# Avira Virus Detections on Startup

Page 2 of 2   1, 2

## Avira Virus Detections on Startup

First topic message reminder :

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:14:08 PM, on 11/17/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS.1\System32\smss.exe
C:\WINDOWS.1\system32\winlogon.exe
C:\WINDOWS.1\system32\services.exe
C:\WINDOWS.1\system32\lsass.exe
C:\WINDOWS.1\system32\Ati2evxx.exe
C:\WINDOWS.1\system32\svchost.exe
C:\WINDOWS.1\System32\svchost.exe
C:\WINDOWS.1\system32\Ati2evxx.exe
C:\WINDOWS.1\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS.1\system32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\PC Tools Firewall Plus\FWService.exe
C:\WINDOWS.1\system32\wscntfy.exe
C:\WINDOWS.1\Explorer.EXE
C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS.1\system32\ctfmon.exe
C:\WINDOWS.1\System32\svchost.exe
C:\Documents and Settings\Alexander\Application Data\Microsoft\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Alexander\Desktop\Hi-JackThis.scr

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [StartCCC] "c:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [00PCTFW] "C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe" -s
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS.1\system32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [svchost.exe] C:\Documents and Settings\Alexander\Application Data\Microsoft\svchost.exe
O9 - Extra button: Fiddler2 - {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} - "C:\Program Files\Fiddler2\Fiddler.exe" (file missing)
O9 - Extra 'Tools' menuitem: Fiddler2 - {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} - "C:\Program Files\Fiddler2\Fiddler.exe" (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS.1\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS.1\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows.1\system32\nwprovau.dll
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - [You must be registered and logged in to see this link.]
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS.1\system32\Ati2evxx.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS.1\system32\GameMon.des.exe (file missing)
O23 - Service: PC Tools Firewall Plus (PCToolsFirewallPlus) - PC Tools - C:\Program Files\PC Tools Firewall Plus\FWService.exe

--
End of file - 4440 bytes

Restricted

Rookie Surfer

Posts : 158
Joined : 2009-06-12
Operating System : Win7 Ultimate 32-bit

## Re: Avira Virus Detections on Startup

Let me go ahead and give you a background on the situation as of now. After taking a closer look at the log above, it appears a rootkit has been strangling the Registry. It is called nProtect GameGuard. The program was once good, but it has now - by my research - been declared malware.

I also have seen a backdoor trojan that is nagging your computer.

This is not meant to scare you, but it is the synopsis of a very close look of the log above. It was hard to figure out the situation, so a closer look was my only option.

Most of the time, this is a means for a reformat and reinstall of your Operating System. However, I can help you avoid that. But, here is some information to help you stay safe from the threat of this, and to make your decision:

Backdoor trojans are very dangerous because they compromise system integrity by making changes that allow it to by used by the attacker for malicious purposes. Remote attackers use backdoors as a means of accessing and taking control of a computer that bypasses security mechanisms. This type of exploit allows them to steal sensitive information like passwords, personal and financial data which is send back to the hacker.
I would counsel you to immediately disconnect this PC from the Internet and from your network if it is on a network. Disconnect the infected computer until the computer can be cleaned.
Then, access this information from a non-compromised computer to follow the steps needed.
If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable. Do NOT change passwords or do any transactions while using the infected computer because the attacker may get the new passwords and transaction information. (If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again.) Banking and credit card institutions should be notified to apprise them of your situation (possible security breach). To protect your information that may have been compromised, I recommend reading these references:

• How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
• What Should I Do If I've Become A Victim Of Identity Theft?
• Identity Theft Victims Guide - What to do

Though the backdoor has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. It is dangerous and incorrect to assume the computer is secure even if the malware appears to have been removed. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired so you can never be sure that you have completely removed a backdoor trojan. The malware may leave so many remnants behind that security tools cannot find them. Tools that claim to be able to remove backdoor trojans cannot guarantee that all traces of it will be removed. Many experts in the security community believe that once infected with such a piece of malware, the best course of action would be a reformat and clean reinstall of the OS. This is something I don't like to recommend normally, but in most cases it is the best solution for your safety. Making this decision is based on what the computer is used for, and what information can be accessed from it. For more information, please read these references very carefully:

• When should I re-format? How should I reinstall?
• Help: I Got Hacked. Now What Do I Do?
• Help: I Got Hacked. Now What Do I Do? Part II
• Where to draw the line? When to recommend a format and reinstall?
Guides for format and reinstall: [You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.]
However, if you do not have the resources to reinstall your computer's OS and would like me to attempt to clean it, I will be happy to do so. But please consider carefully before deciding against a reformat.
If you do make that decision, I will do my best to help you clean the computer of any infections, but you must understand that once a machine has been taken over by this type of malware, I cannot guarantee that it will be 100% secure even after disinfection or that the removal will be successful.

