Trojan Virtumonde And Others

Hello BitDefender !

My PC got infected with what Spyware Doctor calls" Trojan Virtumondo " and assorted oher goodies.

Back at Christmas you helped me disinfect my laptop , hopefully we can do it again.

Many thanks,

Attached are the HijackThis log , SR log, and some Spyware Doctor logs ( over two days )

I will upload an " infected Rar " with the two dll's and their ini's that i found to infect most runing processes in the PC.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 1:41:22 PM, on 6/2/2008

Platform: Windows XP SP3, v.3264 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2900.3264)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\WINDOWS\system32\locator.exe

\Program Files\Spyware Doctor\svcntaux.exe

\Program Files\Spyware Doctor\swdsvc.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe

\Program Files\Spyware Doctor\SDTrayApp.exe

C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe

C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe

C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe

C:\Program Files\Softwin\BitDefender10\bdagent.exe

\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe

C:\WINDOWS\system32\Rundll32.exe

C:\Program Files\iPhoneRingToneMaker\iPhoneRingToneMaker.exe

C:\Program Files\Softwin\BitDefender10\vsserv.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Logitech\MouseWare\system\em_exec.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HP1006MC.EXE

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\System32\alg.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.google.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

O4 - HKLM\..\Run: [bDMCon] C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe

O4 - HKLM\..\Run: [bDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"

O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd

O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE

O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"

O4 - HKLM\..\Run: [sDTray] "D:\Program Files\Spyware Doctor\SDTrayApp.exe"

O4 - HKLM\..\Run: [bM172e7995] Rundll32.exe "C:\WINDOWS\system32\rovbhatq.dll",s

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Startup: iPhoneRingToneMaker.lnk = C:\Program Files\iPhoneRingToneMaker\iPhoneRingToneMaker.exe

O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm

O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1201782226937

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe

O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - \Program Files\Spyware Doctor\svcntaux.exe

O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - \Program Files\Spyware Doctor\swdsvc.exe

O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe

O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - C:\Program Files\Softwin\BitDefender10\vsserv.exe

O23 - Service: BitDefender Communicator (XCOMM) - Softwin - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe

--

"Silent Runners.vbs", revision 58, http://www.silentrunners.org/

Operating System: Windows XP

Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:

---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"BDMCon" = "C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe" ["SOFTWIN S.R.L."]

"BDAgent" = ""C:\Program Files\Softwin\BitDefender10\bdagent.exe"" ["SOFTWIN S.R.L."]

"Cmaudio" = "RunDll32 cmicnfg.cpl,CMICtrlWnd" [MS]

"iTunesHelper" = ""D:\Program Files\iTunes\iTunesHelper.exe"" ["Apple Inc."]

"Logitech Hardware Abstraction Layer" = "KHALMNPR.EXE" ["Logitech Inc."]

"Logitech Utility" = "Logi_MwX.Exe" ["Logitech Inc."]

"SunJavaUpdateSched" = ""C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"" ["Sun Microsystems, Inc."]

"SDTray" = ""D:\Program Files\Spyware Doctor\SDTrayApp.exe"" ["PC Tools"]

"BM172e7995" = "Rundll32.exe "C:\WINDOWS\system32\rovbhatq.dll",s" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)

-> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"

\InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]

{3151DC5C-3A72-407E-8AAF-3A1957DEDBB0}\(Default) = (no title provided)

-> {HKLM...CLSID} = (no title provided)

\InProcServer32\(Default) = "C:\WINDOWS\system32\tuvULFVn.dll" [null data]

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)

-> {HKLM...CLSID} = "SSVHelper Class"

\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll" ["Sun Microsystems, Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"

-> {HKLM...CLSID} = "Display Panning CPL Extension"

\InProcServer32\(Default) = "deskpan.dll" [file not found]

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"

-> {HKLM...CLSID} = "HyperTerminal Icon Ext"

\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]

"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}" = "Send To Mail Recipient CMC PowerToy"

-> {HKLM...CLSID} = "Send To Mail Recipient CMC PowerToy"

\InProcServer32\(Default) = "C:\WINDOWS\system32\ShellExt\SENDTOX.DLL" [MS]

"{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}" = "UnlockerShellExtension"

-> {HKLM...CLSID} = "UnlockerShellExtension"

\InProcServer32\(Default) = "C:\Program Files\Unlocker\UnlockerCOM.dll" [null data]

"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"

-> {HKLM...CLSID} = "WinRAR"

\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

"{23170F69-40C1-278A-1000-000100020000}" = "7-Zip Shell Extension"

-> {HKLM...CLSID} = "7-Zip Shell Extension"

\InProcServer32\(Default) = "C:\Program Files\7-Zip\7-zip.dll" ["Igor Pavlov"]

"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"

-> {HKLM...CLSID} = "RealOne Player Context Menu Class"

\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]

"{00DF1F20-0849-A4D1-0239-00D0AF3E9CB0}" = "TuneUp Shredder Shell Context Menu Extension"

-> {HKLM...CLSID} = "TuneUp Shredder Shell Context Menu Extension"

\InProcServer32\(Default) = ""C:\Program Files\TuneUp Utilities 2006\sdshelex.dll"" ["TuneUp Software GmbH"]

"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"

-> {HKLM...CLSID} = (no title provided)

\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]

"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"

-> {HKLM...CLSID} = "iTunes"

\InProcServer32\(Default) = "D:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Inc."]

"{BAF55D20-7BC0-4bcc-A91F-A5223FFFDC9D}" = "Sorcerer Shell Extension"

-> {HKLM...CLSID} = "Sorcerer Shell Extension"

\InProcServer32\(Default) = "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HP1006SX.DLL" ["Software 2000 Limited"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\

"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

-> {HKLM...CLSID} = "WPDShServiceObj Class"

\InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\

<<!>> "Authentication Packages" = "msv1_0"|"C:\WINDOWS\system32\tuvULFVn"

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\

<<!>> ("credssp.dll" [MS]) "SecurityProviders" = "msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, credssp.dll"

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\

<<!>> dimsntfy\DLLName = "C:\WINDOWS\System32\dimsntfy.dll" [MS]

HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\

{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"

-> {HKLM...CLSID} = "PDF Shell Extension"

\InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\

7-Zip\(Default) = "{23170F69-40C1-278A-1000-000100020000}"

-> {HKLM...CLSID} = "7-Zip Shell Extension"

\InProcServer32\(Default) = "C:\Program Files\7-Zip\7-zip.dll" ["Igor Pavlov"]

DAP_Menu\(Default) = "{BED4C38B-F765-45AC-8C56-613F76BBF43E}"

-> {HKLM...CLSID} = "DAPMenuShellExt Class"

\InProcServer32\(Default) = "C:\PROGRA~1\DAP\PRIVAC~1\DAPCTX~1.DLL" ["Speedbit Ltd."]

DAP_ShredMenu\(Default) = "{BED4C38B-F765-45AC-8C56-613F76BBF43E}"

-> {HKLM...CLSID} = "DAPMenuShellExt Class"

\InProcServer32\(Default) = "C:\PROGRA~1\DAP\PRIVAC~1\DAPCTX~1.DLL" ["Speedbit Ltd."]

TuneUp Shredder\(Default) = "{00DF1F20-0849-A4D1-0239-00D0AF3E9CB0}"

-> {HKLM...CLSID} = "TuneUp Shredder Shell Context Menu Extension"

\InProcServer32\(Default) = ""C:\Program Files\TuneUp Utilities 2006\sdshelex.dll"" ["TuneUp Software GmbH"]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

-> {HKLM...CLSID} = "WinRAR"

\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\

7-Zip\(Default) = "{23170F69-40C1-278A-1000-000100020000}"

-> {HKLM...CLSID} = "7-Zip Shell Extension"

\InProcServer32\(Default) = "C:\Program Files\7-Zip\7-zip.dll" ["Igor Pavlov"]

DAP_ShredMenu\(Default) = "{BED4C38B-F765-45AC-8C56-613F76BBF43E}"

-> {HKLM...CLSID} = "DAPMenuShellExt Class"

\InProcServer32\(Default) = "C:\PROGRA~1\DAP\PRIVAC~1\DAPCTX~1.DLL" ["Speedbit Ltd."]

