Can someone check this one please?


1972vet

It's only been detected with the latest update. I've had this file for quite some time now:

2/4/09

Files Infected:

E:\Program Files\QuickTime Alternative\QuickTimePlayer.exe (Adware.SearchIt99) -> No action taken.

2/3/09

These reg entries too please:

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services (Trojan.Agent) -> Quarantined and deleted successfully.

The entry comes from my own system...the full log here:

Malwarebytes' Anti-Malware 1.33

Database version: 1721

Windows 5.1.2600 Service Pack 3

2/3/2009 4:52:18 PM

mbam-log-2009-02-03 (16-52-18).txt

Scan type: Full Scan (C:\|E:\|F:\|)

Objects scanned: 243698

Time elapsed: 2 hour(s), 16 minute(s), 59 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 2

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

...and was from a full system scan. The scan finds nothing from a quick scan, but this full scan squawked about those reg entries and referenced no files. Nothing else I have run complains of a thing either (Antivir, AVZ, SB S&D, SAS, Comodo A/V).

I've not run a full scan before, so I couldn't tell you what application may have caused this or, perhaps, which update... I just think it's an FP since I have no issues and no other app that complains.

OK, since you've said it's malware, I'm in the process now of doing some deeper investigative scans (all files and drives)... rootkit scans, malware/virus scans... When this completes, I'll see about restoring those entries and scanning again in developer mode to save the log.

OK Bruce... interesting findings. Originally, of course, MBAM found this but, as stated, only after a full system scan. Now, after restoring the items, MBAM finds nothing on either a quick scan or a full scan, but SAS did. Below are the logs. By the way, did you still want me to run the scan in developer mode?

Spybot S&D: Nothing

Comodo: Nothing

BlackLight: Nothing

gmer: Nothing remarkable

ROOTREPEAL © AD, 2007-2008

==================================================

Scan Time: 2009/02/05 11:12

Program Version: Version 1.0.2.0

Windows Version: Windows XP SP3

==================================================

Drivers

-------------------

Name: dump_atapi.sys

Image Path: E:\WINDOWS\System32\Drivers\dump_atapi.sys

Address: 0xB6E01000 Size: 98304 File Visible: No

Status: -

Name: dump_WMILIB.SYS

Image Path: E:\WINDOWS\System32\Drivers\dump_WMILIB.SYS

Address: 0xBADF2000 Size: 8192 File Visible: No

Status: -

Name: PAGEDFRG.SYS

Image Path: E:\WINDOWS\system32\Drivers\PAGEDFRG.SYS

Address: 0xBAF88000 Size: 1664 File Visible: No

Status: -

Name: RootRepeal.sys

Image Path: E:\WINDOWS\system32\drivers\RootRepeal.sys

Address: 0xB59DD000 Size: 40960 File Visible: No

Status: -

Name: uphcleanhlp.sys

Image Path: E:\WINDOWS\system32\Drivers\uphcleanhlp.sys

Address: 0xB53A0000 Size: 8960 File Visible: No

Status: -

Antivir: E:\System Volume Information\_restore{553ECCAA-42A4-47E2-85CC-A8A376539570}\RP245\A0091853.exe

[DETECTION] Is the TR/Trash.Gen Trojan

[NOTE] The file was deleted!

Since nothing was found except in System Restore, I doubt this finding is valid... deleting an S/R file causes me no heartburn either.

MBAM's normal scheduled scan (Quick Scan) again this morning finds nothing during its normal quick-scan mode, even after I restored these findings... however, SAS found those same entries during a quick scan this morning:

Malwarebytes' Anti-Malware 1.33

Database version: 1731

Windows 5.1.2600 Service Pack 3

2/5/2009 9:08:35 AM

mbam-log-2009-02-05 (09-08-35).txt

Scan type: Quick Scan

Objects scanned: 48219

Time elapsed: 2 minute(s), 15 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

SAS:

Adware.MyWebSearch/FunWebProducts [2 items]

Registry Keys:

HKCR\CLSID\{9AFB8248-617F-460d-9366-D71CDEDA3179}

HKCR\CLSID\{9AFB8248-617F-460d-9366-D71CDEDA3179}\TreatAs

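Neither log above shows what the flagged items actually point to: the MBAM entries name a Run value called "services" under HKLM and HKCU but no file, and the SAS entries name a CLSID with a TreatAs subkey but not the object it redirects to. Whether either is a false positive turns on exactly that data. The following PowerShell script is an added triage example, not code from the thread or from Malwarebytes or SUPERAntiSpyware; it assumes PowerShell 4 or later (for Get-FileHash and Get-AuthenticodeSignature) run from an elevated prompt on the affected machine, and it is read-only. It resolves every Run value in the two locations MBAM named to the executable it launches, reports whether that file exists, its SHA-256 and its Authenticode status, then follows the SAS-reported CLSID's TreatAs redirect to the InprocServer32 DLL that COM would load in its place.

```powershell
# Added triage script (not part of the original thread).
# Assumes PowerShell 4+ on the affected Windows host, elevated. Read-only.

# The two Run locations MBAM flagged (value name "services" in both).
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

# HKCR is not mapped as a drive by default; map it so the SAS hit can be read.
if (-not (Get-PSDrive -Name HKCR -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
}

function Get-ImagePath {
    # Reduce a Run value's command line to the executable it launches:
    # expand %VARS%, honour a quoted path, otherwise cut at the first ".exe".
    param([string]$CommandLine)
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 1) { return $cmd.Substring(1, $end - 1) }
    }
    $m = [regex]::Match($cmd, '^(.+?\.exe)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($cmd -split ' ')[0]
}

function Get-FileFacts {
    # Hash and signature status of a target file. A missing file is itself
    # a finding: an orphaned autorun value that points nowhere.
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        return [pscustomobject]@{ Exists = $false; SHA256 = $null; Signature = 'FileMissing' }
    }
    [pscustomobject]@{
        Exists    = $true
        SHA256    = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        Signature = (Get-AuthenticodeSignature -LiteralPath $Path).Status
    }
}

'== Run values =='
foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $k = Get-Item -Path $key
    foreach ($name in $k.GetValueNames()) {
        $data  = [string]$k.GetValue($name)
        $image = Get-ImagePath $data
        $facts = Get-FileFacts $image
        [pscustomobject]@{
            Key = $key; Name = $name; Data = $data; Image = $image
            Exists = $facts.Exists; Signature = $facts.Signature; SHA256 = $facts.SHA256
        }
    }
}

'== CLSID TreatAs =='
# The SAS hit: a CLSID carrying a TreatAs subkey. TreatAs tells COM to
# instantiate a different CLSID in place of this one, so follow it to the
# DLL that would actually be loaded.
$clsid = 'HKCR:\CLSID\{9AFB8248-617F-460d-9366-D71CDEDA3179}'
if (Test-Path -Path "$clsid\TreatAs") {
    $target = (Get-ItemProperty -Path "$clsid\TreatAs").'(default)'
    $server = "HKCR:\CLSID\$target\InprocServer32"
    $dll = if (Test-Path -Path $server) { (Get-ItemProperty -Path $server).'(default)' } else { $null }
    [pscustomobject]@{
        CLSID          = $clsid
        TreatAs        = $target
        InprocServer32 = $dll
        Facts          = if ($dll) { Get-FileFacts ([Environment]::ExpandEnvironmentVariables($dll)) }
                         else { 'NoServerRegistered' }
    }
} else {
    "No TreatAs subkey under $clsid (already removed, or never present)"
}
```

Read the output with the thread's question in mind: a Run value named "services" whose Data is empty or whose Image no longer exists is the pattern left behind after a removal tool quarantines the dropped file but a later scan still sees the orphaned value, whereas a value that resolves to an unsigned executable in a user-writable directory is worth submitting for analysis rather than restoring. For the TreatAs key, the decisive fact is the InprocServer32 path it ends at, not the CLSID string the scanner printed.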
