Old 09 June 2014, 16:04   #4
PeterK
Registered User
 
Join Date: Apr 2005
Location: Hangover
Posts: 1,731
My warning in the post above could be unfounded (maybe?), but I didn't download much last night and nowhere else did I get something like this strange change of the file name extension from "Aros_Vision.zip" into "Aros_Vision.zip.mas". This means that it is not the contents of the zip file that are infected, but perhaps the HTML code of the Aros Vision download page has been manipulated by someone.

On my system I got a warning from HijackThis after booting:
O23 - Service: FTQTMZX - Unknown owner - E:\Peter\TMP\FTQTMZX.exe (file missing)
The contents of all TMP and TEMP drawers are always deleted at startup.
In my registry I found some entries for this malware service (probably a backdoor):
Code:
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet009\Enum\Root\LEGACY_FTQTMZX]
"NextInstance"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet009\Enum\Root\LEGACY_FTQTMZX\0000]
"Service"="FTQTMZX"
"Legacy"=dword:00000001
"ConfigFlags"=dword:00000000
"Class"="LegacyDriver"
"ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
"DeviceDesc"="FTQTMZX"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet009\Services\FTQTMZX]
"Type"=dword:00000110
"Start"=dword:00000004
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):45,00,3a,00,5c,00,50,00,65,00,74,00,65,00,72,00,5c,00,54,00,\
  4d,00,50,00,5c,00,46,00,54,00,51,00,54,00,4d,00,5a,00,58,00,2e,00,65,00,78,\
  00,65,00,00,00
"DisplayName"="FTQTMZX"
"ObjectName"="LocalSystem"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet009\Services\FTQTMZX\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
  00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
  00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
  05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
  20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\
  00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\
  00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet009\Services\FTQTMZX\Enum]
"0"="Root\\LEGACY_FTQTMZX\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001
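As an added example (not PeterK's code, and nothing from the Aros Vision project): a small Python parser for the .reg export syntax shown above that decodes the hex(2) ImagePath (REG_EXPAND_SZ stored as UTF-16LE with continuation lines) and flags services whose binary lives in a TMP or TEMP directory, the indicator the post relies on. The sample key is copied from the post; the TEMP-directory rule is my own assumption.

```python
import re

# Constructed sample, copied from the post above: the FTQTMZX service key in .reg export syntax.
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet009\Services\FTQTMZX]
"Type"=dword:00000110
"Start"=dword:00000004
"ImagePath"=hex(2):45,00,3a,00,5c,00,50,00,65,00,74,00,65,00,72,00,5c,00,54,00,\
  4d,00,50,00,5c,00,46,00,54,00,51,00,54,00,4d,00,5a,00,58,00,2e,00,65,00,78,\
  00,65,00,00,00
"ObjectName"="LocalSystem"
'''

def decode_value(raw):
    """Decode a .reg value: quoted string, dword:, hex(2): (REG_EXPAND_SZ as UTF-16LE) or hex: (binary)."""
    if raw.startswith('"'):
        return raw[1:-1].replace('\\\\', '\\')
    if raw.startswith('dword:'):
        return int(raw[6:], 16)
    m = re.match(r'hex(?:\((\d+)\))?:(.*)', raw)
    if not m:
        return raw
    data = bytes(int(b, 16) for b in m.group(2).split(',') if b)
    if m.group(1) in ('1', '2'):  # REG_SZ / REG_EXPAND_SZ: UTF-16LE text with a NUL terminator
        return data.decode('utf-16-le').rstrip('\x00')
    return data

def parse_reg(text):
    """Parse .reg text into {key: {name: value}}, joining backslash continuation lines first."""
    text = re.sub(r'\\\r?\n\s*', '', text)
    keys, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"') and '=' in line:
            name, raw = line.split('=', 1)
            keys[current][name.strip('"')] = decode_value(raw)
    return keys

TEMP_DIR = re.compile(r'\\(tmp|temp)\\', re.IGNORECASE)  # assumed rule: service binary in a temp dir
def suspicious_services(keys):
    """Return (service, image path) for service keys whose binary lives under a TMP/TEMP directory."""
    hits = []
    for key, values in keys.items():
        path = values.get('ImagePath')
        if '\\Services\\' in key and isinstance(path, str) and TEMP_DIR.search(path):
            hits.append((key.rsplit('\\', 1)[-1], path))
    return hits
```

Type 0x110 is SERVICE_WIN32_OWN_PROCESS plus SERVICE_INTERACTIVE_PROCESS and Start 4 means disabled, so the parsed values can be checked against what a legitimate service would normally carry.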