[SOLVED] Ran avast antirootkit, concerned about what it found

I tried out the avast! standalone antirootkit tool on my Vista Home Basic SP1 machine, and searching for these items on google turned up nothing. Is there anything here I should be worried about?

Thanks in advance.

avast! Antirootkit, version 0.9.6
Scan started: Tuesday, March 31, 2009 9:09:51 PM

Registry item [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{5E2E667E-E8EC-55E5-90D3-22E0B1EFACCD}] HIDDEN
Registry item [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{5E2E667E-E8EC-55E5-90D3-22E0B1EFACCD}] hagafcejebpekloi=(binary value) HIDDEN
Registry item [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{5E2E667E-E8EC-55E5-90D3-22E0B1EFACCD}] iamabhioiigihfanmp=(binary value) HIDDEN

Scan finished: Tuesday, March 31, 2009 9:16:53 PM
Hidden files found: 0
Hidden registry items found: 3
Hidden processes found: 0
Hidden services found: 0
Hidden boot sectors found: 0

I can’t tell.

Could you maybe download hijackthis http://download.cnet.com/Trend-Micro-HijackThis/3000-8022_4-10227353.html and post the full log here?

I put the entries into hijackthis.de, and it says that they’re ok. I’d still like to see a full log to be sure though.

Thanks for taking the time to help. :slight_smile:

Here’s my HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:14:02 PM, on 3/31/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\hp\support\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\itunes\iTunesHelper.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Windows\PixArt\Pac207\Monitor.exe
C:\Windows\system32\taskeng.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\tinySpell\tinyspell.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\UltimateZip\uzqkst.exe
c:\program files\common files\installshield\updateservice\isuspm.exe
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\agent.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Opera 962\opera.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: TextAloud - {F053C368-5458-45B2-9B4D-D8914BDDDBFF} - C:\PROGRA~1\TEXTAL~1\TAForIE.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe
O4 - HKLM\..\Run: [OsdMaestro] "C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe"
O4 - HKLM\..\Run: [HP Health Check Scheduler] [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [DPService] "C:\Program Files\HP\DVDPlay\DPService.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Monitor] C:\Windows\PixArt\PAC207\Monitor.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [tinySpell] C:\Program Files\tinySpell\tinyspell.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\spybot - search & destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: UltimateZip Quick Start.lnk = C:\Program Files\UltimateZip\uzqkst.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\HP Games\My HP Game Console\GameConsoleService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe


End of file - 8239 bytes

We didn’t detect any active process of a firewall on your system. Reasons maybe:
(1.) You are using the windows firewall or a hardware firewall.
(2.) You are using a firewall of an unknown vendor.
(3.) You are using a firewall, but for unknown reasons it is disabled
(4.) You don’t use any firewall at all.
We recommend you to use a firewall. Download and install one or activate windows xp's own one. In case you got questions or you want us to add the firewall you use to our database, contact us at our forum.

Fix these entries:

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
Unnecessary (deactivated) entry that can be fixed. Ycomp**_.dll - Yahoo Companion!, Yahoo Companion!

Everything else looks ok…

Had HJT fix that entry.
I’m using windows firewall. Double-checked to make sure it’s active.

Thanks for your help, I appreciate it. :slight_smile:

I don’t know if the HJT auto analyser is up to plain registry checking, given that the entries are what is generated by avast and not HJT.

I did a search in the SystemLookup site for the CLSID and found nothing, and that makes me suspicious too; the random names hagafcejebpekloi and iamabhioiigihfanmp just increase that suspicion. A google search for that CLSID only reveals one hit, this topic, so further suspicion.

So I think avast is heading in the right direction with the hidden shell extensions, though I have no idea how it would proceed or if that would be a manual removal of the {5E2E667E-E8EC-55E5-90D3-22E0B1EFACCD} sub-keys in the shell extension approved key

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved].

I don’t like messing with the registry.

So I would suggest that painter runs these tools:
If you haven’t already got this software (freeware), download, install, update and run it, preferably in safe mode and report the findings (it should produce a log file).
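For anyone triaging the same kind of avast hit, the read-only PowerShell snippet below is an added example (it is not from this thread, from avast, or from HijackThis). It walks the per-user Shell Extensions\Approved key that avast flagged and reports anything that departs from the normal layout: in a clean system that key holds string values whose names are CLSIDs and whose data is a description, and each CLSID is registered under HKCR\CLSID with an InprocServer32 DLL that exists on disk. Subkeys under Approved (the shape in the avast output above: a {CLSID} subkey holding binary values with random names), non-GUID value names, and CLSIDs with no registration or a missing DLL are all listed for manual review. The key path and the "expected layout" rules are assumptions about the standard Windows layout; nothing is modified or deleted.

```powershell
# Added example, not code from the thread, avast or HijackThis.
# Read-only review of HKCU\...\Shell Extensions\Approved. Assumes the
# standard layout: string values named by CLSID, no subkeys.
$ApprovedKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved'
$GuidPattern = '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$'

function Get-ApprovedShellExtensionReport {
    param([string]$Path = $ApprovedKey)

    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "Key not present: $Path"
        return
    }
    $item = Get-Item -LiteralPath $Path

    # 1. Values directly under Approved: normally "{CLSID} = description".
    foreach ($name in $item.GetValueNames()) {
        $kind     = $item.GetValueKind($name)
        $findings = @()
        $server   = $null

        if ($name -notmatch $GuidPattern) { $findings += 'value name is not a CLSID' }
        if ($kind -ne 'String')           { $findings += "unexpected value type $kind" }

        if ($name -match $GuidPattern) {
            # HKCR merges HKLM and HKCU class registrations, so one lookup covers both.
            $clsidPath = "Registry::HKEY_CLASSES_ROOT\CLSID\$name"
            if (Test-Path -LiteralPath $clsidPath) {
                $server = (Get-ItemProperty -LiteralPath "$clsidPath\InprocServer32" `
                               -ErrorAction SilentlyContinue).'(default)'
                if ($server) {
                    $dll = [Environment]::ExpandEnvironmentVariables($server).Trim('"')
                    if (-not (Test-Path -LiteralPath $dll)) {
                        $findings += "InprocServer32 file missing: $server"
                    }
                }
            } else {
                $findings += 'no HKCR\CLSID registration'
            }
        }

        [pscustomobject]@{
            Kind     = 'Value'
            Name     = $name
            Data     = $item.GetValue($name)
            Server   = $server
            Findings = ($findings -join '; ')
        }
    }

    # 2. Subkeys under Approved are not part of the normal layout; list each
    #    one with its value names and types so odd binary values stand out.
    foreach ($sub in Get-ChildItem -LiteralPath $Path -ErrorAction SilentlyContinue) {
        $types = foreach ($v in $sub.GetValueNames()) { "$v=$($sub.GetValueKind($v))" }
        [pscustomobject]@{
            Kind     = 'Subkey'
            Name     = $sub.PSChildName
            Data     = ($types -join ', ')
            Server   = $null
            Findings = 'subkey under Approved (unexpected); review its values'
        }
    }
}

# Show only the entries that have something to look at.
Get-ApprovedShellExtensionReport | Where-Object { $_.Findings } | Format-Table -AutoSize -Wrap
```

One caveat matters here: avast's antirootkit scan flags an item as HIDDEN when a direct read of the registry hive disagrees with what the Windows API returns. This script uses that same API, so a key that a rootkit is actively hiding will simply not appear in its output; an empty report therefore does not clear the avast finding, it only confirms that the visible part of the key looks normal. Run it from the affected user's account, since the key is under HKEY_CURRENT_USER.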

Yeah, I didn’t like the odd names either, and I understood that the CLSID’s were from avast, and not hijackthis, but the analyzer seemed to know what to do! I have never tried it before, but it looked like it worked.

I agree with DavidR to run those programs…

No, the CLSIDs are from the registry; all avast is doing is copying the registry name and values and tagging the HIDDEN bit on the end.

So they were created by whatever created the entries.

No, I know that avast was copying the registry names… I just meant they were from avast and not hijackthis. I guess I wasn’t being clear enough.

I know what you meant.

Done. Thanks for the advice. :slight_smile:

By the way, is it important that all four steps (download, install, update, run) be done in safe mode? I did the first three before switching over to perform the scans. I got rid of the cookies SUPERAntiSpyware found before running the MalwareBytes’ scan.

Also, I removed my user name from the logs.

Here they are:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/01/2009 at 02:54 PM

Application Version : 4.26.1000

Core Rules Database Version : 3823
Trace Rules Database Version: 1779

Scan type : Complete Scan
Total Scan Time : 00:47:56

Memory items scanned : 255
Memory threats detected : 0
Registry items scanned : 6618
Registry threats detected : 0
File items scanned : 32323
File threats detected : 2

Adware.Tracking Cookie
C:\Users\(username)\AppData\Roaming\Microsoft\Windows\Cookies\(username)@kaspersky.122.2o7[1].txt
C:\Users\(username)\AppData\Roaming\Microsoft\Windows\Cookies\Low\(username)@kaspersky.122.2o7[1].txt


Malwarebytes’ Anti-Malware 1.35
Database version: 1929
Windows 6.0.6001 Service Pack 1

4/1/2009 4:29:04 PM
mbam-log-2009-04-01 (16-29-04).txt

Scan type: Full Scan (C:|D:|)
Objects scanned: 288250
Time elapsed: 41 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

No, it isn’t necessary, but some malware is on the hunt for security programs. The download doesn’t have to be in safe mode, as that would mean being on-line with your trousers down since avast doesn’t run in safe mode, so I would say the same goes for updating too.

The install and run from safe mode is more efficient and it would then be reasonable to assume you were off to a good start when you could then run from normal mode and do a signature update.

Since there was effectively nothing found, I would say download and run SAS install from normal mode (as you can’t in safe mode) update and then boot into safe mode and run.

Sounds like everything should be ok then. Thanks again! ;D

You’re welcome!

Yes, it looks that way.

A belated welcome to the forums.