Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: Jtaylor83 on May 27, 2008, 02:12:26 PM

Title: Win32:Rootkit-gen [Rtk]" has been found in "C:\Documents and Settings\Owner\Loca
Post by: Jtaylor83 on May 27, 2008, 02:12:26 PM
Hi. My avast! found "Win32:Rootkit-gen [Rtk]" in the "C:\Documents and Settings\Owner\Local Settings\Temp\Arc14.tmp\ATT_InternetSecurityWizardSetup.exe\Setup.exe\{app}\ISWComHandler.exe" file.  I tried to send it to the Virus Chest and it says it doesn't support it.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:53:55 AM, on 5/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Bellsouth\HelpCenter40b\bin\sprtcmd.exe
C:\Program Files\AT&T\Internet Security Wizard\ISW.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.att.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AT&T Toolbar - {4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E} - C:\PROGRA~1\BLSTOO~1\BLSTOO~1.DLL
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: AT&T Toolbar - {4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E} - C:\PROGRA~1\BLSTOO~1\BLSTOO~1.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [HelpCenter4.1] C:\Program Files\Bellsouth\HelpCenter40b\bin\sprtcmd.exe /P HelpCenter4.1
O4 - HKLM\..\Run: [ISW.exe] "C:\Program Files\AT&T\Internet Security Wizard\ISW.exe" /AUTORUN
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - Startup: OpenOffice.org 2.3.lnk = C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.selectronix.net
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {321FB770-1FBE-4BFE-BDC1-6F622D4FA499} - https://setup.bellsouth.net/wizlet/PWReset/static/controls/WebflowActiveXInstaller_4-2-1.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe

--
End of file - 6955 bytes

I downloaded Firefox 2.0 and tested the browser out. My computer got slower. This rootkit might've been connected with Firefox. So I uninstalled the browser, and decided to stick to IE7, my current browser.

Any suggestions?
Title: Re: Win32:Rootkit-gen [Rtk]" has been found in "C:\Documents and Settings\Owner\
Post by: FreewheelinFrank on May 27, 2008, 02:32:21 PM
Quote
C:\Documents and Settings\Owner\Local Settings\Temp\Arc14.tmp\ATT_InternetSecurityWizardSetup.exe\Setup.exe\{app}\ISWComHandler.exe

Could you temporarily disable avast, disable 'Hide protected operating system files' (http://www.xtra.co.nz/help/0,,4155-1916458,00.html) and enable 'View Hidden Files and Folders' (http://www.bleepingcomputer.com/tutorials/tutorial62.html#winxp), and upload the above files to VirusTotal (http://www.virustotal.com/) for analysis.
Title: Re: Win32:Rootkit-gen [Rtk]" has been found in "C:\Documents and Settings\Owner\Loca
Post by: Jtaylor83 on May 27, 2008, 02:52:09 PM
Here are the results:

Antivirus Version Last Update Result
AhnLab-V3 2008.5.22.1 2008.05.27 -
AntiVir 7.8.0.19 2008.05.27 -
Authentium 5.1.0.4 2008.05.26 -
Avast 4.8.1195.0 2008.05.27 Win32:Rootkit-gen
AVG 7.5.0.516 2008.05.26 -
BitDefender 7.2 2008.05.27 -
CAT-QuickHeal 9.50 2008.05.26 -
ClamAV 0.92.1 2008.05.27 -
DrWeb 4.44.0.09170 2008.05.27 -
eSafe 7.0.15.0 2008.05.26 -
eTrust-Vet 31.4.5826 2008.05.27 -
Ewido 4.0 2008.05.27 -
F-Prot 4.4.4.56 2008.05.26 -
F-Secure 6.70.13260.0 2008.05.27 -
Fortinet 3.14.0.0 2008.05.27 -
GData 2.0.7306.1023 2008.05.27 -
Ikarus T3.1.1.26.0 2008.05.27 -
Kaspersky 7.0.0.125 2008.05.27 -
McAfee 5303 2008.05.26 -
Microsoft 1.3520 2008.05.27 -
NOD32v2 3134 2008.05.27 -
Norman 5.80.02 2008.05.26 -
Panda 9.0.0.4 2008.05.27 -
Prevx1 V2 2008.05.27 -
Rising 20.46.12.00 2008.05.27 -
Sophos 4.29.0 2008.05.27 -
Sunbelt 3.0.1123.1 2008.05.17 -
Symantec 10 2008.05.27 -
TheHacker 6.2.92.320 2008.05.26 -
VBA32 3.12.6.6 2008.05.27 -
VirusBuster 4.3.26:9 2008.05.27 -
Webwasher-Gateway 6.6.2 2008.05.27 -

Should I send the file for analysis?
Title: Re: Win32:Rootkit-gen [Rtk]" has been found in "C:\Documents and Settings\Owner\Loca
Post by: AssistantX on May 27, 2008, 02:54:09 PM
This snippet from the AT&T Bellsouth forum may help you a bit:

"Are you running AT&T Internet Security or have you run it in the past?

Avast has the virus in a vault so you are no longer threatened by it. What a vault does is apply attributes to the file so it can no longer be written to or read from by your system. The files are dead in a sense, just taking up space on the hard drive.

The problem here may be that you are running 2 antivirus programs. Antivirus programs and firewalls both use rootkit technology to control and block viruses and manage programs. If you are running 2 antivirus programs, one may detect the rootkit technology of the other and mistakenly say it's a virus, since a lot of the more advanced viruses use rootkit technology to mask themselves from the system. This is one of the things a good AV program looks for.

I guess what I am trying to say here is, if you are running both Avast and AT&T's programs, Avast may be picking up the rootkit technology in AT&T's program and disabling it, leaving the AT&T program worthless.

If you ran the AT&T program in the past, Avast may just be picking up leftovers from the uninstall, and in that case, no problem."
-----
According to your post and your HijackThis log, you have it running.
"C:\Documents and Settings\Owner\Local Settings\Temp\Arc14.tmp\ATT_InternetSecurityWizardSetup.exe\Setup.exe\{app}\ISWComHandler.exe"

"C:\Program Files\AT&T\Internet Security Wizard\ISW.exe"
Title: Re: Win32:Rootkit-gen [Rtk]" has been found in "C:\Documents and Settings\Owner\
Post by: FreewheelinFrank on May 27, 2008, 03:03:26 PM
Looks like a false positive. With avast! disabled again, put the file in a password-protected ZIP archive and send to virus[at]avast.com mentioning the password and the fact that the archive contains a possible false positive.
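The "looks like a false positive" call above rests on two things visible in the VirusTotal listing: only 1 of 32 engines flagged the file, and the one name it got (Win32:Rootkit-gen) is a generic/heuristic signature rather than a named family. The script below, added here as an illustration and not code from the thread or from avast!, parses a pasted listing in that format and scores it with that rule of thumb. The detection threshold (two or fewer engines, all with generic names) and the list of "generic" markers are my own assumptions, not a VirusTotal or vendor taxonomy.

```python
"""Triage a pasted VirusTotal-style scan listing for false-positive likelihood."""
import re
from dataclasses import dataclass
from typing import List, Optional

# The scan listing as posted in the thread (engine, version, last update, result).
SCAN_LISTING = """\
AhnLab-V3 2008.5.22.1 2008.05.27 -
AntiVir 7.8.0.19 2008.05.27 -
Authentium 5.1.0.4 2008.05.26 -
Avast 4.8.1195.0 2008.05.27 Win32:Rootkit-gen
AVG 7.5.0.516 2008.05.26 -
BitDefender 7.2 2008.05.27 -
CAT-QuickHeal 9.50 2008.05.26 -
ClamAV 0.92.1 2008.05.27 -
DrWeb 4.44.0.09170 2008.05.27 -
eSafe 7.0.15.0 2008.05.26 -
eTrust-Vet 31.4.5826 2008.05.27 -
Ewido 4.0 2008.05.27 -
F-Prot 4.4.4.56 2008.05.26 -
F-Secure 6.70.13260.0 2008.05.27 -
Fortinet 3.14.0.0 2008.05.27 -
GData 2.0.7306.1023 2008.05.27 -
Ikarus T3.1.1.26.0 2008.05.27 -
Kaspersky 7.0.0.125 2008.05.27 -
McAfee 5303 2008.05.26 -
Microsoft 1.3520 2008.05.27 -
NOD32v2 3134 2008.05.27 -
Norman 5.80.02 2008.05.26 -
Panda 9.0.0.4 2008.05.27 -
Prevx1 V2 2008.05.27 -
Rising 20.46.12.00 2008.05.27 -
Sophos 4.29.0 2008.05.27 -
Sunbelt 3.0.1123.1 2008.05.17 -
Symantec 10 2008.05.27 -
TheHacker 6.2.92.320 2008.05.26 -
VBA32 3.12.6.6 2008.05.27 -
VirusBuster 4.3.26:9 2008.05.27 -
Webwasher-Gateway 6.6.2 2008.05.27 -
"""

# engine, version, YYYY.MM.DD update date, then the verdict ("-" means clean)
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d{4}\.\d{2}\.\d{2})\s+(.+)$")

# Substrings that mark a heuristic/generic signature rather than a named family.
# Assumption: a rule of thumb of mine, not any vendor's naming scheme.
GENERIC_MARKERS = ("-gen", ".gen", "generic", "heur", "suspicious", "packed")


@dataclass
class ScanResult:
    engine: str
    version: str
    updated: str
    result: Optional[str]  # None when the engine reported clean ("-")


def parse_listing(text: str) -> List[ScanResult]:
    """Turn the pasted listing into ScanResult rows, skipping blanks and the header."""
    results = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.lower().startswith("antivirus "):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable scan line: {line!r}")
        engine, version, updated, verdict = m.groups()
        verdict = verdict.strip()
        results.append(ScanResult(engine, version, updated, None if verdict == "-" else verdict))
    return results


def is_generic_name(name: str) -> bool:
    """True if the detection name looks heuristic/generic rather than a named family."""
    lowered = name.lower()
    return any(marker in lowered for marker in GENERIC_MARKERS)


def summarize(results: List[ScanResult], fp_threshold: int = 2) -> dict:
    """Count detections and apply the low-count/all-generic false-positive heuristic."""
    flagged = [(r.engine, r.result) for r in results if r.result]
    all_generic = bool(flagged) and all(is_generic_name(n) for _, n in flagged)
    if not flagged:
        verdict = "clean"
    elif len(flagged) <= fp_threshold and all_generic:
        verdict = "likely false positive"  # few engines, only heuristic names: send to vendor
    elif len(flagged) <= fp_threshold:
        verdict = "low confidence"  # few engines but a named family: look closer
    else:
        verdict = "likely malicious"
    return {"engines": len(results), "detections": len(flagged), "flagged": flagged, "verdict": verdict}


if __name__ == "__main__":
    s = summarize(parse_listing(SCAN_LISTING))
    print(f"{s['detections']}/{s['engines']} engines flagged -> {s['verdict']}")
    for engine, name in s["flagged"]:
        kind = "generic" if is_generic_name(name) else "named family"
        print(f"  {engine}: {name} ({kind})")
```

A single generic hit is a reason to submit the sample to the flagging vendor, as was done here, not proof the file is safe: a fresh or targeted sample can also score 1/32, so treat the verdict as triage, and confirm against the file's publisher and hash before trusting it.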
Title: Re: Win32:Rootkit-gen [Rtk]" has been found in "C:\Documents and Settings\Owner\Loca
Post by: Jtaylor83 on May 27, 2008, 03:14:55 PM
Do I have to include the password in the email?
Title: Re: Win32:Rootkit-gen [Rtk]" has been found in "C:\Documents and Settings\Owner\
Post by: FreewheelinFrank on May 27, 2008, 03:16:28 PM
Yes please. The only point of the password is to prevent email scanners from looking into the archive.
Title: Re: Win32:Rootkit-gen [Rtk]" has been found in "C:\Documents and Settings\Owner\
Post by: misak on May 27, 2008, 03:58:01 PM
Thanks for sending the file... False positive alert will be fixed in VPS 080528-0
Title: Re: Win32:Rootkit-gen [Rtk]" has been found in "C:\Documents and Settings\Owner\Loca
Post by: Jtaylor83 on May 27, 2008, 04:06:52 PM
Thank you. This antivirus really works. It helped me get rid of the MediaPipe Trojan "entry.dll" since I downloaded avast!. The other antivirus StopSign was a rip-off. I can't believe they advertise a piece of crap. Reported StopSign to McAfee Site Advisor as a scam.