Avast WEBforum
Other => Viruses and worms => Topic started by: painter on April 01, 2009, 05:01:58 AM
-
I tried out the avast! standalone antirootkit tool on my Vista Home Basic SP1 machine, and searching for these items on google turned up nothing. Is there anything here I should be worried about?
Thanks in advance.
avast! Antirootkit, version 0.9.6
Scan started: Tuesday, March 31, 2009 9:09:51 PM
Registry item [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{5E2E667E-E8EC-55E5-90D3-22E0B1EFACCD}] **HIDDEN**
Registry item [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{5E2E667E-E8EC-55E5-90D3-22E0B1EFACCD}] hagafcejebpekloi=(binary value) **HIDDEN**
Registry item [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{5E2E667E-E8EC-55E5-90D3-22E0B1EFACCD}] iamabhioiigihfanmp=(binary value) **HIDDEN**
Scan finished: Tuesday, March 31, 2009 9:16:53 PM
Hidden files found: 0
Hidden registry items found: 3
Hidden processes found: 0
Hidden services found: 0
Hidden boot sectors found: 0
-
I can't tell.
Could you maybe download hijackthis http://download.cnet.com/Trend-Micro-HijackThis/3000-8022_4-10227353.html and post the full log here?
-
I put the entries into hijackthis.de, and it says that they're ok. I'd still like to see a full log to be sure though.
-
Thanks for taking the time to help. :)
Here's my HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:14:02 PM, on 3/31/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal
Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\hp\support\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\itunes\iTunesHelper.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Windows\PixArt\Pac207\Monitor.exe
C:\Windows\system32\taskeng.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\tinySpell\tinyspell.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\UltimateZip\uzqkst.exe
c:\program files\common files\installshield\updateservice\isuspm.exe
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\agent.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Opera 962\opera.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: TextAloud - {F053C368-5458-45B2-9B4D-D8914BDDDBFF} - C:\PROGRA~1\TEXTAL~1\TAForIE.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe
O4 - HKLM\..\Run: [OsdMaestro] "C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe"
O4 - HKLM\..\Run: [HP Health Check Scheduler] [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [DPService] "C:\Program Files\HP\DVDPlay\DPService.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Monitor] C:\Windows\PixArt\PAC207\Monitor.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [tinySpell] C:\Program Files\tinySpell\tinyspell.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\spybot - search & destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: UltimateZip Quick Start.lnk = C:\Program Files\UltimateZip\uzqkst.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\HP Games\My HP Game Console\GameConsoleService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
--
End of file - 8239 bytes
-
We didn't detect any active process of a firewall on your system. Reasons maybe:
(1.) You are using the windows firewall or a hardware firewall.
(2.) You are using a firewall of an unknown vendor.
(3.) You are using a firewall, but for unknown reasons it is disabled
(4.) You don't use any firewall at all.
We recommend you to use a firewall. Download and install one or activate windows xp´s own one. In case you got questions or you want us to add the firewall you use to our database, contact us at our forum.
Fix this entries:
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
Unnecessary (deactivated) entry that can be fixed. Ycomp*_*_*_*.dll - Yahoo Companion!, Yahoo Companion!
Everything else looks ok...
-
Had HJT fix that entry.
I'm using windows firewall. Double-checked to make sure it's active.
Thanks for your help, I appreciate it. :)
-
I put the entries into hijackthis.de, and it says that they're ok. I'd still like to see a full log to be sure though.
I don't know if the HJT auto analyser is up to plain registry checking, given that the entries are what is generated by avast and not HJT.
I did a search in the SystemLookup site for the CLSID and nothing, and that makes me suspicious too, given the random names hagafcejebpekloi and iamabhioiigihfanmp just increases that suspicion. A google search for that CLSID only reveals one hit, this topic, so further suspicion.
