1972vet

Can someone check this one please?


It's only been detected with the latest update. I've had this file for quite some time now:

2/4/09

Files Infected:

E:\Program Files\QuickTime Alternative\QuickTimePlayer.exe (Adware.SearchIt99) -> No action taken.

2/3/09

These reg entries too please:

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services (Trojan.Agent) -> Quarantined and deleted successfully.


Run\services <- this is malware in all cases I have seen , if you have info on clean software using it please let me know .


The entry comes from my own system...the full log here:

Malwarebytes' Anti-Malware 1.33

Database version: 1721

Windows 5.1.2600 Service Pack 3

2/3/2009 4:52:18 PM

mbam-log-2009-02-03 (16-52-18).txt

Scan type: Full Scan (C:\|E:\|F:\|)

Objects scanned: 243698

Time elapsed: 2 hour(s), 16 minute(s), 59 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 2

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

...and was from a full system scan. The scan finds nothing from a quick scan, but this full scan squawked about those reg entries and referenced no files. Nothing else I have run complains of a thing either. (Antivir, AVZ, SB S&D, SAS, Comodo A/V)

I've not run a full scan before so I couldn't tell you what application may have caused this or perhaps, which update...I just think it's a FP since I have no issues and no other app that complains.

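An added example, not code from the thread or from Malwarebytes: a small Python triage that parses the MBAM 1.33 log layout quoted above and groups findings the way the thread reasons about them, singling out Run values named `services` (the entry the responder reports as malware in every case seen) and separating old restore-point copies from live files. The sample log is constructed from lines in the thread, and the section and detection-line patterns are assumptions about the log format rather than a published specification.

```python
import re
from collections import namedtuple

# Constructed sample in the Malwarebytes' Anti-Malware 1.33 log layout quoted in the thread.
SAMPLE_LOG = """\
Malwarebytes' Anti-Malware 1.33
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\services (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\services (Trojan.Agent) -> Quarantined and deleted successfully.
Files Infected:
E:\\Program Files\\QuickTime Alternative\\QuickTimePlayer.exe (Adware.SearchIt99) -> No action taken.
E:\\System Volume Information\\_restore{553ECCAA-42A4-47E2-85CC-A8A376539570}\\RP245\\A0091853.exe (TR/Trash.Gen) -> Quarantined and deleted successfully.
"""

DETECTION = re.compile(r"^(?P<item>.+?) \((?P<name>[^()]+)\) -> (?P<action>.+)$")  # assumed line shape
SECTION = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")                       # assumed header shape
# Autorun value names the thread's responder reports as malware in every case seen.
SUSPECT_RUN_VALUES = {"services"}
Detection = namedtuple("Detection", "section item name action")

def parse_mbam_log(text):
    """Return one Detection per finding line, tagged with the section it sits under."""
    found, section = [], None
    for line in text.splitlines():
        line = line.strip()
        m = SECTION.match(line)
        if m:
            section = m.group("section")
            continue
        m = DETECTION.match(line)
        if m and section:  # "(No malicious items detected)" has no "->" and is skipped
            found.append(Detection(section, *m.group("item", "name", "action")))
    return found

def triage(dets):
    """Group findings: Run-key persistence, restore-point leftovers, everything else."""
    groups = {"autorun": [], "restore_point": [], "file": []}
    for d in dets:
        parts = d.item.split("\\")
        if (d.section.startswith("Registry Values") and len(parts) >= 2
                and parts[-2].lower() == "run" and parts[-1].lower() in SUSPECT_RUN_VALUES):
            groups["autorun"].append(d)  # persistence value under ...\CurrentVersion\Run
        elif "system volume information\\_restore" in d.item.lower():
            groups["restore_point"].append(d)  # old restore-point copy, not a live file
        else:
            groups["file"].append(d)
    return groups
```

Anything landing in the autorun group is worth checking on the live system regardless of whether the scanner also named a file, which is the distinction the thread turns on.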

I used to use QT Alternative (as well as RT Alternative) and unless they've changed recently, it's an F/P as that program used to be 100% clean.

I'll download a fresh copy of it and find out :D


Okie, installed QTA and am not seeing either of those reg keys?

QuickTimePlayer.exe is the uninstaller for it, so unless something's infected it, I've not got an answer for this one.


OK, since you've said it's malware I'm in the process now of doing some deeper investigative scans (all files and drives)...rootkit scans, malware/virus scans...when this completes, I'll see about restoring those entries and scan again in developer mode to save the log.


OK Bruce...interesting findings. Originally of course, mbam found this but as stated, only after a full system scan. Now, after restoring the items, mbam finds nothing either quick scan or full scan but SAS did. Below are the logs. By the way, did you still want me to run the scan in developer mode?

Spybot S&D: Nothing

Comodo: Nothing

BlackLight: Nothing

gmer: Nothing remarkable

ROOTREPEAL © AD, 2007-2008

==================================================

Scan Time: 2009/02/05 11:12

Program Version: Version 1.0.2.0

Windows Version: Windows XP SP3

==================================================

Drivers

-------------------

Name: dump_atapi.sys

Image Path: E:\WINDOWS\System32\Drivers\dump_atapi.sys

Address: 0xB6E01000 Size: 98304 File Visible: No

Status: -

Name: dump_WMILIB.SYS

Image Path: E:\WINDOWS\System32\Drivers\dump_WMILIB.SYS

Address: 0xBADF2000 Size: 8192 File Visible: No

Status: -

Name: PAGEDFRG.SYS

Image Path: E:\WINDOWS\system32\Drivers\PAGEDFRG.SYS

Address: 0xBAF88000 Size: 1664 File Visible: No

Status: -

Name: RootRepeal.sys

Image Path: E:\WINDOWS\system32\drivers\RootRepeal.sys

Address: 0xB59DD000 Size: 40960 File Visible: No

Status: -

Name: uphcleanhlp.sys

Image Path: E:\WINDOWS\system32\Drivers\uphcleanhlp.sys

Address: 0xB53A0000 Size: 8960 File Visible: No

Status: -

Antivir: E:\System Volume Information\_restore{553ECCAA-42A4-47E2-85CC-A8A376539570}\RP245\A0091853.exe

[DETECTION] Is the TR/Trash.Gen Trojan

[NOTE] The file was deleted!

Since nothing was found except in system restore, I doubt this finding is valid...deleting a s/r file causes me no heartburn either.

MBAM normal scheduled scan (Quick Scan) again this morning finds nothing during its normal quick scan mode even after I restored these findings...however, SAS found those same entries during a quick scan this morning:

Malwarebytes' Anti-Malware 1.33

Database version: 1731

Windows 5.1.2600 Service Pack 3

2/5/2009 9:08:35 AM

mbam-log-2009-02-05 (09-08-35).txt

Scan type: Quick Scan

Objects scanned: 48219

Time elapsed: 2 minute(s), 15 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

SAS:

Adware.MyWebSearch/FunWebProducts [2 items]

Registry Keys:

HKCR\CLSID\{9AFB8248-617F-460d-9366-D71CDEDA3179}

HKCR\CLSID\{9AFB8248-617F-460d-9366-D71CDEDA3179}\TreatAs
