need help w/ hard to kill trojan

yettyn

New member
Hi, find HJT and KOS logs below; I have taken all the steps given in the sticky post :angel:

I need help to complete and clean up a partly successful struggle with a nasty trojan that has bloggers me since Friday night. I think it was some kind of Bagle that suddenly made me sober, as it blocked my avast and ad-aware programs, loaded some srosa.sys driver, and created a dir named down in system32, populated with exe files with numbers as file names. It also created and started the files winterm.exe and hldrrr.exe, and apart from this it was not possible to run HJT or reboot into safe mode (the computer just rebooted).

To make a long story short, I am a geek and tried to fix this on my own (which I of course shouldn't have done, wiser now), running different online scanners which detected this and led me on track but of course asked for my money before fixing it :mad:, but I finally came across ComboFix, which at first seemed to have fixed it.

Then I found Spybot, which alerted me that I was infected with Win32.Agent.bgy and Win32.Bagle.hi, and although I clean them out in Safe Mode and run Spybot again when booting into normal mode, coming up clean, I then get an error message saying "[256] Detected debugger running, please close etc" which goes away by itself, and when I then run Spybot again after the system has completed booting the same Agent.bgy and Bagle.hi are detected. I looked around and have figured out that the trojan maybe was wrapped with Themida or something like that.

Anyhow, here are my logs as I stand now. Spybot is still open w/o fixing the detected infections, and the same with HJT.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:24:36, on 19/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Paradigma Software\Bonjour\mDNSResponder.exe
C:\Program Files\CVSNT\cvslock.exe
C:\Program Files\CVSNT\cvsservice.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\VMware\VMware Workstation\vmware-tray.exe
C:\Program Files\VMware\VMware Workstation\hqtray.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: (no name) - {E24AD748-155E-4254-B674-4EDF86E7E1DF} - (no file)
O2 - BHO: Microsoft Web Test Recorder 9.0 Helper - {E31CE47F-C268-41ba-897B-B415E613947D} - C:\Program Files\Microsoft Visual Studio 9.0\Common7\IDE\PrivateAssemblies\Microsoft.VisualStudio.QualityTools.RecorderBarBHO90.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [vmware-tray] C:\Program Files\VMware\VMware Workstation\vmware-tray.exe
O4 - HKLM\..\Run: [VMware hqtray] "C:\Program Files\VMware\VMware Workstation\hqtray.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: SpeedFan.lnk.disabled
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Acrobat Assistant.lnk.disabled
O4 - Global Startup: Dispatcher.lnk.disabled
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.astrocalc.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1189011463281
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O17 - HKLM\System\CCS\Services\Tcpip\..\{AB6B7C91-5A89-46B0-83B7-4A6328408ED3}: NameServer = 213.226.224.12,213.226.224.66
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Paradigma Software\Bonjour\mDNSResponder.exe
O23 - Service: CVSNT Locking Service 2.5.03.2382 (cvslock) - Unknown owner - C:\Program Files\CVSNT\cvslock.exe
O23 - Service: CVSNT Dispatch service 2.5.03.2382 (cvsnt) - March Hare Software Ltd - C:\Program Files\CVSNT\cvsservice.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: VMware Agent Service (ufad-ws60) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-ufad.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe

--
End of file - 9655 bytes

The virus scan took almost freaking 20h and the report is massive, so I cleaned out everything except the detected infections.

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, February 19, 2008 10:54:31 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 18/02/2008
Kaspersky Anti-Virus database records: 570665
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
H:\
J:\

Scan Statistics:
Total number of scanned objects: 586273
Number of viruses found: 6
Number of infected objects: 15
Number of suspicious objects: 0
Duration of the scan process: 19:56:09

Infected Object Name / Virus Name / Last Action
...
C:\Documents and Settings\Joakim\My Documents\Downloads\Stardock SkinStudio Professional\SkinStudio5_Pro.exe/data0000.cab/devenv.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.ks skipped
C:\Documents and Settings\Joakim\My Documents\Downloads\Stardock SkinStudio Professional \SkinStudio5_Pro.exe/data0000.cab Infected: not-a-virus:AdWare.Win32.Virtumonde.ks skipped
C:\Documents and Settings\Joakim\My Documents\Downloads\Stardock SkinStudio Professional\SkinStudio5_Pro.exe Rsrc-Package: infected - 2 skipped
C:\Old F\dl\SQLDiff\digf287a.zip/runme.zip/runme.exe Infected: Trojan.Win32.Dialer.oi skipped
C:\Old F\dl\SQLDiff\digf287a.zip/runme.zip Infected: Trojan.Win32.Dialer.oi skipped
C:\Old F\dl\SQLDiff\digf287a.zip ZIP: infected - 2 skipped
C:\Old G\dlfiles\flashget\fgf140.exe/WISE0018.BIN/cd_clint.dll Infected: not-a-virus:AdWare.Win32.Cydoor skipped
C:\Old G\dlfiles\flashget\fgf140.exe/WISE0018.BIN Infected: not-a-virus:AdWare.Win32.Cydoor skipped
C:\Old G\dlfiles\flashget\fgf140.exe WiseSFX: infected - 2 skipped
C:\Old G\dlfiles\MailThem\igmsetup.exe/AJJ.EXE Infected: not-a-virus:AdWare.Win32.Aureate.d skipped
C:\Old G\dlfiles\MailThem\igmsetup.exe ZIP: infected - 1 skipped
C:\Old G\dlfiles\MailThem\igmsetup.exe WiseSFXDropper: infected - 1 skipped
C:\reggapps\Unisuite\hz-utx01.exe/run.exe Infected: Trojan-Downloader.Win32.Harnig.bg skipped
C:\reggapps\Unisuite\hz-utx01.exe ZIP: infected - 1 skipped
C:\WINDOWS\system32\drivers\SROSA.SYS.del Infected: Trojan-Downloader.Win32.Bagle.iw skipped
...
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

Now I touch nothing before I get instructions :santa:
 
HI

Hijackthis only has a couple of orphan reg keys to remove:-

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {E24AD748-155E-4254-B674-4EDF86E7E1DF} - (no file)

Do you really need this in your trusted sites?

O15 - Trusted Zone: *.astrocalc.com

You do realise that putting any site in here is like giving a stranger the keys to your house; it can run anything on your computer without informing you.

RE: KAV scan log ....

It looks like you have been downloading cracked programs; these nearly always come with a "little extra".

C:\Documents and Settings\Joakim\My Documents\Downloads\Stardock SkinStudio Professional\SkinStudio5_Pro.exe ... Infected with AdWare.Win32.Virtumonde.ks

-
C:\Old F\dl\SQLDiff\digf287a.zip/runme.zip/runme.exe Infected: Trojan.Win32.Dialer.oi skipped
C:\Old F\dl\SQLDiff\digf287a.zip/runme.zip Infected: Trojan.Win32.Dialer.oi skipped

This could be a legit dialer ... or a porn dialer ... if you don't know what it is, get the file checked out here :-

http://www.virustotal.com/flash/index_en.html

or just delete it.

-
C:\Old G\dlfiles\flashget\fgf140.exe

AdWare.Win32.Cydoor ... more adware - delete it

-
C:\Old G\dlfiles\MailThem\igmsetup.exe

& more to delete ... Win32.Aureate.d

-
C:\reggapps\Unisuite\hz-utx01.exe

Trojan-Downloader.Win32.Harnig.bg .. delete

-
C:\WINDOWS\system32\drivers\SROSA.SYS.del ... Infected: Trojan-Downloader.Win32.Bagle.iw skipped

delete this ...

-------
Run spybot again & post the log ...

THEN ...

Please follow these instructions for running Combofix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

1. When finished, it will produce a logfile located at C:\ComboFix.txt.
2. Post the contents of that log in your next reply with a new hijackthis log.

Notes:
* Do not mouseclick combofix's window while it is running. That may cause your system to stall/hang.
* Disable script blocking if you have NAV installed so it will not interfere with the fix. Trojan Hunter has been reported to detect combofix as Worm.Qiv.100.

Please remember to post :-


1. Spybot log
2. C:\ComboFix.txt


steam
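The triage steam does by eye above (orphaned O2 BHO keys, the O15 Trusted Zone entry, targets marked "(file missing)", and an O16 DPF entry with no download target) can be scripted against a HijackThis log. This is an added example, not a tool from the thread; the sample lines are copied from the log posted above, and the category names are this example's own.

```python
"""Triage the Rxx/Oxx lines of a HijackThis log (added example)."""
import re
from dataclasses import dataclass

# Constructed sample: a subset of the HJT log posted in the thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {E24AD748-155E-4254-B674-4EDF86E7E1DF} - (no file)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe (file missing)
O15 - Trusted Zone: *.astrocalc.com
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""


@dataclass(frozen=True)
class Entry:
    section: str  # HJT section, e.g. "O2", "O15"
    body: str     # everything after "Oxx - "


@dataclass(frozen=True)
class Finding:
    kind: str     # category (names are this example's own)
    entry: Entry
    detail: str   # the identifier worth acting on: CLSID, domain or path


HJT_LINE = re.compile(r"^([RO]\d+) - (.*)$")
CLSID = re.compile(r"\{[0-9A-Fa-f-]{36}\}")


def parse_hjt(text: str) -> list:
    """Return the Rxx/Oxx entries; header and process-list lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2).strip()))
    return entries


def triage(entries: list) -> list:
    """Flag the entry types steam calls out in the thread."""
    findings = []
    for e in entries:
        clsid = CLSID.search(e.body)
        ident = clsid.group(0) if clsid else e.body
        if e.section == "O2" and e.body.endswith("(no file)"):
            # BHO registered but its DLL is gone: orphaned key, safe to remove
            findings.append(Finding("orphan_bho", e, ident))
        elif e.section == "O15" and e.body.startswith("Trusted Zone:"):
            # Anything in the Trusted Zone runs with relaxed IE security
            findings.append(Finding("trusted_zone", e, e.body.split(":", 1)[1].strip()))
        elif e.body.endswith("(file missing)"):
            path = e.body.rsplit(" - ", 1)[-1].removesuffix("(file missing)").strip()
            findings.append(Finding("file_missing", e, path))
        elif e.section == "O16" and e.body.endswith("-"):
            # Downloaded Program File entry with no target left behind it
            findings.append(Finding("dpf_no_target", e, ident))
    return findings


def summarize(findings: list) -> dict:
    """Count findings per category, for a quick overview of the log."""
    counts = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{f.kind:14} {f.entry.section:4} {f.detail}")
```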
 
Thanks for finally coming to my assistance, I was just about to enter the waiting room ;-)

I will do as you said... but first, it's correct I have downloaded cracked programs, but it's not quite how it looks... can I pm you with some details I don't like to be publicly visible, which also would help to solve this case?

/Y
 
Sorry for the delay, I've just been working on the older posts, everyone who posted more than 4 days ago has now received a reply I'm happy to say :)

Sure, please feel free to send me a PM :)

steam
 
All virus junk was deleted right away, in fact it was mostly old stuff taking up HDD space anyway - I must get myself a smaller HDD to become less lazy :red: I am pretty sure my infection didn't come from there anyhow, as I know where and when I got it. My Avast was taken by surprise, but in fact only 2 of 32 scanners at Jotti and viruscontrol did catch it when I sent up the infecting file.

As I said in my pm, I became a bit too restless after waiting for 2 days and took some steps to gather more information, both regarding the threat and what was going on inside my computer. For instance, I have run Spybot several times and it basically goes around in circles. So I post several logs to give you proper information, basically the very first one and the last.

I have cleaned out tracking cookies, and also, the Partizan item below I am pretty sure is a false positive, as it belongs to RegRun, which I at least think is a legitimate anti-malware program?

17.02.2008 22:02:33 - ##### check started #####
17.02.2008 22:02:33 - ### Version: 1.5.2
17.02.2008 22:02:33 - ### Date: 17/02/2008 22:02:33
17.02.2008 22:02:34 - ##### checking bots #####
17.02.2008 22:10:20 - found: Microsoft.WindowsSecurityCenter.AntiVirusOverride Settings
17.02.2008 22:17:01 - found: Win32.Agent.bgy Settings
17.02.2008 22:17:11 - found: Win32.Bagle.hi Settings
17.02.2008 22:17:11 - found: Win32.Bagle.hi Program directory
17.02.2008 22:17:48 - found: Win32.VB.jl Settings
17.02.2008 22:17:49 - found: Win32.VB.jl Settings
17.02.2008 22:21:57 - ##### check finished #####


--- Report generated: 2008-02-17 22:21 ---

Microsoft.WindowsSecurityCenter.AntiVirusOverride: [SBI $3604910C] Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusOverride

Win32.Agent.bgy: [SBI $3FF5579E] Settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1482476501-507921405-725345543-1003\Software\FirstRRRun

Win32.Bagle.hi: [SBI $FF44CCD9] Settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1482476501-507921405-725345543-1003\Software\ts

Win32.Bagle.hi: [SBI $37536BC2] Program directory (Directory, nothing done)
C:\WINDOWS\system32\drivers\down\

Win32.VB.jl: [SBI $4A7DE52E] Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Partizan

Win32.VB.jl: [SBI $3C98DC13] Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Partizan


--- Spybot - Search & Destroy version: 1.5.2 (build: 20080128) ---

2008-01-28 blindman.exe (1.0.0.7)
2008-01-28 SDDelFile.exe (1.0.2.4)
2008-01-28 SDMain.exe (1.0.0.5)
2007-10-07 SDShred.exe (1.0.1.2)
2008-01-28 SDUpdate.exe (1.0.8.8)
2008-01-28 SDWinSec.exe (1.0.0.11)
2008-01-28 SpybotSD.exe (1.5.2.20)
2008-01-28 TeaTimer.exe (1.5.2.16)
2008-02-17 unins000.exe (51.49.0.0)
2008-01-28 Update.exe (1.4.0.6)
2008-01-28 advcheck.dll (1.5.4.5)
2007-04-02 aports.dll (2.1.0.0)
2007-11-17 DelZip179.dll (1.79.7.4)
2008-01-28 SDFiles.dll (1.5.1.19)
2008-01-28 SDHelper.dll (1.5.0.11)
2008-01-28 Tools.dll (2.1.3.3)
2008-02-13 Includes\Cookies.sbi (*)
2007-12-26 Includes\Dialer.sbi (*)
2008-02-13 Includes\DialerC.sbi (*)
2008-02-13 Includes\HeavyDuty.sbi (*)
2008-02-13 Includes\Hijackers.sbi (*)
2008-02-13 Includes\HijackersC.sbi (*)
2008-02-13 Includes\Keyloggers.sbi (*)
2008-02-13 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2008-02-13 Includes\Malware.sbi (*)
2008-02-13 Includes\MalwareC.sbi (*)
2007-10-24 Includes\PUPS.sbi (*)
2008-02-13 Includes\PUPSC.sbi (*)
2008-02-13 Includes\Revision.sbi (*)
2008-01-09 Includes\Security.sbi (*)
2008-02-13 Includes\SecurityC.sbi (*)
2008-02-13 Includes\Spybots.sbi (*)
2008-02-13 Includes\SpybotsC.sbi (*)
2007-11-06 Includes\Tracks.uti
2008-02-13 Includes\Trojans.sbi (*)
2008-02-13 Includes\TrojansC.sbi (*)
2007-12-24 Plugins\TCPIPAddress.dll

This first pass was done in safe mode I think, then I booted normal and ran again to get this:

17.02.2008 22:34:16 - ##### check started #####
17.02.2008 22:34:16 - ### Version: 1.5.2
17.02.2008 22:34:16 - ### Date: 17/02/2008 22:34:16
17.02.2008 22:34:17 - ##### checking bots #####
17.02.2008 22:47:10 - found: Win32.Agent.bgy Settings
17.02.2008 22:47:19 - found: Win32.Bagle.hi Program directory
17.02.2008 22:51:53 - ##### check finished #####

--- Report generated: 2008-02-17 22:53 ---

Win32.Agent.bgy: [SBI $3FF5579E] Settings (Registry key, fixed)
HKEY_USERS\S-1-5-21-1482476501-507921405-725345543-1003\Software\FirstRRRun

Win32.Bagle.hi: [SBI $37536BC2] Program directory (Directory, fixed)
C:\WINDOWS\system32\drivers\down\


--- Spybot - Search & Destroy version: 1.5.2 (build: 20080128) ---

2008-01-28 blindman.exe (1.0.0.7)
2008-01-28 SDDelFile.exe (1.0.2.4)
2008-01-28 SDMain.exe (1.0.0.5)
2007-10-07 SDShred.exe (1.0.1.2)
2008-01-28 SDUpdate.exe (1.0.8.8)
2008-01-28 SDWinSec.exe (1.0.0.11)
2008-01-28 SpybotSD.exe (1.5.2.20)
2008-01-28 TeaTimer.exe (1.5.2.16)
2008-02-17 unins000.exe (51.49.0.0)
2008-01-28 Update.exe (1.4.0.6)
2008-01-28 advcheck.dll (1.5.4.5)
2007-04-02 aports.dll (2.1.0.0)
2007-11-17 DelZip179.dll (1.79.7.4)
2008-01-28 SDFiles.dll (1.5.1.19)
2008-01-28 SDHelper.dll (1.5.0.11)
2008-01-28 Tools.dll (2.1.3.3)
2008-02-13 Includes\Cookies.sbi (*)
2007-12-26 Includes\Dialer.sbi (*)
2008-02-13 Includes\DialerC.sbi (*)
2008-02-13 Includes\HeavyDuty.sbi (*)
2008-02-13 Includes\Hijackers.sbi (*)
2008-02-13 Includes\HijackersC.sbi (*)
2008-02-13 Includes\Keyloggers.sbi (*)
2008-02-13 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2008-02-13 Includes\Malware.sbi (*)
2008-02-13 Includes\MalwareC.sbi (*)
2007-10-24 Includes\PUPS.sbi (*)
2008-02-13 Includes\PUPSC.sbi (*)
2008-02-13 Includes\Revision.sbi (*)
2008-01-09 Includes\Security.sbi (*)
2008-02-13 Includes\SecurityC.sbi (*)
2008-02-13 Includes\Spybots.sbi (*)
2008-02-13 Includes\SpybotsC.sbi (*)
2007-11-06 Includes\Tracks.uti
2008-02-13 Includes\Trojans.sbi (*)
2008-02-13 Includes\TrojansC.sbi (*)
2007-12-24 Plugins\TCPIPAddress.dll

to be continued...
 
HI

Microsoft.WindowsSecurityCenter.AntiVirusOverride: [SBI $3604910C] Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusOverride

This may or may not be malware related ... it could be your anti-virus claiming responsibility for monitoring itself.

-
17.02.2008 22:47:10 - found: Win32.Agent.bgy Settings
17.02.2008 22:47:19 - found: Win32.Bagle.hi Program directory

Win32.Agent.bgy: [SBI $3FF5579E] Settings (Registry key, fixed)
HKEY_USERS\S-1-5-21-1482476501-507921405-725345543-1003\Software\FirstRRRun

Would you please run Regedit & export this key :-

HKEY_USERS\S-1-5-21-1482476501-507921405-725345543-1003\Software\FirstRRRun

Then copy & paste the contents here


Win32.Bagle.hi: [SBI $37536BC2] Program directory (Directory, fixed)
C:\WINDOWS\system32\drivers\down\

These are Bagle ... surprisingly it shows nothing in the "down" folder ...

-
This is from another Spybot log; you will notice that Spybot deletes all files in the System32\drivers\down\ folder

Win32.Agent.bgy: [SBI $3FF5579E] Einstellungen (Registrierungsdatenbank-Schlüssel, fixed)
HKEY_USERS\S-1-5-21-1009317085-2326122771-423037255-1000\Software\FirstRRRun

Win32.Bagle.hi: [SBI $FF44CCD9] Einstellungen (Registrierungsdatenbank-Schlüssel, fixed)
HKEY_USERS\S-1-5-21-1009317085-2326122771-423037255-1000\Software\ts

Win32.Bagle.hi: [SBI $37536BC2] Programm-Verzeichnis (Verzeichnis, fixed)
C:\Windows\System32\drivers\down\

Win32.Bagle.hi: [SBI $5A6A2EC7] Ausführbare Datei (Datei, fixed)
C:\Windows\System32\drivers\down\245359.exe

Win32.Bagle.hi: [SBI $5A6A2EC7] Ausführbare Datei (Datei, fixed)
C:\Windows\System32\drivers\down\280078.exe

Win32.Bagle.hi: [SBI $5A6A2EC7] Ausführbare Datei (Datei, fixed)
C:\Windows\System32\drivers\down\285765.exe

---------
Here's another Bagle similar to yours, but this version has been around for over 2 years

http://vil.nai.com/vil/content/v_138585.htm

--
You say you've run Combofix; Bagle notoriously corrupts the headers of certain exe files, Combofix included, unless the exe is renamed first (before download) ... but you had no trouble running it?

I'll be interested to see some of your Combofix logs ..

steam
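The pattern steam is probing here (Spybot reports the FirstRRRun key and the drivers\down\ directory as "fixed", and the next scan finds the same SBI ids again) can be checked mechanically by parsing two Spybot reports and intersecting them. This is an added example, not a tool from the thread or from Spybot; the report fragments are constructed from the scans posted in this thread, and the helper names are this example's own.

```python
"""Parse Spybot-S&D reports and find items that come back after being fixed."""
import re
from dataclasses import dataclass, field

# Constructed sample: the normal-mode scan of 17.02 where Spybot "fixed" both items.
SCAN_17FEB = r"""
--- Report generated: 2008-02-17 22:53 ---

Win32.Agent.bgy: [SBI $3FF5579E] Settings (Registry key, fixed)
HKEY_USERS\S-1-5-21-1482476501-507921405-725345543-1003\Software\FirstRRRun

Win32.Bagle.hi: [SBI $37536BC2] Program directory (Directory, fixed)
C:\WINDOWS\system32\drivers\down\
"""

# Constructed sample: the 23.02 scan, where the same two items are back, plus
# the Partizan key the poster believes is a false positive and some usage tracks.
SCAN_23FEB = r"""
--- Report generated: 2008-02-23 20:17 ---

Win32.Agent.bgy: [SBI $3FF5579E] Settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1482476501-507921405-725345543-1003\Software\FirstRRRun

Win32.Bagle.hi: [SBI $37536BC2] Program directory (Directory, nothing done)
C:\WINDOWS\system32\drivers\down\

Win32.VB.jl: [SBI $4A7DE52E] Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Partizan

Common Dialogs: [SBI $4CDCC3D5] History (4 files) (Registry key, nothing done)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU

Cookie: Cookie (5) (Cookie, nothing done)
"""

REPORT_HDR = re.compile(r"^--- Report generated: (?P<when>.+?) ---$")
# "<name>: [SBI $<id>] <description> (<kind>, <action>)"
DETECTION = re.compile(
    r"^(?P<name>[^:]+): \[SBI \$(?P<sbi>[0-9A-F]+)\] (?P<desc>.+) "
    r"\((?P<kind>[^,()]+), (?P<action>[^()]+)\)$"
)


@dataclass(frozen=True)
class Detection:
    name: str    # Spybot threat name, e.g. Win32.Bagle.hi
    sbi: str     # Spybot signature id (the hex after "SBI $")
    desc: str    # e.g. "Settings", "Program directory"
    kind: str    # "Registry key", "Directory", ...
    action: str  # "fixed" or "nothing done"
    target: str  # registry or file-system path on the following line ("" if none)

    @property
    def key(self) -> tuple:
        """Identity used to match the same item across scans."""
        return (self.sbi, self.target.lower())


@dataclass
class Scan:
    generated: str = ""
    detections: list = field(default_factory=list)


def parse_spybot_report(text: str) -> Scan:
    """Read the '--- Report generated ---' section of a Spybot log."""
    lines = [ln.rstrip() for ln in text.splitlines()]
    scan = Scan()
    i = 0
    while i < len(lines):
        hdr = REPORT_HDR.match(lines[i])
        if hdr:
            scan.generated = hdr.group("when")
        m = DETECTION.match(lines[i])
        if m:
            target = ""
            nxt = lines[i + 1].strip() if i + 1 < len(lines) else ""
            # The path belongs to the detection when it directly follows it
            if nxt and not DETECTION.match(nxt) and not REPORT_HDR.match(nxt):
                target = nxt
                i += 1
            scan.detections.append(Detection(m["name"], m["sbi"], m["desc"],
                                             m["kind"], m["action"], target))
        i += 1
    return scan


def recurring(earlier: Scan, later: Scan) -> list:
    """Items Spybot 'fixed' in the earlier scan that are present again later.

    A hit means something still on the machine re-creates the key or directory
    after the cleanup, which is the loop described in the thread."""
    fixed = {d.key for d in earlier.detections if d.action == "fixed"}
    return [d for d in later.detections if d.key in fixed]


if __name__ == "__main__":
    early, late = parse_spybot_report(SCAN_17FEB), parse_spybot_report(SCAN_23FEB)
    for d in recurring(early, late):
        print(f"recurring since {early.generated}: {d.name} -> {d.target}")
```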
 
So here we kinda start over with fresh logs. First an observation though. Last Friday, when this started, I happened to double-click that file I told you about, resulting in a dialog saying "select file to crack". It was Friday night :santa: and I selected the file I opened, somewhat puzzled, before I realized what had happened.

I immediately took preventive measures like pulling the net cable and opening Windows Task Manager, where I saw these numbered .exe files popping up, which I understood were crap and killed, and relatively soon I also located hldrrr.exe and winterms.exe, which were killed, but at this stage I was still unaware of srosa.sys; possibly the fast response to the situation limited the damage somehow, at least I never saw much of that in the other thread you pointed me at. I found some of the registry keys and values, which I deleted, although some of the srosa stuff was hard to get rid of as it didn't help to change permissions inside regedit, and at that point I could open none of my usual security programs, nor install HJT.

Anyhow, that open dialog never showed up again, until now. Now it comes up every time I boot into normal mode. If I just leave it there nothing further seems to happen. I surely won't select any file :oops: and Cancel probably won't make much difference, so I tested the X instead, which results in the system taking a dive :snorkle: after a short delay. But as I said, if I just leave it open there things seem to be status quo and I can use the system.

The very first time I "managed" to get this dialog to come back was on Wednesday, when I got restless and started to poke around, did some different online scans and finally was able to clean out much, although after reboot the classic things came back. I then noticed there was something strange with my display driver and, looking for hidden/camouflaged things, I couldn't find anything else except legit things that loaded. Actually it started with me trying to install a new ATI Catalyst driver set, but as the first ATI screen loaded I got a message that I needed Admin privileges (or something similar) to install. I then decided to uninstall the ATI drivers (I have a Radeon 9250) and bump down to VGA and see what happened. Before I rebooted I cleaned up the virus tracks, and when the machine came up I saw no down dir and a Spybot scan came out clear - at that point I thought I had done it... but as soon as I touched the install new hardware dialog that came up for the missing display driver, that dialog popped up again!

Now I think it's RegRun's Anti-rootkit driver, which loads early, that actually forces the dialog to the surface instead of hiding. Anyhow, that's where I am now. I will post Spybot logs right away in a new post and then run Combofix to see where it gets us. I assume I should disable RegRun then, although I am a bit reluctant as I basically know how the CF will come out: it will delete the down dir and then reboot, and after reboot the dir is back as well as the reg keys. Or do you have a better idea? Basically I think I have it all out, except for 1 place where it hides and reincarnates unless we can give it a final blow.
 
First some logs

Spybot in Safe Mode
23.02.2008 19:52:32 - ##### check started #####
23.02.2008 19:52:32 - ### Version: 1.5.2
23.02.2008 19:52:32 - ### Date: 2008-02-23 19:52:32
23.02.2008 19:52:33 - ##### checking bots #####
23.02.2008 20:11:01 - found: Win32.Agent.bgy Settings
23.02.2008 20:11:17 - found: Win32.Bagle.hi Program directory
23.02.2008 20:12:14 - found: Win32.VB.jl Settings
23.02.2008 20:17:46 - ##### checking usage tracking #####
23.02.2008 20:17:46 - found: Common Dialogs History 4 files
23.02.2008 20:17:46 - found: Log Activity: ntbtlog.txt ntbtlog.txt
23.02.2008 20:17:46 - found: Log Install: setupapi.log setupapi.log
23.02.2008 20:17:46 - found: Log Shutdown: System32\wbem\logs\wbemess.log System32\wbem\logs\wbemess.log
23.02.2008 20:17:46 - found: Log Shutdown: System32\wbem\logs\wmiprov.log System32\wbem\logs\wmiprov.log
23.02.2008 20:17:47 - found: 7-Zip Folder history
23.02.2008 20:17:47 - found: 7-Zip Last used folder
23.02.2008 20:17:48 - found: Internet Explorer Typed URL list 1 files
23.02.2008 20:17:48 - found: MS Management Console Recent command list 1 files
23.02.2008 20:17:50 - found: MS Office 12.0 (Word) Recent Document List 1 files
23.02.2008 20:17:51 - found: MS Regedit Recent open key
23.02.2008 20:17:52 - found: Windows Explorer Run history 2 files
23.02.2008 20:17:52 - found: Windows Explorer Stream history 2 files
23.02.2008 20:17:52 - found: Windows Explorer User Assistant history IE 4 files
23.02.2008 20:17:52 - found: Windows Explorer User Assistant history files 19 files
23.02.2008 20:17:52 - found: Windows Explorer Last visited history 2 files
23.02.2008 20:17:52 - found: Windows Explorer Recent file global history
23.02.2008 20:17:53 - found: Cookie Cookie (5)
23.02.2008 20:17:53 - found: Cache Cache (138)
23.02.2008 20:17:53 - found: History History (22)
23.02.2008 20:17:53 - found: Cookie Cookie (20)
23.02.2008 20:17:53 - ##### check finished #####


--- Report generated: 2008-02-23 20:17 ---

Win32.Agent.bgy: [SBI $3FF5579E] Settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1482476501-507921405-725345543-1003\Software\FirstRRRun

Win32.Bagle.hi: [SBI $37536BC2] Program directory (Directory, nothing done)
C:\WINDOWS\system32\drivers\down\

Win32.VB.jl: [SBI $4A7DE52E] Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Partizan

Common Dialogs: [SBI $4CDCC3D5] History (4 files) (Registry key, nothing done)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU

Log: [SBI $4CDCC3D5] Activity: ntbtlog.txt (Backup file, nothing done)
C:\WINDOWS\ntbtlog.txt

Log: [SBI $4CDCC3D5] Install: setupapi.log (Backup file, nothing done)
C:\WINDOWS\setupapi.log

Log: [SBI $4CDCC3D5] Shutdown: System32\wbem\logs\wbemess.log (Backup file, nothing done)
C:\WINDOWS\System32\wbem\logs\wbemess.log

Log: [SBI $4CDCC3D5] Shutdown: System32\wbem\logs\wmiprov.log (Backup file, nothing done)
C:\WINDOWS\System32\wbem\logs\wmiprov.log

7-Zip: [SBI $12C3A52C] Folder history (Registry value, nothing done)
HKEY_USERS\S-1-5-21-1482476501-507921405-725345543-1003\Software\7-ZIP\FM\FolderHistory

7-Zip: [SBI $3D5692BD] Last used folder (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1482476501-507921405-725345543-1003\Software\7-ZIP\FM\PanelPath0

Internet Explorer: [SBI $1E8157BE] Typed URL list (1 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1482476501-507921405-725345543-1003\Software\Microsoft\Internet Explorer\TypedURLs

MS Management Console: [SBI $ECD50EAD] Recent command list (1 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1482476501-507921405-725345543-1003\Software\Microsoft\Microsoft Management Console\Recent File List

MS Office 12.0 (Word): [SBI $E357B233] Recent Document List (1 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1482476501-507921405-725345543-1003\Software\Microsoft\Office\12.0\Word\File MRU

MS Regedit: [SBI $C3B62FC1] Recent open key (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1482476501-507921405-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit\LastKey

Windows Explorer: [SBI $7308A845] Run history (2 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1482476501-507921405-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU

Windows Explorer: [SBI $AA0766B5] Stream history (2 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1482476501-507921405-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\StreamMRU

Windows Explorer: [SBI $2026AFB6] User Assistant history IE (4 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1482476501-507921405-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{5E6AB780-7743-11CF-A12B-00AA004AE837}\Count

Windows Explorer: [SBI $6107D172] User Assistant history files (19 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1482476501-507921405-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count

Windows Explorer: [SBI $B7EBA926] Last visited history (2 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1482476501-507921405-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU

Windows Explorer: [SBI $D20DA0AD] Recent file global history (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1482476501-507921405-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs

Cookie: Cookie (5) (Cookie, nothing done)


Cache: Cache (138) (Cache, nothing done)


History: History (22) (History, nothing done)


Cookie: Cookie (20) (Cookie, nothing done)



--- Spybot - Search & Destroy version: 1.5.2 (build: 20080128) ---

2008-01-28 blindman.exe (1.0.0.7)
2008-01-28 SDDelFile.exe (1.0.2.4)
2008-01-28 SDMain.exe (1.0.0.5)
2007-10-07 SDShred.exe (1.0.1.2)
2008-01-28 SDUpdate.exe (1.0.8.8)
2008-01-28 SDWinSec.exe (1.0.0.11)
2008-01-28 SpybotSD.exe (1.5.2.20)
2008-01-28 TeaTimer.exe (1.5.2.16)
2008-02-17 unins000.exe (51.49.0.0)
2008-01-28 Update.exe (1.4.0.6)
2008-01-28 advcheck.dll (1.5.4.5)
2007-04-02 aports.dll (2.1.0.0)
2007-11-17 DelZip179.dll (1.79.7.4)
2008-01-28 SDFiles.dll (1.5.1.19)
2008-01-28 SDHelper.dll (1.5.0.11)
2008-01-28 Tools.dll (2.1.3.3)
2008-02-13 Includes\Beta.sbi (*)
2007-11-06 Includes\Beta.uti (*)
2008-02-20 Includes\Cookies.sbi (*)
2007-12-26 Includes\Dialer.sbi (*)
2008-02-20 Includes\DialerC.sbi (*)
2008-02-20 Includes\HeavyDuty.sbi (*)
2008-02-20 Includes\Hijackers.sbi (*)
2008-02-20 Includes\HijackersC.sbi (*)
2008-02-20 Includes\Keyloggers.sbi (*)
2008-02-20 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2008-02-20 Includes\Malware.sbi (*)
2008-02-20 Includes\MalwareC.sbi (*)
2008-02-20 Includes\PUPS.sbi (*)
2008-02-20 Includes\PUPSC.sbi (*)
2008-02-20 Includes\Revision.sbi (*)
2008-01-09 Includes\Security.sbi (*)
2008-02-20 Includes\SecurityC.sbi (*)
2008-02-20 Includes\Spybots.sbi (*)
2008-02-20 Includes\SpybotsC.sbi (*)
2007-11-06 Includes\Tracks.uti (*)
2008-02-20 Includes\Trojans.sbi (*)
2008-02-20 Includes\TrojansC.sbi (*)
2007-12-24 Plugins\TCPIPAddress.dll

After cleaning, it automatically runs again (but only in Safe Mode, it appears)

23.02.2008 20:22:09 - ##### check started #####
23.02.2008 20:22:09 - ### Version: 1.5.2
23.02.2008 20:22:09 - ### Date: 2008-02-23 20:22:09
23.02.2008 20:22:11 - ##### checking bots #####
23.02.2008 20:42:32 - ##### checking usage tracking #####
23.02.2008 20:42:32 - found: Common Dialogs History 4 files
23.02.2008 20:42:32 - found: Log Activity: ntbtlog.txt ntbtlog.txt
23.02.2008 20:42:32 - found: Log Install: setupapi.log setupapi.log
23.02.2008 20:42:32 - found: Log Shutdown: System32\wbem\logs\wbemess.log System32\wbem\logs\wbemess.log
23.02.2008 20:42:32 - found: Log Shutdown: System32\wbem\logs\wmiprov.log System32\wbem\logs\wmiprov.log
23.02.2008 20:42:32 - found: 7-Zip Folder history
23.02.2008 20:42:32 - found: 7-Zip Last used folder
23.02.2008 20:42:32 - found: Internet Explorer Typed URL list 1 files
23.02.2008 20:42:33 - found: MS Management Console Recent command list 1 files
23.02.2008 20:42:35 - found: MS Office 12.0 (Word) Recent Document List 1 files
23.02.2008 20:42:35 - found: MS Regedit Recent open key
23.02.2008 20:42:35 - found: Windows Explorer Run history 2 files
23.02.2008 20:42:35 - found: Windows Explorer Stream history 2 files
23.02.2008 20:42:35 - found: Windows Explorer User Assistant history IE 4 files
23.02.2008 20:42:35 - found: Windows Explorer User Assistant history files 19 files
23.02.2008 20:42:35 - found: Windows Explorer Last visited history 2 files
23.02.2008 20:42:35 - found: Windows Explorer Recent file global history
23.02.2008 20:42:36 - found: Cookie Cookie (5)
23.02.2008 20:42:36 - found: Cache Cache (138)
23.02.2008 20:42:36 - found: History History (22)
23.02.2008 20:42:36 - found: Cookie Cookie (20)
23.02.2008 20:42:36 - ##### check finished #####

and then comes the final report from Spybot, in the next post as it's long
 
Part 1

--- Search result list ---
Common Dialogs: [SBI $4CDCC3D5] History (4 files) (Registry key, nothing done)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU

Log: [SBI $4CDCC3D5] Activity: ntbtlog.txt (Backup file, nothing done)
C:\WINDOWS\ntbtlog.txt

Log: [SBI $4CDCC3D5] Install: setupapi.log (Backup file, nothing done)
C:\WINDOWS\setupapi.log

Log: [SBI $4CDCC3D5] Shutdown: System32\wbem\logs\wbemess.log (Backup file, nothing done)
C:\WINDOWS\System32\wbem\logs\wbemess.log

Log: [SBI $4CDCC3D5] Shutdown: System32\wbem\logs\wmiprov.log (Backup file, nothing done)
C:\WINDOWS\System32\wbem\logs\wmiprov.log

7-Zip: [SBI $12C3A52C] Folder history (Registry value, nothing done)
HKEY_USERS\S-1-5-21-1482476501-507921405-725345543-1003\Software\7-ZIP\FM\FolderHistory

7-Zip: [SBI $3D5692BD] Last used folder (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1482476501-507921405-725345543-1003\Software\7-ZIP\FM\PanelPath0

Internet Explorer: [SBI $1E8157BE] Typed URL list (1 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1482476501-507921405-725345543-1003\Software\Microsoft\Internet Explorer\TypedURLs

MS Management Console: [SBI $ECD50EAD] Recent command list (1 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1482476501-507921405-725345543-1003\Software\Microsoft\Microsoft Management Console\Recent File List

MS Office 12.0 (Word): [SBI $E357B233] Recent Document List (1 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1482476501-507921405-725345543-1003\Software\Microsoft\Office\12.0\Word\File MRU

MS Regedit: [SBI $C3B62FC1] Recent open key (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1482476501-507921405-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit\LastKey

Windows Explorer: [SBI $7308A845] Run history (2 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1482476501-507921405-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU

Windows Explorer: [SBI $AA0766B5] Stream history (2 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1482476501-507921405-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\StreamMRU

Windows Explorer: [SBI $2026AFB6] User Assistant history IE (4 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1482476501-507921405-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{5E6AB780-7743-11CF-A12B-00AA004AE837}\Count

Windows Explorer: [SBI $6107D172] User Assistant history files (19 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1482476501-507921405-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count

Windows Explorer: [SBI $B7EBA926] Last visited history (2 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1482476501-507921405-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU

Windows Explorer: [SBI $D20DA0AD] Recent file global history (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1482476501-507921405-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs

Cookie: Cookie (5) (Cookie, nothing done)


Cache: Cache (138) (Cache, nothing done)


History: History (22) (History, nothing done)


Cookie: Cookie (20) (Cookie, nothing done)


Congratulations!: No immediate threats were found. ()



--- Spybot - Search & Destroy version: 1.5.2 (build: 20080128) ---

2008-01-28 blindman.exe (1.0.0.7)
2008-01-28 SDDelFile.exe (1.0.2.4)
2008-01-28 SDMain.exe (1.0.0.5)
2007-10-07 SDShred.exe (1.0.1.2)
2008-01-28 SDUpdate.exe (1.0.8.8)
2008-01-28 SDWinSec.exe (1.0.0.11)
2008-01-28 SpybotSD.exe (1.5.2.20)
2008-01-28 TeaTimer.exe (1.5.2.16)
2008-02-17 unins000.exe (51.49.0.0)
2008-01-28 Update.exe (1.4.0.6)
2008-01-28 advcheck.dll (1.5.4.5)
2007-04-02 aports.dll (2.1.0.0)
2007-11-17 DelZip179.dll (1.79.7.4)
2008-01-28 SDFiles.dll (1.5.1.19)
2008-01-28 SDHelper.dll (1.5.0.11)
2008-01-28 Tools.dll (2.1.3.3)
2008-02-13 Includes\Beta.sbi (*)
2007-11-06 Includes\Beta.uti (*)
2008-02-20 Includes\Cookies.sbi (*)
2007-12-26 Includes\Dialer.sbi (*)
2008-02-20 Includes\DialerC.sbi (*)
2008-02-20 Includes\HeavyDuty.sbi (*)
2008-02-20 Includes\Hijackers.sbi (*)
2008-02-20 Includes\HijackersC.sbi (*)
2008-02-20 Includes\Keyloggers.sbi (*)
2008-02-20 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2008-02-20 Includes\Malware.sbi (*)
2008-02-20 Includes\MalwareC.sbi (*)
2008-02-20 Includes\PUPS.sbi (*)
2008-02-20 Includes\PUPSC.sbi (*)
2008-02-20 Includes\Revision.sbi (*)
2008-01-09 Includes\Security.sbi (*)
2008-02-20 Includes\SecurityC.sbi (*)
2008-02-20 Includes\Spybots.sbi (*)
2008-02-20 Includes\SpybotsC.sbi (*)
2007-11-06 Includes\Tracks.uti (*)
2008-02-20 Includes\Trojans.sbi (*)
2008-02-20 Includes\TrojansC.sbi (*)
2007-12-24 Plugins\TCPIPAddress.dll



--- System information ---
Windows XP (Build: 2600) Service Pack 2 (5.1.2600)
/ .NETFramework / 1.1: Microsoft .NET Framework 1.1 Hotfix (KB928366)
/ .NETFramework / 1.1: Microsoft .NET Framework 1.1 Service Pack 1 (KB867460)
/ DataAccess: Microsoft Data Access Components KB870669
/ DataAccess: Security update for Microsoft Data Access Components
/ DataAccess: Security Update for Microsoft Data Access Components
/ DirectX / DX9 / SP1: DirectX 9 Hotfix - KB839643
/ Microsoft Visual Studio 2005 Professional Edition - ENU: This service pack is for Microsoft Visual Studio 2005 Professional Edition - ENU.
If you later install a more recent service pack, this service pack will be uninstalled automatically.
For more information, visit http://support.microsoft.com/kb/926601
/ Microsoft Visual Studio 2005 Professional Edition - ENU: This Security Update is for Microsoft Visual Studio 2005 Professional Edition - ENU.
If you later install a more recent service pack, this Security Update will be uninstalled automatically.
For more information, visit http://support.microsoft.com/kb/937061
/ Windows / SP1: Microsoft Internationalized Domain Names Mitigation APIs
/ Windows / SP1: Microsoft National Language Support Downlevel APIs
/ Windows Media Format 11 SDK: Hotfix for Windows Media Format 11 SDK (KB929399)
/ Windows Media Player: Windows Media Player Hotfix [See Q828026 for more information]
/ Windows Media Player / SP0: Windows Media Player Hotfix [See wm828026 for more information]
/ Windows Media Player: Windows Media Update 817787
/ Windows Media Player: Windows Media Update 828026
/ Windows Media Player 11: Security Update for Windows Media Player 11 (KB936782)
/ Windows Media Player 11: Hotfix for Windows Media Player 11 (KB939683)
/ Windows Media Player 6.4: Security Update for Windows Media Player 6.4 (KB925398)
/ Windows Media Player 9: Security Update for Windows Media Player 9 (KB917734)
/ Windows XP: Security Update for Windows XP (KB923689)
/ Windows XP: Security Update for Windows XP (KB941569)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB937143)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB938127)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB939653)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB942615)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB944533)
/ Windows XP / SP10: Microsoft Compression Client Pack 1.0 for Windows XP
/ Windows XP / SP2: Windows XP Service Pack 2
/ Windows XP / SP3: Windows XP Hotfix - KB834707
/ Windows XP / SP3: Windows XP Hotfix - KB867282
/ Windows XP / SP3: Windows XP Hotfix - KB873333
/ Windows XP / SP3: Windows XP Hotfix - KB873339
/ Windows XP / SP3: Security Update for Windows XP (KB883939)
/ Windows XP / SP3: Windows XP Hotfix - KB885250
/ Windows XP / SP3: Windows XP Hotfix - KB885835
/ Windows XP / SP3: Windows XP Hotfix - KB885836
/ Windows XP / SP3: Windows XP Hotfix - KB886185
/ Windows XP / SP3: Windows XP Hotfix - KB887472
/ Windows XP / SP3: Windows XP Hotfix - KB887742
/ Windows XP / SP3: Windows XP Hotfix - KB888113
/ Windows XP / SP3: Windows XP Hotfix - KB888302
/ Windows XP / SP3: Security Update for Windows XP (KB890046)
/ Windows XP / SP3: Windows XP Hotfix - KB890047
/ Windows XP / SP3: Windows XP Hotfix - KB890175
/ Windows XP / SP3: Windows XP Hotfix - KB890859
/ Windows XP / SP3: Windows XP Hotfix - KB890923
/ Windows XP / SP3: Windows XP Hotfix - KB891781
/ Windows XP / SP3: Security Update for Windows XP (KB893066)
/ Windows XP / SP3: Windows XP Hotfix - KB893086
/ Windows XP / SP3: Security Update for Windows XP (KB893756)
/ Windows XP / SP3: Windows Installer 3.1 (KB893803)
/ Windows XP / SP3: Windows Installer 3.1 (KB893803)
/ Windows XP / SP3: Update for Windows XP (KB894391)
/ Windows XP / SP3: Security Update for Windows XP (KB896358)
/ Windows XP / SP3: Security Update for Windows XP (KB896422)
/ Windows XP / SP3: Security Update for Windows XP (KB896423)
/ Windows XP / SP3: Security Update for Windows XP (KB896424)
/ Windows XP / SP3: Security Update for Windows XP (KB896428)
/ Windows XP / SP3: Security Update for Windows XP (KB896688)
/ Windows XP / SP3: Update for Windows XP (KB896727)
/ Windows XP / SP3: Update for Windows XP (KB898461)
/ Windows XP / SP3: Security Update for Windows XP (KB899587)
/ Windows XP / SP3: Security Update for Windows XP (KB899588)
/ Windows XP / SP3: Security Update for Windows XP (KB899589)
/ Windows XP / SP3: Security Update for Windows XP (KB899591)
/ Windows XP / SP3: Update for Windows XP (KB900485)
/ Windows XP / SP3: Security Update for Windows XP (KB900725)
/ Windows XP / SP3: Security Update for Windows XP (KB901017)
/ Windows XP / SP3: Security Update for Windows XP (KB901214)
/ Windows XP / SP3: Security Update for Windows XP (KB902400)
/ Windows XP / SP3: Security Update for Windows XP (KB903235)
/ Windows XP / SP3: Security Update for Windows XP (KB904706)
/ Windows XP / SP3: Update for Windows XP (KB904942)
/ Windows XP / SP3: Security Update for Windows XP (KB905414)
/ Windows XP / SP3: Security Update for Windows XP (KB905749)
/ Windows XP / SP3: Security Update for Windows XP (KB905915)
/ Windows XP / SP3: Security Update for Windows XP (KB908519)
/ Windows XP / SP3: Security Update for Windows XP (KB908531)
/ Windows XP / SP3: Update for Windows XP (KB910437)
/ Windows XP / SP3: Security Update for Windows XP (KB911280)
/ Windows XP / SP3: Security Update for Windows XP (KB911562)
/ Windows XP / SP3: Security Update for Windows XP (KB911567)
/ Windows XP / SP3: Security Update for Windows XP (KB911927)
/ Windows XP / SP3: Security Update for Windows XP (KB912812)
/ Windows XP / SP3: Security Update for Windows XP (KB912919)
/ Windows XP / SP3: Security Update for Windows XP (KB913446)
/ Windows XP / SP3: Security Update for Windows XP (KB913580)
/ Windows XP / SP3: Security Update for Windows XP (KB914388)
/ Windows XP / SP3: Security Update for Windows XP (KB914389)
/ Windows XP / SP3: Hotfix for Windows XP (KB914440)
/ Windows XP / SP3: Hotfix for Windows XP (KB915800)
/ Windows XP / SP3: Hotfix for Windows XP (KB915865)
/ Windows XP / SP3: Security Update for Windows XP (KB916281)
/ Windows XP / SP3: Update for Windows XP (KB916595)
/ Windows XP / SP3: Security Update for Windows XP (KB917159)
/ Windows XP / SP3: Security Update for Windows XP (KB917344)
/ Windows XP / SP3: Security Update for Windows XP (KB917422)
/ Windows XP / SP3: Security Update for Windows XP (KB917537)
/ Windows XP / SP3: Security Update for Windows XP (KB917953)
/ Windows XP / SP3: Security Update for Windows XP (KB918118)
/ Windows XP / SP3: Security Update for Windows XP (KB918439)
/ Windows XP / SP3: Security Update for Windows XP (KB918899)
/ Windows XP / SP3: Security Update for Windows XP (KB919007)
/ Windows XP / SP3: Security Update for Windows XP (KB920213)
/ Windows XP / SP3: Security Update for Windows XP (KB920214)
/ Windows XP / SP3: Security Update for Windows XP (KB920670)
/ Windows XP / SP3: Security Update for Windows XP (KB920683)
/ Windows XP / SP3: Security Update for Windows XP (KB920685)
/ Windows XP / SP3: Update for Windows XP (KB920872)
/ Windows XP / SP3: Security Update for Windows XP (KB921398)
/ Windows XP / SP3: Security Update for Windows XP (KB921503)
/ Windows XP / SP3: Security Update for Windows XP (KB921883)
/ Windows XP / SP3: Update for Windows XP (KB922582)
/ Windows XP / SP3: Security Update for Windows XP (KB922616)
/ Windows XP / SP3: Security Update for Windows XP (KB922760)
/ Windows XP / SP3: Security Update for Windows XP (KB922819)
/ Windows XP / SP3: Security Update for Windows XP (KB923191)
/ Windows XP / SP3: Security Update for Windows XP (KB923414)
/ Windows XP / SP3: Security Update for Windows XP (KB923694)
/ Windows XP / SP3: Security Update for Windows XP (KB923980)
/ Windows XP / SP3: Security Update for Windows XP (KB924191)
/ Windows XP / SP3: Security Update for Windows XP (KB924270)
/ Windows XP / SP3: Security Update for Windows XP (KB924496)
/ Windows XP / SP3: Security Update for Windows XP (KB924667)
/ Windows XP / SP3: Security Update for Windows XP (KB925454)
/ Windows XP / SP3: Security Update for Windows XP (KB925486)
/ Windows XP / SP3: Update for Windows XP (KB925720)
/ Windows XP / SP3: Security Update for Windows XP (KB925902)
/ Windows XP / SP3: Hotfix for Windows XP (KB926239)
/ Windows XP / SP3: Security Update for Windows XP (KB926255)
/ Windows XP / SP3: Security Update for Windows XP (KB926436)
/ Windows XP / SP3: Security Update for Windows XP (KB927779)
/ Windows XP / SP3: Security Update for Windows XP (KB927802)
/ Windows XP / SP3: Update for Windows XP (KB927891)
/ Windows XP / SP3: Security Update for Windows XP (KB928090)
/ Windows XP / SP3: Security Update for Windows XP (KB928255)
/ Windows XP / SP3: Hotfix for Windows XP (KB928388)
/ Windows XP / SP3: Security Update for Windows XP (KB928843)
/ Windows XP / SP3: Security Update for Windows XP (KB929123)
/ Windows XP / SP3: Update for Windows XP (KB929338)
/ Windows XP / SP3: Security Update for Windows XP (KB929969)
/ Windows XP / SP3: Security Update for Windows XP (KB930178)
/ Windows XP / SP3: Update for Windows XP (KB930916)
/ Windows XP / SP3: Security Update for Windows XP (KB931261)
/ Windows XP / SP3: Security Update for Windows XP (KB931768)
/ Windows XP / SP3: Security Update for Windows XP (KB931784)
/ Windows XP / SP3: Update for Windows XP (KB931836)
/ Windows XP / SP3: Security Update for Windows XP (KB932168)
/ Windows XP / SP3: Update for Windows XP (KB933360)
/ Windows XP / SP3: Security Update for Windows XP (KB933566)
/ Windows XP / SP3: Security Update for Windows XP (KB933729)
/ Windows XP / SP3: Security Update for Windows XP (KB935839)
/ Windows XP / SP3: Security Update for Windows XP (KB935840)
/ Windows XP / SP3: Security Update for Windows XP (KB936021)
/ Windows XP / SP3: Update for Windows XP (KB936357)
/ Windows XP / SP3: Security Update for Windows XP (KB937143)
/ Windows XP / SP3: Security Update for Windows XP (KB937894)
/ Windows XP / SP3: Security Update for Windows XP (KB938127)
/ Windows XP / SP3: Update for Windows XP (KB938828)
/ Windows XP / SP3: Security Update for Windows XP (KB938829)
/ Windows XP / SP3: Security Update for Windows XP (KB939373)
/ Windows XP / SP3: Security Update for Windows XP (KB941202)
/ Windows XP / SP3: Security Update for Windows XP (KB941568)
/ Windows XP / SP3: Security Update for Windows XP (KB941644)
/ Windows XP / SP3: Update for Windows XP (KB942763)
/ Windows XP / SP3: Security Update for Windows XP (KB943055)
/ Windows XP / SP3: Security Update for Windows XP (KB943460)
/ Windows XP / SP3: Security Update for Windows XP (KB943485)
/ Windows XP / SP3: Security Update for Windows XP (KB944653)
/ Windows XP / SP3: Security Update for Windows XP (KB946026)
/ XML Paper Specification Shared Components Pack 1.0: XML Paper Specification Shared Components Pack 1.0
 
Part 2

--- Startup entries list ---
Located: HK_LM:Run, @RegRunOnSecure
command: C:\PROGRA~1\Greatis\REGRUN~1\OnSecure.exe
file: C:\PROGRA~1\Greatis\REGRUN~1\OnSecure.exe
size: 57856
MD5: 6BFAFA44C356BE7E6258675AA5C11C61

Located: HK_LM:Run, avast!
command: C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
file: C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
size: 1679729
MD5: D8A1FF72BE7C6F0B1506265713550512

Located: HK_LM:Run, KernelFaultCheck
command: %systemroot%\system32\dumprep 0 -k
file: C:\WINDOWS\system32\dumprep.exe
size: 10752
MD5: 13922EB54890C77005268882629A31FE

Located: HK_LM:Run, NeroFilterCheck
command: C:\WINDOWS\system32\NeroCheck.exe
file: C:\WINDOWS\system32\NeroCheck.exe
size: 155648
MD5: 3E4C03CEFAD8DE135263236B61A49C90

Located: HK_LM:Run, RegRun WinBait
command: C:\WINDOWS\winbait.exe
file: C:\WINDOWS\winbait.exe
size: 16384
MD5: 6852D6328F97347FE611EFC51778B9D0

Located: HK_LM:Run, SoundMAXPnP
command: C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
file: C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
size: 790528
MD5: 8A6EF2D20DA01FC5934F63DE43752C1B

Located: HK_LM:Run, VMware hqtray
command: "C:\Program Files\VMware\VMware Workstation\hqtray.exe"
file: C:\Program Files\VMware\VMware Workstation\hqtray.exe
size: 56112
MD5: 15B7664C3DFD193BD8D9CE822D066E23

Located: HK_LM:Run, vmware-tray
command: C:\Program Files\VMware\VMware Workstation\vmware-tray.exe
file: C:\Program Files\VMware\VMware Workstation\vmware-tray.exe
size: 68400
MD5: 8692155C3CC033EA10D7BCC57C0B54CD

Located: HK_LM:Run, SoundMAX (DISABLED)
command: "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
file: C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
size: 585728
MD5: 5FA14654B827BC70DC14DE586DC5D493

Located: HK_LM:Run, VMware hqtray (DISABLED)
command: "C:\Program Files\VMware\VMware Workstation\hqtray.exe"
file: C:\Program Files\VMware\VMware Workstation\hqtray.exe
size: 56112
MD5: 15B7664C3DFD193BD8D9CE822D066E23

Located: HK_LM:Run, vmware-tray (DISABLED)
command: C:\Program Files\VMware\VMware Workstation\vmware-tray.exe
file: C:\Program Files\VMware\VMware Workstation\vmware-tray.exe
size: 68400
MD5: 8692155C3CC033EA10D7BCC57C0B54CD

Located: HK_CU:Run, ctfmon.exe
where: PE_C_ADMINISTRATOR...
command: C:\WINDOWS\system32\ctfmon.exe
file: C:\WINDOWS\system32\ctfmon.exe
size: 15360
MD5: 24232996A38C0B0CF151C2140AE29FC8

Located: HK_CU:Run, ctfmon.exe
where: S-1-5-21-1482476501-507921405-725345543-1003...
command: C:\WINDOWS\system32\ctfmon.exe
file: C:\WINDOWS\system32\ctfmon.exe
size: 15360
MD5: 24232996A38C0B0CF151C2140AE29FC8

Located: HK_CU:Run, Registry
where: S-1-5-21-1482476501-507921405-725345543-1003...
command: "C:\Program Files\Greatis\RegRunSuite\lsoon.exe" -1 30 "C:\Program Files\Greatis\RegRunSuite\rescue.exe" /a "J:\backreg\rstore.ini"
file: C:\Program Files\Greatis\RegRunSuite\lsoon.exe
size: 390656
MD5: D2E34D66CF273B2FA881AB5D9CF0F983

Located: HK_CU:Run, Regrun2
where: S-1-5-21-1482476501-507921405-725345543-1003...
command: C:\PROGRA~1\Greatis\REGRUN~1\WatchDog.exe
file: C:\PROGRA~1\Greatis\REGRUN~1\WatchDog.exe
size: 1679729
MD5: D8A1FF72BE7C6F0B1506265713550512

Located: HK_CU:Run, SpybotSD TeaTimer (DISABLED)
where: S-1-5-21-1482476501-507921405-725345543-1003...
command: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
file: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
size: 2097488
MD5: A9A5DB6AC3721BE698B996913693D73F

Located: Startup (common), Acrobat Assistant.lnk (DISABLED)
where: C:\Documents and Settings\All Users\Start Menu\Programs\Startup...
command: C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
file: C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
size: 217194
MD5: CFE5228556C93D03D6753E7953CCD4A9

Located: Startup (common), Dispatcher.lnk (DISABLED)
where: C:\Documents and Settings\All Users\Start Menu\Programs\Startup...
command: C:\Program Files\Reliable Software\Code Co-op\Dispatcher.exe
file: C:\Program Files\Reliable Software\Code Co-op\Dispatcher.exe
size: 1368064
MD5: 784E19C5A8BA2C56C77465B5C8643F5F

Located: Startup (user), ERUNT AutoBackup.lnk (DISABLED)
where: C:\Documents and Settings\Joakim\Start Menu\Programs\Startup...
command: C:\Program Files\ERUNT\AUTOBACK.EXE
file: C:\Program Files\ERUNT\AUTOBACK.EXE
size: 38912
MD5: E00DE20F0F6BED5CD2160247DDC9443B

Located: Startup (user), SpeedFan.lnk (DISABLED)
where: C:\Documents and Settings\Joakim\Start Menu\Programs\Startup...
command: C:\Program Files\SpeedFan\speedfan.exe
file: C:\Program Files\SpeedFan\speedfan.exe
size: 2902528
MD5: 72B1BA02D12BAFEC388FB80C68080529

Located: WinLogon, AtiExtEvent
command: Ati2evxx.dll
file: Ati2evxx.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, crypt32chain
command: crypt32.dll
file: crypt32.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, cryptnet
command: cryptnet.dll
file: cryptnet.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, cscdll
command: cscdll.dll
file: cscdll.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, ScCertProp
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, Schedule
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, sclgntfy
command: sclgntfy.dll
file: sclgntfy.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, SensLogn
command: WlNotify.dll
file: WlNotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, termsrv
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, WgaLogon
command: WgaLogon.dll
file: WgaLogon.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, wlballoon
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
 
Part 3

--- Browser helper object list ---
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: AcroIEHlprObj Class
description: Adobe Acrobat reader
classification: Legitimate
known filename: AcroIEhelper.ocx, AcroIEhelper.dll
info link: http://www.adobe.com/products/acrobat/readstep2.html
info source: TonyKlein
Path: C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\
Long name: AcroIEHelper.dll
Short name: ACROIE~1.DLL
Date (created): 2003-11-03 23:17:44
Date (last access): 2008-02-23 19:37:42
Date (last write): 2003-11-03 23:17:44
Filesize: 54248
Attributes: archive
MD5: FC7850324464E4D19A24A03D882B5CC4
CRC32: 452E8571
Version: 6.0.1.1091

{53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: Spybot-S&D IE Protection
description: Spybot-S&D IE Browser plugin
classification: Legitimate
known filename: SDhelper.dll
info link: http://spybot.eon.net.au/
info source: Patrick M. Kolla
Path: C:\PROGRA~1\SPYBOT~1\
Long name: SDHelper.dll
Short name:
Date (created): 2008-02-17 21:53:36
Date (last access): 2008-02-23 20:42:38
Date (last write): 2008-01-28 11:43:28
Filesize: 1554256
Attributes: archive
MD5: 5248E02EFBCB64D328647CD00E384B85
CRC32: C1B426A9
Version: 1.5.0.11

{72853161-30C5-4D22-B7F9-0BBC1D38A37E} (Groove GFS Browser Helper)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: Groove GFS Browser Helper
Path: C:\Program Files\Microsoft Office\Office12\
Long name: GrooveShellExtensions.dll
Short name: GRA8E1~1.DLL
Date (created): 2007-08-24 07:01:22
Date (last access): 2008-02-23 19:09:12
Date (last write): 2007-08-24 07:01:22
Filesize: 2212224
Attributes: archive
MD5: 32C4927E013C018A13D8DFBDA4148812
CRC32: 9A9F3D8B
Version: 12.0.6211.1000

{9030D464-4C02-4ABF-8ECC-5164760863C6} (Windows Live Sign-in Helper)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: Windows Live Sign-in Helper
Path: C:\Program Files\Common Files\Microsoft Shared\Windows Live\
Long name: WindowsLiveLogin.dll
Short name: WINDOW~1.DLL
Date (created): 2007-09-20 10:30:18
Date (last access): 2008-02-23 20:09:18
Date (last write): 2007-09-20 10:30:18
Filesize: 328752
Attributes: archive
MD5: 59CF5BF6684AFCF906CADAD39B4214DE
CRC32: C363813C
Version: 4.200.520.1

{AE7CD045-E861-484f-8273-0445EE161910} (AcroIEToolbarHelper Class)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: AcroIEToolbarHelper Class
description: Adobe Acrobat
classification: Legitimate
known filename: AcroIEFavClient.dll
info link: http://www.adobe.com/products/acrobatpro/main.html
info source: TonyKlein
Path: C:\Program Files\Adobe\Acrobat 6.0\Acrobat\
Long name: AcroIEFavClient.dll
Short name: ACROIE~1.DLL
Date (created): 2003-05-15 01:03:46
Date (last access): 2008-02-23 20:07:14
Date (last write): 2003-05-15 01:03:46
Filesize: 147456
Attributes: archive
MD5: 44BCFF08947790E74BD7CC7532D2B793
CRC32: 0C91890B

{BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} (Windows Live Toolbar Helper)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: Windows Live Toolbar Helper
Path: C:\Program Files\Windows Live Toolbar\
Long name: msntb.dll
Short name:
Date (created): 2007-10-19 11:20:48
Date (last access): 2008-02-23 19:05:24
Date (last write): 2007-10-19 11:20:48
Filesize: 546320
Attributes: archive
MD5: CEE1BE1DA21300208D07FBEAE9EA2B51
CRC32: 12446524
Version: 3.1.0.146

{E31CE47F-C268-41ba-897B-B415E613947D} (Microsoft Web Test Recorder 9.0 Helper)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: Microsoft Web Test Recorder 9.0 Helper
Path: C:\Program Files\Microsoft Visual Studio 9.0\Common7\IDE\PrivateAssemblies\
Long name: Microsoft.VisualStudio.QualityTools.RecorderBarBHO90.dll
Short name: MID57A~1.DLL
Date (created): 2007-11-08 08:19:22
Date (last access): 2008-02-23 19:40:40
Date (last write): 2007-11-08 08:19:22
Filesize: 64088
Attributes: archive
MD5: 351A23DAC4ABC59854E718EDF19ECF4F
CRC32: 94EE98C7
Version: 9.0.21022.8

{E5A1691B-D188-4419-AD02-90002030B8EE} (FlashFXP Helper for Internet Explorer)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: FlashFXP Helper for Internet Explorer
Path: C:\PROGRA~1\FlashFXP\
Long name: IEFlash.dll
Short name:
Date (created): 2006-03-31 21:27:14
Date (last access): 2008-02-23 20:07:14
Date (last write): 2006-03-31 21:27:14
Filesize: 191096
Attributes: archive
MD5: 3507AEE207E68553606F17DB01574E60
CRC32: 7906032A
Version: 3.0.0.1015
 
Part 4

--- ActiveX list ---
Microsoft XML Parser for Java (Microsoft XML Parser for Java)
DPF name: Microsoft XML Parser for Java
CLSID name:
Installer:
Codebase:
description:
classification: Legitimate
known filename: %WINDIR%\Java\classes\xmldso.cab
info link:
info source: Patrick M. Kolla

{05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool)
DPF name:
CLSID name: Office Genuine Advantage Validation Tool
Installer: C:\WINDOWS\Downloaded Program Files\OGAControl.inf
Codebase: http://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab
Path: C:\WINDOWS\system32\
Long name: OGACheckControl.DLL
Short name: OGACHE~1.DLL
Date (created): 2007-03-05 13:34:28
Date (last access): 2008-02-23 19:40:42
Date (last write): 2007-06-19 12:11:08
Filesize: 676224
Attributes: archive
MD5: 7F0A75930BFD106D349EF925A080AF03
CRC32: 46CC7779
Version: 1.6.21.0

{0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1)
DPF name:
CLSID name: F-Secure Online Scanner 3.1
Installer: C:\WINDOWS\Downloaded Program Files\fscax.inf
Codebase: http://support.f-secure.com/ols/fscax.cab
description:
classification: Legitimate
known filename: fscax.dll
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\Downloaded Program Files\
Long name: fscax.dll
Short name:
Date (created): 2007-05-07 16:39:24
Date (last access): 2008-02-23 19:40:42
Date (last write): 2007-05-07 16:39:24
Filesize: 254360
Attributes: archive
MD5: D5199825510E4C4F97DC93B7BC3B1A8A
CRC32: 9FA45099
Version: 3.1.0.5

{0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object)
DPF name:
CLSID name: CKAVWebScan Object
Installer: C:\WINDOWS\Downloaded Program Files\kavwebscan.inf
Codebase: http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
description:
classification: Legitimate
known filename:
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\
Long name: kavwebscan.dll
Short name: KAVWEB~1.DLL
Date (created): 2007-08-29 15:49:54
Date (last access): 2008-02-23 12:54:30
Date (last write): 2007-08-29 15:49:54
Filesize: 950272
Attributes: archive
MD5: BC915C49931CE46222F9B0A7EFB56CEE
CRC32: 11048171
Version: 5.0.98.0

{193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control)
DPF name:
CLSID name: ewidoOnlineScan Control
Installer:
Codebase: http://downloads.ewido.net/ewidoOnlineScan.cab
description:
classification: Legitimate
known filename: EWIDOO~1.DLL
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\DOWNLO~1\
Long name: ewidoOnlineScan.dll
Short name: EWIDOO~1.DLL
Date (created): 2006-07-11 09:41:36
Date (last access): 2008-02-23 19:40:42
Date (last write): 2006-07-11 09:41:36
Filesize: 345656
Attributes: archive
MD5: B284992540E0FA2B76DEA56F93D49A16
CRC32: FD2E709C
Version: 1.0.0.4

{56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control)
DPF name:
CLSID name: OnlineScanner Control
Installer: C:\WINDOWS\Downloaded Program Files\OnlineScanner.inf
Codebase: http://www.eset.eu/buxus/docs/OnlineScanner.cab
Path: C:\WINDOWS\system32\
Long name: OnlineScanner.ocx
Short name: ONLINE~1.OCX
Date (created): 2008-02-11 09:40:08
Date (last access): 2008-02-23 19:40:42
Date (last write): 2008-02-11 09:40:08
Filesize: 2715648
Attributes: archive
MD5: 8A41731096C2ECD10568DDB8F0F90498
CRC32: 5CE9D28A
Version: 1.0.0.635

{5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module)
DPF name:
CLSID name: Windows Live Safety Center Base Module
Installer: C:\WINDOWS\Downloaded Program Files\wlscBase.inf
Codebase: http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase370.cab
description:
classification: Legitimate
known filename: wlscBase.dll
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\Downloaded Program Files\
Long name: wlscBase.dll
Short name:
Date (created): 2008-01-21 21:34:22
Date (last access): 2008-02-23 19:40:42
Date (last write): 2008-01-21 21:34:22
Filesize: 465472
Attributes: archive
MD5: 66D7300A615CA949EF495270D2DA15E2
CRC32: B3EEF44F
Version: 1.7.370.1

{6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class)
DPF name:
CLSID name: MUWebControl Class
Installer: C:\WINDOWS\Downloaded Program Files\muweb.inf
Codebase: http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1189011463281
description:
classification: Legitimate
known filename: muweb.dll
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\system32\
Long name: muweb.dll
Short name:
Date (created): 2007-07-30 18:18:34
Date (last access): 2008-02-23 19:45:32
Date (last write): 2007-07-30 18:18:34
Filesize: 207736
Attributes: archive
MD5: 8038B166CE79E58E193566150CE26465
CRC32: 9137D395
Version: 7.0.6000.381

{C7DB51B4-BCF7-4923-8874-7F1A0DC92277} (Office Update Installation Engine)
DPF name:
CLSID name: Office Update Installation Engine
Installer: C:\WINDOWS\Downloaded Program Files\opuc.inf
Codebase: http://office.microsoft.com/officeupdate/content/opuc4.cab
description:
classification: Legitimate
known filename: opuc.dll
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\
Long name: opuc.dll
Short name:
Date (created): 2007-10-22 10:57:52
Date (last access): 2008-02-23 19:40:42
Date (last write): 2007-10-22 10:57:52
Filesize: 524288
Attributes: archive
MD5: F1ED50F66FEF8F56E06F087AA1CE3629
CRC32: CD8AE024
Version: 12.0.5543.1000



--- Process list ---
PID: 0 ( 0) [System]
PID: 144 ( 4) \SystemRoot\System32\smss.exe
size: 50688
PID: 212 ( 144) \??\C:\WINDOWS\system32\csrss.exe
size: 6144
PID: 236 ( 144) \??\C:\WINDOWS\system32\winlogon.exe
size: 502272
PID: 280 ( 236) C:\WINDOWS\system32\services.exe
size: 108032
MD5: C6CE6EEC82F187615D1002BB3BB50ED4
PID: 292 ( 236) C:\WINDOWS\system32\lsass.exe
size: 13312
MD5: 84885F9B82F4D55C6146EBF6065D75D2
PID: 448 ( 280) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 512 ( 280) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 580 ( 280) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 824 ( 796) C:\WINDOWS\Explorer.EXE
size: 1033216
MD5: 97BD6515465659FF8F3B7BE375B2EA87
PID: 1048 ( 824) C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
size: 405504
MD5: A7E1BDD605277ABAD6603E6854270042
PID: 1176 (1160) C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
size: 5146448
MD5: 2ECA8CDEED7C82F879E766DA92A3561A
PID: 4 ( 0) System


--- Browser start & search pages list ---
Spybot - Search & Destroy browser pages report, 2008-02-23 20:44:58

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Local Page
C:\WINDOWS\system32\blank.htm
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
about:blank
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Local Page
%SystemRoot%\system32\blank.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page
http://go.microsoft.com/fwlink/?LinkId=54896
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page
http://go.microsoft.com/fwlink/?LinkId=69157
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
http://go.microsoft.com/fwlink/?LinkId=69157
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
http://go.microsoft.com/fwlink/?LinkId=54896
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\SearchAssistant
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm


--- Winsock Layered Service Provider list ---
Protocol 0: MSAFD Tcpip [TCP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip [*]

Protocol 1: MSAFD Tcpip [UDP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip [*]

Protocol 2: MSAFD Tcpip [RAW/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip [*]

Protocol 3: RSVP UDP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\rsvpsp.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider

Protocol 4: RSVP TCP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\rsvpsp.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider

Protocol 5: MSAFD RfComm [Bluetooth]
GUID: {9FC48064-7298-43E4-B7BD-181F2089792A}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Bluetooth
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD RfComm [Bluetooth]

Protocol 6: MSAFD NetBIOS [\Device\NetBT_Tcpip_{AC9ACD80-8B62-44CA-9C9F-180588B8ACDD}] SEQPACKET 6
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 7: MSAFD NetBIOS [\Device\NetBT_Tcpip_{AC9ACD80-8B62-44CA-9C9F-180588B8ACDD}] DATAGRAM 6
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 8: MSAFD NetBIOS [\Device\NetBT_Tcpip_{7EB7E0A6-747D-41E5-B3E9-51B238242A17}] SEQPACKET 5
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 9: MSAFD NetBIOS [\Device\NetBT_Tcpip_{7EB7E0A6-747D-41E5-B3E9-51B238242A17}] DATAGRAM 5
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 10: MSAFD NetBIOS [\Device\NetBT_Tcpip_{AB6B7C91-5A89-46B0-83B7-4A6328408ED3}] SEQPACKET 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 11: MSAFD NetBIOS [\Device\NetBT_Tcpip_{AB6B7C91-5A89-46B0-83B7-4A6328408ED3}] DATAGRAM 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 12: MSAFD NetBIOS [\Device\NetBT_Tcpip_{BE5D971E-ABC2-4BEE-9C80-BAE2A10D8C86}] SEQPACKET 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 13: MSAFD NetBIOS [\Device\NetBT_Tcpip_{BE5D971E-ABC2-4BEE-9C80-BAE2A10D8C86}] DATAGRAM 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 14: MSAFD NetBIOS [\Device\NetBT_Tcpip_{4B98A9D0-0CE3-45B2-9972-AFF344D2021A}] SEQPACKET 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 15: MSAFD NetBIOS [\Device\NetBT_Tcpip_{4B98A9D0-0CE3-45B2-9972-AFF344D2021A}] DATAGRAM 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 16: MSAFD NetBIOS [\Device\NetBT_Tcpip_{CBD9838C-BC86-4C69-A2EC-E0194C37955F}] SEQPACKET 3
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 17: MSAFD NetBIOS [\Device\NetBT_Tcpip_{CBD9838C-BC86-4C69-A2EC-E0194C37955F}] DATAGRAM 3
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 18: MSAFD NetBIOS [\Device\NetBT_Tcpip_{A315DF94-269F-4F6F-B4FD-1903A31FA824}] SEQPACKET 4
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 19: MSAFD NetBIOS [\Device\NetBT_Tcpip_{A315DF94-269F-4F6F-B4FD-1903A31FA824}] DATAGRAM 4
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Namespace Provider 0: Tcpip
GUID: {22059D40-7E9E-11CF-AE5A-00AA00A7112B}
Filename: %SystemRoot%\System32\mswsock.dll
Description: Microsoft Windows NT/2k/XP TCP/IP name space provider
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: TCP/IP

Namespace Provider 1: NTDS
GUID: {3B2637EE-E580-11CF-A555-00C04FD8D4AC}
Filename: %SystemRoot%\System32\winrnr.dll
Description: Microsoft Windows NT/2k/XP name space provider
DB filename: %SystemRoot%\system32\winrnr.dll
DB protocol: NTDS

Namespace Provider 2: Network Location Awareness (NLA) Namespace
GUID: {6642243A-3BA8-4AA6-BAA5-2E0BD71FDD83}
Filename: %SystemRoot%\System32\mswsock.dll
Description: Microsoft Windows NT/2k/XP name space provider
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: NLA-Namespace

Namespace Provider 3: Bluetooth Namespace
GUID: {06AA63E0-7D60-41FF-AFB2-3EE6D2D9392D}
Filename: %SystemRoot%\system32\wshbth.dll
Description: Bluetooth
DB filename: %SystemRoot%\system32\wshbth.dll
DB protocol: Bluetooth-Namespace

Done with Spybot
 
Windows Registry Editor Version 5.00

[HKEY_USERS\S-1-5-21-1482476501-507921405-725345543-1003\Software\FirstRRRun]
"First12Ru123n"=dword:00000001

That's all in that key; I will post some of my backed-up ComboFix logs next.
 
There are more registry values I have found, though, that get recreated, basically variants of some from that other case (which I have been too busy with logs to look at fully yet). Do you want me to export these as well?
 
My oldest CF log - Part 1

ComboFix 08-02-20.2 - Joakim 2008-02-20 1:53:02.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1518 [GMT 1:00]
Running from: C:\Documents and Settings\Joakim\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\drivers\down

.
((((((((((((((((((((((((( Files Created from 2008-01-20 to 2008-02-20 )))))))))))))))))))))))))))))))
.

2008-02-19 23:37 . 2008-02-19 23:37 250 --a------ C:\WINDOWS\gmer.ini
2008-02-18 14:02 . 2008-02-18 14:02 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-02-18 14:02 . 2008-02-18 14:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-18 10:44 . 2008-02-18 10:44 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-18 10:39 . 2008-02-18 10:39 812,344 --a------ C:\temp\HJTInstall.exe
2008-02-18 00:53 . 2008-02-18 00:53 2,062,665 --a------ C:\temp\spywareguardsetup.exe
2008-02-18 00:42 . 2008-02-18 00:43 2,566,736 --a------ C:\temp\spywareblastersetup351.exe
2008-02-17 23:14 . 2008-02-17 23:13 15,852,952 --a------ C:\temp\jre-6u4-windows-i586-p.exe.exe
2008-02-17 21:53 . 2008-02-17 21:53 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-17 21:53 . 2008-02-17 21:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-17 21:02 . 2002-09-20 10:53 235,100 --a------ C:\WINDOWS\system32\drivers\MidiSyn.sys
2008-02-17 21:01 . 2008-02-17 21:01 <DIR> d-------- C:\WINDOWS\VirtualEar
2008-02-17 21:01 . 2008-02-17 21:01 <DIR> d-------- C:\Program Files\Analog Devices
2008-02-17 21:01 . 2001-09-11 15:20 1,285,632 --a------ C:\WINDOWS\system32\SMMedia.dll
2008-02-17 21:01 . 2001-09-19 13:47 765,952 --a------ C:\WINDOWS\system\crlds3d.dll
2008-02-17 21:01 . 2001-09-19 13:47 720,896 --a------ C:\WINDOWS\system32\Audio3d.dll
2008-02-17 21:01 . 2003-06-02 13:42 578,304 --a------ C:\WINDOWS\system32\drivers\smwdm.sys
2008-02-17 21:01 . 2003-03-13 18:34 100,224 --a------ C:\WINDOWS\system32\drivers\aeaudio.sys
2008-02-17 21:01 . 2003-01-08 11:23 49,152 --a------ C:\WINDOWS\system32\DSndUp.exe
2008-02-17 21:01 . 2002-04-17 15:05 45,056 --a------ C:\WINDOWS\system32\CleanUp.exe
2008-02-17 21:01 . 2001-09-11 15:20 30,208 --a------ C:\WINDOWS\system32\wdmioctl.dll
2008-02-17 21:01 . 2003-03-13 15:40 3,744 --a------ C:\WINDOWS\system32\drivers\smsens.sys
2008-02-17 20:34 . 2008-02-18 23:21 <DIR> d-------- C:\temp\WinLicenseDemo
2008-02-17 18:53 . 2008-02-17 18:53 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-17 16:44 . 2007-12-04 14:04 837,496 --a------ C:\WINDOWS\system32\aswBoot.exe
2008-02-17 16:44 . 2007-12-04 13:54 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2008-02-17 16:44 . 2007-12-04 15:55 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2008-02-17 16:44 . 2007-12-04 15:56 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2008-02-17 16:44 . 2007-12-04 15:51 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2008-02-17 16:44 . 2007-12-04 15:49 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2008-02-17 16:44 . 2007-12-04 15:53 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2008-02-17 13:35 . 2008-02-17 13:35 55 --a------ C:\WINDOWS\regrunfix.rnr
2008-02-17 03:58 . C:\WINDOWS\(2) C:\ComboFix\winstart.bat
2008-02-16 23:10 . 2008-02-16 23:12 <DIR> d-------- C:\Documents and Settings\Joakim\Application Data\PrevxCSI
2008-02-16 09:09 . 2008-02-16 21:37 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-02-15 16:31 . 2008-02-17 14:18 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-02-15 16:30 . 2008-02-15 22:55 <DIR> d-------- C:\Documents and Settings\Joakim\.housecall6.6
2008-02-15 15:20 . 2008-02-17 22:57 <DIR> d-------- C:\Program Files\Trojan Remover
2008-02-15 15:20 . 2008-02-15 15:20 <DIR> d-------- C:\Documents and Settings\Joakim\Application Data\Simply Super Software
2008-02-15 15:20 . 2008-02-15 15:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Simply Super Software
2008-02-15 15:20 . 2006-05-25 14:52 162,304 --a------ C:\WINDOWS\system32\ztvunrar36.dll
2008-02-15 15:20 . 2003-02-02 19:06 153,088 --a------ C:\WINDOWS\system32\UNRAR3.dll
2008-02-15 15:20 . 2005-08-26 00:50 77,312 --a------ C:\WINDOWS\system32\ztvunace26.dll
2008-02-15 15:20 . 2002-03-06 00:00 75,264 --a------ C:\WINDOWS\system32\unacev2.dll
2008-02-15 15:20 . 2006-06-19 12:01 69,632 --a------ C:\WINDOWS\system32\ztvcabinet.dll
2008-02-15 00:12 . 2008-02-15 00:11 407,680 --a------ C:\temp\aswclnr.exe
2008-02-14 22:43 . 2008-02-17 15:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-14 22:27 . 2008-02-14 22:38 21,364,592 --a------ C:\temp\aaw2007.exe
2008-02-14 22:22 . 2008-02-14 22:22 17,255,626 --a------ C:\temp\WinLicenseDemo.zip
2008-02-14 12:41 . 2008-02-14 12:41 499,712 --a------ C:\WINDOWS\system32\ExSlider.dll
2008-02-14 12:41 . 2008-02-14 12:41 203,488 --a------ C:\WINDOWS\system32\ExSlider.chm
2008-02-14 12:40 . 2008-02-14 12:40 573,440 --a------ C:\WINDOWS\system32\ExStatusBar.dll
2008-02-14 12:40 . 2008-02-14 12:40 436,674 --a------ C:\WINDOWS\system32\ExStatusBar.chm
2008-02-14 12:39 . 2008-02-14 12:39 434,176 --a------ C:\WINDOWS\system32\ExThumbnail.dll
2008-02-14 12:34 . 2008-02-14 12:34 331,776 --a------ C:\WINDOWS\system32\ExTexture.dll
2008-02-14 12:34 . 2008-02-14 12:34 102,224 --a------ C:\WINDOWS\system32\ExTexture.chm
2008-02-14 12:31 . 2008-02-14 12:31 172,032 --a------ C:\WINDOWS\system32\MaskEdit.dll
2008-02-14 12:31 . 2008-02-14 12:31 53,672 --a------ C:\WINDOWS\system32\MaskEdit.chm
2008-02-14 12:28 . 2008-02-14 12:28 <DIR> d-------- C:\Program Files\Copy of EXECryptor
2008-02-13 14:50 . 2008-02-13 14:50 389,120 --a------ C:\WINDOWS\system32\ExCalc.dll
2008-02-13 14:50 . 2008-02-13 14:50 84,478 --a------ C:\WINDOWS\system32\ExCalc.chm
2008-02-13 14:42 . 2008-02-13 14:42 479,232 --a------ C:\WINDOWS\system32\ExRolList.dll
2008-02-13 14:42 . 2008-02-13 14:42 210,902 --a------ C:\WINDOWS\system32\ExRolList.CHM
2008-02-13 14:03 . 2008-02-13 14:03 225,280 --a------ C:\WINDOWS\system32\ExShellView.dll
2008-02-13 14:03 . 2008-02-13 14:03 83,770 --a------ C:\WINDOWS\system32\ExShellView.chm
2008-02-13 13:58 . 2008-02-13 13:58 397,312 --a------ C:\WINDOWS\system32\ExFolderView.dll
2008-02-13 13:58 . 2008-02-13 13:58 117,644 --a------ C:\WINDOWS\system32\ExFolderView.chm
2008-02-13 13:52 . 2008-02-13 14:09 286,720 --a------ C:\WINDOWS\system32\ExToolTip.dll
2008-02-13 13:52 . 2008-02-13 14:09 119,264 --a------ C:\WINDOWS\system32\ExToolTip.chm
2008-02-13 13:34 . 2008-02-13 13:34 438,272 --a------ C:\WINDOWS\system32\ExLabel.dll
2008-02-13 13:34 . 2008-02-13 13:34 152,774 --a------ C:\WINDOWS\system32\ExLabel.chm
2008-02-12 20:09 . 2008-02-12 20:09 1,995,825 --a------ C:\WINDOWS\system32\ExGantt.chm
2008-02-12 20:09 . 2008-02-12 20:09 1,486,848 --a------ C:\WINDOWS\system32\ExGantt.dll
2008-02-12 20:05 . 2008-02-12 20:05 634,880 --a------ C:\WINDOWS\system32\ExCalendar.dll
2008-02-12 20:05 . 2008-02-12 20:05 460,734 --a------ C:\WINDOWS\system32\ExCalendar.chm
2008-02-12 19:56 . 2008-02-12 19:56 2,680,120 --a------ C:\WINDOWS\system32\ExG2antt.chm
2008-02-12 19:56 . 2008-02-12 19:56 1,933,312 --a------ C:\WINDOWS\system32\ExG2antt.dll
2008-02-12 10:16 . 2008-02-12 10:16 <DIR> d-------- C:\Program Files\QuickTime
2008-02-11 18:26 . 2008-02-11 18:26 <DIR> d-------- C:\WINDOWS\system32\js
2008-02-11 18:26 . 2008-02-11 18:26 <DIR> d-------- C:\WINDOWS\system32\images
2008-02-11 18:26 . 2008-02-11 18:26 <DIR> d-------- C:\WINDOWS\system32\html
2008-02-11 18:26 . 2008-02-11 18:26 <DIR> d-------- C:\WINDOWS\system32\css
2008-02-11 18:26 . 2008-02-11 18:26 <DIR> d-------- C:\Program Files\Business Objects
2008-02-11 18:10 . 2008-02-11 18:10 <DIR> d-------- C:\Program Files\Microsoft Device Emulator
2008-02-11 18:09 . 2008-02-11 18:09 <DIR> d-------- C:\Program Files\Windows Mobile 5.0 SDK R2
2008-02-11 18:08 . 2008-02-11 18:08 <DIR> d-------- C:\Program Files\Microsoft Synchronization Services
2008-02-11 18:08 . 2008-02-11 18:08 <DIR> d-------- C:\Program Files\Microsoft SQL Server Compact Edition
2008-02-11 17:51 . 2008-02-11 18:26 <DIR> d-------- C:\Program Files\Microsoft Visual Studio 9.0
2008-02-11 17:51 . 2008-02-11 17:51 <DIR> d-------- C:\Program Files\Microsoft SDKs
2008-02-11 17:50 . 2008-02-11 17:50 <DIR> d-------- C:\Program Files\Microsoft Web Designer Tools
2008-02-11 17:47 . 2008-02-11 17:47 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2008-02-11 17:47 . 2008-02-11 17:47 <DIR> d-------- C:\Program Files\Reference Assemblies
2008-02-11 17:47 . 2006-06-29 13:07 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
2008-02-11 17:46 . 2008-02-11 17:46 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-02-07 23:56 . 2008-02-07 23:57 <DIR> d-------- C:\xampp
2008-02-07 23:42 . 2008-02-07 23:43 30,565,644 --a------ C:\xampp-win32-1.6.6-RC2.7z
2008-02-06 11:10 . 2008-02-11 02:19 <DIR> d-------- C:\temp\htdocs
2008-02-06 10:35 . 2008-02-10 19:06 228,285 --a------ C:\temp\mxEAL.zip
2008-02-02 19:19 . 2008-02-02 19:19 896,535 --a------ C:\temp\e107bb_v3.0.0.zip
2008-02-02 09:08 . 2008-02-02 09:08 <DIR> d-------- C:\Documents and Settings\Joakim\Contacts
 
Part 2

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-20 01:00 --------- d-----w C:\Documents and Settings\NetworkService\Application Data\VMware
2008-02-20 01:00 --------- d-----w C:\Documents and Settings\Joakim\Application Data\VMware
2008-02-20 01:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\VMware
2008-02-19 23:57 --------- d-----w C:\Program Files\SpywareGuard
2008-02-18 14:03 --------- d-----w C:\Documents and Settings\Joakim\Application Data\Skype
2008-02-17 23:50 --------- d-----w C:\Program Files\SpywareBlaster
2008-02-17 23:36 --------- d-----w C:\Program Files\SpeedFan
2008-02-17 22:27 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-17 22:19 --------- d-----w C:\Program Files\Java
2008-02-17 20:01 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-17 17:54 --------- d-----w C:\Program Files\Lavasoft
2008-02-16 23:46 --------- d-----w C:\Documents and Settings\LocalService\Application Data\VMware
2008-02-16 21:49 --------- d-----w C:\Documents and Settings\Joakim\Application Data\uTorrent
2008-02-16 20:50 --------- d-----w C:\Program Files\Windows Desktop Search
2008-02-14 23:04 --------- d-----w C:\Program Files\WYSIWYG Web Builder 4.0
2008-02-14 21:29 --------- d-----w C:\Documents and Settings\Joakim\Application Data\Lavasoft
2008-02-14 11:41 --------- d-----w C:\Program Files\Exontrol
2008-02-14 11:29 --------- d-----w C:\Program Files\EXECryptor
2008-02-12 23:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-02-12 09:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-02-11 17:37 --------- d-----w C:\Program Files\MSDN
2008-02-11 17:24 --------- d-----w C:\Program Files\Microsoft SQL Server
2008-02-11 17:21 --------- d-----w C:\Program Files\Microsoft.NET
2008-02-11 16:58 --------- d-----w C:\Program Files\Common Files\Merge Modules
2008-02-11 16:53 --------- d-----w C:\Program Files\MSBuild
2008-02-10 23:43 --------- d-----w C:\Program Files\FlashFXP
2008-02-01 20:16 --------- d-----w C:\Program Files\TortoiseCVS
2008-01-23 15:27 737,280 ----a-w C:\WINDOWS\iun6002.exe
2008-01-10 19:29 --------- d-----w C:\Documents and Settings\Joakim\Application Data\vlc
2008-01-04 22:28 --------- d-----w C:\Documents and Settings\Joakim\Application Data\VanDyke
2008-01-03 22:10 --------- d-----w C:\Program Files\Skype
2008-01-01 22:02 --------- d-----w C:\Program Files\TortoiseSVN
2007-12-24 01:22 --------- d-----w C:\Documents and Settings\Joakim\Application Data\phpDesigner 2008
2007-12-24 01:15 --------- d-----w C:\Program Files\phpDesigner 2008
2007-05-01 15:12 79,245 ----a-w C:\Documents and Settings\Joakim\Application Data\unins000.dat
2007-05-01 15:11 683,801 ----a-w C:\Documents and Settings\Joakim\Application Data\unins000.exe
2007-08-26 00:41 23 --sha-w C:\WINDOWS\system32\abbdadee_r.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseSVN]
@={30351346-7B7D-4FCC-81B4-1E394CA267EB}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseSVN]
@={30351347-7B7D-4FCC-81B4-1E394CA267EB}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseSVN]
@={30351348-7B7D-4FCC-81B4-1E394CA267EB}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseSVN]
@={3035134B-7B7D-4FCC-81B4-1E394CA267EB}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseSVN]
@={3035134C-7B7D-4FCC-81B4-1E394CA267EB}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseSVN]
@={3035134D-7B7D-4FCC-81B4-1E394CA267EB}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseSVN]
@={3035134E-7B7D-4FCC-81B4-1E394CA267EB}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseCVS0]
@={5d1cb710-1c4b-11d4-bed5-005004b1f42f}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseCVS1]
@={5d1cb711-1c4b-11d4-bed5-005004b1f42f}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseCVS2]
@={5d1cb712-1c4b-11d4-bed5-005004b1f42f}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseCVS3]
@={5d1cb713-1c4b-11d4-bed5-005004b1f42f}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseCVS4]
@={5d1cb714-1c4b-11d4-bed5-005004b1f42f}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseCVS5]
@={5d1cb715-1c4b-11d4-bed5-005004b1f42f}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseCVS6]
@={5d1cb716-1c4b-11d4-bed5-005004b1f42f}

[HKEY_CLASSES_ROOT\CLSID\{30351346-7B7D-4FCC-81B4-1E394CA267EB}]
2007-12-21 21:53 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_CLASSES_ROOT\CLSID\{30351347-7B7D-4FCC-81B4-1E394CA267EB}]
2007-12-21 21:53 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_CLASSES_ROOT\CLSID\{30351348-7B7D-4FCC-81B4-1E394CA267EB}]
2007-12-21 21:53 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_CLASSES_ROOT\CLSID\{3035134B-7B7D-4FCC-81B4-1E394CA267EB}]
2007-12-21 21:53 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_CLASSES_ROOT\CLSID\{3035134C-7B7D-4FCC-81B4-1E394CA267EB}]
2007-12-21 21:53 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_CLASSES_ROOT\CLSID\{3035134D-7B7D-4FCC-81B4-1E394CA267EB}]
2007-12-21 21:53 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_CLASSES_ROOT\CLSID\{3035134E-7B7D-4FCC-81B4-1E394CA267EB}]
2007-12-21 21:53 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_CLASSES_ROOT\CLSID\{5d1cb710-1c4b-11d4-bed5-005004b1f42f}]
2007-12-02 22:00 1421312 --a------ C:\Program Files\TortoiseCVS\TortoiseShell.dll

[HKEY_CLASSES_ROOT\CLSID\{5d1cb711-1c4b-11d4-bed5-005004b1f42f}]
2007-12-02 22:00 1421312 --a------ C:\Program Files\TortoiseCVS\TortoiseShell.dll

[HKEY_CLASSES_ROOT\CLSID\{5d1cb712-1c4b-11d4-bed5-005004b1f42f}]
2007-12-02 22:00 1421312 --a------ C:\Program Files\TortoiseCVS\TortoiseShell.dll

[HKEY_CLASSES_ROOT\CLSID\{5d1cb713-1c4b-11d4-bed5-005004b1f42f}]
2007-12-02 22:00 1421312 --a------ C:\Program Files\TortoiseCVS\TortoiseShell.dll

[HKEY_CLASSES_ROOT\CLSID\{5d1cb714-1c4b-11d4-bed5-005004b1f42f}]
2007-12-02 22:00 1421312 --a------ C:\Program Files\TortoiseCVS\TortoiseShell.dll

[HKEY_CLASSES_ROOT\CLSID\{5d1cb715-1c4b-11d4-bed5-005004b1f42f}]
2007-12-02 22:00 1421312 --a------ C:\Program Files\TortoiseCVS\TortoiseShell.dll

[HKEY_CLASSES_ROOT\CLSID\{5d1cb716-1c4b-11d4-bed5-005004b1f42f}]
2007-12-02 22:00 1421312 --a------ C:\Program Files\TortoiseCVS\TortoiseShell.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2008-02-12 11:18 1679729]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 14:00 79224]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2003-05-29 16:28 790528]
"vmware-tray"="C:\Program Files\VMware\VMware Workstation\vmware-tray.exe" [2007-05-01 21:52 68400]
"VMware hqtray"="C:\Program Files\VMware\VMware Workstation\hqtray.exe" [2007-05-01 21:52 56112]

C:\Documents and Settings\Joakim\Start Menu\Programs\Startup\
SpeedFan.lnk.disabled [2006-03-04 16:49:13 682]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk.disabled [2006-02-03 00:05:49 1824]
Dispatcher.lnk.disabled [2006-04-05 16:01:09 856]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 setuid

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
"VMware hqtray"="C:\Program Files\VMware\VMware Workstation\hqtray.exe"
"vmware-tray"=C:\Program Files\VMware\VMware Workstation\vmware-tray.exe

R0 hotcore3;hotcore3;C:\WINDOWS\system32\drivers\hotcore3.sys [2007-03-07 12:27]
R2 SQLWriter;SQL Server VSS Writer;"c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [2007-02-10 05:29]
R2 tcaicchg;tcaicchg;C:\WINDOWS\System32\tcaicchg.sys [2000-06-06 11:08]
R2 TCAITDI;TCAITDI Protocol;C:\WINDOWS\system32\DRIVERS\TCAITDI.sys [2001-09-04 04:22]
R2 vstor2-ws60;Vstor2 WS60 Virtual Storage Driver;C:\Program Files\VMware\VMware Workstation\vstor2-ws60.sys [2007-04-09 12:55]
R3 vmkbd;VMware kbd;C:\WINDOWS\system32\drivers\VMkbd.sys [2007-05-01 21:52]
S3 GTwinUSB;GTwinUSB;C:\WINDOWS\system32\Drivers\GTwinUSB.sys [2002-10-04 11:21]
S3 LCcfltr;Logitech USB Filter Driver;C:\WINDOWS\system32\Drivers\LCcFltr.Sys [2004-03-03 08:50]
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2005-08-02 22:10]
S3 ufad-ws60;VMware Agent Service;"C:\Program Files\VMware\VMware Workstation\vmware-ufad.exe" -d "C:\Program Files\VMware\VMware Workstation\\" []
S3 VSPerfDrv90;Performance Tools Driver 9.0;C:\Program Files\Microsoft Visual Studio 9.0\Team Tools\Performance Tools\VSPerfDrv90.sys [2007-09-04 16:53]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;"C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" [2006-12-02 05:17]
S4 msvsmon90;Visual Studio 2008 Remote Debugger;"C:\Program Files\Microsoft Visual Studio 9.0\Common7\IDE\Remote Debugger\x86\msvsmon.exe" [2007-11-07 08:58]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\Launcher.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-02-17 15:06:35 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-02-17 15:06:24 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-20 02:00:12
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\Paradigma Software\Bonjour\mDNSResponder.exe
C:\Program Files\CVSNT\cvslock.exe
C:\Program Files\CVSNT\cvsservice.exe
c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
.
**************************************************************************
.
Completion time: 2008-02-20 2:08:06 - machine was rebooted
ComboFix2.txt 2008-02-18 02:21:47
.
2008-02-12 23:25:53 --- E O F ---
 
My latest (old) CF log Part 1

ComboFix 08-02-20.2 - Joakim 2008-02-22 4:11:00.8 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1593 [GMT 1:00]
Running from: C:\Documents and Settings\Joakim\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\drivers\down

.
((((((((((((((((((((((((( Files Created from 2008-01-22 to 2008-02-22 )))))))))))))))))))))))))))))))
.

2008-02-22 03:53 . 2008-02-22 03:53 <DIR> d-------- C:\WINDOWS\LastGood
2008-02-22 03:40 . 2008-02-22 03:40 <DIR> d-------- C:\Program Files\ATI Technologies
2008-02-22 03:21 . 2006-02-28 13:00 18,944 --a------ C:\WINDOWS\system32\simptcp.dll
2008-02-22 03:18 . 2008-02-22 03:18 <DIR> d-------- C:\WINDOWS\LastGood.Tmp
2008-02-22 00:32 . 2008-02-22 00:32 <DIR> d-------- C:\Documents and Settings\Joakim\DoctorWeb
2008-02-21 20:40 . 2008-02-21 20:41 <DIR> d-------- C:\getservice
2008-02-21 19:38 . 2008-02-21 19:38 <DIR> d-------- C:\ATI
2008-02-21 01:03 . 2008-02-21 01:03 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-02-21 01:03 . 2008-02-21 01:03 <DIR> d-------- C:\Documents and Settings\Joakim\Application Data\Malwarebytes
2008-02-21 01:03 . 2008-02-21 01:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-02-20 14:32 . 2008-02-20 14:32 <DIR> d-------- C:\VundoFix Backups
2008-02-19 23:37 . 2008-02-21 08:19 250 --a------ C:\WINDOWS\gmer.ini
2008-02-18 14:02 . 2008-02-18 14:02 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-02-18 14:02 . 2008-02-18 14:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-18 10:44 . 2008-02-18 10:44 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-18 10:39 . 2008-02-18 10:39 812,344 --a------ C:\temp\HJTInstall.exe
2008-02-18 00:53 . 2008-02-18 00:53 2,062,665 --a------ C:\temp\spywareguardsetup.exe
2008-02-18 00:42 . 2008-02-18 00:43 2,566,736 --a------ C:\temp\spywareblastersetup351.exe
2008-02-17 23:14 . 2008-02-17 23:13 15,852,952 --a------ C:\temp\jre-6u4-windows-i586-p.exe.exe
2008-02-17 21:53 . 2008-02-17 21:53 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-17 21:53 . 2008-02-17 21:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-17 21:02 . 2002-09-20 10:53 235,100 --a------ C:\WINDOWS\system32\drivers\MidiSyn.sys
2008-02-17 21:01 . 2008-02-17 21:01 <DIR> d-------- C:\WINDOWS\VirtualEar
2008-02-17 21:01 . 2008-02-17 21:01 <DIR> d-------- C:\Program Files\Analog Devices
2008-02-17 21:01 . 2001-09-11 15:20 1,285,632 --a------ C:\WINDOWS\system32\SMMedia.dll
2008-02-17 21:01 . 2001-09-19 13:47 765,952 --a------ C:\WINDOWS\system\crlds3d.dll
2008-02-17 21:01 . 2001-09-19 13:47 720,896 --a------ C:\WINDOWS\system32\Audio3d.dll
2008-02-17 21:01 . 2003-06-02 13:42 578,304 --a------ C:\WINDOWS\system32\drivers\smwdm.sys
2008-02-17 21:01 . 2003-03-13 18:34 100,224 --a------ C:\WINDOWS\system32\drivers\aeaudio.sys
2008-02-17 21:01 . 2003-01-08 11:23 49,152 --a------ C:\WINDOWS\system32\DSndUp.exe
2008-02-17 21:01 . 2002-04-17 15:05 45,056 --a------ C:\WINDOWS\system32\CleanUp.exe
2008-02-17 21:01 . 2001-09-11 15:20 30,208 --a------ C:\WINDOWS\system32\wdmioctl.dll
2008-02-17 21:01 . 2003-03-13 15:40 3,744 --a------ C:\WINDOWS\system32\drivers\smsens.sys
2008-02-17 20:34 . 2008-02-18 23:21 <DIR> d-------- C:\temp\WinLicenseDemo
2008-02-17 18:53 . 2008-02-17 18:53 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-17 16:44 . 2007-12-04 14:04 837,496 --a------ C:\WINDOWS\system32\aswBoot.exe
2008-02-17 16:44 . 2007-12-04 13:54 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2008-02-17 16:44 . 2007-12-04 15:55 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2008-02-17 16:44 . 2007-12-04 15:56 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2008-02-17 16:44 . 2007-12-04 15:51 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2008-02-17 16:44 . 2007-12-04 15:49 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2008-02-17 16:44 . 2007-12-04 15:53 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2008-02-17 13:35 . 2008-02-17 13:35 55 --a------ C:\WINDOWS\regrunfix.rnr
2008-02-17 03:58 . C:\WINDOWS\(2) C:\ComboFix\winstart.bat
2008-02-16 23:10 . 2008-02-16 23:12 <DIR> d-------- C:\Documents and Settings\Joakim\Application Data\PrevxCSI
2008-02-16 09:09 . 2008-02-16 21:37 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-02-15 16:31 . 2008-02-17 14:18 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-02-15 16:30 . 2008-02-15 22:55 <DIR> d-------- C:\Documents and Settings\Joakim\.housecall6.6
2008-02-15 15:20 . 2008-02-17 22:57 <DIR> d-------- C:\Program Files\Trojan Remover
2008-02-15 15:20 . 2008-02-15 15:20 <DIR> d-------- C:\Documents and Settings\Joakim\Application Data\Simply Super Software
2008-02-15 15:20 . 2008-02-15 15:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Simply Super Software
2008-02-15 15:20 . 2006-05-25 14:52 162,304 --a------ C:\WINDOWS\system32\ztvunrar36.dll
2008-02-15 15:20 . 2003-02-02 19:06 153,088 --a------ C:\WINDOWS\system32\UNRAR3.dll
2008-02-15 15:20 . 2005-08-26 00:50 77,312 --a------ C:\WINDOWS\system32\ztvunace26.dll
2008-02-15 15:20 . 2002-03-06 00:00 75,264 --a------ C:\WINDOWS\system32\unacev2.dll
2008-02-15 15:20 . 2006-06-19 12:01 69,632 --a------ C:\WINDOWS\system32\ztvcabinet.dll
2008-02-15 00:12 . 2008-02-15 00:11 407,680 --a------ C:\temp\aswclnr.exe
2008-02-14 22:43 . 2008-02-17 15:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-14 22:27 . 2008-02-14 22:38 21,364,592 --a------ C:\temp\aaw2007.exe
2008-02-14 22:22 . 2008-02-14 22:22 17,255,626 --a------ C:\temp\WinLicenseDemo.zip
2008-02-14 12:41 . 2008-02-14 12:41 499,712 --a------ C:\WINDOWS\system32\ExSlider.dll
2008-02-14 12:41 . 2008-02-14 12:41 203,488 --a------ C:\WINDOWS\system32\ExSlider.chm
2008-02-14 12:40 . 2008-02-14 12:40 573,440 --a------ C:\WINDOWS\system32\ExStatusBar.dll
2008-02-14 12:40 . 2008-02-14 12:40 436,674 --a------ C:\WINDOWS\system32\ExStatusBar.chm
2008-02-14 12:39 . 2008-02-14 12:39 434,176 --a------ C:\WINDOWS\system32\ExThumbnail.dll
2008-02-14 12:34 . 2008-02-14 12:34 331,776 --a------ C:\WINDOWS\system32\ExTexture.dll
2008-02-14 12:34 . 2008-02-14 12:34 102,224 --a------ C:\WINDOWS\system32\ExTexture.chm
2008-02-14 12:31 . 2008-02-14 12:31 172,032 --a------ C:\WINDOWS\system32\MaskEdit.dll
2008-02-14 12:31 . 2008-02-14 12:31 53,672 --a------ C:\WINDOWS\system32\MaskEdit.chm
2008-02-14 12:28 . 2008-02-14 12:28 <DIR> d-------- C:\Program Files\Copy of EXECryptor
2008-02-13 14:50 . 2008-02-13 14:50 389,120 --a------ C:\WINDOWS\system32\ExCalc.dll
2008-02-13 14:50 . 2008-02-13 14:50 84,478 --a------ C:\WINDOWS\system32\ExCalc.chm
2008-02-13 14:42 . 2008-02-13 14:42 479,232 --a------ C:\WINDOWS\system32\ExRolList.dll
2008-02-13 14:42 . 2008-02-13 14:42 210,902 --a------ C:\WINDOWS\system32\ExRolList.CHM
2008-02-13 14:03 . 2008-02-13 14:03 225,280 --a------ C:\WINDOWS\system32\ExShellView.dll
2008-02-13 14:03 . 2008-02-13 14:03 83,770 --a------ C:\WINDOWS\system32\ExShellView.chm
2008-02-13 13:58 . 2008-02-13 13:58 397,312 --a------ C:\WINDOWS\system32\ExFolderView.dll
2008-02-13 13:58 . 2008-02-13 13:58 117,644 --a------ C:\WINDOWS\system32\ExFolderView.chm
2008-02-13 13:52 . 2008-02-13 14:09 286,720 --a------ C:\WINDOWS\system32\ExToolTip.dll
2008-02-13 13:52 . 2008-02-13 14:09 119,264 --a------ C:\WINDOWS\system32\ExToolTip.chm
2008-02-13 13:34 . 2008-02-13 13:34 438,272 --a------ C:\WINDOWS\system32\ExLabel.dll
2008-02-13 13:34 . 2008-02-13 13:34 152,774 --a------ C:\WINDOWS\system32\ExLabel.chm
2008-02-12 20:09 . 2008-02-12 20:09 1,995,825 --a------ C:\WINDOWS\system32\ExGantt.chm
2008-02-12 20:09 . 2008-02-12 20:09 1,486,848 --a------ C:\WINDOWS\system32\ExGantt.dll
2008-02-12 20:05 . 2008-02-12 20:05 634,880 --a------ C:\WINDOWS\system32\ExCalendar.dll
2008-02-12 20:05 . 2008-02-12 20:05 460,734 --a------ C:\WINDOWS\system32\ExCalendar.chm
2008-02-12 19:56 . 2008-02-12 19:56 2,680,120 --a------ C:\WINDOWS\system32\ExG2antt.chm
2008-02-12 19:56 . 2008-02-12 19:56 1,933,312 --a------ C:\WINDOWS\system32\ExG2antt.dll
2008-02-12 10:16 . 2008-02-12 10:16 <DIR> d-------- C:\Program Files\QuickTime
2008-02-11 18:26 . 2008-02-11 18:26 <DIR> d-------- C:\WINDOWS\system32\js
2008-02-11 18:26 . 2008-02-11 18:26 <DIR> d-------- C:\WINDOWS\system32\images
2008-02-11 18:26 . 2008-02-11 18:26 <DIR> d-------- C:\WINDOWS\system32\html
2008-02-11 18:26 . 2008-02-11 18:26 <DIR> d-------- C:\WINDOWS\system32\css
2008-02-11 18:26 . 2008-02-11 18:26 <DIR> d-------- C:\Program Files\Business Objects
2008-02-11 18:10 . 2008-02-11 18:10 <DIR> d-------- C:\Program Files\Microsoft Device Emulator
2008-02-11 18:09 . 2008-02-11 18:09 <DIR> d-------- C:\Program Files\Windows Mobile 5.0 SDK R2
2008-02-11 18:08 . 2008-02-11 18:08 <DIR> d-------- C:\Program Files\Microsoft Synchronization Services
2008-02-11 18:08 . 2008-02-11 18:08 <DIR> d-------- C:\Program Files\Microsoft SQL Server Compact Edition
2008-02-11 17:51 . 2008-02-11 18:26 <DIR> d-------- C:\Program Files\Microsoft Visual Studio 9.0
2008-02-11 17:51 . 2008-02-11 17:51 <DIR> d-------- C:\Program Files\Microsoft SDKs

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-22 03:09 --------- d-----w C:\Documents and Settings\Joakim\Application Data\VMware
2008-02-20 01:00 --------- d-----w C:\Documents and Settings\NetworkService\Application Data\VMware
2008-02-20 01:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\VMware
2008-02-19 23:57 --------- d-----w C:\Program Files\SpywareGuard
2008-02-18 14:03 --------- d-----w C:\Documents and Settings\Joakim\Application Data\Skype
2008-02-17 23:50 --------- d-----w C:\Program Files\SpywareBlaster
2008-02-17 23:36 --------- d-----w C:\Program Files\SpeedFan
2008-02-17 22:27 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-17 22:19 --------- d-----w C:\Program Files\Java
2008-02-17 20:01 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-17 17:54 --------- d-----w C:\Program Files\Lavasoft
2008-02-16 23:46 --------- d-----w C:\Documents and Settings\LocalService\Application Data\VMware
2008-02-16 21:49 --------- d-----w C:\Documents and Settings\Joakim\Application Data\uTorrent
2008-02-16 20:50 --------- d-----w C:\Program Files\Windows Desktop Search
2008-02-14 23:04 --------- d-----w C:\Program Files\WYSIWYG Web Builder 4.0
2008-02-14 21:29 --------- d-----w C:\Documents and Settings\Joakim\Application Data\Lavasoft
2008-02-14 11:41 --------- d-----w C:\Program Files\Exontrol
2008-02-14 11:29 --------- d-----w C:\Program Files\EXECryptor
2008-02-12 23:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-02-12 09:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-02-11 17:37 --------- d-----w C:\Program Files\MSDN
2008-02-11 17:24 --------- d-----w C:\Program Files\Microsoft SQL Server
2008-02-11 17:21 --------- d-----w C:\Program Files\Microsoft.NET
2008-02-11 16:58 --------- d-----w C:\Program Files\Common Files\Merge Modules
2008-02-11 16:53 --------- d-----w C:\Program Files\MSBuild
2008-02-10 23:43 --------- d-----w C:\Program Files\FlashFXP
2008-02-01 20:16 --------- d-----w C:\Program Files\TortoiseCVS
2008-01-23 15:27 737,280 ----a-w C:\WINDOWS\iun6002.exe
2008-01-10 19:29 --------- d-----w C:\Documents and Settings\Joakim\Application Data\vlc
2008-01-04 22:28 --------- d-----w C:\Documents and Settings\Joakim\Application Data\VanDyke
2008-01-03 22:10 --------- d-----w C:\Program Files\Skype
2008-01-01 22:02 --------- d-----w C:\Program Files\TortoiseSVN
2007-12-24 01:22 --------- d-----w C:\Documents and Settings\Joakim\Application Data\phpDesigner 2008
2007-12-24 01:15 --------- d-----w C:\Program Files\phpDesigner 2008
2007-05-01 15:12 79,245 ----a-w C:\Documents and Settings\Joakim\Application Data\unins000.dat
2007-05-01 15:11 683,801 ----a-w C:\Documents and Settings\Joakim\Application Data\unins000.exe
2007-08-26 00:41 23 --sha-w C:\WINDOWS\system32\abbdadee_r.dll
.
 
Part 2

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseSVN]
@={30351346-7B7D-4FCC-81B4-1E394CA267EB}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseSVN]
@={30351347-7B7D-4FCC-81B4-1E394CA267EB}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseSVN]
@={30351348-7B7D-4FCC-81B4-1E394CA267EB}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseSVN]
@={3035134B-7B7D-4FCC-81B4-1E394CA267EB}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseSVN]
@={3035134C-7B7D-4FCC-81B4-1E394CA267EB}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseSVN]
@={3035134D-7B7D-4FCC-81B4-1E394CA267EB}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseSVN]
@={3035134E-7B7D-4FCC-81B4-1E394CA267EB}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseCVS0]
@={5d1cb710-1c4b-11d4-bed5-005004b1f42f}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseCVS1]
@={5d1cb711-1c4b-11d4-bed5-005004b1f42f}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseCVS2]
@={5d1cb712-1c4b-11d4-bed5-005004b1f42f}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseCVS3]
@={5d1cb713-1c4b-11d4-bed5-005004b1f42f}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseCVS4]
@={5d1cb714-1c4b-11d4-bed5-005004b1f42f}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseCVS5]
@={5d1cb715-1c4b-11d4-bed5-005004b1f42f}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseCVS6]
@={5d1cb716-1c4b-11d4-bed5-005004b1f42f}

[HKEY_CLASSES_ROOT\CLSID\{30351346-7B7D-4FCC-81B4-1E394CA267EB}]
2007-12-21 21:53 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_CLASSES_ROOT\CLSID\{30351347-7B7D-4FCC-81B4-1E394CA267EB}]
2007-12-21 21:53 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_CLASSES_ROOT\CLSID\{30351348-7B7D-4FCC-81B4-1E394CA267EB}]
2007-12-21 21:53 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_CLASSES_ROOT\CLSID\{3035134B-7B7D-4FCC-81B4-1E394CA267EB}]
2007-12-21 21:53 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_CLASSES_ROOT\CLSID\{3035134C-7B7D-4FCC-81B4-1E394CA267EB}]
2007-12-21 21:53 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_CLASSES_ROOT\CLSID\{3035134D-7B7D-4FCC-81B4-1E394CA267EB}]
2007-12-21 21:53 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_CLASSES_ROOT\CLSID\{3035134E-7B7D-4FCC-81B4-1E394CA267EB}]
2007-12-21 21:53 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_CLASSES_ROOT\CLSID\{5d1cb710-1c4b-11d4-bed5-005004b1f42f}]
2007-12-02 22:00 1421312 --a------ C:\Program Files\TortoiseCVS\TortoiseShell.dll

[HKEY_CLASSES_ROOT\CLSID\{5d1cb711-1c4b-11d4-bed5-005004b1f42f}]
2007-12-02 22:00 1421312 --a------ C:\Program Files\TortoiseCVS\TortoiseShell.dll

[HKEY_CLASSES_ROOT\CLSID\{5d1cb712-1c4b-11d4-bed5-005004b1f42f}]
2007-12-02 22:00 1421312 --a------ C:\Program Files\TortoiseCVS\TortoiseShell.dll

[HKEY_CLASSES_ROOT\CLSID\{5d1cb713-1c4b-11d4-bed5-005004b1f42f}]
2007-12-02 22:00 1421312 --a------ C:\Program Files\TortoiseCVS\TortoiseShell.dll

[HKEY_CLASSES_ROOT\CLSID\{5d1cb714-1c4b-11d4-bed5-005004b1f42f}]
2007-12-02 22:00 1421312 --a------ C:\Program Files\TortoiseCVS\TortoiseShell.dll

[HKEY_CLASSES_ROOT\CLSID\{5d1cb715-1c4b-11d4-bed5-005004b1f42f}]
2007-12-02 22:00 1421312 --a------ C:\Program Files\TortoiseCVS\TortoiseShell.dll

[HKEY_CLASSES_ROOT\CLSID\{5d1cb716-1c4b-11d4-bed5-005004b1f42f}]
2007-12-02 22:00 1421312 --a------ C:\Program Files\TortoiseCVS\TortoiseShell.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-02-12 11:18 1679729]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2003-05-29 16:28 790528]
"vmware-tray"="C:\Program Files\VMware\VMware Workstation\vmware-tray.exe" [2007-05-01 21:52 68400]
"VMware hqtray"="C:\Program Files\VMware\VMware Workstation\hqtray.exe" [2007-05-01 21:52 56112]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]

C:\Documents and Settings\Joakim\Start Menu\Programs\Startup\
SpeedFan.lnk.disabled [2006-03-04 16:49:13 682]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk.disabled [2006-02-03 00:05:49 1824]
Dispatcher.lnk.disabled [2006-04-05 16:01:09 856]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 setuid

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ATI Smart"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
"VMware hqtray"="C:\Program Files\VMware\VMware Workstation\hqtray.exe"
"vmware-tray"=C:\Program Files\VMware\VMware Workstation\vmware-tray.exe
"ATIPTA"=C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

R0 hotcore3;hotcore3;C:\WINDOWS\system32\drivers\hotcore3.sys [2007-03-07 12:27]
R3 vmkbd;VMware kbd;C:\WINDOWS\system32\drivers\VMkbd.sys [2007-05-01 21:52]
S2 SQLWriter;SQL Server VSS Writer;"c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [2007-02-10 05:29]
S2 tcaicchg;tcaicchg;C:\WINDOWS\System32\tcaicchg.sys [2000-06-06 11:08]
S2 TCAITDI;TCAITDI Protocol;C:\WINDOWS\system32\DRIVERS\TCAITDI.sys [2001-09-04 04:22]
S2 vstor2-ws60;Vstor2 WS60 Virtual Storage Driver;C:\Program Files\VMware\VMware Workstation\vstor2-ws60.sys [2007-04-09 12:55]
S3 ATICDSDr;ATICDSDr;C:\DOCUME~1\Joakim\LOCALS~1\Temp\ATICDSDr.sys []
S3 GTwinUSB;GTwinUSB;C:\WINDOWS\system32\Drivers\GTwinUSB.sys [2002-10-04 11:21]
S3 LCcfltr;Logitech USB Filter Driver;C:\WINDOWS\system32\Drivers\LCcFltr.Sys [2004-03-03 08:50]
S3 MBAMCatchMe;MBAMCatchMe;C:\Program Files\Malwarebytes' Anti-Malware\catchme.sys [2008-02-18 19:42]
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2005-08-02 22:10]
S3 VSPerfDrv90;Performance Tools Driver 9.0;C:\Program Files\Microsoft Visual Studio 9.0\Team Tools\Performance Tools\VSPerfDrv90.sys [2007-09-04 16:53]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;"C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" [2006-12-02 05:17]
S4 msvsmon90;Visual Studio 2008 Remote Debugger;"C:\Program Files\Microsoft Visual Studio 9.0\Common7\IDE\Remote Debugger\x86\msvsmon.exe" [2007-11-07 08:58]
S4 ufad-ws60;VMware Agent Service;"C:\Program Files\VMware\VMware Workstation\vmware-ufad.exe" -d "C:\Program Files\VMware\VMware Workstation\\" []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\Launcher.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-02-17 15:06:35 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-02-17 15:06:24 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-22 04:19:21
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
.
**************************************************************************
.
Completion time: 2008-02-22 4:26:54 - machine was rebooted
ComboFix2.txt 2008-02-21 21:57:46
ComboFix3.txt 2008-02-21 21:10:53
ComboFix4.txt 2008-02-20 01:08:07
ComboFix5.txt 2008-02-18 02:21:47
.
2008-02-12 23:25:53 --- E O F ---

I will now download a new copy of CF and try to run a scan with the current situation. I have not noticed any renaming, but that is possibly because of my very first actions. The files in the down dir have been there, but as I also said before, I tried to fix this myself before I turned here for help and was only half successful. I also think 1 CF log was lost, as the program seems to recycle them, pushing the stack after 5 runs/backups. But I think I got rid of these files without seeing them coming back, before I turned here.
 
Hi

This infection hides its reinfector in what appears to be a legitimate file with a legit run key, so that when you reboot it can reinfect ...

The first Combofix log shows this run key, & the infected file is atiptaxx.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2008-02-12 11:18 1679729]

The second Combofix log shows the atiptaxx.exe run key has been moved to the run- & now ashDisp.exe is the infector ... note the date & size on both files ...


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-02-12 11:18 1679729]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"ATIPTA"=C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

-
ComboFix 08-02-20.2 - Joakim 2008-02-20 1:53:02.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1518 [GMT 1:00]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2008-02-12 11:18 1679729]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 14:00 79224]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2003-05-29 16:28 790528]
"vmware-tray"="C:\Program Files\VMware\VMware Workstation\vmware-tray.exe" [2007-05-01 21:52 68400]
"VMware hqtray"="C:\Program Files\VMware\VMware Workstation\hqtray.exe" [2007-05-01 21:52 56112]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
"VMware hqtray"="C:\Program Files\VMware\VMware Workstation\hqtray.exe"
"vmware-tray"=C:\Program Files\VMware\VMware Workstation\vmware-tray.exe


-
ComboFix 08-02-20.2 - Joakim 2008-02-22 4:11:00.8 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1593 [GMT 1:00]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-02-12 11:18 1679729]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2003-05-29 16:28 790528]
"vmware-tray"="C:\Program Files\VMware\VMware Workstation\vmware-tray.exe" [2007-05-01 21:52 68400]
"VMware hqtray"="C:\Program Files\VMware\VMware Workstation\hqtray.exe" [2007-05-01 21:52 56112]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
"VMware hqtray"="C:\Program Files\VMware\VMware Workstation\hqtray.exe"
"vmware-tray"=C:\Program Files\VMware\VMware Workstation\vmware-tray.exe
"ATIPTA"=C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

--------------

Another interesting thing is XP doesn't by default have a :-

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-] key

It uses different keys ...

--
I'm sending you another PM

steam
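The two signals steam reads off the logs above can be checked mechanically: two different binaries under Run keys carrying exactly the same date and size stamp, and a file whose stamp changed between two ComboFix runs. The script below is an added example for this thread, not part of ComboFix or of anyone's post; it parses the Run / run- sections in ComboFix's own line format (the sample text is copied from the two logs quoted above) and reports both signals, plus any value name that went from Run to the non-default run- key. Function names and the report layout are my own choice.

```python
import re
from collections import defaultdict

# Run-key sections copied from the two ComboFix logs quoted in the thread
# (2008-02-20 and 2008-02-22). Only these sections are needed for the checks.
LOG_A = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2008-02-12 11:18 1679729]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 14:00 79224]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2003-05-29 16:28 790528]
"vmware-tray"="C:\Program Files\VMware\VMware Workstation\vmware-tray.exe" [2007-05-01 21:52 68400]
"VMware hqtray"="C:\Program Files\VMware\VMware Workstation\hqtray.exe" [2007-05-01 21:52 56112]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
"VMware hqtray"="C:\Program Files\VMware\VMware Workstation\hqtray.exe"
"vmware-tray"=C:\Program Files\VMware\VMware Workstation\vmware-tray.exe
"""

LOG_B = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-02-12 11:18 1679729]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2003-05-29 16:28 790528]
"vmware-tray"="C:\Program Files\VMware\VMware Workstation\vmware-tray.exe" [2007-05-01 21:52 68400]
"VMware hqtray"="C:\Program Files\VMware\VMware Workstation\hqtray.exe" [2007-05-01 21:52 56112]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
"VMware hqtray"="C:\Program Files\VMware\VMware Workstation\hqtray.exe"
"vmware-tray"=C:\Program Files\VMware\VMware Workstation\vmware-tray.exe
"ATIPTA"=C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
"""

HEADER_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
ENTRY_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<rest>.*)$')
# ComboFix appends "[YYYY-MM-DD HH:MM size]" for files it could stat.
STAMP_RE = re.compile(r"\[(?P<date>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) (?P<size>\d+)\]\s*$")


def parse_run_entries(log_text):
    """Return one dict per value line: key ('run' / 'run-'), name, path, date, size."""
    entries, key = [], None
    for line in (l.strip() for l in log_text.splitlines()):
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            key = m.group("key").rsplit("\\", 1)[-1].lower()
            continue
        m = ENTRY_RE.match(line)
        if not m or key is None:
            continue
        rest = m.group("rest")
        date = size = None
        stamp = STAMP_RE.search(rest)
        if stamp:
            date, size = stamp.group("date"), int(stamp.group("size"))
            rest = rest[:stamp.start()].strip()
        # Path is either quoted (arguments may follow) or bare.
        path = rest[1:rest.index('"', 1)] if rest.startswith('"') else rest
        entries.append({"key": key, "name": m.group("name"),
                        "path": path, "date": date, "size": size})
    return entries


def shared_fingerprints(entries):
    """(date, size) stamps that appear on more than one distinct file path."""
    seen = defaultdict(set)
    for e in entries:
        if e["date"] is not None:
            seen[(e["date"], e["size"])].add(e["path"].lower())
    return {fp: sorted(paths) for fp, paths in seen.items() if len(paths) > 1}


def changed_files(before, after):
    """Same path in both snapshots but with a different (date, size) stamp."""
    old = {e["path"].lower(): (e["date"], e["size"]) for e in before if e["date"]}
    out = []
    for e in after:
        p, new = e["path"].lower(), (e["date"], e["size"])
        if e["date"] and p in old and old[p] != new:
            out.append((p, old[p], new))
    return out


def moved_to_run_minus(before, after):
    """Value names that left Run and now sit only under the non-default run- key."""
    was_run = {e["name"] for e in before if e["key"] == "run"}
    still_run = {e["name"] for e in after if e["key"] == "run"}
    return sorted({e["name"] for e in after
                   if e["key"] == "run-" and e["name"] in was_run and e["name"] not in still_run})


if __name__ == "__main__":
    a, b = parse_run_entries(LOG_A), parse_run_entries(LOG_B)
    for fp, paths in shared_fingerprints(a + b).items():
        print("same stamp %s %d on: %s" % (fp[0], fp[1], ", ".join(paths)))
    for p, old, new in changed_files(a, b):
        print("stamp changed: %s %s -> %s" % (p, old, new))
    for name in moved_to_run_minus(a, b):
        print("moved Run -> run-: %s" % name)
```

Run against the two logs it flags the 2008-02-12 11:18 / 1679729 stamp as shared by atiptaxx.exe and ashDisp.exe, reports ashDisp.exe's stamp changing from 79224 bytes to 1679729, and lists ATIPTA as the value that moved to run-. Entries under run- carry no stamp in ComboFix output, so the size comparison relies on the Run section alone.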
 
Then I was right in my suspicion of the ATI driver, although it was more intuition than technical analysis :santa: and now it hits me I haven't seen the avast popper about updated definitions for a while :oops: but I have plugged the speakers into my notebook for some entertainment while waiting for scans :red:

So it should basically just be a matter of reinstalling Avast to replace the file, unless it has moved to another hideout.
 