Avira scan

I can't seem to find an Avira forum that comes up in English.
Here's a scan result I got at http://mewnlite.com/LF.jpg
15 detections, 6 "moved". What happened to the other 9?
The log file looks like this:


Avira Free Antivirus
Report file date: Wednesday, March 28, 2012  05:48

Scanning for 3642834 virus strains and unwanted programs.

The program is running as an unrestricted full version.
Online services are available:

Licensee        : Avira AntiVir Personal - Free Antivirus
Serial number   : 0000149996-ADJIE-0000001
Platform        : Windows XP
Windows version : (Service Pack 3)  [5.1.2600]
Boot mode       : Normally booted
Username        : SYSTEM
Computer name   : BASEMENT

Version information:
BUILD.DAT       : 12.0.0.898     41963 Bytes   1/31/2012 14:50:00
AVSCAN.EXE      : 12.1.0.20     492496 Bytes   3/12/2012 22:28:06
AVSCAN.DLL      : 12.1.0.18      54224 Bytes   3/12/2012 22:28:06
LUKE.DLL        : 12.1.0.19      68304 Bytes   3/12/2012 22:28:07
AVSCPLR.DLL     : 12.1.0.22     100048 Bytes   3/12/2012 22:28:08
AVREG.DLL       : 12.1.0.29     228048 Bytes   3/12/2012 22:28:08
VBASE000.VDF    : 7.10.0.0    19875328 Bytes   11/6/2009 02:18:34
VBASE001.VDF    : 7.11.0.0    13342208 Bytes  12/14/2010 17:07:39
VBASE002.VDF    : 7.11.19.170 14374912 Bytes  12/20/2011 04:25:10
VBASE003.VDF    : 7.11.21.238  4472832 Bytes    2/1/2012 22:27:33
VBASE004.VDF    : 7.11.21.239     2048 Bytes    2/1/2012 22:27:34
VBASE005.VDF    : 7.11.21.240     2048 Bytes    2/1/2012 22:27:34
VBASE006.VDF    : 7.11.21.241     2048 Bytes    2/1/2012 22:27:34
VBASE007.VDF    : 7.11.21.242     2048 Bytes    2/1/2012 22:27:34
VBASE008.VDF    : 7.11.21.243     2048 Bytes    2/1/2012 22:27:35
VBASE009.VDF    : 7.11.21.244     2048 Bytes    2/1/2012 22:27:35
VBASE010.VDF    : 7.11.21.245     2048 Bytes    2/1/2012 22:27:35
VBASE011.VDF    : 7.11.21.246     2048 Bytes    2/1/2012 22:27:35
VBASE012.VDF    : 7.11.21.247     2048 Bytes    2/1/2012 22:27:35
VBASE013.VDF    : 7.11.22.33   1486848 Bytes    2/3/2012 22:27:41
VBASE014.VDF    : 7.11.22.56    687616 Bytes    2/3/2012 22:27:43
VBASE015.VDF    : 7.11.22.92    178176 Bytes    2/6/2012 22:27:44
VBASE016.VDF    : 7.11.22.154   144896 Bytes    2/8/2012 22:27:45
VBASE017.VDF    : 7.11.22.220   183296 Bytes   2/13/2012 22:27:45
VBASE018.VDF    : 7.11.23.34    202752 Bytes   2/15/2012 22:27:46
VBASE019.VDF    : 7.11.23.98    126464 Bytes   2/17/2012 22:27:46
VBASE020.VDF    : 7.11.23.150   148480 Bytes   2/20/2012 22:27:47
VBASE021.VDF    : 7.11.23.224   172544 Bytes   2/23/2012 22:27:47
VBASE022.VDF    : 7.11.24.52    219648 Bytes   2/28/2012 22:27:48
VBASE023.VDF    : 7.11.24.152   165888 Bytes    3/5/2012 22:27:48
VBASE024.VDF    : 7.11.24.204   177664 Bytes    3/7/2012 22:27:49
VBASE025.VDF    : 7.11.25.30    245248 Bytes   3/12/2012 22:27:51
VBASE026.VDF    : 7.11.25.121   252416 Bytes   3/15/2012 02:56:10
VBASE027.VDF    : 7.11.25.177   202752 Bytes   3/20/2012 01:35:55
VBASE028.VDF    : 7.11.25.233   169984 Bytes   3/23/2012 19:15:15
VBASE029.VDF    : 7.11.26.25    681472 Bytes   3/27/2012 22:12:52
VBASE030.VDF    : 7.11.26.26      2048 Bytes   3/27/2012 22:12:52
VBASE031.VDF    : 7.11.26.34     49664 Bytes   3/27/2012 22:12:53
Engineversion   : 8.2.10.28
AEVDF.DLL       : 8.1.2.2       106868 Bytes   12/5/2011 01:49:03
AESCRIPT.DLL    : 8.1.4.13      442746 Bytes   3/23/2012 01:36:00
AESCN.DLL       : 8.1.8.2       131444 Bytes   3/12/2012 22:28:04
AESBX.DLL       : 8.2.5.5       606579 Bytes   3/12/2012 22:28:05
AERDL.DLL       : 8.1.9.15      639348 Bytes    9/9/2011 05:16:06
AEPACK.DLL      : 8.2.16.7      803190 Bytes   3/23/2012 01:36:00
AEOFFICE.DLL    : 8.1.2.25      201084 Bytes  12/30/2011 00:02:19
AEHEUR.DLL      : 8.1.4.8      4514165 Bytes   3/23/2012 01:35:59
AEHELP.DLL      : 8.1.19.0      254327 Bytes   1/19/2012 21:31:36
AEGEN.DLL       : 8.1.5.23      409973 Bytes   3/12/2012 22:27:57
AEEXP.DLL       : 8.1.0.25       74101 Bytes   3/16/2012 02:56:17
AEEMU.DLL       : 8.1.3.0       393589 Bytes    9/2/2011 05:46:01
AECORE.DLL      : 8.1.25.6      201078 Bytes   3/16/2012 02:56:11
AEBB.DLL        : 8.1.1.0        53618 Bytes    9/2/2011 05:46:01
AVWINLL.DLL     : 12.1.0.17      27344 Bytes   9/23/2011 18:13:18
AVPREF.DLL      : 12.1.0.17      51920 Bytes   9/23/2011 17:53:57
AVREP.DLL       : 12.1.0.17     179408 Bytes   9/23/2011 17:55:01
AVARKT.DLL      : 12.1.0.23     209360 Bytes   3/12/2012 22:28:06
AVEVTLOG.DLL    : 12.1.0.17     169168 Bytes   9/23/2011 17:34:37
SQLITE3.DLL     : 3.7.0.0       398288 Bytes   9/16/2011 08:05:58
AVSMTP.DLL      : 12.1.0.17      62928 Bytes   9/23/2011 18:03:47
NETNT.DLL       : 12.1.0.17      17104 Bytes   9/23/2011 18:58:06
RCIMAGE.DLL     : 12.1.0.17    4450000 Bytes   9/23/2011 19:37:25
RCTEXT.DLL      : 12.1.1.16      96208 Bytes  12/23/2011 04:25:10

Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: C:\Program Files\Avira\AntiVir
Desktop\sysscan.avp
Logging.............................: default
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:,
Process scan........................: on
Extended process scan...............: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: extended

Start of the scan: Wednesday, March 28, 2012  05:48

Starting master boot sector scan:
Master boot sector HD0
    [INFO]      No virus was found!

Start scanning boot sectors:
Boot sector 'C:'
    [INFO]      No virus was found!

Starting search for hidden objects.

The scan of running processes will be started
Scan process 'logon.scr' - '13' Module(s) have been scanned
Scan process 'rsmsink.exe' - '29' Module(s) have been scanned
Scan process 'msdtc.exe' - '40' Module(s) have been scanned
Scan process 'dllhost.exe' - '60' Module(s) have been scanned
Scan process 'dllhost.exe' - '45' Module(s) have been scanned
Scan process 'vssvc.exe' - '48' Module(s) have been scanned
Scan process 'avscan.exe' - '67' Module(s) have been scanned
Scan process 'avcenter.exe' - '66' Module(s) have been scanned
Scan process 'AutoLauncher.exe' - '46' Module(s) have been scanned
Scan process 'LightScribeControlPanel.exe' - '30' Module(s) have been
scanned
Scan process 'jusched.exe' - '40' Module(s) have been scanned
Scan process 'avgnt.exe' - '58' Module(s) have been scanned
Scan process 'brs.exe' - '19' Module(s) have been scanned
Scan process 'PDVD8Serv.exe' - '24' Module(s) have been scanned
Scan process 'CLMLSvc.exe' - '35' Module(s) have been scanned
Scan process 'IBurn.exe' - '31' Module(s) have been scanned
Scan process 'VCDDaemon.exe' - '23' Module(s) have been scanned
Scan process 'tv_w32.exe' - '24' Module(s) have been scanned
Scan process 'Explorer.EXE' - '121' Module(s) have been scanned
Scan process 'TeamViewer.exe' - '85' Module(s) have been scanned
Scan process 'alg.exe' - '33' Module(s) have been scanned
Scan process 'avshadow.exe' - '26' Module(s) have been scanned
Scan process 'MsPMSPSv.exe' - '14' Module(s) have been scanned
Scan process 'TeamViewer_Service.exe' - '61' Module(s) have been scanned
Scan process 'svchost.exe' - '39' Module(s) have been scanned
Scan process 'PMBDeviceInfoProvider.exe' - '23' Module(s) have been
scanned
Scan process 'CTSvcCDA.EXE' - '9' Module(s) have been scanned
Scan process 'avguard.exe' - '64' Module(s) have been scanned
Scan process 'svchost.exe' - '33' Module(s) have been scanned
Scan process 'sched.exe' - '38' Module(s) have been scanned
Scan process 'spoolsv.exe' - '61' Module(s) have been scanned
Scan process 'svchost.exe' - '40' Module(s) have been scanned
Scan process 'svchost.exe' - '32' Module(s) have been scanned
Scan process 'svchost.exe' - '164' Module(s) have been scanned
Scan process 'Ati2evxx.exe' - '19' Module(s) have been scanned
Scan process 'svchost.exe' - '39' Module(s) have been scanned
Scan process 'svchost.exe' - '54' Module(s) have been scanned
Scan process 'lsass.exe' - '58' Module(s) have been scanned
Scan process 'services.exe' - '38' Module(s) have been scanned
Scan process 'winlogon.exe' - '91' Module(s) have been scanned
Scan process 'csrss.exe' - '14' Module(s) have been scanned
Scan process 'smss.exe' - '2' Module(s) have been scanned

Starting to scan executable files (registry).
The registry was scanned ( '1918' files ).


Starting the file scan:

Begin scan in 'C:' <Main Drive>
C:\Documents and Settings\Administrator\Application Data\Sun\Java
\Deployment\cache.0f142c00-580e0c54
  [0] Archive type: ZIP
  --> xmltree/alpina.class
      [DETECTION] Contains recognition pattern of the EXP/JAVA.Coniz.Gen
exploit
  --> xmltree/kolibra.class
      [DETECTION] Contains recognition pattern of the EXP/JAVA.Coniz.Gen
exploit
  --> xmltree/umbro.class
      [DETECTION] Contains recognition pattern of the EXP/CVE-2010-0840
exploit
C:\Documents and Settings\Administrator\Application Data\Sun\Java
\Deployment\cache.032f84b-535b33ca
  [0] Archive type: ZIP
  --> main.class
      [DETECTION] Contains recognition pattern of the EXP/CVE-2011-3544
exploit
C:\Documents and Settings\Administrator\Application Data\Sun\Java
\Deployment\cache.0eb175e-2d58ee60
  [0] Archive type: ZIP
  --> ud.class
      [DETECTION] Contains recognition pattern of the EXP/11-3544.CZ.2
exploit
  --> cr.class
      [DETECTION] Contains recognition pattern of the EXP/11-3544.CS.2.B
exploit
  --> G.class
      [DETECTION] Contains recognition pattern of the EXP/11-3544.CT.1.A
exploit
  --> ub.class
      [DETECTION] Contains recognition pattern of the EXP/11-3544.CU.2
exploit
  --> uc.class
      [DETECTION] Contains recognition pattern of the EXP/11-3544.CW.2
exploit
  --> ua.class
      [DETECTION] Contains recognition pattern of the EXP/11-3544.CV.2.A
exploit
C:\Documents and Settings\Administrator\Application Data\Sun\Java
\Deployment\cache.04d702c-3fbe53de
  [0] Archive type: ZIP
  --> yujswepsmfrcqtnl/fvlrsmsfpmwkjgsfruejg.class
      [DETECTION] Contains recognition pattern of the EXP/JAVA.Niabil.Gen
exploit
  --> yujswepsmfrcqtnl/qpvpemkmmushjcfjbndjf.class
      [DETECTION] Contains recognition pattern of the EXP/CVE-2010-0840
exploit
C:\Documents and Settings\Administrator\Application Data\Sun\Java
\Deployment\cache.0f1ac7a-1aeccf3b
  [0] Archive type: ZIP
  --> yujswepsmfrcqtnl/fvlrsmsfpmwkjgsfruejg.class
      [DETECTION] Contains recognition pattern of the EXP/JAVA.Niabil.Gen
exploit
  --> yujswepsmfrcqtnl/qpvpemkmmushjcfjbndjf.class
      [DETECTION] Contains recognition pattern of the EXP/CVE-2010-0840
exploit
C:\Documents and Settings\Administrator\Application Data\Sun\Java
\Deployment\cache.0a3ed06-615d18e1
  [0] Archive type: ZIP
  --> andora.class
      [DETECTION] Contains recognition pattern of the EXP/CVE-2011-3544
exploit

Beginning disinfection:
C:\Documents and Settings\Administrator\Application Data\Sun\Java
\Deployment\cache.0a3ed06-615d18e1
  [DETECTION] Contains recognition pattern of the EXP/CVE-2011-3544
exploit
  [NOTE]      The file was moved to the quarantine directory under the
name '4d23bdb1.qua'.
C:\Documents and Settings\Administrator\Application Data\Sun\Java
\Deployment\cache.0f1ac7a-1aeccf3b
  [DETECTION] Contains recognition pattern of the EXP/CVE-2010-0840
exploit
  [NOTE]      The file was moved to the quarantine directory under the
name '55b99210.qua'.
C:\Documents and Settings\Administrator\Application Data\Sun\Java
\Deployment\cache.04d702c-3fbe53de
  [DETECTION] Contains recognition pattern of the EXP/CVE-2010-0840
exploit
  [NOTE]      The file was moved to the quarantine directory under the
name '0798c8f3.qua'.
C:\Documents and Settings\Administrator\Application Data\Sun\Java
\Deployment\cache.0eb175e-2d58ee60
  [DETECTION] Contains recognition pattern of the EXP/11-3544.CV.2.A
exploit
  [NOTE]      The file was moved to the quarantine directory under the
name '61d08732.qua'.
C:\Documents and Settings\Administrator\Application Data\Sun\Java
\Deployment\cache.032f84b-535b33ca
  [DETECTION] Contains recognition pattern of the EXP/CVE-2011-3544
exploit
  [NOTE]      The file was moved to the quarantine directory under the
name '242aaa0f.qua'.
C:\Documents and Settings\Administrator\Application Data\Sun\Java
\Deployment\cache.0f142c00-580e0c54
  [DETECTION] Contains recognition pattern of the EXP/CVE-2010-0840
exploit
  [NOTE]      The file was moved to the quarantine directory under the
name '5b339bb0.qua'.


End of the scan: Wednesday, March 28, 2012  09:01
Used time:  1:27:20 Hour(s)

The scan has been done completely.

  15465 Scanned directories
 473498 Files were scanned
     15 Viruses and/or unwanted programs were found
      0 Files were classified as suspicious
      0 Files were deleted
      0 Viruses and unwanted programs were repaired
      6 Files were moved to quarantine
      0 Files were renamed
      0 Files cannot be scanned
 473483 Files not concerned
   1883 Archives were scanned
      0 Warnings
      6 Notes
 607886 Objects were scanned with rootkit scan
      0 Hidden objects were found

This doesn't add up.


--
   --- A dyslexic man walks into a bra ---

Re: Avira scan

"Li'l Abner" wrote:
[...]


Yes it does. 6 Java .jar (zip) files containing a total of 15 .class
files; 15 - 6 = 9.



Re: Avira scan



You reposted all of that for four lines of worthless information.

--
Bear
http://bearware.info
The real Bear's header path is:
news.sunsite.dk!dotsrc.org!filter.dotsrc.org!news.dotsrc.org!not-for-mail

Re: Avira scan

Li'l Abner wrote:


Really?

<repeated 5 more times, 6 total>

One, you are really logging on under the Administrator account?  Why?
That is your disaster recovery account, NOT for use as your everyday
account.  Create another admin-level account and use that as your
everyday account (if you really need admin privs all the time).  Leave
the Administrator account alone unless you absolutely need to use it,
like when your normal admin-level account gets screwed up and you can no
longer log into it.

Two, if you must be running at admin-level privileges most of the time,
run your Internet-facing apps under a LUA (limited user account) token.
That will reduce their privileges down to those for a limited account.
While there are security programs that can drop the rights on a process
when it loads, some of them only work when you use a shortcut and not
when the program is called as a child process, like clicking on a URL
link in an e-mail in your e-mail client.  Use software restriction
policies (SRPs) to run the web-facing apps under Basic mode which runs
them under a LUA account.  Else, make sure you have decent security
software if you feel you need to run web-facing apps with admin privs.
Since AV programs are not sufficient to catch all exploits, you might
want to consider running your web apps under admin privs but in a
sandbox (e.g., Sandboxie, BufferZone) or under enforced privs (e.g.,
GeSWall).

Three, do you really need to cache up Java applets?  Unless they are
huge and you run them everyday and they get pushed by a local server in
a corporate network to ensure you have the latest version, configure
Java to NOT keep old Java applets on your host.  Control Panel -> Java,
General tab, Temporary Internet Files, Settings, disable "Keep temporary
files on my computer".  Then flush whatever you have now in the Java TIF
cache.

Four, do you often visit sites that incorporate Java to run on your
computer (the applets they download and run on your host)?  Some online
games sites use Java.  Rather than let the web browser run Java applets
anytime it runs across a web site that wants to push one onto your
computer, change "Scripting of Java applets" from Enable to Prompt (this
is for IE, other web browsers may have a differently named setting).  I
have this option set to Prompt.  After visiting a couple hundred sites
in my Favorites list, not one showed a prompt because none of them use
Java; however, I don't do online games where I have seen Java used.
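The three host-side measures in the post above (run the web-facing programs as Basic User through SRP, stop Java keeping temporary files, set IE's "Scripting of Java applets" to Prompt) can be checked from a script instead of by clicking through dialogs. What follows is an added example written for this thread, not code from Avira, Microsoft or the poster. Registry reads go through a small reader object so the same checks run against a constructed snapshot (as here) or a live host via winreg. The IE value name 1402 and its action codes follow KB 182569; the SRP DefaultLevel codes and the <level>\Paths\<GUID>\ItemData layout are what the Local Security Policy snap-in writes; the deployment.cache.enabled property is assumed to be the key behind "Keep temporary files on my computer", so confirm it against the deployment.properties on the target Java build. The GUID, the iexplore.exe path and the jar stub in the snapshot are constructed.

```python
"""Audit the host-side mitigations above: IE "Scripting of Java applets",
SRP Basic User rules for web-facing programs, and the Java temp-file cache.
Added example for this thread, not Avira's or Microsoft's code."""
import os
import tempfile

# IE zone actions (KB 182569): value "1402" = Scripting of Java applets;
# data 0 = Enable, 1 = Prompt, 3 = Disable.  Zone 3 = Internet.
IE_INTERNET_ZONE = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"
IE_ACTION = {0: "Enable", 1: "Prompt", 3: "Disable"}
# Software Restriction Policies: DefaultLevel 0x40000 Unrestricted, 0x20000
# Basic User, 0 Disallowed; path rules sit under <level>\Paths\<GUID>\ItemData.
SAFER = r"HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers"
SAFER_LEVEL = {0x40000: "Unrestricted", 0x20000: "Basic User", 0: "Disallowed"}
BASIC_USER_RULES = SAFER + "\\" + str(0x20000) + "\\Paths"
ZIP_MAGIC = b"PK\x03\x04"            # a cached applet is a jar, i.e. a ZIP file


class SnapshotRegistry:
    """{key_path: {value_name: data}}.  A live reader wraps winreg (OpenKey,
    QueryValueEx, EnumKey) behind the same two methods."""
    def __init__(self, keys):
        self.keys = keys

    def get(self, key, name):
        return self.keys.get(key, {}).get(name)

    def subkeys(self, key):
        prefix = key + "\\"
        return sorted({k[len(prefix):].split("\\")[0] for k in self.keys if k.startswith(prefix)})


def audit_ie_java_scripting(reg):
    data = reg.get(IE_INTERNET_ZONE, "1402")
    action = "unset" if data is None else IE_ACTION.get(data, f"unknown({data})")
    return {"action": action, "ok": data in (1, 3)}       # Prompt or Disable


def audit_srp(reg, web_facing_exes):
    level = reg.get(SAFER, "DefaultLevel")
    rules = {reg.get(BASIC_USER_RULES + "\\" + g, "ItemData") for g in reg.subkeys(BASIC_USER_RULES)}
    covered = {r.lower() for r in rules if r}
    unprotected = [e for e in web_facing_exes if e.lower() not in covered]
    return {"default_level": "unset" if level is None else SAFER_LEVEL.get(level, f"unknown({level})"),
            "basic_user_rules": sorted(covered), "unprotected": unprotected,
            "ok": level is not None and not unprotected}


def audit_java_cache(deployment_properties, cache_dir):
    """deployment_properties: text of the user's deployment.properties.  We assume
    deployment.cache.enabled is what "Keep temporary files on my computer" sets;
    confirm on the target Java build.  Any cached file with a ZIP header is a jar."""
    props = dict(ln.split("=", 1) for ln in deployment_properties.splitlines()
                 if "=" in ln and not ln.startswith("#"))
    keep = props.get("deployment.cache.enabled", "true").strip().lower() != "false"
    jars = []
    for root, _dirs, files in os.walk(cache_dir):
        for name in files:
            with open(os.path.join(root, name), "rb") as fh:
                if fh.read(4) == ZIP_MAGIC:
                    jars.append(os.path.join(root, name))
    return {"keep_temp_files": keep, "cached_jars": len(jars), "ok": not keep and not jars}


IEXPLORE = r"C:\Program Files\Internet Explorer\iexplore.exe"   # constructed path


def demo():
    """Constructed before/after snapshots of a host like the one in the thread."""
    before = SnapshotRegistry({IE_INTERNET_ZONE: {"1402": 0}})         # all defaults
    after = SnapshotRegistry({
        IE_INTERNET_ZONE: {"1402": 1},
        SAFER: {"DefaultLevel": 0x40000},
        BASIC_USER_RULES + r"\{3f0c1b2e-0000-4000-8000-00000000cafe}": {"ItemData": IEXPLORE},  # made-up GUID
    })
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "cache.0f142c00-580e0c54"), "wb") as fh:
            fh.write(ZIP_MAGIC + b"\0" * 26)          # stub header, not a real applet
        cache_before = audit_java_cache("deployment.cache.enabled=true\n", d)
    with tempfile.TemporaryDirectory() as d:
        cache_after = audit_java_cache("deployment.cache.enabled=false\n", d)
    return {"before": (audit_ie_java_scripting(before), audit_srp(before, [IEXPLORE]), cache_before),
            "after": (audit_ie_java_scripting(after), audit_srp(after, [IEXPLORE]), cache_after)}


if __name__ == "__main__":
    for phase, results in demo().items():
        print(phase, *results, sep="\n  ")
```

The "before" snapshot reproduces the state the post argues against (Java scripting enabled, no SRP, cache kept and holding a jar) and each check reports ok False; "after" flips the three settings and every check passes. Note that SRP's DefaultLevel stays Unrestricted in the hardened snapshot: the point of the post is per-program Basic User rules, not locking the whole host down.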

Re: Avira scan


 
First of all, it's not my computer. The owner does not do a whole lot on
the internet except for updating his software. He is into photography
and movies of weddings and other events. He probably just lets Java
update itself when it notifies him.

This guy is Mr. Gullible. There were installation files on his desktop
for registry cleaners, tune ups, speed up your computer, and all that
kind of junk.

The administrator account is all that was ever on it. Until now, that is.
I created a user account for him which now comes up automatically.
Administrator is only an option in Safe Mode.

I've run across a few other XP computers that only had administrator
accounts. Evidently the first run when they were new did not require a
username to be entered.

--
   --- A dyslexic man walks into a bra ---

Re: Avira scan

Li'l Abner wrote:


It is until or unless you say otherwise.  So, from your first post, yep,
it was your computer.


Just where does this "user" go to do downloads that require Java?  Not
likely, so the owner *is* going somewhere else, like game sites (online
games, like crosswords or tile puzzles).


So he's downloading all sorts of junk from who knows where.  Well, if he
wants to screw around doing unsafe hex, maybe he should look into doing
backups which are partition images of his OS (and other) partitions to
restore when he decides to download and install garbageware.  If the
owner isn't doing backups, time to introduce him to backups.  Tell him
"If you don't backup then you deem your data as worthless or
reproducible."

However, the Java-cached applets that you reported here (which the owner
reported to you or you found on his host) probably didn't come from all
these unsafe installs.


If the owner is the boob, er, gullible type that you proclaim then he,
er, you should setup another admin-level account, migrate the
userprofile from Administrator to his new admin account, wipe the
Administrator profile and create a new one from scratch.  However,
you'll need a 3rd admin account (like a backup one to Administrator) to
do the userprofile migration since a profile can't be in use from where you
copy (the source) to where you copy it to (the target).


The default install of Windows is to create an Administrator account
but, as I recall, you are asked to enter your username.  That creates a
new 2nd admin-level account after which the Administrator account gets
hidden (although there are hacks to make the Administrator account appear
in the Fischer-Price bobbleheads Welcome Screen).  If no 2nd user
account (whether admin-level or limited) has yet been created, that is
why the user ends up using the Administrator account: because no other
account was made available to them and they haven't a clue on
how to make their own account.  They haven't read a Dummies book on
their OS, haven't a clue how to set it up, and rely on others to hand
hold them - so you might have to hand hold this owner in setting up image
backups, using virtual machines or something like Returnil for when they
want to play with unknown and untrusted software before committing to
it, and get them *off* the Administrator account.  Easy way to convince
them is to say user profiles *do* get corrupted eventually (how long is
variable) and without the availability of the Administrator account to
make repairs that such repairs would incur more hours that you charge
them than having to flatten and rebuild their host (i.e., do a fresh
install of the OS and have them start all over).

Since the owner is gullible and installing unknown and untrusted
software on their production host, you fixing anything now will not undo
the source of the infestation: the owner.  They'll screw it up again and
maybe much worse next time.

Re: Avira scan



Nice post Loony Horsehit. No really, it was.

--
p-0^0-h the cat
Internet Terrorist, Mass Sock puppeteer, Agent provocateur, Gutter rat
Devil incarnate, Linux user#666, BaStarD hacker

Re: Avira scan


Six files, containing a total of 15 scanned objects.
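The arithmetic in the two short replies above (six .jar/ZIP containers, fifteen detected .class members, six quarantine moves, so 15 - 6 = 9 is not a count of anything that went missing) can be checked mechanically against the report format in the first post. The following is an added example written for this thread, not Avira's code: it parses the report, records each [DETECTION] against the archive member it names, and reconciles those against the [NOTE] lines that move container files to quarantine. The sample report is constructed from two of the six cache entries in the posted log (paths, member names and signature names as posted), wrapped at 72 columns the way the newsgroup wraps long lines, so the unwrap step is exercised; a report pasted in unwrapped parses the same way.

```python
"""Reconcile an Avira report: every detected object (each .class inside a
.jar/ZIP) is counted once under "Viruses and/or unwanted programs were found",
but disinfection moves the container file, so "moved to quarantine" counts
containers.  Example code written for this thread, not Avira's."""
import re

DETECTION_RE = re.compile(r"\[DETECTION\]\s+Contains recognition pattern of the (\S+)")
QUARANTINE_RE = re.compile(r"name '([0-9a-f]+\.qua)'")
CONTAINER_RE = re.compile(r"^[A-Za-z]:\\")    # report line naming a scanned file

def unwrap(text):
    # Re-join lines a 72-column newsgroup post split: a path continuation starts
    # with a backslash; 'exploit' and "name '...'" were pushed onto their own lines.
    out = []
    for line in text.splitlines():
        if out and line.startswith("\\"):
            out[-1] += line
        elif out and (line.strip() == "exploit" or line.startswith("name '")):
            out[-1] += " " + line.strip()
        else:
            out.append(line)
    return out

def parse_report(text):
    """{container: {"members": [(member, signature)], "quarantined_as": name|None}}"""
    containers, current, member = {}, None, None
    for line in unwrap(text):
        if CONTAINER_RE.match(line):
            current = line.strip()
            containers.setdefault(current, {"members": [], "quarantined_as": None})
            member = None        # a bare [DETECTION] after this names the container
            continue
        s = line.strip()
        if s.startswith("-->"):  # archive member the next [DETECTION] belongs to
            member = s[3:].strip()
            continue
        if current is None:
            continue
        m = DETECTION_RE.search(s)
        if m and member is not None:
            containers[current]["members"].append((member, m.group(1)))
            continue
        m = QUARANTINE_RE.search(s)
        if m:
            containers[current]["quarantined_as"] = m.group(1)
    return containers

def reconcile(containers):
    detected = sum(len(c["members"]) for c in containers.values())
    moved = [p for p, c in containers.items() if c["quarantined_as"]]
    covered = sum(len(containers[p]["members"]) for p in moved)
    return {"detected_objects": detected, "container_files": len(containers),
            "files_quarantined": len(moved),
            "detections_in_quarantined_files": covered,
            "detections_unaccounted": detected - covered,
            "containers_not_quarantined": [p for p in containers if p not in moved]}

# Constructed from two of the six cache entries in the thread's log, wrapped at
# 72 columns as the newsgroup wrapped them.
SAMPLE_REPORT = r"""Begin scan in 'C:' <Main Drive>
C:\Documents and Settings\Administrator\Application Data\Sun\Java
\Deployment\cache.0f142c00-580e0c54
  [0] Archive type: ZIP
  --> xmltree/alpina.class
      [DETECTION] Contains recognition pattern of the EXP/JAVA.Coniz.Gen
exploit
  --> xmltree/umbro.class
      [DETECTION] Contains recognition pattern of the EXP/CVE-2010-0840
exploit
C:\Documents and Settings\Administrator\Application Data\Sun\Java
\Deployment\cache.032f84b-535b33ca
  [0] Archive type: ZIP
  --> main.class
      [DETECTION] Contains recognition pattern of the EXP/CVE-2011-3544
exploit

Beginning disinfection:
C:\Documents and Settings\Administrator\Application Data\Sun\Java
\Deployment\cache.032f84b-535b33ca
  [DETECTION] Contains recognition pattern of the EXP/CVE-2011-3544
exploit
  [NOTE]      The file was moved to the quarantine directory under the
name '242aaa0f.qua'.
C:\Documents and Settings\Administrator\Application Data\Sun\Java
\Deployment\cache.0f142c00-580e0c54
  [DETECTION] Contains recognition pattern of the EXP/CVE-2010-0840
exploit
  [NOTE]      The file was moved to the quarantine directory under the
name '5b339bb0.qua'.
"""

def summarize(text=SAMPLE_REPORT):
    return reconcile(parse_report(text))
```

On the full report from the first post the same code gives detected_objects 15, container_files 6, files_quarantined 6 and detections_unaccounted 0, which is the "15 found, 6 moved" summary with nothing left over. The number to watch is detections_unaccounted (and the containers_not_quarantined list behind it): the job's secondary action is "ignore", so a container that triggered a detection but never got a [NOTE] line would still be sitting in the Java cache, and that is the case this check exists to catch.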
