Trend Micro HouseCall picked these out. Trojans??

Several of my friends have been hacked lately. I have AVG Free, use the Win7 firewall and also am on a router. I use SpywareBlaster as well. I generally run a security check at Gibson Research every quarter and an online scan about once a month. I used the New Trend Micro HouseCall free online scan today. First I ran the Quick Scan and it was fine, then I ran a full scan and it pulled these two files up listing them as trojans.

AMPEG2P.zip and paradox.exe: TROJ_GEN.r47C3II

Well I did find some information, but for the most part, I'm thinking these are false positives (I hope), at least on the first one, but I'm truly unsure about the second one. I even searched this site and got nothing for information.

On the first, AMPEG2P.zip, could be a legit file, but I couldn't find that either, at least not specifically. What I found was this:

'method for real time transcoding a MPEG2 p frame into H.263 P frame in a compressed domain'

I've had a terrible time finding anything out about paradox.exe except these:


What you should do about VISTA ACTIVATION CRACK BY PARADOX.EXE:
The most common objects with the name of VISTA ACTIVATION CRACK BY PARADOX.EXE have yet to be classified as safe by our research department.

If you are concerned that your PC might be infected why not try our Free version of Prevx 3.0. It will thoroughly check your PC for millions of active Spyware and malware infections and takes less than 2 minutes. Don't take the risk, check your PC now.

Download Prevx 3.0
What we know about VISTA ACTIVATION CRACK BY PARADOX.EXE:

VISTA ACTIVATION CRACK BY PA.....EXE
AUTOMATED MALWARE PROFILE, ANALYSIS, REMOVAL AND SIGNATURE INFORMATION:
DEFINITION OF: VISTA ACTIVATION CRACK BY PA.....EXE
Safety Rating: Known malware, do not run
Protection: Prevx provides powerful security products that you can use to detect, remove and protect you from VISTA ACTIVATION CRACK BY PA.....EXE and safeguard your PC against viruses, trojans, worms, spyware, rootkits and adwareWhy risk having spyware on your PC when it takes less than 2 minutes to thoroughly check it with Prevx CSI? Click here to check your PC with Prevx CSI Now.
First seen: Mar 4 2007 (GMT)
Last seen: Mar 4 2007 (GMT)
File Size: 297,102 bytes


And several downloads which were all similar in listing:


← Back to "Adobe Photoshop CS2 Keygen" search resultsAdobe Photoshop CS2 Keygen PARADOX.exe Applications
Cached .torrent download
Trackers: (aggregated from BitTorrent sites everywhere for reliability and speed)

Tracker down, last changed 18.2 hours ago
0 seeds, 1 leechers, 0 downloads
http://tracker.publicbt.com:80/announcetra...om:80/announce: 0 seeds

Tracker down, last changed - hours ago
? seeds, ? leechers, ? downloads
Original, primary tracker
http://tracker.openbittorrent.com:80/annou...om:80/announce: ? seeds

File: Adobe Photoshop CS2 Keygen PARADOX.exe


219.06 KB in 1 file. Torrent created 185.8 weeks ago.

info_hash: e0bac2641898522017340156196cd297f4ea4387 (?)



Well, that's where it gets tricky. I bought this computer from a friend. It came with VISTA (I have the original copy), but he loaded Windows 7 on it (I bought and still have a legit copy, but he said he could get me a copy for much less, so I should save mine for when I replace my other computer which still runs XP).....now I'm wondering....do I have a bogus copy of Win7, or is this an actual trojan?

Thanks!

Hello,it appears they sold you pirated software( VISTA ACTIVATION CRACK)and then used a dangerous (PARADOX.EXE) Key generator to make it run.
Plus it appears to be infected .... Safety Rating: Known malware, do not run
can you do a system file search for this and post back it's path...AMPEG2P.zip

EDIT: also gave you a pirated PhotShop. these are probably full of malware.

Please download CKScanner and save it to your Desktop. <-Important!!!

• Double-click on CKScanner.exe and click Search For Files.
• If using Vista, right-click on it and Run As Administrator.
• After a very short time, when the cursor hourglass disappears, click Save List To File.
• A text file will be created on your desktop named ckfiles.txt.
• Click OK at the file saved message box.
• Double-click the ckfiles.txt icon on your desktop to open the log and copy/paste the contents in your next reply.

Next run MBAM (MalwareBytes):

Please download Malwarebytes Anti-Malware and save it to your desktop.Download Link 1
Download Link 2
MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

• Make sure you are connected to the Internet.
• Double-click on mbam-setup.exe to install the application.
  For instructions with screenshots, please refer to the How to use Malwarebytes' Anti-Malware Guide.
• When the installation begins, follow the prompts and do not make any changes to default settings.
• When installation has finished, make sure you leave both of these checked:
  • Update Malwarebytes' Anti-Malware
  • Launch Malwarebytes' Anti-Malware
• Then click Finish.