Please let me know what you have decided to do in your next post. Should you have any questions, please feel free to ask.

Please re-open HijackThis and scan. Check the boxes to the left of all the entries listed below.

O4 - HKLM\..\Run: [alq] C:\Program Files\Common Files\alq.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS.1\system32\GameMon.des.exe (file missing)

Then, please exit all programs except for HijackThis (System Tray (bottom right of screen): right-click on each program icon and click an Exit or shut down option, etc.), then click Fix Checked.

After it completes its process, please close HijackThis and reboot your computer.

Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete this file (if present):

C:\Program Files\Common Files\alq.exe

==

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please reboot to Safe Mode (tap the F8 key just before Windows starts to load and select the Safe Mode option from the menu).

• Open the extracted SDFix folder and double click RunThis.bat to start the script.
• Type Y to begin the cleanup process.
• It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
• Press any Key and it will restart the PC.
• When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
• Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
• Finally paste the contents of the Report.txt back on the forum with a new HijackThis log

[You must be registered and logged in to see this link.] - Get $30 off Kaspersky products. ~DMJ GeekPolice Academy Manager Donations/Contributions DragonMaster Jay Manager | Tech Officer Posts : 13451 Joined : 2009-09-07 Operating System : Windows 7 Ultimate ## Re: Avira Virus Detections on Startup SDFix: Version 1.240 Run by Alexander on Fri 11/27/2009 at 10:12 PM Microsoft Windows XP [Version 5.1.2600] Running From: C:\SDFix Checking Services : Restoring Default Security Values Restoring Default Hosts File Rebooting Checking Files : Trojan Files Found: C:\WINDOWS.EXE - Deleted Removing Temp Files ADS Check : Final Check : catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.] Rootkit scan 2009-11-27 22:28:39 Windows 5.1.2600 Service Pack 3 NTFS scanning hȋdden processes ... scanning hȋdden services & system hive ... scanning hȋdden registry entries ... scanning hȋdden files ... scan completed successfully hȋdden processes: 0 hȋdden services: 0 hȋdden files: 0 Remaining Services : Authorized Application Key Export: [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list] "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000" "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019" "C:\\WINDOWS.1\\system32\\usmt\\migwiz.exe"="C:\\WINDOWS.1\\system32\\usmt\\migwiz.exe:*:Enabled:Files and Settings Transfer Wizard" "C:\\Documents and Settings\\Alexander\\Local Settings\\Temp\\usmt\\migwiz.exe"="C:\\Documents and Settings\\Alexander\\Local Settings\\Temp\\usmt\\migwiz.exe:*:Enabled:Files and Settings Transfer Wizard" "C:\\Program Files\\Steam\\Steam.exe"="C:\\Program Files\\Steam\\Steam.exe:*:Enabled:Steam" "C:\\Program Files\\Steam\\steamapps\\common\\left 4 dead 2 demo\\left4dead2.exe"="C:\\Program Files\\Steam\\steamapps\\common\\left 4 dead 2 demo\\left4dead2.exe:*:Enabled:left4dead2" "C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent" "C:\\WINDOWS.1\\system32\\PnkBstrA.exe"="C:\\WINDOWS.1\\system32\\PnkBstrA.exe:*:Enabled:PnkBstrA" "C:\\WINDOWS.1\\system32\\PnkBstrB.exe"="C:\\WINDOWS.1\\system32\\PnkBstrB.exe:*:Enabled:PnkBstrB" "C:\\Program Files\\Microsoft Office\\Office14\\GROOVE.EXE"="C:\\Program Files\\Microsoft Office\\Office14\\GROOVE.EXE:*:Enabled:Microsoft SharePoint Workspace" "C:\\Program Files\\Microsoft Office\\Office14\\ONENOTE.EXE"="C:\\Program Files\\Microsoft Office\\Office14\\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote" "C:\\Program Files\\Microsoft Office\\Office14\\OUTLOOK.EXE"="C:\\Program Files\\Microsoft Office\\Office14\\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook" "C:\\WINDOWS.1\\system32\\lxdvcoms.exe"="C:\\WINDOWS.1\\system32\\lxdvcoms.exe:*:Enabled:X5400 Series Server" "C:\\Program Files\\Lexmark X5400 Series\\lxdvmon.exe"="C:\\Program Files\\Lexmark X5400 Series\\lxdvmon.exe:*:Enabled:Printer Device Monitor" "C:\\WINDOWS.1\\system32\\spool\\drivers\\w32x86\\3\\lxdvpswx.exe"="C:\\WINDOWS.1\\system32\\spool\\drivers\\w32x86\\3\\lxdvpswx.exe:*:Enabled:Printer Status Window Interface" "C:\\WINDOWS.1\\system32\\spool\\drivers\\w32x86\\3\\lxdvjswx.exe"="C:\\WINDOWS.1\\system32\\spool\\drivers\\w32x86\\3\\lxdvjswx.exe:*:Enabled:Job Status Window Interface" [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list] "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000" "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019" Remaining Files : File Backups: - C:\SDFix\backups\backups.zip Files with hȋdden Attributes : Mon 26 Jan 2009 1,740,632 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe" Mon 26 Jan 2009 5,365,592 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" Mon 26 Jan 2009 2,144,088 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" Finished! Here is another HJT log just in case you need to see anything new: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 10:35:12 PM, on 11/27/2009 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v8.00 (8.00.6001.18702) Boot mode: Normal Running processes: C:\WINDOWS.1\System32\smss.exe C:\WINDOWS.1\system32\winlogon.exe C:\WINDOWS.1\system32\services.exe C:\WINDOWS.1\system32\lsass.exe C:\WINDOWS.1\system32\Ati2evxx.exe C:\WINDOWS.1\system32\svchost.exe C:\WINDOWS.1\System32\svchost.exe C:\WINDOWS.1\system32\spoolsv.exe C:\Program Files\Avira\AntiVir Desktop\sched.exe C:\WINDOWS.1\system32\Ati2evxx.exe C:\WINDOWS.1\Explorer.EXE C:\Program Files\Avira\AntiVir Desktop\avguard.exe C:\WINDOWS.1\system32\inetsrv\inetinfo.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\WINDOWS.1\system32\lxdvcoms.exe C:\Program Files\PC Tools Firewall Plus\FWService.exe C:\WINDOWS.1\system32\svchost.exe C:\WINDOWS.1\system32\wscntfy.exe C:\WINDOWS.1\system32\notepad.exe C:\Program Files\TortoiseSVN\bin\TSVNCache.exe C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe C:\Program Files\Java\jre6\bin\jusched.exe C:\WINDOWS.1\System32\svchost.exe C:\Program Files\Lexmark X5400 Series\lxdvmon.exe C:\Program Files\Lexmark X5400 Series\lxdvamon.exe C:\Program Files\Avira\AntiVir Desktop\avgnt.exe C:\WINDOWS.1\system32\ctfmon.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Documents and Settings\Alexander\Desktop\Hi-JackThis.scr R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.] R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.] R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.] R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.] R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.] O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office14\GROOVEEX.DLL O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\MICROS~2\Office14\URLREDIR.DLL O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll O4 - HKLM\..\Run: [StartCCC] "c:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun O4 - HKLM\..\Run: [00PCTFW] "C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe" -s O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript O4 - HKLM\..\Run: [BCSSync] "C:\Program Files\Microsoft Office\Office14\BCSSync.exe" /DelayServices O4 - HKLM\..\Run: [ATICCC] "c:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay O4 - HKLM\..\Run: [lxdvmon.exe] "C:\Program Files\Lexmark X5400 Series\lxdvmon.exe" O4 - HKLM\..\Run: [lxdvamon] "C:\Program Files\Lexmark X5400 Series\lxdvamon.exe" O4 - HKLM\..\Run: [Lexmark X5400 Series Fax Server] "C:\Program Files\Lexmark X5400 Series\fm3032.exe" /s O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS.1\system32\ctfmon.exe O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.] O8 - Extra context menu item: Se&nd to OneNote - [You must be registered and logged in to see this link.] O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll O9 - Extra 'Tools' menuitem: Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll O9 - Extra button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll O9 - Extra 'Tools' menuitem: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS.1\bdoscandel.exe O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS.1\bdoscandel.exe O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS.1\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS.1\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O10 - Unknown file in Winsock LSP: c:\windows.1\system32\nwprovau.dll O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - [You must be registered and logged in to see this link.] O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - [You must be registered and logged in to see this link.] O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS.1\system32\Ati2evxx.exe O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe O23 - Service: lxdvCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS.1\System32\spool\DRIVERS\W32X86\3\\lxdvserv.exe O23 - Service: lxdv_device - - C:\WINDOWS.1\system32\lxdvcoms.exe O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS.1\system32\GameMon.des.exe (file missing) O23 - Service: PC Tools Firewall Plus (PCToolsFirewallPlus) - PC Tools - C:\Program Files\PC Tools Firewall Plus\FWService.exe -- End of file - 6468 bytes Restricted Rookie Surfer Posts : 158 Joined : 2009-06-12 Operating System : Win7 Ultimate 32-bit ## Re: Avira Virus Detections on Startup Download Security Check by screen317 from SpywareInfoforum.org or Changelog.fr. • Save it to your Desktop. • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box. • A Notepad document should open automatically called checkup.txt; please post the contents of that document. How is your computer running? [You must be registered and logged in to see this link.] - Get$30 off Kaspersky products.

