Can someone check this one please?

1972vet · February 4, 2009

It's only been detected with the latest update. I've had this file for quite some time now:

2/4/09

Files Infected:

E:\Program Files\QuickTime Alternative\QuickTimePlayer.exe (Adware.SearchIt99) -> No action taken.

2/3/09

These reg entries too please:

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services (Trojan.Agent) -> Quarantined and deleted successfully.

nosirrah · February 5, 2009

Run\services <- this is malware in all cases I have seen , if you have info on clean software using it please let me know .

1972vet · February 5, 2009

The entry comes from my own system...the full log here:

Malwarebytes' Anti-Malware 1.33
Database version: 1721
Windows 5.1.2600 Service Pack 3
2/3/2009 4:52:18 PM
mbam-log-2009-02-03 (16-52-18).txt
Scan type: Full Scan (C:\|E:\|F:\|)
Objects scanned: 243698
Time elapsed: 2 hour(s), 16 minute(s), 59 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services (Trojan.Agent) -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)

...and was from a full system scan. The scan finds nothing from a quick scan but this full scan squawked about those reg entries and reference no files. Nothing else I have run complains of a thing either. (Antivir, AVZ, SB S&D, SAS, ComodoA/V)

I've not run a full scan before so I couldn't tell you what application may have caused this or perhaps, which update...I just think it's a FP since I have no issues and no other app that complains.

MysteryFCM · February 5, 2009

I used to use QT Alternative (aswell as RT Alternative) and unless they've changed recently, it's an F/P as that program used to be 100% clean.

I'll download a fresh copy of it and find out

MysteryFCM · February 5, 2009

Okie, installed QTA and am not seeing either of those reg keys?

QuickTimePlayer.exe is the uninstaller for it, so unless somethings infected it, I've not got an answer for this one.

nosirrah · February 5, 2009

http://www.malwarebytes.org/forums/index.php?showtopic=3228

I need a dev log please .

1972vet · February 5, 2009

OK, since you've said it's malware I'm in the process now of doing some deeper investigative scans (all files and drives)...rootkit scans, malware/virus scans...when this completes, I'll see about restoring those entries and scan again in developer mode to save the log.

1972vet · February 5, 2009

OK Bruce...interesting findings. Originally of course, mbam found this but as stated, only after a full system scan. Now, after restoring the items, mbam finds nothing either quick scan or full scan but SAS did. Below are the logs. By the way, did you still want me to run the scan in developer mode?

Spybot S&D:Nothing

Comodo:Nothing

BlackLight:Nothing

gmer:NothingRemarkable

ROOTREPEAL © AD, 2007-2008

==================================================

Scan Time: 2009/02/05 11:12

Program Version: Version 1.0.2.0

Windows Version: Windows XP SP3

==================================================

Drivers

-------------------

Name: dump_atapi.sys

Image Path: E:\WINDOWS\System32\Drivers\dump_atapi.sys

Address: 0xB6E01000 Size: 98304 File Visible: No

Status: -

Name: dump_WMILIB.SYS

Image Path: E:\WINDOWS\System32\Drivers\dump_WMILIB.SYS

Address: 0xBADF2000 Size: 8192 File Visible: No

Status: -

Name: PAGEDFRG.SYS

Image Path: E:\WINDOWS\system32\Drivers\PAGEDFRG.SYS

Address: 0xBAF88000 Size: 1664 File Visible: No

Status: -

Name: RootRepeal.sys

Image Path: E:\WINDOWS\system32\drivers\RootRepeal.sys

Address: 0xB59DD000 Size: 40960 File Visible: No

Status: -

Name: uphcleanhlp.sys

Image Path: E:\WINDOWS\system32\Drivers\uphcleanhlp.sys

Address: 0xB53A0000 Size: 8960 File Visible: No

Status: -

Antivir:E:\System Volume Information\_restore{553ECCAA-42A4-47E2-85CC-A8A376539570}\RP245\A0091853.exe

[DETECTION] Is the TR/Trash.Gen Trojan

[NOTE] The file was deleted!

Since nothing was found except in system restore, I doubt this finding is valid...deleting a s/r file causes me no heartburn either.

MBAM normal scheduled scan (Quick Scan) again this morning finds nothing during it's normal quickscan mode even after I restored these findings...however, SAS found those same entries during a quick scan this morning:

Malwarebytes' Anti-Malware 1.33

Database version: 1731

Windows 5.1.2600 Service Pack 3

2/5/2009 9:08:35 AM

mbam-log-2009-02-05 (09-08-35).txt

Scan type: Quick Scan

Objects scanned: 48219

Time elapsed: 2 minute(s), 15 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected: