system
April 14, 2008, 7:01pm
1
Okay, after hesitating for around an hour and looking around I was wondering if these are false positives?
VBS:Malware-Gen found at “C:\Users\NewChapter\AppData\Local\Mozilla\Firefox\Profiles\cjcvji9a.default\Cache\1D4F0946d01”
Win32:Rootkit-gen [Rtk] at “C:\Windows\meta4.exe”
The first happened when I loaded up one of my friends myspace page, so I don’t know if that has something to do with the Malware being in Firefox’s cache. I deleted this when I quaruntined it though I didn’t get to look up the files details.
The second happened when I started scanning after I discovered the first one. Though when I went to see its properties meta4.exe hasen’t been edited since 2006, which was before I even bought my laptop. It is still currently quaruntined.
I’m not sure if this is the correct log I’m supposed to post…
If more info is needed I will be glad to give.
Thank you in advance.
system
April 14, 2008, 7:03pm
2
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe
C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe
C:\Program Files\TOSHIBA\Utilities\KeNotify.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\TOSHIBA\Toshiba Online Product Information\TOPI.exe
C:\Program Files\IDM\Desktop SMS\DesktopSMS.exe
C:\Program Files\TOSHIBA\Registration\ToshibaRegistration.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\COMODO\Firewall\cfp.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Kontiki\KHost.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Program Files\Creative\Shared Files\CTSched.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Synaptics\SynTP\SynToshiba.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Windows Mail\WinMail.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSwMgr.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\System32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
system
April 14, 2008, 7:04pm
3
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM..\Run: [Windows Defender] “C:\Program Files\Windows Defender\MSASCui.exe” -hide
O4 - HKLM..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM..\Run: [TPwrMain] “C:\Program Files\TOSHIBA\Power Saver\TPwrMain.EXE”
O4 - HKLM..\Run: [HSON] “C:\Program Files\TOSHIBA\TBS\HSON.exe”
O4 - HKLM..\Run: [SmoothView] “C:\Program Files\Toshiba\SmoothView\SmoothView.exe”
O4 - HKLM..\Run: [00TCrdMain] “C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe”
O4 - HKLM..\Run: [KeNotify] “C:\Program Files\TOSHIBA\Utilities\KeNotify.exe”
O4 - HKLM..\Run: [HWSetup] “C:\Program Files\TOSHIBA\Utilities\HWSetup.exe” hwSetUP
O4 - HKLM..\Run: [SVPWUTIL] “C:\Program Files\TOSHIBA\Utilities\SVPWUTIL.exe” SVPwUTIL
O4 - HKLM..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM..\Run: [topi] “C:\Program Files\TOSHIBA\Toshiba Online Product Information\topi.exe” -startup
O4 - HKLM..\Run: [Desktop SMS] “C:\Program Files\IDM\Desktop SMS\DesktopSMS.exe” /auto
O4 - HKLM..\Run: [NvSvc] “RUNDLL32.EXE” C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM..\Run: [NvCplDaemon] “RUNDLL32.EXE” C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM..\Run: [NvMediaCenter] “RUNDLL32.EXE” C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM..\Run: [Apoint] “C:\Program Files\Apoint2K\Apoint.exe”
O4 - HKLM..\Run: [Toshiba Registration] C:\Program Files\Toshiba\Registration\ToshibaRegistration.exe
O4 - HKLM..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM..\Run: [!AVG Anti-Spyware] “C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe” /minimized
O4 - HKLM..\Run: [WinampAgent] “C:\Program Files\Winamp\winampa.exe”
O4 - HKLM..\Run: [SunJavaUpdateSched] “C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe”
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] “C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe”
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [COMODO Firewall Pro] “C:\Program Files\COMODO\Firewall\cfp.exe” -s
O4 - HKLM..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM..\Run: [4oD] “C:\Program Files\Kontiki\KHost.exe” -all
O4 - HKLM..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKCU..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU..\Run: [TOSCDSPD] “C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe”
O4 - HKCU..\Run: [MsnMsgr] “C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe” /background
O4 - HKCU..\Run: [SpybotSD TeaTimer] “C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe”
O4 - HKCU..\Run: [RunSpySweeperScheduleAtStartup] “C:\Windows\system32\msfeedssync.exe” /ScheduleSweep=User_Feed_Synchronization-{D24D81AA-E343-4953-A69B-4CBA35F264AC}
O4 - HKCU..\Run: [CTSyncU.exe] “C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe”
O4 - HKCU..\Run: [CreativeTaskScheduler] “C:\Program Files\Creative\Shared Files\CTSched.exe” /logon
O4 - HKCU..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - HKUS\S-1-5-19..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User ‘LOCAL SERVICE’)
O4 - HKUS\S-1-5-19..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User ‘LOCAL SERVICE’)
O4 - HKUS\S-1-5-20..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User ‘NETWORK SERVICE’)
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: eBay - {C08CAF1D-C0A3-40D5-9970-06D067EAC017} - http://www.webtip.ch/cgi-bin/toshiba/tracker_url.pl?EN (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra ‘Tools’ menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5185/mcfscan.cab
O20 - AppInit_DLLs: C:\Windows\system32\guard32.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe
O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - c:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
I don’t know if this is the correct log Im supposed to post…
If more info is needed I will gladly give.
