PDA

View Full Version : Resident Log



Gamespotgirl88
2012-10-27, 15:34
Yesterday evening I became suspicious that I might have been attacked by malware. I did scans with avast, spybot, even windows defender and nothing was found. This morning I checked teatimer log to find 5 changes that were made yesterday that i'm not sure are normal. I cant remember what I was doing at this time other than running scans. Are these changes normal? What can I do to be notified as these are happening?



10/16/2012 8:51:29 PM Allowed (based on user decision) value "BootExecute" (new data: "autocheck autochk *
aswBoot.exe /A:"*" /A:"*STARTUP" /L:"1033" /heur:100 /RA:ask /pup /archives /IA:0 /KBD:5 /wow /dir:"C:\Program Files\Alwil Software\Avast5"
") changed in Session manager!
10/16/2012 9:32:47 PM Allowed (based on user decision) value "BootExecute" (new data: "autocheck autochk *
") changed in Session manager!
10/20/2012 5:38:00 AM Allowed (based on user decision) value "{CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA}" (new data: "") added in ActiveX Distribution Unit!
10/20/2012 5:38:00 AM Allowed (based on user decision) value "{CAFEEFAC-0016-0000-0035-ABCDEFFEDCBA}" (new data: "") deleted in ActiveX Distribution Unit!
10/20/2012 5:38:13 AM Allowed (based on user decision) value "SunJavaUpdateSched" (new data: "") deleted in System Startup global entry!
10/20/2012 5:38:17 AM Allowed (based on user decision) value "SunJavaUpdateSched" (new data: ""C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"") added in System Startup global entry!
10/23/2012 10:47:51 PM Allowed (based on user decision) value "aswAhAScr.dll" (new data: ""C:\Program Files\Alwil Software\Avast5\aswRegSvr.exe" "C:\Program Files\Alwil Software\Avast5\AhAScr.dll"") added in System Startup global entry!
10/23/2012 10:47:54 PM Allowed (based on user decision) value "aswasOutExt.dll" (new data: ""C:\Program Files\Alwil Software\Avast5\aswRegSvr.exe" "C:\Program Files\Alwil Software\Avast5\asOutExt.dll"") added in System Startup global entry!
10/23/2012 10:47:57 PM Allowed (based on user decision) value "aswasOutExt64.dll" (new data: ""C:\Program Files\Alwil Software\Avast5\aswRegSvr64.exe" "C:\Program Files\Alwil Software\Avast5\asOutExt64.dll"") added in System Startup global entry!
10/23/2012 10:50:15 PM Allowed (based on user decision) value "aswAhAScr.dll" (new data: "") deleted in System Startup global entry!
10/23/2012 10:50:15 PM Allowed (based on user decision) value "aswasOutExt.dll" (new data: "") deleted in System Startup global entry!
10/23/2012 10:50:15 PM Allowed (based on user decision) value "aswasOutExt64.dll" (new data: "") deleted in System Startup global entry!
10/25/2012 9:20:58 AM Allowed (based on user decision) value "SpybotSD TeaTimer" (new data: "C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe") added in System Startup user entry!
10/26/2012 6:09:00 PM Allowed (based on user decision) value "BootExecute" (new data: "autocheck autochk *
aswBoot.exe /A:"*" /A:"*STARTUP" /A:"C:" /L:"1033" /heur:100 /RA:ask /pup /archives /IA:0 /KBD:5 /wow /dir:"C:\Program Files\Alwil Software\Avast5"
") changed in Session manager!
10/26/2012 7:44:52 PM Allowed (based on user decision) value "BootExecute" (new data: "autocheck autochk *
") changed in Session manager!
10/26/2012 7:44:57 PM Allowed (based on user decision) value "BootExecute" (new data: "") deleted in Session manager!
10/26/2012 7:44:57 PM Allowed (based on user decision) value "ExcludeFromKnownDlls" (new data: "") deleted in Session manager!
10/26/2012 7:44:59 PM Allowed (based on user decision) value "BootExecute" (new data: "autocheck autochk *
") added in Session manager!
10/26/2012 7:44:59 PM Allowed (based on user decision) value "ExcludeFromKnownDlls" (new data: "") added in Session manager!

Zenobia
2012-10-28, 02:35
Please see here for an explanation of BootExecute and ExcludeFromKnownDlls registry entries:
http://forums.spybot.info/showthread.php?t=17691

Just prior to the five entries you bolded in your teatimer log,there was this entry from 6:09:00 PM :

10/26/2012 6:09:00 PM Allowed (based on user decision) value "BootExecute" (new data: "autocheck autochk *
aswBoot.exe /A:"*" /A:"*STARTUP" /A:"C:" /L:"1033" /heur:100 /RA:ask /pup /archives /IA:0 /KBD:5 /wow /dir:"C:\Program Files\Alwil Software\Avast5"
") changed in Session manager!
That entry is related to Avast:
http://www.runscanner.net/lib/aswboot.exe.html

So,it's my best guess that the last five entries you bolded are normal.

To be notified when those changes are happening,you could try rightclicking Teatimer and selecting Paranoid mode.But,Spybot uses a whitelist with a lot of things now,and personally I find that easier,so I'm not crazy about recommending it to anyone,though it's each person's decision,of course. :)

You were suspicious that you were attacked by malware.Are you having any problems,popups,anything like that?

Gamespotgirl88
2012-10-28, 19:34
The reason I became suspicious is because Avast tried to open on its own, but couldnt because I have it password protected. Then Windows Defender was temp disabled until I restartd it. I havent had any other suspicious behavior except the log entries. Ive never had 5 entries after an Avast boot scan, thats why I was worried. Also I was trying to restart defender, and make my computer more safe, and may have made some settings changes that caused this as well. If there is a serious problem I want to resolve it soon thats why I asked for opinions, thanks.

Zenobia
2012-10-28, 22:57
It's odd that you had to restart Windows Defender,but otherwise sounds ok.
If you start noticing weird behavior or get the nagging "somethings up,I just know it" feeling,post on back,and I'll give you the link to the malware forum. :)