Fixed: Avira Premium Security Suite Firewall detected as Win32.Delf.qmw

pkolbus

Spybot 1.6.0 on Windows XP SP3 is detecting Avira Premium Security Suite's firewall service as Win32.Delf.qmw. I've checked the file that the ImagePath key points at. VirusTotal confirms that it is clean:

http://www.virustotal.com/analisis/40b231cc36f17583ed9d9e0de39b28fd

Spybot - Search & Destroy\Logs\Checks.090110-0325.txt follows.

Any advice?

--- Report generated: 2009-01-10 03:25 ---

Hint of the Day: Click the bar at the right of this to see more information! ()


Win32.Delf.qmw: [SBI $D186309C] Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\AntiVirFirewallService

Win32.Delf.qmw: [SBI $0B1718E3] Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\AntiVirFirewallService


--- Spybot - Search & Destroy version: 1.6.0 (build: 20080729) ---

2008-08-14 blindman.exe (1.0.0.8)
2008-01-28 SDDelFile.exe (1.0.2.4)
2008-08-14 SDFiles.exe (1.6.0.4)
2008-08-14 SDMain.exe (1.0.0.6)
2008-08-14 SDShred.exe (1.0.2.3)
2008-08-14 SDUpdate.exe (1.6.0.9)
2008-08-14 SDWinSec.exe (1.0.0.12)
2008-07-30 SpybotSD.exe (1.6.0.31)
2008-09-16 TeaTimer.exe (1.6.3.25)
2008-09-07 unins000.exe (51.49.0.0)
2008-08-14 Update.exe (1.6.0.7)
2008-10-22 advcheck.dll (1.6.2.13)
2007-04-02 aports.dll (2.1.0.0)
2008-06-14 DelZip179.dll (1.79.11.1)
2008-09-15 SDHelper.dll (1.6.2.14)
2008-06-19 sqlite3.dll
2008-10-22 Tools.dll (2.1.6.8)
2008-11-04 Includes\Adware.sbi (*)
2008-12-29 Includes\AdwareC.sbi (*)
2008-06-03 Includes\Cookies.sbi (*)
2009-01-06 Includes\Dialer.sbi (*)
2009-01-06 Includes\DialerC.sbi (*)
2008-07-23 Includes\HeavyDuty.sbi (*)
2008-11-18 Includes\Hijackers.sbi (*)
2009-01-05 Includes\HijackersC.sbi (*)
2008-12-09 Includes\Keyloggers.sbi (*)
2008-12-22 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2008-11-18 Includes\Malware.sbi (*)
2009-01-06 Includes\MalwareC.sbi (*)
2008-12-16 Includes\PUPS.sbi (*)
2009-01-06 Includes\PUPSC.sbi (*)
2007-11-07 Includes\Revision.sbi (*)
2008-06-18 Includes\Security.sbi (*)
2008-12-29 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2008-12-10 Includes\Spyware.sbi (*)
2009-01-06 Includes\SpywareC.sbi (*)
2008-06-03 Includes\Tracks.uti
2009-01-05 Includes\Trojans.sbi (*)
2009-01-06 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll
 
Thank you for reporting this false positive.
It will be fixed with the upcoming detection update this week.

It looks like the trojan horse Win32.Delf.qmw is misusing the service name of the Antivir firewall.
 
I also have the same problem.

Phew... I'm really glad the problem has already been detected here. Otherwise that would have given me a sleepless night.
Some days ago, it detected nothing. After I updated today and started a scan, it reported:

Tipp des Tages: Klicken Sie auf den Balken rechts, um mehr Informationen zu sehen! ()


Win32.Delf.qmw: [SBI $D186309C] Einstellungen (Registrierungsdatenbank-Schlüssel, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\AntiVirFirewallService

Win32.Delf.qmw: [SBI $8BE70FFC] Einstellungen (Registrierungsdatenbank-Schlüssel, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\AntiVirFirewallService


--- Spybot - Search & Destroy version: 1.6.0 (build: 20080729) ---

2008-07-30 blindman.exe (1.0.0.8)
2008-01-28 SDDelFile.exe (1.0.2.4)
2008-07-30 SDFiles.exe (1.6.0.4)
2008-07-30 SDMain.exe (1.0.0.6)
2008-07-30 SDShred.exe (1.0.2.3)
2008-07-30 SDUpdate.exe (1.6.0.9)
2008-07-30 SDWinSec.exe (1.0.0.12)
2008-07-30 SpybotSD.exe (1.6.0.31)
2008-09-16 TeaTimer.exe (1.6.3.25)
2008-08-11 unins000.exe (51.49.0.0)
2008-07-30 Update.exe (1.6.0.7)
2008-10-22 advcheck.dll (1.6.2.13)
2007-04-02 aports.dll (2.1.0.0)
2008-06-14 DelZip179.dll (1.79.11.1)
2008-09-15 SDHelper.dll (1.6.2.14)
2008-06-19 sqlite3.dll
2008-10-22 Tools.dll (2.1.6.8)
2008-11-04 Includes\Adware.sbi (*)
2008-12-29 Includes\AdwareC.sbi (*)
2008-06-03 Includes\Cookies.sbi (*)
2009-01-06 Includes\Dialer.sbi (*)
2009-01-06 Includes\DialerC.sbi (*)
2008-07-23 Includes\HeavyDuty.sbi (*)
2008-11-18 Includes\Hijackers.sbi (*)
2009-01-05 Includes\HijackersC.sbi (*)
2008-12-09 Includes\Keyloggers.sbi (*)
2008-12-22 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2008-11-18 Includes\Malware.sbi (*)
2009-01-06 Includes\MalwareC.sbi (*)
2008-12-16 Includes\PUPS.sbi (*)
2009-01-06 Includes\PUPSC.sbi (*)
2007-11-07 Includes\Revision.sbi (*)
2008-06-18 Includes\Security.sbi (*)
2008-12-29 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2008-12-10 Includes\Spyware.sbi (*)
2009-01-06 Includes\SpywareC.sbi (*)
2008-06-03 Includes\Tracks.uti
2009-01-05 Includes\Trojans.sbi (*)
2009-01-06 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll

I'm just wondering why the results differ concerning the second hit:

ControlSet002 <-> ControlSet003

Does anybody know any reason for this?

Also the series of numbers at:
2008-07-30 blindman.exe (1.0.0.8) differs
 
I'm just wondering why the results differ concerning the second hit:

ControlSet002 <-> ControlSet003

Does anybody know any reason for this?

The ControlSet keys are driver/service/etc. configurations - one is the current, another may be the "last known good", etc. The numbers will vary from system to system; CurrentControlSet is just an alias for the current configuration.

Read more here: http://support.microsoft.com/kb/100010
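
An added example, not part of any post in this thread: a PowerShell check that shows which numbered ControlSet holds which role on a given machine and what the flagged service key points at in each one, so a hit on ControlSet002 on one system can be compared with a hit on ControlSet003 on another. It assumes PowerShell 3 or later and read access to HKLM; the service name is the one from the Spybot logs above.

```powershell
# Added example: map each ControlSetNNN to its role and inspect the flagged
# service key in every set. Read-only; nothing is modified.
$serviceName = 'AntiVirFirewallService'   # service name from the Spybot log

# HKLM\SYSTEM\Select records which numbered set plays which role.
$select = Get-ItemProperty -Path 'HKLM:\SYSTEM\Select'
$roles = @{}
foreach ($role in 'Current', 'Default', 'Failed', 'LastKnownGood') {
    $n = [int]$select.$role
    if ($n -eq 0) { continue }            # 0 means no set holds this role
    $name = 'ControlSet{0:D3}' -f $n
    if ($roles.ContainsKey($name)) { $roles[$name] += ", $role" }
    else { $roles[$name] = $role }
}

Get-ChildItem -Path 'HKLM:\SYSTEM' |
    Where-Object { $_.PSChildName -match '^ControlSet\d{3}$' } |
    ForEach-Object {
        $set = $_.PSChildName
        $key = "HKLM:\SYSTEM\$set\Services\$serviceName"
        $imagePath = $null; $sigStatus = $null; $signer = $null

        if (Test-Path -Path $key) {
            $imagePath = (Get-ItemProperty -Path $key).ImagePath
            # ImagePath may be quoted and may carry arguments; keep the executable only.
            if ($imagePath -match '^\s*"([^"]+)"' -or $imagePath -match '^\s*(.+?\.exe)') {
                $exe = [Environment]::ExpandEnvironmentVariables($Matches[1])
                if (Test-Path -LiteralPath $exe) {
                    # A valid vendor signature on the binary supports a false-positive report.
                    $sig = Get-AuthenticodeSignature -FilePath $exe
                    $sigStatus = $sig.Status
                    if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
                }
            }
        }

        [pscustomobject]@{
            ControlSet = $set
            Role       = $roles[$set]     # empty when the set has no current role
            KeyPresent = [bool](Test-Path -Path $key)
            ImagePath  = $imagePath
            Signature  = $sigStatus
            Signer     = $signer
        }
    } | Format-List
```

If the ImagePath or signer differs between control sets, the set that disagrees with the vendor's install location is the one to investigate.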
 