Old 2008-02-19, 14:20   #1
yettyn
Member
 
Join Date: Feb 2008
Posts: 42
need help w/ hard to kill trojan

Hi, find HJT and KOS logs below; I have taken all the steps given in the sticky post.

I need help to complete and clean up a partly successful struggle with a nasty trojan that has bothered me since Friday night. I think it was some kind of Bagle that suddenly made me sober, as it blocked my avast and ad-aware programs, loaded some srosa.sys driver, created a dir named "down" in system32, populated with exe files with numbers as file names. It also created and started the files winterm.exe and hldrrr.exe, and apart from this it was not possible to run HJT or reboot into safe mode (the computer just rebooted).

To make a long story short, I am a geek and tried to fix this on my own (which I of course shouldn't have done, wiser now), running different online scanners which detected this and led me on the right track but of course asked for my money before fixing it, but I finally came across ComboFix which at first seemed to have fixed it.

Then I found Spybot, which alerted me that I was infected with Win32.Agent.bgy and Win32.Bagle.hi, and although I cleaned them out in Safe Mode and ran Spybot again when booting into normal mode and came up clean, I then get an error message saying "[256] Detected debugger running, please close etc" which goes away by itself, and when I then run Spybot again after the system has completed booting, the same Agent.bgy and Bagle.hi are detected. I looked around and have figured out that the trojan maybe was wrapped with Themida or something like that.

Anyhow, here are my logs as I stand now. Spybot is still open w/o fixing the detected infections, and the same with HJT.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:24:36, on 19/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Paradigma Software\Bonjour\mDNSResponder.exe
C:\Program Files\CVSNT\cvslock.exe
C:\Program Files\CVSNT\cvsservice.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\VMware\VMware Workstation\vmware-tray.exe
C:\Program Files\VMware\VMware Workstation\hqtray.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: (no name) - {E24AD748-155E-4254-B674-4EDF86E7E1DF} - (no file)
O2 - BHO: Microsoft Web Test Recorder 9.0 Helper - {E31CE47F-C268-41ba-897B-B415E613947D} - C:\Program Files\Microsoft Visual Studio 9.0\Common7\IDE\PrivateAssemblies\Microsoft.VisualStudio.QualityTools.RecorderBarBHO90.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [vmware-tray] C:\Program Files\VMware\VMware Workstation\vmware-tray.exe
O4 - HKLM\..\Run: [VMware hqtray] "C:\Program Files\VMware\VMware Workstation\hqtray.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: SpeedFan.lnk.disabled
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Acrobat Assistant.lnk.disabled
O4 - Global Startup: Dispatcher.lnk.disabled
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.astrocalc.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1189011463281
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O17 - HKLM\System\CCS\Services\Tcpip\..\{AB6B7C91-5A89-46B0-83B7-4A6328408ED3}: NameServer = 213.226.224.12,213.226.224.66
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Paradigma Software\Bonjour\mDNSResponder.exe
O23 - Service: CVSNT Locking Service 2.5.03.2382 (cvslock) - Unknown owner - C:\Program Files\CVSNT\cvslock.exe
O23 - Service: CVSNT Dispatch service 2.5.03.2382 (cvsnt) - March Hare Software Ltd - C:\Program Files\CVSNT\cvsservice.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: VMware Agent Service (ufad-ws60) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-ufad.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe

--
End of file - 9655 bytes

The virus scan took almost freaking 20h and the report is massive, so I cleaned out all except the detected infections.

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, February 19, 2008 10:54:31 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 18/02/2008
Kaspersky Anti-Virus database records: 570665
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
H:\
J:\

Scan Statistics:
Total number of scanned objects: 586273
Number of viruses found: 6
Number of infected objects: 15
Number of suspicious objects: 0
Duration of the scan process: 19:56:09

Infected Object Name / Virus Name / Last Action
...
C:\Documents and Settings\Joakim\My Documents\Downloads\Stardock SkinStudio Professional\SkinStudio5_Pro.exe/data0000.cab/devenv.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.ks skipped
C:\Documents and Settings\Joakim\My Documents\Downloads\Stardock SkinStudio Professional \SkinStudio5_Pro.exe/data0000.cab Infected: not-a-virus:AdWare.Win32.Virtumonde.ks skipped
C:\Documents and Settings\Joakim\My Documents\Downloads\Stardock SkinStudio Professional\SkinStudio5_Pro.exe Rsrc-Package: infected - 2 skipped
C:\Old F\dl\SQLDiff\digf287a.zip/runme.zip/runme.exe Infected: Trojan.Win32.Dialer.oi skipped
C:\Old F\dl\SQLDiff\digf287a.zip/runme.zip Infected: Trojan.Win32.Dialer.oi skipped
C:\Old F\dl\SQLDiff\digf287a.zip ZIP: infected - 2 skipped
C:\Old G\dlfiles\flashget\fgf140.exe/WISE0018.BIN/cd_clint.dll Infected: not-a-virus:AdWare.Win32.Cydoor skipped
C:\Old G\dlfiles\flashget\fgf140.exe/WISE0018.BIN Infected: not-a-virus:AdWare.Win32.Cydoor skipped
C:\Old G\dlfiles\flashget\fgf140.exe WiseSFX: infected - 2 skipped
C:\Old G\dlfiles\MailThem\igmsetup.exe/AJJ.EXE Infected: not-a-virus:AdWare.Win32.Aureate.d skipped
C:\Old G\dlfiles\MailThem\igmsetup.exe ZIP: infected - 1 skipped
C:\Old G\dlfiles\MailThem\igmsetup.exe WiseSFXDropper: infected - 1 skipped
C:\reggapps\Unisuite\hz-utx01.exe/run.exe Infected: Trojan-Downloader.Win32.Harnig.bg skipped
C:\reggapps\Unisuite\hz-utx01.exe ZIP: infected - 1 skipped
C:\WINDOWS\system32\drivers\SROSA.SYS.del Infected: Trojan-Downloader.Win32.Bagle.iw skipped
...
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

Now I touch nothing before I get instructions.
Old 2008-02-23, 15:33   #2
steamwiz
Security Expert-Emeritus
 
 
Join Date: Dec 2005
Location: Yorkshire. U.K.
Posts: 1,326

HI

Hijackthis only has a couple of orphan reg keys to remove:-

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {E24AD748-155E-4254-B674-4EDF86E7E1DF} - (no file)

Do you really need this in your trusted sites?

O15 - Trusted Zone: *.astrocalc.com

You do realise that putting any site in here is like giving a stranger the keys to your house; it can run anything on your computer without informing you.

RE: KAV scan log ....

It looks like you have been downloading cracked programs; these nearly always come with a "little extra".

C:\Documents and Settings\Joakim\My Documents\Downloads\Stardock SkinStudio Professional\SkinStudio5_Pro.exe ... Infected with AdWare.Win32.Virtumonde.ks

-
C:\Old F\dl\SQLDiff\digf287a.zip/runme.zip/runme.exe Infected: Trojan.Win32.Dialer.oi skipped
C:\Old F\dl\SQLDiff\digf287a.zip/runme.zip Infected: Trojan.Win32.Dialer.oi skipped

This could be a legit dialer ... or a porn dialer ... if you don't know what it is, get the file checked out here :-

http://www.virustotal.com/flash/index_en.html

or just delete it.

-
C:\Old G\dlfiles\flashget\fgf140.exe

AdWare.Win32.Cydoor ... more adware - delete it

-
C:\Old G\dlfiles\MailThem\igmsetup.exe

& more to delete ... Win32.Aureate.d

-
C:\reggapps\Unisuite\hz-utx01.exe

Trojan-Downloader.Win32.Harnig.bg .. delete

-
C:\WINDOWS\system32\drivers\SROSA.SYS.del ... Infected: Trojan-Downloader.Win32.Bagle.iw skipped

delete this ...

-------
Run spybot again & post the log ...

THEN ...

Please follow these instructions for running Combofix:

http://www.bleepingcomputer.com/comb...o-use-combofix

1. When finished, it will produce a logfile located at C:\ComboFix.txt.
2. Post the contents of that log in your next reply with a new hijackthis log.

Notes:
* Do not mouse-click combofix's window while it is running. That may cause your system to stall/hang.
* Disable script blocking if you have NAV installed so it will not interfere with the fix. Trojan Hunter has been reported to detect combofix as Worm.Qiv.100.

Please remember to post :-


1. Spybot log
2. C:\ComboFix.txt


steam
__________________
MICROSOFT MVP - Security 2004/9 .member of ASAP since 2004 - member of U.N.I.T.E
Old 2008-02-23, 16:04   #3
yettyn
Member
 
Join Date: Feb 2008
Posts: 42

Thanks for finally coming to my assistance, I was just about to enter the waiting room ;-)

I will do as you said... but first, it's correct that I have downloaded cracked programs, but it's not quite how it looks... can I PM you with some details I don't like to be publicly visible, which would also help to solve this case?

/Y
Old 2008-02-23, 16:14   #4
steamwiz
Security Expert-Emeritus
 
 
Join Date: Dec 2005
Location: Yorkshire. U.K.
Posts: 1,326

Quote:
Originally Posted by yettyn
Thanks for finally coming to my assistance, I was just about to enter the waiting room ;-)

I will do as you said... but first, it's correct that I have downloaded cracked programs, but it's not quite how it looks... can I PM you with some details I don't like to be publicly visible, which would also help to solve this case?

/Y
Sorry for the delay, I've just been working on the older posts; everyone who posted more than 4 days ago has now received a reply, I'm happy to say.

Sure, please feel free to send me a PM.

steam
__________________
MICROSOFT MVP - Security 2004/9 .member of ASAP since 2004 - member of U.N.I.T.E
Old 2008-02-23, 18:34   #5
yettyn
Member
 
Join Date: Feb 2008
Posts: 42

All virus junk was deleted right away; in fact it was mostly old stuff taking up HDD space anyway - I must get myself a smaller HDD to become less lazy. I am pretty sure my infection didn't come from there anyhow, as I know where and when I got it. My Avast was taken by surprise, but in fact only 2 of 32 scanners at Jotti and viruscontrol did catch it when I sent up the infecting file.

As I said in my PM, I became a bit too restless after waiting for 2 days and took some steps to gather more information, both regarding the threat and what was going on inside my computer, like I have run Spybot several times and it basically goes around in circles. So I post several logs to give you proper information, basically the very first one and the last.

I have cleaned out tracking cookies, and also the item Partizan below I am pretty sure is a false positive, as it belongs to RegRun which I at least think is a legitimate anti-malware program?

17.02.2008 22:02:33 - ##### check started #####
17.02.2008 22:02:33 - ### Version: 1.5.2
17.02.2008 22:02:33 - ### Date: 17/02/2008 22:02:33
17.02.2008 22:02:34 - ##### checking bots #####
17.02.2008 22:10:20 - found: Microsoft.WindowsSecurityCenter.AntiVirusOverride Settings
17.02.2008 22:17:01 - found: Win32.Agent.bgy Settings
17.02.2008 22:17:11 - found: Win32.Bagle.hi Settings
17.02.2008 22:17:11 - found: Win32.Bagle.hi Program directory
17.02.2008 22:17:48 - found: Win32.VB.jl Settings
17.02.2008 22:17:49 - found: Win32.VB.jl Settings
17.02.2008 22:21:57 - ##### check finished #####


--- Report generated: 2008-02-17 22:21 ---

Microsoft.WindowsSecurityCenter.AntiVirusOverride: [SBI $3604910C] Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusOverride

Win32.Agent.bgy: [SBI $3FF5579E] Settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1482476501-507921405-725345543-1003\Software\FirstRRRun

Win32.Bagle.hi: [SBI $FF44CCD9] Settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1482476501-507921405-725345543-1003\Software\ts

Win32.Bagle.hi: [SBI $37536BC2] Program directory (Directory, nothing done)
C:\WINDOWS\system32\drivers\down\

Win32.VB.jl: [SBI $4A7DE52E] Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Partizan

Win32.VB.jl: [SBI $3C98DC13] Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Partizan


--- Spybot - Search & Destroy version: 1.5.2 (build: 20080128) ---

2008-01-28 blindman.exe (1.0.0.7)
2008-01-28 SDDelFile.exe (1.0.2.4)
2008-01-28 SDMain.exe (1.0.0.5)
2007-10-07 SDShred.exe (1.0.1.2)
2008-01-28 SDUpdate.exe (1.0.8.8)
2008-01-28 SDWinSec.exe (1.0.0.11)
2008-01-28 SpybotSD.exe (1.5.2.20)
2008-01-28 TeaTimer.exe (1.5.2.16)
2008-02-17 unins000.exe (51.49.0.0)
2008-01-28 Update.exe (1.4.0.6)
2008-01-28 advcheck.dll (1.5.4.5)
2007-04-02 aports.dll (2.1.0.0)
2007-11-17 DelZip179.dll (1.79.7.4)
2008-01-28 SDFiles.dll (1.5.1.19)
2008-01-28 SDHelper.dll (1.5.0.11)
2008-01-28 Tools.dll (2.1.3.3)
2008-02-13 Includes\Cookies.sbi (*)
2007-12-26 Includes\Dialer.sbi (*)
2008-02-13 Includes\DialerC.sbi (*)
2008-02-13 Includes\HeavyDuty.sbi (*)
2008-02-13 Includes\Hijackers.sbi (*)
2008-02-13 Includes\HijackersC.sbi (*)
2008-02-13 Includes\Keyloggers.sbi (*)
2008-02-13 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2008-02-13 Includes\Malware.sbi (*)
2008-02-13 Includes\MalwareC.sbi (*)
2007-10-24 Includes\PUPS.sbi (*)
2008-02-13 Includes\PUPSC.sbi (*)
2008-02-13 Includes\Revision.sbi (*)
2008-01-09 Includes\Security.sbi (*)
2008-02-13 Includes\SecurityC.sbi (*)
2008-02-13 Includes\Spybots.sbi (*)
2008-02-13 Includes\SpybotsC.sbi (*)
2007-11-06 Includes\Tracks.uti
2008-02-13 Includes\Trojans.sbi (*)
2008-02-13 Includes\TrojansC.sbi (*)
2007-12-24 Plugins\TCPIPAddress.dll

This first pass was done in safe mode I think; then I booted normally and ran again to get this:

17.02.2008 22:34:16 - ##### check started #####
17.02.2008 22:34:16 - ### Version: 1.5.2
17.02.2008 22:34:16 - ### Date: 17/02/2008 22:34:16
17.02.2008 22:34:17 - ##### checking bots #####
17.02.2008 22:47:10 - found: Win32.Agent.bgy Settings
17.02.2008 22:47:19 - found: Win32.Bagle.hi Program directory
17.02.2008 22:51:53 - ##### check finished #####

--- Report generated: 2008-02-17 22:53 ---

Win32.Agent.bgy: [SBI $3FF5579E] Settings (Registry key, fixed)
HKEY_USERS\S-1-5-21-1482476501-507921405-725345543-1003\Software\FirstRRRun

Win32.Bagle.hi: [SBI $37536BC2] Program directory (Directory, fixed)
C:\WINDOWS\system32\drivers\down\


--- Spybot - Search & Destroy version: 1.5.2 (build: 20080128) ---

2008-01-28 blindman.exe (1.0.0.7)
2008-01-28 SDDelFile.exe (1.0.2.4)
2008-01-28 SDMain.exe (1.0.0.5)
2007-10-07 SDShred.exe (1.0.1.2)
2008-01-28 SDUpdate.exe (1.0.8.8)
2008-01-28 SDWinSec.exe (1.0.0.11)
2008-01-28 SpybotSD.exe (1.5.2.20)
2008-01-28 TeaTimer.exe (1.5.2.16)
2008-02-17 unins000.exe (51.49.0.0)
2008-01-28 Update.exe (1.4.0.6)
2008-01-28 advcheck.dll (1.5.4.5)
2007-04-02 aports.dll (2.1.0.0)
2007-11-17 DelZip179.dll (1.79.7.4)
2008-01-28 SDFiles.dll (1.5.1.19)
2008-01-28 SDHelper.dll (1.5.0.11)
2008-01-28 Tools.dll (2.1.3.3)
2008-02-13 Includes\Cookies.sbi (*)
2007-12-26 Includes\Dialer.sbi (*)
2008-02-13 Includes\DialerC.sbi (*)
2008-02-13 Includes\HeavyDuty.sbi (*)
2008-02-13 Includes\Hijackers.sbi (*)
2008-02-13 Includes\HijackersC.sbi (*)
2008-02-13 Includes\Keyloggers.sbi (*)
2008-02-13 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2008-02-13 Includes\Malware.sbi (*)
2008-02-13 Includes\MalwareC.sbi (*)
2007-10-24 Includes\PUPS.sbi (*)
2008-02-13 Includes\PUPSC.sbi (*)
2008-02-13 Includes\Revision.sbi (*)
2008-01-09 Includes\Security.sbi (*)
2008-02-13 Includes\SecurityC.sbi (*)
2008-02-13 Includes\Spybots.sbi (*)
2008-02-13 Includes\SpybotsC.sbi (*)
2007-11-06 Includes\Tracks.uti
2008-02-13 Includes\Trojans.sbi (*)
2008-02-13 Includes\TrojansC.sbi (*)
2007-12-24 Plugins\TCPIPAddress.dll

to be continued...
__________________
Life on Earth is expensive but it includes a free trip around the Sun every year.
Old 2008-02-23, 21:39   #6
steamwiz
Security Expert-Emeritus
 
 
Join Date: Dec 2005
Location: Yorkshire. U.K.
Posts: 1,326

HI

Microsoft.WindowsSecurityCenter.AntiVirusOverride: [SBI $3604910C] Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusOverride

This may or may not be malware related ... it could be your anti-virus claiming responsibility for monitoring itself.

-
17.02.2008 22:47:10 - found: Win32.Agent.bgy Settings
17.02.2008 22:47:19 - found: Win32.Bagle.hi Program directory

Win32.Agent.bgy: [SBI $3FF5579E] Settings (Registry key, fixed)
HKEY_USERS\S-1-5-21-1482476501-507921405-725345543-1003\Software\FirstRRRun

Would you please run Regedit & export this key :-

HKEY_USERS\S-1-5-21-1482476501-507921405-725345543-1003\Software\FirstRRRun

Then copy & paste the contents here.


Win32.Bagle.hi: [SBI $37536BC2] Program directory (Directory, fixed)
C:\WINDOWS\system32\drivers\down\

these are bagle ... surprisingly it shows nothing in the "down" folder ...

-
This is from another Spybot log; you will notice that Spybot deletes all files in the System32\drivers\down\ folder.

Win32.Agent.bgy: [SBI $3FF5579E] Einstellungen (Registrierungsdatenbank-Schlüssel, fixed)
HKEY_USERS\S-1-5-21-1009317085-2326122771-423037255-1000\Software\FirstRRRun

Win32.Bagle.hi: [SBI $FF44CCD9] Einstellungen (Registrierungsdatenbank-Schlüssel, fixed)
HKEY_USERS\S-1-5-21-1009317085-2326122771-423037255-1000\Software\ts

Win32.Bagle.hi: [SBI $37536BC2] Programm-Verzeichnis (Verzeichnis, fixed)
C:\Windows\System32\drivers\down\

Win32.Bagle.hi: [SBI $5A6A2EC7] Ausführbare Datei (Datei, fixed)
C:\Windows\System32\drivers\down\245359.exe

Win32.Bagle.hi: [SBI $5A6A2EC7] Ausführbare Datei (Datei, fixed)
C:\Windows\System32\drivers\down\280078.exe

Win32.Bagle.hi: [SBI $5A6A2EC7] Ausführbare Datei (Datei, fixed)
C:\Windows\System32\drivers\down\285765.exe

---------
Here's another Bagle similar to yours, but this version has been around for over 2 years:

http://vil.nai.com/vil/content/v_138585.htm

--
You say you've run Combofix; Bagle notoriously corrupts the headers of certain exe files, Combofix included, unless the exe is renamed first (before download) ... but you had no trouble running it?

I'll be interested to see some of your Combofix logs ..

steam
__________________
MICROSOFT MVP - Security 2004/9 .member of ASAP since 2004 - member of U.N.I.T.E
Old 2008-02-23, 21:40   #7
yettyn
Member
 
Join Date: Feb 2008
Posts: 42

So here we kind of start over with fresh logs. First an observation though. Last Friday when this started, I happened to double-click that file I told you about, resulting in a dialog saying "select file to crack". It was Friday night and I selected the file I opened, somewhat puzzled, before I realized what had happened.

I immediately took preventive measures like pulling the net cable and opening Windows Task Manager, where I saw these numbered .exe files popping up, which I understood were crap and killed; relatively soon I also located hldrrr.exe and winterms.exe, which were killed, but at this stage I was still unaware of srosa.sys. Possibly the fast response to the situation limited the damage somehow; at least I never saw much of that in the other thread you pointed me at. I found some of the registry keys and values, which I deleted, although some of the srosa stuff was hard to get rid of as it didn't help to change permissions inside regedit, and at that point I could open none of my usual security programs, nor install HJT.

Anyhow, that open dialog never showed up again, until now. Now it comes up every time I boot into normal mode. If I just leave it there, nothing further seems to happen. I surely won't select any file, and Cancel probably won't make much difference, so I tested the X instead, which results in the system taking a dive after a short delay. But as I said, if I just leave it open there, things seem to be status quo and I can use the system.

The very first time I "managed" to get this dialog to come back was on Wednesday, when I got restless and started to poke around, did some different online scans and finally was able to clean out much, although after reboot the classic things came back. I then noticed there was something strange with my display driver, and looking for hidden/camouflaged things I couldn't find anything else except legit things that loaded. Actually it started with me trying to install a new ATI Catalyst driver set, but as the first ATI screen loaded I got a message that I needed Admin privileges (or something similar) to install. I then decided to uninstall the ATI drivers (I have a Radeon 9250) and bump down to VGA and see what happened. Before I rebooted I cleaned up the virus tracks, and when the machine came up I saw no down dir and a Spybot scan came out clear - at that point I thought I had done it... but as soon as I touched the install new hardware dialog that came up for the missing display driver, that dialog popped up again!

Now I think it's RegRun's Anti-rootkit driver, which loads early, that actually forces the dialog up to the surface instead of hiding. Anyhow, that's where I am now. I will post Spybot logs right away in a new post and then run Combofix to see where it gets us. I assume I should disable RegRun then, although I am a bit reluctant as I basically know how the CF will come out: it will delete the down dir and then reboot, and after reboot the dir is back as well as the reg keys. Or do you have a better idea? Basically I think I have it all out, except for 1 place where it hides and reincarnates unless we can give it a final blow.
__________________
Life on Earth is expensive but it includes a free trip around the Sun every year.
Old 2008-02-23, 21:52   #8
yettyn
Member
 
Join Date: Feb 2008
Posts: 42
First some logs

Spybot in Safe Mode:
23.02.2008 19:52:32 - ##### check started #####
23.02.2008 19:52:32 - ### Version: 1.5.2
23.02.2008 19:52:32 - ### Date: 2008-02-23 19:52:32
23.02.2008 19:52:33 - ##### checking bots #####
23.02.2008 20:11:01 - found: Win32.Agent.bgy Settings
23.02.2008 20:11:17 - found: Win32.Bagle.hi Program directory
23.02.2008 20:12:14 - found: Win32.VB.jl Settings
23.02.2008 20:17:46 - ##### checking usage tracking #####
23.02.2008 20:17:46 - found: Common Dialogs History 4 files
23.02.2008 20:17:46 - found: Log Activity: ntbtlog.txt ntbtlog.txt
23.02.2008 20:17:46 - found: Log Install: setupapi.log setupapi.log
23.02.2008 20:17:46 - found: Log Shutdown: System32\wbem\logs\wbemess.log System32\wbem\logs\wbemess.log
23.02.2008 20:17:46 - found: Log Shutdown: System32\wbem\logs\wmiprov.log System32\wbem\logs\wmiprov.log
23.02.2008 20:17:47 - found: 7-Zip Folder history
23.02.2008 20:17:47 - found: 7-Zip Last used folder
23.02.2008 20:17:48 - found: Internet Explorer Typed URL list 1 files
23.02.2008 20:17:48 - found: MS Management Console Recent command list 1 files
23.02.2008 20:17:50 - found: MS Office 12.0 (Word) Recent Document List 1 files
23.02.2008 20:17:51 - found: MS Regedit Recent open key
23.02.2008 20:17:52 - found: Windows Explorer Run history 2 files
23.02.2008 20:17:52 - found: Windows Explorer Stream history 2 files
23.02.2008 20:17:52 - found: Windows Explorer User Assistant history IE 4 files
23.02.2008 20:17:52 - found: Windows Explorer User Assistant history files 19 files
23.02.2008 20:17:52 - found: Windows Explorer Last visited history 2 files
23.02.2008 20:17:52 - found: Windows Explorer Recent file global history
23.02.2008 20:17:53 - found: Cookie Cookie (5)
23.02.2008 20:17:53 - found: Cache Cache (138)
23.02.2008 20:17:53 - found: History History (22)
23.02.2008 20:17:53 - found: Cookie Cookie (20)
23.02.2008 20:17:53 - ##### check finished #####


--- Report generated: 2008-02-23 20:17 ---

Win32.Agent.bgy: [SBI $3FF5579E] Settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1482476501-507921405-725345543-1003\Software\FirstRRRun

Win32.Bagle.hi: [SBI $37536BC2] Program directory (Directory, nothing done)
C:\WINDOWS\system32\drivers\down\

Win32.VB.jl: [SBI $4A7DE52E] Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Partizan

Common Dialogs: [SBI $4CDCC3D5] History (4 files) (Registry key, nothing done)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU

Log: [SBI $4CDCC3D5] Activity: ntbtlog.txt (Backup file, nothing done)
C:\WINDOWS\ntbtlog.txt

Log: [SBI $4CDCC3D5] Install: setupapi.log (Backup file, nothing done)
C:\WINDOWS\setupapi.log

Log: [SBI $4CDCC3D5] Shutdown: System32\wbem\logs\wbemess.log (Backup file, nothing done)
C:\WINDOWS\System32\wbem\logs\wbemess.log

Log: [SBI $4CDCC3D5] Shutdown: System32\wbem\logs\wmiprov.log (Backup file, nothing done)
C:\WINDOWS\System32\wbem\logs\wmiprov.log

7-Zip: [SBI $12C3A52C] Folder history (Registry value, nothing done)
HKEY_USERS\S-1-5-21-1482476501-507921405-725345543-1003\Software\7-ZIP\FM\FolderHistory

7-Zip: [SBI $3D5692BD] Last used folder (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1482476501-507921405-725345543-1003\Software\7-ZIP\FM\PanelPath0

Internet Explorer: [SBI $1E8157BE] Typed URL list (1 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1482476501-507921405-725345543-1003\Software\Microsoft\Internet Explorer\TypedURLs

MS Management Console: [SBI $ECD50EAD] Recent command list (1 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1482476501-507921405-725345543-1003\Software\Microsoft\Microsoft Management Console\Recent File List

MS Office 12.0 (Word): [SBI $E357B233] Recent Document List (1 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1482476501-507921405-725345543-1003\Software\Microsoft\Office\12.0\Word\File MRU

MS Regedit: [SBI $C3B62FC1] Recent open key (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1482476501-507921405-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit\LastKey

Windows Explorer: [SBI $7308A845] Run history (2 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1482476501-507921405-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU

Windows Explorer: [SBI $AA0766B5] Stream history (2 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1482476501-507921405-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\StreamMRU

Windows Explorer: [SBI $2026AFB6] User Assistant history IE (4 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1482476501-507921405-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{5E6AB780-7743-11CF-A12B-00AA004AE837}\Count

Windows Explorer: [SBI $6107D172] User Assistant history files (19 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1482476501-507921405-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count

Windows Explorer: [SBI $B7EBA926] Last visited history (2 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1482476501-507921405-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU

Windows Explorer: [SBI $D20DA0AD] Recent file global history (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1482476501-507921405-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs

Cookie: Cookie (5) (Cookie, nothing done)


Cache: Cache (138) (Cache, nothing done)


History: History (22) (History, nothing done)


Cookie: Cookie (20) (Cookie, nothing done)



--- Spybot - Search & Destroy version: 1.5.2 (build: 20080128) ---

2008-01-28 blindman.exe (1.0.0.7)
2008-01-28 SDDelFile.exe (1.0.2.4)
2008-01-28 SDMain.exe (1.0.0.5)
2007-10-07 SDShred.exe (1.0.1.2)
2008-01-28 SDUpdate.exe (1.0.8.8)
2008-01-28 SDWinSec.exe (1.0.0.11)
2008-01-28 SpybotSD.exe (1.5.2.20)
2008-01-28 TeaTimer.exe (1.5.2.16)
2008-02-17 unins000.exe (51.49.0.0)
2008-01-28 Update.exe (1.4.0.6)
2008-01-28 advcheck.dll (1.5.4.5)
2007-04-02 aports.dll (2.1.0.0)
2007-11-17 DelZip179.dll (1.79.7.4)
2008-01-28 SDFiles.dll (1.5.1.19)
2008-01-28 SDHelper.dll (1.5.0.11)
2008-01-28 Tools.dll (2.1.3.3)
2008-02-13 Includes\Beta.sbi (*)
2007-11-06 Includes\Beta.uti (*)
2008-02-20 Includes\Cookies.sbi (*)
2007-12-26 Includes\Dialer.sbi (*)
2008-02-20 Includes\DialerC.sbi (*)
2008-02-20 Includes\HeavyDuty.sbi (*)
2008-02-20 Includes\Hijackers.sbi (*)
2008-02-20 Includes\HijackersC.sbi (*)
2008-02-20 Includes\Keyloggers.sbi (*)
2008-02-20 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2008-02-20 Includes\Malware.sbi (*)
2008-02-20 Includes\MalwareC.sbi (*)
2008-02-20 Includes\PUPS.sbi (*)
2008-02-20 Includes\PUPSC.sbi (*)
2008-02-20 Includes\Revision.sbi (*)
2008-01-09 Includes\Security.sbi (*)
2008-02-20 Includes\SecurityC.sbi (*)
2008-02-20 Includes\Spybots.sbi (*)
2008-02-20 Includes\SpybotsC.sbi (*)
2007-11-06 Includes\Tracks.uti (*)
2008-02-20 Includes\Trojans.sbi (*)
2008-02-20 Includes\TrojansC.sbi (*)
2007-12-24 Plugins\TCPIPAddress.dll

After cleaning, it automatically runs again (but only in Safe Mode, it appears).

23.02.2008 20:22:09 - ##### check started #####
23.02.2008 20:22:09 - ### Version: 1.5.2
23.02.2008 20:22:09 - ### Date: 2008-02-23 20:22:09
23.02.2008 20:22:11 - ##### checking bots #####
23.02.2008 20:42:32 - ##### checking usage tracking #####
23.02.2008 20:42:32 - found: Common Dialogs History 4 files
23.02.2008 20:42:32 - found: Log Activity: ntbtlog.txt ntbtlog.txt
23.02.2008 20:42:32 - found: Log Install: setupapi.log setupapi.log
23.02.2008 20:42:32 - found: Log Shutdown: System32\wbem\logs\wbemess.log System32\wbem\logs\wbemess.log
23.02.2008 20:42:32 - found: Log Shutdown: System32\wbem\logs\wmiprov.log System32\wbem\logs\wmiprov.log
23.02.2008 20:42:32 - found: 7-Zip Folder history
23.02.2008 20:42:32 - found: 7-Zip Last used folder
23.02.2008 20:42:32 - found: Internet Explorer Typed URL list 1 files
23.02.2008 20:42:33 - found: MS Management Console Recent command list 1 files
23.02.2008 20:42:35 - found: MS Office 12.0 (Word) Recent Document List 1 files
23.02.2008 20:42:35 - found: MS Regedit Recent open key
23.02.2008 20:42:35 - found: Windows Explorer Run history 2 files
23.02.2008 20:42:35 - found: Windows Explorer Stream history 2 files
23.02.2008 20:42:35 - found: Windows Explorer User Assistant history IE 4 files
23.02.2008 20:42:35 - found: Windows Explorer User Assistant history files 19 files
23.02.2008 20:42:35 - found: Windows Explorer Last visited history 2 files
23.02.2008 20:42:35 - found: Windows Explorer Recent file global history
23.02.2008 20:42:36 - found: Cookie Cookie (5)
23.02.2008 20:42:36 - found: Cache Cache (138)
23.02.2008 20:42:36 - found: History History (22)
23.02.2008 20:42:36 - found: Cookie Cookie (20)
23.02.2008 20:42:36 - ##### check finished #####

And then comes the final report from Spybot, in the next post as it's long.
__________________
Life on Earth is expensive but it includes a free trip around the Sun every year.
yettyn is offline  
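The search result list in the report above is the part of this thread that actually carries a verdict: a product name, an SBI signature id, the object type and the action taken, followed on the next line by the path or registry key. The parser below is an added example, not Spybot's own code; it reads that layout and separates malware detections from usage-tracking findings. Its input is an abridged copy of the report text posted above, embedded as constructed sample data so it runs offline. The platform-prefix heuristic for telling a threat from a track (Win32., VBS., ...) is an assumption about Spybot's naming, not something the report states. One caveat before acting on the output: the format cannot tell a true positive from a false one. The Win32.VB.jl hit is a service named Partizan, the startup list later in this thread shows Greatis RegRun installed, and RegRun ships a boot-time component of that name, so that entry deserves a check against the installed product before anything is deleted.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: lines copied from the Spybot 1.5.2 search result
# list posted above (abridged), so the parser runs offline.
SAMPLE_REPORT = r"""
--- Search result list ---
Win32.Agent.bgy: [SBI $3FF5579E] Settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1482476501-507921405-725345543-1003\Software\FirstRRRun

Win32.Bagle.hi: [SBI $37536BC2] Program directory (Directory, nothing done)
C:\WINDOWS\system32\drivers\down\

Win32.VB.jl: [SBI $4A7DE52E] Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Partizan

Common Dialogs: [SBI $4CDCC3D5] History (4 files) (Registry key, nothing done)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU

Cookie: Cookie (5) (Cookie, nothing done)
"""

# One finding header: "<name>: [SBI $<id>] <description> (<object type>, <action>)".
# Cookie/cache/history entries carry no SBI id, so that group is optional.
HEADER = re.compile(
    r"^(?P<name>[^:]+): (?:\[SBI \$(?P<sbi>[0-9A-F]{8})\] )?"
    r"(?P<desc>.*?) \((?P<kind>[^,()]+), (?P<action>[^()]+)\)$"
)

# Assumption: Spybot names malware with a platform prefix ("Win32.Bagle.hi"),
# while usage-tracking findings are named after the application ("7-Zip").
THREAT_NAME = re.compile(r"^(Win32|Win64|VBS|JS|Java)\.")


@dataclass
class Finding:
    name: str
    sbi: Optional[str]
    description: str
    kind: str            # "Registry key", "Directory", "Cookie", ...
    action: str          # "nothing done" means the object is still present
    location: Optional[str] = None

    @property
    def is_threat(self) -> bool:
        return THREAT_NAME.match(self.name) is not None


def parse_report(text: str) -> List[Finding]:
    """Parse the search result list into Finding objects.

    A header line starts a finding; the next non-blank line (if it is not
    itself a header) is the path or registry key. Blank lines and the
    '--- ... ---' section markers close the current finding, so cookie and
    cache entries, which have no location line, end up with location=None.
    """
    findings: List[Finding] = []
    current: Optional[Finding] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("---"):
            current = None
            continue
        m = HEADER.match(line)
        if m:
            current = Finding(m["name"], m["sbi"], m["desc"], m["kind"], m["action"])
            findings.append(current)
        elif current is not None and current.location is None:
            current.location = line
        # Anything else, e.g. "Congratulations!: No immediate threats were found. ()",
        # is neither a header nor a location and is skipped.
    return findings


def open_threats(findings: List[Finding]) -> List[Finding]:
    """Malware findings the scanner has not acted on, i.e. objects still on the box."""
    return [f for f in findings if f.is_threat and f.action == "nothing done"]


def by_kind(findings: List[Finding]) -> dict:
    """Count findings per object type; handy for a before/after comparison of two runs."""
    counts: dict = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    for f in open_threats(parse_report(SAMPLE_REPORT)):
        print(f"{f.name:18} {f.kind:13} {f.location}")
```

Run against the two reports in this thread, `open_threats` returns the three malware entries for the first and an empty list for the "Congratulations!" run, while `by_kind` stays identical between them, which is the quickest way to confirm that only the threat entries changed and the usage tracks were left alone.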
Old 2008-02-23, 21:55   #9
yettyn
Default Part 1

--- Search result list ---
Common Dialogs: [SBI $4CDCC3D5] History (4 files) (Registry key, nothing done)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU

Log: [SBI $4CDCC3D5] Activity: ntbtlog.txt (Backup file, nothing done)
C:\WINDOWS\ntbtlog.txt

Log: [SBI $4CDCC3D5] Install: setupapi.log (Backup file, nothing done)
C:\WINDOWS\setupapi.log

Log: [SBI $4CDCC3D5] Shutdown: System32\wbem\logs\wbemess.log (Backup file, nothing done)
C:\WINDOWS\System32\wbem\logs\wbemess.log

Log: [SBI $4CDCC3D5] Shutdown: System32\wbem\logs\wmiprov.log (Backup file, nothing done)
C:\WINDOWS\System32\wbem\logs\wmiprov.log

7-Zip: [SBI $12C3A52C] Folder history (Registry value, nothing done)
HKEY_USERS\S-1-5-21-1482476501-507921405-725345543-1003\Software\7-ZIP\FM\FolderHistory

7-Zip: [SBI $3D5692BD] Last used folder (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1482476501-507921405-725345543-1003\Software\7-ZIP\FM\PanelPath0

Internet Explorer: [SBI $1E8157BE] Typed URL list (1 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1482476501-507921405-725345543-1003\Software\Microsoft\Internet Explorer\TypedURLs

MS Management Console: [SBI $ECD50EAD] Recent command list (1 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1482476501-507921405-725345543-1003\Software\Microsoft\Microsoft Management Console\Recent File List

MS Office 12.0 (Word): [SBI $E357B233] Recent Document List (1 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1482476501-507921405-725345543-1003\Software\Microsoft\Office\12.0\Word\File MRU

MS Regedit: [SBI $C3B62FC1] Recent open key (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1482476501-507921405-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit\LastKey

Windows Explorer: [SBI $7308A845] Run history (2 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1482476501-507921405-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU

Windows Explorer: [SBI $AA0766B5] Stream history (2 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1482476501-507921405-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\StreamMRU

Windows Explorer: [SBI $2026AFB6] User Assistant history IE (4 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1482476501-507921405-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{5E6AB780-7743-11CF-A12B-00AA004AE837}\Count

Windows Explorer: [SBI $6107D172] User Assistant history files (19 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1482476501-507921405-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count

Windows Explorer: [SBI $B7EBA926] Last visited history (2 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1482476501-507921405-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU

Windows Explorer: [SBI $D20DA0AD] Recent file global history (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1482476501-507921405-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs

Cookie: Cookie (5) (Cookie, nothing done)


Cache: Cache (138) (Cache, nothing done)


History: History (22) (History, nothing done)


Cookie: Cookie (20) (Cookie, nothing done)


Congratulations!: No immediate threats were found. ()



--- Spybot - Search & Destroy version: 1.5.2 (build: 20080128) ---

2008-01-28 blindman.exe (1.0.0.7)
2008-01-28 SDDelFile.exe (1.0.2.4)
2008-01-28 SDMain.exe (1.0.0.5)
2007-10-07 SDShred.exe (1.0.1.2)
2008-01-28 SDUpdate.exe (1.0.8.8)
2008-01-28 SDWinSec.exe (1.0.0.11)
2008-01-28 SpybotSD.exe (1.5.2.20)
2008-01-28 TeaTimer.exe (1.5.2.16)
2008-02-17 unins000.exe (51.49.0.0)
2008-01-28 Update.exe (1.4.0.6)
2008-01-28 advcheck.dll (1.5.4.5)
2007-04-02 aports.dll (2.1.0.0)
2007-11-17 DelZip179.dll (1.79.7.4)
2008-01-28 SDFiles.dll (1.5.1.19)
2008-01-28 SDHelper.dll (1.5.0.11)
2008-01-28 Tools.dll (2.1.3.3)
2008-02-13 Includes\Beta.sbi (*)
2007-11-06 Includes\Beta.uti (*)
2008-02-20 Includes\Cookies.sbi (*)
2007-12-26 Includes\Dialer.sbi (*)
2008-02-20 Includes\DialerC.sbi (*)
2008-02-20 Includes\HeavyDuty.sbi (*)
2008-02-20 Includes\Hijackers.sbi (*)
2008-02-20 Includes\HijackersC.sbi (*)
2008-02-20 Includes\Keyloggers.sbi (*)
2008-02-20 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2008-02-20 Includes\Malware.sbi (*)
2008-02-20 Includes\MalwareC.sbi (*)
2008-02-20 Includes\PUPS.sbi (*)
2008-02-20 Includes\PUPSC.sbi (*)
2008-02-20 Includes\Revision.sbi (*)
2008-01-09 Includes\Security.sbi (*)
2008-02-20 Includes\SecurityC.sbi (*)
2008-02-20 Includes\Spybots.sbi (*)
2008-02-20 Includes\SpybotsC.sbi (*)
2007-11-06 Includes\Tracks.uti (*)
2008-02-20 Includes\Trojans.sbi (*)
2008-02-20 Includes\TrojansC.sbi (*)
2007-12-24 Plugins\TCPIPAddress.dll



--- System information ---
Windows XP (Build: 2600) Service Pack 2 (5.1.2600)
/ .NETFramework / 1.1: Microsoft .NET Framework 1.1 Hotfix (KB928366)
/ .NETFramework / 1.1: Microsoft .NET Framework 1.1 Service Pack 1 (KB867460)
/ DataAccess: Microsoft Data Access Components KB870669
/ DataAccess: Security update for Microsoft Data Access Components
/ DataAccess: Security Update for Microsoft Data Access Components
/ DirectX / DX9 / SP1: DirectX 9 Hotfix - KB839643
/ Microsoft Visual Studio 2005 Professional Edition - ENU: This service pack is for Microsoft Visual Studio 2005 Professional Edition - ENU.
If you later install a more recent service pack, this service pack will be uninstalled automatically.
For more information, visit http://support.microsoft.com/kb/926601
/ Microsoft Visual Studio 2005 Professional Edition - ENU: This Security Update is for Microsoft Visual Studio 2005 Professional Edition - ENU.
If you later install a more recent service pack, this Security Update will be uninstalled automatically.
For more information, visit http://support.microsoft.com/kb/937061
/ Windows / SP1: Microsoft Internationalized Domain Names Mitigation APIs
/ Windows / SP1: Microsoft National Language Support Downlevel APIs
/ Windows Media Format 11 SDK: Hotfix for Windows Media Format 11 SDK (KB929399)
/ Windows Media Player: Windows Media Player Hotfix [See Q828026 for more information]
/ Windows Media Player / SP0: Windows Media Player Hotfix [See wm828026 for more information]
/ Windows Media Player: Windows Media Update 817787
/ Windows Media Player: Windows Media Update 828026
/ Windows Media Player 11: Security Update for Windows Media Player 11 (KB936782)
/ Windows Media Player 11: Hotfix for Windows Media Player 11 (KB939683)
/ Windows Media Player 6.4: Security Update for Windows Media Player 6.4 (KB925398)
/ Windows Media Player 9: Security Update for Windows Media Player 9 (KB917734)
/ Windows XP: Security Update for Windows XP (KB923689)
/ Windows XP: Security Update for Windows XP (KB941569)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB937143)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB938127)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB939653)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB942615)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB944533)
/ Windows XP / SP10: Microsoft Compression Client Pack 1.0 for Windows XP
/ Windows XP / SP2: Windows XP Service Pack 2
/ Windows XP / SP3: Windows XP Hotfix - KB834707
/ Windows XP / SP3: Windows XP Hotfix - KB867282
/ Windows XP / SP3: Windows XP Hotfix - KB873333
/ Windows XP / SP3: Windows XP Hotfix - KB873339
/ Windows XP / SP3: Security Update for Windows XP (KB883939)
/ Windows XP / SP3: Windows XP Hotfix - KB885250
/ Windows XP / SP3: Windows XP Hotfix - KB885835
/ Windows XP / SP3: Windows XP Hotfix - KB885836
/ Windows XP / SP3: Windows XP Hotfix - KB886185
/ Windows XP / SP3: Windows XP Hotfix - KB887472
/ Windows XP / SP3: Windows XP Hotfix - KB887742
/ Windows XP / SP3: Windows XP Hotfix - KB888113
/ Windows XP / SP3: Windows XP Hotfix - KB888302
/ Windows XP / SP3: Security Update for Windows XP (KB890046)
/ Windows XP / SP3: Windows XP Hotfix - KB890047
/ Windows XP / SP3: Windows XP Hotfix - KB890175
/ Windows XP / SP3: Windows XP Hotfix - KB890859
/ Windows XP / SP3: Windows XP Hotfix - KB890923
/ Windows XP / SP3: Windows XP Hotfix - KB891781
/ Windows XP / SP3: Security Update for Windows XP (KB893066)
/ Windows XP / SP3: Windows XP Hotfix - KB893086
/ Windows XP / SP3: Security Update for Windows XP (KB893756)
/ Windows XP / SP3: Windows Installer 3.1 (KB893803)
/ Windows XP / SP3: Windows Installer 3.1 (KB893803)
/ Windows XP / SP3: Update for Windows XP (KB894391)
/ Windows XP / SP3: Security Update for Windows XP (KB896358)
/ Windows XP / SP3: Security Update for Windows XP (KB896422)
/ Windows XP / SP3: Security Update for Windows XP (KB896423)
/ Windows XP / SP3: Security Update for Windows XP (KB896424)
/ Windows XP / SP3: Security Update for Windows XP (KB896428)
/ Windows XP / SP3: Security Update for Windows XP (KB896688)
/ Windows XP / SP3: Update for Windows XP (KB896727)
/ Windows XP / SP3: Update for Windows XP (KB898461)
/ Windows XP / SP3: Security Update for Windows XP (KB899587)
/ Windows XP / SP3: Security Update for Windows XP (KB899588)
/ Windows XP / SP3: Security Update for Windows XP (KB899589)
/ Windows XP / SP3: Security Update for Windows XP (KB899591)
/ Windows XP / SP3: Update for Windows XP (KB900485)
/ Windows XP / SP3: Security Update for Windows XP (KB900725)
/ Windows XP / SP3: Security Update for Windows XP (KB901017)
/ Windows XP / SP3: Security Update for Windows XP (KB901214)
/ Windows XP / SP3: Security Update for Windows XP (KB902400)
/ Windows XP / SP3: Security Update for Windows XP (KB903235)
/ Windows XP / SP3: Security Update for Windows XP (KB904706)
/ Windows XP / SP3: Update for Windows XP (KB904942)
/ Windows XP / SP3: Security Update for Windows XP (KB905414)
/ Windows XP / SP3: Security Update for Windows XP (KB905749)
/ Windows XP / SP3: Security Update for Windows XP (KB905915)
/ Windows XP / SP3: Security Update for Windows XP (KB908519)
/ Windows XP / SP3: Security Update for Windows XP (KB908531)
/ Windows XP / SP3: Update for Windows XP (KB910437)
/ Windows XP / SP3: Security Update for Windows XP (KB911280)
/ Windows XP / SP3: Security Update for Windows XP (KB911562)
/ Windows XP / SP3: Security Update for Windows XP (KB911567)
/ Windows XP / SP3: Security Update for Windows XP (KB911927)
/ Windows XP / SP3: Security Update for Windows XP (KB912812)
/ Windows XP / SP3: Security Update for Windows XP (KB912919)
/ Windows XP / SP3: Security Update for Windows XP (KB913446)
/ Windows XP / SP3: Security Update for Windows XP (KB913580)
/ Windows XP / SP3: Security Update for Windows XP (KB914388)
/ Windows XP / SP3: Security Update for Windows XP (KB914389)
/ Windows XP / SP3: Hotfix for Windows XP (KB914440)
/ Windows XP / SP3: Hotfix for Windows XP (KB915800)
/ Windows XP / SP3: Hotfix for Windows XP (KB915865)
/ Windows XP / SP3: Security Update for Windows XP (KB916281)
/ Windows XP / SP3: Update for Windows XP (KB916595)
/ Windows XP / SP3: Security Update for Windows XP (KB917159)
/ Windows XP / SP3: Security Update for Windows XP (KB917344)
/ Windows XP / SP3: Security Update for Windows XP (KB917422)
/ Windows XP / SP3: Security Update for Windows XP (KB917537)
/ Windows XP / SP3: Security Update for Windows XP (KB917953)
/ Windows XP / SP3: Security Update for Windows XP (KB918118)
/ Windows XP / SP3: Security Update for Windows XP (KB918439)
/ Windows XP / SP3: Security Update for Windows XP (KB918899)
/ Windows XP / SP3: Security Update for Windows XP (KB919007)
/ Windows XP / SP3: Security Update for Windows XP (KB920213)
/ Windows XP / SP3: Security Update for Windows XP (KB920214)
/ Windows XP / SP3: Security Update for Windows XP (KB920670)
/ Windows XP / SP3: Security Update for Windows XP (KB920683)
/ Windows XP / SP3: Security Update for Windows XP (KB920685)
/ Windows XP / SP3: Update for Windows XP (KB920872)
/ Windows XP / SP3: Security Update for Windows XP (KB921398)
/ Windows XP / SP3: Security Update for Windows XP (KB921503)
/ Windows XP / SP3: Security Update for Windows XP (KB921883)
/ Windows XP / SP3: Update for Windows XP (KB922582)
/ Windows XP / SP3: Security Update for Windows XP (KB922616)
/ Windows XP / SP3: Security Update for Windows XP (KB922760)
/ Windows XP / SP3: Security Update for Windows XP (KB922819)
/ Windows XP / SP3: Security Update for Windows XP (KB923191)
/ Windows XP / SP3: Security Update for Windows XP (KB923414)
/ Windows XP / SP3: Security Update for Windows XP (KB923694)
/ Windows XP / SP3: Security Update for Windows XP (KB923980)
/ Windows XP / SP3: Security Update for Windows XP (KB924191)
/ Windows XP / SP3: Security Update for Windows XP (KB924270)
/ Windows XP / SP3: Security Update for Windows XP (KB924496)
/ Windows XP / SP3: Security Update for Windows XP (KB924667)
/ Windows XP / SP3: Security Update for Windows XP (KB925454)
/ Windows XP / SP3: Security Update for Windows XP (KB925486)
/ Windows XP / SP3: Update for Windows XP (KB925720)
/ Windows XP / SP3: Security Update for Windows XP (KB925902)
/ Windows XP / SP3: Hotfix for Windows XP (KB926239)
/ Windows XP / SP3: Security Update for Windows XP (KB926255)
/ Windows XP / SP3: Security Update for Windows XP (KB926436)
/ Windows XP / SP3: Security Update for Windows XP (KB927779)
/ Windows XP / SP3: Security Update for Windows XP (KB927802)
/ Windows XP / SP3: Update for Windows XP (KB927891)
/ Windows XP / SP3: Security Update for Windows XP (KB928090)
/ Windows XP / SP3: Security Update for Windows XP (KB928255)
/ Windows XP / SP3: Hotfix for Windows XP (KB928388)
/ Windows XP / SP3: Security Update for Windows XP (KB928843)
/ Windows XP / SP3: Security Update for Windows XP (KB929123)
/ Windows XP / SP3: Update for Windows XP (KB929338)
/ Windows XP / SP3: Security Update for Windows XP (KB929969)
/ Windows XP / SP3: Security Update for Windows XP (KB930178)
/ Windows XP / SP3: Update for Windows XP (KB930916)
/ Windows XP / SP3: Security Update for Windows XP (KB931261)
/ Windows XP / SP3: Security Update for Windows XP (KB931768)
/ Windows XP / SP3: Security Update for Windows XP (KB931784)
/ Windows XP / SP3: Update for Windows XP (KB931836)
/ Windows XP / SP3: Security Update for Windows XP (KB932168)
/ Windows XP / SP3: Update for Windows XP (KB933360)
/ Windows XP / SP3: Security Update for Windows XP (KB933566)
/ Windows XP / SP3: Security Update for Windows XP (KB933729)
/ Windows XP / SP3: Security Update for Windows XP (KB935839)
/ Windows XP / SP3: Security Update for Windows XP (KB935840)
/ Windows XP / SP3: Security Update for Windows XP (KB936021)
/ Windows XP / SP3: Update for Windows XP (KB936357)
/ Windows XP / SP3: Security Update for Windows XP (KB937143)
/ Windows XP / SP3: Security Update for Windows XP (KB937894)
/ Windows XP / SP3: Security Update for Windows XP (KB938127)
/ Windows XP / SP3: Update for Windows XP (KB938828)
/ Windows XP / SP3: Security Update for Windows XP (KB938829)
/ Windows XP / SP3: Security Update for Windows XP (KB939373)
/ Windows XP / SP3: Security Update for Windows XP (KB941202)
/ Windows XP / SP3: Security Update for Windows XP (KB941568)
/ Windows XP / SP3: Security Update for Windows XP (KB941644)
/ Windows XP / SP3: Update for Windows XP (KB942763)
/ Windows XP / SP3: Security Update for Windows XP (KB943055)
/ Windows XP / SP3: Security Update for Windows XP (KB943460)
/ Windows XP / SP3: Security Update for Windows XP (KB943485)
/ Windows XP / SP3: Security Update for Windows XP (KB944653)
/ Windows XP / SP3: Security Update for Windows XP (KB946026)
/ XML Paper Specification Shared Components Pack 1.0: XML Paper Specification Shared Components Pack 1.0
Old 2008-02-23, 21:56   #10
yettyn
Default Part 2

--- Startup entries list ---
Located: HK_LM:Run, @RegRunOnSecure
command: C:\PROGRA~1\Greatis\REGRUN~1\OnSecure.exe
file: C:\PROGRA~1\Greatis\REGRUN~1\OnSecure.exe
size: 57856
MD5: 6BFAFA44C356BE7E6258675AA5C11C61

Located: HK_LM:Run, avast!
command: C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
file: C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
size: 1679729
MD5: D8A1FF72BE7C6F0B1506265713550512

Located: HK_LM:Run, KernelFaultCheck
command: %systemroot%\system32\dumprep 0 -k
file: C:\WINDOWS\system32\dumprep.exe
size: 10752
MD5: 13922EB54890C77005268882629A31FE

Located: HK_LM:Run, NeroFilterCheck
command: C:\WINDOWS\system32\NeroCheck.exe
file: C:\WINDOWS\system32\NeroCheck.exe
size: 155648
MD5: 3E4C03CEFAD8DE135263236B61A49C90

Located: HK_LM:Run, RegRun WinBait
command: C:\WINDOWS\winbait.exe
file: C:\WINDOWS\winbait.exe
size: 16384
MD5: 6852D6328F97347FE611EFC51778B9D0

Located: HK_LM:Run, SoundMAXPnP
command: C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
file: C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
size: 790528
MD5: 8A6EF2D20DA01FC5934F63DE43752C1B

Located: HK_LM:Run, VMware hqtray
command: "C:\Program Files\VMware\VMware Workstation\hqtray.exe"
file: C:\Program Files\VMware\VMware Workstation\hqtray.exe
size: 56112
MD5: 15B7664C3DFD193BD8D9CE822D066E23

Located: HK_LM:Run, vmware-tray
command: C:\Program Files\VMware\VMware Workstation\vmware-tray.exe
file: C:\Program Files\VMware\VMware Workstation\vmware-tray.exe
size: 68400
MD5: 8692155C3CC033EA10D7BCC57C0B54CD

Located: HK_LM:Run, SoundMAX (DISABLED)
command: "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
file: C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
size: 585728
MD5: 5FA14654B827BC70DC14DE586DC5D493

Located: HK_LM:Run, VMware hqtray (DISABLED)
command: "C:\Program Files\VMware\VMware Workstation\hqtray.exe"
file: C:\Program Files\VMware\VMware Workstation\hqtray.exe
size: 56112
MD5: 15B7664C3DFD193BD8D9CE822D066E23

Located: HK_LM:Run, vmware-tray (DISABLED)
command: C:\Program Files\VMware\VMware Workstation\vmware-tray.exe
file: C:\Program Files\VMware\VMware Workstation\vmware-tray.exe
size: 68400
MD5: 8692155C3CC033EA10D7BCC57C0B54CD

Located: HK_CU:Run, ctfmon.exe
where: PE_C_ADMINISTRATOR...
command: C:\WINDOWS\system32\ctfmon.exe
file: C:\WINDOWS\system32\ctfmon.exe
size: 15360
MD5: 24232996A38C0B0CF151C2140AE29FC8

Located: HK_CU:Run, ctfmon.exe
where: S-1-5-21-1482476501-507921405-725345543-1003...
command: C:\WINDOWS\system32\ctfmon.exe
file: C:\WINDOWS\system32\ctfmon.exe
size: 15360
MD5: 24232996A38C0B0CF151C2140AE29FC8

Located: HK_CU:Run, Registry
where: S-1-5-21-1482476501-507921405-725345543-1003...
command: "C:\Program Files\Greatis\RegRunSuite\lsoon.exe" -1 30 "C:\Program Files\Greatis\RegRunSuite\rescue.exe" /a "J:\backreg\rstore.ini"
file: C:\Program Files\Greatis\RegRunSuite\lsoon.exe
size: 390656
MD5: D2E34D66CF273B2FA881AB5D9CF0F983

Located: HK_CU:Run, Regrun2
where: S-1-5-21-1482476501-507921405-725345543-1003...
command: C:\PROGRA~1\Greatis\REGRUN~1\WatchDog.exe
file: C:\PROGRA~1\Greatis\REGRUN~1\WatchDog.exe
size: 1679729
MD5: D8A1FF72BE7C6F0B1506265713550512

Located: HK_CU:Run, SpybotSD TeaTimer (DISABLED)
where: S-1-5-21-1482476501-507921405-725345543-1003...
command: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
file: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
size: 2097488
MD5: A9A5DB6AC3721BE698B996913693D73F

Located: Startup (common), Acrobat Assistant.lnk (DISABLED)
where: C:\Documents and Settings\All Users\Start Menu\Programs\Startup...
command: C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
file: C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
size: 217194
MD5: CFE5228556C93D03D6753E7953CCD4A9

Located: Startup (common), Dispatcher.lnk (DISABLED)
where: C:\Documents and Settings\All Users\Start Menu\Programs\Startup...
command: C:\Program Files\Reliable Software\Code Co-op\Dispatcher.exe
file: C:\Program Files\Reliable Software\Code Co-op\Dispatcher.exe
size: 1368064
MD5: 784E19C5A8BA2C56C77465B5C8643F5F

Located: Startup (user), ERUNT AutoBackup.lnk (DISABLED)
where: C:\Documents and Settings\Joakim\Start Menu\Programs\Startup...
command: C:\Program Files\ERUNT\AUTOBACK.EXE
file: C:\Program Files\ERUNT\AUTOBACK.EXE
size: 38912
MD5: E00DE20F0F6BED5CD2160247DDC9443B

Located: Startup (user), SpeedFan.lnk (DISABLED)
where: C:\Documents and Settings\Joakim\Start Menu\Programs\Startup...
command: C:\Program Files\SpeedFan\speedfan.exe
file: C:\Program Files\SpeedFan\speedfan.exe
size: 2902528
MD5: 72B1BA02D12BAFEC388FB80C68080529

Located: WinLogon, AtiExtEvent
command: Ati2evxx.dll
file: Ati2evxx.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, crypt32chain
command: crypt32.dll
file: crypt32.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, cryptnet
command: cryptnet.dll
file: cryptnet.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, cscdll
command: cscdll.dll
file: cscdll.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, ScCertProp
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, Schedule
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, sclgntfy
command: sclgntfy.dll
file: sclgntfy.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, SensLogn
command: WlNotify.dll
file: WlNotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, termsrv
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, WgaLogon
command: WgaLogon.dll
file: WgaLogon.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, wlballoon
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
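The startup entries list above is the best evidence in the thread for what survives a reboot, but two of its quirks are easy to misread. The WinLogon notify packages are listed by bare DLL name with size 0 and MD5 D41D8CD98F00B204E9800998ECF8427E, which is the MD5 of zero bytes: the scanner hashed nothing, so those lines say nothing about the DLLs actually loaded. And ashDisp.exe (avast!) and WatchDog.exe (RegRun) are reported with the identical size and MD5; the log gives no reason, so that pair should be re-hashed on the live system before either figure is trusted. The script below is an added example rather than Spybot's own code; it parses the list and surfaces both conditions. Its input is a constructed subset of the entries posted above. Lowercasing paths when grouping by hash, and treating an enabled and a DISABLED copy of the same path as one file, are my choices, not anything the log specifies.

```python
import hashlib
from collections import defaultdict
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: four entries copied verbatim from the startup list above.
SAMPLE_STARTUP = r"""
Located: HK_LM:Run, avast!
command: C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
file: C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
size: 1679729
MD5: D8A1FF72BE7C6F0B1506265713550512

Located: HK_LM:Run, VMware hqtray (DISABLED)
command: "C:\Program Files\VMware\VMware Workstation\hqtray.exe"
file: C:\Program Files\VMware\VMware Workstation\hqtray.exe
size: 56112
MD5: 15B7664C3DFD193BD8D9CE822D066E23

Located: HK_CU:Run, Regrun2
where: S-1-5-21-1482476501-507921405-725345543-1003...
command: C:\PROGRA~1\Greatis\REGRUN~1\WatchDog.exe
file: C:\PROGRA~1\Greatis\REGRUN~1\WatchDog.exe
size: 1679729
MD5: D8A1FF72BE7C6F0B1506265713550512

Located: WinLogon, AtiExtEvent
command: Ati2evxx.dll
file: Ati2evxx.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
"""

EMPTY_MD5 = hashlib.md5(b"").hexdigest().upper()  # hash of zero bytes, computed rather than hard-coded


@dataclass
class StartupEntry:
    location: str                      # "HK_LM:Run", "Startup (user)", "WinLogon", ...
    name: str                          # registry value, .lnk or notify-package name
    command: str = ""
    file: str = ""
    size: int = -1
    md5: str = ""
    where: Optional[str] = None        # user SID or profile for per-user entries
    warnings: List[str] = field(default_factory=list)

    @property
    def disabled(self) -> bool:
        return self.name.endswith("(DISABLED)")

    @property
    def unverified(self) -> bool:
        # Size 0 plus the MD5 of nothing: no file was opened, so the line proves nothing.
        return self.size == 0 and self.md5 == EMPTY_MD5


def parse_startup_list(text: str) -> List[StartupEntry]:
    """'Located:' opens an entry, 'key: value' lines fill it, a blank line closes it."""
    entries: List[StartupEntry] = []
    current: Optional[StartupEntry] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            current = None
            continue
        if line.startswith("Located: "):
            location, _, name = line[len("Located: "):].partition(", ")
            current = StartupEntry(location=location, name=name)
            entries.append(current)
            continue
        if current is None:
            continue
        key, sep, value = line.partition(": ")
        if not sep:  # a line without ': ' continues the multi-line Warning
            if current.warnings:
                current.warnings[-1] += " " + line
        elif key == "size":
            current.size = int(value)
        elif key == "MD5":
            current.md5 = value.upper()
        elif key == "Warning":
            current.warnings.append(value)
        elif key in ("command", "file", "where"):
            setattr(current, key, value)
    return entries


def unverified_entries(entries: List[StartupEntry]) -> List[StartupEntry]:
    return [e for e in entries if e.unverified]


def shared_hashes(entries: List[StartupEntry]) -> dict:
    """MD5 -> sorted distinct file paths, only for hashes seen under more than one path.
    An enabled and a DISABLED copy of one path count once; two programs with one hash do not."""
    paths = defaultdict(set)
    for e in entries:
        if e.md5 and not e.unverified:
            paths[e.md5].add(e.file.lower())
    return {h: sorted(p) for h, p in paths.items() if len(p) > 1}
```

The two checks are deliberately separate: an unverified entry is a gap in the evidence (re-hash `%SystemRoot%\system32\<dll>` yourself), while a shared hash is a contradiction in the evidence (two different programs cannot normally have one MD5), and the second is the one worth escalating if it reproduces on the live system.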
 

Copyright © 2000-2010 Safer-Networking Limited. All rights reserved.