TuneUp Shredder\(Default) = "{00DF1F20-0849-A4D1-0239-00D0AF3E9CB0}"

-> {HKLM...CLSID} = "TuneUp Shredder Shell Context Menu Extension"

\InProcServer32\(Default) = ""C:\Program Files\TuneUp Utilities 2006\sdshelex.dll"" ["TuneUp Software GmbH"]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

-> {HKLM...CLSID} = "WinRAR"

\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\

UnlockerShellExtension\(Default) = "{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}"

-> {HKLM...CLSID} = "UnlockerShellExtension"

\InProcServer32\(Default) = "C:\Program Files\Unlocker\UnlockerCOM.dll" [null data]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

-> {HKLM...CLSID} = "WinRAR"

\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\

UnlockerShellExtension\(Default) = "{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}"

-> {HKLM...CLSID} = "UnlockerShellExtension"

\InProcServer32\(Default) = "C:\Program Files\Unlocker\UnlockerCOM.dll" [null data]

Group Policies {GPedit.msc branch and setting}:

-----------------------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"NoSMHelp" = (REG_BINARY) hex:01 00 00 00

{User Configuration|Administrative Templates|Start Menu and Taskbar|

Remove Help menu from Start Menu}

"ClearRecentDocsOnExit" = (REG_BINARY) hex:01 00 00 00

{unrecognized setting}

"NoRecentDocsHistory" = (REG_BINARY) hex:01 00 00 00

{unrecognized setting}

"NoComputersNearMe" = (REG_BINARY) hex:01 00 00 00

{unrecognized setting}

"NoSMMyDocs" = (REG_BINARY) hex:01 00 00 00

{User Configuration|Administrative Templates|Start Menu and Taskbar|

Remove Documents menu from Start Menu}

"NoSMMyPictures" = (REG_BINARY) hex:01 00 00 00

{User Configuration|Administrative Templates|Start Menu and Taskbar|

Remove My Pictures icon from Start Menu}

"NoDrives" = (REG_BINARY) hex:02 F8 FF 03

{unrecognized setting}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) dword:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Devices: Allow undock without having to log on}

Active Desktop and Wallpaper:

-----------------------------

Active Desktop may be enabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\

"Wallpaper" = "C:\WINDOWS\ACD Wallpaper.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:

HKCU\Control Panel\Desktop\

"Wallpaper" = "C:\WINDOWS\ACD Wallpaper.bmp"

Enabled Screen Saver:

---------------------

HKCU\Control Panel\Desktop\

"SCRNSAVE.EXE" = "C:\WINDOWS\system32\ssstars.scr" [MS]

Windows Portable Device AutoPlay Handlers

-----------------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\

ACDSee100AcquirePicturesOnArrival\

"Provider" = "ACDSee 10 Photo Manager"

"InvokeProgID" = "ACDSee 10.0.AutoPlayHandlerAcquire"

"InvokeVerb" = "Acquire"

HKLM\SOFTWARE\Classes\ACDSee 10.0.AutoPlayHandlerAcquire\shell\Acquire\command\(Default) = ""C:\Program Files\ACD Systems\ACDSee\10.0\ACDSeeQV10.exe" /detect:%1" ["ACD Systems"]

ACDSee100AcquireVideoFilesOnArrival\

"Provider" = "ACDSee 10 Photo Manager"

"InvokeProgID" = "ACDSee 10.0.AutoPlayHandlerAcquire"

"InvokeVerb" = "Acquire"

