Trojan Virtumonde And Others

soidog2
edited December 2019 in Logs analysis


Hello BitDefender!


My PC got infected with what Spyware Doctor calls "Trojan Virtumonde" and assorted other goodies.


Back at Christmas you helped me disinfect my laptop; hopefully we can do it again.


Many thanks,


Attached are the HijackThis log, SR log, and some Spyware Doctor logs (over two days).


I will upload an "infected RAR" with the two DLLs and their INIs that I found to infect most running processes in the PC.


Logfile of Trend Micro HijackThis v2.0.2


Scan saved at 1:41:22 PM, on 6/2/2008


Platform: Windows XP SP3, v.3264 (WinNT 5.01.2600)


MSIE: Internet Explorer v6.00 (6.00.2900.3264)


Boot mode: Normal


Running processes:


C:\WINDOWS\System32\smss.exe


C:\WINDOWS\system32\csrss.exe


C:\WINDOWS\system32\winlogon.exe


C:\WINDOWS\system32\services.exe


C:\WINDOWS\system32\lsass.exe


C:\WINDOWS\system32\svchost.exe


C:\WINDOWS\system32\svchost.exe


C:\WINDOWS\System32\svchost.exe


C:\WINDOWS\system32\svchost.exe


C:\WINDOWS\system32\svchost.exe


C:\WINDOWS\Explorer.EXE


C:\WINDOWS\system32\ctfmon.exe


C:\WINDOWS\system32\spoolsv.exe


C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe


C:\WINDOWS\system32\locator.exe


D:\Program Files\Spyware Doctor\svcntaux.exe


D:\Program Files\Spyware Doctor\swdsvc.exe


C:\WINDOWS\system32\svchost.exe


C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe


D:\Program Files\Spyware Doctor\SDTrayApp.exe


C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe


C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe


C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe


C:\Program Files\Softwin\BitDefender10\bdagent.exe


D:\Program Files\iTunes\iTunesHelper.exe


C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe


C:\WINDOWS\system32\Rundll32.exe


C:\Program Files\iPhoneRingToneMaker\iPhoneRingToneMaker.exe


C:\Program Files\Softwin\BitDefender10\vsserv.exe


C:\WINDOWS\system32\wscntfy.exe


C:\Program Files\Logitech\MouseWare\system\em_exec.exe


C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HP1006MC.EXE


C:\Program Files\iPod\bin\iPodService.exe


C:\WINDOWS\System32\alg.exe


C:\Program Files\Trend Micro\HijackThis\HijackThis.exe


C:\WINDOWS\system32\wbem\wmiprvse.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.google.com/


R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157


R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896


R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896


R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =


O4 - HKLM\..\Run: [bDMCon] C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe


O4 - HKLM\..\Run: [bDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"


O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd


O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"


O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE


O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe


O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"


O4 - HKLM\..\Run: [sDTray] "D:\Program Files\Spyware Doctor\SDTrayApp.exe"


O4 - HKLM\..\Run: [bM172e7995] Rundll32.exe "C:\WINDOWS\system32\rovbhatq.dll",s


O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe


O4 - Startup: iPhoneRingToneMaker.lnk = C:\Program Files\iPhoneRingToneMaker\iPhoneRingToneMaker.exe


O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm


O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm


O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000


O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll


O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll


O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1201782226937


O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe


O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe


O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe


O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe


O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - D:\Program Files\Spyware Doctor\svcntaux.exe


O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - D:\Program Files\Spyware Doctor\swdsvc.exe


O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe


O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - C:\Program Files\Softwin\BitDefender10\vsserv.exe


O23 - Service: BitDefender Communicator (XCOMM) - Softwin - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe


--


"Silent Runners.vbs", revision 58, http://www.silentrunners.org/


Operating System: Windows XP


Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:


---------------------------------


HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}


"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}


"BDMCon" = "C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe" ["SOFTWIN S.R.L."]


"BDAgent" = ""C:\Program Files\Softwin\BitDefender10\bdagent.exe"" ["SOFTWIN S.R.L."]


"Cmaudio" = "RunDll32 cmicnfg.cpl,CMICtrlWnd" [MS]


"iTunesHelper" = ""D:\Program Files\iTunes\iTunesHelper.exe"" ["Apple Inc."]


"Logitech Hardware Abstraction Layer" = "KHALMNPR.EXE" ["Logitech Inc."]


"Logitech Utility" = "Logi_MwX.Exe" ["Logitech Inc."]


"SunJavaUpdateSched" = ""C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"" ["Sun Microsystems, Inc."]


"SDTray" = ""D:\Program Files\Spyware Doctor\SDTrayApp.exe"" ["PC Tools"]


"BM172e7995" = "Rundll32.exe "C:\WINDOWS\system32\rovbhatq.dll",s" [MS]


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\


{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)


-> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"


\InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]


{3151DC5C-3A72-407E-8AAF-3A1957DEDBB0}\(Default) = (no title provided)


-> {HKLM...CLSID} = (no title provided)


\InProcServer32\(Default) = "C:\WINDOWS\system32\tuvULFVn.dll" [null data]


{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)


-> {HKLM...CLSID} = "SSVHelper Class"


\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll" ["Sun Microsystems, Inc."]


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\


"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"


-> {HKLM...CLSID} = "Display Panning CPL Extension"


\InProcServer32\(Default) = "deskpan.dll" [file not found]


"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"


-> {HKLM...CLSID} = "HyperTerminal Icon Ext"


\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]


"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}" = "Send To Mail Recipient CMC PowerToy"


-> {HKLM...CLSID} = "Send To Mail Recipient CMC PowerToy"


\InProcServer32\(Default) = "C:\WINDOWS\system32\ShellExt\SENDTOX.DLL" [MS]


"{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}" = "UnlockerShellExtension"


-> {HKLM...CLSID} = "UnlockerShellExtension"


\InProcServer32\(Default) = "C:\Program Files\Unlocker\UnlockerCOM.dll" [null data]


"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"


-> {HKLM...CLSID} = "WinRAR"


\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


"{23170F69-40C1-278A-1000-000100020000}" = "7-Zip Shell Extension"


-> {HKLM...CLSID} = "7-Zip Shell Extension"


\InProcServer32\(Default) = "C:\Program Files\7-Zip\7-zip.dll" ["Igor Pavlov"]


"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"


-> {HKLM...CLSID} = "RealOne Player Context Menu Class"


\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]


"{00DF1F20-0849-A4D1-0239-00D0AF3E9CB0}" = "TuneUp Shredder Shell Context Menu Extension"


-> {HKLM...CLSID} = "TuneUp Shredder Shell Context Menu Extension"


\InProcServer32\(Default) = ""C:\Program Files\TuneUp Utilities 2006\sdshelex.dll"" ["TuneUp Software GmbH"]


"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"


-> {HKLM...CLSID} = (no title provided)


\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]


"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"


-> {HKLM...CLSID} = "iTunes"


\InProcServer32\(Default) = "D:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Inc."]


"{BAF55D20-7BC0-4bcc-A91F-A5223FFFDC9D}" = "Sorcerer Shell Extension"


-> {HKLM...CLSID} = "Sorcerer Shell Extension"


\InProcServer32\(Default) = "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HP1006SX.DLL" ["Software 2000 Limited"]


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\


"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"


-> {HKLM...CLSID} = "WPDShServiceObj Class"


\InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]


HKLM\SYSTEM\CurrentControlSet\Control\Lsa\


<<!>> "Authentication Packages" = "msv1_0"|"C:\WINDOWS\system32\tuvULFVn"


HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\


<<!>> ("credssp.dll" [MS]) "SecurityProviders" = "msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, credssp.dll"


HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\


<<!>> dimsntfy\DLLName = "C:\WINDOWS\System32\dimsntfy.dll" [MS]


HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\


{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"


-> {HKLM...CLSID} = "PDF Shell Extension"


\InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]


HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\


7-Zip\(Default) = "{23170F69-40C1-278A-1000-000100020000}"


-> {HKLM...CLSID} = "7-Zip Shell Extension"


\InProcServer32\(Default) = "C:\Program Files\7-Zip\7-zip.dll" ["Igor Pavlov"]


DAP_Menu\(Default) = "{BED4C38B-F765-45AC-8C56-613F76BBF43E}"


-> {HKLM...CLSID} = "DAPMenuShellExt Class"


\InProcServer32\(Default) = "C:\PROGRA~1\DAP\PRIVAC~1\DAPCTX~1.DLL" ["Speedbit Ltd."]


DAP_ShredMenu\(Default) = "{BED4C38B-F765-45AC-8C56-613F76BBF43E}"


-> {HKLM...CLSID} = "DAPMenuShellExt Class"


\InProcServer32\(Default) = "C:\PROGRA~1\DAP\PRIVAC~1\DAPCTX~1.DLL" ["Speedbit Ltd."]


TuneUp Shredder\(Default) = "{00DF1F20-0849-A4D1-0239-00D0AF3E9CB0}"


-> {HKLM...CLSID} = "TuneUp Shredder Shell Context Menu Extension"


\InProcServer32\(Default) = ""C:\Program Files\TuneUp Utilities 2006\sdshelex.dll"" ["TuneUp Software GmbH"]


WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"


-> {HKLM...CLSID} = "WinRAR"


\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\


7-Zip\(Default) = "{23170F69-40C1-278A-1000-000100020000}"


-> {HKLM...CLSID} = "7-Zip Shell Extension"


\InProcServer32\(Default) = "C:\Program Files\7-Zip\7-zip.dll" ["Igor Pavlov"]


DAP_ShredMenu\(Default) = "{BED4C38B-F765-45AC-8C56-613F76BBF43E}"


-> {HKLM...CLSID} = "DAPMenuShellExt Class"


\InProcServer32\(Default) = "C:\PROGRA~1\DAP\PRIVAC~1\DAPCTX~1.DLL" ["Speedbit Ltd."]


TuneUp Shredder\(Default) = "{00DF1F20-0849-A4D1-0239-00D0AF3E9CB0}"


-> {HKLM...CLSID} = "TuneUp Shredder Shell Context Menu Extension"


\InProcServer32\(Default) = ""C:\Program Files\TuneUp Utilities 2006\sdshelex.dll"" ["TuneUp Software GmbH"]


WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"


-> {HKLM...CLSID} = "WinRAR"


\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\


UnlockerShellExtension\(Default) = "{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}"


-> {HKLM...CLSID} = "UnlockerShellExtension"


\InProcServer32\(Default) = "C:\Program Files\Unlocker\UnlockerCOM.dll" [null data]


WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"


-> {HKLM...CLSID} = "WinRAR"


\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


HKLM\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\


UnlockerShellExtension\(Default) = "{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}"


-> {HKLM...CLSID} = "UnlockerShellExtension"


\InProcServer32\(Default) = "C:\Program Files\Unlocker\UnlockerCOM.dll" [null data]


Group Policies {GPedit.msc branch and setting}:


-----------------------------------------------


Note: detected settings may not have any effect.


HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\


"NoSMHelp" = (REG_BINARY) hex:01 00 00 00


{User Configuration|Administrative Templates|Start Menu and Taskbar|


Remove Help menu from Start Menu}


"ClearRecentDocsOnExit" = (REG_BINARY) hex:01 00 00 00


{unrecognized setting}


"NoRecentDocsHistory" = (REG_BINARY) hex:01 00 00 00


{unrecognized setting}


"NoComputersNearMe" = (REG_BINARY) hex:01 00 00 00


{unrecognized setting}


"NoSMMyDocs" = (REG_BINARY) hex:01 00 00 00


{User Configuration|Administrative Templates|Start Menu and Taskbar|


Remove Documents menu from Start Menu}


"NoSMMyPictures" = (REG_BINARY) hex:01 00 00 00


{User Configuration|Administrative Templates|Start Menu and Taskbar|


Remove My Pictures icon from Start Menu}


"NoDrives" = (REG_BINARY) hex:02 F8 FF 03


{unrecognized setting}


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\


"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001


{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|


Shutdown: Allow system to be shut down without having to log on}


"undockwithoutlogon" = (REG_DWORD) dword:0x00000001


{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|


Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:


-----------------------------


Active Desktop may be enabled at this entry:


HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


Displayed if Active Desktop enabled and wallpaper not set by Group Policy:


HKCU\Software\Microsoft\Internet Explorer\Desktop\General\


"Wallpaper" = "C:\WINDOWS\ACD Wallpaper.bmp"


Displayed if Active Desktop disabled and wallpaper not set by Group Policy:


HKCU\Control Panel\Desktop\


"Wallpaper" = "C:\WINDOWS\ACD Wallpaper.bmp"


Enabled Screen Saver:


---------------------


HKCU\Control Panel\Desktop\


"SCRNSAVE.EXE" = "C:\WINDOWS\system32\ssstars.scr" [MS]


Windows Portable Device AutoPlay Handlers


-----------------------------------------


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\


ACDSee100AcquirePicturesOnArrival\


"Provider" = "ACDSee 10 Photo Manager"


"InvokeProgID" = "ACDSee 10.0.AutoPlayHandlerAcquire"


"InvokeVerb" = "Acquire"


HKLM\SOFTWARE\Classes\ACDSee 10.0.AutoPlayHandlerAcquire\shell\Acquire\command\(Default) = ""C:\Program Files\ACD Systems\ACDSee\10.0\ACDSeeQV10.exe" /detect:%1" ["ACD Systems"]


ACDSee100AcquireVideoFilesOnArrival\


"Provider" = "ACDSee 10 Photo Manager"


"InvokeProgID" = "ACDSee 10.0.AutoPlayHandlerAcquire"


"InvokeVerb" = "Acquire"


HKLM\SOFTWARE\Classes\ACDSee 10.0.AutoPlayHandlerAcquire\shell\Acquire\command\(Default) = ""C:\Program Files\ACD Systems\ACDSee\10.0\ACDSeeQV10.exe" /detect:%1" ["ACD Systems"]


ACDSee100PlayVideoFilesOnArrival\


"Provider" = "ACDSee 10 Photo Manager"


"InvokeProgID" = "ACDSee 10.0.AutoPlayHandler"


"InvokeVerb" = "Open"


HKLM\SOFTWARE\Classes\ACDSee 10.0.AutoPlayHandler\shell\Open\command\(Default) = ""C:\Program Files\ACD Systems\ACDSee\10.0\ACDSeeQV10.exe" "%1"" ["ACD Systems"]


ACDSee100ShowPicturesOnArrival\


"Provider" = "ACDSee 10 Photo Manager"


"InvokeProgID" = "ACDSee 10.0.AutoPlayHandler"


"InvokeVerb" = "Open"


HKLM\SOFTWARE\Classes\ACDSee 10.0.AutoPlayHandler\shell\Open\command\(Default) = ""C:\Program Files\ACD Systems\ACDSee\10.0\ACDSeeQV10.exe" "%1"" ["ACD Systems"]


iTunesBurnCDOnArrival\


"Provider" = "iTunes"


"InvokeProgID" = "iTunes.BurnCD"


"InvokeVerb" = "burn"


HKLM\SOFTWARE\Classes\iTunes.BurnCD\shell\burn\command\(Default) = ""D:\Program Files\iTunes\iTunes.exe" /AutoPlayBurn "%L"" ["Apple Inc."]


iTunesImportSongsOnArrival\


"Provider" = "iTunes"


"InvokeProgID" = "iTunes.ImportSongsOnCD"


"InvokeVerb" = "import"


HKLM\SOFTWARE\Classes\iTunes.ImportSongsOnCD\shell\import\command\(Default) = ""D:\Program Files\iTunes\iTunes.exe" /AutoPlayImportSongs "%L"" ["Apple Inc."]


iTunesPlaySongsOnArrival\


"Provider" = "iTunes"


"InvokeProgID" = "iTunes.PlaySongsOnCD"


"InvokeVerb" = "play"


HKLM\SOFTWARE\Classes\iTunes.PlaySongsOnCD\shell\play\command\(Default) = ""D:\Program Files\iTunes\iTunes.exe" /playCD "%L"" ["Apple Inc."]


iTunesShowSongsOnArrival\


"Provider" = "iTunes"


"InvokeProgID" = "iTunes.ShowSongsOnCD"


"InvokeVerb" = "showsongs"


HKLM\SOFTWARE\Classes\iTunes.ShowSongsOnCD\shell\showsongs\command\(Default) = ""D:\Program Files\iTunes\iTunes.exe" /AutoPlayShowSongs "%L"" ["Apple Inc."]


IviDVDEventHandler\


"Provider" = "InterVideo WinDVD 7"


"InvokeProgID" = "Ivi.MediaFile"


"InvokeVerb" = "play"


HKLM\SOFTWARE\Classes\Ivi.MediaFile\shell\play\command\(Default) = ""C:\Program Files\InterVideo\DVD7\WinDVD.exe" %1" ["InterVideo Inc."]


IviVideoCDHandler\


"Provider" = "InterVideo WinDVD 7"


"InvokeProgID" = "Ivi.MediaFile"


"InvokeVerb" = "play"


HKLM\SOFTWARE\Classes\Ivi.MediaFile\shell\play\command\(Default) = ""C:\Program Files\InterVideo\DVD7\WinDVD.exe" %1" ["InterVideo Inc."]


MSWPDShellNamespaceHandler\


"Provider" = "@%SystemRoot%\System32\WPDShextRes.dll,-501"


"CLSID" = "{A55803CC-4D53-404c-8557-FD63DBA95D24}"


"InitCmdLine" = " "


-> {HKLM...CLSID} = "WPDShextAutoplay"


\LocalServer32\(Default) = "C:\WINDOWS\system32\WPDShextAutoplay.exe" [MS]


RPCDBurningOnArrival\


"Provider" = "RealPlayer"


"InvokeProgID" = "RealPlayer.CDBurn.6"


"InvokeVerb" = "open"


HKCU\Software\Classes\RealPlayer.CDBurn.6\shell\open\command\(Default) = ""C:\Program Files\Real\RealPlayer\RealPlay.exe" /burn "%1"" ["RealNetworks, Inc."]


RPDeviceOnArrival\


"Provider" = "RealPlayer"


"ProgID" = "RealPlayer.HWEventHandler"


HKLM\SOFTWARE\Classes\RealPlayer.HWEventHandler\CLSID\(Default) = "{67E76F1D-BDE2-4052-913C-2752366192D2}"


-> {HKLM...CLSID} = "RealNetworks Scheduler"


\LocalServer32\(Default) = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -autoplay" ["RealNetworks, Inc."]


RPPlayCDAudioOnArrival\


"Provider" = "RealPlayer"


"InvokeProgID" = "RealPlayer.AudioCD.6"


"InvokeVerb" = "play"


HKCU\Software\Classes\RealPlayer.AudioCD.6\shell\play\command\(Default) = ""C:\Program Files\Real\RealPlayer\RealPlay.exe" /play %1 " ["RealNetworks, Inc."]


RPPlayDVDMovieOnArrival\


"Provider" = "RealPlayer"


"InvokeProgID" = "RealPlayer.DVD.6"


"InvokeVerb" = "play"


HKCU\Software\Classes\RealPlayer.DVD.6\shell\play\command\(Default) = ""C:\Program Files\Real\RealPlayer\RealPlay.exe" /dvd %1 " ["RealNetworks, Inc."]


RPPlayMediaOnArrival\


"Provider" = "RealPlayer"


"InvokeProgID" = "RealPlayer.AutoPlay.6"


"InvokeVerb" = "open"


HKCU\Software\Classes\RealPlayer.AutoPlay.6\shell\open\command\(Default) = ""C:\Program Files\Real\RealPlayer\RealPlay.exe" /autoplay "%1"" ["RealNetworks, Inc."]


Startup items in "Administrator" & "All Users" startup folders:


---------------------------------------------------------------


C:\Documents and Settings\Administrator\Start Menu\Programs\Startup


"iPhoneRingToneMaker" -> shortcut to: "C:\Program Files\iPhoneRingToneMaker\iPhoneRingToneMaker.exe -hideonstart" [empty string]


Enabled Scheduled Tasks:


------------------------


"1-Click Maintenance" -> launches: "C:\Program Files\TuneUp Utilities 2006\SystemOptimizer.exe /schedulestart" ["TuneUp Software GmbH"]


"AppleSoftwareUpdate" -> launches: "C:\Program Files\Apple Software Update\SoftwareUpdate.exe -task" ["Apple Inc."]


"HP WEP" -> launches: "C:\Program Files\HP\Dfawep\bin\hpbdfawep.exe" [null data]


Winsock2 Service Provider DLLs:


-------------------------------


Namespace Service Providers


HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}


000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]


000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]


000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]


Transport Service Providers


HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}


0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:


%SystemRoot%\system32\mswsock.dll [MS], 01 - 04, 07 - 14


%SystemRoot%\system32\rsvpsp.dll [MS], 05 - 06


Toolbars, Explorer Bars, Extensions:


------------------------------------


Extensions (Tools menu items, main toolbar menu buttons)


HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\


{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\


"MenuText" = "Sun Java Console"


"CLSIDExtension" = "{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC}"


-> {HKCU...CLSID} = "Java Plug-in 1.6.0_05"


\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll" ["Sun Microsystems, Inc."]


-> {HKLM...CLSID} = "Java Plug-in 1.6.0_05"


\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll" ["Sun Microsystems, Inc."]


Miscellaneous IE Hijack Points


------------------------------


HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURLs\


<<H>> "TuneUp" = "file://C|/Documents and Settings/All Users/Application Data/TuneUp Software/Common/base.css" [file not found]


Running Services (Display Name, Service Name, Path {Service DLL}):


------------------------------------------------------------------


Apple Mobile Device, Apple Mobile Device, ""C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe"" ["Apple, Inc."]


BitDefender Communicator, XCOMM, ""C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service" ["Softwin"]


BitDefender Desktop Update Service, LIVESRV, ""C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe" /service" ["SOFTWIN S.R.L."]


BitDefender Scan Server, bdss, ""C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service" [null data]


BitDefender Virus Shield, VSSERV, ""C:\Program Files\Softwin\BitDefender10\vsserv.exe" /service" ["SOFTWIN S.R.L."]


iPod Service, iPod Service, ""C:\Program Files\iPod\bin\iPodService.exe"" ["Apple Inc."]


PC Tools Auxiliary Service, sdAuxService, "D:\Program Files\Spyware Doctor\svcntaux.exe" ["PC Tools"]


PC Tools Security Service, sdCoreService, "D:\Program Files\Spyware Doctor\swdsvc.exe" ["PC Tools"]


Print Monitors:


---------------


HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\


HP LaserJet P1006 Language Monitor\Driver = "HP1006LM.DLL" ["Software 2000 Limited"]


Microsoft Shared Fax Monitor\Driver = "FXSMON.DLL" [MS]


Motorola Print Server\Driver = "mtprtserv.dll" [null data]


SSGB3 Langmon\Driver = "ssgb3mon.dll" ["Samsung Electronics."]


---------- (launch time: 2008-06-02 13:43:02)


<<!>>: Suspicious data at a malware launch point.


<<H>>: Suspicious data at a browser hijack point.


+ This report excludes default entries except where indicated.


+ To see *everywhere* the ****** checks and *everything* it finds,


launch it from a command prompt or a shortcut with the -all parameter.


+ To search all directories of local fixed drives for DESKTOP.INI


DLL launch points, use the -supp parameter or answer "No" at the


first message box and "Yes" at the second message box.


---------- (total run time: 135 seconds, including 18 seconds for message boxes)


6/2/2008 5:37:59 AM:375


Infection quarantined


Threat Name - Trojan.Agent


Type - Registry Key


Risk Level - High


Infection - HKEY_USERS\S-1-5-21-606747145-1343024091-682003330-500\Software\Microsoft\rdfa


6/2/2008 5:37:59 AM:390


Infection quarantined


Threat Name - Trojan.Agent


Type - Registry Value


Risk Level - High


Infection - HKEY_USERS\S-1-5-21-606747145-1343024091-682003330-500\Software\Microsoft\rdfa, N


6/2/2008 5:37:59 AM:406


Infection quarantined


Threat Name - Trojan.Agent


Type - Registry Value


Risk Level - High


Infection - HKEY_USERS\S-1-5-21-606747145-1343024091-682003330-500\Software\Microsoft\rdfa, F


6/2/2008 5:37:59 AM:421


Infection quarantined


Threat Name - Trojan.Agent


Type - Registry Key


Risk Level - High


Infection - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws


6/2/2008 5:37:59 AM:437


Infection quarantined


Threat Name - Trojan.Agent


Type - Registry Value


Risk Level - High


Infection - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws, (Default)


6/2/2008 5:37:58 AM:375


Infection quarantined


Threat Name - Trojan.Virtumonde


Type - Cookie


Risk Level - Elevated


Infection - 82.98.235.70/ 82.98.235.70


6/1/2008 2:53:18 PM:812


Infection quarantined


Threat Name - Trojan.Virtumonde


Type - File


Risk Level - Elevated


Infection - C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\removalfile.bat


1/8/2008 6:34:34 PM:31


Infection was detected on this computer


Threat Name - Application.Windows_File_Protection_Disabled


Type - Modified Registry Value


Risk Level - Info & PUAs


Infection - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, SFCDisable


End of Logs


Attachment: Infected.rar.zip

Comments

  • Chesda
    edited June 2008

    Run Hijackthis, check and fix these following entries:


    O4 - HKLM\..\Run: [bM172e7995] Rundll32.exe "C:\WINDOWS\system32\rovbhatq.dll",s


    crysty2k5's EDIT: removed HijackThis lines
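The entries the helpers and the Silent Runners report single out in this thread (the Run key that starts rovbhatq.dll through Rundll32, the LSA "Authentication Packages" value that names a second package next to msv1_0, and the untitled BHO whose system32 DLL carries no version information) can be picked out of such logs mechanically. The script below is an added example written for this page; it is not a tool from the thread, from HijackThis, Silent Runners or BitDefender. Its sample lines are copied from the logs posted above, and the flagging heuristics (a Rundll32 launch of a system32 DLL with a one- or two-character export name, any authentication package other than msv1_0, a system32 DLL that Silent Runners prints as "[null data]") are this example's own assumptions, not rules those tools apply.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: lines copied from the HijackThis and Silent Runners
# output posted in this thread, with two benign Run entries kept for contrast.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [bDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
O4 - HKLM\..\Run: [bM172e7995] Rundll32.exe "C:\WINDOWS\system32\rovbhatq.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
<<!>> "Authentication Packages" = "msv1_0"|"C:\WINDOWS\system32\tuvULFVn"
<<H>> "TuneUp" = "file://C|/Documents and Settings/All Users/Application Data/TuneUp Software/Common/base.css" [file not found]
\InProcServer32\(Default) = "C:\WINDOWS\system32\tuvULFVn.dll" [null data]
"""

# A DLL path under the system32 directory (drive letter varies per machine).
SYSTEM32_DLL = re.compile(r'[A-Z]:\\WINDOWS\\system32\\[^\\"\s]+\.dll', re.IGNORECASE)

# HijackThis O4 entry that starts a DLL through Rundll32, e.g.
#   O4 - HKLM\..\Run: [name] Rundll32.exe "C:\...\x.dll",export
RUNDLL_O4 = re.compile(
    r'^O4 - .*\\Run: \[(?P<name>[^\]]+)\] Rundll32(?:\.exe)? "?(?P<dll>[^",]+\.dll)"?,(?P<export>\S+)',
    re.IGNORECASE,
)

# Silent Runners rendering of the LSA "Authentication Packages" value.
AUTH_PKGS = re.compile(r'"Authentication Packages" = (?P<value>.+)$')


@dataclass
class Finding:
    line: str
    reasons: list = field(default_factory=list)


def triage(log_text):
    """Return one Finding per log line that trips at least one heuristic (assumed rules)."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        reasons = []

        # Silent Runners' own markers: carry them through as findings.
        if line.startswith("<<!>>"):
            reasons.append("Silent Runners: suspicious data at a malware launch point")
        elif line.startswith("<<H>>"):
            reasons.append("Silent Runners: suspicious data at a browser hijack point")

        # Heuristic 1: Run key loading a system32 DLL via Rundll32 with a tiny export name.
        m = RUNDLL_O4.match(line)
        if m and SYSTEM32_DLL.search(m.group("dll")) and len(m.group("export")) <= 2:
            reasons.append(
                f"Run key {m.group('name')!r} loads {m.group('dll')} through Rundll32 "
                f"with export {m.group('export')!r}"
            )

        # Heuristic 2: any LSA authentication package besides the default msv1_0.
        m = AUTH_PKGS.search(line)
        if m:
            packages = [p.strip().strip('"') for p in m.group("value").split("|")]
            extra = [p for p in packages if p.lower() != "msv1_0"]
            if extra:
                reasons.append(f"non-default LSA authentication package(s): {extra}")

        # Heuristic 3: a system32 DLL with no version resource ("[null data]").
        if "[null data]" in line and SYSTEM32_DLL.search(line):
            reasons.append("system32 DLL has no version information ([null data])")

        if reasons:
            findings.append(Finding(line, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print("   ->", r)
```

Run it as-is to see the four flagged lines; to use it on a real log, pass the file's text to triage(). The heuristics are deliberately narrow so that ordinary Run entries such as ctfmon.exe or bdagent.exe produce nothing; they are a starting point for manual review, not a verdict.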

  • rootkit ✭✭✭
    edited June 2008

    After you do that, reboot in safe mode and delete the file!


    Download SUPERAntiSpyware and Malwarebytes' Anti-Malware and run a full scan!


    Afterwards, post another HijackThis log here! ;)


    Later edit: Does your BD version have a firewall (Internet Security edition)?!

  • After you do that, reboot in safe mode and delete the file!


    Download SUPERAntiSpyware and Malwarebytes' Anti-Malware and run a full scan!


    Afterwards, post another HijackThis log here! ;)


    Later edit: Does your BD version have a firewall (Internet Security edition)?!


    Did everything you asked; both programs found and removed items.


    BD v10 does not have a firewall; I will upgrade once this is finished!


    Thanks


    Logfile of Trend Micro HijackThis v2.0.2


    Scan saved at 1:46:28 PM, on 6/3/2008


    Platform: Windows XP SP3, v.3264 (WinNT 5.01.2600)


    MSIE: Internet Explorer v6.00 (6.00.2900.3264)


    Boot mode: Normal


    Running processes:


    C:\WINDOWS\System32\smss.exe


    C:\WINDOWS\system32\winlogon.exe


    C:\WINDOWS\system32\services.exe


    C:\WINDOWS\system32\lsass.exe


    C:\WINDOWS\system32\svchost.exe


    C:\WINDOWS\System32\svchost.exe


    C:\WINDOWS\Explorer.EXE


    C:\WINDOWS\system32\ctfmon.exe


    C:\WINDOWS\system32\spoolsv.exe


    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe


    C:\WINDOWS\system32\locator.exe


    C:\WINDOWS\system32\svchost.exe


    C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe


    C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe


    C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe


    C:\WINDOWS\system32\wscntfy.exe


    C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe


    C:\Program Files\Softwin\BitDefender10\bdagent.exe


    D:\Program Files\iTunes\iTunesHelper.exe


    C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe


    C:\Program Files\iPhoneRingToneMaker\iPhoneRingToneMaker.exe


    C:\Program Files\Logitech\MouseWare\system\em_exec.exe


    C:\Program Files\Softwin\BitDefender10\vsserv.exe


    C:\Program Files\iPod\bin\iPodService.exe


    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe


    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.google.com/


    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157


    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896


    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896


    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157


    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =


    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll


    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll


    O4 - HKLM\..\Run: [bDMCon] C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe


    O4 - HKLM\..\Run: [bDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"


    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd


    O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"


    O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE


    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe


    O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"


    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe


    O4 - HKCU\..\Run: [sUPERAntiSpyware] D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe


    O4 - Startup: iPhoneRingToneMaker.lnk = C:\Program Files\iPhoneRingToneMaker\iPhoneRingToneMaker.exe


    O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm


    O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm


    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000


    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll


    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll


    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1201782226937


    O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll


    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe


    O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe


    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe


    O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe


    O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - D:\Program Files\Spyware Doctor\svcntaux.exe


    O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - D:\Program Files\Spyware Doctor\swdsvc.exe


    O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe


    O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - C:\Program Files\Softwin\BitDefender10\vsserv.exe


    O23 - Service: BitDefender Communicator (XCOMM) - Softwin - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe


    --


    End of file - 5027 bytes