Author Topic: Mail from Adobe: a virus???  (Read 26072 times)
anuswara
« Reply #30 on: February 04, 2012, 04:25:54 PM »

chiron, the adwcleaner seem to see a malware that yesterday your program did not see.
Chiron
« Reply #31 on: February 04, 2012, 04:30:18 PM »

This behavior sounds as if your computer may be infected. Please try following the advice I give in this topic.

Let me know what the three scanners find after step 1. This should help us to diagnose exactly what is going on.

Thank you.
anuswara
« Reply #32 on: February 04, 2012, 04:32:19 PM »

I re-ran Open Autorun Analyzer now: 50 unsafe became 14. Only 14.
anuswara
« Reply #33 on: February 04, 2012, 06:18:54 PM »

Actually I don't know if my PC is infected. I hope to know this tomorrow.

Yesterday only dthtml.exe appeared,

but today... other files!
I don't know why the app did not see these files yesterday.
____________________

kaspersky:
3:55:38.0335 7656   Scan finished
23:55:38.0335 7656   ============================================================
23:55:38.0344 7672   Detected object count: 0
23:55:38.0344 7672   Actual detected object count: 0

________________________________________________________


File unknown after step 1):

https://valkyrie.comodo.com/Result.aspx?sha1=f00e65422ecdbd7fd2440552b773cb6fd8c79d86&&&query=0&filename=dthtml.exe

SHA1:f00e65422ecdbd7fd2440552b773cb6fd8c79d86    Process:Active
Auto Result: Normal    Final Result: Normal
but I see:

AI_Detector_13       Malware       2012-02-05 04:47:42       2012-02-05 04:47:44       2012-02-05 04:47:44

Submitted to the experts because: half good but half malware!!??

Good, to be whitelisted??
https://valkyrie.comodo.com/Result.html?sha1=3c24f2d665bd3f373e8fe2ededc9bf56401fa986&&query=0&&filename=KMProcess.exe

To be whitelisted??
https://valkyrie.comodo.com/Result.html?sha1=6bb9c2b367d2b7668be3154e81cebaf20bb0040e&&query=0&&filename=DTSRVC.exe

Submitted to expert: half good + half malware!!!??? (yesterday this file did not appear!!!)
https://valkyrie.comodo.com/Result.html?sha1=a697da33ab769fc8e961e3ae564fe337b084ea55&&query=0&&filename=hpsysdrv.exe

Submitted to expert: half good + half malware!!??
https://valkyrie.comodo.com/Result.aspx?sha1=5e26a56615d1343053a1959d4786e8362c9db0d0&&&query=0&filename=clmlsvc.exe

_____________________________________

All the **unsafe** files at step 2,
yesterday 12 files, today 14 after the second run! (the only difference: Firefox remains open today):

The same file (see above), before unknown (step 1), then unsafe at step 2 (huh?)
https://valkyrie.comodo.com/Result.aspx?sha1=5e26a56615d1343053a1959d4786e8362c9db0d0&&&query=0&filename=clmlsvc.exe

Malware detector 10: submitted
https://valkyrie.comodo.com/Result.html?sha1=cce2325dc1c214fffcc6e324718df73a174c0616&&query=0&&filename=DT_Startup.exe

Good. To be whitelisted please?
https://valkyrie.comodo.com/Result.html?sha1=f91e52a6e3261ec8f5a68715a10dfba3840cda56&&query=0&&filename=HiDownloadPlatinum.exe

To be whitelisted
https://valkyrie.comodo.com/Result.html?sha1=371754173c1fea170735be6d2a59c776c6d2d00c&&query=0&&filename=CM106.sys

Malware detector 10: subm...
https://valkyrie.comodo.com/Result.html?sha1=261838d7e2f2d613ad59f7bdd36e704a936b287b&&query=0&&filename=hpplsbulk.sys

Malware subm...
https://valkyrie.comodo.com/Result.html?sha1=356fdb583fe452390307d92d2416adcd130bd7c4&&query=0&&filename=claud.ax

