Exploit.win32.ms04-028.gen
I just purchased a new 2GB MicroSD card for my Samsung SCH-i760 and whenever I put the card in my card reader, open an image (jpg) file, try to rotate the picture and save it, I get this Virus alert just like many of you. Kinda of a PITA. The messages from Bit Defender is about Exploit.win32.ms04-028.gen
Attach is an example of a file from the card that comes up infected with password "infected"
Here is the HiJackThis! log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:26:07 AM, on 6/19/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal
Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\RtHDVCpl.exe
C:\Program Files\Toshiba\Power Saver\TPwrMain.exe
C:\Program Files\Toshiba\SmoothView\SmoothView.exe
C:\Program Files\Toshiba\FlashCards\TCrdMain.exe
C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\WindowsMobile\wmdc.exe
C:\Program Files\Toshiba\TOSCDSPD\TOSCDSPD.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\MagicDisc\MagicDisc.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Synaptics\SynTP\SynToshiba.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Toshiba\ConfigFree\CFSwMgr.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
O4 - HKLM\..\Run: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
O4 - HKLM\..\Run: [smoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
O4 - HKLM\..\Run: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [startCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKLM\..\Run: [bitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe"
O4 - HKLM\..\Run: [bDAgent] "C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [skytel] Skytel.exe
O4 - HKLM\..\Run: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [TOSCDSPD] TOSCDSPD.EXE
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKCU\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\HOMERunner.exe"
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKUS\S-1-5-19\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Facebo...toUploader5.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/Facebo...Uploader4_5.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: pinger - Unknown owner - C:\Toshiba\IVP\ISM\pinger.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: TOSHIBA Navi Support Service (TNaviSrv) - TOSHIBA Corporation - C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe
O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - BitDefender - C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
--
End of file - 9266 bytes
/applications/core/interface/file/attachment.php?id=2285" data-fileid="2285" rel="">0612081656.zip
Comments
-
Thenk you for the sample !
The guys from the LAB will take a look !
Download ComboFix from here: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Then close all running programs, including web browser, instant messenger, etc and then run ComboFix.
It will ask you whether it should start cleaning or not. Press 1 and hit Enter. Don't stop it while running. While doing this your screen may disappear but don't worry, it's a normal behaviour.
At the end ComboFix will generate a log file. Save it and post it here.0 -
The file is not currently detected. This was probably a false positive which was in the meantime eliminated. Please update the signatures of you BitDefender installation. If the problem persists, please let us know.
Best regards.0 -
The file is not currently detected. This was probably a false positive which was in the meantime eliminated. Please update the signatures of you BitDefender installation. If the problem persists, please let us know.
Best regards.
I ran an update for BD (IS 2008), restarted my computer, and attempted to open and manipulate a few different known image files that come up as infected and it still gave me the message saying it a virus was quarantined. So in other words: Nothing has changed.
Was I missing some sort of update not covered by the update that's run through the BD App?
Also, I ran the ComboFix App and here is the Log it generated:
ComboFix 08-06-20.4 - Someone 2008-06-23 13:37:41.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1131 [GMT -7:00]
Running from: C:\Users\Someone\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active
.
((((((((((((((((((((((((( Files Created from 2008-05-23 to 2008-06-23 )))))))))))))))))))))))))))))))
.