MBAM will automatically start and you will be asked to update the program before performing a scan.

• If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
• If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.

On the Scanner tab:

• Make sure the "Perform Quick Scan" option is selected.
• Then click on the Scan button.
• If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
• The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
• When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
• Click OK to close the message box and continue with the removal process.

Back at the main Scanner screen:

• Click on the Show Results button to see a list of any malware that was found.
• Make sure that everything is checked, and click Remove Selected.
• When removal is completed, a log report will open in Notepad.
• The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
• Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
• Exit MBAM when done.

Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

Edited by boopme, 01 October 2010 - 08:16 PM.

Sorry, just woke up.
I can answer one of these right away.
I found the file on my old, 2nd harddrive (E:) and the free stranding TB (J:) I use for backup and storage, it wasn't on the main C: harddrive.

J:\aleta\My Documents\master save\wow\cd burner programs\nero 5.5 6.4 Date modified 5/9/2002 11:40 AM

It was also on E: same path

I'll run the others you requested and post back with them.
Thanks!

Again a quick search and the paradox.exe also is not on the main harddrive (C:), but it's on the other 2 (E:) and (J:) same path. Oh the only things that showed up on (C:) were the web pages from my search for information.

The thing is, I bought the computer from CompUSA that the (E:) harddrive came from, and the nero program came with that computer as part of the program pack. I still have the disk. I checked the original disk and it also has the paradox.exe and the other file as well.

These are programs I don't use anymore. They got brought in to this computer via the old harddrive, but I don't use the programs on it, basically I kept it for the extra space and the documents, photos, etc. that were on it.

The only time I ever had photoshop CS on my machine was the free time to try it downloaded directly from Adobe. I uninstalled it at the end of the trial.

Also, my computer is an authorized Dell machine. It just came with Vista and I hate Vista. Give me XP or Win7, but I didn't like Vista at all, so I simply replaced the OS, upgraded the memory and graphics card and only added the programs that I actually use on the main drive.

I also run regular Windows Updates, I don't let it go automated, but I run it manually once a week and it seems MS would know if Win7 Ultima was a pirated copy, as there was an update some months back specifically meant to target bad keys. I called my friend and he said it came from a legit distributor who was just doing his company's promotion and selling the copies at a reduced rate for a short period of time.

I also still had housecall up at the results and action section. I had it 'fix' the files found and it is now running another full scan. Since the files were on the old harddrive, and I don't use those programs, and on the back up, which I just had a mirror of the (E:) drive, in case that harddrive crapped out on me, it doesn't matter if those files were wiped. (I should really clean up the old drives....I'm such a pack rat....and get rid of the older programs and such). I run housecall, or another online scanner once a month, so I"m surprised that it pulled out those files as they've been there for years, and just now getting picked out.

If housecall comes up clean this time, I'll let you know, and once it's done scanning, I'll run the others you recommended.
Thanks again and I'll post back when complete.

Edited by Lithial, 02 October 2010 - 07:30 AM.

While the scan is running, I did some more checking on the paradox.exe since the Vista hack was first seen in 2007 and the files I have with it are dated in 2002. The file in my computer actually had a logo attached which was the same as on the disk that came from CompUSA. The file name is paradox.exe and was the file on my computer, whereas the reference I found online to the Vista hack lists it as PARADOX.exe or PARADOX.EXE, and I found another reference to a similar key hack as PaRaDoX.exe with a few variations of the location(s) of the capital letters.

The 2nd full scan with HouseCall, after letting it 'fix' the items, came up clean.


The CKScanner results:

CKScanner - Additional Security Risks - These are not necessarily bad
scanner sequence 3.MN.11
----- EOF -----

And the remaining results:


Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4733

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

10/2/2010 12:02:42 PM
mbam-log-2010-10-02 (12-02-42).txt

Scan type: Quick scan
Objects scanned: 133803
Time elapsed: 3 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel\Homepage (Hijack.Homepage) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


I was surprised to see the one registry entry for a hijack, but as I said, I use SpywareBlaster and it prevents anything from changing my homepage and I keep it set so that I have to change the setting if I want to change my homepage. It can't be done from IE. I also use CCleaner once a month, or more if needed.

Thank you so much! I'll hang on to these programs. You guys are terrific! Between your site and Geekstogo, I've learned enough to keep my system as safe as I can, and know I can count on your help and knowledge base when something out of the ordinary happens.

I would say that we can close this now, unless you think there's anything further that I should do.

Thanks again!!

Edited by Lithial, 02 October 2010 - 11:27 AM.

Ok, you're welcome.
If your security software locks your home page then please have MBAM set this to ignore as long as you use Spyware Blaster. It is only saying the home page had a change attempted and was reset.