Author Topic: "Win32:Rootkit-gen [Rtk]" has been found in "C:\Documents and Settings\Owner\Loca



  • Guest
Hi. My Avast! found "Win32:Rootkit-gen [Rtk]" in the file "C:\Documents and Settings\Owner\Local Settings\Temp\Arc14.tmp\ATT_InternetSecurityWizardSetup.exe\Setup.exe\{app}\ISWComHandler.exe". I tried to send it to the Virus Chest and it says that isn't supported.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:53:55 AM, on 5/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Bellsouth\HelpCenter40b\bin\sprtcmd.exe
C:\Program Files\AT&T\Internet Security Wizard\ISW.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AT&T Toolbar - {4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E} - C:\PROGRA~1\BLSTOO~1\BLSTOO~1.DLL
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: AT&T Toolbar - {4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E} - C:\PROGRA~1\BLSTOO~1\BLSTOO~1.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [HelpCenter4.1] C:\Program Files\Bellsouth\HelpCenter40b\bin\sprtcmd.exe /P HelpCenter4.1
O4 - HKLM\..\Run: [ISW.exe] "C:\Program Files\AT&T\Internet Security Wizard\ISW.exe" /AUTORUN
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - Startup: 2.3.lnk = C:\Program Files\ 2.3\program\quickstart.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {321FB770-1FBE-4BFE-BDC1-6F622D4FA499} -
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe

End of file - 6955 bytes

I downloaded Firefox 2.0 and tested the browser out. My computer got slower. This rootkit might've been connected with Firefox, so I uninstalled the browser and decided to stick to IE7, my current browser.

Any suggestions?
« Last Edit: May 27, 2008, 02:35:55 PM by Jtaylor83 »

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
C:\Documents and Settings\Owner\Local Settings\Temp\Arc14.tmp\ATT_InternetSecurityWizardSetup.exe\Setup.exe\{app}\ISWComHandler.exe

Could you temporarily disable avast, disable 'Hide protected operating system files', enable 'View Hidden Files and Folders', and upload the above file to VirusTotal for analysis?
     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog


  • Guest
Here are the results:

| Antivirus | Version | Last Update | Result |
|---|---|---|---|
| AhnLab-V3 | 2008.5.22.1 | 2008.05.27 | - |
| AntiVir |  | 2008.05.27 | - |
| Authentium |  | 2008.05.26 | - |
| Avast | 4.8.1195.0 | 2008.05.27 | Win32:Rootkit-gen |
| AVG |  | 2008.05.26 | - |
| BitDefender | 7.2 | 2008.05.27 | - |
| CAT-QuickHeal | 9.50 | 2008.05.26 | - |
| ClamAV | 0.92.1 | 2008.05.27 | - |
| DrWeb |  | 2008.05.27 | - |
| eSafe |  | 2008.05.26 | - |
| eTrust-Vet | 31.4.5826 | 2008.05.27 | - |
| Ewido | 4.0 | 2008.05.27 | - |
| F-Prot |  | 2008.05.26 | - |
| F-Secure | 6.70.13260.0 | 2008.05.27 | - |
| Fortinet |  | 2008.05.27 | - |
| GData | 2.0.7306.1023 | 2008.05.27 | - |
| Ikarus | T3. | 2008.05.27 | - |
| Kaspersky |  | 2008.05.27 | - |
| McAfee | 5303 | 2008.05.26 | - |
| Microsoft | 1.3520 | 2008.05.27 | - |
| NOD32v2 | 3134 | 2008.05.27 | - |
| Norman | 5.80.02 | 2008.05.26 | - |
| Panda |  | 2008.05.27 | - |
| Prevx1 | V2 | 2008.05.27 | - |
| Rising |  | 2008.05.27 | - |
| Sophos | 4.29.0 | 2008.05.27 | - |
| Sunbelt | 3.0.1123.1 | 2008.05.17 | - |
| Symantec | 10 | 2008.05.27 | - |
| TheHacker |  | 2008.05.26 | - |
| VBA32 |  | 2008.05.27 | - |
| VirusBuster | 4.3.26:9 | 2008.05.27 | - |
| Webwasher-Gateway | 6.6.2 | 2008.05.27 | - |

Should I send the file for analysis?
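As an added example (not from the thread or from VirusTotal), here is a small Python triage script that parses an engine listing in the flattened format pasted above, computes the detection ratio and applies a common analyst rule of thumb: one engine firing under a generic name such as Win32:Rootkit-gen, with every other engine clean, is a false-positive candidate that should go to the vendor for confirmation rather than be treated as a confirmed infection. The 10 % threshold and the list of "generic" name markers are my assumptions; neither the post nor VirusTotal defines them.

```python
import re
from collections import namedtuple
from typing import Dict, List

# The engine listing pasted in the post above, embedded verbatim as sample input.
VT_LISTING = """\
Antivirus Version Last Update Result
AhnLab-V3 2008.5.22.1 2008.05.27 -
AntiVir 2008.05.27 -
Authentium 2008.05.26 -
Avast 4.8.1195.0 2008.05.27 Win32:Rootkit-gen
AVG 2008.05.26 -
BitDefender 7.2 2008.05.27 -
CAT-QuickHeal 9.50 2008.05.26 -
ClamAV 0.92.1 2008.05.27 -
DrWeb 2008.05.27 -
eSafe 2008.05.26 -
eTrust-Vet 31.4.5826 2008.05.27 -
Ewido 4.0 2008.05.27 -
F-Prot 2008.05.26 -
F-Secure 6.70.13260.0 2008.05.27 -
Fortinet 2008.05.27 -
GData 2.0.7306.1023 2008.05.27 -
Ikarus T3. 2008.05.27 -
Kaspersky 2008.05.27 -
McAfee 5303 2008.05.26 -
Microsoft 1.3520 2008.05.27 -
NOD32v2 3134 2008.05.27 -
Norman 5.80.02 2008.05.26 -
Panda 2008.05.27 -
Prevx1 V2 2008.05.27 -
Rising 2008.05.27 -
Sophos 4.29.0 2008.05.27 -
Sunbelt 3.0.1123.1 2008.05.17 -
Symantec 10 2008.05.27 -
TheHacker 2008.05.26 -
VBA32 2008.05.27 -
VirusBuster 4.3.26:9 2008.05.27 -
Webwasher-Gateway 6.6.2 2008.05.27 -
"""

Row = namedtuple("Row", "engine version updated result")
DATE_RE = re.compile(r"^\d{4}\.\d{2}\.\d{2}$")
# Assumed markers of a generic/heuristic signature rather than a specific family.
GENERIC_RE = re.compile(r"\b(gen|generic|heur\w*|suspicious)\b", re.I)


def parse_listing(text: str) -> List[Row]:
    """Parse the whitespace-separated listing; the Version column may be empty."""
    rows = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] == "Antivirus":
            continue  # blank line or the header row
        # Version is optional, so anchor on the right-most YYYY.MM.DD token.
        dates = [i for i, t in enumerate(tokens) if DATE_RE.match(t)]
        if not dates:
            raise ValueError(f"no Last Update date in: {line!r}")
        d = dates[-1]
        rows.append(Row(engine=tokens[0], version=" ".join(tokens[1:d]),
                        updated=tokens[d], result=" ".join(tokens[d + 1:]) or "-"))
    return rows


def summarize(rows: List[Row]) -> Dict:
    """Count engines, count detections and list who detected what."""
    hits = [r for r in rows if r.result != "-"]
    return {"engines": len(rows), "detections": len(hits),
            "by": [(r.engine, r.result) for r in hits]}


def assess(summary: Dict, fp_ratio: float = 0.1) -> str:
    """Triage heuristic (assumed): few engines plus only generic names
    means a false-positive candidate to submit to the vendor."""
    if summary["detections"] == 0:
        return "clean"
    ratio = summary["detections"] / summary["engines"]
    generic_only = all(GENERIC_RE.search(name) for _, name in summary["by"])
    if ratio <= fp_ratio and generic_only:
        return "possible false positive"
    return "likely malicious"


if __name__ == "__main__":
    s = summarize(parse_listing(VT_LISTING))
    print(f'{s["detections"]}/{s["engines"]} engines: {s["by"]} -> {assess(s)}')
```

Run on the listing above it reports 1/32 engines and "possible false positive", which is exactly the situation the thread ends up confirming with the vendor. The date anchor is what makes the parser tolerate rows such as `AntiVir 2008.05.27 -` that carry no version at all.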


  • Guest
This snippet from the AT&T Bellsouth forum may help you a bit:

"Are you running AT&T Internet Security or have you run it in the past?

Avast has the virus in a vault so you are no longer threatened by it. What a vault does is apply attributes to the file so they can no longer be written to or read from by your system. The files are dead in a sense, just taking up space on the hard drive.

The problem here may be that you are running 2 antivirus programs. Antivirus programs and firewalls both use rootkit technology to control and block viruses, manage programs. If you are running 2 antivirus programs ... One may detect the rootkit technology of the other and mistakenly say it's a virus, since a lot of the more advanced viruses use rootkit technology to mask themselves from the system. This is one of the things a good AV program looks for.

I guess what I am trying to say here is, if you are running both Avast and AT&T's programs, Avast may be picking up the rootkit technology in AT&T's program and disabling it, leaving the AT&T program worthless.

If you ran the AT&T program in the past, Avast may just be picking up leftovers from the uninstall, and in that case ... no problem."
According to your post and your HijackThis log, you have it running.
"C:\Documents and Settings\Owner\Local Settings\Temp\Arc14.tmp\ATT_InternetSecurityWizardSetup.exe\Setup.exe\{app}\ISWComHandler.exe"

"C:\Program Files\AT&T\Internet Security Wizard\ISW.exe"
« Last Edit: May 27, 2008, 02:57:05 PM by AssistantX »
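The reply above ties the detection path to the AT&T Internet Security Wizard entries in the HijackThis log by eye. The following Python script, added here as an example and not part of the thread or of HijackThis, does the same correlation mechanically: it parses the process list and the O-numbered entries, splits every path into product words (CamelCase included, so `ATT_InternetSecurityWizardSetup.exe` yields Internet, Security, Wizard) and reports log entries that share at least two such words with the flagged file. The embedded log is a subset of the log posted above; the stop-word list and the two-word threshold are my assumptions. A match shows the flagged file belongs to software that is installed and running, which supports the false-positive reading but does not prove it; the vendor's analysis is what settles that.

```python
import re
from typing import List, Tuple

# Constructed excerpt of the HijackThis log posted at the top of the thread
# (three processes, three O4 entries, one O23 entry).
HJT_LOG = r"""
Running processes:
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\AT&T\Internet Security Wizard\ISW.exe
C:\Program Files\Mozilla Firefox\firefox.exe

O4 - HKLM\..\Run: [ISW.exe] "C:\Program Files\AT&T\Internet Security Wizard\ISW.exe" /AUTORUN
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

# The path avast reported; the backslashes inside it mark nested archives.
DETECTION = (r"C:\Documents and Settings\Owner\Local Settings\Temp\Arc14.tmp"
             r"\ATT_InternetSecurityWizardSetup.exe\Setup.exe\{app}\ISWComHandler.exe")

PATH_RE = re.compile(r'[A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll|sys|ocx)', re.I)
# Word splitter: uppercase runs, CamelCase words and lowercase words (digits dropped).
WORD_RE = re.compile(r"[A-Z]+(?=[A-Z][a-z])|[A-Z]?[a-z]+|[A-Z]+")
# Assumed stop-words: path pieces that say nothing about which product owns a file.
GENERIC = {"c", "program", "files", "progra", "documents", "and", "settings", "owner",
           "local", "temp", "tmp", "windows", "system", "common", "exe", "dll",
           "setup", "app", "arc"}


def path_words(path: str) -> set:
    """Lower-cased product-ish words of a path, CamelCase split, stop-words removed."""
    return {w.lower() for w in WORD_RE.findall(path)
            if len(w) > 1 and w.lower() not in GENERIC}


def parse_hjt(log: str) -> List[Tuple[str, str, str]]:
    """Return (kind, line, path) for each running process and each R/F/O entry."""
    entries = []
    in_processes = False
    for raw in log.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        if not line:
            in_processes = False  # a blank line closes the process list
            continue
        if in_processes:
            entries.append(("process", line, line))
            continue
        m = re.match(r"(O\d+|R\d|F\d) - ", line)
        if m:
            p = PATH_RE.search(line)
            if p:
                entries.append((m.group(1), line, p.group(0)))
    return entries


def correlate(detection: str, entries, min_overlap: int = 2):
    """Entries whose path shares >= min_overlap product words with the detection."""
    det = path_words(detection)
    hits = []
    for kind, _line, path in entries:
        shared = det & path_words(path)
        if len(shared) >= min_overlap:
            hits.append((kind, path, sorted(shared)))
    return hits


if __name__ == "__main__":
    for kind, path, shared in correlate(DETECTION, parse_hjt(HJT_LOG)):
        print(f"{kind:8} {path}  shares {shared}")
```

On the excerpt the only hits are the ISW.exe process and its O4 autorun entry, both sharing internet, security, wizard and isw with the flagged `ISWComHandler.exe`; the avast!, ctfmon and Firefox entries share nothing. Raising `min_overlap` makes the check stricter when product names are short or generic.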

Offline FreewheelinFrank
Looks like a false positive. With avast! disabled again, put the file in a password-protected ZIP archive and send to virus[at] mentioning the password and the fact that the archive contains a possible false positive.


  • Guest
Do I have to include the password in the email?

Offline FreewheelinFrank
Yes please. The only point of the password is to prevent email scanners from looking into the archive.

Offline misak

  • Avast team
  • Sr. Member
  • *
  • Posts: 234
    • Personal page (CZE)
Thanks for sending the file... The false positive alert will be fixed in VPS 080528-0.


  • Guest
Thank you. This antivirus really works. It helped me get rid of the MediaPipe Trojan "entry.dll" since I downloaded avast!. The other antivirus StopSign was a rip-off. I can't believe they advertise a piece of crap. Reported StopSign to McAfee Site Advisor as a scam.