nighthawk

Members
Posts: 10
Reputation: 0 Neutral
  1. I'm now fairly sure that my machine is clean, so let's get back to the reason why I registered here in the first place. is-PQ10B.exe was found in c:\windows together with .lst and .msg files with the same name, as I said here. I regularly scan my PC with HijackThis, and between two scans I only installed Asynx Planetarium and Microsoft Visual C++ and updated Malwarebytes. My memory is not too good, but the creation time of the is-PQ10B files roughly matches the time of the update. Malwarebytes requested a system restart after the update, which I refused; I shut down my PC several hours later. The is-PQ10B.lst points to Malwarebytes. is-PQ10B.exe doesn't seem to be malicious: no AV or AS has identified it as malware and it doesn't attempt to access the network. So, I would like (if it is possible) that someone with good knowledge of Malwarebytes (say, someone from the development team) confirms that these files belong to Malwarebytes.
  2. I wanted to find out more about this infection and I wanted to check the installation of Alcohol that I used on my real machine. Today I repeated the test on a clean VM. After ComboFix the virtual drive was gone, but it was back after a reboot, or just after starting Alcohol (no reboot). When I restored the clean VM (Windows XP SP2 with some services disabled for faster performance, nothing installed) I booted a live Linux CD and copied the original atapi.sys (didn't want to use Unlocker) to another drive. After the installation of Alcohol I went back to Linux and again copied atapi.sys. Then I ran ComboFix and again copied atapi.sys. Each time the MD5 signature of the file was the same, so, in fact, atapi.sys was not changed after the installation of Alcohol, nor after ComboFix. None of the AV engines on VirusTotal reported anything. So, it looks like ComboFix gave a false positive, or at least it was wrong about atapi.sys. Drivers installed by Alcohol are also clean. After this I tried (on the VM) several anti-rootkit programs: RootkitRevealer, BitDefender, AVG, F-Secure BlackLight and gmer. No infection was found; gmer caused a BSOD right on start, and after the reboot and logging in the system was totally unresponsive, I couldn't even start Task Manager (it is so nice when a VM gets busted like this, isn't it). Now I'm scanning my real machine with RR, it will take the better part of the day to finish, but so far C: is done and it seems clean.
  3. I've done some work on my own. After a scan with ComboFix I noticed that the virtual drive is gone. I have used Alcohol 120% (1.9.2.1705) since 2007 without any problem, but after this it became suspicious. This is what VirusTotal says about its installation file (I took it from a friend who probably got it from a torrent network). The installed .exe seems to be clean. Then I ran HijackThis and ComboFix on a virtual machine with the same OS (WinXP SP2), installed from the same CD, before and after the installation of Alcohol 120%. After the installation it found a rootkit and required a reboot. The same file (atapi.sys) was infected. Here are the logs:

HijackThis
++++++++++
++before++++
++++++++++
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:38:08 PM, on 10/7/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\VMware\VMware Tools\VMwareTray.exe
C:\Program Files\VMware\VMware Tools\VMwareUser.exe
C:\Program Files\VMware\VMware Tools\VMwareService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\virt1\Desktop\otmica.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://scroogle.org/
O4 - HKLM\..\Run: [VMware Tools] C:\Program Files\VMware\VMware Tools\VMwareTray.exe
O4 - HKLM\..\Run: [VMware User Process] C:\Program Files\VMware\VMware Tools\VMwareUser.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{AA191B09-9081-4731-850A-A7BBF32A76A5}: NameServer = 208.67.222.222,208.67.220.220
O23 - Service: DirMngr - Unknown owner - C:\Program Files\GNU\GnuPG\dirmngr.exe
O23 - Service: VMware Tools Service (VMTools) - VMware, Inc. - C:\Program Files\VMware\VMware Tools\VMwareService.exe

-- End of file - 1986 bytes

+++++++++
++after++++
+++++++++
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:46:43 PM, on 10/7/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\VMware\VMware Tools\VMwareTray.exe
C:\Program Files\VMware\VMware Tools\VMwareUser.exe
C:\Program Files\GNU\GnuPG\dirmngr.exe
C:\Program Files\VMware\VMware Tools\VMwareService.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\virt1\Desktop\otmica.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://scroogle.org/
O4 - HKLM\..\Run: [VMware Tools] C:\Program Files\VMware\VMware Tools\VMwareTray.exe
O4 - HKLM\..\Run: [VMware User Process] C:\Program Files\VMware\VMware Tools\VMwareUser.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{AA191B09-9081-4731-850A-A7BBF32A76A5}: NameServer = 208.67.222.222,208.67.220.220
O23 - Service: DirMngr - Unknown owner - C:\Program Files\GNU\GnuPG\dirmngr.exe
O23 - Service: VMware Tools Service (VMTools) - VMware, Inc. - C:\Program Files\VMware\VMware Tools\VMwareService.exe

-- End of file - 2035 bytes

=================
=================
Combofix before
++++++++++++++++
ComboFix 09-10-06.04 - virt1 10/07/2009 20:13.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.191.48 [GMT 2:00]
Running from: c:\documents and settings\virt1\My Documents\Downloads\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((( Files Created from 2009-09-07 to 2009-10-07 )))))))))))))))))))))))))))))))
.
2009-10-04 12:41 . 2004-08-03 21:08 26496 -c--a-w- c:\windows\system32\dllcache\usbstor.sys
2009-10-04 12:39 . 2009-10-04 12:39 -------- d-----w- c:\program files\NMRC
2009-10-04 12:35 . 2009-10-04 12:35 -------- d-----w- c:\documents and settings\virt1\Application Data\gtk-2.0
2009-10-04 12:30 . 2009-10-04 12:30 -------- d-----w- c:\documents and settings\virt1\Local Settings\Application Data\Chromium
2009-10-04 12:30 . 2009-10-04 12:30 -------- d-----w- c:\documents and settings\virt1\.kde
2009-10-04 12:28 . 2009-10-04 12:28 -------- d-----w- c:\documents and settings\virt1\Local Settings\Application Data\GNU
2009-10-04 12:27 . 2009-10-04 12:27 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\GNU
2009-10-04 12:27 . 2009-10-04 12:27 -------- d-----w- c:\documents and settings\LocalService\Application Data\gnupg
2009-10-04 12:27 . 2009-10-07 18:07 -------- d-----w- c:\documents and settings\virt1\Application Data\gnupg
2009-10-04 12:27 . 2009-10-04 12:27 -------- d-----w- c:\documents and settings\All Users\Application Data\GNU
2009-10-04 12:26 . 2009-10-04 12:26 -------- d-----w- c:\program files\GNU
2009-09-28 19:41 . 2009-10-04 12:32 -------- d-----w- c:\program files\PHPLiveEdit 2005
2009-09-26 18:09 . 2009-09-26 18:09 -------- d-----w- c:\program files\7-Zip
2009-09-26 17:45 . 2009-10-07 18:07 -------- d-----w- c:\documents and settings\virt1\Application Data\Tor
2009-09-26 17:45 . 2009-09-26 17:46 -------- d-----w- c:\documents and settings\virt1\Application Data\Vidalia
2009-09-26 17:45 . 2009-09-26 17:45 -------- d-----w- c:\program files\Vidalia Bundle
2009-09-26 17:09 . 2009-09-26 17:09 -------- d--h--w- c:\windows\system32\GroupPolicy
2009-09-26 16:51 . 2009-09-26 16:52 -------- d-----w- c:\documents and settings\virt1\Application Data\TrueCrypt
2009-09-26 16:51 . 2009-09-26 16:51 235840 ----a-w- c:\windows\system32\drivers\truecrypt.sys
2009-09-26 16:51 . 2009-09-26 16:51 -------- d-----w- c:\program files\TrueCrypt
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VMware Tools"="c:\program files\VMware\VMware Tools\VMwareTray.exe" [2006-11-13 56112]
"VMware User Process"="c:\program files\VMware\VMware Tools\VMwareUser.exe" [2006-11-13 109360]
"MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-03 158208]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Privoxy.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Privoxy.lnk
backup=c:\windows\pss\Privoxy.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R0 vmscsi;vmscsi;c:\windows\system32\drivers\vmscsi.sys [11/13/2006 9:50 PM 17840]
R2 hgfs;hgfs;c:\windows\system32\drivers\hgfs.sys [2/2/2008 1:49 PM 85704]
R2 VMTools;VMware Tools Service;c:\program files\VMware\VMware Tools\VMwareService.exe [11/13/2006 9:50 PM 142128]
R3 vmmouse;VMware Pointing Device;c:\windows\system32\drivers\vmmouse.sys [11/13/2006 9:50 PM 11568]
R3 vmx_svga;vmx_svga;c:\windows\system32\drivers\vmx_svga.sys [11/13/2006 9:50 PM 22704]
R3 vmxnet;VMware Ethernet Adapter Driver;c:\windows\system32\drivers\vmxnet.sys [11/13/2006 9:50 PM 29488]
S2 DirMngr;DirMngr;c:\program files\GNU\GnuPG\dirmngr.exe [9/28/2009 6:15 PM 242176]
.
.
------- Supplementary Scan -------
.
TCP: {AA191B09-9081-4731-850A-A7BBF32A76A5} = 208.67.222.222,208.67.220.220
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-07 20:27
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(1108)
c:\program files\VMware\VMware Tools\hook.dll
c:\windows\System32\hgfs.dll
.
Completion time: 2009-10-07 20:32
ComboFix-quarantined-files.txt 2009-10-07 18:32
Pre-Run: 1,451,847,680 bytes free
Post-Run: 1,478,549,504 bytes free
79

+++++++++++++++++++++++
+++++++++++++++++++++
After
ComboFix 09-10-06.04 - virt1 10/07/2009 21:03.2.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.191.108 [GMT 2:00]
Running from: c:\documents and settings\virt1\Desktop\ComboFix.exe
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
Infected copy of c:\windows\system32\drivers\atapi.sys was found and disinfected
Kitty ate it
.
((((((((((((((((((((((((( Files Created from 2009-09-07 to 2009-10-07 )))))))))))))))))))))))))))))))
.
2009-10-07 18:40 . 2004-04-30 07:37 160640 ----a-w- c:\windows\system32\drivers\a347bus.sys
2009-10-07 18:40 . 2004-04-30 07:33 5248 ----a-w- c:\windows\system32\drivers\a347scsi.sys
2009-10-07 18:40 . 2009-10-07 18:40 -------- d-----w- c:\program files\Alcohol Soft
2009-10-04 12:41 . 2004-08-03 21:08 26496 -c--a-w- c:\windows\system32\dllcache\usbstor.sys
2009-10-04 12:39 . 2009-10-04 12:39 -------- d-----w- c:\program files\NMRC
2009-10-04 12:35 . 2009-10-04 12:35 -------- d-----w- c:\documents and settings\virt1\Application Data\gtk-2.0
2009-10-04 12:30 . 2009-10-04 12:30 -------- d-----w- c:\documents and settings\virt1\Local Settings\Application Data\Chromium
2009-10-04 12:30 . 2009-10-04 12:30 -------- d-----w- c:\documents and settings\virt1\.kde
2009-10-04 12:28 . 2009-10-04 12:28 -------- d-----w- c:\documents and settings\virt1\Local Settings\Application Data\GNU
2009-10-04 12:27 . 2009-10-04 12:27 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\GNU
2009-10-04 12:27 . 2009-10-04 12:27 -------- d-----w- c:\documents and settings\LocalService\Application Data\gnupg
2009-10-04 12:27 . 2009-10-07 18:07 -------- d-----w- c:\documents and settings\virt1\Application Data\gnupg
2009-10-04 12:27 . 2009-10-04 12:27 -------- d-----w- c:\documents and settings\All Users\Application Data\GNU
2009-10-04 12:26 . 2009-10-04 12:26 -------- d-----w- c:\program files\GNU
2009-09-28 19:41 . 2009-10-04 12:32 -------- d-----w- c:\program files\PHPLiveEdit 2005
2009-09-26 18:09 . 2009-09-26 18:09 -------- d-----w- c:\program files\7-Zip
2009-09-26 17:45 . 2009-10-07 18:07 -------- d-----w- c:\documents and settings\virt1\Application Data\Tor
2009-09-26 17:45 . 2009-09-26 17:46 -------- d-----w- c:\documents and settings\virt1\Application Data\Vidalia
2009-09-26 17:45 . 2009-09-26 17:45 -------- d-----w- c:\program files\Vidalia Bundle
2009-09-26 17:09 . 2009-09-26 17:09 -------- d--h--w- c:\windows\system32\GroupPolicy
2009-09-26 16:51 . 2009-09-26 16:52 -------- d-----w- c:\documents and settings\virt1\Application Data\TrueCrypt
2009-09-26 16:51 . 2009-09-26 16:51 235840 ----a-w- c:\windows\system32\drivers\truecrypt.sys
2009-09-26 16:51 . 2009-09-26 16:51 -------- d-----w- c:\program files\TrueCrypt
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((( SnapShot@2009-10-07_18.28.01 )))))))))))))))))))))))))))))))))))))))))
.
+ 2004-08-03 20:59 . 2004-08-03 20:59 95360 c:\windows\system32\dllcache\atapi.sys
+ 2009-10-07 18:40 . 2009-10-07 18:40 49152 c:\windows\Installer\{E9F81423-211E-46B6-9AE0-38568BC5CF6F}\IconE9F814236.exe
+ 2009-10-07 18:40 . 2009-10-07 18:40 5120 c:\windows\Installer\{E9F81423-211E-46B6-9AE0-38568BC5CF6F}\IconE9F814234.exe
+ 2009-10-07 18:40 . 2009-10-07 18:40 958464 c:\windows\Installer\3280b9.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VMware Tools"="c:\program files\VMware\VMware Tools\VMwareTray.exe" [2006-11-13 56112]
"VMware User Process"="c:\program files\VMware\VMware Tools\VMwareUser.exe" [2006-11-13 109360]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Privoxy.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Privoxy.lnk
backup=c:\windows\pss\Privoxy.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R2 DirMngr;DirMngr;c:\program files\GNU\GnuPG\dirmngr.exe [2009-09-28 242176]
S0 vmscsi;vmscsi;c:\windows\system32\DRIVERS\vmscsi.sys [2006-11-13 17840]
S2 hgfs;hgfs;c:\windows\system32\DRIVERS\hgfs.sys [2006-11-13 85704]
S2 VMTools;VMware Tools Service;c:\program files\VMware\VMware Tools\VMwareService.exe [2006-11-13 142128]
S3 vmmouse;VMware Pointing Device;c:\windows\system32\DRIVERS\vmmouse.sys [2006-11-13 11568]
S3 vmx_svga;vmx_svga;c:\windows\system32\DRIVERS\vmx_svga.sys [2006-11-13 22704]
S3 vmxnet;VMware Ethernet Adapter Driver;c:\windows\system32\DRIVERS\vmxnet.sys [2006-11-13 29488]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = hxxp://scroogle.org/
TCP: {AA191B09-9081-4731-850A-A7BBF32A76A5} = 208.67.222.222,208.67.220.220
.
- - - - ORPHANS REMOVED - - - -
AddRemove-HijackThis - c:\documents and settings\virt1\Desktop\HijackThis.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-07 21:18
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2009-10-07 21:23
ComboFix-quarantined-files.txt 2009-10-07 19:23
ComboFix2.txt 2009-10-07 18:32
Pre-Run: 1,473,699,840 bytes free
Post-Run: 1,471,930,368 bytes free
91

This doesn't explain the is-PQ10B files; I used Alcohol for over two years and they didn't appear, and there were no such files on the virtual machine.
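The before/after comparison in the post above is done by eye. The following is an added example (not code from the poster or from the HijackThis project) that parses HijackThis-style logs and reports what changed between two scans: new or vanished running processes and added or removed `Rn`/`On` entries. The two log excerpts embedded in it are constructed, shortened versions modelled on the logs quoted above; the function and class names are this example's own.

```python
import re
from dataclasses import dataclass, field

# Constructed excerpts modelled on the HijackThis v2.0.2 logs in the post
# (before and after installing Alcohol 120% on the test VM). They are sample
# input for this example only, not the complete logs.
BEFORE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:38:08 PM, on 10/7/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\virt1\Desktop\otmica.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [VMware Tools] C:\Program Files\VMware\VMware Tools\VMwareTray.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O23 - Service: DirMngr - Unknown owner - C:\Program Files\GNU\GnuPG\dirmngr.exe
-- End of file - 1986 bytes
"""

AFTER_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:46:43 PM, on 10/7/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\GNU\GnuPG\dirmngr.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\virt1\Desktop\otmica.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [VMware Tools] C:\Program Files\VMware\VMware Tools\VMwareTray.exe
O23 - Service: DirMngr - Unknown owner - C:\Program Files\GNU\GnuPG\dirmngr.exe
-- End of file - 2035 bytes
"""

# HijackThis entries look like "O4 - HKLM\..\Run: [...]": a letter, a number,
# then " - " and the rest of the line.
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")


@dataclass
class HjtLog:
    # Windows paths are case-insensitive, so both maps are keyed on the
    # lower-cased text and keep the original spelling as the value.
    processes: dict = field(default_factory=dict)
    entries: dict = field(default_factory=dict)


def parse_hjt(text):
    """Split a HijackThis log into its running-process list and its entries."""
    log = HjtLog()
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        if line.startswith("-- End of file"):
            in_processes = False
            continue
        m = ENTRY_RE.match(line)
        if m:
            # First Rn/On entry ends the process list.
            in_processes = False
            log.entries[line.lower()] = line
            continue
        if in_processes:
            log.processes[line.lower()] = line
    return log


def diff_hjt(before, after):
    """Report processes and entries that appeared or disappeared between scans."""
    return {
        "processes_added": sorted(after.processes[k] for k in after.processes.keys() - before.processes.keys()),
        "processes_removed": sorted(before.processes[k] for k in before.processes.keys() - after.processes.keys()),
        "entries_added": sorted(after.entries[k] for k in after.entries.keys() - before.entries.keys()),
        "entries_removed": sorted(before.entries[k] for k in before.entries.keys() - after.entries.keys()),
    }


def format_diff(d):
    """Render the diff as a short plain-text report."""
    lines = []
    for section, items in d.items():
        lines.append(f"{section}: {len(items)}")
        lines.extend(f"  {item}" for item in items)
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_diff(diff_hjt(parse_hjt(BEFORE_LOG), parse_hjt(AFTER_LOG))))
```

On the sample input the diff reports four new processes (spoolsv.exe, dirmngr.exe, cmd.exe, NOTEPAD.EXE) and one removed entry (the `MSConfig` Run key), while `C:\WINDOWS\explorer.exe` and `C:\WINDOWS\Explorer.EXE` are correctly treated as the same process because the comparison is case-insensitive. A change list like this is what to look at first when a tool reports a rootkit between two otherwise similar scans.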
  4. I hate to double post, but I don't see an option to edit the message. Those is-PQ10B.exe files are now removed. The log says that something was removed; can you tell what kind of malware that was? If it was a keylogger it would be very bad for me.
  5. During the scan ComboFix found "Rootkit activity" and required a reboot.

ComboFix 09-10-06.04 - ja 10/07/2009 16:45.1.1 - NTFSx86
Running from: c:\documents and settings\milos\Desktop\ComboFix.exe
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\recycler\S-1-5-21-1116871056-3922734005-1551252272-1003
c:\recycler\S-1-5-21-1202660629-1788223648-839522115-1003
Infected copy of c:\windows\system32\drivers\atapi.sys was found and disinfected
Kitty ate it
.
((((((((((((((((((((((((( Files Created from 2009-09-07 to 2009-10-07 )))))))))))))))))))))))))))))))
.
2009-10-05 21:45 . 1998-09-02 08:28 38160 ----a-w- c:\windows\system32\LMRTREND.dll
2009-10-05 21:45 . 1998-08-27 04:51 182032 ----a-w- c:\windows\system32\dxtmsft3.dll
2009-10-05 21:45 . 1998-09-02 08:28 63488 ----a-w- c:\windows\system32\unam4ie.exe
2009-10-05 21:45 . 1998-08-17 09:21 10240 ----a-w- c:\windows\system32\vidx16.dll
2009-10-05 21:45 . 1998-09-02 08:02 194320 ----a-w- c:\windows\system32\qcut.dll
2009-10-05 21:45 . 1998-08-17 09:21 11776 ----a-w- c:\windows\system32\mciqtz.drv
2009-10-05 21:45 . 2009-10-05 21:45 2272 ----a-w- c:\windows\system32\w95inf16.dll
2009-10-05 21:45 . 2009-10-05 21:45 4608 ----a-w- c:\windows\system32\w95inf32.dll
2009-10-05 08:45 . 2009-10-05 08:45 -------- d-----w- c:\documents and settings\ja\Application Data\gnupg
2009-09-23 09:17 . 2009-09-23 09:55 -------- d-----w- c:\documents and settings\milos\Application Data\Dev-Cpp
2009-09-23 09:14 . 2009-09-23 09:23 -------- d-----w- c:\documents and settings\ja\Application Data\Dev-Cpp
2009-09-21 21:37 . 2009-09-21 21:37 -------- d-----w- c:\documents and settings\milos\Local Settings\Application Data\Microsoft Help
2009-09-21 21:19 . 2009-09-21 21:19 -------- d-----w- c:\program files\Microsoft SQL Server
2009-09-21 21:17 . 2009-09-21 21:17 -------- d-----w- c:\documents and settings\ja\Local Settings\Application Data\Microsoft Help
2009-09-21 21:13 . 2009-09-21 21:14 -------- d-----w- c:\program files\Common Files\Merge Modules
2009-09-21 21:13 . 2009-09-21 21:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-09-21 21:11 . 2009-09-21 21:11 -------- d-----w- c:\program files\Microsoft SDKs
2009-09-21 21:09 . 2009-09-21 21:09 157464 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-09-07 21:33 . 2009-09-07 21:33 -------- d-----w- c:\documents and settings\milos\Application Data\KeePass
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-07 14:43 . 2007-07-18 10:24 -------- d-----w- c:\documents and settings\LocalService\Application Data\VMware
2009-10-05 16:33 . 2008-12-03 14:51 -------- d-----w- c:\documents and settings\milos\Application Data\AIMP
2009-10-04 20:58 . 2007-07-18 11:26 -------- d-----w- c:\documents and settings\milos\Application Data\VMware
2009-10-02 14:55 . 2009-01-27 16:53 -------- d-----w- c:\documents and settings\milos\Application Data\Free Download Manager
2009-09-21 21:37 . 2007-04-17 14:45 69360 ------w- c:\documents and settings\milos\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-18 20:52 . 2008-12-04 19:39 -------- d-----w- c:\documents and settings\milos\Application Data\codeblocks
2009-09-10 12:54 . 2008-12-04 11:35 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 12:53 . 2008-12-04 11:35 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-02 18:35 . 2009-09-02 18:35 -------- d-----w- c:\documents and settings\nighthawk\Application Data\Malwarebytes
2009-09-02 10:12 . 2009-09-02 10:12 -------- d-----w- c:\program files\Planetarium0130
2009-08-20 14:04 . 2007-07-14 13:43 -------- d-----w- c:\program files\Google
2009-08-12 16:40 . 2009-03-07 20:37 -------- d-----w- c:\documents and settings\gnutella\Application Data\FrostWire
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-04-01 5562368]
"Smapp"="c:\program files\Analog Devices\SoundMAX\SMTray.exe" [2002-10-11 98304]
"COMODO Internet Security"="c:\program files\Comodo\COMODO Internet Security\cfp.exe" [2009-01-03 1797880]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]

c:\documents and settings\nighthawk\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 01000000
"NoSMMyDocs"= 01000000
"NoSMMyPictures"= 01000000

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Privoxy.lnk]
backup=c:\windows\pss\Privoxy.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WordWeb.lnk]
backup=c:\windows\pss\WordWeb.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^milos^Start Menu^Programs^Startup^Adobe Gamma.lnk]
backup=c:\windows\pss\Adobe Gamma.lnkStartup

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\COMODO Firewall Pro
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Outpost Firewall

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"OutpostFirewall"=2 (0x2)
"SatSrv"=2 (0x2)
"Adobe LM Service"=3 (0x3)
"KPF4"=2 (0x2)
"Alerter"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Miranda IM\\miranda32.exe"=
"j:\\program files\\Microsoft Games1\\Rise of Nations\\rise.exe"=
"d:\\Programi\\radni\\internet\\utorrent.exe"=
"j:\\program files\\SecondLife\\SLVoice.exe"=
"c:\\Program Files\\Java\\jre1.6.0_07\\bin\\javaw.exe"=
"c:\\Program Files\\Java\\jre1.6.0_07\\bin\\java.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1060:TCP"= 1060:TCP:*:Disabled:torente
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [1/3/2009 12:24 PM 101776]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [1/3/2009 12:24 PM 31504]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [8/20/2009 4:02 PM 133104]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [6/29/2007 2:01 AM 42512]
S3 ZSMC0305;A4 TECH PC Camera V;c:\windows\system32\Drivers\usbVM305.sys --> c:\windows\system32\Drivers\usbVM305.sys [?]
S4 SatSrv;Steganos AntiTheft;c:\windows\system32\SatSrv.exe --> c:\windows\system32\SatSrv.exe [?]
.
Contents of the 'Scheduled Tasks' folder

2009-08-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-08-20 14:01]
.
.
------- Supplementary Scan -------
.
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Download all with Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm
IE: Download with Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm
IE: E&xport to Microsoft Excel - j:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Translate with &Babylon - j:\program files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Translate.htm
TCP: {2AFE39A0-7C71-4953-BC9E-02557DE19A01} = 85.222.160.152,217.26.64.131,208.67.222.222,208.67.220.220
FF - ProfilePath - c:\documents and settings\ja\Application Data\Mozilla\Firefox\Profiles\rso4qa7l.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: c:\documents and settings\ja\Application Data\Mozilla\Firefox\Profiles\rso4qa7l.default\extensions\{3b56bcc7-54e5-44a2-9b44-66c3ef58c13e}\components\nstidy.dll
FF - plugin: c:\program files\Opera\program\plugins\nppl3260.dll
FF - plugin: c:\program files\Opera\program\plugins\nprpjplug.dll
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-07 16:51
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
c:\documents and settings\ja\Application Data\Mozilla\Firefox\Profiles\rso4qa7l.default\pluginreg.dat.bak 6291 bytes
c:\documents and settings\ja\Application Data\Mozilla\Firefox\Profiles\rso4qa7l.default\prefs.js.BAK 4152 bytes
scan completed successfully
hidden files: 2
**************************************************************************
.
Completion time: 2009-10-07 16:53
ComboFix-quarantined-files.txt 2009-10-07 14:53
Pre-Run: 1,982,668,800 bytes free
Post-Run: 2,102,419,456 bytes free
141

==========================================
And HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:55:05 PM, on 10/7/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Comodo\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\terrorista.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avwsc.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdmcks.dll
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\Comodo\COMODO Internet Security\cfp.exe" -h
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://J:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Translate with &Babylon - res://J:\Program Files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Translate.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - J:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{2AFE39A0-7C71-4953-BC9E-02557DE19A01}: NameServer = 85.222.160.152,217.26.64.131,208.67.222.222,208.67.220.220
O17 - HKLM\System\CS1\Services\Tcpip\..\{2AFE39A0-7C71-4953-BC9E-02557DE19A01}: NameServer = 85.222.160.152,217.26.64.131,208.67.222.222,208.67.220.220
O17 - HKLM\System\CS2\Services\Tcpip\..\{2AFE39A0-7C71-4953-BC9E-02557DE19A01}: NameServer = 85.222.160.152,217.26.64.131,208.67.222.222,208.67.220.220
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\Comodo\COMODO Internet Security\cmdagent.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe

-- End of file - 5423 bytes
  6. Sorry http://www.virustotal.com/analisis/5ff1766...bffe-1254688016
  7. DDS (Ver_09-09-24.01) - NTFSx86
     Run by ja at 10:05:12.87 on Sun 09/27/2009
     Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_12

     ============== Pseudo HJT Report ===============

     uSearch Page = hxxp://www.google.com
     uSearch Bar = hxxp://www.google.com/ie
     mDefault_Search_URL = hxxp://www.google.com/ie
     uSearchAssistant = hxxp://www.google.com/ie
     uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
     mSearchAssistant = hxxp://www.google.com/ie
     BHO: FDMIECookiesBHO Class: {cc59e0f9-7e43-44fa-9faa-8377850bf205} - c:\program files\free download manager\iefdmcks.dll
     BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
     BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
     uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
     mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
     mRun: [smapp] c:\program files\analog devices\soundmax\SMTray.exe
     mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
     mRun: [avgnt] "c:\program files\avira\antivir personaledition classic\avgnt.exe" /min
     mRunOnce: [Malwarebytes' Anti-Malware] j:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
     mRunOnce: [innoSetupRegFile.0000000001] "c:\windows\is-PQ10B.exe" /REG
     uPolicies-explorer: NoSMHelp = 01000000
     uPolicies-explorer: NoSMMyDocs = 01000000
     uPolicies-explorer: NoSMMyPictures = 01000000
     uPolicies-explorer: NoActiveDesktop = 01000000
     IE: Download all with Free Download Manager - file://c:\program files\free download manager\dlall.htm
     IE: Download selected with Free Download Manager - file://c:\program files\free download manager\dlselected.htm
     IE: Download with Free Download Manager - file://c:\program files\free download manager\dllink.htm
     IE: E&xport to Microsoft Excel - j:\progra~1\micros~2\office11\EXCEL.EXE/3000
     IE: Translate with &Babylon - j:\program files\babylon\babylon-pro\utils\BabylonIEPI.dll/Translate.htm
     IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
     IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - j:\progra~1\micros~2\office11\REFIEBAR.DLL
     DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
     DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
     DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
     DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
     DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
     TCP: {2AFE39A0-7C71-4953-BC9E-02557DE19A01} = 85.222.160.152,217.26.64.131,208.67.222.222,208.67.220.220
     AppInit_DLLs: interceptor.dll

     ================= FIREFOX ===================

     FF - ProfilePath -
     FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
     FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}

     ============= SERVICES / DRIVERS ===============

     =============== Created Last 30 ================

     2009-09-23 11:14 <DIR> --d----- c:\docume~1\ja\applic~1\Dev-Cpp
     2009-09-21 23:19 <DIR> --d----- c:\program files\Microsoft SQL Server
     2009-09-21 23:13 <DIR> --d----- c:\program files\common files\Merge Modules
     2009-09-02 20:39 10,498 a------- c:\windows\is-PQ10B.msg
     2009-09-02 20:39 460 a------- c:\windows\is-PQ10B.lst
     2009-09-02 20:39 687,104 a------- c:\windows\is-PQ10B.exe
     2009-09-02 12:12 <DIR> --d----- c:\program files\Planetarium0130

     ==================== Find3M ====================

     2009-09-10 14:54 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
     2009-09-10 14:53 19,160 a------- c:\windows\system32\drivers\mbam.sys

     ============= FINISH: 10:05:56.65 ===============
  8. I started this topic and I was told to post logs here, so here they are:

     Malwarebytes' Anti-Malware 1.41
     Database version: 2858
     Windows 5.1.2600 Service Pack 2

     9/26/2009 11:11:49 AM
     mbam-log-2009-09-26 (11-11-49).txt

     Scan type: Quick Scan
     Objects scanned: 129791
     Time elapsed: 9 minute(s), 1 second(s)

     Memory Processes Infected: 0
     Memory Modules Infected: 0
     Registry Keys Infected: 0
     Registry Values Infected: 0
     Registry Data Items Infected: 0
     Folders Infected: 0
     Files Infected: 0

     Memory Processes Infected:
     (No malicious items detected)

     Memory Modules Infected:
     (No malicious items detected)

     Registry Keys Infected:
     (No malicious items detected)

     Registry Values Infected:
     (No malicious items detected)

     Registry Data Items Infected:
     (No malicious items detected)

     Folders Infected:
     (No malicious items detected)

     Files Infected:
     (No malicious items detected)

     ___________________________________

     Logfile of Trend Micro HijackThis v2.0.2
     Scan saved at 3:32:26 PM, on 9/25/2009
     Platform: Windows XP SP2 (WinNT 5.01.2600)
     MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
     Boot mode: Normal

     Running processes:
     C:\WINDOWS\System32\smss.exe
     C:\WINDOWS\system32\winlogon.exe
     C:\WINDOWS\system32\services.exe
     C:\WINDOWS\system32\lsass.exe
     C:\WINDOWS\system32\svchost.exe
     C:\WINDOWS\system32\svchost.exe
     C:\WINDOWS\system32\spoolsv.exe
     C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
     C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
     C:\Program Files\Comodo\COMODO Internet Security\cmdagent.exe
     C:\Program Files\Java\jre6\bin\jqs.exe
     C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
     C:\WINDOWS\system32\nvsvc32.exe
     C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
     C:\WINDOWS\system32\svchost.exe
     C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
     C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
     C:\WINDOWS\System32\svchost.exe
     C:\Program Files\Trend Micro\HijackThis\terrorista.exe

     R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
     R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
     O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdmcks.dll
     O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
     O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
     O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
     O4 - HKLM\..\Run: [smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
     O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\Comodo\COMODO Internet Security\cfp.exe" -h
     O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
     O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] j:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
     O4 - HKLM\..\RunOnce: [innoSetupRegFile.0000000001] "C:\WINDOWS\is-PQ10B.exe" /REG
     O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
     O4 - HKUS\S-1-5-19\..\RunOnce: [sSS2006] "C:\Program Files\Steganos Security Suite 2006\SSS2006.exe" -firstboot (User 'LOCAL SERVICE')
     O4 - HKUS\S-1-5-20\..\RunOnce: [sSS2006] "C:\Program Files\Steganos Security Suite 2006\SSS2006.exe" -firstboot (User 'NETWORK SERVICE')
     O4 - HKUS\S-1-5-21-1801674531-879983540-839522115-1007\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'milos')
     O4 - HKUS\S-1-5-18\..\RunOnce: [sSS2006] "C:\Program Files\Steganos Security Suite 2006\SSS2006.exe" -firstboot (User 'SYSTEM')
     O4 - HKUS\.DEFAULT\..\RunOnce: [sSS2006] "C:\Program Files\Steganos Security Suite 2006\SSS2006.exe" -firstboot (User 'Default user')
     O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
     O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
     O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
     O8 - Extra context menu item: E&xport to Microsoft Excel - res://J:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
     O8 - Extra context menu item: Translate with &Babylon - res://J:\Program Files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Translate.htm
     O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - J:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
     O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
     O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
     O17 - HKLM\System\CCS\Services\Tcpip\..\{2AFE39A0-7C71-4953-BC9E-02557DE19A01}: NameServer = 85.222.160.152,217.26.64.131,208.67.222.222,208.67.220.220
     O17 - HKLM\System\CS1\Services\Tcpip\..\{2AFE39A0-7C71-4953-BC9E-02557DE19A01}: NameServer = 85.222.160.152,217.26.64.131,208.67.222.222,208.67.220.220
     O17 - HKLM\System\CS2\Services\Tcpip\..\{2AFE39A0-7C71-4953-BC9E-02557DE19A01}: NameServer = 85.222.160.152,217.26.64.131,208.67.222.222,208.67.220.220
     O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
     O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
     O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
     O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\Comodo\COMODO Internet Security\cmdagent.exe
     O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
     O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
     O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
     O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
     O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
     O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
     O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe

     --
     End of file - 5955 bytes

     ___________________________

     Last night I copied these three files to a WinXP virtual machine and tried to execute the .exe file. During that time Wireshark was running on the gateway machine. The exe file briefly pops up in Task Manager and then it disappears. I double-clicked it at least 50 times, and each time it's the same. There was no network traffic. So, any ideas what is-PQ10B.exe is (no pun intended) and why it is there?
  9. I've never used the Kaspersky removal tool, nor anything else from Kaspersky, on my computer. Currently I have Avira; previously I had NOD32 and AVG (free). Here's the HJT log:

     hijackthis25sep2009.txt
  10. I noticed this during a regular scan with HJT. I googled it, but didn't get any result. Then I uploaded it to virustotal.com and none of the AVs reported any virus. When I examined the WINDOWS folder more closely I noticed three such files: is-PQ10B.exe, is-PQ10B.lst and is-PQ10B.msg. The content of is-PQ10B.lst is:

      ; This file was created by the installer for:
      ; Malwarebytes' Anti-Malware
      ; Location: C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
      ; List of files to be registered on the next reboot. DO NOT EDIT!
      [sq]j:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll
      [sq]j:\Program Files\Malwarebytes' Anti-Malware\ssubtmr6.dll
      [sq]j:\Program Files\Malwarebytes' Anti-Malware\vbalsgrid6.ocx

      Later I performed a quick scan with freshly updated Malwarebytes and no malware was found. I'm just curious - do these three files belong to Malwarebytes? At least, now something will appear in a Google search.