Exploit.win32.ms04-028.gen

Sal Khan · June 2008

I just purchased a new 2GB MicroSD card for my Samsung SCH-i760 and whenever I put the card in my card reader, open an image (jpg) file, try to rotate the picture and save it, I get this Virus alert just like many of you. Kinda of a PITA. The messages from Bit Defender is about Exploit.win32.ms04-028.gen

Attach is an example of a file from the card that comes up infected with password "infected"

Here is the HiJackThis! log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 11:26:07 AM, on 6/19/2008

Platform: Windows Vista SP1 (WinNT 6.00.1905)

MSIE: Internet Explorer v7.00 (7.00.6001.18000)

Boot mode: Normal

Running processes:

C:\Windows\system32\taskeng.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Windows\RtHDVCpl.exe

C:\Program Files\Toshiba\Power Saver\TPwrMain.exe

C:\Program Files\Toshiba\SmoothView\SmoothView.exe

C:\Program Files\Toshiba\FlashCards\TCrdMain.exe

C:\Program Files\Toshiba\ConfigFree\NDSTray.exe

C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Windows\WindowsMobile\wmdc.exe

C:\Program Files\Toshiba\TOSCDSPD\TOSCDSPD.exe

C:\Windows\ehome\ehtray.exe

C:\Program Files\DAEMON Tools Lite\daemon.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE

C:\Program Files\MagicDisc\MagicDisc.exe

C:\Windows\System32\mobsync.exe

C:\Program Files\Synaptics\SynTP\SynToshiba.exe

C:\Windows\ehome\ehmsas.exe

C:\Program Files\Synaptics\SynTP\SynTPHelper.exe

C:\Program Files\Toshiba\ConfigFree\CFSwMgr.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O1 - Hosts: ::1 localhost

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll

O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide

O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe

O4 - HKLM\..\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE

O4 - HKLM\..\Run: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe

O4 - HKLM\..\Run: [smoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe

O4 - HKLM\..\Run: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe

O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe

O4 - HKLM\..\Run: [startCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

O4 - HKLM\..\Run: [bitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe"

O4 - HKLM\..\Run: [bDAgent] "C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"

O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [skytel] Skytel.exe

O4 - HKLM\..\Run: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKCU\..\Run: [TOSCDSPD] TOSCDSPD.EXE

O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount

O4 - HKCU\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\HOMERunner.exe"

O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe

O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun

O4 - HKUS\S-1-5-19\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')

O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe

O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll

O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll

O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL

O13 - Gopher Prefix:

O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Facebo...toUploader5.cab

O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab

O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/Facebo...Uploader4_5.cab

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll

O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe

O23 - Service: pinger - Unknown owner - C:\Toshiba\IVP\ISM\pinger.exe

O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

O23 - Service: TOSHIBA Navi Support Service (TNaviSrv) - TOSHIBA Corporation - C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe

O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe

O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe

O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe

O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe

O23 - Service: BitDefender Communicator (XCOMM) - BitDefender - C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe

--

End of file - 9266 bytes

/applications/core/interface/file/attachment.php?id=2285" data-fileid="2285" rel="">0612081656.zip

rootkit · June 2008

Thenk you for the sample !

The guys from the LAB will take a look !

Download ComboFix from here: http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Then close all running programs, including web browser, instant messenger, etc and then run ComboFix.

It will ask you whether it should start cleaning or not. Press 1 and hit Enter. Don't stop it while running. While doing this your screen may disappear but don't worry, it's a normal behaviour.

At the end ComboFix will generate a log file. Save it and post it here.

Cd-MaN · June 2008

The file is not currently detected. This was probably a false positive which was in the meantime eliminated. Please update the signatures of you BitDefender installation. If the problem persists, please let us know.

Best regards.

Sal Khan · June 2008

The file is not currently detected. This was probably a false positive which was in the meantime eliminated. Please update the signatures of you BitDefender installation. If the problem persists, please let us know.

Best regards.

I ran an update for BD (IS 2008), restarted my computer, and attempted to open and manipulate a few different known image files that come up as infected and it still gave me the message saying it a virus was quarantined. So in other words: Nothing has changed.

Was I missing some sort of update not covered by the update that's run through the BD App?

Also, I ran the ComboFix App and here is the Log it generated:

ComboFix 08-06-20.4 - Someone 2008-06-23 13:37:41.1 - NTFSx86

Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1131 [GMT -7:00]

Running from: C:\Users\Someone\Desktop\ComboFix.exe

* Created a new restore point

* Resident AV is active

.

((((((((((((((((((((((((( Files Created from 2008-05-23 to 2008-06-23 )))))))))))))))))))))))))))))))

.

