Restored: C:\WINDOWS\system32\appmgmts.dll
Malware: 75.exe
—————————————————————————————————————————-
Detected by UnHackMe:
Item Name: APPMGMTS.DLL
Author: Unknown
Related File: C:\WINDOWS\SYSTEM32\APPMGMTS.DLL
Type: Infected System Files
The original APPMGMTS.DLL was successfully restored using RegRun Warrior from the Windows installation CD.
Removal Results: Success
Number of reboots: 1
—————————————————————————————————————————-
Classification:
| Antivirus | Version | Last Update | Result |
|---|---|---|---|
| F-Secure | 9.0.15370.0 | 2010.04.05 | Worm.Generic.229192 |
| Kaspersky | 7.0.0.125 | 2010.04.05 | Trojan-Downloader.Win32.Agent.daxa |
| Microsoft | 1.5605 | 2010.04.04 | TrojanDropper:Win32/Jadtre.B |
| NOD32 | 4999 | 2010.04.04 | Win32/AutoRun.AntiAV.T |
—————————————————————————————————————————-
Additional information
File size: 249344 bytes
MD5 : 47db988d2201cda76a4ffb072328320c
SHA1 : bdbc41a0351e7a3d8eac937086307715c630dda3
SHA256: b68e9fd2463c85e7ed20efd9602e0cbacac6225ae9432a977380fcf970abc115
—————————————————————————————————————————-
Installation
When the program is executed in the sandbox, it makes the registry and file-system changes listed below. Three of them matter most for cleanup: every Image File Execution Options key gets a Debugger value whose bytes 6E 74 73 64 20 2D 64 are the ASCII string "ntsd -d", so starting any of the listed security products launches the NT debugger (or fails where ntsd.exe is absent) instead of running the product normally; the SafeBoot\Minimal and SafeBoot\Network keys are deleted, so Windows can no longer boot into Safe Mode for disinfection; and the AppMgmt service, whose service DLL is appmgmts.dll, is switched from demand start (3) to automatic start (2), so the replaced DLL is loaded at every boot.
———————————-
Keys deleted:124
———————————-
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\AppMgmt
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\Base
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\Boot Bus Extender
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\Boot file system
/…/
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E97B-E325-11CE-BFC1-08002BE10318}
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E97D-E325-11CE-BFC1-08002BE10318}
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E980-E325-11CE-BFC1-08002BE10318}
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{71A27CDD-812A-11D0-BEC7-08002BE2092F}
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}
———————————-
Keys added:67
———————————-
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360hotfix.exe
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rp.exe
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rpt.exe
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safe.exe
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safebox.exe
/…/
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vsserv.exe
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zhudongfangyu.exe
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\?????ยค??.exe
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_FORTER
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_FORTER\0000
———————————-
Values deleted:122
———————————-
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}\: “Human Interface Devices”
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}\: “Volume”
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E980-E325-11CE-BFC1-08002BE10318}\: “Floppy disk drive”
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}\: “System”
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97B-E325-11CE-BFC1-08002BE10318}\: “SCSIAdapter”
/…/
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Boot file system\: “Driver Group”
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Boot Bus Extender\: “Driver Group”
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Base\: “Driver Group”
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\AppMgmt\: “Service”
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\AFD\: “Service”
———————————-
Values added:71
———————————-
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360hotfix.exe\Debugger: 6E 74 73 64 20 2D 64
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rp.exe\Debugger: 6E 74 73 64 20 2D 64
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rpt.exe\Debugger: 6E 74 73 64 20 2D 64
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safe.exe\Debugger: 6E 74 73 64 20 2D 64
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safebox.exe\Debugger: 6E 74 73 64 20 2D 64
/…/
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TMBMSRV.exe\Debugger: 6E 74 73 64 20 2D 64
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TmProxy.exe\Debugger: 6E 74 73 64 20 2D 64
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UfSeAgnt.exe\Debugger: 6E 74 73 64 20 2D 64
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vsserv.exe\Debugger: 6E 74 73 64 20 2D 64
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zhudongfangyu.exe\Debugger: 6E 74 73 64 20 2D 64
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_FORTER\0000\Service: “Forter”
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_FORTER\0000\Legacy: 0x00000001
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_FORTER\0000\ConfigFlags: 0x00000000
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_FORTER\0000\Class: “LegacyDriver”
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_FORTER\0000\ClassGUID: “{8ECC055D-047F-11D1-A537-0000F8753ED1}”
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_FORTER\0000\DeviceDesc: “Forter”
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_FORTER\NextInstance: 0x00000001
———————————-
Values modified:2
———————————-
(-) HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable: 0x00000001
(+) HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable: 0x00000000
(-) HKLM\System\CurrentControlSet\Services\AppMgmt\Start: 0x00000003
(+) HKLM\System\CurrentControlSet\Services\AppMgmt\Start: 0x00000002
———————————-
Files added:1
———————————-
C:\Documents and Settings\NetworkService\Favorites\Desktop.ini
———————————-
Files deleted:1
———————————-
C:\sand-box\75.exe
———————————-
Files [attributes?] modified:5
———————————-
C:\Documents and Settings\NetworkService\Cookies\index.dat
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat
C:\WINDOWS\system32\appmgmts.dll
———————————-
Folders added:1
———————————-
C:\Documents and Settings\NetworkService\Favorites
———————————-
Folders attributes changed:2
———————————-
C:\Documents and Settings\NetworkService\Local Settings\History
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files
———————————-
Total changes:396
———————————-
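The change log above is long and most of its entries are noise; what an analyst actually needs from it is the handful of defence-evasion and persistence tricks it records. The script below is an added example, not UnHackMe or RegRun code and not part of the original report. It parses a log written in the same "Section:count" plus entry-line format as the report, decodes the IFEO Debugger byte dumps (6E 74 73 64 20 2D 64 is ASCII "ntsd -d"), counts deleted SafeBoot keys, picks up new LEGACY_* driver entries and reports service Start changes by their SERVICE_* names. The sample log embedded in it is constructed for the example and reproduces only a few of the report's entries.

```python
"""Triage a RegRun/UnHackMe-style sandbox change log for the tricks seen in the
report above: IFEO Debugger hijacks, SafeBoot key deletion, a new legacy driver
entry and a service start-type change. Example code, not the tool's own."""
import re
from dataclasses import dataclass, field

IFEO_PREFIX = r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
SAFEBOOT_PREFIX = r"HKLM\System\CurrentControlSet\Control\SafeBoot"
LEGACY_PREFIX = r"HKLM\System\CurrentControlSet\Enum\Root\LEGACY_"
SERVICES_PREFIX = r"HKLM\System\CurrentControlSet\Services"

# Service start types as stored in the Start value (SERVICE_* constants).
START_TYPES = {0: "SERVICE_BOOT_START", 1: "SERVICE_SYSTEM_START",
               2: "SERVICE_AUTO_START", 3: "SERVICE_DEMAND_START", 4: "SERVICE_DISABLED"}

SECTION = re.compile(r"^([A-Za-z][A-Za-z ?\[\]]*):\s*(\d+)$")   # e.g. "Values added:71"
HEX_BYTES = re.compile(r"^(?:[0-9A-Fa-f]{2}(?: |$))+$")          # e.g. "6E 74 73 64 20 2D 64"

# Constructed sample in the report's format; only a few entries are reproduced.
SAMPLE_LOG = r"""
Keys deleted:3
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\AppMgmt
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\Base
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Base
Keys added:2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safe.exe
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_FORTER
Values added:3
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safe.exe\Debugger: 6E 74 73 64 20 2D 64
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vsserv.exe\Debugger: 6E 74 73 64 20 2D 64
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_FORTER\0000\Service: "Forter"
Values modified:2
(-) HKLM\System\CurrentControlSet\Services\AppMgmt\Start: 0x00000003
(+) HKLM\System\CurrentControlSet\Services\AppMgmt\Start: 0x00000002
"""


@dataclass
class Report:
    ifeo_hijacks: dict = field(default_factory=dict)        # exe -> debugger command line
    safeboot_keys_deleted: int = 0
    legacy_services: list = field(default_factory=list)     # names after LEGACY_
    service_start_changes: dict = field(default_factory=dict)  # service -> (old, new)


def decode_value(raw: str):
    """Decode a value as the log prints it: quoted string, DWORD, or hex byte dump."""
    raw = raw.strip()
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return raw[1:-1]
    if raw.lower().startswith("0x"):
        return int(raw, 16)
    if HEX_BYTES.match(raw):
        # A REG_SZ shown as bytes: the ASCII text is the string the loader will run.
        return bytes.fromhex(raw).decode("latin-1").rstrip("\x00")
    return raw


def split_value_line(line: str):
    """'key\\Name: data' -> (key, name, data); the last backslash separates the name."""
    path, _, data = line.partition(": ")
    key, _, name = path.rpartition("\\")
    return key, name, data


def start_type_name(value: int) -> str:
    return START_TYPES.get(value, "unknown(%d)" % value)


def triage_log(text: str) -> Report:
    report = Report()
    section = None
    pending_start = {}  # service -> old Start value from the matching "(-)" line
    for line in text.splitlines():
        m = SECTION.match(line)
        if m:
            section = m.group(1)
            continue
        if section == "Keys deleted" and line.startswith(SAFEBOOT_PREFIX):
            report.safeboot_keys_deleted += 1
        elif section == "Keys added" and line.startswith(LEGACY_PREFIX):
            name = line[len(LEGACY_PREFIX):].split("\\", 1)[0]
            if name not in report.legacy_services:
                report.legacy_services.append(name)
        elif section == "Values added" and line.startswith(IFEO_PREFIX):
            key, name, data = split_value_line(line)
            if name.lower() == "debugger":
                report.ifeo_hijacks[key[len(IFEO_PREFIX) + 1:]] = decode_value(data)
        elif section == "Values modified" and line[:4] in ("(-) ", "(+) "):
            key, name, data = split_value_line(line[4:])
            if key.startswith(SERVICES_PREFIX) and name == "Start":
                svc = key[len(SERVICES_PREFIX) + 1:]
                if line.startswith("(-)"):
                    pending_start[svc] = decode_value(data)
                elif svc in pending_start:
                    report.service_start_changes[svc] = (pending_start.pop(svc), decode_value(data))
    return report


def findings(report: Report) -> list:
    out = []
    for exe, dbg in sorted(report.ifeo_hijacks.items()):
        out.append("IFEO hijack: launching %s runs '%s' instead" % (exe, dbg))
    if report.safeboot_keys_deleted:
        out.append("%d SafeBoot keys deleted: Safe Mode will not boot" % report.safeboot_keys_deleted)
    for name in report.legacy_services:
        out.append("new legacy driver entry LEGACY_%s" % name)
    for svc, (old, new) in report.service_start_changes.items():
        out.append("service %s start %s -> %s" % (svc, start_type_name(old), start_type_name(new)))
    return out


if __name__ == "__main__":
    for item in findings(triage_log(SAMPLE_LOG)):
        print(item)
```

Feed it the full log from a real run and the IFEO list alone tells you which products the dropper is targeting; an "ntsd -d" (or any unexpected) Debugger value on a security product is reason enough to treat the host as compromised even before the dropped DLL is examined.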
—————————————————————————————————————————-
Recommended software:
UnHackMe anti-rootkit and anti-malware
http://www.unhackme.com
RegRun Security Suite (Good choice for removal and protection)
http://www.regrun.com