Exploit.win32.ms04-028.gen

Sal Khan
edited June 2008 in Logs analysis

I just purchased a new 2GB MicroSD card for my Samsung SCH-i760 and whenever I put the card in my card reader, open an image (jpg) file, try to rotate the picture and save it, I get this Virus alert just like many of you. Kind of a PITA. The message from BitDefender is about Exploit.win32.ms04-028.gen


Attached is an example of a file from the card that comes up as infected, with password "infected".


Here is the HijackThis log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:26:07 AM, on 6/19/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\RtHDVCpl.exe
C:\Program Files\Toshiba\Power Saver\TPwrMain.exe
C:\Program Files\Toshiba\SmoothView\SmoothView.exe
C:\Program Files\Toshiba\FlashCards\TCrdMain.exe
C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\WindowsMobile\wmdc.exe
C:\Program Files\Toshiba\TOSCDSPD\TOSCDSPD.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\MagicDisc\MagicDisc.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Synaptics\SynTP\SynToshiba.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Toshiba\ConfigFree\CFSwMgr.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
O4 - HKLM\..\Run: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
O4 - HKLM\..\Run: [smoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
O4 - HKLM\..\Run: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [startCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKLM\..\Run: [bitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe"
O4 - HKLM\..\Run: [bDAgent] "C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [skytel] Skytel.exe
O4 - HKLM\..\Run: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [TOSCDSPD] TOSCDSPD.EXE
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKCU\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\HOMERunner.exe"
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKUS\S-1-5-19\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Facebo...toUploader5.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/Facebo...Uploader4_5.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: pinger - Unknown owner - C:\Toshiba\IVP\ISM\pinger.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: TOSHIBA Navi Support Service (TNaviSrv) - TOSHIBA Corporation - C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe
O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - BitDefender - C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe

--
End of file - 9266 bytes

Attachment: 0612081656.zip

Comments

  • rootkit ✭✭✭
    edited June 2008

    Thank you for the sample !


    The guys from the LAB will take a look ! ;)


    Download ComboFix from here: http://download.bleepingcomputer.com/sUBs/ComboFix.exe


    Then close all running programs, including web browser, instant messenger, etc and then run ComboFix.


    It will ask you whether it should start cleaning or not. Press 1 and hit Enter. Don't stop it while running. While doing this your screen may disappear but don't worry, it's a normal behaviour.


    At the end ComboFix will generate a log file. Save it and post it here.

  • The file is not currently detected. This was probably a false positive which was in the meantime eliminated. Please update the signatures of your BitDefender installation. If the problem persists, please let us know.


    Best regards.

  • The file is not currently detected. This was probably a false positive which was in the meantime eliminated. Please update the signatures of your BitDefender installation. If the problem persists, please let us know.


    Best regards.


    I ran an update for BD (IS 2008), restarted my computer, and attempted to open and manipulate a few different known image files that come up as infected, and it still gave me the message saying a virus was quarantined. So in other words: Nothing has changed.


    Was I missing some sort of update not covered by the update that's run through the BD App?


    Also, I ran the ComboFix App and here is the Log it generated:


    ComboFix 08-06-20.4 - Someone 2008-06-23 13:37:41.1 - NTFSx86
    Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1131 [GMT -7:00]
    Running from: C:\Users\Someone\Desktop\ComboFix.exe
    * Created a new restore point
    * Resident AV is active
    .
    ((((((((((((((((((((((((( Files Created from 2008-05-23 to 2008-06-23 )))))))))))))))))))))))))))))))
    .
    2008-06-19 11:15 . 2008-06-19 11:15 <DIR> d-------- C:\Program Files\Trend Micro
    2008-06-18 13:12 . 2008-06-18 13:13 <DIR> d-------- C:\Program Files\QuickTime
    2008-06-18 13:04 . 2008-06-18 13:04 <DIR> d-------- C:\Program Files\Opera
    2008-06-13 05:55 . 2008-04-22 21:42 428,544 --a------ C:\Windows\System32\EncDec.dll
    2008-06-13 05:55 . 2008-04-22 21:42 293,376 --a------ C:\Windows\System32\psisdecd.dll
    2008-06-13 05:55 . 2008-04-22 21:41 218,624 --a------ C:\Windows\System32\psisrndr.ax
    2008-06-13 05:55 . 2008-04-22 21:41 57,856 --a------ C:\Windows\System32\MSDvbNP.ax
    2008-06-11 11:42 . 2008-06-11 19:44 <DIR> d-------- C:\Program Files\DAEMON Tools Lite
    2008-06-11 11:33 . 2008-06-11 11:33 <DIR> d-------- C:\Users\Someone\AppData\Roaming\DAEMON Tools
    2008-06-11 06:22 . 2008-04-24 19:12 1,383,424 --a------ C:\Windows\System32\mshtml.tlb
    2008-06-11 06:22 . 2008-04-24 21:35 826,880 --a------ C:\Windows\System32\wininet.dll
    2008-06-11 05:13 . 2008-05-09 18:33 113,664 --a------ C:\Windows\System32\drivers\rmcast.sys
    2008-06-11 05:11 . 2008-04-26 01:08 1,314,816 --a------ C:\Windows\System32\quartz.dll
    2008-06-06 02:26 . 2008-06-06 02:26 <DIR> d-------- C:\Program Files\IrfanView
    2008-05-30 04:55 . 2008-05-30 04:55 <DIR> d-------- C:\Users\Someone\AppData\Roaming\Move Networks
    2008-05-28 17:59 . 2008-05-28 17:59 <DIR> d-------- C:\Users\Someone\AppData\Roaming\Microsoft Office Mobile
    2008-05-27 23:16 . 2008-06-23 13:25 12 --a------ C:\Windows\bthservsdp.dat
    2008-05-27 15:10 . 2008-03-07 19:08 4,240,384 --a------ C:\Windows\System32\GameUXLegacyGDFs.dll
    2008-05-27 15:10 . 2008-03-07 21:21 1,695,744 --a------ C:\Windows\System32\gameux.dll
    2008-05-27 10:50 . 2008-05-27 10:50 90,112 --a------ C:\Windows\System32\QuickTimeVR.qtx
    2008-05-27 10:50 . 2008-05-27 10:50 57,344 --a------ C:\Windows\System32\QuickTime.qts
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-06-23 20:24 --------- d-----w C:\Users\Someone\AppData\Roaming\uTorrent
    2008-06-23 05:25 --------- d-----w C:\Program Files\Safari
    2008-06-17 18:10 --------- d-----w C:\Users\Someone\AppData\Roaming\FileZilla
    2008-06-13 13:16 --------- d-----w C:\Program Files\Windows Mail
    2008-06-11 20:12 --------- d-----w C:\Users\Someone\AppData\Roaming\GARMIN
    2008-06-11 18:34 717,296 ----a-w C:\Windows\system32\drivers\sptd.sys
    2008-06-06 17:28 --------- d-----w C:\Program Files\DivX
    2008-05-30 23:22 823,296 ----a-w C:\Windows\System32\divx_xx0c.dll
    2008-05-30 23:22 823,296 ----a-w C:\Windows\System32\divx_xx07.dll
    2008-05-30 23:22 815,104 ----a-w C:\Windows\System32\divx_xx0a.dll
    2008-05-30 23:22 802,816 ----a-w C:\Windows\System32\divx_xx11.dll
    2008-05-30 23:22 683,520 ----a-w C:\Windows\System32\DivX.dll
    2008-05-30 23:22 593,920 ----a-w C:\Windows\System32\dpuGUI11.dll
    2008-05-30 23:22 57,344 ----a-w C:\Windows\System32\dpv11.dll
    2008-05-30 23:22 53,248 ----a-w C:\Windows\System32\dpuGUI10.dll
    2008-05-30 23:22 344,064 ----a-w C:\Windows\System32\dpus11.dll
    2008-05-30 23:22 294,912 ----a-w C:\Windows\System32\dpu11.dll
    2008-05-30 23:22 294,912 ----a-w C:\Windows\System32\dpu10.dll
    2008-05-23 13:24 --------- d-----w C:\Program Files\Microsoft Silverlight
    2008-05-22 22:22 524,288 ----a-w C:\Windows\System32\DivXsm.exe
    2008-05-22 22:22 3,596,288 ----a-w C:\Windows\System32\qt-dx331.dll
    2008-05-22 22:20 200,704 ----a-w C:\Windows\System32\ssldivx.dll
    2008-05-22 22:20 1,044,480 ----a-w C:\Windows\System32\libdivx.dll
    2008-05-22 22:19 81,920 ----a-w C:\Windows\System32\dpl100.dll
    2008-05-22 22:19 196,608 ----a-w C:\Windows\System32\dtu100.dll
    2008-05-22 22:19 161,096 ----a-w C:\Windows\System32\DivXCodecVersionChecker.exe
    2008-05-22 22:18 12,288 ----a-w C:\Windows\System32\DivXWMPExtType.dll
    2008-05-18 19:41 --------- d-----w C:\ProgramData\Microsoft Help
    2008-05-18 19:38 --------- d-----w C:\Program Files\MSBuild
    2008-05-18 19:38 --------- d-----w C:\Program Files\Microsoft Works
    2008-05-13 17:55 --------- d-----w C:\Program Files\Picasa2
    2008-05-11 14:28 --------- d-----w C:\ProgramData\WinZip
    2008-05-11 14:26 --------- d-----w C:\Program Files\Common Files\Ahead
    2008-05-11 14:26 --------- d-----w C:\Program Files\Ahead
    2008-05-07 02:19 --------- d-----w C:\Program Files\IM+ 4.56 for PocketPC
    2008-05-05 05:19 --------- d-----w C:\Program Files\Free Audio Pack
    2008-05-05 05:13 --------- d-----w C:\Users\Someone\AppData\Roaming\NCH Swift Sound
    2008-05-05 05:13 --------- d-----w C:\Program Files\NCH Swift Sound
    2008-05-03 06:47 --------- d-----w C:\ProgramData\NCH Swift Sound
    2008-05-03 04:03 --------- d-----w C:\Users\Someone\AppData\Roaming\GetRightToGo
    2008-05-02 12:59 122,368 ----a-w C:\Windows\system32\drivers\Rtlh86.sys
    2008-05-01 17:56 --------- d-----w C:\ProgramData\Office Genuine Advantage
    2008-05-01 04:39 --------- d-----w C:\ProgramData\InstalledPackages
    2008-05-01 04:38 --------- d-----w C:\Program Files\Wireless Sync
    2008-04-30 19:02 0 ---ha-w C:\Windows\system32\drivers\Msft_User_WpdRapi2_01_00_00.Wdf
    2008-04-30 18:49 0 ---ha-w C:\Windows\system32\drivers\Msft_User_WpdRapi_01_00_00.Wdf
    2008-04-25 03:36 --------- d-----w C:\Program Files\gallery2
    2008-04-23 04:58 --------- d-----w C:\Program Files\Apple Software Update
    2008-04-15 20:46 1,537,536 ----a-w C:\Program Files\siw.exe
    2008-04-14 00:54 319,456 ----a-w C:\Windows\DIFxAPI.dll
    2008-04-14 00:35 174 --sha-w C:\Program Files\desktop.ini
    2008-04-13 23:55 82,432 ----a-w C:\Windows\System32\axaltocm.dll
    2008-04-13 23:55 101,888 ----a-w C:\Windows\System32\ifxcardm.dll
    2008-03-16 22:16 724,984 ----a-w C:\Users\Someone\gotomypc_437.exe
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "TOSCDSPD"="TOSCDSPD.EXE" []
    "Aim6"="" []
    "AlcoholAutomount"="C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" [2007-12-22 00:20 222080]
    "TomTomHOME.exe"="C:\Program Files\TomTom HOME 2\HOMERunner.exe" [ ]
    "ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2008-01-19 00:33 125952]
    "DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [2008-04-01 02:39 486856]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RtHDVCpl"="RtHDVCpl.exe" [2007-08-09 19:26 4702208 C:\Windows\RtHDVCpl.exe]
    "TPwrMain"="C:\Program Files\TOSHIBA\Power Saver\TPwrMain.EXE" [2007-03-29 10:39 411192]
    "HSON"="C:\Program Files\TOSHIBA\TBS\HSON.exe" [2006-12-07 16:49 55416]
    "SmoothView"="C:\Program Files\Toshiba\SmoothView\SmoothView.exe" [2007-06-15 21:01 448080]
    "00TCrdMain"="C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe" [2007-05-22 16:32 538744]
    "NDSTray.exe"="NDSTray.exe" []
    "StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 12:35 90112]
    "BitDefender Antiphishing Helper"="C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe" [2007-10-09 16:46 61440]
    "BDAgent"="C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe" [2008-06-09 08:32 360448]
    "GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 07:00 33648]
    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
    "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-12-06 19:12 1029416]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
    "Skytel"="Skytel.exe" [2007-08-03 13:22 1826816 C:\Windows\SkyTel.exe]
    "QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 10:50 413696]
    "Windows Mobile Device Center"="C:\Windows\WindowsMobile\wmdc.exe" [2007-05-31 09:21 648072]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2008-02-25 18:23 443968]

    C:\Users\Someone\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    MagicDisc.lnk - C:\Program Files\MagicDisc\MagicDisc.exe [2008-02-09 22:32:39 557568]
    OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2007-08-24 04:45:42 101784]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "msacm.dvacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\vio\dvacm.acm

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
    "AntiSpywareOverride"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
    "{D311D56B-1CEC-4F59-89FE-401DD08B22B7}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
    "{1BB15376-723F-4F05-981B-FD8794D41B2C}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes
    "{B83C060B-A173-4445-83CB-FDDC8B2D0ABF}"= UDP:C:\Program Files\Common Files\AOL\Loader\aolload.exe:AOL Loader
    "{0872348F-7252-48B3-AF48-021095C12BBC}"= TCP:C:\Program Files\Common Files\AOL\Loader\aolload.exe:AOL Loader
    "{D51300AB-72B0-49FE-AA7C-55CEDEE6BE14}"= UDP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
    "{AAE94964-3FF1-4025-BB85-8B94FA664D4C}"= TCP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
    "{1BBBCBB1-5477-4A56-954F-E49013EFC8FE}"= UDP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent
    "{5BFD67DD-2523-4615-AD10-E0214C997E33}"= TCP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent
    "{CC77E681-BB2F-428F-BADB-E6E4A9CCD28E}"= TCP:6004|C:\Program Files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
    "{4DDC9FB4-8C55-48C9-B9C6-11D02DB7C4B7}"= UDP:C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
    "{D7E88062-3ACF-445E-A4A3-42799E39DCE7}"= TCP:C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
    "{69764175-22D6-470A-943E-D82FC876C718}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
    "{7DC9820D-78F8-420C-897A-1A257E62C2B0}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
    "{94E9E0D7-8D0C-4545-BAB7-F1DF38189939}"= UDP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
    "{8A28C6FD-23D4-4839-AA8D-AB735D5D131C}"= TCP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
    "{6262E605-CCD9-4EC1-9AFF-BCE431D6C050}"= UDP:C:\Users\Someone\AppData\Roaming\Facebook\facebook.exe:Facebook
    "{FB519924-BEEB-48FA-8F23-76F09DEFE178}"= TCP:C:\Users\Someone\AppData\Roaming\Facebook\facebook.exe:Facebook
    "{FD9D7D31-2EF4-441C-92DA-91F190C8BF9A}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
    "{9D2CEB40-014C-4F88-9D95-23289DD48B9B}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes
    "{D0C1E4D1-77AA-4029-BC73-4CA1FA518E11}"= UDP:5721:LocalSubnet:LocalSubnet|IF={36D6A040-4C02-4C21-AFA9-851ECDD2AE43}:@%systemroot%\WindowsMobile\wmdc.exe,-4002

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
    "C:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"= C:\TOSHIBA\ivp\NetInt\Netint.exe:*:Enabled:NIE - Toshiba Software Upgrades Engine
    "C:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= C:\TOSHIBA\Ivp\ISM\pinger.exe:*:Enabled:Toshiba Software Upgrades Pinger

    R0 AtiPcie;ATI PCI Express (3GIO) Filter;C:\Windows\system32\DRIVERS\AtiPcie.sys [2006-10-30 11:23]
    R2 RapiMgr;Windows Mobile-based device connectivity;C:\Windows\system32\svchost.exe [2008-01-19 00:33]
    R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 14:38]
    R2 WcesComm;Windows Mobile-2003-based device connectivity;C:\Windows\system32\svchost.exe [2008-01-19 00:33]
    R3 atikmdag;atikmdag;C:\Windows\system32\DRIVERS\atikmdag.sys [2007-07-27 23:36]
    R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;C:\Windows\system32\DRIVERS\bdfndisf.sys [2008-02-13 10:54]
    R3 FwLnk;FwLnk Driver;C:\Windows\system32\DRIVERS\FwLnk.sys [2006-11-19 23:11]
    R3 RTL8187B;Realtek RTL8187B Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;C:\Windows\system32\DRIVERS\RTL8187B.sys [2008-03-18 10:02]
    S3 winbondcir;Winbond IR Transceiver;C:\Windows\system32\DRIVERS\winbondcir.sys [2007-03-28 07:51]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    bdx REG_MULTI_SZ scan
    WindowsMobile REG_MULTI_SZ wcescomm rapimgr
    LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
    bthsvcs REG_MULTI_SZ BthServ

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ba635721-a1f9-11dc-b8c9-00a0d1880dd5}]
    \shell\AutoRun\command - H:\InstallTomTomHOME.exe

    *Newly Created Service* - CATCHME
    .
    Contents of the 'Scheduled Tasks' folder
    "2008-06-23 16:49:16 C:\Windows\Tasks\User_Feed_Synchronization-{9E354B1C-535B-4DA1-964E-863686482802}.job"
    - C:\Windows\system32\msfeedssync.exe
    .
    **************************************************************************
    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-06-23 13:42:04
    Windows 6.0.6001 Service Pack 1 NTFS
    scanning hidden processes ...
    scanning hidden autostart entries ...
    scanning hidden files ...
    scan completed successfully
    hidden files: 0
    **************************************************************************
    .
    Completion time: 2008-06-23 13:44:38
    ComboFix-quarantined-files.txt 2008-06-23 20:43:41
    Pre-Run: 78,748,930,048 bytes free
    Post-Run: 78,913,888,256 bytes free
    196 --- E O F --- 2008-06-19 20:21:31


    Hope that helps!

  • rootkit ✭✭✭
    edited June 2008

    Please upload one of the infected files on http://www.virustotal.com/ and leave here the test link ;)

    (disable BD shield for a few seconds to do this) ;)

  • Please upload one of the infected files on http://www.virustotal.com/ and leave here the test link ;)

    (disable BD shield for a few seconds to do this) ;)


    It came up clean, it seems. I tried to manipulate the photo to make sure the virus warning still popped up, and it did.


    File 0622080941.jpg received on 06.30.2008 21:44:03 (CET)
    Result: 0/33 (0%)




    Antivirus Version Last Update Result
    AhnLab-V3 2008.7.1.0 2008.06.30 -
    AntiVir 7.8.0.59 2008.06.30 -
    Authentium 5.1.0.4 2008.06.29 -
    Avast 4.8.1195.0 2008.06.30 -
    AVG 7.5.0.516 2008.06.30 -
    BitDefender 7.2 2008.06.30 -
    CAT-QuickHeal 9.50 2008.06.30 -
    ClamAV 0.93.1 2008.06.30 -
    DrWeb 4.44.0.09170 2008.06.30 -
    eSafe 7.0.17.0 2008.06.30 -
    eTrust-Vet 31.6.5914 2008.06.30 -
    Ewido 4.0 2008.06.27 -
    F-Prot 4.4.4.56 2008.06.29 -
    F-Secure 7.60.13501.0 2008.06.26 -
    Fortinet 3.14.0.0 2008.06.30 -
    GData 2.0.7306.1023 2008.06.30 -
    Ikarus T3.1.1.26.0 2008.06.30 -
    Kaspersky 7.0.0.125 2008.06.30 -
    McAfee 5328 2008.06.30 -
    Microsoft 1.3704 2008.06.30 -
    NOD32v2 3228 2008.06.30 -
    Norman 5.80.02 2008.06.30 -
    Panda 9.0.0.4 2008.06.30 -
    Prevx1 V2 2008.06.30 -
    Rising 20.51.02.00 2008.06.30 -
    Sophos 4.30.0 2008.06.30 -
    Sunbelt 3.0.1176.1 2008.06.26 -
    Symantec 10 2008.06.30 -
    TheHacker 6.2.96.364 2008.06.28 -
    TrendMicro 8.700.0.1004 2008.06.30 -
    VBA32 3.12.6.8 2008.06.30 -
    VirusBuster 4.5.11.0 2008.06.30 -
    Webwasher-Gateway 6.6.2 2008.06.30 -

    Additional information
    File size: 501658 bytes
    MD5...: 4676302b0c45c7af7434e2580760b696
    SHA1..: b55450d9299eeed8ec9e1c9eb3efce9410d097c3
    SHA256: eea86ba3d649ea2bffbd020229ad33f111a0f4fcdeb4d9a779b82e73cf23ac94
    SHA512: 917908377b07ad1d724f1f49d4b9371871d1b25353f41f000bd83ca7b6d48abb7fd5762de684572c2d5100042ff3db8fbc20a05500ff6dc8b2ea7a4dd44da4ee
    PEiD..: -
    PEInfo: -
    packers (F-Prot): appended

  • Sal Khan
    edited August 2008

    No luck yet?


    So... No Dice?


    Still does it. Phone is even updated to WM6.1 and BD Updates are frequent.
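Added triage helper for a thread like this one (example code written for this page, not part of any post above and not a BitDefender or VirusTotal tool): it computes the MD5/SHA-1/SHA-256 that VirusTotal lists for a submission, so a local file can be matched against the entry quoted above, and it walks the JPEG marker segments to report structural anomalies, in particular a segment length field below the 2-byte minimum, which is the malformed-header condition generic "ms04-028" JPEG signatures key on, and a segment that runs past the end of the file. The two JPEGs embedded in it are constructed stand-ins (the attachment from the thread is not available here); the segment builder, marker set and function names are assumptions of mine. An empty findings list on the real file, with hashes matching the VirusTotal entry, supports the false-positive explanation rather than a damaged or hostile file.

```python
"""Triage a JPEG that an AV product flagged: hash it and validate its marker structure."""
import hashlib
import struct

# Markers that carry no 2-byte length field: SOI, EOI, TEM, RST0-RST7.
STANDALONE_MARKERS = {0xD8, 0xD9, 0x01} | set(range(0xD0, 0xD8))


def file_hashes(data: bytes) -> dict:
    """MD5/SHA-1/SHA-256 hex digests, the three VirusTotal lists for a sample."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def walk_jpeg_segments(data: bytes):
    """Return (segments, findings).

    segments: (marker, offset, declared_length) for each header segment up to SOS.
    findings: human-readable structural anomalies; empty when the header is sane.
    """
    segments, findings = [], []
    if data[:2] != b"\xff\xd8":
        findings.append("no SOI marker at offset 0: not a JPEG")
        return segments, findings
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            findings.append(f"byte at offset {pos} is not a marker prefix (0xFF)")
            break
        marker = data[pos + 1]
        if marker == 0xFF:          # fill byte before a marker, legal
            pos += 1
            continue
        if marker in STANDALONE_MARKERS:
            segments.append((marker, pos, 0))
            pos += 2
            if marker == 0xD9:      # EOI
                break
            continue
        if pos + 4 > len(data):
            findings.append(f"marker 0xFF{marker:02X} at offset {pos}: length field truncated")
            break
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        segments.append((marker, pos, length))
        if length < 2:
            # The length field counts its own two bytes, so any value below 2 is
            # malformed; a parser that subtracts 2 from it underflows.
            findings.append(f"marker 0xFF{marker:02X} at offset {pos}: "
                            f"declared length {length} below the 2-byte minimum")
            break
        if pos + 2 + length > len(data):
            overrun = pos + 2 + length - len(data)
            findings.append(f"marker 0xFF{marker:02X} at offset {pos}: "
                            f"segment runs {overrun} bytes past end of file")
            break
        pos += 2 + length
        if marker == 0xDA:          # SOS: entropy-coded data follows, stop the header walk
            break
    return segments, findings


def triage(data: bytes) -> dict:
    """Hashes plus a structural verdict; 'well_formed' is True when nothing was flagged."""
    segments, findings = walk_jpeg_segments(data)
    return {
        "hashes": file_hashes(data),
        "markers": [marker for marker, _, _ in segments],
        "findings": findings,
        "well_formed": not findings,
    }


def _segment(marker: int, payload: bytes) -> bytes:
    """Build one length-prefixed segment (the length counts itself, not the marker)."""
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed samples (not the attachment from the thread): a skeletal JPEG with the
# APP0/COM/DQT headers a camera writes, and a copy whose COM length field is corrupt.
GOOD_JPEG = (
    b"\xff\xd8"
    + _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _segment(0xFE, b"phone camera comment")
    + _segment(0xDB, b"\x00" + bytes(64))
    + _segment(0xDA, b"\x01\x01\x00\x00\x3f\x00")
    + b"\x12\x34\x56"                # stand-in for entropy-coded scan data
    + b"\xff\xd9"
)
BAD_COM_JPEG = (
    b"\xff\xd8"
    + _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + b"\xff\xfe\x00\x00"            # COM marker whose length field is below the minimum
    + b"phone camera comment"
    + b"\xff\xd9"
)

if __name__ == "__main__":
    for name, blob in (("good", GOOD_JPEG), ("bad", BAD_COM_JPEG)):
        report = triage(blob)
        print(name, report["hashes"]["md5"], report["findings"] or "header well-formed")
```

To use it on a real sample, read the file in binary mode and pass the bytes to triage(); compare the returned hashes with the VirusTotal listing before trusting a 0/N result, since a rotate-and-save rewrites the file and changes its hash.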