2008-06-19 11:15 . 2008-06-19 11:15 <DIR> d-------- C:\Program Files\Trend Micro

2008-06-18 13:12 . 2008-06-18 13:13 <DIR> d-------- C:\Program Files\QuickTime

2008-06-18 13:04 . 2008-06-18 13:04 <DIR> d-------- C:\Program Files\Opera

2008-06-13 05:55 . 2008-04-22 21:42 428,544 --a------ C:\Windows\System32\EncDec.dll

2008-06-13 05:55 . 2008-04-22 21:42 293,376 --a------ C:\Windows\System32\psisdecd.dll

2008-06-13 05:55 . 2008-04-22 21:41 218,624 --a------ C:\Windows\System32\psisrndr.ax

2008-06-13 05:55 . 2008-04-22 21:41 57,856 --a------ C:\Windows\System32\MSDvbNP.ax

2008-06-11 11:42 . 2008-06-11 19:44 <DIR> d-------- C:\Program Files\DAEMON Tools Lite

2008-06-11 11:33 . 2008-06-11 11:33 <DIR> d-------- C:\Users\Someone\AppData\Roaming\DAEMON Tools

2008-06-11 06:22 . 2008-04-24 19:12 1,383,424 --a------ C:\Windows\System32\mshtml.tlb

2008-06-11 06:22 . 2008-04-24 21:35 826,880 --a------ C:\Windows\System32\wininet.dll

2008-06-11 05:13 . 2008-05-09 18:33 113,664 --a------ C:\Windows\System32\drivers\rmcast.sys

2008-06-11 05:11 . 2008-04-26 01:08 1,314,816 --a------ C:\Windows\System32\quartz.dll

2008-06-06 02:26 . 2008-06-06 02:26 <DIR> d-------- C:\Program Files\IrfanView

2008-05-30 04:55 . 2008-05-30 04:55 <DIR> d-------- C:\Users\Someone\AppData\Roaming\Move Networks

2008-05-28 17:59 . 2008-05-28 17:59 <DIR> d-------- C:\Users\Someone\AppData\Roaming\Microsoft Office Mobile

2008-05-27 23:16 . 2008-06-23 13:25 12 --a------ C:\Windows\bthservsdp.dat

2008-05-27 15:10 . 2008-03-07 19:08 4,240,384 --a------ C:\Windows\System32\GameUXLegacyGDFs.dll

2008-05-27 15:10 . 2008-03-07 21:21 1,695,744 --a------ C:\Windows\System32\gameux.dll

2008-05-27 10:50 . 2008-05-27 10:50 90,112 --a------ C:\Windows\System32\QuickTimeVR.qtx

2008-05-27 10:50 . 2008-05-27 10:50 57,344 --a------ C:\Windows\System32\QuickTime.qts

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-06-23 20:24 --------- d-----w C:\Users\Someone\AppData\Roaming\uTorrent

