Author Topic: Ascentive Library Installer  (Read 14478 times)


chrut

  • Guest
Ascentive Library Installer
« on: January 31, 2009, 10:08:02 PM »
I was wondering if this "Ascentive Library Installer" contains any viruses... It seems rather suspicious, but maybe someone can shed some light on it... Btw, didn't find anything in the installer with avast free edition and free edition of SuperAntispyware!

http://www.ascentive.com/support/new/support_dll.phtml?dllname=COMDLG32.OCX

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89064
  • No support PMs thanks
Re: Ascentive Library Installer
« Reply #1 on: February 01, 2009, 12:15:42 AM »
You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner and report the findings here: post the URL in the Address bar of the VT results page.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Jtaylor83

  • Guest
Re: Ascentive Library Installer
« Reply #2 on: February 01, 2009, 12:25:30 AM »
According to WOT, this site is bad. Not to mention, their TV ads are deceptive and it's related to Finally Fast.
« Last Edit: February 01, 2009, 12:27:57 AM by Jtaylor83 »

chrut

  • Guest
Re: Ascentive Library Installer
« Reply #3 on: February 01, 2009, 01:56:38 AM »
Here's the result:

[ scan result ]
a-squared   4.0.0.93/20090201   found nothing
AhnLab-V3   5.0.0.2/20090131   found nothing
AntiVir   7.9.0.60/20090130   found [ADSPY/EShoper.BC.1]
Authentium   5.1.0.4/20090131   found nothing
Avast   4.8.1281.0/20090201   found nothing
AVG   8.0.0.229/20090131   found nothing
BitDefender   7.2/20090201   found nothing
CAT-QuickHeal   10.00/20090131   found nothing
ClamAV   0.94.1/20090201   found nothing
Comodo   955/20090131   found nothing
DrWeb   4.44.0.09170/20090201   found nothing
eSafe   7.0.17.0/20090129   found [Win32.ADSPYEShoper.b]
eTrust-Vet   31.6.6335/20090129   found nothing
F-Prot   4.4.4.56/20090131   found nothing
F-Secure   8.0.14470.0/20090201   found nothing
Fortinet   3.117.0.0/20090131   found nothing
GData   19/20090201   found nothing
Ikarus   T3.1.1.45.0/20090201   found nothing
K7AntiVirus   7.10.612/20090131   found nothing
Kaspersky   7.0.0.125/20090201   found nothing
McAfee   5512/20090131   found nothing
McAfee+Artemis   5512/20090131   found nothing
Microsoft   1.4306/20090131   found nothing
NOD32   3816/20090201   found nothing
Norman   6.00.02/20090131   found nothing
nProtect   2009.1.8.0/20090130   found nothing
Panda   9.5.1.2/20090131   found nothing
PCTools   4.4.2.0/20090131   found nothing
Prevx1   V2/20090201   found nothing
Rising   21.13.42.00/20090123   found nothing
SecureWeb-Gateway   6.7.6/20090130   found [Ad-Spyware.EShoper.BC.1]
Sophos   4.38.0/20090201   found nothing
Sunbelt   3.2.1835.2/20090116   found nothing
Symantec   10/20090201   found nothing
TheHacker   6.3.1.5.243/20090201   found nothing
TrendMicro   8.700.0.1004/20090130   found nothing
VBA32   3.12.8.12/20090201   found nothing
ViRobot   2009.1.31.1583/20090131   found nothing
VirusBuster   4.5.11.0/20090131   found nothing

EShoper.BC.1...? How can I get rid of it?

Offline DavidR

Re: Ascentive Library Installer
« Reply #4 on: February 01, 2009, 02:03:37 AM »
Whilst this is a low level of detection and all the same, it would appear that this spies on your browsing habits to gather marketing information to deliver ads that you might be more likely to respond to. Given that and the very poor WOT ranking I would have to ask how it got on your system as it seems undesirable?

chrut

  • Guest
Re: Ascentive Library Installer
« Reply #5 on: February 01, 2009, 02:06:53 AM »
Unfortunately for me, my unaware sister was "clicking around" the internet.

chrut

  • Guest
Re: Ascentive Library Installer
« Reply #6 on: February 01, 2009, 02:08:10 AM »
Is there any way to remove the spy, well except for format c:?

Offline DavidR

Re: Ascentive Library Installer
« Reply #7 on: February 01, 2009, 03:22:51 AM »
I would have thought there would have been an associated uninstaller for the "Ascentive Library Installer". That is the problem with these types of things, they are often considered opt-in as they purport to offer a service like eshopper in this case.

There is also MalwareBytes Anti-Malware, On-Demand only in free version http://download.bleepingcomputer.com/malwarebytes/mbam-setup.exe, right click on the link and select Save As or Save File As (depending on your browser), save it to a location where you can find it easily later.

This tool should show what is running and allow you to fix the registry entry responsible for running it, it would also show where the associated files are located (handy if there is no uninstaller or add remove programs entry).

Program & Tutorial - Also useful as a diagnostic tool - FileHippo Download - HiJackThis and post the contents of the HJT log file here. - HJT Information HiJackThis Tutorial.

Download and run HJT and post the contents of the log file (cut and paste or attach the log file) into this topic, you may need to split it over two or more posts depending on how large it is.

chrut

  • Guest
Re: Ascentive Library Installer
« Reply #8 on: February 01, 2009, 12:21:06 PM »
Malwarebytes didn't find anything, and here's the Hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:19:39, on 2009-02-01
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Software\Utility\Security\Antispyware\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
C:\Software\Utility\Security\Antivirus\Avast\ashDisp.exe
C:\Software\Driver\Logitech\SetPoint\x86\SetPoint32.exe
C:\Software\Application\Communication\Mozilla Firefox\firefox.exe
C:\Software\Utility\Security\Antispyware\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O4 - HKLM\..\Run: [avast!] C:\Software\Utility\Security\ANTIVI~1\Avast\ashDisp.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [CloneCDTray] "C:\Software\Utility\Optical Disc Image Software\CloneCD\CloneCDTray.exe" /s
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Software\Utility\Security\Antispyware\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Logitech SetPoint.lnk = ?
O13 - Gopher Prefix:
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Software\Utility\Security\Antispyware\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Software\Utility\Security\Antivirus\Avast\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Software\Utility\Security\Antivirus\Avast\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Software\Utility\Security\Antivirus\Avast\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Software\Utility\Security\Antivirus\Avast\ashWebSv.exe
O23 - Service: @dfsrres.dll,-101 (DFSR) - Unknown owner - C:\Windows\system32\DFSR.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files (x86)\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: nHancer Support (nHancer) - KSE - Korndörfer Software Engineering - C:\Software\Utility\Display Changer\nHancer\nHancerService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - Unknown owner - C:\Windows\system32\nvvsvc.exe (file missing)
O23 - Service: O&O Defrag - Unknown owner - C:\Windows\system32\oodag.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\SLsvc.exe,-101 (slsvc) - Unknown owner - C:\Windows\system32\SLsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 6321 bytes
« Last Edit: February 01, 2009, 12:24:26 PM by chrut »

chrut

  • Guest
Re: Ascentive Library Installer
« Reply #9 on: February 01, 2009, 12:28:21 PM »
I can't see a trace from the virus.... that's a bad sign I suppose. What do you recommend, is formatting the drive the best way to go (would hate to do it though)?

Offline DavidR

Re: Ascentive Library Installer
« Reply #10 on: February 01, 2009, 04:39:43 PM »
Something looks wrong with your log file, it appears to be missing large chunks of information, e.g. there don't seem to be many running processes.

There are however many files reported as missing, this could well be an incompatibility with Vista SP1 and HiJackThis, I don't know, but you should check the physical locations that the files are in fact there.

Other than that I don't see anything obvious.

You don't appear to have an active firewall - It should be capable of blocking unauthorised outbound Internet Connections. - What is your firewall ?

Presumably the Vista one, where the outbound checking is disabled by default - You could also enable the outbound protection of the Vista firewall, but it isn't very friendly, is rule based and you have to create the rules. - Vista Firewall Control, check out this topic for some user friendly help for the Vista Firewall, Outbound protection, http://forum.avast.com/index.php?topic=30234.0
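
Added example (not part of the thread and not any poster's code): a small triage script for the HijackThis log posted in Reply #8, which counts the running processes and entries per section and sorts the "(file missing)" lines discussed in Reply #10. It assumes the scanner is a 32-bit program on 64-bit Windows, where 32-bit access to C:\Windows\System32 is redirected to SysWOW64, so "missing" there is treated as a redirection suspect rather than proof; the names `triage`, `SAMPLE_LOG` and the two verdict labels are made up for this illustration.

```python
import re
from collections import Counter

# Excerpt copied from the HijackThis log posted in Reply #8 of this thread.
SAMPLE_LOG = r"""Running processes:
C:\Software\Utility\Security\Antivirus\Avast\ashDisp.exe
C:\Software\Utility\Security\Antispyware\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O4 - HKLM\..\Run: [avast!] C:\Software\Utility\Security\ANTIVI~1\Avast\ashDisp.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Software\Utility\Security\Antivirus\Avast\ashServ.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)
"""

ENTRY = re.compile(r"^([A-Z]\d+) - ")          # section code such as R1, O4, O23
SYSTEM32 = re.compile(r"^[A-Za-z]:\\Windows\\System32\\", re.IGNORECASE)
SUFFIX = " (file missing)"

def triage(log_text):
    """Summarise a HijackThis log and sort its '(file missing)' entries."""
    lines = [ln.rstrip() for ln in log_text.splitlines()]
    # Assumption: a "Program Files (x86)" path anywhere means 64-bit Windows.
    is_64bit = any("program files (x86)" in ln.lower() for ln in lines)
    sections, missing, processes, in_procs = Counter(), [], 0, False
    for ln in lines:
        if ln == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            in_procs = bool(ln)        # a blank line ends the process list
            processes += in_procs
            continue
        m = ENTRY.match(ln)
        if not m:
            continue
        sections[m.group(1)] += 1
        if ln.endswith(SUFFIX):
            path = ln.rsplit(" - ", 1)[-1][: -len(SUFFIX)]
            # Heuristic (assumption): System32 paths on 64-bit Windows may only
            # look missing to a 32-bit scanner; everything else needs a disk check.
            suspect = is_64bit and SYSTEM32.match(path) is not None
            missing.append((path, "redirection-suspect" if suspect else "verify-on-disk"))
    return {"is_64bit": is_64bit, "processes": processes,
            "sections": dict(sections), "missing": missing}

if __name__ == "__main__":
    for path, verdict in triage(SAMPLE_LOG)["missing"]:
        print(f"{verdict:20} {path}")
```

Either verdict is only a prompt to check the file from a 64-bit file manager or shell; a path that is really absent while its service or Run entry remains is the case worth following up.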

chrut

  • Guest
Re: Ascentive Library Installer
« Reply #11 on: February 01, 2009, 06:21:28 PM »
I just use the inbuilt Vista firewall, thought that would suffice... do you recommend the free version of comodo?

Offline DavidR

Re: Ascentive Library Installer
« Reply #12 on: February 01, 2009, 07:08:24 PM »
The built in firewall is fine, but it doesn't enable outbound protection and you need to do that, but it isn't very friendly, hence the link about the Vista Firewall Control info.

CharleyO

  • Guest
Re: Ascentive Library Installer
« Reply #13 on: February 02, 2009, 06:21:28 AM »
***

Possibly the log looks as it does because HJT is not in its own folder?

C:\Software\Utility\Security\Antispyware\HijackThis\HijackThis.exe


***

Offline DavidR

Re: Ascentive Library Installer
« Reply #14 on: February 02, 2009, 03:18:58 PM »
It shouldn't make any difference what the log contains by not having it in the default location.

How many times have you seen it on the desktop? That is when we say it should be in a folder of its own so that backups are contained within that specific folder. So that is the only requirement: it be in a folder specifically created for HJT, but it doesn't matter where. I used to have mine in a different partition.