
Infection with acovcnt.exe and other Sys32 infections


30 replies to this topic

#1 MarkR42

MarkR42

  • Members
  • 23 posts
  • Local time:01:11 AM

Posted 27 August 2009 - 04:01 PM

I have Windows Vista Home Premium on my Asus Laptop. I've recently got a warning about acovcnt.exe infection from Scan Spyware and RemoveIt, as well as warnings about Sys32.athiavs, Sys32.athihvui, Sys32.functiondscoveryfolder, Sys32.rp3daa32, Sys32.wsceappr, Sys32.yk60x86, Sys32.asscrpro, Sys32.asscrprolog, and Sys32.pev from only RemoveIt. Scan Spyware removes the file, but after restarting the file is there again. RemoveIt is unable to remove ANY of the files.

The only problems I am having with my computer are strange slow browsing speeds on Firefox, but NOT on IE8...and often upon attempting to open Firefox I get the error "Firefox is already running and must be stopped...blah, blah, blah".

I downloaded ComboFix and ran it without noticing the warning about using it only under supervision, but acovcnt.exe still keeps showing up, and so do the other Sys32 problems.

I have Avast! Anti-Virus, Super AntiSpyware, Spywareblaster and Ad-Aware and under these programs I get NO virus or malware warning. Only with Scan Spyware and RemoveIt.

Can you please help a Computer Beginner to remove this malware from my System?

Thanks, Mark


#2 Computer Pro

Computer Pro

  • Members
  • 2,448 posts
  • Gender:Male
  • Local time:07:11 PM

Posted 27 August 2009 - 05:38 PM

Hello and welcome to Bleeping Computer.

Please subscribe to your topic so that you will be notified as soon as I post a reply, instead of you having to check the topic all of the time. This will allow you to get an email notification when I reply.

To subscribe, go to your topic, and at the top right hand corner by your first post, click the Options button and then click Track this topic. Then bullet the immediate notification bubble. Then press submit.



Let's take a look with Malwarebytes

Please download Malwarebytes' Anti-Malware from here:
Malwarebytes
Please rename the file BEFORE downloading to zztoy.exe instead of mbam-setup.exe

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

Double Click zztoy.exe to install the application.
* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Full Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy & paste the entire MBAM report (even if it does not find anything) in your next reply

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


If Malwarebytes won't install or run

Some types of malware will disable MBAM and other security tools. If MBAM will not install, try renaming it. Right-click on the mbam-setup.exe file and change the .exe extension to .bat, .com, .pif, or .scr and then double-click on it to run.

If after installation, MBAM will not run, open the Malwarebytes' Anti-Malware folder in Program Files, right-click on mbam.exe and change the .exe as noted above. Then double-click on it to run.
Computer Pro

#3 MarkR42

MarkR42
  • Topic Starter

  • Members
  • 23 posts
  • Local time:01:11 AM

Posted 27 August 2009 - 07:18 PM

Followed all your instructions and here is the log file from Malwarebytes:





Malwarebytes' Anti-Malware 1.40
Database version: 2707
Windows 6.0.6002 Service Pack 2

28.08.2009 02:15:19
mbam-log-2009-08-28 (02-15-19).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 236978
Time elapsed: 47 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\Mark Riemer\Documents\Programm EXE.s\soleromusicviewer8.0.29.370.exe (Rogue.Antivirus) -> Quarantined and deleted successfully.

#4 Computer Pro

Computer Pro

  • Members
  • 2,448 posts
  • Gender:Male
  • Local time:07:11 PM

Posted 27 August 2009 - 07:54 PM

What are the files that it says that it is detecting?
Computer Pro

#5 MarkR42

MarkR42
  • Topic Starter

  • Members
  • 23 posts
  • Local time:01:11 AM

Posted 28 August 2009 - 05:04 AM

After the scan last night, Malwarebytes found only Rogue.Antivirus....

I scanned again this morning and it found NOTHING.

However, I checked again with Scan Spyware and RemoveIt and they both found acovcnt.exe as well as the above-mentioned Sys32 threats.

Should I trust MBAM and just assume the other threats under Scan Spyware and RemoveIt are just false positives? It's hard to know which anti-malware/spyware software to trust the most, since they are all giving me different results...

#6 Computer Pro

Computer Pro

  • Members
  • 2,448 posts
  • Gender:Male
  • Local time:07:11 PM

Posted 28 August 2009 - 05:16 PM

OK, let's submit the exe file to a virus scanner. The software that is detecting it should be showing its location, so that you will know where to browse for it. Here are the instructions:

To submit a file to Virus Total:

-Go to Virus Total
-Click the Browse button and then browse to the file's location. Once there, click the file and then press open.
-Then click Send File
-Please wait for the scanner to finish processing the file.
-Once done, please copy and paste the results on this page into your next post.
Computer Pro

#7 MarkR42

MarkR42
  • Topic Starter

  • Members
  • 23 posts
  • Local time:01:11 AM

Posted 28 August 2009 - 06:12 PM

Strange, but after receiving your instructions, I scanned with both Scan Spyware and RemoveIt to find the locations of the threats, and FINALLY acovcnt.exe was not found by either program.

RemoveIt still found threats Sys32.athihvs, Sys32.athivui, Sys32.functiondiscoveryfolder, Sys32.rp3daa32, Sys32.wsceappr, Sys32.yk60x86, Sys32.asscrpro, Sys32.asscrprolog and Sys32.pev.


Only half of these files can be found in the Windows\System32 folder. Shall I scan some of these with Virus Total?

#8 MarkR42

MarkR42
  • Topic Starter

  • Members
  • 23 posts
  • Local time:01:11 AM

Posted 28 August 2009 - 06:18 PM

Here's the report for a scan of rp3daa32


File RP3DAA32.dll received on 2009.08.28 22:59:02 (UTC)
Current status: finished
Result: 0/41 (0.00%)
Additional information
File size: 290304 bytes
MD5 : 0fe8e6440f9cfd5f32bb0bdde4347a55
SHA1 : b9a54f08cf1155d73d9b90d453f3b3a49b8467f7
SHA256: 04cbd01736741d89a72ebf836e52ebd792daecd83cd86c04cca91f9a7e585013
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x8867
timedatestamp.....: 0x49B4EFD7 (Mon Mar 9 11:30:47 2009)
machinetype.......: 0x14C (Intel I386)


( 1 exports )

> DllCanUnloadNow, DllGetClassObject, DllRegisterServer, DllUnregisterServer
TrID : File type identification
Windows OCX File (46.2%)
Win64 Executable Generic (32.0%)
Win32 Executable MS Visual C++ (generic) (14.1%)
Win32 Executable Generic (3.1%)
Win32 Dynamic Link Library (generic) (2.8%)
ssdeep: 6144:yRzyUV/6bmAv9gTllpKGrUxng9IKA/i6nOS:MejshKnO
PEiD : -
RDS : NSRL Reference Data Set
-

ATENTION ATTENTION: VirusTotal is a free service offered by Hispasec Sistemas. There are no guarantees about the availability and continuity of this service. Although the detection rate afforded by the use of multiple antivirus engines is far superior to that offered by just one product, these results DO NOT guarantee the harmlessness of a file. Currently, there is not any solution that offers a 100% effectiveness rate for detecting viruses and malware.

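The reports pasted in this thread follow the fixed text layout VirusTotal's web page produced at the time, so pulling out what matters (detection ratio, which engines fired, hashes, PE timestamp, imports) can be scripted rather than read line by line. The following Python parser is an added example, not code from the thread or from VirusTotal; the sample report, its placeholder hashes and its single detection are constructed, and the label matching covers both the English and the German report headings that appear in this thread.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the 2009 VirusTotal web-report layout (engine /
# version / last update / result). Not a report from the thread: the hashes
# are placeholders and one engine is made to fire so there is a verdict to parse.
SAMPLE_REPORT = """\
File sample.dll received on 2009.08.28 22:59:02 (UTC)
Result: 1/4 (25.00%)
Antivirus Version Last Update Result
AntiVir 7.9.1.7 2009.08.28 -
Kaspersky 7.0.0.125 2009.08.29 Trojan.Generic.Constructed
McAfee+Artemis 5723 2009.08.28 -
Norman 2009.08.28 -
Additional information
File size: 290304 bytes
MD5 : 00112233445566778899aabbccddeeff
SHA1..: 0011223344556677889900112233445566778899
SHA256: 00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff
timedatestamp.....: 0x49B4EFD7 (Mon Mar 9 11:30:47 2009)
( 2 imports )
> advapi32.dll: RegCreateKeyExW, RegSetValueExW, RegCloseKey
> oleaut32.dll: -, -, -
"""

# One pattern per line type; English and German labels are both accepted.
HEADER_RE = re.compile(r"^(?:File|Datei)\s+(\S+)\s+(?:received on|empfangen)\s+(.+)$")
RESULT_RE = re.compile(r"^(?:Result|Ergebnis):\s*(\d+)/(\d+)")
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256)[ .]*:\s*([0-9a-fA-F]+)\s*$")
STAMP_RE = re.compile(r"^timedatestamp\.*:\s*(0x[0-9A-Fa-f]+)\s*\((.*)\)")
# engine name, optional version, last-update date, verdict ("-" means clean)
ENGINE_RE = re.compile(r"^(\S+)\s+(?:(\S+)\s+)?(\d{4}\.\d{2}\.\d{2})\s+(.+)$")
IMPORT_RE = re.compile(r"^>\s*([^:]+):\s*(.*)$")

# Imports that write or delete registry data; only reported, no conclusion drawn.
REGISTRY_WRITE_APIS = {
    "RegSetValueExA", "RegSetValueExW", "RegCreateKeyA", "RegCreateKeyW",
    "RegCreateKeyExA", "RegCreateKeyExW", "RegDeleteValueA", "RegDeleteValueW",
}

@dataclass
class VTReport:
    filename: str = ""
    received: str = ""
    detections: int = 0                              # x in "Result: x/y"
    engines: int = 0                                 # y in "Result: x/y"
    verdicts: dict = field(default_factory=dict)     # engine -> detection name
    hashes: dict = field(default_factory=dict)       # MD5/SHA1/SHA256 -> hex
    compile_time: str = ""                           # PE timedatestamp, as text
    imports: dict = field(default_factory=dict)      # dll -> [function, ...]

def parse_report(text: str) -> VTReport:
    """Parse one pasted VirusTotal web report into a VTReport."""
    rep = VTReport()
    in_table = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Antivirus "):            # engine table header
            in_table = True
            continue
        if line in ("Additional information", "weitere Informationen"):
            in_table = False
            continue
        if in_table:                                 # only verdicts live here
            m = ENGINE_RE.match(line)
            if m and m.group(4) != "-":
                rep.verdicts[m.group(1)] = m.group(4)
            continue
        if m := HEADER_RE.match(line):
            rep.filename, rep.received = m.group(1), m.group(2)
        elif m := RESULT_RE.match(line):
            rep.detections, rep.engines = int(m.group(1)), int(m.group(2))
        elif m := HASH_RE.match(line):
            rep.hashes[m.group(1)] = m.group(2).lower()
        elif m := STAMP_RE.match(line):
            rep.compile_time = m.group(2)
        elif m := IMPORT_RE.match(line):
            funcs = [f.strip() for f in m.group(2).split(",")]
            rep.imports[m.group(1).strip().lower()] = [f for f in funcs if f not in ("", "-")]
    return rep

def registry_writers(rep: VTReport) -> list:
    """Imported APIs that modify the registry, sorted for stable output."""
    found = set()
    for funcs in rep.imports.values():
        found.update(f for f in funcs if f in REGISTRY_WRITE_APIS)
    return sorted(found)

def triage_notes(rep: VTReport) -> list:
    """Observations a triager records before trusting the detection ratio."""
    notes = []
    if len(rep.verdicts) != rep.detections:
        notes.append(f"result line says {rep.detections} detections, table lists {len(rep.verdicts)}")
    if rep.detections == 0:
        notes.append("no engine flags the file; an alert from a single product is likely a false positive")
    elif rep.detections <= 2:
        notes.append("one or two detections are often heuristic; check the detection names before acting")
    return notes
```

Feed `parse_report` the text of any report in this thread and compare `triage_notes` with the advice given in the replies.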

#9 MarkR42

MarkR42
  • Topic Starter

  • Members
  • 23 posts
  • Local time:01:11 AM

Posted 28 August 2009 - 06:22 PM

Here's another scan from Virus Total for athihvs.exe

Another strange thing has started happening....In all my personal folders there is an icon with desktop.ini....these were never there before...


File athihvs.dll received on 2009.08.28 23:19:34 (UTC)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED
Result: 0/41 (0%)
Additional information
File size: 393216 bytes
MD5...: 4a3814d2315cd9527f930c8a48a014f1
SHA1..: fc85a831b116fdb7dd1359713debd98551cc6133
SHA256: 80078ce536dc94374a8c6fc88ceaab65af92775fa546145ec5a26ea291a2f91c
ssdeep: 6144:l8/LzD7JrCM+oXiNGgS6fTDumtAxJM/hXBrtB5NLOgk/g:gzRZ+oSN5lfTSmUJMLeg
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x3888f
timedatestamp.....: 0x488e3a89 (Mon Jul 28 21:30:49 2008)
machinetype.......: 0x14c (I386)


( 2 exports )
Dot11ExtIhvGetVersionInfo, Dot11ExtIhvInitService
RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Win32 Executable MS Visual C++ (generic) (53.1%)
Windows Screen Saver (18.4%)
Win32 Executable Generic (12.0%)
Win32 Dynamic Link Library (generic) (10.6%)
Generic Win/DOS Executable (2.8%)


#10 Computer Pro

Computer Pro

  • Members
  • 2,448 posts
  • Gender:Male
  • Local time:07:11 PM

Posted 28 August 2009 - 08:21 PM

Hmm, strange, looks like false positives to me. Are you experiencing any other symptoms?
Computer Pro

#11 MarkR42

MarkR42
  • Topic Starter

  • Members
  • 23 posts
  • Local time:01:11 AM

Posted 29 August 2009 - 03:04 AM

Only symptoms I notice now, related or not, are:

-extremely slow browsing, especially with Firefox
-Firefox error "Firefox is already running...." where I have to constantly go to Task Manager and stop Firefox before I can open it
-out of nowhere are suddenly desktop.ini icons in all my personal files....I delete them, but they come back

Scan Spyware now finds also nothing...It is only RemoveIt that finds all the Sys32 threats.

Edited by MarkR42, 29 August 2009 - 03:08 AM.


#12 MarkR42

MarkR42
  • Topic Starter

  • Members
  • 23 posts
  • Local time:01:11 AM

Posted 29 August 2009 - 03:18 AM

Well, acovcnt.exe showed up in the Windows file again this morning, so here's the analysis from Virus Total:


Datei acovcnt.exe empfangen 2009.08.29 08:16:06 (UTC)
Status: Laden ... Wartend Warten Überprüfung Beendet Nicht gefunden Gestoppt
Ergebnis: 0/41 (0%)

#13 MarkR42

MarkR42
  • Topic Starter

  • Members
  • 23 posts
  • Local time:01:11 AM

Posted 29 August 2009 - 03:21 AM

Ooops, sorry, here's the scan in English:


File acovcnt.exe received on 2009.08.29 08:19:36 (UTC)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED
Result: 0/41 (0%)
Additional information
File size: 45056 bytes
MD5...: 6bcaf46e2b7fa9ace92b4d39f3037c5c
SHA1..: 6d5a81e3cf59832d73f28d6e87f51d073c3e4095
SHA256: aaf659e3d38ad04848a9c3ed6250b30dc13acc8ac9f527a11f0c14e6ec8735b2
ssdeep: 384:eswH94Z+gT87cSDxeHlxpCjkDADNZop8ZYNniy91AI1ZQSrS9E5l1wX:OHE5g7p8xQrN8niLI1ZQSeu5lG
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x1613
timedatestamp.....: 0x425539fb (Thu Apr 07 13:47:39 2005)
machinetype.......: 0x14c (I386)


( 0 exports )
RDS...: NSRL Reference Data Set
-
trid..: Win32 Executable MS Visual C++ (generic) (65.2%)
Win32 Executable Generic (14.7%)
Win32 Dynamic Link Library (generic) (13.1%)
Generic Win/DOS Executable (3.4%)
DOS Executable Generic (3.4%)
pdfid.: -
ThreatExpert info: http://www.threatexpert.com/report.aspx?md5=6bcaf46e2b7fa9ace92b4d39f3037c5c


#14 Computer Pro

Computer Pro

  • Members
  • 2,448 posts
  • Gender:Male
  • Local time:07:11 PM

Posted 29 August 2009 - 06:07 PM

What version of Firefox do you use?
Computer Pro

#15 MarkR42

MarkR42
  • Topic Starter

  • Members
  • 23 posts
  • Local time:01:11 AM

Posted 29 August 2009 - 06:29 PM

Firefox 3.5.2

I uninstalled and re-installed it today, but no change in the behavior.