2008-06-23 05:25 --------- d-----w C:\Program Files\Safari

2008-06-17 18:10 --------- d-----w C:\Users\Someone\AppData\Roaming\FileZilla

2008-06-13 13:16 --------- d-----w C:\Program Files\Windows Mail

2008-06-11 20:12 --------- d-----w C:\Users\Someone\AppData\Roaming\GARMIN

2008-06-11 18:34 717,296 ----a-w C:\Windows\system32\drivers\sptd.sys

2008-06-06 17:28 --------- d-----w C:\Program Files\DivX

2008-05-30 23:22 823,296 ----a-w C:\Windows\System32\divx_xx0c.dll

2008-05-30 23:22 823,296 ----a-w C:\Windows\System32\divx_xx07.dll

2008-05-30 23:22 815,104 ----a-w C:\Windows\System32\divx_xx0a.dll

2008-05-30 23:22 802,816 ----a-w C:\Windows\System32\divx_xx11.dll

2008-05-30 23:22 683,520 ----a-w C:\Windows\System32\DivX.dll

2008-05-30 23:22 593,920 ----a-w C:\Windows\System32\dpuGUI11.dll

2008-05-30 23:22 57,344 ----a-w C:\Windows\System32\dpv11.dll

2008-05-30 23:22 53,248 ----a-w C:\Windows\System32\dpuGUI10.dll

2008-05-30 23:22 344,064 ----a-w C:\Windows\System32\dpus11.dll

2008-05-30 23:22 294,912 ----a-w C:\Windows\System32\dpu11.dll

2008-05-30 23:22 294,912 ----a-w C:\Windows\System32\dpu10.dll

2008-05-23 13:24 --------- d-----w C:\Program Files\Microsoft Silverlight

2008-05-22 22:22 524,288 ----a-w C:\Windows\System32\DivXsm.exe

2008-05-22 22:22 3,596,288 ----a-w C:\Windows\System32\qt-dx331.dll

2008-05-22 22:20 200,704 ----a-w C:\Windows\System32\ssldivx.dll

2008-05-22 22:20 1,044,480 ----a-w C:\Windows\System32\libdivx.dll

2008-05-22 22:19 81,920 ----a-w C:\Windows\System32\dpl100.dll

2008-05-22 22:19 196,608 ----a-w C:\Windows\System32\dtu100.dll

2008-05-22 22:19 161,096 ----a-w C:\Windows\System32\DivXCodecVersionChecker.exe

2008-05-22 22:18 12,288 ----a-w C:\Windows\System32\DivXWMPExtType.dll

2008-05-18 19:41 --------- d-----w C:\ProgramData\Microsoft Help

2008-05-18 19:38 --------- d-----w C:\Program Files\MSBuild

2008-05-18 19:38 --------- d-----w C:\Program Files\Microsoft Works

2008-05-13 17:55 --------- d-----w C:\Program Files\Picasa2

2008-05-11 14:28 --------- d-----w C:\ProgramData\WinZip

2008-05-11 14:26 --------- d-----w C:\Program Files\Common Files\Ahead

2008-05-11 14:26 --------- d-----w C:\Program Files\Ahead

2008-05-07 02:19 --------- d-----w C:\Program Files\IM+ 4.56 for PocketPC

2008-05-05 05:19 --------- d-----w C:\Program Files\Free Audio Pack

2008-05-05 05:13 --------- d-----w C:\Users\Someone\AppData\Roaming\NCH Swift Sound

2008-05-05 05:13 --------- d-----w C:\Program Files\NCH Swift Sound

2008-05-03 06:47 --------- d-----w C:\ProgramData\NCH Swift Sound

2008-05-03 04:03 --------- d-----w C:\Users\Someone\AppData\Roaming\GetRightToGo

2008-05-02 12:59 122,368 ----a-w C:\Windows\system32\drivers\Rtlh86.sys

2008-05-01 17:56 --------- d-----w C:\ProgramData\Office Genuine Advantage

2008-05-01 04:39 --------- d-----w C:\ProgramData\InstalledPackages

2008-05-01 04:38 --------- d-----w C:\Program Files\Wireless Sync

2008-04-30 19:02 0 ---ha-w C:\Windows\system32\drivers\Msft_User_WpdRapi2_01_00_00.Wdf

2008-04-30 18:49 0 ---ha-w C:\Windows\system32\drivers\Msft_User_WpdRapi_01_00_00.Wdf

2008-04-25 03:36 --------- d-----w C:\Program Files\gallery2

2008-04-23 04:58 --------- d-----w C:\Program Files\Apple Software Update

2008-04-15 20:46 1,537,536 ----a-w C:\Program Files\siw.exe

2008-04-14 00:54 319,456 ----a-w C:\Windows\DIFxAPI.dll

2008-04-14 00:35 174 --sha-w C:\Program Files\desktop.ini

2008-04-13 23:55 82,432 ----a-w C:\Windows\System32\axaltocm.dll

2008-04-13 23:55 101,888 ----a-w C:\Windows\System32\ifxcardm.dll

2008-03-16 22:16 724,984 ----a-w C:\Users\Someone\gotomypc_437.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"TOSCDSPD"="TOSCDSPD.EXE" []

"Aim6"="" []

"AlcoholAutomount"="C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" [2007-12-22 00:20 222080]

"TomTomHOME.exe"="C:\Program Files\TomTom HOME 2\HOMERunner.exe" [ ]

"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2008-01-19 00:33 125952]

"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [2008-04-01 02:39 486856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RtHDVCpl"="RtHDVCpl.exe" [2007-08-09 19:26 4702208 C:\Windows\RtHDVCpl.exe]

"TPwrMain"="C:\Program Files\TOSHIBA\Power Saver\TPwrMain.EXE" [2007-03-29 10:39 411192]

"HSON"="C:\Program Files\TOSHIBA\TBS\HSON.exe" [2006-12-07 16:49 55416]

"SmoothView"="C:\Program Files\Toshiba\SmoothView\SmoothView.exe" [2007-06-15 21:01 448080]

"00TCrdMain"="C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe" [2007-05-22 16:32 538744]

"NDSTray.exe"="NDSTray.exe" []

"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 12:35 90112]

"BitDefender Antiphishing Helper"="C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe" [2007-10-09 16:46 61440]

