Visible signs.
O23 - Service: CbEvtSvc - Unknown owner - C:\WINDOWS\System32\CbEvtSvc.exe (HijackThis log line)
Several files are downloaded onto the PC once the CbEvtSvc service is running.
______________________________
filename: inst601.exe
Kaspersky: Trojan-Dropper.Win32.Agent.uax (Srizbi rootkit)
filename: pre17078.exe
Driver: mickey32.sys
Kaspersky: Trojan-Downloader.Win32.Mutant.aoy
filename: Crack_20091rt.exe
File Crack_20091rt.exe received on 09.21.2008 18:47:07 (CET)
Engine  Version  Last update  Result (- = not detected)
AhnLab-V3 2008.9.19.2 2008.09.19 -
AntiVir 7.8.1.34 2008.09.21 -
Authentium 5.1.0.4 2008.09.21 -
Avast 4.8.1195.0 2008.09.20 -
AVG 8.0.0.161 2008.09.21 -
BitDefender 7.2 2008.09.21 -
CAT-QuickHeal 9.50 2008.09.20 (Suspicious) - DNAScan
ClamAV 0.93.1 2008.09.21 -
DrWeb 4.44.0.09170 2008.09.21 -
eSafe 7.0.17.0 2008.09.21 Suspicious File
eTrust-Vet 31.6.6098 2008.09.21 -
Ewido 4.0 2008.09.21 -
F-Prot 4.4.4.56 2008.09.21 -
F-Secure 8.0.14332.0 2008.09.21 -
Fortinet 3.113.0.0 2008.09.21 -
GData 19 2008.09.21 -
Ikarus T3.1.1.34.0 2008.09.21 -
K7AntiVirus 7.10.466 2008.09.20 -
Kaspersky 7.0.0.125 2008.09.21 -
McAfee 5388 2008.09.19 -
Microsoft 1.3903 2008.09.21 -
NOD32v2 3458 2008.09.21 -
Norman 5.80.02 2008.09.19 -
Panda 9.0.0.4 2008.09.21 -
PCTools 4.4.2.0 2008.09.21 -
Prevx1 V2 2008.09.21 -
Rising 20.62.62.00 2008.09.21 -
Sophos 4.33.0 2008.09.21 -
Sunbelt 3.1.1653.1 2008.09.20 -
Symantec 10 2008.09.21 -
TheHacker 6.3.0.9.090 2008.09.20 -
TrendMicro 8.700.0.1004 2008.09.20 -
VBA32 3.12.8.5 2008.09.20 -
ViRobot 2008.9.20.1385 2008.09.20 -
VirusBuster 4.5.11.0 2008.09.21 -
Webwasher-Gateway 6.6.2 2008.09.21 -
Kaspersky: Backdoor.Win32.Frauder.hb
Desktop wallpaper.
Fake antivirus suite: Antivirus XP 2008.
filename: outpuk27.exe
File outpuk27.exe received on 09.21.2008 18:47:36 (CET)
Engine  Version  Last update  Result (- = not detected)
AhnLab-V3 2008.9.19.2 2008.09.19 -
AntiVir 7.8.1.34 2008.09.21 TR/Crypt.XPACK.Gen
Authentium 5.1.0.4 2008.09.21 -
Avast 4.8.1195.0 2008.09.20 -
AVG 8.0.0.161 2008.09.21 -
BitDefender 7.2 2008.09.21 Trojan.Peed.Gen
CAT-QuickHeal 9.50 2008.09.20 -
ClamAV 0.93.1 2008.09.21 -
DrWeb 4.44.0.09170 2008.09.21 -
eSafe 7.0.17.0 2008.09.21 Suspicious File
eTrust-Vet 31.6.6098 2008.09.21 -
Ewido 4.0 2008.09.21 -
F-Prot 4.4.4.56 2008.09.21 -
F-Secure 8.0.14332.0 2008.09.21 -
Fortinet 3.113.0.0 2008.09.21 -
GData 19 2008.09.21 -
Ikarus T3.1.1.34.0 2008.09.21 -
K7AntiVirus 7.10.466 2008.09.20 -
Kaspersky 7.0.0.125 2008.09.21 -
McAfee 5388 2008.09.19 -
Microsoft 1.3903 2008.09.21 -
NOD32v2 3458 2008.09.21 a variant of Win32/Spy.Agent.PZ
Norman 5.80.02 2008.09.19 -
Panda 9.0.0.4 2008.09.21 -
PCTools 4.4.2.0 2008.09.21 -
Prevx1 V2 2008.09.21 -
Rising 20.62.62.00 2008.09.21 -
Sophos 4.33.0 2008.09.21 -
Sunbelt 3.1.1653.1 2008.09.20 -
Symantec 10 2008.09.21 -
TheHacker 6.3.0.9.090 2008.09.20 -
TrendMicro 8.700.0.1004 2008.09.20 -
VBA32 3.12.8.5 2008.09.20 suspected of MalwareScope.Worm.Nuwar-Glowa.1 (paranoid heuristics)
ViRobot 2008.9.20.1385 2008.09.20 -
VirusBuster 4.5.11.0 2008.09.21 -
Webwasher-Gateway 6.6.2 2008.09.21 Trojan.Crypt.XPACK.Gen
Kaspersky: Trojan.Win32.Agent.aehb
Files added:
c:\Program Files\Internet Explorer\setupapi.dll
Date: 9/21/2008 7:16 PM
Size: 52,736 bytes
Note:
%ProgramFiles%\Internet Explorer\setupapi.dll loads into the Internet Explorer process. Do not confuse it with c:\windows\system32\setupapi.dll, which is the legitimate file. The way this malware gets loaded is a "smart" one: although you will not find any load point for %ProgramFiles%\Internet Explorer\setupapi.dll in the registry, the DLL is loaded into iexplore.exe every time you launch the program, even after a reboot. Why? Every executable loads its own set of DLLs, and c:\windows\system32\setupapi.dll is one of those loaded by Internet Explorer. Here comes the interesting part: when a program asks for a DLL by bare name (no full path), Windows looks for it first in the folder the executable was started from, then in the system folder (%SystemRoot%\system32), the Windows folder (%SystemRoot%), the current working directory, and finally the folders listed in the %PATH% variable (usually %SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem). Since iexplore.exe finds a setupapi.dll in its own folder, it uses that copy and never reaches the legitimate one in system32. This technique is known as DLL search-order hijacking. Two caveats: it does not work for libraries listed under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs, which are always mapped from the system folder, and the planted copy has to provide (or forward to the real file) the exports the host process calls, otherwise the host breaks. To confirm a case like this, compare the hash and Authenticode signature of the copy in the Internet Explorer folder with the one in system32, and list the modules loaded in iexplore.exe (for example with Process Explorer) to see which path is actually mapped.
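The search order described above, and the check that follows from it, as an added example (not code from the original post): a small model of the Windows loader's search order with SafeDllSearchMode on, and a scan that flags DLLs in an application folder that shadow a copy in System32. The directory tree, file contents and the KnownDLLs subset are constructed for the demonstration, not read from a real host; on a live or mounted system you would point find_shadowing_dlls() at the real folders instead.

```python
"""Model of the Windows DLL search order (SafeDllSearchMode on) plus a scan
for DLLs planted in an application folder that shadow a System32 copy.
Added example, not from the original post; build_demo_tree() constructs a
dummy layout mirroring the setupapi.dll case."""
import hashlib
import tempfile
from pathlib import Path

# Illustrative subset of KnownDLLs (assumed, not read from a registry hive):
# these are always mapped from the system folder, so a planted copy is ignored.
DEFAULT_KNOWN_DLLS = {"ntdll.dll", "kernel32.dll", "user32.dll",
                      "gdi32.dll", "advapi32.dll"}


def dll_search_order(app_dir, cwd, system_dir, windows_dir, path_dirs):
    """Folders the loader consults, in order, for a DLL requested by bare name:
    the executable's folder, System32, the 16-bit System folder, the Windows
    folder, the current directory, then each %PATH% entry."""
    return ([Path(app_dir), Path(system_dir), Path(windows_dir) / "System",
             Path(windows_dir), Path(cwd)] + [Path(p) for p in path_dirs])


def resolve_dll(name, order, system_dir, known_dlls=DEFAULT_KNOWN_DLLS):
    """Path the loader would map for `name`, or None. Known DLLs skip the
    search and always come from the system folder."""
    if name.lower() in known_dlls:
        candidate = Path(system_dir) / name
        return candidate if candidate.is_file() else None
    for folder in order:
        candidate = folder / name
        if candidate.is_file():
            return candidate
    return None


def sha256_of(path):
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_shadowing_dlls(app_dir, system_dir, known_dlls=DEFAULT_KNOWN_DLLS):
    """DLLs in app_dir whose name also exists in system_dir. 'differs' means
    the two copies hash differently (the hijack pattern); 'bypassed_by_knowndlls'
    marks planted copies the loader would never use anyway."""
    system_names = {p.name.lower(): p for p in Path(system_dir).glob("*.dll")}
    findings = []
    for dll in sorted(Path(app_dir).glob("*.dll")):
        sys_copy = system_names.get(dll.name.lower())
        if sys_copy is None:
            continue
        findings.append({
            "name": dll.name,
            "app_path": str(dll),
            "system_path": str(sys_copy),
            "differs": sha256_of(dll) != sha256_of(sys_copy),
            "bypassed_by_knowndlls": dll.name.lower() in known_dlls,
        })
    return findings


def build_demo_tree(root):
    """Constructed layout: a planted setupapi.dll beside iexplore.exe and the
    legitimate one in System32 (file contents are dummies)."""
    root = Path(root)
    system_dir = root / "Windows" / "System32"
    app_dir = root / "Program Files" / "Internet Explorer"
    for folder in (system_dir, app_dir, root / "Windows" / "System"):
        folder.mkdir(parents=True, exist_ok=True)
    (system_dir / "setupapi.dll").write_bytes(b"legitimate setupapi")
    (system_dir / "kernel32.dll").write_bytes(b"legitimate kernel32")
    (app_dir / "setupapi.dll").write_bytes(b"planted setupapi")  # effective hijack
    (app_dir / "kernel32.dll").write_bytes(b"planted kernel32")  # ignored: known DLL
    (app_dir / "iexplore.exe").write_bytes(b"MZ")
    return app_dir, system_dir, root / "Windows"


def run_demo():
    """Build the tree, resolve both DLLs as iexplore.exe would, then scan."""
    with tempfile.TemporaryDirectory() as tmp:
        app_dir, system_dir, windows_dir = build_demo_tree(tmp)
        order = dll_search_order(app_dir, cwd=tmp, system_dir=system_dir,
                                 windows_dir=windows_dir,
                                 path_dirs=[system_dir, windows_dir,
                                            system_dir / "Wbem"])
        setupapi = resolve_dll("setupapi.dll", order, system_dir)
        kernel32 = resolve_dll("kernel32.dll", order, system_dir)
        findings = find_shadowing_dlls(app_dir, system_dir)
        return {
            "setupapi_from_app_dir": setupapi.parent == app_dir,
            "kernel32_from_system": kernel32.parent == system_dir,
            "effective_hijacks": [f["name"] for f in findings
                                  if f["differs"] and not f["bypassed_by_knowndlls"]],
            "findings": findings,
        }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

The resolver shows why the planted setupapi.dll wins (the executable's folder is searched before System32) while a planted kernel32.dll would not (it is a known DLL); the scanner turns that into a check you can run over any application folder, with the hash comparison separating a genuine hijack from a harmless duplicate copy.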
filename: ccnd.exe
Kaspersky: Trojan.Win32.Pakes.kls
Note: another version of C:\WINDOWS\System32\CbEvtSvc.exe (the service binary listed above).