Three specific log file concerns

Evening all,

I know I’m supposed to keep out of the logs on the whole, but I’m scratching around for any clues to a persistent wireless connection issue that I have, and I’m trying to convince myself it’s not associated with my security software either singly or in combination. So please humour me awhiles … :slight_smile:

I’m running Win XP Home SP3, with Avast! 4.8, Online Armor free edition, TrojanHunter and Malwarebytes AntiMalware.

  1. setifaceUpdatePackages

I know that I can expect setifaceUpdatePackages to fail from time to time, and it’s no cause for concern. Until recently, that is exactly what was happening. But since 9 September, the warning log shows anything from 1 to 9 instances (return code 20000004) every day, with one exception (16 September), and this does not sound good. Admittedly, the virus database is only 1 day out of date, so the update process does seem to be limping along somehow - but why would it have started to fail so regularly?

  2. x_AavmCheckFileDirectEx

There are loads of entries in the warning and error logs for this routine (returning 00000005), and I know the typical culprits (usually Firefox profile stuff and Microsoft template stuff), and I know I don’t need to worry about them on the whole. But I do keep an eye out for the more unusual entries and since 2 September I have had 11 instances of this (so once every two days, on average):

AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\WINDOWS\system32\dllcache\beep.sys (C:\WINDOWS\system32\dllcache\beep.sys) returning error, 00000005.

That’s a pretty low-level file to be causing a problem, so I’d like to know why it’s happening all of a sudden.

  3. Three instances in the last two months, the last one the day before yesterday, of this:

Automatic rootkit scan was not started as it didn’t complete successfully during the last run

How alarmed should I be about this?

Andy

Shortly, verbose of the logs. Don’t worry.

Error 5 is access denied. Probably file in use. Nothing that much to be worried also.

A little bit strange, as the rootkit scanning is run 8 minutes after boot and should be no trouble…
Anti-rootkit scan log is in C:\Program Files\Alwil Software\Avast4\DATA\log\aswAr.log.
It will basically just look for hidden services and drivers, that’s it. I.e. it will take a list of loaded services and drivers (which means a list of roughly 200 items) and compare these results with a low-level scan. As I said, it should be fairly fast (not noticeable).

  1. It happens and is nothing to worry about, as avast will try again to get a connection; if it fails after all attempts then you would get a red pop-up Update failed notice. If you do get that again, unless it is a regular occurrence, like all the time again, I wouldn’t worry about it.

  2. Again, under normal circumstances this is nothing to worry about: avast just can’t scan a file because access is denied. What you have to identify is if the reason access is denied is reasonable, and to do that you have to investigate the file name.

See http://www.threatexpert.com/files/beep.sys.html which basically says this file name has been found to be malicious on many occasions and could be being protected by a malicious process, but a file name is no certainty.

You should check the offending/suspect file at VirusTotal - Multi engine on-line virus scanner and report the findings here (the URL in the Address bar of the VT results page).

If multiple scanners find these infected send the samples to avast for analysis and inclusion in the virus database.

Send the sample to virus@avast.com zipped and password protected with the password in email body, a reference to this topic (give URL) and undetected malware in the subject.

Or you can also add the file to the User Files (File, Add) section of the avast chest (if it isn’t already there) where it can do no harm and send it from there. A copy of the file/s will remain in the original location, so you will need to take further action and can remove/rename that.

Send it from the User Files section of the chest (select the file, right click, email to Alwil Software). It will be uploaded (not actually emailed) to avast when the next avast auto (or manual) update is done.

  3. Again, unless it is happening all the time, not too much to be concerned about, but bearing in mind the above about beep.sys it needs further investigation.

If you haven’t already got this software (freeware), download, install, update and run it and report the findings (it should produce a log file).

Don’t worry about reported tracking cookies; they are a minor issue and not one of security, but allow SAS to deal with them anyway. - See http://en.wikipedia.org/wiki/HTTP_cookie.

Finally:
Also useful as a diagnostic tool - FileHippo Download - HiJackThis and post the contents of the HJT log file here. - HJT Information HiJackThis Tutorial.

Download and run HJT and post the contents of the log file (cut and paste or attach the log file) into this topic, you may need to split it over two or more posts depending on how large it is.
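As an added example (not code from the thread, from avast or from any poster), a small Python triage script for the two log symptoms Andy describes and the rule DavidR gives for them: it counts setifaceUpdatePackages failures (return code 20000004) per day, and lists x_AavmCheckFileDirectEx access-denied (00000005) entries that fall outside the routine Firefox-profile and Microsoft-template noise, so that an entry such as the dllcache\beep.sys one stands out for investigation. The x_AavmCheckFileDirectEx line follows the format quoted in the first post; the timestamp prefix and the wording of the setifaceUpdatePackages line are assumptions, and the sample log is constructed.

```python
import re
from collections import Counter
from datetime import date

# Constructed sample in the style of the avast 4.8 warning log quoted in the thread.
# The x_AavmCheckFileDirectEx line follows the format shown in the post; the
# "dd/mm/yyyy hh:mm:ss" prefix and the setifaceUpdatePackages wording are assumed.
SAMPLE_LOG = r"""
09/09/2009 08:01:12 setifaceUpdatePackages returning error, 20000004.
09/09/2009 09:30:40 setifaceUpdatePackages returning error, 20000004.
10/09/2009 07:58:03 AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\Documents and Settings\Andy\Application Data\Mozilla\Firefox\Profiles\x1.default\places.sqlite (C:\Documents and Settings\Andy\Application Data\Mozilla\Firefox\Profiles\x1.default\places.sqlite) returning error, 00000005.
10/09/2009 12:15:09 setifaceUpdatePackages returning error, 20000004.
11/09/2009 08:20:00 AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\Documents and Settings\Andy\Application Data\Microsoft\Templates\Normal.dot (C:\Documents and Settings\Andy\Application Data\Microsoft\Templates\Normal.dot) returning error, 00000005.
12/09/2009 08:22:47 AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\WINDOWS\system32\dllcache\beep.sys (C:\WINDOWS\system32\dllcache\beep.sys) returning error, 00000005.
"""

STAMP_RE = re.compile(r"^(\d{2})/(\d{2})/(\d{4}) \d{2}:\d{2}:\d{2} (.*)$")
UPDATE_FAIL_RE = re.compile(r"setifaceUpdatePackages.*\b20000004\b")
ACCESS_DENIED_RE = re.compile(
    r"x_AavmCheckFileDirectEx \[UNI\]: (.+?) \(.+?\) returning error, 00000005\.")

# Paths the thread treats as routine access-denied noise (locked user files).
ROUTINE_PATTERNS = (r"\\Mozilla\\Firefox\\Profiles\\", r"\\Microsoft\\Templates\\")

def parse_log(text):
    """Yield (date, message) for each timestamped line; skip anything else."""
    for line in text.splitlines():
        m = STAMP_RE.match(line)
        if m:
            day, month, year, msg = m.groups()
            yield date(int(year), int(month), int(day)), msg

def update_failures_per_day(text):
    """Count setifaceUpdatePackages failures (return code 20000004) per calendar day."""
    return Counter(d for d, msg in parse_log(text) if UPDATE_FAIL_RE.search(msg))

def unusual_access_denied(text):
    """Return paths avast could not read (error 5) that are not routine locked user files."""
    unusual = []
    for _, msg in parse_log(text):
        m = ACCESS_DENIED_RE.search(msg)
        if m and not any(re.search(p, m.group(1), re.IGNORECASE) for p in ROUTINE_PATTERNS):
            unusual.append(m.group(1))
    return unusual

if __name__ == "__main__":
    for d, n in sorted(update_failures_per_day(SAMPLE_LOG).items()):
        print(f"{d}: {n} update failure(s)")
    for path in unusual_access_denied(SAMPLE_LOG):
        print("investigate:", path)
```

Point it at the real warning log by replacing SAMPLE_LOG with the file contents once the timestamp prefix has been adjusted to what avast actually writes.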

I got a 1/41 score for my beep.sys. ESafe detected Win32.Banker. This is the same result, from the same engine, as I got on the other occasion I uploaded a file to VirusTotal for analysis recently, so I presume this is an Esafe FP. But I’d be happier if I’d got a 0/41 score on both occasions. Not sure what you mean by: "report the findings here the URL in the Address bar of the VT results page. "

Diagnostics:

  • I’ve been using MBAM for several months now, it hasn’t found anything amiss for quite a while.
  • SuperAntiSpyware I recently uninstalled because it seemed to me to be resource-greedy for little payback
  • HijackThis log below

Andy

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:40:34, on 24/09/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
D:\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
D:\Tall Emu\Online Armor\OAcat.exe
D:\Tall Emu\Online Armor\oasrv.exe
D:\Alwil Software\Avast4\aswUpdSv.exe
D:\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
D:\Malwarebytes’ Anti-Malware\mbamservice.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
D:\Alwil Software\Avast4\ashMaiSv.exe
D:\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\vVX3000.exe
D:\TrojanHunter 5.0\THGuard.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
D:\Malwarebytes’ Anti-Malware\mbamgui.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
D:\ALWILS~1\Avast4\ashDisp.exe
D:\Tall Emu\Online Armor\oaui.exe
C:\Program Files\Skype\Phone\Skype.exe
D:\MagicDisc\MagicDisc.exe
D:\SigChanger\sigchanger.exe
D:\Tall Emu\Online Armor\OAhlp.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
D:\FireTrust\MailWasher Pro\MailWasher.exe
D:\Mozilla\Firefox\firefox.exe
D:\compact and bijou\hijackthis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM..\Run: [VX3000] C:\WINDOWS\vVX3000.exe
O4 - HKLM..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM..\Run: [THGuard] “D:\TrojanHunter 5.0\THGuard.exe”
O4 - HKLM..\Run: [SunJavaUpdateSched] “C:\Program Files\Java\jre6\bin\jusched.exe”
O4 - HKLM..\Run: [nwiz] nwiz.exe /install
O4 - HKLM..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM..\Run: [Malwarebytes’ Anti-Malware] “D:\Malwarebytes’ Anti-Malware\mbamgui.exe” /starttray
O4 - HKLM..\Run: [LifeCam] “C:\Program Files\Microsoft LifeCam\LifeExp.exe”
O4 - HKLM..\Run: [Jet Detection] “C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe”
O4 - HKLM..\Run: [itype] “C:\Program Files\Microsoft IntelliType Pro\itype.exe”
O4 - HKLM..\Run: [IntelliPoint] “C:\Program Files\Microsoft IntelliPoint\ipoint.exe”
O4 - HKLM..\Run: [avast!] D:\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [@OnlineArmor GUI] “D:\Tall Emu\Online Armor\oaui.exe”
O4 - HKCU..\Run: [Skype] “C:\Program Files\Skype\Phone\Skype.exe” /nosplash /minimized
O4 - HKCU..\Run: [Google Update] “C:\Documents and Settings\Andy\Local Settings\Application Data\Google\Update\GoogleUpdate.exe” /c
O4 - HKUS\S-1-5-18..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘SYSTEM’)
O4 - HKUS.DEFAULT..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘Default user’)
O4 - Startup: MagicDisc.lnk = D:\MagicDisc\MagicDisc.exe
O4 - Startup: SigChanger.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} (Creative Software AutoUpdate) - http://ccfiles.creative.com/Web/softwareupdate/su/ocx/15101/CTSUEng.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1191279822593
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://ccfiles.creative.com/Web/softwareupdate/su/ocx/15108/CTPID.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - - (no file)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - D:\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - D:\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - D:\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - D:\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Update Service (gupdate1c9be248d703b14) (gupdate1c9be248d703b14) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MBAMService - Malwarebytes Corporation - D:\Malwarebytes’ Anti-Malware\mbamservice.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Online Armor Helper Service (OAcat) - Tall Emu - D:\Tall Emu\Online Armor\OAcat.exe
O23 - Service: Online Armor (SvcOnlineArmor) - Tall Emu - D:\Tall Emu\Online Armor\oasrv.exe


End of file - 7485 bytes

Go to Add/Remove Programs and un-install vulnerable Adobe Reader 7.0.

Adobe Reader has become the latest favorite of the malware purveyors and is under constant attack and I would remove all Adobe Reader from the system and get Foxit Reader as it is much safer:
http://www.filehippo.com/download_foxit

Run the install application, then select Custom, then Next, then un-select Desktop shortcut, Quick Launch Toolbar and Firefox plugin if you don’t have Firefox, then Next, then Install, then un-select Foxit Toolbar and Ask.com default search, then Next, then un-select Create desktop eBay, quick launch

Download and install User Profile Hive Cleanup Service
Brief Description
A service to help with slow log off and unreconciled profile problems.
http://www.microsoft.com/downloads/details.aspx?familyid=1B286E6D-8912-4E18-B570-42470E2F3582&displaylang=en

Run Secunia Online Software Inspector to see what applications are vulnerable:
http://secunia.com/vulnerability_scanning/online

Hi,

I ran Secunia, and it identified three vulnerable apps: Java, QuickTime and Adobe Reader. I downloaded the recommended patch installers for all three and installed them.

So I haven’t uninstalled Adobe Reader 7 yet.

I didn’t follow up the hive cleanup service because I’m not getting any events with IDs 1517 or 1524.

You need to uninstall old versions of Adobe Reader, or there are exploits that try to use old versions specifically. You should only have the latest version installed and remove older versions.

If you aren’t having any slow log-off or shutdown issues, then you don’t really need the User Profile Hive Cleanup service.

In every XP system I have worked on having User Profile Hive Cleanup Service installed speeded up Log off, Restart and Shutdown.

User Profile Hive Cleanup Service is standard in Vista and Windows 7.

UPH Cleanup used to make a difference on my old system, on this one it doesn’t make a blind bit of difference.

On my old XP Home 2.4GHZ 512MB RAM system it made a lot of difference and the XP Pro system not as much but on your Core2Duo E8300/ 2GB Ram system then I guess it does not.