br101 Posted August 14, 2009

Hi. I ran a scan with a-squared Free here and it detected malware called Gen.TDSS!IK in the file msvcrt.dll. I sent it to VirusTotal and only a-squared and Ikarus detect it. Is this a false positive, or do I have a rootkit here?

VirusTotal results

Avira, Prevx, Malwarebytes and SUPERAntiSpyware detected nothing here. I don't know whether my system is clean. Please analyze my logs.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:22:30, on 14/8/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\Avira\AntiVir Desktop\sched.exe
C:\Arquivos de programas\Avira\AntiVir Desktop\avguard.exe
C:\Arquivos de programas\Prevx\prevx.exe
C:\Arquivos de programas\PC Tools Firewall Plus\FWService.exe
C:\Arquivos de programas\Macrium\Reflect\ReflectService.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Arquivos de programas\Prevx\prevx.exe
C:\WINDOWS\Explorer.EXE
C:\Arquivos de programas\Microsoft IntelliPoint\ipoint.exe
C:\Arquivos de programas\BillP Studios\WinPatrol\winpatrol.exe
C:\Arquivos de programas\PC Tools Firewall Plus\FirewallGUI.exe
C:\Arquivos de programas\Avira\AntiVir Desktop\avgnt.exe
C:\Arquivos de programas\RALINK\Common\RaUI.exe
C:\Arquivos de programas\Microsoft IntelliPoint\dpupdchk.exe
C:\Arquivos de programas\Opera 10 Beta\Opera.exe
C:\Arquivos de programas\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Arquivos de programas\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Arquivos de programas\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [intelliPoint] "C:\Arquivos de programas\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\Arquivos de programas\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [00PCTFW] "C:\Arquivos de programas\PC Tools Firewall Plus\FirewallGUI.exe" -s
O4 - HKLM\..\Run: [avgnt] "C:\Arquivos de programas\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O4 - Global Startup: Ralink Wireless Utility.lnk = C:\Arquivos de programas\RALINK\Common\RaUI.exe
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Preencher - file://C:\Arquivos de programas\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Preencher - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Arquivos de programas\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Preencher - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Arquivos de programas\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1218637684484
O16 - DPF: {E001C731-5E37-4538-A5CB-8168736A2360} (ActiveQscan Control) - http://qscan.bitdefender.com/cab/ActiveQscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{477F5228-2AD3-46CE-9F1D-A92DD32EB349}: NameServer = 30.20.10.1 208.67.220.220
O17 - HKLM\System\CCS\Services\Tcpip\..\{97E24F12-18C1-4029-9FD1-70E0B45398F9}: NameServer = 208.67.222.222,208.67.220.220
O17 - HKLM\System\CS1\Services\Tcpip\..\{477F5228-2AD3-46CE-9F1D-A92DD32EB349}: NameServer = 30.20.10.1 208.67.220.220
O20 - Winlogon Notify: !SASWinLogon - C:\Arquivos de programas\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Arquivos de programas\Arquivos comuns\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Arquivos de programas\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Arquivos de programas\Avira\AntiVir Desktop\avguard.exe
O23 - Service: CSIScanner - Prevx - C:\Arquivos de programas\Prevx\prevx.exe
O23 - Service: PC Tools Firewall Plus (PCToolsFirewallPlus) - PC Tools - C:\Arquivos de programas\PC Tools Firewall Plus\FWService.exe
O23 - Service: Ralink Registry Writer (RalinkRegistryWriter) - Ralink Technology, Corp. - C:\Arquivos de programas\RALINK\Common\RalinkRegistryWriter.exe
O23 - Service: Macrium Reflect Image Mounting Service (ReflectService) - Unknown owner - C:\Arquivos de programas\Macrium\Reflect\ReflectService.exe

--
End of file - 5486 bytes

Thanks!
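When reading a HijackThis log like the one above, a reviewer does not read every line with equal weight: the O17 (DNS NameServer), O10 (Winsock LSP), O20 (Winlogon Notify), O23 (services) and O4 (run keys) sections are where persistence and traffic redirection show up, so they get checked first. The script below is an added example, not code from the thread or from HijackThis, that parses the "Onn - ..." entry lines and surfaces exactly those sections for manual review. The sample input is a handful of lines copied from the posted log; the DNS allowlist (the two OpenDNS resolvers that appear in the log) is an assumption chosen for the example, and a flagged entry means "look at this", not "this is malicious".

```python
"""Triage helper for HijackThis-style logs (added example, not from the thread)."""
import re

# Constructed sample: lines taken from the log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avgnt] "C:\Arquivos de programas\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{477F5228-2AD3-46CE-9F1D-A92DD32EB349}: NameServer = 30.20.10.1 208.67.220.220
O17 - HKLM\System\CCS\Services\Tcpip\..\{97E24F12-18C1-4029-9FD1-70E0B45398F9}: NameServer = 208.67.222.222,208.67.220.220
O20 - Winlogon Notify: !SASWinLogon - C:\Arquivos de programas\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Arquivos de programas\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Macrium Reflect Image Mounting Service (ReflectService) - Unknown owner - C:\Arquivos de programas\Macrium\Reflect\ReflectService.exe
"""

# Assumption for this example: resolvers the reviewer expects to see.
# Anything else is surfaced for a manual check, not declared malicious.
DNS_ALLOWLIST = {"208.67.222.222", "208.67.220.220"}

# Every HijackThis entry line looks like "O17 - <body>" / "R1 - <body>".
ENTRY = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")


def parse_entries(log_text):
    """Return (section, body) pairs for every entry line in the log."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def triage(log_text):
    """Surface the entries a reviewer checks by hand.

    Each finding is a dict with the section, a short reason and the detail
    that triggered it, in the order the entries appear in the log.
    """
    findings = []
    for section, body in parse_entries(log_text):
        if section == "O17":
            # "NameServer = a.b.c.d e.f.g.h" (space or comma separated)
            _, _, value = body.partition("NameServer = ")
            servers = [s for s in re.split(r"[ ,]+", value.strip()) if s]
            unknown = [s for s in servers if s not in DNS_ALLOWLIST]
            if unknown:
                findings.append({"section": section,
                                 "reason": "DNS server not in allowlist",
                                 "detail": " ".join(unknown)})
        elif section == "O10":
            # HijackThis itself could not identify the LSP module.
            findings.append({"section": section,
                             "reason": "Winsock LSP HijackThis could not identify",
                             "detail": body})
        elif section == "O20":
            # Winlogon Notify DLLs are loaded into winlogon.exe at logon.
            findings.append({"section": section,
                             "reason": "Winlogon Notify handler",
                             "detail": body})
        elif section == "O23":
            # "Service: <name> - <owner> - <path>"
            parts = body.split(" - ")
            owner = parts[1] if len(parts) >= 3 else ""
            if owner == "Unknown owner":
                findings.append({"section": section,
                                 "reason": "service binary has no publisher",
                                 "detail": parts[-1]})
        elif section == "O4" and "rundll32" in body.lower():
            # rundll32 run entries execute whatever DLL export they name.
            findings.append({"section": section,
                             "reason": "run entry executes via rundll32",
                             "detail": body})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['section']}: {f['reason']} -> {f['detail']}")
```

On the sample this surfaces five entries: the nLite RunOnce line, the nwprovau.dll LSP, the 30.20.10.1 resolver, the SUPERAntiSpyware Winlogon hook and the Macrium service. All five correspond to software the poster's log shows installed; the point of the script is to shorten the list a human has to look at, not to replace that look.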
miekiemoes (Staff) Posted August 18, 2009

Hi,

Please send the file to Ikarus and a-squared so they can fix this detection.
br101 (Author) Posted August 18, 2009

Hi miekiemoes. OK, but are my logs clean? Thanks.
miekiemoes (Staff) Posted August 18, 2009

Hi,

Yes, they are clean, otherwise I would have told you.
miekiemoes (Staff) Posted August 24, 2009

Since this issue appears resolved, this topic is closed.

If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter. Everyone else please begin a new topic.