AESCRIPT.DLL : 8.1.3.23 1278331 Bytes 3/27/2010 04:31:33
AESCN.DLL : 8.1.5.0 127347 Bytes 2/25/2010 22:38:41
AESBX.DLL : 8.1.2.1 254323 Bytes 3/17/2010 15:09:47
AERDL.DLL : 8.1.4.3 541043 Bytes 3/17/2010 15:09:47
AEPACK.DLL : 8.2.1.1 426358 Bytes 3/24/2010 21:15:35
AEOFFICE.DLL : 8.1.0.41 201083 Bytes 3/17/2010 15:09:46
AEHEUR.DLL : 8.1.1.16 2503031 Bytes 3/27/2010 04:31:30
AEHELP.DLL : 8.1.10.2 237941 Bytes 3/17/2010 15:09:46
AEGEN.DLL : 8.1.3.2 373108 Bytes 3/24/2010 21:15:33
AEEMU.DLL : 8.1.1.0 393587 Bytes 11/10/2009 13:04:22
AECORE.DLL : 8.1.12.3 188789 Bytes 3/17/2010 15:09:45
AEBB.DLL : 8.1.0.3 53618 Bytes 9/10/2009 16:15:06
AVWINLL.DLL : 10.0.0.0 19304 Bytes 1/14/2010 16:03:38
AVPREF.DLL : 10.0.0.0 44904 Bytes 1/14/2010 16:03:35
AVREP.DLL : 10.0.0.8 62209 Bytes 2/18/2010 20:47:40
AVREG.DLL : 10.0.1.2 52072 Bytes 1/29/2010 15:47:41
AVSCPLR.DLL : 10.0.2.3 83304 Bytes 3/7/2010 22:02:30
AVARKT.DLL : 10.0.0.13 227176 Bytes 3/7/2010 21:48:41
AVEVTLOG.DLL : 10.0.0.8 203112 Bytes 1/26/2010 13:53:30
SQLITE3.DLL : 3.6.19.0 355688 Bytes 1/28/2010 16:57:58
AVSMTP.DLL : 10.0.0.17 63848 Bytes 3/16/2010 19:38:56
NETNT.DLL : 10.0.0.0 11624 Bytes 2/19/2010 18:41:00
RCIMAGE.DLL : 10.0.0.26 2550120 Bytes 1/28/2010 17:10:20
RCTEXT.DLL : 10.0.46.0 97128 Bytes 3/5/2010 14:09:41

Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: d:\program files\avira\antivir desktop\sysscan.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:, D:,
Process scan........................: on
Extended process scan...............: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium
Deviating risk categories...........: +APPL,+GAME,+JOKE,+PCK,+PFS,+SPR,

Start of the scan: Sunday, March 28, 2010 06:49

Starting search for hidden objects.
c:\windows\system32\wgatray.exe
c:\WINDOWS\system32\WgaTray.exe
[NOTE] The process is not visible.

The scan of running processes will be started
Scan process 'avscan.exe' - '68' Module(s) have been scanned
Scan process 'avcenter.exe' - '94' Module(s) have been scanned
Scan process 'alg.exe' - '36' Module(s) have been scanned
Scan process 'TFService.exe' - '77' Module(s) have been scanned
Scan process 'svchost.exe' - '44' Module(s) have been scanned
Scan process 'jqs.exe' - '36' Module(s) have been scanned
Scan process 'a2service.exe' - '32' Module(s) have been scanned
Scan process 'ffcntl.exe' - '25' Module(s) have been scanned
Scan process 'SuperHybridEngine.exe' - '29' Module(s) have been scanned
Scan process 'ctfmon.exe' - '32' Module(s) have been scanned
Scan process 'avgnt.exe' - '52' Module(s) have been scanned
Scan process 'jusched.exe' - '26' Module(s) have been scanned
Scan process 'TFTray.exe' - '38' Module(s) have been scanned
Scan process 'cfp.exe' - '68' Module(s) have been scanned
Scan process 'ETDDect.exe' - '25' Module(s) have been scanned
Scan process 'ETDCtrl.exe' - '38' Module(s) have been scanned
Scan process 'RTHDCPL.EXE' - '43' Module(s) have been scanned
Scan process 'igfxext.exe' - '29' Module(s) have been scanned
Scan process 'igfxsrvc.exe' - '31' Module(s) have been scanned
Scan process 'hkcmd.exe' - '30' Module(s) have been scanned
Scan process 'igfxtray.exe' - '31' Module(s) have been scanned
Scan process 'AsTray.exe' - '36' Module(s) have been scanned
Scan process 'AsEPCMon.exe' - '24' Module(s) have been scanned
Scan process 'AsAcpiSvr.exe' - '41' Module(s) have been scanned
Scan process 'sched.exe' - '46' Module(s) have been scanned
Scan process 'spoolsv.exe' - '52' Module(s) have been scanned
Scan process 'Explorer.EXE' - '88' Module(s) have been scanned
Scan process 'svchost.exe' - '34' Module(s) have been scanned
Scan process 'svchost.exe' - '35' Module(s) have been scanned
Scan process 'svchost.exe' - '152' Module(s) have been scanned
Scan process 'cmdagent.exe' - '74' Module(s) have been scanned
Scan process 'svchost.exe' - '41' Module(s) have been scanned
Scan process 'svchost.exe' - '33' Module(s) have been scanned
Scan process 'avshadow.exe' - '26' Module(s) have been scanned
Scan process 'avguard.exe' - '55' Module(s) have been scanned
Scan process 'lsass.exe' - '54' Module(s) have been scanned
Scan process 'services.exe' - '35' Module(s) have been scanned
Scan process 'winlogon.exe' - '74' Module(s) have been scanned
Scan process 'csrss.exe' - '12' Module(s) have been scanned
Scan process 'smss.exe' - '2' Module(s) have been scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Master boot sector HD1
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!
Boot sector 'D:\'
[INFO] No virus was found!

Starting to scan executable files (registry).
The registry was scanned ( '324' files ).


Starting the file scan:

Begin scan in 'C:\'
Begin scan in 'D:\' <Local Disk>


End of the scan: Sunday, March 28, 2010 07:01
Used time: 11:08 Minute(s)

The scan has been done completely.

2496 Scanned directories
104078 Files were scanned
0 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
0 Files were moved to quarantine
0 Files were renamed
0 Files cannot be scanned
104078 Files not concerned
613 Archives were scanned
0 Warnings
0 Notes
172679 Objects were scanned with rootkit scan
1 Hidden objects were found

#5 boopme (Global Moderator)

Posted 28 March 2010 - 02:47 PM

Hi, thank you.
That file WgaTray.exe is a system file and is hidden from scanners. You may also see hiberfil.sys and pagefile.sys this way. They are not scanned and you may see a "Note or warning": File Hidden or not scanned message. It sounds as if it was a problem. It is only stating it did not look at it, as the tool cannot.

wgatray.exe is a process which belongs to the Microsoft Windows Operating System and provides a notification system for Windows Genuine Advantage product validation software. This program is a non-essential process, but should not be terminated unless suspected to be causing problems. It should not be disabled.


I would like you to search your PC for avguard.exe.
Sometimes this is the Netsky Worm and not the Avira file shown below, which is the proper location.

C:\Program Files\AVPersonal\AVGUARD.EXE


You may also experience some conflicts and/or slowness if you have 2 antivirus apps running real time at the same time. It is not recommended to have 2 AVs active.

#6 AviraHelp


Posted 28 March 2010 - 03:03 PM

Thanks for the tip.

I located the file avguard.exe in D:\Program Files\Avira\AntiVir Desktop

I uploaded the file to virustotal.com and got 0 / 42 hits.

Here is a scan report with Windows running for a little while; the hidden processes begin to build.
This scan was done after ComboFix was run earlier.



Avira AntiVir Personal
Report file date: Sunday, March 28, 2010 10:47

Scanning for 1931788 virus strains and unwanted programs.

The program is running as an unrestricted full version.
Online services are available:

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 3) [5.1.2600]
Boot mode : Normally booted
Username : Sythe
Computer name : SYTHEBOOK

Version information:
BUILD.DAT : 10.0.0.561 32098 Bytes 3/18/2010 15:46:00
AVSCAN.EXE : 10.0.2.3 433832 Bytes 3/7/2010 21:57:10
AVSCAN.DLL : 10.0.2.2 45928 Bytes 3/2/2010 16:48:47
LUKE.DLL : 10.0.2.3 104296 Bytes 3/7/2010 22:33:04
LUKERES.DLL : 10.0.0.1 12648 Bytes 2/11/2010 03:40:49
VBASE000.VDF : 7.10.0.0 19875328 Bytes 11/6/2009 13:05:36
VBASE001.VDF : 7.10.1.0 1372672 Bytes 11/19/2009 23:27:49
VBASE002.VDF : 7.10.3.1 3143680 Bytes 1/20/2010 21:37:42
VBASE003.VDF : 7.10.3.75 996864 Bytes 1/26/2010 20:37:42
VBASE004.VDF : 7.10.4.203 1579008 Bytes 3/5/2010 15:29:03
VBASE005.VDF : 7.10.4.204 2048 Bytes 3/5/2010 15:29:03
VBASE006.VDF : 7.10.4.205 2048 Bytes 3/5/2010 15:29:03
VBASE007.VDF : 7.10.4.206 2048 Bytes 3/5/2010 15:29:03
VBASE008.VDF : 7.10.4.207 2048 Bytes 3/5/2010 15:29:03
VBASE009.VDF : 7.10.4.208 2048 Bytes 3/5/2010 15:29:03
VBASE010.VDF : 7.10.4.209 2048 Bytes 3/5/2010 15:29:03
VBASE011.VDF : 7.10.4.210 2048 Bytes 3/5/2010 15:29:03
VBASE012.VDF : 7.10.4.211 2048 Bytes 3/5/2010 15:29:03
VBASE013.VDF : 7.10.4.242 153088 Bytes 3/8/2010 19:43:21
VBASE014.VDF : 7.10.5.17 99328 Bytes 3/10/2010 19:24:21
VBASE015.VDF : 7.10.5.44 107008 Bytes 3/11/2010 21:41:40
VBASE016.VDF : 7.10.5.69 92672 Bytes 3/12/2010 13:25:53
VBASE017.VDF : 7.10.5.91 119808 Bytes 3/15/2010 13:39:58
VBASE018.VDF : 7.10.5.121 112640 Bytes 3/18/2010 17:01:24
VBASE019.VDF : 7.10.5.138 139776 Bytes 3/18/2010 21:15:25
VBASE020.VDF : 7.10.5.164 113152 Bytes 3/22/2010 21:15:26
VBASE021.VDF : 7.10.5.182 108032 Bytes 3/23/2010 21:15:27
VBASE022.VDF : 7.10.5.199 123904 Bytes 3/24/2010 21:15:28
VBASE023.VDF : 7.10.5.217 279552 Bytes 3/25/2010 00:34:47
VBASE024.VDF : 7.10.5.234 202240 Bytes 3/26/2010 04:31:20
VBASE025.VDF : 7.10.5.235 2048 Bytes 3/26/2010 04:31:20
VBASE026.VDF : 7.10.5.236 2048 Bytes 3/26/2010 04:31:20
VBASE027.VDF : 7.10.5.237 2048 Bytes 3/26/2010 04:31:21
VBASE028.VDF : 7.10.5.238 2048 Bytes 3/26/2010 04:31:21
VBASE029.VDF : 7.10.5.239 2048 Bytes 3/26/2010 04:31:21
VBASE030.VDF : 7.10.5.240 2048 Bytes 3/26/2010 04:31:21
VBASE031.VDF : 7.10.5.241 2048 Bytes 3/26/2010 04:31:21
Engineversion : 8.2.1.204
AEVDF.DLL : 8.1.1.3 106868 Bytes 2/13/2010 16:16:21
AESCRIPT.DLL : 8.1.3.23 1278331 Bytes 3/27/2010 04:31:33
AESCN.DLL : 8.1.5.0 127347 Bytes 2/25/2010 22:38:41
AESBX.DLL : 8.1.2.1 254323 Bytes 3/17/2010 15:09:47
AERDL.DLL : 8.1.4.3 541043 Bytes 3/17/2010 15:09:47
AEPACK.DLL : 8.2.1.1 426358 Bytes 3/24/2010 21:15:35
AEOFFICE.DLL : 8.1.0.41 201083 Bytes 3/17/2010 15:09:46
AEHEUR.DLL : 8.1.1.16 2503031 Bytes 3/27/2010 04:31:30
AEHELP.DLL : 8.1.10.2 237941 Bytes 3/17/2010 15:09:46
AEGEN.DLL : 8.1.3.2 373108 Bytes 3/24/2010 21:15:33
AEEMU.DLL : 8.1.1.0 393587 Bytes 11/10/2009 13:04:22
AECORE.DLL : 8.1.12.3 188789 Bytes 3/17/2010 15:09:45
AEBB.DLL : 8.1.0.3 53618 Bytes 9/10/2009 16:15:06
AVWINLL.DLL : 10.0.0.0 19304 Bytes 1/14/2010 16:03:38
AVPREF.DLL : 10.0.0.0 44904 Bytes 1/14/2010 16:03:35
AVREP.DLL : 10.0.0.8 62209 Bytes 2/18/2010 20:47:40
AVREG.DLL : 10.0.1.2 52072 Bytes 1/29/2010 15:47:41
AVSCPLR.DLL : 10.0.2.3 83304 Bytes 3/7/2010 22:02:30
AVARKT.DLL : 10.0.0.13 227176 Bytes 3/7/2010 21:48:41
AVEVTLOG.DLL : 10.0.0.8 203112 Bytes 1/26/2010 13:53:30
SQLITE3.DLL : 3.6.19.0 355688 Bytes 1/28/2010 16:57:58
AVSMTP.DLL : 10.0.0.17 63848 Bytes 3/16/2010 19:38:56
NETNT.DLL : 10.0.0.0 11624 Bytes 2/19/2010 18:41:00
RCIMAGE.DLL : 10.0.0.26 2550120 Bytes 1/28/2010 17:10:20
RCTEXT.DLL : 10.0.46.0 97128 Bytes 3/5/2010 14:09:41

Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: d:\program files\avira\antivir desktop\sysscan.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:, D:,
Process scan........................: on
Extended process scan...............: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium
Deviating risk categories...........: +APPL,+GAME,+JOKE,+PCK,+PFS,+SPR,

Start of the scan: Sunday, March 28, 2010 10:47

Starting search for hidden objects.
HKEY_USERS\S-1-5-21-854245398-1935655697-527237240-500\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\hrzr_ehacngu
[NOTE] The registry entry is invisible.
HKEY_USERS\S-1-5-21-854245398-1935655697-527237240-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\savedlegacysettings
[NOTE] The registry entry is invisible.
c:\windows\system32\wgatray.exe
c:\WINDOWS\system32\WgaTray.exe
[NOTE] The process is not visible.

The scan of running processes will be started
Scan process 'HitmanPro35.exe' - '71' Module(s) have been scanned
Scan process 'avscan.exe' - '67' Module(s) have been scanned
Scan process 'avcenter.exe' - '93' Module(s) have been scanned
Scan process 'alg.exe' - '36' Module(s) have been scanned
Scan process 'TFService.exe' - '77' Module(s) have been scanned
Scan process 'svchost.exe' - '44' Module(s) have been scanned
Scan process 'jqs.exe' - '36' Module(s) have been scanned
Scan process 'a2service.exe' - '32' Module(s) have been scanned
Scan process 'ffcntl.exe' - '24' Module(s) have been scanned
Scan process 'SuperHybridEngine.exe' - '28' Module(s) have been scanned
Scan process 'avgnt.exe' - '52' Module(s) have been scanned
Scan process 'jusched.exe' - '26' Module(s) have been scanned
Scan process 'TFTray.exe' - '37' Module(s) have been scanned
Scan process 'ETDDect.exe' - '24' Module(s) have been scanned
Scan process 'ETDCtrl.exe' - '35' Module(s) have been scanned
Scan process 'RTHDCPL.EXE' - '42' Module(s) have been scanned
Scan process 'igfxext.exe' - '28' Module(s) have been scanned
Scan process 'igfxsrvc.exe' - '30' Module(s) have been scanned
Scan process 'hkcmd.exe' - '29' Module(s) have been scanned
Scan process 'igfxtray.exe' - '30' Module(s) have been scanned
Scan process 'AsTray.exe' - '35' Module(s) have been scanned
Scan process 'AsEPCMon.exe' - '23' Module(s) have been scanned
Scan process 'AsAcpiSvr.exe' - '40' Module(s) have been scanned
Scan process 'sched.exe' - '46' Module(s) have been scanned
Scan process 'spoolsv.exe' - '52' Module(s) have been scanned
Scan process 'Explorer.EXE' - '89' Module(s) have been scanned
Scan process 'svchost.exe' - '34' Module(s) have been scanned
Scan process 'svchost.exe' - '35' Module(s) have been scanned
Scan process 'svchost.exe' - '152' Module(s) have been scanned
Scan process 'svchost.exe' - '41' Module(s) have been scanned
Scan process 'svchost.exe' - '33' Module(s) have been scanned
Scan process 'avshadow.exe' - '26' Module(s) have been scanned
Scan process 'avguard.exe' - '56' Module(s) have been scanned
Scan process 'lsass.exe' - '54' Module(s) have been scanned
Scan process 'services.exe' - '35' Module(s) have been scanned
Scan process 'winlogon.exe' - '75' Module(s) have been scanned
Scan process 'csrss.exe' - '12' Module(s) have been scanned
Scan process 'smss.exe' - '2' Module(s) have been scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Master boot sector HD1
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!
Boot sector 'D:\'
[INFO] No virus was found!

Starting to scan executable files (registry).
The registry was scanned ( '323' files ).


Starting the file scan:

Begin scan in 'C:\'
Begin scan in 'D:\' <Local Disk>


End of the scan: Sunday, March 28, 2010 10:59
Used time: 12:16 Minute(s)

The scan has been done completely.

2560 Scanned directories
104709 Files were scanned
0 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
0 Files were moved to quarantine
0 Files were renamed
0 Files cannot be scanned
104709 Files not concerned
733 Archives were scanned
0 Warnings
0 Notes
174002 Objects were scanned with rootkit scan
3 Hidden objects were found

#7 boopme (Global Moderator)

Posted 28 March 2010 - 03:44 PM

Hi, after a bit of research I am not certain whether a true rootkit exists. The last hidden file leads me to a Gameguard or UEME_RUNPATH file. Both are rootkit-type activity; one is game cheater protection and the latter Windows logging.
I feel it is best to be sure and have proper testing done through DDS.

Post the DDS, GMER and your ComboFix log.

Please go here....
Preparation Guide, do steps 6 - 9.

Create the 2 logs, include your ComboFix log and post them in the new topic created from step 9, not here.
If GMER won't run, skip it and move on.
Let me know if that went well.

Edited by boopme, 28 March 2010 - 04:48 PM.

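One way to check boopme's reading of the third hidden object, as an added example that is not part of this thread: a small Python script that parses the "hidden objects" section of an Avira AntiVir report (the sample below is constructed from the log in post #6), decodes the UserAssist value name, which Windows XP stores ROT13-encoded, and labels the entries the thread has already explained (WgaTray.exe at its expected path, UserAssist run-history logging). The path check, the classification rules and the assessment strings are this example's own assumptions, not Avira's.

```python
import codecs
import re

# Constructed sample input: the "hidden objects" section of an Avira AntiVir 10
# report, modelled on the log posted in this thread (not the whole log).
SAMPLE_LOG = """\
Start of the scan: Sunday, March 28, 2010 10:47

Starting search for hidden objects.
HKEY_USERS\\S-1-5-21-854245398-1935655697-527237240-500\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{75048700-EF1F-11D0-9888-006097DEACF9}\\Count\\hrzr_ehacngu
[NOTE] The registry entry is invisible.
HKEY_USERS\\S-1-5-21-854245398-1935655697-527237240-500\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections\\savedlegacysettings
[NOTE] The registry entry is invisible.
c:\\windows\\system32\\wgatray.exe
c:\\WINDOWS\\system32\\WgaTray.exe
[NOTE] The process is not visible.

The scan of running processes will be started
"""

HEADER = "Starting search for hidden objects."


def parse_hidden_objects(report):
    """Return the hidden-object entries of an Avira report.

    Each entry is a dict with 'kind' (registry/process/file), the list of
    'paths' Avira printed for it and the '[NOTE]' text. In the posted logs
    Avira prints one or more path lines followed by a single [NOTE] line
    per object, and a blank line ends the section.
    """
    lines = report.splitlines()
    try:
        start = lines.index(HEADER) + 1
    except ValueError:
        return []
    entries, pending = [], []
    for line in lines[start:]:
        if not line.strip():
            break
        if line.startswith("[NOTE]"):
            note = line[len("[NOTE]"):].strip()
            low = note.lower()
            if "registry" in low:
                kind = "registry"
            elif "process" in low:
                kind = "process"
            else:
                kind = "file"
            entries.append({"kind": kind, "paths": pending, "note": note})
            pending = []
        else:
            pending.append(line.strip())
    return entries


# Matches ...\UserAssist\{GUID}\Count\<value name> and captures the value name.
USERASSIST_RE = re.compile(
    r"\\UserAssist\\\{[0-9A-Fa-f-]+\}\\Count\\([^\\]+)$", re.IGNORECASE)


def decode_userassist(reg_path):
    """Decode a UserAssist\\{GUID}\\Count value name, or return None.

    Windows XP stores these value names ROT13-encoded, so 'hrzr_ehacngu'
    (printed lower-cased by Avira) is really UEME_RUNPATH, the shell's own
    record of programs the user has run.
    """
    m = USERASSIST_RE.search(reg_path)
    if not m:
        return None
    return codecs.decode(m.group(1), "rot_13")


def triage(entries):
    """Attach a defender-oriented assessment to each hidden object.

    The assessments encode the explanations given in this thread and are a
    starting point for review, not a verdict; anything left 'unexplained'
    should be checked with a dedicated anti-rootkit tool (assumed rules).
    """
    out = []
    for e in entries:
        first = e["paths"][0] if e["paths"] else ""
        decoded = decode_userassist(first)
        if decoded:
            verdict = (f"UserAssist run-history value ({decoded.upper()}); "
                       "Windows shell logging")
        elif (e["kind"] == "process"
              and first.lower() == r"c:\windows\system32\wgatray.exe"):
            verdict = ("WgaTray.exe at its expected path; "
                       "Windows Genuine Advantage notifier")
        else:
            verdict = "unexplained; verify with a second rootkit scanner"
        out.append({"path": first, "kind": e["kind"], "assessment": verdict})
    return out


if __name__ == "__main__":
    for row in triage(parse_hidden_objects(SAMPLE_LOG)):
        print(f"{row['kind']:8} {row['assessment']}\n         {row['path']}")
```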

#8 AviraHelp


Posted 28 March 2010 - 04:45 PM

Thanks for your great help; you have been very helpful in this stressful time for me, lol.

I have created a new thread and posted all the requested logs.

#9 Orange Blossom (Moderator)

Posted 28 March 2010 - 05:50 PM

Hello,

Now that you have posted a log here: http://www.bleepingcomputer.com/forums/t/305548/hidden-objects/ you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by an MRT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.

From this point on the MRT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the MRT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the MRT Team. Generally the staff checks the forum for postings that have 0 replies, as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member looking for a new log to work may assume another MRT Team member is already assisting you and not open the thread to respond.

Please be patient. It may take several days to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript



