Results 1 to 4 of 4

Thread: Resident Log

  1. #1
    Junior Member
    Join Date
    Oct 2012
    Posts
    2

    Default Resident Log

    Yesterday evening I became suspicious that I might have been attacked by malware. I did scans with avast, spybot, even windows defender and nothing was found. This morning I checked teatimer log to find 5 changes that were made yesterday that i'm not sure are normal. I cant remember what I was doing at this time other than running scans. Are these changes normal? What can I do to be notified as these are happening?



    10/16/2012 8:51:29 PM Allowed (based on user decision) value "BootExecute" (new data: "autocheck autochk *
    aswBoot.exe /A:"*" /A:"*STARTUP" /L:"1033" /heur:100 /RA:ask /pup /archives /IA:0 /KBD:5 /wow /dir:"C:\Program Files\Alwil Software\Avast5"
    ") changed in Session manager!
    10/16/2012 9:32:47 PM Allowed (based on user decision) value "BootExecute" (new data: "autocheck autochk *
    ") changed in Session manager!
    10/20/2012 5:38:00 AM Allowed (based on user decision) value "{CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA}" (new data: "") added in ActiveX Distribution Unit!
    10/20/2012 5:38:00 AM Allowed (based on user decision) value "{CAFEEFAC-0016-0000-0035-ABCDEFFEDCBA}" (new data: "") deleted in ActiveX Distribution Unit!
    10/20/2012 5:38:13 AM Allowed (based on user decision) value "SunJavaUpdateSched" (new data: "") deleted in System Startup global entry!
    10/20/2012 5:38:17 AM Allowed (based on user decision) value "SunJavaUpdateSched" (new data: ""C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"") added in System Startup global entry!
    10/23/2012 10:47:51 PM Allowed (based on user decision) value "aswAhAScr.dll" (new data: ""C:\Program Files\Alwil Software\Avast5\aswRegSvr.exe" "C:\Program Files\Alwil Software\Avast5\AhAScr.dll"") added in System Startup global entry!
    10/23/2012 10:47:54 PM Allowed (based on user decision) value "aswasOutExt.dll" (new data: ""C:\Program Files\Alwil Software\Avast5\aswRegSvr.exe" "C:\Program Files\Alwil Software\Avast5\asOutExt.dll"") added in System Startup global entry!
    10/23/2012 10:47:57 PM Allowed (based on user decision) value "aswasOutExt64.dll" (new data: ""C:\Program Files\Alwil Software\Avast5\aswRegSvr64.exe" "C:\Program Files\Alwil Software\Avast5\asOutExt64.dll"") added in System Startup global entry!
    10/23/2012 10:50:15 PM Allowed (based on user decision) value "aswAhAScr.dll" (new data: "") deleted in System Startup global entry!
    10/23/2012 10:50:15 PM Allowed (based on user decision) value "aswasOutExt.dll" (new data: "") deleted in System Startup global entry!
    10/23/2012 10:50:15 PM Allowed (based on user decision) value "aswasOutExt64.dll" (new data: "") deleted in System Startup global entry!
    10/25/2012 9:20:58 AM Allowed (based on user decision) value "SpybotSD TeaTimer" (new data: "C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe") added in System Startup user entry!
    10/26/2012 6:09:00 PM Allowed (based on user decision) value "BootExecute" (new data: "autocheck autochk *
    aswBoot.exe /A:"*" /A:"*STARTUP" /A:"C:" /L:"1033" /heur:100 /RA:ask /pup /archives /IA:0 /KBD:5 /wow /dir:"C:\Program Files\Alwil Software\Avast5"
    ") changed in Session manager!
    10/26/2012 7:44:52 PM Allowed (based on user decision) value "BootExecute" (new data: "autocheck autochk *
    ") changed in Session manager!
    10/26/2012 7:44:57 PM Allowed (based on user decision) value "BootExecute" (new data: "") deleted in Session manager!
    10/26/2012 7:44:57 PM Allowed (based on user decision) value "ExcludeFromKnownDlls" (new data: "") deleted in Session manager!
    10/26/2012 7:44:59 PM Allowed (based on user decision) value "BootExecute" (new data: "autocheck autochk *
    ") added in Session manager!
    10/26/2012 7:44:59 PM Allowed (based on user decision) value "ExcludeFromKnownDlls" (new data: "") added in Session manager!

  2. #2
    Spybot Advisor Team Zenobia's Avatar
    Join Date
    Oct 2005
    Posts
    5,532

    Default

    Please see here for an explanation of BootExecute and ExcludeFromKnownDlls registry entries:
    http://forums.spybot.info/showthread.php?t=17691

    Just prior to the five entries you bolded in your teatimer log,there was this entry from 6:09:00 PM :
    10/26/2012 6:09:00 PM Allowed (based on user decision) value "BootExecute" (new data: "autocheck autochk *
    aswBoot.exe /A:"*" /A:"*STARTUP" /A:"C:" /L:"1033" /heur:100 /RA:ask /pup /archives /IA:0 /KBD:5 /wow /dir:"C:\Program Files\Alwil Software\Avast5"
    ") changed in Session manager!
    That entry is related to Avast:
    http://www.runscanner.net/lib/aswboot.exe.html

    So,it's my best guess that the last five entries you bolded are normal.

    To be notified when those changes are happening,you could try rightclicking Teatimer and selecting Paranoid mode.But,Spybot uses a whitelist with a lot of things now,and personally I find that easier,so I'm not crazy about recommending it to anyone,though it's each person's decision,of course.

    You were suspicious that you were attacked by malware.Are you having any problems,popups,anything like that?

  3. #3
    Junior Member
    Join Date
    Oct 2012
    Posts
    2

    Default

    The reason I became suspicious is because Avast tried to open on its own, but couldnt because I have it password protected. Then Windows Defender was temp disabled until I restartd it. I havent had any other suspicious behavior except the log entries. Ive never had 5 entries after an Avast boot scan, thats why I was worried. Also I was trying to restart defender, and make my computer more safe, and may have made some settings changes that caused this as well. If there is a serious problem I want to resolve it soon thats why I asked for opinions, thanks.

  4. #4
    Spybot Advisor Team Zenobia's Avatar
    Join Date
    Oct 2005
    Posts
    5,532

    Default

    It's odd that you had to restart Windows Defender,but otherwise sounds ok.
    If you start noticing weird behavior or get the nagging "somethings up,I just know it" feeling,post on back,and I'll give you the link to the malware forum.

Tags for this Thread

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •