
Wednesday, April 16th 2014, 3:11pm


  • "krazzymule" started this thread

Date of registration:
Nov 24th 2009


1

Tuesday, November 24th 2009, 2:40pm

Please help! Warning every 30 seconds!

Hi, my computer is infected with this...

C:\WINDOWS\fdfgun.bak
TR/PSW.Kates.Q.5


HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENT VERSION

(Default) REG_SZ (value not set)
CommonFilesDir REG_SZ C:\programfiles\common files
DevicePath REG_EXPAND_SZ %SystemRoot%\inf
MediaPath REG_SZ C:\WINDOWS\Media
MediaPathUnexpanded REG_EXPAND_SZ %SystemRoot\Media
ProductId REG_SZ 55274-653-7213323-23473
ProgramFilesDir REG_SZ C:\Program Files
SM_ConfigureProgramsName REG_SZ Set Program Access and Defaults
SM_GamesName REG_SZ Games
WallPaperDir REG_EXPAND_SZ %SystemRoot%\Web\Wallpaper


/\ is that what you need or did I copy the wrong bit? They looked dodgy. ?(

Any help much appreciated.
At this rate I'm just going to nuke my hard drive to get rid of it.

2

Tuesday, November 24th 2009, 2:52pm

Hi krazzymule,

Please do a scan in Safe Mode of Windows.
If that is no solution to your problem, we need more info:
which Service Pack, and much more.
Freundliche Gruesse / Best regards
Avira Operations GmbH & Co. KG

Maik Schubert
Support Services Expertise Center

There is no support for unsolicited PM requests available. Please use the board section which accords to your product.

* VirenLabor file upload
* HJT guide

  • "krazzymule" started this thread

3

Tuesday, November 24th 2009, 3:07pm

Hi Maik,

XP (32) Pro (sp2)

What else do you need to know?

It's quite annoying: Avira finds it, I quarantine it, delete it. But it comes back really fast. :cursing:

My PC is brand spanking new, only had it a couple of weeks.

4

Tuesday, November 24th 2009, 3:11pm

Hey,

Please scan your PC in Safe Mode of Windows.
AntiVir will delete this virus and it won't come back.
Freundliche Gruesse / Best regards
Avira Operations GmbH & Co. KG

Maik Schubert
Support Services Expertise Center


  • "krazzymule" started this thread

5

Tuesday, November 24th 2009, 3:49pm

Hi Maik,
I ran antiV in safe mode.

Now in normal mode and it's back.

  • "krazzymule" started this thread

6

Tuesday, November 24th 2009, 3:59pm

AV Report (Normal Mode)

Avira AntiVir Personal
Report file date: 24 November 2009 14:51

Scanning for 1391641 virus strains and unwanted programs.

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 2) [5.1.2600]
Boot mode : Normally booted
Username : SYSTEM
Computer name : MAIN

Version information:
BUILD.DAT : 9.0.0.415 21609 Bytes 11/8/2009 10:00:00
AVSCAN.EXE : 9.0.3.10 466689 Bytes 11/23/2009 22:44:49
AVSCAN.DLL : 9.0.3.0 40705 Bytes 2/27/2009 10:58:24
LUKE.DLL : 9.0.3.2 209665 Bytes 2/20/2009 11:35:49
LUKERES.DLL : 9.0.2.0 12033 Bytes 2/27/2009 10:58:52
VBASE000.VDF : 7.10.0.0 19875328 Bytes 11/6/2009 22:44:49
VBASE001.VDF : 7.10.1.0 1372672 Bytes 11/19/2009 22:44:49
VBASE002.VDF : 7.10.1.1 2048 Bytes 11/19/2009 22:44:49
VBASE003.VDF : 7.10.1.2 2048 Bytes 11/19/2009 22:44:49
VBASE004.VDF : 7.10.1.3 2048 Bytes 11/19/2009 22:44:49
VBASE005.VDF : 7.10.1.4 2048 Bytes 11/19/2009 22:44:49
VBASE006.VDF : 7.10.1.5 2048 Bytes 11/19/2009 22:44:49
VBASE007.VDF : 7.10.1.6 2048 Bytes 11/19/2009 22:44:49
VBASE008.VDF : 7.10.1.7 2048 Bytes 11/19/2009 22:44:49
VBASE009.VDF : 7.10.1.8 2048 Bytes 11/19/2009 22:44:49
VBASE010.VDF : 7.10.1.9 2048 Bytes 11/19/2009 22:44:49
VBASE011.VDF : 7.10.1.10 2048 Bytes 11/19/2009 22:44:49
VBASE012.VDF : 7.10.1.11 2048 Bytes 11/19/2009 22:44:49
VBASE013.VDF : 7.10.1.12 2048 Bytes 11/19/2009 22:44:49
VBASE014.VDF : 7.10.1.13 2048 Bytes 11/19/2009 22:44:49
VBASE015.VDF : 7.10.1.14 2048 Bytes 11/19/2009 22:44:49
VBASE016.VDF : 7.10.1.15 2048 Bytes 11/19/2009 22:44:49
VBASE017.VDF : 7.10.1.16 2048 Bytes 11/19/2009 22:44:49
VBASE018.VDF : 7.10.1.17 2048 Bytes 11/19/2009 22:44:49
VBASE019.VDF : 7.10.1.18 2048 Bytes 11/19/2009 22:44:49
VBASE020.VDF : 7.10.1.19 2048 Bytes 11/19/2009 22:44:49
VBASE021.VDF : 7.10.1.20 2048 Bytes 11/19/2009 22:44:49
VBASE022.VDF : 7.10.1.21 2048 Bytes 11/19/2009 22:44:49
VBASE023.VDF : 7.10.1.22 2048 Bytes 11/19/2009 22:44:49
VBASE024.VDF : 7.10.1.23 2048 Bytes 11/19/2009 22:44:49
VBASE025.VDF : 7.10.1.24 2048 Bytes 11/19/2009 22:44:49
VBASE026.VDF : 7.10.1.25 2048 Bytes 11/19/2009 22:44:49
VBASE027.VDF : 7.10.1.26 2048 Bytes 11/19/2009 22:44:49
VBASE028.VDF : 7.10.1.27 2048 Bytes 11/19/2009 22:44:49
VBASE029.VDF : 7.10.1.28 2048 Bytes 11/19/2009 22:44:49
VBASE030.VDF : 7.10.1.29 2048 Bytes 11/19/2009 22:44:49
VBASE031.VDF : 7.10.1.69 186880 Bytes 11/24/2009 13:33:35
Engineversion : 8.2.1.72
AEVDF.DLL : 8.1.1.2 106867 Bytes 10/20/2007 20:52:49
AESCRIPT.DLL : 8.1.2.45 586108 Bytes 11/23/2009 22:44:49
AESCN.DLL : 8.1.2.5 127346 Bytes 10/20/2007 20:51:23
AESBX.DLL : 8.1.1.1 246132 Bytes 11/23/2009 22:44:49
AERDL.DLL : 8.1.3.2 479604 Bytes 10/20/2007 20:51:22
AEPACK.DLL : 8.2.0.3 422261 Bytes 11/6/2009 14:43:12
AEOFFICE.DLL : 8.1.0.38 196987 Bytes 7/23/2009 09:59:39
AEHEUR.DLL : 8.1.0.180 2093432 Bytes 11/7/2009 20:14:38
AEHELP.DLL : 8.1.7.4 237943 Bytes 11/23/2009 22:44:49
AEGEN.DLL : 8.1.1.75 364918 Bytes 11/23/2009 22:44:49
AEEMU.DLL : 8.1.1.0 393587 Bytes 10/20/2007 20:50:29
AECORE.DLL : 8.1.8.2 184694 Bytes 11/6/2009 14:42:30
AEBB.DLL : 8.1.0.3 53618 Bytes 10/9/2008 14:32:40
AVWINLL.DLL : 9.0.0.3 18177 Bytes 12/12/2008 08:47:59
AVPREF.DLL : 9.0.3.0 44289 Bytes 10/22/2007 13:08:02
AVREP.DLL : 8.0.0.3 155905 Bytes 1/20/2009 14:34:28
AVREG.DLL : 9.0.0.0 36609 Bytes 12/5/2008 10:32:09
AVARKT.DLL : 9.0.0.3 292609 Bytes 3/24/2009 15:05:41
AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 1/30/2009 10:37:08
SQLITE3.DLL : 3.6.1.0 326401 Bytes 1/28/2009 15:03:49
SMTPLIB.DLL : 9.2.0.25 28417 Bytes 2/2/2009 08:21:33
NETNT.DLL : 9.0.0.0 11521 Bytes 12/5/2008 10:32:10
RCIMAGE.DLL : 9.0.0.25 2438913 Bytes 5/15/2009 15:39:58
RCTEXT.DLL : 9.0.73.0 86785 Bytes 11/23/2009 22:44:49

Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:,
Process scan........................: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium

Start of the scan: 24 November 2009 14:51

Starting search for hidden objects.
'29627' objects were checked, '0' hidden objects were found.

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'wuauclt.exe' - '1' Module(s) have been scanned
Scan process 'IEXPLORE.EXE' - '1' Module(s) have been scanned
Scan process 'jqs.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'soffice.bin' - '1' Module(s) have been scanned
Scan process 'soffice.exe' - '1' Module(s) have been scanned
Scan process 'TeaTimer.exe' - '1' Module(s) have been scanned
Scan process 'reader_sl.exe' - '1' Module(s) have been scanned
Scan process 'HDeck.exe' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'ati2evxx.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'ati2evxx.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
27 processes with 27 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!

Starting to scan executable files (registry).
The registry was scanned ( '42' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\pagefile.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\WINDOWS\fdfgun.bak
[DETECTION] Is the TR/PSW.Kates.Q.5 Trojan

Beginning disinfection:
C:\WINDOWS\fdfgun.bak
[DETECTION] Is the TR/PSW.Kates.Q.5 Trojan
[NOTE] The file was moved to '4b71f57f.qua'!


End of the scan: 24 November 2009 15:00
Used time: 08:08 Minute(s)

The scan has been done completely.

4052 Scanned directories
134070 Files were scanned
1 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
1 Files were moved to quarantine
0 Files were renamed
1 Files cannot be scanned
134068 Files not concerned
807 Archives were scanned
1 Warnings
2 Notes
29627 Objects were scanned with rootkit scan
0 Hidden objects were found

avon

Community member

Date of registration:
Apr 15th 2008

Version:
Avira Antivirus Suite

Operating System:
Windows 8.1 Pro 32bit & Win XP Home SP3 32bit


7

Tuesday, November 24th 2009, 5:08pm

Quoted

Hi Maik,
I ran antiV in safe mode.

Now in normal mode and it's back.

Hi krazzymule,
Question: prior to the Safe Mode scan, was System Restore disabled or not?=
http://forum.avira.com/wbb/index.php?page=Thread&threadID=32508

If yes and you have no results, my advice is to download and run the free antispyware tool Malwarebytes' Anti-Malware=
http://www.malwarebytes.org/mbam.php
http://forum.avira.com/wbb/index.php?page=Thread&threadID=86035

Please post a HijackThis log=
http://forum.avira.com/wbb/index.php?page=Thread&threadID=84737

You can also check the above-mentioned file (C:\WINDOWS\fdfgun.bak) at VirusTotal =
http://www.virustotal.com/

avon.



  • "krazzymule" started this thread

8

Tuesday, November 24th 2009, 5:41pm

I didn't disable System Restore. I will try that now.

Checked in Virus Total and got this... (no eyed deer what it means)

File fdfgun.bak received on 2009.11.24 16:34:23 (UTC)

Result: 28/41 (68.3%)


Antivirus Version Last Update Result
a-squared 4.5.0.43 2009.11.24 Trojan-PWS.Win32.Kates!IK
AhnLab-V3 5.0.0.2 2009.11.24 -
AntiVir 7.9.1.70 2009.11.24 TR/PSW.Kates.CA.1
Antiy-AVL 2.0.3.7 2009.11.24 Trojan/Win32.Kates.gen
Authentium 5.2.0.5 2009.11.23 -
Avast 4.8.1351.0 2009.11.24 Win32:Kates-B
AVG 8.5.0.425 2009.11.24 PSW.Generic7.AQRI
BitDefender 7.2 2009.11.24 -
CAT-QuickHeal 10.00 2009.11.24 TrojanPSW.Kates.q
ClamAV 0.94.1 2009.11.24 -
Comodo 3020 2009.11.24 TrojWare.Win32.PSW.Kates.Q
DrWeb 5.0.0.12182 2009.11.24 Trojan.AuxSpy.71
eSafe 7.0.17.0 2009.11.24 -
eTrust-Vet 35.1.7139 2009.11.24 Win32/Kates!generic
F-Prot 4.5.1.85 2009.11.23 -
F-Secure 9.0.15370.0 2009.11.24 -
Fortinet 4.0.14.0 2009.11.24 -
GData 19 2009.11.24 Win32:Kates-B
Ikarus T3.1.1.74.0 2009.11.24 Trojan-PWS.Win32.Kates
Jiangmin 11.0.800 2009.11.24 Trojan/PSW.Kates.ce
K7AntiVirus 7.10.903 2009.11.23 -
Kaspersky 7.0.0.125 2009.11.24 Trojan-PSW.Win32.Kates.q
McAfee 5811 2009.11.23 Generic PWS.df
McAfee+Artemis 5811 2009.11.23 Generic PWS.df
McAfee-GW-Edition 6.8.5 2009.11.24 Trojan.PSW.Kates.Q.5
Microsoft 1.5302 2009.11.24 Trojan:Win32/Daonol.gen!A
NOD32 4633 2009.11.24 Win32/Daonol.O
Norman 6.03.02 2009.11.24 W32/Zbot.NLK
nProtect 2009.1.8.0 2009.11.24 Trojan/W32.Daonol.Gen
Panda 10.0.2.2 2009.11.24 Trj/Downloader.MDW
PCTools 7.0.3.5 2009.11.24 Backdoor.Trojan
Prevx 3.0 2009.11.24 -
Rising 22.23.01.09 2009.11.24 Trojan.Clicker.Win32.Agent.fga
Sophos 4.47.0 2009.11.24 Mal/Kates-A
Sunbelt 3.2.1858.2 2009.11.24 -
Symantec 1.4.4.12 2009.11.24 Backdoor.Trojan
TheHacker 6.5.0.2.076 2009.11.23 -
TrendMicro 9.0.0.1003 2009.11.24 TSPY_KATES.SMB
VBA32 3.12.12.0 2009.11.24 Trojan-PSW.Win32.Kates.aq
ViRobot 2009.11.24.2051 2009.11.24 -
VirusBuster 5.0.21.0 2009.11.23 Trojan.Daonol.Gen.3
Additional information
File size: 28672 bytes
MD5...: 5606b75dd89e1baa777b2f0b097b64be
SHA1..: c0423507bd36da5f798c3cc357e457a3e1de9355
SHA256: fc0dacea2e61fa956fe0d9a1ee9aa86567d197148a39c8941eb3010f702e0f5f
ssdeep: 768:qApn1Zcknnjy9GhrqzwVE2Vuy3BQnKFnYdP:j1Zcknjy9GBqz+zu6QKFY

PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x6fdc
timedatestamp.....: 0x2a425e19 (Fri Jun 19 22:22:17 1992)
machinetype.......: 0x14c (I386)

( 8 sections )
name viradd virsiz rawdsiz ntrpy md5
CODE 0x1000 0x603c 0x6200 7.03 f7001b18c26e8a290afc14f6c5d36d3e
DATA 0x8000 0x68 0x200 0.93 a43fae1ac37591ae75304295bd116a8d
BSS 0x9000 0x681 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.idata 0xa000 0x172 0x200 3.14 f2b797d8464f137ad1c881365286d72d
.tls 0xb000 0x4 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.rdata 0xc000 0x18 0x200 0.20 d56d240d6621f80d9fc10837ead724ba
.reloc 0xd000 0x128 0x200 3.85 90d93806708739da96c4180b3c344514
.rsrc 0xe000 0x180 0x200 2.68 21740f1e9fec20e8df4ee5da66b6a453

( 3 imports )
> kernel32.dll: GetCurrentThreadId, ExitProcess, RtlUnwind, RaiseException, TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA, FreeLibrary, GetProcessHeap
> kernel32.dll: GetTickCount
> user32.dll: MessageBoxA

( 0 exports )

RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Win32 Executable Generic (38.4%)
Win32 Dynamic Link Library (generic) (34.1%)
Win16/32 Executable Delphi generic (9.3%)
Generic Win/DOS Executable (9.0%)
DOS Executable Generic (9.0%)
sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: ________________
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
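The PEInfo block in the VirusTotal output above is a summary of the file's headers: for each section its virtual address and sizes, the entropy of its raw bytes ("ntrpy") and an MD5 of those bytes, plus whole-file MD5/SHA1/SHA256 digests. The Python below is an added example, not part of this thread and not VirusTotal's code. It builds a small, non-executable PE image inline (constructed test data, not the fdfgun.bak sample), parses the DOS/COFF headers and section table, computes per-section Shannon entropy the way I assume VirusTotal does (over the raw bytes stored on disk), and checks a file's digests against the ones a report lists. The function names are mine. Two details it reproduces from the report: a section with raw size 0 (BSS, .tls) gets entropy 0.00 and d41d8cd98f00b204e9800998ecf8427e, which is simply the MD5 of empty input; and the sample timestamp 0x2A425E19 is the same value the report decodes to 19 June 1992, a fixed value written by Borland Delphi's linker rather than a real build time, consistent with the "Delphi generic" TrID line.

```python
import hashlib
import hmac
import math
import struct
from datetime import datetime, timezone

# Constructed values for this example only. 0x2A425E19 is the fixed timestamp
# Delphi-built binaries carry; it decodes to 1992-06-19 22:22:17 UTC.
SAMPLE_TIMESTAMP = 0x2A425E19
IMAGE_FILE_MACHINE_I386 = 0x14C


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty input (the 'ntrpy' column)."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def file_hashes(data: bytes) -> dict:
    """The three whole-file digests a VirusTotal report prints."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def hashes_match(data: bytes, expected: dict) -> bool:
    """True only if every digest listed in `expected` matches the file (constant-time compare)."""
    actual = file_hashes(data)
    return all(hmac.compare_digest(actual[k], v.lower()) for k, v in expected.items())


def pe_header_info(image: bytes) -> dict:
    """Parse the DOS and COFF headers: machine type, section count, decoded timestamp."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, coff)
    ts = datetime.fromtimestamp(timestamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
    # The section table follows the 20-byte COFF header and the optional header.
    return {"machine": machine, "sections": nsections, "timestamp": ts,
            "section_table": coff + 20 + opt_size}


def pe_sections(image: bytes) -> list:
    """Walk the section table and compute the columns of the PEInfo section table."""
    info = pe_header_info(image)
    out = []
    for i in range(info["sections"]):
        off = info["section_table"] + i * 40  # IMAGE_SECTION_HEADER is 40 bytes
        name, virsiz, viradd, rawsiz, rawptr = struct.unpack_from("<8sIIII", image, off)
        raw = image[rawptr:rawptr + rawsiz] if rawsiz else b""
        out.append({"name": name.rstrip(b"\0").decode("ascii"),
                    "viradd": viradd, "virsiz": virsiz, "rawdsiz": rawsiz,
                    "ntrpy": round(shannon_entropy(raw), 2),
                    "md5": hashlib.md5(raw).hexdigest()})
    return out


def build_sample_pe() -> bytes:
    """Build a minimal, non-executable PE image with three sections (constructed input)."""
    code = bytes(range(256)) * 2               # every byte value equally likely -> entropy 8.0
    data = b"\x00" * 0x1F0 + b"\x01" * 0x10    # almost all zeros -> entropy about 0.2
    # (name, virtual size, virtual address, raw size, raw pointer)
    table = [(b"CODE", 0x200, 0x1000, 0x200, 0x200),
             (b"DATA", 0x200, 0x2000, 0x200, 0x400),
             (b"BSS", 0x100, 0x3000, 0, 0)]     # uninitialised: no raw bytes on disk
    hdr = bytearray(0x200)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)    # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", hdr, 0x44, IMAGE_FILE_MACHINE_I386, len(table),
                     SAMPLE_TIMESTAMP, 0, 0, 0, 0x0102)  # optional header omitted (size 0)
    for i, (name, vs, va, rs, rp) in enumerate(table):
        struct.pack_into("<8sIIIIIIHHI", hdr, 0x58 + i * 40, name, vs, va, rs, rp, 0, 0, 0, 0, 0)
    return bytes(hdr) + code + data


if __name__ == "__main__":
    img = build_sample_pe()
    print(pe_header_info(img))
    for s in pe_sections(img):
        print(f"{s['name']:<8}0x{s['viradd']:x} 0x{s['virsiz']:x} 0x{s['rawdsiz']:x} "
              f"{s['ntrpy']:.2f} {s['md5']}")
    print(file_hashes(img))
```

Pass the digests from a report to `hashes_match(data, {"md5": ..., "sha256": ...})` to confirm that a quarantined copy is byte-for-byte the same sample the report describes before relying on its verdicts; a high-entropy section like CODE (near 8.0) against an almost-empty DATA section is the contrast the ntrpy column is meant to expose, since packed or encrypted payloads push a section's entropy toward the maximum.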

  • "krazzymule" started this thread

9

Tuesday, November 24th 2009, 5:42pm

Sorry, system restore was turned off.

FFreestyleRR

Community member

Date of registration:
Apr 16th 2008

Version:
Avira Free Antivirus

Operating System:
Windows 7 Ultimate SP1 x64


avon

11

Tuesday, November 24th 2009, 6:34pm

@ krazzymule,
The log from VirusTotal confirms: your file fdfgun.bak is really infected and not just another Avira FP (false positive).
Please note below the results (virus name in bold)=

Quoted

Antivirus Version Last Update Result
a-squared 4.5.0.43 2009.11.24 Trojan-PWS.Win32.Kates!IK
AhnLab-V3 5.0.0.2 2009.11.24 -
AntiVir 7.9.1.70 2009.11.24 TR/PSW.Kates.CA.1
Antiy-AVL 2.0.3.7 2009.11.24 Trojan/Win32.Kates.gen
Authentium 5.2.0.5 2009.11.23 -
Avast 4.8.1351.0 2009.11.24 Win32:Kates-B
AVG 8.5.0.425 2009.11.24 PSW.Generic7.AQRI
BitDefender 7.2 2009.11.24 -
CAT-QuickHeal 10.00 2009.11.24 TrojanPSW.Kates.q
ClamAV 0.94.1 2009.11.24 -
Comodo 3020 2009.11.24 TrojWare.Win32.PSW.Kates.Q
DrWeb 5.0.0.12182 2009.11.24 Trojan.AuxSpy.71
---


Please post a HijackThis log.

avon.