2008-06-19 11:15 . 2008-06-19 11:15 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-18 13:12 . 2008-06-18 13:13 <DIR> d-------- C:\Program Files\QuickTime
2008-06-18 13:04 . 2008-06-18 13:04 <DIR> d-------- C:\Program Files\Opera
2008-06-13 05:55 . 2008-04-22 21:42 428,544 --a------ C:\Windows\System32\EncDec.dll
2008-06-13 05:55 . 2008-04-22 21:42 293,376 --a------ C:\Windows\System32\psisdecd.dll
2008-06-13 05:55 . 2008-04-22 21:41 218,624 --a------ C:\Windows\System32\psisrndr.ax
2008-06-13 05:55 . 2008-04-22 21:41 57,856 --a------ C:\Windows\System32\MSDvbNP.ax
2008-06-11 11:42 . 2008-06-11 19:44 <DIR> d-------- C:\Program Files\DAEMON Tools Lite
2008-06-11 11:33 . 2008-06-11 11:33 <DIR> d-------- C:\Users\Someone\AppData\Roaming\DAEMON Tools
2008-06-11 06:22 . 2008-04-24 19:12 1,383,424 --a------ C:\Windows\System32\mshtml.tlb
2008-06-11 06:22 . 2008-04-24 21:35 826,880 --a------ C:\Windows\System32\wininet.dll
2008-06-11 05:13 . 2008-05-09 18:33 113,664 --a------ C:\Windows\System32\drivers\rmcast.sys
2008-06-11 05:11 . 2008-04-26 01:08 1,314,816 --a------ C:\Windows\System32\quartz.dll
2008-06-06 02:26 . 2008-06-06 02:26 <DIR> d-------- C:\Program Files\IrfanView
2008-05-30 04:55 . 2008-05-30 04:55 <DIR> d-------- C:\Users\Someone\AppData\Roaming\Move Networks
2008-05-28 17:59 . 2008-05-28 17:59 <DIR> d-------- C:\Users\Someone\AppData\Roaming\Microsoft Office Mobile
2008-05-27 23:16 . 2008-06-23 13:25 12 --a------ C:\Windows\bthservsdp.dat
2008-05-27 15:10 . 2008-03-07 19:08 4,240,384 --a------ C:\Windows\System32\GameUXLegacyGDFs.dll
2008-05-27 15:10 . 2008-03-07 21:21 1,695,744 --a------ C:\Windows\System32\gameux.dll
2008-05-27 10:50 . 2008-05-27 10:50 90,112 --a------ C:\Windows\System32\QuickTimeVR.qtx
2008-05-27 10:50 . 2008-05-27 10:50 57,344 --a------ C:\Windows\System32\QuickTime.qts
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-23 20:24 --------- d-----w C:\Users\Someone\AppData\Roaming\uTorrent
2008-06-23 05:25 --------- d-----w C:\Program Files\Safari
2008-06-17 18:10 --------- d-----w C:\Users\Someone\AppData\Roaming\FileZilla
2008-06-13 13:16 --------- d-----w C:\Program Files\Windows Mail
2008-06-11 20:12 --------- d-----w C:\Users\Someone\AppData\Roaming\GARMIN
2008-06-11 18:34 717,296 ----a-w C:\Windows\system32\drivers\sptd.sys
2008-06-06 17:28 --------- d-----w C:\Program Files\DivX
2008-05-30 23:22 823,296 ----a-w C:\Windows\System32\divx_xx0c.dll
2008-05-30 23:22 823,296 ----a-w C:\Windows\System32\divx_xx07.dll
2008-05-30 23:22 815,104 ----a-w C:\Windows\System32\divx_xx0a.dll
2008-05-30 23:22 802,816 ----a-w C:\Windows\System32\divx_xx11.dll
2008-05-30 23:22 683,520 ----a-w C:\Windows\System32\DivX.dll
2008-05-30 23:22 593,920 ----a-w C:\Windows\System32\dpuGUI11.dll
2008-05-30 23:22 57,344 ----a-w C:\Windows\System32\dpv11.dll
2008-05-30 23:22 53,248 ----a-w C:\Windows\System32\dpuGUI10.dll
2008-05-30 23:22 344,064 ----a-w C:\Windows\System32\dpus11.dll
2008-05-30 23:22 294,912 ----a-w C:\Windows\System32\dpu11.dll
2008-05-30 23:22 294,912 ----a-w C:\Windows\System32\dpu10.dll
2008-05-23 13:24 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-05-22 22:22 524,288 ----a-w C:\Windows\System32\DivXsm.exe
2008-05-22 22:22 3,596,288 ----a-w C:\Windows\System32\qt-dx331.dll
2008-05-22 22:20 200,704 ----a-w C:\Windows\System32\ssldivx.dll
2008-05-22 22:20 1,044,480 ----a-w C:\Windows\System32\libdivx.dll
2008-05-22 22:19 81,920 ----a-w C:\Windows\System32\dpl100.dll
2008-05-22 22:19 196,608 ----a-w C:\Windows\System32\dtu100.dll
2008-05-22 22:19 161,096 ----a-w C:\Windows\System32\DivXCodecVersionChecker.exe
2008-05-22 22:18 12,288 ----a-w C:\Windows\System32\DivXWMPExtType.dll
2008-05-18 19:41 --------- d-----w C:\ProgramData\Microsoft Help
2008-05-18 19:38 --------- d-----w C:\Program Files\MSBuild
2008-05-18 19:38 --------- d-----w C:\Program Files\Microsoft Works
2008-05-13 17:55 --------- d-----w C:\Program Files\Picasa2
2008-05-11 14:28 --------- d-----w C:\ProgramData\WinZip
2008-05-11 14:26 --------- d-----w C:\Program Files\Common Files\Ahead
