Can anyone assist me with these three Adware Avast has in Quarantine?

Heilsa!

I am working on a friend's laptop, an HP Pavilion dv6000 running Windows Vista Home Premium. He had installed AVG AV on top of the expired Norton AV trial version that was already on it. So I uninstalled Norton with their removal tool and AVG with Revo Uninstaller, and installed Avast Home Edition, ZoneAlarm 8.0 and SUPERAntiSpyware :slight_smile: .

Now SUPER found three other things, supposedly Trojans, and someone going by the screen name SASServices saw SUPER's log and had me restore them, run another scan with SUPER, and report those three as false positives.

Well, Avast found 3 of what it is calling Adware. Are these false positives also? Can anyone help me on this? I would greatly appreciate it!

Now this machine was saying something about a complication with HP Connections, and the page on the HP site it sent me to said that there was no longer any support for the HP Connections application and that it needed to be uninstalled, with a download for that uninstall. I downloaded it and tried to run it to uninstall the HP Connections app, and it said something about not being compatible with the uninstall tool, or something like that.

But this is what Avast has in its chest, and I need to know what to do, if you will:

C:\Program Files\HP Connections\6811507\Program\Interop.SHDocVw.dll
C:\Program Files\HP Connections\6811507\Program\HPBWSetup\Interop.SHDocVw.dll
C:\Windows\HPCPCUninstall-6811507\Interop.SHDocVw.dll

Thank you! I will greatly appreciate it!

You could also check the offending/suspect file at VirusTotal - Multi engine on-line virus scanner and report the findings here (the URL in the address bar of the VT results page). You can't do this with the file securely in the chest; you need to extract it to a temporary (not the original) location first, see below.

Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect. Now exclude that folder in the Standard Shield: Customize, Advanced, Add, then type (or copy and paste) C:\Suspect\* . That will stop the Standard Shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.

Heilsa!

File Interop.SHDocVw.dll received on 05.08.2009 03:07:21 (CET)
Current status: finished
Result: 8/41 (19.51%)
Antivirus Version Last Update Result
a-squared - - -
AhnLab-V3 - - -
AntiVir - - -
Antiy-AVL - - -
Authentium - - -
Avast - - Win32:Adware-gen
AVG - - -
BitDefender - - -
CAT-QuickHeal - - -
ClamAV - - -
Comodo - - -
DrWeb - - -
eSafe - - -
eTrust-Vet - - -
F-Prot - - -
F-Secure - - -
Fortinet - - Adware/BroadCap
GData - - Win32:Adware-gen
Ikarus - - -
Jiangmin - - -
K7AntiVirus - - Trojan.Win32.Malware.1
Kaspersky - - -
McAfee - - potentially unwanted program Generic PUP
McAfee+Artemis - - potentially unwanted program Generic PUP
McAfee-GW-Edition - - -
Microsoft - - -
NOD32 - - -
Norman - - -
nProtect - - -
Panda - - Generic Malware
PCTools - - -
Prevx - - -
Rising - - -
Sophos - - -
Sunbelt - - -
Symantec - - -
TheHacker - - -
TrendMicro - - -
VBA32 - - -
ViRobot - - Adware.Broadcap.126976
VirusBuster - - -
Additional information
MD5: 3564ff72d975982b4782e16ce8f541cd
SHA1: 6b683b7ece2033829d3d29f2ebddd1c10340da0c
SHA256: 413cdc71bff0b624374e7e2b01f3905d9f2645690d28b66ee0dec4476bafcb47
SHA512: db79958ebf2993b3d10121993adaca9121706283c8fd04bb28ffd4cf6331707d5ab466291e77e125afd73a4da58c686d5cb55a806fb04a75c6ce5f8413efb8b4

This is what VirusTotal actually already had for it, as it said the file had already been scanned.

Now I need to know if it needs to be removed or not, and if it doesn't, how do we get it back into its original positions? All three of the files were the same: when I extracted them to that excluded folder Suspect I created, it said all three were the same and asked if I wanted to replace the file on each extraction.

If they do need to be removed how are we going to go about that, also? I really do appreciate this too!

Thank you again!

You can leave it for a few weeks and scan it again, so if it's still detected as a virus then yes, you can delete it. Don't worry, the virus won't do any harm in the chest.

But I don't know; I found this site and it matches your file, http://www.threatexpert.com/files/interop.shdocvw.dll.html, so I don't know who is right :slight_smile:

Mr.Agent

Firstly I never accept the results of a previous scan unless it is on the same day and this is over 7 days old, a long time in AV terms, so I would always get a fresh scan. This may provide more information, either more scanners or less scanners detecting it.

Since a lot of the detections are generic there is still room for doubt, and I would suggest you scan it again and, if you get the same results, send it to avast for further analysis.

Send the sample to virus@avast.com zipped and password protected with the password in email body, a link to this topic might help and possible false positive in the subject.

Or you can send it from the Infected Files section of the chest (select the file, right click, email to Alwil Software). It will be uploaded (not actually emailed) to avast when the next avast auto (or manual) update is done.

Periodically scan the file in the chest after VPS updates, etc. and if it is no longer detected you can restore it, so as you can see there should be no rush to delete, leave in the chest.
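The hash check and the "how many of those verdicts are generic" question from this post can be scripted. The following is an added example, not code from the thread or from Avast: it hashes the exported copies to confirm they are byte-identical and that they match the hashes VirusTotal printed (so the report is about the file you actually have), then parses a pasted VirusTotal table into clean, generic-verdict and named-verdict engines. The file bytes are constructed stand-ins (the real DLL was not available); the table rows are a subset copied from the report quoted above.

```python
"""Added example (not from the thread or from Avast): triage an exported
quarantine file by hashing the copies and summarising a VirusTotal result.
The DLL bytes below are constructed; the VT rows are from the quoted report."""
import hashlib
import re

# Hashes as printed in the VirusTotal report quoted in the thread.
REPORTED = {
    "md5": "3564ff72d975982b4782e16ce8f541cd",
    "sha1": "6b683b7ece2033829d3d29f2ebddd1c10340da0c",
    "sha256": "413cdc71bff0b624374e7e2b01f3905d9f2645690d28b66ee0dec4476bafcb47",
}

def hash_bytes(data: bytes) -> dict:
    """MD5/SHA-1/SHA-256 of a blob, lower-case hex as VirusTotal prints them."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}

def compare_copies(copies: dict) -> dict:
    """copies: {path: bytes}. Per-path hashes plus whether every copy is identical."""
    hashes = {path: hash_bytes(data) for path, data in copies.items()}
    distinct = {h["sha256"] for h in hashes.values()}
    return {"hashes": hashes, "identical": len(distinct) == 1}

def matches_report(hashes: dict, reported: dict = REPORTED) -> bool:
    """Case-insensitive: other listings print the same MD5 in upper case."""
    return all(hashes[alg].lower() == reported[alg].lower() for alg in reported)

# A pasted VT row is "<engine> <version> <last update> <result>"; in the quoted
# report version and update are "-", and a result of "-" means no detection.
ROW = re.compile(r"^(\S+)\s+-\s+-\s+(.+?)\s*$")
GENERIC_MARKERS = ("generic", "-gen", "pup", "potentially unwanted", "heur", "malware.")

def summarise_vt(table: str) -> dict:
    """Bucket engines into clean / generic-or-heuristic verdict / named family."""
    clean, generic, named = [], [], {}
    for line in table.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # header, hash lines, blanks
        engine, result = m.groups()
        if result == "-":
            clean.append(engine)
        elif any(marker in result.lower() for marker in GENERIC_MARKERS):
            generic.append(engine)
        else:
            named[engine] = result
    return {"engines": len(clean) + len(generic) + len(named),
            "detections": len(generic) + len(named),
            "generic": generic, "named": named}

# Subset of the rows from the report quoted in the thread.
VT_ROWS = """\
Antivirus Version Last Update Result
a-squared - - -
AntiVir - - -
Avast - - Win32:Adware-gen
AVG - - -
Fortinet - - Adware/BroadCap
GData - - Win32:Adware-gen
K7AntiVirus - - Trojan.Win32.Malware.1
Kaspersky - - -
McAfee - - potentially unwanted program Generic PUP
McAfee+Artemis - - potentially unwanted program Generic PUP
Microsoft - - -
NOD32 - - -
Panda - - Generic Malware
Sophos - - -
ViRobot - - Adware.Broadcap.126976
"""

# Constructed stand-in for the three exported copies; same bytes in each,
# which is why the chest asked whether to replace the file on each export.
SAMPLE = b"MZ" + b"\x00" * 62 + b"constructed stand-in, not the real DLL"
COPIES = {
    r"C:\Suspect\Interop.SHDocVw.dll": SAMPLE,
    r"C:\Suspect\HPBWSetup\Interop.SHDocVw.dll": SAMPLE,
    r"C:\Suspect\HPCPCUninstall\Interop.SHDocVw.dll": SAMPLE,
}

def triage(copies: dict, table: str) -> dict:
    result = compare_copies(copies)
    first = next(iter(result["hashes"].values()))
    return {"identical": result["identical"],
            "matches_vt_report": matches_report(first),
            "vt": summarise_vt(table)}

if __name__ == "__main__":
    import json
    print(json.dumps(triage(COPIES, VT_ROWS), indent=2))
```

Run it against the real exported copies by replacing COPIES with the bytes read from C:\Suspect and VT_ROWS with the full pasted table; `matches_vt_report` should then be True if the upload really was the same file. Of the eight verdicts in the quoted report only two name a family (Fortinet and ViRobot); the rest are "-gen", "Generic" or PUP heuristics, which is the "room for doubt" the post refers to.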

Heilsa!

I might have the machine in question this weekend as the owner took it home. I sent all three of the files to Avast but I forgot to send them as possible false positives and sent them as possible malware.

I scanned them again after updating the virus database and it claimed they were a virus again. So, do I re-send them as possible false positives when I can?

Anyone found anything out about these things?

Thank you again!


These files appear to be legitimate files belonging to MS and used by HP computers. Be sure to check the version numbers on your friend’s laptop against those listed at the link below.

Interop.SHDocVw.dll
http://www.programchecker.com/file/15563.aspx

Also see these links :

http://support.microsoft.com/kb/310674

http://www.bleepingcomputer.com/filedb/interop.shdocvw.dll-3221.html

The above is not to say that the files on your friend’s laptop are legitimate. As David has suggested above, the actual files on your friend’s laptop should be tested at VirusTotal - Multi engine on-line virus scanner as it is always possible that the files are malicious & masquerading as legitimate files.


Heilsa!

Thank you very much. Going to check the version #s on these things and if it is a match going to restore them and report them as possible false positives.

Thanks again, I didn’t find that info when searching!

Hi jammer09,

To check whether you have any traces of this adware really there, see what it normally puts on your computer:

Broadcap characteristics (source: antispyware.com):

Displays ads
Tracks browsing activity with installed applications
Inadequate uninstall procedures
Insufficient privacy disclosure and consent

Detected Items

  1. Detected Files:
  2. Detected Files with variable Filenames: MD5: 3564FF72D975982B4782E16CE8F541CD, Size: 126976
     %WINDIR%\HPCPCUninstall-6811507\Interop.SHDocVw.dll
     %PROGRAMFILES%\HP Connections\6811507\Program\Interop.SHDocVw.dll
     %PROGRAMFILES%\HP Connections\6811507\Program\HPBWSetup\Interop.SHDocVw.dll
     %PROGRAMFILES%\updates from hp\9972322\program\interop.shdocvw.dll
     %PROGRAMFILES%\Compaq Connections\5577497\Program\Interop.SHDocVw.dll
     %WINDIR%\HPCPCUninstall-3572475\Interop.SHDocVw.dll
     %PROGRAMFILES%\Compaq Connections\3572475\Program\Interop.SHDocVw.dll
     %PROGRAMFILES%\Compaq Connections\3572475\Program\HPBWSetup\Interop.SHDocVw.dll
     %SystemDiskRoot%\Windows.old\Program Files\Updates from HP\9972322\Program\Interop.SHDocVw.dll
     %DESKTOP%\PC Backup Files\C\Updates from HP\9972322\Program\Interop.SHDocVw.dll
     %SystemDiskRoot%\System Volume Information\_restore{B3A1165A-B243-4636-9AD5-9D938ACB32AD}\RP498\A0101505.dll
     and the next 29 variations.

Detecting items list:

  1. Files by MD5 MD5: 3564FF72D975982B4782E16CE8F541CD Size: 126976

Find and Remove Broadcap registry values:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, value "Breg"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, value "RVP"

Find and Remove Broadcap registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\RVP

Find and Delete Broadcap Files:

%program_files%\bpt

The following Files were created:

Name                     Version          Signature (MD5)                   File Size (bytes)
…\8abb1156.dll           2.0.0.0          e8799e61605875b01da9b8a56d3aa39f  143360
…\bpt\bptre_inst.exe                      ad28b78f6b7f4c038c32cd365957c444
…\tvs\bpcv2.plugins.dll  1.0.1941.19140   9effc88daeefc90d98d009ce7eb6746d  16384
…\76938d7f.exe                            a37ea93e41fd898bdc288ffffe72d0f0
…\76938d7f.exe                            a37ea93e41fd898bdc288ffffe72d0f0
…\bpt\bpt_c.exe                           0839ea3b8704c5ad90c1ff5dc3c09e7e
…\7d39481b.exe                            b5de636b672d9f53d5a493019697ebe3
…\6043d14d.exe                            5867758bad106e5a51ef54fdfb1586fe  317415
…\7d39481b.exe                            b5de636b672d9f53d5a493019697ebe3
…\java\bpt.cfg
…\94f1cb5d.exe                            b8f72292ff15676779e348149a062105
…\9c331919.exe                            e7666c790c186b901d1ce32b59ccf342  246324
…\java\bcre.exe                           a8307eccf24ec132edb8cbb586370922
…\48460bfa.dll                            8bb3830026cabe1bb6f9e299306e47b4
…\portfile.db

(No publisher was listed for any of these files.)

The following Registry Entries were created:

• …\Software\Microsoft\Windows\CurrentVersion\RunOnce\“bcpc_c”
• …\Software\Microsoft\Windows\CurrentVersion\Run\“xcpy1”
• …\Software\bpt
• …\Software\Microsoft\Windows\CurrentVersion\Run\“bpt”
• …\Software\Microsoft\Windows\CurrentVersion\Run\“breg”

If none of the above is found, it looks like you are not infected.

polonus
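The checklist above can be turned into a repeatable check. The following is an added example, not code from the thread or from any vendor: the indicators are the ones the post lists (the Run/RunOnce value names, the RVP and bpt registry keys, the bpt folder under Program Files). The page elides which hive the "created" entries live under, so this checks both HKLM and HKCU; that is an assumption. The registry and file-system probes are injected, so the decision logic runs anywhere and can be exercised against a constructed inventory, while `windows_probes()` wires in `winreg` and `os.path` for the real laptop.

```python
"""Added example (not from the thread): the Broadcap artefact checklist as code.
Indicators are copied from the post; checking HKCU as well as HKLM is an
assumption because the page does not say which hive the created entries use."""
import os

RUN = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUNONCE = r"SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"
HIVES = ("HKLM", "HKCU")

# Registry value names are case-insensitive, so "Breg" from the remove list
# and "breg" from the created list are the same indicator; keep lower case.
RUN_VALUES = {RUN: {"breg", "rvp", "xcpy1", "bpt"}, RUNONCE: {"bcpc_c"}}
KEYS = (r"SOFTWARE\RVP", r"SOFTWARE\bpt")
DIRS = (r"%ProgramFiles%\bpt",)

def find_traces(value_exists, key_exists, path_exists, expand=os.path.expandvars):
    """Return human-readable findings; an empty list means none of the listed
    Broadcap artefacts is present (the post's 'not infected' condition)."""
    found = []
    for hive in HIVES:
        for key, names in RUN_VALUES.items():
            for name in sorted(names):
                if value_exists(hive, key, name):
                    found.append(f"{hive}\\{key} value '{name}'")
        for key in KEYS:
            if key_exists(hive, key):
                found.append(f"{hive}\\{key}")
    for d in DIRS:
        path = expand(d)
        if path_exists(path):
            found.append(path)
    return found

def inventory_probes(values=(), keys=(), paths=()):
    """Probes backed by a constructed inventory, for dry runs and tests.
    values: (hive, key, name) triples; keys: (hive, key) pairs; paths: strings.
    Comparison is case-insensitive, matching Windows registry/path semantics."""
    vals = {(h, k.lower(), n.lower()) for h, k, n in values}
    kys = {(h, k.lower()) for h, k in keys}
    pths = {p.lower() for p in paths}
    return (lambda h, k, n: (h, k.lower(), n.lower()) in vals,
            lambda h, k: (h, k.lower()) in kys,
            lambda p: p.lower() in pths)

def windows_probes():
    """Real probes for the machine. On 64-bit Windows a 32-bit program's Run
    entries live under WOW6432Node; pass winreg.KEY_WOW64_32KEY as the access
    flag to OpenKey to inspect that view too."""
    import winreg
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}

    def key_exists(hive, key):
        try:
            winreg.CloseKey(winreg.OpenKey(hives[hive], key))
            return True
        except OSError:
            return False

    def value_exists(hive, key, name):
        try:
            with winreg.OpenKey(hives[hive], key) as k:
                winreg.QueryValueEx(k, name)
            return True
        except OSError:
            return False

    return value_exists, key_exists, os.path.exists

if __name__ == "__main__":
    probes = windows_probes() if os.name == "nt" else inventory_probes()
    traces = find_traces(*probes)
    print("\n".join(traces) if traces else "none of the listed Broadcap artefacts found")
```

On the laptop itself run it from an elevated prompt so HKLM is readable; an empty result corresponds to the post's "none of the above is found" case, while any finding names the exact value, key or folder to look at before deciding whether the quarantined DLL is part of a live install or just a leftover file.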

Heilsa!

I have just been able to find the time to post this. Those three files turned out to be false positives, and they restored them without sending them in to report them as false positives. I don't know if we can somehow do that without sending them in personally or not. But that was the latest version of the Home edition on a machine running Vista; I think it had something to do with that combination, though I don't really know.

Thanks for all that help in that area. He took it to someone else without letting me report them as false positives etc… before they went to work and restored them.