
Thread: Avira Premium Security Suite Firewall detected as Win32.Delf.qmw

  1. #1
    Junior Member
    Join Date
    Jan 2009
    Posts
    3

    Avira Premium Security Suite Firewall detected as Win32.Delf.qmw

    Spybot 1.6.0 on Windows XP SP3 is detecting Avira Premium Security Suite's firewall service as Win32.Delf.qmw. I've checked the file that the ImagePath key points at. VirusTotal confirms that it is clean:

    http://www.virustotal.com/analisis/4...9d9e0de39b28fd

    Spybot - Search & Destroy\Logs\Checks.090110-0325.txt follows.

    Any advice?

    --- Report generated: 2009-01-10 03:25 ---

    Hint of the Day: Click the bar at the right of this to see more information! ()


    Win32.Delf.qmw: [SBI $D186309C] Settings (Registry key, nothing done)
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\AntiVirFirewallService

    Win32.Delf.qmw: [SBI $0B1718E3] Settings (Registry key, nothing done)
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\AntiVirFirewallService


    --- Spybot - Search & Destroy version: 1.6.0 (build: 20080729) ---

    2008-08-14 blindman.exe (1.0.0.8)
    2008-01-28 SDDelFile.exe (1.0.2.4)
    2008-08-14 SDFiles.exe (1.6.0.4)
    2008-08-14 SDMain.exe (1.0.0.6)
    2008-08-14 SDShred.exe (1.0.2.3)
    2008-08-14 SDUpdate.exe (1.6.0.9)
    2008-08-14 SDWinSec.exe (1.0.0.12)
    2008-07-30 SpybotSD.exe (1.6.0.31)
    2008-09-16 TeaTimer.exe (1.6.3.25)
    2008-09-07 unins000.exe (51.49.0.0)
    2008-08-14 Update.exe (1.6.0.7)
    2008-10-22 advcheck.dll (1.6.2.13)
    2007-04-02 aports.dll (2.1.0.0)
    2008-06-14 DelZip179.dll (1.79.11.1)
    2008-09-15 SDHelper.dll (1.6.2.14)
    2008-06-19 sqlite3.dll
    2008-10-22 Tools.dll (2.1.6.8)
    2008-11-04 Includes\Adware.sbi (*)
    2008-12-29 Includes\AdwareC.sbi (*)
    2008-06-03 Includes\Cookies.sbi (*)
    2009-01-06 Includes\Dialer.sbi (*)
    2009-01-06 Includes\DialerC.sbi (*)
    2008-07-23 Includes\HeavyDuty.sbi (*)
    2008-11-18 Includes\Hijackers.sbi (*)
    2009-01-05 Includes\HijackersC.sbi (*)
    2008-12-09 Includes\Keyloggers.sbi (*)
    2008-12-22 Includes\KeyloggersC.sbi (*)
    2004-11-29 Includes\LSP.sbi (*)
    2008-11-18 Includes\Malware.sbi (*)
    2009-01-06 Includes\MalwareC.sbi (*)
    2008-12-16 Includes\PUPS.sbi (*)
    2009-01-06 Includes\PUPSC.sbi (*)
    2007-11-07 Includes\Revision.sbi (*)
    2008-06-18 Includes\Security.sbi (*)
    2008-12-29 Includes\SecurityC.sbi (*)
    2008-06-03 Includes\Spybots.sbi (*)
    2008-06-03 Includes\SpybotsC.sbi (*)
    2008-12-10 Includes\Spyware.sbi (*)
    2009-01-06 Includes\SpywareC.sbi (*)
    2008-06-03 Includes\Tracks.uti
    2009-01-05 Includes\Trojans.sbi (*)
    2009-01-06 Includes\TrojansC.sbi (*)
    2008-03-04 Plugins\Chai.dll
    2008-03-05 Plugins\Fennel.dll
    2008-02-26 Plugins\Mate.dll
    2007-12-24 Plugins\TCPIPAddress.dll
    Last edited by pkolbus; 2009-01-10 at 17:09. Reason: link to VirusTotal scan

  2. #2
    Junior Member
    Join Date
    Jan 2009
    Posts
    1


    I have the same problem.
    See attachment.

  3. #3
    Senior Member Yodama's Avatar
    Join Date
    Oct 2005
    Location
    Buchenheim
    Posts
    1,110


    Thank you for reporting this false positive.
    It will be fixed with the upcoming detection update this week.

    It looks like the trojan horse Win32.Delf.qmw is misusing the service name of the Antivir firewall.

  4. #4
    Junior Member
    Join Date
    Jan 2009
    Posts
    2


    I also have the same problem.

    Phew... I'm really glad the problem has already been detected here. Otherwise that would have given me a sleepless night.
    Some days ago, it detected nothing. After I updated today and started a scan, it reported:

    Tipp des Tages: Klicken Sie auf den Balken rechts, um mehr Informationen zu sehen! ()


    Win32.Delf.qmw: [SBI $D186309C] Einstellungen (Registrierungsdatenbank-Schlüssel, nothing done)
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\AntiVirFirewallService

    Win32.Delf.qmw: [SBI $8BE70FFC] Einstellungen (Registrierungsdatenbank-Schlüssel, nothing done)
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\AntiVirFirewallService


    --- Spybot - Search & Destroy version: 1.6.0 (build: 20080729) ---

    2008-07-30 blindman.exe (1.0.0.8)
    2008-01-28 SDDelFile.exe (1.0.2.4)
    2008-07-30 SDFiles.exe (1.6.0.4)
    2008-07-30 SDMain.exe (1.0.0.6)
    2008-07-30 SDShred.exe (1.0.2.3)
    2008-07-30 SDUpdate.exe (1.6.0.9)
    2008-07-30 SDWinSec.exe (1.0.0.12)
    2008-07-30 SpybotSD.exe (1.6.0.31)
    2008-09-16 TeaTimer.exe (1.6.3.25)
    2008-08-11 unins000.exe (51.49.0.0)
    2008-07-30 Update.exe (1.6.0.7)
    2008-10-22 advcheck.dll (1.6.2.13)
    2007-04-02 aports.dll (2.1.0.0)
    2008-06-14 DelZip179.dll (1.79.11.1)
    2008-09-15 SDHelper.dll (1.6.2.14)
    2008-06-19 sqlite3.dll
    2008-10-22 Tools.dll (2.1.6.8)
    2008-11-04 Includes\Adware.sbi (*)
    2008-12-29 Includes\AdwareC.sbi (*)
    2008-06-03 Includes\Cookies.sbi (*)
    2009-01-06 Includes\Dialer.sbi (*)
    2009-01-06 Includes\DialerC.sbi (*)
    2008-07-23 Includes\HeavyDuty.sbi (*)
    2008-11-18 Includes\Hijackers.sbi (*)
    2009-01-05 Includes\HijackersC.sbi (*)
    2008-12-09 Includes\Keyloggers.sbi (*)
    2008-12-22 Includes\KeyloggersC.sbi (*)
    2004-11-29 Includes\LSP.sbi (*)
    2008-11-18 Includes\Malware.sbi (*)
    2009-01-06 Includes\MalwareC.sbi (*)
    2008-12-16 Includes\PUPS.sbi (*)
    2009-01-06 Includes\PUPSC.sbi (*)
    2007-11-07 Includes\Revision.sbi (*)
    2008-06-18 Includes\Security.sbi (*)
    2008-12-29 Includes\SecurityC.sbi (*)
    2008-06-03 Includes\Spybots.sbi (*)
    2008-06-03 Includes\SpybotsC.sbi (*)
    2008-12-10 Includes\Spyware.sbi (*)
    2009-01-06 Includes\SpywareC.sbi (*)
    2008-06-03 Includes\Tracks.uti
    2009-01-05 Includes\Trojans.sbi (*)
    2009-01-06 Includes\TrojansC.sbi (*)
    2008-03-04 Plugins\Chai.dll
    2008-03-05 Plugins\Fennel.dll
    2008-02-26 Plugins\Mate.dll
    2007-12-24 Plugins\TCPIPAddress.dll
    I'm just wondering why the results differ concerning the second hit:

    ControlSet002 <-> ControlSet003

    Does anybody know any reason for this?

    Also the series of numbers at:
    2008-07-30 blindman.exe (1.0.0.8) differs
    Last edited by Nammoth; 2009-01-13 at 00:09.

  5. #5
    Junior Member
    Join Date
    Jan 2009
    Posts
    3


    Originally posted by Nammoth:
    I'm just wondering why the results differ concerning the second hit:

    ControlSet002 <-> ControlSet003

    Does anybody know any reason for this?

    The ControlSet keys are driver/service/etc. configurations - one is the current, another may be the "last known good", etc. The numbers will vary from system to system; CurrentControlSet is just an alias for the current configuration.

    Read more here: http://support.microsoft.com/kb/100010
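
Added example, not part of the original posts: the role of each numbered ControlSet is recorded under HKLM\SYSTEM\Select, so this PowerShell snippet maps every ControlSetNNN to its role and shows the ImagePath of the flagged service in each one. It assumes PowerShell 3 or later and uses the service name from the logs in this thread.

```powershell
# Added example: which ControlSetNNN is current / last known good,
# and what ImagePath does the flagged service have in each of them?
$ServiceName = 'AntiVirFirewallService'   # service key name taken from the Spybot log

# HKLM\SYSTEM\Select holds one DWORD per role; the value is the set number.
$select = Get-ItemProperty -Path 'HKLM:\SYSTEM\Select'
$roles  = @{}
foreach ($role in 'Current', 'Default', 'Failed', 'LastKnownGood') {
    $number = $select.$role
    if ($null -eq $number -or $number -eq 0) { continue }   # 0 = no set has this role
    $setName = 'ControlSet{0:D3}' -f $number
    if (-not $roles.ContainsKey($setName)) { $roles[$setName] = @() }
    $roles[$setName] += $role
}

# Walk every numbered control set that exists on this machine.
Get-ChildItem -Path 'HKLM:\SYSTEM' |
    Where-Object { $_.PSChildName -match '^ControlSet\d{3}$' } |
    ForEach-Object {
        $setName = $_.PSChildName
        $svcKey  = "HKLM:\SYSTEM\$setName\Services\$ServiceName"

        $imagePath = $null
        if (Test-Path -Path $svcKey) {
            $props = Get-ItemProperty -Path $svcKey -Name ImagePath -ErrorAction SilentlyContinue
            if ($props) { $imagePath = $props.ImagePath }
        }

        [pscustomobject]@{
            ControlSet = $setName
            Role       = if ($roles.ContainsKey($setName)) { $roles[$setName] -join ', ' } else { '(no role assigned)' }
            ImagePath  = if ($imagePath) { $imagePath } else { '(service key or ImagePath absent)' }
        }
    } |
    Format-Table -AutoSize -Wrap
```

The ImagePath should be the same in every set and point at the expected vendor binary; a set in which it differs is the one to inspect first.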

  6. #6
    Junior Member
    Join Date
    Jan 2009
    Posts
    2


    Alright. Thank you for the explanation!

  7. #7
    Junior Member
    Join Date
    Jan 2009
    Posts
    3


    Confirmed fixed with the latest updates. Thanks!