To be whitelisted please:
https://valkyrie.comodo.com/Result.html?sha1=74b368ecfde8a88983194d0d6a1389ff29b47f05&&query=0&&filename=hppgfax.exe

98% good. Please whitelist this:
https://valkyrie.comodo.com/Result.html?sha1=d44973f93ab42acef19d22d94c058659a8fe6a23&&query=0&&filename=hppscan2.exe

Malware detector 10 subm...:
https://valkyrie.comodo.com/Result.html?sha1=26c28755f74289e59701181a39454fe099b7b00a&&query=0&&filename=LabelPrint.exe

!!!!!!!!!!!!!!!
MediaInfo, red color!!!! (but this file changes every month: build 50, 51, 52, 53, 54..... every month I install the updated version of mediainfo.exe: perhaps it would be better to whitelist this), but it is reported as Malware, RED colored!!
Malware:ApplicUnwnt.Win32.SMSSend.VE

https://valkyrie.comodo.com/Result.html?sha1=39aa910aa0ebfa4d95dce1284ea74e7ef6696510&&query=0&&filename=MediaInfo.exe

CCE "smart scan" sees it as malware too, at step 4!!!
MediaInfo is useful for me: what to do?

One malware in one scanner:
https://valkyrie.comodo.com/Result.html?sha1=e1b23229f3cf7fc531ff9b52ea7d4b974cbd99b2&&query=0&&filename=hppcappm.dll

and here too
https://valkyrie.comodo.com/Result.html?sha1=5c745389c6dc7d624073df76f9176fec1eeb3428&&query=0&&filename=HPTcpMon.dll

=> photoshop.exe: 44MB!!!! I am unable to add this to Valkyrie!!!

=> muveeapp.exe: 11MB, it stops uploading after 30 minutes... slow ADSL?

These last 2 files will remain Unknown. :(

Please let me know if all the files (except the last 2 that cannot be uploaded) are safe / to be whitelisted.

After we resolve this problem we should consider AdwCleaner with the malware trappolltimemillisecs in HKLM\SOFTWARE\Microsoft\RFC1156Agent, which bypassed the 4 steps.

I posted the links in the whitelist thread too.
I hope that I will receive good news tomorrow ;)

Thanks a lot. Best,
anuswara
« Reply #34 on: February 04, 2012, 07:32:08 PM »

In the meantime...
This is to inform you that false-positive with
<dthtml.exe> (SHA1: <f00e65422ecdbd7fd2440552b773cb6fd8c79d86>)
has been fixed.


This is to inform you that false-positive with
<MediaInfo.exe> (SHA1: <39aa910aa0ebfa4d95dce1284ea74e7ef6696510>)
has been fixed.
You can update to AV database Version <11423> of  Comodo Internet Security Version<5.9.219863.2196> and confirm it.


anuswara
« Reply #35 on: February 04, 2012, 07:37:51 PM »

https://valkyrie.comodo.com/Result.html?sha1=14fc30a68cb7de929859b0412a4a252b20931417

But photoshop.exe is too big, 44MB... nothing done with this file...
Chiron
« Reply #36 on: February 04, 2012, 08:46:18 PM »

> !!!!!!!!!!!!!!!
> MediaInfo, red color!!!! (but this file changes every month: build 50, 51, 52, 53, 54..... every month I install the updated version of mediainfo.exe: perhaps it would be better to whitelist this), but it is reported as Malware, RED colored!!
> Malware:ApplicUnwnt.Win32.SMSSend.VE

Can you please PM me a link to a page about this software so I can investigate it directly? Do not post it on the forums as it may be dangerous.

Thanks.

> But photoshop.exe is too big, 44MB... nothing done with this file...

If you post a link to the download location in the whitelist then they can whitelist it in that way also.

Also, if you wish you can upload it to a site like http://ifile.it/ and post a link to the download in the whitelist topic. That works as well. You can also do the same when reporting a false positive.
anuswara
« Reply #37 on: February 05, 2012, 09:19:04 AM »

Thank you Chiron!

You have a PM with the links to MediaInfo.