2008-05-11 14:26 --------- d-----w C:\Program Files\Ahead
2008-05-07 02:19 --------- d-----w C:\Program Files\IM+ 4.56 for PocketPC
2008-05-05 05:19 --------- d-----w C:\Program Files\Free Audio Pack
2008-05-05 05:13 --------- d-----w C:\Users\Someone\AppData\Roaming\NCH Swift Sound
2008-05-05 05:13 --------- d-----w C:\Program Files\NCH Swift Sound
2008-05-03 06:47 --------- d-----w C:\ProgramData\NCH Swift Sound
2008-05-03 04:03 --------- d-----w C:\Users\Someone\AppData\Roaming\GetRightToGo
2008-05-02 12:59 122,368 ----a-w C:\Windows\system32\drivers\Rtlh86.sys
2008-05-01 17:56 --------- d-----w C:\ProgramData\Office Genuine Advantage
2008-05-01 04:39 --------- d-----w C:\ProgramData\InstalledPackages
2008-05-01 04:38 --------- d-----w C:\Program Files\Wireless Sync
2008-04-30 19:02 0 ---ha-w C:\Windows\system32\drivers\Msft_User_WpdRapi2_01_00_00.Wdf
2008-04-30 18:49 0 ---ha-w C:\Windows\system32\drivers\Msft_User_WpdRapi_01_00_00.Wdf
2008-04-25 03:36 --------- d-----w C:\Program Files\gallery2
2008-04-23 04:58 --------- d-----w C:\Program Files\Apple Software Update
2008-04-15 20:46 1,537,536 ----a-w C:\Program Files\siw.exe
2008-04-14 00:54 319,456 ----a-w C:\Windows\DIFxAPI.dll
2008-04-14 00:35 174 --sha-w C:\Program Files\desktop.ini
2008-04-13 23:55 82,432 ----a-w C:\Windows\System32\axaltocm.dll
2008-04-13 23:55 101,888 ----a-w C:\Windows\System32\ifxcardm.dll
2008-03-16 22:16 724,984 ----a-w C:\Users\Someone\gotomypc_437.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="TOSCDSPD.EXE" []
"Aim6"="" []
"AlcoholAutomount"="C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" [2007-12-22 00:20 222080]
"TomTomHOME.exe"="C:\Program Files\TomTom HOME 2\HOMERunner.exe" [ ]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2008-01-19 00:33 125952]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [2008-04-01 02:39 486856]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2007-08-09 19:26 4702208 C:\Windows\RtHDVCpl.exe]
"TPwrMain"="C:\Program Files\TOSHIBA\Power Saver\TPwrMain.EXE" [2007-03-29 10:39 411192]
"HSON"="C:\Program Files\TOSHIBA\TBS\HSON.exe" [2006-12-07 16:49 55416]
"SmoothView"="C:\Program Files\Toshiba\SmoothView\SmoothView.exe" [2007-06-15 21:01 448080]
"00TCrdMain"="C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe" [2007-05-22 16:32 538744]
"NDSTray.exe"="NDSTray.exe" []
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 12:35 90112]
"BitDefender Antiphishing Helper"="C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe" [2007-10-09 16:46 61440]
"BDAgent"="C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe" [2008-06-09 08:32 360448]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 07:00 33648]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-12-06 19:12 1029416]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"Skytel"="Skytel.exe" [2007-08-03 13:22 1826816 C:\Windows\SkyTel.exe]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 10:50 413696]
"Windows Mobile Device Center"="C:\Windows\WindowsMobile\wmdc.exe" [2007-05-31 09:21 648072]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2008-02-25 18:23 443968]
C:\Users\Someone\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
MagicDisc.lnk - C:\Program Files\MagicDisc\MagicDisc.exe [2008-02-09 22:32:39 557568]
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2007-08-24 04:45:42 101784]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.dvacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\vio\dvacm.acm
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiSpywareOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{D311D56B-1CEC-4F59-89FE-401DD08B22B7}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{1BB15376-723F-4F05-981B-FD8794D41B2C}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{B83C060B-A173-4445-83CB-FDDC8B2D0ABF}"= UDP:C:\Program Files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{0872348F-7252-48B3-AF48-021095C12BBC}"= TCP:C:\Program Files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{D51300AB-72B0-49FE-AA7C-55CEDEE6BE14}"= UDP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{AAE94964-3FF1-4025-BB85-8B94FA664D4C}"= TCP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{1BBBCBB1-5477-4A56-954F-E49013EFC8FE}"= UDP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent
"{5BFD67DD-2523-4615-AD10-E0214C997E33}"= TCP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent
"{CC77E681-BB2F-428F-BADB-E6E4A9CCD28E}"= TCP:6004|C:\Program Files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{4DDC9FB4-8C55-48C9-B9C6-11D02DB7C4B7}"= UDP:C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{D7E88062-3ACF-445E-A4A3-42799E39DCE7}"= TCP:C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{69764175-22D6-470A-943E-D82FC876C718}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{7DC9820D-78F8-420C-897A-1A257E62C2B0}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{94E9E0D7-8D0C-4545-BAB7-F1DF38189939}"= UDP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"{8A28C6FD-23D4-4839-AA8D-AB735D5D131C}"= TCP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"{6262E605-CCD9-4EC1-9AFF-BCE431D6C050}"= UDP:C:\Users\Someone\AppData\Roaming\Facebook\facebook.exe:Facebook
"{FB519924-BEEB-48FA-8F23-76F09DEFE178}"= TCP:C:\Users\Someone\AppData\Roaming\Facebook\facebook.exe:Facebook
"{FD9D7D31-2EF4-441C-92DA-91F190C8BF9A}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{9D2CEB40-014C-4F88-9D95-23289DD48B9B}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{D0C1E4D1-77AA-4029-BC73-4CA1FA518E11}"= UDP:5721:LocalSubnet:LocalSubnet|IF={36D6A040-4C02-4C21-AFA9-851ECDD2AE43}:@%systemroot%\WindowsMobile\wmdc.exe,-4002
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"C:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"= C:\TOSHIBA\ivp\NetInt\Netint.exe:*:Enabled:NIE - Toshiba Software Upgrades Engine
"C:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= C:\TOSHIBA\Ivp\ISM\pinger.exe:*:Enabled:Toshiba Software Upgrades Pinger
R0 AtiPcie;ATI PCI Express (3GIO) Filter;C:\Windows\system32\DRIVERS\AtiPcie.sys [2006-10-30 11:23]
R2 RapiMgr;Windows Mobile-based device connectivity;C:\Windows\system32\svchost.exe [2008-01-19 00:33]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 14:38]
R2 WcesComm;Windows Mobile-2003-based device connectivity;C:\Windows\system32\svchost.exe [2008-01-19 00:33]
R3 atikmdag;atikmdag;C:\Windows\system32\DRIVERS\atikmdag.sys [2007-07-27 23:36]
R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;C:\Windows\system32\DRIVERS\bdfndisf.sys [2008-02-13 10:54]
R3 FwLnk;FwLnk Driver;C:\Windows\system32\DRIVERS\FwLnk.sys [2006-11-19 23:11]
R3 RTL8187B;Realtek RTL8187B Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;C:\Windows\system32\DRIVERS\RTL8187B.sys [2008-03-18 10:02]
S3 winbondcir;Winbond IR Transceiver;C:\Windows\system32\DRIVERS\winbondcir.sys [2007-03-28 07:51]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
bthsvcs REG_MULTI_SZ BthServ
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ba635721-a1f9-11dc-b8c9-00a0d1880dd5}]
\shell\AutoRun\command - H:\InstallTomTomHOME.exe
*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-06-23 16:49:16 C:\Windows\Tasks\User_Feed_Synchronization-{9E354B1C-535B-4DA1-964E-863686482802}.job"
- C:\Windows\system32\msfeedssync.exe
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-23 13:42:04
Windows 6.0.6001 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-06-23 13:44:38
ComboFix-quarantined-files.txt 2008-06-23 20:43:41
Pre-Run: 78,748,930,048 bytes free
Post-Run: 78,913,888,256 bytes free
196 --- E O F --- 2008-06-19 20:21:31
Hope that helps!0 -
Please upload one of the infected file on http://www.virustotal.com/ and leave here the test link
(disable BD shield for a few second to do this)0 -
Please upload one of the infected file on http://www.virustotal.com/ and leave here the test link
(disable BD shield for a few second to do this)
It came up clean, it seems. I tried to manipulate the photo to make sure the virus warning still popped up, and it did.