HKLM\SOFTWARE\Classes\ACDSee 10.0.AutoPlayHandlerAcquire\shell\Acquire\command\(Default) = ""C:\Program Files\ACD Systems\ACDSee\10.0\ACDSeeQV10.exe" /detect:%1" ["ACD Systems"]

ACDSee100PlayVideoFilesOnArrival\

"Provider" = "ACDSee 10 Photo Manager"

"InvokeProgID" = "ACDSee 10.0.AutoPlayHandler"

"InvokeVerb" = "Open"

HKLM\SOFTWARE\Classes\ACDSee 10.0.AutoPlayHandler\shell\Open\command\(Default) = ""C:\Program Files\ACD Systems\ACDSee\10.0\ACDSeeQV10.exe" "%1"" ["ACD Systems"]

ACDSee100ShowPicturesOnArrival\

"Provider" = "ACDSee 10 Photo Manager"

"InvokeProgID" = "ACDSee 10.0.AutoPlayHandler"

"InvokeVerb" = "Open"

HKLM\SOFTWARE\Classes\ACDSee 10.0.AutoPlayHandler\shell\Open\command\(Default) = ""C:\Program Files\ACD Systems\ACDSee\10.0\ACDSeeQV10.exe" "%1"" ["ACD Systems"]

iTunesBurnCDOnArrival\

"Provider" = "iTunes"

"InvokeProgID" = "iTunes.BurnCD"

"InvokeVerb" = "burn"

HKLM\SOFTWARE\Classes\iTunes.BurnCD\shell\burn\command\(Default) = ""D:\Program Files\iTunes\iTunes.exe" /AutoPlayBurn "%L"" ["Apple Inc."]

iTunesImportSongsOnArrival\

"Provider" = "iTunes"

"InvokeProgID" = "iTunes.ImportSongsOnCD"

"InvokeVerb" = "import"

HKLM\SOFTWARE\Classes\iTunes.ImportSongsOnCD\shell\import\command\(Default) = ""D:\Program Files\iTunes\iTunes.exe" /AutoPlayImportSongs "%L"" ["Apple Inc."]

iTunesPlaySongsOnArrival\

"Provider" = "iTunes"

"InvokeProgID" = "iTunes.PlaySongsOnCD"

"InvokeVerb" = "play"

HKLM\SOFTWARE\Classes\iTunes.PlaySongsOnCD\shell\play\command\(Default) = ""D:\Program Files\iTunes\iTunes.exe" /playCD "%L"" ["Apple Inc."]

iTunesShowSongsOnArrival\

"Provider" = "iTunes"

"InvokeProgID" = "iTunes.ShowSongsOnCD"

"InvokeVerb" = "showsongs"

HKLM\SOFTWARE\Classes\iTunes.ShowSongsOnCD\shell\showsongs\command\(Default) = ""D:\Program Files\iTunes\iTunes.exe" /AutoPlayShowSongs "%L"" ["Apple Inc."]

IviDVDEventHandler\

"Provider" = "InterVideo WinDVD 7"

"InvokeProgID" = "Ivi.MediaFile"

"InvokeVerb" = "play"

HKLM\SOFTWARE\Classes\Ivi.MediaFile\shell\play\command\(Default) = ""C:\Program Files\InterVideo\DVD7\WinDVD.exe" %1" ["InterVideo Inc."]

IviVideoCDHandler\

"Provider" = "InterVideo WinDVD 7"

"InvokeProgID" = "Ivi.MediaFile"

"InvokeVerb" = "play"

HKLM\SOFTWARE\Classes\Ivi.MediaFile\shell\play\command\(Default) = ""C:\Program Files\InterVideo\DVD7\WinDVD.exe" %1" ["InterVideo Inc."]