~DMJ

Donations/Contributions

DragonMaster Jay

Manager | Tech Officer

Posts : 13451
Joined : 2009-09-07
Operating System : Windows 7 Ultimate

## Re: Avira Virus Detections on Startup

Results of screen317's Security Check version 0.99.1
Windows XP Service Pack 3

Antivirus/Firewall Check:

Avira AntiVir Personal - Free Antivirus
PC Tools Firewall Plus 6.0
Antivirus out of date!

Anti-malware/Other Utilities Check:

HijackThis 2.0.2
CCleaner
Java(TM) 6 Update 17
Java(TM) SE Development Kit 6 Update 17
Java DB 10.4.2.1

Process Check:
objlist.exe by Laurent

Avira Antivir avgnt.exe
Avira Antivir avguard.exe
PC Tools Firewall Plus FWService.exe
PC Tools Firewall Plus FirewallGUI.exe

DNS Vulnerability Check:

[color]nslookup.exe missing![/color]
GREAT! (Not vulnerable to DNS cache poisoning)

End of Log

Good.
Is there anything else that needs to happen to make sure it is all gone?

EDIT: Avira still wont update.

Restricted

Rookie Surfer

Posts : 158
Joined : 2009-06-12
Operating System : Win7 Ultimate 32-bit

## Re: Avira Virus Detections on Startup

I do not think there is too much more to do and your computer is clean. If the computer gets re-infected, we are still here.

Like I had said earlier, we cannot be too sure your computer is 100% clean, since the backdoor trojan your computer had was very severe.

I am going the recommend that you change Antivirus software since Avira is not cooperating.

Antivirus/Antispyware

• Microsoft Security Essentials: this is Microsoft's free antivirus/antispyware program. It equips you with protection against viruses, spyware, trojans, rootkits, and worms. It is also light on the computer's performance. Note: when installing this, you have both an antivirus and antispyware. Make sure you also get a firewall.
• AVG Free: this is one of the most powerful, and easiest to use security software. The free version equips you with protection against viruses, spyware, trojans, rootkits, worms, and rogue software. Note: when installing this, you have both an antivirus and antispyware. Make sure you also get a firewall.

Thank you for choosing GeekPolice. Please see [You must be registered and logged in to see this link.] if you would like to leave feedback or contribute to our site. Do you have any more questions?

[You must be registered and logged in to see this link.] - Get $30 off Kaspersky products. ~DMJ GeekPolice Academy Manager Donations/Contributions DragonMaster Jay Manager | Tech Officer Posts : 13451 Joined : 2009-09-07 Operating System : Windows 7 Ultimate ## Re: Avira Virus Detections on Startup Nope that should be all. Thanks a lot. Restricted Rookie Surfer Posts : 158 Joined : 2009-06-12 Operating System : Win7 Ultimate 32-bit ## Re: Avira Virus Detections on Startup You are welcome. [You must be registered and logged in to see this link.] - Get$30 off Kaspersky products.

~DMJ

Donations/Contributions

DragonMaster Jay

Manager | Tech Officer

Posts : 13451
Joined : 2009-09-07
Operating System : Windows 7 Ultimate