"BDAgent"="C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe" [2008-06-09 08:32 360448]

"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 07:00 33648]

"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]

"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-12-06 19:12 1029416]

"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]

"Skytel"="Skytel.exe" [2007-08-03 13:22 1826816 C:\Windows\SkyTel.exe]

"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 10:50 413696]

"Windows Mobile Device Center"="C:\Windows\WindowsMobile\wmdc.exe" [2007-05-31 09:21 648072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2008-02-25 18:23 443968]

C:\Users\Someone\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

MagicDisc.lnk - C:\Program Files\MagicDisc\MagicDisc.exe [2008-02-09 22:32:39 557568]

OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2007-08-24 04:45:42 101784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"msacm.dvacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\vio\dvacm.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]

"AntiSpywareOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]

"{D311D56B-1CEC-4F59-89FE-401DD08B22B7}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes

"{1BB15376-723F-4F05-981B-FD8794D41B2C}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes

"{B83C060B-A173-4445-83CB-FDDC8B2D0ABF}"= UDP:C:\Program Files\Common Files\AOL\Loader\aolload.exe:AOL Loader

"{0872348F-7252-48B3-AF48-021095C12BBC}"= TCP:C:\Program Files\Common Files\AOL\Loader\aolload.exe:AOL Loader

"{D51300AB-72B0-49FE-AA7C-55CEDEE6BE14}"= UDP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger

"{AAE94964-3FF1-4025-BB85-8B94FA664D4C}"= TCP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger

"{1BBBCBB1-5477-4A56-954F-E49013EFC8FE}"= UDP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent

"{5BFD67DD-2523-4615-AD10-E0214C997E33}"= TCP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent

"{CC77E681-BB2F-428F-BADB-E6E4A9CCD28E}"= TCP:6004|C:\Program Files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook

"{4DDC9FB4-8C55-48C9-B9C6-11D02DB7C4B7}"= UDP:C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove

"{D7E88062-3ACF-445E-A4A3-42799E39DCE7}"= TCP:C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove

"{69764175-22D6-470A-943E-D82FC876C718}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote

"{7DC9820D-78F8-420C-897A-1A257E62C2B0}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote

"{94E9E0D7-8D0C-4545-BAB7-F1DF38189939}"= UDP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour

"{8A28C6FD-23D4-4839-AA8D-AB735D5D131C}"= TCP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour

"{6262E605-CCD9-4EC1-9AFF-BCE431D6C050}"= UDP:C:\Users\Someone\AppData\Roaming\Facebook\facebook.exe:Facebook

"{FB519924-BEEB-48FA-8F23-76F09DEFE178}"= TCP:C:\Users\Someone\AppData\Roaming\Facebook\facebook.exe:Facebook

"{FD9D7D31-2EF4-441C-92DA-91F190C8BF9A}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes

"{9D2CEB40-014C-4F88-9D95-23289DD48B9B}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes

"{D0C1E4D1-77AA-4029-BC73-4CA1FA518E11}"= UDP:5721:LocalSubnet:LocalSubnet|IF={36D6A040-4C02-4C21-AFA9-851ECDD2AE43}:@%systemroot%\WindowsMobile\wmdc.exe,-4002

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]

"C:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"= C:\TOSHIBA\ivp\NetInt\Netint.exe:*:Enabled:NIE - Toshiba Software Upgrades Engine

"C:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= C:\TOSHIBA\Ivp\ISM\pinger.exe:*:Enabled:Toshiba Software Upgrades Pinger

R0 AtiPcie;ATI PCI Express (3GIO) Filter;C:\Windows\system32\DRIVERS\AtiPcie.sys [2006-10-30 11:23]

R2 RapiMgr;Windows Mobile-based device connectivity;C:\Windows\system32\svchost.exe [2008-01-19 00:33]

R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 14:38]

R2 WcesComm;Windows Mobile-2003-based device connectivity;C:\Windows\system32\svchost.exe [2008-01-19 00:33]

R3 atikmdag;atikmdag;C:\Windows\system32\DRIVERS\atikmdag.sys [2007-07-27 23:36]

R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;C:\Windows\system32\DRIVERS\bdfndisf.sys [2008-02-13 10:54]

R3 FwLnk;FwLnk Driver;C:\Windows\system32\DRIVERS\FwLnk.sys [2006-11-19 23:11]

R3 RTL8187B;Realtek RTL8187B Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;C:\Windows\system32\DRIVERS\RTL8187B.sys [2008-03-18 10:02]

S3 winbondcir;Winbond IR Transceiver;C:\Windows\system32\DRIVERS\winbondcir.sys [2007-03-28 07:51]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

bdx REG_MULTI_SZ scan

WindowsMobile REG_MULTI_SZ wcescomm rapimgr

LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr

bthsvcs REG_MULTI_SZ BthServ

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ba635721-a1f9-11dc-b8c9-00a0d1880dd5}]

\shell\AutoRun\command - H:\InstallTomTomHOME.exe

*Newly Created Service* - CATCHME

.