MSWPDShellNamespaceHandler\

"Provider" = "@%SystemRoot%\System32\WPDShextRes.dll,-501"

"CLSID" = "{A55803CC-4D53-404c-8557-FD63DBA95D24}"

"InitCmdLine" = " "

-> {HKLM...CLSID} = "WPDShextAutoplay"

\LocalServer32\(Default) = "C:\WINDOWS\system32\WPDShextAutoplay.exe" [MS]

RPCDBurningOnArrival\

"Provider" = "RealPlayer"

"InvokeProgID" = "RealPlayer.CDBurn.6"

"InvokeVerb" = "open"

HKCU\Software\Classes\RealPlayer.CDBurn.6\shell\open\command\(Default) = ""C:\Program Files\Real\RealPlayer\RealPlay.exe" /burn "%1"" ["RealNetworks, Inc."]

RPDeviceOnArrival\

"Provider" = "RealPlayer"

"ProgID" = "RealPlayer.HWEventHandler"

HKLM\SOFTWARE\Classes\RealPlayer.HWEventHandler\CLSID\(Default) = "{67E76F1D-BDE2-4052-913C-2752366192D2}"

-> {HKLM...CLSID} = "RealNetworks Scheduler"

\LocalServer32\(Default) = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -autoplay" ["RealNetworks, Inc."]

RPPlayCDAudioOnArrival\

"Provider" = "RealPlayer"

"InvokeProgID" = "RealPlayer.AudioCD.6"

"InvokeVerb" = "play"

HKCU\Software\Classes\RealPlayer.AudioCD.6\shell\play\command\(Default) = ""C:\Program Files\Real\RealPlayer\RealPlay.exe" /play %1 " ["RealNetworks, Inc."]

RPPlayDVDMovieOnArrival\

"Provider" = "RealPlayer"

"InvokeProgID" = "RealPlayer.DVD.6"

"InvokeVerb" = "play"

HKCU\Software\Classes\RealPlayer.DVD.6\shell\play\command\(Default) = ""C:\Program Files\Real\RealPlayer\RealPlay.exe" /dvd %1 " ["RealNetworks, Inc."]

RPPlayMediaOnArrival\

"Provider" = "RealPlayer"

"InvokeProgID" = "RealPlayer.AutoPlay.6"

"InvokeVerb" = "open"

HKCU\Software\Classes\RealPlayer.AutoPlay.6\shell\open\command\(Default) = ""C:\Program Files\Real\RealPlayer\RealPlay.exe" /autoplay "%1"" ["RealNetworks, Inc."]

Startup items in "Administrator" & "All Users" startup folders:

---------------------------------------------------------------

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup

"iPhoneRingToneMaker" -> shortcut to: "C:\Program Files\iPhoneRingToneMaker\iPhoneRingToneMaker.exe -hideonstart" [empty string]

Enabled Scheduled Tasks:

------------------------

"1-Click Maintenance" -> launches: "C:\Program Files\TuneUp Utilities 2006\SystemOptimizer.exe /schedulestart" ["TuneUp Software GmbH"]

"AppleSoftwareUpdate" -> launches: "C:\Program Files\Apple Software Update\SoftwareUpdate.exe -task" ["Apple Inc."]

"HP WEP" -> launches: "C:\Program Files\HP\Dfawep\bin\hpbdfawep.exe" [null data]

Winsock2 Service Provider DLLs:

-------------------------------

Namespace Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

%SystemRoot%\system32\mswsock.dll [MS], 01 - 04, 07 - 14

%SystemRoot%\system32\rsvpsp.dll [MS], 05 - 06

Toolbars, Explorer Bars, Extensions:

------------------------------------

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\

{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\

"MenuText" = "Sun Java Console"

"CLSIDExtension" = "{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC}"

-> {HKCU...CLSID} = "Java Plug-in 1.6.0_05"

\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll" ["Sun Microsystems, Inc."]

-> {HKLM...CLSID} = "Java Plug-in 1.6.0_05"

\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll" ["Sun Microsystems, Inc."]

Miscellaneous IE Hijack Points

------------------------------

HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURLs\

<<H>> "TuneUp" = "file://C|/Documents and Settings/All Users/Application Data/TuneUp Software/Common/base.css" [file not found]

Running Services (Display Name, Service Name, Path {Service DLL}):

------------------------------------------------------------------

Apple Mobile Device, Apple Mobile Device, ""C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe"" ["Apple, Inc."]