Thank you in advance.
do a www.virustotal.com scan of the meta4.exe file and post the results here
system
April 14, 2008, 8:37pm
5
Hi, I’ve extracted the meta4.exe file to my desktop (made a copy) and scanned it with virustotal. I’ve deleted the meta4.exe copy after.
Here are the results.
http://www.virustotal.com/analisis/7a49e09e69f138477f838099b41d56cb
AhnLab-V3 2008.4.12.0 2008.04.14 -
AntiVir 7.6.0.85 2008.04.14 -
Authentium 4.93.8 2008.04.13 -
Avast 4.8.1169.0 2008.04.14 Win32:Rootkit-gen
AVG 7.5.0.516 2008.04.14 -
BitDefender 7.2 2008.04.14 -
CAT-QuickHeal 9.50 2008.04.14 (Suspicious) - DNAScan
ClamAV 0.92.1 2008.04.14 -
DrWeb 4.44.0.09170 2008.04.14 -
eSafe 7.0.15.0 2008.04.09 suspicious Trojan/Worm
eTrust-Vet 31.3.5697 2008.04.14 -
Ewido 4.0 2008.04.14 -
F-Prot 4.4.2.54 2008.04.14 -
F-Secure 6.70.13260.0 2008.04.14 -
FileAdvisor 1 2008.04.14 -
Fortinet 3.14.0.0 2008.04.14 -
Ikarus T3.1.1.26 2008.04.14 -
Kaspersky 7.0.0.125 2008.04.14 -
McAfee 5272 2008.04.11 -
Microsoft 1.3408 2008.04.14 -
NOD32v2 3025 2008.04.14 -
Norman 5.80.02 2008.04.14 -
Panda 9.0.0.4 2008.04.14 Suspicious file
Prevx1 V2 2008.04.14 -
Rising 20.40.02.00 2008.04.14 -
Sophos 4.28.0 2008.04.14 -
Sunbelt 3.0.1041.0 2008.04.12 -
Symantec 10 2008.04.14 -
TheHacker 6.2.92.277 2008.04.14 -
VBA32 3.12.6.4 2008.04.14 -
VirusBuster 4.3.26:9 2008.04.14 -
Webwasher-Gateway 6.6.2 2008.04.14 Win32.Malware.gen (suspicious)
Additional information
File size: 217073 bytes
MD5…: fce9e5f5c7ce6d7b1ec49b5ce07070c9
SHA1…: 2ca7b4304072b5a2634bae8dbb496ab2ebbc921a
SHA256: 7939dfbfe0860998c18a2949d7cc177e9fe393886aa4160887adf7a48f9a503c
SHA512: 7a88dd8894311fcc92dc66ecedac4689631ccd9e898ddf9deeb37e3a7e07dbbe
4ac19ff47faecb8af43f7f456a905b81523b1c5ba83870f00e7c609a42b5b022
PEiD…: UPX 2.90 [LZMA] → Markus Oberhumer, Laszlo Molnar & John Reiser
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x4ca540
timedatestamp…: 0x3f624be0 (Fri Sep 12 22:42:40 2003)
machinetype…: 0x14c (I386)
( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x99000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.data 0x9a000 0x31000 0x30800 7.64 6ce4ec47baa8be574bc676d1d1289646
.rdata 0xcb000 0x1000 0x200 1.46 d221ad615082a40dbddfbb1887007f98
( 2 imports )
KERNEL32.DLL: LoadLibraryA, GetProcAddress, ExitProcess
msvcrt.dll: _iob
( 0 exports )
packers: UPX
packers: UPX
packers: UPX
i found this http://www.castlecops.com/p836479-Prevx1_finds_META4_exe.html about the meta4.exe file… having any packed file in windows or windows\system32 folder is suspicious…
system
April 15, 2008, 2:55pm
7
OK, thank you. I’ve deleted it as I haven’t any use for it. Maybe it came from the eRightsoft video converter I downloaded.