So I think avast is heading in the right direction with the hidden shell extensions, though I have no idea how it would proceed or if that would be a manual removal of the {5E2E667E-E8EC-55E5-90D3-22E0B1EFACCD}] sub-keys in the shell extension approved key
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\.
I don't like messing with the registry.
So I would suggest that painter runs these tools:
If you haven't already got this software (freeware), download, install, update and run it, preferably in safe mode and report the findings (it should product a log file).
- 1. SUPERantispyware (http://www.superantispyware.com) On-Demand only in free version.
- 2. MalwareBytes Anti-Malware, On-Demand only in free version http://download.bleepingcomputer.com/malwarebytes/mbam-setup.exe (http://download.bleepingcomputer.com/malwarebytes/mbam-setup.exe), right click on the link and select Save As or Save File (As depending on your browser), save it to a location where you can find it easily later.
-
Yeah, I didn't like the odd names either, and I understood that the CLSID's were from avast, and not hijackthis, but the analyzer seemed to know what to do! I have never tried it before, but it looked like it worked.
I agree with DavidR to run those programs...
-
No, the CLSIDs are from the registry, all avast is doing is coping the registry name and values and tagging the **HIDDEN** bit on the end.
So they were created by whatever created the entries.
-
No, I know that avast was copying the registry names... I just meant they were from avast and not hijackthis. I guess I wasn't being clear enough.
I know what you meant.
-
So I would suggest that painter runs these tools:
If you haven't already got this software (freeware), download, install, update and run it, preferably in safe mode and report the findings (it should product a log file).
- 1. SUPERantispyware (http://www.superantispyware.com) On-Demand only in free version.
- 2. MalwareBytes Anti-Malware, On-Demand only in free version http://download.bleepingcomputer.com/malwarebytes/mbam-setup.exe (http://download.bleepingcomputer.com/malwarebytes/mbam-setup.exe), right click on the link and select Save As or Save File (As depending on your browser), save it to a location where you can find it easily later.
Done. Thanks for the advice. :)
By the way, is it important that all four steps (download, install, update, run) be done in safe mode? I did the first three before switching over to perform the scans. I got rid of the cookies SUPERAntiSpyware found before running the MalwareBytes' scan.
Also, I removed my user name from the logs.
Here they are:
SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Generated 04/01/2009 at 02:54 PM
Application Version : 4.26.1000
Core Rules Database Version : 3823
Trace Rules Database Version: 1779
Scan type : Complete Scan
Total Scan Time : 00:47:56
Memory items scanned : 255
Memory threats detected : 0
Registry items scanned : 6618
Registry threats detected : 0
File items scanned : 32323
File threats detected : 2
Adware.Tracking Cookie
C:\Users\(username)\AppData\Roaming\Microsoft\Windows\Cookies\(username)@kaspersky.122.2o7[1].txt
C:\Users\(username)\AppData\Roaming\Microsoft\Windows\Cookies\Low\(username)@kaspersky.122.2o7[1].txt
---
Malwarebytes' Anti-Malware 1.35
Database version: 1929
Windows 6.0.6001 Service Pack 1
4/1/2009 4:29:04 PM
mbam-log-2009-04-01 (16-29-04).txt
Scan type: Full Scan (C:\|D:\|)
Objects scanned: 288250
Time elapsed: 41 minute(s), 22 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
-
No, it isn't necessary, but some malware is on the hunt for security programs, and download doesn't have to be in safe mode as that would mean being on-line with your trousers down as avast doesn't run in safe mode, so the same I would say goes for updating too.
The install and run from safe mode is more efficient and it would then be reasonable to assume you were off to a good start when you could then run from normal mode and do a signature update.
Since there was effectively nothing found, I would say download and run SAS install from normal mode (as you can't in safe mode) update and then boot into safe mode and run.
-
Sounds like everything should be ok then. Thanks again! ;D
-
You're welcome!
-
Sounds like everything should be ok then. Thanks again! ;D
Yes, it looks that way.
A belated welcome to the forums.