Contents of the 'Scheduled Tasks' folder

"2008-06-23 16:49:16 C:\Windows\Tasks\User_Feed_Synchronization-{9E354B1C-535B-4DA1-964E-863686482802}.job"

- C:\Windows\system32\msfeedssync.exe

.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-06-23 13:42:04

Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

Completion time: 2008-06-23 13:44:38

ComboFix-quarantined-files.txt 2008-06-23 20:43:41

Pre-Run: 78,748,930,048 bytes free

Post-Run: 78,913,888,256 bytes free

196 --- E O F --- 2008-06-19 20:21:31

Hope that helps!

rootkit · June 2008

Please upload one of the infected file on http://www.virustotal.com/ and leave here the test link

(disable BD shield for a few second to do this)

Sal Khan · June 2008

Please upload one of the infected file on http://www.virustotal.com/ and leave here the test link

(disable BD shield for a few second to do this)

It came up clean, it seems. I tried to manipulate the photo to make sure the virus warning still popped up, and it did.

File 0622080941.jpg received on 06.30.2008 21:44:03 (CET)

Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED

Result: 0/33 (0%)

Loading server information...

Your file is queued in position: ___.

Estimated start time is between ___ and ___ .

Do not close the window until scan is complete.

The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.

If you are waiting for more than five minutes you have to resend your file.

Your file is being scanned by VirusTotal in this moment,

results will be shown as they're generated.

Compact Compact

Print results Print results

Your file has expired or does not exists.

Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.

You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished.

Email:

Antivirus Version Last Update Result

AhnLab-V3 2008.7.1.0 2008.06.30 -

AntiVir 7.8.0.59 2008.06.30 -

Authentium 5.1.0.4 2008.06.29 -

Avast 4.8.1195.0 2008.06.30 -

AVG 7.5.0.516 2008.06.30 -

BitDefender 7.2 2008.06.30 -

CAT-QuickHeal 9.50 2008.06.30 -

ClamAV 0.93.1 2008.06.30 -

DrWeb 4.44.0.09170 2008.06.30 -

eSafe 7.0.17.0 2008.06.30 -

eTrust-Vet 31.6.5914 2008.06.30 -

Ewido 4.0 2008.06.27 -

F-Prot 4.4.4.56 2008.06.29 -

F-Secure 7.60.13501.0 2008.06.26 -

Fortinet 3.14.0.0 2008.06.30 -

GData 2.0.7306.1023 2008.06.30 -

Ikarus T3.1.1.26.0 2008.06.30 -

Kaspersky 7.0.0.125 2008.06.30 -

McAfee 5328 2008.06.30 -

Microsoft 1.3704 2008.06.30 -

NOD32v2 3228 2008.06.30 -

Norman 5.80.02 2008.06.30 -

Panda 9.0.0.4 2008.06.30 -

Prevx1 V2 2008.06.30 -

Rising 20.51.02.00 2008.06.30 -

Sophos 4.30.0 2008.06.30 -

Sunbelt 3.0.1176.1 2008.06.26 -

Symantec 10 2008.06.30 -

TheHacker 6.2.96.364 2008.06.28 -

TrendMicro 8.700.0.1004 2008.06.30 -

VBA32 3.12.6.8 2008.06.30 -

VirusBuster 4.5.11.0 2008.06.30 -

Webwasher-Gateway 6.6.2 2008.06.30 -

Additional information

File size: 501658 bytes

MD5...: 4676302b0c45c7af7434e2580760b696

SHA1..: b55450d9299eeed8ec9e1c9eb3efce9410d097c3

SHA256: eea86ba3d649ea2bffbd020229ad33f111a0f4fcdeb4d9a779b82e73cf23ac94

SHA512: 917908377b07ad1d724f1f49d4b9371871d1b25353f41f000bd83ca7b6d48abb

7fd5762de684572c2d5100042ff3db8fbc20a05500ff6dc8b2ea7a4dd44da4ee

PEiD..: -

PEInfo: -

packers (F-Prot): appended

Sal Khan · July 2008

No luck yet?

So... No Dice?

Still does it. Phone is even updated to WM6.1 and BD Updates are frequent.

Exploit.win32.ms04-028.gen

Comments

All Time Leaders

Categories

Defenders of the month