Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: kandyk on January 10, 2006, 12:08:36 AM

Title: What is this?
Post by: kandyk on January 10, 2006, 12:08:36 AM
There are some files that the spyware program I have has identified as keyloggers.  These files were installed when I downloaded avast home edition (I guess).  Can anyone help?
Title: Re: What is this?
Post by: chocholo on January 10, 2006, 12:27:45 AM
I am certainly sure that the original avast! installation package doesn't contain any malware.

There are three possibilities:
- your anti-spyware is detecting a false positive
- your installation package was not downloaded from our download server
- the found keyloggers are not connected with the download of avast! in any way

Please can you post the names of the detected files?
Title: Re: What is this?
Post by: DavidR on January 10, 2006, 01:39:20 AM
Also what was the name of the spyware program?
Title: Re: What is this?
Post by: CharleyO on January 12, 2006, 08:52:09 PM
***

Welcome to the forums, kandyk!    :)

You should come back and let us know more so that someone can help with your problem ... or let us know how you solved your problem if you have.    :)


***
Title: Re: What is this?
Post by: kandyk on February 13, 2006, 12:16:00 PM
The name of the program is Trend Micro Anti Spyware, and....although I did not delete the files that were tagged as keyloggers, they are no longer appearing after I scan.  I can't remember the names, I only know that the spy sleuth option of the program told me these files had been installed when I downloaded Avast.  A friend of mine suggested I download HijackThis.  The results of this scan make no sense to me, and I was hoping one of you could help!  I would really appreciate it.


Logfile of HijackThis v1.99.1
Scan saved at 4:12:51 AM, on 2/13/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\LTMSG.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Trend Micro\Tmas\Tmas.exe
C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
C:\Program Files\interMute\SpamSubtract\SpamSub.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\amy\Local Settings\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us10.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us10.hpwis.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Need2Find Bar BHO - {4D1C4E81-A32A-416b-BCDB-33B3EF3617D3} - C:\Program Files\Need2Find\bar\1.bin\ND2FNBAR.DLL (file missing)
O2 - BHO: RXResultTracker Class - {59879FA4-4790-461c-A1CC-4EC4DE4CA483} - C:\Program Files\RXToolBar\sfcont.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [SemanticInsight] C:\Program Files\RXToolBar\Semantic Insight\SemanticInsight.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSub.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O8 - Extra context menu item: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{7105863D-E8CE-40B3-99E8-D05E7608E6A9}: NameServer = 66.232.72.6 66.232.80.6
O18 - Filter: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - C:\Program Files\RXToolBar\sfcont.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

Thanks
Title: Re: What is this?
Post by: TedNelly on February 13, 2006, 12:56:01 PM
Hi kandyk, welcome.
The first and obvious problem is this: Windows XP SP1 (WinNT 5.01.2600).
You should keep your operating system up to date. XP is now SP2 plus many updates after SP2. You would need to do this asap.
Title: Re: What is this?
Post by: DavidR on February 13, 2006, 03:41:59 PM
After the Windows update, it is important to have a firewall. XP SP2 has one, but that only provides inbound protection, so a full firewall is advisable.

Next, your Java is out of date, and it too has been updated to correct vulnerabilities.
Ensure you have the latest version of the JRE, because older versions can be vulnerable to malware. First remove all older versions from Add/Remove Programs.
Then get the latest update from here http://www.java.com/en/download/index.jsp


For an on-line analysis of your log check this http://hijackthis.de/logfiles/8911644ef3f528b6ad7ee1204e20da30.html.
I suggest you start by checking all the nasty, possibly nasty and unknown entries. You can use the paperclip icon to upload suspect files to be scanned, or use Google to search for info on the file names.
Title: Re: What is this?
Post by: CharleyO on February 13, 2006, 04:11:32 PM
***

Welcome back, kandy.    :)

I am surely not an expert on HJT logs, so please follow David's advice above to analyze your HJT log. The below is for information only.    :)

The following are HJT entries that are adware/spyware and are most likely what you were originally warned about by that anti-spyware program.    :(

O2 - BHO: Need2Find Bar BHO - {4D1C4E81-A32A-416b-BCDB-33B3EF3617D3} - C:\Program Files\Need2Find\bar\1.bin\ND2FNBAR.DLL (file missing)
O2 - BHO: RXResultTracker Class - {59879FA4-4790-461c-A1CC-4EC4DE4CA483} - C:\Program Files\RXToolBar\sfcont.dll (file missing)

O4 - HKLM\..\Run: [SemanticInsight] C:\Program Files\RXToolBar\Semantic Insight\SemanticInsight.exe

O8 - Extra context menu item: &Search - http://kl(dot)bar(dot)need2find(dot)com/KL/menusearch(dot)html?p=KL
The above (dot) is my insert for "." so as to deactivate the link.


***
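As an added illustration (not code from anyone in this thread), here is a small Python triage that parses HJT entry lines of the kind quoted above and flags the Need2Find/RXToolBar entries CharleyO pointed at, plus registered browser components whose file is missing. The sample log is a constructed excerpt of the log posted earlier; the adware markers are only the names identified in this thread, not a general blocklist.

```python
import re

# Adware component names identified in this thread's replies (assumption:
# used here as the only markers; a real triage would use a maintained list).
ADWARE_MARKERS = ("need2find", "rxtoolbar")

# HJT entry lines look like "O4 - HKLM\..\Run: [name] path"; process-list
# lines and headers have no such "<code> - " prefix and are skipped.
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d+) - (?P<body>.+)$")

# Constructed excerpt of the log posted in this thread (two benign entries included).
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Need2Find Bar BHO - {4D1C4E81-A32A-416b-BCDB-33B3EF3617D3} - C:\Program Files\Need2Find\bar\1.bin\ND2FNBAR.DLL (file missing)
O4 - HKLM\..\Run: [SemanticInsight] C:\Program Files\RXToolBar\Semantic Insight\SemanticInsight.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O8 - Extra context menu item: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL
O18 - Filter: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - C:\Program Files\RXToolBar\sfcont.dll
""".strip()


def parse_entry(line):
    """Split one HJT line into (section code, body), or None for non-entry lines."""
    m = ENTRY_RE.match(line.strip())
    return (m.group("code"), m.group("body")) if m else None


def triage(log_text):
    """Return [(code, reason, body)] for entries a reviewer should look at first."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_entry(line)
        if parsed is None:
            continue
        code, body = parsed
        lower = body.lower()
        hit = next((m for m in ADWARE_MARKERS if m in lower), None)
        if hit:
            findings.append((code, f"references adware component '{hit}'", body))
        # A BHO, toolbar or MIME filter whose DLL is gone is a stale registration
        # left behind by a removed program; O9 buttons (e.g. msjava.dll) are not flagged.
        elif code in ("O2", "O3", "O18") and "(file missing)" in lower:
            findings.append((code, "registered browser component whose file is missing", body))
    return findings


if __name__ == "__main__":
    for code, reason, body in triage(SAMPLE_LOG):
        print(f"{code}: {reason}\n    {body}")
```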
Title: Re: What is this?
Post by: kandyk on February 13, 2006, 04:42:50 PM
I am in the process of updating right now.  But the keylogger find happened prior to my boyfriend performing a complete system recovery (that's right, recovery!?!). So...  I guess that would have given me a clean slate?  Anyhow, I certainly appreciate the advice.  Thanks again
Title: Re: What is this?
Post by: TedNelly on February 14, 2006, 08:14:17 AM
Not if by system recovery you mean System Restore, as this will just reinstall all of the previous problems.
If you mean XP System Restore, you should turn off System Restore, reboot, clean your system, reboot, then turn System Restore back on. h-t-h's
Title: Re: What is this?
Post by: Spiritsongs on February 15, 2006, 05:52:47 AM
Hi Kandyk :)

TrendMicro antiSPYWARE is NOT on the list of "Trustworthy" Anti-Spyware Products by AntiSpyware Expert Eric Howes; TrendMicro should stick to antiVIRUS detection. Therefore, I recommend you download Ad-Aware SE from: www.majorgeeks.com/download506.html . I would not rely on anything TrendMicro Antispyware allegedly "detects".