File 0622080941.jpg received on 06.30.2008 21:44:03 (CET)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED
Result: 0/33 (0%)
Loading server information...
Your file is queued in position: ___.
Estimated start time is between ___ and ___ .
Do not close the window until scan is complete.
The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
If you are waiting for more than five minutes you have to resend your file.
Your file is being scanned by VirusTotal in this moment,
results will be shown as they're generated.
Compact Compact
Print results Print results
Your file has expired or does not exists.
Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.
You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished.
Email:
Antivirus Version Last Update Result
AhnLab-V3 2008.7.1.0 2008.06.30 -
AntiVir 7.8.0.59 2008.06.30 -
Authentium 5.1.0.4 2008.06.29 -
Avast 4.8.1195.0 2008.06.30 -
AVG 7.5.0.516 2008.06.30 -
BitDefender 7.2 2008.06.30 -
CAT-QuickHeal 9.50 2008.06.30 -
ClamAV 0.93.1 2008.06.30 -
DrWeb 4.44.0.09170 2008.06.30 -
eSafe 7.0.17.0 2008.06.30 -
eTrust-Vet 31.6.5914 2008.06.30 -
Ewido 4.0 2008.06.27 -
F-Prot 4.4.4.56 2008.06.29 -
F-Secure 7.60.13501.0 2008.06.26 -
Fortinet 3.14.0.0 2008.06.30 -
GData 2.0.7306.1023 2008.06.30 -
Ikarus T3.1.1.26.0 2008.06.30 -
Kaspersky 7.0.0.125 2008.06.30 -
McAfee 5328 2008.06.30 -
Microsoft 1.3704 2008.06.30 -
NOD32v2 3228 2008.06.30 -
Norman 5.80.02 2008.06.30 -
Panda 9.0.0.4 2008.06.30 -
Prevx1 V2 2008.06.30 -
Rising 20.51.02.00 2008.06.30 -
Sophos 4.30.0 2008.06.30 -
Sunbelt 3.0.1176.1 2008.06.26 -
Symantec 10 2008.06.30 -
TheHacker 6.2.96.364 2008.06.28 -
TrendMicro 8.700.0.1004 2008.06.30 -
VBA32 3.12.6.8 2008.06.30 -
VirusBuster 4.5.11.0 2008.06.30 -
Webwasher-Gateway 6.6.2 2008.06.30 -
Additional information
File size: 501658 bytes
MD5...: 4676302b0c45c7af7434e2580760b696
SHA1..: b55450d9299eeed8ec9e1c9eb3efce9410d097c3
SHA256: eea86ba3d649ea2bffbd020229ad33f111a0f4fcdeb4d9a779b82e73cf23ac94
SHA512: 917908377b07ad1d724f1f49d4b9371871d1b25353f41f000bd83ca7b6d48abb
7fd5762de684572c2d5100042ff3db8fbc20a05500ff6dc8b2ea7a4dd44da4ee
PEiD..: -
PEInfo: -
packers (F-Prot): appended0 -
No luck yet?
So... No Dice?
Still does it. Phone is even updated to WM6.1 and BD Updates are frequent.0