BitDefender Communicator, XCOMM, ""C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service" ["Softwin"]

BitDefender Desktop Update Service, LIVESRV, ""C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe" /service" ["SOFTWIN S.R.L."]

BitDefender Scan Server, bdss, ""C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service" [null data]

BitDefender Virus Shield, VSSERV, ""C:\Program Files\Softwin\BitDefender10\vsserv.exe" /service" ["SOFTWIN S.R.L."]

iPod Service, iPod Service, ""C:\Program Files\iPod\bin\iPodService.exe"" ["Apple Inc."]

PC Tools Auxiliary Service, sdAuxService, "D:\Program Files\Spyware Doctor\svcntaux.exe" ["PC Tools"]

PC Tools Security Service, sdCoreService, "D:\Program Files\Spyware Doctor\swdsvc.exe" ["PC Tools"]

Print Monitors:

---------------

HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\

HP LaserJet P1006 Language Monitor\Driver = "HP1006LM.DLL" ["Software 2000 Limited"]

Microsoft Shared Fax Monitor\Driver = "FXSMON.DLL" [MS]

Motorola Print Server\Driver = "mtprtserv.dll" [null data]

SSGB3 Langmon\Driver = "ssgb3mon.dll" ["Samsung Electronics."]

---------- (launch time: 2008-06-02 13:43:02)

<<!>>: Suspicious data at a malware launch point.

<<H>>: Suspicious data at a browser hijack point.

+ This report excludes default entries except where indicated.

+ To see *everywhere* the ****** checks and *everything* it finds,

launch it from a command prompt or a shortcut with the -all parameter.

+ To search all directories of local fixed drives for DESKTOP.INI

DLL launch points, use the -supp parameter or answer "No" at the

first message box and "Yes" at the second message box.

---------- (total run time: 135 seconds, including 18 seconds for message boxes)

6/2/2008 5:37:59 AM:375

Infection quarantined

Threat Name - Trojan.Agent

Type - Registry Key

Risk Level - High

Infection - HKEY_USERS\S-1-5-21-606747145-1343024091-682003330-500\Software\Microsoft\rdfa

6/2/2008 5:37:59 AM:390

Infection quarantined

Threat Name - Trojan.Agent

Type - Registry Value

Risk Level - High

Infection - HKEY_USERS\S-1-5-21-606747145-1343024091-682003330-500\Software\Microsoft\rdfa, N

6/2/2008 5:37:59 AM:406

Infection quarantined

Threat Name - Trojan.Agent

Type - Registry Value

Risk Level - High

Infection - HKEY_USERS\S-1-5-21-606747145-1343024091-682003330-500\Software\Microsoft\rdfa, F

6/2/2008 5:37:59 AM:421

Infection quarantined

Threat Name - Trojan.Agent

Type - Registry Key

Risk Level - High

Infection - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws

6/2/2008 5:37:59 AM:437

Infection quarantined

Threat Name - Trojan.Agent

Type - Registry Value

Risk Level - High

Infection - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws, (Default)

6/2/2008 5:37:58 AM:375

Infection quarantined

Threat Name - Trojan.Virtumonde

Type - Cookie

Risk Level - Elevated

Infection - 82.98.235.70/ 82.98.235.70

6/1/2008 2:53:18 PM:812

Infection quarantined

Threat Name - Trojan.Virtumonde

Type - File

Risk Level - Elevated

Infection - C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\removalfile.bat

1/8/2008 6:34:34 PM:31

Infection was detected on this computer

Threat Name - Application.Windows_File_Protection_Disabled

Type - Modified Registry Value

Risk Level - Info & PUAs

Infection - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, SFCDisable

End of Logs

 

/applications/core/interface/file/attachment.php?id=19784" data-fileExt='zip' data-fileid='19784'>Infected.rar.zip