Author Topic: That is MBX@110@B33240.### and MBX@57C@B33240.###  (Read 3915 times)


zepete

  • Guest
That is MBX@110@B33240.### and MBX@57C@B33240.###
« on: January 19, 2009, 11:35:23 PM »
On my computer there are two hidden executable files (they begin with "MZ" and contain the text "This program must be run under Win32") in the hidden folder "c:\Document and settings\MyName\Application Data\.#".
They are named MBX@110@B33240.### and MBX@57C@B33240.###.
Each file is 2048 bytes in size and consists mostly of zeros.
What are they?

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33904
  • malware fighter
Re: That is MBX@110@B33240.### and MBX@57C@B33240.###
« Reply #1 on: January 19, 2009, 11:55:22 PM »
Hi zepete,

Try to upload the files at virustotal.com and post the results here.

After you have done that you could also download DrWebCureIt from here: ftp://ftp.drweb.com/pub/drweb/cureit/launch.exe (make sure it is the latest updated version) to your desktop and do a full scan.

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

zepete
Re: That is MBX@110@B33240.### and MBX@57C@B33240.###
« Reply #2 on: January 20, 2009, 12:26:36 AM »
VirusTotal results:
File MBX_57C_B33240.___ received on 01.20.2009 00:09:04 (CET)
Current status: finished
Result: 2/39 (5.13%)

Antivirus   Version   Last Update   Result
a-squared   4.0.0.73   2009.01.19   -
AhnLab-V3   2009.1.20.1   2009.01.19   -
AntiVir   7.9.0.57   2009.01.19   -
Authentium   5.1.0.4   2009.01.19   -
Avast   4.8.1281.0   2009.01.19   -
AVG   8.0.0.229   2009.01.19   -
BitDefender   7.2   2009.01.19   -
CAT-QuickHeal   10.00   2009.01.19   -
ClamAV   0.94.1   2009.01.19   -
Comodo   937   2009.01.19   -
DrWeb   4.44.0.09170   2009.01.19   -
eSafe   7.0.17.0   2009.01.19   Suspicious File
eTrust-Vet   31.6.6315   2009.01.19   -
F-Prot   4.4.4.56   2009.01.19   -
F-Secure   8.0.14470.0   2009.01.19   -
Fortinet   3.117.0.0   2009.01.15   -
GData   19   2009.01.19   -
Ikarus   T3.1.1.45.0   2009.01.19   -
K7AntiVirus   7.10.595   2009.01.19   -
Kaspersky   7.0.0.125   2009.01.19   -
McAfee   5500   2009.01.19   -
McAfee+Artemis   5500   2009.01.19   -
Microsoft   1.4205   2009.01.20   -
NOD32   3779   2009.01.19   -
Norman   5.93.01   2009.01.19   -
nProtect   2009.1.8.0   2009.01.19   -
Panda   9.5.1.2   2009.01.19   -
PCTools   4.4.2.0   2009.01.19   -
Prevx1   V2   2009.01.20   -
Rising   21.13.02.00   2009.01.19   -
SecureWeb-Gateway   6.7.6   2009.01.19   Win32.Malware.gen!90 (suspicious)
Sophos   4.37.0   2009.01.19   -
Sunbelt   3.2.1835.2   2009.01.16   -
Symantec   10   2009.01.19   -
TheHacker   6.3.1.5.223   2009.01.18   -
TrendMicro   8.700.0.1004   2009.01.19   -
VBA32   3.12.8.10   2009.01.19   -
ViRobot   2009.1.19.1565   2009.01.19   -
VirusBuster   4.5.11.0   2009.01.19   -
Additional information
File size: 2048 bytes
MD5...: b3db2eed1a0072d51a9ee920f250ba92
SHA1..: 804800ab3b70863689067b28d1195dacba18eaef
SHA256: e3fc1a1b4019fe81221f3b19d3edb7624186bf13a42c30db2a0738a5a2c1aae9
SHA512: 680dbb6ca115c77782189462c0064fb5bf077302b861625c0bcdbe624c7b6aa84877ce2dcd8eeb7495d86ce4881b3cb576a76a7d0e5161ad6e9176f513101004
ssdeep: 6:MxlEh/jKjXFeyclltA9lncl//yPxkgJAJhUI9NVljif:OEh/G70yUQ9l0/6kgCJioda
PEiD..: -
TrID..: File type identification
Win16/32 Executable Delphi generic (34.0%)
Generic Win/DOS Executable (32.9%)
DOS Executable Generic (32.8%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.1%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x40a000
timedatestamp.....: 0x2a425e19 (Fri Jun 19 22:22:17 1992)
machinetype.......: 0x14c (I386)

( 8 sections )
name viradd virsiz rawdsiz ntrpy md5
CODE 0x1000 0x3000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
DATA 0x4000 0x1000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
BSS 0x5000 0x1000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.idata 0x6000 0x1000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.edata 0x7000 0x1000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.reloc 0x8000 0x1000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.rsrc 0x9000 0x1000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
_BOX_ 0xa000 0x1000 0x200 1.50 f86c92bd50585e94729486f8a2d005cf

( 0 imports )

( 0 exports )



 ATTENTION: VirusTotal is a free service offered by Hispasec Sistemas. There are no guarantees about the availability and continuity of this service. Although the detection rate afforded by the use of multiple antivirus engines is far superior to that offered by just one product, these results DO NOT guarantee the harmlessness of a file. Currently, there is not any solution that offers a 100% effectiveness rate for detecting viruses and malware.

File MBX_110_B33240.___ received on 2009.01.20 00:15:09 (CET)
Current status: finished
Result: 2/39 (5.13%)

Antivirus   Version   Last Update   Result
a-squared   4.0.0.73   2009.01.19   -
AhnLab-V3   2009.1.20.1   2009.01.19   -
AntiVir   7.9.0.57   2009.01.19   -
Authentium   5.1.0.4   2009.01.19   -
Avast   4.8.1281.0   2009.01.19   -
AVG   8.0.0.229   2009.01.19   -
BitDefender   7.2   2009.01.19   -
CAT-QuickHeal   10.00   2009.01.19   -
ClamAV   0.94.1   2009.01.19   -
Comodo   937   2009.01.19   -
DrWeb   4.44.0.09170   2009.01.19   -
eSafe   7.0.17.0   2009.01.19   Suspicious File
eTrust-Vet   31.6.6315   2009.01.19   -
F-Prot   4.4.4.56   2009.01.19   -
F-Secure   8.0.14470.0   2009.01.19   -
Fortinet   3.117.0.0   2009.01.15   -
GData   19   2009.01.19   -
Ikarus   T3.1.1.45.0   2009.01.19   -
K7AntiVirus   7.10.595   2009.01.19   -
Kaspersky   7.0.0.125   2009.01.19   -
McAfee   5500   2009.01.19   -
McAfee+Artemis   5500   2009.01.19   -
Microsoft   1.4205   2009.01.20   -
NOD32   3779   2009.01.19   -
Norman   5.93.01   2009.01.19   -
nProtect   2009.1.8.0   2009.01.19   -
Panda   9.5.1.2   2009.01.19   -
PCTools   4.4.2.0   2009.01.19   -
Prevx1   V2   2009.01.20   -
Rising   21.13.02.00   2009.01.19   -
SecureWeb-Gateway   6.7.6   2009.01.19   Win32.Malware.gen!90 (suspicious)
Sophos   4.37.0   2009.01.19   -
Sunbelt   3.2.1835.2   2009.01.16   -
Symantec   10   2009.01.19   -
TheHacker   6.3.1.5.224   2009.01.20   -
TrendMicro   8.700.0.1004   2009.01.19   -
VBA32   3.12.8.10   2009.01.19   -
ViRobot   2009.1.19.1565   2009.01.19   -
VirusBuster   4.5.11.0   2009.01.19   -
Additional information
File size: 2048 bytes
MD5...: 22ee8242685aa35570230a8eec38f231
SHA1..: c53935667beb7130b7874f25a1bf190fbb416650
SHA256: d53d9083729f10565993a8ec23d4648dd030da7e9822f618f1f4aef708698715
SHA512: 429f64f9b73d4250919a27786b9b5650429819a8f80954b109207e3c692f5e29f33fcb61bd863dd09cefacef67ab9359b41743068756c68f86fc2c2c8247fcdb
ssdeep: 6:MxlEh/jKjXFeyclltA9lncl//yPxkgJAJhUIM6NVljif:OEh/G70yUQ9l0/6kgCJipida
PEiD..: -
TrID..: File type identification
Win16/32 Executable Delphi generic (34.0%)
Generic Win/DOS Executable (32.9%)
DOS Executable Generic (32.8%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.1%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x40a000
timedatestamp.....: 0x2a425e19 (Fri Jun 19 22:22:17 1992)
machinetype.......: 0x14c (I386)

( 8 sections )
name viradd virsiz rawdsiz ntrpy md5
CODE 0x1000 0x3000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
DATA 0x4000 0x1000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
BSS 0x5000 0x1000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.idata 0x6000 0x1000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.edata 0x7000 0x1000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.reloc 0x8000 0x1000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.rsrc 0x9000 0x1000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
_BOX_ 0xa000 0x1000 0x200 1.50 f83460ee030dd2c7810ad35504f7368c

( 0 imports )

( 0 exports )
**************
I think there is no need to run DrWebCureIt, because DrWeb on virustotal.com did not find a problem.
But what does this test mean? I don't know.
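The PEInfo block in the VirusTotal output is the part of these results worth reading closely: all seven ordinary sections report a raw size of 0x0, entropy 0.00 and the same MD5 (d41d8cd98f00b204e9800998ecf8427e is the MD5 of zero bytes), the entry point 0x40a000 sits in the one section that does carry bytes (`_BOX_`), and there are no imports at all. As an added example (not code from the thread or from VirusTotal) the script below pulls exactly those header fields out of a PE32 with `struct` and summarises them. To run offline it also builds a constructed 2048-byte PE32 with the same section layout, timestamp and entry point as the report; the `_BOX_` bytes and the DOS stub text are invented stand-ins, not the contents of zepete's files, and nothing here claims what the real files do.

```python
"""Header-level triage of a small PE32 file, reporting the fields VirusTotal's PEInfo block shows."""
import hashlib
import math
import struct
from collections import Counter
from dataclasses import dataclass


@dataclass
class Section:
    name: str
    va: int         # RVA at which the section is mapped
    vsize: int      # VirtualSize
    rawptr: int     # PointerToRawData (file offset)
    rawsize: int    # SizeOfRawData; 0 means the section has no bytes on disk at all


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for an empty section, as in the report's ntrpy column."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_pe(buf: bytes):
    """Read the few header fields the triage needs straight from the bytes (no pefile dependency)."""
    if buf[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    if buf[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    machine, nsec, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", buf, e_lfanew + 4)
    opt = e_lfanew + 24                                     # start of the optional header
    entry_rva = struct.unpack_from("<I", buf, opt + 16)[0]  # AddressOfEntryPoint
    image_base = struct.unpack_from("<I", buf, opt + 28)[0]
    ndirs = struct.unpack_from("<I", buf, opt + 92)[0]      # NumberOfRvaAndSizes
    import_rva = struct.unpack_from("<I", buf, opt + 96 + 8)[0] if ndirs > 1 else 0  # data directory 1
    sections = []
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", buf, opt + opt_size + 40 * i)
        sections.append(Section(name.rstrip(b"\0").decode("ascii", "replace"), va, vsize, rawptr, rawsize))
    return machine, timestamp, image_base, entry_rva, import_rva, sections


def triage(buf: bytes) -> dict:
    """First-look summary: where the entry point lands, which sections are empty on disk, imports."""
    machine, timestamp, image_base, entry_rva, import_rva, sections = parse_pe(buf)
    entry_sec = next((s for s in sections if s.va <= entry_rva < s.va + s.vsize), None)
    rows = []
    for s in sections:
        raw = buf[s.rawptr:s.rawptr + s.rawsize]           # empty slice when rawsize == 0
        rows.append((s.name, hex(s.va), hex(s.vsize), hex(s.rawsize),
                     round(entropy(raw), 2), hashlib.md5(raw).hexdigest()))
    return {
        "file_size": len(buf),
        "machine": hex(machine),
        "timestamp": hex(timestamp),
        "entry_point": hex(image_base + entry_rva),
        "entry_section": entry_sec.name if entry_sec else None,
        "entry_has_raw_bytes": bool(entry_sec and entry_sec.rawsize),
        "has_imports": import_rva != 0,
        "empty_sections": [s.name for s in sections if s.rawsize == 0],
        "sections": rows,
    }


def build_sample_pe() -> bytes:
    """Constructed 2048-byte PE32 with the section layout from the report; a stand-in, not the real file."""
    layout = [(b"CODE", 0x1000, 0x3000), (b"DATA", 0x4000, 0x1000), (b"BSS", 0x5000, 0x1000),
              (b".idata", 0x6000, 0x1000), (b".edata", 0x7000, 0x1000), (b".reloc", 0x8000, 0x1000),
              (b".rsrc", 0x9000, 0x1000), (b"_BOX_", 0xA000, 0x1000)]
    hdr_size, raw_len = 0x600, 0x200
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x80)               # e_lfanew = 0x80
    stub = b"This program must be run under Win32\r\n$".ljust(0x40, b"\0")
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(layout), 0x2A425E19, 0, 0, 224, 0x818E)
    fmt = "<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "H" * 2 + "I" * 6    # PE32 optional header, 96 bytes
    opt = struct.pack(fmt, 0x10B, 2, 25,
                      0, raw_len, 0, 0xA000, 0x1000, 0x4000, 0x400000, 0x1000, 0x200,
                      4, 0, 0, 0, 4, 0,
                      0, 0xB000, hdr_size, 0,
                      2, 0,
                      0x100000, 0x4000, 0x100000, 0x4000, 0, 16)
    dirs = b"\0" * 128                                     # 16 empty data directories: no imports, no exports
    hdrs = b""
    for name, va, vsize in layout:
        rawsize, rawptr = (raw_len, hdr_size) if name == b"_BOX_" else (0, 0)
        hdrs += struct.pack("<8sIIIIIIHHI", name, vsize, va, rawsize, rawptr, 0, 0, 0, 0, 0x60000020)
    box = b"\xEB\xFE" + b"\0" * (raw_len - 2)              # invented payload: jmp-to-self plus zero padding
    return (dos + stub + coff + opt + dirs + hdrs).ljust(hdr_size, b"\0") + box


if __name__ == "__main__":
    import sys
    buf = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    for key, value in triage(buf).items():
        print(f"{key}: {value}")
```

Run it with a file path to triage a real sample, or with no arguments to see the constructed one. What the summary tells you about a file shaped like the report is limited: seven sections are nothing but virtual address space (identical MD5 because there are no bytes to hash), the only code that exists on disk is the 0x200 bytes behind the entry point, and with no import table there is no API surface to read off statically. That is consistent with a loader stub, a damaged file, or a dropped placeholder; the headers alone cannot tell you which, which is why a full behavioural scan or dynamic analysis is still the next step.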

Offline polonus

Re: That is MBX@110@B33240.### and MBX@57C@B33240.###
« Reply #3 on: January 20, 2009, 12:46:22 AM »
Hello zepete,

A pity the folks from St. Petersburg could not do much there.
As can be seen from the name of the suspected malware, it could be a generic find. If the files apparently have no purpose you could put them in the chest after the analysis is done, so that you know what you are putting there in isolation.
You can also attach a HJT logfile.txt to your next posting; download it from here onto your desktop: http://www.trendsecure.com/portal/en-US/threat_analytics/hijackthis.php
Naboj!

polonus

zepete
Re: That is MBX@110@B33240.### and MBX@57C@B33240.###
« Reply #4 on: January 20, 2009, 02:10:48 AM »
The files are in Intel HEX format, used in electronics for programming ICs.
File format (http://en.wikipedia.org/wiki/.hex):
[magic symbol ":"] + [number of data bytes in the record, 2 characters, in this case 20] + [offset of the first byte of the record, 4 characters] + [00 = record type, meaning this is data] + data bytes + [checksum].
Program for working with hex files: http://www.keil.com/download/docs/7.asp
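The record layout zepete spells out is enough to write a strict parser, and that is the quickest way to check whether a suspicious text file really is Intel HEX rather than something merely shaped like it. The following is an added example, not code from the post or from Keil: it decodes one record at a time, rejects records whose declared byte count or checksum does not match (the Intel HEX checksum is the two's complement of the low byte of the sum of every preceding byte, so summing the whole record including the checksum must give 0 mod 256), assembles data records into an address map while honouring the type 02/04 base-address records, and can re-encode a record to confirm the parser round-trips. The sample records at the bottom are constructed for this example; they are not the contents of the files in the thread.

```python
"""Parse and verify Intel HEX records: ':' + count + address + type + data + checksum."""
from dataclasses import dataclass


@dataclass
class HexRecord:
    count: int      # number of data bytes (the "20" in the post is hex, i.e. 32 bytes)
    address: int    # 16-bit load offset of the first data byte
    rectype: int    # 00 data, 01 end of file, 02/04 segment/linear base, 03/05 start address
    data: bytes


def checksum(body: bytes) -> int:
    """Two's complement of the low byte of the sum of count, address, type and data bytes."""
    return (-sum(body)) & 0xFF


def parse_record(line: str) -> HexRecord:
    """Decode one record; raise ValueError on any structural or checksum problem."""
    line = line.strip()
    if not line.startswith(":"):
        raise ValueError("record must start with ':'")
    try:
        raw = bytes.fromhex(line[1:])
    except ValueError as exc:
        raise ValueError(f"non-hex characters in record {line!r}") from exc
    if len(raw) < 5:
        raise ValueError("record shorter than count + address + type + checksum")
    count, rectype = raw[0], raw[3]
    if len(raw) != 5 + count:
        raise ValueError(f"declared {count} data bytes but record carries {len(raw) - 5}")
    if sum(raw) & 0xFF:                      # every byte including the checksum must sum to 0 mod 256
        raise ValueError(f"checksum mismatch in record at offset {raw[1]:02X}{raw[2]:02X}")
    return HexRecord(count, (raw[1] << 8) | raw[2], rectype, raw[4:4 + count])


def make_record(address: int, rectype: int, data: bytes = b"") -> str:
    """Encode a record; handy for building test vectors and checking that parsing round-trips."""
    body = bytes([len(data), (address >> 8) & 0xFF, address & 0xFF, rectype]) + data
    return ":" + (body + bytes([checksum(body)])).hex().upper()


def load_image(lines) -> dict:
    """Assemble the data records of a HEX file into {absolute_address: byte}, honouring base records."""
    image, base = {}, 0
    for line in lines:
        if not line.strip():
            continue
        rec = parse_record(line)
        if rec.rectype == 0x00:
            for i, b in enumerate(rec.data):
                image[base + rec.address + i] = b
        elif rec.rectype == 0x02:            # extended segment address: base = value << 4
            base = int.from_bytes(rec.data, "big") << 4
        elif rec.rectype == 0x04:            # extended linear address: base = value << 16
            base = int.from_bytes(rec.data, "big") << 16
        elif rec.rectype == 0x01:            # end of file: anything after it is ignored
            break
    return image


# Constructed sample: two 16-byte data records and an end-of-file record (not from the thread's files).
SAMPLE_HEX = [
    ":10010000214601360121470136007EFE09D2190140",
    ":100110002146017E17C20001FF5F16002148011928",
    ":00000001FF",
]

if __name__ == "__main__":
    for line in SAMPLE_HEX:
        r = parse_record(line)
        print(f"type={r.rectype:02X} addr={r.address:04X} count={r.count} data={r.data.hex()}")
    image = load_image(SAMPLE_HEX)
    print(f"{len(image)} bytes loaded starting at {min(image):04X}")
```

Feed it the lines of a suspected HEX file (for example `load_image(open(path).read().splitlines())`): a genuine file parses cleanly to the last record, while a file that only looks like HEX, or one that has been altered, fails on the first bad count or checksum with the offending offset in the error.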

zepete
Re: That is MBX@110@B33240.### and MBX@57C@B33240.###
« Reply #5 on: January 20, 2009, 02:17:54 AM »
Log HijackThis attachment

Offline polonus

Re: That is MBX@110@B33240.### and MBX@57C@B33240.###
« Reply #6 on: January 20, 2009, 07:57:53 PM »
Hi zepete,
Some consider this a pest, Russian Searchbar, ad/spyware, re:

http://www.ca.com/ru/securityadvisor/pest/pest.aspx?id=453079056

The following entries could be fixed because some consider them unwanted:

C:\Program Files\AskBarDis\bar\bin\AskService.exe
Nasty Nasty (2.8 / 5.00)

C:\Program Files\AskBarDis\bar\bin\ASKUpgrade.exe
Nasty (2.8 / 5.00)
This is an unknown process.

R3 - URLSearchHook: DefaultSearchHook Class - {C94E154B-1459-4A47-966B-4B843BEFC7DB} - C:\Program Files\AskSearch\bin\DefaultSearch.dll

O3 - Toolbar: Яндекс.Бар (Yandex.Bar) - {91397D20-1446-11D4-8AF4-0040CA1127B6} - C:\Program Files\Yandex\YandexBarIE\yndbar.dll
Must be fixed! YNDBAR.DLL - Russian Searchbar

O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
Neutral Nasty (2.95 / 5.00)

O4 - HKCU\..\Run: [Yupdate!] "C:\Program Files\Common Files\Yandex\Yupdate\yupdate.exe"
nasty

O23 - Service: ASKService - Unknown owner - C:\Program Files\AskBarDis\bar\bin\AskService.exe
Nasty Nasty (2.8 / 5.00)

O23 - Service: ASKUpgrade - Unknown owner - C:\Program Files\AskBarDis\bar\bin\ASKUpgrade.exe
Nasty (2.8 / 5.00)

For the virustotal results: http://forum.kaspersky.com/index.php?s=c7e7393e2c2a40b0cf03062e5a057f24&showtopic=98408
If so, this could be under suspicion of being an AUTOMATED file-infecting Trojan; for removal info see:
http://spywarefiles.prevx.com/RRHDID032566066/MS056679616124.EXE.html

polonus
« Last Edit: January 20, 2009, 08:26:19 PM by polonus »