
avastSVC.exe = Security.Hijack ?


tevion


Good morning,

Please take a look at the following log. Maybe a false positive?

Urgent question, because Malwarebytes wants to kill the key during a restart.

It's maybe an important registry key of Avast Antivirus.

Malwarebytes Anti-Malware (PRO) 1.75.0.1300

www.malwarebytes.org

Datenbank Version: v2013.05.04.02

Windows 8 x86 NTFS

Internet Explorer 10.0.9200.16540

PetePan :: PETEPAN-PC [Administrator]

Schutz: Aktiviert

04.05.2013 08:49:27

MBAM-log-2013-05-04 (08-52-26).txt

Art des Suchlaufs: Flash-Scan

Aktivierte Suchlaufeinstellungen: Speicher | Autostart | Heuristiks/Extra | HeuristiKs/Shuriken | PUP | PUM | P2P

Deaktivierte Suchlaufeinstellungen: Registrierung | Dateisystem

Durchsuchte Objekte: 204108

Laufzeit: 2 Minute(n), 19 Sekunde(n)

Infizierte Speicherprozesse: 0

(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule: 0

(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel: 1

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvastSvc.exe (Security.Hijack) -> Keine Aktion durchgeführt.

Infizierte Registrierungswerte: 0

(Keine bösartigen Objekte gefunden)

Infizierte Dateiobjekte der Registrierung: 0

(Keine bösartigen Objekte gefunden)

Infizierte Verzeichnisse: 0

(Keine bösartigen Objekte gefunden)

Infizierte Dateien: 0

(Keine bösartigen Objekte gefunden)

(Ende)

Thank you very much

Tevion


Hello

I suspect it is a false positive detection, not entirely sure though.

I'm experiencing the same issue.

Here is my log (in Italian):

Malwarebytes Anti-Malware (PRO) 1.75.0.1300

www.malwarebytes.org

Versione database: v2013.05.05.06

Windows 7 Service Pack 1 x64 NTFS

Internet Explorer 10.0.9200.16540

lxxxx ::xxxx-PC [amministratore]

Protezione: Disattivata

05/05/2013 23:22:35

MBAM-log-2013-05-05 (23-33-07).txt

Tipo di scansione: Scansione veloce

Opzioni di scansione attive: Memoria | Esecuzione automatica | Registro | File di sistema | Euristica/Extra | Euristica/Shuriken | PUP | PUM | P2P

Opzioni di scansione disattivate:

Elementi esaminati: 211882

Tempo impiegato: 4 minuti, 54 secondi

Processi rilevati in memoria: 0

(non sono stati rilevati elementi nocivi)

Moduli di memoria rilevati: 0

(non sono stati rilevati elementi nocivi)

Chiavi di registro rilevate: 1

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvastUI.exe (Security.Hijack) -> Nessuna azione intrapresa.

Valori di registro rilevati: 0

(non sono stati rilevati elementi nocivi)

Voci rilevate nei dati di registro: 0

(non sono stati rilevati elementi nocivi)

Cartelle rilevate: 0

(non sono stati rilevati elementi nocivi)

File rilevati: 0

(non sono stati rilevati elementi nocivi)

(fine)

I researched the web and I have found:

http://forums.malwar...showtopic=93912

http://www.drwebhk.c...Kill.29118.html

http://about-threats...TROJ_FAKEAV.BBK

However, I have never been infected by the rogue security software listed.

I scanned my Windows 7 SP1 x64 with:

1) Emsisoft Emergency Kit

2) SuperAntispyware

3) Microsoft Safety Scanner

4) F-secure online scanner

No malware was found.

I do not have Oracle Java JRE and Adobe Reader installed; my OS and main programs are fully up to date.

I usually surf the web with my browser sandboxed with administrator rights dropped.

I use PrivateFirewall, Sandboxie (paid), WinPatrol Plus and Avast antivirus free.

Hopefully Malwarebytes' forum staff will help us soon, as usual ; )


Would it be possible for you to export this key with regedit and zip and attach here?

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvastUI.exe

Hello

Sorry, I can't, since I let MBAM remove it.

I had to uninstall Avast first, 'cause every time I rebooted, that registry key came back.

However, according to those articles I found, the infected key looks like:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avastui.exe

Debugger = "svchost.exe"

Well, there was no Debugger = "svchost.exe" value, hence I presume it is a false positive: AvastUI.exe and AvastSVC.exe are part of Avast antivirus and my Avast was working fine.

I scanned my OS with Dr.Web CureIt, Comodo Cleaning Essentials and HitmanPro, too.

Results: no malware found.

I replaced Avast with MSE anyway.

I'll try to reproduce this issue on another computer of mine tomorrow and I'll let you know.

Thank you for your reply and your patience

Cheers :)

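The distinction discussed in this thread, an Image File Execution Options subkey that merely exists versus one that carries a Debugger value, can be checked from a regedit export like the one requested above. This is an added example, not code from the posters or from Malwarebytes; the sample export is constructed and the function names are hypothetical.

```python
import re

IFEO = r"software\microsoft\windows nt\currentversion\image file execution options"

# Constructed sample in regedit export (.reg) text form; not data from the thread.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvastUI.exe]
"PlaceholderValue"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvastSvc.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\example.exe]
"Debugger"="svchost.exe"
'''

def parse_reg(text):
    """Return {key_path: {value_name: raw_data}} from .reg export text.
    Multi-line hex continuations are ignored; only string data matters here."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = keys.setdefault(m.group(1), {})
            continue
        m = re.fullmatch(r'"((?:[^"\\]|\\.)*)"=(.*)', line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
    return keys

def triage_ifeo(text):
    """Map each IFEO image name to ('debugger-set', target) or ('no-debugger', None)."""
    report = {}
    for path, values in parse_reg(text).items():
        root, _, rest = path.partition("\\")
        head, _, image = rest.rpartition("\\")
        head = head.lower().replace("software\\wow6432node\\", "software\\")
        if root.upper() not in ("HKEY_LOCAL_MACHINE", "HKLM") or head != IFEO:
            continue
        dbg = next((v for n, v in values.items() if n.lower() == "debugger"), None)
        if dbg is not None and dbg.startswith('"') and dbg.endswith('"'):
            dbg = re.sub(r"\\(.)", r"\1", dbg[1:-1])   # undo .reg string escaping
        report[image] = ("debugger-set", dbg) if dbg is not None else ("no-debugger", None)
    return report

if __name__ == "__main__":
    for image, (status, target) in triage_ifeo(SAMPLE_REG).items():
        print(f"{image}: {status}" + (f" -> {target} (review)" if target else ""))
```

A Debugger value is not proof of infection on its own, since administrators and some tools set it deliberately; it marks the entry for review of what the target is.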