Now I am uploading the Photoshop file to ifile.it.
It seems to work well even if NoScript is blocking the scripts from ifile.it.
(Usually, if you want to upload/download a file to/from hosting sites you MUST allow NoScript to accept and execute the scripts... otherwise you are unable to get what you need... but, doing so, you will install malware from the hosting site!! Therefore I am very happy and grateful to you for this ifile.it, which seems to be a trusted site!! Very good :) )

=> In total I uploaded 19 files: 5 from step 1, 14 from step 2, including the big file that I am still uploading now...

dthtml.exe and mediainfo.exe have been fixed and the Comodo engineers consider them false positives. OK.

Now I wait for the report on the remaining files (to be whitelisted).

Then I will run all your 4 steps again to finally get "There are no items", I hope ;)

Then the conclusions of this "adventure" ;)

Thanks.
anuswara
« Reply #38 on: February 05, 2012, 09:36:04 AM »

Now all my files (unknown + unsafe) have been posted in the Whitelist topic.

I will wait until all 19 files have been processed and approved by Comodo engineers.

Thanks
anuswara
« Reply #39 on: February 05, 2012, 09:41:49 AM »

OK, to download the files from here I have to allow NoScript to accept the scripts:
http://ifile.it/f92mqbt/Photoshop.exe

I will consider this site safe.
anuswara
« Reply #40 on: February 05, 2012, 04:21:47 PM »

In the meantime I deleted the entries found by AdwCleaner.

Here is the malware description I found online:
http://www1.avira.com/it/support-threats-description/tid/5496/tlang/it

And now the last log:
# AdwCleaner v1.408 - Logfile created 02/05/2012 at 21:49:12
# Updated 29/01/2012 by Xplode
# Operating system : Windows Vista (TM) Home Premium Service Pack 2 (32 bits)
# Option [Search]


***** [Services] *****


***** [Files / Folders] *****


***** [Registry] *****


***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16421

[OK] Registry is clean.

-\\ Mozilla Firefox v10.0 (it)

Profile : 73b02pu3.default
File : C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\73b02pu3.default\prefs.js

[OK] File is clean.

*************************


AdwCleaner[R2].txt - [1221 octets] - [05/02/2012 21:32:12]
AdwCleaner[S1].txt - [1382 octets] - [05/02/2012 21:33:09]
AdwCleaner[R3].txt - [888 octets] - [05/02/2012 21:49:12]

########## EOF - C:\AdwCleaner[R3].txt - [1015 octets] ##########

_______________
I notice that a lot of people have this malware; please see the Mozilla forum too, and others...

Then:

appdata\local\temp folder cleaned. (more than 6000 files)
c:\windows\Temp cleaned. (more than 2000 files)

Please let me know when I will be allowed to run your 4 steps again, after the whitelisting process by the experts.
I guess all will be fine!! :)
Chiron
« Reply #41 on: February 05, 2012, 04:26:32 PM »

> Please let me know when I will be allowed to run your 4 steps again, after the whitelisting process by the experts.
> I guess all will be fine!! :)

Yes, when the whitelisting is verified complete, re-run the methods in my article.

If they come up empty then your computer is definitely clean. :D
anuswara
« Reply #42 on: February 05, 2012, 04:35:03 PM »

...and then we will drink to victory!!!! hehehehe

:)
Chiron
« Reply #43 on: February 05, 2012, 04:42:32 PM »

> ...and then we will drink to victory!!!! hehehehe
> :)

Hopefully... Cheers
anuswara
« Reply #44 on: February 06, 2012, 08:47:07 AM »

Hi. I added 4 files to Valkyrie from step 2 which did not appear yesterday.
One of them appears 2 times during the scan.

(As of today I received only 2 mail reports from Comodo about false positives, manual analysis: dthtml.exe and mediainfo.exe.)

Oh, I re-ran the process... other unknown files. Why were those files not detected yesterday?
Every day unknown processes appear *confused*

Yesterday OSD Maestro was OK,
today it is red colored as malware...

I think if I re-run now for the third time I will get other files marked as unknown.

What do you suggest to me? Should I use an online scanner (ActiveX)? More than just one?

I cannot post newer files every day, every minute for whitelisting, like MediaInfo that turned out to be a false positive.