
Am I being watched?


  • This topic is locked
43 replies to this topic

#1 Lombardi Rahm


Posted 22 February 2011 - 05:26 PM

Grinler saw nothing in my network scan so he directed me here.
Since I am running WIN7 on a 64-bit machine, DDS did not work. Instead I used RSIT, and attached are the two files.
The GMER file is forthcoming.

Original Post

An ApplicUnsaf\win32 malicious file was reported by Comodo. Perhaps a false positive, but it compelled me to run a HijackThis log and consult someone with expertise to find out if something has found its way into my small business network.

Although I am confident my network is safe, I am not sure if, by opening an email, a spy sniper or spy software has been installed and whether an outsider is able to view all my display screens.

I want to confirm if someone, who may actually be reading all our correspondence just as well, is in fact doing this, or if I am paranoid.

I received an email from someone I knew that said he would be watching my computers.

Attached: GMER report.

Looking into these spy programs, I think it might be a program like SniperSpy Remote Spy that got put on my network when I read the guy's email.

Merged posts. ~ OB

Edited by Orange Blossom, 22 February 2011 - 10:31 PM.



#2 m0le

  • Malware Response Team

Posted 27 February 2011 - 09:21 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks :thumbup2:
m0le is a proud member of UNITE

#3 Lombardi Rahm

  • Topic Starter

Posted 28 February 2011 - 12:56 AM

I am here, thanks for picking up the thread.

#4 m0le

  • Malware Response Team

Posted 28 February 2011 - 03:16 PM

First thing we need to do is to replace the Gmer scan with another scanner.

Please download Sophos Anti-rootkit & save it to your desktop.
alternate download link
Note: If using the vendor's download site you will be asked to register with MySophos so an email containing an activation link can be sent to your email address.

Be sure to print out and read the Sophos Anti-Rootkit User Manual and Release Notes.
  • Double-click sar_15_sfx.exe to begin the installation, read the license agreement and click Accept.
  • Allow the default location of C:\Program Files\Sophos\Sophos Anti-Rootkit and click Install.
  • A message will appear "Sophos Anti-Rootkit was successfully installed. Click 'yes' to start it now".
  • Click Yes and allow the driver and its randomly named .tmp file (i.e. F.tmp) to load if asked.
  • If the scan did not start automatically, make sure the following are checked:
    • Running processes
    • Windows Registry
    • Local Hard Drives
  • Click Start scan.
  • Sophos Anti-Rootkit will scan the selected areas and display any suspicious files in the upper panel.
  • When the scan is complete, a pop-up screen will appear with "Rootkit Scan Results". Click OK to continue.
  • Click on the suspicious file to display more information about it in the lower panel which also includes whether the item is recommended for removal.
    • Files tagged as Removable: No are not marked for removal and cannot be removed.
    • Files tagged as Removable: Yes (clean up recommended) are marked for removal by default.
    • Files tagged as Removable: Yes (but clean up not recommended) are not marked for removal because Sophos did not recognize them. These files will require further investigation.
  • Select only items recommended for removal, then click "Clean up checked items". You will be asked to confirm, click Yes.
  • A pop up window will appear advising the cleanup will finish when you restart your computer. Click Restart Now.
  • After reboot, a dialog box displays the files you selected for removal and the action taken.
  • Click Empty list and then click Continue to re-scan your computer a second time to ensure everything was cleaned.
  • When done, go to Start > Run and type or copy/paste: %temp%\sarscan.log
  • This should open the log from the rootkit scan. Please post this log in your next reply. If you have a problem, you can find sarscan.log in C:\Documents and Settings\<username>\Local Settings\Temp\.
Before performing an ARK scan it is recommended to do the following to ensure more accurate results and avoid common issues that may cause false detections.
  • Disconnect from the Internet or physically unplug your Internet cable connection.
  • Clean out your temporary files.
  • Close all open programs, scheduling/updating tasks and background processes that might activate during the scan including the screensaver.
  • Temporarily disable your anti-virus and real-time anti-spyware protection.
  • After starting the scan, do not use the computer until the scan has completed.
  • When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.


#5 Lombardi Rahm

  • Topic Starter

Posted 01 March 2011 - 07:10 AM

Requested file attached.

#6 m0le

  • Malware Response Team

Posted 03 March 2011 - 04:54 PM

Please run MBAM and SAS

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application or, if you are using Vista, right-click and select Run As Administrator on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
    If MBAM won't update then download and update MBAM on a clean computer then save the rules.ref folder to a memory stick. This file is found here: 'C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware' then transfer it across to the infected computer.
  • On the Scanner tab:
    • Make sure the "Perform Full Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.


Then

Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.


#7 Lombardi Rahm

  • Topic Starter

Posted 05 March 2011 - 05:42 PM

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5950

Windows 6.1.7600
Internet Explorer 9.0.7930.16406

3/4/2011 11:45:36 AM
mbam-log-2011-03-04 (11-45-36).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 916632
Time elapsed: 5 hour(s), 52 minute(s), 50 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 03/05/2011 at 02:58 PM

Application Version : 4.49.1000

Core Rules Database Version : 6538
Trace Rules Database Version: 4350

Scan type : Complete Scan
Total Scan Time : 02:27:25

Memory items scanned : 632
Memory threats detected : 0
Registry items scanned : 14923
Registry threats detected : 0
File items scanned : 74121
File threats detected : 0

#8 m0le

  • Malware Response Team

Posted 06 March 2011 - 01:31 PM

Well, that's a clean set of logs. Please run BitDefender next.

Please run a BitDefender QuickScan
  • Click Start Scanner
  • Click Start Scan
    If you are running Firefox you should accept the installation of the Plug-in and restart Firefox.
    If you are running Internet Explorer then allow the ActiveX control to install when prompted.
  • Click Start Scan
  • Check the I ACCEPT box on the EULA and click OK
When the scan has finished (it should take about a minute), click View Log and copy and paste the log into your next reply.

#9 Lombardi Rahm

  • Topic Starter

Posted 07 March 2011 - 08:20 AM

QuickScan Beta 32-bit v0.9.9.77
-------------------------------
Scan date: Mon Mar 07 07:18:11 2011
Machine ID: E43E3168



No infection found.
-------------------



Processes
---------
(unsigned) Cobian Backup 2876 C:\Program Files (x86)\Cobian Backup 10\cbInterface.exe
(unsigned) Cobian Backup Boletus 3960 C:\Program Files (x86)\Cobian Backup 10\Cobian.exe

(verified) Dropbox 3756 C:\Users\KT\AppData\Roaming\Dropbox\bin\Dropbox.exe
(verified) Firefox 2436 C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(verified) Jing 3944 C:\Program Files (x86)\TechSmith\Jing\Jing.exe
(verified) Secunia PSI Tray 3976 C:\Program Files (x86)\Secunia\PSI\psi_tray.exe
(verified) ThreatFire 3192 C:\Program Files (x86)\ThreatFire\TFTray.exe


Network activity
----------------
Process firefox.exe (2436) connected on port 80 (HTTP) --> 74.125.225.16
Process firefox.exe (2436) connected on port 80 (HTTP) --> 66.220.146.15
Process firefox.exe (2436) connected on port 443 (HTTP over SSL) --> 74.125.95.138
Process firefox.exe (2436) connected on port 80 (HTTP) --> 74.125.95.101
Process firefox.exe (2436) connected on port 443 (HTTP over SSL) --> 74.84.128.88
Process firefox.exe (2436) connected on port 443 (HTTP over SSL) --> 74.125.225.16
Process firefox.exe (2436) connected on port 443 (HTTP over SSL) --> 209.85.225.97
Process firefox.exe (2436) connected on port 443 (HTTP over SSL) --> 74.125.95.132
Process firefox.exe (2436) connected on port 443 (HTTP over SSL) --> 74.125.95.136
Process firefox.exe (2436) connected on port 80 (HTTP) --> 66.220.149.25
Process Dropbox.exe (3756) connected on port 80 (HTTP) --> 174.36.30.27

Process Dropbox.exe (3756) listens on ports: 17500


Autoruns and critical files
---------------------------
(unsigned) Cobian Backup Boletus C:\Program Files (x86)\Cobian Backup 10\Cobian.exe
(unsigned) DesktopOK 2.15 C:\Users\KT\Documents\Desktop OK\DesktopOK_x64.exe
(unsigned) Mozilla Firefox C:\Program Files (x86)\Mozilla Firefox
(unsigned) synergys.exe C:\Program Files (x86)\Synergy\synergys.exe
(unsigned) WD Drive Manager C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe

(verified) COMODO Internet Security C:\Windows\SysWOW64\guard32.dll
(verified) Dropbox C:\Users\KT\AppData\Roaming\Dropbox\bin\Dropbox.exe
(verified) Google Update C:\Users\KT\AppData\Local\Google\Update\GoogleUpdate.exe
(verified) Jing C:\Program Files (x86)\TechSmith\Jing\Jing.exe
(verified) Microsoft® Windows® Operating System C:\Windows\system32\ssText3d.scr
(verified) Microsoft® Windows® Operating System C:\Windows\system32\userinit.exe
(verified) Secunia PSI Tray C:\Program Files (x86)\Secunia\PSI\psi_tray.exe
(verified) ThreatFire C:\Program Files (x86)\ThreatFire\TFTray.exe


Browser plugins
---------------
(unsigned) Google Earth Plugin C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll
(unsigned) Java™ Platform SE 6 U22 C:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll
(unsigned) QuickTime Plug-in 7.6.8 C:\Program Files (x86)\Internet Explorer\plugins\npqtplugin.dll
(unsigned) QuickTime Plug-in 7.6.8 C:\Program Files (x86)\Internet Explorer\plugins\npqtplugin2.dll
(unsigned) QuickTime Plug-in 7.6.8 C:\Program Files (x86)\Internet Explorer\plugins\npqtplugin3.dll
(unsigned) QuickTime Plug-in 7.6.8 C:\Program Files (x86)\Internet Explorer\plugins\npqtplugin4.dll
(unsigned) QuickTime Plug-in 7.6.8 C:\Program Files (x86)\Internet Explorer\plugins\npqtplugin5.dll
(unsigned) QuickTime Plug-in 7.6.8 C:\Program Files (x86)\Internet Explorer\plugins\npqtplugin6.dll
(unsigned) QuickTime Plug-in 7.6.8 C:\Program Files (x86)\Internet Explorer\plugins\npqtplugin7.dll
(unsigned) QuickTime Plug-in 7.6.8 C:\Program Files (x86)\Mozilla Firefox\plugins\npqtplugin.dll
(unsigned) QuickTime Plug-in 7.6.8 C:\Program Files (x86)\Mozilla Firefox\plugins\npqtplugin2.dll
(unsigned) QuickTime Plug-in 7.6.8 C:\Program Files (x86)\Mozilla Firefox\plugins\npqtplugin3.dll
(unsigned) QuickTime Plug-in 7.6.8 C:\Program Files (x86)\Mozilla Firefox\plugins\npqtplugin4.dll
(unsigned) QuickTime Plug-in 7.6.8 C:\Program Files (x86)\Mozilla Firefox\plugins\npqtplugin5.dll
(unsigned) QuickTime Plug-in 7.6.8 C:\Program Files (x86)\Mozilla Firefox\plugins\npqtplugin6.dll
(unsigned) QuickTime Plug-in 7.6.8 C:\Program Files (x86)\Mozilla Firefox\plugins\npqtplugin7.dll
(unsigned) RadioWMPCore.dll C:\Users\KT\AppData\Roaming\Mozilla\Firefox\Profiles\le6tvej6.default\extensions\engine@conduit.com\components\RadioWMPCore.dll
(unsigned) RadioWMPCore.dll C:\Users\KT\AppData\Roaming\Mozilla\Firefox\Profiles\le6tvej6.default\extensions\{1392b8d2-5c05-419f-a8f6-b9f15a596612}\components\RadioWMPCore.dll

(verified) Adobe PDF Toolbar for IE c:\program files (x86)\common files\adobe\acrobat\activex\acroiefavclient.dll
(verified) BitDefender QuickScan C:\Users\KT\AppData\Roaming\Mozilla\Firefox\Profiles\le6tvej6.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
(verified) Conduit Toolbar c:\program files (x86)\freesoundrecorder\tbfree.dll
(verified) FFExternalAlert.dll C:\Users\KT\AppData\Roaming\Mozilla\Firefox\Profiles\le6tvej6.default\extensions\{32b29df0-2237-4370-9a29-37cebb730e9b}\components\FFExternalAlert.dll
(verified) Foxit Reader Plugin for Mozilla C:\Program Files (x86)\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll
(verified) Google Talk Plugin C:\Users\KT\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll
(verified) Google Talk Plugin Video Accelerator C:\Users\KT\AppData\Roaming\Mozilla\plugins\npgtpo3dautoplugin.dll
(verified) Google Update C:\Program Files (x86)\Google\Update\1.2.183.39\npGoogleOneClick8.dll
(verified) Google Update C:\Users\KT\AppData\Local\Google\Update\1.2.183.39\npGoogleOneClick8.dll
(verified) Java Deployment Toolkit 6.0.220.4 C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll
(verified) LastPass Toolbar c:\program files (x86)\lastpass\lpbar.dll
(verified) Microsoft Support Diagnostic Tool C:\Windows\Downloaded Program Files\MSDCode.DLL
(verified) Microsoft® Windows® Operating System C:\Windows\System32\mswsock.dll
(verified) Microsoft® Windows® Operating System C:\Windows\system32\napinsp.dll
(verified) Microsoft® Windows® Operating System C:\Windows\system32\NLAapi.dll
(verified) Microsoft® Windows® Operating System C:\Windows\system32\pnrpnsp.dll
(verified) Microsoft® Windows® Operating System C:\Windows\System32\winrnr.dll
(verified) Mozilla Default Plug-in C:\Program Files (x86)\Mozilla Firefox\plugins\npnul32.dll
(verified) NPSWF32.dll C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
(verified) Picasa C:\Program Files (x86)\Google\Picasa3\npPicasa3.dll
(verified) RadioWMPCore.dll C:\Users\KT\AppData\Roaming\Mozilla\Firefox\Profiles\le6tvej6.default\extensions\{32b29df0-2237-4370-9a29-37cebb730e9b}\components\RadioWMPCore.dll
(verified) RadioWMPCoreGecko19.dll C:\Users\KT\AppData\Roaming\Mozilla\Firefox\Profiles\le6tvej6.default\extensions\engine@conduit.com\components\RadioWMPCoreGecko19.dll
(verified) RadioWMPCoreGecko19.dll C:\Users\KT\AppData\Roaming\Mozilla\Firefox\Profiles\le6tvej6.default\extensions\{1392b8d2-5c05-419f-a8f6-b9f15a596612}\components\RadioWMPCoreGecko19.dll
(verified) sdhelper.dll c:\program files (x86)\spybot - search & destroy\sdhelper.dll
(verified) Windows Activation Technologies C:\Windows\system32\Wat\npWatWeb.dll
(verified) Windows® Internet Explorer c:\windows\syswow64\ieframe.dll


Scan
----
(unsigned) MD5: 93e4d6184b772a861f91f98a064390ae C:\Program Files (x86)\AddinForUNCFAT\UNCFATDMS.exe
(unsigned) MD5: 6ac704215fb264f0db99b4034101dd54 C:\Program Files (x86)\Cobian Backup 10\cbEngine.dll
(unsigned) MD5: 9e2944289377456ddc4fe3b50f39b5a0 C:\Program Files (x86)\Cobian Backup 10\cbInterface.exe
(unsigned) MD5: ed5411a69c5bac78d245c893af64352a C:\Program Files (x86)\Cobian Backup 10\cbVSCService.exe
(unsigned) MD5: d1155b7d2235edbb459524863480b51e C:\Program Files (x86)\Cobian Backup 10\Cobian.exe
(unsigned) MD5: f76d04f7413b07daa029f6520b64b4e8 C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
(unsigned) MD5: 008e8aca17692ca701792ea76641bc78 C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll
(unsigned) MD5: 5af9bf694133d557014e1481743f3846 C:\Program Files (x86)\Google\Google Gears\Firefox\lib\ff36\gears.dll
(unsigned) MD5: e55be7a502b3a78f32ba3a208f6874b7 C:\Program Files (x86)\Internet Explorer\plugins\npqtplugin.dll
(unsigned) MD5: e55be7a502b3a78f32ba3a208f6874b7 C:\Program Files (x86)\Internet Explorer\plugins\npqtplugin2.dll
(unsigned) MD5: e55be7a502b3a78f32ba3a208f6874b7 C:\Program Files (x86)\Internet Explorer\plugins\npqtplugin3.dll
(unsigned) MD5: e55be7a502b3a78f32ba3a208f6874b7 C:\Program Files (x86)\Internet Explorer\plugins\npqtplugin4.dll
(unsigned) MD5: e55be7a502b3a78f32ba3a208f6874b7 C:\Program Files (x86)\Internet Explorer\plugins\npqtplugin5.dll
(unsigned) MD5: e55be7a502b3a78f32ba3a208f6874b7 C:\Program Files (x86)\Internet Explorer\plugins\npqtplugin6.dll
(unsigned) MD5: e55be7a502b3a78f32ba3a208f6874b7 C:\Program Files (x86)\Internet Explorer\plugins\npqtplugin7.dll
(unsigned) MD5: 3ed8e561044723c6039a8a20a3ae60cc C:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll
(unsigned) MD5: 45bda3d349da131faf7192c3c6124d3b C:\Program Files (x86)\Mozilla Firefox\freebl3.dll
(unsigned) MD5: 3d92a3102a75d75cf165bb2503db2d05 C:\Program Files (x86)\Mozilla Firefox\nssdbm3.dll
(unsigned) MD5: e55be7a502b3a78f32ba3a208f6874b7 C:\Program Files (x86)\Mozilla Firefox\plugins\npqtplugin.dll
(unsigned) MD5: e55be7a502b3a78f32ba3a208f6874b7 C:\Program Files (x86)\Mozilla Firefox\plugins\npqtplugin2.dll
(unsigned) MD5: e55be7a502b3a78f32ba3a208f6874b7 C:\Program Files (x86)\Mozilla Firefox\plugins\npqtplugin3.dll
(unsigned) MD5: e55be7a502b3a78f32ba3a208f6874b7 C:\Program Files (x86)\Mozilla Firefox\plugins\npqtplugin4.dll
(unsigned) MD5: e55be7a502b3a78f32ba3a208f6874b7 C:\Program Files (x86)\Mozilla Firefox\plugins\npqtplugin5.dll
(unsigned) MD5: e55be7a502b3a78f32ba3a208f6874b7 C:\Program Files (x86)\Mozilla Firefox\plugins\npqtplugin6.dll
(unsigned) MD5: e55be7a502b3a78f32ba3a208f6874b7 C:\Program Files (x86)\Mozilla Firefox\plugins\npqtplugin7.dll
(unsigned) MD5: 9fc405765fabe03d708ddd2909e6fc70 C:\Program Files (x86)\Mozilla Firefox\softokn3.dll
(unsigned) MD5: 9eb3b683a7badea98b91b4f6478b5d3b C:\Program Files (x86)\Synergy\synergys.exe
(unsigned) MD5: da631fee06408776e52795ac7d2f8cef C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe
(unsigned) MD5: be2ffed9a5393814c5ebab8e723680d8 C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe
(unsigned) MD5: 6d74290856347cf8682277a54b433d4b C:\Users\KT\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
(unsigned) MD5: b919cf6730e0e6c154837d08f7042909 C:\Users\KT\AppData\Roaming\Dropbox\bin\Python25.dll
(unsigned) MD5: 34c084b321ea0308c58eed1cf6b5fb02 C:\Users\KT\AppData\Roaming\Mozilla\Firefox\Profiles\le6tvej6.default\extensions\engine@conduit.com\components\RadioWMPCore.dll
(unsigned) MD5: 3374d5470b3f9a810e066db932833a49 C:\Users\KT\AppData\Roaming\Mozilla\Firefox\Profiles\le6tvej6.default\extensions\support@lastpass.com\platform\WINNT_x86-msvc\components\lpxpcom.dll
(unsigned) MD5: 34c084b321ea0308c58eed1cf6b5fb02 C:\Users\KT\AppData\Roaming\Mozilla\Firefox\Profiles\le6tvej6.default\extensions\{1392b8d2-5c05-419f-a8f6-b9f15a596612}\components\RadioWMPCore.dll
(unsigned) MD5: 7e96230475019949599be37f99e001a3 C:\Users\KT\Documents\Desktop OK\DesktopOK_x64.exe
(unsigned) MD5: 375640f39f2d613b6fdcf8c2f956205a c:\wamp\bin\apache\apache2.2.11\bin\httpd.exe
(unsigned) MD5: 6b3569b08cf6aa9023281b09426e9ad2 C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\f58ab951b57c8526430486dcf7ee38fd\mscorlib.ni.dll
(unsigned) MD5: ad023f0de29e0378fb98ebcc28eabdd8 C:\Windows\assembly\NativeImages_v2.0.50727_32\PresentationCore\74f3fc09a810d9b704a80ee8c18d9d04\PresentationCore.ni.dll
(unsigned) MD5: f683259f1e6ebc8af76b24c59d24d40f C:\Windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\9e58e5346c3d0c341258f7c276a99121\PresentationFramework.ni.dll
(unsigned) MD5: 07b5b1ca3979f131cf5827e8dd60414f C:\Windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\caa7dd69e03dada6747085a5f2d4fb0c\PresentationFramework.Aero.ni.dll
(unsigned) MD5: d689e8f39bbbb41b8f2704f85220590a C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\4be2653d1c9804d2ff6e6b66d22764e1\System.Configuration.ni.dll
(unsigned) MD5: 0e8deab79bf37617c41783c99684190e C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\fdeec42fa02f3d789c42be2e33b130eb\System.Drawing.ni.dll
(unsigned) MD5: 1383868bf3724167026f8db984718b6d C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\f92c882fd4e7005c005e208daa04c28d\System.Windows.Forms.ni.dll
(unsigned) MD5: f55e3a708c1b6db16a64c40c3d8bfb88 C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\3060dfcdecbeb8ee65077fb29b217c3d\System.Xml.ni.dll
(unsigned) MD5: 306f368dceeccd7b856814ca9adafb63 C:\Windows\assembly\NativeImages_v2.0.50727_32\System\500ddd904b1099f95552a81b54223b7f\System.ni.dll
(unsigned) MD5: b3a00fd029974eaf92a4f447d7ff0b2c C:\Windows\assembly\NativeImages_v2.0.50727_32\WindowsBase\3c0fbe23fa37ca50fea3dbe200b40f7a\WindowsBase.ni.dll
(unsigned) MD5: 0c83fc56707bf68db04947052a8188b1 C:\Windows\system32\astsrv.exe


No file uploaded.

Scan finished - communication took 12 sec
Total traffic - 0.04 MB sent, 3.92 KB recvd
Scanned 570 files and modules - 45 seconds

==============================================================================
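As an added example (not code from the thread, from BitDefender, or from the poster), the Python below parses the QuickScan log layout shown in the post above and pulls out what a reviewer of such a log checks first: unsigned code loading from user-writable paths, processes listening for inbound connections, and one hash present at several paths. The sample lines are constructed in that format (paths and hashes mirror entries from the log, the peer IP is a documentation address); the "unsigned in a user-writable location" rule is my own triage assumption, not a QuickScan feature.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the QuickScan log above; paths and hashes
# mirror entries from that log, the peer IP is a documentation address.
SAMPLE_LOG = r"""
Processes
---------
(unsigned) Cobian Backup 2876 C:\Program Files (x86)\Cobian Backup 10\cbInterface.exe
(verified) Dropbox 3756 C:\Users\KT\AppData\Roaming\Dropbox\bin\Dropbox.exe

Network activity
----------------
Process firefox.exe (2436) connected on port 443 (HTTP over SSL) --> 192.0.2.10
Process Dropbox.exe (3756) listens on ports: 17500

Autoruns and critical files
---------------------------
(unsigned) DesktopOK 2.15 C:\Users\KT\Documents\Desktop OK\DesktopOK_x64.exe
(unsigned) synergys.exe C:\Program Files (x86)\Synergy\synergys.exe

Browser plugins
---------------
(unsigned) RadioWMPCore.dll C:\Users\KT\AppData\Roaming\Mozilla\Firefox\Profiles\le6tvej6.default\extensions\engine@conduit.com\components\RadioWMPCore.dll
(verified) Mozilla Default Plug-in C:\Program Files (x86)\Mozilla Firefox\plugins\npnul32.dll

Scan
----
(unsigned) MD5: e55be7a502b3a78f32ba3a208f6874b7 C:\Program Files (x86)\Internet Explorer\plugins\npqtplugin.dll
(unsigned) MD5: e55be7a502b3a78f32ba3a208f6874b7 C:\Program Files (x86)\Mozilla Firefox\plugins\npqtplugin.dll
(unsigned) MD5: 7e96230475019949599be37f99e001a3 C:\Users\KT\Documents\Desktop OK\DesktopOK_x64.exe
"""

SECTIONS = {"Processes", "Network activity", "Autoruns and critical files",
            "Browser plugins", "Scan"}
PROC_RE = re.compile(r"^\((unsigned|verified)\) (.+) (\d+) ([A-Za-z]:\\.*)$")
ENTRY_RE = re.compile(r"^\((unsigned|verified)\) (.+?) ([A-Za-z]:\\.*)$")
HASH_RE = re.compile(r"^\((unsigned|verified)\) MD5: ([0-9a-f]{32}) ([A-Za-z]:\\.*)$")
LISTEN_RE = re.compile(r"^Process (\S+) \((\d+)\) listens on ports: (.+)$")
CONNECT_RE = re.compile(r"^Process (\S+) \((\d+)\) connected on port (\d+) \((.*?)\) --> (\S+)$")

# Assumption (mine, not a QuickScan rule): unsigned code loaded from a location an
# ordinary user can write to deserves a closer look than unsigned code under Program Files.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")

def is_user_writable(path):
    return any(marker in path.lower() for marker in USER_WRITABLE)

def parse_quickscan(text):
    """Split a QuickScan log into per-section lists of parsed entries."""
    parsed = defaultdict(list)
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) == {"-"}:
            continue                      # skip blank lines and dash underlines
        if line in SECTIONS:
            section = line
            continue
        if section == "Processes" and (m := PROC_RE.match(line)):
            parsed[section].append({"status": m[1], "name": m[2], "pid": int(m[3]), "path": m[4]})
        elif section == "Scan" and (m := HASH_RE.match(line)):
            parsed[section].append({"status": m[1], "md5": m[2], "path": m[3]})
        elif section == "Network activity" and (m := LISTEN_RE.match(line)):
            parsed[section].append({"exe": m[1], "pid": int(m[2]), "listen": m[3].split()})
        elif section == "Network activity" and (m := CONNECT_RE.match(line)):
            parsed[section].append({"exe": m[1], "pid": int(m[2]), "port": int(m[3]), "peer": m[5]})
        elif section in ("Autoruns and critical files", "Browser plugins") and (m := ENTRY_RE.match(line)):
            parsed[section].append({"status": m[1], "name": m[2], "path": m[3]})
    return parsed

def triage(text):
    """Return the findings a reviewer of this log would check first."""
    parsed = parse_quickscan(text)
    findings = {"unsigned_user_writable": [], "listeners": [], "shared_hashes": {}}
    for sec in ("Processes", "Autoruns and critical files", "Browser plugins"):
        for e in parsed[sec]:
            if e["status"] == "unsigned" and is_user_writable(e["path"]):
                findings["unsigned_user_writable"].append((sec, e["path"]))
    # Anything accepting inbound connections is worth naming, given the poster's worry.
    for e in parsed["Network activity"]:
        if "listen" in e:
            findings["listeners"].append((e["exe"], e["pid"], e["listen"]))
    # One hash at several paths is one binary copied around; one lookup clears them all.
    by_hash = defaultdict(list)
    for e in parsed["Scan"]:
        by_hash[e["md5"]].append(e["path"])
    findings["shared_hashes"] = {h: p for h, p in by_hash.items() if len(p) > 1}
    return findings
```

Calling triage(SAMPLE_LOG) returns the findings dict; pass the text of a saved QuickScan log instead to run it on a real report.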

#10 m0le

  • Malware Response Team

Posted 07 March 2011 - 08:34 AM

There's nothing there either. I think you're clear of any issues.

Is Comodo still flagging it? If so, can I have a report or the details of what it is registering this threat as and where?

#11 Lombardi Rahm

  • Topic Starter

Posted 07 March 2011 - 03:53 PM

Comodo is not flagging it.

There are three other computers in the network; would you like their reports as well? I imagine something could come through that way and/or evade scanning.

#12 m0le

  • Malware Response Team

Posted 07 March 2011 - 05:15 PM

Do you have Comodo reports for all the other PCs on the network? If so, attach each one naming them PC1, PC2 and PC3 please, otherwise it could get really confusing. :blink:

#13 Lombardi Rahm

  • Topic Starter

Posted 08 March 2011 - 07:18 PM

Attached are Comodo AV reports for 'puters PC2 and PC3.

#14 m0le

  • Malware Response Team

Posted 08 March 2011 - 07:51 PM

Let's take you through the two logs:


PC2

C:\Program Files\Synergy\synergyc.exe TrojWare.Win32.Swizzor.~Gen2@103115731 Detect Success
C:\Program Files\Synergy\synergyc.exe

synergyc.exe is being detected as a known trojan. This is a legitimate file from the software company Synergy. The only way this could be infected would be if this was pirated software.


PC3

C:\$WINDOWS.~Q\DATA\Program Files\COMODO\COMODO Internet Security\Quarantine\EBF0FB2B-3C7E-440A-B205-C2F8901373E5.data|Unsfx|VncViewer.class ApplicUnsaf.Win32.RemoteAdmin.WinVncBased.f@6658930

This is another legitimate file. The same thing applies as with synergyc.exe above.

2011-01-24 23:06:35 C:\$WINDOWS.~Q\DATA\Program Files\COMODO\COMODO Internet Security\Quarantine\9D8BB6A2-D289-4A1C-BC62-BD371D930591.data Heur.Suspicious@132521768
2011-01-24 23:30:49 C:\$WINDOWS.~Q\DATA\Program Files\COMODO\COMODO Internet Security\Quarantine\9D8BB6A2-D289-4A1C-BC62-BD371D930591.data Heur.Suspicious@132521768

These are data files and are considered suspicious purely because they act like malware files. Heur is short for heuristic and this detection process can cause false positives.

2011-02-24 07:03:07 C:\Users\new user\Desktop\gmer.exe Packed.Win32.MUPX.Gen@129019204
2011-02-24 07:03:07 C:\Users\new user\Desktop\gmer.exe Packed.Win32.MUPX.Gen@129019204
2011-02-24 07:03:13 C:\Users\new user\Desktop\gmer.exe

To prove that these programs aren't perfect, here's the rootkit detector Gmer being picked up as packed malware...

Looks like these other PCs are clean from the Comodo logs. I would imagine that these two are now flagging nothing as they have quarantined what they believed to be the threat. Any problems with these two PCs other than that?

#15 Lombardi Rahm

  • Topic Starter

Posted 09 March 2011 - 09:08 AM

Your assumption is correct.

In regards to Synergy and the 2nd item:

The Synergy program was downloaded from their site and offered for free.

What program is the PC3 first line item referring to?

OT:

Pirating? A social engineering tactic deployed by the RIA upon the consumer to maintain a failed business model based upon their own perceived entitlement rather than legitimacy.



