
A couple of FP's? AWhelper.dll & msvcrt.dll


Amethyst


This started off just being about AWhelper.dll, but when I ran a full scan in developer mode to provide here, it came up with another one as well, which came as a complete surprise to me.

The log:

Malwarebytes' Anti-Malware 1.44

Database version: 3886

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

20/03/2010 2:46:03 AM

mbam-log-2010-03-20 (02-45-52).txt

Scan type: Full Scan (C:\|)

Objects scanned: 285493

Time elapsed: 56 minute(s), 26 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 4

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 3

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CLASSES_ROOT\TypeLib\{661e32fd-a5f0-49bc-96cc-d872fe10a7dc} (AdWare.WebHancer) -> No action taken. [623991BF46CDB7DD76CBCF56F1BD161A]

HKEY_CLASSES_ROOT\Interface\{3296405e-e08f-4442-801e-3dcd2c6aa82c} (AdWare.WebHancer) -> No action taken. [623991BF46CDB7DD76CBCF56F1BD161A]

HKEY_CLASSES_ROOT\CLSID\{bf0118d4-63ff-4138-9327-f3028fb1a578} (AdWare.WebHancer) -> No action taken. [623991BF46CDB7DD76CBCF56F1BD161A]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{bf0118d4-63ff-4138-9327-f3028fb1a578} (AdWare.WebHancer) -> No action taken. [623991BF46CDB7DD76CBCF56F1BD161A]

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Program Files\PySol Solitaire\PySol-4.60\python\DLLs\msvcrt.dll (Malware.Packer.Gen) -> No action taken. [442236584EC3C37DF66DD5EE8AC2DBB9]

C:\System Volume Information\_restore{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP2058\A0318818.dll (AdWare.WebHancer) -> No action taken. [623991BF46CDB7DD76CBCF56F1BD161A]

C:\WINDOWS\Web\Wallpaper\welcome\AWhelper.dll (AdWare.WebHancer) -> No action taken. [623991BF46CDB7DD76CBCF56F1BD161A]

Re the AWhelper.dll--this first came up when I was running a scan with SuperAntispyware. I had left the room and returned to find the scan stalled midway through and a warning that MWB had stopped this adware from executing. I allowed it to be quarantined and figured I would look into it more later. I had to restore it to have Virustotal and Jotti check it, and here are the results:

http://www.virustotal.com/analisis/bd7ee0e4ec169250aa2a6a12d94e97d24485caab9f90628299723a3baddc2062-1269067549

http://virusscan.jotti.org/en/scanresult/a60af6f0cacb145ab8569997a38569d493ddbbbc

I saw in a thread from bleepingcomputer that a couple of years ago a version of this .dll with the same MD5 number had been flagged by Ikarus and it was decided back then that this was a false positive. I'm hesitant to act on it and the registry entries until I get the go ahead from you folks that these things are OK or bad and I can safely get rid of them.

The msvcrt.dll has to do with a solitaire game I've had for about 10 years now. I haven't played it for a long time, but it's rather fun. It comes up clean at virustotal and jotti:

http://virusscan.jotti.org/en/scanresult/ced12fa40d7a43d95eb926692592aabe4cacf50d

http://www.virustotal.com/analisis/c3d319089ab988f45a83c1bbd61d2d103e62ce01ae257b7053bf41fbbae8eee6-1269074381

In examining the properties, it looks totally legit and hasn't been modified since 1999.

I hope it's OK to attach the zipped files.

(Edited by OP to remove attachments)

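As an added example (not part of this thread and not Malwarebytes' own tooling), here is a small Python parser for the log format pasted above. It pulls each detection line into a record and then applies the triage reasoning the thread ends up using: a file hit whose detection family also has registry artifacts in the same log (the WebHancer TypeLib/Interface/CLSID keys alongside AWhelper.dll) is corroborated, whereas a lone generic packer hit with nothing else attached to it (msvcrt.dll, Malware.Packer.Gen) is the usual profile of a false positive and should be checked by hash on VirusTotal/Jotti before anything is deleted. It also makes one thing visible that is easy to misread: the bracketed 32-hex value at the end of each line is not a hash of the file, because the log reports the same value on registry keys and on the DLL, so it identifies the signature rather than the object. The sample lines are reproduced from the log above; the regexes, the `.Gen` heuristic and the verdict wording are my assumptions about the format, not anything Malwarebytes documents.

```python
import re
from collections import defaultdict

# Constructed sample in the MBAM 1.44 log layout shown in the post above
# (four of the seven detections, copied from that log).
SAMPLE_LOG = r"""
Registry Keys Infected:

HKEY_CLASSES_ROOT\TypeLib\{661e32fd-a5f0-49bc-96cc-d872fe10a7dc} (AdWare.WebHancer) -> No action taken. [623991BF46CDB7DD76CBCF56F1BD161A]

HKEY_CLASSES_ROOT\CLSID\{bf0118d4-63ff-4138-9327-f3028fb1a578} (AdWare.WebHancer) -> No action taken. [623991BF46CDB7DD76CBCF56F1BD161A]

Registry Values Infected:

(No malicious items detected)

Files Infected:

C:\Program Files\PySol Solitaire\PySol-4.60\python\DLLs\msvcrt.dll (Malware.Packer.Gen) -> No action taken. [442236584EC3C37DF66DD5EE8AC2DBB9]

C:\WINDOWS\Web\Wallpaper\welcome\AWhelper.dll (AdWare.WebHancer) -> No action taken. [623991BF46CDB7DD76CBCF56F1BD161A]
"""

# Section headers in the detail part of the log end with a bare colon; the
# summary lines near the top ("Registry Keys Infected: 4") do not match this.
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")

# "<item> (<detection name>) -> <action>. [<32 hex chars>]" -- assumed layout.
ITEM_RE = re.compile(
    r"^(?P<item>.+?) \((?P<name>[^()]+)\) -> (?P<action>[^.]+)\. \[(?P<sig>[0-9A-F]{32})\]$"
)


def parse_mbam_log(text):
    """Return one dict per detection: section, item, name, action, sig."""
    detections = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "(No malicious items detected)":
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("section")
            continue
        m = ITEM_RE.match(line)
        if m and section:
            detections.append({"section": section, **m.groupdict()})
    return detections


def signature_ids(detections):
    """Map detection name -> set of bracketed ids seen for it.

    One id per family across registry keys and files shows the value is a
    signature identifier, not a file hash you could paste into VirusTotal.
    """
    ids = defaultdict(set)
    for d in detections:
        ids[d["name"]].add(d["sig"])
    return dict(ids)


def triage(detections):
    """Map each file path to a verdict based on corroborating artifacts.

    A file hit is 'corroborated' when other sections (registry keys, values,
    folders) carry hits with the same detection name; a generic '.Gen'
    heuristic hit standing alone is the false-positive profile.
    """
    by_name = defaultdict(lambda: {"files": [], "other": 0})
    for d in detections:
        bucket = by_name[d["name"]]
        if d["section"] == "Files Infected":
            bucket["files"].append(d["item"])
        else:
            bucket["other"] += 1

    report = {}
    for name, b in by_name.items():
        generic = name.endswith(".Gen")  # assumed naming convention
        for path in b["files"]:
            if b["other"] > 0:
                verdict = f"corroborated by {b['other']} non-file artifact(s) of {name}"
            elif generic:
                verdict = "lone generic heuristic hit: verify the file hash externally before acting"
            else:
                verdict = "named family but no other artifacts: verify before acting"
            report[path] = verdict
    return report


if __name__ == "__main__":
    dets = parse_mbam_log(SAMPLE_LOG)
    for path, verdict in triage(dets).items():
        print(f"{path}\n    {verdict}")
    for name, ids in signature_ids(dets).items():
        print(f"{name}: {len(ids)} distinct bracketed id(s)")
```

To run it over a real log, read the file into `parse_mbam_log` instead of `SAMPLE_LOG`; the verdicts are a starting point for deciding what to submit to a multi-engine scanner, not a replacement for doing so.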

msvcrt.dll <- this file was modified but not in a malicious way and that caused the detection; it will be fixed in the next update.

The other file may be one you have to add to the ignore list as WebHancer has a long adware history; I am still looking that one over.


Edited to add: Thanks, Nosirrah. by the time I hit the 'submit' button, you had already posted, so I'm editing. :huh: (Looks like the jury is still out on this awhelper.dll.)

The awhelper.dll is in a list of Kaspersky false positives mentioned here:

http://forums.whatthetech.com/Look_my_HJT_Log_t110849.html

I see in other message board threads related to threat removal, however, people are being advised to remove it.


@Nosirrah,

Sorry to bother you, but any further thoughts on that awhelper.dll? :)

I had had MWB put it on the ignore list, along with the related registry entries, but the protection logs show a detection of just the dll itself (allowed), but only when this .dll is scanned by SuperAntispyware. (I run SAS on demand daily. When I right-click scanned this dll with SAS, MWB logs a detection for the dll as well. Other than that, awhelper.dll doesn't seem to be doing anything.)

The Windows\Web\Wallpaper folder on my other system only has images. The one on the computer involved with this scan includes, along with the wallpaper images, a "Welcome" folder with some icon files, a js file, and this .dll. In the Welcome folder is also an icon that looks like it should open a Firefox browser page, but it actually doesn't lead to anything outside of the computer itself.

Edited to add that I just removed awhelper.dll and the related registry entries from the ignore list, ran a quick scan, and it came up with nothing. Likely what will happen, though, is if I run my routine SAS scan, awhelper.dll may pop up as a detection and MWB will stall SAS until I deal with it. I've zipped a copy of the .dll into a folder on an external drive and I'll quarantine it if it comes up again. I don't see anyone having any problems by NOT having this file. I'm still seeing mixed reviews about this online.
