Not sure what these are...



#1 aland08

aland08

  • Members
  • 210 posts
  • OFFLINE
  • Local time:03:31 AM

Posted 30 March 2009 - 12:24 PM

Hi,

I had some work done on my machine in another forum and every time I used Combofix, my AV/AS would find this...

2009-03-28-01:33 , Quarantined , KaZaA , P2P , Key "hkey_users \S-1-5-21-1390067357-1229272821-682003330-1003\software\kazaa" , -1
2009-03-28-01:33 , Quarantined , WinSpywareProtect , Rogue Security Software , Key "hkey_users \S-1-5-21-1390067357-1229272821-682003330-1003\software\microsoft\windows\currentversion\drivers" , -1
2009-03-28-01:33 , Quarantined , Bifrost , Backdoor , Key "hkey_users \S-1-5-21-1390067357-1229272821-682003330-1003\software\wget" , -1

I was given somewhat of an explanation but I still do not understand. Perhaps someone could give me a fresh explanation of what exactly these infections or files are.

Thanks!

Alan

#2 figgis41

figgis41

  • Members
  • 801 posts
  • OFFLINE
  • Gender:Male
  • Location:Hull England
  • Local time:08:31 AM

Posted 30 March 2009 - 02:57 PM

Hi. Looking at these, I would suggest that they are files that have been quarantined by your security software when scanning. Looks like one is from a well known P2P site called KaZaA, so when you were torrenting, something nasty came with it. Also there is a rogue piece of software called "WinSpywareProtect"; this is one of those real-looking scanners that finds loads of bleep wrong and will make it all go away if you part with some cash, itself being the virus. Bifrost is a backdoor trojan; look at the link
http://en.wikipedia.org/wiki/Bifrost_(trojan_horse)
I would go and delete all quarantined files in your security software and also purge your System Restore (turn it off then back on; this will delete all infected restore points),
and just to be on the safe side I would look for a post by Boopme and follow his Malwarebytes download and scan instructions.
Figgis, LUFC

#3 aland08

aland08
  • Topic Starter

  • Members
  • 210 posts
  • OFFLINE
  • Local time:03:31 AM

Posted 30 March 2009 - 03:07 PM

figgis,

Thanks... My AV did quarantine it and I have MBAM but based on your reply, I am now more concerned with the help I received in the HJT forum. These problems seemed to have come with the Combofix or something else that the BC staff had me download. Anyone have any more suggestions?

Alan

#4 figgis41

figgis41

  • Members
  • 801 posts
  • OFFLINE
  • Gender:Male
  • Location:Hull England
  • Local time:08:31 AM

Posted 31 March 2009 - 12:36 PM

Hi. If you're still concerned about an infection and you are receiving help on this matter in another forum (security), then your best bet is to post your concerns there with the security staff and members that are helping you. They will be current with your problem and can offer the best advice on the matter.
Good luck. :thumbsup:
Figgis, LUFC

#5 aland08

aland08
  • Topic Starter

  • Members
  • 210 posts
  • OFFLINE
  • Local time:03:31 AM

Posted 31 March 2009 - 01:08 PM

I did ask my helper but unfortunately his answer didn't make sense to me

Alan

#6 harrythook

harrythook


  • Security Colleague
  • 4,152 posts
  • OFFLINE
  • Gender:Male
  • Location:Philadelphia
  • Local time:02:31 AM

Posted 31 March 2009 - 01:27 PM

figgis,

Thanks... My AV did quarantine it and I have MBAM but based on your reply, I am now more concerned with the help I received in the HJT forum. These problems seemed to have come with the Combofix or something else that the BC staff had me download. Anyone have any more suggestions?

Alan

Alan, I looked through a couple of your posts and I think you should stick with one thread. Your thread in malware removal was closed due to your asking for advice elsewhere. I also see where you expressed your displeasure with some of the senior staff here. You're not going to get much more help if we cannot keep everything in one spot.
EB asked you to uninstall Combofix, using a run command. Did you complete that?
Everything that you were instructed to download can be removed, are you having problems with that?

Veni Vidi Vici
THE FIGHT AGAINST MALWARE

Become a BleepingComputer fan: Facebook

#7 aland08

aland08
  • Topic Starter

  • Members
  • 210 posts
  • OFFLINE
  • Local time:03:31 AM

Posted 31 March 2009 - 02:49 PM

Thanks harrythook,

I hear what you're saying but I do stay within the appropriate thread when possible. That initial one you saw was from a post on MBAM & then here. I did not know at the time how this all worked & when I didn't get a reply in MBAM, I came here. Ever since I think I post as I should. The reason that I opened another thread for this topic is because the initial thread in which I developed these issues is closed. I expressed my concern to my EB as I picked up the additional infections but I did not understand his answer. It just doesn't make sense to me & since I cannot post this in the HJT forum, I chose this one. I thought it to be best.

Yes, I did uninstall CF and deleted the infections that seem to come with it but the fact that my AV picked up new infections immediately after downloading CF on two separate occasions concerns me. I do not understand why this would happen while working with a HJT specialist. I am just trying to get to the bottom of what happened, that's all. I hope that makes sense & wasn't too wordy :thumbsup:

Alan

#8 harrythook

harrythook


  • Security Colleague
  • 4,152 posts
  • OFFLINE
  • Gender:Male
  • Location:Philadelphia
  • Local time:02:31 AM

Posted 31 March 2009 - 04:13 PM

Ok Alan, 14 different topics in March is a bit much.
See if you can find this folder>>> C:\Qoobox
That is where Combofix puts all the removed malware. If you find it, simply remove it and run your A/V again.

To note, Combofix did not put the malware on your machine. Your A/V might see it now that it's been moved :thumbsup:


#9 aland08

aland08
  • Topic Starter

  • Members
  • 210 posts
  • OFFLINE
  • Local time:03:31 AM

Posted 31 March 2009 - 04:33 PM

Sorry... I did not know there was a limit. I assumed that the more traffic the forum received the better. Also, thanks for the explanation but you said "Combofix did not put the malware on your machine. Your A/V might see it now that its been moved". I could understand that if my AV only picked up the infections once but after it cleaned them and we ran CF again, they came back. That part I don't understand. Maybe there is an explanation, but I don't know what that would be. Thanks.

Alan

Edited by aland08, 31 March 2009 - 04:37 PM.


#10 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,470 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:03:31 AM

Posted 01 April 2009 - 01:13 PM

You can ask as many questions as you want in the forums. No one will begrudge you the right to do that. I think the concern from Harry is that it is 14 topics over the same issues.

Just to clarify, were you receiving those messages from your AV while Combofix was running, or after it ran?

What AV program are you using?

#11 aland08

aland08
  • Topic Starter

  • Members
  • 210 posts
  • OFFLINE
  • Local time:03:31 AM

Posted 01 April 2009 - 02:19 PM

Grinler,

I'm not sure exactly when they arrived, but I caught them twice after CF ran as my system scanned with my CA Antispyware on reboots. MBAM didn't catch them. After the first time I saw them, I deleted them. I was clean. But then again after running CF, my CA Antispy caught them again. Understand that this is to the best of my knowledge, which, if it was that vast, I wouldn't need to be here :thumbsup:

BTW... I am no longer using CA. Too many problems w/ the '09 upgrade. Now am using Avast, SuperAS, MBAM & SpywareBlaster.

Thanks for trying to figure this out with me!

Alan

Edited by aland08, 01 April 2009 - 02:21 PM.


#12 harrythook

harrythook


  • Security Colleague
  • 4,152 posts
  • OFFLINE
  • Gender:Male
  • Location:Philadelphia
  • Local time:02:31 AM

Posted 01 April 2009 - 08:03 PM

Ok Alan, here is a little information about this. Bear with me, it is a simple explanation and not for the advanced user.
Look at the lines, and the key that is referenced in it:
Quarantined , KaZaA , P2P , Key "hkey_users \S-1-5-21-1390067357-1229272821-682003330-1003\software\kazaa"
Quarantined should be a reference to where this item was found
KaZaA , P2P is the name of the program, and type of said program
"hkey_users \S-1-5-21-1390067357-1229272821-682003330-1003\software\kazaa" is a reference to an area in the registry on that machine that is specific to the user that is logged on. This particular key will be modified every time the user logs onto the machine. An orphan line elsewhere in the registry may cause these entries to show again, as Windows follows a specific regime every time it starts: it will put a pointer in HKEY_USERS\S-(your identifier), just as you are seeing in the A/V results.
If you are finding this after Combofix was removed, along with the Qoobox folder, these lines may be in another tool's quarantine area. If so, I would recommend checking on how to clean out the files/folders that have been moved to the quarantine area. Since you are no longer using CA, did you remove that program completely or just deactivate it?

Does this make things any clearer?
Harry

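Harry's field-by-field breakdown of the quarantine lines can be turned into a small parser that pulls out the user SID and the per-user subkey and flags the categories a defender would look at first. This is an added example, not code from the thread or from any AV product; it assumes the field layout shown in the quoted lines (date , action , name , category , Key "hive \SID\subkey" , count), and the sample input is a constructed copy of the three lines Alan posted.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the three lines quoted in the thread, same field layout.
SAMPLE_LOG = r"""
2009-03-28-01:33 , Quarantined , KaZaA , P2P , Key "hkey_users \S-1-5-21-1390067357-1229272821-682003330-1003\software\kazaa" , -1
2009-03-28-01:33 , Quarantined , WinSpywareProtect , Rogue Security Software , Key "hkey_users \S-1-5-21-1390067357-1229272821-682003330-1003\software\microsoft\windows\currentversion\drivers" , -1
2009-03-28-01:33 , Quarantined , Bifrost , Backdoor , Key "hkey_users \S-1-5-21-1390067357-1229272821-682003330-1003\software\wget" , -1
"""

# One record: <when> , <action> , <name> , <category> , Key "<path>" , <count>
LINE_RE = re.compile(
    r'^(?P<when>\S+)\s*,\s*(?P<action>[^,]+?)\s*,\s*(?P<name>[^,]+?)\s*,\s*'
    r'(?P<category>[^,]+?)\s*,\s*Key\s+"(?P<key>[^"]+)"\s*,\s*(?P<count>-?\d+)$'
)
# HKEY_USERS\<SID>\<subkey>, the per-user branch Harry describes. The AV output
# has a stray space after the hive name, hence the \s*.
HKU_RE = re.compile(r'^hkey_users\s*\\(?P<sid>S-1-5-21(?:-\d+)+)\\(?P<subkey>.+)$', re.I)
# Categories to look at first (assumed labels, taken from the log lines themselves).
HIGH_RISK = {"backdoor", "rogue security software"}

@dataclass
class Detection:
    when: str
    action: str
    name: str
    category: str
    sid: Optional[str]  # user SID when the key lives under HKEY_USERS, else None
    subkey: str         # path relative to the user hive (or the raw key otherwise)

def parse_line(line: str) -> Optional[Detection]:
    """Parse one record; returns None for lines not in the expected layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    key = m.group("key").strip()
    h = HKU_RE.match(key)
    sid, subkey = (h.group("sid"), h.group("subkey")) if h else (None, key)
    return Detection(m.group("when"), m.group("action").strip(), m.group("name").strip(),
                     m.group("category").strip(), sid, subkey)

def parse_log(text: str) -> List[Detection]:
    return [d for d in map(parse_line, text.splitlines()) if d is not None]

def triage(text: str) -> List[str]:
    """Names of high-risk hits found under a user's HKEY_USERS branch."""
    return [d.name for d in parse_log(text)
            if d.sid is not None and d.category.lower() in HIGH_RISK]
```

The parsed `sid` and `subkey` are what you would compare against the contents of a quarantine folder or a restore point when deciding whether a repeat hit is a live key or, as turned out here, a leftover that a scanner keeps re-reporting.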

#13 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,470 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:03:31 AM

Posted 01 April 2009 - 08:55 PM

These lines are false positives and can be ignored. I confirmed it with sUBs, the creator of CF, and they are harmless. Without going too much into the technical details of why they are there after running CF, I can confirm that they are indeed harmless and can just be ignored. There is no infection there.

#14 aland08

aland08
  • Topic Starter

  • Members
  • 210 posts
  • OFFLINE
  • Local time:03:31 AM

Posted 01 April 2009 - 10:30 PM

Harry,

Thanks... Let's just say that I understand more than I did :thumbsup: FYI... I believe the reason that the items are in a quarantine folder is because the info that I posted in this thread was after CA Antispy quarantined them. Prior to being quarantined, there was no reference made to quarantine.
-------------------------------------------------------

Lawrence,

Thank you!!

Alan :flowers:



