I was wondering if anyone else has had this particular file infection detected yet. Only after updating MBAM this evening have I ever had an infection detected. All scans prior to today's have not detected any infections. Could this be a false positive? I also ran the developer mode of MBAM and it did not detect any infections. I have since then deleted the offending file out of the MBAM quarantine.
Malwarebytes' Anti-Malware 1.34
Database version: 1790
Windows 5.1.2600 Service Pack 3
2/21/2009 8:19:35 PM
mbam-log-2009-02-21 (20-19-35).txt
Scan type: Full Scan (C:\|)
Objects scanned: 81861
Time elapsed: 5 minute(s), 3 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\$NtServicePackUninstall$\msmsgs.exe (Trojan.Autorun) -> Quarantined and deleted successfully.
------------------------------------------------------------------
HiJackThis log after the MBAM scan and removal process:
------------------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:27:29 PM, on 2/21/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1228955025250
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O20 - AppInit_DLLs:
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: Creative Audio Engine Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe
O23 - Service: Creative Audio Service (CTAudSvcService) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTAudSvc.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - Unknown owner - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
Updated MBAM this evening and detected one infected object.
Started by tranquilview, Feb 22 2009 02:38 AM
#1
Posted 22 February 2009 - 02:38 AM
#2
Posted 22 February 2009 - 03:42 AM
#3
Posted 22 February 2009 - 04:23 AM
Hello,
I'm finding it also, but when I right-click scan msmsgs.exe MBAM doesn't say anything, so I scanned
it at virscan and found nothing.
I do not use Windows Messenger at all.
Malwarebytes' Anti-Malware 1.34
Database version: 1790
Windows 5.1.2600 Service Pack 3
2/21/2009 7:25:28 PM
mbam-log-2009-02-21 (19-25-20).txt
Scan type: Full Scan (C:\|)
Objects scanned: 103038
Time elapsed: 9 minute(s), 51 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\$NtUninstallKB887472$\msmsgs.exe (Trojan.Autorun) -> No action taken. [6722202021207170231766202070702423226819212423692217691924671923]
virscan log
VirSCAN.org Scanned Report :
Scanned time : 2009/02/22 11:30:10 (CST)
Scanner results: All Scanners reported not find malware!
File Name : msmsgs.exe
File Size : 1694208 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : 74e6e96c6f0e2eca4edbb7f7a468f259
SHA1 : 1b4729d1bd15e4d48422ecb5730959390c0be1c7
Online report : http://virscan.org/report/4835c1051421c251...91e32cc194.html
Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.0.0.32 20090221170551 2009-02-21 2.62 -
AhnLab V3 2009.02.21.00 2009.02.21 2009-02-21 1.12 -
AntiVir 7.9.0.87 7.1.2.59 2009-02-21 1.87 -
Antiy 2.0.18 20090222.2199698 2009-02-22 0.12 -
Authentium 5.1.1 200902211511 2009-02-21 1.19 -
AVAST! 3.0.1 090221-0 2009-02-21 0.09 -
AVG 7.5.52.442 270.11.2/1965 2009-02-21 1.95 -
BitDefender 7.81008.2680327 7.23804 2009-02-22 2.54 -
CA (VET) 9.0.0.143 31.6.6368 2009-02-21 4.61 -
ClamAV 0.94.2 9022 2009-02-22 0.32 -
Comodo 3.8 986 2009-02-20 0.45 -
CP Secure 1.1.0.715 2009.02.21 2009-02-21 7.11 -
Dr.Web 4.44.0.9170 2009.02.22 2009-02-22 4.06 -
F-Prot 4.4.4.56 20090221 2009-02-21 1.17 -
F-Secure 5.51.6100 2009.02.22.01 2009-02-22 0.10 -
Fortinet 2.81-3.117 10.71 2009-02-21 0.31 -
GData 19.3306/19.233 20090222 2009-02-22 3.34 -
ViRobot 20090220 2009.02.20 2009-02-20 0.98 -
Ikarus T3.1.01.45 2009.02.22.72336 2009-02-22 3.75 -
JiangMin 11.0.706 2009.02.21 2009-02-21 1.50 -
Kaspersky 5.5.10 2009.02.22 2009-02-22 0.07 -
KingSoft 2009.2.5.15 2009.2.21.20 2009-02-21 0.67 -
McAfee 5.3.00 5532 2009-02-21 3.11 -
Microsoft 1.4306 2009.02.22 2009-02-22 4.86 -
mks_vir 2.01 2009.02.21 2009-02-21 2.78 -
Norman 6.00.06 6.00.00 2009-02-20 8.01 -
Panda 9.05.01 2009.02.21 2009-02-21 1.66 -
Trend Micro 8.700-1004 5.860.23 2009-02-21 0.03 -
Quick Heal 10.00 2009.02.20 2009-02-20 1.41 -
Rising 20.0 21.17.52.00 2009-02-21 1.74 -
Sophos 2.83.3 4.38 2009-02-22 2.60 -
Sunbelt 4819 4819 2009-02-16 0.50 -
Symantec 1.3.0.24 20090221.004 2009-02-21 0.07 -
nProtect 20090222.01 3175936 2009-02-22 3.87 -
The Hacker 6.3.2.4 v00263 2009-02-21 0.58 -
VBA32 3.12.10.0 20090221.1740 2009-02-21 2.02 -
VirusBuster 4.5.11.10 10.101.21/930783 2009-02-21 1.61 -
thanks
AMD 3500+
2gb memory
Win Xp Pro MCE sp3
Avira Pe v9
Malwarebytes
Superantispyware pro
Sandboxie
#4
Posted 22 February 2009 - 04:45 AM
Hello All,
Yes, I got that detection as well, still quarantined though. Figure it's a false positive since very similar to what I had: an internet security again didn't pick up on it and haven't done anything to have gotten it, so just posting log file for reference to show I got kinda cross between both of you: msmsgs.exe like first post and long line of numbers like second post, 6722202021207170231766202070702423226819212423692217691924671923
log posted below
Malwarebytes' Anti-Malware 1.34
Database version: 1790
Windows 5.1.2600 Service Pack 3
2/21/2009 11:28:59 PM
mbam-log-2009-02-21 (23-28-59).txt
Scan type: Full Scan (C:\|)
Objects scanned: 120228
Time elapsed: 16 minute(s), 35 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\$NtServicePackUninstall$\msmsgs.exe (Trojan.Autorun) -> Quarantined and deleted successfully. [6722202021207170231766202070702423226819212423692217691924671923]
All similar yet different... I'm thinking FP this time; waiting to see, anyhow not deleting.
:p .... I amaze myself !.....sometimes..
#5
Posted 22 February 2009 - 05:00 AM
This is definitely an F/P detection; please add it to ignore for now, but it will be addressed shortly.
#6
Posted 22 February 2009 - 05:42 AM
lurkingatu2 said:
... when I right-click scan msmsgs.exe MBAM doesn't say anything...
That's because the scan done through the context menu in Windows Explorer does not use heuristics.
For we wrestle not against flesh and blood, but against principalities, against powers, and against the worldly governors, the princes of the darkness of this world...