Exploit.win32.ms04-028.gen

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:37:47, on 9.3.2009
Platform: Unknown Windows (WinNT 6.01.2904)
MSIE: Internet Explorer v8.00 (8.00.7000.0000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Nokia\MPlatform\NokiaMServer.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\BitDefender\BitDefender 2009\seccenter.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Windows\system32\taskhost.exe
C:\totalcmd\TOTALCMD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.si/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Windows Live - Pomoc pri vpisu - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2009\IEToolbar.dll
O4 - HKLM\..\Run: [bDAgent] "C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe"
O4 - HKLM\..\Run: [bitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2009\IEShow.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NokiaMServer] C:\Program Files\Common Files\Nokia\MPlatform\NokiaMServer /watchfiles
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [FveNotify] %WINDIR%\system32\fveNotify.exe
O4 - HKUS\S-1-5-19\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O4 - Global Startup: Nokia Nseries PC Suite.lnk = C:\Program Files\Nokia\NNPCS\RunLauncher.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Objavi v spletnem dnevniku - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Objavi v spletnem dnevniku v Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab56986.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: BitDefender Arrakis Server (Arrakis3) - BitDefender S.R.L. http://www.bitdefender.com - C:\Program Files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Nokia\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S. R. L. - C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe

--
End of file - 6435 bytes

Comments

  • rootkit ✭✭✭

    Please post the full BitDefender log. This is clean :)

  • @BravoSlo:

    Please take a look at this topic (/index.php?/topic/12282-exploitwin32ms04-028gen-with-image-editing/). Is it anything similar to your situation? Please let me know exactly what's going on and how you got that detection.

  • This detection has been revised as it seems it was generating false positives. Can you please tell me if you still get this detection?

  • Hei.. still I have a problem

    Don't know how to resolve this..

    I sent virus files from quarantine to your lab.....

    I made a screenshot..... Is it helpful??

    With my regards Stanislav Perc

    Attachment: vir.doc (/applications/core/interface/file/attachment.php?id=4892)

  • The same procedure as the thread I pointed out earlier:

    First of all I will need a copy of your history.xml:

    C:\Documents and Settings\All Users\Application Data\BitDefender\Desktop\Events

    Then upload the latest files from C:\ProgramData\BitDefender\Desktop\Quarantine (using any upload service you want). We will analyze them and remove the detection.

    You can use one of our FTP servers as well:

    -----
    horizon.bitdefender.ro
    user: ccsubmit-write00
    pass: XM6wD6a(M]25
    -----

    NOTE: Make sure your BitDefender is up to date!

  • I sent you files to your FTP from quarantine, but my system Windows 7 doesn't allow me to go into the Application Data folder.....

    My BitDefender is updated automatically.......

    Have you any idea how to remove this??? It happens only when I want to turn a picture left or right and when I want to save a picture. Pictures are saved on a USB-connected external disk.....

    With my regards

  • rootkit ✭✭✭
    edited March 2009

    Windows 7 beta is not recommended for daily use.

    BitDefender 2009 is not fully compatible with it.

  • We are analyzing this once more and I will let you know what conclusion we reach.

  • This issue has been fixed (again). Is anyone else still experiencing this?